STPA-Based Analysis of the Process Involved in Enforcing Road Safety in Austria

: The European Commission pursues a strategic action plan using the “Safe System” approach. The function, layout and design of roads shall be coordinated in such a way that human error is compensated, and possible accidents no longer cause fatalities or serious injuries. Four ﬁelds of action are deﬁned: people, vehicles, roads and laws. This study aims to model the process involved in road safety management in Austria based on the System-Theoretic Process Analysis (STPA) and to identify areas of improvement that also meet these goals. This is intended to create the basis for a method that can also be applied in practice to meet the “Safe System” approach. The trafﬁc authorities or road owners are responsible for monitoring and enforcing road safety in Austria. Their main instrument is the Road Safety Inspection (RSI) that focuses primarily on road trafﬁc planning aspects. This study proposes a method for including human-road-vehicle interactions in RSI. The STPA-based analysis showed how the road safety management and RSI can be improved to provide more comprehensive, accurate and relevant information about hazards at various levels of the safety management structure. The results can be used for improving the safety of all road users.


Introduction
A system-based approach to the safety management of road infrastructure is promoted by the European Parliament and the Council in its Directive 2008/96/EC of 19 November 2008 [1] that individual member states are responsible for implementation. The Directive applies to roads of the entire Trans-European Transport Network (TEN-T) and includes the following technical tools: Road Safety Impact Assessment (RIA), Road Safety Inspection (RSI), Road Safety Analysis and Black Spot Management. In order to ensure the implementation of the directive in Austria, the Austrian Federal Roads Act (BStG) [2] was amended accordingly in 2011 [3].
The Directive 2008/96 provides a framework, but the methodological details of applying a systems approach are open. A systemic approach as proposed in this study is expected to enlarge the focus of road safety management. Beyond the road and the road equipment, geometry and installations that are usually inspected for deficiencies, the system boundaries are enlarged in this study to include interactions between the road, drivers and vehicles. With "Vision Zero" the European Commission aims at reducing the number of fatalities and serious injuries to a minimum in the four areas: people, vehicles, roads and law. Human error should be compensated by applying the "Safe System" approach to road engineering in terms of function, design and layout of roads. This shall be applied to all primary roads through revision of the Road Infrastructure Safety Management Directive [4].
In Austria, an RSI [5] is conducted only on Non-TEN-T-roads. The road authorities and road owners commission an RSI only in case of repetitive similar accidents. This study also aims to show how additional information and feedback, and the RSI implementation on all types of roads as well as enlarging the system boundaries, can improve the Austrian road safety management.
The RSI is designed to ensure the safe operation of public transport roads and shall be applied in accordance with the laws. The RSI in Austria applies the RVS 02.02.34 [5] to public traffic roads within the meaning of the road traffic regulations (StVO) [6]. The RSI is prescribed as mandatory for motorways and expressways ( § 5 BStG) [2], while on all other roads, the road owner has the responsibility for inspection. An RSI is a standardized test procedure to detect safety deficiencies and potential hazards. It has to be commissioned in case of multiple similar accidents on a 250 m road section over a period of at least three years. RVS 02.02.21 [7] and RVS 02.02.32 [6,8]. In addition, on the TEN-T roads applies the Federal Roads Act [2].
This study proposes three areas (pillars) for improving the management of road safety.
1. Pillar 1: An extension of the RSI's application to the Non-TEN-T-roads. 2.
Pillar 2: An extension of system boundaries to include besides the road, also the vehicle and the human in an interdisciplinary approach. 3. Pillar 3: A systems-theoretical process approach to road safety management.
The reason for proposing these three pillars is explained in more detail below.

Pillar 1: Extension of the RSI's Application to the Non-TEN-T-Roads
Currently applied on TEN-T roads, the application of RSI shall be extended to include also the Non-TEN-T-roads. It has been shown in the accident statistic of Austria in the last years [9], as well as by Sitran et al. [10] that most accidents occur on Non-TEN-T roads. Therefore, an improvement of road safety by inspection and implementing mitigations is necessary. When looking at the entire Austrian road network with a length of 137.040 km, only 2% are motorways and expressways (high-level road network). The Austrian accident statistics also show that only 6.3% of all accidents in Austria in 2018 (n = 36.846) occurred on the high-level road network, whereas around 93.7% of all accidents in 2018 occurred on Non-TEN-T roads [9]. This study examines the process of RSI with application to the high-level road network and focuses on the possibilities of application on state and federal roads subsequently.
RSI is an essential input to improve road safety. In Austria, a RSI is only ordered when a black spot or other occurrences are detected. The RSI shall detect hazards and propose mitigations, in addition to road maintenance and controls of the road maintenance staff that are carried out at regular intervals. Furthermore, the RSI could be used with a broader scope for detecting various other sources of hazards. Ambros et al. [11] compares the traditional reactive approach to detecting black spots with proactive approaches that identify both accidents that have already occurred and potential accident sites and critical locations (Bayesian method, accident prediction model) and the likewise proactive inspection of road safety to identify danger spots. Ambros et al. [11] conclude that a proactive safety management could be more suitable for identifying dangerous spots on rural roads with low traffic volume and single accidents as compared to the reactive, black spot approach. The findings of Ambros et al. [11] are relevant for the concept of RSI in Austria that is considered to be both a reactive and proactive method. Even though RSI is not commissioned proactively, it can identify any additional road deficiencies, in addition to the (reactive) inspection of black spots.

