Many examples of safety control structures can be found in ESW. Figure 1.6 shows a safety control structure (from the Deepwater Horizon accident) that spans companies. One of the problems in that case, as reflected in the finger pointing after the accident, was that the responsibilities were not clearly delineated for all the actors in the system, and gaping holes in responsibilities existed.

Control is being used here in a broad sense. Component failures and unsafe interactions may be controlled through design, such as classical redundancy, interlocks, and fail-safe design, or through more specific types of controls geared to protect against a particular type of behavior. They may also be controlled through process, including developmental, manufacturing, maintenance, and operational processes. Finally, they may be controlled through various types of social controls. While social controls are usually conceived as being governmental or regulatory, they may also be cultural, insurance, legal, or even individual self-interest. In fact, the most effective way to control behavior is to design (or redesign) a system such that people behave in the desired way because it is in their best interest to do so (Leveson, 2009).
Bibliography: Leveson, N. G. (2009). A New Approach to Ensuring Safety in Software and Human Intensive Systems (July).