Guest Column | September 9, 2022

Systems-Based Hazards Analysis Integrates Human Factors

By Dave Grattan


“STAMP” out occupational hazards using the Systems Theoretic Accident Model and Processes approach.

Many hazard analysis techniques such as process hazard analysis (PHA) partition a large process into smaller systems to evaluate parts individually. Reductionism is how most engineering activities occur; however, properties that belong to the system can be lost while breaking it down (i.e., structural decomposition). These lost properties are referred to as emergent properties, and they are properties of the system rather than parts of the system. For example, if a driver looks solely at the segregated parts of a car (e.g., tires, engine, headlights, etc.), the properties of the car as a whole (e.g., mobility, comfort, style, etc.) can be overlooked. Taking a holistic approach and evaluating a system in its entirety in addition to traditional methods such as PHA can provide a more complete picture of what drives risk at your facility.

Accident Model

STAMP (Systems Theoretic Accident Model and Processes) is a relatively new risk assessment model based on systems theory. Professor Nancy Leveson at MIT created this model in the 2000s — with influence from Danish safety science pioneer Jens Rasmussen — to help understand all factors involved in accidents, including human social and organizational influences. One of the main premises of this model is that accidents can happen even when there has been no component failure; sometimes, the variation (resonance) in normal work processes superimposed together in a complex and tightly coupled system produces accidents. Rather than a linear series of events over time with an initiating event, like “falling dominoes” or the “Swiss cheese barrier” model, STAMP considers the non-linear web of factors that ultimately lead to an accident; it focuses on interactions among the parts rather than the parts themselves or failure of the parts.

STAMP incorporates several features of Rasmussen’s model, including a broad system boundary expanded beyond potential proximal causes, to include conditions (e.g., design errors or maintenance deficiencies) as well as system factors (e.g., management decisions, employee turnover, engagement, etc.).

Hazard Analysis Tool

STPA (Systems Theoretic Process Analysis) is the tool for analyzing STAMP. It uses a control-theory-based hazard analysis technique similar to PHA but works top-down (i.e., top event to specific causes). It begins by identifying the top event, “loss,” which should be related to the emergent property (caused by interactions among the parts) needed to control or constrain. In practice, the top event loss is identified from a PHA, and the STPA study is independently invoked to further evaluate the scenario. The interactions among the parts, not the parts themselves, are analyzed on a custom control structure drawing prepared prior to the study. This drawing uses arrows to show the causal direction and interaction among parts and calls out specific control actions and feedback.

STPA is grounded in classic control theory (i.e., control signals with feedback loops), and safety resides in the constraints (i.e., control actions). Hence, there is only one term used in STPA — “unsafe control action” (UCA) — that looks at what safety constraints are needed or ways the control action is unsafe or otherwise violates the safety constraints leading to accidents. This gives a much broader interpretation for the potential causes of accidents than simply looking at “what can fail.” The loss event is documented by identifying “causes” of the UCA that lead to the loss, which can be broad, working from proximal causes to conditions to systemic issues. The mode or state in which the UCA occurs can also be established in what is typically outside the scope of a Hazard and Operability (HAZOP) study or Failure Modes Effects Analysis (FMEA). This includes transient or nonroutine operating states such as maintenance, start-up, or response to abnormal situations.

In similar fashion to PHA, recommendations can be generated related to unsafe interactions and preventing the loss event and documented in a table format similar to a HAZOP or FMEA spreadsheet.

Engineering For Humans

The STPA extension called “Engineering for Humans” incorporates human factors into the accident analysis. It has the ability for a broad scope with respect to the system studied, as well as causes. For example, while a HAZOP study or FMEA may list “human error” as a proximal cause, STPA has the ability to study the “human error” as a system, including mental models, conditions, and systemic factors related to the potential error. It takes a deeper dive into the causal scenarios of the loss related to human operator behavior and error (i.e., addressing “Why would they potentially violate the safety constraints of the system?”). It’s not looking to assign blame but rather to identify how the system may influence behavior.

In this model, the “controller” could be a human. When evaluating a human controller (i.e., operator), especially when cognition is involved with responding to an abnormal event, understanding the operator’s mental model can be an important aspect of the task analysis. Both the positive and negative human factors are evaluated, and this qualitative analysis can help determine and fix negative human factors associated with the task to decrease the likelihood of a procedural error.


The value of the STAMP risk assessment model and its hazards analysis tool STPA is not in having another tool to conduct a process hazard analysis. Those methods already exist and have the capability to evaluate UCAs as part of a Business Planning and Control System (BPCS) or human-error-initiating causes. Rather, STPA and its extension “Engineering for Humans” provide an opportunity to evaluate human-factors scenarios related to potential major accident hazards that are currently not analyzed by traditional methods, as well as evaluate non-routine and transient modes such as maintenance and abnormal situations. STPA and its extension consider human error not as the cause, but as a consequence of the system, in order to identify latent conditions and systemic factors that increase the potential for catastrophe. An STPA is executed as a separate study from PHA, yet together, they provide a more complete systems perspective of major accident hazards.

About The Author

Dave Grattan, PE, CFSE, is Process Safety Engineer for AE Solutions ( with focus on PHA-LOPA (facilitator), using quantitative tools such as Fault Tree, FMEDA, Human Reliability, Bayesian Network, and Monte Carlo. He also leads audits and assessments on all types of barriers, human factors, etc. Dave earned his ChemE (MChE) degree from the University of Houston.