Pillar 2: The Interdisciplinary Approach to Road Safety
The extension of system boundaries (second pillar) on an interdisciplinary basis proposed here is considered necessary given the gaps highlighted by current safety reports. According to the Federal Ministry of the Interior [12] carelessness and distraction as well as failure to adapt driving speeds, priority violations and misconduct of pedestrians are the most frequent causes which led to accidents. Other probable main causes of accidents are overtaking, disregard of traffic warnings and prohibitions together with fatigue and failure to keep safety distances. Thus, the human factors as the cause of the accident clearly stand in the foreground of the statistical studies. An improvement would be to consider the human-road-vehicle interaction as a whole. Beyond the human factor that is often confounded with "human error", interactions with both the vehicle itself and the road contribute to accidents. Thus, for taking into account these interactions expertise in human factors and vehicle dynamics is required.
For example,Čičković [13] has examined the gestalt-psychological tools of the spatial road alignment and shows the effects of human behavior on driving and their effects on design guidelines should be implemented. The imperfections of spatial road alignment have an influence on the decision-making process [13]. Molan and Molan [14] also confirmed the importance of paying close attention to the driver and to consider improving driver's perception, recognition and responsiveness in order to improve traffic safety. It is important to consider the psychological and physiological features of the drivers' perception to the road environment, which is also proposed by Batrakova and Gredasova [15]. Identifying elements of the road environment, which most affect the functional state of the driver, is necessary for defining preventive measures and improve traffic safety. This can be integrated in the RSI that is used to determinate hazards and propose preventive measures. In Austria, an RSI addresses road safety in terms of perception testing of the existing road section according to the basic quality assurance principles in order to mitigate existing accident hazards and accident risks [5]. Jagtman et al. [16] used HAZOP (hazard and operability analysis) for an interdisciplinary approach to road safety. In addition, they extended the analysis to include expectations of the road users. This methodology for analyzing traffic safety was found to be effective. Beyond perception and expectation, road users' and vehicles' capability to react in a given time and space need to be considered. Information should be available to the inspector regarding the RSI process, which forms the broadest possible basis for the decision-making process. Examples for implementing human factors in the process of road safety management are shown in the "Human Factors Guidelines for Road Systems" published by the Transportation Research Board in the United States [17]. Basic methods to consider capabilities and needs of road users could find practical application in RSI. In the context of an RSI, it is important to consider the perception reaction time of different drivers, for example, when determining sight distance. Nevertheless, an improvement for RSI would be to address various factors that influence the perception reaction times such as low contrast, visual glare, road user s age, object size/height, driver expectations, to visual complexity and driver experience/familiarity. In contrast, maneuvering time is seen primarily as being dependent on the type of vehicle, vehicle performance, as well as the road surface [17]. Including differences between powered two-wheelers, cars and trucks could improve the RSI. How individual inspectors adapt their inspection to the level of knowledge and experience has already been investigated by Woodcock [18] and a corresponding model was developed, which can also be used to empirically observe inspection decisions.
Yannis et al. [19] showed that it will be essential in the future to collect data in an interdisciplinary manner to improve road safety, with an accident prediction model, as a scientifically sound basis for the evaluation and detection problematic road segments. However, the quality of accident prediction and corresponding models are ultimately dependent on the data available. This brings us back to the problem of data generation. In order to improve and form the basis of data-driven safety management of the road traffic system it is important to generate data as interdisciplinary as possible. An integrated road safety research should be fostered, and an in-depth understanding of the limitations of various road users should be taken into account [20].

