|Professor Nancy Leveson|
SDM faculty member Nancy Leveson, professor of aeronautics and astronautics and engineering systems, has already revolutionized risk analysis for complex systems such as nuclear power plants and space shuttles. Now, she’s finishing up a book on her integrated approach that will be issued by MIT Press this fall.
"We used to build systems that were simple enough so that you could test everything, and test the interactions," she says. "Now, we're building systems so complex that we can't understand all the possible interactions." While traditional analysis assumes a linear, causal chain of events, accidents in complex systems often unfold in very nonlinear ways.
Leveson calls her new approach STAMP, for System-Theoretic Accident Model and Processes. She has set up a company to implement the system in analyzing a wide variety of systems in different fields, and chapters of her upcoming book are available on her website (sunnyday.mit.edu/book2.pdf).
Leveson says the turning point came in 2000, when she realized that after about 20 years, nobody was making any progress in figuring out how to manage the risks of complex systems. "Usually, that means there's something wrong with the underlying assumptions everybody is using."
She realized that the basic component-based approach to assessing risk was something that had prevailed at least since World War II, and it just didn't apply to many of the highly computerized technological systems in operation today. "Accidents just occur differently. Risk has changed as the technology has changed." So she started developing her new approach, based on systems theory.
At first, she was afraid that nobody would take her radical new approach seriously. "I thought people would just think I was nuts," she says with a laugh. But when she started applying her new approach to specific cases, such as identifying the potential for inadvertent launch in the new missile defense system, it clearly worked: it identified significant hazardous scenarios that nobody had noticed otherwise.
"We tried it on extremely large, complex systems, and it worked much better than what people do now," she says. "I realized we could solve problems that weren't solvable before."
The new approach to analysis led to a whole new way of dealing with the risk management of complex, sociotechnical systems. Instead of looking at the individual components and trying to minimize the chances that each would fail, "what you really want is to enforce safety constraints" on the behavior of the entire system, Leveson says.
"Nancy Leveson has developed a control-based modeling approach to systems safety which can be applied to complex networks of hardware and humans," says MIT Professor of the Practice Jeffrey Hoffman, an aero-astro colleague. "Her work has elicited considerable interest inside NASA, where safety analysis has traditionally concentrated on the reliability of individual pieces of complex systems."
While NASA is using her new approach to analyze risks in the development of the Orion spacecraft that will replace the shuttle, and in developing a future robotic planetary probe, the Japanese space agency has gone even further: They sent two engineers to work in Leveson's lab for a couple of years and observe how she does her analysis; they have been applying the lessons learned to their space systems while creating improved tools.
Though her work focuses on disasters, Leveson is upbeat about what she does. Using the old ways, she says, "it was discouraging to have something that only works in a small subset of cases." But with her new approach, she says, "it's very exciting to have something that actually works, and to be able to apply this in the social and organizational realms."