+ All Categories
Home > Documents > Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer...

Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer...

Date post: 19-Jan-2021
Category:
Upload: others
View: 2 times
Download: 0 times
Share this document with a friend
22
11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 1 Evaluation of STPA in the Safety Analysis of the Gantry 2 Proton Radiation Therapy System Martin Rejzek, Paul Scherrer Institute, Switzerland
Transcript
Page 1: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 1

Evaluation of STPA in the Safety Analysis of theGantry 2 Proton Radiation Therapy System

Martin Rejzek, Paul Scherrer Institute, Switzerland

Page 2: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 2

Agenda

• Proton Therapy at the Paul Scherrer Institute, Switzerland

• Evaluation of STPA for the Advanced Scanning Technique

– Scope of the Project

– Examples

• Conclusions

Page 3: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 3

Proton Therapy at thePaul Scherrer Institute, Switzerland

Page 4: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 4

PSI Center for Proton Therapy

• 250 MeV Proton accelerator (superconducting cyclotron)• Beamlines to 4 user areas• OPTIS• Gantry 1• Gantry 2• Experimental area

Page 5: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 5

Gantry 1

Sweeper magnet(1 dimension)

Dose monitoringRange shifter

Beam entersrotating Gantry

Page 6: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 6

Gantry 1 – Spot Scanning Technique

Elements of spot scanning:

• Beam on/off 50 µs• Sweeper magnet 5 ms/step• Range shifter 30 ms• Patient table 1 cm/s

•10‘000 spots to treat 1 liter volume

Page 7: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 7

Gantry 2

Sweeper magnets(2 dimensions) Dose monitoringBeam enters

rotating Gantry

Page 8: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 8

Gantry 2 – Advanced Scanning Technique

Advanced scanning:

• Increased speed• Increased flexibility• New treatment modalities

Page 9: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 9

Evaluation of STPA for theAdvanced Scanning Technique

Page 10: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 10

Scope of this Project

• Safety analysis done with classical methods• Evaluation of STPA as supplementary method for advanced scanning

– explored different approaches– considered different parts of whole facility

• Few examples:1) STPA during workshops2) How to model controllers that

can insert „veto“3) What is the reference for

inadequate timing and the„Thomas process“

Treatment Facility

Patient

Irradiation Treatment Operator

Nurse

Page 11: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 11

Evaluation of STPA for theAdvanced Scanning Technique

1) Performing STPA during workshops

Page 12: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 12

Recipe for a STPA Workshop – Step 1

• Performing STPA analysis during workshop with engineers–Preparation: Hierarchical control structure / high-level hazards–Table with guidewords

Page 13: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 13

Recipe for a STPA Workshop – Step 2

• Performing STPA analysis during workshop with engineers–Preparation: Hierarchical control structure / high-level hazards–Table with guidewords–Reduced process loop

Controller

(1) Control Algorithm(relevant part)

(3) Sensor 1

(3) Sensor 2

Param1Param2...

Param1Param2...

Var1Var2...

Var1Var2...Param1

Param2...

(2) Controller / Actuator Var1

Var2...

Influence1Influence2...

Page 14: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 14

Recipe for a STPA Workshop – Classification

Work in progress !

UCA = Unsafe Control Action

PV = Process Variable

Page 15: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 15

Evaluation of STPA for theAdvanced Scanning Technique

2) How to model controllers which can insert “veto”

Page 16: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 16

Controllers that can insert „Veto“

Typical Situation: • One Treatment Delivery System (TDS)

In Proton Therapy:• One source of beam for all treatment areas

Treatment Delivery System

Dose ControllerIntensity Controller

various actuators and sensors

Patient Treatment

Page 17: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 17

Controllers that can insert „Veto“

Treatment Delivery System

Dose ControllerIntensity Controller

Req. MasterSet Intensity

various actuators and sensors

Patient Treatment

Other Areas

Beam Allocator

Treatment Delivery System

Dose Controller

Intensity Controller

Set Intensity

various actuators and sensors

Patient Treatment

Beam Allocator

Other Areas

First approach: Second approach:

Page 18: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 18

Evaluation of STPA for theAdvanced Scanning Technique

3) What is the reference for inadequate timing

Page 19: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 19

Reference for Inadequate Timing

Personnel brings patientin room and installs him

Start

Pres. dose reached ?

Personnel leaves room

Turn beam on

Turn beam off

Personnel enters room

Personnel takes patient out

End

yes

Personnel brings patientin room and installs him

Start

Pres. dose reached ?

Personnel leaves room

Turn beam on

Turn beam off

Personnel enters room

Personnel takes patient out

End

yes

Dose Beam Patient Personnel

Personnel brings patientin room and installs him

Start

Pres. dose reached ?

Personnel leaves room

Turn beam on

Turn beam off

Personnel enters room

Personnel takes patient out

End

yes

Dose Beam Patient Personnel

null

null

null

accumulating

prescribed

prescribed

prescribed

off

off

off

on

off

off

off

out of room

in room

out of room

out of room

out of room

in room

out of room

out of room

in room

in room

in room

in room

in room

out of room

prescribeddose reached

Page 20: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 20

Reference for Inadequate Timing

Personnel brings patientin room and installs him

Start

Pres. dose reached ?

Personnel leaves room

Turn beam on

Turn beam off

Personnel enters room

Personnel takes patient out

End

yes

Dose Beam Patient Personnel

null

null

accumulating

accumulating

prescribed

prescribed

prescribed

off

off

on

on

off

off

off

out of room

in room

out of room

out of room

out of room

in room

out of room

out of room

in room

in room

in room

in room

in room

out of room

prescribeddose reached

Turn beam on

too early

too late

Xaccumulating on in roomin room

Page 21: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 21

Conclusions

• STPA is a very useful method–Results achievable in straitforward way and rather short time–Feasible to perform with non safety experts–Discussion points raised for components not yet developed

• Next steps–Finish this project–Compare Results with those of existing safety analysis–hopefully continue with STPA method

Page 22: Evaluation of STPA in the Safety Analysis of the Gantry 2 ... · Martin Rejzek, Paul Scherrer Institute, Switzerland 11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology

11.04.2012 STAMP/STPA Workshop - Massachusetts Institute of Technology - April 17-19, 2012 - (c) copyright by PSI, 2012 Page 22

Acknowledgments

Prof. Dr. Nancy LevesonBlandine AntoineMassachusetts Institute of Technology, US

Prof. Dr. Christian HilbesZurich University of Applied Sciences, CH

Dr. Martin GrossmannDr. David MeerCenter for Proton TherapyPaul Scherrer Institute, CH

Contacts:Dipl. el. Ing. FH Martin RejzekE-mail: [email protected]

Prof. Dr. Nancy LevesonE-mail: [email protected]

Blandine AntoineE-mail: [email protected]

Dr. Christian HilbesE-mail: [email protected]

Dr. Martin GrossmannE-mail: [email protected]

Dr. David MeerE-mail: [email protected]


Recommended