ZuXi Chen,HongKai Lin,Meng Mei,YongHua Zhu,XiaoYong Wang,ZhongWei Xu,XiangYu Luo

DOI: https://doi.org/10.1016/j.heliyon.2024.e31776

IF: 3.776

2024-05-24

Heliyon

Abstract:Safety-critical systems, such as the railway signal system, are subject to potentially high costs from failures, including loss of life and property damage. The use of new technology, including communication-based train control (CBTC) systems with software and computers, has changed the types of accidents that occur. Software-related issues and dysfunctional interactions between system components controlled by the software are increasingly the cause of incidents. Developing a "safe" safety-critical system requires accurate and complete safety requirements, which are the foundation of system development. Traditional hazard analysis techniques are insufficient for identifying the causes of accidents in modern railway signaling systems. Systems-Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to address these limitations. Building upon this foundation, a hierarchical approach to safety requirement development has been further developed. This approach combines STPA analysis with a hierarchical modeling approach to establish traceability links from safety requirements to specific architectures, refine and allocate system-level safety requirements to relevant subsystems, and abstract safety requirements at higher hierarchical levels to enable easy changes to lower-level implementations. This paper employs the aforementioned methodology within the context of the CBTC system, thereby enhancing risk management and hazard analysis, enabling early insights, and facilitating the generation of safety requirements of CBTC System.

Wenbo Zhang,Xiangkun Meng,Jianyuan Wang,Tieshan Li,Qihe Shan,Fei Teng

DOI: https://doi.org/10.1109/iccss53909.2021.9722016

2021-12-10

Abstract:Automatic crane is a complex system affected by the external environment and the internal components of the system, information fusion, software and hardware combination, and man-machine integration. The improvement of its automation and informatization proposes various challenges in the accident model construction and safety analysis. However, the safety analysis methods based on fault types consider that the occurrence of accidents is linear and ignore the correlation among components of the system. This paper adopts the system-theoretic accident model and process (STAMP) and system-theoretic process analysis (STPA) mode is to implement safety analysis of the automatic crane trolley running system (ACTRs). The paper starts from the identification of system-level losses and hazards, clarifies the function and internal logical control relationships of the system’s components, and then finds potential unsafe control actions (UCAs) and loss scenarios during the trolley running. The results show that the control requirements for the regular operation of the trolley running system can be analyzed in detail. Therefore, the STAMP/STPA can apply to the safety investigation of automatic cranes.

Yang Li,Dongqin Feng

DOI: https://doi.org/10.1007/978-3-642-34528-9_86

2013-01-01

Abstract:Automatic train protection system (ATP) is the key safety-related system of train control system, so its safety reliability requirements are much higher. This article studies functional safety assessment (FSA) including function analysis, hazard identification, risk rank evaluation, risk reduction, and safety integrity verification during the development of carborne ATP. A risk rank evaluation method is proposed combining as low as reasonably practically (ALARP) criteria and risk matrix. Many safety defects of carborne ATP are found and then the design scheme is improved through FSA. The results of risk analysis software Isograph prove that carborne ATP meets the safety integrity level of its design goals at last.

Xingyu Xing,Tangrui Zhou,Junyi Chen,Lu Xiong,Zhuoping Yu

DOI: https://doi.org/10.1109/iv48863.2021.9575425

2021-01-01

Abstract:Hazard analysis is a quite significant step to ensure vehicle safety in the early stage of vehicle development according to current standards. However, the complexity of the Advanced Driving Assistance System (ADAS) and Automated Driving Systems (ADS), which consist of various software and hardware components, makes it difficult to identify system hazards. Nowadays, System-Theoretic Process Analysis (STPA), a hazard analysis method for complex systems, is applied to ADAS, and simple ADS gradually and proved applicable. This paper introduced Finite State Machine (FSM) to complement the STPA for its weakness in analyzing high-level autonomous vehicles with multiple automated modes and functions. Firstly, previous applications of STPA to ADAS and ADS and their limitations are analyzed. Secondly, the hazardous event is defined. An extended method combining STPA and FSM is proposed to model the vehicle states and environmental conditions and analyze unexpected behaviors. Finally, a case study on an autonomous vehicle is given to compare the traditional STPA and the extended method. Comparing with the traditional STPA, the proposed method can identify more hazardous events and give more detailed information about hazardous events to generate testing scenarios.

