A System Safety Assessment of an Unmanned, Solar-Powered Stratospheric Aircraft Using the STPA Methodology

Kurzfassung

Developed for electromechanical systems, traditional safety analysis methods can not provide sufficient guidance to handle the complexity of modern, software intensive systems. New ways of modeling complex systems and human operators in their sociotechnical environment and performing holistic, guided safety analysis based on these models have been developed by Nancy Leveson, Professor of Aeronautics and Astronautics and Professor of Engineering Systems at the Massachusetts Institute of Technology (MIT). This assignment compares the basic principles of the approach on how to achieve safety of a system proposed by the SAE ARP4754A and the approach proposed by Nancy Leveson’s Systems-Theoretic Accident Model and Processes (STAMP) causality theory, including the thereon based Systems-Theoretic Process Analysis (STPA) hazard analysis method. General definitions and assumptions, boundaries, potential weaknesses and advantages of the approaches are estimated, compared and summarized. STPA, including an extension based on works by M. France and J. P. Thomas on how to model and analyze human operators effectively, is further applied on exemplary parts of the High Altitude Platform (HAP) unmanned, solar-powered stratospheric aircraft of the German Aerospace Center (DLR). Applicability is shown, safety issues and causal loss scenarios in the system are identified, and design, operation and operator training recommendations are given. Identified advantages, difficulties and recommendations of practical application of STAMP/STPA are discussed. A proposal on how to include STAMP/STPA in future versions of the SAE ARP4754A is given.