Cameo Safety and Reliability

Analyzer 2024x Refresh1

User Guide

No Magic, Inc., a Dassault Systèmes company, 2024

All material contained herein is considered proprietary information owned by No Magic, Inc. and is not
to be shared, copied, or reproduced by any means. All information copyright 1998-2024 by No Magic,
Incorporated, a Dassault Systèmes company. All Rights Reserved.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company.

Contents

Introduction to Cameo Safety and Reliability Analyzer 7

Installation, licensing, and system requirements 8
Getting started 9
Concepts 9
Risk concepts 10
FMEA concepts 11
ISO 26262 Functional Safety concepts 12
Process description 16
Project templates 17
Reliability analysis using FMEA 18
Generating FMEA Items 18
Describing FMEA Items 19
Creating an FMEA Table 24
Adding FMEA Items to an FMEA Table 24
Cloning FMEA Table rows 25
The sample FMEA Table demonstrates the behavior of the row cloning
feature. The selected rows (highlighted in blue) have been cloned, and each
row clone appears right below the row from which it was cloned. 27

Safety analysis 27
Describing Safety Analysis Items 28
Creating a Risk Table 31
Adding Safety Analysis Items to a Risk Table 31
Describing reduced risks 33
Creating a Risk Reduction Table 37
Adding Safety Analysis Items to a Risk Reduction Table 38
FMEAs to be analyzed 39
Additional features 39
Traceability maps 39
Creating traceability maps 40

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 3

Contents
Manipulations in the Expert mode 42
Safety and Reliability Coverage Analysis 44
Generating reports 44
Linking Failure Modes to model elements 45
Linking Failure Modes to elements in a diagram 45
Linking Failure Modes to elements in the Specification window 47

Customizing Safety Analysis and FMEA configurations 48

Fault Tree Analysis 50
Fault Tree Analysis diagram. 51
Fault Tree Analysis Diagram 51
Creating a Fault Tree Analysis Diagram 52
Adding a Fault Tree Event in the Fault Tree Analysis Diagram 53
Adding a Fault Tree Gate in the Fault Tree Analysis Diagram 54
Adding probability to the Fault Tree Event 55
Calculating the probability of the Intermediate and Top Event 57
Interconnecting the Fault Tree Analysis diagram with the System Model 57

ISO 26262 Functional Safety 58

The ISO 26262 standard structure. 60
Tables and diagrams 60
HazOp Table 61
Operational Conditions Table 65
Operational Situations Table 70
Accident Scenarios Table 75
Effects Table 82
Hazards Table 87
HARA Table 90
Safety Requirement Diagram 97
Generic Safety Table 102
Validation Rules 106
ASIL Decompose and DeriveReqt Relationships 106

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 4

Contents
ASIL Decompose and Independence Requirement Relationships 107
ASIL Decomposition 108
Incompatible Types 109
Independence Requirement and DeriveReqt Relationships 110
Tracking ISO 26262 properties 111
Specifying relation criteria for a Relation map to track ISO 26262
properties. 112
Reports 112
Example of the HARA report. 116
Example of the Functional Safety Concept report. 117
Example of the TARA report. 117
Customizations 117
Adding new types to a HazOp Table 117
Adding new guide words to a HazOp Table 118
Extending ISO 26262 elements with new properties 119

Systems Cybersecurity Designer 123

ISO 21434 Functional Cybersecurity 123
Overview of ISO/SAE 21434:2021 standard 125
Concept 126
ISO 21434 project 127
Table 129
Collaborative modeling 247
Generating Cybersecurity Reports 249
Libraries 249
Adding a library to the project 249
MITRE CWE Library 250
MITRE ATT&CK Enterprise Technique Library 251
MITRE ATT&CK ICS Technique Library 252
NIST Control Library 252

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 5

The Cameo Safety and Reliability Analyzer Plugin provides risk analysis during the entire product
modeling process. For now, the plugin is designed to analyze risks in the modeling of medical devices
and is build on the Medical devices – Application of risk management to medical devices (ISO
14971:2007, Corrected version 2007-10-01) standard.

Risk analysis adds the following value:

• Ability to demonstrate that risks are addressed by safety requirements/risk control measures.
• Increased agility between Risk/Hazard Analysis, Design, and FMEA: a frequent exchange of
information between risks/hazards and FMEA cross-functional teams, along with shorter
development cycles followed by shorter risk analysis and FMEA.
• Ensured traceability of risks to requirements, design elements, critical quality attributes (CQA)
and other artifacts, traceability from design elements to FMEA, two-way traceability between
FMEA and risks/hazard analysis.
• Performing safety analysis: automatic Risk Score Number calculations, and risk reduction
analysis.
• Impact Analysis: validation rules highlight risks with high or medium risk score, risks without
risk control measures, failure modes that need attention from hazard analysis cross-functional
team and have not been addressed yet, etc.
The Cameo Safety and Reliability Analyzer Plugin can be used together with the ISO 26262 Functional
Safety Plugin (see page 58). The plugin supports the ISO 26262 standard which is derived from IEC 61508.
ISO 26262 is intended for electric and/or electronic systems in production vehicles. This includes driver
assistance, propulsion, and vehicle dynamics control systems. The goal of ISO 26262 is to ensure safety
throughout the lifecycle of automotive systems and equipment.

Risk Analysis and Assessment Modeling Language (RAAML)1 is an extension of SysML that supports
safety and reliability analysis. RAAML is a set of 7 profiles and 6 libraries. These profiles and libraries are
divided mainly into 4 separate domains: FMEA, FTA, ISO 26262, and STPA. There are also sets of Core
and General profiles and libraries. These sets can be used as they are or you can derive your own set of
safety and reliability methodologies and stereotypes based on the domain and usage. For example, the
Systems Cybersecurity Designer plugin is based on RAAML, but stereotypes and methodologies are
created with the help of available profiles and libraries. The three plugins present in this guide, ISO
26262, Systems Cybersecurity Designer, and Fault Tree Analysis, are based on the RAAML 1.0 standard.

To learn more about the product, see:

• Introduction to Cameo Safety and Reliability Analyzer (see page 7)

• Installation, licensing, and system requirements (see page 8)
• Getting started (see page 9)
• Reliability analysis using FMEA (see page 18)
• Safety analysis (see page 27)
• Additional features (see page 39)
• Customizing Safety Analysis and FMEA configurations (see page 48)
• Fault Tree Analysis (see page 50)
• ISO 26262 Functional Safety (see page 58)
• Systems Cybersecurity Designer (see page 123)

Docs of other versions

1 https://www.omg.org/spec/RAAML/1.0/Beta2/About-RAAML

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 6

 • Cameo Safety and Reliability Analyzer 2022x2
• Cameo Safety and Reliability Analyzer 2021x Refresh23
• Cameo Safety and Reliability Analyzer 2021x Refresh14
• Cameo Safety and Reliability Analyzer 2021x5
• Cameo Safety and Reliability Analyzer 19.0 SP46
• Cameo Safety and Reliability Analyzer 19.0 SP37
• Cameo Safety and Reliability Analyzer 19.0 SP28
• Cameo Safety and Reliability Analyzer 19.0 SP19
• Cameo Safety and Reliability Analyzer 19.010

Introduction to Cameo Safety and Reliability

Analyzer
The Cameo Safety and Reliability Analyzer Plugin provides risk analysis during the entire product
modeling process. For now, the plugin is designed to analyze risks in the modeling of medical devices
and is build on the Medical devices – Application of risk management to medical devices (ISO
14971:2007, Corrected version 2007-10-01) standard.

Risk analysis adds the following value:

• Ability to demonstrate that risks are addressed by safety requirements/risk control measures.
• Increased agility between Risk/Hazard Analysis, Design, and FMEA: a frequent exchange of
information between risks/hazards and FMEA cross-functional teams, along with shorter
development cycles followed by shorter risk analysis and FMEA.
• Ensured traceability of risks to requirements, design elements, critical quality attributes (CQA)
and other artifacts, traceability from design elements to FMEA, two-way traceability between
FMEA and risks/hazard analysis.
• Performing safety analysis: automatic Risk Score Number calculations, and risk reduction
analysis.
• Impact Analysis: validation rules highlight risks with high or medium risk score, risks without
risk control measures, failure modes that need attention from hazard analysis cross-functional
team and have not been addressed yet, etc.
The Cameo Safety and Reliability Analyzer Plugin can be used together with the ISO 26262 Functional
Safety Plugin (see page 58). The plugin supports the ISO 26262 standard which is derived from IEC 61508.
ISO 26262 is intended for electric and/or electronic systems in production vehicles. This includes driver
assistance, propulsion, and vehicle dynamics control systems. The goal of ISO 26262 is to ensure safety
throughout the lifecycle of automotive systems and equipment.

Risk Analysis and Assessment Modeling Language (RAAML)11 is an extension of SysML that supports
safety and reliability analysis. RAAML is a set of 7 profiles and 6 libraries. These profiles and libraries are
divided mainly into 4 separate domains: FMEA, FTA, ISO 26262, and STPA. There are also sets of Core
and General profiles and libraries. These sets can be used as they are or you can derive your own set of
safety and reliability methodologies and stereotypes based on the domain and usage. For example, the
Systems Cybersecurity Designer plugin is based on RAAML, but stereotypes and methodologies are

2 https://docs.nomagic.com/display/CSRA2022x/Cameo+Safety+and+Reliability+Analyzer
3 https://docs.nomagic.com/display/CSRA2021xR2/Cameo+Safety+and+Reliability+Analyzer
4 https://docs.nomagic.com/display/CSRA2021xR1/Cameo+Safety+and+Reliability+Analyzer
5 https://docs.nomagic.com/display/CSRA2021x/Cameo+Safety+and+Reliability+Analyzer
6 https://docs.nomagic.com/display/CSRA190SP4/Cameo+Safety+and+Reliability+Analyzer
7 https://docs.nomagic.com/display/CSRA190SP3/Cameo+Safety+and+Reliability+Analyzer
8 https://docs.nomagic.com/display/CSRA190SP2/Cameo+Safety+and+Reliability+Analyzer
9 https://docs.nomagic.com/display/CSRA190SP1/Cameo+Safety+and+Reliability+Analyzer
10 https://docs.nomagic.com/display/CSRA190/Cameo+Safety+and+Reliability+Analyzer
11 https://www.omg.org/spec/RAAML/1.0/Beta2/About-RAAML

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 7

created with the help of available profiles and libraries. The three plugins present in this guide, ISO
26262, Systems Cybersecurity Designer, and Fault Tree Analysis, are based on the RAAML 1.0 standard.

To learn more about the product, see:

• Introduction to Cameo Safety and Reliability Analyzer (see page 7)

• Installation, licensing, and system requirements (see page 8)
• Getting started (see page 9)
• Reliability analysis using FMEA (see page 18)
• Safety analysis (see page 27)
• Additional features (see page 39)
• Customizing Safety Analysis and FMEA configurations (see page 48)
• Fault Tree Analysis (see page 50)
• ISO 26262 Functional Safety (see page 58)
• Systems Cybersecurity Designer (see page 123)

Docs of other versions

• Cameo Safety and Reliability Analyzer 2022x1213

• Cameo Safety and Reliability Analyzer 2021x Refresh21415
• Cameo Safety and Reliability Analyzer 2021x Refresh11617
• Cameo Safety and Reliability Analyzer 2021x1819
• Cameo Safety and Reliability Analyzer 19.0 SP42021
• Cameo Safety and Reliability Analyzer 19.0 SP32223
• Cameo Safety and Reliability Analyzer 19.0 SP22425
• Cameo Safety and Reliability Analyzer 19.0 SP12627
• Cameo Safety and Reliability Analyzer 19.02829

Installation, licensing, and system requirements

 Software requirements
To install and use the Cameo Safety and Reliability Analyzer Plugin, the following plugins must
be installed in your modeling tool:
• SysML Plugin30

12 https://docs.nomagic.com/display/CSRA2022x/Cameo+Safety+and+Reliability+Analyzer
13 https://docs.nomagic.com/display/CSRA2022x/Cameo+Safety+and+Reliability+Analyzer
14 https://docs.nomagic.com/display/CSRA2021xR2/Cameo+Safety+and+Reliability+Analyzer
15 https://docs.nomagic.com/display/CSRA2021xR2/Cameo+Safety+and+Reliability+Analyzer
16 https://docs.nomagic.com/display/CSRA2021xR1/Cameo+Safety+and+Reliability+Analyzer
17 https://docs.nomagic.com/display/CSRA2021xR1/Cameo+Safety+and+Reliability+Analyzer
18 https://docs.nomagic.com/display/CSRA2021x/Cameo+Safety+and+Reliability+Analyzer
19 https://docs.nomagic.com/display/CSRA2021x/Cameo+Safety+and+Reliability+Analyzer
20 https://docs.nomagic.com/display/CSRA190SP4/Cameo+Safety+and+Reliability+Analyzer
21 https://docs.nomagic.com/display/CSRA190SP4/Cameo+Safety+and+Reliability+Analyzer
22 https://docs.nomagic.com/display/CSRA190SP3/Cameo+Safety+and+Reliability+Analyzer
23 https://docs.nomagic.com/display/CSRA190SP3/Cameo+Safety+and+Reliability+Analyzer
24 https://docs.nomagic.com/display/CSRA190SP2/Cameo+Safety+and+Reliability+Analyzer
25 https://docs.nomagic.com/display/CSRA190SP2/Cameo+Safety+and+Reliability+Analyzer
26 https://docs.nomagic.com/display/CSRA190SP1/Cameo+Safety+and+Reliability+Analyzer
27 https://docs.nomagic.com/display/CSRA190SP1/Cameo+Safety+and+Reliability+Analyzer
28 https://docs.nomagic.com/display/CSRA190/Cameo+Safety+and+Reliability+Analyzer
29 https://docs.nomagic.com/display/CSRA190/Cameo+Safety+and+Reliability+Analyzer
30 https://docs.nomagic.com/display/SYSMLP2024xR1/SysML+Plugin+Documentation

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 8

 • Cameo Requirements Modeler Plugin31
• Cameo Safety and Reliability Analyzer Plugin (see page 6)

For information regarding installation, licensing, and system requirements, visit the Installation,
licensing, and system requirements32 page.

Getting started
 The Cameo Safety and Reliability Analyzer plugin requires the SysML plugin (see page 9) to be
installed in your modeling tool.

Use the following procedures to install the Cameo Safety and Reliability Analyzer plugin.

To download and install a plugin via the Resource/Plugin Manager dialog

1. Start your modeling tool.

2. From the modeling tool main menu, select Help > Resource/Plugin Manager. The Resource/
Plugin Manager dialog opens and prompt you to check for the latest product updates
and resources. Click Check for Updates > Check.
3. Select the check box near the desired plugin and click Download/Install.
4. Restart your modeling tool.

To install a plugin from the downloaded archive file (zip) via the Resource/Plugin Manager dialog

1. Start your modeling tool.

2. From the main menu of a modeling tool, select Help > Resource/Plugin Manager.
3. Click the Import button to specify the downloaded plugin file location. The plugin is extracted
and installed automatically.
4. Restart your modeling tool.
Related pages

• Concepts (see page 9)

• Process description (see page 16)
• Project templates (see page 17)

Concepts
For better understanding further material, get acquainted with basic concepts of analyzing safety and
reliability.

31 https://docs.nomagic.com/display/CRMP2024xR1/Cameo+Requirements+Modeler+Plugin+Documentation
32 https://docs.nomagic.com/display/IL2024xR1/Installation%2C+licensing%2C+and+system+requirements

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 9

Risk concepts
Concept Description

Risk Combination of the probability of occurrence of harm and the severity of that harm.

Hazard
A potential source of harm.

A hazard is any source of potential damage, harm or adverse health effects on something
or someone under certain conditions at work.

Hazardous Circumstance in which people, property, or the environment are exposed to one or more
situation hazard(s).

Harm Physical injury or damage to the health of people, or damage to property or the
environment.

Severity Measure of the possible consequences of a hazard.

Probability Quantitative evaluation of a event happening.

There are two types of probabilities emphasized in ISO 14971:2012:

• P1 – probability of foreseeable sequence of events leading to hazardous

situation.
• P2 – probability that harm will occur when exposed to hazard.

Detectability Hazard detection index accounts for the likelihood of discovering and correcting a hazard
or failure mode prior to harm occurrence.

Hazard Factor rates the relative ease of mitigating a certain risk. It accounts for the associated
Correctability feasibility and effort required in reducing a particular risk to the lowest practicable level.

Product Utility Factor is meant to integrate clinical benefit into the risk score.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 10

FMEA concepts
Concept Description

Item Enter the items, interfaces, or parts which have been identified
through block diagrams, P-diagrams, schematics and other
drawings, and other analysis conducted by the team.

Failure Mode Potential failure mode is defined as the manner in which a

component, subsystem, or system could potentially fail to meet or
deliver the intended function described in the item column.

Effect of Failure Effects of failure are defined as the effects of the failure mode on
the function, as perceived by the customer(s).

Severity Severity is the value associated with the most serious effect for a
given failure mode.

Cause of Failure Potential cause of failure is defined as an indication of how the

design process could allow the failure to occur, described in terms
of something that can be corrected or can be controlled.

Occurrence Occurrence is the likelihood that a specific cause/mechanism will

occur resulting in the failure mode within the design life.

Current Design Controls Current Design Controls are those activities conducted as part of
the design process that have been completed or committed to and
that will assure the design adequacy for the design functional and
reliability requirements under consideration.

Detectability Detection is the rank associated with the best detection control
listed in the Current Design Control Detection column.

Recommended Action The intent of recommended actions is to improve the design.

Identifying these actions should consider reducing rankings in the
following order: severity, occurrence, and detection.

Responsibility Target Completion Date The name of the individual and organization which is responsible
for completing each recommended action including the target
completion date.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 11

 Concept Description

Action taken A brief description of the action taken and actual completion date.

Hazard Analysis Reference Reference to Risk.

ISO 26262 Functional Safety concepts

Concept Description

Malfunction A Malfunctioning Behavior describes a failure or unintended behavior of an item with respect to
ing Behavior its design intent. It is a subtype of a Failure Mode.

Operational An Operational Situation describes the operational scenario or driving scenario which is
Situation considered in a Hazardous Event, as part of the Hazard Analysis and Risk Assessment process.

ASIL Automotive Safety Integrity Level is one of four levels to specify the necessary requirements for
ISO-26262 and safety measures for avoiding unreasonable risks.
There are four ASILs identified by ISO 26262 - A, B, C, and D. ASIL A represents the lowest
degree, and ASIL D represents the highest degree of automotive hazard.

Exposure Exposure is the likelihood of being in a particular operational situation.

Exposure Classifications (E):
E0 Incredibly unlikely
E1 Very low probability (injury could happen only in rare operating conditions)
E2 Low probability
E3 Medium probability
E4 High probability (injury could happen under most operating conditions)

Severity "Estimate of the extent of harm."

Severity Classifications (S):

S0 No Injuries
S1 Light to moderate injuries
S2 Severe to life-threatening (survival probable) injuries
S3 Life-threatening (survival uncertain) to fatal injuries

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 12

 Concept Description

Controllabili "Ability to avoid a specified harm or damage through timely reactions of individuals involved in
ty the scenario."

Controllability Classifications (C):

C0 Controllable in general
C1 Simply controllable
C2 Normally controllable (most drivers could act to prevent injury)
C3 Difficult to control or uncontrollable

Safety Goal It represents a top-level safety requirement, defined as a result of the Hazard Analysis and Risk
Assessment process.
A safety goal is a top-level safety requirement that is assigned to a system, with the purpose of
reducing the risk of one or more hazardous events to a tolerable level.

Functional A functional safety requirement specifies an implementation independent safety behavior, or

Safety an implementation independent safety measure, required for achievement of a safety goal
Requiremen from which it is derived.
t

Technical A technical safety requirement specifies the implementation of the functional safety
Safety requirement(s) from which it is derived. Technical safety requirements express the behaviors
Requiremen and details necessary to realize the safety aspects of the item at the system level. Additional
t details that do not act at the system level can be specified in the hardware safety requirements
or software safety requirements.

Software A software safety requirement provides implementation details for software. They can express
Safety behaviors or specific software mechanisms which realize the technical safety requirements
Requiremen from which they are derived
t

Hardware A hardware safety requirement specifies hardware behaviors or hardware specific details
Safety necessary for implementing the safety concept. Hardware safety requirements are
Requiremen implementation specific and assigned to components or subcomponents.
t

ASIL An ASIL decompose relation is used to connect two safety requirements for the purposes of
Decompose performing ASIL decomposition. The target requirement (supplier) should be of a higher
relationship abstraction than the source (client). ASIL decompose relations shall be applied in pairs (e.g. a
requirement cannot be the supplier of a single ASIL decompose relation).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 13

 Concept Description

Independec A relationship between requirement elements indicating that the child requirement specifies an
e independence criteria that needs to be satisfied in order for an ASIL decomposition to be valid.
Requiremen The decomposition between the parent requirement and 2 other children requirements.
t
relationship

Safe State A state of function realized by one or more architectural components. May be composed of
serval subfunctions or called by other functions. Associated with safety specific behaviors,
typically (but not necessarily) triggered by a failure mode.

