Research Associates, Students, and Visitors


Professor Nancy Leveson

Nancy Leveson is Professor of Aeronautics and Astronautics and also Professor of Engineering Systems at MIT. She is an elected member of the National Academy of Engineering (NAE). Prof. Leveson conducts research on the topics of system safety, software safety, software and system engineering, and human-computer interaction. In 1999, she received the ACM Allen Newell Award for outstanding computer science research and in 1995 the AIAA Information Systems Award for “developing the field of software safety and for promoting responsible software and system engineering practices where life and property are at stake.” In 2005 she received the ACM Sigsoft Outstanding Research Award. She has published over 200 research papers and is author of two books, “Safeware: System Safety and Computers” published in 1995 by Addison-Wesley and “Engineering a Safer World” published in 2012 by MIT Press. She consults extensively in many industries on the ways to prevent accidents.

Please see her personal website here.

Research Staff

John Thomas

John is a Research Engineer in the department of Aeronautics and Astronautics. He has a Ph.D. in Engineering Systems and holds bachelor’s and master’s degrees in computer engineering and computer science.

John’s work involves creating a structured process to perform an STPA hazard analysis and to create safety requirements for complex software- and human-intensive systems. This work includes defining a mathematical structure underlying STPA that can be used to rigorously identify hazardous control actions in a system. He has also developed algorithms to automatically generate formal safety-critical, model-based system and software requirements or to detect flaws in a set of existing requirements. The same process can be applied to functional (non-safety) goals of the system, thereby permitting the automated detection of conflicts between safety and other requirements during early system development.

MIT Students

Cody Harrison Fleming

Cody is a PhD student in the Department of Aeronautics and Astronautics. He is interested in developing methods to assist in design- and architectural- trade decisions during early phases of complex system development. He is currently working on safety assurance of critical systems in the Federal Aviation Administration’s NextGen system, a radical overhaul of aviation and air traffic management in the United States and abroad; development of innovative spacecraft technologies for both NASA and the Japanese Space Agency; mission assurance for orbital rendezvous systems; and next-generation human space flight technologies.

Cody grew up in Ames, IA and received a bachelor’s degree in mechanical engineering from Hope College in Holland, MI. He then received a master’s degree from MIT before working in the aerospace industry on spacecraft and laser systems for several years. He enjoys playing basketball and, when he has a few days away from the city, loves long backpacking trips.

John Helferich

John is currently in the first year of the ESD PhD program, planning to complete a thesis on a new approach to food safety in the US. John hopes to expand his perspective on complex systems and what is required to make large-scale change in a system such as the US food production system.  He is committed to helping make a leap forward in food safety in the US through the application of Prof Nancy Leveson’s STAMP/STPA approach to safety of our food supply.


John Helferich graduated from MIT in 1979 with a degree in Chemical Engineering.. John had a 28 year career in R&D with P&G, Ocean Spray Cranberries, and Mars, Incorporated. John was appointed in 1995 to the position of Vice President of R&D for the US division of Mars, Incorporated.  During his tenure, Mars made great strides in globalizing its technology development, improving its product development process, and protecting its intellectual property.  These improvements resulted in improved product innovation and led Mars to industry leading initiatives such as improving the sustainability of the global cocoa crop, demonstrating the exciting health benefits of cocoa and chocolate, and the MyM&Ms personalized candy business.

Bill Young

Bill is in his second year of a PhD program in the Engineering Systems Division at MIT. His research focuses on applying system-theoretic approaches to improve operational design and mission assurance in cyberspace. He is applying STAMP/STPA in the security domain as a means to facilitate more effective discourse between operations strategists and cyber security experts.

Bill was commissioned in 1991 after graduating from the United States Air Force Academy with a degree in Engineering Science. He is also a graduate of the US Air Force Weapons School, USAF School of Advanced Air & Space Studies (SAASS), and the Air War College’s Grand Strategy Program. Bill has interned with NASA, the Office of the Secretary of Defense, and the Air Force CHECKMATE strategy division at the Pentagon. He is a former Dana Meadows Leadership Fellow with the Sustainability Institute and has more than 2,400 flying hours in various aircraft.

Dan Montes

Dan is in the first year of a PhD program in the Department of Aeronautics and Astronautics and has a Draper fellowship. He holds a BS from the Air Force Academy, an MS from the Air Force Institute of Technology, and an MS from the Air Force Test Pilot School at Edwards Air Force Base, CA. He has served 10 years in the active duty military as a defense R&D program manager and developmental flight test engineer and has experience flying over 25 military/civilian aircraft. Dan is interested in human factors and the optimization of human-machine interfaces for performance and safety in complex, highly automated systems. He enjoys time with his dogs and any excuse to do something outdoors.

