Bowtie diagrams were developed in the 1970s as a way of illustrating how risks are managed.  Their use increased significantly after the Piper Alpha disaster and continues to this day.  Although originating in the process industry, other sectors are starting to use Bowtie diagrams.

However, the popularity of Bowtie diagrams is not without its problems.  There has been no definitive guide or standard on how to develop them, or even when they should be used.  People clearly like Bowtie diagrams, but often have inflated opinions of what they can actually achieve and there is a misguided assumption that they can be applied to any activity where there is risk.  Representation of human factors is one particular area where there appears to be a lot of variability and differences of opinion. 

I have written this paper to share my views of how Bowtie diagrams should be used and how human factors should be represented.  I hoped it would start some discussion.  If you have any comments, I would be very happy to receive them.

Bowtie diagrams and human factors (full paper in PDF format)

1.1  What is a Bowtie diagram?

The bow-tie diagram was developed from two techniques:

·         Fault tree analysis (FTA) -  takes a ‘Top Event’ and identifies all of the causes that could lead to this Top Event;

·         Event tree analysis (ETA) - takes a ‘Top Event’ and identifies the possible outcomes or consequences of the event.

FTA and ETA have the Top Event in common.  This provides a point where the two techniques can be combined, which is how a Bowtie diagram is developed to show the pathway from Threats on the left, via the Top Event in the centre, to Consequences on the right. 

Figure 1 illustrates the basic structure of a Bowtie diagram.  A key component is the Barriers, which are the features of a system that reduce the likelihood of a potential Threat progressing to the Top Event; or the Top Event progressing to a consequence.  The Hazard associated with the scenario is usually included as shown.


 

Figure 1: Bowtie diagram showing Threats, Top Event, Consequences, Barriers and Hazard

1.2  Bowtie terminology

It is unfortunate that terminology related to Bowtie Diagrams has not been standardised.  Table 1 identifies the terms I have chosen to use in this paper with their definitions; and the alternative terms I have come across.


 

Table 1: Bowtie diagram terminology

Term used in this paper

Definition

Alternative terms

Hazard

Something that may cause harm

Not applicable - this is a standard term in safety.  However the term ‘aspect’ may be used for an environmental scenario

Threat

Something that can result in the control of a hazard being lost

Cause, deviation, failure

Top Event

The moment when control of a hazard is lost (before a consequence occurs).

Hazardous event, incident

Barrier

Features that interrupt the scenario so that a Threat does not result in a Top Event; or a Top Event does not result in a consequence

Safeguard, control, recovery measure, preventive measure, mitigation measure, layer of protection

Degradation factor

Something that may cause a Barrier to fail

Escalation factor, Threat, deviation, failure

Risk

The chance that a hazard may cause harm, together with an indication of how serious the harm could be

Not applicable - this is a standard term in safety

 

1.3  Bowtie diagram uses and limitations

Although they have been around for a long time, the role of Bowtie diagrams in safety assurance has not been clearly defined.  My view is that they are not an analytical tool but are particularly useful for visualisation; illustrating how risks are managed in a way that people find easy to understand.  This is particularly useful for demonstrating risk management strategies to people outside of the immediate safety function, including:

·         Front-line employees working with hazardous systems (e.g. operators, technicians);

·         Senior managers, particularly those who have a non-technical role and may not immediately understand how their actions can effect risks;

·         Regulators;

·         Auditors.

Some analysis may take place when a Bowtie diagram is generated, but it is unlikely to be rigorous or detailed.  It is important to recognise that a Bowtie diagram does not demonstrate whether risks have been properly identified, evaluated or controlled; or confirm that the correct Barriers are in place or that those Barriers are sufficiently robust or reliable.  That can only be confirmed by using other safety tools (e.g. HAZOP, LOPA etc.).  In fact there are many benefits of performing different studies separately, as this allows you to look at the same issue from a different perspective.  Although, it is also important to make sure studies are cross referenced to develop a consistent view of risk.