Operating A state of function realized by one or more architectural components. May be composed of
Mode serval subfunctions or called by other functions. Associated with specific behaviors.

Recovery A RecoveryRequirement relationship is a dependency between a safe state and requirement

Requiremen where the requirement indicates the criteria to recover from the safe state to another
t operational mode.

User Info "A UserInfoRequirement relationship is a dependency which links a State to a requirement. The
Requiremen arrow direction points from a state (client) to a FSR or TSR (supplier). Linked requirements
t specify information that must be presented to vehicle occupants when the vehicle enters a safe
state.
"

FTTI time-span in which a fault or faults can be present in a system before a hazardous event occurs.
fault
tolerant
time
interval

System System- or vehicle-level effect which is or could result in harm.

Level Effect

Vehicle System- or vehicle-level effect which is or could result in harm.

Level Effect

Traffic And It is used to describe the presence and behavior of any motorists or non-motorists considered
People in a hazardous event.

Vehicle It is used to describe the usage of a vehicle during a hazardous event.

Usage

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 14

 Concept Description

Road It is used to describe the conditions or state of the surface a vehicle is driving on (Low-traction,
Condition Grade(Slope), etc.) during a hazardous event.

Location It is used to describe the physical location (high speed road, intersection, parking lot, etc.) of a
vehicle during a hazardous event.

Environmen It and is used to describe the environmental conditions at the time of vehicle operation in a
tal hazardous event.
Condition

Hazardous Combination of hazard and operational situation to identify automotive safety integrity level.
Event A hazardous event is a relevant combination of a vehicle-level hazard and an operational
situation of the vehicle with potential to lead to an accident if not controlled by timely driver
action.

Hazard Potential source of harm.

Accident A combination of operational situation and malfunctioning behavior

Scenario

More This kind of malfunctioning behavior represents a failure resulting from providing more output/
behavior than required.

Less This kind of malfunctioning behavior represents a failure resulting from providing less output/
behavior than required.

No This kind of malfunctioning behavior represents a failure resulting from the behavior not being
performed when required.

Intermittent This kind of malfunctioning behavior represents a failure from the behavior being performed
intermittently.

Unintended This kind of malfunctioning behavior represents a failure resulting from the behavior being
provided when not required.

Early This kind of malfunctioning behavior represents a failure resulting from the behavior being
performed earlier than required.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 15

 Concept Description

Late This kind of malfunctioning behavior represents a failure resulting from the behavior being
performed later than required.

Inverted This kind of malfunctioning behavior represents a failure resulting from the behavior providing
an inverted output.

Related pages

• Getting started (see page 9)

• Process description (see page 16)
• Project templates (see page 17)

Process description
For analyzing the safety and reliability of your model, we recommend the following workflow:

1. Create or use an existing model of your system design. A model of your design depends on your
particular case.
2. Define failure modes of your particular case for each design element and perform the FMEA
analysis (see page 19).
3. Identify possible risks and use them for further risk analysis (see page 28).
4. Address the risks in your system design (by introducing new design elements) for controlling and
reducing potential hazards (see page 33).

The product safety analysis process is cyclic and requires constant review as depicted in the following
figure:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 16

Related pages

• Getting started (see page 9)

• Concepts (see page 9)
• Project templates (see page 17)

Project templates
You can use three predefined templates to create a project:

• FMEA Project (Failure Mode Effects Analysis Project). Select this template if you need the
reliability analysis only.
• Safety and Reliability Analysis Project (FMEA Project included). Select this template if you need
both - the FMEA and risk analysis.
• ISO 26262 Project (Functional Safety Project). Select this template if you need to perform hazard
analysis and risk assessment.
Templates contain predefined packages and diagrams to start creating your risk analysis model.
Usually, design, FMEA, Risk/Hazard Analysis, Safety Requirements packages are created.

To create a project from a template

1. Do one of the following:

• From the File menu, select New Project.
• On the main toolbar, click the New Project button.
• Press Ctrl+N.
2. When the New Project dialog opens, double-click the icon of the desired template under the
Safety and Reliability Analysis group. The project template with predefined tables, samples,
and resources opens.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 17

 3. Type a project name, specify a project location, and click OK when you are done.

1 Structure of Safety and Reliability Analysis project template

Related pages

• Getting started (see page 9)

• Concepts (see page 9)
• Process description (see page 16)

Reliability analysis using FMEA

FMEA (Failure Mode and Effect Analysis) is methodology designed:

• To identify potential failure modes for a product or process

• To assess the risks associated with these failure modes
• To rank the issues in term of importance
• To identify and carry out corrective actions to address the most serious concerns.
Related pages

• Getting started (see page 9)

• Safety analysis (see page 27)
• Additional features (see page 39)
• Customizing Safety Analysis and FMEA configurations (see page 48)

Generating FMEA Items

After linking Failure Modes to the design elements (see page 45) of your model, you can use these design
elements as the source to generate FMEA Items. Each Failure mode linked to a specific model element
should result in a new FMEA Item. Generating FMEA Items from design elements of your model saves
time and helps avoid mistakes, because some properties (such as Item, Failure Mode and Subsystem)
are specified for you.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 18

FMEA Items can be generated for:

• Actions
• Blocks
• Part Properties
• Requirements
• Operations
• Activities

To generate an FMEA Item(s)

1. In the model browser, right-click the element from which you want to generate an FMEA Item, or
right-click the shape of that element in a diagram.
2. In the menu, select Tools > Generate FMEA Item(s).

 Important
The Generate FMEA Item(s) command is only active if the element you try to generate
an FMEA Item from has at least one Failure Mode linked to it.

3. In the Select Destination Package dialog, select the package that you want to contain the newly
created FMEA Item(s).
4. Click OK.

After completing the above steps, a new FMEA Item is created for each Failure Mode linked to the
source model element. The name of the new FMEA Item is source element name + Failure. For example,
if you generate an FMEA Item from the Battery Block, the FMEA Item is named Battery Failure.

If you generate an FMEA Item from a design element of your model, the following FMEA item properties
are specified automatically:

• Item - the property value is set to the source element from which the FMEA Item is generated.
• Failure Mode - the property value is set to the Failure Mode linked to the source element.
• Subsystem - the property value is set to one of the following:
• Activity owning the Action from which the FMEA Item is generated.
• Block owning the Part from which the FMEA Item is generated.
• The owner (the Owner property value) of the Operation from which the FMEA Item is
generated.
• If the source element is other than Action, Part or Operation, the Subsystem property is
not specified.
Related pages

• Reliability analysis using FMEA (see page 18)

• Describing FMEA Items (see page 19)
• Cloning FMEA Table rows (see page 25)

Describing FMEA Items

On this page

• Creating an FMEA Table (see page 24)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 19

 • Adding FMEA Items to an FMEA Table (see page 24)

FMEA Items should be described in an FMEA Table. Since FMEA Tables are based on Generic
Tables33, the toolbar34 and the Criteria area35 work in the same manner.

An FMEA Table allows you to analyze the reliability aspect of your model, and provides you with a
convenient way to fill in FMEA Item information using a spreadsheet-like tabular format. Each row in a
table represents an FMEA Item. Table columns represent the properties of FMEA Items. In an FMEA
Table, you can:

• Create a new FMEA Item directly in a table or add an existing one.

• Directly edit the properties of FMEA Items in a table.
• Generate an FMEA analysis report, and export a table into a CSV or HTML file format.

An FMEA Table has the following columns:

Table column Description

name

Id An FMEA Item ID.

Name The name of an FMEA Item.

Classification The classification of failures (FMEA Items) by certain aspects of a system.

Item The design model element (Block, Part, Operation or Activity) undergoing analysis related to
a particular FMEA Item.

 Parts or Blocks?
It is recommended that you select Parts instead of Blocks, because Blocks may be
too generic.

Subsystem An element identifying the subsystem of a model to which an Item belongs. The valid values
are Parts and Blocks.

Failure Mode An element describing the specific manner in which a component, subsystem, system,
process, etc., could potentially fail to meet the design intent.

33 https://docs.nomagic.com/display/MD2024xR1/Generic+table
34 https://docs.nomagic.com/display/MD2024xR1/Table+toolbars
35 https://docs.nomagic.com/display/MD2024xR1/Table+Criteria+area

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 20

 Table column Description
name

Local Effect of An element describing the effect that a Failure Mode has on the system element under
Failure consideration. An FMEA Item, e.g, a single row of an FMEA Table, can have multiple Local
Effects of Failure.

Final Effect of An element describing the effect that Failure Mode has on an end user or environment. You
Failure can specify multiple Final Effect of Failure values for a single FMEA Item.

Every Final Effect of Failure can have a default severity value assigned as its property. To
assign a value, open the Specification window36 of a Final Effect of Failure, and set the
desired Severity value.

 Adding severity values

If you add a Final Effect of Failure with a specified severity value to a certain row of
an FMEA Table for the first time, the value is automatically entered into the
appropriate cell of the SEV column. The value is entered even if the cell already has a
value specified. You can manually change the severity value that was automatically
added to an FMEA Table. This action does not change the default severity value
assigned to this specific Final Effect of Failure element.

SEV A property describing the assessment of the severity of the effect(s) of a potential Failure
Mode on a component, subsystem, end-user, or environment. The valid values of this
property are 1 to 4 (lowest to highest severity).

Click an appropriate cell to select its value from a drop-down list.

Cause of An element indicating the design weakness causing a Failure Mode. An FMEA Item, e.g., a
Failure single row of an FMEA Table, can have multiple Causes of Failure.

Every Cause of Failure can have a default occurrence and/or detectability value(s) assigned as
its property(ies). To assign an occurrence or value, open the Specification window37 of a
Cause of Failure, and set the desired Occurrence and/or Detectability value(s).

 Adding occurrence and detectability values

If you add a Cause of Failure with a specified occurrence or detectability value (or
both) to a certain row of an FMEA Table for the first time, this value is automatically
entered into an appropriate cell of the OCC or DET column. The value is entered
even if the cell already has a value specified. You can manually change the
occurrence or detectability value that was automatically added to an FMEA Table.
This action does not change the default occurrence or detectability value assigned
to the specific Cause of Failure element.

36 https://docs.nomagic.com/display/MD2024xR1/Specification+window
37 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 21

 Table column Description
name

OCC Occurrence (OCC) is a property showing the likelihood that a specific Cause of Failure will
occur. The valid values of this property are 1 to 5 (lowest to highest probability of
occurrence).

Click an appropriate cell to select its value from a drop-down list.

Prevention A Prevention Control element describes the measures for preventing the occurrence of a
Control possible Failure Mode. A Detection Control element describes the measures for detecting a
Failure Mode, if it occurs. You can specify multiple Prevention and Detection Control values
and for a single FMEA Item.

Detection
Control  Reusing Prevention and Detection Control values
In an FMEA Table, each Prevention Control and Detection Control value is usually
related to a specific Cause of Failure. After adding a Cause of Failure to a specific row
of a table, you can quickly reuse the Prevention Control and/or Detection Control
value(s) associated with it in another row of the same table. To reuse the values:
1. Right-click the row where you want to reuse a previously associated
Prevention Control and/or Detection Control value(s). This row should
already have a Cause of Failure element specified.
2. From the open menu, select Reuse Design Controls. If the Cause of
Failure has a reusable Detection Control and/or Prevention Control
element(s), the Reuse Design Controls dialog opens.
3. In the open dialog, select the element(s) you want to reuse as
Prevention Control and/or Detection Control value(s), and click OK.

DET Detectability (DET) measures the likelihood of discovering a possible failure prior to its
occurrence. The valid values of this property are 1 to 5 (highest to lowest detectability).

Click an appropriate column cell to select its value from a drop-down list.

OxD The product of OCC and DET ratings.

RPN A risk priority number is a derived property calculated by using a customizable function. By
default, the function includes SEV, OCC, and DET values.

Hazard The Hazard Analysis Reference to a Safety Analysis Item shows that the safety aspect has
Analysis been analyzed for this particular FMEA Item.
Reference

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 22

 Table column Description
name

Required A property indicating whether or not an FMEA Item requires hazard analysis. The valid values
Hazard of this property are true or false. If you create your project using the Safety and Reliability
Analysis Analysis Project template, the FMEA Items marked as requiring hazard analysis are added to
the FMEAs to Be Analyzed package. If not, you must configure a Smart Package to manually
filter these elements. When a specific FMEA Item is addressed in a Safety Analysis Item, it is
removed from the FMEAs to Be Analyzed package after refreshing your model.

Recommende The description of a recommended action that will reduce RPN. All critical or significant
d Action failures (FMEA Items) should have recommended actions associated with them.
Recommended actions should be focused on design, and directed towards mitigating the
Cause of Failure or eliminating the Failure Mode.

Mitigation The reference to any element that mitigates a failure.

Responsibility A property indicating the person responsible for completing a Recommended Action.

Target A property defining the completion date of a Recommended Action. The value of the Target
Completion Completion Date property can be specified in the Date and Time Settings dialog38.
Date

Action Taken A property describing what actions have been taken and the results of these actions.

Reduced SEV A property assessing the seriousness of the effect(s) that a potential Failure Mode has on a
component, subsystem, end-user, or environment after the mitigation. The valid values of
this property are 1 to 4 (lowest to highest severity).

Click an appropriate column cell to select its value from a drop-down list.

Reduced OCC Reduced occurrence is a property showing the likelihood that a specific Cause of Failure will
occur after the mitigation. The valid values of this property are 1 to 5 (lowest to highest
probability of occurrence).

Click an appropriate column cell to select its value from a drop-down list.

Reduced DET Reduced detectability measures the likelihood of discovering a possible failure after the
mitigation. The valid values of this property are 1 to 5 (highest to lowest detectability).

Click an appropriate column cell to select its value from a drop-down list.

38 https://docs.nomagic.com/display/MD2024xR1/Setting+date+and+time

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 23

 Table column Description
name

Reduced OxD The product of the Reduced OCC and Reduced DET ratings.

Reduced RPN A reduced risk priority number is a derived property calculated by using a customizable
function. By default, the function includes Reduced SEV, Reduced OCC, and Reduced DET
values.

Creating an FMEA Table

To keep your model clean and simple, you should create an FMEA Table in the package that contains
FMEA Items that are to be included in the table.

To create an FMEA Table

1. Do one of the following:

• Right-click the Package in which you want to create an FMEA Table, and select Create
Diagram from the menu.
• Select the Package in which you want to create an FMEA Table, and click the Create
Diagram button on the main toolbar.
2. Click FMEA Table under the Safety and Reliability Analysis group.
3. If needed, change the name of the newly created FMEA Table.
A new FMEA Table has been created in the selected Package. Now you should add FMEA Items to the
table, as described in the next section.

Adding FMEA Items to an FMEA Table

There are two ways to add FMEA Items to an FMEA Table:

• Create new FMEA Items directly in the table.

• Add existing FMEA Items to the table.

To create a new FMEA Item in an FMEA Table

• Do one of the following:

• Click the Add New button on the table toolbar.
• Press Insert (Cmd+I on Mac OS).

A row containing a newly created FMEA Item is added at the end of the table. In the model browser, the
FMEA Item is placed in the Package containing the related FMEA Table. Now you can define the FMEA

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 24

Item directly in the table by double-clicking an appropriate cell.

 Model structure information

To have a clear model structure, you should create FMEA Items in dedicated Packages.

To add an existing FMEA Item to an FMEA Table

1. Do one of the following:

• Click the Add Existing button on the table toolbar.
• Press Ctrl+Insert (Cmd+E on Mac OS).
2. In the open dialog, select the FMEA Item you want to add to the table. To select multiple
elements39, click , and add the desired FMEA Items to the Selected
elements area on the right side of the dialog.
3. Click OK.

 Productivity tip
To make your work quicker, you can add existing FMEA Items to an FMEA Table by dragging
them directly to the table. Simply select one or more FMEA Items in the model browser and
drag them to an FMEA Table. New rows for the added elements are created automatically.

Selected FMEA Items are added to the FMEA Table as new rows. You can change the properties of the
added elements directly in the table by double-clicking an appropriate cell.

Related pages

• Reliability analysis using FMEA (see page 18)

• Cloning FMEA Table rows (see page 25)

Cloning FMEA Table rows

Usually, FMEA Tables contain a number of rows that only slightly differ from each other. To create new
rows more quickly, you can clone existing FMEA Table rows with their column values. The cloning
feature allows you to clone one or multiple rows at a time, and select which column values should be
cloned.

To clone existing FMEA table rows

1. Select The FMEA Table row(s) you want to clone. To select multiple rows, hold down the Ctrl key.
If you want to select several consecutive rows, select the first row in a sequence, then hold down
the Shift key, and select the last row in a sequence.
2. Do one of the following:

39 https://docs.nomagic.com/display/MD2024xR1/Elements+multiple+selection

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 25

 • In the table toolbar, click .
• Right-click the selected rows, and, from the menu, select Clone Row.
3. In the Select Properties dialog, select the columns you would like to clone. By default, all the
columns are selected, as shown in the figure below. To clear the check boxes of all table
columns, click Clear All, and, to select all table columns, click Select All.

4. Click OK.

After following the procedure described above, the selected rows of an FMEA Table are cloned reusing
the values of the columns selected in the Select Properties dialog. As a result, new FMEA Items are
created in the package specified as the scope of an FMEA Table, and new table rows (clones) are added
for each new FMEA Item. By default, the names of new FMEA Items are the same as the names of the
FMEA Items described in the source rows with the word clone added as a suffix. See the Name column
of the sample FMEA Table displayed below.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 26

The sample FMEA Table demonstrates the behavior of the row cloning
feature. The selected rows (highlighted in blue) have been cloned,
and each row clone appears right below the row from which it was
cloned.

 Recommendation
It is recommended that you change the names of the new FMEA Items that are created by
cloning table rows to meaningful ones.

Sample model

The model used for the figures of this page is the Medical FMEA and Hazard Analysis sample model that
comes with Cameo Safety and Reliability Analyzer plugin. To open this model do one of the following

• Download Medical FMEA and Hazard Analysis.mdzip (see page 25).

• Open the model from the <install_root>\samples\Safety and Reliability Analysis directory.
Related pages

• Reliability analysis using FMEA (see page 18)

• Describing FMEA Items (see page 19)

Safety analysis
Safety analysis should be performed by:

• Creating and describing Safety Analysis Items (see page 28) in a Risk Table.
• Creating a Risk Reduction Table (see page 33) to analyze the safety aspect of your model, both
before and after the mitigation.
• Using the FMEAs to Be Analyzed (see page 39) folder to track the FMEA Items that still require safety
analysis.
Related pages

• Getting started (see page 9)

• Reliability analysis using FMEA (see page 18)
• Additional features (see page 39)
• Customizing Safety Analysis and FMEA configurations (see page 48)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 27

Describing Safety Analysis Items
On this page

• Creating a Risk Table (see page 31)

• Adding Safety Analysis Items to a Risk Table (see page 31)

Safety Analysis Items should be described in a predefined Risk Table. Since Risk Tables are based
on Generic Tables40, the toolbar41 and the Criteria area42 work in the same manner.

A Risk Table allows you to analyze the safety aspect of your model, and provides a convenient way to
fill-in Safety Analysis Item information using a spreadsheet-like tabular format. Each row in a table
represents a Safety Analysis Item. Table columns represent the properties Safety Analysis Items. In a
Risk Table, you can:

• Create a new Safety Analysis Item directly in a table, or add an existing one.
• Edit the properties of Safety Analysis Items directly in a table.
• Generate a risk analysis report, and export a table into a CSV or HTML file format.

A Risk Table has the following columns:

Table column Description

name

Id Safety Analysis Item ID.

MHT Reference The reference to a Master Hazard Table.

FMEA Reference The reference to an FMEA Item.

Initiating Cause A short description of a Safety Analysis Item reflecting the cause of a risk.

Hazard A potential source of Harm.

40 https://docs.nomagic.com/display/MD2024xR1/Generic+table
41 https://docs.nomagic.com/display/MD2024xR1/Table+toolbars
42 https://docs.nomagic.com/display/MD2024xR1/Table+Criteria+area

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 28

 Table column Description
name

Sequence of Sequence of Events leading to a Hazardous Situation.

Events
Every Sequence of Events can have a default P1 value assigned as its property. To assign
a value, open the Specification window43 of a Sequence of Events, and set the
desired P1 value.

 Adding P1 values
If you add a Sequence of Events with a specified P1 value to a certain row of a
Risk Table for the first time, this value is automatically entered into an
appropriate cell of the P1 column. The value is entered even if the cell already
has a value specified. You can manually change the P1 value that was
automatically added to a Risk Table. This action does not change the default P1
value assigned to this specific Sequence of Events element.

