STPA Tutorial Exercise Aerial Refuelingpsas.scripts.mit.edu/home/.../JThomas-STPA-Tutorial... · feedback Synthetic feel Boom position Boom coupled Contact / disconnect signal & feedback

STPA Tutorial ExerciseAerial Refueling

John Thomas

Engineering Systems Lab

MIT

© Copyright John Thomas 2020Please contact [email protected] with any questions!

mailto:[email protected]

Tutorial Objective

• These short tutorials are not training classes

• We cannot cover everything in these tutorial sessions. The objective is just to introduce some of the core concepts and help new attendees follow the workshop presentations.

• Like most techniques, training and practice with a qualified instructor are needed to become proficient.

Acknowledgements!

• Ben Luther

• Ryan Krogstad

• Martin Trae Span

Aerial Refueling Exercise

• Inspired by KC-10, KC-30, and others

• Not an analysis of one specific implementation

• We’ve made changes and simplifications due to time constraints!

Based on the Airbus A330 airliner, a KC-30 refuels a F-16

Boom

Flying a boom is like flying a glider behind tanker.You have full control authority: up, down, left, right, extend, retract.Max extension to 23ft (7.6m), ~10° left/right, ~15° up/down

Image: https://thaimilitaryandasianregion.wordpress.com/2016/02/

Boom designed to mechanically disconnect from receiver at 5 tons tension

KC-30 refueling a B-1 Lancer

1) Define Purpose of the

Analysis

STPA

2) Model the Control

Structure

3) Identify Unsafe Control Actions

4) Identify Loss Scenarios

Identify Losses, Hazards

Define System

boundary Environment

System

(Leveson and Thomas, 2018)

STPA Step 1: Define Purpose of the Analysis

• What are some Losses?

• What are some Aircraft-level Hazards?

Go to http://slido.com (event code is “STPA2”)

http://slido.com/

STPA Step 1: Define Purpose of the Analysis

• What are some Losses?– L1: Loss of life or injury

– L2: Damage to aircraft

– L3: Loss of refueling mission

• What are some Aircraft-level Hazards?– H1: Aircraft violate minimum separation for

refueling [L1,2,3]

– H2: Aircraft airframe integrity is degraded [L1,2,3]

– […]


Analysis


Structure

STPA




Define System


System


Famous Systems Engineering V-Model

13

Concept of Operations

High-Level Req’s

Detailed Req’s

High-Level Design

Detailed Design

Operations & Maint.

System Validation

System Verification

Subsystem Verification

Unit Testing

Implementation

STPA

STPA

STPA

STPA

STPA

STPA

STPA

STPA

STPA

STPA

STPA

STPA is iterated to support development!

Thomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!


Example Safety Control Structure

(Leveson, 2012)

Mission Planning

ReceiverTankerBoom

Operating Procedures


Real-time Operations

ReceiverTankerBoom

ClearanceInstructions


Iterative Control Structure Development




Mission Planning

ReceiverTankerBoom




ReceiverTankerBoom








Receiver


Tanker

Boom

Tanker movement (ideally straight/level)

Receiver tracks Tanker movement (gross tracking)

Boom movement to receptacle (fine tracking)Verbal movement guidance (up 2, left 1)






Receiver


Tanker

Boom


Receiver tracks movement (gross tracking)







Receiver


Tanker

Boom


Receiver tracks movement (gross tracking)





Tanker

Boom

Physical Aircraft

Boom

Tanker

For the purpose of this exercise, let’s focus on Tanker Boom OperationThomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!


KC-30A Refueling Control Station

Primary operator(ARO: Air Refueling Officer) Secondary / Instructor

3D Video 3D Video

Boom Flight Control Stick

Let’s sketch the control structure for Boom Operation

Boom Operator

Boom Control Unit (BCU)

Manual Boom PositionBCU On/Off

Synthetic feedback feelBoom positionBoom coupled

Control Surface Movement (x,y,z)

?

Physical

Automation

Humans

Boom

Tanker Boom Operation



Boom Operator





?

