Nancy Leveson Hazard Analysis


From here: An STPA Primer

Some useful definitions.


Philosophers have debated the notion of causality for centuries. John Stuart Mill (1806-1873) defined cause as a set of sufficient conditions: “The cause is the sum total of the conditions, positive and negative, taken together, the whole of the contingencies of every description, which being realized, the consequence invariably follows.”

An example

As an example, combustion requires a flammable material, a source of ignition, and oxygen. Each of these conditions is necessary, but only together are they sufficient. The cause, then, is all three conditions, not one of them alone.

Hazard: A system state or set of conditions that together with a worst-case set of environmental
conditions, will lead to an accident (loss).

An explanation

The definition used in STPA restricts hazards to be conditions or states that nobody ever wants to occur, such as a violation of minimum separation standards between aircraft in controlled airspace or inadequate braking distance between automobiles in a cruise control system. These conditions, once they are identified, can be eliminated or controlled in the system design and operations.

An example:

A hazard for an aircraft is not a mountain or weather, because the designer of the aircraft or the air traffic control system has no control over the weather or the placement of a mountain. Instead, the hazard may be the aircraft getting too close to the mountain or the aircraft being in an area of bad weather.

To cause a loss, in addition to a hazard, there has to be a set of worst-case conditions.

The second part of the definition is that there must be some worst-case set of conditions in the environment that will lead to a loss. If there is no set of worst-case conditions outside or inside the system boundary that will combine with the hazard to lead to a loss, then there is no need to consider it in a hazard analysis. Even if two aircraft violate minimum separation, the pilots may see each other and avoid a collision, but there are also worst-case conditions under which the accident may not be avoided, such as low visibility, lack of attention by the flight crew, and angles where the other aircraft cannot be seen. Therefore, it is a hazard.

That definition of hazard is not the traditional one: we usually think of a submerged rock as being the hazard and getting too close to it as being the risk. The terms “risk” and “hazard” have changed meanings over time (consider the phrase “hazard a guess”). The bottom line is that any serious discussion of accidents will include definitions.

Getting too close to a submerged rock is a hazard if there is a worst-case set of conditions that will lead to a loss; that seems straightforward.

Some more terms/concepts; there are three main ones:

STAMP has three basic concepts: safety constraints, hierarchical safety control structures, and process models.

Here are the hierarchical levels:

The concept of control is important. Each hierarchical level of a system imposes constraints on and controls the behavior of the level beneath it.

The example of hierarchical levels is road traffic:

In systems theory, instead of breaking systems into interacting components, systems are viewed (modeled) as a hierarchy of organizational levels. At the lowest level of road traffic, there are the individual vehicles, such as cars and trucks. At the next level there is the design of the roads, which controls the movement of the individual vehicles and their interactions. At a higher level, one can conceive of the entire highway system including the roads but also the rules and policies imposed on the drivers of the vehicles.

So I’d guess that in maritime the lowest level would be ships; at the next level are such things as port control, VTS, and the owner’s voyage instructions; next, ABS, USCG, and the owner’s requirements.

An example of safety constraints:

As an example, in an air traffic control system, one safety constraint is that there must always be a minimum distance between airborne aircraft. By definition, then, accidents occur when the safety constraints are not enforced.

The other two concepts: hierarchical safety control structures and process models.

There is this graphic:

The article says this could be a machine or a human; in the case of maritime, shoreside control of a ship is human. Best I can tell, “control algorithm” would be a procedure and “process model” would include such things as schedules, distances between ports, etc. The controlled process, from shore side to vessel, is vessel operations.
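To tie the definitions above together, here is a small Python model of one control loop. It is an added example for this post, not code from the STPA Primer, the handbook, or Leveson's work. Everything in it is constructed: a two-nautical-mile minimum separation as the safety constraint, a shoreside controller whose process model is only refreshed when a position report (feedback) arrives, a following ship as the controlled process, a lead ship that slows down as the disturbance, and fog as the worst-case environmental condition. The point it shows is that the control algorithm acts on the process model, not on the actual state, so a stale model turns an otherwise correct “proceed” into an unsafe control action, and that the hazard (separation violated) only becomes a loss when the worst-case conditions are present.

```python
from dataclasses import dataclass

# Constructed safety constraint for this example: the following ship must stay
# at least this far behind the lead ship (nautical miles). Being closer than
# this is the hazard in the STPA sense: a system state that, combined with
# worst-case environmental conditions, leads to a loss.
MIN_SEPARATION_NM = 2.0


@dataclass
class Vessel:
    """Controlled process: one ship moving along a single track."""
    name: str
    position_nm: float   # distance along the track
    speed_kn: float      # nautical miles per hour


@dataclass
class ShoreController:
    """Controller (a human in the shoreside case). Holds a process model, i.e.
    its belief about where the ships are, refreshed only when feedback arrives."""
    process_model: dict            # {"lead": position, "follow": position}
    buffer_nm: float = 3.0         # margin the algorithm keeps above the constraint

    def control_action(self) -> str:
        """Control algorithm: a rule evaluated on the believed, not the actual, state."""
        believed = self.process_model["lead"] - self.process_model["follow"]
        return "proceed" if believed > MIN_SEPARATION_NM + self.buffer_nm else "hold"


def actual_separation(lead: Vessel, follow: Vessel) -> float:
    return lead.position_nm - follow.position_nm


def is_hazard(lead: Vessel, follow: Vessel) -> bool:
    """Hazard: the safety constraint is violated in the real system state."""
    return actual_separation(lead, follow) < MIN_SEPARATION_NM


def leads_to_loss(hazard: bool, visibility_nm: float) -> bool:
    """Hazard plus a worst-case environment gives a loss. With good visibility the
    crews can see and avoid each other; in fog (constructed worst case) they cannot."""
    return hazard and visibility_nm < MIN_SEPARATION_NM


def simulate(report_interval_h: int, hours: int = 8, visibility_nm: float = 0.5) -> list:
    """Run the control loop hour by hour. Position reports (feedback) reach the
    controller only every report_interval_h hours; between reports its process
    model is stale. Returns (hour, action, actual separation, hazard, loss) rows."""
    lead = Vessel("lead", position_nm=10.0, speed_kn=4.0)
    follow = Vessel("follow", position_nm=0.0, speed_kn=5.0)
    ctrl = ShoreController({"lead": lead.position_nm, "follow": follow.position_nm})
    rows = []
    for hour in range(hours):
        if hour % report_interval_h == 0:                       # feedback arrives
            ctrl.process_model = {"lead": lead.position_nm, "follow": follow.position_nm}
        action = ctrl.control_action()
        follow.speed_kn = 5.0 if action == "proceed" else 0.0   # control action applied
        if hour == 2:
            lead.speed_kn = 2.0   # disturbance: lead slows; controller learns of it only via feedback
        lead.position_nm += lead.speed_kn
        follow.position_nm += follow.speed_kn
        hazard = is_hazard(lead, follow)
        rows.append((hour, action, actual_separation(lead, follow), hazard,
                     leads_to_loss(hazard, visibility_nm)))
    return rows


def first_hazard_hour(rows) -> "int | None":
    """Hour of the first constraint violation, or None if the loop stayed safe."""
    return next((hour for hour, _, _, hazard, _ in rows if hazard), None)


if __name__ == "__main__":
    for interval in (1, 2):
        rows = simulate(interval)
        print(f"feedback every {interval}h: first hazard at hour {first_hazard_hour(rows)}")
        for row in rows:
            print("  ", row)
```

With hourly reports the algorithm's buffer covers the worst closing rate and no hazard occurs; with reports every two hours the controller keeps issuing “proceed” against a model that is two hours old, the separation goes to zero in hour 7, and whether that hazard is also a loss depends only on the visibility passed in, which is exactly the two-part definition given above.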


Leveson has produced a new STPA Handbook:

I’ve only had time for a quick pass but it looks very good.