SIGYN II Partners and sub projects Partners: Volvo Cars Alkit communication SP EIS by Semcon Chalmers Viktoriainstitutet Sub projects: 1.Academy & Administration 2.Security cOncept and IT Architecture (SOTA) 3.Safety Analysis and concept for Diagnostics and software Download (SADD) 4.TrAfic Control and Test car mAnagement (TACTA) 5.Connected car Impact on Repair shops and After sales (CIRA)

SIGYN II Safety and Security concept cover all parts. Synchronous remote session Wireless Diagnostics & SWDL Remote asynchronous Diagnostics & SWDL Remote SWDL task & result Remote Diagnostic task & result Remote data measurement task & result Vehicle state of health Studies concepts for remote diagnostics and SWDL with focus on Safety & Security Remote online Diagnostics

Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 3 Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 3 Vehicle diagnostics and software download has been performed during decades in workshops with no or little concern of System Safety, so why start considering System Safety in this project? Because of the addition of the term ”Remote” Previously the diagnostic client was always physically attached to the vehicle via the OBD-connector (and became de-attached before the vehicle left the workshop) Soon the diagnostic client will be built into the vehicle (thus never de- attached) In addition, there will be occasions when the workshop mechanic have no visual overview of the vehicle when performing remote diagnostics SIGYN II Safety Analysis

Scope of analysis Issues covered by the Safety analysis What can be done with remote diagnostics? Diagnostic Readout Services Are only able to readout information (signals, DTCs etc.) from the vehicle Does not affect ECUs operation Diagnostic Control Services May write data affecting ANY vehicle function, overruling the vehicle user intention Has the ability to set the vehicle in programming mode (SWDL) I.e. unexpected diagnostic control could in worst case manipulate brakes, turn-off headlights etc. while the vehicle moves!  Functional safety has to be considered! Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 4 1) Remote Diagnostics & SWDL 2) Local 2) Remote 3) Synchronous3) Asynchronous 4)Vehicle user and the diagnostic operator are part of the system under consideration.

Conducting risk analysis In SIGYN II different conventional methods, such as FMECA/HAZOP/FTA, have been applied…  Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 5 The conclusions are that there are risks both caused by potential system malfunction and in normal operation, but the analysis becomes too extensive. A systematic approach was applied where the analysis was subdivided into: 1. Safety Analysis in normal operation, SIGYN II analysis method developed 2. Hazard and risk Assessment ISO Client activates EPB, caused by failure Client move seats when children is inside vehicle, no failure Client activates seat heat, caused by failure Client sets vehicle it prog, no failure Client switch off all lamps, caused by failure Vehicle parked Vehicle moves Night Freeway Trafic jam Snow Indicator manipulation, no failure Slope Speed > 90 km/h etc.

Analysis Result: Functional Safety Concept (FSC) Remote diagnostic services shall be classified as either safe or risk related NO restrictions applies for safe diagnostic services (readout or control) Risk related services can only be executed after the following conditions are fulfilled: Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 6 The above applies only for vehicles that are not located in a designated area (e.g. workshop or factory) The vehicle user shall always be able to abort any ongoing remote diagnostics Confirms consent and controls when diagnostics start b) Defined vehicle conditions are fulfilled: ‘Vehicle not moving’ is always a mandatory condition SWDL requires additional conditions than other diagnostics a) An initiation sequence is performed which secures that a vehicle user: Is informed about the effects of the script/services Is present at the car (by action)

Technical Safety Concept (TSC) There are several different ways for implementing the FSC into a real vehicle. The decision of which implementation to use must be based on deep knowledge of the in-vehicle electric architecture and a cost/benefit estimation which has not been within the scope of SIGYN II. Different proposals of technical safety concepts regarding a general requirement allocation were made, which all had more or less pros and cons. The overall result of the safety analysis is a concept containing both methodologies and proposals.. Date created: [YYYY-MM-DD] Issuer: [Name] [CDS ID], [Organisation], [Name of Doc], Security Class: Proprietary 7

ARTKO SIGYN II Research AE Remote diagnostics Remote online diagnostic read out Vehicle state of Health Remote SWDL Remote parameter settings and data measurement Remote online diagnostic control Remote SWDL & parameter setting campaign SIGYN functions: Vehicle data collection Synchronous workshop diagnostics Vehicle data measurement & callibration Remote SWDL Road map Remote diagnostics & SWDL Coming FFI application Remote vehicle data collection and visalization AE projects for base technologies : WLAN (b/g/n) inc. Ethernet SWDL Next generation AE projects for base technologies : Make concepts remote (AE ) Vehicle information security (AE ) Security concept Safety concept Remote Services