Professional Documents
Culture Documents
III
III
I0 I
I0
I0
II 0 I
00 I
0I
II0 I
I 0 0
I
T
he automotive industry is undergo- •• Demand needs to be created, for lot mistook the truck’s white side-wall for
ing a profound change. Manufactur- example by offering solutions providing free space – might have strengthened
ers, industry associations and policy better comfort, increasing time gains this perception.
makers must react as quickly as possible and improving safety. Future consumers
to technical and social megatrends and will consider prestige and technological A recent study by Deloitte1 illustrates the
adapt to changing legal and economic leadership to be less important than current perception of automated cars:
conditions. For the first time, software is mobility and environmental aspects.
playing a decisive role in the competitive- Only in China and India do more than
ness of car manufacturers. •• Apart from promoting the benefits of half of the respondents accept highly
automated vehicles, building sustaina- automated cars (semi-autonomous and
ble trust in the new technology is a key autonomous driving). In traditional car
factor in achieving long-term success. manufacturing countries such as the US,
From a global
Highly developed and creative technol- Japan, South Korea, and Germany, the
ogy, on its own, will only result in short- acceptance is significantly below 50%.
term demand. Preceding technological Germany ranks last with an acceptance
there is no
quality and reliability of the technology in semi-autonomous and autonomous
cannot be guaranteed. A lack of quality driving is highest among the younger gen-
in the case of highly automated vehicles erations (generations Y and Z). The main
the develop-
fact that someone who does not have relation to highly automated cars. The
their hands on the steering wheel tends number of respondents expressing such
to feel vulnerable and assesses risks fears varies between 62% (China) and 81%
omous cars.
summer of 2016 – which drove into a customers become somewhat more confi-
cruising truck, after the activated autopi- dent if, for a certain period of time, highly
What‘s ahead for fully autonomous driving - Consumer opinions on advanced vehicle technology - Perspectives from Deloitte‘s Global Automotive Consumer Study
1
2
Automotive Software Quality
nance of IT
The market is changing in four main areas:
their brands from damage and them-
selves from suffering the legal conse-
•• A current focus is on the introduction of
components
quences of quality issues? And what
emission-free vehicles, including their
role does software development play
charging infrastructure, enabling high
in this regard?
force increased
performance and long range. Afforda-
bility is crucial to making the transition 3. What challenges arise for OEMs from
from fossil to electrical energy attractive. the security and data protection
tion.
importance, culminating in autonomous cybersecurity requirements)? How can
driving. For this reason, vehicles must manufacturers meet them?
communicate with each other, as well as
4. Is there a need for additional legal reg-
with infrastructure components sur-
ulations (such as further type approval
automated vehicles can demonstrate rounding them.
requirements/audits) to account for
that they are safe. Under these circum-
the changes in the vehicle as well as
stances, 47% (Germany) to 81% (China) of •• In the end, vehicles will become more
the overall traffic?
all respondents would agree to using such and more digital, enabling their users to
vehicles. communicate, work, or enjoy multimedia
In this paper, we draw on experiences
entertainment while driving.
gained from past and present projects in
Compared to conventional cars, it is
the automotive sector.
obvious that higher safety and greater •• The increase in autonomous driving
comfort is insufficient to lead highly functions, combined with the possi-
automated cars to market success. Man- bility of individualizing cars driven by
ufacturers need to find ways to build and software, leads to the great attrac-
maintain confidence in this technology. tiveness of “shared cars”. Specialized
If traditional manufacturers cannot cope mobility providers will keep their fleet
with this requirement, new companies are of cars permanently available, which
ready to take over their role. creates an interesting transportation
alternative to rental companies, espe-
cially for short distances in urban areas.
These mobility providers will use, on
a wide scale, exclusive parking lots for
their fleet, making the search for scarce
and expensive parking spaces unneces-
sary.
3
Automotive Software Quality
1. How will the quality of Examples already exist in the aviation Automotive manufacturers and their sup-
industry, and also in the medical appara- pliers strive for the highest quality. This
software-driven functions tus industry. notion is reflected in the reliability and
in cars be defined and longevity of modern cars, while perfor-
Increasing requirements with regard to mance and functionality are continuously
ensured? performance, compatibility, and mainte- improved. Rusty car bodies, frequent tire
nance of IT components force increased punctures, permanent refilling of engine
There is still a lot of work to be done: standardization. This puts the focus of oil etc. are predominantly problems of
neither comprehensive nor generally vehicle safety increasingly on cybersecu- the past. These problems have one thing
applicable regulatory standards exist rity, making it an integral part of software in common: they all concern hardware
that could be set as requirements for quality. This is not like current vehicles, failures. Yet developing software will
type approvals. Nor is there a software (!) which are somewhat protected from mainly influence future development in
quality assurance measure (certification massive hacker attacks or computer virus automotive development and software
processes) available to car manufactur- attacks through their proprietary, individ- requires new quality mechanisms.
ers. Current development guidelines (e.g., ual architectures.
