Part1: Introducing SafeML
Part2: Concepts and elements of SafeML
Welcome back to our series on SafeML!
Last time, I talked a bit about the concepts involved in SafeML and elements that are used to represent the safety information in the system model.
Today I am going to be taking you through the drawing of a single safety model diagram to show you how you produce a SafeML model.
Let’s make diagrams!
Example I am going to be introducing today is based on an robot wheelchair. Purpose of this robot wheelchair is to safely convey a user around town to the destinations they want to go automatically without having to provide too much input into controlling it.
So there are many risks involved using this system. We have hazards such as pedestrians,
and harms such as injury to pedestrians or the rider.
We also have several harm contexts involved or hazardous situations. These include the fact that a wheelchair is going to be used in the same area as pedestrians and they may come closer to them. We see them as hazardous situations. We include several safety features in our robot wheelchair.
Today I am going to be talking a bit about the safety feature that is an emergency stop and also talk about how the wheelchair knows when to activate its emergency stop automatically which is in our monitoring system.
So this is the diagram I am going to be building today.
It’s quite large involving several elements but quiet concisely describes one hazardous situation and safety features involved to protecting against it.
So I start by producing the hazard. The hazard in our case is going to be pedestrians because these will be always be walking around the wheelchair and our safety analysis determined that they can be a hazard to the wheelchairs, the safety of the wheelchair’s rider or pedestrians themselves.
You notice that I’ve linked this to the Footpath which is a part of the external environment around the wheelchair. I added this element in brown to indicate that this is a part of the system model connected by the derived hazard relationship to show us where this is where the hazard comes from in our safety analysis.
Next I am modeling the relevant harm and connecting to the hazard. So the harm is an injury to a person which may be the pedestrian or may be the rider, and this is just modeled simply by an element which we include on the diagram. We then connect it to the hazard that may cause it using the harm context element which you can see here.
So in this case our hazardous situation is a user driving the wheelchair into a pedestrian which is somewhat malicious but has been known to occur.
In this case, the activity of a user controlling motion with joystick is what gives rise to this hazard situation, so we give the control of the wheelchair to the user that may cause the hazardous situation to arise and therefore cause harm to occur.
You can see in this case that I’ve also tagged the harm context element with several important pieces of information from a safety analysis such as the probability of harm occurring, and the probability of hazard situations occurring and the severity of the harm that may be caused.
These tags are very useful when you are looking at the information in the drawing in order to determine the priority of different hazardous situations or safety features.
So on the next slide, I’ve added a safety feature to my system this case it is the green element on the right the active defense element.
This is an emergency stop and this is connected to the harm context that it may cause by the defense result, association class. And this class describes the result of the defense been applied, so again, contains same tags as my harm context but with new values to indicate what will happen to them if the defense was active.
So in this case, if I activate my emergency stop, I would reduce the probability of harm and reduce the probability of occurrence of the hazard situations being caused. However this is an active defense so at some point in my model, I am going to need to add a monitoring system to make sure that this defense gets activated when it should be.
But first, I need to make sure that safety element does something to the system model.
In SafeML, this is by adding a “Requirement” that’s linked to the defense.
So this requirement which is related to the defense that it comes from is called a “safety requirement” and I highlighted it in red to distinguish it from my other system “requirements” in order to indicate that this is related to safety.
And this requirement is treated like all other requirements in SysML because it has blocks that implement it and test cases that verify that it exists
Monitoring feature to tell when active defense should act
So next I am going to look how I am going to activate my emergency stop and to do this, I need to have a monitoring feature in my system. This monitoring feature is represented by the context detector element which I’ve added to the diagram at the bottom here represented in blue.
What this does is, it’s an obstacle detector. So it detects when obstacles in this case “pedestrians” become too close to the wheelchair. So that is what we will define as the hazardous situation as with the defenses. Context detector needs to be implemented by the system. So therefore, again we need a safety requirement be added to our model in this case we have to model the requirement to detect the pedestrians which is related to the context detector that it is derived from.
And again, like any other system requirement, it is implemented by blocks and tested by testcases. So here we have the full diagram describes quiet succinctly our entire hazardous situation and the safety features related to it.
So this case we have the hazardous situation of the user driving the wheelchair into a pedestrian and we can see quite clearly that there’s a monitoring system looking for the situation and there’s an emergency stop defense that is designed to protect any injures being caused when the situation arises.
Safety information and System information are placed all in one place
One thing I want to point out is that on the previous slide, all the elements in brown were system model, they are not part of SafeML, they are not directly part of the safety information. But they are related to it and this shows how parts of the system model are integrated tightly with safety information allowing you to improve the traceability of your safety information throughout the system model and the system design itself.