Professor Nancy Leveson
Nancy Leveson is Professor of Aeronautics and Astronautics and also Professor of Engineering Systems at MIT. She is an elected member of the National Academy of Engineering (NAE). Prof. Leveson conducts research on the topics of system safety, software safety, software and system engineering, and human-computer interaction. In 1999, she received the ACM Allen Newell Award for outstanding computer science research and in 1995 the AIAA Information Systems Award for “developing the field of software safety and for promoting responsible software and system engineering practices where life and property are at stake.” In 2005 she received the ACM SIGSOFT Outstanding Research Award. She has published over 200 research papers and is author of two books, “Safeware: System Safety and Computers” published in 1995 by Addison-Wesley and “Engineering a Safer World” published in 2012 by MIT Press. She consults extensively in many industries on ways to prevent accidents.
Please see her personal website here.
Blandine Antoine is a PhD candidate in MIT’s Engineering Systems Division. Her dissertation deals with developing a STAMP-based approach for safety verification and certification of complex systems. In addition to proposing heuristics that aim to facilitate the process of applying the hazard analysis technique STPA to existing designs, she investigates whether current certification regimes would be open to including the STAMP approach and accepting STPA results in the safety cases required for licensing of new complex systems. She uses the PROSCAN proton-therapy facility developed by the Paul Scherrer Institute as a case example, and focuses on the regulatory frameworks that apply to medical devices using ionizing radiation in Europe and the USA.
Blandine holds a diplôme d’ingénieur from Ecole Polytechnique, an MSc in nuclear engineering from UC Berkeley and an MPA from Ecole des Ponts ParisTech. Her work experience includes stints in energy system policy and design, education on energy and climate change issues, and tackling energy poverty in the developing world. Currently on leave from the French Department for Infrastructure and the Environment and with a growing interest in ecologically sound water treatment and soil conservation processes, she is a founder and active board member of the rural electrification provider EGG-energy, a handball goalkeeper at heart and an enthusiastic eater of local organic food.
Project: Safety review of a proton-therapy machine
The PROSCAN facility that was designed and built by the Paul Scherrer Institute uses a high energy proton beam to treat cancer tumors by delivering packets of dose in precisely located spots. An extension of the current treatment capabilities is sought that will allow faster treatment thanks to continuous beam scanning. The first purpose of this project was to evaluate the safety of the facility and of its capability extension by assessing whether the hazardous scenarios identified using STPA were designed against and mitigated. Our second goal in performing this analysis was to contribute to building heuristics that will facilitate the application of STPA to safety review purposes.
So far, high-level radiation-related hazards have been identified, control structures have been built, and STPA (steps 1 and 2) has been performed on several process loops. In doing so, questions were raised that led to the following methodological proposals:
- Decompose controlled processes into several controlled attributes
- Strip the system representation (control structures) of safety-related elements so as to check whether those elements actually mitigate the hazards that the system may face
- Represent “veto” powers as control information
- Standardize the presentation and tracking of hazards, safety constraints, unsafe control actions, hazardous scenarios, and design rationale.
A project report including our findings and proposals will be available for download on this website in Fall 2012. They will also be documented in Blandine Antoine’s PhD dissertation.
John’s work involves creating a structured process to perform an STPA hazard analysis and to create safety requirements for complex software- and human-intensive systems. This work includes defining a mathematical structure underlying STPA that can be used to rigorously identify hazardous control actions in a system. He has also developed algorithms to automatically generate formal safety-critical, model-based system and software requirements or to detect flaws in a set of existing requirements. The same process can be applied to functional (non-safety) goals of the system, thereby permitting the automated detection of conflicts between safety and other requirements during early system development.
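The two passages above (the proposals to standardize the tracking of hazards, safety constraints, unsafe control actions and hazardous scenarios, and the work on a rigorous structure for identifying hazardous control actions and detecting conflicts between safety and functional requirements) describe a procedure that is easiest to see on a small worked case. The following Python is an illustration added here, not the MIT group’s tooling: it enumerates a context table for one control action, turns every hazardous cell into an unsafe control action (UCA) with a tracked identifier, inverts each UCA into a safety constraint, and checks a set of existing requirements for conflicts (a requirement that demands the hazardous behaviour) and gaps (a UCA no requirement constrains). The `beam_on` action, its process-model variables, the hazards H1 to H3 and the requirements R1 to R3 are a constructed toy model, not a description of the PROSCAN design.

```python
"""Added illustration (not the MIT group's tooling): STPA-style identification
of unsafe control actions (UCAs) from a context table, derivation of safety
constraints, and a check of existing requirements for conflicts and gaps.
The control action, variables, hazards and requirements are a constructed toy
model, not a description of PROSCAN."""
from dataclasses import dataclass
from itertools import product

# Two of STPA's four UCA categories are enumerated over the context table;
# "too early/too late" and "stopped too soon/applied too long" are handled the
# same way once timing and duration variables are added to the process model.
PROVIDED = "provided"
NOT_PROVIDED = "not provided"


@dataclass(frozen=True)
class UCA:
    """One row of the UCA table: action, how it is unsafe, the process-model
    context that makes it unsafe, and the hazards it can lead to."""
    id: str
    action: str
    kind: str
    context: tuple   # sorted (variable, value) pairs
    hazards: tuple   # hazard identifiers, e.g. ("H1", "H2")

    def constraint(self) -> str:
        """Invert the UCA into the safety constraint the design must enforce."""
        ctx = " and ".join(f"{k}={v}" for k, v in self.context)
        verb = "must not be provided" if self.kind == PROVIDED else "must be provided"
        return f"SC-{self.id[4:]}: {self.action} {verb} when {ctx}  [{', '.join(self.hazards)}]"


@dataclass(frozen=True)
class Requirement:
    """Existing requirement: action must (provide=True) or must not
    (provide=False) be issued whenever the partial context `when` holds."""
    id: str
    action: str
    provide: bool
    when: tuple      # partial context, (variable, value) pairs

    def covers(self, context) -> bool:
        return set(self.when) <= set(context)


def contexts(variables):
    """Enumerate the full context table: every combination of process-model values."""
    names = sorted(variables)
    for values in product(*(variables[n] for n in names)):
        yield tuple(zip(names, values))


def identify_ucas(action, variables, hazard_rule):
    """Apply hazard_rule(kind, context_dict) -> tuple of hazard ids to every
    (kind, context) cell of the table; non-empty results become UCAs."""
    ucas = []
    for ctx in contexts(variables):
        for kind in (PROVIDED, NOT_PROVIDED):
            hz = hazard_rule(kind, dict(ctx))
            if hz:
                ucas.append(UCA(f"UCA-{len(ucas) + 1}", action, kind, ctx, hz))
    return ucas


def check_requirements(ucas, requirements):
    """A conflict is a requirement demanding the hazardous behaviour in a
    hazardous context; a gap is a UCA that no requirement constrains."""
    conflicts, gaps = [], []
    for u in ucas:
        hazardous_provide = (u.kind == PROVIDED)
        matching = [r for r in requirements if r.action == u.action and r.covers(u.context)]
        bad = [r.id for r in matching if r.provide == hazardous_provide]
        if bad:
            conflicts.append((u.id, bad))
        if not any(r.provide != hazardous_provide for r in matching):
            gaps.append(u.id)
    return conflicts, gaps


# --- constructed toy model (hypothetical, not PROSCAN) -----------------------
HAZARDS = {
    "H1": "patient exposed to beam while not correctly positioned",
    "H2": "patient receives dose beyond the prescribed amount",
    "H3": "treatment interrupted with prescribed dose remaining",
}
VARIABLES = {
    "patient_positioned": ("yes", "no"),
    "prescribed_dose_remaining": ("yes", "no"),
    "interlock": ("clear", "tripped"),
}


def beam_on_rule(kind, c):
    """Hazard rule for the toy model: the analyst's judgement, encoded."""
    hz = []
    if kind == PROVIDED:
        if c["patient_positioned"] == "no":
            hz.append("H1")
        if c["prescribed_dose_remaining"] == "no":
            hz.append("H2")
        if c["interlock"] == "tripped":
            hz += ["H1", "H2"]   # the interlock guards both hazards
    elif (c["patient_positioned"], c["prescribed_dose_remaining"], c["interlock"]) == ("yes", "yes", "clear"):
        hz.append("H3")          # withholding beam_on when it is safe to treat
    return tuple(dict.fromkeys(hz))   # de-duplicate, keep order


REQUIREMENTS = [
    Requirement("R1", "beam_on", provide=False, when=(("interlock", "tripped"),)),
    # Functional requirement written without the safety context: too broad.
    Requirement("R2", "beam_on", provide=True, when=(("prescribed_dose_remaining", "yes"),)),
    Requirement("R3", "beam_on", provide=False, when=(("patient_positioned", "no"),)),
]

if __name__ == "__main__":
    ucas = identify_ucas("beam_on", VARIABLES, beam_on_rule)
    for u in ucas:
        print(u.constraint())
    conflicts, gaps = check_requirements(ucas, REQUIREMENTS)
    print("conflicts:", conflicts)   # R2 demands beam_on in three hazardous contexts
    print("gaps:", gaps)             # the overdose UCA with interlock clear has no constraint
```

Run as a script, it prints the eight constraints, flags the functional requirement R2 as conflicting with three UCAs (it demands beam-on whenever dose remains, including when the patient is not positioned or the interlock has tripped), and reports one gap: nothing forbids beam-on when no dose remains but the interlock is clear. The context-table enumeration is exhaustive, so the completeness of the result depends only on the process-model variables the analyst chose, which is where the decomposition into controlled attributes proposed above matters.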
Cody Harrison Fleming
Cody is a PhD student in the Department of Aeronautics and Astronautics. He is interested in developing methods to assist in design and architectural trade decisions during early phases of complex system development. He is currently working on safety assurance of critical systems in the Federal Aviation Administration’s NextGen system, a radical overhaul of aviation and air traffic management in the United States and abroad; development of innovative spacecraft technologies for both NASA and the Japanese Space Agency; mission assurance for orbital rendezvous systems; and next-generation human space flight technologies.
Cody grew up in Ames, IA and received a bachelor’s degree in mechanical engineering from Hope College in Holland, MI. He then received a master’s degree from MIT before working in the aerospace industry on spacecraft and laser systems for several years. He enjoys playing basketball and, when he has a few days away from the city, loves long backpacking trips.
John is currently in the first year of the ESD PhD program, planning to complete a thesis on a new approach to food safety in the US. John hopes to expand his perspective on complex systems and what is required to make large-scale change in a system such as the US food production system. He is committed to helping make a leap forward in food safety in the US through the application of Prof Nancy Leveson’s STAMP/STPA approach to safety of our food supply.
John Helferich graduated from MIT in 1979 with a degree in Chemical Engineering. John had a 28-year career in R&D with P&G, Ocean Spray Cranberries, and Mars, Incorporated. John was appointed in 1995 to the position of Vice President of R&D for the US division of Mars, Incorporated. During his tenure, Mars made great strides in globalizing its technology development, improving its product development process, and protecting its intellectual property. These improvements resulted in improved product innovation and led Mars to industry-leading initiatives such as improving the sustainability of the global cocoa crop, demonstrating the health benefits of cocoa and chocolate, and the MyM&Ms personalized candy business.
Bill is in his second year of a PhD program in the Engineering Systems Division at MIT. His research focuses on applying system-theoretic approaches to improve operational design and mission assurance in cyberspace. He is applying STAMP/STPA in the security domain as a means to facilitate more effective discourse between operations strategists and cyber security experts.
Bill was commissioned in 1991 after graduating from the United States Air Force Academy with a degree in Engineering Science. He is also a graduate of the US Air Force Weapons School, USAF School of Advanced Air & Space Studies (SAASS), and the Air War College’s Grand Strategy Program. Bill has interned with NASA, the Office of the Secretary of Defense, and the Air Force CHECKMATE strategy division at the Pentagon. He is a former Dana Meadows Leadership Fellow with the Sustainability Institute and has more than 2,400 flying hours in various aircraft.
Connor is a first-year master’s student in MIT’s Aero/Astro department and a Draper Laboratory Fellow at the Charles Stark Draper Laboratory. He received a B.S. in Aerospace Engineering (Aeronautics) and a commission as a naval officer from the United States Naval Academy (USNA) in 2011. His research applies STPA to the NASA/JAXA Global Precipitation Measurement (GPM) satellite. He also conducted directed energy research at USNA and the Institute for Defense Analyses. Upon completing his degree program, Connor will report to flight training in Pensacola, FL.
Project: The NASA/JAXA Global Precipitation Measurement (GPM) satellite will provide rain and snow measurements worldwide every three hours using the Dual-frequency Precipitation Radar (DPR) and the GPM Microwave Imager (GMI). The satellite will improve knowledge of the Earth’s water cycle and its link to climate change. The purpose of the system safety analysis using STPA is to identify hazards not found through the traditional hazard analysis methods conducted previously. The results will be compared with the traditional fault tree produced by NASA for the satellite.
His Ph.D. research is on Space Logistics under the supervision of Prof. Oli de Weck, but he has been working as a Research Assistant on a grant from the Japanese Space Agency (JAXA and JAMSS) to apply STPA to the ISS rendezvous and capture operation of JAXA’s HTV spacecraft. He has also applied STPA to the multiple-controller problem, where uncoordinated interactions happen among multiple controllers controlling the same process.
New Students Starting in the Fall, 2012
Dan is in the first year of a PhD program in the Department of Aeronautics and Astronautics and has a Draper fellowship. He holds a BS from the Air Force Academy, an MS from the Air Force Institute of Technology, and an MS from the Air Force Test Pilot School at Edwards Air Force Base, CA. He has served 10 years in the active duty military as a defense R&D program manager and developmental flight test engineer and has experience flying over 25 military/civilian aircraft. Dan is interested in human factors and the optimization of human-machine interfaces for performance and safety in complex, highly automated systems. He enjoys time with his dogs and any excuse to do something outdoors.
Cameron graduated from the U.S. Naval Academy with a degree in Aerospace Engineering (Aeronautics) and started the master’s program in the MIT Aeronautics and Astronautics Department in the fall of 2012. He is currently investigating interoperability, Integrated Modular Avionics, and future NextGen applications through the lens of the STAMP model. Designated for naval flight school following the completion of his master’s degree, Cameron is also interested in applying his research to Naval Aviation and the military in general. Outside of this he has a passion for flying and enjoys traveling the globe when afforded the opportunity.
Ian has a bachelor’s degree in aero/astro engineering from MIT and worked in a technical rotation program at Boeing before returning to MIT. He started the master’s program in TPP in Fall 2012.
Seth has a bachelor’s degree in mechanical engineering from North Carolina State University. He started the master’s program in ESD in Fall 2012.
Soshi works as a high-speed rail engineer for the Central Japan Railway Company. He has been working recently on SC-MAGLEV (Super-Conducting MAGnetic LEVitation). He has bachelor’s and master’s degrees in mechanical engineering from Kyoto University. His research interests involve enhancing the safety of rail transport, particularly MAGLEV.
Francisco Luis de Lemos
Project: Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants
The use of digital instrumentation and controls introduces new challenges to the assurance and licensing of nuclear power plants. The goal of this research is to demonstrate the applicability, feasibility, and relative efficacy of using a new systems approach and hazard analysis technique (STPA) to help meet these challenges. A systems approach has the potential to augment the existing review and certification regime not only to provide a means to assess hazards associated with the introduction of digital technology in nuclear power plants, but also tools to evaluate the extent to which these hazards are adequately mitigated by the encompassing system architecture and to generate recommendations for safety-driven improvement when they are needed.
The research will determine whether the current evaluation framework can be made more efficient and more effective by the addition of these new tools, and identify which aspects of the current framework might benefit. It will also demonstrate how the new tools can fit within the existing NRC regulatory framework for validating retrofits of existing plants and certification of new designs that include safety-related digital systems. While STPA has been used on other complex systems, it has not yet been applied to reactor control systems. The research will demonstrate whether the use of STPA could be an effective method (at the “guidance” level) to meet the requirements set by NRC regulation.
Mario is visiting from the Technical University of Vienna and works in computer science.
Filmon is part of the SAVED project at the Instituto Superior Tecnico in Portugal, which is part of the MIT-Portugal program. His thesis, which is under the supervision of Prof. Jose Viegas, involves developing a systems approach to eliminate or mitigate the impact of ‘driving errors’ on motorways by using the driving competence and performance of drivers to limit their driving degree of freedom, i.e., “Driver Competence and Performance-Responsive Traffic Management Scheme”.
During his stay at MIT, he is working on the policy side of SAVED, the legal and institutional issues related to restricting the driving degree of freedom of drivers.
Andrei is a short term visitor from the Technion in Israel.
Melissa is a Master’s student in the Technology and Policy Program, which is in the Engineering Systems Division at MIT. Her thesis applies the STAMP-based accident analysis methodology (CAST) to a non-physical system, the financial crisis of 2007. Her thesis looks specifically at the rapid loss of control over its solvency that the broker/dealer Bear Stearns experienced in March 2008, and attempts to treat that event in the same way that CAST treats other accidents. She has enjoyed her work with Professor Leveson, applying CAST and STAMP to many different types of systems, but especially the application to air traffic control systems under the NextGen upgrade regime.
Melissa has a BA in Economics from Wellesley College, and a certificate in Computer Science from Tufts University. Prior to rejoining the academic world, she spent several years working as an information technology consultant in the financial sector, an experience that certainly led to her desire to use STAMP to engineer a better financial regime! When not engaged in her studies, Melissa enjoys experimenting in her kitchen and doing crossword puzzles. She also loves to ride her bicycle during the warm months and has occasionally completed a sprint-distance triathlon or two (completed, not competed!). When she can she loves to travel and experience new cultures and especially new foods.
Airong is a Master’s student in the System Design and Management Program. In her thesis work, she uses STAMP (System-Theoretic Accident Model and Processes) to analyze the 2011 China high-speed train accident, in order to understand the accident systematically and generate recommendations for overall railway safety practices in China. She also applies STPA (System-Theoretic Process Analysis) to the development of an advanced train control system, the Communication Based Train Control (CBTC) system, to show its advantages in analyzing system hazards and guiding system design when developing safety-critical systems.
Prior to MIT, Airong worked for several years in the railway industry in Beijing, China.