
    Safety and Security Analysis of AEB for L4 Autonomous Vehicle Using STPA

    Autonomous vehicles (AVs) are coming to our streets. Due to the presence of highly complex software systems in AVs, there is a need for a new hazard analysis technique to meet stringent safety standards. System Theoretic Process Analysis (STPA), based on Systems Theoretic Accident Modeling and Processes (STAMP), is a powerful tool that can identify, define, analyze and mitigate hazards from the earliest conceptual stage of development to the operation of a system. Applying STPA to autonomous vehicles demonstrates STPA's applicability to preliminary hazard analysis, alternative available, developmental tests, organizational design, and functional design of each unique safety operation. This paper describes the STPA process used to generate system design requirements for an Autonomous Emergency Braking (AEB) system using a top-down analysis approach to system safety. The paper makes the following contributions to practicing STPA for safety and security: 1) it describes the incorporation of safety and security analysis in one process and discusses the benefits of this; 2) it provides an improved, structural approach for scenario analysis, concentrating on safety and security; 3) it demonstrates the utility of STPA for gap analysis of existing designs in the automotive domain; 4) it provides lessons learned throughout the process of applying STPA and STPA-Sec.

    Safety and Security Co-engineering and Argumentation Framework

    Automotive systems become increasingly complex due to their functional range and data exchange with the outside world. Until now, functional safety of such safety-critical electrical/electronic systems has been covered successfully. However, the data exchange requires interconnection across the trusted boundaries of the vehicle. This leads to security issues such as hacking and malicious attacks against interfaces, which could give rise to new types of safety issues. Before mass production of automotive systems, arguments supported by evidence are required regarding safety and security. Product engineering must be compliant with specific standards and must support arguments that the system is free of unreasonable risks. This paper presents a safety and security co-engineering framework, which covers standard-compliant process derivation and management, and supports product-specific safety and security co-analysis. Furthermore, we investigate process- and product-related argumentation and apply the approach to an automotive use case regarding safety and security. This work is supported by the projects EMC2 and AMASS. Research leading to these results has received funding from the EU ARTEMIS Joint Undertaking under grant agreement no. 621429 (project EMC2), project AMASS (H2020-ECSEL no. 692474; Spain's MINECO ref. PCIN-2015-262) and from the COMET K2 - Competence Centres for Excellent Technologies Programme of the Austrian Federal Ministry for Transport, Innovation and Technology (bmvit), the Austrian Federal Ministry of Science, Research and Economy (bmwfw), the Austrian Research Promotion Agency (FFG), the Province of Styria and the Styrian Business Promotion Agency (SFG).

    Application of the STPA methodology to an automotive system in compliance with ISO26262

    In the automotive domain, functional safety is one of the most important aspects that need to be considered while developing a safety-critical system. Functional safety in road vehicles was standardized in 2011 when ISO 26262 was published. The standard gained a lot of interest and many companies are now using it, including Daimler AG. Hazard analysis and risk assessment (HARA) is described in Part 3 of ISO 26262; it analyses the hazards and evaluates the risk. Despite the standard having been used for many years, this method has some limitations, especially when applied to a complex system. For example, hazards related to human behaviour are not taken into consideration, even though the human is part of the system. System-Theoretic Process Analysis (STPA) is a modern hazard analysis method developed by Nancy Leveson at MIT and published in 2012. In STPA, more causes of accidents, such as human error, are taken into consideration. The purpose of this thesis is to broaden the scope of ISO 26262 by integrating STPA into Part 3 of ISO 26262, which contains the hazard analysis and risk assessment methodology. This integration is described in a process diagram, and guidelines were presented to help conduct the safety analysis using the new method. It was then applied to a Daimler automotive system, the cruise control. The results from a previous analysis of the same system were compared with the results of the new method, and 2 experts at Daimler AG evaluated the analysis and its results. In conclusion, it was proven that STPA can be integrated into an ISO 26262-compliant process and that this integration can help increase the safety scope of the standard, since more causes of accidents were found. The new method was proven to be feasible, beneficial and easy to learn.
    This thesis can be the starting point for many future works in which the new method is further improved and applied to other automotive systems.

    In the automotive domain, functional safety is one of the most important aspects that must be considered when developing a safety-critical system. Functional safety in road vehicles was standardized in 2011 with the publication of ISO 26262. The standard attracted great interest and many companies use it, including Daimler AG. Hazard analysis and risk assessment (HARA) is described in Part 3 of ISO 26262 and, as the name suggests, is used to analyse hazards and evaluate risk. Although ISO 26262 has been in use for many years, it has some limitations, particularly when applied to a complex system. For example, hazards related to human behaviour are not taken into account, even though the human is part of the system. System-Theoretic Process Analysis (STPA) is a modern hazard analysis method developed by Nancy Leveson at MIT and published in 2012. In STPA, more accident causes, such as human error, are taken into consideration. The aim of this work is to extend the scope of ISO 26262 by integrating STPA into Part 3 of ISO 26262 (which contains the hazard analysis and risk assessment methodology). This integration is described in a process model, and guidelines were presented to support the safety analysis using the new method. It was then applied to a Daimler automotive system (the cruise control). The results of earlier analyses of the same system were compared with the results of the new method, and 2 experts from Daimler AG evaluated the analysis and its results. 
    In summary, it was shown that STPA can be integrated into an ISO 26262-compliant process and that this integration can help extend the safety scope of ISO 26262, since more accident causes were found. The new method proved to be feasible, beneficial and easy to learn. This thesis can be the starting point for many future works in which the new method is further improved and applied to other automotive systems.

