applied

sciences
Article
Hazard Analysis for Escalator Emergency Braking
System via System Safety Analysis Method Based
on STAMP
Zitong Zhou , Yanyang Zi *, Jinglong Chen and Tong An
State Key Laboratory for Manufacturing and Systems Engineering, Xi’an Jiaotong University, Xi’an 710049,
China; tongzhou925@stu.xjtu.edu.cn (Z.Z.); jlstrive2008@163.com (J.C.); antong0531@stu.xjtu.edu.cn (T.A.)
* Correspondence: ziyy@mail.xjtu.edu.cn




Received: 19 September 2019; Accepted: 22 October 2019; Published: 25 October 2019


Abstract: Due to the complex mechanical structure and control process of escalator emergency braking
systems (EEBS), traditional hazard analysis based on the event chain model have limitations in
exploring component interaction failure in such a complex social-technical system. Therefore, a hazard
analysis framework is proposed in this paper for hazard analysis of complex electromechanical
systems based on system-theoretic accident model and process (STAMP). Firstly, basic principles of
STAMP are introduced and comparison with other hazard analysis methods is conducted, then the
safety analysis framework is proposed. Secondly, a study case is performed to identify unsafe control
actions of EEBS from control structures, and a specific control diagram is organized to recognize
potential example casual scenarios. Next, comparison between fault tree analysis and STAMP for
escalator’s overturned accident shows that hazards related to component damaged can be identified
by both, while hazards that focus on components interaction can only be identified by STAMP.
Besides, single control way and tandem operation process are found to be the obvious causal factors
of accidents. Finally, some improvement measures like decibel detection or vibration monitoring of
key components are suggested to help the current broken chain detection to trigger the anti-reversal
device for a better safe EEBS.

Keywords: system safety; STAMP; escalator emergency braking system; hazard; unsafe control
action; fault tree analysis

1. Introduction
Escalators, as an important part of modern life, plays a more and more significant role in our life.
In China, the number of elevators and escalators continues to grow every year, and the growth rate
ranks first in the world. With the increase in the number of escalators, accidents related to escalator
have also shown an upward trend. Since 2005, China has experienced an average of about 40 elevator
accidents per year and the death people is about 30. The number of serious escalator accidents from the
year 2009 to 2014 is shown in Figure 1 and the injuries in Guangzhou Metro from the year 2013 to 2015
are shown in Table 1 [1]. Due to the huge number of bases, although the death rate of escalators is very
low, the damage and social influence on the injured are very serious. Thus, the safety of escalators has
also attracted more and more attention [2–5]. When accidents happened, hazard analysis techniques
based on related safety theory can help technicians identify the cause of failure efficiently and the
potential hazards that may cause the accident, then set up safety protection to avoid the recurrence of
similar accidents according the causes and hazards.

Appl. Sci. 2019, 9, 4530; doi:10.3390/app9214530 www.mdpi.com/journal/applsci

Appl. Sci. 2019, 9, 4530 2 of 21

Table 1. Overview of the injuries in Guangzhou Metro [1]. Reproduced with permission from [1],
Elsevier, 2019.
Appl. Sci. 2019, 9, x FOR PEER REVIEW 2 of 23
Year Passenger Flow Per Year (billion) Total Injuries Escalator-Related Injuries
2013
2013 1.99
1.99 418
418 291
291
2014 2.28 477 314
2014
2015 2.28
2.40 477
520 314
345
2015 2.40 520 345

Figure 1. Trend of serious escalator-related accidents in China, 2009–2014 [1]. Reproduced with
Figure 1. Trend of serious escalator-related accidents in China, 2009–2014 [1].
permission from [1], Elsevier, 2019.
As the base of the safety issue, accident or safety theory is used to clarify the cause, the process,
As the base of the safety issue, accident or safety theory is used to clarify the cause, the process,
the end and the consequences of the accident to make a clear analysis of the occurrence and
the end and the consequences of the accident to make a clear analysis of the occurrence and development
development of the accident. Traditional accident theory started from almost 100 years ago, accident
of the accident. Traditional accident theory started from almost 100 years ago, accident prone theory was
prone theory was proposed by Farmer and Chamb based on the research of statistical casualty
proposed by Farmer and Chamb based on the research of statistical casualty distribution Greenwood
distribution Greenwood and Woods [6]. After that, Traditional safety theory such as Heinrich Law
and Woods [6]. After that, Traditional safety theory such as Heinrich Law and Energy Release Theory
and Energy Release Theory have been proposed successively [7,8]. All these theories focus on the
have been proposed successively [7,8]. All these theories focus on the instability and unsafety of human
instability and unsafety of human beings and their behavior in the system. However, the WASH-1400
beings and their behavior in the system. However, the WASH-1400 report about nuclear reactor safety
report about nuclear reactor safety study established the framework of probabilistic risk assessment
study established the framework of probabilistic risk assessment (PRA) technology and conducted
(PRA) technology and conducted safety assessment in the field of nuclear power, which greatly
safety assessment in the field of nuclear power, which greatly promoted the research and application
promoted the research and application of probabilistic risk models [9]. In 1997, Reason expressed the
of probabilistic risk models [9]. In 1997, Reason expressed the different levels of the system as slices
different levels of the system as slices of Swiss cheese. The "holes" on the slices represent defects at
of Swiss cheese. The “holes” on the slices represent defects at all levels of the system, which became
all levels of the system, which became the most famous "Swiss cheese" model in classical safety theory
the most famous “Swiss cheese” model in classical safety theory [10]. Since then, some descriptive
[10]. Since then, some descriptive theories based on the actual behavior of the system, such as normal
theories based on the actual behavior of the system, such as normal accident theory (NAT) proposed by
accident theory (NAT) proposed by Charles Perrow, and highly reliable organization Theory (HRO)
Charles Perrow, and highly reliable organization Theory (HRO) proposed by Karlene Roberts, have a
proposed by Karlene Roberts, have a profound impact on accident cause and system safety [11–13].
profound impact on accident cause and system safety [11–13].
In 1997, Rasmussen initiated the system safety analysis method based on cybernetics and
In 1997, Rasmussen initiated the system safety analysis method based on cybernetics and systems
systems theory, in which risk management was described as a control process and risk management
theory, in which risk management was described as a control process and risk management must
must be established based on the classification for hazard sources of control requirements [14]. In
be established based on the classification for hazard sources of control requirements [14]. In 2004,
2004, Leveson established a system theoretic accident model and processes (STAMP) based on the
Leveson established a system theoretic accident model and processes (STAMP) based on the system
system theory. The core idea of the model is that accident is the emergence of interactions between
theory. The core idea of the model is that accident is the emergence of interactions between various
various elements in a complex system, and the lack of control actions that impose constraints on these
elements in a complex system, and the lack of control actions that impose constraints on these
interactions will lead to accidents [15]. The appearance of the STAMP model leads to the rapid
interactions will lead to accidents [15]. The appearance of the STAMP model leads to the rapid
development of modern safety theories based on systems theory. In 2008, Zahra Mohaghegh
development of modern safety theories based on systems theory. In 2008, Zahra Mohaghegh proposed
proposed the SoTeRia method using a combination of system dynamics, Bayesian networks, and
the SoTeRia method using a combination of system dynamics, Bayesian networks, and other methods
other methods to quantitatively describe how influence factors are transferred from organizational
to quantitatively describe how influence factors are transferred from organizational factors to technical
factors to technical aspects [16,17]. In 2015, Cody proposed the system-theoretic early concept
aspects [16,17]. In 2015, Cody proposed the system-theoretic early concept analysis (STECA) method
analysis (STECA) method for safety analysis from the perspective of systems science and control
science based on STAMP and hazard analysis technology [18]. Figure 2 shows the development of
safety related theory based on the above-mentioned description.
Appl. Sci. 2019, 9, 4530 3 of 21

for safety analysis from the perspective of systems science and control science based on STAMP and
hazard
Appl. Sci. analysis technology
2019, 9, x FOR [18].
Figure 2 shows the development of safety related theory based on
PEER REVIEW 3 ofthe
23
above-mentioned description.

Figure 2. Development of safety theory.

