Professional Documents
Culture Documents
Safety Science
journal homepage: www.elsevier.com/locate/safety
A R T I C LE I N FO A B S T R A C T
Keywords: Due to the current pace of technological growth, the management of system safety has evolved with complex
Model checking causes of accidents that are often beyond the identification of traditional safety assessment techniques. Recently,
STPA the hazard analysis tool Systems Theory Process Analysis (STPA) has emerged as an approach to improve safety
Safety assessment of modern complex systems in concert with other hazard analysis tools. However, the effectiveness of STPA is a
UPPAAL
debatable issue in the industry and efforts towards incorporating some level of formalization in STPA steps are
welcome. In this direction, this work presents a method for combining STPA and model checking, in order to
provide a formal and unambiguous representation of the system under analysis and the threats identified by
STPA. A practical case study of a robotic flight simulator is presented as an example of the proposed method. The
results achieved with the proposed approach indicates that the merging of the two techniques improves the
knowledge about the system under design and the consistence of the design changes proposed to tackle the safety
constraints identified in STPA.
1. Introduction Despite being a promising approach, STPA has not yet been ex-
tensively adopted by industry or recommended by certification autho-
The computer revolution has made significant impact in the society, rities. Among the limitations of STPA, are the lack of formalism
especially through embedded systems. Embedded systems have made (Harkleroad et al., 2013) and the potential dependence of the results on
possible the incorporation of many new functionalities that are im- the experience of the person that applies the method. In order to
plemented in software. As we increase the complexity of the systems overcome these limitations, this work proposes the use of STPA com-
under design, traditional bottom-up or top-down safety assessment bined with model checking, a formal verification technique. The chal-
techniques, such as Failure Mode and Effect Analysis (FMEA) and Fault lenges emerging from the exponential growth of embedded systems is
Tree Analysis (FTA), become insufficient to assure the product safeness resulting in an increasing interest in formal methods. Industry is cur-
(Stringfellow et al., 2010). One limitation is the difficult of exploring all rently considering the adoption of formal techniques, such as model
the possible scenarios that may arise from the combination of the checking and theorem proving, to complement the more common
components’ behavior when interacting with software products and verification approaches of simulation and testing. These techniques are
human beings. In this context, the hazard analysis tool Systems Theory gaining grounds through industrial case studies, reinforcing the benefits
Process Analysis (STPA) has emerged as an approach for improving of using formal methods (Clarke and Wing, 1996; Benaben et al., 2002).
safety of modern complex systems in concert with other hazard analysis In the current work, automata are adopted as a formal language to
tools. The traditional approaches to safety, such as HAZOP, FMEA, and model the behavior of the system components, including software,
FTA, were developed for systems that were built more than 50 years while model checking is used to check the consistence of the safety
ago. Their focuses is to address failures based on chain of events related constrains that are obtained from the STPA approach. The contribution
to component malfunction. Modern embedded systems have developed of this work is safety assessment approach that combines STPA and
new paths to accidents based on complex errors that emerge even when model checking. From STPA, the proposed approach inherits the sim-
everything is working according to its specification (Leveson, 2011). A plicity and ability of identifying scenarios that can lead to hazard si-
systematic review on STPA observed that there has been published tuations. Complementing STPA, model checking contributes with the
works on STPA since 2000s and a sharp increase from 2011 in areas complete exploration of the system state space. It complements the
that include aviation, automotive, defense, software, space, medical identification of unsafe control actions and verifies the effect of the
and environment (Lahoz, 2016). This survey underscores the gaining safety constraints in inhibiting hazard situations.
relevance and acceptance of STPA as a safety tool. A practical case study of the embedded system of a flight simulator
⁎
Corresponding author.
E-mail addresses: alheri.dakwat@airforce.mil.ng (A.L. Dakwat), evillani@ita.br (E. Villani).
https://doi.org/10.1016/j.ssci.2018.05.009
Received 7 June 2017; Accepted 15 May 2018
Available online 05 June 2018
0925-7535/ © 2018 Elsevier Ltd. All rights reserved.
