Basic STPA Tutorial. John Thomas

Similar documents
STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

Systems Theoretic Process Analysis (STPA)

Systems Theoretic Process Analysis (STPA)

Basic STPA Exercises. Dr. John Thomas

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

Using STPA in the Design of a new Manned Spacecraft

Modeling and Hazard Analysis Using Stpa

Introducing STAMP in Road Tunnel Safety

Failure Management and Fault Tolerance for Avionics and Automotive Systems

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

Safety-Critical Systems

STPA: A New Hazard Analysis Technique. (System-Theoretic Process Analysis)

An STPA Primer. Version 1, August 2013

Real-Time & Embedded Systems

POWER-OFF 180 ACCURACY APPROACH AND LANDING

Flight Dynamics II (Stability) Prof. Nandan Kumar Sinha Department of Aerospace Engineering Indian Institute of Technology, Madras

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

VI.B. Traffic Patterns

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Safety-Critical Systems. Rikard Land

FLIGHT CREW TRAINING NOTICE

An STPA Tool. Dajiang Suo, John Thomas

Every things under control High-Integrity Pressure Protection System (HIPPS)

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

Climbs, descents, turns, and stalls These are some of the maneuvers you'll practice, and practice, and practice By David Montoya

COASTAL SOARING ASSOCIATION, INC. STANDARD OPERATING PROCEDURES Revised 09/17/2010


Flutter Testing. Wind Tunnel Testing (excerpts from Reference 1)

Circuit Considerations

D-Case Modeling Guide for Target System

PRIVATE PILOT MANEUVERS Practical Test Standards FAA-S A

Go around manoeuvre How to make it safer? Capt. Bertrand de Courville

Preparing A Landing Zone L Z

The Relationship Between Automation Complexity and Operator Error

OBJECTIVE 6: FIELD RADIOLOGICAL MONITORING - AMBIENT RADIATION MONITORING

Lecture 1 Temporal constraints: source and characterization

NAVIGATION ACCIDENTS AND THEIR CAUSES IS SHIPBOARD TECHNOLOGY A HELP OR HINDERANCE? CAPT.CLEANTHIS ORPHANOS MSc HEAD MAIC SERVICE

Flight Systems Verification & Validation Mars 2020 Entry, Descent, and Landing

Surrogate UAV Approach and Landing Testing Improving Flight Test Efficiency and Safety

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Risk Assessment. Residual Level of Risk (Considering existing and proposed controls) E, H, M, L or N See Tables 1 3 L

I2102 WORKSHEET. Planned Route: Takeoff: KNSE, RWY 32 Altitude: 12,000 Route: RADAR DEPARTURE. Syllabus Notes None. Special Syllabus Requirements None

PRACTICAL EXAMPLES ON CSM-RA

FAI Sporting Code. UAV Class U. Section 12 Unmanned Aerial Vehicles Edition. Effective 1st January 2018

Calspan Loss-of-Control Studies Using In-flight Simulation. Lou Knotts, President November 20, 2012

XI.D. Crossed-Control Stalls

Hazard Identification

4. Hazard Analysis. Limitations of Formal Methods. Need for Hazard Analysis. Limitations of Formal Methods

OPERATIONS MANUAL PART A INSTRUCTIONS AND TRAINING REQUIREMENTS FOR THE AVOIDANCE OF CONTROLLED FLIGHT INTO TERRAIN AND POLICIES FOR THE USE OF GPWS

Helicopter Safety Recommendation Summary for Small Operators

CHAPTER 7: THE FEEDBACK LOOP

See the diagrams at the end of this manual for judging position locations.

So it s Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment

Unmanned Aerial Vehicle Failure Modes Algorithm Modeling

Safety Criticality Analysis of Air Traffic Management Systems: A Compositional Bisimulation Approach

IVAO International Virtual Aviation Organization Training department

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

Committee Input No. 35-NFPA [ Chapter 1 ] Submitter Information Verification. Committee Statement

Preventive Maintenance

Autothrottle Use with Autopilot Off

etcadvancedpilottraining.com Upset Prevention and Recovery Training (UPRT) Altitude Awareness Training Situational Awareness (SA)

Risk Management. Definitions. Principles of Risk Management. Types of Risk

Accident Investigation and Hazard Analysis

Traffic Engineering Applications of Drone Technology

Road safety training for professional drivers: worldwide practices

FixedWingLib CGF. Realistic CGF Aircraft Entities ware-in-the-loop Simulations

Verification Of Calibration for Direct-Reading Portable Gas Monitors

Developing Startle and Surprise Training Interventions for Airline Training Programs

