Systems-theoretic Safety Analyses Extended for Coordination

Total Pages : 290
OCLC : 986241526

Synopsis of Systems-theoretic Safety Analyses Extended for Coordination, by Kip Edward Johnson

When interdependent conditions exist among decision units, safety results in part from coordination. Safety analysis methods should correspondingly address coordination. However, state-of-the-art safety analysis methods have limited guidance for analytical inquiry into coordination between interdependent decision systems. This thesis presents theoretical and applied research to address the knowledge gap by extending STAMP (Systems-Theoretic Accident Model and Processes)-based analysis methods STPA (System-Theoretic Process Analysis) and CAST (Causal Analysis based on STAMP). This thesis contributes to knowledge by introducing: 1) a coordination framework for use in analysis, 2) STPA-Coordination and CAST-Coordination, which extend STPA and CAST to analyze coordination, and 3) flawed coordination analysis guidance for use in the extensions. The coordination framework provides explanatory power for observation of and analysis of coordination in sociotechnical systems. The coordination framework includes perspectives for use in the evaluation of coordination, which are used to operationalize the framework for analysis. STPA-Coordination extends STPA with additional steps for analysis of how coordination can lead to unsafe controls (i.e. hazards). In part, STPA-Coordination uses analysis guidance introduced in this thesis that consists of four unique flawed coordination cases and nine coordination elements. CAST-Coordination extends CAST with additional steps to investigate accident causation influences from flawed coordination. Two case studies evaluate the utility of extensions, flawed coordination guidance, and the framework. One case study investigates the application of STPA-Coordination to a current and significant sociotechnical system challenge: unmanned aircraft systems integration into military and civil flight operations. Results are compared to official functional hazard analysis and requirements results. The comparison shows that STPA-Coordination provides additional insights into identifying hazardous coordination scenarios and recommendations. Another case study applies CAST-Coordination to investigate a Patriot missile friendly fire (2003) during Operation Iraqi Freedom, which is a relevant concern today. CAST-Coordination is successfully applied to the friendly-fire coordination problem. When compared to official government accident investigation reports, CAST-Coordination shows benefits in identifying accident influences and generating recommendations to address the coordination and safety problem. Both case study quantitative and qualitative results are promising and suggest STPA- and CAST-Coordination and the coordination framework are useful.

Engineering a Safer World

Publisher : MIT Press
Total Pages : 555
ISBN-13 : 9780262533690
ISBN-10 : 0262533693

Synopsis of Engineering a Safer World, by Nancy G. Leveson

A new approach to safety, based on systems thinking, that is more effective, less costly, and easier to use than current techniques. Engineering has experienced a technological revolution, but the basic engineering techniques applied in safety and reliability engineering, created in a simpler, analog world, have changed very little over the years. In this groundbreaking book, Nancy Leveson proposes a new approach to safety—more suited to today's complex, sociotechnical, software-intensive world—based on modern systems thinking and systems theory. Revisiting and updating ideas pioneered by 1950s aerospace engineers in their System Safety concept, and testing her new model extensively on real-world examples, Leveson has created a new approach to safety that is more effective, less expensive, and easier to use than current techniques. Arguing that traditional models of causality are inadequate, Leveson presents a new, extended model of causation (Systems-Theoretic Accident Model and Processes, or STAMP), then shows how the new model can be used to create techniques for system safety engineering, including accident analysis, hazard analysis, system design, safety in operations, and management of safety-critical systems. She applies the new techniques to real-world events including the friendly-fire loss of a U.S. Blackhawk helicopter in the first Gulf War; the Vioxx recall; the U.S. Navy SUBSAFE program; and the bacterial contamination of a public water supply in a Canadian town. Leveson's approach is relevant even beyond safety engineering, offering techniques for “reengineering” any large sociotechnical system to improve safety and manage risk.

Human Factors and Systems Interaction

Publisher : AHFE International
Total Pages : 507
ISBN-13 : 9781958651285
ISBN-10 : 1958651281

Synopsis of Human Factors and Systems Interaction, by Isabel L. Nunes

Human Factors and Systems Interaction: Proceedings of the 13th International Conference on Applied Human Factors and Ergonomics (AHFE 2022), July 24–28, 2022, New York, USA.

