The presenters will show how they are approaching the challenges of integrating STAMP methods into Google's engineering culture:
- Preventing waterfall delivery of analysis results
- Teaching control structure modeling and UCAs
- Working with an informal requirements engineering culture

Over the last decade, STPA use in aviation has led to thousands of publications including findings and lessons learned from industry use. Past MIT STAMP/STPA workshops have hosted 60 presentations from the aviation industry with independent evaluations and findings from applying STPA. This talk will review the empirical data that exists from the aviation industry to date, including lessons learned, mistakes to avoid, and what is known and not yet known about STPA in aviation.

- The program structure of American Airline's STAMP program
- CAST/STPA is widely accepted and understood at American Airlines
- CAST leads to deeper insights compared to traditional industry methods
- STAMP helps reinforce resiliency within our systems

Aerospace manufacturing faces a challenge in combining cutting-edge technology and long product lifecycles, which can lead to significant process model divergence within production systems and result in producibility problems. This talk presents a CAST analysis of a loss of producibility following a transfer of a manufacturing process from one facility to another.
Key findings:
-Configuration control measures must be designed with an understanding of their limitations, and assumptions about supplier processes must be carefully validated.
-Production organizations must be designed for the task they are assigned to accomplish, based on experience and experimentation whenever possible.

This presentation highlights how the STAMP application integrates Embraer Requirements Engineering process.

Teams of controllers exhibit complex collaborative interactions that can be defined and captured using Systems Theory or STAMP. This talk defines those interactions and introduces extensions to STAMP/STPA to systematically identify causal factors associated with collaboration. The technique has been demonstrated to help analyze novel human-machine and multi-machine teaming systems.

Application of STPA to solid rocket manufacturing, particularly with respect to automated propellant cutting, has provided insight into the design and development of the process. Some of those key insights are:
1. A change in the perspective of the analysis from motor centric to robot centric
2. Inclusion of an independent chip catcher
3. How to handle abort commands with this delicate process
The framework provided by STPA has been influential in seeing the overall connectivity of the various components in the control structure and consequently in designing a better process.

This talk will share a few lessons that we've learned while incorporating safety into Google's engineering culture in the areas of education, SME engagement, analysis completeness, and CAST.

Lessons learned and strategy from our implementation of STAMP at American Airlines.
- Feedback is important
- Union buy-in is critical
- CAST/STPA is different than traditional models
- STPA can be used on existing systems. Even less complex systems!

- Systems-Theoretic Process Analysis (STPA) is applied to investigate decision-making for a novel approach to radiotherapy.
- The analysis process spanned the phases of STPA familiarization, results generation, and results finalization. Facilitation of the analysis was achieved through videos, electronic worksheets, and virtual meetings.
- Nontrivial causal scenarios involve inaccessibility of feedback, mismatch between the feedback and the mental model required for good decision-making, and under-specification of control input.
- STPA provides an effective technique to examine operational decision-making in radiotherapy. Targeted facilitation to leverage domain expertise is a feasible app

This presentation outlines the preliminary findings from an application of STPA to the safety of diagnostic medical data in the United States. We present a model of the sociotechnical system, developed through 30+ interviews with subject matter experts representing laboratories, care facilities, health IT vendors, regulatory bodies, public health agencies, patients, and more. We identify UCAs and scenarios, and provide both targeted and general recommendations to improve the safety of the ecosystem, with
particular attention to missing or weak control loops.

Developing a comprehensive control structure for sociotechnical systems presents challenges for the adoption of STPA. We present a process for iteratively developing a control structure. Using the diagnostic laboratory data ecosystem as a case study, we will walk through the process of starting from scratch and iteratively fine tuning a control structure. Topics include identifying missing information, interview techniques, and common obstacles and ways to address them.

This presentation will provide recommendations for the application of STPA in the early phase of design. It will include a specific focus on:
-Facilitation of STPA
-Application of STPA outcomes to the design of digital twins

Although human-system integration approaches are necessary for the effective design of socio-technical systems, there are few methods that can successfully combine the considerations of mental models with those of technology process models. This presentation will demonstrate that:
- STPA control structures are useful cognitive artifacts that offer decision making stability in the face of strategic uncertainty.
- Blending STPA with human factors methods can surface system vulnerabilities and unlock opportunities for creative decision making and innovation.
- STPA provides structure and processes to consider humans and machines as collaborative agents during the design of complex systems.

