Fusa_002_Safety Analysis Approach-STPA
In my last blog, we had an overview of the safety analysis methods and made a summary about them. In this blog, let us talk about a specific and commonly used safety analysis approach: STPA.

1-  STPA Overview

STPA is short for System-Theoretic Process Analysis. It is a modern hazard analysis method, developed by Leveson in 2012.
Just like the FTA (Fault Tree Analysis) method, STPA is a deductive, top-down analysis method.
STPA is based on the system theory STAMP (Systems-Theoretic Accident Model and Processes). It focuses on analyzing the dynamic behavior of systems, and in this way provides significant advantages over the traditional hazard analysis methods.

The goal of STPA is to identify accident scenarios that encompass the entire accident process. Additional goals are to provide guidance to users and the information necessary to guide the design process, and to make the method usable before a design has been created. STPA is also applicable to existing designs or systems.
STPA requires a control structure diagram for the hazard analysis, consisting of the components of a system and their paths of control and feedback. It is important to mention that STPA can be applied at any stage, such as the design phase and the operational phase. The control structure is demonstrated in the following section.

2-  STPA Process

The typical STPA process is demonstrated in the picture below. There are four main activities defined in the STPA analysis process:

  • Define analysis scope

  • Develop control structure diagram

  • Step 1: Identify unsafe control actions

  • Step 2: Identify causal scenarios

Some STPA processes combine "define analysis scope" and "develop control structure diagram" into one activity, "establish fundamentals", with the two as its sub-activities. Since those two steps mainly prepare for the following analysis, this does not differ much from the process defined in the picture.

2.1     Define Analysis Scope

The main tasks of the "define analysis scope" activity are:

  • Define the system boundary

  • Define accidents and unacceptable losses for the system

  • Identify system hazards

  • Define safety constraints and safety requirements of the system

The difference between a system accident and a system hazard:

  • System Accident (Loss)

An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. It may involve environmental factors outside our control.

  • System Hazard

A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss). It is something we can control in the design.

The following sub-steps describe how to identify them.

2.1.1 System boundary

Before we analyze the system, we must have a clear understanding of it, including the system's functional behaviors, system elements and system boundary.

2.1.2 Define accidents and unacceptable losses for the system

In this step, all system accidents and unacceptable losses need to be listed, as in the table below.


2.1.3 System hazards identification

Use the following table to list all the system hazards.

2.1.4 Define the system constraints

Based on the identified system hazards, the system safety constraints and system safety requirements can be defined in order to make the system safe.

These system safety requirements or constraints must be made at the highest level.

2.2     Develop control structure diagram

Based on the generic safety control structure shown below, the detailed system structure shall be developed.

  • Human Controller: the operator of the system.
  • Controller: the controller of the system.
  • Actuator: actuates the physical process as ordered by the Controller.
  • Controlled Process: the physical controlled process.
  • Sensor: senses the physical controlled process and gives feedback to the Controller.

For a better understanding of this step, and of what kind of detailed structure shall be made, I found an ACC-BCM system structure on the internet for reference.

2.3     Step 1: Identify unsafe control actions

When the fundamental preparations are done, the STPA analysis work can start. This step is split into two sub-steps: Step 1-a and Step 1-b.

2.3.1 Step 1-a: Identify the UCAs

This step identifies the unsafe control actions (UCAs) that could cause the system hazards. This can be done in a systematic way using the following table.

2.3.2 Step 1-b: Derive the system constraints

The lower-level system constraints can be derived from the identified UCAs.

2.4     Step 2: Identify causal scenarios

Once the control structure has been revised, causal scenarios can be identified for each of the unsafe control actions. The causal factors in the picture below can be used to guide the generation of causal scenarios. Notice that more design information may be incorporated at this stage, such as information about the controller's process model and other control inputs.

The following table can be used to define the causal scenarios that violate the system constraints.
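A runnable sketch of the whole procedure from the analysis scope through Step 2, as an added example that is not code from the original post or from the MIT STPA material: it models accidents, hazards and the control actions of the control structure, generates the Step 1-a worksheet cells, derives the Step 1-b constraints by negating each UCA, checks that every UCA traces back to a hazard and every hazard to an accident, and produces Step 2 causal-factor prompts. The adaptive cruise control (ACC) sample system, its contexts and all A-/H-/UCA-/SC- identifiers are constructed; the four UCA guide words are STPA's own, and the two causal-factor groups follow Leveson's STPA material rather than the picture referenced above.

```python
# Added STPA worked example: losses -> hazards -> control structure -> UCAs
# (Step 1-a) -> constraints (Step 1-b) -> causal-scenario prompts (Step 2).
# The ACC sample system and all A-/H-/UCA-/SC- ids below are constructed.
from dataclasses import dataclass
from itertools import product

# The four UCA guide words of STPA Step 1 (Leveson).
UCA_TYPES = ("not provided", "provided",
             "provided too early, too late or out of order",
             "stopped too soon or applied too long")
# Step 1-b: a controller constraint is the negation of its UCA.
NEGATION = {"not provided": "must provide",
            "provided": "must not provide",
            UCA_TYPES[2]: "must provide in time and in order",
            UCA_TYPES[3]: "must provide for the required duration"}


@dataclass(frozen=True)
class Hazard:
    hid: str
    text: str
    accidents: tuple  # ids of the accidents (losses) this hazard can lead to


@dataclass(frozen=True)
class ControlAction:
    name: str
    controller: str  # issuing controller, from the control structure diagram
    controlled: str  # actuator / controlled process that receives the command


@dataclass(frozen=True)
class UCA:
    uid: str
    action: ControlAction
    uca_type: str   # one of UCA_TYPES
    context: str    # condition under which the action is unsafe
    hazards: tuple  # ids of the hazards this UCA leads to


# --- constructed sample: a simplified adaptive cruise controller (ACC) ---
ACCIDENTS = {"A-1": "Collision with the vehicle ahead",
             "A-2": "Rear-end collision by a following vehicle"}
HAZARDS = (Hazard("H-1", "Vehicle violates the minimum distance to the vehicle ahead", ("A-1",)),
           Hazard("H-2", "Vehicle decelerates abruptly without need", ("A-2",)))
ACTIONS = (ControlAction("brake", "ACC controller", "brake actuator"),
           ControlAction("accelerate", "ACC controller", "powertrain"))
CONTEXTS = ("when the lead vehicle is closer than the safe distance",
            "when the lead vehicle is farther than the safe distance")


def uca_table(actions, contexts, types=UCA_TYPES):
    """Step 1-a worksheet: every (control action, guide word, context) cell
    the analyst has to judge as hazardous or not."""
    return list(product(actions, types, contexts))


# The analyst's judgement of the hazardous cells (constructed).
SAMPLE_UCAS = (UCA("UCA-1", ACTIONS[0], UCA_TYPES[0], CONTEXTS[0], ("H-1",)),
               UCA("UCA-2", ACTIONS[0], UCA_TYPES[1], CONTEXTS[1], ("H-2",)),
               UCA("UCA-3", ACTIONS[0], UCA_TYPES[2], CONTEXTS[0], ("H-1",)),
               UCA("UCA-4", ACTIONS[1], UCA_TYPES[1], CONTEXTS[0], ("H-1",)))


def derive_constraints(ucas):
    """Step 1-b: one lower-level safety constraint per UCA, by negation."""
    return [f"SC-{u.uid.split('-')[1]}: {u.action.controller} "
            f"{NEGATION[u.uca_type]} '{u.action.name}' {u.context}" for u in ucas]


def check_traceability(ucas, hazards, accidents):
    """Every UCA must trace to a defined hazard and every hazard to a defined
    accident; returns the dangling references (empty when consistent)."""
    known = {h.hid for h in hazards}
    problems = [f"{h.hid} -> undefined accident {a}"
                for h in hazards for a in h.accidents if a not in accidents]
    problems += [f"{u.uid} -> undefined hazard {h}"
                 for u in ucas for h in u.hazards if h not in known]
    return problems


def scenario_prompts(uca):
    """Step 2: causal-factor prompts for one UCA, grouped into controller-side
    and control-path causes (grouping from Leveson's STPA material, not the post)."""
    c, a, p = uca.action.controller, uca.action.name, uca.action.controlled
    return {"controller": [f"{c} holds a wrong process model {uca.context}",
                           f"{c}'s control algorithm is flawed for this context",
                           f"{c} gets missing, delayed or wrong sensor feedback"],
            "control path": [f"'{a}' is commanded but {p} executes it wrongly or late",
                             f"'{a}' is delayed or lost between {c} and {p}"]}


if __name__ == "__main__":
    print(len(uca_table(ACTIONS, CONTEXTS)), "cells to judge in the Step 1-a table")
    print(*derive_constraints(SAMPLE_UCAS), sep="\n")
    print("traceability problems:", check_traceability(SAMPLE_UCAS, HAZARDS, ACCIDENTS))
    print(scenario_prompts(SAMPLE_UCAS[0]))
```

The worksheet generated by `uca_table` is the systematic part of Step 1-a: with two control actions, four guide words and two contexts it yields 16 cells, and the analyst's job is to decide which of them lead to a hazard. `check_traceability` is the consistency check worth running before Step 2, since a UCA that points at no hazard, or a hazard that points at no accident, means the analysis scope from Section 2.1 is incomplete.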

3-  SW-STPA

STPA can also be used for software safety analysis, where it is named SW-STPA. Unlike the general form of the STPA safety control structure, SW-STPA has no actuators, sensors, controllers or controlled processes, so the safety control structure shall be adapted when developing the control structure in SW-STPA. The generic safety control structure of SW-STPA is demonstrated below.

Once I have a better understanding of STPA and SW-STPA, I am considering writing a separate blog about SW-STPA.


5-  About this WeChat Public Account: 功能安全沙龙

功能安全沙龙 is a WeChat Public Account used as a technical sharing platform on the following topics:

  • ISO-26262

  • SOTIF / ISO 21448

  • Cyber-security/J3061 or ISO-21434

  • Powertrain Control of PHEV and EV

  • ADAS or ADS or AD vehicles
