Millions of passengers happily travel on aircraft where computers oversee crucial safety-critical functions – yet suspicion still surrounds automotive drive-by-wire systems, especially those relating to steering and braking. Anthony Smith asks why the promised revolution has yet to happen and examines the lessons learned from aerospace that may enable safetycritical drive-by-wire implementation

Today almost every new commercial passenger aircraft is equipped with electronic fly-by-wire systems – yet just twenty years ago such technology was restricted to the domain of advanced military aviation. Until the 1980s all commercial aircraft used servo-assisted mechanical and hydraulic systems for the direct translation of flight deck control instructions into movements of the control surfaces of the wings, rudder and tailplane.

Fly-by-wire aircraft work in afundamentally different way. The pilot’s instructions are interpreted by electronic processors, which in turn activate the aircraft’s control surfaces to bring about the desired manoeuvre, all the while bearing in mind the characteristics and the limitations of the aircraft itself. The advantages were soon clear for combat aircraft, where electronically supervised control not only saved weight but allowed pilots to fly much closer to their planes’ aerodynamic limits, increasing agility and manoeuvrability in combat.

In the 1970s Concorde had taken a step towards fly-by-wire, albeit with a
mechanical fail-safe back-up system. In 1988, amid some public controversy, Airbus launched the A320, the world’s first fully fly-by-wire passenger jet liner: since that date, the technology has been rolled out across the whole Airbus range and has also been adopted by Boeing for its 777 airliner.

Most air passengers of the 1980s would have been deeply suspicious if asked whether they were happy for an electronic system to take the place of safety-critical mechanical flight
controls. Ask the same question today and few – if any – would be remotely concerned: the change of mindset has
been complete. So, what are the lessons of the commercial aerospace experience that can be drawn for the future of automotive drive-by-wire? Will the advanced brake- and steer-by-wire concepts demonstrated by the world’s automakers at successive international auto shows find similar public acceptance and commercial feasibility in years to come?

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Just Auto.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

-From fly-by-wire to drive-by-wire
To attempt to answer these questions and to discover why some forms of drive-by-wire have so readily been taken-up while others remain in the domain of technology demonstrators, it is useful to look at how different systems are categorised in terms of their criticality to vehicle safety.

According to Steve Montgomery, Ricardo director of control systems software, systems are routinely categorised in terms of safety criticality. “We use the concept of Safety Integrity Level (SIL) to identify the importance of each system to vehicle safety. The SIL level ascribed to each system defines the nature of the design rules and
process to be followed.

“The very highest-SIL level would be assigned for example to a steer-bywire or brake-by-wire system,” says Montgomery, “whereas the lowest might be used for an infotainment module. This would be reflected in the rigour and sophistication of the hardware and software development processes. On a like-for-like basis there can be two orders of magnitude greater engineering effort for a system classified at the highest-SIL level compared with the lowest.”

This goes some way to explaining the rapid take-up of many non safetycritical infotainment and telematic automotive technologies, where developers can specify and prototype a system without excessively formalised design or testing procedures.

Products are clearly developed according to predicted market needs and with the implications of possible failure modes in mind. However in an area such as infotainment, such implications will tend to focus upon customer satisfaction and safety will rarely be an issue. It also explains the rapid take-up and public acceptance of intermediate-SIL applications such as throttle-by-wire, which has a potential impact upon safety but where a clear ‘fail-safe’ condition exists.

“We can design throttle control systems to fail-safe as soon as a fault is detected by placing the engine in a low-torque ‘limp-home’ mode,” explains Montgomery. “In almost all circumstances this provides a safe outcome – even during an overtaking manoeuvre – which is no worse than failure of an old-style mechanical linkage would have been.”

The advantages to the manufacturer of such systems are clear in terms of packaging and the ability to engineer desired vehicle performance and response characteristics as a part of the
calibration process. Most customers are completely unaware that this aspect of their vehicle is engineered as a drive-by-wire system, but even those who do know are unlikely to be concerned, given the systems’ inherently fail-safe engineering.

For safety-critical drive-by-wire applications such as braking and steering, however, there is no true failsafe mode into which the system can
be placed. In the absence of mechanical back-up (which would clearly eliminate many of the inherent cost and performance advantages of drive-by-wire electronic systems) there are clearly some significant
engineering challenges and psychological consumer acceptance barriers to be overcome.

The Airbus A340 is one of a series of Airbus models using fly-by-wire controls. Since Airbus pioneered the technology with the A320 in 1988, fly-by-wire has gained widespread customer acceptance

From fail-safe to fault-tolerant
The approach taken follows established aerospace practice where, in the case of the highest-SIL safetycritical applications, developers aim to incorporate the concept of ‘fault tolerance’ rather than ‘fail-safe’. The design process for such systems is fundamentally different from that used in lower-SIL applications.

The starting point is an analysis of the safety requirements of the vehicle as a whole, which in turn must inform the safety requirements of the subsystem. Only at this stage candecisions be made as to how the system specification can be met through hardware and software. Throughout the engineering process, rigorous and detailed tracking is required to ensure conformity with vehicle and system level safety requirements.

