Suo, D., Yako, S., Boesch, M., and Post, K., "Integrating STPA into ISO 26262 Process for Requirement Development," SAE Technical Paper 2017-01-0058, 2017, doi:10.4271/2017-01-0058.
Developing requirements for automotive electric/electronic systems is challenging, as those systems become increasingly software-intensive. Designs must account for unintended interactions among software features, combined with unforeseen environmental factors. In addition, engineers have to iteratively make architectural tradeoffs and assign responsibilities to each component in the system to accommodate new safety requirements as they are revealed. ISO 26262 is an industry standard for the functional safety of automotive electric/electronic systems. It specifies various processes and procedures for ensuring functional safety, but does not limit the methods that can be used for hazard and safety analysis. System Theoretic Process Analysis (STPA) is a new technique for hazard analysis, in the sense that hazards are caused by unsafe interactions between components (including humans) as well as component failures and faults. Otherwise stated, STPA covers the safety analysis of system malfunctions as well as the safety of the intended function (SOTIF), in addition to Functional Safety..This paper introduces a process map with a complete meta-model based on Systems Model Language (SysML) to support the integration of STPA into the functional safety process based on ISO 26262. In particular, the paper illustrates how STPA can help evaluate safety and other system-level goals with ASIL classifications from ISO26262’s recommended Hazard Analysis and Risk Assessment (HARA). The meta-model can be also used to provide guidance on making architectural decisions in order to create functional safety requirements. To make the process map applicable to different functional safety processes adopted by OEMs, tool support is required. Guidelines on how to develop visualization tools based on the meta-model are given.