Safety-III: A Systems Approach to Safety and Resilience in Healthcare and Other Complex, Adaptive Systems
Nancy Leveson. MIT Whitepaper. Jan 2026.
A holistic safety approach, based on system theoretic concepts, is used in many industries, particularly aviation and air transportation, to significantly decrease accident rates. This paper describes how that approach could reduce adverse events in the complex, adaptive healthcare system and other sociotechnical systems. The difference is shown between this new systems approach and what is done or being proposed today as represented by Safety-II and High Reliability Organization (HRO) practices.

System Safety for Health Information Technology
John Thomas, Eugenia Kim, Polly Harrington, Nancy Leveson. MIT Technical Report. Sep 2025.
Health information technology (HIT) systems, including Clinical Decision Support Systems (CDSS), are central to modern healthcare but depend on effective oversight, feedback, and management to function safely and efficiently. This report uses System-Theoretic Process Analysis (STPA) to examine the U.S. Department of Veterans Affairs’ (VA) HIT environment, identifying how governance structures, communication flows, and technical controls interact to influence safety and performance. The analysis considers both technological and organizational dimensions, recognizing that systemic factors in management and oversight are as critical as the software itself. Seven systemic factors were found to contribute to recurring weaknesses: unused or delayed feedback, reactive monitoring, limited resources, inadequate oversight, competing priorities, lack of clinical rule ownership, and insufficient learning from past events. These issues cut across technical, procedural, and institutional boundaries, revealing that many failures emerge not from technology alone but from how it is governed and maintained. The report recommends specific measures to establish new oversight roles, strengthen proactive monitoring, improve vendor coordination, ensure adequate resources, and better integrate lessons from root cause analyses. By addressing these systemic deficiencies, the VA can evolve from a reactive approach to a proactive, systems-based model that supports safer and more effective use of CDSS and the broader HIT infrastructure.
Keywords: STPA, HIT Systems, VA, Veterans Affairs

A Safety Management System for Health Information Technology (HIT)
Nancy Leveson, John Thomas, Stephen Powell, Abigail Williams, Alana Keller. MIT Technical Report. Sep 2025.
Healthcare can learn from industries that treat safety as a science, not a reaction. This report shows how hospitals can shift from firefighting crises to preventing them, saving lives and resources in the process. The key is adopting a Safety Management System (SMS) grounded in three practices:
- Hazard analysis: identifying dangers before harm occurs.
- Prevention over reaction: building resilience instead of waiting for failure.
- Separating safety from reliability: because reliable systems can still be unsafe.
An effective SMS rests on four pillars: strong safety culture and policy, hazard control, operational management, and continuous learning, all supported by a powerful Safety Information System (SIS) that captures and shares safety intelligence across the organization. The Veterans Health Administration (VHA) can lead this transformation by designing an SMS tailored to its mission and structure. Using tools like System-Theoretic Process Analysis (STPA), the VHA can uncover hidden hazards, streamline communication, and make safety a proactive, data-driven function. This transformation represents a deep cultural and operational shift within healthcare. A strong safety system embeds accountability and learning into everyday practice, turning information into prevention and insight into action. By strengthening the flow of safety knowledge and aligning leadership, staff, and technology under a shared framework, organizations can move beyond compliance toward continuous improvement. The result is a healthcare environment where errors are rare, lessons are shared, and safety is designed for, not hoped for.
Keywords: SMS

Safety Analysis and Design Improvement for Semi-Automatic Train Operation (STO) in High-Speed Rail Using STPA
Wataru Suzuki. MIT Master's Thesis. May 2025.
In Japan, the Tokaido Shinkansen, a major high-speed rail corridor, plans to introduce Grade of Automation 2 (GoA2) through Semi-Automatic Train Operation (STO). While partial automation promises advantages such as reduced driver workload and enhanced efficiency, it also creates new risks due to increasingly complex interactions among automated control systems, human operators, and physical infrastructure. This thesis aims to systematically identify and address potential hazards arising from STO in high-speed rail. By using the Tokaido Shinkansen’s announced plan as a model case, the research seeks to uncover scenarios in which normal, non-failed system behaviors can still lead to unsafe outcomes, and to propose design solutions that mitigate those risks early in development. To achieve this, the study applies Systems-Theoretic Process Analysis (STPA). Rather than isolating hardware and function failures, STPA models the entire system as a hierarchical control structure, examining each controller’s possible unsafe actions and their feedback pathways. The analysis reveals hazard scenarios that traditional failure-based methods might overlook. Examples include cases where a passenger is not detected between the train and platform doors at departure, or where verbal and signal instructions conflict and delay the driver’s response. These scenarios can happen even without any component failure. Drawing on these insights, the thesis recommends a variety of design improvements, such as new monitoring functions for subsystems, modifying instruction interfaces, and strengthening the software logic of automation systems. These findings demonstrate the value of conducting a holistic safety analysis using STPA at the conceptual design stage, before late-stage changes become more expensive. Moreover, this research provides a comprehensive, system-level railway hazard analysis, and the proposed measures can be broadly applicable to high-speed rail systems with automation.

Destructive Behaviors in Naval Shipyards: A STAMP and System Dynamics Analysis
Braden C. Brower. MIT Master's Thesis. May 2025.
United States Navy Refueling and Complex Overhauls (RCOHs) can expose Sailors to harsh industrial conditions, degraded quality of life, heavy workloads, and manning shortfalls, factors that heighten risks of suicide and substance abuse. These destructive behaviors undermine well-being, morale, and readiness, as seen in recent investigations into shipyard-period suicides. This thesis applies Causal Analysis based on Systems Theory (CAST) to the USS George Washington RCOH, identifying flaws in the Navy’s safety control structure. A complementary System Dynamics model highlights reinforcing feedback loops and a “capability trap” driven by resource and personnel constraints. The analysis reveals systemic shortcomings in resourcing, planning and oversight, feedback mechanisms, and assumptions about Sailor resilience. System-level reforms are proposed to improve decision-making, strengthen feedback, enforce well-being safeguards, and promote organizational learning. These measures aim to reduce destructive behaviors and build a safer, more resilient environment for future RCOHs.
Keywords: CAST

Challenges in Deploying the Oracle Cerner EHR and Potential Paths Forward
Nancy Leveson, Stephen Powell. MIT Technical Report. Apr 2025.
Since 2018, the Department of Veterans Affairs (VA) has attempted to transition from its legacy VistA system to an Oracle Cerner commercial-off-the-shelf (COTS) electronic health record (EHR). This transition has been marked by significant technical deficiencies, including a 39% defect rate in the clinical data dictionary and critical usability flaws that contributed to adverse patient events and deaths. Beyond software defects, the rollout suffered from project management problems, the exclusion of clinical expertise during procurement, and a lack of clear system requirements. Despite a 2023 pause to address these issues, a 2025 report indicates that many problems, including "orphan codes" and provider inefficiencies, persist. These and other contributing factors are explored in detail, as are possible solutions. With estimated costs escalating from $16 billion to $50 billion, simply continuing the rollout under current conditions poses an unacceptable risk to patient safety and fiscal responsibility, particularly amidst a 15% reduction in the VA workforce. This report evaluates three strategic paths: (1) continuing with Millennium only after exhaustive remediation of identified defects; (2) partnering with industry to develop a modernized EHR platform based on contemporary data models; or (3) contracting for a specialized system tailored to the VA’s unique clinical complexities. The authors conclude that the VA must adopt rigorous systems engineering processes and prioritize clinical safety over rapid deployment to avoid further harm to the Veteran population.

A Systems-Theoretic Framework for Safety-Driven Development of System Architectures
Justin Poh. MIT Dissertation. Feb 2025.
Structured and systematic processes are proposed to help systems engineers use the STPA results to develop the required control behavior of the system and explore possible system architecture options to implement that control behavior. This framework enables systems engineers to make more informed early architectural design decisions driven by safety considerations. The framework is applied to an Urban Air Mobility (UAM) case study to demonstrate that it provides the necessary design support to enable the development and refinement of an air traffic management (ATM) architecture for UAM.

