0260-9576/08/$17.63 + 0.00
© Institution of Chemical Engineers 2008
Integrating human factors, safety
management systems and wider
organizational issues: a functional model
Linda J. Bellamy1, Tim A.W. Geyer 2 and John Wilkinson3
1White
Queen Safety Strategies BV, Netherlands
2Environmental
3Hazardous
Resources Management Ltd, UK
Installations Directorate, Health & Safety Executive, UK
of systems designed to take proper account of human
capabilities and fallibilities. … It is now widely
accepted that the majority of accidents in industry
generally are in some way attributable to human as
well as technical factors in the sense that actions by
people initiated or contributed to accidents, or people
could have acted better to avert them.’
Introduction: The need for human
factors in an integrated model
The application of Human Factors (HF) to safety in
hazardous work situations is often poor. In practice it
requires an understanding of human capabilities and
fallibilities so as to be equipped to recognize the
relationship between work demands and human
capacities when considering human and system
performance. The aim is to eliminate or reduce the
chance of adverse behavioural outcomes which can
lead to harm through accidents or chronic exposures to
conditions adverse to health.
This paper describes a program of work that was
undertaken to help the UK Health & Safety Executive
and other key stakeholders understand how Human
Factors (HF), Safety Management Systems (SMS) and
Organization fit together (Bellamy, Geyer & Wilkinson,
2006; Bellamy and Geyer, 2006). The aim was to develop
a simple working integrated model for a more cohesive
and structured approach to HSE’s activities where
Human Factors is involved. This can include safety
report assessments, site inspections, accident
investigation and communication about health and
safety. The focus was primarily on safety at major hazard
chemical sites, but with a view to a wider application.
HSE want to improve the understanding of Human
Factors and Safety Management Systems. There is
already relevant guidance such as HSG 48 (Health &
Safety Executive, 1999) and HSG 65 (Health & Safety
Executive, 1997a) which address these areas. The human
contribution to accidents has been well known for some
time (Health & Safety Executive, 1989a):
‘Management of human factors is increasingly
recognized as having a vital role to play in the
control of risk. … Successful management of human
factors and control of risk involved the development
In recognition of this human contribution to accidents,
the Health & Safety Executive employs a number of
Human Factors specialists. These specialists support the
assessment and inspection of major hazard chemical sites
which fall under the Control of Major Accident Hazards
Regulations 1999 (COMAH). However, HSE and other
stakeholders have often experienced difficulties in
explaining and communicating about Human Factors
and, in particular, how the subject area overlaps and
interfaces with safety management systems and wider
organizational issues in the context of risk control. It was
anticipated that a working model could help here.
Taxonomy development
Initial work involved the assembling of source material
and the development of a taxonomy or classification of
the elements (human factors, safety management
systems and organization), together with HSE’s
definition of risk control systems. The structure of the
taxonomy was based as far as possible on existing
systems and identified groupings of elements based on
the background literature. There were 850 elements of
which 240 were Human Factors. The HF elements
include: performance shaping factors (PSFs) affecting
demands such as nature of the job; task design (displays
and controls, operator information, workplace layout,
workload, written procedures); environmental PSFs
(heat, lighting, noise, etc) and stressors (such as false
LOSS PREVENTION BULLETIN 199
18
alarms or process upsets); capacity PSFs relating to
individuals (such as experience, competence, attitudes,
risk perception); psychological capacities (covering
attention, alertness, vigilance, arousal; perception and
adaptation; cognition/understanding; memory; etc);
anatomical and physiological capacities (such as work
rate, biomechanical and anthropometric capacities); and
human behaviour outcomes, i.e. symptoms of demand
capacity mismatch, (such as absenteeism, fatigue,
illnesses, injury, human slips, mistakes and violations).
Organization is characterized by the division of tasks,
design of job positions including selection and training
and cultural indoctrination, and their coordination to
accomplish the activities. The main issues of organization
and safety have been summarized in Bellamy et al., (1995)
and include factors such as complexity (chemical/process,
physical, control and task); size and age of plant, and
organizational safety performance shaping factors such as
leadership, culture, rewards, manning, communications
and coordination, social norms and pressures.