1.4  One tool in the toolbox

Any safety assessment programme will include a number of activities, and there are a number of methods that make up the assessor’s ‘toolbox.’ The Bowtie diagram is just one of them.  It is important that the correct tool is used for the assessment being carried out.  It is worth noting that Bowtie diagrams were developed for the process industry, which is dominated by Engineers.  Their use in other domains has not been very successful, either because the activities do not lend themselves to the method and/or because the people involved in other industries have different skills and aptitudes.

For a hazardous process activity a safety assessment programme is likely to include:

·         Defining the risk profile in order to prioritise assessments;

·         Developing a comprehensive list or register of hazards;

·         Identifying the features (Barriers) that are (or need to be) in place to manage the risks;

·         Evaluating the Barriers to confirm they are sufficiently robust and reliable;

·         Using the findings from the above to demonstrate that risks are As Low As Reasonably Practicable (ALARP).

The process industry has a range of tools that can be used as part of a safety assessment program.  These include:

·         Hazard Identification (HAZID) and/or Quantified Risk Assessment (QRA) - focussing and prioritising effort. 

·         Hazard and Operability (HAZOP) and/or Process Hazard Review (PHR) - identifying hazards and associated controls. 

·         Layers of Protection Analysis (LOPA) - evaluating Engineered Barriers and setting performance standards;

·         Human factors analyses - evaluating and setting performance standards for tasks and activities that form Human Barriers and or support Engineered Barriers (especially maintenance of safety devices).

So the question is, where do Bowtie diagrams fit in?  The answer (in my opinion) is that they provide a very good way of extracting information generated by using the other safety tools and presenting it in a form that is easy to understand.  They provide a good overview of the whole process and allow people to understand the most important issues.     This means they are ideally suited to demonstrating risks are ALARP.  The UK’s Health and Safety Executive (HSE) “HID Regulator Model” has suggested the use of Bowtie diagrams for demonstrating how major accident risks are being managed.

This is not to say that generating a Bowtie diagram has to be the last thing you do (i.e. after all other safety studies have been completed).  They can provide a useful way of organising information gained from a non-structured review (e.g. brainstorm), which can then be used to identify the studies that need to be carried out.

The figure below gives an indication of how different safety assessment tools are used.  This is not a linear process, as findings from all studies will influence others.  For example HAZID may be the first tool used to help focus attention on the areas likely to be of most concern.  This may lead to a HAZOP and analysis of some of the identified Barriers.  At this stage a QRA may be carried out to give a more meaningful understanding of the risks.  In each case, previous studies may need to be reviewed and updated based on the findings of studies performed later on.

 

 

Figure 2: Overview of safety assessments (process safety techniques shown as examples)

 

1.5  Bowtie diagrams - misuse and misinterpretation

There is a lot of inconsistency in the way Bowtie diagrams are used currently.  This is inevitable to a certain extent because a Bowtie diagram is not a precision tool and inherently has a degree of flexibility in approach.  However, there seems to be a trend to use Bowties to do things they are not suited to; and to add detail and complexity, which seems counterproductive as simplicity is really the main strength.

Even when used appropriately, there can be problems if people misinterpret what the Bowtie diagram is telling them.  This often occurs because it is not possible to show every piece of information, otherwise the diagram becomes illegible.  Problems arise when people do not recognise this and take the information represented on the Bowtie diagram too literally, without understanding the limitations. 

1.5.1     Barrier Confidence

Even use of the term ‘Barrier’ causes some significant confusion.  People sometimes interpret it to mean that an arrangement is in place that will stop a Threat resulting in a Top Event; or a Top Event does resulting in a consequence.  However, no Barrier is ever 100% reliable or effective and it can only reduce the likelihood of the scenario progressing.  The Bowtie diagram gives no indication of Barrier reliability, which will always require other analyses using an appropriate safety study or tool.  It is possible to include some qualitative indication of Barrier effectiveness (e.g. colour coding to indicate good, average or poor) as a reminder to people that none is perfect, but this is not considered to be a standard part of a Bowtie diagram and could lead to false perceptions as any evaluation would only be a snapshot view at a particular time.   

