XIONG Lu,JIA Tong,CHEN Junyi,XING Xingyu,Li Bo

DOI: https://doi.org/10.11908/j.issn.0253-374x.21570

2023-01-01

Abstract:Aimed at the dependence of hazards of the autonomous driving system（ADS） and scenarios, a method for identifying hazards of the safety of the intended functionality（SOTIF） at the vehicle level is proposed based on the finite state machine（FSM）. First, the elements constituting hazardous events are specified. Then the FSM is adopted to abstract the ADS in combination with vehicle states and the operational environment. Finally, by identifying the conflicts between vehicle states and the operational environment, hazardous events of the ADS related to the SOTIF are systematically identified, which overcomes the overdependence on expert knowledge. The proposed method is applied to identify hazardous events on an SAE L3 autonomous vehicle to verify its effectiveness. The results show that compared with the system theoretic process analysis（STPA） method, the FSM model contains more detailed and systematic environmental information and the elements constituting the hazardous events are directly provided by the FSM model, which supports systematic identification of hazardous events.

Asim Abdulkhaleq,Stefan Wagner,Daniel Lammering,Hagen Boehmert,Pierre Blueher

DOI: https://doi.org/10.48550/arXiv.1703.03657

2017-03-10

Software Engineering

Abstract:Safety has become of paramount importance in the development lifecycle of the modern automobile systems. However, the current automotive safety standard ISO 26262 does not specify clearly the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach was developed called STPA (Systems-Theoretic Process Analysis) which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessments (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system- level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.

Guangshuang Ge,Liangliang Sun,Yan Fu Li

DOI: https://doi.org/10.1109/issrew55968.2022.00087

2022-01-01

Abstract:Autonomous delivery vehicles (ADVs) are derivatives of autonomous driving technology. With the rapid development of autonomous driving technology and the rapid rise in demand for terminal logistics and distribution, ADVs have gradually entered commercial operation in many cities, thus it brings higher requirements to the reliability of ADVs. Because of bill of material (BOM) cost pressure, most autopilot sensors and domain controllers of ADVs are not strictly follow passenger vehicle standards and regulations, the ADVs' reliability is very critical. The traditional methods of process hazard analysis (PHA) e.g. HAZOPs, FMEAs, FT A, etc., use a system divide approach. The to be analyzed system is breaking down into component level, and the risks or hazard of each component are analyzed separately. The two important assumptions of the traditional methods are: 1. the system's properties are not changed when it is broken down into component level; 2. the accidents are caused by component failures. However, in an ADV, the system becomes complex since the system effects may be missed, and this assumption is questionable; further, an ADV accidents can happen even there is no component failure. The system level hazard analysis cannot be fully determined only at the component level, but out of interactions of systems. Systems Theoretic Process Analysis (STP A) is a structured system level approach to analyze hazard. Based on the premise that accidents happen when the control is inadequate or lost, STPA approach decodes hazards related not only to component failures, but also to design errors, flawed controller requirements, interaction failures, human errors, and other errors. In this paper, the STPA method is used to analyze various risks and hazards of ADVs, and finally construct an abnormality monitoring system for autonomous driving sensors. Engineering practice shows that this method can effectively monitor the abnormality of sensor data links.

Liangliang Sun,Yan-Fu Li,Enrico Zio

DOI: https://doi.org/10.1115/1.4051940

2022-01-01

Abstract:As autonomous vehicle (AV) intelligence for controllability continues to develop, involving increasingly complex and interconnected systems, the maturity level of AV technology increasingly depends on the systems reliability level, also considering the interactions among them. Hazard analysis is typically used to identify potential system risks and avoid loss of AV system functionality. Conventional hazard analysis methods are commonly used for traditional standalone systems. New hazard analysis methods have been developed that may be more suitable for AV system-of-systems complexity. However, a comprehensive comparison of hazard analysis methods for AV systems is lacking. In this study, the traditional hazard analysis methods, hazard and operability (HAZOP) and failure mode and effects analysis (FMEA), as well as the most recent methods, like functional resonance analysis method (FRAM) and system-theoretic process analysis (STPA), are considered for implementation in the automatic emergency braking system. This system is designed to avoid collisions by utilizing the surrounding sensors to detect objects on the road, warning drivers with alerts about any collision risk, and actuating automatic partial/full braking through calculated adaptive braking deceleration. The objective of this work is to evaluate the methods with the unified theory of acceptance and use of technology (UTAUT) approach, in terms of their applicability to AV technologies. The advantages of HAZOP, FMEA, FRAM, and STPA, as well as the possibility of combining them to achieve systematic risk identification in practice, are discussed.

