Addon/Viewpoint to support STAMP or STPA for safety and security analysis

Does anyone know if there is any tool development for Capella to help support STPA based hazard analysis? I’ve been participating in the MIT STAMP Workshop this week. It appears the top down analysis method is well aligned to ARCADIA Method, but the professors have indicated there isn’t too much MBSE tool support for the STPA analysis method as of yet.
Any thoughts about this from the Capella experts?
Thanks,
Scott

Hi Scott,
I hope you are doing well.
This is certainly not a comprehensive answer but I found these 2 papers which I believe are relevant to your question:
- “STPA-Inspired Safety Analysis of Driver-Vehicle Interaction in Cooperative Driving Automation”: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwip9YzkpeHqAhUO0uAKHWtoDfwQFjABegQIBRAB&url=http%3A%2F%2Fwww.diva-portal.se%2Fsmash%2Fget%2Fdiva2%3A1371216%2FFULLTEXT01.pdf&usg=AOvVaw0WTPY74kxrVgkyI39kewFE
- “MethodologyAndArchitectureForSafetyManagement”: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwip9YzkpeHqAhUO0uAKHWtoDfwQFjACegQIBhAB&url=https%3A%2F%2Fhal-univ-pau.archives-ouvertes.fr%2Fhal-02416468%2Ffile%2Fcsit91801.pdf&usg=AOvVaw3ZEg0mBr1nVCe099Q11k0K

Stephane

Hello Scott,
Yes, there is work going on regarding STPA with Arcadia and Capella. As you pointed out, it feels like a good fit. It is not ready yet, but you can expect that we post on this thread when we have relevant news.
Olivier

Nice to know, Olivier. I am interested also.
best, ricardo

Olivier Constant wrote on Tue, 04 August 2020 19:21

Hello Scott,

Yes, there is work going on regarding STPA with Arcadia and Capella. As you pointed out, it feels like a good fit. It is not ready yet, but you can expect that we post on this thread when we have relevant news.

Olivier

This is good to hear. This past week I have been doing a literature review on STPA. Stephane provided some interesting papers above.

What I’m trying to understand is if some existing features of Capella could be leveraged. For example, does a functional chain on a LAB diagram help to visually illustrate Unsafe Control Actions? Is there a chance to use Capella sequence diagrams in support of illustrating Step 4 Loss Scenarios? Would it be valid to use functional exchanges to represent causal factors between model elements such as missing or delayed data?

I’m pretty new to STPA but I hope to develop some architecture views that are of value to my safety engineering teammates.

Stephane LACRAMPE wrote on Wed, 22 July 2020 16:40

Hi Scott,
I hope you are doing well.
This is certainly not a comprehensive answer but I found these 2 papers which I believe are relevant to your question:
- “STPA-Inspired Safety Analysis of Driver-Vehicle Interaction in Cooperative Driving Automation”: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwip9YzkpeHqAhUO0uAKHWtoDfwQFjABegQIBRAB&url=http%3A%2F%2Fwww.diva-portal.se%2Fsmash%2Fget%2Fdiva2%3A1371216%2FFULLTEXT01.pdf&usg=AOvVaw0WTPY74kxrVgkyI39kewFE
- “MethodologyAndArchitectureForSafetyManagement”: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwip9YzkpeHqAhUO0uAKHWtoDfwQFjACegQIBhAB&url=https%3A%2F%2Fhal-univ-pau.archives-ouvertes.fr%2Fhal-02416468%2Ffile%2Fcsit91801.pdf&usg=AOvVaw3ZEg0mBr1nVCe099Q11k0K

Stephane

The second paper was of strong interest as the authors explained that they would propose to associate STPA with each phase of the ARCADIA method. The details were really difficult to follow so I didn’t think I learned anything about applying STPA within an architecture phase. I was disappointed, as I was hoping to get working insight about the alignment of STPA Steps (0-4) to architecture captures in Capella.

Considering STPA is usually applied at system level, the most adequate perspective to start with should be SA. Having a well-defined operational concept (OA perspective) may also help a lot.

It’s done: we have released in open source experimental support for STPA in Capella. It is available as a new project within Labs4Capella: GitHub - labs4capella/stpa-capella: STPA Viewpoint for Capella. Before releasing it, we used it in a number of real-world projects in order to have some confidence that it is usable and useful, even though it can be improved in many ways. Feel free to use it and give feedback.


We had numerous discussions internally on how STPA can integrate with Arcadia and Capella modeling. We gave a very brief overview of the rationale we have followed at ERTS 2022 (ERTS 2022 proceedings - Proceeding of the 11th European Congress on Embedded Real Time Systems). To put it short, there are concepts in Arcadia and in STPA that may look close at first sight; a big difference, however, is that in STPA everything is driven by the risks identified at the very beginning. That sheds a very particular light on the system of interest.

We thus chose to consider STPA as a perspective in its own right. There are organizational/sociological justifications for that, but not only: in our case studies, we ended up with hierarchical control structures that were neither an abstraction nor a refinement of a subset of another perspective.

