Safety Science 110 (2018) 124–141

Contents lists available at ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/safety

Unravelling causal factors of maritime incidents and accidents T

⁎
Romanas Puisa , Lin Lin, Victor Bolbot, Dracos Vassalos
Maritime Safety Research Centre of University of Strathclyde, 100 Montrose St, Glasgow G4 0LZ, Scotland, United Kingdom

A R T I C LE I N FO A B S T R A C T

Keywords: Lessons from maritime accidents are conventionally used to inform safety improvements in design and operation
Accident of ships. However, this process is only as good as the core understanding derived from accident analysis is. The
Incident current explanation of accidents is limited to direct and contributing causal factors, whereas the role of a wider
Causation socio-technical context that has given rise to causal mechanisms behind major maritime accidents in recent years
Maritime
is left unexplained. The paper describes analysis results of maritime incidents and accidents occurred over the
Safety
Risk
last decade with passenger ships, with the purpose to illuminate the prevailing causal factors, not least the
STAMP systemic ones. The results show where the weak links in maritime safety control are (e.g., interactions between
CAST ship operators and equipment manufacturers), what their role in accident causation is, and how they can be
Systemic factors strengthened. The study seeks to provide valuable input for enhancements in overall maritime safety control and
Classification proactive safety management at the ship and shipping company levels.

1. Introduction unsafe acts is accentuated and the underlying causes of the events are
practically ignored other than a lack of safety barriers (slices of the
Good safety records are prerequisite for achieving strategic goals, cheese) aimed to prevent their propagation (Lundberg et al., 2009).
including profits and continuous existence, of any shipping company. Thus, the accident investigation remains mostly confined to the context
However, serious maritime incidents and accidents remain rife. The last in which proximate events occurred, barriers failed and the organisa-
decade was replete with dreadful calamities, not least the sinking of tional factors involved (Schröder-Hinrichs et al., 2011).
cruise ship Costa Concordia and ferry MV Sewol (KMST, 2014; MIT, It, hence, appears that the importance of wider systemic issues in
2013). The decades before, were equally depressing (e.g., MS Herald of accident etiology is insufficiently recognised, despite the evidence from
Free Enterprise, Estonia, and Express Samina). At the same time, the many maritime incidents and accidents, as shown in this and other
safety assurance on modern ships is getting more complicated, partly publications (Johnson and Holloway, 2007), and the solid theoretical
due to the conventional safety strategy defence-in-depth (Carroll, 1998), basis, e.g. (Carroll, 1998; Leveson, 2011; Rasmussen, 1997), for them.
which requires redundancies and multiple layers of protection, and Such evidence, for instance, points to systemic factors that insidiously
partly due to new digital technologies, e.g. dynamic barrier manage- degraded safety barriers, acting as their common cause failure and
ment (Pitblado et al., 2016), which introduces extra layers of defence, making the defence-in-depth ineffective. For instance, Kim et al. de-
new interactions and weak couplings (Twomey, 2017). scribe the accident with passenger ferry MV Sewol where commercial
Given the mediocre safety records, it can be argued that the answer pressures and lax regulatory control had disabled vital organisational
lies in currently used fundamentals and practices of accident analysis. and technical barriers, making the accident imminent (Kim et al.,
As in other similar industries such as aviation, maritime accident in- 2016). According to the systems approach, accidents are a result of poor
vestigations serve to inform evolutionary improvements in design and functioning of the safety control system as a whole, i.e. the presence of
operational practices. This means that high quality of accident in- dysfunctional interactions between system elements and, therefore,
vestigations is instrumental in improving safety. The accident analysis inadequate enforcement of safety requirements and constraints
process, its outcome and response to the accident are dependent on an (Leveson, 2011). Such inadequate interactions within the socio-tech-
accident model assumed, i.e. the conceptual understanding of how ac- nical system must be identified, analysed and remedied, regardless of
cidents occur (Benner Jr, 1985; Svenson, 1999). The currently used whether their effect is direct and easily explainable, or it is uncertain or
investigation manuals are based on the Swiss cheese model by Reason extra-organisational, as it happens with nonlinear, more distant—in
(1997), i.e. a complex linear accident model where the importance of time and space—causal factors.

⁎
Corresponding author.
E-mail addresses: r.puisa@strath.ac.uk (R. Puisa), lin.lin@strath.ac.uk (L. Lin), victor.bolbot@strath.ac.uk (V. Bolbot), d.vassalos@strath.ac.uk (D. Vassalos).

https://doi.org/10.1016/j.ssci.2018.08.001
Received 20 March 2018; Received in revised form 30 June 2018; Accepted 1 August 2018
0925-7535/ © 2018 Elsevier Ltd. All rights reserved.
R. Puisa et al. Safety Science 110 (2018) 124–141

With this in mind, the understanding of the contribution of the

entire safety control system—regulators, insurers, manufactures and
supplies, shipping companies, ships, equipment, etc.—becomes essen-
tial for prevention of accidents, incidents and other unwanted events.
This requires going beyond proximate failures and flawed interactions
at the ship and shipping company levels, as well as unhelpful as-
sumptions that unfortunate events are mainly random and caused by
“human erroneous actions”, e.g. (EMSA, 2017). Hence, the exploration
should seeks to answer the question why accidents could occur, ex-
tending the frontiers of current knowledge about the underlying causal
mechanisms thereby (Fig. 1). Attempts have been made to bridge this
knowledge gap (Section 2), but the problem, alas, remains under-re-
searched.
Hence, the purpose of this paper is to illuminate dysfunctional in-
teractions within the entire system of maritime safety control, the in-
teractions that gave rise to direct, contributing and systemic causal
factors behind significant incident and accidents. To this end, we
adopted the Systems-Theoretic Accident Model and Processes (STAMP)
and its method for causal analysis called CAST (Leveson, 2011). We
Fig. 1. Dysfunctional interactions (inadequate safety enforcement) within the
applied CAST to analyse 188 incident and accident reports, retrieving
overall system.
1250 instances of dysfunctional interactions in the system. We classified

Fig. 2. Generic safety control structure (maritime safety control system).

125
R. Puisa et al. Safety Science 110 (2018) 124–141

Table 1
The role of individual components in the generic safety control structure (Kristiansen, 2005; STCW, 2010).
Component (subsystem) Purpose/safety role Control and feedback mechanisms, context

