Wenbo Zhang,Xiangkun Meng,Jianyuan Wang,Tieshan Li,Qihe Shan,Fei Teng

DOI: https://doi.org/10.1109/iccss53909.2021.9722016

2021-12-10

Abstract:Automatic crane is a complex system affected by the external environment and the internal components of the system, information fusion, software and hardware combination, and man-machine integration. The improvement of its automation and informatization proposes various challenges in the accident model construction and safety analysis. However, the safety analysis methods based on fault types consider that the occurrence of accidents is linear and ignore the correlation among components of the system. This paper adopts the system-theoretic accident model and process (STAMP) and system-theoretic process analysis (STPA) mode is to implement safety analysis of the automatic crane trolley running system (ACTRs). The paper starts from the identification of system-level losses and hazards, clarifies the function and internal logical control relationships of the system’s components, and then finds potential unsafe control actions (UCAs) and loss scenarios during the trolley running. The results show that the control requirements for the regular operation of the trolley running system can be analyzed in detail. Therefore, the STAMP/STPA can apply to the safety investigation of automatic cranes.

Asim Abdulkhaleq,Stefan Wagner,Daniel Lammering,Hagen Boehmert,Pierre Blueher

DOI: https://doi.org/10.48550/arXiv.1703.03657

2017-03-10

Software Engineering

Abstract:Safety has become of paramount importance in the development lifecycle of the modern automobile systems. However, the current automotive safety standard ISO 26262 does not specify clearly the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach was developed called STPA (Systems-Theoretic Process Analysis) which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessments (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system- level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.

XIONG Li,LIANG Jun,QIAN Jixin

DOI: https://doi.org/10.3321/j.issn:0438-1157.2007.02.022

2007-01-01

Abstract:The outer relationship was projected to inner latent variables space with orthogonal components by the partial least squares(PLS)algorithm while simultaneously compressing data blocks.Some advantages of using this approach as part of control system design include automatic decoupling and efficient loop pairing.While the method could not erase the correlation of latent variables completely,PID controller would not be competent enough to handle the control.A methodology was proposed for controller design with optimization and control algorithm in the subspace defined by dynamic latent variable models,and its application to a pressurized breast box and a distiller was illustrated to show how this strategy works.

Guangshuang Ge,Liangliang Sun,Yan Fu Li

DOI: https://doi.org/10.1109/issrew55968.2022.00087

2022-01-01

Abstract:Autonomous delivery vehicles (ADVs) are derivatives of autonomous driving technology. With the rapid development of autonomous driving technology and the rapid rise in demand for terminal logistics and distribution, ADVs have gradually entered commercial operation in many cities, thus it brings higher requirements to the reliability of ADVs. Because of bill of material (BOM) cost pressure, most autopilot sensors and domain controllers of ADVs are not strictly follow passenger vehicle standards and regulations, the ADVs' reliability is very critical. The traditional methods of process hazard analysis (PHA) e.g. HAZOPs, FMEAs, FT A, etc., use a system divide approach. The to be analyzed system is breaking down into component level, and the risks or hazard of each component are analyzed separately. The two important assumptions of the traditional methods are: 1. the system's properties are not changed when it is broken down into component level; 2. the accidents are caused by component failures. However, in an ADV, the system becomes complex since the system effects may be missed, and this assumption is questionable; further, an ADV accidents can happen even there is no component failure. The system level hazard analysis cannot be fully determined only at the component level, but out of interactions of systems. Systems Theoretic Process Analysis (STP A) is a structured system level approach to analyze hazard. Based on the premise that accidents happen when the control is inadequate or lost, STPA approach decodes hazards related not only to component failures, but also to design errors, flawed controller requirements, interaction failures, human errors, and other errors. In this paper, the STPA method is used to analyze various risks and hazards of ADVs, and finally construct an abnormality monitoring system for autonomous driving sensors. Engineering practice shows that this method can effectively monitor the abnormality of sensor data links.

Rongyao Cai,Xiao Xv,Zhengming Lu,Kexin Zhang,Yong Liu

DOI: https://doi.org/10.1109/isas61044.2024.10552597

2024-01-01

Abstract:Fault tree analysis is the most commonly used methodology in industrial safety analysis to predict the probability or frequency of system failure. Although fault tree analysis has been proposed for more than six decades, the assumptions used in most commercial fault tree analysis codes have not changed significantly, which limits the ability of the method to represent design, operation, and maintenance characteristics in the context of the increasing complexity and specialization of modern industrial systems. The basic setup of traditional fault trees is unable to include dependencies between events, time-varying failures, and repair rate realities to explain complex maintenance strategies. To address the above shortcomings, we propose a fusion tree model combining fault tree and attack tree, and simplify the causal structure of the fusion tree by modularization, and utilize the dynamic Markov model to represent the complex coupling relationship between components or nodes. Finally, we demonstrate the calculation process of fusion tree in pressure vessel systems with temporal control.

Yi Qi,Yi Dong,Siddartha Khastgir,Paul Jennings,Xingyu Zhao,Xiaowei Huang

2023-07-17

Abstract:Systems Theoretic Process Analysis (STPA) is a systematic approach for hazard analysis that has been used across many industrial sectors including transportation, energy, and defense. The unstoppable trend of using Machine Learning (ML) in safety-critical systems has led to the pressing need of extending STPA to Learning-Enabled Systems (LESs). Although works have been carried out on various example LESs, without a systematic review, it is unclear how effective and generalisable the extended STPA methods are, and whether further improvements can be made. To this end, we present a systematic survey of 31 papers, summarising them from five perspectives (attributes of concern, objects under study, modifications, derivatives and processes being modelled). Furthermore, we identify room for improvement and accordingly introduce DeepSTPA, which enhances STPA from two aspects that are missing from the state-of-the-practice: (i) Control loop structures are explicitly extended to identify hazards from the data-driven development process spanning the ML lifecycle; (ii) Fine-grained functionalities are modelled at the layer-wise levels of ML models to detect root causes. We demonstrate and compare DeepSTPA and STPA through a case study on an autonomous emergency braking system.

Software Engineering

Asim Abdulkhaleq,Stefan Wagner,Nancy Leveson

DOI: https://doi.org/10.48550/arXiv.1612.03109

2016-12-09

Software Engineering

Abstract:Formal verification and testing are complementary approaches which are used in the development process to verify the functional correctness of software. However, the correctness of software cannot ensure the safe operation of safety-critical software systems. The software must be verified against its safety requirements which are identified by safety analysis, to ensure that potential hazardous causes cannot occur. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (Systems-Theoretic Processes Analysis) is a unique safety analysis approach that has been developed to identify system hazards, including the software-related hazards. This paper presents a comprehensive safety engineering approach based on STPA, including software testing and model checking approaches for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied to existing software systems, allow software and safety engineers integrate the analysis of software risks with their verification. The application of the proposed approach is illustrated with an automotive software controller.

Asim Abdulkhaleq,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.1612.00330

2016-12-01

Software Engineering

Abstract:Context: Today's safety critical systems are increasingly reliant on software. Software becomes responsible for most of the critical functions of systems. Many different safety analysis techniques have been developed to identify hazards of systems. FTA and FMEA are most commonly used by safety analysts. Recently, STPA has been proposed with the goal to better cope with complex systems including software. Objective: This research aimed at comparing quantitatively these three safety analysis techniques with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master and bachelor students applying these three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision and avoidance. Results: The results showed that there is no statistically significant difference between these techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency is obtained. Conclusion: We conclude that STPA seems to be an effective method to identify software safety requirements at the system level. In particular, STPA addresses more different software safety requirements than the traditional techniques FTA and FMEA, but STPA needs more time to carry out by safety analysts with little or no prior experience.

Feilong Zhang,Liangchao Chen,Bo Zhang,Jianwen Zhang,Qianlin Wang,Pengchao Wang,Jianfeng Yang,Zhan Dou

DOI: https://doi.org/10.1002/prs.12604

2024-04-06

Process Safety Progress

Abstract:The deep integration of information technology and process industry production systems makes system failure increasingly multi‐source and multi‐scale. In contrast to conventional hazard methods, system theoretic process analysis (STPA) can analyze the hazards in system control processes from the perspective of interactions among the system components. Theoretically, this method offers advantages that are better suited for modern production systems. However, as of now, the integration between STPA and process industrial production systems is still lacking. To address this issue, this study improved the original STPA method. First, we propose the "5 flows" concept for the process industrial cyber‐physical systems. The systems are described using multilevel flow modeling (MFM). This leads to the development of the MSTPA method, which is specifically designed to analyze the cyber‐physical hazards in process industrial production systems. Subsequently, the cyber‐physical hazards of a fluidized‐bed catalytic cracking unit are analyzed in detail using the MSTPA method as an example. The results show that MSTPA can identify cyber‐physical hazards in multiple dimensions. It is proved that, compared with the original STPA and traditional hazard methods, the MSTPA method can better identify cyber‐physical hazards in process industrial production systems.

engineering, chemical

Yukun Tian,Jianghai Li,Xiaojin Huang

DOI: https://doi.org/10.1115/icone29-93395

2022-01-01

Abstract:Abstract Cyber security risk analysis can identify and assess factors that may damage to the system such as digital instrumentation and control system of nuclear power plants. Performing cyber security risk analysis is important for instrumentation and control system of nuclear power plants because it could assess overall impacts of risks and help to identify vulnerabilities to determine next steps to address security risks. With the integration of information system and physical system, cyber security of information system and functional safety of physical system interact with each other, resulting in a type of new comprehensive security problem and introducing serious security risks. Most of the existing cyber security risk analysis methods pay more attention to cyberattacks like attack tree analysis method, Petri net method, and Bayesian network method. STPA-SafeSec is a top-down security risk analysis method focusing on the system itself based on system theory, which starts from unacceptable losses of the system and pays attention to the causal factors that produce unsafe control. In this paper, STPA-SafeSec is applied to the primary circuit pressure control system of high temperature gas-cold reactors in order to perform the hazard analysis of integrated risk assessment for both functional safety and cyber security. The application details are given and a part of the hazardous scenarios tree is obtained for the formulation of mitigation strategies.

Simon Diemert,Jens H. Weber

2023-04-02

Abstract:Self-adaptive systems are able to change their behaviour at run-time in response to changes. Self-adaptation is an important strategy for managing uncertainty that is present during the design of modern systems, such as autonomous vehicles. However, assuring the safety of self-adaptive systems remains a challenge, particularly when the adaptations have an impact on safety-critical functions. The field of safety engineering has established practices for analyzing the safety of systems. System Theoretic Process and Analysis (STPA) is a hazard analysis method that is well-suited for self-adaptive systems. This paper describes a design-time extension of STPA for self-adaptive systems. Then, it derives a reference model and analysis obligations to support the STPA activities. The method is applied to three self-adaptive systems described in the literature. The results demonstrate that STPA, when used in the manner described, is an applicable hazard analysis method for safety-critical self-adaptive systems.

Systems and Control,Software Engineering

Ji Ge,Yu-Yuan Zhang,Kai-Li Xu,Ji-Shuo Li,Xi-Wen Yao,Chun-Ying Wu,Shuang-Yuan Li,Fang Yan,Jin-Jia Zhang,Qing-Wei Xu

DOI: https://doi.org/10.48550/arXiv.2105.04340

2021-05-10

Abstract:Major accidents (e.g., the Space Shuttle Challenger disaster in the USA, the Bhopal Disaster in India, Fukushima nuclear accident in Japan, Tianjin Port fire and explosion accident in China) have occurred all over the world. Safety scientists are always trying to understand why these accidents happened and how to prevent these accidents. Accident models and theories form the basis for many safety research fields and practices such as investigation of accidents, design of a safer system and decision making on safety related field. There is no universally accepted model with useful elements relating to understanding accident causation, although many accident causation models exist. Based on STAMP and RMF, we proposed a new theory named the Interaction Theory of Hazard-Target System (ITHTS) that incorporate human, organisational and technological characteristics in the same framework. Accident analysis methods provide the necessary information to analysis the accident in a specific setting. In order to solve the issues that current accident analysis methods still face, we proposed a new systemic accident analysis method based on ITHTS and STPA. We choose Tianjin Port fire and explosion accident in China as a case study to demonstrate the viability of the Interaction Theory of Hazard-target System and the applicability of the new accident analysis method. It is concluded that ITHTS can explain the phenomena in safety practice and the new accident analysis method can be application in the explanation and analysis of major accident.

Systems and Control

Jinghua Yu,Stefan Wagner,Feng Luo

DOI: https://doi.org/10.48550/arXiv.2006.09108

2020-06-16

Cryptography and Security

Abstract:The in-vehicle diagnostic and software update system, which supports remote diagnostic and Over-The-Air (OTA) software updates, is a critical attack goal in automobiles. Adversaries can inject malicious software into vehicles or steal sensitive information through communication channels. Therefore, security analysis, which identifies potential security issues, needs to be conducted in system design. However, existing security analyses of in-vehicle systems are threat-oriented, which start with threat identification and assess risks by brainstorming. In this paper, a system-oriented approach is proposed on the basis of the System-Theoretic Process Analysis (STPA). The proposed approach extends the original STPA from the perspective of data flows and is applicable for information-flow-based systems. Besides, we propose a general model for in-vehicle diagnostic and software update systems and use it to establish a security analysis guideline. In comparison with threat-oriented approaches, the proposed approach shifts from focusing on threats to system vulnerabilities and seems to be efficient to prevent the system from known or even unknown threats. Furthermore, as an extension of the STPA, which has been proven to be applicable to high level designs, the proposed approach can be well integrated into high-level analyses and perform co-design in different disciplines within a unified STPA framework.

Hao Wang,Kim Fung Tsang,Chung Kit Wu

DOI: https://doi.org/10.1109/tce.2023.3348767

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:The diagnosis (i.e., risk analysis) of the elevator system is a significant challenge with the rapid growth of the elevator market in consumer electronics. The traditional elevator diagnosis strategies focus on detecting faults or predicting potential malfunctions. However, these solutions largely hinge on qualitative risk assessments, delivering risky or risk-free outcomes. As a result, the task of comprehending the level of risk and subsequently developing countermeasures that are appropriately adaptable presents a formidable challenge. To address this challenge, an IEEE 2668-compliant Adaptive Quantitative Risk Analysis strategy (AQRAS) using system theoretical process analysis (STPA) is proposed in this paper. The AQRAS analyzes the risk of the elevator system with a safety index (SDex) ranging from 0 to 5, using measurements derived from the Internet-of-Things (IoT) network. The SDex was inspired by the IoT maturity index (IDex) created by the IEEE 2668 global standard for evaluating IoT-related applications. Consequently, the AQRAS is an IEEE 2668-compliant development for elevator diagnosis. Specifically, incorporating STPA into the AQRAS improves the key assessment feature identification compared to the original framework. The feature recognition in the original IDex framework lacks an instructive technique. To complete this, the STPA finds out the key features by analyzing the interactions among intra-system components, which makes it more exhaustive and methodical. Moreover, the complex network is utilized to investigate the relationships between the features and therefore identify the riskiest components that could be impacted by the features. This allows for the adaptive design of countermeasures to mitigate the risks. Leveraging both the experimental and simulation data, two case studies are presented to demonstrate the application of AQRAS in two different scenarios.

telecommunications,engineering, electrical & electronic

Hu Jianbo,Zheng Lei,Xu Shukui

DOI: https://doi.org/10.21629/jsee.2018.06.20

IF: 1.363

2018-01-01

Journal of Systems Engineering and Electronics

Abstract:The wheel brake system safety is a complex problem which refers to its technical state, operating environment, human factors, etc., in aircraft landing taxiing process. Usually, professors consider system safety with traditional probability techniques based on the linear chain of events. However, it could not comprehensively analyze system safety problems, especially in operating environment, interaction of subsystems, and human factors. Thus, we consider system safety as a control problem based on the system-theoretic accident model, the processes (STAMP) model and the system theoretic process analysis (STPA) technique to compensate the deficiency of traditional techniques. Meanwhile, system safety simulation is considered as system control simulation, and Monte Carlo methods are used which consider the range of uncertain parameters and operation deviation to quantitatively study system safety influence factors in control simulation. Firstly, we construct the STAMP model and STPA feedback control loop of the wheel brake system based on the system functional requirement. Then four unsafe control actions are identified, and causes of them are analyzed. Finally, we construct the Monte Carlo simulation model to analyze different scenarios under disturbance. The results provide a basis for choosing corresponding process model variables in constructing the context table and show that appropriate brake strategies could prevent hazards in aircraft landing taxiing.

automation & control systems,engineering, electrical & electronic,operations research & management science

Ali Nouri,Christian Berger,Fredrik Törner

DOI: https://doi.org/10.1109/SEAA60479.2023.00011

2024-03-14

Abstract:Safety analysis is used to identify hazards and build knowledge during the design phase of safety-relevant functions. This is especially true for complex AI-enabled and software intensive systems such as Autonomous Drive (AD). System-Theoretic Process Analysis (STPA) is a novel method applied in safety-related fields like defense and aerospace, which is also becoming popular in the automotive industry. However, STPA assumes prerequisites that are not fully valid in the automotive system engineering with distributed system development and multi-abstraction design levels. This would inhibit software developers from using STPA to analyze their software as part of a bigger system, resulting in a lack of traceability. This can be seen as a maintainability challenge in continuous development and deployment (DevOps). In this paper, STPA's different guidelines for the automotive industry, e.g. J31887/ISO21448/STPA handbook, are firstly compared to assess their applicability to the distributed development of complex AI-enabled systems like AD. Further, an approach to overcome the challenges of using STPA in a multi-level design context is proposed. By conducting an interview study with automotive industry experts for the development of AD, the challenges are validated and the effectiveness of the proposed approach is evaluated.

Software Engineering,Machine Learning

Yiwei Fu,Xiaohua Zhang,Lei Chen,Zengyao Tian,Kaiyuan Hou,Haikuan Wang

DOI: https://doi.org/10.35833/MPCE.2020.000608

IF: 4.469

2022-01-01

Journal of Modern Power Systems and Clean Energy

Abstract:Accurate transient stability assessment (TSA) and effective preventive control are important for the stable operation of power systems. With the superiorities in precision and efficiency, data-driven methods are widely used in TSA nowadays. Data-driven TSA model can be adopted in the stability constraints of preventive control optimization, but existing methods are mostly iteration-based ones, which may result in low efficiency, sometimes even non-convergence. In this paper, an analytical representation method of data-driven transient stability constraint is proposed based on a non-parametric regression model built for TSA. Key feature extraction and dominant sample selection are proposed to reduce the scale of the TSA model, and bi-level linearization is applied to further modify it. Optimal preventive control model is then formulated as a mixed-integer linear program (MILP) problem with the linearized analytical data-driven transient stability constraint, which can be solved without iterations. An overall procedure of data-driven TSA and preventive control is finally developed. Case studies show that the proposed method has high accuracy in TSA and can achieve effective preventive control of power system with high efficiency.

Jing Hu,Chenglin Wen,Ping Li,Tianqi Yuan

DOI: https://doi.org/10.1016/j.jfranklin.2013.10.007

IF: 4.246

2014-01-01

Journal of the Franklin Institute

Abstract:Partial least squares (PLSs) often require many latent variables (LVs) T to describe the variations in process variables X correlated with quality variables Y, which are obtained via the traditional nonlinear iterative PLS (NIPALS) optimal solution based on (X, Y). Total projection to latent structures (T-PLSs) performs further decomposition to extract LVs Ty directly related to Y from T, which are obtained by the PCA optimal solution based on the predicted value of Y. Inspired by T-PLS, combined with practical process characteristics, two fault detection approaches are proposed in this paper to solve problems encountered by T-PLS. Without the NIPALS, (X, Y) are projected into the latent variable space determined by main variations of Y directly. Furthermore, the structure and characteristics of several modified methods in statistical analysis are studied based on calculation procedures of solving PCA, PLS and T-PLS optimization problems, and the geometric significance of the T-PLS model is demonstrated in detail. Simulation analysis and case studies both indicate the effectiveness of the proposed approaches.

Craig Innes,Andrew Ireland,Yuhui Lin,Subramanian Ramamoorthy

DOI: https://doi.org/10.1145/3597512.3599698

2023-06-07

Abstract:A key goal of the System-Theoretic Process Analysis (STPA) hazard analysis technique is the identification of loss scenarios - causal factors that could potentially lead to an accident. We propose an approach that aims to assist engineers in identifying potential loss scenarios that are associated with flawed assumptions about a system's intended operational environment. Our approach combines aspects of STPA with formal modelling and simulation. Currently, we are at a proof-of-concept stage and illustrate the approach using a case study based upon a simple car door locking system. In terms of the formal modelling, we use Extended Logic Programming (ELP) and on the simulation side, we use the CARLA simulator for autonomous driving. We make use of the problem frames approach to requirements engineering to bridge between the informal aspects of STPA and our formal modelling.

Logic in Computer Science,Systems and Control

Yali Wu,Gui Fu,Meng Han,Qingsong Jia,Qian Lyu,Yuxin Wang,Zhirong Wu

DOI: https://doi.org/10.1016/j.jlp.2022.104880

IF: 3.916

2022-12-01

Journal of Loss Prevention in the Process Industries

Abstract:Owing to the flammable, explosive, and toxic characteristics of hazardous chemicals, chemical accidents always result in significant losses. Analysis of the parameters of process safety is an effective way to prevent hazardous chemical accidents and reduce losses. To promote the application of systemic accident models in practice, in this study, we clarify the theoretical elements of such models based on the development of system thinking and system science. Then, we discuss the characteristics of a new systemic model called 24Model and its systems thinking. We explore the differences in the practical application of different systemic models (System-Theoretic Accident Model and Processes (STAMP), Functional Resonance Accident Model (FRAM), and 24Model by analyzing a major hazardous chemical explosion accident that occurred in Tianjiayi Chemical Co., Ltd. in China. The results show that the elements of the systemic accident model are the system structure, component relationship, and dynamic behaviors. 24Model is proven to be a new systemic accident model developed by utilizing sequential models. The comparative results of the three analysis methods show that FRAM is suitable for accident prediction rather than accident analysis. STAMP and 24Model perform better in terms of the usability and reliability of accident analysis. Although STAMP fails to elaborately indicate the internal organizational causes of the accident, it is suitable for a small number of accidents in socio-technical systems. 24Model is a structured method for accident analysis and safety management frame of organization. With the classified accident causes and fewer training resources, it is more suitable for a number of accidents statistics and analysis. Finally, a universal frame to prevent hazardous chemical accidents is provided for companies and regulators.

engineering, chemical