Integrating Vision Systems and STPA for Robust Landing and Take-Off in VTOL Aircraft
Sandeep Banik, Jinrae Kim, Naira Hovakimyan, Luca Carlone, John P. Thomas, and Nancy G. Leveson. Jan 2025.
Vertical take-off and landing (VTOL) unmanned aerial vehicles (UAVs) are versatile platforms widely used in applications such as surveillance, search and rescue, and urban air mobility. Despite their potential, the critical phases of take-off and landing in uncertain and dynamic environments pose significant safety challenges due to environmental uncertainties, sensor noise, and system-level interactions. This paper presents an integrated approach combining vision-based sensor fusion with System-Theoretic Process Analysis (STPA) to enhance the safety and robustness of VTOL UAV operations during take-off and landing. By incorporating fiducial markers, such as AprilTags, into the control architecture, and performing comprehensive hazard analysis, we identify unsafe control actions and propose mitigation strategies. Key contributions include developing the control structure, with a vision system capable of identifying a fiducial marker and a multirotor controller, together with the corresponding unsafe control actions and mitigation strategies. The proposed solution is expected to improve the reliability and safety of VTOL UAV operations, paving the way for resilient autonomous systems.

A Systems-Theoretic Approach to Organizational Design and Analysis
Lauren E. Gutierrez. MIT Master's Thesis. Jan 2025.
Large organizations, especially public sector bureaucracies and major private firms, face persistent challenges in organizational design. Their size and complexity often lead to fragmented, ineffective approaches to improving efficiency and effectiveness. Viewing organizations as social systems, Systems Theory offers a way to study how internal interactions shape overall behavior. Traditional methods focus on optimizing parts, but this rarely produces system-level improvement. This thesis introduces a systems-theoretic approach, adapting the Systems-Theoretic Accident Model and Processes (STAMP) and extending Systems-Theoretic Process Analysis (STPA) for organizational use. A Department of Defense reorganization serves as a case study, demonstrating Systems-Theoretic Organizational Design and Analysis (STAODA) as a tool for evaluating design options.

Application of Causal Analysis based on Systems Theory (CAST) to Regulatory Decision-Making: A Case Study of the Sikorsky S92A
Clementino R. Veras Neto, Rodrigo L. Rose, John Thomas. Journal of Aerospace Science and Technology. Jan 2025.
Ensuring aviation safety requires maintaining the integrity of product design and operations. The Federal Aviation Administration (FAA) regulates Transport Category rotorcraft design through 14 CFR Part 29, establishing Categories A and B of certification for multiengine rotorcraft, and requires aircraft to be operated according to the certified procedures in flight manuals. This paper presents a case study of the Sikorsky S92A, a Transport Category rotorcraft that is not certified for elevated helideck operations according to Part 29, but operates primarily in the offshore market through FAA-authorized exemptions from applicable regulation. To understand how this discrepancy between the aircraft’s certification and operation came to be, a relatively new accident analysis methodology called Causal Analysis based on Systems Theory (CAST) is applied to a hypothetical accident involving an S92A, strongly based on a real incident described in a service difficulty report. The CAST results identify unsafe decisions on the part of flight crews, air operators, the aircraft manufacturer, and the FAA that contribute to the accident. We explain these contributions by identifying several systemic factors generalizable to the entire offshore rotorcraft industry that underlie unsafe decisions, and we propose a set of recommendations to address them.
Keywords: Certification, helicopter, rotorcraft, offshore

CAST of an Adverse Event Involving Laboratory Data
Polly Harrington, John Thomas, Nancy Leveson, Stephen Powell, Alana Keller. MIT Technical Report. Sep 2024.
This report documents the results of a CAST (Causal Analysis based on Systems Theory) analysis of an adverse event involving laboratory diagnostic testing in a clinical setting. CAST uses systems theory to understand how the interactions within the broader system led to unanticipated and undesirable outcomes [1]. The goal of CAST is to understand and address the systemic causes of an incident in order to prevent other adverse events with similar causes from happening in the future. CAST avoids blaming individuals and instead tries to identify why actions that were ultimately unsafe appeared reasonable at the time. The analysis resulted in the identification of several systemic factors that contributed to the adverse event, ranging from the communication and coordination between departments and individuals to economic pressures and insufficient regulatory controls regarding laboratory testing. CAST provided dozens of recommendations in addition to the changes that were made after the initial incident investigation.
Keywords: Healthcare

Evaluation of System-Theoretic Process Analysis (STPA) for Improving Aviation Safety
FAA and John Thomas. Report No. DOT/FAA/TC-24/16. Jul 2024.
This report summarizes the results of a joint effort by civil aviation authorities to learn System-Theoretic Process Analysis (STPA) and evaluate its applicability to aviation safety, including safety management, aircraft development, safety assessment, and certification. Subject matter experts (SMEs) from FAA, EASA, ANAC, ICAO, and NASA participated to investigate STPA's capabilities, existing STPA uses in industry, STPA results and findings that have been produced by industry, and how the STPA method and its capabilities compare to current approaches and recent accidents, including the 737 MAX. The SMEs explored STPA during a series of technical interchange meetings, workshops, and hands-on projects where participants reviewed STPA and applied the methodology to real systems. The SMEs from these agencies identified STPA benefits, limitations, and applicability for use by both regulatory authorities and industry. Their findings are summarized in this report.

System Safety of Over-the-Counter and Point-of-Care Testing
Nancy Leveson, John Thomas, Polly Harrington, Rodrigo Rose. MIT Technical Report. Jul 2024.
This study applies System-Theoretic Process Analysis (STPA) to over-the-counter (OTC), point-of-care (POC), and in vitro diagnostic (IVD) testing. The analysis examines how unsafe control actions and design weaknesses can lead to patient harm or erosion of trust in laboratory data. Using models informed by stakeholder interviews, the study explored how the decentralized, adaptive nature of OTC and POC testing affects data integrity and oversight. Results show that OTC and POC test data are inconsistently collected, underused, and poorly integrated into broader healthcare systems. This limits regulators’ ability to make informed decisions, hinders timely patient care, and prevents effective monitoring of device performance. Traditional laboratory controls were found inadequate for these decentralized testing environments, highlighting the need for governance structures suited to varied settings outside conventional laboratories. Four main systemic factors were identified: decentralized and missing oversight, lack of operational specificity in oversight frameworks, flawed communication and coordination, and gaps in laboratory data standards and usage. Each contributes to fragmented control and weak accountability. Recommendations include clarifying regulatory responsibilities, tailoring oversight frameworks to diverse testing contexts, improving data communication and reporting platforms, and increasing the adoption of consistent data standards. Collectively, these measures would create a more coherent, reliable, and safe laboratory data ecosystem for OTC and POC testing.

A Safety-Driven Approach to Exploring and Comparing Air Traffic Management Concepts for Enabling Urban Air Mobility
Justin Poh, Nancy G. Leveson, Natasha A. Neogi. 2024 International Conference on Research in Air Transportation. Jul 2024.
There is broad recognition that the high tempo and density of Urban Air Mobility (UAM) operations will require identifying new Air Traffic Management (ATM) concepts to safely integrate UAM air traffic into the airspace alongside existing air traffic. However, the simulation models used to compare ATM concepts today are difficult to apply during the early stages of concept development and do not offer enough support in identifying potential new concepts. In addition, they have limited ability to evaluate ATM concepts in terms of safety, security, and other key emergent properties. Instead of using simulation to evaluate ATM concepts, this paper demonstrates how a safety-driven systems engineering approach based on Systems-Theoretic Accident Model and Processes (STAMP) can be used to design properties such as safety into an ATM system from the earliest stages of development. Using a hazard analysis technique called Systems-Theoretic Process Analysis (STPA), system requirements and the desired ATM behavior are derived. As an example, two possible ATM concepts to implement that behavior are compared to identify their safety-related benefits and tradeoffs. This new approach enables (1) systematic exploration of alternative ATM concepts and (2) identification of the safety-related tradeoffs between concepts as early as possible in the development process.
Keywords: System Safety, Systems Engineering, Architecture Development, Urban Air Mobility, Air Traffic Management

System-Theoretic Process Analysis of a Novel Airborne Laser Communication System
Brittany Bishop. MIT Master's Thesis. Jun 2024.

