STAMP/STPA procedures in Astah¶
This tutorial describes the STAMP/STPA procedures in Astah. If you are new to STAMP/STPA, please refer to the STPA Handbook.
The STAMP/STPA procedures in Astah are as follows:
Preparations
STEP 1 Define analysis purpose
STEP 2 Model the control structure
STEP 3 Identify unsafe control actions
STEP 4 Identify loss scenarios
-
The system analyzed in this tutorial
In this tutorial, we will analyze “Train Control System between stations on a single line for a crossing”.
We focused on the information processing from the detection of an approaching train, and verified that the level crossing control system can correctly instruct the breaker to start the alarm, and that it can control the train safely even in abnormal conditions.
The “A” and “B” in the figure are the alarm start sensors, which are configured as an electric circuit with electric signals flowing to the left and right rails, and detect incoming trains by short-circuiting the rails with the train axles. “C” is the end-of-alarm sensor, which also detects the short-circuiting of the rails by the axles to detect that the train has passed through the level crossing. These sensors are installed in the vicinity of the crossing, and the conditions for both ascending and descending trains are shared by setting the alarm to stop a certain time after the train passes. These train detection sensors are not capable of detecting the direction in which the train is traveling.
STPA Procedure Preparations¶
The STPA Procedure Preparations include the following procedures:
Creating a New Project¶
Launch Astah, then create a project to control the STAMP/STPA analysis model.
To create a new project, select menu [File] - [New].
Hint
If your project does not have a STAMP/STPA model, please enable the STAMP/STPA facet.
Instead of creating a new project, an analysis may be started by opening the project file offered by the organization and using it as a template.
Understanding the Analysis Target System¶
Once the tool preparations are complete, understand the analysis target system.
Read the requirements specifications well to understand the analysis target system, draw a brief picture, or create a model pointing out the requirements, structures, and behaviors, using SysML or UML. Or read the results, including the model created by the engineering activities, and understand the analysis target system.
Astah also supports other models such as SysML. Please use it to understand the system.
Confirming the STPA Procedures¶
Once the analysis target system is understood, start the STAMP/STPA analysis, using Astah.
Refer to “STPA Procedure” view. The STPA Procedure view shows the STAMP/STPA procedures, using Astah. For anyone not accustomed to STPA, it is recommended to follow these procedures to learn the actual process.
Hint
The STPA Procedure is not mandatory. For the well-trained person it is possible to start drawing a Control Structure Diagram, using the diagram menu or structure tree without using the STPA Procedure view.
The structure tree is placed left to the STPA Procedure view. This exhaustively shows the diagrams and models created with the STPA Procedure view or diagram menu, in the tree view.
STPA Procedure Step1 Define analysis purpose¶
The STPA Procedure Step1 Define analysis purpose includes the following procedures:
STEP 1 Determining the Preconditions¶
Once the analysis target system is understood, determine the process and preconditions of the system in the analysis range as a part of the work of clarifying it.
Right-click on a cell in the displayed table to select [Add Precondition].
As a precondition is newly created and assigned a generated number, input “A and B are the sensors that trigger the train crossing control system to start the alarm when they detect a running train.“ in Name.
Let’s add other preconditions in the same way.
See also STAMP related functions - Diagrams_and_diagram_elements - Precondition_Table for more information on the Precondition Table.
STEP 1 Identifying Losses, Hazards, and Safety Constraints¶
Understand the analysis target system, determine the suppositions/preconditions, then clarify for which loss the safety analysis is to be executed.
First, decide which loss is to be analyzed and extract the hazards, i.e., system conditions that lead to the loss. At the end, to avoid the losses, extract the requirements or limitations for maintaining the safety of the analysis target as the safety constraints.
Create and control a model of the Losses, hazards and safety constraints and control them using the table in the same way as for the preconditions mentioned above. The following losses, hazards and safety constraints with a series of operations are identified.
