Abstract system modeling

Abstract modeling simplifies a system’s internal complex functional logic into three functional layers: sensing, planning, and acting, along with the interlayer interactions of information and energy flow, as shown in Fig 3. This modeling approach is flexible, allowing component adjustments based on actual conditions, so we can comprehensively understand the system external interaction relationships while considering the impacts of the external environment, systems, and human operations on the system. It provides a foundation for the design and analysis of ICV systems.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Schematic of abstract system modeling.

The model depicts an object system that interacts with the environment, human operators, and safety-related systems, and is internally structured around three layers—sensing, planning, and acting—linked by information and energy flows.

https://doi.org/10.1371/journal.pone.0332050.g003

The sensing layer involves information acquisition, such as environmental perception and vehicle state monitoring, using sensors such as cameras and radars. The planning layer formulates strategies and produces information-based instructions, using hardware such as ECUs and decision-making algorithms. The acting layer executes actions through controllers and actuators. Information flow involves the exchange of data (e.g., sensing information and operating instructions) between layers, whereas energy flow refers to energy exchange between components, such as mechanical energy transmitted through transmission mechanisms and hydraulic pipelines.

In modeling external interactions, human-machine interaction, external system impact, and the effects of system output on vehicle behavior are considered. Analyzing safety-related systems, like the dependency of autonomous emergency braking on the braking system’s normal operation, is also crucial.

Specifically, let A represent the set of all possible vehicle maneuvers that the studied system can influence, such as acceleration, deceleration, or lane change. Define unsafe vehicle maneuvers as those that can cause accidents or pose a threat to the safety of passengers, other road users, and the environment. Use to represent the set of all unsafe vehicle maneuvers and to represent a specific unsafe maneuver. Therefore, the set of unsafe vehicle maneuvers can be expressed as where k denotes the total number of hazardous maneuvers. Thus, the set of unsafe vehicle maneuvers can be defined as

(1)

Safety attributes identification

Following the procedure above, we have clarified the internal functional logic and the external interaction relationships of the system. In this section, we quantify the system’s integrated safety attributes based on its internal functional logic relationships. This allows us to determine the priorities for the integrated safety risk analysis for ICVs, ensuring that the critical integrated safety elements are analyzed and evaluated first. This process is divided into four subprocesses: functional safety attribute analysis, SOTIF attribute analysis, cybersecurity attribute analysis, and fusion safety attribute evaluation.

Functional safety attribute analysis.

Based on the established abstract modeling of the research system, we analyze the specific functional elements at each level, including the sensing layer, the planning layer, and the acting layer. We define the system function set as Function_layer where . According to this Function_layer, we identify all possible failure modes and denote them by Fault_layer. Let fault_j be a failure mode of the specific function, then and . Through analysis, we establish the mapping relationship between fault_j and an unsafe vehicle maneuver:

(2)

where y^fault represents the analysis result. If the failure of a functional item fault_j directly leads to unsafe vehicle behavior, then record y^fault as 1; otherwise, it is 0. m and n represent the total number of unsafe maneuvers and failures, respectively. Based on the analysis, the functional safety matrix M_FC is expressed as follows:

(3)

where represents the Boolean calculation result of the j-th functional failure leading to the i-th unsafe maneuver. The system’s functional safety attribute value is determined based on the Frobenius norm of M_FC:

(4)

SOTIF attribute analysis.

Unlike functional safety, the SOTIF issue refers to a situation where neither software nor hardware fails but the system fails to avoid safety risks under certain triggering conditions. According to ISO 21448’s definition of insufficiency, an output insufficiency, either by itself or in combination with one or more output insufficiencies of other elements, contributes to a hazardous behavior at the vehicle level [29]. Therefore, in this text, we consider the collection of outputs as Output_layer, where . Let the output insufficiency at the layer level be Insufficiency_layer, and let the insufficiency of a specific output be insufficiency_k, then , and .

Through analysis, we establish the mapping relationship between insufficiency_k and unsafe vehicle behaviors as defined by the following function:

(5)

The results of the analysis are expressed in Boolean form. If insufficiency directly leads to unsafe vehicle behavior, then y^ins is recorded as 1; otherwise, it is 0. If there is a total of q insufficiencies, the SOTIF matrix M_SOTIF is expressed as follows:

(6)

where represents the Boolean calculation result of the k-th insufficiency and the i-th unsafe maneuver. The SOTIF attribute value is determined based on the Frobenius norm M_sotif, calculated using the following formula:

(7)

Cybersecurity attribute analysis.

