Improving accident causality analysis based on STAMP through integrating model checking

Abstract

Modern safety-critical systems are becoming increasingly more complex than ever before. Continuous complexity increase renders ensuring the safety of such systems increasingly difficult. So, the ability to perform an effective and robust safety analysis on modern safety-critical system plays a more and more crucial role. Traditional safety analysis models based on event chains which consider that accidents are caused by chains of directly related failure events oversimplify causality and the accident process. Also, they exclude many of the systemic factors in accidents and indirect or nonlinear interactions among events. System-Theoretic Accident Modeling and Process(STAMP) accident model is an accident causality model based on system theory used for complex system, especially complex socio-technical system. Safety in STAMP is regarded as an emergent property of system caused by components interactions and a problem of control which means enforcing safety constrains on components behaviors and interactions. In the STAMP based analysis, three basic constructs underlying the analysis process are highlighted: safety constraints, hierarchical safety control structures and process model. With a rise of system complexity, STAMP is playing an increasingly significant role in the development of systemic accident theory. However, STAMP-based safety analysis is usually completed manually, which seems to be with high cost and low efficiency. To raise analysis efficiency, reduce its cost, this paper proposes a formal approach which integrated a model checking with STAMP to automatically search the potential paths that could lead to hazards. By use of model checking, behaviors of the system are simulated and counter example(s) violating the safety constraints and requirements could be raised, to improve the system design. The application of the proposed approach is illustrated through a case study of a typical air accident analysis to verify the validity of the approach. The process and result gained by the improvement have shown us that the safety engineering workload has been reduced and the analysis efficiency has been raised.