├── .gitignore
├── images
├── generic_model.png
├── thermostat_model.png
├── STPA_workflow_diagram.png
├── generic_control_loop-flaws.png
├── generic_control_loop-labeled.png
├── stamp_overview_relationships.png
├── generic_model.svg
├── generic_control_loop.svg
├── stamp_overview_relationships.svg
├── generic_control_loop-labeled.svg
├── thermostat_model.svg
└── generic_control_loop-flaws.svg
├── handouts
├── handout_losses.pdf
├── handout_models.pdf
├── handout_hazards.pdf
├── handout_causal_scenarios.pdf
├── handout_unsafe_control_actions.pdf
├── examples
│ └── thermostat
│ │ ├── thermostat_teaching_example.pdf
│ │ ├── safety_constraints.tex
│ │ ├── losses_table.tex
│ │ ├── unsafe_control_actions.tex
│ │ ├── system_goals.tex
│ │ ├── thermostat_teaching_example.tex
│ │ ├── hazards.tex
│ │ ├── model.tex
│ │ ├── losses.tex
│ │ └── causal_scenarios.tex
├── handout_hazards.tex
├── handout_losses.tex
├── handout_unsafe_control_actions.tex
├── handout_causal_scenarios.tex
└── handout_models.tex
├── toolkit
├── toolkit_causal_factors.pdf
├── toolkit_generic_losses.pdf
├── toolkit_unsafe_control_actions.pdf
├── toolkit_hierarchical_control_model.pdf
├── toolkit_hierarchical_control_model.tex
├── toolkit_unsafe_control_actions.tex
├── toolkit_causal_factors.tex
└── toolkit_generic_losses.tex
├── LICENSE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | *.aux
2 | *.log
3 | *.pdf
4 | *.dvi
5 | *.gz
6 | *.out
7 | *.toc
8 | *~
--------------------------------------------------------------------------------
/images/generic_model.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/generic_model.png
--------------------------------------------------------------------------------
/handouts/handout_losses.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/handout_losses.pdf
--------------------------------------------------------------------------------
/handouts/handout_models.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/handout_models.pdf
--------------------------------------------------------------------------------
/images/thermostat_model.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/thermostat_model.png
--------------------------------------------------------------------------------
/handouts/handout_hazards.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/handout_hazards.pdf
--------------------------------------------------------------------------------
/images/STPA_workflow_diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/STPA_workflow_diagram.png
--------------------------------------------------------------------------------
/toolkit/toolkit_causal_factors.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/toolkit/toolkit_causal_factors.pdf
--------------------------------------------------------------------------------
/toolkit/toolkit_generic_losses.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/toolkit/toolkit_generic_losses.pdf
--------------------------------------------------------------------------------
/handouts/handout_causal_scenarios.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/handout_causal_scenarios.pdf
--------------------------------------------------------------------------------
/images/generic_control_loop-flaws.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/generic_control_loop-flaws.png
--------------------------------------------------------------------------------
/images/generic_control_loop-labeled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/generic_control_loop-labeled.png
--------------------------------------------------------------------------------
/images/stamp_overview_relationships.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/images/stamp_overview_relationships.png
--------------------------------------------------------------------------------
/toolkit/toolkit_unsafe_control_actions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/toolkit/toolkit_unsafe_control_actions.pdf
--------------------------------------------------------------------------------
/handouts/handout_unsafe_control_actions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/handout_unsafe_control_actions.pdf
--------------------------------------------------------------------------------
/toolkit/toolkit_hierarchical_control_model.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/toolkit/toolkit_hierarchical_control_model.pdf
--------------------------------------------------------------------------------
/handouts/examples/thermostat/thermostat_teaching_example.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/akamai/stamp-materials/HEAD/handouts/examples/thermostat/thermostat_teaching_example.pdf
--------------------------------------------------------------------------------
/handouts/examples/thermostat/safety_constraints.tex:
--------------------------------------------------------------------------------
1 |
2 | \begin{itemize}
3 | \item If the thermostat cannot contact the boiler, it should notify the apartment dweller.
4 | \item In case of a battery operated thermostat, the thermostat should notify the apartment dweller if the battery is low on charge.
5 | \end{itemize}
6 |
--------------------------------------------------------------------------------
/handouts/examples/thermostat/losses_table.tex:
--------------------------------------------------------------------------------
1 | \begin{tabular}{|p{.5cm}|p{8.5cm}|}
2 | \hline
3 | &\textsc{Losses}\\
4 | \hline
5 | L1 & Room gets too cold (2 or more degrees below target)\\
6 | \hline
7 | L2 & Room gets too hot (2 or more degrees above target)\\
8 | \hline
9 | L3 & Damage to facilities, property, or the heating equipment itself\\
10 | \hline
11 | L4 & Waste of fuel\\
12 | \hline
13 | L5 & Physical harm to humans or pets\\
14 | \hline
15 | \end{tabular}
16 | \vspace{1em}
17 |
--------------------------------------------------------------------------------
/handouts/examples/thermostat/unsafe_control_actions.tex:
--------------------------------------------------------------------------------
1 | \begin{tabular}{|p{1.5cm}|p{2cm}|p{2cm}|p{2cm}|p{2cm}|}
2 | \hline
3 | \textsc{Action}&\textbf{not \mbox{provided}}&\textbf{provided (but wrong)}&\textbf{too late, too early, out of sequence}&\textbf{applied for wrong duration}\\
4 | \hline
5 | Turn heat ON&If the room temperature is too low, not turning the furnace on (H2)&If the room is already too hot (H3), if the heater is already on (H4)&Too long after the temperature has fallen below threshold (H2), too soon after turning the heater off (H3)&N/A\\
6 | \hline
7 | \end{tabular}
8 | \vspace{1em}
9 |
10 |
--------------------------------------------------------------------------------
/handouts/examples/thermostat/system_goals.tex:
--------------------------------------------------------------------------------
1 | Consider a heating system involving a thermostat-controlled furnace (boiler with baseboards).