Systems Theoretic Process Analysis as a Practical Tool for Comprehensive Flight Test Hazard Identification
Noam Eisen. MIT Master's Thesis. May 2024.

Certification of Safety-Critical Systems
Nancy Leveson and John Thomas. Communications of the ACM. Oct 2023.
Keywords: Standards, Regulation, Certification

Safety Implications of Autonomous Vehicles: System-Theoretic Process Analysis Applied to a Neural Network-Controlled Aircraft
Ryan Bowers and John Thomas. Society of Flight Test Engineers, 54th Annual International Symposium. Oct 2023.
Keywords: STPA, Unmanned, UAV, UAS, Flight Test

System Safety within Laboratory Data Exchanges Report
Nancy Leveson, John Thomas, Polly Harrington, and Rodrigo Rose. MIT/Synensys Technical Report to the FDA. Sep 2023.
This study applied System-Theoretic Process Analysis (STPA) to the U.S. diagnostic laboratory data ecosystem to understand how interactions across its many components can contribute to preventable medical errors. By interviewing fifty stakeholders from across government agencies, laboratories, healthcare organizations, and industry, researchers developed a system control structure model that captures how diagnostic data is ordered, processed, and shared. The analysis focused on two key hazards, patients receiving less than acceptable care and loss of trust in laboratory data, and identified hundreds of unsafe actions and causal scenarios contributing to these outcomes. The findings reveal deep systemic flaws rather than isolated failures. Oversight of laboratory data is fragmented across agencies, leaving regulatory gaps and unclear accountability for data exchanges. Laboratory data standards are often ambiguous, outdated, or inconsistently implemented, leading to interoperability and safety issues. Stakeholders commonly misperceive the risks associated with health information technology (HIT), resulting in limited safety oversight and inadequate reporting of HIT-related incidents. Additionally, a lack of system-wide perspective leads organizations to pursue local fixes that do not address root causes, while poor communication and coordination further weaken safety controls. Twelve key recommendations address these flaws. They include assigning responsibility for cross-agency regulatory gaps, maintaining up-to-date and unambiguous data standards, improving education on systems-based safety methods, and strengthening national reporting and oversight mechanisms for HIT safety. The report calls for regulatory reform to integrate safety into HIT certification, incentives for adopting certified systems, and formal mechanisms for laboratorians to contribute to multidisciplinary data management decisions. The study concludes that persistent problems arise in the interactions between components rather than within them. Drawing parallels to aviation safety, the report argues that adopting a systems-theoretic approach, focused on governance, feedback, and interaction control, offers the most viable path toward meaningful and sustained improvement in healthcare safety and reliability.
Keywords: Healthcare, STPA, Organizational

Comparative Analysis of Hazard and Operability Study (HAZOP) and Systems Theoretic Process Analysis (STPA)
Faisal Jamal, Kamran Arif, Arooba Arooj, and John Thomas. AIChE Safety Symposium. Aug 2022.
This blind study evaluates and compares STPA with the standard HAZOP method commonly used for Process Hazard Analysis (PHA). Both methods were applied by independent and qualified expert teams to uncover flaws in a real system. Neither team had any preexisting knowledge of the flaws before applying the methods. The system contained real flaws that had led to adverse events during the operation of the system, but this was not known by the teams applying HAZOP or STPA. The outcomes and recommendations of HAZOP and STPA are compared to determine what differences exist, if any, and to identify whether gaps exist for modern process industry applications. The HAZOP and STPA results are also compared to the corrective actions produced after the hazardous and costly incident during operation. The STPA method was found to capture hazardous human- and automation-related behaviors that were missed by HAZOP, and STPA generated critical recommendations missed by HAZOP that would have prevented the real adverse events. The STPA results anticipated the causes and corrective actions that were otherwise only discovered after the hazardous and costly event during system operation.
Keywords: Comparison

A Top-Down, Safety-Driven Approach to Architecture Development for Complex Systems
Justin Poh. MIT Master's Thesis. Feb 2022.

Investigation of the Use of CAST at the NRC
John Thomas, Sushil Birla, Bernard Dittman, and Mauricio Gutierrez. U.S. Nuclear Regulatory Commission (NRC). Sep 2021.
This project explores the learnability and suitability of CAST (Causal Analysis Based on System Theory) to support investigations or analysis of events in the nuclear industry and to more broadly understand the potential of STAMP-based methods. A series of five engagements introduced staff members of the U.S. Nuclear Regulatory Commission (NRC) to CAST and elicited feedback on the learnability limitations experienced by the NRC. The five engagements included a CAST seminar series, two CAST workshops, and two leadership seminars to introduce and present preliminary results to selected NRC managers. Key findings from this investigation are the following:
- The NRC staff participants demonstrated the ability to learn the concepts underlying CAST.
- The NRC staff participants demonstrated the ability to use CAST to analyze nuclear industry events and identify causes that were overlooked by teams using traditional methods.
- The NRC staff participants found that CAST is a suitable complement to existing regulatory activities and would be beneficial in analysis of operating experience events, licensee event reports (LERs), investigations, and inspections.
- Introduction of such techniques in the NRC’s processes will require a more proactive approach and investment.

Investigation of the Use of STPA at the NRC
John Thomas, Sushil Birla, Bernard Dittman, and Mauricio Gutierrez. U.S. Nuclear Regulatory Commission (NRC). Sep 2021.
This project investigates how the U.S. Nuclear Regulatory Commission (NRC) staff can best build up the capability to independently review STPA (System-Theoretic Process Analysis) submittals from applicants and licensees and to more broadly understand the potential of STAMP-based methods. A series of seminars, workshops, and a discussion forum introduced the NRC staff to STPA and elicited feedback on the benefits, limitations, and applicability for use by the agency. The series included six seminars, four workshops, and a forum to discuss the relationship between STPA and probabilistic risk assessment (PRA). Key findings from this investigation include the following:
- The NRC staff participants demonstrated the ability to learn the concepts behind STPA; previous experience with other hazard analysis (HA) methods did not prove to be a significant impediment.
- The NRC staff participants demonstrated the ability to use STPA to discover real flaws in I&C design, requirements, and architecture that were overlooked by teams using traditional methods.
- The NRC staff participants identified and understood the potential benefit to the agency of using STPA and STAMP-based methods.
- The NRC staff participants believe that STPA is a suitable complement to existing regulatory activities and would be beneficial in regulatory reviews and oversight, as in the following examples:
  - The NRC could streamline Chapter 7, "Instrumentation and Controls," of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (the SRP), because STPA connects the analysis closely to the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," especially Appendix A, "General Design Criteria for Nuclear Power Plants."
  - The NRC could use STPA to simplify and streamline the regulatory guidance infrastructure for digital I&C (DI&C).

A System-Theoretic Approach to Risk Analysis
Dro Gregorian and Sam Yoo. MIT Master's Thesis. Jun 2021.
Modern systems are growing so complex that traditional risk tools can no longer reveal the dangers hiding in their interactions. This work shows how widely used risk matrices, built on subjective likelihood estimates and component-failure logic, can miss hazards that emerge long before anything breaks. This thesis reframes risk as a control problem rather than a stochastic problem, redefining the concept of risk. The work is used to prioritize the findings from STPA according to risk, including unsafe interactions, hidden assumptions, and system-level vulnerabilities that standard methods overlook. The result is a new STPA-Informed Risk Matrix (SRM) that replaces guesswork with structured mitigation effectiveness, enabling clearer, earlier, and more actionable safety decisions. The process is demonstrated on a future rotary-wing aircraft program.
Keywords: risk matrix, probability, STPA

A More Powerful Approach to Process Safety
Nancy Leveson. MIT White Paper. Feb 2021.