The part of the taxonomy dealing with the Safety
Management System was based on the Control of Major
Accident Hazards Regulations 1999 since the regulation
(HMSO, 1999) and assessment guidance (Health &
Safety Executive 2006) are quite explicit about the
required SMS components. It is what the regulatory
inspector in the field inspects; he checks the site for
evidence of a robust SMS. If the inspectors have to issue
improvement notices then this has to relate back to the
regulation. The COMAH SMS is focused on preventing
loss of containment, on managing the technical system,
and defines a system of management processes that
implement safety policy.
The overall structure is shown in Figure 1. While the
taxonomy is in some places major hazard chemical
industry specific, Figure 1 can be applied quite broadly,
where necessary substituting an industry/hazard
specific vocabulary.
• Hickson & Welch (UK, 1992): Jet fire following
•
•
•
•
The taxonomy was implemented in an Excel
worksheet and provided a framework against which the
sample of accidents was analysed. The analysis
consisted of noting for each accident those elements of
the taxonomy that the accident reports identified as
being causal in nature (or present for those descriptive
aspects), i.e. a taxonomy element was only coded if the
accident report suggested it as a contributory factor.
When viewing the results across all the accidents,
failure patterns could be identified — so-called sociotechnical failures, which impact on human performance.
How the elements came together in the accidents and
the repeated failure patterns found, provided the basis
for defining the model. Four key themes were identified
which best explained how the accidents arose.
1. Failure to provide people to manage hazard related
activities who understand risk control requirements.
2. Failure to provide competent people to carry out
tasks which have an impact on risk controls.
3. Failure to prioritize, attend to and communicate
about the design of jobs, equipment and
environment for those tasks.
4. Failure to monitor whether the risk control objectives
are being met, to retain knowledge and memory
about risk control, and to learn and adjust in order to
prevent deviations or actions which could lead to
loss of control.
Accident analysis
A selection of eight major accidents, for which detailed
investigation reports existed, were analyzed using the
taxonomy. In discussion with HSE, the following
accidents were chosen:
• Flixborough (UK, 1974): Explosion due to release
•
•
runaway reaction during non routine vessel cleaning
due to lack of awareness of risks and inadequate
precautions (Health & Safety Executive, 1994).
Cindu (The Netherlands, 1992): Explosion due to
runaway reaction in a batch processing plant.
Trainee using wrong recipe in an old poorly
designed plant (Bellamy et al., 1999).
Associated Octel (UK, 1994): Fire due to poor
awareness of risks in complex, poorly maintained
plant (Health & Safety Executive, 1996).
Texaco (UK, 1994): Explosion and fires due to
incorrect control instruments, poor MMI and alarm
system and a lack of management overview
(Health & Safety Executive, 1997b).
Longford (Australia, 1998): Failure to identify
hazards and properly train operators. Insufficient
understanding led to a critical incorrect valve
operation (Hopkins, 2000).
from a temporary bypass assembly of inadequate
design operated by insufficiently competent people
(Health & Safety Executive 1975).
Grangemouth (UK, 13 March 1987): Fire due to
passing valve (poor design) and inadequate isolation
procedures (Health & Safety Executive 1989b).
Allied Colloids (UK, 1992): Fire following
misclassification of chemicals and failure to
segregate incompatible substances in storage
(Health & Safety Executive, 1993).
The model
The model is simple. It comprises combinations of
accident-linked components from the HF, SMS,
Organization, and Risk Control areas (see Figure 2).
A particular combination involves one or two taxonomy
components for each of the four areas which can be
defined by a sociotechnical theme that binds them
LOSS PREVENTION BULLETIN 199
19
FIGURE 1: BASIC TAXONOMY STRUCTURE
together. The theme is an overarching concept which can
be considered ‘archetypical’ of accidents.
Based on the accident analysis, four key themes were
derived: Understanding of Major Accident Prevention;
Competence for tasks; Priorities, attention and conflict
resolution; and Assurance. These archetypical
combinations are represented as ‘warning triangles’ (see
Figure 3 to Figure 6) and represent the basis for
identifying real instances of the archetypes in practice.
