- Showcase the benefits of applying STPA to AED and the lessons learned regarding the analysis process and documentation.
- STPA was useful in elucidating and characterizing these problems, including language barrier, rescuer stress, coordination among multiple bystander rescuers, etc.
- The STPA analysis decisions include choice of hazard statements, the rationale for arranging the elements in the control structure, the identification of unsafe control actions and causes, and results organization.
- The presentation concludes with discussion of potential AI requirements for designing next generation AEDs.

-Introduces Systems-Theoretic Concept Design, an extension of STAMP to build early concepts for novel systems in aerospace and defense
-Existing models for early concepts are usually built using the DoDAF OV-1, which in reality contains very little information nor is it effective at bringing stakeholders together to consider a new system's intent, assumptions for its development, or constraints in the solution space
-Defense Systems are employed in a Portfolio-of-Systems, and STCD is a process to generate a first design artifact for a new system that captures this particular context

- Safety Analysis Overview: Approach, Project Management, Findings, Implementation Plans
- Experience with CAST Application: Application Specifics, Comparison with Traditional RCA, Complements with Human Factors Methods, Timeline, Lessons Learned/Takeaways, Future Applications
- Key Findings:
-- CAST can generate unique findings outside of traditional RCA, SEIPS PETT Scan,
etc.
-- Control structures are effective models to visualize systems and identify
areas of focus and improvement
-- CAST is a valuable and feasible tool to be used in safety analyses of health
systems

- We demonstrate an application of STPA to a complex, sociotechnical system
- We identify systemic factors that underly adverse events involving laboratory medicine
– We propose recommendations to address the systemic factors

This talk investigates the utility of STPA for analyzing safety before flight testing an Uncrewed Air Vehicle (UAV) controlled by a neural network-based flight autonomy software. The host UAV included various control regimes and handoffs over the course of a sortie including human control, traditional autopilot, and an artificial intelligence autonomy software trained using Deep Reinforcement Learning (DRL) machine learning techniques. The flight test operational environment included flight in both civil and restricted airspace, and at least one nearby crewed chase aircraft to observe the UAV in flight. STPA was applied after traditional airworthiness and safety assessment processes but before flight test to identify and mitigate potential new hazards associated with the UAV technology and its operation.

STPA was applied to human interaction with a rotorcraft flight control system. The findings identified hazardous functionality outside of failure condition assessment alone. STPA identified previously overlooked causes including:
- Unintuitive design
- Missing functionality and feedback
- Implicit and flawed assumptions about operator beliefs

During our STPA project for future aircraft design, we used a diverse team which included test pilots, engineers and designers to work on the project. Pilot involvement has been a unique and extremely helpful addition: they are inherently “systems thinkers” and fantastic at supporting all phases of the STPA process. We used STPA in the concept development phase to uncover unknown unknowns, before an aircraft architecture was developed, allowing us to use the control structure as a basis for future aircraft architecture. Our biggest finding so far has been that STPA allowed us to develop a set of requirements where 90% of them were either improving a previous set or were new requirements

The author would like to present a recent application of STPA to model the structure of a government-funded project related to the development of EVs. The analysed system involves a diverse range of stakeholders, including regulators and funding authorities from the Government, certification agencies related to vehicle type approval and ISO26262 certification, funded stakeholders involving the EV OEM and its tier 1 and tier 2 suppliers, vendors of relevant parts, and the public.
Motivations of the application:
1. To provide project stakeholders insights into the project structure.
2. To identify existing or potential flaws of the project structure.
3. To create a blame-free working culture.

This presentation will describe how STPA is being used to design resilient, human-centred systems for the GB rail industry, showing that by integrating STPA with human factors analysis and cognitive systems engineering it’s possible to create cost-effective approaches to enhance safety and performance in complex safety-critical environments. The talk will outline:
-The theoretical foundations that underpin the analysis and design of distributed human-machine systems.
-Real-world examples of STPA applications.
-How STPA has helped to identify i) hidden socio-technical system risks and ii) opportunities to tackle problems of communication, coordination and control.

This talk presents lessons learned from teaching STPA at Google:
- Traditional STPA examples of physical systems are not easily relatable for software developers, and can lead to skepticism regarding STPA’s value
- We achieved higher learner engagement by giving examples of STPA applied to actual Google infrastructure and software
- We increased interest in STPA by emphasizing STPA’s ability to analyze feedback paths, something not addressed by other software design/risk analysis methodologies.
- To accommodate busy schedules, we are pursuing a tiered approach with initial, short tutorials to capture interest, then a multi-day workshop to practice applying STPA on a real system.

- Leveraging STPA to enable effective collaboration on safety case development between OEM and SEooC ADAS stack supplier for complex driving automation features.
- STPA supports OEM’s validity of SEooC assumptions.
- Integrating STPA into existing OEM safety process.
- Practical application demonstrates the use of abbreviated STPA method through a case study on an ADAS SEooC system integrated into an OEM vehicle.
Acronymns: ADAS: Advanced Driver-Assistance Systems; Item: System at the vehicle level; OEM: Original Equipment Manufacturer; SEooC: Safety Element out of Context; SOTIF: Safety of the Intended Functionality

Expansion of STPA process for:
- systematically identifying potential conceptional architecture candidates
- and decision for optimal conceptional architecture
- shown by a simplified pedestrian collision avoindance example.

