Thomas Gruber

Security Application of Failure Mode and Effect Analysis (FMEA)

Increasingly complex systems lead to an interweaving of security, safety, availability and reliability concerns. Most dependability analysis techniques do not include security aspects. In order to include security, a holistic risk model for systems is needed. In our novel approach, the basic failure cause, failure mode and failure effect model known from FMEA is used as a template for a vulnerability cause-effect chain, and an FMEA analysis technique extended with security is presented. This represents a unified model for safety and security cause-effect analysis. As an example the technique is then applied to a distributed industrial measurement system.

The Need for Safety and Cyber-Security Co-engineering and Standardization for Highly Automated Automotive Vehicles

A key long-term trend is towards highly automated vehicles and autonomous driving. This has a huge impact, besides comfort and enabling people not able or allowed to drive, on sustainability of environmental-friendly urban road transport because the number of vehicles and parking space could considerably be reduced if called on command and left behind after use for the next call. This requires a considerable amount of functionality, sensors, actuators and control, situation awareness etc., and the integration into a new type of critical infrastructure based on communication between vehicles and vehicles and infrastructure for regional traffic management. Both, safety and security aspects have to be handled in a coordinated manner, affecting co-engineering, co-certification and standardization.

A Case Study of FMVEA and CHASSIS as Safety and Security Co-Analysis Method for Automotive Cyber-physical Systems

The increasing integration of computational components and physical systems creates cyber-physical system, which provide new capabilities and possibilities for humans to control and interact with physical machines. However, the correlation of events in cyberspace and physical world also poses new safety and security challenges. This calls for holistic approaches to safety and security analysis for the identification of safety failures and security threats and a better understanding of their interplay. This paper presents the application of two promising methods, i.e. Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), to a case study of safety and security co-analysis of cyber-physical systems in the automotive domain. We present the comparison, discuss their applicabilities, and identify future research needs.

A Novel HAZOP study approach in the RAMS analysis of a therapeutic robot for disabled children

In the EU project IROMEC (Interactive RObotic social MEdiators as Companions) a consortium of eight multidisciplinary partners has developed a new therapeutic robotic system for children. It is composed of a mobile base platform with obstacle detection sensors and a so-called application module with a head and movable arms. The embedded controller is programmed for various play scenarios like following a child or dancing. The system is intended to help children with minor motor disabilities or communication deficiencies like for instance autism, who are thereby expected to overcome their shortcomings. It is evident that an autonomous robot represents a potential hazard to its surrounding, in particular to handicapped children who cannot be assumed to react properly in the presence of an autonomously moving robot. Therefore, a RAMS analysis with emphasis on safety issues was performed with special respect to this specific therapeutic situation. This paper describes the methods used and the results found by applying a holistic HAZOP study with a novel two-fold approach to this specific case of a robotic system.

Safety Requirements for a Cooperative Traffic Management System: The Human Interface Perspective

Traffic management systems are complex networks integrating sensors, actors, communication on different levels and humans as active part, consisting of road-side infrastructure coupled with advanced driver assistance systems and on-board data collection facilities. COOPERS1 has the objective of co-operative traffic management by implementing intelligent services interfacing vehicles, drivers, road infrastructure and highway operators. These services have different levels of criticality and safety impact, and involve different types of smart systems and wireless communications. In the initial phase of the COOPERS project a RAMSS2 analysis was carried out on road traffic scenarios, services and communications. The analysis yielded that the HMI (Human Machine Interface) is one of the major threats to reliability. After a short overview on COOPERS and the RAMSS analysis, this paper describes the risks of the HMI and human factors in the specific situation of a driver and gives concrete recommendations for the OBU (On-Board Unit) user interface.

RAMSS analysis for a co-operative integrated traffic management system

The European Project COOPERS aims at developing co-operative systems based on innovative telematics solutions to increase road safety. Co-operative traffic management is implemented by intelligent services interfacing vehicles, drivers, road infrastructure and operators. These services involve various types of smart systems and wireless communications and have different impact on safety. Therefore, a RAMSS analysis has been carried out in the initial phase of the project. One of the major problems faced was the lack of knowledge regarding the implementation of the system. Consequently, a holistic approach to identify the most critical parts of COOPERS had to be considered. The methods used and the results found by applying a RAMSS analysis to the specific case of co-operative road traffic management services are presented.

Standardization challenges for safety and security of connected, automated and intelligent vehicles

Connected, automated and intelligent vehicles give rise to new safety and security challenges. These challenges need to be considered in automotive standards. We describe the challenges and analyze the state of the art of related automotive standards. We identify the gaps and propose possible actions.

RAMS Analysis of a Bio-inspired Traffic Data Sensor ("Smart Eye")

The Austrian Research Centers have developed a compact low-power embedded vision system “Smart Eye TDS”, capable of detecting, counting and measuring the velocity of passing vehicles simultaneously on up to four lanes of a motorway.The system is based on an entirely new bio-inspired wide dynamic “silicon retina” optical sensor. Each of the 128x128 pixels operates autonomously and delivers asynchronous events representing relative changes in illumination with low latency, high temporal resolution and independence of scene illumination. The resulting data rate is significantly lower and reaction significantly faster than for conventional vision systems. In ADOSE, an FP7 project started 2008 (see acknowledgment at the end of the paper), the sensor will be tested on-board for pre-crash warning and pedestrian protection systems.For safety-related control applications, it is evident that dependability issues are important. Therefore a RAMS analysis was performed with the goal of improving the quality of this new traffic data sensor technology, in particular with respect to reliability and availability. This paper describes the methods used and the results found by applying a RAMS analysis to this specific case of a vision system.

Comparing software measures with fault counts derived from unit-testing of safety-critical software

Systematic validation and verification of safety-critical software is of crucial importance. A key precaution is intensive testing at several levels, from the entire system down to individual functional elements, the latter often carried out as unit testing. This paper presents results from a unit test performed on a C++ package from a testbed of a safety critical application at the ARC Seibersdorf research lab. After outlining the test environment and relevant characteristics of the tested software package, a detailed analysis of the test results is given. This analysis comprises fault categorization, fault distribution, relations between software metrics (like McCabes cyclomatic complexity or the risk categories of NASA SATC), software faults, and testing efforts, and yields clues about the significance of these measures for fault probabilities. A summary of the findings and related work conclude the paper.

A Quantitative Approach for the Likelihood of Exploits of System Vulnerabilities

Modern systems’ transition towards more connected, information and communication technologies (ICT) has increased the safety, capacity and reliability of systems such as transport systems (railways, automotive) and industrial systems but it has also exposed a big additional surface for cyber attackers which makes it necessary to take in consideration general IT security concerns. Cyber-physical systems need more effort to consider safety critical IT security concerns. The safety impact of security compromises is evaluated in a semiquantitative manner because it is a relatively new area so there is not enough real data available to analyse attack rates quantitatively and the attack-vulnerability scenario is constantly changing because of adversary intelligence. This paper proposes an approach for the quantification of vulnerabilities based on learning from data obtained by concrete pattern implementations in safety-critical systems. This will allow combined analysis of safety and security.