Deriving of Time Constants in Timed Automata for Hazard Transition Sequences for STAMP/STPA

Abstract

Abstract In recent years, information systems have become large-scale and complicated. The demand for research on the cause analysis of information systems that can fail and the construction of countermeasures has been increasing. Systems Theoretic Accident Model and Processes (STAMP) is an accident model based on systems theory. STAMP has the feature that it can analyze not only failures of system components and human errors but also hazards caused by unsafe interaction between components and between components and humans. An analysis method based on the STAMP model System-Theoretic Process Analysis (STPA) is a method for analyzing in advance the possibility of a system accident for the interaction between a controller and a controlled device. As a preliminary study, we have performed STAMP/STPA to ‘Fallen Barrier Trap at Railroad Crossing,” which is an example of STAMP/STPA analysis. We have analyzed with the time automaton model checker UPPAAL in cooperation with STAMP Workbench, a STAMP/STPA support tool. From the preliminary study, we consider that the analysis procedure can be automated in order to reduce the burden on analysts. In this paper, we propose a method for deriving hazard transition sequences as a STAMP/STPA support method. Specifically, the model definition is described in STAMP Workbench, the method of deriving files that can be used in UPPAAL from the definition statement is described, and in order to automate model checking, the SAT/SMT solver is used. The constraints for the clock variables in each component are automatically derived. This paper describes a method for deriving the shortest path as a counterexample that does not satisfy the safety constraint equation by using the calculation method of the concrete value the constraints of and the binary search method. The proposed method is applied manually as the evaluation experiment. We confirmed that an effective sequence corresponding to some hazard scenarios derived by the conventional procedure could be derived.