An Integrated Quantitative Safety Assessment Framework Based on the STPA and System Dynamics

Abstract

With the complexity of the socio-technical system, the requirement for safety analysis is growing. In actuality, system risk is frequently created by the interaction of numerous nonlinear-related components. It is essential to use safety assessment methods to identify critical risk factors in the system and evaluate the safety level of the system. An integrated safety assessment framework combining the system theoretic process analysis (STPA), the analytic network process (ANP) and system dynamics (SD) is suggested to analyze the safety level of socio-technical systems to achieve qualitative and quantitative safety evaluation. Our study constructs an STPA and SD integration framework to demonstrate the practical potential of combining STPA and SD approaches in terms of risk factors and causality. The framework uses the STPA method to define the static safety control structure of the system and analyzes the primary risk factors. The unsafe control actions (UCAs) from the STPA method are transformed into network layer elements of ANP. The ANP method is used to calculate the element weights, which are the impact coefficients between the system dynamics (SD) variables. The SD method is used to assess the safety level of the system. Finally, a specific coal mining system is used to demonstrate how the proposed hybrid framework works. The results indicated that the safety level of the system was low on days 38 and 120 of the simulation cycle (one quarter). Our work can overcome the limitations of conventional STPA quantitative analysis and simplify SD qualitative modeling to serve as a reference for complicated system safety/risk analysis work.

1. Introduction

Socio-technical systems are growing increasingly complex with frequent interactions between diverse aspects such as people, equipment, environment, and administration. How to ensure the safe operation of socio-technical systems has become one of the main focuses of current research. Many disastrous incidents have occurred in recent years as a result of the complexity of socio-technical systems, resulting in massive casualties and property damage. For example, in July 2011, a high-speed train crash in Wenzhou, China, resulted in 40 deaths and 172 injuries [1]. On January 18, 2019, a gasoline pipeline explosion in Hidalgo, Mexico, killed 124 people and injured dozens [2]. Consequently, safety assessment of the socio-technical systems is essential for reducing the accident incidence and enhancing the safety of system.

The safety assessment of socio-technical systems includes qualitative approaches for risk identification and quantitative methods for system safety assessment [3,4]. The most qualitative safety analysis models are currently based on the event chain model, such as failure mode effects analysis (FMEA) [5] and the Swiss cheese model (SCM) [6]. The event chain has long been a foundational concept in system safety theories and models. However, most system failures are the result of a complex structure of interdependent components that do not operate in a linear fashion. Consequently, a system-based safety analysis model is proposed, in which failures or dangers are regarded as abrupt phenomena resulting from the interaction of system components [7]. This model describes the characteristic performance of the overall system to analyze the potential impact of personnel, organization, management, and other factors on the system. Quite some literature has been published on system-based safety analysis models, such as the functional resonance accident model [8] (FRAM), the “2–4 model” [9], the human factors analysis and classification system (HFACS) [10] and the system theoretic process analysis (STPA) [11].

The STPA method provides a more thorough understanding of a system than other system-based safety analysis models [11]. It describes the component relationships and their impact at all levels of the system. In addition, STPA can support the system safety engineer in defining the design limitations required to ensure safety and ensuring that the design and operation of the system meet these constraints [12]. Currently the STPA method has been applied in various fields. Shin S M et al. [13] proposed a method to analyze I&C system hazards and assess the relative importance of system components in terms of human–system interaction based on STPA, and applied it to a nuclear power plant system safety analysis case. Esra Bas [14] applies the STPA method to a socio-technical system for monitoring and tracking diabetes mellitus (DM). Taking the Chongqing Metro Line 10 and Loop Line as examples, Mo Li et al. [15] used the STPA method to analyze the loss scenarios of interconnection lines during mode switching and proposed various leading indices.

Furthermore, STPA also has been criticized as a qualitative technique that disregards the quantification of risk [16,17]. Nancy Leveson [18] proposed STPA as a qualitative and descriptive safety analysis method. According to her research, this method can only analyze the static structure of system, and it lacks quantitative analysis and the development trend of the safety of system. As the behavior of components in the safety control structure changes, the safety control of the system may decrease over time [18]. Therefore, the safety analysis of the safety of socio-technical systems requires understanding not only of the static structure of the system (structural complexity) and its changes over time (structural dynamics), but also of the dynamics underlying these changes (dynamic complexity). In the past few years, many researchers have tried to analyze socio-technical systems quantitatively by combining STPA with other methods. For instance, Alheri Longji Dakwat et al. [19] developed an approach that combines STPA and model checking to provide a formal and quantifiable manner to express the dangerous control activities that STPA identifies. Nevertheless, it is challenging to accurately represent the dynamics of system safety using current methodologies.

