How to: Identify UCAs analysis

Identifying UCAs is a key component of the analysis and often requires a lot of time invested to ensure a thorough analysis. To identify the unsafe control actions you will need to review each control action from the diagram. The RM Studio STPA module populates all of the control actions from the control structure model. The UCA Categories (Keywords) used to analyze a control action should be determined prior to beginning the UCA analysis.

From the STPA Project tree you need to double click the UCA node to open, but when you open for the first time the UCA analysis will look blank.

Setup the UCA Keywords

1. Open the Keywords from the STPA Project tree.
2. Click the to add a new Keyword or click the to add default Keywords.
   
3. Select a Keyword from the drop down, then click .
4. Click the Add All Default Keywords button to use all in the UCA analysis and click to complete the action.
   
5. After selecting default Keywords you should notice the Description text template after each keyword. This text is editable in the Keyword Details pane. The default format (Template; see-below) to auto-populate the UCA once identified. If you have your own UCA Categories (Keywords), then you have the Description field below for you to make your own UCA template.

<Controller> does not provide <ControlAction> when …

How to: Identify Unsafe Control Actions

Here is another example from the STPA Handbook (March 2018) regarding UCA identification:

The RM Studio – STPA module has many built in automation in order to ensure quality and completeness of the STPA. In the UCAs identification step the tool will populate the list of Control Actions from the Control Structure model. If you perform the Progress Check for the diagram, then the check ensures all control action connectors have been identified and therefore all CAs are in the list for the UCAs analysis.

1. The Control Actions are displayed here in the order they were created on the CS model (notice second image of Control Structure with the CAs highlighted).
2. When the mouse pointer hovers over a CA, the Source and Target are displayed for 5 seconds. This should help the analyst in understanding where the CA is located on the CS model.
3. The Keywords chosen for this UCA are populated and ready for the safe/unsafe analysis.
4. Unsafe means that there will be Hazards when the situation described by the Keyword occurs. Click the to add a new UCA. Click the to delete the UCA (more in depth instructions following the images).
5. If you create a UCA, a check mark will appear in the box for Assessed indicating that the Keyword has been assessed. If you don’t create a UCA, you can check the box for Assessed to indicate the CA is safe. Safe means that the extraordinary situation described by the Keyword will not cause any Hazards even if it does occur.
6. Use the N/A to express the Keyword is not applicable. N/A means that the Keyword is not applicable to the Control Action where the situation described by the Keyword will never occur.

The “Clear Assessments” button is used to reset the state of a Keyword Assessment. Clicking the Clear Assessments button will delete everything that has been added, such as the Justification of why it is N/A or Safe, and all the UCAs if it is Unsafe.

If you make any changes to the CS model by adding or subtracting CAs, then you will use the refresh icon to update the UCA analysis.

How to: Capture UCA’s

The term “unsafe” refers to the hazards identified through STPA. Hazards can include issues related to loss of human life or injury (traditional safety) but they can also be defined much more broadly to include other losses like a mission loss, loss of performance, environmental losses, etc.

1. If a Control Action is identified as unsafe, use the to create a UCA line and justification field for the UCA.
   
2. After clicking the new UCA button the text field auto-populates with the Keyword template set in the Keywords prep.
   <Controller> does not provide <ControlAction> when …
3. The Justification field is used to describe why the Keyword is identified as Safe for the Control Action. The Assessed check box informs users that the Keyword has been assessed and deemed as a safe control action type.
4. The Justification field is also used to describe why the Keyword is identified as N/A (not applicable) in this situation.
   
5. The lowest pane has the field for editing the UCA text from the auto-populated template format.
6. If declaring any assumptions, interpretations, or descriptions regarding the UCA.
7. UCAs should be linked to at least one System Level Hazard using the selection list on the right-hand side of the UCA Detail Panel. This defines what  System Level Hazards may occur if the situation described by the Keyword occurs during its Control Action. UCAs can also be linked to  Constraints that may be derived as a countermeasure to the occurrence of the situation described by the Keyword.
   
8. The clipboard features such as copy, cut, and paste, are enabled between all the separate UCA lists for the Keywords. This allows duplicating UCAs under the same Keyword, or copying UCAs from one Keyword to another. This is done using the common keyboard shortcuts Ctrl+C, Ctrl+X, and Ctrl+V, or via the Context Menu for the lists.

How to: Check the Progress of Identifying UCAs

The Progress check is the used to inform the analyst how complete the UCA assessment is after reevaluating the Progress.

1. The bar meter displays the percentage of completion.
2. Use the Reevaluate Progress button to refresh the Progress check.
3. The Issue and Detail informs the analyst what is missing after the progress check.