The Concept Towards a Standard Safety Model (STASAM v.0)

In safety science and practice, there have been various safety models, each of them reflecting a particular approach to safety management and accident causality. The large variety of models suggested in the literature and applied in practice serves the communication of diverse perspectives on safety and the need to consider contextual factors, but it does not allow the establishment of a common language within and across organisations and industry sectors. Considering the potential benefits of speaking a lingua franca when it comes to safety, and inspired by the Standard Model used in particle physics and recent suggestions from relevant studies, we explored the possibility of introducing a Standard Safety Model (STASAM). As a first step, we focused on four representative safety and accident models that are widely used, discussed and debated: the Swiss Cheese Model, AcciMap, the Functional Resonance Analysis Method (FRAM) and Systems-Theoretic Accident Model and Processes (STAMP). We reviewed literature comparing these models, and we listed the strengths and weaknesses of each as a means to set the grounds for the STASAM. Combining these models with the aim of retaining their advantages and avoiding their disadvantages led to a three-level STASAM. The concept STASAM was applied to two randomly chosen incident investigation reports to assess its applicability and visualisation against the original models. The results of the application, along with the STASAM concept, were reviewed by three safety professionals and three safety researchers. The comments received were positive and indicated the potential of establishing an inclusive and commonly accepted safety/accident model. The next research phase will be the additional review of the STASAM and its pilot application to a variety of safety events and systems as a means to test its reliability and strengthen its validity.


INTRODUCTION
Over the last decades, hundreds of safety and accident methods and models (SAMMs) have been developed (Everdij & Blom, 2016) to help practitioners and scientists analyse and understand socio-technical systems with the goal to improve safety. Each model along with its accompanying method, where available, advocates a different approach to system safety, a situation that serves the need for diverse perspectives. However, when it comes to the actual conclusions and recommendations generated by safety analyses or investigations, the use of various SAMMs does not always foster a common understanding of risks and causality and a uniformly acceptable approach to necessary system interventions. Moreover, the application of different SAMMs to the same cases or even of one SAMM to the same case by different analysts might lead to low reliability and consistency (Filho, Jun, & Waterson, 2017).
Inspired by the domain of particle physics, where scientists have established an ever-evolving Standard Model that continuously incorporates the commonly endorsed theories and accommodates the respective empirical research, the authors considered that a similar approach could be examined in the field of safety. Although the idea of introducing inclusive SAMMs is not new (e.g., Le Coze, 2013), our goal was to use previous research about the strengths and weaknesses of safety models and methods and compile a Standard Safety Model (STASAM) that accommodates the former, addresses the latter and avoids mere reference to abstract representations, such as the Systemic and Dynamic Sensitising Model of Safety (SDSMS) and Systemic and Socio-Natural-Technical System (SNTS) suggested by Le Coze (2013). This way we aimed at building upon existing knowledge and contributing to the minimisation of the gap amongst researchers and between research and practice (Underwood & Waterson, 2013).
To achieve the objectives of the study, the authors performed a first literature review to detect previous work regarding comparisons amongst various SAMMs as well as views on the merits and limitations of widely-used models. The particular review resulted in the identification of (comparative) studies discussing the advantages and disadvantages of four models discussed extensively in recent literature and applied in practice at various extents: the Swiss Cheese Model (SCM) introduced by Reason (1990), the AcciMap published by Svedung & Rasmussen (2002), the Systems-Theoretic Accident Model & Processes (STAMP) suggested by Leveson (2004), and the Functional Resonance Analysis Method (FRAM) proposed by Hollnagel (2012). It is noted that although the latter was originally named as a model and then changed to a process analysis method, it is still used to illustrate the development of safety events.
During the review of the literature, we excluded publications that promoted an a priori favouritism towards a specific SAMM (e.g., presenting only the weaknesses of one model and the strengths of another) instead of comparing various models or reflecting on the pros and cons of a single model. Table 1 presents the collected strengths and weaknesses across the four SAMMs mentioned above, as derived by combining the work of Reason, Hollnagel, & Paries (2006), Salmon, Cornelissen, & Trotter (2012), Hollnagel (2012), Underwood & Waterson (2012), Debrincat, Bil, & Clark (2013), Alvarenga, Frutuoso e Melo, & Fonseca (2014), Underwood, Waterson, & Braithwaite (2016), de Hoon (2018) and Igene & Johnson (2018). The results were grouped into nine categories with the goal of distinguishing amongst the various areas of interest; the strengths have been coloured green and the weaknesses red.

METHODOLOGY
Following the insights gained from the review of the literature and considering the objectives of this study, the authors listed the following criteria which the STASAM and any safety model/method would ideally be expected to meet:
1. Applicability
a. The model should not be industry-specific, so as to allow its use across various domains and applications.
b. The model should be suitable for or customisable to safety management, safety/risk analyses and safety investigations.
2. Usability
a. The guidance material and graphical representations of the model should not include jargon and overly specific terms. This does not exclude references to safety-related terminology that is uniformly accepted/defined by all users/safety experts irrespective of industry sector.
b. The model must allow the user to decide on the depth and extent of the system under analysis, to achieve the desired equilibrium between abstraction and specificity.
c. The length of the required graphical representations should accord with the size of the system analysed.
d. The model should allow the visualisation of the timeline of events, where applicable.
e. The use of the model should lead to the detection and presentation of flaws in a relatively comprehensible and straightforward way.
3. Soundness
a. The model shall reflect a systems approach.
b. The model should have adequate reliability (i.e. different users will produce similar results).
c. The model should represent the system and its eventualities validly.
d. The explanation of the background and use of the model should not foster cognitive biases (e.g., hindsight bias) or a blaming attitude.
e. The model should support the analyst in detecting risky/problematic areas without neglecting or rejecting acquired knowledge and experience.
f. The model should not suggest a classification of risk and causal factors, to avoid leading or constraining the analyst.
g. The graphical representations should denote the system boundaries and analysis depth, so as to make it possible to formulate the respective analysis assumptions.
Next, the authors, with the support of a graduate student (de Hoon, 2018), started designing the STASAM based on the SCM, AcciMap, STAMP and FRAM by working from abstract to more specific levels and attempting to satisfy the criteria mentioned above to the extent possible. It is clarified that, due to the conceptual stage of this work, we did not aim to check criteria No 2e, 3b, 3c, 3d and 3e above. The four original SAMMs and an interim version of the STASAM, which consisted of a macro and a micro level, were applied to two events to test and demonstrate the usability of the STASAM and to compare its results against the four models mentioned above. The macro-level part, along with the SCM and AcciMap, was applied to the safety investigation report of a serious incident concerning a runway incursion at Schiphol Airport in 2007. The micro-level part of STASAM, together with STAMP and FRAM, was applied to the investigation report concerning an aircraft tail strike accident that occurred at Rotterdam Airport in 2006. Both reports were published in English by the Dutch Safety Board and are publicly available on the official website of that agency under the identification codes 2007015 and 2006082 respectively. These cases were chosen because they are not lengthy, include enough information to apply the models considered, and were attributed to, amongst other factors, human performance problems. This allowed us to use the SCM, AcciMap, STAMP, FRAM and STASAM in the context of a sociotechnical system and, at the same time, observe the time limitations and other constraints of the study. Two different events were selected because we aimed to receive comments regarding the application of the model in different contexts.
A document describing the concept STASAM and the results of the analyses of the cases mentioned above was sent for review to three safety researchers and three safety professionals. To facilitate the review process and collect specific information that could be useful for the revision of the STASAM in future studies, in addition to any general comments, the reviewers were asked to answer questions about (1) their understanding of the STASAM and its possible comprehension by inexperienced analysts, (2) the rating of the graphical and timeline representation of STASAM against the SCM, AcciMap, STAMP & FRAM, (3) the usability of STASAM for safety management/analysis and safety investigation tasks, and (4) the balance between abstraction and detail. The comments received from the reviewers are included in the discussion section 4 below.
Following the external review, several iterations of the STASAM led to its current version, which consists of the following levels:
• Actor Map (macro-level), which is used to define the system under analysis and the study scope. This level reflects mainly the elements of SCM and AcciMap and illustrates the formal and informal relationships amongst system agents in general. If relationships have changed within the period examined, multiple Actor Maps can be used to communicate the respective changes.
• Sequence Map (meso-level), which presents the timeline of eventualities across the system agents included in the macro-level mapping, but in greater detail. This stage is based on AcciMap and FRAM and, amongst others, supports the view of the dependencies and coupling within the system under study.
• Process Map (micro-level), which decomposes the system further into process blocks and embraces principally the approaches of STAMP and FRAM, enriched by the concept of risk barriers. This level allows the analyst to define and communicate the analysis depth and to examine the behaviour of individual system elements as well as their relationships and mutual dependencies.

THE CONCEPT STASAM
The explanation of the STASAM in the following section occasionally uses the glossary of the original SAMMs. Due to the length limitations of the paper and the conceptual stage of the suggested model, the authors do not explain the terms used in detail and assume that the reader has a basic understanding of SCM, AcciMap, STAMP and FRAM as well as their theoretical background and underlying assumptions. Figure 1 presents the general layout of the Actor Map level, which depicts the system under analysis and includes its agents and their interfaces. The system can be defined depending on the focus of the analysis, the resources available (e.g., time, expertise, technology) and possible external influences (e.g., political and organisational). This level illustrates the agents who will be investigated and helps to communicate the scope of the study (i.e. inclusions and exclusions) as well as the accompanying assumptions regarding the actors excluded from the analysis. The Actor Map is based on a combination of AcciMap and STAMP, is customisable to the specific system and context (i.e. it can include only some of the agents suggested in Figure 1 and be drawn at lower or higher system resolutions), and includes the following elements:

Macro-level - Actor Map
• The actors under study who have hierarchical relationships of responsibility/accountability. Actors from higher system levels define constraints for the level(s) under their responsibility with the goal of meeting the (sub)system objectives set. Actors from lower levels provide feedback to the higher level(s) regarding the achievement of objectives, completion of activities, deviations from plans, unexpected events etc. There is no one-to-one relationship, because lower system levels can receive constraints from and provide feedback to multiple higher levels.
• The actors who belong to the same system level. These are expected to coordinate and/or exchange information, best practices etc. with the aim of collectively or collaboratively observing the constraints and meeting the objectives imposed by higher levels. Such coordination might be foreseen by directives from higher levels but can also follow initiatives of the parties involved or become necessary even when not prescribed (e.g., due to system dynamics and evolution). This representation is not meant to exclude cases of information sharing amongst agents of different levels where there is no functional/hierarchical relationship (e.g., conferences and other event types); in that case, additional lines can be drawn to show further interactions of interest.
• The actors who, in general, do not hold any legitimate authority over the specific system and do not hold any responsibility and accountability for its functioning. These actors have mostly advisory, informative and consulting roles, but they can still influence the system under study since they have a role in shaping perspectives, opinions, views etc. and indirectly affect other system actors. Thus, depending on the analysis scope, they can be included or excluded. It is noted that in one analysis an actor can be labelled as advisory (e.g., a university performs research for a national agency), but in another analysis the same actor might have a role within the vertical and horizontal structure (e.g., the university reports to the Ministry of Education).
• The subscripts after the names of the agents signal that there might be several agents per level with different functions/roles. At this phase, the analyst might decide to refer to groups of agents from different activity types (e.g., airline and maintenance companies, customers and employees of companies) or to individual and unique ones, depending on the analysis scope and objectives.

Meso-level - Sequence Map
The goal of the Sequence Map is to present the forward timeline of control and communication/feedback actions amongst the system agents included in the Actor Map, but at a higher resolution if needed. An example is given in Figure 2; although the specific example illustrates an event's timeline, the Sequence Map can also be used to present graphically the connections and interdependencies amongst various actors and processes of a system (e.g., concept design or normal operations). In particular:
• The timeline is divided into periods, which can be unequal to accommodate periods of various lengths revealed during an investigation (e.g., an influential decision or action might have been recorded long before an event of interest). In the case of system analysis, the timeframes can correspond to the expected or real duration of each action/decision/outcome.
• Each block in the graph mentions the agent and its action. The term action is used in its broad meaning and also includes decisions.
• When an agent only receives the output of an action and does not perform further actions of interest within the same period, the block mentions only the agent's name.
• The arrows connect an action to the one or more agents it is directed to, as applicable.
• The agent and action blocks include the dates/timestamps of origin or reception, depending on the time resolution desired. In system analysis, this can reflect the maximum allowed time to act/decide after the actions/decisions/events of linked previous blocks have been realised (e.g., X time units such as minutes, hours, days etc.).
• The final event under consideration, as well as any other events along the timeline, are mapped in the graph as rhombuses with their date and time stamps. The term event has a broad meaning and can include any significant or unexpected situation resulting from the actions of agents or referring to the state of the agents (e.g., important internal changes, unexpected disturbances). In system analysis, an event can correspond to expected deliverables and outcomes.

Micro-level - Process Map
The third analysis level, named the Process Map, digs further into the system and shows in detail the components and their connections (Figure 3). The block borrows its main elements from STAMP and introduces factors inspired by the keywords used in the System-Theoretic Process Analysis (STPA) technique (Leveson, 2011). The process dependencies and the parameters of the commodities transmitted across the system also accommodate the concepts found in FRAM. This part also includes system elements which function as action, energy and information transmitters (i.e. actuators and sensors in the terminology of STAMP) as well as items that reflect the concept of risk barriers, as explained below. Figure 3 illustrates all possible elements and connections, but these are specific to the system and context studied and can be removed or grouped. More specifically:
• The process map presents the controller Y (i.e. a human or technology-based decision maker) who acts on a process Y through actuators and is aware of the process's behaviour through feedback provided by sensors.
• The actuators and sensors are distinct system elements which are functionally independent of the rest of the system elements mentioned in the map. They are marked with a dotted line because they might not be present in all contexts (e.g., a supervisor communicates directly with a worker).
• The controller coordinates or exchanges information with other controllers.
• The process of interest receives outputs from preceding process(es) "X" and generates outputs to be used by following process(es) "Z" or resulting in an event/outcome of interest.
• Each system component described above uses channels to transmit information and/or energy (e.g., data transfer, application of action/force, transfer of material).
• The units transferred amongst the system components are characterised by quantity (QN) and quality (QL) requirements, and their transmission is characterised by temporal (TE) parameters (i.e. timeliness and duration). All these characteristics are specific to each component type and function and can possibly be influenced by moderators (MO). The latter represent the mechanisms that might be used to block, decrease, increase, filter or alter the quantity and quality of the units transmitted as well as the timeliness and duration of the transfer.
• The system components described above, the moderators included, and the transmission channels are characterised by their performance (PE) regarding their capability to execute their role as required, considering the QN, QL and TE characteristics of the units transmitted.
• The external influences can stem from any agent that does not belong to the specific analysis or block and might generate variability in the performance of any system component included in the analysis.
• Each process can be controlled by more than one agent. This is depicted at the bottom of Figure 3 with dotted lines for control and feedback channels. Any additional controller K can be drawn at its respective functional position (e.g., at the same, higher or lower level as Controller Y), accompanied by actuators and sensors as applicable and subject to the PE, MO, QN, QL and TE elements and characteristics mentioned above. Figure 4 illustrates examples of possible block structures (Leveson & Thomas, 2018).
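To make the three levels described above concrete, the following added example (not code from the paper or its authors) encodes an Actor Map, a Sequence Map and a Process Map as small data structures and runs the consistency checks the text implies: constraints flow downward and feedback upward, advisory actors impose no constraints, Sequence Map blocks name only agents present in the Actor Map, arrows run forward in time and start at a block that carries an action, every process in the Process Map has a control path in and a feedback path out, and channels whose performance (PE) is not as required are flagged for examination. All class and function names, the check functions and the sample system (generic "Regulator/Operator/Crew" actors, not the content of the investigation reports) are assumptions of this example.

```python
# Added example: the three STASAM levels as data structures with cross-level checks.
# Names, checks and the sample system are assumptions of this example, not the paper's.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Actor:
    name: str
    level: int              # 0 = top of the hierarchy; larger number = lower level
    advisory: bool = False  # advisory actors hold no authority over the system

@dataclass
class ActorMap:
    """Macro-level: actors plus downward constraint and upward feedback links."""
    actors: Dict[str, Actor] = field(default_factory=dict)
    constraints: List[Tuple[str, str]] = field(default_factory=list)
    feedback: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, *actors: Actor) -> None:
        for a in actors:
            self.actors[a.name] = a

    def problems(self) -> List[str]:
        out, acts = [], self.actors
        for src, dst in self.constraints + self.feedback:
            out += [f"actor map: unknown actor '{n}'" for n in (src, dst) if n not in acts]
        for src, dst in self.constraints:
            if src in acts and dst in acts:
                if acts[src].advisory:
                    out.append(f"actor map: advisory actor '{src}' cannot impose constraints")
                elif acts[src].level >= acts[dst].level:
                    out.append(f"actor map: constraint {src}->{dst} does not flow downward")
        for src, dst in self.feedback:
            if src in acts and dst in acts and acts[src].level <= acts[dst].level:
                out.append(f"actor map: feedback {src}->{dst} does not flow upward")
        return out

@dataclass
class Block:
    agent: str
    stamp: datetime
    action: Optional[str] = None  # None: the agent only receives an output

@dataclass
class SequenceMap:
    """Meso-level: timestamped agent/action blocks joined by forward arrows, plus events."""
    blocks: List[Block] = field(default_factory=list)
    arrows: List[Tuple[int, int]] = field(default_factory=list)  # (from block, to block)
    events: List[Tuple[str, datetime]] = field(default_factory=list)

    def problems(self, amap: ActorMap) -> List[str]:
        out = [f"sequence map: block {i} names '{b.agent}', absent from actor map"
               for i, b in enumerate(self.blocks) if b.agent not in amap.actors]
        for i, j in self.arrows:
            src, dst = self.blocks[i], self.blocks[j]
            if src.action is None:
                out.append(f"sequence map: arrow {i}->{j} starts at a receive-only block")
            if dst.stamp < src.stamp:
                out.append(f"sequence map: arrow {i}->{j} runs backwards in time")
        return out

@dataclass
class Channel:
    src: str
    dst: str
    kind: str                  # control | feedback | input | output | coordination
    qn: str = "as specified"   # quantity requirement (QN) of the units transmitted
    ql: str = "as specified"   # quality requirement (QL)
    te: str = "as specified"   # temporal parameters (TE): timeliness and duration
    moderators: List[str] = field(default_factory=list)  # MO: blocking/filtering mechanisms
    performance: str = "as required"                     # PE of the channel itself

@dataclass
class ProcessMap:
    """Micro-level: controllers, actuators, sensors and processes joined by channels."""
    components: Set[str] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)
    channels: List[Channel] = field(default_factory=list)

    def problems(self) -> List[str]:
        known = self.components | self.processes
        out = [f"process map: channel endpoint '{n}' is not declared"
               for c in self.channels for n in (c.src, c.dst) if n not in known]
        for p in sorted(self.processes):
            if not any(c.kind == "control" and c.dst == p for c in self.channels):
                out.append(f"process map: process '{p}' has no control path")
            if not any(c.kind == "feedback" and c.src == p for c in self.channels):
                out.append(f"process map: no feedback leaves process '{p}'")
        out += [f"process map: {c.src}->{c.dst} performance is '{c.performance}'"
                for c in self.channels if c.performance != "as required"]
        return out

def check_stasam(amap: ActorMap, smap: SequenceMap, pmap: ProcessMap) -> List[str]:
    """Run the checks of all three levels and return the combined findings."""
    return amap.problems() + smap.problems(amap) + pmap.problems()

def build_sample(flawed: bool = False) -> Tuple[ActorMap, SequenceMap, ProcessMap]:
    """Constructed, generic sample system; not taken from the investigation reports."""
    amap = ActorMap()
    amap.add(Actor("Regulator", 0), Actor("Operator", 1), Actor("Crew", 2),
             Actor("Research institute", 1, advisory=True))
    amap.constraints += [("Regulator", "Operator"), ("Operator", "Crew")]
    amap.feedback += [("Crew", "Operator"), ("Operator", "Regulator")]
    smap = SequenceMap(
        blocks=[Block("Operator", datetime(2020, 1, 1, 8, 0), "issues revised procedure"),
                Block("Crew", datetime(2020, 1, 1, 9, 0))],  # receive-only block
        arrows=[(0, 1)],
        events=[("procedure first applied", datetime(2020, 1, 1, 10, 0))])
    pmap = ProcessMap(
        components={"Controller Y", "Actuator", "Sensor"}, processes={"Process Y"},
        channels=[Channel("Controller Y", "Actuator", "control"),
                  Channel("Actuator", "Process Y", "control", moderators=["interlock"]),
                  Channel("Process Y", "Sensor", "feedback"),
                  Channel("Sensor", "Controller Y", "feedback")])
    if flawed:  # advisory actor imposing a constraint, backward arrow, degraded sensor channel
        amap.constraints.append(("Research institute", "Crew"))
        smap.blocks.append(Block("Crew", datetime(2020, 1, 1, 7, 0), "reads old version"))
        smap.arrows.append((0, 2))
        pmap.channels[3].performance = "degraded: intermittent sensor readings"
    return amap, smap, pmap

if __name__ == "__main__":
    for finding in check_stasam(*build_sample(flawed=True)):
        print(finding)
```

Running the module prints the three findings of the flawed sample; `check_stasam(*build_sample())` returns an empty list for the consistent one. The checks are deliberately structural only (who may constrain whom, whether time runs forward, whether every process is both controlled and observed): they help an analyst keep the three maps consistent with each other, while the judgement about whether a moderator or a degraded channel matters remains with the analyst, in line with criterion 3f above.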

DISCUSSION AND CONCLUSIONS
The comments of the reviewers regarding the interim version of the concept STASAM presented above showed that the representation of system levels, elements and connections was rated from slightly to much better than the ones included in the four original models. However, two out of the six reviewers considered that a less detailed illustration would be easier to use, along with an explanation that the level of abstraction or detail is to be decided by the analyst. The Sequence Map was received as much to highly improved compared to the options given by the other models, and most of the reviewers expressed the opinion that the STASAM could be used in the context of both safety management and safety investigations. Nonetheless, all reviewers stated that the model could be difficult to understand if the analyst is not familiar with the original models and systems thinking in general; hence they strongly suggested providing a detailed guidance document to accompany the model.
The authors recognise that the attempt to merge different models into a single one was challenging due to the diverse underlying approaches of the four original models employed in this study. This led to a three-level approach, which is not customary in the literature since, typically, models have a single representation. However, we believe that the decomposition of the STASAM into three maps and the contents of these offer the following advantages:
• It allows the communication of analyses at different levels of detail, depending on the interests of the audience. The Actor Map pictures the "who", including the relationships of agents; the Sequence Map additionally presents the "what" and "when"; and the Process Map elaborates further with the "how", which can lead to the detection of the "why".
• It is customisable to the level of resolution desired or possible, as suggested by Rejzek, Björnsdóttir & Krauss (2018).
• It can be used for a top-down approach (i.e. Actor->Sequence->Process map) in the scope of hazard/system analysis, as suggested by the STPA technique (Leveson, 2011), or a bottom-up path (i.e. Process->Sequence->Actor map) during investigations of unwanted events. In this manner, it can support both proactive and reactive methods of safety management. Nonetheless, respective techniques must be developed to accompany STASAM after it reaches a sufficient maturity level.
• It can be used to communicate the scope of the analysis and can help to identify respective assumptions (Karanikas, 2018) across all three levels/maps.
• The Actor Map recognises the possible influences of agents that might not belong to the hierarchical structure of the system under study. This reference was not visible in AcciMap and not mentioned in the structures suggested by Leveson (2011).
• The Sequence Map fosters a forward-looking approach, which has the potential to minimise hindsight bias (Dekker, 2006), and reveals time dependencies and relationships more clearly than the mere reference to temporal factors included in FRAM.
• The Process Map introduces the role of moderators (a.k.a. barriers or defences), which must be examined in existing systems or could be considered in new designs. Also, it refers to the high-level characteristics of transmitted entities and makes the role of transferring channels more explicit. This can help the analyst to consider the role of interactions in a more holistic manner without, at the same time, neglecting the performance of individual system elements.
In the Appendix, we present the elements of the three STASAM levels along with their presence and/or reference in the models which we consulted (i.e. SCM, AcciMap, STAMP and FRAM). As can be observed, STASAM merges the elements suggested by the four models mentioned and introduces additional ones to render system analysis more complete. In particular, the elements "Actors with Advisory Role", "Visible Timeline", "Timestamps", "Channel Performance" and "Moderators" are not explicitly mentioned by any of the original models considered. Also, STASAM offers more generic descriptions of elements such as the Quantity, Quality and Temporal parameters, to cover any case the analyst wants to consider.
Although the current edition of STASAM was perceived positively during its first review and was amended to accommodate the comments of the reviewers and satisfy the criteria set in section 2 above to the extent possible, it is still a conceptual approach and must be handled as such by potential users. The researchers aim to work on this idea further, to test the validity, reliability and usability of subsequent STASAM versions through different paths (e.g., application to more investigation reports, analysis of various existing systems), and, afterwards, to proceed with the compilation of clear guidelines. Also, during this process, we plan to examine, and possibly accommodate, the approaches and elements of more safety/accident models than the ones employed in this study.