Hazardous A situation in which a subject or object of the environment is exposed to one or more
Situation Hazards.

Every Hazardous Situation can have a default P2 value assigned as its property. To assign
a value, open the Specification window44 of a Hazardous Situation, and set the
desired P2 value.

 Adding P2 values
If you add a Hazardous Situation with a specified P2 value to a certain row of a
Risk Table for the first time, this value is automatically entered into an
appropriate cell of the P2 column. The value is entered even if the cell already
has a value specified. You can manually change the P2 value that was
automatically added to a Risk Table. This action does not change the default P2
value assigned to this specific Hazardous Situation element.

43 https://docs.nomagic.com/display/MD2024xR1/Specification+window
44 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 29

 Table column Description
name

Harm Damage to the health of people, damage to property or environment, or both.

Every Harm can have a default severity (S) value assigned as its property. To assign a
value, open the Specification window45 of a Harm, and set the desired Severity value.

 Adding severity values

If you add a Harm with a specified severity value to a certain row of a Risk Table
for the first time, this value is automatically entered into an appropriate cell of
the S column. The value is entered even if the cell already has a value specified.
You can manually change the severity value that was automatically added to a
Risk Table. This action does not change the default severity value assigned to
this specific Harm element.

S Severity is the quantitative evaluation of the Harm that is caused if exposed to a Hazard.
The valid values of this property are 1 to 4 (lowest to highest severity).

Click an appropriate column cell to select its value from a drop-down list.

P1 Probability of a foreseeable Sequence of Events leading to a Hazardous Situation. The

valid values of this property are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

P2 Probability of a Harm occurring when exposed to a Hazard. The valid values of this
property are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

P The function of P1 and P2.

D Detectability measures the likelihood of discovering and correcting a Hazard prior to

Harm occurrence. The valid values of this property are 1 to 5 (highest to lowest
detectability).

Click an appropriate column cell to select its value from a drop-down list.

45 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 30

 Table column Description
name

C Correctability is the rate of relative ease of mitigating a certain risk. The valid values of
this property are 1 to 5 (lowest to highest correctability).

Click an appropriate column cell to select its value from a drop-down list.

PU Product Utility shows the clinical benefits of a product taking into account the risks it
holds. The valid values of this property are 1 to 5 (highest to lowest clinical benefits that
outweigh the risks).

Click an appropriate column cell to select its value from a drop-down list.

Risk The function of P and S.

Use Related The property indicating a Hazard's relation to device usage. The values of this property
can be one or multiple Use Cases.

Creating a Risk Table

To keep your model clean and simple, create a Risk Table in the package that contains the Safety
Analysis Items to be included in the table.

To create a Risk Table

1. Do one of the following:

• Right-click the Package in which you want to create a Risk Table, and select Create
Diagram from the menu.
• Select the Package in which you want to create a Risk Table, and click the Create
Diagram button on the main toolbar.
2. Click Risk Table under the Safety and Reliability Analysis group.
3. If needed, change the name of the newly created Risk Table.

A new Risk Table is created in the selected Package. Now, you should add Safety Analysis Items to the
table, as described in the next section.

Adding Safety Analysis Items to a Risk Table

There are two ways to add Safety Analysis Items to a Risk Table:

• Create new Safety Analysis Items directly in the table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 31

 • Add existing Safety Analysis Items to the table.

To create a new Safety Analysis Item in a Risk Table

• Do one of the following:

• Click the Add New button on the table toolbar.
• Press Insert (Cmd+I on Mac OS).

A new row containing the newly created Safety Analysis Item is added at the end of the table. In the
model browser, the Safety Analysis Item is placed in the Package containing the related Risk Table. Now
you can define the Safety Analysis Item directly in the table by double-clicking an appropriate cell.

 Model structure information

To have a clear model structure, create Safety Analysis Items in dedicated Packages.

To add an existing Safety Analysis Item to a Risk Table

1. Do one of the following:

• Click the Add Existing button on the table toolbar.
• Press Ctrl+Insert (Cmd+E on Mac OS).
2. In the open dialog, select the Safety Analysis Item you want to add to the table. To select multiple
elements46, click , and add the desired Safety Analysis Items to the Selected
elements area on the right side of the dialog.
3. Click OK.

 Productivity tip
To make your work quicker, you can add existing Safety Analysis Items to a Risk Table by
dragging them directly to the table. Simply select one or more Safety Analysis Items in the
model browser, and drag them to a Risk Table. New rows for the added elements are created
automatically.

Selected Safety Analysis Item(s) are now added to the Risk Table as new row(s). You can change the
properties of the added elements directly in the table by double-clicking an appropriate cell.

Related pages

• Safety analysis (see page 27)

• Describing reduced risks (see page 33)
• FMEAs to be analyzed (see page 39)

46 https://docs.nomagic.com/display/MD2024xR1/Elements+multiple+selection

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 32

Describing reduced risks
On this page

• Creating a Risk Reduction Table (see page 37)

• Adding Safety Analysis Items to a Risk Reduction Table (see page 38)

After the mitigation phase, risks (Safety Analysis Items) can be further described in a Risk Reduction
Table. Since Risk Reduction Tables are based on Generic Tables47, the toolbar48 and the Criteria
area49 work in the same manner.

A Risk Reduction Table allows you to analyze the safety aspect of your model both before and after the
mitigation. This gives you an opportunity to evaluate the effectiveness of recommended risk reduction
actions. Each row in a table represents a Safety Analysis Item, and table columns represent the
properties of Safety Analysis Items. In a Risk Table, you can:

• Create a new Safety Analysis Item directly in a table, or add an existing one.
• Edit the properties of Safety Analysis Items directly in a table.
• Generate a risk analysis report, or export a table into a CSV or HTML file format.

A Risk Table has the following columns:

Table column Description

name

Id Safety Analysis Item ID.

FMEA The reference to an FMEA Item.

Reference

Initiating A short description of a Safety Analysis Item.

Cause

Hazard A potential source of Harm.

47 https://docs.nomagic.com/display/MD2024xR1/Generic+table
48 https://docs.nomagic.com/display/MD2024xR1/Table+toolbars
49 https://docs.nomagic.com/display/MD2024xR1/Table+Criteria+area

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 33

 Table column Description
name

Sequence of Sequence of Events leading to a Hazardous Situation.

Events
Every Sequence of Events can have a default P1 value assigned as its property. To assign a
value, open the Specification window50 of a Sequence of Events, and set the
desired P1 value.

 Adding P1 values
If you add a Sequence of Events with a specified P1 value to a certain row of a Risk
Reduction Table for the first time, this value is automatically entered into an
appropriate cell of the P1 column. The value is entered even if the cell already has a
value specified. You can manually change the P1 value that was automatically
added to a Risk Reduction Table. This action does not change the default P1 value
assigned to this specific Sequence of Events element.

Hazardous A situation in which a subject or an object of the environment is exposed to one or more
Situation Hazards.

Every Hazardous Situation can have a default P2 value assigned as its property. To assign a
value, open the Specification window51 of a Hazardous Situation, and set the
desired P2 value.

 Adding P2 values
If you add a Hazardous Situation with a specified P2 value to a certain row of a Risk
Reduction Table for the first time, this value is automatically entered into an
appropriate cell of the P2 column. The value is entered even if the cell already has a
value specified. You can manually change the P2 value that was automatically
added to a Risk Reduction Table. This action does not change the default P2 value
assigned to this specific Hazardous Situation element.

50 https://docs.nomagic.com/display/MD2024xR1/Specification+window
51 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 34

 Table column Description
name

Harm Damage to the health of people, damage to the property or environment, or both.

Every Harm can have a default severity (S) value assigned as its property. To assign a value,
open the Specification window52 of a Harm, and set the desired Severity value.

 Adding severity values

If you add a Harm with a specified severity value to a certain row of a Risk Reduction
Table for the first time, this value is automatically entered into an appropriate cell of
the S column. The value is entered even if the cell already has a value specified. You
can manually change the severity value that was automatically added to a Risk
Reduction Table. This action does not change the default severity value assigned to
this specific Harm element.

S Severity is the quantitative evaluation of the Harm that is caused if exposed to a Hazard. The
valid values of this property are 1 to 4 (lowest to highest severity).

Click an appropriate column cell to select its value from a drop-down list.

P1 Probability of a foreseeable Sequence of Events leading to a Hazardous Situation. The valid

values of this property are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

P2 Probability of a Harm occurring when exposed to a Hazard. The valid values of this property
are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

P The function of P1 and P2.

D Detectability measures the likelihood of discovering and correcting a Hazard prior to Harm
occurrence. The valid values of this property are 1 to 5 (highest to lowest detectability).

Click an appropriate column cell to select its value from a drop-down list.

C Correctability is the rate of relative ease of mitigating a certain risk. The valid values of this
property are 1 to 5 (lowest to highest correctability).

Click an appropriate column cell to select its value from a drop-down list.

52 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 35

 Table column Description
name

PU Product Utility shows the clinical benefits of a product, taking into account the risks it holds.
The valid values of this property are 1 to 5 (highest to lowest clinical benefits that outweigh
the risks).

Click an appropriate column cell to select its value from a drop-down list.

Risk A customizable function of P and S.

Risk Control A brief, qualitative description of the proposed method of risk control.
Measures
Description

Risk Control A reference to the safety requirement that mitigates the risk.
Measures

Mitigators A reference to any element that satisfies the related safety requirement.

Reduced S Reduced severity is the quantitative evaluation of the Harm that is caused if exposed to a
Hazard after the mitigation (or simply severity value after the mitigation). The valid values of
this property are 1 to 4 (lowest to highest severity).

Click an appropriate column cell to select its value from a drop-down list.

Reduced P1 Probability of a foreseeable Sequence of Events leading to a Hazardous Situation after the
mitigation. The valid values of this property are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

Reduced P2 Probability of a Harm occurring when exposed to a Hazard after the mitigation. The valid
values of this property are 1 to 5 (lowest to highest probability).

Click an appropriate column cell to select its value from a drop-down list.

Reduced P The function of Reduced P1 and Reduced P2.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 36

 Table column Description
name

Reduced D Reduced detectability measures the likelihood of discovering and correcting a Hazard prior
to Harm occurrence, but after the mitigation (or simply - detectability value after the
mitigation). The valid values of this property are 1 to 5 (highest to lowest detectability).

Click an appropriate column cell to select its value from a drop-down list.

Reduced C Correctability is the rate of relative ease of mitigating a certain risk if it is faced after the
mitigation. The valid values of this property are 1 to 5 (lowest to highest correctability).

Click an appropriate column cell to select its value from a drop-down list.

Reduced PU Reduced Product Utility shows the clinical benefits of a product taking into account the risks
it holds after the mitigation (or simply - product utility value after the mitigation). The valid
values of this property are 1 to 5 (highest to lowest clinical benefits that outweigh the risks).

Click an appropriate column cell to select its value from a drop-down list.

Reduced Risk A customizable function of Reduced P and Reduced S.

Use Related The property indicating a Hazard's relation to device usage. The values of this property can
be one or multiple Use Cases.

Creating a Risk Reduction Table

To keep your model clean and simple, create a Risk Table in the package that contains the Safety
Analysis Items to be included in the table.

To create a Risk Reduction Table

1. Do one of the following:

• Right-click the Package in which you want to create a Risk Reduction Table, and
select Create Diagram from the menu.
• Select the Package in which you want to create a Risk Reduction Table, and click
the Create Diagram button on the main toolbar.
2. Click Risk Reduction Table under the Safety and Reliability Analysis group.
3. If needed, change the name of the newly created Risk Reduction Table
A new Risk Reduction Table has been created in the selected Package. Now, you should add Safety
Analysis Items to the table, as described in the next section.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 37

Adding Safety Analysis Items to a Risk Reduction Table
There are two ways to add Safety Analysis Items to a Risk Reduction Table:

• Create new Safety Analysis Items directly in the table.

• Add existing Safety Analysis Items to the table.

To create a new Safety Analysis Item in a Risk Reduction Table

• Do one of the following:

• Click the Add New button on the table toolbar.
• Press Insert (Cmd+I on Mac OS).

A new row containing the newly created Safety Analysis Item is added at the end of the table. In the
model browser, the safety Analysis Item is placed in the package containing the related Risk Reduction
Table. Now you can define the Safety Analysis Item directly in the table by double-clicking an
appropriate cell.

 Model structure information

To have a clear model structure, create Safety Analysis Items in dedicated Packages.

To add an existing Safety Analysis Item to a Risk Reduction Table

1. Do one of the following:

• Click the Add Existing button on the table toolbar.
• Press Ctrl+Insert (Cmd+E on Mac OS).
2. In the open dialog, select the Safety Analysis Item you want to add to the table. To select multiple
elements53, click , and add the desired Safety Analysis Items to the Selected
elements area on the right side of the dialog.
3. Click OK.

 Productivity tip
To make your work quicker, you can add existing Safety Analysis Items to a Risk Table by
dragging them directly to the table. Simply select one or more Safety Analysis Items in the
model browser and drag them to a Risk Table. New rows for the added elements are created
automatically.

Selected Safety Analysis Item(s) are now added to the Risk Reduction Table as new row(s). You can
change the properties of the added elements directly in the table by double-clicking an appropriate cell.

53 https://docs.nomagic.com/display/MD2024xR1/Elements+multiple+selection

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 38

Related pages

• Safety analysis (see page 27)

• Describing Safety Analysis Items (see page 28)
• FMEAs to be analyzed (see page 39)

FMEAs to be analyzed
When you select an FMEA Item to be analyzed (the Requires Hazard Analysis property is set to true), it
is automatically included in the FMEA to be analyzed Smart Package54 predefined in the project
template (see page 17). After the safety aspect is analyzed for that FMEA Item and a particular Safety
Analysis Item is referenced to it, the FMEA Item is removed from the FMEA to be analyzed Smart
Package.
Related pages

• Safety analysis (see page 27)

• Describing Safety Analysis Items (see page 28)
• Describing reduced risks (see page 33)

Additional features
After completing the safety and reliability analysis, you can use a number of additional post-analysis
features to further analyze, manage, and trace your model by:

• Creating traceability maps (see page 39) to review the relations between Safety Analysis Items or
FMEA Items and other elements of your model.
• Performing Safety and Reliability Coverage Analysis (see page 44) to identify which design elements
are covered by safety analysis and FMEA.
• Generating reports (see page 44) from FMEA, Risk, or Risk Reduction Tables.
Related pages

• Getting started (see page 9)

• Reliability analysis using FMEA (see page 18)
• Safety analysis (see page 27)
• Customizing Safety Analysis and FMEA configurations (see page 48)

Traceability maps
On this page

• Creating traceability maps (see page 40)

• Manipulations in the Expert mode (see page 42)

Traceability maps allow you to increase the traceability between model elements. You can use this type
of map to review and analyze the relations between a Safety Analysis Item or an FMEA Item and
the entire model. A visual analysis is shown by updating and rendering the dependency tree of the
selected element according to predefined dependency criteria.

54 https://docs.nomagic.com/display/MD2024xR1/Smart+Package

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 39

The Safety and Reliability Analyzer plugin allows you to create two types of predefined traceability
maps:

• Safety Analysis Traceability Map

• Reliability Analysis Traceability Map
A Safety Analysis Traceability Map and a Reliability Analysis Traceability Map work the same way;
however, they have different context and predefined relation criteria. Essentially, these maps trace
relations of different types of model elements. A Safety Analysis Traceability Map allows you to trace
the relations between a Safety Analysis Item and other safety analysis specific model elements. A
Reliability Analysis Traceability Map allows you to trace the relations between an FMEA Item and other
reliability analysis specific model elements.

On this page, you will learn how to create traceability maps (see page 40), and define the relations
between model elements in the Expert mode (see page 42).

Creating traceability maps

To keep your model clean and simple, you should create a traceability map under the element (Safety
Analysis Item or FMEA Item depending on a traceability map), which automatically becomes
the Context of the map. Otherwise, you need to manually select the Context value.

 Note
A traceability map must have a context. A map with no context does not contain any data.
The valid value of the Context property is any Safety Analysis Item or FMEA Item (depending on
a traceability map) in your model.

The default values of all the properties of a map are specified automatically, but you can change them,
if needed.

To create a Safety Analysis Traceability Map

1. Do one of the following:

• Select the desired Safety Analysis Item, and click the Create Diagram button on the main
toolbar.
• Right-click the desired Safety Analysis Item, and select Create Diagram.
2. Select Safety Analysis Traceability Map under the Safety and Reliability Analysis group.
3. If needed, change the predefined values of the map properties. You can do this in the same way
you would change the properties of a Relation Map55.

To create a Reliability Analysis Traceability Map

1. Do one of the following:

• Select the desired FMEA Item, and click the Create Diagram button on the main toolbar.
• Right-click the desired FMEA Item, and select Create Diagram.

55 https://docs.nomagic.com/display/MD2024xR1/Specifying+criteria%2C+layout%2C+and+depth

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 40

 2. Select Reliability Analysis Traceability Map under the Safety and Reliability Analysis group.
3. If needed, change the predefined values of the map properties. You can do this in the same way
you would change the properties of a Relation Map56.

After completing the steps above, a Safety Analysis Traceability Map or Reliability Analysis Traceability
Map is created. The following figure illustrates the predefined Safety Analysis Traceability Map of the
sample insulin pump model that comes with Cameo Safety and Reliability Analyzer plugin. The
map shows the relations between a specific Safety Analysis Item of the model and Harm, Hazard,
Hazardous Situation, and other safety analysis and design elements.

This Predefined Safety Analysis Traceability Map displays the relations between
the Discharged battery leads to coma or death Safety Analysis Item and other
model elements.
By default, traceability maps show the following relations between the context element and other
elements of your model:

Safety Analysis Traceability Map Reliability Analysis Traceability Map

Safety Analysis Item -> Effected Design Elements FMEA Item -> Current Design Control

Safety Analysis Item -> New Design Elements FMEA Item -> Cause of Failure

56 https://docs.nomagic.com/display/MD2024xR1/Specifying+criteria%2C+layout%2C+and+depth

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 41

 Safety Analysis Traceability Map Reliability Analysis Traceability Map

Safety Analysis Item -> Requirements FMEA Item -> Effect of Failure

Safety Analysis Item -> FMEA Item FMEA Item -> Failure Mode

Safety Analysis Item -> Hazard FMEA Item -> Design Item

Safety Analysis Item -> Hazardous Situation FMEA Item -> Detection Control

Safety Analysis Item -> Harm FMEA Item -> Prevention Control

Safety Analysis Item -> Sequence of Events FMEA Item -> Safety Analysis Item

However, you can change the relations displayed in the map by customizing Relation Criteria in the
Expert mode.

Manipulations in the Expert mode

If the default relations displayed in a traceability map are not sufficient, the Expert mode allows you to
create new operations to represent relations between desired model elements, or to customize the
existing operations.

To create a new operation to represent a relation between model elements

1. Click next to the Relation Criteria box in the Criteria area of a map.
2. In the Relation Criteria dialog, click to enable the Expert mode.
3. On the left side of the dialog, click Create operation.
4. In the Operations area of the dialog, select the Filter operation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 42

In the Expert mode, the Relation Criteria dialog allows you to create a new Filter
operation, and define it to represent a desired relation.
After following the above procedure, a new Filter operation is created. Now, you can specify its
properties to represent the desired relation between model elements. For more information about the
properties of a Filter operation, see Built-in operations57.

Sample model

The model used for the figures of this page is the Medical FMEA and Hazard Analysis sample model that
comes with Cameo Safety and Reliability Analyzer plugin. To open this model do one of the following

• Download Medical FMEA and Hazard Analysis.mdzip (see page 39).

• Open the model from the <install_root>\samples\Safety and Reliability Analysis directory.
Related pages

• Additional features (see page 39)

• Safety and Reliability Coverage Analysis (see page 44)
• Generating reports (see page 44)
• Linking Failure Modes to model elements (see page 45)

57 https://docs.nomagic.com/display/MD2024xR1/Built-in+operations

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 43

Safety and Reliability Coverage Analysis
Safety and reliability coverage analysis is designed as a table. Thus table describes how many design
elements are covered with risks and FMEA in the model.

2 Coverage analysis table

To perform a coverage analysis

1. In your model, select a package and create a diagram58 in it. Diagram is located in the Safety and
Reliability Analysis group and is named Safety and Reliability Coverage Analysis.
2. Specify a scope for the analysis. In the Scope box, define a package wherein you want to perform
the analysis:
• You may drag a package directly from the Model Browser. In this way, only one package
can be specified for analysis.
• Click the Select Scope button located after the Scope box. In the open Select Scope
dialog, select one or more packages and click OK.
The coverage analysis table is created.

Related pages

• Additional features (see page 39)

• Traceability maps (see page 39)
• Generating reports (see page 44)
• Linking Failure Modes to model elements (see page 45)

Generating reports
You can generate reports in the .xlsx format directly from the FMEA (see page 19), Risk (see page 28), or Risk
Reductions (see page 33) tables.

