Michael D. Wagner,P. Koopman

DOI: https://doi.org/10.1109/MITS.2016.2583491

IF: 5.293

2017-01-18

IEEE Intelligent Transportation Systems Magazine

Abstract:Ensuring the safety of fully autonomous vehicles requires a multi-disciplinary approach across all the levels of functional hierarchy, from hardware fault tolerance, to resilient machine learning, to cooperating with humans driving conventional vehicles, to validating systems for operation in highly unstructured environments, to appropriate regulatory approaches. Significant open technical challenges include validating inductive learning in the face of novel environmental inputs and achieving the very high levels of dependability required for full-scale fleet deployment. However, the biggest challenge may be in creating an end-to-end design and deployment process that integrates the safety concerns of a myriad of technical specialties into a unified approach.

Engineering,Environmental Science,Computer Science

Georg Schildbach

DOI: https://doi.org/10.48550/arXiv.1804.04349

2018-04-12

Systems and Control

Abstract:Research on automated vehicles has experienced an explosive growth over the past decade. A main obstacle to their practical realization, however, is a convincing safety concept. This question becomes ever more important as more sophisticated algorithms are used and the vehicle automation level increases. The field of functional safety offers a systematic approach to identify possible sources of risk and to improve the safety of a vehicle. It is based on practical experience across the aerospace, process and other industries over multiple decades. This experience is compiled in the functional safety standard for the automotive domain, ISO 26262, which is widely adopted throughout the automotive industry. However, its applicability and relevance for highly automated vehicles is subject to a controversial debate. This paper takes a critical look at the discussion and summarizes the main steps of ISO 26262 for a safe control design for automated vehicles.

Thomas Drage,Kai Li Lim,Joey En Hai Koh,David Gregory,Craig Brogle,Thomas Bräunl,Thomas Braunl

DOI: https://doi.org/10.1109/iv48863.2021.9575662

2021-07-11

Abstract:This paper presents an approach to specifying a modularised safety system which comprehensively addresses the safety requirements for highly autonomous (SAE Level 3+) road vehicles featuring advanced sensing and automated navigation. As these requirements are often overlooked in similar autonomous driving system proposals, we present a method of hazard and risk analysis which investigates hardware failures, environmental perception limitations, human interaction and functional requirements for artificial intelligence. We then define a system design which implements the required safeguards and examines the application on two electric autonomous vehicle testbeds: a race car and a shuttle bus. The close-coupling of a safety-oriented architecture and multi-regime Hazard and Risk Assessment process was tested to measure the system's ability to detect and react to pedestrian stimuli, resulting in accurate detections and reactions, thereby confirming its ability to design safety systems for autonomous research vehicles in a scalable and easily assured fashion.

Robert Trypuz,Piotr Kulicki,Mirek Sopek

DOI: https://doi.org/10.3233/sw-243578

2024-04-24

Semantic Web

Abstract:Autonomous driving is a recently developed area in which technology seems to be ahead of its understanding within society. That causes some fears concerning the reliability of autonomous vehicles and controversies over liability in case of accidents. Specifying levels of driving autonomy within the SAE-J3016 standard is widely recognized as a significant step towards comprehending the essence of the achievements. However, the standard provides even more valuable insights into the process of driving automation. In the paper, we develop the ideas using the methods of formal ontology that allow us to make the conceptual system more precise and formalize it. To increase inseparability, we ground our system on a top-level BFO ontology. We present a formal account of several areas covered by the SAE-J3016 standard, including motor vehicles and their systems, driving tasks and subtasks, roles of persons in road communication, and autonomy levels.

computer science, information systems, artificial intelligence, theory & methods

Akwasi Adu-Kyere,Ethiopia Nigussie,Jouni Isoaho

DOI: https://doi.org/10.3390/s23218817

2023-10-30

Abstract:The inherent dynamism of recent technological advancements in intelligent vehicles has seen multitudes of noteworthy security concerns regarding interactions and data. As future mobility embraces the concept of vehicles-to-everything, it exacerbates security complexities and challenges concerning dynamism, adaptiveness, and self-awareness. It calls for a transition from security measures relying on static approaches and implementations. Therefore, to address this transition, this work proposes a hierarchical self-aware security architecture that effectively establishes accountability at the system level and further illustrates why such a proposed security architecture is relevant to intelligent vehicles. The article provides (1) a comprehensive understanding of the self-aware security concept, with emphasis on its hierarchical security architecture that enables system-level accountability, and (2) a deep dive into each layer supported by algorithms and a security-specific in-vehicle black box with external virtual security operation center (VSOC) interactions. In contrast to the present in-vehicle security measures, this architecture introduces characteristics and properties that enact self-awareness through system-level accountability. It implements hierarchical layers that enable real-time monitoring, analysis, decision-making, and in-vehicle and remote site integration regarding security-related decisions and activities.

