```sh
sysand add alexander-ahlbrecht/librarystpa
```
The development of complex transport systems presents significant safety challenges. While safety-driven and model-based approaches show promise, their adoption is still in its early stages. One hazard analysis method that is gaining traction is the System Theoretic Process Analysis (STPA). Integrating STPA with the Systems Modeling Language (SysML) holds great potential, thanks to their shared system-theoretic foundation. Simultaneously, SysML v2, with extensibility features such as libraries, offers new integration opportunities. To try the integration, an open-source SysML v2 library for STPA was created.
This package contains:
The library is divided into six packages. Each of the four STPA steps has its own dedicated package. The fifth and sixth packages contain the metadata types and the view/viewpoint definitions that support applying the library.
In the following, a minimal example is given for each STPA step using the SysML v2 library. More information on the goals and concepts behind the library is available in the corresponding open-access article.
```sysml
package DefineAnalysisPurpose {
    private import LibrarySTPA::MetaTypesSTPA::*;
    package Stakeholders {
        part def Passenger;
        concern Safety {
            subject Ushift;
            stakeholder : Passenger;
        }
    }
    package Losses {
        #loss occurrence LossOfLife {
            ref concern :>> stakeholderConcern = Stakeholders::Safety;
        }
    }
    package Hazards {
        #hazard occurrence VehicleTooCloseToPeople {
            ref occurrence :>> lossesRef = Losses::LossOfLife;
        }
    }
}
```
```sysml
package ModelControlStructure {
    private import LibrarySTPA::MetaTypesSTPA::*;
    #controlStructure part UshiftCS {
        ref part :>> controllersRef = (Ushift, Teleoperator);
        ref flow :>> controlActionsRef = teleoperatorCMD;
        ref flow :>> feedbacksRef = vehicleStatus;
        #controllerHuman part Teleoperator {
            ref part :>> mentalBeliefs = CurrentWorkload;
            #mentalModel part CurrentWorkload;
        }
        #controller part Ushift {
            #controller part ControlElectronics {
                ref part :>> processBeliefs = OperationalMode;
                #processModel part OperationalMode;
            }
        }
        // The flows are owned by the control structure itself, so that
        // UshiftCS.teleoperatorCMD and UshiftCS.vehicleStatus resolve in the later steps
        #controlAction flow teleoperatorCMD from Teleoperator.interactionsOut to UshiftCS::Ushift.interactionsIn;
        #feedback flow vehicleStatus from UshiftCS::Ushift.interactionsOut to Teleoperator.interactionsIn;
    }
}
```
```sysml
package IdentifyUCAs {
    private import LibrarySTPA::MetaTypesSTPA::*;
    package Contexts {
        #context occurrence EmergencyStateWhileCloseToPeople {
            ref occurrence :>> systemConditions = EmergencyState;
            ref occurrence :>> environmentalConditions = PeopleCloseToVehicle;
        }
        #sysCon occurrence EmergencyState;
        #envCon occurrence PeopleCloseToVehicle;
    }
    package UCAs {
        #uca occurrence TeleoperatorDoesNotProvideOperationCommand {
            doc /* Teleoperator does not provide operation command when the automated vehicle is in an emergency situation */
            ref part :>> sourceRef = ModelControlStructure::UshiftCS.Teleoperator;
            ref flow :>> controlActionRef = ModelControlStructure::UshiftCS.teleoperatorCMD;
            enum :>> typeRef = typesOfCAs.NotProvided;
            ref part :>> receiverRef = ModelControlStructure::UshiftCS.Ushift;
            ref occurrence :>> contextRef = Contexts::EmergencyStateWhileCloseToPeople;
            ref occurrence :>> hazardsRef = DefineAnalysisPurpose::Hazards::VehicleTooCloseToPeople;
        }
    }
}
```
```sysml
package IdentifyLSs {
    private import LibrarySTPA::MetaTypesSTPA::*;
    package CausalFactors {
        #cf occurrence TeleoperatorNotInformed {
            ref occurrence :>> factorRef = ModelControlStructure::UshiftCS.vehicleStatus;
            attribute :>> status = "not forwarded";
        }
    }
    package LossScenarios {
        #ls occurrence TeleoperatorNotAwareOfVehiclesEmergencySituation {
            doc /* The teleoperator is not aware that he is responsible for the vehicle. As a result, the teleoperator does not provide a resolving operation command */
            ref occurrence :>> causalFactorsRef = CausalFactors::TeleoperatorNotInformed;
            ref occurrence :>> ucasRef = IdentifyUCAs::UCAs::TeleoperatorDoesNotProvideOperationCommand;
        }
    }
}
```
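As an added example (not part of the library or this README), a small Python checker over the textual notation used in the four steps above: it verifies the STPA traceability chain, i.e. every hazard references a loss via `lossesRef`, every UCA a hazard via `hazardsRef`, and every loss scenario a UCA via `ucasRef`, and that each reference resolves to a declared element of the expected kind. The metadata tags and property names are the library's; the sample model text is constructed here and deliberately contains one UCA without a hazard link.

```python
import re

# Constructed sample in the library's notation (not from the README): one complete
# loss -> hazard -> UCA -> loss-scenario chain plus a UCA with no hazard link
SAMPLE = """
#loss occurrence LossOfLife { ref concern :>> stakeholderConcern = Stakeholders::Safety; }
#hazard occurrence VehicleTooCloseToPeople { ref occurrence :>> lossesRef = Losses::LossOfLife; }
#uca occurrence TeleoperatorDoesNotProvideOperationCommand {
    ref occurrence :>> hazardsRef = DefineAnalysisPurpose::Hazards::VehicleTooCloseToPeople;
}
#uca occurrence DanglingUCA { ref occurrence :>> contextRef = Contexts::EmergencyStateWhileCloseToPeople; }
#ls occurrence TeleoperatorNotAwareOfVehiclesEmergencySituation {
    ref occurrence :>> ucasRef = IdentifyUCAs::UCAs::TeleoperatorDoesNotProvideOperationCommand;
}
"""

# '#<tag> occurrence <Name> { ... }' declarations and ':>> <prop> = <value>;' redefinitions
ELEM_RE = re.compile(r"#(loss|hazard|uca|ls)\s+occurrence\s+(\w+)\s*\{([^}]*)\}")
REF_RE = re.compile(r":>>\s*(\w+)\s*=\s*\(?([^;]*?)\)?\s*;")
# Per STPA step: the property linking back to the previous step and the kind it must name
LINK = {"hazard": ("lossesRef", "loss"), "uca": ("hazardsRef", "hazard"), "ls": ("ucasRef", "uca")}

def parse_elements(text):
    """Map element name -> (kind, {property: [referenced short names]})."""
    elems = {}
    for kind, name, body in ELEM_RE.findall(text):
        refs = {}
        for prop, value in REF_RE.findall(body):
            # Keep only the last segment so Losses::LossOfLife or UshiftCS.Ushift matches its declaration
            refs[prop] = [v.strip().split("::")[-1].split(".")[-1] for v in value.split(",")]
        elems[name] = (kind, refs)
    return elems

def check_traceability(text):
    """Findings: missing link to the previous step, or a link to an undeclared or wrong-kind element."""
    elems = parse_elements(text)
    findings = []
    for name, (kind, refs) in elems.items():
        if kind not in LINK:
            continue
        prop, want = LINK[kind]
        targets = refs.get(prop, [])
        if not targets:
            findings.append(f"{kind} {name}: missing {prop}")
        for t in targets:
            if t not in elems:
                findings.append(f"{kind} {name}: {prop} -> undeclared {t}")
            elif elems[t][0] != want:
                findings.append(f"{kind} {name}: {prop} -> {t} is {elems[t][0]}, expected {want}")
    return findings
```

Running `check_traceability(SAMPLE)` reports only `DanglingUCA`; the checker is text-based and does not replace a SysML v2 tool's name resolution, but it catches broken chains before the model is reviewed.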
If you use this library and/or if you want to know more about the background, please refer to and cite:
A. Ahlbrecht, F. Wagner, and U. Durak, “Extending SysML v2 for Safety - Open-Source Library for the System-Theoretic Process Analysis.” Systems Engineering (2026): e70057. https://doi.org/10.1002/sys.70057
Related References from Contributors:
Recommended STPA Literature:
For this library the copyright belongs to the German Aerospace Center / Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR):
Copyright (c) 2025 Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Licensed under MIT + Apache 2.0. That means, as a downstream consumer of this software you may choose to either use it under MIT or under Apache 2.0 license, at your discretion. All contributions from upstream must be licensed under both MIT and Apache 2.0; if you contribute code to this project you agree to license your code under both the MIT and the Apache 2.0 license.
The main contributor of the library is Alexander Ahlbrecht:
In case of questions, you can also write a mail to: alexander.ahlbrecht@dlr.de