58 https://docs.nomagic.com/display/MD2024xR1/Creating+diagrams

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 44

To generate a report with all data in a table

1. Open a desired table.

2. In the table toolbar, click the Report button. The Generate Report dialog opens.
3. In the open dialog, define Output Options and click Generate. The report is generated.

If you want to customize your report, you may use the Report Wizard59 to generate the report. In the
report templates list, the FMEA template and Risk and Risk reduction template are prepared
for Safety and Reliability Analysis. Using the Report Wizard, you can modify a selected template,
define variables, select objects to add to the report, and perform various other actions.

Related pages

• Additional features (see page 39)

• Traceability maps (see page 39)
• Safety and Reliability Coverage Analysis (see page 44)
• Linking Failure Modes to model elements (see page 45)

Linking Failure Modes to model elements

On this page

• Linking Failure Modes to elements in a diagram (see page 45)

• Linking Failure Modes to elements in the Specification window (see page 47)

The Cameo Safety and Reliability Analyzer plugin allows you to link Failure Modes to model elements in
any stage of the modeling process. This enables you to foresee any possible element-related Failure
Modes and add them to your model before starting actual safety and reliability analysis. Failure Modes
can be linked to the following model elements:

• Actions
• Blocks
• Part Properties
• Requirements
• Operations
• Activities
You can link Failure Modes in the following ways:

• Drag Failure Modes to an element shape in a diagram (see page 45) (recommended).
• Specify the Failure Modes property in the Specification window of an element (see page 47).

Linking Failure Modes to elements in a diagram

The easiest way to link a Failure Mode to a model element is to drag it from the containment tree in the
model browser to the desired element shape in a diagram.

59 https://docs.nomagic.com/display/MD2024xR1/Report+Wizard

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 45

To link a Failure Mode to an element in a diagram

1. Open the diagram displaying the element you want to link.

2. In the model browser, locate the desired Failure Mode, and drag it directly to the element shape.

Dragging a Failure Mode to an element shape specifies the Failure Mode as the value of the Failure
Modes property of that element. In addition, the Failure Modes property is automatically displayed in
the compartment of the element shape to which the Failure Mode was dragged, as shown in the figure
below.

In this Activity Diagram, the Read sensor value and Control insulin delivery Actions
are linked to the Drop in sensitivity and Voltage error Failure Modes.

 Usability tip
An element can be linked to multiple Failure Modes. You can either select multiple Failure
Modes and drag them to the element shape all at once, or drag the Failure Modes one by one.
The element shape is then updated and displays all linked Failure Modes.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 46

Linking Failure Modes to elements in the Specification window
Linking a Failure Mode to a model element specifies it as the property value of that element. This link
can be defined in the Specification window of the element, as described below.

To link a Failure Mode to an element in the Specification window

1. Open the Specification window60 of the element you want to link.

2. In the Properties drop-down box, select the All property display mode, if it is not already
selected.
3. In the property specification area, select the Failure Modes property specification cell, and click
.
4. In the Select Elements dialog, select the Failure Mode(s) you want to link to the element.

5. Click to add the selected Failure Mode(s) to the Selected elements area. If you want

to add all Failure Modes contained in a specific Package, select a Package and click .

 Removing links
If an an element already has a Failure Mode linked to it, you can use the Select
Elements dialog to remove the link:
a. In the Selected elements area, select the Failure Mode(s) the link(s) to which you
want to remove.
b. Click . If you want to remove the links to all the Failure Modes shown in

the Selected elements area, click .

c. Click OK, and close the Specification window.

6. Click OK.
7. Close the Specification window.

After following the steps described above, the selected Failure Modes are specified as the values of
the Failure Modes property of the desired element. In addition, the Failure Modes property is
automatically displayed on the element shape if that element is displayed in a diagram.

Related pages

• Additional features (see page 39)

• Traceability maps (see page 39)
• Safety and Reliability Coverage Analysis (see page 44)
• Generating reports (see page 44)

60 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 47

Customizing Safety Analysis and FMEA
configurations
In your safety and reliability analysis model, you can define the values and expressions for all calculable
properties, such as Correctablity, Probability, Severity, Risk Score and other. To do this, use
the Safety Analysis Configuration and FMEA Configuration elements.

Every model has predefined Safety Analysis and FMEA Configuration elements coming with the FMEA
Profile and Medical Risk Profile. However, you can create one more custom Safety Analysis
Configuration element and one more custom FMEA Configuration element. If you decide to define
custom Configuration elements, you can modify all the values and expressions used for analysis and
calculation (in this case, Configuration elements coming with predefined profiles are not used).

To create custom Configuration element

1. Create your safety and reliability analysis model or open an existing one.
2. In the Model Browser61, do one of the following:
• right-click on the package wherein you want to save a configuration and select the Create
Element command.
• select a package wherein you want to save a configuration and press Ctrl+Shift+E.
3. In the open Create Element dialog, select the Safety Analysis Configuration or FMEA
Configuration element. The selected element is created in your model.

 Tip
Start typing "conf" to filter Risk Analysis and FMEA related elements.

4. Type the element name.

5. Open the element Specification window62 and specify the values of desired properties.
6. Close the window when you are done.

To create safety analysis calculation expressions

61 https://docs.nomagic.com/display/MD2024xR1/Model+Browser
62 https://docs.nomagic.com/display/MD2024xR1/Specification+window

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 48

 1. Create (see page 48) the Safety Analysis or FMEA Configuration element and open its Specification
window.
2. Under the Safety Analysis Calculations Group, select the value box of the expression you want
to edit.
3. Click the Edit button.

4. In the open dialog, select an operation and specify criteria63 by modifying a predefined
expression.

 Note
By default, custom Configuration elements already have predefined expressions. So if a
certain predefined expression meets your needs, you don't need to modify it.

5. When you are done, click OK and close the Specification window.
Related pages

• Getting started (see page 9)

• Reliability analysis using FMEA (see page 18)
• Safety analysis (see page 27)
• Additional features
(see page 39)
• Getting started with specifying criteria64

63 https://docs.nomagic.com/display/MD2024xR1/Getting+started+with+specifying+criteria
64 https://docs.nomagic.com/display/MD2024xR1/Getting+started+with+specifying+criteria

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 49

Fault Tree Analysis
The Fault Tree Analysis method is mainly used in safety and reliability engineering to understand how
systems can fail or to determine the cause of system failure. This method also determines risk rates
and identifies the best ways to reduce risk.

The Fault Tree Analysis plugin lets you create a Fault Tree Analysis diagram with the aid of different
types of events and gates. An event is a basic item representing an event or a situation which could
possibly lead to failure. A gate performs logical operations to figure out the failure reason. Generally, a
gate has multiple inputs and a single output. The Fault Tree Analysis diagram is based on the UML
Composite Structure Diagram and follows the Risk Analysis and Assessment Modeling Language
(RAAML) methods.

The Fault Tree Analysis plugin lets you import a complete Fault Tree Analysis diagram as an event in
your diagram, with the help of the Transfer In event. Fault Tree Analysis is a quantitative method;
however, the plugin also lets you specify the probabilities of basic events. The probabilities of
intermediate and top events are automatically calculated once you run the simulation with the help of
the Cameo Simulation Toolkit. The fault tree can be simulated directly as-is. Also, the tree can be
instantiated and multiple simulations can be run. You can interconnect the Fault Tree Analysis diagram
and the main system model in the same project, with the help of Dependency matrices and Relevant To
relationships. Additionally, you can create Libraries of typical failure types and reuse them across
multiple projects.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 50

 Fault Tree Analysis diagram.

 Prerequisites
To install and use the Fault Tree Analysis plugin, ensure that the following plugins are installed
in your modeling tool:
• Cameo Safety and Reliability Analyzer
• ISO 26262 plugin
• Cameo Simulation Toolkit

 You only need the Cameo Simulation Toolkit plugin to calculate the probabilities of the
Intermediate and Top Events.

Fault Tree Analysis Diagram

• Creating a Fault Tree Analysis Diagram (see page 52)
• Adding a Fault Tree Event in the Fault Tree Analysis Diagram (see page 53)
• Adding a Fault Tree Gate in the Fault Tree Analysis Diagram (see page 54)
• Adding probability to the Fault Tree Event (see page 55)
• Calculating the probability of the Intermediate and Top Event (see page 57)
• Interconnecting the Fault Tree Analysis diagram with the System Model (see page 57)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 51

Creating a Fault Tree Analysis Diagram
To create a Fault Tree Analysis Diagram

1. In the Containment Tree, find the required package and select Create Diagram.

2. Do one of the following:

• In the dialog, expand Safety and Reliability Analysis and select Fault Tree Analysis
Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 52

 • In the search tab, type the keyword "fault" and then select Fault Tree Analysis Diagram.

Adding a Fault Tree Event in the Fault Tree Analysis Diagram

To add a Fault Tree Event in the Fault Tree Analysis Diagram

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 53

 • From the Fault Tree Event pane, drag and drop any event in the diagram pane of the modeling
tool.

 You can import a complete Fault Tree Analysis Diagram with the help of the Transfer In event.

Adding a Fault Tree Gate in the Fault Tree Analysis Diagram

To add a Fault Tree Gate in the Fault Tree Analysis Diagram

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 54

 • From the Fault Tree Gate pane, drag and drop any gate in the diagram pane of the modeling tool.

Adding probability to the Fault Tree Event

To add probability to the Fault Tree Event

1. From the Fault Tree Properties pane, drag and drop Define Basic Event Probability in any Fault
Tree Event.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 55

 2. Double-click the probability to open the Specification of Value Property probability window and
enter the probability value in the Default Value tab.

The probability value will be displayed in the Fault Tree Analysis Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 56

  The probability value of the Basic events will be used to calculate the probabilities of the
Intermediate and Top events.

Calculating the probability of the Intermediate and Top Event

To calculate the probability of the Intermediate and Top Event

• Click the Run button in the diagram toolbar to run the simulation. The probabilities for the
Intermediate and Top Events will be calculated automatically.

Interconnecting the Fault Tree Analysis diagram with the System

Model
To Interconnect the Fault Tree Analysis diagram with the System Model

• Use the dependency matrices to establish a connection between the Fault Tree Analysis diagram
and the System Model. All created events should be connected with the system model using the
Relevant To relationship.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 57

  Reference
• To learn more about simulation, refer to Cameo Simulation Toolkit Documentation65.
• To learn more about dependency matrices, refer to Dependency Matrix66.

ISO 26262 Functional Safety

The ISO 26262 Functional Safety Plugin supports the ISO 26262 standard which is intended for electric
and/or electronic systems in production vehicles. This includes driver assistance, propulsion, and

65 https://docs.nomagic.com/display/CST2024xR1/Cameo+Simulation+Toolkit+Documentation
66 https://docs.nomagic.com/display/MD2024xR1/Dependency+Matrix

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 58

vehicle dynamics control systems. The goal of ISO 26262 is to ensure safety throughout the lifecycle of
automotive systems and equipment.

The International Organization for Standardization (ISO) put forth ISO 26262 for road vehicle functional
safety. The standard was created to help avoid the risk of systematic failures and random hardware
failures through feasible requirements and processes. ISO 26262 is a risk-based safety standard that’s
derived from IEC 61508. The standard is comprised of 10 parts that span the breadth of the automotive
safety lifecycle including management, development, production, operation service and
decommissioning.

The ISO 26262 Functional Safety plugin directly covers the following parts of the standard:

3-7 Hazard analysis and Risk assessment

Exposes all hazards and determines the risk involved. A safety goal with an assigned Automotive Safety
Integrity Level (ASIL) is the result of performing Hazard Analysis and Risk Assessment (HARA).

3-8 Functional Safety Concept

The Functional Safety Concept encompasses functional implementation of independent requirements
on the safety of an item. It refines safety goals by defining safety goals attributes and establishes the
link between functional safety requirements and the preliminary architecture.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 59

 The ISO 26262 standard structure.

Tables and diagrams

To learn more about tables and diagrams of the ISO 26262 Plugin, see:

• HazOp Table (see page 61)

• Operational Conditions Table (see page 65)
• Operational Situations Table (see page 70)
• Accident Scenarios Table (see page 75)
• Effects Table (see page 82)
• Hazards Table (see page 87)
• HARA Table (see page 90)
• Safety Requirement Diagram (see page 97)
• Generic Safety Table (see page 102)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 60

HazOp Table
On this page

• Creating a HazOp Table (see page 61)

• Creating Malfunctioning Behaviors (see page 62)

A HazOp Table allows you to perform hazards and operability analysis which is a common hazard
analysis method for complex systems. In the HazOp Table, you can identify the Malfunctioning
Behaviors for each function of your system.

An example of a HazOp Table.

Creating a HazOp Table

You can create a HazOp table as described below.

 Supported element types

A HazOp table supports three element types: Activity, Use Case, and Class. If you want to use a
different system function type, you can extend the default type list by using customization (see
page 117).

To create a HazOp Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then select HazOp Table in the
open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram and
select HazOp Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 61

 3. Type the name of the table and press Enter.
4. To specify the scope of the table, drag the Package containing system functions from the
Containment tree to the Scope box.
5. To specify the type of your system functions, drag any system function from the Containment
tree to the Element Type box.

After you create a HazOp Table with the system functions displayed in it, you can start creating
Malfunctioning Behaviors, as described in the section below.

Creating Malfunctioning Behaviors

There are two ways to create Malfunctioning Behaviors:

• Create Malfunctioning Behaviors in the Containment tree and add them to a HazOp Table.
• Create Malfunctioning Behaviors right in a HazOp Table.

 Identifying Malfunctioning Behaviors

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 62

 To help identify Malfunctioning Behaviors in a HazOp Table, you can use eight predefined table
columns (guide words): More, Less, Unintended, Late, Early, Inverted, Late, and No.

To create a Malfunctioning Behavior in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select Malfunctioning Behavior.

3. Type the name of the element and press Enter.

4. To assign the Malfunctioning Behavior to a system function, drag it from the Containment tree to
the desired cell of the HazOp Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 63

To create a Malfunctioning Behavior in a HazOp Table

1. In a HazOp Table, double-click the cell for which you want to create a Malfunctioning Behavior
and click .
2. In the Select Elements dialog, enable the Creation Mode if it is not enabled yet.
3. In the element tree on the left side of the dialog, select the owner of a new element and click the
Create button.
4. When the Specification window of the created element opens, enter the element name and close
the Specification window. The element is created and automatically added to the selected
elements area on the right side of the Select Elements dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 64

  Adding additional Malfunctioning Behavior
To add an additional Malfunctioning Behavior to the related table cell, double-click that
element in the element tree on the left side of the Select Elements dialog. To find the
element quicker, go to the List tab displaying the list of all the Malfunctioning Behaviors
of your model.

5. Click OK to close the Select Elements dialog.

Operational Conditions Table

On this page

• Creating an Operational Conditions Table (see page 66)

• Creating Operational Conditions (see page 68)

An Operational Conditions Table allows you to define and manage various Operational Conditions that
will be used as a part of an Operational Situation. Essentially, the Operational Conditions table acts as a
library for functional safety analysis. To identify Operational Conditions, you can use five predefined
Operational Condition groups: Location, Road Condition, Traffic and People, Vehicle Usage, and
Environmental Condition. If you want to define an additional group, extend the group list by extending
the ISO 26262 library (see page 119).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 65

 An example of Operational Conditions Table.

Creating an Operational Conditions Table

Create an Operational Conditions Table as described below.

To create an Operational Conditions Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then
select Operational Conditions Table in the open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram and
select Operational Conditions Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 66

  Enable the Expert mode
To be able to create an Operational Conditions Table, you need to enable the
Expert mode.

3. When the table is created, type the name of the table and press Enter.

After completing the above steps, an Operational Conditions Table with five predefined Operational
Condition groups is created. The scope and element type of the table are already specified for you.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 67

Creating Operational Conditions
There are two ways to create an Operational Condition: you can do it right in an Operational Conditions
Table or in the Containment tree.

To create an Operational Condition in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select the Operational Condition group (Vehicle Usage, Traffic and People,
Location, Road Condition, or Environmental Condition) for which you want to create an
Operational Condition.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 68

 3. When an Operational Condition is created, type the name of the element and press Enter.

When you create an Operational Condition in the model browser, it is automatically added to an
Operational Conditions Table if it exists.

To create an Operational Condition in an Operational Conditions Table

1. In an Operational Conditions Table, select the Operational Condition group (Vehicle

Usage, Traffic and People, Location, Road Condition, or Environmental Condition) for which
you want to create an Operational Condition or select an existing element in that group.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 69

 2. Do one of the following:
• In the table toolbar, click to create an element of the same level as the one you have
selected.
• In the table toolbar, click to create an element nested under the selected element.
3. Type the name of the new element and press Enter.

Operational Situations Table

On this page

• Creating Operational Situations Table (see page 70)

• Creating Operational Situations (see page 71)
• Defining Operational Situations (see page 73)

An Operational Situations Table allows you to define and manage various Operational Situations as a
combination of Operational Conditions. The sections below explain how to create Operational
Situations and how to assign the Exposure level, along with various Operational Conditions.

An example of an Operational Situations Table.

Creating Operational Situations Table

You can create an Operational Situations Table as described below.

To create an Operational Situations table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then
select Operational Situations Table in the open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram, and
select Operational Situations Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 70

 3. When the table is created, type the name of the table and press Enter.

After following the above steps, an Operational Situations Table is created. The scope and element type
of the table are already specified for you.

Creating Operational Situations

There are two ways to create an Operational Situation: you can do it right in an Operational Situations
Table or in the Containment tree.

To create an Operational Situation in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select Operational Situation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 71

 3. When an Operational Situation is created, type the name of the element and press Enter.

When you create an Operational Situation in the Containment tree, it is automatically added to an
Operational Situations Table if it exists.

To create an Operational Situation in an Operational Situations Table

1. In an Operational Situations Table, select a table row.

2. Do one of the following:
• In the table toolbar, click Add Sibling to create an element of the same level as the one
you have selected.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 72

 • In the table toolbar, click Add Nested to create an element nested under the selected
element.

3. Type the name of the new element and press Enter.

When you create an Operational Situation and add it to an Operational Situations Table, you need to
define the element as described below.

Defining Operational Situations

After creating an Operational Situation, you need to define its Exposure level which allows you to
estimate the probability of the vehicle being in a hazardous or risky situation. Also, you need to specify
the Operational Conditions associated with the Operational Situation.

To define an Exposure level

1. In an Operational Situations Table, double-click the cell of the Exposure column and select the
desired exposure level from the list.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 73

 2. Double-click the Justification of Exposure cell and write the justification explaining the selected
Exposure level.

To assign Operational Conditions

1. Double-click the cell of the column representing the desired Operational Condition group and
click .
2. On the left side of the Select Elements dialog, open the List tab.
3. Double-click the Operational Conditions you want to assign. The elements should be added to
the selected elements area on the right side of the dialog.

4. Click OK.
5. Repeat the steps from 1 to 4 to assign the Operational Conditions of other groups.

 You can also drag and drop the Operational Conditions from the Containment tree to the
Operational Situations Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 74

Accident Scenarios Table
On this page

• Creating Accident Scenarios Table (see page 76)

• Creating Accident Scenarios (see page 77)
• Defining Accident Scenarios (see page 79)
• Assigning a Malfunctioning Behavior (see page 80)
• Assigning Operational Situations (see page 80)

An Accident Scenarios Table allows you to define Accident Scenarios as a combination of

Malfunctioning Behaviors and Operational Situations. The sections below explain how to create
Accident Scenarios and assign the Controllability level, Malfunctioning Behavior, and Operational
Situations.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 75

 An example of an Accident Scenarios Table.

Creating Accident Scenarios Table

You can create an Accident Scenarios Table as described below.

To create an Accident Scenario Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then select Accident Scenarios
Table in the open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram, and
select Accident Scenarios Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 76

 3. When the table is created, type the name of the table and press Enter.

After following the above steps, an Accident Scenarios Table is created. The scope and element type of
the table are already specified for you.

Creating Accident Scenarios

There are two ways to create an Accident Scenario: you can do it right in an Accident Scenarios Table or
in the Containment tree.

To create an Accident Scenario in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select Accident Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 77

 3. When an Accident Scenario is created, type the name of the element and press Enter.

When you create an Accident Scenario in the model browser, it is automatically added to an Accident
Scenarios Table if it exists.

To create an Accident Scenario in an Accident Scenario Table

1. In an Accident Scenarios Table, select a table row.

2. Do one of the following:
• In the table toolbar, click Add Sibling to create an element of the same level as the one
you have selected.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 78

 • In the table toolbar, click Add Nested to create an element nested under the selected
element.

3. Type the name of the new element and press Enter.

When you create an Accident Scenario and add it to an Accident Scenarios Table, you need to define
the element as described in the section below.