Xi Wang,Huaikou Miao,Weikai Miao

DOI: https://doi.org/10.1007/978-3-319-57708-1_4

2017-01-01

Abstract:Train control system is a kernel component of railway transportation which acts as the controller of the involved equipment. With the popularization of train-based transportation, how to guarantee the safety of train control system becomes an important problem to be solved. This paper proposes a safety analysis method for train control system. It provides a scenario language for practitioners to describe their requirements on the train control system in terms of physical scenarios of the train operations. With the specification written in the scenario language, its implied hazards will be automatically identified by verifying its satisfaction of the given safety properties. In contrast to the traditional textual representation of the analysis result, animation technique is adopted to demonstrate the unsafe requirement in an intuitive way. A software tool has been developed to support the approach. It identifies the hazards of a given scenario specification and animates the physical scenarios that lead to the hazards. We also carried out a case study on the tool and the result shows the efficacy of the proposed approach.

Hongde Wang,Tiejun Cui

DOI: https://doi.org/10.1109/ICMSS.2011.5998351

2011-01-01

Abstract:Focusing on the railway level-crossings in Dalian, from view of the system analysis, the reasons about the accidents factors in railway level-crossings are analyzed and assessed. Firstly, with Analytic Hierarchy Process (AHP) method, the accidents factors are divided into two levels, and then the weights of each level's factors are calculated; Secondly, Using the Extension Sets (ES) method, the safety-levels of these factors are identified; Finally, according to the accident weights and safety-levels of the influencing factors, basing on the Set Pair Analysis (SPA) theory, the safety status of the railway level-crossing is mastered. The research results show that the safety weights of the railway level-crossing accounts for 30.01%, the hazard weight accounts for 29.67%, the assessing result is set pair equipollence, and so the level-crossing is in danger. With this assessment method, the safety status of the railway level-crossing is described more accurately, and it has certain guidance to the railway level-crossing safety classification.

Zhipeng Zhang,Xiang Liu,Hao Hu

DOI: https://doi.org/10.1108/srt-12-2020-0028

2021-01-01

Smart and Resilient Transportation

Abstract:Purpose At the US passenger stations, train operations approaching terminating tracks rely on the engineer’s compliant behavior to safely stop before the end of the tracks. Noncompliance actions from the disengaged or inattentive engineers would result in hazards to train passengers, train crewmembers and bystanders at passenger stations. Over the past decade, a series of end-of-track collisions occurred at passenger stations with substantial property damage and casualties. This study’s developed systemic model and discussions present policymakers, railway practitioners and academic researchers with a flexible approach for qualitatively assessing railroad safety. Design/methodology/approach To achieve a system-based, micro-level analysis of end-of-track accidents and eventually promote the safety level of passenger stations, the systems-theoretic accident modeling and processes (STAMP), as a practical systematic accident model widely used in the complex systems, is developed in view of environmental factors, human errors, organizational factors and mechanical failures in this complex socio-technical system. Findings The developed STAMP accident model and analytical results qualitatively provide an explicit understanding of the system hazards, constraints and hierarchical control structure of train operations on terminating tracks in the US passenger stations. Furthermore, the safety recommendations and practical options related to obstructive sleep apnea screening, positive train control-based collision avoidance mechanisms, robust system safety program plans and bumping posts are proposed and evaluated using the STAMP approach. Originality/value The findings from STAMP-based analysis can serve as valid references for policymakers, government accident investigators, railway practitioners and academic researchers. Ultimately, they can contribute to establishing effective emergent measures for train operations at passenger stations and promote the level of safety necessary to protect the public. The STAMP approach could be adapted to analyze various other rail safety systems that aim to ultimately improve the safety level of railroad systems.