International Maritime Organisation Develops and maintains a comprehensive regulatory framework for Issues safety standards for construction, equipment and operation
(IMO) safety shipping of ships. Receives feedback (incl. on R&D studies) from member
states, inter-governmental organisations, non-governmental
organisations. IMO has no power to enforce international safety
regulations, and this task is passed to flag states
European Maritime Safety Agency Provides technical assistance and support to the European Assists Member States with the practical implementation of EU
(EMSA) Commission and Member States in the development and legislation, organises appropriate training activities and promoting
implementation of EU legislation on maritime safety, pollution by a dissemination of best practices in the EU, monitors classification
ships and maritime security societies, port state control and the development of ship reporting
systems in Member States
Ministry of Transportation (MoT) Implements international safety regulations and directives ratified/ Enforces the implementation safety regulations and directives
adopted by the state and EU parliament through national maritime administrations and port authorities,
which report to MoT on safety related issues
Flag state (maritime administration) Enforcement of international safety regulations and issues and Flag state inspection of sailing vessels, survey and acceptance of
controls safety certificates. Acts on behalf of the state new buildings, approval of manning, audit of SMS under ISM
Code, monitor maritime traffic and dangerous cargoes, and
investigate and analyse maritime accidents. Some of these
functions (e.g. surveys and SMS audit) are normally contracted out
to classification societies
Port administration/authority Responsible for safety in port and harbour approaches May control safety standards of vessels, and may deny access to
substandard vessels
Vessel traffic services (VTS) Marine traffic monitoring system established by harbour or port Provides information, traffic organisation, and navigational
authorities, similar to air traffic control for aircraft assistance services to ships. VTS has an advisory role only
Insurer Takes the main part in the risk on behalf of the ship management May undertake independent assessment of the SMS quality of the
company and cargo owner (i.e. vessel, cargo, third party/protection ship management company
and indemnity insurance)
Classification society Control of technical standards on behalf of insurer during design Validates and reports that construction and operation of a vessel is
and operation. Undertakes safety control functions on behalf of the in accordance with relevant safety standards and carry out regular
flag state surveys in service to ensure continuing compliance with the
standards
Ship builder/supplier Builds the vessel/equipment to owner specification and safety rules Tests the vessel and its systems, carries out repair work,
(statutory, industrial). Develops operational and maintenance communicates design assumptions and limitations to ship owners/
requirements with respect to safety operators in operational and maintenance manuals. Might receive
feedback on the vessel/equipment operation and maintenance
issues
Ship owner Commissions and owns the vessel and decides whether technical Selects crew or management company for crew and operation.
standards will be above minimal safety requirements stipulated in Makes decisions regarding operational and organisational safety
the safety regulations. policies, communicating them to a ship management company (if
different from the owner company)
Ship management company Responsible for crewing, operation and maintenance of the vessel Develops and maintains a safety management system (SMS)
on behalf of the shipowner. Offers other services like inspection according to the ISM Code. Specifies responsibility, authority and
prior to purchase, supervision during building, and ship lay-up interrelation of key personnel. Ensures adequate resources (incl.
solutions their training and selection) and shore-based support
Cargo owner Pays for the transport service and thereby also the quality and May undertake independent assessment of the SMS quality of the
safety of the vessel operation ship management company
Master (Captain) Superior responsibility for safe ship operation and implementation Motivate the crew, issue orders, verify adherence, review SMS, and
of the SMS onboard reports events
Chief Mate/Staff Captain/Safety Second in command to Captain, a head of the deck department and, Supervision and crew training in areas such as safety, firefighting
Officer customarily, a watchstander and is in charge of the ship's cargo and and flooding control, search and rescue. Oversees the loading,
deck crew stowage, securing and unloading of cargoes, and the care of cargo
during the voyage. Enforces all applicable safety regulations
during navigation, loading and unloading in port. Responsible to
Captain for the safety and security of the ship. Typically stands the
4–8 navigation watch as officer in-charge of the navigational
watch, directing the bridge team
Helmsman/Pilot/officer of the watch Steers the ship/keeps watch on the bridge Helm orders or commands fall into two categories: rudder
(OOW) commands and heading commands. Maintains clear and exact
communication with the officer on the bridge for safe navigation
and ship handling. Executes turns and the lookout reports dangers
such as approaching ships.
Mate(s) The second mate is the third/ fourth in command and a Keep the watch, and ensure safety of the ship, its crew, and its
watchkeeping officer. Often is the medical officer and in charge of cargo, according to all applicable regulations and safety
maintaining distress signaling equipment. The third mate is a management system. Mates generally stand watch with able
watchstander and customarily the ship's safety officer, focusing on seamen who act as helmsman and lookout
firefighting equipment, lifeboats, and various other emergency
systems
Equipment, displays, etc Navigation equipment/controls and aids on the bridge Sends signals to actuators to change the speed, heading and other
parameters of the vessel. Displays feedback information about the
propulsion performance, ship speed, heading, global and relative
positions, etc., thereby supporting the save navigation
(continued on next page)

126
R. Puisa et al. Safety Science 110 (2018) 124–141

Table 1 (continued)

Component (subsystem) Purpose/safety role Control and feedback mechanisms, context

Chief engineer Oversees the engine/engineering department and is of equal rank Ensures compliance with the rules and regulations laid down by
to the captain. Responsible for all operations and maintenance of the flag state administration, IMO, and port state authorities.
machinery equipment. Looks after safety of subordinate maritime Carries out frequent inspections of equipment at regular intervals
professionals working in the engineering department (life-saving, fire preventing and other equipment). Issues standing
orders for each crew member under his command, in accordance
with the routine maintenance schedule as laid down by the
Planned Maintenance System (PMS), which is prescribed by the
manufactures. Makes sure that his crew attends all shipboard
emergency drills and safety meetings, providing guidance (based
on the company guidelines and procedures) to his crew during
drills so that they know how to get out of an emergency situation
safely in the minimum time possible. Must maintain a proper
conduct with his crew members and address their queries and
requirements to the best of his abilities
Engineers Second, third (sometimes electro-technical officer), fourth In charge of boilers, fuel, auxiliary engines, condensate and feed
engineers, and engine raitings responsible for supervising the daily systems by carrying out inspections, overhauls and repairs
maintenance and operation of the engine department. Reports (planned and unplanned) according to technical manuals and a
directly to the chief engineer. safety management system
Machinery etc. Generates power (mechanical, electrical, thermal) and provides Physical control (passive and active) of hazardous physical
means for its safe utilisation onboard processes such internal combustion. Provides feedback on physical
parameters (pressure, temperature, voltage, etc.) for safe
operation and maintenance by crew
Automatic and passive controllers Safety systems (safety-instrumented systems) that detect and Alert and alarm hazardous situations for the crew to take action.
(insulation, ventilation, detection control safety hazards (e.g., oil leaks, high temperature surfaces) in Actively supress hazards (e.g., fires)
etc.) the machinery spaces
Contract engineers External engineers that typically represent manufactures of Carry out onboard overhauls and repairs according to technical
installed equipment manuals and agreed safety procedures
Deck crew 1 and 2 Crewmembers looking after safety in accommodation, public areas, Carry out active guidance and supervision of passenger and cargo
cargo, and other areas. The crew is split into the two groups to be safety, enforcing onboard procedures and policies of safety
able to represent dysfunctional interactions between the management. Accountable to the chief mate/staff captain/safety
crewmembers officer
Equipment, services, etc. Equipment and services such as tender and pilot boats, cargo Provides crew and passenger transfer, cargo handling and other
loading facilities on cargo decks and others functions according to safety management procedures