Defining Accident Scenarios

After creating an Accident Scenario, you need to define its Controllability level which allows you to
estimate the probability of avoiding the specified harm or damage. Also, you have to assign a
Malfunctioning Behavior and Operational Situations to the Accident Scenario.

To define a Controllability level

1. In an Accident Scenarios Table, double-click the cell of the Controllability column and select the
desired Controllability level from the list.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 79

 2. Double-click the cell of the Justification of Controllability column and write the justification to
explain the selected Controllability level.

Assigning a Malfunctioning Behavior

1. In an Accident Scenarios Table, double-click the cell of the Malfunctioning Behavior column and
click .
2. On the left side of the Select Elements dialog, open the List tab.
3. Select the Malfunctioning Behavior you want to assign and click OK.

 You can also drag and drop the Malfunctioning Behavior from the Containment tree to the
Accident Scenarios Table.

Assigning Operational Situations

1. In an Accident Scenarios Table, double-click the cell of the Operational Situation column and click
.
2. On the left side of the Select Elements dialog, open the List tab.
3. Double-click the Operational Situations you want to assign. The elements should be added to the
selected elements area on the right side of the dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 80

 4. Click OK.

 You can also drag and drop the Operational Situations from the Containment tree to the
Accident Scenarios Table.

 Use filters to find elements quicker

When you assign a Malfunctioning Behavior or Operational Situations, use a filter after step 2
to find elements quicker:
1. In the Select Elements dialog, click next to the Filter by ISO properties box.
2. In the Select Properties dialog, click the Value box of the property and select the
desired property value from the list.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 81

 3. Click OK.
Now the List tab displays the elements with the selected property value.

Effects Table
On this page

• Creating Effects Table (see page 83)

• Creating Effects (see page 84)
• Defining Effects (see page 86)

An Effects Table allows you to define and manage system and vehicle level effects that can result in
harm. To identify Effects, you can use two predefined Effect groups: System level effects and Vehicle
level effects. If you want to define an additional group, extend the group list by extending the ISO 26262
library (see page 119).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 82

 The example of an Effects Table.

Creating Effects Table

You can create an Effects Table as described below.

To create an Effects Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then select Effects Table in the
open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram, and
select Effects Table in an open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 83

 3. When the table is created, type the name of the table and press Enter.

After completing the above steps, an Effects Table with two predefined Effect groups is created. The
scope and element type of the table are already specified for you.

Creating Effects
There are two ways to create an Effect: you can do it right in an Effects Table or in the Containment
tree.

To create an Effect in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select the Effect group (Vehicle Level Effect or System Level Effect) for
which you want to create an Effect.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 84

 3. When an Effect is created, type the name of the element and press Enter.

When you create an Effect in the model browser, it is automatically added to an Effects Table if it exists.

To create an Effect in an Effects Table

1. In an Effects Table, select the Effects group (Vehicle Level Effect or System Level Effect) for
which you want to create an Operational Condition or select an existing element in that group.
2. Do one of the following:
• In the table toolbar, click Add Sibling to create an element of the same level as the one
you have selected.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 85

 • In the table toolbar, click Add Nested to create an element nested under the selected
element.

3. Type the name of the new element and press Enter.

Defining Effects
After creating an Effect, you need to specify its Severity level and the relevant elements associated with
the Effect.

To define a Severity level

1. In an Effects Table, double-click the cell of the Severity column and select the desired Severity
level from the list.

2. Double-click the Justification Of Severity cell and write the justification explaining the selected
Severity level.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 86

To specify relevant elements

1. In an Effects Table, double-click the cell of the Relevant Element column and click .
2. In the element tree on the left side of the Select Elements dialog, double-click the elements you
want to specify. The elements should be added to the selected elements area on the right side of
the dialog.
3. Click OK.

Hazards Table
On this page

• Creating Hazards Table (see page 87)

• Creating Hazards (see page 89)

A Hazards Table allows you to define and manage potential sources of harm that have an effect on
something or someone under certain conditions at work. Essentially, the Hazards table acts as a library
for the functional safety analysis.

An example of a Hazards Table.

Creating Hazards Table

You can create a Hazards Table as described below.

To create a Hazards Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 87

 • In the main menu, go to Diagrams > Create Diagram, then select Hazards Table in the
open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram and
select Hazards Table in the open dialog.

 Enable the Expert mode

To be able to create a Hazards Table, you need to enable the Expert mode.

3. When the table is created, type the name of the table and press Enter.

After following the above steps, a Hazards Table is created. The scope and element type of the table are
already specified for you.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 88

Creating Hazards
There are two ways to create a Hazard: you can do it right in a Hazards Table or in the Containment
tree.

To create a Hazard in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select Hazard.

3. When a Hazard is created, type the name of the element and press Enter.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 89

To create a Hazard in a Hazards Table

1. In a Hazards Table, select a table row.

2. Do one of the following:
• In the table toolbar, click Add Sibling to create an element of the same level as the one
you have selected.
• In the table toolbar, click Add Nested to create an element nested under the selected
element.
3. Type the name of the new element and press Enter.

HARA Table
On this page:

• Creating HARA Table (see page 92)

• Creating Hazardous Events (see page 93)
• Defining Hazardous Events (see page 95)

A HARA Table allows you to define Hazardous Events as a combination of Hazards, Effects and an
Accident Scenario. By default, the table shows seven columns. The rest of the columns are hidden, but
you can show them if needed.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 90

 An example of a HARA Table.

 ASIL returns a calculated value according to the specified values of Exposure,

Controllability and Severity. If there are more than one values of Severity or Exposure then
take the higher value (single value).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 91

 ASIL Table

Creating HARA Table

You can create a HARA Table as described below.

To create a HARA Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then select HARA Table in the
open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram and
select HARA Table in an open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 92

 3. When the table is created, type the name of the table and press Enter.

After completing the above steps, a HARA Table is created. The scope and element type of the table are
already specified for you.

Creating Hazardous Events

There are two ways to create a Hazardous Event: you can do it right in a HARA Table or in the
Containment tree.

To create a Hazardous Event in the Containment tree

1. In the Containment tree, right-click the owner of a new element and select Create Element.
2. In the open window, select Hazardous Event.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 93

 3. When a Hazardous Event is created, type the name of the element and press Enter.

When you create a Hazardous Event in the model browser, it is automatically added to a HARA Table if
it exists.

To create a Hazardous Event in a HARA Table

1. In a HARA Table, select a table row.

2. Do one of the following:
• In the table toolbar, click Add Sibling to create an element of the same level as the one
you have selected.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 94

 • In the table toolbar, click Add Nested to create an element nested under the selected
element.
3. Type the name of the new element and press Enter.

When you create a Hazardous Event and add it to a HARA Table, you need to define the element as
described in the section below.

Defining Hazardous Events

After creating a Hazardous Event, you need to define it by assigning an Accident Scenario, Hazards, and
Effects to the element. You also need to create and assign a Safety Goal. The Accident Scenario,
Hazards, Effects and Safety Goal also can be dragged from the Containment tree.

Dragging and dropping the Hazard in the HARA Table

To assign an Accident Scenario

1. In a HARA Table, double-click the cell the Accident Scenario column and click .
2. On the left side of the Select Element dialog, open the List tab.
3. Select the Accident Scenario you want to assign.
4. Click OK.

 Use filters to find elements quicker

When you assign a Accident Scenario, use a filter after step 2 to find elements quicker:
a. In the Select Elements dialog, click next to the Filter by ISO properties
box.
b. In the Select Properties dialog, click the Value box of a property and select the
desired property value from the list.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 95

 c. Click OK.
Now the List tab displays the elements with the selected property value.

After assigning an Accident Scenario to a Hazardous Event, the Automotive Safety Integrity Level (ASIL)
is calculated automatically.

Assigning Hazards

1. In a HARA Table, double-click the cell of the Hazard column and click .
2. On the left side of the Select Element dialog, open the List tab.
3. Double-click the Hazards you want to assign. The elements should be added to the selected
elements area.
4. Click OK.

To assign an Effect

1. In a HARA Table, double-click the cell of the column representing the group of Effects (Vehicle
Level Effects or System Level Effects) you want to assign an click .
2. On the left side of the Select Element dialog, open the List tab.
3. Double-click the Effects you want to assign. The elements should be added to the selected
elements area.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 96

 4. Click OK.

To create and assign Safety Goal

1. In a HARA Table, double-click the cell of the Safety Goal column and click .
2. In the Select Elements dialog, enable the Creation Mode if it is not enabled yet.
3. In the element tree on the left side of the dialog, select the owner of a Safety Goal and click
the Create button.
4. When the Specification window of the created element opens, enter the element name and close
the Specification window. The element is created and automatically added to the selected
elements area on the right side of the Select Elements dialog.

5. Click OK to close the Select Elements dialog.

Safety Requirement Diagram

A Safety Requirement Diagram displays safety goals, safety requirements and their relations. The main
purpose of this diagram is to create requirements that cover the safety goals defined in HARA. In this
chapter, you will learn how to derive safety requirements using the Safety Requirement Diagram and
how to assign ASIL values.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 97

 A sample Safety Requirement Diagram displaying different types of Safety
Requirements derived from a Safety Goal.

Deriving Safety Requirements

Safety Requirements are derived from Safety Goals defined in a HARA Table (see page 90). You can use the
Safety Requirement Diagram to derive four types of Safety Requirements: Functional Safety
Requirements, Technical Safety Requirements, Software Safety Requirements, and Hardware Safety
Requirements.

To derive a Safety Requirement

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 98

 1. Create a Safety Requirement Diagram67.
2. In the model browser, find the Safety Goal you want to derive a Safety Requirement from and
drag it to the diagram.
3. Create the Safety Requirement you want to derive by clicking it in the diagram palette and
clicking an empty space on the diagram pane.

 Safety Requirement types

You can create four types of Safety Requirements: Functional Safety Requirements,
Technical Safety Requirements, Software Safety Requirements, and Hardware Safety
Requirements.

4. Name the created Safety Requirement and write the requirement text.
5. Create a Derive relationship from the Safety Requirement to the Safety Goal as displayed below

After you derive a Safety Requirement, the ASIL value is automatically determined by the Safety Goal
you have derived the Requirement from. If a Safety Requirement is derived from more than one safety
goal or Safety Requirement, a higher ASIL value is set. However, you can specify a different ASIL value
than the one defined by a Derive relationship.

To change the ASIL value

67 https://docs.nomagic.com/display/MD2024xR1/Creating+diagrams

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 99

 1. Open the Specification window of the Safety Requirement for which you want to change the ASIL
value.
2. Select the property specification cell of the ASIL Override Justification property and write an
explanation why the value is changed.
3. Click the property specification cell of the ASIL property and select the desired ASIL value from
the menu.
4. Close the Specification window.

Decomposing ASIL
The Automotive Safety Integrity Level (ASIL) expresses the criticality associated with a function of the
system. It defines the safety requirements that must be fulfilled by the design and development of the
system in such a way that, even in conditions of failure, the system provides a sufficient margin of
safety for the users (driver, passengers, road traffic participants, etc.). Under certain circumstances, the
ASIL can be lowered through the technique of ASIL decomposition.

The following table displays valid ASIL decomposition combinations:

ASIL value ASIL decomposition combinations

D C(D) + A(D) B(D) + B(D) D(D) + QM(D)

D(D) C(D) + A(D) B(D) + B(D) D(D) + QM(D)

C B(C) + A(C) C(C) + QM(C)

C(D) B(D) + A(D) C(D) + QM(D)

C(C) B(C) + A(C) C(C) + QM(C)

B A(B) + A(B) B(B) + QM(B)

B(D) A(D) + A(D) B(D) + QM(D)

B(C) A(C) + A(C) B(C) + QM(C)

B(B) A(B) + A(B) B(B) + QM(B)

A A(A) + QM(A)

A(D) A(D) + QM(D)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 100

 A(C) A(C) + QM(C)

A(B) A(B) + QM(B)

A(A) A(A) + QM(A)

To decompose an ASIL value

1. In a Safety Requirement Diagram (see page 97), create two Safety Requirements and name them.
These will be the Requirements with decomposed (lower) ASIL values.
2. Create ASIl Decomposition relationships from the Safety Requirements created in the previous
step to the Safety Requirement whose ASIL value you want to decompose.
3. Right-click the shape of one of the Safety Requirements created in step 1, select ASIL, and select
the desired ASIL value for that Requirement. The ASIL value of the other Safety Requirement is
specified automatically according to the ASIL decomposition rules described in the above table.

4. In the same diagram, create one more Safety Requirement.

5. Create the Independence Req relationship from the Requirement created in the previous step to
the Safety Requirement whose ASIL value you decomposed.

After completing the above steps, your diagram should look similar to the sample diagram shown
below.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 101

 A sample Safety Requirement Diagram displaying how to decompose the ASIL
value of the Detect Deviation Safety Requirement.

Generic Safety Table

On this page

• Creating a Generic Safety Table (see page 103)

• Creating elements in a Generic Safety Table (see page 104)
• Case study: Creating Generic Safety Table for a custom element type (see page 105)

You can use a Generic Safety Table to display all relevant elements depending on the selected scope as
shown in the following figure. An element added as a scope element should extend the ISO 26262
library (e.g., Typical Automotive Situation, Accident Scenario, Hazardous Event, Automotive Effect).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 102

 An example of a Generic Safety Table

Creating a Generic Safety Table

You can create a Generic Safety Table as described below.

To create a Generic Safety Table

1. In the Containment tree, select the element that you want to be the owner of the table.
2. Do one of the following:
• In the main menu, go to Diagrams > Create Diagram, then select Generic Safety
Table in the open dialog.
• In the Containment tree, right-click the owner of the table, select Create Diagram and
select Generic Safety Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 103

 3. When the table is created, type the name of the table and press Enter.
4. Click next to the Element Type box.
5. In the Select Element Type dialog, select the types of elements you want to display in the table,
and click OK.
6. Click next to the Scope box.
7. On the left side of the Select Scope dialog, select the scope element of the table, click to add
the element to the selected elements area, and click OK.
8. Add the desired columns to the table68 (by default, a Generic Safety Table has only the Name
column).

Creating elements in a Generic Safety Table

There are two ways to create elements for a Generic Safety Table: you can do it right in the table or in
the Containment tree. If you create an element in the Containment tree and it falls under the scope of a
Generic Safety Table, the element is automatically added to the table. If you want to create an element
right in a Generic Safety Table, follow the steps below.

68 https://docs.nomagic.com/display/MD2024xR1/Working+with+columns#Workingwithcolumns-Addingandremovingcolumns

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 104

To create an element in a Generic Safety Table

1. In a Generic Safety Table, select a table row.

2. Do one of the following:
• In the table toolbar, click to create an element of the same level as the one you have
selected.
• In the table toolbar, click to create an element nested under the selected element.
3. Type the name of the new element and press Enter.

Case study: Creating Generic Safety Table for a custom element type
You can use a Generic Safety Table to display custom element types with their properties. Let's analyze
the workflow of creating a custom Operational Situation and displaying it in a Generic Safety Table.

To create a custom Operational Situation and display it in a Generic Safety Table

1. In your model, create a Profile Diagram.

2. In the Profile Diagram, create a Class and name it, e.g., Crash Automotive Situation.
3. Apply the «OperationalSituation» stereotype to the Class.
4. In the ISO 26262 Library, find the TypicalAutomotiveSituation element and drag it to the Profile
diagram.
5. Create a Generalization relationship from the Class created in step 2
to TypicalAutomotiveSituation. Your Profile Diagram should look as displayed below.

6. Save an reload the project.

7. In the Containment tree, right-click the element you want to be the owner of a Generic Safety
Table, select Create Diagram, and select Generic Safety Table in the open dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 105

 8. When the table is created, type the name of the table, e.g., Crash Operational Situations, and press
Enter.
9. Click next to the Element Type box.
10. In the Select Element Type dialog, select OperationalSituation, and click OK.
11. Click next to the Scope box.
12. On the left side of the Select Scope dialog, select the scope element of the table, e.g., Crash
Automotive Situation, click to add the element to the selected elements area, and
click OK.
13. In the Generic Safety Table, create new elements of the custom element type defined as the
table scope, e.g., Crash Automotive Situation.
14. Add the desired columns to the table69 (by default, a Generic Safety Table has only
the Name column).

After following the above steps and defining the properties displayed in your Generic Safety Table, it
should look similar to the example below.

An example of a Generic Safety Table created for a custom Operational

Situation.

Validation Rules
To learn more about ISO 26262 Plugin validation rules, see:

• ASIL Decompose and DeriveReqt Relationships (see page 106)

• ASIL Decompose and Independence Requirement Relationships (see page 107)
• ASIL Decomposition (see page 108)
• Incompatible Types (see page 109)
• Independence Requirement and DeriveReqt Relationships (see page 110)

ASIL Decompose and DeriveReqt Relationships

Constrained Element: Functional Safety Requirement, Technical Safety Requirement, Hardware Safety
Requirement, Software Safety Requirement

69 https://docs.nomagic.com/display/MD2024xR1/Working+with+columns#Workingwithcolumns-Addingandremovingcolumns

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 106

Constrained Element Filter: Safety Requirements that have outgoing DeriveReqt and ASIL Decompose
relationships

Severity: error

Error Message: The ASIL value is incorrect due to ASIL Decompose and DeriveReqt relationships.

Abbreviation: ASILDcmpDrv

Description: Safety Requirements (Functional Safety Requirement, Technical Safety Requirement,

Hardware Safety Requirement, Software Safety Requirement) fail when the highest ASIL value defined
by outgoing DeriveReqt relationships is not equal to the ASIL value of the constrained element.

Illustration of the ASIL Decompose and DeriveReqt Relationships validation rule.

ASIL Decompose and Independence Requirement Relationships

Constrained Element: Functional Safety Requirement, Technical Safety Requirement, Hardware Safety
Requirement, Software Safety Requirement

Constrained Element Filter: Safety Requirements that have outgoing Independence Requirement and
ASIL Decompose relationships

Severity: Error

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 107

Error Message: The ASIL value is incorrect due to ASIL Decompose and Independence Requirement
relationships.

Abbreviation: ASILDcmpIndp

Description: Safety Requirements (Functional Safety Requirement, Technical Safety Requirement,

Hardware Safety Requirement, Software Safety Requirement) fail when an ASIL value is not equal to the
ASIL value from the target element.

Illustration of the ASIL Decompose and Independence Requirement

Relationships validation rule.

ASIL Decomposition
Constrained Element: Functional Safety Requirement, Technical Safety Requirement, Hardware Safety
Requirement, Software Safety Requirement

Constrained Element Filter: Two Safety Requirements that have outgoing ASIL Decompose
relationships to the same target element.

Severity: error

Error Message: The ASIL value is decomposed incorrectly.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 108

Abbreviation: ASILDecompose

Solvers: Change ASIL to [correct ASIL value]

Description: Safety Requirements (Functional Safety Requirement, Technical Safety Requirement,

Hardware Safety Requirement, Software Safety Requirement) fail when they decompose the target
element (see page 108) incorrectly.

Illustration of the ASIL Decomposition validation rule.

Incompatible Types
Constrained Element: Operational Situation, Situation

Constrained Element Filter: Base Classifier is Typical Automotive Situation or Hazardous Event for
Operational Situation; Base Classifier is Accident Scenario or Hazardous Event for Situation

Severity: error

Error Message: The types of [column name] for [failing element name] are not compatible with the
types of [column name] for [incompatible element name].

Abbreviation: IncmptblType

Solver: Change the types of [column name] to be compatible with [incompatible element name].

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 109

Description: ISO 26262 elements (Operational Situation, Accident Scenario, and Hazardous Event) fail if
they have properties with incompatible types in a hierarchy.

Independence Requirement and DeriveReqt Relationships

Constrained Element: Functional Safety Requirement, Technical Safety Requirement, Hardware Safety
Requirement, Software Safety Requirement

Constrained Element Filter: Safety Requirements that have outgoing DeriveReqt and Independence
Requirement relationships

Severity: error

Error Message: The ASIL value is incorrect due to Independence Requirement and DeriveReqt
relationships.

Abbreviation: IndpDrv

Description: Safety Requirements (Functional Safety Requirement, Technical Safety Requirement,

Hardware Safety Requirement, Software Safety Requirement) fail when the highest ASIL value defined
by outgoing DeriveReqt relationships is not equal to the ASIL value defined by an outgoing
Independence Requirement relationship.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 110

 Illustration of the Independence Requirement and DeriveReqt Relationships
validation rule.

Tracking ISO 26262 properties

You can track ISO 26262 properties in Relation Maps70. To do that, specify the relation criteria by using
the Simple Navigation operation71 which allows you to select ISO 26262 properties.

To track ISO 26262 properties

1. Create a Relation map72.

2. In the Criteria area, specify the context element73 of the relation Map.
3. In the same area, click next to the Relation Criteria box.
4. On the left side of the the Relation Criteria dialog, select the Simple Navigation operation.
5. In the Simple Navigation operation specification area, select the ISO 26262 properties you want
to track as displayed in the figure below.