2. Page 2-13, Figure 2-19, top figure; change the green label Altitude Indicator to Attitude Indicator.

Cessna 152 Standardization Manual

VII.H. Go-Around/Rejected Landing

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Guidance Notes PRIVATE AND COMMERCIAL PILOT TRAINING

Advisory Circular (AC)

A Novel Approach to Evaluate Pedestrian Safety at Unsignalized Crossings using Trajectory Data

TECHNIQUES FOR OFF AIRPORT OPERATIONS

Capturing an Uncertain Future: The Functional Resonance Accident Model

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

Spin Training. Bob Wander Soaring Books & Supplies Website:

Upon entry to the McDonald s Ashburton Six Hour Race all competitors have been required to sign a waiver which states;

Lesson: Airspeed Control

Understanding safety life cycles

ASSESSMENT OF CORRECTNESS OF INFORMATION OBTAINED FROM AUTOMATIC IDENTIFICATION OF SHIP S SYSTEM (AIS)

User Manual. Heads-Up Display (HUD) DiveCAN. Mechanical Button Version

Prof. Brian C. Williams February 23 rd, /6.834 Cognitive Robotics. based on [Kim,Williams & Abramson, IJCAI01] Outline

OA Guide to Outdoor Safety Management. by Rick Curtis. Dynamics of Accidents Model

VFR Circuit Tutorial. A Hong Kong-based Virtual Airline. VOHK Training Team Version 2.1 Flight Simulation Use Only 9 July 2017

A Conceptual Approach for Using the UCF Driving Simulator as a Test Bed for High Risk Locations

Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions

Robust Task Execution: Procedural and Model-based. Outline. Desiderata: Robust Task-level Execution

Surviving Off-Field Landings: Emergency Landing Pattern. By Wally Moran

CIVIL AIR PATROL United States Air Force Auxiliary Cadet Program Directorate. Cessna 172 Maneuvers and Procedures

Update to Airline Transport Pilot Test July 2010 Airline Transport Pilot Test Prep 2010

Advanced LOPA Topics

Evaluation of the ACC Vehicles in Mixed Traffic: Lane Change Effects and Sensitivity Analysis

Driver Training School Instructor Curriculum Requirements for Student Learning & Performance Goals

P/N 135A EASA Approved: June 23, 2011 Section 9 Initial Release Page 1 of 22

Coastal Plains Dragway

Transcription:

Basic STPA Tutorial John Thomas

How is STAMP different? STAMP Model (Leveson, 2003); (Leveson, 2011) Accidents are more than a chain of events, they involve complex dynamic processes. Treat accidents as a control problem, not a failure problem Prevent accidents by enforcing constraints on component behavior and interactions Captures more causes of accidents: Component failure accidents Unsafe interactions among components Complex human, software behavior Design errors Flawed requirements esp. software-related accidents 2

Basic Control Loop Controller Process Model Control Actions Feedback Controlled Process 3

Generic Safety Control Structure

ESW p354 Example: Chemical plant

ESW p206: U.S. pharmaceutical safety control structure

ESW p216: Ballistic Missile Defense System

Control Actions Controller Process Model Feedback Controlled Process STAMP Controllers use a process model to determine control actions Accidents often occur when the process model is incorrect Four types of hazardous control actions: 1) Control commands required for safety are not given 2) Unsafe ones are given 3) Potentially safe commands but given too early, too late 4) Control action stops too soon or applied too long Explains software errors, human errors, component interaction accidents, components failures 8

STPA (System-Theoretic Process Analysis) STPA Hazard Analysis How do we find inadequate control in a system? STAMP Model Accidents are caused by inadequate control (Leveson, 2011) 9

CAST (Causal Analysis using System Theory) STPA Hazard Analysis CAST Accident Analysis How do we find inadequate control that caused the accident? STAMP Model Accidents are caused by inadequate control (Leveson, 2011) 10

Today s Tutorials CAST Accident Analysis 9am noon, room 32-124 Basic STPA Hazard Analysis 9am noon, room 32-141 Advanced STPA Hazard Analysis 9am noon, room 32-155

Basic STPA Hazard Analysis

Definitions Accident (Loss) An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. Hazard A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Definitions from Engineering a Safer World

Accident (Loss) Definitions An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. May involve environmental factors outside our control Hazard A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Something we can control in the design Accident Satellite becomes lost or unrecoverable People die from exposure to toxic chemicals People die from radiation sickness People die from food poisoning Hazard Satellite maneuvers out of orbit Toxic chemicals are released into the atmosphere Nuclear power plant releases radioactive materials Food products containing pathogens are sold

Identify Accident, Hazards, Safety Constraints System-level Accident (Loss)? System-level Hazard? System-level Safety Constraint?

