*4.5. Inverters and DC/DC Converters Used in EV Applications*

An inverter with a bidirectional power flow is required for operating as a starter/generator. This power electronic inverter is used to convert the battery's direct current into a three-phase alternating current, supplying the individual windings of the electrical machine with electric energy. The energy flow is reversed for the regenerative operation mode. In this case, the power electronic inverter converts the alternating current generated into direct current to charge the battery. In terms of its functional configuration, the power electronic inverter of the 48 V powertrain systems is similar to that of the high-voltage inverters used in full hybrids or all-electric vehicles, as can be seen in Figure 12. One of the main differences lies in the power of the semiconductors used. Unlike the high-voltage systems using primarily, insulated gate bipolar transistors (IGBTs), MOSFETs are predestined for use as switching elements in power electronic inverters for starter generators, because of their lower voltages and switching losses. To control a three-phase machine, MOSFETs are mainly used as three half-bridge converters.

**Figure 12.** Block diagram of inverter electronics (source: Infineon Technologies).

A switch-mode converter (DC/DC converter/chopper) is used to transfer the energy between the two subsystems of a dual voltage system. As it mostly transfers energy from the 48 V level system to the 12 V level, it is primarily working as a step-down (buck) converter. In this energy transfer direction, the DC/DC switch-mode DC/DC converter replaces the generator for the traditional 12 V system. Scenarios with switch-mode converters operating in a step-up operation mode usually only involve partial load requirements so as to ensure 48 V operation. Alternatively, they can be stand-alone system solutions without a 48 V generator. The evaluation of various application scenarios of 48 V implementation, with and without 48 V components, reveals that the switching-mode DC–DC converter needs to be implemented in different power classes from one to three kW. To ensure the cost-efficient production, a modular and scalable DC–DC switch-mode converter architecture is necessary to support the different power classes and levels. The scalable converter must be configured with multi-phase half-bridges, polarity reversal protection for 14 V, anti-touch protection and short-circuit protection, and it must be protected against single-point failures in the components carrying current [39]. Several active or passive air-cooling or water-cooling concepts can be used.

#### *4.6. Active Electronic Components*

The electronic control units of 48 V powertrain systems always follow the same fundamental/basic topologies as those used in 12 V or high-voltage systems. Anyway, the semiconductor devices/switches selected for 48 V power electronic converter applications must take the different voltage level and different loads into account. They are mainly used in 48 V systems to control the electrical motors and other electric loads, in addition to connecting the 48 V and 12 V system levels by means of a DC/DC switch-mode converter [45,46].

The semiconductor devices to be used in EVs can be classified into the following topologies: sensors, microcontrollers, power supply and power management integrated circuits (ICs), communication, and driver ICs. In 48 V power systems, MOSFETs are often used as power output stage ICs, as, compared to IGBT devices, their performance regarding switching and conduction losses

and cost is better [39]. A key issue for semiconductor devices/switches managing the current levels of more than 100 amperes, is the selection of their "case style", to ensure a sufficiently good dissipation of lost heat (cooling). Different case styles are possible subject to the configuration of the control unit, ranging from standard-organic field-effect transistors (OFET)-cases for single transistors and the integration of output stages (one or all stages) into one power module to the direct integration of power components into the motor. Driver ICs are another important element. Their primary purpose is to adjust the (PWM) signals generated by the microcontroller to control the motor to the level required for the power output stages. It may sometimes be necessary to use several drivers to ensure that this is achieved.

Multiple options are possible for the design of a DC/DC switch-mode converter, depending on individual requirements. The most important requirements, as discussed in the literature [39], are the converter performance (i.e., line regulation, load regulation, etc.), the efficiency (and hence the power losses), the package weight and volume, whether only unidirectional or also bidirectional power transfer is supported, whether power sources and load have galvanic separation or are coupled, and which classifications are reached in terms of the safety integrity level (SIL). These multiple options result in different circuit topologies (single-phase, two-phase, or multi-phase). The choice of converter switching frequency is also an important parameter.

### **5. In-Vehicle Cyber-Security for New GV Generations: Threats and Countermeasures**

The new electronics control architecture of hybrid and electric vehicles, discussed in Sections 3 and 4, where control units are interconnected through in-vehicle networks, like CAN, will create new cyber-security issues. The latter can lead to severe safety issues as, as discussed in Sections 3 and 4, cyber-attacks propagating through the in-vehicle network can compromise the control of electrical components, providing key functionalities like energy generation, braking, and torque generation. To mitigate these issues, some countermeasures will be discussed in this section.

Some key features, such as integrity of the data, privacy, identification, and availability, should characterize a secure on-board communication system. However, a lot of security threats [46–54] characterize state-of-art technologies for on-board networking. The state-of-art is based on the use of CAN, and its evolutions time-triggered CAN (TTCAN) and flexible data-rate CAN (CAN-FD), as the backbone of the in-vehicle network. Then, several types of communication technologies are used for specific tasks; for example, the local interconnect network (LIN) is used for low data-rate nodes, FlexRay is used for high throughput control tasks, multimedia oriented system transport (MOST), or IDB-1394 (Automotive Firewire) are used for infotainment applications, where the human–machine interfaces exploit Bluetooth and/or USB connectivity.

