Nowadays, one of the biggest challenges facing the automotive industry is the transition from hardware-based to software-defined vehicles. As software becomes the main area of development in the automotive industry, an increasing number of OEMs and suppliers are gradually transforming into software companies. Vehicles are evolving from a mere means of transport to computers with mobility: a four-wheeled computer.
Differences and Synergies Between Functional Safety, SOTIF, and Cybersecurity
The rapid development of intelligent connected vehicles has led to the continued emergence of new technologies, including software updates or integration with personal digital devices remotely via OTA technology. The wide implementation of these new technologies in smart connected vehicles places additional demands on the information security (or cybersecurity) of the complete vehicle. A notable example would be the international standard ISO 21434, a professional standard specialized in cybersecurity in “Road vehicles — Cybersecurity engineering." These standards also provide a range of solutions for practices in engineering applications.
Currently, most OEMs and component suppliers adhere to the development process of functional safety, which means they consider the functional safety development process based on ISO 26262 and standards for the safety of intended functionality, such as ISO 21448. Combined with the additional requirements from a cybersecurity perspective, understanding the relationship between current functional safety standards and cybersecurity standards is crucial, and how to achieve coordination between different processes is equally important. How do we guarantee the functional safety of relevant elements, cybersecurity, and finally software development quality in the model-based development process, particularly when using frameworks from MATLAB Simulink or TargetLink for coordination? The subsequent sections will discuss this in detail.
Here we document several important safety standards, starting from classification and comprehension of different safety concepts from a macro perspective. To simplify the description of autonomous driving systems, standard ISO TR 4804:2020 introduces the concept of "dependability." Dependability is defined as "the capacity of a system to deliver a service or function regarding the attributes of reliability, availability, maintainability, safety, and security (RAMSS)" (ISO, 2020). Dependability encompasses the knowledge of reliability, availability, functional safety, and cybersecurity. It includes the crucial considerations for some typical automotive engineering practices in these topics. The functional safety standard ISO 26262 aims to avoid unreasonable risks due to hazards caused by malfunctioning behavior of E/E systems. The safety of the intended functionality (SOTIF) standard ISO 21448 addresses the unreasonable risks due to hazards resulting from functional insufficiencies of the intended functionality or reasonable and foreseeable misuse by personnel. Both functional safety and SOTIF emphasize the necessity of preventing unreasonable risks due to failures or misuse of the system at its functional level. From the aspect of cybersecurity, ISO 21434 is dedicated to hazards resulting from "deliberate manipulation," evaluating the scenario in which assets are protected, and the situations when components of vehicles or their functional components and subcomponents are prevented from threats. The availability of safety-related functions is also noteworthy and is partially mentioned in ISO 26262.
The ISO 26262 standard is widely recognized and applied in functional safety-related fields. Addressing potential functional inefficiencies and personnel misuses, standard ISO 21448 has been proposed as a complementary guideline for intended functional safety, with the recent release of a new version. For cybersecurity, standard ISO SAE 21434 has been proposed by the automotive industry. In addition to these three main standards, in the context of automated driving vehicles, key stakeholders have provided a comprehensive and area-specific standard, ISO 48 TR 4804. Considered as complementary to existing safety standards, the standard ISO 48 TR 4804 aims to achieve a positive risk balance and avoids unreasonable risks or threats associated with cybersecurity. It provides relative guidelines and more practical methods. Of course, the related content leans toward technical descriptions that state the importance of safety design.
The first edition of ISO 26262 was proposed in 2011, with the most recent revision in 2018. Most companies incorporate this standard into their development processes. SOTIF was initially published in 2019 and the contents were updated in 2022. ISO 21434, derived from SAE standard J3061, which is titled "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems," was published in 2016. Later, it was transferred to ISO 21434 by ISO. The ISO standard for automobile driving originated from the book "Safety First for Automated Driving," subsequently included in standard ISO/TR 4804. This standard underwent further updates and has been adopted as technical guidelines within standard ISO/TR 4804. Functional safety, SOTIF, and cybersecurity constitute the prerequisites of the credible domain of safety standards as illustrated in Figure 1.