Identify Accident, Hazards, Safety Constraints System-level Accident (Loss) Death, illness, or injury due to exposure to toxic chemicals. System-level Hazard Uncontrolled release of toxic chemicals System-level Safety Constraint Toxic chemicals must not be released Additional hazards / constraints can be found in ESW p355

STPA (System-Theoretic Process Analysis) STPA Hazard Analysis STAMP Model (Leveson, 2011) Identify accidents and hazards Construct the control structure Step 1: Identify unsafe control actions Step 2: Identify causal factors and control flaws Control Actions Controller Controlled process Feedback 17

Step 1: Identify Unsafe Control Actions Action required but not provided Unsafe action provided Incorrect Timing/ Order Stopped Too Soon / Applied too long Action (Role)

Step 1: Identify Unsafe Control Actions (a more rigorous approach) Control Action Process Model Variable 1 Process Model Variable 2 Process Model Variable 3 Hazardous?

Step 2: STPA Control Flaws Inappropriate, ineffective, or missing control action Delayed operation Controller Controller Actuator Inadequate operation Conflicting control actions Process input missing or wrong Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Component failures Changes over time Process Model (inconsistent, incomplete, or incorrect) Controlled Process Unidentified or out-of-range disturbance Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Sensor Delays Inadequate operation Incorrect or no information provided Measurement inaccuracies Feedback delays Process output contributes to system hazard 20

Simple STPA Exercise a new in-trail procedure for trans-oceanic flights 21

STPA Exercise Identify accidents and hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

Example System: Aviation Accident (Loss):?

Accident Definition: An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. May involve environmental factors outside our control Examples: Accident Satellite becomes lost or unrecoverable People die from exposure to toxic chemicals People die from radiation sickness People die from food poisoning Hazard Satellite maneuvers out of orbit Toxic chemicals are released into the atmosphere Nuclear power plant releases radioactive materials Food products containing pathogens are sold

Example System: Aviation Accident (Loss): Two aircraft collide

STPA Exercise Identify accidents and hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

Accident (Loss): Two aircraft collide Hazard:?

Hazard Definition: A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss). Something we can control Examples: Accident Satellite becomes lost or unrecoverable People die from exposure to toxic chemicals People die from radiation sickness People die from food poisoning Hazard Satellite maneuvers out of orbit Toxic chemicals are released into the atmosphere Nuclear power plant releases radioactive materials Food products containing pathogens are sold

Accident (Loss): Aircraft crashes Hazard: Two aircraft violate minimum separation

Identifying Accidents and Hazards System-level Accident (loss) Two aircraft collide Aircraft crashes into terrain / ocean System-level Hazards Two aircraft violate minimum separation Aircraft enters unsafe atmospheric region Aircraft enters uncontrolled state Aircraft enters unsafe attitude Aircraft enters prohibited area

Aviation examples System-level Accidents Accident A-1: Two aircraft collide Accident A-2: Aircraft collides with terrain or sea Accident A-3: Aircraft collides with another object during touchdown (or during takeoff) System-level Hazards Hazard H-1: a pair of controlled aircraft violate minimum separation standards Hazard H-2: aircraft enters unsafe atmospheric region Hazard H-3: aircraft enters uncontrolled state Hazard H-4: aircraft enters unsafe attitude (excessive turbulence or pitch/roll/yaw that causes passenger injury but not necessarily aircraft loss) Hazard H-5: aircraft enters a prohibited area

STPA Exercise Identify accidents and hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

North Atlantic Tracks

STPA application: NextGen In-Trail Procedure (ITP) Current State Pilots will have separation information Pilots decide when to request a passing maneuver Air Traffic Control approves/denies request Proposed Change

STPA Analysis High-level (simple) Control Structure Main components and controllers????

STPA Analysis High-level (simple) Control Structure Who controls who? Flight Crew? Aircraft? Air Traffic Controller?