Another problem is that people developing Bowtie diagrams like to include lots of Barriers, and people referring to them are reassured by this.  However, there is no indication on the Bowtie diagram about whether there are any dependencies between Barriers or whether the failure of one Barrier will cause the failure of others. 

Overall, the strength of Bowtie diagrams is also their downfall.  Because they appear to give such a clear picture of how risks are managed people believe they give the full picture.  The reality is that no tool can cover everything and they all have limitations.  The scenarios covered by Bowtie diagrams are not the only scenarios that can occur by any means, and the representation of Threats, Barriers, Top Events and Consequences does not accurately reflect the dynamic nature of risk that we have to deal with. 

1.5.2     Not a barrier

Another common problem is that people are aware of arrangements in place that they think contribute to the way risks are managed and so want to include them in a Bowtie diagram.  This is usually done by including them as a Barrier, even though they don’t satisfy the definition.  Common examples include general activities (e.g. shift handover, plant patrols and defect reporting) or organisational factors (e.g. general training and competence, safety culture and auditing).  Whilst these are relevant to the management of risk they are not Barriers and there is no other mechanism to represent them correctly on the Bowtie diagram.  These other factors should be evaluated using a more appropriate safety study or tool.

1.5.3     Shorthand terminology

Shorthand terms are often used when describing Barriers and are open to interpretation.  For example:

·         Procedure - the existence of a procedure on its own has no impact on the likelihood of an event.  Even someone following a procedure is not necessarily meaningful, as there is no guarantee that the procedure is correct.  ‘Procedure’ may be recorded as a Barrier but is a shorthand way of saying that people performing the correct task using the correct method will reduce the likelihood of the event.

·         Alarm - the occurrence of an alarm or even someone responding to alarm is not necessarily meaningful.  In this case alarm is shorthand for a correctly configured alarm occurring as part of an effective alarm system; that is then correctly detected, diagnosed and responded to.

·         Inspection - carrying out inspections does not necessarily prevent accidents.  The correct inspection has to be carried out using the correct equipment and methods at the correct frequency.  Then the results of the inspection have to be acted upon and any defects rectified.

In an ideal world we would not use any shorthand terminology and all items on the Bowtie diagram would be described in full.  But that will make them illegible and again detract from the main purpose of providing a clear illustration of how risks are managed.  This should not be a problem provided everyone understands what is really meant by the terms used.  So, for example, if a procedure is identified as a Barrier people referring to the Bowtie diagram need to understand that this really means correct task being performed using the correct method.

1.5.4     NOt a hazard

Some problems occur because of a more general confusion about basic safety terminology.  The definition of hazard is clearly defined but people will generate Bowtie diagrams based on something that simply is not a hazard.  They sometimes try to justify this by claiming the issue is important and the definition is open to interpretation.  Often this is a sign that a Bowtie diagram is the wrong tool for the job at hand.  A common mistake seems to be identifying an activity as a hazard (e.g. driving a car, administering medication, working at height).  It is easy to see why people may want to generate a Bowtie diagram for one of these because they clearly have potential to cause safety problems.  But the issues are directly associated with how people perform those activities.  In these cases some form of Task Analysis or other human factors assessment would be far more effective than a Bowtie to assess the risks and evaluate the risk controls.

1.5.5     Generated from an Incident

It has been proposed that Bowtie diagrams can be generated as part of an incident investigation process to illustrate the scenario and its causes.  Whilst there is nothing inherently wrong with doing this, there are much better tools available for this purpose (e.g. causal trees or ‘5 whys’).  Also, any Bowtie diagram generated like this is likely to be too focussed on the particular incident, instead of considering all aspects of risk management, and the emotional response in the immediate aftermath of an incident is rarely conducive to the thought processes required to generate a Bowtie diagram that is going to be useful over the longer term. 

However, if an incident does occur involving a system where a Bowtie diagram was generated previously it makes sense to refer to that Bowtie diagram as part of the investigation.  The main aim would normally be to determine if a Threat occurred that had not been identified previously or to identity Barriers that failed or were ineffective.  This can encourage a more fundamental consideration of not only why the incident occurred, but also why the Bowtie diagram was inaccurate and whether this highlights any fundamental flaws in knowledge or understanding of the system, its hazards, risks and controls.

