
Engineering scenario · Functional Safety

Safety and cybersecurity co-engineering for an ADAS feature

Joint HARA-TARA workshop, decomposition of safety and cybersecurity goals, and a unified evidence trail for an ADAS feature.

An illustrative engineering scenario — the type of cybersecurity engineering workflow Agnile supports.

Problem context

On ADAS features, ISO 26262 functional safety and ISO/SAE 21434 cybersecurity have to land together: a cybersecurity attack that disables a safety mechanism breaks the safety case as much as a hardware fault does. Independent HARA and TARA workshops produce diverging assumptions and disjoint evidence — the fix is a co-engineered programme where the analyses share inputs and outputs.

Engineering approach

  1. Run a joint HARA-TARA workshop that fixes the item definition, operational environment, and external interfaces once, and lets both analyses build on the same model.
  2. Derive Safety Goals (with ASIL) and Cybersecurity Goals from the shared damage / hazardous-event set, marking dependencies where one goal protects the other.
  3. Decompose into Functional Safety Concept and Cybersecurity Concept; allocate controls so that safety mechanisms are not undermined by cybersecurity vulnerabilities.
  4. Co-engineer the technical safety and cybersecurity concepts at HSI, including FMEDA-credited hardware safety mechanisms and HSM-backed control integrity.
  5. Run V&V across MIL/SIL/PIL/HIL with combined safety-and-cybersecurity test cases; capture structural-coverage and robustness evidence in one ASIL-scaled bundle.
  6. Maintain a single safety-and-cybersecurity case that walks claim → evidence across both domains, ready for joint Confirmation Review or assessment.
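The dependency marking in step 2, the control allocation in step 3 and the claim → evidence walk in step 6 can be mechanically checked. The following is an added example (not KAVACH's or Agnile's data model): a constructed set of linked safety and cybersecurity goals, and a check that every cross-domain dependency resolves, every goal carries a control and evidence, and every externally reachable safety mechanism (the hypothetical `exposed` flag) is covered by a cybersecurity goal.

```python
"""Cross-domain traceability check for a joint safety / cybersecurity case.
Constructed illustration; goal ids, flags and evidence ids are invented."""
from dataclasses import dataclass, field


@dataclass
class Goal:
    gid: str
    domain: str                   # "safety" (from HARA) or "cyber" (from TARA)
    text: str
    asil: str = ""                # ASIL A-D for safety goals, empty for cybersecurity goals
    exposed: bool = False         # assumption: mechanism reachable via an external interface
    protects: list = field(default_factory=list)   # ids of goals in the other domain
    controls: list = field(default_factory=list)   # controls allocated from FSC / CSC
    evidence: list = field(default_factory=list)   # V&V evidence ids backing the claim


def check_case(goals):
    """Return (goal id, finding) pairs; an empty list means the trace is complete."""
    by_id = {g.gid: g for g in goals}
    covered = {dep for g in goals for dep in g.protects}
    findings = []
    for g in goals:
        for dep in g.protects:
            if dep not in by_id:
                findings.append((g.gid, f"protects unknown goal {dep}"))
            elif by_id[dep].domain == g.domain:
                findings.append((g.gid, f"dependency on {dep} does not cross domains"))
        if not g.controls:
            findings.append((g.gid, "no control allocated"))
        if not g.evidence:
            findings.append((g.gid, "claim has no evidence"))
        # An attack that disables a reachable safety mechanism breaks the safety case,
        # so such a mechanism must be protected by at least one cybersecurity goal.
        if g.domain == "safety" and g.exposed and g.gid not in covered:
            findings.append((g.gid, "exposed safety mechanism not covered by any cybersecurity goal"))
    return findings


# Constructed sample: one complete pair, one uncovered safety goal, one dangling cyber goal.
SAMPLE_GOALS = [
    Goal("SG-1", "safety", "Avoid unintended AEB activation", asil="C", exposed=True,
         controls=["FMEDA-credited plausibility check on brake request"],
         evidence=["HIL-TC-17", "FMEDA-v3"]),
    Goal("SG-2", "safety", "Maintain ACC set-speed limit", asil="B", exposed=True,
         controls=["Range check on received set-speed"], evidence=["SIL-TC-04"]),
    Goal("CSG-1", "cyber", "Brake request calibration is authentic", protects=["SG-1"],
         controls=["HSM-backed signature on calibration blob"], evidence=["PIL-TC-09"]),
    Goal("CSG-2", "cyber", "Diagnostic session cannot alter ADAS calibration",
         protects=["SG-9"], controls=["Secure diagnostic access"]),
]

if __name__ == "__main__":
    for gid, finding in check_case(SAMPLE_GOALS):
        print(f"{gid}: {finding}")
```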

Outputs / evidence

  • Item definition shared by HARA and TARA
  • Joint HARA + TARA report with linked safety / cybersecurity goals
  • Functional Safety Concept and Cybersecurity Concept with explicit dependencies
  • FMEDA + HSM-backed control rationale on production silicon
  • Combined V&V plan with shared test cases at MIL/SIL/PIL/HIL
  • Unified safety-and-cybersecurity case for assessment

Standards touched

  • ISO 26262 (Parts 3, 4, 5, 6)
  • ISO/SAE 21434 (Clauses 9–11)
  • ISO 21448 (SOTIF — where intended-functionality limits are in scope)

Where KAVACH helps

KAVACH carries the cybersecurity side of the joint workspace — TARA, attack paths, controls, evidence — and links to the safety analyses so the dependencies between safety and cybersecurity goals stay visible to both teams.

Next step

Discuss this scenario for your programme

If a similar workflow fits your architecture, scope, or standards, we can scope an engagement against your specifics.