There are many discussions nowadays about what makes a car a Level 4 autonomous vehicle. Some define it as a vehicle that can perform all driving tasks under specific conditions without any human intervention; others, as one that can operate autonomously within certain predefined scenarios or environments without requiring driver intervention. What does it actually take to bring the safety of autonomous vehicles to Level 4 autonomy?
We talked about this intriguing topic with Dr. Vladimir Marinković, an instructor at NIT Academy with expertise in safety analysis techniques and a focus on SOTIF and STPA, who gave us a new perspective on the automotive industry today.
As industries embrace autonomous vehicles, advanced robotics, and interconnected smart systems, the need for comprehensive safety frameworks has given rise to methodologies that go beyond traditional safety standards. The SOTIF (Safety of the Intended Functionality) standard, and the STPA (System-Theoretic Process Analysis) method that this standard refers to, have emerged as a basis for approaching the challenge of ensuring safety in today's demanding technological environments.
STPA in identifying and documenting a hazard
“There are many limitations and difficulties during the application of these techniques; there are different pitfalls in each of the phases, so there can be different challenges for identifying hazards, for defining the control structure or identifying unsafe control actions. We can address them by following tips that are recommended by the STPA handbook; for instance, that’s at least one good way to address them, and this handbook is actually written by Nancy Leveson,” said Dr. Marinković.
As he explained, he uses the traditional methods of safety analysis every day, but as soon as we reach a higher level of autonomous driving, Level 4 and fail-operational systems, functional safety and the traditional methods cannot answer all the questions and cannot identify all the losses and hazards. That is where SOTIF steps in, and STPA is the main reference method and a requirement of that standard.
“STPA is described in detail, but still, it is free for interpretation. That is something that is very interesting to me, too. Regarding the specificity of its position and its relation to other hazard analysis methods, traditional hazard analysis methods, in my opinion, STPA shall be used not as a replacement for those traditional techniques but alongside them so they can be iteratively applied. The output from one is input for the other, and you can simply combine them and identify hazards as much as possible and mitigate them at the end,” Dr. Marinković added.
In his view, all these techniques serve as filters that catch hazards. The main difference from the traditional techniques is that those are not suited to complex systems, and vehicle systems are becoming more complex. The supporting infrastructure around vehicles is changing as well. There are many unknowns that you, as an expert in this field, need to investigate, and for that an explorative technique is needed, but one that is still structured.
That technique is STPA. It starts from systems theory, which means we do not analyze the system only as a breakdown into components; from the beginning we also work at a more abstract level to analyze the interactions between components and what affects their interfaces.
Traditional methods analyze each component separately and show whether it is safe to a reasonable extent. Systems theory holds that this is not enough: by combining components that were each analyzed to be sufficiently safe, we get a system about which we cannot make the same claim, because the interactions between the components have not been sufficiently analyzed. The STPA method is built on that theory. It also takes into account misuse that can occur, human operators, and software, which is relevant to systematic failures rather than the probabilistic failures that functional safety is mostly concerned with.
Dr. Marinković walked us through the four separate steps of an STPA analysis. The first, and a very important one, is to define the purpose of the analysis: we define the losses and identify the hazards that can lead to those losses. The losses thus guide us in different directions; we can even split them by stakeholder, since one party is interested in human losses and another in financial aspects or reputation, depending on the perspective from which you approach the problem. The second step is to model the control structure of the system. The third is to identify unsafe control actions, and the last is to identify loss scenarios. The output of the technique can then serve to improve your system, either as additional safety requirements or as a refinement and improvement of the architecture.
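The four steps above, as an added Python illustration that is not from the course or the STPA handbook: losses, hazards, control actions, unsafe control actions and loss scenarios are kept as plain data for a constructed, hypothetical automated emergency braking (AEB) function, and two checks verify what the course insists on, namely that every unsafe control action type has been considered for each control action and that every artifact traces back to a loss.

```python
# Added example, not from the course: the four STPA steps as plain data for a
# constructed, hypothetical automated emergency braking (AEB) function.
UCA_TYPES = ("not provided", "provided", "too early/too late/out of order",
             "stopped too soon/applied too long")  # the four UCA types in STPA
# Step 1: losses, and hazards that can lead to them (hazard -> set of losses)
losses = {"L-1": "Loss of life or injury", "L-2": "Damage to the vehicle"}
hazards = {
    "H-1": ("Vehicle violates minimum separation from obstacle ahead", {"L-1", "L-2"}),
    "H-2": ("Vehicle decelerates hard with no obstacle ahead", {"L-1", "L-2"}),
}
# Step 2: control structure, reduced to controller -> control action -> process
control_actions = {"CA-1": ("AEB controller", "Brake command", "Brake actuator")}
# Step 3: unsafe control actions as (action, UCA type, context, hazards caused)
ucas = {
    "UCA-1": ("CA-1", "not provided", "obstacle inside stopping distance", {"H-1"}),
    "UCA-2": ("CA-1", "provided", "no obstacle ahead (false detection)", {"H-2"}),
    "UCA-3": ("CA-1", "too early/too late/out of order",
              "provided after time-to-collision is exhausted", {"H-1"}),
    "UCA-4": ("CA-1", "stopped too soon/applied too long",
              "released before the vehicle has stopped", {"H-1"}),
}
# Step 4: loss scenarios, each explaining how one UCA could come about
scenarios = {
    "LS-1": ("UCA-1", "Radar track lost in heavy rain; controller believes path is clear"),
    "LS-2": ("UCA-2", "Sensor fusion classifies a bridge shadow as an obstacle"),
}

def uca_coverage():
    """(action, UCA type) pairs not yet considered; [] when the UCA table is complete."""
    seen = {(ca, t) for ca, t, _, _ in ucas.values()}
    return [(ca, t) for ca in control_actions for t in UCA_TYPES if (ca, t) not in seen]

def check_traceability():
    """Dangling references between artifacts; [] means everything traces to a loss."""
    issues = []
    for hid, (_, ls) in hazards.items():
        issues += [f"{hid} -> unknown loss {l}" for l in sorted(ls - set(losses))]
    for uid, (ca, t, _, hz) in ucas.items():
        if ca not in control_actions or t not in UCA_TYPES:
            issues.append(f"{uid} -> unknown control action or UCA type")
        issues += [f"{uid} -> unknown hazard {h}" for h in sorted(hz - set(hazards))]
    issues += [f"{sid} -> unknown UCA {uid}" for sid, (uid, _) in scenarios.items()
               if uid not in ucas]
    return issues

def trace_to_losses(scenario_id):
    """Follow scenario -> UCA -> hazards -> losses, the complete trace the course asks for."""
    hz = ucas[scenarios[scenario_id][0]][3]
    return sorted({l for h in hz for l in hazards[h][1]})
```

The same tables are what a team would keep in a spreadsheet or requirements tool; the two checks are the ones worth automating before a safety review.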
NIT Course: Assessing the safety of a system
“You can learn how to apply different techniques of the safety lifecycle in appropriate stages of the project, but what I teach participants in this course is that it's never too early to identify a hazard, and it's not that important which method or technique you use; it is important that you identify and document it, and trace it completely. Of course, the purpose of these structured and formalized techniques is to guide you better in covering as many of the existing hazards as possible,” our instructor pointed out.
Regarding the Safety Analysis Techniques course, our instructor emphasized that participants will learn how to use various methods, all of which have a textual, tabular or graphical representation that can be produced in whatever suitable software the company already uses.
He has carried out a cost analysis of applying STPA, which showed that approximately 20% of the overall effort of applying it goes into learning and mastering the technique.
“We aim to assist participants by facilitating a comprehensive understanding of STPA through collaborative efforts. Whether it's comprehending the methodology alongside us or applying it in real-world scenarios, our goal is to enhance participants' proficiency. We provide support through straightforward yet reasonable examples, guiding participants through both fundamental and more complex aspects across various project phases in the course. Additionally, we share valuable insights and experiences from the field,” concluded Dr. Marinković.
In conclusion, understanding and implementing the SOTIF standard, and the STPA method in particular, is crucial for addressing the safety challenges of autonomous vehicles, especially at Level 4 autonomy. These methodologies go beyond the traditional safety analysis methods addressed by functional safety standards, providing a systematic approach to the unique challenges posed by advanced technologies in the automotive industry. SOTIF and STPA are essential for identifying and reducing hazards in complex systems, offering a comprehensive framework that is necessary for achieving and maintaining the highest levels of safety in autonomous vehicles.
You can find out more about this course by visiting the link.