// STPA (System-Theoretic Process Analysis) worked example for DLR's Ushift
// concept vehicle, built on the LibrarySTPA metamodel. The four nested
// packages follow the STPA steps: define the analysis purpose (stakeholders,
// losses, hazards), model the control structure, identify unsafe control
// actions (UCAs), and identify loss scenarios (LSs). `Views` exposes parts of
// the model for tabular/tree presentation.
package PaperExample {
    // One library package per STPA step, plus the stereotype metatypes
    // (#loss, #hazard, #controller, ...) and the analysis-purpose viewpoints.
    private import LibrarySTPA::DefineAnalysisPurpose::*;
    private import LibrarySTPA::ModelControlStructure::*;
    private import LibrarySTPA::IdentifyUCAs::*;
    private import LibrarySTPA::IdentifyLSs::*;
    private import LibrarySTPA::MetaTypesSTPA::*;
    private import LibrarySTPA::ViewsAndViewpoints::DefineAnalysisPurposeViews::*;

    // Step 1: who cares about the system, what they stand to lose, and which
    // system-level hazards can lead to those losses.
    package DefineAnalysisPurpose {
        package Stakeholders {
            part def Passenger;
            part def Manufacturer;
            part def Operator;
            // Safety is a concern shared by all three stakeholders; the
            // subject of both concerns is the vehicle (Ushift).
            concern Safety {
                subject Ushift;
                stakeholder : Passenger;
                stakeholder : Manufacturer;
                stakeholder : Operator;
            }
            // Reputation concerns only the organisations, not the passenger.
            concern Reputation {
                subject Ushift;
                stakeholder : Manufacturer;
                stakeholder : Operator;
            }
        }
        // Each loss is traced back to exactly one stakeholder concern.
        package Losses {
            #loss occurrence LossOfCustomerSatisfaction {
                ref concern :>> stakeholderConcern = Stakeholders::Reputation;
            }
            #loss occurrence LossOfLife {
                ref concern :>> stakeholderConcern = Stakeholders::Safety;
            }
        }
        // Each hazard lists the losses it can lead to (one or several).
        package Hazards {
            #hazard occurrence VehicleCanNotExecuteMission {
                ref occurrence :>> lossesRef = (Losses::LossOfCustomerSatisfaction, Losses::LossOfLife);
            }
            #hazard occurrence VehicleTooCloseToPeople {
                ref occurrence :>> lossesRef = Losses::LossOfLife;
            }
        }
    }

    // Step 2: hierarchical control structure. The header refs classify every
    // element declared below as controller / actuator / sensor / process and
    // every flow as control action or feedback.
    package ModelControlStructure {
        #controlStructure part UshiftCS {
            // Note that the nested ControlElectronics (not Ushift itself) is
            // listed as the controller; Ushift groups it with its sensor and
            // actuator.
            ref part :>> controllersRef = (Ushift.ControlElectronics, Teleoperator, Passenger, OtherTraffic, VRUs, Environment);
            ref part :>> actuatorsRef = Ushift.DriveSystem;
            ref part :>> sensorsRef = Ushift.PerceptionSystem;
            ref part :>> processesRef = VehicleMovement;
            ref flow :>> controlActionsRef = (teleoperatorCMD, maneuverCMD, vehicleForces, travelCMD);
            ref flow :>> feedbacksRef = (vehiclePerception, vehicleMovement, vehicleHealth, vehicleStatus, roadPerception, vruPerception, otherTrafficPerception);

            // The vehicle: automated controller plus its perception (sensor)
            // and drive (actuator) subsystems.
            #controller part Ushift {
                #controller part ControlElectronics {
                    // Process-model beliefs held by the automation; a UCA or
                    // loss scenario can later point at one of these as being
                    // wrong or stale.
                    ref part :>> processBeliefs = (VehicleLimitations, OperationalMode, UnderstandingOfPassengerBehavior, AssumptionAboutRoadInfrastructure,
                    PassengerCapacity);
                    #processModel part VehicleLimitations;
                    #processModel part OperationalMode;
                    #processModel part UnderstandingOfPassengerBehavior;
                    #processModel part AssumptionAboutRoadInfrastructure;
                    #processModel part PassengerCapacity;
                }
                #sensor part PerceptionSystem;
                #actuator part DriveSystem;
            }

            // Human controllers carry mental models instead of process models.
            #controllerHuman part Teleoperator {
                ref part :>> mentalBeliefs = CurrentWorkload;
                #mentalModel part CurrentWorkload;
            }
            #controllerHuman part Passenger {
                ref part :>> mentalBeliefs = UnderstandingOfVehicleBehavior;
                #mentalModel part UnderstandingOfVehicleBehavior;
            }

            // External agents are modelled as controllers with no internal
            // structure; they only feed perception.
            #controller part OtherTraffic;
            #controller part VRUs;
            #controller part Environment;
            #process part VehicleMovement;

