An STPA Tool. Dajiang Suo, John Thomas

Similar documents
Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

Basic STPA Exercises. Dr. John Thomas

Systems Theoretic Process Analysis (STPA)

Systems Theoretic Process Analysis (STPA)

Using STPA in the Design of a new Manned Spacecraft

Basic STPA Tutorial. John Thomas

Virtual Breadboarding. John Vangelov Ford Motor Company

STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

MPCS: Develop and Test As You Fly for MSL

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

OP001 BUS PATROL TRAINING MANUAL

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions

RoboCup German Open D Simulation League Rules

SCAM T.P.E. WATER TREATMENT SYSTEM SWT- AP AUTOMATIC PURGE

AKTA ION EXCHANGE CHROMATOGRAPHY SOP Date: 2/02/05 Author: A DeGiovanni Edited by: C. Huang Reviewed by:

Science&Motion. SAM BalanceLab. Sports. control the invisible. Most advanced pressure plate for coaching

Analysis of Variance. Copyright 2014 Pearson Education, Inc.

Spacecraft Simulation Tool. Debbie Clancy JHU/APL

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Iteration: while, for, do while, Reading Input with Sentinels and User-defined Functions

STPA: A New Hazard Analysis Technique. (System-Theoretic Process Analysis)

Robot motion by simultaneously wheel and leg propulsion

Application of Dijkstra s Algorithm in the Evacuation System Utilizing Exit Signs

SIDRA INTERSECTION 6.1 UPDATE HISTORY

Laboratory 2(a): Interfacing WiiMote. Authors: Jeff C. Jensen (National Instruments) Trung N. Tran (National Instruments)

Re-Engineering Transport Designs for Safe and Universal Accessibility. Dr. Sewa Ram School of Planning and Architecture New Delhi

Pedestrian Dynamics: Models of Pedestrian Behaviour

Automated Proactive Road Safety Analysis

1001ICT Introduction To Programming Lecture Notes

Introducing STAMP in Road Tunnel Safety

IBIS File : Problems & Software Solution

Troubleshooting Guide: 640 Pediatric Exam Table with Midmark Scale

ID: Cookbook: browseurl.jbs Time: 15:40:31 Date: 11/04/2018 Version:

NAOMI Software Design

Instrumentation (and

THE EFFECTS OF LEAD-VEHICLE SIZE ON DRIVER FOLLOWING BEHAVIOR: IS IGNORANCE TRULY BLISS?

LifeBeat should be worn during daytime as well as night time as it can record activity levels as well as sleep patterns.

BACnet Protocol Implementation Conformance Statement

BRT Standard 2016 Edition. Jacob Mason Transport Research and Evaluation Manager July 26, 2016

The Safety Case. Structure of Safety Cases Safety Argument Notation

Transit Signal Preemption and Priority Treatments

AN AUTONOMOUS DRIVER MODEL FOR THE OVERTAKING MANEUVER FOR USE IN MICROSCOPIC TRAFFIC SIMULATION

AC : MEASUREMENT OF HYDROGEN IN HELIUM FLOW

if all agents follow RSS s interpretation then there will be zero accidents.

A Distributed Control System using CAN bus for an AUV

Computer Integrated Manufacturing (PLTW) TEKS/LINKS Student Objectives One Credit

The three steps for biomechanical assessment are the following: > Periodically verify the results and the efficacy of treatment

CASE STUDY. Compressed Air Control System. Industry. Application. Background. Challenge. Results. Automotive Assembly

3. Plan, Procedures, Space Designations, and Permit System a detailed review

Using MATLAB with CANoe

Specifications for Synchronized Sensor Pipe Condition Assessment (AS PROVIDED BY REDZONE ROBOTICS)

Tru Flight TRUFLIGHT INSTALLATION GUIDE TRUGOLF.COM

(Lab Interface BLM) Acceleration

- 2 - Companion Web Site. Back Cover. Synopsis

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

Standard Operating Manual

APPENDIX 10, Automation Standard

Arlington County, Virginia ~ National Capital Region Transportation Planning Board (TPB) Transportation and Land-Use Connections (TLC) Program

Life Cycle Benefits: Maintenace (Control Valve Diagnostic and Field Device Diagnostic Management)

ME 4710 Motion and Control: Integrator Wind-up Reference: Franklin, Powell, Emami-Naeini, Feedback Control of Dynamic Systems, Prentice-Hall, 2002.

