Incorporating Epistemic Uncertainty into the Safety Assurance of Socio-Technical Systems
In system development, epistemic uncertainty is an ever-present possibility when reasoning about the causal factors during hazard analysis. Such uncertainty is common when complicated systems interact with one another, and it is dangerous because it impairs hazard analysis and thus increases the chance of overlooking unsafe situations. Uncertainty around causation thus needs to be managed well. Unfortunately, existing hazard analysis techniques tend to ignore unknown uncertainties, and system stakeholders rarely track known uncertainties well through the system lifecycle. In this paper, we outline an approach to managing epistemic uncertainty in existing hazard analysis techniques by focusing on known and unknown uncertainty. We have created a reference populated with a wide range of safety-critical causal relationships to recognise unknown uncertainty, and we have developed a model to systematically capture and track known uncertainty around such factors. We have also defined a process for using the reference and model to assess possible causal factors that are suspected during hazard analysis. To assess the applicability of our approach, we have analysed the widely-used MoDAF architectural model and determined that there is potential for our approach to identify additional causal factors that are not apparent from individual MoDAF views. We have also reviewed an existing safety assessment example (the ARP4761 Aircraft System analysis) and determined that our approach could indeed be incorporated into that process. We have also integrated our approach into the STPA hazard analysis technique to demonstrate that it can feasibly be incorporated into existing techniques. It is therefore plausible that our approach can increase the safety assurance provided by hazard analysis in the face of epistemic uncertainty.
Research Summary
The paper addresses a fundamental gap in contemporary safety engineering: the treatment of epistemic uncertainty—uncertainty arising from incomplete or imperfect knowledge about causal relationships—during hazard analysis of socio‑technical systems. While traditional hazard analysis techniques such as Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), and System‑Theoretic Process Analysis (STPA) excel at structuring known hazards, they largely ignore the existence of unknown hazards and provide little support for tracking known uncertainties throughout a system’s lifecycle.
To remedy this, the authors propose a two‑pronged approach. First, they construct a reference repository that catalogs a broad spectrum of safety‑critical causal relationships drawn from multiple domains (aviation, automotive, medical, etc.). This reference serves as a “knowledge‑gap detector”: when analysts examine a particular architectural view, they can query the repository for causal patterns that are not evident in that view but have been observed elsewhere, thereby surfacing hidden or “unknown” uncertainties.
Second, they develop a formal uncertainty model that captures “known” epistemic uncertainty. The model records the source of uncertainty (e.g., data scarcity, modeling assumptions, human judgment), its qualitative or quantitative magnitude, and its current management status (mitigated, monitored, or unresolved). By linking each identified causal factor to an instance of this model, analysts can trace how uncertainty evolves, what mitigation actions have been taken, and where further evidence‑gathering is required.
The authors integrate these artifacts into a systematic process: (1) generate a set of candidate causal factors using the reference; (2) instantiate the uncertainty model for each candidate; (3) embed the enriched candidates into an existing hazard analysis method; and (4) iterate, using the model to plan and record uncertainty‑reduction activities (additional testing, simulation, expert elicitation, etc.).
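The following is an added illustration of the four-step process and the uncertainty model as described above; it is not code from the paper, and the reference entries, view contents, status lifecycle (unresolved, monitored, mitigated) and function names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed reference of safety-critical causal relationships (cause, effect),
# standing in for the paper's cross-domain repository.
REFERENCE = {
    ("staffing_shortfall", "control_logic_fault"),
    ("sensor_data_quality", "incorrect_control_action"),
    ("pilot_assumption", "missed_feedback"),
}
TRANSITIONS = {"unresolved": "monitored", "monitored": "mitigated"}  # assumed lifecycle

@dataclass
class Uncertainty:
    source: str                 # e.g. data scarcity, modelling assumption, human judgement
    magnitude: str              # qualitative here: low / medium / high
    status: str = "unresolved"
    actions: list = field(default_factory=list)

    def record(self, action: str) -> None:
        """Log an uncertainty-reduction activity and advance the status one step."""
        if self.status not in TRANSITIONS:
            raise ValueError(f"already {self.status}")
        self.actions.append(action)
        self.status = TRANSITIONS[self.status]

@dataclass
class CausalFactor:
    cause: str
    effect: str
    uncertainty: Uncertainty

def candidate_factors(views: dict, reference: set) -> list:
    """Step 1: reference relationships that no architectural view shows."""
    shown = set().union(*views.values())
    return sorted(reference - shown)

def instantiate(candidates: list, source: str, magnitude: str) -> list:
    """Step 2: attach an uncertainty record to each candidate factor."""
    return [CausalFactor(c, e, Uncertainty(source, magnitude)) for c, e in candidates]

def open_gaps(factors: list) -> list:
    """Step 4: factors whose uncertainty still needs evidence before sign-off."""
    return [(f.cause, f.effect, f.uncertainty.status)
            for f in factors if f.uncertainty.status != "mitigated"]

def demo() -> list:
    views = {  # constructed view contents; each view shows only part of the picture
        "operational": {("staffing_shortfall", "crew_fatigue")},
        "functional": {("sensor_data_quality", "incorrect_control_action")},
    }
    factors = instantiate(candidate_factors(views, REFERENCE), "expert judgement", "high")
    factors[1].uncertainty.record("control-logic simulation")  # staffing -> control fault
    factors[1].uncertainty.record("independent review")
    return open_gaps(factors)
```

Running `demo()` leaves only the pilot-assumption factor open, so the report shows exactly where further evidence is still required.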
To evaluate applicability, the paper presents three case studies. In the first, the approach is applied to the MoDAF (Ministry of Defence Architecture Framework) architectural model. MoDAF separates system description into multiple views (operational, functional, physical, etc.), each of which can miss cross‑view causal links. By consulting the reference, analysts uncovered additional causal pathways—such as an operational staffing error that could propagate to a functional control‑logic fault—demonstrating that the method can reveal hazards invisible to any single MoDAF view.
The second case revisits the widely‑used ARP4761 aircraft system safety assessment. When the uncertainty model is overlaid on the ARP4761 process, previously implicit uncertainties (e.g., sensor data quality, pilot decision‑making assumptions) become explicit entries that are tracked across the preliminary hazard analysis, system design, and verification phases. This explicitness improves traceability, clarifies the rationale for mitigation measures, and highlights where further evidence is needed before certification.
Finally, the authors integrate their approach with STPA. STPA already models control structures and feedback loops, but it does not attach a measure of epistemic uncertainty to individual control actions. By annotating STPA control actions and feedback paths with the uncertainty model, analysts can prioritize which control loops require additional validation, allocate resources more efficiently, and produce a richer safety case that acknowledges both known and unknown risks.
Overall, the contribution is a pragmatic framework that elevates epistemic uncertainty from an implicit background concern to a first‑class artifact in hazard analysis. The reference repository and uncertainty model are domain‑agnostic, lightweight enough to be adopted alongside existing standards, and demonstrably capable of uncovering additional causal factors in complex, multi‑view architectures. By providing a concrete mechanism for capturing, tracking, and reducing uncertainty, the work promises to enhance the completeness and credibility of safety assurance arguments for socio‑technical systems.