- Value-Based Engineering (VBE) integrates ethical values into system design, supported by the IEEE 7000 standard
- STPA was used as a tool to fulfill the standard's requirements
- A charging app example was used to illustrate the approach
- The study shows STPA's suitability for achieving VBE goals
- Future work will focus on practical application with the necessary personnel to further validate and refine the methodology

- A case study demonstrating application of STPA techniques to assess safety of electric vehicles
- Introducing a method to complement the STPA results for prioritizing the causes and to derive cause-effect relations
- Results identifies causal paths to the hazards and estimates unique KPIs for prioritizing causes

This talk will present the experience of applying the STPA in a military datalink System of Systems, focusing on a human factors approach;
The discussion covers:
• Dissemination of STPA inside the company and the effort necessary to perform the methodology;
• Complementation of traditional human factors analysis focusing on showing compliance with MIL-STD-561C;
• Advantages of Engineering for Humans Extension;
Since the analysis is confidential, only illustrative examples will be shown.

The main goal of this case study is to establish provisional targets for thrust responsiveness thrust response targets, based on safety constraints identified during the application of STAMP process.
The methodology selected to perform this case study will obey the following sequence:
i) Survey airworthiness requirements related to thrust responsiveness;
ii) Apply STAMP process to identify safety constrains;
iii) Definition of thrust response safety requirements.

The Civil Aviation Authority (CAA) aimed to modernize audit processes by improving data and information exchange with overseen organizations to enhance safety evaluations and reduce subjectivity. This shift supports the transition from compliance- to performance-based oversight. The STAMP approach was used to create performance-based audit questions linked to regulatory requirements and tested in real audits. Three CAA departments joined in testing the approach, with two finding it beneficial for audits, while the third, focused on technical audits, remained unconvinced. This method supports detailed, context-rich inquiries, enhancing the understanding of processes and safety performance.

This presentation shares opportunities, challenges and lessons learned in integrating STPA as part of Europe’s Rail landscape.
Topics include:
- Strategies to integrate exisiting requirements into the STPA process
- Linking STPA results to solution concepts
- Validating assumptions

-Insights and lessons learned from applying STPA.
-Benefits and current limitations of applying STPA.
-Evaluation and comparative studies with traditional approaches.
-I recommend system designers to use STPA to strengthen the safety and reliability of systems.

In this session, we will take you on our STPA adoption journey at Google. We'll cover:
- The big picture: Adoption of STPA at Google
- 3 adoption challenges
- Deep-dive: Google Maps data product risks

- An STPA was conducted for an offshore oil well during production phase and satisfactory results were obtained.
- It was also possible to identify the impact of the granularity of the analysis on the results (high-level and high-detailing).
- A comparison of STPA results and a Fault Tree Analysis pointed out the significant contributions the STPA can bring to the safety analysis, emphasising the differences in how each technique deals with component failures.

This talk will introduce MicroSTAMP, a free and open-source tool designed to support STPA using a microservices-based architecture. We will explore the key features that make MicroSTAMP a valuable resource for analysts conducting STPA, focusing on its flexibility, scalability, and the APIs it provides to support each step of the STPA. Additionally, the talk will cover the advantages and disadvantages of using a microservices architecture in the context of STPA applications, including the possibility of integration with other tools and the challenges of managing multiple microservices and databases.

Learn and apply new STPA scenario development guidance on an example to produce formal scenarios in STPA.

In this session, we will take you on our STPA adoption journey at Google. We'll cover:
- The big picture: Adoption of STPA at Google
- 3 adoption challenges
- Deep-dive: Google Maps data product risks

STPA was applied to human interaction with a rotorcraft flight control system. The findings identified hazardous functionality outside of failure condition assessment alone. STPA identified previously overlooked causes including:
- Unintuitive design
- Missing functionality and feedback
- Implicit and flawed assumptions about operator beliefs

Best practices for facilitating a CAST, to include:
- The facilitator's roles and responsibilities
- The size, knowledge, and roles of the project group
- Structure of interviews and investigation
- How to report out CAST to non-technical leaders

Lightning talk will highlight recent and current STPA research at AFIT to include: autonomous fighter aircraft, resilient space architecture, and SysML-RAAML integration efforts to achieve DOD digital engineering mandates.

This talk investigates the utility of STPA for analyzing safety before flight testing an Uncrewed Air Vehicle (UAV) controlled by a neural network-based flight autonomy software. The host UAV included various control regimes and handoffs over the course of a sortie including human control, traditional autopilot, and an artificial intelligence autonomy software trained using Deep Reinforcement Learning (DRL) machine learning techniques. The flight test operational environment included flight in both civil and restricted airspace, and at least one nearby crewed chase aircraft to observe the UAV in flight. STPA was applied after traditional airworthiness and safety assessment processes but before flight test to identify and mitigate potential new hazards associated with the UAV technology and its operation.

This talk presents lessons learned from teaching STPA at Google:
- Traditional STPA examples of physical systems are not easily relatable for software developers, and can lead to skepticism regarding STPA’s value
- We achieved higher learner engagement by giving examples of STPA applied to actual Google infrastructure and software
- We increased interest in STPA by emphasizing STPA’s ability to analyze feedback paths, something not addressed by other software design/risk analysis methodologies.
- To accommodate busy schedules, we are pursuing a tiered approach with initial, short tutorials to capture interest, then a multi-day workshop to practice applying STPA on a real system.

Instructors will share successful approaches to introduce STPA to management executives. Participants will be asked for questions they've gotten from their leadership and any stumbling blocks encountered when introducing new approaches. A set of slides to introduce STPA to leadership will be provided to participants.

