Leveson, N., Fleming, C., Spencer, M., Thomas, J. et al., "Safety Assessment of Complex, Software-Intensive Systems," SAE Int. J. Aerosp. 5(1):233-244, 2012, doi:10.4271/2012-01-2134.
This paper presents a new methodology for the safety assessment of complex software intensive systems such as is envisioned for the coming major upgrade of the air traffic management system known as NextGen. This methodology is based on a new, more inclusive model of accident causation called Systems Theoretic Accident Model and Process (STAMP) . STAMP includes not just the standard component failure mechanisms but also the new ways that software and humans contribute to accidents in complex systems. A new hazard analysis method, called Systems Theoretic Process Analysis (STPA), is built on this theoretical foundation. The STPA is based on systems theory rather than reliability theory; it treats safety as a control problem rather than a failure problem with interactive and possibly nested control loops that may include humans. In this methodology, safety is assured by closed loop control of safety parameters.In the NextGen Concept of Operations,  many diverse ground and air systems will be tightly coupled leading to a greatly increased potential for the occurrence of safety critical events. The process described in this paper provides a rigorous, integrated and traceable safety analysis that improves upon the present somewhat ad-hoc multi-layered approach commonly used today. This process also improves upon the human-system interaction aspect of safety assessment, a topic that is not well covered in present certification practice.We illustrate the effectiveness of this new methodology by an analysis of the NextGen “In-Trail Procedure in Oceanic Airspace” (ITP) that is specified in RTCA DO-312 . We show how STPA derives some additional safety requirements beyond those in the Operational Safety Analysis (OSA) of DO-312.