HDL
Hazards, Defences & Losses Hollnagel
Hollnagel (2004) · Barriers & accident prevention · Barrier system taxonomy

Hollnagel's taxonomy refines the defence-in-depth idea by distinguishing four qualitatively different barrier systems: physical, functional, symbolic and incorporeal. A barrier function is what needs to be achieved (prevent, contain, protect, restore); a barrier system is the concrete means of achieving it. Well-designed defences-in-depth mix barrier systems so that no single failure class — material, informational, or normative — can defeat the whole.

Overview of the taxonomy

In Barriers and Accident Prevention Hollnagel separates the purpose of a barrier from the means used to deliver it. The purpose is captured by a barrier function: to prevent an event, contain its energy, protect targets from consequences, or enable restoration. The means is the barrier system that implements the function, and the four systems differ in how they act and how they fail.

Physical (material) barriers stop energy, mass or people directly — firewalls, containment vessels, runway end safety areas, cockpit doors. Functional (active or dynamic) barriers set logical or temporal preconditions — interlocks, TCAS resolution advisories, engine-start inhibits, password-gated commands. Symbolic barriers rely on perception and interpretation by an agent — signs, colour codings, callouts, alarms, placards. Incorporeal barriers exist only in rules, norms, and culture — regulations, SOPs, licences, just-culture expectations. Each has different reliability characteristics and different failure modes, which is why mixing systems is essential to robust defence-in-depth.

HAZARD energy PHYSICAL material — blocks energy directly walls · containments · RESA cockpit doors · PPE FUNCTIONAL active — sets preconditions interlocks · TCAS RA passwords · inhibits SYMBOLIC perceptual — needs interpretation signs · alarms · callouts colour codes · placards INCORPOREAL normative — only in rules & minds regulations · SOPs licences · safety culture TARGETS people assets environment mission Barrier functions • Prevent • Contain • Protect • Restore purpose ≠ means a function can be realised by any of the four systems
Figure 1. Hollnagel's four barrier systems — physical, functional, symbolic, incorporeal — each realising prevent / contain / protect / restore functions between a hazard and its targets.

When to use it

Typical applications

  • Barrier analysis during hazard assessment
  • Design review of defence-in-depth architectures
  • Post-event analysis: which barrier class failed and why
  • Selecting controls in bow-tie and LOPA studies
  • Assessing reliance on procedures versus engineered safeguards

Aviation relevance

  • Classifying mitigations in ICAO-style hazard registers
  • Evaluating TCAS, EGPWS, RAAS as functional barriers
  • Judging symbolic-barrier reliance (alarms, EICAS)
  • Assessing incorporeal reliance (SOPs, CRM, just culture)
  • Integrating with bow-tie diagrams in SMS risk management

Benefits

Analytic precision

Distinguishing function (purpose) from system (means) forces analysts to ask whether a given control actually delivers the intended barrier function — a test many named "controls" quietly fail.

Diverse defence-in-depth

Makes it obvious when a system relies on a single barrier class; a stack of four SOPs looks like depth but is only one kind of barrier, all vulnerable to the same normative drift.

Prospective design support

Gives designers a structured palette: if a physical barrier is impractical, consider functional, then symbolic, then incorporeal — and make the trade-off in reliability explicit.

Bridges to systemic models

Feeds naturally into FRAM and STAMP: functions are the unit of analysis, barrier systems are the realisations, and their coupling can be modelled explicitly rather than assumed.

Limitations

Classification ambiguity

Real controls often combine classes — an alarm with an interlock is both symbolic and functional — so strict typing can become contested and reduce inter-rater reliability.

Reliability not quantified

The taxonomy is qualitative; quantifying the failure probability of a symbolic or incorporeal barrier is notoriously difficult, and LOPA-style credit rules are context-specific.

Static view of barriers

Like other defence-in-depth models, it can underplay the way barriers are actively maintained and degraded by everyday work — a concern Hollnagel himself later addressed with FRAM.

Culture as barrier

Treating safety culture as an incorporeal barrier is conceptually useful but hard to operationalise: cultures cannot be simply installed, tested or retired like a physical system.

In short

Hollnagel reframes defences-in-depth as a portfolio of four barrier systems — physical, functional, symbolic, incorporeal — each realising prevent / contain / protect / restore functions. Robust safety mixes systems so that no single failure mode defeats the whole.

References (APA 7)

Hollnagel, E. (2004). Barriers and accident prevention. Ashgate.

Hollnagel, E. (1999). Accidents and barriers. In J.-M. Hoc, P. C. Cacciabue, & E. Hollnagel (Eds.), Expertise and technology (pp. 175–197). Lawrence Erlbaum.

Sklet, S. (2006). Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries, 19(5), 494–506.

de Dianous, V., & Fiévez, C. (2006). ARAMIS project: A more explicit demonstration of risk control through the use of bow–tie diagrams and the evaluation of safety barrier performance. Journal of Hazardous Materials, 130(3), 220–233.

Reason, J. (1997). Managing the risks of organizational accidents. Ashgate.

International Civil Aviation Organization. (2018). Safety management manual (Doc 9859, 4th ed.). ICAO.

Further reading

Hollnagel, E., Woods, D. D., & Leveson, N. (Eds.). (2006). Resilience engineering: Concepts and precepts. Ashgate.

Center for Chemical Process Safety. (2018). Bow ties in risk management. Wiley.

Energy Institute. (2019). Guidance on human factors safety critical task analysis (2nd ed.).

de Ruijter, A., & Guldenmund, F. (2016). The bowtie method: A review. Safety Science, 88, 211–218.