Xiaomin Wei,Yunwei Dong,Xuelin Li,W. Eric Wong

DOI: https://doi.org/10.1016/j.jss.2017.06.018

IF: 3.5

2018-01-01

Journal of Systems and Software

Abstract:Software systems are becoming increasingly important in safety-critical areas. Designing safe software requires a significant emphasis on hazards in the early design phase of software development. In this paper, we propose a hazard analysis approach based on Architecture Analysis and Design Language (AADL). First, to make up the deficiencies of Error Model Annex (EMV2), we create Hazard Model Annex (HMA) to specify the hazard sources, hazards, hazard trigger mechanisms, and mishaps. By using HMA, a safety model can be built by annotating an architecture model with the error model and hazard model. Then, an architecture-level hazard analysis approach is proposed to automatically generate the hazard analysis table. The approach contains the model transformation from a safety model to a Deterministic Stochastic Petri Nets (DSPNs) model for calculating the occurrence probability of hazards and mishaps. In addition, we present the formal semantics for each constituent part of the safety model, define the model mapping rules, and verify the semantic preservation of the transformation. Finally, HMA is implemented to build safety models and two Eclipse plug-ins of our methodology are also implemented. A case study on a flight control software system has been employed to demonstrate the feasibility of our proposed technique. (C) 2017 Elsevier Inc. All rights reserved.

Camila Correa-Jullian,Marilia Ramos,Ali Mosleh,Jiaqi Ma

DOI: https://doi.org/10.1177/1748006x241233863

2024-02-28

Proceedings of the Institution of Mechanical Engineers Part O Journal of Risk and Reliability

Abstract:Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability, Ahead of Print. The safety of Automated Driving Systems (ADS) operating as Mobility as a Service (MaaS) depends on multiple factors in addition to the vehicle's functionality, reliability, and performance. Currently, no comprehensive approach has been formally developed to identify operational safety hazards and define the operational safety responsibilities of the key agents involved in Level 4 (L4) ADS MaaS operations. This work develops and applies a structured hazard identification methodology for this operation. The methodology leverages and complements the strengths of various hazard identification and modeling methods, including Event Sequence Diagram (ESD), Concurrent Task Analysis (CoTA), System-Theoretic Process Analysis (STPA), and Fault Tree Analysis (FTA). The methodology is applied to analyze the operation of a fleet of L4 ADS vehicle fleets without a safety driver, monitored and supervised by remote operators. The results highlight the fleet operator's role in ensuring the correct vehicle operation and preventing and mitigating incidents. The analysis demonstrates the developed methodology's strengths and suitability for operational safety analysis of complex systems' operations, considering the inherent complexity of the interactions between multiple human and machine agents.

engineering, industrial, multidisciplinary,operations research & management science

Asim Abdulkhaleq,Stefan Wagner,Nancy Leveson

DOI: https://doi.org/10.48550/arXiv.1612.03109

2016-12-09

Software Engineering

Abstract:Formal verification and testing are complementary approaches which are used in the development process to verify the functional correctness of software. However, the correctness of software cannot ensure the safe operation of safety-critical software systems. The software must be verified against its safety requirements which are identified by safety analysis, to ensure that potential hazardous causes cannot occur. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (Systems-Theoretic Processes Analysis) is a unique safety analysis approach that has been developed to identify system hazards, including the software-related hazards. This paper presents a comprehensive safety engineering approach based on STPA, including software testing and model checking approaches for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied to existing software systems, allow software and safety engineers integrate the analysis of software risks with their verification. The application of the proposed approach is illustrated with an automotive software controller.