First, double-click [STEP 1 Define analysis purpose] - [Identifying Losses, Hazards, and Safety Constraints] in the STPA procedure. Then the Loss Hazard Safety Constraint Table shown below will be displayed.
Right-click on a cell in the displayed table to select [Add Loss].
As a new loss, in the same way as with the preconditions, is created and assigned a generated number, input “Collision with train and cars or people on the crossing”.
Next, to add the hazard that leads to this loss, right-click with a cell in the Hazard row selected to select [Add Hazard].
This time set “Crossing does not close when the train is approaching or passing”.
Next, to set the safety constraints, right-click with a cell in the Safety Constraints row selected to select[Add Safety Constraint].
Set the losses, hazards, and safety constraints with the same operations.
Hint
The hazard that leads to a loss may be the same as that analyzed with another loss. Or, the safety constraint may be extracted with the combination of another loss and hazard. In this case, the existing hazard or safety constraint can be selected with “Add Existing Hazard” or “Add Existing Safety Constraint”.
See also STAMP related functions - Diagrams_and_diagram_elements - Loss Hazard Safety Constraint Table for more information on the Loss Hazard Safety Constraint Table.
STPA procedure STEP 2 Model the control structure¶
STPA procedure STEP 2 Model the control structure includes the following steps:
STEP 2 Building a control structure¶
This time, let’s build the following control structure.
Input Start Sensor A in the created component directly.
Similarly, create a “railroad crossing controller” component.
Hint
Using the draw suggest function on a diagram, a control structure can be described without moving the mouse repeatedly on the tool bar on the Link. Click on the line arrow symbol to select a component to be connected, and the link will be created.
Clicking on the “>>” symbol of the line arrow enables you to select a link to define the control action or feedback.
Hint
The link line colors of the control action and feedback have been set to red and blue as default.
This setting can be changed by selecting [Tools] - [System Properties] - [STAMP/STPA] - [Default Item Color] - [Link Line Color] or [Feedback Link Line Color]. Other than color, Line Type can be selected as Solid Line or Dashed Line.
The control structure is constructed by adding and editing the component, link, control action, and feedback.
See also STAMP related functions - diagrams_and_diagram_elements - Control Structure Diagram for more information on control structure diagrams.
STPA Procedure STEP 3 Identify Unsafe Control ACTION¶
The STPA Procedure STEP 3 Identify Unsafe Control ACTION includes the following procedures:
STEP 3 Extracting a UCA (Unsafe Control Action)¶
Once the structure of the analysis target is constructed as a control structure, it is analyzed using the UCA Table as to whether the control action can lead to the hazard/action from a viewpoint of a guide word for each control action.
Then double-click [STEP 3 Identify Unsafe Control Action] - [Identify UCA (Unsafe Control Action)] in the STPA procedure.
In the UCA Table, the control actions automatically extracted from the control structure are displayed. For each control action, analyze the viewpoint of the guide word, such as “Not Providing”.
This time if the control action “Start the alarm” is set to Not Providing, input the analysis that the unsafe result of “The train passes the railroad crossing without ringing the alarm” is generated.
First, double-click on the cell on which “Start the alarm” and “Not Providing” are crossed. The UCA dialog is displayed. Press “Add UCA”.
As a UCA is added, input “Crossing is open while train is passing” in the Text.
Then double-click the Violating Safety Constraints cell. The “Edit Violating Safety Constraint” dialog is displayed. Select the applicable safety constraint from the safety constraints designed in the Loss Hazard Safety Constraint Table and press the OK button to confirm the edit.
Finally click on the OK button.
![]()
With these procedures, the UCA Table is as shown below.
The UCA will be analyzed with these operations.
See also STAMP related functions - diagrams_and_diagram_elements -UCA Table for more information on the UCA Table.
Hint
To change the order of the control actions in the UCA Table, drag the line and drop it at the desired position.