Yufeng Li,Wenqi Liu,Qi Liu,Xiangyu Zheng,Ke Sun,Chengjian Huang

DOI: https://doi.org/10.3390/s24061848

IF: 3.9

2024-03-14

Sensors

Abstract:A cyber-physical system (CPS) integrates communication and automation technologies into the operational processes of physical systems. Nowadays, as a complex CPS, an intelligent connected vehicle (ICV) may be exposed to accidental functional failures and malicious attacks. Therefore, ensuring the ICV's safety and security is crucial. Traditional safety/security analysis methods, such as failure mode and effect analysis and attack tree analysis, cannot provide a comprehensive analysis for the interactions between the system components of the ICV. In this work, we merge system-theoretic process analysis (STPA) with the concept phase of ISO 26262 and ISO/SAE 21434. We focus on the interactions between components while analyzing the safety and security of ICVs to reduce redundant efforts and inconsistencies in determining safety and security requirements. To conquer STPA's abstraction in describing causal scenarios, we improved the physical component diagram of STPA-SafeSec by adding interface elements. In addition, we proposed the loss scenario tree to describe specific scenarios that lead to unsafe/unsecure control actions. After hazard/threat analysis, a unified risk assessment process is proposed to ensure consistency in assessment criteria and to streamline the process. A case study is implemented on the autonomous emergency braking system to demonstrate the validation of the proposed method.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yi Liu,Xuezhu Yang,Muxi Li,Miao Wu,Chengrui Sun,Shiying Zhou

DOI: https://doi.org/10.2991/978-94-6463-108-1_16

2022-01-01

Abstract:Recently, as research on autonomous driving technology progresses, the supply of vehicles having various autonomous driving functions is increasing, and autonomous vehicles represented by V2V (Vehicle to Vehicle) and V2X (Vehicle to Everything) are emerging.For the era of autonomous driving, connectivity between vehicles and vehicles, vehicles and the surrounding environment is required based on information and communication technologies such as LTE, 5G, and WiFi.Advances in autonomous driving technology also face new challenges, with security emerging as a top concern as it can become a prime target for cyberattacks as the vehicle's external networks and connections increase.Therefore, it is necessary to derive the defense requirements in software to respond to such malicious attacks, and it is necessary to apply the verified security coding standard during software development.Recently, the ISO/SAE 21434 international standard replacing SAE J3061 has been established and published in relation to cyber security.In this paper, we propose criteria for cybersecurity and risk assessment methods.In addition, a case study confirms the suitability of the risk level determination according to the proposed evaluation factors and criteria.

Cong Gao,Geng Wang,Weisong Shi,Zhongmin Wang,Yanping Chen

DOI: https://doi.org/10.1109/jiot.2021.3130054

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The autonomous driving industry has mushroomed over the past decade. Although autonomous driving has undoubtedly become one of the most promising technologies of this century, its development faces multiple challenges, of which security is the major concern. In this article, we present a thorough analysis of autonomous driving security. First, the attack surface of autonomous driving is presented. After an analysis of the operation of autonomous driving in terms of key components and technologies, the security of autonomous driving is elaborated in four dimensions: 1) sensors; 2) operating system; 3) control system; and 4) vehicle-to-everything (V2X) communication. Sensor security is examined from five components, which are mainly responsible for self-positioning and environmental perception. The analysis of operating system security, the second dimension, is concentrated on the robot operating system. Concerning the control system security, the controller area network is approached mainly from vulnerabilities and protection measures. The fourth dimension, V2X communication security, is probed from four categories of attacks: 1) authenticity/identification; 2) availability; 3) data integrity; and 4) confidentiality with corresponding solutions. Moreover, the drawbacks of existing methods adopted in the four dimensions are also provided. Finally, a conceptual multilayer defense framework is proposed to secure the information flow from external communication to the physical autonomous vehicle.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sergej Japs,Harald Anacker

