List of Papers for 2004 (in reverse chronological order):

ESD-WP-2004-08-Model-Based Analysis of Socio-Technical Risk
by Nancy G. Leveson

Traditional approaches to hazard analysis and safety-related risk management are based on an accident model that focuses on failure events in static engineering designs and linear notions of causality. They are therefore limited in their ability to include complex human decision-making, software errors, system accidents (versus component failure accidents), and organizational risk factors in the analysis. These traditional accident models do not adequately capture the dynamic complexity and non-linear interactions that characterize accidents in complex systems, i.e., what Perrow called system accidents. System accidents often result from adaptation and degradation of safety over time: the move to a high-risk state occurs without any particular decision to do so, but simply as a series of decisions or adaptations (asynchronous evolution) that move the system into a high-risk state where almost any slight error or deviation can lead to a major loss.

To handle this more comprehensive view of accidents, risk management tools and models need to treat systems as dynamic processes that are continually adapting to achieve their ends and to react to changes in themselves and their environment. Leveson's new accident model, STAMP (Systems-Theoretic Accident Modeling and Processes), provides the foundation for such a risk management approach by describing the process leading up to an accident as an adaptive feedback function that fails to maintain safety constraints as performance changes over time to meet a complex set of goals and values.

In this report, a new type of hazard analysis based on this new model of accident causation, called STPA (STAMP-based Analysis), is described. STPA is illustrated by applying it to TCAS II, a complex aircraft collision avoidance system, and to a public water safety system in Canada. In the first example (TCAS II), STPA is used to analyze an existing system design. A formal and executable modeling/specification language called SpecTRM-RL is used to model and simulate the technical and human components in the system and to provide the support required for the STPA analysis. The results are compared with traditional hazard analysis techniques, including a high-quality TCAS II fault tree analysis created by MITRE for the FAA. The STPA analysis was found to be more comprehensive and complete than the fault tree analysis.

The second example of STPA (the public water system) illustrates its application to the organizational and social components of open systems as well as the technical. In this example, STPA is used to drive the design process rather than to evaluate an existing design. Again, SpecTRM-RL models are used to support the analysis, but this time we added system dynamics models. SpecTRM-RL allows us to capture the system's static structure (hardware, software, operational procedures, and management controls) and is useful in performing hazard analyses that examine complex socio-technical safety control structures. The addition of system dynamics models allows simulation and modeling of the system's behavioral dynamics and the effects of changes over time.

STPA allowed us to examine the impact of organizational decision-making and technical design decisions on system risk and resiliency. The integration of STPA, SpecTRM-RL, and system dynamics creates the potential for a simulation and analysis environment to support and guide the initial technical and operational system design as well as organizational and management policy design. The results of STPA analysis can also be used to support organizational learning and performance monitoring throughout the system's life cycle, so that degradation of safety and increases in risk can be detected before a catastrophe results.

ESD-WP-2004-07-Connectivity Limits of Mechanical Assemblies Modeled as Networks

This paper applies network connectivity analysis to mechanical assemblies. Assemblies have extensive intentional structure while simultaneously displaying some of the properties of previously analyzed networks. Fundamental principles impose restrictions on the structure of assemblies, as do some practical principles. Fundamental restrictions stem from the desire to avoid over-constraining the assembly. Practical restrictions stem from the desire to limit the complexity of the assembly or any significant subassembly. These restrictions play a role analogous to the cost of connection. For these reasons, mechanical assemblies are unlikely to exhibit the scale-free properties common in many natural systems and some man-made ones.

ESD-WP-2004-06-Improving UccNet-Compliant B2B Supply-Chain Applications Using a Context Interchange Framework
by Steven Yi-Cheng Tu, Stuart Madnick and Luis Chin-Jung Wu

UccNet (http://knowledgebase.uccnet.org) is a globally centralized B2B electronic data platform for storing trading product item information, hosted by the non-profit international standardization institute EAN-UCC. It is an emerging B2B data communication standard for the retail industry with significant potential impact. Many US retailers are requiring their international suppliers to subscribe by the end of either 2004 or 2005, and many major IT software providers and consulting firms specializing in supply chain management are preparing packaged services/solutions for this imminent demand.

In light of the increasing importance of UccNet on both the technology and application sides, this paper attempts to advance the following argument: though UccNet establishes an architectural framework to resolve the many-to-many connectivity issue and the data synchronization issue through a centralized product database and a uniform numbering system (i.e., Global Trade Item Numbering), there are context discrepancy issues remaining to be addressed. We show with a real case study that context discrepancy is inherent in the international trading applications where UccNet is intended to be used. Naturally, international trading partners tend to define and describe product item information differently. That difference, whether due to culture or geographical location, is not considered in the original design of UccNet. As an example, the attribute "width" contained in the database schema of UccNet would be filled in by a China-based supplier in 'meter' and yet be interpreted as 'feet' by the US retail buyer.

We show how the Context Interchange Framework, operating under the rationale of local autonomy and addressing the resolution of the context mediation issue, can be incorporated into the existing UccNet framework to constitute, theoretically, a more complete technical solution and, practically, a more useful B2B supply chain business solution.

