Intersection management, cooperative infrastructures - what next?

Location Based Systems / February 1, 2012
The cooperative road environment can learn much from the efforts to clear UAVs for routine operations over inhabited areas

What do recent vehicle recalls mean for future cooperative infrastructures? Anthony Smith takes a look

As ITS industry stakeholders converge on Amsterdam for the 2010 Cooperative Mobility Showcase, an unprecedentedly wide range of technologies will be on display demonstrating what might be achievable in the future from innovations based on Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications.

Such cooperative technologies have been widely heralded as the next big thing in urban and extra-urban transportation. In the vision of the future presented by proponents of such technologies, traffic management systems and individual vehicles would be able to communicate in order to optimise road network efficiency based on real-time information about each vehicle's location, bearing, speed and intended destination. Personalised routing guidance, safety alerts and speed recommendations to groups of vehicles using instantaneous traffic information would all be possible. With the consequent increases in effective road network capacity and reductions in localised congestion, traffic would flow more smoothly with fewer stops, thus improving air quality - and with increased safety too, thus reducing road accidents and casualty rates. Special priority could be given to certain classes of vehicles, such as emergency services or public transport, and the increased efficiencies of vehicle operation would deliver a potentially substantial contribution to reductions in transport CO2 emissions. Moreover in this vision of a future motoring utopia, such ITS innovations would generally be implemented at a significantly reduced cost compared to more conventional automotive technologies and traffic management strategies, including - to cite perhaps the most expensive and least environmentally attractive alternative - new road building.

Vision versus reality

So if this is the vision, what is the current reality in terms of development of the requisite technologies and innovations, and can the gap between what is currently on offer and what is ultimately needed be bridged? One of the key exhibitors at Amsterdam is CVIS (Cooperative Vehicle-Infrastructure Systems), a 60-partner consortium project comprising leading automakers, Tier One and related industry suppliers, as well as representatives from academia, independent research institutions and the national road transport administrative authorities of many EU states. The fundamental enabling technology envisaged by CVIS is a 'universal communications module' that can interface with existing in-vehicle systems and roadside equipment. This module offers a potential framework for continuous high-capacity data transfer using existing cellular phone networks and next-generation wireless local networking. In this way CVIS effectively aims to provide the communications architecture that will allow vehicles to talk to each other and to roadside equipment; in effect, an enabling technology for a wide range of completely new V2I and V2V services based on vehicle identification using location or by IP address.

Acceptance and standards

But even if the communications infrastructure is now becoming available and the technology is being demonstrated, is society really ready to accept the risks of delegating safety-critical decision making to such systems? There is no clear answer to this other than, perhaps, a comparison with other safety-critical wireless or by-wire technologies that have become an accepted part of everyday life following initial scepticism (ranging from well-informed technical concern to media scare-mongering). For example, most air passengers of the 1980s would have been deeply suspicious if asked whether they were happy for an electronic system to take the place of safety-critical mechanical flight controls. Ask the same question today and few - if any - would be remotely concerned; the change of mindset has been complete. Behind this change in perception lies an increasing public awareness that the development processes for safety-critical control systems and software provide a robust framework under which, in systems where no fail-safe condition can be guaranteed, the notion of fault tolerance can be built in from the concept stage onwards.

In more recent drive-by-wire developments within the automotive industry the same general approach has been taken, albeit adapted to meet the specific needs of road-going vehicles. Typically, systems are classified prior to development in terms of a required Safety Integrity Level (SIL), which defines the design rules and processes to be followed in development. For example, basic infotainment and informational navigation systems would be at the lowest level - while systems for controlling brake- or steer-by-wire that have no mechanical back-up or full authority active driveline control would carry the highest SIL, requiring the most thorough standards of inherent fault tolerance.

The Motor Industry Software Reliability Association (MISRA) is actively engaged in this area, providing guidelines on best practice in the development of safety-related electronic and embedded software systems in road vehicles. This consortium consists primarily of European vehicle manufacturers, component suppliers and engineering consultancies, and aims to encourage uniform standards and processes in areas such as the use of graphical modelling packages, for example Simulink and SCADE, which are increasingly widely used for safety-critical software development. In this area, MISRA's guidelines provide norms as to the features of modelling packages that should be avoided, notably those that cannot be relied on as a basis for reliable software due to their specific reliance on a given autocode generator.

In 2009 the development frameworks that apply to safety-related electrical and electronic systems for road vehicles moved a significant step forward with the publication of the draft international standard ISO/DIS 26262 (Road vehicles - Functional safety). This standard is the result of a major international collaboration of automakers, Tier One suppliers, systems integrators, as well as electrical, electronic and control systems developers. Inputs were discussed and developed at a national level and subsequently coordinated via the committee structure of the International Organization for Standardization. Development of ISO 26262 commenced in late 2005 and aims to bring standards for the development of safety critical systems up to date by focusing on the specific needs of road vehicles and encompassing state-of-the-art design processes increasingly used by the automotive industry, including model-based control system development.