Pillar 3: Systems Approach to the Road Safety Management
Safety is seen by Leveson [21] as a system property that emerges from interactions among system components. Communication and control are necessary to control the interactions among components at different hierarchical levels [21]. Leveson [21] also states that human error is a symptom of poor system design. Thus, the identification of human error should be a new beginning and not the end of an investigation. Hierarchical structures are practical for analyzing risk management [22].
Agarwal et al. [23] showed that the development of a hierarchical structure is qualified for identifying critical factors of maintenance components that influence road safety. Road maintenance is generally limited to improving the poor surface and other conditions such as inappropriate geometric course, or an inappropriate state of the road infrastructure. A number of other safety relevant conditions that are indispensable for the creation of a safe road and are neglected, could be identified using a control structure. The effectiveness of road safety management could be improved, and resources could be better used, given that large resources are needed in order to keep the road network in a safe working condition.
Rasmussen [22] already considered risk management by interdisciplinary studies and as a control problem and modelled a control structure for each particular hazard category at all levels of society.
In principle, many different departments and/or subdivisions are integrated in the road traffic system, thus the model of socio-technical control can be applied to various system components, and in particular with focus on performance and variability of road users [24]. All these approaches could be further integrated in road safety and used to improve it.
An innovative, inclusive strategy and systems-thinking are expected to support road design and operation [25]. It is also suggested that systems theory and a system approach should be thoroughly applied in road safety research and in practice at all levels, particularly the system as a whole and at strategic levels [26]. Furthermore, Salmon et al. [27] applied a STAMP (Systems-Theoretical Accident Modell and Process [21]) to develop a control structure of the road system. Salmon et al. [27] concluded that STAMP was a powerful tool that can be used to improve traffic safety. The composition of road systems and the influence of higher-level actors and organizations on the behavior of key players such as road users and road planners should be taken into account. The systems-theoretical approach has been also applied to the analysis of accidents in road freight transport [28]. Kazaras [29] used STAMP to investigate road tunnel safety and showed that STAMP has the potential to identify critical aspects at both technical and organizational levels by taking into account feedback relationships [21,30].
The chosen approach of RSI is already a step in the right direction of sustainably improving traffic safety. Nevertheless, further improvement potential exists. According to the previously described results of Larsson et al. [24]. These improvements are found in an interdisciplinary approach, as well as in an improvement at the strategic level [26] and by considering the adaptation of the system over time [29]. The role of both the technical and the organizational factors was addressed by Kazaras et al. [29]. An earlier version of STPA has been partly applied to modelling the control structure of actors and organization of the road transport system, including controls and feedback loops [27].
STPA is being used in various domains such as aviation [31][32][33], medicine [34], software safety [35] and construction [36]. Table 1 lists a number of STPA applications to vehicle and automotive safety and STAMP applications to road safety research relevant to this study. Traditionally, improvements in road safety are addressed at the physical level rather than the management level. Due to the increasingly complex road-vehicle-driver system, the individual road users are not able anymore to control all risks around them. In such cases, the sociotechnical systems approach to safety proposed by Leveson [37] envisions that higher level controllers-in our case authorities and road owners-control the behavior of the system through various forms of oversight. Table 1. STPA in vehicle/automotive safety and STAMP applications to road safety.

Area of Research Reference
STPA applied to vehicle/automotive safety Integration of STPA into Failure Mode and Effect Analysis (FMEA) template to form a new method called "system theoretic process analysis based on an FMEA template (STPAFT)" that is applied to road vehicle functional safety Chen et al. [38] Integration of STPA into the functional safety process for requirement development based on ISO 26262 Suo et al. [39] Application of STPA to an automotive shift-by-wire system Sundaram and Vernacchia [40] Application of STPA to a lane keeping assistance system Mahajan et al. [41] Application of STPA to engineer operational safety of the fully automated driving vehicle architecture Abdulkhaleq et al. [42] Application of STPA to the Adaptive Cruise Control (ACC) system Abdulkhaleq and Stefan [43] Application of STPA to engineering safety of an automotive software controller Abdulkhaleq et al. [44] STPA applied to an unmanned protective vehicle concept Bagschik et al. [45] Application of STPA to investigate the influence of the highway pilot system on road safety Integration of STAMP and Causal Analysis based on STAMP (CAST) into a new method for the accident analysis of crashes involving automated driving called CASCAD Alvarez Gomez [46] STAMPapplied to road safety Integration of STAMP/STPA and model checking to analyze fallen barrier trap at railroad crossing Yang et al. [47] STAMP modelling of the hierarchical control structure involved in the road safety management of Bangladesh Hanim et al. [48] Verification of the control structure analysis method, specified by STAMP, by applying an adapted two-stage Delphi approach. Mapping the control structure of the road transport system in Cambridgeshire Staton et al. [49] Due to the fact that road safety and RSI s apply to a complex system, STAMP and STPA [21,50] have a great potential for enabling a more comprehensive and inclusive analysis. STPA is based on STAMP and can be used to predict losses and occurrences before they occur, by pure analysis of the system. Since STPA considers causal scenarios, human factors, hardware, software and environmental-related factors, it can be applied for providing a single comprehensive analysis of road safety investigation and RSI. The extension of the system limits proposed by the pillars 1 and 2, and the application of the STPA [21] to model the process of road safety management as well as the classical RSI [5] is expected to enable the detection of a larger number of potential hazards and consequently to provide a comprehensive road safety management. Thus, the STPA analysis and implementation of mitigations could lead to an improvement of road users' safety, and a reduction of both occurrence rates and consequences of accidents.
This study goes beyond the initial applications of STAMP and STPA, to apply the full STPA methodology to road safety, taking the entire process of the RSI into account and extending the system boundaries, in order to also include vehicles, drivers and the road maintenance. This analysis aims to improve the traffic safety investigation and RSI by detecting and make them applicable in practice by detecting and specifying mitigations for any deficiencies and vulnerabilities of the existing road network.