Strategy, Developments & Outlook SESP September 2010 ESTEC, Noordwijk, The Netherlands

Software for electronic scorekeeping of volleyball matches, developed and distributed by:

Lecturers. Multi-Agent Systems. Exercises: Dates. Lectures. Prof. Dr. Bernhard Nebel Room Dr. Felix Lindner Room

Failure Management and Fault Tolerance for Avionics and Automotive Systems

How to use the Turnip Graph Engine in STATA

BURST Team Report RoboCup 2009 SPL

RADWAG Mass Comparators - ETERMA 2013 MASS COMPARATORS

ID: Cookbook: browseurl.jbs Time: 03:38:04 Date: 30/04/2018 Version:

Application Notes. SLP85xD Load Cells

BUS RIDER SAFETY HANDBOOK

Session Objectives. At the end of the session, the participants should: Understand advantages of BFD implementation on S9700

Flow Vision I MX Gas Blending Station

Standard Procedure. for using ConfiRM with the SoloVPE. Slope

CO 2. (R744) Service Station Presentation. Contents. Goals Basic functions Specification Recovery R477 Vacuum Charge Safety Other features Prototype

Critical Systems Validation

Technology. In the My Files [My Files] submenu you can store all the programs that you have made on the NXT or downloaded from your computer.

Let s Review Sound Waves

Module 8 Coils and Threads

Neles ValvGuard VG9000H Rev 2.0. Safety Manual

Specifications and information are subject to change without notice. Up-to-date address information is available on our website.

7250 Sys. Ruska Multi-Range Pressure Calibration System. GE Sensing & Inspection Technologies. Features. Applications

AKTA 3D SOP. Click on the System Control tab. This screen has 4 windows.

Improving WCET Analysis for Synthesized Code from Matlab/Simulink/Stateflow. Lili Tan Compiler Design Lab Saarland University

Simulation Model Portability 2 standard support in EuroSim Mk4

2018 SPRING INTERLEAGUE. Presented by Paul Dini ADA Interleague


Master s Project in Computer Science April Development of a High Level Language Based on Rules for the RoboCup Soccer Simulator

Your Roadmap to Single IRB Review Getting Started with SMART IRB & the Online Reliance System

Meter Data Distribution Market Trials

Blackwave Dive Table Creator User Guide

When buying one of our prototypes you agree with this!

Eglinton West/Allen Road Station Preliminary Design Online Consultation

FRDS GEN II SIMULATOR WORKBOOK

Tactical Advance Series Tactical Advance HD Series. Simplifying CNC Plasma Cutting.

A STUDY OF SIMULATION MODEL FOR PEDESTRIAN MOVEMENT WITH EVACUATION AND QUEUING

2017 CCAA Swimming Officials Exam

Airflow Options for Cisco MDS 9396S SAN Switch

1. A tendency to roll or heel when turning (a known and typically constant disturbance) 2. Motion induced by surface waves of certain frequencies.

