This introductory tutorial will introduce the four basic STPA steps for those new to STPA. It will be similar to the online "Introduction to STPA" tutorial on the tutorials page.
In this session, we will take you on our STPA adoption journey at Google. We'll cover:
- The big picture: Adoption of STPA at Google
- 3 adoption challenges
- Deep-dive: Google Maps data product risks
STPA Google Risk
Internet
9:30am
32-123
STPA Applied to Rotorcraft Flight Controls
David Cummins (Bell Flight), John Thomas and Rodrigo Rose (MIT)
This discussion will show how STPA analysis of human interaction with a rotorcraft flight control system can identify hazardous functionality, outside of failure condition assessment alone. The discussion covers:
- Unintuitive design
- Missing functionality and feedback
- Implicit and flawed assumptions about operator beliefs
Operator feedback, flight control, flight control modes
Best practices for facilitating a CAST, to include:
- The facilitator's roles and responsibilities
- The size, knowledge, and roles of the project group
- Structure of interviews and investigation
- How to report out CAST to non-technical leaders
Aviation, Airline, CAST, Systems Thinking, American
Lightning talk will highlight recent and current STPA research at AFIT to include: autonomous fighter aircraft, resilient space architecture, and SysML-RAAML integration efforts to achieve DOD digital engineering mandates.
STPA, coordination, space architecture, autonomy, RAAML, MBSE
Aviation
11:00am
32-123
STPA Applied to a Machine Learning Aircraft Before Flight Testing
This talk investigates the utility of STPA for analyzing safety before flight testing an Uncrewed Air Vehicle (UAV) controlled by neural network-based flight autonomy software. The host UAV included various control regimes and handoffs over the course of a sortie, including human control, traditional autopilot, and artificial intelligence autonomy software trained using Deep Reinforcement Learning (DRL) machine learning techniques. The flight test operational environment included flight in both civil and restricted airspace, and at least one nearby crewed chase aircraft to observe the UAV in flight. STPA was applied after traditional airworthiness and safety assessment processes but before flight test to identify and mitigate potential new hazards associated with the UAV technology and its operation.
Artificial intelligence, machine learning, autonomy, flight test
This talk presents lessons learned from teaching STPA at Google:
- Traditional STPA examples of physical systems are not easily relatable for software developers, and can lead to skepticism regarding STPA’s value
- We achieved higher learner engagement by giving examples of STPA applied to actual Google infrastructure and software
- We increased interest in STPA by emphasizing STPA’s ability to analyze feedback paths, something not addressed by other software design/risk analysis methodologies.
- To accommodate busy schedules, we are pursuing a tiered approach with initial, short tutorials to capture interest, then a multi-day workshop to practice applying STPA on a real system.
Training
Software systems
Adoption
Internet
12:00pm
Lunch
1:00pm
32-141
How to Introduce STPA to Leadership
John Thomas (MIT), Bill Young (Security Concepts and Strategic Design, LLC)
Instructors will share successful approaches to introduce STPA to management executives. Participants will be asked for questions they've gotten from their leadership and any stumbling blocks encountered when introducing new approaches. A set of slides to introduce STPA to leadership will be provided to participants.
- Introduce STPA for coordination and teaming, and analysis of unsafe collaborative control
- Beneficial for those wanting to learn additional STPA guidance to model and design multi-controller system architectures and interactions
- Discussions and examples from the aerospace industry
STPAmaster is a solution to integrate STPA with safety management systems and systems engineering applications. Some of its core features were implemented into the “STPAmaster Lite”, a free Google Sheets-based STPA tool. Its main features are:
- Support of the entire STPA
- Automation of routine work
- Check for basic errors
- Simple and universal application
Tools
4:50pm
32-Hall
Networking and Discussion Session
5:30pm
32-Hall
Light Dinner Buffet & Networking
- Destructive behaviors (DB) are those exhibited by individuals who injure themselves or others and are unable to continue to function as part of a unit.
- Using STPA to understand the causes underlying DB onset within key at-risk Navy populations
- presents an example of applying STPA to investigate organizational and leadership aspects of an organization’s safety management system
- gives insight into the utility of using STPA to evaluate social and organizational aspects of the system for hazards
safety management system; human factors; social systems; organization factors
- This work utilizes a systematic approach (STPA) to better understand OR crises (e.g. asystolic cardiac arrest, air embolism, unexplained hypotension/hypoxia), which can be crucial for designing effective support tools and protocols to enhance patient safety.
