STAMP/STPA procedures in Astah

This tutorial describes the STAMP/STPA procedures in Astah. If you are new to STAMP/STPA, please refer to the STPA Handbook.

The STAMP/STPA procedures in Astah are as follows:

The system analyzed in this tutorial

In this tutorial, we will analyze “Train Control System between stations on a single line for a crossing”.

railroad_crossing

We focused on the information processing from the detection of an approaching train, and verified that the level crossing control system can correctly instruct the breaker to start the alarm, and that it can control the train safely even in abnormal conditions.

The “A” and “B” in the figure are the alarm start sensors, which are configured as an electric circuit with electric signals flowing to the left and right rails, and detect incoming trains by short-circuiting the rails with the train axles. “C” is the end-of-alarm sensor, which also detects the short-circuiting of the rails by the axles to detect that the train has passed through the level crossing. These sensors are installed in the vicinity of the crossing, and the conditions for both ascending and descending trains are shared by setting the alarm to stop a certain time after the train passes. These train detection sensors are not capable of detecting the direction in which the train is traveling.

STPA Procedure Preparations

The STPA Procedure Preparations include the following procedures:

Creating a New Project

Launch Astah, then create a project to control the STAMP/STPA analysis model.

To create a new project, select menu [File] - [New].

Hint

Instead of creating a new project, an analysis may be started by opening the project file offered by the organization and using it as a template.

Understanding the Analysis Target System

Once the tool preparations are complete, understand the analysis target system.

Read the requirements specifications well to understand the analysis target system, draw a brief picture, or create a model pointing out the requirements, structures, and behaviors, using SysML or UML. Or read the results, including the model created by the engineering activities, and understand the analysis target system.

Astah also supports other models such as SysML. Please use it to understand the system.

sysml

Confirming the STPA Procedures

Once the analysis target system is understood, start the STAMP/STPA analysis, using Astah.

Refer to “STPA Procedure” view. The STPA Procedure view shows the STAMP/STPA procedures, using Astah. For anyone not accustomed to STPA, it is recommended to follow these procedures to learn the actual process.

STPA Analysis Procedure

Hint

The STPA Procedure is not mandatory. For the well-trained person it is possible to start drawing a Control Structure Diagram, using the diagram menu or structure tree without using the STPA Procedure view.

The structure tree is placed left to the STPA Procedure view. This exhaustively shows the diagrams and models created with the STPA Procedure view or diagram menu, in the tree view.

Structure Tree

STPA Procedure Step1 Define analysis purpose

The STPA Procedure Step1 Define analysis purpose includes the following procedures:

STEP 1 Determining the Preconditions

Once the analysis target system is understood, determine the process and preconditions of the system in the analysis range as a part of the work of clarifying it.

Many suppositions or preconditions, for example, such as using the railroad-crossing system of Ver1.2, not including the A component in the analysis range, may be extracted to understand the analysis target system.
Organize such information as a precondition table.
Then add the preconditions.
First, double-click [STEP 1 Define analysis purpose] - [Determine Preconditions] in the STPA Procedures. Then the Precondition Table shown below will be displayed.
Precondition Table

Right-click on a cell in the displayed table to select [Add Precondition].

Add Precondition

As a precondition is newly created and assigned a generated number, input “A and B are the sensors that trigger the train crossing control system to start the alarm when they detect a running train.“ in Name.

Let’s add other preconditions in the same way.

Preconditions

See also STAMP related functions - Diagrams_and_diagram_elements - Precondition_Table for more information on the Precondition Table.

STEP 1 Identifying Accidents, Hazards, and Safety Constraints

Understand the analysis target system, determine the suppositions/preconditions, then clarify for which accident the safety analysis is to be executed.

First, decide which accident is to be analyzed and extract the hazards, i.e., system conditions that lead to the accident. At the end, to avoid the accidents, extract the requirements or limitations for maintaining the safety of the analysis target as the safety constraints.

Create and control a model of the accidents, hazards and safety constraints and control them using the table in the same way as for the preconditions mentioned above. The following accidents, hazards and safety constraints with a series of operations are identified.

Accident, Hazard, Safety Constraint

First, double-click [STEP 1 Define analysis purpose] - [Identifying Accidents, Hazards, and Safety Constraints] in the STPA procedure. Then the Accident Hazard Safety Constraint Table shown below will be displayed.

Accident Hazard Safety Constraint Table

Right-click on a cell in the displayed table to select [Add Accident].

Add Accident Menu

As a new accident, in the same way as with the preconditions, is created and assigned a generated number, input “Collision with train and cars or people on the crossing”.

Add Accident

Next, to add the hazard that leads to this accident, right-click with a cell in the Hazard row selected to select [Add Hazard].

Add Hazard Menu

This time set “Crossing does not close when the train is approaching or passing”.

Add Hazard

Next, to set the safety constraints, right-click with a cell in the Safety Constraints row selected to select[Add Safety Constraint].

Set the accidents, hazards, and safety constraints with the same operations.

Accident, Hazard, Safety Constraint

Hint

The hazard that leads to an accident may be the same as that analyzed with another accident. Or, the safety constraint may be extracted with the combination of another accident and hazard. In this case, the existing hazard or safety constraint can be selected with “Add Existing Hazard” or “Add Existing Safety Constraint”.

Select Safety Constraint

See also STAMP related functions - Diagrams_and_diagram_elements - Accident Hazard Safety Constraint Table for more information on the Accident Hazard Safety Constraint Table.

STPA procedure STEP 2 Model the control structure

STPA procedure STEP 2 Model the control structure includes the following steps:

STEP 2 Building a control structure

This time, let’s build the following control structure.

image
First, double-click [STEP 2 Modeling a Control Structure] - [Draw a Control Structure] in the STPA procedure. Then, the following control structure diagram is displayed.
Note that with Astah, the procedure shown in the STPA Procedures view is not compulsory, and you can start writing STPA from the control structure diagram.
image
Let’s add the “Start Sensor A” component to the control structure diagram we created.
Select [Component] on TooL Bar and click on any point on the diagram. Then a component is created. A component can also be created by double-clicking on the diagram.
image

Input Start Sensor A in the created component directly.

image
The component name can also be set in the property view at the bottom left on the screen as well as on the diagram.
In the property view, details regarding the properties of the model, such as “Responsibility” that describes the responsibility of the component, “Definition” that defines the description, “Process Model” described later, “CA (Control Action)” or “FB (Feedback)” connected to the component, can be confirmed in addition to Name.
image

Similarly, create a “railroad crossing controller” component.

Then design the control action “notify Absence” in the Crossing Control System from Start Sensor A.
Select [Link] on Tool Bar , click on Start Sensor A, and drag it with the mouse to the Crossing Control System.
image
image

Hint

Using the draw suggest function on a diagram, a control structure can be described without moving the mouse repeatedly on the tool bar on the Link. Click on the line arrow symbol to select a component to be connected, and the link will be created.

image

Clicking on the “>>” symbol of the line arrow enables you to select a link to define the control action or feedback.

image
A control action can be added by clicking on the icon “CA” that is displayed by hovering the mouse over the created link. Now set “Notify Absence”.
image
Control actions can be added, edited, or deleted in the property view by selecting the link.
image

Hint

The link line colors of the control action and feedback have been set to red and blue as default.

This setting can be changed by selecting [Tool] - [System Properties] - [STAMP/STPA] - [Default Item Color] - [Link Line Color] or [Feedback Link Line Color]. Other than color, Line Type can be selected as Solid Line or Dashed Line.

image

The control structure is constructed by adding and editing the component, link, control action, and feedback.

See also STAMP related functions - diagrams_and_diagram_elements - Control Structure Diagram for more information on control structure diagrams.


STPA Procedure STEP 3 Identify Unsafe Control ACTION

The STPA Procedure STEP 3 Identify Unsafe Control ACTION includes the following procedures:

STEP 3 Extracting a UCA (Unsafe Control Action)

Once the structure of the analysis target is constructed as a control structure, it is analyzed using the UCA Table as to whether the control action can lead to the hazard/action from a viewpoint of a guide word for each control action.

Then double-click [STEP 3 Identify Unsafe Control Action] - [Identify UCA (Unsafe Control Action)] in the STPA procedure.

UCA Table

In the UCA Table, the control actions automatically extracted from the control structure are displayed. For each control action, analyze the viewpoint of the guide word, such as “Not Providing”.

This time if the control action “Start the alarm” is set to Not Providing, input the analysis that the unsafe result of “The train passes the railroad crossing without ringing the alarm” is generated.

  • First, double-click on the cell on which “Start the alarm” and “Not Providing” are crossed. The UCA dialog is displayed. Press “Add UCA”.

  • As a UCA is added, input “Crossing is open while train is passing” in the Text.

  • Then double-click the Violating Safety Constraints cell. The “Edit Violating Safety Constraint” dialog is displayed. Select the applicable safety constraint from the safety constraints designed in the Accident Hazard Safety Constraint Table and press the OK button to confirm the edit.

