SE, SY · Mar 10, 2017

Using STPA in Compliance with ISO 26262 for Developing a Safe Architecture for Fully Automated Vehicles

arXiv:1703.03657v1 · 38 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses safety-analysis challenges faced by functional safety engineers in the automotive industry. It offers an incremental improvement by integrating STPA into the existing ISO 26262 framework rather than replacing it.

The paper tackles the inadequacy of traditional safety-analysis methods such as FTA and FMEA for hazards that arise from dysfunctional component interactions, software failures or human error in fully automated vehicles. It proposes using STPA to extend the safety scope of ISO 26262 and, applied to a Continental project, identifies 24 system-level accidents, 176 hazards, 27 unsafe control actions and 129 unsafe scenarios.

Safety has become of paramount importance in the development lifecycle of modern automotive systems. However, the current automotive safety standard ISO 26262 does not clearly specify the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach was developed called STPA (Systems-Theoretic Process Analysis) which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessment (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system-level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.
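The abstract describes STPA as a control-problem view of safety: hazards are linked to a control structure, each control action is examined against the four STPA guide words to find unsafe control actions (UCAs), and each UCA is inverted into a safety constraint. The following Python sketch is an added illustration of that bookkeeping and is not code from the paper or from Continental; the automated-driving function, the two control actions, the hazards H-1 to H-4 and the UCAs are constructed for the example, and the constraint templates are a plain reading of the guide words, not the paper's wording. It also shows the two consistency checks a practitioner wants from such a model: which (action, guide word) cells have not been analysed, and which hazards no UCA traces to.

```python
"""Minimal STPA bookkeeping: hazards, a control structure, Unsafe Control
Actions (UCAs) from the four STPA guide words, and the safety constraints and
traceability checks derived from them.  Illustrative example; the hazards,
control actions and UCAs below are constructed, not taken from the paper."""
from dataclasses import dataclass
from itertools import product

# The four ways a control action can be unsafe (STPA guide words).
GUIDE_WORDS = (
    "not provided",
    "provided",
    "provided too early, too late, or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class ControlAction:
    controller: str   # who issues the command
    process: str      # the actuator / controlled process it acts on
    name: str         # the command itself


@dataclass(frozen=True)
class UCA:
    uid: str
    action: ControlAction
    guide_word: str
    context: str      # the condition under which the action is unsafe
    hazards: tuple    # hazard IDs this UCA can lead to

    def __post_init__(self):
        if self.guide_word not in GUIDE_WORDS:
            raise ValueError(f"{self.uid}: unknown guide word {self.guide_word!r}")


# Constructed sample hazards for a hypothetical highway automated-driving function.
HAZARDS = {
    "H-1": "Vehicle does not keep a safe distance to the vehicle ahead",
    "H-2": "Vehicle decelerates without cause while following traffic is close",
    "H-3": "Vehicle leaves its lane unintentionally",
    "H-4": "Vehicle exceeds the permitted speed",   # deliberately left without a UCA
}

ADF = "automated driving function"
BRAKE = ControlAction(ADF, "brake actuator", "apply braking")
STEER = ControlAction(ADF, "steering actuator", "steer")
ACTIONS = (BRAKE, STEER)

# Constructed UCAs: one per guide word for braking, one for steering.
UCAS = (
    UCA("UCA-1", BRAKE, GUIDE_WORDS[0], "when the time-to-collision with the lead vehicle is below the threshold", ("H-1",)),
    UCA("UCA-2", BRAKE, GUIDE_WORDS[1], "when no obstacle is ahead and following traffic is close", ("H-2",)),
    UCA("UCA-3", BRAKE, GUIDE_WORDS[2], "later than the required reaction time after a cut-in", ("H-1",)),
    UCA("UCA-4", BRAKE, GUIDE_WORDS[3], "before the vehicle has regained a safe distance", ("H-1",)),
    UCA("UCA-5", STEER, GUIDE_WORDS[0], "when the lane curves and the vehicle approaches the lane boundary", ("H-3",)),
)


def candidate_cells(actions):
    """Every (control action, guide word) pair the analyst has to consider."""
    return [(a, g) for a, g in product(actions, GUIDE_WORDS)]


def uncovered_cells(actions, ucas):
    """Cells with no UCA: either argued safe or not yet analysed."""
    covered = {(u.action, u.guide_word) for u in ucas}
    return [cell for cell in candidate_cells(actions) if cell not in covered]


def hazards_without_uca(hazards, ucas):
    """Hazards that no UCA traces to: a gap in the analysis, not a safe hazard."""
    traced = {h for u in ucas for h in u.hazards}
    return set(hazards) - traced


def unknown_hazards(hazards, ucas):
    """Hazard IDs referenced by a UCA but missing from the hazard list."""
    return {h for u in ucas for h in u.hazards if h not in hazards}


# Template per guide word: the constraint is the negation of the UCA (assumed phrasing).
_TEMPLATES = {
    GUIDE_WORDS[0]: "shall provide '{a}' {ctx}",
    GUIDE_WORDS[1]: "shall not provide '{a}' {ctx}",
    GUIDE_WORDS[2]: "shall not provide '{a}' {ctx}",
    GUIDE_WORDS[3]: "shall not stop providing '{a}' {ctx}",
}


def safety_constraints(ucas):
    """Each UCA inverted into a constraint on its controller, with a hazard trace."""
    out = []
    for i, u in enumerate(ucas, 1):
        body = _TEMPLATES[u.guide_word].format(a=u.action.name, ctx=u.context)
        out.append(f"SC-{i}: The {u.action.controller} {body} [{u.uid} -> {', '.join(u.hazards)}]")
    return out


if __name__ == "__main__":
    for sc in safety_constraints(UCAS):
        print(sc)
    print("untraced hazards:", hazards_without_uca(HAZARDS, UCAS))
    print("unanalysed cells:", [(a.name, g) for a, g in uncovered_cells(ACTIONS, UCAS)])
```

Run stand-alone, the script prints five constraints, reports H-4 as a hazard with no UCA, and lists the three steering cells that were never examined. The point of the two checks is that an STPA table is only as complete as its coverage of the action-by-guide-word grid and its trace to the hazard list; both gaps are easy to lose in a spreadsheet once the counts reach the hundreds the paper reports.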
