A system-theoretic approach to safety, security, and reliability.
STAMP (System-Theoretic Accident Model and Processes) is an accident causality model based on systems theory rather than reliability theory.
STAMP views safety as a control problem. Accidents and other losses occur when component interactions are not adequately controlled, a view that captures both failure and non-failure causes of losses. It serves as the theoretical foundation for the methods below.
At the heart of STAMP is the concept of a control loop, which explains how decisions are informed and how patterns emerge from the continuous interactions in a system. Within a control loop, a controller—whether a human, an automated system, or an AI—oversees a controlled process. The controlled process could be another controller, physical machinery, or a virtual process or data. Controllers make decisions based on their process model—their internal understanding of how the system is currently behaving. For this loop to function, the controller relies on timely feedback to update its process model with the true state of the process. If the feedback is missing, delayed, or misinterpreted, the controller may issue an unsafe command that “makes sense” given its flawed information, leading to a loss.
Controller: An entity that makes decisions and provides control actions to controlled processes to achieve goals.
Control action: An action that may be provided by a controller to control or supervise a lower-level process.
Control algorithm: Describes which control actions may be suitable based on the current process model or other factors.
Process model: Represents a controller’s “beliefs” about the outside world that impact decision-making and may lead to Unsafe Control Actions. All controllers have a process model, including human, automated, and other controllers.
Feedback: Information provided to a controller about a lower-level process that they directly or indirectly control.
Controlled process: Any process that is controlled, such as a physical process, data, or another controller.
For example, a controller in a car may be a human driver or an Automated Driving System (ADS). In either case, the controller may decide to issue a braking control action to prevent a collision with a pedestrian. This decision is only possible if the controller has an updated process model that recognizes a pedestrian is in the vehicle’s path. If the process model does not accurately reflect the true state of the environment, the controller will not be able to make safe decisions and provide safe control actions. The controller relies on feedback, such as visual observation or sensor data, to continuously update its process model. If any part of this control loop is out of sync or dysfunctional, the system can drift into a hazardous state.
A breakdown can occur if the pedestrian is outside the visible range, for example if they are a small child and the windshield or sensor is too high to notice the pedestrian. The feedback available may not be enough for the controller to form a correct process model that a pedestrian is in the vehicle’s path. As a result, the controller may provide an unsafe control action: maintaining the current speed (no braking) when a pedestrian is in the vehicle’s path. The resulting collision isn’t a mechanical failure of the brakes, but a poor system design and an unsafe decision that made sense given the controller’s flawed process model (belief) at the time.
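The pedestrian example above as a small simulation. This is an added illustration, not code from the STAMP Institute page; the sensor's field-of-view limit and the pedestrian heights are constructed values. It shows the STAMP point that an unsafe control action can arise with every component working as designed: the sensor reports exactly what it can see, the controller acts correctly on its process model, and the mismatch between that model and the true state produces "maintain speed" while a pedestrian is in the path.

```python
"""Simulation of the STAMP control loop from the pedestrian example.
Added illustration, not code from the STAMP Institute page. All numbers
(sensor field of view, pedestrian heights) are constructed."""
from dataclasses import dataclass, field

@dataclass
class World:
    """True state of the controlled process (the vehicle and its path)."""
    pedestrian_in_path: bool = False
    pedestrian_height: float = 1.7  # metres, constructed value

@dataclass
class Sensor:
    """Forward sensor whose lower edge of view sits at a fixed height."""
    min_visible_height: float = 1.0  # cannot see anything shorter (constructed)

    def feedback(self, world: World) -> dict:
        # Feedback is what the controller receives, which need not match the true state.
        seen = world.pedestrian_in_path and world.pedestrian_height >= self.min_visible_height
        return {"pedestrian_in_path": seen}

@dataclass
class Controller:
    """Controller (human driver or ADS) whose process model is updated from feedback."""
    process_model: dict = field(default_factory=lambda: {"pedestrian_in_path": False})

    def update(self, feedback: dict) -> None:
        self.process_model.update(feedback)

    def decide(self) -> str:
        # Control algorithm: brake if the process model says a pedestrian is in the path.
        return "brake" if self.process_model["pedestrian_in_path"] else "maintain_speed"

def is_unsafe(action: str, world: World) -> bool:
    """Unsafe control action in context: not braking while a pedestrian is in the path."""
    return action == "maintain_speed" and world.pedestrian_in_path

def run_step(world: World, sensor: Sensor, controller: Controller) -> tuple[str, bool]:
    """One pass around the loop: feedback -> process model -> control action."""
    controller.update(sensor.feedback(world))
    action = controller.decide()
    return action, is_unsafe(action, world)

if __name__ == "__main__":
    adult = World(pedestrian_in_path=True, pedestrian_height=1.7)
    child = World(pedestrian_in_path=True, pedestrian_height=0.9)
    for label, w in (("adult", adult), ("small child", child)):
        action, unsafe = run_step(w, Sensor(), Controller())
        print(f"{label}: action={action}, unsafe={unsafe}")
```

Nothing in the run fails; the child case is unsafe because the feedback channel was never designed to carry the information the controller's decision depends on.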
The terminology so far, such as unsafe control actions and missing feedback, is broadly applicable whether or not a failure is involved. A sensor failure can result in poor or missing feedback, leading to an unsafe control action. A power failure can also cause unsafe control actions. More importantly, non-failure causes can have the same effect. For example, a missing software requirement can result in an unsafe control action. An intended feature operating as designed can inadvertently increase feedback delays in certain cases, resulting in poor or missing feedback. In STAMP, a failure is not the unit of analysis. Instead, STAMP shifts the focus toward identifying inadequate feedback, mismatched process models, and unsafe control actions, regardless of whether they originate from a component failure. In fact, many accidents in complex systems have been caused not by isolated failures but by components that interacted in unsafe ways while following requirements and procedures that were themselves flawed.
STAMP models the multiple layers of control in a system—ranging from physical processes and frontline operators near the bottom to executive management and government regulators at the top. Each level in the hierarchy imposes safety constraints on the level below through specific control actions. The lower levels, in turn, may provide feedback to inform future decisions at higher levels. Safety is not a property of a single part, but an emergent property that is maintained only when these interactions are properly designed and align with overall goals of the system. When an accident or loss occurs, it is rarely due to a single “failed” component or link. Instead, it is often because the control structure lacked the necessary means to enforce safety constraints under changing conditions. For example, an organization may have a formal safety policy at the management level, but without an effective feedback channel from the field, decision-makers may remain unaware that production pressures are systematically forcing operators to bypass those very protections.
Step-by-step methods have been defined based on the STAMP principles to identify and prevent complex causes at every stage of a system’s lifecycle, from proactive design to operation and accident investigation.
Three powerful approaches built on the STAMP foundation for analyzing and improving system safety.
Forward-looking hazard analysis to identify and prevent potential losses before they occur.
Applying STPA principles to security and cybersecurity analysis of critical systems.
Analysis of past accidents and incidents to uncover the systemic and other factors that contributed.
STPA (System-Theoretic Process Analysis) is a forward-looking technique to anticipate future loss scenarios and ensure they are prevented. The goal is to identify vulnerabilities in a design or organization and use this information to develop effective solutions as early as possible before a loss occurs.
1. Identifies the overall losses (outcomes) that would be unacceptable to stakeholders, such as loss of life or loss of revenue.
2. Models the control hierarchy and feedback loops in a system, including both human and technical interactions.
3. Identifies potential unsafe decisions and control actions that could contribute to the losses.
4. Builds scenarios to explain why each component, whether human or technical, might have believed a decision was reasonable at the time, given the information available and other contextual factors.
5. Produces solutions to prevent the loss scenarios and unsafe decisions, such as new design features, changes in functionality, more robust or simpler solutions, test cases, and other solutions.
STPA is widely used in aviation, automotive, autonomous vehicles, medical devices, nuclear power, and many other high-risk industries.
STPA can be used to analyze multiple system properties, not only safety.
STPA-Sec refers to the use of STPA to include security and cybersecurity considerations. The overall steps are the same, but with additional considerations included.
While traditional security focuses on threats, perimeters, and firewalls, STPA-Sec focuses on the functional capabilities of the system. It helps engineers design systems that can maintain their critical functions even when under attack or when facing intentional disruptions. This focus is well-aligned with STPA’s ability to help safety engineers design robust systems that maintain critical functions even in the face of unsafe component interactions or failures that were caused unintentionally.
Although STPA originated in safety-critical applications, modern uses of STPA can include safety, security, performance, and other considerations in the same overall process.
STPA-Sec enables integrated analysis of security and safety concerns within the same framework, avoiding conflicts between security measures and safety requirements.
CAST (Causal Analysis based on Systems Theory) is the technique used for systematically analyzing past accidents and other losses. CAST is designed to uncover deeper systemic factors and deficiencies that are often overlooked in a root cause analysis or post-mortem.
CAST is used to move beyond human error or individual component failures as potential root causes. Instead, it examines the entire socio-technical system, including flaws in complex technology, engineering approaches, operation, management structures, and regulation. To uncover the most effective opportunities to improve, it’s not enough to identify who or what contributed. The goal of CAST is not to assign blame, but to identify why each decision may have appeared reasonable at the time and to determine the most effective systemic changes to prevent recurrence.
Go beyond superficial causes to uncover low-cost, high-impact systemic changes.
From "Operator Error" to "System Design Flaw"
CAST recognizes that humans make decisions based on available information and system feedback. The focus shifts to why the decision appeared reasonable at the time.
Don’t wait for a late-stage failure to find your system’s vulnerabilities. Join the global leaders using STAMP to navigate the complexities of modern engineering with confidence.
Gain skills and confidence with expert guidance as you implement modern approaches in your organization.
Gain a strategic overview of the STAMP framework designed specifically for your executive team. Our briefings focus on high-level alignment, risk mitigation, and scaling impact across your organization.
Learn modern approaches to safety, security, and reliability with customized, expert-led training from STAMP Institute.