Systems Theoretic Process Analysis STPA v9 v2 San

Systems Theoretic Process Analysis
(STPA)
Tutorial
Dr. John Thomas

MIT
Systems approach to safety engineering
(STAMP)
• Accidents are more than a chain of
events, they involve complex dynamic
processes.
• Treat accidents as a control problem,
not a failure problem
• Prevent accidents by enforcing
constraints on component behavior
and interactions
STAMP Model • Captures more causes of accidents:
– Component failure accidents
– Unsafe interactions among components
– Complex human, software behavior
– Design errors
– Flawed requirements
• esp. software-related accidents
2
© Copyright John Thomas 2013
STAMP
• Controllers use a process model to
determine control actions
Controller
• Accidents often occur when the
Process process model is incorrect
Model
• Four types of hazardous control
Control actions:
Actions Feedback
1) Control commands required for safety
are not given
2) Unsafe ones are given
3) Potentially safe commands but given too
Controlled Process early, too late
4) Control action stops too soon or applied
too long
Explains software errors, human errors,
component interaction accidents, components failures … 3
Example
Safety
Control
Structure
STAMP and STPA
Accidents are
STAMP Model caused by
inadequate control
5
STAMP and STPA
How do we find
CAST
inadequate control
Accident
that caused the
Analysis
accident?
Accidents are
inadequate control
6
STAMP and STPA
CAST STPA How do we find

Accident Hazard inadequate control
Analysis Analysis in a design?
Accidents are
inadequate control
7
Today’s Tutorials
• Basic STPA Tutorial
10:15am – 3pm, in 54-100
• CAST Tutorial
10:15am – 3pm, in 56-154
• Security Tutorial (STPA-Sec)
10:15am – noon, room 32-082
(Presentations 1:30-3pm)
• Experienced users meeting
10:15am – 3pm, room 56-114
STPA Hazard Analysis
STPA
(System-Theoretic Process Analysis)
• Identify accidents
and hazards
STPA Hazard • Construct the Controller
Analysis control structure Control

Feedback
• Step 1: Identify
Actions
unsafe control Controlled

process
actions
STAMP Model • Step 2: Identify
causal factors and
control flaws
Can capture requirements flaws, software errors, human errors10
(Leveson, 2011) © Copyright John Thomas 2013
Definitions
• Accident (Loss)
– An undesired or unplanned event that results in a loss,
including loss of human life or human injury, property
damage, environmental pollution, mission loss, etc.
• Hazard
– A system state or set of conditions that, together with a
particular set of worst-case environment conditions, will
lead to an accident (loss).
Definitions from Engineering a Safer World

Definitions
• Accident (Loss)
– An undesired or unplanned event that results in a loss, including loss of
human life or human injury, property damage, environmental pollution,
mission loss, etc.
– May involve environmental factors outside our control
• Hazard
– A system state or set of conditions that, together with a particular set of
worst-case environment conditions, will lead to an accident (loss).
– Something we can control in the design
Accident Hazard
Satellite becomes lost or Satellite maneuvers out of orbit
unrecoverable
People die from exposure to toxic Toxic chemicals are released into
chemicals the atmosphere
People die from radiation Nuclear power plant releases
sickness radioactive materials
People die from food poisoning Food products containing
pathogens are sold
Identify Accident, Hazards, Safety
Constraints
• System-level Accidents (Losses)
–?
• System-level Hazards
–?
• System-level Safety Constraints
–?

Identify Accident, Hazards, Safety
Constraints
• System-level Accident (Loss)
– Death, illness, or injury due to exposure to toxic
chemicals.
• System-level Hazard
– Uncontrolled release of toxic chemicals
• System-level Safety Constraint
– Toxic chemicals must not be released
Additional hazards / constraints can be found in ESW p355

Control Structure Examples
Proton Therapy Machine
High-level Control Structure
Gantry Cyclotron
Beam path and

control elements
High-level Control Structure
Antoine PhD Thesis, 2012

Control Structure
Antoine PhD Thesis, 2012

Adaptive Cruise Control
Image from: http://www.audi.com/etc/medialib/ngw/efficiency/video_assets/fallback_videos.Par.0002.Image.jpg

Qi Hommes
Chemical Plant
Image from: http://www.cbgnetwork.org/2608.html

Chemical Plant
Image from:
http://www.cbgnetwork.org/2608.html
ESW p354 © Copyright John Thomas 2013

