Vehicles can include an internal combustion engine that drives a powertrain to propel the vehicle. In some instances, the powertrain includes an automatic transmission that multiplies the drive torque generated by the engine. When an engine start is initiated (i.e., the engine is cranked using a starter motor), traditional vehicles use a switch to determine whether the transmission is in a non-power-transfer range (e.g., park (P) or neutral (N)). Engine start is allowed only when the transmission is in P or N and is prohibited otherwise (e.g., while the transmission is in drive (D) or reverse (R)).
In traditional vehicle systems, one of a plurality of control modules can make an independent assessment of whether to allow an engine start using a separate P/N switch that is connected to the mechanical parking mechanism of the transmission. In such systems, the onus of ensuring a proper engine start signal lies with that particular control module. When the range signal is instead transmitted over the controller area network (CAN), it is sent as a secured signal, so that a detected failure in the transmitted signal causes the engine start to be prohibited. The sources of failure that can contribute to a non-secure engine start include, but are not limited to, sensor failures, control module hardware failures and control module software failures.
Sensor failures in a security-critical system generally require redundant sensors in the system design. Control module hardware failures can be detected with security-critical microprocessor architectures, and industry standards exist for these architectures. Control module software failures can be protected against by providing a secondary, independently calculated path for the security-critical variable; such secondary paths have to be designed specifically for the feature that is identified as security-critical. In the engine start case, a software failure in the transmission control module (TCM) could cause an incorrect range message to be sent over CAN to the engine control module (ECM), which could result in an engine start being allowed while the transmission is in a power-flow condition (e.g., the D or R ranges).
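The following is an added, constructed example (not code from the original document or from any vehicle manufacturer) of how an ECM-side start authorization could combine the secured CAN range message with the independent P/N switch as a secondary path. The message layout (range byte, 4-bit rolling alive counter, one XOR protection byte with a fixed seed) is an assumption chosen for illustration, not a real CAN signal definition; the point it shows is that a corrupted or stale message, a non-P/N range, or a disagreement between the TCM message and the mechanical switch each fall through to "prohibit".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Transmission range as reported by the TCM over CAN.
 * Constructed example encoding, not a real signal definition. */
typedef enum { RANGE_P = 0, RANGE_R = 1, RANGE_N = 2, RANGE_D = 3 } trans_range_t;

/* A "secured" range message: payload plus a rolling alive counter and a
 * protection byte. The format is an assumption made for this example. */
typedef struct {
    uint8_t range;      /* trans_range_t */
    uint8_t counter;    /* rolling alive counter, 0..15, +1 per frame */
    uint8_t protection; /* XOR of range, counter and a fixed seed */
} range_msg_t;

#define PROT_SEED 0x5Au

/* Protection value over the payload; both TCM and ECM compute it. */
uint8_t range_protection(uint8_t range, uint8_t counter) {
    return (uint8_t)(range ^ counter ^ PROT_SEED);
}

/* TCM side: build a frame for the given range and alive counter. */
range_msg_t make_range_msg(trans_range_t range, uint8_t counter) {
    range_msg_t m;
    m.range = (uint8_t)range;
    m.counter = counter & 0x0Fu;
    m.protection = range_protection(m.range, m.counter);
    return m;
}

/* ECM side integrity check: range must be in the defined set, the
 * protection byte must match, and the alive counter must be exactly one
 * step past the last accepted frame (a repeated or stale frame fails). */
bool range_msg_valid(const range_msg_t *m, uint8_t last_counter) {
    if (m->range > RANGE_D) return false;
    if (m->protection != range_protection(m->range, m->counter)) return false;
    if (m->counter != ((uint8_t)(last_counter + 1u) & 0x0Fu)) return false;
    return true;
}

/* ECM side start authorization. The CAN message is the primary path and
 * the independent P/N switch is the secondary path. Start is allowed only
 * when the message is valid, it reports P or N, and the switch agrees;
 * any failure in either path results in "prohibit". */
bool engine_start_allowed(const range_msg_t *m, uint8_t last_counter,
                          bool pn_switch_closed) {
    if (!range_msg_valid(m, last_counter)) return false;
    bool msg_says_pn = (m->range == RANGE_P || m->range == RANGE_N);
    return msg_says_pn && pn_switch_closed;
}

int main(void) {
    uint8_t last = 4;                         /* last accepted alive counter */
    range_msg_t p_msg = make_range_msg(RANGE_P, 5);
    range_msg_t d_msg = make_range_msg(RANGE_D, 5);
    range_msg_t bad = p_msg;
    bad.protection ^= 0x01u;                  /* simulated bus corruption */

    printf("P, switch agrees      : %d\n", engine_start_allowed(&p_msg, last, true));
    printf("P msg, switch says no : %d\n", engine_start_allowed(&p_msg, last, false));
    printf("D, switch agrees      : %d\n", engine_start_allowed(&d_msg, last, true));
    printf("P, stale counter      : %d\n", engine_start_allowed(&p_msg, 5, true));
    printf("P, corrupt protection : %d\n", engine_start_allowed(&bad, last, true));
    return 0;
}
```

The second case is the TCM software failure described above: the message itself is well formed and claims P, so a receiver that trusted the CAN message alone would crank the engine; only the independent switch path blocks it.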