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
131
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
also dependent on Step 1, involves the modelling and simulation of the of the traditional Stewart platform based on electrical or hydraulic
system normal operation. In UPPAAL, the templates and channels actuators. The motion system should provide the pilot with sensations
correspond to elements and controlled actions from STPA. Step 3 also of acceleration that are similar to those felt in a real flight. The SIVOR
involves the process of determining the unsafe controlled actions that simulator is illustrated in Fig. 4.
are derived from the list of controlled actions in Step 1, following the The motion platform is a KUKA robot with a payload of 500 kg. The
STPA approach. Then, Steps 4 and 5 must be performed in parallel in pilot seat is equipped with inceptors (throttle, sidestick and rudder
order to result in a design proposal that fulfills the safety constraints of pedals) and the vision system is a TV. Additionally, a black out cov-
STPA. The reviewed controlled structure of Step 4 is based on inputs erture isolates the pilot from the external environment. The X-Plane
from unsafe controlled actions from Step 2, appropriate safety con- software tool is responsible for generating the image for the visual
straints, as well as feedback from Step 5. This step continue to evolve system and for processing the aircraft aerodynamics. The wash-out
along with Step 5. For Step 5, the UPPAAL model of the system during filter, an in-house developed software package, is responsible for con-
normal operation is updated with the system hazards and the associate verting the aircraft accelerations into angular and linear increments to
design modifications to couple with the hazards. Based on the system be sent to the robot. Communication between the washout filter and the
requirements, these inputs are reflected in the simulated model through robot controller is performed using RSI interface, provided by the robot
guards, channel prioritization, updates, clocks and synchronized ac- manufacturer.
tions. Both Steps 4 and 5 depend on each other’s output. Step 6 involves SIVOR is a safety critical application because robots are not de-
the verification of safe constraints on the system design. In UPPAAL this signed to operate in contact with humans or as a flight simulator.
is achieved through the verification of safety, liveness and reachability Industrial robots usually operate in an isolated environment, such as a
properties. cage or a zone monitored by presence detectors. Moreover, they are
usually programmed to perform the same sequence of commands,
which are extensively verified, both by simulation and step-step ex-
4. Case study
ecution, prior to operation. In the case of the flight simulator, the tra-
jectory of the robot is unknown and depends on the interaction with the
4.1. The SIVOR prototype simulator
pilot. Moreover, for obvious reason, the pilot cannot be isolated from
the robot. An accident could put at risk the life of the pilot and result in
The SIVOR (SImulador de VOo de base Robótica, robotic flight si-
significant equipment loss.
mulator) is a project under development at ITA in partnership with
EMBRAER, and with financial support from the Sao Paolo Research
Foundation FAPESP. It aims at building a flight simulator using as
motion system a 6-degree of freedom anthropomorphic robot, instead
132
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
4.2. Step 1- system analysis based on STPA perfect harmony with the commands that were applied.
The accidents considered in the safety analysis include death or
In step 1, the preliminary analysis based on STPA highlights the injury to human elements [A1] and physical damage to equipment
goal of the system, system elements, the control actions by system [A2]. The potential hazards that could lead to these accidents are the
elements, likely hazards and accidents as well as the sequence of op- following:
erations.
The goal of the SIVOR prototype simulator is to act as a testing • [H1] The robot goes out of its safe workspace;
platform for the development of control laws, which ensure the robot • [H2] The pilot is subjected to extreme acceleration;
motion so that the pilot realizes the robot's movements as being re- • [H3] Equipment subjected to extreme acceleration;
presentative of aircraft movement in the various stages of flight and in • [H4] Encroachment of people or equipment into robot’s workspace.
