Professional Documents
Culture Documents
FMEA in 1949 for its weapon systems program [24]when the physical, operational, or manufacturing. In STAMP, the safety
primary cause of accidents was due to mechanical failure [25]. controls in a system are embodied in the hierarchical safety
Modern systems exhibit hazardous behavior due to factors that control structure. The next section describes hierarchy theory
extend well beyond hardware failure. The introduction of new in greater detail.
technology, such as computers and software, is changing the Accidents arise from inadequate enforcement of safety con-
types of accidents we see today [26], [27]. straints, for example due to missing or incorrect feedback,
Hazardous behavior arises in systems due to unsafe interac- inadequate control actions, component failure, uncontrolled
tions between components, even when the components have disturbances, or other flaws. STAMP defines four types of
not necessarily failed. Given the complexity of todays sys- unsafe control actions that must be eliminated or controlled to
tems, these interactions are increasingly difficult to understand prevent accidents:
and predict. The underlying assumptions of traditional hazard
1) A control action required for safety is not provided or is
analysis tools also oversimplify the role of human operators
not followed.
[28][30] and software requirements errors [10], [31]. Not
2) An unsafe control action is provided that leads to a hazard
only are traditional hazard analysis techniques incapable of
3) A potentially safe control action is provided too late, too
analyzing systems that are immature in terms of design detail,
early, or out of sequence.
they are also very limited with respect to these new accident
4) A safe control action is stopped too soon or applied
causation factors, which will become increasingly prevalent in
too long.
tomorrows systems.
This paper introduces a new technique based on a different One potential cause of a hazardous control action in STAMP
view of accident causality. is an inadequate process model used by human or automated
System-Theoretic Accident Model and Processes (STAMP) controllers. A process model contains the controllers under-
was created to capture more types of accident causal factors standing of 1) the current state of the controlled process,
including social and organizational structures, new kinds of 2) the desired state of the controlled process, and 3) the ways the
human error, design and requirements flaws, and dysfunctional process can change state. This model is used by the controller
interactions among failed and non-failed components [27], [32]. to determine what control actions are needed. In software,
Rather than treating safety as a failure problem or simplifying the process model is usually implemented in variables and
accidents to a linear chain of events, STAMP treats safety embedded in the program algorithms. For humans, the process
as a control problem in which accidents arise from complex model is often called the mental model [32]. Software and
dynamic processes that may operate concurrently and interact human errors frequently result from incorrect process models.
to create unsafe situations. While process model flaws are not the only cause of accidents
Accidents can then be prevented by identifying and enforcing in STAMP, it is a major contributor.
constraints on component interactions. This model captures ac- The generic control loop in Fig. 2 shows other factors that
cidents due to component failure, but also explains increasingly may cause unsafe control actions. Consider an unsafe control
common component interaction accidents that occur in complex action for a train control system: a train conductor is instructed
systems without any component failures. For example, software to proceed to the next station while a maintenance crew works
can create unsafe situations by behaving exactly as instructed or on the track. The control loop in Fig. 2 would show that one
operators and automated controllers can individually perform as potential cause of that action is an incorrect belief that the track
intended but together they may create unexpected or dangerous ahead of the train is clear (an incorrect process model). The
conditions. incorrect process model, in turn, may be the result of inadequate
STAMP is based on systems theory and control theory. In feedback provided by a failed sensor, the feedback may be
systems theory, emergent properties are those system properties delayed, the data may have been corrupted, etc. Alternatively,
that arise from the interactions among components. Safety is a the system may have operated exactly as designed but the
type of emergent property. The emergent properties associated designers may have omitted a feedback signal.
with a set of components are related to constraints upon the
C. Future Transportation Systems
degrees of freedom of those components behavior [33]. There
are always constraints or controls that exist on the interactions Intelligent transportation systems call for increased focus
among components in any complex system. These behavioral on more efficient travel, a shift in responsibility from human-
controls may include physical laws, designed fail-safe mecha- in-the-loop control to decision support tools and automated
nisms to handle component failures, policies, and procedures. safety features, and many other changes. In short, upgrades in
Such controls must be designed such that the safety constraints future transportation systems will result in increased reliance
are enforced on the potential interactions between the system on automation, greater coupling between infrastructure and
components. In air traffic control, for example, the system is vehicle technology, a major shift in the way roadway, railway,
designed to prevent loss of separation among aircraft. airspace, and other information is gathered and disseminated,
System safety can then be reformulated as a system con- and a total revamping of how vehicle paths are managed. All of
trol problem rather than a component reliability problem these changes will come as the result of incremental upgrades
accidents occur when component failures, external distur- that span years and even decades. These developments also put
bances, and/or potentially unsafe interactions among system ever increasing pressure on early systems engineering activities.
