Brave new world? Today it appears to be easy and natural for an app provider to distribute new and extended software versions to customer devices – computers and smartphones – in an “over-the-air” manner. They are thus able to provide improved and more comprehensive services to their customers – and to sell them. We are currently in an age of vehicles with a high degree of software being increasingly and permanently connected to the world’s networks. Vehicle manufacturers as well as providers of vehicle-related software and data services want to profit from these capabilities – in every sense of the word “profit”. If we believe in the promises made in advertisements, even the vehicle customers are looking forward to the day when they can “amplify” the acceleration capacity of their truck at a steep hill, or the cooling effect of their air conditioning on a hot day – “right away” and without a visit to the next repair workshop.
This is a dream of comfort for some, and a dream of profit for some others, but it also proves to become a nightmare for other groups involved. Licensing authorities are afraid that a vehicle homologated and sold as tax and energy saving, may be transformed into an energy hungry “monster” just per software update. Manufacturers are afraid that uncontrolled upload of software changes from the outside – that is from everybody other than themselves – might change a vehicle’s behaviour in such a way that it causes damage to humans and material alike: damage for which the manufacturer will become liable. More than once in recent years, experiments have shown that it is possible to take over control of a vehicle’s electronic system via open and “over-the-air” reachable communication interfaces. Already in the year 2015 the successful hijacking of a Jeep by means of computer interaction made headlines all over the world.
UNECE Regulations No 155 and No 156
The UNECE – in its capacity as regulation office for vehicles and vehicle parts all over Europe – created a regulatory package based on regulations no 155 and no 156 to address these risks and considerations.
Regulation no 155 is about requirements to cyber-security in vehicles. It mandates that every communication with a vehicle – be it “over-the-air” or conventionally via cable and diagnostic plug – has to be secured against manipulation. Future communication must always be encrypted, and access will only be granted if valid certificates are presented that have been authorized by the vehicle manufacturer and that are validated inside the vehicle itself.
Regulation no 156 is about requirements toward software update management on the manufacturer’s side. It mandates that only approved software may be used within a vehicle. In this context, the term “software” is also comprising every set of parameters influencing the vehicle behaviour. The UNECE has realized that the homologation of a vehicle type can no longer be dependent on the physical properties of a vehicle alone. Instead, the software versions inside the vehicle’s control units have also to be taken into account. Every software and every software version that contributes to a regulated vehicle function must be homologated in its own right. The software version will get a so-called RxSWIN, a unique software identification number which refers to the regulated vehicle function (e.g., regulation R13 is referring to brakes, a brake-controlling software’s RxSWIN will thus also have the prefix “R13”).
Requirements to the Vehicle Manufacturer
The vehicle manufacturer now must homologate separately every software for regulated vehicle functions. Moreover, he has to verify and assert on every software change whether the change is “harmless”, or whether it incorporates a significant change of functionality in respect to the applicable regulation, and thus requires a new homologation. Furthermore, the vehicle manufacturer must keep accounts for every individual vehicle which software versions are contained – starting from the production process and continuously during the life cycle of the vehicle, thus reflecting every software update or change in a workshop or via an “over-the-air” update. The manufacturer must guarantee that it is always possible for official bodies to determine and verify the software status of a vehicle, be it during a police control or a technical inspection. Additionally, an IVD (Integrity Verification Data) must be provided for every software and every relevant parameter set, to make it possible to determine the manipulation of software or data in such a way that it deviates from the manufacturer’s specification.
It’s easy to imagine that these requirements bring about an immense effort in the formation of development, production, and workshop processes. Moreover, it becomes necessary to adapt and extend software applications supporting these processes (e.g., for managing software development, for performing end-of-line tests, or to execute a workshop diagnostic, to name only a few).
Finally, every vehicle manufacturer must be able to prove during an official audit by which means and to which extent his processes and process enabling applications satisfy the new requirements for software update management.
Implications for the Independent After-Market
These regulations may appear to vehicle owners and vehicle fleet owners alike to be a long-overdue safeguard against software manipulation in vehicles. But these regulations also cause striking consequences for vehicle maintenance in the independent after-market. It is only a couple of years ago that manufacturers have been requested to provide “Repair and Maintenance Information” (RMI) to any independent operator in a way that does not put him into a disadvantage compared to the manufacturer’s own workshops. These regulations have become effective in the context of the Euro 5 standards for passenger cars and the Euro VI for commercial vehicles in the years from 2009 to 2015. They have been intended to foster free competition in Europe, and they threatened various penalties up to the invalidation of vehicle type homologations for manufacturers not complying.
From a technical perspective, the provision of RMI includes the disclosure of meaning and structure of vehicle data accessible via the open diagnostic interface (OBD-II plug). This data can thus be read, understood, and meaningfully modified and written by every workshop – at least to some extent. This capability for modification comprises changes to parameters which control the vehicle’s behaviour, but also allows the upload of software updates.
Based on UNECE regulations no 155 and no 156 vehicle manufacturers are now forced (from another perspective: “are again allowed”) to restrict free access. Encrypted communication over open diagnostic interfaces forces independent operators to acquire access certificates. The new requirements for software update management – in respect to keeping accounts of the software status of vehicles – fundamentally exclude the possibility to modify a vehicle by anyone else but the manufacturer himself. This will restrict access not only for independent workshops but also for providers of multi-brand diagnostic tools and for the suppliers of vehicle ECUs who will lose the access to their own components.
Two new diagnostic technologies might promise relief: With the passthrough technique, diagnostic software and data can be downloaded as a “closed package” from the manufacturer’s service portal. Any independent operator may thus apply this package to a vehicle by using the manufacturer’s original software. The so-called extended-vehicle interface (ISO 20077/78) – which is currently under development – will provide communication access to a vehicle via the manufacturer’s server. (Only the manufacturer is retaining the direct access to his vehicles.) The diagnostic capabilities therein may – depending on their scope and implementation – help or hinder free access. Currently, stakeholders of independent operators are intensively negotiating with vehicle manufacturers by which means free competition among vehicle service providers can be upheld under the given circumstances.
It might well take some more time until the brave new world will become reality as imagined by vehicle users, vehicle manufacturers, and any other participant of the vehicle market. Everybody is busy to intensively work on their respective contributions and from their respective perspectives. ServiceXpert is supporting their customers among vehicle manufacturers and vehicle suppliers in the adaptation and development of processes and tools with the goal of satisfying the new UNECE regulations in the best way possible.
Author: Dr. Roman Cunis, ServiceXpert GmbH, Hamburg