133
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Step 2 involved the modelling of the SIVOR system in UPPAAL on UCA 1. Robot moves when there is an obstruction in robot work-
normal operation mode. To achieve this, the identified control actions space;
and elements were mapped into UPPAAL as channels and templates UCA 2. KCP operator choose a wrong KRL program;
Table 1). The control structure is used to guide and trace syncronisation UCA 3. Robot may move while pilot is entering or without seatbelts,
of channels. The system model is composed of 7 automata (KCP op- either because events of the simulation procedure happens before it
erator, robot controller, SIVOR operator, SIVOR controller, X-Plane, should, or because the pilot is late;
robot and pilot). The modelling activity is considered successful when UCA 4. Abrupt stop of robot with large de-acceleration;
all control actions are included in the model, all states of the automata UCA 5. Providing wrong values of command to the robot.
are reachable, the synchronization of the automata is consistent, and
the model presents no deadlock (see Table 2). Following the Step 2 of STPA, we analyze each unsafe control ac-
The automata represent the dynamics of each element of the system tion, propose safety constraints and design changes for each of them.
134
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
UCA 1. Robot moves when there is an obstruction in robot work- workspace is empty when it is not.
space The corresponding safety constraint is:
The UCA 1 results from an incorrect process model of the robot
controller, which allows the robot to move assuming that the robot SC 1. The robot controller shall be able to detect and stop the robot
Table 1
Control actions based on STPA and corresponding UPPAAL channels.
Control actions UPPAAL channel
135
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Table 2
Identification of unsafe control actions for Phase 2 – Pilot preparation.
Control actions Not providing causes hazard Providing causes Provided too soon Stopped too late
hazard
in the case an intruder invades the robot workspace. going out of its workspace.
The corresponding safety constrain are:
UCA 2. KCP operator choose a wrong KRL program
The UCA 2 results from an incorrect process model of the KCP op- SC 2. The robot controller shall not move the robot out of its
erator, which either selects the wrong KRL program or select a KRL workspace;
program that is incorrect, resulting in high acceleration or the robot SC 3. The robot controller shall not impose high acceleration on the
136
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
operator or the SIVOR operator, which believes the pilot is ready (or
out of the cockpit), when it is not.
The corresponding safety constrain are:
SC 4. The robot shall not move when the pilot is on-board but
without seatbelt;
robot when the pilot is on-board; UCA 5. Providing wrong values of command to the robot
The safety constraint for UCA 5 is same as UCA 2.
UCA 3. Robot may move while pilot is entering or without seat-
belts, either because events of the simulation procedure happens be-
fore it should, or because the pilot is late;
The UCA 3 results from an incorrect process model of the KCP
137
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
4.5. Step 4 – Reviewed control structure (6) Robot controller cut the power, activates the brakes and send an
error alert to the KCP operator;
The safety constrains proposed in Step 3 resulted in the incorpora- (7) Robot controller keeps the communication with SIVOR controller;
tion of a set of design modifications, as indicated in Table 3. (8) KCP operator check the situation and decides if simulation should
The design changes C and E are internal filters of the robot con- be finalized or continued.
troller and the SIVOR controller. They do not affect the control struc- (9) Pilot release the emergency button;
ture of the SIVOR project. The other design changes (A, B, D and F) (10) KCP operator press the deadman button of the KCP smartpad;
requires the definition of what should be done after the robot movement (11) Seatbelt sensor becomes active;
is interrupted. For this purpose, an additional operation phase is in- (12) Workspace sensor becomes inactive;
troduced. Phase 6 is characterized by the occurrence of an emergency (13) KCP operator clear the screen and decides if simulation should be
stop, initiated by the pilot, the KCP operator, the workspace sensor or finalized or continued;
the seatbelt sensor. (14) The KCP operator restarts the simulation;
The emergency is activated by one of the following events:
If the KCP operator decides to continue simulation it returns to
(1) Pilot activates the emergency button while robot is moving; Phase 4. If he decides to interrupt simulation, it goes to Phase 5.
(2) KCP operator release the deadman button of the KCP smartpad The updated control structure of the SIVOR flight simulator, now
while robot is moving; including also the prevention of unsafe control actions is presented in
(3) Seatbelt sensor is activated while robot is moving; Fig. 14.
(4) Workspace sensor is activated while robot is moving; The new control actions should also be analyzed as potential unsafe
(5) The emergency treatment includes the following new control ac- control actions and eventually new design changes may be introduced
tions: to couple with new unsafe situations, in a cyclical process performed
138
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Table 3
Safety constraints and corresponding design changes.