- Detailed analysis of unsafe control actions and inadequate feedback for each role (surgeon, anesthesiologist, nurse) helps in understanding specific pitfalls and improving response strategies during OR crises.
- Identifies potential mental model flaws that could affect decision-making processes.
- Designed and tested an AR application to address some potential decision-making pitfalls due to flawed mental models.
STPA, Patient Safety, Control Actions, Mental Models, Augmented Reality (AR)
- Design improvements to address ineffective user-device interactions.
- STPA's usefulness in elucidating and characterizing these problems, including language barrier, rescuer stress, coordination among multiple bystander rescuers, etc.
- Analysis decisions are explored, including the choice of hazard statements, the rationale for arranging the elements in the control structure, the identification of unsafe control actions and causal scenarios, and the organization of results.
- Presentation facilitates wider application of STPA for medical device design by showcasing the ability to innovate the next generation of AED with the use of STPA and highlighting key analysis decisions and results.
STPA, medical devices, processes, next generation AED, SAE STPA Recommended Practice J3187-5
- Safety Analysis Overview: Approach, Project Management, Findings, Implementation Plans
- Experience with CAST Application: Application Specifics, Comparison with Traditional RCA, Complements with Human Factors Methods, Timeline, Lessons Learned/Takeaways, Future Applications
- Key Findings:
-- CAST can generate unique findings outside of traditional RCA, SEIPS PETT Scan, etc.
-- Control structures are effective models to visualize systems and identify areas of focus and improvement
-- CAST is a valuable and feasible tool to be used in safety analyses of health systems
Systems Safety, Healthcare, Interventional Radiology, Site Identification, Wrong Site Procedures, Human Factors, Safety Culture, Complex Systems
- We demonstrate an application of STPA to a complex, sociotechnical system
- We identify systemic factors that underlie adverse events involving laboratory medicine
- We propose recommendations to address the systemic factors
- Focus: ethical and safety concerns of AI
- Key issues: (1) the value of introducing a universally accepted definition of safe AI; (2) the value of appropriate standardisation and interoperability in AI.
- Problem: how do we regulate something we do not understand or something that is constantly changing?
- Solution: use of STAMP (and STPA principles) to help understand the meaning of ‘safe AI’ and lay the foundation and structure towards regulating AI safety
- Outcome: create a set of regulatory AI Accountability and Responsibility Tools based on STAMP in collaboration with regulators
This interactive session will discuss the promises as well as the dangers of introducing AI into safety-critical systems, ethical considerations, limitations of human or software safety monitors for AI systems, and other principles regarding the potential introduction of AI.
AI
12:00pm
Lunch
1:00pm
32-123
Boeing High Energy Management System (HEMS)
Lori Smith, Marc Nance, Phil Specht, Jesse Goodman, and Peregrin Spielholz (Boeing)
- As aerospace products have become increasingly complex, defining and ensuring worker safety during building, testing and maintaining products has also become more challenging.
- Engineering team selected STPA as the analysis method to determine how future aircraft and other products can be designed to reduce the risk to mechanics and maintainers as they conduct their tasks.
- STPA was used to analyze each of the subsystems with the goal of writing a set of system-level requirements to be included in the design of the next models of aircraft.
- The systems analysis using STPA resulted in generating a robust set of requirements that were complete and of high quality.
The authors of this presentation struggled to produce a set of UCAs that felt complete with regard to flight test applications. They developed a technique to visualize control actions in the time domain to aid in UCA development.
- Understanding our Struggle with UCA development
- Visualizing UCAs using timing diagrams
- Using the visualization to develop UCAs.
During our STPA project for future aircraft design, we used a diverse team which included test pilots, engineers and designers to work on the project. Pilot involvement has been a unique and extremely helpful addition: they are inherently “systems thinkers” and fantastic at supporting all phases of the STPA process. We used STPA in the concept development phase to uncover unknown unknowns, before an aircraft architecture was developed, allowing us to use the control structure as a basis for future aircraft architecture. Our biggest finding so far has been that STPA allowed us to develop a set of requirements where 90% of them were either improving a previous set or were new requirements.
Boeing, Product Development, systems engineering, aircraft design, pilots
During civil aircraft certification, we often make assumptions used to bound failure condition effects, their classification, and therefore the resulting design level of rigor. This presentation will show some ways in which STPA can be used to challenge the assumptions made, and provide useful insight into their validity early on in the safety assessment process.