Lian-chuan Ma,Dongmei Huang,Jian-cheng Mu,Yuan Cao

DOI: https://doi.org/10.2991/AIEA-16.2016.61

2016-11-12

Abstract:Commercial off-the-shelf (COTS) software and hardware components are widely used in the design of train control system. In order to satisfy the application requirements of the safety computer in train control system, it is necessary to analyze its safety properties. In this paper, a method of safety analysis for the safety computer is proposed. The safety properties of the safety computer in train control system are verified by establishing the system model of safety mechanism, and establishing a safety base in safety computer management units (SCMU), and measuring the safety of each part of the system step by step, and then establishing a safety chain. Finally, tests are carried out through a designed software fault injection tool to demonstrate the effectiveness of the proposed method.

Computer Science,Engineering

Jian Jiao,Yongfeng Jing,Shujie Pang

DOI: https://doi.org/10.3390/systems10050137

2022-01-01

Abstract:With the complexity of the socio-technical system, the requirement for safety analysis is growing. In actuality, system risk is frequently created by the interaction of numerous nonlinear-related components. It is essential to use safety assessment methods to identify critical risk factors in the system and evaluate the safety level of the system. An integrated safety assessment framework combining the system theoretic process analysis (STPA), the analytic network process (ANP) and system dynamics (SD) is suggested to analyze the safety level of socio-technical systems to achieve qualitative and quantitative safety evaluation. Our study constructs an STPA and SD integration framework to demonstrate the practical potential of combining STPA and SD approaches in terms of risk factors and causality. The framework uses the STPA method to define the static safety control structure of the system and analyzes the primary risk factors. The unsafe control actions (UCAs) from the STPA method are transformed into network layer elements of ANP. The ANP method is used to calculate the element weights, which are the impact coefficients between the system dynamics (SD) variables. The SD method is used to assess the safety level of the system. Finally, a specific coal mining system is used to demonstrate how the proposed hybrid framework works. The results indicated that the safety level of the system was low on days 38 and 120 of the simulation cycle (one quarter). Our work can overcome the limitations of conventional STPA quantitative analysis and simplify SD qualitative modeling to serve as a reference for complicated system safety/risk analysis work.

Zhigang MO,Hanbin LUO

DOI: https://doi.org/10.13890/j.issn.1000-128x.2018.03.018

2018-01-01

Abstract:Safety requirements of subway signaling system in operating stage were analysed, the potential risks of evaluating and controlling the signal system based on HAZOP (Hazard and Operability Analysis) and ALARP (as Low as Reasonably Practicable) affecting vehicle safety were proposed at the design stage. HAZOP was used to analyze the system risk qualitatively and locate the risk origin which could lead to a fatal failure, while ALARP risk matrix and experience grading were studied to ensure the risk level involved quantitatively. The ATC (on board) sub-system, as a typical example of signaling, the whole process of signaling system risk assessment based on HAZOP and ALARP was expounded in detail, and the relevant measures of risk control were given.

Zitong Zhou,Yanyang Zi,Jinglong Chen,Tong An

DOI: https://doi.org/10.3390/app9214530

2019-01-01

Applied Sciences

Abstract:Due to the complex mechanical structure and control process of escalator emergency braking systems (EEBS), traditional hazard analysis based on the event chain model have limitations in exploring component interaction failure in such a complex social-technical system. Therefore, a hazard analysis framework is proposed in this paper for hazard analysis of complex electromechanical systems based on system-theoretic accident model and process (STAMP). Firstly, basic principles of STAMP are introduced and comparison with other hazard analysis methods is conducted, then the safety analysis framework is proposed. Secondly, a study case is performed to identify unsafe control actions of EEBS from control structures, and a specific control diagram is organized to recognize potential example casual scenarios. Next, comparison between fault tree analysis and STAMP for escalator’s overturned accident shows that hazards related to component damaged can be identified by both, while hazards that focus on components interaction can only be identified by STAMP. Besides, single control way and tandem operation process are found to be the obvious causal factors of accidents. Finally, some improvement measures like decibel detection or vibration monitoring of key components are suggested to help the current broken chain detection to trigger the anti-reversal device for a better safe EEBS.