A Systemic Approach Toward Scalable, Reliable and Safe Satellite Constellations
Alan Kharsansky. MS Thesis, MIT, SDM Program. Aug 2020.
Keywords: Other Emergent System Properties, System Engineering, Spacecraft, Space

Safety-III: A Systems Approach to Safety and Resilience
Nancy Leveson. MIT White Paper. Jul 2020.
Recently, there has been a lot of interest in some ideas proposed by Prof. Erik Hollnagel and labeled as “Safety-II” and argued to be the basis for achieving system resilience. He contrasts Safety-II to what he describes as Safety-I, which he claims to be what engineers do now to prevent accidents. What he describes as Safety-I, however, has very little or no resemblance to what is done today or to what has been done in safety engineering for at least 70 years. This white paper describes the history of safety engineering, provides a description of safety engineering as actually practiced in different industries, shows the flaws and inaccuracies in Prof. Hollnagel’s arguments and the flaws in the Safety-II concept, and suggests that a systems approach (Safety-III) is a way forward for the future.

Limitations of Safety Assurance and Goal Structuring Notation (GSN)
Nancy Leveson. MIT White Paper. Jul 2020.
People are putting a lot of effort into figuring out how to assure a system is safe after the system design is completed. This white paper presents some of the difficulties and alternatives to emphasizing after-the-fact assurance of safety.

A Design Process and Certification Strategy for Autonomous Vehicles
Michael Sebastian Schmid. MIT M.S. Thesis, Aeronautics and Astronautics. Jun 2020.
Keywords: Standards, Regulation, Certification, Naval

Application of Hierarchy to STPA: A Human Factors Study on Vehicle Automation
Rachel Cabosky (supervised by John Thomas). MIT Master's Thesis. Jun 2020.
Demonstrates STPA on an automotive example, including three iterations of analysis, evaluating the new scenario development process, and evaluating how much impact certain control structure errors have on the STPA results.

Using STPA and CAST to Design for Serviceability and Diagnostics
Hannah M. Slominski. MIT Master's Thesis, System Design and Management. May 2020.
Keywords: Other Emergent System Properties, System Engineering, Naval

Are You Sure Your Software Will Not Kill Anyone?
Nancy Leveson. Communications of the ACM. Feb 2020.

STPA Compliance with MIL-STD-882E and Army Safety Standards
Nancy G. Leveson. MIT White Paper. 2020.
Keywords: Standards, Regulation, Certification, Defense, Military