DOI: https://doi.org/10.1017/pds.2021.517

2021-07-27

Proceedings of the Design Society

Abstract:Abstract Cyber-physical systems (CPS), like autonomous vehicles, are intelligent and networked. The development of such systems and its components requires interdisciplinary cooperation between different stakeholders. A lack of system understanding between stakeholders can lead to unidentified and unresolved security threats & safety hazards in early engineering phases, resulting in high costs in product development and potentially compromises compliance with the safety of CPS. Model-based systems engineering (MBSE) improves the system understanding between stakeholders by using models. However, MBSE approaches only partially address security threats & safety hazards. In particular, their integrative consideration is not taken into account. Established security & safety approaches are either only applicable to specific disciplines or only partially consider security threats & safety hazards. In the context of this paper we present a method for the resolution of safety relevant security threats in the system architecture design phase using design patterns. We illustrate our approach with the example of the automotive sector. Finally, we present an evaluation of the method, based on an 8 week project with 67 master students.

Patrick Wolf

2024-03-28

Abstract:Autonomous driving vehicles provide a vast potential for realizing use cases in the on-road and off-road domains. Consequently, remarkable solutions exist to autonomous systems' environmental perception and control. Nevertheless, proof of safety remains an open challenge preventing such machinery from being introduced to markets and deployed in real world. Traditional approaches for safety assurance of autonomously driving vehicles often lead to underperformance due to conservative safety assumptions that cannot handle the overall complexity. Besides, the more sophisticated safety systems rely on the vehicle's perception systems. However, perception is often unreliable due to uncertainties resulting from disturbances or the lack of context incorporation for data interpretation. Accordingly, this paper illustrates the potential of a modular, self-adaptive autonomy framework with integrated dynamic risk management to overcome the abovementioned drawbacks.

Robotics

Nadja Marko,Eike Möhlmann,Dejan Ničković,Jürgen Niehaus,Peter Priller,Martijn Rooker

DOI: https://doi.org/10.48550/arXiv.2103.03544

2021-03-11

Abstract:After more than a decade of intense focus on automated vehicles, we are still facing huge challenges for the vision of fully autonomous driving to become a reality. The same "disillusionment" is true in many other domains, in which autonomous Cyber-Physical Systems (CPS) could considerably help to overcome societal challenges and be highly beneficial to society and individuals. Taking the automotive domain, i.e. highly automated vehicles (HAV), as an example, this paper sets out to summarize the major challenges that are still to overcome for achieving safe, secure, reliable and trustworthy highly automated resp. autonomous CPS. We constrain ourselves to technical challenges, acknowledging the importance of (legal) regulations, certification, standardization, ethics, and societal acceptance, to name but a few, without delving deeper into them as this is beyond the scope of this paper. Four challenges have been identified as being the main obstacles to realizing HAV: Realization of continuous, post-deployment systems improvement, handling of uncertainties and incomplete information, verification of HAV with machine learning components, and prediction. Each of these challenges is described in detail, including sub-challenges and, where appropriate, possible approaches to overcome them. By working together in a common effort between industry and academy and focusing on these challenges, the authors hope to contribute to overcome the "disillusionment" for realizing HAV.

Artificial Intelligence,Computers and Society

Marius Bozga,Joseph Sifakis

2024-05-20

Abstract:Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. Currently, there is an increasing interest in hybrid design solutions, integrating machine learning components, when necessary, while using model-based components for goal management and planning. We study a method for building safe by design autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result considering that autopilots are dynamic systems receiving a small number of types of vistas as input, each vista defining a free space in its neighborhood. It is shown that safe driving for each type of vista in the corresponding free space, implies safe driving for any possible scenario under some easy-to-check conditions concerning the transition between vistas. The designed autopilot comprises distinct control policies one per type of vista, articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. The autopilots designed use for their predictions simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for hybrid solutions that incorporate mathematically elegant and robust decision methods that are safe by design.

Multiagent Systems

Barbara J. Czerny

DOI: https://doi.org/10.4271/2013-01-1419

2013-04-08

Abstract:Today's vehicles contain a number of safety-critical systems designed to help improve overall vehicle safety. Such systems may control vital vehicle functions such as steering, braking and/or propulsion independently of the driver. In today's vehicles, much emphasis has been placed on helping ensure that these safety-critical vehicle systems operate as intended. Applying rigorous system safety engineering principles in developing these safety-critical automotive systems helps ensure that they operate as desired and expected. Less emphasis has been placed to-date on helping ensure cybersecurity of cyber-physical automotive systems. However, this is changing as both the world and the automotive industry become more aware of the potential ramifications of cyber-attacks on vehicles. As with system safety, applying a rigorous system security engineering process to the development of cyber-physical automotive systems is beneficial and will help reduce the likelihood of successful attacks on vehicles. System security and system safety interact with one another and cannot be considered in isolation. However, there are also differences between system security and system safety that require unique engineering activities to be performed to address these unique aspects. This paper describes some of the differences and similarities between system security and system safety, between safety-critical systems and security-critical systems, and between system safety and system security engineering, and presents a system security engineering process for applying to cyber-physical automotive systems that is based on the ISO 26262 process framework.

