Safety in Steel Melting Shop Division

DOI : 10.17577/IJERTV11IS100073

Download Full-Text PDF Cite this Publication

Text Only Version

Safety in Steel Melting Shop Division

Apoorva Singh 1*, Manish Kumar Mishra2, Dileshwar Sahu3

1P.G Scholar, Bhilai Institute of Technology, Raipur, Chhattisgarh, India

2HOD, Dept. of Mechanical Engineering, Bhilai Institute of Technology, Raipur

3Assitant Professor, Dept. of Mechanical Engineering, Bhilai Institute of Technology, Raipur

Abstract: The steel industry has faced extraordinary changes over recent years incorporating new technologies and processes to make it more competitive and safer based on market requirements, regulations, and community concerns. Safety, in particular, has been an important topic in which the industry has put remarkable efforts to improve its performance.

Traditional safety models currently used to analyse and prevent accidents have been in use for decades. However, the complexity of systems has substantially increased over this time and has reshaped the way people perform their activities. The limitations of traditional models are becoming more evident as system complexity increases, especially when it comes to understanding the interactions between many system elements, incomplete or otherwise flawed requirements, design errors, and human behaviour and contextual factors

This thesis examines a high-risk incident in a steel plant and compares a traditional Root Cause Analysis that was performed with a new systems approach called Causal Analysis based on System Theory (CAST). Causes and recommendations from both methods are compared. In addition, a systems approach for hazard analysis called Systems Theoretic Process Analysis (STPA) is evaluated to determine whether it could have anticipated the behaviours and contextual factors that led to the incident and whether it could have been prevented. These methods were found to be extremely effective in analysing past accidents and in preventing future accidents, providing significant insights for organizations to understand the reasons behind accidents and to define the necessary steps to prevent them


The world has experienced changes in recent years at a speed never seen in human history. The advancement of technology is re-shaping the way we interact with each other and has created both new businesses and new ways to manufacture products. However, ability to fully understand all the implications that come with these accelerating technological changes has not kept pace [1].

The steel industry has not been a stranger to these changes. New technologies have emerged to improve the productivity and cost-efficiency of companies to sustain their competitiveness in the tight steel market. This technology evolution has brought new challenges crucial for safety management. While it is evident that safety metrics in the steel industry have been improving over the last few years at a macro-level [2], high-risk incidents and accidents continue to be a reality in the industry. One of the underlying problems is that while technology has evolved rapidly and changed the safety dynamics, the models to analyze them have not evolved to keep pace with the new reality [3].

Traditional causality models and hazard techniques were created many decades ago when automation and systems complexity were at a very different level than they are today. These models use a linear causality perspective, usually focusing on physical causes or operator responsibility for safety without taking into consideration other significant factors such as the interaction between elements and subsystems, flawed assumptions, design and operations reviews that were intended to prevent accidents, or the context that helped induce unsafe operator or automation behavior. These factors have an important influence on the safety dynamics and deserve to be studied in detail.

High-risk accidents and incidents in the last years have shown us that typically systematic and structural deficiencies are the underlying causes of accidents [3]. Meanwhile, we tend to focus on unsafe actions and component failures simply because they are easier to detect. This makes it easy to cast blame and assigned punitive measures in an effort avoid its recurrence. Nevertheless, these conditions might be only superficial symptoms of the true root causes that are not evident at first sight. We need new methods to perceive and understand what might not be immediately visible.

At the same time, communities have become more concerned and aware about industrial safety. They have played an active role demanding stiffer regulations to the industry, and good principles of social responsibility. The steel industry has acknowledged this situation, and safety has become a paramount as a matter of business sustainability. This industrial sector traditionally has had a reputation as a high-risk and unsafe activity. While it is true that it could be considered as a high-risk industry, this does not mean it has to be unsafe. The steel industry has been working hard to improve this perception, establishing an evident commitment to improving safety conditions and applying standardized procedures and best practices to improve safety performance.

