Basic STPA Exercises. Dr. John Thomas

Similar documents
Systems Theoretic Process Analysis (STPA)

Systems Theoretic Process Analysis (STPA)

Basic STPA Tutorial. John Thomas

STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

Introducing STAMP in Road Tunnel Safety

Every things under control High-Integrity Pressure Protection System (HIPPS)

Using STPA in the Design of a new Manned Spacecraft

An STPA Tool. Dajiang Suo, John Thomas

The Relationship Between Automation Complexity and Operator Error

Failure Management and Fault Tolerance for Avionics and Automotive Systems

CHAPTER 7: THE FEEDBACK LOOP

General Duty Clause. Section 112(r)(1) of CAA. Chris Rascher, EPA Region 1

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

PART 1.2 HARDWARE SYSTEM. Dr. AA, Process Control & Safety

GAS FUEL VALVE FORM AGV5 OM 8-03

Safety-Critical Systems. Rikard Land

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

STPA: A New Hazard Analysis Technique. (System-Theoretic Process Analysis)

Implementing IEC Standards for Safety Instrumented Systems

IE098: Advanced Process Control for Engineers and Technicians

Modeling and Hazard Analysis Using Stpa

An STPA Primer. Version 1, August 2013

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

D-Case Modeling Guide for Target System

HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Understanding safety life cycles

Impact on People. A minor injury with no permanent health damage

Advanced LOPA Topics

Using LOPA for Other Applications

Causal Analysis for Incident and Accident Investigation

Safety Engineering - Hazard Identification Techniques - M. Jahoda

Real-Time & Embedded Systems

High Integrity Pressure Protection Systems HIPPS

PROCEDURE. April 20, TOP dated 11/1/88

Control Performance: An Imperative for Safety

Operator Exposed to Chlorine Gas

Verification Of Calibration for Direct-Reading Portable Gas Monitors

Valve Communication Solutions. Safety instrumented systems

Process Control Loops

Management of Change (MOC) Could Have Prevented Death

Session One: A Practical Approach to Managing Safety Critical Equipment and Systems in Process Plants

Relief Systems. 11/6/ Fall

Lecture 1 Temporal constraints: source and characterization

How to Select High Pressure and Gas Bypass

PRACTICAL EXAMPLES ON CSM-RA

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Pressure Systems Safety Regulation

Control System Nur Istianah-THP-FTP-UB-2014

Thank You for Attending Today s Webinar. Today s Featured Speaker

PositionMaster EDP300 Extended Diagnostics. Compact, well-proven, and flexible

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

RESA Standards V1.0 16/08/18

Accident Investigations: Finding the Root Cause is NOT Enough

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

2. Determine how the mass transfer rate is affected by gas flow rate and liquid flow rate.

Knowledge, Certification, Networking

Series 3730 and Series 3731 EXPERTplus Valve Diagnostics with Partial Stroke Test (PST)

Safety zones and other Land Use Planning tools to reduce acute environmental risks

Reliability Assessment of the Whistler Propane Vaporizers

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Learning from Dangerous Occurrences in the Chemical Industries

PRODUCT OVERVIEW. Gas mixers Test bench systems Leak test and impermeability testing systems High pressure dosing pumps

EL-O-Matic E and P Series Pneumatic Actuator SIL Safety Manual

ENS-200 Energy saving trainer

Quick Installation Guide Doc nr.: C Date:

Section 1: Multiple Choice

Incorrect Relief Valve Material Causes Release

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

SAFETY MANUAL PURGING, VENTING & DRAINING PROCEDURE TABLE OF CONTENTS 1. INTRODUCTION SCOPE DEFINITIONS PROCEDURE...