2 |
3 | \textbf{Intent statement:} Warm an apartment to a user-specified temperature by means of a thermostat-controlled furnace in order to provide a comfortable living space and prevent destruction of property due to cold temperatures (e.g. frozen pipes).
4 |
5 | \begin{tabular}{|l|p{9cm}|}
6 | \hline
7 | &\textbf{Goals}\\
8 | \hline
9 | G1 & Allow a user to specify a target temperature\\
10 | \hline
11 | G2 & Raise the apartment temperature to the target temperature within a reasonable period of time (specify)\\
12 | \hline
13 | G3 & Maintain an apartment temperature within 2 degrees of the user-specified target\\
14 | \hline
15 | \end{tabular}
16 | \vspace{1em}
17 |
18 | We might also choose to include goals about supporting \emph{energy efficiency}.
19 | Use your judgment about what to consider an essential part of the mission.
20 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright 2018 Akamai Technologies
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
4 |
5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
6 |
7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/handouts/examples/thermostat/thermostat_teaching_example.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-handout}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{colortbl}
6 | \usepackage{graphicx}
7 |
8 | \title{An STPA Example: Thermostats}
9 | \author{Kep Peterson}
10 | \begin{document}
11 |
12 | \setlength{\parindent}{0em}
13 | \setlength{\parskip}{1em}
14 |
15 | \section{Complications to consider in class}
16 |
17 | \begin{fullwidth}
18 |
19 | \begin{enumerate}
20 | \item What if the furnace doesn't have fuel?
21 | \item What if the apartment resident can also open a window?
22 | \item What if there are two roommates?
23 | \begin{itemize}
24 | \item They can both open the window or adjust the thermostat.
25 | \item Do their preferences differ?
26 | \end{itemize}
27 | \item Let's reframe to consider this from a property manager's perspective.
28 | \begin{itemize}
29 | \item What about installation?
30 | \end{itemize}
31 | \item Let's consider this from a thermostat/heater manufacturer's perspective.
32 | \end{enumerate}
33 |
34 | \end{fullwidth}
35 | \end{document}
36 |
--------------------------------------------------------------------------------
/handouts/examples/thermostat/hazards.tex:
--------------------------------------------------------------------------------
1 |
2 | \begin{tabular}{|p{.75cm}|p{6.75cm}|p{2cm}|}
3 | \hline
4 | &\textsc{Hazards}&\textsc{Losses}\\
5 | \hline
6 | H1&HEAT ON when room is already warm (2 or more degrees above target)&L2, L4, L3\\
7 | \hline
8 | H1.1&Heater can't turn off&L2, L4\\
9 | \hline
10 | H2&HEAT OFF when room is already cold (2 or more degrees below target)&L1, L3, L4\\
11 | \hline
12 | H2.1&Heater can't turn on&L1\\
13 | \hline
14 | H3&Short cycles of HEAT ON and HEAT OFF&L4, L3?\\
15 | \hline
16 | \end{tabular}
17 | \vspace{1em}
18 |
19 | This list of hazards is not yet complete; we have not identified hazards for \emph{L5: Physical harm to humans or pets}, and we haven't expressed much about \emph{L3: Damage to facilities, property, or the heating equipment itself}.
20 |
21 |
22 | %It may be tempting to start thinking about the following:
23 |
24 |
25 | %\begin{tabular}{|l|l|l|}
26 | %\hline
27 | %H6& Thermostat-measured temp differs from actual room temp by >X degrees.&L1-L4\\
28 | %\hline
29 | %H7& Substantial lag between the change in actual temp and the change in measurement.&L1-L4\\
30 | %\hline
31 | %H8& Substantial lag between signaling HEAT ON or HEAT OFF and furnace turning on or off.&L1-L4\\
32 | %\hline
33 | %\end{tabular}
34 |
--------------------------------------------------------------------------------
/handouts/examples/thermostat/model.tex:
--------------------------------------------------------------------------------
1 | \begin{itemize}
2 | \setlength{\itemsep}{0pt}
3 | \setlength{\parskip}{.25em}
4 | \item \textbf{Goal}: Adjust the room's temperature to 72 degrees F (TARGET)
5 | \item \textbf{Internal Process Model / Mental Model}:
6 |
7 | Measured room temperature: 69 degrees F; Current heater state: ON
8 | \item \textbf{Control Algorithm / Decision Process}
9 | \begin{compactitem}[*]
10 | \setlength{\itemsep}{0pt}
11 | \setlength{\parskip}{.25em}
12 | \item If MEASURED $\leq$ TARGET $-$ 2: Turn HEAT ON.
13 | \item If MEASURED $\geq$ TARGET $+$ 2: Turn HEAT OFF.
14 | \item Else: Do nothing.
15 | \end{compactitem}
16 | \item \textbf{Control Actions}: Turn heater ON, Turn heater OFF
17 | \item \textbf{Input} --- A human operator enters the TARGET temperature
18 | \item \textbf{Sensor} --- A thermometer reports the temperature in degrees Fahrenheit
19 | \item \textbf{Actuator} --- We could consider the furnace and heaters an actuator the thermostat uses to adjust the temperature of the apartment's air, or there is an actuator that switches the furnace on or off when signalled by the thermostat.
20 | \item \textbf{System being controlled} --- The thermostat is controlling the heater directly and the temperature of the apartment indirectly.
21 | \end{itemize}
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # What you will find here
2 |
3 | For each of the concepts like “hazards” or the “control model,” there is a handout that summarizes the task of filling out that part of the analysis and includes an example. These are the landscape-oriented documents.
4 |
5 | For many of those tasks, there is also a “toolkit” document – something that supports the task, e.g. a labeled control loop diagram to use while identifying the “causal scenarios.”