So how do different safety standards interrelate? Two sentences summarized from articles can describe this relationship: "traditionally speaking, functional safety and cybersecurity have been considered separate fields of knowledge with different professionals responsible for them" Serpanos (2019). However, by analyzing their characteristics and drawing analogies, the conclusion is that they are interdependent: functional safety relies on information safety or cybersecurity, and vice versa. There is no functional safety without cybersecurity. Another note is summarized by Ryan (2018), where he also points out that cybersecurity can be seen as the guard of functional safety. In the past, cybersecurity has received less attention, probably due to an oversight by practitioners in the automotive industry. However, with the rapid growth of smart connected vehicles, cybersecurity concerns have gained increasing attention, placing attention on both functional safety and cybersecurity in a more systematic way.
Next this article dives into how to distinguish between functional safety and cybersecurity by providing a more straightforward conceptual view to understand their links. As shown in Figure 2, cybersecurity focuses on protecting systems and safeguarding products or digital assets of devices from external threats. This extends beyond the central system to encompass aspects of cybersecurity both within and outside the system. Threats can come from personnel or external environments, as illustrated by hackers attempting to manipulate ECU by connecting to the car via WIFI. While functional safety concentrates on preventing hazards from system failures, its primary goal is to protect individuals or the environment from harm caused by such failures. A typical example would be the functional insufficiency of anti-lock braking systems (ABS) at high travelling speeds: a system failure can cause severe harm to people.
To gain a deeper understanding of the link between cybersecurity and vehicle safety, this article introduces another example from automotive safety researchers. The example illustrates that these professionals have discovered the potential to control a vehicle through its computer system remotely and wirelessly. Through tools like GM‘s OnStar and Ford’s Sync, researchers have been able to access the in-vehicle computer system or connect to the entire automobile network via Bluetooth using in-vehicle phones, and even control almost all safety-critical systems such as brakes, locks, and the center console.
This is why practitioners in the automotive industry want to analyze and develop cybersecurity in automotive systems more methodically. One notable initiative is the European research project "EmbeddedSafeSec" in the field of functional safety and cybersecurity, sponsored by Investitionsbank Berlin and the European Regional Development Fund (EFRD), which is dedicated to researching better implementations of synergy between functional safety and cybersecurity. This article presents some frameworks for synergies in automotive safety and their best practices.
Firstly, how regarding functional safety, standard ISO 26262 encompasses the lifecycle description from system and software levels, as shown in Figure 3 (the synchronized hardware development cycle is not mentioned). The activities at the system level are shown above the dotted line, while those below are at the software level. At the system level, starting with the Hazard Analysis and Risk Assessment (HARA):
- Practitioners identify and evaluate the potential hazards and associated risks from the functional safety perspective,
- Then determine the ASIL level, generating corresponding safety goals used as top-level safety requirements,
- Derive a set of specific technical safety concepts from functional safety concepts, as well as the implementation of functional safety requirements and specifications at hardware and software level.
After establishing technical safety concepts, the lifecycle has been further developed to software level:
- Software safety requirements, the software architectural design, software unit design, and the software implementation are specified,
- Following this, we move to different levels of testing and verifications corresponding to levels mapped on the left-hand side, i.e. unit integrated system and verifications at complete vehicle level,
- The final step involves validating whether the initial safety goals have been achieved.
These procedures help create a typical product development lifecycle for functional safety products. Subsequent processes such as production, operation, and obsolescence have formed a comprehensive iteration.