components are not handled adequately or controlled, leading 1) Engineering of Long-Term Transportation Concepts:
to the violation of required safety constraints on component Early engineering activities such as concept generation, archi-
behavior. System controls may be managerial, organizational, tecting, and early requirements generation do not explicitly
FLEMING AND LEVESON: DEVELOPMENT AND SAFETY ANALYSIS OF FUTURE TRANSPORTATION SYSTEMS 3515
TABLE II
C ONTROL -T HEORETIC A NALYSIS OF T EXTUAL
OR G RAPHICAL I NFORMATION
A specific characteristic of the echelon hierarchy is that there these systems-theoretic views of accident causality. Specifi-
are many elements within a given level, which implies another cally, the analysts, engineers, and stakeholders should ask:
dimension of organization. Intent Specifications [45] organize 1) Are the control loops complete? That is, does each control
system information according to three types of hierarchy: level loop satisfy a Goal Condition, Action Condition, Model
of intent, part-whole abstractions, and refinement. Part-whole Condition, and Observability Condition?
abstraction provide another horizontal decomposition of the
system. That is, while decision complexity, time scale, or a) Goal Conditionwhat are the goal conditions? How
authority defines a hierarchy vertically, part-whole abstractions can the goals violate safety constraints and safety
describe the organization and relationships horizontally within responsibilities?
a given level. b) Action Conditionhow does the controller affect the
To summarize, higher levels of a hierarchical control system state of the system? Are the actuators adequate or
typically: appropriate given the process dynamics?
c) Model Conditionwhat states of the process must the
1) have decision making authority over lower levels. That controller ascertain? How are those states related or
is, lower level control agents are required to respond to coupled dynamically? How does the process evolve?
higher level control commands due to formal engineering d) Observability Conditionhow does the controller as-
design, procedures, and/or law; certain the state of the system? Are the sensors ade-
2) are concerned with larger portions of the system;
quate or appropriate given the process dynamics?
3) have to make increasingly complex decisions. Increas-
ingly complex decisions tend to lack well-defined and 2) Are the system-level safety responsibilities accounted for,
complete specification of uncertainties, input conditions, or are there gaps?
problem constraints, and processes involved in transform- 3) Do control agent responsibilities conflict with safety
ing input conditions into desired output states [46]; responsibilities?
4) exchange with the environment takes place at a lower 4) Do multiple control agents have the same safety
frequency, the dynamics of concern is slower, and the responsibility(ies)?
period between decision time is longer; 5) Do multiple control agents have or require process
5) deal with more abstract descriptions of the system. A model(s) of the same process(es)?
control agent may be concerned withfrom increasing 6) Is a control agent responsible for multiple processes?
to decreasing level abstractionfunctional purpose, ab- If so, how are the process dynamics (de)coupled?
stract function, generalized function, physical function, As in the previous section, these questions have been for-
or physical form. Abstraction hierarchies [47] decompose malized elsewhere [41] and will be developed in Section IV.
the system in terms of level of description. Question 1 relates to completeness of the individual control
Using the above concepts as a guide, the analyst synthesizes loops, questions 23 relate to assigning safety-related respon-
the control theoretic elements (i.e., the individual control loops) sibilities to various control agents, and questions 46 relate
into a hierarchical control structure. This hierarchical model to coordination of multiple control agents. The analysis there-
provides the basis for analysis. fore proceeds through three basic areas, which are explored
in the following subsections and depicted in the bottom left
B. Systems-Theoretic Analysis of Model of Fig. 3.
The following section builds on this description of STECA
Much of the control- and systems-theoretical foundation and demonstrates its application on a complex transporta-
used to develop the model of the concept is also used to guide tion system. In addition to demonstrating the approach, the
the analysis of the model. However, the focus shifts from underlying formalism of STECA is developed and it is shown
modeling to identifying potential causal factors and invalid how the above questions provide insight into potentially haz-
assumptions. There are several general vulnerabilities in a ardous behavior, particularly when a transportation system
hierarchical system. At each level of the hierarchical control
involves real-time sensing, computation, and human-computer
structure, inadequate control may result from missing con-
interaction.
straints (unassigned responsibility for safety), inadequate safety
control commands, commands that were not executed correctly
IV. A NALYSIS OF I NTELLIGENT T RANSPORT S YSTEM
at a lower level, or inadequately communicated or processed
feedback about constraint enforcement [27, p. 81]. Trajectory-Based Operations (TBO) is a shift from the cur-
The control-theoretic approach emphasizes the importance rent Air Traffic Management (ATM) and control strategy of
of process models in enforcing adequate control: a process clearance-based operations, which rely on discrete clearances
model must contain the required relationship among the sys- from air traffic controllers that modify the heading, airspeed,
tem variables (the control laws), the current state (the current or altitude of individual aircraft. Todays operations rely on
values of the system variables), and the ways the process can relatively little automation in comparison to the TBO frame-
change state [27, p. 87], or the dynamics of the process. work. In TBO, aircraft will follow four dimensional paths,
The four fundamental requirements of process control (see called trajectories, which are computed by autonomous systems
1.ad below) described in the previous sub-section must also and decision support tools (DST) [48]. These trajectories must
be satisfied. be continuously monitored and updated as conditions in the
Once the control model of the ConOps has been built, the airspace evolve. When fully realized, these trajectories will
hazardous scenarios and causal factors can be identified using represent an aircrafts gate-to-gate movement and will be the
3518 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 17, NO. 12, DECEMBER 2016
basis for Air Traffic Control (ATC) and Air Traffic Manage-
ment (ATM) that focuses on traffic flow and airspace use and Fig. 6. Graphical control model of ground conformance monitor.
autonomy of individual aircraft.