Remarkably, an increasing number of researchers have acknowledged that integrating system dynamics (SD) with an STPA approach is an efficient and practicable method for quantitative analysis of socio-technical systems [18]. Jay Forrester established system dynamics in the 1950s at MIT to assist individuals in comprehending the structure and dynamics of complex systems, designing high-leverage policies for continuous improvement, and promoting successful implementation and change [20]. With the development of computing technology, system dynamics has become widespread in many domains. Mohammadi, Amir Mohammadi [21] presented four major models for studying system safety in the construction industry, which could be utilized to examine recurring worker behavior patterns and build effective accident prevention methods. Amiri Alireza [22] utilized SD to evaluate the wheat production system and analyze the effects of various schemes on many parameters of the sustainability of wheat production.

However, the building of system dynamics models remains difficult due to the lack of a defined foundation for the qualitative modelling phases, particularly in the setting of socio-technical systems. STPA can be utilized to compensate for qualitative modeling of system dynamics in safety assessment. Most existing frameworks for combining STPA and SD focus on the possibility of integrating STPA analysis into SD models and rarely discuss the practical implementation during safety assessments. [23,24,25]. The purpose of this study is to develop a hybrid framework of STPA and SD integration to demonstrate the practical potential of combining STPA and SD methodologies in terms of risk factors and causality. In the process of safety assessment, the system dynamics method lacks the study of the interaction mechanisms and influence relationships between system variables, which makes the design of variable and parameter sets challenging [26]. The ANP method, which takes into account the interrelationships between quantifiable and easily accessible safety evaluation metrics, is utilized to address these limitations [27]. The integrated model is used to address the following three problems:

(1)

How to extract risk factors and their qualitative cause–effect correlations from socio-technical systems.

(2)

How to quantify the causal relationships between the risk factors.

(3)

How to quantify the safety level of socio-technical systems and provide early warning of their weaknesses.

In our system safety assessment, the ANP method was used to estimate the relative significance and priority of the safety assessment indices, which is useful for establishing system dynamics model equations. Saaty proposed the ANP method in 1996 as a more pragmatic approach for handling non-independent and feedback hierarchical decision issues [28]. This work therefore builds on the ANP to integrate the STPA and SD methodologies. By doing so, the aim is to compensate for the shortcomings of STPA and SD and use their strengths to conduct a comprehensive safety assessment of socio-technical systems. This paper details a hybrid assessment framework based on the STPA, ANP, and SD methodologies. Both qualitative and quantitative methods were used in this framework. The STPA method was used in our hybrid framework to extract and analyze the possible risk factors and their causal relationships of the system, while the ANP method was used to quantify the causal relationships between the factors. On this foundation, we developed a SD model, which evaluates the safety level of the system to provide early warning of weaknesses in the system. It identifies unsafe control actions and loss scenarios within the system and evaluates how the safety level is evolving depending on loss scenario feedback. The rest of the paper is structured as follows: Section 2 discusses the methods proposed. Then, a case study is conducted to demonstrate the efficacy of the hybrid model provided. In Section 4, the conclusions of this study are presented.

2. Methodology

2.1. System Theoretic Process Analysis (STPA)

The STPA method emphasizes controlling or enforcing constraints on system behaviors based on systems thinking and systems theory [29]. Loss and risk are seen as the result of inadequate control over the behaviors and interactions of system units. Our methodology takes technology (including hardware and software) as well as personnel and organizational variables into account. Process flow of the STPA method used in this paper is depicted in Figure 1. Each step is described in greater detail below.

Step 1: The application of STPA begins with a clear analytical purpose, including the definition of losses, identification of system-level hazards and identification of system-level safety constraints.

Step 2: The purpose of this step is to construct a hierarchical control structure model consisting of feedback control loops. The hierarchical control structure model consists of five elements: controller (including control algorithm and process models), control behaviors, feedback, other input or output instructions for the component, and controlled processes. The controller controls the program by providing control behaviors and imposes constraints on the behaviors of the controlled process.

The control algorithm represents the decision-making process of the controller. The controller also has its own process model, which represents its internal thinking at the time of the previous decision. The process models are partially updated by analyzing the controlled processes through feedback. The feedback used to observe the controlled process is utilized to continually update the process model.

Step 3: After modeling the control structure, the next step is to identify unsafe control actions. Unsafe behavior actions refer to control behaviors that pose a risk in certain and worst-case scenarios, including the four scenarios listed below:

(1)

Not providing the control action leads to a hazard.

