4th European STAMP Workshop 2016

STPA Tutorial - Part 2
Zürcher Fachhochschule
4th European STAMP Workshop, STPA Tutorial, Part 2
Tutorial Example - Railroad Crossing
• Gates on north and south side.
• Trains arrive from west or east side.
• Railroad Crossing Control System detects incoming train and secures the crossing for the train to pass.
• Once the train has passed, cars and people are allowed to cross again (safely).
Tutorial Example - Railroad Crossing
Railroad Crossing
• The designer's perspective?
– Railroad crossing system seen as a SysML model.
(Figure: SysML model of the railroad crossing. Use cases: Cross Railroad (Traffic) and Cross Railroad (Train), both «include» Cross Railroad Safely; Maintain Train Schedule. Actors: Pedestrian, Vehicle Driver, Train Driver, Railway Control Center. «block» elements inside the System Boundary: Railroad Crossing Control System, Train Proximity Sensor East, Train Proximity Sensor West, Gate North, Gate South. External elements: Railway Control Center («external»), Environmental Conditions; annotation "Has influence on complete system". Interfaces: Railway Control Center Interface, Sensor Signal East In/Out, Sensor Signal West In/Out, Gate Interface North, Gate Interface South, Gate Signals.)
Group Activity - STPA Step 1
• Assume the scope has been set.
– System boundary + System Level Accidents/Hazards
• The next step is to build a HCS for our system that will support the identification of Unsafe Control Actions.
• We will try to do this as a group activity:
– We will distribute a number of HCS variations to you.
– Discuss the differences and construct your own HCS (see next slide) that you will use for a Step 1 analysis.
– Go through a few CA and document any UCA on the template tables.
– Time for the activity: approx. 35 minutes.
– We will collect the results and make them available later.
(Figure: the SysML model of the railroad crossing from the previous slide, with an arrow to "Hierarchical Control Structure ???" and from there to "UCA's".)
Group Activity - STPA Step 1
• Proceed as follows for building a HCS:
– Identify all potential controllers involved in this system.
• Include their “interface”, i.e. control output and feedback input.
– Identify what type of element they act on.
• Another controller, or directly a process?
– Put controllers and processes into a control hierarchy by following the control path.
– Identify the feedbacks going back to the controllers.
– Make assumptions and extend the design model where necessary.
– You can use the flipcharts to capture your HCS(es).
A few Comments
• It is imperative to document the functional behavior of the controllers in a complete and accurate way.
– The HCS drawing alone is not sufficient to perform an analysis.
– Accurately defining a controller's task and role helps to identify misunderstandings!
• Starting the search for UCA close to the controlled process tends to simplify the effort.
– Whether a {CA, keyword, context} leads to a hazard is easier to see “close” to the process.
– Analyzing the impact of {CA, keyword} and determining a relevant context at the upper hierarchy echelons is not always straightforward.
• STPA is “robust”
– If you do not put an entity on the HCS it will show up in the control loops. It is hard to miss something.
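The HCS-building procedure from the previous slide and the "judge {CA, keyword, context} close to the process" advice above, as an added, runnable Python example that is not part of the tutorial's material. The control hierarchy, the single hazard H-1, the context variable train_approaching and every function and class name are assumptions constructed for the example; the four keywords are the standard STPA guide words for unsafe control actions, which the slides refer to only as "keyword". The model deliberately leaves Gate South without a feedback path and lets the Railway Control Center feed a schedule without being drawn, so that the two consistency checks (the "it will show up in the control loops" effect) have something to report.

```python
from dataclasses import dataclass
from itertools import product

# Standard STPA guide words for unsafe control actions (the slides say "keyword").
KEYWORDS = ("not provided", "provided",
            "too early / too late / out of order",
            "stopped too soon / applied too long")
RCCS = "Railroad Crossing Control System"
# Assumed system-level hazard; the slides say hazards were set but do not list them.
H1 = "H-1: crossing not secured while a train is approaching or in the crossing"

@dataclass(frozen=True)
class ControlAction:
    controller: str  # controller issuing the action
    target: str      # controller or process acted on
    name: str

@dataclass(frozen=True)
class Feedback:
    source: str      # process, sensor or controller reporting back
    controller: str  # controller receiving the feedback
    name: str

@dataclass
class HCS:
    """What is drawn on the chart plus the control and feedback paths."""
    controllers: set
    processes: set          # controlled processes and sensors
    control_actions: list
    feedbacks: list

    def undrawn_entities(self):
        """Entities used in a control loop but never drawn: the 'it will show
        up in the control loops' effect from the slide."""
        referenced = set()
        for ca in self.control_actions:
            referenced |= {ca.controller, ca.target}
        for fb in self.feedbacks:
            referenced |= {fb.source, fb.controller}
        return referenced - (self.controllers | self.processes)

    def open_loops(self):
        """Control actions whose target sends nothing back to the issuer."""
        closed = {(fb.source, fb.controller) for fb in self.feedbacks}
        return [ca for ca in self.control_actions
                if (ca.target, ca.controller) not in closed]

def hazard_of(ca, keyword, context):
    """Judge one {CA, keyword, context} triple close to the process: for the
    gate actions only the train's presence decides."""
    if not context["train_approaching"]:
        return None  # no train near: neither gate action can cause H-1
    if ca.name == "close gates" and keyword != "provided":
        return H1    # not closed, closed too late, or re-opened too soon
    if ca.name == "open gates" and keyword in ("provided", KEYWORDS[2]):
        return H1    # opened, or opened too early, while a train approaches
    return None

def unsafe_control_actions(hcs, contexts):
    """One row per hazardous triple, shaped like the UCA template table."""
    rows = []
    for ca in hcs.control_actions:
        for keyword, context in product(KEYWORDS, contexts):
            hazard = hazard_of(ca, keyword, context)
            if hazard:
                rows.append((ca.controller, ca.name, ca.target, keyword,
                             context["train_approaching"], hazard))
    return rows

def railroad_crossing_hcs():
    """Constructed HCS of the tutorial's crossing with two deliberate gaps."""
    return HCS(
        controllers={RCCS},
        processes={"Gate North", "Gate South",
                   "Train Proximity Sensor East", "Train Proximity Sensor West"},
        control_actions=[ControlAction(RCCS, gate, action)
                         for action in ("close gates", "open gates")
                         for gate in ("Gate North", "Gate South")],
        feedbacks=[
            Feedback("Train Proximity Sensor East", RCCS, "Sensor Signal East In"),
            Feedback("Train Proximity Sensor West", RCCS, "Sensor Signal West In"),
            Feedback("Gate North", RCCS, "gate position"),
            # Gap 1: Gate South reports no position back.
            # Gap 2: the Railway Control Center feeds a schedule but is not drawn.
            Feedback("Railway Control Center", RCCS, "train schedule"),
        ],
    )

CONTEXTS = ({"train_approaching": True}, {"train_approaching": False})

if __name__ == "__main__":
    hcs = railroad_crossing_hcs()
    print("undrawn entities:", hcs.undrawn_entities())
    print("open loops:", [(ca.name, ca.target) for ca in hcs.open_loops()])
    for row in unsafe_control_actions(hcs, CONTEXTS):
        print(row)
```

Running the block lists the Railway Control Center as an undrawn entity, the two Gate South actions as open loops, and ten hazardous rows: all of them in the train_approaching context, because at this level of the hierarchy the hazard judgement needs nothing beyond the state of the controlled process. Moving the same keywords up to the Railway Control Center would require first settling which context variables (schedule, line occupancy) matter there, which is the difficulty the slide describes.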
Real World Example - Feedwater Level Control of Nuclear Power Plant
Feedwater level control
(Figure: plant schematic, numbered as follows.)
1 Reactor
2 Steam generator
3 Reactor coolant pump
4 Pressuriser
5 High-pressure turbine
6 Water separator
7 Superheater
8 Low-pressure turbine
9 Condenser
10 Condensate pump
11 Low-pressure preheater
12 Feedwater tank
13 Feedwater pump
14 High-pressure preheater
System Architecture (reconstructed from the manufacturer's design documentation)
Now... where do you want to start?
Rejzek M. Use of STPA in digital instrumentation and control systems of nuclear power plants. 2nd European STAMP Workshop; 2014, Germany
Identification of Functional Entities
Recombination into HCS
After elimination of Non-Controllers
• With this view, the way to go is much clearer!
Rejzek M. Use of STPA in digital instrumentation and control systems of nuclear power plants. 2nd European STAMP Workshop; 2014, Germany
Contact:
Christian Hilbes
[email protected]
http://www.zhaw.ch/iamp/sks