The characteristics of the four archetypical triangles
are as follows:
1. Understanding of (Major) Accident Prevention —
This is about identifying hazards and risks and
about selection and training of people so that they
understand the risks and what to do about them and
ensuring they have the right roles and responsibilities
for controlling the risks. Failure to do these things
leads to mistakes, an accident trigger in all of the
eight major accidents analysed (see Figure 3).
2. Competence for tasks — Ensuring people who are
involved with risk control tasks have the appropriate
competences for those tasks. Training inadequacies
and lack of competence can cause an essential
element of control to be absent when a demand is
made on the risk control system (see Figure 4).
3. Priorities, attention and conflict resolution — Getting
worker involvement and communications about
inadequacies of job and equipment design so that
demand-capacity mismatches can be fixed. Mismatch
failures like excessive workload can result in tunnel
vision and divert attention away from safety (see
Figure 5).
4. Assurance — Ensuring that standards and
procedures get used. Sometimes, the organization
fails to update its own knowledge base. Sometimes,
a standard (such as from an external source) is
overlooked or thought not to apply, or it is lodged
with someone in a different position in the
LOSS PREVENTION BULLETIN 199
20
FIGURE 2: FORMAT AND CODING FOR A WARNING
FIGURE 4: TRIANGLE 2 — COMPETENCE FOR TASKS
TRIANGLE: THE BASIC MOTHER ARCHETYPE
Rather like hazard warnings are found on vessels
and pipework, we imagined PyraMAPs sitting on
managers’ desks as a warning to take the holistic view.
organization and so distanced from the persons who
need it. Aspects like modifications or organizational
change may exacerbate this problem or create the
opportunity for this organizational weakness to be
realized (see Figure 6).
Developing questions for
assessment, inspection and
investigation
The four primary chemical major accident prevention
(MAP) warning triangles developed in this initial phase
of work can be joined to make a pyramid i.e. the pyramid
of chemical Major Accident Prevention (the PyraMAP).
This can be created using the template provided in
Figure 7. The pyramid is a 3-D representation of the four
main triangles identified. In principle any issue could be
examined using a basic archetype or a multidimensional
archetype (made of several basic archetypes).
The PyraMAP represents the fact that the four
triangles are linked by issues which cut across the four
areas of understanding, competence, priorities and
attention and assurance and which cannot be explained
except by reference to all of them. For example, at
Longford some people did not have knowledge of the
risks in a very fundamental area and yet the company
had demonstrated to itself that they had the necessary
competences, even verified by audit.
For an example of how the model can be used to develop
questions, consider a risk control issue in the chemical
industry. One of the risk controls that can and has failed
is the system of controls that prevent a vessel from
overfilling. Human performance could fail the system in
a variety of ways — for example, errors in maintenance
of the instrumentation, disabling interlocks, ignoring
alarms. In a plant with a potential for vessel overfilling,
human failure could be an important issue of concern.
Once a safety issue has been developed, the model assists
with translating it into queries to examine the issue in an
holistic way. Queries concerning overfilling of vessels can
be developed by turning the themed definition of the
component into a question. These questions are
presented below for each of the four triangles.
FIGURE 3: TRIANGLE 1 — UNDERSTANDING OF MAJOR
FIGURE 5: TRIANGLE 3 — PRIORITIES, ATTENTION &
CONFLICT RESOLUTION
ACCIDENT PREVENTION (MAP) MEASURES
LOSS PREVENTION BULLETIN 199
21
FIGURE 6: TRIANGLE 4 — ASSURANCE
1. Understanding of Major Accident Prevention (MAP)
• RCS – MAP Risk controls.
What risk control measures have been identified
from the risk assessment to prevent a major
accident resulting from [overfilling of a vessel]?
• ORG – Use of organization’s selection and training
system to deliver resources for risk control.
How is the organization of selection and
training used in order to deliver understanding
of controls (and the effects of loss of control) for
major accident prevention where [overfilling of
a vessel] could play a role?
• SMS – Criteria and procedures for risk assessment.
Does the risk assessment process have criteria
and procedures which lead to the inclusion in
the assessment process of [overfilling of a
vessel] and the possible consequences of
[overfilling]?
• HF – Workforce understanding of MAP and their
MAP role in the tasks:
Do people in jobs that could be directly or
indirectly related to preserving MAP measures
understand the risks that could lead to
[overfilling of a vessel] and the possible
consequences i.e. do they have the appropriate
situational awareness and expectations?
