The System Theoretic Accident Model and Processes (STAMP) framework is an accident causality model based on system theory that was developed by *Professor Nancy Leveson, a professor in the aeronautics and astronautics department at MIT, who has been working in the area of safety engineering for 37 years in a variety of fields (aeronautics, space, defense, nuclear power, healthcare, petrochemical plants, etc.). STAMP provides a new paradigm for system safety engineering and has been increasing in usage across the transportation industry. We will provide a brief introduction to STAMP and its related processes, Systems-Theoretic Process Analysis (STPA) and Causal Analysis Using System Theory (CAST).

System theory and control theory background

It is important to note that system theory is not the same as systems engineering; keeping the two distinct helps in understanding STAMP. Systems theory is a complex, interdisciplinary field of science that examines any single entity as a system so that its makeup can be fully understood.

Control theory deals with the control of dynamic systems in engineered processes and machines. Core concepts used extensively in STAMP are modeling, feedback, control, and observability. STAMP incorporates both theoretical models in a structured way to identify causes of accidents and inadequate control that leads to loss.

There is significant information on STAMP available online. Although many of the underlying ideas of STAMP appear in Dr. Nancy G. Leveson’s earlier work, the term STAMP was introduced in the 2004 paper “A New Accident Model for Engineering Safer Systems.” This paper explained the rationale and basic precepts of STAMP.

STAMP is a framework, not a methodology or tool. STAMP currently has two adjacent methodologies:

  • Systems-Theoretic Process Analysis – STPA 
  • Causal Analysis Using System Theory – CAST 

STPA basics

STPA is a method for identifying hazards that could arise from unsafe control actions. Dr. Leveson developed a structured approach involving four key steps to identify these hazards. Our experts apply STPA to support functional safety analysis at various stages of product development and have found the control model to be uniquely beneficial, especially in more complex systems such as autonomy and cybersecurity.

STPA steps

CAST basics

CAST is a method for identifying inadequate control that could lead to an accident. By performing a CAST analysis on previous accidents, it is possible to extract deeper lessons learned, using a similar structured control-theory approach to understand what went wrong. The basic steps are outlined below:

CAST steps

The framework used by both STPA and CAST relies on a similar structured approach: gather the input data, model the control structure, analyze the unsafe control actions or control flaws, and then mitigate their effects. This approach requires a mindset focused on the relationships and interactions between the control elements of a control system, which may be unfamiliar to many practitioners proficient in traditional safety approaches. Dr. Leveson also introduced new terminology and a framework that, when combined with traditional techniques, result in a more holistic and encompassing identification of potential root causes and associated mitigation measures. The benefits apply widely across safety-related industries and sectors.
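To make the "model a control structure, then analyze the unsafe control actions" step concrete, here is a small Python model added as an illustration (it is not code from the article or from Dr. Leveson's work). It assumes a constructed automated-driving control structure and the four unsafe-control-action categories from Leveson's STPA, which this page does not list; the check it runs flags a control action whose controller receives no feedback from the process it controls.

```python
# Added example: a minimal STPA-style control-structure model.
from dataclasses import dataclass, field

# The four unsafe-control-action (UCA) categories from Leveson's STPA
# (assumed here; the article does not enumerate them).
UCA_TYPES = (
    "not provided when needed",
    "provided when it leads to a hazard",
    "provided too early, too late, or out of order",
    "stopped too soon or applied too long",
)


@dataclass
class ControlStructure:
    """Controllers, the processes they control, and the feedback they get."""
    # (controller, controlled process, control action)
    control_actions: list = field(default_factory=list)
    # (sender, receiver) feedback paths
    feedback: list = field(default_factory=list)

    def add_control_action(self, controller, process, action):
        self.control_actions.append((controller, process, action))

    def add_feedback(self, sender, receiver):
        self.feedback.append((sender, receiver))

    def missing_feedback(self):
        """Control actions whose controller gets no feedback from the
        controlled process, so its process model can never be corrected."""
        return [(c, p, a) for c, p, a in self.control_actions
                if (p, c) not in self.feedback]

    def candidate_ucas(self):
        """Every (controller, action, UCA type) the analyst must judge
        against the system hazards."""
        return [(c, a, t) for c, _p, a in self.control_actions
                for t in UCA_TYPES]


def constructed_ads_example():
    """Constructed (hypothetical) automated-driving control structure."""
    cs = ControlStructure()
    cs.add_control_action("ADS controller", "brake actuator", "apply braking")
    cs.add_control_action("ADS controller", "steering actuator", "steer")
    cs.add_feedback("brake actuator", "ADS controller")  # brake state reported
    # No feedback path from the steering actuator: the flaw the check flags.
    return cs


if __name__ == "__main__":
    model = constructed_ads_example()
    print("missing feedback:", model.missing_feedback())
    print(len(model.candidate_ucas()), "candidate UCAs to assess")
```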

Comparison of STAMP to other approaches

Our experts use a variety of frameworks, including Failure Mode & Effects Analysis (FMEA), STPA and Fault Tree Analysis (FTA), for safety analysis. Depending on the system, the operating environment, and the scope of the analysis and its application, each framework shows benefits and drawbacks. A clear winner does not emerge from our comparisons. However, STAMP does provide a supplementary analysis approach to traditional safety analysis in that it models accidents with a control-theory model rather than a failure-management model. One significant benefit of STAMP is the ability to highlight interactions within the control structure and so identify weaknesses that could lead to accidents, or what STPA calls losses. Combining traditional approaches with STAMP while performing hazard analysis generates a comprehensive safety case that strongly supports implementation in Advanced Driver Assistance Systems (ADAS) and Automated Driving Systems (ADS) developments.

Similarities

  • Iterative, systematic analysis processes
  • Dependent on documentation and traceability
  • Flexible; can be used at any stage of development
  • Identify potential causes of hazards
  • Adopted by a wide range of industries

Differences

  • STAMP is based on systems theory rather than reliability theory
  • STAMP is heavily hierarchical
  • STAMP focuses on control actions rather than faults or failures
  • STAMP outputs are more qualitative
  • STAMP excels with greater complexity

 *UL Solutions is not affiliated with Dr. Leveson. All opinions and analysis in this article are those of UL Solutions alone.