-Introduce STPA for coordination and teaming, and analysis of unsafe collaborative control
-Beneficial for those wanting to learn additional STPA guidance to model and design multi-controller system architectures and interactions
-Discussions and examples from the aerospace industry

This lightning talk will provide a quick overview of the VisualPro STPA Tool

This lightning talk will provide a quick overview of the STPAmaster Lite tool

- Auto-report data to Word, Excel, and Powerpoint
- Integrated analysis support with CAST, FMEA, and FTA
- Support for user customization capabilities

STPAmaster is a solution to integrate STPA with safety management systems and systems engineering applications. Some of its core features were implemented into the “STPAmaster Lite”, a free Google Sheets-based STPA tool. Its main features are:
- Support of the entire STPA
- Automation of routine work
- Check for basic errors
- Simple and universal application

- Destructive behaviors (DB) are those exhibited by individuals who injure themselves or others and are unable to continue to function as part of a unit.
- Using STPA to understand the causes underlying DB onset within key at-risk Navy populations
- Presents an example of applying STPA to investigate organizational and leadership aspects of an organization’s safety management system
- Gives insight into the utility of using STPA to evaluate social and organizational aspects of the system for hazards

- This work utilizes a systematic approach (STPA) to better understand OR crises (e.g. asystolic cardiac arrest, air embolism, unexplained hypotension/hypoxia), which can be crucial for designing effective support tools and protocols to enhance patient safety.
- Detailed analysis of unsafe control actions and inadequate feedback for each role (surgeon, anesthesiologist, nurse) helps in understanding specific pitfalls and improving response strategies during OR crises.
- Identifies potential mental model flaws that could affect decision-making processes.
- Designed and tested an AR application to address some potential decision-making pitfalls due to flawed mental models.

- Design improvements to address ineffective user-device interactions.
- STPA's usefulness in elucidating and characterizing these problems, including language barrier, rescuer stress, coordination among multiple bystander rescuers, etc.
- Analysis decisions included choice of hazard statements, the rationale for arranging the elements in the control structure, the identification of unsafe control actions and causal scenarios, and results organization are explored.
- Presentation facilitates wider application of STPA for medical device design by showcasing the ability to innovate the next generation of AED with the use of STPA and highlighting key analysis decisions and results.

- Safety Analysis Overview: Approach, Project Management, Findings, Implementation Plans
- Experience with CAST Application: Application Specifics, Comparison with Traditional RCA, Complements with Human Factors Methods, Timeline, Lessons Learned/Takeaways, Future Applications
- Key Findings:
-- CAST can generate unique findings outside of traditional RCA, SEIPS PETT Scan,
etc.
-- Control structures are effective models to visualize systems and identify
areas of focus and improvement
-- CAST is a valuable and feasible tool to be used in safety analyses of health
systems

- We demonstrate an application of STPA to a complex, sociotechnical system
- We identify systemic factors that underly adverse events involving laboratory medicine
– We propose recommendations to address the systemic factors

- Focus: ethical and safety concerns of AI
- Key issues: (1) the value of introducing a universally accepted definition of safe AI; (2) the value of appropriate standardisation and interoperability in AI.
- Problem: how do we regulate something we do not understand or something that is constantly changing?
- Solution: use of STAMP (and STPA principles) to help understand the meaning of ‘safe AI’ and lay the foundation and structure towards regulating AI safety
- Outcome: create a set of regulatory AI Accountability and Responsibility Tools based on STAMP in collaboration with regulators

- Summarizes observations from using ChatGPT to perform STPA.
- Compares the differences between coaching a human STPA team vs. coaching ChatGPT to perform STPA correctly and fix mistakes
- Briefly models the human facilitator / ChatGPT control loop to identify concerns to mitigate

- As aerospace products have become increasingly complex, defining and ensuring worker safety during building, testing and maintaining products has also become more challenging.
- Engineering team selected STPA as the analysis method to determine how future aircraft and other products can be designed to reduce the risk to mechanics and maintainers as they conduct their tasks.
- STPA was used to analyze each of the subsystems with the goal of writing a set of system-level requirements to be included in the design of the next models of aircraft.
- The systems analysis using STPA resulted in generating a robust set of requirements that were complete and of high quality.

The authors of this presentation struggled to produce a set of UCAs that felt complete in regards to flight test applications. They developed a technique to visualize control actions in the time domain to aid in UCA development
- Understanding our Struggle with UCA development
- Visualizing UCAs using timing diagrams
- Using the visualization to develop UCAs.

During our STPA project for future aircraft design, we used a diverse team which included test pilots, engineers and designers to work on the project. Pilot involvement has been a unique and extremely helpful addition: they are inherently “systems thinkers” and fantastic at supporting all phases of the STPA process. We used STPA in the concept development phase to uncover unknown unknowns, before an aircraft architecture was developed, allowing us to use the control structure as a bases for future aircraft architecture. Our biggest finding so far has been that STPA allowed us to develop a set of requirements where 90% of them were either improving a previous set or were new requirements

During civil aircraft certification, we often make assumptions used to bound failure condition effects, their classification, and therefore the resulting design level of rigor. This presentation will show some ways in which STPA can be used to challenge the assumptions made, and provide useful insight into their validity early on in the safety assessment process.

- Comparisons of STPA with Traditional Hazard Analysis Methods for applications related with Flight Safety Systems for Launch Vehicle Operations.
- Some Safety Constraints, Loss Scenarious and Recommendations obtained by STPA application were not acquired from other applications.
- The research highlights advantages of STPA in front of other hazard analysis methods based on the results of this specific application.

Questions (and answers) that were most frequently asked by STAMP Workshop participants this year.

Summary of international standards and industry guidance documents that involve STPA

* Overview of the NRC staff’s recent efforts to grow the capability to review an applicant’s STPA.
* Lessons learned to support capabilities to review STPA-based or STPA-informed submittals.