- The Nuclear Regulatory Commission (NRC) has investigated STPA and CAST through a series of formal training classes and workshops
- NRC staff including Digital I&C, Human Factors, PRA, Fault Tree Analysis, Cyber Security, and other SMEs participated
- NRC staff learned the methods, applied them in hands-on work shops, evaluated the methods, and developed conclusions and recommendations
- This talk will review the findings developed by NRC staff related to future STPA and CAST use by regulators as well as by industry

- Introduction to a novel power supply concept for battery ferries and its demonstration
- STPA results of the novel concept: main findings and challenges
- Prioritizing the results: method and results
- Discussion for prioritizing STPA results and future works

The talk will refer to the application of STPA on a ship’s navigation system in order to identify leading indicators for monitoring the level of marine safety, including the following aspects:
- The importance of establishing efficient leading indicators concerning accidents’ prevention in the maritime domain.
- The way STPA was applied.
- The results of the implemented methodology, including the control structure and the assumption based leading indicators. The derived leading indicators are related to human factor, concerning aspects such as fatigue and situational awareness.
- Discussion about the usefulness of STPA as a method for establishing leading indicators in the maritime domain.

- L3H SAS is increasingly utilizing MBSE techniques to design system architectures
- STPA has been adopted within L3H SAS as a safety analysis method because it can be incorporated into a MBSE environment
- OMG recently released (2021) a new standard, Risk Analysis and Assessment Modeling Language, which includes standard relations for creating STPA elements within a SysML model.
- L3H SAS has recently developed a RAAML compliant tool to perform STPA analysis within a SysML model. This presentation highlights some of the lessons learned along this journey.

In this presentation, we will exhibit a fascinating research that showcases the successful application of STPA (Systems-Theoretic Process Analysis) to a unique system. Our analysis focused on activities with energetic materials in research laboratories by identifying potential hazards, reducing damages and mishaps, optimizing performance, and minimizing wasted time and materials. We will discuss how the use of STPA led to the discovery of new solutions and opportunities for improving safety and operational efficiency in the laboratory.

STPA Automation Tool:
- Provide a template for the STPA analysis
- Guide the user through the STPA process
- Automate some of the manual work that is necessary to perform an STPA
Tool is built in Google Sheets and will be free for use in the STAMP community.

This talk will review the state of industry standards that incorporate STPA and recent milestones in STPA certification. A uniform set of requirements has been defined for individual certification, and the International Center for STAMP Certification and Accreditation has been created to oversee accreditaion of qualified STAMP/CAST/STPA educational programs. The center's mission is to enable high-quality CAST and STPA work products by recognizing qualified practitioners and defining a uniform standard for CAST and STPA practice, facilitation, and training.

This talk will cover the path Google has taken to introduce and scale up the use of STPA in our engineering organizations. We will discuss lessons that we have learned, show examples of results and findings, and highlight key insights that we have had along the way.

- The publication of J-3187 marks the conclusion of a three (3) year effort to develop and publish the first authoritative document addressing the use of STPA for system critical system evaluation.
- During its development, content making it valuable to other industries has been added to produce a more comprehensive document useful to aerospace, defense, regulatory agencies, and such. J-3187 enhancements to include more cross industry content are planned.
- J-3187 was written by experienced STPA practitioners who shared their collective knowledge on how to develop appropriate safety requirements to prevent or manage potential hazards discovered during the STPA process.

This presentation explores supportability of an aircraft system aiming to proactively incorporate it in concept definition in the Systems Engineering Processes. System-Theoretic Accident Model and Process (STAMP) approach provided the foundation for the analysis conducted herein, strengthening the perspective on how to avoid value losses related to support activities. Results bring important life cycle concerns into consideration for a “design-in” perspective for an aircraft system in conceptual studies.

Negative safety culture in a manufacturing environment is detrimental to not only personnel safety but also product safety and quality, and has subsequent undesirable impacts on schedule and morale. Implementing positive culture change in an organization to address these problems is no easy feat. By applying systems thinking with Systems-Theoretic Accident Model and Processes (STAMP), systems engineering principles and human factors methods, we have identified systemic causal factors of the negative safety culture and applied targeted actions to improve the culture across all organizational levels and multiple site locations in a way that will last and transcend personnel turnover.