Raise boom? (cable?) Visual position (3D video)

Receiver Pilots

Tanker Pilots

?

? ?

Boom



Boom Operator


Boom




Boom position sensedBoom contact sensedBoom force sensed

Raise boom? (cable?) Visual position (3D video)

Receiver Pilots

Tanker Pilots

?

? ?



Boom Operator

Boom Control Unit

Boom

Receiver Pilots

Aircraft Automation

Receiver Aircraft

Tanker Pilots

Tanker Flight Control System

Physical Aircraft

Manual Boom Pos.BCU On/Off

BCU Next Mode

Control surfacemovement

(x,y,z)

Boom position sensedBoom contact sensedBoom force sensed

Visualposition

feedback

Synthetic feelBoom positionBoom coupled

Contact / disconnect signal & feedback

Tanker movement

Receiver moves to maintain relative position (gross tracking)

Receiver responds to verbal coaching: “up 2, left 1”

ARO flies the boom to the receptacle (fine tracking)

Standard A330 (almost)

Flight pathcommands

Tanker Receiver

Flight pathcommands

Boom Operator Video

Image: https://www.kappa-optronics.com/en/cameras-for-aerospace-defense/cameras-for-aerospace/in-flight-refueling-cameras.cfm

Lateral degrees from trail

Vertical degrees from trail

COUPLED

Receiver state

Boom loads

Boom flight control mode

Telescope extension

Boom Operator





Boom position sensorBoom contact sensorBoom force sensors

Boom

Visual Position (3D Video)

Our control structureTanker Boom Operation



A computer/digital upgrade!

Manual Boom Control (Old System)

1) FREE FLIGHT• Boom Operator moves boom into position

2) COUPLED• Boom Operator moves boom as needed to minimize

contact loading

1) FREE FLIGHT

2) COUPLED

Boom makes contact

Bo

om

Dis

con

ne

cts

System Mode Diagram



Decision to Add Automation: Load Alleviation

• When boom is coupled, automatically fly boom• Use sensors to detect mechanical forces on boom tip

• Boom Control Unit (BCU) automatically moves boom to minimize forces



Partially Automated Boom Control

1) FREE FLIGHT• Boom Operator controls boom• Boom position matches current stick position• Boom Operator flies boom to insert probe

into receptacle, making contact

2) COUPLED• BCU automatically flies the boom• Boom Operator is not in control, stick ignored• The system senses tip loads and flies to null

out that load

1) FREE FLIGHT

2) COUPLED

BCU senses positive contact

Toggle Mode Cmdis sent by Boom Operator or by

Receiver (on disconnect)

BCU Mode Diagram



KC-30A Refueling Control Station

Primary operator(ARO: Air Refueling Officer) Secondary / Instructor

3D Video 3D Video

Boom Flight Control Stick

Toggle Mode Button

Boom Operator






Boom


How does the control structure change?Tanker Boom Operation



Boom Operator


Manual Boom PositionToggle Mode Cmd

BCU On/Off




Boom


How does the control structure change?Tanker Boom Operation




Analysis

STPA



Define System


System




Structure

Boom Operator


BCU On/OffManual Boom Position

Toggle Mode Cmd




Boom


Analyze control actionsTanker Boom Operation



Control Structure:

Unsafe Control Actions

? ? ? ?

BCU Off Cmd

Boom Oper.

BCUBCU Off Cmd

Control Surface Mvt.

Boom



Control Structure:

Unsafe Control Actions Boom Oper.

BCUControl Surface Mvt.

Boom

Not providing causes hazard

Providing causes hazard [in wrong situation, excessive, insufficient, repetitive,

wrong direction, etc.]

Too Early,Too Late,

Order

Stopped Too Soon /

Applied too long

BCU Off Cmd ? ? ? ?

BCU Off Cmd

Source Controller

“Boom Operator provides BCU Off Cmd when BCU Operating Normally (Boom Coupled)

TypeControl Action

Context



Control Structure:



Boom


Providing causes hazard [in wrong situation, excessive, insufficient,

repetitive, wrong direction, etc.]

