A Formal Approach to Causal Analysis based on STAMP (CAST)
Qibo Yang, Jin Tian
Beihang University, Beijing, China
October 21-23, 2015
Beihang University 2015 ICRSE & PHM-Beijing Conferences | Oct 2015

CONTENTS
I. BACKGROUND
II. METHOD
III. CASE STUDY
IV. CONCLUSION

I. BACKGROUND
Systems-Theoretic Accident Model and Processes (STAMP) and Causal Analysis based on STAMP (CAST):
- Reveal the interactions that lead to an accident.
- Rely on the analysts' experience, which contributes to randomness and incompleteness of the analysis.
Formal Methods:
- Are supported by tools.
- Describe factors more clearly.
- Help analyze and verify the system.
A Formal Approach to CAST (combining the two):
- Indicates accident causation traces.
- Ensures completeness.

II. METHOD
STAMP
(1) Safety constraints
(2) Hierarchical safety control structures
(3) Process models

Causal Analysis based on STAMP (CAST)
(1) Identify the system(s) and system hazard(s).
(2) Identify the system safety constraints.
(3) Document the safety control structure.
(4) Describe the proximate events.
(5) Analyze the loss at the physical system level.
(6) Determine how and why each level contributed to the inadequate control at the lower level.
(7) Examine overall coordination and communication.
(8) Determine the dynamics and changes over time.
(9) Generate recommendations.

II. METHOD
Formal Methods
Model checking with finite state machines (FSM) and linear temporal logic (LTL).
An LTL formula is considered true in a given state if it holds along every path starting in that state.
e.g. the operator G ("globally"): G p is true at time t if p is true at all times t' ≥ t.

II. METHOD
A Formal Approach to CAST
1. Identify the accident, systems, system hazards and system safety constraints.
2. Create the proximate events.
3. Build the safety control structure; describe the safety constraints, control actions and feedback of each component.
4. Identify ineffective physical controls at the physical level.
5. For each component, identify unsafe control actions (UCAs).
6. Transfer the UCA table into FSM model expressions of NuSMV.
7. Transfer the system safety constraints into LTL specifications.
8. Conduct model checking and discuss the result: generate accident causation traces that violate the safety constraints, and verify whether all the UCAs identified in the structure are related to the accident.

III. CASE STUDY
1. Identify the accident, systems, system hazards and system safety constraints.
(1) Accident: At 21:38 on August 24, 2010, a Henan Airlines E190 operating passenger flight VD8387 from Harbin to Yichun crashed while landing at Lindu Airport, Yichun, Heilongjiang Province, killing 44 people and injuring 52 others.
(2) System hazard: the plane lands at an unsafe attitude and speed without going around.
(3) System safety constraints:
A. The plane must land at a safe attitude and speed.
B. The plane must go around if the landing conditions are not good enough.
2. Create the proximate events: as given in the official accident report.

III. CASE STUDY
3. Build the safety control structure; describe the safety constraints, control actions and feedback of each component.
(1) Safety control structure (components of the diagram): Air China Limited; Shenzhen Airlines; CAAC Central and Southern Regional Administration; CAAC Northeast Regional Administration; CAAC Heilongjiang Administration; CAAC Henan Administration; Henan Airlines; Henan Airlines Operation and Control Center; Flight Crew (Commander, Copilot); CAAC Central South Air Traffic Management Bureau; Meteorological Database Administrator; Aviation Meteorological Database; Lindu Airport; Airport Controllers; E190 Plane. (The control and feedback arrows of the diagram are not reproduced in the text.)

III. CASE STUDY
3. Build the safety control structure; describe the safety constraints, control actions and feedback of each component.
(2) Safety constraints of each component, e.g. the Flight Crew:
a) The landing minimum visibility must be at least 3600 meters.
b) Only when the Flight Crew clearly sees the visual reference or the runway may the plane descend below the minimum descent altitude and land.
c) The Flight Crew must go around when the radio altimeter prompts and the runway is not in sight.
d) The Flight Crew must keep the plane at the landing attitude and speed whenever it is at an unsafe altitude.
e) The Flight Crew must report the landing conditions to the Airport Controllers before landing.

III. CASE STUDY
3. Build the safety control structure; describe the safety constraints, control actions and feedback of each component.
(3) Control and feedback actions of each component, e.g. the Flight Crew. (Table shown on the slide; not reproduced in the text.)

III. CASE STUDY
4. Identify ineffective physical controls.
(1) The Flight Crew flew the plane into radiation fog and could not see the runway.
(2) The Meteorological Database Administrator set the wrong address code for Lindu Airport.
5. Identify unsafe control actions (UCAs). (UCA table shown on the slide; not reproduced in the text.)

III. CASE STUDY
6. Transfer the UCA table into FSM model expressions of NuSMV.
7. Transfer the system safety constraints into LTL specifications.
(NuSMV model and LTL specifications shown on the slide; not reproduced in the text.)

III. CASE STUDY
8. Conduct model checking and discussion. (Counterexample traces shown on the slide; not reproduced in the text.)

IV. CONCLUSION
We present a formal approach to CAST and use the Yichun air crash to verify the effectiveness of the approach.
Compared with the official report, the result is more beneficial:
(1) It makes the relationships between the components clear.
(2) It exhibits the accident causation trace leading to the system hazard.
(3) It reveals some causal factors that are not included in the official report.
Compared with classical CAST, the formal approach has the following advantages:
(1) It makes the relationships between controls clear.
(2) It shows the causation of the UCAs.
(3) It gives an overview of the accident causation and propagation traces.
(4) It saves time.

Thank you!
A Formal Approach to Causal Analysis based on STAMP (CAST)
Qibo Yang ([email protected])
Jin Tian ([email protected])
Beihang University, Beijing, China, October 21-23, 2015
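Steps 6 to 8 of the method, worked through as an added example that is not part of the original slides and not the authors' NuSMV model: the process-model variables, the control actions (CA-1 to CA-3), the environmental event (ENV-1) and the two UCAs below are an assumed abstraction of the Flight Crew component constructed for illustration, not the case study's UCA table. Safety constraint B ("go around if the landing conditions are not good enough") is written as the LTL G property G (phase = landed -> runway_seen), which in NuSMV would be the line `LTLSPEC G (phase = landed -> runway_seen)`. Because G over a state predicate holds exactly when the predicate holds in every reachable state, a breadth-first exploration of the reachable states returns the shortest violating trace, and re-running the check with one UCA disabled at a time shows which UCAs are merely related to the accident (they appear on some violating trace) and which are necessary for it (removing that one UCA restores the constraint), which is the check step 8 asks for.

```python
"""Explicit-state model checking of a CAST safety constraint over a UCA model.

Constructed example: variables, control actions (CA), the environmental event
(ENV) and the unsafe control actions (UCA) are an assumed abstraction of the
Flight Crew component, not the authors' UCA table or NuSMV model.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Vars = Dict[str, object]
State = Tuple[Tuple[str, object], ...]   # hashable snapshot of the process model


def freeze(vars_: Vars) -> State:
    return tuple(sorted(vars_.items()))


@dataclass(frozen=True)
class Action:
    uid: str                        # a "UCA-*" uid marks an unsafe control action
    desc: str
    guard: Callable[[Vars], bool]   # when the controller may issue the action
    effect: Vars                    # variables overwritten when it fires


# Initial process model (assumed): clear weather, runway in sight, on approach.
INIT: Vars = {"phase": "approach", "visibility": "clear", "runway_seen": True,
              "ra_prompt": False, "fired": frozenset()}   # fired = UCAs used so far

ACTIONS: List[Action] = [
    Action("ENV-1", "radiation fog forms on the approach",
           lambda s: s["visibility"] == "clear" and s["phase"] != "landed",
           {"visibility": "fog", "runway_seen": False}),
    Action("CA-1", "descend below MDA with the runway in sight",
           lambda s: s["phase"] == "approach" and s["runway_seen"],
           {"phase": "below_mda", "ra_prompt": True}),
    Action("UCA-1", "descend below MDA without visual reference",
           lambda s: s["phase"] == "approach" and not s["runway_seen"],
           {"phase": "below_mda", "ra_prompt": True}),
    Action("CA-2", "land with the runway in sight",
           lambda s: s["phase"] == "below_mda" and s["runway_seen"],
           {"phase": "landed"}),
    Action("UCA-2", "continue to land after the RA prompt without the runway in sight",
           lambda s: s["phase"] == "below_mda" and s["ra_prompt"] and not s["runway_seen"],
           {"phase": "landed"}),
    Action("CA-3", "go around",
           lambda s: s["phase"] in ("approach", "below_mda") and not s["runway_seen"],
           {"phase": "go_around"}),
]


def spec_b(s: Vars) -> bool:
    """Safety constraint B as the LTL property G (phase = landed -> runway_seen).
    G over a state predicate holds iff the predicate holds in every reachable state."""
    return not (s["phase"] == "landed" and not s["runway_seen"])


def step(state: State, act: Action) -> Optional[State]:
    """Successor of `state` under `act`, or None when the guard is false."""
    s = dict(state)
    if not act.guard(s):
        return None
    s.update(act.effect)
    if act.uid.startswith("UCA"):
        s["fired"] = s["fired"] | {act.uid}
    return freeze(s)


def explore(disabled: FrozenSet[str] = frozenset()) -> Dict[State, Tuple[Optional[State], Optional[str]]]:
    """BFS over the reachable states; maps each state to (predecessor, action uid)."""
    start = freeze(INIT)
    parent: Dict[State, Tuple[Optional[State], Optional[str]]] = {start: (None, None)}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for act in ACTIONS:
            if act.uid in disabled:
                continue
            nxt = step(cur, act)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (cur, act.uid)
                queue.append(nxt)
    return parent


def counterexample(spec: Callable[[Vars], bool],
                   disabled: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Shortest action sequence into a state violating G spec, or None if spec holds."""
    parent = explore(disabled)
    for state in parent:            # dict order == BFS order, so the first hit is shortest
        if not spec(dict(state)):
            trace, node = [], state
            while parent[node][0] is not None:
                node, uid = parent[node]
                trace.append(uid)
            return trace[::-1]
    return None


def related_ucas(spec: Callable[[Vars], bool]) -> FrozenSet[str]:
    """UCAs that occur on at least one trace into a violating state."""
    hits = [dict(s)["fired"] for s in explore() if not spec(dict(s))]
    return frozenset().union(*hits)


def necessary_ucas(spec: Callable[[Vars], bool]) -> FrozenSet[str]:
    """UCAs whose removal alone makes the constraint hold again."""
    return frozenset(a.uid for a in ACTIONS if a.uid.startswith("UCA")
                     and counterexample(spec, frozenset({a.uid})) is None)


if __name__ == "__main__":
    print("counterexample:", counterexample(spec_b))          # ['ENV-1', 'UCA-1', 'UCA-2']
    print("related UCAs:", sorted(related_ucas(spec_b)))      # ['UCA-1', 'UCA-2']
    print("necessary UCAs:", sorted(necessary_ucas(spec_b)))  # ['UCA-2']
```

On this constructed model the shortest violating trace is fog, then UCA-1, then UCA-2, the same shape as the proximate events of the case study; both UCAs are related to the violation, but only UCA-2 is necessary, because with UCA-1 disabled the checker still finds the trace CA-1, ENV-1, UCA-2 (fog forming after a legitimate descent). That distinction between "appears on a causation trace" and "removing it alone prevents the hazard" is what model checking adds over reading the UCA table by hand.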