Danjiang Zhu,Shuzhen Yao

DOI: https://doi.org/10.1109/ICSESS.2018.8663927

2018-01-01

Abstract:Hazard analysis is critical for safety assurance of smart systems which is usually controlled by software. As a novel causality model, Systems-Theoretic Accident Modeling and Processes (STAMP) has been used in various areas to obtain more causal factors during hazard analysis. However, the application of STAMP thus far is ad-hoc with no rigorous procedure to analyze the system hazards effectively, and the quality of the analysis results can't be guaranteed. Furthermore, the temporal factor as an important cause of hazards has been paid little attention in STAMP based analysis. With the purpose of overcoming these limitations, this paper presents a systematic method for hazard analysis based on STAMP. And the Hazardous Control Action Tree (HCAT) is proposed to model and analyze all the situations should be considered for hazard analysis. Also, several rules are given to guide the hazard analysis of temporal conditions in the control processes. Finally, a case study is used to illustrate the feasibility and availability of proposed method.

Shijie Zhang,Tao Tang,Jintao Liu

DOI: https://doi.org/10.3390/app11167714

2021-01-01

Applied Sciences

Abstract:The Intelligent Railway Driving Assistance System (IRDAS) is a novel kind of onboard system that relies on its own situational awareness function to ensure the safety and efficiency of train driving. In such systems, the use of situational awareness brings about a new fault-free safety problem, i.e., the safety of the intended functionality (SOTIF). It is essential to analyze the SOTIF-related hazardous factors for ensuring a safe train operation. In this paper, a hazard analysis approach is proposed to capture and evaluate SOTIF-related hazardous factors of IRDAS. This approach consists of an extended STPA-based hazardous factor identification part and a complex network-based hazardous factor evaluation part. In the first part, an extended control structure of STPA is designed for the modeling of the situational awareness process, followed by a new classification of SOTIF-related causal scenarios to assist the identification of causal scenarios. In the second part, a modeling method for heterogeneous complex networks and some customized topological indexes are proposed to evaluate the hazardous factors identified in the STPA causal analysis. The outcomes of the approach can help develop targeted hazard control strategies. The proposed approach has been applied to a new IRDAS operating in Tsuen Wan Line of Hong Kong MTR. The result shows that the approach is effective for the analysis of hazardous factors and is helpful for the formulation of hazard control strategies.

Fei Yan,Tao Tang,Hongwei Yan

DOI: https://doi.org/10.1109/icirt.2016.7588764

2016-01-01

Abstract:Beijing Metro plans to open an Automated Urban Guided Transport (AUGT) Line at the end of 2017. The line will follow GOA4 requirements according to IEC62290-2014 and IEC62267-2009. The main difference between the AUGT line and existing line is no driver or attended people on the train. The system will realize the following functions: Ensure safety movement, Driving Supervising guideway, supervising passenger transfer, Operating a train and Ensuring detection and management of emergency situations. Traditionally, HAZOP (Hazard Operability analysis) or FMEA (Failure Mode and Effect Analysis) method will be used to do the hazard analysis. But the main challenge is that most of human operation and behavior are replaced by equipment in AUGT and it is very difficult to deal with emergency condition. Finally, an operational scenario based method has been used to do hazard analysis which combined with STPA (Systems-Theoretic Process Analysis). As we know, STPA is a systematic analysis method from the view of safety control and it is good at human related error and management related analysis. In this paper, STPA has been used to compare with traditional method. The conclusions are: 1) STPA is more focusing on the safety related interaction and we can easily find the main clue by safety constraints compared to HAZOP; 2) Process Model Analysis should be done in each of scenario in order to find detail safety control measures; 3) In order to identify what could cause the unsafe control action or how control actions may not be executed properly, we also can use low layer control process model to do STPA analysis if we find it is still complex. We can regard this means as nested control process model.

