STPA results schema
The results of applying STPA should be recorded as structured textual data, stored in plain text file formats such as CSV, YAML or markdown, that represents tabular data which can be worked on in a spreadsheet or a relational database.
This schema is illustrated by the workbook template, which consists of three types of sheet:
- Text sheets (README, Scope): provide guidance and context; not exported
- Workbook tables: record results; exported as CSV
- Category tables: for reference; not exported
The data stored in the latter two types of table are described in the following sections.
Data types
The following data types are used in the table descriptions:
- UID: Locally unique alphanumeric identifier
- Number: Integer value
- Markdown text: A block of (multiline) text with markdown formatting.
- Text: Plain text
- Text array: An array of text items
- Ref-name: Name used to refer to a Reference
- Reference (type): Text matching a constrained set of values defined by type
- Reference array (type-name): An array of Reference items
- Link (table): The UID of a record in table
- Link array (table): An array of UIDs for records in table
Workbook tables
These are the exported tables, which contain all of the structured data recording the STPA results.
Losses
The set of Losses for this analysis.
| Column | Data type | Notes |
|---|---|---|
| Loss Id | UID | |
| Loss description | Text | |
| Loss category | Reference (LCategory) | Categories are for guidance only |
Hazards
The set of Hazards for this analysis.
| Column | Data type | Notes |
|---|---|---|
| Hazard Id | UID | |
| Hazard description | Text | |
| Link to loss(es) | Link array (Losses) | Each Hazard must link to at least one Loss |
| Notes | Markdown text | |
Constraints
Constraints for Hazards (SLC), UCA (Controller Constraints) and/or Causal Scenarios.
| Column | Data type | Notes |
|---|---|---|
| Constraint Id | UID | |
| Description | Text | |
| Constraint Type | Reference (CType) | Determines the type(s) of links |
| Link to Constraint(s) | Link array (Constraints) | Links to other Constraints (e.g. for sub-constraints) |
| Link to Hazard(s) | Link array (Hazards) | SLC and CSC |
| Links to UCA | Link array (UCA) | CFC and CSC |
| Links to CS | Link array (Causal Scenarios) | CSC only |
| Links to TSF | Text array | UID of associated Statements in an associated TSF Specification |
Elements
The elements of the Control Structure defined for this analysis.
| Column | Data type | Notes |
|---|---|---|
| Element Id | UID | |
| Element name | Text | |
| Responsibilities | Text array | Responsibilities of the Element |
| Roles | Reference array (ERoleType) | |
| Notes | Markdown text | |
Interactions
Interactions between the elements of the Control Structure defined for this analysis.
| Column | Data type | Notes |
|---|---|---|
| Interaction Id | UID | |
| Diagram Label | Text | |
| Interaction description | Text | |
| Type | Reference (IType) | |
| Provider Id | Link (Elements) | |
| Receiver Id | Link (Elements) | |
| Category | Reference (ICategory) | |
| Notes | Markdown text | |
CA-Analysis
Analysis of the Control Actions (only) in the Control Structure defined for this analysis.
| Column | Data type | Notes |
|---|---|---|
| CA Analysis ID | UID | |
| CA Id | Link (Interactions) | |
| UCA Type | Reference (UCAType) | |
| UCA Context | Link (UCA-Contexts) | |
| Analysis Result | Reference (CAResult) | |
| Hazard(s) | Link array (Hazards) | If Analysis Result is UCA, must link to at least one Hazard |
| Justification | Text | Description or example of UCA, or justification for the result |
UCA-Contexts
The UCA Contexts used in the UCA for this analysis.
| Column | Data type | Notes |
|---|---|---|
| Context Id | UID | |
| Unsafe Context | Text | A context in which one or more control actions may be unsafe. |
| Notes | Markdown text | Description or clarification of the context |
UCA
The UCA identified in this analysis.
| Column | Data type | Notes |
|---|---|---|
| UCA Id | UID | |
| CA | Link (Interactions) | |
| UCA Type | Reference (UCAType) | |
| UCA Context | Link (UCA-Contexts) | |
| UCA Definition | Text | Structured definition of UCA using STPA keywords |
| UCA Description | Text | Description or example of the UCA |
| Constraint Id | Link array (Constraints) | |
Control-Loops
Control Loops for Controlled Processes.
| Column | Data type | Notes |
|---|---|---|
| Loop Id | UID | |
| Control Loop Description | Text | |
| Controlled Process | Link (Elements) | |
| Linked SLC(s) | Link array (Constraints) | Should only include SLC |
CL-Sequences
Control Loop sequences, describing how sets of Interactions are involved in implementing control loops.
| Column | Data type | Notes |
|---|---|---|
| CL-Sequence Id | UID | |
| Loop | Link (Control-Loops) | The control loop for this step |
| Step | Number | A numerical identifier for a sequential step in the control loop |
| Interaction Id | Link (Interactions) | The interaction that this step involves |
| Provider process model or state | Text | The Process Model of the Provider, or its state if a Controlled process |
| Provider logic | Text | The logic used by the Provider to inform this interaction |
| Expected Receiver behaviour | Text | How the Provider expects the Receiver to behave |
Scenarios
Causal Scenarios explaining how causal factors affecting the Interactions in each of the CL-Sequences may lead to UCA or Hazards.
| Column | Data type | Notes |
|---|---|---|
| Scenario Id | UID | |
| Seq Ref | Link (CL-Sequences) | |
| CS Type | Reference (CSType) | |
| Causal Scenario Prompt | Text | Constructed prompt text for the Causal Scenario |
| Analysis Result | Reference (CSResult) | |
| Causal Scenario Definition | Text | Description of how this interaction might lead to a UCA or a Hazard (or both) |
| Links to UCA | Link array (UCA) | |
| Links to Hazard(s) | Link array (Hazards) | |
| Constraint Id | Link array (Constraints) | |
| Notes | Markdown text | Example(s) of the Causal Scenario and other explanatory notes |
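The table notes above state several integrity rules that a CSV export must satisfy (every Hazard links to at least one Loss, a CA-Analysis row whose result is UCA links to at least one Hazard, the Constraint Type decides which link columns a Constraint may populate, and Control-Loop SLC links must point at SLC constraints). The checker below is an added example, not part of the schema page or the workbook template. It assumes the CSV headers equal the Column names in the tables above and that Link array cells hold UIDs separated by `;` (the page does not fix a separator); the sample tables are constructed to trigger one violation of each rule.

```python
import csv
import io

ARRAY_SEP = ";"  # assumed separator for Link array / Text array cells

# Link columns each Constraint Type may use (from the Constraints table notes).
CTYPE_LINKS = {
    "SLC": {"Link to Hazard(s)"},
    "CFC": {"Links to UCA"},
    "CSC": {"Link to Hazard(s)", "Links to UCA", "Links to CS"},
}
CONSTRAINT_LINK_COLS = ("Link to Hazard(s)", "Links to UCA", "Links to CS")


def load_csv(text):
    """Parse CSV text (first row = Column names) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def split_array(cell):
    """Split a Link array cell into UIDs, dropping blanks and whitespace."""
    return [u.strip() for u in (cell or "").split(ARRAY_SEP) if u.strip()]


def check_uids(rows, id_col, table):
    """A UID must be non-empty and unique within its table."""
    seen, errs = set(), []
    for r in rows:
        uid = (r.get(id_col) or "").strip()
        if not uid:
            errs.append(f"{table}: record with empty {id_col}")
        elif uid in seen:
            errs.append(f"{table}: duplicate {id_col} {uid}")
        seen.add(uid)
    return errs


def check_links(rows, id_col, col, target_ids, table, target):
    """Every UID in a Link array cell must exist in the target table."""
    return [f"{table} {r[id_col]}: {col} -> unknown {target} {u}"
            for r in rows for u in split_array(r.get(col)) if u not in target_ids]


def validate(tables):
    """Run all checks over {table name: CSV text}; return the list of errors."""
    losses, hazards = load_csv(tables["Losses"]), load_csv(tables["Hazards"])
    constraints, ucas = load_csv(tables["Constraints"]), load_csv(tables["UCA"])
    ca_analysis, loops = load_csv(tables["CA-Analysis"]), load_csv(tables["Control-Loops"])
    loss_ids = {r["Loss Id"] for r in losses}
    hazard_ids = {r["Hazard Id"] for r in hazards}
    constraint_ids = {r["Constraint Id"] for r in constraints}
    ctype = {r["Constraint Id"]: r["Constraint Type"] for r in constraints}

    errs = check_uids(losses, "Loss Id", "Losses") + check_uids(hazards, "Hazard Id", "Hazards")
    errs += check_uids(constraints, "Constraint Id", "Constraints") + check_uids(ucas, "UCA Id", "UCA")
    errs += check_links(hazards, "Hazard Id", "Link to loss(es)", loss_ids, "Hazards", "Loss")
    errs += check_links(ca_analysis, "CA Analysis ID", "Hazard(s)", hazard_ids, "CA-Analysis", "Hazard")
    errs += check_links(loops, "Loop Id", "Linked SLC(s)", constraint_ids, "Control-Loops", "Constraint")
    for h in hazards:  # each Hazard must link to at least one Loss
        if not split_array(h.get("Link to loss(es)")):
            errs.append(f"Hazards {h['Hazard Id']}: must link to at least one Loss")
    for a in ca_analysis:  # result UCA requires at least one Hazard link
        if a["Analysis Result"] == "UCA" and not split_array(a.get("Hazard(s)")):
            errs.append(f"CA-Analysis {a['CA Analysis ID']}: result UCA needs a Hazard link")
    for c in constraints:  # Constraint Type determines the permitted link columns
        allowed = CTYPE_LINKS.get(c["Constraint Type"])
        if allowed is None:
            errs.append(f"Constraints {c['Constraint Id']}: unknown Constraint Type {c['Constraint Type']}")
            continue
        for col in CONSTRAINT_LINK_COLS:
            if split_array(c.get(col)) and col not in allowed:
                errs.append(f"Constraints {c['Constraint Id']}: {col} not allowed for {c['Constraint Type']}")
    for lp in loops:  # Linked SLC(s) should only include SLC constraints
        for u in split_array(lp.get("Linked SLC(s)")):
            if ctype.get(u) not in (None, "SLC"):
                errs.append(f"Control-Loops {lp['Loop Id']}: {u} is {ctype[u]}, not SLC")
    return errs


# Constructed sample export: one deliberate violation of each rule above.
SAMPLE = {
    "Losses": "Loss Id,Loss description,Loss category\nL1,Loss of life or injury,Safety\n",
    "Hazards": "Hazard Id,Hazard description,Link to loss(es),Notes\n"
               "H1,Vehicle does not stop,L1,\nH2,Orphan hazard,,\n",
    "Constraints": "Constraint Id,Description,Constraint Type,Link to Constraint(s),"
                   "Link to Hazard(s),Links to UCA,Links to CS,Links to TSF\n"
                   "SC1,Vehicle must stop when required,SLC,,H1,,,\n"
                   "CC1,Controller must provide brake,CFC,,H1,U1,,\n",
    "UCA": "UCA Id,CA,UCA Type,UCA Context,UCA Definition,UCA Description,Constraint Id\n"
           "U1,I1,NP,X1,Controller DOES NOT PROVIDE brake,Brake withheld,CC1\n",
    "CA-Analysis": "CA Analysis ID,CA Id,UCA Type,UCA Context,Analysis Result,Hazard(s),Justification\n"
                   "A1,I1,NP,X1,UCA,,Brake not provided\n",
    "Control-Loops": "Loop Id,Control Loop Description,Controlled Process,Linked SLC(s)\n"
                     "CL1,Braking loop,E2,SC1;CC1\n",
}

if __name__ == "__main__":
    for err in validate(SAMPLE):
        print(err)
```

Run as a script it prints the four violations in the sample; in a pipeline, call `validate()` on the exported CSV text of each table and fail the export when the list is non-empty. Links to tables not loaded here (Elements, Interactions, UCA-Contexts) are checked the same way with `check_links` once those tables are read.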
Category tables
These tables provide a constrained set of values for specific columns in the workbook tables. They are used to populate dropdown selectors and construct prompt text in the workbook template, and are not exported. The standard sets of categories used in the template are included here for reference, but these may be adapted or extended as required.
LCategory
Categories of Losses (for information and grouping of associated Hazards, UCAs, etc)
| Loss Category | Description |
|---|---|
| Assets | Losses relating to stakeholder's physical assets, equipment, property, etc |
| Commercial | Losses relating to a stakeholder organisation's commercial costs or benefits |
| Safety | Losses relating to the physical well-being of a human stakeholder |
| Security | Losses relating to a stakeholder's confidential information or intellectual property |
| User | Losses relating to a user's goals, convenience, time, desires, etc |
CType
Type identifiers and descriptions for Constraints
| CType | Description |
|---|---|
| SLC | System Level Constraint |
| CFC | Controller (Functional) Constraint |
| CSC | Causal Scenario Constraint |
ERoleType
Types of role for Elements in the control structure
| ERoleType | Responsibilities / Involvement |
|---|---|
| Controller | Provides control actions to a Controlled Process or another Controller |
| Controlled Process | Implements (part of) the behaviour that needs to be controlled |
| Actuator | Mechanisms by which a Controller acts upon a Controlled Process |
| Sensor | Mechanisms by which a Controller senses Feedback from a Controlled process |
| Interference | May interfere with the correct functioning of the Control Structure |
| Control Path | Communicates a Control Action from a Controller to a Controlled Process |
| Feedback Path | Communicates Feedback from a Controlled Process to a Controller |
| Out of Scope | Element is out of scope for this analysis, but has an assumed role |
Note
Elements may have more than one role in the control structure.
The Interference, Control Path and Feedback Path roles are added to better characterise software-specific interactions.
The Out of Scope role should only be used when an Element has another defined role in the control structure.
IType
Type identifiers and descriptions for interactions
| IType | Description |
|---|---|
| C | CONTROL ACTION |
| F | FEEDBACK |
| I | Information (other than Feedback) |
| P | Controlled Process input or output |
| X | Other interaction (e.g. interference, disturbance) |
Note
The I, P and X types of interaction are not a formal part of the control structure, but may be included in a diagram or structure definition as a prompt for Causal Analysis.
ICategory
Categories of Interactions (e.g. Continuous or Discrete). This is an optional characteristic that may be meaningful for some types of interaction.
| ICategory | Description |
|---|---|
| C | Continuous |
| D | Discrete |
UCAType
Type identifiers and descriptions for UCA.
| UCAType | Description | Keyword | Constraint keyword |
|---|---|---|---|
| NP | NP - Not Provided | DOES NOT PROVIDE | MUST PROVIDE WHEN REQUIRED |
| PR | PR - Provided | PROVIDES | MUST CORRECTLY PROVIDE WHEN REQUIRED |
| ML | ML - Magnitude (less than) | PROVIDES (TOO LITTLE) | MUST NOT PROVIDE TOO LITTLE |
| MM | MM - Magnitude (more than) | PROVIDES (TOO MUCH) | MUST NOT PROVIDE TOO MUCH |
| DS | DS - Duration (too short) | PROVIDES (TOO SHORT) | MUST PROVIDE FOR LONG ENOUGH |
| DL | DL - Duration (too long) | PROVIDES (TOO LONG) | MUST NOT PROVIDE FOR TOO LONG |
| TE | TE - Timing (too early) | PROVIDES (TOO EARLY) | MUST NOT PROVIDE TOO EARLY |
| TL | TL - Timing (too late) | PROVIDES (TOO LATE) | MUST NOT PROVIDE TOO LATE |
| SO | SO - Sequence / Order | PROVIDES (OUT OF SEQUENCE) | MUST NOT PROVIDE OUT OF SEQUENCE |
Note
The Keyword and Constraint keyword fields are used to construct UCA and constraint prompts in the workbook template.
CAResult
Results of CA-Analysis.
| Result | Description |
|---|---|
| UCA | Unsafe Control Action |
| Safe | Applicable, but does not result in UCA |
| N/A | Not Applicable |
| TBD | Not yet analysed |
CSType
Type identifiers, descriptions and prompts for Scenarios
| Label | Type | Description |
|---|---|---|
| CS1-C | Controller (itself) | Problems with the Controller itself |
| CS1-A | Control Algorithm(s) | Problems with the logic (specification, design or implementation) of the controller's algorithm |
| CS1-I | Unsafe Control input | Problems relating to unsafe control inputs (e.g. from other controllers), which may result from another UCA |
| CS1-M | Process Model | Problems with the process model (or mental model) of the Controller |
| CS1-D | Controller Disturbance | Problems arising from other factors that may affect the Controller |
| CS2-F | Feedback (itself) | Problems with the data / information that needs to be communicated |
| CS2-P | Feedback Path | Problems with the communication / transmission of the data / information |
| CS2-U | Unsafe Data / Information | Problems with the data / information contributing to the feedback, which may result from another UCA |
| CS3-A | Control Action (itself) | Problems with the Control Action itself, including Unsafe / Insecure Control Actions |
| CS3-P | Control Path | Problems with the communication of the Control Action to its target |
| CS4-P | Process (itself) | Problems with the Controlled Process |
| CS4-C | Conflicting Control | Interference from other Controllers |
| CS4-I | Process Inputs | Other information or actions that may affect the Controlled Process |
| CS4-O | Process Outputs | Other information or actions that may result from the Control Action |
| CS4-D | Process Disturbance | Anything else outside the Controlled Process that may affect it |
CSResult
Results of Scenario Analysis.
| Result | Description |
|---|---|
| UCA | Link to UCA |
| Hazard | Link to Hazard |
| Both | Link to UCA and Hazard |
| OOS | Out of scope for this analysis |
| SAF | Scenario already found |
| N/A | Not Applicable |
| TBD | Not yet analysed |