Systems Theoretic Process Analysis (STPA)

Similar documents
Systems Theoretic Process Analysis (STPA)

Basic STPA Tutorial. John Thomas

STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

Basic STPA Exercises. Dr. John Thomas

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

Introducing STAMP in Road Tunnel Safety

Failure Management and Fault Tolerance for Avionics and Automotive Systems

Using STPA in the Design of a new Manned Spacecraft

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

Modeling and Hazard Analysis Using Stpa

An STPA Tool. Dajiang Suo, John Thomas

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

Every things under control High-Integrity Pressure Protection System (HIPPS)

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

The Relationship Between Automation Complexity and Operator Error

An STPA Primer. Version 1, August 2013

Safety-Critical Systems

STPA: A New Hazard Analysis Technique. (System-Theoretic Process Analysis)

Lecture 1 Temporal constraints: source and characterization

HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Safety-Critical Systems. Rikard Land

Real-Time & Embedded Systems

CHAPTER 7: THE FEEDBACK LOOP

4. Hazard Analysis. Limitations of Formal Methods. Need for Hazard Analysis. Limitations of Formal Methods

Advanced LOPA Topics

The Nitrogen Threat. The simple answer to a serious problem. 1. Why nitrogen is a risky threat to our reactors? 2. Current strategies to deal with it.

Control Performance: An Imperative for Safety

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Working Safely in Daniel C. Herrick, CIH Senior EHS Coordinator Mechanical Engineering

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

Hazard Identification

UNIVERSITY OF WATERLOO

Hazard Identification

Safety Analysis: Event Classification

Answer: B Objective: NFPA 472, 5.2.4(3); Level: Operations Subject: Estimating the Potential Harm or Severity of the Incident; Chapter 4; Page 86

Safety models & accident models

Managing Injury Risk at Grain Handling Facilities. Matt Shurtliff Director of Safety and Environmental Issues J.D. Heiskell & Co January 17, 2018

Development of a Detailed Multi-Body Computational Model of an ATV to Address and Prevent Child Injuries. Chandra K. Thorbole, Ph.D.

Instrumentation (and

Abstract. 1 Introduction

System Safety Introduction

An Elusive Utopia: Systems that Work

Process Control Loops

CONSTRUCTSAFE TIER 1 HEALTH AND SAFETY COMPETENCY TEST FRAMEWORK

OIL & GAS. 20th APPLICATION REPORT. SOLUTIONS for FLUID MOVEMENT, MEASUREMENT & CONTAINMENT. Q&A: OPEC Responds to SHALE BOOM

Gas Accumulation Potential & Leak Detection when Converting to Gas

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Mechanical Design Patterns

Proposed Abstract for the 2011 Texas A&M Instrumentation Symposium for the Process Industries

How to Select High Pressure and Gas Bypass

Robust Task Execution: Procedural and Model-based. Outline. Desiderata: Robust Task-level Execution

FMECA Analyses of radiological over-exposure accident to patients in brachytherapy

Causal Analysis for Incident and Accident Investigation

#19 MONITORING AND PREDICTING PEDESTRIAN BEHAVIOR USING TRAFFIC CAMERAS

2012 NRC - RULES AND REGULATIONS

IE098: Advanced Process Control for Engineers and Technicians

if all agents follow RSS s interpretation then there will be zero accidents.

So it s Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment

Prof. Brian C. Williams February 23 rd, /6.834 Cognitive Robotics. based on [Kim,Williams & Abramson, IJCAI01] Outline

Using what we have. Sherman Eagles SoftwareCPR.

Verification Of Calibration for Direct-Reading Portable Gas Monitors

D-Case Modeling Guide for Target System

DIGITAL SOLUTIONS TRAINING CATALOGUE. QRA and CFD simulation. Phast, Safeti and KFX SAFER, SMARTER, GREENER

Safety-critical systems: Basic definitions

Accident Investigation and Hazard Analysis

Using LOPA for Other Applications

Dynamic Analysis of a Multi-Stage Compressor Train. Augusto Garcia-Hernandez, Jeffrey A. Bennett, and Dr. Klaus Brun

Control System Nur Istianah-THP-FTP-UB-2014

Safety Critical Systems

ISO 6406 INTERNATIONAL STANDARD. Gas cylinders Seamless steel gas cylinders Periodic inspection and testing

Complementarity between Safety and Physical Protection in the Protection against Acts of Sabotage of Nuclear Facilities

