massachusetts institute of technology - application of stpa in...
TRANSCRIPT
![Page 1: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/1.jpg)
Application of STPA in Radiation Therapy: a Preliminary Study
Wilko VerbakelMarjan Admiraal
Natalia Silvis-Cividjian
MIT STAMP Workshop 2018
![Page 2: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/2.jpg)
VU medical center
VU Computer Science Dept 2
Vrije Universiteit (VU) campus Amsterdam, The Netherlands
![Page 3: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/3.jpg)
Radiation Therapy (RT)
3
Overexposure accidents
1.Leveson & Turner, IEEE Computer. (1993) 2.Borras, Rev Panam Salud Publica. (2006)
Principle
[1] [2]
![Page 4: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/4.jpg)
Objective
• RT safety standards recommend FMEA and FTA• STAMP is a rising star in industry, but not in RT
How does it and
to introduce STAMP in RT?
![Page 5: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/5.jpg)
Outline
• Preparatory steps• Off we go!• Results• Conclusions and recommendations• Future work
5
![Page 6: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/6.jpg)
A simple system
• Oosterschelde storm surge barrier in NL• Moveable sluice‐type of gate doors• Automatically close when water level > 3m
6
PREPARATORY STEPS
![Page 7: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/7.jpg)
THE NETHERLANDS
7
MIT
Risk management?
![Page 8: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/8.jpg)
An accident
8
PREPARATORY STEPS
![Page 9: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/9.jpg)
Hazard analysis techniques
• Fault Tree Analysis (FTA)• Failure Mode and Effect Analysis (FMEA)• System Theoretic Process Analysis (STAMP‐STPA)
9
PREPARATORY STEPS
![Page 10: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/10.jpg)
10Courtesy of Jaap van Ekris (Delta Pi)
Fault Tree Analysis (FTA)
Probability ?
Probability ?
Probability ?
Probability ?
Probability ?
Probability ?
PREPARATORY STEPS
![Page 11: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/11.jpg)
Failure Mode and Effect Analysis (FMEA)
11Courtesy of Jaap van Ekris
Probability?
PREPARATORY STEPS
![Page 12: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/12.jpg)
FMEA
Control Wrong output Fault in logic Doors open Catastrophic
PREPARATORY STEPS
![Page 13: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/13.jpg)
STAMP
• STAMP uses a different accident causality model• It models each process as a system. • It does NOT calculate probabilities. All hazards are equally important and need to be prevented with control constraints by design.
13
RatinalePREPARATORY STEPS
![Page 14: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/14.jpg)
STPA Step 0. Model the system with safety control structure
14
PREPARATORY STEPS
![Page 15: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/15.jpg)
STPA Step 1.Identify hazards (Unsafe Control Actions)
15
Control action (CA)
CA not given
Incorrect CA is given
CA is given at the wrong time or wrong order
CA is stopped too soon or applied too long
Provide door close/open command
Door close command is not given when level > 3m
Door open command is given when water level is >3m
Door close command given long after water has reached 3m and is rising
Door open command much too late, long after the water level is safe
Door closed stopped too soon (door not completely closed) when level is > 3m
PREPARATORY STEPS
![Page 16: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/16.jpg)
STPA Step2. Causal scenarios and corrective measures
• UCA: The water is 4 m high and one door is open. Why? • Possible reason: Sensor wire is broken and makes the controller think that the water level is safe (0m).
• Corrective measure : The decision to open the door shouldnot rely only on one sensor.
16
PREPARATORY STEPS
![Page 17: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/17.jpg)
Conclusion so far• STPA detects hazards in a more systematic way• However, for simple systems, STPA seems to find the same hazards and recommendations as FTA or FMEA.
• So why bother? • RT team is skeptical, but willing to give it a try
17
PREPARATORY STEPS
![Page 18: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/18.jpg)
Source: http://www.nytimes.com/interactive/2010/01/22/us/Radiation.html
Intensity Modulated Radiation Therapy (IMRT)
18
Gantry
OFF WE GO!
![Page 19: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/19.jpg)
Source: http://acfro.com/what‐to‐expect‐during‐your‐treatment/radiation‐therapy‐imrtigrt‐oncology‐physicial‐therapy/
IMRT Treatment plan
19
tumororgan atrisk (OAR)
radiation beam
OFF WE GO!
![Page 20: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/20.jpg)
Source: http://www.nytimes.com/interactive/2010/01/22/us/Radiation.html
Multileaf Collimator (MLC)
20
OFF WE GO!
![Page 21: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/21.jpg)
IMRT flowchart
21
OFF WE GO!
