Yoga STPA
Model Based Safety Analysis
Yogananda Jeppu
Definition
• Safety - the state of being “safe”, the condition of being protected from harm or other undesirable outcomes. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.
• Certification - the action or process of providing someone or something with an official document attesting to a status or level of achievement.
Yogananda Jeppu 2
09/05/2023
Failure mechanism
Railway gate
FMEA
• Failure Modes and Effects Analysis (FMEA) is a systematic method of identifying the failure modes of a system, item, function, or piece-part and determining their effects on the next higher level of the design.
• This is a bottom-up approach. Both functions and hardware can be considered to fail.
• Postulate the ways the chosen level’s specific implementation may fail.
• Every feasible hardware failure mode is postulated at the level of the design being analyzed.
• Every identified failure mode is analyzed to determine its effect on the given level and usually on higher levels as well.
• Each failure shall have one higher-level effect.
http://www.fmea-fmeca.com/fmea-examples.html
STPA
http://psas.scripts.mit.edu/home/
STPA
• STPA is a new way of looking at system safety using control system theory.
• STPA is already well used in industry, but there is still work to be done.
• Many researchers are applying this technique. Papers can be downloaded from the website.
• This is an active research area and students are actively working in the field.
• I have been using this technique recently and find it very useful in defining new systems and analyzing older ones for improvements.
Emergence
Emergent Property
STPA Process
Definition
• LOSS
• An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc.
• HAZARD
• A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss).
• CONSTRAINT
• A system-level constraint specifies system conditions or behaviors that need to be satisfied to prevent hazards (and ultimately prevent losses).
Step 1
Losses
• Identify the stakeholders, e.g. users, producers, customers, operators, etc.
• Stakeholders identify their “stake” in the system. What do they value? For example, human life, a fleet of usable aircraft, electrical power generation, transportation, etc. What are their goals?
• Translate each value or goal into a loss, e.g. loss of life, loss of aircraft, loss of electrical power generation, loss of transportation, etc.
– L-1: Loss of life or injury to people
– L-2: Loss of or damage to vehicle
– L-3: Loss of or damage to objects outside the vehicle
– L-4: Loss of mission (e.g. transportation mission, surveillance mission, scientific mission, defense mission, etc.)
– L-5: Loss of customer satisfaction
Hazard
• Hazards are system states or conditions (not component-level causes or environmental states)
• Hazards will lead to a loss in some worst-case environment
• Hazards must describe states or conditions to be prevented
• <Hazard specification> = <System> & <Unsafe Condition> & <Link to Losses>
• Do not confuse hazards with causes of hazards
• “brake failure” and “brake failure not annunciated” are causes of a hazard. The hazard is the aircraft not stopping on the runway after landing
• Limit hazards to a maximum of 10. Club similar hazards together.
• Do not generalize hazards, e.g. “Aircraft enters unsafe condition” (likewise vague words such as “unintended” or “accidental”)
• Hazards should refer to factors that can be controlled or managed by the system designers and operators
Launch vehicles
• G1. Transport small satellite payloads to low earth orbit reliably, affordably, and frequently
• G2. Ensure the protection of the public, property, and the national security and foreign policy interests of the Nation
• G3. Provide the value and capital required to sustain and grow the company (Elon Musk)
• L1. Loss of life or injury to people (Launch pad and beyond)
• L2. Loss of or damage to public property (Launch pad and beyond)
• L3. Loss of mission
• L4. Loss of or damage to launch facilities (Can be clubbed)
• L5. Loss of capital (beyond loss-of-mission)
Hazards
• H1. Payload damaged during pre-launch or launch [L3]
• H2. Vehicle structural integrity is lost [L1, L2, L3, L4, L5]
• H3. Vehicle leaves designated flight corridor [L1, L2, L3, L4, L5]
• H4. Loss of vehicle control within flight corridor [L1, L2, L3, L4, L5]
• H5. Payload inserted into the wrong orbit [L2, L3, L5]
• H6. Incorrect or missing separation event [L1, L2, L3]
• H7. Uncontrolled release of thermal energy or non-structural material [L1, L2, L3, L4, L5]
• H8. Vehicle unable to launch when scheduled [L5]
– H2 - A vehicle moves on the track when the poles are coming down (L1, L2)
• SC2 – The railway crossing system shall prevent a vehicle being on the tracks when the poles are coming down
Safety Constraints
• SC1. Payload must not be damaged under worst-case pre-launch, launch, and orbit environments [H1]
• SC2. Vehicle must maintain structural integrity under worst-case prelaunch, launch, and orbit conditions [H2]
• SC3. Vehicle must not exit flight corridor [H3]
• SC4. If vehicle approaches flight corridor limits, then the violation must be detected and measures taken to prevent loss of life or injury to people [H3]
• SC5. Flight path control shall be maintained during launch and orbit [H4]
• SC6. The payload shall be injected into the intended orbit within TBD tolerance [H5]
• SC7. Uncommanded separation events shall not occur [H6]
• SC8. Separation events must occur within TBD seconds of command [H6]
• SC9. Uncontrolled vehicle energy or material release must not cause injury or death to public persons [H3, H7]
• SC10. Toxic, corrosive, and energetic materials must not be released within range of humans or other systems [H7]
• SC11. Vehicle structural integrity must be maintained under worst-case conditions [H2]
Railway example
Secure Zone
Train passing zone
Identify UCA
• An Unsafe Control Action (UCA) is a control action that, in a particular context and worst-case environment, will lead to a hazard
– 1. Not providing the control action leads to a hazard.
– 2. Providing the control action leads to a hazard.
– 3. Providing a potentially safe control action but too early, too late, or in the wrong order
– 4. The control action lasts too long or is stopped too soon (for continuous control actions, not discrete ones).
Open Gate
– 1. Not providing: Not providing open gate when the train has left will cause traffic jam
– 2. Providing: Providing open gate while the train is passing through the zone will cause accidents
– 3. Too early / too late / wrong order: Opening gate too early while the train has not passed
– 4. Too long / stopped too soon: Opening gate and stopping half way can allow people to pass
Close Gate
– 1. Not providing: Not providing while a train is approaching will allow vehicles to pass through
– 2. Providing: Providing close gate while a vehicle is between the two gates will trap the vehicle
– 3. Too early / too late / wrong order: Closing gate too late when the train is approaching will cause vehicle to be trapped
– 4. Too long / stopped too soon: Closing gates too long after the train has passed through will cause traffic jams
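The railway-crossing UCA table above can be turned into a runtime check: a monitor that looks at every gate command together with its context (where the train is, whether a vehicle is between the gates, what the gate is actually doing) and classifies it against the four UCA types. The following is an added example written for these slides, not code from the presentation or from the MOOSE tool; the timing limits CLOSE_LEAD, OPEN_DELAY and MOVE_LIMIT stand in for the slides' "xx" and "TBD" values, the hazard identifiers H1 to H3 and the sample trace are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    t: int
    train: str              # "far" | "approaching" | "passing" | "left"
    vehicle_between: bool   # a road vehicle is between the two gates
    gate: str               # observed gate position: "open" | "closed" | "moving"
    command: Optional[str]  # control action issued at this step: "open" | "close" | None


# Constructed timing limits; the slides leave them as "xx" and "TBD".
CLOSE_LEAD = 2   # close must be commanded at least this many steps before the train is passing
OPEN_DELAY = 2   # open must be commanded within this many steps after the train has left
MOVE_LIMIT = 2   # a gate still moving after this many steps is taken as stopped half way

# Constructed hazard identifiers for the railway crossing example
H_ZONE = "H1: vehicle or person in the passing zone while a train is passing"
H_TRAPPED = "H2: vehicle on the track when the poles are coming down"
H_JAM = "H3: road traffic held at the crossing with no train present"

Finding = Tuple[int, str, str, str]   # (time, UCA type, what happened, hazard it leads to)


def check_trace(trace: List[Step]) -> List[Finding]:
    """Classify every control action in the trace against the four UCA types."""
    findings: List[Finding] = []
    close_cmd_at: Optional[int] = None   # index of the close command in the current train cycle
    open_due: Optional[int] = None       # last index by which an open command is expected
    open_done = True
    last_cmd: Optional[str] = None
    moving_run = 0                       # consecutive steps the gate has been "moving"
    for i, s in enumerate(trace):
        prev = trace[i - 1].train if i > 0 else "far"
        if s.train == "approaching" and prev != "approaching":
            close_cmd_at = None                       # a new train cycle starts
        if s.train == "left" and prev != "left":
            open_due, open_done = i + OPEN_DELAY, False
        if s.command == "close":
            close_cmd_at, last_cmd = i, "close"
        if s.command == "open":
            last_cmd = "open"
            if s.train == "left":
                open_done = True
        # Type 2: providing the action in this context leads to a hazard
        if s.command == "open" and s.train in ("approaching", "passing"):
            findings.append((s.t, "providing", "open gate while a train is approaching or passing", H_ZONE))
        if s.command == "close" and s.vehicle_between:
            findings.append((s.t, "providing", "close gate while a vehicle is between the gates", H_TRAPPED))
        # Types 1 and 3 for the close action, judged when the train enters the passing zone
        if s.train == "passing" and prev != "passing":
            if close_cmd_at is None:
                findings.append((s.t, "not providing", "no close command before the train is passing", H_ZONE))
            elif i - close_cmd_at < CLOSE_LEAD:
                findings.append((s.t, "too late", "close commanded less than CLOSE_LEAD steps before passing", H_ZONE))
        # Type 1 for the open action: the train has gone and the gates were never commanded open
        if s.train == "left" and not open_done and i > open_due:
            findings.append((s.t, "not providing", "no open command after the train has left", H_JAM))
            open_done = True
        # Type 4: the action stopped too soon, i.e. the gate is stuck half way
        moving_run = moving_run + 1 if s.gate == "moving" else 0
        if moving_run == MOVE_LIMIT + 1:
            hazard = H_ZONE if last_cmd == "close" else H_JAM
            findings.append((s.t, "stopped too soon", "gate stopped half way", hazard))
    return findings


# Constructed trace: one cycle with a late-opened, then stuck gate, one cycle with a late close
SAMPLE_TRACE = [
    Step(0, "far", False, "open", None),
    Step(1, "approaching", False, "open", None),
    Step(2, "approaching", True, "open", "close"),     # close while a car is between the gates
    Step(3, "approaching", False, "moving", None),
    Step(4, "passing", False, "closed", None),
    Step(5, "passing", False, "closed", None),
    Step(6, "left", False, "closed", None),
    Step(7, "left", False, "closed", None),
    Step(8, "left", False, "closed", None),
    Step(9, "left", False, "closed", None),            # still no open command
    Step(10, "left", False, "moving", "open"),
    Step(11, "left", False, "moving", None),
    Step(12, "left", False, "moving", None),           # gate stuck half way
    Step(13, "far", False, "open", None),
    Step(14, "approaching", False, "open", None),
    Step(15, "passing", False, "open", "close"),       # close issued only as the train arrives
    Step(16, "passing", False, "closed", "open"),      # open while the train is passing
]


def run_example() -> List[Finding]:
    return check_trace(SAMPLE_TRACE)


if __name__ == "__main__":
    for t, kind, what, hazard in run_example():
        print(f"t={t:2d} UCA type '{kind}': {what} -> {hazard}")
```

Each finding carries the context that made the action unsafe, which is exactly what the later slide asks of a well-written UCA; a trace in which the gate is closed CLOSE_LEAD steps ahead and reopened within OPEN_DELAY steps produces no findings.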
– Correct UCA: BSCU Autobrake provides Brake command during normal takeoff
– Incorrect UCA: BSCU Autobrake provides Brake command when it incorrectly believes the aircraft is landing
• Ensure every UCA specifies the context that makes the control action unsafe
• Ensure UCA contexts specify the actual states or conditions that would make the control action unsafe, not potential beliefs about the actual state
• Ensure any assumptions or special reasoning behind the UCAs are documented
Controller constraints
• A controller constraint specifies the controller behaviors that need to be satisfied to prevent UCAs
Controller constraints
• UCA: Not providing open gate when the train has left will cause traffic jam
– CONSTRAINT: The controller shall open the gates <within xx seconds> when the train has passed the crossing zone
• UCA: Providing close gate while a vehicle is between the two gates
– CONSTRAINT: The controller shall provide adequate warning and indication that the gates are closing
• UCA: Closing gate too late when the train is approaching
– CONSTRAINT: The controller shall ensure that the gates are closed TBD seconds before the train is in the zone
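The slides build a chain of artefacts: losses, hazards written as <System> & <Unsafe Condition> & <Link to Losses>, system-level constraints per hazard, UCAs per control action, and controller constraints per UCA. The following is an added example (not code from the presentation or from MOOSE) that records the railway-crossing artefacts in that shape and checks the traceability of the chain. The hazard H2 and constraint SC2 come from the railway slide, the UCAs from the gate table and the three controller constraints from the table above; the identifiers H1, H3, SC1, UCA1 to UCA8 and CC1 to CC3 and the hazards H1 and H3 are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Hazard:
    system: str              # <System>
    condition: str           # <Unsafe Condition>
    losses: Tuple[str, ...]  # <Link to Losses>

    def spec(self) -> str:
        """Render the slide's template: <System> & <Unsafe Condition> & <Link to Losses>."""
        return f"{self.system} {self.condition} [{', '.join(self.losses)}]"


@dataclass(frozen=True)
class UCA:
    action: str               # control action, e.g. "open gate"
    kind: str                 # one of the four UCA types
    context: str              # the actual state that makes the action unsafe
    hazards: Tuple[str, ...]  # hazards the UCA leads to


Constraint = Tuple[str, Tuple[str, ...]]   # (text, ids of the artefacts it traces to)

# Constructed STPA model of the railway crossing. H2 and SC2 are on the slides;
# the other ids and the hazards H1 and H3 are constructed for this example.
LOSSES = {"L1": "Loss of life or injury to people",
          "L2": "Loss of or damage to vehicle",
          "L5": "Loss of customer satisfaction"}
HAZARDS = {
    "H1": Hazard("Railway crossing:", "vehicle or person in the passing zone while a train is passing", ("L1", "L2")),
    "H2": Hazard("Railway crossing:", "a vehicle moves on the track when the poles are coming down", ("L1", "L2")),
    "H3": Hazard("Railway crossing:", "road traffic held at the crossing with no train present", ("L5",)),
}
SYSTEM_CONSTRAINTS: Dict[str, Constraint] = {
    "SC1": ("The crossing system shall keep vehicles and people out of the passing zone while a train is passing", ("H1",)),
    "SC2": ("The railway crossing system shall prevent a vehicle being on the tracks when the poles are coming down", ("H2",)),
}
UCAS = {
    "UCA1": UCA("open gate", "not providing", "train has left the zone", ("H3",)),
    "UCA2": UCA("open gate", "providing", "train is passing through the zone", ("H1",)),
    "UCA3": UCA("open gate", "too early", "train has not yet passed", ("H1",)),
    "UCA4": UCA("open gate", "stopped too soon", "gate stops half way and people can pass", ("H1",)),
    "UCA5": UCA("close gate", "not providing", "train is approaching", ("H1",)),
    "UCA6": UCA("close gate", "providing", "a vehicle is between the two gates", ("H2",)),
    "UCA7": UCA("close gate", "too late", "train is approaching", ("H2",)),
    "UCA8": UCA("close gate", "applied too long", "train has passed through", ("H3",)),
}
CONTROLLER_CONSTRAINTS: Dict[str, Constraint] = {
    "CC1": ("The controller shall open the gates <within xx seconds> when the train has passed the crossing zone", ("UCA1",)),
    "CC2": ("The controller shall provide adequate warning and indication that the gates are closing", ("UCA6",)),
    "CC3": ("The controller shall ensure that the gates are closed TBD seconds before the train is in the zone", ("UCA7",)),
}


def trace_check(losses, hazards, scs, ucas, ccs) -> List[str]:
    """Return traceability gaps: dangling links and artefacts that nothing traces to."""
    issues: List[str] = []
    for hid, h in hazards.items():
        if not h.losses:
            issues.append(f"{hid} links to no loss")
        for lid in h.losses:
            if lid not in losses:
                issues.append(f"{hid} links to unknown loss {lid}")
    for lid in losses:
        if not any(lid in h.losses for h in hazards.values()):
            issues.append(f"{lid} has no hazard leading to it")
    constrained = {hid for _, hids in scs.values() for hid in hids}
    for hid in hazards:
        if hid not in constrained:
            issues.append(f"{hid} has no system-level constraint")
    for uid, u in ucas.items():
        if not u.context:
            issues.append(f"{uid} has no context")
        for hid in u.hazards:
            if hid not in hazards:
                issues.append(f"{uid} links to unknown hazard {hid}")
    covered = {uid for _, uids in ccs.values() for uid in uids}
    for uid in ucas:
        if uid not in covered:
            issues.append(f"{uid} has no controller constraint")
    return issues


def railway_gaps() -> List[str]:
    return trace_check(LOSSES, HAZARDS, SYSTEM_CONSTRAINTS, UCAS, CONTROLLER_CONSTRAINTS)


if __name__ == "__main__":
    for hid, h in HAZARDS.items():
        print(hid, h.spec())
    for issue in railway_gaps():
        print("GAP:", issue)
```

Run on this model the check reports that H3 has no system-level constraint and that five of the eight UCAs in the gate table have no controller constraint yet; those are the rows the analysis still has to fill in before the constraints can be turned into requirements and test cases.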
Scenarios
• A loss scenario describes the causal factors that can lead to the unsafe control actions and to hazards.
• Two types of loss scenarios must be considered:
– a) Why would Unsafe Control Actions occur?
– b) Why would control actions be improperly executed or not executed, leading to hazards?
1. The controller has given the open gate command but this has not been received by the component that is supposed to open the gate
2. The controller does not know that the train has left the zone because of sensor failure or blockage of the sensor
3. The controller has given the command but the actuator is burnt out and unable to open
4. The open command is actually closing the gate – the maintenance engineer did not wire the system properly
Outcome of STPA
• Drive the system architecture
• Create executable requirements
• Identify design recommendations
• Identify mitigations and safeguards needed
• Define test cases and create test plans
• Drive new design decisions (if STPA is used during development)
• Evaluate existing design decisions and identify gaps and changes needed (if STPA is used after the design is finished)
• Develop leading indicators of risk
• Design more effective safety management systems
Simulink tool
MOOSE
• MOOSE: Matlab Tool for STPA Evaluation
• This is a tool developed in Simulink to help analyse system safety using STPA.
• STPA (System Theoretic Process Analysis) is a methodology developed at MIT.
• MIT Partnership for Systems Approaches to Safety and Security (PSASS) http://psas.scripts.mit.edu/home/
• http://psas.scripts.mit.edu/home/materials/ The handbook required for the methodology is available here. Accessed 8 Oct 2022
MOOSE files
The STPA library files are in STPA_Library.mdl
STPA Blocks
• The loss block is used to define the loss. It has a name, a description and a category. 1 – is catastrophic.
Loss block
Hazard block
Adding Hazard
Double click on the Hazard to open the input pane. Give the name (better to have them numbered). Provide a description. Use the syntax for Hazard as defined in the Handbook. Use the ADD and REM buttons to add and remove inputs to the hazard block. Look at some of the examples with the tool to understand better. “\n” can be used to provide the newline in the description.
Select the loss model. Fill in the constraints. The txt file is created.
Give the controller a name and describe its responsibility. A controller can have many responsibilities; articulate them here.
• Use the ADD and REM buttons in the controller and the process to add or remove input and output ports. Look at the example for a typical use of the CA and Feedback blocks.
• Add the Other System and Environment blocks as needed to define the interactions.
• The small arrow block can be used to change the color of the line.
Nose Wheel | Rudder | Providing wheel Turn | 71 | TE: [#H51] Providing out of sync
Nose Wheel | Rudder | Providing wheel Turn | 72 | S: [#H51] Applied too long (stuck)
Nose Wheel | Rudder | Providing rudder | 73 | NP: [H51] Not providing when not on center line
Nose Wheel | Rudder | Providing rudder | 74 | TE: [#H51] Providing out of sync
Nose Wheel | Rudder | Providing rudder | 75 | S: [#H51] Applied too long
THIS MODEL HAS 75 UCA IDENTIFIED
The One above is there, after all!!
Thank you
Any questions?