Some companies are leading the initiative to transform the perception of the steel industry regarding safety. One of these companies is the object of this thesis. The company has had an outstanding improvement record in its safety figures, and it is a safety reference for the industry in India. However, although its statistics reflect a significant improvement over the years, the companys efforts have not been enough to prevent high-risk accidents and incidents. Those are some of the reasons why a new safety approach is needed. STAMP (Systems Theoretical Accident Model and Processes), is a new model that provides a systematic way to understand safety with a holistic view. This method provides a useful framework to understand the causality of safety events in complex systems in a comprehensive way.

STAMP is a promising tool that is experiencing a rapid adoption in other industries including automotive, aerospace, aeronautics, nuclear power, chemical, oil & gas, and others due to its systemic approach. In contrast to traditional failure-based models, STAMP views safety as a control problem requiring the enforcement of constraints to prevent accidents. Although STAMP is undergoing rapid adoption in other industries, at the time of this writing there is no record of a formal comparison between traditional methods and STAMP in the steel industry. This thesis aims to provide the first formal comparison in the steel industry.

This thesis evaluates STAMP as a modern alternative to address the gap of traditional models in the steel industry. By using a real industry case study, this thesis evaluates the benefits of using a systematic approach to understand the safety dynamics of organizations and processes in contrast to the outcomes from traditional methods. Finally, this work proposes recommendations about how to implement STAMP in companies where other models and tools are currently in use.


This chapter reviews traditional approaches to safety, including their strengths and limitations regarding the evaluation of complex systems. This chapter also discusses STAMP, a new model helpful to understand complex systems and to overcome the shortcomings from traditional models.

Traditional accident models Traditional safety models take a linear causality view of accidents, where each failure is the direct cause of the next event in the chain and can be traced back to a root cause. Accidents are considered as a sequence of events over time and generall, are energy-related or involve deficiencies in physical conditions (component failures) or human error.

Domino Accident Model and the Swiss Cheese Model In 1931 Herbert Henrich proposed the Domino Accident Model, based on his own experience in the industry. At that time, thanks to electrification, machines were able to be designed to perform more complex activities that had previously been done by humans. The concept of safety management was at a rudimentary stage, and the causes of most accidents were assigned to physical causes, such as lack of equipment guards. Henrich introduced the idea of man failure as the principal cause of injury. According to his experience in the industry, most accidents (88%), were related to unsafe acts, 10% to unsafe conditions, and 2% to acts of God.

According to his model, accidents occur as a sequence of colliding dominoes; hence, if one of the dominoes is removed, the chain could be interrupted, preventing an accident. Since the model proposed that most of the accidents are human related, the focus should be to prevent unsafe acts or conditions. Henrich suggested that to overcome this situation, it was necessary to enforce supervision, training, and discipline.

In the late 1980s, James Reason proposed the Swiss Cheese model, incorporating the idea of layers of defense or protection. This model argued that accidents could be caused by failures in four planes lying one behind the other: 1) organizational influences; 2) unsafe supervision; 3) preconditions for unsafe acts; 4) unsafe acts [8].

Each of these stages is represented as a slice of "Swiss Cheese", where the holes are defects or vulnerabilities randomly changing in location and size. Eventually, the trajectory of the hazard finds a clear pathway through all the layers leading to a failure (accident). This assumption conveys the idea that a single failure, whether technical or human, is insufficient to cause an accident. This model focuses on individual layers to avoid the possibility of an accident. However, it does not take into consideration the systematic causes that might affect multiple layers simultaneously, for example, inadequate communication or poor safety culture within the organization. Like the Domino model, this model tends to oversimplify the dynamics of complex systems in which components cannot be treated as independent or isolated.

Root Cause Analysis This method seeks to identify the underlying causes that contribute to the occurrence of an event rather than the generalized or immediate factors. The origins of the Root Cause Analysis (RCA) could be traced back to 1950s in Japan, where Sakichi Toyoda implemented this method for quality purposes in manufacturing. RCA evolved over time and expanded its applicability to other fields, including safety, to analyze root causes effectively.

The Root Causes Analysis method suggests that all undesirable outcomes are related to

  • Physical roots: related to failure components.

  • Human roots: actions or inactions that trigger the events.

  • Latent roots: organizational systems that are flawed.