Table 2
Generic CAST steps.
CAST step Comments

Identify the system(s) and hazard(s) involved in the loss Taken from the report
Identify the system safety constraints and system requirements associated with that hazard Defined in Table 3
Determine the proximate events leading to the loss Taken from the report
Analyse the loss at the physical system level. Identify the contribution of hazard control flows to the loss Taken from the report
Moving up the levels of the safety control structure, determine how and why each successive higher level allowed or Analysing the GHSC with the guidance of the
contributed to the inadequate control at the current level STAMP accident model
Examine overall coordination and communication contributors to the loss
Determine the dynamics and changes in the system and the system control structure relating to the loss and any weakening
of the safety control over time
Generate recommendations

these interactions according to their cause and condition that made been widely applied to enrich accident analysis with respect to human
them dysfunction, and discussed the dominant flaws, i.e. weakest links and wider organisational factors (Shappell and Wiegmann, 2012). Ex-
in the maritime safety control. The analysis of the accident reports amples comprise general analysis (Celik and Cebi, 2009; Chen et al.,
would often lead to richer and sometimes different explanations, typi- 2013) and more specific ones, such as of machinery space fires and
cally involving new causal factors to those concluded in the investiga- explosions (Schröder-Hinrichs et al., 2011), ship collisions (Chauvin
tions. Therefore, we also recorded the degree of dissimilarity between et al., 2013), and, most recently, assessing the potential impact of un-
our findings and the conclusions in investigation reports, which we manned vessels on safety (Wróbel et al., 2017). However, HFACS also
found to overlook both direct and contributing causal factors, let alone rests on the Swiss cheese accident model and is used to label types of
systemic ones. errors, problems, or poor decisions made by humans and organisations.
The paper is organised as follows. Section 2 discussed methods and However, HFACS remains inadequate for systemic causal analysis
results applied so far to illuminate wider causal factors within the (Stringfellow, 2010).
maritime safety control system. Section 3 explains the adopted meth- Bayesian belief networks (BBN) have been widely used to in-
odology to achieve the objectives of the work (Section 3). Section 4 corporate managerial, regulatory and other actors of safety control, e.g.
presents the results, which are then discussed in Section 5. The paper is (Kristiansen, 2010; Mazaheri et al., 2016). However, being acyclic
concluded in Section 6. graphs, BBN cannot explicitly represent nonlinear interactions with
feedback loops, which are an integral part of hazard control and risk
management in general. For instance, the absence of feedback on cor-
2. Related work rectness of applied control actions by crew or automation has led to
many accidents, including the engine room fire on cruise ship Le Boreal
The Human Factor Analysis and Classification System (HFACS) has

127
R. Puisa et al. Safety Science 110 (2018) 124–141

Table 3
System-level hazards and constraints.
Hazards Safety constraints and their decomposition at lower levels (subsystems)

H1. Design process overlooks hazardous scenarios that can materialise during operation C1. Risk identification in design must be adequate
and/or maintenance • Design rules and standards must be up to date
• Pertinent design rules and standards must be used and applied correctly

H2. Manufacturing deviates from the design assumptions

• Hazard analysis methods must be adequate to identify all plausible safety hazards
C2. Risk identification during manufacturing must be adequate
• Design assumptions must be well documented and communicated to manufactures
• Communication between designers and manufacturers must be adequate

H3. Onboard safety management system overlooks safety hazards or does not address
• Design must be reviewed and validated/tested (e.g., sea trials)
C3. Design assumptions and the actual operation must match (work as imagined vs.
them adequately work as done)
• Design assumptions must be well documented and communicated to the shipping
company
• Safety management system (SMS) must well reflect all design assumptions, not least
design limitations
C4. SMS must be verified, validated and constantly updated
• SMS must be approved by relevant authorities
• Design modifications and operational changes must be well documented and
reflected in SMS
• Hazard control measures (engineering and management) must be kept adequate
• New hazards must be identified and control measures timely implemented
• Crew must be well familiar with the ship and its safety procedures at all times
• Continuous communication/information exchange between the company and the
ship must be ensured

Table 4 Comprehensive single case analyses exist, but no multiple case analysis
Hierarchical classification of dysfunctional interactions. that aggregates the causal factors into a single causal picture is avail-
Cause of dysfunctional Condition that made it Is included in able. In particular, we were unaware, at the time of writing this paper,
interaction (what/who dysfunction (failure investigation of any multiple case analysis of maritime accidents or incidents with
failed?) mode) conclusions? STAMP/CAST, as presented in this work.

• Control (↓) • Not given (N) • Yes (Y)

• Feedback (↑) • Wrong given (W) • No (N) 3. Methodology
• Both (↓↑) 1
• Given
(EL)
too early/late • Partly (P)
• Stopping too soon/
applying too long/
The adopted methodology rests on the accident analysis approach
CAST that allows examining the entire socio-technical system, taking
given irregularly (S) into account both separate variables and systemic causal factors
• Unknown (U) (Leveson, 2011; Leveson et al., 2003). The CAST has been applied to
1 individual railway, aviation and maritime accidents (Kim et al., 2016;
It represents a situation when there is no clear-cut distinction between
control and feedback.
Song et al., 2012; Wong, 2004); comparisons also exist with other ac-
cident analysis methods (Salmon et al., 2012; Underwood and
(Section 3.4). Waterson, 2014). In contrast to other systemic models, STAMP better
Systemic accident models have been most successful in exploring embodies systems thinking (Underwood and Waterson, 2014) and it is
the safety control system beyond the ship and shipping company. For the most frequently cited (Underwood and Waterson, 2012).
instance, the Accident Analyse Mapping (AcciMap) (Svedung and The key element of CAST is a hierarchical control structure (HCS),
Rasmussen, 2002) has been applied to unravel systemic causes in the which represents a functional model of the safety control system. The
Sewol Ferry accident (Lee et al., 2017). The authors concluded that used HSC is explained in Section 3.1, with Section 3.2 addressing the
limiting blame to the Sewol's captain and its crewmembers was unfair, use of it while analysing accident reports (Section 3.3). Section 3.4
and the disaster was a result of a series of safety issues across different provide an illustrative example of the analysis.
levels of the company, government and regulatory bodies. The CAST
has also been applied to the same accident, resulting with analogous 3.1. Hierarchical safety control structure
conclusions (Kim et al., 2016).
In summary, the literature on identification of systemic causal fac- A hierarchical control structure (HCS) is a functional system model
tors within the entire system of maritime safety control is fairly limited. that is composed of feedback control loops. By system we are referring

Table 5
Classification of accident causes in three causal categories.
Role of accident causes Determination Context and traits Safety constraints/requirements violated

Direct factors (D) Found in accident Subsystem level. Proximate events to the accident within the same Constraints on interaction with physical
analysis subsystem hazardous processes
Contributing/underlying Found in accident Inter-subsystem level. Within the same subsystem or contiguous Constraints on procedures and processes,
factors (C) analysis subsystems. Have a linear effect on proximate events and on interaction between teams and
people
Systemic factors (S) Inferred during accident System level. Between subsystems*. Have a nonlinear effect on System safety constraints on interaction
analysis contributing and proximate events*Ship management company and the between subsystems
ship are considered as one subsystem

128
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 3. The number of accident investigation reports by investigation board (left), and distributions of ship type (top right) and accident/incident category (bottom
right) across investigation reports.

