A new safety-guided design methodology to complement model-based safety analysis for safety assurance

TL;DR

This paper introduces STPA+, a safety-guided design methodology that enhances model-based safety analysis by ensuring safety-critical scenarios are included, thereby improving safety assurance for complex human-machine systems.

Contribution

STPA+ extends existing safety analysis methods by directly addressing omissions in safety scenarios and providing a comprehensive design approach for complex cyber-physical systems.

Findings

STPA+ effectively identifies safety-critical scenario omissions.

It produces more reliable safety assurance results.

The methodology improves safety design for complex human-machine interactions.

Abstract

With the rapid advancement of Formal Methods, Model-based Safety Analysis (MBSA) has been gaining tremendous attention for its ability to rigorously verify whether the safety-critical scenarios are adequately addressed by the design solution of a cyber-physical human system. However, there is a gap. If specific safety-critical scenarios are not included in the given design solution (i.e., the model) in the first place, the results of MBSA cannot be trusted for safety assurance. To tackle this problem, we propose a new safety-guided design methodology (called STPA+) to complement MBSA. Inspired by STPA, STPA+ treats a system as a control structure, which is particularly fit for systems with complex interactions between human, machine, and automation. Three methods are developed in STPA+ to tackle the possible omissions of safety-critical scenarios caused by incorrectly defined safety constraints, improperly constrained process model, and inadequately designed controller. In this way, STPA+ directly derives an adequately defined design solution as the input to an MBSA verification program and bridges the gap between current MBSA approaches and safety assurance.