STAMP: A new accident causality model Traditional accident models have been challenged by the advancement of technology and the increasing complexity of sociotechnical systems. The interaction between humans and machines have changed in the last few decades, with more complex software systems and more sophisticated equipment. Many are finding the traditional safety approaches to be no longer adequate. STAMP (Systems-Theoretical Accident Model and Processes) is a causality model introduced by Leveson in 2002. This approach addresses gaps in traditional safety models that assume accidents arise from linear chains of failures.

Instead, STAMP is based on system theory and considers safety as an emergent property arising from the interactions among the system components. According to systems theory, to control the emergent properties it is necessary to impose constraints on the behavior and interactions between components. Hence, safety becomes a control problem that requires the enforcement of constraints [3]. As a systemic approach, this model has a broader vision to understand the accident causality in complex systems by identifying more causal factors such as organizational structures, human decision-making, human factors, design and requirements flaws, and the interactions between all elements

The STAMP framework serves as the basis for several methods. The most popular are CAST (Causal Analysis using System Theory) and STPA (System-Theoretic Process Analysis): CAST: a retroactive method to study accidents or incidents that have occurred and their causal factors. * STPA: a proactive analysis method to analyze the potential causes of future accidents so hazards can be eliminated or controlled.


This chapter is comprised initially by a description of the steel making process, giving a brief technical background to understand the mechanics of an incident that will be the subject of a case study in this thesis. Subsequently, a description of the incident at the company is presented, followed by the Root Cause Analysis performed by the organization to describe the causality of the incident. After having presented the background of the incident, a CAST analysis is performed to identify with a systemic approach the causes that led to this event. A contrast between the analysis performed by the organization using traditional safety models and the analysis based on STAMP will be presented in the following chapter.

Steel Making Overview Since its origins, the steel making process has been a staple of the industrial economy. The industry has been in constant evolution in the last decades trying to improve its productivity while increasing its safety performance and environmental footprint. Nowadays, two main ways to produce steel exists, through blast furnaces or by electric arc furnaces

(EAF). Both technologies have advantages and disadvantages, depending on the accessibility to raw materials, logistics, the cost-structure, and the scoping of the organization, companies decide which option makes more sense to its business plan.

In the plant where the case study incident occurred, the company operates two EAF. They are identified by their original manufacturer name: Fuchs fumace and Danieli fumace. The incident occurred in the Fuchs furnace; however, the process fundamentals of both furnaces are equivalent, and the following general description is valid for both.

The electrodes and its positioning system are located apart from the furnace structure. Electrodes are the main heating element used in the EAF. They are rounded bars typically made of graphite; this element is selected due to its high conductivity and resistance to high temperatures. The electrodes are attached to a controlled mast which moves the electrode down into the furnace or up out of the furnace. The electric arc is formed between the charged material inside the furnace and the electrodes; the charge is heated by the current passing 'through the electrodes and the emergent radiant energy. The electric arc temperature could reach 30000C; hence, the lower section of the electrode glows incandescently during operations, which makes it very difficult to visually distinguish the bottom of the electrode from the molten steel in the furnace and the distance between the two. Therefore, the electrode positioning system has a length encoder to measure the electrode position, and it has hydraulic cylinders to ensure the position of the electrode inside of the furnace maintains a constant current during the melting process [17].

The furnace is built over a basculating structure to be able to pour the molten steel to a ladle to transport it to further processes. This process is called tapping. Most EAF used to produce flat products have an eccentric bottom tap-hole (EBT) to reduce the inclusion of nitrogen and slag in the molten steel, as well reuce the temperature loss of the bath during tapping. In contrast, the Fuchs furnace has bottom oval-shaped; thus, it has an oval bottom tapping (OBT).

The tap-hole crosses the hearth and shell of the furnace to get to the molten steel. They are closed from outside the bottom steel plate by a refractory sliding gate; when the sliding gate is pulled apart, the metal flows out removing the refractory sand put in earlier to close the hole.