Methodology
For the holistic and interdisciplinary preparation and collection of data, experts from the individual fields of psychology (e.g., human factors, human-machine interaction), vehicle technology (driving dynamics analysis, vehicle measurement systems), civil engineering (road planning, road drainage and routing), traffic accident reconstruction, accident analysis and traffic safety have contributed to the analysis. The data was collected through expert interviews. In addition to expert knowledge, the relevant laws, guidelines and regulations used by experts were analyzed. Considering the 3 pillars, STPA [50] was applied to the process of road safety on Austrian roads. The STPA steps according to Leveson and Thomas [50] consists of 4 steps and they were applied as follows: 1.
Specify the system boundaries, and system losses that shall be prevented.

2.
Model the high-level control structure in terms of control loops of the process with focus on functional relationships and interactions. 3.
Analyze control loops and determine any unsafe control action (UCA) that could lead to the defined losses. Based on these UCAs functional requirements and constraints are specified for the system. 4.
Create scenarios to determine causes why unsafe control might occur in the system such as inadequate feedback, decision, execution, environmental disturbances, component failures, etc. Specify mitigations. In addition, consider how these mitigations could erode over time and specify actions to protect them.
For modelling the process of road safety on Austrian roads, the system boundaries have been extended to include the road owner, the road itself, the driver, other road users and the vehicle. A distinction was made as to whether the road maintenance process takes place on its own or whether an RSI is commissioned on the basis of occurrence history of particular road segments.
Inputs from different types of experts that can address questions arise during the analysis [50]. Generally, information is needed about goals and actions of each control instance, sources of information and feedback, as well as working procedures, applicable regulations and standards. The control structure can be used to verify that all areas of expertise needed are covered. In this study experts have also been asked to assess the applicability of the solutions derived by applying STPA. Qualitative data obtained by expert interviews is a well-established approach in safety analysis (see also [51]).

Results
Findings of the STPA analysis are structured in four steps that were described in the method.

STPA Step 1
The first step in applying the STPA is to define the purpose of the analysis. In this case, the purpose of the road safety process is the safe operation of roads. In order to identify losses and hazards that might prevent achievement of the goal of the analysis, both the system and the corresponding system boundaries must first be identified. As a system, the road transport system is chosen as a whole. System boundaries include the vehicle, the driver, the road, other road users and the road owner. Furthermore, for the defined system high-level losses, system-level hazards and safety constraints need to be specified. Losses (L) defined for this system are death or injury to road users, or damage to vehicles or objects. Corresponding hazards (H) are the violation of minimum distances of road users to other road users or objects, loss of control of the vehicle or exceeding the operating range of the road by the road users.
System level safety constraints determined by applying STPA are: • Road users must maintain a minimum distance to other road users or objects. • Vehicle drivers must maintain control over the vehicle. • Road users must act within the operating range of the road.