6 |
7 | # Contents
8 |
9 | ## Overview
10 |
11 | * STAMP workflow summary
12 | * STAMP workflow diagram
13 |
14 | ## Losses - undesirable outcomes
15 |
16 | * Losses Handout
17 | * Toolkit: Generic Losses
18 |
19 | ## Hierarchical Control Models
20 |
21 | Representations of human and technology interactions as a set of control loops, accounting for goals, roles, responsibilities, and the actions that individuals and pieces of technology can take to influence others.
22 |
23 | * Control Models Handout
24 | * Toolkit: Hierarchical Control Model - A control loop picture
25 |
26 | ## Hazards
27 |
28 | * Hazards Handout
29 |
30 | ## Unsafe Control Actions
31 |
32 | * Unsafe Control Actions Handout
33 | * Toolkit: Unsafe Control Actions - A table to fill in
34 |
35 | ## Causal Scenarios
36 |
37 | * Causal Scenarios Handout
38 | * Toolkit: Causal Scenarios - A picture of a control loop labeled with some control flaws that might contribute to unsafe actions taking place.
--------------------------------------------------------------------------------
/handouts/examples/thermostat/losses.tex:
--------------------------------------------------------------------------------
1 | %\input{losses_table}
2 | \begin{tabular}{|p{.5cm}|p{8.5cm}|}
3 | \hline
4 | &\textsc{Losses}\\
5 | \hline
6 | L1 & Room gets too cold (2 or more degrees below target)\\
7 | \hline
8 | L2 & Room gets too hot (2 or more degrees above target)\\
9 | \hline
10 | L3 & Damage to facilities, property, or the heating equipment itself\\
11 | \hline
12 | L4 & Waste of fuel\\
13 | \hline
14 | L5 & Physical harm to humans or pets\\
15 | \hline
16 | \end{tabular}
17 | \vspace{1em}
18 |
19 | Both \emph{L1} and \emph{L2} reflect the notion of \emph{mission losses}, i.e. the system did not serve its core purpose.
20 |
21 | Similarly, we could include something like:
22 | \marginnote{Compare this notion to ``service level agreements'' about system responsiveness.}
23 |
24 | \begin{tabular}{ll}
25 | L6&Unresponsiveness: The system is too slow to heat the room\\
26 | L7&The system does not accept user input\\
27 | \end{tabular}
28 |
29 | From the perspective of a company manufacturing thermostats and furnaces, we might also choose to include other losses relevant to our business, such as:
30 | \marginnote{Compare this to ``COGS'' concerns.}
31 |
32 | \begin{tabular}{ll}
33 | L8&System is excessively costly to manufacture\\
34 | %L8&Failure to maintain safety certification from inspection boards\\
35 | \end{tabular}
36 |
37 | Alternatively, we might have as a loss, ``The heating system is financially unprofitable'', with ``excessively costly to manufacture'' as a hazard.
38 |
--------------------------------------------------------------------------------
/toolkit/toolkit_hierarchical_control_model.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 | \usepackage{graphicx}
8 | \graphicspath{ {../images/} }
9 |
10 | %\geometry{
11 | % left=.5in,
12 | % right=.5in,
13 | % top=.5in,
14 | % bottom=.5in
15 | %}
16 |
17 | \title{Toolkit: Hierarchical Control Model Picture}
18 |
19 | \begin{document}
20 |
21 | \setlength{\parindent}{0em}
22 | \setlength{\parskip}{.75em}
23 |
24 |
25 | \section{Hierarchical Control Model Starting Point}
26 |
27 | \begin{fullwidth}
28 | \newthought{Starting Questions}
29 |
30 | \begin{itemize}
31 | \setlength{\itemsep}{0pt}
32 | \setlength{\parskip}{.25em}
33 | \item What are some of the participants? (names of groups, components, etc.)
34 | \item What responsibilities are present here? Whose are they?
35 | \item What actions are available? Whose are they?
36 | \item What decisions are being made and who or what is responsible for making them?
37 | \item What information do components use to make those decisions, and how do they get it?
38 | \end{itemize}
39 |
40 | \newthought{Visual Conventions}
41 |
42 | \begin{itemize}
43 | \setlength{\itemsep}{0pt}
44 | \setlength{\parskip}{.25em}
45 | \item Items higher on the page exercise authority over the things lower on the page.
46 | \item Arrows pointing down represent \emph{control actions} or exerting \emph{authority}.
47 | \item Arrows pointing up represent \emph{feedback} via sensors, also describable as \emph{accountability}.
48 | \item Horizontal lines represent coordination and handoffs.
49 | \item Boxes may be nested, representing sub-processes.
50 | \end{itemize}
51 |
52 | \begin{center}
53 | \includegraphics[width=10cm]{generic_model.png}
54 | \end{center}
55 |
56 | \end{fullwidth}
57 | \end{document}
--------------------------------------------------------------------------------
/toolkit/toolkit_unsafe_control_actions.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 |
8 | %\geometry{
9 | % left=.5in,
10 | % right=.5in,
11 | % top=.5in,
12 | % bottom=.5in
13 | %}
14 |
15 | \title{Toolkit: Unsafe Control Actions Table}
16 |
17 | \begin{document}
18 |
19 | \setlength{\parindent}{0em}
20 | \setlength{\parskip}{.75em}
21 |
22 |
23 |
24 | \section{Unsafe Control Actions Table}
25 |
26 | \begin{fullwidth}
27 | \newthought{Requirements}
28 |
29 | For this step, you will need:
30 | \begin{itemize}
31 | \item A list of \textbf{actions} to analyze (taken from your \textbf{control model})
32 | \item A list of \textbf{hazards} those actions might cause if misapplied somehow
33 | \end{itemize}
34 |
35 | In each cell, consider the action at the start of the row, and what hazard or hazards might result if that action occurs in the way described at the top of the column.
36 |
37 | In that cell, write down the hazard number and the context or condition under which that application of the action would result in that hazard.