Ali Nouri,Christian Berger,Fredrik Törner

DOI: https://doi.org/10.1109/SEAA60479.2023.00011

2024-03-14

Abstract:Safety analysis is used to identify hazards and build knowledge during the design phase of safety-relevant functions. This is especially true for complex AI-enabled and software intensive systems such as Autonomous Drive (AD). System-Theoretic Process Analysis (STPA) is a novel method applied in safety-related fields like defense and aerospace, which is also becoming popular in the automotive industry. However, STPA assumes prerequisites that are not fully valid in the automotive system engineering with distributed system development and multi-abstraction design levels. This would inhibit software developers from using STPA to analyze their software as part of a bigger system, resulting in a lack of traceability. This can be seen as a maintainability challenge in continuous development and deployment (DevOps). In this paper, STPA's different guidelines for the automotive industry, e.g. J31887/ISO21448/STPA handbook, are firstly compared to assess their applicability to the distributed development of complex AI-enabled systems like AD. Further, an approach to overcome the challenges of using STPA in a multi-level design context is proposed. By conducting an interview study with automotive industry experts for the development of AD, the challenges are validated and the effectiveness of the proposed approach is evaluated.

Software Engineering,Machine Learning

Fei Yan,Junqiao Ma,Mo Li,Ru Niu,Tao Tang

DOI: https://doi.org/10.1109/access.2021.3050472

IF: 3.9

2021-01-01

IEEE Access

Abstract:Accident causal scenario can describe the process logic of the accident clearly and concretely from the perspective of the control mechanism. Only by improving the quality of the causal scenario can the effective control measures be taken. Combining the technical characteristics of the fully automatic operation (FAO) system, the paper proposes an automated accident causal scenario identification method for FAO system based on the System-Theoretic Process Analysis (STPA) method. Aiming at the problem that there are too many layers in the hierarchical control structure diagram of STPA method, which makes it impossible to effectively trace the cause and the problem that the basic control structure model only contains the control structural information and lacks the cause information, a new basic control structure model is defined to model multiple control processes in time sequence, and then the paper extends it from four aspects: control action, input variables, external disturbance, and synchronous timing to add more system cause information. For the lack of a unified standard description problem for the causal scenario, a four-stage causal scenario description method is defined, this paper has developed the first timing, non-first timing, synchronous timing, and external disturbance causal scenario search rules to ensure the automatic identification of the causal scenarios. Applying the automated safety analysis method to the case study of the operational scenarios of parking in a station of Beijing Yanfang Line, the automated identification of related causal scenarios is successfully completed through the Auto-STPA platform, and corresponding safety requirements are added. The feasibility of the method and the applicability to the analysis of operational scenarios are verified.

Simon Diemert,Jens H. Weber

2023-04-02

Abstract:Self-adaptive systems are able to change their behaviour at run-time in response to changes. Self-adaptation is an important strategy for managing uncertainty that is present during the design of modern systems, such as autonomous vehicles. However, assuring the safety of self-adaptive systems remains a challenge, particularly when the adaptations have an impact on safety-critical functions. The field of safety engineering has established practices for analyzing the safety of systems. System Theoretic Process and Analysis (STPA) is a hazard analysis method that is well-suited for self-adaptive systems. This paper describes a design-time extension of STPA for self-adaptive systems. Then, it derives a reference model and analysis obligations to support the STPA activities. The method is applied to three self-adaptive systems described in the literature. The results demonstrate that STPA, when used in the manner described, is an applicable hazard analysis method for safety-critical self-adaptive systems.

Systems and Control,Software Engineering

Gerrit Bagschik,Andreas Reschka,Torben Stolte,Markus Maurer

DOI: https://doi.org/10.48550/arXiv.1804.08728

2018-04-24

Abstract:The project Automated Unmanned Protective Vehicle for Highway Hard Shoulder Road Works (aFAS) aims to develop an unmanned protective vehicle to reduce the risk of injuries due to crashes for road workers. To ensure functional safety during operation in public traffic the system shall be developed following the ISO 26262 standard. After defining the functional range in the item definition, a hazard analysis and risk assessment has to be done. The ISO 26262 standard gives hints how to process this step and demands a systematic way to identify system hazards. Best practice standards provide systematic ways for hazard identification, but lack applicability for automated vehicles due to the high variety and number of different driving situations even with a reduced functional range. This contribution proposes a new method to identify hazardous events for a system with a given functional description. The method utilizes a skill graph as a functional model of the system and an overall definition of a scene for automated vehicles to identify potential hazardous events. An adapted Hazard and Operability Analysis approach is used to identify system malfunctions. A combination of all methods results in operating scenes with potential hazardous events. These can be assessed afterwards towards their criticality. A use case example is taken from the current development phase of the project aFAS.