The primary themes of TBO are: moving from clearance- Fig. 6 shows the model development for a different aspect of
based to trajectory-based airspace management, increasing conformance monitoring. Though the behavior described in this
reliance on automation and decision support tools, and distrib- new piece of text is similar to that shown in Fig. 5, the new text
uting traffic management responsibilities throughout the sys- shows slightly different detail and conformance monitoring is
tem. The shift from clearance-based to trajectory-based traffic done in a different component of the system.
management is intended primarily to increase capacity and The process of parsing informal, textual information will
improve efficiency. result in a set of individual control loops, as in Figs. 5 and 6.
These individual control loops are then synthesized into a hier-
A. Model Development archical control structure according to the guidelines described
in Section III-A. A very generic, functional control hierarchy
In the TBO ConOps [49], there is a chapter dedicated to may consist of a route or trajectory management function for all
conformance monitoring, which is a function that measures of the airspace, a navigation function that navigates individual
the degree to which an aircraft followsor conforms to aircraft along their prescribed paths, and lower level functions
its agreed-upon trajectory. This example is intended to show that manipulate the various control surfaces of the aircraft.
how these control-theoretic concepts can be used to (1) query According to the guidelines from Section III-A, the route
a certain aspect of a concept and then (2) to use the resulting management function would be at the highest level because it
information to build a system model. Querying a ConOps involves the greatest level of complexity and uncertainty with
is done in a recursive fashion, looking at individual sen- respect to decision making.
tences or paragraphs and attempting to parse control-theoretic In addition, the TBO ConOps states elsewhere that the
information. ANSPs1 authority over the airspace and the flight crews
The example quote for this analysis is shown at the top of authority over the aircrafts trajectory do not change [49].
Fig. 5. To begin, the analyst must ask: What is the primary It is therefore appropriate and intuitive to map the ground-based
source, subject, or actor in the text, and in what way does conformance monitoring loop to the Trajectory Management
this source relate to control theory? The quoted text describes Function and the airborne loop to the Piloting (navigation)
conformance, or conformance monitoring. Next, what is the Function of Fig. 7.
sources role in control theory? Conformance monitoring acts Fig. 7 depicts the control structure that results from analyzing
as a sensor, and in this text there appear to be two versions of the full text dedicated to conformance monitoring, as well as
the sensor: one in the aircraft and another on the ground. Of other chapters, in the TBO ConOps. Each of the blocks and
the three generic roles that a sensor can take in the proposed lines in Fig. 7 has an underlying formalism, which results
framework, the conformance monitoring sensor provides two. from mapping the information in the ConOps into basic control
Fig. 5 includes a graphical depiction of how this information is theory. For example, sensor behavior is a mapping from mea-
mapped into a control model, where numbers in the text corre- sured variables, V, to controller inputs, I (see, e.g., [50] for an
spond to the numbered boxes in the control model. A separate overview of the notation). For the ground-based conformance
model should also be developed for the ground conformance
monitor.
This processidentifying the behavior associated with a
specific source of information in a ConOps, and then inserting 1 ANSP:=Air Navigation Service Provider. In the U.S., this is the Federal
it into the appropriate place in a control modelis repeated Aviation Administrations Air Traffic Organization. Each country has its
recursively over the entire ConOps document. For example, own ANSP.
FLEMING AND LEVESON: DEVELOPMENT AND SAFETY ANALYSIS OF FUTURE TRANSPORTATION SYSTEMS 3519
function of current surveillance data in four dimensions and de- conformance, different levels of sensitivity to nonconformance,
sired aircraft state in four dimensions, some allowed tolerance different approaches to timing and updating of the software
volume, and an Alert Parameter. functions, and many other factors. Indeed, the conformance
This mathematical formulation of conformance monitoring monitors are independent, as the TBO ConOps asserts. In addi-
and alerting [(1)(4)] helps identify issues with coordination tion to these technical factors, the individual Alert Parameters
and consistency, in at least three ways. First, the mapping, represent another source of independent behavior, as described
Lcm Dcm , is a function of an Alert Parameter, acm . This above.
