Navigating the Intersection of Safety and Security

Automotive IC safety and security continue to be hot topics across the industry, and one phrase you may often hear during discussion is:

An Automotive IC can be secure without needing to be safe, but an Automotive IC cannot be safe without also being secure.

Adding a bit of detail to that: An automotive IC which has an incomplete security architecture provides potential attack vectors which may render the safety architecture ineffective, leading to a violation of a safety goal. Effectively, safety and security are joined at the hip and IC teams must to address both to deliver a safe IP or IC.

Rambus and Siemens EDA embarked on a collaboration, focusing on the delivery of a security IP containing a robust safety architecture protected against random failures. At the culmination of the collaboration, Rambus delivered an ASIL-B certified RT-640 Embedded Hardware security module (HSM).

A quick note on ASIL Ready vs. ASIL Certified

At the heart of the ISO 26262 standard is the term Automotive Safety Integrity Level (ASIL). The standard defines ASIL as:

One of four levels to specify the item’s or element’s necessary ISO 26262 requirements and
safety measures to apply for avoiding an unreasonable risk

Definition of ASIL from ISO 26262-1:2018

ASIL A is considered the lowest and ASIL D is considered the most stringent. Industry often uses the terms ASIL Ready and ASIL Certified as a level reached for the a product being delivered. The difference between the two is often confusing.

For ASIL Ready products, the product must be architected to meet the requirements of an ASIL grade component but doesn’t require an actual hardware implementation. The certification is often based on good faith representations of the certification evidence meeting the ASIL requirements.

For ASIL Certified products, the design must be implemented in hardware, containing all the safety features which prove the device is safe to deploy. This is demonstrated through verification of the safety architecture and delivery of the key safety metrics (SPFM, LFM, PMHF, etc…)

Delivering an ASIL-B certified Embedded HSM

There are many requirements which must be met to achieve ISO 26262 certification. A sampling includes process and governance activities, Verification and Validation and Design for Test to eliminate systematic failures, and implementing a robust safety architecture to protect against random failures. The collaboration between Siemens and Rambus focused on random hardware failures

Bathtub curve showing occurrence of random failures which affect Safety and Security

To protect the RT-640 from random failures, Rambus deployed two Siemens technologies to guide them through this process.

Siemens SafetyScope was deployed to analyze the design using structural analysis engines to provide early estimation of the safety metrics and robustness of the safety architecture. This analysis enabled Rambus engineers to identify which safety critical blocks have coverage, and where coverage gaps exist, guiding the team to the optimal safety architecture.

After implementation of the safety features, Rambus deployed Siemens KaleidoScope concurrent fault simulator to inject faults into the design and prove the effectiveness of the implemented safety architecture. The closed loop flow from early cycle estimation to validated metrics provides a single iteration workflow resulting in an efficient execution of the safety lifecycle and delivery of the safety case.

The results obtained from the tools were sent to TÜV-SGS for certification.

Where to learn more

If you are interested in learning more about the intersection of safety and security, techniques used to address safety and security holistically, and the collaboration between Rambus and Siemens, please read the white paper: “Navigating the Intersection of Safety and Security.” This paper can also be found on Rambus.com.

For more information on the Siemens Functional Safety Platform and solutions, please refer to the Functional Safety page on Siemens.com.

Conclusion

At the heart of a robust security architecture is IP implementing state-of-the-art anti-tamper and security functions protecting both hardware and software. To remain functional, this IP must implement sufficient safety features to protect against random failures. Rambus, leveraging Siemens safety tools, delivered an ASIL certified embedded hardware security module. The ASIL certification saves customers time and effort and also provides the assurance the IP has already met ISO 26262 requirements.

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/verificationhorizons/2022/03/11/navigating-the-intersection-of-safety-and-security/