ISO 26262) or audit standards such as A number of reasons play a role in this:
Automotive Spice, CMMI and Misra ensure Standardization of vehicle architecture
a well-structured and reliable process. will change this. Therefore, measures to Dynamics
They are based on the assumption that secure rolling data centers and online While the car body and engine parts
a good process will lead to a good result. backbones (cloud services) are crucial and do not change over their respective life
However, checks, as appropriate for the have to become part of future risk scenar- cycles, software is highly dynamic. The
complexity and functional scope of the ios and test requirements. The German, reason is the need for ever-evolving new
software controlling the vehicles, are not American, and Japanese governments functions and mandatory updates to
part of these standards. Such checks are have all issued corresponding instructions correct mistakes and mitigate risks (espe-
only conducted in exceptional cases. and guidelines. cially concerning the potential risks of
cyberattacks).
Current tests are based on risk scenarios
Software will
and test procedures. These differ for each Life Cycle
OEM and supplier. ISO 26262 correctly The life cycles of software and hardware
requires that tests have a different preci- differ fundamentally from each other in
sion and intensity, depending on the risk
assessment for the functions and modules
mainly influ- nearly all phases, from development to
production, exploitation, and resale or
development.
present, no general and mandatory set of are used by different users, data erasure
risk and test scenarios exists. in case of resale or at the end of use, and
ensuring the long-term compatibility of
Developing such a set of risk test scenar- formats for data exchange.
ios would be expensive and time-con-
suming for OEMs. As an alternative, the
legislator could provide relief by defining
minimum requirements for safety and
reliability, which could be implemented
through car type approvals. However, a
German attempt at going it alone would
be neither efficient nor permissible.
Instead, the requirements of German law
must be coordinated at the European level
and agreed upon at the UN and G7 levels.
4
Automotive Software Quality
Complexity to infrastructure) may add to the external many functions, hence software should
Software is not just one component of the communication. The quantity of data and never be seen as being without errors.
vehicle, it is one of a number of compo- the different processing mechanisms are Test procedures are aimed at covering
nents (ECUs), which fulfill different tasks. growing increasingly complex, always specific risks. Test methods such as HIL,
Even the tires, shock absorbers, and creating new challenges. This develop- SIL, or VIL 2 aim to achieve the highest
wishbones of new vehicles have sensors ment is not comparable to the develop- possible coverage. It is important that the
which generate data and statuses – ment of hardware. covered risk scenarios and corresponding
transmed through either the wiring or tests have already been developed during
integrated software modules. In any Test methods the conceptual phase of the software
case, the many sensors, actuators, and The functionality of a vehicle’s hardware (security by design). A retroactive roll-
control units create a lot of data traffic, is finite, even considering every hardware back of the functions developed is bound
which must be sent, received, under- interaction, and can be examined after to lead to errors and quality gaps. The
stood and interpreted. Information from a stringent quality assurance of single more centralized the vehicle architecture
outside the vehicle is increasingly adding components. Various testing methods in is, the better tests can be prepared and
to this volume of data, e.g., navigation virtual and real surroundings, such as test carried out. Decentralized modules must
systems (including telematics services). In benches, test tracks or the street, have be tested completely, according to their
future, short-term radio communications been developed. By contrast, software is functional scope, before being included in
between vehicles (car to car) or between too complex for comprehensive testing an integration test.
a vehicle and external components (car of all components. There are simply too
5
Automotive Software Quality
Today’s luxury cars have more OEMs face major challenges to ensure
and maintain a comprehensive promise
variety of suppliers.
risks are hidden, and it is difficult to assess
6
Automotive Software Quality
7
Automotive Software Quality
Only an open system architecture can A number of manufacturers have already fore makes sense that Tesla owns essential
be fully assessed and enhanced announced that they will disclose their parts of the intellectual property and uses
Nowadays, software features in cars are architectures. This is based on the OEM’s agile development methods. It is not for no
developed in line with ISO 26262. Car man- desire to defend themselves against reason that some of the big conventional
ufacturers and suppliers rarely cooperate powerful new competitors, who could vehicle manufacturers consider Tesla as a
in this process, even though it is of pivotal enter the market through cross-sector major competitor. They know why.