parameter is available to any agent with a conformance monitor, The independence assumptions of the individual confor-
ground or airborne, and is thus independent and potentially mance monitors is valid. However, the issues arise because the
inconsistent. For example, the ground controller sets an alert behavior of those agents who use these monitors is, in fact, quite
parameter for his or her own monitor, while each flight crew in dependent.
the airspace independently does so for their monitor. By explicitly modeling the interactions between control
The TBO ConOps does not describe or specify the rationale agents, as shown in Fig. 7 and in (1)(4), it can be shown
for including this function, but it may be assumed that it is by inspection that the consistency principle does not hold. Let
to counteract alarm overload or over- and under-sensitivity. G (a, v) be the ground control agents process model, which
Furthermore, the TBO ConOps does not specify what the alert is informed and updated, in part, by the information delivered
parameter entails with respect to human-computer interface de- from the conformance monitor, VmG . Likewise, the air control
sign. The ConOps does refer to existing aircraft functions such agents model, A (a, v), contains the information VmA . As
as altitude alerts for the airborne monitor, but it is unclear how explained above, VmG and VmA have several sources of incon-
either the ground or airborne agents will set these parameters. sistency, which are described qualitatively above, and therefore
Several natural design questions arise with respect to the (5) does not hold.
conformance monitoring automation itself, and these ques- The preceding analysis provides valuable information for the
tions would typically be addressed during later detailed de- early development of complex transportation systems. Some
sign phases. Perhaps the most fundamental design question of those implications are now explored. Analysis of com-
is this: what actually constitutes non-conformance? That pleteness and safety-related responsibilities (questions 13 in
is, how should the conformance monitoring algorithm(s) be Section III-B), which are not treated further in this paper,
specified? Based on these questions and the information in provides additional detail that should be used to support early
equations (1)(4), a few follow-on questions must be addressed. engineering activities.
For example,
Does non-conformance imply that an alert is flagged at C. Supporting Early Engineering Activities
any instant the aircraft leaves a (continuously updated)
elliptical shape, Ecm ? Alternatively, does the monitor take Hazard analyses or safety assessments should not be used to
an average over a specified time interval and compare that merely state whether the systems or components are Safe or
trajectory to the allowable shape? Unsafe. The results should drive the design of the system.
Control issues often arise due to improper accounting of Once the hazardous scenarios and causal factors have been
timing (e.g., feedback delays in Fig. 2 on page 4). How identified, the key to safety-driven design is reasoning about
often is the elliptical shape updated? How do the relevant (a) how to prevent the scenarios and (b) how to mitigate the
agents receive these updates? scenarios if they occur.
Is a deviation in one direction given greater importance 1) Generating Safety Requirements: The following haz-
than a deviation in another direction? For example, a ardous scenarios drive the identification of functional and
deviation in the direction of other traffic should perhaps safety-related requirements. The example scenarios contain a
be given greater priority relative to a deviation in the op- reference to the related hazard(s) and are then followed with
posite direction, given that no traffic exists in the opposite example requirements and safety constraints. Requirements are
direction. based on both the included scenario as well as the analysis pre-
sented in the previous section. The requirements are represented
While these questions could be addressed in a straightfor- as a nested, hierarchical list.
ward fashion with the appropriate level of technical expertise,
the approach described in this paper provides some impor- Hazardous Scenario 1: Ground does not issue a deconflicting
tant insights about the overall system behavior. In particular, command because it is unaware that the aircraft is not
the modeling approach identifies several subtle interactions of conforming or unaware that the flight crew begins taking
components that were otherwise considered to be independent action to close the trajectory. [Hazard: Loss of sepa-
in the original concept of operations. ration between two or more aircraft].
With the level of abstraction in the model of Fig. 7, the R.1) Air component must notify ground of any changes
conformance monitor occurs in two separate (independent) to velocity (change in heading, airspeed, or altitude).
blocks: Conformance Monitor [Gnd] and Conformance Rationale: Flight deck typically must request ANSP
Monitor [Air]. A more detailed model would indicate that for a deviation from the field flight plan, or from
there are multiple ground controllers and as many as thousands the current trajectory. This type of change to the
of aircraft, each with its own conformance monitor. These velocity is actually due to the intent of staying on the
monitors will likely be developed by independent technical trajectory, but it changes the aircrafts inertial state,
teams and may contain different algorithms for determining or velocity in all three directions.
