Systems Theoretic Process Analysis (STPA) with safeTbox
This article briefly shows how the STPA framework is supported in our modeling tool safeTbox. If you work in the safety field, you might also be interested in our other features: CFT, HARA and GSN. Please have a look.
The editor includes a navigation pane on the left-hand side that lets you follow the steps of the process one by one. As you will see later, the STPA Manager can aggregate multiple control structures, UCA analyses and causal scenario analyses. In a simple or focused analysis you will probably need only one of each. However, it is often hard to predict how an analysis will evolve, so our approach lets you create multiple tracks of analysis and distribute your effort across them. There are several reasons to do this:
- Because the system is too complex or too large.
- Because of the need to investigate different concerns (e.g. safety / security).
- To speed up the analysis process by assigning parts to different analysts.
The Loss Identification section brings together two points suggested in the STPA Handbook: the definition of stakeholders and their objectives, and the definition of losses. In theory, negating the objectives gives a good indication of the losses, i.e. the outcomes that are unacceptable to the stakeholders. In practice this step is usually skipped and the losses are specified directly. It is nonetheless worth performing, because it hints at the direction the upcoming analysis should take (safety, security, performance, etc.), which, as mentioned above, may lead to the definition of multiple analysis tracks.
The STPA Manager supports the definition of safety-related hazards, security-related threats and generic undesirable states; the last of these can be used to analyze any other system property. In particular, hazards may already have been defined with one of our other modelling techniques, namely HARA for ISO 26262. Although this section is important, it can be considered optional: you may have no results from other analyses, your investigation of hazards may not have yielded undesirable states, or you may simply decide not to define any, assuming you will find them during the later analysis steps anyway.
In a final step, system constraints are specified for the identified unwanted system states. In safeTbox, system constraints are represented as SysML requirements. A mapping between unwanted states and constraints can be established in the same way as between stakeholders and their objectives.
Once a control structure has been created in the STPA Manager, the navigation button opens the EA (Enterprise Architect) diagram in which you carry out the modelling. It automatically loads the toolbox with the STPA modelling elements and connectors. safeTbox also offers several usability features that facilitate the modelling activities; these are found in the safeTbox context menu (Ctrl + Space).
Together with the EA diagram, a supporting dialog is opened. This dialog shows the currently defined control interactions and lets you define functional requirements (SysML requirements) for them.
Note that the UCA analysis is usually guided by a set of guidewords. In safeTbox these can be set globally in the application settings or overridden in a specific UCA analysis editor. This lets you maintain a catalogue that is easy to reuse but can be tailored to the needs of a particular analysis. For example, you might create a catalogue of safety- and security-related guidewords and then, for a specific UCA analysis, remove those that are not relevant to the system property being analyzed.

Another important part of this step is to define the requirements (e.g. safety or security requirements) for the identified critical UCAs. This is done in the requirements section of the editor, which displays only those UCAs that are associated with a hazard, threat or undesirable state. This view also shows the existing requirements associated with the hazard, as defined in the purpose definition step, and the requirements associated with the control actions, as defined when modelling the control structure.
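The bookkeeping behind this step (a global guideword catalogue, a per-analysis override, one candidate UCA per control action and guideword, and requirements derived only for UCAs that trace to a hazard or threat) is small enough to show in code. The following Python script is an added illustration written for this article; it is not safeTbox's implementation, and the guideword catalogue, the brake-by-wire control actions, the hazards H1/H2 and threat T1, and the analyst's UCA-to-hazard links are all constructed for the example.

```python
"""Illustrative STPA bookkeeping (not safeTbox's own code): guideword-driven
UCA candidates, per-analysis catalogue tailoring, and requirements derived
only for UCAs that trace to a hazard or threat."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed application-wide catalogue: guideword -> (UCA phrase, constraint phrase).
# The first four follow the STPA Handbook UCA types; SPOOFED and TAMPERED are a
# security extension chosen for this example.
DEFAULT_GUIDEWORDS: Dict[str, Tuple[str, str]] = {
    "NOT_PROVIDED": ("not provided when it is needed",
                     "must be provided whenever it is needed"),
    "PROVIDED": ("provided when it is unsafe to do so",
                 "must not be provided when it is unsafe"),
    "TIMING": ("provided too early, too late or out of sequence",
               "must be provided within its required time window and order"),
    "DURATION": ("stopped too soon or applied too long",
                 "must be held for exactly its required duration"),
    "SPOOFED": ("provided by an entity other than the legitimate controller",
                "must be accepted only from the authenticated controller"),
    "TAMPERED": ("provided with an altered parameter value",
                 "must be integrity-protected end to end"),
}


@dataclass(frozen=True)
class ControlAction:
    id: str          # e.g. "CA1"
    controller: str
    process: str     # controlled process / actuator
    name: str        # verb phrase, e.g. "apply brakes"


@dataclass
class UCA:
    id: str
    action: ControlAction
    guideword: str
    text: str
    links: Tuple[str, ...] = ()   # hazard / threat / undesirable-state ids


def tailor_catalogue(base, remove=(), add=None):
    """Per-analysis override of the global catalogue: drop guidewords that are
    irrelevant to the property under study and add analysis-specific ones."""
    cat = {k: v for k, v in base.items() if k not in set(remove)}
    cat.update(add or {})
    return cat


def generate_ucas(actions: Iterable[ControlAction], catalogue) -> List[UCA]:
    """One candidate UCA per (control action, guideword) pair."""
    ucas, n = [], 1
    for ca in actions:
        for gw, (phrase, _) in catalogue.items():
            ucas.append(UCA(f"UCA{n}", ca, gw,
                            f"{ca.controller} '{ca.name}' to {ca.process} is {phrase}"))
            n += 1
    return ucas


def link_to_hazards(ucas, links: Dict[str, Iterable[str]], known_hazards):
    """Record the analyst's judgement of which hazards/threats a UCA leads to.
    Dangling UCA or hazard ids are rejected so the trace stays consistent."""
    by_id = {u.id: u for u in ucas}
    for uid, hids in links.items():
        hids = tuple(hids)
        if uid not in by_id or any(h not in known_hazards for h in hids):
            raise ValueError(f"bad link {uid} -> {hids}")
        by_id[uid].links = hids
    return ucas


def derive_requirements(ucas, catalogue):
    """Only linked (critical) UCAs become requirements. The requirement is the
    guideword's constraint phrase applied to the control action, with a trace
    back to the UCA and to its hazards/threats."""
    reqs = []
    for u in ucas:
        if not u.links:
            continue
        reqs.append({"id": f"REQ{len(reqs) + 1}",
                     "text": f"'{u.action.name}' {catalogue[u.guideword][1]}",
                     "uca": u.id, "traces_to": u.links})
    return reqs


def safety_track():
    """Constructed example: brake-by-wire control actions, safety guidewords only."""
    hazards = {"H1": "Vehicle does not decelerate when required",
               "H2": "Vehicle decelerates unexpectedly"}
    actions = [ControlAction("CA1", "Brake controller", "brake actuator", "apply brakes"),
               ControlAction("CA2", "Brake controller", "brake actuator", "release brakes")]
    cat = tailor_catalogue(DEFAULT_GUIDEWORDS, remove=("SPOOFED", "TAMPERED"))
    ucas = generate_ucas(actions, cat)
    # Analyst judgement (constructed): UCA1 = CA1/NOT_PROVIDED, UCA6 = CA2/PROVIDED
    link_to_hazards(ucas, {"UCA1": ["H1"], "UCA6": ["H2"]}, hazards)
    return ucas, derive_requirements(ucas, cat)


def security_track():
    """Same controller, security guidewords: keep PROVIDED/SPOOFED/TAMPERED, add REPLAYED."""
    threats = {"T1": "Attacker forces unintended braking"}
    actions = [ControlAction("CA1", "Brake controller", "brake actuator", "apply brakes")]
    cat = tailor_catalogue(DEFAULT_GUIDEWORDS, remove=("NOT_PROVIDED", "TIMING", "DURATION"),
                           add={"REPLAYED": ("a replay of an earlier legitimate command",
                                             "must carry freshness so replays are rejected")})
    ucas = generate_ucas(actions, cat)
    link_to_hazards(ucas, {"UCA2": ["T1"], "UCA4": ["T1"]}, threats)
    return ucas, derive_requirements(ucas, cat)


if __name__ == "__main__":
    for track in (safety_track, security_track):
        ucas, reqs = track()
        print(f"{track.__name__}: {len(ucas)} candidate UCAs, {len(reqs)} requirements")
        for r in reqs:
            print(f"  {r['id']} <- {r['uca']} -> {r['traces_to']}: {r['text']}")
```

The point of the two tracks is the one made above: the same control structure is analysed twice with different catalogues, the non-linked candidates are kept (they were examined and judged non-critical), and only the linked UCAs reach the requirements view, each carrying its trace to the hazard or threat it came from.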
safeTbox is completely free for non-commercial use. You can access the tool installer after subscribing to our email list.
For commercial use of safeTbox, please contact us and we will get back to you with the options that suit your particular usage scenario.