Using systems engineering tools to design a safe Smart Energy Box

By Jon Hickey, SDM ’12

Editor’s Note: Jon Hickey is a Commander in the United States Coast Guard. He holds master’s degrees in civil engineering and project management. Hickey recently moved to New Orleans to oversee the building of a new fleet of USCG patrol boats—a $4 billion project. He recently completed a master’s degree in the SDM program. His thesis applied the Systems Theoretic Accident Model and Processes (STAMP) to the analysis of Coast Guard aircraft mishaps.

The work described was a final project in the Systems Engineering (ESD.33) course taught by Qi Hommes, Ph.D. Hickey’s team included Naveen Ranganath, Jorge Moreno, Alex Thomas and Pankaj Kashyap. Hickey presented the paper at the International Council on Systems Engineering (INCOSE) 2012 Symposium in Rome in July.

It is important to integrate multiple systems engineering tools, including system safety analysis, into the design process. This allows designers to identify potential hazards early in the process, when they can be more easily addressed.

State-of-the-art design processes for complex socio-technical systems like the electrical power grid involve a combination of systems engineering tools. For example, the process can use stakeholder analysis—interviewing all the players involved with the system to see what their needs are—to inform Axiomatic Design, which synthesizes the customer requirements and translates them into functional requirements and design parameters.

These state-of-the-art techniques, however, can omit critical safety requirements. Including system-level safety analysis in the conceptual design phase is crucial to recognizing key functional requirements early on in the design and development phases.

My team and I illustrate this with a device that enables large-scale integration of distributed Renewable Energy Systems (RES) into the electrical power grid. For lack of a better term, we call this device the "Smart Box." The Smart Box controls the connection between the RES and the grid and functions as a smart meter. The device should increase efficiency in managing overall power demands across the grid.

We added the Systems Theoretic Accident Model and Processes (STAMP)-based Process Analysis (STPA) system-level safety analysis tool to the Smart Box design process. This incorporates safety into the conceptual design of the Smart Box.


In response to the continued rise in energy demand and the threat greenhouse gas emissions pose to the world climate, we must seek and exploit alternative methods of increasing worldwide energy supply that don’t increase greenhouse gas emissions.


Of the many options that are possible, one of the most promising is a distributed power generation network that leverages RESs (Schmitt, 2010; Edison Smart Connect, 2011; and Electric Power Research Institute, 2011).

We envision a distributed power generation network in which residences and businesses have installed RESs and have a reduced reliance on the grid for electric power so they are more self-sufficient. When an RES produces power in excess of local demand, it will have the ability to deliver it to the grid. And when it falls short, it can be supplemented from the grid.

This plan becomes very complex, however, as we scale the number of RESs to millions, as would be the case in a mature system with a large population of home-owners. As we began appreciating the complexity of this socio-technical system, we realized that this network would likely require central controls to ensure safe and reliable system operation and to maximize the benefit of a tightly coupled grid, or "smart grid."

The ‘Smart Box’

For effective command and control, the centralized authority—typically a utility—will have to install a device akin to today’s smart electricity meters in each home. But this next-generation smart meter will require many more functionalities and features to ensure safe and reliable operation of the grid.

We decided to focus our research on developing the conceptual design of the Smart Box, including high-level system functional requirements and architecture. We envision the Smart Box to be a metering, connection, communication, and control device that is physically located at the distribution point, just upstream (i.e. grid side) of the distribution point main service panel.

Conceptual Design

Our first step in developing the conceptual design was identifying and understanding the system’s functional requirements. "Developing functional requirements is an iterative activity in which new requirements are identified and constantly refined as the concept develops." (System Engineering Handbook, 2011). With this understanding in mind, we started developing the conceptual design of the Smart Box by interviewing the various stakeholders.

System Functional Requirements for the Smart Box

The first step in designing any system is understanding stakeholder needs. Through a series of interviews with the various system stakeholders — homeowners, distribution companies, power retailers, equipment manufacturers, and government regulators — we identified seven critical stakeholder high-level functional needs and desired system characteristics as shown below. We then used Axiomatic Design Theory to systematically transform customer attributes (CAs) into functional requirements (FRs) and design parameters (DPs) by using design matrices (Suh, 1998).

We felt the combination of these two methods would sufficiently inform a conceptual design of the Smart Box. By following the axiomatic design process — that is, zigzagging between these domains and decomposing into hierarchies while satisfying the independence and information design axioms (Suh, 1998) — we were able to translate the high-level functional requirements to design parameters while minimizing system coupling (see figure below).

Axiomatic Design: getting from customer attributes to design parameters

System Safety — STPA

As we reviewed our functional requirements and design parameters, it became apparent that we had an incomplete understanding of the system safety hazards and safety-related functional requirements. It was unclear how the conceptual design would proceed to incorporate hazard detection circuits and hazard isolation circuits without considerable analysis of hazard scenarios and associated system detection and control features necessary to prevent and/or mitigate these hazards. Therefore, we required additional system scenario-based analysis to adequately develop the conceptual design to meet system safety requirements.

To refine our conceptual design to include required safety features upfront, we applied the STPA method — developed by MIT aeronautics and astronautics professor Nancy Leveson — which views safety as a control problem, managed by a control structure embedded in an adaptive socio-technical system. This allowed us to capture key safety-related requirements early on in the design lifecycle in order to avoid costly add-ons later in the lifecycle.

STPA analyzes system constraints, control loops, process models, and levels of control to identify

  • inadequate control structures that lead to safety hazards, and
  • preventive measures that resolve potential and existing hazards.

When we applied STPA, we found that system isolation hazards could occur during system repair and maintenance scenarios due to inadequate control or feedback (pictured below) within the envisioned ‘smart grid’ system.

To address these inadequacies and improve the safety of our design, we included the following additional functional requirements:

  • The utility company, via its utility management system (UMS), must be able to remotely disconnect the RES from the grid. The homeowner must not be able to override this disconnect, and the utility/UMS must be able to confirm RES connection status through real-time sensing.
  • In a repair scenario, technicians must be able to connect and disconnect the RES and have real-time monitoring of the RES’s grid connection status.
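The two requirements above describe a control structure: controllers (the utility management system, a technician, the homeowner) issue connect/disconnect commands to the Smart Box, and real-time sensing closes the feedback loop. The following Python model is an added illustration, not part of the paper or the team's design; the class and actor names, the lockout precedence (both a utility and a technician lockout must be cleared before the contactor closes), and the assumption that a homeowner may always drop their own RES are mine. It encodes the STPA control loop from the bullets above, rejects the unsafe control action of a homeowner reconnecting during a utility lockout, and shows why the "confirm through real-time sensing" clause matters by injecting a welded contactor fault that a command echo alone would never reveal.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Actor(Enum):
    UTILITY = auto()      # utility management system (UMS)
    TECHNICIAN = auto()   # repair / maintenance crew
    HOMEOWNER = auto()


class Cmd(Enum):
    CONNECT = auto()
    DISCONNECT = auto()


@dataclass
class Decision:
    accepted: bool   # did the controller act on the command?
    sensed: bool     # real-time sensed contactor state after the command
    reason: str


@dataclass
class SmartBox:
    """Controller plus plant for the RES/grid connection (assumed structure)."""
    utility_lockout: bool = False      # set by a UMS disconnect; homeowner cannot clear it
    technician_lockout: bool = False   # set by a technician disconnect during repair
    contactor_closed: bool = False     # physical plant state (RES connected to grid)
    stuck_closed: bool = False         # injected fault: contactor welded shut
    events: list = field(default_factory=list)

    # --- plant -------------------------------------------------------------
    def _open(self) -> None:
        if not self.stuck_closed:      # a welded contactor ignores the open command
            self.contactor_closed = False

    def _close(self) -> None:
        self.contactor_closed = True

    def sense_connected(self) -> bool:
        """Real-time sensing the UMS uses to confirm RES connection status."""
        return self.contactor_closed

    # --- controller ----------------------------------------------------------
    def command(self, actor: Actor, cmd: Cmd) -> Decision:
        accepted, reason = True, "ok"
        if actor is Actor.UTILITY:
            if cmd is Cmd.DISCONNECT:
                self.utility_lockout = True
                self._open()
            else:
                self.utility_lockout = False
                if self.technician_lockout:
                    accepted, reason = False, "technician lockout still active"
                else:
                    self._close()
        elif actor is Actor.TECHNICIAN:
            if cmd is Cmd.DISCONNECT:
                self.technician_lockout = True
                self._open()
            else:
                self.technician_lockout = False
                if self.utility_lockout:
                    accepted, reason = False, "utility lockout still active"
                else:
                    self._close()
        else:  # homeowner
            if cmd is Cmd.CONNECT and (self.utility_lockout or self.technician_lockout):
                accepted, reason = False, "homeowner cannot override a lockout"
            elif cmd is Cmd.CONNECT:
                self._close()
            else:
                self._open()  # assumption: owner may always disconnect their own RES
        sensed = self.sense_connected()  # feedback, not the command echo
        self.events.append((actor.name, cmd.name, accepted, sensed))
        return Decision(accepted, sensed, reason)

    def feedback_mismatch(self) -> bool:
        """Hazard flag: controller believes the RES is isolated but sensing says it is live."""
        believed_isolated = self.utility_lockout or self.technician_lockout
        return believed_isolated and self.sense_connected()


def repair_scenario(stuck_closed: bool = False) -> dict:
    """Constructed maintenance scenario: UMS isolates, owner tries to override, crew works."""
    box = SmartBox(stuck_closed=stuck_closed)
    box.command(Actor.HOMEOWNER, Cmd.CONNECT)              # normal operation
    box.command(Actor.UTILITY, Cmd.DISCONNECT)             # UMS isolates the RES for repair
    override = box.command(Actor.HOMEOWNER, Cmd.CONNECT)   # unsafe control action
    box.command(Actor.TECHNICIAN, Cmd.DISCONNECT)          # crew applies its own lockout
    live_during_repair = box.feedback_mismatch()           # only sensing can reveal this
    box.command(Actor.TECHNICIAN, Cmd.CONNECT)             # crew finished, clears its lockout
    box.command(Actor.UTILITY, Cmd.CONNECT)                # UMS restores the connection
    return {
        "override_rejected": not override.accepted,
        "live_during_repair": live_during_repair,
        "restored": box.sense_connected(),
    }


if __name__ == "__main__":
    print("healthy contactor:", repair_scenario())
    print("welded contactor: ", repair_scenario(stuck_closed=True))
```

In the healthy run the homeowner's override is rejected and the RES stays isolated while the technician works; in the welded-contactor run the same commands are accepted by the controller, yet `feedback_mismatch()` reports the RES as live during repair, which is exactly the inadequate-feedback hazard the STPA pass surfaced and the reason the requirement demands sensed status rather than assumed status.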

This diagram shows the safety control system for a grid-connected Renewable Energy System.

Lessons Learned

Applying a combination of systems engineering tools is critical to developing the conceptual design of complex socio-technical systems.

Stakeholder analysis in combination with axiomatic design is a good approach to develop initial customer attributes and associated functional requirements, design parameters and process variables. However, limiting conceptual design to these methods may not yield important functional requirements, design parameters and process variables that are critical to the safe and reliable operation of complex socio-technical systems.

Inclusion of system-level safety analysis, such as STPA, in conjunction with the aforementioned systems engineering tools in the conceptual design phase is highly effective in capturing key functional requirements early on in the design and development phases.

Capturing safety-related functional requirements during the conceptual design phase can help avoid operational conditions that are hazardous to life and property. In addition, this approach prevents costly add-ons later in the design and implementation phases of the system life cycle.

Jon Hickey, SDM ’12