Too Early, Too Late, Order

Stopped Too Soon / Applied too long

BCU Off Cmd […]Boom Operator provides BCU Off Cmd

when __________[…] […]

BCU Off Cmd

Source Controller


TypeControl Action

Context

Suppose the Boom is Coupled…Thomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!


Control Structure:



Boom

Not providing causes hazard Providing causes hazard

Too Early, Too Late, Order


BCU Off CmdBoom Operator does not

provide BCU Off Cmdwhen __________

[…] […] […]

BCU Off Cmd

Source Controller


TypeControl Action

Context

Suppose the Boom is Coupled…Thomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!



Too Early, Too Late,Order


BCU Off Cmd

Boom Operator does not provide BCU Off Cmd

when BCU is providing movement commands

that exceed Boom structural limits

[…]

Boom operator provides BCU Off Cmd when BCU Operating

Normally (BCU is load alleviating, Boom Coupled)

[…]

Boom Operator provides BCU Off

Cmd too late after __________

Boom Operator provides BCU Off

Cmd too early before _________

[…]

Boom Oper.

BCU

Boom

Operator UCAs BCU On/Off CmdManual Movement Cmd




Providing causes hazard[in wrong situation, excessive,

insufficient, repetitive, wrong direction, etc.]



Manual Movement

Cmd

Boom Operator does not provide

Manual Movement Cmd when

__________

Boom Operator provides Manual Movement Cmd when ______________

Boom Operator provides Manual

Movement Cmd too late after __________


Movement Cmd too early before _________

Boom Operator stops providing Movement Cmd too soon before

_______

Boom Operator continues providing Movement Cmd too long after _______

Boom Oper.

BCU

Boom

Operator UCAs

Case 1: Suppose Boom is In Contact…Case 2: Suppose Boom is not In Contact…

BCU On/Off CmdManual Movement Cmd






Manual Movement

Cmd

Boom Operator does not provide Manual

Movement Cmd when __________

Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in

contact (can break Boom)

Boom Operator provides Manual Movement Cmd when

______________


Movement Cmd too late after

__________


Movement Cmd too early before _________

Boom Operator stops providing Movement Cmd too soon before

_______

Boom Operator continues providing Movement Cmd too long after _______

Boom Oper.

BCU

Boom

BCU On/Off CmdManual Movement Cmd

Operator UCAs




Providing causes hazard Too Early, Too Late, Order


Control Surface

Movement Cmd

BCU does not provide

Movement Cmd when

____

[…]

BCU provides Movement Cmd when

________

[wrong situation, cmdinsufficient, excessive,

wrong direction, oscillatory, repetitive,

etc.]

BCU provides Movement Cmd too late after _____

BCU provides Movement Cmd too early before ______

[…]

BCU continues providing Movement Cmd too long after

________


_________

[…]

Case 1: Suppose the Boom is In Contact…Case 2: Suppose the Boom is Not In Contact…

Boom Oper.

BCU

Boom

Identify Unsafe Control Actions





Providing causes hazard Too Early, Too Late, Order


Control Surface

Movement Cmd


Movement Cmd when

Load exceeds TBD

[…]

BCU provides Movement Cmd when Load does not exceed

TBD

BCU provides excessive Movement

Cmd (>TBD) when Boom is in contact (can break boom)

[insufficient, excessive, oscillatory,

repetitive, etc.]

BCU provides Movement Cmd too late after Load exceeds TBD

BCU provides Movement Cmd too early before Load exceeds TBD

BCU provides Movement Cmd too early before Boom is Coupled

BCU provides Movement Cmd too late after Boom is Disconnected

[…]


Load drops below TBD

BCU continues providing Movement Cmd too long after Load is increases beyond TBD


Boom Position exceeds TBD

[…]

Boom Oper.

