Articles published on Systems-Theoretic Process Analysis
267 Search results
- Research Article
- 10.1016/j.engappai.2025.113428
- Feb 1, 2026
- Engineering Applications of Artificial Intelligence
- Baohui Jia + 1 more
An integrated risk assessment framework for aircraft systems based on system-theoretic process analysis and fuzzy linguistic consensus decision-making
- Research Article
- 10.1002/acm2.70478
- Jan 30, 2026
- Journal of applied clinical medical physics
- Jonathan Hindmarsh + 6 more
Following the release in 2016 of the report of the American Association of Physicists in Medicine Task Group 100, there has been growing interest in the use of prospective hazard analysis in radiation therapy. System Theoretic Process Analysis (STPA) is an emerging technique in this domain that is particularly suited to processes that involve time sensitive collaboration, decision-making and/or automation. The goal of this research was to use STPA to evaluate existing processes and procedures with an aim to identify improvements, gaps or unforeseen risks stemming from implementing real-time adaptive treatment on a helical tomotherapy platform. The Radixact treatment delivery system (Accuray Inc., Sunnyvale, CA, USA), an evolution of the Tomotherapy platform, incorporates upgrades such as the Synchrony system for real-time motion monitoring and treatment adaptation. In collaboration with a team from the radiation oncology department of a large public hospital, a prospective hazard analysis focused on the real-time adaptive capabilities of the Radixact Synchrony system was conducted using STPA. The system boundaries were defined and a control structure model comprising sub-systems and control actions was developed. Unsafe control actions were identified and broad-based causal scenarios were generated. The causal scenarios that were novel, specific to Synchrony or challenging to mitigate were selected for further analysis regarding impacts and potential causes, following which mitigation strategies were proposed, taking into consideration the hierarchy of controls. A control structure model encompassing the entire patient journey was developed, incorporating all the hardware and software components and human decision makers. The model consisted of 12 sub-systems and 21 control actions, resulting in 108 unsafe control actions and 595 causal scenarios. 
Sixty-one causal scenarios were selected for further analysis, for which mitigation strategies were proposed based on the hierarchy of controls. These included the development of better reference documentation, the systematic testing of the sensitivity of tracking performance to changes in tracking parameters, guidance around setting and documenting tracking parameters, and documentation review. STPA was effectively used to assess the Radixact Synchrony system's real-time adaptive radiation therapy capabilities, providing insight into how the system could become unsafe throughout the patient journey. While focused on Radixact Synchrony and real-time adaptive radiation therapy, this study offers a transferable example of STPA application, from analysis initialization to mitigation, that can inform other safety assessments in radiation therapy.
- Research Article
- 10.1177/15553434261416602
- Jan 11, 2026
- Journal of Cognitive Engineering and Decision Making
- Myeongkyu Lee + 2 more
The advancement of automated driving technology has led to the enhanced performance of various subsystems integrated into automated vehicles, with their design conforming to international standards and regulatory guidelines. However, the corresponding performance evaluations often overlook human perspectives, such as those of drivers or passengers, potentially resulting in a lack of system safety or customer satisfaction. Therefore, these factors must be considered during testing to ensure the secure and satisfactory operation of automated vehicles. To evaluate the performance of systems embedded in automated vehicles from a human perspective, this paper introduces a framework based on the system-theoretic process analysis, which is a systems approach to analyze hazards attributable to human factors. The Driver Availability Recognition System in the SAE Level 3 automated vehicle was selected as a verification system, and a full-scale driving simulator was used to create the experimental environment. Forty volunteers participated in the performance verification experiment, and data obtained from the human-in-the-loop experiment were incorporated into the proposed framework. The results demonstrated that the framework can ensure effective performance evaluation from a human perspective and suggest safety requirements. The development and application of the proposed framework are anticipated to facilitate the successful rollout of automated vehicles.
- Research Article
- 10.1109/access.2025.3648177
- Jan 1, 2026
- IEEE Access
- Antonio Vinicius Diniz Merladet + 4 more
This paper presents a structured hazard analysis for verification processes conducted during launch operations with the aim of improving safety and mission assurance through the application of System-Theoretic Process Analysis, an engineering technique grounded in systems theory and control principles. This methodology assists in the identification of systemic issues that could lead to hazardous outcomes. The case study focuses on verification tasks performed by an independent review board with authority over safety or mission-critical decisions during the launch campaign. This research defines and systematically addresses unacceptable losses, system-level hazards, and safety constraints relevant to these processes. It then characterizes the hierarchical control structure of the system and unsafe control actions involving inadequate verification of operational processes, system checks of procedures, and system configuration functionalities. Subsequently, loss scenarios are identified and tied to relevant causal factors or situational conditions, with recommendations and constraints proposed to help reduce the chances or impact of undesired outcomes. It highlights how decision-making, timing, organizational demands, and limited training can affect safety or mission assurance, even when technical systems work as expected. This analysis supports ongoing efforts that can help refine the planning, verification, and regulation of space-launch operations. The recommendations are directed at agencies, operators, and safety teams in planning and carrying out effective verification tasks, reducing the risk of unsafe actions and potential losses, and ultimately supporting mission success and the protection of human life or other valuable assets. The results are correlated with aerospace accidents in order to verify their applicability.
- Research Article
- 10.4271/12-09-03-0017
- Dec 31, 2025
- SAE International Journal of Connected and Automated Vehicles
- Do Wook Kang + 5 more
This study presents a structured evaluation framework for reasonably foreseeable misuse in automated driving systems (ADS), grounded in the ISO 21448 Safety of the Intended Functionality (SOTIF) lifecycle. Although SOTIF emphasizes risks that arise from system limitations and user behavior, the standard lacks concrete guidance for validating misuse scenarios in practice.

