From STPA to Safe Behavior Models
Jette Petzold, Reinhard von Hanxleden
TL;DR
The paper addresses safe verification of safety-critical systems by automatically deriving LTL safety properties from STPA results and synthesizing a Safe Behavior Model (SBM) in SCCharts. It introduces new translation rules for multiple unsafe-control-action types, extends STPA with Desired Control Actions to cover liveness, and provides an end-to-end pipeline implemented in the pasta tool with an ACC example. The key contributions are the expanded STPA-to-LTL translation, automatic SBM generation, and the DCA extension, which together produce a safety-and-liveness compliant behavior model, albeit with incompleteness in initialization and variable calculations that require developer augmentation. This approach tightens the integration between risk analysis and model-based design, reducing manual formula generation and enabling safer automatic code synthesis from safety analysis results.
Abstract
Model checking is a proven approach for checking whether the behavior model of a safety-critical system fulfills safety properties that are stated as LTL formulas.We propose rules for generating such LTL formulas automatically based on the result of the risk analysis technique System-Theoretic Process Analysis (STPA). Additionally, we propose a synthesis of a Safe Behavior Model from these generated LTL formulas. To also cover liveness properties in the model, we extend STPA with Desired Control Actions. We demonstrate our approach on an example system using SCCharts for the behavior model. The resulting model is not necessarily complete but provides a good foundation that already covers safety and liveness properties.