基于STPA和FTPN的海上自主水面船舶航行实时风险评估

doi:10.16265/j.cnki.issn1003-3033.2024.08.1290

摘要/Abstract

摘要：

为实时监测海上自主水面船舶(MASS)航行过程风险,基于系统理论事故模型与过程(STAMP)建立MASS的安全控制结构,采用系统理论过程分析法(STPA)确定损失/事故和系统级危险,识别不安全控制行为并分析损失场景,构建系统状态转化过程模型;采用模糊时间Petri网(FTPN)建模,以设定的MASS航行场景得到相关模糊时间函数并推算FTPN的情态演进;引入新的风险水平表达式并通过系统实时损失/事故二维路径图来可视化系统的实时风险水平和系统不安全状态的转化路径。结果表明:设定的航行场景在当前时刻下,缺少安全水深输入、未更新避碰路径、航向航速不安全、搁浅是风险最高的系统不安全状态,并对应4条风险最高的转化路径;STPA驱动下的FTPN过程模型能全面评估MASS航行的实时风险水平,以系统实时损失/事故二维路径图作为可视化界面,用于监管MASS航行中不安全系统状态并描述其转化路径。

关键词: 系统理论过程分析(STPA), 模糊时间Petri网(FTPN), 海上自主水面船舶(MASS), 实时风险评估, 转化路径

Abstract:

In order to monitor the risk during the navigation of MASS, the safety control structure of MASS was constructed based on System-theoretic Accident Model and Process (STAMP). STPA was used to define the losses/accidents and system-level hazards, identify unsafe control actions, analyze loss scenarios, and construct an accident model for system state transition. FTPN was used to model the process model, and a given MASS navigation situation was used to obtain the relevant fuzzy time functions and to project the situational evolution of FTPN. A new risk level expression was introduced, and a two-dimensional path diagram of system loss/accident was used to visualize the real-time system risk level and system unsafe states transition paths. The results show that at the current moment of the set navigation situation, no safe water depth input, no updated collision avoidance path, unsafe heading and speed, and grounding are the highest risk system unsafe states and correspond to the four highest risk transition paths. The study shows that the FTPN process model driven by STPA can comprehensively assess the real-time risk level of MASS navigation. Visualize real-time risk with a two-dimensional path diagram of real-time losses/accidents of the system, which can monitor the unsafe system states during MASS navigation and describe their transition paths.

Key words: systems-theoretic process analysis (STPA), maritime autonomous surface ships (MASS), fuzzy-timing Petri net (FTPN), transition path, real-time risk assessment

中图分类号:

X913.4安全系统工程

席永涛, 刘鹏杰, 胡甚平, 韩冰. 基于STPA和FTPN的海上自主水面船舶航行实时风险评估[J]. 中国安全科学学报, 2024, 34(8): 18-26.

XI Yongtao, LIU Pengjie, HU Shenping, HAN Bing. Real-time risk assessment for maritime autonomous surface ships based on STPA and FTPN[J]. China Safety Science Journal, 2024, 34(8): 18-26.

图/表 10

图1

图2

表1

STPA第1步:定义分析目的的结果

H	库所	系统级危险	安全约束	追溯路径
H₁	$P H 1$	MASS未与他船保持安全距离	MASS需保证不会导致CS的安全距离	A₁
H₂	$P H 2$	MASS相对他船航向和航速不安全	MASS需确保当前航向/航速不会导致CS	A₁
H₃	$P H 3$	MASS未满足富余水深限制	MASS需确保富余水深满足富余水深限制	A₂
H₄	$P H 4$	MASS相对浅滩的航向/航速不安全	MASS需确保当前航向/航速可凭自身行动避免搁浅	A₂

表1

图3

表2

STPA输出间的追溯路径及对应的FTPN库所

STPA输出	追溯路径
A	A₁\ $P A 1$		A₂\ $P A 2$
H	H₁\ $P H 1$	H₂\ $P H 2$	H₃\ $P H 3$	H₄\ $P H 4$
U	U₁\ $P U 1$ ; U₂\ $P U 2$ ; U₃\ $P U 3$ ; U₄\ $P U 4$
L	U₁\ $P U 1$ ← L₁\ $P L 1$ -L₁₁\ $P L 11$	U₂\ $P U 2$ ← L₁₂\ $P L 12$ -L₁₅\ $P L 15$	U₃\ $P U 3$ ← L₁₆\ $P L 16$ -L₂₄\ $P L 24$	U₄\ $P U 4$ ← L₂₅\ $P L 25$ -L₃₅\ $P L 35$

表2

图4

表3

表4

相关模糊延迟dE,v(τ)

E	v	d_E_,_v(τ)	E	v	d_E_,_v(τ)
T₁× $P U 1$	$P L 3$	d₁(τ)=(177,190,190,207)	T₁× $P U 4$	$P L 3$	d₁₀(τ)=(390,449,449,564)
T₂× $P H 1$	$P L 3 P U 1$	d₂(τ)=(113,120,120,132)	T₃× $P H 1$	$P L 3 P U 4$	d₁₁(τ)=(0,0,0,0)
T₄× $P A 1$	$P L 3 P U 1 P H 1$	d₃(τ)=(192,213,213,216)	T₄× $P A 1$	$P L 3 P U 4 P H 1$	d₁₂(τ)=∞
T₂× $P H 2$	$P L 3 P U 1$	d₄(τ)=(167,188,188,211)	T₃× $P H 2$	$P L 3 P U 4$	d₁₃(τ)=∞
T₅× $P A 1$	$P L 3 P U 1 P H 2$	d₅(τ)=(139,145,145,157)	T₅× $P A 1$	$P L 3 P U 4 P H 2$	d₁₄(τ)=∞
T₂× $P H 3$	$P L 3 P U 1$	d₆(τ)=(267,278,278,356)	T₃× $P H 3$	$P L 3 P U 4$	d₁₅(τ)=(14,14,14,14)
T₆× $P A 2$	$P L 3 P U 1 P H 3$	d₇(τ)=(28,28,28,28)	T₆× $P A 2$	$P L 3 P U 4 P H 3$	d₁₆(τ)= (14,14,14,14)
T₂× $P H 4$	$P L 3 P U 1$	d₈(τ)=(0,0,0,0)	T₃× $P H 4$	$P L 3 P U 4$	d₁₇(τ)= (0,0,0,0)
T₇× $P A 2$	$P L 3 P U 1 P H 4$	d₉(τ)=(274,306,306,396)	T₇× $P A 2$	$P L 3 P U 4 P H 4$	d₁₈(τ)=(28,28,28,28)

表4

表5

实例研究FTPN情态演进和计算结果

情态	层	库所	托肯	托肯颜色	(τ_x,Q_x)
c₁	L层	$P L 3$	t₁/ $P L 3$	{ $P L 3$ , $P L 3$ ,1,(0,0,0,0)}	(0,1)
c₂	U层	$P U 1$	t₁/ $P U 1$	{ $P U 1$ , $P L 3 P U 1$ ,2,(177,190,190,207)}	(191,1)
c₂	U层	$P U 4$	t₁/ $P U 4$	{ $P U 4$ , $P L 3 P U 4$ >,2,(390,449,449,564)}	(468,0)
c₃	H层	$P H 1$	t₁/ $P H 1$	{ $P H 1$ , $P L 3 P U 1 P H 1$ ,3,(290,310,310,339)}	(313,0)
		$P H 1$	t₂/ $P H 1$	{ $P H 1$ , $P L 3 P U 4 P H 1$ ,3,(390,449,449,564)}	(468,0)
		$P H 2$	t₁/ $P H 2$	{ $P H 2$ , $P L 3 P U 1 P H 2$ ,3,(344,378,378,418)}	(380,0)
		$P H 2$	t₂/ $P H 2$	{ $P H 2$ , $P L 3 P U 4 P H 2$ ,3,∞}	(∞,0)
		$P H 3$	t₁/ $P H 3$	{ $P H 3$ , $P L 3 P U 1 P H 3$ ,3,(444,468,468,563)}	(492,0)
		$P H 3$	t₂/ $P H 3$	{ $P H 3$ , $P L 3 P U 4 P H 3$ ,3,(404,463,463,578)}	(482,0)
		$P H 4$	t₁/ $P H 4$	{ $P H 4$ , $P L 3 P U 1 P H 4$ ,3,(177,190,190,207)}	(191,1)
		$P H 4$	t₂/ $P H 4$	{ $P H 4$ , $P L 3 P U 4 P H 4$ ,3,(390,449,449,564)}	(468,0)
c₄	A层	$P A 1$	t₁/ $P A 1$	{ $P A 1$ , $P L 3 P U 1 P H 2 P A 1$ ,4,(482,523,523,555)}	(520,0.348)
			t₂/ $P A 1$	{ $P A 1$ , $P L 3 P U 1$ P_H2 $P A 1$ ,4,∞}	(∞,0)
			t₃/ $P A 1$	{ $P A 1$ , $P L 3 P U 4 P H 2 P A 1$ ,4,(483,523,523,575)}	(527,0.445)
			t₄/ $P A 1$	{ $P A 1$ , $P L 3 P U 4$ P_H2 $P A 1$ ,4,∞}	(∞,0)
		$P A 2$	t₁/ $P A 2$	{ $P A 2$ , $P L 3 P U 1 P H 3 P A 2$ ,4,(472,496,496,591)}	(520,0.566)
			t₂/ $P A 2$	{ $P A 2$ , $P L 3 P U 1 P H 3 P A 2$ ,4,(418,477,477,592)}	(496,0.828)
			t₃/ $P A 2$	{ $P A 2$ , $P L 3 P U 4 P H 4 P A 2$ ,4,(451,496,496,603)}	(517,0.779)
			t₄/ $P A 2$	{ $P A 2$ , $P L 3 P U 4 P H 4 P A 2$ ,4,(418,477,477,592)}	(496,0.828)

表5

图5

参考文献 16

[1]	UTNE I B, ROKSETH B, SØRENSEN A J, et al. Towards supervisory risk control of autonomous ships[J]. Reliability Engineering & System Safety, 2020, 196: DOI: 10.1016/j.ress.2019.106757.
[2]	ZHANG Yingyu, DONG Chuntong, GUO Weiqun, et al. Systems theoretic accident model and process (STAMP): a literature review[J]. Safety Science, 2021: DOI: 10.1016/j.ssci.2021.105596.
[3]	LEVESON N G, THOMAS J. STPA handbook[Z]. Massachusetts Institute of Technology, 2018.
[4]	张浦哲, 吴兵, 严新平, 等. 内河船舶远程驾驶控制系统安全分析[J]. 中国安全科学学报, 2022, 32(8):126-132. doi: 10.16265/j.cnki.issn1003-3033.2022.08.1069
	ZHANG Puzhe, WU Bing, YAN Xinping, et al. Safety analysis for remote control system of inland ships[J]. China Safety Science Journal, 2022, 32(8):126-132. doi: 10.16265/j.cnki.issn1003-3033.2022.08.1069
[5]	CHAAL M, VALDEZ BANDA O A, GLOMSRUD J A, et al. A framework to model the STPA hierarchical control structure of an autonomous ship[J]. Safety Science, 2020, 132: DOI: 10.1016/j.ssci.2020.104939.
[6]	CEYLAN B O, AKYUZ E, ARSLANOĞLU Y. Modified quantitative systems theoretic accident model and processes (STAMP) analysis: a catastrophic ship engine failure case[J]. Ocean Engineering, 2022, 253: DOI: 10.1016/j.oceaneng.2022.111187.
[7]	ZELESKIDIS A, DOKAS I M, PAPADOPOULOS B K. Knowing the safety level of a system in real-time: an extended mathematical model of the STAMP-based RealTSL methodology[J]. Safety Science, 2022, 152: DOI: 10.1016/j.ssci.2022.105739.
[8]	RASTRABANK N. Risk management guidelines for banks and financial institutions[R]. Bank of Tanzania, 2018.
[9]	席永涛, 张靓, 付姗姗, 等. 基于SFN-SD的北极冰区船舶航行风险传递路径研究[J]. 中国安全科学学报, 2023, 33(4):52-60. doi: 10.16265/j.cnki.issn1003-3033.2023.04.0840
	XI Yongtao, ZHANG Liang, FU Shanshan, et al. Research on risk transfer path of ship navigation in Arctic waters based on SFN and SD[J]. China Safety Science Journal, 2023, 33(4):52-60. doi: 10.16265/j.cnki.issn1003-3033.2023.04.0840
[10]	吴哲辉. Petri网导论[M]. 北京: 机械工业出版社, 2006:1-24.
[11]	杜彦华, 范玉顺. 资源约束下多过程的不确定时间建模与分析[J]. 机械工程学报, 2010, 46(4):169-176.
	DU Yanhua, FAN Yushun. Modeling and analyzing of uncertain time for multi-process of workflows with resource constraints[J]. Journal of Mechanical Engineering, 2010, 46(4):169-176.
[12]	MURATA T. Temporal uncertainty and fuzzy-timing high-level Petri nets[C]. International Conference on Application and Theory of Petri Nets, 1996:11-28.
[13]	ZHOU YI, MURATA T. Petri net model with fuzzy timing and fuzzy-metric temporal logic[J]. International Journal of Intelligent Systems, 1999, 14(8):719-745.
[14]	周翔宇, 吴兆麟, 王凤武, 等. 自主船舶的定义及其自主水平的界定[J]. 交通运输工程学报, 2019, 19(6):149-162.
	ZHOU Xiangyu, WU Zhaolin, WANG Fengwu, et al. Definition of autonomous ship and its autonomy level[J]. Journal of Traffic and Transportation Engineering, 2019, 19(6):149-162.
[15]	ZHU Qinghua, XI Yongtao, HU Shenping, et al. Spatial-temporal analysis method of ship traffic accidents involving data field: an evidence from risk evolution of ship collision[J]. Ocean Engineering, 2023, 276: DOI: 10.1016/j.oceaneng.2023.114191.
[16]	王胜正, 申心泉, 赵建森, 等. 基于ASAE深度学习预测海洋气象对船舶航速的影响[J]. 交通运输工程学报, 2018, 18(2):139-147.
	WANG Shengzheng, SHEN Xinquan, ZHAO Jiansen, et al. Prediction of marine meteorological effect on ship speed based on ASAE deep learning[J]. Journal of Traffic and Transportation Engineering, 2018, 18(2):139-147.

T	含义
T₁	SCC未得到高风险警报、未提供必要的控制输入等
T₂	自主避碰/航线跟踪系统未提供避碰路径更新
T₃	S₁船已处于紧迫危险阶段或已无法避免搁浅
T₄	S₁船未减速停止、警告他船等
T₅	S₁船未紧急改变航向航速、警告他船等
T₆	S₁船未减速停船、改变船体姿态、减少吃水等
T₇	S₁船未紧急改变航向航速等