UniSTPA: A Safety Analysis Framework for End-to-End Autonomous Driving

Hongrui Kou, Zhouhang Lyu, Ziyu Wang, Cheng Wang, Yuxin Zhang

TL;DR

The paper tackles the challenge of safety analysis for modular end-to-end autonomous driving systems by introducing UniSTPA, a framework that extends System Theoretic Process Analysis (STPA) across the full development lifecycle and into the internal layers of end-to-end models. Through a highway Navigate on Autopilot case study, UniSTPA identifies hazards at multiple stages, including scene design, sensor fusion biases, and internal model flaws, and traces them to data quality, network architecture, and optimization objectives. It then derives comprehensive safety requirements and proposes a closed-loop safety monitoring and response mechanism to support continuous safety improvement from development to deployment. The work offers theoretical and practical guidance for safer development and operation of learning-based ADS, and points to integration with AI safety standards to enable regulator-aligned safety analysis.

Abstract

As autonomous driving technology continues to advance, end-to-end models have attracted considerable attention owing to their superior generalisation capability. Nevertheless, such learning-based systems entail numerous safety risks throughout development and on-road deployment, and existing safety-analysis methods struggle to identify these risks comprehensively. To address this gap, we propose the Unified System Theoretic Process Analysis (UniSTPA) framework, which extends the scope of STPA from the operational phase to the entire lifecycle of an end-to-end autonomous driving system, including information gathering, data preparation, closed-loop training, verification, and deployment. UniSTPA performs hazard analysis not only at the component level but also within the model's internal layers, thereby enabling fine-grained assessment of inter- and intra-module interactions. Using a highway Navigate on Autopilot function as a case study, UniSTPA uncovers multi-stage hazards overlooked by conventional approaches, including scene design defects, sensor fusion biases, and internal model flaws, and, through multi-level causal analysis, traces these hazards to deeper issues such as data quality, network architecture, and optimisation objectives. The analysis results are used to construct a safety monitoring and safety response mechanism that supports continuous improvement from hazard identification to system optimisation. The proposed framework thus offers both theoretical and practical guidance for the safe development and deployment of end-to-end autonomous driving systems.

Paper Structure

This paper contains 17 sections, 4 figures, and 6 tables.

Figures (4)

  • Figure 1: Traditional STPA Control Structure Applied to E2E ADS.
  • Figure 2: UniSTPA Analysis Framework for E2E ADS.
  • Figure 3: UniSTPA control loop structures applied to an end-to-end autonomous driving system. The diagram shows the stages of system development and deployment from left to right, together with the key modules involved. ‘Gray boxes’ denote functional modules of the technical system; ‘Yellow boxes’ denote human involvement (such as developers and drivers); ‘UCA’ denotes potential unsafe control actions; ‘$\rightarrow$’ denotes a control action, while ‘$\dashrightarrow$’ denotes feedback information; ‘red lines’ denote interactions between different stages; ‘black lines’ denote interactions within the same stage; ‘ICU’ denotes interface control unit; ‘ICU’ denotes vehicle control unit.
  • Figure 4: UniSTPA Control Loop with Safety Monitor and Safety Response. ‘AS Trajectory’ denotes Active-Safety Trajectory; ‘TOR’ denotes Take-Over Request.