Systems Theoretic Process Analysis (STPA)


STPA (System-Theoretic Process Analysis) (Leveson, 2012)
- Identify accidents and hazards
- Draw the control structure
- Step 1: Identify unsafe control actions
- Step 2: Identify causal factors and create scenarios
[Figure: the basic control loop. The Controller sends Control Actions to the Controlled process; the Controlled process returns Feedback to the Controller.]


ITP Exercise: a new in-trail procedure for trans-oceanic flights

Identify accidents and hazards

Example System: Aviation [Image removed due to copyright restrictions.]
System-level Accident (Loss): ? -> Two aircraft collide
System-level Hazard: ?

Hazard Definition: A system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss). The hazard is the part we can control; the environmental conditions are not.

Examples (accident -> hazard):
- Satellite becomes lost or unrecoverable -> Satellite maneuvers out of orbit
- People die from exposure to toxic chemicals -> Toxic chemicals are released into the atmosphere
- People die from radiation sickness -> Nuclear power plant releases radioactive materials
- People die from food poisoning -> Food products containing pathogens are sold

[Image removed due to copyright restrictions.]
System-level Accident (Loss): Two aircraft collide
System-level Hazard: Two aircraft violate minimum separation


Aviation Examples
System-level Accidents (losses):
- A-1: Two aircraft collide
- A-2: Aircraft crashes into terrain / ocean
System-level Hazards:
- H-1: Two aircraft violate minimum separation
- H-2: Aircraft enters unsafe atmospheric region
- H-3: Aircraft enters uncontrolled state
- H-4: Aircraft enters unsafe attitude
- H-5: Aircraft enters prohibited area

Draw the control structure

North Atlantic Tracks [figure; source unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/help/faq-fair-use/.]

STPA application: NextGen In-Trail Procedure (ITP)
Current State versus Proposed Change. Under the proposed change:
- Pilots will have separation information
- Pilots decide when to request a passing maneuver
- Air Traffic Control approves/denies the request

STPA Analysis: High-level (simple) Control Structure
Questions asked while building it:
- What are the main components and controllers?
- Who controls whom? Flight Crew? Aircraft? Air Traffic Controller?
- What commands are sent between Air Traffic Control, the Flight Crew and the Aircraft?
First cut:
Air Traffic Control --(Issue clearance to pass)--> Flight Crew; Feedback?
Flight Crew --(Execute maneuver)--> Aircraft; Feedback?

STPA Analysis: More complex control structure

Example high-level control structure (control actions flow down, feedback flows up):
Congress --(Directives, funding)--> FAA; FAA --(Reports)--> Congress
FAA --(Regulations, procedures)--> ATC; ATC --(Reports)--> FAA
ATC --(Instructions)--> Pilots; Pilots --(Acknowledgement, requests)--> ATC
Pilots --(Execute maneuvers)--> Aircraft; Aircraft --(Aircraft status, position, etc.)--> Pilots

Detailed Air Traffic Control (ATC) control structure [diagram; recoverable elements]:
- ATC Front Line Manager (FLM) --(Instructions)--> ATC Ground Controller and Other Ground Controllers; Status Updates flow back up
- ATC Ground Controller --(Instructions, Query, via ATC Radio)--> Pilots; Status Updates and acknowledgements flow back
- Company Dispatch <--(Instructions / Status Updates, via ACARS text messages)--> Pilots
- Pilots --(Execute maneuvers)--> Aircraft (one pilot/aircraft pair per flight; four are shown)
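The questions the slides ask while drawing the control structure (who controls whom, what commands are sent, and "Feedback?") can be made mechanical. The Python below is an added example, not part of the lecture slides: it encodes the first-cut ATC / Flight Crew / Aircraft structure and the Congress-to-Aircraft hierarchy, then checks that every control path has a feedback path, which is the gap the first cut leaves open. The class and function names are assumptions made here; the component, control-action and feedback names are taken from the slides.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    """One control loop: control actions go down, feedback comes back up."""
    controller: str
    controlled: str
    control_actions: list
    feedback: list = field(default_factory=list)


class ControlStructure:
    """Hierarchical control structure as a list of control loops (assumed representation)."""

    def __init__(self):
        self.links = []

    def add(self, controller, controlled, control_actions, feedback=()):
        self.links.append(Link(controller, controlled,
                               list(control_actions), list(feedback)))
        return self

    def components(self):
        seen = []
        for link in self.links:
            for name in (link.controller, link.controlled):
                if name not in seen:
                    seen.append(name)
        return seen

    def missing_feedback(self):
        """Control paths with no feedback channel. Without feedback the
        controller's process model cannot be updated, so it cannot tell
        whether its command was executed or whether the state it assumed
        still holds: the 'Feedback?' question on the slide."""
        return [(l.controller, l.controlled) for l in self.links if not l.feedback]

    def chain(self, component):
        """Controllers above `component`, top of the hierarchy first."""
        path = [component]
        while True:
            above = [l.controller for l in self.links if l.controlled == path[0]]
            if not above or above[0] in path:
                return path
            path.insert(0, above[0])

    def render(self):
        lines = []
        for l in self.links:
            lines.append(f"{l.controller} -> {l.controlled}: {', '.join(l.control_actions)}")
            back = ", ".join(l.feedback) if l.feedback else "(none: feedback?)"
            lines.append(f"{l.controlled} -> {l.controller}: {back}")
        return "\n".join(lines)


def simple_structure():
    """The first-cut structure: commands identified, feedback still open."""
    return (ControlStructure()
            .add("Air Traffic Control", "Flight Crew", ["Issue clearance to pass"])
            .add("Flight Crew", "Aircraft", ["Execute maneuver"]))


def high_level_structure():
    """The Congress-to-Aircraft hierarchy, with feedback filled in."""
    return (ControlStructure()
            .add("Congress", "FAA", ["Directives", "Funding"], ["Reports"])
            .add("FAA", "ATC", ["Regulations", "Procedures"], ["Reports"])
            .add("ATC", "Pilots", ["Instructions"], ["Acknowledgement", "Requests"])
            .add("Pilots", "Aircraft", ["Execute maneuvers"],
                 ["Aircraft status", "Position"]))


if __name__ == "__main__":
    for build in (simple_structure, high_level_structure):
        cs = build()
        print(cs.render())
        print("missing feedback:", cs.missing_feedback() or "none", "\n")
```

Running it lists both first-cut links under "missing feedback" and none for the full hierarchy; `chain("Aircraft")` returns the controllers above the aircraft from Congress down, which is the path a Step 2 causal scenario walks when asking which controller's process model was wrong.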

Step 1: Identify unsafe control actions

Identify Unsafe Control Actions
[Control structure: ATC --(Instructions)--> Pilots --(Execute maneuvers)--> Aircraft; Pilots --(Acknowledgement, requests)--> ATC; Aircraft --(Aircraft status, position, etc.)--> Pilots]

Flight Crew action (role): Execute Passing Maneuver
  Not providing causes hazard:  (not yet filled in)
  Providing causes hazard:      Pilots perform ITP when ITP criteria are not met or request has been refused [H-1]
  Incorrect timing/order:       (not yet filled in)
  Stopped too soon:             (not yet filled in)

Structure of a Hazardous Control Action
Example: Pilots provide ITP maneuver when ITP criteria not met
  Source Controller: Pilots
  Type: provide
  Control Action: ITP maneuver
  Context: when ITP criteria not met
Four parts of a hazardous control action:
- Source Controller: the controller that can provide the control action
- Type: whether the control action was provided or not provided
- Control Action: the controller's command that was provided / missing
- Context: conditions for the hazard to occur (system or environmental state in which the command is provided)

Defining Safety Constraints (unsafe control action -> safety constraint)
- Pilot performs ITP when ITP criteria are not met or request has been refused -> Pilot must not perform ITP when criteria are not met or request has been refused
- Pilot starts maneuver late after having re-verified ITP criteria -> Pilot must start maneuver within X minutes of re-verifying ITP criteria
- Etc. -> Etc.
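The four-part UCA structure and the negation rule that turns each UCA into a safety constraint can also be written down as code. The Python below is an added example, not from the slides or from Leveson's book: it builds the four-column UCA table for the Flight Crew's "Execute Passing Maneuver" action, refuses any UCA that does not trace to one of the listed hazards H-1 to H-5, and derives the constraints shown above. The class and function names are assumptions; the UCA and constraint wording follows the slides, the link from the late-start UCA to H-1 is an assumption (the slide gives it no hazard tag), and the "X minutes" placeholder is kept as the slide states it.

```python
from dataclasses import dataclass

# System-level hazards H-1..H-5 as listed on the aviation examples slide.
HAZARDS = {
    "H-1": "Two aircraft violate minimum separation",
    "H-2": "Aircraft enters unsafe atmospheric region",
    "H-3": "Aircraft enters uncontrolled state",
    "H-4": "Aircraft enters unsafe attitude",
    "H-5": "Aircraft enters prohibited area",
}

# The four columns of the UCA table.
NOT_PROVIDED = "not providing causes hazard"
PROVIDED = "providing causes hazard"
WRONG_TIMING = "incorrect timing/order"
STOPPED_TOO_SOON = "stopped too soon"
UCA_TYPES = (NOT_PROVIDED, PROVIDED, WRONG_TIMING, STOPPED_TOO_SOON)


@dataclass(frozen=True)
class UCA:
    """Four-part structure of an unsafe control action (source controller,
    type, control action, context), plus the hazards it traces to."""
    source: str
    uca_type: str
    control_action: str
    context: str
    hazards: tuple
    # Explicit constraint text where plain negation is not precise enough
    # (timing UCAs need a bound such as "within X minutes").
    constraint: str = ""

    def __post_init__(self):
        if self.uca_type not in UCA_TYPES:
            raise ValueError(f"unknown UCA type: {self.uca_type!r}")
        # A control action that leads to no system-level hazard is not a UCA.
        unknown = [h for h in self.hazards if h not in HAZARDS]
        if unknown or not self.hazards:
            raise ValueError(f"UCA must trace to a listed hazard, got {self.hazards}")

    def statement(self):
        ca = f"[{self.control_action}]"
        forms = {
            NOT_PROVIDED: f"{self.source} does not provide {ca} {self.context}",
            PROVIDED: f"{self.source} provides {ca} {self.context}",
            WRONG_TIMING: f"{self.source} provides {ca} at the wrong time or in the wrong order {self.context}",
            STOPPED_TOO_SOON: f"{self.source} stops {ca} too soon {self.context}",
        }
        return f"{forms[self.uca_type]} [{', '.join(self.hazards)}]"

    def safety_constraint(self):
        """Negate the UCA: what the controller must (not) do in that context."""
        if self.constraint:
            return f"{self.source} {self.constraint}"
        ca = f"[{self.control_action}]"
        forms = {
            NOT_PROVIDED: f"must provide {ca} {self.context}",
            PROVIDED: f"must not provide {ca} {self.context}",
            WRONG_TIMING: f"must provide {ca} at the required time and in the required order {self.context}",
            STOPPED_TOO_SOON: f"must not stop {ca} until it is complete {self.context}",
        }
        return f"{self.source} {forms[self.uca_type]}"


def uca_table(ucas):
    """Group UCAs by column; an empty column is a cell still to be analysed."""
    return {t: [u.statement() for u in ucas if u.uca_type == t] for t in UCA_TYPES}


def itp_ucas():
    """The two ITP UCAs from the slides. Tagging the late-start UCA with H-1
    is an assumption made here; the slide lists it without a hazard tag."""
    crew, ca = "Flight Crew", "execute passing maneuver"
    return [
        UCA(crew, PROVIDED, ca,
            "when ITP criteria are not met or the request has been refused", ("H-1",)),
        UCA(crew, WRONG_TIMING, ca,
            "after having re-verified ITP criteria", ("H-1",),
            constraint="must start the passing maneuver within X minutes of re-verifying ITP criteria"),
    ]


if __name__ == "__main__":
    for column, cells in uca_table(itp_ucas()).items():
        print(f"{column}: {cells or '(not yet analysed)'}")
    for uca in itp_ucas():
        print("SC:", uca.safety_constraint())
```

The empty "not providing" and "stopped too soon" columns are the point of printing the whole table rather than only the UCAs found: in STPA a blank cell is an analysis still owed, not a verdict that no UCA exists there.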

Step 2: Identify causal factors and create scenarios

STPA Step 2: Causal scenarios
UCA: Pilot executes maneuver when criteria are not met [H-1]
[Figure: causal-factor diagram for the control loop, from Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Massachusetts Institute of Technology. Used with permission.]

MIT OpenCourseWare, http://ocw.mit.edu
System Safety, Spring 2016
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.