PASTA: Pragmatic Automated System-Theoretic Process Analysis
This extension offers a Domain-Specific Language (DSL) for System-Theoretic Process Analysis (STPA), including automatic visualization and validity checks.
Several validity checks are provided, for example
- for each control action at least one Unsafe Control Action (UCA) must be defined,
- for each UCA a constraint must be defined.
These checks can be turned off in the context menu of the editor.
A diagram for the analysis can be opened by clicking on the icon right above the editor or by selecting Open in Diagram in the editor context menu. The diagram provides different color styles and filtering methods. Clicking on a node fades out the nodes not connected to it, and clicking on a node while holding the Ctrl key fades out the nodes that belong to another aspect.
Instead of informal UCA definitions, a context table may be used. To do so, the section Context-Table is used instead of UCAs. A context table can then be generated automatically and shown alongside the diagram by selecting Show Context Tables in the editor context menu or by clicking the corresponding icon right above the editor. Clicking on a UCA in the context table highlights the corresponding node in the diagram and its definition in the editor. In the context table view, a control action can be selected in order to inspect it.
To use the extension for an analysis, the file in which the analysis is written must have .stpa as its file extension. Each STPA aspect has its own section in the DSL. The components of each aspect are defined with an ID, a description, and a reference list. To define a new component, state the prefix of the corresponding aspect, for example "L" for a loss, followed by a string with the description; the numbering of the IDs is adjusted automatically.
In the control structure, the system components are stated; each component can contain a process model, inputs, outputs, control actions, and feedback. The visualization of input and output edges is experimental at the moment and will be improved in the future.
Minimal example of an analysis for a ferry. The lines are grouped by STPA aspect: losses, hazards, system constraints, the control structure (process model, input, output, control actions, and feedback of the components ControlCentre, VirtualCaptain, and Engine), responsibilities, UCAs, controller constraints, loss scenarios, and safety requirements. Section headers and the nesting of the control-structure entries within their components are not shown.

```
L1 "Loss of life or serious injury to people"

H1 "Vessel's exposure to major damage or breakdown" [L1]

SC1 "Vessel must not be exposed to major damage or breakdown" [H1]

mode: [docking, driving]
input [weather "weather", other "Other information"]
output [info "information"]
[navi "Route navigation", data "Weather data"] -> VirtualCaptain
[manual "Manual setting"] -> Engine
[pars "Set parameters"] -> Engine
[status "System status", faults "Faults"] -> ControlCentre
[motion "Motion"] -> VirtualCaptain

R1 "Actuate reverse gear when too close to a No Go Area" [SC1]
R3 "Manually set parameters of engine in case of a malfunction" [SC1]

UCA1 "ControlCentre does not provide Manual setting when VC is malfunctioning and vessel too close to a No Go Area" [H1]

C1 "ControlCentre must provide the Manual setting control action during VC malfunctioning and vessel too close to No Go Area" [UCA1]

Scenario1 for UCA1 "Abnormal vessel behavior occurs. Vessel comes too close to a No Go Area and ControlCentre does not manually set the parameters of the engine, causing the entering of a No Go Area." [H1]
Scenario2 "Virtual Captain sends the Set parameters command upon coming too close to a No Go Area, but deceleration is not applied due to actuator failure." [H1]

SR1 "ControlCentre must manually set the parameters of the engine when vessel comes too close to a No Go Area" [Scenario1]
```
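The validity checks described above work on exactly the ID / description / reference-list structure that the ferry example uses. The following added example (not part of the extension; its regex, function names and sample analysis are assumptions made here) parses component lines in that flat form and reports two of the problems such a check would flag: references to IDs that are never defined, and UCAs without a controller constraint (prefix C) pointing at them.

```python
import re

# Component line in the flat form the ferry example uses:
#   ID "description" [ref, ref]    (optional "for <ID>", as in "Scenario1 for UCA1")
# The reference list is optional; losses, for instance, reference nothing.
COMPONENT = re.compile(
    r'^(?P<id>[A-Za-z]+\d+)'
    r'(?:\s+for\s+(?P<for>[A-Za-z]+\d+))?'
    r'\s+"(?P<desc>[^"]*)"'
    r'(?:\s*\[(?P<refs>[^\]]*)\])?\s*$'
)

def parse_components(text):
    """Return (id, prefix, referenced ids) for every component line in text."""
    comps = []
    for line in text.splitlines():
        m = COMPONENT.match(line.strip())
        if not m:
            continue  # control-structure lines, section names and blanks are skipped
        refs = [r.strip() for r in m.group("refs").split(",") if r.strip()] if m.group("refs") else []
        if m.group("for"):
            refs.append(m.group("for"))  # "Scenario1 for UCA1" also references UCA1
        prefix = re.match(r"[A-Za-z]+", m.group("id")).group(0)
        comps.append((m.group("id"), prefix, refs))
    return comps

def validate(text):
    """List dangling references and UCAs that no controller constraint refers to."""
    comps = parse_components(text)
    defined = {cid for cid, _, _ in comps}
    problems = []
    for cid, _, refs in comps:
        for ref in refs:
            if ref not in defined:
                problems.append(f"{cid}: reference to undefined {ref}")
    constrained = {ref for _, prefix, refs in comps if prefix == "C" for ref in refs}
    for cid, prefix, _ in comps:
        if prefix == "UCA" and cid not in constrained:
            problems.append(f"{cid}: no controller constraint defined")
    return problems

# Constructed sample: UCA2 has no constraint and SR1 points at a scenario that does not exist.
SAMPLE = '''
L1 "Loss of life or serious injury to people"
H1 "Vessel's exposure to major damage or breakdown" [L1]
UCA1 "ControlCentre does not provide Manual setting when VC is malfunctioning" [H1]
UCA2 "ControlCentre provides Manual setting while VC operates normally" [H1]
C1 "ControlCentre must provide the Manual setting during VC malfunctioning" [UCA1]
Scenario1 for UCA1 "Abnormal vessel behavior occurs." [H1]
SR1 "ControlCentre must manually set the engine parameters" [Scenario9]
'''

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print(problem)
```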
Example of defining UCAs with the context table (the UCA references the process model variable mode of the ferry example):

```
UCA1 [mode = docking] [H1]
```