(1) Transformer, (2) flexible cable connection, (3) electrode arms, (4) electrodes clamping, (5) arms, (6) cooled off-gas duct, (7) cooled panels, (8) structure, (9) basculating structure, (10) rack, (11) cooled roof, (12) basculating device, and (13) hydraulic


Electric Arc Furnace Operation The operation of an EAF varies depending on the characteristics and specifications of the facility. In the case of the Fuchs EAF at Guerrero plant, the furnace could be loaded with scrap along with direct reduced iron (DRI) for chemical balance. The scrap is loaded into a large basket with a gate in its bottom. The electrode, which is clamped to the mast, is extracted from the inside of the furnace by the control room operator. Once the, electrode is in its upper position, the roof of the furnace along with the electrode swing off the body to facilitate the charging of scrap from the top. To avoid a collision, the electrode needs to be in its top position before the roof starts to move. The electrode swings off through the arm, which is a rotating holder that supports the set of the mast and electrode. The basket is moved by an overhead crane and held just above the furnace. Then the basket opens and drops out the scrap into the furnace.

This process is repeated as many times as necessary according to the capacity of the furnace and the baskets. After the charging is over, the roof is swung back to the operation position. The electrodes are lowered into the furnace, the arc is struck, and the electrodes are set in automatic control. The meltdown starts at a lower voltage to protect the roof and the walls from excessive heat from the arc. The electrode moves down automatically as the metal below the arc melts to maintain a stable arc. Once the electrodes have submerged in the molten steel, and are covered by the scrap, the voltage is increased, and the electrodes are raised to expand the arc and increase the power to melt. The oxygen-fuel injectors of the Fuchs also provide chemical energy to accelerate the meltdown process [17].

Case Study Incident on October 2nd, 2017 at 11:13 am in the Fuchs furnace at the Raipur power and steel Plant in Durg, Chhattisgarh, two explosive reactions occurred without hurting any workers, but with enough strength to have caused severe damage to the personnel. The plant was preparing to restart operations after an extensive maintenance shutdown of 10 days, where significant equipment and systems modifications were conducted. After the refractory sintering process of the furnace, which is a necessary step to develop good properties of the inner refractory bricks, the operations team wanted to extract the electrode from the furnace to check the furnace interior and to replace the electrode. Hence, the main control room operator moved up the mast to take out the electrode from the inside of the furnace. However, the mast did not reach its top position; the control room operator noticed this situation from the encoder indication in one of the HMIs, and he decided to slightly move it down to restart the upward movement again. By this time, the crane operator had already hooked the electrode onto the lift plug. As the electrode was hooked to the crane at a fixed position, and the mast moved it down, the electrode's lift plug broke, fell and hit one of the water piping connections over the furnace roof.

This impact caused a severe water leak that was getting into the furnace. As a reference, the lift plug weighted 85 kg (187 lbs), and the piping connection had a diameter of 2 inches and 4.5 bar of pressure.

According to safety procedures, since the water was getting inside of the furnace, the fumace roof had to be open. The control room operator started the sequence to move out the roof from its operating position to its open position; however, as the electrode did not reach its top position and it was below the pass line of the furnace roof, the roof collided with it. The control system, which was designed with various safety protections to prevent dangerous movements, allowed the movement of the furnace roof even though the electrode had not been raised enough to prevent a collision. The electrode fractured due to the collision, and one segment of it fell inside the furnace, causing an explosive reaction.

During this time, the water leak continued to get into the furnace. Because of the trajectory of the water leak, as the furnace roof continued to open it allowed even more water to enter into the furnace. The electrode segment that fell inside of the furnace caused agitation of the molten steel; this agitation, coupled with the water accumulation, generated a second explosive reaction. During the event, the emergency protocol was performed and all people were evacuated. The operations team shut down the furnace and closed the injections of gas, coal, and oxygen. The maintenance team closed the cooling system valves. Despite the severity of the event, no people were injured.

After having defined the causality branches, the company identified a list of causes and grouped them into three causality clusters: Physical Causes * The main control room was moved during the shutdown to a safer position. However, the visual reference the operators used to validate the electrode position was lost after this change. * The valves of the cooling system were not possible to operate from the control room. The valves were manual; hence, the reaction time to close them was significant. * The position of the roof while opened remained proximate to the furnace, causing the water to rapidly accumulate inside the furnace. Systemic Causes (Management system): During the tapping sequence, the electrode did not reach its top position at 649cm; it raised only to 618cm. The control room operator lowered the electrode mast 30 cm since he noticed it did not reach its top position. He lowered the mast trying to enable the automatic control. The control system was weak because the control room operator could activate the roof-swing sequence while the electrode was not in its top position and not clear of the roof. It was an atypical operation since the plant was during its start-up process after an extensive shutdown with several technological changes.