Fig. 4. The starting point for the analysis.

to the maritime safety control system, which includes international and be limited to a shipping company and, hence, the HCS would simply
state regulators, manufacturers, ship management companies, ships and reflect the company’s organogram with extra details (feedback loops,
their crew and equipment and many others (Kristiansen, 2005). An responsibilities and control actions, mental model variables, etc.)
effective HCS will adequately enforce safety constraints on the beha- added. For instance, Leveson et al. has provided an application example
viour of individual system elements (subsystems) and interactions be- to safety control within NASA (Leveson et al., 2005). The validity of
tween them, so that the hazards at the sharp-end are controlled. This is such a single case HCS is verified against engineering and organisation
a systems view on accidents, which, hence, occur when such safety documents, and in conversations with representative from the organi-
constraints are enforced inadequately. sation. This paper performs a multi-case analysis, meaning that either a
Typically, the HCS is created for an existing system, including its separate HCS is developed for each incident and accident or a generic
specific elements and links between them. For instance, the system may HSC (GHSC) is established for all of them. Fortunately, a GHSC can be

129
R. Puisa et al. Safety Science 110 (2018) 124–141

Table 6
Summary of dysfunctional interactions in safety control of the Le Boreal incident (symbols and abbreviations are explained in Tables 4 and 5).

easily created for the maritime safety control system, because the HCS individual reports—were added. For instance, if a new report dealt with
is built at the functional level (“What?”), as opposed to physical level navigational decisions on the bridge and the bridge had not been in-
(“How?”). At the functional level, the physical differences vanish be- cluded into the GHSC yet, we would add it into the GHSC. The GHSC
tween organisations of the same type, as well as between ships. This would contain all system elements for the next few reports until new
argument is further reinforced by the fact that the used dataset of ac- elements (e.g., VTS, contract engineers) had to be added. Hence, the
cident reports was relatively uniform, containing only passenger ships final GHSC contains an exhaustive set of system elements involved in
within a relatively narrow range in size. The validity of the GHSC was causation of the analysed incidents and accidents, as shown in Fig. 2.
further supported by the general guidelines (Leveson, 2011) and an The GHSC contains control and feedback arrows between controlling
array of example applications of STAMP where HSC diagrams have and controlled components, as well as communication and coordination
been developed, e.g. (Kim et al., 2016; Wróbel et al., 2018). channels as dashed lines. Note, the dashed lines denote the absence of
The initial, high level GHSC version was informed by Kristiansen legal or organisational enforcement of safety constraints or request for
(2005) and the in-house domain knowledge on safety control in the feedback between the components. Hence, they represent advisory,
maritime domain. Then, as the analysis of investigation reports was consultative communication channels. Table 1 describes the roles of the
progressing, new system elements—prompted by the CAST analysis of key components (subsystems) in the GHSC in terms of the following

130
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 5. Dysfunctional interactions that led to Le Boreal incident.

characteristics (Leveson, 2011):

• Safety requirements and constraints to be enforced upon a component

beneath, or communicated to other components.
• Controls, i.e. specific means of enforcing the constraints and thereby
exerting control, or specific means of communicating safety in-
formation.
• Feedback, i.e. specific means of receiving the state of enforcement of
the safety constraints, or specific means of communicating feedback.
• Context, i.e. disturbances in environment and behaviour-shaping
factors that can undermine the enforcement of safety constraints or
adequate communication.

It should be noted that although the GHSC is high level, it allows us

to capture direct and contributing (organisational) causal factors such
as unsafe actions by technology and humans, design errors, inadequate
feedback from the bridge equipment to officers, etc. For instance, the
Fig. 6. Shares of identified dysfunctional interactions across the three causal GHSC contains automatic and passive controllers against oil leaks, hot
categories. surfaces, etc., although they are aggregated into a single controller.
Such aggregation is justifiable at the functional level, for these con-
trollers perform essentially the same function—hazard mitigatio-
n—although not all of them would have feedback loops, for instance.
Analogous simplifications were also applied to interactions between the

131
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 7. Distribution of causes of dysfunctional interactions (what/who failed). The arrows indicate the direction of control.

system components. For instance, we show the links between the flag situation.
state and the company but omitted the interaction links between the The relevancy of explored interactions to an incident or accident at
flag state and the ship, as well as between the classification society and hand was determined based on the system-level hazards and corre-
the ship. We assumed that the ship is nearly always involved in these sponding safety constraints (Table 3). We used the definition of a safety
interactions. hazards as “a system state or set of conditions that, together with a
particular set of worst-case environmental conditions, will lead to a
loss” (Leveson, 2011). The safety constraints are for clarity transla-
3.2. Analysis and classification
ted—through system engineering decomposition—into safety con-
straints of corresponding subsystems and individual components.
Given an accident report, the CAST analysis follows the steps pro-
The analysis outcome is a set of dysfunctional interactions (e.g.,
vided in Table 2.
inadequate control or feedback, or both) between the system elements.
As Table 2 indicates, the accident investigation reports already
The dysfunctional interactions were classified as shown in Table 4.
contained the basic information necessary for the analysis. Further in-
The rightmost column in Table 4 was used to inform gap analysis,
formation was inferred while exploring the GHCS. As the system ele-
i.e. the gap between the accident causes reported in the investigations
ments in the GHCS are connected through functional causal links of
and revealed during the CAST analysis. The column indicates whether
control, feedback and communication channels, one can navigate from
an observed accident cause was also captured in an accident in-
one element to the other, looking for answers to what and why has
vestigation report at hand. In some reports, the same cause would be
happened. The navigation is guided by a set of standard control flaws,
mentioned in investigation conclusions and recommendations and we
which are related to issues with the control algorithm (purpose, safety
would hence classify it as included. Other reports would contain an
role), process (mental) model, feedback and others (Table 1). The
explicitly narrative of some causal factors, but not reflect them in
guiding principle behind the analysis is the assumption that people and
conclusions and recommendations. We would classify such causal effect
organisations acted according to their best knowledge and ability, tools
as partly included, provided they would lead to specific dysfunctional
and information available at the time. That is, as long as the informa-
interactions during the CAST analysis.
tion about the controlled process state is accurate, training is right, and
The identified dysfunctional interactions show what actually hap-
tools are appropriate, no unsafe action can be expected. This reflects the
pened immediately and long before an incident or accident. They would
modern thinking that the human error is not the end outcome, but is the
act as direct (proximate), contributing, or systemic factors in the acci-
start of accident analysis (Dekker, 2014). The objective is to understand
dent causation (Johnson, 1980). This classification broadly reflects the
why people did what they did and why they could not act differently
intended scope of marine safety investigation (Res. MSC.255(84),
(Dekker, 2016). The same principle applies to machine controllers, but
2008), and it was used to classify dysfunctional interactions according
the questions are why designers (or regulators) made (or accepted)
these broad and vaguely defined categories (Table 5).
specific design assumptions which turned out to be wrong in a given

132
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 8. Distribution of conditions that made control dysfunctional (failure modes of controls).