Safety constraints Design changes
SC 1. The robot controller shall be able to detect and stop the robot in the A. Emergency button available for the KCP operator to interrupt the robot movement.
case an intruder invades the robot workspace. B. Installation of sensor in the workspace that detect the entrance of an external person and
interrupts the robot movement.
SC 2. The robot controller shall not move the robot out of its workspace; C. Configuration of joint limits in the robot controller.
SC 3. The robot controller shall not impose high acceleration on the robot A. Emergency button available to the KCP operator to interrupt the robot movement.
when the pilot is on-board. D. Emergency button available for the pilot to interrupt the robot movement.E. Limitation of the
maximum increment of the robot position at each step of the SIVOR controller.
SC 4. The robot shall not move when the pilot is on-board but without F. Installation of seatbelt sensor.
seatbelt.
SC 5. The speed of the robot should be limited in order to avoid strong de- E. Limitation of the maximum increment of the robot position at each step of the SIVOR controller.
acceleration.
Fig. 14. SIVOR control structure, including design changes to comply with safety constraints.
139
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Fig. 17. Updated automaton of the KCP operator, with emergency events.
140
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Fig. 18. Updated automaton of the robot controller, with emergency events.
movement. Similarly, events 39–42 are also associated to a single prescribed in Phase 6. They corresponds to the following cases: when
channel (stop_emergency). the robot is moving to home position, when the robot is moving to start
The updated model of the robot is presented in Fig. 16. Four sce- position, during the flying simulation and when the robot is returning
narios are considered unsafe and requires the emergency procedures to home position.
141
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
Table 4
Verification of the model correctness.
CTL Property Description
Table 5
Verification of safety constraints.
Safety Constraints Design Changes CTL Property
SC 1. The robot controller shall be able to A. Emergency button available for the KCP operator Emergency_generator.Treating – > (Robot.Halted_1 or Robot.Halted_2 or
detect and stop the robot in the case an to interrupt the robot movement Robot.Halted_3 or Robot.Halted_4)
intruder invades the robot workspace B. Installation of sensor in the workspace that
detect the entrance of an external person and
interrupts the robot movement
SC 2. The robot controller shall not move the C. Configuration of joint limits in the robot (Internal, not represented in the UPPAAL model)
robot out of its workspace controller
SC 3. The robot controller shall not impose A. Emergency button available to the KCP operator Emergency_generator.Treating – > (Robot.Halted_1 or Robot.Halted_2 or
high acceleration on the robot when the to interrupt the robot movement Robot.Halted_3 or Robot.Halted_4)
pilot is on-board D. Emergency button available for the pilot to
interrupt the robot movement
E. Limitation of the maximum increment of the
robot position at each step of the SIVOR controller
SC 4. The robot shall not move when the pilot F. Installation of seatbelt sensor Emergency_generator.Treating – > (Robot.Halted_1 or Robot.Halted_2 or
is on-board but without seatbelt Robot.Halted_3 or Robot.Halted_4)
SC 5. The speed of the robot should be limited E. Limitation of the maximum increment of the Robot_controller.Resuming_sim – > (Robot_controller.Request_home and
in order to avoid strong de-acceleration robot position at each step of the SIVOR controller, Robot.Halted_3) or (Robot_controller.Position_updated and
based on the measurement of the robot position Robot.Halted_3)
The updated model of the KCP controller is presented in Fig. 17. The system design.
KCP operator also has to acknowledge the emergency and, in the case of Concluding the case study, we consider that the proposed method of
the flight phase, decides between resume the simulation or interrupt it. combining STPA and model checking using UPPAAL has been suc-
The updated model of the robot controller is presented in Fig. 18. cessfully applied in the SIVOR flight simulator. The entire process re-
The robot controller acts on the error alert generated by the source of quired some effort to make the STPA analysis consistent with the
the emergencies. During each situation, the robot controller processes UPPAAL model, but they both contributed to each other. The need of
the decision from the KCP operator to interrupt or resume the simula- formalizing the system behavior in an automata model arose a number
tion. of doubts, which should then be clarified in order to proceed with the
Finally, the updated model of the pilot is presented in Fig. 19. When application of the proposed approach. As a result, the knowledge about
the KCP operator decides to finish the simulation, it inform the pilot, the system and possible dangerous scenarios was substantially in-
which, in the appropriate moment, has to leave the cockpit. creased. On the other hand, the STPA steps resulted in identification of
dangerous situations that were not considered when initially modelling
the system.
