Nancy Leveson Hazard Analysis

From here: An STPA Primer

Some useful definitions.


Philosophers have debated the notion of causality for centuries. John Stuart Mill (1806-1873) defined cause as a set of sufficient conditions. “The cause is the sum total of the conditions, positive and negative, taken together, the whole of the contingencies of every description, which being realized, the consequence invariably follows.”

An example:

As an example, combustion requires a flammable material, a source of ignition, and oxygen. Each of these conditions is necessary, but only together are they sufficient. The cause, then, is all three conditions, not one of them alone.

Hazard: A system state or set of conditions that, together with a worst-case set of environmental conditions, will lead to an accident (loss).

An explanation:

The definition used in STPA restricts hazards to be conditions or states that nobody ever wants to occur, such as a violation of minimum separation standards between aircraft in controlled airspace or inadequate braking distance between automobiles in a cruise control system. These conditions, once they are identified, can be eliminated or controlled in the system design and operations.

An example:

A hazard for an aircraft is not a mountain or weather because the designer of the aircraft or the air traffic control system has no control over the weather or the placement of a mountain. Instead, the hazard may be the aircraft getting too close to the mountain or the aircraft being in an area of bad weather.

To cause a loss, in addition to a hazard there has to be a set of worst-case conditions.

The second part of the definition is that there must be some worst-case set of conditions in the environment that will lead to a loss. If there is no set of worst-case conditions outside or inside the system boundary that will combine with the hazard to lead to a loss, then there is no need to consider it in a hazard analysis. Even if two aircraft violate minimum separation, the pilots may see each other and avoid a collision, but there are also worst-case conditions under which the accident may not be avoided, such as low visibility, lack of attention by the flight crew, and angles where the other aircraft cannot be seen. Therefore, it is a hazard.

That definition of hazard is not the traditional one: we think of a submerged rock as being a hazard and getting too close to it as being a risk. The terms “risk” and “hazard” have changed meanings over time (consider the phrase “hazard a guess”). The bottom line is that any serious discussion of accidents will include definitions.

Getting too close to a submerged rock is a hazard if there is a worst-case set of conditions that will lead to a loss; that seems straightforward.

Some more terms/concepts. There are three main ones:

STAMP has three basic concepts: safety constraints, hierarchical safety control structures, and process models.

Here are the hierarchical levels:

The concept of control is important. Each hierarchical level of a system imposes constraints on and controls the behavior of the level beneath it.

The example of hierarchical levels is road traffic:

In systems theory, instead of breaking systems into interacting components, systems are viewed (modeled) as a hierarchy of organizational levels. At the lowest level of road traffic, there are the individual vehicles, such as cars and trucks. At the next level there is the design of the roads, which controls the movement of the individual vehicles and their interactions. At a higher level, one can conceive of the entire highway system including the roads but also the rules and policies imposed on the drivers of the vehicles.

So I’d guess that in maritime the lowest level would be ships; at the next level are such things as port control, VTS, and owners’ voyage instructions; next ABS, USCG and the owner’s requirements.

An example of safety constraints:

As an example, in an air traffic control system, one safety constraint is that there must always be a minimum distance between airborne aircraft. By definition, then, accidents occur when the safety constraints are not enforced.

Hierarchical safety control structures and process models:

There is this graphic:

The article says this could be a machine or human; in the case of maritime shoreside control of a ship it is human. Best I can tell, the “control algorithm” would be a procedure and the “process model” would include such things as schedules, distances between ports, etc. The controlled process from shoreside to vessel is vessel operations.
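As an added example (not from the primer or this thread), the control loop in the graphic modelled in Python with the primer’s minimum-separation constraint: the controller’s control algorithm acts only on its process model, so when feedback is slow the model goes stale and the controller keeps issuing no action while the real process has already violated the constraint. Separation, closure rate and feedback period are constructed values.

```python
from dataclasses import dataclass, field

# Safety constraint from the air-traffic example: keep at least this much
# separation between airborne aircraft (constructed value, nautical miles).
MIN_SEPARATION_NM = 5.0


@dataclass
class ControlledProcess:
    """The real world: two aircraft closing on each other at a steady rate."""
    separation_nm: float
    closure_nm_per_min: float

    def step(self, minutes: float) -> None:
        self.separation_nm -= self.closure_nm_per_min * minutes


@dataclass
class Controller:
    """Controller = control algorithm + process model (its belief about the process)."""
    model_separation_nm: float
    issued: list = field(default_factory=list)

    def feedback(self, observed_nm: float) -> None:
        self.model_separation_nm = observed_nm  # process model refreshed from feedback

    def control_algorithm(self) -> str:
        # Procedure: order a turn as soon as the *model* says the constraint is reached.
        action = "issue_turn" if self.model_separation_nm <= MIN_SEPARATION_NM else "no_action"
        self.issued.append(action)
        return action


def simulate(feedback_period_min: int, steps: int = 8):
    """Run the loop one minute per step; feedback reaches the controller only
    every feedback_period_min minutes (constructed scenario)."""
    process = ControlledProcess(separation_nm=10.0, closure_nm_per_min=1.0)
    controller = Controller(model_separation_nm=process.separation_nm)
    trace = []  # (minute, actual separation, controller's model, action)
    for t in range(1, steps + 1):
        process.step(1.0)
        if t % feedback_period_min == 0:
            controller.feedback(process.separation_nm)
        action = controller.control_algorithm()
        trace.append((t, process.separation_nm, controller.model_separation_nm, action))
        if action == "issue_turn":
            break  # the turn resolves the conflict; stop the run
    return trace


def unsafe_control_actions(trace):
    """STPA 'control action not provided when required': minutes where the
    constraint is already violated but the controller still issued no_action."""
    return [t for t, actual, _model, action in trace
            if actual < MIN_SEPARATION_NM and action == "no_action"]
```

With feedback every minute the turn is ordered exactly at the 5 nm boundary; with feedback every four minutes the controller’s model still reads 6 nm while the real separation falls to 2 nm, and minutes 6 and 7 show up as unsafe control actions.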

Leveson has produced a new STPA Handbook:

I’ve only had time for a quick pass but it looks very good.

Looking at the loss of the El Faro:


If the controlled process is the movement of the ship, TOTE claims that the captains were 100% in control of the ship’s movements with no shore-side involvement aside from support (technical, personnel, etc.).

But that doesn’t make sense because the captains were not allowed to sail whenever and wherever they felt like. The company had to be controlling the process.

That’s why the multilayer “stack” of control loops is important, like the one in the Sewol thesis shown in that thread. Here’s the one we did for DWH:


And the expanded bottom layer was:

It would be interesting to construct a similar one for El Faro, all the way up to the family of lawyers in Seattle.