Start STAMP/STPA with Astah System Safety

This tutorial will briefly guide you through the STAMP/STPA procedures using Astah System Safety.
You can try out Astah System Safety for 40 days before purchase. So before you being with this tutorial, get a free trial, install Astah System Safety and explore all the functionalities along with this guide.

Once you installed Astah, launch and create a new file from [File] – [New] then open [STPA Procedure] tab in the top-left pane. This pane is a guidance to help you go through the basic STPA steps. It is not mandatory to follow the whole process as it shows but for anyone who first starts using this tool, we suggest you follow so you can learn how Astah System Safety supports STPA.

• Before you begin
• STEP 1 – Define purpose of analysis
• STEP 2- Modeling a Control Structure
• STEP 3- Identify Unsafe Control Action
• STEP 4 – Identify Loss Scenario

Before you begin

Before you start a STPA analysis, you need to fully understand the target system you are about to analyze first – by reading the requirements specifications, drawing a brief picture using SysML or UML diagrams to represent the requirements, structures and behaviors…etc. Astah System Safety also supports SysML diagrams, so you can create SysML diagrams before you start STPA.

STEP1 – Define purpose of analysis

Precondition Table

The first step is to define the purpose of the analysis. What do you analyze in the system and what is the system boundary and what are the losses you aim to prevent by this analysis. Ask these questions and set the scope of analysis and define preconditions. Without any preconditions, the analysis could diverge and you may not get a result as you aimed.

To define the preconditions, you use “Precondition Tables” in Astah.
Double-click Determine Preconditions in the “STPA Procedure” tab.

A blank table opens in the diagram editor. Right-click on it, select [Add Precondition] and start writing the preconditions.


To learn more about Precondition Tables, please refer to the guide here – Precondition Table.

Accident Hazard Safety Constraint Table

Now you need to clarify what kind of accidents and losses you aim to prevent by this analysis and what the potential accidents and losses are. Then identify the hazards – a system state or set of conditions that will lead to a loss. Then identify the constraints to prevent the hazards. In Astah System Safety, you use the Accident Hazard Safety Constraint Table to list them up all.

Double-click [Identify Accident, Hazard, Safety Constraint] in the [STPA Procedure] on the left. A blank table opens in the diagram editor. Right-click on the table, click [Add Accident] to add an accident.


To learn how to add hazards and safety constraints, please refer to the guide – Accident Hazard Safety Constraint Table.

Each hazard could lead to one or more accidents and each safety constraint could be related to one or more hazards. In that case, you can choose an already existing hazard and safety constraint from the drop-down list.

STEP2 – Modeling the control structure

The next step is to model the control structure. In Astah System Safety, you use [Control Structure Diagram] to graphically represents the main control elements, control actions and the control actions between the controllers and the controlled systems. To create a diagram, select [Draw a Control Structure] under STEP 2 in the [STPA Procedure].



Or, go to [Diagram] – [STAMP/STPA] – [Control Structure Diagram].

It is important to begin with an abstract control structure and iteratively adds detail as needed.

Astah System Safety lets you create the diagram easily with smart assist, create main Components by pasting texts or by converting SysML Blocks (just drag and drop Blocks from the tree view to the diagram..etc). Also, there is a view called CS Entire view when you want to see all the structures of the related and nested Components. This is extremely helpful to see the entire view of the system when the interactions between Components are represented over several diagrams.

To learn more about Control Structure Diagram and CS Entire view, please refer to the guides below:

• Control Structure Diagram
• CS Entire View

STEP3 – Identify Unsafe Control Actions

After the control structure is modeled, the next step is to identify Unsafe Control Actions. An Unsafe Control Action is a control action that will lead to a hazard in a particular context. To identify Unsafe Control Actions, click [Identify UCA (Unsafe Control Action) in the [STPA Procedure] tab.

A UCA table appears. Astah System Safety automatically extracts all the Control Actions defined in the Control Structure Diagram and puts them in this list.

There are four ways a control action can be unsafe and these 4 guides are included in the columns by default:


1. Not Providing – Not providing the control action leads to a hazard.
2. Providing causes hazard – Providing the control action leads to a hazard.
3. Too early / Too late – Providing a potentially safe control action but too early or too late.
4. Stop too soon / Applying too long – The control action is applied too long or is stopped too soon.

By filling out all the 4 columns for each control action, you are testing if the control action meets this requirement: A correct control action is provided at the correct time with correct duration. And if any fails to meet the requirement, you can identify them as Unsafe Control Actions.

In the UCA table, you should specify which hazard that the UCA leads to, and the context in which the control action is unsafe.

To learn more about UCA table, please refer to the guide – UCA Table.

STEP4 – Identify Loss Scenario

Control Loop Diagram

Once unsafe control actions are identified, the next step is to identify loss scenarios for each unsafe control action. Loss scenarios are the descriptions of the causal factors that can lead to the unsafe control actions and to hazards. With Astah System Safety, we start from creating a Control Loop Diagram.

Control Loop Diagram is a diagram that focuses on a specific Control Action and shows a control loop with actions and feedback. Create a Control Loop Diagram for every Control Action that was identified as unsafe and find the hazard causal factors.

To create a Control Loop Diagram, you need to select a target Control Action in the Control Structure Diagram then double-click “Control Loop Diagram”.


There are two types of scenarios that you need to consider.

1. Why would Unsafe Control Actions occur?
2. Why would control actions be improperly executed or not executed, leading to hazards?

When you are on a Control Loop Diagram, open the [Hint Word Set] which will help you identify the hazard causal factors.


To learn more about Control Loop Diagrams, please refer to the page here.
You can also customize these Hint words.

Loss Scenarios

Now you document and analyze the hazard causal factors and scenarios using “Loss Scenario Table”.
To create a loss scenario table, select an unsafe control action and double-click the “Loss Scenario” in the “STPA Procedure” tab.


Then a list of unsafe control actions will appear. Select one that you were just analyzing in the Control Loop Diagram and click [OK].

A blank table opens. Add the HCF (Hazard causal factor), write scenario and the hint word that derived the scenario.

To learn how to work with the loss scenario tables, please refer to this page.

Countermeasures

The last step is to consider the countermeasures for the extracted hazard causal factors.
In Astah System Safety, we use the Countermeasures table.

To create one, double-click “Countermeasures” in the “STPA procedure” tab.


Then a Countermeasure Table opens in the diagram editor with a list of all the hazard causal factors you already filled in the loss scenarios and the unsafe control actions.


So using this table, you create countermeasure for each hazard causal factor, specify target Components (you can choose from the drop-down list) and remarks.

To learn how to work with the Countermeasure Table, please refer to the guide – Countermeasure Table.

During the STPA analysis, you may often uncover new hazards and omissions in the Control Structure. STPA is an iterative method so you may revisit the tables, control structure diagrams and control loop diagrams to revise and refine them as needed.

Export documentation to share with others

At last, you can export the complete Countermeasure table and all the other tables (Accident Hazard Safety Constraint tables, UCA table and scenarios) from [File] – [Export] – [STAMP/STPA Tables to Excel].


And export diagrams and tables to image files (PNG, JPEG, EMF or SVG) from [File] – [Export Image] – [Multi-Diagrams] menu to share with the others.