Search Results

Viewing 1 to 14 of 14
Technical Paper

A Hazard Analysis Approach for Automated Driving Shared Control

2024-04-09
2024-01-2056
Systems-Theoretic Process Analysis (STPA) is increasingly used as a hazard analysis technique in the automotive sector, due in part to its systems engineering viewpoint, which makes it suitable for automated driving feature analysis; several new and emerging standards and guidelines suggest its use as one option, so familiarity with it is growing. Approaches incorporating the human into the STPA Control Structure Diagram (CSD) have been proposed, such as Engineering for Humans: A New Extension to STPA [1]. Such approaches position the human as the top controller in the CSD hierarchy. While placing the human at the top of the CSD is suited to reasoning about supervisory human-machine interactions, perhaps in an industrial control setting, we argue that a different approach is needed to address automotive shared control. In an automotive context the driver is integral to vehicle control.
Book

Automotive Cybersecurity: An Introduction to ISO/SAE 21434

2021-12-16
Industries, regulators, and consumers alike see cybersecurity as an ongoing challenge in our digital world. Protecting and defending computer assets against malicious attacks is a part of our everyday lives. From personal computing devices to online financial transactions to sensitive healthcare data, cyber crimes can affect anyone. As technology becomes more deeply embedded into cars in general, securing the global automotive infrastructure from cybercriminals who want to steal data and take control of automated systems for malicious purposes becomes a top priority for the industry. Systems and components that govern safety must be protected from harmful attacks, unauthorized access, damage, or anything else that might interfere with safety functions. Automotive Cybersecurity: An Introduction to ISO/SAE 21434 provides readers with an overview of the standard developed to help manufacturers keep up with changing technology and cyber-attack methods.
Technical Paper

Cybersecurity Testing and Validation

2017-03-28
2017-01-1655
An essential part of an effective cybersecurity engineering process is testing the implementation of a system for vulnerabilities and validating the effectiveness of countermeasures. The SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems provides a recommended framework which organizations can use to implement a cybersecurity engineering process, which includes activities such as integration and testing, penetration testing and verification/validation of cybersecurity requirements at the hardware, software and system levels. This presentation explores the different kinds of testing that are appropriate at each of these process steps and discusses some important differences between cybersecurity testing and more familiar forms of testing.
Journal Article

Threat Analysis and Risk Assessment in Automotive Cyber Security

2013-04-08
2013-01-1415
The process of hazard analysis and risk assessment (H&R or HARA) is well-established in standards and methods for functional safety, such as the automotive functional safety standard ISO 26262. Considering the parallel discipline of cyber security, it is necessary to establish an analogous process of threat analysis and risk assessment (T&R) in order to identify potential security attacks and the risk associated with these attacks if they were successful. While functional safety H&R processes could be used for threat analysis, these methods need extension and adaptation to the cyber security domain. This paper describes how such a method has been developed based on the approach described in ISO 26262 and the related MISRA Safety Analysis Guidelines. In particular, key differences are described in the understanding of the severity of a security attack, and in the factors that contribute to the probability of a successful attack.
Journal Article

Decomposition Scheme in Automotive Hazard Analysis

2009-04-20
2009-01-0745
Safety-related systems in road vehicles are subject to hazard analysis as part of developing their safety requirements. Automotive hazard analysis leads to a requirement for target risk reduction in the system to be developed, usually expressed as a safety integrity level, SIL, or ASIL. During risk analysis, credit can be taken for risk reduction from facilities outside the system of interest, or from architectural decisions to distribute the required risk reduction to sub-elements of the system. Up to now, such concepts have been presented in standards without any justification. The different approaches in the standards are discussed, and a scheme for more rigorously defining the allocation of safety integrity requirements across different elements of a system is proposed.
Technical Paper

The Need for Safety-Related Software Development Standards

2008-10-20
2008-21-0018
The modern road vehicle has an essential dependence on advanced electronics to control functionality and to deliver demands for safety, environmental efficiency, comfort and brand differentiation required by manufacturers, legislators and consumers. System functional safety is a central part of the design and implementation of these systems. To ensure common approaches in a global marketplace, and avoid duplicated effort, it is necessary to have consensus in the form of standards and guidelines. While the standards-making bodies take the lead in such activities, there is also an important role for industry consensus groups. This paper presents a short overview of standards relevant to safety-related software development in road vehicles, with suggestions for areas in which future improvements could be undertaken.
Journal Article