“In many respects the easy bit is engineering the primary functions of the sensors, actuators, networks, processors and control software,” explains Montgomery. “Far more complex is the extensive analysis of potential failure modes which underlies this: also complex are the inherent redundancies which need to be built in to both the system and its design and development processes.”

On aircraft it is standard practice to have multiple flight controllers, actuators on each control surface, sensors and independent communications buses. For brake- or steer-by-wire, the emerging practice is to use similarly double redundant physical, communications and processing hardware linked by supervisory voting architecture to monitor and arbitrate upon faults during operation. Not all faults are equally serious, of course, and systems will need to be able to differentiate between those which require routine service, those which require implementation of a ‘limphome’ mode, and those which require immediate and urgent action to avoid a potentially catastrophic outcome.

In aerospace much has been made of the use of separate but parallel software development teams toreduce the potential for coding errors. For example, by ensuring that one team works on a system’s primary control software and a different team develops the code for the supervisory system checking its operation, it is unlikely that the same error will be duplicated. Ricardo has carried out many projects where it has applied its technology in the development of such fail-safe monitor systems according to the original specification of the client (see panel opposite). In addition, Ricardo and others are beginning to adopt similar mathematical reasoning tools to those used in aerospace in order to ensure that safety properties are always met in the software generated from specifications.

However, as Montgomery is quick to point out, such parallel development processes and reasoning tools should not be seen as a guarantee of fault-free software: a major focus must be placed upon the robustness of the original specification and its integration with vehicle safety requirements, he stresses. This view is echoed by the 2004 study, Out of Control, published by the UK Health and Safety Executive: this showed that 44 percent of control system software failures studied arose from errors of original specification and that a further 20 per cent arose due to badly controlled changes to the specification. In contrast to this, only 15 per cent of defects were as a result of the interpretation of the specification in software.

Costs, benefits and barriers to implementation
While the cost of the engineering fault-tolerant systems is already significant, the hardware cost of the requisite duplication of sensors, actuators, communications buses and processing may be greater still. With
their inherent need for high power consumption they are also likely to require significant costs in the provision of high-voltage, faulttolerant vehicle electrical supplies.
However, all of these are likely to be subject to significant economies of scale in production and incremental costs could fall as implementation becomes widespread.

Yet, whatever the technical and economic case for drive-by-wire, instinctive psychological barriers to public acceptance of its safety critical applications may prove the most challenging. There is no doubt that the early concerns regarding fly-by-wire have been all but completely eliminated. Nevertheless, the perceived risks of air and road travel are very different: we all implicitly delegate responsibility for our personal safety on an aircraft to the plane’s crew and the air traffic controllers who guide it to its destination. In a car, however, we are more intimately and personally responsible through our own actions for the safety of the vehicle, its passengers and other road users. For most drivers it would be a terrifying prospect for a system malfunction to deprive us of control over braking or steering, however remote the possibility of such a fault. Education as to the robustness and reliability of fault-tolerant systems may go some way to allay such fears, but it is likely to take more than this in a competitive market to persuade consumers that drive-by-wire technology is an attractive option.

Instead, the key to the acceptance of brake- and steer-by-wire may prove to be the tangible additional benefits to the driver in terms of improved functionality and reduced cost. As the widespread take-up of ABS has demonstrated in all but the lowest-cost entry-level products, customers are more than willing to accept electronic intervention in safety-critical vehicle control functions if there is a clear benefit. According to data presented by Infineon Technologies, approximately one third of all traffic deaths occur in front-to-front and front-to-rear collisions: decreases in stopping distances of 30 per cent and 50 per cent respectively would be expected from an improvement in driver reaction time of only 0.5 seconds.

The Ricardo rCube automotive control system prototyping product is used in the development of many failsafe and fault tolerance systems

With the implementation of pure electrical brakes, stopping distances might be reduced by a further 30 per cent, and the implementation of radar based systems may well enable improvements in response time in situations of last resort. Such systems, together with improved handling and stability programmes and possibly radar assisted adaptive cruise control, may well be an attractive proposition for customers once the technologies can be offered at a sufficiently low price. Beyond this, the acceptance of steer-by-wire solutions may require additional innovation to deliver further tangible user benefits, relating perhaps to improved handling capabilities as well as the advanced packaging solutions demonstrated in concept vehicles.

The final barrier: dealer education
Even if the psychological and technical barriers to implementation can be overcome, one of the most significant likely obstacles to the widespread take-up of drive-by-wire technologies could come in the form of the dealer networks who will maintain the vehicles in service. The advanced systems envisaged for drive-by-wire applications will require new levels of diagnostic skills. With increasing inter-connectivity of systems, the model of automatic module replacement on fault identification practised in so many cases today is unlikely to be acceptable. Even if the cost of modules is relatively low, the recurrence of faults and consequent loss of vehicle use resulting from misdiagnosis will rapidly alienate customers.

According to Montgomery, the successful implementation of driveby- wire technologies will thus have to be squarely focused upon delivering tangible benefits to the end user. Robustness will be essential throughout the value chain from faulttolerant systems engineering through to intelligent diagnostic servicing. But if the automotive industry embraces this methodical and customer-focused approach, the sky may well be the limit for drive-by-wire technologies.

This article was first published in the Ricardo Quarterly Review, a publication prepared by Ricardo in association with TwoToneMedia.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up