Reduce Turnaround Duration by Eliminating H 2 S from Flare Gas Utilizing VaporLock Scrubber Technology

V10K GAS FEED SYSTEM WALLACE & TIERNAN PRODUCTS

Solenoid Valves used in Safety Instrumented Systems

Delayed Coker Automation & Interlocks

Hazardous Materials Management Guidelines

UNIVERSITY OF WATERLOO

THE BAKER REPORT HOW FINDINGS HAVE BEEN USED BY JOHNSON MATTHEY TO REVIEW THEIR MANUFACTURING OPERATIONS

American Chemical Society (ACS) 246th ACS National Meeting Indianapolis, Indiana September 9, 2013

Quantitative Risk Analysis (QRA)

Safe management of industrial steam and hot water boilers A guide for owners, managers and supervisors of boilers, boiler houses and boiler plant

Digital Level Control One and Two Loops Proportional and Integral Control Single-Loop and Cascade Control

RESA STANDARDS V2.0 15/12/2018

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

PRAHER PLC-MP AQUASTAR MANAUL 2009

Large Valve Causes Back Injury

Safe Work Practices and Permit-to-Work System

Gas Accumulation Potential & Leak Detection when Converting to Gas

MAHB. INSPECTION Process Hazard Analysis

USE OF THE EXCEEDANCE CURVE APPROACH IN OCCUPIED BUILDING RISK ASSESSMENT

BPM-5 Motor Operating Sequences

INSTALLATION COMMISSIONING, OPERATION & MAINTENANCE MANUAL

Pressure Test Results in Injury

SAFETY PLAN REVIEW. FirstElement Safety Plan Review Submission for the California Energy Commission General Funding Opportunity GFO

USER MANUAL. Intelligent Diagnostic Controller IDC24-A IDC24-AF IDC24-AFL IDC24-F IDP24-A * IDP24-AF * IDP24-AFL * IDP24-F * 1/73

Drain Splash Back Burns Operator

The benefits of the extended diagnostics feature. Compact, well-proven, and flexible

Using what we have. Sherman Eagles SoftwareCPR.

Transcription:

Basic STPA Exercises Dr. John Thomas

Chemical Plant Goal: To produce and sell chemical X What (System): A chemical plant (production), How (Method): By means of a chemical reaction, a catalyst,. CATALYST Early Concept REACTOR

System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 11

Goal: To produce and sell chemical X What (System): A chemical plant, How (Method): By means of a chemical reaction, a catalyst,. STPA Accidents (Mishaps) A-1: People exposed to chemicals A-2: People physically injured (e.g. explosion) A-3: Production loss Etc. Hazards H-1: Plant releases toxic chemicals (e.g. to air, ground, etc.) [A-1] H-2: Overpressurization of plant equipment [A-1, A-2, A-3] H-3: Plant is unable to produce chemical X [A-3] Etc.

STPA Accidents (Mishaps) A-1: People exposed to chemicals A-2: People physically injured (e.g. explosion) A-3: Production loss Etc. Hazards H-1: Plant releases toxic chemicals (e.g. to air, ground, etc.) [A-1] H-2: Overpressurization of plant equipment [A-1, A-2, A-3] H-3: Plant is unable to produce chemical X [A-3] Etc. STPA Safety Constraints SC-1: Toxic chemicals must be contained within plant equipment [H-1] SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] SC-3: If toxic chemicals are not contained, damage must be mitigated [H-1] Etc.

CATALYST Early Concept STPA Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] REACTOR How can we enforce SC-2? How to keep pressure, temperature within limits?

CATALYST Early Concept REACTOR Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] SC-2.1: Reactor temperature must not exceed X [H-2] SC-2.2: Reactor pressure must not exceed Y [H-2] Etc. Use Safety Constraints to refine the concept, make design decisions

CATALYST Early Concept REACTOR Safety Constraints SC-2: Plant must be operated within limits (pressure, temperature, etc.) [H-2] Use Safety Constraints to refine the concept, make design decisions Pressure Relief Valve VENT CATALYST CONDENSER Use a condenser to provide cooling Use a valve to control catalyst (will generate heat) REACTOR COOLING WATER Use a valve to control cooling

System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 24

Control structure??? Questions to ask: Who or what will control the physical plant? How? Physical Plant Reactor Valves Etc. What are the control actions and feedback?