Systems and Control

Junyi Chen,Shan Wang,Tangrui Zhou,Lu Xiong,Xingyu Xing

DOI: https://doi.org/10.1109/iv47402.2020.9304599

2020-01-01

Abstract:Take-over process refers to the situation where drivers are required to take over control of vehicles under certain conditions, which currently lacks safety analysis. To address this problem, Systems-Theoretic Process Analysis (STPA) is extended according to ISO 21448 for the safety analysis of a take-over system, which consists of a driver and a human-machine interface (HMI). First, system-level hazards are analyzed to develop safety constraints. Then, a control structure of the take-over process is modeled to identify unsafe control actions considering human factors. Finally, causal factors of the unsafe control actions are analyzed, and safety requirements regarding HMI are put forward to guide the design of the take-over system. This method was applied to analyze the take-over system of an autonomous vehicle operating in a closed area, and corresponding safety requirements were determined. Based on the results of a questionnaire survey and a take-over test, the analysis method is proved to be applicable to improving the safety of the take-over system.

Yufeng Li,Wenqi Liu,Qi Liu,Xiangyu Zheng,Ke Sun,Chengjian Huang

DOI: https://doi.org/10.3390/s24061848

IF: 3.9

2024-03-14

Sensors

Abstract:A cyber-physical system (CPS) integrates communication and automation technologies into the operational processes of physical systems. Nowadays, as a complex CPS, an intelligent connected vehicle (ICV) may be exposed to accidental functional failures and malicious attacks. Therefore, ensuring the ICV's safety and security is crucial. Traditional safety/security analysis methods, such as failure mode and effect analysis and attack tree analysis, cannot provide a comprehensive analysis for the interactions between the system components of the ICV. In this work, we merge system-theoretic process analysis (STPA) with the concept phase of ISO 26262 and ISO/SAE 21434. We focus on the interactions between components while analyzing the safety and security of ICVs to reduce redundant efforts and inconsistencies in determining safety and security requirements. To conquer STPA's abstraction in describing causal scenarios, we improved the physical component diagram of STPA-SafeSec by adding interface elements. In addition, we proposed the loss scenario tree to describe specific scenarios that lead to unsafe/unsecure control actions. After hazard/threat analysis, a unified risk assessment process is proposed to ensure consistency in assessment criteria and to streamline the process. A case study is implemented on the autonomous emergency braking system to demonstrate the validation of the proposed method.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yi Qi,Yi Dong,Siddartha Khastgir,Paul Jennings,Xingyu Zhao,Xiaowei Huang

2023-07-17

Abstract:Systems Theoretic Process Analysis (STPA) is a systematic approach for hazard analysis that has been used across many industrial sectors including transportation, energy, and defense. The unstoppable trend of using Machine Learning (ML) in safety-critical systems has led to the pressing need of extending STPA to Learning-Enabled Systems (LESs). Although works have been carried out on various example LESs, without a systematic review, it is unclear how effective and generalisable the extended STPA methods are, and whether further improvements can be made. To this end, we present a systematic survey of 31 papers, summarising them from five perspectives (attributes of concern, objects under study, modifications, derivatives and processes being modelled). Furthermore, we identify room for improvement and accordingly introduce DeepSTPA, which enhances STPA from two aspects that are missing from the state-of-the-practice: (i) Control loop structures are explicitly extended to identify hazards from the data-driven development process spanning the ML lifecycle; (ii) Fine-grained functionalities are modelled at the layer-wise levels of ML models to detect root causes. We demonstrate and compare DeepSTPA and STPA through a case study on an autonomous emergency braking system.

