
Battleshorts, exaptations, and the limits of STAMP - kiyanwang
https://surfingcomplexity.blog/2020/08/16/battleshorts-exapting-and-the-limits-of-stamp/
======
jonahhorowitz
I love when people use acronyms without explaining what they stand for.

> The hypothesis underlying the new model, called STAMP (Systems-Theoretic
> Accident Model and Processes) is that system theory is a useful way to
> analyze accidents, particularly system accidents. In this conception of
> safety, accidents occur when external disturbances, component failures,
> or dysfunctional interactions among system components are not adequately
> handled by the control system, that is, they result from inadequate control
> or enforcement of safety-related constraints on the development, design, and
> operation of the system[0]

[0] - [http://sunnyday.mit.edu/accidents/safetyscience-single.pdf](http://sunnyday.mit.edu/accidents/safetyscience-single.pdf)

~~~
Ari_Ugwu
Thank you, thank you, thank you. Saved me a bunch of frustrating searches.

------
Jtsummers
> One of the central assumptions of STAMP is that it is possible to construct
> an accurate enough control model of the system at the design stage to
> identify _all_ of the hazards. [emphasis added]

I want to pick on this a bit. STAMP, or at least STPA which is the related
method you'd use in the design stage, doesn't try to identify _all_ hazards
(STAMP has the benefit of being conducted with hindsight, so it is likely to
identify more hazards). When used during design, you run _multiple_ STPA
analyses and may eventually identify all hazards, but there is no guarantee.
Additionally, while you often have a singular STAMP instance (because it
follows from an accident), STPA is run multiple times. There is no singular
STPA analysis, but a collection of analyses.

Each analysis is performed on a model of the system which is, necessarily, a
simplification. Some models will have details that others lack. This provides
the team a better opportunity to focus on the hazards involved in that area.
You will only achieve 100% hazard identification if the system is small, or
you dedicate a probably unreasonable time to the analyses.

~~~
ghaff
Are you confusing CAST and STAMP? (Or maybe I'm mis-reading.)

STAMP is about the underlying control model. STPA is focused on designing in
safety up-front. CAST is focused on analyzing failures.

~~~
Jtsummers
Yes I did, oops. Pro-tip: Expect memory lapses while on pain medications, and
maybe don't type comments on HN.

~~~
ghaff
Feel better. This was something I knew nothing about a few months back but I
took a workshop on STAMP that went virtual earlier this summer.

~~~
Jtsummers
Thanks. It was a fairly routine surgery (for the surgeon, not me) and all went
well. I'm actually on my last day of pain meds so it's my last chance to use
that excuse.

STAMP, and STPA in particular, is something I've been reading about, but
failing to apply, for a few years now since my sister studied under Leveson at
MIT. I wish I could sell it in my office. It's actually frustrating, a few of
our partners are using it (or the ideas from it) to good effect but my own
office is less than interested. Of course, my sister has encountered the same
thing even though she's the one that brought it back to her office after
returning from MIT. Their partners are using it after learning about it from
her, but they still aren't (or are underutilizing it).

~~~
ghaff
Yeah, this was Nancy Leveson's workshop. I was going to go in person but I was
able to tune in for quite a bit of the virtual version. For anyone interested,
there's quite a bit of material online with, I believe, additional videos
coming: [http://psas.scripts.mit.edu/home/2020-stamp-workshop-agenda/](http://psas.scripts.mit.edu/home/2020-stamp-workshop-agenda/)

One of the interesting things to me was the range of industries represented.
Definitely not just aerospace.

------
josh_fyi
Can't help but think of Douglas Adams' masterpiece "The Restaurant at the End
of the Universe": "A dreadful silence fell across the conference table as the
commander of the Vl'hurgs, resplendent in his black jewelled battle shorts,
gazed levelly at the G'Gugvuntt leader squatting opposite him in a cloud of
green sweet-smelling steam"

~~~
Mindless2112
I knew I'd heard "battle shorts" somewhere before, but I couldn't think of
where. It's the wrong kind of "shorts" though -- and regarding the other kind:

> _What do you mean, "why has it got to be built?" It's a bypass! You've got
> to build bypasses!_

------
aaron695
I looked everywhere for a physical example of a Battleshort after that
comment.

I guess I expected a solid fuse rather than a switch that just linked two
wires?

But still, not a lot of info around. Mostly jokes and this one supplier -
[https://www.oshkoshequipment.com/search?searchPhrase=Battle+...](https://www.oshkoshequipment.com/search?searchPhrase=Battle+Short&searchFor=0)

~~~
p_l
According to some friends, most new equipment (and not so new) provides it as
a switch - but the original form was slapping bars in place of fuses.

