Research Associates, Students, and Visitors


Professor Nancy Leveson

Nancy Leveson is Professor of Aeronautics and Astronautics and also Professor of Engineering Systems at MIT. She is an elected member of the National Academy of Engineering (NAE). Prof. Leveson conducts research on the topics of system safety, software safety, software and system engineering, and human-computer interaction. In 1999, she received the ACM Allen Newell Award for outstanding computer science research and in 1995 the AIAA Information Systems Award for “developing the field of software safety and for promoting responsible software and system engineering practices where life and property are at stake.” In 2005 she received the ACM Sigsoft Outstanding Research Award. She has published over 200 research papers and is author of two books, “Safeware: System Safety and Computers” published in 1995 by Addison-Wesley and “Engineering a Safer World” published in 2012 by MIT Press. She consults extensively in many industries on the ways to prevent accidents.

Please see her personal website here.

Research Staff

John Thomas

John is on the research staff in the department of Aeronautics and Astronautics at MIT. In 2013 he received his Ph.D. from MIT, and he holds bachelor’s and master’s degrees in computer engineering.

John’s work involves creating structured processes for analyzing complex software and embedded systems, especially systems that may behave in unanticipated, unsafe, or otherwise undesirable ways through complex interactions with each other and their environment. By using control theory and systems theory in an STPA framework, more efficient and effective design and analysis processes can be defined to prevent flaws that lead to unsafe or unexpected behaviors when integrated with other systems. More recently he has been applying these techniques to automated systems that are heavily dependent on human interactions and may not only experience human error but may inadvertently induce human error through mode confusion, clumsy automation, and other mechanisms that can be difficult to anticipate.

John’s work also includes defining a formal structure underlying an STPA-based process that can be used to help ensure potentially hazardous or undesirable behaviors are systematically identified. He has also developed algorithms to automatically generate formal executable and model-based requirements for software components as well as methods to detect flaws in a set of existing requirements. The same process can be applied to both safety and functional goals of the system, thereby permitting the automated detection of conflicts between safety and other requirements during early system development.


Cody Fleming

Cody is a postdoctoral associate in the Department of Aeronautics and Astronautics, where he received his Ph.D. He is interested in developing methods to assist in design- and architectural- trade decisions during early phases of complex system development. He is currently working on safety assurance of critical systems in the Federal Aviation Administration’s NextGen system, a radical overhaul of aviation and air traffic management in the United States and abroad; development of innovative spacecraft technologies for both NASA and the Japanese Space Agency; mission assurance for orbital rendezvous systems; and next-generation human space flight technologies.

Cody grew up in Ames, IA and received a bachelor’s degree in mechanical engineering from Hope College in Holland, MI. He then received a master’s degree from MIT before working in the aerospace industry on spacecraft and laser systems for several years. He enjoys playing basketball and, when he has a few days away from the city, loves long backpacking trips.


MIT Students

Bill Young

Bill is in a PhD program in the Engineering Systems Division at MIT. His research focuses on applying system-theoretic approaches to improve operational design and mission assurance in cyberspace. He is applying STAMP/STPA in the security domain as a means to facilitate more effective discourse between operations strategists and cyber security experts.

Bill was commissioned in 1991 after graduating from the United States Air Force Academy with a degree in Engineering Science. He is also a graduate of the US Air Force Weapons School, USAF School of Advanced Air & Space Studies (SAASS), and the Air War College’s Grand Strategy Program. Bill has interned with NASA, the Office of the Secretary of Defense, and the Air Force CHECKMATE strategy division at the Pentagon. He is a former Dana Meadows Leadership Fellow with the Sustainability Institute and has more than 2,400 flying hours in various aircraft.

Dan Montes

Dan is a PhD student in the Department of Aeronautics and Astronautics. He has served 12 years in the Air Force as a defense R&D program manager and flight tester. Dan is interested in the performance and safety of complex systems with skilled-operator cultures. He and his wife Mel enjoy life with their dogs and any excuse to travel and enjoy the outdoors.

Adam Williams

Adam is in his second year as a PhD student in the Engineering Systems Division at the Massachusetts Institute of Technology. His research focuses on applying system-theoretic approaches to improve how security is understood for complex systems. Extending the security-related work of the lab, Adam is looking to illustrate the benefits of a STAMP and STPA-based security methodology for a range of applications-including security for ports and facilities that host nuclear materials. He is also interested in incorporating a more robust organizational theory component into STPA analysis.

