Safety Science
journal homepage: www.elsevier.com/locate/safety
System theory based hazard analysis for construction site safety: A case study from Cameroon
Dongfack Guepi Clovis Jamot, Jong Yil Park⁎
Department of Safety Engineering, Seoul National University of Science and Technology, Seoul, Republic of Korea
Keywords: Health and safety risk; STAMP-STPA; Safety constraint; Hierarchical control structure; System safety

Introduction: Construction sites are known for their complex environments where many unsafe acts and/or unsafe conditions exist. Traditional risk analysis methods, such as Probabilistic Risk Analysis (PRA), deal with linear systems or component failures. These traditional techniques are not efficient for analyzing nonlinear or complex systems such as construction sites.
Method: This study applied a system theory approach to a construction project risk assessment. We used a System-Theoretical Process Analysis (STPA) based on System-Theoretic Accident Model and Processes (STAMP). Data were collected in different stages. Firstly, literature from various journal papers, articles, theses, websites and the Electricity Development Corporation of Cameroon’s (EDC) risk register was reviewed. Secondly, a case study was carried out to check the applicability of system safety to a construction project where PRA was initially used by the project team. Questionnaires were conducted on five selected project team members to get their point of view on the application of STPA.
Result: The main contribution of this approach was that, by simulating more scenarios, it revealed some systematic risks that were not detected with the PRA approach, such as: lack of support from the EDC stakeholders; loss of quality, security and safety when using subcontractors; and unsafe control actions by the risk manager.
Conclusion: To cope with the complexity of construction projects, the STPA approach seems to produce higher quality results compared to the PRA approach since its prime aim is to simulate possible scenarios.
⁎ Corresponding author at: Department of Safety Engineering, Seoul National University of Science and Technology, Seoul 018811, Republic of Korea.
E-mail address: jip111@seoultech.ac.kr (J.Y. Park).
https://doi.org/10.1016/j.ssci.2019.06.007
Received 30 November 2018; Received in revised form 15 April 2019; Accepted 5 June 2019
Available online 15 June 2019
0925-7535/ © 2019 Elsevier Ltd. All rights reserved.
D.G.C. Jamot and J.Y. Park Safety Science 118 (2019) 783–794
safety constraints.

System-Theoretical Process Analysis (STPA) is a systematic hazard analysis technique based on System-Theoretic Accident Model and Processes (STAMP). STAMP is a systematic, top-down approach to risk assessment, where safety is treated as a control problem. Emphasis is put on behavioral safety constraints that are enforced on a systematic level. PRA is a bottom-up, event based risk analysis technique. Emphasis is put on the failure chain of events, with interpretation of failure probabilities. STPA and STAMP provide an approach in risk analysis that shifts focus from component failure to component interaction failure (Leveson, 2011).

The methodology of STAMP and STPA cited in this research paper is entirely based on the work of Dr. Nancy Leveson, professor of Aeronautics and Astronautics at Massachusetts Institute of Technology, and her published work (Leveson, 2011).

The paper is structured as follows: Section 2 is dedicated to the literature review. Section 3 is for the research methodology. The case study is presented in Section 4, followed by Section 5 containing the results. Section 6 presents an evaluation survey, Section 7 contains discussions on the case study and finally, concluding remarks are made in Section 8.

2. Literature review

2.1. System-Theoretic Accident Model and Processes (STAMP)

STAMP was developed within the complex System Research Lab of the Massachusetts Institute of Technology by Prof. Dr. Nancy Leveson. This accident model proposed a paradigm shift, since the accident is no longer seen as a result of a single failure, but as the consequence of a control problem within the system. This model is based on three fundamental concepts: safety constraint, the hierarchical control structure and the process models. In a system accident model, unacceptable losses occur because safety constraints are not successfully enforced. The STAMP model is a relatively recent model and is now the subject of numerous studies and parallel work to improve it (Nektarios Karanikas, 2018; Rong and Tian, 2015; Underwood and Waterson, 2014; Kazaras et al., 2014; Salmon et al., 2012). STAMP integrates engineering analysis causal factors, such as software, human decision-making and human factors, new technology, social and organizational design, and safety culture, all of which are becoming ever more threatening to safety in our increasingly complex systems (Leveson et al., 2003). In STAMP, accidents are perceived as resulting not from component failures, but from inadequate control or enforcement of safety-related constraints on the design, development, and operation of the system. Safety is considered to be a control problem: accidents occur when component failures, external disturbances, and/or dysfunctional interactions among system components are not appropriately handled (Leveson, 2004; Yao, 2012; Yisug, 2015). This model is based on both the general theory of systems and the theory of controls. It is also based on Rasmussen's dynamic safety model. This model describes human behaviors as trajectories in an abstract work space bounded by a set of administrative, functional and safety boundaries that constrain workers’ degrees of freedom (Rasmussen, 1997) (see Fig. 1).

2.2. System-Theoretic Process Analysis (STPA)

STPA is a powerful hazard analysis technique based on STAMP, while CAST (Causal Analysis based on STAMP) is the equivalent for accident and incident analysis (Leveson, 2011; Yao, 2012). STPA can be used at any stage of the system life cycle. It provides the information necessary to establish safety in system design, development, manufacturing and operations, depending on when it is applied. STPA also includes the natural changes of the system that will occur over time. When unacceptable losses for the system have been identified, hazardous states leading to those accidents can be identified. Potential hazards imposing the system are recognized before safety constraints are designed, and each control action applied to the system is verified to secure safety. System safety requirements and safety design constraints are derived to prevent the hazards from happening.

STPA has two main steps. The first involves identification of the potential inadequate control of the system that could lead to hazardous states resulting from inadequate control or enforcement of safety constraints. The assessment of the hazard control involves the following four steps for each control action required for the system.

(1) A control action required for safety is not provided or not followed.
(2) An unsafe control action is provided.
(3) A potentially safe control action is provided too early, too late or out of sequence.
(4) A control action required for safety is stopped too soon or applied too long.

Incorrect or unsafe control actions may cause dysfunctional behavior or interactions among components (Ishimatsu et al., 2010).

The second step involves determination of how each potentially unsafe control action identified in step one of the analysis could happen. Each part of the control loop is examined to see if it could cause or contribute to a hazardous scenario. Safety controls need to be designed if they do not exist (Matthew Seth Placke, 2014). On an existing system, evaluation is needed on mitigation measures. Conflicts need to be identified between multiple controllers of the system. Consideration is needed on how safety constraints should adapt for ever changing systems, and protection against degradation built into the safety controls. Fig. 2 shows how causal factors (scenarios) leading to a hazard appear with respect to a control structure.

Improper operation of the control loop may contribute to the general types of inadequate control. Controller operation, behavior of the actuator and the controlled process, as well as communication and coordination between controllers, are the three general categories of causal factors for inadequate control.

The STPA analysis can be derived from any level of the hierarchical control structure (HCS), given that each controller in the HCS is itself controlled by higher level controllers (control input), but applications between levels of the sociotechnical HCS may differ. Inconsistencies between the process model (used by the controller) and the actual process states can lead to threats. Although process models rarely can be complete enough to cover all possible states of the system, the goal should be to make them complete enough so that no safety constraints are violated during system operation. Actuators may not respond immediately to an external command signal. Failure in the downward (reference) channel might lead to delays or flawed operation of the actuators. An actuator flaw could result in control action delivery failure to the controlled process, which might lead to accidents. A flaw in the upward (measuring) channel could result in inadequate information to the controller, which could lead to unsafe control action.

Communication between all parts of the control loop is critical in maintaining system safety. Coordination of control actions is critical in securing boundary areas of the HCS.

2.3. LOM PANGAR project and Probabilistic Risk Analysis for the Project

The lack of infrastructure in Cameroon, as in many sub-Saharan African countries, slows economic growth. Recently, the Cameroon government decided to improve its energy, telecommunications, construction, and transportation systems. Regarding the energy sector, there is the hydroelectric dam project at Lom Pangar. This dam is located in the department of Lom and Djerem of the Eastern Region of Cameroon, at the confluence of the rivers Lom and Pangar. The project includes the construction and operation of a dam, a reservoir of 6 billion m³ of water (useful capacity), a 30 MW hydropower plant at the foot of the dam and a power line to the city of Bertoua for local use
[Figure: control loop diagram. Labels: Controller (Control Algorithms; Set points, system goal); Control Actions; Feedback; Actuators (Reference Channel); Sensors (Measuring Channel); Controlled Variables; Measured Variables; Controlled Process; Process Inputs; Process Outputs; Disturbances.]
Fig. 1. A standard control loop for simple control structure (Leveson, 2011).
(HydroWorld, 2014; World Bank, 2014; China International Water and Electric Corporation, 2014; Electricity Development Corporation, 2014).

When the project started, emphasis was put on risk management within the construction company. The risk management followed international standards when performing risk analysis: the ISO 31000 standard in all main points.

A special risk management team was formed for the project, where experts from within the company and outside counsel identified risks associated with construction of a dam. The risk management defined the project life cycle as two phases (design and construction). The risk management team was led by an HSE manager, who worked closely with the project manager.

The risk analysis involved PRA, a widely used method in risk analysis. PRA is a bottom-up risk analysis that defines risk as a combination of severity and probability. A risk matrix was used to determine the threat from imposing risks.

Table 1 shows a typical risk matrix. A similar risk matrix was used in the risk assessment for the Lom-Pangar dam project. Each imposing risk factor was assessed with respect to time, cost, operation and health, safety and environment (HSE). Severity of the risk was listed from 1 to 4 as minor, major, critical and catastrophic depending on the consequences they would have on the project, with respect to those factors. Probability was listed from 1 to 4, depending on the chances of the occurrence of the event during the project.

If the risk factor score is between 1 and 2, the risk is considered acceptable. A risk factor from 3 to 6 is considered to be risk as low as reasonably practicable and requires improvement. From 8 to 16, the risk is considered unacceptable and permanent surveillance is required for risk reduction. For this project, a risk register was used throughout the entire project by the HSE team to register risks, their score on the risk matrix with respect to time, cost, operation and HSE, and the measures taken to reduce or control them. The risk register presents the action that was taken, when and by whom. As the project evolved, imposing risks altered. Some were excluded after suitable arrangements, others changed in nature and/or severity. Special attention was brought to the
Fig. 2. Things that can go wrong in the control loop (Leveson, 2011).
Table 1
Risk matrix.
Table 2
Lom Pangar Project Non – Tolerable Risk Factors adapted by authors from EDC risk register.
HSE Time Operation Cost
Risk level 16 2013 2018 2013 2018 2013 2018 2013 2018
1 Budget overrun 9 16
2 Currency risk 16 4
3 Concrete blockage for reservoir 1 16 1 16 1 8
Risk level 12
4 Geological descriptions and report 9 9 12 12
5 Changing the design during construction 12 12 8 8
6 Road to the work site in the forest 12 8 12 8
7 HSE issues not active 12 8
8 Workers injury 12 9
9 Draft tubes and spiral installation 12 12 4 9 6 9
10 Preliminary research (wrong methods, insufficient, …) 6 12 8 12
11 Government claim for procurements; appeals to public complaints 12 0 8 0
12 Financing failure 12 3 12 3
13 Secure site electricity supply 0 8 0 12 0 8
14 Mines, core substance (quality/quantity) not respecting the project description. 8 4 12 4
15 Rock fall defense: arrangement of stones, location 12 4 8 4
fact that with changing one risk factor, others could rise. Some risks were considered as near losses; their impact would have had serious implications on the project success (catastrophic or critical severity) and they were considered an imminent threat. The risk register shows that 28 risk factors were identified as non-tolerable (8–16 score in risk matrix) and had constant surveillance during the project (Table 2). Considering all criteria, it was then assumed that the project was an overall success (Business in Cameroon, 2014), because of lack of HSE record from the project risk management team.

3. Research methodology

3.1. Objective

The aim of the present research study is to apply System-Theoretical Process Analysis (STPA) to a real-life construction project where a Probabilistic Risk Analysis (PRA) method was initially used by a construction project team. The purpose of the STPA analysis in this case was not to give a complete risk assessment with all possible risks included, but rather to utilize the STPA methodology to recognize systematic threats that cannot be identified with the PRA method. Bottom-up analysis used to identify single risks is a crucial part of risk analysis, but with its limitations, it is important to look further into how those risks are connected and subject to a more thorough control. Risk analysis from Electricity Development Corporation of Cameroon’s (EDC) was used as a reference.

3.2. Research method

Literature reviews on the Lom Pangar project, STAMP and STPA were performed to learn about the basic knowledge and applications. System-Theoretic Process Analysis (STPA) is the predictive risk assessment method within the STAMP framework. It permits the mapping of factors that can contribute to specific hazards occurring in socio-technical systems. Following the identification of the potential hazards, STPA is conducted in three iterative steps, representing the system as a whole, starting from an initially high level of abstraction and progressing towards increasing level of granularity. To verify the applicability of STPA to a construction project, a case study was carried out in a dam construction project in Cameroon. The first step of the STPA analysis involves the construction of a high-level hierarchical control structure. The control structure presents all stakeholders within the system under
analysis and the control actions that link the independent stakeholders. Control actions constitute the main source of feedback and interaction between the multiple stakeholders. It is important to specify that in our case study, the control action involved the HSE manager's participation in the project design and construction phases. During the second step of the STPA analysis, unsafe control actions (UCAs) are identified through applying standardized error classification to each of the control actions identified in the first step. Within STPA, the error classification is driven by the use of four guide sentences:

(1) A control action required for safety is not provided or not followed;
(2) An unsafe control action is provided;
(3) A potentially safe control action is provided too early, too late or out of sequence;
(4) A control action required for safety is stopped too soon or applied too long.

Table 3
System Goals for the success of the Lom Pangar Project.
Goal    System Goal for Lom Pangar Project
G1      Complete the construction on time
G2      Complete the project within the budget plan
G3      Ensure no harm or injury to human health and environment

Table 4
Unacceptable Losses for Lom Pangar.
Unacceptable Losses for Lom Pangar Project
U1      Construction not complete on time                                   G1
U2      Overrun of project budget plan                                      G2
U3      Injury or loss of human life                                        G3
U4      Loss of public policy support
U5      Loss of quality, security and safety when outsourcing projects
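
The four guide sentences and the control-loop examination described above can be turned into a small worksheet generator. The Python below is an added illustration, not code from the paper: entity names are taken from the paper's text and figures, while the `ControlAction` and `Feedback` types, the finding labels and the sample edges (which feedback channels exist) are assumptions constructed for the example.

```python
"""STPA worksheet helper (added example; not part of the paper)."""
from collections import defaultdict
from dataclasses import dataclass

# The four guide sentences of STPA Step 1, as listed in the text.
GUIDE_SENTENCES = (
    ("not_provided", "A control action required for safety is not provided or not followed"),
    ("unsafe_provided", "An unsafe control action is provided"),
    ("wrong_timing", "A potentially safe control action is provided too early, "
                     "too late or out of sequence"),
    ("wrong_duration", "A control action required for safety is stopped too soon "
                       "or applied too long"),
)


@dataclass(frozen=True)
class ControlAction:
    controller: str   # who issues the action
    controlled: str   # who or what is being controlled
    action: str


@dataclass(frozen=True)
class Feedback:
    source: str       # the controlled entity being reported on
    controller: str   # who receives the report
    observer: str     # who actually performs the measurement (the sensor)


def uca_worksheet(actions):
    """Step 1: one candidate row per (control action, guide sentence)."""
    return [
        {"id": f"UCA-{i}.{j}", "controller": a.controller, "action": a.action,
         "type": key, "prompt": text}
        for i, a in enumerate(actions, 1)
        for j, (key, text) in enumerate(GUIDE_SENTENCES, 1)
    ]


def structural_findings(actions, feedbacks):
    """Step 2 aid: weaknesses that are visible from the control structure alone."""
    loops = defaultdict(list)
    for f in feedbacks:
        loops[(f.controller, f.source)].append(f)
    controllers_of = defaultdict(set)
    for a in actions:
        controllers_of[a.controlled].add(a.controller)

    findings = []
    for a in actions:
        loop = loops.get((a.controller, a.controlled), [])
        if not loop:
            # Control action with no feedback channel back to the controller.
            findings.append(("open_loop", a.controller, a.controlled))
        elif all(f.observer == a.controller for f in loop):
            # Controller is its own sensor (the situation Fig. 7 describes).
            findings.append(("self_sensing", a.controller, a.controlled))
    for controlled, ctrls in controllers_of.items():
        if len(ctrls) > 1:
            # Several controllers over one entity: check for conflicting actions.
            findings.append(("multiple_controllers", tuple(sorted(ctrls)), controlled))
    return findings


# Constructed sample. Names come from the paper; the edges are assumptions.
MINISTRIES = (
    "Ministry of Planning, Programming and Regional Development",
    "Ministry of Economy and Finance",
    "Ministry of Energy and Water Resources",
    "Ministry of Environment and Nature Protection",
)
ACTIONS = [ControlAction(m, "EDC", "regulation and licensing") for m in MINISTRIES] + [
    ControlAction("HSE manager", "Lom Pangar dam project",
                  "participation in design and construction phases"),
]
FEEDBACKS = [
    Feedback("EDC", MINISTRIES[2], observer="EDC"),
    Feedback("Lom Pangar dam project", "HSE manager", observer="HSE manager"),
]

if __name__ == "__main__":
    for row in uca_worksheet(ACTIONS)[-4:]:
        print(row["id"], "|", row["controller"], "|", row["prompt"])
    for finding in structural_findings(ACTIONS, FEEDBACKS):
        print(finding)
```

Each worksheet row is only a prompt for the analyst; whether a row is actually hazardous, and which of the losses U1 to U5 it leads to, remains a judgement made in the analysis.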
[Figure: hierarchical control structure diagram. Labels: Cameroon Parliament; Ministry of Planning, Programming and Regional Development; Ministry of Economy and Finance; Ministry of Energy and Water Resources; Ministry of Environment and Nature Protection; Electricity Delivery.]
Fig. 3. Hierarchical Control Structure (HCS) for EDC’s external operational environment.
[Figure: hierarchical control structure diagram. Labels: Monitoring; System Testing; Requirements Validation; Lessons learned; Supervision; Project Planning; Project Management; Risk Management; Feedback; Maintenance; Lom Pangar Operation; Construction Management.]
Fig. 4. Hierarchical Control Structure (HCS) for EDC’s internal operational environment.
(1) A control action required for safety is not provided or not followed.
(2) An unsafe control action is provided that leads to a hazard.
(3) A potentially safe control action is provided too early, too late, or out of sequence.
(4) A safe control action is stopped too soon or applied too long.

By applying the control actions and determining the unsafe control action based on them, STPA analysis can be done. The HSE manager's involvement in this project life cycle can be compared during STPA analysis. For the STPA analysis, the control actions applied were:

(1) The HSE manager is actively involved and taking part in project plans and construction of the dam.
(2) The HSE manager is not actively involved until construction of the dam has started.
(3) The HSE manager is not involved in the project at all, neither during design nor construction.

The STPA analysis for each control action is presented in Table 7. In all possibilities, the HSE manager was the controller. “YES” designates early participation of the HSE manager in the project life cycle (he participated actively during the design and construction phases of the dam). “NO” signifies that the involvement of the HSE manager was not adequate in the project life cycle. The “former NO” describes an HSE manager who was not involved in the design phase of the project (he was actively involved only during the construction phase of the project life cycle and not during the design). The “latter NO” describes an HSE manager not actively involved in the project at all. The table shows potentially unsafe control actions resulting from the three control actions. For any unsafe control action detected, hazards (R1-R7) that could derive from them were identified.

4.4.2. STPA Step 2: Causal scenarios identification

The second step of the STPA method focuses on evaluating how the risky control activity recognized in the initial step could happen. Each part of the control structure was analyzed to check whether it could result in a safety peril. Once the causes of the dangerous situation are recognized, mitigation measures that do not presently exist within the framework of the safety program can be created.

Fig. 7 demonstrates the causal scenario in a control structure to be considered as potentially hazardous scenarios, with focus on risk identification inside EDC. This figure shows a human controlled control structure of hazard administration; no computerization was utilized in any of the construction phases of the Lom Pangar dam. Actuators were all key members of the project: parties in charge of delivery of completed parts of the project during its life cycle (design and construction). Key members were planners, contractual workers, administrators, wellbeing officer, project director and architect.

5. Results

The Hierarchical Control Structure was drawn for the EDC's external and internal condition tasks (Figs. 3 and 4). By designing the internal and external conditions of the firm, the focus moves to control of weaknesses: to identify places in the system where inadequate control could create safety hazards and other losses. Control action and feedback are displayed by arrows. The broken arrows indicate the plausibility of lack of support in the system. Figs. 5 and 6 represent the internal and external situation of the EDC and how unsafe control actions could emerge.

The EDC's external operational environment is presented in Fig. 5. This figure describes how the EDC’s interests could be at legal risk. Broken arrows represent the case where help from the company's partners is absent. For the firm to operate normally, the hierarchical control structure should support decision making.

The EDC's internal operational environment is presented in Fig. 6. The broken arrows indicate how potentially hazardous control activity involving the HSE manager could emerge in the organization. The figure portrays how absence of support can lead to project losses.

Table 7 displays the initial phase of STPA analysis. The STPA analysis was performed to define the system hazards (Tables 5 and 6). Control action that included the participation of the HSE manager in
Table 7
Potentially hazardous control action identification.
[Table body garbled in extraction. Surviving labels: NO (Former); NO (Latter); Not Applicable; Too Soon; Too Long; Early; Late. Surviving entries:]
(2) The HSE manager is not participating actively in the project until the construction phase started.
(3) The HSE manager is not participating in the project at all, neither during design phase nor construction phase (R1-R7)
(b) Incomplete risk identification and interrelation
(c) HSE manager is involved early with project plans but no follow-up
Incomplete risk identification and mitigating risk (R1-R7)
Risk is not identified and managed in early stage (R1-R7)
Risk is not identified or managed, neither during design nor construction phases (R1-R7)

[...] trolling the control structure of the risk management process during the design and construction of the dam. The model shows how the actuator, [...] safety funnel to one person whose job it is to oversee the entire program. The examples of situations presented in Fig. 7 give an example of hazards and where they could emerge within the control structure.

6. Evaluation survey

[...] project, an evaluation survey was conducted within the project site with [...] On the other hand, the team members gave an average rating of 2.6 for the analysis time and 2.4 for the complexity of the method.

The table shows that the PRA received an excellent rating of 4.2 for complexity and analysis time. Then, it received 4.0 for its structure. On the other hand, PRA received an average rating of 3.0 for risk identifi-

7. Discussion

[...] chain models (PRA). Despite the fact that the case study here did not
[Figure: control loop diagram. Labels:]
Controller: HSE Manager
Actuator: Human Actuator, consisting of Key Members of Construction
Sensor: Human Sensor (HSE Manager)
Controlled process: Lom Pangar Dam Project Risks
Inadequate control action
Delayed Project: Delays in a single project component could affect the overall project schedule
Incorrect or missing feedback:
- Feedback delay
- Necessary information from key members not provided
Conflicting control action:
- Cooperation between contractors at site crucial
- Project plans are ignored
Unidentified or unpredicted disturbances that could affect the project schedule:
- Geological conditions not as expected
- Weather disturbance
Process output contributes to system hazard:
- Threat of disruption of projects not noticed
- Safety recommendations are ignored
- Wrong coordination of projects
- Adjustments to protect project schedule insufficient
Fig. 7. Human controlled system: where controller and sensor function as the same person.
Table 8
Scale used for the evaluation of the STPA analysis from the Project team members.
Table 9
The team members’ evaluation of the STPA analysis method.
Table 10
The team members’ evaluation of the PRA method.
mitigating single risks. Focus on independent failure in risk management will only reduce symptoms of the underlying problem. With a top-down approach on a subset of imposing risks, a system level safety requirement that reduces all risks can be derived (Leveson, 2011).

Despite near losses that occurred during the project life cycle, the project was considered an overall success by EDC’s management (Business in Cameroon, 2014). With less tolerance for single accidents, near losses should be treated as serious and unacceptable events; simple luck is sometimes the only distinction between an actual loss and a near loss. The accidents that were identified in the case study all represent a risk that at some point during the project life cycle was considered a near loss. The system accident model demonstrates the importance of a systematic view of hazards. With a clear overview provided by the system accident model, risks are put into a perspective that allows for a more comprehensive understanding than when concentrating on single risks (Leveson, 2011).

It was concluded that early and active participation of the HSE manager in all aspects of the project life cycle represents an effective way to deal with risk recognition in the case study. The initial step of STPA analysis showed how risk became controllable when the control action was used early in the project life cycle. If the control action is not fully applied, the risk will become less controllable. If there is no control action, risks are not controllable. Although it is highly unrealistic to think that the HSE manager was completely absent during the project, the situation provides comparison with the first two, highlighting the significance of early and active participation of risk management in construction.

The result also demonstrates the importance of involving automation in the risk management process. Fig. 7 demonstrates that the HSE manager must be available and in perpetual collaboration with all the other key members of the project to effectively perform his job. The HSE manager can be assisted by dynamic management software to link key members and provide visibility during the project. This kind of software would function as a sensor in the control structure, and would diminish the job of the HSE manager. If one person (HSE manager) is in charge of the whole procedure with no automated processes, the likelihood of hazards emerging increases due to lack of overview and controllability.

Threat of loss of public policy support (U4), as well as threat of loss of quality, security and safety when outsourcing projects (U5), is depicted in Fig. 5. The HCS shows the unpredictable external environment of the EDC’s activity, by diagramming its various partners. It exposes the challenging communication with its controlling units and its convoluted legal situation. Political authorities have a critical impact on the organization’s task, offering public policy support. Likewise, assistance from the state’s overall population has an essential influence on the organization. The fact that license agreements from the earlier start of the project in 2013 had not been finalized shows where loss of public policy support appears (U4). Support from the general public also plays an important part for the company, being state property. Approval for individual projects and operation is needed; balanced interaction between the public and authorities is critical for the company to operate as expected.

The large subset of governmental stakeholders involved with EDC’s regulation and licensing can cause conflicts of interests. Four ministries participate in the operation of EDC and that could generate conflicts. Jurisdiction between these governmental parties is diverse. Therefore, solidarity between authorities is the keystone of a stable operating environment for the company.

Fig. 5 represents the likelihood of compromising quality and safety while subcontracting projects. The EDC works in collaboration

[...] contributed to loss of quality, security, and even safety of the project (U5).

8. Conclusion

A construction site is complex because both the work environment and the workforce constantly change. A construction company should look at both single failures and control problems (complex systems interactions) to evaluate risks linked to their activities. To cope with the complexity of this construction project, the system theory technique was applied, and the main results affirm that application of STAMP and STPA on the Lom Pangar construction project reveals systematic risks that are not addressed with PRA. Single accident analysis, as was used in Lom-Pangar, is a crucial part of risk assessment for design and construction of a dam, but with its limitations. It is important to look further into how those risks are connected and subject to a more thorough control. STAMP and STPA could offer the vision needed to close that gap.

The results prove that the application of STAMP and STPA has forced consideration of systematic factors, such as the underlying source of potential hazards in the design and construction of a dam. The system theory model provides a wider view of accident mechanisms than the PRA technique (failure events). The systematic risks revealed in this study include possibility of lack of support from the EDC’s stakeholders; loss of quality, security and safety when outsourcing projects; unsafe control action of the risk manager, and unsafe action that can cause those systematic risks. The HCS pointed out some hidden flaws in the EDC’s external and internal functional environment that can be used to draft improvements to operating conditions and to impose safety constraints.

The STPA analysis has proven to be applicable for a sociotechnical system involving cognitively complex human interaction, organizational structure and management methods. However, the case study focused essentially on the involvement of the HSE manager in the project. It is recommended to expand the study with the entire project workers in future work.

Appendix A. Supplementary material

Supplementary data to this article can be found online at https://doi.org/10.1016/j.ssci.2019.06.007.

References

Behm, M., 2005. Linking construction fatalities to the design for construction safety concept. Saf. Sci. 43 (8), 589–611.
Business in Cameroon, 2014. Successful Water Bypass at Lom Pangar Dam, 24 July 2013 (retrieved 18.02.14).
Carlan Kramer et al., 2012. Digging into construction: Social networks and their potential impact on knowledge transfer.
Chaplin R., 2006. Organisational ‘Safety Stressors’ and their Relationship to Severe Accidents and Incidents Occurring within the UK Construction Industry. Paper to MCG.
Chi, C., Chang, T., Ting, H., 2005. Accident patterns and prevention measures for fatal occupational falls in the construction industry. Appl. Ergon. 36 (4), 391–400.
China International Water and Electric Corporation, 2014. Lom Pangar Hydropower Project (retrieved 18.02.14).
Electricity Development Corporation, 2014. Lom Pangar Hydroelectric Project Environmental and social assessment (ESA) (retrieved 18.02.14).
Gibb, A.G.F., Haslam, R.A., Hide, S., Gyi, D.E., Duff, A.R., 2006. Why accidents happen. In: Civil Engineering, Proceedings of the Institution of Civil Engineers, vol. 159, November 2006, pp. 46–50, ISSN 0965 089 X – ICE Gold Medal Winner 2007.
Haslam, R.A., Hide, S.A., Gibb, A.G.F., Gyi, D.E., Pavitt, T., Atkinson, S., Duff, A.R., 2005. Contributing factors in construction accidents. Appl. Ergon.
HydroWorld, 2014. Work begins on Cameroon's 30-MW Lom Pangar. 15 August 2012 (retrieved 18.02.14).
with designers and contractors for majority of their jobs. During the Ishimatsu, T., Leveson, N., Thomas, J., Katahira, M., Miyamoto, Y., Nakao, H., 2010.
Modeling and hazard analysis using STPA. In: International Association for the
Lom Pangar Project, many contractors were working for the EDC at the Advancement of Space Safety.
site. On the other hand, many subcontractors were working indirectly Kazaras, K., Kontogiannis, T., Kirytopoulos, K., 2014. Proactive assessment of breaches of
with the EDC’s management, but directly with their supervisory con- safety constraints and causal organizational breakdowns in complex systems: A joint
STAMP–VSM framework for safety assessment. Saf. Sci. 62, 233–247.
tractor. Misbehavior of contractors and subcontractors could have
D.G.C. Jamot and J.Y. Park Safety Science 118 (2019) 783–794