This tutorial walks through the STAMP/STPA procedure step by step using Astah System Safety. To follow along, you can use the 40-day free trial of Astah System Safety: download and install the software, then try each feature as you progress through this guide.
After installing Astah, launch the application and create a new file via [File] > [New]. Then open the [STPA Procedure] tab in the top-left pane. This pane lays out the STPA process as a sequence of steps. You are not required to follow the sequence rigidly, but we recommend it for beginners, because it shows which Astah feature supports each STPA step.
Before starting an STPA analysis, you need a thorough understanding of the system under review. This preliminary step involves examining the system's requirements specification. SysML or UML diagrams are an effective way to capture the system's requirements, structure and behavior, and since Astah System Safety supports SysML diagrams you can model these elements in the same project as the analysis. This preparation gives the STPA analysis a solid foundation.
The first step of an STPA analysis is to define the purpose of the analysis: identify which aspects of the system are to be analyzed, define the system boundary, and identify the losses you aim to prevent. This step sets the scope of the analysis and records its preconditions. The preconditions keep the analysis from drifting off course and ensure that its results stay relevant to the stated purpose.
In Astah, preconditions are recorded in a Precondition Table. To create one, double-click "Determine Preconditions" in the [STPA Procedure] tab.
When a blank table appears in the diagram editor, right-click on it and choose [Add Precondition] to begin entering the preconditions.
To learn more about Precondition Tables, please refer to the guide here – Precondition Table.
The Loss Hazard Safety Constraint Table is where you record the losses, hazards and safety constraints of the analysis. A hazard is a system state or set of conditions that, together with worst-case environmental conditions, will lead to a loss; a safety constraint is a condition or behavior the system must satisfy to prevent a hazard. The table documents these elements and the links between them.
To use this feature, double-click [Identify Loss, Hazard, Safety Constraint]. A blank table opens in the diagram editor. To add a loss, right-click on the table and select [Add Loss]. In the same way you list the losses, the hazards that lead to them, and the safety constraints that address each hazard.
To learn how to add hazards and safety constraints, please refer to the guide – Loss Hazard Safety Constraint Table.
A hazard can lead to more than one loss, and a safety constraint can address more than one hazard. When you add a row that relates to an already defined hazard or safety constraint, choose the existing one from the drop-down list instead of entering it again, so that the links between the tables stay consistent.
In the second step of STPA you model the control structure of the system. Astah System Safety provides the [Control Structure Diagram] for this, in which you represent the controllers, the control actions they issue, the feedback they receive, and the controlled processes they act on.
To start creating this diagram, select [Draw a Control Structure] under STEP 2 in the [STPA Procedure] tab. This diagram is the basis for the following steps: unsafe control actions are derived from its control actions, and loss scenarios from its control loops.
Or, go to [Diagram] – [STAMP/STPA] – [Control Structure Diagram].
When modeling the control structure in Astah System Safety, it’s beneficial to start with an abstract overview and then incrementally add detail.
Astah's smart assist feature simplifies this process. You can create the main components either by pasting text directly or by converting SysML Blocks, which you drag and drop from the tree view into the diagram. The 'CS Entire View' gives a complete view of the control structure when the interactions between components are spread across several diagrams, so you can see the whole system at a glance.
To learn more about Control Structure Diagram and CS Entire view, please refer to the guides below:
After the control structure is modeled, the next step is to identify Unsafe Control Actions (UCAs). A UCA is a control action that, in a particular context and worst-case environment, will lead to a hazard. To start identifying UCAs in Astah System Safety, open the [STPA Procedure] tab and click [Identify UCA (Unsafe Control Action)].
A UCA table appears. Astah System Safety automatically extracts all the Control Actions defined in the Control Structure Diagram and lists them in this table.
In Astah System Safety, a control action can be unsafe in four ways, and these four types are the default columns of the UCA table:
1. Not Providing – Not providing the control action leads to a hazard.
2. Providing causes hazard – Providing the control action leads to a hazard.
3. Too early / Too late – Providing a potentially safe control action but too early or too late.
4. Stop too soon / Applying too long – The control action is applied too long or is stopped too soon.
Filling in all four columns for each control action tests whether the action satisfies the basic requirement: the correct control action, provided at the correct time and for the correct duration. A cell that fails this test is recorded as an Unsafe Control Action. Review every cell for every control action; a cell that you judge not hazardous should be left empty on purpose, not because it was skipped, since omitted cells are the most common source of missed UCAs.
For each UCA in the table, specify the hazard (or hazards) it leads to and the context in which the control action is unsafe. The context is essential: most control actions are safe in some situations and unsafe in others, so the link to a hazard only makes sense together with the context. This pairing of hazard and context is what the loss scenarios and countermeasures of the later steps are built on.
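The following is an added example, not code from the Astah page or product, that shows the mechanics behind the UCA table: it expands one control action into the full matrix of the four UCA types against each context, lets the analyst link the hazardous cells to hazards, and derives the controller constraint for each UCA by inverting it, as the STPA Handbook does. The door controller, its contexts and the hazard identifiers H-1 and H-2 are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# The four UCA types, matching the default columns of the Astah UCA table.
UCA_TYPES = (
    "Not providing",
    "Providing",
    "Too early / Too late",
    "Stop too soon / Applying too long",
)

# Wording used to turn a table cell into a UCA sentence, and into the
# controller constraint obtained by negating that sentence.
_UCA_VERB = {
    "Not providing": "does not provide",
    "Providing": "provides",
    "Too early / Too late": "provides too early or too late",
    "Stop too soon / Applying too long": "stops too soon or applies too long",
}
_CONSTRAINT_VERB = {
    "Not providing": "must provide",
    "Providing": "must not provide",
    "Too early / Too late": "must provide at the required time",
    "Stop too soon / Applying too long": "must apply for the required duration",
}


@dataclass(frozen=True)
class ControlAction:
    controller: str   # the controller that issues the action
    name: str         # the control action, e.g. "open doors"


@dataclass
class Uca:
    ident: str
    action: ControlAction
    uca_type: str
    context: str
    hazards: tuple = ()   # hazard ids linked by the analyst; empty = judged not hazardous

    def statement(self) -> str:
        """UCA in the handbook form <Source> <Type> <Control Action> <Context> [Hazards]."""
        return (f"{self.ident}: {self.action.controller} {_UCA_VERB[self.uca_type]} "
                f"'{self.action.name}' {self.context} [{', '.join(self.hazards)}]")

    def controller_constraint(self) -> str:
        """Controller constraint derived by inverting the UCA."""
        return (f"{self.action.controller} {_CONSTRAINT_VERB[self.uca_type]} "
                f"'{self.action.name}' {self.context}")


def candidates(action: ControlAction, contexts, start: int = 1) -> list:
    """Full matrix of 4 x len(contexts) candidate UCAs, numbered from UCA-<start>.

    Every cell has to be reviewed: either link it to one or more hazards or
    leave it empty on purpose. Generating the matrix makes skipped cells visible.
    """
    return [Uca(f"UCA-{start + i}", action, t, ctx)
            for i, (ctx, t) in enumerate(product(contexts, UCA_TYPES))]


def unsafe(cands) -> list:
    """The cells the analyst judged hazardous (linked to at least one hazard)."""
    return [u for u in cands if u.hazards]


def check_hazard_links(cands, known_hazards) -> list:
    """Ids of UCAs that cite a hazard not defined in the Loss/Hazard table."""
    return [u.ident for u in cands if any(h not in known_hazards for h in u.hazards)]


# Constructed example (not from the Astah page): a train door controller.
KNOWN_HAZARDS = {"H-1": "Door is open while the train is moving",
                 "H-2": "Passenger is trapped in the doorway"}
OPEN_DOORS = ControlAction("Door controller", "open doors")
CONTEXTS = ("while the train is moving", "when a passenger is in the doorway")

matrix = candidates(OPEN_DOORS, CONTEXTS)
# Analyst judgement, entered by hand per cell:
matrix[1].hazards = ("H-1",)   # Providing 'open doors' while the train is moving
matrix[7].hazards = ("H-2",)   # Stopping 'open doors' too soon with a passenger in the doorway

if __name__ == "__main__":
    for u in unsafe(matrix):
        print(u.statement())
        print("   constraint:", u.controller_constraint())
    print("dangling hazard references:", check_hazard_links(matrix, KNOWN_HAZARDS))
```

The generated matrix is the same 4 x N grid the Astah table presents; the point of producing it programmatically is that a cell can only be empty because an analyst looked at it. The derived controller constraints are the input for the safety constraints recorded in Step 1 and for the countermeasures of Step 4.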
To learn more about UCA table, please refer to the guide – UCA Table.
Once the UCAs have been identified, the next step is to identify loss scenarios for each UCA. A loss scenario describes the causal factors that can lead to a UCA, or to a hazard even when the control action issued was safe. In Astah System Safety, this begins by creating a Control Loop Diagram for each unsafe control action.
A Control Loop Diagram focuses on one control action and shows its control loop: the controller, the controlled process, the control path and the feedback path. Hazard causal factors are identified against each element of this loop.
To create a Control Loop Diagram, select the target Control Action in the Control Structure Diagram, then double-click on “Control Loop Diagram” in the [STPA Procedure] pane.
In Astah System Safety, loss scenarios are analyzed for the two types distinguished in the STPA Handbook: scenarios that explain why the controller would issue the unsafe control action (for example an incorrect process model, or missing or delayed feedback), and scenarios in which the controller issues a safe control action that is then not executed, or executed improperly, on the way to the controlled process.
While working on a Control Loop Diagram, open the [Hint Word Set]. It provides guide words for the elements of the loop that prompt you to identify hazard causal factors for both types of scenario, so that the analysis of each control action is systematic rather than ad hoc.
To learn more about Control Loop Diagrams, please refer to the page here.
You can also customize these Hint words.
To document the hazard causal factors and scenarios, use the "Loss Scenario Table" in Astah System Safety. Create it by selecting an unsafe control action in the UCA Table and then double-clicking "Loss Scenario" in the [STPA Procedure] tab. Each table records how one unsafe control action can arise and lead to its hazards.
After selecting "Loss Scenario" in the [STPA Procedure] tab, a list of the previously identified unsafe control actions appears. From this list, choose the control action you were analyzing in the Control Loop Diagram and click [OK].
A blank Loss Scenario Table then opens. In this table, add a Hazard Causal Factor (HCF), then write the scenario associated with that HCF, along with the hint word that led you to it.
To learn how to work with the loss scenario tables, please refer to this page.
The final step in the STPA process is to develop countermeasures for the identified hazard causal factors. In Astah System Safety, this is done in the Countermeasure Table.
To create this table, double-click "Countermeasures" in the [STPA Procedure] tab. The table documents the measures that mitigate the hazard causal factors identified in the previous step.
When you open the Countermeasure Table in Astah System Safety, it displays in the diagram editor a list of all the hazard causal factors identified in the loss scenario analysis, each associated with its unsafe control action, so you have a complete overview of the factors to address.
Using the Countermeasure Table, you record a countermeasure for each identified hazard causal factor. A causal factor without a countermeasure is an open item in the analysis.
To learn how to work with the Countermeasure Table, please refer to the guide – Countermeasure Table.
During an STPA analysis it is common to discover new hazards, or to notice omissions in the Control Structure. STPA is iterative: you will revisit the tables, control structure diagrams and control loop diagrams to revise and refine them. Because the tables reference one another (hazards to losses, safety constraints to hazards, UCAs to hazards, causal factors to UCAs, countermeasures to causal factors), each iteration should also check that these references are still complete and consistent.
Finally, once your STPA analysis is complete, you can export all the compiled data, including the Countermeasure Table, the Loss Hazard Safety Constraint Table, the UCA Table and the loss scenarios.
This is done through Astah System Safety's export feature: navigate to [File] – [Export] – [STAMP/STPA Tables to Excel]. The analysis is consolidated in an Excel workbook that can be shared for review, collaboration or archiving.
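The following is an added example, not part of the Astah page or product, of the consistency check worth running at each iteration and before exporting: it walks the chain loss -> hazard -> safety constraint -> UCA -> hazard causal factor -> countermeasure and reports every row that is unlinked or dangling, then flattens the chain into one traceability row per path, in the spirit of the table export. The model data is constructed for illustration and deliberately contains gaps (an unlinked hazard, a hazard without a constraint, a causal factor without a countermeasure).

```python
import csv
import io

# Constructed STPA model (not from the Astah page). Each row carries the
# references that the Astah tables hold in their drop-down columns.
MODEL = {
    "losses": {"L-1": "Loss of life or injury to passengers"},
    "hazards": {
        "H-1": {"text": "Door is open while the train is moving", "losses": ["L-1"]},
        "H-2": {"text": "Passenger is trapped in the doorway", "losses": ["L-1"]},
        "H-3": {"text": "Train departs with a door not locked", "losses": []},  # deliberately unlinked
    },
    "constraints": {
        "SC-1": {"text": "Doors must remain closed while the train is moving", "hazards": ["H-1"]},
    },
    "ucas": {
        "UCA-2": {"text": "Door controller provides 'open doors' while the train is moving",
                  "hazards": ["H-1"]},
        "UCA-8": {"text": "Door controller stops 'open doors' too soon with a passenger in the doorway",
                  "hazards": ["H-2"]},
    },
    "scenarios": {
        "HCF-1": {"text": "Speed feedback stuck at zero, controller believes the train is stopped",
                  "hint": "feedback delayed or missing", "uca": "UCA-2"},
        "HCF-2": {"text": "Obstacle sensor reports 'clear' for a thin object",
                  "hint": "inadequate sensor", "uca": "UCA-8"},
    },
    "countermeasures": {
        "CM-1": {"text": "Cross-check speed against a second source; treat disagreement as 'moving'",
                 "hcf": "HCF-1"},
    },
}


def lint(model):
    """Return traceability findings; an empty list means every row is linked end to end."""
    findings = []
    losses, hazards = model["losses"], model["hazards"]
    # Every hazard must lead to a defined loss, be covered by a safety constraint,
    # and be reached by at least one UCA (otherwise the control structure or UCA table has a gap).
    for hid, h in hazards.items():
        if not h["losses"]:
            findings.append(f"{hid} leads to no loss")
        for lid in h["losses"]:
            if lid not in losses:
                findings.append(f"{hid} refers to unknown loss {lid}")
        if not any(hid in sc["hazards"] for sc in model["constraints"].values()):
            findings.append(f"{hid} has no safety constraint")
        if not any(hid in u["hazards"] for u in model["ucas"].values()):
            findings.append(f"{hid} is not reached by any UCA")
    # Every UCA must cite defined hazards and have at least one loss scenario.
    for uid, u in model["ucas"].items():
        for hid in u["hazards"]:
            if hid not in hazards:
                findings.append(f"{uid} refers to unknown hazard {hid}")
        if not any(s["uca"] == uid for s in model["scenarios"].values()):
            findings.append(f"{uid} has no loss scenario")
    # Every hazard causal factor must belong to a UCA and be addressed by a countermeasure.
    for sid, s in model["scenarios"].items():
        if s["uca"] not in model["ucas"]:
            findings.append(f"{sid} refers to unknown UCA {s['uca']}")
        if not any(cm["hcf"] == sid for cm in model["countermeasures"].values()):
            findings.append(f"{sid} has no countermeasure")
    for cid, cm in model["countermeasures"].items():
        if cm["hcf"] not in model["scenarios"]:
            findings.append(f"{cid} refers to unknown causal factor {cm['hcf']}")
    return findings


def trace_rows(model):
    """Flatten loss -> hazard -> UCA -> causal factor -> countermeasure, one row per path."""
    rows = []
    for sid, s in model["scenarios"].items():
        u = model["ucas"].get(s["uca"], {"hazards": [""]})
        cms = [cid for cid, cm in model["countermeasures"].items() if cm["hcf"] == sid] or [""]
        for hid in u["hazards"]:
            h = model["hazards"].get(hid, {"losses": [""]})
            for lid in h["losses"] or [""]:
                for cid in cms:
                    rows.append((lid, hid, s["uca"], sid, cid))
    return rows


def to_csv(model) -> str:
    """CSV rendering of the traceability rows, with a header row."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(("Loss", "Hazard", "UCA", "HCF", "Countermeasure"))
    w.writerows(trace_rows(model))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in lint(MODEL):
        print("open item:", finding)
    print(to_csv(MODEL))
```

Run against the constructed model, the check reports H-3 as linked to no loss, covered by no constraint and reached by no UCA, H-2 as lacking a safety constraint, and HCF-2 as lacking a countermeasure; these are exactly the items to resolve in the next iteration before the Excel export is treated as final.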
Additionally, Astah System Safety can export diagrams and tables as image files. Go to [File] – [Export Image] – [Multi-Diagrams]; PNG, JPEG, EMF and SVG formats are supported. This is useful for presentations, reports, or for team members who need a visual overview of the STPA analysis without opening the project.