(2)

Providing the control action incorrectly or when not needed leads to a hazard.

(3)

Providing the CA too early or too late or in the wrong order leads to a hazard.

(4)

Providing the CA too long or too short leads to a hazard.

Step 4: Based on the unsafe behaviors table and the model of the control structure, this stage identifies the loss scenarios. Loss scenarios describe the triggers that can lead to unsafe control actions and hazards. As shown in Figure 1, loss scenarios include scenarios that lead to unsafe control actions and scenarios in which control actions are improperly executed or not executed. Loss scenarios that lead to unsafe control actions include unsafe controller behavior and inappropriate feedback (as shown by the orange highlight in Figure 1). Loss scenarios in which control actions are improperly executed or not executed include involving those control paths and controlled processes (as shown in Figure 1 with blue highlight).

2.2. Analytic Network Process (ANP)

In this study, the ANP method is introduced to facilitate the conversion between the STPA and SD methods. Firstly, the UCAs from the STPA method are transformed into the elements in the ANP model. Then, the elements and element weights from the ANP model are turned into the variables in the SD model and the influence coefficients between the variables, respectively. It merges the hierarchical structure with a network structure to calculate the complex interaction between decision factors. Following is a description of the general ANP method steps.

• Establishment of the network structure model

The ANP method takes into account the interdependence between system elements and the feedback from lower to higher levels so that the interaction between system elements may be represented more precisely. The application of ANP commences with the construction of a network structure model of system safety impacting factors. The structure model of the influence factor network consists of control layer and network layer elements. The control layer contains aspects that directly impact the system’s safety. The network layer includes all objects impacted by the control layer. The interaction network structure is then formed based on the causal association between the parts of the control layer.

2.

Determination of the weights of the influencing factors

Owing to the intricacy of the ANP concepts and method, this paper use the ANP software developed by WJL Adams, R Saaty [30] called Super Decision. Control layer and network layer elements are initially entered into the Super Decision software. The relevant industry experts are then invited to evaluate the significance of the relevant elements using a 1~9 scale (

Table 1. 1~9 scale method.

Scale	Definition	Explanation
1	Element 1 is as vital as element 2.	Both elements have an equal impact on the criterion.
3	Element 1 is somewhat more valuable than element 2.	Element 1 has a somewhat larger impact on the criterion than element 2.
5	Element 1 is significantly more important than element 2.	The degree of influence of both on the criterion, element 1 is significantly greater than element 2.
7	Element 1 is intensively more important than element 2.	The degree of influence of both on the criterion, element 1 is intensively greater than element 2.
9	Element 1 is exceedingly more important than element 2.	The degree of influence of both on the criterion, element 1 is exceedingly greater than element 2.
2, 4, 6, 8	The middle of two adjacent scales.	Adopt when you need a compromise.
Reciprocal Value	If element 1 compares to element 2, use one of the values listed above; if element 2 compares to element 1, use the reciprocal value of the numbers listed above.

) [31]. Finally, the software subsequently outputs the relative weights of the relevant elements.

2.3. System Dynamics (SD)

System dynamics is a modeling method based on control theory that focuses on comprehending how feedback loop mechanisms influence the system [32]. The general steps for applying the SD method are shown below.

Step 1: The SD method begins with determining the kind of subsystem and selecting the variables to be analyzed. This paper determines the variables based on the network layer aspects of the ANP method. Individual safety subsystem, environmental safety subsystem, equipment safety subsystem, and management safety subsystem are created as subsystems related to variables for system safety analysis.

Step 2: This step concentrates on developing a causal loop diagram based on the causal relationship between variables.

The causal feedback loop is composed of variables and linkages (arrows) that denote causality. There are positive and negative polarities inside the causal relationships [33]. Positive causality denotes those two linked variables will increase or decrease simultaneously, while negative causality suggests that an increase in one variable will result in a reduction in the other variable, and vice versa. When the number of negative linkages in a feedback loop is even, the loop is positive. When the number of negative feedback loop links is odd, the feedback loop is negative. Positive feedback loops amplify variable changes, while negative feedback loops correct variable changes and preserve system equilibrium.

