STAMP Experienced Users Tutorial. John Thomas Blandine Antoine Cody Fleming Melissa Spencer Qi Hommes Tak Ishimatsu John Helferich

Transcription

1 STAMP Experienced Users Tutorial John Thomas Blandine Antoine Cody Fleming Melissa Spencer Qi Hommes Tak Ishimatsu John Helferich

2 Systems approach to safety engineering (STAMP) STAMP Model (Leveson, 2003); (Leveson, 2011) Accidents are more than a chain of events, they involve complex dynamic processes. Treat accidents as a control problem, not a failure problem Prevent accidents by enforcing constraints on component behavior and interactions Captures more causes of accidents: Component failure accidents Unsafe interactions among components Complex human, software behavior Design errors Flawed requirements esp. software-related accidents 2

3 STPA (System-Theoretic Process Analysis) STPA Hazard Analysis How do we find inadequate control in a system? STAMP Model Accidents are caused by inadequate control (Leveson, 2011) 3

4 CAST (Causal Analysis using System Theory) STPA Hazard Analysis CAST Accident Analysis How do we find inadequate control that caused the accident? STAMP Model Accidents are caused by inadequate control (Leveson, 2011) 4

5 Experienced Users Tutorial Morning session STPA Hazard Analysis Hands-on exercises Afternoon session CAST Accident Analysis Hands-on exercises

6 STPA Hazard Analysis

7 STPA (System-Theoretic Process Analysis) STPA Hazard Analysis STAMP Model (Leveson, 2011) Identify the hazards Construct the control structure Step 1: Identify unsafe control actions Step 2: Identify causes of unsafe control actions Control Actions Controller Controlled process Feedback 7

8 Step 1: Identify Unsafe Control Actions Action required but not provided Unsafe action provided Incorrect Timing/ Order Stopped Too Soon Action (Role)

9 Step 1: Identify Unsafe Control Actions (a more rigorous method, more on this tomorrow) Control Action Process Model Variable 1 Process Model Variable 2 Process Model Variable 3 Hazardous?

10 Step 2: STPA Control Flaws Inappropriate, ineffective, or missing control action Delayed operation Controller Controller Actuator Inadequate operation Conflicting control actions Process input missing or wrong Inadequate Control Algorithm (Flaws in creation, process changes, incorrect modification or adaptation) Control input or external information wrong or missing Component failures Changes over time Process Model (inconsistent, incomplete, or incorrect) Controlled Process Unidentified or out-of-range disturbance Missing or wrong communication with another Controller controller Inadequate or missing feedback Feedback Sensor Delays Inadequate operation Incorrect or no information provided Measurement inaccuracies Feedback delays Process output contributes to system hazard 10

11 Simple STPA Exercise a new in-trail procedure for trans-oceanic flights 11

12 Example System: Aviation Accident (Loss): Aircraft crashes

13 STPA Exercise Identify Hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

14 Hazard Definition: A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss). Something we can control Examples: Accident Satellite becomes lost or unrecoverable People are exposed to toxic chemicals People are irradiated People are poisoned by food Hazard Satellite maneuvers out of orbit Toxic chemicals are released into the atmosphere Nuclear power plant experiences nuclear meltdown Food products containing pathogens are sold

15 Accident (Loss): Aircraft crashes Hazard:?

16 Accident (Loss): Aircraft crashes Hazard: Two aircraft violate minimum separation

17 Identifying Hazards Loss (accident) Death or Injury Hazards Two aircraft violate minimum separation Aircraft enters unsafe atmospheric region Aircraft enters uncontrolled state Aircraft enters unsafe attitude Aircraft enters prohibited area

18 STPA Exercise Identify Hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

19 North Atlantic Tracks

20 STPA application: NextGen In-Trail Procedure (ITP) Current State Pilots will have separation information Pilots decide when to request a passing maneuver Air Traffic Control approves/denies request Proposed Change

21 STPA Analysis High-level (simple) Control Structure Main components and controllers????

22 STPA Analysis High-level (simple) Control Structure Who controls who? Flight Crew? Aircraft? Air Traffic Controller?

23 STPA Analysis High-level (simple) Control Structure What commands are sent?? Air Traffic Control? Flight Crew?? Aircraft

24 STPA Analysis High-level (simple) Control Structure Air Traffic Control Issue clearance to pass Feedback? Flight Crew Execute maneuver Feedback? Aircraft

25 STPA Analysis More complex control structure

26 STPA Exercise Identify Hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

27 STPA Analysis: Identify Unsafe Control Actions Flight Crew Action (Role) Action required but not provided Unsafe action provided Incorrect Timing/ Order Stopped Too Soon Execute Passing Maneuver Pilot does not execute maneuver once it is approved

28 STPA Analysis: Identify Unsafe Control Actions Flight Crew Action (Role) Execute passing maneuver Action required but not provided Pilot does not execute maneuver Aircraft remains In- Trail Unsafe action provided Perform ITP when ITP criteria are not met or request has been refused Pilot instructs incorrect attitude, e.g. throttle and/or pitch Incorrect Timing/ Order Crew starts maneuver late after having reverified ITP critera Pilot throttles before achieving necessary altitude Stopped Too Soon Crew does not complete entire maneuver e.g. Aircraft does not achieve necessary altitude or speed

29 STPA Analysis: Identify UCAs Flight Crew Action (Role) Read Back Clearance Verify ITP Criteria to Confirm Validity of Clearance Perform ITP Maneuver Provide data to ATC & other aircraft Action required but not provided Crew does not readback ITP clearance Crew does not perform ITP criteria verification Pilot does not execute maneuver Aircraft remains In- Trail Does not communicate position & attitude information Unsafe action provided Confirm clearance but clearance had not been granted Confirm clearance when criteria are not met Perform ITP when ITP criteria are not met or request has been refused Transmit unnecessary data or information Transmit incorrect data Incorrect Timing/ Order Reads back clearance in non-standard order Verifies criteria late after clearance was initially granted or too early before maneuver is actually performed Crew starts maneuver late after having re-verified ITP critera Pilot throttles before achieving necessary altitude Stopped Too Soon Crew does not complete entire maneuver e.g. Aircraft does not achieve necessary altitude or speed

30 Defining Safety Constraints Unsafe Control Action Pilot does not execute maneuver once it is approved Pilot performs ITP when ITP criteria are not met or request has been refused Pilot starts maneuver late after having re-verified ITP critera Safety Constraint Pilot must execute maneuver once it is approved Pilot must not perform ITP when criteria are not met or request has been refused Pilot must start maneuver within X minutes of re-verifying ITP criteria

31 STPA Exercise Identify Hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions (UCAs) Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process

32 STPA Analysis: Causal Factors Process Model UCA: Pilot does not execute maneuver once approved How could this action be caused by: Process model Feedback Sensors Etc? Controlled Process

33 Hint: Causal Factors

34 STPA Analysis: Causal Factors

35 STPA Group Exercise Choose a system to analyze: International Space Station unmanned cargo vehicle Electronic Throttle Control 35

36 STPA Group Exercise Identify Hazards Draw the control structure Identify major components and controllers Label the control/feedback arrows Identify Unsafe Control Actions Control Table: Not given, Given incorrectly, Wrong timing, Stopped too soon Create corresponding safety constraints Identify causal factors Identify controller process models Analyze controller, control path, feedback path, process