![Page 22: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/22.jpg)
Treatment plan
Video image from the linac room
Dose distribution calculated by TPS
CT scan image
22Photo: Radiotherapy facility at VUmc Amsterdam
OFF WE GO!
![Page 23: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/23.jpg)
Research questions
• RQ1. How difficult is it to apply STPA for hazard analysis in RT?– Can an outsider conduct it? – Will it add excesive workload for RT dept? – What shall we do with all the thousands of hazards we’llfind?
– Can we speed up the analysis by reusing artifacts from otherRT centers?
• RQ2. What is the added value of STPA vs. HFMEA?– Compare STPA with an existing HFMEA
23
OFF WE GO!
![Page 24: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/24.jpg)
Step 0. High‐level accidents
• A1. Patient injured or killed from radiation exposure• A2. A non‐patient is injured or killed by radiation• A3. Damage or loss of equipment• A4. Physical damage to patient or non‐patient during
treatment (not from radiation)
Sources: Pawlicki, Todd, Aubrey Samost, Derek W. Brown, Ryan P. Manger, Gwe‐Ya Kim, and Nancy G. Leveson. 2016. 'Application of systems and control theory‐based hazard analysis to radiation oncology', Medical Physics, 43: 1514‐30Blandine, A. 2013. 'Systems theoretic hazard analysis (STPA) applied to the risk review of complex systems: an example from the medical device industry', PhD thesis, Massachusetts Institute of Technology.
24
OFF WE GO!
![Page 25: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/25.jpg)
This is what the beginner analist is hearing:
25
• What goes in a controller box?• Which level of granularity? • What is a control action and what is a feedback?
• Oncologist fills a CT simulation request in ARIA• CT radiographer makes and saves CT images in ARIA• Oncologist writes a treatment prescription in ARIA• Radiographer makes a treatment plan and saves itin ARIA
• Medical physicist approves the plan in ARIA• ARIA is a huge database shared by treatment planning and delivery
Step 0. Graphical modeling
These are his questions:
OFF WE GO!
![Page 26: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/26.jpg)
High‐level control structure
26
Zoom in later
Cumulate more actors in one controller. A controller is not a person, but a representation of a functionality
First high‐level control structure
OFF WE GO!
![Page 27: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/27.jpg)
27
“Oncologist writes a PI “ is modeled with a control action to radiographer to make a treatment plan
OFF WE GO!
![Page 28: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/28.jpg)
Hint: control actions are verbs, a kind of commands. Feedback is a noun, something that makes the controller adapt its process model.
28
“CT radiographer saves images in ARIA” is modeled as feedback to oncologist
OFF WE GO!
![Page 29: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/29.jpg)
Control structure for Treatment Design controller 29
![Page 30: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/30.jpg)
Step 1. Identifying possible hazards
Control action
The control action is not given
An incorrect control action is given
The control action is given at the wrong time
The control action given with wrong duration
Run re‐optimization
Planning radiographer does not execute re‐optimization when asked
Planning radiographer runs optimization with wrong parameters
Planning radiographer starts optimization too soon, before the targets and OARs have been delineated
Planning radiographer re‐optimizes the plan long after the peer reviewing asked for it
Planning radiographer keeps on applying optimization even after the peer reviewers approved the plan
Planning radiographer stops the re‐optimization process too soon (the same like does not execute re‐optimization)
30
OFF WE GO!
![Page 31: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/31.jpg)
Step2. Causal scenarios and corrective measures
31
ID UCA Causal scenarios Corrective measures1 Oncologist
wrote a wrong CT prescription
Did not have complete anatomic info at that time, and later forgot
1. Create templates in software
2. Oncologist should be present during CT scan
OFF WE GO!
![Page 32: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/32.jpg)
Extended STPA model for human controllers
32
[Thomas & France, 2016]
OFF WE GO!
• Human controller: Planning radiographer• Control action: Run optimization in TPS • Control algorithm: Delineate OAR and position collimators on CT scan according
to procedures and repeat running optimization in TPS until dose distribution is according to PI.
![Page 33: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/33.jpg)
Causal scenarios
• UCA: Planning radiographer stops optimization too soon. As result, the plan has wrong parameters (collimator settings). WHY?
33
PI, protocols, feedback from peer reviewers, training, experience
“The plan is good enough, so I stop optimization (and send it
back to oncologist) “
OFF WE GO!
![Page 34: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/34.jpg)
Causal scenarios• [1] Incorrect belief of the process state.
