Applying System-Theoretic Accident Model and Processes (STAMP) to Hazard Analysis

Abstract

<p>Although traditional hazard analysis techniques, such as failure modes and effect analysis (FMEA), and fault tree analysis (FTA) have been used for a long time, they are not well-suited to handling modern systems with complex software, human-machine interactions, and decision-making procedures. This is mainly because traditional hazard analysis techniques rely on a direct cause-effect chain and have no unified guidance to lead the hazard analysis. The Systems Theoretic Accident Model and Process (STAMP) is based on systems theory to try to find out as much as possible about the factors involved in a hazard, and with providing clear guidance as to the control structure leading to the hazard.</p> <p>The Darlington Nuclear Power Generating Station was the first nuclear plant in the world in which the safety shutdown systems are computer controlled. Although FTA and FMEA have already been applied to these shutdown systems, Ontario power generation felt that it is still useful to try recent advances to evaluate whether they can improve on the previous hazard analysis.</p> <p>This thesis introduces the two most common traditional techniques of hazard analysis, FTA and FMEA, as well as two systemic techniques, STPA (which is a hazard analysis method associated with STAMP), and the Functional Resonance Accident Model (FRAM). The thesis also explains why we chose STPA to apply to the Darlington Shutdown System case, and provides an example of the application as well as an evaluation of its use compared with FMEA and FTA.</p>