First, analyze the internal interactions of the system. If there is only energy flow without information interaction, cybersecurity attribute analysis is not required, and the cybersecurity attribute value . Otherwise, all information flows existing between the system layers should be identified and defined as Inf. For each information flow, define inf_flow,l, . The threat-based method in cybersecurity field can be applied to identify potential cyber threats, denoted as cs_threat,u. A cyber threat set CS_threat that includes all identified cyber threats is constructed, so , and .

Subsequently, we analyze the cybersecurity attributes of the information flow that can be compromised in network threat scenarios, establishing a mapping relationship between each type of threat, the information flow, and functional failures or insufficiencies.

The mapping relationship can be expressed as:

(8)

where , Z represents the set of mapped functional failures or output insufficiencies. For example, if a spoofed controller area network (CAN) message is sent to the brake’s ECU, it may result in a functional failure of the braking system. If , substitute it into Eq (2) to calculate the Boolean result. Otherwise, if , substitute it into Eq (5). The calculation results are shown in Eq (9).

(9)

Similarly, based on the calculation results, the cybersecurity matrix M_CS is expressed as follows:

(10)

Here represents the Boolean calculation result of the l th information flow and the i th unsafe maneuver. p represents the total number of information flows in a system.

The system’s cybersecurity attribute value is determined based on the Frobenius norm of M_CS, calculated using the following formula:

(11)

Fusion safety attribute evaluation.

By analyzing the system functional safety, SOTIF, and cybersecurity attributes of the system, we obtain the functional safety analysis matrix M_FC and its safety attribute value , the SOTIF matrix M_SOTIF and its safety attribute value , and the cybersecurity analysis matrix M_CS and its safety attribute value . These three safety matrices are then combined to obtain the final fusion safety attribute analysis matrix:

(12)

The fusion safety attribute value is calculated based on Eq (12) by

(13)

with

(14)

Here, the fusion factor λ serves as a domain interaction indicator that scales the overall fusion safety value , capturing the compounded effect of multi-domain safety issues. It increases as more safety domains—functional safety, SOTIF, and cybersecurity—simultaneously contribute to the overall risk. Specifically, λ equals 0 when only one domain is involved, 1 when two domains contribute, and 2 when all three domains are active. This formulation reflects the escalating complexity and integration challenges associated with cross-domain safety interactions.

Evaluation of unsafe maneuver triggering coefficients

From the fusion safety risk analysis matrix M_FS obtained above, we map functional failures, performance insufficiencies, and cyber threats to unsafe vehicle behaviors. At the level of unsafe maneuvers, we conduct a comprehensive analysis of the impacts of these three safety issues. In other words, unsafe vehicle behaviors result from the compounded state of functional safety, SOTIF, and cybersecurity issues.

In this step, we calculate the triggering risk coefficients for the three safety issues and derive the integrated safety risk triggering coefficient. When assessing the risk of unsafe vehicle behaviors triggered by functional safety issues, we evaluate each functional item layer by layer. By analyzing statistical data and calculating the failure rate of each functional element of the system, we denote the failure rate of the j -th functional element as p_FC,j.

To better handle the failure rates of the system components that may vary significantly and span multiple orders of magnitude, we logarithmically transform the failure rates and compress these differences into a more manageable range. We construct the functional safety risk triggering coefficient vector for the entire system as follows:

(15)

where is the evaluation adjustment coefficient. Since the logarithmic function produces negative values when handling numbers less than 1, the positive constant b is added to ensure positive results, facilitating subsequent processing.

When assessing the risk of unsafe vehicle behaviors triggered by SOTIF issues, it is necessary to evaluate each output item layer by layer, analyze the triggering conditions that cause output insufficiencies, and determine the probability that each triggering condition will lead to a system performance insufficiency. For the k-th insufficiency, the overall triggering probability is calculated, denoted p_SOTIF,j, which directly results from the occurrence rate of the triggering conditions that can activate the functional insufficiencies leading to hazardous maneuvers [29]. Similarly, the vector of the SOTIF risk triggering coefficient for the entire system is constructed as follows:

(16)

When assessing the risk of unsafe vehicle behaviors triggered by cybersecurity issues, we evaluate each information flow inf_flow,l by analyzing the feasibility of cyberattacks to obtain the system vulnerability assessment score . The assessment of system vulnerability refers to the methods suggested by ISO 21434. Using these scores, we construct the vector of the cybersecurity risk triggering coefficient for the entire system as follows:

(17)

We believe that functional failures and performance insufficiencies are inherent system properties that lead to unsafe vehicle behaviors, while system vulnerabilities to threats stem from external sources. Therefore, when calculating the trigger coefficient for unsafe behaviors, the vulnerability of the system is considered a multiplicative factor based on the original foundation of the system. With the triggering coefficient vectors obtained from the analysis above, we calculate the composite triggering coefficient for unsafe maneuvers, which results from multiple overlapping safety problems. The triggering coefficient for the i-th unsafe maneuver is calculated by

(18)

The triggering coefficient vector for the system overall unsafe vehicle behaviors is:

(19)

where m represents the total number of triggering coefficients for unsafe maneuvers.

Exposure analysis of potential hazardous scenario

The ISO 21434 and ISO 21448 standards emphasize that safety analysis involves calculating the exposure by assessing potential hazardous scenarios that could result in hazardous events. For example, if an ICV incorrectly identifies a bridge ahead as an obstacle and performs unexpected braking, a collision accident will only occur if another vehicle follows it. This means that danger typically only causes harm in specific scenarios. Therefore, for each unsafe maneuver, it is necessary to consider its associated hazardous scenarios to complete the exposure rate analysis, denoted as e_i,t. Here, i represents the corresponding unsafe maneuver and t represents the hazardous scenario associated with that unsafe maneuver.

ISO 26262-3 provides an exposure evaluation method that estimates the exposure rate of potentially hazardous scenarios in two ways. The first is based on the duration of a specific hazardous scenario, and the second is based on the probability of encountering a hazardous scenario. For example, the exposure rate can be estimated using the average time that a vehicle passes through an intersection on the road. It can also be estimated using the frequency with which the vehicle passes through the same road intersection. The exposure, based on a representative sample of operating scenarios in the target market, can be categorized into four levels, from E1 to E4, according to the two estimation approaches mentioned above. It is important to note that if driving conditions allow the use of both exposure rate evaluation approaches but yield different results, a detailed analysis is required to select the more appropriate approach.

Controllability analysis

Controllability serves as an indicator to evaluate the capability to manage risks within identified hazardous scenarios. According to the definition in ISO 26262, a higher controllability assessment value indicates poorer risk manageability. However, this standard predominantly considers human intervention-based risk control capabilities, overlooking the inherent risk control capabilities that advanced autonomous driving systems should possess. In addition, considerations regarding human factors tend to neglect the impact of human error. Therefore, within the framework proposed in this paper, we extend the traditional notion of controllability beyond human intervention alone to encompass the inherent risk control capabilities of the system. Rating scores and their criterion are listed in detail [5,7]. Furthermore, when assessing controllability regarding human and system aspects, it is crucial to account for the influence of human misuse and analyze how other associated systems affect the system under study.

In the framework proposed in this article, the modified controllability is adjusted using the controllability gain factor and the gain factor for human misuse . In addition, a scoring-based quantitative evaluation method is introduced to calculate these factors. It should be noted that when applying this framework for integrated safety analysis, other reasonable methods can also be employed to assess human misuse and the impacts of related systems.

To assess , the analysis focuses on the relationships between the target system and other safety-related systems. It involves identifying categories of system interdependencies, including supportive, redundant, and protective relationships. Supportive relationships denote the instances where the safety functions of the target system rely on basic functionalities of other systems, such as AEB depending on the normal operation of the braking system. Redundant relationships refer to backup systems beyond the inherent redundancy of the target system, which can improve reliability in the event of safety risks. Protective relationships involve additional safety systems beyond the inherent protective capabilities of the target system, such as a “safety copilot system”.

Based on the analysis of the interdependencies of safety functions between systems, the system controllability gain factor is obtained as

(20)

To assess the human misuse gain factor , one needs to analyze the types of interactions between the human driver and the system, categorizing them into information and action types. Information types generally include visual alert messages and auditory reminders, while action types involve actions such as taking control of the steering wheel or pressing the brake pedal. Specifically, the Interaction Information factor () is intended to reflect the interface usability and driver cognitive load—a higher score indicates that the interface is harder to interpret or more mentally demanding to process. Meanwhile, the Interaction Operation factor () captures the complexity and physical demand of the required driver response, which is closely related to user response time and action execution difficulty. Together, these two components allow the framework to quantify the human-system interaction burden in a structured way, and provide a foundation for extending controllability analysis in increasingly automated driving environments. is then calculated based on these two factors, as given in Eq (21).