Combining STPA and SD methods in this paper is based on two fundamental concepts: (1) The UCAs from the STPA method and the loss scenarios are converted, respectively, into network layer elements of the ANP model and causal feedback loops of the SD model. (2) The elements and element weights in the ANP method are converted to variables and influence coefficients between variables in the SD model. Here is an example of combining the STPA and SD methodologies:

• UCA: Miners use personal protective equipment (PPE) too late when the oxygen content of the workplace is below 18% (data from the literature [34]).
• Loss scenario: Coal mining site supervisors low safety awareness and cannot require miners to use self-rescue devices in a timely manner when the oxygen concentration in the workplace is below 18%.
• The network layer element in ANP: Safety perception, safety protection.
• Causal loop (part of): Safety perception→safety protection. (The reduced safety awareness will reduce the proportion of people wearing PPE.)

Step 3: Based on the causal loop diagram, this step generates the stock flow diagram and specifies the functional equations for the system variables. In this work, the function equation between variables is determined by using influence coefficients between variables.

2.4. Framework for the Proposed Method

This paper proposes an assessment framework for system safety that combines the STPA and SD methods. Using the STPA method, our framework describes the static safety control structure of socio-technical systems. By collecting the relevant UCA, the major elements affecting the safety of the system are identified. These elements comprise the network layer of the ANP method. By classifying the network layer elements further, four control layer elements are created: individual, equipment, environment, and management. Using the ANP method, the weight of control layer and network layer elements is then determined. The SD method is used to model and quantify the system dynamics evolution process behind the static control structure of socio-technical systems. Variables in SD models are derived from network and control layer elements. The weight of the element is used as the influence coefficient of the variable to form the variable equation. The proposed framework is shown in Figure 2.

The framework consists of three components: (1) the safety control structure and crucial influencing factors are captured using STPA; (2) factor weights are calculated using the ANP method; and (3) the SD method is used to analyze changes in the safety level of system over a specified time period.

3. Case Study

STPA is a risk analysis method that focuses on the risk of functional interaction between control units in a system and the risk of component failures [35]. The analysis of nonlinear socio-technical systems with frequent dynamic interactions, such as coal mining systems, is particularly suitable for STPA. The coal mine system is dynamic and nonlinear, driven by complicated geological conditions, obsolete technology, insufficient miner skills, and ineffective safety management [36]. These contributing factors are interdependent, interacting and limiting one another, which are the primary cause of coal mine accidents [37].

The hybrid framework is utilized in this section to improve the identification and classification of dynamic interactions and nonlinear components during the safety analysis. It provides scientific support for the management of coal mine based on the STPA method and simulation of system dynamics, taking into consideration the influence of internal and external risks and feedback loops. The Chifeng Baoma Mining Co., Ltd. (Baoma Coal Mine) was selected as a case study. On 3 December 2016, a particularly serious gas explosion occurred at the Baoma coal mine, and many of the details needed to build the STPA model can be found in the public accident report [38].

3.1. Safety Analysis of the Baoma Coal Mine System Using the STPA Method

This section describes the STPA for the Baoma coal mine system following the four steps shown in Section 2.1.

3.1.1. Defining the Purpose of the Analysis

Based on the Baoma mine accident investigation report [39], the system loss and system level hazards are defined in this section in conjunction with interview data from Chinese coal mine specialists and pertinent regulations [40]. The results are displayed in

Table 2. Losses of system.

Loss ID	Desciption
L-1	Loss of human life and human injury.
L-2	The coal mining mission failed.

and

Table 3. A list of system level hazard.

Hazard ID	Description
H-1	Insufficient ventilation in working environment. [L-1, L-2]
H-2	Oxygen concentration in the workplace is too low. [L-1]
H-3	The concentration of methane in the system is too high (over 5.0% [34]). [L-1, L-2]
H-4	The power system does not provide sufficient and stable power. [L-2]
H-5	Welding sparks in the working environment during the welding process. [L-1, L-2]
H-6	Gas sensors do not detect the correct gas concentration. [L-1, L-2]

.

3.1.2. Model the Control Structure

The hierarchical control structure of the Baoma coal mine system is depicted in Figure 3. There are eight controllers, actuator systems, and control processes in the control structure. China Inner Mongolia Autonomous Region Chifeng Baoma Coal Materials Limited Liability Company (China Inner Mongolia Autonomous Region Baoma Coal Materials company), Baoma Coal Mine, Safety Control (management), Electromechanical Center, Ventilation Center, Blasting Workers, and Oxygen Welders are the eight controllers. The controller regulates ventilation, safety inspection, and coal mining process by sending the actuators with the proper commands. The feedback loop between the mine director, the subordinate department, the miner, and the controlled process is depicted by the control structure (Figure 3). All of the arrows pointing downwards in the figure illustrate how control operates, and the dotted arrows pointing upwards illustrate how feedback operates.