Adam Williams

Adam is in his second year as a PhD student in the Engineering Systems Division at the Massachusetts Institute of Technology. His research focuses on applying system-theoretic approaches to improve how security is understood for complex systems. Extending the security-related work of the lab, Adam is looking to illustrate the benefits of a STAMP and STPA-based security methodology for a range of applications-including security for ports and facilities that host nuclear materials. He is also interested in incorporating a more robust organizational theory component into STPA analysis.

Adam is also a Senior R&D Systems Engineer in the international nuclear security engineering department at Sandia National Laboratories. Prior to returning to graduate school, Adam was involved in numerous nuclear security-related projects, including conducting vulnerability assessments, designing physical protection systems and planning other international security engagement projects within Office of International Material Protection and Cooperation (NNSA/NA-25) and Office of Nonproliferation and International Security (NNSA/NA-24) programs.

Kip Johnson

Kip is a first year graduate student, and an MIT Lincoln Laboratory Military Fellow. He is pursuing a PhD in the Department of Aeronautics & Astronautics at MIT. His research is looking at how to engineer and analyze safe and secure integration of Unmanned Aerial Systems into manned flight operations. His current focus is developing System Theoretic Process Analysis for Safety Driven Design of human-automation ontologies that will enable safe and secure National Airspace System integration.

Kip holds a BS in Aero from the US Air Force Academy, an MS in Aero/Astro from MIT, and an MS in Flight Test Engineering from the US Air Force Test Pilot School. He is an experimental test pilot, having flown over 25 different aircraft.

Cameron Thornberry

Cameron graduated from the U.S. Naval Academy with a degree in Aerospace Engineering (Aeronautics) and started the master’s program in the MIT Aeronautics and Astronautics Department in the fall of 2012. He is currently investigating interoperability, Integrated Modular Avionics, and future NextGen applications through the lens of the STAMP model. Designated for naval flight school following the completion of his master’s degree, Cameron is also interested in applying his research to Naval Aviation and the military in general. Outside of this he carries a passion of flying and enjoys traveling the globe when afforded the opportunity.

Seth Placke

Seth is a master’s student in the Engineering Systems Division at MIT. He is interested in how systems evolve during concept development to become prototype and ultimately fielded designs. Seth is currently working to develop methods that provide additional guidance and rigor when applying STPA to complex networks of control systems.

Seth grew up in Greensboro, NC and obtained a B.S. in Mechanical Engineering from North Carolina State University. When away from school, he enjoys playing guitar and exploring New England with his wife.

Soshi Kawakami

Soshi works as a high-speed rail (HSR) engineer for the Central Japan Railway Company. He has been working recently on SC-MAGLEV (Super-Conducting MAGnetic LEVitation). He has bachelor’s and master’s degrees in mechanical engineering from Kyoto University. His research interests involve enhancing the system safety of HSR transportation. He is now focusing on the ongoing HSR project in the northeast corridor (NEC) from a perspective of safety management as well as technological innovation. He makes a point that, in the planning process, safety should be brought up as a core value of the project because it is deeply related to the institutional framework, the regulations, and the dynamics of the industry — the pace and complexity of innovating technologies and business structures — as past rail accidents in UK and China or recent Boeing 787′s safety problems exemplify. He plans to apply STAMP to risk analysis of the HSR project management in the NEC.

Previous Students and Visitors

Francisco Luis de Lemos

 Project: Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants
The use of digital instrumentation and controls introduces new challenges to the assurance and licensing of nuclear power plants. The goal of this research is to demonstrate the applicability, feasibility, and relative efficacy of using a new systems approach and hazard analysis technique (STPA) to help meet these challenges. A systems approach has the potential to augment the existing review and certification regime not only to provide a means to assess hazards associated with the introduction of digital technology in nuclear power plants, but also tools to evaluate the extent to which these hazards are adequately mitigated by the encompassing system architecture and to generate recommendations for safety-driven improvement when they are needed.
The research will determine if the current evaluation framework can be made more efficient and more effective by the addition of these new tools and identify which aspects of the current framework might benefit. It will also demonstrate how the new tools can fit within the existing NRC regulatory framework for validating retrofit of old plants and certification of new designs that include safety-related digital systems. While STPA has been used on other complex systems, it has not yet been applied to reactor control systems. The research will demonstrate whether the use of STPA could be an effective method (at the “guidance” level) to meet the requirements set by NRC regulation.

Mario Bernhart

Mario visited from the Technical University of Vienna and works in computer science.

Filmon Habtemichael

Filmon is part of the SAVED project at the Instituto Superior Tecnico in Portugal, which is part of the MIT-Portugal program. His thesis, which is under the supervision of Prof. Jose Viegas, involves developing a systems approach to eliminate or mitigate the impact of  ‘driving errors’ on motorways by using the driving competence and performance of drivers to limit their driving degree of freedom, i.e., “Driver Competence and Performance-Responsive Traffic Management Scheme”.

During his stay at MIT, he worked on the policy side of SAVED, the legal and institutional issues related to restricting the driving degree of freedom of drivers.

Andrei Katz

Andrei was a short term visitor from the Technion in Israel.


Comments are closed.