4.7. Step 6 – Safe system specification
The last step of the proposed approach consists of formally verifying 5. Conclusion
that the system model with emergency events is correct and the safety
constraints are satisfied, i.e., the unsafe control actions do not violate The lack of formalization of STPA has become a hindrance to its
the safety constraints considering the proposed design changes. Both acceptance as an industry standard for hazard analysis. In order to
liveness, reachability and safety properties are used for this purpose. contribute to this issue, this work proposes a method that combines
Reachability properties checks that all the model states are even- STPA with model checking. The method comprises 6 steps and was
tually reached, or are reachable. Some examples of reachability prop- applied a robotic flight simulator.
erties used to verify the model correctness are presented in Table 4. The computational verification was achieved by modeling the entire
The safety constraints are the restrictions placed on unsafe control flight simulator in UPPAAL. This was possible because requirements of
actions by controllers of the SIVOR system. Any violations will make STPA Step 1 such as the system elements and control actions were easily
the system unsafe. In order to assure that the system behaviour is in line mapped as templates and channels in UPPAAL. This further made it
with design specifications, the design changes introduced in the system possible to simulate the system operation and perform verification to
are verified by CTL properties, as presented in Table 5. Any observed confirm that the system behavior was correct. Having achieved a model
inadequacies would imply the need for appropriate revision of the of the system under normal operation, the control actions were further
142
A.L. Dakwat, E. Villani Safety Science 109 (2018) 130–143
used to identify unsafe controlled actions as defined in STPA. The STAMP/STPA. [Online]. Available: http://sunnyday.mit.edu/safer-world/.
identified unsafe control actions resulted in the revision of the flight Gerrit, B., Torben, S., Markus, M., 2017. Safety analysis based on systems theory applied
to an unmanned protective vehicle. In: 4th European STAMP Workshop 2016.
simulator design. The design changes were then used to update the Harkleroad, E., Vela, A., Kuchar, J., 2013. Review of Systems-Theoretic Process Analysis
UPPAAL model. Finally, the safety constraints were verified in the re- (STPA) Method and Results to Support NextGen Concept Assessment and Validation.
vised model. MIT Lincoln Laboratory, Washington, DC.
Haruka,N., Masa, K., Yuko, M., Nancy, L., 2011. Safety Guided Design of Crew Return
The results achieved with the proposed approach indicates that the Vehicle in Concept Design Phase using STAMP/STPA. [Online]. Available: http://
merging of the two techniques improves the knowledge about the sunnyday.mit.edu/safer-world/CRV.pdf.
system under design and the consistence of the design changes pro- Kleve, G.R., 2017. How safe is our Nurse call system? In: 4th European STAMP Workshop
2016.
posed to tackle the safety constraints identified in STPA. Lahoz, C.H.N., 2016. Systematic Review on STPA Final Results. In: STAMP Workshop:
The method presented in this work underscores the importance of MIT Partnership for a Systems Approach to Safety (PSAS), Massachusetts.
safety and system engineering working in tandem during product de- Leveson, N.G., 2011. Engineering a Safer World: Systems Thinking Applied to Safety,
Cambridge. MIT Press, Massachusetts.
velopment.
Leveson, N.G. An STPA Primer Version1, August 2013. [Online]. Available: http://
sunnyday.mit.edu/STPA-Primer-v0.pdf.
Acknowledgement Lopes, G.D., Hirata, C.M., Melo, B.J.d., 2015. A Rule-based Approach for Safety Analysis
using STAMP/STPA. In: 2015 1st URSI Atlantic Radio Science Conference (URSI AT-
RASC).
The authors acknowledge the financial support of FAPESP and Maria, M.C., Karanikas, N., Anastasios, P., 2017. Application of STPA on small drone
CNPq. operations: a benchmarking aproach. In: 4th European STAMP Workshop 2016.