An Improved Design Process for Complex, Control-Based Systems Using STPA and a Conceptual Architecture Nancy Leveson MIT White Paper This paper proposes augmenting the standard V-model to assist in designing human-cyber-physical systems. A new process to create a Conceptual Architecture is inserted after Concept Development and Requirements Engineering and before detailed physical/logical Architecture Development. In the standard V-model, going from a high-level conceptual view of a system or CONOPS, agreed upon by the stakeholders, to detailed requirements and then to a physical/logical architecture requires a lot of big jumps without having much assistance in making the design decisions involved. These jumps need to be simplified and assistance provided in making them if we want to produce better designs. Too often we find later that there are potential safety and security issues in the architecture generated. Changes to achieve these and other critical system properties may by then be either enormously expensive or even infeasible, requiring operational controls of limited effectiveness and reliability. Some upgrades may be impossible or very expensive. A conceptual architecture can also augment our ability to produce user-centered designs. We blame most accidents on the operators (pilots, drivers, etc.) but have few tools that can forge an effective partnership between human factors experts who are designing system interfaces (control panels, displays, physical controls) and operator procedures and the engineers who are focusing on the physical (hardware) and logical (software) parts of the system. Too often today, these two groups work relatively independently and we end up creating systems with the potential for mode confusion, situational awareness problems, etc. These problems need not have been created if the designers could work together effectively as an integrated team. For this they need common models and language. The process of creating a conceptual architecture will not only make it easier to design safety, security, and other emergent properties into these systems from the beginning, but also provide tremendous increases in our ability to assure, operate, maintain, and evolve these systems within reasonable cost limits. It could also have important uses in the certification of safety-critical systems. | Jan 2020 |
Updating the Concept of Cause in Accident Investigation Nancy Leveson, Darren Straker, Shem Malmquist ISASI (International Society of Air Safety Investigators) | Sep 2019 |
Investigating Accidents in Highly Automated Systems: Systemic Problems Identified Through Analysis of Air France 447 Nancy Leveson, Darren Straker, Shem Malmquist ISASI (International Society of Air Safety Investigators) Accident Analysis (CAST), Aviation, Aircraft, Military Aviation | Sep 2019 |
Active STPA: Integration of Hazard Analysis into a Safety Management System Framework Diogo Silva Castilho Ph.D. Dissertation, Aeronautics and Astronautics Hazard Analysis (STPA), Airlines | Sep 2019 |
Shortcomings of the Bow Tie and other Safety Tools Based on Linear Causality Nancy Leveson MIT White Paper For some reason, bow tie diagrams are becoming widely used and are thought to be relatively new. Actually, they date back to the early 1970s and seem to have been rediscovered and greatly simplified in the 1990s. They are the least powerful and least useful modeling and diagramming language available. In this paper, I explain why the standard safety tools based on linear causality (including bow ties) oversimplify the cause of accidents, omitting the most important causal factors, and underestimate the level of risk in a system. Special emphasis is placed on Bow Tie diagrams, including their problems and limitations. | Sep 2019 |
Increasing Learning from Accidents: A Systems Approach Illustrated by the UPS Flight 1354 CFIT Accident Shem Malmquist, Nancy Leveson, Gus Larard, Jim Perry, and Darren Straker MIT Technical Report Accident Analysis (CAST), Aviation, Aircraft, Military Aviation | May 2019 |
How to Perform Hazard Analysis on a ‘System-of-Systems’ Nancy Leveson MIT White Paper The term “system-of-systems” is misleading and hindering progress. This paper describes why this is true and shows how STPA can be used to perform hazard analysis on what has been labeled (erroneously) a system-of-systems using an extremely complex defense system as an example. | May 2019 |
Improving the Standard Risk Matrix: Part 1 Nancy Leveson MIT White Paper The Risk Matrix is widely used but has many limitations. This white paper describes the problems with the standard Risk Matrix and how to improve the results obtained by using it. A second part is in preparation that suggests a change to the Matrix and the standard definition of risk. | Feb 2019 |
Systems Theoretic Process Analysis Applied to Manned-Unmanned Teaming Jeremiah Robertson MIT Master's Thesis Hazard Analysis (STPA), Unmanned, UAV, UAS | Jan 2019 |
An Engineering Perspective on Avoiding Inadvertent Nuclear War Nancy Leveson MIT White Paper | Jan 2019 |
Systems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development Sarah E. Summers (Major, USAF) MIT Master's Thesis Hazard Analysis (STPA), Standards, Regulation, Certification, Aviation, Aircraft, Military Aviation, Unmanned, UAV, UAS | Feb 2018 |
Systems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development Sarah Summers MIT Master's Thesis The Air Force experienced 12 Class A aviation mishaps in 2016, which resulted in 16 fatalities and 9 destroyed aircraft. So far in 2017, the Air Force has again experienced 12 Class A mishaps with 5 fatalities and 7 destroyed aircraft. (1) In addition to these mishaps, development of new aircraft or modifications to aircraft often take well over the planned duration. Developmental test identifies design deficiencies that must be addressed before the aircraft is fielded, which requires expensive and lengthy redesign cycles. A systems approach to design with humans included as part of the system can improve both the development process and aviation safety. Such an approach was created by Professor Nancy Leveson at MIT and is called Systems Theoretic Process Analysis (STPA). STPA is shown to be applicable to the Air Force acquisitions process throughout the product lifecycle. STPA is also compliant with the airworthiness handbook, MIL-HDBK-516C, and STPA documentation is beneficial to the airworthiness certification inspectors. STPA is applied to two use cases. One is a conceptual JSTARS aircraft, and the other is an unmanned aerial vehicle (UAV) that was modified from a general aviation aircraft. The Air Force is currently in source selection for a replacement to the JSTARS aircraft. The high-level STPA analysis is for a functional replacement to the JSTARS aircraft, as would be needed early in the acquisitions process. Additionally, accidents, hazards, and a safety control structure are developed for the JSTARS support system. The UAV analysis is more detailed, and provides information that is necessary during the Technology Maturation & Risk Reduction phase of an acquisition process. | Feb 2018 |
STPA for Continuous Controls: A Flight Testing Study of Aircraft Crosswind Takeoffs Diogo Silva Castilho, Ligia M.S. Urbina, and Donizeti de Andrade Safety Science | 2018 |
STPA Handbook Nancy Leveson and John Thomas MIT | 2018 |
System-Theoretic Process Analysis of Space Launch Vehicles John Rising and Nancy Leveson Journal of Space Safety Engineering, Elsevier Hazard Analysis (STPA), Spacecraft, Space | 2018 |
The Danger of a 'Safety Case' Nancy G. Leveson MIT White Paper Standards, Regulation, Certification | 2018 |
Safety Analysis in Early Concept Development and Requirements Generation Nancy G. Leveson INCOSE International Symposium | 2018 |
Requirement Generation for Highly Integrated Aircraft Systems Through STPA: An Application Andrea Scarinci, Amanda Quilici, Danilo Ribeiro, Felipe Oliveira, Daniel Patrick, and Nancy Leveson AIAA Information Systems Journal System Engineering, Aviation, Aircraft, Military Aviation | 2018 |
The Underestimated Value of Safety in Achieving Organization Goals: CAST Analysis of the Macondo Accident Maria Fernanda Tafur Munoz MIT Engineering and Management Master’s Thesis Accident Analysis (CAST), Petrochemical | Jun 2017 |
Monitoring Safety During Airline Operations: A Systems Approach Andrea Scarinci MIT Master's Thesis | Jun 2017 |
Systems-Theoretic Accident Model and Processes (STAMP) Applied to a U.S. Coast Guard Buoy Tender Integrated Control System Paul D. Stukus MIT SDM Master's Thesis Hazard Analysis (STPA), Accident Analysis (CAST), Cybersecurity, Comparison, Root Cause Analysis (RCA), Naval | Jun 2017 |
Safety Benefit Assessment, Vehicle Trial Safety and Crash Analysis of Automated Driving: A Systems Theoretic Approach Stephanie Alvarez Ecole Mines Paris Tech, Ph.D. Dissertation Hazard Analysis (STPA), Accident Analysis (CAST), Naval | Jun 2017 |
Systems-Theoretic Process Analysis of Small Unmanned Aerial System Use at Edwards Air Force Base Sarah A. Folse MIT Aeronautics and Astronautics Master's Thesis Hazard Analysis (STPA), Test and Evaluation, Unmanned, UAV, UAS | Jun 2017 |
Systems Thinking Applied to Automation and Workplace Safety Nathaniel Arthur Peper MIT Master's Thesis Hazard Analysis (STPA), Workplace Safety | Jun 2017 |
Engineering for Humans: A New Extension to STPA Megan Elizabeth France MIT Aeronautics and Astronautics Master's Thesis Human Factors, Human-Automation Interaction, Naval | Jun 2017 |