FLEMING AND LEVESON: DEVELOPMENT AND SAFETY ANALYSIS OF FUTURE TRANSPORTATION SYSTEMS 3521
Associated Causal Factors: due to the differences in Associated Causal Factors: e.g., ANSP turns
conformance alerting models, the ANSP may be un- off or changes Alert Parameter once flight deck
aware of the need for change. The ANSP may have a has confirmed that it will comply.
different Alert Parameter setting in general, or may R.2.d) . . .additional requirements related to R.2. . .
have adjusted the setting due to other circumstances
(e.g., alarm fatigue, managing other conflicts, etc.). In addition to specifying requirements and constraints on be-
Note: This requirement may be levied on either the havior, STECA can be used to inform design trade studies or
flight crew or avionics; this design choice would to revise and modify the concept itself via system architecture
require further analysis of potentially dysfunctional analysis.
interactions. 2) Engineering Trade Studies: As Fig. 1 illustrates, many
important commitments are made early in the concept de-
R.1.a) Flight deck must notify ANSP that changes velopment process. STECA helps stakeholders to reason, in
to velocity are due to non-conformance. an increasingly formal way, about alternative approaches to
Rationale: this is not a nominal change, e.g., achieving a systems objectives in terms of technical design and
a change in direction that was part of the flight architecture.
plan. For example, the previous section described potential in-
R.1.b) . . . additional requirements related to consistencies that arise due to independent conformance alert
R.1. . . parameters in the TBO ConOps. Several design alternatives
Hazardous Scenario 2: Flight crew does not conform to exist. One decision might be to eliminate the Alert Parameter
trajectory, pursuant to the ANSP conformance model. entirely3 and require that the black box models of all con-
This non-conformance could arise even if the ANSP has formance monitorsevery aircraft and on the groundare
instructed the aircraft to do so, and the flight deck has identical. That is, the sensitivity and underlying mathematical
confirmed compliance. [Hazard: Loss of separation be- models of conformance would be required to be identical in
tween two or more aircraft]. such a design.
Alternatively, the control structure itself, which is one rep-
R.2) ANSP must issue commands that result in the resentation of the system architecture, could be modified. One
aircraft closing on the ANSPs own conformance control structure modification that could mitigate against incon-
model. That is, the command should directly result in sistency might involve eliminating the airborne conformance
velocity changes that cause the aircraft to enter into monitors. In Fig. 7, conformance monitoring could be done
desired, protected volume. This clearance is hereto- centrally by the ground. Conformance would then be ensured
fore called a Close Conformance. by the instructions going from the ground to air. Conformance
Rationale: ANSP must do more than notify the flight monitoring could also be distributed entirely to the air and
deck that it is not conforming and instruct it to close.
eliminated from the ground, although this could be detrimental
This requirement also assumes that the ANSP model
to consistency. This latter solution may eliminate inconsisten-
of the overall airspace (and thus the conformance
cies between the ground and air, but other issues arise because
model) takes precedence over the flight deck model.
the ground control agent has a primary responsibility to assure
Associated Causal Factors: Flight deck may try to
separation between aircraft. Questions 2) and 3) in Section III-B
close the trajectory to its own model, or already
relate to analysis of safety responsibilites and are covered in
believe that it is conforming (and thus believe it
greater detail elsewhere [41].
is complying with the instruction). See also causal
factors in R.1.
V. C ONCLUSION
R.2.a) ANSP must be able to generate aircraft
velocity changes that close the trajectory within This paper has presented a new approach, called systems-
TBD minutes (or TBD nmi). theoretic early concept analysis (STECA), for performing haz-
Rationale: TBO ConOps is unclear about how ard analysis on a concept of operations and a safety-driven
ANSP will help the aircraft work to close trajec- approach to concept development. STECA is based on systems-
tory. Refined requirements will deal with pro- and control theory and its usefulness and practicality is demon-
viding the ANSP feedback about the extent to strated on an important upgrade to the air transport system,
which the aircraft does not conform, the direc- called Trajectory-Based Operations.
tion and time, which can be used to calculate STECA consists of two basic steps. The first step involves
necessary changes. recursively applying control-theoretic concepts using guide
R.2.b) ANSP-generated clearances used to close words, heuristics, and feedback control criteria to parse an
trajectories must not exceed aircraft flight enve- existing ConOps document, resulting in the development of a
lope[Hazard: aircraft enters uncontrolled state]. hierarchical control model of the concept. The second step
R.2.c) ANSP must be provided information to analysisconsists of examining the resulting model with the
monitor the aircraft progress relative to its explicit goals of identifying hazardous scenarios, information
Close Conformance change request.
Rationale: See Associated Causal Factors 3 This is not to suggest that there will be no alerts, only that the respective
listed in R.2 users cannot tune the sensitivity. See Section IV-B.
3522 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 17, NO. 12, DECEMBER 2016
gaps, inconsistencies, and potential tradeoffs and alternatives. comprehensive coverage than traditional approaches to early
That is, the analysis identifies incompleteness or gaps in the hazard assessment, particularly with respect to software, com-
control structure, assures that all safety-related responsibilities ponent interactions, and human-software interactions. Though
are accounted for, and identifies sources of uncoordinated or Section IV-C (and Section IV, generally) describes only a
inconsistent control. limited portion of the full analysis, some of those factors and
STECA allows safety to be integrated earlier when devel- many others were not identified by a professional working
oping complex transportation systems via rigorous, systematic group of subject matter experts, using traditional preliminary
methods. Specifically, STECA: hazard analysis [21].