3.3. Accident reports 2012). The report contained such sections as a summary, factual
information, accident narrative, analysis, conclusions and re-
Given the fast pace in technological change in ship design, it is commendations.
reasonable to focus on recent accidents and serious incidents only.
Additionally, the introduction of the International Safety Management The ship size was not strictly limited, but the majority of the ships
(ISM) Code in 1998 has been transforming the way safety is maintained were of medium or large size (100 m in length and above). We built an
during operation. The twenty years period is relatively short for com- online database that stores all the used investigation reports and access
plete adoption of the new standard (Bhattacharya, 2012), and hence the can be granted to an interested reader by contacting the first author.
later years would be more representative of the current situation. The level of detail was dissimilar across the investigation reports.
Hence, we focused on the last decade only. Some reports were very detailed and comprehensive (e.g., the Costa
As we were concerned to produce results that can be replicated and Concordia investigation by Italian MIT, 180 pages), others were more
challenged by other researchers, we used only publically available ac- concise (e.g., MAIB reports of 40–70 pages), whereas other reports were
cident investigation reports. In total, 188 reports were downloaded quite brief (e.g., Maltese MSIU investigations of 5–10 pages). The type
from 20 investigation boards (Fig. 3). The set also included such no- and scale of the accident clearly affected the extent of an investigation,
torious calamities as the sinking of Costa Concordia and MV Sewol. The but it may also have varied depending on the training of investigators
largest number of the reports, 1/3 of the total, came from the UK and those who actually wrote the reports.
Marine Accident Investigation Branch (MAIB). Nearly half of ships were We recognise that investigation reports are an incomplete source of
Ro-Ro passenger ships and occupational accidents (crew or passenger accident information, principally limited by a stopping rule applied by
injuries and fatalities) represented the leading accident category investigators and selectivity. Potentially, crucial details could have
(Fig. 3). We used only three suitability criteria for the located reports: been overlooked, facts misinterpreted or twisted through use of hind-
sight bias, counterfactual reasoning, normative language, mechanistic
• Accidents or serious incidents for the period 2007–2017. reasoning and other cognitive biases (Dekker, 2002). Additionally, the
• Involve passenger ships : cruise ships, passenger ferries, mega
1
interpretation of original reports may be indeed invalid. However, ac-
yachts, and other passenger ships. cident investigation reports are commonly used for further analysis, e.g.
• Comply with the international investigation and reporting require- (Johnson and Holloway, 2007; Santos-Reyes and Beard, 2009), pro-
ments, (EC, 2009; MSC-MEPC.3/Circ.4/Rev.1, 2014; Res. vided the analysts have a background in safety engineering and the
MSC.255(84), 2008), or corresponding national ones, e.g. (BDT, analysis results are crosschecked, as has been done in this work. In our
case, the analysis involved four researchers, two of them postdocs, one
PhD student, and one professor in maritime safety. Importantly, acci-
1 dent investigation reports contain basic information—such as a timeline
Passenger ship is a ship carrying > 12 passengers (the crew does not count).

133
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 9. Distribution of conditions that made feedback dysfunctional (failure modes of feedbacks).

of proximate events, parties involved and their roles and interactions, piping) was the direct cause of the incident. In particular, the control
etc.—necessary to begin the CAST analysis. In fact, the CAST method actions over of the hazardous equipment were inadequate. The reason
seems to have been developed with this standard information coming why the engineer made this decision was related to the fact that there
out from accident reports in mind. The application of CAST on standard were no adequate feedback and prevention mechanisms in place to
investigation reports has been demonstrated to reveal—as will also be control the right sequence of actions. The absence of timely and accu-
shown in this paper—additional causal factors, including extra prox- rate feedback led to an inconsistent mental model, i.e. the wrong un-
imate events, contributing events and, obviously, systemic causes (Kim derstanding about the system state. Hence, the first question is why the
et al., 2016; Leveson, 2011). feedback and prevention mechanisms were not in place? The investigation
report indicates that the engineer carried out the maintenance without
waiting for a mechanic rating coming in the morning. It would be
3.4. Illustrative analysis
reasonable to assume—and there is no contradiction in the report—that
the engineer followed the established practice by taking this initiative.
In this section, we illustrate the process of applying the described
Hence, the question is why the safety management system (SMS) or man-
methodology to a sample incident. Cruiser Le Boreal experienced a
agement (Chief Engineer) allowed this risky practice? Alternatively, the
serious fire in the engine room in 2015 (BEAmer, 2016). The fire broke
engineer could have not well understood the safe maintenance proce-
out immediately following the erroneous replacement of a fuel filter.
dures or his responsibilities. Hence, the question is why the engineer might
The filter was under pressure, for the engineer confused it with another
not be familiar with the safe maintenance procedures or his responsibilities,
filter (belonging to a different diesel generator) which was indeed
did he receive adequate training? The explosion would not have happened
clogged and needed replacing. The investigation concluded that “the
had the surface of the turbo-blower exhaust elbow been properly
engineer officer who carried out the replacement of a clogged fuel filter
thermo-insulated. The question is why the heat source was not timely de-
element had been presumably misled by a faulty visual memory and
tected and warned about, i.e. why the feedback about the hazard was
undertook the disassembly of an element under pressure” (BEAmer,
missing? Were there objective or/and subjective factors that made the de-
2016). That is, the investigators alluded to the human error. BEAmer
tection difficult? Did the engineers receive necessary training to detect such
recommended that the company consider the addition of a mechanic
hazards in given circumstances?
rating during the night watches and reengineering of the fuel system.
More fundamental, systemic causes that help explain why an in-
The company made changes by forbidding solitary maintenance of the
cident or accident happened were not mentioned in the report. Hence,
fuel feeding lines, migrating to a new generation of filters with a fuel
they were inferred rather than found (Hollnagel, 2004). For instance,
pressure warning device and a purge valve, and installing a protection
we inferred that the design limitation (unprotected hazard) with respect
screen to prevent the contact between oil sprays and unprotected high
to maintenance of diesel generators had inadequately been commu-
temperature surfaces.
nicated by the manufacture and consequently was not reflected in the
At the physical level, the dysfunctional interaction between the
safety management system (SMS). Otherwise, the shipping company (as
engineer and the equipment (diesel generators, fuel filters, exhaust

134
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 10. Summary of dysfunctional interactions (frequencies across all reports are given).

in this particular example) would have reflected the design limitation in system safety constrains C1 and C3 (Table 3), were inferred by ex-
the SMS. There is no particular reason that the company would operate ploring the functional links to the designers/manufacturers.
the vessel with such a serious hazard. Equally, there is no particular The graphical representation of the dysfunctional interactions is
reason that the manufacturer would have not communicated the design shown in Fig. 5. The blue lines indicate the interactions identified in the
limitation had they known about it, meaning that further causal factors investigation report, the red ones denote the ones which were added
such as the use of incomplete hazard analysis by the manufacture could through the CAST analysis, whereas the amber lines contain both. The
be included. numbers next to the links denote the number of instances (across the
Fig. 4 summarises dysfunctional interactions at the physical level, accident reports; only one in this case) where this control/feedback was
with the questions to be answered by analysing the related higher level inadequate. For instance, the engineer applied one wrong control action
controllers which are pointed to by the dashed arrows. An analogous on the machinery, and there was single missing feedback to timely in-
diagram would be produced for each related higher level controller, form the right action. Also, the engineer did not receive feedback from
asking why the control actions were inadequate by analysing feedback, the automatic and passive controller on the state of the lagging cover.
its mental model and communication channels. Table 6 lists the iden- The shaded area in Fig. 5 encloses the subsystems whose dysfunc-
tified dysfunctional interactions after exploring the entire GHCS, tional interactions gave rise to systemic causes behind the incident. The
searching for the answers as to who was responsible for ensuring that end result of these dysfunctional interactions was the deficient SMS, for
the interactions are adequate and why they not happen. it had not catered for the hazardous scenario that materialised. The
The shaded rows in Table 3 correspond to the interactions that were presence of a single dysfunctional interaction between the manu-
overlooked in the accident investigation report. In particular, these are facturer and the shipping company means that this was assumed to
three contributing factors and one systemic factor. The CAST analysis happen once during the handover of the new vessel.
pointed to these contributing factors, which involved the chief en- It should be noted the performed analysis of the Le Boreal incident
gineer, by taking into account his responsibilities and the functional could, in principle, have included other elements of the hierarchical
relationships in the GHCS. The systemic causal factor, which violated control structure, such as the maritime administration and classification

135
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 11. 1st subset of subsystems and interactions between them that gave rise to the systemic causes.

