[SystemSafety] A comparison of STPA and ARP 4761

Matthew Squair mattsquair at gmail.com
Tue Jul 29 01:49:54 CEST 2014


To be absolutely fair, the comparison is between the worked example
provided in ARP 4761 and a STAMP rerun of the same example. Problems have
previously been identified with the worked example provided; see Dawkins,
Kelly, McDermid, Murdoch and Pumfrey (1999) at the link below. I don't
actually think that the standard is particularly well served by the
example. Though again, to be fair, it does provide a full end-to-end example
of a safety assessment in a standard, which is (I think) a first.

All that being said, the Leveson report is spot on in my estimation as to
the focus of ARP 4761 on 'failure'; for example (from section 3.1 of ARP
4761) "The goal in conducting the FHA is to clearly identify each failure
condition..." and "The PSSA is a systematic examination of the proposed
system architecture(s) to determine how failures can cause the functional
hazards identified in the FHA". There are historical, industry and
regulatory reasons for that focus of course.

I'd recommend anyone reading the Leveson team's report to also read, or
reread, the paper at the link.

http://www-users.cs.york.ac.uk/~tpk/pssa.pdf





On Fri, Jul 25, 2014 at 4:29 AM, Laurent Fabre <laurent.fabre at cslabs.com>
wrote:

>  Many in the system safety industry have heard of the STAMP / STPA method
> originally developed by Prof. Nancy Leveson and her team.
> One of the latest developments around this method is that a group at MIT
> has been comparing the safety assessment process of STPA with SAE ARP 4761
> (For readers not familiar with this reference, this is the well established
> guidance document that describes the safety assessment process in the
> aerospace industry).
> The results of this work have been documented in a report recently
> released on the MIT web site. The title of the report is
> "A Comparison of STPA and the ARP 4761 Safety Assessment Process". Here's
> the link to the report:
> http://sunnyday.mit.edu/papers/ARP4761-Comparison-Report-final-1.pdf
>
> This report should be of interest to system safety engineers in the
> aerospace industry but more generally to engineers in all safety-critical
> industries that have looked at ARP 4761 as a reference.
>
> Here's the conclusion of this report:
>
> "This report compares the safety analysis process of ARP 4761 with STPA,
> using the wheel brake system example in ARP 4761. We show that STPA
> identifies hazards omitted by the ARP 4761 process, particularly those
> associated with software, human factors and operations. The goal of STPA is
> to identify detailed scenarios leading to accidents so that they can be
> eliminated or controlled in the design rather than showing that reliability
> goals have been met. The succeeding verification processes (DO-178C/DO-254)
> are still necessary to assure that the requirements provided by the process
> in ARP 4754A and supported by STPA, are fully verified.
>
> In the reality of increasing aircraft complexity and software control, the
> traditional safety assessment process described in ARP 4761 omits important
> causes of aircraft accidents. The general lesson to be learned from the
> comparison in this report is that we need to create and employ more
> powerful and inclusive approaches to evaluating safety that include more
> types of causal factors and integrate software and human factors directly
> into the evaluation. STPA is one possibility, but the potential for
> additional approaches should be explored as well as improvements or
> extensions to STPA. There is no going back to the simpler, less automated
> designs of the past, and engineering will need to adopt new approaches to
> handle the changes that are occurring."
>
> I suspect that this conclusion will generate some controversy. I have not
> read this report yet but I intend to.
> This document has been published very recently (last month) so it will
> take some time for system safety practitioners to become aware of it and
> react. Anyway, the SAE S-18 committee and EUROCAE WG-63 currently working on
> version A of ARP4761 should have a specific interest in this report.
>
> Laurent Fabre
>
> --
> ---------------------------Critical Systems Labs, Inc. <http://www.criticalsystemslabs.com/>
> #140 - 601 West Cordova Street
> Vancouver, BC, Canada
> V6B 1G1
> Tel:  (604) 638-7391
>
>


-- 
*Matthew Squair*
MIEAust CPEng

Mob: +61 488770655
Email: MattSquair at gmail.com
Website: www.criticaluncertainties.com <http://criticaluncertainties.com/>