SafeML Part 3 – SafeML diagram examples


Previous videos:

Part1: Introducing SafeML
Part2: Concepts and elements of SafeML

(Transcript)


Welcome back to our series on SafeML!

Last time, I talked a bit about the concepts involved in SafeML and elements that are used to represent the safety information in the system model.
Today I am going to be taking you through the drawing of a single safety model diagram to show you how you produce a SafeML model.

Let’s make diagrams!

The example I am going to be introducing today is based on a robot wheelchair. The purpose of this robot wheelchair is to safely convey a user around town to the destinations they want to go to, automatically, without their having to provide too much input into controlling it.

SafeML example

So there are many risks involved in using this system. We have hazards such as pedestrians, and harms such as injury to pedestrians or the rider.
We also have several harm contexts, or hazardous situations, involved. These include the fact that the wheelchair is going to be used in the same area as pedestrians and may come close to them. We see these as hazardous situations. We include several safety features in our robot wheelchair.

Today I am going to be talking a bit about the safety feature that is an emergency stop, and also about how the wheelchair knows when to activate its emergency stop automatically, which is our monitoring system.

astah-sample

So this is the diagram I am going to be building today.
It’s quite large, involving several elements, but it quite concisely describes one hazardous situation and the safety features involved in protecting against it.

Modeling Hazards

So I start by producing the hazard. The hazard in our case is going to be pedestrians, because these will always be walking around the wheelchair, and our safety analysis determined that they can be a hazard to the wheelchair, to the safety of the wheelchair’s rider, or to the pedestrians themselves.

Modeling Hazards in SafeML

You notice that I’ve linked this to the Footpath, which is a part of the external environment around the wheelchair. I added this element in brown to indicate that it is a part of the system model, connected by the derived-hazard relationship to show us that this is where the hazard comes from in our safety analysis.

Modeling Harm

Next I am modeling the relevant harm and connecting it to the hazard. So the harm is an injury to a person, which may be the pedestrian or may be the rider, and this is modeled simply by an element which we include on the diagram. We then connect it to the hazard that may cause it using the harm context element, which you can see here.

So in this case our hazardous situation is a user driving the wheelchair into a pedestrian, which is somewhat malicious but has been known to occur.

In this case, the activity of a user controlling motion with the joystick is what gives rise to this hazardous situation, so we give the control of the wheelchair to the user, which may cause the hazardous situation to arise and therefore cause harm to occur.

Creating SafeML Diagram - modeling harm and context
You can see in this case that I’ve also tagged the harm context element with several important pieces of information from a safety analysis, such as the probability of harm occurring, the probability of the hazardous situation occurring, and the severity of the harm that may be caused.

These tags are very useful when you are looking at the information in the drawing in order to determine the priority of different hazardous situations or safety features.

Safety Measure

So on the next slide, I’ve added a safety feature to my system; in this case it is the green element on the right, the active defense element.
SafeML examples - safety measure

This is an emergency stop, and it is connected to the harm context that it may cause by the defense result, an association class. This class describes the result of the defense being applied, so again it contains the same tags as my harm context, but with new values to indicate what will happen to them if the defense is active.
So in this case, if I activate my emergency stop, I would reduce the probability of harm and reduce the probability of the hazardous situation being caused. However, this is an active defense, so at some point in my model I am going to need to add a monitoring system to make sure that this defense gets activated when it should be.
But first, I need to make sure that the safety element does something to the system model.

Safety Requirements

Requirement_astah_SafeML

In SafeML, this is done by adding a “Requirement” that’s linked to the defense.
So this requirement, which is related to the defense that it comes from, is called a “safety requirement”, and I highlighted it in red to distinguish it from my other system “requirements”, in order to indicate that this is related to safety.
And this requirement is treated like all other requirements in SysML, because it has blocks that implement it and test cases that verify it.

Monitoring feature to tell when the active defense should act

So next I am going to look at how I am going to activate my emergency stop, and to do this I need to have a monitoring feature in my system. This monitoring feature is represented by the context detector element, which I’ve added to the diagram at the bottom here, represented in blue.

Astah SafeML - monitoring method
What this does is, it’s an obstacle detector. So it detects when obstacles, in this case “pedestrians”, become too close to the wheelchair. So that is what we will define as the hazardous situation. As with the defenses, the context detector needs to be implemented by the system. So therefore, again, a safety requirement needs to be added to our model; in this case we have to model the requirement to detect pedestrians, which is related to the context detector that it is derived from.

SafeML Sample Diagrams

And again, like any other system requirement, it is implemented by blocks and tested by test cases. So here we have the full diagram, which describes quite succinctly our entire hazardous situation and the safety features related to it.

Astah SafeML diagram example
So in this case we have the hazardous situation of the user driving the wheelchair into a pedestrian, and we can see quite clearly that there’s a monitoring system looking for the situation and there’s an emergency stop defense that is designed to protect against any injuries being caused when the situation arises.

Safety information and system information are all in one place

One thing I want to point out is that on the previous slide, all the elements in brown were system model; they are not part of SafeML, and they are not directly part of the safety information. But they are related to it, and this shows how parts of the system model are integrated tightly with the safety information, allowing you to improve the traceability of your safety information throughout the system model and the system design itself.
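The diagram built through the steps above (hazard, harm, harm context with its tags, active defense with its defense result, context detector, and the safety requirements each of them derives) can be checked mechanically once it is captured as data. The following Python is an added example written for this page; it is not code from the video, from SafeML, or from the Astah tool. The element and tag names follow the transcript; the risk score formula (probability of the situation × probability of harm × severity), the 1 to 4 severity scale, the numeric tag values, and the block and test case names are assumptions made up for the example. It ranks harm contexts by residual risk using the defense result values, and reports the traceability gaps a reviewer would look for: an active defense with no context detector watching its harm context, and a defense or detector whose safety requirement has no implementing block or verifying test case.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HarmContext:
    """Hazardous situation linking a hazard to a harm, tagged as in the transcript."""
    name: str
    hazard: str
    harm: str
    p_harm: float       # probability of harm occurring, given the situation
    p_situation: float  # probability of the hazardous situation occurring
    severity: int       # assumed ordinal scale: 1 (minor) .. 4 (catastrophic)


@dataclass
class DefenseResult:
    """Association class: the harm context tags as they stand while the defense is active."""
    p_harm: float
    p_situation: float
    severity: int


@dataclass
class Defense:
    name: str
    harm_context: str
    result: DefenseResult
    active: bool = True               # active defenses need a context detector
    requirement: Optional[str] = None  # derived safety requirement


@dataclass
class ContextDetector:
    name: str
    harm_context: str
    requirement: Optional[str] = None


@dataclass
class Requirement:
    name: str
    implemented_by: List[str] = field(default_factory=list)  # SysML blocks
    verified_by: List[str] = field(default_factory=list)     # test cases


@dataclass
class SafeMLModel:
    contexts: Dict[str, HarmContext] = field(default_factory=dict)
    defenses: Dict[str, Defense] = field(default_factory=dict)
    detectors: Dict[str, ContextDetector] = field(default_factory=dict)
    requirements: Dict[str, Requirement] = field(default_factory=dict)


def risk_score(p_situation: float, p_harm: float, severity: int) -> float:
    """Assumed risk formula for prioritisation; not defined by SafeML itself."""
    return p_situation * p_harm * severity


def residual_risk(model: SafeMLModel) -> List[Tuple[str, float, float]]:
    """(context, risk without defenses, lowest risk with a defense active), highest residual first."""
    rows = []
    for ctx in model.contexts.values():
        before = risk_score(ctx.p_situation, ctx.p_harm, ctx.severity)
        after = before
        for d in model.defenses.values():
            if d.harm_context == ctx.name:
                r = d.result
                after = min(after, risk_score(r.p_situation, r.p_harm, r.severity))
        rows.append((ctx.name, before, after))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def traceability_gaps(model: SafeMLModel) -> List[str]:
    """Report safety elements that are not tied through to the system model."""
    gaps: List[str] = []
    watched = {det.harm_context for det in model.detectors.values()}

    def check_requirement(owner: str, req_name: Optional[str]) -> None:
        if req_name is None:
            gaps.append(f"{owner}: no safety requirement derived from it")
            return
        req = model.requirements.get(req_name)
        if req is None:
            gaps.append(f"{owner}: requirement '{req_name}' is not in the model")
            return
        if not req.implemented_by:
            gaps.append(f"{req_name}: no block implements it")
        if not req.verified_by:
            gaps.append(f"{req_name}: no test case verifies it")

    for d in model.defenses.values():
        if d.harm_context not in model.contexts:
            gaps.append(f"{d.name}: harm context '{d.harm_context}' is not in the model")
        if d.active and d.harm_context not in watched:
            gaps.append(f"{d.name}: active defense with no context detector for '{d.harm_context}'")
        check_requirement(d.name, d.requirement)
    for det in model.detectors.values():
        if det.harm_context not in model.contexts:
            gaps.append(f"{det.name}: harm context '{det.harm_context}' is not in the model")
        check_requirement(det.name, det.requirement)
    return gaps


def build_wheelchair_model(with_detector: bool = True) -> SafeMLModel:
    """The transcript's wheelchair diagram as data; all numbers and block/test names are constructed."""
    m = SafeMLModel()
    ctx = "User drives wheelchair into pedestrian"
    m.contexts[ctx] = HarmContext(ctx, hazard="Pedestrians", harm="Injury to person",
                                  p_harm=0.5, p_situation=0.1, severity=3)
    m.requirements["Emergency stop requirement"] = Requirement(
        "Emergency stop requirement", implemented_by=["MotorController"], verified_by=["TC_EStop_01"])
    m.defenses["Emergency stop"] = Defense(
        "Emergency stop", ctx, DefenseResult(p_harm=0.05, p_situation=0.02, severity=3),
        requirement="Emergency stop requirement")
    if with_detector:  # leave the detector out to see the gap the transcript warns about
        m.requirements["Detect pedestrians"] = Requirement(
            "Detect pedestrians", implemented_by=["ObstacleDetector"], verified_by=["TC_Detect_01"])
        m.detectors["Obstacle detector"] = ContextDetector(
            "Obstacle detector", ctx, requirement="Detect pedestrians")
    return m


if __name__ == "__main__":
    for name, before, after in residual_risk(build_wheelchair_model()):
        print(f"{name}: risk {before:.3f} -> {after:.3f} with defense active")
    for gap in traceability_gaps(build_wheelchair_model(with_detector=False)):
        print("GAP:", gap)
```

Running the block prints the single harm context with its risk before and after the emergency stop is applied, then the gap report for the variant without the obstacle detector, which flags the emergency stop as an active defense nobody triggers. Extending the model with the other hazardous situations from the safety analysis makes the ranking meaningful and lets the gap report act as a gate before the diagram is signed off.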