The Boeing Company's Automated Test Maneuvers (ATM) system is designed to execute flight test maneuvers with consistent, error free computer generated inputs. In this presentation, we’ll show how Boeing used the STPA process to generate requirements for special test equipment and we’ll discuss how the verification of those requirements in our simulator and ground tests uncovered some software bugs, test documentation and crew actions that needed correcting before first flight.

Modern systems are becoming more complex, interconnected and software intensive. As a result, it is becoming more challenging to develop good system architectures using current methods that rely on decomposition. Instead, the architecture development process should consider system-level interactions and unsafe behaviors early so that the necessary interactions and behaviors can be designed into systems from the beginning. This talk will discuss a new approach to architecture development that does this by integrating STPA into the architecture development process and using the analysis results to drive the identification of system requirements and the development of a system architecture.

- Lessons learned from a systems engineer with 18+ years’ experience who has applied STPA as well as served as an STPA trainer, coach, and facilitator. These are based on experiences from applying STPA in several domains including: Healthcare delivery, medical device, automotive, aviation, manufacturing.
- Common challenges team face when applying STPA
- Recommendations on applying STPA

Radiation therapy is a technique that treats cancer using ionizing radiation. The challenge is to maximize the dose in the tumor while sparing healthy tissue. The process is complex involving hardware, software and people and therefore suitable to be modelled using STAMP. We applied STAMP-CAST to understand one incident occurred in a radiation therapy center. In this presentation we show how CAST helped us to:
- Share responsibility while avoiding blame
- Reach and interview involved persons “close to the fire”
- Suggest recommendations to improve safety culture in RT
- Raise new human factors-related research questions

The task facing our clinical governance team was to analyse how a healthcare structure learns and passes that knowledge through the organisation. The hypothesis being explored was a lack of correct knowledge for any operator critically affects the process model. For the purposes of hazard analysis, there was little difference between the analysis of the physical systems analysed by STPA, and the more ethereal “knowledge flow.” Indeed, exploration of this concept by the team proved useful in identifying hazards, leading to insights into how to mitigate these hazards. Importantly the STPA proved easy to explain to an uninitiated senior executive.

- Application of CAST to a medication incident in English healthcare.
- Discussion of the complexity of the English healthcare system and its impact on safety.
- Reflections on the usability of CAST for organisation-based healthcare investigators.
- Reflections on the comparison of findings between SEIPS and CAST for the incident of interest.

- How STPA was introduced to a complex subsystem of a large healthcare institution
- Performing STPA with a multidisciplinary team in a virtual setting
- Key impacts of a systems approach

The introduction of autonomous mobile robots in everyday life, although very exciting, comes with new hazards. These must be identified and mitigated. This enables a broad operation and public acceptance can be achieved.
- Scope of the presentation: Autonomous mobile robots at Continental and how a public operation can be enabled.
- Challenge: Lack of established safety standard and experience for this specific type of complex operation.
- Development: STPA was used to model the system (robots and environment), identify hazards, and generate requirements.
- Results: Benefits and challenges from using STPA in the development of a robust safety assessment.

- Autonomous Driving (AD) promises to make the roads safer by replacing humans with software and hardware. However, AD is complex and software-intensive, and to assess its safety, analysis methods should be employed along with testing and validation to catch the mistakes during the design phase.
- STPA can be used to find functional insufficiencies and misuses as proposed by ISO/FDIS 21448 (safety of intended functionality). In this presentation, STPA is applied on a closed-loop AD function architecture. Based on the iterative STPA steps, unsafe control actions were identified and consequently critical safety requirements were specified, and two examples are presented.

Autonomous systems offer tremendous opportunities. However, analysing and assuring the safety of these systems remains a major challenge. Due to their rising complexity, the increasing popularity of AI and inclusion of COTS, through-life safety assurance is by no means straightforward. STPA is a promising analysis technique, but has yet to be studied in depth in the field of autonomous systems. This presentation discusses difficulties, benefits and provides general guidance around applying STPA to autonomous systems. The work presented here is based on practical case studies. An autonomous mobile robot is used throughout the presentation to illustrate the results.

The purpose of this presentation is to share the experience of applying the STPA in a military Data Link project at AEL Sistemas, focusing on the security area. It will describe the way we introduce the framework inside the company and the effort necessary to perform it. Furthermore, we will explain about our outputs and why the STPA was a benefit when applied in the security analysis, being an advantage not only to the project but to the company as a whole. The analysis itself is confidential and only illustrative examples will be shown.

