Intelligent-Controller Extensions to STPA
Dan “Mirf” Montes
Disclaimer
The views expressed in this document are those of the author and do not reflect the official position or policies of the United States Air Force, Department
of Defense, or Government.
© drm
88ABW-2015-1004
All images courtesy of Google
Overview
• Motivation
• Work
• Snapshot
Background
The increase of interacting humans and autonomous components in complex systems necessitates rigorous methods to classify information about the controllers in a system.
Motivation
STPA, although advanced in terms of safety analysis, still oversimplifies the human’s role in complex systems.
STPA Gaps
1) Detailed fundamental human-engineering considerations missing from the analysis
2) Controller process-model investigation does not capture higher levels of abstraction used in making robust and flexible decisions
3) No current method in the analysis to summarize the impact of social and organizational influences
Motivation
Human Requirements
Motivation
1) Detailed fundamental human-engineering considerations missing from the analysis
MIL-HDBK-1908B – Human Factors Definitions
MIL-STD-1472G – Human Engineering
MIL-STD-46855A – Human Engineering for the Military
MIL-HDBK-87213A – Visual Displays
MIL-STD-1787C – Display Symbology
MIL-STD-411F – Aircrew Alerts
MIL-STD-1797A – Flying Qualities
MIL-STD-1474D – Noise Limits
MIL-HDBK-516C – Airworthiness
Air Force HSI Handbook
Air Force HSI Pocket Guide
NASA HSI Overview
Standards
Guidance
Best Practices
STPA Gaps
1) Detailed fundamental human-engineering considerations missing from the analysis
2) Controller process-model investigation does not capture higher levels of abstraction used in making robust and flexible decisions
3) No current method in the analysis to summarize the impact of social and organizational influences
Motivation
More to the process model?
Motivation
2) Controller process-model investigation does not capture higher levels of abstraction used in making robust and flexible decisions
(Figure: two controller boxes, each labelled Process Model)
Adapting in Systems
Optimized – System can satisfy fixed objectives in a fixed environment
Robust – System can satisfy fixed objectives and adapt to changes or uncertainties in the environment or the system itself
Flexible – System can also adapt to changes or uncertainties in objectives
Motivation
Saleh et al., 2003
STPA Gaps
1) Detailed fundamental human-engineering considerations missing from the analysis
2) Controller process-model investigation does not capture higher levels of abstraction used in making robust and flexible decisions
3) No current method in the analysis to summarize the impact of social and organizational influences
Motivation
Influences to the Controller
3) No current method in the analysis to summarize the impact of social and organizational influences
(Figure: the Operating Process, drawn as Higher Controller(s) above a Lower Controller that commands Actuator(s) acting on the Physical Process and receives feedback from Sensor(s); influences enter from outside the operating process, both from above the process and from before the process.)
Motivation
Objectives
• Recognize existing STPA human models & analyses
• Extend analysis to address STPA gaps
• Stay general to any controller
Work
Previous Human Models
Work
Leveson, Engineering a Safer World
Model of Context
Most Recent Model
Work
Thornberry, 2014
Human Analysis
Work
(Figure: STPA control-loop causal factors, with the loop elements Controller, Actuator, Controlled Process, Sensor and Other Controller, annotated as Step 1, Step 2a and Step 2b)
Controller: Inadequate Control Algorithm (flaws in creation, process changes, incorrect modification or adaptation); Process Model (inconsistent, incomplete, or incorrect); Control input or external information wrong or missing; Missing or wrong communication with another controller; Conflicting control actions; Inappropriate, ineffective or missing control action
Actuator: Inadequate operation; Delayed operation
Controlled Process: Component failures; Changes over time; Unidentified or out-of-range disturbance; Process input missing or wrong; Process output contributes to system hazard
Sensor: Inadequate operation; Incorrect or no information provided; Measurement inaccuracies; Feedback delays
Feedback path: Inadequate or missing feedback; Feedback delays
Most Recent Analysis
Thornberry, 2014
Work
Extending the Analysis
Work
• Address STPA gaps
• Add refinement to the controller investigation
• Maintain exhaustiveness
Analysis Extension
Work
Human Only
All Controllers
Process Model Investigation
Work
Behavior – How the controlled process interacts with the environment
Mode – Mutually exclusive set of system behaviors
Value – Higher-level goals that are driving the local (safety) constraints
Model of Controlled Process
Model of Automation/Context
Means-Ends Relationships
Mode – Three Parts
Work
Supervisory Structure – The control relationships and communication links in the system hierarchy.
Which controllers currently have or share priority over each controlled component?
Which controlled components may apply authority limits, and under what circumstances? Can those limits be overridden? How will conflicts be decided (i.e., who should have the final authority)?
Component Operating Mode – The set of algorithms that components under my control can use to exert control over their process(es).
What are the physical or logical assumptions and constraints associated with the component's current operating mode?
What data in the information set is the controlled component using to inform its model?
What input and output format am I using with my controlled component(s)?
Mission Phase – The specified set of related behaviors of the controlled system representing its operational state.
What mission phase is the system in (e.g., takeoff, cruise, etc.)?
Do all controllers know the current mission phase?
Does a change in mission phase cause a change in supervisory structure and/or component operating modes (including input/output formats)?
Leveson, 1997
ROBUSTNESS
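The three "mode" questions above can be checked mechanically once each controller's process model is written down next to the actual system state. The following Python sketch is an added illustration, not code from the slides or from any STPA tool; the controller names (pilot, autopilot), the component (pitch_channel) and the phase-to-mode table are constructed assumptions. It reports mission-phase confusion (a controller whose believed phase lags the system), operating-mode and I/O-format mismatches, and ambiguous supervisory structure (zero or several controllers each believing they hold priority over a component) after a phase change that only one controller is told about.

```python
"""Constructed example: compare each controller's process model with the actual
system state for the three mode parts on the slide (supervisory structure,
component operating mode, mission phase). All names and the phase-to-mode
table are assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass
class Component:
    """A controlled component and the operating mode/I-O format it really uses."""
    name: str
    operating_mode: str
    io_format: str


@dataclass
class ProcessModel:
    """What one controller believes about the system; it may be stale or wrong."""
    mission_phase: str
    component_modes: dict = field(default_factory=dict)   # component -> believed mode
    io_formats: dict = field(default_factory=dict)        # component -> format used
    has_priority_over: set = field(default_factory=set)   # components it thinks it owns


@dataclass
class Controller:
    name: str
    model: ProcessModel


@dataclass
class SystemState:
    mission_phase: str
    components: dict   # name -> Component
    controllers: list  # [Controller, ...]


# Assumed table: (phase, component) -> (operating mode, I/O format) for that phase.
PHASE_MODE_TABLE = {
    ("cruise", "pitch_channel"): ("altitude_hold", "target_altitude_ft"),
    ("approach", "pitch_channel"): ("glideslope_track", "glideslope_deviation_dots"),
}


def mission_phase_confusion(state):
    """Names of controllers whose believed mission phase differs from the system's."""
    return sorted(c.name for c in state.controllers
                  if c.model.mission_phase != state.mission_phase)


def operating_mode_mismatches(state):
    """(controller, component, kind, believed, actual) for every place a controller
    assumes an operating mode or I/O format the component is not actually using."""
    found = []
    for c in state.controllers:
        for comp_name, believed_mode in c.model.component_modes.items():
            actual = state.components[comp_name]
            if believed_mode != actual.operating_mode:
                found.append((c.name, comp_name, "mode", believed_mode, actual.operating_mode))
            fmt = c.model.io_formats.get(comp_name)
            if fmt is not None and fmt != actual.io_format:
                found.append((c.name, comp_name, "io_format", fmt, actual.io_format))
    return found


def authority_conflicts(state):
    """component -> sorted claimants, for components with zero or several controllers
    each believing they currently hold priority (the 'who has final authority?' question)."""
    claims = {name: [] for name in state.components}
    for c in state.controllers:
        for comp_name in c.model.has_priority_over:
            claims.setdefault(comp_name, []).append(c.name)
    return {comp: sorted(names) for comp, names in claims.items() if len(names) != 1}


def change_mission_phase(state, new_phase, notified):
    """Switch components to the new phase's mode; only controllers in `notified`
    refresh their process models, so the others keep a stale picture."""
    state.mission_phase = new_phase
    for comp in state.components.values():
        entry = PHASE_MODE_TABLE.get((new_phase, comp.name))
        if entry is not None:
            comp.operating_mode, comp.io_format = entry
    for c in state.controllers:
        if c.name in notified:
            c.model.mission_phase = new_phase
            for comp in state.components.values():
                c.model.component_modes[comp.name] = comp.operating_mode
                c.model.io_formats[comp.name] = comp.io_format
    return state


def build_example():
    """Constructed scenario: pilot and autopilot both believe they own the pitch channel."""
    pitch = Component("pitch_channel", "altitude_hold", "target_altitude_ft")
    cruise_view = lambda: ProcessModel("cruise", {"pitch_channel": "altitude_hold"},
                                       {"pitch_channel": "target_altitude_ft"}, {"pitch_channel"})
    return SystemState("cruise", {"pitch_channel": pitch},
                       [Controller("pilot", cruise_view()), Controller("autopilot", cruise_view())])


def run_scenario():
    """Phase goes cruise -> approach but only the autopilot is told; collect findings."""
    state = build_example()
    conflicts = authority_conflicts(state)          # ambiguous even before the change
    change_mission_phase(state, "approach", notified={"autopilot"})
    return {"authority_conflicts": conflicts,
            "phase_confusion": mission_phase_confusion(state),
            "mode_mismatches": operating_mode_mismatches(state)}


if __name__ == "__main__":
    for key, finding in run_scenario().items():
        print(f"{key}: {finding}")
```

Each finding maps back to one of the slide's questions: `phase_confusion` answers "Do all controllers know the current mission phase?", `mode_mismatches` answers the operating-mode and input/output-format questions, and `authority_conflicts` flags components for which the supervisory structure does not name a single controller with final authority. In a real analysis the process-model contents would come from interviews, procedures and software design documents rather than being typed in by hand.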
Values
What is the controller’s understanding of how values at higher levels of the means-ends hierarchy map to objectives at the controller’s level?
Rasmussen, 1994
Are there any values the controller personally maintains that originate outside the system?
Example: “get-there-itis”
FLEXIBILITY
Work
Too Much Flexibility?
Exploratory behavior!
Normalization of deviance!
People might trade off performance of one behavior for another (or use modes in ways not intended by the designer)
This may inadvertently violate higher-level constraints that should not be violated
Work
Extrinsic Factors
Work
Human Only
All Controllers
Just for Humans…
Workspace
• Climate (light, temp, noise)
• Physiology (inertial, vibrations)
• Anthropometry / ergonomics
• Task workload
Variability
• Age
• Perceptual acuity
• Natural attention capability
• Disposition
• Health, injury, disability, disease
• Psychological / emotional
• Fatigue, physical stress, sleep
• Drugs, medications
Work
What is this?
Work
Human Only
All Controllers
Influence
(Figure: the same Operating Process diagram as before, with Higher Controller(s), Lower Controller, Actuator(s), Physical Process and Sensor(s); influences marked as coming from above the process and from before the process.)
Work
Influence
TEMPORALITY
Work
AF HSI Handbook (2009)
• Personnel – Selection, attributes (e.g., acuity, cognition), background, skills
• Training – Tactics, decision-making
• Human Factors – Workload, workspace, displays, anthro/ergo, automation
• Habitability – Living conditions, sleep, stress
• Environment/OSHA/Safety – HAZMAT, noise, moving parts, wiring
Work
Explicit-Influence Map
Snapshot
Where it meets the road…
Snapshot
Conclusion
• Gaps addressed
  – Human-engineering considerations
  – Process model
  – Socio-organizational and pre-cycle influences
• Any good SE management system can identify, document, and maintain the information elicited with the extended analysis
Special thanks to
Dr. Cody Fleming
Ms. Aubrey Samost
Mr. Dajiang Suo
Mr. Adam Williams