Systems-Theoretic Process Analysis and Safety-Guided Design of Military Systems David Craig Horney MIT Aeronautics and Astronautics Master's Thesis System Engineering, Unmanned, UAV, UAS | Jun 2017 |
Engineering for Humans: A New Extension to System Theoretic Process Analysis Megan France and John Thomas Int. Symposium on Aviation Psychology, Dayton Ohio Human Factors, Human-Automation Interaction, Aviation, Aircraft, Military Aviation | May 2017 |
Systems-Theoretic Safety Analyses Extended for Coordination Kip Edward Johnson MIT Dissertation Hazard Analysis (STPA), Aviation, Aircraft, Military Aviation, Unmanned, UAV, UAS, Defense, Military | Feb 2017 |
Learning from Accidents That Are a Consequence of Complex Systems John Thomas and Shem Malmquist ISASI Proceedings Accident Analysis (CAST), Aviation, Aircraft, Military Aviation | 2017 |
CAST Analysis of the Shell Moerdijk Accident Nancy G. Leveson MIT Technical Report Accident Analysis (CAST), Petrochemical | 2017 |
An Industrial Case Study on the Evaluation of a Safety Engineering Approach for Software-Intensive Systems in the Automotive Domain Asim Abdulkhaleq, Sebastian Vöst, Stefan Wagner, and John Thomas The complexity of software systems makes defining software safety requirements with traditional safety analysis techniques difficult. Based on STPA, we have developed a comprehensive software safety engineering approach in which the software and safety engineers integrate the analysis of software risks with their verification to recognize the software-related hazards and reduce the risks to a low level. In this paper, we explore and evaluate the application of our approach to a real industrial system in the automotive domain. The case study was conducted analysing the software controller of the Active Cruise Control System (ACC) from BMW Group. Verification, Formal Methods | Oct 2016 |
Safety-Guided Design Analysis in Multi-Purposed Japanese Unmanned Transfer Vehicle Ryo Ujiie System Design and Management Master's Thesis Hazard Analysis (STPA), Accident Analysis (CAST), System Engineering, Spacecraft, Space | Sep 2016 |
Systems Theoretic Accident Analysis of an Offshore Supply Vessel Collision John Michael Mackovjak Master of Science in Technology and Policy, MIT Accident Analysis (CAST), Comparison, Root Cause Analysis (RCA), Naval | Jun 2016 |
STAMP Applied to Fukushima Daiichi Nuclear Disaster and the Safety of Nuclear Power Plants in Japan Daisuke Uesako MIT Master's Thesis, System Design and Management Program Accident Analysis (CAST), Hazard Analysis (STPA), Organizational, Managerial, Social Analysis, Nuclear Power | Jun 2016 |
Systems Theoretic Process Analysis Applied to an Offshore Supply Vessel Dynamic Positioning System Blake Ryan Abrecht MIT M.S. in Engineering Systems Thesis Hazard Analysis (STPA), Accident Analysis (CAST), Comparison, MIL-STD-883, Naval | Jun 2016 |
Engineering for Humans: STPA Analysis of an Automated Parking System John Thomas and Megan France MIT Technical Report to GM An extension to STPA is proposed to anticipate potentially unsafe driver interactions, identify potential causes of these interactions, and help the engineering team develop solutions that address these interactions. An extended human controller model is developed by Thomas from previous work (Thomas, 2013) and evaluated by France on Automated Parking Assist. The extension was found to identify more complex human-automation scenarios than what is typically done otherwise. The process is applied to four different Automated Parking Assist system concepts that use different levels of automation. The scope of the analysis captures both human and automation behaviors using the same STPA approach, identifying both automated UCAs (Unsafe Control Actions) as well as human UCAs. While increasing levels of automation did reduce the impact of some human UCAs, it also introduced new types of human UCAs as well as potential for new automation UCAs. The total number of UCAs that must be prevented in the system was 50% higher for concepts with high levels of automation. Human Factors | Jun 2016 |
Systems Theoretic Process Analysis (STPA) of an Offshore Supply Vessel Dynamic Positioning System Blake Abrecht and Nancy Leveson MIT Lincoln Laboratory Research Report | Feb 2016 |
A New Approach to Hazard Analysis for Rotorcraft Blake Abrecht, Dave Arterburn, David Horney, Brandon Abel, Jon Schneider, and Nancy Leveson Proceedings of the 2016 American Helicopter Society Technical Meeting, Huntsville, AL Hazard Analysis (STPA), Comparison, MIL-STD-882, Aviation, Aircraft, Military Aviation | Feb 2016 |
Using STPA to Inform Developmental Product Testing Major Daniel R. Montes, U.S. Air Force MIT Ph.D. Dissertation Hazard Analysis (STPA), Human Factors, Human-Automation Interaction, Aviation, Aircraft, Military Aviation, Test and Evaluation | Feb 2016 |
A Systems Approach to Analyzing and Preventing Hospital Adverse Events Nancy Leveson, Aubrey Samost, Sidney Dekker, Stan Finkelstein, and Jai Raman Journal of Patient Safety Accident Analysis (CAST), Healthcare, Medical, Pharmaceutical | 2016 |
Rasmussen's Legacy: A Paradigm Change in Engineering for Safety Nancy Leveson Applied Ergonomics General, Intent Specifications, Human Factors, Human-Automation Interaction | 2016 |
Application of Systems and Control Theory-Based Hazard Analysis to Radiation Oncology Todd Pawlicki, Aubrey Samost, Derek Brown, Ryan Manger, Gwe-Ya Kim, and Nancy Leveson Journal of Medical Physics Hazard Analysis (STPA), Comparison, FMEA/FMECA, Healthcare, Medical, Pharmaceutical | 2016 |
When a Checklist Is Not Enough: How to Improve Them and What Else Is Needed Jai Raman, Aubrey Samost, Nancy Leveson, Nikola Dobrilovic, Maggie Oldham, Sidney Dekker, and Stan Finkelstein Journal of Thoracic and Cardiovascular Surgery Healthcare, Medical, Pharmaceutical | 2016 |
System Theoretic Safety Analysis of the Sewol-Ho Ferry Accident in South Korea Yisug Kwon MIT Master's Thesis Accident Analysis (CAST), Naval | Dec 2015 |
Integrating Systems Safety into Systems Engineering During Concept Development Cody Harrison Fleming and Nancy Leveson Proceedings of the 2015 International Symposium on System Engineering (INCOSE), Seattle | Jul 2015 |
Including Safety During Early Development Phases of Future Air Traffic Management Concepts Cody H. Fleming and Nancy Leveson Eleventh USA/Europe Air Traffic Management Research and Development Seminar (ATM2015) Air Traffic Control (ATC) | Jun 2015 |
A Systems Approach to Patient Safety: Preventing and Predicting Medical Accidents Using Systems Theory Aubrey Samost MIT Master's Thesis Hazard Analysis (STPA), Accident Analysis (CAST), Healthcare, Medical, Pharmaceutical | Jun 2015 |
System Theoretic Process Analysis of Electric Power Steering for Automotive Applications Rodrigo Sotomayor Martinez MIT Master's Thesis Hazard Analysis (STPA), Comparison, FMEA/FMECA, Naval | Jun 2015 |
Managing Design Changes Using Safety-Guided Design for a Safety Critical Automotive System John Sgueglia MIT Master's Thesis Hazard Analysis (STPA), System Engineering, Naval | Jun 2015 |
Identification of Leading Indicators for Producibility Risk in Early-Stage Aerospace Product Development Allen J. Ball MIT Master's Thesis Organizational, Managerial, Social Analysis, Leading Indicators, Other Emergent System Properties, Aviation, Aircraft, Military Aviation | Jun 2015 |
Incorporating New Methods of Classifying Domain Information for Use in Safety Hazard Analysis Nancy Leveson, Daniel Montes, and Leia Stirling Proceedings of the International Symposium on Aviation Psychology, Dayton, Ohio Human Factors, Human-Automation Interaction | May 2015 |
Integration of Multiple Active Safety Systems Using STPA Seth Placke, John Thomas, and Dajiang Suo SAE Technical Paper 2015-01-0277, doi:10.4271/2015-01-0277 Hazard Analysis (STPA), Feature Interaction, Integrating Multiple Control Systems, Naval | Apr 2015 |
An Integrated Approach to Requirements Development and Hazard Analysis John Thomas, John Sgueglia, Dajiang Suo, and Nancy Leveson SAE Technical Paper 2015-01-0274, doi:10.4271/2015-01-0277 Hazard Analysis (STPA), Feature Interaction, Integrating Multiple Control Systems, System Engineering, Naval | Apr 2015 |
Safety-Driven Early Concept Analysis and Development Cody Harrison Fleming MIT Ph.D. Dissertation System Engineering, Air Traffic Control (ATC) | Jan 2015 |
Integration of Multiple Active Safety Systems Using STPA John Thomas, Seth Placke, Dajiang Suo SAE World Congress
- Formal UCA development and specification
- Modeling UCAs as state transitions
- Conflict identification using formal UCAs
- Identifying critical interactions between multiple controllers
| 2015 |
A Systems Approach to Risk Management Through Leading Safety Indicators Nancy Leveson Journal of Reliability Engineering and System Safety, 136(4):17-34 Leading Indicators, System Engineering | Oct 2014 |