There are many potential paths of future research that build
applies more rigor to the concept development process.
upon this work. While this paper briefly described how the re-
The process described above is repeatable and can be ap-
sults of the analyses can be used to generate alternative designs
plied by individuals to understand a transportation system
and architectures, future work should demonstrate how these
in systems-theoretic terms. Alternatively, the process can
alternatives can be compared. Stakeholders identify potential
be used by teams and working groups to build consensus
tradeoffs or synergies, and tradeoffs could be made with respect
on how the system should (and should not) behave, to
to safety and/or extended to other system properties.
allocate responsibilities to various actors, and to define
Tools should be generated to assist in the STECA process.
the interactions between those actors;
Existing model-based systems engineering frameworks could
identifies a class of hazardous scenarios that have been
be adapted or integrated into the systems- and control-theoretic
difficult to find during concept development. Most acci-
processes described in Sections III and IV.
dents and incidents in modern, intelligent transportation
Although this research focuses on the early phases of systems
systems arise due to factors that extend beyond compo-
engineering (far left side of Fig. 1), the framework has potential
nent reliability, which is the focus of most efforts based on
to be applied to the very last phases of systems engineering
PHA techniques (see Table I). Accidents arise due to un-
(far right side of the figure). That is, when systems become
safe interactions among components, which include soft-
operational, it is unfortunately necessary in some cases to
ware and human operator behavior, and STECA provides
perform accident and incident investigations. Accident reports
a powerful way to identify these types of interactions;
typically share similar characteristics to Concept of Operations
makes explicit the assumptions that are often undoc-
documentsthey contain informal natural language text, use
umented or implicit during early concept generation.
informal graphical depictions of events, and are often developed
Because ConOps documents are typically developed by
by committees comprised of potentially disparate views of
subject matter experts, many details that are obvious to a
the system. There exists an accident analysis process, called
particular expert may seem obvious and thus go undoc-
CAST (Casual Analysis using STAMP), based on the same
umented. The model development approach in this thesis
systems- and control theory that has been successfully applied
forces many of these assumptions to be made explicit, and
to accidents in a variety of domains [52][55]. However, there is
often the various subject matter experts who generate the
not yet a rigorous way to generate the necessary models from all
ConOps actually make competing or inconsistent assump-
the different sources of data associated with any major accident,
tions about various aspects of the system.
and the methods presented in Section III represent a potential
way to accomplish this goal.
In assessing STECA, recall what is necessary for stakehold- It will also be important to investigate the extent to which
ers to develop a concept. Two significant artifacts of systems STECA can be applied to other future transportation systems,
engineering, particularly in the early phases, are requirements including rail, road, water, and other air transportation concepts.
and the definition of a system architecture. In terms of safety,
requirements and architectures should eliminate or mitigate
against as complete a set of hazardous scenarios as possible.
R EFERENCES
Recall also the challenges associated with doing this early in
[1] R. Bishop, Intelligent Vehicle Technology and Trends. Norwood, MA,
the system development process, namely that there is limited USA: Artech House, 2005.
information available; the information that is available tends to [2] K. Dierkx, The smarter railroad: An opportunity for the railroad indus-
be ambiguous and stated in informal, natural language text; and try, IBM Global Bus. Serv., Travel Transp., North Castle, NY, USA,
2009.
roles and functions within the system are ill-defined and not [3] J. Josey, Intelligent infrastructure for next-generation rail systems,
well understood. Cognizant, Teaneck, NJ, USA, 2013.
Therefore, a successful safety-driven design approach should [4] I. A. Waitz, J. Townsend, J. Cutcher-Gershenfeld, E. Greitzer, and
J. Kerrebrock, Aviation & the environment, Massachusetts Inst. Tech-
1) identify as many valid hazardous scenarios as possible, nol., Cambridge MA USA, Rep. United States Congress, 2003.
2) assist in the identification of requirements and safety-related [5] J. T. Areddy and J. Yang, How Chinas train tragedy unfolded, China Real-
constraints, and 3) help stakeholders develop a system architec- time Rep., The Wall Street J., Beijing, China, 2011. [Online]. Available:
http://blogs.wsj.com/chinarealtime/2011/12/29/wenzhou
ture that eliminates or mitigates hazards. In STECA, the control [6] C. Jensen, G.M Steering issue pushes automakers limits, Hadi
structure serves as part of the general system architecture Aboukhaters, Washington, DC, USA, 2015.
definition. [7] B. Carey, Application software bug delays american airlines flights, Air
Transp., AIN Online, Midland Park, NJ, USA, 2015.
Comprehensive comparisons have been made elsewhere [41], [8] A. Scott and J. Menn, Exclusive: Air traffic system failure caused by
but it is important to note here that STECA provides more computer memory shortage, Reuters, London, U.K., 2014.
