2004 Papers (listed in reverse chronological order for 2004)

ESD-WP-2004-08 - Model-Based Analysis of Socio-Technical Risk
by Nancy G. Leveson
Traditional approaches to hazard analysis and safety-related risk management are based on an accident model that focuses on failure events in static engineering designs and linear notions of causality. They are therefore limited in their ability to include complex human decision-making, software errors, system accidents (versus component failure accidents), and organizational risk factors in the analysis. These traditional accident models do not adequately capture the dynamic complexity and non-linear interactions that characterize accidents in complex systems, i.e., what Perrow called system accidents. System accidents often result from adaptation and degradation of safety over time: the move to a high-risk state occurs without any particular decision to do so but simply as a series of decisions or adaptations (asynchronous evolution) that move the system into a high-risk state where almost any slight error or deviation can lead to a major loss.

To handle this more comprehensive view of accidents, risk management tools and models need to treat systems as dynamic processes that are continually adapting to achieve their ends and to react to changes in themselves and their environment. Leveson's new accident model, STAMP (Systems-Theoretic Accident Modeling and Processes), provides the foundation for such a risk management approach by describing the process leading up to an accident as an adaptive feedback function that fails to maintain safety constraints as performance changes over time to meet a complex set of goals and values.

In this report, a new type of hazard analysis based on this new model of accident causation, called STPA (STAMP-based Analysis), is described. STPA is illustrated by applying it to TCAS II, a complex aircraft collision avoidance system, and to a public water safety system in Canada. In the first example (TCAS II), STPA is used to analyze an existing system design. A formal and executable modeling/specification language called SpecTRM-RL is used to model and simulate the technical and human components in the system and to provide the support required for the STPA analysis. The results are compared with traditional hazard analysis techniques, including a high-quality TCAS II fault tree analysis created by MITRE for the FAA. The STPA analysis was found to be more comprehensive and complete than the fault tree analysis.

The second example of STPA (the public water system) illustrates its application to the organizational and social components of open systems as well as the technical ones. In this example, STPA is used to drive the design process rather than to evaluate an existing design. Again, SpecTRM-RL models are used to support the analysis, but this time we added system dynamics models. SpecTRM-RL allows us to capture the system's static structure (hardware, software, operational procedures, and management controls) and is useful in performing hazard analyses that examine complex socio-technical safety control structures. The addition of system dynamics models allows simulation and modeling of the system's behavioral dynamics and the effects of changes over time.

STPA allowed us to examine the impact of organizational decision-making and technical design decisions on system risk and resiliency. The integration of STPA, SpecTRM-RL, and system dynamics creates the potential for a simulation and analysis environment to support and guide the initial technical and operational system design as well as organizational and management policy design. The results of STPA analysis can also be used to support organizational learning and performance monitoring throughout the system's life cycle so that degradation of safety and increases in risk can be detected before a catastrophe results.

ESD-WP-2004-07 - Connectivity Limits of Mechanical Assemblies Modeled as Networks
This paper applies network connectivity analysis to mechanical assemblies. Assemblies have extensive intentional structure while simultaneously displaying some of the properties of previously analyzed networks. Fundamental principles impose restrictions on the structure of assemblies, as do some practical principles. Fundamental restrictions stem from the desire to avoid over-constraining the assembly. Practical restrictions stem from the desire to limit the complexity of the assembly or any significant subassembly. These restrictions play a role analogous to the cost of connection. For these reasons, mechanical assemblies are unlikely to exhibit the scale-free properties common in many natural systems and some man-made ones.

ESD-WP-2004-06 - Improving UccNet-Compliant B2B Supply-Chain Applications Using a Context Interchange Framework
by Steven Yi-Cheng Tu, Stuart Madnick and Luis Chin-Jung Wu
UccNet (http://knowledgebase.uccnet.org) is a globally centralized B2B electronic data platform for storing trading product item information, hosted by the non-profit international standardization institute EAN-UCC. It is an emerging B2B data communication standard for the retail industry with significant potential impact. Many US retailers are requiring their international suppliers to subscribe by the end of either 2004 or 2005, and many major IT software providers and consulting firms specialized in supply chain management are preparing packaged services/solutions for this imminent demand.

In light of the increasing importance of UccNet on both the technology and application sides, this paper attempts to advance the following argument: though UccNet establishes an architectural framework to resolve the many-to-many connectivity issue and the data synchronization issue through a centralized product database and a uniform numbering system (i.e., Global Trade Item Numbering), there are context discrepancy issues remaining to be addressed. We show with a real case study that context discrepancy is inherent in the international trading applications where UccNet is intended to be used. Naturally, international trading partners tend to define and describe product item information differently. That difference, whether due to culture or to geographical location, is not considered in the original design of UccNet. As an example, the attribute "width" contained in the database schema of UccNet could be filled in by a China-based supplier in 'meter' and yet be interpreted as 'feet' by the US retail buyer.

We show how the Context Interchange Framework, operating under the rationale of local autonomy and addressing the resolution of the context mediation issue, can be nicely incorporated into the existing UccNet framework to constitute a theoretically more complete technical solution and a practically more useful B2B supply chain business solution.