Proximal events leading to the loss The next step in CAST is to identify the sequence of proximal events. The following lists the sequence of events leading to the two explosions based on the investigation report from the company safety team. As mentioned before, the plant was about to restart operations when the incident occurred. The furnace was at the end of the refractory sintering process; therefore, the control room operator started the procedure to extract the electrode from the inside of the furnace.

11:10:49 The arm/electrode started to go up.

11:11:09 The arm/electrode stopped at 618 cm (top position was 649 cm). 11:12:05 The arm/electrode retracted to 582 cm (36 cm below previous position). 11:12:16 The lift plug of the electrode broke and fell over the furnace roof.

11:12:17 The lift plug damaged some piping connections over the roof, generating two water leaks: one at 450 towards the outside of the furnace, and another that was directed into the furnace.

11:12:46 The operator started the sequence to open the furnace roof, while the water leak was getting into the furnace. The furnace roof started rising.

11:13:21 Finished furnace roof rising.

11:13:30 Started furnace roof opening (swinging).

11:13:34 The furnace roof crashed and damaged the electrode while swinging. The electrode broke, and one segment fel inside the furnace.

11:13:35 The electrode segment hit the molten steel, and the first reaction occurred. 11:21:35 The water leak started to decrease.

11:26:47 Water stream at 450stopped.

11:32:10 Second reaction occurred due to accumulated water inside the furnace.

All the latter subjects are interconnected indicating the incident was not an isolated event but a result of system deficiencies within the company safety management. One of the contextual factors that may had a catalyst effect was the pressure. Pressure is a common element within an organization. It usually has a negative connotation, but it could be an excellent incentive to improve and obtain faster results. The problem relies on when pressure distorts the operational and safety principles of organizations. Typically, under stressed circumstances is when it is evident the real culture of organizations. In this case, as the pressure to restart operations grew due to the delays in the shutdown, the movement towards a riskier state manifested. Workers started to feel more stressed to closing maintenance activities and re-start operations; hence, the possibility of having an accident increased as people tended to be less focus on safety than timing. Adding to this, the inadequacies in the management of change related to the modifications in the control room and the piping over the furnace roof, and the flaws in the design of the control system, and the lack of procedures to validate the plant readiness, were some factors to create a hotbed to cause an accident.

One of the remarkable positive aspects of this incident was that even though its potential, no person was harm due to the reactions. This positive facet was related to the decision of the company to install safety gates to surround the furnaces areas; so, at the moment of the incident, very few people were close to the furnace. This critical decision was a fundamental factor to avoid personal damages


This chapter aims to compare and contrast the analysis derived from using the Root Cause Analysis model performed by the organization, and the outcomes from the CAST model performed in this thesis.

Classification of causes The Root Cause Analysis performed by the company considers three clusters of causes to cover the dynamics of the incident: Physical Causes Human Causes Systemic Causes The first cluster describes the physical elements that failed, were inoperable, or were missing during the event; for example, the failure of a position sensor or the lack of redundancy in a specific control. The second cluster describes the human causes. This cluster includes the causes the organization considers directly related to people's responsibility; for example, not following procedures adequately or the lack of coordination between operators. Finally, the third cluster encompasses systemic causes. This cluster seeks to capture the causes the company considered to be structural deficiencies that lead to the event. For example, deficiencies in training programs or inadequate controls in system design.

In contrast, the CAST analysis seeks to identify a broader set of causes across the physical level, the human operator level, and the organizational level. CAST identifies specific actions and decisions by each of these controllers that contributed to an accident, identifies why those actions and decisions seemed reasonable at the time through process model or mental model beliefs, and identified contextual factors that influenced the behavior and that represent weaknesses in the broader socio- technical system. CAST seeks to provide a more holistic perspective to understand the full dynamics of the incident across all levels of control, including deeper systemic factors that can be easily overlooked with a more ad-hoc analysis.