FLEMING AND LEVESON: DEVELOPMENT AND SAFETY ANALYSIS OF FUTURE TRANSPORTATION SYSTEMS 3523
[9] B. Farmer, Flights in chaos across uk as air traffic control computers fail: [40] W. R. Ashby, An Introduction to Cybernetics. London, U.K.: Chapman
Latest, The Telegraph, London, U.K., 2014. & Hall Ltd., 1957.
[10] N. G. Leveson, Software challenges in achieving space safety, J. Br. [41] C. H. Fleming, Safety-Driven Early Concept Analysis and Develop-
Interplanet. Soc., vol. 62, pp. 265272, Jul./Aug. 2009. ment, Ph.D. dissertation, Massachusetts Inst. Technol. Dept. Aeronaut.
[11] F. R. Frola and C. O. Miller, System safety in aircraft management, Astronaut., Cambridge, MA, USA, 2015.
Logist. Manag. Inst., Washington, DC, USA, 1984. [42] M. D. Mesarovic and Y. Takahara, General Systems Theory: Mathemati-
[12] A. Strafaci, What does BIM mean for civil engineers? CE News, cal Foundations, vol. 113. New York, NY, USA: Academic, 1975.
Transp., Washington, DC, USA, 2008. [43] S. Skogestad, Control structure design for complete chemical plants,
[13] E. Crawley et al., The influence of architecture in engineering systems, Comput. Chem. Eng., vol. 28, no. 1, pp. 219234, 2004.
in Proc. 1st Eng. Syst. Symp. MIT Eng. Syst. Div., Cambridge, MA, USA, [44] M. Morari, Y. Arkun, and G. Stephanopoulos, Studies in the synthesis
2004, pp. 118. of control structures for chemical processes: Part I: Formulation of the
[14] A. M. Ross and D. E. Hastings, Assessing changeability in aerospace problem. Process decomposition and the classification of the control tasks.
systems architecting and design using dynamic multi-attribute tradespace Analysis of the optimizing control structures, AIChE J., vol. 26, no. 2,
exploration, in Proc. AIAA Space, 2006, pp. 118. pp. 220232, Mar. 1980.
[15] M. G. ONeill, J.-M. Dumont, T. Reynolds, and R. J. Hansman, Methods [45] N. G. Leveson, Intent specifications: An approach to building human-
for evaluating environmental and performance tradeoffs for air transporta- centered specifications, IEEE Trans. Softw. Eng., vol. 26, no. 1, pp. 1535,
tion systems, in Proc. 11th AIAA Aviation Technol., Integr. Oper. Conf., Jan. 2000.
Virginia Beach, VA, USA, 2011, vol. 6816, pp. 209223. [46] H. A. Simon, The structure of ill-structured problems, in Models of
[16] MIL-STD-882E, Department of defense standard practice system safety, Discovery. Berlin, Germany: Springer-Verlag, 1977, pp. 304325.
U.S. Dept. Defense, Dayton, OH, USA, 2012. [47] J. Rasmussen, Information Processing and Human Machine Interaction:
[17] S. J. Kapurch, NASA Systems Engineering Handbook. Collingdale, PA, An Approach To Cognitive Engineering. New York, NY, USA: Elsevier,
USA: DIANE, 2010. 1986.
[18] Safety management system manual, Federal Aviation Admin. Air [48] Concept of operations for the next generation air transportation system
Traffic Org., Washington, DC, USA, 2008. Version 3.2, Joint Plan. Develop. Office (JPDO), Washington, DC, USA,
[19] ARP-4754, Guidelines for development of civil aircraft and systems, Sep. 30, 2010.
Revision A, Soc. Auto. Eng. (SAE) Int. Warrendale, PA, USA, 2010. [49] JPDO trajectory-based operations (TBO) study team report, Joint Plan.
[20] J. W. Vincoli, Basic Guide to System Safety, 2nd ed. Hoboken, NJ, Develop. Office (JPDO), Washington, DC, USA, Tech. Rep., 2011.
USA: Wiley, 2005. [50] N. Leveson, Completeness in formal specification language design for
[21] Capability safety assessment of trajectory based operations v1.1, Joint process-control systems, in Proc. 3rd Workshop Formal Methods Softw.
Plan. Develop. Office (JPDO) Capability Safety Assessment Team, Pract., 2000, pp. 7587.
Washington, DC, USA, 2012. [51] N. Kheir, Systems Modeling and Computer Simulation, vol. 94.
[22] E. Harkleroad, A. Vela, J. Kuchar, B. Barnett, and R. Merchant-Bennett, Boca Raton, FL, USA: CRC Press, 1995.
Atc-045 risk-based modeling to support nextgen concept assessment and [52] A. Dong, Application of cast and stpa to railroad safety in China,
validation, MIT Lincoln Lab., London, U.K., 2013. Ph.D. dissertation, Massachusetts Inst. Technol., Cambridge, MA, USA,
[23] H. Watson, Bell telephone laboratories launch control safety study, Bell 2012.