To address this gap, we propose an end-to-end methodology that integrates four components: (1) hazard modeling via system-theoretic process analysis (STPA), (2) probabilistic risk quantification through numerical simulation, (3) verification using high-fidelity simulation, and (4) empirical validation via driver-in-the-loop system (DILS) experiments. Each component is aligned with specific SOTIF clauses to ensure lifecycle compliance.

We apply this framework to a case of driver overreliance on automated emergency braking (AEB) at high speeds, a condition where system intervention is intentionally suppressed. Initial numerical analysis suggested that the scenario narrowly satisfies the acceptance criteria. Applying the proposed framework to this scenario reveals that significant safety risks can persist even when the system functions according to its design intent.

Our findings demonstrate that foreseeable misuse can be formally modeled, simulated, and empirically validated within the SOTIF framework. The proposed approach enables system developers to quantify behavioral risk and assess human-centered edge cases with greater rigor. This work contributes to operationalizing SOTIF for behavioral safety assurance and lays the foundation for future research on risk mitigation through adaptive HMI and context-aware alerts.
- Research Article
- 10.3390/infrastructures11010003
- Dec 19, 2025
- Infrastructures
- Ahmed Shaban + 4 more
This paper presents a novel integration of System-Theoretic Process Analysis (STPA) and System Dynamics (SD) for hazard and resilience analysis in safety-critical infrastructure systems. The methodology is applied iteratively to assess the safety and continuity of a hospital’s oxygen supply system, a key element of critical health infrastructure, addressing both technical and managerial factors. STPA identifies unsafe interactions between system components, which are systematically translated into a system dynamics simulation model. This dynamic perspective allows for the exploration of how hazards evolve over time and how control strategies influence overall system resilience. Unlike previous conceptual approaches, this study applies the integrated framework to a real-world incident of oxygen supply failure. The model structure is derived from STPA artifacts and validated using expert input and incident data. Simulation experiments uncovered emergent risk patterns, such as alarm delays, staff stress, and insufficient training, that are not evident through STPA alone. These insights support targeted interventions, including enhanced drill frequency and resource allocation, to strengthen infrastructure resilience. By embedding dynamic simulation within the STPA framework, this research moves beyond static hazard identification to enable scenario-based testing and conditional estimation of system response to support risk-informed decision-making. The resulting methodology is traceable, repeatable, and adaptable, offering a practical and generalizable tool for systemic risk analysis in critical infrastructures.
- Research Article
- 10.1002/acm2.70330
- Dec 10, 2025
- Journal of Applied Clinical Medical Physics
- Colleen Foote + 6 more
Background: Online adaptive radiation therapy (ART) is a relatively new process, and it is recommended that institutions starting an online ART program conduct a risk analysis to identify potential hazards. While Failure Modes and Effects Analysis (FMEA) is common, Systems-Theoretic Process Analysis (STPA) has also been used to evaluate online ART workflows.