BCU

Boom



Case 1: Suppose the Boom is In Contact…






Control Surface

Movement Cmd


Movement Cmd when

Boom Operator

moves Stick […]

BCU provides Movement Cmd when Boom Operator does not move Stick

(Boom Not In Contact)

BCU provides Movement Cmd when Boom Operator has turned BCU Off

BCU provides Movement Cmd in wrong direction (does not match Stick

direction)

BCU provides excessive Movement Cmdbeyond mechanical Boom limits

[insufficient, oscillatory, repetitive, etc.]

BCU provides Movement Cmd too late (more than TBD

sec) after Boom Operator moves

Stick

Computer provides Movement Cmd too

early (>0s) before Boom Operator

moves Stick

[…]


Boom reaches position commanded by Stick


Boom position exceeds TBD

BCU stops providing Movement Cmd too soon before Boom

reaches position commanded by Stick

[…]

Boom Oper.

BCU

Boom



Case 2: Suppose the Boom is Not In Contact…



Timing Diagram: Different UCA Types

timeCommand not provided

Command provided

4) Applied too long, Stopped

too soon

3) Provided too early, too late

2) Excessive, Insufficient, Wrong direction, etc.



Formal STPA

Source Controller

Control Action

ContextUnsafe to provide?Boom in Contact? Strength of Cmded Movement Stick

movement?

BCU Movement Cmd Boom in Contact LimitH < Movement < LimitHH * Yes

BCU Movement Cmd Boom not in Contact LimitH < Movement < LimitHH Matches CmdedMovement

No

BCU Movement Cmd * LimitHH < Movement * Yes

BCU Movement Cmd Boom not in Contact * No stick movement

Yes

[…] […] […] […] […] […]

LimitH = limit that leads to damage when coupled with receiverLimitHH = limit that leads to damage when not coupled



Formal STPA

Source Controller

Control Action


movement?



No



Yes

[…] […] […] […] […] […]




Formal STPA

Source Controller

Control Action


movement?



No



Yes

[…] […] […] […] […] […]




Formal STPA

Source Controller

Control Action


movement?



No



Yes

[…] […] […] […] […] […]




Formal STPA

Source Controller

Control Action


movement?



No



Yes

[…] […] […] […] […] […]







Control Surface

Movement Cmd


Movement Cmd when

Boom Operator

moves Stick […]




direction)

BCU provides excessive Movement Cmdbeyond amount of Stick movement


UCA-10: BCU provides Movement Cmd too late (more than TBD sec) after

Boom Operator moves Stick [H-3]



moves Stick

[…]







[…]

Suppose the Boom is Not Coupled…

Boom Oper.

BCU

Boom



R-1: BCU must provide Movement Cmd within TBD Sec

after Boom Operator moves stick when Not Coupled [UCA-10]

TS-1:Context: Boom is Coupled and Boom Operator moves stick

Verify: BCU does provides Movement Cmd within TBD sec [UCA-10]






Control Surface

Movement Cmd


Movement Cmd when

Boom Operator

moves Stick […]

UCA-2: BCU provides Movement Cmdwhen Boom Operator does not move

Stick [H-1]



direction)





Stick



moves Stick

[…]







[…]


Boom Oper.

BCU

Boom



R-2: BCU must not provide Movement Cmd when Boom is Coupled and Boom Operator has not moved stick [UCA-2]

TS-2:Context: Boom is Coupled and Boom Operator has not moved stick

Verify: BCU does not provide Movement Cmd [UCA-2]






Control Surface

Movement Cmd


Movement Cmd when

Boom Operator

moves Stick […]




direction)





Stick



moves Stick

[…]







[…]


Boom Oper.

BCU

Boom



Is this Safety or Security?Both!




