STAMP
Systems-Theoretic Accident Model and Processes
Originator: Nancy G. Leveson (MIT, 2004/2011)
Paradigm: Systems & control theory
Unit of analysis: Hierarchical safety-control structure
Primary domains: Aerospace, defence, automotive, healthcare, nuclear

STAMP reframes accidents not as chains of component failures but as the result of inadequate control over safety constraints within a hierarchical socio-technical system. Its two signature techniques — STPA for hazard analysis and CAST for accident causation — have become reference methods in modern aerospace safety engineering.

Overview of the framework

Drawing on systems and control theory, STAMP treats safety as an emergent property that must be enforced by control structures spanning regulators, operators, engineers, automation and physical processes (Leveson, 2011). Controllers act on controlled processes through control actions, while sensors return feedback; each controller embeds a process model of the process being controlled. Accidents occur when (a) controls are missing or inadequate, (b) the controller's process model is inconsistent with reality, or (c) feedback is delayed, missing or corrupted. STPA (Leveson & Thomas, 2018) identifies unsafe control actions and their loss scenarios; CAST investigates accidents by examining why each level of the control structure failed to enforce its constraints.

[Figure 1 image: Controller (human / automation / organisation) holding a process model and control algorithm; Actuators; Sensors; Controlled Process (aircraft, ATC airspace, maintenance line…); Higher-level Controller; Safety Constraints / Regs; arrows labelled control actions, feedback, constraints, reporting]
Figure 1. A STAMP safety-control loop: controller, actuators, sensors and controlled process, nested within a hierarchy of higher-level controllers that enforce safety constraints.
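An added example (not from the page or Leveson's materials) that models the loop in Figure 1 for a constructed UAS altitude-keeping scenario: a controller whose process model is refreshed only by feedback, a telemetry (C2) link that drops out, and an STPA-style check that flags the resulting "control action not provided" unsafe control action. All altitudes, rates, thresholds and the fail-safe design choice are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed toy STAMP loop: a controller must keep a UAS above a minimum altitude.
# Safety constraint (constructed): CLIMB must be commanded whenever altitude < CLIMB_AT.
HAZARD_FLOOR = 1000.0            # feet: below this the system is in the hazard state
CLIMB_AT = 1200.0                # feet: margin at which the control algorithm must act
SINK, CLIMB_RATE = 50.0, 100.0   # feet per step (constructed dynamics)

@dataclass
class Plant:                     # controlled process: the aircraft (constructed)
    altitude: float = 1500.0
    def step(self, climb: bool) -> float:
        self.altitude += CLIMB_RATE if climb else -SINK
        return self.altitude

@dataclass
class Controller:
    max_age: int                       # feedback older than this is treated as stale
    believed_altitude: float = 1500.0  # the controller's process model
    feedback_age: int = 0
    def update_model(self, feedback):
        if feedback is None:           # missing feedback: the model is not refreshed
            self.feedback_age += 1
        else:
            self.believed_altitude, self.feedback_age = feedback, 0
    def decide(self) -> str:
        if self.feedback_age > self.max_age:
            return "CLIMB"             # model no longer trusted: fail to the safe action
        return "CLIMB" if self.believed_altitude < CLIMB_AT else "HOLD"

def simulate(link_loss_step, max_age, steps=20):
    """Run the loop; feedback (the telemetry/C2 link) is lost from link_loss_step on."""
    plant, ctrl, trace = Plant(), Controller(max_age), []
    for t in range(steps):
        feedback = plant.altitude if t < link_loss_step else None   # sensor path
        ctrl.update_model(feedback)
        action = ctrl.decide()
        trace.append((t, action, ctrl.believed_altitude, plant.altitude))
        plant.step(action == "CLIMB")
    return trace

def find_ucas(trace):
    """STPA check against ground truth: CLIMB 'not provided' while altitude < CLIMB_AT
    (one of the four UCA types defined in the STPA Handbook)."""
    return [t for t, action, _, alt in trace if alt < CLIMB_AT and action != "CLIMB"]

def hazard_reached(trace):
    return any(alt < HAZARD_FLOOR for _, _, _, alt in trace)

if __name__ == "__main__":
    for name, max_age in (("no staleness check", 10**9), ("staleness check", 2)):
        tr = simulate(link_loss_step=5, max_age=max_age)
        print(f"{name}: UCAs at steps {find_ucas(tr)}, hazard={hazard_reached(tr)}")
```

The first controller's process model freezes at the last received altitude and it keeps commanding HOLD into the hazard state, which is mechanism (b) caused by (c) in the overview; the second treats stale feedback as a loss of control and climbs.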

When to use it

Typical applications

  • Concept-phase hazard analysis of complex, software-intensive systems (STPA).
  • Accident and serious-incident investigation (CAST).
  • Security-informed safety analyses (STPA-Sec).
  • Assurance of autonomous and ML-enabled systems.

Aviation relevance

  • Flight-control law and flight-management system hazard analysis.
  • UAS integration into controlled airspace (detect-and-avoid, C2 link loss).
  • ATC procedure design; runway safety; single-pilot operations research.
  • Used and referenced by FAA, NASA, EASA, MITRE and the US Air Force.

Cross-domain: automotive ISO 26262 / ISO 21448, medical devices, nuclear plant modernisation, defence.

Benefits

Analytical strengths

  • Handles software, human and organisational contributions in one model — unlike fault-tree approaches anchored on component failures.
  • Scales from concept of operations to detailed design.
  • Surfaces dysfunctional interactions and design flaws, not just failures.
  • Supports security/safety integration via STPA-Sec.

Practical strengths

  • Mature, freely available STPA Handbook (Leveson & Thomas, 2018).
  • Adopted by major regulators and OEMs (FAA, NASA, EASA, Boeing, Airbus suppliers).
  • Backwards-compatible with existing processes (SAE ARP4761, SAE ARP4754A).
  • Rich academic community and annual MIT STAMP Workshop.

Limitations

  • Qualitative by design. STPA does not yield failure probabilities; combining STAMP with probabilistic risk assessment (PRA) remains an active research topic.
  • Learning curve. Practitioners must shift from event-chain thinking; ill-formed control structures produce weak analyses.
  • Resource intensive on large systems — the control structure and UCA tables expand quickly.
  • Regulatory acceptance is still partial in civil aviation certification, although STPA is increasingly accepted as a means of compliance.

In short, STAMP treats safety as a control problem across the socio-technical hierarchy. It is one of the most influential contemporary frameworks for hazard analysis of software-intensive and autonomous aviation systems.

References (APA 7)

Leveson, N. G. (2004). A new accident model for engineering safer systems. Safety Science, 42(4), 237–270. https://doi.org/10.1016/S0925-7535(03)00047-X

Leveson, N. G. (2011). Engineering a safer world: Systems thinking applied to safety. MIT Press. https://doi.org/10.7551/mitpress/8179.001.0001

Leveson, N. G., & Thomas, J. P. (2018). STPA handbook. MIT Partnership for Systems Approaches to Safety and Security. http://psas.scripts.mit.edu/home/materials/

Leveson, N. G. (2019). CAST handbook: How to learn more from incidents and accidents. MIT Partnership for Systems Approaches to Safety and Security.

Young, W., & Leveson, N. G. (2014). An integrated approach to safety and security based on systems theory. Communications of the ACM, 57(2), 31–35. https://doi.org/10.1145/2556938

Further reading

Fleming, C. H., & Leveson, N. G. (2016). Early concept development and safety analysis of future transportation systems. IEEE Transactions on Intelligent Transportation Systems, 17(12), 3512–3523. https://doi.org/10.1109/TITS.2016.2561409

Kaspers, S., Karanikas, N., Roelen, A., Piric, S., & de Boer, R. J. (2019). Review of existing aviation safety metrics and their relevance for Safety-II. Aviation Psychology and Applied Human Factors, 9(1), 1–13.

Sulaman, S. M., Beer, A., Felderer, M., & Höst, M. (2019). Comparison of the FMEA and STPA safety analysis methods. Software Quality Journal, 27, 349–387. https://doi.org/10.1007/s11219-017-9396-0

Abdulkhaleq, A., Wagner, S., & Leveson, N. (2015). A comprehensive safety engineering approach for software-intensive systems based on STPA. Procedia Engineering, 128, 2–11. https://doi.org/10.1016/j.proeng.2015.11.498

MIT Partnership for Systems Approaches to Safety and Security. Materials, publications and workshops. http://psas.scripts.mit.edu/home/