Figure 2. Development of safety theory.
The classical safety theory based on the event chain model and probabilistic failure analysis focuses
The classical safety theory based on the event chain model and probabilistic failure analysis
on the failure analysis of equipment and can effectively analysis the accidents caused by component
focuses on the failure analysis of equipment and can effectively analysis the accidents caused by
failures or operational errors. However, the safety risk analysis based on the event chain model ignores
component failures or operational errors. However, the safety risk analysis based on the event chain
the impact of the interaction between components on system safety. Meanwhile, the quantitative risk
model ignores the impact of the interaction between components on system safety. Meanwhile, the
assessment based on probabilistic failure analysis is not suitable for solving the problem that people
quantitative risk assessment based on probabilistic failure analysis is not suitable for solving the
participate in the control of complex system safety evaluation issues, because it only considers the
problem that people participate in the control of complex system safety evaluation issues, because it
combination of single event failure probability and mutual exclusion event probability. The study of
only considers the combination of single event failure probability and mutual exclusion event
modern safety theory breaks through the shortcomings of the classical safety theory that only pays
probability. The study of modern safety theory breaks through the shortcomings of the classical
attention to the performance of components and recognizes the insufficiency of feedback or control
safety theory that only pays attention to the performance of components and recognizes the
from the perspective of system theory, making the STAMP more suitable for a complex system [19].
insufficiency of feedback or control from the perspective of system theory, making the STAMP more
STAMP has been widely used in aerospace, petrochemical, transportation and other industries whose
suitable for a complex system [19]. STAMP has been widely used in aerospace, petrochemical,
strong vitality lie in the fact that STAMP tries to help us to understand the system safety from
transportation and other industries whose strong vitality lie in the fact that STAMP tries to help us
the perspective of control, rather than being trapped in the constraints of traditional event chain
to understand the system safety from the perspective of control, rather than being trapped in the
model [20–23]. On the base of STAMP, system-theoretic process analysis (STPA) was proposed to
constraints of traditional event chain model [20–23]. On the base of STAMP, system-theoretic process
be a new hazard analysis [19]. Besides, another important advantage of STAMP/STPA is its simple
analysis (STPA) was proposed to be a new hazard analysis [19]. Besides, another important
operability and broad applicability. Thus, the impact of task specificity on the safety analysis of
advantage of STAMP/STPA is its simple operability and broad applicability. Thus, the impact of task
man-machine-loop systems is reduced. The goal of STPA, which is to create a set of scenarios that
specificity on the safety analysis of man-machine-loop systems is reduced. The goal of STPA, which
can lead to a hazard, is the same as fault tree analysis (FTA) but STPA includes a broader set of
is to create a set of scenarios that can lead to a hazard, is the same as fault tree analysis (FTA) but
potential scenarios including those in which no failures occur but the problems arise due to unsafe and
STPA includes a broader set of potential scenarios including those in which no failures occur but the
unintended interactions among the system components.
problems arise due to unsafe and unintended interactions among the system components.
As for the safety analysis of escalator, some research focused their attention on mathematical
As for the safety analysis of escalator, some research focused their attention on mathematical
statistics analysis to find the relationship between various considerations and escalator-related
statistics analysis to find the relationship between various considerations and escalator-related
accidents [24–26]. There are also some studies on behavior or state of passengers such as group trampling
accidents [24–26]. There are also some studies on behavior or state of passengers such as group
risk simulation [27], congestion risk simulation based on social force model [28], and pedestrian flows
trampling risk simulation [27], congestion risk simulation based on social force model [28], and
modeling [29]. Some traditional hazard analysis methods like FTA, hazard and operability analysis
pedestrian flows modeling [29]. Some traditional hazard analysis methods like FTA, hazard and
(HAZOP) are also applied in analysis of escalator-related accidents, but they paid more attention to
operability analysis (HAZOP) are also applied in analysis of escalator-related accidents, but they paid
component failure or causal relationship of human events, ignoring the interactions of components
more attention to component failure or causal relationship of human events, ignoring the interactions
and other causes [30,31]. Therefore, STPA is introduced into the safety analysis of escalators in this
of components and other causes [30,31]. Therefore, STPA is introduced into the safety analysis of
paper, which can help to understand the connotation of escalator-related accidents systematically
escalators in this paper, which can help to understand the connotation of escalator-related accidents
and comprehensively. On the other hand, based on the analysis results analyzed by the above safety
systematically and comprehensively. On the other hand, based on the analysis results analyzed by
analysis methods, many useful strategies and methods are used to improve system safety [32–36].
the above safety analysis methods, many useful strategies and methods are used to improve system
Similarly, the proposed method for safety analysis of escalator emergency braking systems (EEBS) in
safety [32–36]. Similarly, the proposed method for safety analysis of escalator emergency braking
this paper also hopes to find some useful measures to improve the safety of EEBS.
systems (EEBS) in this paper also hopes to find some useful measures to improve the safety of EEBS.
The remainder of this paper is organized as follows. In Section 2, a brief introduction about
The remainder of this paper is organized as follows. In Section 2, a brief introduction about
System theoretic accident model and process is illustrated and comparison between FTA, failure mode
System theoretic accident model and process is illustrated and comparison between FTA, failure
mode effects and criticality analysis (FMECA), HAZOP and STPA are carried out to shows the
superiority of STAMP in complex social-technical system, then a safety analysis framework is
proposed in this paper for hazard analysis of complex electromechanical system based on system-
theoretic accident model and process. In section 3, a system safety analysis method based on STPA is
Appl. Sci. 2019, 9, 4530 4 of 21

effects and criticality analysis (FMECA), HAZOP and STPA are carried out to shows the superiority of
STAMP in complex social-technical system, then a safety analysis framework is proposed in this paper
for hazard analysis of complex electromechanical system based on system-theoretic accident model
and process. In Section 3, a system safety analysis method based on STPA is introduced and a case
study of escalator emergency braking system demonstrates the method. In Section 4, result comparison
between FTA and STPA is discussed, and some targeted improvement measures are suggested to
improve the safety of EEBS. Finally, conclusion is drawn in Section 5.

2. Safety Analysis Framework for Complex Electromechanical Equipment System Based on STAMP
STAMP treats safety as a control problem, and the focus of system safety is changed from
preventing failures in implementing safety constraints. It still contains component failures, but it
extends the concept of accidental causes to include component interactions. It contains three main
concepts: safety constraints, hierarchical control structures, and process models. The most basic concept
in STAMP is not an event but a constraint. The main causes of safety issues in the new theory are
component failures, system external disturbances, interactions between components, and component
behaviors that lead to dangerous system states.

2.1. Principles of STAMP

The safety of a complex system is more than component failure or reliability decline. In STAMP,
safety is an emergent or system property, rather than a component property. In system theory,
complex systems are viewed as a hierarchy of organizational levels. A hierarchical multilevel model of
stakeholders is posited in STAMP, like the model of Rasmussen [13], but more expanded. Another basic
concept in STAMP is safety constraints. In system theory, safety can be regarded as an emergent which
is originated from interactions between components. The method of controlling the emergent is to
impose constraints on the behavior of the components and the interactions between the components.
Meanwhile, due to the constraint property of hierarchical structure, the accidents will happen if the
higher layers cannot provide enough constraints or the lower layers violate the safety constraints
when the high-level constraints control the behavior of the lower layers. With the development of
the equipment toward automation and intelligent, the system becomes more and more complex,
and the difficulty in identifying and executing safety constraints in design and operation has been
increased. Figure 3 shows a general socio-technical system control structure from STAMP, which does
not represent any particular system. Each node in the graph is a human or machine component in a
socio-technical system. Connecting lines show control actions used to enforce safety constraints on the
system and feedback that provides information to the controlling entity.
Besides constraints and hierarchical models, a third basic concept in STAMP is that of process
models. The process model is an important part of the control theory. A typical process model
consists of the controller that issued the command and the controlled object that provided the feedback
(controlled process), which is shown in Figure 4. Usually, the controller contains process model and
control algorithm. When the controller sends a command to controlled process, the corresponding
feedback which is generated by controlled process will be sent to controller to form a complete
controlled process. Component interaction accidents can often be interpreted as process model errors.
When the controller’s process model does not match the controlled system or the controller issues an
unsafe command, an accident will also happen.
Appl. Sci. 2019, 9, 4530 5 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 5 of 23

Figure 3. General socio-technical system control structure from the system-theoretic accident model
Figure 3. General socio-technical system control structure from the system-theoretic accident model
and process (STAMP) [15].
and process (STAMP) [15]. Reproduced with permission from [15], Elsevier, 2019.
Besides constraints and hierarchical models, a third basic concept in STAMP is that of process
Based on three basic concepts of STAMP, the basic casual factors of a standard control loop under
models. The process model is an important part of the control theory. A typical process model
the STAMP framework was concluded in Figure 5 [19].
consists of the controller that issued the command and the controlled object that provided the
feedback (controlled process), which is shown in Figure 4. Usually, the controller contains process
model and control algorithm. When the controller sends a command to controlled process, the
corresponding feedback which is generated by controlled process will be sent to controller to form a
complete controlled process. Component interaction accidents can often be interpreted as process
model errors. When the controller's process model does not match the controlled system or the
controller issues an unsafe command, an accident will also happen.
Appl. Sci. 2019, 9, x FOR PEER REVIEW 6 of 23
Appl. Sci. 2019, 9, 4530 6 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 6 of 23

Figure 4. Multi-level control process.

Figure Figure 4. Multi-level control process.

4. Multi-level
Based on three basic concepts of STAMP, the control process.factors of a standard control loop
basic casual
under the STAMP framework was concluded in Figure 5 [19].
Based on three basic concepts of STAMP, the basic casual factors of a standard control loop
under the STAMP framework was concluded in Figure 5 [19].

Figure 5. Basic causes of unsafe control.