importance for a continuous process of cooperation. Prime suspects are com-
software enhancement and development. panies that already produce operating Without any doubt, the large OEMs around
Car modules including software provided systems/ have experience in the data the world are (still) able to build superior
and delivered by suppliers are still treated business, e.g. Apple, Microsoft, Google cars. However, traditional car manufac-
as black boxes. etc. However, for such publicly announced turers still measure quality based on
initiatives, the affected manufacturer and traditional parameters, e.g. gap dimen-
Applying traditional and established manufacturing groups in the automotive sions. Furthermore, the construction of a
automotive supply chain processes to industry lack the following: vehicle is fully completed before market
software will eventually lead to a deadlock. introduction. Thus OEMs try to avoid any
Current process designs cannot provide 1. The intellectual property of the compo- further adjustments. By contrast, Tesla
the required speed of development, nents which are produced throughout has ensured its software quality by issuing
security/ integrity and transparency since the automotive value chain. Therefore, 200 online updates over the past year. This
the all-embracing product overview is only parts of an (operating) system can keeps the functionality of Tesla’s vehicles
not provided. As a result, the quality of be opened without violating the intel- up-to-date, even enabling later enhance-
software is ultimately compromised. lectual property rights of others. ments. Updates are partly optional for
Although most vehicles differ in their vehicle owners, thus, the business of the
2. Agile and nonetheless reliable methods
communication networks, the major future is already reality. Conventional OEMs
of software development, which could
part of information is transferred via the mainly interpret product care as the devel-
compete with the procedures devel-
CAN-Bus-Architecture and distributed opment of the next vehicle generation, e.g.
oped by IT and internet giants over
electronic control units (ECU). An open a facelift to a model series. Tesla continues
several decades.
system architecture, presumably based to take care for its products, even if they
on a well-established and high-perfor- are already on the market. This approach
It is therefore not surprising that a
mance operating system, e.g., Linux, will has been mainly known from IT products
company which is quite negligible in terms
ultimately replace the proprietary archi- and TC terminal devices. This does not
of its market share has mixed up the whole
tecture of today’s cars. Developments are mean that Tesla has chosen the best path,
automotive industry and is setting trends
moving towards a much stronger centrali- just a different one. Using drivers and
in terms of technology: unlike conventional
zation of the IT architecture in the vehicle their vehicles as beta testers can occa-
manufacturers and their relatively inflexible
by means of which certain functionalities sionally lead to dangerous situations. The
structures, Tesla has had the opportunity
or apps are deployed on a standardized combination of the advantages of both
to build a company on a green field site
operating system.. Access to the hardware alternatives are the way for the future: on
and to align it with upcoming technological
will be limited to the operating system, the one hand extensive quality require-
challenges.
much like modern IT architectures. ments and the desire to introduce matured
One focal point is the rapid and reliable functionality into the market, on the other,
In the medium and long run, such archi-
development of software which provides agile methods of development and sophis-
tectures will facilitate easy and fast mainte-
basic functionality and data security and ticated approaches to incremental tests,
nance and the enhancement of functions.
can be enhanced by constant updates, as online update ability and a permanent
Moreover, development processes can
do competitors from the IT and internet improvement claim.
focus on the main functions within certain
standards. In addition, tests, documen- environment. Like operating systems for
tation, and collaboration throughout the computers and mobile phones, the user
entire supply chain will be facilitated. In this (here: the driver) provides the relevant data
context, the software development associ- for improvements. In general, this does not
ation AUTOSAR 3 is performing substantial happen actively but via protocols which
pioneer work by designing an industry are automatically transmitted from the
standard for system software in vehicles. operating system of the vehicle. It there-
8
Automotive Software Quality
Initial attempts by OEMs to build up small, 3. What challenges Maintenance platforms for the online
flexible, legally independent business units access of a manufacturer and its work-
with essential development responsibilities, arise for OEMs from the shops are a mandatory component of
are a step in the right direction. However, security and data pro- those scenarios and therefore part of
OEMs still primarily rely on existing struc- comprehensive security governance,
tures for the implementation. Ultimately, tection requirements of aiming to make the vehicles resistant to
all innovative ideas are in danger of coming networked vehicles and cyberattacks.
