TBOX Functional Safety and Cybersecurity Considerations

Source: WeChat official account "智能网联车安全"
2020-08-24

[Author]

Renhong WENG, Safety, Security and RAMS investigator.


Note: this was originally written in January 2019.


In ISO 26262:2011, the failure rate calculation is detailed in Part 10 for better guidance, and the total failure rate is defined as

λ[failure rate] = λ[SPF] + λ[Residual] + λ[Dual, perceived] + λ[Dual, detected] + λ[Dual, latent] + λ[safe]    (E1)

Note: MPF (multiple-point failure) here mainly means dual-point failure; failures of order 3 or higher are not emphasised unless such an MPF can be perceived or diagnosed and would seriously violate a safety goal, in which case it is included in the technical safety concept.

But when this is applied to Intelligent Connected Vehicles, how should the failure rate be calculated, and how should such a case be handled?

The following is one potential method:

Safety Analysis Case01:

Suppose the TBOX supplier is TIER1-01 and the vehicle-level party is OEM-01; we then set up a preliminary functional safety analysis regarding the TIER1-01 TBOX:


TBOX OEM-01


OEM_TBOX_SafetyGoal_01: Abnormal Communication


OEM_TBOX_FSR_01: Communication Unintended Corruption


OEM_TBOX_FSR.......


OEM_TBOX_FSR_01 decomposition

OEM_TBOX_FSR_0101: TBOX Communication Unintended Corruption

OEM_TBOX_FSR_0102: ICLOUD-TBOX Communication Unintended Corruption

OEM_TBOX_FSR_0103: TBOX-Vehicle internally Communication Unintended Corruption

Suppose the OEM passes only OEM_TBOX_FSR_0101 as input to TBOX TIER1-01, and TIER1-01 takes it as its safety goal on the supplier side.


TBOX TIER1-01 side:


TBOX_SafetyGoal_01: Communication Unintended Corruption


TBOX_FSR_01: TBOX shall not have internal failures leading to communication unintended corruption.


TBOX_FSR_02: TBOX shall have internal safety mechanisms to detect communication unintended corruption lasting **** ms and to send warning signals to the driver or passengers within **** ms.


ASIL: ***


DTTI: ****ms when in *** operation mode....


FDTI: ****ms when in *** operation mode...


FRTI: ****ms when in *** operation mode...


FHTI: ****ms when in *** operation mode...


Emergency operation: when driving, TBOX communication unintended corruption shall be monitored, and the vehicle owner shall have the TBOX maintained within two *** trips.


EOTI: ****trips when in *** operation mode...


Safe state: (1) TBOX corruption information has been logged and sent to ICLOUD for storage and self-debugging; (2) TBOX corruption information shall be sent to Gateway 01, 02 and 03 in less than *** ms; (3) TBOX shall enter re-initialization mode if corruption occurs; (4) TBOX shall be taken out of use and enter the emergency operation state first if corruption happens *** times or more within *** hours......


Validation criteria: test the parameters of the corresponding safety mechanism, its diagnostic coverage, and the achievement of the final safe state.


TBOX TIER1-01 Failure Rate Calculation:


λ[TBOX failure rate] = λ[SPF] + λ[Residual] + λ[Dual, perceived] + λ[Dual, detected] + λ[Dual, latent] + λ[safe]


TBOX TIER1-01 potential safety analysis is listed as follows:

OEM-01 TBOX potential safety analysis is listed as follows:

TBOX OEM-01 Failure Rate Calculation:

λ[communication unintended corruption failure rate] = Σ[TBOX + ICLOUD + Vehicle Communication]

= λ[SPF_oem] + λ[Residual_oem] + λ[Dual, perceived_oem] + λ[Dual, detected_oem] + λ[Dual, latent_oem] + λ[safe_oem]


DRAFT CONCLUSION for Safety Analysis Case01 OEM:


λ[SPF_oem]: will be influenced by λ[Residual]

λ[Residual_oem]: will be influenced by λ[Residual]

λ[Dual, oem]: will be influenced by λ[SPF], λ[Residual], λ[Dual, latent]


Safety Analysis Case02:

Suppose the TBOX supplier is TIER1-01 and the vehicle-level party is OEM-01; we then set up a preliminary functional safety and cybersecurity analysis regarding the TIER1-01 TBOX:


Note: for the functional safety analysis, please refer to Safety Analysis Case01.


TBOX OEM-01


OEM_TBOX_SecurityGoal_01: Abnormal Communication


OEM_TBOX_CSR_01: Communication Unintended Corruption


OEM_TBOX_CSR.......


OEM_TBOX_CSR_01 decomposition

OEM_TBOX_CSR_0101: TBOX Communication Unintended Corruption due to hacker attack

OEM_TBOX_CSR_0102: ICLOUD-TBOX Communication Unintended Corruption due to hacker attack

OEM_TBOX_CSR_0103: TBOX-Vehicle internal Communication Unintended Corruption due to hacker attack

Suppose the OEM passes only OEM_TBOX_CSR_0101 as input to TBOX TIER1-01, and TIER1-01 takes it as its security goal on the supplier side.


TIER1-01 will use the EVITA method, as referenced in SAE J3061, to derive its security goals:

TBOX TIER1-01 side:


TBOX_SecurityGoal_01: TBOX Communication Unintended Corruption due to hacker attack


TBOX_CSR_01_01: TBOX shall not have communication unintended corruption that leads to the vehicle becoming totally uncontrollable due to hacker attack.


TBOX_CSR_01_02: TBOX shall not have communication unintended corruption that leads to OTA becoming uncontrollable, or to privacy and valuable information being leaked, due to hacker attack.


Due to time limits, we only analyse TBOX_CSR_01_01:


TBOX_CSR_01_01: TBOX shall not have communication unintended corruption that leads to the vehicle becoming totally uncontrollable due to hacker attack.


This cybersecurity requirement imposes, and has to carry, important functional safety requirements:


1st stage: analyse what this cybersecurity requirement imposes from the functional safety (FUSA) aspect:


ASIL: C value is 4, S value is 3, E value >= 2, giving ASIL C or ASIL D.


DTTI: ****ms when in *** operation mode....


FDTI: ****ms when in *** operation mode...


FRTI: ****ms when in *** operation mode...


FHTI: ****ms when in *** operation mode...


Emergency operation: (1) when driving, TBOX communication unintended corruption shall be monitored, and the vehicle owner shall have the TBOX maintained within two *** trips; (2) if, when driving, TBOX communication is unintendedly corrupted and the vehicle also loses control, and a hacker attack has been identified within *** ms, then the whole vehicle shall be transferred to the backup OS and decision system, with a transfer time of less than *** ms; while the car is arbitrating whether or not it is a hacker attack, within **** ms the car shall slow down and stop at the roadside. (3) The hacker attack log shall be recorded and forwarded to the remote monitoring system of the 4S store or car maker.


EOTI: (1) **** trips when in *** operation mode.


***EOTTI: when running on the backup OS and decision system, the vehicle shall be driven to a 4S store for maintenance, where the TBOX configuration or certification is changed or the TBOX is replaced directly, within 1 trip.


Safe state: (1) TBOX corruption information has been logged and sent to ICLOUD for storage and self-debugging; (2) TBOX corruption information shall be sent to Gateway 01, 02 and 03 in less than *** ms; (3) TBOX shall enter re-initialization mode if corruption occurs; (4) TBOX shall be taken out of use and enter the emergency operation state first if corruption happens *** times or more within *** hours...... (5) if, when driving, TBOX communication is unintendedly corrupted and the vehicle also loses control, and a hacker attack has been identified within *** ms, then the whole vehicle shall be transferred to the backup OS and decision system, with a transfer time of less than *** ms;


Arbitration methodology: if, when driving, TBOX communication is unintendedly corrupted and the vehicle also loses control, the vehicle shall first slow down into emergency operation mode, and then run the arbitration methodology to decide whether it is a hacker attack, based on the TBOX's built-in self-scanning.


Contradiction between functional safety and cybersecurity: the functional safety safe state or emergency operation is, at best, to slow the vehicle down, whereas cybersecurity requires that information and vehicle control rights are not lost, which leads to arbitration and protection against the attacker, such as switching the main decision system over to the backup OS system. Here we have to set the emergency operation tolerance time interval properly and coordinate these two activities.


2nd stage: analyse the cybersecurity countermeasures:


Security mechanisms shall be derived through ATA (attack tree analysis), but we will not discuss this in detail here.


So, in Safety Analysis Case02,


TBOX TIER1-01 Failure Rate Calculation under hacker attack:


λ[TBOX failure rate] = λ[SPF] + λ[Residual] + λ[Dual, perceived] + λ[Dual, detected] + λ[Dual, latent] + λ[safe] + λ[Hacker attack_SP] + λ[Hacker attack_Residual]


TBOX OEM-01 Failure Rate Calculation under hacker attack:


λ[communication unintended corruption failure rate] = Σ[TBOX + ICLOUD + Vehicle Communication]

= λ[SPF_oem] + λ[Residual_oem] + λ[Dual, perceived_oem] + λ[Dual, detected_oem] + λ[Dual, latent_oem] + λ[safe_oem] + λ[Hacker attack_SP_oem] + λ[Hacker attack_Residual_oem]
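As an added example (not from the original article), the Case01 equation E(1) and its Case02 extension worked through in Python: each fault or attack path of an element is split into the E(1) classes, and the OEM-level Σ over TBOX, ICLOUD and vehicle communication is taken per class, which is what makes the OEM terms depend on the suppliers' residual and latent terms. The FIT figures, the coverage-based split convention and the booking of detected attacks under `safe` are my assumptions.

```python
from dataclasses import dataclass
# Classes of ISO 26262-10 equation E(1) plus the two hacker-attack classes that
# Case02 appends. Units: FIT (failures per 1e9 operating hours).
CLASSES = ("SPF", "Residual", "Dual_perceived", "Dual_detected", "Dual_latent",
           "safe", "Hacker_attack_SP", "Hacker_attack_Residual")

@dataclass
class Fault:                 # one fault or, with attack=True, one attack-induced corruption path
    fit: float
    kind: str                # "single" (violates SG alone), "dual" (needs a 2nd fault), "safe"
    dc_rf: float = 0.0       # coverage of the mechanism against residual faults (0 = none)
    dc_mpf: float = 0.0      # coverage against latent multiple-point faults
    perceived: float = 0.0   # share of the multiple-point fault the driver perceives
    attack: bool = False     # Case02: corruption caused by a hacker attack

def classify(f: Fault) -> dict:
    """Split one fault's FIT across CLASSES. Assumed convention (my reading of
    ISO 26262-5/-10, not stated on the page): the uncovered share fit*(1-dc_rf) is
    residual; the covered share becomes a multiple-point fault split by dc_mpf."""
    r = dict.fromkeys(CLASSES, 0.0)
    if f.kind == "safe":
        r["safe"] = f.fit
    elif f.attack:  # the page gives only SP and Residual attack terms; assumption:
        # the covered share is detected and drives the TBOX into its safe state
        r["Hacker_attack_SP"] = f.fit if f.dc_rf == 0 else 0.0
        r["Hacker_attack_Residual"] = f.fit * (1 - f.dc_rf) if f.dc_rf else 0.0
        r["safe"] = f.fit * f.dc_rf
    elif f.kind == "single" and f.dc_rf == 0:
        r["SPF"] = f.fit
    else:
        mpf = f.fit if f.kind == "dual" else f.fit * f.dc_rf
        r["Residual"] = f.fit * (1 - f.dc_rf) if f.kind == "single" else 0.0
        r["Dual_perceived"] = mpf * f.perceived
        r["Dual_detected"] = mpf * (1 - f.perceived) * f.dc_mpf
        r["Dual_latent"] = mpf * (1 - f.perceived) * (1 - f.dc_mpf)
    return r

def element_rates(faults: list) -> dict:
    """Right-hand side of E(1) for one element, e.g. the TIER1-01 TBOX."""
    return {k: sum(classify(f)[k] for f in faults) for k in CLASSES}

def oem_rates(elements: list) -> dict:
    """OEM level: Sigma over TBOX + ICLOUD + vehicle communication, per class."""
    return {k: sum(e[k] for e in elements) for k in CLASSES}

# Constructed sample figures (FIT), not from the page.
TBOX = [Fault(10.0, "single", dc_rf=0.9, dc_mpf=0.5),      # modem stuck, covered by watchdog
        Fault(2.0, "dual", dc_mpf=0.5, perceived=0.5),     # the watchdog itself fails
        Fault(1.0, "safe"),                                # status LED
        Fault(4.0, "single", dc_rf=0.5, attack=True),      # spoofed uplink, partly authenticated
        Fault(3.0, "single", attack=True)]                 # unauthenticated command, no mechanism
ICLOUD = [Fault(6.0, "single", dc_rf=0.8, attack=True)]    # session corruption
VEHICLE = [Fault(5.0, "single", dc_rf=0.6, dc_mpf=1.0)]    # CAN transceiver
```

Calling `oem_rates([element_rates(TBOX), element_rates(ICLOUD), element_rates(VEHICLE)])` gives the OEM-01 decomposition; every FIT of input is conserved across the classes, so the totals can be checked against the sum of the raw rates.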


DRAFT CONCLUSION for Safety Analysis Case02 OEM:

λ[SPF_oem]: will be influenced by λ[Residual]


λ[Residual_oem]: will be influenced by λ[Residual]


λ[Dual, oem]: will be influenced by λ[SPF], λ[Residual], λ[Dual, latent]


λ[Hacker attack_SP_oem]: will be influenced by λ[Hacker attack_SP], λ[Hacker attack_Residual]


λ[Hacker attack_Residual_oem]: will be influenced by λ[Hacker attack_SP], λ[Hacker attack_Residual]


Many thanks for reading, and may everyone have a happy new year in 2019.