(21)

The assessment scores for the system interdependency impact factors and human misuse are detailed in Table 1.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Impact assessment scores for system interdependency and human misuse. This table outlines the evaluation criteria for assessing system interdependency, focusing on the aspects of support, redundancy, and protection, as well as human misuse, which is analyzed through interaction information and operation.

https://doi.org/10.1371/journal.pone.0332050.t001

The modified controllability is calculated by

(22)

where i denotes the i-th unsafe maneuver, and t denotes the t-th scenario associated with the i-th unsafe maneuver.

Severity analysis

The severity of potential harm shall be estimated based on a defined rationale for each hazardous event. Referring to the severity classes in ISO 26262-3, abbreviated injury scale (AIS) classification is employed to categorize injury severity levels denoted by s_i,t, ranging from S0 to S3.

Calculation of fusion safety risk and contribution factor

Based on the unsafe triggering coefficient, exposure, controllability, and severity, the fusion safety value for different safety behaviors is calculated by

(23)

where F_FS is the triggering coefficient vector, e_i,t represents controllability in the t-th hazardous scenario, c_i,t denotes the exposure in the t-th hazardous scenario, and s_i,t signifies the severity in the t-th hazardous scenario.

The total fusion safety risk value is calculated as:

(24)

By employing the partial differentiation chain rule for backtracing, the safety risk contribution factor (RCF) for each factor is computed to identify the factor that has the most substantial impact on the fusion safety risk value. The RCF indicates how each factor influences the output, thereby prioritizing directions for improvement. The calculation formula is as follows:

(25)

(26)

It is worth noting that since we consider threats as external stimuli and map them to corresponding functional failures or performance insufficiencies, the calculations for each factor above already include the impact of information threats. Consequently, to demonstrate the influence of cyberattacks on the contribution factor, we adopt an alternative calculation method. In the overall safety risk value, we differentiate between the safety risks not influenced by network threats and those influenced by network threats. Though assessing the risk contribution of cybersecurity, here we calculate the contribution of a specific network threat to precisely identify threat scenarios and effectively enhance the system’s resilience:

(27)

Abstract system modeling

First, the ACC system architecture is further abstracted and modeled [22], which is divided into the sensing, planning, and acting layers. The sensing layer recognizes the targets ahead of the vehicle, gathers vehicle status, and transmits these results to the planning layer. To determine the status of the vehicle, it is essential to gather data on the brake pedal condition as well as the vehicle’s speed. The planning layer primarily verifies the system’s status and decides whether to maintain the set speed, decelerate, or restore to the set speed based on the target status collected by the sensing layer. The planning layer controls the brake system and power system separately according to the instructions from the planning layer.

The hypothetical ACC external associated systems comprise the central gateway, the power system, and the brake system. The ACC functions by transmitting operational signals to the central gateway, which redirects them to designated ECUs for vehicle behavior control. The central gateway, brake system, and power system are considered dependent subsystems in the ACC system, crucial for the proper functioning of ACC operations. The ACC system discussed adjusts vehicle speed and adapts to road conditions automatically based on set parameters, maintaining safe distances from preceding vehicles or other traffic participants. Fig 4 depicts the abstract model. This system manages only the longitudinal movement of the vehicle. Therefore, according to Eq (1), unsafe maneuvers arising from this system are expressed by , where a_hazardous,1, a_hazardous,2, and a_hazardous,3 denote the unintended acceleration, unintended deceleration, and unintended speed maintenance, respectively.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Schematic of abstract modeling in the case study.

Based on the abstract system modeling, the figure illustrates the architecture of an adaptive cruise control (ACC) system, including sensing, planning, and acting layers, and their interactions with the driver, environment, and vehicle systems.

https://doi.org/10.1371/journal.pone.0332050.g004

Fusion safety attribute identification

To provide a more intuitive representation of the analysis process, we select several key functions of the ACC for step-by-step analysis, rather than analyzing all function failures.

Functional safety attribute.

In this context, we utilize the HAZOP analysis method and apply a guide word-driven strategy to examine functional failure modes within various layers. Here, we focus on typical failure modes of the planning and acting layers.