Vivek Nigam,Alexander Pretschner,Harald Ruess

DOI: https://doi.org/10.48550/arXiv.1810.04866

2018-10-11

Logic in Computer Science

Abstract:By exploiting the increasing surface attack of systems, cyber-attacks can cause catastrophic events, such as, remotely disable safety mechanisms. This means that in order to avoid hazards, safety and security need to be integrated, exchanging information, such as, key hazards/threats, risk evaluations, mechanisms used. This white paper describes some steps towards this integration by using models. We start by identifying some key technical challenges. Then we demonstrate how models, such as Goal Structured Notation (GSN) for safety and Attack Defense Trees (ADT) for security, can address these challenges. In particular, (1) we demonstrate how to extract in an automated fashion security relevant information from safety assessments by translating GSN-Models into ADTs; (2) We show how security results can impact the confidence of safety assessments; (3) We propose a collaborative development process where safety and security assessments are built by incrementally taking into account safety and security analysis; (4) We describe how to carry out trade-off analysis in an automated fashion, such as identifying when safety and security arguments contradict each other and how to solve such contradictions. We conclude pointing out that these are the first steps towards a wide range of techniques to support Safety and Security Engineering. As a white paper, we avoid being too technical, preferring to illustrate features by using examples and thus being more accessible.

Christian Wolschke,Behrooz Sangchoolie,Jacob Simon,Stefan Marksteiner,Tobias Braun,Hayk Hamazaryan

DOI: https://doi.org/10.1109/DSN-W52860.2021.00016

2021-06-25

Abstract:Increasing communication and self-driving capabilities for road vehicles lead to threats imposed by attackers. Especially attacks leading to safety violations have to be identified to address them by appropriate measures. The impact of an attack depends on the threat exploited, potential countermeasures and the traffic situation. In order to identify such attacks and to use them for testing, we propose the systematic approach SaSeVAL for deriving attacks of autonomous vehicles. SaSeVAL is based on threats identification and safety-security analysis. The impact of automotive use cases to attacks is considered. The threat identification considers the attack interface of vehicles and classifies threat scenarios according to threat types, which are then mapped to attack types. The safety-security analysis identifies the necessary requirements which have to be tested based on the architecture of the system under test. lt determines which safety impact a security violation may have, and in which traffic situations the highest impact is expected. Finally, the results of threat identification and safety-security analysis are used to describe attacks. The goal of SaSeVAL is to achieve safety validation of the vehicle w.r.t. security concerns. lt traces safety goals to threats and to attacks explicitly. Hence, the coverage of safety concerns by security testing is assured. Two use cases of vehicle communication and autonomous driving are investigated to prove the applicability of the approach.

Cryptography and Security

Philip Koopman,William Widen

2024-08-13

Abstract:Existing definitions and associated conceptual frameworks for computer-based system safety should be revisited in light of real-world experiences from deploying autonomous vehicles. Current terminology used by industry safety standards emphasizes mitigation of risk from specifically identified hazards, and carries assumptions based on human-supervised vehicle operation. Operation without a human driver dramatically increases the scope of safety concerns, especially due to operation in an open world environment, a requirement to self-enforce operational limits, participation in an ad hoc sociotechnical system of systems, and a requirement to conform to both legal and ethical constraints. Existing standards and terminology only partially address these new challenges. We propose updated definitions for core system safety concepts that encompass these additional considerations as a starting point for evolving safe-ty approaches to address these additional safety challenges. These results might additionally inform framing safety terminology for other autonomous system applications.