70 https://docs.nomagic.com/display/MD2024xR1/Relation+Map
71 https://docs.nomagic.com/display/MD2024xR1/Using+Simple+Navigation
72 https://docs.nomagic.com/display/MD2024xR1/Creating+relation+map
73 https://docs.nomagic.com/display/MD2024xR1/Changing+the+context

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 111

 Specifying relation criteria for a Relation map to track ISO 26262
properties.

Reports
The Report Wizard74 is capable of generating reports that include data on HARA (Hazard Analysis and
Risk Assessment), Functional Safety Concept, and TARA(Threat Analysis and Risk Assessment). Once the
report is generated, it automatically opens for viewing. The HARA report presents a comprehensive
overview of identified potential hazards and their associated risks. It categorizes these hazards and
provides an analysis of the risks involved. The Functional Safety Concept report focuses on the derived
functional safety requirements. It shows how these requirements are derived from the safety goals and
demonstrates their relationships. The TARA report presents a comprehensive overview of identified
potential threats and their associated risks. It categorizes these threats and provides an analysis of the
risks involved.

To generate a report

1. In the main menu of your modeling tool, select Tools > Report Wizard.
2. Do one of the following:
• Select HARA Report Template to create a report containing HARA data and click Next.

74 https://docs.nomagic.com/display/MD2024xR1/Report+Wizard

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 112

 • Select Functional Safety Concept Report to generate a report containing functional
safety concept data and click Next.

• Select the TARA Report Template to generate a report containing TARA data and click
Next.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 113

 3. To include built-in data in the report, select Built-in and click Next.
4. Do one of the following:
• To generate a HARA report, select the packages containing HARA elements and system
functions and then click Next.
• To generate the Functional Safety Concept report, select the packages containing
Functional Safety Concept elements and then click Next.
• To generate the TARA report, select the packages containing TARA elements and then click
Next.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 114

  To learn
75
more about selecting report data, refer to the Select Element Scope
pane .

5. Configure the report file by specifying the report file location and image format. Then Click
Generate.

76
 To learn more about configuring output options, refer to the Generate Output pane .

Following are examples of the HARA, Functional Safety Concept, and TARA reports.

75 https://docs.nomagic.com/display/MD2024xR1/Select+Element+Scope+pane
76 https://docs.nomagic.com/display/MD2024xR1/Generate+Output+pane

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 115

 Example of the HARA report.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 116

 Example of the Functional Safety Concept report.

Example of the TARA report.

Customizations
You can extend the ISO 26262 library by adding new types of elements to default tables or creating new
properties for ISO 26262 elements. To learn more about different customization options, see:

• Adding new types to a HazOp Table (see page 117)

• Adding new guide words to a HazOp Table (see page 118)
• Extending ISO 26262 elements with new properties (see page 119)

Adding new types to a HazOp Table

A HazOp table supports three element types: Activity, Use Case, and Class. If you want to use a different
system function type, you can extend the default type list by using customization.

To add a new element type to a HazOp Table

1. Create a Profile Diagram.

2. In the Profile Diagram, create a Customization for adding a new element type to a HazOp Table
and name it.
3. In the model browser, find the stereotype or metaclass of the element type you want to add and
drag it to the Customization shape. Now this element type is the target of the Customization.
4. In the model browser, find the HazOp Table Element Customization and drag it to the Profile
Diagram.

 Locating HazOp Table Element Customization

HazOp Table Element Customization is an auxiliary resource. To see it in the model
browser, click and select Show Auxiliary Resources.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 117

 5. Create a Generalization relationship from the Customization created in step 2 to HazOp Table
Element Customization.
6. Save and reload the project.

Now a HazOp table supports your custom element type.

Adding new guide words to a HazOp Table

You can add new guide words to a HazOp Table as described below.

To add a guide word to a HazOp Table

1. In your model, create a Profile Diagram.

2. In the Profile Diagram, create and name a Class, e.g., NewGuideWord.
3. Apply the «MalfunctioningBehavior» stereotype to the Class.
4. In the ISO 26262 Library, find the AnyMalfunction element and drag it to the Profile diagram.
5. Create a Generalization relationship from the Class created in Step 2 to AnyMalfunction.
6. Save and reload the project.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 118

Extending ISO 26262 elements with new properties
On this page

• Case study: Adding new Value Properties (see page 119)

• Case study: Adding new Part Properties (see page 121)
• Creating tables for custom element types (see page 123)

You can extend the default ISO 26262 library by adding new properties to ISO 26262 elements. In this
chapter, you will learn how to add Value Properties and Part Properties by analyzing specific use cases.

Case study: Adding new Value Properties

You can add new Value Properties to an element by creating a custom element type with these
properties. Let's analyze the workflow of adding a custom Exposure property to an Operational
Situation. Since you cannot edit the default Operational Situation from the ISO 26262 library, you will
have to create a custom Operational Situation with a new Value property, as described below.

To add a custom Exposure property to an Operational Situation

1. In your model, create a Profile Diagram.

2. In the Profile Diagram, create a Class and name it, e.g., Crash Automotive Situation.
3. Apply the «OperationalSituation» stereotype to the Class.
4. In the ISO 26262 Library, find the TypicalAutomotiveSituation element and drag it to the Profile
diagram.
5. Create a Generalization relationship from the Class created in step 2
to TypicalAutomotiveSituation.
6. Create a Value Property for the Class and name it, e.g., crashExposure.
7. Set the Type property of the newly created Value Property to Exposure.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 119

 8. Set the Multiplicity property of the Value Property to 1.
9. Apply the «InputField» stereotype to the Value Property.
10. In the Specification window of the Value Property, select the Tags property group and set the
multiple property to false. Now your Profile Diagram should look as displayed below.

11. Save and reload the project.

You have created a new type of Operational Situation (e.g., Crash Automotive Situation) with a custom
Exposure property (e.g., crashExposure). Now you can add new columns77 for this property in an
Operational Situations Table as displayed in the following figure.

 Justification for Value Properties

When you create a new Value Property, the column for justification of that property is
automatically created as well and you can add to a table.

77 https://docs.nomagic.com/display/MD2024xR1/Working+with+columns#Workingwithcolumns-Addingandremovingcolumns

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 120

The example of an Operational Situations Table with two additional columns for
a new Value Property.

Case study: Adding new Part Properties

You can add new Part Properties to an element by creating a custom element type with these
properties. Let's analyze the workflow of adding a new Part Property with multiple values to an
Operational Situation. Since you cannot edit the default Operational Situation from the ISO 26262
library, you will have to create a custom Operational Situation with a new Part Property. In this
workflow, the Part Property is based on Operational Condition.

To add a Part property to an Operational Situation

1. In your model, create a Profile Diagram.

2. In the Profile Diagram, create a Class and name it, e.g., Crash Automotive Situation.
3. Apply the «OperationalSituation» stereotype to the Class.
4. In the ISO 26262 Library, find the TypicalAutomotiveSituation element and drag it to the Profile
diagram.
5. Create a Generalization relationship from the Class created in step 2
to TypicalAutomotiveSituation.
6. Create a Part Property for the Class, type its name followed by a colon and the name of the Part
property type, e.g., CrumpleZone:CrumpleZone.

7. Set the Multiplicity property of the Part Property to 0..*.

8. Apply the «InputField» stereotype to the Part Property.
9. Drag the Part Property from the Class created in step 2 to the diagram pane. The type of the Part
property should be automatically displayed in the diagram.
10. In the ISO 26262 Library, find the OperationalCondition element and drag it to the Profile diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 121

 11. Create a Generalization relationship from the type of the Part Property to
OperationalCondition. Now your Profile Diagram should look as displayed below.

12. Save and reload the project.

You have created a new type of Operational Situation (e.g., Crash Automotive Situation) with a custom
Part Property (e.g., CrumpleZone). Now you can add a new column for this property in an Operational
Situations Table as displayed in the following figure.

The example of an Operational Situations Table with an additional column for a

new Part Property.

 Specifying values for a new Part Property

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 122

 To specify the values of the newly created Part Property, you need to create a custom
stereotype and a Customization for that stereotype. You can find an example of such
Customization in the Functional Safety Analysis Sample.mdzip (see page 119) sample model. To
learn more about creating Customizations, see Creating Customization Data78.

Creating tables for custom element types

If you need a table to display custom elements and their properties, use a Generic Safety Table (see page
102) which allows displaying all relevant elements depending on the selected scope.

Sample model

To download the model used in the examples described on this page, click Functional Safety Analysis
Sample.mdzip (see page 119).

Systems Cybersecurity Designer

Cybersecurity engineering is a critical discipline to ensure safe and secure human experiences using
cyber-physical systems. The main challenge is to preserve trust for connected cyber systems in an
evolving digital economy increasingly threatened by unpredictable events.

Based on a system architecture, the Systems Cybersecurity Designer enables:

• Selection of Assets for protection

• Threat and Cyberattack Modeling
• Risk Evaluation
• Cybersecurity requirements creation to mitigate identified risks
The Systems Cybersecurity Designer supports the following risk assessment methodologies :

• Threat Analysis and Risk Assessment as per ISO/SAE 21434:202179

To learn more about Systems Cybersecurity Designer, refer to:

• ISO 21434 Functional Cybersecurity (see page 123)

• Concept (see page 126)
• ISO 21434 project (see page 127)
• Table (see page 129)
• Collaborative modeling (see page 247)
• Generating Cybersecurity Reports (see page 249)
• Libraries (see page 249)

ISO 21434 Functional Cybersecurity

Cybersecurity engineering is a critical discipline to ensure safe and secure human experiences using
cyber physical systems. The main challenge is to preserve trust for connected cyber systems in an
evolving digital economy increasingly threatened by unpredictable events.

78 https://docs.nomagic.com/display/MD2024xR1/Creating+Customization+Data
79 https://www.iso.org/standard/70918.html

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 123

Systems Cybersecurity Designer allows you to identify assets to be protected, threats and attacks to be
tackled, and cybersecurity requirements to mitigate identified risks. The Systems Cybersecurity
Designer supports the ISO/SAE 21434 standard80. It enables a proactive and continuous security
assessment in the initial design phase to reduce product development cost and time. Systems
cybersecurity designers are able to create a Threat Analysis and Risk Assessment (TARA) project
template to comply with the ISO/SAE 21434:2021.

The ISO/SAE 21434:2021 standard specifies engineering requirements for cybersecurity risk
management regarding the Concept, Product development, Production, Operations, and maintenance
and decommissioning of electrical and electronic (E/E) systems in road vehicles. This standard includes
the integral components and interfaces of the road vehicles. A framework includes requirements for
cybersecurity processes and a common language for communicating and managing cybersecurity risk.
It is applicable to electrical and electronic (E/E) systems of production road vehicles whose development
or modification began after the publication of ISO/SAE 21434:2021. ISO/SAE 21434:2021 does not
prescribe specific technology or solutions related to cybersecurity.

The Systems Cybersecurity Designer allows a cybersecurity designer to:

• Design a safe and secure system through a built-in scalable cyber system model, which includes
assets, weaknesses, threats, attack paths, and security requirements.
• Perform continuous threat assessment and hazard analyses to enhance design through real
world scenarios.
• Support certification needs with consistent safety and cybersecurity compliance views.
The Systems Cybersecurity Designer directly covers the following parts of the standard:

9. Concept

This chapter specifies the item with its cybersecurity goals and claims. It is composed of cybersecurity
requirements and the operational environment requirements of an item.

15. Threat analysis and risk assessment methods

This chapter specifies the methods to determine the extent to which a threat scenario can impact a
road user. These methods and their work products are known as Threat Analysis and Risk Assessment
(TARA) and are performed from the viewpoint of affected road users. The TARA steps are generic
modules that can be invoked systematically from any point in the lifecycle of an item or component.

80 https://www.iso.org/standard/70918.html

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 124

 Overview of ISO/SAE 21434:2021 standard

 Prerequisites
To install and use the Systems Cybersecurity Designer, ensure that one of the following
modeling tools is installed:
• Magic Cyber Systems Engineer
• Magic Cyber Systems of Systems Architect
• Cameo Systems Modeler - Architect Edition
• Cameo Systems Modeler - Enterprise Edition
• Cameo Enterprise Architecture
• Magic Draw (any version) with SysML plugin installed
To learn more about how to download the installation files, refer Downloading installation
files81.
To install and use the Systems Cybersecurity Designer, ensure that the following plugins are
installed in your modeling tool:
• Cameo Safety and Reliability Analyzer
• ISO 26262 plugin

81 https://docs.nomagic.com/display/NMDOC/Downloading+installation+files

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 125

 82
 The cybersecurity plugin is compliant to RAAML standard .

Concept

TARA process

TARA process
The TARA (Threat Analysis and Risk Assessment) process is described in Chapter 15 of ISO/SAE
21434:2021. It is a methodology used to identify and assess cyber security threats and vulnerabilities
beginning with the design phase of a product.

The following is the standard procedure followed in TARA:

1. Define the items you want to study. These items are components or sets of components of the
considered system.
2. For each item identify the assets to be protected and allocate CIA (Confidentiality, Integrity, and
Availability) properties for each asset.
3. Define any damage scenarios that can affect a vehicle system/function or a road user. After
identifying those damage scenarios, you need to rate their impact in terms of Safety, Financial,
Operational, and Privacy.
4. Create threat scenarios that can lead to the identified damage scenarios and rate them in terms
of feasibility. Threat scenarios that lead to an asset compromise can be described by one or
several attack paths. Each attack path is rated with an attack feasibility value.
5. Assess the risks. The risk is the probability that the threat will occur and entails the damage
scenario impact. The risk value is automatically computed based on this formula from ISO/SAE
21434:2021, Annex H: Risk = 1 + Impact x Feasibility.

82 https://www.omg.org/spec/RAAML/1.0/Beta2/About-RAAML

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 126

 6. According to the computed risk value, decide the risk treatment for each threat scenario: Retain,
Reduce, Share, or Avoid. Depending on the risk treatment decision, determine cybersecurity
claims or goals that will eventually be detailed in the cybersecurity requirements (functional,
technical, hardware, or software type).

 An Item is a part of the system architecture to be protected. An Item with a Functional

Cybersecurity Concept (output of the study) is the system architecture with additional
requirements and claims that ensures a secure system.

ISO 21434 project

• Creating ISO 21434 project (see page 127)
• ISO 21434 Project Template (see page 129)

Creating ISO 21434 project

To create a new ISO 21434 project

1. Do one of the following:

• From the File menu, select New Project from the drop-down list.

• Click Create New Project on the welcome screen.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 127

 • Press Ctrl + Shift + N.
2. In the New Project dialog, select ISO 21434 Project.

3. Specify the file name in the Name box.

4. Click the button to select the location to store the project in a folder.
5. Select the checkbox to automatically create a folder for the project in the specified location.
6. Click OK.
A new ISO 21434 project is displayed with the default packages in the Containment tree and the Index.

 Required libraries and profiles are loaded while opening the project. If required plugins are not
installed, the following Message dialog will appear:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 128

ISO 21434 Project Template
A default ISO 21434 project template is displayed once you open the project. This template is provided
to help you initiate the process.

Containment Tree

The Containment tree displays the default packages. One package, one table, and one element of each
type are provided in the Containment tree. You can add, modify or delete any element or package from
the Containment tree.

Index

The Index displays the default tables and information related to it. It also displays other elements, such
as Operational Conditions, Operation Situations, etc., at the bottom. You can navigate to the tables and
elements by clicking the icons. Only the default tables and elements are displayed in the Index. The
Index will not display any table or element created later.

Table
Learn more about tables and diagrams of the ISO 21434 project template from the following chapters:

• Item (see page 130)

• Asset (see page 138)
• Damage scenario (see page 152)
• Threat scenario (see page 182)
• TARA (see page 225)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 129

 • Functional Cybersecurity Concept (see page 239)

Item
• Creating an Item (see page 130)
• Creating an Item Table (see page 132)
• Adding an Item to the Item Table (see page 134)
• Assigning SysML Block as an Item Block (see page 136)
• Item Table Example (see page 137)

Item

Component or set of components that implements a function at the vehicle level.

Item Block

An Item Block is a part of the system that needs to be assessed with a TARA process. An Item Block is a
SysML Block.

Members

Elements that are within the item block.

Boundary Members

Elements and/or ports that connect the item with other elements.

Creating an Item
To create an Item

1. In the Containment tree, right-click Items & Assets Definition and select Create Element.

2. Do one of the following:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 130

 • In the dialog, expand ISO 21434 and select Single Block Item.

• In the search tab, type the keyword item and then select Single Block Item.

3. Name the created Item in the Containment tree. The Item has the prefix IT, which denotes that
the created element is an Item; the number 1 indicates that it is the first Item created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 131

  After creating an asset, it is beneficial to find its location in the model tree by performing one of
the following:
• Right-click the asset, and, from the shortcut menu, choose the Select in Containment
Tree command.
• Select the asset and press Alt+B.

Creating an Item Table

 If you create a new project using the ISO 21434 Project template, then an Item Table already
exists in the 2.1 Items & Assets Definition package.

To create an Item Table

1. In the Containment tree, right-click Items & Assets Definition and select Create Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 132

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Item Table.

• In the search tab, type the keyword item and then select Item Table.

The Item Table is now displayed in the diagram pane of the modeling tool.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 133

Adding an Item to the Item Table
To add a new Item to the Item Table

1. In the Item Table, click Add New. A row is added to the Item table, which shows the new Item.

2. In the newly created Item's row and in the Name column, double-click the designated cell to
name the Item.

To add an existing Item in the Item Table

1. In the Item Table, click Add Existing.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 134

 2. From the Select Single Block Item dialog, select the required Item. A row is added to the Item
table, which shows the existing Item.

3. In the existing Item's row and in the Name column, double-click the designated cell to rename
the Item.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 135

Assigning SysML Block as an Item Block
To assign SysML Block as an Item Block

• Double-click the designated cell in the Item's row and the Item Block column. In the drop-down
list, select the Item Block.

The added Item Block is now displayed in the Item Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 136

  • You can also drag and drop the SysML Block from the Containment tree to the Item
Table.
• Once you declare a SysML Block as an Item Block, a legend appears at the top left corner
of the element.

Item Table Example

In an Item Table, Members and Boundary Members columns are automatically filled based on the
Item Block definition.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 137

  References
• ISO/SAE 21434:2021 Road vehicles-Cybersecurity engineering83

Asset
• Creating an Asset (see page 138)
• Creating an Asset from a System Diagram (see page 142)
• Creating an Asset Table (see page 144)
• Adding an Asset to the Asset Table (see page 147)
• Adding an Underlying Element (see page 147)
• Adding an Underlying Element from a System Diagram (see page 149)
• Assigning CIA properties (see page 151)
• Asset Table Example (see page 152)

Asset

Asset is an object that has value or contributes to value. It has has one or more cybersecurity
properties whose compromise can lead to one or
more damage scenarios.

Confidentiality

A property that contains sensitive information that should not be disclosed to unauthorized entities.

Integrity

Guarding against improper information modification or destruction. It includes ensuring information

non-repudiation and authenticity. Quality of being complete and unaltered.

Availability

Property of being accessible and usable on demand by an authorized entity.

Creating an Asset

 An Asset must be created in the context of an Item.

To create an asset do one of the following:

• To create an Asset using an Item

1. In the Containment tree, right-click an Item and select Create Element.

83 https://www.iso.org/obp/ui/fr/#iso:std:iso-sae:21434:ed-1:v1:en

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 138

 2. In the dialog, expand ISO 21434 and select Asset.

3. Name the created Asset in the Containment tree and press Enter. The Asset has the
prefix AS, which denotes that the created element is an Asset; the number 1 indicates that it is
the first Asset created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 139

 • To create an Asset using the Item Table

1. In the Item Table, double-click to select a Member(s) or Boundary Member(s).

2. Right-click and select Security>Add an Asset to the Item.

3. Name the created Asset in the Containment tree and press Enter. The Asset has the
prefix AS, which denotes that the created element is an Asset; the number 5 indicates that it is

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 140

 the fifth Asset created.

 • If you select an already added Member(s) or Boundary Member(s) to add as an

underlying element, the Add as an Asset to the Item command will be
unavailable.

• The following notification message appears at the bottom right corner of the
modeling tool once the asset is created. The message also provides a hyperlink to
the item under which the asset is created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 141

  After creating an asset, it is beneficial to find its location in the model tree by performing
one of the following:
• Right-click the asset, and, from the shortcut menu, choose the Select in
Containment Tree command.
• Select the asset and press Alt+B.

Creating an Asset from a System Diagram

To create an asset from a system diagram

1. In the system diagram, right-click an element(s) and select Security>Add as an Asset.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 142

  Once you add a system diagram element as an asset, a legend appears at the top right
corner of the element.