U.S. pharmaceutical
safety control
structure
Image from: http://www.kleantreatmentcenter.com/wp-

content/uploads/2012/07/vioxx.jpeg

Ballistic Missile
Defense System
Image from:
http://www.mda.mil/global/images/system/aegis/FTM-
21_Missile%201_Bulkhead%20Center14_BN4H0939.jpg
Safeware Corporation
STPA
and hazards
• Construct the Controller
control structure Control

Feedback
Actions

process
actions
causal factors and
control flaws
25
STPA Step 1: Unsafe Control Actions (UCA)
Controller
Control
Feedback
Actions
Controlled
process
Stopped Too
Incorrect Soon /
Not providing Providing Timing/ Applied too
causes hazard causes hazard Order long
(Control
Action)

Step 1: Identify Unsafe Control Actions
(a more rigorous approach)
Control Process Process Process Hazardous?

Action Model Model Model
Variable 1 Variable 2 Variable 3

STPA
and hazards

Feedback
Actions

process
actions
causal factors and
control flaws
28
System Theoretic Process Analysis
• Explain why and how UCAs may occur

Controller
Process Control • Control actions are based on:

Model Algorithm
• Process model
Control • Control algorithm
Actions Feedback
• Feedback
Controlled Process
• Flaws?
29
STPA Step 2: Identify Control Flaws
Control input or Missing or wrong
external information communication
Controller wrong or missing with another Controller
Inadequate Control controller
Process
Algorithm Model
(Flaws in creation, (inconsistent, Inadequate or
Inappropriate, process changes, incomplete, or missing
ineffective, or incorrect modification or incorrect)
adaptation) feedback
missing control
action
Feedback
Actuator Sensor Delays
Inadequate Inadequate
operation operation
Delayed Incorrect or no
operation information provided
Measurement
Controller inaccuracies
Controlled Process
Component failures Feedback delays
Conflicting control actions

Changes over time
Process input missing or wrong Process output
Unidentified or contributes to
out-of-range system hazard
disturbance
30
STPA Examples
31
ITP Exercise
a new in-trail procedure

for trans-oceanic flights
32
STPA Exercise
• Identify accidents and hazards
• Draw the control structure
– Identify major components and controllers
– Label the control/feedback arrows
• Identify Unsafe Control Actions (UCAs)
– Control Table:
Not providing causes hazard, Providing causes
hazard, Stopped too soon
– Create corresponding safety constraints
• Identify causal factors
– Identify controller process models
– Analyze controller, control path, feedback path,
process
Example System: Aviation
System-level Accident (Loss): ?

Example System: Aviation
System-level Accident (Loss): Two aircraft collide

System-level Accident (Loss): Two aircraft collide
System-level Hazard: ?
Hazard
• Definition: A system state or set of conditions
that, together with a particular set of worst-case
environmental conditions, will lead to an accident
(loss).
• Something we can control
• Examples:
Accident Hazard
unrecoverable
pathogens are sold
System-level Accident (Loss): Aircraft crashes
System-level Hazard: Two aircraft violate minimum
separation
Aviation Examples
• System-level Accident (loss)
– Two aircraft collide
– Aircraft crashes into terrain / ocean
• System-level Hazards
– Two aircraft violate minimum separation
– Aircraft enters unsafe atmospheric region
– Aircraft enters uncontrolled state
– Aircraft enters unsafe attitude
– Aircraft enters prohibited area
STPA Exercise
– Control Table:
hazard, Wrong timing, Stopped too soon
process
North Atlantic Tracks
STPA application:
NextGen In-Trail Procedure (ITP)
Current State
Proposed Change
• Pilots will have separation
information
• Pilots decide when to
request a passing maneuver
• Air Traffic Control
approves/denies request
STPA Analysis
• High-level (simple) Control Structure
– Main components and controllers?
? ? ?

STPA Analysis
• High-level (simple) Control Structure
– Who controls who?
Air Traffic
Flight Crew? Aircraft?
Controller?

