Basic STPA Exercises. Dr. John Thomas

Transcription

1 Basic STPA Exercises Dr. John Thomas

2 Chemical Plant Goal: To produce and sell chemical X What (System): A chemical plant (production), How (Method): By means of a chemical reaction, a catalyst,. CATALYST Early Concept REACTOR

3 System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 11

4 Goal: To produce and sell chemical X What (System): A chemical plant, How (Method): By means of a chemical reaction, a catalyst,. STPA Accidents (Mishaps) A-1: People exposed to chemicals A-2: People physically injured (e.g. explosion) A-3: Production loss Etc. Hazards H-1: Plant releases toxic chemicals (e.g. to air, ground, etc.) [A-1] H-2: Overpressurization of plant equipment [A-1, A-2, A-3] H-3: Plant is unable to produce chemical X [A-3] Etc.

5 STPA Accidents (Mishaps) A-1: People exposed to chemicals A-2: People physically injured (e.g. explosion) A-3: Production loss Etc. Hazards H-1: Plant releases toxic chemicals (e.g. to air, ground, etc.) [A-1] H-2: Overpressurization of plant equipment [A-1, A-2, A-3] H-3: Plant is unable to produce chemical X [A-3] Etc. STPA Safety Constraints SC-1: Toxic chemicals must be contained within plant equipment [H-1] SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] SC-3: If toxic chemicals are not contained, damage must be mitigated [H-1] Etc.

6 CATALYST Early Concept STPA Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] REACTOR How can we enforce SC-2? How to keep pressure, temperature within limits?

7 CATALYST Early Concept REACTOR Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] SC-2.1: Reactor temperature must not exceed X [H-2] SC-2.2: Reactor pressure must not exceed Y [H-2] Etc. Use Safety Constraints to refine the concept, make design decisions

8 CATALYST Early Concept REACTOR Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] Use Safety Constraints to refine the concept, make design decisions Pressure Relief Valve VENT CATALYST CONDENSER Use a condenser to provide cooling Use a valve to control catalyst (will generate heat) REACTOR COOLING WATER Use a valve to control cooling

9 System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 24

10 Control structure??? Questions to ask: Who or what will control the physical plant? How? Physical Plant Reactor Valves Etc. What are the control actions and feedback?

11 CONDENSER CATALYST COOLING WATER REACTOR These valves were added to regulate temperature/pressure (SC-2). Who or what will control them?

12 Control structure Process Controller Open Close Water valve Reactor Open Close Catalyst valve Etc. Feedback? Physical Plant

13 Control structure Open Close Process Controller? Open Close? Plant Status Process Controller could be a human operator, a computer, or a combination of the two. Water valve Reactor Physical Plant Catalyst valve Etc. STPA can be applied in any of these cases or before the implementation is known.

14 Control structure Human Operator Automated Controller Open Close Open Close? Open Close Open Close? Water valve Catalyst valve Water valve Catalyst valve Reactor Etc. Reactor Etc. Physical Plant Physical Plant (discuss tradeoffs) STPA can be applied to either case the process is the same

15 One option Control Structure Physical Diagram Human Operator Start Stop Plant status Alarms Automated Controller Open Close? Open Close? Plant Status Water valve Reactor Catalyst valve Etc. Physical Plant

16 System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 38

17 Control Structure: Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions Start Process Stop Process Operator Computer Status info Plant state alarm Open/close water valve Open/close catalyst valve Physical Plant Valves Plant status???? Close Water Valve Cmd

18 Control Structure: Chemical Reactor: Unsafe Control Actions Open/close water valve Open/close catalyst valve Physical Plant Start Process Stop Process Operator Computer Valves Status info Plant state alarm Plant status Open Water Valve Cmd Not providing causes hazard Computer does not provide open water valve cmd when catalyst open/flowing Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long??? Copyright John Thomas 2018

19 Structure of an Unsafe Control Action Example: Computer does not provide open water valve command when catalyst open Source Controller Type Control Action Context Four parts of an unsafe control action Source Controller: the controller that can provide the control action Type: whether the control action was provided or not provided Control Action: the controller s command that was provided / missing Context: conditions for the hazard to occur (system or environmental state in which command is provided) 41 (Thomas, 2013)

20 Command duration Copyright John Thomas 2018 Open command sent Open command not sent Water/Catalyst valve position time 1 minute time In our system, no variable metering. During normal operation: valves fully open During shutdown: valves fully closed When switching between: 1 minute transition time Stopped too soon, Applied too long -> only for commands with a duration