38 |
39 | \begin{enumerate}
40 | \item Control action \hbox{required} for safety is not provided or not followed. (not provided)
41 | \item An unsafe control action is provided that leads to a hazard. (provided but wrong)
42 | \item A potentially safe control action is provided too late, too early, or out of sequence.
43 | \item A safe control action is stopped too soon or applied too long. (applied for wrong duration)
44 | \end{enumerate}
45 |
46 | \begin{table}
47 | \renewcommand{\arraystretch}{3}
48 | \begin{tabular}{|p{3cm}|p{3cm}|p{3cm}|p{3cm}|p{3cm}|}
49 | \hline
50 | \textsc{Control action}&\textbf{not provided}&\textbf{provided but wrong}&\textbf{too late, too early, or out of sequence}&\textbf{applied for wrong duration}\\
51 | \hline
52 | &&&&\\
53 | \hline
54 | &&&&\\
55 | \hline
56 | &&&&\\
57 | \hline
58 | &&&&\\
59 | \hline
60 | &&&&\\
61 | \hline
62 | &&&&\\
63 | \hline
64 | &&&&\\
65 | \hline
66 | \end{tabular}
67 | \vspace{1em}
68 | \end{table}
69 |
70 | \end{fullwidth}
71 | \end{document}
--------------------------------------------------------------------------------
/handouts/examples/thermostat/causal_scenarios.tex:
--------------------------------------------------------------------------------
1 |
2 | \textbf{Unsafe Control Action}: Turning the heat ON when the room is already too hot.
3 |
4 | \textbf{Causal Scenarios}:
5 |
6 | \begin{compactitem}
7 | \item Control input or external info is wrong or missing:
8 |
9 | TARGET temperature is not set by the user and the default is unusually high.
10 | TARGET temperature is set to the wrong value; the user believed the input was in Fahrenheit, but the thermostat was using Celsius.
11 |
12 | \item Controller: Inadequate Control Algorithm.
13 |
14 | Too long a delay between when the thermostat measures the temperature and when it acts, so that the room has already heated up (e.g. due to warm sunlight) by the time the thermostat turns the heater on.
15 | \item Controller: Process Model Inconsistent, incomplete, or incorrect.
16 |
17 | Perhaps the controller is storing temperature in Celsius, while the TARGET temperature is in Fahrenheit.
18 | Perhaps only two digits of temperature are stored and the room is 103F.
19 | \item Inadequate or missing feedback:
20 |
21 | Thermometer uses different units than the thermostat, reporting degrees C which are recorded as degrees F.
22 | Thermometer is disconnected and the thermostat has not updated its MEASURED temperature.
23 | %\item Feedback Delays
24 | %
25 | %MEASURED temperature is consistently delayed. MEASURED(t) temperature is ACTUAL(t-Delta). MEASURED temperature is inconsistently delayed.
26 | \item Sensor: inadequate operation; incorrect or no information provided
27 |
28 | Perhaps the thermometer is in an unusually cold location, unrepresentative of the general room temperature, so the thermostat activates the heat even when the room at large is already warm.
29 | \end{compactitem}
30 |
31 | \columnbreak
32 | Other examples, not necessarily relevant to this action:
33 |
34 | \begin{compactitem}
35 | \item Controlled Process: Component failures
36 |
37 | Furnace is broken. Furnace is out of fuel.
38 | \item Unidentified or out-of-range disturbance
39 |
40 | Water in the basement, missing roof or walls, open windows
41 | \item Actuator: Inadequate operation
42 |
43 | Heater failed to turn HEAT ON when signaled. Baseboards not radiating heat. Leaking water. Frozen pipes.
44 |
45 | \item Controller 2: Conflicting control actions
46 |
47 | Perhaps someone manually turned the heater on, circumventing the thermostat.
48 | \end{compactitem}
49 |
--------------------------------------------------------------------------------
/handouts/handout_hazards.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 |
8 | \geometry{
9 | left=.5in,
10 | right=.5in,
11 | top=.5in,
12 | bottom=.5in
13 | }
14 |
15 | \begin{document}
16 |
17 | \newtheorem{example}{Ex}
18 |
19 | \begin{landscape}
20 | \advance\vsize6cm
21 | \csname @colroom\endcsname=\vsize
22 | \textheight=\vsize
23 | \csname @colht\endcsname=\vsize
24 |
25 | \setlength{\parindent}{0em}
26 | \setlength{\parskip}{.75em}
27 |
28 | \begin{multicols}{2}
29 | [ \section{Identifying Hazards}]
30 |
31 | \newthought{Definition}
32 |
33 | \textbf{Hazards} are system conditions that, in combination with environmental conditions outside our control, can result in a loss.
34 |
35 | Our task is to \textbf{write a list} of hazards, staying broadly general and covering all the losses.
36 |
37 | For each of the \textbf{losses} defined earlier, we'll identify one or more \textbf{hazards}.
38 |
39 |
40 |
41 | \newthought{Thermostat Example}
42 |
43 | \input{examples/thermostat/losses_table}
44 | \input{examples/thermostat/hazards}
45 | \columnbreak
46 |
47 | \newthought{Desired Qualities}
48 | \begin{itemize}
49 | \setlength{\itemsep}{0pt}
50 | \setlength{\parskip}{.25em}
51 | \item Concise --- We want a relatively short list
52 | \item General --- We don't want to prematurely narrow our focus.
53 | \item Good coverage --- For any accident we can think up, we want it to be described by at least one of the hazards on this list.
54 | \item Non-redundant --- Overlap between hazards is ok, but if one hazard is entirely a subset of another, perhaps consider consolidating them.
55 | \item Under our control --- For them to be useful in guiding our actions, hazards should identify conditions we can actually do something about. Things outside our control (like weather, meteors, or the popularity of particular websites) are environmental conditions.
56 | \item Relevant --- They should be associated with the losses in a meaningful way.
57 |
58 | Perhaps list what environmental condition would result in the loss.
