
09/05/2023

Model Based Safety Analysis
Yogananda Jeppu

Definition
• Safety is the state of being "safe": the condition of being protected from harm or other undesirable outcomes. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.
• Certification is the action or process of providing someone or something with an official document attesting to a status or level of achievement.
Yogananda Jeppu 2

Failure mechanism


Swiss cheese model


• Each slice of the cheese is a layer (a process) such as supervision, organizational influences, training, or the preconditions for unsafe acts; the holes are the weaknesses in each layer.
• At some point in time the holes in all the slices line up, the hazard passes through every layer, and a loss occurs.
• In this model the loss is explained by a chain of events that happen in sequence.
• The child saw an ice cream vendor, the mother was talking to someone, the driver of the car spilled his coffee, and the accident happened.


Railway gate



FMEA
• Failure Modes and Effects Analysis (FMEA) is a systematic method of identifying the failure modes of a system, item, function, or piece-part and determining their effects on the next higher level of the design.
• This is a bottom-up approach. Both functions and hardware can be considered to fail.
• Postulate the ways the chosen level's specific implementation may fail.
• Every feasible hardware failure mode is postulated at the level of the design being analyzed.
• Every identified failure mode is analyzed to determine its effect on the given level and usually on higher levels as well.
• Each failure is assigned one effect at the next higher level.

http://www.fmea-fmeca.com/fmea-examples.html


Some online resources


STPA

http://psas.scripts.mit.edu/home/


STPA
• STPA is a new way of looking at system safety using control system theory.
• STPA is widely used in industry, but there is still work to be done.
• Many researchers are applying this technique. Papers can be downloaded from the website.
• This is an active research area and students are actively working in the field.
• I have been using this technique recently and find it very useful in defining new systems and analyzing older ones for improvements.

Schiaparelli Lander (2016)


• 11 km: parachute deployed
• 3.7 km: IMU saturated
• Negative altitude calculated
• Parachute jettisoned
• Thrusters off
• Impact at 300 km/h (186 mph)
• Designed to withstand 10 km/h

• ALL SYSTEMS WORKED VERY WELL: each component did what it was specified to do; the loss came from their interaction.


Emergence

The whole is more than the sum of its parts

Aristotle – Metaphysica 330 BC


Emergent Property


Basic control theory


• There is a controller that sends commands to a controlled process (the plant).
• There is a feedback mechanism from the controlled process that the controller uses to build and maintain its process model.
• This interaction normally works very well, but it can also cause accidents.
• This is the starting assumption in STPA: accidents can result from inadequate control even when no component fails.


Basic control theory


• Controllers use a process model to determine control
actions
• Unanticipated behavior often occurs when the process
model is incorrect
• There are four types of inadequate control actions
1. Control commands are not given
2. Inadequate commands are given
3. Potentially correct commands but too early, or too late
4. Control action stops too soon or applied too long


STPA Process


Definition
• LOSS: an undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc.
• HAZARD: a system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss).
• CONSTRAINT: a system-level constraint specifies system conditions or behaviors that need to be satisfied to prevent hazards (and ultimately prevent losses).


Step 1

Note the clear separation of system and environment


Losses
• Identify the stakeholders, e.g. Users, producers, customers, operators, etc.
• Stakeholders identify their “stake” in the system. What do they value? For
example, human life, fleet of useable aircraft, electrical power generation,
transportation, etc. What are their goals?
• Translate each value or goal into a loss, e.g. loss of life, loss of aircraft, loss
of electrical power generation, loss of transportation, etc.
– L-1: Loss of life or injury to people
– L-2: Loss of or damage to vehicle
– L-3: Loss of or damage to objects outside the vehicle
– L-4: Loss of mission (e.g. transportation mission, surveillance mission, scientific
mission, defense mission, etc.)
– L-5: Loss of customer satisfaction


Hazard
• Hazards are system states or conditions (not component-level causes or environmental states).
• Hazards will lead to a loss in some worst-case environment.
• Hazards must describe states or conditions to be prevented.
• <Hazard specification> = <System> & <Unsafe Condition> & <Link to Losses>
• Do not confuse hazards with causes of hazards: "brake failure" and "brake failure not annunciated" are causes of a hazard; the hazard is the aircraft not stopping on the runway after landing.
• Limit hazards to a maximum of about 10; club similar hazards together.
• Do not generalize hazards: "Aircraft enters unsafe condition", or qualifiers such as "unintended" or "accidental", say nothing about which state must be prevented.
• Hazards should refer to factors that can be controlled or managed by the system designers and operators.


Railway crossing example


• A railway crossing example: what are the losses?
• L1 - Loss of life or injury to people
• L2 - Loss of or damage to vehicles (financial loss)

• A railway crossing example: what are the hazards?
• H1 - A vehicle moves on the track when a train is approaching (L1, L2)
• H2 - A vehicle moves on the track when the gate poles are coming down (L1, L2)

Launch vehicles
• G1. Transport small satellite payloads to low earth orbit reliably,
affordably, and frequently
• G2. Ensure the protection of the public, property, and the national
security and foreign policy interests of the Nation
• G3. Provide the value and capital required to sustain and grow the
company (Elon Musk)
• L1. Loss of life or injury to people (Launch pad and beyond)
• L2. Loss of or damage to public property (Launch pad and beyond)
• L3. Loss of mission
• L4. Loss of or damage to launch facilities (Can be clubbed)
• L5. Loss of capital (beyond loss-of-mission)


Hazards
• H1. Payload damaged during pre-launch or launch [L3]
• H2. Vehicle structural integrity is lost [L1, L2, L3, L4, L5]
• H3. Vehicle leaves designated flight corridor [L1, L2, L3, L4, L5]
• H4. Loss of vehicle control within flight corridor [L1, L2, L3, L4, L5]
• H5. Payload inserted into the wrong orbit [L2, L3, L5]
• H6. Incorrect or missing separation event [L1, L2, L3]
• H7. Uncontrolled release of thermal energy or non-structural
material [L1, L2, L3, L4, L5]
• H8. Vehicle unable to launch when scheduled [L5]


System Level Constraint


• A railway crossing example: what are the constraints?
– H1 - A vehicle moves on the track when a train is approaching (L1, L2)
• SC1 - The railway crossing system shall prevent a vehicle from going on the tracks when a train is approaching
– H2 - A vehicle moves on the track when the gate poles are coming down (L1, L2)
• SC2 - The railway crossing system shall prevent a vehicle from being on the tracks when the gate poles are coming down

• <Safety Constraint> = <System> & <Condition to Enforce> & <Link to Hazards>

Safety Constraints
• SC1. Payload must not be damaged under worst-case pre-launch, launch, and orbit environments [H1]
• SC2. Vehicle must maintain structural integrity under worst-case prelaunch, launch, and orbit conditions
[H2]
• SC3. Vehicle must not exit flight corridor [H3]
• SC4. If vehicle approaches flight corridor limits, then the violation must be detected and measures taken to
prevent loss of life or injury to people [H3]
• SC5. Flight path control shall be maintained during launch and orbit [H4]
• SC6. The payload shall be injected into the intended orbit within TBD tolerance [H5]
• SC7. Uncommanded separation events shall not occur [H6]
• SC8. Separation events must occur within TBD seconds of command [H6]
• SC9. Uncontrolled vehicle energy or material release must not cause injury or death to public persons [H3,
H7]
• SC10. Toxic, corrosive, and energetic materials must not be released within range of humans or other
systems [H7]
• SC11. Vehicle structural integrity must be maintained under worst-case conditions [H2]


Model the control structure


• A hierarchical control structure is a
system model that is composed of
feedback control loops. An effective
control structure will enforce constraints
on the behavior of the overall system.
• A controller may provide control actions
to control some process and to enforce
constraints on the behavior of the
controlled process
• Process models may be updated in part
by feedback used to observe the
controlled process.



Railway example

Figure: hierarchical control structure of the railway crossing. The Railway Crossing Control System is the controller; its control action is R1 Open/close gate; its feedback is Sense gate position and Sense train approaching; the controlled process is the secure zone (train passing zone).


Tips for HCS


• Ensure labels describe functional information that is sent, not a specific
physical implementation.
• Avoid ambiguous and vague labels like simply "Command" or
"Feedback" when the type of information is known.
• Check that every controlled physical process is controlled by one or
more controllers (not always required, but often indicates a mistake).
• Review responsibilities (including traceability) for conflicts and gaps.
• Check that control actions needed to satisfy the responsibilities are
included.
• Check that feedback needed to satisfy the responsibilities is included.
(optional if applied early in concept development when feedback is
unknown; later steps can identify missing feedback)


HCS Launch vehicle


Identify UCA
• An Unsafe Control Action (UCA) is a control
action that, in a particular context and
worst-case environment, will lead to a
hazard
– 1. Not providing the control action
leads to a hazard.
– 2. Providing the control action leads to
a hazard.
– 3. Providing a potentially safe control
action but too early, too late, or in the
wrong order
– 4. The control action lasts too long or is
stopped too soon (for continuous
control actions, not discrete ones).


Unsafe control action

• Make a table with these 5 columns: <Source> <Type> <Control Action> <Context> <Link to Hazards>
• Use the responsibilities or commands that can change a hazardous outcome.
• Argue what would happen by "not providing", "providing", "too early / too late", or "too long / stopped too soon" in different situations.


Unsafe control action

Control action | Not providing causes hazard | Providing causes hazard | Too early / too late / wrong order | Stopped too soon / applied too long
Open gate | Not providing open gate when the train has left will cause a traffic jam | Providing open gate while the train is passing through the zone will cause accidents | Opening the gate too early, while the train has not passed | Opening the gate and stopping half way can allow people to pass
Close gate | Not providing close gate while a train is approaching will allow vehicles to pass through | Providing close gate while a vehicle is between the two gates will trap the vehicle | Closing the gate too late when the train is approaching will cause the vehicle to be trapped | Closing the gates too long after the train has passed through will cause traffic jams


Launch vehicle example


Tips for UCA


• Care should be taken while defining the UCA.
– Correct UCA: BSCU Autobrake provides Brake command during normal takeoff [H-4.3]
– Incorrect UCA: BSCU Autobrake provides Brake command resulting in a collision (states a loss, not the context)
– Correct UCA: BSCU Autobrake provides Brake command during normal takeoff
– Incorrect UCA: BSCU Autobrake provides Brake command when it incorrectly believes the aircraft is landing (states a belief, not the actual state)
• Ensure every UCA specifies the context that makes the control action unsafe.
• Ensure UCA contexts specify the actual states or conditions that would make the control action unsafe, not potential beliefs about the actual state.
• Ensure any assumptions or special reasoning behind the UCAs are documented.


Controller constraints
• A controller constraint specifies the controller behaviors
that need to be satisfied to prevent UCAs


Controller constraints
UCA | Controller constraint
Not providing open gate when the train has left will cause a traffic jam | The controller shall open the gates <within xx seconds> when the train has passed the crossing zone
Providing close gate while a vehicle is between the two gates | The controller shall provide adequate warning and indication that the gates are closing
Closing gate too late when the train is approaching | The controller shall ensure that the gates are closed TBD seconds before the train is in the zone
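The UCA table and the controller constraints derived from it can be kept as structured data rather than as a Word table. The following Python is an added example, not code from the slides or from the MOOSE tool. It transcribes the railway crossing losses, hazards, constraints and UCAs into dataclasses, checks that every hazard traces to a defined loss and every constraint and UCA to a defined hazard (the <System> & <Unsafe Condition> & <Link to Losses> template), lints UCA contexts for the two mistakes the "Tips for UCA" slide calls out (a belief of the controller instead of the actual state, and a loss instead of a context), and emits the five-column UCA table. The class and function names, the word lists, and the UCA identifiers are this example's assumptions. The slide's two "traffic jam" UCAs are left out deliberately: they trace to no defined hazard, which is exactly what the traceability check would report.

```python
"""STPA bookkeeping for the railway crossing example: losses, hazards,
safety constraints and unsafe control actions (UCAs) with traceability
checks, a wording lint for UCA contexts, and a five-column UCA table."""
from dataclasses import dataclass

# The four kinds of UCA, keyed as the tool output abbreviates them:
# NP = Not providing, P = Providing, TE = Too early/late/wrong order, S = Stopped too soon/applied too long.
UCA_TYPES = ("NP", "P", "TE", "S")


@dataclass
class Loss:
    id: str
    text: str


@dataclass
class Hazard:
    id: str
    system: str      # <System>
    condition: str   # <Unsafe Condition>
    losses: tuple    # <Link to Losses>

    def spec(self) -> str:
        """<Hazard specification> = <System> & <Unsafe Condition> & <Link to Losses>"""
        return f"{self.id}: {self.system} {self.condition} [{', '.join(self.losses)}]"


@dataclass
class Constraint:
    id: str
    text: str
    hazards: tuple   # <Link to Hazards>


@dataclass
class UCA:
    id: str
    source: str      # controller that issues the control action
    kind: str        # NP, P, TE or S
    action: str      # the control action
    context: str     # the actual system state that makes the action unsafe
    hazards: tuple   # <Link to Hazards>


# Word lists are this example's assumption: a context phrased as the controller's
# belief, or as a loss, is what the "Tips for UCA" slide rejects.
BELIEF_WORDS = ("believes", "thinks", "assumes")
LOSS_WORDS = ("collision", "crash", "accident", "injury", "traffic jam")


def lint_uca(uca: UCA) -> list:
    """Return wording problems for one UCA; an empty list means it passes."""
    problems, low = [], uca.context.lower()
    if uca.kind not in UCA_TYPES:
        problems.append(f"{uca.id}: unknown UCA type {uca.kind!r}")
    if any(w in low for w in BELIEF_WORDS):
        problems.append(f"{uca.id}: context describes a belief, not the actual state")
    if any(w in low for w in LOSS_WORDS):
        problems.append(f"{uca.id}: context names a loss instead of the state that causes it")
    if not uca.hazards:
        problems.append(f"{uca.id}: no link to a hazard")
    return problems


def check_traceability(losses, hazards, constraints, ucas) -> list:
    """Every hazard must trace to a defined loss; every constraint and UCA to a defined hazard."""
    loss_ids, hazard_ids = {l.id for l in losses}, {h.id for h in hazards}
    problems = []
    for h in hazards:
        problems += [f"{h.id} links to undefined loss {l}" for l in h.losses if l not in loss_ids]
    for c in constraints:
        problems += [f"{c.id} links to undefined hazard {x}" for x in c.hazards if x not in hazard_ids]
    for u in ucas:
        problems += lint_uca(u)
        problems += [f"{u.id} links to undefined hazard {x}" for x in u.hazards if x not in hazard_ids]
    return problems


def uca_table(ucas) -> str:
    """The five-column UCA table (Source, Type, Control Action, Context, Link to Hazards)."""
    rows = ["Source | Type | Control Action | Context | Link to Hazards"]
    rows += [f"{u.source} | {u.kind} | {u.action} | {u.context} | {', '.join(u.hazards)}" for u in ucas]
    return "\n".join(rows)


# The railway crossing example from the slides, transcribed into the data model.
LOSSES = [Loss("L1", "Loss of life or injury to people"), Loss("L2", "Loss of or damage to vehicles")]
HAZARDS = [
    Hazard("H1", "Railway crossing system", "allows a vehicle on the track when a train is approaching", ("L1", "L2")),
    Hazard("H2", "Railway crossing system", "allows a vehicle on the track when the gate poles are coming down", ("L1", "L2")),
]
CONSTRAINTS = [
    Constraint("SC1", "shall prevent a vehicle from going on the tracks when a train is approaching", ("H1",)),
    Constraint("SC2", "shall prevent a vehicle from being on the tracks when the gate poles are coming down", ("H2",)),
]
UCAS = [
    UCA("UCA1", "Crossing controller", "P", "Open gate", "while a train is passing through the zone", ("H1",)),
    UCA("UCA2", "Crossing controller", "TE", "Open gate", "too early, before the train has passed", ("H1",)),
    UCA("UCA3", "Crossing controller", "S", "Open gate", "stopped half way, so that people can pass", ("H1",)),
    UCA("UCA4", "Crossing controller", "NP", "Close gate", "while a train is approaching", ("H1",)),
    UCA("UCA5", "Crossing controller", "P", "Close gate", "while a vehicle is between the two gates", ("H2",)),
    UCA("UCA6", "Crossing controller", "TE", "Close gate", "too late, when the train is already approaching", ("H1", "H2")),
]
# A deliberately mis-worded UCA of the kind the "Tips for UCA" slide warns against.
BAD_UCA = UCA("UCA-bad", "Crossing controller", "P", "Open gate",
              "when the controller believes the train has passed, causing a collision", ("H1",))
```

Running check_traceability over LOSSES, HAZARDS, CONSTRAINTS and UCAS returns an empty list; lint_uca(BAD_UCA) returns two findings, one for the belief and one for the loss in the context; uca_table(UCAS) gives the same five columns the slide asks for, ready to paste into a document. Adding a UCA that cites an undefined hazard (or a hazard that cites an undefined loss) shows up as a traceability problem instead of silently breaking the chain from UCA to loss.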

Scenarios
• A loss scenario describes the causal
factors that can lead to the unsafe
control actions and to hazards.
• Two types of loss scenarios must be
considered,
– a) Why would Unsafe Control Actions
occur?
– b) Why would control actions be
improperly executed or not executed,
leading to hazards?



Scenarios – railway gate


• Not providing open gate when the train has left will cause a traffic jam. Possible scenarios:

1. The controller has given the open gate command but it has not been received by the component that is supposed to open the gate.
2. The controller does not know that the train has left the zone because of a sensor failure or a blocked sensor.
3. The controller has given the command but the actuator is burnt out and unable to open the gate.
4. The open command actually closes the gate: the maintenance engineer did not wire the system properly.
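The four scenarios above fall into the two types the Scenarios slide names: scenario 2 is the controller's process model going wrong (why the UCA occurs), while scenarios 1, 3 and 4 are a correct control action that is improperly executed. The following Python is an added example, not code from the slides or from the MOOSE tool. It simulates the gate control loop tick by tick with a constructed train timeline, a sensor that can stick true or false (scenario 2), reversed actuator wiring (scenario 4), and checks hazard H1 and the controller constraints from the earlier table against the actual train and gate states rather than the controller's belief. LEAD_TICKS and REOPEN_TICKS stand in for the constraints' TBD values and are assumptions, as are all class and function names.

```python
"""Discrete-time simulation of the railway gate control loop from the slides.
The controller logic is correct; losses arise when its process model (belief
about the train) diverges from the actual state, or when a correct command is
executed wrongly. Train timeline, tick counts and fault modes are constructed."""

LEAD_TICKS = 2    # assumed value for the constraint's "TBD seconds" before the train is in the zone
REOPEN_TICKS = 2  # assumed value for "within xx seconds" after the train has passed
PRESENT = ("approaching", "in_zone")   # train states in which an open gate is hazard H1


def train_position(t):
    """Constructed timeline: far away, then approaching, then in the crossing zone, then gone."""
    return "far" if t < 3 else "approaching" if t < 7 else "in_zone" if t < 10 else "left"


class Sensor:
    """Feedback 'train approaching'. Faults: 'stuck_true' (keeps reporting a train) or
    'stuck_false' (blocked, never reports one), active from tick fault_from onwards."""
    def __init__(self, fault=None, fault_from=0):
        self.fault, self.fault_from = fault, fault_from

    def read(self, t, position):
        if self.fault and t >= self.fault_from:
            return self.fault == "stuck_true"
        return position in PRESENT


class Controller:
    """Process model is a single bit, 'train present', updated only from feedback."""
    def __init__(self):
        self.train_present = False

    def decide(self, feedback):
        self.train_present = feedback
        return "close" if self.train_present else "open"


class Gate:
    """Actuator plus controlled process. Reversed wiring (scenario 4) inverts every command."""
    def __init__(self, reversed_wiring=False):
        self.state, self.reversed = "open", reversed_wiring

    def apply(self, command):
        if self.reversed:
            command = "open" if command == "close" else "close"
        self.state = "closed" if command == "close" else "open"


def simulate(ticks=14, sensor_fault=None, fault_from=0, reversed_wiring=False):
    """Run the loop; return the per-tick log and the list of constraint violations."""
    sensor, ctl, gate = Sensor(sensor_fault, fault_from), Controller(), Gate(reversed_wiring)
    log = []
    for t in range(ticks):
        pos = train_position(t)
        cmd = ctl.decide(sensor.read(t, pos))
        gate.apply(cmd)
        log.append((t, pos, ctl.train_present, cmd, gate.state))  # actual, believed, commanded, achieved
    return log, check_constraints(log)


def check_constraints(log):
    """Evaluate hazard H1 and the slide's controller constraints against the ACTUAL states."""
    violations = []
    for t, pos, _, _, gate in log:
        if pos in PRESENT and gate == "open":
            violations.append(f"H1 at tick {t}: gate open while train {pos}")
    t_in = next((t for t, pos, *_ in log if pos == "in_zone"), None)
    if t_in is not None:
        before = [g == "closed" for t, _, _, _, g in log if t_in - LEAD_TICKS <= t < t_in]
        if not before or not all(before):
            violations.append(f"CC3: gate not closed {LEAD_TICKS} ticks before train entered zone")
    t_left = next((t for t, pos, *_ in log if pos == "left"), None)
    if t_left is not None and not any(g == "open" for t, _, _, _, g in log
                                      if t_left <= t <= t_left + REOPEN_TICKS):
        violations.append(f"CC1: gate not reopened within {REOPEN_TICKS} ticks after train left")
    return violations


def model_mismatches(log):
    """Ticks at which the controller's belief disagrees with the actual train state."""
    return [t for t, pos, believed, _, _ in log if believed != (pos in PRESENT)]


if __name__ == "__main__":
    runs = [("nominal", {}),
            ("sensor stuck true from tick 10", {"sensor_fault": "stuck_true", "fault_from": 10}),
            ("sensor blocked", {"sensor_fault": "stuck_false"}),
            ("wiring reversed", {"reversed_wiring": True})]
    for name, kw in runs:
        log, bad = simulate(**kw)
        print(f"{name}: model wrong at ticks {model_mismatches(log)}; violations: {bad}")
```

In the stuck-true run the controller's belief and the actual state disagree from tick 10 onwards and the gate never reopens, which is the "not providing open gate" UCA. With reversed wiring the process model is never wrong, yet H1 occurs on every tick the train is near and the gate fails to reopen afterwards; the fault sits in the actuation path. That is why STPA asks the two scenario questions separately: the same UCA can come from a wrong process model or from a correct command executed wrongly, and the mitigation differs.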


Outcome of STPA
• Drive the system architecture
• Create executable requirements
• Identify design recommendations
• Identify mitigations and safeguards needed
• Define test cases and create test plans
• Drive new design decisions (if STPA is used during development)
• Evaluate existing design decisions and identify gaps and changes
needed (if STPA is used after the design is finished)
• Develop leading indicators of risk
• Design more effective safety management systems


Comparing FMEA and STPA

Figure: Venn diagram comparing the findings of FMEA and STPA on the same system; the only values recoverable from the slide are the region counts 13, 8 and 9.


Simulink tool


MOOSE
• MOOSE: Matlab Tool for STPA Evaluation.
• This is a tool developed in Simulink to help analyze system safety using STPA.
• STPA (System Theoretic Process Analysis) is a methodology developed at MIT.
• MIT Partnership for Systems Approaches to Safety and Security (PSASS): http://psas.scripts.mit.edu/home/
• The handbook required for the methodology is available at http://psas.scripts.mit.edu/home/materials/ (accessed 8 Oct 2022).


MOOSE files
The STPA library files are in STPA_Library.mdl


STPA Blocks
• The loss block is used to define a loss. It has a name, a description and a category (1 is catastrophic).
• Open the library and drag and drop the loss block into a model canvas. The links to the library are removed automatically.
• Double click on the block to enter the description.
• Click on ADD Output to add a new output port or REM Output to delete an output port.

Loss block


Hazard block

Drag the Hazard block to create the hazards for your system. Hazards are linked to losses: connect the output of the loss block to the hazard input. Hazards can have sub-hazards, created by connecting a Hazard block to another Hazard block.


Adding Hazard
Double click on the Hazard block to open the input pane. Give the name (better to have them numbered) and provide a description, using the syntax for hazards defined in the Handbook. Use the ADD and REM buttons to add and remove inputs to the hazard block. Look at some of the examples shipped with the tool to understand this better. "\n" can be used to insert a newline in the description.


STPA – losses and hazards


• Create the hazards and losses model for your system.
• The file stpa_brake_manage_loss has an example of the losses and hazards of a brake management system.
• The next step is to create a table to capture the constraints.
• Save the Simulink file with the hazards and the losses.
• Run the MATLAB script file analyse_hcs.m.
• This opens a GUI for file selection. Select your loss model.
• A text file stpa_lh.txt is created with the table data.
• Put it in a Word document to create a table.
• Type in your constraints in the Word document.

STPA – losses and hazards


Figure: select the loss model; the txt file is created; copy the text into Word and use text-to-table to create a table; fill in the constraints.


HCS

• The other blocks in the STPA library support the building of an HCS:
– a block to represent a human or organization
– a block to represent an electronic or mechanical controller
– a block to represent an actuator that does the actual work
– blocks for the control actions and feedback
– a block representing feedback to the controller, such as a display panel or alarm
– a block for the controlled process

Create the HCS

• Start with the human controller, if one is required in your analysis. Put this block at the top in a new model that you are creating.
• Put the electronic/mechanical/computer controller below it.
• Put the actuator, if required, below that.
• Put the process to be analyzed at the bottom.


Create the HCS


• Double click on the blocks and fill in the descriptions.
• Add the control actions: get a CA block and insert it on the line.
• Describe the responsibility of the controller and give it a name. A controller can have many responsibilities; articulate them here.


Create the HCS


Describe the control action. There could be many responsibilities attributed to the controller, and these could lead to many CAs; use as many blocks as required. Double click on the CA block and describe the CA and the 4 types of UCA with the corresponding hazard numbers. If there is more than one UCA for, say, "Not providing", use another CA block and keep the CA description the same.


Create the HCS


• Use the feedback block to create the feedback element.
• Use the ADD and REM buttons in the controller and the process to add or remove input and output ports. Look at the example for a typical use of the CA and Feedback blocks.
• Add the Other System and Environment blocks as needed to define the interactions.
• The small arrow block can be used to change the color of the line.


Create the HCS


• Use the consolidated feedback block if there is a consolidated unit that provides the feedback.
• Physical entities can be used as feedback.
• The arrow block can change the arrow color.


Analyze the HCS


• Use analyse_hcs.m to analyse the HCS. The file stpa_hcs.txt has the output. Put it in Word and make the text-to-table conversion.


Analyze the HCS


• Two tables are created: a UCA table as defined in the Handbook, and another with a list of UCAs and the blocks, with space for constraints.
• In the UCA column: NP = Not providing, P = Providing, TE = Too early / too late, S = Stopped too soon / applied too long.


Analyze the HCS


Responsible Block | Responsibility | UCA Number | UCA | Constraints
Wheel brake controller | Providing Brake Pressure | 67 | P: [#H41] Providing in air when in use | TYPE IN THE CONSTRAINTS
Wheel brake controller | Providing Brake Pressure | 68 | TE: [#H41] Providing before touchdown |
Nose Wheel Rudder | Providing wheel Turn | 69 | NP: [#H51] Not providing when not on center line |
Nose Wheel Rudder | Providing wheel Turn | 70 | P: [#H51] Providing in air (lock) |
Nose Wheel Rudder | Providing wheel Turn | 71 | TE: [#H51] Providing out of sync |
Nose Wheel Rudder | Providing wheel Turn | 72 | S: [#H51] Applied too long (stuck) |
Nose Wheel Rudder | Providing rudder | 73 | NP: [H51] Not providing when not on center line |
Nose Wheel Rudder | Providing rudder | 74 | TE: [#H51] Providing out of sync |
Nose Wheel Rudder | Providing rudder | 75 | S: [#H51] Applied too long |

This model has 75 UCAs identified.


Upar wala hai na!! (Hindi: "The one above is there, isn't he!")
Thank you
Any questions?

Figure: Indigo cockpit, one day