At the planning level, a set of failure modes is expressed through the HAZOP process as , where fault₁ means “No activation of the ACC when the ON signal is received”, and fault₂ represents “No deactivation of the ACC when the OFF signal is receive”. For the acting layer, , where fault₃ means “More acceleration after the default speed is reached”, and fault₄ represents “Less acceleration than necessary to reach the default speed”. To identify the functional relationship expressed in Eq (2), we employ an expert method to determine the connections between functional failures and unsafe vehicle maneuvers, establishing their mapping relationship as shown in S1 Table (a). It is worth noting that the relationship expressed in Eq (2) can also be derived using other methods, such as a data-driven approach [25].

Thus, according to Eq (3), all analysis results are ultimately compiled into a functional safety analysis matrix:

According to Eq (4), the functional safety attribute value is obtained as .

SOTIF attribute.

Based on the structure of the system abstract model, we analyze its performance insufficiency. In this step, we focus on the typical performance deficiencies in the sensing layer: , where insufficiency₁ represents the image resolution limitation affecting distance estimation, insufficiency₂ represents the poor image rendering under low light conditions, and insufficiency₃ represents the misclassification of unexpected/untrained classes.

To identify the mapping relationship described in Eq (5), the mapping between system performance deficiencies and unsafe maneuvers is established through the system’s operational design domain (ODD) boundaries, as shown in in S1 Table (b).

Thus, according to Eq (6), all analysis results are ultimately compiled into a functional safety analysis matrix:

According to Eq (7), the SOTIF attribute value is obtained as .

Cybersecurity attribute.

Based on the system abstract modeling, a data flow diagram (DFD) [2] is constructed to clarify the information flow process within the system and the information it carries [2]. To demonstrate the analysis process, we only select the “ego speed” information flow for analysis.

To analyze the categories of information threats faced by information flows, Hernan et al. introduced the STRIDE threat model, developed and used by Microsoft in its Security Development Lifecycle (SDL) [23]. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, representing categories of threats that violate security attributes. By employing the STRIDE framework [26], we identify the categories of cybersecurity attribute violations for information flows. Additionally, using the security guide-word method (SGM) [24], we analyze the connections between threats and failures. More specifically, by identifying hazards through attribute violations and determining triggering causes using security guide-words, we systematically examine the affected components and entry points, identify compromised functionality, and establish the relationship between information attacks and functional faults.

To highlight the main analysis thread in this analysis step, we only analyze the mapping of certain network threats to the functional failures mentioned in the previous steps. The functional relationship between information flows and unsafe maneuvers described in Eq (8) is represented in S1 Table (c).

Thus, according to Eq (10), the cybersecurity matrix is given by

According to Eq (11), the cybersecurity attribute value is . In conclusion, we obtain the final analysis results. According to Eq (12), we have

According to Eqs (13) and (14), λ and are calculated as follows:

Evaluation of triggering coefficient for unsafe maneuvers

Based on the analysis presented in S1 Tables illustrates a summary of the connection between unsafe maneuvers and their triggering causes.

Since obtaining reliable failure rates and the probability of system performance degradation due to triggering conditions involves sensitive design-stage data, which is difficult to access, we have estimated these values using available methods, as this is not the primary focus of the paper. The fault rates are estimated using the method proposed by Wang et al. [18], as follows: the fault₁ rate is , the fault₂ rate is , the fault₃ rate is , and the fault₄ rate is . The occurrence rates of the triggering conditions that activate insufficiencies, based on the method outlined in [29], are , , and , respectively.

Software such as TMTe4PT can be used to evaluate the feasibility of network threats based on established threat rules, using the Common Vulnerability Scoring System (CVSS) method [12]. The assessment metrics include the attack vector (AV), attack complexity (AC), privileges required (PR), and user interaction (UI). Thus, the results of the vulnerability evaluation are as follows: 1.23 for and 2.28 for .

Thus, from the equations above, we obtain the vector of the functional safety risk trigger coefficient, the vector of the SOTIF risk trigger coefficient, and the vector of the cybersecurity risk trigger coefficient. Here, b is set to 10. According to Eqs (15), (16), and (17), the risk triggering coefficient vectors are calculated, respectively, as follows:

According to Eq (18), the triggering factor for unsafe maneuvers is:

Exposure controllability and severity analysis

Due to space limitations, each type of unsafe maneuver analyzed above is associated with a corresponding potentially hazardous scenario. For each scenario, the exposure and severity are determined.