For the eight controllers involved in the control structure, the Baoma Coal Mine is a wholly owned subsidiary of the Baoma Coal Materials company. The Baoma Coal Material Company undertakes the tasks of safety management, production planning, inspection, and supervision of the Baoma coal mine. The Baoma coal mine manages the task allocation and safety inspection of each department, as well as the implementation of the material company’s production plan.

The electromechanical center notifies the ventilation center of abnormal conditions or accident information and controls the work state (continue/stop work) of workers and equipment in the coal mine system. The safety control center inspects workplace safety and controls the continuation of work in each department. Based on data such as gas concentration and wind velocity, the ventilation center regulates the ventilation system and coal mining procedures such as blasting and welding. Blasters and oxygen welders control the blasting and oxygen welding processes during coal mining.

3.1.3. Identify Unsafe Control Actions

This step integrates the four general patterns of unsafe control actions and the position of them in the control structure figure to identify them. As illustrated in Figure 3, the control structure catches a total of 22 UCAs (with the limits of the length of the article, the table only shows important control actions). In accordance with Section 2.1 of the STPA analysis process,

Table 4. Unsafe control actions (partially quoted, due to space limitations).

Control Action	Not Providing Causes Hazard	Providing Causes Hazard	Too Early/Late or Incorrect Order	Applied too Long or Stopped too Soon
Electromechanical center provides abnormal events and accident information to the safety control.	UCA-1: The electromechanical center does not offer safety management with aberrant information in the event of abnormal occurrences or accidents.	UCA-2: When there are no abnormal events or workplace accidents, the electromechanical center provides safety management with information regarding abnormal events.	UCA-3: When anomalous occurrences or accidents occur in the workplace, electromechanical centers supply information too late.	N/A
The ventilation center provided orders to the miners to continue or stop work.	UCA-4: When ventilation is turned off, miners do not evacuate the workplace.	N/A	UCA-6: When the oxygen level in the workplace falls below 18%, miners wear personal protective equipment (PPE) too late.	N/A
	UCA-5: When methane levels exceed 5%, miners do not abandon their workplace.
The sensor sends the electromechanical center with gas concentration data.	UCA-7: The sensor does not detect the behaviors of methane levels prior to construction blasting.	UCA-8: If the gas concentration exceeds the limit, the sensor reports an incorrect gas concentration.	N/A	UCA-9: The sensor fails to detect methane levels too early prior to construction blasting.
The ventilation center provides stop work orders to welders and blasters.	UCA-10: When the gas concentration is too high, the ventilation center does not send stop-work orders to the welders and blasters.	UCA-11: When the gas concentration is too high, the ventilation center instructs the welders and blasters to continue working.	UCA-12: When the gas concentration in the workplace returns to normal, it is too late for the ventilation center to provide an order to continue work.	N/A
Gas emission Order.	UCA-13: After electricity is restored, the ventilation center does not send gas emission orders.	UCA-14: The ventilation center provides excessive gas emission orders when gas concentration is normal.	UCA-15: The gas center sends gas emission orders too late following the restoration of power.	UCA-16: When the gas concentration is still above the standard concentration, the gas station stops sending pumping orders.
	UCA-17: When the gas concentration is excessive, the ventilation center does not issue gas emission orders.	UCA-18: Insufficient gas extraction by the ventilation center (resulting in failure to reduce the gas concentration below the standard).	UCA-19: Before sending gas extraction orders, the gas center fails to confirm gas concentration.

depicts several unsafe control actions during the Baoma coal mine gas explosion. In this paper, a preliminary analysis of the possible causal factors causing UCA was conducted from the connotation of UCA and its position in the control structure, and some of the findings are shown in

Table 5. Causal factors for UCA.

UCA List	Description	Causal Factors
UCA-1	The electromechanical center does not offer safety management with aberrant information in the event of abnormal occurrences or accidents.	Safety perception Department response speed
UCA-2	When there are no abnormal events or workplace accidents, the electromechanical center provides safety management with information regarding abnormal events.	Fatigue Level Operation Skill
UCA-3	When anomalous occurrences or accidents occur in the workplace, electromechanical centers supply information too late.	Department response speed
UCA-4	When ventilation is turned off, miners do not evacuate the workplace.	Safety perception Complacency Safety rules regulation Safety atmosphere
UCA-5	When methane levels exceed 5%, miners do not abandon their workplace.	Complacency Equipment failure Safety atmosphere
UCA-6	When the oxygen level in the workplace falls below 18%, miners wear personal protective equipment (PPE) too late.	Safety protective Safety perception

. These causal factors provided the basis for analyzing the causality of the loss scenarios below and constituting the elements of the ANP model.