– PI or protocols are ambiguous and not clear
– the radiographer thinks that his unorthodox way of collimator positioning is better, but he overlooks that radiation hot spots are created
– the radiographer was interrupted by a telephone call or pager, and as a result forgets where he was in the plan procedure
34
OFF WE GO!
![Page 35: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/35.jpg)
Causal scenarios
• [2] Incorrect belief of the process behavior.– the radiographer is not experienced and makes wrong assumptions about TPS behaviour. He could also ask questions to his superiors, but does not dare.
• [3] Flaws in the mental model updates– the radiographer used the same incorrect collimator positioning in previous plans without problems
– he is bored and keen to try new things. 35
OFF WE GO!
![Page 36: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/36.jpg)
Results
• Graphical modeling of the process was difficult forbeginners. STAMP community helped. Step2 was easier.
• Can an outsider conduct it? YES• Will it add excesive workload for RT dept? NO • What to do with all those thousands of hazards? We found 142 UCAs. They should all be analyzed.
• Can we speed up the analysis by reusing artifactsfrom other RT centers? partially YES. 36
RESULTS
RQ1. How difficult was it to apply STPA in RT?
![Page 37: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/37.jpg)
• The lists of hazards mostly overlap. • HFMEA is more detailed in hazards of type “wrong control action”
• STPA is more rigurous and separates better causes fromeffects. Ex: CT radiographer forgot to apply the tatoos (FMEA) vs. CT radiographer did not apply tatoos (STPA).
• STPA found new, unexplored hazards. –Post-planner sent the plan to delivery team before it was approved and complete. –The CT radiographers start to acquire images long after the patient has been immobilized on the table.–Planning radiographer keeps on executing plan optimization even if peer reviewers have already approved the plan ‐> Interesting human behaviour
37
RQ2. What is the added value of STPA vs HFMEA? ResltsRESULTS
Step1. Hazards identification
![Page 38: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/38.jpg)
Step 2. Causal scenarios
• STPA offers more guidance in understanding human‐related hazards. • Ex. In the scenario “Oncologists’s PI is ambiguous’’, the oncologist and radiographer share the blame.
• A causal analysis of UCAs led to valuable correction measures.• Technical: Add a reminder feature for the oncologist in ARIA
• Procedural: If PI seems impossible, ask help from MP after two trials
• Managerial: Create a logistics manager to keep track of the tasks workflow
38
RESULTS
![Page 39: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/39.jpg)
Discussion• HFMEA was more detailed because is a bottom‐up, component‐based approach, performed by domain experts. STPA is a top‐down approach, and was performed by an outsider.
• The comparison is not 100% fair as some hazards were discarded by the HFMEA team because:‐ Focus was different at that time‐ Hazards with low risk (probability of occurrence, severity of consequences) were omitted‐ Knowledge of protection by procedures and software was incorporated in the evaluation of hazards.– New processes won’t have this knowledge
39
RESULTS
![Page 40: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/40.jpg)
Conclusions
• It is not easy to persuade RT teams to adopt STPA• Beginner analists struggle with systems‐basedmodeling
However,• STPA adds new hazards and safety‐relatedrecommendations to existing HFMEA results
• This is achieved with much less resources and domain knowledge
40
CONCLUSIONS
![Page 41: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/41.jpg)
Recommendations
• STPA should be considered as an option anytime a RT safety analysis is needed.
• If the proces is new, use STPA in early stages of development
• If the process is old and already safeguarded by FMEA/FTA , expect first opposition, and eventuallymore, subtle hazards and valuable corrective measures.
• Efforts to promote STAMP among RT practitioners & manufacturers are still needed
41
RECOMMENDATIONS
![Page 42: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/42.jpg)
Future work
• Publish the results in Journal of Safety Science• Apply STPA for new RT processes• More STAMP‐FMEA comparison experiments
42
FUTURE WORK
![Page 43: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/43.jpg)
Acknowledgements
• Jaap van Ekris (Delta Pi, NL)• Nancy Leveson (MIT, US)• Todd Pawlicki (University of California, US)• John Thomas (MIT, US)• Aubrey Samost (MIT, US)• Simon Whiteley (Whiteley Safety Engineering, UK)
43
![Page 44: Massachusetts Institute of Technology - Application of STPA in …psas.scripts.mit.edu/home/wp-content/uploads/2018/04/... · 2018-04-11 · • Oosterschelde storm surgebarrier in](https://reader034.vdocument.in/reader034/viewer/2022042405/5f1cbd2d15ed30786438238c/html5/thumbnails/44.jpg)
This was a story of how we stopped worrying about probabilities and learned to love STAMP….
44