society. For instance, why surveys and audits did not recognise the engineering and deck departments in Fig. 10, where interface fail-
solitary maintenance as hazardous? However, we felt the evidence of ures—of controls and feedback (Fig. 7)—between engineers/bridge
the wide causal picture was very weak in this particular case. This crew and machinery/navigation equipment are shown. The dominant
cautious approach was applied in the complete analysis as well. Hence, direct cause is related to the inadequate control by crew (e.g., master →
the CAST analysis was somewhat conservative. chief mate, master equipment, helmsman etc. → equipment), with the
frequent presence of inadequate feedback from equipment. The defi-
cient communication between the crew members (e.g., between the
4. Results master and other officers) is one of the most frequent causal factors. The
contributing factors, such as inadequate training, supervision, or man-
4.1. General classification agement in general, are observable within the ship subsystem and in the
interaction with the company. The latter interaction is the foremost
The dysfunctional interactions were classified as described in frequent causal factor across all investigation reports (appeared 304
Section 3.1 and shown in Figs. 6–9. times). The dysfunctional interactions at the system level are addressed
The dysfunctional interactions were mapped into the generic safety in the next subsection.
control structure shown in Fig. 10. The arrows are colour coded to
improve readability and distinguish between different frequencies of
dysfunctional interactions across all investigation reports. Thus, the 4.2. Prevailing systemic factors
bright red lines indicate the highest frequency (> 100), blur red
(> 50), orange (> 30) and so on, finishing with the grey having the Given the system safety constraints (Table 3), there were many
lowest frequency. The subsequent graphs (Figs. 7–9) outline the hier- dysfunctional interactions on the overall system level (i.e., between
archical classification of dysfunctional interactions described in subsystems) that gave rise to systemic causes or explanations as to way
Table 4; only 26 most frequent interactions are listed. the incidents and accidents happened. Such systemic factors are shown
The direct factors (proximate events) are clearly seen within in Figs. 11 and 12, where the shaded areas enclose subsystems and their

136
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 12. 2nd subset of subsystems and interactions between them that gave rise to the systemic causes.

interactions that constituted systemic causal factors. hazards in the SMS (recall the Le Boreal incident)—and inadequate
The first set represents systemic factors that violate the system regulatory function by classification societies. These dysfunctional in-
constraint C4. The presence of inadequate regulatory control from flag teractions ultimately led to the fragile SMS. The inadequate hazard
states and classification societies (Figs. 11 and 7) was not particularly identification in design was frequently alluded to in the accident reports
helpful in developing and maintaining a well risk-informed and cost- or inferred during the CAST analysis. Whereas, the presence of dys-
effective SMS by the company. The absence of adequate control from functional communication between the company and the shipbuilder
regulators, as the results indicate, and the natural management pressure could only be justifiably identified in 24 cases, as show in Fig. 12.
towards cost effective operation (Rasmussen, 1997), could—when However, it would be correct to assume that this communication
working together—insidiously lead to the high frequency of dysfunc- channel failed more frequently, or there was another nonlinear effect of
tional control between the company and the ship. We also found that an this dysfunctional interaction on the robustness of the SMS or prox-
important part of this picture of systemic causes were gaps in safety imate events.
regulations by IMO, as Fig. 11 also shows, not the least in relation to the
ISM Code which is considered lax (Kristiansen, 2005). Note, that the
frequencies in dysfunctional interactions between the company and 4.3. Gap analysis
regulators are lower compared to the frequency between the company
and the ship. This may be explained by the nonlinear, background effect In most cases, all direct and indirect causal factors would be men-
of the lax safety control of the company decisions. tioned in the accident investigation reports (Figs. 13 and 14). However,
The second set (Fig. 12) encloses other systemic factors that violate the frequency of omission remains relatively high in absolute terms
the rest of the system constraints: C1, C2 and C3. The earlier discussed (e.g., the top two interactions) and in relative values for many inter-
deficiency in the design process where safety hazards got overlooked is actions (Fig. 15). Hence, the omissions are observable amongst direct,
an important element of systemic causes, but only if it works together contributing and systemic factors in particular. The latter included such
with other factors such as inadequate communication of design lim- interactions as: ship management company → ship, classification so-
itations to the company—subsequently leaving unattended safety ciety/flag state/VTS/other ship → company/ship, IMO → MoT, classi-
fication society → manufactures, etc. The highest rate of omission

137
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 13. Distribution of inclusion of identified dysfunctional interactions in investigation conclusions (absolute values).

corresponds to the interactions being outside the ship and shipping (Batalden and Sydnes, 2014).
company, which are the two main elements of the system considered in Another prominent dysfunctional interaction was within the ship
accident investigations. design and manufacturing context. We specifically denoted this as the
interaction between the project management and design & doc-
5. Discussion umentation teams. This causal factor would typically be related to in-
complete hazard analysis, i.e. some safety hazards during design would
It is worth recalling the systems view on accident causation, which be overlooked. This would be subtle hazards that would remain dor-
states that accidents occur when interactions between and within the mant until some unforeseen events trigger them; the incident with
system elements are controlled inadequately. The presented analysis cruise ship Le Boreal (Section 3.4) is a case in point. Example instances
identified and weighed such dysfunctional interactions within the of inadequate hazard elimination and control at the design stage are
system. In the following, we limit our discussion to the most prominent (many of them was stated in the investigation reports):
and important, in our view, interactions at the organisation and system
levels. • The bilge alarm was not in steering gear/storage compartment.
The deficiency in control and feedback mechanisms between the • Inadequate safety requirements and constraints (Operations
ship management company and the ship, is the most prominent (304 Manual) when it comes to risks involved with the pilot ladder ar-
records). This interaction is at the organisational level, but may well be rangements.
considered as systemic, for a shipping company normally manages • There were no effective means for the hydraulic system of controlled
many loosely dependent ships (subsystems). The primary causes for the pitch propeller to relieve excess pressure in the event that the back
dysfunctional interface lay in the absence of control or the presence of pressure valve failed.
wrong control (Figs. 7 and 8). This points to loopholes in the SMS, with • Insufficient safety requirements with respect to bridge layout de-
hazards (risks) overlooked, presence of insufficient training, and in- sign.
accurate, untimely reporting to the company of problems on the ship. • Provision of insufficient safety requirements and oversight with re-
That is, inadequate feedback on skill, results of risk assessments etc. to spect to installation of light fixtures (fluorescent light) on car decks.
the company forms a wrong mental model about the actual situation • Design of fin stabiliser panel on the bridge centre console did not
onboard, which leads to inadequate control by the company (e.g., in- provide adequate feedback (warning, etc.) about the hazard when in
sufficient training). It appears that the safety management objectives of the manual mode.
the company as per the ISM Code (Paragraph 1.2.2)—such as “Assess all • The rails were designed without considering the risk of falling
identified risks to its ship, personnel, and the environment, and establish during mooring.
appropriate safeguards” and “Continuously improve safety management • Significant hazard of child failing overboard was not taking into
skills of personnel ashore and aboard ships”— have been difficult to account.
achieve. This observation agrees with results of related studies, e.g. • The control was designed so, that once back-up control is activated,

138
R. Puisa et al. Safety Science 110 (2018) 124–141

Fig. 14. Distribution of inclusion of identified dysfunctional interactions in investigation conclusions (relative values).