Purpose: An STPA hazard analysis was performed for a CT-guided online ART system in a multi-vendor environment. The goal was to identify potential risks and mitigations to guide the development of adaptive workflows and the quality management (QM) program.

Methods: The STPA hazard analysis was performed in four steps. First, process maps for online ART were generated to describe the interactions between users and systems. In the second step, the process maps were refined to a single control structure diagram model. In the third step, potential unsafe control actions (UCAs) were enumerated by the physicists involved in the analysis. Finally, mitigation strategies to address the UCAs were identified.

Results: A total of 496 UCAs were identified for 119 control actions, of which 239 (48.2%) were prioritized for mitigation due to having low or medium levels of detectability. The most frequent causal scenarios were accidental omission (20.1%), rushing (17.2%), and lack of training (15.9%). The most common consequences were delays (26.8%) and having to repeat work (13.5%). The two mitigation strategies considered to address the most causal scenarios were requiring trained adaptive staff (28.9%) and having physics oversight (19.9%).

Conclusions: The STPA led to valuable insights into the potential causes of unsafe control actions and various mitigation strategies that were used to develop the QM program. Notably, most UCAs were attributable to interactions between users and the system, rather than system failures. It is recommended that every institution starting an online ART program perform a risk assessment for their environment.
- Research Article
- 10.3390/app152010993
- Oct 13, 2025
- Applied Sciences
- Hyeri Park + 6 more
Maritime Autonomous Surface Ships (MASSs) raise safety and regulatory challenges that extend beyond technical reliability. This study builds on a published system-theoretic process analysis (STPA) of degraded operations that identified 92 loss scenarios. These scenarios were reformulated into a two-round Delphi survey with 20 experts from academic, industry, seafaring, and regulatory backgrounds. Panelists rated each scenario on severity, likelihood, and detectability. To avoid rank reversal, common in the Risk Priority Number, an adjusted index was applied. Initial concordance was low (Kendall’s W = 0.07), reflecting diverse perspectives. After feedback, Round 2 reached substantial agreement (W = 0.693, χ2 = 3265.42, df = 91, p < 0.001) and produced a stable Top 10. High-priority items involved propulsion and machinery, communication links, sensing, integrated control, and human–machine interaction. These risks are further exacerbated by oceanographic conditions, such as strong currents, wave-induced motions, and biofouling, which can impair propulsion efficiency and sensor accuracy. This highlights the importance of environmental resilience in MASS safety. These clusters were translated into five action bundles that addressed fallback procedures, link assurance, sensor fusion, control chain verification, and alarm governance. The findings show that Remote Operator competence and oversight are central to MASS safety. At the same time, MASSs rely on artificial intelligence systems that can fail in degraded states, for example, through reduced explainability in decision making, vulnerabilities in sensor fusion, or adversarial conditions such as fog-obscured cameras. Recognizing these AI-specific challenges highlights the need for both human oversight and resilient algorithmic design. They support explicit inclusion of Remote Operators in the STCW convention, along with watchkeeping and fatigue rules for Remote Operation Centers. 
This study provides a consensus-based baseline for regulatory debate, while future work should extend these insights through quantitative system modeling.
- Research Article
- 10.1186/s41072-025-00214-2
- Oct 2, 2025
- Journal of Shipping and Trade
- Mir Md Ashfaque Sumon + 2 more
A critical challenge in the safe operation of autonomous vessels is ensuring that control commands are executed accurately and promptly by both shore-side and onboard systems. In this paper, we build on a use case of an autonomous ship, where the control hierarchy includes Human Operators on the shoreside, along with the Ship Motion Controller, Power Management System, and Battery Management System, among other controllers on the shipside. Incorrect execution of control actions by these controllers can lead to hazardous situations of varying severity. This study aims to identify and analyze hazards related to these four controllers and provide insights into how inadequate control may occur and create hazardous situations with the controllers. Recently, STPA has emerged as the mainstream approach for identifying hazards resulting from control action failures. Therefore, this study applies the System Theoretic Process Analysis (STPA) method to explore how control actions of different controllers might fail, ensuring safe operation. A control structure hierarchy has been developed that identifies (1) control actions and (2) feedback signals between controllers based on their responsibilities. Using STPA, a total of 127 unsafe control actions are identified that could result in hazards. We classify the significance of Unsafe Control Actions based on hazard severity and operational mode, and suggest the level of attention each controller requires. The results offer a structured foundation for prioritizing safety-critical control actions in battery-powered autonomous ships, facilitating more effective risk mitigation strategies for designers, operators, and regulators.
- Research Article
- 10.1016/j.aap.2025.108171
- Oct 1, 2025
- Accident Analysis and Prevention
- Mariat James Elizebeth + 2 more
