Eric Armengaud

SAHARA: a security-aware hazard and risk analysis method

Safety and Security are two seemingly contradictory system features, which have challenged researchers for decades. Traditionally, these two features have been treated separately, but due to the increasing knowledge about their mutual impacts, similarities, and interdisciplinary values, they have become more important. Because systems (such as Car2x in the automotive industry) are increasingly interlaced, it is no longer acceptable to assume that safety systems are immune to security risks. Future automotive systems will require appropriate systematic approaches that will support security-aware safety development. Therefore, this paper presents a combined approach of the automotive HARA (hazard analysis and risk assessment) approach with the security domain STRIDE approach, and outlines the impacts of security issues on safety concepts at system level. We present an approach to classify the probability of security threats, which can be used to determine the appropriate number of countermeasures that need to be considered. Furthermore, we analyze the impact of these security threats on the safety analysis of automotive systems. This paper additionally describes how such a method has been developed based on the HARA approach, and how the safety-critical contributions of successful security attacks can be quantified and processed.

Automatic and optimal allocation of safety integrity levels

Powertrain electrification of vehicles leads to a higher number of sensors, actuators and control functions resulting in increasing complexity. Due to the safety-criticality of the functionalities, safety standards must be considered during system development. The safety standard ISO 26262 defines discrete ASILs (Automotive Safety Integrity Levels) that must be identified and allocated to the components of the system under development. Once allocated, they determine the applicable requirements of ISO 26262 and the necessary safety measures to accordingly minimize residual risk. Fu rthermore, the allocated ASILs directly influence the development efforts and the costs per piece of the system components. Manual elaboration of an ASIL allocation that is economic and assures functional safety is complex and cumbersome. This work presents a method that allows the automatic allocation of ASILs to the system components. In our approach ASIL allocation is interpreted as an ILP (Integer Linear Programming) problem. This allows obtaining an ASIL allocation that is optimal with respect to an objective function that is subject to constraints. These constraints are derived from the results of PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis) and preferences of the safety engineer. The approach is evaluated by the case study of hybrid electric vehicle development.

A Computer-Aided Approach to Preliminary Hazard Analysis for Automotive Embedded Systems

Powertrain electrification of automobiles leads to a higher number of sensors, actuators and control functions, which in turn increases the complexity of automotive embedded systems. The safety-criticality of the system requires the application of Preliminary Hazard Analysis early in the development process. This is a necessary first step for the development of an automotive embedded system that is acceptably safe. Goal of this activity is the identification and classification of hazards and the definition of top level safety requirements that are the basis for designing a safety-critical embedded system that is able to control or mitigate the identified hazards. A computeraided framework to support Preliminary Hazard Analysis for automotive embedded systems is presented in this work. The contribution consists of (1) an enhancement for Preliminary Hazard Analysis to the domain-specific language EAST-ADL, as well as (2) the identification of properties that indicate the correct application of Preliminary Hazard Analysis using the language. These properties and an analysis model reflecting the results of the Preliminary Hazard Analysis are used for the automated detection of an erroneously applied Preliminary Hazard Analysis (property checker) and the automated suggestion and application of corrective measures (model corrector). The applicability of the approach is evaluated by the case study of hybrid electric vehicle development.

Model-based Toolchain for the Efficient Development of Safety-Relevant Automotive Embedded Systems

Advanced functionalities unthinkable a few decades ago are now being introduced into automotive vehicles through embedded systems for reasons like emission control, vehicle connectivity, safety and ...

Computer-aided PHA, FTA and FMEA for automotive embedded systems

The shift of the automotive industry towards powertrain electrification introduces new automotive sensors, actuators and functions that lead to an increasing complexity of automotive embedded systems. The safety-criticality of these systems demands the application of analysis techniques such as PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis) and FMEA (Failure Modes and Effects Analysis) in the development process. The early application of PHA allows to identify and classify hazards and to define top-level safety requirements. Building on this, the application of FTA and FMEA supports the verification of a system architecture defining an embedded system together with connected sensors and controlled actuators. This work presents a modeling framework with automated analysis and synthesis capabilities that supports a safety engineering workflow using the domain-specific language EAST-ADL. The contribution of this work is (1) the definition of properties that indicate the correct application of the workflow using the language. The properties and a model integrating the work products of the workflow are used for the automated detection of errors (property checker) and the automated suggestion and application of corrective measures (model corrector). Furthermore, (2) fault trees and a FMEA table can be automatically synthesized from the same model. The applicability of this computer-aided and tightly integrated approach is evaluated using the case study of a hybrid electric vehicle development.

A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems

Safety and Security appear to be two contradicting overall system features. Traditionally, these two features have been treated separately, but due to increasing awareness of mutual impacts, cross domain knowledge becomes more important. Due to the increasing interlacing of automotive systems with networks (such as Car2X), it is no longer acceptable to assume that safety-critical systems are immune to security risks and vice versa.

A structured approach for the systematic test of embedded automotive communication systems

We present a systematic test strategy for the communication subsystem of a distributed automotive system. Key points are (1) system decomposition into layers and services and (2) integration of fault injection and monitoring within this framework

Automotive embedded software: Migration challenges to multi-core computing platforms

The introduction of multi-core computing platforms aims at providing more computing resources and additional interfaces to answer the needs of new automotive control strategies with respect to computing performances and connectivity (e.g. connected vehicle, hybrid powertrains). At the same time, the parallel execution and resulting resources and timing conflicts require a paradigm change for the embedded software. Consequently, efficient migration of legacy software on multi-core platform, while guaranteeing at least the same level of integrity and performance as for single cores, is a significant challenge. The contributions of this paper are (1) to provide a state-of-practice survey on multi-core CPUs and operating systems for the automotive domain, and (2) based on this survey to provide guidelines for the migration of legacy SW. Finally the related challenges and opportunities for the development of high-integrity control systems on multi-cores, as platform for dependable systems are discussed.

A layer model for the systematic test of time-triggered automotive communication systems

This paper presents a layer model tailored for the test of distributed systems that rely on the time-triggered paradigm, such as the FlexRay protocol that is currently employed in the automotive industry. The presented layer model is applied for the generation of a fault model, aids in the inspection of fault propagation throughout the distributed system under consideration and is used for fault diagnosis of defective electronic control units. To that end, this systematic test and diagnosis approach to provide a solid basis for analyzing and verifying future by-wire systems with respect to their communication properties.

A Review of Threat Analysis and Risk Assessment Methods in the Automotive Context

Consumer demands for advanced automotive assistant systems and connectivity of cars to the internet make cyber-security an important requirement for vehicle providers. As vehicle providers gear up for the cyber security challenges, they can leverage experiences from many other domains, but nevertheless, must face several unique challenges. Thus, several security standards are well established and do not need to be created from scratch. The recently released SAE J3061 guidebook for cyber-physical vehicle systems provides information and high-level principles for automotive organizations to identify and assess cyber-security threats and design cyber-security aware systems.