Major accidents rarely take place as a result of one barrier failing. The lessons learned from the most notorious catastrophes have proven time and time again, that they are caused by multiple barrier failures. As such, one of the most important aspects of constructing a bowtie diagram is the accurate identification and depiction of these controls that we so heavily rely upon. By doing so, we can clearly communicate their importance to the individuals that manage them.
In this article we provide guidance on the key steps to follow when identifying and defining bow tie diagram barriers. Read additional uses of bowtie diagrams to understand how bow tie diagrams can be used in practice.
The first step in defining a bow tie diagram barrier is to have a clear understanding of what it is trying to achieve. The barrier’s function is to intervene in a scenario. Prevention barriers, on the left side of the bowtie diagram are designed to prevent the Top Event from occurring (pre-event), and mitigation barriers, on the right side of the bowtie diagram are designed to prevent a consequence or to reduce its severity (post-event).
When deciding on the location and function of the barrier, ask the following questions:
Where possible, make the barrier name as descriptive as possible to indicate its function.
Barrier type identifies the main operating characteristic of the barrier. While several classifications might be possible, the Energy Institute’s guidance suggests using the five types listed below. The first four are listed in the sequence of effectiveness, giving a hierarchy of control.
Labels such as ‘Procedural’ should be avoided since a procedure is just a piece of paper, this does not meet the requirements for a full barrier.
Questions to ask when deciding on Barrier Types:
For a bowtie diagram barrier to be valid it must conform to the following:
Effective: A barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended. A prevention barrier should on its own prevent a threat from developing into the top event. A mitigation barrier should completely mitigate the consequences of a top event, or significantly reduce the severity.
Auditable: Barriers should be capable of being audited to check that they work.
Independent: This means that for something to be considered a Barrier it needs to be able to deliver its function by itself, independent of other Barriers, equipment or tasks.
To support the development of a fully functional and independent Active Barrier, the S-D-A model should be used.
For each active barrier on the bowtie all the components above that are required to deliver the intended action should be present.
The following sources, Norway Petroleum Safety Authority – Principles for Barrier Management in the Petroleum Industry, CCPS and Energy Institutes – Bowties in Risk Management were referenced when writing this article.