Cycling and risk. Cycle facilities and risk management

A Model for Tuna-Fishery Policy Analysis: Combining System Dynamics and Game Theory Approach

Traditional Hazard Analysis

PART 1.2 HARDWARE SYSTEM. Dr. AA, Process Control & Safety

CONTENTS OF THE PCSR CHAPTER 1 - INTRODUCTION AND GENERAL DESCRIPTION

Valve Communication Solutions. Safety instrumented systems

Fail Operational Controls for an Independent Metering Valve

CFD for Ballast Water & Bio-fouling Management

Pressure Systems Safety Regulation

Expert System for LOPA - Incident Scenario Development -

WSH Council Forum Confined Space Accident Case Studies. Er. Tan Geok Leng Senior Assistant Director Occupational Safety & Health Inspectorate (OSHI)

Hazard Recognition and Identification

Reliability Risk Management. August 2012 g Earl Shockley, Senior Director of Reliability Risk Management

Software Safety Hazard Analysis

Hazardous Materials Management Guidelines

Relief Systems. 11/6/ Fall

Basic Design for Safety Principles

Learning from Dangerous Occurrences in the Chemical Industries

IC67 - Pre-Instructional Survey

Review and Assessment of Engineering Factors

HIGH WIND PRA DEVELOPMENT AND LESSONS LEARNED FROM IMPLEMENTATION Artur Mironenko and Nicholas Lovelace

BROCHURE. Pressure relief A proven approach

DEVELOPMENT OF A MICRO-SIMULATION MODEL TO PREDICT ROAD TRAFFIC SAFETY ON INTERSECTIONS WITH SURROGATE SAFETY MEASURES

Transformational Safety Leadership. By Stanley Jules

Biomedical Laboratory: Its Safety and Risk Management

TR Electronic Pressure Regulator. User s Manual

General Rules 2010: Regular category

Transcription:

Systems Theoretic Process Analysis (STPA) 1

Systems approach to safety engineering (STAMP) STAMP Model Accidents are more than a chain of events, they involve complex dynamic processes. Treat accidents as a control problem, not just a failure problem Prevent accidents by enforcing constraints on component behavior and interactions Captures more causes of accidents: Component failure accidents Unsafe interactions among components Complex human, software behavior Design errors Flawed requirements esp. software-related accidents 2

STAMP: basic control loop Control Actions Controller Control Algorithm Process Model Feedback Controlled Process Controllers use a process model to determine control actions Accidents often occur when the process model is incorrect A good model of both software and human behavior in accidents Four types of unsafe control actions: 1) Control commands required for safety are not given 2) Unsafe ones are given 3) Potentially safe commands but given too early, too late 4) Control action stops too soon or applied too long 3

Using control theory Controller Control Algorithm Control Actions Process Model Feedback Controlled Process From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Massachusetts Institute of Technology. Used with permission. 4

Using control theory Controller Control Algorithm Control Actions Process Model Feedback Controlled Process From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Massachusetts Institute of Technology. Used with permission. 5

Using control theory Controller Control Algorithm Process Model Control Actions Feedback Controlled Process From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Massachusetts Institute of Technology. Used with permission. 6

Example Safety Control Structure (Leveson, 2012) From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Massachusetts Institute of Technology. Used with permission. 7

STAMP and STPA STAMP Model Accidents are caused by inadequate control 8

STAMP and STPA CAST Accident Analysis STAMP Model How do we find inadequate control that caused an accident? Accidents are caused by inadequate control 9

STAMP and STPA CAST Accident Analysis STPA Hazard Analysis How do we find inadequate control in a design? STAMP Model Accidents are caused by inadequate control 10

STPA Hazard Analysis 11

STPA (System-Theoretic Process Analysis) Identify accidents and hazards STPA Hazard Analysis STAMP Model Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback Can capture requirements flaws, software errors, human errors (Leveson, 2012) 12

Definitions Accident (Loss) An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. Hazard A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Definitions from Engineering a Safer World 13

System Accident (Loss) Definitions An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. May involve environmental factors outside our control System Hazard A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Something we can control in the design System Accident People die from exposure to toxic chemicals System Hazard Toxic chemicals from the plant are in the atmosphere 14