Still, the ability to set traceability links with elements of other perspectives proved very useful. For example, it allowed us to justify the existence of certain control loops through a mapping to functional chains. Mapping control actions and feedback to exchange items was interesting too for Step 4. Conversely, we also had a control loop that we could not “close” due to the absence of suitable feedback in the architecture (it resulted in rather funny loss scenarios), which ended up as a new requirement at logical level.

I presume there are plenty of other situations where the STPA perspective and the usual Arcadia perspectives can help consolidate each other. From what we experimented, all Arcadia perspectives from OA to PA can be concerned (provided the system of interest for STPA has been clearly defined) depending on the intended scope and abstraction level of the STPA analysis. Of course, it is not only about “creating” a design but also about evolving it. For example, traceability and impact analysis can inform us that we are modifying architecture elements which are involved in an STPA control loop, and that this control loop is essential to the prevention of a critical hazard.


I have been using the STPA viewpoint and so far it’s been extremely useful in linking hazards, safety goals, developing our safety requirements, and showing provenance to our safety design decisions! I see a lot of potential in this viewpoint and hope it continues to get traction, thanks!

Quick question from me: our design team interacts with our models through the HTML doc we generate, so it’s important that all model content is publishable to that format for us. I noticed the HTML doc output doesn’t get populated with the STPA viewpoint content by default. Does this functionality exist, and if so, where do I activate it? If not, this would be an excellent update.

Cheers,

sbeaz


I don’t believe this is something that exists yet but maybe Olivier will contradict me or this is something in the roadmap. If not, feel free to contact us (Obeo), we can provide the corresponding service for providing this evolution.
Stephane Lacrampe
Obeo Canada

I have been working with the STPA viewpoint for some time. I think it is a great addition to Capella capabilities. I have also come across the work of the Adaptive project, in Europe (FP7) where they used a layered STPA approach that, in my perspective, traverses the Operational, to System, to Logical layers.

It would be interesting to be able to do this with the STPA add-on, establishing these different layers?

ref: Folie 1 (zhaw.ch)
ref: (2) (PDF) A Systematic Approach Based on STPA for Developing a Dependable Architecture for Fully Automated Driving Vehicles (researchgate.net)

Another related point is having nested controllers. I am thinking whether we could have… somehow… the result below, in which hiding the nested controllers would lead to the second view… probably not that simple, as you can have control/feedback specific to the aggregate and not in any of its constituent controllers…

image

image

Finally, exporting to HTML would be fantastic… but maybe that means some work with the XHTML add-on?


From my understanding, @Olivier_Constant is the main author of this add-on. Maybe he can share whether some of your ideas are in his roadmap, or if there is a roadmap. I suppose he is open to contributions…
Stephane


Thanks for mentioning me Stéphane, that woke me up! I presume I should improve the way I use the notification system… Anyway, we are definitely open to contributions, indeed! But the good news is, we already worked a bit on HTML export based on the XHTML add-on and it should be available in a few days. 🙂


Thanks for your feedback @sbeaz! It is unfortunate I overlooked your message, I guess the Christmas holidays got in the way. Anyway, we too found that the HTML generation feature was missing, so as I just wrote above we are about to make it available in a few days. ^^


It’s done: new release 0.2.0 includes HTML documentation generation based on the XHTML add-on.
There are limitations but let’s say it’s a start.

Thanks for the feedback and the interesting links, @rreis! Regarding controller abstraction, that would definitely be useful. We had the same kind of need in one of our projects specifically. More precisely, besides controller abstraction the need involved combining control actions into higher-level ones, but that looked a bit too complex as a first step. What you propose looks more feasible.

Regarding STPA analyses at different levels or perspectives, that is definitely a topic we too identified as important, as part of the larger topic of integrating STPA into (model-based) engineering processes. At tool support level, a first basic step could be to support editing several STPA analyses in the same model and having traceability links between their model elements. That would at least allow experimenting in order to become more mature methodologically… Although I would definitely be happy to propose something else than requiring users to maintain traceability links by hand.

Anyway, feel free to create issues to track exchanges on topics you would like to discuss in depth.


Thank you, @OConstant for doing this work!
Stephane

Merci for this work @OConstant! Very welcome! I will try it soon 😄

Do you prefer to engage through issue creation, or to debate through the forum, which might add more views?

About the nesting and layering… this paper from Nancy Leveson was an inspiration: http://sunnyday.mit.edu/conceptual-architecture-final.pdf (e.g. see pages 12 and 13)

Picking up on your words, “combining control actions into higher-level ones”, I also see that with responsibilities… That would also be very useful to express in ConOps/OpsCon… zoom out, zoom in.

cheers, Ricardo

Feel free to proceed as you see fit. If parts of a forum discussion refer to evolutions of the tool, I’ll create corresponding issues with appropriate references to the discussion in order to have something that is structured enough for tracking.

Olivier