59 | \end{itemize}
60 |
61 | \newthought{Strategic Approaches}
62 |
63 | Ask ``what is \emph{risky but tolerable}?'' vs. ``what is \emph{unacceptable}?'' to distinguish hazards from losses --- what is a priority?
64 |
65 | \newthought{Relationship to other concepts}
66 |
67 | The relationship between \textbf{losses} and \textbf{hazards} lets us \emph{prioritize} our safety efforts, focusing on preventing the system states that are relevant to producing these accidents--- we don't need to examine every combination of system states.
68 |
69 | \end{multicols}
70 | \end{landscape}
71 | \end{document}
72 |
--------------------------------------------------------------------------------
/toolkit/toolkit_causal_factors.tex:
--------------------------------------------------------------------------------
1 | \documentclass{tufte-handout}
2 |
3 | \title{An Introduction to STAMP Safety Analysis}
4 | \author[Kep Peterson]{Kep Peterson}
5 |
6 | %\geometry{showframe} % display margins for debugging page layout
7 |
8 | \usepackage{graphicx} % allow embedded images
9 | \setkeys{Gin}{width=\linewidth,totalheight=\textheight,keepaspectratio}
10 | \graphicspath{{/graphics/}} % set of paths to search for images
11 | \usepackage{amsmath} % extended mathematics
12 | \usepackage{booktabs} % book-quality tables
13 | \usepackage{units} % non-stacked fractions and better unit spacing
14 | \usepackage{multicol} % multiple column layout facilities
15 | \usepackage{lipsum} % filler text
16 | \usepackage{fancyvrb} % extended verbatim environments
17 | \fvset{fontsize=\normalsize}% default font size for fancy-verbatim environments
18 | \usepackage{graphicx}
19 | \graphicspath{ {../images/} }
20 |
21 | % Standardize command font styles and environments
22 | \newcommand{\doccmd}[1]{\texttt{\textbackslash#1}}% command name -- adds backslash automatically
23 | \newcommand{\docopt}[1]{\ensuremath{\langle}\textrm{\textit{#1}}\ensuremath{\rangle}}% optional command argument
24 | \newcommand{\docarg}[1]{\textrm{\textit{#1}}}% (required) command argument
25 | \newcommand{\docenv}[1]{\textsf{#1}}% environment name
26 | \newcommand{\docpkg}[1]{\texttt{#1}}% package name
27 | \newcommand{\doccls}[1]{\texttt{#1}}% document class name
28 | \newcommand{\docclsopt}[1]{\texttt{#1}}% document class option name
29 | \newenvironment{docspec}{\begin{quote}\noindent}{\end{quote}}% command specification environment
30 |
31 | \geometry{
32 | %left=.5in,
33 | %right=.5in,
34 | %top=.5in,
35 | bottom=.5in
36 | }
37 |
38 | \title{Toolkit: Control Loop With Causal Factors}
39 |
40 | \begin{document}
41 |
42 | \setlength{\parindent}{0em}
43 | \setlength{\parskip}{.75em}
44 |
45 | %\maketitle
46 |
47 | %\tableofcontents
48 |
49 | %\bibliography{sample-handout}
50 | %\bibliographystyle{plainnat}
51 |
52 | \section{Control Loop With Causal Factors}
53 |
54 | This diagram shows common flaws in a control loop, or \textbf{causal factors}, that might contribute to the controller misapplying an action or failing to take an action it should have, which we identify as an \textbf{unsafe control action} if it results in a \textbf{hazard}. We use this diagram to guide our brainstorming about why each \textbf{unsafe control action} might occur, identifying \textbf{causal scenarios} we can design features to prevent.
55 |
56 | \begin{fullwidth}
57 | \begin{center}
58 | \includegraphics[width=4in]{../images/generic_control_loop-flaws.png}
59 | \end{center}
60 | \end{fullwidth}
61 |
62 | [Based on a diagram from \emph{Engineering A Safer World} p.223]
63 |
64 | \end{document}
65 |
--------------------------------------------------------------------------------
/handouts/handout_losses.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 |
8 | \geometry{
9 | left=.5in,
10 | right=.5in,
11 | top=.5in,
12 | bottom=.5in
13 | }
14 |
15 | \begin{document}
16 |
17 | \begin{landscape}
18 | \advance\vsize6cm
19 | \csname @colroom\endcsname=\vsize
20 | \textheight=\vsize
21 | \csname @colht\endcsname=\vsize
22 |
23 | \setlength{\parindent}{0em}
24 | \setlength{\parskip}{.75em}
25 |
26 |
27 | \begin{multicols}{2}
28 | [ \section{Identifying Losses}]
29 |
30 | \newthought{Definition}
31 |
32 | Accident: An undesired or unplanned event that results in a \textbf{loss}, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. [\emph{Engineering A Safer World} p 181]
33 |
34 | \textbf{Losses} are the outcomes we want to prevent.
35 |
36 | Our task is to \textbf{write a list} of them, staying broadly general and covering all the areas of concern for our safety analysis to address.
37 | \newthought{Thermostat Example}
38 |
39 | \input{examples/thermostat/losses}
40 | \columnbreak
41 |
42 | \newthought{Desired Qualities}
43 | \begin{itemize}
44 | \setlength{\itemsep}{0pt}
45 | \setlength{\parskip}{.25em}
46 | \item Concise --- We want a relatively short list ($<20$); these are our priorities.
47 | \item General --- We don't want to prematurely narrow our focus.
48 |
49 | Example: "Someone is injured" may be a more useful loss statement than "Someone is injured by hot equipment" because, overall, we want to prevent \emph{any} injury.
50 | \item Good coverage --- For any accident we can think up, we want it to be described by at least one of the losses on this list.
51 | \item Non-redundant --- Overlap between losses is ok, but if one loss is entirely a subset of another, perhaps consider consolidating them.
52 | \item Relevant --- They should be problems we actually consider important to prevent for our system.
53 |
54 | Example: "Civil war breaks out" is not a loss relevant to our thermostat example (except jokingly, or if there's an allegory about climate change).
55 | \end{itemize}
56 |
57 | \newthought{Strategic Approaches}
58 |
59 | Ask "what is \emph{unacceptable}?" vs. "what is \emph{risky but tolerable}?" to distinguish from hazards.
60 |
61 | \emph{Toolkit}: List of generic losses.
62 |
63 | \newthought{Relationship to other concepts}
64 |
65 | For each of these \textbf{losses}, we will identify hazardous system conditions that, in combination with environmental conditions, can result in an accident in which we experience the loss.
66 |
67 | The relationship between \textbf{losses} and \textbf{hazards} lets us \emph{prioritize} our safety efforts, focusing on preventing the system states that are relevant to producing these accidents --- we don't need to examine every combination of system states.
68 |
69 | \end{multicols}
70 | \end{landscape}
71 | \end{document}
--------------------------------------------------------------------------------
/toolkit/toolkit_generic_losses.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 |
8 | %\geometry{
9 | % left=.5in,
10 | % right=.5in,
11 | % top=.5in,
12 | % bottom=.5in
13 | %}
14 |
15 | \title{Toolkit: Generic Losses}
16 |
17 | \begin{document}
18 |
19 | \setlength{\parindent}{0em}
20 | \setlength{\parskip}{.75em}
21 |
22 | \begin{fullwidth}
23 |
24 | \section{Generic Losses}
25 |
26 | \newthought{Definition}
27 |
28 | \textbf{Losses} are the outcomes we want to prevent.
29 |
30 | \newthought{What this list is}
31 |
32 | Col. Bill Young, a colleague of Nancy Leveson's, proposes considering mission loss in some of his talks.
33 | Much of this list grew out of conversations in Akamai's InfoSec Safety Team about "life, limb, liberty, loot..." and gradually expanded. This list may not be complete, and you may wish to subdivide these items differently, but it can serve as an inspirational starting point.
34 |
35 | \newthought{Generic Losses to start with}
36 | \begin{enumerate}
37 | \setlength{\itemsep}{0pt}
38 | \setlength{\parskip}{.25em}
39 |
40 | \item \textsc{mission loss} - Failure to meet critical system goals and "minimum viable product" requirements
41 | \item \textsc{life and limb} - Accidents resulting in injury or death
42 | \item \textsc{wellbeing} - More general harm to individuals
43 |
44 | We can include "psychological harm" or "quality of life" under this category, if we do not specifically identify it elsewhere.
45 | This includes the wellbeing (physical, mental, material, etc.) of people inside or outside of the company (system developers, operators, end users, customers...). We may want to consider morale, usability factors, etc. This might also be a reminder to include "positive user experience" among goals.
46 | \item \textsc{liberty and legal} - Violation of laws, contractual obligations, or certification obligations
47 |
48 | This includes encountering legal proceedings that are cumbersome or expensive, even if penalties are not incurred.
49 | \item \textsc{lucre} - Financial loss (e.g. Through fines, COGS, inability to sell, ...)
50 | \item \textsc{material} - Damage to equipment and facilities
51 | \item \textsc{interference} - Damage to or disruption of other systems or processes
52 |
53 | This can be useful when considering the impact of one Akamai system on another.
54 | More broadly, we do not want Akamai's operation to damage the internet at large.
55 | "Don't make things worse."
56 | \item \textsc{reputation} - Damage to business reputation in a way that erodes customer, employee, or public trust and may impact current or future relationships
57 | \item \textsc{adoption failure} - Shifting from an old system to a new system doesn't occur, occurs too slowly, or is arduous or fraught
58 |
59 | This might be related to a mission goal for a transition project of some sort.
60 | \item \textsc{[past losses]} - This is a reminder to examine past accidents for inspiration about losses to avoid.
61 | \end{enumerate}
62 |
63 | \newthought{Strategic Approaches}
64 |
65 | Ask "what is \emph{unacceptable}?" vs. "what is \emph{risky but tolerable}?" to distinguish from hazards.
66 |
67 | \end{fullwidth}
68 | \end{document}
--------------------------------------------------------------------------------
/handouts/handout_unsafe_control_actions.tex:
--------------------------------------------------------------------------------
1 | \documentclass[a4paper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 |
8 | \geometry{
9 | left=.5in,
10 | right=.5in,
11 | top=.5in,
12 | bottom=.5in
13 | }
14 |
15 | \begin{document}
16 |
17 | \begin{landscape}
18 | \advance\vsize6cm
19 | \csname @colroom\endcsname=\vsize
20 | \textheight=\vsize
21 | \csname @colht\endcsname=\vsize
22 |
23 | \setlength{\parindent}{0em}
24 | \setlength{\parskip}{.75em}
25 |
26 | \begin{multicols}{2}
27 | [ \section{Identifying Unsafe Control Actions}]
28 |
29 | \newthought{Definition}
30 |
31 | Now we ask, "How could the system enter hazardous states?"
32 |
33 | We focus on how actions taken by parts of the system could cause hazards, if those actions occur under inappropriate conditions.
34 | We use a table with these guides:\begin{itemize}
35 | \setlength{\itemsep}{0pt}
36 | \setlength{\parskip}{.25em}
37 | \item Control action required for safety is not provided or not followed
38 | \item An unsafe control action is provided that leads to a hazard (action inappropriate)
39 | \item A potentially safe control action is provided too late, too early, or out of sequence (occurs at wrong time)
40 | \item A safe control action is stopped too soon or applied too long (occurs for wrong duration)
41 | \end{itemize}
42 |
43 | Each cell entry is marked with ``not applicable'', ``not hazardous'', or a description of the \textbf{context} that makes the action dangerous and the \textbf{hazard} that results.
44 |
45 | \newthought{Thermostat Example}
46 |
47 | \input{examples/thermostat/unsafe_control_actions}
48 |
49 | \columnbreak
50 | \newthought{Desired Qualities}
51 | \begin{itemize}
52 | \setlength{\itemsep}{0pt}
53 | \setlength{\parskip}{.25em}
54 | \item Completeness --- Check each cell.