Systems-Theoretic Process Analysis (STPA) is an effective safety analysis technique that identifies how unsafe interactions among components within a complex system may result in accidents. This study aimed to evaluate the efficacy of STPA by applying it to an Automated Lane Keeping System (ALKS). The goal was to explore areas of potential risk in the system and make recommendations on how overall system safety could be improved. The STPA analysis of ALKS identified 87 Unsafe Control Actions (UCAs) based on interactions between the various components. An analysis of the UCAs revealed 537 causal factors (CFs), including software faults like flawed control algorithms and conflicting controls, sensor performance limitations, specification issues such as missing feedback signals, and errors in human-machine interaction, such as excessive dependence on the ALKS and drivers having incorrect expectations regarding ALKS operation. 1074 requirements were proposed to prevent or mitigate these causal factors, such as educating drivers about both the benefits and limitations of the ALKS to ensure safe use. The results highlighted the importance of communicating both the capabilities as well as the limitations of modern complex systems to the users to guarantee safety. This study, which is the first comprehensive application of STPA to ALKS, identified gaps with existing regulatory requirements for ALKS, and 87 recommendations were made to bridge these gaps. Our research has shown that this top-down, well-structured, and holistic method can be especially advantageous for regulators and policymakers to formulate requirements and policies to deploy and operate complex, innovative technologies safely.
- Research Article
- 10.1088/1742-6596/3123/1/012030
- Oct 1, 2025
- Journal of Physics: Conference Series
- Konstantinos Louzis + 5 more
The increasing integration of automation in inland waterway transport introduces safety risks due to complex control dependencies and cyber-physical vulnerabilities. Traditional risk assessment methodologies are limited in addressing such systemic hazards, particularly in the context of autonomous operations. This study applies the Systems-Theoretic Process Analysis (STPA) to evaluate the safety of a conceptual autonomous inland vessel developed under the Horizon Europe AUTOFLEX project. The analysis identifies Unsafe Control Actions (UCAs), causal scenarios, and safety constraints, while also integrating cybersecurity considerations through the STPA-SafeSec framework. The results inform the design of the SeaGuard tool, a real-time anomaly detection and safety monitoring module. The paper demonstrates a structured, integrated methodology for enhancing safety and cyber-resilience in next-generation autonomous inland waterway systems.
- Research Article
- 10.1097/pts.0000000000001421
- Sep 19, 2025
- Journal of patient safety
- Shinichi Yamaguchi + 4 more
In Japan, a significant number of ventilator-related medical accidents continue to be reported, with causes frequently linked to both equipment malfunctions and human errors. Conventional analytical methods often lack the methodological rigor needed for comprehensive safety analysis. This study explores the application of System-Theoretic Process Analysis (STPA) as a novel approach to ventilator safety analysis. The goal is to identify potential hazards arising from human errors and device failures and to establish system-level safety constraints. STPA is employed to construct a control structure diagram of a ventilator system, offering a system-wide perspective to identify Unsafe Control Actions (UCAs) and resulting hazardous scenarios. This approach provides a structured analysis of system interactions to derive safety constraints aimed at reducing risks. STPA successfully identified UCAs and system-level interactions that could lead to hazardous outcomes. Compared with the Critical Incident Report (CIR) by the Japan Council for Quality Health Care (JCQHC), which provides retrospective insights into ventilator-related incidents, STPA demonstrates a systematic and comprehensive methodology. It analyzed the mechanisms by which incidents could arise within the system, considering both human and technical factors. The analysis identified hazardous interactions and provided a foundation for implementing preventive measures. STPA offers a holistic framework for ventilator safety, surpassing traditional analysis methods by addressing complex human-technical interactions. The results contribute to enhanced ventilator safety, improved risk management, and a stronger safety culture across medical devices.
- Research Article
- 10.1080/00207543.2025.2526163
- Jul 8, 2025
- International Journal of Production Research
- Issa Diop + 3 more
The primary objective of this paper is to conduct an exploratory, qualitative study in Industrial Asset Management, focusing on the development of an Integrated Decision-Making Framework. This framework is designed to evaluate performance variability caused by emerging technology risks and extreme, rare, and disruptive events. To achieve this, we integrate two robust decision-support tools: the Functional Resonance Analysis Method (FRAM) and the System-Theoretic Process Analysis (STPA). FRAM provides a comprehensive analysis of sociotechnical system functions, highlighting their interconnections and dependencies. In contrast, STPA, based on the System-Theoretic Accident Model and Processes (STAMP), takes a top-down approach to hazard assessment. The integration of FRAM and STPA aims to create a powerful decision-support framework. A case study on the LineDrone, which inspects high-voltage transmission lines without direct human interaction, demonstrates the framework's effectiveness in managing performance variability within complex sociotechnical environments.
- Research Article
- 10.1002/inst.12542
- Jul 1, 2025
- INSIGHT
- David Hetherington
Certain commercial operations, their systems, and their employees need to operate in hostile or semi-hostile environments. The physical environment may be challenging, but often an unstable political/social environment may be a greater challenge than any temperature or weather extremes. Such an unstable political environment may present rapidly changing threats to employee security. Even if local citizens in the immediate area are supportive, transnational violent gangs may be operating nearby. How do we design overall technology and human systems that can resiliently persevere in such an unstable environment?