Data Integrity

Many processes of safety-critical automotive vehicle systems development have been created with the help of a solid body of knowledge and experience drawn from the aerospace sector; in some cases existing tools, such as SCADE, have been directly adapted for automotive application. But ITS-based V2V and V2I system developments, which by definition go beyond the boundary of the vehicle, present an entirely new and more complex development challenge. In the operation of these systems the integrity of data provided by external systems - as well as the mode of exchange between systems - is of crucial importance. And while in-vehicle systems can be considered largely in terms of direct operational considerations, V2V and V2I are inherently more exposed to external threats arising from malicious attacks.

Such threats fall into three principal categories: financial, personal privacy and denial of service. The first of these is perhaps the most obvious. In any system where financial details are stored - such as in automated road-user charging - there is the potential for fraudulent use of data, for example for financial theft or for the cloning of personal or vehicle data as a means of avoiding charges. Privacy is another important consideration for ITS systems, as journey and location details could potentially be used for malicious intent - or for purposes outside the scope of the original system design, such as the use of time-based vehicle location data for the recording of speeding offences. Denial of service attacks, a depressingly familiar feature of the internet age, are also a very real threat to the success of ITS systems. While some service denial attacks had humorous intent - such as the January 2009 attack on traffic information signs in Austin, Texas, which left motorists facing messages of 'Caution! Zombies ahead!' - the potential for such intrusions to lead to damage, serious injuries or worse in safety-critical ITS systems is clear. It is a threat that must be taken seriously in product design and development.

Organised under the auspices of innovITS, the UK centre for excellence for transport telematics and sustainable mobility, the facITS (framework, architecture and classification for Intelligent Transportation Systems) project aims to address this issue. A key part of the effort is being directed towards the development of a risk classification, analysis and management process for ITS applications. The project aims to provide a methodology of formal processes and techniques to enable the up-front assessment and management of risks to data integrity. It will build upon MISRA and ISO/DIS 26262 as well as established multi-industry frameworks such as IEC 61508, ISO 27000 and ISO 21707 to provide a common terminology and approach across the various domains and industries involved in ITS.

The facITS consortium membership includes vehicle systems integrators, academia and automotive equipment suppliers as well as - in recognition of the importance of the non-technical threats - the UK Association of Chief Police Officers. In addition to bringing together this important coalition of interests on the development of standards and processes, innovITS also aims to unblock another key obstacle to ITS innovation - the need for a dedicated testing infrastructure (see Sidebar, 'Testing advances').

Catching up with aerospace

Recently, there was controversy over the forced withdrawal from service of a regional UK police force's UAV surveillance drone, which was unlicensed for use in public airspace by the country's Civil Aviation Authority. The fact that the aerospace industry appears to be struggling to demonstrate the safety case for the telemetry and other systems that support the non-military operation of such remotely controlled UAVs in civilian airspace is perhaps a demonstration that the automotive sector is now tackling very similar issues in attempting to implement V2V and V2I systems. In this uncharted territory, the developments of CVIS and facITS must be taken seriously and built upon to create cooperative systems development frameworks no less rigorous than those that have delivered the safety-critical vehicle and aircraft systems that we all enjoy today. With dedicated test facilities due to open, it is crucial that the automotive and ITS industries meet this challenge, so that the apparent benefits of cooperative vehicle technologies can be delivered in the form of safer, more efficient highways, greater sustainability through reduced carbon emissions, and a safer transport system for all.

Testing advances

The need for a dedicated centre at which ITS technologies including V2V and V2I systems can be developed in a highly controlled manner and in complete safety will be addressed by the creation of innovITS ADVANCE, the world's first such facility. Many extremely promising innovations are held back by serious technical, legal and moral obstacles to their development on existing test tracks and public highways. The need for dedicated testing infrastructure is well recognised internationally, but the multi-industry/technology nature of ITS innovations, requiring collaboration between telecommunications companies, road network operators and automakers, means that market forces alone are unable to deliver these sorely needed facilities. As a result many innovations that might otherwise promote better road space utilisation - and therefore reduced carbon emissions, smoother journeys and improved road safety - are delayed, or fail to reach market altogether.

The 'city circuit' of innovITS ADVANCE provides a unique environment for the highly controlled testing and development of ITS innovations. A network of roads has been combined with an open architecture of multi-zoned Wi-Fi and GSM mobile telecoms systems that can be configured according to the precise needs of particular tests. With its advanced web-enabled control system, users of innovITS ADVANCE have at their disposal an environment in which new innovations can be tested with plug and play simplicity, under precisely specified road conditions and scenarios of communications access and denial. The creation of innovITS ADVANCE will remove a key obstacle to development and hence enable the benefits of ITS innovations to be realised much sooner than would otherwise be the case.