cross-industry safety & security for connected vehicles

Cross-industry Safety and Security for Connected and Automated Vehicles
Remotely Affected Car-usage Experience (RACE) Use Cases and the Need for Cross-industry Agreement on Safety and Security
mm1 Consulting & Management PartG, Stuttgart, March 2016
Volker Scholz, Managing Partner, mm1 Consulting & Management
Lyn Matten, Managing Consultant, mm1 Consulting & Management

Upload: mm1-the-consultancy-for-connected-business

Posted on 23-Jan-2017

Category: Automotive

TRANSCRIPT

Page 1: Cross-industry safety & security for connected vehicles

© mm1 Consulting & Management, Stuttgart/Aichwald

Cross-industry Safety and Security

for Connected and Automated Vehicles

Remotely Affected Car-usage Experience (RACE) Use Cases

And the Need for Cross Industry Agreement on Safety and Security.

mm1 Consulting & Management PartG, Stuttgart, March 2016

Volker Scholz, Managing Partner, mm1 Consulting & Management

Lyn Matten, Managing Consultant, mm1 Consulting & Management

Page 2: Cross-industry safety & security for connected vehicles

Cross-industry safety and security for connected vehicles

Next level of vehicle automation is gaining market traction


Picture source: screenshots of publicly available OEM videos

Page 3: Cross-industry safety & security for connected vehicles

Yet the (partially) automated car is still a self-contained entity that senses, thinks and decides for itself.

Figure: intelligence contained within the vehicle. In-car sensors feeding the ADAS*: near-range radar, four-layer laser scanner, ultrasonic sensors, long-range radar, single-layer laser scanner, blind-spot radar, mono/stereo camera.

* ADAS = Advanced Driver Assistance Systems

Page 4: Cross-industry safety & security for connected vehicles

Figure: the automated & connected car at the centre of six use-case categories (framework by IAO, Edag, mm1):

- Car interactions with third parties
- Entertainment & infotainment for fun & work
- Automation for ease and safety
- Comfort & relaxation
- Information related to driving
- Remotely controlled functionalities

Selected use case examples: social media integration; office/e-mail/SMS services; live media streaming; digital radio and TV; highway pilot; pedestrian protection; emergency braking; traffic jam assistant; control of the parking heater; automated music adjustment; biometric driver identification; automated child seat adjustment; tele-operated driving; remote operation of charging; geographic car-data tracking; young driver control; lane change assistant; street condition assistant; night view assistant; collision warning; monitoring of vital signs; traffic light assistant; parking spot reservation; next workshop; cost-optimized refuelling; automated service data broadcast.

The car's sensors enable the in-car decision making for the ADAS-related use cases; these are the use cases enabled by sensor information. The trend goes towards automation.

Page 5: Cross-industry safety & security for connected vehicles

So, why should the car connect?

Page 6: Cross-industry safety & security for connected vehicles

So, why should the car connect? To improve the scope and reliability of services via the extension of the car's horizon.

Figure: car's own sensors + additional information (e.g. crowd-based) = new and better use cases.

- Scope: offer new automated use cases.
- Reliability: improve information quality for existing automated use cases.

Page 7: Cross-industry safety & security for connected vehicles

Scope and reliability gain importance with the shift towards product liability for automated vehicles.

(Figure: liability (§) today vs. tomorrow, once vehicles are "highly automated".)

Page 8: Cross-industry safety & security for connected vehicles

RACE use cases: enabled by connectivity (scope), or enhancing the in-car intelligence with remote information (reliability).

Connectivity and 'the cloud' can provide remote information that the car's sensors cannot detect due to distance or other impediments. This enables:

- New use cases (scope)
- Better quality of existing ADAS use cases (reliability, due to a larger statistical population of environmental data)

We call these use cases: Remotely Affected Car Experience (RACE).

Figure: the six use-case categories from page 4 (car interactions with third parties; entertainment & infotainment for fun & work; automation for ease and safety; comfort & relaxation; information related to driving; remotely controlled functionalities) with the RACE use cases highlighted (grey = not a RACE case): highway pilot; pedestrian protection; emergency braking; platooning; traffic jam assistant; tele-operated driving; lane change assistant; street condition assistant; night view assistant; collision warning; traffic light assistant; parking spot reservation; next workshop; cost-optimized refuelling; automated service data broadcast; monitoring of vital signs; early hazard assistant; hidden danger warning.

Page 9: Cross-industry safety & security for connected vehicles

The inter-industrial challenges with RACE use cases.

Page 10: Cross-industry safety & security for connected vehicles

Example of a RACE use case: early speed reduction in case of hazards that are not (yet) visible to the in-car sensors.

Example: limited value of in-car sensors in case of poor visibility, e.g. a car behind a hill, or heavy snowfall.

Page 11: Cross-industry safety & security for connected vehicles

Connectivity enables this use case; significant technologies outside the car's domain are involved:

- Third-party sensors and data sources
- Big data backend infrastructure
- Cloud applications (e.g. for HD maps)
- Wireless network (e.g. 3G)

(Figure: the car receives the hint "Full throttle? Not a good idea!" over the network.)

Page 12: Cross-industry safety & security for connected vehicles

Consequently, partners across industries are involved:

- Automotive OEMs "A", "B", "C"
- Backend infrastructure provider (PaaS): scalable cloud infrastructure and enabling services
- Network provider / telco
- Cloud application provider: computational intelligence services ("Big Data"), HD maps, management of traffic and device content, etc.
- Content provider: environmental status, contextual information, etc.

Page 13: Cross-industry safety & security for connected vehicles

The interworking of various partners needs risk management:

- Integrity: e.g. misleading data, resulting in accidents
- Confidentiality: e.g. abuse of user data
- Availability: e.g. service outage due to network issues

Page 14: Cross-industry safety & security for connected vehicles

Risk management: every industry in the value chain has established best practices, as shown in different standards.

Value chain of RACE use cases (simplified), with system-related standards (examples) per stage:

  Vehicle sensors      ISO 26262
  Wireless network     ETSI regulation, FCC regulation, APT regulation
  Backend computing    BSI IT-Grundschutz, ISO 27001
  Wireless network     ETSI regulation, FCC regulation, APT regulation
  Vehicle actuators    ISO 26262

APT = Asia-Pacific Telecommunity

Page 15: Cross-industry safety & security for connected vehicles

The challenge: how can OEMs perform an end-to-end risk analysis for safety-relevant functions?

(Figure: the same value chain and standards as on page 14: vehicle sensors (ISO 26262), wireless network (ETSI/FCC/APT regulation), backend computing (BSI IT-Grundschutz, ISO 27001), wireless network (ETSI/FCC/APT regulation), vehicle actuators (ISO 26262).)

The challenge for OEMs: an end-to-end risk analysis for safety-relevant functions has to span all stages of this chain, although each stage is governed by a different standard.

Page 16: Cross-industry safety & security for connected vehicles

The standards apply a similar overall logic, but differ in the details.

Assessment of the standards related to the overall approach (eligibility for a cross-industry approach):

- Overall logic: the same? The figure lines up the process steps scope, risk, safety goal, strategy, system design, measures, test and residual risk, which all of the standards go through in some form.
- Details: mostly compatible? Example "residual risk": determined systematically in ISO 26262 (via the ASIL classification), roughly estimated in ISO 27001, not permitted at all in the wireless regulations.

Page 17: Cross-industry safety & security for connected vehicles

Deep dive example: different approaches to SW development in ISO 26262 vs. BSI IT-Grundschutz (the German BSI methodology on whose basis an ISO 27001 certification can be obtained).

Standards: state of the art and first mapping examples of measures.

ISO 26262-6, development at the software level: one example measure per ASIL, as selected on the slide.

  Principles for software architectural design (1)
    ASIL A: hierarchical structure
    ASIL B: hierarchical structure
    ASIL C: high cohesion within each SW component
    ASIL D: restricted use of interrupts
  Mechanisms for error detection (2)
    ASIL A: range checks for input and output data
    ASIL B: range checks for input and output data
    ASIL C: control flow monitoring
    ASIL D: diverse software design
  Mechanisms for error handling (3)
    ASIL A: static recovery mechanism
    ASIL B: static recovery mechanism
    ASIL C: graceful degradation
    ASIL D: independent parallel redundancy

(1) ISO 26262-6, page 11: Table 3, Principles for software architectural design
(2) ISO 26262-6, page 13: Table 4, Mechanisms for error detection at the software architectural level
(3) ISO 26262-6, page 14: Table 5, Mechanisms for error handling at the software architectural level

BSI IT-Grundschutz, safeguard group M4 "Hardware and Software" (examples out of 469 items): apply anti-virus programs; SW reinstallation for a new user; password protection; secure installation of Windows; test of new HW and SW; database encryption; protection of web server information; minimal operating system; safe operation of VPN; ...

ISO 26262 requires specific measures at defined sub-tasks and risk levels; BSI provides a catalogue of options to choose from.
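As an added example (written for this page; it is not code from the mm1 deck, from any OEM, or from the standard text), the following C fragment applies three of the ISO 26262-6 measures listed above to the RACE scenario of pages 10 and 11, a hazard advisory pushed from the backend to the car: range checks on the received message (which is also what page 13's integrity risk, misleading data, comes down to), control flow monitoring via a checkpoint signature, and graceful degradation to the in-car ADAS limit when remote data is missing, stale or implausible (page 13's availability risk). The message layout, the plausibility limits, the confidence floor and the decision logic are assumptions for illustration only.

```c
/* Added example, not from the mm1 deck, a standard or an OEM: three ISO 26262-6
 * measures from the table above (range checks for input/output data, control
 * flow monitoring, graceful degradation) applied to a hypothetical hazard
 * advisory pushed from a backend. Layout, limits and logic are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {                /* constructed message layout */
    uint32_t timestamp_ms;      /* sender time stamp, same clock as now_ms */
    int32_t  distance_m;        /* distance of the hazard ahead of the car */
    uint16_t advised_speed_kmh; /* speed the backend advises */
    uint8_t  confidence_pct;    /* backend's own confidence, 0..100 */
} hazard_msg_t;

typedef enum { HZ_APPLY_REMOTE, HZ_DEGRADED_LOCAL, HZ_REJECTED } hazard_decision_t;

#define MAX_DISTANCE_M     5000  /* assumed plausibility limits */
#define MAX_SPEED_KMH      250
#define MIN_CONFIDENCE_PCT 60
#define MAX_MSG_AGE_MS     2000

/* Control flow monitoring: each mandatory step shifts its token into a running
 * signature; only the exact sequence validate, decide, output check ends at
 * CF_EXPECTED = ((((1<<4)|2)<<4)|3)<<4|4. */
#define CF_INIT       0x1u
#define CF_T_VALIDATE 0x2u
#define CF_T_DECIDE   0x3u
#define CF_T_OUTCHECK 0x4u
#define CF_EXPECTED   0x1234u
uint32_t cf_step(uint32_t sig, uint32_t token) { return (sig << 4) | token; }
bool cf_signature_ok(uint32_t sig) { return sig == CF_EXPECTED; }

/* Input range check: fields inside their assumed ranges, message fresh, and a
 * time stamp from the future rejected as well. */
bool hazard_input_in_range(const hazard_msg_t *m, uint32_t now_ms)
{
    if (m->distance_m < 0 || m->distance_m > MAX_DISTANCE_M) return false;
    if (m->advised_speed_kmh > MAX_SPEED_KMH) return false;
    if (m->confidence_pct > 100) return false;
    if (m->timestamp_ms > now_ms) return false;
    return (now_ms - m->timestamp_ms) <= MAX_MSG_AGE_MS;
}

/* Writes the speed limit to apply into *limit_out and returns the decision. */
hazard_decision_t decide_speed_limit(const hazard_msg_t *m, bool remote_available,
                                     uint32_t now_ms, uint16_t local_limit_kmh,
                                     uint16_t *limit_out)
{
    uint32_t sig = CF_INIT;
    uint16_t limit = local_limit_kmh;
    hazard_decision_t d = HZ_DEGRADED_LOCAL;

    /* Step 1: validate. A spoofed or corrupted message and an internal data
     * error are treated alike: both simply fail the range check. */
    bool remote_ok = remote_available && m != NULL &&
                     hazard_input_in_range(m, now_ms) &&
                     m->confidence_pct >= MIN_CONFIDENCE_PCT;
    sig = cf_step(sig, CF_T_VALIDATE);

    /* Step 2: decide. Graceful degradation: without usable remote data the
     * function keeps the in-car ADAS limit instead of switching itself off. */
    if (remote_ok) {
        limit = m->advised_speed_kmh < local_limit_kmh ? m->advised_speed_kmh : local_limit_kmh;
        d = HZ_APPLY_REMOTE;
    }
    sig = cf_step(sig, CF_T_DECIDE);

    /* Step 3: output range check; unreachable with sane inputs, it catches a
     * corrupted 'limit' before it reaches the actuator path. */
    if (limit > MAX_SPEED_KMH || limit > local_limit_kmh) { d = HZ_REJECTED; limit = local_limit_kmh; }
    sig = cf_step(sig, CF_T_OUTCHECK);

    /* A skipped or reordered step invalidates the result. */
    if (!cf_signature_ok(sig)) { d = HZ_REJECTED; limit = local_limit_kmh; }
    *limit_out = limit;
    return d;
}

/* Constructed scenarios; returns how many behaved as expected (5 when correct). */
int self_check(void)
{
    const uint32_t now = 10000u;
    uint16_t lim = 0;
    int ok = 0;
    hazard_msg_t fresh   = {  9000u, 800, 60u, 90u }; /* plausible, 1 s old */
    hazard_msg_t stale   = {  1000u, 800, 60u, 90u }; /* 9 s old */
    hazard_msg_t lowconf = {  9000u, 800, 60u, 30u }; /* below confidence floor */
    hazard_msg_t future  = { 12000u, 800, 60u, 90u }; /* sender clock ahead */

    if (decide_speed_limit(&fresh, true, now, 100u, &lim) == HZ_APPLY_REMOTE && lim == 60u) ok++;
    if (decide_speed_limit(&stale, true, now, 100u, &lim) == HZ_DEGRADED_LOCAL && lim == 100u) ok++;
    if (decide_speed_limit(&lowconf, true, now, 100u, &lim) == HZ_DEGRADED_LOCAL && lim == 100u) ok++;
    if (decide_speed_limit(NULL, false, now, 100u, &lim) == HZ_DEGRADED_LOCAL && lim == 100u) ok++;
    if (!hazard_input_in_range(&future, now)) ok++;
    return ok;
}

int main(void)
{
    uint32_t skipped = cf_step(cf_step(CF_INIT, CF_T_VALIDATE), CF_T_OUTCHECK);
    printf("scenarios behaving as expected: %d of 5\n", self_check());
    printf("skipped decide step detected: %s\n", cf_signature_ok(skipped) ? "no" : "yes");
    return 0;
}
```

Any C99 compiler builds it as a single file. The design point is the one this slide is making: the same range check that ISO 26262 asks for against an internal data error is the check that rejects an implausible, stale or spoofed message from a third-party backend, and graceful degradation keeps the vehicle on its self-contained ADAS behaviour when the connectivity part of the value chain fails. Whether the remote data may be trusted at all is a question the range check cannot answer; that is where the cross-industry requirements discussed on the following pages come in.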

Page 18: Cross-industry safety & security for connected vehicles

Why such differences in detail? Because the domains are not the same!

(Figure: company vs. product development vs. product lifecycle, phases 1, 2, 3, ...)

- Ensuring correct results ("compute correctly"): functional safety.
- Keeping the systems running ("just compute"): operational security.

Gap: not the same domains.

Page 19: Cross-industry safety & security for connected vehicles

A lot of work to be done for a joint inter-industrial understanding: is it worth the hassle?

(Figure: the assessment of the standards from page 16 (overall logic the same? details mostly compatible? process steps scope, risk, safety goal, strategy, system design, measures, test, residual risk), annotated with "worth the hassle?")

Page 20: Cross-industry safety & security for connected vehicles

It is worth the hassle: four reasons for cross-industry cooperation regarding RACE use cases.

Technology push:
- New entrants: the threat from new 'IT-affine' entrants increases competitive rivalry.
- Advancing technologies: the strong trend in IoT is already seizing the automotive industry.

Market pull:
- Customer needs: decades of advances in car safety set future demands.
- Societal goals: EU goal for 2020: halve the number of traffic deaths vs. 2010.

Page 21: Cross-industry safety & security for connected vehicles

What to do.

Page 22: Cross-industry safety & security for connected vehicles

Three options are feasible for dealing with RACE use cases.

- Option A: self-contained: ADAS without connectivity. Mindset: "Play it safe – let's stay with the self-contained car intelligence."
- Option B: enhance existing ADAS use cases with connectivity (+ reliability). Mindset: "The world is connected – let's be part of it and seize the added customer value."
- Option C: enable additional RACE use cases with connectivity (+ scope). Mindset: "Let's max out the potential of external data sources!"

Page 23: Cross-industry safety & security for connected vehicles

The latter two (Options B and C) require inter-industrial cooperation.

(Figure: the three options from page 22.)

Page 24: Cross-industry safety & security for connected vehicles

We must look at the whole thing: aspects of functional safety and security must cover the whole connected eco-system (not only the car).

- Functional safety today (ISO 26262): within the vehicle.
- Functional safety tomorrow (ISO 26262 "plus X", yet unknown!): an interconnected approach covering vehicle-external components (third-party sensors & data sources, the OEM big data backend, e.g. for HD maps), communication technologies (wireless network, e.g. 3G) as well as intra-vehicle components.

Page 25: Cross-industry safety & security for connected vehicles

Solution approach 1: car-centric extension of ISO 26262.

(Figure: third-party sensors & data sources, OEM big data backend (e.g. for HD maps) and wireless network (e.g. 3G), seen from the car.)

Extension of ISO 26262: car-centric.

Mindset and approach:
- Define the requirements of the automotive industry towards the other industries.
- Industry partners identify suitable best practices and vulnerabilities.
- Define the technical interfaces from/towards the car's systems.
- Define the requirements that partners have to fulfil in order to deliver data to or receive data from the car.

Page 26: Cross-industry safety & security for connected vehicles

Solution approach 2: holistic end-to-end framework for cross-industry functional safety of RACE use cases.

(Figure: third-party sensors & data sources, OEM big data backend (e.g. for HD maps) and wireless network (e.g. 3G), treated as one total system.)

Cooperative cross-industry functional safety framework: holistic, end-to-end.

Mindset and approach:
- Put all involved parties into the position of supporting a total system with the lowest possible risk and internationally reliable legal compliance.
- Develop applicable extensions of standards, guidelines or new standards.
- Cooperatively develop consistent targets, requirements and interfaces.
- Execute a joint process while considering the individual perspectives.

Page 27: Cross-industry safety & security for connected vehicles

Both approaches may be meaningfully executed along the lean market introduction sequence of RACE use cases.

Functional safety (FuSa) approach vs. ADAS approach related to RACE use cases:
- Today: self-contained, without RACE
- Short term: advance existing RACE use cases (reliability)
- Medium term: add new RACE use cases (scope)

Currently discussed in the ISO 26262 committee (status April 2016).

Page 28: Cross-industry safety & security for connected vehicles

FuSiFuture: mm1 is starting up a research consortium for the holistic cross-industry functional safety framework.

Integrated approach along the ADAS timeline for RACE use cases:
- Today: self-contained, without RACE
- Short term: advance existing RACE use cases (reliability)
- Medium term: add new RACE use cases (scope)

FuSiFuture: Konsortium für Funktionale Sicherheit und Missbrauchsschutz bei vernetzten und automatisierten Kfz (consortium for functional safety and protection against misuse in connected and automated vehicles).

Page 29: Cross-industry safety & security for connected vehicles

The Consultancy for Connected Business. Contact us for further discussion.

Volker Scholz

Managing Partner

+49 170 2457999

[email protected]

Lyn Matten

Managing Consultant

+49 151 50674715

[email protected]

www.mm1.com