- ISO 26262 work products are obligatory for certification and assessment in the European Automotive industry
- Deriving ISO 26262 and ISO 21434 work products efficiently from STPA results
- Prioritizing STPA results in line with ISO 26262

The author would like to present a recent application of STPA to model the structure of a government-funded project related to the development of EVs. The analysed system involves a diverse range of stakeholders, including regulators and funding authorities from the Government, certification agencies related to vehicle type approval and ISO26262 certification, funded stakeholders involving the EV OEM and its tier 1 and tier 2 suppliers, vendors of relevant parts, and the public.
Motivations of the application:
1. To provide project stakeholders insights into the project structure.
2. To identify existing or potential flaws of the project structure.
3. To create a blame-free working culture.

- Application of STPA to improve safety measures for Launch Vehicles and Flight Operations.
- Proposure of safety measures for Launch Vehicles and Flight Operations.
- Safety recommendations obtained from systemic analysis and previous launch operations and evaluation processes of flight safety systems.
- Recommendations were compared with international standards and regulations with suggest improvements to obtain suggestions of improvement and to promote uniformity.

Focusing on the management of safety and performance risks on railway infrastructure projects, we have applied STPA to model the feedback loops and enterprise-wide controls that are activated by the integration of human factors interventions as part of engineering safety management.

This presentation will highlight how the work has allowed us to:
-Understand the processes and incentives which govern system development.
-Identify opportunities to improve the efficiency with which human-centred design is embedded into projects at all phases of the lifecycle.
-Create a reference model to test and iterate structural changes for the coordination and control of human systems integration.

This presentation shares opportunities, challenges and lessons learned in integrating STPA as part of Europe’s Rail landscape.
Topics include:
- Strategies to integrate exisiting requirements into the STPA process
- Linking STPA results to solution concepts
- Validating assumptions

For this presentation, the authors will discuss about how the STPA results should be integrated into an Architecture Framework to communicate the recommendations, requirements and scenarios to the project team and stakeholders.
Architecture framework is important as it helps to manage the complexity of the system and to create visualizations, models, and viewpoints, which must be understandable. Architecture frameworks establishes which results are focused on a set of objectives and integrates different perspectives for managing decisions, information, interfaces.
Thus, it will be presented an Architectural Framework containing a set of viewpoints for the STPA Analysis and its typical contents.

The lightning talk will highlight the new ISO standard in construction, which explains the kinds of cyber threats in space, the goals of this initiative, and how STPA was recommended as a better approach to cybersecurity analysis to be applied in space systems.

The presenters will show how they are approaching the challenges of integrating STAMP methods into Google's engineering culture:
- Preventing waterfall delivery of analysis results
- Teaching control structure modeling and UCAs
- Working with an informal requirements engineering culture

Over the last decade, STPA use in aviation has led to thousands of publications including findings and lessons learned from industry use. Past MIT STAMP/STPA workshops have hosted 60 presentations from the aviation industry with independent evaluations and findings from applying STPA. This talk will review the empirical data that exists from the aviation industry to date, including lessons learned, mistakes to avoid, and what is known and not yet known about STPA in aviation.

- The program structure of American Airline's STAMP program
- CAST/STPA is widely accepted and understood at American Airlines
- CAST leads to deeper insights compared to traditional industry methods
- STAMP helps reinforce resiliency within our systems

Aerospace manufacturing faces a challenge in combining cutting-edge technology and long product lifecycles, which can lead to significant process model divergence within production systems and result in producibility problems. This talk presents a CAST analysis of a loss of producibility following a transfer of a manufacturing process from one facility to another.
Key findings:
-Configuration control measures must be designed with an understanding of their limitations, and assumptions about supplier processes must be carefully validated.
-Production organizations must be designed for the task they are assigned to accomplish, based on experience and experimentation whenever possible.

This presentation highlights how the STAMP application integrates Embraer Requirements Engineering process.

Teams of controllers exhibit complex collaborative interactions that can be defined and captured using Systems Theory or STAMP. This talk defines those interactions and introduces extensions to STAMP/STPA to systematically identify causal factors associated with collaboration. The technique has been demonstrated to help analyze novel human-machine and multi-machine teaming systems.

Application of STPA to solid rocket manufacturing, particularly with respect to automated propellant cutting, has provided insight into the design and development of the process. Some of those key insights are:
1. A change in the perspective of the analysis from motor centric to robot centric
2. Inclusion of an independent chip catcher
3. How to handle abort commands with this delicate process
The framework provided by STPA has been influential in seeing the overall connectivity of the various components in the control structure and consequently in designing a better process.

This talk will share a few lessons that we've learned while incorporating safety into Google's engineering culture in the areas of education, SME engagement, analysis completeness, and CAST.

Lessons learned and strategy from our implementation of STAMP at American Airlines.
- Feedback is important
- Union buy-in is critical
- CAST/STPA is different than traditional models
- STPA can be used on existing systems. Even less complex systems!

- Systems-Theoretic Process Analysis (STPA) is applied to investigate decision-making for a novel approach to radiotherapy.
- The analysis process spanned the phases of STPA familiarization, results generation, and results finalization. Facilitation of the analysis was achieved through videos, electronic worksheets, and virtual meetings.
- Nontrivial causal scenarios involve inaccessibility of feedback, mismatch between the feedback and the mental model required for good decision-making, and under-specification of control input.
- STPA provides an effective technique to examine operational decision-making in radiotherapy. Targeted facilitation to leverage domain expertise is a feasible app

This presentation outlines the preliminary findings from an application of STPA to the safety of diagnostic medical data in the United States. We present a model of the sociotechnical system, developed through 30+ interviews with subject matter experts representing laboratories, care facilities, health IT vendors, regulatory bodies, public health agencies, patients, and more. We identify UCAs and scenarios, and provide both targeted and general recommendations to improve the safety of the ecosystem, with
particular attention to missing or weak control loops.