STPA Step 2
In accordance with STPA Step 2 [50] a model of the hierarchical control structure, in form of control loops, functional relationships and interactions was developed and illustrated in Figure 1. In addition, for each control instance the name (e.g., road authority) the decision rules (knowledge, procedures, regulations, guidelines), the control goal (road quality, safety), the information and feedback (reports) and control actions (such as assignment of maintenance tasks, RSI) are specified. The road authorities are at the top of the control structure. They base their decisions on the construction, maintenance rules, regulations and standards for roads. Their control goals are to maintain an appropriate level of quality and safety of the road. Therefore, they use information about accidents from the accident statistic database and from the reports of the road maintenance staff and the RSI. They commission an RSI if they see a need for it and decide whether to implement or not mitigations specified by the RSI or the road maintenance staff. The road authorities also assign the road maintenances staff to assess the road and, if necessary, to implement mitigations. Generally, the decision to commission a RSI is based on the fact, that a road section shows a "black spot" or if the road authority has another indication for a commission, such as an incident or occurrence.
Another instance in the system control structure is the road maintenance. Road maintenance staff drive at regular intervals and inspect the road for any structural defects or damages in order to ensure safe road operation. They record and report damages and maintain the road. If an RSI is commissioned by the road authorities, the road safety inspector carries out a thorough RSI in accordance with guidelines. This means that in RSI all accidents that have occurred on the road section are investigated. In addition to the structural defects, deficiencies in the infrastructure and road equipment are also recorded in a report. The RSI output is a list of deficiencies and corresponding proposed mitigations. The RSI specifies a time interval in that each identified deficiency should be remedied.
However, the road authorities decide as to whether the mitigations will be implemented and when.
The commissioned road safety inspector is another instance in the system control structure. The inspector's goal is to identify deficiencies of the road section and possible causes of occurrences. Furthermore, the road safety inspector is required to specify mitigations that remedy the deficiencies completely. The road safety inspector receives information from the road authorities and road maintenance staff. In addition, they also collect their own information from the inspection of the road (e.g., inspection by car or by foot, surveying), or interviews with the responsible police department regarding the inspected road section.
The road infrastructure should be safe for every road user. Therefore, the road condition, road equipment and road environment such as the vegetation should be examined. Identified deficiencies should be remedied. The road infrastructure represents the operational envelope for drivers and other road users. This includes the course of the road, speed limitations, traffic signs and road markings influence the decisions and safety performance of the road user, like a driver, for example. The maintenance and development of the road infrastructure is also influenced by environmental factors (e.g., water, ice, snow). Drivers' decisions are based on the road characteristics, traffic rules and regulations, the road infrastructure and the vehicle capability and also on the behavior of other road users. The driver receives information about the vehicle's speed, driving trajectory and may receive information and feedback from driver assistance systems and warnings. The road vehicle is directly controlled by the driver that applies braking, acceleration, steering. The vehicle may be also controlled by driver assistance systems that apply braking, acceleration or steering.
Environmental disturbances such as water, ice, snow and other road users also influence the safety outcome of driving a road vehicle. Figure 1 shows the hierarchical control structure of the system and illustrates the third pillar.
The road authorities conduct maintenance activities and enforce the applicable laws, standards and guidelines according to the commissioning. A distinction is made as to whether the road maintenance process takes place on its own (black/bold) or whether an RSI (green/bold and italic) was commissioned on the basis of accident "black spots". The road authorities receive reports from the road maintenance staff and the road safety inspector. In addition, the road authorities receive information about accidents from a statistical database. If an RSI is commissioned by the road owner, the road owner decides if the measures recommended by the RSI report will be implemented by the maintenance staff. The road infrastructure affects the driver through the road, traffic signs, lane markings, etc. and the driver himself steers, brakes or accelerates the vehicle accordingly. The driver receives information and feedback about the road infrastructure, driving trajectory, driving speed. In addition, the driving environment (e.g., weather conditions) influences both the driver and the road infrastructure. In the current applicable standards, information about both vehicle and driver needs is not mandatory required from the RSI.

STPA Step 3
Once the safety control structure is defined, the third step of STPA focuses on the identification of potential unsafe control actions (UCAS) of the controllers that may result in the losses defined in Step 1. UCAs of the road authorities/owner could be inadequate commissioning of the road maintenance, road safety review or RSI. This could be either omitted, inappropriate, commissioned too late or stopped too early.

STPA Step 4
In STPA Step 4 an analysis is made of the potential causes of these UCAs, and causal scenarios are identified in relation to the specific context of operation [50]. The causal scenarios for UCAs can be identified by examining the elements of the control structure.
Causal scenarios identify for instance how inadequate information and feedback, inadequate requirements, coordination, communication, component errors or other factors can cause unsafe control and ultimately lead to losses [50]. Furthermore, safe control actions may be provided, but not executed [50]. Thus, additional system requirements can be specified and appropriate actions that can complement and improve the existing system can be identified [50]. In order to prevent these UCAs, the process is examined to improve existing but ineffective mitigations or to specify new safety requirements and constraints [50]. For instance, Table 2 presents UCAs of the road authorities, the causal scenarios and safety recommendations that can be derived using STPA. Table 2. Examples of causal scenarios for road authorities unsafe control action (UCA), "omission to commission an inspection or RSI when required". Causal scenarios and safety requirements are specified in STPA Step 4.