At the state-of-art, on-board gateway units are used to interconnect each other the different networking domains. This approach, which allows access to any vehicular bus from every other existing bus system, is a severe source of cybersecurity threats. An ECU that is interconnected on a low security-level and non-safe multimedia bus like MOST can transmit information (data packets) to other ECUs, even those operating in safety domains and interconnected with CAN or FlexRay [55,56]. As a consequence, a security-violation of a single subsystem can propagate and lead to the failure of the whole communication infrastructure. The challenge is when the propagation reaches safety-related domains, like those related to propulsion, braking, and navigation control, which are typically based on CAN or FlexRay technologies. The trends towards autonomous driving, towards a vehicle's connectivity with V2I/V2V technologies, and towards the electrification of propulsion, braking, and energy storage through electric components (machines, converters, and batteries) controlled by digital ECU, are exacerbating the above security risks.

In the state-of-art of on-board networking technologies, the requirement of data integrity is satisfied thanks to the use of error detection techniques, like, for example, cyclic redundancy check (CRC) codes. Instead, security features like data confidentiality, data authentication, and data availability are not guaranteed with the current in-vehicle technologies.

The broadcast nature of CAN, and its evolutions CAN-FD and TTCAN, is a source of threats for data confidentiality. A security-compromised ECU, which is under the control of a hacker, because of the broadcasting communication approach, can monitor all of the messages that are transferred through the bus (generated from or transmitted to all the other non-compromised ECUs).

At the state-of-art, to ensure a car's E/E scalability, ECUs can be added or removed with a plug-and-play approach. For example, if a new ECU is added to a CAN bus, then a new CAN identifier is assigned to it, without any change to the other installed ECUs. Combining this with the fact that signature mechanisms are currently missing, it is easy to understand that at the state-of-art there is a high risk of correct authentication. As consequence, it is possible for a hacker to attack an ECU and to emulate protocol-compliant behavior, as for all the other ECUs, is difficult to understand if a received packet has been transmitted by an authorized or unauthorized (and hence malicious) ECU.

Another feature of the current in-vehicle technologies that is a source of security threats is the arbitration among multi-masters based on identifier priority. This feature creates a risk for data availability. Indeed, a hacked ECU can use a high priority identifier to generate false packets. Because of the arbitration based on the identifier priority, the hacked controller using a fake high priority identifier can continuously send false packets, thus jamming the whole communication infrastructure, which will be no more available to the other ECUs. The jamming attack will cause a denial of service, with a high severity in terms of safety issues when the subsystem under attack is related to propulsion, braking, or navigation functionalities.

To address the above cybersecurity threats, several countermeasures are under analysis in the current R&D activities of the automotive industry and academia.

Cybersecurity hardware accelerators should be integrated in new automotive controllers to implement in real-time the encryption of data packets. To this aim, cybersecurity hardware accelerators to implement in real-time advanced encryption standard (AES), at the core of symmetric cryptography, or elliptic curve cryptography (ECC) for asymmetric cryptography, are under development [56–60].

Moreover, the trusted zone concept can be exploited. This means that the several network domains, and the relevant subsystems, should be clustered in separated security zones. Such zones should each be separated by gateways with integrated cybersecurity features. Thanks to this countermeasure, an attack on a non-safety domain, for example MOST, will be blocked when trying to propagate to a safety-related domain, like CAN. As consequence, a cybersecurity failure of the infotainment system (not related to driver and passenger safety) will not be the first step for a failure of the braking or propulsion systems, which instead are safety-critical.

Besides the adoption of the trusted zone concept, it is important to cluster the ECUs in different classes with different trustability levels. Such clustering should take into account both "how easy an ECU can be attacked" and "which are the safety consequences in an ECU is attacked".

Anomaly detection and intrusion detection mechanisms should be also implemented, exploiting both physical and packet layer features. In this way it will be possible to identify malicious ECUs.

#### **6. Conclusions**

This work has reviewed the recent trends for the electrification and digitalization of GVs. The current and foreseen, until 2030, market penetration of different types of EVs have been discussed, as well as their energy demand and their pollutant emissions. These trends have been compared to the evolution trends of battery technology, mainly based on lithium technology, and of the recharging issues considering the characteristics of the power grid. Real power grid scenarios in three cities, Hong Kong (China), Long Beach (CA, USA), and Manchester (UK) are considered. As result, from the vehicle point of view, light BEVs and 48 V HEVs are seen as the most promising technologies in terms of penetration and market acceptance. From the power grid point of view, demand-side management is the key technology to face the energy demand of transport electrification and to overcome the limits of current power grid. Solutions to integrate EV electricity demand in power grids have been also discussed and proposed. Integrated E/E architectures for HEVs and full EVs have been analyzed,

detailing the innovations emerging for all components—inverter and DC/DC converters, new electric drives, battery-packs, and related BMS. 48 V HEVs are emerging as the most promising solution for a short-term electrification of vehicles. To this aim, a new integrated starter generator e-drive has been proposed; a power rating up to 10 kW is capable of ensuring the hybridization of small and medium cars, with a limited impact of the car architecture. This approach will ensure a smooth and rapid transition from the current ICE-based car generation to full EV. The increased digitalization and connectivity of electrified cars is also posing cyber-security issues. The main limits of state-of-art on-board vehicles, particularly CAN, have been discussed, and a list of countermeasures to mitigate them has been proposed.

**Author Contributions:** Both authors contributed equally to this survey paper.

**Funding:** This work was partially supported by PRA2017 project from University of Pisa.

**Acknowledgments:** With reference to Section 3, discussions with Valeo and AMS partners in the framework of the ATHENIS-3D EU projects are gratefully acknowledged.

**Conflicts of Interest:** The authors declare no conflict of interest.