A systems approach to risk management through leading safety indicators Nancy Leveson Journal of Reliability Engineering and System Safety The goal of leading indicators for safety is to identify the potential for an accident before it occurs. Past efforts have focused on identifying general leading indicators, such as maintenance backlog, that apply widely in an industry or even across industries. Other recommendations produce more system-specific leading indicators, but start from system hazard analysis and thus are limited by the causes considered by the traditional hazard analysis techniques. Most rely on quantitative metrics, often based on probabilistic risk assessments. This paper describes a new and different approach to identifying system-specific leading indicators and provides guidance in designing a risk management structure to generate, monitor and use the results. The approach is based on the STAMP (System-Theoretic Accident Model and Processes) model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events or deviations from operational expectations. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory. | Oct 2014 |
The Systems Approach to Medicine: Controversy and Misconceptions Sidney W.A. Dekker and Nancy G. Leveson BMJ Quality and Safety, Vol. 24, No. 1, (online version) Healthcare, Medical, Pharmaceutical | Aug 2014 |
Application of STPA to the Integration of Multiple Control Systems: A Case Study and New Approach Matthew Seth Placke Master's Thesis, Engineering Systems Division, MIT Feature Interaction, Integrating Multiple Control Systems, Naval | Jun 2014 |
Improving Hazard Analysis and Certification of Integrated Modular Avionics Cody Harrison Fleming and Nancy G. Leveson Journal of Aerospace Information Systems, Vol. 11, No. 6 Feature Interaction, Integrating Multiple Control Systems, Software Engineering, Aviation, Aircraft, Military Aviation | Jun 2014 |
A Comparison of STPA and the ARP 4761 Safety Assessment Process Nancy Leveson, Chris Wilkinson, Cody Fleming, John Thomas, and Ian Tracy MIT Technical Report Hazard Analysis (STPA), Standards, Regulation, Certification, Comparison, Fault Tree Analysis (FTA), Aviation, Aircraft, Military Aviation | Jun 2014 |
Extending the Human-Controller Methodology in Systems-Theoretic Process Analysis (STPA) Cameron L. Thornberry Master's Thesis, Aeronautics and Astronautics, MIT Human Factors, Human-Automation Interaction | Jun 2014 |
Application of Systems-Theoretic Approach to Risk Analysis of High-Speed Rail Project Management in the U.S. Soshi Kawakami MIT Master's Thesis Organizational, Managerial, Social Analysis, System Dynamics, Healthcare, Medical, Pharmaceutical | Jun 2014 |
Improving Hazard Analysis and Certification of Integrated Modular Avionics Cody Fleming and Nancy Leveson Journal of Aerospace Information Systems Vol. 11, No. 6 Integrated modular avionics systems present new opportunities and benefits for developing advanced aircraft avionics, as well as a series of challenges related to hazard analysis and certification. This paper addresses some of those challenges and proposes a new procedure for improving hazard analysis of integrated modular avionics systems. A significant objective of integrated modular avionics architectures is the ability to develop individual software applications independently and then integrate those applications onto one platform. It has been very difficult for both designers and certifiers to understand and predict how the system will behave when the applications are integrated into one system. Traditional fault-based hazard analysis techniques are limited with respect to this problem. Therefore, this paper uses a different technique, called Systems-theoretic Process Analysis, to identify hazardous behavior that emerges when individual applications are integrated. Systems-theoretic process analysis is a systems-theoretic hazard analysis technique that accounts for hazardous behavior due to component interaction, including cases when the components have not failed or faulted. Systems-theoretic process analysis is extended in this paper to account for behavior that emerges when software applications share data, which is a requirement in aircraft systems. The paper illustrates the new approach with an example that includes real-world avionics functions. | June 2014 |
Application of CAST to Hospital Adverse Events Meaghan O'Neil MIT Master's Thesis Accident Analysis (CAST), Comparison, Root Cause Analysis (RCA), Healthcare, Medical, Pharmaceutical | May 2014 |
An Integrated Approach to Safety and Security Based on Systems Theory William Young and Nancy Leveson Communications of the ACM, Vol. 57, No. 2, pp. 31-35 | Feb 2014 |
System-Theoretic Process Analysis of the Air Force Test Center Safety Management System Nicholas Chung MIT Master's Thesis Hazard Analysis (STPA), Organizational, Managerial, Social Analysis, Aviation, Aircraft, Military Aviation, Test and Evaluation | Feb 2014 |
Letter to Editor: Challenging the Systems Approach: Why Adverse Event Rates Are Not Improving Philip Levitt, M.D. BMJ Quality & Safety General, Healthcare, Medical, Pharmaceutical | 2014 |
Our Response: The Bad Apple Theory Won't Work: Response to 'Challenging the Systems Approach: Why Adverse Event Rates Are Not Improving Sidney Dekker and Nancy Leveson BMJ Quality & Safety General, Healthcare, Medical, Pharmaceutical | 2014 |
Applying Systems Thinking to Aviation Psychology Nancy Leveson Advances in Aviation Psychology: Volume 1, Ashgate Publishing Human Factors, Human-Automation Interaction | 2014 |
A New Approach to Risk Management and Safety Assurance in Digital Instrumentation and Control Systems John Thomas and Nancy Leveson American Nuclear Society Conference Hazard Analysis (STPA), Nuclear Power | Nov 2013 |
STPA Analysis of NextGen Interval Management Components: Ground Interval Management (GIM) and Flight Deck Interval Management (FIM) Cody H. Fleming, M. Seth Placke, and Nancy Leveson MIT Research Report for FAA and Lincoln Lab Hazard Analysis (STPA), Comparison, Air Traffic Control (ATC) | Sep 2013 |
STPA Analysis of NextGen Interval Management Components: Ground Interval Management (GIM) and Flight Deck Interval Management (FIM) Cody Fleming, Seth Placke, Nancy Leveson MIT Technical Report The next generation of air traffic management systems will involve significant changes from the way ATC (air traffic control) is done today. Reliance on software is increasing and allowing greater system complexity. Humans are assuming supervisory roles over automation, requiring more cognitively complex human decision-making. Control is shifting from the ground to the aircraft, with shared responsibilities. In addition, coupling and interconnection between land, airborne, and space systems introduces more potential for accidents stemming from unsafe and unintended component interactions. STPA was used to identify several scenarios and/or causal factors that are not considered in the IM-S Concept of Operations. These additional scenarios and causal factors can be used for future revisions of the IM-S ConOps as well as in the development of detailed design documents or future revisions of IM-S platforms. | Sept 2013 |
Extending and Automating a Systems-Theoretic Hazard Analysis for Requirements Generation and Analysis John Thomas MIT Ph.D. Dissertation General, Hazard Analysis (STPA) | Jun 2013 |
Extending and Automating a Systems-Theoretic Hazard Analysis for Requirements Generation and Analysis John Thomas MIT Dissertation Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques, such as Fault Tree Analysis (FTA), that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. Although traditional techniques have been effective at analyzing and reducing accidents caused by component failures, modern complex systems have introduced new problems that can be much more difficult to anticipate, analyze, and prevent. In addition, a new class of accidents, component interaction accidents, has become increasingly prevalent in today’s complex systems and can occur even when systems operate exactly as designed and without any component failures. While STPA has proven to be effective at addressing these problems, its application thus far has been ad-hoc with no rigorous procedures or model-based design tools to guide the analysis. In addition, although no formal structure has yet been defined for STPA, the process is based on a control-theoretic framework that could be formalized and adapted to facilitate development of automated methods that assist in analyzing complex systems. This dissertation defines a formal mathematical structure underlying STPA and introduces a procedure for systematically performing an STPA analysis based on that structure. A method for using the results of the hazard analysis to generate formal safety-critical, model-based system and software requirements is also presented. Techniques to automate both the STPA analysis and the requirements generation are introduced, as well as a method to detect conflicts between safety requirements and other functional model-based requirements during early development of the system. | April 2013 |
A System Theoretic Safety Analysis of Friendly Fire Prevention in Ground Based Missile Systems Scott McCarthy MIT SDM Master's Thesis Accident Analysis (CAST), Defense, Military | Jan 2013 |
Safety Assurance in NextGen and Complex Transportation Systems Cody Harrison Fleming, Melissa Spencer, John Thomas, Nancy Leveson, and Chris Wilkinson Journal of Safety Science, 55:173-187 Comparison, Air Traffic Control (ATC) | 2013 |
Drawbacks in Using the Term "System of Systems" Nancy G. Leveson MIT White Paper | 2013 |
Hazard Analysis of Complex Spacecraft Using Systems Theoretic Process Analysis Takuto Ishimatsu, Nancy G. Leveson, John Thomas, Cody Fleming, Masafumi Katahira, Yuko Miyamoto, Ryo Ujiie, Haruka Nakao, Nobuyuki Hoshino AIAA Journal of Spacecraft and Rockets Hazard Analysis (STPA), Spacecraft, Space | 2013 |
