1 Introduction
2 Background
2.1 FMEA
- Severity (B): The severity value is assessed taking the potential failure effect into account. A five-point Likert scale is used, ranking the impact from 1 (no impact) to 5 (catastrophic, i.e., potential crash situation).
- Probability of occurrence (A): To assess the probability of occurrence, the complexity, the potential failure mode, and the cause of a failure have to be taken into account. A five-point Likert scale is used to rank the probability, starting from 1 (very low, 0.01%) to 5 (very high, 50%).
- Detectability (E): The detectability depends on the complexity of the HW/SW component and the potential cause of a failure. A five-point Likert scale is used to rank the detectability, starting from 1 (very low probability (0 to 19%) that current controls will detect the cause) to 5 (very high probability (80 to 100%) that current controls will detect the cause).
- Calculation of risk priority number: RPN is calculated by multiplying the values of severity, probability of occurrence, and detectability. RPN = B × A × E, where B, A, and E denote severity, probability, and detectability as defined above. RPN ranges from 1 to 125.
2.2 STPA
- A control action required is not provided.
- An unsafe (incorrect) control action is provided.
- A control action is provided too early or too late (wrong time or sequence).
- A control action is stopped too early or applied too long.
2.3 Other methods
2.4 Forward collision avoidance system
2.5 Hazard
“A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss).”
3 Related work
4 Case study design
4.1 Research objective
4.2 Research questions
4.3 Research methodology
4.4 Case and unit of analysis
4.5 Data collection procedures
5 Results
5.1 Safety analysis using FMEA
No. | System | Component | Application function | Potential failure mode(s) | Potential cause of failure | Potential failure effect | Severity (B) | Probability (A) | Detectability (E) | RPN | Risk mitigation measures
---|---|---|---|---|---|---|---|---|---|---|---
1 | Part A: collision controller system | Collision probability estimator | Calculation of probability of collision | Erroneous probability estimation | SW defect in calculating the probability or in taking environment constraints into account | Risk of collision with vehicle in front | 4 | 4 | 5 | 80 | Funct. test (strength = 3), code review
2 | Part A: collision controller system | Vehicle and object status | Calculation of speed and position of object | Erroneous calculation of speed of object | Erroneous specification or implementation of state transitions | Risk of collision with vehicle in front | 4 | 4 | 4 | 64 | Funct. test (strength = 3)
3 | Part A: collision controller system | Warning indicator | Man-machine interface | Display of warning fails | SW defect | Operator is not alerted about potential danger | 3 | 3 | 2 | 18 | Funct. test (strength = 2)
4 | Part A: collision controller system | Vehicle sensor complex | Steering of collision controller | Erroneous signaling of sensors | Erroneous architecture or missing services provided by sensors | Operator is not alerted about potential danger | 3 | 4 | 4 | 48 | Funct. test (strength = 3), design review
5 | Part A: collision controller system | Object detection | Object detection by radar or camera | Erroneous radar and camera | SW defect or failure of object detection devices | Operator is not alerted about potential danger | 3 | 3 | 2 | 18 | Funct. test (strength = 3)
6 | Part A: collision controller system | Collision controller interface | Switch over to complementary device | Object recognition device fails | SW defect or failure of communication stack | Operator is not alerted about potential danger | 3 | 3 | 4 | 36 | Funct. test (strength = 3), code review
7 | Part B: brake controller system | Brake controller | Activation of brake system and engine torque controller | Steering of brakes fails | SW defect or failure of communication stack | Auto brake is not activated properly, risk of collision | 4 | 3 | 2 | 24 | Funct. test (strength = 3)
8 | Part B: brake controller system | Brake pressure determination | Calculation of brake pressure | Steering of brakes fails | SW defect in pressure determination | Auto brake is not activated properly, risk of collision | 4 | 3 | 5 | 60 | Funct. test (strength = 3), code review
9 | Part B: brake controller system | Brake system | Switch over from auto brake to manual brake | Activation of manual brake fails | SW defect in handling events or queues | Improper brake activation, potential crash situation | 5 | 4 | 4 | 80 | Funct. test (strength = 3), code review
10 | Part B: brake controller system | Brake system | Switch over from manual brake to auto brake system | Activation of auto brake fails | SW defect in handling events or queues | Improper brake activation, potential crash situation | 5 | 4 | 4 | 80 | Funct. test (strength = 3), code review
11 | Part B: brake controller system | Engine torque controller interface | Deactivation of torque controller | Erroneous torque controller is still active | SW defect or missing services provided by engine torque controller | Operator is not alerted about potential crash situation | 4 | 3 | 3 | 36 | Funct. test (strength = 3), code review
12 | Part B: brake controller system | Collision controller interface | Deactivation of collision controller | Automatic collision avoidance system is still running when it should stop | SW defect in activation or deactivation of collision avoidance system | Operator is not alerted about potential crash situation | 4 | 2 | 3 | 24 | Funct. test (strength = 3), code review
13 | Part C: engine torque controller system | Collision controller interface | Reception of data from collision controller | Vehicle and object status determination fails | Erroneous architecture or missing services provided by components or sensors | Operator is not alerted about potential crash situation | 4 | 3 | 2 | 24 | Funct. test (strength = 2), design review
14 | Part C: engine torque controller system | Brake controller interface | Reception of data from braking system | Brake pressure determination fails | SW defect or missing services provided by interface or sensors | Operator is not alerted about potential crash situation | 4 | 3 | 2 | 24 | Funct. test (strength = 2)
15 | Part C: engine torque controller system | Accelerator position sensor and accelerator | Calculation of acceleration and position | Erroneous interpretation of sensor signals | SW defect in processing of sensor data | Operator is not alerted about potential danger | 3 | 3 | 4 | 36 | Funct. test (strength = 3), code review
16 | Part C: engine torque controller system | Engine ignition system | Steering of engine ignition | Engine ignition is not activated | SW defect in steering of engine ignition | Improper stop of vehicle and potential crash situation | 5 | 2 | 4 | 40 | Funct. test (strength = 3), code review
17 | Part C: engine torque controller system | Transmission | Steering of transmission | Transmission downshifting fails | SW defect or failure of communication stack | Potential crash situation | 5 | 2 | 4 | 40 | Funct. test (strength = 3)
18 | Part C: engine torque controller system | Engine torque controller | Torque reduction | Torque is not reduced | SW defect in state recognition | Operator is not alerted about potential danger | 3 | 2 | 4 | 24 | Funct. test (strength = 3)
19 | Parts A, B, C | Operating system | Communications | Bad performance | SW defect in handling events or queues | Potential crash situation | 5 | 2 | 4 | 40 | Performance test (strength = 3)
20 | Parts A, B, C | SW/HW components | Processing | Frequent restarts of the system | Sporadic SW defects | System is no longer reliable | 4 | 3 | 5 | 60 | Stress test (strength = 3)
21 | Parts A, B, C | Trust boundaries | Protecting system assets | Attacker is pretending to be a measurement device | Encryption problem or security breach | System is unreliable and potentially unsafe | 5 | 1 | 3 | 15 | Security test with attack pattern
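The RPN definition in Section 2.1 and the FMEA table above are exercised by the following Python helper. It is an added example, not code from the paper: it takes the table's B, A and E ratings, recomputes RPN = B × A × E, checks the stated RPN column for arithmetic slips, and orders the rows for review. The review threshold of 40 is an assumed value used only to illustrate prioritisation; the paper states no threshold.

```python
"""FMEA risk priority number (RPN) helper.

Added example, not code from the paper. It encodes the paper's five-point
scales for severity (B), probability of occurrence (A) and detectability (E),
computes RPN = B x A x E and re-checks the RPN stated for each row of the
Section 5.1 FMEA table. Row data are copied from that table; the review
threshold of 40 is an assumed value, not something the paper defines.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # five-point Likert scales used for B, A and E
REVIEW_THRESHOLD = 40         # assumed cut-off for illustration only


def rating_errors(severity, occurrence, detectability):
    """Return a message for every rating that lies outside the 1..5 scale."""
    errors = []
    for name, value in (("severity", severity), ("occurrence", occurrence),
                        ("detectability", detectability)):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            errors.append(f"{name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    return errors


@dataclass(frozen=True)
class FmeaRow:
    no: int
    system: str
    component: str
    failure_mode: str
    severity: int        # B: 1 = no impact .. 5 = catastrophic
    occurrence: int      # A: 1 = very low (0.01%) .. 5 = very high (50%)
    detectability: int   # E: 1 = 0-19% chance of detection .. 5 = 80-100%, as the paper defines it
    stated_rpn: int      # RPN printed in the paper's table, re-checked below

    def __post_init__(self):
        errors = rating_errors(self.severity, self.occurrence, self.detectability)
        if errors:
            raise ValueError(f"row {self.no}: " + "; ".join(errors))

    @property
    def rpn(self):
        """RPN = B x A x E, as Section 2.1 defines it (range 1..125)."""
        return self.severity * self.occurrence * self.detectability


# Rows copied from the Section 5.1 table: No., system, component, failure mode, B, A, E, stated RPN.
FMEA_TABLE = [
    FmeaRow(1, "Part A", "Collision probability estimator", "Erroneous probability estimation", 4, 4, 5, 80),
    FmeaRow(2, "Part A", "Vehicle and object status", "Erroneous calculation of object speed", 4, 4, 4, 64),
    FmeaRow(3, "Part A", "Warning indicator", "Display of warning fails", 3, 3, 2, 18),
    FmeaRow(4, "Part A", "Vehicle sensor complex", "Erroneous signaling of sensors", 3, 4, 4, 48),
    FmeaRow(5, "Part A", "Object detection", "Erroneous radar and camera", 3, 3, 2, 18),
    FmeaRow(6, "Part A", "Collision controller interface", "Object recognition device fails", 3, 3, 4, 36),
    FmeaRow(7, "Part B", "Brake controller", "Steering of brakes fails", 4, 3, 2, 24),
    FmeaRow(8, "Part B", "Brake pressure determination", "Steering of brakes fails", 4, 3, 5, 60),
    FmeaRow(9, "Part B", "Brake system", "Activation of manual brake fails", 5, 4, 4, 80),
    FmeaRow(10, "Part B", "Brake system", "Activation of auto brake fails", 5, 4, 4, 80),
    FmeaRow(11, "Part B", "Engine torque controller interface", "Torque controller still active", 4, 3, 3, 36),
    FmeaRow(12, "Part B", "Collision controller interface", "Collision avoidance still running", 4, 2, 3, 24),
    FmeaRow(13, "Part C", "Collision controller interface", "Vehicle and object status fails", 4, 3, 2, 24),
    FmeaRow(14, "Part C", "Brake controller interface", "Brake pressure determination fails", 4, 3, 2, 24),
    FmeaRow(15, "Part C", "Accelerator position sensor", "Erroneous interpretation of sensor signals", 3, 3, 4, 36),
    FmeaRow(16, "Part C", "Engine ignition system", "Engine ignition is not activated", 5, 2, 4, 40),
    FmeaRow(17, "Part C", "Transmission", "Transmission downshifting fails", 5, 2, 4, 40),
    FmeaRow(18, "Part C", "Engine torque controller", "Torque is not reduced", 3, 2, 4, 24),
    FmeaRow(19, "Parts A, B, C", "Operating system", "Bad performance", 5, 2, 4, 40),
    FmeaRow(20, "Parts A, B, C", "SW/HW components", "Frequent restarts of the system", 4, 3, 5, 60),
    FmeaRow(21, "Parts A, B, C", "Trust boundaries", "Attacker pretends to be a measurement device", 5, 1, 3, 15),
]


def rpn_mismatches(rows):
    """(row no., stated RPN, computed RPN) for every row whose stated RPN is not B*A*E."""
    return [(r.no, r.stated_rpn, r.rpn) for r in rows if r.stated_rpn != r.rpn]


def ranked(rows):
    """Rows ordered for review: highest RPN first, ties broken by severity, then row number."""
    return sorted(rows, key=lambda r: (-r.rpn, -r.severity, r.no))


def rows_at_or_above(rows, threshold=REVIEW_THRESHOLD):
    """Row numbers whose RPN reaches the (assumed) review threshold."""
    return [r.no for r in rows if r.rpn >= threshold]


def max_rpn_by_system(rows):
    """Highest RPN found in each system part, to see where the risk concentrates."""
    result = {}
    for r in rows:
        result[r.system] = max(result.get(r.system, 0), r.rpn)
    return result


if __name__ == "__main__":
    assert not rpn_mismatches(FMEA_TABLE), "table RPN column disagrees with B*A*E"
    for r in ranked(FMEA_TABLE)[:5]:
        print(f"No. {r.no:>2}  RPN {r.rpn:>3}  B={r.severity} A={r.occurrence} E={r.detectability}  {r.component}")
    print("at or above threshold:", rows_at_or_above(FMEA_TABLE))
    print("max RPN per system:", max_rpn_by_system(FMEA_TABLE))
```

Two points matter when reusing the helper. First, the direction of the E scale is the paper's own: 5 means the cause is very likely to be detected, so a high chance of detection raises the RPN; a team that uses the more common inverse detection scale (1 = almost certainly detected) has to invert E before multiplying, or the ranking comes out backwards. Second, the single security row (No. 21, an attacker pretending to be a measurement device) lands at the bottom with RPN 15 only because its occurrence was rated 1; the arithmetic check catches slips in the RPN column, not optimistic ratings, which remain a matter for review.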
5.2 Safety analysis using STPA
No. | Command/event | Not provided | Provided unsafe | Provided too early | Provided too late | Provided out of sequence | Stopped too soon
---|---|---|---|---|---|---|---
1 | Object detection signal | Catastrophic: system dysfunction [collision] (1a) | Catastrophic: system malfunctioning (1b) | N/A | Catastrophic: system dysfunction [collision] (1a) | N/A | N/A
2 | Vehicle complex signal | Catastrophic: problem in calculation of vehicle status and collision probability (2a) | Catastrophic: problem in calculation of vehicle status and collision probability (2a) | N/A | Catastrophic: problem in calculation of vehicle status and collision probability (2a) | N/A | N/A
3 | Collision warning signal | Negligible (if everything else is working properly, the active safety system will still prevent the collision) (3a) | N/A | Negligible (if everything else is working properly, the active safety system will still prevent the collision) (3a) | Negligible (if everything else is working properly, the active safety system will still prevent the collision) (3a) | N/A | Negligible (a warning stopped too soon can cause an accident; if everything else works properly, the active safety system will still prevent the collision) (3b)
4 | System reset signal (response from driver by using brakes) | Negligible (if everything else is working, the active safety system will still prevent the collision) (4a) | Negligible (if everything else is working, the active safety system will still prevent the collision) (4a) | N/A | Negligible (if everything else is working, the active safety system will still prevent the collision) (4a) | N/A | N/A
5 | Vehicle status signal | Catastrophic (wrong brake pressure determination) (5a) | Catastrophic (wrong brake pressure determination) (5a) | N/A | Catastrophic (wrong brake pressure determination and decrease in reaction time) (5a) | N/A | N/A
6 | Object status signal | Catastrophic (wrong brake pressure determination) (6a) | Catastrophic (wrong brake pressure determination) (6a) | N/A | Catastrophic (wrong brake pressure determination and decrease in reaction time) (6a) | N/A | N/A
7 | Collision assessment signal | Catastrophic: system will not work [collision] (7a) | Catastrophic: system will not work as intended [collision] (7b) | Moderate: false signal due to system malfunctioning [application of automatic brakes without need] (7c) | Catastrophic: system will not work [collision] (7a) | N/A | N/A
8 | Reduce torque | Moderate: collision with divider or other objects, and vehicle can slip (8a) | N/A | N/A | Moderate: collision with divider or other objects, and vehicle can slip (8a) | N/A | N/A
9 | Brake signal with required pressure | Catastrophic: system dysfunction [collision] (9a) | Catastrophic: system malfunctioning [collision] (9b) | Moderate: false signal due to system malfunctioning [application of automatic brakes without need] (9c) | Catastrophic: system dysfunction [collision] (9a) | N/A | N/A
10 | Apply brakes signal | Catastrophic: system dysfunction [collision] (10a) | N/A | Moderate: false signal due to system malfunctioning [application of automatic brakes without need] (10b) | Catastrophic: system dysfunction [collision] (10a) | N/A | N/A
11 | Accelerator signal | Catastrophic (wrong brake pressure determination) (11a) | Catastrophic (wrong brake pressure determination) (11b) | N/A | Catastrophic (wrong brake pressure determination) (11a) | N/A | N/A
12 | Change transmission signal | Catastrophic: torque will not be reduced (12a) | N/A | N/A | Catastrophic: torque will not be reduced (12a) | N/A | N/A
13 | Limit air and fuel supply signal | Catastrophic: torque will not be reduced (13a) | N/A | N/A | Catastrophic: torque will not be reduced (13a) | N/A | N/A
14 | Switch off engine signal | Catastrophic: torque will not be reduced (14a) | N/A | N/A | Catastrophic: torque will not be reduced (14a) | N/A | N/A
No. | Step 1 no. | Hazards | Severity | Causal factors
---|---|---|---|---
1 | 1a | System dysfunction due to failure of object detection system | Catastrophic | Object detection component failure (camera, radar, or motion sensors); communication error (no signal)
2 | 1b | Malfunctioning of the system due to incorrect input from object detection system | Catastrophic | Corrupted communication (wrong signal); malfunctioning of camera, radar, and motion sensors; delayed communication (system will not work on time)
3 | 2a | Incorrect or missing calculation of vehicle status and collision probability due to failure or malfunctioning of vehicle complex sensors | Catastrophic | Failure of vehicle sensors; communication error (no signal); delayed communication (system will not work on time); malfunctioning of sensors (incorrect values sent by sensors)
4 | 3a | Missing collision warning signal; if the rest of the system is working properly, the active safety system still prevents the collision | Negligible | Inadequate collision assessment algorithm; failure of warning indicator; malfunctioning of warning indicator; incomplete controller process model; failure of collision estimator; malfunctioning of collision estimator; incorrect vehicle or object status; communication error (no signal); delayed communication (system will not work on time)
5 | 3b | A warning stopped too soon can cause an accident; if everything else works, the active safety system handles the situation | Negligible | Failure of warning indicator; malfunctioning of warning indicator; communication error
6 | 4a | Missing system reset signal can cause collision with divider or other objects due to unwanted auto braking | Negligible | Brake pedal sensor failure; communication error (no signal); delayed communication (system will not reset on time and will apply brakes)
7 | 5a | Incorrect brake pressure determination due to missing vehicle status signal | Catastrophic | Failure of vehicle sensor complex (2a); malfunctioning of collision controller due to incomplete process model; communication error (no signal); delayed communication (system will not work on time)
8 | 6a | Incorrect brake pressure determination due to missing object status signal | Catastrophic | Failure of object detection (1a); malfunctioning of collision controller due to incomplete process model; communication error (no signal); delayed communication (system will not work on time)
9 | 7a | System dysfunction due to missing collision assessment signal | Catastrophic | Component failures in object detection and vehicle complex signal (1a and 2a); failure of collision probability estimator; communication error (no signal); delayed communication (system will not work on time)
10 | 7b | System will not work as intended due to unsafe (incorrect) collision assessment signal | Catastrophic | Malfunctioning of collision probability estimator; incorrect input by vehicle and object status providers; delayed communication (system will not work on time)
11 | 7c | Unwanted/undesired auto braking due to false collision assessment signal | Moderate | Malfunctioning of collision probability estimator; malfunctioning of collision controller due to incomplete process model
12 | 8a | Collision with the road divider or other objects, and the vehicle can slip, due to missing reduce torque signal | Moderate | Malfunctioning of brake controller due to incomplete process model (an incorrect (safe) brake pressure causes the reduce torque signal not to be sent); incorrect input by collision assessment signal (7b); communication error (no signal); delayed communication (system will not work on time)
13 | 9a | System dysfunction due to missing brake signal with appropriate (required) pressure | Catastrophic | Failure of brake controller components; brake pressure determination fails; communication error (no signal); missing collision assessment signal, vehicle and object status signals
14 | 9b | System failure/malfunctioning (system does not work as intended) due to unsafe (incorrect) brake signal | Catastrophic | Incomplete controller process model; malfunctioning of collision controller due to incomplete process model; delayed communication (system will not work on time)
15 | 9c | Unwanted/undesired auto braking due to false braking signal | Moderate | Malfunctioning of brake controller due to incomplete process model (generation of false signal)
16 | 10a | System dysfunction due to missing apply brakes signal | Catastrophic | Connection broken between brake pedal and brake actuator; failure of braking system; communication error (no signal)
17 | 10b | False signal due to brake system malfunctioning [application of automatic brakes without need] | Moderate | Malfunctioning of brake system (generation of false signal)
18 | 11a | Incorrect brake pressure determination due to missing accelerator signal | Catastrophic | Sensor failure; communication error (no signal); delayed communication (system will not work on time)
19 | 11b | System malfunctioning due to missing accelerator signal | Catastrophic | Malfunctioning of sensor (incorrect reading by sensor)
20 | 12a | Torque will not be reduced due to missing change transmission signal | Catastrophic | Component failure in the torque controller; missing reduce torque signal (8); communication error (no signal); delayed communication (system will not work on time)
21 | 13a | Torque will not be reduced due to missing limit air and/or fuel supply signal | Catastrophic | Component failure in the torque controller; malfunctioning of controller due to incorrect process model; missing reduce torque signal (8); communication error (no signal); delayed communication (system will not work on time)
22 | 14a | Torque will not be reduced due to missing engine switch off signal | Catastrophic | Component failure in the torque controller; malfunctioning of controller due to incorrect process model; missing reduce torque signal (8); communication error (no signal); delayed communication (system will not work on time)
6 Analysis
6.1 Common and distinct hazards identified by both methods
No. | Hazards identified by STPA | Hazards identified by FMEA |
---|---|---|
1 | 1a | 6 |
2 | 1b | Not identified |
3 | 2a | 1 and 2 |
4 | 3a | Not identified |
5 | 3b | 3 |
6 | 4a | 12 |
7 | 5a | 13 |
8 | 6a | 14 |
9 | 7a | Not identified |
10 | 7b | Not identified |
11 | 7c | Not identified |
12 | 8a | 18 |
13 | 9a | Not identified |
14 | 9b | Not identified |
15 | 9c | Not identified |
16 | 10a | 20 |
17 | 10b | Not identified |
18 | 11a | 8 |
19 | 11b | 15 |
20 | 12a | 11 and 17 |
21 | 13a | Not identified |
22 | 14a | Not identified |
23 | Not identified | 4 |
24 | Not identified | 5 |
25 | Not identified | 7 |
26 | Not identified | 9 |
27 | Not identified | 10 |
28 | Not identified | 16 |
29 | Not identified | 19 |
30 | Not identified | 21 |
6.2 Classification of the identified hazards
- Component interaction error
- Software error
- Human error
- Component error
- System error
6.3 Comparison of the causal factors of the identified hazards
6.4 Mapping of the analysis steps of FMEA and STPA
FMEA | STPA | Mapping comments
---|---|---
Step 1: Decomposition of the system to be analyzed into subsystems and components | Step 1: Acquisition of the functional control diagram of the system to be analyzed as a whole, and identification of some high-level system hazards to start with | Map-A: Step 1 of both methods is mapped as the same step in the analysis process because FMEA is based on reliability theory (decomposition required) and STPA is based on system theory (system required as a whole)
Step 2: Assigning the application function to each subcomponent and subsystem | N/A | Map-B: This step of FMEA does not map to any STPA step
Step 3: Determine and analyze the potential failure modes, causes of failure, and failure effects that can lead the system to a hazardous state | Step 2: Identify the potential inadequate control commands or events (potential hazards). Step 3: Determine how each potential hazardous control action (potential hazard) identified in step 2 could occur (causal factors of identified potential hazards) | Map-C: Step 3 of FMEA is mapped to step 2 and step 3 of STPA, which consist of the identification of potential failures (or hazards), their causes and effects
Step 4: Evaluate risk and calculate risk priority number (RPN) | N/A | Map-D: This step of FMEA does not map to any STPA step
Step 5: Specify defect avoidance or risk mitigation measures | Step 4: Design controls and countermeasures if they do not already exist, or evaluate existing ones | Map-E: Step 5 of FMEA and step 4 of STPA are mapped to each other because they are both about designing and evaluating countermeasures
6.5 Evaluation of the analysis process of FMEA and STPA
TAM constructs | Derived qualitative criteria
---|---
Perceived ease of use | How easy or hard; why was it easy or hard
Perceived usefulness | Provided support by the method; confidence about the results; applicability for software
FMEA steps | How easy or hard? | Why was it easy or hard? | Provided support by the method | Confidence about the analysis results | Applicability for software
---|---|---|---|---|---
Step 1 | Easy | Requirements and architecture of the system on an abstract level are well defined | Structural decomposition is supported | Experience in the application of FMEA in safety-critical systems such as railway interlocking systems was the basis | Very well suited for software, because, for instance, risk-based development and testing is fostered
Step 2 | Easy | Functions of the system are defined | Supported by templates | Method is easy to apply | Yes, on the basis of the requirements
Step 3 | Moderate | The identification of failure causes may be challenging | Yes, taking domain-specific failure data into account | Confident, because a potential failure can be assigned to each task of a component | Yes, on the basis of requirements and design specification of software systems
Step 4 | Hard | It is not easy to assign the potential risk to avoid a risk scenario | Yes, by assessing the complexity of a component and the probability of a failure | Taking the qualitative interpretation of the RPN into account gives confidence | The method fosters the application of risk-based testing in software development
Step 5 | Moderate | The efficiency of the measures has to be assessed | Yes | 20 years' experience in industry | The application of FMEA fosters the improvement of the software development process
STPA steps | How easy or hard? | Why was it easy or hard? | Provided support by the method | Confidence about the analysis results | Applicability for software
---|---|---|---|---|---
Step 1 | Easy | The functional control diagram and requirements of the system with its safety constraints are available in detail | The method gives no explicit support in this step; instead it requires a detailed functional control diagram and other system descriptions | Confident about the results of this step based on the reviewed literature about STPA and on studying an advanced-level safety course | Very well suited for software because the main focus of STPA is on the dynamic behavior of systems, which mainly covers the software part
Step 2 | Easy | Identification of inadequate safety controls is easy because of the STPA keywords, i.e., not provided, provided unsafe, provided too late or early, and stopped too soon | The systematic approach of using the STPA keywords identified an almost complete set of potential hazards | Confident because all components in the system's functional control diagram are evaluated one by one against the keywords to find a complete set of hazards | Very well suited, as the main focus of STPA is on software and the dynamic behavior of the system. It identifies the majority of the hazards relevant to software
Step 3 | Hard | Identification of causal factors can be challenging | Keywords to evaluate the system's dynamic deviation from required safety | Confident, because STPA yielded an almost complete analysis result for both the potential hazards and their causal factors | Very well suited, as it identified the majority of the software-relevant causal factors
Step 4 | Hard | Designing new countermeasures and evaluating existing ones can be difficult or challenging | No explicit support by the method | Researcher in the safety domain with 5 years of research experience in analyzing methods and tools used for the analysis of safety-critical systems | It identifies problems in software and suggests improvements depending on the stage, i.e., design, development, and operation