An STPA-based Approach to the Elicitation of Verifiable Safety Requirements for General-Purpose Safety Elements out of Context

Jan Toennemann - Vector Informatik GmbH and University of Stuttgart

The increasing complexity of software in modern automotive systems has driven the adoption of reusable components, defined by ISO 26262 as Safety Elements out of Context (SEooCs). While the SEooC paradigm promotes efficiency, it presents a formidable challenge: the a priori specification of a complete and robust set of safety requirements for components that lack a definitive operational context. This can pose a particular challenge for foundational software libraries (e.g. generic parsers, communication stacks, operating system components), where the semantic gap between low-level software behavior and vehicle-level hazards is vast. The Failure Mode and Effect Analysis (FMEA) recommended by ISO 26262 enables the comprehensive analysis and mitigation of potential faults and off-nominal behavior, but can fall short of assisting the integrator in uncovering hazards arising from flawed component interactions in large-scale systems.

This paper presents a novel methodology that addresses this gap by integrating Systems-Theoretic Process Analysis (STPA) into the ISO 26262 SEooC lifecycle. We introduce a formal abstraction to model a generic software component as a controller within a hierarchical control structure. In this paradigm, the library's public interfaces are defined as control actions, and the state of the calling application is modeled as the controlled process. The library's return values and output data serve as the feedback loop to the higher-level controller, while the process model represents the library's internal state — if applicable.

By performing an STPA analysis on this abstract control model within an assumed context of use, we can systematically identify Unsafe Control Actions (UCAs). These UCAs represent hazardous interactions at the software interface, such as providing corrupted data while signaling success, failing to report resource exhaustion, or exhibiting excessive execution time that violates real-time constraints. These identified UCAs are then translated into a precise and verifiable set of Technical Safety Requirements (TSRs) for the SEooC. This process creates an explicit safety contract that defines the component's obligations and the assumptions placed on its integrator.
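The abstraction described in the two paragraphs above, as an added example that is not part of the paper: a hypothetical library call (`parse_frame`, constructed here) is treated as the control action, its `(status, data)` return as the feedback path, and the three UCAs named above (corrupted data with a success signal, unreported resource exhaustion, excessive execution time) are turned into checkable TSRs enforced by a runtime monitor. The capacity limit and deadline are assumed values.

```python
import time

MAX_PAYLOAD = 64      # assumed capacity of the calling application's buffer
DEADLINE_S = 0.1      # assumed real-time budget for one call

# Library under analysis, modelled as the controller: parses a length-prefixed frame.
def parse_frame(buf: bytes):
    """Constructed defect: signals OK even when the frame is truncated or the
    payload exceeds the caller's capacity (silent truncation)."""
    if not buf:
        return "ERROR", b""
    declared = buf[0]
    return "OK", buf[1:1 + declared][:MAX_PAYLOAD]

def parse_frame_safe(buf: bytes):
    """Hardened variant that honours the safety contract in TSRS below."""
    if not buf:
        return "ERROR", b""
    declared = buf[0]
    if declared > MAX_PAYLOAD:
        return "RESOURCE_EXHAUSTED", b""   # TSR-2: report exhaustion, never truncate
    if len(buf) - 1 < declared:
        return "ERROR", b""                # TSR-1: never signal OK with bad data
    return "OK", buf[1:1 + declared]

# Technical Safety Requirements derived from the three UCAs named in the abstract.
TSRS = {
    "TSR-1": "status OK implies the returned data matches the declared length",
    "TSR-2": "a payload above the caller's capacity is reported as RESOURCE_EXHAUSTED",
    "TSR-3": "a call completes within the real-time budget DEADLINE_S",
}

def check_contract(buf: bytes, status: str, data: bytes, elapsed_s: float):
    """Monitor on the feedback path: returns the ids of the TSRs violated by one call."""
    violated = []
    declared = buf[0] if buf else 0
    if status == "OK" and len(data) != declared:
        violated.append("TSR-1")
    if declared > MAX_PAYLOAD and status != "RESOURCE_EXHAUSTED":
        violated.append("TSR-2")
    if elapsed_s > DEADLINE_S:
        violated.append("TSR-3")
    return violated

def monitored_call(parser, buf: bytes):
    """Issue one control action, time it, and evaluate the contract on its feedback."""
    t0 = time.perf_counter()
    status, data = parser(buf)
    return status, data, check_contract(buf, status, data, time.perf_counter() - t0)
```

Running `monitored_call` with both parsers on a truncated frame such as `b"\x05ab"` shows the defective library violating TSR-1 while the hardened one reports an error, which is exactly the interface-level hazard the UCA describes.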

We argue that this system-theoretic framework provides a viable alternative to conventional methods of requirement elicitation. With regard to the qualification of open-source software (OSS) components, the proposed methodology allows both requirements and verification measures to be elicited for existing code bases. Since OSS components developed for non-automotive use cases typically lack formalized requirements, this enables an effective and efficient formal approach to constructing requirements appropriate for the later use of the component in safety-related systems. By taking the integrator's perspective into account from the outset, typical pain points described by SEooC integrators are at least partially alleviated, providing a more seamless way of managing the increasingly complex software ecosystem in modern software-defined vehicles.

The methodology complements traditional software verification by focusing on emergent system-level behaviors and interaction failures, thereby strengthening the SEooC's safety case against integration faults and ensuring greater robustness when deployed in complex, software-intensive automotive systems. We contrast the STPA-based analysis approach with the established FMEA and detail both the benefits and the shortcomings of moving the actual verification further towards the integrator's end. We further show that STPA should be used to augment rather than replace existing workflows that maintain ISO 26262 requirements, since the dissimilar purpose of the two safety analysis approaches would otherwise leave blind spots for general-purpose software.

Co-authors: 
  • Steffen Becker, University of Stuttgart
  • Stefan Wagner, Technical University of Munich


Short Bio:

Working with safety-critical automotive systems since 2015, with Vector's department for embedded systems since 2020, and working on the qualification of pre-existing software components as part of an extracurricular doctorate program since 2022.


Friday, September 26, 12.00 AM