System Accident (Loss) Definitions An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. May involve environmental factors outside our control System Hazard A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Something we can control in the design System Accident People die from exposure to toxic chemicals People die from radiation sickness Vehicle collides with another vehicle People die from food poisoning System Hazard Toxic chemicals from the plant are in the atmosphere Nuclear power plant radioactive materials are not contained Vehicles do not maintain safe distance from each other Food products for sale contain pathogens 15

Definitions System Accident (Loss) An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. May involve environmental factors outside our control System Hazard Broad view of safety A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss). Something Accident we can control is anything in the design that is unacceptable, System Accident People die from exposure to toxic chemicals People die from radiation sickness Vehicle collides with another vehicle People die from food poisoning that must be prevented. System Hazard Not limited to loss of life or human injury! Toxic chemicals from the plant are in the atmosphere Nuclear power plant radioactive materials are not contained Vehicles do not maintain safe distance from each other Food products for sale contain pathogens 16

System Safety Constraints System Hazard Toxic chemicals from the plant are in the atmosphere Nuclear power plant radioactive materials are not contained Vehicles do not maintain safe distance from each other Food products for sale contain pathogens System Safety Constraint Toxic plant chemicals must not be released into the atmosphere Radioactive materials must note be released Vehicles must always maintain safe distances from each other Food products with pathogens must not be sold Additional hazards / constraints can be found in ESW p355 17

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 18

Control Structure Examples 19

Proton Therapy Machine High-level Control Structure Gantry source unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/. Paul Scherrer Institute. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/. Beam path and control elements source unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/. 20

Proton Therapy Machine High-level Control Structure source unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/. Courtesy of MIT. Used with permission. Antoine PhD Thesis, 2012 21

Proton Therapy Machine Control Structure Antoine PhD Thesis, 2012 Courtesy of MIT. Used with permission. 22

Adaptive Cruise Control Audi. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/. Image from: http://www.audi.com/etc/medialib/ngw/efficiency/video_assets/fallback_videos.par.0002.image.jpg 23

Courtesy of Qi D. Van Eikema Hommes. Used with permission. Qi Hommes 24

Chemical Plant An image of the explosion at the Bayer chemical plant in Institute, West Virginia removed due to copyright restrictions. Image from: http://www.cbgnetwork.org/2608.html 25

Chemical Plant Image from: http://www.cbgnetwork.org/2608.html An image of the explosion at the Bayer chemical plant in Institute, West Virginia removed due to copyright restrictions. ESW p354 26

U.S. pharmaceutical safety control structure An image of the prescription drug Vioxx removed due to copyright restrictions. Image from: http://www.kleantreatmentcenter.com/wpcontent/uploads/2012/07/vioxx.jpeg 27

Ballistic Missile Defense System An image of the ballistic missile defense system removed due to copyright restrictions. Image from: http://www.mda.mil/global/images/system/aegis/ftm- 21_Missile%201_Bulkhead%20Center14_BN4H0939.jpg Safeware Corporation 28

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal factors and create scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 29

STPA Step 1: Unsafe Control Actions (UCA) Controller Control Actions Feedback Controlled process Not providing causes hazard Providing causes hazard Incorrect Timing/ Order Stopped Too Soon / Applied too long Control Action A 30

STPA Step 1: Unsafe Control Actions (UCA) Controller Control Actions Feedback Controlled process Not providing causes hazard Providing causes hazard Incorrect Timing/ Order Stopped Too Soon / Applied too long (Control Action) 31

Step 1: Identify Unsafe Control Actions (a more rigorous approach) Control Action Process Model Variable 1 Process Model Variable 2 Process Model Variable 3 Hazardous? 32

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 33

STPA Step 2: Identify Control Flaws Inappropriate, ineffective, or missing control action Delayed operation Controller Controller Actuator Inadequate operation Conflicting control actions Process input missing or wrong Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Component failures Changes over time Process Model (inconsistent, incomplete, or incorrect) Controlled Process Unidentified or out-of-range disturbance Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Sensor Delays Inadequate operation Incorrect or no information provided Measurement inaccuracies Feedback delays Process output contributes to system hazard 34

STPA Examples 35

Chemical Reactor 36

Chemical Reactor Design Catalyst flows into reactor Chemical reaction generates heat Water and condenser provide cooling What are the accidents, system hazards, system safety constraints? 37

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 38

Chemical Reactor Design Catalyst flows into reactor Chemical reaction generates heat Water and condenser provide cooling Create Control Structure 39

STPA Analysis High-level (simple) Control Structure What are the main parts???? 40

STPA Analysis High-level (simple) Control Structure What commands are sent?? Operator? Computer?? Valves 41