  • Finally click on the OK button.

UCA Dialog

With these procedures, the UCA Table is as shown below.

Add UCA

The UCA will be analyzed with these operations.

See also STAMP related functions - diagrams_and_diagram_elements -UCA Table for more information on the UCA Table.

Hint

To change the order of the control actions in the UCA Table, drag the line and drop it at the desired position.


STPA Procedure STEP 4 Identify Loss Scenario

The STPA Procedure STEP 4 includes the following procedures:

STEP 4 Control Loop Diagram

Once the UCA is extracted, identify the Hazard Causal Factor for each control action considered as the UCA.

As one of the methods, create a control structure that focuses on the control action considered as the UCA that is named in the Control Loop Diagram with the Control Structure Diagram.

Then double-click [STEP 4 Identify Loss Scenario] - [Control Loop Diagram] in the STPA procedures. The alert dialog shown below will be displayed.

Control Loop Alert

As described above, the Control Loop Diagram is created by focusing on a control action. So it is necessary to select the control action or link that is focused on in the Control Structure Diagram.

Then open the Control Structure Diagram and double-click on the Control Loop Diagram of the STPA procedures again with the control action “Start the alarm” selected.

Create Control Loop Diagram

A Control Loop Diagram whose components other than those that are directly related to the selected control actions are omitted as the input/output from/to an external device as shown below, is created.

Control Loop Diagram

One of the HCF analysis methods in the Control Loop Diagram is to analyze the HCF by referring to hint words that may give the hint recommending discard and the control loop.

Click [Hint Word Set] on Tool Bar in the Control Loop Diagram.

Then the hint words are displayed, as shown below. While observing the Control Loop Diagram, execute the analysis of whether the causes to lead to a hazard occur or not in the status indicated by each hint word.

Hint Word

See also STAMP related functions - diagrams_and_diagram_elements -Control Loop Diagram for more information on the Control Loop Diagram.

Hint

In the Control Loop Diagram (or Control Structure Diagram), the status of the target to be controlled that the controller recognizes can be designed as a process model.

In Astah, right-click a component and select [Process Model Compartment Visibility]. The compartment in which the process model can be designed is displayed.

In the displayed process model compartment, the process variable and process value can be designed by right-clicking or in the property view.

image

Hint

You can add hyperlinks to your process model. By linking with other diagrams, you can design a more detailed process model.

You can set hyperlinks in your process model in two ways:
  • Right-click the process model on the diagram and select [Edit Hyperlink] to set it from the [Hyperlink Information] dialog.

image
  • On the Process Model tab of the Property View, click Edit Hyperlink to set it from the Hyperlink Information dialog.

    image

See also Reference - Basic function -Hyperlinks for more information on hyperlinks.

See also Reference - Model Integration Function - Linking Diagrams for more information on linking diagrams.

STEP 4 Identify Loss Scenario

Organize the HCF extracted with the procedures mentioned above in the Loss Scenario Table.

Double-click [STEP 4 Identify Loss Scenario] - [Loss Scenario] in the STPA procedures.

Then the dialog to select the HCF for which the UCA to be organized is displayed. Select the UCA currently being analyzed in the Control Loop Diagram.

In this dialog, the circle symbol is added to the UCA that created the Loss Scenario Table, which enables you to identify the UCA for which the HCF analysis has not been executed.

Select UCA

When the Loss Scenario Table is displayed, add an HCF in the same way as in the operations before and create a scenario to lead to the HCF and design for the hint word from which it was extracted.

image

See also STAMP related functions - diagrams_and_diagram_elements - Loss Scenario Table for more information on the Loss Scenario Table.

STEP 4 Countermeasures

The last STPA procedure is to consider the countermeasures for the extracted HCF.

Double-click [STEP 4 Identify Loss Scenario] - [Countermeasures] in the STPA procedure. Then the Countermeasure Table to design the countermeasures for the extracted HCF is displayed.

Countermeasure Table

Right click on the countermeasures cell of this table and add the countermeasures using [Add Countermeasure] or set the Target Component by double-clicking on the cell of the Target Component.

These operations will finalize the countermeasures for the HCF.

Countermeasure Table

See also STAMP related functions - diagrams_and_diagram_elements - Countermeasure Table for more information on the Countermeasure Table.

In STPA, during the UCA analysis, an omission is found in the control structure, and frequently the procedures go back. Execute the STPA analysis with iterative analysis being done as described.