Software Engineering

Lisong Wang,Qin Zhang,Jun Hu

DOI: https://doi.org/10.1186/s13634-022-00853-8

2022-04-04

EURASIP Journal on Advances in Signal Processing

Abstract:Abstract The safety of automotive Adaptive Cruise Control (ACC) system is of great significance to prevent fatigue driving, improve driving comfort, reduce accident rate and promote the development of intelligent transportation and autonomous driving technology. However, the current safety analysis of ACC lacks consideration of the temporal dynamic property, so it is necessary to establish a set of safety analysis methods to consider the temporal characteristics. This paper proposes a new safety analysis method based on MBSA framework and introduces temporal features. Altarica3.0 is a high-level modeling language for safety analysis, and its basic mathematical form is Guardian Transformation System (GTS). In this paper, we outline an analysis approach that converts failure behavioral models (GTS) to temporal fault trees (TFTs), which can be analyzed using Pandora a recent technique for introducing temporal logic to fault trees. However, like classical fault tree analysis, TFT analysis requires a lot of manual effort, which makes it time consuming and expensive. In order to improve the safety of the system, the proposal extends Bayesian Networks with Pandora and results to dependability analysis with temporal relationships to provide more reliable basis for safety design. As a typical case study, the safety analysis method proposed in this paper is applied to the safety analysis of adaptive cruise system, and the results show the effectiveness of the proposed method. Furthermore, it also provides new technologies for the automation and intelligence of safety analysis for smart internet of vehicle.

engineering, electrical & electronic

Jinghua Yu,Stefan Wagner,Feng Luo

DOI: https://doi.org/10.48550/arXiv.2006.09108

2020-06-16

Cryptography and Security

Abstract:The in-vehicle diagnostic and software update system, which supports remote diagnostic and Over-The-Air (OTA) software updates, is a critical attack goal in automobiles. Adversaries can inject malicious software into vehicles or steal sensitive information through communication channels. Therefore, security analysis, which identifies potential security issues, needs to be conducted in system design. However, existing security analyses of in-vehicle systems are threat-oriented, which start with threat identification and assess risks by brainstorming. In this paper, a system-oriented approach is proposed on the basis of the System-Theoretic Process Analysis (STPA). The proposed approach extends the original STPA from the perspective of data flows and is applicable for information-flow-based systems. Besides, we propose a general model for in-vehicle diagnostic and software update systems and use it to establish a security analysis guideline. In comparison with threat-oriented approaches, the proposed approach shifts from focusing on threats to system vulnerabilities and seems to be efficient to prevent the system from known or even unknown threats. Furthermore, as an extension of the STPA, which has been proven to be applicable to high level designs, the proposed approach can be well integrated into high-level analyses and perform co-design in different disciplines within a unified STPA framework.

Peng Jie Liu,Yong Tao Xi,Shen Ping Hu,Bing Han

DOI: https://doi.org/10.1109/ICTIS60134.2023.10243771

2023-01-01

Abstract:The development of Maritime Autonomous Surface Ships (MASS) is an important trend today, and their safe navigation requires real-time risk assessment for effective risk control. The aim of this paper is to build a framework for online risk modeling of MASS to regulate the safe navigation of MASS in real-time. The framework is based on the System-Theoretic Accident Model and Process (STAMP) to build the safety control structure of MASS, using System-Theoretic Process Analysis (STPA) to identify losses or accidents and system-level hazards, identify unsafe control actions and analyze loss scenarios; consider accidents as emergence of the system, consider the results of STPA as possible system states, construct an accident model for system state transitions, and transform it into a Fuzzy-timing Petri Net (FTPN). The trapezoidal fuzzy time interval was used to represent the uncertainty time of system state transitions, the calculation method of each element in the net was given, the temporal modeling and possibility analysis method of temporal phenomena in system state transitions using the net was discussed, and a new safety level expression was introduced to measure the risk level of the system in a specific moment and situation. The final example study shows that the real-time risk assessment feedback of the method can provide a reference for the navigation supervision and risk control of MASS.