CONDENSER CATALYST COOLING WATER REACTOR These valves were added to regulate temperature/pressure (SC-2). Who or what will control them?

Control structure Process Controller Open Close Water valve Reactor Open Close Catalyst valve Etc. Feedback? Physical Plant

Control structure Open Close Process Controller? Open Close? Plant Status Process Controller could be a human operator, a computer, or a combination of the two. Water valve Reactor Physical Plant Catalyst valve Etc. STPA can be applied in any of these cases or before the implementation is known.

Control structure Human Operator Automated Controller Open Close Open Close? Open Close Open Close? Water valve Catalyst valve Water valve Catalyst valve Reactor Etc. Reactor Etc. Physical Plant Physical Plant (discuss tradeoffs) STPA can be applied to either case the process is the same

One option Control Structure Physical Diagram Human Operator Start Stop Plant status Alarms Automated Controller Open Close? Open Close? Plant Status Water valve Reactor Catalyst valve Etc. Physical Plant

System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 38

Control Structure: Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions Start Process Stop Process Operator Computer Status info Plant state alarm Open/close water valve Open/close catalyst valve Physical Plant Valves Plant status???? Close Water Valve Cmd

Control Structure: Chemical Reactor: Unsafe Control Actions Open/close water valve Open/close catalyst valve Physical Plant Start Process Stop Process Operator Computer Valves Status info Plant state alarm Plant status Open Water Valve Cmd Not providing causes hazard Computer does not provide open water valve cmd when catalyst open/flowing Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long??? Copyright John Thomas 2018

Structure of an Unsafe Control Action Example: Computer does not provide open water valve command when catalyst open Source Controller Type Control Action Context Four parts of an unsafe control action Source Controller: the controller that can provide the control action Type: whether the control action was provided or not provided Control Action: the controller s command that was provided / missing Context: conditions for the hazard to occur (system or environmental state in which command is provided) 41 (Thomas, 2013)

Command duration Copyright John Thomas 2018 Open command sent Open command not sent Water/Catalyst valve position time 1 minute time In our system, no variable metering. During normal operation: valves fully open During shutdown: valves fully closed When switching between: 1 minute transition time Stopped too soon, Applied too long -> only for commands with a duration

Command duration Copyright John Thomas 2018 Command provided Command not provided Provided too early, too late Applied too long, Stopped too soon time

Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long Open Water Valve cmd Computer does not provide open water valve cmd when catalyst open/flowing [H- 1,2,3] Computer provides open water valve cmd after catalyst open Computer stops providing open water valve cmd too soon before fully opened Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Common Clarifications: - This is not a list of hazardous states. This is about control actions that cause hazards. - Each cell may have 0, 1, 2, or more UCAs. - When is the command unsafe

Copyright John Thomas 2018 Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Providing causes hazard Too Early, Too Late, Order Stopped Too Soon / Applied too long Open Water Valve cmd Computer does not provide open water valve cmd when catalyst open/flowing [H- 1,2,3] Computer provides open water valve cmd after catalyst open Computer stops providing open water valve cmd too soon before fully opened Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd

Copyright John Thomas 2018 Open Water Valve cmd Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Computer does not provide open water valve cmd when catalyst valve open/flowing [H- 1,2,3] Computer does not provide close catalyst valve cmd when water closed/not flowing Providing causes hazard Computer provides close water valve cmd while catalyst open Computer provides open catalyst valve cmd when water not open Too Early, Too Late, Order Computer provides open water valve cmd more than X seconds after catalyst open Computer provides close water valve cmd more than X seconds before catalyst closes Computer provides open catalyst valve cmd more than X seconds before water open/flowing Computer provides close catalyst valve cmd more than X seconds after water closed/not flowing Stopped Too Soon / Applied too long Computer stops providing open water valve cmd too soon before fully opened Computer stops providing close catalyst valve cmd too soon before fully closed

