Hierarchical Safety Control Structure Diagram

In this approach, a system is viewed as a hierarchy of structures in which each level imposes constraints on the activities of the level beneath it, and accidents are viewed as the consequence of inadequate control of safety constraints. A hierarchical safety control structure diagram represents the feedback and control structure of the system. Controls are represented by downward arrows showing a reference channel that carries the information necessary to impose safety constraints on the level below. Feedback is represented by upward arrows showing the measuring channel, through which feedback is returned up the hierarchy on how effectively constraints are being satisfied.

Figure 1 shows a generic control structure model of healthcare (adapted from Leveson 2004). The left-hand side of the model shows the control structure for system/policy development and the right-hand side shows the control structure for the care delivery operation.

Figure 1. General control structure model of healthcare (adapted from Leveson, 2004)

Once a hierarchical safety control structure diagram is constructed, the inadequate controls (control flaws) involved in the accident need to be identified across both system/policy development and the care delivery operation. Leveson (2004) proposed a taxonomy of inadequate controls with three main categories: inadequate enforcement of constraints; inadequate execution of control action; and inadequate or missing feedback. Understanding the control flaws in the system helps generate recommendations for remedial actions that strengthen the safety control structure.

Figure 2 represents a safety control structure concerning the insulin over-prescription incident. Three main categories of control failures (Leveson, 2004) were used to show relevant examples from the insulin over-prescription case.

Category 1: Inadequate enforcement of constraints, e.g. pharmacy dispenser’s weak sense of responsibility for a prescription double-check;

Category 2: Inadequate execution of control action, e.g. unclear handwriting by the diabetes specialist nurse;

Category 3: Inadequate or missing feedback, e.g. no immediate prompt to help the doctor identify an error.

Figure 2. Safety Control Structure for Insulin Prescription Incident Analysis (Canham et al., under review)

Hierarchical Safety Control Structure Diagrams are usually used as part of the Systems-Theoretic Accident Model and Processes (STAMP) (Leveson, 2004). STAMP is a generic approach based on systems theory and is particularly suitable for the analysis of complex, large-scale accidents. The method might be less simple to learn and use than AcciMap.

STAMP has also been used to analyse accidents in various domains, e.g. aviation (Allison et al., 2017), patient safety (Leveson et al., 2016) and marine transportation (Kim et al., 2016).


  • Allison, C.K., Revell, K.M., Sears, R., Stanton, N.A., 2017, Systems Theoretic Accident Model and Process (STAMP) safety modelling applied to an aircraft rapid decompression event, Safety Science, Volume 98, October 2017, Pages 159-166.
  • Canham, N., Jun, GT., Waterson, P., Khalid, S., under review, Integrating Systemic Accident Analysis into Patient Safety Incident Investigation Practices, Applied Ergonomics.
  • Kim, T., Nazir, S. and Øvergård, K. I., 2016. A STAMP-based causal analysis of the Korean Sewol ferry accident. Safety Science, 83, 93-101.
  • Leveson N., 2004, A new accident model for engineering safer systems. Safety Science 2004; 42: 237–70.
  • Leveson N, Samost A, Dekker S, Finkelstein S, Raman J., 2016, A Systems Approach to Analyzing and Preventing Hospital Adverse Events. Journal of Patient Safety.