Safety standard ISO 21434 also introduces a cybersecurity lifecycle, as depicted in Figure 4, which is similar to the functional safety lifecycle. Starting from the CySec goals, it proposes the CySec concepts and then designs for components, followed by iterated lifecycle for production, operation, and obsolescence. Finally, the ultimate goals for CySec have been achieved. To be more specific, the general processes begin with the CySec goals-setting, followed by the CySec concepts, and end with the system software and hardware designs. The exact steps might differ due to the different company structures or even objectives. Here we also mention the designs for system components, sub-components, designs from other different levels, and their integration and verifications. The product development cycle of CySec has been constantly updated through iterations, and even with OTA technology, unlimited remote updates, and rapid iterations of the system can be achieved until it finally meets the expected goals.
There are some general descriptions of cross references between different knowledge fields in functional safety and cybersecurity standards. As stated in ISO 26262, these standards require the establishment and maintenance of effective communication channels between functional safety, cybersecurity, and other functional-safety related domains. The standard ISO 21434 also emphasizes that organizations should identify the fields related to or interact with cybersecurity, they should also establish and maintain the communication channels between fields to determine how cybersecurity fits into current processes and achieve synergy in the exchange of information. This synergy includes sharing processes and the implementation of strategic tools across areas. For more details, please refer to the corresponding chapters, and further information can be found in the notes.
Simultaneously, additional information on the synergy between functional safety and cybersecurity is provided in these standards: the correlation between the development process of functional safety and cybersecurity relies on the organization and the scale of projects. Consequently, there is no existing description of the methods, interactions, or technical materials; the organization is free to choose the method that suits its needs.
The synergistic considerations of functional safety and cybersecurity introduce the concept of co-engineering, which indicates how to approach these two primary factors and their related activity processes holistically (Figure 5). For example, what related activities are eligible in a synergistic way and what activities are not? What activities should be separated? How would the parallel activities relate to each other, or interact? A typical example of the communication between different processes is the series of process interactions during the software development phase in product development, and the corresponding mapping of the functional safety lifecycle to the cybersecurity lifecycle.
Co-engineering aligns with the product development phase of the functional safety lifecycle, especially a set of activities within the software product development phase in the cybersecurity lifecycle, which follows the V-shaped model process: from requirements to design, then progressing to the realization of testing and verification across different levels. Functional safety and cybersecurity standards have both mentioned relevant requirements, which are precisely described in sub-chapters of software unit verification and integration. For instance, the 10.4.1 chapter in ISO 21434 standard mentiones the guidelines for refining cybersecurity requirements and architectural design, and chapter 10.4.2 includes guidelines for integration and verification. Correspondingly, as depicted in Figure 6, in functional safety standard these chapters are mapped to the software part in chapter 6.9, addressing the software unit verification.
The software development phase activities in the product development process have been recorded in Figure 7, which illustrates the functional safety lifecycle activities and their corresponding activities in the product development phase of the cybersecurity lifecycle. For example, the refinement of cybersecurity requirements and architectural design corresponds to the product development at the software level phase in the functional safety lifecycle, derives from the detailed software development requirements (with a focus on the software level), software architectural design, implementation, and verification of the software unit, and the software system testing.
Based on the existing input information regarding the item and the operational environment, co-engineering implements verifications at unit and integration levels, and subsequently, the corresponding guidelines of software integration and verification are outputted.
Here we list the objectives for these co-engineering activities at software verification:
- Provide evidence that the SW unit design satisfies the allocated SW requirements as well as the cybersecurity specification and is suitable for implementation
- Verify that the defined safety measures resulting from safety-oriented analyses are properly implemented
- Provide evidence that the implemented SW unit complies with the unit design and fulfils the allocated SW requirements with the required ASIL
- Provide sufficient evidence that the SW unit contains neither undesired functionalities nor undesired properties regarding functional safety and cybersecurity
Here this article emphasizes the coordination in projects including the sharing of processes and usage strategies in the knowledge field. The requirement descriptions for development verification or testing strategies in different standards share similarities. Sharing the tools for development and testing aims to maximize the efficiency in achieving verification goals.
