STPA Tutorial Exercise: Aerial Refueling
John Thomas
Engineering Systems Lab
MIT
© Copyright John Thomas 2020. Please contact [email protected] with any questions!
Tutorial Objective
• These short tutorials are not training classes
• We cannot cover everything in these tutorial sessions. The objective is just to introduce some of the core concepts and help new attendees follow the workshop presentations.
• Like most techniques, training and practice with a qualified instructor are needed to become proficient.
Acknowledgements!
• Ben Luther
• Ryan Krogstad
• Martin Trae Span
Aerial Refueling Exercise
• Inspired by KC-10, KC-30, and others
• Not an analysis of one specific implementation
• We’ve made changes and simplifications due to time constraints!
Based on the Airbus A330 airliner, the KC-30 shown here is refueling an F-16.
Boom
Flying a boom is like flying a glider behind the tanker. You have full control authority: up, down, left, right, extend, retract. Max extension 23 ft (7.6 m), about 10° left/right, about 15° up/down.
Image: https://thaimilitaryandasianregion.wordpress.com/2016/02/
The boom is designed to mechanically disconnect from the receiver at 5 tons of tension.
KC-30 refueling a B-1 Lancer
STPA (Leveson and Thomas, 2018)
1) Define Purpose of the Analysis: identify losses and hazards; define the system boundary (system vs. environment)
2) Model the Control Structure
3) Identify Unsafe Control Actions
4) Identify Loss Scenarios
STPA Step 1: Define Purpose of the Analysis
• What are some Losses?
• What are some Aircraft-level Hazards?
Go to http://slido.com (event code is “STPA2”)
STPA Step 1: Define Purpose of the Analysis
• What are some Losses?
– L1: Loss of life or injury
– L2: Damage to aircraft
– L3: Loss of refueling mission
• What are some Aircraft-level Hazards?
– H1: Aircraft violate minimum separation for refueling [L1, L2, L3]
– H2: Aircraft airframe integrity is degraded [L1, L2, L3]
– […]
STPA overview (Leveson and Thomas, 2018), now at Step 2) Model the Control Structure
Famous Systems Engineering V-Model
Left leg (decomposition): Concept of Operations, High-Level Req's, Detailed Req's, High-Level Design, Detailed Design, Implementation.
Right leg (integration): Unit Testing, Subsystem Verification, System Verification, System Validation, Operations & Maint.
STPA is attached to every stage of the V: STPA is iterated to support development!
Example Safety Control Structure (Leveson, 2012)
Two levels of control: Mission Planning (Receiver, Tanker, Boom) provides Operating Procedures to Real-time Operations (Receiver, Tanker, Boom); within Real-time Operations, Clearance and Instructions pass between Receiver, Tanker and Boom.
Iterative Control Structure Development
Refined Real-time Operations structure: Clearance and Instructions flow to the Receiver and the Tanker; the Tanker controls the Boom.
• Tanker movement (ideally straight/level)
• Receiver tracks Tanker movement (gross tracking)
• Boom movement to receptacle (fine tracking), with verbal movement guidance to the receiver ("up 2, left 1")
Iterative Control Structure Development: the Tanker controls the Boom, and both act on the Physical Aircraft.
For the purpose of this exercise, let's focus on Tanker Boom Operation.
KC-30A Refueling Control Station
• Primary operator (ARO: Air Refueling Officer) and a Secondary / Instructor station
• Two 3D video displays
• Boom Flight Control Stick
Let's sketch the control structure for Boom Operation (Tanker Boom Operation), in three layers:
• Humans: Boom Operator
• Automation: Boom Control Unit (BCU)
• Physical: Boom
Control actions: Boom Operator to BCU: Manual Boom Position, BCU On/Off. BCU to Boom: Control Surface Movement (x, y, z).
Feedback: BCU to Boom Operator: Synthetic feedback feel, Boom position, Boom coupled. Boom to BCU: ? (still to be identified)
Second sketch. Added: feedback from the Boom to the Boom Operator as Visual position (3D video), and possibly Raise boom? (cable?). Receiver Pilots and Tanker Pilots are added as further controllers, with their control actions and feedback still marked "?".
Third sketch. Added feedback from the Boom to the BCU: Boom position sensed, Boom contact sensed, Boom force sensed. Receiver Pilots and Tanker Pilots remain marked "?".
Full control structure, Tanker and Receiver
Tanker side
• Boom Operator to Boom Control Unit: Manual Boom Pos., BCU On/Off, BCU Next Mode
• Boom Control Unit to Boom: Control surface movement (x, y, z)
• Boom to Boom Control Unit: Boom position sensed, Boom contact sensed, Boom force sensed
• Boom Control Unit to Boom Operator: Synthetic feel, Boom position, Boom coupled
• Boom to Boom Operator: Visual position feedback
• Tanker Pilots to Tanker Flight Control System to Physical Aircraft: Flight path commands, Tanker movement (Standard A330, almost)
Receiver side
• Receiver Pilots to Aircraft Automation to Receiver Aircraft: Flight path commands
• Receiver moves to maintain relative position (gross tracking)
• Receiver responds to verbal coaching: "up 2, left 1"
Between the aircraft
• Contact / disconnect signal & feedback
• ARO flies the boom to the receptacle (fine tracking)
Boom Operator Video
Image: https://www.kappa-optronics.com/en/cameras-for-aerospace-defense/cameras-for-aerospace/in-flight-refueling-cameras.cfm
The operator's video display overlays: Lateral degrees from trail, Vertical degrees from trail, COUPLED status, Receiver state, Boom loads, Boom flight control mode, Telescope extension.
Our control structure: Tanker Boom Operation
• Boom Operator to BCU: Manual Boom Position, BCU On/Off
• BCU to Boom Operator: Synthetic feedback feel, Boom position, Boom coupled
• BCU to Boom: Control Surface Movement (x, y, z)
• Boom to BCU: Boom position sensor, Boom contact sensor, Boom force sensors
• Boom to Boom Operator: Visual Position (3D Video)
A computer/digital upgrade!
Manual Boom Control (Old System): System Mode Diagram
1) FREE FLIGHT: Boom Operator moves boom into position
2) COUPLED: Boom Operator moves boom as needed to minimize contact loading
Transitions: FREE FLIGHT to COUPLED when the Boom makes contact; COUPLED to FREE FLIGHT when the Boom disconnects.
Decision to Add Automation: Load Alleviation
• When boom is coupled, automatically fly boom
• Use sensors to detect mechanical forces on boom tip
• Boom Control Unit (BCU) automatically moves boom to minimize forces
Partially Automated Boom Control: BCU Mode Diagram
1) FREE FLIGHT: Boom Operator controls boom; Boom position matches current stick position; Boom Operator flies boom to insert probe into receptacle, making contact
2) COUPLED: BCU automatically flies the boom; Boom Operator is not in control, stick ignored; the system senses tip loads and flies to null out that load
Transitions: FREE FLIGHT to COUPLED when the BCU senses positive contact; COUPLED to FREE FLIGHT when a Toggle Mode Cmd is sent by the Boom Operator or by the Receiver (on disconnect).
KC-30A Refueling Control Station, now with a Toggle Mode Button beside the Boom Flight Control Stick (Primary operator ARO and Secondary / Instructor stations, two 3D video displays).
How does the control structure change? (Tanker Boom Operation)
• Boom Operator to BCU: Manual Boom Position, Toggle Mode Cmd (new), BCU On/Off
• BCU to Boom Operator: Synthetic feedback feel, Boom position, Boom coupled
• BCU to Boom: Control Surface Movement (x, y, z)
• Boom to BCU: Boom position sensor, Boom contact sensor, Boom force sensors
• Boom to Boom Operator: Visual Position (3D Video)
STPA overview (Leveson and Thomas, 2018), now at Step 3) Identify Unsafe Control Actions
Analyze control actions (Tanker Boom Operation): the Boom Operator provides BCU On/Off, Manual Boom Position and Toggle Mode Cmd to the BCU; the BCU provides Control Surface Movement (x, y, z) to the Boom. Feedback: Synthetic feedback feel, Boom position and Boom coupled (BCU to operator); Boom position sensor, Boom contact sensor, Boom force sensors (Boom to BCU); Visual Position (3D Video) (Boom to operator).
Control Structure: Unsafe Control Actions
Control loop under analysis: Boom Operator provides BCU Off Cmd to the BCU; the BCU provides Control Surface Mvt. to the Boom.
The UCA table has one row per control action and one column per UCA type:
• Not providing causes hazard
• Providing causes hazard [in wrong situation, excessive, insufficient, repetitive, wrong direction, etc.]
• Too early, too late, wrong order
• Stopped too soon / applied too long
The row for BCU Off Cmd starts out as "? ? ? ?".
Anatomy of a UCA statement, using "Boom Operator provides BCU Off Cmd when BCU Operating Normally (Boom Coupled)":
• Source Controller: Boom Operator
• Type: provides
• Control Action: BCU Off Cmd
• Context: when BCU Operating Normally (Boom Coupled)
Operator UCAs (control actions: BCU On/Off Cmd, Manual Movement Cmd). Suppose the Boom is Coupled…
Row: BCU Off Cmd
• Not providing causes hazard: Boom Operator does not provide BCU Off Cmd when BCU is providing movement commands that exceed Boom structural limits […]
• Providing causes hazard: Boom Operator provides BCU Off Cmd when BCU is operating normally (BCU is load alleviating, Boom Coupled) […]
• Too early, too late, order: Boom Operator provides BCU Off Cmd too late after __________; Boom Operator provides BCU Off Cmd too early before _________ […]
Operator UCAs (control actions: BCU On/Off Cmd, Manual Movement Cmd)
Case 1: Suppose the Boom is In Contact… Case 2: Suppose the Boom is not In Contact…
Row: Manual Movement Cmd
• Not providing causes hazard: Boom Operator does not provide Manual Movement Cmd when __________
• Providing causes hazard [in wrong situation, excessive, insufficient, repetitive, wrong direction, etc.]: Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in contact (can break Boom); Boom Operator provides Manual Movement Cmd when ______________
• Too early, too late, order: Boom Operator provides Manual Movement Cmd too late after __________; Boom Operator provides Manual Movement Cmd too early before _________
• Stopped too soon / applied too long: Boom Operator stops providing Movement Cmd too soon before _______; Boom Operator continues providing Movement Cmd too long after _______
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd (Boom Oper., BCU, Boom)
Case 1: Suppose the Boom is In Contact… Case 2: Suppose the Boom is Not In Contact…
Row template: Control Surface Movement Cmd
• Not providing causes hazard: BCU does not provide Movement Cmd when ____ […]
• Providing causes hazard: BCU provides Movement Cmd when ________ [wrong situation, cmd insufficient, excessive, wrong direction, oscillatory, repetitive, etc.]
• Too early, too late, order: BCU provides Movement Cmd too late after _____; BCU provides Movement Cmd too early before ______ […]
• Stopped too soon / applied too long: BCU continues providing Movement Cmd too long after ________; BCU stops providing Movement Cmd too soon before _________ […]
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd
Case 1: Suppose the Boom is In Contact…
• Not providing causes hazard: BCU does not provide Movement Cmd when Load exceeds TBD […]
• Providing causes hazard: BCU provides Movement Cmd when Load does not exceed TBD; BCU provides excessive Movement Cmd (>TBD) when Boom is in contact (can break boom) [insufficient, excessive, oscillatory, repetitive, etc.]
• Too early, too late, order: BCU provides Movement Cmd too late after Load exceeds TBD; BCU provides Movement Cmd too early before Load exceeds TBD; BCU provides Movement Cmd too early before Boom is Coupled; BCU provides Movement Cmd too late after Boom is Disconnected […]
• Stopped too soon / applied too long: BCU continues providing Movement Cmd too long after Load drops below TBD; BCU continues providing Movement Cmd too long after Load increases beyond TBD; BCU continues providing Movement Cmd too long after Boom Position exceeds TBD […]
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd
Case 2: Suppose the Boom is Not In Contact…
• Not providing causes hazard: BCU does not provide Movement Cmd when Boom Operator moves Stick […]
• Providing causes hazard: BCU provides Movement Cmd when Boom Operator does not move Stick (Boom Not In Contact); BCU provides Movement Cmd when Boom Operator has turned BCU Off; BCU provides Movement Cmd in wrong direction (does not match Stick direction); BCU provides excessive Movement Cmd beyond mechanical Boom limits [insufficient, oscillatory, repetitive, etc.]
• Too early, too late, order: BCU provides Movement Cmd too late (more than TBD sec) after Boom Operator moves Stick; BCU provides Movement Cmd too early (>0 s) before Boom Operator moves Stick […]
• Stopped too soon / applied too long: BCU continues providing Movement Cmd too long after Boom reaches position commanded by Stick; BCU continues providing Movement Cmd too long after Boom position exceeds TBD; BCU stops providing Movement Cmd too soon before Boom reaches position commanded by Stick […]
Timing Diagram: Different UCA Types
(Figure: a command plotted over time as "not provided" / "provided", annotated with the UCA types.)
1) Command not provided
2) Excessive, Insufficient, Wrong direction, etc. (provided, but with the wrong value)
3) Provided too early, too late (the right command, at the wrong time)
4) Applied too long, Stopped too soon (the right command, for the wrong duration)
Formal STPA: context table for the BCU Movement Cmd

Source Controller | Control Action | Boom in Contact?    | Strength of Cmded Movement  | Stick movement?        | Unsafe to provide?
BCU               | Movement Cmd   | Boom in Contact     | LimitH < Movement < LimitHH | *                      | Yes
BCU               | Movement Cmd   | Boom not in Contact | LimitH < Movement < LimitHH | Matches Cmded Movement | No
BCU               | Movement Cmd   | *                   | LimitHH < Movement          | *                      | Yes
BCU               | Movement Cmd   | Boom not in Contact | *                           | No stick movement      | Yes
[…]               | […]            | […]                 | […]                         | […]                    | […]

LimitH = limit that leads to damage when coupled with receiver. LimitHH = limit that leads to damage when not coupled. "*" means any value of that context variable.
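The context table above can be run as code. What follows is an added example for this tutorial page, not code from the slides or from any real boom control unit: the numeric values of LimitH and LimitHH, the tolerance used for "matches commanded movement", and the hazard tag [H-2] are assumptions chosen only so the table can be exercised, and the "movement does not match the stick" outcome is taken from the Case 2 UCA list rather than from the table itself. Rows the deck leaves as […] are reported as undecided instead of being guessed.

```python
"""Executable form of the deck's context table for the BCU Movement Cmd.

Added example for the tutorial page; not code from the slides or from any
real BCU. LIMIT_H, LIMIT_HH, STICK_TOL and the [H-2] tag are assumed.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

LIMIT_H = 10.0    # assumed: damage threshold when coupled with receiver
LIMIT_HH = 25.0   # assumed: damage threshold when not coupled
STICK_TOL = 1.0   # assumed: |Movement - stick| within this counts as "matches"


@dataclass(frozen=True)
class Context:
    in_contact: bool
    movement: float         # strength of commanded movement (assumed units)
    stick: Optional[float]  # None = no stick movement, else stick deflection


def unsafe_to_provide(ctx: Context) -> Tuple[Optional[bool], str]:
    """Evaluate one row of the context table.

    Returns (True, rule) for an unsafe context, (False, rule) for a safe one
    and (None, rule) for a combination the deck leaves as [...]. The most
    severe row is checked first, so LimitHH < Movement is unsafe in any
    contact state and for any stick position.
    """
    if ctx.movement > LIMIT_HH:
        return True, "LimitHH < Movement (any contact state, any stick)"
    if ctx.in_contact:
        if ctx.movement > LIMIT_H:
            return True, "Boom in Contact and LimitH < Movement < LimitHH"
        return None, "Boom in Contact and Movement <= LimitH: row elided in the deck"
    if ctx.stick is None:
        return True, "Boom not in Contact and no stick movement"
    if abs(ctx.movement - ctx.stick) <= STICK_TOL:
        if ctx.movement > LIMIT_H:
            return False, "Boom not in Contact, LimitH < Movement < LimitHH, matches stick"
        return None, "Boom not in Contact, Movement <= LimitH, matches stick: row elided"
    # Not a table row; taken from the Case 2 UCA list (wrong direction / excessive).
    return True, "Boom not in Contact and Movement does not match stick"


def uca_sentences() -> List[str]:
    """Discretise the three context variables, evaluate every combination and
    phrase each unsafe one in the deck's UCA form:
    '<Source> provides <Control Action> when <Context> [H-2]'."""
    contact = {True: "Boom is In Contact", False: "Boom is Not In Contact"}
    movement = {
        "Movement below LimitH": LIMIT_H - 1.0,
        "LimitH < Movement < LimitHH": (LIMIT_H + LIMIT_HH) / 2.0,
        "LimitHH < Movement": LIMIT_HH + 1.0,
    }
    stick = {"no stick movement": False, "stick matching the command": True}
    out: List[str] = []
    for (c, c_txt), (m_txt, m_val), (s_txt, s_match) in product(
        contact.items(), movement.items(), stick.items()
    ):
        ctx = Context(c, m_val, m_val if s_match else None)
        unsafe, _rule = unsafe_to_provide(ctx)
        if unsafe:
            out.append(f"BCU provides Movement Cmd ({m_txt}) when {c_txt} and {s_txt} [H-2]")
    return out


if __name__ == "__main__":
    for line in uca_sentences():
        print(line)
```

The enumeration produces eight UCAs from the four populated rows; the combinations the deck leaves as […] (for example, Boom in Contact with Movement below LimitH, where the load-alleviation logic rather than the stick decides) come back as None so that they are visibly still open rather than silently treated as safe.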
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd. Suppose the Boom is Not Coupled…
The Case 2 table is repeated here with the excessive-movement entry stated relative to the stick ("BCU provides excessive Movement Cmd beyond amount of Stick movement") and with one UCA given an identifier and traced to a hazard:
UCA-10: BCU provides Movement Cmd too late (more than TBD sec) after Boom Operator moves Stick [H-3]
Each UCA is then inverted into a requirement and a test specification:
R-1: BCU must provide Movement Cmd within TBD sec after Boom Operator moves stick when Not Coupled [UCA-10]
TS-1: Context: Boom is Not Coupled and Boom Operator moves stick. Verify: BCU provides Movement Cmd within TBD sec [UCA-10]
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd. Suppose the Boom is Not Coupled…
A second UCA from the same table:
UCA-2: BCU provides Movement Cmd when Boom Operator does not move Stick [H-1]
R-2: BCU must not provide Movement Cmd when Boom is Not Coupled and Boom Operator has not moved stick [UCA-2]
TS-2: Context: Boom is Not Coupled and Boom Operator has not moved stick. Verify: BCU does not provide Movement Cmd [UCA-2]
Identify Unsafe Control Actions: BCU Control Surface Movement Cmd. Suppose the Boom is Not Coupled…
Is this Safety or Security? Both!
The UCA table does not depend on why the command was wrong: "BCU provides Movement Cmd when Boom Operator has turned BCU Off" or "when Boom Operator does not move Stick" is unsafe whether the spurious command comes from a software defect, a faulty sensor, or a message injected by an attacker. The same UCAs, requirements and test specifications therefore constrain the design against both kinds of cause.
STPA overview (Leveson and Thomas, 2018), now at Step 4) Identify Loss Scenarios
STPA Step 4.A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break boom)
Causal factors to consider around the loop:
• Controller: inadequate control algorithm (flaws in creation, process changes, incorrect modification or adaptation); process model inconsistent, incomplete, or incorrect; control input or external information wrong or missing
• Actuator: inadequate operation
• Controlled process: component failures; changes over time; unidentified or out-of-range disturbance; process input missing or wrong; process output contributes to system hazard
• Sensor: inadequate operation; incorrect or no information provided; measurement inaccuracies; feedback delays
• Feedback path: inadequate or missing feedback; feedback delays
• Other controllers: delayed operation; conflicting control actions; missing or wrong communication with another controller
STPA Step 4.A, worked around the Generic Control Loop for the UCA "BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break boom)". Start with the controller's process model. Flawed Process Model: BCU believes ____
STPA Step 4.A, continued. Flawed Process Model: BCU believes Boom is not In Contact; BCU believes stick is moving.
STPA Step 4.A, continued. Flawed Process Model: BCU believes Boom is not In Contact; BCU believes stick is moving. Operator input in this scenario: Operator sends manual movement command when Boom is In Contact.
STPA Step 4.A, continued. Generated Question: How could the BCU determine the Boom is not In Contact?
STPA Step 4.A, continued. Control Algorithm: Toggle the belief when a pulse is received from the coupling sensor.
STPA Step 4.A, continued. Feedback path: Double pulse upon contact (e.g. bounces); Missing pulse feedback; Delayed pulse feedback. With a toggling algorithm, a double pulse flips the belief back to "not In Contact" while the Boom is in contact.
STPA Step 4. A: Potential causes of UCAs Generic Control Loop
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is not In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
AHA! We currently have no control measure to handle this case!
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is not In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
Is this Safety or Security? Both!
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is not In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
Security scenario: Adversary blocks or spoofs feedback indicating contact
Would some of your control measures for safety mitigate this too?
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
Let’s try a different UCA
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact (beyond mechanical Boom limits)
[Generic control loop diagram labels. Controller: Inadequate Control Algorithm (flaws in creation, process changes, incorrect modification or adaptation); Process Model (inconsistent, incomplete, or incorrect); Control input or external information wrong or missing. Actuator: inadequate operation; delayed operation. Controlled Process: component failures; changes over time; unidentified or out-of-range disturbance; process input missing or wrong; process output contributes to system hazard. Sensor: inadequate operation. Feedback: inadequate or missing feedback; feedback delays; incorrect or no information provided; measurement inaccuracies. Other Controller: conflicting control actions; missing or wrong communication with another controller.]
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes ____
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact; BCU believes Load is Excessive
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact; BCU believes Load is Excessive
Load Feedback: Normal air forces cause uncoupled boom load sensors to report large, random, and rapidly fluctuating loads!
Generated Question: How would the BCU determine the Load is Excessive?
Control Algorithm: When in Contact, always compensate for all load feedback
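The load-feedback scenario on this slide can be reproduced in a few lines. The following is an added teaching example, not code from the tutorial or from any tanker's BCU: it runs the "when in Contact, always compensate for all load feedback" rule over a constructed uncoupled load series with the process model wrongly set to "in contact", then shows a gated variant that suppresses compensation while the load history is implausible for a coupled receiver and clamps every command to a mechanical envelope. The gain, limits, units and sample series are assumptions.

```python
"""Load-compensation gating for a boom control unit (BCU).

Added teaching example, not code from the tutorial or from any tanker. The
tutorial's algorithm 'when in Contact, always compensate for all load
feedback' is modelled beside a gated version. Units (kN, degrees), gains,
limits, and the constructed load samples are assumptions for illustration.
"""
import statistics
from typing import List, Tuple

MOVEMENT_LIMIT_DEG = 15.0      # assumed mechanical limit for one boom axis
MAX_STEP_DEG = 1.0             # assumed per-cycle rate limit
GAIN_DEG_PER_KN = 2.0          # assumed proportional compensation gain
PLAUSIBLE_LOAD_STD_KN = 1.5    # assumed: a coupled receiver's load drifts slowly
WINDOW = 5                     # cycles used for the plausibility statistic

# Constructed samples, one per control cycle (not recorded data). The uncoupled
# series imitates the tutorial's observation that free-air loads look large,
# random and rapidly fluctuating; the coupled series imitates a receiver
# drifting slowly off the trail position.
UNCOUPLED_LOADS_KN: List[float] = [9.0, -11.0, 8.0, -10.0, 11.0, -9.0] * 2
COUPLED_LOADS_KN: List[float] = [0.1 * k for k in range(12)]


def naive_compensation(loads_kn: List[float], believes_in_contact: bool) -> List[float]:
    """Tutorial algorithm: if the process model says 'in contact', cancel every
    load sample fully. Nothing bounds the resulting command."""
    if not believes_in_contact:
        return [0.0 for _ in loads_kn]
    return [-GAIN_DEG_PER_KN * load for load in loads_kn]


def gated_compensation(loads_kn: List[float],
                       believes_in_contact: bool) -> Tuple[List[float], int]:
    """Hardened variant (assumption):
    1. compensation is suppressed while the recent load history is too noisy to
       have come from a coupled receiver, whatever the process model believes;
    2. every command is rate-limited and clamped to the mechanical envelope.
    Returns (commands, cycles_suppressed_by_the_gate)."""
    commands: List[float] = []
    previous = 0.0
    suppressed = 0
    for i, load in enumerate(loads_kn):
        recent = loads_kn[max(0, i - WINDOW + 1): i + 1]
        noisy = len(recent) >= 3 and statistics.pstdev(recent) > PLAUSIBLE_LOAD_STD_KN
        if believes_in_contact and not noisy:
            desired = -GAIN_DEG_PER_KN * load
        else:
            desired = 0.0
            if believes_in_contact:
                suppressed += 1          # the gate, not the belief, held the command back
        step = max(-MAX_STEP_DEG, min(MAX_STEP_DEG, desired - previous))
        command = max(-MOVEMENT_LIMIT_DEG, min(MOVEMENT_LIMIT_DEG, previous + step))
        commands.append(command)
        previous = command
    return commands, suppressed


def exceeds_limit(commands: List[float]) -> bool:
    """True if any command lies outside the assumed mechanical envelope."""
    return max(abs(c) for c in commands) > MOVEMENT_LIMIT_DEG


if __name__ == "__main__":
    naive = naive_compensation(UNCOUPLED_LOADS_KN, believes_in_contact=True)
    gated, held = gated_compensation(UNCOUPLED_LOADS_KN, believes_in_contact=True)
    print("naive, uncoupled, wrong belief: exceeds limit =", exceeds_limit(naive))
    print("gated, uncoupled, wrong belief: exceeds limit =", exceeds_limit(gated),
          "cycles suppressed =", held)
    print("gated, coupled: final command =", round(gated_compensation(COUPLED_LOADS_KN, True)[0][-1], 3))
```

The gate answers the slide's generated question with a measurable property of the feedback itself (its short-window variability) rather than with the BCU's belief about contact, and the envelope clamp is the layer that still protects the boom when both the belief and the gate are wrong.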
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: missing feedback; feedback delays; incorrect information provided; measurement inaccuracies
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
AHA! We currently have no control measure to handle this case!
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
Is this Safety or Security? Both!
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
Control Algorithm: Toggle the belief when a pulse is received from coupling sensor
Feedback: Double pulse upon contact (e.g. bounces); missing pulse feedback; delayed pulse feedback
Security scenario: Adversary spoofs feedback indicating contact
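The "toggle the belief on a coupling pulse" algorithm drives both UCA sequences in this step: with the boom In Contact, a bounced or missing pulse leaves the BCU believing it is free; with the boom Not In Contact, a single spoofed or spurious pulse leaves it believing it is coupled. The following is an added teaching example, not code from the tutorial or from any tanker's BCU. It runs the toggle design over those cases and sets a level-based design beside it that re-samples the coupling state every cycle, debounces it, and requires a second, independent receiver-side indication before believing "in contact". The debounce window, that second indication, and the per-cycle timelines are assumptions.

```python
"""Contact-belief tracking for a boom control unit (BCU).

Added teaching example, not code from the tutorial or from any tanker.
Models the tutorial's algorithm 'toggle the belief when a pulse is received
from the coupling sensor' and shows why a bounced (double) pulse, a missing
pulse, or an injected pulse leaves the BCU's process model wrong. A
level-based, debounced, corroborated design is shown beside it. The debounce
window and the second receiver-side indication are assumptions.
"""
from dataclasses import dataclass, field
from typing import List


class ToggleContactModel:
    """Tutorial design: belief flips on every pulse and is never re-checked."""

    def __init__(self) -> None:
        self.in_contact = False

    def on_pulse(self) -> None:
        self.in_contact = not self.in_contact


def run_toggle(pulse_count: int) -> bool:
    """Return the belief after `pulse_count` coupling pulses, starting uncoupled."""
    model = ToggleContactModel()
    for _ in range(pulse_count):
        model.on_pulse()
    return model.in_contact


@dataclass
class LevelContactModel:
    """Hardened design (assumption): sample the coupling switch LEVEL every
    control cycle instead of counting edges, accept a new level only after it
    has been stable for `debounce_cycles` cycles, and believe 'in contact'
    only while an independent receiver-side indication agrees."""

    debounce_cycles: int = 3
    in_contact: bool = False
    history: List[bool] = field(default_factory=list)
    _last_level: bool = False
    _stable_cycles: int = 0

    def step(self, coupling_level: bool, receiver_indication: bool) -> bool:
        if coupling_level == self._last_level:
            self._stable_cycles += 1
        else:
            self._last_level = coupling_level
            self._stable_cycles = 0
        if self._stable_cycles >= self.debounce_cycles:
            debounced = coupling_level          # level has settled
        else:
            debounced = self.in_contact         # bounce in progress: hold the belief
        self.in_contact = debounced and receiver_indication
        self.history.append(self.in_contact)
        return self.in_contact


def run_level(coupling_levels: List[bool], receiver_indications: List[bool],
              debounce_cycles: int = 3) -> bool:
    """Run the level-based model over two constructed per-cycle timelines."""
    model = LevelContactModel(debounce_cycles=debounce_cycles)
    for level, receiver in zip(coupling_levels, receiver_indications):
        model.step(level, receiver)
    return model.in_contact


# Constructed timelines (one entry per control cycle), not recorded data.
BOUNCE = [True, False, True, True, True, True, True, True]   # real contact with one bounce
ONE_SOURCE_ONLY = [True] * 8                                 # coupling line asserted, receiver silent


if __name__ == "__main__":
    print("toggle, 1 pulse      :", run_toggle(1))   # True: correct
    print("toggle, bounce (2)   :", run_toggle(2))   # False: wrong, the boom IS in contact
    print("toggle, missing pulse:", run_toggle(0))   # False: wrong for the same reason
    print("level, bounce        :", run_level(BOUNCE, [True] * 8))            # True
    print("level, one source    :", run_level(ONE_SOURCE_ONLY, [False] * 8))  # False
```

The point the toggle design misses is that a pulse count carries no information about the current state once a single event is lost, duplicated, or injected; sampling the level and corroborating it with a second source makes the belief self-correcting, which is what the slides' "Would some of your control measures for safety mitigate this too?" question is driving at.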
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Inadequate Control Algorithm uploaded by outside controller
Control algorithm: BCU knows stick not moving, boom not in contact; provides movement cmd anyway
Is this Safety or Security? Both!
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU believes Boom is In Contact
Control input: Operator cmd to force Coupled mode?
Is this Safety or Security? Both!
Generated Question: How would the BCU determine the Boom is In Contact?
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU incorrectly believes Movement Cmd is not excessive
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU incorrectly believes Movement Cmd is not excessive
Generated Question: How would the BCU determine if Movement Cmd is excessive?
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU incorrectly believes Movement Cmd is not excessive
Control Algorithm: Compare Movement/Force to limits for receiving aircraft type
Feedback: Wrong aircraft type; No aircraft type (defaults to previous value)
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: BCU provides excessive Movement Cmd when Boom Not In Contact
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: BCU incorrectly believes Movement Cmd is not excessive
Control Algorithm: Compare Movement/Force to limits for receiving aircraft type
Feedback: Wrong aircraft type; No aircraft type (defaults to previous value)
Control input: Operator cmd to set aircraft type/limits: incorrect or missing
Discuss Weakness: Global Tanker limits vs. Receiver A/C limits
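The two weaknesses on these slides (a missing aircraft type that "defaults to previous value", and checking against global tanker limits instead of the receiver's limits) are easy to see in code. The following is an added teaching example, not code from the tutorial or from any tanker's BCU: it contrasts a limiter with those weaknesses against a fail-safe one that requires the type to be confirmed for every contact, treats an unknown type as the most restrictive receiver, and takes the minimum of receiver and tanker limits. Receiver type names, limit values and units are constructed placeholders, not real aircraft data.

```python
"""Movement-command limit checking against receiving-aircraft limits.

Added teaching example, not code from the tutorial or from any tanker. It
contrasts the weaknesses flagged on the slides ('no aircraft type: defaults
to previous value' and global tanker limits vs. receiver limits) with a
fail-safe lookup. Receiver type names, limit values and units are
constructed placeholders, not real aircraft data.
"""
from dataclasses import dataclass
from typing import Dict, Optional

Limits = Dict[str, float]

# Constructed placeholders: the boom's own envelope and two receiver envelopes.
TANKER_GLOBAL_LIMITS: Limits = {"force_kn": 50.0, "lateral_deg": 10.0}
RECEIVER_LIMITS: Dict[str, Limits] = {
    "HEAVY_PLACEHOLDER": {"force_kn": 45.0, "lateral_deg": 10.0},
    "LIGHT_PLACEHOLDER": {"force_kn": 12.0, "lateral_deg": 6.0},
}


@dataclass
class MovementCmd:
    force_kn: float
    lateral_deg: float


def _over(cmd: MovementCmd, limits: Limits) -> bool:
    return cmd.force_kn > limits["force_kn"] or cmd.lateral_deg > limits["lateral_deg"]


def tanker_only_is_excessive(cmd: MovementCmd) -> bool:
    """Weakness 1: checking only the global tanker envelope ignores the receiver."""
    return _over(cmd, TANKER_GLOBAL_LIMITS)


class WeakLimiter:
    """Weakness 2 (the slides' feedback flaw): a missing type selection silently
    keeps whatever type was set last time."""

    def __init__(self) -> None:
        self.current_type: Optional[str] = None

    def set_type(self, receiver_type: Optional[str]) -> None:
        if receiver_type is not None:          # None leaves the stale value in place
            self.current_type = receiver_type

    def is_excessive(self, cmd: MovementCmd) -> bool:
        return _over(cmd, RECEIVER_LIMITS.get(self.current_type, TANKER_GLOBAL_LIMITS))


class FailSafeLimiter:
    """Hardened design (assumption): the type must be confirmed for every
    contact; an unknown or missing type falls back to the most restrictive
    receiver envelope; the effective limit is the minimum of receiver and
    tanker limits so neither envelope can be exceeded."""

    def __init__(self) -> None:
        self.current_type: Optional[str] = None
        self.confirmed_for_contact = False

    def begin_contact(self) -> None:
        self.confirmed_for_contact = False      # stale selections never carry over

    def set_type(self, receiver_type: Optional[str]) -> None:
        self.current_type = receiver_type if receiver_type in RECEIVER_LIMITS else None
        self.confirmed_for_contact = self.current_type is not None

    def effective_limits(self) -> Limits:
        if self.confirmed_for_contact:
            receiver = RECEIVER_LIMITS[self.current_type]
        else:
            receiver = {k: min(r[k] for r in RECEIVER_LIMITS.values())
                        for k in TANKER_GLOBAL_LIMITS}
        return {k: min(receiver[k], TANKER_GLOBAL_LIMITS[k]) for k in TANKER_GLOBAL_LIMITS}

    def is_excessive(self, cmd: MovementCmd) -> bool:
        return _over(cmd, self.effective_limits())


def weak_after_type_left_over(cmd: MovementCmd) -> bool:
    """Yesterday: heavy receiver. Today: light receiver, but nobody sets the type."""
    limiter = WeakLimiter()
    limiter.set_type("HEAVY_PLACEHOLDER")
    limiter.set_type(None)
    return limiter.is_excessive(cmd)


def failsafe_after_type_left_over(cmd: MovementCmd) -> bool:
    """Same sortie sequence through the fail-safe limiter."""
    limiter = FailSafeLimiter()
    limiter.set_type("HEAVY_PLACEHOLDER")
    limiter.begin_contact()
    limiter.set_type(None)
    return limiter.is_excessive(cmd)


def failsafe_with_confirmed_type(receiver_type: str, cmd: MovementCmd) -> bool:
    limiter = FailSafeLimiter()
    limiter.begin_contact()
    limiter.set_type(receiver_type)
    return limiter.is_excessive(cmd)


if __name__ == "__main__":
    cmd = MovementCmd(force_kn=30.0, lateral_deg=8.0)   # fine for the heavy placeholder, not the light one
    print("tanker-only check flags it      :", tanker_only_is_excessive(cmd))     # False
    print("weak limiter, type left over    :", weak_after_type_left_over(cmd))    # False
    print("fail-safe limiter, type left over:", failsafe_after_type_left_over(cmd))  # True
```

Note that the fail-safe limiter is deliberately conservative in the missing-type case: it would refuse commands that a correctly identified heavy receiver could accept, which is the price of not inheriting yesterday's selection.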
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
Exercise Success!
Let’s look at Human Operator commands
UCA: Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in contact (can break Boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: Operator believes ______
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in contact (can break Boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Models:
– Operator believes Boom not yet In Contact
– Operator believes BCU is in Coupled mode (will ignore manual cmds)
– Operator believes the movement is not excessive (<TBD), won’t break boom
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in contact (can break Boom)
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Models:
– Operator believes Boom not yet In Contact
– Operator believes BCU is in Coupled mode (will ignore manual cmds)
– Operator believes the movement is not excessive (<TBD), won’t break Boom
Feedback: Operator sees the Boom make contact (but BCU didn’t sense it)
Control Algorithm: Operators develop habit to release stick upon contact (per procedure)
What features could we incorporate to mitigate this?
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
Let’s try a different UCA
UCA: Boom Operator does not provide BCU Off Cmd when BCU is providing movement commands that exceed Boom structural limits
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Model: Operator believes ______
STPA Step 4. A: Potential causes of UCAs (Generic Control Loop)
UCA: Boom Operator does not provide BCU Off Cmd when BCU is providing movement commands that exceed Boom structural limits
[Generic control loop diagram, labels as on the preceding slide]
Flawed Process Models:
– Operator believes Boom is marginally erratic, not yet near structural limits
– Operator believes they need to regain control of Boom movement
Feedback: Inadequate feedback indicating proximity to structural limits
Control Algorithm: Human reaction time isn’t fast enough for this problem
Testers: “If it malfunctions, find the cause”
What features could we incorporate to mitigate these?
STPA Step 4. B: Control Actions not Properly Followed (Generic Control Loop)
Control action: Boom Operator provides BCU Off Cmd
[Generic control loop diagram labels. Controller: Inadequate Control Algorithm (flaws in creation, process changes, incorrect modification or adaptation); Process Model (inconsistent, incomplete, or incorrect); Control input or external information wrong or missing. Actuator: inadequate operation; delays, inaccuracies, missing/incorrect behavior. Controlled Process: component failures; changes over time; unidentified or out-of-range disturbance; process input missing or wrong; process output contributes to system hazard. Sensor: inadequate operation. Feedback: inadequate or missing feedback; feedback delays; incorrect or no information provided; measurement inaccuracies. Other Controller: conflicting control actions; missing or wrong communication with another controller.]
Boom doesn’t stabilize
STPA overview (Leveson and Thomas, 2018)
1) Define Purpose of the Analysis: identify losses and hazards; define the system boundary (system vs. environment); losses to prevent
2) Model the Control Structure: model
3) Identify Unsafe Control Actions: behavior to prevent
4) Identify Loss Scenarios: how could behavior occur
Let’s Review Previous Incidents
KC-10 Tanker Event
• Nov. 1, 2016
• The boom operator lowered the boom
• The boom immediately began to move erratically and well outside of its operational and structural limits.
• The boom operator was not able to control the boom and the aircraft commander declared an in-flight emergency.
• The boom fully detached from the fuselage and landed in an empty field
• Financial loss: $6.52 million
Official Causes
• Sheared DRVT rotary crank provided boom control unit (BCU) with continuous, inaccurate roll position indications. As a result, the BCU compensated with lateral movement commands in both directions, driving the boom beyond its structural limits. The boom oscillated violently, and boom components and structures became so damaged that they failed and triggered multiple warning lights.
• “Boom operator’s failure to turn off the boom flight control switch in a timely manner.” “Turning off the boom flight control switch would have disabled the BCU. This would have neutralized the boom flight control surfaces, and prevented the boom from departing the aircraft.”
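The official causes above and the earlier scenario for the "Boom Operator does not provide BCU Off Cmd" UCA (inadequate feedback on proximity to structural limits; human reaction time not fast enough) point at one design question: what in the system could detect a runaway and disable the BCU faster than a person can? The following is an added teaching example, not code from the tutorial, the accident report, or any tanker. It is a monitor that runs independently of the BCU's own control algorithm, dead-reckons boom position from the commands the BCU issues, cross-checks the roll sensor against those commands (a sensor that never responds to commanded movement is treated as implausible), detects command oscillation, and latches the BCU off by itself. Limits, thresholds, the second position estimate, and the per-cycle samples are all assumptions.

```python
"""Structural-limit and roll-feedback plausibility monitor for a boom control unit.

Added teaching example, not code from the tutorial, the accident report, or
any tanker. It illustrates the scenario 'inadequate feedback indicating
proximity to structural limits' plus 'human reaction time isn't fast enough',
and the KC-10 event in which a sheared DRVT crank fed the BCU inaccurate roll
indications that it compensated for until the boom exceeded its structural
limits. Limits, thresholds and the constructed per-cycle samples are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STRUCTURAL_LIMIT_DEG = 30.0   # assumed lateral structural limit
WARN_AT_DEG = 21.0            # assumed 'approaching limit' feedback threshold
OSC_CMD_DEG = 5.0             # assumed: reversals this large count as oscillation
OSC_REVERSALS = 4             # reversals within the window that trip the monitor
MIN_CMD_DEG = 0.5             # a command this large must move the sensed roll ...
MIN_RESPONSE_DEG = 0.1        # ... by at least this much, else the sensor is suspect
UNRESPONSIVE_CYCLES = 5       # consecutive unresponsive cycles that trip the monitor


@dataclass
class MonitorState:
    bcu_enabled: bool = True
    proximity_level: str = "normal"      # feedback to the operator: normal / warning / limit
    trip_reason: Optional[str] = None
    cycle: int = 0
    est_roll_deg: float = 0.0            # dead-reckoned from commands, independent of the sensor
    last_sensed_deg: Optional[float] = None
    unresponsive: int = 0
    recent_cmds: List[float] = field(default_factory=list)


class StructuralMonitor:
    def __init__(self) -> None:
        self.state = MonitorState()

    def step(self, cmd_delta_deg: float, sensed_roll_deg: float) -> MonitorState:
        """One control cycle: cmd_delta_deg is the lateral movement the BCU
        commanded this cycle; sensed_roll_deg is the DRVT feedback."""
        s = self.state
        if not s.bcu_enabled:
            return s                      # latched off until maintenance resets it
        s.cycle += 1
        s.est_roll_deg += cmd_delta_deg
        # 1. proximity feedback: trust whichever source says we are closer to the limit
        roll = max(abs(sensed_roll_deg), abs(s.est_roll_deg))
        s.proximity_level = ("limit" if roll >= STRUCTURAL_LIMIT_DEG
                             else "warning" if roll >= WARN_AT_DEG else "normal")
        # 2. sensor plausibility: a real command must produce a change in sensed roll
        if s.last_sensed_deg is not None:
            moved = abs(cmd_delta_deg) >= MIN_CMD_DEG
            responded = abs(sensed_roll_deg - s.last_sensed_deg) >= MIN_RESPONSE_DEG
            s.unresponsive = s.unresponsive + 1 if (moved and not responded) else 0
        s.last_sensed_deg = sensed_roll_deg
        # 3. oscillation: large sign reversals in the recent command history
        s.recent_cmds = (s.recent_cmds + [cmd_delta_deg])[-10:]
        reversals = sum(1 for a, b in zip(s.recent_cmds, s.recent_cmds[1:])
                        if a * b < 0 and abs(a) >= OSC_CMD_DEG and abs(b) >= OSC_CMD_DEG)
        if s.proximity_level == "limit":
            self._trip("structural limit reached")
        elif s.unresponsive >= UNRESPONSIVE_CYCLES:
            self._trip("roll feedback implausible")
        elif reversals >= OSC_REVERSALS:
            self._trip("oscillation outside envelope")
        return s

    def _trip(self, reason: str) -> None:
        self.state.bcu_enabled = False     # the 'BCU Off' action, automated
        self.state.trip_reason = reason


def run_cycles(samples: List[Tuple[float, float]]) -> MonitorState:
    """Feed (commanded delta, sensed roll) pairs and return the final monitor state."""
    monitor = StructuralMonitor()
    for cmd, sensed in samples:
        monitor.step(cmd, sensed)
    return monitor.state


# Constructed per-cycle (commanded delta, sensed roll) samples, not flight data.
NOMINAL = [(0.5, 0.5 * k) for k in range(1, 7)]
SHEARED_CRANK = [(2.0, -8.0)] * 8                 # sensor stuck, BCU keeps 'correcting'
OSCILLATING = [(12.0, 12.0), (-12.0, 0.0)] * 3    # BCU hunting left and right
RAMP_TO_LIMIT = [(4.0, 4.0 * k) for k in range(1, 9)]


if __name__ == "__main__":
    for name, samples in [("nominal", NOMINAL), ("sheared crank", SHEARED_CRANK),
                          ("oscillating", OSCILLATING), ("ramp to limit", RAMP_TO_LIMIT)]:
        s = run_cycles(samples)
        print(f"{name:14s} cycle={s.cycle} enabled={s.bcu_enabled} "
              f"level={s.proximity_level} reason={s.trip_reason}")
```

The monitor deliberately does not try to "find the cause" in flight; it only needs enough evidence that the BCU's feedback or commands are no longer trustworthy, which is the distinction between a safety interlock and the testers' diagnostic mindset quoted on the earlier slide.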
Accident report
• “In my opinion, the flight control surfaces were erratic, and the [Boom Operator] should have begun the Flight Controls do not Respond to Command Inputs or Control Surfaces are Erratic checklist immediately. He would have turned off the flight control switch (Step 3) before the hoist cable broke […]”
Checklist 1) Flight Controls do not Respond to Command Inputs or Control Surfaces are Erratic (Applicable Steps)
• Step 1: disconnect the boom from receiver aircraft (if applicable)
• Step 2: retract the boom telescope (if able)
• Step 3: turn off the flight control switch (BCU control)
• Step 4: stow the boom using the hoist cable
Boom Operators, Engineers, Maintenance
Maintenance: “Maintenance personnel […] did not perform step 17, which instructs maintenance personnel to conduct a DRVT polarity test by lowering the boom onto a maintenance dolly and moving it to aircraft left. If the team had […] completed the remaining steps, they would have had an opportunity to detect the faulty component 17 days before the day of the mishap.”
Engineers: “We can use a single DRVT to sense boom roll and send signal to BCU. Not a single point of failure—if it fails, the operators will just disable the BCU! DRVT failure also very unlikely, replaced often!”
Boom Operators: “the boom is going crazy right now...it’s moving left to right past 30 degrees” “I don’t know what to do honestly ... I have no control over this boom”
Another Event
• The ARO made contact but the system didn’t recognize it, remaining in FREE FLIGHT while in contact.
• ARO released the stick, which commands the home (trail) position.
• Receiver wasn’t exactly at home position, so loads built up, breaking the tip.
• Tip flew out and struck the receiver tail.
• Receiver commanded disconnection which was sensed, toggling the boom to CONTACT mode, though now in free flight.
• Boom sensed air loads, generating a positive feedback, fly-up command.
• Boom struck tanker fuselage, lost a fin, was unstable and departed.
STPA in Industry Standards
• ISO/PAS 21448: SOTIF: Safety of the Intended Functionality
– STPA used to assess safety of digital systems
• ASTM WK60748
– “Standard Guide for Application of STPA to Aircraft”
• SAE AIR6913
– “Using STPA during Development and Safety Assessment of Civil Aircraft”
• RTCA DO-356A
– “Airworthiness Security Methods and Considerations”
– STPA-Sec used for cybersecurity of digital systems
• IEC 63187
– “Functional safety - Framework for safety critical E/E/PE systems for defence industry applications”
• SAE J3187
– “Recommended Practice for STPA in Automotive Safety Critical Systems”
• EPRI/Sandia
– Recommending to use STPA for digital I&C
For more information
• Google: “STPA Handbook” (free PDF)
• Email: [email protected]
Short Homework (the best kind!)
• http://psas.scripts.mit.edu/home/2020-stamp-workshop-presentations/
• Not graded, can be anonymous
• Choose an incident or loss event you’re familiar with
• Show how STPA might have anticipated the event before it happened
1. Briefly describe the event
2. Simple control structure (~3-5 boxes)
3. Unsafe Control Action
4. Process Model Flaws: controller believed _____?
5. Why did the controller believe that?
• We’ll review and discuss together on Friday!
Enter Q’s on Slido.com, event code #STPA2