Zürcher Fachhochschule 4th European STAMP Workshop, STPA Tutorial, Part 2
4th European STAMP Workshop 2016
STPA Tutorial - Part 2
Tutorial Example - Railroad Crossing
• Gates on north and south side.
• Trains arrive from west or east side.
• Railroad Crossing Control System detects incoming train and secures the crossing for the train to pass.
• Once the train has passed, cars and people are allowed to cross again (safely).
Tutorial Example - Railroad Crossing
• The designer's perspective?
– Railroad crossing system seen as a SysML model.
[Figure: SysML model of the Railroad Crossing. Use cases: Cross Railroad (Traffic), Cross Railroad (Train), Cross Railroad Safely (with «include» relations), Maintain Train Schedule. Actors: Train Driver, Pedestrian, Vehicle Driver, Railway Control Center; Environmental Conditions has influence on the complete system. Inside the System Boundary: «block» Train Proximity Sensor East (Sensor Signal East Out), «block» Train Proximity Sensor West (Sensor Signal West Out), «block» Gate North (Gate Interface), «block» Gate South (Gate Interface), «block» Railroad Crossing Control System (Sensor Signal East In, Sensor Signal West In, Gate Interface North, Gate Interface South, Railway Control Center Interface); «external» Railway Control Center (Railway Control Center Interface). Flows: Sensor Signal, Gate Signals.]
Group Activity - STPA Step 1
• Assume the scope has been set.
– System boundary + System Level Accidents/Hazards
• The next step is to build an HCS for our system that will support the identification of Unsafe Control Actions.
• We will try to do this as a group activity:
– We will hand out a number of HCS variations.
– Discuss the differences and construct your own HCS (see next slide) that you will use for a Step 1 analysis.
– Go through a few CAs and document any UCAs on the template tables.
– Time for the activity: approx. 35 minutes.
– We will collect the results and make them available later.
[Figure: the SysML model of the Railroad Crossing (same diagram as above) is to be turned into a Hierarchical Control Structure (???), from which the UCAs are derived.]
Group Activity - STPA Step 1
• Proceed as follows for building an HCS:
– Identify all potential controllers involved in this system.
• Includes their "interface", i.e. control output and feedback input.
– Identify what type of element they act on.
• Another controller, or directly a process?
– Put controllers and processes into a control hierarchy by following the control path.
– Identify the feedbacks going back to the controllers.
– Make assumptions and extend the design model where necessary.
– You can use the flipcharts to capture your HCS(es).
A few Comments
• It is imperative to document the functional behavior of the controllers in a complete and accurate way.
– The HCS drawing alone is not sufficient to perform an analysis.
– Accurately defining a controller's task and role helps to identify misunderstandings!
• Starting the search for UCAs close to the controlled process tends to simplify the effort.
– Whether a {CA, keyword, context} leads to a hazard is easier to see "close" to the process.
– Analyzing the impact of {CA, keyword} and determining a relevant context at the upper hierarchy echelons is not always straightforward.
• STPA is "robust"
– If you do not put an entity on the HCS, it will show up in the control loops. It is hard to miss something.
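To make the HCS-building steps and the {CA, keyword, context} search concrete, here is an added Python sketch (not part of the tutorial material) that encodes the railroad crossing HCS as data, generates the Step 1 candidate table for the controller closest to the process, and checks the "robustness" point by listing entities that appear in a control loop but were never drawn. The control action names, the feedback signal names beyond the SysML ports, and the two contexts are assumptions.

```python
"""STPA Step 1 helpers for the railroad crossing tutorial example.
Constructed example; action/feedback names and contexts are assumptions."""
from dataclasses import dataclass
from itertools import product

# The four UCA keyword types applied to every control action (CA).
KEYWORDS = ("not provided", "provided when unsafe",
            "too early / too late / wrong order",
            "stopped too soon / applied too long")

@dataclass
class Controller:
    name: str
    actions: dict    # controlled element -> tuple of control actions issued
    feedback: dict   # feedback source -> tuple of feedback signals received

# HCS following the control path top-down: Railway Control Center above the
# Railroad Crossing Control System, which acts directly on the two gates.
HCS = (
    Controller("Railway Control Center",
               {"Railroad Crossing Control System": ("Train schedule update",)},
               {"Railroad Crossing Control System": ("Crossing status",)}),
    Controller("Railroad Crossing Control System",
               {"Gate North": ("Close gate", "Open gate"),
                "Gate South": ("Close gate", "Open gate")},
               {"Train Proximity Sensor East": ("Sensor Signal East",),
                "Train Proximity Sensor West": ("Sensor Signal West",),
                "Gate North": ("Gate position North",),
                "Gate South": ("Gate position South",)}),
)
PROCESSES = {"Gate North", "Gate South"}          # elements acted on directly
CONTEXTS = ("train approaching", "no train approaching")  # assumed contexts

def loop_entities(hcs):
    """Every element taking part in some control loop (acted on or feeding back)."""
    ents = set()
    for c in hcs:
        ents |= set(c.actions) | set(c.feedback)
    return ents

def missing_from_hcs(hcs, processes):
    """Entities left off the HCS drawing that still surface in the loops."""
    drawn = {c.name for c in hcs} | processes
    return sorted(loop_entities(hcs) - drawn)

def lowest_controller(hcs):
    """The controller acting directly on a process: start the UCA search here."""
    names = {c.name for c in hcs}
    return next(c for c in hcs if not any(t in names for t in c.actions))

def uca_candidates(controller, contexts):
    """All {CA, keyword, context} triples to judge in the Step 1 template table."""
    cas = sorted({ca for acts in controller.actions.values() for ca in acts})
    return list(product(cas, KEYWORDS, contexts))
```

Here the two proximity sensors were deliberately not drawn as HCS elements, and `missing_from_hcs` reports them because they feed back into a loop.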
Real World Example - Feedwater Level Control of Nuclear Power Plant
[Figure: plant schematic with feedwater level control highlighted. Legend: 1 Reactor, 2 Steam generator, 3 Reactor coolant pump, 4 Pressuriser, 5 High-pressure turbine, 6 Water separator, 7 Superheater, 8 Low-pressure turbine, 9 Condenser, 10 Condensate pump, 11 Low-pressure preheater, 12 Feedwater tank, 13 Feedwater pump, 14 High-pressure preheater.]
System Architecture (reconstructed from manufacturer's design documentation)
Now... where do you want to start?
Rejzek M. Use of STPA in digital instrumentation and control systems of nuclear power plants. 2nd European STAMP Workshop; 2014, Germany
Identification of Functional Entities
Recombination into HCS
After elimination of Non-Controllers
• With this view, the way to go is much clearer!
Rejzek M. Use of STPA in digital instrumentation and control systems of nuclear power plants. 2nd European STAMP Workshop; 2014, Germany
Contact:
Christian Hilbes
http://www.zhaw.ch/iamp/sks