ESD-WP-2004-05 - Heterogeneity and Network Structure in the Dynamics of Diffusion: Comparing Agent-Based and Differential Equation Models
When is it better to use agent-based (AB) models, and when should differential equation (DE) models be used? Where DE models assume homogeneity and perfect mixing within compartments, AB models can capture heterogeneity in agent attributes and in the network of interactions among them. Using contagious disease as an example, we contrast the dynamics of AB models with those of the corresponding mean-field DE model, specifically comparing the standard SEIR model (a nonlinear DE) to an explicit AB model of the same system. We examine both agent heterogeneity and the impact of different network structures, including fully connected, random, Watts-Strogatz small world, scale-free, and lattice networks. Surprisingly, in many conditions the AB and DE dynamics are quite similar. Differences between the DE and AB models are not statistically significant on key metrics relevant to public health, including diffusion speed, peak load on health services infrastructure and total disease burden. We explore the conditions under which the AB and DE dynamics differ, and consider implications for managing infectious disease. The results extend beyond epidemiology: from innovation adoption to the spread of rumor and riot to financial panics, many important social phenomena involve analogous processes of diffusion and social contagion.

ESD-WP-2004-04 - Order Stability in Supply Chains: Coordination Risk and the Role of Coordination Stock
by Rachel Croson, Karen Donohue, Elena Katok and John Sterman
The bullwhip effect describes the tendency for the variance of orders in supply chains to increase as one moves upstream from consumer demand. Previous research attributes this phenomenon to both operational and behavioral causes. Operational causes are features of the institutional setting that lead rational agents to amplify changes in demand, while behavioral causes arise from suboptimal decision-making. This paper examines causes of the bullwhip through experiments with a serial supply chain, using the Beer Distribution Game. Unlike prior studies, we control all four commonly cited operational causes of the bullwhip, including uncertainty about customer demand. We eliminate demand uncertainty completely by making customer demand constant and known to all participants. Despite these controls, order amplification, instability, and supply line underweighting remain pervasive. We propose a new behavioral cause of the bullwhip, coordination risk, that arises when players place excessive orders to address the perceived risk that others will not behave optimally. We test two strategies to mitigate coordination risk: (1) holding additional on-hand inventory, and (2) creating common knowledge by informing participants of the optimal policy. Both strategies reduce, but do not eliminate, the bullwhip effect. Holding excess inventory reduces order amplification by providing a buffer against the endogenous risk of coordination failure. Such coordination stock differs from traditional safety stock, which buffers against exogenous demand uncertainty. Surprisingly, neither strategy reduces supply-line underweighting. We conclude that the bullwhip can be mitigated but its behavioral causes appear robust.

ESD-WP-2004-03 - A Systems Framework for Assessing Air Quality Impacts of ITS: Application to Mexico City
by Rebecca S. Dodder, Massachusetts Institute of Technology
Intelligent Transportation Systems (ITS), the application of communications and information technology to surface transportation systems, has the potential to improve transportation along several dimensions, from safety to emissions reductions to travel time and reliability. ITS has become a worldwide technology, and many cities in Latin America are currently deploying ITS, from individual technologies to entire ITS Architectures. While improving mobility is at the core of any ITS deployment, in metropolitan areas from Mexico City to Sao Paulo, air quality concerns are such that ignoring possible air quality impacts of ITS technologies represents either a failure to leverage ITS for air quality improvements, or even a risk of running counter to air quality management efforts. While there is a growing number of studies evaluating the air quality benefits of ITS, there are important limitations on the extent to which the results of these studies can be used to support planning of ITS in cities in Latin America. First, the challenges involved in modeling ITS air quality benefits mean that they typically focus on only one or two ITS technologies at a time. Second, air quality and mobility conditions vary greatly across cities, meaning that air quality outcomes will also vary widely. Finally, from a planning standpoint, a more system-wide and qualitative framework is needed to generate the kind of dialogue needed between a diverse set of groups (environmental, transportation, public works, public security, and transport operators) to decide how ITS can meet a metropolitan area's needs. In order to address these issues, I develop a systems framework that can encompass a number of ITS technologies and performance measures. Within this systems framework, I look specifically at air quality. Rather than focusing on particular modeling tools, I break down air quality impacts into eight mechanisms that can lead to decreases or increases in mobile source emissions. I will also return briefly to the literature on ITS environmental benefits, to review which mechanisms are included as variables. Finally, I will consider the case of Mexico City, and the interactions between current ITS deployments and air quality.

ESD-WP-2004-02 - Sustainable Transportation: A Strategy for System Change
by Ralph P. Hall and Joseph M. Sussman, Massachusetts Institute of Technology
This paper was updated in 2006; see ESD-WP-2006-13 for the revised version.

ESD-WP-2004-01 - A Methodology for the Identification of Critical Locations in Infrastructures
by Douglas M. Lemon and George E. Apostolakis, Massachusetts Institute of Technology
The extreme importance of critical infrastructures to modern society is widely recognized. These infrastructures are complex, interdependent, and ubiquitous; they are sensitive to disruptions that can lead to cascading failures with serious consequences. Protecting the critical infrastructures from terrorism, i.e., human-generated malevolent attack directed toward maximum social disruption, presents an enormous challenge. Recognizing that society cannot afford the costs associated with absolute protection, it is necessary to identify the critical locations in these infrastructures. By protecting the critical locations, society achieves the greatest benefit for the protection investment. This paper presents a methodology for the identification of critical locations in infrastructures. The framework models the infrastructures as interconnected digraphs and employs graph theory and reliability theory to identify the vulnerable points. The vulnerable points are screened for their susceptibility to a terrorist attack, and a prioritized list of critical locations is produced. The prioritization methodology is based on multi-attribute utility theory. The methodology is illustrated through the presentation of a portion of the analysis conducted on the campus of the Massachusetts Institute of Technology.