Some organizations will reflexively implement a walled-off, fenced, and protected environment for their employees. While this sort of physical protection will be helpful to some extent, if human relationships with the local community are poor or nonexistent, the overall security of the installation will be fragile. Some organizations will deliberately move in the opposite direction, proactively sending their employees out into the community to interact, talk to local citizens, and build human relationships, even when doing so represents a significant degree of physical and personal risk for those employees.

How do we support employees that we are deliberately thrusting into such a risky and unstable environment? For their own safety, we want those employees to communicate as much as possible with the local citizens. We want them to be aware of "chatter" in local social media. On the other hand, we want to help them keep their actual personal identity details as protected as possible. Failed social interactions can have lethal consequences. Inadvertently leaked personal data about family members could result in those family members being subject to threats and intimidation in their home location.

In this article, we examine the design of a digital personal communications device designed to achieve these goals and demonstrate the use of System-Theoretic Process Analysis (STPA) in the analysis of a proposed design. Along the way, we will also demonstrate a model-based approach to the design work which represents the recently released standard SAE J3307 "System Theoretic Process Analysis (STPA) Standard for All Industries" (J3307_202503, 2025), which specifies an auditable workflow for the STPA methodology originally described in the STPA Handbook.
- Research Article
- 10.1002/inst.12545
- Jul 1, 2025
- INSIGHT
- David Hetherington + 1 more
Security in modern engineered systems is not merely an added layer of protection but a prerequisite for system functionality. As systems engineers navigate the evolving security landscape, they must prioritize functional perseverance, the ability of a system to maintain operational integrity despite adversarial threats. This article examines a possible method for using system-theoretic process analysis (STPA) and system dynamics (SD) to enhance security-aware system engineering.

