#stpa

2025-04-07

Compendium of Nancy Leveson: STAMP, STPA, CAST and Systems Thinking

Although I don’t often mention or post about Leveson’s work, she’s probably been the most influential thinker on my approach after Barry Turner.

So here is a mini-compendium covering some of Leveson’s work.

Feel free to shout a coffee if you’d like to support the growth of my site:

https://buymeacoffee.com/benhutchinson

https://direct.mit.edu/books/oa-monograph/2908/Engineering-a-Safer-WorldSystems-Thinking-Applied

https://dspace.mit.edu/bitstream/handle/1721.1/102747/esd-wp-2003-01.19.pdf?sequence=1&isAllowed=y

https://dspace.mit.edu/bitstream/handle/1721.1/108102/Leveson_Applying%20systems.pdf?sequence=2&isAllowed=y

https://escholarship.org/content/qt5dr206s3/qt5dr206s3_noSplash_4453efa62859a16d187fa5e66d414ac2.pdf

https://escholarship.org/content/qt8dg859ns/qt8dg859ns_noSplash_e67040b78c1ff72e51b682bb23d8628a.pdf

https://doi.org/10.1177/0170840608101478

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=b2107d4823fa8b3eb83ecc8db006e8aecfe2994a

https://doi.org/10.1145/7474.7528

http://therm.ward.bay.wiki.org/assets/pages/documents-archived/safety-3.pdf

https://books.google.com/books?hl=en&lr=&id=2qwmAQAAIAAJ&oi=fnd&pg=PA177&dq=nancy+leveson&ots=uwtXVFUky7&sig=6P-5cOxcra9-3pcFBLYgYPeq5KQ

https://dspace.mit.edu/bitstream/handle/1721.1/108601/Leveson_A%20systems%20approach.pdf

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=57bd4861d6819bdd6543e3a8ca841aa0b98bbe5a

http://sunnyday.mit.edu/papers/Rasmussen-Legacy.pdf

https://www.tandfonline.com/doi/pdf/10.1080/00140139.2015.1015623

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=08434b0b1eba947fb7251be7daba9c50eab2e8d2

http://sunnyday.mit.edu/papers/issc03-stpa.doc

https://dspace.mit.edu/bitstream/handle/1721.1/92371/Leveson-Stephanopoulos%20final%20copy.pdf?sequence=1

https://dspace.mit.edu/bitstream/handle/1721.1/92371/Leveson-Stephanopoulos%20final%20copy.pdf?sequence=1&isAllowed=y

https://doi.org/10.1016/j.ssci.2018.07.028

http://sunnyday.mit.edu/shell-moerdijk-cast.pdf

http://sunnyday.mit.edu/CAST-Handbook.pdf

https://psas.scripts.mit.edu/home/get_file.php?name=STPA_Handbook.pdf

https://psas.scripts.mit.edu/home/wp-content/uploads/2020/07/JThomas-STPA-Introduction.pdf

https://cris.vtt.fi/ws/portalfiles/portal/98296189/Complete_with_DocuSign_2024-1-2_STPA_guide_F.pdf

https://dspace.mit.edu/bitstream/handle/1721.1/79639/Leveson_Modeling%20and%20hazard.pdf?sequence=2&isAllowed=y

https://dspace.mit.edu/bitstream/handle/1721.1/116713/INCOSE2017_Yisug%20Kwon_no%20UTC%20info.pdf?sequence=1

http://sunnyday.mit.edu/UPS-CAST-Final.pdf

https://doi.org/10.1016/j.trip.2023.100912

https://dspace.mit.edu/bitstream/handle/1721.1/107502/974705860-MIT.pdf?sequence=1

https://www.researchgate.net/profile/Nektarios-Karanikas/publication/356085051_The_past_and_present_of_System-Theoretic_Accident_Model_And_Processes_STAMP_and_its_associated_techniques_A_scoping_review/links/6191925ad7d1af224bef6b04/The-past-and-present-of-System-Theoretic-Accident-Model-And-Processes-STAMP-and-its-associated-techniques-A-scoping-review.pdf

https://proceedings.systemdynamics.org/2007/proceed/papers/DULAC552.pdf

http://sunnyday.mit.edu/nasa-class/jsr-final.pdf

https://dl.acm.org/doi/pdf/10.1145/2556938

https://dspace.mit.edu/bitstream/handle/1721.1/102833/esd-wp-2011-13.pdf?sequence=1&isAllowed=y

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=3a04c89efd23efda86f134e0e2f0683394a181c6

https://www.sciencedirect.com/science/article/pii/S1877705815038588/pdf?md5=78fccb436abe513b814fb520d01e209e&pid=1-s2.0-S1877705815038588-main.pdf

https://academic.oup.com/jamia/article-abstract/15/3/272/727503?redirectedFrom=PDF

https://dspace.mit.edu/bitstream/handle/1721.1/115366/16-1-18%20J%20Pt%20Safety%20Leveson%20%26%20Raman%20CAST_Checklist_JPtSafety2016%20%281%29.pdf?sequence=1&isAllowed=y

https://dspace.mit.edu/bitstream/handle/1721.1/106665/Leveson_Application%20of%20systems.pdf?sequence=1&isAllowed=y

https://www.academia.edu/29657886/The_systems_approach_to_medicine_controversy_and_misconceptions

https://dl.acm.org/doi/pdf/10.1145/3376127

https://www.sciencedirect.com/science/article/pii/S0022522316000702

http://sunnyday.mit.edu/caib/issc-bl-2.pdf

http://sunnyday.mit.edu/papers/ARP4761-Comparison-Report-final-1.pdf

https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8102762

https://www.tandfonline.com/doi/pdf/10.1080/00140139.2015.1011241

https://onlinelibrary.wiley.com/doi/pdf/10.1260/2040-2295.3.3.391

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=d39a0850269262753d27f659243de73eb8bc8e13

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=7e822452213a80be9bc7a5a7f5c13032c6fdd60f

https://library.oapen.org/bitstream/handle/20.500.12657/41716/978-3-030-47229-0.pdf?sequence=1#page=25

https://maritimesafetyinnovationlab.org/wp-content/uploads/2024/10/White-Paper-on-Approaches-to-Safety-Engineering-Leveson-2003.pdf

https://www.researchgate.net/publication/221526167_Using_System_Dynamics_for_Safety_and_Risk_Management_in_Complex_Engineering_Systems

http://sunnyday.mit.edu/papers/incose-04.pdf

https://core.ac.uk/download/pdf/78070242.pdf

https://dspace.mit.edu/bitstream/handle/1721.1/102767/esd-wp-2004-08.pdf?sequence=1&isAllowed=y

https://dspace.mit.edu/bitstream/handle/1721.1/59813/leveson_The%20Need%20for%20New.pdf?sequence=2&isAllowed=y

https://www.tandfonline.com/doi/pdf/10.1080/00140139.2014.1001445

https://ntrs.nasa.gov/api/citations/20230017753/downloads/Kopeikin_AIAA_UnsafeCollabControl_v5.pdf

http://sunnyday.mit.edu/accidents/space2001-version2.pdf

https://dspace.mit.edu/bitstream/handle/1721.1/90801/891583966-MIT.pdf?sequence=2&isAllowed=y

http://sunnyday.mit.edu/Bow-tie-final.pdf

https://cs.emis.de/LNI/Proceedings/Proceedings232/597.pdf

https://a3e.com/wp-content/uploads/2021/03/Risk-Matrix.pdf

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=a6b1e3482543a0116a5666e22956e773e953d682

https://journals.sagepub.com/doi/pdf/10.1177/21695067231192457

https://jsystemsafety.com/index.php/jss/article/download/44/41

http://sunnyday.mit.edu/compliance-with-882.pdf

https://www.researchgate.net/profile/Edward-Bachelder-3/publication/245875378_Describing_and_Probing_Complex_System_Behavior_A_Graphical_Approach/links/61f349978d338833e39cedfc/Describing-and-Probing-Complex-System-Behavior-A-Graphical-Approach.pdf

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=a17b2fa804e0f3e281dc88e959be9216328ae6cc#page=290

https://www.researchgate.net/profile/Earl-Hunt/publication/23920138_Demonstration_of_a_Safety_Analysis_on_a_Complex_System/links/561ea59908aecade1acce7ca/Demonstration-of-a-Safety-Analysis-on-a-Complex-System.pdf

https://meridian.allenpress.com/bit/article-pdf/47/2/115/1488089/0899-8205-47_2_115.pdf

LinkedIn post:

#CAST #disaster #nancyLeveson #resilienceEngineering #risk #safetyScience #safetyIi #safety2 #safetyii #stamp #stpa #systemSafety #systemsEngineering #systemsSafety #systemsThinking

st1nger 🏴‍☠️ (st1nger@infosec.exchange)
2025-03-22

Teaching a new way to prevent outages at #Google #SRE #devops #STPA (System Theoretic Process Analysis) sre.google/stpa/teaching/

N-gated Hacker News (ngate)
2025-03-20

Google's latest to prevent is a love letter wrapped in buzzwords and sprinkled with acronyms like and 🎩🔍. Apparently, teaching a new method involves rehashing 20 years of "lessons" that somehow didn't prevent past outages 🚨. But hey, who doesn't love a good old-fashioned seminar when your server's on fire? 🔥🤔
sre.google/stpa/teaching/

2024-05-06

Today was the #PapersInSystems event on the paper:
How to Perform Hazard Analysis on a "System-of-Systems" by Nancy Leveson

Thanks to @adrianco I learned a lot about #STPA & #STAMP (but much more is there still to learn)

And I got some more ideas of how it fits or can be applied to #cybersecurity.

The following is my (probably flawed) understanding

Let's dive in:

In STAMP (System-Theoretic Accident Model and Processes) safety is treated as a dynamic control problem rather than a failure prevention problem.

This leads to the following generic abstraction (model) of a safety-relevant system as a socio-technical system.

Source: Engineering a Safer World: Systems Thinking Applied to Safety
by Nancy G. Leveson

General system with three "layers"

At the bottom is the Controlled Process. It receives inputs and produces outputs. It is influenced by disturbances.

Above is an Automated Controller. It contains a Control Algorithm and Model of [the] Controlled Process. It observes the Controlled Process through sensors and "influences" it through Actuators.
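
The three-layer model described in the post above, as an added example that is not part of the post, of Leveson's books, or of the STPA Handbook: a Python simulation of one control loop in which a tank is the controlled process, a valve is the actuator, a delayed level reading is the sensor, and the controller carries both a control algorithm and a process model. The tank, the valve, the thresholds, the disturbance value and the sensor delay are all constructed assumptions chosen to make the behaviour visible.

```python
"""STAMP-style control loop (constructed example): a tank, kept below an overflow
level by an automated controller that holds a model of the process and acts
through a valve on sensor readings that may lag reality."""
from collections import deque
from dataclasses import dataclass

HAZARD_LEVEL = 100.0  # hazard: a tank at or above this level can overflow (the loss)


@dataclass
class Tank:
    """Controlled process: takes inflow plus a disturbance, drains while the valve is open."""
    level: float = 50.0
    valve_open: bool = False

    def step(self, inflow: float, disturbance: float) -> None:
        self.level += inflow + disturbance
        if self.valve_open:
            self.level -= 12.0  # drain rate exceeds inflow, so an open valve lowers the level
        self.level = max(self.level, 0.0)


class DelayedSensor:
    """Sensor: reports the level as it was `delay` steps ago (measurement lag)."""

    def __init__(self, delay: int, initial_level: float) -> None:
        self._history = deque([initial_level] * (delay + 1), maxlen=delay + 1)

    def read(self, true_level: float) -> float:
        self._history.append(true_level)
        return self._history[0]


@dataclass
class Controller:
    """Automated controller: a control algorithm plus a model of the controlled process.
    The process model is only as current as the feedback that updates it."""
    open_at: float = 80.0   # control algorithm: open the valve at or above this level
    close_at: float = 40.0  # control algorithm: close it at or below this level
    believed_level: float = 50.0       # process model: what the controller thinks the level is
    believed_valve_open: bool = False  # process model: what it thinks the valve is doing

    def decide(self, sensed_level: float) -> str:
        self.believed_level = sensed_level  # feedback updates the process model
        if self.believed_level >= self.open_at and not self.believed_valve_open:
            self.believed_valve_open = True
            return "open"
        if self.believed_level <= self.close_at and self.believed_valve_open:
            self.believed_valve_open = False
            return "close"
        return "none"


def actuate(action: str, tank: Tank) -> None:
    """Actuator: the controller's command changes the valve position."""
    if action == "open":
        tank.valve_open = True
    elif action == "close":
        tank.valve_open = False


def run(sensor_delay: int, steps: int = 40, inflow: float = 5.0, disturbance: float = 3.0) -> dict:
    """Run the loop; report the peak level and the first step at which the hazard state occurred."""
    tank = Tank()
    sensor = DelayedSensor(sensor_delay, tank.level)
    controller = Controller()
    peak, hazard_step = tank.level, None
    for t in range(steps):
        actuate(controller.decide(sensor.read(tank.level)), tank)
        tank.step(inflow, disturbance)
        peak = max(peak, tank.level)
        if hazard_step is None and tank.level >= HAZARD_LEVEL:
            hazard_step = t
    return {"sensor_delay": sensor_delay, "peak_level": peak, "hazard_step": hazard_step}


if __name__ == "__main__":
    for delay in (0, 3):
        print(run(delay))
```

With current feedback (`run(0)`) the level peaks at 86 and the hazard state is never reached; with three steps of sensor lag (`run(3)`) the controller's model of the controlled process trails the real tank, the "open" command is issued only after the level has passed 100, and the hazard state occurs at step 6. Nothing "failed" in the component sense: every part did what it was built to do, and the hazard comes from the control structure, which is the point the post makes about safety as a control problem. The same question carries over to an automated security control: ask how current the controller's model of the system is relative to the telemetry it acts on.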

2024-05-06

@adamshostack @RuthMalan

Sorry for the dummy follow-up questions.
What does UW mean in this context 🥴?

Today was the discussion and I learned a lot about #STPA/ #STAMP
The checklist of hazards on each controller would IMHO be helpful in #cybersecurity.
Actually it feels to me that #STRIDE represents these hazards on one level

2024-05-06

Regarding #STPA/#STAMP I still struggle with the terms and distinction between loss and hazard and how they map to #cybersecurity

The definition according to the STPA Handbook is:

"A [system-level] hazard is a system state or set of conditions that, together with a particular set of worst-case environmental conditions, will lead to a loss"

and how they relate to the common protection goals Confidentiality, Integrity, and Availability.