Developing a comprehensive control structure for sociotechnical systems presents challenges for the adoption of STPA. We present a process for iteratively developing a control structure. Using the diagnostic laboratory data ecosystem as a case study, we will walk through the process of starting from scratch and iteratively fine tuning a control structure. Topics include identifying missing information, interview techniques, and common obstacles and ways to address them.

This presentation will provide recommendations for the application of STPA in the early phase of design. It will include a specific focus on:
-Facilitation of STPA
-Application of STPA outcomes to the design of digital twins

Although human-system integration approaches are necessary for the effective design of socio-technical systems, there are few methods that can successfully combine the considerations of mental models with those of technology process models. This presentation will demonstrate that:
- STPA control structures are useful cognitive artifacts that offer decision making stability in the face of strategic uncertainty.
- Blending STPA with human factors methods can surface system vulnerabilities and unlock opportunities for creative decision making and innovation.
- STPA provides structure and processes to consider humans and machines as collaborative agents during the design of complex systems.

- The Nuclear Regulatory Commission (NRC) has investigated STPA and CAST through a series of formal training classes and workshops
- NRC staff including Digital I&C, Human Factors, PRA, Fault Tree Analysis, Cyber Security, and other SMEs participated
- NRC staff learned the methods, applied them in hands-on work shops, evaluated the methods, and developed conclusions and recommendations
- This talk will review the findings developed by NRC staff related to future STPA and CAST use by regulators as well as by industry

- Introduction to a novel power supply concept for battery ferries and its demonstration
- STPA results of the novel concept: main findings and challenges
- Prioritizing the results: method and results
- Discussion for prioritizing STPA results and future works

The talk will refer to the application of STPA on a ship’s navigation system in order to identify leading indicators for monitoring the level of marine safety, including the following aspects:
- The importance of establishing efficient leading indicators concerning accidents’ prevention in the maritime domain.
- The way STPA was applied.
- The results of the implemented methodology, including the control structure and the assumption based leading indicators. The derived leading indicators are related to human factor, concerning aspects such as fatigue and situational awareness.
- Discussion about the usefulness of STPA as a method for establishing leading indicators in the maritime domain.

- L3H SAS is increasingly utilizing MBSE techniques to design system architectures
- STPA has been adopted within L3H SAS as a safety analysis method because it can be incorporated into a MBSE environment
- OMG recently released (2021) a new standard, Risk Analysis and Assessment Modeling Language, which includes standard relations for creating STPA elements within a SysML model.
- L3H SAS has recently developed a RAAML compliant tool to perform STPA analysis within a SysML model. This presentation highlights some of the lessons learned along this journey.

In this presentation, we will exhibit a fascinating research that showcases the successful application of STPA (Systems-Theoretic Process Analysis) to a unique system. Our analysis focused on activities with energetic materials in research laboratories by identifying potential hazards, reducing damages and mishaps, optimizing performance, and minimizing wasted time and materials. We will discuss how the use of STPA led to the discovery of new solutions and opportunities for improving safety and operational efficiency in the laboratory.

STPA Automation Tool:
- Provide a template for the STPA analysis
- Guide the user through the STPA process
- Automate some of the manual work that is necessary to perform an STPA
Tool is built in Google Sheets and will be free for use in the STAMP community.

This talk will review the state of industry standards that incorporate STPA and recent milestones in STPA certification. A uniform set of requirements has been defined for individual certification, and the International Center for STAMP Certification and Accreditation has been created to oversee accreditaion of qualified STAMP/CAST/STPA educational programs. The center's mission is to enable high-quality CAST and STPA work products by recognizing qualified practitioners and defining a uniform standard for CAST and STPA practice, facilitation, and training.

This talk will cover the path Google has taken to introduce and scale up the use of STPA in our engineering organizations. We will discuss lessons that we have learned, show examples of results and findings, and highlight key insights that we have had along the way.

- The publication of J-3187 marks the conclusion of a three (3) year effort to develop and publish the first authoritative document addressing the use of STPA for system critical system evaluation.
- During its development, content making it valuable to other industries has been added to produce a more comprehensive document useful to aerospace, defense, regulatory agencies, and such. J-3187 enhancements to include more cross industry content are planned.
- J-3187 was written by experienced STPA practitioners who shared their collective knowledge on how to develop appropriate safety requirements to prevent or manage potential hazards discovered during the STPA process.

This presentation explores supportability of an aircraft system aiming to proactively incorporate it in concept definition in the Systems Engineering Processes. System-Theoretic Accident Model and Process (STAMP) approach provided the foundation for the analysis conducted herein, strengthening the perspective on how to avoid value losses related to support activities. Results bring important life cycle concerns into consideration for a “design-in” perspective for an aircraft system in conceptual studies.

Negative safety culture in a manufacturing environment is detrimental to not only personnel safety but also product safety and quality, and has subsequent undesirable impacts on schedule and morale. Implementing positive culture change in an organization to address these problems is no easy feat. By applying systems thinking with Systems-Theoretic Accident Model and Processes (STAMP), systems engineering principles and human factors methods, we have identified systemic causal factors of the negative safety culture and applied targeted actions to improve the culture across all organizational levels and multiple site locations in a way that will last and transcend personnel turnover.

The Boeing Company's Automated Test Maneuvers (ATM) system is designed to execute flight test maneuvers with consistent, error free computer generated inputs. In this presentation, we’ll show how Boeing used the STPA process to generate requirements for special test equipment and we’ll discuss how the verification of those requirements in our simulator and ground tests uncovered some software bugs, test documentation and crew actions that needed correcting before first flight.

Modern systems are becoming more complex, interconnected and software intensive. As a result, it is becoming more challenging to develop good system architectures using current methods that rely on decomposition. Instead, the architecture development process should consider system-level interactions and unsafe behaviors early so that the necessary interactions and behaviors can be designed into systems from the beginning. This talk will discuss a new approach to architecture development that does this by integrating STPA into the architecture development process and using the analysis results to drive the identification of system requirements and the development of a system architecture.

