Abstract
STPA (System-Theoretic Process Analysis) is a new hazard analysis technique designed to “eliminate or control scenarios” before they result in losses (Leveson 2011). STPA is based upon an analysis of loss of functional control of a process rather than on an analysis of failure of individual components. Therefore, the model that is used in STPA is a functional control diagram rather than a physical component diagram (Leveson 2011). Unlike other hazard analyses, STPA provides guidance to its users. In addition, STPA can be used before a system is designed and can therefore inform the design process (Leveson 2011), whereas other hazard analyses rely on an existing design before the analysis can be performed. Use of a hazard analysis such as STPA to guide the design of a system is called “safety-guided design” (Leveson 2011).
STPA
STPA (System-Theoretic Process Analysis) is a new hazard analysis technique designed to “eliminate or control scenarios” before they result in losses (Leveson 2011).
As opposed to more traditional hazard analyses, the STPA process goes hand in hand with STAMP (Systems-Theoretic Accident Model and Processes) and was designed to account for the following causal factors in accidents, which have been identified through STAMP (Leveson 2011):
Design errors, including software flaws;
Component interaction accidents;
Complex human decision-making errors; and
Social, organizational, and management factors.
STPA is based upon an analysis of loss of functional control of a process rather than on an analysis of failure of individual components. Therefore, the model that is used in STPA is a functional control diagram rather than a physical component diagram (Leveson 2011).
STPA involves two main steps. First, for each step in the system process, the potential for inadequate control that could lead to hazardous conditions is evaluated; both inadequate control actions and inadequate enforcement of system safety constraints are considered. Then, for each control action that is deemed lacking or inadequate, a new or improved hierarchical control and/or system safety constraint is developed to address the issue (Leveson 2011). Potential degradation of control actions is also evaluated so that added protection against the degradation can be developed (Leveson 2011). System audits may be incorporated into the control action to check for unplanned conditions that may affect compliance with a system safety constraint.
Unlike other hazard analyses, STPA provides guidance to its users. In addition, STPA can be used before a system is designed and can therefore inform the design process (Leveson 2011), whereas other hazard analyses rely on an existing design before the analysis can be performed. STPA can thus be used at any stage in the system lifecycle (Leveson 2011). These two factors are especially beneficial to human controllers, who can use the STPA process to design a system or to correct a system in real time. Finally, because the STPA process is focused on an evaluation of functional control, if it is followed thoroughly and correctly it should establish clear lines of communication for the human controller, as well as outline clear instructions for action under different system and environmental conditions.
For example, the STPA process could be used to establish proper procedures for human controllers to issue a self-destruct command during a rocket launch in the event that anomalous conditions occur. The STPA process could be used to determine what variables would warrant this command at each step in the launch sequence. In a recent real-life scenario (Fecht 2015), a self-destruct command was issued when a rocket was detected to be breaking apart. It was later revealed that the pressure in the liquid oxygen (LOX) tank was the cause of the break-up. STPA could have been used to determine that the self-destruct command would have been more appropriately applied once the pressure in the LOX tank was detected to exceed a certain level, rather than after the rocket was already breaking up. Luckily, this incident was only a near miss, as all of the pieces of the rocket were destroyed in this instance, rather than only some of them.
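As an added illustration (not code from this paper, from Leveson (2011) or from any STPA tool), the following Python script carries out the first STPA step described above for the self-destruct command: it builds a context table from the process-model variables the controller would need, classifies the command in each context using three of the STPA guide phrases (not provided, provided, provided too late), and turns each unsafe control action into a safety constraint for the second step. The variable names, the hazard wording and the pre-liftoff rule are constructed assumptions for this example.

```python
from itertools import product

# Process-model variables a launch safety controller would track (constructed
# for this example; a real analysis derives them from the control structure).
PROCESS_MODEL = {
    "phase": ("pre_liftoff", "ascent"),
    "lox_pressure": ("nominal", "over_limit"),
    "vehicle": ("intact", "breaking_up"),
}

def contexts():
    """One dict per combination of process-model values (the rows of the context table)."""
    names = list(PROCESS_MODEL)
    return [dict(zip(names, vals)) for vals in product(*PROCESS_MODEL.values())]

def classify(ctx):
    """STPA step 1 for one context: which guide phrase makes the self-destruct
    command unsafe here, and what hazard results. The ascent rules follow the
    paper's reasoning; the pre-liftoff rule is an added assumption."""
    if ctx["phase"] == "pre_liftoff":
        return "provided", "destruct on the pad endangers ground personnel"
    if ctx["vehicle"] == "breaking_up":
        return "provided too late", "break-up already under way; debris may survive"
    if ctx["lox_pressure"] == "over_limit":
        return "not provided", "vehicle breaks up uncontrolled"
    return "provided", "healthy vehicle destroyed"

def unsafe_control_actions():
    """List (guide phrase, context, hazard) for every row of the context table."""
    return [(phrase, ctx, hazard)
            for ctx in contexts() for phrase, hazard in [classify(ctx)]]

def safety_constraints(action="issue self-destruct"):
    """Input to STPA step 2: one enforceable constraint per unsafe control action."""
    templates = {
        "not provided": "Controller must {a} when {c}",
        "provided": "Controller must not {a} when {c}",
        "provided too late": "Controller must {a} before the system reaches {c}",
    }
    out = []
    for phrase, ctx, hazard in unsafe_control_actions():
        c = ", ".join(f"{k}={v}" for k, v in ctx.items())
        out.append(f"{templates[phrase].format(a=action, c=c)} [hazard: {hazard}]")
    return out

if __name__ == "__main__":
    for line in safety_constraints():
        print(line)
```

Adding a variable to PROCESS_MODEL (for example a later launch phase) grows the table automatically, which is how the analysis is refined as the design is refined.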
Safety-Guided Design Process
Use of a hazard analysis such as STPA to guide the design of a system is called “safety-guided design” (Leveson 2011). The safety-guided design process starts with an attempt to eliminate as many hazards as possible in a conceptual design. After this step, system safety constraints and a control structure are applied to try to eliminate the potential hazards that still exist in the system. STPA is used to determine the scenarios that might involve violation of the safety constraints and/or affect the control structure. Additional measures and/or a redesign may be applied to address these residual concerns. Finally, these steps are repeated as the design, safety constraints, and control structure are refined to eliminate all hazards.
For example, STPA can be used in a safety-guided design process for the use of industrial robotics. Specifically, the process can be used to design the role and function of the robotics in a certain task or set of tasks in a system, to establish the dimensions and features of the robotics, and to design the interface between any human controllers and the robotics.
Human behavior and human error are also constraints within a system. Certain human behaviors and types of errors can be predicted based upon the overall mental, emotional, and physical capacity of humans. Therefore, STPA can be used to account for human behavior and human error as a parameter to control in a system. Systems can be designed to be error-tolerant, meaning that they allow a human controller to monitor his/her own performance, to observe errors, and to correct them before unintended consequences occur. In order for an error-tolerant system to succeed, however, the human reaction time must be faster than the time it takes for unintended consequences to occur. Therefore, it is important to assign human controllers to tasks that appropriately match human characteristics (such as physical reaction time). A frequent example of systems that are not appropriately designed to account for this involves rail incidents in which pedestrians on the tracks are hit by the train. Train engineers remain responsible for pulling the emergency brake if a pedestrian is on the tracks, but often cannot pull it fast enough, or even at all, before the pedestrian is hit (Copeland 2010). In these scenarios, a better detection method for pedestrians on the tracks, and perhaps automation of the braking system, would be more appropriate.
References
Copeland, L. (2010, April 6). Pedestrian deaths by train remain steady. USA Today. http://usatoday30.usatoday.com/news/nation/2010-04-04-train-peds_N.htm.
Fecht, S. (2015, June 30). Air Force sent self-destruct command to broken SpaceX rocket. Popular Science. http://www.popsci.com/air-force-sent-self-destruct-command-spacex-rocket.
Leveson, N. G. (2011). Engineering a safer world: Systems thinking applied to safety. Cambridge, MA and London: The MIT Press.