
List of Papers for 2004:
(in reverse chronological order)

ESD-WP-2004-08-Model-Based Analysis of Socio-Technical Risk

by Nancy G. Leveson

Traditional approaches to hazard analysis and safety-related risk management are based on an accident model that focuses on failure events in static engineering designs and linear notions of causality. They are therefore limited in their ability to include complex human decision-making, software errors, system accidents (as opposed to component failure accidents), and organizational risk factors in the analysis. These traditional accident models do not adequately capture the dynamic complexity and non-linear interactions that characterize accidents in complex systems, i.e., what Perrow called system accidents. System accidents often result from adaptation and degradation of safety over time: the move to a high-risk state occurs without any particular decision to do so, but simply as a series of decisions or adaptations (asynchronous evolution) that move the system into a state where almost any slight error or deviation can lead to a major loss.

To handle this more comprehensive view of accidents, risk management tools and models need to treat systems as dynamic processes that are continually adapting to achieve their ends and to react to changes in themselves and their environment. Leveson’s new accident model, STAMP (Systems-Theoretic Accident Modeling and Processes), provides the foundation for such a risk management approach by describing the process leading up to an accident as an adaptive feedback function that fails to maintain safety constraints as performance changes over time to meet a complex set of goals and values.

In this report, a new type of hazard analysis based on this new model of accident causation, called STPA (STAMP-based Analysis), is described. STPA is illustrated by applying it to TCAS II, a complex aircraft collision avoidance system, and to a public water safety system in Canada. In the first example (TCAS II), STPA is used to analyze an existing system design. A formal and executable modeling/specification language called SpecTRM-RL is used to model and simulate the technical and human components in the system and to provide the support required for the STPA analysis. The results are compared with traditional hazard analysis techniques, including a high-quality TCAS II fault tree analysis created by MITRE for the FAA. The STPA analysis was found to be more comprehensive and complete than the fault tree analysis.

The second example of STPA (the public water system) illustrates its application to the organizational and social components of open systems as well as the technical. In this example, STPA is used to drive the design process rather than to evaluate an existing design. Again, SpecTRM-RL models are used to support the analysis, but this time we added system dynamics models. SpecTRM-RL allows us to capture the system’s static structure (hardware, software, operational procedures, and management controls) and is useful in performing hazard analyses that examine complex socio-technical safety control structures. The addition of system dynamics models allows simulation and modeling of the system’s behavioral dynamics and the effects of changes over time.

STPA allowed us to examine the impact of organizational decision-making and technical design decisions on system risk and resiliency. The integration of STPA, SpecTRM-RL, and system dynamics creates the potential for a simulation and analysis environment to support and guide the initial technical and operational system design as well as organizational and management policy design. The results of STPA analysis can also be used to support organizational learning and performance monitoring throughout the system’s life cycle so that degradation of safety and increases in risk can be detected before a catastrophe results.


ESD-WP-2004-07-Connectivity Limits of Mechanical Assemblies Modeled as Networks

by Daniel E. Whitney

This paper applies network connectivity analysis to mechanical assemblies. Assemblies have extensive intentional structure while simultaneously displaying some of the properties of previously analyzed networks. Fundamental principles impose restrictions on the structure of assemblies, as do some practical principles. Fundamental restrictions stem from the desire to avoid over-constraining the assembly. Practical restrictions stem from the desire to limit the complexity of the assembly or any significant subassembly. These restrictions play a role analogous to the cost of connection. For these reasons, mechanical assemblies are unlikely to exhibit scale-free properties common in many natural systems and some man-made ones.


ESD-WP-2004-06-Improving UccNet-Compliant B2B Supply-Chain Applications Using a Context Interchange Framework

by Steven Yi-Cheng Tu, Stuart Madnick and Luis Chin-Jung Wu

UccNet (http://knowledgebase.uccnet.org) is a globally centralized B2B electronic data platform for storing trading product item information, hosted by the non-profit international standardization institute EAN-UCC. It is an emerging B2B data communication standard for the retail industry with significant potential impact. Many US retailers are requiring their international suppliers to subscribe by the end of either 2004 or 2005, and many major IT software providers and consulting firms specializing in supply chain management are preparing packaged services/solutions for this imminent demand.

In light of the increasing importance of UccNet on both the technology and application sides, this paper attempts to advance the following argument: though UccNet establishes an architectural framework to resolve the many-to-many connectivity and data synchronization issues through a centralized product database and a uniform numbering system (i.e., Global Trade Item Numbering), context discrepancy issues remain to be addressed. We show with a real case study that context discrepancy is inherent in the international trading applications where UccNet is intended to be used. Naturally, international trading partners tend to define and describe product item information differently. That difference, whether due to culture or geographical location, is not considered in the original design of UccNet. As an example, the attribute "width" in the UccNet database schema might be filled in by a China-based supplier in meters and yet be interpreted as feet by the US retail buyer.

We show how the Context Interchange Framework, which operates under the rationale of local autonomy and addresses the resolution of context mediation issues, can be incorporated into the existing UccNet framework to constitute, theoretically, a more complete technical solution and, practically, a more useful B2B supply chain business solution.