An important systemic factor is the dysfunctional interactions be-

tween the regulators (classification society and flag state) and the
company and ship. In absolute terms, these interactions were frequent
but not dominant. In this case, the required regulatory control was not
provided in the majority of cases, whereas the feedback from the
company, i.e. the information about the state of safety management,
was mainly wrong. Example instances of unsafe control on the part of
classification societies are (many of them were directly stated in the
investigation reports):

• Did not ensure that the risk assessment for swimming pool opera-
tions has been provided.
• Update on an SMS revision was not requested and its implementa-
Fig. 15. Share of omission across causal categories. tion checked.
• Did not ensure that the crew is properly familiarised with the SMS.
every attempt to control the propulsion was bypassed. • The extensions provided by the classification society allowed for the
• The system did not alert about the mode when moving slower than a
vessel to be operated with malfunctioning control system for a long
time.
particular speed in “Sea Mode”.
• No enforcement of regulation with respect to electric fires.
The design issues would often be overlooked unsafe system states • Did not ensure that the company and crew fully comply with the
SMS procedures during navigation in dangerous areas.
•
(hazards) that involve various interactions, not least the interactions
Approved the vessel without ensuring that the low pressure section
between technology and people, e.g. (Rokseth et al., 2017). New hazard
of the fuel system was screened off.
•
analysis methods, which are not yet imbedded in the current require-
The implementation of proper planned maintenance system by the
ments, could be considered for more comprehensive analysis. For in-
company was not ensured.
•
stance, Systems Theoretic Process Analysis (STPA) is based on STAMP
Did not provide comprehensive guidance to its surveyors with re-
(Leveson, 2011) and it shows very promising results when it comes to
gard to examining thermal oil heaters.
identifying hazards in modern software intensive systems, or cyber
physical systems, which are part of a complex socio-technical context.
Such unsafe control was driven by internal interactions—which
The method is already practiced by some industries and can be used to
were not analysed—within classification societies and external com-
achieve compliance with new safety standards (Mallya et al., 2016).
munication with the company, ship and others. For instance, in one of

139
R. Puisa et al. Safety Science 110 (2018) 124–141

the cases a classification society was not informed about structural suggested, but the highlighted systemic causes have to be addressed
modifications to the vessel and, therefore, wrongly assumed the com- to eliminate conditions leading to the flawed SMS.
pliance. • One of such improvements is related to hazard analysis in design.
Another important systemic factor identified was the flawed com- The study has shown that many accidents and incidents resulted
munication between manufacturers and ship management companies, from unidentified hazards of which some were not subsequently
as exemplified in Section 3.4. Poor communication of design limitations communicated to the operator. We have made suggestions how this
means they are not adequately reflected in the ship’s SMS and, there- problem can be addressed.
fore, the ship will be operated differently as was assumed during design. • The role of individual failures (human error and equipment failures)
The deviation from design assumptions, given they are correct, is a was marginal, giving way to organisational (contributing factors)
well-known causal factor behind many accidents (Leveson, 2015). and systemic causes. This observation agrees with conclusions in
Therefore, the company must make sure that all design assumptions earlier studies (Johnson and Holloway, 2007).
and limitations, as well as any deviations during manufacturing, are • The presented study can be used to inform the development of
well documented and communicated to the company. This should be proactive safety management, in particular the development of
achievable for newbuilding projects and for some ships in the fleet. leading safety indictors at the ship, company, and overall system
Additionally, the development of the SMS must consider realistic cir- levels.
cumstances such as the natural gradient towards least effort by crew,
ubiquitous push for cost effectiveness, and natural work variability There are two notable caveats to the presented study. First, accident
(Hollnagel, 2016; Rasmussen, 1997). The understanding of where the investigation reports were used as the sole information source. This is
safety boundaries are is a key strategy to achieving both safety and cost not, however, an unusual practice, provided mitigation measures are in
effectiveness, for the former is maximised on safety fringes (Rasmussen, place, as explained in Section 3.3. Second, CAST is a worst-case analysis
1997). Corresponding safety constraints will need to be developed and method, not a best-case or most-likely-case method. Being a worst-case,
reflected in the SMS in terms of responsibilities, accountabilities, con- qualitative method, CAST considers causal scenarios exhaustively, al-
trol and necessary feedback mechanisms. Systemic methods such as though, in the best-case, some of them might have not happened at all.
STAMP can be used to achieve that. However, having an exhaustive list of causal scenarios is obviously
more beneficial, although is also costlier.
6. Conclusions
Acknowledgement
Lessons from major maritime accidents are used to inform changes
in design and operation of ships. Such a process of evolutionary im- We would like to thank our colleague Stuart Williams for sharing his
provement in safety is only as effective as the explanation of accident knowledge on maritime safety and providing valuable feedback to this
causes is. This study has shown that existing accident analysis is limited study.
in explaining as to why an accident has happened, primarily focusing
on what happened and who was at fault. Therefore, this study has at- References
tempted to illuminate the role of the wider socio-technical context that
was giving rise to causal mechanisms behind recent incidents and ac- Batalden, B.-M., Sydnes, A.K., 2014. Maritime safety and the ISM code: a study of in-
cidents with passenger ships. In summary, the paper has made the vestigated casualties and incidents. WMU J. Maritime Affairs 13, 3–25.
BDT, 2012. The Merchant Shipping (Accident Reporting and Investigation) Regulations
following contributions: 2011, 2012. British Department for Transport, London.
BEAmer, 2016. Marine safety investigation report. Fire in the engine compartment on
• We analysed 188 incident and accident reports and identified 1,250 board the expedition-cruiser liner Le Boreal on 18 November 2015, off Falkland
Islands. Bureau d'enquêtes sur les événements de mer (BEAmer).
instances of dysfunctional interactions within the system of mar- Benner Jr, L., 1985. Rating accident models and investigation methodologies. J. Saf. Res.
itime safety control. We classified these interactions according to 16, 105–126.
their cause (control, feedback or both), condition that made them Bhattacharya, S., 2012. The effectiveness of the ISM code: A qualitative enquiry. Mar.
Policy 36, 528–535.
dysfunction (control/feedback not given, wrong given, given too Carroll, J.S., 1998. Organizational learning activities in high-hazard industries: the logics
later, etc.) and causal category (direct, contributing and systemic). underlying self-analysis. J. Manage. Stud. 35, 699–717.
Then we mapped the identified interactions onto a functional model Celik, M., Cebi, S., 2009. Analytical HFACS for investigating human errors in shipping
accidents. Accid. Anal. Prev. 41, 66–75.
of maritime safety control to highlight its weakest links and be used
Chauvin, C., Lardjane, S., Morel, G., Clostermann, J.-P., Langard, B., 2013. Human and
to suggest likely explanations behind maritime accidents. organisational factors in maritime accidents: Analysis of collisions at sea using the
• We discussed the systemic causal factors, underlying causal me- HFACS. Accid. Anal. Prev. 59, 26–37.
Chen, S.-T., Wall, A., Davies, P., Yang, Z., Wang, J., Chou, Y.-H., 2013. A Human and
chanisms that could insidiously degrade safety management sys-
Organisational Factors (HOFs) analysis method for marine casualties using HFACS-
tems, or, in general, various types of safety barriers such as orga- Maritime Accidents (HFACS-MA). Saf. Sci. 60, 105–114.
nisational, technical and others. Dekker, S., 2014. The field guide to understanding'human error'. Ashgate Publishing Ltd.