Petit, R., 2004. Lessons learned applying UML in embedded software systems designs. In:
Second IEEE Workshop on Software Technologies for Future Embedded and
References Ubiquitous Systems.
Rejzek,M., Krauss, S.,Hilbes, C., 2015. MIT partnership for a systems approach to safety
Abdulkhaleq, A., Wagner, S., Leveson, N., 2015. A comprehensive safety engineering (PSAS). [Online]. Available: < http://psas.scripts.mit.edu/home/wp-content/
approach for software- intensive systems based on STPA. In: 3rd European STAMP uploads/2015/03/2015-Martin-SafetyDrivenDesign_UML_STPA.pdf>.
Workshop, Amsterdam. Robert,A., Mihhail, F., Floris, G., Pentti, K., Are,P., 2017. Systems-theoretic process
Asim, A., Stefan, W., 2015. Integrating State Machine Analysis with System-Theoretic analysis of maritime traffic safety management in the Gulf of Finland (Baltic Sea). In:
Process Analysis. [Online]. Available: < https://www.researchgate.net/publication/ 4th European STAMP Workshop.
265508076_Integrating_State_Machine_Analysis_with_System-Theoretic_Process_ Shuai, Y., Deming, Z., 2014. Research on methodology for safety generation and ver-
Analysis>. ification. In: International Conference on Mechatronic Sciences, Electric Engineering
Asim, A., Daniel, L., Stefan, W., Jürgen,R., Norbert, B., Ludwig, R., Thomas, R., Hagen, B., and Computer (MEC), Shengyang, China.
2017, A systematic approach based on stpa for developing a dependable architecture Stringfellow, M.V., Leveson, N.G., Owens, B.G., Safety-Driven Design for Software-
for fully automated driving vehicles. In: 4th European STAMP Workshop. Intensive Aerospace and Automotive Systems, Proceedings of the IEEE (Volume: 98,
Asplund, F., El-Khoury, J., Torngren, M., 2012. Safety-Guided Design through System- Issue: 4, April 2010), pp. 515–525, 29 March 2010.
Theoretic Process Analysis, Benefits and Difficulties. In: 30th International System Sulaman, S.M., Abbas,T., Wnuk, K., Höst,M., 2014. Hazard analysis of collision avoidance
Safety Conference, Atlanta, USA. system using STPA. In: 11th International Conference on Information Systems for
Baier, C., Katoen, J.-P., 2007. Principles of Model Checking. MIT Press, Cambridge. Crisis Response and Management.
Benaben, F., Larnal, M., Pignon, J.P., Magnier, J., 2002. A process for improving multi- Sun, R., Zhong, D., 2013. Using STPA thinking to help convert Natural Language into
technology system high level design: modeling, verification and validation of com- Finite Automaton. [Online]. Available: < http://psas.scripts.mit.edu/home/wp-
plex optronic systems. In: IEEE International Conference on Systems, Man, and content/uploads/2013/04/01_Sun_Zhong_Using_STPA_convert_natural_language_
Cybernetics. finite_automaton.pdf>.
Chiesi, S.S., 2016. STPA application for safety assessment of generic missile systems. In: Suo, D., An, J., Zhu, J.,2011. A new approach to improve safety of reconfiguration in
Reliability and Maintainability Symposium (RAMS). integgrated modular avionics. In: Digital Avionics Systems Conference (DASC), 2011
Clarke, E.M., Wing, J.M., December 1996. Formal methods: state of the art and future IEEE/AIAA 30th, Seattle, WA, USA, 2011.
directions. ACM Comput. Surveys 28 (4), 627. Takuto, I., Leveson, N., Cody, F., Yuko, M., Haruka, N., 2011. Multiple Controller
Cody, F., Takuto, I., Yuko, M., Haruka, N., Masa, K., Nobuyuki,H., John, T., Leveson, N., Contributions to Hazards. [Online]. Available: http://sunnyday.mit.edu/safer-
2011. Safety Guided Design of Crew Return Vehicle in Concept Design Phase Using world/.
143