Nancy Leveson

Professor of Aeronautics and Astronautics



(See also)
STAMP Workshop presentations, STAMP-related publications, etc.
System Safety Research Lab (SSRL)
System and Software Safety Research Project
Older papers available on-line
PSAS (Partnership for a Systems Approach to Safety information)
Paper on the Role of Software in Spacecraft Accidents
Paper on the Columbia Loss


Phone: (617) 258-0505
Office: 33-334
Email: leveson "at" mit.edu


Some recent papers on the use of STAMP by others

[If you want a serious bio or are downloading one, click here. Please do not use the one below.]

Nancy Leveson received all her degrees, in math, management, and computer science, from UCLA (Ph.D. 1980) and spent her formative years being a Computer Science professor at the University of California, Irvine. Moving to Seattle in 1993 in search of rain, she was Boeing Professor of Computer Science and Engineering at the University of Washington. She has now moved to MIT in her continual search for worse weather and new fields to conquer. In the process, she somehow morphed herself into an aerospace engineer and has dual faculty positions in the MIT Dept. of Aeronautics and Astronautics and the Engineering Systems Division.

Professor Leveson started a new area of research, software safety, which is concerned with the problems of building software for real-time systems where failures can result in loss of life or property. One advantage of this topic is that nobody questions its goals, except for a few misanthropes (who don't matter anyway). She and her students produced a formal requirements specification for TCAS II, a real collision-avoidance system required on all commercial aircraft in U.S. airspace. One of the lessons she has learned from this project is never to do anything like it again. The FAA was pleased with it though and adopted it as their official specification. She and her students are now analyzing safety in NextGen (the planned upgrades to the air transportation system). She claims that you should not read anything into the fact that she has been taking the train a lot lately. Our TCAS model is still being used to specify and evaluate potential upgrades to TCAS. Using this preliminary work, we have defined a complete system engineering environment for software-intensive systems that is based on model-driven development and a concept called Intent Specifications. A commercial set of tools was released to the unsuspecting world in June 2003. Most recently, she has been applying these tools to space projects (as if NASA does not have enough problems right now).

Different industries have traditionally used very different approaches to safety engineering. See White Paper on Approaches to Safety Engineering for an overview. Our technology is changing rapidly, however, and these approaches are quickly becoming ineffective. The System Safety Research Lab is creating new approaches to system safety that handle increased levels of complexity and new technology. Our techniques are based on a new system-theoretic model of accidents (STAMP) that replaces the traditional chain-of-events model underlying most current accident investigation, prevention, and assessment procedures. The model includes software, organizations, management, human decision-making, and migration of systems over time to states of heightened risk. Several theses and dissertations as well as my new book that appeared in January 2012 demonstrate the application of the new tools to a variety of engineered systems. Looking for new worlds to conquer, we have been experimenting with the use of STAMP in non-engineering applications such as hospital safety, pharmaceutical safety, food safety, corporate fraud, and (as if we were not already in enough trouble) the financial crisis.

An introduction to STAMP (much shorter than the book draft) appeared in Safety Science in 2003, titled A New Accident Model for Engineering Safer Systems. Some published examples of its use (by us and others) can be downloaded: an analysis of the causal factors in a water contamination accident, the use of STAMP to perform a risk analysis of inadvertent launch in the new U.S. Ballistic Missile Defense System, and the application of STAMP to the Comair 5191 Aircraft Accident. Another popular paper describes the software-related factors in recent aerospace accidents (AIAA Journal of Spacecraft and Rockets, to appear).

Because people keep reinventing n-version programming although they should know better, a postscript version of the paper that Knight and Leveson wrote for Software Engineering Notes, January 1990, is included here. The paper, titled "A Reply to the Criticisms of the Knight and Leveson Experiment," provides their view of the controversy that arose over their N-version programming experiment and the subsequent criticisms leveled at them and their experiment.

Professional Activities (or what I do to keep out of trouble)

Professor Leveson has been Editor-in-Chief of IEEE Transactions on Software Engineering, an elected member of the Board of Directors of the International Council on Systems Engineering (INCOSE), an elected member of the Board of Directors of the Computing Research, a member of the National Research Council Advisory Committee to the Division on Engineering and Physical systems, a member of the ACM Committee on Computers and Public Policy, a consultant to the NASA Aerospace Safety Advisory Panel (ASAP), and a member of various blue ribbon and report writing committees on topics such as nuclear power plants, automated highways, Space Shuttle upgrades, air traffic management, and various aerospace systems. She is currently resting from all this frenetic activity, teaching, and writing a book.

Dr. Leveson is a Fellow of the ACM and was awarded the 1995 AIAA Information Systems Award for contributions in space and aeronautics computer technology and science for "developing the field of software safety and for promoting responsible software and system engineering practices where life and property are at stake." She was awarded the ACM 1999 Allen Newell Award for research contributions to computer science and the 2004 ACM Sigsoft Award for Outstanding Software Research. Several years ago she was elected to the National Academy of Engineering (NAE).

Short Courses (or A five day tour of safety engineering)

Dr. Leveson occasionally gives short courses on software safety for industry. For information about these classes, click here. An old list of some of the companies and government agencies that have sent employees to the class can be found here.

Commercial Ventures (or Yeah, but what can you do for me right now?)

Dr. Leveson, some former students of hers, and some people with lots of real industrial experience started a company in 1995 with the modest goal of making the world a safer place to live. For more information about Safeware Engineering Corporation, click here.

Publications (lots more can be found in papers if you are a glutton for punishment)

Dr. Leveson's book on software safety (Safeware: System Safety and Computers, Addison-Wesley, 1995) includes almost everything she knew about the subject in 1995. Since then she has either gotten wiser or more confused (depending on your viewpoint) and is writing a second book. As if I hadn't caused enough trouble in the English-speaking world, Safeware was translated into Japanese and published in Japan in 2009 (Shoeisha Publishing Company). I cannot vouch for its correctness, of course, but it appears to be much longer in Japanese.


Recent research papers are available via the web.

Two popular papers you might find interesting and fun to read:

  • "High-Pressure Steam Engines and Computer Software" (Postscript) or (PDF). This paper started as a keynote address at the International Conference on Software Engineering in Melbourne, Australia, and later was published in IEEE Software, October 1994.

  • "The Therac-25 Accidents" (Postscript) or (PDF). This paper is an updated version of the original IEEE Computer (July 1993) article. It also appears in the appendix of my book.

    You may also like to argue with me about the future of software engineering: "Software Engineering: A Look Back and a Path to the Future" (html), which was invited for the 50th Anniversary issue of the CACM (February 1997).

    Women in computer science papers:

  • "Women in Computer Science" (Postscript) or (Postscript) or (PDF): A transcript of a presentation I made to the Snowbird Meeting of CS and CE department chairs a few years ago. It also appeared in Computer Research News, but I have no idea when.

  • NSF Report on the Status of Women in Computer Science: A report I wrote in response to a request from Eric Bloch, who was head of NSF at the time, on the status of women in computer science (Postscript) or (PDF).