STPA Process Summary
- Define purpose of the analysis
- Model the control structure (abstractly)
- including control actions/ process models and states
- Four types of unsafe control actions:
- Not providing the control action
- Providing the control action incorrect
- Providing a potentially safe control action but too early, too late, or in the wrong order
- The control action is stopped too soon or applied too long
Example
- <Hazard> = <System> & <Unsafe Condition> & <Link to Losses>
- e.g. H1: Aircraft violate minimum separation standards [L1, L2]
- e.g. L1: Fatalities
- e.g. L2: Damage to aircraft
- <Safety Constraint> = If <Hazard>, then <what needs to be done to prevent or minimize a loss>
- e.g. SC1: If aircraft violate minimum separation standards, then the violation must be detected and measures taken to prevent collision
- Link unsafe control actions to hazards (from FHA).
- In this context ‘hazard’ v. ‘failure condition’ is the appropriate terminology.
- A hazard is defined as “a system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to a loss.”
- A system is defined as “a set of components that act together as a whole to achieve some common goal, objective, or end. A system may contain subsystems and may also be part of a larger system.”
- Link control actions and unsafe control actions to system states via causal scenarios
- Reword safety constraints as safety requirements
Electric Propulsion System (EPS)
Control Model
STPA Generated Hazards
| Unsafe Control Actions | Failure Condition |
| No motor shutdown by aircrew when over temperature alert | Overtemperature |
| No motor shutdown by aircrew when over vibration alert | Unbalanced motor |
| No motor shutdown by aircrew when over speed alert | Overspeed |
| No motor shutdown by aircrew when over torque alert | Overtorque |
| No motor shutdown by aircrew when over current alert | Overtemperature |
| No voltage modulation when motor running | Loss of thrust |
| Incorrect voltage modulation when motor shutdown | Uncommanded thrust |
| Incorrect voltage modulation when motor locked | Uncommanded thrust |
Control Action/ Unsafe Control Action Safety Constraints
| CA safety constraint | CA safety constraint | Hazards |
| vibration measurement shall occur when Vibration Limiter=Over Vibration Alert | incorrect vibration measurement above actual shall not occur when Vibration Limiter=Over Vibration Alert | Unbalanced Motor |
| temperature measurement shall occur when Temperature Limiter=Over Temperature Protecting | incorrect temperature measurement above actual shall not occur when Temperature Limiter=Over Temperature Protecting | Loss of thrust |
| temperature measurement shall occur when Temperature Limiter=Over Temperature Protecting | incorrect temperature measurement below actual shall not occur when Temperature Limiter=Over Temperature Protecting | Loss of thrust |
| modulated voltage adjustment shall occur when Motor=Running | loss of modulated voltage adjustment shall not occur when Motor=Running | Loss of thrust |
Energy Storage System (ESS)
Control Model
STPA Generated Hazards
| Unsafe Control Actions | Failure Condition |
| No charger shutdown by BMS when battery charged | Uncontained thermal runaway |
| No switch disconnect by BMS when battery discharged | Uncontained thermal runaway |
| Charger shutdown too early by BMS when battery discharged | Loss of thrust |
| Switch disconnect too early by BMS when battery charged | Loss of thrust |
| No cell deviation limiting when cell deviation from mean alert | Uncontained thermal runaway |
| No module deviation limiting when module deviation from mean alert | Uncontained thermal runaway |
| No emergency procedure by aircrew when battery unhealthy | Loss of thrust |
Control Action/ Unsafe Control Action Safety Constraints
| CA safety constraint | UCA negative safety constraint | Hazards |
| state of health indication shall occur when Battery SoH= Not Healthy | incorrect state of health indication shall not occur when Battery SoH= Not Healthy | Uncontained battery cell thermal runaway |
| temperature measurement shall occur when Charger=Charging | temperature measurement above actual shall not occur when Charger=Charging | Uninterrupted battery charging at below min. temperature |
| temperature measurement shall occur when Charger=Charging | temperature measurement below actual shall not occur when Charger=Charging | Uninterrupted battery charging at above max. temperature |
Optionally Piloted eVTOL Aircraft
Tier 1
Tier 2: DAA Integration
Tier 3: DAA Integration
Conclusion
STPA is a MBSA approach that can be used to identify hazards and missing requirements. It complements ARP4761/ ARP4761A.