Zürcher Fachhochschule; © M. Rejzek Fourth STAMP Workshop, March 23-26, 2015, MIT Boston
Safety Driven Design with UML and STPA
Martin Rejzek, Sven Krauss, Christian Hilbes
Zurich University of Applied Sciences, Switzerland
System and Safety Engineering
A typical situation:
(Figure: the System Engineer / Developer and the Safety Engineer as two separate roles, with the Product and the Safety Case as the two deliverables.)
System and Safety Engineering
The challenges with this situation:
• Product development and safety management separated
• Different teams, methods, terminology
• Different processes and mindset
(Figure: the development V-model with the phases System and System Requirements Definition, System Architecture Design, Subsystem Design, Implementation, Integration and Testing, and Validation, placed next to the risk management process of Hazard Identification, Risk Assessment, Risk Reduction and Risk Evaluation; a "?" marks the missing link between the two.)
System and Safety Engineering
The challenge is even more severe for complex systems involving sub-contractors:
(Figure: the same V-model (System and System Requirements Definition, System Architecture Design, Subsystem Design, Implementation, Integration and Testing, Validation) and the same risk management process (Hazard Identification, Risk Assessment, Risk Reduction, Risk Evaluation), now with Sub-Contractor 1 and Sub-Contractor 2 responsible for parts of the development phases; the "?" again marks the missing link between development and safety activities.)
Processes
(Figure: a "V-Model Zoo" of development process variants and, next to it, a collection of Risk Management Processes.)
System and Safety Engineering
System Engineer / Developer:
• Model based development with UML
• UML Case Tools
• Automated Code Generation
Safety Engineer:
• FTA, FMEA, HAZOP, …
• Dedicated Tools
System and Safety Engineering
A typical situation in smaller companies: System Engineer = Developer = Safety Engineer
The developer wants to do a good job but has no chance to cope with "everything" …
Solution: empower the developer to incorporate the safety aspects right into system development.
(Figure: the single developer role delivering both the Product and the Safety Case.)
State of the Art in Systems Engineering: Model Based Development with UML
Structural diagrams:
• Class Diagram
• Object Diagram
• Package Diagram
• Component Diagram
• Composite Structure Diagram
• Deployment Diagram
Behavioral diagrams:
• UseCase Diagram
• Sequence Diagram
• Activity Diagram
• StateMachine Diagram
• Interaction (Overview) Diagram
• Communication Diagram
• Timing Diagram
(Figure: all diagrams are views on a common Model Repository.)
Example
Fictitious example (examples from our industry partners are confidential):
(Figure: illustration adapted from Y.S. Weng, et al., Design of Traffic Safety Control Systems for Railroads and Roadways Using Timed Petri Nets.)
System Concept Development: System Definition
Model system requirements as UML UseCase diagram.
(Figure: UseCase diagram of the example system.)
System Concept Development: System Architecture
Initial architecture concept as SysML Block diagram.
• Suitable for a systematic safety analysis? … No
STPA Hierarchical Control Structure for System Concept Development
We propose to use a Hierarchical Control Structure for system concept development instead.
(Figure: Hierarchical Control Structure of the example system.)
STPA Hierarchical Control Structure: Support for Multiple Levels of Detail
(Figure: the same control structure shown at several levels of detail.)
Block Diagram vs. Hierarchical Control Structure (HCS)
• Block diagram
– Focus on components emphasizes component failures
– Was not designed as a basis for systematic safety analysis
• Hierarchical Control Structure
– Is designed as a basis for safety analysis with STPA Step 1
– Step 1 questions correspond to questions the developer would naturally ask
• Critical challenge: do not force the developer to change scope/mindset. Therefore…
– Capture the HCS and perform Step 1 in the same UML case tool
– Invent new UML diagram types for HCS and Step 1
STPA Step 1
Proposal for STPA Step 1 diagram:
(Figure: each row of the diagram connects a Control Action, combined with a Keyword and a Logical operator, to the resulting Unwanted Process Reaction/State, and from there to the Hazard and the derived Safety Constraint.)
System Development and Traceability
• New diagram types to model functional architecture and safety analysis
• Standard UML diagrams to progress system development and model detailed implementation
(Figure: both kinds of diagram are stored in one Model Repository.)
System Development and Traceability
Traceability between elements:
• From design model to STPA
• From Control Action to System Level Losses
(Figure: System Level Definitions, Hierarchical Control Structure and Step 1 linked in the model.)
Graph Visualization
Visualizing elements and relationships as a graph allows:
• Seeing the "big picture"
• Analyzing the relevance of controllers
• Doing a safety constraint impact analysis
(Figure: graph from Controllers ... to System Level Losses.)
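As an added example that is not part of the slides or the authors' tool, the following Python sketch stores the Step 1 chain (Control Action, Unwanted Process Reaction/State, Hazard, Safety Constraint) and the Controller-to-System-Level-Loss traceability as a small directed graph, then performs the two analyses named above: relevance of controllers and safety constraint impact. All element names are constructed for a fictitious railroad crossing; the Step 1 Keyword appears only as a comment on each edge.

```python
from collections import defaultdict, deque
# Constructed traceability edges for a fictitious railroad crossing (not the authors' model).
# Prefixes mark the STPA element types: Controller, CA = Control Action, UPS = Unwanted
# Process Reaction/State, H = Hazard, SC = Safety Constraint, L = System Level Loss.
EDGES = [
    ("Controller:CrossingController", "CA:LowerBarrier"),
    ("Controller:CrossingController", "CA:SetRoadSignalRed"),
    ("Controller:TrainDetector", "CA:ReportTrainApproaching"),
    ("CA:LowerBarrier", "UPS:BarrierUpWhileTrainApproaching"),           # keyword: not provided
    ("CA:SetRoadSignalRed", "UPS:RoadSignalGreenWhileTrainApproaching"), # keyword: not provided
    ("CA:ReportTrainApproaching", "UPS:BarrierUpWhileTrainApproaching"), # keyword: too late
    ("CA:LowerBarrier", "UPS:BarrierDownWithoutTrain"),                  # keyword: not required
    ("UPS:BarrierUpWhileTrainApproaching", "H:VehicleOnCrossingWithTrain"),
    ("UPS:RoadSignalGreenWhileTrainApproaching", "H:VehicleOnCrossingWithTrain"),
    ("UPS:BarrierDownWithoutTrain", "H:RoadTrafficBlocked"),
    ("H:VehicleOnCrossingWithTrain", "SC:BarrierDownBeforeTrainEntersCrossing"),
    ("H:VehicleOnCrossingWithTrain", "L:Collision"),
    ("H:RoadTrafficBlocked", "L:TrafficDisruption"),
]

def build_graph(edges):
    """Forward and reverse adjacency, so the model can be read in either direction."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev

def reachable(adj, start):
    """Every element reachable from start (breadth-first), excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def controller_relevance(edges):
    """Relevance of controllers: the system level losses each controller traces to."""
    fwd, _ = build_graph(edges)
    return {c: sorted(n for n in reachable(fwd, c) if n.startswith("L:"))
            for c in list(fwd) if c.startswith("Controller:")}

def constraint_impact(edges, constraint):
    """Safety constraint impact analysis: controllers and control actions upstream of a
    constraint, i.e. the design elements that must be revisited when it changes."""
    _, rev = build_graph(edges)
    upstream = reachable(rev, constraint)
    return {kind: sorted(n for n in upstream if n.startswith(kind))
            for kind in ("Controller:", "CA:")}
```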
STPA Step 2 – Methods
Methods to identify accident scenarios:
• For simple actuators, sensors, data transmission: FTA, FMEA, …
• For complex actuators, sensors: dedicated subsystem STPA
• For controller algorithm: annotation of behavioral diagrams
(Figure: control loop of Controller with Process Model, Actuator, Sensor and Process, annotated with accident scenarios XX, YY, ZZ, QQ and RR at the loop elements.)
STPA Step 2 – Structured Organization
Organization of accident scenarios with a generic fault tree:
• Structured documentation
• Interface to other tools
• In principle: allows quantification of accident scenarios
(Figure: generic fault tree with Top Event: Unwanted Process State.)
Conclusion and Outlook (1/2)
We developed a practical approach to safety driven design: the integration of system and safety engineering.
• Extended UML with a profile for STPA diagrams
– Hierarchical Control Structure
– STPA Step 1 diagrams
• Augment behavioral and structural diagrams with annotations to capture accident scenarios
– STPA Step 2
• Realize and maintain traceability between system design, system implementation and hazards, accidents
• Organize accident scenarios with a generic fault tree
Conclusion and Outlook (2/2)
• Project in collaboration with Curtiss Wright Drive Technology, Schaffhausen, Switzerland and funded by the Swiss Commission of Technology and Information
• Tool Development:
– Plan to present the tool at the European STAMP Workshop 2015
Contact:
Martin Rejzek
Sven Stefan Krauss
Christian Hilbes
http://www.iamp.zhaw.ch/sks
http://www.sahra.ch