- Application of the STPA technique in the development of the power generation system of a hybrid agricultural drone.The system has a generator that uses the fuel energy and transform to electrical energy, to supply the drone consumption. The system also has a battery pack as backup.
- With STPA technique it was possible to obtain a robust product at a low cost. The requirements, besides defining a minimum life limit for each piece of equipment, provided the necessary guidance for the development of the embedded software.
- As a secondary objective to use the guidance promoted by the technique in the maintainability of the aircraft.

* How STPA is used to complement techniques from SAE ARP4761 and MIL-STD-882E at the safety process level
* How STPA is used to complement techniques from SAE ARP4761 and MIL-STD-882E at the system safety and software system safety activity level
* What we learned from combining the techniques and what is the value of STPA

- An analysis using STPA of a Subsea Christmas Tree (oil rig equipment) was conducted following the steps described in the STPA handbook.
- A strange behavior was detected in the SCS of the system, with great potential to generate loss scenarios.
- STPA could identify causal factors related and not related to component failure events in a more manageable way by structuring the loss scenario generation.
- It was identified that only one third of the loss scenarios are related exclusively to physical equipment failures. Thus, it’s reasonable to conclude that STPA can expressively potentialize an analysis using PRA.

- Being a riverine country, inland water transport is the most popular mode of transport in Bangladesh. However, more than 90% of fatalities in inland waterways are involved with passenger ships (launch, steamer, trawler, boat, etc.).
- This study aims to perform a hazard analysis by applying STPA to assess safety situation of passenger ship operation in Bangladesh.
- The study revealed that majority of Unsafe Control Actions (UCA) exist in ‘bridge deck’ of passenger ship and most contributing category of causal factor responsible for occurrence of UCA is ‘human factor’. Besides, predominant category of safety requirements is ‘team management’ among ship crews.

- CAST is used to analyse one of the worst boiler accidents in Brazil, based on the official accident reports.
- CAST identified flaws in the common engineering assumptions, suggesting better solutions to prevent dysfunctional interactions.
- Important causal factors of the accident, not addressed by official investigations, are highlighted.

The study extends the STPA literature by providing a substantial validity of STPA’s capability for analyzing the Fecal sludge management (FSM) governance structure against robust and independent criteria that define the objectives of a “good” governance structure, i.e., efficiency, accountability, and legitimacy. The STPA results identify novel leading indicators to guide policymakers to improve FSM management. The results also provide valuable insights by highlighting the various features contributing to an effective governance structure of the FSM, such as centralized decision-making in combination of hierarchy of goals to establish a clear division of responsibility across various actors.

- Application of assumption-based leading indicators and STPA within the context of organizational structures (teams/departments).
- Defining mission capability.
- Securing team mission capability (protecting against loss of team mission capability) through the use of an effective tailored control structure, including a clear set of assumption-based leading indicators helping loop management and execution to recognize shifting conditions (creating situational awareness).
- After action review and what’s next.

The aim of this presentation is to outline why a large health care organization chose a Safety 3 approach for a re-organization of Quality and safety Department. Partly it was serendipity; the state health department was issuing guidelines Clinical Incident Guidelines for directors and executive of private hospitals, while its own staff struggled with the practicalities of the same guidelines. Concurrently a major private health organisation was looking at revamping its quality and safety processes. Into this mix STAMP has obvious appeal. It has utility. It is easy communicate it's principles and much of the existing process can be preserved.

A re-investigation of a helicopter accident, originally investigated after the 5M-model, shows the broader approach and better effectiveness of CAST compared to 5M. An additional HFACS overlay to the results of the 5M and CAST analysis clearly points out the narrow, "front-line-workers"-oriented approach of 5M an the systemic, management-oriented approach of CAST. Simplification and reductionism by 5M seems to be better suited for short-term, "in the field" risk assessments. For an accident investigation, a more open and holistic approach like CAST appears to be recommended.

Google has applied STPA as part of Site Reliability Engineering to identify undesirable software interactions and prevent them during design.

- The risk matrix is a widespread assessment tool that measures probability/severity of a risk to help decision makers
- STPA is applied to improve the risk matrix by introducing a measure of mitigation effectiveness as a proxy for probability.
- A new STPA-Informed Risk Matrix (SRM) is introduced by using two separate methodologies: the scenario based approach and hazard based approach.
- The SRM combines the strengths of STPA and traditional risk assessment to better equip decision makers, particularly with new complex systems.