Causal Scenario Number Safety Requirements
Road authorities have no feedback that an inspection/RSI needs to be done. For example, there is no information about occurrences, "black spots" or "conflicts" on the road section. Therefore, no RSI is commissioned because there are no indications of "hazards".

M1
Database design and management of information about "black spots", danger spots, conflict points from data base. Assignment of a process and a role for the detection and evaluation of danger spots, regular update the data base (e.g., control body). The process shall specify data management procedures. For instance, hazards must be identified and managed; conclusions must be drawn from the database information, mitigations must be developed and reviewed.
Road authorities receive wrong feedback stating that there is no "black spot" and thus, no inspection is commissioned.

M2
Review of data quality and data assessment methods for detection of "black spots"/danger spots/conflict points from database.
Road authorities receive feedback about multiple occurrences in a particular road section but decide not to order an inspection because they do not see any correlation between occurrences (different accident types or categories or different causes for similar accidents categories).

M3
Review of methods for data classification and aggregation. Corresponding evaluation and correlations in database, subject-specific rework of accident data in database.
Road authorities falsely believe not to be responsible for a particular road section and someone else should commission the inspection/RSI because the respective section of the road falls into another area of responsibility, the street category is not clearly defined, etc.).

M4
Including in the database information regarding the control instance such as the road authorities or road owner responsible for each road segment. Figure 2 shows the improvement of the system and process after the STPA analysis. For instance, it illustrates the missing feedback and the safety requirements determined by using STPA. The original hierarchical control structure shown in Figure 1 is supplemented accordingly. The missing or additionally installed control instances, feedback and information are shown in red and bold in Figure 2. The analysis shows that road authorities or road owners and the RSI inspector lack certain feedback from vehicle drivers and from the vehicle itself. In this case, the missing vehicle feedback could be generated, for example, via kinematic measured values such as driving trajectory, vehicle speed, acceleration and deceleration. Feedback and information from the road vehicle (e.g., driving dynamic, driving trajectory, vehicle speed, acceleration, deceleration) is necessary for understanding vehicles interactions with the system and for enforcing road safety. Information about various road vehicles and driving dynamics could help to make the road safer for all types of road vehicles. Thus, data about different driving trajectories, vehicle speeds, decelerations, accelerations and specially sight highs depending on the individual road vehicles should be included and monitored in the process of data-driven road safety management. Furthermore, conducting road safety assessments with users of various vehicles, ages, gender and driving experiences could be included in the RSI. Data about drivers should include, for example, perception of the course of the road, speed limitation signs and road markings. Driver's perception shall be considered for a variety of vehicles such as cars or trucks, different sight heights and circumstances. For example, the leaning angle of the motorcycle influences the motorcycle driver's perspective while driving through a curve, depending also on the vehicle speed and curve radius. This data could be assessed during driving tests by methods such as eye-tracking, video recordings and/or reconstruction questionnaires. Finally, this data can be used as feedback to identify the potential for unsafe interactions of drivers and to specify effective mitigations. Another major finding of the STPA analysis is the missing feedback whether a preventive measure has been correctly implemented. A corresponding control instance is missing between the road infrastructure and the road owner. The control instance could collect information about the outcome of the implemented measures. Thus, the feedback loop between road infrastructure, road authorities and road owners could be closed. The information from the RSI report and road maintenance staff report, could be complemented with the review of the implementation of the measures. This could be also collected in a database.
With regards to the need to manage and access all collected information accordingly, the creation of a database becomes necessary, that contains information from different levels of the control hierarchy. At the low level, information and feedback from drivers and vehicles is necessary. In addition, the database could include hazards and deficiencies reported by the road maintenance staff, and the RSI report, as well as mitigations proposed by the RSI, other recommendations and implemented measures. As a result, the outcomes of the implemented measures could be stored, monitored and improved by taking into account changes in the road infrastructure, technology, user groups, vehicle types etc. The control instance could use the database for monitoring actions taken, implementation deadlines and reasons for deciding not to implement mitigations proposed by RSI. Furthermore, in the database occurrence information could be collected that is currently not available from statistical databases. Finally, a repository of rules, regulations and standards could be also established in the database.
The need for certain feedback and additional control instances are other findings highlighted by the STPA-based analysis. The analysis revealed gaps in the control structure, mainly in terms of missing information and feedback. Additional safety requirements for the system were detected and appropriate measures were identified that could complement, improve and influence the existing system design. As a countermeasure, additional controllers or a control body could be installed by the road owner (e.g., for determining whether maintenance activities were carried out, recommendations from RSI were implemented or if deficiencies were effectively resolved by implemented measures).
