An STPA-based Approach to the Derivation of Verifiable Safety Requirements for General-Purpose Safety Elements out of Context

Jan Toennemann - Vector Informatik GmbH and University of Stuttgart

The automotive industry's rapid shift towards software-defined vehicles increases its reliance on reusable components, including Safety Elements out of Context (SEooCs) — software developed without knowledge of its final operational environment. While SEooCs enhance efficiency, they pose a formidable challenge: how to specify comprehensive and verifiable safety requirements for general-purpose software libraries (e.g., parsers, communication stacks) where the semantic gap between low-level behavior and vehicle-level hazards is vast. Traditional safety analysis methods like FMEA often fall short, focusing on internal component failures rather than emergent hazards from component interactions. 

This paper presents a novel methodology that integrates Systems-Theoretic Process Analysis (STPA) into the ISO 26262 SEooC lifecycle to systematically address this gap. We introduce a formal abstraction to model generic software libraries as abstract controllers within a hierarchical control structure. By performing STPA within defined "archetypal contexts of use," we systematically identify Unsafe Control Actions (UCAs). These UCAs represent hazardous interface interactions, such as providing corrupted data while signaling success, failing to report resource exhaustion, or violating real-time constraints. Identified UCAs are then translated into precise, verifiable Technical Safety Requirements (TSRs), forming an explicit safety contract. 

We demonstrate this methodology on the cJSON library, showing how it yields the artefacts ISO 26262 requires in practice. Because OSS components developed for non-automotive use cases typically lack formalized requirements, the approach lets requirements and their verification strategies be constructed directly as part of the safety analysis. By augmenting traditional verification with a focus on system-level behaviors and interaction failures, this method strengthens SEooC safety cases against integration faults and supports robust deployment in complex, software-intensive automotive systems.
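The UCA classes named above (corrupted data delivered with a success signal, resource exhaustion not reported) become Technical Safety Requirements only if each one has a verification strategy. The following is an added example, not from the paper and not cJSON's code: a C fault-injection harness that verifies an exhaustion-handling contract by replaying a library call with every allocation in turn forced to fail. The parser here is a hypothetical stand-in for a library entry point (it accepts only flat JSON arrays of integers, such as `[1, 22, 333]`); the allocator hook follows the same pattern cJSON exposes through `cJSON_InitHooks`, so the harness would attach to the real library the same way. The names `parse_int_array`, `sweep_allocation_failures` and `parse_and_sum`, and the contract wording in the comments, are this example's own.

```c
/* Added example: fault-injection sweep verifying an exhaustion-handling safety contract.
 * The parser is a stand-in for a library call; only the harness pattern is the point. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parsed result: a singly linked list of the array's integers. */
typedef struct node { long value; struct node *next; } node;

/* Allocator hook in the style of cJSON_InitHooks(): the integrator supplies malloc/free. */
static void *(*hook_malloc)(size_t) = malloc;
static void (*hook_free)(void *) = free;

/* Fault-injection state: fail the fail_at-th allocation (0 = never) and count live blocks. */
static int fail_at, alloc_count, live_blocks;

static void *failing_malloc(size_t n) {
    alloc_count++;
    if (fail_at != 0 && alloc_count == fail_at) return NULL;   /* simulated exhaustion */
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void counting_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

static void free_list(node *n) {
    while (n) { node *next = n->next; hook_free(n); n = next; }
}

/* Stand-in library call. Safety contract (TSR derived from the UCAs):
 *  - returns 1 only if the whole input was parsed and *out holds the complete list;
 *  - returns 0 on syntax error or allocation failure, with *out == NULL and every
 *    block it allocated already released (exhaustion is reported, never hidden). */
static int parse_int_array(const char *s, node **out) {
    node *head = NULL, **tail = &head;
    *out = NULL;
    if (*s++ != '[') return 0;
    for (;;) {
        while (isspace((unsigned char)*s)) s++;
        if (*s == ']' && head == NULL) { s++; break; }          /* empty array "[]" */
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s) { free_list(head); return 0; }            /* not an integer */
        node *n = hook_malloc(sizeof *n);
        if (n == NULL) { free_list(head); return 0; }           /* exhaustion: report it, free partial tree */
        n->value = v; n->next = NULL;
        *tail = n; tail = &n->next;
        s = end;
        while (isspace((unsigned char)*s)) s++;
        if (*s == ',') { s++; continue; }
        if (*s == ']') { s++; break; }
        free_list(head); return 0;                              /* unexpected character */
    }
    while (isspace((unsigned char)*s)) s++;
    if (*s != '\0') { free_list(head); return 0; }              /* trailing garbage */
    *out = head;
    return 1;
}

/* Convenience for callers: sum of the parsed values, or LONG_MIN if parsing failed. */
static long parse_and_sum(const char *s) {
    node *t;
    if (!parse_int_array(s, &t)) return LONG_MIN;
    long sum = 0;
    for (const node *n = t; n; n = n->next) sum += n->value;
    free_list(t);
    return sum;
}

/* Verification strategy for the exhaustion TSR: a clean run records how many allocations
 * the call needs; the call is then replayed once per allocation with that allocation
 * forced to fail. Returns the number of injection points handled correctly, or -1 at the
 * first contract violation: success signalled without a complete tree, or blocks left
 * allocated after a reported failure. */
static int sweep_allocation_failures(const char *input) {
    node *tree;
    int handled = -1;
    hook_malloc = failing_malloc; hook_free = counting_free;
    fail_at = 0; alloc_count = 0; live_blocks = 0;
    int ok = parse_int_array(input, &tree);
    free_list(tree);
    if (ok && live_blocks == 0) {                 /* baseline must succeed and leak nothing */
        int needed = alloc_count;
        handled = 0;
        for (int n = 1; n <= needed; n++) {
            fail_at = n; alloc_count = 0; live_blocks = 0;
            if (!parse_int_array(input, &tree) && tree == NULL && live_blocks == 0) handled++;
            else { free_list(tree); handled = -1; break; }
        }
    }
    fail_at = 0; hook_malloc = malloc; hook_free = free;        /* restore default hooks */
    return handled;
}

int main(void) {
    printf("injection points handled: %d\n", sweep_allocation_failures("[1, 22, 333]"));
    return 0;
}
```

The sweep is the verification artefact the TSR asks for: one test case per allocation site on the path, each checking both halves of the contract (no success signal without complete data, no hidden failure or leak). It does not cover the real-time UCA; a deadline check would be a separate harness measuring the call under the same injected conditions.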


Co-authors: 
  • Steffen Becker, University of Stuttgart
  • Stefan Wagner, Technical University of Munich


Short Bio:

Working with safety-critical automotive systems since 2015, with Vector's department for embedded systems since 2020, working on the qualification of pre-existing software components as part of an extracurricular doctorate program since 2022.


Friday, September 26, 12.00 AM