Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission

Abstract: Abstract-Traditional requirements specification and hazard analysis techniques have not kept pace with the increasing complexity and constraints of modern space systems development. These techniques are incomplete and often consider safety late in the development cycle when the most significant design decisions have already been made. The lack of an integrated approach to perform safety-driven system development from the beginning of the system lifecycle hinders the ability to create safe space systems on time… Show more

“…To this end it is proposed that a hazard modelling and inference process be developed, as described in Figure 3. In this process the actual HAZOP is to be styled upon the approach as adopted for STPA [15,18], whilst an additional method is to be developed to cater for the iterative nature of hazard assessment with dynamical modelling supported by an inference mechanism connecting and validating the apparent dynamical behaviour with respect to the assessed causes. …”

“…Then to provide an interface model with similar formalism this unified modelling approach might be extended to include Parametric diagrams and Constraint Blocks from SysML ( Figure 8) for the causal loop models as proposed in STAMP. Each of these constructs might also represent the various types of element comprising an "Intent Specification" [15]; including the Environment, Supervisory / Operator Task, Functional, Validation & Verification (analysis) models, whilst introducing the concept of a representation for any anticipated specific system Dysfunction models also. A proposal for a closed-loop safety assessment process, incorporating HAZOP styled upon STPA, system dynamics modelling, and Bayesian inference, is proposed as an approach to extend the PASA for a UAS/UAV; as shown in Figure 9.…”

“…In adopting the STAMP framework, and in particular the "Systems Theoretic Process Analysis" (STPA) [15,18], an approach can be developed that considers the likely nature of an applicable range of "Inadequate Control Actions" (ICA), effectively deviations, in the context of a simplified model of the Low-level Process Control Loop [18].…”

“…Furthermore, this study has been pursued to develop a broader Systems approach towards hazard assessment so as to evaluate hypothetical deviations from declared intent -wherein a behavioural modelling framework is to be styled upon that of a STAMP [9] (Systems Theoretic Accident Model and Processes) based hazard assessment methodology and drawing upon STPA [15,18]. It is proposed that one might combine the associated system models, undertake exploratory dynamic hazard assessment, and conduct this within the context of a Preliminary Aircraft Safety Assessment (PASA); as a possible extension to the process guidelines as described in Aerospace Recommended Practice (ARP) 4754A [3]; as outlined in Figure 1.…”

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

“…To this end it is proposed that a hazard modelling and inference process be developed, as described in Figure 3. In this process the actual HAZOP is to be styled upon the approach as adopted for STPA [15,18], whilst an additional method is to be developed to cater for the iterative nature of hazard assessment with dynamical modelling supported by an inference mechanism connecting and validating the apparent dynamical behaviour with respect to the assessed causes. …”

“…Then to provide an interface model with similar formalism this unified modelling approach might be extended to include Parametric diagrams and Constraint Blocks from SysML ( Figure 8) for the causal loop models as proposed in STAMP. Each of these constructs might also represent the various types of element comprising an "Intent Specification" [15]; including the Environment, Supervisory / Operator Task, Functional, Validation & Verification (analysis) models, whilst introducing the concept of a representation for any anticipated specific system Dysfunction models also. A proposal for a closed-loop safety assessment process, incorporating HAZOP styled upon STPA, system dynamics modelling, and Bayesian inference, is proposed as an approach to extend the PASA for a UAS/UAV; as shown in Figure 9.…”

“…In adopting the STAMP framework, and in particular the "Systems Theoretic Process Analysis" (STPA) [15,18], an approach can be developed that considers the likely nature of an applicable range of "Inadequate Control Actions" (ICA), effectively deviations, in the context of a simplified model of the Low-level Process Control Loop [18].…”

“…Furthermore, this study has been pursued to develop a broader Systems approach towards hazard assessment so as to evaluate hypothetical deviations from declared intent -wherein a behavioural modelling framework is to be styled upon that of a STAMP [9] (Systems Theoretic Accident Model and Processes) based hazard assessment methodology and drawing upon STPA [15,18]. It is proposed that one might combine the associated system models, undertake exploratory dynamic hazard assessment, and conduct this within the context of a Preliminary Aircraft Safety Assessment (PASA); as a possible extension to the process guidelines as described in Aerospace Recommended Practice (ARP) 4754A [3]; as outlined in Figure 1.…”

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

“…Pursuant to the objective of developing a "unified" hazard analysis method, eventually also to draw upon the techniques of HAZOP, STAMP [5] and STPA [1,6], a collision avoidance scenario has been constructed complying with the Rules of the Air [7]. In this interaction certain behaviors have been assigned to each entity.…”

Hazards in advising autonomy: Developing requirements for a hazard modelling methodology incorporating system dynamics

5.3.1 A Safety‐Driven Systems Engineering Process