Standardisation of Bow Tie Methodology and Terminology via a CCPS/EI Book

This 2017 brief paper discusses the development of a book, seeking to better standardise terminology in bow ties and barriers.

Of course, there are entire books and guides written about this, but this paper is easier to summarise.

I’m not endorsing these terms or perspectives, just providing them for interest.

[** Note. For the keen of eye, you’ll see that the incorporation of human variability and performance considerations, or of complex systems, is still relatively limited; this is covered in other material from these authors. I plan to post some in the future.]

The key proposals from the paper are summarised in the points below.

I’m not covering them all here, but a key delineation is between a control, a barrier and a safeguard. Controls include both barriers and safeguards; controls are “measures expected to be in place to prevent incidents”.

In their conceptualisation, the single ‘barrier’ type is replaced by a set of barrier types: passive hardware, active hardware, active hardware + human (elements of both hardware and humans in the detect-decide-act sequence), active human (all elements human), and continuous hardware.

Continuous hardware sits alongside active and passive hardware: it is continuously in operation, and only the ‘act’ part of the detect-decide-act sequence is present.

They specify that barriers, to be considered barriers, must be ‘effective, independent, and auditable’, and must have “the capacity to completely stop the threat from leading to the top event and must be independent of the threat and other barriers linked to a particular threat”.

‘Barriers’ that don’t meet the above criteria can be considered as safeguards. Moreover, they add that safeguards also protect against the degradation of barriers (what earlier bow tie methods called escalation factors).

Hence degradation controls (safeguards) may not meet the definition of a full barrier (effective, independent, auditable), or have the full detect, decide, act sequence, but can still be effective in maintaining the integrity or operation of barrier systems.

Like before, barriers can still be passive or active. If active, they “must have separate elements to Detect what is going wrong, Decide on what to do about it and to Act to completely stop the threat from progressing further”.

Hazard definition

They made no changes to the “standard HSE definition”, that a hazard is an agent or operational situation that could cause harm.

However, in the context of bow ties, they note that “generic hazards lead to generic bow ties”, so in bow ties include details on the scale and location of the hazard: not “LPG” but “storing 50 tons of LPG in a bullet”; not “helicopters” but “transporting people 200 miles by helicopter from land to an offshore drill rig”.

Top Event

They keep the same definition for a top event: the point at which control is lost over the hazard.

They also briefly discuss consequences, which is standard material, except that they’re interested in the worst credible scenarios.

Threats

Threats are treated similarly to HAZOP causes, but their “descriptions must be specific and sufficient and not just generic descriptions such as overpressure, overfilling, excess temperature, etc”.

A threat acting alone on the hazard must be sufficient on its own to bring about the top event “without any help from another threat if there are no barriers in place”.

Hence, “This also means that a threat cannot be the non-functioning of a barrier or absence of a barrier”. Per their example, brake failure on a car can’t on its own lead to a top event of loss of control if the car is parked in a garage.

Barriers

They spend a lot of time on barriers. On the left side of the bow tie are “prevention barriers”, and on the right “mitigation barriers”. Again, by their definition, each barrier has to have the capacity to completely stop the threat from leading to the top event, must be effective, independent and auditable, and must be independent of the other barriers linked to a particular threat.

It’s said that using these definitions (effective, independent and auditable) typically limits the barriers on a bow tie to between 2 and 5, with the major benefit of making the bow tie more easily understood, so that “management and operations do not gain a false sense of security that multiple barriers are in place when several of the barriers are not independent (i.e. if one barrier fails then another one will fail at the same time)”.

Not covering all of these distinctions here, but barriers can be passive or active, as mentioned earlier. One consideration is that, at least theoretically, detect and decide can be present in some passive and continuous barriers “but only in the mind of the designer of the project/barrier when she considers that the threat may exist and decides to include the barrier in the design”.

Some bow ties term the components of detect-decide-act sensor, logic solver and actuator, but this committee instead chose simpler terms [** If you follow Leveson’s work, or control theory more generally, sensor, actuator etc. will be familiar to you.]
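To make the barrier test concrete, the following is an added example written for this post; it is not code from the paper or from its authors. It models one threat line as a list of controls, each with identifiers for the elements performing detect, decide and act, and applies the stated criteria: a control counts as a barrier only if it can completely stop the threat, is auditable, has the full detect-decide-act sequence (passive and continuous hardware carry only ‘act’), and is independent of the threat and of the other barriers on the line. Independence is modelled, as an assumption of this example, as sharing no element: two controls built on the same transmitter or the same final element fail together, so only one of them is credited. The threat, the control records and tag names (TT-101, XV-101, PSV-101 and so on) are constructed.

```python
"""Classify the controls on one bow tie threat line as barriers or safeguards.

Added illustration for this post, not code from the paper. The controls,
element identifiers and threat are constructed. Independence is modelled
as 'shares no element with another credited barrier' (an assumption).
"""
from __future__ import annotations

from dataclasses import dataclass

PASSIVE = "passive hardware"
CONTINUOUS = "continuous hardware"
ACTIVE = "active hardware"
ACTIVE_HUMAN = "active hardware + human"
ALL_HUMAN = "active human"


@dataclass(frozen=True)
class Control:
    name: str
    kind: str
    effective: bool            # capable of completely stopping the threat
    auditable: bool
    detect: str | None = None  # identifier of the element doing each step
    decide: str | None = None
    act: str | None = None

    def elements(self) -> frozenset[str]:
        return frozenset(e for e in (self.detect, self.decide, self.act) if e)

    def complete(self) -> bool:
        # Passive/continuous hardware carry only 'act'; the designer's
        # detect/decide is not an operating element. Active types need all three.
        if self.kind in (PASSIVE, CONTINUOUS):
            return self.act is not None
        return None not in (self.detect, self.decide, self.act)


def classify(controls: list[Control], threat_defeats: frozenset[str] = frozenset()):
    """Return (barriers, safeguards) for one threat line.

    threat_defeats: identifiers of elements the threat itself disables
    (assumed way of checking 'independent of the threat').
    safeguards maps control name -> reason it is not credited as a barrier.
    """
    barriers: list[Control] = []
    safeguards: dict[str, str] = {}
    for c in controls:
        if not c.effective:
            safeguards[c.name] = "cannot completely stop the threat"
        elif not c.auditable:
            safeguards[c.name] = "not auditable"
        elif not c.complete():
            safeguards[c.name] = "incomplete detect-decide-act sequence"
        elif c.elements() & threat_defeats:
            safeguards[c.name] = "relies on an element the threat disables"
        else:
            shared = [b.name for b in barriers if b.elements() & c.elements()]
            if shared:
                # A common element with an already credited barrier means both
                # fail when that element fails, so this one is not independent.
                safeguards[c.name] = "not independent of " + ", ".join(shared)
            else:
                barriers.append(c)
    return barriers, safeguards


# Constructed threat line: loss of cooling to a reactor, where the threat
# also takes out the plant power feed that one of the controls depends on.
THREAT_DEFEATS = frozenset({"plant-power fan"})
CONTROLS = [
    Control("High-temperature trip", ACTIVE, effective=True, auditable=True,
            detect="TT-101", decide="SIS logic solver", act="XV-101"),
    Control("High-temperature alarm and operator response", ACTIVE_HUMAN,
            effective=True, auditable=True,
            detect="TT-101", decide="board operator", act="XV-101"),
    Control("Emergency cooling fan", ACTIVE, effective=True, auditable=True,
            detect="TT-102", decide="DCS", act="plant-power fan"),
    Control("Pressure relief valve", ACTIVE, effective=True, auditable=True,
            detect="PSV-101", decide="PSV-101", act="PSV-101"),
    Control("Operator competency programme", ALL_HUMAN,
            effective=False, auditable=True),
]


def report(controls=CONTROLS, threat_defeats=THREAT_DEFEATS) -> list[str]:
    barriers, safeguards = classify(controls, threat_defeats)
    lines = [f"independent barriers on this threat line: {len(barriers)}"]
    lines += [f"  barrier:   {b.name} [{b.kind}]" for b in barriers]
    lines += [f"  safeguard: {n} ({why})" for n, why in safeguards.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as written, the five controls collapse to two independent barriers (the trip and the relief valve): the alarm-and-operator control shares its transmitter and final element with the trip, the fan relies on power the threat removes, and the competency programme cannot stop the threat on its own, which is the kind of “false sense of security” count the authors warn about.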

Other barrier considerations

Other considerations of note are listed below, starting with barrier type and strength.

Barrier effectiveness/strength: They note that while all barriers should fulfil the criteria (effective, independent, auditable), some barriers are better than others. In alignment with the hierarchy of control, they propose that passive hardware tends to be the strongest, followed by active hardware, then active hardware + human (with only one human element), then active human (all elements human) [** This is where the HF/E and Resilience Engineering etc. research excels, highlighting that people quite often perform more strongly in problem solving and other areas, and that their strengths are sometimes underplayed when thinking is based primarily on the hierarchy of control]

Barrier reliability: Various measures are available here, qualitative (high, medium, low; excellent, acceptable, poor, etc.) or quantitative (such as probability of failure).

Barrier adequacy: Further consideration can be given to barriers which may not always meet their effectiveness targets, but still help in certain ways (such as for mitigation efforts).

Barrier criticality: Some barriers are more important than others, hence determining criticality can be important, especially if a barrier is connected to preventing a major threat or consequence, or if it is used across multiple threats or consequence legs of the bow tie. [** “Critical controls” seem to be analogous under ICMM’s CCM framework.]

Barrier condition: This provides an indication of the barrier’s status during operation based on the design intent and whether the barrier has degraded over time. They suggest traffic lights, with green meaning the barrier is in place and operating as per design, amber where the barrier is in place but operating below intended functionality, and red where the barrier isn’t available or is significantly degraded.

Other companies have used two more categories: white, where the barrier has not yet been assessed or no operational performance data is available, and black, where the barrier is either not installed relative to the standard design or has been removed/deactivated on a long-term basis.

Factors will always exist that degrade or affect the functioning of a barrier as intended, termed “degradation factors” (what earlier bow tie methods called escalation factors).

Degradation factors “enable the team to further investigate why a barrier won’t work as intended”. In their view, “the barriers identified in HAZOPs and LOPAs are all assumed to work as intended (subject to semi-quantitative probabilities of failure on demand)”, in contrast to this approach, which doesn’t make that assumption.

They advise that degradation factors be clearly described and specific, avoiding generic terms. They provide some prompts around how an “alarm and operator response” barrier might fail. Is it because the alarm is broken, or there’s no system to detect the broken alarm, or is it due to operator training or competence (or mental models)? These need to be clearly articulated.

Safeguards

Next they focus on safeguards, said to “lie along degradation pathways into that barrier where they help defeat the degradation factor”.

In their conceptualisation of bow ties, safeguards should only appear on degradation pathways, as they don’t prevent or mitigate a top event directly. While safeguards may meet some of the requirements of a barrier, they’re not titled barriers, since they lack the full quality criteria of a barrier and the ability to detect-decide-act (as found with barriers).

They argue that the use of safeguards “allows the developer to reflect the role that softer issues play in the management of risk and assurance of barriers”, and hence that safeguards allow the incorporation of human and organisational factors.

For their revised definitions, they remove “simple human factors descriptors”, like procedures, training and competency from acting as barriers on threat lines. Instead, these descriptors, with more specificity, can be safeguards to ensure barriers perform as desired.

Managing Barriers and their Relationship to Risk Based Process Safety

Next they discuss major accidents in which barriers installed to prevent the major accident event weren’t maintained as expected, or weren’t inspected or tested against their expected performance criteria. E.g. at Buncefield, a tank overfill shut-off switch taken out of service for maintenance wasn’t correctly returned to service.

Bow ties, in their view, should be part of an ongoing risk management process. Creating a bow tie may help with awareness of the hazard, threats and barriers, but “does not manage the risk”.

Further, barriers degrade continuously and at different rates, so their measured status will vary. A key benefit of bow ties is visually representing the condition of barriers and safeguards; hence a bow tie “is not an end to itself but provides input to the following questions:

· Is it safe to continue operations?

· Are immediate mitigations required to continue operations?

· Which barriers or safeguards should be prioritised for rectification to regain their design intent?”

Based on these questions, they see it as not beneficial to use a barrier scoring system based purely on single go/no-go decisions, and “The complexities of different barrier strengths, criticalities and current condition are normally too difficult to distil into a single numerical scoring system”.
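As an added example of how barrier condition, criticality and the three questions above fit together (written for this post; it is not the authors’ method and the paper gives no such rule), the following rolls a constructed condition register up per threat and consequence leg. The colours follow the post (green, amber, red, plus white and black). The decision rule is assumed: a leg is ‘stop’ when no barrier on it is green, ‘mitigate’ when any barrier is below green, ‘continue’ otherwise. The rectification list keeps condition and criticality (the number of legs a barrier sits on) as separate sort keys rather than folding them into one number. The bow tie legs, barrier names and conditions are constructed.

```python
"""Roll barrier condition up into the three questions the post quotes.

Added illustration, not the authors' method. The bow tie, the condition
register and the decision rule are constructed/assumed.
"""
from collections import Counter

GREEN, AMBER, RED, WHITE, BLACK = "green", "amber", "red", "white", "black"
# Worse-first order for rectification. White (not assessed) is ranked above
# amber on the assumption that an unassessed barrier cannot be credited.
SEVERITY = {BLACK: 0, RED: 1, WHITE: 2, AMBER: 3, GREEN: 4}

# Constructed bow tie: threat/consequence leg -> barriers on that leg
BOWTIE = {
    "Threat: tank overfill during receipt": [
        "Level gauge + operator stop",
        "Independent high-level switch trip",
    ],
    "Threat: hose rupture at tanker bay": ["Dry-break coupling"],
    "Consequence: pool fire from released fuel": ["Bund", "Fixed foam system"],
    "Consequence: groundwater contamination": ["Bund"],
}
# Constructed condition register (e.g. a trip left out of service after maintenance)
CONDITION = {
    "Level gauge + operator stop": GREEN,
    "Independent high-level switch trip": BLACK,
    "Dry-break coupling": RED,
    "Bund": AMBER,
    "Fixed foam system": GREEN,
}


def criticality(bowtie: dict) -> Counter:
    """Number of legs each barrier sits on (barriers shared across legs rank higher)."""
    return Counter(b for barriers in bowtie.values() for b in barriers)


def leg_status(bowtie: dict, condition: dict) -> dict:
    """Per leg: 'continue', 'mitigate' or 'stop' under the assumed rule."""
    status = {}
    for leg, barriers in bowtie.items():
        colours = [condition.get(b, WHITE) for b in barriers]  # unknown -> white
        if GREEN not in colours:
            status[leg] = "stop"
        elif any(c != GREEN for c in colours):
            status[leg] = "mitigate"
        else:
            status[leg] = "continue"
    return status


def rectification_order(bowtie: dict, condition: dict) -> list:
    """Degraded barriers, worst condition first, then most legs served, then name."""
    crit = criticality(bowtie)
    degraded = [b for b in crit if condition.get(b, WHITE) != GREEN]
    degraded.sort(key=lambda b: (SEVERITY[condition.get(b, WHITE)], -crit[b], b))
    return [(b, condition.get(b, WHITE), crit[b]) for b in degraded]


if __name__ == "__main__":
    for leg, s in leg_status(BOWTIE, CONDITION).items():
        print(f"{s:9} {leg}")
    for b, colour, legs in rectification_order(BOWTIE, CONDITION):
        print(f"fix: {b} ({colour}, on {legs} leg(s))")
```

With this register the hose leg and the groundwater leg come out as ‘stop’ (no green barrier left on them), the other two as ‘mitigate’, and the rectification list reads trip, coupling, bund; the bund is last on condition alone even though it is the most critical barrier, which is exactly the trade-off the authors say a single score hides.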

They discuss some other facets of barriers but I’ve skipped these.

Authors: Manton, M, Johnson, M, Pitblado, R et al. (2017). Standardisation of Bow Tie Methodology and Terminology via a CCPS/EI Book. Hazards 27: Symposium series no 162. IChemE.

Study link: https://www.icheme.org/media/15543/poster-09.pdf

LinkedIn post:  https://www.linkedin.com/pulse/standardisation-bow-tie-methodology-terminology-via-book-hutchinson-o7bkc