3.1.4. Identify Loss Scenarios

Following the identification of the UCA, this step identifies the potential loss scenarios. There are a variety of potential loss scenarios and cause elements for each UCA. In this section, the two sample UCAs discovered in Section 3.1.3 are further analyzed. To identify the loss scenarios of UCA, the structure of the process model when UCA occurs is first defined in Figure 4. The identified loss scenarios are illustrated in

Table 6. The loss scenarios and causal relationship for the UCA-1.

UCA ID	Components in the Control Structure	Loss Scenarios	Causal Relationship
UCA-1	Unsafe controller actions	Out-of-bounds production due to unreasonable production planning by the deputy mine manager of electrical and mechanical, resulting in the inability to provide information to the safety control center after an abnormal event or accident, which may result in high methane concentrations in the workplace.	Mining Areas→department response speed→safety management level→system safety level
	Inadequate feedback and information	The failure of the power supply system due to the low level of operation, low level of safety awareness or excessive fatigue of employees who adjust the technical parameters of electrical equipment and actuators without authorization, combined with the failure of the supervisory department to detect them in time, may result in the inability of the workplace to maintain a stable power supply.	Safety perception→operation→individual safety level→system safety level
	Control path	Because of the lack of safety awareness of the staff, when the switch trips, the fault point is not detected and the power supply is restored before the fault point is removed. As a result, there may be insufficient ventilation in the workplace, employee strain, and methane levels in the environment that exceed the norm.	Safety perception level→physical environment→equipment failure→equipment level→fatigue level
	Controlled process	During the power supply process, the mechanical and electrical center did not implement the power shutdown and delivery system in accordance with regulations, and there was no safety confirmation prior to power delivery, which may resulted in inadequate ventilation in the workplace.	Safety supervision→safety rules regulations→safety management level→system safety level

.

3.2. Calculate the Factor Weights Using the ANP Method

In our model, the UCAs are further classified and refined for coal mine system safety, and the network layer elements of the ANP method are derived. According to the features of network layer elements and the relevant literature [41], network layer elements are grouped into four categories: individual safety, equipment safety, environment safety, and management safety. These four categories comprise the control layer elements of the ANP method. Figure 5 displays the architecture of the ANP model. In accordance with the ANP methodology mentioned in Section 2.2, a panel consisting of two coal mine managers, four coal mine frontline personnel, and three professors was invited to prepare this paper. The control layer and network layer element weights were ultimately computed based on the method provided in Section 2.2, as shown in

Table 7. The weights of elements.

Control Layer	Weights of Control Layer	Network Layer	Coupling Relationship	Global Weights	Sequence
Individual Safety	0.290	Operation S1	M6, S3, S2	0.065	7
		Complacency S2	D2, M5, S4, S1, E2, E3, M4	0.029	13
		Fatigue Level S3	S1, S2, M4	0.021	14
		Safety percpection S4	M5, S2, E2, M4	0.037	12
		Skill S5	S1, S2	0.065	6
Equipment Safety	0.152	Safety protective E1	E3	0.021	15
		Equipment maintenance E2	M5, D1, M4	0.157	1
		Equipment failure E3	M1, D1, E2	0.078	5
Environment Safety	0.117	Physical environment D1	S1, S3, E3	0.145	2
		Mining areas D2	E1, E3, S3, D1	0.003	16
Management Safety	0.441	Safety investment M1	M5, D1, E3, M4	0.046	10
		Safety rules regulation M2	D2, M5, S3, E1, E2, M4	0.054	9
		Safety supervision M3	D2, M5, S4, E1, D1	0.063	8
		Department response speed M4	D1, E2	0.096	3
		Safety atmosphere M5	S4, E1, D1, M4	0.080	4
		Safety education training M6	M5, S4, E1, S1	0.040	11

below.

The global weights in Table 7 are the weights of a certain network layer element relative to all network layer elements. Individual safety, equipment safety, environment safety, and management safety have relative weights of 0.290, 0.152, 0.117, and 0.441 in the control layer. It is evident that management safety is the most significant component in coal mine system safety, which is consistent with the analysis of the relevant literature [42]. Equipment maintenance, physical environment, and department response speed are the most direct factors affecting the safety of the Baoma coal mine, which offer theoretical justification for the intervention tactics of coal mine management.