Safety Analysis of Automotive Embedded Systems

2008-04-14
2008-01-0662
This paper provides an overview of the new MISRA publication, Guidelines for Safety Analysis of Vehicle-Based Programmable Systems. It describes a process which needs to be incorporated into a company's or organization's management structure so they can manage safety effectively. The MISRA Safety Process comprises two principal phases: Preliminary Safety Analysis and Detailed Safety Analysis. The former identifies what needs to be done; the latter demonstrates that it has been done correctly.
Journal Article

MISRA Activities for Safety-Related Software Development

2008-04-14
2008-01-0660
MISRA (The Motor Industry Software Reliability Association) develops practical guidance to assist the developers of safety-related systems in the automotive industry and other sectors in implementing safe and reliable systems. This paper presents a short overview of MISRA's ongoing activities, with particular emphasis on guidance being produced in two areas: process measures for safety-related systems engineering, and product measures for safety-related systems development. Subsequent papers in the session give more details on these activities.
Technical Paper

A Generic Approach to Hazard Analysis for Programmable Automotive Systems

2007-04-16
2007-01-1620
With the increasing dependence on advanced electronic systems to control the functionality of road vehicles, the consideration of functional system safety as part of the design and implementation process for these systems is growing in importance. An important part of such a process is to undertake a hazard analysis. Emerging standards and guidelines, such as ISO 26262 and MISRA Safety Analysis, contain a requirement to perform preliminary hazard analysis in order to identify unwanted events (typically at the vehicle level) that can result from technological causes, and to set safety requirements for the system under development to mitigate the risk associated with those events. In this paper, a generic approach to automotive hazard analysis is described. The method is based upon a generalized model of the causal chain that leads from a low-level fault in an electronic system through to the potential for an unwanted event at the vehicle level.
Technical Paper

Rapid Software Development for Reliable Embedded Systems Using a Pattern-based Code Generation Tool

2006-04-03
2006-01-1457
Automated code generation has developed over the last half century from techniques based on assembly language through high-level programming languages to those based on modeling languages (such as UML). We have previously argued that the use of design patterns to support automated code generation represents a logical next step in this process. To support this claim, a pattern-based code generation tool has been developed. In this paper, we describe the tool and explore its effectiveness by means of an automotive case study.
Technical Paper

Applying the MISRA Safety Analysis Guidelines in the Management of Functional Safety

2006-04-03
2006-01-1467
As the discipline of Functional Safety spreads from its traditional industries, such as process and aviation, to the automotive sector, this paper, based on the MISRA Safety Analysis Guidelines, describes how a functional safety lifecycle can be applied in a way which is both appropriate for automotive systems and aligned with international standards such as IEC 61508.
Technical Paper

A Fault-Tolerant Processor Core Architecture for Safety-Critical Automotive Applications

2005-04-11
2005-01-0322
The introduction of drive-by-wire systems into modern vehicles has generated new challenges for the designers of embedded systems. These systems, based primarily on microcontrollers, need to achieve very high levels of reliability and availability, but also have to satisfy the strict cost and packaging constraints of the automotive industry. Advances in VLSI technology have allowed the development of single-chip systems, but have also increased the rate of intermittent and transient faults that come as a result of the continuous shrinkage of the CMOS process feature size. This paper presents a low-cost, fault-tolerant system-on-chip architecture suitable for drive-by-wire and other safety-related applications, based on a triple-modular-redundancy configuration at the processor execution pipeline level.
Technical Paper

System Functional Safety Through Automated Electrical Analysis Design

2001-03-05
2001-01-0708
This paper describes the use of electrical design analysis software to automate electrical design analysis techniques such as failure mode and effects analysis and sneak circuit analysis. It illustrates the type of reports that an automated electrical analysis can produce and compares them with those produced by an engineer unaided. The main advantage of the electrical design analysis software is that it significantly reduces the amount of effort needed to complete a competent design analysis report. This makes it possible to perform design analysis much earlier in the design process, at a stage where it is still relatively cost-effective to resolve problems.
Technical Paper

Automotive Software Engineering Using the MISRA Guidelines

2000-03-06
2000-01-0715
In 1994 a consortium of automotive companies in the UK (MISRA) published a set of guidelines intended to assist in the development of safe and reliable vehicle-based software. These guidelines were supplemented in 1998 with recommendations on the safe use of the C programming language. This paper reviews the main issues in the guidelines, including safety analysis and the use of safety integrity levels (SILs). An example of how these guidelines have been used by a UK OEM in the procurement of an electronic system from a US supplier is given.