The CAST analysis provided a comprehensive list of weaknesses throughout the control structure and at different organizational levels that led to the incident. The analysis suggested a set of recommendations to correct these issues and avoid similar events in the future. Since CAST has a holistic perspective, the suggested recommendations aim to address not only low-level aspects like component failures and operator actions involved in one specific incident but systemic factors that contribute more generally to this and many other types of incidents. However, learning through incidents is not the most effective and reasonable strategy to improve. Why weren't these factors identified and corrected before the incident occurred? Careful reviews and hazard analyses had been performed to anticipate what could go wrong before the incident, but they were not effective in preventing this incident and they did not anticipate the full set of weaknesses and causes identified by CAST. Systems Theoretic Process Analysis, STPA, is a hazard technique based on the same principles as CAST but it is applied before an accident occurs to proactively identify and correct weaknesses throughout the system. STPA anticipates unacceptable losses by modeling the safety control structure, identifying unsafe control actions, and creating potential loss scenarios. This chapter identifies the

improper or missing controls that allowed the Fuchs EAF system to migrate to a higher risk level. At the end of the chapter, insights are presented about the difficulty of applying this technique for people who are not familiar with it. This experiment provides intuition about the acceptability from users and the possibility to adopt this technique as a reference to prevent undesirable safety situations.

Analysis of Results: All the causes and factors identified in the RdA analysis were addressed by CAST. CAST provided a comprehensive lists of factors which enable the organizations to understand what were the reasons behind the causality of the event.

Number of causes-factors identified by methods

More importantly, than the percentage number of causes is the quality of the detected causes. The CAST analysis accounted several factors that were not addressed by the RCA analysis. Some of the principal causes that were not pinpointed in the RCA

analysis, and are relevant to comprehend why the incident occurred are listed below:

  • The performance of inadequately detailed risk assessment to prevent and mitigate possible failure scenarios in projects and modifications.

  • The absence of a formal pre-start safety reviews process to ensure the readiness of the plants before their start-up.

  • The lack of a robust policy for management of change to validate and control the modifications performed within the organization.

Result and Discussion:

The CAST analysis provided a comprehensive list of weaknesses throughout the control structure and at different organizational levels that led to the incident. The analysis suggested a set of recommendations to correct these issues and avoid similar events in the future. Since CAST has a holistic perspective, the suggested recommendations aim to address not only lowlevel aspects like component failures and operator actions involved in one specific incident but systemic factors that contribute more generally to this and many other types of incidents. However, learning through incidents is not the most effective and reasonable strategy to improve. Why werent these factors identified and corrected before the incident occurred? Careful reviews and hazard analyses had been performed to anticipate what could go wrong before the incident, but they were not effective in preventing this incident and they did not anticipate the full set of weaknesses and causes identified by CAST. Systems Theoretic Process Analysis, STPA, is a hazard technique based on the same principles as CAST but it is applied before an accident occurs to proactively identify and correct weaknesses throughout the system. STPA anticipates unacceptable losses by modeling the safety control structure, identifying unsafe control actions, and creating potentia loss scenarios. This chapter identifies the improper or missing controls that allowed the Fuchs EAF system to migrate to a higher risk level. At the end of the chapter, insights are presented about the difficulty of applying this technique for people who are not familiar with it. This experiment provides intuition about the acceptability from users and the possibility to adopt this technique as a reference to prevent undesirable safety situations.

Model Control Structure:

Once the unacceptable losses and the related hazards have been identified, STPA defines the safety control structure of the system. STPA aims to understand how hazards could occur in the future, so the causes can be eliminated or mitigated during the design phase or before the occurrence of events. In this chapter, the STPA analysis focuses on the dynamics at the operational level of the system that could lead to unacceptable losses. The following figure demonstrates the high-level safety control structure of the system for furnace operations.

