
ESD Faculty, Students, and local alumni:

Please join us for the dissertation defense of Blandine Antoine.

Date: Wednesday, October 17, 2012

Time: 12:15PM

Room: 33-116

Title: Systems Theoretic Hazard Analysis (STPA) Applied to the Risk Review of Complex Systems: an example from the medical device industry

Committee: N. Leveson (chair), O. de Weck, J. Sussman, C. Hilbes

The abstract follows, and a draft of the dissertation is available to ESD Faculty and doctoral students online:

https://wikis.mit.edu/confluence/display/ESDwiki/Doctoral+Thesis+Drafts

Other ESD Community members may request a draft for review from me.

Regards,

Beth

ABSTRACT

Methods developed by system engineers could beneficially be applied to the challenge of ensuring patient safety in health care delivery. Achieving safe operations in this and other settings requires that system behavior be constrained by safety imperatives. These must be defined and enforced at every stage of system design, system operations and, when applicable, system retirement.

Traditional methods for identifying and documenting hazards, and the corresponding safety constraints, are limited in their ability to account for human, software and sub-system interactions in highly technical systems. STAMP, a systems-theoretic accident causality model, was created to overcome these limitations. STAMP accounts for the context and design features that can lead to unsafe behavior, including behavior resulting from unsafe interactions among correctly operating system elements.

The application of STPA, the STAMP-based hazard analysis method, to five sub-systems of the experimental PROSCAN proton therapy system operated by the Paul Scherrer Institute in Switzerland demonstrated how STPA can augment the design and risk review activities of existing complex systems. Focusing on treatment delivery, this case study did not analyze any of the 5 controllers active in treatment planning. With varying degrees of detail, it looked at 2 of the 5 human controllers active in treatment delivery (nurse and local operator), 2 of the 4 process attributes controlled by the PROSCAN facility (on/off function and beam-to-target alignment), and 1 of the 4 control loops that control the beam-to-target alignment attribute.

In the process of performing this case study, the following contributions were made:

- an analysis of the regulations currently in place on the US and European markets for the marketing of external beam radiotherapy devices and, more generally, of medical devices that do not contain radioactive materials, concluding that STPA would fit well in both;

- experience in applying STPA to a complex device. Information on efficacy was derived by comparing STPA results with an existing safety assessment, but a more formal counterpart is needed for stronger evidence. Information on learnability and usability was obtained when an informal workshop showed that system designers, in the course of one day, could be taught to use STPA to push their thinking about system elements yet to be designed;

- a demonstration of the applicability of STPA to an experimental radiotherapy facility and, through this feasibility check, a potential influence on the state of the art in hazard analysis of medical devices;

- an advance of the STPA methodology through the creation of notations and a process to document, query and visualize the possibly large number of hazardous scenarios identified by STPA analyses, with the goal of facilitating their review and use by their intended audience;

- a demonstration of how STPA is complementary to more traditional hazard analysis techniques such as fault and event trees. Their respective strengths can be combined when STPA is used to identify the areas on which to focus the investigation lens of traditional hazard analysis techniques.

Keywords: STAMP, STPA, hazard analysis, risk analysis, risk management, proton therapy, medical devices, safety, certification