2. From the Select Elements dialog, select the item you want to add an asset under and click OK.

3. Name the created Asset in the Containment tree and press Enter. The Asset has the suffix
AS, which denotes that the created element is an Asset; the number 6 indicates that it is the sixth
Asset created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 143

  • If you select an already added system diagram element(s) to add as an asset, the
Select Elements dialog will exclude the item to which the selected element was
linked earlier.
• The following notification message appears at the bottom right corner of the
modeling tool once the asset is created. The message also provides a hyperlink to
the item under which the asset is created.

Creating an Asset Table

An Asset Table is automatically created while creating an Item. An Asset Table should always be linked
to an Item to be compliant with the standard. You can also manually create an Asset Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 144

  If you create a new project using the ISO 21434 Project template, then an Asset Table already
exists in the 2.1 Items & Assets Definition package.

To create an Asset Table

1. In the Containment tree, right-click Items & Assets Definition and select Create Diagram.

 An Asset Table can be created under both Package and Item.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Asset Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 145

 • In the search tab, type the keyword asset and then select Asset Table.

The Asset Table is displayed in the diagram pane of the modeling tool.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 146

Adding an Asset to the Asset Table
To add a new Asset to the Asset Table

1. In the Asset Table, click Add New. A row is added in the Asset table, which shows the new Asset.

2. In the newly created Asset's row and in the Name column, double-click the designated cell to
name the Asset.

Adding an Underlying Element

To add an underlying element for the asset do one of the following:

• To add an Underlying Element from the Asset Table

• From the Containment tree, drag the Underlying Element and drop it in the designated cell of the
Underlying Element column and the required Asset's row.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 147

  • You can also drag and drop SysML Elements (such as Connector, port, etc.) from
the Containment tree to the Asset Table.
• To add multiple Underlying Elements in the Asset Table, hold the Ctrl key on the
keyboard to select multiple Underlying Elements from the Containment tree. Drag
and drop the selected Underlying Elements into the required cell.

• To add an Underlying Element from the Item Table

a. In the Item Table, double-click to select a Member(s) or Boundary Member(s).

b. Right-click and select Security>Add to an existing asset.

c. From the Select Elements dialog, select the Asset you want to add the underlying element
to and click OK.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 148

Adding an Underlying Element from a System Diagram
To add an Underlying Element for the asset in a system diagram

1. In the system diagram, right-click an element(s) and select Security>Add to an existing Asset.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 149

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 150
 2. From the Select Elements dialog, select the Asset you want to add the element to and click OK.

Assigning CIA properties

To assign CIA properties in the Asset Table

• Double-click each cell, namely Confidentiality, Integrity, and Availability in the Asset row.
From the drop-down list, select the CIA properties.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 151

Asset Table Example

 References
• NIST-Confidentiality84.
• Security and Privacy Controls for Information Systems and Organizations85
• Engineering Trustworthy Secure Systems86
• Engineering Trustworthy Secure Systems87

Damage scenario
• Creating a Damage Scenario (see page 153)
• Creating a Damage Scenarios Table (see page 155)
• Adding a Damage Scenario to the Damage Scenarios Table (see page 158)
• Adding a Failure (see page 159)
• Adding an Effect (see page 161)
• Adding an Operational Situation (see page 162)
• Rating SFOP Impact (see page 163)

84 https://csrc.nist.gov/glossary/term/
confidentiality#:~:text=Confidentiality%20covers%20data%20in%20storage%2C%20during%20processing%2C%20and,to%20the
%20authors%20of%20the%20linked%20Source%20publication
85 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
86 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf
87 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 152

 • Damage Scenarios Table Example (see page 165)

Damage Scenario

Adverse consequence involving a vehicle or vehicle function and affecting a road user.

Effect

Allows you to define and manage system and vehicle level effects that can result in harm.

Failure

Termination of an intended behavior of an element or an item due to a fault manifestation.

Operational Situation

A scenario that can occur during a vehicle's life.

Impact category

Impact rating is done for four categories: Safety, Financial, Operational, and Privacy. The assessment
should be done according to the definition given in ISO/SAE 21434:2021(annex F).

Impact scale

By default, the plugin adopts the scale provided in the ISO/SAE 21434:2021 standard: Negligible /
Moderate / Major or Severe.

Creating a Damage Scenario

To create a Damage Scenario

1. In the Containment tree, right-click Damage Scenario and Impact Ratings and select Create
Element.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 153

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Damage Scenario.

• In the search tab, type the keyword damage and then select Damage Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 154

 3. Name the created Damage Scenario in the Containment tree and press Enter. The Damage
Scenario has the prefix DS which denotes the created element is a Damage Scenario; the number
1 indicates that it is the first Damage Scenario created.

Creating a Damage Scenarios Table

 If you create a new project using the ISO 21434 Project template, then an Damage Scenarios
Table already exists in the 1.1 Damage Scenarios and Impact Ratings package.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 155

To create a Damage Scenario Table

1. In the Containment tree, right-click Damage Scenario and Impact Ratings and select Create
Diagram.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Damage Scenario Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 156

 • In the search tab, type the keyword damage and then select Damage Scenarios Table.

The Damage Scenarios Table is displayed in the diagram pane of the modeling tool.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 157

Adding a Damage Scenario to the Damage Scenarios Table
To add a new Damage Scenario to the Damage Scenarios Table

1. In the Damage Scenario Table, click Add New. A row is added in the Damage Scenarios Table,
which shows the new Damage Scenario.

2. In the newly created Damage Scenario's row and the Name column, double-click the designated
cell to name the Damage Scenario.

To add an existing Damage Scenario to the Damage Scenarios Table

1. In the Damage Scenarios Table, click Add Existing.

2. From the Select Damage Scenario dialog, select the required Damage Scenario. A row is added
to the Damage Scenarios Table, which shows the existing Damage Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 158

 3. In the existing Damage Scenario's row and the Name column, double-click the designated cell to
rename the Damage Scenario.

Adding a Failure
To add a Failure to the Damage Scenarios Table

1. Double-click the designated cell in the Failure column and the required Damage Scenario's row
and click .

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 159

 2. From the Select Class dialog, select Failure.

The Failure is shown in the Damage Scenarios Table.

 You can also drag and drop the Failure modes from the Containment tree to the Damage
Scenarios Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 160

Adding an Effect
To add an Effect in the Damage Scenarios Table

1. Double-click the designated cell in the Effect column and the required Damage Scenario's row
and click .

2. From the Select Class dialog, select Effect.

The Effect is shown in the Damage Scenarios Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 161

  You can also drag and drop the Effects such as Vehicle Level Effects and System Level Effects
from the Containment tree to the Damage Scenarios Table.

Adding an Operational Situation

To add an Operational Situation in the Damage Scenarios Table

1. Double-click the designated cell in the Operational Situation column and the required Damage
Scenario's row and click .

2. From the Select Class dialog, select Operational Situation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 162

 The Operational Situation is added in the Damage Scenarios Table.

 You can also drag and drop the Operation Situations from the Containment tree to the Damage
Scenarios Table.

Rating SFOP Impact

 • The Damage Scenario cannot be rated if there is no Effect associated to it.

• All the Damage Scenarios sharing the same Effect get the same impact ratings. In such
case, if you update any impact rating(s) for one Damage Scenario, the impact rating(s) for
other Damage Scenarios are updated.

To rate the SFOP Impact

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 163

 • Double-click each cell, namely Safety Impact, Financial Impact, Operational Impact, and
Privacy Impact in the Damage Scenario row. From the drop-down list, select the impact rating.

The Impact rating is done in the Damage Scenarios Table.

 The plugin behavior when you use the Effect element from the used project in your local
project:
• When you update the SFOP Impact ratings of the damage scenario, a cloned Effect
element is created in your local project and is visible in the Containment tree. The
following notification message is displayed with the cloned Effect element link at the
bottom right corner of the modeling tool.

The plugin behavior when you use the Effect element from the used project in the TWC server
project:
• When you update the SFOP Impact ratings of the damage scenario, a cloned Effect
element is created in your server project and is visible in the Containment tree. The
following notification message is displayed with the cloned Effect element link at the
bottom right corner of the modeling tool.

The plugin behavior when you use the Effect element from your own TWC server project:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 164

 • When you update the SFOP ratings of the damage scenario and the Effect element is in a
read-only state, the Effect element gets locked automatically by you.
• When you update the SFOP ratings of the damage scenario and the Effect element is
locked by another user, the following notification is displayed with the locked Effect
element link at the bottom right corner of the modeling tool.

Damage Scenarios Table Example

 References
• ISO 26262-1:2018 Road vehicles-Functional safety88
• Tables and diagrams (see page 60)

Failure Mode
• Creating a Failure Mode (see page 165)
• Adding Failure Mode to the Failure Modes Table (see page 168)
• Adding Relevant To in the Failure Modes Table (see page 170)

Creating a Failure Mode

To create a Failure Mode

1. In the Containment tree, right-click Damage Scenario and Impact Ratings and select Create
Element.

88 https://www.iso.org/obp/ui

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 165

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Failure Mode.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 166

 • In the search tab, type the keyword failure and then select Failure Mode.

3. Name the created Failure Mode in the Containment tree and press Enter.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 167

 Adding Failure Mode to the Failure Modes Table
To add a new Failure Mode to the Failure Modes Table

1. In the Failure Modes Table, click Add New. A row is added in the Failure Modes Table, which
shows the new Failure Mode.

2. Select between the FailureMode and MalfucntioningBehavior.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 168

 3. In the newly created Failure Mode's row and the Name column, double-click the designated cell
to name the Failure Mode.

To add an existing Failure Mode to the Failure Modes Table

1. In the Failure Modes Table, click Add Existing.

2. From the Select Failure Mode dialog, select the required Failure Mode. A row is added to the
Failure Modes Table, which shows the existing Failure Mode.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 169

 3. In the existing Failure Mode's row and the Name column, double-click the designated cell to
rename the Failure Mode.

Adding Relevant To in the Failure Modes Table

To add Relevant To

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 170

 1. Double-click the designated cell in the Relevant To column and the required Failure Mode's row
and click .

2. From the Select Elements dialog, select Relevant To.

The Relevant To is added to the Failure Modes Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 171

Effect
• Creating an Effect (see page 172)
• Adding Effects to the Effects Table (see page 174)
• Adding Relevant Element in the Effects Table (see page 175)

Creating an Effect
To create an Effect

1. In the Containment tree, right-click Damage Scenario and Impact Ratings and select Create
Element.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Vehicle Level Effect or System Level Effect.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 172

 • In the search tab, type the keyword effect and then select Vehicle Level Effect or System
Level Effect.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 173

 3. Name the created Effect in the Containment tree and press Enter.

Adding Effects to the Effects Table

Using the Effects Table you can only add nested Effects.

To add an Effects

1. In the Effects Table, select an Effect and then click Add Nested. A row is added in the Effects
Table, which shows the nested Effect.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 174

 2. In the newly created Effect's row and the Name column, double-click the designated cell to name
the Effect.

Adding Relevant Element in the Effects Table

To add Relevant To

1. Double-click the designated cell in the Relevant Element column and the required Effect's row
and click .

2. From the Select Elements dialog, select Relevant Element.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 175

 The Relevant Element is added to the Effects Table.

Operational Situation
• Creating an Operational Situation (see page 177)
• Adding Operational Situation to the Operational Situations Table (see page 179)
• Adding Operational Situation's parameters to the Operational Situations Table (see page 180)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 176

 Creating an Operational Situation
To create an Operational Situation

1. In the Containment tree, right-click Damage Scenario and Impact Ratings and select Create
Element.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Operational Situation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 177

 • In the search tab, type the keyword operational and then select Operational Situation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 178

 3. Name the created Operational Situation in the Containment tree and press Enter.

Adding Operational Situation to the Operational Situations Table

Using the Operational Situations Table you can only add nested Operational Situations.

To add an Operational Situation

1. In the Operational Situations Table, select an Operational Situation and then click Add Nested. A
row is added in the Operational Situations Table, which shows the nested Operational Situation.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 179

 2. In the newly created Operational Situation's row and the Name column, double-click the
designated cell to name the Effect.

Adding Operational Situation's parameters to the Operational Situations Table

To add Operational Situation's parameters to the Operational Situations Table

1. Double-click the designated cell in the Vehicle Usage column and the required Operational
Situation's row and click .

2. From the Select Elements dialog, select the Vehicle Usage.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 180

 The Vehicle Usage is added to the Operational Situations Table.

All other Operational Situation parameters are added to the Operational Situations Table using
the same procedure.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 181

Threat scenario
• Creating a Threat Scenario (see page 182)
• Creating a Threat Scenario Table (see page 184)
• Adding a Threat Scenario to the Threat Scenario Table (see page 187)
• Creating a custom threat type (see page 189)
• Creating custom packages for custom-created threat types (see page 190)
• Creating subcategory for the custom-created threat type (see page 191)
• Adding a Threat Type (see page 194)
• Adding an Attack Path (see page 195)
• Adding a Failure (see page 196)
• Adding an Impacted Asset (see page 198)
• Threat Scenario Table Example (see page 200)

Threat Scenario

Potential cause of compromise of cybersecurity properties of one or more assets in order to realize a
damage scenario.

Attack Path

Set of deliberate actions to realize a threat scenario.

Failure

Termination of an intended behavior of an element or an item due to a fault manifestation.

Creating a Threat Scenario

To create a Threat Scenario

1. In the Containment tree, right-click Threat Scenario and select Create Element.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 182

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Threat Scenario.

• In the search tab, type the keyword threat and then select Threat Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 183

 3. Name the created Threat Scenario in the Containment tree and press Enter. The Threat Scenario
has the prefix DS, which denotes that the created element is a Threat Scenario; the number 1
indicates that it is the first Threat Scenario created.

Creating a Threat Scenario Table

 If you create a new project using the ISO 21434 Project template, then a Threat Scenario
Table already exists in the 1.2 Threat Scenarios package.

To create a Threat Scenario Table

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 184

 1. In the Containment tree, right-click Threat Scenario and select Create Diagram.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Threat Scenario Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 185

 • In the search tab, type the keyword threat and then select Threat Scenario Table.

The Threat Scenario Table is now displayed in the diagram pane of the modeling tool.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 186

Adding a Threat Scenario to the Threat Scenario Table
To add a new Threat Scenario to the Threat Scenario Table

1. In the Threat Scenario Table, click Add New. A row is added in the Threat Scenario Table, which
shows the new Threat Scenario.

2. In the newly created Threat Scenario's row and the Name column, double-click the designated
cell to name the Threat Scenario.

To add an existing Threat Scenario to the Threat Scenario Table

1. In the Threat Scenario Table, click Add Existing.

2. From the Select Threat Scenario dialog, select the required Threat Scenario. A row is added to
the Threat Scenario Table, showing the existing Threat Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 187

 3. In the existing Threat Scenario's row and the Name column, double-click the designated cell to
rename the Threat Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 188

Creating a custom threat type
To create a custom threat type

1. Create a general threat scenario as defined in the Threat scenario (see page 182) section.
2. Open the Specification dialog of the newly created threat scenario in the Expert mode.
3. Set the Is Abstract property to True.

The newly created threat scenario will now be displayed in italics in the Containment tree and will
be available under the custom package in the Select Threat Type dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 189

  Threat Types are displayed by default in the TARA analysis as Threat Scenarios. To prevent that,
you must create the Threat Types in a dedicated package or library.

Creating custom packages for custom-created threat types

You can group the custom-created threat types by creating custom packages and placing them under
the custom packages. To create a new package, you must create a generalization set of the required
custom threat types. To learn more about creating a generalization set, refer to Generalization set89.

89 https://docs.nomagic.com/display/MD2024xR1/Generalization+set

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 190

 Select Threat Type dialog showing the custom threat types places under the custom created packages.

The following example displays a typical scenario in which a generalization set can be created.

Generalization set example.

Creating subcategory for the custom-created threat type

You can also create subcategories of the custom-created threat types. Doing so will create a nesting
effect in the Select Threat Type dialog.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 191

 Select Threat Type dialog showing the nesting effect due to subcategorization of the threat types.

To create subcategories of the custom-created threat type

1. In the Specification dialog of the newly created threat Type, click in the Base
Classifier property.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 192

 2. Select any parent threat type under which you want to place the newly created custom threat
type.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 193

Adding a Threat Type
To add a Threat Type

1. Double-click the designated cell in the Threat Type column and the required Threat Scenario's
row and click .

2. From the Select Threat Type dialog, select a threat type(s) from either the STRIDE90or
UNECE91package. You can also select a custom-created threat type.

The Threat Type will be added to the Threat Scenarios Table.

90 https://en.wikipedia.org/wiki/STRIDE_%28security%29
91 https://unece.org/sites/default/files/2023-02/R155e%20%282%29.pdf

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 194

Adding an Attack Path

 You can add multiple attack paths for a given Threat Scenario.
To add an Attack Path

1. Double-click the designated cell in the Attack Path column and the required Threat Scenario's
row and click .

2. From the Select Elements dialog, select Attack Path.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 195

 The Attack Path is added to the Threat Scenario Table.

 • You can also drag and drop the Attack Paths from the Containment tree to the Threat
Scenario Table.
• The Aggregated Attack Feasibility Rating is added automatically after you add the Attack
Path.

Adding a Failure
To add a Failure

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 196

 1. Double-click the designated cell in the Failure column and the required Threat Scenario's row
and click .

2. From the Select Class dialog, select Failure.

The Failure is now shown in the Threat Scenario Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 197

  You can also drag and drop the Failure modes from the Containment tree to the Threat
Scenario Table.

Adding an Impacted Asset

 You can add multiple Impacted Assets for a given Threat Scenario.
To add an Impacted Asset

1. Double-click the designated cell in the Impacted Asset column and the required Threat
Scenario's row and click .

2. From the Select Element dialog, select Impacted Asset.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 198

 The Impacted Asset is added to the Threat Scenario Table.

 You can also drag and drop the Impacted Assets from the Containment tree to the Threat
Scenario Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 199

Threat Scenario Table Example

 The maximum value among all the attacks paths for the given threat scenario is considered as
the Aggregated Attack Feasibility Rating.

 References
• ISO/SAE 21434:2021 Road vehicles-Cybersecurity engineering92
• ISO 26262-1:2018 Road vehicles-Functional safety93

Manual Attack Path

• Creating a Manual Attack Path (see page 201)
• Creating a Manual Attack Path Table (see page 203)
• Adding a Manual Attack Path to Manual Attack Path Table (see page 205)
• Adding Attack Path Steps (see page 207)
• Adding an Attack Feasibility Rating (see page 209)
• Manual Attack Path Table Example (see page 211)

Attack Path

Set of deliberate actions to realize a threat scenario.

Attack Path Steps

Enumerate each step needed to perform the threat scenario.

Attack Feasibility Rating

An attribute of an attack path describes the ease of successfully carrying out the corresponding set of
actions. By default, the ISO/SAE 21434:2021 rating scale is used.

92 https://www.iso.org/obp/ui/fr/
93 https://www.iso.org/obp/ui/fr/

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 200

 Creating a Manual Attack Path

 A Manual Attack Path refers to the manual way of describing and rating the feasibility of attack
paths. It does not refer to potential based attacks or CVSS methodologies.

To create a Manual Attack Path

1. In the Containment tree, right-click Attack Paths and Feasibility Ratings and select Create
Element.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Manual Attack Path.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 201

 • In the search tab, type the keyword attack and then select Manual Attack Path.

3. Name the created Manual Attack Path in the Containment tree and press Enter. The Manual
Attack Path has the prefix AP, which denotes that the created element is a Manual Attack Path;
the number 1 indicates that it is the first Manual Attack Path created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 202

 Creating a Manual Attack Path Table

 If you create a new project using the ISO 21434 Project template, then a Manual Attack Paths
table already exists in the 1.3 Attack Paths and Feasibility Ratings package.

To create a Manual Attack Path Table

1. In the Containment tree, right-click Attack Paths and Feasibility Ratings and select Create
Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 203

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Manual Attack Path Table.

• In the search tab, type the keyword attack and then select Manual Attack Path Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 204

 The Manual Attack Table is displayed in the diagram pane of the modeling tool.

Adding a Manual Attack Path to Manual Attack Path Table

To add a new Manual Attack Path to the Manual Attack Path Table

1. In the Manual Attack Path Table, click Add New. A row is added in the Manual Attack Path Table,
which shows the new Manual Attack Path.

2. In the newly created Manual Attack Path's row and the Name column, double-click the
designated cell to name the Manual Attack Path.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 205

To add an existing Manual Attack Path to the Manual Attack Path Table

1. In the Manual Attack Path Table, click Add Existing.

2. From the Select Attack Path dialog, select the required Manual Attack Path. A row is added to
the Manual Attack Path Table, which shows the existing Manual Attack Path.

3. In the existing Manual Attack Path's row and the Name column, double-click the designated cell
to rename the Manual Attack Path.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 206

 Adding Attack Path Steps
To add Attack Path Steps to the Manual Attack Path Table

1. Double-click the designated cell in the Attack Path Steps column and the required Manual
Attack Path's row and click .