• The classification of dysfunctional interactions also included the Dekker, S., 2016. Just Culture: Balancing Safety and Accountability. CRC Press.
Dekker, S.W., 2002. Reconstructing human contributions to accidents: the new view on
degree of their omission in the accident investigation reports. This error and performance. J. Saf. Res. 33, 371–385.
allowed to perform a gap analysis of which results have also been EC, 2009. DIRECTIVE 2009/18/EC.
presented. In most cases, all direct and contributing causal factors EMSA, 2017. Annual Overview of Marine Caualties and Incidents 2017. European
Maritime Safety Agency.
would be mentioned in the accident investigation. However, the Hollnagel, E., 2004. Barriers and Accident Prevention: or How to Improve Safety by
frequency of omission remains relatively high for all three causal Understanding the Nature of Accidents Rather than Finding Their Causes. Ashgate,
categories, for systemic factors in particular. Hampshire.
Hollnagel, E., 2016. Barriers and Accident Prevention. Routledge.
Johnson, C.W., Holloway, C.M., 2007. A longitudinal analysis of the causal factors in
By examining the analysis results, the following observations and major maritime accidents in the USA and Canada (1996–2006). Saf. Syst. 85–104.
recommendations can be made: Johnson, W.G., 1980. MORT Safety Assurance Systems. Marcel Dekker Inc.
Kim, T.-E., Nazir, S., Øvergård, K.I., 2016. A STAMP-based causal analysis of the Korean

• Deficiencies in the SMS, such as overlooked safety hazards, in-

Sewol ferry accident. Saf. Sci. 83, 93–101.
KMST, 2014. 여객선 세월호 전복사고 특별조사 보고서 [Safety Investigation Report of MV
sufficient training, inadequate feedback to the company, etc., were Sewol]. Korean Maritime Safety Tribunal.
the most frequent contributing causes behind analysed accidents Kristiansen, S., 2005. Maritime transportation: safety management and risk analysis.
Kristiansen, S., 2010. A BBN Approach for Analysis of Maritime Accident Scenarios.
and incidents. Some immediate improvements in the SMS have been

140
R. Puisa et al. Safety Science 110 (2018) 124–141

ESREL, Rhodes, Greece. Salmon, P.M., Cornelissen, M., Trotter, M.J., 2012. Systems-based accident analysis
Lee, S., Moh, Y.B., Tabibzadeh, M., Meshkati, N., 2017. Applying the AcciMap metho- methods: A comparison of Accimap, HFACS, and STAMP. Saf. Sci. 50, 1158–1170.
dology to investigate the tragic Sewol Ferry accident in South Korea. Appl. Ergon. 59, Santos-Reyes, J., Beard, A.N., 2009. A systemic analysis of the Edge Hill railway accident.
517–525. Accid. Anal. Prev. 41, 1133–1144.
Leveson, N., 2011. Engineering a Safer World: Systems Thinking Applied to Safety. MIT Schröder-Hinrichs, J.U., Baldauf, M., Ghirxi, K.T., 2011. Accident investigation reporting
Press. deficiencies related to organizational factors in machinery space fires and explosions.
Leveson, N., 2015. A systems approach to risk management through leading safety in- Accid. Anal. Prev. 43, 1187–1196.
dicators. Reliab. Eng. Syst. Saf. 136, 17–34. Shappell, S.A., Wiegmann, D.A., 2012. A Human Error Approach to Aviation Accident
Leveson, N.G., Daouk, M., Dulac, N., Marais, K., 2003. Applying STAMP in accident Analysis: The Human Factors Analysis and Classification System. Ashgate Publishing
analysis. Ltd.
Leveson, N.G., Dulac, N., Barrett, B., Carroll, J., Cutcher-Gershenfeld, J., Friedenthal, S., Song, T., Zhong, D., Zhong, H., 2012. A STAMP analysis on the China-Yongwen railway
2005. Risk analysis of NASA independent technical authority. Cambridge, MA. accident. Comput. Saf., Reliability, Security 376–387.
Lundberg, J., Rollenhagen, C., Hollnagel, E., 2009. What-You-Look-For-Is-What-You-Find STCW, 2010. International Convention on Standards of Training, Certification and
– The consequences of underlying accident models in eight accident investigation Watchkeeping for Seafarers. IMO, London.
manuals. Saf. Sci. 47, 1297–1311. Stringfellow, M., 2010. Human and Organizational Factors in Accidents, sl. MIT.
Mallya, A., Pantelic, V., Adedjouma, M., Lawford, M., Wassyng, A., 2016. Using STPA in Svedung, I., Rasmussen, J., 2002. Graphic representation of accidentscenarios: mapping
an ISO 26262 Compliant Process. Springer International Publishing, Cham, pp. system structure and the causation of accidents. Saf. Sci. 40, 397–417.
117–129. Svenson, O., 1999. On models of incidents and accidents. In: 7th European Conference on
Mazaheri, A., Montewka, J., Kujala, P., 2016. Towards an evidence-based probabilistic Cognitive Science Approaches to Process Control, Villeneuve d’Ascq, France,
risk model for ship-grounding accidents. Saf. Sci. 86, 195–210. September, pp. 169–174.
MIT, 2013. Cruise Ship COSTA CONCORDIA. Marine casualty on January 13, 2012. Twomey, B., 2017. Making the case for safe autonomous marine cyber physical systems,
Report on the safety technical investigation. MINISTRY OF INFRASTRUCTURES AND Marine Electrical and Control Sytems Safety Conference (MECSS). IMarEST, Glasgow.
TRANSPORTS. Underwood, P., Waterson, P., 2012. A critical review of the STAMP, FRAM and Accimap
MSC-MEPC.3/Circ.4/Rev.1, 2014. Revised harmonized reporting procedures – Reports systemic accident analysis models. In: Advances in Human Aspects of Road and Rail
required under SOLAS regulations I/21 and XI-1/6, and MARPOL, articles 8 and 12. Transportation. CRC Press, Boca Raton, pp. 385–394.
IMO, London. Underwood, P., Waterson, P., 2014. Systems thinking, the swiss cheese model and acci-
Pitblado, R., Fisher, M., Nelson, B., Fløtaker, H., Molazemi, K., Stokke, A., 2016. Concepts dent analysis: A comparative systemic analysis of the Grayrigg train derailment using
for dynamic barrier management. J. Loss Prev. Process Ind. 43, 741–746. the ATSB, AcciMap and STAMP models. Accid. Anal. Prev. 68, 75–94.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Saf. Wong, B., 2004. A STAMP Model of the Überlingen Aircraft Collision Accident. Institute
Sci. 27, 183–213. of Technology, Massachusetts.
Reason, J., 1997. Managing the risks of organizational accidents. Wróbel, K., Montewka, J., Kujala, P., 2017. Towards the assessment of potential impact of
Res. MSC.255(84), 2008. Adoption of the Code of the International Standards and unmanned vessels on maritime transportation safety. Reliab. Eng. Syst. Saf. 165,
Recommended Practices for a Safety Investigation into a Marine Casualty or Marine 155–169.
Incident (Casualty Investigation Code). IMO. Wróbel, K., Montewka, J., Kujala, P., 2018. System-theoretic approach to safety of re-
Rokseth, B., Utne, I.B., Vinnem, J.E., 2017. A systems approach to risk analysis of mar- motely-controlled merchant vessel. Ocean Eng. 152, 334–345.
itime operations. Proc. Inst. Mech. Eng., Part O: J. Risk Reliability 231, 53–68.

141