Generating Formal Model-Based Safety Requirements for Complex, Software- and Human-Intensive Systems John Thomas and Nancy Leveson Safety-Critical Systems Club, Bristol, U.K. Hazard Analysis (STPA), System Engineering, Intent Specifications, Software Engineering | 2013 |
Software and the Challenge of Flight Control Nancy Leveson In Space Shuttle Legacy: How We Did It/What We Learned edited by Roger Launius, James Craig, and John Krige, AIAA | 2013 |
Assuring Safety of NextGen Procedures Cody H. Fleming, Nancy G. Leveson, M. Seth Placke Tenth USA/Europe Air Traffic Management Research and Development Seminar (ATM2013) System Engineering, Air Traffic Control (ATC) | 2013 |
Systems Theoretic Hazard Analysis (STPA) Applied to the Risk Review of Complex Systems: An Example from the Medical Device Industry Blandine Antoine MIT Ph.D. dissertation Hazard Analysis (STPA), Healthcare, Medical, Pharmaceutical | Dec 2012 |
Development of a Systematic Risk Management Approach for CO2 Capture, Transport, and Storage Projects Jaleh Samadi L'Ecole Nationale Superieure des Mines de Paris Ph.D. dissertation Organizational, Managerial, Social Analysis, System Dynamics, Climate Change | Dec 2012 |
Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants John Thomas, Francisco Luiz de Lemos, Nancy Leveson MIT/NRC Research Report: NRC-HQ-11-6-04-0060 Hazard Analysis (STPA), Standards, Regulation, Certification, Nuclear Power | Nov 2012 |
Applying System Engineering to Pharmaceutical Safety Nancy Leveson, Matthieu Couturier, John Thomas, Meghan Dierks, David Wierz, Bruce Psaty, Stan Finkelstein Journal of Healthcare Engineering Healthcare, Medical, Pharmaceutical, System Dynamics | Sep 2012 |
Integrating Safety into an Engineering Contractor's System Engineering Process Using the Guidelines of STAMP Lorena Pelegrin Master's Thesis, Heriot-Watt University Organizational, Managerial, Social Analysis, Intent Specifications, Petrochemical | Aug 2012 |
A CAST Analysis of a U.S. Coast Guard Aviation Mishap Jon Hickey MIT Master's Thesis, supervised by Dr. Qi van Eikema Hommes Accident Analysis (CAST), Comparison, HFACS, Aviation, Aircraft, Military Aviation, Naval | May 2012 |
Engineering Financial Safety: A System-Theoretic Case Study from the Financial Crisis Melissa Spencer MIT TPP (Technology and Policy Program) Master's Thesis Accident Analysis (CAST), Financial | May 2012 |
Application of CAST and STPA to Railroad Safety Airong Dong MIT Master's Thesis Hazard Analysis (STPA), Accident Analysis (CAST), Healthcare, Medical, Pharmaceutical | May 2012 |
A System Theoretic Analysis of the "7.23" Yong-Tai-Wen Railway Accident Dajiang Suo 1st MIT STAMP/STPA Workshop Healthcare, Medical, Pharmaceutical, Accident Analysis (CAST) | Apr 2012 |
A Systems Theoretic Application to Design for the Safety of Medical Diagnostic Devices Vincent Balgos MIT SDM Master's Thesis, supervised by Dr. Qi van Eikema Hommes Accident Analysis (CAST), Comparison, FMEA/FMECA, Healthcare, Medical, Pharmaceutical | Feb 2012 |
Engineering a Safer World: Applying Systems Thinking to Safety Nancy Leveson MIT Press | Jan 2012 |
Safety Assessment of Complex, Software-Intensive Systems Nancy Leveson, Cody Harrison Fleming, Melissa Spencer, John Thomas, Chris Wilkinson SAE International Journal of Aerospace-V121-1EJ | 2012 |
Safety Assurance in NextGen Cody Harrison Fleming, Melissa Spencer, Nancy Leveson, and Chris Wilkinson NASA Research Report NASA/CR-2012-217553 Intent Specifications, Air Traffic Control (ATC) | 2012 |
The Use of Safety Cases in Certification and Regulation Nancy Leveson Journal of System Safety Standards, Regulation, Certification | Nov 2011 |
Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems John Thomas and Nancy Leveson ISSC Proceedings | Oct 2011 |
Safety-Guided Spacecraft Design Using Model-Based-Specifications Cody Fleming, Takuto Ishimatsu, Yuko Miyamoto, Haruka Nakao, Masa Katahira, Nobuyuki Hoshino, John Thomas, and Nancy Leveson International Association for the Advancement of Space Safety Conference Hazard Analysis (STPA), System Engineering, Intent Specifications, Spacecraft, Space | Oct 2011 |
Safety-Guided Design of Crew Return Vehicle in the Concept Design Phase Using STAMP/STPA Haruka Nakao, Masa Katahira, Yuko Miyamoto, and Nancy Leveson Conference of the International Association for the Advancement of Space Safety, Versailles, France System Engineering, Spacecraft, Space | Oct 2011 |
Application of a System Safety Framework in Hybrid Socio-Technical Environment of Eurasia Azamat Abdymomunov MIT SDM Thesis Accident Analysis (CAST), Organizational, Managerial, Social Analysis | 2011 |
Accident Analysis and Hazard Analysis for Human and Organizational Factors Margaret Stringfellow MIT Ph.D. Dissertation Hazard Analysis (STPA), Accident Analysis (CAST), Organizational, Managerial, Social Analysis, Comparison, HFACS, Unmanned, UAV, UAS | Oct 2010 |
A Case Study of Vioxx Using STAMP Matthieu Couturier MIT Technology and Policy Master’s Thesis Accident Analysis (CAST), Healthcare, Medical, Pharmaceutical | Jun 2010 |
Modeling and Hazard Analysis Using STPA Takuto Ishimatsu, Nancy Leveson, John Thomas, Masa Katahira, Yuko Miyamoto, Haruka Nakao Conference of the International Association for the Advancement of Space Safety, Huntsville, Alabama Comparison, Fault Tree Analysis (FTA), Spacecraft, Space | May 2010 |
Applying Systems Thinking to Analyze and Learn from Events Nancy Leveson Safety Science, Vol. 49, No. 1, pp. 55-64 | Jan 2010 |
Systems Approach to Accident Analysis Nancy Leveson, Margaret Stringfellow, and John Thomas MIT Technical Report | 2009 |
Comparison of SOAM and STAMP for ATM Incident Investigation Richard Arnold Master's Thesis, Lund University, Sweden, supervised by Prof. Sidney Dekker Accident Analysis (CAST), Comparison, Air Traffic Control (ATC) | 2009 |
Software Challenges in Achieving Space Safety Nancy Leveson Journal of the British Interplanetary Society, Vol. 62 | 2009 |
A STAMP Analysis of the LEX Comair 5191 Accident Paul S. Nelson Master's Thesis, Lund University, Sweden, supervised by Prof. Sidney Dekker Accident Analysis (CAST), Aviation, Aircraft, Military Aviation | Jun 2008 |
Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission Brandon D. Owens, Margaret Stringfellow Herring, Nicholas Dulac, Nancy Leveson, Michel Ingham, and Kathryn Ann Weiss IEEE Aerospace Conference, Big Sky, Montana Intent Specifications, Spacecraft, Space | Mar 2008 |
A Framework for Dynamic Safety and Risk Management Modeling in Complex Systems Nicolas Dulac MIT Ph.D. Dissertation Organizational, Managerial, Social Analysis, System Dynamics, Spacecraft, Space | Feb 2007 |
Safety-Driven Model-Based System Engineering Methodology Part I: Methodology Description Brandon Owens, Margaret Stringfellow Herring, Nancy Leveson (MIT) and Mitch Ingham, Kathryn Weiss (JPL) MIT Technical Report Intent Specifications, Spacecraft, Space | 2007 |
Safety-Driven Model-Based System Engineering Methodology Part II: Application of the Methodology to an Outer Planet Exploration Mission Brandon Owens, Margaret Stringfellow Herring, Nancy Leveson (MIT) and Mitch Ingham, Kathryn Weiss (JPL) MIT Technical Report Intent Specifications, Spacecraft, Space | 2007 |
Technical and Managerial Factors in the NASA Challenger and Columbia Losses: Looking Forward to the Future Nancy Leveson Handelsman and Kleinman (editors), Controversies in Science and Technology, University of Wisconsin Press Organizational, Managerial, Social Analysis | 2007 |
Demonstration of a New Dynamic Approach to Risk Analysis for NASA's Constellation Program Nicolas Dulac, Brandon Owens, Nancy Leveson MIT Technical Report Organizational, Managerial, Social Analysis, System Engineering, System Dynamics, Spacecraft, Space | 2007 |
A System-Theoretic Hazard Analysis Methodology for a Non-Advocate Safety Assessment of the Ballistic Missile Defense System Steve Pereira, Grady Lee, and Jeffrey Howard Proceedings of the 2006 AIAA Missile Sciences Conference, Monterey, CA Hazard Analysis (STPA), Defense, Military | Nov 2006 |
Engineering Spacecraft Mission Software Using a Model-Based and Safety-Driven Design Methodology Kathryn Anne Weiss, Nicolas Dulac, Stephanie Chiesi, Mirna Daouk, David Zipkin, and Nancy Leveson AIAA Information Systems Journal | 2006 |
Risk Analysis of NASA Independent Technical Authority Nancy Leveson and Nicolas Dulac (co-investigators include John Carroll, Joel Cutcher-Gershenfeld, Betty Barrett, David Zipkin) MIT Technical Report Organizational, Managerial, Social Analysis, Spacecraft, Space | Feb 2005 |
A Systems-Theoretic Approach to Safety in Software-Intensive Systems Nancy Leveson IEEE Trans. on Dependable and Secure Computing | Jan 2005 |
A New Accident Model for Engineering Safer Systems Nancy Leveson Safety Science | Apr 2004 |
Intent Specifications: An Approach to Building Human-Centered Specifications Nancy Leveson IEEE Transactions on Software Engineering, Vol. 26, No. 1 | Jan 2000 |
Intent Specifications: An Approach to Building Human-Centered Specifications Nancy Leveson and Jon Reese MIT Technical Report | 1999 |
Analyzing Software Specifications for Mode Confusion Potential Nancy Leveson, L. Denise Pinnel, Sean David Sandys, Shuichi Koga, and Jon Damon Reese First International Workshop on Human Error and System Development, Glasgow Intent Specifications, Human Factors, Human-Automation Interaction | Mar 1997 |
Safeware: System Safety and Computers Nancy Leveson Addison Wesley | 1995 |
A Stroke Of Genius: Striving For Greatness In All You Do R.W. Hamming IEEE | Oct 1993 |