As vehicle architectures and services become ever more software-based, OEMs must ensure that their software-driven vehicles (SDVs) meet and comply with new and evolving standards and regulations designed to enhance quality, safety and security.
When it comes to establishing a baseline for compliance and continuous improvement in automotive software and systems engineering, one standard stands out: Automotive SPICE® (Software Process Improvement and Capability Determination).
The new version of ASPICE (4.0) is in draft and will be closed in September 2023, with training and transition expected to take place in 2025. As an ASPICE Level 2-compliant cyber security software company, we’d like to share our unique viewpoint on ASPICE 4.0, how it relates to cyber security processes, and how the new version is likely to impact OEMs, suppliers and ASPICE assessors going forward.
What is Automotive SPICE?
Issued by the German VDA, Automotive SPICE (aka ASPICE) defines processes, practices, and an evaluation methodology to guide, measure and assess the quality of development processes for automotive software suppliers. Today, ASPICE assessments are widely used as part of joint project work between manufacturers and suppliers, covering system requirements analysis, system architectural design, software requirements analysis, project management, and other topics. The ASPICE process assessment model consists of six capability levels that reflect the maturity of a process.
What’s Different in ASPICE 4.0?
The main change in ASPICE 4.0 vis-à-vis ASPICE 3.1 (the current version) is the reduction of the VDA scope. The VDA scope refers to the mandatory requirements within the complete ASPICE standard that a software development process must fulfill. The motivation behind this change is to decrease the number of work products to allow for fast development processes.
In addition, reducing the assessment complexity will make it easier to compare the assessment results of projects/companies in a transparent, measurable, and objective way.
The change in scope relates to the following types of processes:
- Basic Parts – Quality, Project management, Configuration management, Problem resolution, Change request
- Domain-specific parts – System engineering processes, Software engineering processes, Hardware engineering processes, Machine Learning processes
- Flex Parts – Risk management, Measurements, Management of Reuse Products, Process Improvement, Product Release, Stakeholder Requirements Elicitation, Validation, Supplier Monitoring
In ASPICE 4.0, the scope of the mandatory VDA assessment will be reduced to include the Basic Parts and at least one of the domain-specific parts. Some OEMs may also ask for an additional flexible part depending on their specific business needs.
The strategy for each process (i.e., how the company works, process goals, owners, tools used, etc.) must be documented. This is a time-consuming activity and typically encompasses dozens of documents. In ASPICE 4.0, the strategy has been removed from Level 1 and moved to Level 2. This change will likely make it easier to achieve Level 1 certification, as preparing strategy documentation has become a barrier for many companies. The change is not in the requirement itself, but rather the level at which the assessor will look for the evidence.
The number of base practices was reduced, although in our opinion this will not affect the amount of required work products because in many cases the new version combines two base practices into one. For example, in ASPICE 3.1 there was one base practice for traceability and another for consistency. In 4.0, the base practice will be to track traceability and consistency. This reduces the number of practices, but it doesn’t actually reduce the work.
In ASPICE 4.0, the way assessors are certified is different, and new process areas were added. This will require more expertise and knowledge from the assessors, as well as additional training and exams. In order to deliver the necessary expertise, the assessment team will probably need to be enlarged.
In a nutshell, the main impact of ASPICE 4.0 will not be on how companies develop software, but rather on how the assessors are going to work. The cost of these assessments for Tier 1 suppliers and other software companies is likely to increase.
ASPICE for Cybersecurity
In February 2022, the VDA formally expanded the scope of ASPICE with its cybersecurity extension, as defined in a process reference and assessment model for cybersecurity engineering (Cybersecurity PAM). Serving as a baseline for OEMs as well as their suppliers, this extension defines new areas for cybersecurity assessment including requirements elicitation, cybersecurity implementation, risk treatment verification, and risk treatment validation.
For OEMs establishing a cyber security strategy, it’s important to understand the differences between the ASPICE cyber security extension, the CSMS, and ISO 21434. Clearly, based on regulatory requirements, performing a CSMS audit at the company level is a “must.” However, conducting a CSMS audit per product and implementing the ASPICE cybersecurity extension within the development process are not currently mandatory and are determined by each customer’s specific requirements.
In June 2022, Argus participated in the industry’s first assessment of the ASPICE for Cybersecurity extension. The assessment focused on the Argus Ethernet IDPS product line. Our own experience in implementing ASPICE enables us to provide added value to our customers and partners.
Cyber Security by Design Is Critical for Efficient ASPICE Assessment
In July 2024, all new or existing vehicle types will be subject to UNR 155 type approval for cyber security. To meet these type approval requirements, manufacturers are incorporating cyber resilience into their vehicle design, development, operation, and maintenance processes.
Moreover, as vehicles become more connected and software-driven, OEMs are realizing that cyber security is no less important than functional safety. From a quality perspective, our experience shows that cyber security shouldn’t be mounted “on top” of functionality. Rather, it should be included as part of the software design process like any other functionality in accordance with the V-model. This is how we work at Argus. For example, when designing our product, we treat each potential cyber security threat as another functional requirement. This is why companies that operate at ASPICE Level 2 find it easier to manage and implement cyber security.
By treating cyber security as part of the system functionality rather than a separate work package, companies can significantly reduce the complexity and time required to conduct the CSMS audit. As such, cyber security should be included within the ASPICE strategy for each process. For example, if you have a strategy document for configuration management, it should also refer to cyber security as part of the existing process.
At the end of the day, all of the strategy documentation must be reviewed by the assessor. By eliminating the duplication of processes and strategies, assessors can manage and conduct the review of strategies more efficiently. For this reason, most assessors want companies to align their ASPICE and cyber security (CSMS) processes by incorporating all relevant functionality for a given process.
Argus Combines ASPICE with Cyber Security Expertise
In the era of software-defined vehicles, OEMs and Tier 1 suppliers realize that quality and cyber security go hand-in-hand. They also understand the inherent need to incorporate software design and cyber security as part of the “V-model” across the automotive ecosystem. Accordingly, many OEMs seek to partner with companies that understand both ASPICE and cyber security.
Based on our extensive experience in helping OEMs and their suppliers in CSMS implementations, Argus is uniquely positioned to help vehicle manufacturers align and streamline their ASPICE and cyber security initiatives. Our unmatched automotive cyber security expertise, as well as a full range of products and services, are trusted by over 90 manufacturers worldwide.