Basically, the analysis shows that the road authorities or the road owner lack a certain kind of information and feedback and, thus a closed-loop control of certain processes involved in safety management is not possible. For example, the road authorities lack information on maintenance deficiencies, checking the information if the measures have been carried out and the information on the effect of the measures that have been commissioned during the course of maintenance. Furthermore, a detection of non-standard road sections and the information about road sections with hazard and conflict potential is necessary for prevention. Thus, the road authorities will have the possibility to authorize an RSI even without an accident having occurred. The road authorities also lack information about road sections that comply to standards but are unsafe due to their sequence of execution. For example, these can be sections of road with different standard curves, where each curve complies with the standards, but their sequencing is unsafe and does not achieve the appropriate overall safety standard. Thus, the results support the first pillar showing that the application to Non-TEN-T-roads can be fulfilled.
The road authorities lack certain information about drivers' perception and interaction with the road infrastructure, the course of the road or the road environment. Inadequate drivers' perception and dysfunctional interactions with the road could be detected before accidents occur. Information is missing on drivers' ability to obtain the necessary information in a timely manner and to respond appropriately. This is essential for the implementation of preventive measures. The extension of the system boundaries to include organizational levels and taking into account the human-road-vehicle interactions as a whole show the feasibility and usefulness of the second pillar. Currently, the road authorities perform a mainly reactive safety management. However, the early detection of danger spots and conflict locations, as well as the detailed information on black spots could help decide to commission an RSI needs in a more proactive manner.
The new recommendation to establish a database in which, for example, road maintenance works or safety recommendations resulting from the RSI are recorded. A corresponding database provides the opportunity to perform a before and after comparisons, or to show developments and effects of measures implemented. Furthermore, it allows to retrieve and update all collected documents for the corresponding road section for the use of concerned executive bodies. The database provides the road authorities and, consequently, the executive bodies with the opportunity to collect all information necessary for the commissioning of remedial maintenance and its assessment. The database can include information on maintenance status, work instructions/procedures for maintenance activities and a priority order for the implementation of maintenance activities. A detailed overview of all the road owners involved, with regards to the responsibilities of individual sections of the road by kilometer, could rule out that a section of a road is not inspected and checked.
If the database contains all the recommended measures from the RSI, the road owners could also be provided with working instructions for the appropriate implementation of measures and for taking into account another control body, as well as information on the impact of the measures and the effect of the order of the traffic requirement. Furthermore, it is necessary to constantly update the database in order to identify hazards, to manage the data and to draw the appropriate conclusions from the data. Thanks to the feedback received from drivers and vehicles, it would also be possible to design the database interdisciplinary and thus, to develop preventive measures appropriately. Information on danger spots and conflict locations would greatly assist the road authority or the road owner, especially with regards to the need for an RSI. In addition, it would be recommendable to implement a database management and a monitoring function within the database in order to check and further develop the new discharges as well as the measures themselves. The information must be managed appropriately to ensure its efficient use. In addition to the data inspection by experts, it also requires a corresponding redundant check and optimization.
Furthermore, it follows that a second inspector will be needed for the implementation of the RSI in addition, this is not only to be meant as a back-up, if one of the inspectors should fail, but also for example, to cover information still lacking from a specialization in the field of vehicle driver perception or the effect of implemented measures. With regards to RSI and traffic safety investigations, it emerges that an expertise covering the fields of human factors, vehicle and road interfaces will be necessary in order to achieve a comprehensive inspection as well as to determine effective mitigations. In this way the systems approach of road safety management shows the applicability of the third pillar. This also implies the need for new, continuously reviewed and improved standards for carrying out inspections and maintenance, with the addition of a control body to supervise the implementation of recommended measures. Another very important result of the STPA-analysis is the requirement to assess and manage changes to the road infrastructure and vehicles' interaction with it, so that the process remains safe. These measures include adapting and registering new findings and new developments to the previously mentioned newly installed database and the ongoing adaptation of work instructions, working procedures and working procedures for the levels concerned. Improvements of the RSI could be in extending its scope to larger system boundaries and to include feedback mechanisms for determining if safety recommendations are adequately applied in practice and effective.
Overall, the STPA-based analysis resulted in a total of 23 safety requirements. As a consequence, improvements for 14 existing safety requirements could be specified and 7 new safety requirements could be introduced.