to a halt at this point. In the medium term,
there is thus no alternative but to develop a connected infrastructure In this respect, ISO 21434, a new standard
new organization for themselves and their (such as cybersecurity currently being developed for automo-
supply chains. tive cybersecurity, could become useful:
requirements)? How can however, the outlined principles of this
manufacturers meet standard must be implemented and –
quite importantly! – monitored in the
these? research and development processes of
the whole supply chain. As both the ISO
Cars are becoming increasingly inter- Standard and type approval are simul-
connected, internally as well as with the taneously evolving, it is currently not yet
internet. However, nowadays they are less assured that the future requirements for
effectively protected than office comput- type approval, including possible addi-
ers, mobile phones, and tablets. To change tional tests of technical services, fully
that, the whole quality and safety process correspond to the ISO 21434 standard.
must be adapted according to ISO 26262. It is only certain that regulatory require-
The industry needs cyber-specific risk ments will focus on far more than cyber-
scenarios, which need to be implemented security. The quality of the software used
in software development as well as in the in vehicles, as well as the protection of
component manufacturing process. personal data, will play a major role and
will need to be included in the risk and test
scenarios of both manufacturers and their
suppliers.
9
Automotive Software Quality
10
Automotive Software Quality
Safety-relevant or not?
All electronic components have to be
Increased competition through lower
market entry barriers In the long run,
classified as to whether and to what Car manufacturers will no longer only
extent they influence vehicle safety. In
principle, ISO 26262 prescribes similar
compete with peers but also with IT and
internet companies. The market entry
the market
requirements, specifically the classification
of each component to an “Automotive
barriers in the automotive sector are being
lowered, mainly due to the rise of electric will break
Safety Integrity Level” (ASIL). The criteria mobility. The expertise of classic car man-
of this classification and the correspond-
ing process must be obligatory across
ufacturers and suppliers is the extremely
complex drivetrain, including the engine,
down into a
sectors. Multimedia and business appli-
cations can be considered uncritical for
clutch, gears, differential, drive shaft, and
wheel, as well as electronical components hardware, a
safety and can therefore be opened to such as ABS and ESP. However, if every
third parties via an API (programming
interface). All systems with an impact on
wheel has its own electric motor, the
software takes over the majority of the
software, and a
driving behavior must be separated.
11
Automotive Software Quality
4. Is there a need for •• What should be paramount: data protec- ments cannot be left to the competition
tion or storage of data for an extended of price and cost in the market. Regulation
additional legal regula- period of time? This is important to needs to set and enforce standards. It can
tions (such as further type determine guilt in the case of accidents thus provide a basic security which manu-
or for the ever more important commu- facturers are forced to comply with.
approval requirements/ nication between car and infrastructure.
audits) to account for the The biggest lever for the regulator is type
These questions are not merely of an approval. As vehicle traffic has already
changes in the vehicle as ethical nature. They have a huge impact assumed global dimensions, it not
well as overall traffic? on the competitive situation. Since possible for any country to find a solution
software and data will become more independently. All measures need to be
Regulation prevents reasonable economic important than the production of vehicles coordinated at the EU, G7 and UN levels
behavior and slows down innovation – this in the long run, OEMs face a major chal- (Vienna Convention on road traffic). It
doctrine is not always true. The situation lenge. On the one hand they need to is in the interests of the population and
of the automotive industry is extremely develop a software system which controls the automotive industry that high safety
complex because of dynamically emerging the individual vehicle units directly, on the standards be set. This has two main
actors, disruptive technological changes, other to develop the operating system for reasons: first of all, German OEMs could
and the general importance of the auto- overarching coordination. This software lose their good reputation for safety and
motive industry due to its sheer size. Reg- must not only be accepted by the market quality. Secondly, for semi-autonomous
ulatory action, following a certain vision but must also be able to compete with and autonomous vehicles to successfully
and claim of intuition could pool forces, new actors from the IT industry. navigate in German’s dense traffic, these
initiate or strengthen developments, and cars will have to comply with high stand-
Further regulation will be introduced, ards. This might ultimately lead to a com-
thus promote innovation.
since it can no longer be ignored that petitive advantage on global markets.