Identifying Unsafe Control Actions:


The steel industry has evolved in recent years incorporating new technologies to make processes more productive and safer at the same time. Particularly, automation has reshaped the way steel is produced and the way the personnel interact with the processes. Not many years ago, steelworkers had to perform several activities under precarious conditions, exposing themselves to high risks. Extraordinary efforts have been made recently to improve these conditions throughout the industry; however, there is still a long way to go regarding safety. STAMP has proven to be a powerful model for understanding the safety dynamics of complex systems, including those present in the steel industry. Its holistic approach and guided framework allow thinking beyond what is ordinarily evident. This thesis presented a contrast between the outcomes from traditional methods and new systems-thinking methods -CAST and STPA~when analyzing a real case from the steel industry. In this case, traditional methods covered only a few of the factors involved, focusing mainly on physical aspects such as equipment failures and trivial human causes such as not following procedures and inadequate coordination between personnel. However, the contextual circumstances, process models, mental model beliefs, the interactions between system components, and systemic factors were not correctly scrutinized by these models. The desire to simplify the causality and focus only on obvious trivial factors misleads the analysis and obscures the underlying factors that led to the event. Organizations are trying to shoehorn the current industrial reality into limited methods, and finding similar events happening again and again. This does not mean that these old models are completely invalid, but they are incomplete. Analysts need to recognize their limitations and shortcomings, and these gaps need to be addressed. Safety is a never-ending effort. Rasmussen [29], stated that safety degrades in the absence of conscious effort. Safety needs to embedded in the culture of companies and put at the forefront of their decisions. STAMP aims to help the pursuing of this cultural shift. By analyzing the causality of events with a broader and systemic perspective, organizations can understand the deeper factors and circumstances that are leading to accidents. To be effective, CAST and STPA requires a certain level of maturity and willingness to improve from 157 organizations. These approaches enable a deep introspection into the safety dynamics of the company, allowing them to uncover and understand the behavior and beliefs of workers, management, and the organization as a whole. This thesis evaluated the benefits of CAST and STPA when applied to a real system and a real case from the industry. Undoubtedly, the completeness of these analyses is superior to the detail obtained from other models such as RCA. A more detailed analysis would allow organizations to prevent undesirable losses and be proactive about future casualties instead of reactive. These losses also affect the sustainability of the business; safety is not only

a matter of human lives, but it can also have a significant impact on the economic performance of companies. Organizations need to formulate strategies to incorporate safety not only as a requirement, but as an inherent value and a way to do business. STPA proved to be an intuitive and robust tool to determine what could go wrong during operations. This thesis analyzed only a sample of UCAs and scenarios related to a physical system from the Fuchs EAF. Although the analysis was constrained, the outcomes demonstrated that the actions and behaviors that led to the incident would have been anticipated by using this approach, and more effective controls potentially could have been put in place before it occurred. Using these results, companies can better design the process and its control, design the equipment required, the necessary procedures, and even define the required competences and skills from personnel. STPA, throughout its framework, guides the analyst to study these and other factors to define the appropriate constraints and ensure the overall safety control structure enforces them. CAST and STPA can improve the way safety is approached. Both approaches were found to be suitable for the steel industry and provide a new perspective of accident causality that broadens the traditional views. This thesis could be used to introduce these new concepts to the steel industry by showing their applicability and benefits for a real cast study. However, traditional models have been used by the steel industry for decades and they are well established with many organizations familiar with them. Of course, a change in the safety approach will not happen overnight. Considering this, the following section provides suggestions to implement STAMP in large organizations that are currently using the traditional accident models.


[1] Friedman, T. L. (2017). Thank you for being late an optimists guide to thriving in the age of accelerations. Farmington Hills, Ml: Thorndike Press, a part of Gale, Cengage Learning. [2] Safety and health in the steel industry. Position Paper. (2018). Retrieved March 1, 2019, from

[2] Leveson, N. (2012). Engineering a safer world: systems thinking applied to safety. Cambridge, Mass.: MIT Press. [3] The white book of steel. (2012). Retrieved March 1, 2019, from

[4] Steel Facts. (2018). Retrieved March 1, 2019, from html

[5] Interactive Steel Manufacturing Process. (2015). Retrieved March 3, 2019, from [6] Heinrich, H. W. (1969). Industrial accident prevention: A scientific approach. New York: McGraw-Hill.