"Foresight is not about predicting the future; it’s about minimizing surprise”. This quote from futurist Karl Schroeder is relevant to STPA’s value. One of the first management questions asked when considering STPA is what Return On Investment does it provide? This can become a chicken-or-egg dilemma as business leaders rightfully ask what “returns” can be expected from the additional “investment” in performing STPA. This presentation will discuss both “returns” and “investment” for a variety of projects of different sizes and types across several large industry sectors. It will also touch on initial thoughts of how STPA works in a scaled agile framework environment.

The following Embraer applications will be covered:
1) STPA – Product Development
2) STPA-Sec – Product Development
3) CAST – Group Study that includes ANAC

This talk descries the application of STPA to analyse the national-level responses to the COVID-19 pandemic. The analysis treated various stakeholders as a part of the system, including W.H.O, relevant departments of the Governments, relevant organizations (i.e. Public Health Service, Vaccine Research, Police & Military, Essential and Non-essential Service Providing Companies, and Media Companies), and the General Public, and it analyses the interactions between these stakeholders. Two example UCAs (from the Public Health Service and Vaccine Research), together with their loss scenarios and proposed requirements, will be presented in this talk.

- To enable the vehicles of the future, the automotive industry requires a new generation of centralized, software-defined E/E architectures (EEA).
- STPA was applied on an assumed function (L3 Highway Pilot - HWP) to derive safety requirements for a proposed EEA.
- The HWP control loop from the STAMP control structure was mapped onto the EEA design. Detail of the EEA was used to identify loss scenarios on technical level and requirements meaningful to EEA development.
- As future work it is envisioned to apply STPA on a large collection of functions. By mapping sets of functions onto the out-of-context EEA design, the corresponding safety assurance can be provided.

This presentation describes application of STPA on an autonomous container handling system. As one of the first applications of STPA in the heavy mobile machinery sector, we evaluate the suitability of STPA in this context by comparing the method with HAZOP. This includes definition of evaluation criteria for the comparison. The study suggests that STPA is a useful method in identification of accident scenarios related to autonomy.

This presentation summarizes the research done by the author for his PhD at the Maritime Safety Research Centre in the Department of Naval Architecture at the University of Strathclyde.
- STPA was used to model the safety management approaches at a cruise ship and a ferry operator to develop a set of key safety indicators.
- As a result of this work the two ship operators have modified their sets of safety indicators and their tracking processes.
- This research fills a gap in the use of safety indicators in the maritime domain by developing a set of safety indicators to provide ship operator with better feedback on the state of their safety management approaches.

In consideration of congressional mandates and safety recommendations resulting from the 737MAX events, and in conjunction with its overall objective to improve the system safety assessment process (independent of the MAX events), the FAA seeks commercial aviation industry's experience in using STPA (or other tools/methods) in their product development and system safety assessments. Providing such information to the FAA is voluntary. All information will be treated as confidential and will be de-identified if the FAA uses it in future guidance materials.

Teaming systems include multiple controllers, human and/or autonomous, acting interdependently to achieve a common goal. There is increasing interest in fielding teaming systems in both military and civilian applications. For example, future manned helicopters will team with multiple UAS systems to execute a mission, and human-autonomy teams are envisioned to enable Urban Air Mobility. A systematic and rigorous hazard analysis method is needed to enable safety driven design of such systems to enhance V&V and certification. This talk will discuss some of the properties associated with teaming systems, and explore how a Systems Theoretic framework can enable this analysis.

A short review of the work involved in getting STPA written into the contract on an extensive DoD Acquisition program. This lightning-fast presentation will describe our approach, mindset, as well as the contract language the program office adopted. You should leave with an idea of incorporating STPA into your own contracts and avoiding some of the pitfalls we discovered.

- Experiences of using STPA for hazard analysis of an interoperability conformance profile for medical information systems
- STPA is used at the level of conformance requirements
- A real-world case study in British Columbia

- The low-cost insulin infusion pump is under development in Brazil by the Federal University of São Paulo in cooperation with DeltaLife, a Brazilian company of medical equipment
- The purpose of the safety analysis using STPA was to support the insulin pump architectural design from a safety perspective.
- The Control Structure Model allowed a better interaction with team members of heterogeneous specialties, including health care, software development, electronic design, and mechanical design.
- Requirements were generated to implement safeguards in architectural design and to define behavioral procedures for insulin pump user.