CS 4649/7649 Robot Intelligence: Planning

Transcription:

An STPA Tool Dajiang Suo, John Thomas

Structure of an Unsafe Control Action Example: Operator provides open train door command when train is moving Control Actions Operator Train Door 2

Structure of an Unsafe Control Action Example: Operator provides open train door command when train is moving Source Controller Type Control Action Context Four parts of a hazardous control action Source Controller: the controller that can provide the control action Type: whether the control action was provided or not provided Control Action: the controller s command that was provided / missing Context: conditions for the hazard to occur 3 Process Model Train motion Train location Stopped Moving At platform Not Aligned

1) Control action is provided Example: Operator provides open train door command when Control Action Train Motion Emergency Train Position Hazardous? Door open command provided Stopped No Not at platform Yes Door open command provided Stopped No At platform No Door open command provided Moving No (doesn t matter) Yes Door open command provided Moving Yes (doesn t matter) Yes* Door open command provided Stopped Yes (doesn t matter) No *Design decision: In this situation, evacuate passengers to other cars. Meanwhile, stop the train and then open doors. 4

2) Control action is not provided Example: Operator does not provide open train door command when Control Action Train Motion Emergency Train Position Door Obst. / Pos. Hazardous? Door open command not provided Stopped Yes (doesn t matter) (doesn t matter) Yes Door open command not provided Stopped (doesn t matter) (doesn t matter) Closing on obstruction Yes Door open command not provided... No 5

Resulting List of Unsafe Control Actions Unsafe Control Actions Door open command provided while train is moving and there is no emergency Door open command provided too late while train is stopped and emergency exists Door open command provided while train is stopped, no emergency, and not at platform Door open command provided while train is moving and emergency exists Door open command not provided while train is stopped and emergency exists Door open command not provided while doors are closing on someone and train is stopped Much of this can be automated to assist the safety engineer! 6

1) Control action is provided Example: Software provides open train door command when train is moving Control Action Train Motion Emergency Train Position Hazardous? Door open command Door open command Door open command Door open command Moving Not Moving Not Moving Moving No No Yes Yes Aligned with platform Aligned with platform Not aligned with platform Not aligned with platform Yes Yes Automate with Rules 7

Generating safety requirements Formal (modelbased) requirements specification Hazardous Control Actions? 8

Generating safety requirements Example: Generated black-box model for door controller. Executable. Provide 'Open Doors' command Behavior required for function Behavior required for safety Door State = Doors not closing on person Doors closing on person T Train Position = Aligned with platform T Not aligned with platform Train Motion = Stopped T T T Train is moving Emergency = No emergency Emergency exists T Open Doors = (Train Position in-state Aligned) (Train Motion in-state Stopped) (Train Motion in-state Stopped) (Emergency in-state exists) (Door State in-state closing on person) (Train Motion in-state Stopped) 9

Detecting conflicts Can automatically check consistency using info in context tables Control Action Train Motion Emergency Hazardous? Door open command Moving Yes Yes* Control Action Train Motion Emergency Hazardous? Door open command not provided Moving Yes Yes* Example: Conflict between opening the door vs. not opening the door 10

Objectives for the STPA tool Allow users to: Specify Hazards Draw the safety control structure Add controllers, controlled processes Add actuators and sensors Add control actions and feedback Add process model variables and values Perform STPA Step 1 Generate context table templates automatically based on control structure Allow user to specify which row causes hazards Allow user to define Rules, used to automatically complete many rows with related hazards Detect conflicts between two rules Calculate and show And/Or tables of executable requirements Generate XML files for storing analysis results and interoperation Help users with STPA Step 2 TBD

The Architecture of the STPA tool Java Development Tooling Eclipse Platform Workbench JFace SWT Platform Runtime UCA Editor (Context Table) STPA Tool Rule Editor 2-D Graphical Editor (Hazard & Safety control structure) XML (Analysis results & interoperability) *The architecture of Eclipse platform is taken from eclipse.org

Specify hazards&draw safety control structure Graphical Editor for Safety Control Structure Tool Bar for choosing components to add

Automatically generate Context Table for UCA

Define rules and calculate related And/or Table Rule in English description Parameters for Rule definition And/Or Table for executable safety requirements

Apply Rules to complete rows with related hazards in context table Complete rows with Hazards automatically Detect conflicts automatically Traceability between UCA and Rule

Conclusion Automatically generate Context Table based on Process model Allow the user to define Rules to identify UCA Automatically construct And/Or Table for executable safety requirements

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback