STPA-driven Multilevel Runtime Monitoring for In-time Hazard Detection

TL;DR

This paper presents a multilevel runtime monitoring approach driven by System-Theoretic Process Analysis (STPA) to detect hazards in cyber-physical systems during operation, enhancing safety assurance.

Contribution

It introduces a workflow model linking STPA hazard analysis to runtime monitoring, guiding what, where, and how to monitor in cyber-physical systems.

Findings

Effective hazard detection demonstrated on autonomous emergency braking system

Multilevel monitors improve in-time hazard detection accuracy

Workflow model aids in systematic runtime monitoring design

Abstract

Runtime verification or runtime monitoring equips safety-critical cyber-physical systems to augment design assurance measures and ensure operational safety and security. Cyber-physical systems have interaction failures, attack surfaces, and attack vectors resulting in unanticipated hazards and loss scenarios. These interaction failures pose challenges to runtime verification regarding monitoring specifications and monitoring placements for in-time detection of hazards. We develop a well-formed workflow model that connects system theoretic process analysis, commonly referred to as STPA, hazard causation information to lower-level runtime monitoring to detect hazards at the operational phase. Specifically, our model follows the DepDevOps paradigm to provide evidence and insights to runtime monitoring on what to monitor, where to monitor, and the monitoring context. We demonstrate and evaluate the value of multilevel monitors by injecting hazards on an autonomous emergency braking system model.