Analysis

STPA


Define System


System




Structure


UCA: BCU provides excessive Movement Cmd (>TBD) when Boom is In Contact (can break

boom)

Inadequate Control Algorithm

(Flaws in creation, process changes,

incorrect modification or

adaptation)

Controller

Process Model

(inconsistent, incomplete, or incorrect)

Control input or external information wrong or missing

ActuatorInadequate operation

SensorInadequate operation

Inadequate or missing feedback

Feedback Delays

Component failures

Changes over time

Controlled Process

Unidentified or out-of-range disturbance

Controller

Process input missing or wrongProcess output contributes to system hazard

Incorrect or no information provided

Measurement inaccuracies

Feedback delays

Delayed operation

Conflicting control actions

Missing or wrong communication with another controller

Controller

STPA Step 4. A: Potential causes of UCAs


Generic Control Loop



boom)



incorrect modification)

Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU believes ____


Feedback Delays



Feedback delays


STPA Step 4. A: Potential causes of UCAs Generic Control Loop



boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU believes ____


Feedback Delays



Feedback delays





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays

Flawed Process Model:

BCU believes Boom is

not In Contact

BCU believes stick is

moving





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays


BCU believes Boom is not

In Contact


moving

Operator sends manual

movement command

when Boom is In contact





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays



not In Contact


moving

Generated Question:How could the BCU determine the Boom is not In Contact?





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays



not In Contact


moving

Control Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays



not In ContactControl Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor

Feedback: Double

pulse upon contact

(E.g. bounces)

Missing pulse feedback

Delayed pulse feedback





boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays




Toggle the belief

when a pulse is

received from

coupling sensor

Feedback: Double

pulse upon contact

(E.g. bounces)



AHA! We currently have no control measure to handle

this case!Thomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!




boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays




Toggle the belief

when a pulse is

received from

coupling sensor

Feedback: Double

pulse upon contact

(E.g. bounces)








boom)




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays




Toggle the belief

when a pulse is

received from

coupling sensor

Feedback: Double

pulse upon contact

(E.g. bounces)



Adversary blocks,

spoofs feedback

indicating contact

Would some of your control measures for

safety mitigate this too?




Let’s try a different UCA

UCA: BCU provides excessive Movement Cmd when

Boom Not In Contact (beyond mechanical Boom limits)




adaptation)

Controller

Process Model






Feedback Delays

Component failures

Changes over time

Controlled Process


Controller




Feedback delays

Delayed operation



Controller




UCA: BCU provides excessive Movement Cmd when Boom Not In Contact




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU believes ____


Feedback Delays



Feedback delays








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU believes ____


Feedback Delays



Feedback delays








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU believes

Boom is In Contact


Feedback Delays



Feedback delays








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays

Flawed Process

Model:

BCU believes

Boom is In Contact

BCU believes Load

is Excessive








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


Feedback Delays



Feedback delays

Flawed Process

Model:

BCU believes Boom

is In Contact

BCU believes Load

is Excessive

Load Feedback: Normal

air forces cause

uncoupled boom load

sensors to report large,

random, and rapidly

fluctuating loads!

Generated Question:How would the BCU determine the Load is Excessive?

Control Algorithm:

When in Contact,

always compensate

for all load feedback








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU Believes

Boom is In Contact

Process output contributes to system hazard

Control Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor

Missing feedback

Feedback Delays

Incorrect information provided









Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU Believes

Boom is In Contact


Generic Control Loop

Feedback: Double

pulse upon contact

(E.g. bounces)



Control Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor

AHA! We currently have no control measure to handle

this case!Thomas, 2020 © Copyright John Thomas 2020Please contact [email protected] with any questions!







Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU Believes

Boom is In Contact


Feedback: Double

pulse upon contact

(E.g. bounces)



Control Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor









Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU Believes

Boom is In Contact


Feedback: Double

pulse upon contact

(E.g. bounces)



Control Algorithm:

Toggle the belief

when a pulse is

received from

coupling sensor

Adversary spoofs

feedback indicating

contact








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Inadequate Control

Algorithm uploaded

by outside controller

Control algorithm:

BCU knows stick not

moving, boom not in

contact; provides

movement cmd anyway









Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

BCU Believes

Boom is In Contact


Operator cmd

to force Coupled

mode?


Generated Question:How would the BCU determine the Boom is In Contact?




