It's interesting to think about the failure modes here.<p>With domain-based ECUs, a failure means your locks OR windows OR windshield wipers stop working.<p>With zone-based, it could be the entire "west" zone that stops, which means you can't unlock the driver's door, open the windows, adjust the seat, and maybe even the ventilation fans don't work<p>I actually thought a lot of that was already on the CAN bus anyway, but my knowledge of cars stops there so maybe someone can fill in the gaps. Seeing only three "zones" is actually surprising to me. As I was reading I started forming the idea of a single bus cable that went around the car, with I/O modules anywhere there were physical buttons/lights/etc. There would just have to be a cost+weight balance of where it makes sense to stick a small I/O module vs run individual wires back to a bigger module. My assumption is as technology advances it becomes cheaper to have more small I/O modules with very short wire runs to buttons, but it doesn't seem like this is what they're doing.<p>I am also making the assumption this is "dumb I/O", and somewhere there is a "door lock" program that handles all locks/buttons. In the main computer you'd run all the domain programs individually/isolated, but there would still be a single program responsible for each domain, eg: all the locks (eg: considering button presses, fob buttons, door state, moving or not, etc, and act on the locks accordingly).<p>From a pure software point of view, if the east/west/south ECUs are actually doing the logic for their respective parts of the car, that seems like a nightmare to build: the code would end up being all partial and distributed. In the worst case you end up with bizarre bugs like "if you open the passenger door, then open the tailgate, then close the passenger door and press the lock button, the driver's door will lock but the passenger won't until you first unlock then shut everything" (which gets reported as "the locks are unreliable, some will randomly just not work every few days").