**3. Results**

### *3.1. Definition of Purpose*

In the scenario presented, the key stakeholders are the consumers of the water produced by the drinking water catchment. Therefore, the key losses or accidents considered are the illness or death resulting from pathogens or contaminants introduced from the catchment area. The causes that could lead to such losses are contaminants or pathogens in concentrations too great to be removed effectively through downstream water quality control barriers, or water quality that reduces the effectiveness of downstream water quality control processes. For drinking water supplies, these downstream barriers typically include water treatment and disinfection processes.

For step one of EWaSAP, the focus is on identifying the agents outside of the system which must be informed of a system-level hazard. In this case, the main agent would be the position in direct control of the drinking water system, which for a typical WSP may be a position such as a Water Quality Operations Manager. In this situation, the indication of degraded water quality would come from a violation of the water quality limits that reflect the verified capability of downstream water treatment and disinfection processes. The high-level hazards, the corresponding safety constraints identified, and the associated warning signals are provided in Table 1.


**Table 1.** The system-level accidents, hazards, safety constraints, and indicators.

### *3.2. Safety Control Structure*

In a drinking water supply system like the scenario created for this study, the quality of the water supplied is under the control of the WSP, which is accountable for the final supply to the customer. When it comes to catchment management, the management structures and accountabilities for actions to protect water quality outcomes involve multiple landholders and government agencies. The WSP often has limited direct influence over the landholders and government agencies responsible for natural resource management and pollution regulation. As such, the safety structure includes a role for the government agencies accountable for the management of water resources. The safety structure also considers the role of the public health authority with statutory responsibility for regulating drinking water supplies. While the regulator has no direct responsibility for managing stream buffers, it has indirect influence through regulatory actions. Including enabling actors in the safety control structure provides a detailed view of the broader sociotechnical structure which influences the successful management of ecosystem services in drinking water catchments.

For the WSP, several key internal functions are included in the safety control structure as the control of these functions has considerable influence on drinking water quality outcomes. The WSP functions relate to the maintenance, operations, and planning actions related to water quality control processes. For the study scenario, the description of all the key actors involved in managing vegetative buffers in drinking water catchments, and the associated control actions and information are listed in Figure 1.

### *3.3. Identification of Unsafe Control Actions*

In this step of the analysis, each of the 18 control actions included in the high-level control structure was reviewed to establish the scenarios in which the control actions can be unsafe and potentially violate the system safety constraints. As this is a theoretical example, the identification of UCAs was based on the authors' knowledge in conjunction with industry guidance and the WHO guidance document on protecting surface water for public health [4]. The actions considered multiple aspects, from typical planning and operations to strategic management and policy. At this stage of the study, a total of 46 UCAs were identified for the high-level control actions related to the management of stream buffers. A sample of the UCAs for operational and strategic control actions is provided in Table 2.

**Figure 1.** High-level safety control structure with control actions and feedback.



### *3.4. Causal Factors, Countermeasures, and Early Warning Signs*

The causal factors are the scenarios that result in potentially unsafe control actions and, eventually, in the potential violation of the high-level safety constraints previously identified in Table 1. The STPA Handbook [15] includes guidance for the identification of loss scenarios as the fourth step in the STPA method. For EWaSAP, the third step is to enforce internal awareness actions to indicate the occurrence of a flaw and the violation of assumptions made in the design of the system. This step is a proposed add-on to step 3 in the STPA method. For this study, when completing step 3 of EWaSAP in conjunction with the STPA method, consideration was given to the potential causal factors when identifying the signs of the flaws occurring. The next step was to consider what countermeasures could be put in place to prevent the identified scenarios leading to unsafe control actions. A total of 73 causal factors were identified from the UCAs, and each causal factor then had a corresponding countermeasure assigned. Some of the causal factors had similar failure mechanisms and therefore had a similar countermeasure assigned, resulting in a total of 61 countermeasures. A sample of the countermeasures and early warning signs is provided in Table 3.


**Table 3.** A sample of the countermeasures and early warning signs identified for stream buffers.

The sensor element is derived from the control feedback in the safety control structure and supplies the controller with information to control the actions of the actuator. The actual sensor will depend on the specifics of a given situation and may include visual observations, water quality data, etc. The timing of information from the sensor will depend on the rate at which conditions can change. The timing of sensor readings is essential for informing the early warning signs, which confirm whether the countermeasure is effective and is enforcing the required safety constraints in the management structure. This process was completed for all 61 countermeasures identified.
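The relationship between causal factors, countermeasures, early warning signs and sensor timing can be sketched in code. The following is an added example, not material from the study: all UCA labels, countermeasures, sensors, intervals and readings are constructed for illustration. It shows how causal factors with a shared failure mechanism collapse onto one countermeasure, and how a sensor reading that is older than the interval set for its sign leaves the countermeasure unconfirmed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CausalFactor:
    uca: str             # unsafe control action this factor can lead to
    description: str
    countermeasure: str  # countermeasure assigned to this factor

@dataclass(frozen=True)
class EarlyWarningSign:
    countermeasure: str
    sensor: str              # feedback source: observation, data feed, ...
    max_interval: timedelta  # set from how fast conditions can change
    threshold: float         # reading at or above this means the sign is present

def countermeasure_index(factors):
    """Group causal factors by countermeasure; shared ones become one entry."""
    index = {}
    for f in factors:
        index.setdefault(f.countermeasure, []).append(f)
    return index

def evaluate(sign, readings, now):
    """Return 'stale', 'warning' or 'ok' from a list of (time, value) readings."""
    if not readings:
        return "stale"
    when, value = max(readings, key=lambda r: r[0])  # most recent reading
    if now - when > sign.max_interval:
        return "stale"  # feedback too old to confirm the countermeasure works
    return "warning" if value >= sign.threshold else "ok"

# Constructed sample data (hypothetical, not taken from the study's tables).
FACTORS = [
    CausalFactor("UCA-a", "buffer inspection not scheduled", "inspection programme"),
    CausalFactor("UCA-b", "inspection findings not actioned", "inspection programme"),
    CausalFactor("UCA-c", "stock exclusion fencing damaged", "fence maintenance"),
]
SIGNS = [
    EarlyWarningSign("inspection programme", "overdue inspections", timedelta(days=30), 1),
    EarlyWarningSign("fence maintenance", "fence breaches", timedelta(days=7), 1),
]
NOW = datetime(2020, 6, 30)
READINGS = {
    "overdue inspections": [(datetime(2020, 6, 20), 0)],
    "fence breaches": [(datetime(2020, 6, 1), 0)],
}

def status_report():
    """Status of every early warning sign, keyed by countermeasure."""
    return {s.countermeasure: evaluate(s, READINGS.get(s.sensor, []), NOW) for s in SIGNS}
```

In this constructed data the fence reading shows no breach but is 29 days old against a 7-day interval, so it is reported as stale rather than as confirmation that the countermeasure is working.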

Of all the early warning signs identified, the majority were related to the risk assessment and planning process, accounting for 39% of all indicators. The risk assessment and planning processes set the foundations for the overall system, where issues are identified and rectified, and this stage can prevent possible degradation due to management actions. The next highest numbers of early warning signs were found for maintenance and operation functions (13%) and government policy and regulation (12%). Like any other asset in the water supply system, stream buffers require ongoing maintenance and operations to ensure the expected level of performance is maintained. In this instance, monitoring the early warning signals related to operations and maintenance functions provides greater certainty in meeting the water quality objectives. Government policy and regulation are not directly influenced by a WSP, but it is important to be able to navigate the aspects of policy and regulation which influence stream buffer management. The smallest group of early warning signs, related to water quality sampling, accounted for only 3% of all indicators identified. Water quality sampling is often used as the principal indicator for the effectiveness of water quality interventions. While effective for characterizing water quality, monitoring is a lag indicator in this instance, as stream buffers may become seriously degraded before any change in water quality results is observed.