Safety-driven Early Concept Analysis and Development

Total Pages : 230
OCLC : 910627166

Synopsis of Safety-driven Early Concept Analysis and Development, by Cody Harrison Fleming

As aerospace systems become increasingly complex and the roles of human operators and autonomous software continue to evolve, traditional safety-related analytical methods are becoming inadequate. Traditional hazard analysis tools are based on an accident causality model that does not capture many of the complex behaviors found in modern engineered systems. Additionally, these traditional approaches are most effective during late stages of system development, when detailed design information is available. However, system safety cannot cost-effectively be assured by discovering problems at these late stages and adding expensive updates to the design. Rather, safety should be designed into the system from its very conception. The primary barrier to achieving this objective is the lack of effectiveness of the existing analytical tools during early concept development. This thesis introduces a new technique, which is based on a more powerful model of accident causality that can capture behaviors that are prevalent in these complex, software-intensive systems. The proposed approach builds on a new accident causality model, called Systems-Theoretic Accident Model and Process, developing a methodology on the model so that it can be applied during the early concept development stages of systems engineering. The goals are to (1) develop rigorous, systematic tools for the analysis of future concepts in order to identify hazardous scenarios, and (2) extend these tools to assist stakeholders in the development of concepts using a safety-driven approach. This work first develops a methodology for hazard analysis of a concept of operations (ConOps) using control theory to generate a model of that ConOps. Formal, systems-theoretic concepts such as hierarchy, emergence, communication, and coordination are used to analyze the model and identify hazards in the concept. These hazardous scenarios then guide the development of requirements and the generation of a system architecture, defined as a hierarchical control structure. This model-based approach represents a significant departure from the state of the art; in the new approach a concept is defined, developed, and analyzed according to a control-theoretic model rather than free-form, natural-language text. The power of the proposed approach, called Systems-Theoretic Early Concept Analysis, is demonstrated on a concept currently being developed by the United States Federal Aviation Administration.

Extending and Automating a Systems-theoretic Hazard Analysis for Requirements Generation and Analysis

Total Pages : 232
OCLC : 857791969

Synopsis of Extending and Automating a Systems-theoretic Hazard Analysis for Requirements Generation and Analysis, by John P. Thomas IV

Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques, such as Fault Tree Analysis (FTA), that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. Although traditional techniques have been effective at analyzing and reducing accidents caused by component failures, modern complex systems have introduced new problems that can be much more difficult to anticipate, analyze, and prevent. In addition, a new class of accidents, component interaction accidents, has become increasingly prevalent in today's complex systems and can occur even when systems operate exactly as designed and without any component failures. While STPA has proven to be effective at addressing these problems, its application thus far has been ad hoc, with no rigorous procedures or model-based design tools to guide the analysis. In addition, although no formal structure has yet been defined for STPA, the process is based on a control-theoretic framework that could be formalized and adapted to facilitate development of automated methods that assist in analyzing complex systems. This dissertation defines a formal mathematical structure underlying STPA and introduces a procedure for systematically performing an STPA analysis based on that structure. A method for using the results of the hazard analysis to generate formal safety-critical, model-based system and software requirements is also presented. Techniques to automate both the STPA analysis and the requirements generation are introduced, as well as a method to detect conflicts between safety requirements and other functional model-based requirements during early development of the system.

Extending and Automating a Systems-Theoretic Hazard Analysis for Requirements Generation and Analysis

Total Pages : 40
OCLC : 1065962997

Synopsis of Extending and Automating a Systems-Theoretic Hazard Analysis for Requirements Generation and Analysis

Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques, such as Fault Tree Analysis (FTA), that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. While proving to be very effective on real systems, no formal structure has been defined for STPA and its application has been ad hoc, with no rigorous procedures or model-based design tools. This report defines a formal mathematical structure underlying STPA and describes a procedure for systematically performing an STPA analysis based on that structure. A method for using the results of the hazard analysis to generate formal safety-critical, model-based system and software requirements is also presented. Techniques to automate both the analysis and the requirements generation are introduced, as well as a method to detect conflicts between the safety and other functional model-based requirements during early development of the system.

A System-Theoretic Safety Engineering Approach for Software-Intensive Systems

Publisher : Cuvillier Verlag
Total Pages : 220
ISBN-13 : 9783736984929
ISBN-10 : 3736984928

Synopsis of A System-Theoretic Safety Engineering Approach for Software-Intensive Systems, by Asim Ali Ahmed Abdulkhaleq

Software safety is a crucial aspect during the development of modern safety-critical systems. However, safety is a system level property, and therefore, must be considered at the system-level to ensure the whole system’s safety. In the software development process, formal verification and functional testing are complementary approaches which are used to verify the functional correctness of software; however, even perfectly reliable software could lead to an accident. The correctness of software cannot ensure the safe operation of safety-critical software systems. Therefore, developing safety-critical software requires a more systematic software and safety engineering process that enables the software and safety engineers to recognize the potential software risks. For this purpose, this dissertation introduces a comprehensive safety engineering approach based on STPA for Software-Intensive Systems, called STPA SwISs, which provides seamless STPA safety analysis and software safety verification activities to allow the software and safety engineers to work together during the software development for safety-critical systems and help them to recognize the associated software risks at the system level.