STPA Analysis High-level (simple) Control Structure What commands are sent?? Air Traffic Control? Flight Crew?? Aircraft

STPA Analysis High-level (simple) Control Structure Air Traffic Control Issue clearance to pass Feedback? Flight Crew Execute maneuver Feedback? Aircraft

STPA Analysis More complex control structure

Example High-level control structure Congress Directives, funding Reports FAA Regulations, procedures Reports ATC Instructions Acknowledgement, requests Pilots Execute maneuvers Aircraft status, position, etc Aircraft

Air Traffic Control (ATC) ATC Front Line Manager (FLM) Instructions Status Updates Instructions Status Updates Instructions Status Updates Instructions Company Dispatch Status Updates Instructions ATC Ground Controller Query Status Updates and acknowledgements ATC Radio Other Ground Controllers Execute maneuvers Pilots Pilots Pilots Pilots Aircraft Execute maneuvers Aircraft Execute maneuvers Aircraft Execute maneuvers Aircraft ACARS Text Messages

Proton Therapy Machine High-level Control Structure

Proton Therapy Machine Control Structure

STPA Exercise Identify accidents and hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

Identify Unsafe Control Actions ATC Instructions Acknowledgement, requests Pilots Execute maneuvers Aircraft status, position, etc Aircraft Flight Crew Action (Role) Action required but not provided Unsafe action provided Incorrect Timing/ Order Stopped Too Soon Execute Passing Maneuver Pilot does not execute maneuver once it is approved

STPA Analysis: Identify Unsafe Control Actions Flight Crew Action (Role) Execute passing maneuver Action required but not provided Pilot does not execute maneuver Aircraft remains In- Trail Unsafe action provided Perform ITP when ITP criteria are not met or request has been refused Pilot instructs incorrect attitude, e.g. throttle and/or pitch Incorrect Timing/ Order Crew starts maneuver late after having reverified ITP criteria Pilot throttles before achieving necessary altitude Stopped Too Soon Crew does not complete entire maneuver e.g. Aircraft does not achieve necessary altitude or speed

STPA Analysis: Identify UCAs Flight Crew Action (Role) Read Back Clearance Verify ITP Criteria to Confirm Validity of Clearance Perform ITP Maneuver Provide data to ATC & other aircraft Action required but not provided Crew does not readback ITP clearance Crew does not perform ITP criteria verification Pilot does not execute maneuver Aircraft remains In- Trail Does not communicate position & attitude information Unsafe action provided Confirm clearance but clearance had not been granted Confirm clearance when criteria are not met Perform ITP when ITP criteria are not met or request has been refused Pilot instructs incorrect attitude, e.g. throttle and/or pitch Transmit unnecessary data or information Transmit incorrect data Incorrect Timing/ Order Reads back clearance in non-standard order Verifies criteria late after clearance was initially granted or too early before maneuver is actually performed Crew starts maneuver late after having re-verified ITP criteria Pilot throttles before achieving necessary altitude Stopped Too Soon Crew does not complete entire maneuver e.g. Aircraft does not achieve necessary altitude or speed

Defining Safety Constraints Unsafe Control Action Pilot does not execute maneuver once it is approved Pilot performs ITP when ITP criteria are not met or request has been refused Pilot starts maneuver late after having re-verified ITP criteria Safety Constraint Pilot must execute maneuver once it is approved Pilot must not perform ITP when criteria are not met or request has been refused Pilot must start maneuver within X minutes of re-verifying ITP criteria

STPA Exercise Identify accidents and hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

STPA Analysis: Causal Factors Process Model UCA: Pilot does not execute maneuver once approved How could this action be caused by: Process model Feedback Sensors Etc? Controlled Process

Hint: Causal Factors

STPA Analysis: Causal Factors

STPA Analysis: Causal Factors Safety Constraint: Maneuver must be executed once approved Process Model Safety Constraint: Maneuver must be executed once approved Pilot executes maneuver once approved How else could the Safety Constraint be violated? Controlled Process

STPA Group Exercise Choose a system to analyze: International Space Station unmanned cargo vehicle Electronic Throttle Control 54

STPA Group Exercise Identify accidents and hazards (15 min) Draw the control structure (15 min) Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (15 min) Control Table: Not given, Unsafe action provided, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors (15 min) Identify controller process models Analyze controller, control path, feedback path, process

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback