Major accidents rarely take place as a result of one barrier failing. The lessons learned from the most notorious catastrophes have proven time and time again, that they are caused by multiple barrier failures. As such, one of the most important aspects of constructing a bowtie is the accurate identification and depiction of these controls that we so heavily rely upon. By doing so, we can clearly communicate their importance to the individuals that manage them.
In this article we provide guidance on the key steps to follow when identifying and defining barriers. Read additional uses of bowtie diagrams to understand how bow ties can be used in practice.
Barrier Function & Location: What Is the Barrier Trying to Accomplish?
First step in defining a barrier is to have a clear understanding of what it is trying to achieve. The barrier’s function is to intervene in a scenario. Prevention barriers, on the left side of the bowtie are designed to prevent the Top Event from occurring (pre-event), and mitigation barriers, on the right side of the bowtie are designed to prevent a consequence or to reduce its severity (post-event).
Useful Checks
When deciding on the location and function of the barrier ask the following questions.
- Does it Eliminate; remove or limit the Threat? If so, it is a prevention barrier
- Does it Prevent; prevent the Top Event? If so, it is a prevention barrier
- Does it Control; prevent the consequence? If so, it is a mitigation barrier
- Does it Limit; limit the impact of the consequence? If so, it is a mitigation barrier
Where possible make the barrier name as descriptive as possible to indicate its function.
Barrier Types: What is the Main Operating Characteristic of the Barrier?
Barrier type identifies the main operating characteristic of the barrier. While several classifications might be possible, the Energy Institute’s guidance suggests using the five types listed below. The first four are listed in the sequence of effectiveness, giving a hierarchy of control.
- Passive hardware
- Active hardware
- Active hardware + human
- Active human
- Continuous hardware
Labels such as ‘Procedural’ should be avoided since a procedure is just a piece of paper, this does not meet the requirements for a full barrier.
Questions to ask when deciding on Barrier Types:
Barrier Properties: Barriers Have to be Effective, Independent and Auditable!
For a barrier to be valid it must conform to the following;
Effective; A barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended. A prevention barrier should on its own prevent a threat from developing into the top event. A mitigation barrier should completely mitigate the consequences of a top event, or significantly reduce the severity.
Auditable; Barriers should be capable of being audited to check that they work.
Independent; This means that for something to be considered a Barrier it needs to be able to deliver its function by itself, independent of other Barriers, equipment or tasks.
To support the development of a fully functional and independent Active Barrier the S-D-A model should be used.
- Sensor (an instrument, mechanical or human); detects a deviation that requires a barrier to function
- Decision (logic solver, relay, mechanical device or human); determines how to respond to the deviation
- Action (instrument, mechanical or human); delivers the function that intervenes in the scenario
For each active barrier on the bowtie all the components above that are required to deliver the intended action should be present.
Useful Checks
- Do the barriers identified have all the components of the Sensor-Decision-Action model?
- Can you merge barriers on the same pathway to make a complete barrier system? E.g., Barriers ‘fire and gas detection’, ‘ESD’ and ‘Human intervention’ these are important barrier elements, however they do not constitute a complete barrier. A complete barrier could be ‘fire and gas detection, automatic logic controller (or human response to alarm) and ESD’,
Common Mistakes
- Incorrect positioning of prevention (pre-event) and mitigation (post-event) barriers.
- Referencing ‘training’ and ‘competency’ as barriers: these are degradation controls and would appear on a degradation pathway supporting the barrier to which they apply.
- Representing the sensor, decision, action element of one barrier as separate barriers giving a false sense of security.
The following sources, Norway Petroleum Safety Authority – Principles for Barrier Management in the Petroleum Industry, CCPS and Energy Institutes – Bowties in Risk Management were referenced when writing this article.
