Vienna, Austria

ESTRO 2023

Session Item

RTT service evaluation, quality assurance and risk management
Poster (Digital)
RTT
Applying a System-Theoretic Accident Modeling Process (STAMP) to an Incident in Proton RT
Steffie Schouenberg, The Netherlands
PO-2307

Abstract

Applying a System-Theoretic Accident Modeling Process (STAMP) to an Incident in Proton RT
Authors:

Denis Eijssen1, Steffie Schouenberg1, Natalia Silvis2

1Maastro Clinic, Limburg, Maastricht, The Netherlands; 2VU Amsterdam, Noord Holland, Amsterdam, The Netherlands

Show Affiliations
Purpose or Objective

System Theoretic Accident Modeling Process (STAMP), is a new safety analysis method that approaches safety  based on systems- and control theory, instead of the traditional reliability theory. The novelty consists in the graphical modeling of the process as a system, in which controllers interact with controlled processes in terms of control actions and feedback.

In this holistic view, safety becomes an emerging system property, guarded by safety constraints. In STAMP, accidents happen because the safety constraints were violated, and the controllers that could prevent the accident did not act properly. Accidents are seen as caused not by individual hardware-, software- or human component faults, but by control flaws, be they safety constraints violations or their inexistence. As any other accident analysis methods, STAMP aims to go beyond finding a root cause for an accident and assigning blame. Instead, it tries to understand why accidents happen, and thus learn how to design more robust systems in the future.

STAMP promises to better understand modern accidents causality and to discover interesting system hazards, using tools such as Systems Theoretic Process Analysis (STPA), and Causal Analysis based on STamp (CAST). Radiation therapy process is practiced in a complex socio-technical system, and therefore in our opinion very suitable to be analyzed using STAMP. What is the added value of STAMP compared to PRISMA when analyzing a proton incident?

Material and Methods

In an attempt to add a contribution to this meager body of knowledge of using STAMP in RT the proton incident is re-analyzed, this time by using STAMP-CAST.  

    

  • Narrative description of the incident

       
  •  Modeling the RT process using safety control structures

      
  •   Analyze each component in the loss

       
  •  Identify control structure flaws

        
  • Create a safety improvement plan
Results

We learned that STAMP found the same major root causes and issues like the PRISMA method. Most important, in our analysis, software emerged as an actor that can prevent but also harm and contribute to an accident.

We compared the STAMP recommendation with the recommendation from PRISMA. STAMP could formulate some new recommendations, especially towards players outside the organization. In some cases PRISMA analysis  issued more specific safety-related recommendations. STAMP only recommended to dare to speak up. STAMP differs especially in the first modelling phase to detect hazards.  

Conclusion

To start with, we concluded that the main problems and recommendation were similar.

To summarize, we believe that STAMP is a useful incident analysis method that can be used along with other method such as FTA or FMEA, especially in large RT organizations or new RT processes without a sound safety management policy. However, the graphical modeling step is still perceived as cumbersome by RT practitioners and this reduces its chances to be adopted. More effort is needed to assist practitioners with the first step of graphical modeling with control structures.