Discussion
The STPA [50] was used in this study for examining the processes involved in road safety management in Austria and identifying areas of improvement. In addition, the practical applicability of recommendations was addressed. As a consequence, road safety in the entire road network could be improved and the approach used is in line with "Safe System" vision of the European Commission. A comparison between the state-of-the art and the new approach is presented in Table 3.
For the gaps identified as a result of STPA, new target-oriented tools could be proposed such as a database and a new control instance that can be used directly in the implementation of road safety management and RSI.
The aim of the STPA-based analysis of traffic safety in Austria was to model how the safety responsibilities are divided within various system levels and how this can be improved in a specific and sustainable manner. A detection of missing information and feedback, that can potentially cause unsafe control actions has been obtained from the analysis. In addition, the analysis highlighted a pattern of how the responsibility can be shared to holistically increase safety. Some important parts of the overall system, which were not taken into account by the too narrow system boundaries used up to date, could be integrated by extending the system boundaries to include the vehicle, vehicle driver or road users, the environment and the interactions among system components. With a corresponding extension of the system boundaries, more hazards could be revealed and the STPA-method was valuable for generating and introducing specific mitigations and safety requirements. The results underpin the three areas of improving the management of road safety and thus the three pillars. An important aspect was the analysis of ongoing control, and beyond that the "update" of the system status at all levels by modelling closed control loops. RSI applicable to TEN-T roads RSI applicable to both TEN-T and Non-TEN-T roads (Pillar 1)

Future Research
The developed STPA-based model of the road safety management system, which primarily considers the RSI and the road safety investigation, could be extended in future research to the Road Safety Audit. Thus, its proactive applicability to the safety assessment and improvement of planned road sections could be investigated.
The STPA-based analysis could be broadened in future research with additional developments and innovations and could be broken down to the level of countries and municipalities' road safety management, in the attempt to cover the entire road network and make it safer. The presented method and its application could lead to a demonstrable improvement in road safety and also to adapting and developing the road-specific perception of vehicle drivers and the further development of vehicles as well as the training of vehicle drivers. The controllers need information and feedback to let them know when an unsafe condition is reached and enable them to act. Above all, they need to know what action they must take to keep the system permanently safe. A recommendation of the authors is to further develop the methodology in practice and to consider the interdisciplinarity both in the analysis and detection of deficiencies, as well as in the determination of corresponding measures. Once established, the database proposed by this study could be used for quantitative analyses to determine trends and safety performance indicators. The developed method definitely has the potential to be further improved and this should be taken into account in view of the fact that it could contribute to a substantial reduction in traffic occurrences.
In addition, future studies could address issues such as the attitudes and acceptance of the proposed measures for improving the management of road safety. Quantitative analysis of expert interviews could be conducted using a method similar to Wong et al. [52]. Interviews could be conducted with experts from various levels of the safety management structure.

Limitations of the Study
The implementation of safety recommendations identified in this study by applying STPA (Pillar 3) is associated with financial costs (e.g., new database and a new control instance). For implementation of the database, data protection principles must be taken into account and legal foundations for data sharing must be created. The economic and social costs of safety decisions based on incomplete information are difficult to calculate. Furthermore, in the absence of a closed-loop monitoring, there is little control if the recommendations of an RSI are adequately implemented. Currently, this could be noticed only after repeated accidents at the road site re-occur and a new RSI is commissioned. Another limitation in implementation of safety requirements derived from our STPA analysis is the lack of procedures and regulations to support the specified improvements. For instance, an update of the regulations, standards and guidelines for commissioning and conducting a RSI would need to address the systems approach (Pillar 3), the interdisciplinarity (Pillar 2) and the extension to Non-TEN-T roads (Pillar 1). However, results of this study suggest that the Safe System vision could be implemented by using scientific methods, involving experts and providing appropriate resources.

Conclusions
As a result of the study, a new approach to road safety management, theoretically based on systems and control theory, methodologically based on STPA [50] and applicable in practice, could be found. The STPA-based analysis has uncovered a number of gaps and weaknesses when applied to the safety management of the Austrian road network. The analysis shows potential benefits of extending the RSI from TEN-T roads to include also Non-TEN-T roads, and to consider various users, vehicles and their interactions, in addition to the road segments. These findings could be relevant to all countries and road categories with the slight change adaptations to cover the laws and regulations applicable in each country. This means that the developed method is not only important for Austrian traffic safety, but both the methodology and the corresponding results can be applied worldwide to increase the traffic safety and to avoid accidents. Therefore, an international application is recommended.
Overall, these results show how the interdisciplinarity and the systems approach envisioned by the European Commission with the Safe System approach could be implemented.