Battleshorts, exaptations, and the limits of STAMP (surfingcomplexity.blog)
26 points by kiyanwang on Aug 31, 2020 | hide | past | favorite | 12 comments


I love when people use acronyms without explaining what they stand for.

> The hypothesis underlying the new model, called STAMP (Systems-Theoretic Accident Model and Processes) is that system theory is a useful way to analyze accidents, particularly system accidents. In this conception of safety, accidents occur when external disturbances, component failures, or dysfunctional interactions among system components are not adequately handled by the control system, that is, they result from inadequate control or enforcement of safety-related constraints on the development, design, and operation of the system[0]

[0] - http://sunnyday.mit.edu/accidents/safetyscience-single.pdf


Thank you, thank you, thank you. Saved me a bunch of frustrating searches.


> One of the central assumptions of STAMP is that it is possible to construct an accurate enough control model of the system at the design stage to identify all of the hazards. [emphasis added]

I want to pick on this a bit. STAMP, or at least STPA which is the related method you'd use in the design stage, doesn't try to identify all hazards (STAMP has the benefit of being conducted with hindsight, so it is likely to identify more hazards). When used during design, you run multiple STPA analyses and may eventually identify all hazards, but there is no guarantee. Additionally, while you often have a singular STAMP instance (because it follows from an accident), STPA is run multiple times. There is no singular STPA analysis, but a collection of analyses.

Each analysis is performed on a model of the system which is, necessarily, a simplification. Some models will have details that others lack. This provides the team a better opportunity to focus on the hazards involved in that area. You will only achieve 100% hazard identification if the system is small, or you dedicate a probably unreasonable time to the analyses.


Are you confusing CAST and STAMP? (Or maybe I'm mis-reading.)

STAMP is about the underlying control model. STPA is focused on designing in safety up-front. CAST is focused on analyzing failures.


Yes I did, oops. Pro-tip: Expect memory lapses while on pain medications, and maybe don't type comments on HN.


Feel better. This was something I knew nothing about a few months back but I took a workshop on STAMP that went virtual earlier this summer.


Thanks. It was a fairly routine surgery (for the surgeon, not me) and all went well. I'm actually on my last day of pain meds so it's my last chance to use that excuse.

STAMP, and STPA in particular, is something I've been reading about, but failing to apply, for a few years now since my sister studied under Leveson at MIT. I wish I could sell it in my office. It's actually frustrating, a few of our partners are using it (or the ideas from it) to good effect but my own office is less than interested. Of course, my sister has encountered the same thing even though she's the one that brought it back to her office after returning from MIT. Their partners are using it after learning about it from her, but they still aren't (or are underutilizing it).


Yeah, this was Nancy Leveson's workshop. I was going to go in person but I was able to tune in for quite a bit of the virtual version. For anyone interested, there's quite a bit of material online with, I believe, additional videos coming: http://psas.scripts.mit.edu/home/2020-stamp-workshop-agenda/

One of the interesting things to me was the range of industries represented. Definitely not just aerospace.


Can't help but think of Douglas Adams' masterpiece "The Restaurant at the End of the Universe": "A dreadful silence fell across the conference table as the commander of the Vl'hurgs, resplendent in his black jewelled battle shorts, gazed levelly at the G'Gugvuntt leader squatting opposite him in a cloud of green sweet-smelling steam"


I knew I'd heard "battle shorts" somewhere before, but I couldn't think of where. It's the wrong kind of "shorts" though -- and regarding the other kind:

> What do you mean, "why has it got to be built?" It's a bypass! You've got to build bypasses!


I looked everywhere for a physical example of a Battleshort after that comment.

I guess I expected a solid fuse rather than a switch that just linked two wires?

But still, not a lot of info around. Mostly jokes and this one supplier - https://www.oshkoshequipment.com/search?searchPhrase=Battle+...


According to some friends, most new equipment (and not so new) provides it as a switch - but the original form was slapping bars in place of fuses.



