Systems Theoretic Process Analysis (STPA) is a systematic approach to hazard analysis that has been used across many industrial sectors, including transportation, energy, and defense. The unstoppable trend of using Machine Learning (ML) in safety-critical systems has led to the pressing need to extend STPA to Learning-Enabled Systems (LESs). Although work has been carried out on various example LESs, without a systematic review it is unclear how effective and generalisable the extended STPA methods are, and whether further improvements can be made. To this end, we present a systematic survey of 31 papers, summarising them from five perspectives (attributes of concern, objects under study, modifications, derivatives, and processes being modelled). Furthermore, we identify room for improvement and accordingly introduce DeepSTPA, which enhances STPA in two respects that are missing from the state of the practice: (i) control loop structures are explicitly extended to identify hazards arising from the data-driven development process spanning the ML lifecycle; (ii) fine-grained functionalities are modelled at the layer-wise level of ML models to detect root causes. We demonstrate and compare DeepSTPA and STPA through a case study on an autonomous emergency braking system.