- Lessons learned from a systems engineer with 18+ years’ experience who has applied STPA as well as served as an STPA trainer, coach, and facilitator. These are based on experiences from applying STPA in several domains including: Healthcare delivery, medical device, automotive, aviation, manufacturing.
- Common challenges team face when applying STPA
- Recommendations on applying STPA

Radiation therapy is a technique that treats cancer using ionizing radiation. The challenge is to maximize the dose in the tumor while sparing healthy tissue. The process is complex involving hardware, software and people and therefore suitable to be modelled using STAMP. We applied STAMP-CAST to understand one incident occurred in a radiation therapy center. In this presentation we show how CAST helped us to:
- Share responsibility while avoiding blame
- Reach and interview involved persons “close to the fire”
- Suggest recommendations to improve safety culture in RT
- Raise new human factors-related research questions

The task facing our clinical governance team was to analyse how a healthcare structure learns and passes that knowledge through the organisation. The hypothesis being explored was a lack of correct knowledge for any operator critically affects the process model. For the purposes of hazard analysis, there was little difference between the analysis of the physical systems analysed by STPA, and the more ethereal “knowledge flow.” Indeed, exploration of this concept by the team proved useful in identifying hazards, leading to insights into how to mitigate these hazards. Importantly the STPA proved easy to explain to an uninitiated senior executive.

- Application of CAST to a medication incident in English healthcare.
- Discussion of the complexity of the English healthcare system and its impact on safety.
- Reflections on the usability of CAST for organisation-based healthcare investigators.
- Reflections on the comparison of findings between SEIPS and CAST for the incident of interest.

- How STPA was introduced to a complex subsystem of a large healthcare institution
- Performing STPA with a multidisciplinary team in a virtual setting
- Key impacts of a systems approach

The introduction of autonomous mobile robots in everyday life, although very exciting, comes with new hazards. These must be identified and mitigated. This enables a broad operation and public acceptance can be achieved.
- Scope of the presentation: Autonomous mobile robots at Continental and how a public operation can be enabled.
- Challenge: Lack of established safety standard and experience for this specific type of complex operation.
- Development: STPA was used to model the system (robots and environment), identify hazards, and generate requirements.
- Results: Benefits and challenges from using STPA in the development of a robust safety assessment.

- Autonomous Driving (AD) promises to make the roads safer by replacing humans with software and hardware. However, AD is complex and software-intensive, and to assess its safety, analysis methods should be employed along with testing and validation to catch the mistakes during the design phase.
- STPA can be used to find functional insufficiencies and misuses as proposed by ISO/FDIS 21448 (safety of intended functionality). In this presentation, STPA is applied on a closed-loop AD function architecture. Based on the iterative STPA steps, unsafe control actions were identified and consequently critical safety requirements were specified, and two examples are presented.

Autonomous systems offer tremendous opportunities. However, analysing and assuring the safety of these systems remains a major challenge. Due to their rising complexity, the increasing popularity of AI and inclusion of COTS, through-life safety assurance is by no means straightforward. STPA is a promising analysis technique, but has yet to be studied in depth in the field of autonomous systems. This presentation discusses difficulties, benefits and provides general guidance around applying STPA to autonomous systems. The work presented here is based on practical case studies. An autonomous mobile robot is used throughout the presentation to illustrate the results.

The purpose of this presentation is to share the experience of applying the STPA in a military Data Link project at AEL Sistemas, focusing on the security area. It will describe the way we introduce the framework inside the company and the effort necessary to perform it. Furthermore, we will explain about our outputs and why the STPA was a benefit when applied in the security analysis, being an advantage not only to the project but to the company as a whole. The analysis itself is confidential and only illustrative examples will be shown.

- Application of the STPA technique in the development of the power generation system of a hybrid agricultural drone.The system has a generator that uses the fuel energy and transform to electrical energy, to supply the drone consumption. The system also has a battery pack as backup.
- With STPA technique it was possible to obtain a robust product at a low cost. The requirements, besides defining a minimum life limit for each piece of equipment, provided the necessary guidance for the development of the embedded software.
- As a secondary objective to use the guidance promoted by the technique in the maintainability of the aircraft.

* How STPA is used to complement techniques from SAE ARP4761 and MIL-STD-882E at the safety process level
* How STPA is used to complement techniques from SAE ARP4761 and MIL-STD-882E at the system safety and software system safety activity level
* What we learned from combining the techniques and what is the value of STPA

- An analysis using STPA of a Subsea Christmas Tree (oil rig equipment) was conducted following the steps described in the STPA handbook.
- A strange behavior was detected in the SCS of the system, with great potential to generate loss scenarios.
- STPA could identify causal factors related and not related to component failure events in a more manageable way by structuring the loss scenario generation.
- It was identified that only one third of the loss scenarios are related exclusively to physical equipment failures. Thus, it’s reasonable to conclude that STPA can expressively potentialize an analysis using PRA.

- Being a riverine country, inland water transport is the most popular mode of transport in Bangladesh. However, more than 90% of fatalities in inland waterways are involved with passenger ships (launch, steamer, trawler, boat, etc.).
- This study aims to perform a hazard analysis by applying STPA to assess safety situation of passenger ship operation in Bangladesh.
- The study revealed that majority of Unsafe Control Actions (UCA) exist in ‘bridge deck’ of passenger ship and most contributing category of causal factor responsible for occurrence of UCA is ‘human factor’. Besides, predominant category of safety requirements is ‘team management’ among ship crews.

