Why make it hard? - Usage of aggregated statistical data for risk assessment of damage scenarios in the context of ISO/SAE 21434

Abstract

ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a standard for cyber security, which has been published since August 2021. The standard covers the concept phase. The concept phase is characterized by the cooperation of various mostly high-level stakeholders from different disciplines, departments and possibly companies. The cooperation takes place mainly in workshops. ISO/SAE 21434 requires a Threat and Risk Assessment (TARA) to be carried out for the concept phase. Within TARA, damage scenarios are to be identified for the vehicle/components to be developed. Furthermore, the effects of these damage scenarios are to be assessed. In this context, ISO/SAE 21434 refers to the risk classification scheme ASIL of ISO 26262, which is established in the automotive industry. For the effective application of these schemes, expert knowledge is necessary on the one hand, and verified data on accident types and accident causes are required on the other hand. Access to this data is often difficult and the data itself is not suitable for direct use in workshops.In this paper we present tools for the assessment of damage scenarios. For this purpose, we use data from the Federal Statistical Office (StBA) with over 2 million registered traffic accidents in Germany per year. We have analyzed the StBA data and evaluated them according to their usefulness for workshops. The result of this work are several concrete ASIL tables which address different types of accidents and causes of accidents. In two workshop with 17 experts from the automotive sector and with experts from product development, we applied the elaborated tables to evaluate different damage scenarios.