
    Hazard Mitigation through a Systemic Model of Accident to a Socio-Technical System: A Case Study

    This paper presents the STAMP (System-Theoretic Accident Model and Processes) accident model, which is based on systems theory, and describes its application to risk prevention in the remediation of contaminated sediments. The implementation of the model is described, and results are presented in both methodological and technical terms. The goal of the article is to emphasize the need for new approaches that take hazards and accidents within socio-technical systems into account.

    Exploratory Study of the Privacy Extension for System Theoretic Process Analysis (STPA-Priv) to elicit Privacy Risks in eHealth

    Context: System Theoretic Process Analysis for Privacy (STPA-Priv) is a novel top-down privacy risk elicitation method. It has received little attention so far, but it may offer a convenient, structured approach and generate additional artifacts compared with other methods. Aim: This exploratory study sets out to determine what benefits STPA-Priv offers and to explain how the method is used. Method: We apply STPA-Priv to a real-world health scenario involving a smart glucose measurement device used by children. Different kinds of data from the device, including location data, are to be shared with parents, physicians, and urban planners, which makes it a sociotechnical system with suitably complex privacy risks to be found. Results: STPA-Priv is a structured method for privacy analysis and finds complex privacy risks. The method is supported by a tool called XSTAMPP, which makes the analysis and its results more thorough. We also learn that the steps may need to be applied iteratively to find further privacy risks as more information about the system becomes available. Conclusions: STPA-Priv helps to identify complex privacy risks that derive from sociotechnical interactions in a system. It also outputs privacy constraints that the system must enforce to ensure privacy. Comment: author's post-print

    Thinking in systems, sifting through simulations: a way ahead for cyber resilience assessment

    The interaction between the physical world and information technologies creates advantages as well as novel emerging threats. Cyber-physical systems (CPSs) are vulnerable to cyber-related disruptive scenarios, and for some critical systems cyber failures may have consequences for society and the environment. Traditional risk analysis is no longer sufficient to deal with these problems. New techniques are gaining consensus, especially those based on systems theory. In this context, System-Theoretic Process Analysis for Security (STPA-Sec) extends the Systems-Theoretic Accident Model and Processes (STAMP) model to consider cyber threats, identifying unsafe and unsecure control actions throughout a cyber socio-technical system. Despite its wide use as a descriptive tool, STPA-Sec is still rarely used in (semi-)quantitative terms. This article presents System-Theoretic Process Analysis for Security with Simulations (STPA-Sec/S), a methodological interface between STPA-Sec and quantitative resilience assessment based on simulation models. The methodology is instantiated in a demonstrative case study of a water treatment plant and its critical CPSs, which may impact both community health and the environment. The results show how STPA-Sec/S fosters understanding of the system, allows a systematic identification of its major criticalities, and supports their quantification.
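    The step that both STPA-Priv and STPA-Sec build on is the guide-word enumeration of unsafe (or unsecure) control actions (UCAs) over a control structure, followed by their negation into constraints and the search for causal scenarios. The following is an added example, not code from any of the papers listed here or from the XSTAMPP tool: it models a constructed chlorine-dosing loop in a water treatment plant (the control actions, hazards H1/H2, sensor names and analyst judgements are all assumptions made for illustration), enumerates the candidate UCAs with the four STPA guide words, keeps the ones an analyst judged hazardous, derives the corresponding constraint, and generates STPA-Sec style causal scenarios in which an adversary corrupts the feedback the controller trusts or the control path itself.

```python
"""STPA guide-word step for a small control loop (constructed example).

The control structure, hazards and analyst judgements below are assumptions
made for illustration of a chlorine-dosing loop in a water treatment plant;
they are not taken from the STPA-Sec/S case study.
"""
from dataclasses import dataclass
from itertools import product

# The four STPA guide words describing how a control action becomes unsafe.
NOT_PROVIDED, PROVIDED_UNSAFE, WRONG_TIMING, WRONG_DURATION = GUIDE_WORDS = (
    "not provided",
    "provided when unsafe",
    "provided too early, too late or out of order",
    "stopped too soon or applied too long",
)

# UCA statement per guide word, and its negation, the safety/security constraint.
UCA_TEXT = {
    NOT_PROVIDED: "{ctl} does not provide '{act}' when {ctx}",
    PROVIDED_UNSAFE: "{ctl} provides '{act}' when {ctx}",
    WRONG_TIMING: "{ctl} provides '{act}' too early, too late or out of order when {ctx}",
    WRONG_DURATION: "{ctl} stops '{act}' too soon or applies it too long when {ctx}",
}
CONSTRAINT_TEXT = {
    NOT_PROVIDED: "{ctl} must provide '{act}' when {ctx}",
    PROVIDED_UNSAFE: "{ctl} must not provide '{act}' when {ctx}",
    WRONG_TIMING: "{ctl} must provide '{act}' within its timing window when {ctx}",
    WRONG_DURATION: "{ctl} must apply '{act}' for exactly as long as required when {ctx}",
}


@dataclass(frozen=True)
class ControlAction:
    controller: str
    action: str
    process: str
    feedback: tuple  # sensor signals the controller's process model relies on


@dataclass(frozen=True)
class UCA:
    action: ControlAction
    guide_word: str
    hazard: str
    context: str

    def _fill(self, template):
        return template.format(ctl=self.action.controller,
                               act=self.action.action, ctx=self.context)

    @property
    def text(self):
        return self._fill(UCA_TEXT[self.guide_word])

    @property
    def constraint(self):
        return self._fill(CONSTRAINT_TEXT[self.guide_word])


def candidate_ucas(actions, hazards):
    """Every (action, guide word, hazard) triple the analyst has to review."""
    return list(product(actions, GUIDE_WORDS, hazards))


def analyse(actions, judgements):
    """Keep the candidates the analyst judged hazardous, with the context in
    which the action is unsafe. judgements: (action name, guide word) ->
    list of (hazard id, context)."""
    return [UCA(a, g, hazard, ctx)
            for a, g in product(actions, GUIDE_WORDS)
            for hazard, ctx in judgements.get((a.action, g), ())]


def causal_scenarios(uca):
    """STPA-Sec style scenarios: the UCA occurs because an adversary corrupts
    the feedback the controller trusts, or the control path itself."""
    a = uca.action
    scenarios = [f"attacker spoofs or stalls '{fb}', so {a.controller}'s process "
                 f"model no longer reflects that {uca.context}; result: {uca.text}"
                 for fb in a.feedback]
    scenarios.append(f"attacker injects or blocks '{a.action}' on the "
                     f"{a.controller} -> {a.process} link; result: {uca.text}")
    return scenarios


# Constructed control structure and hazards (assumptions for this example).
HAZARDS = {
    "H1": "water leaves the plant with chlorine outside the safe range",
    "H2": "intake exceeds tank capacity and the contact tank overflows",
}
ACTIONS = [
    ControlAction("PLC", "start chlorine dosing", "dosing pump",
                  ("residual-chlorine sensor", "flow meter")),
    ControlAction("PLC", "open intake valve", "intake valve",
                  ("tank-level sensor",)),
]
# Analyst judgements on which candidates are real UCAs (also constructed).
JUDGEMENTS = {
    ("start chlorine dosing", NOT_PROVIDED):
        [("H1", "water is flowing and residual chlorine is below target")],
    ("start chlorine dosing", PROVIDED_UNSAFE):
        [("H1", "there is no flow through the contact tank")],
    ("start chlorine dosing", WRONG_DURATION):
        [("H1", "residual chlorine has reached target")],
    ("open intake valve", PROVIDED_UNSAFE):
        [("H2", "the tank is at high level")],
    ("open intake valve", WRONG_DURATION):
        [("H2", "the tank reaches high level")],
}


def report(actions=ACTIONS, hazards=HAZARDS, judgements=JUDGEMENTS):
    ucas = analyse(actions, judgements)
    print(f"{len(candidate_ucas(actions, hazards))} candidates reviewed, "
          f"{len(ucas)} UCAs kept")
    for u in ucas:
        print(f"[{u.hazard}] UCA: {u.text}")
        print(f"     constraint: {u.constraint}")
        for s in causal_scenarios(u):
            print(f"     scenario: {s}")
    return ucas


if __name__ == "__main__":
    report()
```

    The Cartesian product of actions, guide words and hazards is the full review obligation (16 candidates here); the analyst's judgements, with a context clause for each, are what turn a candidate into a UCA. The constraints are the artifacts that feed system requirements, and the scenario generator makes the STPA-Sec point explicit: each feedback signal the controller trusts and each control link is a place where an adversary, not just a component failure, can bring the UCA about.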

    Safety Sufficiency for NextGen: Assessment of Selected Existing Safety Methods, Tools, Processes, and Regulations

    NextGen is a complex socio-technical system and, in many ways, it is expected to be more complex than the current system. It is vital to assess the safety impact of the NextGen elements (technologies, systems, and procedures) in a rigorous and systematic way and to ensure that they do not compromise safety. In this study, the NextGen elements in the form of Operational Improvements (OIs), Enablers, Research Activities, Development Activities, and Policy Issues were identified. The overall hazard situation in NextGen was outlined; a high-level hazard analysis was conducted with respect to multiple elements in a representative NextGen OI known as OI-0349 (Automation Support for Separation Management); and the hazards resulting from the highly dynamic complexity involved in an OI-0349 scenario were illustrated. A selected but representative set of the existing safety methods, tools, processes, and regulations was then reviewed and analyzed regarding whether they are sufficient to assess safety in the elements of that OI and ensure that safety will not be compromised and whether they might incur intolerably high costs

    Developing Secure and Safe Systems with Knowledge Acquisition for Automated Specification

    There are specialised techniques and languages used in risk management in both the safety engineering and the security engineering domain. The outputs of these techniques, known as artifacts, are kept separate from each other, which leads to several difficulties because the domains are treated as independent and no single domain unifies the two. At the heart of the problem is that safety engineers and security engineers work in separate teams throughout the system development life cycle, which results in incomplete coverage of risks and threats. This thesis applies a structured approach to integrating security and safety by creating a SaS (Safety and Security) domain model. It further demonstrates that the goal-oriented KAOS (Knowledge Acquisition in autOmated Specification) language can be used for threat and hazard analysis in a way that covers both the safety and the security domain, making their outputs, or artifacts, well structured, which yields a thorough analysis and greater dependability. The proposed solution builds a domain model in which the safety and security domains are integrated; this gives a better basis for comparison and integration, finding the middle ground between the two domains and unifying their definitions by mapping them into a general ontology. The result is a single model that brings the two domains together, in which safety and security techniques interact, produces outputs treated as assurance artifacts, and uses KAOS with a domain model built from a case study. After the newly created model is applied, an experiment analyses the same case study and compares the results with those of existing models to examine the usefulness of such a domain. The structured approach can thereby act as an interface for active interaction in risk and hazard management, helping to find solutions for differences and contradictions that can be overcome by integrating the safety and security domains and using a unified system analysis technique (KAOS), which results in analysis centrality.

    Managing Epistemic Uncertainties in the Underlying Models of Safety Assessment for Safety-Critical Systems

    When conducting safety assessment for safety-critical systems, epistemic uncertainty is an ever-present challenge when reasoning about the safety concerns and causal relationships related to hazards. Uncertainty around this causation thus needs to be managed well. Unfortunately, existing safety assessment tends to ignore unknown uncertainties, and stakeholders rarely track known uncertainties well through the system lifecycle. In this thesis, an approach is described for managing epistemic uncertainties about the system and safety causal models that are applied in a safety assessment. First, the principles that define the requirements for the approach are introduced. Next, these principles are used to construct three distinct steps that constitute an approach to manage such uncertainties. These three steps involve identifying, documenting and tracking the uncertainties throughout the system lifecycle so as to enable intervention to address the uncertainties. The approach is evaluated by integrating it with two existing safety assessment techniques, one using models from a system viewpoint and the other with models from a component viewpoint. This approach is also evaluated through peer reviews, semi-structured interviews with practitioners, and by review against requirements derived from the principles. Based on the evaluation results, it is plausible that our approach can provide a feasible and systematic way to manage epistemic uncertainties in safety assessment for safety-critical systems

    A systems approach to risk management through leading safety indicators

    The goal of leading indicators for safety is to identify the potential for an accident before it occurs. Past efforts have focused on identifying general leading indicators, such as maintenance backlog, that apply widely in an industry or even across industries. Other recommendations produce more system-specific leading indicators, but start from system hazard analysis and thus are limited by the causes considered by the traditional hazard analysis techniques. Most rely on quantitative metrics, often based on probabilistic risk assessments. This paper describes a new and different approach to identifying system-specific leading indicators and provides guidance in designing a risk management structure to generate, monitor and use the results. The approach is based on the STAMP (System-Theoretic Accident Model and Processes) model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events or deviations from operational expectations. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory

    Safety Assurance in NextGen

    The generation of minimum operational, safety, performance, and interoperability requirements is an important aspect of safely integrating new NextGen components into the Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) system. These requirements are used as part of the implementation and approval processes. In addition, they provide guidance for determining the levels of design assurance and performance needed for each element of the new NextGen procedures, including the aircraft, the operator, and the Air Navigation Service Provider. Using the enhanced Airborne Traffic Situational Awareness for In-Trail Procedure (ATSA-ITP) as an example, this report describes some limitations of the current process used for generating safety requirements and levels of required design assurance. An alternative process is described, together with the argument for why the alternative can generate more comprehensive requirements and greater safety assurance than the current approach.