STPA Procedure STEP 4 Identify Loss Scenario¶
The STPA Procedure STEP 4 includes the following procedures:
STEP 4 Control Loop Diagram¶
Once the UCA is extracted, identify the Hazard Causal Factor for each control action considered as the UCA.
As one of the methods, create a control structure that focuses on the control action considered as the UCA that is named in the Control Loop Diagram with the Control Structure Diagram.
Then double-click [STEP 4 Identify Loss Scenario] - [Control Loop Diagram] in the STPA procedures. The alert dialog shown below will be displayed.
As described above, the Control Loop Diagram is created by focusing on a control action. So it is necessary to select the control action or link that is focused on in the Control Structure Diagram.
Then open the Control Structure Diagram and double-click on the Control Loop Diagram of the STPA procedures again with the control action “Start the alarm” selected.

A Control Loop Diagram whose components other than those that are directly related to the selected control actions are omitted as the input/output from/to an external device as shown below, is created.
One of the HCF analysis methods in the Control Loop Diagram is to analyze the HCF by referring to hint words that may give the hint recommending discard and the control loop.
Click [Hint Word Set] on Tool Bar in the Control Loop Diagram.
Then the hint words are displayed, as shown below. While observing the Control Loop Diagram, execute the analysis of whether the causes to lead to a hazard occur or not in the status indicated by each hint word.
See also STAMP related functions - diagrams_and_diagram_elements -Control Loop Diagram for more information on the Control Loop Diagram.
Hint
In the Control Loop Diagram (or Control Structure Diagram), the status of the target to be controlled that the controller recognizes can be designed as a process model.
In Astah, right-click a component and select [Process Model Compartment Visibility]. The compartment in which the process model can be designed is displayed.
In the displayed process model compartment, the process variable and process value can be designed by right-clicking or in the property view.
Hint
You can add hyperlinks to your process model. By linking with other diagrams, you can design a more detailed process model.
- You can set hyperlinks in your process model in two ways:
Right-click the process model on the diagram and select [Edit Hyperlink] to set it from the [Hyperlink Information] dialog.
On the Process Model tab of the Property View, click Edit Hyperlink to set it from the Hyperlink Information dialog.
See also Reference - Basic function -Hyperlinks for more information on hyperlinks.
See also Reference - Model Integration Function - Linking Diagrams for more information on linking diagrams.
STEP 4 Identify Loss Scenario¶
Organize the HCF extracted with the procedures mentioned above in the Loss Scenario Table.
Double-click [STEP 4 Identify Loss Scenario] - [Loss Scenario] in the STPA procedures.
Then the dialog to select the HCF for which the UCA to be organized is displayed. Select the UCA currently being analyzed in the Control Loop Diagram.
In this dialog, the circle symbol is added to the UCA that created the Loss Scenario Table, which enables you to identify the UCA for which the HCF analysis has not been executed.
When the Loss Scenario Table is displayed, add an HCF in the same way as in the operations before and create a scenario to lead to the HCF and design for the hint word from which it was extracted.
See also STAMP related functions - diagrams_and_diagram_elements - Loss Scenario Table for more information on the Loss Scenario Table.
STEP 4 Countermeasures¶
The last STPA procedure is to consider the countermeasures for the extracted HCF.
Double-click [STEP 4 Identify Loss Scenario] - [Countermeasures] in the STPA procedure. Then the Countermeasure Table to design the countermeasures for the extracted HCF is displayed.
Right click on the countermeasures cell of this table and add the countermeasures using [Add Countermeasure] or set the Target Component by double-clicking on the cell of the Target Component.
These operations will finalize the countermeasures for the HCF.
See also STAMP related functions - diagrams_and_diagram_elements - Countermeasure Table for more information on the Countermeasure Table.
In STPA, during the UCA analysis, an omission is found in the control structure, and frequently the procedures go back. Execute the STPA analysis with iterative analysis being done as described.