55 | \item Each cell entry is marked with ``not applicable'', ``not hazardous'', or a description of the \textbf{context} that makes the action dangerous and the \textbf{hazard} that results.
56 | \item It is acceptable for a cell to include multiple (context,hazard) pairs.
57 | \end{itemize}
58 |
59 | \newthought{Strategic Approaches}
60 |
61 | \begin{itemize}
62 | \setlength{\itemsep}{0pt}
63 | \setlength{\parskip}{.25em}
64 | \item \textsc{Divide and conquer} --- This work can be split up among several people.
65 | \item \textsc{Pace your efforts} --- Track progress, returning later as needed.
66 | \item Triage and prioritize --- This table can get huge. With limited time resources, we may choose not to aim for completeness.
67 |
68 | Prioritize investigating actions needing additional scrutiny, e.g. actions that are new, poorly understood, currently changing, believed to be risky, or involved in close interactions with other systems that need additional scrutiny.
69 | \end{itemize}
70 |
71 | \emph{Toolkit}: Unsafe Control Actions table
72 |
73 | \newthought{Relationship to other concepts}
74 |
75 | The \textbf{actions} we are analyzing here come from our \textbf{control model}.
76 |
77 | The judgement of whether an action occurring inappropriately (or inappropriately failing to occur) is a \emph{problem} comes from associating it with a \textbf{hazard}, which we have identified as a precursor to at least one \textbf{loss}.
78 |
79 | \end{multicols}
80 | \end{landscape}
81 | \end{document}
--------------------------------------------------------------------------------
/handouts/handout_causal_scenarios.tex:
--------------------------------------------------------------------------------
1 | \documentclass[letterpaper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 | \usepackage{graphicx}
8 | \graphicspath{ {../images/} }
9 |
10 | \geometry{
11 | left=.5in,
12 | right=.5in,
13 | top=.5in,
14 | bottom=.5in
15 | }
16 |
17 | %\title{Identifying Causal Scenarios}
18 |
19 | \begin{document}
20 |
21 | \begin{landscape}
22 | \advance\vsize0cm
23 | \csname @colroom\endcsname=\vsize
24 | \textheight=\vsize
25 | \csname @colht\endcsname=\vsize
26 |
27 | \setlength{\parindent}{0em}
28 | \setlength{\parskip}{.75em}
29 |
30 | \begin{multicols}{2}
31 | [ \section{Identifying Causal Scenarios}]
32 |
33 | \newthought{Definition}
34 |
35 | Now we ask, ``What could cause an operator or part of the system to take an inappropriate action or fail to take action when needed?'' A \textbf{causal scenario} is a description of how and why the \textbf{unsafe control action} could happen.
36 |
For each \textbf{unsafe control action}, we will inspect the \textbf{control loop} that action is part of in the \textbf{hierarchical control model}, identifying how flaws in that control loop could cause that action to occur in that particular inappropriate way.
Consider each of the control loop flaws, or \textbf{causal factors}, marked on the control loop diagram, and ask ``How could that factor contribute to this unsafe control action?''
37 |
38 | Once we have a list of causal scenarios, we can check whether our system has mechanisms to address them.
39 |
40 | \newthought{Causal Factors Prompt}
41 |
42 | [Based on a diagram from \emph{Engineering A Safer World} p.223]
43 | \begin{center}
44 | \includegraphics[width=9cm]{generic_control_loop-flaws}
45 | \end{center}
46 |
47 | \columnbreak
48 |
49 | \newthought{Desired Qualities}
50 |
51 | \begin{compactitem}
52 | \item Completeness --- When finding causal scenarios for a particular unsafe control action, consider each part of the control loop in which the action occurs.
53 | \item Plausibility --- Could this happen at all?
54 | \item Relevance
55 | \end{compactitem}
56 |
57 | \newthought{Strategic Approaches}
58 |
59 | This is an exercise in focused brainstorming; we might not think of everything, but focusing on the system bit by bit may make it easier to come up with potential problems we hadn't considered earlier.
60 |
61 | \begin{compactitem}
62 | \item \textsc{Divide and conquer} --- This work can be split up among several people.
\item \textsc{Pace your efforts} --- Track progress, returning later as needed.
\item \textsc{Triage and prioritize} --- Prioritize investigating actions needing additional scrutiny, e.g. actions that are new, poorly understood, currently changing, believed to be risky, or involved in close interactions with other systems that need additional scrutiny.
63 | \end{compactitem}
64 |
65 | \emph{Toolkit}: Causal Factors diagram
66 |
67 | \newthought{Relationship to other concepts}
68 |
69 | Each \textbf{unsafe control action} maps to several \textbf{causal scenarios}.
70 |
Each \textbf{causal scenario} maps to at least one unsafe control action.
71 |
72 | When performing this step, we use the \textbf{hierarchical control model} to identify system parts relevant to the action being inspected.
73 |
74 | When we check our list of causal scenarios to see whether our system has mechanisms to address them, we identify new system requirements.
75 |
76 | \pagebreak
77 |
78 | \newthought{Thermostat Example}
79 |
80 | \input{examples/thermostat/causal_scenarios}
81 |
82 | \end{multicols}
83 | \end{landscape}
84 | \end{document}
85 |
--------------------------------------------------------------------------------
/images/generic_model.svg:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/handouts/handout_models.tex:
--------------------------------------------------------------------------------
1 | \documentclass[letterpaper]{tufte-book}
2 | \usepackage{booktabs}
3 | \usepackage{tabularx}
4 | \usepackage{longtable}
5 | \usepackage{lscape}
6 | \usepackage{colortbl}
7 | \usepackage{graphicx}
8 | \graphicspath{{../images/}}
9 |
10 | \geometry{
11 | left=.5in,
12 | right=.5in,
13 | top=.5in,
14 | bottom=.5in
15 | }
16 |
17 | %\title{Creating a Hierarchical Control Model}
18 |
19 | \begin{document}
20 |
21 | \begin{landscape}
22 | \advance\vsize0cm
23 | \csname @colroom\endcsname=\vsize
24 | \textheight=\vsize
25 | \csname @colht\endcsname=\vsize
26 |
27 | \setlength{\parindent}{0em}
28 | \setlength{\parskip}{.75em}
29 |
30 | \begin{multicols}{2}
31 | [ \section{Creating a Hierarchical Control Model}]
32 |
33 | \newthought{Definition}
34 |
35 | A \textbf{hierarchical control model} is a representation of the system as a combination of control loops depicting the roles and responsibilities of different human and technical components and the relationships (in terms of authority and accountability) that they have to one another.