Engineering a Safer World

Total Pages : 534
ISBN-10 : 1628703393
ISBN-13 : 9781628703399

Synopsis of Engineering a Safer World

Engineering has experienced a technological revolution, but the basic engineering techniques applied in safety and reliability engineering, created in a simpler, analog world, have changed very little over the years. In this groundbreaking book, Nancy Leveson proposes a new approach to safety, more suited to today's complex, sociotechnical, software-intensive world, based on modern systems thinking and systems theory. Revisiting and updating ideas pioneered by 1950s aerospace engineers in their System Safety concept, and testing her new model extensively on real-world examples, Leveson has created a new approach to safety that is more effective, less expensive, and easier to use than current techniques. Arguing that traditional models of causality are inadequate, Leveson presents a new, extended model of causation (Systems-Theoretic Accident Model and Processes, or STAMP), then shows how the new model can be used to create techniques for system safety engineering, including accident analysis, hazard analysis, system design, safety in operations, and management of safety-critical systems. She applies the new techniques to real-world events including the friendly-fire loss of a U.S. Blackhawk helicopter in the first Gulf War; the Vioxx recall; the U.S. Navy SUBSAFE program; and the bacterial contamination of a public water supply in a Canadian town. Leveson's approach is relevant even beyond safety engineering, offering techniques for "reengineering" any large sociotechnical system to improve safety and manage risk.

Extending the Human Controller Methodology in Systems-Theoretic Process Analysis (STPA)

Total Pages : 77
OCLC : 891583966

Synopsis of Extending the Human Controller Methodology in Systems-Theoretic Process Analysis (STPA), by Thornberry, Cameron L. (Cameron Louis)

Traditional hazard analysis techniques are grounded in reliability theory and analyze the human controller, if at all, in terms of estimated or calculated probabilities of failure. Characterizing sub-optimal human performance as "human error" offers limited explanation for accidents and is inadequate in improving the safety of human control in complex, automated systems such as today's aerospace systems. In an alternate approach founded on systems and control theory, Systems-Theoretic Process Analysis (STPA) is a hazard analysis technique that can be applied in order to derive causal factors related to human controllers within the context of the system and its design. The goal of this thesis was to extend the current human-controller analysis in STPA to benefit the investigation of more structured and detailed causal factors related to the human operator. Leveraging principles from ecological psychology and basic cognitive models, two new causal-factor categories, flawed detection and interpretation of feedback and the inappropriate affordance of action, were added to the human-controller analysis in STPA for a total of five categories. In addition, three of the five human-controller causal-factor categories were explicitly re-framed around those environmental and system properties that affect the safety of a control action: the process states. Using a proposed airspace maneuver known as In-Trail Procedure, a former STPA analysis was extended using this updated human-controller analysis. The updated analysis generated additional causal factors under a new categorical structure and led to new instances of specific unsafe control actions that could occur based on additional human factors considerations. The process, organization, and detail reflected in the resultant causal factors of this new human-controller analysis ultimately enhance STPA's analysis of the human operator and propose a new methodology structured around process states that applies equally well to an automated controller.

Game Theoretic Analysis of Congestion, Safety and Security

Publisher : Springer
Total Pages : 226
ISBN-13 : 9783319116747
ISBN-10 : 3319116746

Synopsis of Game Theoretic Analysis of Congestion, Safety and Security, by Kjell Hausken

Maximizing reader insights into the interactions between game theory, excessive crowding and safety and security elements, this book establishes a new research angle by illustrating linkages between different research approaches and through laying the foundations for subsequent analysis. Congestion (excessive crowding) is defined in this work as all kinds of flows; e.g., road/sea/air traffic, people, data, information, water, electricity, and organisms. Analysing systems where congestion occurs – which may be in parallel, series, interlinked, or interdependent, with flows one way or both ways – this book puts forward new congestion models, breaking new ground by introducing game theory and safety/security into proceedings. Addressing the multiple actors who may hold different concerns regarding system reliability; e.g. one or several terrorists, a government, various local or regional government agencies, or others with stakes for or against system reliability, this book describes how governments and authorities may have the tools to handle congestion, but that these tools need to be improved whilst additionally ensuring safety and security against various threats. This game-theoretic analysis sets this book apart from the current congestion literature and ensures that the book will be of use to postgraduates, researchers, 3rd/4th-year undergraduates, policy makers, and practitioners.