Functional Safety Automation in road transportation and its implications on user safety and cyber-security Dr Ireri Ibarra Chief Engineer, Functional.


Functional Safety Automation in road transportation and its implications on user safety and cyber-security
Dr Ireri Ibarra, Chief Engineer, Functional Safety
The Safety-Critical Systems Club, Safety of Autonomous Systems, December 2014
© MIRA Ltd 2012. All rights reserved.

Agenda
Road vehicle attributes
Road transportation
Current features in vehicles
Automation
Functional safety and cyber security

EU safety target and strategic objectives
Target: halving the overall number of road deaths in the European Union by 2020, starting from 2010
Objectives (some):
Safer vehicles
Promote the use of modern technology to increase road safety
Improve emergency and post-injury services

Road vehicle expected attributes
High reliability and safety
Reduced emissions and fuel consumption
Increased comfort
Styling / additional extras
Connectivity and gadgets

Unique automotive safety issues (from "Functional safety: An introduction to ISO 26262")
Mass-market consumer product
Everyone has a view! Any perceived issue can lead to widespread adverse publicity
Long product lifetimes, with maintenance difficult to assure outside warranty
Maintenance and aftermarket issues
Driver is part of the control loop but receives little formal training in operating safety-related systems

Road infrastructure
Maintenance (in part)
Legacy (sector specific)
Air-gapped (no connectivity)

Roadside technology trends
Inter-system communications, e.g. NTCIP (National Transportation Communications for Intelligent Transportation System (ITS) Protocol)
Distributed control systems
Vehicle–infrastructure communications
Increasing safety-related functionality, examples:
UK hard shoulder running on motorways (M42 "active traffic management")
US Express Lanes (I 495, 110, US 36)

Emergency services (today)
Confusion
Inaccuracy of location
Inability to place a call

Emergency services: eCall
Pan-European
Automated
Accurate and prompt

Goods transportation
Delays introduced by manual processes
Route / track
Theft
Misuse

Goods transportation
More automation in routing, tracking and even packing

Personal transportation

Current features in passenger vehicles
Emergency brake assist: if an emergency situation is detected, an amplifier raises the pressure in the brake circuit (Renault)
Traffic jam assistant: controls the speed of the car and the distance to the car ahead in dense traffic on motorways at speeds of up to 60 km/h, and even takes over steering (BMW)
Collision warning: provides the driver with a warning in critical situations where a collision is imminent (within up to 3.0 seconds) (Mobileye)

Current features in commercial vehicles
Lane change assist: warns you about approaching traffic which could pose a danger (VW)
Electronic Stability Programme (ESP): checks whether the van is cornering safely (Fiat)
Adaptive Cruise Control and Collision Warning with Emergency Brake: the radar-based ACC keeps a safe distance to the vehicle in front by controlling the accelerator and brakes (Volvo)

Levels of automation and examples
Alignment to ISO 26262 for legacy systems and automated features

NHTSA                                      | EC               | SAE
Level 0 – Non automated                    | Driver only      | Level 0 – Non automated
Level 1 – Function specific automation     | Assisted         | Level 1 – Assisted
Level 2 – Combined function automation     | Semi-automated   | Level 2 – Partial automation
Level 3 – Limited self-driving automation  | Highly automated | Level 3 – Conditional automation
Level 4 – Full self-driving automation     |                  | Level 4 – High automation
                                           |                  | Level 5 – Full automation

Feature examples placed on the chart: LDW, LKA, TJA, AEB

Notes on SAE levels
Level 0 – Non-automated: the full-time performance by the human driver of all aspects of the dynamic driving task, even when enhanced by warning or intervention systems (example: LDW)
Level 1 – Assisted: the driving mode-specific execution by a driver assistance system of either steering or acceleration/deceleration using information about the driving environment and with the expectation that the human driver performs all remaining aspects of the dynamic driving task (example: ACC, LKA)
Level 2 – Partial automation: the driving mode-specific execution by one or more driver assistance systems of both steering and acceleration/deceleration using information about the driving environment and with the expectation that the human driver performs all remaining aspects of the dynamic driving task (example: TJA)
Level 3 – Conditional automation: the driving mode-specific performance by an automated driving system of all aspects of the dynamic driving task with the expectation that the human driver will respond appropriately to a request to intervene (example: AEB)
Level 4 – High automation: the driving mode-specific performance by an automated driving system of all aspects of the dynamic driving task, even if a human driver does not respond appropriately to a request to intervene (example: automated valet parking)
Level 5 – Full automation: the full-time performance by an automated driving system of all aspects of the dynamic driving task under all roadway and environmental conditions that can be managed by a human driver

Functional safety
Generally: part of the overall safety of a system that depends on it operating correctly in response to its inputs
Specifically in ISO 26262: preventing hazards that may result from electronic system malfunctions
The definitions of hazard and harm are narrower compared to other standards and practices
The aim is to provide fail-safe behaviour

Cyber-security
Generally: concerned with preventing accidental or intentional intrusion into IT systems
Specifically in automotive: concerned with securing external interfaces against unintended intrusion and use
Interfaces include end-of-line programming, service, consumer (nomadic) devices, V2X communications
Compare the "traditional" view of automotive "security" requirements

Is it safe, if it is not secure?
In-vehicle systems with high levels of automation can control longitudinal and lateral acceleration with very little driver intervention, or in emergency cases, when the driver will not be able to maintain control. If a vulnerability in the system is exploited to manipulate the controls outside the vehicle manufacturer's design envelope, safe operation is surely compromised.
Vehicle safety, and in particular functional safety, has made extensive use of risk management strategies to identify, assess and manage safety hazards. Cyber-security hazards are one more aspect to be considered when managing risk in road vehicles.
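One concrete way to defend the "design envelope" named above is an independent plausibility monitor between an automation feature and the actuators: each command is checked against the feature's envelope and the current vehicle state, and commands arriving on interfaces that were never meant to carry control traffic (service, end-of-line programming, consumer devices, V2X, as listed on the cyber-security slide) are refused, so an intrusion on one of those interfaces cannot drive the vehicle outside its envelope. The code below is an added example written for this page, not MIRA's or any manufacturer's implementation; the only figure taken from the slides is the 60 km/h activation limit for the traffic jam assistant, and all other limits, feature names and the Source/Envelope/Command types are assumptions.

```python
"""Design-envelope monitor for actuation commands (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    """Interface a command claims to originate from (classes named on the slides)."""
    AUTOMATION_ECU = "automation_ecu"    # in-vehicle feature controller (trusted for control)
    SERVICE = "service"                  # workshop/diagnostic interface
    END_OF_LINE = "end_of_line"          # production programming interface
    CONSUMER_DEVICE = "consumer_device"  # nomadic device (phone, dongle)
    V2X = "v2x"                          # vehicle-to-everything radio link


# Only the automation controller may issue actuation commands; the other
# interfaces exist on the vehicle but must never drive the actuators directly.
CONTROL_SOURCES = {Source.AUTOMATION_ECU}


@dataclass(frozen=True)
class Envelope:
    """Limits a feature may command. Assumed values, except the 60 km/h TJA limit on the slide."""
    max_speed_kph: float    # feature may only be active at or below this speed
    max_decel_mps2: float   # strongest braking the feature may request
    max_accel_mps2: float   # strongest acceleration the feature may request
    max_steer_deg: float    # largest steering-angle change the feature may request


ENVELOPES = {
    # Traffic jam assistant: speed, distance and steering, active up to 60 km/h (per slide)
    "TJA": Envelope(max_speed_kph=60.0, max_decel_mps2=3.0, max_accel_mps2=2.0, max_steer_deg=5.0),
    # Autonomous emergency braking: braking only, no throttle or steering (assumed limits)
    "AEB": Envelope(max_speed_kph=200.0, max_decel_mps2=10.0, max_accel_mps2=0.0, max_steer_deg=0.0),
}


@dataclass(frozen=True)
class Command:
    feature: str              # which automation feature issued the command
    source: Source            # interface the command arrived on
    vehicle_speed_kph: float  # measured vehicle speed at the time of the command
    accel_mps2: float         # positive = accelerate, negative = brake
    steer_deg: float          # requested steering-angle change


def check_command(cmd: Command) -> list[str]:
    """Return the list of envelope violations; an empty list means the command is plausible."""
    violations = []
    if cmd.source not in CONTROL_SOURCES:
        violations.append(f"source {cmd.source.value} is not allowed to issue actuation commands")
    env = ENVELOPES.get(cmd.feature)
    if env is None:
        violations.append(f"unknown feature {cmd.feature!r}")
        return violations
    if cmd.vehicle_speed_kph > env.max_speed_kph:
        violations.append(f"{cmd.feature} active at {cmd.vehicle_speed_kph:g} km/h, limit {env.max_speed_kph:g} km/h")
    if cmd.accel_mps2 > env.max_accel_mps2:
        violations.append(f"acceleration {cmd.accel_mps2:g} m/s^2 exceeds {env.max_accel_mps2:g} m/s^2")
    if -cmd.accel_mps2 > env.max_decel_mps2:
        violations.append(f"deceleration {-cmd.accel_mps2:g} m/s^2 exceeds {env.max_decel_mps2:g} m/s^2")
    if abs(cmd.steer_deg) > env.max_steer_deg:
        violations.append(f"steering {cmd.steer_deg:g} deg exceeds {env.max_steer_deg:g} deg")
    return violations


def arbitrate(cmd: Command) -> Command:
    """Pass a plausible command through; otherwise substitute the fail-safe command
    (no intervention, so the driver keeps control), matching the fail-safe aim of ISO 26262."""
    if check_command(cmd):
        return Command(cmd.feature, cmd.source, cmd.vehicle_speed_kph, 0.0, 0.0)
    return cmd


if __name__ == "__main__":
    # Constructed sample commands: in-envelope, out-of-envelope, and from a non-control interface
    samples = [
        Command("TJA", Source.AUTOMATION_ECU, 45.0, -1.5, 2.0),
        Command("TJA", Source.AUTOMATION_ECU, 110.0, -1.5, 12.0),
        Command("AEB", Source.CONSUMER_DEVICE, 80.0, -8.0, 0.0),
    ]
    for s in samples:
        print(s.feature, s.source.value, check_command(s) or "accepted")
```

The violation list, rather than a plain reject, is what a safety engineer would log and feed into the risk management process the slide calls for: a steady stream of envelope violations from a single interface is evidence of a cyber-security hazard as well as a functional one.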

Conclusions
Road vehicle and infrastructure trends are including more electronic controls that automate some tasks, and hence uncompromised availability is essential.
As tasks become more automated, hazards due to malfunctions of electronic systems are unacceptable, and more rigour has to be part of the design lifecycle.
Some of the more automated tasks are only possible when different systems cooperate and share information; as connectivity increases, more safeguards against cyber-security threats also have to be incorporated in their design.
A sound and comprehensive risk management strategy, incorporating requirements for prevention, mitigation and reaction to both safety and cyber-security threats, must be made part of any product quality management system.

Contact details
Dr Ireri Ibarra, BEng, PhD
Chief Engineer, Functional Safety
MIRA Ltd, Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK
T: +44 (0)24 7635 5000
F: +44 (0)24 7635 8000
Direct T: +44 (0)24 7635 5415
E: ireri.ibarra@mira.co.uk
www.mira.co.uk