STPA Analysis
• High-level (simple)
Air Traffic
Control Structure Control
– What commands are

? ?
sent?
Flight Crew
? ?
Aircraft

STPA Analysis
• High-level (simple)
Air Traffic
Control Structure Control
Issue
clearance Feedback?
to pass
Flight Crew
Execute Feedback?
maneuver
Aircraft

STPA Analysis
• More complex control
structure

Example High-level control structure
Congress
Directives, funding Reports
FAA
Regulations, procedures
Reports
ATC
Instructions Acknowledgement, requests
Pilots
Execute maneuvers Aircraft status, position, etc
Aircraft

Air Traffic Control (ATC)
ATC Front Line Manager (FLM)

Instructions Status Instructions Status Instructions Status
Updates Updates Updates
ATC Ground
Controller Query
Company Status
Other Ground
Dispatch Controllers
Instructions Status Instructions Updates and
Updates acknowledgements
ATC Radio
Pilots Pilots Pilots Pilots

Execute Execute Execute Execute
maneuvers maneuvers maneuvers maneuvers
Aircraft Aircraft Aircraft Aircraft
ACARS Text Messages
STPA Exercise
– Control Table:
process
Identify Unsafe Control Actions
ATC
Instructions Acknowledgement, requests
Pilots
Execute maneuvers Aircraft status, position, etc
Aircraft
Incorrect
Flight Crew Not providing Providing Timing/ Stopped Too
Action (Role) causes hazard Causes hazard Order Soon
Pilots perform
Execute ITP when ITP
Passing criteria are not
Maneuver met or request
has been refused
Structure of a Hazardous Control
Action
Example:
“Pilots provide ITP maneuver when ITP criteria not met”
Type
Context
Source Controller Control Action
Four parts of a hazardous control action

– Source Controller: the controller that can provide the control action
– Type: whether the control action was provided or not provided
– Control Action: the controller’s command that was provided /
missing
– Context: conditions for the hazard to occur
• (system or environmental state in which command is provided)
52
Defining Safety Constraints
Unsafe Control Action Safety Constraint

Pilot does not execute Pilot must execute maneuver
maneuver once it is approved once it is approved
Pilot performs ITP when ITP Pilot must not perform ITP
criteria are not met or request when criteria are not met or
has been refused request has been refused
Pilot starts maneuver late Pilot must start maneuver
after having re-verified ITP within X minutes of re-verifying
criteria ITP criteria

STPA Exercise
– Control Table:
process
STPA Analysis: Causal Factors
• How could this action be

caused by:
Process Model
– Process model
– Feedback
UCA: Pilots perform – Sensors
ITP when ITP criteria – Etc?
are not met
• Also consider control

action not followed
Controlled
Process
Hint: Causal Factors
STPA Analysis: Causal Factors

Traffic Collision Avoidance
System (TCAS)
Traffic Collision Avoidance System (TCAS)
• Monitors airspace around

aircraft
• Can provide advisories to warn
pilot of potential collision
• System-level Accidents? ATC
• System-level Hazards? Instructions

Instructions
Instructions Instructions
TCAS TCAS
Accident
• Definition: An undesired or unplanned event that
results in a loss, including loss of human life or human
injury, property damage, environmental pollution,
mission loss, etc.
• May involve environmental factors outside our control
• Examples:
Accident Hazard
unrecoverable
pathogens are sold
• Aircraft Accident: Two or more

aircraft collide
• Aircraft Hazard: Near Mid Air
Collision (NMAC)
• TCAS Hazard: TCAS causes or
does not prevent NMAC

• Monitors airspace around

aircraft
• Can provide advisories to warn
pilot of potential collision
Create control structure

Example Control Structure:
FAA
Local ATC
Ops Mgmt.
Flight
Air Traffic Control Data
Processor
TCAS TCAS
Radar
Pilot Pilot
A/C A/C
STPA
and hazards

Feedback
Actions

process
actions
causal factors and
control flaws
64
Example Control Structure
FAA
TCAS
Local ATC
Ops Mgmt.
Flight
Air Traffic Control Data
Processor
TCAS TCAS
Identify Unsafe Radar
Pilot Pilot
Control Actions
A/C A/C
Not providing causes Providing Incorrect Timing/ Stopped Too Soon
hazard causes hazard Order / Applied too long
Resolution TCAS does not provide an RA
Advisory (RA) when collision imminent
Structure of a Hazardous Control
Action
Example:
“TCAS does not provide RA when collision imminent”
Type (T)
Context (Co)
Source Controller (SC) Control Action (CA)
Four parts of a hazardous control action

