Systems-Theoretic Process Analysis (STPA)
Stiki Information Security and Zurich University of Applied Sciences collaborated on a 2.5 year joint development project to create a professional, state-of-the-art software solution for STPA practitioners. STPA is a hazard analysis methodology for socio-technical systems that is grounded in systems thinking and models accident causation with systems theory rather than reliability theory. The principal objective is to provide the STPA methodology as a structured, standalone application module that can be combined with the existing RM Studio® software to form a truly unique and enhanced risk management framework.
- August 2016: Project Initiation
- October 2016: Software Framework Ready
- February 2017: Technical Evaluation of Diagram Handling
- August 2017: Prototype - hierarchical control structures
- December 2017: Prototype - Step 1 Unsafe Control Actions
- June 2018: Prototype - Step 2 Control Loop Scenarios
- October 2018: Fully Functional STPA software
- January 2019: Project Completion
RM Studio®, Stiki’s risk management software solution since 2005, is used to systematically improve the entire operational health of an organization. RM Studio combines a risk management module and a business continuity management module into one dynamic risk management software solution.
Why do we want to adopt the STPA methodology into RM Studio®?
Despite the availability of several established methods for hazard and risk analysis, many risk, hazard and safety analysts struggle to cope with today’s large, complex, diverse and dynamic socio-technical systems. As a consequence of this gap, enterprises are seeking a better methodology that can holistically analyze today’s socio-technical systems both a priori (i.e. while they are being designed) and a posteriori (analysis of existing systems), one that provides guidance for performing the analysis efficiently without constraining the analyst in ways that leave potential risks undiscovered. STPA has proven to fulfill these requirements. Its functional system view can be applied to any social, technical or socio-technical system, and STPA has proven to work well across business sectors because it is compatible with broad interpretations of “loss”, e.g. loss of life, health, data integrity, reputation or finances.
Anticipated business sectors, based on current STPA interest and application, include, but are certainly not limited to:
- Food safety
- Medical devices
- Nuclear and electrical power
- Process industry
- Software/hardware/mechanical engineering
The project builds on independent research projects conducted by both parties, including the beta software project SAHRA from the Safety-Critical Systems Research Lab at ZUAS. The new RM Studio STPA module is being constructed as a professional, state-of-the-art software package complete with all the features and support necessary for a successful application of STPA. The RM Studio STPA module can be used on its own or in conjunction with the risk management framework RM Studio® provides today.
Partial funding for the project is provided through the Technology Development Fund, Rannis, of Iceland and the State Secretariat for Education, Research and Innovation, SERI, of Switzerland as part of the European Union Eurostars programme. With the aid of these select technology development funds, the project has a clear path to success.
The project is based on experience with the STPA methodology from research projects conducted by the two partners in multiple fields, including healthcare, medical devices, power generation, pharmaceutics and machinery. The results of this decisive research clearly indicate that the approaches to applying STPA, as well as the background and expectations of the analysts, vary significantly across domains and the systems analyzed.
Two key questions that prompted the joint development project:
- Can a software tool efficiently and effectively support the STPA methodology?
- How will such a tool cope with the varied requirements of vastly diverse groups of stakeholders?
The global success of RM Studio®, along with feedback from its users, paired with the experience of using the application SAHRA in STPA research projects, allowed the teams to create a unique and innovative concept for the new STPA module that satisfies the varied demands and requirements.
RM Studio® is based on the risk management methodology of the risk-aligned ISO/IEC 27000 family of standards, which outline and provide guidance for assessing security risks to information. Stiki continuously improves RM Studio® by adopting further elements, drawn primarily from the ISO 31000:2009 Risk Management Standard, to support a broader risk management methodology. The adoption of the STPA methodology aligns with this strategy and further broadens the capabilities of RM Studio®, along with expanding its uses and applications.
Efficiency and effectiveness are at the core of everything we do. We believe accuracy in execution equals efficiency and timely execution of the efficiencies equals effectiveness. Adopting the STPA risk analysis methodology into RM Studio’s risk assessment capabilities provides an enhanced risk management framework for efficient and effective risk management from the top down and the bottom up.