Assurance cases for ADAS
Dr Ireri Ibarra, Chief Engineer, Functional Safety
September 2013
Smarter Thinking. © MIRA Ltd 2013
NMI Automotive Electronic Systems
Why ADAS? Vehicle technologies to increase road safety
A priority area for action defined by the EC in its Policy Orientations is the promotion of technologies to increase road safety, e.g.:
- Intelligent Speed Adaptation (ISA)
- Advanced Emergency Braking Systems (AEBS)
- Lane Departure Warning Systems (LDWS)
- Pedestrian Detection Systems combined with Automatic Emergency Braking (PDS / EBR)
- Blind Spot Detection for Trucks (BSD-T)
- Alcohol interlocks
- Event Data Recorders (EDRs)
- Speed limiters for Light Commercial Vehicles
- Tyre Pressure Monitoring Systems
ADAS Challenges
ADAS means:
- advanced → complex functionality
- systems → tightly integrated with other in-vehicle systems
- driver assist → safety-relevant functionality
Legislation, standards and guidance
ISO 26262, Functional safety for passenger vehicles:
- Intended to be an automotive adaptation of IEC 61508.
- Following ISO 26262 would enable straightforward type approval, e.g. under the UNECE Regulation 13-H complex electronics annex (also linked with the AEBS legislation).
- ISO 26262 sets, for the first time in the automotive industry, a framework for systems engineering in the development of electronic control systems.
- There is a desire to align functional safety assessment with process assessment: SPICE (ISO 15504), or as part of quality audits (ISO 9001 / ISO/TS 16949).
From 1 November 2013, for most but not all M2/M3 and N2/N3 classes of vehicle, fitment of the following is mandatory:
- AEBS (Advanced Emergency Braking Systems): Commission Regulation (EU) 347/2012
- LDW (Lane Departure Warning): Commission Regulation (EU) 351/2012
Roadside technology trends
- Inter-system communications, e.g. NTCIP (National Transportation Communications for Intelligent Transportation System (ITS) Protocol)
- Distributed control systems
- Vehicle–infrastructure communications
- Increasing safety-related functionality, examples:
  - UK hard shoulder running on motorways (M42 "active traffic management")
  - US Express Lanes (I-495, I-110, US 36)
Present concerns
- Higher degree of system authority
- Varied threats with different motivations (financial, criminal, recreational)
- Preparation for situations that may decrease safety levels:
  "We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems." [1]
- Transportation is a complex sector: systems of systems, where a given system is composed of a number of elements which are medium- to large-scale systems in their own right.

[1] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010. University of Washington, Center for Automotive Embedded Systems Security.
Levels of automation and ADAS examples

NHTSA                                     | EC               | SAE                                                  | ADAS example
Level 0 – Non automated                   | Driver only      | Level 0 – Non automated                              |
Level 1 – Function specific automation    | Assisted         | Level 1 – Assisted                                   |
Level 2 – Combined function automation    | Semi-automated   | Level 2 – Partial automation                         | TJA (Traffic Jam Assist)
Level 3 – Limited self-driving automation | Highly automated | Level 3 – Conditional automation                     | AEB
Level 4 – Full self-driving automation    |                  | Level 4 – High automation; Level 5 – Full automation |
Engineering lifecycle process for ADAS
- Product liability: how to ensure that industry state-of-the-art is being adhered to
- Achieving system assurance:
  - Completeness: how to ensure that test suites are complete; how to test for safety, security, and availability
  - Correctness: how to ensure that test suites are correct
  - Functional: how to ensure that the system meets its functional requirements
  - Non-functional
Functional safety
- Generally: the part of the overall safety of a system that depends on it operating correctly in response to its inputs.
- Specifically, in ISO 26262: preventing hazards that may result from electronic system malfunctions.
- The definitions of hazard and harm are narrower compared to other standards and practices.
- The aim is to provide fail-safe behaviour.
ISO 26262 requirements cascade
Item level:
- Part 3, Concept phase → functional safety requirements (FSRs)
- Part 4, Product development: system level → technical safety requirements (TSRs)
Element level:
- Part 5, Product development: hardware level → hardware safety requirements (HwSRs)
- Part 6, Product development: software level → software safety requirements (SwSRs)
Part 7, Production and operation
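The cascade above only delivers the traceability the conclusions call for if every requirement is linked to the level directly above it and nothing is left unrefined. The following is an added example (not MIRA's tooling, and not from the slides): a small checker over a constructed AEB requirement set, where the requirement IDs, texts and `derived_from` links are invented for illustration. It reports requirements that skip a level (an SwSR derived straight from an FSR), element-level requirements with no upward trace, and FSRs or TSRs with nothing beneath them.

```python
"""Traceability check over an ISO 26262 requirements cascade.

Added example, not MIRA's tooling: requirement IDs, texts and the
'derived_from' links below are constructed for illustration only.
The level order mirrors the cascade on the slide: item-level FSRs
(Part 3) refine into TSRs (Part 4), which are allocated to element-level
HwSRs (Part 5) or SwSRs (Part 6).
"""
from collections import defaultdict

LEVELS = {"FSR": 0, "TSR": 1, "HwSR": 2, "SwSR": 2}


def req_type(req_id):
    """Requirement type is the prefix before the dash, e.g. 'TSR-02' -> 'TSR'."""
    return req_id.split("-", 1)[0]


def check_cascade(reqs):
    """reqs: {id: {"text": str, "derived_from": [parent ids]}}.

    Returns {finding: [...]}; an empty dict means every FSR is refined into
    at least one TSR, every TSR is allocated to hardware or software, and
    every lower-level requirement traces to exactly the level above it.
    """
    findings = defaultdict(list)
    children = defaultdict(list)
    for rid, req in reqs.items():
        lvl = LEVELS.get(req_type(rid))
        if lvl is None:
            findings["unknown_type"].append(rid)
            continue
        parents = req.get("derived_from", [])
        if lvl > 0 and not parents:
            # system- or element-level requirement with no upward trace
            findings["orphan"].append(rid)
        for parent in parents:
            if parent not in reqs:
                findings["dangling_link"].append((rid, parent))
            elif LEVELS.get(req_type(parent)) != lvl - 1:
                # e.g. an SwSR derived directly from an FSR, skipping the TSR level
                findings["level_skip"].append((rid, parent))
            else:
                children[parent].append(rid)
    for rid in reqs:
        lvl = LEVELS.get(req_type(rid))
        if lvl is not None and lvl < 2 and not children[rid]:
            # FSR with no TSR beneath it, or TSR not allocated to HW/SW
            findings["unrefined"].append(rid)
    return dict(findings)


# Constructed sample cascade for an AEB item (illustrative, not from a real programme).
AEB_REQS = {
    "FSR-01": {"text": "Unintended AEB braking shall be prevented", "derived_from": []},
    "FSR-02": {"text": "Loss of the AEB function shall be indicated to the driver", "derived_from": []},
    "TSR-01": {"text": "A brake request shall require confirmation from radar and camera", "derived_from": ["FSR-01"]},
    "TSR-02": {"text": "The brake request message shall carry a counter and a CRC", "derived_from": ["FSR-01"]},
    "SwSR-01": {"text": "Fusion software shall reject a single-sensor brake request", "derived_from": ["TSR-01"]},
    "HwSR-01": {"text": "The CAN controller shall support CRC-protected transmission", "derived_from": ["TSR-02"]},
    "SwSR-02": {"text": "Warning lamp shall be driven on AEB fault", "derived_from": []},
    "SwSR-03": {"text": "Fault state shall be latched until next ignition cycle", "derived_from": ["FSR-02"]},
}

if __name__ == "__main__":
    for finding, items in check_cascade(AEB_REQS).items():
        print(f"{finding}: {items}")
```

On the sample set the checker flags SwSR-02 as an orphan, SwSR-03 as skipping the TSR level, and FSR-02 as unrefined (its only descendant is the level-skipping SwSR-03, so no valid TSR exists for it). The same three findings are the ones a functional safety assessor would raise against the Part 4 work products.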
Cyber-security
- Generally: concerned with preventing accidental or intentional intrusion into IT systems.
- Specifically, in automotive: concerned with securing external interfaces against unintended intrusion and use.
  - Interfaces include end-of-line programming, service, consumer (nomadic) devices, V2X communications.
  - Compare the "traditional" view of automotive "security" requirements.
Arguments and assurance cases
- Safety arguments have been widely used in different safety-critical industries.
- An assurance argument can be used to show how disruptions can be identified and managed to a degree such that confidence in the system is maintained.
- Similarly to a traditional safety case, it is a structured body of evidence, in the form of an argument for the intended operation and application of the system, which provides assurance over critical properties of the system. Goals, strategies and solutions are usually structured in a hierarchical fashion.
- Other mechanisms are required to provide fail-operational behaviour.
Goal Structuring Notation
GSN is a framework to capture and represent assurance arguments in graphical form. GSN aims to show how goals are broken down into sub-goals and supported by evidence (solutions), whilst making clear the strategies adopted, the rationale for the approach (assumptions, justifications) and the context in which goals are stated.
Assurance case
High-level architecture
- Lifecycle phases: Concept, Development, Validation
- Risk management model: Risk Identification, Risk Assessment, Risk Management
Assurance case –Risk identification
Top goal (Veh Risk Identification): hazard and threat identification process argument
- Hazard Identification: functional and non-functional hazards have been identified
- Threat Identification: threats have been identified by use case
Assurance case –Hazard and threat identification
Hazard Identification: functional and non-functional hazards have been identified
- Systematic Hazard Identification: methods for systematic hazard identification have been applied
- Identify functional hazards → Identification of Functional Hazards
- Identify non-functional hazards → Identification of Non-Functional Hazards
- Evidence: Hazard Identification results
Threat Identification: threats have been identified by use case
- Systematic Threat Identification: methods for systematic threat identification have been applied
- Identify threats for Car to Car communication → Identification of Car2Car Threats
- Identify threats for Infrastructure to Car communication → Identification of I2Car Threats
- Identify vulnerabilities from nomadic devices → Identification of Nomadic Threats
- Identify threats for aftermarket modifications → Identification of Aftermarket Threats
- Identify threats from service diagnostics → Identification of Service Threats
- Evidence: Threat Identification results
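Because a GSN argument is a typed graph, the notation described on the Goal Structuring Notation slide and the hazard/threat tree above can be checked mechanically for the kind of gap the conclusions worry about: a sub-goal that was drawn but never given a solution. The following is an added example (not MIRA's tooling, and not a verbatim copy of the slide's diagram): a validator for the basic GSN rules, run over a reconstruction of part of the hazard/threat argument. Node IDs are invented, only two of the five threat sub-goals are modelled, and treating the "systematic methods applied" statements as Justification nodes is an assumption; one threat sub-goal is deliberately left unsupported so the check has something to find.

```python
"""Structural checks on a GSN assurance argument.

Added example, not MIRA's tooling and not a verbatim copy of the slide:
the argument below is reconstructed from the hazard and threat
identification slide, node IDs are invented, and modelling the
"systematic methods applied" statements as Justification nodes is an
assumption. The rules encoded are the basic GSN ones: SupportedBy edges
run Goal -> Goal/Strategy/Solution or Strategy -> Goal, InContextOf
edges run from a Goal or Strategy to a Context/Assumption/Justification,
Solutions are leaves, and the support graph must be acyclic.
"""
from collections import deque

SUPPORT_TARGETS = {"Goal": {"Goal", "Strategy", "Solution"}, "Strategy": {"Goal"}}
CONTEXT_TYPES = {"Context", "Assumption", "Justification"}


def validate_gsn(nodes, supported_by, in_context_of):
    """nodes: {id: (type, statement)}; edges are (src, dst) pairs.

    Returns a list of (rule, where) findings; an empty list means the
    argument is structurally complete (no undeveloped goals or strategies).
    """
    findings = []
    support = {n: [] for n in nodes}
    for src, dst in supported_by:
        if src not in nodes or dst not in nodes:
            findings.append(("unknown_node", f"{src}->{dst}"))
            continue
        if nodes[dst][0] not in SUPPORT_TARGETS.get(nodes[src][0], set()):
            findings.append(("bad_support_edge", f"{src}->{dst}"))
        support[src].append(dst)
    for src, dst in in_context_of:
        if src not in nodes or dst not in nodes:
            findings.append(("unknown_node", f"{src}->{dst}"))
        elif nodes[src][0] not in SUPPORT_TARGETS or nodes[dst][0] not in CONTEXT_TYPES:
            findings.append(("bad_context_edge", f"{src}->{dst}"))
    for nid, (ntype, _) in nodes.items():
        if ntype in SUPPORT_TARGETS and not support[nid]:
            findings.append(("undeveloped", nid))  # a claim with nothing beneath it
    # Kahn's algorithm over SupportedBy: if not every node drains, the argument loops on itself.
    indeg = {n: 0 for n in nodes}
    for dsts in support.values():
        for dst in dsts:
            indeg[dst] += 1
    queue = deque(n for n in nodes if indeg[n] == 0)
    drained = 0
    while queue:
        n = queue.popleft()
        drained += 1
        for dst in support[n]:
            indeg[dst] -= 1
            if indeg[dst] == 0:
                queue.append(dst)
    if drained != len(nodes):
        findings.append(("cycle", "supported_by graph"))
    return findings


# Reconstructed from the slide; IDs and the Justification typing are assumptions.
NODES = {
    "G1": ("Goal", "Hazards and threats for the item have been identified"),
    "G2": ("Goal", "Functional and non-functional hazards have been identified"),
    "G3": ("Goal", "Threats have been identified by use case"),
    "J1": ("Justification", "Methods for systematic hazard identification have been applied"),
    "J2": ("Justification", "Methods for systematic threat identification have been applied"),
    "S1": ("Strategy", "Argue over functional and non-functional hazards separately"),
    "S2": ("Strategy", "Argue over each external interface: Car2Car, I2Car, nomadic, aftermarket, service"),
    "G4": ("Goal", "Functional hazards identified"),
    "G5": ("Goal", "Non-functional hazards identified"),
    "G6": ("Goal", "Car2Car threats identified"),
    "G7": ("Goal", "Service diagnostics threats identified"),
    "Sn1": ("Solution", "Hazard identification results"),
    "Sn2": ("Solution", "Threat identification results"),
}
SUPPORTED_BY = [("G1", "G2"), ("G1", "G3"), ("G2", "S1"), ("S1", "G4"), ("S1", "G5"),
                ("G4", "Sn1"), ("G5", "Sn1"), ("G3", "S2"), ("S2", "G6"), ("S2", "G7"),
                ("G6", "Sn2")]          # G7 deliberately left without a solution
IN_CONTEXT_OF = [("G2", "J1"), ("G3", "J2")]

if __name__ == "__main__":
    print(validate_gsn(NODES, SUPPORTED_BY, IN_CONTEXT_OF))
```

Run as-is it reports G7 (service diagnostics threats) as undeveloped; adding the missing ("G7", "Sn2") edge clears it. A Solution is never allowed to support anything, so an edge drawn upward from evidence to the top goal is reported both as a bad edge and, because it closes a loop, as a cycle. Structural soundness is of course necessary, not sufficient: the validator cannot tell whether the threat list behind Sn2 is complete, which is exactly the point the conclusions make.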
Assurance case –Risk assessment
Top goal (Veh Risk Assessment): risk assessment process argument
- Hazard Assessment: the identified hazards for the Item have been assessed → Hazard assessment results
- Threat Assessment: the identified threats for the Item have been assessed → Threat assessment results
- Use Case Analysis: example use cases and situations used to provide context to the risk classification
Conclusions
- The added complexity of ADAS can be better managed through a top-down systems engineering lifecycle, which caters for incremental testing and allows for requirements traceability.
- Functional requirements of the system need to be captured and consolidated with those non-functional requirements that are necessary to achieve system assurance.
- A safety argument and a cyber-security argument can be combined to address system assurance. Amongst the most challenging points for this approach is completeness in the identification of threats: cyber-security attacks have a more unpredictable nature and will exploit vulnerabilities in the system, which may be introduced as emergent behaviour of the system.
- Additionally, the specification of requirements to eliminate risks is well understood for the safety properties of the system; it is not yet the case for cyber-security threats that may have an impact on safety.
Contact details
Dr Ireri Ibarra BEng, PhD
Chief engineer, Functional Safety
Direct T: +44 (0)24 7635 5415
E: [email protected]
MIRA Ltd, Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK
T: +44 (0)24 7635 5000 F: +44 (0)24 7635 8000 www.mira.co.uk