3.3. Coal Mine System Dynamics Model Construction

The ANP method is used to calculate the weight of system safety influencing elements. The purpose of this part is to model and understand the system dynamics evolution process underlying the static control structure of the Baoma coal mining system. The coal mine system in our research is comprised of four subsystems: the individual subsystem, the equipment subsystem, the environment subsystem, and the management subsystem. In China, quarterly and annual assessments of coal mine safety performance are conducted [43]. Although the annual evaluation is the most essential time dimension of the system safety assessment, after each quarterly assessment, management will alter the management strategy in accordance with the safety production condition. The annual evaluation is based on the quarterly cumulative performance of safety work. Quarterly data analysis of the safety of the coal mine system enables managers to flexibly monitor the dynamic changes of the system. Therefore, the time scale of the modeling of system dynamics in this research is 120 days (1 quarter), which reflects the usual evolution of coal mine system safety. The causal loop diagram is a composite feedback loop formed by coupling various feedback loops. In this paper, the causal feedback loop was constructed based on the causal relationships analyzed in STPA, as shown in Figure 6. Figure 6a shows the causal loop diagram of the coal mining system. Figure 6b shows the three main causal loops. These three causal loops are presented as below:

(1)

Mining Areas→Department Response Speed→Safety Management Level→System Safety Level→Safety Investment→Safety Supervision→Mining Areas

(2)

Operation→Individual Safety Level→System Safety Level→Safety Supervision→Equipment Maintenance→Equipment Level→Fatigue Level→Safety In-vestment→Safety Education Training→Safety perception level→Operation

(3)

Safety perception level→Physical Environment→Equipment Failure→Equipment Level→Fatigue Level→Safety Investment→Safety Education Training→Safety perception level.

The causal loop diagram is used to further specify the variables and quantitative linkages in the stock flow diagram of system dynamics. The variables in the stock flow diagram are derived from those in the causal loop diagram, and auxiliary variables and constants are added based on the relevant literature [44,45]. The variables in the stock flow diagram are derived from the causal loop diagram, but they are more specific. In this study, the variables representing cumulative findings, such as fatigue level, operation, and safety perception level, are designated as state variables (marked by boxes). The variables showing the rate of change of the state variables are set as rate variables (indicated by double triangles), and the remaining relevant variables are set as auxiliary variables according to the characteristics of the factors. Some necessary constants have been added to the stock flow diagram according to the needs of the equation, e.g., “initial mining areas and cost safety supervision”.

In this paper, we constructed equations for auxiliary variables based on the weight values of each variable of ANP method, combined with the causal relationship between variables [46]. The causal relationship between variables (positive or negative) was converted into a mathematical relationship between two variables (increase or decrease), while the coefficient of influence between variables was derived from the ratio of variable weights. The remaining variables were calculated according to table functions or references.

Variable $j_k\left(k=1,2,3,\cdots ,m\right)$ is supposed to be the variable in the causal relationship that influences variable $i$. On the basis of the weights ${\omega }_i$ (for $i$) and ${\omega }_{j_k}$ (for $j_k$), the coefficient of influence $I{C}_{i{j}_k}$ of $i$ on $j_k$ is calculated:

$$I{C}_{i{j}_k}=\frac{{\omega }_{j_k}}{{\omega }_i}$$

(1)

In the system dynamics model, the expression for the variable $i$ is as follows:

$$V_i={\displaystyle \sum }_{k=1}^m(\pm )\frac{{\omega }_{j_k}}{{\omega }_i}{V}_{j_k}$$

(2)

where $V_i$ represents the value of the variable $i$ and $V_{j_k}$ represents the value of the variable $j_k$. The stock flow diagram is shown in Figure 7.

4. Discussion

The simulation results of the system dynamics model are illustrated in

Table 8. Simulation data in SD model (part).

Time (Days)	System Safety Level	Time (Days)	System Safety Level	Time (Days)	System Safety Level
1	93	22	125	43	46
2	104	23	126	44	47
3	112	24	126	45	48
4	120	25	127	46	49
5	126	26	127	47	51
6	130	27	125	48	52
7	132	28	119	49	53
8	131	29	108	50	54
9	130	30	94	51	55
10	129	31	82	52	55
11	128	32	71	53	56
12	127	33	64	54	56
13	127	34	58	55	56
14	126	35	53	56	56
15	125	36	50	57	56
16	125	37	48	58	55
17	125	38	46	59	55
18	125	39	46	60	55
19	125	40	45	61	54
1	93	22	125	43	46