            // Control actions flow "down" (controller -> controlled element),
            // feedback flows "up". All endpoints use the library's
            // interactionsOut / interactionsIn ports.
            // NOTE(review): ControlElectronics is addressed as
            // UshiftCS::Ushift::ControlElectronics while DriveSystem and
            // PerceptionSystem are addressed as Ushift::DriveSystem /
            // Ushift::PerceptionSystem from the same scope. Presumably both
            // forms resolve from inside UshiftCS — confirm, and settle on one.
            // Remote-operator interface: command in, health telemetry back.
            // Only the "not provided" case of teleoperatorCMD is analysed as a
            // UCA below (see IdentifyUCAs); other UCA types for this flow and
            // the vehicleHealth feedback are not covered in this example.
            #controlAction flow teleoperatorCMD from Teleoperator.interactionsOut to UshiftCS::Ushift::ControlElectronics.interactionsIn;
            #feedback flow vehicleHealth from UshiftCS::Ushift::ControlElectronics.interactionsOut to Teleoperator.interactionsIn;
            // Passenger interface.
            #feedback flow vehicleStatus from UshiftCS::Ushift::ControlElectronics.interactionsOut to Passenger.interactionsIn;
            // Automation -> actuator -> physical process.
            #controlAction flow maneuverCMD from UshiftCS::Ushift::ControlElectronics.interactionsOut to Ushift::DriveSystem.interactionsIn;
            #controlAction flow vehicleForces from Ushift::DriveSystem.interactionsOut to VehicleMovement.interactionsIn;
            // Everything the perception system observes, fused into one
            // feedback to the automation.
            #feedback flow vehicleMovement from VehicleMovement.interactionsOut to Ushift::PerceptionSystem.interactionsIn;
            #feedback flow roadPerception from Environment.interactionsOut to Ushift::PerceptionSystem.interactionsIn;
            #feedback flow vruPerception from VRUs.interactionsOut to Ushift::PerceptionSystem.interactionsIn;
            #feedback flow otherTrafficPerception from OtherTraffic.interactionsOut to Ushift::PerceptionSystem.interactionsIn;
            #feedback flow vehiclePerception from Ushift::PerceptionSystem.interactionsOut to UshiftCS::Ushift::ControlElectronics.interactionsIn;
            #controlAction flow travelCMD from Passenger.interactionsOut to UshiftCS::Ushift::ControlElectronics.interactionsIn;
            doc /* This shows a simplified control structure of DLR's Ushift concept vehicle using the element types defined in the STPA library for SysML v2 */
        }
    }

    // Step 3: unsafe control actions. A UCA ties a control action, its
    // source and receiver, the way it is unsafe (typeRef), the context in
    // which it is unsafe, and the hazard(s) it leads to.
    package IdentifyUCAs {
        // A context is the conjunction of a system condition and an
        // environmental condition.
        package Contexts {
            #context occurrence EmergencyStateDueToClosedOneWayStreet {
                ref occurrence :>> systemConditions = EmergencyState;
                ref occurrence :>> environmentalConditions = ClosedOneWayStreet;
            }
            #sysCon occurrence EmergencyState;
            #envCon occurrence ClosedOneWayStreet;
        }
        package UCAs {
            #uca occurrence TeleoperatorDoesNotProvideOperationCommand {
                doc /* Teleoperator does not provide operation command when the automated vehicle is in an emergency situation */
                ref part :>> sourceRef = ModelControlStructure::UshiftCS.Teleoperator;
                ref flow :>> controlActionRef = ModelControlStructure::UshiftCS.teleoperatorCMD;
                // Omission of the command; typesOfCAs comes from the library.
                enum :>> typeRef = typesOfCAs.NotProvided;
                ref part :>> receiverRef = ModelControlStructure::UshiftCS::Ushift.ControlElectronics;
                ref occurrence :>> contextRef = Contexts::EmergencyStateDueToClosedOneWayStreet;
                ref occurrence :>> hazardsRef = DefineAnalysisPurpose::Hazards::VehicleCanNotExecuteMission;
            }
        }
    }

    // Step 4: loss scenarios explain *why* a UCA would occur, via one or more
    // causal factors.
    package IdentifyLSs {
        package CausalFactors {
            // The vehicleStatus feedback never reaches the teleoperator; the
            // `status` attribute is free text describing the factor.
            #cf occurrence TeleoperatorNotInformed {
                ref occurrence :>> factorRef = ModelControlStructure::UshiftCS.vehicleStatus;
                attribute :>> status = "not forwarded";
            }
        }
        package LossScenarios {
            #ls occurrence TeleoperatorNotAwareOfVehiclesEmergencySituation {
                doc /* The automated vehicle drives into a one way street which is closed and can not resolve the situation. However, the teleoperator is not aware that he is responsible for the vehicle. As a result, the teleoperator does not provide a resolving operation command */
                ref occurrence :>> causalFactorsRef = CausalFactors::TeleoperatorNotInformed;
                ref occurrence :>> ucasRef = IdentifyUCAs::UCAs::TeleoperatorDoesNotProvideOperationCommand;
            }
        }
    }

    // Presentation. The tabular views below depend on a tool-specific
    // package (CameoViewsSTPA) and are kept commented out; only the
    // loss tree from the imported library viewpoints is active.
    package Views {
        //private import CameoViewsSTPA::**;
        //view HazardsAndLosses : HazardsTable {
        // expose PaperExample::DefineAnalysisPurpose::**;
        // filter @hazard;
        //}
        //view UCAs : UCAsTable {
        // expose PaperExample::IdentifyUCAs::**;
        // filter @uca;
        //}
        //view LSs : LSsTable {
        // expose PaperExample::IdentifyLSs::**;
        // filter @ls;
        //}
        view ShowLosses : DefineLosses::LossTree {
            expose DefineAnalysisPurpose::Losses::*;
        }
    }
}