Telephone Labs. Murray Hill, NJ, USA, 1961. [53] J. J. P. Hickey, A system theoretic safety analysis of US coast guard
[24] MIL-P-1629Procedures for performing a failure mode effect and crit- aviation mishap involving CG-6505, Ph.D. dissertation, Massachusetts
ical analysis, U.S. Dept. Defense, Dayton, OH, USA, 1949. Inst. Technol., Cambridge, MA, USA, 2012.
[25] W. E. Vesely, F. F. Goldberg, N. H. Roberts, and D. F. Haasl, Fault Tree [54] M. B. Spencer, Engineering Financial Safety: A System-Theoretic Case
Handbook, U.S. Nucl. Regulatory, Commission, Washington, DC, USA, Study From the Financial Crisis, Ph.D. dissertation, Massachusetts Inst.
Rep. no. NUREG-0492, 1981. Technol., Cambridge, MA, USA, 2012.
[26] N. G. Leveson, Safeware: System Safety and Computers. Reading, MA, [55] R. Hosse et al., Integration of petri nets into STAMP/CAST on the
USA: Addison-Wesley, 1995. example of Wenzhou 7.23 accident, in Proc. Control Automation Theory
[27] N. G. Leveson, Engineering a Safer World. Cambridge, MA, USA: MIT Transportation Applications, 2013, vol. 1, pp. 6570.
Press, 2012.
[28] S. Dekker, Ten Questions About Human Error: A New View of Human
Factors and System Safety. Boca Raton, FL, USA: CRC Press, 2005.
[29] J. Rasmussen, Risk management in a dynamic society: A modelling
problem, Safety Sci., vol. 27, no. 2, pp. 183213, Oct. 1997. Cody H. Fleming received the B.S. degree in me-
[30] D. D. Woods, L. J. Johannesen, R. I. Cook, and N. B. Sarter, Behind chanical engineering from Hope College, Holland,
Human Error. Aldershot, U.K.: Ashgate, 2010. MI, USA, and the Masters degree in civil engineer-
[31] R. R. Lutz and I. C. Carmen Mikulski, Operational anomalies as a cause ing and the Ph.D. degree in aeronautics and astronau-
of safety-critical requirements evolution, J. Syst. Softw., vol. 65, no. 2, tics from the Massachusetts Institute of Technology
pp. 155161, Feb. 2003. (MIT), Cambridge, MA, USA, in 2015.
[32] N. Leveson, A new accident model for engineering safer systems, Safety In August 2015, he started as an Assistant Pro-
Sci., vol. 42, no. 4, pp. 237270, Apr. 2004. fessor of systems and information engineering with
[33] P. Checkland, Systems Thinking, Systems Practice: Includes a 30-Year the University of Virginia, Charlottesville, VA, USA.
Retrospective. Chichester, U.K.: Wiley, 1999. Prior to returning to MIT, he spent five years working
[34] J. McGregor, Arcade game maker pedagogical product line: Concept on space system development for various govern-
of operations, Version 2.0, Softw. Eng. Inst. Pittsburgh, PA, USA, ment projects.
2005.
[35] Nextgen implementation plan, Federal Aviation Admin., Washington,
DC, USA, 2013, Accessed Mar. 18, 2014. [Online]. Available: http://
www.faa.gov/nextgen/implementation/media/NextGen_Implementation Nancy G. Leveson received all her degrees, in math,
_Plan_2013.pdf management, and computer science, from UCLA.
[36] E. Cone, The ugly history of tool development at the faa, Baseline She is a Professor of aeronautics and astronau-
Mag., vol. 4, no. 9, 2002. [Online]. Available: http://www.baselinemag. tics with the Massachusetts Institute of Technology,
com/c/a/Projects-Processes/The-Ugly-History-of-Tool-Development-at- Cambridge, MA, USA. She has authored over 200
the-FAA published papers and two books, namely, Safe-
[37] Air Traffic Control: FAAs Advanced Automation System Acquisition ware: System Safety and Computers (1995) and
Strategy Is Risky: Report to the Secretary of Transportation. Scranton, Engineering a Safer World (2012). She conducts
PA, USA: The Office, 1986. research on all aspects of system safety and system
[38] B. P. Douglass, Doing Hard Time: Developing Real-Time Systems With engineering, including requirements, design, oper-
UML, Objects, Frameworks, and Patterns, vol. 1. Reading, MA, USA: ations, management, and social aspects of safety-
Addison-Wesley , 1999. critical systems.
[39] M. P. Heimdahl and N. G. Leveson, Completeness and consistency analy- Ms. Leveson is a member of the National Acade-
sis of state-based requirements, in Proc. 17th ICSE, 1995, pp. 314. my of Engineering.