Abstract: As more parts of the power grid become connected to the internet, the risk of cyberattacks increases. To identify the cybersecurity threats and subsequently reduce vulnerabilities, the common practice is to carry out a cybersecurity risk assessment. For safety classified systems and products, there is also a need for safety risk assessments in addition to the cybersecurity risk assessment to identify and reduce safety risks. These two risk assessments are usually done separately, but since cybersecurity and functional safety are often related, a more comprehensive method covering both aspects is needed. Some work addressing this has been done for specific domains like the automotive domain, but more general methods suitable for, e.g., Intelligent Distributed Grids, are still missing. One such method from the automotive domain is the Security-Aware Hazard Analysis and Risk Assessment (SAHARA) method that combines safety and cybersecurity risk assessments. This paper presents an approach where the SAHARA method has been modified to be more suitable for larger distributed systems. The adapted SAHARA method has a more general risk assessment approach than the original SAHARA. The proposed method has been successfully applied on two use cases of an intelligent distributed grid.
Abstract: The choice of applicable analysis methods in safety or systems engineering depends on the depth of knowledge about a system, and on the respective lifecycle phase. However, the analysis method chain still shows gaps as it should support system analysis during the lifecycle of a system from a rough concept in pre-project phase until end-of-life. This paper’s goal is to discuss an analysis method, the VISSE Shell Model Analysis (VISMA) method, which aims at closing the gap in the early system lifecycle phases, like the conceptual or pre-project phase, or the project start phase. It was originally developed to aid in the definition of the system boundary of electronic system parts, like e.g. a control unit for a pump motor. Furthermore, it can be also applied to non-electronic system parts. The VISMA method is a graphical sketch-like method that stratifies a system and its parts in inner and outer shells, like the layers of an onion. It analyses a system in a two-step approach, from the innermost to the outermost components followed by the reverse direction. To ensure a complete view of a system and its environment, the VISMA should be performed by (multifunctional) development teams. To introduce the method, a set of rules and guidelines has been defined in order to enable a proper shell build-up. In the first step, the innermost system, named system under consideration (SUC), is selected, which is the focus of the subsequent analysis. Then, its directly adjacent components, responsible for providing input to and receiving output from the SUC, are identified. These components are the content of the first shell around the SUC. Next, the input and output components to the components in the first shell are identified and form the second shell around the first one. Continuing this way, shell by shell is added with its respective parts until the border of the complete system (external border) is reached. Last, two external shells are added to complete the system view, the environment and the use case shell. This system view is also stored for future use. In the second step, the shells are examined in the reverse direction (outside to inside) in order to remove superfluous components or subsystems. Input chains to the SUC, as well as output chains from the SUC are described graphically via arrows, to highlight functional chains through the system. As a result, this method offers a clear and graphical description and overview of a system, its main parts and environment; however, the focus still remains on a specific SUC. It helps to identify the interfaces and interfacing components of the SUC, as well as important external interfaces of the overall system. It supports the identification of the first internal and external hazard causes and causal chains. Additionally, the method promotes a holistic picture and cross-functional understanding of a system, its contributing parts, internal relationships and possible dangers within a multidisciplinary development team.
Abstract: This paper suggests a design methodology for the hardware and software of the electronic control unit (ECU) of safety-critical vehicle applications such as braking and steering. The architecture of the hardware is a high integrity system such thatit incorporates a high performance 32-bit CPU and a separate peripheral controlprocessor (PCP) together with an external watchdog CPU. Communication between the main CPU and the PCP is executed via a common area of RAM and events on either processor which are invoked by interrupts. Safety-related software is also implemented to provide a reliable, self-testing computing environment for safety critical and high integrity applications. The validity of the design approach is shown by using the hardware-in-the-loop simulation (HILS)for electric power steering(EPS) systemswhich consists of the EPS mechanism, the designed ECU, and monitoring tools.
Abstract: Safety instrumented systems (SISs) are becoming
increasingly complex and the proportion of programmable electronic
parts is growing. The IEC 61508 global standard was established to
ensure the functional safety of SISs, but it was expressed in highly
macroscopic terms. This study introduces an evaluation process for
hardware safety integrity levels through failure modes, effects, and
diagnostic analysis (FMEDA).FMEDA is widely used to evaluate
safety levels, and it provides the information on failure rates and
failure mode distributions necessary to calculate a diagnostic coverage
factor for a given component. In our evaluation process, the
components of the SIS subsystem are first defined in terms of failure
modes and effects. Then, the failure rate and failure mechanism
distribution are assigned to each component. The safety mode and
detectability of each failure mode are determined for each component.
Finally, the hardware safety integrity level is evaluated based on the
calculated results.
Abstract: In this paper, we propose a hardware and software
design method for automotive Electronic Control Units (ECU)
considering the functional safety. The proposed ECU is considered for
the application to Electro-Mechanical Actuator systems and the
validity of the design method is shown by the application to the
Electro-Mechanical Brake (EMB) control system which is used as a
brake actuator in Brake-By-Wire (BBW) systems. The importance of a
functional safety-based design approach to EMB ECU design has been
emphasized because of its safety-critical functions, which are executed
with the aid of many electric actuators, sensors, and application
software. Based on hazard analysis and risk assessment according to
ISO26262, the EMB system should be ASIL-D-compliant, the highest
ASIL level. To this end, an external signature watchdog and an
Infineon 32-bit microcontroller TriCore are used to reduce risks
considering common-cause hardware failure. Moreover, a software
design method is introduced for implementing functional
safety-oriented monitoring functions based on an asymmetric dual
core architecture considering redundancy and diversity. The validity
of the proposed ECU design approach is verified by using the EMB
Hardware-In-the-Loop (HILS) system, which consists of the EMB
assembly, actuator ECU, a host PC, and a few debugging devices.
Furthermore, it is shown that the existing sensor fault tolerant control
system can be used more effectively for mitigating the effects of
hardware and software faults by applying the proposed ECU design
method.