21 Command duration Copyright John Thomas 2018 Command provided Command not provided Provided too early, too late Applied too long, Stopped too soon time

22 Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long Open Water Valve cmd Computer does not provide open water valve cmd when catalyst open/flowing [H- 1,2,3] Computer provides open water valve cmd after catalyst open Computer stops providing open water valve cmd too soon before fully opened Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Common Clarifications: - This is not a list of hazardous states. This is about control actions that cause hazards. - Each cell may have 0, 1, 2, or more UCAs. - When is the command unsafe

23 Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long Open Water Valve cmd Computer does not provide open water valve cmd when catalyst open/flowing [H- 1,2,3] Computer provides open water valve cmd after catalyst open Computer stops providing open water valve cmd too soon before fully opened Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd

24 Copyright John Thomas 2018 Open Water Valve cmd Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Computer does not provide open water valve cmd when catalyst valve open/flowing [H- 1,2,3] Computer does not provide close catalyst valve cmd when water closed/not flowing Providing causes hazard Computer provides close water valve cmd while catalyst open Computer provides open catalyst valve cmd when water not open Too Early, Too Late, Order Computer provides open water valve cmd more than X seconds after catalyst open Computer provides close water valve cmd more than X seconds before catalyst closes Computer provides open catalyst valve cmd more than X seconds before water open/flowing Computer provides close catalyst valve cmd more than X seconds after water closed/not flowing Stopped Too Soon / Applied too long Computer stops providing open water valve cmd too soon before fully opened Computer stops providing close catalyst valve cmd too soon before fully closed

25 Copyright John Thomas 2018 Open Water Valve cmd Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Computer does not provide open water valve cmd when catalyst valve open/flowing [H- 1,2,3] Computer does not provide close catalyst valve cmd when water closed/not flowing Is this Safety or Security? Providing causes hazard Computer provides close water valve cmd while catalyst open Computer provides open catalyst valve cmd when water not open Too Early, Too Late, Order Computer provides open water valve cmd more than X seconds after catalyst open Computer provides close water valve cmd more than X seconds before catalyst closes Computer provides open catalyst valve cmd more than X seconds before water open/flowing Computer provides close catalyst valve cmd more than X seconds after water closed/not flowing Stopped Too Soon / Applied too long Computer stops providing open water valve cmd too soon before fully opened Computer stops providing close catalyst valve cmd too soon before fully closed

26 Copyright John Thomas 2018 Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open???? Etc.

27 Copyright John Thomas 2018 Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open Computer must open water valve within X seconds of catalyst valve open Computer must not close water valve while catalyst valve open Computer must not close water valve before catalyst valve closes Computer must not open catalyst valve when water valve not open Etc.

28 (Thomas, 2013) Copyright John Thomas 2018 Traceability Always provide traceability information between UCAs and the hazards they cause Same for Safety Constraints Two ways: Create one UCA table (or safety constraint list) per hazard, label each table with the hazard Create one UCA table for all hazards, include traceability info at the end of each UCA E.g. Computer closes water valve while catalyst open [H-1]

29 System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 54

30 A: Potential causes of UCAs UCA: Computer opens catalyst valve when water valve not open Controller Delayed operation Controller Actuator Inadequate operation Conflicting control actions Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Component failures Process Model (inconsistent, incomplete, or incorrect) Controlled Process Sensor Inadequate operation Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Delays Incorrect or no information provided Measurement inaccuracies Feedback delays Process input missing or wrong Generic Control Loop Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

31 A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Delayed operation Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

32 A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Delayed operation Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

33 A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Delayed operation Conflicting control actions Controlled Process Component failures No feedback about water valve! Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

34 A: Potential causes of UCAs UCA: Computer opens catalyst valve when water valve not open Controller Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Flawed control algorithm: Computer assumes open water valve cmd worked Controller Actuator Inadequate operation Sensor Inadequate operation Delayed operation Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

35 A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Delayed operation Is this Safety or Security? Controlled Process Both! Conflicting control actions Component failures Feedback is incorrect Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

36 Diagram adapted Trevor Kletz, 1982 Copyright John Thomas 2018 Chemical Reactor: Real accident PLANT STATUS VENT CATALYST VAPOR CONDENSER REFLUX COOLING WATER REACTOR COMPUTER

37 Some problems we found Water valve could fail closed There are missing requirements R-1: Computer must not open catalyst valve when open water valve closed (missing) The design is missing feedback Design has no way to verify or check when water valves open The design assumption is incorrect Computer algorithm assumes open water valve cmd is successful (causes process model flaws) 66 Copyright John Thomas 2018