UCA: BCU provides excessiveMovement Cmd when Boom Not In Contact




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller


BCU incorrectly believes

Movement Cmd is not

excessive


Feedback Delays



Feedback delays




UCA: BCU provides excessiveMovement Cmd when Boom Not In Contact




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller



Movement Cmd is not

excessive


Feedback Delays



Feedback delays

Generated Question:How would the BCU determine if Movement Cmd is excessive?








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller



Movement Cmd is not

excessive


Feedback Delays



Feedback delays

Control Algorithm:

Compare

Movement/Force to

limits for receiving

aircraft type

Feedback:

Wrong aircraft type

No aircraft type

(defaults to previous

value)








Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller



Movement Cmd is not

excessive


Operator cmd

to set aircraft type/limits:

incorrect or missing

Discuss Weakness: Global Tanker

limits vs. Receiver A/C limits




Exercise Success!

Let’s look at Human Operator commands

UCA: Boom Operator provides excessive Manual Movement Cmd (> TBD) when Boom is in





Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

Operator believes

______


Feedback Delays



Feedback delays









Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

Operator believes

______


Feedback Delays



Feedback delays





Feedback Delays



Feedback delays






Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process Models:

Operator believes Boom not yet In

Contact

Operator believes BCU is in

Coupled mode (will ignore manual

cmds)

Operator believes the movement

is not excessive (<TBD), won’t

break boom





Feedback Delays



Feedback delays






Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process Models:

Operator believes Boom not yet In

Contact

Operator believes BCU is in

Coupled mode (will ignore manual

cmds)

Operator believes the movement is

not excessive (<TBD), won’t break

Boom

Feedback:

Operator sees the Boom

make contact (but BCU

didn’t sense it)

Control Algorithm:

Operators develop

habit to release

stick upon contact

(per procedure)

What features could we incorporate to mitigate this?




Let’s try a different UCA

UCA: Boom Operator does not provide BCU Off Cmd when BCU is providing movement

commands that exceed Boom structural limits




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


Controller

Flawed Process

Model:

Operator believes

______


Feedback Delays



Feedback delays




UCA: Boom Operator does not provide BCU Off Cmd when BCU is providing movement

commands that exceed Boom structural limits Inadequate or

missing feedback

Feedback Delays



Feedback delays




Controller

Process Model




Component failures

Changes over time

Controlled Process


Controller


Delayed operation


ControllerFlawed Process Models:

Operator believes Boom is

marginally erratic, not yet near

structural limits

Operator believes they need to

regain control of Boom movement

Feedback:

Inadequate feedback

indicating proximity to

structural limits

Control Algorithm:

Human reaction time

isn’t fast enough for this

problem

Testers: “If it

malfunctions, find the

cause”

What features could we incorporate to mitigate these?




Boom Operator provides

BCU Off Cmd




adaptation)

Controller

Process Model






Feedback Delays

Component failures

Changes over time

Controlled Process


Controller




Feedback delays

Delays, inaccuracies, missing/incorrect behavior



Controller

Boom doesn’t stabilize


STPA Step 4. B: Control Actions not Properly Followed Generic Control Loop


Boom Operator provides

BCU Off Cmd




adaptation)

Controller

Process Model






Feedback Delays

Component failures

Changes over time

Controlled Process


Controller




Feedback delays

Delays, inaccuracies, missing/incorrect behavior



Controller

Boom doesn’t stabilize


STPA Step 4. B: Control Actions not Properly Followed Generic Control Loop


1) Define Purpose of

the Analysis

STPA

2) Model the Control Structure

3) Identify Unsafe Control

Actions

4) Identify Loss

Scenarios


Define System


System

Losses to prevent Model Behavior to preventHow could

behavior occur


Let’s Review Previous Incidents

• Nov. 1, 2016• The boom operator lowered the boom• The boom immediately began to move erratically

and well outside of its operational and structural limits.

• The boom operator was not able to control the boom and the aircraft commander declared an in-flight emergency.