2. From the Select Situation dialog, select Attack Path Steps.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 207

 The Attack Path Steps now shown in the Manual Attack Path Table.

 • You can also drag and drop the Attack Path Step from the Containment tree to the
Threat Scenario Table.
• You can move the Attack Path Steps in the Select Situation dialog by clicking Up or
Down.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 208

 Adding an Attack Feasibility Rating
To rate the Attack Feasibility

• Double-click the cell in the Manual Attack Path's row and from the drop-down list, select Attack
Feasibility Rating.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 209

 The Attack Feasibility Rating is now shown in the Manual Attack Path Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 210

 Manual Attack Path Table Example

 References
ISO/SAE 21434:2021 Road vehicles-Cybersecurity enginee94r

Attack Potential Based Attack Path

• Creating an Attack Potential Based Attack Path (see page 211)
• Creating an Attack Potential Based Attack Path Table (see page 213)
• Adding an Attack Potential Based Attack Path to the Attack Potential Based Attack Path Table (see
page 215)
• Adding Attack Path Steps (see page 215)
• Rating the Potential Attack core parameters (see page 215)

Attack Potential based method is supported by the ISO/IEC 18045 standard.

Creating an Attack Potential Based Attack Path

To create an Attack Potential Based Attack Path

94 https://www.iso.org/obp/ui/fr/

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 211

 1. In the Containment tree, right-click Attack Paths and Feasibility Ratings and select Create
Element.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Attack Potential Based Attack Path.

• In the search tab, type the keyword attack and then select Attack Potential Based Attack
Path.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 212

 3. Name the created Attack Potential Based Attack Path in the Containment tree and press Enter.
The Attack Potential Based Attack Path has the prefix AP, which denotes that the created
element is an an Attack Path (Manual or Potential-Based); the number 1 indicates that it is the
first Attack Path (Manual or Potential-Based) created.

Creating an Attack Potential Based Attack Path Table

 If you create a new project using the ISO 21434 Project template, then a Attack Potential
Based Attack Path table already exists in the 1.3 Attack Paths and Feasibility
Ratings package.

To create an Attack Potential Based Attack Path Table

1. In the Containment tree, right-click Attack Paths and Feasibility Ratings and select Create
Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 213

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Attack Potential Based Attack Path Table.

• In the search tab, type the keyword attack and then select Attack Potential Based Attack
Path Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 214

 The Attack Potential Based Attack Path Table is displayed in the diagram pane of the
modeling tool.

Adding an Attack Potential Based Attack Path to the Attack Potential Based Attack Path Table
Adding a new or existing Attack Potential Based Attack Path to the Attack Potential Based Attack Path
Table is the same as adding a new or existing Manual Attack Path to the Manual Attack Path Table. To
learn more about adding a Manual Attack Path to the Manual Attack Path Table, refer to Manual Attack
Path (see page 200).

Adding Attack Path Steps

Attack path steps in an Attack Based Potential Attack Path table are added in the same as they are
added in a Simple Attack Path table. To learn more about adding attack path steps in a Simple Attack
Path table, refer to Manual Attack Path (see page 200).

Rating the Potential Attack core parameters

To rate the Potential Attack core parameters

• Double-click each cell's column namely Elapsed Time, Specialist Expertise, Knowledge of
Item/Component, Window of Opportunity, and Equipment in the Attack Based Potential
Attack Path's row and select the required option from the drop-down list.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 215

  The Attack Feasibility Rating is calculated with help of core parameters viz. Elapsed Time,
Specialist Expertise, Knowledge of Item/Component, Window of Opportunity, and Equipment.
Each parameter has different grading system which has a numerical value assigned to it. These
numerical values are based on the ISO/IEC 18045 standard.
The following table shows the assigned numerical values to each parameter.

The numerical values are added together to calculate the Attack Feasibility Rating. Following is
the formula used to calculate the Attack Feasibility Rating.
• Attack Feasibility Rating = Elapsed Time + Specialist Expertise+ Knowledge of Item/
Component+ Window of Opportunity+ Equipment
The following table shows the numerical values assigned to the Attack Feasibility Rating.

Attack Path Step

An Attack Path Step is elementary action performed on the system component and could be reused in
several threat scenarios.

Creating an Attack Path Step

To create an Attack Path Step

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 216

 1. In the Containment tree, right-click Attack Paths and Feasibility Ratings and select Create
Element.

2. Do one of the following:

• In the dialog, expand ISO 21434 and select Attack Path Step.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 217

 • In the search tab, type the keyword attack and then select Attack Path Step.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 218

 3. Name the created Attack Path Step in the Containment tree and press Enter.

Cyber Security Attack Graph

• Creating a Cyber Security Attack Graph Diagram (see page 219)
• Adding an Attack Path Step in the Attack Graph (see page 221)
• Creating a Causality Relation between Attack Path Steps (see page 222)
• Generating an Attack Path from the Attack Graph (see page 223)

Creating a Cyber Security Attack Graph Diagram

To create a Cyber Security Attack Graph Diagram

1. In the Containment tree, right-click any required package and select Create Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 219

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Cyber Security Attack Graph Diagram.

• In the search tab, type the keyword graph and then select Cyber Security Attack Graph
Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 220

 The Cyber Security Attack Graph Diagram is displayed in the diagram pane of the modeling
tool.

Adding an Attack Path Step in the Attack Graph

To add a new Attack Path Step in the Attack Graph

• From the diagram palette, select Attack Path Step and click on the diagram pane. Name the
created Attack Path Step.

To add an existing Attack Path Step, CWE Element, or any Situation in the Attack Graph

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 221

 • Drag the required Attack Path Step, CWE Element, or any Situation from the Containment tree
and drop it in the diagram pane.

Creating a Causality Relation between Attack Path Steps

To create a Causality Relation between Attack Path Steps

• Do one of the following:

• Click the attack path step to open the Smart Manipulator toolbar95, select the Causality
relationship, and create a relationship. To learn more about creating relationships, refer to
Creating a relationship96

• From the diagram palette, select the Causality command and then select the required
attack path steps.

95 https://docs.nomagic.com/display/MD2024xR1/Smart+manipulator+toolbar
96 https://docs.nomagic.com/display/MD2024xR1/Creating+a+relationship

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 222

An arrow icon is displayed in the graph which denotes that causality relation is created.

Generating an Attack Path from the Attack Graph

To generate an Attack Path from the Attack Graph

1. In the attack graph, select the two required attack steps by holding down the Shift key. The
selected attack paths are considered as two ends of an attack path.
2. Right-click and select the Generate Attack Paths command.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 223

 3. In the Select Attack Paths dialog, select the required attack path from the list of available attack
paths and click OK.

 Loops present in the attack graph are eliminated while calculating the attack path(s).

4. In the Select Destination Package dialog, select the package to save the generated attack path(s).

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 224

  • After generation of an Attack Path, if Attack Graph changes in such a way that the
path is not valid anymore, a validation rule is triggered and an error occurs. You
can fix the error from the Attack Path, but in such case, the path will not be linked
to the graph anymore. Also, no further errors will be reported on that Attack Path
if the graph is further modified.
• The generated attack path(s) are manual attack paths.

TARA
• Creating a TARA Table (see page 226)
• Adding Threat Scenarios (see page 228)
• Assigning Risk Treatment Decision (see page 230)
• Adding Cybersecurity Goal (see page 230)
• Adding Controls (see page 233)
• Adding Claim (see page 238)

The TARA table gathers all elements that have been modeled in the previous steps and gives a global
overview of the threat scenario that has to be mitigated, retained, shared, or avoided. The risk value is
automatically calculated according to the ISO/SAE 21434:2021 standard.

Cybersecurity Risk

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 225

An effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and
impact.

Cybersecurity Control

A measure that is modifying risk.

Cybersecurity Claim

A statement about a risk.

Cybersecurity Goal

A concept-level cybersecurity requirement associated with one or more threat scenarios.

Creating a TARA Table

 If you create a new project using the ISO 21434 Project template, then a TARA table already
exists in the 1.4 Risk Treatment and Cybersecurity Control package.

To create a TARA Table

1. In the Containment tree, right-click Risk Treatment and Cybersecurity Control and
select Create Diagram.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 226

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select TARA Table.

• In the search tab, type the keyword TARA and then select TARA Table.

The TARA Table is displayed in the diagram pane of the modeling tool.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 227

Adding Threat Scenarios
To add Threat Scenarios to the TARA Table

1. In the TARA Table, click Add Existing.

2. From the Select Threat Scenario dialog, select the required Threat Scenario.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 228

 A row is added to the TARA Table, which shows the existing Threat Scenario.

 • Threat Type, Impacted Asset, and Damage Scenarios are automatically added to
the TARA Table based on the Damage Scenario Table and Threat Scenarios Table.
The association between Threat Scenarios and Damage Scenarios tables is done
through failure. The Damage Scenarios which have the same Failure Modes as a
given Threat Scenario are taken into account for Risk Values computation.
• The risk values are automatically computed according to ISO/SAE 21434:2021
standard. Risk values are read-only values.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 229

Assigning Risk Treatment Decision
To assign Risk Treatment Decision

• Double-click the cell in the Risk Treatment Decision column and the required Threat
Scenario's row. From the drop-down list, assign Risk Treatment Decision.

The Risk Treatment Decision is assigned in the TARA Table.

 If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the
cybersecurity goals and controls are not required.

Adding Cybersecurity Goal

To add a Cybersecurity Goal to the TARA Table

1. Double-click the designated cell in the Cybersecurity Goals column and the required Threat
Scenario's row and click .

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 230

 2. From the Select Element dialog, select Cybersecurity Goal.

The Cybersecurity Goal is added to the TARA Table.

3.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 231

  • You can also add a safety goal from another project (HARA analysis) as a cybersecurity
goal. Doing this will create a clone of the safety goal in your project. To add a safety goal
as a cybersecurity goal, follow the same procedure as defined above.
• If the ASIL value of the safety goal is inconsistent with the Safety Risk Value of the threat
scenario, a validation rule is triggered and the particular row is displayed in red. You can
view the error message in the Active Validation Results pane.
• You can mitigate the error by making the ASIL value and the Safety Risk Value consistent
with each other.

To Generate/Synchronize the Cybersecurity Goals to the TARA Table

• Right-click the threat scenario in the TARA table and select Generate/Synchronize
Cybersecurity Goals.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 232

  • The cybersecurity goal is autogenerated based on the following formula:
• [Asset Name] of the [Item] shall be protected against [Threat type]
• If you add an item, asset or a threat type for a threat scenario, the
command autogenerates a cybersecurity goal.
• If you update an item, asset or a threat type for a threat scenario, the command
synchronizes the autogenerated cybersecurity goal. Following are the two scenarios in
which synchronization happens:
• If you rename an item, asset or a threat type, then the existing autogenerated
cybersecurity goal is renamed.
• If you add/remove an item, asset or a threat type, then an autogenerated
cybersecurity goal is added/removed.

Adding Controls
To add Controls to the TARA Table

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 233

 1. Double-click the designated cell in the Controls column and the required Threat Scenario's row
and click .

2. From the Select Elements dialog, select Controls.

The Controls are added to the TARA Table.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 234

  Controls are a list of Cybersecurity Requirements. There are 4 types of Cybersecurity
Requirements: Functional, Technical, Hardware, and Software.

To ease the process of adding controls, the plugin provides a feature to add the controls with the aid of
the Recommend Control command. The controls are recommended on the basis of assigned
cybersecurity goals and CWE elements used as attack path steps.

To add controls using the Recommend Control command to the TARA Table

1. Right-click the threat scenario in the TARA table and select Recommended Control, as follows:

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 235

 2. From the Select Elements dialog, select or remove the recommended controls.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 236

  For requirements to be reflected as recommended controls in the Select Elements
dialog, either of these conditions should be satisfied:
• A Threat scenario should have assigned cybersecurity goals with all the derived
requirements.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 237

 • A Threat Scenario should have an Attack Path, which itself has a step, which is
either a CWE or a Technique. In such case, if the CWE or Technique has a
Recommendation from a Cybersecurity Requirement, then that requirement will
be automatically proposed by Recommend control command.

The recommended controls are added to the TARA Table.

Adding Claim
To add a Claim to the TARA Table

• Double-click the cell in the Claims column and the required Threat Scenario's row and type in the
necessary Claim.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 238

  If the risk treatment decision is Retain, adding a claim is mandatory. In those cases, the
cybersecurity goals and controls are not required and cannot be specified.

 Due to some performance reason, the claim does not appear in the containment tree
directly after specifying it in the claim's cell. You must save the project to see the claims
in the containment tree under the smart package 2.3 Cybersecurity Claims.

TARA Table Example

 • The Safety, Financial, Operational, Privacy risk values are calculated automatically by
using following formula:
• Risk Value = 1 + Maximum(Impact) * Aggregated Attack Feasibility Rating

• The maximum value among all the risk values viz. Safety, Financial, Operational, Privacy
is considered as the Global Risk Value.

Functional Cybersecurity Concept

• Deriving Cybersecurity Requirements (see page 240)

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 239

 • Creating a Cybersecurity Goal (see page 240)
• Creating a Cybersecurity Requirement (see page 243)
• Functional Cybersecurity Concept Table (see page 246)

A Cybersecurity Requirement Diagram displays cybersecurity goals, cybersecurity requirements, and

their relations. The main purpose of this diagram is to create requirements that cover the goals defined
in TARA.

Deriving Cybersecurity Requirements

Cybersecurity Requirements are derived from Cybersecurity Goals defined in a TARA table. You can use
the Cybersecurity Requirement Diagram to derive four types of Cybersecurity Requirements:
Functional, Technical, Software, and Hardware.

To derive a Cybersecurity Requirement

1. From the Index page, open the Functional Cybersecurity Concept.

2. Find the Cybersecurity Goal you want to derive the Cybersecurity Requirement from and drag it
to the diagram.
3. Create the Cybersecurity Requirement you want to derive by clicking it in the diagram palette and
clicking an empty space on the diagram pane.
4. Name the created Cybersecurity Requirement and write the required text.
5. Create a derived relationship from the Cybersecurity Requirement to the Safety Goal as
displayed below.

Creating a Cybersecurity Goal

To create a Cybersecurity Goal

1. In the Containment tree, right-click Functional Cybersecurity Concept and select Create
Element.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 240

 2. Do one of the following:
• In the dialog, expand ISO 21434 and select Cybersecurity Goal.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 241

 • In the search tab, type the keyword goals and then select Cybersecurity Goal.

3. Name the created Cybersecurity Goal in the Containment tree. The cybersecurity goal has the
prefix CG, which denotes that the created element is cybersecurity goals; the number 1 indicates
that it is the first cybersecurity goal created.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 242

  You can also create a Cybersecurity Goal in the Cybersecurity Goal Table or by using the
diagram panel.

Creating a Cybersecurity Requirement

To create a Cybersecurity Requirement

1. In the Containment tree, right-click Functional Cybersecurity Concept and select Create
Element.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 243

 2. Do one of the following:
• In the dialog, expand ISO 21434. From the drop-down list, choose one of the following:
• Functional Cybersecurity Requirement
• Hardware Cybersecurity Requirement
• Software Cybersecurity Requirement
• Technical Cybersecurity Requirement

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 244

 • In the search tab, type the keyword goals and then select the required Cybersecurity
Requirement.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 245

 3. Name the created Cybersecurity Requirement in the Containment tree.

 You can also create a cybersecurity requirement in the cybersecurity requirement tables.

Functional Cybersecurity Concept Table

The Functional Cybersecurity Concept Table provides an overview of goals & requirements to be
implemented to secure assets.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 246

Collaborative modeling
Team members can individually develop separate parts of a single model and then merge them
together to form a complete model. In comparison to individual modeling, collaborative modeling is
more effective and produces better results because each member employs his/her best skills and
experience.

We offer you a server for your team's collaboration – Teamwork Cloud97, and collaboration capabilities
powered by 3DEXPERIENCE platform98.

Both servers provide a repository for storing projects and users. They also support the management of
users' permissions as well as sharing and versioning projects.

Projects stored in the server repository can be accessed through the network from multiple clients who
have MagicDraw or any Cameo Suite product installed. Different users, depending on their role in a
team or enterprise, can have different permissions to the projects.

The same model or even the same diagram can be accessed and modified in parallel. Every user may
instantly obtain the newest version of the model as well as commit his/her own changes.

Basic concepts
For better understanding further material, get acquainted with basic concepts of collaborative
modeling.

Concept Description

A place for storing projects and users managed by Teamwork Cloud.

Repository

97 https://docs.nomagic.com/display/MD2024xR1/Using+Teamwork+Cloud
98 https://docs.nomagic.com/display/MD2024xR1/Collaboration+powered+by+3DEXPERIENCE+platform

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 247

 Concept Description

A collaboration team member, who has credentials to log into

User Teamwork Cloud and holds permissions to access one or more server
projects.

A project stored in Teamwork Cloud repository.

Teamwork Cloud project

A common name for Teamwork Cloud projects.

Server project

A snapshot of a project at a particular point in time. A new version of a

Version project is created after successful commit of changes made in this
project. All versions of the same project have unique numbers.

An optional description about changes in a project version.

Comment

Information about the status of a project version (for example,

Tag approved or initially tested) or other.

A process of sending the changes made in the project to the server.

Commit Each commit creates a new project version.

A user who has committed a particular project version.

Author

A process of getting from the server the latest version of a project you
Update are working with.

A concept for grouping projects in a Teamwork Cloud repository.

Category

A part of the model that can be edited by the user, who has locked it.
Locked item Other users cannot edit locked items. The locks can be released
during the commit of a new version.

Another server project used in the project you are working with. It can
Server project usage be a library, profile or regular project.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 248

 Concept Description

A duplicate of a server project version. Branching allows the users to

Branch work in parallel on the same project version.

A permanent branch of a server project that is a base for all other

Trunk branches. It cannot be deleted.

Scenario to get started

Independent of what server your team or enterprise uses, we offer you to follow these steps to get
started with collaborative modelling:

1. Obtain user's credentials.

 Creating users and deciding the access rights of the users against projects is an
administrative task. For more information, see Teamwork Cloud User Guide (see page 247).

2. Log into a server.

3. Add a project to the server and/or open it.
4. Lock the elements you want to edit (to prevent other users could not change the elements you
are working with) and edit them.

99
 You can skip this step if you are working in the Lock-Free Editing mode .
5. Edit these elements and/or create new ones.
6. Commit the changes to the server so that other users could see these modifications.

Generating Cybersecurity Reports

The cybersecurity reports are generated using the Report Wizard100. The report template used for
generating the cybersecurity reports is the TARA Report Template. To learn more about how to
generate the cybersecurity reports, refer to the Reports (see page 112) page.

Libraries
You can import multiple libraries in the Systems Cybersecurity Designer plugin instead of creating
elements. All imported libraries are treated as used projects in your current project.

Adding a library to the project

To add a library to the project

99 https://docs.nomagic.com/display/MD2024xR1/Using+Lock-Free+Editing+mode
100 https://docs.nomagic.com/display/MD2024xR1/Report+Wizard

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 249

 • In the Containment tree, right-click Model> Security and then select the required library.

 If you click on any element in the library, you will be redirected to the web page of the
respective element.

MITRE CWE Library

The addition of the MITRE CWE Library adds a package to the Containment tree. The MITRE CWE Library
contains two sub-packages: Common Weakness Enumeration and Functional Cybersecurity
Requirements. The Common Weakness Enumeration package contains a list of weaknesses. Each
weakness contains a hyperlink that redirects you to the CWE definition web page. The Functional
Cybersecurity Requirements package contains the requirements to mitigate the weakness. These
requirements are segregated with the help of sub-packages based on the type of requirement.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 250

 MITRE Library present in the Containment tree.

MITRE ATT&CK Enterprise Technique Library

The addition of MITRE ATT&CK Enterprise Technique Library adds two packages to the Containment
tree: MITRE ATT&CK Enterprise Technique Library and MITRE ATT&CK Platforms Library. The MITRE
ATT&CK Enterprise Technique Library package contains sub-packages which contain enterprise
mitigation, tactics and techniques. The MITRE ATT&CK Platforms Library contains the platforms through
which the attacks can take place.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 251

 MITRE ATT&CK Enterprise Technique Library present in the Containment tree.

MITRE ATT&CK ICS Technique Library

The addition of MITRE ATT&CK ICS Technique Library adds a package to the Containment tree. The
MITRE ATT&CK ICS Technique Library package contains sub-packages which contain ICS mitigation,
tactics and techniques.

MITRE ATT&CK ICSTechnique Library present in the Containment tree.

NIST Control Library

The addition of the NIST Control Library adds a package to the Containment tree. The NIST Control
Library package contains a sub-package that lists the cyber security requirements.

NIST Control Library present in the Containment tree.

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 252

Index

U
Unrestored-unknown-attachment 70, 75, 82, 90

Copyright © 1998 – 2024 No Magic, Incorporated, a Dassault Systèmes company. 253