Transponder, human factors, workload, degraded safety margins, collision, ATC
Aviation
2:30pm
Break
2:50pm
32-123
Comparison of Hazard Analysis Methods applied to Flight Safety Systems
Antonio Vinicius Diniz Merladet (Brazilian Air Force), Chiara Manfletti (Technical University of Munich, Chair of Space Mobility and Propulsion), Carlos Henrique Netto Lahoz (Aeronautics Institute of Technology (ITA)), Diogo Silva Castilho and Rodrigo de Melo Silveira (Brazilian Air Force)
- Comparisons of STPA with traditional hazard analysis methods for applications related to Flight Safety Systems for launch vehicle operations.
- Some safety constraints, loss scenarios and recommendations obtained by the STPA application were not obtained from the other methods.
- The research highlights advantages of STPA over other hazard analysis methods based on the results of this specific application.
Comparison of hazard analyses methods; STPA; FTA; FMEA; HAZOP; FHA; CCA.
- Overview of the NRC staff’s recent efforts to grow the capability to review an applicant’s STPA.
- Lessons learned to support capabilities to review STPA-based or STPA-informed submittals.
- ISO 26262 work products are obligatory for certification and assessment in the European Automotive industry
- Deriving ISO 26262 and ISO 21434 work products efficiently from STPA results
- Prioritizing STPA results in line with ISO 26262
Automotive
STPA prioritization
ISO 26262
Car series production
The author would like to present a recent application of STPA to model the structure of a government-funded project related to the development of EVs. The analysed system involves a diverse range of stakeholders, including regulators and funding authorities from the Government, certification agencies related to vehicle type approval and ISO26262 certification, funded stakeholders involving the EV OEM and its tier 1 and tier 2 suppliers, vendors of relevant parts, and the public.
Motivations of the application:
1. To provide project stakeholders insights into the project structure.
2. To identify existing or potential flaws of the project structure.
3. To create a blame-free working culture.
Aviation
10:00am
32-123
Recommendations for Flight Safety Systems Through STPA Application
Antonio Vinicius Diniz Merladet (Brazilian Air Force), Carlos Henrique Netto Lahoz (Aeronautics Institute of Technology (ITA)), Chiara Manfletti (Technical University of Munich), Diogo Silva Castilho and Rodrigo de Melo Silveira (Brazilian Air Force)
- Application of STPA to improve safety measures for Launch Vehicles and Flight Operations.
- Proposal of safety measures for launch vehicles and flight operations.
- Safety recommendations obtained from systemic analysis, previous launch operations, and evaluation processes of flight safety systems.
- Recommendations were compared with international standards and regulations to obtain suggestions for improvement and to promote uniformity.
Focusing on the management of safety and performance risks on railway infrastructure projects, we have applied STPA to model the feedback loops and enterprise-wide controls that are activated by the integration of human factors interventions as part of engineering safety management.
This presentation will highlight how the work has allowed us to:
- Understand the processes and incentives which govern system development.
- Identify opportunities to improve the efficiency with which human-centred design is embedded into projects at all phases of the lifecycle.
- Create a reference model to test and iterate structural changes for the coordination and control of human systems integration.
STPA Enterprise Application
Rail
Human Factors and Ergonomics
Human Systems Integration
Safety Management System
HF
This presentation shares opportunities, challenges and lessons learned in integrating STPA as part of Europe’s Rail landscape.
Topics include:
- Strategies to integrate existing requirements into the STPA process
- Linking STPA results to solution concepts
- Validating assumptions
For this presentation, the authors will discuss how STPA results should be integrated into an Architecture Framework to communicate the recommendations, requirements and scenarios to the project team and stakeholders.
An architecture framework is important because it helps to manage the complexity of the system and to create visualizations, models, and viewpoints, which must be understandable. Architecture frameworks establish which results are focused on a set of objectives and integrate different perspectives for managing decisions, information and interfaces.
Thus, an Architectural Framework containing a set of viewpoints for the STPA analysis, together with its typical contents, will be presented.
The lightning talk will highlight the new ISO standard currently under development, which explains the kinds of cyber threats in space, the goals of this initiative, and how STPA was recommended as a better approach to cybersecurity analysis to be applied in space systems.