This introductory tutorial covers the four basic STPA steps for those new to STPA. It is similar to the online "Introduction to STPA" tutorial on the tutorials page.
This talk presents how we used CAST to analyze incidents in software systems, and how the CAST outputs differ from those of a traditional Root Cause Analysis (RCA): • A description of a Google Maps incident • RCA vs CAST comparison • Takeaways
• This talk presents a preliminary application of STPA to health information systems with a focus on electronic health records in the context of a large U.S. integrated health system.
STPA, health information systems, health tech, electronic health records, EHRs, patient safety
This talk presents lessons learned from running STPA on program management for a specific program at Google. • STPA clarifies program goals and identifies unclear or unassigned program actor responsibilities. • STPA shifts mindsets to enable program improvement and optimization, generating valuable insights beyond simply identifying issues that need to be fixed. • STPA can generate useful results with minimal time investment (45 hours total) and a small team (3 people).
This presentation explores a 2024 supply chain cyberattack on Unix systems that aimed to install a backdoor. By modeling the attack's social engineering phases as control loops, the analysis exposes vulnerabilities in the Unix supply chain. It shows how standards from Unix distributors such as Debian could prevent coercive tactics, such as bullying contributors into unsafe actions. Insights and an attack timeline are presented to encourage STAMP adoption in open-source security.
This talk presents a new design framework that provides a process for using the results of an STPA analysis of the system (performed early in the design lifecycle) to make the design decisions needed to create a system architecture. These design decisions include deriving system requirements, identifying system functions, and allocating those functions to system elements to create the system architecture. Examples from an air traffic control case study are used to demonstrate that an STPA-informed architecture development process can help systems engineers to make more safety-informed design decisions and allow them to design safety into a system's architecture from the beginning.
Safety-Driven Design, System Architecture, System Requirements, Functional Architecture, Conceptual Architecture
• Can STPA close critical regulatory gaps and reveal hazards missed by current practices? • Regulator SMEs from FAA, EASA, ICAO, NASA, and ANAC studied STPA for regulatory applicability. • They applied STPA to real-world systems already certified through standard methods. • Catastrophic design flaws were found by STPA, including conditions for dual engine shutdowns without any component failure. • Could STPA have caught the 737 MAX issues? Could it safeguard future technologies like eVTOL and AI? This study gives surprising insights and new questions for the future of aviation safety oversight.
AIR6913 is a new standard in progress for integrating STPA into aircraft safety and development processes. Hear about the purpose of the standard, its main sections, and the recent ballot results. Comments and proposed language from disapproving voters are being addressed, and we need your help!
This presentation covers the first STPA standard developed by STPA practitioners and facilitators for use in any industry. It may be used by any organization as a standard for certification, compliance, and/or effective STPA execution.
• AI systems have the potential to benefit society. But they also present novel risks. • We applied CAST to nearly 100 recorded incidents involving AI systems. • Losses were varied, and ranged from loss of life/property to loss of freedom. • CAST is an effective technique for identifying recommendations to mitigate AI risks based on these incidents.
Integrating Vision Systems and STPA for Robust Landing and Take-Off in VTOL Aircraft
Sandeep Banik, Jinrae Kim, and Naira Hovakimyan (University of Illinois Urbana-Champaign); Luca Carlone, John P. Thomas, and Nancy G. Leveson (Massachusetts Institute of Technology)
1. Introduces an integrated approach combining vision-based sensor fusion and STPA to enhance the safety of VTOL UAVs during critical take-off and landing phases. 2. Develops a control structure integrating autopilot systems with fiducial marker-based vision systems, such as AprilTag detection, for precise landing pad identification. 3. Identifies unsafe control actions and associated hazards through STPA, providing targeted mitigation strategies to address vision system limitations and multirotor control challenges.
Vertical Take-off and Landing Aircraft, Vision System, Safety
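The abstract above describes identifying unsafe control actions (UCAs) for a vision-guided landing. The following is an added worked example of that STPA step, written for this page; it is not the presenters' code or results. The control action ("descend to pad"), the hazard labels H-1 and H-2, the process-model variables, and the acceptance thresholds for the AprilTag pose estimate are all assumptions chosen to make the mechanics concrete. It checks the four STPA UCA types against a context and then shows the controller constraints that follow from the UCAs found.

```python
"""Worked STPA Step 3 on a constructed VTOL landing example.

Constructed example, not the presenters' analysis: the control action,
contexts, hazard labels and thresholds below are assumptions. The autopilot
commands "descend to pad" to the flight controller, using a landing-pad pose
estimated from AprilTag detections.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# Assumed system-level hazards (numbering is ours).
HAZARDS = {
    "H-1": "Aircraft descends toward a point that is not the landing pad",
    "H-2": "Aircraft loiters at low altitude over the pad without completing the landing",
}

# Assumed acceptance thresholds for the vision estimate.
MAX_POSE_AGE_S = 0.5        # a pose older than this is treated as stale
MAX_REPROJ_ERR_PX = 2.0     # a poor tag fit is treated as unreliable
MIN_POSE_SAMPLES = 5        # consecutive consistent detections before trusting the pose
LOW_ALT_M = 3.0             # below this, hovering without descending is itself hazardous


class UCAType(Enum):
    NOT_PROVIDED = "not providing causes hazard"
    PROVIDED = "providing causes hazard"
    TIMING = "provided too early / too late"
    DURATION = "applied too long / stopped too soon"


@dataclass(frozen=True)
class Context:
    """Process-model variables the autopilot acts on (constructed)."""
    name: str
    tag_detected: bool
    pose_age_s: float        # seconds since the last accepted AprilTag pose
    reproj_err_px: float     # reprojection error of the pose fit
    altitude_m: float
    descend_active: bool     # a descend command is currently being executed
    pose_samples: int        # consecutive consistent detections so far


@dataclass(frozen=True)
class UCA:
    uca_type: UCAType
    context: str
    hazards: Tuple[str, ...]


def pose_valid(ctx: Context) -> bool:
    """The landing-pad pose is usable only if present, fresh and well-fitted."""
    return (ctx.tag_detected
            and ctx.pose_age_s <= MAX_POSE_AGE_S
            and ctx.reproj_err_px <= MAX_REPROJ_ERR_PX)


def identify_ucas(ctx: Context) -> List[UCA]:
    """STPA Step 3: test each UCA type for 'descend to pad' in this context."""
    found: List[UCA] = []
    if not pose_valid(ctx):
        # Providing the descent on a missing/stale/poor pose steers toward the wrong point.
        found.append(UCA(UCAType.PROVIDED, ctx.name, ("H-1",)))
        if ctx.descend_active:
            # Continuing an already-running descent after the target is lost.
            found.append(UCA(UCAType.DURATION, ctx.name, ("H-1",)))
        return found
    if ctx.pose_samples < MIN_POSE_SAMPLES:
        # Provided too early: the estimate has not yet converged.
        found.append(UCA(UCAType.TIMING, ctx.name, ("H-1",)))
    elif ctx.altitude_m <= LOW_ALT_M and not ctx.descend_active:
        # Not provided while low over a valid target.
        found.append(UCA(UCAType.NOT_PROVIDED, ctx.name, ("H-2",)))
    return found


def descend_permitted(ctx: Context) -> bool:
    """Controller constraint derived from the PROVIDED and TIMING UCAs."""
    return pose_valid(ctx) and ctx.pose_samples >= MIN_POSE_SAMPLES


def must_abort_descent(ctx: Context) -> bool:
    """Controller constraint derived from the DURATION UCA."""
    return ctx.descend_active and not pose_valid(ctx)


if __name__ == "__main__":
    sample = Context("tag lost on final", tag_detected=False, pose_age_s=1.2,
                     reproj_err_px=0.0, altitude_m=4.0, descend_active=True,
                     pose_samples=10)
    for uca in identify_ucas(sample):
        print(f"{uca.uca_type.value:35} [{uca.context}] -> {', '.join(uca.hazards)}")
    print("abort descent:", must_abort_descent(sample))
```

The point of the example is the last two functions: each UCA found in Step 3 turns directly into a controller constraint, which is how an STPA result becomes a design requirement on the autopilot rather than a finding left in a report.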
• A gap exists between certification and operation of the S92A and other rotorcraft. • Flawed mental models have led rotorcraft to be operated in uncertified environments. • Unsafe regulatory/OEM decisions have created these flawed mental models in pilots. • CAST can be applied to uncover accident causal factors at the regulatory level.
• Traditional SRE practices focus on component failures, but STPA addresses system-level losses arising from component interactions. • A Google Maps Routing outage case study is presented, where the root cause was a system design flaw, not a component failure. • By applying STPA, a total of seven design flaws were identified and corrected before the system was built, preventing potential outages and service disruptions. • STPA is a valuable tool for proactive system safety and reliability, enabling engineers to identify and mitigate potential hazards early in the development process.
STPA, Software, System Design, Google, Google Maps, Road Disruptions, SRE, Site Reliability Engineering
The STAMP-Informed Journalism Tool (SIJOT) introduces an approach to enhancing accident news coverage by addressing systemic and causal factors beyond human error. Developed from STAMP principles, the tool empowers journalists, who often lack technical safety expertise, to ask critical questions. Tested through an analysis of a fatal rollercoaster accident at Oktoberfest, SIJOT demonstrated the potential to shift reporting from failure-based narratives to a systems-oriented perspective. The project emphasizes integrating this tool into journalism training, bridging the gap between safety professionals and media.
Room 26-152: Responding to Operational Events
Room 32-124: Emerging Technologies
Room 32-144: Model-Based Systems Engineering (MBSE)
Room 36-112: Systems Integration and Test
Comparison of CAST and FTA Results in the Investigation of a Suborbital Rocket Launch Accident
Capt. Antonio Vinicius Diniz Merladet (Brazilian Air Force, Technical University of Munich, Polytechnic University of Catalonia); Chiara Manfletti (Technical University of Munich); Carlos Lahoz (UNIVAP - Technological Institute of Aeronautics); Col. Clovis (Brazilian Air Force); Ricard González Cinca (Polytechnic University of Catalonia)
• The analysis shows that CAST offers a more comprehensive approach than FTA, especially for investigating modern aerospace systems and operations. • CAST identified interdependencies, dynamic scenarios, and human and organizational factors, while FTA focused narrowly on predefined failures. • CAST reveals deeper causes of loss scenarios and considers broader system contexts, making it better suited for complex systems. • All FTA recommendations were covered by the CAST results, which also provided additional recommendations not obtained by FTA. • The findings confirm CAST's ability to improve mission assurance and operational safety, demonstrating its value in aerospace applications.
• Well-established processes exist within airline safety management systems to manage risk. • These processes do not typically monitor emerging risks at the organizational level. • This presentation demonstrates the application of STAMP to developing leading indicators of organizational safety risk, and describes how the concept was introduced to an airline.
STPAmaster was itself subjected to an STPA analysis to develop tool requirements, as part of the effort to qualify the STPA tool for safety-critical applications. The analysis showed that STPA can produce valuable tool requirements, helping the development team structure and achieve more complete requirements. The work also raises the point that a powerful safety analysis may be needed to ensure the safety of our safety tools.
Demonstrates how: • To reduce the frequent incidents of stakeholder losses. • To gain insights into the interdependencies and structure of distributed e-commerce systems. • To identify potential hazards that could impact availability, data integrity, customer experience, and regulatory compliance. • To establish system-level design constraints that mitigate these risks and enhance the robustness of digital infrastructure. • To better manage emergent properties of distributed systems such as performance, latency, throughput, security, and availability. • To mitigate risks to achieving organizational business goals.
This work aims to synthesize the key trends, innovations, and lessons arising from years of the MIT STAMP Workshop. By examining the evolution of STAMP applications, we highlight improvements in how STPA is applied, its integration with emerging technologies, and the adoption of STAMP across industries. Further, we identify persistent challenges, research gaps, and future directions to guide continued improvement in system safety and security practice.
This talk presents an application of STPA that discusses types of loss scenarios focused on the interaction between a human controller and the other elements of the control structure. Human factors aspects were associated with components of a conceptual control model for a generic control system architecture. The talk then analyzes how loss scenarios can account for the human factors that shape the human controller's beliefs, adding to the STPA results on interactions that involve a human controller.