STPA Analysis High-level (simple) Control Structure What feedback is received? Start Process Stop Process Operator? Computer Open/close water valve Open/close catalyst valve? Valves 42

Chemical Reactor Design Control Structure: 43

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 44

Control Structure: Chemical Reactor: Unsafe Control Actions Close Water Valve???? 45

Control Structure: Chemical Reactor: Unsafe Control Actions Close Water Valve Not providing causes hazard? Providing causes hazard Computer closes water valve while catalyst open Incorrect Timing/ Order Stopped Too Soon / Applied too long?? 46

Structure of an Unsafe Control Action Example: Computer provides close water valve command when catalyst open Source Controller Type Control Action Context Four parts of an unsafe control action Source Controller: the controller that can provide the control action Type: whether the control action was provided or not provided Control Action: the controller s command that was provided / missing Context: conditions for the hazard to occur (system or environmental state in which command is provided) 47

Chemical Reactor: Unsafe Control Actions (UCA) Close Water Valve Open Water Valve Open Catalyst Valve Close Catalyst Valve Not providing causes hazard Computer does not open water valve when catalyst open Computer does not close catalyst when water closed Providing causes hazard Computer closes water valve while catalyst open Computer opens catalyst valve when water valve not open Incorrect Timing/ Order Computer closes water valve before catalyst closes Computer opens water valve more than X seconds after open catalyst Computer opens catalyst more than X seconds before open water Computer closes catalyst more than X seconds after close water Stopped Too Soon / Applied too long Computer stops opening water valve before it is fully opened Computer stops closing catalyst before it is fully closed 48

Chemical Reactor: Unsafe Control Actions (UCA) Close Water Valve Open Water Valve Open Catalyst Valve Close Catalyst Valve Not providing causes hazard Computer does not open water valve when catalyst open Computer does not close catalyst when water closed Providing causes hazard Computer closes water valve while catalyst open Computer opens catalyst valve when water valve not open Incorrect Timing/ Order Computer closes water valve before catalyst closes Computer opens water valve more than X seconds after open catalyst Computer opens catalyst more than X seconds before open water Computer closes catalyst more than X seconds after close water Stopped Too Soon / Applied too long Computer stops opening water valve before it is fully opened Computer stops closing catalyst before it is fully closed 49

Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open???? Etc. 50

Safety Constraints Unsafe Control Action Computer does not open water valve when catalyst valve open Computer opens water valve more than X seconds after catalyst valve open Computer closes water valve while catalyst valve open Computer closes water valve before catalyst valve closes Computer opens catalyst valve when water valve not open Etc. Safety Constraint Computer must open water valve whenever catalyst valve is open Computer must open water valve within X seconds of catalyst valve open Computer must not close water valve while catalyst valve open Computer must not close water valve before catalyst valve closes Computer must not open catalyst valve when water valve not open Etc. 51

Traceability Always provide traceability information between UCAs and the hazards they cause. Same for Safety Constraints and the hazards that result if violated. Two ways: Create one UCA table (or safety constraint list) per hazard, label each table with the hazard Create one UCA table for all hazards, include traceability info at the end of each UCA E.g. Computer closes water valve while catalyst open [H-1] 52

STPA (System-Theoretic Process Analysis) Identify accidents and hazards Draw the control structure Step 1: Identify unsafe control actions Step 2: Identify causal scenarios Control Actions Controller Controlled process Feedback (Leveson, 2012) 53

Step 2: Potential causes of UCAs UCA: Computer opens catalyst valve when water valve not open Controller Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Process Model (inconsistent, incomplete, or incorrect) Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Delays Controller Delayed operation Actuator Inadequate operation Conflicting control actions Controlled Process Component failures Sensor Inadequate operation Incorrect or no information provided Measurement inaccuracies Feedback delays Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard 54

Step 2: Potential control actions not followed Open water valve Controller Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Process Model (inconsistent, incomplete, or incorrect) Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Delays Controller Delayed operation Actuator Inadequate operation Conflicting control actions Controlled Process Component failures Sensor Inadequate operation Incorrect or no information provided Measurement inaccuracies Feedback delays Process input missing or wrong Changes over time Unidentified or out-of-range disturbance Process output contributes to system hazard 55

Chemical Reactor: Real accident 56

MIT OpenCourseWare https://ocw.mit.edu 16.63J / ESD.03J System Safety Spring 2016 For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback