Abstract
Various methods of hazard analysis have been developed. Two of these are System-Theoretic Process Analysis (STPA) and the Safety-Guided Design Process, and this essay focuses on both. The first part covers STPA: the process of using it, the background behind it, and how the technique fits into systems engineering. It also describes how the process is adapted to accommodate human controllers. The second part covers the Safety-Guided Design Process and how it is applied in industrial robotics, including how the technique accommodates humans in control systems, that is, how human error is managed and how systems are designed for error tolerance. Scenarios are used to show how STPA and the Safety-Guided Design Process apply in particular situations.
System-Theoretic Process Analysis (STPA)
System-Theoretic Process Analysis (STPA) is a hazard analysis method based on the Systems-Theoretic Accident Model and Processes (STAMP) causality model (Leveson, 2011). STPA can be used to investigate potentially hazardous flaws, including system design errors, software flaws, and unsafe interactions among system components (Ishimatsu et al., 2014). According to Leveson (2011), one of the main reasons for developing STPA was to include the causal factors present in STAMP that earlier techniques did not handle: rather than focusing only on electromechanical component failures, STPA aims to identify accident scenarios that span the entire accident process. A second goal was to guide the analyst towards better results. The third was to provide a technique that can be used before a design exists, supplying the necessary information at the start of the design process rather than only after the design is complete. STPA can nevertheless be applied at any point in a system's life cycle. It shares the general goal of any other hazard analysis method, namely gathering information about how the system's behavioural safety constraints could be violated, and it produces the documentation needed to ensure that those constraints are enforced in design, development, manufacturing and operations, including the changes that naturally occur in these processes over time. The inputs to STPA are the functional control structure diagram, the system hazards, and the system-level safety requirements and constraints; its outputs are the safety constraints and requirements for the individual components. When STPA is used for safety-guided design, this information is available before the detailed design begins.
Such requirements and constraints are then refined and allocated to the corresponding individual components of the system as the design and analysis iterations proceed.
STPA comprises two major steps (Leveson, 2011). The first step identifies the inadequate control actions that have the potential to lead to a hazard. Hazardous states result from inadequate control or from safety constraints that are not enforced, and this can happen in four ways: a control action required for safety is not provided or is not followed; an unsafe control action is provided; a control action that would otherwise be safe is provided too early or too late; or a control action required for safety is stopped too soon or applied too long. The second step determines how each potentially hazardous control action identified in the first step could occur. Several decisions follow from this step. First, for each control action that could be unsafe, the control loop is examined to find the parts of the loop that could trigger it; if no existing controls prevent it, controls and mitigation measures are designed, as is also the case when the analysis is performed on an existing design. Where multiple controllers share the same safety constraint or component, conflicts and coordination problems must be identified. Second, the ways in which the controls could degrade over time are considered so that protection can be built in. This includes managing the change process so that the safety constraints are preserved in planned changes, and performing periodic performance audits: the assumptions made during the hazard analysis become the preconditions that operational controls and audits check, so that unplanned changes violating the safety constraints are detected early. Accident and incident analysis is performed to trace anomalies back to the hazards and to the system design (Leveson, 2011).
STPA can also be adapted to accommodate human controllers (Leveson, 2011). This is done by adding a process model for the human to the analysis, which allows a human to control a process indirectly through an automated controller. If a human is to monitor or supervise an automated controller, for example, the system must be designed so that the human can obtain information about the state of both the controlled process and the automated controller. In STPA this additional process model is used in Step 2, the causal analysis. It must also account for the fact that a human controller's control algorithm is dynamic, changing with experience and circumstances, whereas an automated controller executes a fixed control algorithm.
A typical scenario is a designer who writes an operating procedure for an operator. The designer works from his own model of the controlled process, but the real process may not behave as designed and may change over time. The operator, as a controller, has to deal with the system as it actually exists and must update his process model from feedback, just as in any other control loop. At times this requires the operator to experiment in order to understand the controlled system's behaviour and current state, and then to use that information to alter his control algorithm. An operator given a pallet truck, for example, may try the brakes, clutch, steering and accelerator to get a feel for how the truck handles before driving it into the warehouse. Whenever the operator suspects a failure in the controlled process he will experiment to diagnose it and find a proper response, and in trying to optimise performance his control algorithm will change over time as he learns more about the automated system. His motivation and goals may also change. Automated controllers, by contrast, are designed against a single fixed set of requirements derived from the designer's model of the controlled process and its environment.
References
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.
Nakao, H., Katahira, M., Miyamoto, Y., & Leveson, N. (2011). Safety guided design of crew return vehicle in concept design phase using STAMP/STPA. In Proceedings of the 5th IAASS Conference (pp. 497-501).
Safety-Guided Design Process
Safety-guided design is a design process that begins by trying to eliminate the hazard from the design. If elimination proves impossible or would require unacceptable trade-offs, the next options, in order of preference, are to reduce the likelihood of the hazard occurring, to reduce its negative consequences if it does occur, and to limit damage by putting contingency plans in place (Leveson, 2011).
The safety-guided design process has been applied to robot control (Leveson, 2011), and Leveson explains how it proceeds. If the hazard is instability of the robot, the first objective is to eliminate it from the system design. One way is to make the robot's base so heavy that the manipulator arm cannot make it unstable regardless of how the arm is positioned. A heavy base has disadvantages, such as making the robot hard to move in an emergency. A wide and long base avoids that problem but may violate an environmental constraint on the space the robot occupies, and further changes to the robot's structure may violate other constraints or create other problems. When eliminating the hazard in this way proves impractical, the next option is to control it at the system level, keeping design decisions open as long as possible. A control structure is created and responsibility for enforcing the safety constraints is assigned to its components. The initial stage identifies the general hazards; as design decisions are proposed and analysed, both the hazards and the design constraints are refined, and the design proceeds in parallel with the refinement of the constraints. STPA is used to identify, for each component of the system, the hazardous control actions that could violate the design constraints.
The STPA approach treats the system as a network of interacting control loops (Leveson, 2011). The hazards are identified and converted into high-level system safety constraints, and a basic control structure is defined. The interacting control loops are drawn in a control structure diagram that guides the analysis. Each control action is evaluated for its potential to contribute to a hazard, and any control action found to be unsafe is used to refine the system safety constraints. Finally, the analyst determines how each potentially hazardous control action could occur and, where the existing controls are inadequate, recommends further mitigation (Nakao, Katahira, Miyamoto, & Leveson, 2011).
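The robot-instability scenario above and the four Step 1 categories from the STPA section can be run as a small executable model. The following Python is an added example written for this page, not code from Leveson or from any cited work: it assumes a hypothetical single-axis arm on a fixed base with made-up masses and dimensions, a motion controller that tracks an operator's reach target, and the four kinds of unsafe control action produced as deviations of the controller's intended action sequence and screened by simulation against the stability constraint. All names (Robot, simulate, stpa_step1, constrained_controller) and all figures are the example's own.

```python
"""STPA Step 1 on the robot-instability hazard. H1: the robot tips. SC1: the
arm's overturning moment must stay below the base's restoring moment. Lengths
are whole decimetres and g cancels, so the stability check is exact integers."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    EXTEND = "extend"
    RETRACT = "retract"
    HOLD = "hold"


MOVE = {Action.EXTEND: 1, Action.RETRACT: -1, Action.HOLD: 0}  # dm per step


@dataclass(frozen=True)
class Robot:                      # constructed figures, not a real robot
    base_mass_kg: int = 300
    base_half_width_dm: int = 4   # base centre to the tipping edge
    payload_kg: int = 50
    max_reach_dm: int = 30        # mechanical limit of the arm

    def is_stable(self, reach_dm: int) -> bool:
        # payload*reach < base_mass*half_width  ->  stable while reach < 24 dm
        return self.payload_kg * reach_dm < self.base_mass_kg * self.base_half_width_dm

    def move(self, reach_dm: int, action: Action) -> int:
        return min(max(reach_dm + MOVE[action], 0), self.max_reach_dm)


def simulate(robot: Robot, actions: list[Action]) -> Optional[int]:
    """1-based step at which the arm first becomes unstable (H1), else None."""
    reach = 0
    for step, a in enumerate(actions, start=1):
        reach = robot.move(reach, a)
        if not robot.is_stable(reach):
            return step
    return None


def naive_controller(reach_dm: int, target_dm: int) -> Action:
    """Tracks the operator's target and knows nothing about SC1."""
    if reach_dm < target_dm:
        return Action.EXTEND
    if reach_dm > target_dm:
        return Action.RETRACT
    return Action.HOLD


def closed_loop(robot: Robot, ctl: Callable[[int, int], Action],
                target_dm: int, horizon: int) -> list[Action]:
    """The action sequence the controller intends to issue over `horizon` steps."""
    actions, reach = [], 0
    for _ in range(horizon):
        a = ctl(reach, target_dm)
        actions.append(a)
        reach = robot.move(reach, a)
    return actions


def not_provided(actions: list[Action], action: Action) -> list[Action]:
    """Category 1: `action` is never issued; the preceding action persists."""
    out, prev = [], Action.HOLD
    for a in actions:
        a = prev if a == action else a
        out.append(a)
        prev = a
    return out


def too_late(actions: list[Action], action: Action, steps: int) -> list[Action]:
    """Category 3: the first `action` arrives `steps` late; horizon unchanged."""
    i = actions.index(action)
    prev = actions[i - 1] if i else Action.HOLD
    return (actions[:i] + [prev] * steps + actions[i:])[:len(actions)]


def applied_too_long(actions: list[Action], action: Action, steps: int) -> list[Action]:
    """Category 4: the first run of `action` continues `steps` past its end."""
    i = j = actions.index(action)
    while j < len(actions) and actions[j] == action:
        j += 1
    return actions[:j] + [action] * steps + actions[j + steps:]


def stpa_step1(robot: Robot) -> dict[str, tuple[str, Optional[int]]]:
    """Screen candidate unsafe control actions by simulation: value is the step at
    which H1 occurs, or None when the deviation only costs the mission."""
    h = 30
    intended = closed_loop(robot, naive_controller, 20, h)  # 20 dm is a safe target
    return {  # category 2 needs no mutator: the naive controller produces it at 30 dm
        "UCA-1": ("HOLD not provided at target", simulate(robot, not_provided(intended, Action.HOLD))),
        "UCA-2": ("EXTEND provided into unstable position", simulate(robot, closed_loop(robot, naive_controller, 30, h))),
        "UCA-3": ("HOLD 4 steps too late", simulate(robot, too_late(intended, Action.HOLD, 4))),
        "UCA-4": ("EXTEND applied 6 steps too long", simulate(robot, applied_too_long(intended, Action.EXTEND, 6))),
        "no-UCA-a": ("EXTEND not provided: arm never moves", simulate(robot, not_provided(intended, Action.EXTEND))),
        "no-UCA-b": ("HOLD 3 steps late: inside the 4 dm margin", simulate(robot, too_late(intended, Action.HOLD, 3))),
    }


def constrained_controller(robot: Robot) -> Callable[[int, int], Action]:
    """Step 2 refinement for UCA-2/UCA-3: never issue EXTEND into an unstable position."""
    def ctl(reach_dm: int, target_dm: int) -> Action:
        a = naive_controller(reach_dm, target_dm)
        if a is Action.EXTEND and not robot.is_stable(robot.move(reach_dm, a)):
            return Action.HOLD
        return a
    return ctl
```

Two things the table shows that the prose does not: screening by simulation separates a hazard from a mere mission loss (the no-UCA rows), and it exposes the margin the design actually has (a 3-step delay in HOLD is tolerated, a 4-step delay is not). constrained_controller is the Step 2 refinement for UCA-2 and UCA-3 expressed as a component safety constraint on the motion controller. It does nothing for UCA-4, where the actuator keeps extending after the controller has stopped commanding it; in the control-structure view that calls for a second controller or a physical interlock at the actuator, not another rule in the same controller.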
The safety-guided design process can also be used for human controllers. The difficulty is handling human error, which is inherent in any human controller. Appropriate design can reduce human error and so improve the safety of human-controlled systems: what is known about human mental abilities is incorporated into the design of the other attributes of the system, including the tools, the operating environment and the tasks (Leveson, 2011). Humans can be given responsibility for safety in a control system only if they are also given adequate control options; sufficient options give the operator the flexibility to respond to unsafe or undesired behaviour instead of being constrained by the lack of them. Design principles that apply here include design for incremental control, design for redundant paths, and design for error tolerance. Human error can be reduced by making safety-enhancing actions natural and easy, and making them difficult to do wrong or to omit. Another effective approach is to design the system so that the error is either obvious or physically impossible. One scenario involves the design of valves. To make valves impossible to interchange, their connections can be given different sizes; alternatively, assembly errors can be prevented with asymmetric connections or with male and female connections. Connection errors can also be made obvious by colour-coding the different valves.
References
Ishimatsu, T., Leveson, N. G., Thomas, J. P., Fleming, C. H., Katahira, M., Miyamoto, Y., & Hoshino, N. (2014). Hazard analysis of complex spacecraft using systems-theoretic process analysis. Journal of Spacecraft and Rockets, 51(2), 509-522.
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.