The Agility Prime program is a collaboration between the USAF, the FAA, and commercial entities to support civil airworthiness objectives for novel aircraft including eVTOL, unmanned, and crewed aircraft. Agility Prime has selected STPA to accelerate novel aircraft development including designing for safety and security objectives. This talk will provide a brief overview of Agility Prime and how STPA is being used.

The European project HiPERFORM addresses the challenge of reducing CO2 emissions with the introduction of advanced wide-bandgap semiconductor technologies. The powertrain (PT) use case conceives such capabilities increasing levels of power density and improving efficiency. This presentation provides the results of the PT safety analysis following the ISO 26262 standard of the Road vehicles – Functional safety on the concept phase level together with the STPA analysis support. The STPA analysis includes the study of the unsafe control actions applied to relevant loss scenarios of the PT in-wheel motors and the design and analysis of the process model for support validation activities.

- ISO/PAS 21448 safety of the intended functionality (SOTIF) is an upcoming standard aimed at ensuring absence of unreasonable risk due to functional insufficiencies, performance limitations, and foreseeable misuse of intended functionality.
- STPA is applied on a toy ADAS system to study the use of STPA as an aid to achieve SOTIF.
- The systematic approach of STPA in identifying unsafe scenarios is shown to directly help in creating artifacts related to ISO/PAS 21448 Clauses 6, 7, and 8.
- Observations and key takeaways from applying STPA to achieve SOTIF are elaborated.

- The rapid increase in availability and use of Small Uncrewed Aircraft Systems (sUAS) presents a potential challenge to ensuring safe separation in the crowded terminal airspace.
- The system for this analysis comprises several distinct entities and organizations, so an emphasis was placed on ease of communicating the conclusions to all stakeholders.
- By allocating requirements to system entities to address each causal scenario, and evaluating the current state of validation and verification for each requirement, we are able to focus discussions with stakeholders on a manageable and prioritized requirement set. STPA allows consistent traceability between the requirements and hazards.

STPA includes input from analyst’s and topic-expert’s perspective, possibly leading to bias and reducing replicability from a different group of analysts.
In a validation and replicability study for our application “STPA applied for Safety, Security and Privacy Issues in Smart Airport Terminal New Concepts”, we gave a student the same input parameters and standard STPA procedure to develop a separate application.
We gained valuable intel on different ways to model and implied assumptions, while finding similar control actions and constraints, leading up to similar scenarios.
In order to enhance reproducibility, associated assumptions are essential, besides STPA inputs, method and results.

This was the first case study of cybersecurity incident analysis by CAST in Japan. Results of the experiment, CAST has proven to be crucially effective as it can be applied to the analysis of cybersecurity incidents about "Report of unauthorized access to the information system of National Institute of Advanced Industrial Science and Technology (AIST)". I am a leader of the Japanese STAMP community. I will introduce that CAST Handbook have translated into Japanese with JAXA members.

Traditionally, Boeing utilizes chain of event problem-solving to investigate manufacturing mishaps, which treats mishaps as isolated incidents that are the result of human error. To better address the complexities in large organizations, Boeing is exploring CAST to address process and organizational improvements. We conducted CAST investigations on five separate incidents and identified common factors among them. We mapped these common factors to different parts of the control structure model and gained insight on how these seemingly 'isolated incidents' were influenced by systemic cultural and organizational issues. Based on these results, Boeing is exploring CAST as an investigation technique to be used across the enterprise.

- This presentation analyses control actions within underground coal mines related to methane and ventilation control measures.
- Methane is an odourless gas, which is explosive within a certain proportion in the air and can also lead to suffocation.
- Given the complexity of the operational control measures that should be adopted, unsafe control actions are possible.
- Critical unsafe actions appear when different system-level hazards occur simultaneously or very close to each other.
- After identifying these cases with STPA, the most restrictive control measure should be applied in the first place to eliminate unsafe control actions effectively.

Do you want the ability to easily apply STPA using modern engineering tools? What about using a common language so that you can easily share the information with stakeholders? Come learn about the STPA portions of the Risk Analysis & Assessment Modeling Language (RAAML) and the open source tool that has implemented STPA called Gaphor.
- RAAML is a standardized modeling language from the OMG that is out for final release now.
- Gaphor is an open source modeling tool written in Python.
- Together they form a great combination for you to quickly complete STPA for your next project.

This talk explores how the failure to investigate residential fires for “cause of death” instead of simply “cause of the fire” (i.e. is it arson or accidental) has led to the failure to identify simple solutions that could save hundreds of lives per year.