![Page 1: STAMP Experienced Users Tutorialpsas.scripts.mit.edu/home/get_pdf.php?name=1-3... · STAMP Experienced Users Tutorial John Thomas Blandine Antoine Cody Fleming Melissa Spencer Qi](https://reader036.vdocuments.mx/reader036/viewer/2022071212/60280fab08e57701e96b8b24/html5/thumbnails/1.jpg)
STAMP Experienced Users Tutorial
John Thomas, Blandine Antoine, Cody Fleming, Melissa Spencer, Qi Hommes, Tak Ishimatsu, John Helferich
Systems approach to safety engineering (STAMP)
• Accidents are more than a chain of events; they involve complex dynamic processes.
• Treat accidents as a control problem, not a failure problem.
• Prevent accidents by enforcing constraints on component behavior and interactions.
• Captures more causes of accidents:
  – Component failure accidents
  – Unsafe interactions among components
  – Complex human and software behavior
  – Design errors
  – Flawed requirements
• Especially software-related accidents
(Leveson, 2003); (Leveson, 2011)
Figure: STAMP Model
STPA (System-Theoretic Process Analysis)
Accidents are caused by inadequate control.
How do we find inadequate control in a system?
Figure: STAMP Model; STPA Hazard Analysis (Leveson, 2011)
CAST (Causal Analysis using System Theory)
Accidents are caused by inadequate control.
How do we find the inadequate control that caused the accident?
Figure: STAMP Model; STPA Hazard Analysis; CAST Accident Analysis (Leveson, 2011)
Experienced Users Tutorial
• Morning session
  – STPA Hazard Analysis
  – Hands-on exercises
• Afternoon session
  – CAST Accident Analysis
  – Hands-on exercises
STPA Hazard Analysis
STPA (System-Theoretic Process Analysis)
• Identify the hazards
• Construct the control structure
• Step 1: Identify unsafe control actions
• Step 2: Identify causes of unsafe control actions
Figure: basic control loop (Controller issues Control Actions to the Controlled process; the Controlled process returns Feedback to the Controller) (Leveson, 2011)
Figure: STAMP Model; STPA Hazard Analysis
Step 1: Identify Unsafe Control Actions

| Action (Role) | Action required but not provided | Unsafe action provided | Incorrect timing/order | Stopped too soon |
|---|---|---|---|---|
Step 1: Identify Unsafe Control Actions
Figure: context table with columns Control Action | Process Model Variable 1 | Process Model Variable 2 | Process Model Variable 3 | Hazardous?
(A more rigorous method; more on this tomorrow.)
Step 2: STPA Control Flaws
Figure: generic control loop annotated with the causal factors examined in Step 2
• Controller
  – Inadequate control algorithm (flaws in creation, process changes, incorrect modification or adaptation)
  – Controller process model inconsistent, incomplete, or incorrect
  – Control input or external information wrong or missing
  – Missing or wrong communication with another controller
  – Conflicting control actions (between controllers)
• Control path
  – Inappropriate, ineffective, or missing control action
  – Actuator: inadequate operation
  – Delayed operation
• Controlled process
  – Component failures
  – Changes over time
  – Unidentified or out-of-range disturbance
  – Process input missing or wrong
  – Process output contributes to system hazard
• Feedback path
  – Sensor: inadequate operation
  – Inadequate or missing feedback
  – Feedback delays
  – Measurement inaccuracies
  – Incorrect or no information provided
Simple STPA Exercise
A new in-trail procedure for trans-oceanic flights
Example System: Aviation
Accident (Loss): Aircraft crashes
STPA Exercise
• Identify hazards
• Draw the control structure
  – Identify major components and controllers
  – Label the control/feedback arrows
• Identify Unsafe Control Actions (UCAs)
  – Control table: not given, given incorrectly, wrong timing, stopped too soon
  – Create corresponding safety constraints
• Identify causal factors
  – Identify controller process models
  – Analyze controller, control path, feedback path, process
Hazard
• Definition: A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss).
• Something we can control
• Examples:

| Accident | Hazard |
|---|---|
| Satellite becomes lost or unrecoverable | Satellite maneuvers out of orbit |
| People are exposed to toxic chemicals | Toxic chemicals are released into the atmosphere |
| People are irradiated | Nuclear power plant experiences nuclear meltdown |
| People are poisoned by food | Food products containing pathogens are sold |
Accident (Loss): Aircraft crashes
Hazard: ?
Accident (Loss): Aircraft crashes
Hazard: Two aircraft violate minimum separation
Identifying Hazards
• Loss (accident)
– Death or Injury
• Hazards
– Two aircraft violate minimum separation
– Aircraft enters unsafe atmospheric region
– Aircraft enters uncontrolled state
– Aircraft enters unsafe attitude
– Aircraft enters prohibited area
North Atlantic Tracks
STPA application: NextGen In-Trail Procedure (ITP)
Figure: current state versus proposed change
Proposed change:
• Pilots will have separation information
• Pilots decide when to request a passing maneuver
• Air Traffic Control approves or denies the request
STPA Analysis
• High-level (simple) control structure
  – Main components and controllers?
STPA Analysis
• High-level (simple) Control Structure
– Who controls who?
Flight Crew? Aircraft? Air Traffic
Controller?
STPA Analysis
• High-level (simple) control structure
  – What commands are sent?
Figure: Air Traffic Control, Flight Crew and Aircraft drawn as a control hierarchy, command and feedback arrows not yet labeled
STPA Analysis
• High-level (simple) control structure
Figure: Air Traffic Control issues "clearance to pass" to the Flight Crew; the Flight Crew issues "execute maneuver" to the Aircraft; the feedback arrows (Aircraft to Flight Crew, Flight Crew to Air Traffic Control) are still to be identified
STPA Analysis
• More complex control structure
STPA Analysis: Identify Unsafe Control Actions (Flight Crew)

| Action (Role) | Action required but not provided | Unsafe action provided | Incorrect timing/order | Stopped too soon |
|---|---|---|---|---|
| Execute passing maneuver | Pilot does not execute maneuver; aircraft remains in-trail | Performs ITP when ITP criteria are not met or request has been refused. Pilot instructs incorrect attitude, e.g. throttle and/or pitch | Crew starts maneuver late after having re-verified ITP criteria. Pilot throttles before achieving necessary altitude | Crew does not complete entire maneuver, e.g. aircraft does not achieve necessary altitude or speed |
STPA Analysis: Identify UCAs (Flight Crew)

| Action (Role) | Action required but not provided | Unsafe action provided | Incorrect timing/order | Stopped too soon |
|---|---|---|---|---|
| Read back clearance | Crew does not read back ITP clearance | Confirms clearance although clearance had not been granted | Reads back clearance in non-standard order | |
| Verify ITP criteria to confirm validity of clearance | Crew does not perform ITP criteria verification | Confirms clearance when criteria are not met | Verifies criteria late, after clearance was initially granted, or too early, before the maneuver is actually performed | |
| Perform ITP maneuver | Pilot does not execute maneuver; aircraft remains in-trail | Performs ITP when ITP criteria are not met or request has been refused | Crew starts maneuver late after having re-verified ITP criteria. Pilot throttles before achieving necessary altitude | Crew does not complete entire maneuver, e.g. aircraft does not achieve necessary altitude or speed |
| Provide data to ATC and other aircraft | Does not communicate position and attitude information | Transmits unnecessary data or information. Transmits incorrect data | | |
Defining Safety Constraints

| Unsafe Control Action | Safety Constraint |
|---|---|
| Pilot does not execute maneuver once it is approved | Pilot must execute maneuver once it is approved |
| Pilot performs ITP when ITP criteria are not met or request has been refused | Pilot must not perform ITP when criteria are not met or request has been refused |
| Pilot starts maneuver late after having re-verified ITP criteria | Pilot must start maneuver within X minutes of re-verifying ITP criteria |
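The context-table method sketched under Step 1 (control action × process-model variables → hazardous?) and the UCA-to-constraint inversion in the table above can be carried out mechanically, which is the easiest way to make sure no combination of process-model values is skipped. The script below is an added example written for this page; it is not code from the tutorial or its authors. The process-model variables (clearance, criteria, verification_age), the rule for the single context in which executing the maneuver is safe, and the hazard label are assumptions chosen to fit the ITP exercise; the tutorial does not specify them.

```python
"""Context-table enumeration for one STPA control action (illustrative example).

Process-model variables of the flight-crew controller, assumed for this example:
  clearance        : ATC response to the ITP request ('granted' | 'refused' | 'none')
  criteria         : ITP criteria as last checked by the crew ('met' | 'not_met')
  verification_age : whether that check is still within the allowed window X
                     ('fresh' | 'stale')
"""
from itertools import product

CONTROLLER = "Flight crew"
CONTROL_ACTION = "execute passing maneuver"
HAZARD = "H-1: Two aircraft violate minimum separation"   # hazard from the tutorial

# Assumed process-model variables (not listed in the tutorial).
PROCESS_MODEL = {
    "clearance": ("granted", "refused", "none"),
    "criteria": ("met", "not_met"),
    "verification_age": ("fresh", "stale"),
}


def enumerate_contexts(process_model):
    """Cartesian product of the variable values -> one dict per context."""
    names = list(process_model)
    return [dict(zip(names, values)) for values in product(*process_model.values())]


def safe_to_execute(ctx):
    """Example assumption: executing is safe only when ATC granted clearance,
    the ITP criteria are met, and that check is still fresh."""
    return (ctx["clearance"] == "granted"
            and ctx["criteria"] == "met"
            and ctx["verification_age"] == "fresh")


def build_context_table(process_model):
    """Evaluate every context twice, with the action provided and not provided,
    which is what the Step 1 'more rigorous' table does on paper."""
    rows = []
    for ctx in enumerate_contexts(process_model):
        # Providing the maneuver is hazardous in every context where it is not safe.
        rows.append({"provided": True, "context": ctx, "hazardous": not safe_to_execute(ctx)})
        # Not providing it is hazardous only where it was required: approved and
        # verified, yet the aircraft remains in-trail after ATC has cleared the move.
        rows.append({"provided": False, "context": ctx, "hazardous": safe_to_execute(ctx)})
    return rows


def _describe(ctx):
    return ", ".join(f"{k}={v}" for k, v in ctx.items())


def derive_ucas(table):
    """Hazardous rows -> UCA statements (controller, action, context, hazard)."""
    ucas = []
    for row in table:
        if not row["hazardous"]:
            continue
        kind = "provides" if row["provided"] else "does not provide"
        ucas.append({
            "provided": row["provided"],
            "context": row["context"],
            "text": f"{CONTROLLER} {kind} '{CONTROL_ACTION}' when "
                    f"{_describe(row['context'])} [{HAZARD}]",
        })
    return ucas


def derive_constraints(ucas):
    """Invert each UCA into a safety constraint, as on the Defining Safety
    Constraints slide: 'provides when hazardous' -> 'must not', and vice versa."""
    constraints = []
    for uca in ucas:
        verb = "must not" if uca["provided"] else "must"
        constraints.append(f"{CONTROLLER} {verb} {CONTROL_ACTION} when {_describe(uca['context'])}")
    return constraints


if __name__ == "__main__":
    table = build_context_table(PROCESS_MODEL)
    for constraint in derive_constraints(derive_ucas(table)):
        print(constraint)
```

Running the script prints one safety constraint per hazardous row (twelve for the three variables above). Note how the "incorrect timing" column of the paper table collapses into a process-model variable: a maneuver started after the re-verification window has expired is simply "provided in a context where it is hazardous", which is exactly what the "within X minutes" constraint above enforces. The enumeration guarantees that no context is forgotten; deciding which cells are hazardous (the `safe_to_execute` rule) is still engineering judgement that has to be argued from the hazard.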
STPA Analysis: Causal Factors
UCA: Pilot does not execute maneuver once approved
• How could this action be caused by:
  – Process model
  – Feedback
  – Sensors
  – Etc.?
Figure: control loop showing the Controller's Process Model and the Controlled Process
Hint: Causal Factors
STPA Analysis: Causal Factors
STPA Group Exercise
Choose a system to analyze:
• International Space Station unmanned cargo vehicle
• Electronic Throttle Control
STPA Group Exercise
• Identify hazards
• Draw the control structure
  – Identify major components and controllers
  – Label the control/feedback arrows
• Identify Unsafe Control Actions
  – Control table: not given, given incorrectly, wrong timing, stopped too soon
  – Create corresponding safety constraints
• Identify causal factors
  – Identify controller process models
  – Analyze controller, control path, feedback path, process