ESD-WP-2004-05-Heterogeneity and Network Structure in the Dynamics of Diffusion: Comparing Agent-Based and Differential Equation Models

When is it better to use agent-based (AB) models, and when should differential equation (DE) models be used? Where DE models assume homogeneity and perfect mixing within compartments, AB models can capture heterogeneity in agent attributes and in the network of interactions among them. Using contagious disease as an example, we contrast the dynamics of AB models with those of the corresponding mean-field DE model, specifically comparing the standard SEIR model, a nonlinear DE, to an explicit AB model of the same system. We examine both agent heterogeneity and the impact of different network structures, including fully connected, random, Watts-Strogatz small world, scale-free, and lattice networks. Surprisingly, in many conditions the AB and DE dynamics are quite similar. Differences between the DE and AB models are not statistically significant on key metrics relevant to public health, including diffusion speed, peak load on health services infrastructure and total disease burden. We explore the conditions under which the AB and DE dynamics differ, and consider implications for managing infectious disease. The results extend beyond epidemiology: from innovation adoption to the spread of rumor and riot to financial panics, many important social phenomena involve analogous processes of diffusion and social contagion.

ESD-WP-2004-04-Order Stability in Supply Chains: Coordination Risk and the Role of Coordination Stock
by Rachel Croson, Karen Donohue, Elena Katok and John Sterman

The bullwhip effect describes the tendency for the variance of orders in supply chains to increase as one moves upstream from consumer demand. Previous research attributes this phenomenon to both operational and behavioral causes. Operational causes are features of the institutional setting that lead rational agents to amplify changes in demand, while behavioral causes arise from suboptimal decision making. This paper examines causes of the bullwhip through experiments with a serial supply chain, using the Beer Distribution Game. Unlike prior studies, we control all four commonly cited operational causes of the bullwhip, including uncertainty about customer demand. We eliminate demand uncertainty completely by making customer demand constant and known to all participants. Despite these controls, order amplification, instability, and supply line underweighting remain pervasive. We propose a new behavioral cause of the bullwhip, coordination risk, that arises when players place excessive orders to address the perceived risk that others will not behave optimally. We test two strategies to mitigate coordination risk: (1) holding additional on-hand inventory, and (2) creating common knowledge by informing participants of the optimal policy. Both strategies reduce, but do not eliminate, the bullwhip effect. Holding excess inventory reduces order amplification by providing a buffer against the endogenous risk of coordination failure. Such coordination stock differs from traditional safety stock, which buffers against exogenous demand uncertainty. Surprisingly, neither strategy reduces supply-line underweighting. We conclude that the bullwhip can be mitigated, but its behavioral causes appear robust.

ESD-WP-2004-03-A Systems Framework for Assessing Air Quality Impacts of ITS: Application to Mexico City
by Rebecca S. Dodder, Massachusetts Institute of Technology

Intelligent Transportation Systems (ITS)—the application of communications and information technology to surface transportation systems—has the potential to improve transportation along several dimensions, from safety to emissions reductions to travel time and reliability. ITS has become a worldwide technology, and many cities in Latin America are currently deploying ITS, from individual technologies to entire ITS Architectures. While improving mobility is at the core of any ITS deployment, in metropolitan areas from Mexico City to Sao Paulo, air quality concerns are such that ignoring possible air quality impacts of ITS technologies represents either a failure to leverage ITS for air quality improvements, or even a risk of running counter to air quality management efforts. While there is a growing number of studies evaluating the air quality benefits of ITS, there are important limitations on the extent to which the results of these studies can be used to support planning of ITS in cities in Latin America. First, the challenges involved in modeling ITS air quality benefits mean that such studies typically focus on only one or two ITS technologies at a time. Second, air quality and mobility conditions vary greatly across cities, meaning that air quality outcomes will also vary widely. Finally, from a planning standpoint, a more system-wide and qualitative framework is needed to generate the kind of dialogue needed between a diverse number of groups—environmental, transportation, public works, public security, and transport operators—to decide how ITS can meet a metropolitan area's needs. In order to address these issues, I develop a systems framework that can encompass a number of ITS technologies and performance measures. Within this systems framework, I look specifically at air quality. Rather than focusing on particular modeling tools, I break down air quality impacts into eight mechanisms that can lead to decreases or increases in mobile source emissions. I also return briefly to the literature on ITS environmental benefits, to review which mechanisms are included as variables. Finally, I consider the case of Mexico City, and the interactions between current ITS deployments and air quality.

ESD-WP-2004-02-Sustainable Transportation: A Strategy for System Change
by Ralph P. Hall and Joseph M. Sussman, Massachusetts Institute of Technology

This paper was updated in 2006; see ESD-WP-2006-13 for the revised version.

ESD-WP-2004-01-A Methodology for the Identification of Critical Locations in Infrastructures
by Douglas M. Lemon and George E. Apostolakis, Massachusetts Institute of Technology

The extreme importance of critical infrastructures to modern society is widely recognized. These infrastructures are complex, interdependent, and ubiquitous; they are sensitive to disruptions that can lead to cascading failures with serious consequences. Protecting the critical infrastructures from terrorism, a human-generated malevolent attack directed toward maximum social disruption, presents an enormous challenge. Recognizing that society cannot afford the costs associated with absolute protection, it is necessary to identify the critical locations in these infrastructures. By protecting the critical locations, society achieves the greatest benefit for the protection investment. This paper presents a methodology for the identification of critical locations in infrastructures. The framework models the infrastructures as interconnected digraphs and employs graph theory and reliability theory to identify the vulnerable points. The vulnerable points are screened for their susceptibility to a terrorist attack, and a prioritized list of critical locations is produced. The prioritization methodology is based on multi-attribute utility theory. The methodology is illustrated through the presentation of a portion of the analysis conducted on the campus of the Massachusetts Institute of Technology.