Asim Abdulkhaleq,Stefan Wagner,Daniel Lammering,Hagen Boehmert,Pierre Blueher

DOI: https://doi.org/10.48550/arXiv.1703.03657

2017-03-10

Software Engineering

Abstract:Safety has become of paramount importance in the development lifecycle of the modern automobile systems. However, the current automotive safety standard ISO 26262 does not specify clearly the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach was developed called STPA (Systems-Theoretic Process Analysis) which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessments (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system- level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.

Min Ouyang,Liu Hong,Ming-Hui Yu,Qi Fei

DOI: https://doi.org/10.1016/j.ssci.2010.01.002

IF: 6.392

2010-01-01

Safety Science

Abstract:Each hazard analysis technique is based on a model of accident causation. Most accident models regard accidents as resulting from a chain or sequence of events, such models are fit for accidents caused by failures of physical components and for relatively simple systems, but suffer from serious deficiencies when they are applied to software-intensive, complex engineering systems. Recently, a new accident model called System-Theoretic Accident Models and Process (STAMP) for system safety has been proposed, it is based on control theory and enforces constraints on hazards and thereby prevent accidents. In this paper, taking the China–Jiaoji railway accident happened on April 28, 2008 as an example, the STAMP approach has been used to analyze the railway accident and some improvement measures have been proposed. As the occurrence of one accident can cause many other accidents happen, based on the STAMP-based analysis, the accident spreading processes have also been discussed and modeled, which will be helpful to analyze accidents spreading in a broad sense and establish effective emergent measures for accident response management.

Xianhui Yang,Ming Xu,Yao Cheng

DOI: https://doi.org/10.1109/3CA.2010.5533881

2010-01-01

Abstract:The automatic train control system (ATC) is the safety critical system (SCS). Based on the revised parts of the ATC, this paper analyzes the risks which may be triggered by the parts of modification. The paper follows the international standard of railway function safety, and describes the relevant requirements and basic methods. From the basic structure of the ATC, the required safety integrity level (SIL) of each part of the system is discussed. The paper concludes the methods for risk analysis and evaluation in the modified system. They contain hazard identification, hazard validation, consequence analyzing, the methods for determining risk category, hazard severity, possible hazard frequency, stages for dividing risks and recommended management for eliminate and alleviate risks. Those results of the revised system were analyzed by using lists of hazard identification, hazard influence and hazard liber. And risk monitoring is implemented by using the hazard liber. © 2010 IEEE.

Asim Abdulkhaleq,Stefan Wagner,Nancy Leveson

DOI: https://doi.org/10.48550/arXiv.1612.03109

2016-12-09

Software Engineering

Abstract:Formal verification and testing are complementary approaches which are used in the development process to verify the functional correctness of software. However, the correctness of software cannot ensure the safe operation of safety-critical software systems. The software must be verified against its safety requirements which are identified by safety analysis, to ensure that potential hazardous causes cannot occur. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (Systems-Theoretic Processes Analysis) is a unique safety analysis approach that has been developed to identify system hazards, including the software-related hazards. This paper presents a comprehensive safety engineering approach based on STPA, including software testing and model checking approaches for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied to existing software systems, allow software and safety engineers integrate the analysis of software risks with their verification. The application of the proposed approach is illustrated with an automotive software controller.

Li Han,Jing Liu,Tingliang Zhou,Junfeng Sun,Xiaohong Chen

DOI: https://doi.org/10.1109/compsac.2016.182

2016-01-01

Abstract:The integration of formal methods and requirements analysis increases the dependability of safety-critical systems. However it is still very difficult to obtain all of the safety requirements in practice, and formally construct the safety requirements model as well. In this paper, we propose an approach to capture safety requirements and formally describe them by classifying and developing safety requirements specification patterns. Our classification is a result of extracting safety properties from a variety of sources, such as interlocking tables and existing safety relevant functional requirements of railway interlocking system. They contain safety properties at analysis level and design level respectively. Furthermore, safety specification patterns based on the classification are used to formally describe and organize the safety requirements for formal verification. Finally, a tool called SRSV has been developed to enhance the process from deriving safety requirements to verifying. We applied it to the interlocking system at Mohe station in China, and the generated safety properties were then checked to hold by the verification tool.

Zhaohui Liu,Zhiqiang Wu,Xiaohua Yang

DOI: https://doi.org/10.1299/jsmeicone.2015.23._icone23-1_199

2015-01-01

The Proceedings of the International Conference on Nuclear Engineering (ICONE)

Abstract:In NPP, the digital control system which integrated software and hardware are increasingly used to improve dependability and introduce new functionality. Traditional safety analysis can get a good result when handling accidents caused by component failures, but software does not fail in this way. STPA is a new hazard analysis technique based on systems theory rather than reliability theory. It considers the system as a whole (include the hardware and software) to analyze failure and causality of systems and treats safety as a control problem rather than a failure problem. Being a safety-critical system, RPS in NPP needs to be considered carefully in system safety. So, we adopt this new approach to analyze the design process. From the analysis results, we found that causal factors leading to safety accidents identified by STPA included all the hazards identified by the fault tree analysis. Furthermore, there are some causal factors that were identified by STPA only. We utilize these results of the analysis on causation factor to refine the safety requirements and reduce the occurrences of the hazardous scenarios.

Qi Zhang,Yanhui Zhuang,Yuguang Wei,Hao Jiang,Hao Yang

DOI: https://doi.org/10.1155/2020/3158468

IF: 2.249

2020-02-01

Journal of Advanced Transportation

Abstract:In order to make safety risk assessment more accurately and more reasonably for high-speed railway station in China, this paper analyzes risk factors of fault tree and transfers the fault tree of risk accident into fuzzy petri net and then builds the FPN-FTA model by combining the dynamic weighting fuzzy petri net (FPN) and fault tree analysis (FTA) based on the latter. This paper simulates the FTA-FPN model with Stateflow of Matlab software. Then, it builds up a bi-objective risk control model, making the minimum safety risk level and minimum necessary cost as the objectives, and it designs discrete particle swarm optimization algorithm to solve the risk control model. Finally, this paper selects stampede accident of Shijiazhuang high-speed railway station as an example in case study for assessing stampede risk level and gets the risk control schemes for this station. The results verify the feasibility and validity of the model and algorithm.

transportation science & technology,engineering, civil

Xisong Dong,Gang Xiong,Zhongdong Yu,Jiehan Yu,Guangxin Zhang

DOI: https://doi.org/10.1109/ICVES.2013.6619610

2013-01-01

Abstract:The research on crown behavior and evacuation laws in the case of unexpected emergency incidents such as fires, explosions, accidents, driving, man-made mistreats in relatively closed, personnel-intensive, and high-risk subway stations, have a good theory and practical significance. Based on ACP approach, the architecture of universal artificial system of subway station is put forward for the first time. And its construction process and its application and significance are provided. It can study crowd behavior and evacuation laws in subway stations in the case of emergency situations. It may provide technical support for designing subway stations, evaluating evacuation plans and training security management and personnel. And, it has also good theoretical and practical values in designing evacuation system, developing and optimizing evacuation plans. © 2013 IEEE.

Xiaohong Chen,Li Han,Jing Liu,Haiying Sun

DOI: https://doi.org/10.1109/rew.2016.055

2016-01-01

Abstract:Safety requirements are of great importance in Railway Interlocking Systems. However it is still very difficult to obtain all of the safety requirements in practice. In this paper, we propose an approach to capture safety requirements based on safety requirements patterns. From a variety of sources, such as interlocking tables and existing safety relevant functional requirements of railway interlocking system, we classify them and extract some safety requirement patterns in formal descripitions. Finally, a process to elicit safety requirements based on these patterns are given. We applied our approach to the interlocking system at Mohe station in China.