The STAMP (System-Theoretic Accident Model and Processes) framework is a relatively new accident causality model based on system theory that was developed by Professor Nancy Leveson at MIT. STAMP provides a new paradigm for system safety engineering and has been gaining popularity across industries. The purpose of this post is to provide a brief introduction to STAMP and its related processes STPA and CAST.
There is a large volume of information on STAMP already available online. Rather than reinvent the wheel, this post will attempt to curate the existing content to provide a brief introduction. I am purposely avoiding adding my own commentary in this initial post, but I intend to do one or two follow-up posts with my own thoughts on STAMP and STPA.
Although many of the underlying ideas of STAMP appear in her earlier work, I believe the first appearance of the term STAMP was in the 2004 paper A New Accident Model for Engineering Safer Systems. This very readable paper lays out the rationale and basic precepts of STAMP in just thirty pages.
Keep in mind that STAMP is just a framework or paradigm, not a methodology or tool. STAMP currently has two related methodologies:
- Systems-Theoretic Process Analysis – STPA Handbook
- Causal Analysis Using System Theory – CAST Handbook
For a deeper dive on STAMP, STPA, CAST, and systems theory, Dr. Leveson’s 2011 book Engineering a Safer World is also available free online.
System Theory Background
One of the “ah-ha” moments for me learning about STAMP was realizing that the term System Theory was not synonymous with Systems Engineering as I know it (although they are related). It is important to understand this point of view to understand the STAMP paradigm.
For the 5-minute version, the System Theory page at Wikipedia is your friend. A more expansive overview is provided in Bertalanffy’s The History and Status of General Systems Theory. Another of the seminal works in systems theory, the book Cybernetics by Norbert Wiener, is also available online.
Closer to the present, Dr. Leveson’s work directly builds on Rasmussen’s concept of an abstraction hierarchy as described in Proactive Risk Management in a Dynamic Society. Her recent paper Rasmussen’s Legacy: A Paradigm Change in Engineering for Safety discusses Rasmussen’s contributions as well as providing a good overview of the Systems Theory literature that influenced the development of STAMP.
So far, I have thrown well over a thousand pages of reading your way in the hyperlinks. If you are pressed for time, there are a number of excellent resources for video tutorials. I especially recommend Simon Whitely’s channel at Whitely-Safety Channel. In particular, his 8-minute overview of STAMP should save you a few hours:
One of my frustrations in learning STAMP was trying to find application examples that go beyond the basic introductory examples. In other words, what does this stuff look like when applied to a real-world complex system? Here are a couple of examples that I found most informative:
This publications document at the MIT website has an Applications section with many other examples.
Comparison of STAMP to Other Approaches
This post is not providing commentary or critique on STAMP, but it is still a reasonable question to ask: Does STAMP work? More specifically, does it work better than other approaches?
The application examples above give strong evidence that STAMP and its tools do work. The question of whether they work “better” has a more nuanced answer.
A recent case study comparing FMEA and STPA found that STPA found 27% of hazards that were missed by FMEA. However, FMEA found 30% of hazards that were missed by STPA. Another study found that STPA found nearly double the hazards found by FMEA. A controlled experiment comparing STPA with FMEA and FTA found that although STPA provided better coverage, it was less efficient than other methods.
A review of the STPA process prepared for the U.S. DOT and FAA provides some high-level observations and recommendations. The executive summary is well worth a read.
It is also worth noting that STAMP is not the only accident model to be developed based on systems theory. As the title suggests, A Critical Review of STAMP, FRAM, and Accimap provides a critique of these three systems theory-based approaches. More on that in a future post!
I hope you found this post helpful and not too much of a laundry list. If you are knowledgeable about STAMP and feel like I have left something out, please comment!
The STAMP approach is gaining popularity across industries, especially aerospace and automotive. There is compelling evidence that it can identify hazards often missed by other approaches. In my next post, we will take a look at some of the criticisms of STAMP, including my own comments.