- CAST is used to analyse one of the worst boiler accidents in Brazil, based on the official accident reports.
- CAST identified flaws in the common engineering assumptions, suggesting better solutions to prevent dysfunctional interactions.
- Important causal factors of the accident, not addressed by official investigations, are highlighted.

The study extends the STPA literature by providing a substantial validity of STPA’s capability for analyzing the Fecal sludge management (FSM) governance structure against robust and independent criteria that define the objectives of a “good” governance structure, i.e., efficiency, accountability, and legitimacy. The STPA results identify novel leading indicators to guide policymakers to improve FSM management. The results also provide valuable insights by highlighting the various features contributing to an effective governance structure of the FSM, such as centralized decision-making in combination of hierarchy of goals to establish a clear division of responsibility across various actors.

- Application of assumption-based leading indicators and STPA within the context of organizational structures (teams/departments).
- Defining mission capability.
- Securing team mission capability (protecting against loss of team mission capability) through the use of an effective tailored control structure, including a clear set of assumption-based leading indicators helping loop management and execution to recognize shifting conditions (creating situational awareness).
- After action review and what’s next.

The aim of this presentation is to outline why a large health care organization chose a Safety 3 approach for a re-organization of Quality and safety Department. Partly it was serendipity; the state health department was issuing guidelines Clinical Incident Guidelines for directors and executive of private hospitals, while its own staff struggled with the practicalities of the same guidelines. Concurrently a major private health organisation was looking at revamping its quality and safety processes. Into this mix STAMP has obvious appeal. It has utility. It is easy communicate it's principles and much of the existing process can be preserved.

A re-investigation of a helicopter accident, originally investigated after the 5M-model, shows the broader approach and better effectiveness of CAST compared to 5M. An additional HFACS overlay to the results of the 5M and CAST analysis clearly points out the narrow, "front-line-workers"-oriented approach of 5M an the systemic, management-oriented approach of CAST. Simplification and reductionism by 5M seems to be better suited for short-term, "in the field" risk assessments. For an accident investigation, a more open and holistic approach like CAST appears to be recommended.

Google has applied STPA as part of Site Reliability Engineering to identify undesirable software interactions and prevent them during design.

- The risk matrix is a widespread assessment tool that measures probability/severity of a risk to help decision makers
- STPA is applied to improve the risk matrix by introducing a measure of mitigation effectiveness as a proxy for probability.
- A new STPA-Informed Risk Matrix (SRM) is introduced by using two separate methodologies: the scenario based approach and hazard based approach.
- The SRM combines the strengths of STPA and traditional risk assessment to better equip decision makers, particularly with new complex systems.

"Foresight is not about predicting the future; it’s about minimizing surprise”. This quote from futurist Karl Schroeder is relevant to STPA’s value. One of the first management questions asked when considering STPA is what Return On Investment does it provide? This can become a chicken-or-egg dilemma as business leaders rightfully ask what “returns” can be expected from the additional “investment” in performing STPA. This presentation will discuss both “returns” and “investment” for a variety of projects of different sizes and types across several large industry sectors. It will also touch on initial thoughts of how STPA works in a scaled agile framework environment.

The following Embraer applications will be covered:
1) STPA – Product Development
2) STPA-Sec – Product Development
3) CAST – Group Study that includes ANAC

This talk descries the application of STPA to analyse the national-level responses to the COVID-19 pandemic. The analysis treated various stakeholders as a part of the system, including W.H.O, relevant departments of the Governments, relevant organizations (i.e. Public Health Service, Vaccine Research, Police & Military, Essential and Non-essential Service Providing Companies, and Media Companies), and the General Public, and it analyses the interactions between these stakeholders. Two example UCAs (from the Public Health Service and Vaccine Research), together with their loss scenarios and proposed requirements, will be presented in this talk.

- To enable the vehicles of the future, the automotive industry requires a new generation of centralized, software-defined E/E architectures (EEA).
- STPA was applied on an assumed function (L3 Highway Pilot - HWP) to derive safety requirements for a proposed EEA.
- The HWP control loop from the STAMP control structure was mapped onto the EEA design. Detail of the EEA was used to identify loss scenarios on technical level and requirements meaningful to EEA development.
- As future work it is envisioned to apply STPA on a large collection of functions. By mapping sets of functions onto the out-of-context EEA design, the corresponding safety assurance can be provided.

This presentation describes application of STPA on an autonomous container handling system. As one of the first applications of STPA in the heavy mobile machinery sector, we evaluate the suitability of STPA in this context by comparing the method with HAZOP. This includes definition of evaluation criteria for the comparison. The study suggests that STPA is a useful method in identification of accident scenarios related to autonomy.

This presentation summarizes the research done by the author for his PhD at the Maritime Safety Research Centre in the Department of Naval Architecture at the University of Strathclyde.
- STPA was used to model the safety management approaches at a cruise ship and a ferry operator to develop a set of key safety indicators.
- As a result of this work the two ship operators have modified their sets of safety indicators and their tracking processes.
- This research fills a gap in the use of safety indicators in the maritime domain by developing a set of safety indicators to provide ship operator with better feedback on the state of their safety management approaches.

In consideration of congressional mandates and safety recommendations resulting from the 737MAX events, and in conjunction with its overall objective to improve the system safety assessment process (independent of the MAX events), the FAA seeks commercial aviation industry's experience in using STPA (or other tools/methods) in their product development and system safety assessments. Providing such information to the FAA is voluntary. All information will be treated as confidential and will be de-identified if the FAA uses it in future guidance materials.