The approach shown is inspired by a 1982 paper called "The Byzantine Generals Problem" and is a peer-to-peer voting design that avoids single points of failure. In particular, we propose a system analysis and design approach that would allow the construction of a system capable of using peer-to-peer self-policing to detect an intruder that has already penetrated the security perimeter of the system and corrupted one or more of the subsystems. This article shows how STPA could inform the design of the peer-to-peer voting system and how SD could be used to examine the tradeoff of investments in redundancy versus the expected level of achieved resilience.
- Research Article
- 10.59660/50730
- Jul 1, 2025
- AIN Journal
- Eslam Ramadan Badry Gad + 1 more
Maritime canals and narrow channels are critical for global trade, yet their confined nature poses significant risks, especially with the increasing reliance on digital technologies in ship navigation. This study investigates cybersecurity threats to Maritime Autonomous Surface Ships (MASS) operating in these environments, focusing on potential cyber-attacks that could lead to accidents such as grounding, collisions, and loss of propulsion control. Utilizing the System-Theoretic Process Analysis for Safety and Security (STPA-Safety/Security) combined with Fuzzy Analytic Hierarchy Process (F-AHP), the study identifies and prioritizes key threats, including GPS/AIS spoofing, communication jamming, and thruster override. Expert input via the Delphi method validates the threat scenarios, providing a comprehensive risk assessment. The findings highlight the urgent need for enhanced cybersecurity measures, such as redundant navigation systems, secure communication channels, and improved operator training. The study contributes to maritime cybersecurity literature by offering a structured methodology for assessing and mitigating cyber risks in autonomous ship operations, particularly in confined waterways.
- Research Article
- 10.3390/electronics14122496
- Jun 19, 2025
- Electronics
- Xiangjun Dang + 6 more
The intrinsic hazards associated with high-pressure hydrogen, combined with electromechanical interactions in hybrid architectures, pose significant challenges in predicting potential system risks during the conceptual design phase. In this paper, a risk analysis methodology integrating systems theoretic process analysis (STPA), D-S evidence theory, and Bayesian networks (BN) is established. The approach employs STPA to identify unsafe control actions and analyze their loss scenarios. Subsequently, D-S evidence theory quantifies the likelihood of risk factors, while the BN models nodal uncertainties to construct a risk network identifying critical risk-inducing events. This methodology provides a comprehensive risk analysis process that identifies systemic risk elements, quantifies risk probabilities, and incorporates uncertainties for quantitative risk assessment. These insights inform risk-averse design decisions for hydrogen-electric hybrid powered aircraft. A case study demonstrates the framework's effectiveness. The approach bridges theoretical risk analysis with early-stage engineering practice, delivering actionable guidance for advancing zero-emission aviation.
- Research Article
- 10.1186/s10033-025-01237-3
- Jun 9, 2025
- Chinese Journal of Mechanical Engineering
- Xianxu Bai + 5 more
Electronic control suspension (ECS) systems are of significance to ride comfort and handling stability of ground vehicles. However, ECS systems may pose unreasonable safety risks due to performance inadequacies or improper use by drivers, which are referred to as safety of the intended functionality (SOTIF) issues. Aiming to address the inadequate performance of the ECS system, this study proposes a model predictive control (MPC) method, with a particular focus on ensuring SOTIF. First, systems theoretic process analysis (STPA) is utilized to assess the SOTIF of the ECS system, and the ECS system control architecture is built. Then, models including the input model, lateral and vertical coupled dynamics model, and nonlinear actuator model are established. In addition, an MPC strategy with explicit dynamic constraints is designed, incorporating the dynamic mechanical performance boundaries of ECS actuators into the constraints of the controller. Subsequently, a hardware-in-the-loop testing platform is constructed for the ECS system to conduct simulation experiments under various operating conditions. Results demonstrate that the designed control strategy effectively mitigates performance inadequacies of the suspension system, significantly enhancing its overall functionality and safety.
- Research Article
- 10.1016/j.rineng.2025.105153
- Jun 1, 2025
- Results in Engineering
- Sutthipong Yungratog + 3 more
Risk assessment of data protection in the maritime industry using system-theoretic process analysis
- Research Article
- 10.3390/jmse13061058
- May 27, 2025
- Journal of Marine Science and Engineering
- Xiang-Yu Zhou + 6 more
Enhancing the safety standards of autonomous ships is a shared objective of all stakeholders involved in the maritime industry. Since the existing hazard analysis work for autonomous ships often exhibits a degree of subjectivity, in the absence of data support, the verification of hazard analysis results has become increasingly challenging. In this study, a formal verification method in a risk-based assessment framework is proposed to verify the hazard analysis results for autonomous ships. To satisfy the characteristics of high time sensitivity, time automata are adopted as a formal language while model checking based on the formal verification tool UPPAAL is used to complete the automatic verification of the liveness of system modeling and correctness of hazard analysis results derived from extended System-Theoretic Process Analysis (STPA) by traversing the finite state space of the system. The effectiveness of the proposed method is demonstrated through a case study involving a remotely controlled ship. The results indicate that the timed automata network model for remotely controlled ships, based on the control structure, has no deadlocks and operates correctly, which demonstrates its practicability and effectiveness. By leveraging the verification of risk analysis results based on model checking, the framework enhances the precision and traceability of these inputs into RBAT. The results disclose the significance of the collaborative work between safety and system engineering in the development of autonomous systems under the definition of human–computer interaction mode transformation. These findings also hold reference value for other intelligent systems with potential hazards.