    A Changing Landscape: On Safety & Open Source in Automated and Connected Driving


    Causality and Functional Safety - How Causal Models Relate to the Automotive Standards ISO 26262, ISO/PAS 21448, and UL 4600

    With autonomous driving, the system complexity of vehicles will increase drastically. This requires new approaches to ensure system safety. Looking at standards like ISO 26262 or ISO/PAS 21448 and their suggested methodologies, an increasing trend to incorporate uncertainty can be noticed in the recent literature. Often this is done by using Bayesian Networks as a framework to enable probabilistic reasoning. These models can also be used to represent causal relationships. Many publications claim to model cause-effect relations, yet rarely give a formal introduction to the implications and resulting possibilities such an approach may have. This paper aims to link the domains of causal reasoning and automotive system safety by investigating relations between causal models and approaches like FMEA, FTA, or GSN. First, the famous "Ladder of Causation" and its implications for causality are reviewed. Next, we give an informal overview of common hazard and reliability analysis techniques and associate them with probabilistic models. Finally, we analyse a mixed-model methodology called Hybrid Causal Logic, extend its idea, and build the concept of a causal shell model of automotive system safety.

    CONSIDERING SAFETY AND SECURITY IN AV FUNCTIONS

    Autonomous vehicles (AVs) are coming to our streets. Due to the presence of highly complex software systems in AVs, a new hazard analysis technique is needed to meet stringent safety standards. Also, safety and security are inter-dependent and inter-related aspects of an AV. They are focused on shielding the vehicle from deliberate attacks (a security issue) as well as accidental failures (a safety concern) that might lead to loss of life and injuries to the occupants. So, the current research work has two key components: functional safety and cybersecurity of autonomous systems. For the safety analysis, we have applied System Theoretic Process Analysis (STPA), which is built on Systems Theoretic Accident Modeling and Processes (STAMP). STAMP is a powerful tool that can identify, define, analyze, and mitigate hazards from the earliest conceptual stage of development to the operation of a system. Applying STPA to autonomous vehicles demonstrates STPA's applicability to preliminary hazard analysis, alternative available, developmental tests, organizational design, and functional design of each unique safety operation. This thesis describes the STPA process used to generate system design requirements for an Autonomous Emergency Braking (AEB) system using a top-down analysis approach for system safety. The research makes the following contributions to practicing STPA for safety and security: 1. it describes the incorporation of safety and security analysis in one process and discusses the benefits of this; 2. it provides an improved, structural approach for scenario analysis, concentrating on safety and security; 3. it demonstrates the utility of STPA for gap analysis of existing designs in the automotive domain; 4. it provides lessons learned throughout the process of applying STPA and STPA-Sec. Controlling a physical process is associated with dependability requirements in a cyber-physical system (CPS). Cyberattacks can push the dependability requirements outside the acceptable range. Thus, monitoring of the cyber-physical system becomes inevitable for detecting deviations of the system from normal operation. One of the main issues is understanding the rationale behind these variations in a reliable manner. Understanding the reason for the variation is crucial for executing an accurate and timely control response, for mitigating cyberattacks as well as other causes of reduced dependability. Currently, we are using evidential networks to solve the reliability issue. In the present work, we present a cyber-physical system analysis where evidential networks (EN) are used for the detection of attacks. The results obtained from the STPA analysis, which provides the technical safety requirements, can be combined with the EN analysis, which can be used efficiently to assess the quality of the sensor in use and so justify whether the CPS is suitable for a safe and secure design.

    Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

    Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. A CPS consists of multiple coordinating and cooperating components, which are often software-intensive and interact with each other to achieve unprecedented tasks. Such highly integrated CPSs have complex interaction failures, attack surfaces, and attack vectors that we have to protect and secure against. This dissertation advances the state of the art by developing a multilevel runtime monitoring approach for safety- and security-critical CPSs in which there are monitors at each level of processing and integration. Given that computation and data processing vulnerabilities may exist at multiple levels in an embedded CPS, it follows that solutions present at the levels where the faults or vulnerabilities originate are beneficial for the timely detection of anomalies. Further, the increasing functional and architectural complexity of critical CPSs has significant safety and security operational implications. These challenges are leading to a need for new methods in which there is a continuum between design-time assurance and runtime or operational assurance. Towards this end, this dissertation explores Model Based Engineering methods by which design assurance can be carried forward to the runtime domain, creating a shared responsibility for reducing the overall risk associated with the system in operation. Therefore, a synergistic combination of Verification & Validation at design time and runtime monitoring at multiple levels is beneficial in assuring the safety and security of critical CPSs. Furthermore, we realize our multilevel runtime monitor framework on hardware using a stream-based runtime verification language.