It is mandatory to regulate some issues software controls the vehicle in an increas-
because an ethically correct decision is ing number of situations, e.g. the regula-
more important than the technical or tion of the compressive forces for electri-
economic interests of OEMs. A major cally operated windows to prevent injuries
contribution is made by the ethics com- from trapping your hands. Failure to
mittee of the German Department of comply with such regulations will not only
Transportation which is composed of affect the hands caught. Certain require-
legal, societal, ethical, technical, and
economic experts. This commission and
other working groups in the Ministries are
trying to answer fundamental questions
concerning autonomous driving. Some
examples are:
12
Automotive Software Quality
Mandatory standard for system to have either the user’s consent (known
software from smartphones) or a law superior to Safety and Security – what is
A joint effort by OEMs may increase the data privacy (e.g. a black box to record the difference?
likelihood of success, but such attempts driving movements).
are unlikely to happen without regulating At first glance, both terms refer to
the terms of competition. Currently, com- the same idea – but their meaning
petition is too strong and the legitimate The initiative should originate from differs in the context of the auto-
fear of antitrust sanctions too great. The the OEMs and could be promoted and motive industry.
creation of safety and security standards, secured with the help of external third
either through laws or by existing stand- parties, i.e., trustees for the lawful usage Safety describes the effort to
ardization organizations such as ISO or and administration of data. Without such prevent mistakes in the core
SAE, would be very likely to have a favora- initiatives, the legislator will set the legal functions of a vehicle or, in a
ble effect. An operating system developed framework. This might be stricter than the worst case, to protect the occu-
centrally for a majority of OEMs would stakeholders of the automotive industry pants and other persons involved
only need a single set of updates if new would wish for. from harm. Components such as
security risks should emerge. Interfaces brakes, steering, airbags, and the
and the certification relevant for type crumple zone of a car, but also
approvals would only have to be defined At the moment there are many parallel electronic assistants such as ESP
and issued once. This could ultimately lead developments in the automotive industry, or ABS are critical to safety.
to a greater focus on quality and reliabil- from which questions arise regarding the
ity due to less competition and less time future balance of this globally important Security, on the other hand,
pressure. economic sector. New actors will enter means the security of software
the market, while traditional players systems against malfunctions and
Data privacy could disappear. Disruptive technologies external attacks. Software in cars
Equally, the security of personal data are a catalyst for such developments. It has various roles: engine control,
will not be possible without regulation. is important not to forget the customer external communications, but
On the one hand there is the risk that in this technological race because even also car safety and security.
strong European data privacy rules will these data centers on wheels need to be
block innovations in car communica- bought and used by somebody.
tions (“car to car” and “car to x”), vital for
autonomous traffic. On the other, strict,
comprehensible data privacy is essen- Important issues are and will remain: car
tial for establishing the consumer trust reliability, security, quality, and the manu-
necessary for technological upheavals facturer’s benefit promise, which must be
(such as the one currently occurring in the in a well-balanced ratio between acqui-
automotive industry). There are therefore sition and maintenance costs. Various
good prospects that sensible regulations customer groups will evaluate these
will promote the development of modern factors differently.
vehicles and a forward-thinking transport
infrastructure, at least in Europe.
One thing is for sure: these issues will
A significant contribution can also be remain exciting.
made via the conception and development
of software and interfaces in vehicles.
“Privacy by design” is the key term in this
context. Most functions that require data,
such as autonomous driving or additional
user services, can be achieved without
the transfer of personal data. This is at
least the case if it is already considered
and implemented at the conceptual stage.
For all other applications, it is necessary
13
Automotive Software Quality
Contacts
Andreas Herzig
Partner Risk Advisory
Tel: +49 (0)711 16554 7160
aherzig@deloitte.de
Peter Wirnsperger
Partner Risk Advisory
Tel: +49 (0)40 32080 4675
pwirnsperger@deloitte.de
Ingo Dassow
Director Risk Advisory
Tel: +49 (0)30 25468 451
idassow@deloitte.de
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by
guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member
firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. Please see www.deloitte.com/de/UeberUns for a more detailed description of
DTTL and its member firms.
Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private
clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal.
With a globally connected network of member firms in more than 150 countries, Deloitte brings world-
class capabilities and high-quality service to clients, delivering the insights they need to address their most
complex business challenges. Deloitte’s more than 244,000 professionals are committed to making an
impact that matters.
This communication contains general information only not suitable for addressing the particular
circumstances of any individual case and is not intended to be used as a basis for commercial decisions or
decisions of any other kind. None of Deloitte GmbH Wirtschaftsprüfungsgesellschaft or Deloitte Touche
Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by
means of this communication, rendering professional advice or services. No entity in the Deloitte network
shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
Issued 8/2017