Bowtie Master

How to Correctly Identify Bow tie Diagram Barriers in 3 Steps

Major accidents rarely take place as a result of one barrier failing. The lessons learned from the most notorious catastrophes have proven time and time again that they are caused by multiple barrier failures. As such, one of the most important aspects of constructing a bowtie diagram is the accurate identification and depiction of the controls that we so heavily rely upon. By doing so, we can clearly communicate their importance to the individuals who manage them.

In this article we provide guidance on the key steps to follow when identifying and defining bow tie diagram barriers. Read additional uses of bowtie diagrams to understand how bow tie diagrams can be used in practice.

1. Barrier Function and Location: What is the Barrier Trying to Accomplish?

The first step in defining a bow tie diagram barrier is to have a clear understanding of what it is trying to achieve. The barrier’s function is to intervene in a scenario. Prevention barriers, on the left side of the bowtie diagram, are designed to prevent the Top Event from occurring (pre-event). Mitigation barriers, on the right side of the bowtie diagram, are designed to prevent a consequence or to reduce its severity (post-event).

Useful Checks

When deciding on the location and function of the barrier, ask the following questions:

  • Does it eliminate or limit the threat? If so, it is a prevention barrier.
  • Does it prevent the top event? If so, it is a prevention barrier.
  • Does it control the consequence? If so, it is a mitigation barrier.
  • Does it limit the impact of the consequence? If so, it is a mitigation barrier.

Where possible, make the barrier name descriptive enough to indicate its function.

2. Barrier Types: What is the Main Operating Characteristic of the Barrier?

Barrier type identifies the main operating characteristic of the barrier. While several classifications might be possible, the Energy Institute’s guidance suggests using the five types listed below. The first four are listed in the sequence of effectiveness, giving a hierarchy of control.

  • Passive hardware
  • Active hardware
  • Active hardware + human
  • Active human
  • Continuous hardware

Labels such as ‘Procedural’ should be avoided: a procedure is just a piece of paper and does not meet the requirements for a full barrier.

Questions to ask when deciding on Barrier Types:

3. Barrier Properties: Barriers Have to be Effective, Independent and Auditable!

For a bowtie diagram barrier to be valid it must conform to the following:

Effective: A barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended. A prevention barrier should on its own prevent a threat from developing into the top event. A mitigation barrier should completely mitigate the consequences of a top event, or significantly reduce the severity.

Auditable: Barriers should be capable of being audited to check that they work.

Independent: This means that for something to be considered a Barrier it needs to be able to deliver its function by itself, independent of other Barriers, equipment or tasks.

To support the development of a fully functional and independent Active Barrier, the S-D-A model should be used.

  • Sensor (an instrument, mechanical or human); detects a deviation that requires a barrier to function
  • Decision (logic solver, relay, mechanical device or human); determines how to respond to the deviation
  • Action (instrument, mechanical or human); delivers the function that intervenes in the scenario

For each active barrier on the bowtie, all the components above that are required to deliver the intended action should be present.

Useful Checks

  • Do the barriers identified have all the components of the Sensor-Decision-Action model?
  • Can you merge barriers on the same pathway to make a complete barrier system? E.g., ‘fire and gas detection’, ‘ESD’ and ‘Human intervention’ are important barrier elements, but on their own they do not constitute a complete barrier. A complete barrier could be ‘fire and gas detection, automatic logic controller (or human response to alarm) and ESD’.

Common Mistakes

  • Incorrect positioning of prevention (pre-event) and mitigation (post-event) barriers.
  • Referencing ‘training’ and ‘competency’ as barriers: these are degradation controls and would appear on a degradation pathway supporting the barrier to which they apply.
  • Representing the sensor, decision and action elements of one barrier as separate barriers, giving a false sense of security.
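
The Sensor-Decision-Action check and the merge described above, as an added example that is not part of the original article: it groups the boxes drawn on each pathway, sets aside degradation controls, and reports whether the remaining elements form one complete barrier. The `Drawn` class, the role labels, the pathway names, the 'tank overfill' items and the assumption of one active barrier per pathway are hypothetical.

```python
from dataclasses import dataclass

SDA = ("sensor", "decision", "action")
# The article treats these as degradation controls, not barriers.
DEGRADATION_CONTROLS = {"training", "competency"}

@dataclass(frozen=True)
class Drawn:
    """One box drawn as a 'barrier' on a bowtie pathway (hypothetical model)."""
    name: str
    pathway: str
    role: str = ""  # analyst-assigned: "sensor", "decision" or "action"

def review(drawn):
    """Per pathway: which S-D-A roles are covered, what is missing, and the
    single merged barrier the boxes really amount to (None if incomplete)."""
    report = {}
    for box in drawn:
        entry = report.setdefault(
            box.pathway, {"boxes": 0, "roles": {}, "degradation": []})
        entry["boxes"] += 1
        if box.name.lower() in DEGRADATION_CONTROLS:
            entry["degradation"].append(box.name)
        elif box.role in SDA:
            entry["roles"].setdefault(box.role, []).append(box.name)
        else:
            raise ValueError(f"{box.name!r}: role must be one of {SDA}")
    for entry in report.values():
        entry["missing"] = [r for r in SDA if r not in entry["roles"]]
        entry["merged"] = None if entry["missing"] else ", ".join(
            "/".join(entry["roles"][r]) for r in SDA)
        entry["complete_barriers"] = 0 if entry["missing"] else 1
    return report

# Constructed sample: the first pathway uses the article's fire-and-gas example,
# the second is an invented pathway with no decision element.
SAMPLE = [
    Drawn("fire and gas detection", "gas release", "sensor"),
    Drawn("human response to alarm", "gas release", "decision"),
    Drawn("ESD", "gas release", "action"),
    Drawn("Training", "gas release"),
    Drawn("level transmitter", "tank overfill", "sensor"),
    Drawn("inlet shutdown valve", "tank overfill", "action"),
]

if __name__ == "__main__":
    for pathway, entry in review(SAMPLE).items():
        print(pathway, entry["boxes"], "boxes ->", entry["merged"] or
              f"incomplete, missing {entry['missing']}", entry["degradation"])
```

On the sample, four boxes on the 'gas release' pathway reduce to one complete barrier plus one degradation control, and the two boxes on 'tank overfill' amount to no complete barrier because the decision element is missing.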

The following sources were referenced when writing this article:

  • Norway Petroleum Safety Authority – Principles for Barrier Management in the Petroleum Industry
  • CCPS and Energy Institute – Bowties in Risk Management