ESD-WP-2004-05-Heterogeneity and Network Structure in the Dynamics of Diffusion: Comparing Agent-Based and Differential Equation Models

by Hazhir Rahmandad and John Sterman

When is it better to use agent-based (AB) models, and when should differential equation (DE) models be used? Where DE models assume homogeneity and perfect mixing within compartments, AB models can capture heterogeneity in agent attributes and in the network of interactions among them. Using contagious disease as an example, we contrast the dynamics of AB models with those of the corresponding mean-field DE model, specifically comparing the standard SEIR model (a nonlinear DE) to an explicit AB model of the same system. We examine both agent heterogeneity and the impact of different network structures, including fully connected, random, Watts-Strogatz small world, scale-free, and lattice networks. Surprisingly, in many conditions the AB and DE dynamics are quite similar. Differences between the DE and AB models are not statistically significant on key metrics relevant to public health, including diffusion speed, peak load on health services infrastructure, and total disease burden. We explore the conditions under which the AB and DE dynamics differ, and consider implications for managing infectious disease. The results extend beyond epidemiology: from innovation adoption to the spread of rumor and riot to financial panics, many important social phenomena involve analogous processes of diffusion and social contagion.


ESD-WP-2004-04-Order Stability in Supply Chains: Coordination Risk and the Role of Coordination Stock

by Rachel Croson, Karen Donohue, Elena Katok and John Sterman

The bullwhip effect describes the tendency for the variance of orders in supply chains to increase as one moves upstream from consumer demand. Previous research attributes this phenomenon to both operational and behavioral causes. Operational causes are features of the institutional setting that lead rational agents to amplify changes in demand, while behavioral causes arise from suboptimal decision-making. This paper examines causes of the bullwhip through experiments with a serial supply chain, using the Beer Distribution Game. Unlike prior studies, we control all four commonly cited operational causes of the bullwhip, including uncertainty about customer demand. We eliminate demand uncertainty completely by making customer demand constant and known to all participants. Despite these controls, order amplification, instability, and supply line underweighting remain pervasive. We propose a new behavioral cause of the bullwhip, coordination risk, that arises when players place excessive orders to address the perceived risk that others will not behave optimally. We test two strategies to mitigate coordination risk: (1) holding additional on-hand inventory, and (2) creating common knowledge by informing participants of the optimal policy. Both strategies reduce, but do not eliminate, the bullwhip effect. Holding excess inventory reduces order amplification by providing a buffer against the endogenous risk of coordination failure. Such coordination stock differs from traditional safety stock, which buffers against exogenous demand uncertainty. Surprisingly, neither strategy reduces supply-line underweighting. We conclude that the bullwhip can be mitigated but its behavioral causes appear robust.


ESD-WP-2004-03-A Systems Framework for Assessing Air Quality Impacts of ITS: Application to Mexico City

by Rebecca S. Dodder, Massachusetts Institute of Technology

Intelligent Transportation Systems (ITS)—the application of communications and information technology to surface transportation systems—have the potential to improve transportation along several dimensions, from safety to emissions reductions to travel time and reliability. ITS has become a worldwide technology, and many cities in Latin America are currently deploying ITS, from individual technologies to entire ITS Architectures. While improving mobility is at the core of any ITS deployment, in metropolitan areas from Mexico City to Sao Paulo, air quality concerns are such that ignoring the possible air quality impacts of ITS technologies represents either a failure to leverage ITS for air quality improvements or even a risk of running counter to air quality management efforts. While there is a growing number of studies evaluating the air quality benefits of ITS, there are important limitations on the extent to which the results of these studies can be used to support planning of ITS in cities in Latin America. First, the challenges involved in modeling ITS air quality benefits mean that these studies typically focus on only one or two ITS technologies at a time. Second, air quality and mobility conditions vary greatly across cities, meaning that air quality outcomes will also vary widely. Finally, from a planning standpoint, a more system-wide and qualitative framework is needed to generate the kind of dialogue required among a diverse set of groups—environmental, transportation, public works, public security, and transport operators—to decide how ITS can meet a metropolitan area's needs. In order to address these issues, I develop a systems framework that can encompass a number of ITS technologies and performance measures. Within this systems framework, I look specifically at air quality. Rather than focusing on particular modeling tools, I break down air quality impacts into eight mechanisms that can lead to decreases or increases in mobile source emissions. I also return briefly to the literature on ITS environmental benefits to review which mechanisms are included as variables. Finally, I consider the case of Mexico City and the interactions between current ITS deployments and air quality.


ESD-WP-2004-02-Sustainable Transportation: A Strategy for System Change

by Ralph P. Hall and Joseph M. Sussman, Massachusetts Institute of Technology

This paper was updated in 2006; see ESD-WP-2006-13 for the revised version.


ESD-WP-2004-01-A Methodology for the Identification of Critical Locations in Infrastructures

by Douglas M. Lemon and George E. Apostolakis, Massachusetts Institute of Technology

The extreme importance of critical infrastructures to modern society is widely recognized. These infrastructures are complex, interdependent, and ubiquitous; they are sensitive to disruptions that can lead to cascading failures with serious consequences. Protecting the critical infrastructures from terrorism (human-generated malevolent attack directed toward maximum social disruption) presents an enormous challenge. Recognizing that society cannot afford the costs associated with absolute protection, it is necessary to identify the critical locations in these infrastructures. By protecting the critical locations, society achieves the greatest benefit for the protection investment. This paper presents a methodology for the identification of critical locations in infrastructures. The framework models the infrastructures as interconnected digraphs and employs graph theory and reliability theory to identify the vulnerable points. The vulnerable points are screened for their susceptibility to a terrorist attack, and a prioritized list of critical locations is produced. The prioritization methodology is based on multi-attribute utility theory. The methodology is illustrated through the presentation of a portion of the analysis conducted on the campus of the Massachusetts Institute of Technology.