Robotics,Artificial Intelligence

Romain Cuer,Laurent Piétrac,Eric Niel,Saidou Diallo,Nicoleta Minoiu-Enache,Christophe Dang-Van-Nhan

DOI: https://doi.org/10.1016/j.ress.2018.01.014

2018-06-01

Abstract:The autonomous vehicle is meant to drive by itself, without any driver intervention (for the levels 4 and 5 of automated driving, according to the National Highway Traffic Safety Administration(NHTSA)). This car includes a new function, called Autonomous Driving (AD) function, in charge of driving the vehicle when it is authorized. This function may be in different states (basically active or inactive), that shall be managed by a sub-function, named supervision. The main focus of this work is to ensure that the supervision of a function, performed by a safety critical embedded automotive control system (controlled systems are not considered), respects functional and safety requirements. Usually two processes are involved in the system design: the systems engineering process and the safety one. The first process defines the functional requirements on the function while the safety one specifies redundant sub-functions (realizing together the function) allowing to ensure a continuous service under failure. Since two different aspects of the system are specified, it is a major challenge to make all requirements consistent, from the outset of the design process. In this paper, a method is precisely proposed to address this issue. A progressive reinforcement of the treated requirements is achieved by means of formal state models. In fact, the proposed approach permits to build state models from requirements initially expressed in natural language. Potential ambiguities, incompletenesses or undertones in requirements are in this way gradually deleted. The enrichment of conventional formal verification of control properties with safety requirements constitutes the main originality of the deployed method and contributes to solve inconsistencies between functional and safety verification processes. In addition, the application of the method to the design of AD function supervision highlights its efficiency in an industrial context.

engineering, industrial,operations research & management science

Enrico Del Re,Amirhesam Aghanouri,Cristina Olaverri-Monreal

2024-08-19

Abstract:As autonomous vehicle technology advances, the precise assessment of safety in complex traffic scenarios becomes crucial, especially in mixed-vehicle environments where human perception of safety must be taken into account. This paper presents a framework designed for assessing traffic safety in multi-vehicle situations, facilitating the simultaneous utilization of diverse objective safety metrics. Additionally, it allows the integration of subjective perception of safety by adjusting model parameters. The framework was applied to evaluate various model configurations in car-following scenarios on a highway, utilizing naturalistic driving datasets. The evaluation of the model showed an outstanding performance, particularly when integrating multiple objective safety measures. Furthermore, the performance was significantly enhanced when considering all surrounding vehicles.

Robotics

Qi Li,Jinxin Zuo,Ruohan Cao,Yibo Zhang,Jianrui Chen,Qiang Liu,Jingjing Wang

DOI: https://doi.org/10.1109/mnet.2023.3333545

IF: 10.294

2023-01-01

IEEE Network

Abstract:With the rapid development of intelligent connected vehicles (ICVs), their intelligent, remote, and high-speed mobility characteristics have led to an expansion of their attack surface, and thus an increase in security requirements. Consequently, security research for ICVs has become a current research focus. However, existing security risk monitoring measures lack linkage with attack behavior, and security defense strategies cannot fully and promptly respond to security risk levels and system vulnerabilities. Therefore, this paper proposes a security evaluation framework for ICVs based on attack chains. The framework focuses on the mechanism and steps of attack generation, evaluates the current risk level and degree of harm in a targeted manner, and maps appropriate security management measures according to the degree of harm. This security evaluation model integrates various defense mechanisms and resolves the mismatch between existing ICV security defense measures and security situations. The effectiveness of this model has been validated through experiments, and potential research directions in the future are discussed and analyzed.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Kaj Hänninen,Hans Hansson,Henrik Thane,Mehrdad Saadatmand

DOI: https://doi.org/10.48550/arXiv.1808.10308

2018-08-30

Software Engineering

Abstract:In the early 90s, researchers began to focus on security as an important property to address in combination with safety. Over the years, researchers have proposed approaches to harmonize activities within the safety and security disciplines. Despite the academic efforts to identify interdependencies and to propose combined approaches for safety and security, there is still a lack of integration between safety and security practices in the industrial context, as they have separate standards and independent processes often addressed and assessed by different organizational teams and authorities. Specifically, security concerns are generally not covered in any detail in safety standards potentially resulting in successfully safety-certified systems that still are open for security threats from e.g., malicious intents from internal and external personnel and hackers that may jeopardize safety. In recent years security has again received an increasing attention of being an important issue also in safety assurance, as the open interconnected nature of emerging systems makes them susceptible to security threats at a much higher degree than existing more confined products.This article presents initial ideas on how to extend safety work to include aspects of security during the context establishment and initial risk assessment procedures. The ambition of our proposal is to improve safety and increase efficiency and effectiveness of the safety work within the frames of the current safety standards, i.e., raised security awareness in compliance with the current safety standards. We believe that our proposal is useful to raise the security awareness in industrial contexts, although it is not a complete harmonization of safety and security disciplines, as it merely provides applicable guidance to increase security awareness in a safety context.