cross-industry safety & security for connected vehicles
TRANSCRIPT
© mm1 Consulting & Management, Stuttgart/Aichwald
Cross-industry Safety and Security for Connected and Automated Vehicles
Remotely Affected Car-usage Experience (RACE) Use Cases and the Need for Cross-Industry Agreement on Safety and Security
mm1 Consulting & Management PartG, Stuttgart, March 2016
Volker Scholz, Managing Partner, mm1 Consulting & Management
Lyn Matten, Managing Consultant, mm1 Consulting & Management
Cross-industry safety and security for connected vehicles
Slide 2: Next level of vehicle automation is gaining market traction.
(Picture source: screenshots of publicly available OEM videos)
Slide 3: Yet, the (partially) automated car is still an independent entity, thinking and deciding for itself.
(Figure: intelligence contained within the vehicle. In-car sensors shown: near-range radar, long-range radar, dead-spot radar, four-layer laser, single-layer laser, ultrasonic, mono/stereo camera.)
* ADAS = Advanced Driving Assistance Systems
Slide 4: The car's sensors enable the in-car decision making for ADAS use cases (selected use case examples).
(Figure: use case wheel around the automated & connected car; framework by IAO, Edag and mm1. Six segments: car interactions with third parties; entertainment & infotainment for fun & work; automation for ease and safety; comfort & relaxation; information related to driving; remotely controlled functionalities. An arrow marks the trend towards automation.)
Use cases shown (selected):
- Social media integration
- Office/e-mail/SMS services
- Live media streaming
- Digital radio and TV
- Highway pilot
- Pedestrian protection
- Emergency braking
- Traffic jam assistant
- Control of parking heater
- Automated music adjustment
- Biometric driver identification
- Automated child seat adjustment
- Tele-operated driving
- Remote operation of charging
- Geographic car-data tracking
- Young driver control
- Lane change assistant
- Street condition assistant
- Night view assistant
- Collision warning
- Monitoring of vital signs
- Traffic light assistant
- Parking spot reservation
- Next workshop
- Cost-optimized refuel
- Automated service data broadcast
The ADAS-related use cases among these are the ones enabled by sensor information.
Slide 5: So, why should the car connect?
Slide 6: So, why should the car connect? To improve the scope and reliability of services via the extension of the car's horizon.
(Figure: the car's own sensors + additional information (e.g. crowd-based) = new and better use cases.)
- Scope: offer new automated use cases.
- Reliability: improve information quality for existing automated use cases.
Slide 7: Scope and reliability gain importance with the shift towards product liability for automated vehicles.
(Figure: timeline from today to tomorrow; with "highly automated" vehicles, liability (§) shifts towards product liability.)
Slide 8: RACE use cases: enabled by connectivity (scope) or enhancing intelligence by remote information (reliability).
Connectivity & 'the cloud' can provide remote information that the car's sensors cannot detect due to distance or other impediments. This enables:
- New use cases (scope)
- Better quality of existing ADAS use cases (reliability, due to a larger statistical population of environmental data)
We call these use cases: Remotely Affected Car Experience (RACE).
(Figure: the use case wheel from slide 4, highlighting the ADAS-related use cases enabled by sensor information; grey = not a RACE case. Use cases shown: highway pilot, pedestrian protection, emergency braking, platooning, traffic jam assistant, tele-operated driving, lane change assistant, street condition assistant, night view assistant, collision warning, traffic light assistant, parking spot reservation, next workshop, cost-optimized refuel, automated service data broadcast, monitoring of vital signs, early hazard assistant, hidden danger warning, …)
Slide 9: The inter-industrial challenges with RACE use cases.
Slide 10: Example of a RACE use case: early speed reduction in case of hazards that are not (yet) visible to in-car sensors.
Example: limited value of in-car sensors in case of poor visibility, e.g. a car behind a hill, heavy snowfall, …
Slide 11: Connectivity enables this use case; significant technologies outside the car's domain are involved.
(Figure: data flow between the car and third-party sensors and data sources, a big data backend infrastructure, cloud applications (e.g. for HD maps) and a wireless network (e.g. 3G); speech bubble at the car: "Full throttle? Not a good idea!")
Slide 12: Consequently, partners across industries are involved.
- Automotive OEMs "A", "B" and "C"
- Backend infrastructure provider (PaaS): scalable cloud infrastructure and enabling services
- Network provider / telco
- Cloud application provider: computational intelligence services ("Big Data"), HD maps, management of traffic and device content, etc.
- Content provider: environmental status, contextual information, etc.
Slide 13: The interworking of various partners needs risk management.
- Integrity: e.g. misleading data, resulting in accidents
- Confidentiality: e.g. abuse of user data
- Availability: e.g. service outage due to network issues
Slide 14: Risk management: every industry in the value chain has established best practices, as shown in different standards.
Value chain of RACE use cases (simplified), with system-related standards (examples):
  Vehicle sensors      ISO 26262
  Wireless network     ETSI regulation, FCC regulation, APT regulation
  Backend computing    BSI IT-Grundschutz, ISO 27001
  Wireless network     ETSI regulation, FCC regulation, APT regulation
  Vehicle actuators    ISO 26262
APT = Asia-Pacific Telecommunity
Slide 15: The challenge: how can OEMs perform end-to-end risk analysis for safety-relevant functions?
(Figure: the same value chain of RACE use cases and related standards as on slide 14.)
The challenge for OEMs: end-to-end risk analysis for safety-relevant functions.
Slide 16: The standards apply a similar overall logic, but differ in the details.
Assessment of the standards related to the overall approach (eligibility for a cross-industry approach): is the overall logic the same? Are the details mostly compatible?
(Figure: common process steps: risk, scope, strategy, system design, measures, residual risk, test, safety goal.)
Example "residual risk": exactly calculated in ISO 26262 (ASIL), roughly estimated in ISO 27001, not allowed in wireless standards.
Slide 17: Deep dive example: different approaches to SW development in ISO 26262 vs. BSI IT-Grundschutz (German variant of ISO 27001).
Standards: state of the art and first mapping examples of measures.
ISO 26262-6: Development at SW level (measure per ASIL):
- Principles for SW design (1): ASIL A hierarchical structure; B hierarchical structure; C high cohesion within each SW component; D restricted use of interrupts
- Verification of SW safety requirements (2): ASIL A range checks for input and output data; B range checks for input and output data; C control flow monitoring; D diverse software design
- Mechanism for error handling (3): ASIL A static recovery mechanism; B static recovery mechanism; C graceful degradation; D independent parallel redundancy
1) ISO 26262-6 page 11: Table 3 – Principles for software architectural design
2) ISO 26262-6 page 13: Table 4 – Mechanisms for error detection at the software architectural level
3) ISO 26262-6 page 14: Table 5 – Mechanisms for error handling at the software architectural level
BSI IT-Grundschutz, M4 Hardware and Software (examples out of 469 items): apply anti-virus programs; SW reinstallation for new user; password protection; secure installation of Windows; test of new HW and SW; database encryption; protection of web server information; minimal operating system; safe operation of VPN; …
ISO 26262 requires specific measures at defined sub-tasks and risk levels; BSI provides options to choose from.
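To make the mapping concrete for the early-speed-reduction RACE use case from slide 10 and the integrity and availability risks from slide 13, here is an added example (not from the deck or from mm1) that applies three of the ISO 26262-6 measures listed above to a remote hazard message: range checks on input data, a sequence check that rejects replayed data, and graceful degradation to the self-contained sensor path whenever remote data is missing or rejected. The message format, limits and speed targets are constructed for illustration and come from no standard or real backend.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed limits for the hypothetical hazard message; not from any standard.
MAX_DISTANCE_M = 2000.0   # beyond this the hazard is not relevant yet
MAX_AGE_S = 30.0          # older observations are treated as stale
MIN_CONFIDENCE = 0.6
VALID_HAZARDS = {"ice", "snow", "stopped_vehicle", "accident"}

@dataclass
class HazardMessage:
    seq: int            # sequence number assigned by the backend
    hazard: str
    distance_m: float   # distance ahead of the car
    age_s: float        # seconds since the backend observed the hazard
    confidence: float   # 0.0 .. 1.0, supplied by the backend

@dataclass
class Decision:
    target_kmh: float
    source: str         # "sensors", "remote" or "fallback"

def range_check(msg: HazardMessage) -> bool:
    """Range checks for input data (the ASIL A/B measure in the table above)."""
    return (msg.hazard in VALID_HAZARDS
            and 0.0 <= msg.distance_m <= MAX_DISTANCE_M
            and 0.0 <= msg.age_s <= MAX_AGE_S
            and 0.0 <= msg.confidence <= 1.0)

class HazardGate:
    """Derives a target speed; the car's own sensors always take precedence."""
    def __init__(self) -> None:
        self.last_seq = -1  # highest accepted sequence number so far

    def decide(self, current_kmh: float, sensor_hazard_m: Optional[float],
               msg: Optional[HazardMessage]) -> Decision:
        # Self-contained path: a hazard seen by in-car sensors wins outright.
        if sensor_hazard_m is not None and sensor_hazard_m < 300.0:
            return Decision(min(current_kmh, 50.0), "sensors")
        # Availability risk: no remote data -> graceful degradation, keep speed.
        if msg is None:
            return Decision(current_kmh, "fallback")
        # Integrity risk: reject out-of-range, stale, low-confidence or replayed data.
        if (not range_check(msg) or msg.confidence < MIN_CONFIDENCE
                or msg.seq <= self.last_seq):
            return Decision(current_kmh, "fallback")
        self.last_seq = msg.seq
        # Accepted remote hazard: slow down early, more when it is closer.
        target = 80.0 if msg.distance_m > 1000.0 else 60.0
        return Decision(min(current_kmh, target), "remote")
```

Only the "remote" branch depends on the cloud path, so a backend outage or a rejected message leaves the car exactly where option A on slide 22 would: relying on its own sensors.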
Slide 18: Why such differences in detail? Because the domains are not the same!
(Figure: the company versus product development along the product lifecycle (phases 1, 2, 3, …).)
- One domain is about ensuring correct results ("compute correctly" – functional safety).
- The other is about keeping the systems running ("just compute" – operational security).
Gap: not the same domains.
Slide 19: A lot of work to be done for joint inter-industrial understanding: is it worth the hassle?
(Figure: the assessment of the standards from slide 16 (overall logic the same? details mostly compatible? eligibility for a cross-industry approach), with the question "worth the hassle?")
Slide 20: It is worth the hassle: four reasons for cross-industry cooperation regarding RACE use cases.
Technology push:
- New entrants: the threat from new 'IT-affine' entrants increases competitive rivalry.
- Advancing technologies: the strong trend in IoT is already seizing the automotive industry.
Market pull:
- Customer needs: advances in car safety over decades set future demands.
- Societal goals: EU goal 2020: halve the number of traffic deaths vs. 2010.
Slide 21: What to do.
Slide 22: Three options are feasible for dealing with RACE use cases.
- Option A: Self-contained: ADAS without connectivity. Mindset: "play it safe – let's stay with the self-contained car intelligence"
- Option B: Enhance existing ADAS use cases with connectivity (+ reliability). Mindset: "The world is connected – let's be part of it and seize the added customer value"
- Option C: Enable additional RACE use cases with connectivity (+ scope). Mindset: "Let's max out the potential of external data sources!"
Slide 23: The latter two (options B and C) require inter-industrial cooperation.
(Figure: the three options from slide 22.)
Slide 25: We must look at the whole thing: aspects of functional safety and security must cover the whole connected eco-system (not only the car).
- Functional safety today (ISO 26262): within the vehicle.
- Functional safety tomorrow (ISO 26262 "plus X" – yet unknown!): interconnected approach with vehicle-external components (third-party sensor & data sources; OEM big data backend, e.g. for HD maps; wireless network, e.g. 3G), communication technologies as well as intra-vehicle components.
Slide 26: Solution approach 1: car-centric extension of ISO 26262.
(Figure: the car with its external components: third-party sensor & data sources; OEM big data backend (e.g. for HD maps); wireless network (e.g. 3G).)
Extension of ISO 26262: car-centric.
Mindset and approach:
- Define the requirements of the automotive industry towards other industries.
- Industry partners identify suitable best practices and vulnerabilities.
- Define the technical interfaces from/towards the car's systems.
- Define the requirements that partners have to fulfil in order to deliver data to or receive data from the car.
Slide 27: Solution approach 2: holistic end-to-end framework for cross-industry functional safety of RACE use cases.
(Figure: the car with its external components: third-party sensor & data sources; OEM big data backend (e.g. for HD maps); wireless network (e.g. 3G).)
Cooperative cross-industry functional safety framework: holistic, end-to-end.
Approach:
- Put all involved parties into the position of supporting a total system with the lowest possible risk and internationally reliable legal compliance.
- Develop applicable extensions of standards, guidelines or new standards.
Mindset:
- Cooperatively develop consistent targets, requirements and interfaces.
- Execute a joint process while considering the individual perspectives.
Slide 28: Both approaches may be meaningfully executed along the lean market introduction sequence of RACE use cases.
FuSa (functional safety) approach versus ADAS approach related to RACE use cases:
- Today: self-contained, without RACE
- Short term: advance existing RACE use cases (reliability)
- Medium term: add new RACE use cases (scope)
Currently discussed in the ISO 26262 committee (status April 2016).
Slide 29: FuSiFuture: mm1 is starting up a research consortium for the holistic cross-industry functional safety framework.
Integrated approach: ADAS approach related to RACE use cases:
- Today: self-contained, without RACE
- Short term: advance existing RACE use cases (reliability)
- Medium term: add new RACE use cases (scope)
FuSiFuture: Consortium for Functional Safety and Misuse Protection in Connected and Automated Motor Vehicles (German: Konsortium für Funktionale Sicherheit und Missbrauchsschutz bei vernetzten und automatisierten Kfz).
Slide 30: The Consultancy for Connected Business. Contact us for further discussion.
Volker Scholz, Managing Partner, +49 170 2457999
Lyn Matten, Managing Consultant, +49 151 50674715
www.mm1.com