Copyright John Thomas 2018 Open Water Valve cmd Close Water Valve cmd Open Catalyst Valve cmd Close Catalyst Valve cmd Chemical Reactor: Unsafe Control Actions (UCA) Not providing causes hazard Computer does not provide open water valve cmd when catalyst valve open/flowing [H- 1,2,3] Computer does not provide close catalyst valve cmd when water closed/not flowing Is this Safety or Security? Providing causes hazard Computer provides close water valve cmd while catalyst open Computer provides open catalyst valve cmd when water not open Too Early, Too Late, Order Computer provides open water valve cmd more than X seconds after catalyst open Computer provides close water valve cmd more than X seconds before catalyst closes Computer provides open catalyst valve cmd more than X seconds before water open/flowing Computer provides close catalyst valve cmd more than X seconds after water closed/not flowing Stopped Too Soon / Applied too long Computer stops providing open water valve cmd too soon before fully opened Computer stops providing close catalyst valve cmd too soon before fully closed

Copyright John Thomas 2018 Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open???? Etc.

Copyright John Thomas 2018 Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open Computer must open water valve within X seconds of catalyst valve open Computer must not close water valve while catalyst valve open Computer must not close water valve before catalyst valve closes Computer must not open catalyst valve when water valve not open Etc.

(Thomas, 2013) Copyright John Thomas 2018 Traceability Always provide traceability information between UCAs and the hazards they cause Same for Safety Constraints Two ways: Create one UCA table (or safety constraint list) per hazard, label each table with the hazard Create one UCA table for all hazards, include traceability info at the end of each UCA E.g. Computer closes water valve while catalyst open [H-1]

System-Theoretic Process Analysis (STPA) Identify accidents (losses), hazards Draw hierarchical control structure Identify unsafe control actions Identify accident scenarios (Leveson, 2012) 54

A: Potential causes of UCAs UCA: Computer opens catalyst valve when water valve not open Controller Delayed operation Controller Actuator Inadequate operation Conflicting control actions Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Component failures Process Model (inconsistent, incomplete, or incorrect) Controlled Process Sensor Inadequate operation Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Delays Incorrect or no information provided Measurement inaccuracies Feedback delays Process input missing or wrong Generic Control Loop Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Delayed operation Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Delayed operation Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Delayed operation Conflicting control actions Controlled Process Component failures No feedback about water valve! Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

A: Potential causes of UCAs UCA: Computer opens catalyst valve when water valve not open Controller Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Flawed control algorithm: Computer assumes open water valve cmd worked Controller Actuator Inadequate operation Sensor Inadequate operation Delayed operation Controller Conflicting control actions Process input missing or wrong Controlled Process Component failures Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

A: Potential causes of UCAs Generic Control Loop! UCA: Computer opens catalyst valve when water valve not open Controller Actuator Inadequate operation Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification) Process Model (inconsistent, incomplete, or incorrect) Sensor Inadequate operation Controller Flawed Process Model: Computer believes water valve open Controller Delayed operation Is this Safety or Security? Controlled Process Both! Conflicting control actions Component failures Feedback is incorrect Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard Copyright John Thomas 2018

Diagram adapted Trevor Kletz, 1982 Copyright John Thomas 2018 Chemical Reactor: Real accident PLANT STATUS VENT CATALYST VAPOR CONDENSER REFLUX COOLING WATER REACTOR COMPUTER

Some problems we found Water valve could fail closed There are missing requirements R-1: Computer must not open catalyst valve when open water valve closed (missing) The design is missing feedback Design has no way to verify or check when water valves open The design assumption is incorrect Computer algorithm assumes open water valve cmd is successful (causes process model flaws) 66 Copyright John Thomas 2018

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback