Hazard Analysis for Escalator Emergency Braking System via System Safety Analysis Method Based on STAMP

Abstract: Because of the complex mechanical structure and control process of escalator emergency braking systems (EEBS), traditional hazard analysis based on the event chain model has limitations in exploring component interaction failures in such a complex socio-technical system. Therefore, this paper proposes a hazard analysis framework for complex electromechanical systems based on the system-theoretic accident model and processes (STAMP). First, the basic principles of STAMP are introduced and compared with other hazard analysis methods, and the safety analysis framework is proposed. Second, a case study identifies the unsafe control actions of the EEBS from its control structures, and a specific control diagram is organized to recognize potential example causal scenarios. Next, a comparison between fault tree analysis and STAMP for an escalator overturning accident shows that hazards related to component damage can be identified by both, whereas hazards that arise from component interaction can only be identified by STAMP. In addition, a single control path and the tandem operation process are found to be obvious causal factors of accidents. Finally, improvement measures such as acoustic (decibel) detection or vibration monitoring of key components are suggested to help the current broken-chain detection trigger the anti-reversal device, for a safer EEBS.


Introduction
Escalators, as an important part of modern life, play an increasingly significant role. In China, the number of elevators and escalators continues to grow every year, and the growth rate ranks first in the world. With the increase in the number of escalators, escalator-related accidents have also shown an upward trend. Since 2005, China has experienced an average of about 40 elevator accidents per year, with about 30 deaths. The number of serious escalator accidents from 2009 to 2014 is shown in Figure 1, and the injuries in Guangzhou Metro from 2013 to 2015 are shown in Table 1 [1]. Because the installed base is huge, the death rate of escalators is very low, but the harm to the injured and the social influence are very serious. Thus, the safety of escalators has attracted more and more attention [2][3][4][5]. When an accident has happened, hazard analysis techniques based on the relevant safety theory can help technicians identify the cause of failure efficiently, together with the potential hazards that may cause the accident, and then set up safety protection according to those causes and hazards to avoid the recurrence of similar accidents.

Table 1. Overview of the injuries in Guangzhou Metro [1]. Reproduced with permission from [1], Elsevier, 2019.

As the basis of the safety issue, accident or safety theory is used to clarify the cause, the process, the end and the consequences of an accident, so that its occurrence and development can be analyzed clearly. Traditional accident theory started almost 100 years ago: accident proneness theory was proposed by Farmer and Chambers, building on the statistical study of casualty distribution by Greenwood and Woods [6]. After that, traditional safety theories such as Heinrich's law and energy release theory were proposed successively [7,8]. All these theories focus on the instability and unsafe behavior of human beings in the system.
Later, the WASH-1400 report on nuclear reactor safety established the framework of probabilistic risk assessment (PRA) and conducted a safety assessment in the field of nuclear power, which greatly promoted the research and application of probabilistic risk models [9]. In 1997, Reason represented the different levels of a system as slices of Swiss cheese, with the "holes" in the slices standing for defects at each level; this became the most famous model in classical safety theory, the "Swiss cheese" model [10]. Since then, descriptive theories based on the actual behavior of systems, such as normal accident theory (NAT) proposed by Charles Perrow and high reliability organization (HRO) theory proposed by Karlene Roberts, have had a profound impact on accident causation and system safety [11][12][13].

Table 1 (columns): Year | Passenger Flow Per Year (billion) | Total Injuries | Escalator-Related
In 1997, Rasmussen initiated a system safety analysis method based on cybernetics and systems theory, in which risk management is described as a control process and must be established on a classification of hazard sources by their control requirements [14]. In 2004, Leveson established the system-theoretic accident model and processes (STAMP) on the basis of systems theory. The core idea of the model is that an accident emerges from the interactions between the various elements of a complex system, and that a lack of control actions imposing constraints on these interactions leads to accidents [15]. The appearance of STAMP led to the rapid development of modern safety theories based on systems theory. In 2008, Zahra Mohaghegh proposed the SoTeRiA method, which combines system dynamics, Bayesian networks and other methods to describe quantitatively how influence factors are transferred from organizational factors to technical aspects [16,17]. In 2015, Cody Fleming proposed the system-theoretic early concept analysis (STECA) method for safety analysis from the perspective of systems science and control science, based on STAMP and hazard analysis technology [18]. Figure 2 shows the development of safety-related theory based on the above description.
Classical safety theory based on the event chain model and probabilistic failure analysis focuses on the failure analysis of equipment and can effectively analyze accidents caused by component failures or operational errors. However, safety risk analysis based on the event chain model ignores the impact of the interaction between components on system safety.
Meanwhile, quantitative risk assessment based on probabilistic failure analysis is not suitable for the safety evaluation of complex systems in whose control people participate, because it only considers combinations of single-event failure probabilities and mutually exclusive event probabilities. Modern safety theory breaks through the shortcoming of classical safety theory, which only pays attention to the performance of components, and recognizes insufficient feedback or control from the perspective of systems theory, which makes STAMP more suitable for complex systems [19]. STAMP has been widely used in aerospace, petrochemical, transportation and other industries; its vitality lies in the fact that it helps us understand system safety from the perspective of control, rather than being trapped in the constraints of the traditional event chain model [20][21][22][23]. On the basis of STAMP, system-theoretic process analysis (STPA) was proposed as a new hazard analysis technique [19]. Another important advantage of STAMP/STPA is its simple operability and broad applicability, which reduces the impact of task specificity on the safety analysis of man-machine-loop systems. The goal of STPA, to create the set of scenarios that can lead to a hazard, is the same as that of fault tree analysis (FTA), but STPA includes a broader set of potential scenarios, including those in which no failure occurs and the problems arise from unsafe and unintended interactions among the system components.
As for the safety analysis of escalators, some research has focused on mathematical statistics to find the relationship between various factors and escalator-related accidents [24][25][26]. There are also studies on the behavior or state of passengers, such as group trampling risk simulation [27], congestion risk simulation based on the social force model [28] and pedestrian flow modeling [29]. Some traditional hazard analysis methods such as FTA and hazard and operability analysis (HAZOP) have also been applied to escalator-related accidents, but they pay more attention to component failure or the causal relationship of human events and ignore the interactions of components and other causes [30,31]. Therefore, STPA is introduced into the safety analysis of escalators in this paper, which can help to understand escalator-related accidents systematically and comprehensively. On the other hand, based on the results of the above safety analysis methods, many useful strategies and methods have been used to improve system safety [32][33][34][35][36]. Similarly, the method proposed in this paper for the safety analysis of escalator emergency braking systems (EEBS) also aims to find useful measures to improve the safety of the EEBS.
The remainder of this paper is organized as follows. In Section 2, the system-theoretic accident model and processes is briefly introduced, a comparison between FTA, failure mode, effects and criticality analysis (FMECA), HAZOP and STPA is carried out to show the advantage of STAMP in complex socio-technical systems, and a safety analysis framework for hazard analysis of complex electromechanical systems based on STAMP is proposed. In Section 3, a system safety analysis method based on STPA is introduced and demonstrated in a case study of an escalator emergency braking system. In Section 4, the results of FTA and STPA are compared, and some targeted improvement measures are suggested to improve the safety of the EEBS. Finally, conclusions are drawn in Section 5.

Safety Analysis Framework for Complex Electromechanical Equipment System Based on STAMP
STAMP treats safety as a control problem: the focus of system safety shifts from preventing failures to enforcing safety constraints. Component failures are still included, but the concept of accident causes is extended to component interactions. STAMP contains three main concepts: safety constraints, hierarchical control structures, and process models. Its most basic concept is not an event but a constraint. In this theory, the main causes of safety issues are component failures, external disturbances to the system, interactions between components, and component behaviors that lead to dangerous system states.

Principles of STAMP
The safety of a complex system is more than component failure or reliability decline. In STAMP, safety is an emergent or system property rather than a component property. In systems theory, complex systems are viewed as a hierarchy of organizational levels, and STAMP posits a hierarchical multilevel model of stakeholders, like the model of Rasmussen [13] but more expanded. Another basic concept in STAMP is the safety constraint. In systems theory, safety can be regarded as an emergent property that originates from interactions between components, and the way to control it is to impose constraints on the behavior of the components and on their interactions. Because the hierarchical structure is itself a structure of constraints, with higher levels controlling the behavior of lower levels, accidents happen if the higher levels do not provide enough constraints or the lower levels violate the safety constraints. As equipment develops toward automation and intelligence, systems become more and more complex, and the difficulty of identifying and enforcing safety constraints in design and operation increases. Figure 3 shows a general socio-technical system control structure from STAMP, which does not represent any particular system. Each node in the graph is a human or machine component of a socio-technical system; the connecting lines show the control actions used to enforce safety constraints on the system and the feedback that provides information to the controlling entity.
Besides constraints and hierarchical models, the third basic concept in STAMP is the process model, which is an important part of control theory. A typical control loop consists of the controller that issues commands and the controlled object (the controlled process) that provides feedback, as shown in Figure 4. The controller usually contains a process model and a control algorithm. When the controller sends a command to the controlled process, the feedback generated by the controlled process is returned to the controller, closing the control loop. Component interaction accidents can often be interpreted as process model errors: when the controller's process model does not match the controlled system, or the controller issues an unsafe command, an accident can happen.
Figure 3. General socio-technical system control structure from the system-theoretic accident model and process (STAMP) [15]. Reproduced with permission from [15], Elsevier, 2019.
Based on the three basic concepts of STAMP, the basic causal factors of a standard control loop under the STAMP framework are summarized in Figure 5 [19].

Comparison between FTA, FMECA, HAZOP, and STAMP
Traditional risk analysis theory considers hazards as the result of a series of events. The events considered usually involve several types of component failures or human errors, and the analysis mainly adopts the forward sequence method (such as failure mode and effects analysis) or the backward sequence method (such as the fault tree, which directly describes the linear relationship between a failure and its influencing factors and is suitable for analyzing a hazard caused by the failure of a physical component or a simple system). Three hazard analysis techniques are suggested in the functional safety standard ISO 26262: fault tree analysis (FTA), failure modes and effects analysis (FMEA), and

Table 2 summarizes and compares the three general hazard analysis techniques with STAMP.

Table 2 (STAMP column): understands accidents from the perspective of systems theory and cybernetics; fully considers the interactions within the system; emphasizes social factors; mostly used for qualitative analysis and needs to be combined with other methods for quantitative analysis.

FTA, FMECA and HAZOP were proposed before the 1980s, when industry did not yet depend heavily on automation and intelligence, and only giant companies and some research institutes in the nuclear industry, aerospace and universities had enough human and material resources to carry out the relevant technical research. Although these three methods can uncover some details, their limitations, shown in Table 2, are clear: traditional safety analysis methods based on the event chain model cannot do as much when dealing with computer-oriented automated control systems. In STAMP, by contrast, the particular understanding of safety substantially enriches the connotation of safety through the introduction of concepts such as hierarchical models, process models and safety constraints.

System-Theoretic Process Analysis (STPA)
STPA is a new hazard analysis technique based on system safety theory. According to the above description, an accident is defined as the result of a complex process in which the system behavior violates the safety constraints. The main steps of STPA are as follows: Step 1: identify the unsafe control actions of the system that may lead to a hazard; Step 2: determine how each unsafe control action identified in Step 1 could occur, i.e., its causal scenarios.
The goal of STPA is to find the comprehensive causes of accidents; the actions that can happen or exist and affect safety are unsafe control actions (UCAs). UCAs fall into four general types in STPA: (1) a control action is provided that creates a hazard; (2) a control action required to avoid a hazard is not provided; (3) a potentially safe control action is provided too late, too early, or in the wrong order; (4) a continuous control action is applied too long or stopped too soon.

A Safety Analysis Framework for Complex Electromechanical System Based on STAMP
The electromechanical equipment system is the most common part of an integrated system, in which humans operate a control system consisting of a computer or programmable logic controller (PLC). The cooperation of its various parts, such as electronic components, mechanical parts and industrial control algorithms, is what guarantees the safety of the electromechanical equipment system. Because of the complex mechanical components and control process, traditional hazard analysis methods based on the event chain model have limitations in exploring component interaction failures and process mismatches in such a complex socio-technical system. Therefore, a hazard analysis framework for complex electromechanical equipment based on STAMP is proposed in this paper. Figure 6 shows the main diagram of the framework.

The framework in Figure 6 can be divided into four parts: (1) First, the safety requirements of the electromechanical equipment system are determined on the basis of system understanding and the collection of accident cases; then the hierarchical structure model of the equipment and the process model of its operation are established. (2) Second, safety constraints are defined from the hierarchical structure model and the process model combined with the safety requirements; then the safety control structure and safety control process are established, and iterative STPA is performed, with the help of the basic unsafe control principles, to identify unsafe control actions and example causal scenarios. (3) Specific hazards leading to an accident (such as component failure, component interaction failure, external disturbance, dangerous behavior of the system and so on) are identified from the STPA results. (4) Finally, targeted improvement measures are added according to key hazards such as component failure and component interaction failure.

Hazard Analysis for Braking System of Escalator
The emergency braking system is an important part of an escalator and is crucial for ensuring the safe operation of the equipment. The escalator relies on normal operation of the brake whenever operation needs to be stopped or an emergency occurs. In this section, STPA is applied to the escalator emergency braking system to demonstrate the advantage of the method in a complex socio-technical system.

Overview of Escalator Emergency Braking System

At present, most emergency brakes use electromagnetic triggers: the electromagnet keeps the brake pulled open during normal operation, and the brake engages when the electromagnet loses power. When the escalator overspeeds or reverses, the emergency brake and the working brake act simultaneously. Based on this logic, when the brake operates, the running state of the escalator is first judged from the measurement of the proximity switch (speed sensor); if the escalator speed exceeds a certain threshold, the corresponding brake operates. Figure 7 shows the mechanical structure of the escalator brake.
According to the national standard, an emergency brake is required under the following conditions: (1) the working brake and the escalator drive system are connected by a transmission chain; (2) the working brake is not an electromechanical brake; (3) the escalator is a public transport escalator. The escalator or moving walkway should be stopped with a clearly perceptible deceleration and held stationary by the braking force of the emergency brake. In general, the emergency brake shall act in either of the following two cases: (1) before the speed exceeds 1.4 times the rated speed (40% overspeed); (2) when the direction of travel suddenly changes. Figure 8 shows the speed sensors (a) and the overspeed protection switch (b). On the basis of the above description, the working principle of the escalator braking system is shown in Figure 9.
Figure 7 shows the mechanical structure of the escalator brake. The emergency brake is set under the following conditions according to national standard: (1) The working brake and the elevator system are connected by the transmission chain, (2) The working brake is not the electromechanical brake, (3) The public transport escalator. The escalator or moving walkway should be stopped at a deceleration with obvious feeling and be kept still under the braking force of emergency brake. In general situation, the emergency brake shall act in either of the following two cases: (1) before the speed exceeds 40% of the rated speed, (2) when the travel direction suddenly changes. Figure 8 shows the speed sensors (a) and overspeed protection switch (b). On the basis of above-mentioned description, the working principle of escalator braking system can be shown in Figure 9.

Control Structure of EEBS
The braking system is one of the most important pieces of equipment for escalators to ensure safety in emergency situations. When the escalator speed monitoring system finds that the speed is abnormal, the control system adopts different protection measures according to different speed thresholds. At the same time, an emergency stop switch is installed on the upper and lower sides of the escalator so that passengers or operators can operate it manually in an emergency. In order to reduce the complexity of the control structure diagram, the braking process when an accident occurs is divided into two levels: the perspective of the overall operation of the escalator and the perspective of the escalator braking system. Level 1 in Figure 10a is the control chart of the escalator operation, which mainly includes seven parts: designer and manufacturer, operator, passenger, escalator power equipment, escalator control system, brake and emergency stop switch. When an accident occurs, the monitoring module in the escalator power equipment sends a control command to the escalator control system to control the brake action, or the operator and the passenger may also send the brake control command to the escalator control system through the emergency stop switch.
Figure 10b shows the control structure of Level 2. Speed sensors, the PLC and the overspeed judgment algorithm are the core of the controller, and electromagnetic switches can be regarded as the actuator of the control structure. The speed of the transmission system is then the controlled process of Level 2.

Appl. Sci. 2019, 9, x FOR PEER REVIEW 10 of 23 Figure 9. The working principle of the escalator braking system.



STPA for Escalator Braking System
After establishing the control structure of the brake-oriented process for escalator operation, control actions can be summarized for further analysis. Tables 3 and 4 list the important control processes around the time of the brake operation in the control structures of the two levels. There are seven main control processes in Level 1 and five in Level 2. The primary problem is to understand the relationship between the controller and the controlled process. Then, in STPA, guided by the basic causal factors of a standard control loop shown in Figure 5, the potentially unsafe control actions contained in every control process can be organized and listed in Tables 5 and 6. The unsafe control actions (UCAs) involved in the control structures of the two levels are summarized as completely as possible. STPA for Level 2 follows the same steps. Meanwhile, some specific UCAs can be analyzed further. For example, UCA29 can itself be the consequence of many causes, such as workers' lack of expertise, wrong installation instructions and limited installation space. That means a new controlled process for UCA29 can be established if necessary; this continued use of STPA at different levels is exactly the advantage of STPA. A failure of the escalator equipment may lead to an overturned accident, and once the escalator is overturned it can cause serious casualties. According to Table 6, we further analyzed the cause of the brake malfunction (related to UCA42). First, the system constraints and sub-system constraints of the two levels are defined as follows: (1) System constraint: when the escalator is overturned, the brake can start effectively; (2) Sub-system constraint: when the brake is turned on, the escalator can effectively slow down.
As for the basic system constraint of the effective start of the brake, if it is regarded as a controlled process, then the brake design and manufacturing department can be considered the controller of the process, the escalator operator the actuator, and the maintenance personnel the sensors of the control process. At this macro level, a basic process model is established. Using the STAMP notion of inadequate control, the unsafe constraints that may lead to accidents are shown in Figure 11. Besides the unsafe control factors of each part in Level 1, other unsafe control factors caused by interaction failures between parts and by related external causes can also be identified.
In view of the failure of the brake to start effectively, we construct a more specific process model from the perspective of the brake operating principle. Taking the escalator PLC control system as the controller, the brake itself as the actuator, and the drive spindle that must be decelerated in the event of an accident as the controlled object, a process model is established. Figure 12a shows the mechanical structure of the drive chain protection device and Figure 12b shows the basic working principle of the escalator emergency brake. Then, on the basis of Tables 5 and 6 and in conjunction with the operating context scenario, the causes of the unsafe controls that lead to the danger are identified. Figure 13 collects the unsafe control actions from Level 2 into a specific control diagram using the working principle shown in Figure 12b. The red segments in this diagram show the potential causal factors that may cause accidents.
According to some of the unsafe controls in Figure 13, specific example scenarios that violate safety constraints are summarized in Table 7. These example scenarios are simulated to give a specific safety warning of escalator overturned accidents.
In the example scenarios, based on the process model, the incentives for breaching safety constraints are summarized from different perspectives of the control structure. It can be seen that although the process model is based on equipment, in addition to component failures that violate safety constraints, it still contains unsafe constraints that arise from interactions between hardware and software. For example, the determination of the escalator's overspeed status involves not only the reliability of the sensor signal: the algorithm itself may be in error, or the threshold for declaring overspeed may be unreasonable. A threshold that is too high or too low is not conducive to the brakes playing their due role at critical moments.
Table 7. Specific example scenarios of hazardous unsafe control.

Unsafe Control (Incentives) | Example Scenario
--- | ---
Unreasonable installation location; signal from sensor is disturbed; sensor damaged | The sensor does not measure the change effectively when overspeed occurs, so the PLC does not make a correct overspeed judgment.
Component of PLC damaged | The velocity judgment can be wrong and the command mistaken because a component of the PLC is damaged.
Unreasonable overspeed judgment algorithm; trigger threshold of overspeed judgment is too high or too low | Misjudgment of overspeed can lead to frequent starts of the emergency brake system, which disturbs the operation of the escalator and aggravates the wear of mechanical components.
Command mistake from PLC | The brake command is sent during normal operation, or the command is not sent when the speed exceeds the safe threshold, or there is a delay in the command, increasing the response time of the brake system.
Component of brake damaged | The mechanical components of the brake system cannot withstand the instantaneous impact force and energy when the brake needs to work.
Passengers did not grasp the handrails | When an accident occurred, it caused panic and a stampede, and increased the brake load.
Response time of brake system is too long when accident occurs | When the accident occurs, the overspeed judgment time is long, the PLC does not issue the instruction in time, the braking time is too short, or the passengers have a long reaction time, all of which make the time course of the brake action longer than the time course of the accident.
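The Level 2 control loop (speed sensor, PLC judgment, brake command) and the Table 7 scenarios, as an added simulation that is not code from the paper. The rated speed, pulses per metre, scan period, the 1.2x working-brake factor, the nominal band and all pulse logs are assumed values; only the "act before the speed exceeds the rated speed by 40%" rule and the reversal rule come from the text.

```python
"""Level 2 control loop of the escalator braking system, reduced to code:
speed sensor pulses -> PLC overspeed/reversal judgment -> brake command.
Added example, not code from the paper; rated speed, pulses per metre,
scan period, 1.2x working-brake factor, nominal band and pulse logs are assumed."""
from dataclasses import dataclass
from typing import List, Optional

RATED_SPEED = 0.5         # m/s, assumed rated speed
WORKING_FACTOR = 1.2      # assumed: working brake alone above 1.2 x rated
EMERGENCY_FACTOR = 1.4    # page: emergency brake before speed exceeds rated by 40%
METRES_PER_PULSE = 0.005  # assumed: step travel per proximity-switch pulse
SCAN = 0.1                # s, assumed PLC scan period
NOMINAL_BAND = 0.15       # assumed: +/-15% of rated still counts as normal running


@dataclass(frozen=True)
class Sample:
    """One PLC scan: time (s) and the signed cumulative pulse count."""
    t: float
    pulses: int


def speed_between(prev: Sample, cur: Sample) -> float:
    """Signed speed (m/s) from the pulses counted between two scans."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return (cur.pulses - prev.pulses) * METRES_PER_PULSE / dt


def judge(speed: float, commanded_dir: int = 1, rated: float = RATED_SPEED,
          working_factor: float = WORKING_FACTOR,
          emergency_factor: float = EMERGENCY_FACTOR) -> str:
    """PLC judgment for one scan: 'none', 'working' or 'emergency'.
    Reversal (motion against the commanded direction) or overspeed beyond the
    emergency threshold makes both brakes act, as in the page's Figure 9 logic;
    a milder overspeed only engages the working brake (assumed)."""
    if speed * commanded_dir < 0:
        return "emergency"
    magnitude = abs(speed)
    if magnitude > rated * emergency_factor:
        return "emergency"
    if magnitude > rated * working_factor:
        return "working"
    return "none"


@dataclass(frozen=True)
class Outcome:
    first_command: Optional[str]           # first brake command on a real event
    command_time: Optional[float]          # scan time at which it was issued
    brake_effective_time: Optional[float]  # command + PLC delay + brake time
    spurious_commands: int                 # commands issued at nominal speed
    stopped_in_time: bool                  # effective before the accident deadline


def simulate(samples: List[Sample], accident_deadline: float,
             command_delay: float = 0.0, brake_time: float = 0.3,
             **judge_kwargs) -> Outcome:
    """Replay a pulse log through the controller. `accident_deadline` is the
    time by which braking must be effective (Table 7's 'time course of the
    accident'); `command_delay` models a late PLC command."""
    first_cmd = cmd_time = eff_time = None
    spurious = 0
    for prev, cur in zip(samples, samples[1:]):
        v = speed_between(prev, cur)
        cmd = judge(v, **judge_kwargs)
        if cmd == "none":
            continue
        if abs(abs(v) - RATED_SPEED) <= NOMINAL_BAND * RATED_SPEED:
            spurious += 1  # Table 7: threshold too low -> frequent brake starts
        elif first_cmd is None:
            first_cmd, cmd_time = cmd, cur.t
            eff_time = round(cur.t + command_delay + brake_time, 3)
    return Outcome(first_cmd, cmd_time, eff_time, spurious,
                   eff_time is not None and eff_time <= accident_deadline)


def pulse_log(deltas_per_scan: List[int]) -> List[Sample]:
    """Build a pulse log from per-scan pulse deltas (constructed data)."""
    out, total = [Sample(0.0, 0)], 0
    for i, d in enumerate(deltas_per_scan, start=1):
        total += d
        out.append(Sample(round(i * SCAN, 3), total))
    return out


# Constructed scenarios; 10 pulses per scan equals the rated 0.5 m/s.
NORMAL_JITTER = pulse_log([10, 11, 10, 11, 10])       # healthy running, slight jitter
OVERSPEED_UP = pulse_log([10, 10, 11, 13, 15])        # speed creeps past 1.2x, then 1.4x
REVERSAL = pulse_log([10, 10, 10, -4, -10, -18, -26])  # drive chain breaks, escalator runs back

if __name__ == "__main__":
    print(simulate(REVERSAL, accident_deadline=0.8))
    print(simulate(REVERSAL, accident_deadline=0.8, command_delay=0.2))
    print(simulate(OVERSPEED_UP, 1.0, working_factor=1.6, emergency_factor=1.8))
    print(simulate(NORMAL_JITTER, 1.0, working_factor=1.05))
```

The three scenario runs in the main block reproduce the Table 7 rows for a delayed command, a threshold set too high, and a threshold set too low.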

Result Analysis and Comparison with FTA
In order to show the difference between STPA and FTA, a comparison is performed in this section. Some basic principles of FTA are introduced, and the fault tree analysis that had been performed on the escalator reversal accident is cited to show the result. Some improvement measures are then given to form a safer brake system.

FTA of Escalator Braking System
As mentioned earlier, FTA is a typical top-down risk analysis method. It adopts a logical method and presents the hazard analysis vividly. Its features are intuitive, clear-cut and logical, and it can be used for both qualitative and quantitative analysis. In general, the development of safety system engineering is also based on fault tree analysis. In 1974, the US Atomic Energy Commission published a report on the risk assessment of nuclear power plants, the "Rasmussen Report (WASH-1400 report)", which applied FTA effectively and extensively, thereby rapidly promoting the development of FTA [8]. The fault tree is composed of event symbols and logic gates, and the relationships between events are represented by the logic gates. Based on FTA, a fault tree with escalator reversal as the top event was established, as shown in Figure 14.

Result Comparison between FTA and STPA
FTA can fully exploit accidents caused by component failure, and it can depict the chain of events that leads to an accident through the failure of underlying components. In the above analysis, both STPA and FTA were applied to escalator reversal accidents. In order to demonstrate the feasibility of the STPA method, Table 8 starts from the different objects and compares the results of the two methods. Leaving aside some of the more subtle aspects, it can be seen that STPA can identify every cause of the accident that FTA identifies, and in addition it identifies causes arising from the interaction of component objects and from emergent behaviour, which are considered by the STAMP theory underlying STPA. Although some of the causes identified by STPA may already have been considered, or may be unlikely to occur, such control flaws remain possible causes of major accidents.

Improvement on Control Process
In the event of an accident, the impact on the individual or on society is enormous. The complexity of the system and an unreasonable control process, even a tiny design error, play an important role in an emergency situation. Because hazards and accidents are understood from different perspectives, some inherent flaws can stay hidden for a long time. From the above hazard analysis of the escalator brake system, some improvement measures can be added to the controlled process to prevent accidents or to improve the emergency response capability of the EEBS. Figure 15 shows the improved controlled process. Pink lines and dashed boxes indicate added control paths that may improve system safety.

Figure 15. Improvement to escalator brake process.
(1) Passengers, as the primary occupants of the escalator, should be fully enabled to understand the situation and protect themselves during the ride in case of emergency.
(2) A manual switch for the emergency brake, separate from the driving brake, is very important in case the automatic emergency brake trigger misjudges the state. In fact, in most escalator reversal accidents, the automatic emergency brake not being triggered is one of the main causes.
(3) Passengers need an effective way to sense the speed information so that they can respond correctly. Another improvement measure is a spare emergency brake, which is necessary to help share the huge impact energy of mechanical friction when the emergency brake is working.
(4) Necessary traffic flow monitoring and control measures should be added to manage the heavy load during long working periods. Then, feedback that reflects brake information (such as brake time, brake distance, brake force, etc.) can be added to the system. This feedback path can record the processing capacity of the braking system in emergency situations and will be an important reference for the design and improvement of the brake.
In fact, the above improvement measures have practical significance for the design and manufacture of EEBS. For example, over-reliance on the broken chain detection (BCD) of the anti-reversal device is an obvious causal factor in reversal accidents. So, a new trigger mechanism needs to be designed to trigger the anti-reversal protection device. Environmental decibel detection or vibration monitoring of key driving components could be a good choice. When an accident happens, many people around the escalator, including the passengers, scream or call for help, which significantly increases the sound level of the environment. When the environmental decibel value reaches a certain threshold, the trigger can act in time. Alternatively, a vibration sensor for condition monitoring of key driving components can also help to trigger the anti-reversal device when abnormal vibration appears during the accident. It should be noted that the new trigger mechanism here is only an auxiliary protection device and does not replace the original basic protection principle based on BCD. Figure 16 gives a more concrete solution that combines BCD, environmental decibel detection and vibration detection to trigger the anti-reversal device. We hope to use comprehensive triggering conditions to reduce the possibility of misjudgment by a single trigger. Therefore, the signal detected by BCD, the sound signal from environmental decibel detection and the vibration signal of key components are collected, signal processing methods are used to judge the true state of the escalator reflected by this information, and logic control then decides whether to trigger the anti-reversal device. The logic control algorithm here requires a lot of experimentation and data analysis.
This is just one practical way to realize the above improvement measures; specific devices or algorithms require extensive experimentation and validation in the future.
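One possible form of the comprehensive trigger logic described above, as an added example that is not the paper's design: BCD stays the primary trigger, and the auxiliary path fires only when sound level and vibration are both abnormal for several consecutive samples, so a single disturbed signal cannot misjudge the escalator state. The fusion rule, the thresholds, the confirmation count and all readings are assumptions.

```python
"""Comprehensive trigger for the anti-reversal device (Section 4.3):
BCD remains the primary trigger; the auxiliary trigger needs environmental
sound level AND drive-component vibration above threshold for several
consecutive samples. Added example; fusion rule, thresholds, confirmation
count and readings are assumptions, not the paper's design."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOUND_DB_THRESHOLD = 85.0  # assumed: screams and calls for help push the ambient level above this
VIB_RMS_THRESHOLD = 12.0   # assumed: abnormal vibration of a key driving component, mm/s RMS
CONFIRM_SAMPLES = 3        # assumed: consecutive samples in which both signals must be abnormal


@dataclass(frozen=True)
class Reading:
    """One sampling instant of the three monitored signals."""
    t: float           # s
    bcd_broken: bool   # broken chain detection reports a broken drive chain
    sound_db: float    # environmental sound level, dB
    vib_rms: float     # vibration RMS of the key driving component, mm/s


class AntiReversalTrigger:
    """Decides, sample by sample, whether the anti-reversal device is triggered."""

    def __init__(self, use_auxiliary: bool = True) -> None:
        self.use_auxiliary = use_auxiliary
        self._confirm = 0  # consecutive samples with sound AND vibration abnormal

    def update(self, r: Reading) -> str:
        """Return 'bcd', 'auxiliary' or 'none' for this sample."""
        if r.bcd_broken:
            return "bcd"  # the original BCD protection is kept unchanged
        if not self.use_auxiliary:
            return "none"
        if r.sound_db > SOUND_DB_THRESHOLD and r.vib_rms > VIB_RMS_THRESHOLD:
            self._confirm += 1
        else:
            self._confirm = 0  # one abnormal signal alone never accumulates evidence
        return "auxiliary" if self._confirm >= CONFIRM_SAMPLES else "none"


def first_trigger(readings: List[Reading],
                  use_auxiliary: bool = True) -> Tuple[str, Optional[float]]:
    """Run a reading log through the trigger; return the first trigger kind and its time."""
    trig = AntiReversalTrigger(use_auxiliary)
    for r in readings:
        kind = trig.update(r)
        if kind != "none":
            return kind, r.t
    return "none", None


def reading_log(rows) -> List[Reading]:
    """Build a log from (bcd, dB, mm/s) tuples at a 0.1 s period (constructed data)."""
    return [Reading(round(i * 0.1, 3), bcd, db, vib)
            for i, (bcd, db, vib) in enumerate(rows)]


QUIET = (False, 70.0, 4.0)  # normal running
# Constructed scenarios
CHAIN_BREAK_DETECTED = reading_log([QUIET, (True, 72.0, 5.0), (True, 95.0, 20.0)])
BCD_MISSED = reading_log([QUIET] * 3 + [(False, 95.0, 20.0)] * 4)   # chain broke, BCD silent
CROWD_NOISE = reading_log([(False, 95.0, 4.0)] * 5)                 # loud crowd, drive healthy
BRIEF_DISTURBANCE = reading_log([QUIET, (False, 92.0, 18.0), QUIET, QUIET])  # one odd sample

if __name__ == "__main__":
    for name, log in [("chain break detected", CHAIN_BREAK_DETECTED),
                      ("BCD missed", BCD_MISSED), ("crowd noise", CROWD_NOISE),
                      ("brief disturbance", BRIEF_DISTURBANCE)]:
        print(name, first_trigger(log), "| BCD only:", first_trigger(log, False))
```

Running the BCD_MISSED log with use_auxiliary=False shows the single-trigger weakness the text describes: the device is never triggered.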

Conclusions
Operational safety analysis for escalators has become more and more important with the increasing use of escalators in daily life. Traditional hazard analysis methods have certain limitations in complex socio-technical systems. Therefore, a system safety analysis method for escalator emergency brake related accidents, based on the system-theoretic accident model and process, was introduced in this paper. At the beginning of the paper, the basic principles of STAMP and STPA are briefly illustrated, and some advantages and disadvantages are compared to further understand STAMP. Then, unsafe control actions of the escalator emergency braking system are recognized from the two-level control structures, and how potentially hazardous control actions affect the safety of the emergency braking system is shown in a specific operation control diagram. Meanwhile, example scenarios of hazardous unsafe control are given to explain details of emergency situations that may happen under real operating conditions. Next, a fault tree analysis that had been performed on the escalator overturned accident is cited for comparison with the STPA analysis. An obvious difference between the two methods is that most hazards related to component damage can be identified by both, while other hazards that concern the interaction between system components (such as the state judgment algorithm, command delay of the control system, insufficient response time margin, and the response capability and mental state of passengers) can only be identified by STPA. Based on a full understanding of the causal factors that may lead to an accident, targeted improvements can be realized for a safer system. The practicality of STAMP, which treats safety as a control problem, provides an effective way to a more comprehensive hazard analysis.
The hierarchical multilevel model makes it possible to analyze component interaction failures in complex systems, which is also the vitality of the STAMP model. STAMP and STPA emphasize social factors and component interaction. However, the method is mostly used for qualitative analysis and needs to be combined with other methods for quantitative analysis; this is exactly the direction for further study. Specific experimental work needs to be carried out to verify the conclusions of this paper. Besides, more attention should be paid to the specific control algorithm or device that realizes the comprehensive trigger mechanism of the anti-reversal device proposed in Section 4.3. In future research, we will pay more attention to the relevant signal processing, control theory and mechanical design theory, complete the safety improvement strategies proposed in this paper, and improve the safety of the escalator braking system.