Adam is also a Senior R&D Systems Engineer in the international nuclear security engineering department at Sandia National Laboratories. Prior to returning to graduate school, Adam was involved in numerous nuclear security-related projects, including conducting vulnerability assessments, designing physical protection systems and planning other international security engagement projects within Office of International Material Protection and Cooperation (NNSA/NA-25) and Office of Nonproliferation and International Security (NNSA/NA-24) programs.

Kip Johnson

Kip is a first year graduate student, and an MIT Lincoln Laboratory Military Fellow. He is pursuing a PhD in the Department of Aeronautics & Astronautics at MIT. His research is looking at how to engineer and analyze safe and secure integration of Unmanned Aerial Systems into manned flight operations. His current focus is developing System Theoretic Process Analysis for Safety Driven Design of human-automation ontologies that will enable safe and secure National Airspace System integration.

Kip holds a BS in Aero from the US Air Force Academy, an MS in Aero/Astro from MIT, and an MS in Flight Test Engineering from the US Air Force Test Pilot School. He is an experimental test pilot, having flown over 25 different aircraft.

Cameron Thornberry

Cameron graduated from the U.S. Naval Academy with a degree in Aerospace Engineering (Aeronautics) and started the master’s program in the MIT Aeronautics and Astronautics Department in the fall of 2012. He is currently investigating interoperability, Integrated Modular Avionics, and future NextGen applications through the lens of the STAMP model. Designated for naval flight school following the completion of his master’s degree, Cameron is also interested in applying his research to Naval Aviation and the military in general. Outside of this he carries a passion of flying and enjoys traveling the globe when afforded the opportunity.

Seth Placke

Seth is a master’s student in the Engineering Systems Division at MIT. He is interested in how systems evolve during concept development to become prototype and ultimately fielded designs. Seth is currently working to develop methods that provide additional guidance and rigor when applying STPA to complex networks of control systems.

Seth grew up in Greensboro, NC and obtained a B.S. in Mechanical Engineering from North Carolina State University. When away from school, he enjoys playing guitar and exploring New England with his wife.

Soshi Kawakami

Soshi works as a high-speed rail (HSR) engineer for the Central Japan Railway Company. He has been working recently on SC-MAGLEV (Super-Conducting MAGnetic LEVitation). He has bachelor’s and master’s degrees in mechanical engineering from Kyoto University. His research interests involve enhancing the system safety of HSR transportation. He is now focusing on the ongoing HSR project in the northeast corridor (NEC) from a perspective of safety management as well as technological innovation. He makes a point that, in the planning process, safety should be brought up as a core value of the project because it is deeply related to the institutional framework, the regulations, and the dynamics of the industry — the pace and complexity of innovating technologies and business structures — as past rail accidents in UK and China or recent Boeing 787′s safety problems exemplify. He plans to apply STAMP to risk analysis of the HSR project management in the NEC.

Previous Students and Visitors

Francisco Luis de Lemos

 Project: Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants
The use of digital instrumentation and controls introduces new challenges to the assurance and licensing of nuclear power plants. The goal of this research is to demonstrate the applicability, feasibility, and relative efficacy of using a new systems approach and hazard analysis technique (STPA) to help meet these challenges. A systems approach has the potential to augment the existing review and certification regime not only to provide a means to assess hazards associated with the introduction of digital technology in nuclear power plants, but also tools to evaluate the extent to which these hazards are adequately mitigated by the encompassing system architecture and to generate recommendations for safety-driven improvement when they are needed.
The research will determine if the current evaluation framework can be made more efficient and more effective by the addition of these new tools and identify which aspects of the current framework might benefit. It will also demonstrate how the new tools can fit within the existing NRC regulatory framework for validating retrofit of old plants and certification of new designs that include safety-related digital systems. While STPA has been used on other complex systems, it has not yet been applied to reactor control systems. The research will demonstrate whether the use of STPA could be an effective method (at the “guidance” level) to meet the requirements set by NRC regulation.

Mario Bernhart

Mario visited from the Technical University of Vienna and works in computer science.

Filmon Habtemichael

Filmon is part of the SAVED project at the Instituto Superior Tecnico in Portugal, which is part of the MIT-Portugal program. His thesis, which is under the supervision of Prof. Jose Viegas, involves developing a systems approach to eliminate or mitigate the impact of  ‘driving errors’ on motorways by using the driving competence and performance of drivers to limit their driving degree of freedom, i.e., “Driver Competence and Performance-Responsive Traffic Management Scheme”.

During his stay at MIT, he worked on the policy side of SAVED, the legal and institutional issues related to restricting the driving degree of freedom of drivers.

Andrei Katz

Andrei was a short term visitor from the Technion in Israel.


Comments are closed.