The potential hazardous scenario associated with unsafe acceleration behavior is derived from real-world driving scenarios outlined by the National Highway Traffic Safety Administration (NHTSA) [21], which specifically assesses the performance and safety of the ACC system. The specific scenario for unsafe acceleration is as follows: On curves and exit ramps, with a vehicle ahead, under normal weather conditions. According to this description, the exposure rate for this scenario is E3, and the severity is S3. For unsafe deceleration and unsafe speed maintenance behaviors, potential hazardous scenarios are described in the functional safety analysis of the ACC system using STPA by Xia et al. [20]:

• The potential hazardous scenario for unsafe deceleration behavior is as follows: There is a vehicle behind, on the highway, under normal weather conditions. The exposure rate for this scenario is E4, and the severity is S3.
• The potential hazardous scenario for unsafe speed maintenance behavior is as follows. The vehicle is traveling normally, closely following the vehicle ahead, on the highway, under normal weather conditions. The exposure rate for this scenario is E4, and the severity is also S3.

Based on the previous analysis of system interdependencies, the normal operation of the ACC system relies on the basic functionalities of the central gateway, power system, and brake system, categorizing it as having a highly supportive relationship. Therefore, according to Eq (20), =1.47. Given that the ACC system provides clear and concise prompts and requires simple human actions, the human misuse factor can be derived according to Eq (21) as = 1.

Based on the analysis of the above hazardous scenarios, the adjusted controllability for different scenarios is calculated according to Eq (22). In the unsafe deceleration scenario, we assume that the system can control risks by downgrading to a safe mode; hence c_1,1 = 2.94. In the scenario of unsafe acceleration, we assume that the system can enter an emergency mode and operate normally, thus c^sys = 1 and c_2,1 = 1.47. In the scenario of unsafe speed maintenance behavior, human intervention is a must for the vehicle system, but more than 99% ordinary drivers can avoid harm, resulting in c^sys = 3, c^D = 2 and c_3,1 = 6.41.

Fusion safety risk and contribution factor calculation

Based on the analysis results above, the final evaluation for each unsafe maneuver is carried out according to Eq (23), obtaining the following risk values:

According to Eq (24), the fusion safety risk value is calculated as risk_FS = 588.34.

Subsequently, we calculate the contribution of each safety-related factor according to Eqs (25) and (26):

According to Eq (27), the contributions of cyber-threats to the safety risk are calculated as

As illustrated in Fig 5b, cybersecurity issues account for a significant contribution to the total risk. Within these threats, the most severe threat to the safety of system fusion arises from cs_threat,2, which involves tampering with the ego speed data transmitted from the powertrain gateway to the engine controller. Consequently, it is vital to strengthen the detection and protection measures for this data stream and its associated information assets.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. The Over View of Mapping and Risk Contribution Factor.

(a) The Sankey diagram maps unsafe maneuvers to their causes, with arrows showing how specific faults, insufficiencies, and cyber threats lead to unsafe maneuvers outcomes. (b) This Radial Bar chart shows the risk contributions of faults, insufficiencies, and cyber threats, with segment sizes reflecting their impact on overall risk.

https://doi.org/10.1371/journal.pone.0332050.g005

Among the safety-related factors, the leading contributor to fusion safety risk is insufficiency1, identified as the “Image resolution limitation affecting distance estimation.” This problem results in the most significant combined scores for exposure rate, controllability, and severity of hazardous scenarios, highlighting the need to prioritize its performance improvement in the ACC system within this study. In terms of functional safety, Fault1 holds the highest contribution to fusion safety risk due to its description as “No activation of the ACC when the ON signal is received.” This indicates that Fault1 has the highest risk impact value, necessitating its focus for the enhancement of functional safety design. Since the primary aim of this case study is to validate the framework rather than to produce precise risk metrics, it should be noted that the failure rates, performance insufficiency frequencies, and cybersecurity vulnerability scores in this case study are drawn from published literature without empirical calibration. While suitable for demonstrating the methodological feasibility, they may introduce uncertainty in absolute risk values.

In conclusion, the analysis highlights two key insights in this case study: first, the overall fusion risk value indicates that relying solely on a single safety or security analysis during the design phase is inadequate to address all potential risks, thus requiring a thorough fusion safety evaluation. Moreover, the contributing factors identify Fault1 and cs_threat,2 within the safety and security domains, which need enhancement to promptly and effectively reduce the overall risk value. Additionally, when dealing with various systems, the fusion risk value serves as a beneficial benchmark for assessing the fusion risk of different systems, aiding in the identification of the crucial system.