2. Competence for tasks
• RCS – Identification of human allocated MAP tasks.
What tasks have been identified that support
the prevention and control of [vessel
overfilling] such as [responding to alarms]?
• ORG – Use of organization’s selection and
training system to provide and allocate the
necessary and sufficient competences.
How is the organization of selection and
training used in order to deliver competent
manning for prevention of [vessel overfilling]
as a major accident initiator?
FIGURE 7: PYRAMAP (COMBINING THE FOUR WARNING TRIANGLES)
LOSS PREVENTION BULLETIN 199
22
and respond to vessel overfilling] could give
rise to a major accident?
• Human factors – Behavioural symptoms.
Have people been making mistakes or near
misses in [preventing vessel overfilling] or
complaining about difficulties or other self
reported problems in this area? Or, do periodic
tests of competence in [preventing vessel
overfilling and the correct identification and
response should it occur] or in following
procedures conclude that the system is
currently meeting performance requirements?
• SMS – Processes for delivering human
competences.
Are there criteria and procedures to ensure that
the competence delivery system is being used
to include competence in [the correct
identification and response to vessel
overfilling] by persons undertaking risk control
tasks and their management?
• HF – Competence.
Do tasks requiring [the correct identification
and response to vessel overfilling] have people
competent to do so? For example, do they have
appropriate recognition abilities?
3. Priorities, attention & conflict resolution
• RCS – MAP Task design.
What are the important design features of the
tasks and the associated equipment and
information that optimize [the correct
identification and response to vessel
overfilling]?
• ORG – Use of communication systems to facilitate
major hazard communications.
How do the communication systems facilitate
discussion with management about problems
in the workplace that might relate to [vessel
overfilling]?
• SMS – Processes for employee involvement and
communication.
Are there criteria and procedures for involving
the workforce in discussions with management
about [vessel overfilling]?
• HF – Demands.
Are the demands on a person to [correctly
identify and respond to overfilling] well within
their psychological, anatomical and
physiological capacities (e.g. labelling, lighting,
location, information, procedures, workload,
and other aspects of task design)?
4. Assurance
• RCS – MAP goals and procedures, standards and
guidance.
Do the important design features of the tasks
and the associated equipment and information
that optimize [the correct identification and
response to vessel overfilling] comply with
recognized standards or best practices?
• Organization – Organizational learning.
What means does the organization have to
identify weak spots in [prevention of vessel
overfilling], intervene with corrective measures
in the short term, and incorporate into
organizational memory in the longer term so
that improvements are preserved?
• SMS – Processes for measuring performance.
Are there performance objectives and
procedures for supervision and monitoring for
performance of tasks where [failure to identify
Because the series of questions above is generated
from the warning triangle archetype, they can be
generalized to any particular issue simply by inserting
the appropriate issue text providing it is within the
constraints of the archetype. For example, consideration
of chemical misidentification as a major hazard scenario
could use terms such as [misidentification of chemicals],
[correctly allocating consignments to appropriate storage
location] and [the correct identification and related
handling of chemicals] instead of [vessel overfilling],
[responding to alarms] and [the correct identification
and response to vessel overfilling].
Workshop
Support materials were developed to assist in applying
the model to a broader range of issues. These included
analysis proformas and the generic questions. Simple
steps were defined for using the model. A workshop was
held with HSE specialists from a broad range of industry
sectors in order to present the model and to test its use
in examining stakeholder issues. A diverse range of
issues of interest were examined including: scaffolders’
understanding of fall protection/protection measures
and understanding occupational asthma prevention (see
Figures 8 and 9). Feedback from the workshop was
FIGURE 8: TRIANGLE FOR SCAFFOLDERS’ UNDERSTANDING OF
FALL PROTECTION MEASURES
LOSS PREVENTION BULLETIN 199
23
FIGURE 9: TRIANGLE FOR UNDERSTANDING OCCUPATIONAL
ASTHMA PREVENTION
primarily positive but that the model could be
improved. There was insufficient time to properly cover
integration with existing inspection approaches.
