
Safety Science 118 (2019) 783–794


System theory based hazard analysis for construction site safety: A case study from Cameroon
Dongfack Guepi Clovis Jamot, Jong Yil Park

Department of Safety Engineering, Seoul National University of Science and Technology, Seoul, Republic of Korea

Keywords: Health and safety risk; STAMP-STPA; Safety constraint; Hierarchical control structure; System safety

ABSTRACT

Introduction: Construction sites are known for their complex environments, where many unsafe acts and/or unsafe conditions exist. Traditional risk analysis methods, such as Probabilistic Risk Analysis (PRA), deal with linear systems or component failures. These traditional techniques are not efficient for analyzing nonlinear or complex systems such as construction sites.
Method: This study applied a system theory approach to a construction project risk assessment. We used System-Theoretic Process Analysis (STPA) based on the System-Theoretic Accident Model and Processes (STAMP). Data were collected in different stages. Firstly, literature from various journal papers, articles, theses, websites and the Electricity Development Corporation of Cameroon’s (EDC) risk register was reviewed. Secondly, a case study was carried out to check the applicability of system safety to a construction project where PRA was initially used by the project team. Questionnaires were administered to five selected project team members to get their point of view on the application of STPA.
Result: The main contribution of this approach was that, by simulating more scenarios, it revealed some systematic risks that were not detected with the PRA approach, such as: lack of support from the EDC stakeholders; loss of quality, security and safety when using subcontractors; and unsafe control actions by the risk manager.
Conclusion: To cope with the complexity of construction projects, the STPA approach seems to produce higher quality results compared to the PRA approach, since its prime aim is to simulate possible scenarios.

1. Introduction

Health and safety are very important aspects of proper management control. Therefore, construction health and safety management deals with actions that managers at all levels can take to create an organizational setting in which workers will be motivated and trained to perform safe and productive construction work. Every year, the number of workers fatally injured in the construction industry worldwide tops all other industries (Yoon et al., 2013; Lingard and Rowlinson, 2005). Several factors can be cited as the causes of these construction industry accidents, including breaches of safety legislation, poor equipment, environmental factors, and poor or nonexistent safety procedures (Chaplin, 2006; Behm, 2005; Whittington et al., 1992; Chi et al., 2005; Haslam et al., 2005; Suraji et al., 2001; Gibb et al., 2006). Several risk analysis techniques are commonly used on construction sites: checklists, safety audits, “what if” analysis, HAZard and OPerability studies (HAZOP), Probabilistic Risk Analysis (PRA), Event Tree Analysis (ETA), Fault Tree Analysis (FTA), Failure Modes and Effect Analysis (FMEA), etc. The complexity of the construction site is due to the fact that construction is usually defined as a “mélange of order and chaos” and is a dynamic work environment (Carlon Kramer et al., 2012). Additionally, the workforce on a construction site changes regularly with the different phases of the project (Ringen and Stafford, 1996; Carlon Kramer et al., 2012).
To reduce the high accident rate within construction sites, many safety practitioners and researchers have looked for alternative methods of risk analysis that will be more efficient than the traditional models. Some researchers have proposed models based on systems theory in response to the limitations of event chain models (Rasmussen, 1997). Up to now, there is no work available applying the System-Theoretic Accident Model and Processes (STAMP) to construction project safety. The objective of this paper is to apply System-Theoretic Process Analysis (STPA) to a real-life construction project where PRA was initially used by the project team. The system theory approach was applied to the Lom-Pangar construction project, a dam erected by the Electricity Development Corporation of Cameroon (EDC) from 2013 to date, with attention put on risk management. With this approach, safety is considered to be a control problem and the focus is put on behavioral


Corresponding author at: Department of Safety Engineering, Seoul National University of Science and Technology, Seoul 018811, Republic of Korea.
E-mail address: jip111@seoultech.ac.kr (J.Y. Park).

https://doi.org/10.1016/j.ssci.2019.06.007
Received 30 November 2018; Received in revised form 15 April 2019; Accepted 5 June 2019
Available online 15 June 2019
0925-7535/ © 2019 Elsevier Ltd. All rights reserved.

safety constraints.
System-Theoretic Process Analysis (STPA) is a systematic hazard analysis technique based on the System-Theoretic Accident Model and Processes (STAMP). STAMP is a systematic, top-down approach to risk assessment, where safety is treated as a control problem. Emphasis is put on behavioral safety constraints that are enforced at the system level. PRA is a bottom-up, event-based risk analysis technique. Emphasis is put on the failure chain of events, with interpretation of failure probabilities. STPA and STAMP provide an approach to risk analysis that shifts the focus from component failure to component interaction failure (Leveson, 2011).
The methodology of STAMP and STPA cited in this research paper is entirely based on the work of Dr. Nancy Leveson, professor of Aeronautics and Astronautics at the Massachusetts Institute of Technology, and her published work (Leveson, 2011).
The paper is structured as follows: Section 2 is dedicated to the literature review. Section 3 presents the research methodology. The case study is presented in Section 4, followed by Section 5 containing the results. Section 6 presents an evaluation survey, Section 7 contains discussions on the case study and finally, concluding remarks are made in Section 8.

2. Literature review

2.1. System-Theoretic Accident Model and Processes (STAMP)

STAMP was developed within the Complex Systems Research Lab of the Massachusetts Institute of Technology by Prof. Dr. Nancy Leveson. This accident model proposed a paradigm shift, since the accident is no longer seen as the result of a single failure, but as the consequence of a control problem within the system. This model is based on three fundamental concepts: safety constraints, the hierarchical control structure and the process models. In a system accident model, unacceptable losses occur because safety constraints are not successfully enforced. The STAMP model is a relatively recent model and is now the subject of numerous studies and parallel work to improve it (Nektarios Karanikas, 2018; Rong and Tian, 2015; Underwood and Waterson, 2014; Kazaras et al., 2014; Salmon et al., 2012). STAMP integrates engineering analysis causal factors, such as software, human decision-making and human factors, new technology, social and organizational design, and safety culture, all of which are becoming ever more threatening to safety in our increasingly complex systems (Leveson et al., 2003). In STAMP, accidents are perceived as resulting not from component failures, but from inadequate control or enforcement of safety-related constraints on the design, development, and operation of the system. Safety is considered to be a control problem: accidents occur when component failures, external disturbances, and/or dysfunctional interactions among system components are not appropriately handled (Leveson, 2004; Yao, 2012; Yisug, 2015). This model is based on both the general theory of systems and the theory of controls. It is also based on Rasmussen's dynamic safety model, which describes human behaviors as trajectories in an abstract work space bounded by a set of administrative, functional and safety boundaries that constrain workers’ degrees of freedom (Rasmussen, 1997) (see Fig. 1).

2.2. System-Theoretic Process Analysis (STPA)

STPA is a powerful hazard analysis technique based on STAMP, while CAST (Causal Analysis based on STAMP) is the equivalent for accident and incident analysis (Leveson, 2011; Yao, 2012). STPA can be used at any stage of the system life cycle. It provides the information necessary to establish safety in system design, development, manufacturing and operations, depending on when it is applied. STPA also includes the natural changes of the system that will occur over time. When unacceptable losses for the system have been identified, the hazardous states leading to those accidents can be identified. Potential hazards imposed on the system are recognized before safety constraints are designed, and each control action applied to the system is verified to secure safety. System safety requirements and safety design constraints are derived to prevent the hazards from happening.
STPA has two main steps. The first involves identification of the potential inadequate control of the system that could lead to hazardous states resulting from inadequate control or enforcement of safety constraints. The assessment of the hazard control involves the following four steps for each control action required for the system.

(1) A control action required for safety is not provided or not followed.
(2) An unsafe control action is provided.
(3) A potentially safe control action is provided too early, too late or out of sequence.
(4) A control action required for safety is stopped too soon or applied too long.

Incorrect or unsafe control actions may cause dysfunctional behavior or interactions among components (Ishimatsu et al., 2010).
The second step involves determination of how each potentially unsafe control action identified in step one of the analysis could happen. Each part of the control loop is examined to see if it could cause or contribute to a hazardous scenario. Safety controls need to be designed if they do not exist (Matthew Seth Placke, 2014). On an existing system, evaluation of the mitigation measures is needed. Conflicts between multiple controllers of the system need to be identified. Consideration is needed on how safety constraints should adapt to ever-changing systems, and protection against degradation must be built into the safety controls. Fig. 2 shows how causal factors (scenarios) leading to a hazard appear with respect to a control structure.
Improper operation of the control loop may contribute to the general types of inadequate control. Controller operation, behavior of the actuator and the controlled process, as well as communication and coordination between controllers, are the three general categories of causal factors for inadequate control.
The STPA analysis can be derived from any level of the hierarchical control structure (HCS), given that each controller in the HCS is itself controlled by higher level controllers (control input), but applications between levels of the sociotechnical HCS may differ. Inconsistencies between the process model (used by the controller) and the actual process states can lead to threats. Although process models can rarely be complete enough to cover all possible states of the system, the goal should be to make them complete enough so that no safety constraints are violated during system operation. Actuators may not respond immediately to an external command signal. Failure in the downward (reference) channel might lead to delays, or the operation of the actuators may be flawed. An actuator flaw could result in a control action delivery failure to the controlled process, which might lead to accidents. A flaw in the upward (measuring) channel could result in inadequate information reaching the controller, which could lead to an unsafe control action.
Communication between all parts of the control loop is critical in maintaining system safety. Coordination of control actions is critical in securing boundary areas of the HCS.

2.3. LOM PANGAR project and Probabilistic Risk Analysis for the Project

The lack of infrastructure in Cameroon, as in many sub-Saharan African countries, slows economic growth. Recently, the Cameroon government decided to improve its energy, telecommunications, construction, and transportation systems. Regarding the energy sector, there is the hydroelectric dam project at Lom Pangar. This dam is located in the department of Lom and Djerem of the Eastern Region of Cameroon, at the confluence of the rivers Lom and Pangar. The project includes the construction and operation of a dam, a 6 billion m3 of water (useful capacity) reservoir, a 30 MW hydropower plant at the foot of the dam and a power line to the city of Bertoua for local use


[Fig. 1 (diagram not reproduced): a Controller holding the control algorithms and set points (system goal) sends Control Actions over the Reference Channel to Actuators, which act on the Controlled Process (Process Inputs, Process Outputs, Disturbances, Controlled Variables); Sensors return Measured Variables over the Measuring Channel as Feedback to the Controller.]

Fig. 1. A standard control loop for simple control structure (Leveson, 2011).

(HydroWorld, 2014; World Bank, 2014; China International Water and Electric Corporation, 2014; Electricity Development Corporation, 2014).
When the project started, emphasis was put on risk management within the construction company. The risk management followed international standards when performing risk analysis, namely the ISO 31000 standard in all main points.
A special risk management team was formed for the project, where experts from within the company and outside counsel identified risks associated with the construction of a dam. The risk management defined the project life cycle as two phases (design and construction). The risk management team was led by an HSE manager, who worked closely with the project manager.
The risk analysis involved PRA, a widely used method in risk analysis. PRA is a bottom-up risk analysis that defines risk as a combination of severity and probability. A risk matrix was used to determine the threat from imposing risks.
Table 1 shows a typical risk matrix. A similar risk matrix was used in the risk assessment for the Lom-Pangar dam project. Each imposing risk factor was assessed with respect to time, cost, operation and health, safety and environment (HSE). Severity of the risk was rated from 1 to 4 as minor, major, critical and catastrophic, depending on the consequences it would have on the project with respect to those factors. Probability was rated from 1 to 4, depending on the chances of the occurrence of the event during the project.
If the risk factor score is between 1 and 2, the risk is considered acceptable. A risk factor from 3 to 6 is considered to be a risk as low as reasonably practicable and requires improvement. From 8 to 16, the risk is considered unacceptable and permanent surveillance is required for risk reduction. For this project, a risk register was used throughout the entire project by the HSE team to register risks, their score on the risk matrix with respect to time, cost, operation and HSE, and the measures taken to reduce or control them. The risk register presents the action that was taken, when and by whom. As the project evolved, the imposing risks altered. Some were excluded after suitable arrangements, others changed in nature and/or severity. Special attention was brought to the

Fig. 2. Things that can go wrong in the control loop (Leveson, 2011).


Table 1
Risk matrix.

Table 2
Lom Pangar Project Non-Tolerable Risk Factors adapted by authors from EDC risk register.
Columns, left to right: HSE (2013, 2018), Time (2013, 2018), Operation (2013, 2018), Cost (2013, 2018). Blank cells are not reproduced, so only the scored values appear on each row.

Risk level 16

1 Budget overrun 9 16
2 Currency risk 16 4
3 Concrete blockage for reservoir 1 16 1 16 1 8

Risk level 12
4 Geological descriptions and report 9 9 12 12
5 Changing the design during construction 12 12 8 8
6 Road to the work site in the forest 12 8 12 8
7 HSE issues not active 12 8
8 Workers injury 12 9
9 Draft tubes and spiral installation 12 12 4 9 6 9
10 Preliminary research (wrong methods, insufficient, …) 6 12 8 12
11 Government claim for procurements; appeals to public complaints 12 0 8 0
12 Financing failure 12 3 12 3
13 Secure site electricity supply 0 8 0 12 0 8
14 Mines, core substance (quality/quantity) not respecting the project description. 8 4 12 4
15 Rock fall defense: arrangement of stones, location 12 4 8 4

Risk level 8–9 (imminent risk)


16 Design with no HSE consideration 9 9
17 Inadequate equipment design 9 9
18 Delivery of supplies between contractors (things not delivered on time) 9 9 9 9
19 Design documents returned late to contractors 9 9
20 Mine, concrete materials 8 9 8 6
21 Contractors, variable understanding of data 8 8 8 8
22 Delivery of design drawings 8 8 8 8
23 Communication between contractors 8 8
24 Heat generated in concrete 9 9
25 Pipe routes collision between contractors 8 8 8 8
26 Electricity equipment installation 8 8
27 Electrical risk 8 8
28 Transformers delivery (not ready in time) 8 8

fact that by changing one risk factor, others could rise. Some risks were considered as near losses; their impact would have had serious implications on the project success (catastrophic or critical severity) and they were considered an imminent threat. The risk register shows that 28 risk factors were identified as non-tolerable (8–16 score in the risk matrix) and had constant surveillance during the project (Table 2). Considering all criteria, it was then assumed that the project was an overall success (Business in Cameroon, 2014), because of the lack of an HSE record from the project risk management team.

3. Research methodology

3.1. Objective

The aim of the present research study is to apply System-Theoretic Process Analysis (STPA) to a real-life construction project where a Probabilistic Risk Analysis (PRA) method was initially used by a construction project team. The purpose of the STPA analysis in this case was not to give a complete risk assessment with all possible risks included, but rather to utilize the STPA methodology to recognize systematic threats that cannot be identified with the PRA method. Bottom-up analysis used to identify single risks is a crucial part of risk analysis, but given its limitations, it is important to look further into how those risks are connected and to subject them to more thorough control. The risk analysis from the Electricity Development Corporation of Cameroon (EDC) was used as a reference.

3.2. Research method

Literature reviews on the Lom Pangar project, STAMP and STPA were performed to learn about the basic knowledge and applications. System-Theoretic Process Analysis (STPA) is the predictive risk assessment method within the STAMP framework. It permits the mapping of factors that can contribute to specific hazards occurring in socio-technical systems. Following the identification of the potential hazards, STPA is conducted in three iterative steps, representing the system as a whole, starting from an initially high level of abstraction and progressing towards an increasing level of granularity. To verify the applicability of STPA to a construction project, a case study was carried out on a dam construction project in Cameroon. The first step of the STPA analysis involves the construction of a high-level hierarchical control structure. The control structure presents all stakeholders within the system under


analysis and the control actions that link the independent stakeholders. Control actions constitute the main source of feedback and interaction between the multiple stakeholders. It is important to specify that in our case study, the control action involved the HSE manager's participation in the project design and construction phases. During the second step of the STPA analysis, unsafe control actions (UCAs) are identified by applying a standardized error classification to each of the control actions identified in the first step. Within STPA, the error classification is driven by the use of four guide sentences:

(1) A control action required for safety is not provided or not followed;
(2) An unsafe control action is provided;
(3) A potentially safe control action is provided too early, too late or out of sequence;
(4) A control action required for safety is stopped too soon or applied too long.

These guide sentences are set as part of the STPA methodology (Leveson, 2004) and are designed to draw out all the possible flaws within the system in order to create the complete failure classification. It is important to note that not all guide sentences are applicable in all cases, and equally each guide sentence may generate more than one UCA. Finally, the causes of the UCAs can be analyzed in more detail by constructing feedback loops for the identified UCAs. This enables the researchers to analyze how multiple UCAs can interact.
After the application of the STPA approach to the Lom-Pangar project, an evaluation survey was conducted at the project site with the aim of getting the selected project team members' appreciation of the STPA analysis method.

4. Case study

The present study applied the STAMP model (STPA methodology) to the Lom Pangar dam construction project in Cameroon to determine whether it could disclose risks undetected by the traditional method (PRA).
The goal of the STPA in this case was to reveal risks associated with the construction of a dam in a systematic way and also to make the risk management of this project more effective.
The aim of the STPA in this case was not to provide the full risk assessment with all possible risks included, but to use this methodology to reveal systematic threats undetectable by traditional methods.

4.1. Definition of Lom Pangar goals and unacceptable losses

The most serious risks in the previous table (Table 2) were used as a foundation for the analysis using STPA. To consider the project successful, three goals must be reached.

G1 focused on the importance of the project calendar. If the project agenda was held up, the operation might not be able to begin as projected.
G2 focused on the project expenditure (cost) set forth in the budget plan.
G3 focused on the safety of humans and the environment.

Table 3
System Goals for the success of the Lom Pangar Project.

Goal   System Goal for Lom Pangar Project
G1     Complete the construction on time
G2     Complete the project within the budget plan
G3     Ensure no harm or injury to human health and environment

“Accident is an undesired or unplanned event that results in loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, …” (Leveson, 2004). Using the information from Table 2 and the three goals in Table 3, we can identify some accidents (5 accidents) in the case of unacceptable losses for this project (see Table 4).

Table 4
Unacceptable Losses for Lom Pangar.

Loss   Unacceptable Losses for Lom Pangar Project                       Goal
U1     Construction not complete on time                                G1
U2     Overrun of project budget plan                                   G2
U3     Injury or loss of human life                                     G3
U4     Loss of public policy support
U5     Loss of quality, security and safety when outsourcing projects

Unacceptable loss U1 is an accident that will delay the operation (power generation). U2 is the concern for financial loss if the project runs over budget. U3 represents harm to human life, injuries or death. To realize its business objectives, EDC needs government and public support, and U4 is the loss of that support. The U5 accident category is the loss of quality, security and/or safety that occurs when another contractor is hired for design and construction, and can result in a misconduct risk.
The unacceptable losses U1, U2, and U3 are directly attached to the project goals; U4 and U5 are losses that have a systematic effect and became clear after the serious risks were analyzed.

4.2. Hazards identification (system behavior)

Following the unacceptable losses (Table 4), 7 system level hazards were detected. Some of them can be controlled and others are less controllable (see Tables 5 and 6).

Table 5
Controllable risks.

Risks – Control
R1   Contractors do not perform as required                    U1, U2, U3, U5
R2   Disruption of project                                     U1, U2, U5
R3   Unsafe use of equipment and other resources               U3, U5
R4   The road to the construction site is not safe (forest)    U3, U4

4.3. Safety constraints

This project has two phases (design phase and construction phase) and three cases can be analyzed, depending on the two project phases. The control action here involved HSE manager participation in the construction of a dam (STPA analysis). The following three control actions were compared:

• HSE manager was actively involved and taking part in project plans and construction of the dam. This control action consisted of active involvement of the HSE manager throughout the project life cycle, where he was actively involved in both the design and construction phases.
• HSE manager was not actively involved until construction of the dam had started. This control action consisted of active involvement of the HSE manager after construction had started, after the design phase was completed.
• HSE manager was not involved in the project at all, neither during design nor construction. This last control action consisted of the complete absence of the HSE manager throughout the project life cycle, where he was involved in neither the design nor the construction phases.
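The PRA scoring of Section 2.3 and STPA step 1 applied to the three control-action cases above, as an added example that is not the authors' code. Tables 4, 5 and 6 are transcribed from the paper; the mapping of each case to a guide sentence and the choice of which Table 5 risks go uncontrolled in a given case are constructed assumptions for illustration.

```python
"""Added example (not the paper's code): the Section 2.3 risk matrix beside STPA
step 1 applied to the Section 4.3 control action 'HSE manager participation'.
Loss, goal and risk tables are transcribed from Tables 4-6; the mapping of the
three cases to guide sentences and the risk links per case are constructed
assumptions for illustration."""
from itertools import product

# ---- PRA: 4x4 matrix, score = severity x probability (Section 2.3) ----
RATINGS = (1, 2, 3, 4)  # severity: minor, major, critical, catastrophic; probability: 1..4


def risk_score(severity: int, probability: int) -> int:
    if severity not in RATINGS or probability not in RATINGS:
        raise ValueError("severity and probability are rated 1..4")
    return severity * probability


def risk_tier(score: int) -> str:
    """Tiers stated in the paper: 1-2 acceptable, 3-6 ALARP, 8-16 unacceptable."""
    if score in (1, 2):
        return "acceptable"
    if 3 <= score <= 6:
        return "ALARP"
    if 8 <= score <= 16:
        return "unacceptable"
    raise ValueError(f"{score} is not a product of two ratings in 1..4")


def ratings_for_score(score: int) -> list:
    """All (severity, probability) pairs that the matrix collapses to one score.
    A register entry of 12 may be critical/4 or catastrophic/3; the scalar hides which."""
    return [(s, p) for s, p in product(RATINGS, repeat=2) if s * p == score]


# ---- STPA: tables transcribed from the paper ----
LOSS_TO_GOAL = {"U1": "G1", "U2": "G2", "U3": "G3", "U4": None, "U5": None}  # Table 4
RISK_TO_LOSSES = {  # Tables 5 and 6
    "R1": ("U1", "U2", "U3", "U5"), "R2": ("U1", "U2", "U5"), "R3": ("U3", "U5"),
    "R4": ("U3", "U4"), "R5": ("U1", "U4"), "R6": ("U1", "U4"), "R7": ("U5",),
}
GUIDE = {  # the four guide sentences of STPA step 1
    1: "not provided or not followed",
    2: "provided in an unsafe way",
    3: "provided too early, too late or out of sequence",
    4: "stopped too soon or applied too long",
}


def classify_case(in_design: bool, in_construction: bool) -> tuple:
    """Map a Section 4.3 case (HSE manager present per phase) to a guide sentence.
    Assumption: joining only after the design phase is 'too late' (guide 3);
    total absence is 'not provided' (guide 1); leaving after design is guide 4."""
    if in_design and in_construction:
        return None, "provided (case 1, no UCA from timing or absence)"
    if in_construction:
        return 3, GUIDE[3]  # case 2
    if not in_design:
        return 1, GUIDE[1]  # case 3
    return 4, GUIDE[4]  # not one of the paper's cases


def linked_losses(risk_ids) -> set:
    """Union of the unacceptable losses reachable from Table 5/6 risk ids."""
    return {u for r in risk_ids for u in RISK_TO_LOSSES[r]}


def uca_record(controller: str, action: str, in_design: bool,
               in_construction: bool, uncontrolled_risks) -> dict:
    """One STPA step-1 record: UCA wording plus traceability to losses and goals."""
    guide_no, guide_text = classify_case(in_design, in_construction)
    losses = linked_losses(uncontrolled_risks) if guide_no else set()
    return {
        "controller": controller,
        "uca": f"{controller}: '{action}' {guide_text}",
        "guide": guide_no,
        "losses": sorted(losses),
        "goals": sorted({LOSS_TO_GOAL[u] for u in losses if LOSS_TO_GOAL[u]}),
    }


if __name__ == "__main__":
    print(risk_tier(risk_score(3, 4)), ratings_for_score(12))
    # Constructed assumption: without the HSE manager, Table 5 risks R1 and R3 go uncontrolled.
    for case in [(True, True), (False, True), (False, False)]:
        print(uca_record("HSE manager", "participation in design and construction",
                         *case, ("R1", "R3")))
```

The contrast the paper draws is visible in the two outputs: the PRA side reduces a risk to a score whose underlying severity/probability pair is lost, while the STPA side keeps each unsafe control action traceable to the losses and goals it threatens.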


Table 6
Limited controllable risks.

Risks – Limited Control
R5   License agreements for construction not permitted    U1, U4
R6   Authorities do not deliver license agreements         U1, U4
R7   No contractors with expertise were available          U5

4.4. Hierarchical safety control structure

Following STAMP, unacceptable losses occur when there is poor control and an absence of enforcement of safety measures. With the specific objective of controlling a procedure, no less than two hierarchical levels are required: the procedure that is being controlled (at the base) and the controller interfacing with the procedure (progressively above). The controller imposes constraints on the lower level, the controller level is controlled by the higher level, and communication between the two is represented by feedback and actions. By modelling the Hierarchical Control Structure, the focus is on the control flaw: where in the system a loss could occur as a result of inadequate control.
Fig. 3 portrays the Hierarchical Control Structure for the EDC external operational condition, where EDC is the controlled process. Key partners have been distinguished, including public authorities, clients and collaborators. The highest level of the hierarchy is the Cameroon Parliament, which votes the laws. EDC works under specific laws. Four ministries participate in the operation of EDC in this project. The Ministry of Economy, Planning, Programming and Regional Development is authorized to expropriate resources owned by individuals. The Ministry of Finance is the state shareholder and appoints EDC’s board of directors after consulting the presidency. The Ministry of Energy and Water Resources is in charge of matters of electricity. Its supervisory authority is the National Energy Plan for Poverty Reduction. The Ministry of Environment and Nature Protection is in charge of environmental impact matters (direction of environment). Contractors and designers are important parts of EDC’s operation because during projects, parties are hired to design and construct while EDC provides supervisory management.
Fig. 4 represents the HCS of EDC’s internal functional environment. Lom Pangar’s risk management is the controlled process. At the top level of the organization is the Board of Directors, appointed by the Minister of Finance, the state shareholder. The Board is in charge of EDC’s operations and finances. The Board chooses the CEO, who is responsible for the everyday administration of the firm. The Executive Board is comprised of managers who head the core divisions in support of activities ranging from the planning and development of new projects to the operation and maintenance of the operating stations. Focus is placed here on the divisions that directly impact the design and construction of the Lom Pangar project.
System Development is in charge of the preparation of new projects. Asset Management is in charge of projects from preparation to a completed product. Operation Management does not have a specific purpose in this project other than to describe how operation is involved with new project development. This division also manages power generation.
Experiences from ongoing operations are listed as lessons learned and feedback between operation, construction, management and system maintenance, which dynamically aim to improve power generation with ongoing research and innovation. In the project plan, risk management occupied a very important part of the project management.

4.4.1. STPA Step 1: Unsafe control actions (UCA) identification

The STPA first step is to identify the unsafe control actions that could result in hazardous conditions. There are four ways unsafe control actions may occur:

[Fig. 3 (diagram not reproduced): the Cameroon Parliament sits at the top, issuing Legislation to and receiving Public Policy Support from four ministries (Planning, Programming and Regional Development; Economy and Finance; Energy and Water Resources; Environment and Nature Protection). Through the Board of Directors (State Shareholder), the National Energy Plan for Poverty Reduction and the Direction of Environment, these ministries exchange regulations, supervision, financial commitments, EIA reports, license assessments and public policy support with the Electricity Development Corporation (EDC), the controlled process. Below EDC are Landowners, the Cameroon Electrical Grid, the Distribution System Operator (ENEO), Power Intensive Users, General Electricity Users and Contractors/Designers, linked by electricity delivery, electricity prices, contracts, quality/safety/security requirements and third party liability.]

Fig. 3. Hierarchical Control Structure (HCS) for EDC’s external operational environment.


[Fig. 4 (diagram not reproduced): EDC’s Board of Directors controls EDC’s Executive Board, which controls the System Development, Asset Management and Operational Management divisions. Below them sit Project Planning, Project Management, Risk Management, Construction Management, Lom Pangar Operation and Maintenance; the arrows are labelled Monitoring, System Testing, Requirements Validation, Supervision, Lessons learned and Feedback.]

Fig. 4. Hierarchical Control Structure (HCS) for EDC’s internal operational environment.

(1) A control action required for safety is not provided or not followed.
(2) An unsafe control action is provided that leads to a hazard.
(3) A potentially safe control action is provided too early, too late, or out of sequence.
(4) A safe control action is stopped too soon or applied too long.

By applying the control actions and determining the unsafe control actions based on them, the STPA analysis can be carried out. The HSE manager’s involvement across the project life cycle can be compared during the STPA analysis. For the STPA analysis, the control actions applied were:

(1) The HSE manager is actively involved and taking part in project plans and construction of the dam.
(2) The HSE manager is not actively involved until construction of the dam has started.
(3) The HSE manager is not involved in the project at all, neither during design nor during construction.

The STPA analysis for each control action is presented in Table 7. In all cases, the HSE manager was the controller. “YES” designates early participation of the HSE manager in the project life cycle (he participated actively during both the design and construction phases of the dam). “NO” signifies that the involvement of the HSE manager in the project life cycle was not adequate. The “former NO” describes an HSE manager who was not involved in the design phase of the project (he was actively involved only during the construction phase of the project life cycle and not during design). The “latter NO” describes an HSE manager not actively involved in the project at all. The table shows the potentially unsafe control actions resulting from the three control actions. For any unsafe control action detected, the hazards (R1-R7) that could derive from it were identified.

4.4.2. STPA Step 2: Causal scenario identification
The second step of the STPA method focuses on evaluating how the risky control activity recognized in the initial step could happen. Each part of the control structure was analyzed to check whether it could result in a safety peril. Once the causes of the dangerous situation are recognized, mitigation measures that do not presently exist within the framework of the safety program can be created.
Fig. 7 presents the causal scenarios in a control structure to be considered as potentially hazardous scenarios, with a focus on risk identification inside EDC. The figure shows a human-controlled control structure for hazard administration; no computerization was used in any of the construction phases of the Lom Pangar dam. The actuators were all key members of the project: the parties in charge of delivering completed parts of the project during its life cycle (design and construction). Key members were planners, contractual workers, administrators, the wellbeing officer, the project director and the architect.

5. Results

The Hierarchical Control Structure was drawn for EDC’s external and internal operating conditions (Figs. 3 and 4). By diagramming the internal and external conditions of the firm, the focus moves to the control of weaknesses: identifying places in the system where inadequate control could create safety hazards and other losses. Control actions and feedback are displayed by arrows. The broken arrows indicate the plausibility of a lack of support in the system. Figs. 5 and 6 represent the internal and external situation of the EDC and how unsafe control actions could emerge.
EDC’s external operational environment is presented in Fig. 5. This figure describes how EDC’s interests could be at legal risk. Broken arrows represent the case where help from the company’s partners is absent. For the firm to operate normally, the hierarchical control structure should support decision making.
EDC’s internal operational environment is presented in Fig. 6. The broken arrows indicate how potentially hazardous control activity involving the HSE manager could emerge in the organization. The figure portrays how an absence of support can lead to project losses.
Table 7 displays the initial phase of the STPA analysis. The STPA analysis was performed to define the system hazards (Tables 5 and 6). The control action that included the participation of the HSE manager in


the project was analyzed depending on his responsibility in the dam construction project. The three cases of potentially unsafe control actions, and the possible risks associated with each case, were identified as follows:

(1) The HSE manager is actively taking part in the project plans and construction of the dam.
(a) Ineffective (incorrect or insufficient) risk management
(b) Incomplete risk identification and interrelation
(c) HSE manager is involved early with project plans but does not follow up
(2) The HSE manager is not participating actively in the project until the construction phase has started.
(a) No identification and management of risk at the early stage
(b) HSE manager is not in control of risk
(3) The HSE manager is not participating in the project at all, neither during design nor during construction of the dam.
(a) No risk identification or management

Table 7
Potentially hazardous control action identification. [Table layout not recoverable from the extraction; headings and entries listed.] Columns: Control Action | Not Providing Causes Hazard | Providing Incorrect Causes Hazard | Wrong Timing or Order Causes Hazard (Early / Late) | Stopped Too Soon or Applied Too Long (Too Soon / Too Long). Rows: YES (The HSE manager is actively involved and taking part in project plans and construction of the dam); NO (Former) (The HSE manager is not actively involved until construction of the dam has started); NO (Latter) (The HSE manager is not actively involved in project plans and construction of the dam). Cell entries recovered: Ineffective (incorrect or insufficient) risk management (R1-R4); Incomplete risk identification and interrelation (R1-R7); HSE manager is involved early with project plans but does not follow up (R1-R7); Risk is not identified and managed in early stage; HSE manager is not in control of risk (R1-R7); Not identifying risk and not mitigating risk (R1-R7); Risk is not identified or managed, neither during design phase nor construction phase (R1-R7); Not unsafe control action; Not applicable.

Fig. 7 presents the possible hazardous risk management scenarios for this construction project. This figure shows a person (human) controlling the control structure of the risk management process during the design and construction of the dam. The model shows how the actuator, controller and sensor were all human. The same person, the HSE manager, functioned as both controller and sensor. He was in charge of managing the project risk factors; communicating with everyone contributing to the project; controlling and mitigating (or eliminating) risks; and monitoring the evolution of the project and reacting to any irregularities (flaws). Even though all the members of the risk management team were actively taking part, all information related to safety funnelled to one person whose job it was to oversee the entire program. The situations presented in Fig. 7 give examples of hazards and of where they could emerge within the control structure.

6. Evaluation survey

After the application of the STPA approach to the Lom-Pangar project, an evaluation survey was conducted at the project site with the aim of getting the selected project team members’ appreciation of the STPA analysis method. The scale used for the ratings is presented in Table 8.
The team members’ evaluations of the STPA analysis and PRA methods are presented in Tables 9 and 10 respectively.
As shown in Table 9, the STPA analysis received a good rating of 3.6 for risk identification, 3.4 for risk mitigation and 3.2 for its structure. On the other hand, the team members gave an average rating of 2.6 for the analysis time and 2.4 for the complexity of the method.
Table 10 shows that PRA received an excellent rating of 4.2 for complexity and analysis time, and 4.0 for its structure. On the other hand, PRA received an average rating of 3.0 for risk identification and 2.0 for risk mitigation.
In the selected team members’ point of view, PRA was easier to understand and implement than STPA. But as regards risk identification and mitigation, they rated STPA higher than PRA.

7. Discussion

The System-Theoretical Process Analysis (STPA) approach provides an understanding of the systematic risks to be considered in the design and construction of a dam. The results of this method confirmed that the application of the model detects risks that are not disclosed using event chain models (PRA). Although the case study here did not give a full appreciation of the hazards related to a dam construction project, it shows the applicability of the methodology to the project.
STAMP gives a wider perspective on risk analysis than assessing and


Fig. 5. Potential absence of support in EDC’s external operational environment. [Figure; the control structure of Fig. 3 redrawn with broken arrows where support from partners may be absent; only its labels survive extraction.] Cameroon Parliament (legislation; public policy support) → Ministry of Planning, Programming and Regional; Ministry of Economy and Finance; Ministry of Energy and Water Resources; Ministry of Environment and Nature Protection → State Shareholder, Board of Directors, Energy Trade Supervision and Direction of Environment (regulations on research, regulation on final EIA, EIA hearing and report, accusation, financial commitments, confiscation, national energy plan, public policy for poverty reduction, environmental evaluation, impact assessment report, regulation on power generation, utilization of resources, annual meetings, reports, state guarantee) → Electricity Development Corporation (EDC) (power generation; electricity transmission; landowners: power generation license) → Cameroon Electrical Grid (power supply, electricity prices, contracts, electricity demand, security); Distribution System Operator (ENEO) and Power Intensive Users (electricity delivery; quality, safety and security requirements and aspects of product); General Electricity Users (electricity delivery); Contractors/Designers (third party liability).

Fig. 6. Potential absence of support in EDC’s internal environment. [Figure; the control structure of Fig. 4 redrawn with broken arrows where support may be absent; only its labels survive extraction.] EDC’s Board of Directors → EDC’s Executive Board → System Development, Asset Management and Operational Management → Project Planning, Project Management, Risk Management, Construction Management, Maintenance and Lom Pangar Operation. Control and feedback links are labelled monitoring, testing, system validation, requirements, lessons learned, supervision and feedback.
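The STPA Step 1 bookkeeping described above and summarized in Table 7 (the three control actions of the HSE manager checked against the four unsafe-control-action categories, each UCA traced to hazards R1-R7) can be carried out in code. The following Python block is an added example and not the paper’s own code: it encodes the control actions and UCAs as the text lists them, rebuilds the Table 7 layout, checks the two bookkeeping rules STPA relies on (every UCA traces to at least one hazard, every hazard is reached by some UCA) and inverts each UCA into a safety constraint. The hazard descriptions are not reproduced (they sit in the paper’s Tables 5 and 6), so R1 to R7 are opaque identifiers; where the extracted table cell gave no hazard link, R1-R7 is assumed and marked as such, and the constraint wording is this example’s own.

```python
"""STPA Step 1 for the HSE manager control actions of the Lom Pangar case.
Added example (not the paper's code). Hazard identifiers R1..R7 follow the
paper; their wording is in the paper's Tables 5 and 6 and is not reproduced."""
from dataclasses import dataclass, field
from enum import Enum


class UCAType(Enum):
    """The four ways a control action can be unsafe (STPA Step 1 guide categories)."""
    NOT_PROVIDED = "Not providing causes hazard"
    PROVIDED_INCORRECTLY = "Providing incorrectly causes hazard"
    WRONG_TIMING = "Wrong timing or order causes hazard"
    WRONG_DURATION = "Stopped too soon or applied too long"


ALL_HAZARDS = frozenset(f"R{i}" for i in range(1, 8))


def hazard_range(first, last):
    """Inclusive helper: hazard_range(1, 4) -> {'R1', 'R2', 'R3', 'R4'}."""
    return {f"R{i}" for i in range(first, last + 1)}


@dataclass(frozen=True)
class UCA:
    control_action: str
    kind: UCAType
    description: str
    hazards: frozenset


@dataclass
class ControlAction:
    label: str          # row label used in the paper's Table 7
    text: str
    ucas: list = field(default_factory=list)

    def add_uca(self, kind, description, hazards):
        self.ucas.append(UCA(self.label, kind, description, frozenset(hazards)))
        return self


def build_case_study():
    """The three control actions and their UCAs as listed in the paper's text.
    Where the extracted Table 7 cell gave no hazard link, R1-R7 is assumed."""
    yes = ControlAction("YES", "HSE manager actively involved in plans and construction")
    yes.add_uca(UCAType.PROVIDED_INCORRECTLY,
                "Ineffective (incorrect or insufficient) risk management", hazard_range(1, 4))
    yes.add_uca(UCAType.WRONG_TIMING,
                "Incomplete risk identification and interrelation", hazard_range(1, 7))
    yes.add_uca(UCAType.WRONG_DURATION,
                "Involved early with project plans but does not follow up", hazard_range(1, 7))
    former = ControlAction("NO (Former)", "HSE manager not involved until construction starts")
    former.add_uca(UCAType.NOT_PROVIDED,
                   "Risk is not identified and managed in the early stage", hazard_range(1, 7))  # assumed link
    former.add_uca(UCAType.PROVIDED_INCORRECTLY,
                   "HSE manager is not in control of risk", hazard_range(1, 7))
    latter = ControlAction("NO (Latter)", "HSE manager not involved in design or construction")
    latter.add_uca(UCAType.NOT_PROVIDED,
                   "Risk is not identified or managed, neither during design nor construction",
                   hazard_range(1, 7))
    latter.add_uca(UCAType.PROVIDED_INCORRECTLY,
                   "Not identifying risk and not mitigating risk", hazard_range(1, 7))
    return [yes, former, latter]


def _fmt_hazards(hazards):
    return ", ".join(sorted(hazards, key=lambda h: int(h[1:])))


def uca_table(actions):
    """Rebuild the Table 7 layout: {row label: {UCA category: cell text}}.
    A category with no UCA is reported as not unsafe for that action."""
    table = {}
    for action in actions:
        cells = {kind.value: "Not unsafe control action" for kind in UCAType}
        for uca in action.ucas:
            cells[uca.kind.value] = f"{uca.description} ({_fmt_hazards(uca.hazards)})"
        table[action.label] = cells
    return table


def untraced_ucas(actions):
    """STPA rule: every UCA must be traced to at least one system hazard."""
    return [uca for a in actions for uca in a.ucas if not uca.hazards]


def uncovered_hazards(actions):
    """Hazards no UCA reaches: Step 2 will never yield a scenario or constraint for them."""
    covered = set()
    for a in actions:
        for uca in a.ucas:
            covered |= uca.hazards
    return ALL_HAZARDS - covered


def safety_constraints(actions):
    """Invert each UCA into a constraint on the controller (STPA's UCA-to-constraint
    step). The wording is this example's own, not the paper's."""
    out = []
    for a in actions:
        for n, uca in enumerate(a.ucas, 1):
            out.append(f"SC-{a.label}-{n}: the HSE manager must not allow '{uca.description}' "
                       f"(controls {_fmt_hazards(uca.hazards)})")
    return out


if __name__ == "__main__":
    actions = build_case_study()
    for label, cells in uca_table(actions).items():
        print(label)
        for category, cell in cells.items():
            print(f"  {category:38s} {cell}")
    print("untraced UCAs:", untraced_ucas(actions))
    print("uncovered hazards:", sorted(uncovered_hazards(actions)))
    print(*safety_constraints(actions), sep="\n")
```

The two checks are the useful part in practice: a UCA without a hazard link is an analysis gap, and a hazard no UCA reaches will never receive a causal scenario in Step 2 or a safety constraint, which is exactly how a systematic risk stays invisible to the program.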


Fig. 7. Human controlled system: where controller and sensor function as the same person. [Figure; the diagram’s text boxes are listed below.]

Control input wrong or missing:
- Allocation of resources for early involvement in project plans and procedures insufficient
- Risk analysis from experts insufficient or incorrect
- Employee expertise not available, not enough expertise within the company in the specific field

CONTROLLER: HSE Manager (process model: Risk Register)
Inadequate control action:
- HSEM is not involved in the planning of coordination of projects
- Necessary information from risk management is needed to maintain control from threats
- Late provision of instruction for contractors to start alignment with project plans
Flaws in creation of process model:
- Incorrect understanding of scope of risk analysis
- Too optimistic estimation of project schedule
- Unrealistic estimation of severity of threats
Incorrect or inadequate feedback:
- Feedback delays
- HSE Manager does not follow up

ACTUATOR: Human actuator consisting of key members of the construction project
Component failure:
- Permission for construction is not given
- Late delivery of data from designers
- Contractors exceed project plan

SENSOR: Human sensor (HSE Manager)
Inadequate sensor function:
- Disruption of projects is not detected
- Incorrect or insufficient information provided
Incorrect or missing feedback:
- Feedback delay
- Necessary information from key members, risks not provided

CONTROLLED PROCESS: Lom Pangar Dam Project
Delayed project: delays in a single project component could affect the overall project schedule
Conflicting control action:
- Cooperation between contractors at site crucial
- Project plans are ignored
Unidentified or unpredicted disturbances that could affect the project schedule:
- Geological conditions not as expected
- Weather disturbance
Process output contributes to system hazard:
- Threat of disruption of projects not noticed
- Safety recommendations are ignored
- Wrong coordination of projects
- Adjustments to protect project schedule insufficient
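The feedback-side causal factors in Fig. 7 (feedback delays, the HSE manager not following up, disruption of projects not detected) are control-loop flaws: the controller acts on a process model that is only as fresh as the feedback it receives. The Python block below is an added example with constructed data, not the paper’s code or project data. The controlled process is a chain of project components, the sensor is the HSE manager’s own status reporting (the paper’s point that controller and sensor are the same person), the feedback path carries a configurable delay and a follow_up switch, and the controller compresses work that has not yet started once its process model registers a slip. Component names, durations, the slip value and the compression rule are all this example’s assumptions.

```python
"""Control-loop model of the Fig. 7 feedback flaws. Added example with
constructed data; not the paper's code or the Lom Pangar project's data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    planned_days: int
    slip_days: int = 0   # hidden disturbance: extra days the work really takes


@dataclass
class Outcome:
    detection_day: Optional[int]   # day the controller's process model first registered a slip
    project_end: int
    planned_end: int
    undetected_slip: int           # slip the process model never learned about

    @property
    def overrun(self) -> int:
        return self.project_end - self.planned_end


# Constructed project: a sequential chain in which the construction permit
# arrives late (Fig. 7: "Permission for construction is not given").
PROJECT: List[Component] = [
    Component("Design", 10),
    Component("Construction permit", 5, slip_days=6),
    Component("Earthworks", 10),
    Component("Concrete works", 12),
    Component("Commissioning", 6),
]


def simulate(components, feedback_delay=0, follow_up=True, compress_days=2):
    """Run the control loop day by day.

    Controlled process: the components, each starting when the previous one ends.
    Sensor: a slip becomes observable when a component's planned end passes without
            completion; the report reaches the controller feedback_delay days later.
    Controller: when its process model (believed_slip) first shows a slip, it compresses
            work that has not started yet by up to compress_days per component (an assumed
            stand-in for "Adjustments to protect project schedule").
    follow_up=False models a controller that never reads the feedback channel
            (Fig. 7: "HSE Manager does not follow up").
    """
    planned_end = sum(c.planned_days for c in components)
    duration = {c.name: c.planned_days + c.slip_days for c in components}
    believed_slip = 0        # the controller's process model of the schedule
    in_transit = []          # (arrival_day, slip) reports on their way to the controller
    detection_day = None
    day = idx = start = 0
    while idx < len(components):
        current = components[idx]
        # Sensor: observe the slip at the planned end of the current component.
        if day == start + current.planned_days and duration[current.name] > current.planned_days:
            in_transit.append((day + feedback_delay, duration[current.name] - current.planned_days))
        # Feedback: reports update the process model only if the controller reads them.
        if follow_up:
            arrived = [r for r in in_transit if r[0] <= day]
            in_transit = [r for r in in_transit if r[0] > day]
            believed_slip += sum(slip for _, slip in arrived)
        # Control action: the first detected slip triggers compression of unstarted work.
        if believed_slip > 0 and detection_day is None:
            detection_day = day
            remaining = believed_slip
            for later in components[idx + 1:]:
                cut = min(compress_days, later.planned_days - 1, remaining)
                duration[later.name] -= cut
                remaining -= cut
        # Controlled process: the component finishes when its real duration elapses.
        if day == start + duration[current.name]:
            idx += 1
            start = day
        day += 1
    observable_slip = sum(max(0, duration[c.name] - c.planned_days) for c in components)
    return Outcome(detection_day, start, planned_end, observable_slip - believed_slip)


def compare():
    """The same disturbance under three feedback conditions."""
    return {
        "prompt feedback": simulate(PROJECT, feedback_delay=0),
        "delayed feedback": simulate(PROJECT, feedback_delay=10),
        "no follow-up": simulate(PROJECT, follow_up=False),
    }


if __name__ == "__main__":
    for name, out in compare().items():
        print(f"{name:16s} detected on day {out.detection_day}, overrun {out.overrun} days, "
              f"undetected slip {out.undetected_slip}")
```

With prompt feedback the slip is detected the day it becomes observable and the compression absorbs it; with a ten-day delay the report arrives after the next component has already started, so less work is left to compress and the project overruns; with no follow-up the process model never changes, nothing is compressed, and the whole slip stays undetected, which is the “threat of disruption of projects not noticed” box in Fig. 7.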

Table 8
Scale used for the evaluation of the STPA analysis by the project team members.

Table 9
The team members’ evaluation of the STPA analysis method.

Table 10
The team members’ evaluation of the PRA method.


mitigating single risks. A focus on independent failures in risk management will only reduce the symptoms of the underlying problem. With a top-down approach on a subset of imposing risks, a system-level safety requirement that reduces all risks can be derived (Leveson, 2011). Despite the near losses that occurred during the project life cycle, the project was considered an overall success by EDC’s management (Business in Cameroon, 2014). With less tolerance for single accidents, near losses should be treated as serious and unacceptable events; simple luck is sometimes the only distinction between an actual loss and a near loss. The accidents identified in the case study all represent a risk that, at some point during the project life cycle, was considered a near loss. The system accident model demonstrates the importance of a systematic view of hazards. With the clear overview provided by the system accident model, risks are put into a perspective that allows a more comprehensive understanding than concentrating on single risks (Leveson, 2011).
It was concluded that early and active participation of the HSE manager in all aspects of the project life cycle represents an effective way to deal with risk recognition in the case study. The initial step of the STPA analysis showed how risk became controllable when the control action was used early in the project life cycle. If the control action is not fully applied, the risk becomes less controllable. If there is no control action, risks are not controllable. Although it is highly unrealistic to think that the HSE manager was completely absent during the project, that situation provides a comparison with the first two, highlighting the significance of early and active participation of risk management in construction.
The result also demonstrates the importance of bringing automation into the risk management process. Fig. 7 shows that the HSE manager must be available and in perpetual collaboration with all the other key members of the project to perform his job effectively. The HSE manager can be assisted by dynamic management software that links key members and provides visibility during the project. This kind of software would function as a sensor in the control structure and would reduce the workload of the HSE manager. If one person (the HSE manager) is in charge of the whole procedure with no automated processes, the likelihood of hazards emerging increases because of a lack of overview and controllability.
The threat of loss of public policy support (U4), as well as the threat of loss of quality, security and safety when outsourcing projects (U5), is depicted in Fig. 5. The HCS shows the unpredictable external environment of EDC’s activity by diagramming its various partners. It exposes the challenging communication with its controlling units and its convoluted legal situation. Political authorities have a critical impact on the organization’s task by offering public policy support. Likewise, assistance from the state’s overall population has an essential influence on the organization. The fact that license agreements from the start of the project in 2013 had not been finalized shows where loss of public policy support appears (U4). Support from the general public also plays an important part for the company, which is state property. Approval for individual projects and operations is needed, and balanced interaction between the public and the authorities is critical for the company to operate as expected.
The large subset of governmental stakeholders involved in EDC’s regulation and licensing can cause conflicts of interest. Four ministries participate in the operation of EDC, and that could generate conflicts. Jurisdiction between these governmental parties is diverse. Therefore, solidarity between authorities is the keystone of a stable operating environment for the company.
Fig. 5 also represents the likelihood of compromising quality and safety while subcontracting projects. EDC works in collaboration with designers and contractors for the majority of its jobs. During the Lom Pangar project, many contractors were working for EDC at the site. On the other hand, many subcontractors were working indirectly with EDC’s management but directly with their supervisory contractor. Misbehavior of contractors and subcontractors could have contributed to loss of quality, security and even safety of the project (U5).

8. Conclusion

A construction site is complex because both the work environment and the workforce constantly change. A construction company should look at both single failures and control problems (complex system interactions) to evaluate the risks linked to its activities. To cope with the complexity of this construction project, the system theory technique was applied, and the main results affirm that the application of STAMP and STPA to the Lom Pangar construction project reveals systematic risks that are not addressed with PRA. Single accident analysis, as used at Lom Pangar, is a crucial part of risk assessment for the design and construction of a dam, but it has its limitations. It is important to look further into how those risks are connected and to subject them to more thorough control. STAMP and STPA could offer the vision needed to close that gap.
The results prove that the application of STAMP and STPA has forced consideration of systematic factors, such as the underlying source of potential hazards in the design and construction of a dam. The system theory model provides a wider view of accident mechanisms than the PRA technique (failure events). The systematic risks revealed in this study include the possibility of a lack of support from EDC’s stakeholders; loss of quality, security and safety when outsourcing projects; unsafe control actions of the risk manager; and the unsafe actions that can cause those systematic risks. The HCS pointed out some hidden flaws in EDC’s external and internal functional environment that can be used to draft improvements to operating conditions and to impose safety constraints.
The STPA analysis has proven to be applicable to a sociotechnical system involving cognitively complex human interaction, organizational structure and management methods. However, the case study focused essentially on the involvement of the HSE manager in the project. It is recommended to expand the study to the entire project workforce in future work.

Appendix A. Supplementary material

Supplementary data to this article can be found online at https://doi.org/10.1016/j.ssci.2019.06.007.

References

Behm, M., 2005. Linking construction fatalities to the design for construction safety concept. Saf. Sci. 43 (8), 589–611.
Business in Cameroon, 2014. Successful Water Bypass at Lom Pangar Dam, 24 July 2013 (retrieved 18.02.14).
Carlan Kramer et al., 2012. Digging into construction: Social networks and their potential impact on knowledge transfer.
Chaplin, R., 2006. Organisational ‘Safety Stressors’ and their Relationship to Severe Accidents and Incidents Occurring within the UK Construction Industry. Paper to MCG.
Chi, C., Chang, T., Ting, H., 2005. Accident patterns and prevention measures for fatal occupational falls in the construction industry. Appl. Ergon. 36 (4), 391–400.
China International Water and Electric Corporation, 2014. Lom Pangar Hydropower Project (retrieved 18.02.14).
Electricity Development Corporation, 2014. Lom Pangar Hydroelectric Project Environmental and social assessment (ESA) (retrieved 18.02.14).
Gibb, A.G.F., Haslam, R.A., Hide, S., Gyi, D.E., Duff, A.R., 2006. Why accidents happen. In: Civil Engineering, Proceedings of the Institution of Civil Engineers, vol. 159, November 2006, pp. 46–50, ISSN 0965 089 X, ICE Gold Medal Winner 2007.
Haslam, R.A., Hide, S.A., Gibb, A.G.F., Gyi, D.E., Pavitt, T., Atkinson, S., Duff, A.R., 2005. Contributing factors in construction accidents. Appl. Ergon.
HydroWorld, 2014. Work begins on Cameroon’s 30-MW Lom Pangar. 15 August 2012 (retrieved 18.02.14).
Ishimatsu, T., Leveson, N., Thomas, J., Katahira, M., Miyamoto, Y., Nakao, H., 2010. Modeling and hazard analysis using STPA. In: International Association for the Advancement of Space Safety.
Kazaras, K., Kontogiannis, T., Kirytopoulos, K., 2014. Proactive assessment of breaches of safety constraints and causal organizational breakdowns in complex systems: A joint STAMP–VSM framework for safety assessment. Saf. Sci. 62, 233–247.


Lingard, H., Rowlinson, S., 2005. Occupational Health and Safety in Construction Project Management. Spon Press, ISBN 0 419 26210.
Matthew Seth Placke, 2014. Application of STPA to the Integration of Multiple Control Systems: A Case Study and New Approach. Master’s Thesis. Engineering Systems Division, MIT.
Leveson, Nancy, 2004. A new accident model for engineering safer systems. Saf. Sci. 42 (4).
Leveson, Nancy, 2011. Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge, Mass.
Leveson, Nancy, Daouk, Mirna, Dulac, Nicolas, Marais, Karen, 2003. Applying STAMP in Accident Analysis. Workshop on Investigation and Reporting of Incidents and Accidents (IRIA).
Karanikas, Nektarios, 2018. Documentation of assumptions and system vulnerability monitoring: the case of system theoretic process analysis (STPA). Saf. Sci. 02 (01), 84–93.
Underwood, P., Waterson, P., 2014. Systems thinking, the Swiss cheese model and accident analysis: A comparative systematic analysis of the Grayrigg train derailment using the ATSB, Accimap and STAMP models. Accid. Anal. Prev. 68, 75–94.
Rasmussen, Jens, 1997. Risk management in a dynamic society: a modeling problem. Saf. Sci. 27 (2/3), Elsevier Science Ltd., pp. 183–213.
Ringen and Stafford, 1996. Intervention research in occupational safety and health: Examples from construction. Am. J. Ind. Med. 29, 314–320.
Rong, H., Tian, J., 2015. STAMP-based HRA considering causality within a sociotechnical system: A case of Minutemen III Missile accident. Hum. Factors 57 (3), 375–396.
Salmon, P.M., Cornelissen, M., Trotter, M.J., 2012. Systems-based accident analysis methods: A comparison of Accimap, HFACS, and STAMP. Saf. Sci. 50 (4), 1158–1170.
Suraji, A., Duff, A.R., Peckitt, S.J., 2001. Development of causal model of construction accident causation. J. Constr. Eng. Manage. 127 (4), 337.
Whittington, C., Livingston, A., Lucas, D.A., 1992. Research into management organizational and human factors in the construction industry. HSE CRR No. 45/1992, HSE Books, Sudbury, Suffolk.
World Bank, 2014. Lom Pangar Hydropower Project. Project Information Document (retrieved 18.02.14).
Yao, Song, 2012. Applying System-Theoretic Accident Model and Processes (STAMP) to Hazard analysis. Master’s Thesis. Manchester University.
Yisug, Kwon, December 2015. System Theoretic Safety Analysis of the Sewol-Ho Ferry Accident in South Korea. Master’s Thesis, MIT.
Yoon, S.J., Lin, H.K., Chen, G., Yi, S., Choi, J., Rui, Z., 2013. Effect of occupational health and safety management system on work-related accident rate and differences of occupational health and safety management system awareness between managers in South Korea’s construction industry. Saf. Health Work 4, 201–209.