• The boom fully detached from the fuselage and landed in an empty field

• Financial loss: $6.52 million

KC-10 Tanker Event

Official Causes• Sheared DRVT rotary crank provided boom control unit (BCU) with continuous, inaccurate roll position indications. As

a result, the BCU compensated with lateral movement commands in both directions, driving the boom beyond its structural limits. The boom oscillated violently, boom components and structures became so damaged that they failed and triggered multiple warning lights.

• “Boom operator’s failure to turn off the boom flight control switch in a timely manner.” “Turning off the boom flight control switch would have disabled the BCU. This would have neutralized the boom flight control surfaces, and prevented the boom from departing the aircraft.”



Accident report

• “In my opinion, the flight control surfaces were erratic, and the [Boom Operator] should have begun the Flight Controls do not Respond to Command Inputs or Control Surfaces are Erratic checklist immediately. He would have turned off the flight control switch (Step 3) before the hoist cable broke […]”

Checklist1) Flight Controls do not Respond to Command Inputs or

Control Surfaces are Erratic (Applicable Steps)

• Step 1: disconnect the boom from receiver aircraft (if applicable)

• Step 2: retract the boom telescope (if able)

• Step 3: turn off the flight control switch (BCU control)

• Step 4: stow the boom using the hoist cable



Boom Operators Engineers

“Maintenance personnel […] did not perform step

17, which instructs maintenance personnel to conduct

a DRVT polarity test by lowering the boom onto a

maintenance dolly and moving it to aircraft left. If the

team had […] completed the remaining steps, they

would have had an opportunity to detect the faulty

component 17 days before the day of the mishap.

Maintenance

We can use a

single DRVT to sense boom

roll and send signal to BCU.

Not a single point of failure—if it

fails, the operators will just disable the

BCU!

DRVT failure also very

unlikely, replaced often!

“the boom is going crazy right

now...it’s moving left to right past 30

degrees”

“I don’t know what to do honestly ... I

have no control over this boom”



Another Event

• The ARO made contact but the system didn’t recognize it, remaining in FREE FLIGHT while in contact.

• ARO released the stick, which commands the home (trail) position.

• Receiver wasn’t exactly at home position, so loads built up, breaking the tip.

• Tip flew out and struck the receiver tail.

• Receiver commanded disconnection which was sensed, toggling the boom to CONTACT mode, though now in free flight.

• Boom sensed air loads, generating a positive feedback, fly-up command.

• Boom struck tanker fuselage, lost a fin, was unstable and departed.

STPA in Industry Standards

• ISO/PAS 21448: SOTIF: Safety of the Intended Functionality• STPA used assess safety of digital systems

• ASTM WK60748• “Standard Guide for Application of STPA to Aircraft”

• SAE AIR6913• “Using STPA during Development and Safety Assessment of Civil Aircraft”

• RTCA DO-356A• “Airworthiness Security Methods and Considerations”• STPA-sec used for cybersecurity of digital systems

• IEC 63187• “Functional safety - Framework for safety critical E/E/PE systems for defence

industry applications”

• SAE J3187• “Recommended Practice for STPA in Automotive Safety Critical Systems”

• EPRI/Sandia• Recommending to use STPA for digital I&C



For more information• Google: “STPA Handbook”

• Email: [email protected]

Short Homework (the best kind!)

• http://psas.scripts.mit.edu/home/2020-stamp-workshop-presentations/

• Not graded, can be anonymous

• Choose an incident or loss event you’re familiar with1. Briefly describe the event

• Show how STPA might have anticipated the event before it happened2. Simple control structure (~3-5 boxes)

3. Unsafe Control Action

4. Process Model Flaws: controller believed _____?

5. Why did the controller believe that?

• We’ll review and discuss together on Friday!

Enter Q’s on Slido.comEvent code #STPA2

Free PDF



http://psas.scripts.mit.edu/home/2020-stamp-workshop-presentations/


Documents

STPA Tutorial Exercise Aerial Refuelingpsas.scripts.mit.edu/home/.../JThomas-STPA-Tutorial... · feedback Synthetic feel Boom position Boom coupled Contact / disconnect signal & feedback