Figure Reproduced
5. Basic with permission
causes of unsafe control. from [15], Elsevier, 2019

2.2.
2.2. Comparison
Comparison between
between FTA,FTA,FMECA,FigureHAZOP,
FMECA, HAZOP, and
andSTAMP
5. Basic causes of unsafe control.
STAMP
Traditional risk
riskanalysis
Traditionalbetween analysis theory
theoryconsiders
considers hazards
hazards asasthe
theresult
resultofofthe
theaction
actionofof aa series
series of events.
of events.
2.2. considered
The Comparison events FTA,involve
usually FMECA, HAZOP,
several types and
of STAMP
component failures or human errors, mainly adopting
The considered events usually involve several types of component failures or human errors, mainly
the forward
adopting sequence
Traditional
the risk method
forward analysis (such
sequence as failure
theory considers
method mode
(such asand
hazards impact
failureasmode
theanalysis)
result
and oforthe
theaction
impact backward
of asequence
analysis) series
or the of method
events.
backward
(Such
The as the fault tree directly describes the linear relationship between the failure
sequence method (Such as the fault tree directly describes the linear relationship between themainly
considered events usually involve several types of component failures and
or the
humaninfluencing
errors, factors
failure
and is
adopting suitable
the for analyzing
forward the
sequence hazard
method caused
(suchby asthe failure
failure of
mode a physical
and component
impact analysis)
and the influencing factors and is suitable for analyzing the hazard caused by the failure of a physical or a
or simple
the system.)
backward
Three
sequence hazard
component analysis
method
or (Such
a simple techniques
as are
the fault
system.) suggested
tree
Three hazardindescribes
directly the functional
analysis safety
the linear
techniques standard
relationship
are (ISO26262):
suggestedbetween
in the thefault tree
failure
functional
and thestandard
safety influencing factors and
(ISO26262): is suitable
fault for analyzing
tree analysis the hazard
(FTA), failure modescaused by theanalysis
and effects failure of a physical
(FMEA), and
component or a simple system.) Three hazard analysis techniques are suggested in the functional
safety standard (ISO26262): fault tree analysis (FTA), failure modes and effects analysis (FMEA), and
Appl. Sci. 2019, 9, 4530 7 of 21

analysis (FTA), failure modes and effects analysis (FMEA), and hazard and operability (HAZOP) analysis.
Table 2 summaries and compares three general hazard analysis techniques with STAMP.

Table 2. Comparison of safety analysis techniques.

Method Time&. by Advantages Disadvantages

Not for analysis of a process or
1961 Concise expression of causality equipment system; More steps and
By and logic; Predict and Prevent computational complexity for a
FTA
American Telephone & accident; Qualitative and complex system; The probability of
Telegraph Company quantitative analysis all basic events needs to know for
quantitative analysis etc.
The whole process of product Heavy workload, time-consuming;
1950s
development; Principle and Univariate analysis; Limited by
FMECA By
operation are simple; The base environmental conditions; Poor
United States Air Force
of other failure analysis generality of the conclusion, etc.
1974
Detailed analysis of process Need professional groups to work;
By
HAZOP engineering; Design evaluation Ignore the interaction
Imperial Chemical
and operation evaluation; between subsystems
Industries
2004 Understanding accidents from Emphasize social factors; Mostly
By the perspective of system theory used for qualitative analysis and
STAMP
Massachusetts Institute and cybernetics; Fully consider need to be combined with other
of Technology the interaction between systems; methods for quantitative analysis

FTA, FMECA, and HAZOP are proposed before the 1980s in which industrial automation and
intelligence are still not highly dependent. Only giant companies and some research institutes like the
nuclear industry, aerospace, and universities have enough human and material resources to carry out
relevant technology research. Although some detail can be found by these three methods, the limitation
of methods shown in Table 2 is clear. These traditional safety analysis methods based on the event
chain model are unable to do as much as they can when dealing with computer-oriented automated
control system. However, due to the particularity understanding of safety in STAMP, the connotation of
safety has been substantially improved from the introduction of concepts such as hierarchical models,
process models, and safety constraints.

2.3. System-Therotical Process Analysis (STPA)

STPA is a new hazard analysis technique based on system safety theory. According to the
above-mentioned description, an accident is defined as the result of a complex process in which the
system behavior goes against the safety constraints. The main steps of STPA can be shown as follows:
Step 1: Identify improper control actions of the system that may cause danger,
Step 2: Determine how potential hazard controls may occur in step 1.
The goal of STPA is to find comprehensive causes of accidents, and those actions which can
happen or exist to affect safety are unsafe control actions (UCA). UCAs fall into four general types
in STPA:
(1) An unsafe control action is provided that creates a hazard,
(2) A required control action is not provided to avoid a hazard,
(3) A potentially safe control action is provided too late, too early, or in the wrong order,
(4) A continuous safe control action is provided too long or is stopped too soon.

2.4. A Safety Analysis Framework for Complex Electromechanical System Based on STAMP
The electromechanical equipment system is the most common part of an integrated system,
in which humans can operate control system consisting of computer or programmable logic controller
(PLC). The cooperation of various parts such as electronic components, mechanical parts, and industrial
control algorithms can guarantee system safety of the electromechanical equipment system. Due to the
 (4) A continuous safe control action is provided too long or is stopped too soon.

2.4. A Safety Analysis Framework for Complex Electromechanical System Based on STAMP
The electromechanical equipment system is the most common part of an integrated system, in
Appl. Sci. 2019, 9, 4530 8 of 21
which humans can operate control system consisting of computer or programmable logic controller
(PLC). The cooperation of various parts such as electronic components, mechanical parts, and
industrial control algorithms
complex mechanical can and
components guarantee
control system
process,safety of the
traditional electromechanical
hazard analysis methodsequipment
based on
system. Due to
event chain the complex
model mechanical
have limitations components
in exploring and control
component process,
interaction traditional
failure hazardunmatched
and process analysis
methods
in such based on event
a complex chain model have
social-technical limitations
system. in exploring
Therefore, a hazardcomponent interaction failure
analysis framework and
for complex
process unmatched equipment
electromechanical in such abased
complex social-technical
on STAMP is proposed system.
in this Therefore,
paper. Figurea hazard
6 showsanalysis
the main
framework
diagram offor
thecomplex electromechanical equipment based on STAMP is proposed in this paper.
framework.
Figure 6 shows the main diagram of the framework.

Figure
Figure 6. 6. Hazard
Hazard analysis
analysis framework
framework forfor electromechanical
electromechanical equipment
equipment system
system based
based onon STAMP.
STAMP.

Figure 6 can be divided into four parts: (1) Firstly, safety requirements of an electromechanical
Figure 6 can be divided into four parts: (1) Firstly, safety requirements of an electromechanical
equipment system can be determined on the basis of system understanding and accident case collection,
equipment system can be determined on the basis of system understanding and accident case
then hierarchy structure model of equipment and process model of operation should be established.
collection, then hierarchy structure model of equipment and process model of operation should be
(2) Secondly, safety constraints can be defined by hierarchy structure model and process model
established. (2) Secondly, safety constraints can be defined by hierarchy structure model and process
combined with safety requirements; Then, safety control structure and safety control process are
model combined with safety requirements; Then, safety control structure and safety control process
established. Iterative STPA are performed with the help of basic unsafe control principles to identify
are established. Iterative STPA are performed with the help of basic unsafe control principles to
unsafe control constraints and example casual scenarios. (3) Specific hazards (such as component
identify unsafe control constraints and example casual scenarios. (3) Specific hazards (such as
failure, components interaction failure, external disturbance, dangerous behavior of the system and so
component failure, components interaction failure, external disturbance, dangerous behavior of the
on) forand
system accident canfor
so on) beaccident
identifiedcan
based on the analysis
be identified basedof on
STPA.
the (4) Finally,ofsome
analysis targeted
STPA. improvement
(4) Finally, some
measures can be added according to some key hazards such as components failure
targeted improvement measures can be added according to some key hazards such as components and components
interaction
failure failure.
and components interaction failure.
3. Hazard Analysis for Breaking System of Escalator
3. Hazard Analysis for Breaking System of Escalator
Emergency braking system is an important part of an escalator, which is crucial for ensuring
Emergency braking system is an important part of an escalator, which is crucial for ensuring the
the safe operation of equipment. The escalator relies on the normal operation of the brake when
safe operation of equipment. The escalator relies on the normal operation of the brake when the
the operation needs to be stopped or an emergency occurs. In this section, STPA is introduced in
operation needs to be stopped or an emergency occurs. In this section, STPA is introduced in the
the escalator emergency braking system to demonstrate the superiority of the method in a complex
escalator emergency braking system to demonstrate the superiority of the method in a complex
social-technical system.
social-technical system.
3.1. Overview of Escalator Emergency Breaking System
3.1. Overview of Escalator Emergency Breaking System
At present, most of the emergency brakes use electromagnetic triggers. The electromagnets keep
At present,
pulling most ofoperation,
during normal the emergency brakes
and the brakeuse electromagnetic
turns triggers. The electromagnets
on when the electromagnets keep
lose power. When the
pulling during normal operation, and the brake turns on when the electromagnets lose power.
escalator is overspeed or reversed, the emergency brake and the working brake act simultaneously.When
Based on the above basic logic, when the brake is operating, the operating state of the escalator is
first judged based on the measurement result of the proximity switch (speed sensor). If the escalator
speed exceeds a certain threshold, the corresponding brake operates. Figure 7 shows the mechanical
structure of the escalator brake.
the Appl.
escalator isx FOR
Sci. 2019, 9, overspeed or reversed, the emergency brake and the working 9brake
PEER REVIEW of 23 act

simultaneously. Based on the above basic logic, when the brake is operating, the operating state of
the escalator is overspeed or reversed, the emergency brake and the working brake act
the escalator is first judged based on the measurement result of the proximity switch (speed sensor).
simultaneously. Based on the above basic logic, when the brake is operating, the operating state of
If the escalator speed exceeds a certain threshold, the corresponding brake operates. Figure 7 shows
the escalator is first judged based on the measurement result of the proximity switch (speed sensor).
the mechanical
Appl. Sci. 2019, structure
If the escalator
9, 4530 of the aescalator
speed exceeds brake. the corresponding brake operates. Figure 7 shows
certain threshold,
9 of 21

the mechanical structure of the escalator brake.

(a)
(a) (b) (b)
Figure 7. Mechanical
Figure
Figure 7. structure
7. Mechanical
Mechanicalstructureofof
structure ofescalator
escalator emergency
escalator emergency brake:(a)
emergency brake:
brake: (a)
(a) Mechanical
Mechanical
Mechanical structure
structure
structure diagram
diagram
diagram of of
of
escalator
escalator
escalator emergency
emergency braking
braking
emergency braking systems
systems (EEBS),
(EEBS), (b)
systems(EEBS), (b) Actual
Actualratchet
Actual ratchet
ratchet structure.
structure.
structure.

The
TheThe emergency
emergency
emergency brake
brakeisisisset
brake set under
underthe
setunder thefollowing
the following
following conditions
conditionsaccording
conditions according to national
according to nationalstandard:
to national standard:(1) The
(1) (1)
standard:
working
The working brake and and
brake the elevator
the elevator system are connected
system by the
are connected bytransmission chain,chain,
the transmission (2) The (2)working
The workingbrake
The working brake and the elevator system are connected by the transmission chain, (2) The working
is not is
brake thenotelectromechanical
the electromechanicalbrake, (3) The (3)
brake, public
Thetransport escalator.
public transport The escalator
escalator. or moving
The escalator orwalkway
moving
brake is not the electromechanical brake, (3) The public transport escalator. The escalator or moving
should beshould
walkway stopped be at a deceleration
stopped with obvious
at a deceleration feeling and
with obvious be kept
feeling and still under
be kept stillthe braking
under force of
the braking
walkway should be stopped at asituation,
deceleration with obvious feeling and be keptofstill under the two braking
force of emergency
emergency brake. brake. In general
In general situation, the emergency
the emergency brakebrake
shall shall
act inact in either
either offollowing
the the following
forcetwo
of emergency
cases:
cases: (1) (1)
before brake.
before
thethe In general
speed
speed exceeds situation,
exceeds 40%
40% ofofthethe
the emergency
rated
rated speed,(2)
speed, brake
(2) when
when shall act in direction
the travel
the either of suddenly
direction the following
suddenly
two changes.
cases: (1)
changes.Figurebefore the
Figure88shows speed
showsthe exceeds
thespeed 40%
speedsensors of
sensors(a) the
(a) andrated speed,
and overspeed (2) when
overspeed protection the
protection switch travel
switch (b). direction
(b). On
Onthethebasissuddenly
basis of
of
changes. Figure
above-mentioned 8 shows
above-mentioneddescription, the speed
description,the sensors
theworking (a)
workingprincipleand overspeed
principleofofescalator protection
escalatorbraking switch
brakingsystem
systemcan (b).
can be On the
be shown
shown inbasis
in of
above-mentioned
Figure
Figure 9.9. description, the working principle of escalator braking system can be shown in
Figure 9.

(a) (b)
Figure 8. Speed sensors and overspeed protection switch: (a) The speed sensors, (b) Overspeed
protection switch. (a) (b)
Figure
Figure 8. Speed
8. Speed sensors
sensors andandoverspeed
overspeedprotection
protection switch:
switch: (a)
(a)The
Thespeed sensors,
speed (b) (b)
sensors, Overspeed
Overspeed
protection switch.
protection switch.
Appl. Sci. 2019, 9, 4530 10 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 10 of 23

Appl. Sci. 2019, 9, x FOR PEER REVIEW 10 of 23

Figure9.9.The
Figure The working
working principle
principleofof
the escalator
the braking
escalator system.
braking system.

3.2. 3.2.
Control Structure
Control ofofEEBS
Structure EEBS
Braking
Braking system
system is one
is one of most
of the the most important
important equipment
equipment for escalators
for escalators to ensure
to ensure safetysafety in
in emergency
emergency situations. When the escalator speed monitoring system
situations. When the escalator speed monitoring system finds that the speed is abnormal, the control finds that the speed is abnormal,
the control system adopts different protection measures according to different speed thresholds. At
system adopts different protection Figure 9. measures according
The working principle of the to different
escalator brakingspeed
system. thresholds. At the same
the same time, an emergency stop switch is installed on the upper and lower sides of the escalator to
time, an emergency stop switch is installed on the upper and lower sides of the escalator to facilitate
facilitate 3.2.
the Control
manual operation
Structure of passengers or operators in the event of an emergency. In order to
of EEBS
the reduce
manual operation of passengers or operators in the event of an emergency. In order to reduce
the complexity of the control structure diagram, when the accident occurs, the braking process
Braking system is one of the most important equipment for escalators to ensure safety in
the is
complexity intooftwo
dividedemergency thelevels:
control structure diagram,
theWhen
perspective of thespeed when
overall the accident
operation of the occurs,and
escalator thethe braking process is
situations. the escalator monitoring system finds that the speed isperspective
abnormal,
divided into two
of the escalator levels:
the controlbraking
systemthe perspective
system.
adopts Level 1 in
different of the overall
Figure 10a
protection operation
is theaccording
measures control chartof the escalator
of thespeed
to different and
escalator the perspective
operation,
thresholds. At
of the escalator
which mainly braking
the sameincludes
time, ansystem.
seven Level
parts:
emergency 1switch
designer
stop in Figure
and 10a on is the
manufacturer,
is installed theupper
control and chart
operator, of the
passenger,
lower sides escalator
of escalator
the operation,
power
escalator to
equipment,
which mainly facilitate the manual
escalator
includes seven operation
control of passengers
system,designer
parts: brake andand or operators
emergency stop
manufacturer, in switch.
the operator,
eventWhen
of an passenger,
emergency.
an accidentInoccurs,order to
escalator thepower
monitoring reduce the complexity
module in the of the control
escalator power structure
equipment diagram,
will when
send thea accident command
control occurs, the braking
to the process
escalator
equipment, escalator control system, brake and emergency stop switch. When an accident occurs,
is divided
control system into twothe
to control levels:
braketheaction,
perspectiveor theof the overalland
operator operation
the of the escalator
passenger may and
alsothesend perspective
thethe
brake
the monitoring of themodule
escalator inbraking
the escalator power
system. Level 1 inequipment
Figure 10a iswill send
the control achart
control
of thecommand to
escalator operation, escalator
operation control command to the escalator control system through the emergency stop switch.
control system which mainly includes seven parts: designer and manufacturer, operator, passenger, escalator power brake
to control the brake action, or the operator and the passenger may also send the
Figure10b shows the control structure of Level 2. Speed sensors, PLC and overspeed judgment
equipment,
operation control escalatorto
command control system, brake
the escalator and emergency
control system stop throughswitch.the When an accidentstop
emergency occurs, the
switch.
algorithmmonitoring
are the core of theincontroller,
module the escalator and electromagnetic
power equipment will switches can becommand
send a control regardedtoasthe theescalator
actuator
ofFigure
control10b
control
showsThen,
structure. the control
the speed
system to control
structure
of the
the brake
of Level 2. system
transmission
action,
Speed sensors,
or the operator and is thethe
PLC and
controlled
passenger
overspeed
mayprocess
also sendofthe Level judgment
brake2.
algorithm are the core
operation of the
control controller,
command to theand electromagnetic
escalator switches
control system through the can be regarded
emergency as the actuator
stop switch.
of control structure. Then,
actuator the speed
of control of Then,
structure. the transmission
the speed of the system is the
transmission controlled
system process
is the controlled of Level 2.
process
of Level 2.

(a)

Figure 10. Cont.

Appl. Sci. 2019, 9, 4530 11 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 11 of 23

(b)

Figure 10. Figure 10. Control

Control structure
structure of escalator
of escalator operation in
operation intwo
twolevels: (a) Control
levels: structure
(a) Control of escalator
structure of escalator
operation in Level 1, (b) Control Structure of the braking system in Level 2.
operation in Level 1, (b) Control Structure of the braking system in Level 2.
3.3. STPA for Escalator Breaking System
3.3. STPA for Escalator Breaking System
After establishing the control structure of the brake-oriented process for escalator operation,
Aftercontrol
establishing
actions canthebecontrol
summarized structure
to furtherof analysis.
the brake-oriented
Table 3 and Table process for escalator
5 list important controloperation,
process around the time of the brake operation through control structures
control actions can be summarized to further analysis. Tables 3 and 4 list important control of two levels. There are process
seven main control processes in Level 1, and five control process in Level 2. The primary problem is
around the time of the brake operation through control structures of two levels. There are seven main
to understand the relationship between controller and controlled process. Then in STPA, with the
control processes
guidanceinof Level 1, and
basic casual five of
factors control process
a standard inloop
control Level 2. The
shown primary
in Figure problem
5, every control is to understand
process
the relationship
containsbetween
potentiallycontroller andactions
unsafe control controlled
can be process.
organized Then in STPA,
and concluded with 4the
in Table andguidance
Table 6. of basic
Unsafe
casual factors of acontrol actions
standard (UCAs)loop
control involved
shown in control structure
in Figure of twocontrol
5, every levels can be summarized
process containsaspotentially
complete as possible.
unsafe control actions can be organized and concluded in Tables 5 and 6. Unsafe control actions (UCAs)
involved in control structure of two Table levels can beprocess
3. Control summarized
in Level 1. as complete as possible. STPA for
Level 2 is similar to the# above-mentioned
Control process
description steps.
From
Meanwhile, some to
specific UCAs can also
be further analyzed. For example, UCA29 can also be the consequence
1 C1 Design or manufacture Designer or manufacturer
of many causes like workers’
Brake system
lack expertise, wrong installation
2
instructions
C2 Running escalator
and limited installation
Operators
space and so on. That means a
Control system
new controlled process3 of UCA29 can be
C3 Taking escalator
further established,
Passengers
if it is necessary,
escalator
and the continuous use
of STPA at different levels is exactly the advantage Control
4 C4 Control system running
of STPA.
system Power system
5 C5 issue brake command Control System Brake
Table 3. Control process in Level 1.
6 C6 Braking Process Brake Power system

# 7 Control Process Stop

C7 Emergency From
Operators or passengers Control systemto

1 C1 Design or manufacture Designer or manufacturer Brake system

2 C2 Running escalator Operators Control system
3 C3 Taking escalator Passengers escalator
4 C4 Control system running Control system Power system
5 C5 issue brake command Control System Brake
6 C6 Braking Process Brake Power system
7 C7 Emergency Stop Operators or passengers Control system
Appl. Sci. 2019, 9, 4530 12 of 21

Table 4. Control process in Level 2.

# Control Action From to

1 C8. Speed Measurement sensors escalator
2 C9. State judgment by PLC PLC control system escalator
3 C10. Issue command by PLC PLC control system Brake system
4 C11. brake start Electromagnetic switch Pawl of brake
5 C12. Braking Process Brake Power system (Driving spindle)

The failure of the escalator equipment may lead to an overturned accident. Once escalator
overturned, it would cause serious casualties. According to Table 6, we further analyzed the cause of
the brake malfunction (related to UCA42). First, system constraints and sub-system con-strains of two
levels should be defined as follows:
(1) System constraints: When the escalator overturned, the brake can start effectively,
Appl. Sci. 2019, 9, constraints:
(2) Sub-system x FOR PEER REVIEWWhen the brake is turned on, the escalator can effectively 14 of 23slow down.

As for the basic system constraint of the effective start of the brake, if it is regarded as a controlled
brake operation wear because of
process, then the brake design and manufacturing operation
department can be considered long brake time
as the controller
of the process, and the escalator operator can be considered as the actuator, and the maintenance
personnel canThe befailure
considered as the sensors
of the escalator equipmentof the
may control process.
lead to an At this
overturned macro
accident. Oncelevel, a basic process
escalator
model is overturned,
established. it would
Withcause
the serious
help of casualties.
the lackAccording
of controlto Table 6, we further
in STAMP, the analyzed
unsafe the cause of that may
constraints
the brake malfunction (related to UCA42). First, system constraints and sub-system con-strains of
lead to accidents are shown in Figure 11. Besides the unsafe control factors of each part in Level 1,
two levels should be defined as follows:
some other unsafe
(1) System control factors
constraints: When caused by the
the escalator interaction
overturned, failure
the brake can between parts and some related
start effectively,
external causes can also be
(2) Sub-system identified.
constraints: When the brake is turned on, the escalator can effectively slow down.
In view As offor thefailure
the basic system constraint
of the brake oftothe effective
start the start of the effectively,
process brake, if it is regarded as a controlled
we construct a more specific
process, then the brake design and manufacturing department can be considered as the controller of
process model from the perspective of the brake operation principle. Taking the escalator PLC control
the process, and the escalator operator can be considered as the actuator, and the maintenance
system aspersonnel
the controller, the brakeasitself
can be considered as theofactuator,
the sensors and
the control the drive
process. At thisspindle thataneeds
macro level, to be decelerated
basic process
in the event
model of isan accidentWith
established. as the
the controlled object,
help of the lack a process
of control in STAMP,model is established.
the unsafe Figure
constraints that may 12a shows
lead to accidents
the mechanical structure areofshown in Figure
the drive 11. Besides
chain protectionthe unsafe
devicecontrol
and factors
Figureof12b eachshows
part in the
Levelbasic
1, working
some other unsafe control factors caused by the interaction failure between parts and some related
principle of the escalator emergency brake.
external causes can also be identified.

Figure 11. Unsafe control action identification of Level 1.

Figure 11. Unsafe control action identification of Level 1.

In view of the failure of the brake to start the process effectively, we construct a more specific
process model from the perspective of the brake operation principle. Taking the escalator PLC control
system as the controller, the brake itself as the actuator, and the drive spindle that needs to be
decelerated in the event of an accident as the controlled object, a process model is established. Figure
12a shows the mechanical structure of the drive chain protection device and Figure 12b shows the
basic working principle of the escalator emergency brake.
Appl. Sci. 2019, 9, 4530
# Control Action
1 C1 Design or manufacture brake
2 C2 Escalator Running
3 C3 Taking escalator
4 C4 Control system running
5 C5 issue brake command
6 C6 Braking Process
7 C7 Emergency Stop
# Control Action
C8 Speed Measurement
1
using sensors
2 C9 state judgment by PLC
3 C10 Issue command by PLC
4 C11 brake start
5 C12 Braking Process
Table 5. Potentially hazardous control actions in Level 1.
Not Provided
UCA1 Lack verification
UCA5 Lack effective means
of supervision
UCA6 No safety hints are set
UCA11 out of control because
of inherent fault
UCA15 No brake command
issued in emergency situation
UCA18 Brake is not started
UCA23 No operation in
an emergency
Table 6. Potentially hazardous control actions in Level 2.
Not Provided
UCA26 Non installed sensor
UCA27 Sensor damaged
UCA35 No brake command
issued by PLC
UCA37 The electromagnetic
switch failed to start normally
UCA42 Pawl is not working
Incorrect Provided
UCA2 original design flaw
UCA4 unqualified processing
UCA7 Keep running when
escalator breakdown
UCA9 unsafe behavior or mental
of passengers
UCA12 wrong control command
from staff
UCA19 Unsuccessful braking
UCA24 Wrong operation in
an emergency
Incorrect Provided
UCA28 Measurement Error of sensor
UCA29 improper installation position
UCA30 signals from sensor
are disturbed
UCA32 incorrect state
judgment algorithm
UCA38 The contact fault of electronic
components was not detected
UCA43 No effective deceleration of
brake operation
Wrong Time or Wrong Sequence
UCA10 taking escalator when
escalator break down
UCA13 Unreasonable design of
control system
UCA16 Brake command issued when
escalator in normal operation
UCA20 Brake when escalator in
normal operation
UCA25 operation in normal running
Wrong Time or Wrong Sequence
UCA33 wrong state judgment
UCA36 Wrong brake command
issued by PLC
UCA39 Electromagnetic switch
starting in normal operation
UCA44 rake when escalator in
normal operation
13 of 21
Incorrect Duration
UCA3 development lifecycle
(D & M) is too long
UCA8 negligent management
and maintenance for a long time
UCA14 control command delay
UCA17 Brake command delay
when emergency
UCA21 Escalator does not stop
because of short brake time;
UCA22 Serious wear because of
long brake time
Incorrect Duration
UCA31 Resolution or sample rate
is low
UCA34 state judgment required
time is too long
UCA40 The action time of the
electromagnetic switch is too long;
UCA41 The response time of the
brake is too long
UCA45 short brake time;
UCA46 Serious wear because of
long brake time
Appl. Sci. 2019, 9, 4530 14 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 15 of 23

(a)

(b)
Figure 12.
Figure 12. Structure
Structurediagram
diagramofofEEBS:
EEBS:(a)
(a)Mechanical
Mechanicalstructure of of
structure drive chain
drive protection
chain device,
protection (b)
device,
Working
(b) principle
Working of the
principle brake.
of the brake.

Thenon
Then onthe
thebasis
basisofofTables
Table 54 and
and 6,
Table 6, in conjunction
in conjunction with
with the the operating
operating contextcontext scenario,
scenario, the
the causes
causes
of of the controls
the unsafe unsafe controls
that leadthat leaddanger
to the to the are
danger are identified.
identified. Figure 13Figure 13 concludes
concludes thecontrol
the unsafe unsafe
controlfrom
actions actions from
Level 2 toLevel
form2ato form acontrol
specific specificdiagram
control by
diagram by using
using the theprinciple
working working process
principle process
shown in
shown12b.
Figure in Figure
The red12b. The red
segments in segments
this diagramin this
showdiagram showcasual
the potential the potential casual
factors that mayfactors that may
cause accidents.
cause accidents.to some unsafe control from Figure 13, some specific example scenarios that violate
According
safety constraints are summarized in the following Table 7. Those example scenarios are simulated to
give a specific safety warning of escalator overturned accidents.
Appl. Sci. 2019, 9, 4530 15 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 16 of 23

Status judgment time‘ t1’

Operation status of Escalator:

Speed signal from sensors: Wrong state judgment algorithm;
PLC
The sensor is damaged; Status judgment error;
Over-speed Judgment; Switch Control
Measurement error due to signal Broken Chain detection Time For judgment exceeds
interference. Damaged components (Electronic reasonable range
Components, Switch contact, BCD
Sending time of PLC
control command components );
Over-speed judgment Error;
‘ ’

Unreasonable threshold of overspeed;

Send Wrong instruction；
t3

Process time of Accident

instructions X No instruction was sent；
Brake time

Failed to send instructions in time

Brake
Component damaged（Electromagnetic
switch damaged; Pawl wear; Spring
‘ ’

damaged, etc.）；Long operation time

Operation Time of
brake component
t2

of Electromagnetic switch
‘ ’

Friction is too small;

’ ’
Pawl do not trigger to work properly;
t4

Mechanical
friction X Short braking time without fully

T
decelerating;
Long braking time leads to serious wear
Driving spindle
Component of Spindle damaged
（Tooth wear ，tooth root crack，
Passenger response

bearing fault, etc.）；

time
‘ ’

Load X Long time load

t5

Passengers
Unsafe action; Lack of risk perception;
Lack of safety related knowledge

Passenger travel time ‘t6’

Figure 13. Hazardous unsafe control action of the braking process.

Figure 13. Hazardous unsafe control action of the braking process.
In the example scenario, based on the process model, the incentives for breaching safety constraints
Accordingfrom
are summarized to some unsafeperspectives
different control fromofFigure 13, some
the control specific It
structure. example
can be scenarios
seen that that violatethe
although
safety constraints are summarized in the following Table 7. Those example scenarios are
process model is based on equipment, in addition to component failures that violate safety constraints, simulated
to give
it still a specific
contains safety constraints
the unsafe warning of that
escalator
ariseoverturned accidents.
from interactions between many hardware and software.
For example, in the determination of the escalator’s overspeed status, it involves not only the reliability
Table 7. Specific example Scenarios of hazardous unsafe control.
of the sensor signal but also the algorithm itself may be in error or the threshold for starting overspeed
status is unreasonable. Too large or too small is not conducive
Unsafe control (Incentives) to the
Example brakes playing their due role in
Scenario
critical Unreasonable
moments. installation The sensor does not measure the change effectively when
location; Signal from sensor is overspeed occurs, which resulting in the PLC not making correct
disturbed; sensor damaged overspeed judgments.
Component of PLC damaged Velocity judgment can be wrong and command mistake because of
the component of PLC damaged.
Unreasonable overspeed The misjudgment of overspeed can lead to frequent starts of
judgment algorithm; Trigger emergency brake system, which would influence the operation of
threshold of overspeed escalator and aggravating the wear of mechanical components.
judgment is too high or too low
Command mistake from PLC The brake command is sent during normal operation or the
command is not sent when the speed exceed the safe threshold, or
Appl. Sci. 2019, 9, 4530 16 of 21

Table 7. Specific example Scenarios of hazardous unsafe control.

Unsafe Control (Incentives) Example Scenario

The sensor does not measure the change effectively
Unreasonable installation location; Signal from sensor
when overspeed occurs, which resulting in the PLC
is disturbed; sensor damaged
not making correct overspeed judgments.
Velocity judgment can be wrong and command
Component of PLC damaged
mistake because of the component of PLC damaged.
The misjudgment of overspeed can lead to frequent
Unreasonable overspeed judgment algorithm; Trigger
starts of emergency brake system, which would
threshold of overspeed judgment is too high or
influence the operation of escalator and aggravating
too low
the wear of mechanical components.
The brake command is sent during normal operation
or the command is not sent when the speed exceed
Command mistake from PLC
the safe threshold, or there is a delay in the command,
increasing the response time of brake system.
The mechanical component of brake system can’t
Component of brake damaged afford the instantly impact force and energy when it
needs to work.
The risk of losing power would be increased when
Component of Driving spindle damaged
components of driving spindle are damaged
(1) the escalator is running under a heavy load,
which would increase the wear of components and
High traffic flow risk of component damage;
(2) high traffic flow can easily lead to chain reaction
and butterfly effect of unsafe behavior
The passengers did not grasp the handrails. When an
Unsafe behavior and mental state of passenger accident occurred, it caused panic, stampede, and
increased brake load.
When the accident occurs, the overspeed judgment
time is long, the PLC does not issue the instruction in
Response time of brake system is too long when time, or the braking time is too short, or the
accident occurs passengers have a long reaction time, all of which
cause the time course of the brake action process to be
longer than the time course of the accident

4. Result Analysis and Comparison with FTA

In order to show the difference between STPA and FTA, a comparison is performed in this section.
Some basic principles of FTA are introduced and fault tree analysis which had been performed on the
escalator reversion accident is cited to show the result. Some improvement measures are given to form
a better safe brake system.

4.1. FTA of Escalator Breaking System

As mentioned earlier, FTA is a typical top-down risk analysis method. It adopts a logical method
and carries out hazard analysis work vividly. Its features are intuitive, clear, clear-cut, and logical,
and can be used for qualitative analysis and quantitative analysis. In general, the development of safety
system engineering is also based on fault tree analysis. In 1974, the US Atomic Energy Commission
published a report on the risk assessment of nuclear power plants, the “Rasmussen Report (WASH-1400
report)”, which effectively and extensively applied the FTA, thereby rapidly promoting its development
of the FTA [8]. The fault tree is composed of various event symbols and logic gates. The relationship
between events is represented by logic gates. Based on the FTA, a fault tree with the escalator reversal
as the top event was established as shown in Figure 14.
Appl. Sci. 2019, 9, 4530 17 of 21
Appl. Sci. 2019, 9, x FOR PEER REVIEW 18 of 23

Figure14.
Figure 14.Fault
Fault tree
tree of
ofescalator
escalatoroverturned
overturnedaccident.
accident.

4.2. Result Comparison

4.2. Result between
Comparison betweenFTA
FTAand
andSTPA
STPA

FTATable
can fully exploit
8. Analysis thecomparison
result accident between
causedfault
by component failure.
tree analysis (FTA) and At the same time,
system-theoretic it can depict
process
the chain of events that caused accidents due to (STPA).
analysis the failure of the underlying components. In the
above analysis, both STPA and FTA were used in the analysis of escalator reversal accidents. In order
Object Identified by both FTA and STPA Identified by STPA only
to prove the feasibility of the STPA method, Table 8 starts from different objects and compares the
sensors Sensors damaged Unreasonable installation
results of the two methods. Excluding some of the more subtle aspects, it can be seen that the STPA
location;
can identify the cause of the accident that the FTA can identify, but at the same time there are some
reasons that are caused by the interaction of the component objectsSignal and from sensor is disturbed
components considered from
the STPA-specific
PLC STAMP theory. Emergence
Component reasons.
of PLC damaged Although theoverspeed
results of STPA analysis
threshold setting; may have
been considered or are unlikely to occur, these control theories are still one
Command of the reasons that may
delay;
cause major accidents. Error algorithm
Brake Component of brake damaged; Braking force is Braking signal trigger setting;
Table 8. Analysis result comparison between fault tree analysis (FTA) and system-theoretic process
small Unreasonable trigger threshold;
analysis (STPA).
short braking duration
Driving Object Identified
Component by Both
of driving FTA and
spindle STPA
damaged Identified
Long time by STPA Only
load
Unreasonable installation location;
spindle sensors Sensors damaged
Signal from sensor is disturbed
Passengers Heavy load (high traffic flow) Reaction
overspeed time ofsetting;
threshold passengers;
PLC Component of PLC damaged Command delay;
Mental states of passengers;
Error algorithm
Long traveling time
Braking signal trigger setting;
Component of brake damaged; Braking
Brake Unreasonable trigger threshold;
force is small
short At
FTA can fully exploit the accident caused by component failure. braking duration
the same time, it can depict
the chain Driving
of events that caused
spindle accidents
Component due to
of driving the failure
spindle damagedof the
Longunderlying
time load components. In the
Reaction time of passengers;
Passengers Heavy load (high traffic flow) Mental states of passengers;
Long traveling time
above analysis, both STPA and FTA were used in the analysis of escalator reversal accidents. In order
to prove the feasibility of the STPA method, Table 8 starts from different objects and compares the
results of the two methods. Excluding some of the more subtle aspects, it can be seen that the STPA
can identify the cause of the accident that the FTA can identify, but at the same time there are some
Appl. Sci. 2019, 9, 4530 18 of 21
reasons that are caused by the interaction of the component objects and components considered from
the STPA-specific STAMP theory. Emergence reasons. Although the results of STPA analysis may
haveImprovement
4.3. been considered or are
on Control unlikely to occur, these control theories are still one of the reasons that
Process
may cause major accidents.
In the event of an accident, the impact on the individual or society is enormous. The complexity
of the system and unreasonable control process, even the tiny design error, play an important role
4.3. Improvement on Control Process
during the emergency situation. Due to the different perspectives to understand hazards and accidents,
someIn the event
inherent of an
flaws canaccident,
be hiddenthefor
impact
a longontime.
the individual or society is enormous.
From the above-mentioned The complexity
description of hazard
of the system
analysis and unreasonable
of escalator brake system,control process, even
some improvement the tinycan
measures design error,inplay
be added an important
the controlled role
process
during the emergency situation. Due to the different perspectives
to prevent accidents or improve emergency response capabilities of EEBS. to understand hazards and
accidents,
Figuresome inherent
15 shows the flaws can be
improved hidden for
controlled a long Pink
process. time. lines
Fromand
the dashed
above-mentioned description
boxes indicate added
of hazard
control analysis
paths that may of improve
escalatorsystem
brake system,
safety. some improvement measures can be added in the
controlled process to prevent accidents or improve emergency response capabilities of EEBS.

Figure 15. Improvement

Figure 15. Improvement to
to escalator
escalator brake
brake process.
process.

(1) Passengers, as the primary carrier of the escalator, should be fully utilized to know and protect
Figure 15 shows the improved controlled process. Pink lines and dashed boxes indicate added
themselves during the boarding time in case of emergency.
control paths that may improve system safety.
(2) A manual switch for emergency brake not for driving brake is very important in case of state
(1) Passengers, as the primary carrier of the escalator, should be fully utilized to know and
judgment error of automatic emergency brake trigger. In fact, in most escalator reversal accidents,
protect themselves during the boarding time in case of emergency.
the automatic emergency brake was not triggered is one of the main reasons for the accidents.
(2) A manual switch for emergency brake not for driving brake is very important in case of state
(3) Passenger needs an effective way to sense the speed information to make the right response.
judgment error of automatic emergency brake trigger. In fact, in most escalator reversal accidents,
Another improvement measure is that a spare emergency brake is necessary to help and share the huge
the automatic emergency brake was not triggered is one of the main reasons for the accidents.
impact energy of mechanical friction when the emergency brake is working.
(3) Passenger needs an effective way to sense the speed information to make the right response.
(4) Necessary traffic flow monitoring and control measures should be added to adjust the heavy
Another improvement measure is that a spare emergency brake is necessary to help and share the
load during long working time. Then, necessary feedback which can reflect brake information (such
huge impact energy of mechanical friction when the emergency brake is working.
as brake time, brake distance, brake force etc.) can be added to the system. This feedback path can
(4) Necessary traffic flow monitoring and control measures should be added to adjust the heavy
record the processing capacity of the braking system in emergency situations and will have important
load during long working time. Then, necessary feedback which can reflect brake information（such
reference value for the design and improvement of the brake.
as brake time, brake distance, brake force etc.）can be added to the system. This feedback path can
In fact, the above-mentioned improvement measures have a good practical significance for design
and manufacture of EEBS. For example, over-reliance on broken chain detection (BCD) of anti-reversion
device is an obvious casual factor for reversion accidents. So, a new trigger mechanism needs to be
designed to trigger the anti-reversion protection device. Perhaps environmental decibel detection or
vibration monitoring of key driving components could be a good choice. When accident happens,
many people around the escalator including the passengers will make a scream or call for help,
 record the processing capacity of the braking system in emergency situations and will have important
reference value for the design and improvement of the brake.
In fact, the above-mentioned improvement measures have a good practical significance for
design and manufacture of EEBS. For example, over-reliance on broken chain detection (BCD) of anti-
Appl. Sci. 2019, 9, 4530 19 of 21
reversion device is an obvious casual factor for reversion accidents. So, a new trigger mechanism
needs to be designed to trigger the anti-reversion protection device. Perhaps environmental decibel
detection
which would orsignificantly
vibration monitoring
increase ofthekey driving
decibel components
value could be a good
of the environmental choice.
voice. WhenWhen accident
environmental
decibel value reaches a certain threshold, the trigger can act timely. Or a vibration sensor for call
happens, many people around the escalator including the passengers will make a scream or for
condition
help, which would significantly increase the decibel value of the environmental voice. When
monitoring of key driving components can also help to trigger the anti-reversion device when
environmental decibel value reaches a certain threshold, the trigger can act timely. Or a vibration
abnormal vibration information appears during accident period. It should be noted that the new
sensor for condition monitoring of key driving components can also help to trigger the anti-reversion
trigger mechanism here is only an auxiliary protection device and does not replace the original basic
device when abnormal vibration information appears during accident period. It should be noted that
protection principle based on BCD. Here we give a more concrete solution to the above-mentioned BCD,
the new trigger mechanism here is only an auxiliary protection device and does not replace the
environmental decibel detection and vibration detection to solve the anti-reverse device triggering
original basic protection principle based on BCD. Here we give a more concrete solution to the above-
in mentioned
Figure 16. BCD,
We hope to use somedecibel
environmental comprehensive triggering
detection and vibrationconditions
detectiontotoreduce theanti-reverse
solve the possibility of
misjudgment
device triggering in Figure 16. We hope to use some comprehensive triggering conditionssound
by a single trigger. Therefore, by collecting the signal detected by BCD, the signal
to reduce
detected by environmental decibels and the vibration signal of key components, and then
the possibility of misjudgment by a single trigger. Therefore, by collecting the signal detected by BCD, using signal
processing
the soundmethods to judge
signal detected by the true state of
environmental the escalator
decibels and thereflected
vibrationby above
signal information,
of key components,andandthen
logically controlling
then using whether ormethods
signal processing not to determine to trigger
to judge the the anti-reverse
true state device.
of the escalator The logic
reflected control
by above
algorithm hereand
information, requires a lot of experimentation
then logically controlling whether andordata analysis.
not to Here
determine to is just athe
trigger way to solve the
anti-reverse
above-mentioned
device. The logicimprovement measures
control algorithm in a practical
here requires a lot ofway, and specific devices
experimentation and data or analysis.
algorithms require
Here is
just a way
extensive to solve the above-mentioned
experimentation and validation inimprovement
the future. measures in a practical way, and specific
devices or algorithms require extensive experimentation and validation in the future.

Figure 16.Comprehensive
Figure16. Comprehensive trigger mechanismofofthe
trigger mechanism theanti-reversion
anti-reversion device.
device.

5. Conclusions
5. Conclusions
Operational safety analysis for escalator has become more and more important with the increasing
Operational safety analysis for escalator has become more and more important with the
application
increasingofapplication
escalators of
in escalators
daily life. in
Traditional
daily life. hazard analysis
Traditional methods
hazard analysishave certainhave
methods limitations
certain in
complex social-technical systems. Therefore, a system safety analysis method applied
limitations in complex social-technical systems. Therefore, a system safety analysis method applied for escalator
emergency brake
for escalator related accidents
emergency brake relatedbased on system-theoretic
accidents accident model
based on system-theoretic and model
accident processandwas
introduced in this paper. At the beginning of this paper, a brief illustration of the basic
process was introduced in this paper. At the beginning of this paper, a brief illustration of the basic principles
of principles
STAMP and STPA are
of STAMP introduced,
and STPA are and some advantages
introduced, and some and disadvantages
advantages are compared
and disadvantages are to
further understand
compared STAMP.
to further Then, unsafe
understand STAMP. control
Then,actions
unsafeofcontrol
escalator emergency
actions braking
of escalator system are
emergency
recognized from two-level
braking system control
are recognized structures,
from two-leveland howstructures,
control potentiallyand hazardous controlhazardous
how potentially actions will
affect the safety
control actionsofwill
emergency braking
affect the safety system is clearly
of emergency shownsystem
braking in a specific operation
is clearly showncontrol diagram.
in a specific
operation control
Meanwhile, example diagram. Meanwhile,
scenarios of hazardousexample
unsafescenarios of are
control hazardous
given tounsafe control
explain someare givenabout
details to
explain some details about emergency situations that may happen in real operation
emergency situations that may happen in real operation conditions. Next, a fault tree analysis that conditions. Next,
hada fault
beentree analysis that
performed hadescalator
on the been performed
overturnedon the escalator
accident overturned
is cited to make accident is cited towith
a comparison makeSTPA
a
analysis. An obvious difference between two methods is that majority hazards related with component
damaged can be identified by both, while some other hazards that focus on the interaction between
system components (such as state judgment algorithm, command delay of control system, insufficient
response time margin, response capability and mental state of passengers, etc.) can only be identified
by STPA. Based on fully understanding the causal factors that may lead to an accident, some targeted
improvements can be realized and modified for a better safe system.
Appl. Sci. 2019, 9, 4530 20 of 21

The powerful practicality of STAMP which helps to know the safety of cybernetics provides
an effective way for more comprehensive hazard analysis. Hierarchical multilevel model provides
the possibility to analyze component interaction failures in complex systems, which is also the
vitality of the STAMP model. STAMP and STPA emphasize social factors and component interaction.
However, this method is mostly used for qualitative analysis and needs to be combined with other
methods for quantitative analysis. This is exactly the direction that needs further study in the
future. Some specific experimental work needs to be carried out to verify the conclusion of this
paper. Besides, the specific control algorithm or device should be paid more attention to realize the
comprehensive trigger mechanism of anti-reversion device proposed in Section 4.3. In future research,
we will pay more attention to the relevant signal processing, control theory, and mechanical design
theory, and complete the safety improvement strategies proposed in this paper and improve the safety
of the escalator braking system.

Author Contributions: Z.Z. proposed the idea of the paper and wrote the paper; Y.Z. proofread the manuscript;
J.C. contributed the conclusion and guided the manuscript; T.A. analyzed the case studies.
Funding: This work was supported in part by the National Key Research and Development Program of China
under Grant 2017YFC0805701, in part by the National Natural Science Foundation of China under Grant 51775411,
in part by National S&T Major Project under Grant 2017ZX04011-013, in part by the China Postdoctoral Science
Foundation under Grant 2018M631145 and Natural Science Basic Research Plan in Shaanxi Province of China
under Grant 2019JM-041.
Acknowledgments: The authors would like to sincerely thank all the anonymous reviewers for the valuable
comments that greatly helped to improve the manuscript.
Conflicts of Interest: The authors declare no conflict of interest.

References
1. Xing, Y.; Dissanayake, S.; Lu, J.; Long, S.; Lou, Y. An analysis of escalator-related injuries in metro stations in
China, 2013–2015. Accid. Anal. Prev. 2017, 122, 332–341. [CrossRef] [PubMed]
2. Shi, C.; Zhong, M.; Nong, X.; He, L.; Shi, J.; Feng, G. Modeling and safety strategy of passenger evacuation in
a metro station in China. Saf. Sci. 2012, 50, 1319–1332. [CrossRef]
3. Rogova, E.; Lodewijks, G. Braking system redundancy requirements for moving walks. Reliab. Eng. Syst. Saf.
2015, 133, 203–211. [CrossRef]
4. Chan, J.P.; Gschwendtner, G. Braking performance analysis of an escalator system using multibody dynamics
simulation technology. J. Mech. Sci. Technol. 2015, 29, 2645–2651.
5. Mishra, K.M.; Huhtala, K. Elevator fault detection using profile extraction and deep autoencoder feature
extraction for acceleration and magnetic signals. Appl. Sci. 2019, 9, 2990. [CrossRef]
6. Greenwood, M.; Yule, G. An inquiry into the nature of frequency distributions representative of multiple
happenings, with particular reference to the occurrence of multiple accidents or disease or repeated accidents.
J. Roy. Stat. Soc. 1920, 83, 255. [CrossRef]
7. Heinrich, H. Industrial Accident Prevention, 1st ed.; McGraw Hill: New York, NY, USA, 1932.
8. Haddon, W. The changing approach to the epidemiology, prevention, and amelioration of trauma:
The transition to approaches ethologically rather than descriptively based. Am. J. Public Health 1968,
58, 1431–1438. [CrossRef]
9. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants.
Available online: URLhttps://digital.library.unt.edu/ark:/67531/metadc784367/ (accessed on 23 October 2019).
10. Reason, J. Managing the Risks of Organizational Accidents; Ashgate: Adershot, UK, 1997.
11. Perrow, C. Normal Accidents: Living with High-Risk Technologies; Basic Books: New York, NY, USA, 1984.
12. Porte, T.R.L.; Consolini, P. Working in theory but not in practice: Theoretical challenges in high reliability
organizations. J. Public Adm. Res. Theory 1991, 1, 19–47.
13. Leveson, N.; Dulac, N.; Marais, K.; Carrol, J. Moving beyond normal accidents and high reliability
organizations: A systems approach to safety in complex systems. Org. Stud. 2009, 30, 227–249. [CrossRef]
14. Rasmussen, J. Risk management in a dynamic society: A modeling problem. Saf. Sci. 1997, 27, 183–213.
[CrossRef]
Appl. Sci. 2019, 9, 4530 21 of 21

15. Leveson, N. A new accident model for engineering safer systems. Saf. Sci. 2004, 42, 237–270. [CrossRef]
16. Mohaghegh, Z.; Mosleh, A. Incorporating organizational factors into probabilistic risk assessment of complex
socio-technical systems: Principles and theoretical foundations. Saf. Sci. 2009, 47, 1139–1158. [CrossRef]
17. Mohaghegh, Z.; Kazemi, R.; Mosleh, A. Incorporating organizational factors into probabilistic risk assessment
(PRA) of complex socio-technical systems: A hybrid technique formalization. Reliab. Eng. Syst. Saf. 2009, 94,
1000–1018. [CrossRef]
18. Fleming, C.H.; Leveson, N.G. Early concept development and safety analysis of future transportation systems.
IEEE Trans. Intell. Transp. Syst. 2016, 1–12. [CrossRef]
19. A Comparison of STPA and the ARP 4761 Safety Assessment Process Process. Available online: http:
//sunnyday.mit.edu/papers/ARP4761-Comparison-Report-final-1.pdf (accessed on 23 October 2019).
20. Ishimatsu, T.; Leveson, N.G.; Thomas, J.P.; Katahira, M.; Miyamoto, Y.; Ujiie, R.; Nakao, H.; Hoshino, N.;
Fleming, C.H. Hazard analysis of complex spacecraft using systems-theoretic process analysis. J. Spacecr. Rockets
2014, 51, 509–522. [CrossRef]
21. Xiangkun, M.; Guoming, C.; Jihao, S.; Gaogeng, Z.; Yuan, Z. STAMP-based analysis of deepwater well control
safety. J. Loss Prev. Process. Ind. 2018, 552018, 41–52.
22. Mahajan, H.S.; Bradley, T.; Pasricha, S. Application of systems theoretic process analysis to a lane keeping
assist system. Reliab. Eng. Syst. Saf. 2017, 167, 177–183. [CrossRef]
23. Yunhua, G.; Yuntao, L. STAMP-based causal analysis of China-Donghuang oil transportation pipeline leakage
and explosion accident. J. Loss Prev. Process. Ind. 2018, 56, 402–413.
24. Chi, C.F.; Chang, T.C.; Tsou, C.L. In-depth investigation of escalator riding accidents in heavy capacity MRT
stations. Accid. Anal. Prev. 2006, 38, 662–670. [CrossRef]
25. Algin, A.; Gulacti, U.; Erdogan, M.O.; Tayfur, I.; Yusufoglu, K.; Lok, U. Escalator-related injuries in one of the
deepest subway stations in Europe. Ann. Saudi. Med. 2019, 39, 112–117. [CrossRef]
26. Kefan, X.; Zimei, L. Factors influencing escalator-related incidents in China: A systematic analysis using
ISM-DEMATEL method. Int. J. Environ. Res. Public Health 2019, 16, 2478.
27. Li, W.; Gong, J.; Yu, P.; Shen, S. Modeling, simulation and analysis of group trampling risks during escalator
transfers. Phys. A. Stat. Mech. Appl. 2016, 444, 970–984. [CrossRef]
28. Li, W.; Gong, J.; Yu, P.; Shen, S.; Li, Y.; Duan, Q. Simulation and analysis of congestion risk during escalator
transfers using a modified social force model. Phys. A. Stat. Mech. Appl. 2015, 420, 28–40. [CrossRef]
29. Lee, J.Y.S.; Lam, W.H.K.; Wong, S.C. Pedestrian Simulation Model for Hong Kong Underground Stations.
In Proceedings of the Intelligent Transportation Systems, Oakland, CA, USA, 25–29 August 2001; pp. 554–558.
30. Wang, W.; Li, X.; Pan, Q.L. Notice of Retraction Risk Management based on the Escalator Overturned
Accident. In Proceedings of the International Conference on Quality, Reliability, Risk, Maintenance, and
Safety Engineering, Emeishan, China, 15–18 July 2013; pp. 22–27.
31. Priestley, K.; Lee, G. Human Factors in Railway Operations. Railway Engineering—Challenges for Railway
Transportation in Information Age. In Proceedings of the ICRE 2008: International Conference on IET,
Hong Kong, China, 25–28 March 2008.
32. Anis, B.; Nga, N.; Faïda, M.; Jean-Yves, C.; Abdelfattah, M. Improved safety analysis integration in a systems
engineering approach. Appl. Sci. 2019, 9, 1246.
33. Yongming, Z.; Zhe, Y.; Feng, Y.; Jiawei, Y.; Bao, D. A novel reconstruction approach to elevator energy
conservation based on a DC micro-grid in high-rise buildings. Energies 2019, 12, 33.
34. Al-Kodmany, K. Tall buildings and elevators: A review of recent technological advances. Buildings 2015, 5,
1070–1104. [CrossRef]
35. Stamatis, K. Predictive maintenance of hydraulic lifts through lubricating oil analysis. Machines 2014, 2, 1–12.
36. Oh, S.; Hwang, D.; Kim, K.H.; Kim, K. Escalator: An autonomous scheduling scheme for convergecast in
TSCH. Sensors 2018, 18, 1209. [CrossRef]

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access
article distributed under the terms and conditions of the Creative Commons Attribution
(CC BY) license (http://creativecommons.org/licenses/by/4.0/).