Conclusion
The model is flexible in that additional or alternative
taxonomy elements can be substituted or added to
define situation specific technical systems and
regulatory requirements in different areas of application.
Much of the human factors and organization taxonomy
elements are generic and have wide applicability as
developed. The model has a sound empirical basis and
appears to be suited for potential application to
developing guidance, accident investigation, use by the
duty holder and use by inspectors unfamiliar with
Human Factors. It was initially perceived as weaker on
supporting inspection approaches aimed at higher level
management. A main conclusion was that the training
and packaging of the model could be improved upon.
References
Bellamy, L.J., Geyer, T.A.W., Wilkinson, J., 2006.
Development of a functional model which integrates
human factors, safety management systems and
wider organizational issues Safety Sci. (2006),
doi:10.1016/ j.ssci.2006.08.019 (awaiting publication
in Safety Science).
Bellamy, L.J. & Geyer, T.A.W.G., 2006. Development of a
working model of how human factors, safety
management systems & wider organizational issues fit
together. Contract 6025 Research Report for Health &
Safety Executive, Bootle, Merseyside, December 2006.
Bellamy, L.J., Goossens, L.H.J. and Hale, A.R., 1999.
Analysis of a chemical accident for OECD Nuclear
Energy Agency, PWG-5 Task 97-2, Errors Of
Commission; undertaken for the Dutch Nuclear
Safety Inspectorate (Kernfysische Dienst), Ministry
of VROM, and Ministry SZW, Postbus 90801, 2509
LV Den Haag.
Health & Safety Executive, 1975. The Flixborough
Disaster: Report of the Court of Inquiry. Formal
investigation into accident on 1st June 1974 at the
Nypro Factory at Flixborough. HMSO 1975. ISBN
011 361075 0.
Health & Safety Executive, 1989a. Human factors in
industrial safety, HS(G)48. ISBN 0 11 885486 0.
Health & Safety Executive, 1989b. The fires and explosion
at BP Oil (Grangemouth) Refinery Ltd. A report of
the investigations by the Health & Safety Executive
into the fires and explosion at Grangemouth and
Dalmeny, Scotland, 13 March, 22 March and 11 June
1987. HMSO Books, 1989. ISBN 0 11 885493 3.
Health & Safety Executive, 1993. The fire at Allied
Colloids Limited. A report of HSE’s investigation
into the fire at Allied Colloids Ltd, Low Moor,
Bradford on 21 July 1992, HSE Books 1993. ISBN 0
7176 0707 0.
Health & Safety Executive, 1994. The fire at Hickson &
Welch Ltd: A report of the investigation by the
Health & Safety Executive into the fatal fire at
Hickson and Welch Ltd, Castleford on 21 September
1992. HSE Books 1994. ISBN 0 7176 0702 X.
Health & Safety Executive, 1996. The chemical release
and fire at the Associated Octel Company Ltd, A
report of the investigations by the Health & Safety
Executive into the chemical release and fire at the
Associated Octel Company, Ellesmere Port on 1 and
2 February 1994. HSE Books 1996. ISBN 0 7176 0830 1.
Health & Safety Executive, 1997a. Successful health and
safety management HSG65. (2nd edition). HSE
Books. ISBN 0 7176 1276 7.
Health & Safety Executive, 1997b. The explosion and
fires at the Texaco Refinery, Milford Haven, 24 July
1994: A report of the investigation by the Health &
Safety Executive into the explosion and fires on the
Pembroke Cracking Company Plant at the Texaco
Refinery, Milford Haven on 24 July 1994, HSE Books
1997, ISBN 0 7176 1413 1.
Health & Safety Executive, 1999. Reducing error and
influencing behaviour HSG48. HSE Books. ISBN 0
7176 2452 8.
Health and Safety Executive, 2006. COMAH Safety
Report Assessment Manual
http://www.hse.gov.uk/comah/srag.htm.
HMSO, 1999. Statutory Instrument 1999 No. 743 The
Control of Major Accident Hazards Regulations 1999,
Her Majesty’s Stationery Office.
Hopkins, A., 2000. Lessons from Longford. The Esso gas
plant explosion. CCH Australia Ltd. ISBN 1 86468
422 4.
LOSS PREVENTION BULLETIN 199
24