This introductory tutorial will introduce the four basic STPA steps for those new to STPA. It will be similar to the online "Introduction to STPA" tutorial on the tutorials page.
In this session, we will take you on our STPA adoption journey with Google leadership. We'll cover:
- What didn't work
- What is working so far
- Example: Google Maps Data Safety Risk Management
Internet
9:30am
STPA Applied to Rotorcraft Flight Controls
David Cummins(Bell Flight) John Thomas and Rodrigo Rose(MIT)
This discussion will show how STPA analysis of human interaction with a rotorcraft flight control system can identify hazardous functionality that failure condition assessment alone does not. The discussion covers:
- Unintuitive design
- Missing functionality and feedback
- Implicit and flawed assumptions about operator beliefs
Best practices for facilitating a CAST, including:
- The facilitator's roles and responsibilities
- The size, knowledge, and roles of the project group
- Structure of interviews and investigation
- How to report out CAST to non-technical leaders
This lightning talk will highlight recent and current STPA research at AFIT, including: autonomous fighter aircraft, resilient space architecture, and SysML-RAAML integration efforts to achieve DOD digital engineering mandates.
Aviation
11:00am
STPA Applied to a Machine Learning Aircraft Before Flight Testing
This talk investigates the utility of STPA for analyzing safety before flight testing an Uncrewed Air Vehicle (UAV) controlled by neural-network-based flight autonomy software. The host UAV included various control regimes and handoffs over the course of a sortie, including human control, traditional autopilot, and an artificial intelligence autonomy software trained using Deep Reinforcement Learning (DRL) machine learning techniques. The flight test operational environment included flight in both civil and restricted airspace, and at least one nearby crewed chase aircraft to observe the UAV in flight. STPA was applied after traditional airworthiness and safety assessment processes but before flight test, to identify and mitigate potential new hazards associated with the UAV technology and its operation.
This talk presents lessons learned from teaching STPA at Google:
- Traditional STPA examples of physical systems are not easily relatable for software developers, and can lead to skepticism regarding STPA’s value
- We achieved higher learner engagement by giving examples of STPA applied to actual Google infrastructure and software
- We increased interest in STPA by emphasizing STPA’s ability to analyze feedback paths, something not addressed by other software design/risk analysis methodologies.
- To accommodate busy schedules, we are pursuing a tiered approach with initial, short tutorials to capture interest, then a multi-day workshop to practice applying STPA on a real system.
Internet
12:00pm
Lunch
1:00pm
How to Introduce STPA to Leadership
John Thomas(MIT) Bill Young(Security Concepts and Strategic Design, LLC)
Instructors will share successful approaches to introduce STPA to management executives. Participants will be asked for questions they've gotten from their leadership and any stumbling blocks encountered when introducing new approaches. A set of slides to introduce STPA to leadership will be provided to participants.
STPA Applied to Coordination and Teaming
Andrew Kopeikin(MIT) Kip Johnson(AF Institute of Technology)
- Introduce STPA for coordination and teaming, and analysis of unsafe collaborative control
- Beneficial for those wanting to learn additional STPA guidance to model and design multi-controller system architectures and interactions
- Discussions and examples from the aerospace industry
STPAmaster is a solution to integrate STPA with safety management systems and systems engineering applications. Some of its core features were implemented into the “STPAmaster Lite”, a free Google Sheets-based STPA tool. Its main features are:
- Support of the entire STPA
- Automation of routine work
- Check for basic errors
- Simple and universal application
- Destructive behaviors (DB) are those exhibited by individuals who injure themselves or others and are unable to continue to function as part of a unit.
- Using STPA to understand the causes underlying DB onset within key at-risk Navy populations
- Presents an example of applying STPA to investigate organizational and leadership aspects of an organization’s safety management system
- Gives insight into the utility of using STPA to evaluate social and organizational aspects of the system for hazards
Healthcare
9:10am
Augmented Reality for Crisis Management in the Operating Room: A System-Theoretic Process Analysis Approach
Ryan Harari(Harvard)
Healthcare
9:20am
Innovation and Lessons Learned from Applying STPA for Medical Device – Next Generation Automated External Defibrillator (AED)
Mark A. Vernacchia(The SSE Group, LLC) Lawrence Wong, PhD(Department of Radiation Medicine and Applied Sciences, UC San Diego)
- Design improvements to address ineffective user-device interactions.
- STPA's usefulness in elucidating and characterizing these problems, including language barrier, rescuer stress, coordination among multiple bystander rescuers, etc.
- Analysis decisions explored include the choice of hazard statements, the rationale for arranging the elements in the control structure, the identification of unsafe control actions and causal scenarios, and the organization of results.
- Presentation facilitates wider application of STPA for medical device design by showcasing the ability to innovate the next generation of AED with the use of STPA and highlighting key analysis decisions and results.
Healthcare
9:40am
Application of CAST in Site Identification Safety in Interventional Radiology (IR)
Jasmine Ghorbani, Melissa Marquez, and Patrick Samedy(Memorial Sloan Kettering Cancer Center)
- Safety Analysis Overview: Approach, Project Management, Findings, Implementation Plans
- Experience with CAST Application: Application Specifics, Comparison with Traditional RCA, Complements with Human Factors Methods, Timeline, Lessons Learned/Takeaways, Future Applications
- Key Findings:
-- CAST can generate unique findings outside of traditional RCA, SEIPS PETT Scan, etc.
-- Control structures are effective models to visualize systems and identify areas of focus and improvement
-- CAST is a valuable and feasible tool to be used in safety analyses of health systems
Healthcare
10:10am
Break
10:30am
STPA Applied to Safety of Healthcare Data
Rodrigo Rose and Polly Harrington(MIT)
Healthcare
11:00am
The Role of the STAMP Model in the Emergence of AI Perils
Mikela Chatzimichailidou(University College London) Ioannis Dokas(Democritus University of Thrace) Liucheng Guo(Tangi0 LTD)
- Focus: ethical and safety concerns of AI
- Key issues: (1) the value of introducing a universally accepted definition of safe AI; (2) the value of appropriate standardisation and interoperability in AI.
- Problem: how do we regulate something we do not understand or something that is constantly changing?
- Solution: use of STAMP (and STPA principles) to help understand the meaning of ‘safe AI’ and lay the foundation and structure towards regulating AI safety
- Outcome: create a set of regulatory AI Accountability and Responsibility Tools based on STAMP in collaboration with regulators
This interactive session will discuss the promises as well as the dangers of introducing AI into safety-critical systems, ethical considerations, limitations of human or software safety monitors for AI systems, and other principles regarding the potential introduction of AI.
AI
12:00pm
Lunch
1:00pm
Boeing High Energy Management System (HEMS)
Lori Smith, Marc Nance, Phil Specht, Jesse Goodman, and Peregrin Spielholz(Boeing)
- As aerospace products become increasingly complex, defining and ensuring worker safety while building, testing, and maintaining products has also become more challenging.
- The engineering team selected STPA as the analysis method to determine how future aircraft and other products can be designed to reduce the risk to mechanics and maintainers as they conduct their tasks.
- STPA was used to analyze each of the subsystems with the goal of writing a set of system-level requirements to be included in the design of the next models of aircraft.
- The systems analysis using STPA resulted in generating a robust set of requirements that were complete and of high quality.
Aviation
1:20pm
Generating STPA UCAs for Flight Testing
Dulnath Wijayratne, Jordan Stringfield, and Darren McDonald(Boeing)
The authors of this presentation struggled to produce a set of UCAs that felt complete with regard to flight test applications. They developed a technique to visualize control actions in the time domain to aid in UCA development.
- Understanding our Struggle with UCA development
- Visualizing UCAs using timing diagrams
- Using the visualization to develop UCAs.
Aviation
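As an added example that is not part of the original page, and not the STPAmaster or Boeing authors' tooling, the following Python sketch shows what the STPAmaster Lite features listed above ("automation of routine work", "check for basic errors") and the UCA completeness problem described in the Boeing flight test talk look like as data. It records losses, hazards, control actions, feedback paths and UCAs with their traceability links; generates one candidate UCA template per UCA type for a control action; reports which of the four UCA types have no recorded UCA for that action (a type-level completeness gap, not the timing-diagram technique the Boeing authors describe); flags control actions with no feedback path from the controlled process back to the controller; and checks that every cross-reference resolves. The four UCA types are those of the STPA Handbook; the sample system (an automated braking controller), all identifiers (L-1, H-1, CA-1, UCA-1, ...) and the helper names are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The four UCA types from the STPA Handbook (Leveson & Thomas, 2018).
UCA_TYPES = (
    "not provided",
    "provided",
    "too early, too late, or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class Hazard:
    hid: str
    text: str
    losses: Tuple[str, ...]       # ids of the losses this hazard can lead to


@dataclass(frozen=True)
class ControlAction:
    cid: str
    controller: str               # component issuing the action
    controlled: str               # controlled process receiving it
    text: str


@dataclass(frozen=True)
class UCA:
    uid: str
    action: str                   # ControlAction id
    uca_type: str                 # one of UCA_TYPES
    context: str
    hazards: Tuple[str, ...]      # Hazard ids this UCA leads to


@dataclass
class Analysis:
    """Minimal STPA bookkeeping: steps 1-3 of the method as linked records."""
    losses: Dict[str, str] = field(default_factory=dict)
    hazards: Dict[str, Hazard] = field(default_factory=dict)
    components: Set[str] = field(default_factory=set)
    feedback: Set[Tuple[str, str]] = field(default_factory=set)   # (source, destination)
    actions: Dict[str, ControlAction] = field(default_factory=dict)
    ucas: List[UCA] = field(default_factory=list)


def candidate_ucas(a: Analysis, action_id: str) -> List[str]:
    """Routine work: one UCA template per type, for the analyst to fill in context and hazards."""
    ca = a.actions[action_id]
    return [f"{ca.controller}: '{ca.text}' {t} when [context] -> [hazards]" for t in UCA_TYPES]


def uca_type_coverage(a: Analysis, action_id: str) -> Dict[str, int]:
    """Number of recorded UCAs per type for one control action; 0 marks a type not yet considered."""
    counts = {t: 0 for t in UCA_TYPES}
    for u in a.ucas:
        if u.action == action_id and u.uca_type in counts:
            counts[u.uca_type] += 1
    return counts


def missing_feedback(a: Analysis) -> List[str]:
    """Control actions whose controller receives no feedback from the controlled process."""
    return [f"{ca.cid}: no feedback from '{ca.controlled}' to '{ca.controller}'"
            for ca in a.actions.values() if (ca.controlled, ca.controller) not in a.feedback]


def check_basic_errors(a: Analysis) -> List[str]:
    """Traceability checks: every referenced id or component must be defined."""
    errors = []
    for h in a.hazards.values():
        if not h.losses:
            errors.append(f"{h.hid}: hazard traces to no loss")
        errors += [f"{h.hid}: undefined loss {l}" for l in h.losses if l not in a.losses]
    for ca in a.actions.values():
        for comp in (ca.controller, ca.controlled):
            if comp not in a.components:
                errors.append(f"{ca.cid}: '{comp}' is not in the control structure")
    for u in a.ucas:
        if u.action not in a.actions:
            errors.append(f"{u.uid}: undefined control action {u.action}")
        if u.uca_type not in UCA_TYPES:
            errors.append(f"{u.uid}: unknown UCA type '{u.uca_type}'")
        if not u.hazards:
            errors.append(f"{u.uid}: UCA traces to no hazard")
        errors += [f"{u.uid}: undefined hazard {h}" for h in u.hazards if h not in a.hazards]
    return errors


def sample_analysis() -> Analysis:
    """Constructed sample (assumed, illustrative): an automated braking controller."""
    a = Analysis()
    a.losses["L-1"] = "Loss of life or injury"
    a.losses["L-2"] = "Damage to the vehicle"
    a.hazards["H-1"] = Hazard("H-1", "Vehicle violates minimum separation from object ahead", ("L-1", "L-2"))
    a.hazards["H-2"] = Hazard("H-2", "Vehicle decelerates hard with no obstacle ahead", ("L-1",))
    a.components |= {"Driver", "Range sensor", "Automated braking controller", "Brake actuators"}
    a.feedback.add(("Range sensor", "Automated braking controller"))   # no brake-state feedback modelled
    a.actions["CA-1"] = ControlAction("CA-1", "Automated braking controller", "Brake actuators", "apply brakes")
    a.ucas += [
        UCA("UCA-1", "CA-1", "not provided", "an obstacle is within stopping distance", ("H-1",)),
        UCA("UCA-2", "CA-1", "provided", "no obstacle is ahead and traffic is following closely", ("H-2",)),
        UCA("UCA-3", "CA-1", "too early, too late, or out of order",
            "too late, after the obstacle is already within stopping distance", ("H-1",)),
    ]
    return a


if __name__ == "__main__":
    a = sample_analysis()
    print("errors:", check_basic_errors(a))
    print("coverage CA-1:", uca_type_coverage(a, "CA-1"))
    print("feedback gaps:", missing_feedback(a))
```

On the sample, `check_basic_errors` returns nothing, `uca_type_coverage` shows the "stopped too soon or applied too long" type still unconsidered for CA-1, and `missing_feedback` reports that the controller never learns the brake state, which is the kind of feedback-path finding the Google talk above singles out as STPA's distinctive contribution. Adding a UCA that references an undefined hazard is caught by the traceability check.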
1:40pm
STPA at Boeing: Driving Safety Requirements for Future Aircraft Design
- During an STPA project looking at future aircraft design, a diverse team including test pilots, engineers, and designers was assembled to perform the analysis.
- Pilot involvement has been a unique and extremely helpful addition. They are inherently “systems thinkers” and fantastic at supporting all phases of the STPA process.
- We used STPA in the concept development phase to uncover unknown unknowns, before an aircraft architecture was developed, allowing us to use the control structure as a basis for the future aircraft architecture.
- STPA allowed us to develop a set of requirements where 90% of them were either improving a previous set or were new requirements.
Aviation
2:10pm
Using STPA to Identify and Challenge Assumptions During Aircraft Certification
Kyle Ryan(Boeing) Dave Cummins(Bell Flight) John Thomas(MIT)
During civil aircraft certification, we often make assumptions used to bound failure condition effects, their classification, and therefore the resulting design level of rigor. This presentation will show some ways in which STPA can be used to challenge the assumptions made, and provide useful insight into their validity early on in the safety assessment process.
Aviation
2:30pm
Break
2:50pm
Comparison of Hazard Analysis Methods Applied to a Flight Safety System
Antonio Vinicius Diniz Merladet(Brazilian Air Force) Chiara Manfletti(Technical University of Munich. Chair of Space Mobility and Propulsion) Carlos Henrique Netto Lahoz(Aeronautics Institute of Technology (ITA)) Diogo Silva Castilho and Rodrigo de Melo Silveira(Brazilian Air Force)
- Comparisons of STPA with Traditional Hazard Analysis Methods for applications related with Flight Safety Systems for Launch Vehicle Operations.
- Some safety constraints, loss scenarios, and recommendations obtained by the STPA application were not obtained with the other methods.
- The research highlights advantages of STPA over other hazard analysis methods, based on the results of this specific application.
Aviation
3:20pm
STPA for Security - What We've Learned Over a Decade
Bill Young(Security Concepts and Strategic Design, LLC)
* Overview of the NRC staff’s recent efforts to grow the capability to review an applicant’s STPA.
* Lessons learned to support capabilities to review STPA-based or STPA-informed submittals.
Nuclear
9:10am
Applying STPA in Car Series Production
Sebastian Kaiser and Florian Wagner(msg Plaut Austria GmbH)
- ISO 26262 work products are obligatory for certification and assessment in the European Automotive industry
- Deriving ISO 26262 and ISO 21434 work products efficiently from STPA results
- Prioritizing STPA results in line with ISO 26262
The author would like to present a recent application of STPA to model the structure of a government-funded project related to the development of EVs. The analysed system involves a diverse range of stakeholders, including regulators and funding authorities from the Government, certification agencies related to vehicle type approval and ISO26262 certification, funded stakeholders involving the EV OEM and its tier 1 and tier 2 suppliers, vendors of relevant parts, and the public.
Motivations of the application:
1. To provide project stakeholders insights into the project structure.
2. To identify existing or potential flaws of the project structure.
3. To create a blame-free working culture.
Automotive
9:40am
Application of STPA in Military Systems with a Human Factors Approach
Gabriel Luis de Oliveira, Gabriela Pereira Henrique, and Carolina Pires Duarte Villela(AEL Sistemas)
This talk will present the experience of applying the STPA in a military datalink System of Systems, focusing on a human factors approach;
The discussion covers:
• Dissemination of STPA inside the company and the effort necessary to perform the methodology;
• Complementing traditional human factors analysis, focused on showing compliance with MIL-STD-561C;
• Advantages of Causal Scenarios generation based on Engineering for Humans Extension;
Since the analysis is confidential, only illustrative examples will be shown.
Aviation
10:00am
Recommendations for Flight Safety Systems Through STPA Application
Antonio Vinicius Diniz Merladet(Brazilian Air Force) Carlos Henrique Netto Lahoz(Aeronautics Institute of Technology (ITA)) Chiara Manfletti(Technical University of Munich) Diogo Silva Castilho and Rodrigo de Melo Silveira(Brazilian Air Force)
- Application of STPA to improve safety measures for Launch Vehicles and Flight Operations.
- Proposal of safety measures for Launch Vehicles and Flight Operations.
- Safety recommendations obtained from systemic analysis, previous launch operations, and evaluation processes of flight safety systems.
- Recommendations were compared with international standards and regulations to derive suggested improvements and to promote uniformity.
Aviation
10:20am
Break
10:40am
Applying STAMP at an Enterprise Level to Improve Human Factors Integration in the Design, Operation and Maintenance of the GB Railway System
Richard Bye(Network Rail) Meaghan O'Neil(System Design and Strategy)
This presentation shares opportunities, challenges and lessons learned in integrating STPA as part of Europe’s Rail landscape.
Topics include:
- Strategies to integrate existing requirements into the STPA process
- Linking STPA results to solution concepts
- Validating assumptions
Rail
11:20am
Architecture Viewpoints of STPA Analysis
Thiago R. da Costa, Bruna S. Queiroz, and Carina Carla A. F. Silva(EMBRAER)
For this presentation, the authors will discuss how STPA results should be integrated into an architecture framework to communicate the recommendations, requirements, and scenarios to the project team and stakeholders.
An architecture framework is important because it helps to manage the complexity of the system and to create visualizations, models, and viewpoints that must be understandable. Architecture frameworks establish which results are focused on a set of objectives and integrate different perspectives for managing decisions, information, and interfaces.
The presentation will therefore introduce an architecture framework containing a set of viewpoints for STPA analysis and their typical contents.
Aviation
11:30am
STAMP and ISO 20517: Cybersecurity for Space Standard
Carlos Lahoz(Instituto Tecnologico de Aeronautica IT)
The lightning talk will highlight the new ISO standard under development, which explains the kinds of cyber threats in space and the goals of this initiative, and how STPA was recommended as a better approach to cybersecurity analysis for space systems.