SAE INTERNATIONAL
A GLOBAL DISCUSSION ON SAE INTERNATIONAL J3061™
Parallels Between J3061™ and Functional Safety Lifecycle in ISO 26262
SPEAKER: Dr. David Ward, HORIBA MIRA, Head of Functional Safety, J3061™ Task Force Member
MODERATOR: Lisa Arrigo, SAE International
December 2015
© HORIBA MIRA Ltd. 2015

Agenda
■ Recap: What is ISO 26262?
■ Systems engineering as the basis of the functional safety lifecycle
■ Comparisons between ISO 26262 and the J3061™ lifecycle
■ Parallel activities and contact points
■ Conclusions

What is ISO 26262?
■ ISO 26262 Road vehicles – Functional safety
■ An automotive-specific functional safety standard
- Based on the principles of systems engineering and the "V" model
- Strong emphasis on requirements
- Significant current scope exclusions, but a new Edition 2 is due Q1/2018 (timescale subject to confirmation)

ISO 26262 basis in systems engineering
Figure: the systems engineering V model. Left leg (flow-down and refinement of requirements): concept formulation → system design → system implementation. Right leg (verification, typically through analysis): integration, testing and verification → validation and system deployment.

Application of the V model in ISO 26262
Figure: the ISO 26262 V model. Left leg: requirements specification (safety goals and Functional Safety Concept) → architecture and system design (Technical Safety Concept) → HW and SW component design → HW and SW detailed design and implementation (measures for fault avoidance and mitigation). Right leg: element integration (HW/SW), verified e.g. by ECU testing → system integration (element/element), verified e.g. by HIL test → item integration (item to vehicle), validated e.g. by vehicle driving tests. Requirements, traceability and safety analysis link each level on the left leg to its counterpart on the right.

Functional safety is a subset of product integrity and assurance
Figure: product assurance encompasses functional safety, systems engineering, failure mode analysis, availability and cybersecurity.
Example attack goal and attack objectives (source: Toyota):
- AG1 Malicious intentional vehicle disable
- AO1 Malicious remote disable of vehicle
- AO2 Malicious disable of starting

Comparisons between ISO 26262 and the J3061™ lifecycle
■ Note: not an exhaustive comparison
Similarities:
- Based on the systems engineering "V" model and flow-down of requirements
- Threat Analysis and Risk Assessment may be based on a similar approach (see e.g. EVITA)
- Use of analysis to specify and verify requirements
- Hardware and software development processes
Differences:
- T&R needs extending: additional types of "harm"; possibility of affecting multiple stakeholders
- Attack trees are also used to help identify and classify threats
- Role of vulnerability analysis at various lifecycle stages
Additional in J3061™:
- Additional requirements for security management, e.g. incident response
- Role of vulnerability analysis at various lifecycle stages
- Need for specific countermeasures

Parallel activities and contact points
■ Functional safety and cybersecurity use very similar processes, so alignment and synchronization are recommended
■ It is planned in ISO 26262 Edition 2 to identify the need for communication channels between functional safety and related disciplines (e.g. cybersecurity)
- Including examples of potential interface points
■ Two specific examples today
- Concept phase
- Product development at the software level

Potential communication channels during the concept phase activities
Source: draft document J3061™, copyright SAE International
■ Specific example: safety hazards resulting from a cyber threat
■ Specific example: alignment of requirements

Safety hazards risk management
■ ISO 26262 contains automotive-specific requirements for hazard analysis and risk assessment
Figure: hazard analysis → risk assessment → safety goals, with each hazard classified by S (Severity), E (Exposure) and C (Controllability).

Extended risk management
■ Establishing functional safety requirements: hazard analysis → risk assessment (ASIL) → safety goals
■ Establishing cybersecurity requirements: threat analysis → risk assessment (prioritize; rating scheme TBD) → security requirements

Threat analysis and risk assessment (T&R, TARA)
■ Analogous to H&R / HARA in functional safety, but with some key differences in approach
- Hazard identification → threat identification
o Includes consideration of "dark side" scenarios, e.g. attackers and their motivations
- Hazard classification (S, E, C) → threat classification (severity and risk)
- Risk assessment (ASIL) → risk assessment (TBD)
■ Work products are more interlinked, e.g.
- Attack trees feed into T&R but are also part of defining the dark side scenarios
- In cybersecurity, understanding the asset attacks is fundamental to being able to assess risk
■ Order and timing of activities may also be different
- Attack trees are a specific example

Attack trees
■ Analogous to fault trees in reliability / safety engineering
■ Analysis of the tree is possible through Boolean or continuous values
Figure: example attack tree, read from the attack goal down to the asset attacks. Attack goal: disable vehicle. Attack objectives: malicious remote disable; disable starting. Attack methods: exploit remote communications; exploit service centre; exploit internal communications. Asset attacks: inject malware; impersonate request. Severity and probability combine to give risk.
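The two kinds of attack-tree analysis named on the slide, Boolean and continuous, as an added worked example. This is not code from the webinar, from HORIBA MIRA or from J3061: the node names are the slide's, but the AND/OR gates, which asset attack feeds which attack method, the leaf probabilities and the integer severity scale are assumptions made here. It also goes slightly beyond the slide: it enumerates the minimal attack paths (the attack-tree analogue of a fault tree's minimal cut sets) and computes the goal probability exactly, so that the error of naive gate-by-gate propagation on a shared asset attack becomes visible.

```python
"""Attack-tree evaluation with Boolean and continuous values.

Added example; not code from the webinar, HORIBA MIRA or SAE J3061.
Node names follow the slide's example tree (attack goal "Disable vehicle");
the gates, the edges between levels, the leaf probabilities and the
severity scale are assumptions made for this example.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Node:
    name: str
    gate: Optional[str] = None            # "AND" / "OR" for internal nodes, None for a leaf
    children: List["Node"] = field(default_factory=list)
    probability: Optional[float] = None   # leaves only: assumed chance the asset attack succeeds

    def is_leaf(self) -> bool:
        return not self.children


def achievable(node: Node, feasible: Set[str]) -> bool:
    """Boolean analysis: is the node reachable when only the named asset
    attacks are judged feasible (e.g. after vulnerability testing)?"""
    if node.is_leaf():
        return node.name in feasible
    results = [achievable(c, feasible) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def gate_probability(node: Node) -> float:
    """Continuous analysis by gate-by-gate propagation, as for a fault tree:
    AND multiplies, OR takes 1 - prod(1 - p). This treats every child as
    independent, which is wrong when one leaf is shared by several branches."""
    if node.is_leaf():
        assert node.probability is not None, f"leaf {node.name} needs a probability"
        return node.probability
    probs = [gate_probability(c) for c in node.children]
    if node.gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    none_succeed = 1.0
    for p in probs:
        none_succeed *= 1.0 - p
    return 1.0 - none_succeed


def leaf_probabilities(node: Node) -> Dict[str, float]:
    """Collect the asset attacks (leaves) by name so a shared leaf counts once."""
    if node.is_leaf():
        assert node.probability is not None, f"leaf {node.name} needs a probability"
        return {node.name: node.probability}
    leaves: Dict[str, float] = {}
    for child in node.children:
        leaves.update(leaf_probabilities(child))
    return leaves


def exact_probability(node: Node) -> float:
    """Exact goal probability: enumerate every success/failure outcome of the
    distinct leaves and sum the weight of the outcomes that reach the node.
    Exponential in the number of leaves, which is fine for slide-sized trees."""
    leaves = leaf_probabilities(node)
    names = sorted(leaves)
    total = 0.0
    for outcome in product([False, True], repeat=len(names)):
        feasible = {n for n, ok in zip(names, outcome) if ok}
        if achievable(node, feasible):
            weight = 1.0
            for n, ok in zip(names, outcome):
                weight *= leaves[n] if ok else 1.0 - leaves[n]
            total += weight
    return total


def minimal_attack_paths(node: Node) -> Set[FrozenSet[str]]:
    """Minimal sets of asset attacks that together reach the node
    (the attack-tree analogue of a fault tree's minimal cut sets)."""
    if node.is_leaf():
        return {frozenset([node.name])}
    child_sets = [minimal_attack_paths(c) for c in node.children]
    if node.gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        combined = set().union(*child_sets)
    return {s for s in combined if not any(o < s for o in combined)}


def risk(node: Node, severity: int) -> float:
    """The slide's Severity x Probability -> RISK; the integer severity scale is assumed."""
    return severity * exact_probability(node)


# Example tree: names from the slide, structure and probabilities assumed.
inject_malware = Node("Inject malware", probability=0.2)
impersonate = Node("Impersonate request", probability=0.3)
exploit_remote = Node("Exploit remote communications", gate="AND",
                      children=[impersonate, inject_malware])
exploit_service = Node("Exploit service centre", gate="OR", children=[inject_malware])
exploit_internal = Node("Exploit internal communications", gate="OR", children=[impersonate])
remote_disable = Node("Malicious remote disable", gate="OR",
                      children=[exploit_remote, exploit_service])
disable_starting = Node("Disable starting", gate="OR", children=[exploit_internal])
disable_vehicle = Node("Disable vehicle", gate="OR",
                       children=[remote_disable, disable_starting])

if __name__ == "__main__":
    print("achievable with malware only:", achievable(disable_vehicle, {"Inject malware"}))
    print("gate-by-gate probability:", gate_probability(disable_vehicle))
    print("exact probability:", exact_probability(disable_vehicle))
    print("minimal attack paths:", minimal_attack_paths(disable_vehicle))
    print("risk at severity 3:", risk(disable_vehicle, 3))
```

Run it directly to print the results. The shared leaf "Inject malware" is why the gate-by-gate value (0.4736) exceeds the exact one (0.44): the OR gate above it treats the two branches as independent although both depend on the same asset attack, so a real T&R tool needs either distinct leaves or an exact evaluation. The assumed leaf probabilities would be replaced by whatever rating scheme the organization adopts, which the slide leaves as TBD.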
Potential communication channels during the product development (software level) activities
Source: draft document J3061™, copyright SAE International
■ Specific example: language subsets
■ Specific example: alignment of requirements

Conclusions
■ SAE J3061™ and ISO 26262 have (purposely) very similar lifecycles
■ Key additional processes to help identify and mitigate system vulnerabilities include
- Attack trees
- Threat analysis and risk assessment (T&R)
- Cybersecurity-specific countermeasures and development methods
- Vulnerability testing
■ J3061™ provides the guidance and information to help organizations develop their own internal cybersecurity process
- Establish the relationships between cybersecurity and functional safety (and other disciplines)
- Sequence and timing of activities may be different between functional safety and cybersecurity

Contact details
HORIBA MIRA Ltd., Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK
T: +44 24 7635 5000  F: +44 24 7635 8000  www.horiba-mira.com
Dr David Ward MA, PhD, CEng, CPhys, MInstP, MIEEE, MSAE, Head of Functional Safety
Direct T: +44 24 7635 5430  E: david.ward@horiba-mira.com

Our Sponsors: we thank our sponsors for making this webinar possible.
Questions? Send us your questions via the 'Ask a Question' box.
Stay tuned for our next presentation: Hardware Protected Security for Ground Vehicles and SAE Draft Document J3101™