We frequently employ model-based development (MBD) design methods in software development, especially for application-level software design, such as utilizing modeling tools like MATLAB Simulink/Stateflow or TargetLink for functional modeling. As Figure 8 shows, the iterative approaches of MBD adhere to the well-known V-model process. The modeling approaches mainly include the design of the behavior model, functional model and implementation models based on the software requirements, followed by code generation from the model. One advantage of MBD is that subsequent testing and verification on the right-hand side of the V-model can be fronted to the left-hand side. Consequently, code testing can also be fronted and be placed as a model testing process. With the support of the compliant code generation tools, the tests at the code level can be equivalent to model tests in certain circumstances. Testing the software model at early stages enables the identification of pitfalls in the software as soon as possible, guaranteeing the highest degree of software quality safety.
At the same time, the ISO 21434 standard mentions that during the development phase: "For suitable design, modeling or programming languages for cybersecurity that are not addressed by the language itself shall be covered by design, modeling and coding guidelines, or by the development environment." For instance, in the secure code requirements, using MISRA C or CERT C is recommended for secure coding in C programming languages. The cybersecurity-related properties in this area are ensured by corresponding guidelines of design, modeling, and coding, for example, the security of C code is suitable for MISRA C and CERT C standards and safeguarding programming languages.
Besides guidelines applicable to modeling programming languages, such as the use of language sublets, enforcement of strong typing, and the use of defensive implementation techniques, ensure that the programming language complies with the cybersecurity requirements at an early stage of MBD. To elaborate on strong typing, assume we are implementing TargetLink modeling tools for application development to achieve the arithmetic operations on sums and saturated limits (as shown in Figure 9). For all integer arithmetic, the data type of output and the scaling of the intermediate variables must be sufficient to avoid overflow. Integrated within target blocks, in principle, the saturation limit block is utilized to avoid overflow and underflow. This is accomplished by implementing the data type with sufficient bit length for the output and saving intermediate results to avoid saturation constraints in integer arithmetic via the integer overflow option.
Another example is the constraints to floating-point values in encoding rule CERT C, in which the objective representations shall not be used to compare floating-point values. In Figure 10 (bottom left), by using Simulink modeling to compare the equivalence of the comparison operators, a counterexample is seen. When defining the data type as "double" within the "chart" diagram in the Simulink model, it is not permissible to specify the relational determination as an equivalence comparison. The suggested method is to provide the relative errors to ensure they are within the scale of tolerance, as Figure 10 (bottom right) shows.
Whether it is for model or coding rules, there is no need for manual checks to ensure their correct implementation during the development process. Instead, engineers can get efficient help from model checking tools, such as MXAM, to achieve model consistency with specific modeling guidelines. For example, the coding guidelines or rules for modeling mentioned in ISO 26262 or ISO 21434, are now comprehensively covered in the guideline library of MXAM. In addition, the guidelines for functional safety and best practices from top industry players have also been integrated into MXAM to help engineers check and correct their models automatically. MXAM can also provide reports for specific given guidelines and correct the model automatically, which helps ensure the traceability of safety requirements in models and ultimately meet the specific functional requirements of ASIL. The cybersecurity of the coding language is also ensured. Figure 11 illustrates the automated model analysis and correction process in MXAM.
No cybersecurity, no functional safety. The co-engineering of functional safety and cybersecurity requires comprehensive collaboration throughout the lifecycle and systematic considerations. Traditionally, functional safety and cybersecurity belong to distinct fields of study with different professional knowledge. However, for safety at the system level, they are interrelated and should be considered accordingly. Functional safety managers in the automotive industry should also consider it essential to determine the main contractions in the system and prioritize the following measures, then consider the system design and safety measures comprehensively, to ensure maximum system safety.
References
- Serpanos (2019), There Is No Safety Without Security and Dependability, IEEE Computer 52(6), June 2019, pp. 78 – 81.
- Aileen Ryan (2018), There is no safety without security, https://www.tessentembeddedanalytics.com/no-safety-without-security/
- ISO 21434 Road vehicles – Cybersecurity engineering [RQ-10-05]
