Skip to content

Review: Rasmussen’s 1997 paper – Risk management in a dynamic society: A modeling problem

The article by Rasmussen (1997) begins with an introduction that risk management is treated differently across all relevant hierarchical levels of a socio-technical system. However, due to the dynamics of the system, treating risk-related decision-making in isolation does not enable us to recognize when we cross the boundary of safe operation. Thus, when assessing risks in a complex socio-technical system, we have to include the layers of legislation, management, work planners and system operators. As a result, we need to touch upon risk models of the disciplines varying from economics, organizational theories and cognitive psychology to engineering.

Applying this framework to the case of the railway industry, a lot of decision-making layers can be identified, let alone the effect they have on subsequent decision layers. To provide an example, it starts with the government deciding to improve the railway system capacity utilization and safety to prepare for ERTMS (Doppelbauer & Guido, 2015). On the management level, this may lead to differences between railway stakeholders in how to interprete these objectives. Nevertheless, all these changes enforced by management ultimately involve adaptation of work planners (to utilize capacity efficiently) and system operators (to adjust behavior during operations accordingly). An important question is: are stakeholders in the upper layers aware of all changes and consequences of their decisions for the subsequent layers? As mentioned by , who introduces the cascade model – a railway specific representation of the socio-technical system described by Rasmussen, this may not be the case. Especially the control function, the feedback loop of each layer reporting back to the upper layer, is not always present. As a result, little vertical decision alignment and mutual understanding between stakeholders results in the lowest layer having only little operating space. The operating space is the space within the performance boundaries of Figure 1.

Rasmussen continues by proposing a model of functional abstraction that represents human behavior shaped by their objectives and constraints. For example, actors in the system have different performance goals. These performance goals are shaped by criteria like workload, cost-effectiveness and risk of failure. How stakeholders satisfy these performance goals is to some extent left open, only bounded by some sort of administrative, functional, and safety constraints (imposed on the individual by decisions from the hierarchical layer above). This means the behavior of the system is defined by two key variables:

  • The higher hierarchical layers enforcing pressure on performing cost-effective
  • The lower hierarchical layers trying to identify workarounds

These two factors together push the behavior of the system towards the boundary of safe operation, demonstrated in Figure 1. Siegel and Schraagen (2017) translate those performance boundaries to the case of the railway system, naming the boundaries: safety, performance, and workload, which we further specify as safety, cost and capacity.

Figure 1 The migration of the gradients towards the boundaries under strong pressure adjusted to the case of the railway system, from (Rasmussen, 1997)

Hence, it is of utmost importance to make the safety boundary explicit and create awareness on the boundary in the whole socio-technical system. In this relation, Rasmussen brings in the argument that when the higher level decision-makers are adapting individually to the competitive pressure of having to performe cost-effective, the resulting interactions are most likely not in accordance with the overall safety control requirements. Decision-makers make individual decisions due to the increasing pressure on availability and costs. If there is no alignment between decision-makers it is more likely that a decision is made that let them cross the safety boundary without noticing, because there is no clear overview of all the decisions made in the complex system. Meaning the safety boundary could be crossed in the case of no collaboration of involved parties.

Rasmussen continues by proposing “a framework for identification of the objectives, value structures, and subjective preferences governing the behavior within the degree of freedom faced by the individual decision maker and actor” (Rasmussen, 1997). He wants to achieve this by strengthening the control function of system performance. In other words, the boundaries of safe operation should be made explicit and the decision-maker should be given the chance to develop skills to work at the boundary. A shared awareness of the boundary further facilitates the operation within a safe space. He, therefore, introduces a risk management framework as a control task. According to the framework, for a particular hazard source, the following aspects have to be identified:

  1.  The control structure must be identified: that is the hierarchical structure in place that allows giving feedback.
    1. All relevant controllers must be identified: that is the decision-makers and their relations to each other.
    1. Their objectives and performance criteria determined: different stakeholders have different objectives, interests and values that guide their behavior and decisions.
    1. Their capability of control evaluated: that relates to knowledge, know-how and practical skills that help them to judge which information to communicate up, down & horizontally, and how effectively change is communicated about technology and processes.
    1. The information available to them about the actual state of the system in respect to production objectives and safety boundaries judged: this concerns questions like if the functioning of the system is within the control domain of the decision-maker? And whether this information is compatible with the decision-makers objectives and constraints?

Evident from this framework, Rasmussen proposes “a representation of the problem space in terms of means-ends hierarchy”, this would make the constraints and options for decisions explicit and serve as space within which a safe choice can be made. He determines that the success of this approach depends on how well one achieves to make the boundaries of safe operation explicit. Rasmussen’s framework has to be understood in terms of system theories, where he identifies the interdependence of hierarchies and complexity of the whole socio-technical system. In the words of Leverson (2016), who wrote a paper on the legacy of Rasmussen’s achievements for the system safety community: “Design decisions at each stage must be mapped into the goals and constraints they are derived to satisfy, with earlier decisions mapped (traced) to later stages of the process, resulting in a seamless (gapless) record of progression from high-level system requirements down to component requirements and designs. The specifications must also support the various types of formal and informal analyses used to decide between alternative designs and to verify the results of the design process. Specifications must, in addition, incorporate design rationale (intent) information. Finally, they must assist in the coordinated design of the components and the interfaces between them”. This summarizes the interdependence and complexity of decision-making in the socio-technical system very well. Mapping all the objectives and constraints, including earlier decisions mapped into the process, will be relatively difficult in real-time taking into consideration the dynamic nature of decisions. This is why Rasmussen’s framework is from some still criticized as being too static (van den Top, 2010). Nevertheless, his ideas are well appreciated in the scientific community, and many models are developed based on his work (Leverson, 2016).

Summarizing, several ideas of Rasmussen’s 1997 paper could also be relevant in the socio-technical railway systems and related design decisions, for example:

  • Emphasizing the control function to create vertical awareness and aligned decision-making in the system
  • Effective balancing between the performance boundaries in the dynamic socio-technical system: safety, costs, and capacity
  • Representing the performance space in terms of means-ends hierarchy to derive the space of safe decision-making by making objectives and constraints of stakeholders explicit


Doppelbauer, J., & Guido, P. (2015). ERTMS Long Term Perspective. Retrieved from Lille, France:

Leverson, N. (2016). Rasmussen’s Legacy: A Paradigm Change in Engineering for Safety. Applied Ergonomics(Special Issue: On the Legacy of Jens Rasmussen).

Rasmussen, J. (1997). Risk Management in a Dynamic Society: A Modelling Problem. Safety Science, 27(2/3), 183-213.

Siegel, A. W., & Schraagen, J. M. C. (2017). Beyond procedures: Team reflection in a rail control centre to enhance resilience. Safety Science, 91, 181-191.

van den Top, J. (2010). Modelling Risk Control Measures in Railways – Analysing how designers and operators organise safe rail traffic. (Ph.D.), Technische Universiteit Delft, Delft.