Teaming systems include multiple controllers, human and/or autonomous, acting interdependently to achieve a common goal. There is increasing interest in fielding teaming systems in both military and civilian applications. For example, future manned helicopters will team with multiple UAS systems to execute a mission, and human-autonomy teams are envisioned to enable Urban Air Mobility. A systematic and rigorous hazard analysis method is needed to enable safety driven design of such systems to enhance V&V and certification. This talk will discuss some of the properties associated with teaming systems, and explore how a Systems Theoretic framework can enable this analysis.

A short review of the work involved in getting STPA written into the contract on an extensive DoD Acquisition program. This lightning-fast presentation will describe our approach, mindset, as well as the contract language the program office adopted. You should leave with an idea of incorporating STPA into your own contracts and avoiding some of the pitfalls we discovered.

- Experiences of using STPA for hazard analysis of an interoperability conformance profile for medical information systems
- STPA is used at the level of conformance requirements
- A real-world case study in British Columbia

- The low-cost insulin infusion pump is under development in Brazil by the Federal University of São Paulo in cooperation with DeltaLife, a Brazilian company of medical equipment
- The purpose of the safety analysis using STPA was to support the insulin pump architectural design from a safety perspective.
- The Control Structure Model allowed a better interaction with team members of heterogeneous specialties, including health care, software development, electronic design, and mechanical design.
- Requirements were generated to implement safeguards in architectural design and to define behavioral procedures for insulin pump user.

The Agility Prime program is a collaboration between the USAF, the FAA, and commercial entities to support civil airworthiness objectives for novel aircraft including eVTOL, unmanned, and crewed aircraft. Agility Prime has selected STPA to accelerate novel aircraft development including designing for safety and security objectives. This talk will provide a brief overview of Agility Prime and how STPA is being used.

The European project HiPERFORM addresses the challenge of reducing CO2 emissions with the introduction of advanced wide-bandgap semiconductor technologies. The powertrain (PT) use case conceives such capabilities increasing levels of power density and improving efficiency. This presentation provides the results of the PT safety analysis following the ISO 26262 standard of the Road vehicles – Functional safety on the concept phase level together with the STPA analysis support. The STPA analysis includes the study of the unsafe control actions applied to relevant loss scenarios of the PT in-wheel motors and the design and analysis of the process model for support validation activities.

- ISO/PAS 21448 safety of the intended functionality (SOTIF) is an upcoming standard aimed at ensuring absence of unreasonable risk due to functional insufficiencies, performance limitations, and foreseeable misuse of intended functionality.
- STPA is applied on a toy ADAS system to study the use of STPA as an aid to achieve SOTIF.
- The systematic approach of STPA in identifying unsafe scenarios is shown to directly help in creating artifacts related to ISO/PAS 21448 Clauses 6, 7, and 8.
- Observations and key takeaways from applying STPA to achieve SOTIF are elaborated.

- The rapid increase in availability and use of Small Uncrewed Aircraft Systems (sUAS) presents a potential challenge to ensuring safe separation in the crowded terminal airspace.
- The system for this analysis comprises several distinct entities and organizations, so an emphasis was placed on ease of communicating the conclusions to all stakeholders.
- By allocating requirements to system entities to address each causal scenario, and evaluating the current state of validation and verification for each requirement, we are able to focus discussions with stakeholders on a manageable and prioritized requirement set. STPA allows consistent traceability between the requirements and hazards.

STPA includes input from analyst’s and topic-expert’s perspective, possibly leading to bias and reducing replicability from a different group of analysts.
In a validation and replicability study for our application “STPA applied for Safety, Security and Privacy Issues in Smart Airport Terminal New Concepts”, we gave a student the same input parameters and standard STPA procedure to develop a separate application.
We gained valuable intel on different ways to model and implied assumptions, while finding similar control actions and constraints, leading up to similar scenarios.
In order to enhance reproducibility, associated assumptions are essential, besides STPA inputs, method and results.

This was the first case study of cybersecurity incident analysis by CAST in Japan. Results of the experiment, CAST has proven to be crucially effective as it can be applied to the analysis of cybersecurity incidents about "Report of unauthorized access to the information system of National Institute of Advanced Industrial Science and Technology (AIST)". I am a leader of the Japanese STAMP community. I will introduce that CAST Handbook have translated into Japanese with JAXA members.

Traditionally, Boeing utilizes chain of event problem-solving to investigate manufacturing mishaps, which treats mishaps as isolated incidents that are the result of human error. To better address the complexities in large organizations, Boeing is exploring CAST to address process and organizational improvements. We conducted CAST investigations on five separate incidents and identified common factors among them. We mapped these common factors to different parts of the control structure model and gained insight on how these seemingly 'isolated incidents' were influenced by systemic cultural and organizational issues. Based on these results, Boeing is exploring CAST as an investigation technique to be used across the enterprise.

- This presentation analyses control actions within underground coal mines related to methane and ventilation control measures.
- Methane is an odourless gas, which is explosive within a certain proportion in the air and can also lead to suffocation.
- Given the complexity of the operational control measures that should be adopted, unsafe control actions are possible.
- Critical unsafe actions appear when different system-level hazards occur simultaneously or very close to each other.
- After identifying these cases with STPA, the most restrictive control measure should be applied in the first place to eliminate unsafe control actions effectively.

Do you want the ability to easily apply STPA using modern engineering tools? What about using a common language so that you can easily share the information with stakeholders? Come learn about the STPA portions of the Risk Analysis & Assessment Modeling Language (RAAML) and the open source tool that has implemented STPA called Gaphor.
- RAAML is a standardized modeling language from the OMG that is out for final release now.
- Gaphor is an open source modeling tool written in Python.
- Together they form a great combination for you to quickly complete STPA for your next project.

This talk explores how the failure to investigate residential fires for “cause of death” instead of simply “cause of the fire” (i.e. is it arson or accidental) has led to the failure to identify simple solutions that could save hundreds of lives per year.