, Figure 8 and Figure 9. The “system safety level” in Figure 8 depicts the safety level of the Baoma coal mine system during the simulation period, which is dependent on the personnel safety level, equipment safety level, environmental safety level, and management safety level. The relationship between them is depicted below, with data derived from the ANP method’s weights. The case application of this paper is based on publicly available coal mine accident reports with hazy information, and the system dynamics model lacks a sufficiently accurate mathematical model and sufficient data. The results of the system safety level simulation can assist coal mine safety managers make decisions, but they are still some distance from the actual reality. The purpose of our study was to illustrate the specific process of the hybrid framework. When the actual information of the coal mine is abundant and the mathematical model of the system dynamics model is more accurate, the system safety level will be more precise.

$$\begin{array}{c}\mathrm{System}\mathrm{Safety}\mathrm{Level}=0.290\ast \mathrm{Individual}\mathrm{Safety}\mathrm{Level}+0.152\ast \mathrm{Equipment}\mathrm{Safety}\mathrm{Level}+0.117\ast \\ \mathrm{Environment}\mathrm{Safety}\mathrm{Level}+0.441\ast \mathrm{Management}\mathrm{Safety}\mathrm{Level}\end{array}$$

(3)

As seen in Figure 8 and Figure 9, the system safety level reduced from an initial value of 74 to 36. In the first 8 days, the safety level of the system grew rapidly to 131. From the 8th to the 28th day, the safety level of the system stabilized. From the 28th to the 38th day, the safety level of the system declined significantly, falling from 119 to 46. From day 38 to day 59, it gradually increased from 46 to 55. From day 59 to day 120, it gradually decreased to 36. According to the above analysis, the current safety level of the Baoma mine (taken from the accident report [38]) was first rising and then decreasing to a rather low level. The system reached its highest level of safety on the eighth day of simulation and its lowest level of safety at the ending.

As can be observed from Figure 9, the trend in the Baoma coal mine individual safety level and equipment safety level is comparable with the overall system safety level. On the 8th and 28th days, the individual safety level was at a turning point of change, which coincided with a turning point in the system safety level. On the 27th and 40th days, there was a turnaround in the level of safety of equipment and a delay of a few days compared to the change in the level of safety of individuals and systems. From the initial state to the 60th day, the environment safety level declined dramatically from 261 to 17. From day 60 to day 120, the falling trend of the environment safety level tended to level out, decreasing gradually from 17 to 3. The equipment safety level at the end of the simulation was 11 and the environmental safety level was 3. As a result, on the 120th day, the equipment and environment of the mine were in a dangerous condition that could have led to an accident.

The accident report reveals that the mine unlawfully organized mining on 3 December 2016, under the guise of retracting equipment within the border crossing, resulting in the accumulation of gas at the working face of the lane mining owing to the loss of electricity and wind. When the accumulated high concentration of gas was released to its cross-work face, the gas ignited when welding sparks ignited welding brackets in violation of standards, and the resulting flame was transported to the work face through the wind chute, resulting in a gas explosion. The accident was caused by a disorderly workplace environment and equipment in poor operating condition. The results of our analysis are consistent with the primary cause of the accident in the accident report. The managers of the coal mine can increase the safety of the system in two areas: equipment safety and environment safety. Based on the findings of our investigation, it is suggested that managers of coal mines strive to enhance the safety of the coal mine environment and equipment. For instance, more trustworthy equipment and intelligent gas detection systems can be utilized.

5. Conclusions

In this paper, a hybrid integrated framework was proposed to support the safety and assessment of complex socio-technical systems, in which the qualitative analysis and quantitative assessment were integrated smoothly. The STPA method was used to explain qualitatively the static safety control structure of a system and to analyze the primary elements impacting its safety operation; then, the ANP approach was adopted to calculate the weights of these elements. To complete the quantitative assessment, the SD method was utilized to model and analyze the dynamic process beneath the static control structure. The framework introduced additional specificity to the integration of the STPA and SD methodologies by employing the risk factors and causal relationships identified by STPA analysis as the foundation for SD modeling, and streamlined the SD modeling process and made up for the lack of quantitative analysis in STPA. The proposed framework was applied to a coal mine system, and the results indicated that the combination of these methods can support the safety assessment of socio-technical systems effectively and efficiently, through which company managers can acquire a better understanding of the numerous system hazards, and develop strategies to improve the safety management in a dynamic working environment. At the same time, the current parametric equations and system dynamics parameters were not accurate due to insufficient historical data, and the simulation results could be more accurate after acquiring more data. In the future, the proposed hybrid framework will be applied to different systems, and more real-world data will be added to increase the accuracy of the model parameters.