36 |
37 | It consists of:
38 | \begin{compactitem}
39 | \setlength{\itemsep}{0pt}
40 | \setlength{\parskip}{.25em}
41 | \item a \emph{graphical representation} of the relationships components have to one another
42 | %
43 | %Note: in the sense of "nodes and edges" as well as "visual depiction"
44 | \item \emph{annotations} capturing certain information about the system parts depicted
45 | \end{compactitem}
46 |
47 | \begin{center}
48 | \includegraphics[width=4cm, height=4cm]{generic_model}
49 | \end{center}
50 |
51 | \newthought{Visual Conventions}
52 |
53 | \begin{compactitem}
54 | \setlength{\itemsep}{0pt}
55 | \setlength{\parskip}{.25em}
56 | \item \textsc{boxes}
57 |
58 | Each box can represent an abstract process, a human organization or group, an individual human operator, or a technical component.
59 | \item \textsc{nesting}
60 |
61 | Boxes inside others may be used to indicate that the interior elements are sub-processes of the exterior elements.
62 | \item \textsc{vertical position}
63 |
64 | Items higher on the page exert authority over items lower on the page.
65 | \item \textsc{arrows} connecting boxes
66 | \begin{compactitem}
67 | \setlength{\itemsep}{0pt}
68 | \setlength{\parskip}{.25em}
69 | \item down: \emph{control actions} or exerting \emph{authority}
70 | \item up: \emph{feedback} via sensors, or \emph{accountability}
71 | \item horizontal: coordination and handoffs between \hbox{processes} or peers.
72 | \end{compactitem}
73 | \end{compactitem}
74 |
75 | \columnbreak
76 |
77 | \textsc{Annotations}
78 | \begin{compactitem}
79 | \setlength{\itemsep}{0pt}
80 | \setlength{\parskip}{.25em}
81 | \item \textsc{goals}
82 |
83 | Specific target outcomes to guide the controlled process towards
84 | \item \textsc{internal process model / mental model}
85 |
86 | This includes variables representing the state of the controlled process as perceived by the controller. \emph{Note}: May differ from actual state.
87 | \item \textsc{control algorithm / decision process}
88 |
89 | How does the controller choose what actions to take and when?
90 | We do not need to write out the whole algorithm here.
91 | \item \textsc{Available control actions}
92 |
93 | We can write a list of the actions and depict them graphically with arrows to the controlled process(es).
94 | We can depict the \emph{actuators} that carry out the actions by noting them along the arrows.
95 | \end{compactitem}
96 |
97 | \begin{compactitem}
98 | \item \textsc{Input and instructions} directed to the controller to set goals, etc.
99 | \item \textsc{actuators} to carry out the actions the controller specifies (depicted on arrow edges)
100 | \item \textsc{sensors}
101 |
102 | Arrows back from the controlled process to the controller depict \emph{feedback via sensors}, updating the internal process model.
103 | \item \textsc{system being controlled} --- Represented by another box, which may itself be a controller.
104 | \end{compactitem}
105 |
106 | \newthought{Strategic Approaches}
107 | \begin{compactitem}
108 | \setlength{\itemsep}{0pt}
109 | \setlength{\parskip}{.25em}
110 | \item Start simple, perhaps with only 3 rectangles.
111 | \item Multiple diagrams at different levels of abstraction may be useful.
112 | \end{compactitem}
113 |
114 | \emph{Toolkit}: Hierarchical Control Model Starting Point
115 |
116 | \newthought{Relationship to other concepts}
117 |
118 | %The \textbf{actions} we list in our model are ones we can analyze to identify \textbf{unsafe control actions}.
119 |
120 | When we identify \textbf{causal scenarios} that can cause \textbf{unsafe control actions} to occur, we seek flaws in the control loop the action is part of, using our model to show us which actuators and feedback are relevant.
121 |
122 | \pagebreak
123 |
124 | \newthought{Thermostat Example}
125 |
126 | \input{examples/thermostat/model}
127 |
128 | Note: The ACTUAL temperature may differ from MEASURED (e.g. ACTUAL might be 68 degrees F while MEASURED is 69 degrees F).
129 |
130 | \columnbreak
131 |
132 | \newthought{Thermostat Diagram}
133 |
134 | \begin{center}
135 | \includegraphics[width=8cm]{thermostat_model}
136 | \end{center}
137 |
138 | \end{multicols}
139 | \end{landscape}
140 | \end{document}
141 |
--------------------------------------------------------------------------------
/images/generic_control_loop.svg:
--------------------------------------------------------------------------------
1 |
2 |
159 |
--------------------------------------------------------------------------------
/images/stamp_overview_relationships.svg:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
381 |
--------------------------------------------------------------------------------
/images/generic_control_loop-labeled.svg:
--------------------------------------------------------------------------------
1 |
2 |
419 |
--------------------------------------------------------------------------------
/images/thermostat_model.svg:
--------------------------------------------------------------------------------
1 |
2 |
416 |
--------------------------------------------------------------------------------
/images/generic_control_loop-flaws.svg:
--------------------------------------------------------------------------------
1 |
2 |
1065 |
--------------------------------------------------------------------------------