
Description

Explore the topics of software safety — from Chain-of-Events to System-Theoretic Accident Models.

About the Guest:

Dr. Nancy Leveson is a professor at MIT and one of the world’s leading voices in system and software safety. Since founding the field of software safety in 1980, she has developed the STAMP, CAST, and STPA frameworks that have reshaped how regulators, companies, and investigators understand accidents in complex socio-technical systems.

Nancy Leveson’s philosophy:

Software doesn’t fail—requirements do.

Episode Highlights:

🔧 From Hardware Thinking to System Thinking

Leveson explains that traditional safety engineering was built for a world of hardware components and random failures, not today’s software-driven, tightly coupled systems.

🎯 Reliability vs. Safety: Two Different Worlds

One of the most important distinctions Leveson draws is between reliability and safety. She uses a simple analogy to separate these often-confused concepts. A gun fired alone in the desert 100 miles from anyone is both reliable (fires when triggered) and safe (harms no one). That same reliable gun fired in a crowded mall remains equally reliable but becomes catastrophically unsafe.

🧠 From Blame to Explanation: How Software Really Contributes to Accidents

Rather than thinking in terms of “software failure,” we can focus on how software participates in unsafe system behavior. Traditional accident investigations rush to identify “who failed”—usually the pilot, operator, or front-line worker—then stop. Nancy’s CAST (Causal Analysis based on System Theory) asks different questions:

* Why did it make sense for them to do what they did at the time?

* What mental model were they operating with?

* What feedback were they receiving (or missing)?

* What context shaped their decisions?

🚀 STPA: Designing Safety In, Not Inspecting It In

While CAST analyzes accidents after they happen, STPA (System-Theoretic Process Analysis) aims to prevent them before they occur. Instead of cataloging every possible system behavior—impossible with millions of lines of code—STPA focuses on what must not happen:

* Model the system as control loops and feedback paths

* Identify unsafe control actions that could lead to hazards

* Design the system to eliminate, reduce, or mitigate those actions
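To make those three STPA steps concrete, here is an added worked example; it is not from the episode, nor from Leveson's or MIT's STPA materials. A constructed train-door controller is modelled as a control loop with a process model (step 1), its unsafe control actions are enumerated mechanically (step 2), and each one is turned into a safety constraint the design must enforce (step 3). The two hazards, the two control actions, the plant dynamics and the "departure forces motion" coupling are all assumptions made for this example. The four UCA categories (provided, not provided, too early/late, too long/short) are those of the STPA method; only the first two are modelled here, since the others need a timed model.

```python
"""STPA-style enumeration of unsafe control actions (UCAs).

Added example; the system is constructed, not taken from any published STPA case.
Controller: automated train-door controller with actions open_door / close_door.
Hazards (constructed):
  H1  a door is open while the train is moving
  H2  a door closes on a passenger standing in the doorway
"""
from dataclasses import dataclass
from itertools import product

CONTROL_ACTIONS = ("open_door", "close_door")


@dataclass(frozen=True)
class State:
    """The controller's process model: what it believes about the plant."""
    moving: bool
    departure_requested: bool
    person_in_doorway: bool
    door_open: bool

    def describe(self):
        return ", ".join(f"{k}={int(v)}" for k, v in vars(self).items())


def hazards(state):
    """System-level hazards present in a state (not component failures)."""
    found = set()
    if state.door_open and state.moving:
        found.add("H1")
    if state.person_in_doorway and not state.door_open:
        found.add("H2")
    return found


def step(state, action):
    """Constructed plant dynamics: apply `action` (None = no command issued).
    Assumption: once departure is requested the train starts moving in the
    next step whatever the door controller does; that coupling is the point."""
    door_open = state.door_open
    if action == "open_door":
        door_open = True
    elif action == "close_door":
        door_open = False
    return State(
        moving=state.moving or state.departure_requested,
        departure_requested=state.departure_requested,
        person_in_doorway=state.person_in_doorway,
        door_open=door_open,
    )


def contexts():
    """All process-model states that are not already hazardous."""
    for bits in product((False, True), repeat=4):
        s = State(*bits)
        if not hazards(s):
            yield s


def unsafe_control_actions():
    """Step 2: for every action and context, decide whether providing it, or
    not providing it, leads to a hazard. Returns (action, kind, context, hazards).
    Only the 'provided' / 'not provided' kinds are modelled here."""
    ucas = []
    for ctx in contexts():
        if_idle = hazards(step(ctx, None))
        for action in CONTROL_ACTIONS:
            if_provided = hazards(step(ctx, action))
            if if_provided:
                ucas.append((action, "provided", ctx, frozenset(if_provided)))
            # Not providing is unsafe only if providing would have averted
            # a hazard that otherwise occurs in this context.
            averted = if_idle - if_provided
            if averted:
                ucas.append((action, "not provided", ctx, frozenset(averted)))
    return ucas


def conflicts(ucas):
    """Contexts where an action is unsafe both when provided and when not.
    The door controller alone cannot resolve these; the constraint must land
    on another controller (here: whoever may request departure)."""
    kinds_by_key = {}
    for action, kind, ctx, _ in ucas:
        kinds_by_key.setdefault((action, ctx), set()).add(kind)
    return [key for key, kinds in kinds_by_key.items() if len(kinds) == 2]


def safety_constraints(ucas):
    """Step 3: turn each UCA into a requirement the design must enforce."""
    out = set()
    for action, kind, ctx, hz in ucas:
        verb = "must not be provided" if kind == "provided" else "must be provided"
        out.add(f"{action} {verb} when [{ctx.describe()}] (prevents {', '.join(sorted(hz))})")
    return sorted(out)


if __name__ == "__main__":
    found = unsafe_control_actions()
    for line in safety_constraints(found):
        print(line)
    for action, ctx in conflicts(found):
        print(f"CONFLICT: {action} in [{ctx.describe()}] -> constrain departure, not the door")
```

Running it lists nine constraints and one conflict: with a passenger in the doorway and departure already requested, closing the door causes H2 and leaving it open causes H1, so no door command is safe and the constraint has to move up a level (departure must not be requestable while the doorway is occupied). That is the STPA point the episode makes: the unsafe behaviour is a property of the control structure, not of a failed component.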

📩 Contact:

* LinkedIn

* aeroastro.mit.edu

Books:



This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit parakeetinc.substack.com