Model-Based STPA: Enhancing Safety Analysis with MBSE

System Theoretic Process Analysis (STPA) is a powerful hazard analysis technique for safety-critical systems. The new SAE J3187-3-2023 standard provides recommended practices for applying STPA in a model-based systems engineering (MBSE) environment. This article explores the key concepts, steps, and insights from the standard.

Understanding the Scope and Purpose of SAE J3187-3-2023

SAE J3187-3-2023 is an appendix to the original SAE J3187 Recommended Practice. It focuses specifically on integrating STPA with MBSE to manage complexity, improve traceability, and automate parts of the analysis. The standard uses the RAAML (Risk Analysis and Assessment Modeling Language) and OMG standards to represent STPA elements in a model.

🛠️ Engineering Insight: By embedding STPA within an MBSE framework, teams can link system elements, functions, and unsafe control actions in a cohesive model, enabling dynamic updates and consistency across the engineering lifecycle.

Key Takeaway: The standard provides a structured approach to model-based STPA, from identifying losses and hazards to expanding control structures and analyzing loss scenarios.

Key Steps for Performing Model-Based STPA

The standard outlines seven main steps in model-based STPA, illustrated with an automotive intersection example. The table below summarizes these steps:

| Step | Description | MBSE Representation |
|---|---|---|
| 1. Identify Losses | Define accidents or unacceptable outcomes | Modeled as loss elements |
| 2. Identify Hazards | System states or conditions that can lead to losses | Hazard elements linked to losses |
| 3. Define Control Structure | Map controllers, actuators, sensors, and feedback | Block definition diagrams or internal blocks |
| 4. Understand Operational Contexts | Identify scenarios that affect hazard likelihood | Situation models linked to hazards |
| 5. Develop Unsafe Control Actions (UCAs) | Determine control actions that could cause hazards | UCAs modeled with guidewords and contexts |
| 6. Identify Loss Scenarios | Explore causal factors and sequences that lead to UCAs | Scenario models with factors |
| 7. Expand Control Structure | Decompose to sufficient detail for analysis | Refined block diagrams |

🔍 Design Insight: The standard emphasizes explicit modeling of operational contexts and situations, which helps in systematic identification of hazards that depend on specific conditions (e.g., weather, traffic).

Benefits and Common Pitfalls in Model-Based STPA

Model-based STPA offers several advantages over traditional document-based STPA:

  • Improved traceability: Links between losses, hazards, UCAs, and scenarios are maintained in a single model.
  • Automation support: Some analysis steps can be automated using MBSE tools.
  • Consistency: Changes propagate automatically across the model.

However, the standard also warns of common mistakes, such as improperly identifying losses and hazards, not linking UCAs to control actions correctly, or failing to consider all operational contexts.
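The traceability and automation benefits, and the pitfalls just listed, can be made concrete with a small in-memory model of the STPA elements plus automated consistency checks. This is an added example, not code from the standard or from any RAAML tool; the element names, the `StpaModel` structure and the intersection data are constructed for illustration.

```python
from dataclasses import dataclass, field
# Guidewords applied to each control action in step 5 to derive UCAs.
GUIDEWORDS = ("not provided", "provided", "too early or too late", "stopped too soon or applied too long")

@dataclass
class StpaModel:
    losses: dict = field(default_factory=dict)           # step 1: id -> description
    hazards: dict = field(default_factory=dict)          # step 2: id -> (description, [loss ids])
    control_actions: dict = field(default_factory=dict)  # step 3: id -> (controller, controlled process)
    contexts: set = field(default_factory=set)           # step 4: operational contexts
    ucas: list = field(default_factory=list)             # step 5: (id, ca id, guideword, context, [hazard ids])
    scenarios: list = field(default_factory=list)        # step 6: (id, uca id, causal factor)

def check_model(m: StpaModel) -> list:
    """Automated traceability checks for the pitfalls named above; returns findings."""
    findings = []
    for hid, (_, loss_ids) in m.hazards.items():
        if not loss_ids or any(l not in m.losses for l in loss_ids):
            findings.append(f"{hid}: hazard is not traceable to a defined loss")
    for uid, ca, gw, ctx, hz in m.ucas:
        if ca not in m.control_actions:
            findings.append(f"{uid}: UCA refers to unknown control action {ca}")
        if gw not in GUIDEWORDS:
            findings.append(f"{uid}: '{gw}' is not a recognised guideword")
        if ctx not in m.contexts:
            findings.append(f"{uid}: context '{ctx}' is not a modeled operational context")
        if not hz or any(h not in m.hazards for h in hz):
            findings.append(f"{uid}: UCA is not linked to a defined hazard")
    assessed = {(ca, ctx) for _, ca, _, ctx, _ in m.ucas}
    for ca, ctx in ((a, c) for a in m.control_actions for c in sorted(m.contexts)):
        if (ca, ctx) not in assessed:  # a context nobody assessed is a missed UCA candidate
            findings.append(f"{ca}: not assessed for context '{ctx}'")
    explained = {uca for _, uca, _ in m.scenarios}
    for uid, *_ in m.ucas:
        if uid not in explained:
            findings.append(f"{uid}: no loss scenario explains this UCA")
    return findings

def intersection_example() -> StpaModel:
    """Constructed fragment of an intersection analysis, not the standard's own data."""
    m = StpaModel()
    m.losses["L-1"] = "Collision with cross traffic in the intersection"
    m.hazards["H-1"] = ("Vehicle enters intersection while cross traffic has right of way", ["L-1"])
    m.hazards["H-2"] = ("Vehicle stops inside the intersection", [])  # pitfall: no loss link
    m.control_actions["CA-1"] = ("Intersection assist controller", "Brake actuator")
    m.contexts |= {"cross traffic approaching", "intersection clear"}
    m.ucas.append(("UCA-1", "CA-1", "not provided", "cross traffic approaching", ["H-1"]))
    m.scenarios.append(("S-1", "UCA-1", "Camera feedback delayed; controller believes intersection is clear"))
    return m  # check_model() reports H-2 and the unassessed 'intersection clear' context
```

Running `check_model(intersection_example())` flags the hazard with no loss link and the operational context that was never assessed for the brake command, which is exactly the kind of gap a document-based analysis tends to miss.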

⚠️ Caution: Avoid expanding the control structure to too high a level too early; ensure each level provides sufficient detail to identify relevant UCAs and loss scenarios.

Frequently Asked Questions

1. What is the main difference between traditional STPA and model-based STPA?

Traditional STPA often uses documents and spreadsheets, while model-based STPA leverages MBSE tools to create a structured, traceable, and automated representation of the analysis.

2. Can model-based STPA be applied outside the automotive industry?

Yes, the standard states it is applicable to any industry with safety-critical systems, as STPA is domain-agnostic.

3. What is RAAML and how does it relate to STPA?

RAAML (Risk Analysis and Assessment Modeling Language) is an OMG standard that provides stereotypes and profiles to represent STPA concepts in a UML/SysML environment.

4. What are the first steps to adopt model-based STPA in a project?

Start by familiarizing yourself with MBSE tools that support RAAML, then define losses and hazards for your system, and build a high-level control structure model.

For more details, refer to the full SAE J3187-3-2023 standard.