– Source Controller: the controller that can provide the control action
– Type: whether the control action was provided or not provided
– Control Action: the controller’s command that was provided /
missing
– Context: conditions for the hazard to occur
• (system or environmental state in which command is provided)
66
STPA
and hazards

Feedback
Actions

process
actions
causal factors and
control flaws
67
FAA Control Structure
TCAS
Local ATC
UCA1: TCAS does not provide an RA
when collision imminent Ops Mgmt.
SC1: TCAS must always provide
Flight
necessary RA to prevent imminent Air Traffic Control Data
NMAC (<25 sec to collision)
Processor
• What might violate this
safety constraint? TCAS TCAS
• Process model flaws? Radar
• Control algorithm Pilot Pilot
flaws?
• Poor feedback?
• Component failures? A/C A/C
Identify Causal Factors

STPA Step 2:
UCA1: TCAS does not provide an RA
Identify Control Flaws
when collision imminent
Control input or Missing or wrong
external information communication
SC1: TCAS must always provide with another Controller
Controller wrong or missing
necessary RA to prevent imminent Inadequate Control controller
Process
NMAC (<25 sec to collision) Algorithm Model
(Flaws in creation, (inconsistent, Inadequate or
Inappropriate, process changes, incomplete, or missing
ineffective, or incorrect modification or incorrect)
adaptation) feedback
missing control
action
Feedback
Actuator Sensor Delays
Inadequate Inadequate
operation operation
Delayed Incorrect or no
operation information provided
Measurement
Controller inaccuracies
Controlled Process
Component failures Feedback delays
Conflicting control actions

Changes over time
Process input missing or wrong Process output
Unidentified or contributes to
out-of-range system hazard
disturbance
69
STPA Primer
• Written for industry to provide guidance in learning
STPA
– Not a book or academic paper
– “living” document
– Google “STPA Primer”

Group Exercise:
JAXA H-II Transfer Vehicle (HTV)

Systems Theoretic Process Analysis STPA v9 v2 San

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Systems Theoretic Process Analysis STPA v9 v2 San

Uploaded by

Copyright:

Available Formats

Systems Theoretic Process Analysis

Dr. John Thomas

CAST STPA How do we find

Analysis control structure Control

unsafe control Controlled

Definitions from Engineering a Safer World

© Copyright John Thomas 2013

Additional hazards / constraints can be found in ESW p355

Beam path and

Antoine PhD Thesis, 2012

Antoine PhD Thesis, 2012

Image from: http://www.audi.com/etc/medialib/ngw/efficiency/video_assets/fallback_videos.Par.0002.Image.jpg

Image from: http://www.cbgnetwork.org/2608.html

ESW p354 © Copyright John Thomas 2013

Image from: http://www.kleantreatmentcenter.com/wp-

© Copyright John Thomas 2013

control structure Control

unsafe control Controlled

© Copyright John Thomas 2013

Control Process Process Process Hazardous?

© Copyright John Thomas 2013

control structure Control

unsafe control Controlled

• Explain why and how UCAs may occur

Process Control • Control actions are based on:

Conflicting control actions

a new in-trail procedure

System-level Accident (Loss): ?

System-level Accident (Loss): Two aircraft collide

© Copyright John Thomas 2013

© Copyright John Thomas 2013

– What commands are

© Copyright John Thomas 2013

© Copyright John Thomas 2013

© Copyright John Thomas 2013

Directives, funding Reports

Instructions Acknowledgement, requests

Execute maneuvers Aircraft status, position, etc

© Copyright John Thomas 2013

ATC Front Line Manager (FLM)

Pilots Pilots Pilots Pilots

Instructions Acknowledgement, requests

Execute maneuvers Aircraft status, position, etc

Four parts of a hazardous control action

Unsafe Control Action Safety Constraint

© Copyright John Thomas 2013

• How could this action be

• Also consider control

© Copyright John Thomas 2013

• Monitors airspace around

• System-level Accidents? ATC

• System-level Hazards? Instructions

• Aircraft Accident: Two or more

© Copyright John Thomas 2013

• Monitors airspace around

Create control structure

© Copyright John Thomas 2013

control structure Control

unsafe control Controlled

Four parts of a hazardous control action

control structure Control

unsafe control Controlled

Identify Causal Factors

Conflicting control actions