 

2     Generating a Bowtie diagram

Bowtie diagrams are usually generated in a workshop.  Attendees should include personnel with practical experience of the system and knowledge of the hazards, risks and controls.  The hazard and Top Event for the Bowtie diagram will normally have been identified in advance, ideally from other safety studies.  There are software programs available to assist with generating Bowtie diagrams, but a simple approach using flip-charts and post-it notes can be equally effective.

2.1  Defining the subject for the Bowtie diagram

Only a modest number of Bowtie diagrams will be generated for any particular system.  Hence, it is important that the correct subjects are chosen to ensure greatest benefit is achieved from the effort put in.  The subject for the Bowtie diagram should be defined before the workshop is convened, along with its hazard and Top Event.

2.1.1     Identify the hazard

The start of any Bowtie diagram is the Hazard.  The definition of hazard is something that can cause harm.  The purpose of the Bowtie diagram is to determine what is in place to keep hazards under control and how consequences are avoided if the control is lost. 

You should already know what hazards you have to deal with.  They would have been identified as part of your risk assessment process.  Ideally, you will have completed some form of safety study (e.g. HAZID, QRA) to determine which hazards are of most concern and hence where a Bowtie diagram should be produced.  Your overall aim is to identify a representative set of Bowtie diagrams covering the hazards that have the greatest potential for causing harm.  The main concern is usually harm to people; although Bowtie diagrams can be used to evaluate the environmental, quality or financial consequences. 

2.1.2     Identify the Top Event

A Top Event is the moment when control of a hazard is lost, but before any significant harm has occurred.  It should be an unplanned event or condition.  Care must be taken to ensure the Top Event is not simply a restatement of the hazard.  Existence of a hazard is not necessarily a problem, especially as most systems where Bowtie diagrams are used will be intrinsically hazardous. 

As an example, where a system handles large quantities of a hazardous substance, the Top Event is likely to be ‘loss of containment.’  This works well because it refers to a leak or spill, which is clearly unplanned, that can have a range of consequences depending on where the materials ends up and what it encounters on the way.  Other examples of valid and useful Top Events may include exceeding design limits on an item of equipment or failure of a normal control function.  Determining the appropriate Top Event requires some understanding of the potential consequences.  For more hazardous systems a Top Event further away from Loss of Containment may be more appropriate.

It is recognised that identifying a Top Event is not always so easy.  When this is the case it is important to consider whether a Bowtie diagram is appropriate.  It is just one tool that can be used, and it is definitely not appropriate for every type of system or scenario.  Usually, when a Top Event has been identified that does not satisfy the definition it is because the scenario being examined does not lend itself to being represented by a Bowtie diagram.

2.2  The Bowtie workshop

It is entirely possible for one person to generate a Bowtie diagram in isolation.  However, this can mean that important factors are overlooked or misrepresented.  Also, it is a missed opportunity to engage people in the safety assessment process, which increases their understanding of risks and how they are managed.

There is a balance to strike between what work is done in advance of a Bowtie workshop, and what is done at the workshop itself.  If too little preparation is done, time may be wasted on high level discussion.  If too much is done attendees are less likely to engage.  Hence identification of hazards and Top Events should usually be done in advance and identification of Threats, consequences and Barriers done at the workshop.

2.2.1     Identify Threats

Threats are failures and other events that will result in the Top Event if there are no effective Barriers in place.  There will invariably be a number of Threats.  In most (but not all) cases a Threat will be a failure event.  Their origin can be technical, human (including human error) or external (e.g. weather).  However, they must be clearly and specifically described.  High level, generic Threats such as ‘human error’ or ‘adverse weather’ do not provide enough information about how a Threat can lead to a Top Event.

In many cases, the Threats can be identified by other safety studies that will already have been completed.  However, people need to be open to the potential for new Threats to be identified.  It may be that the people attending the Bowtie workshop have relevant experience or knowledge that was not available during the other safety studies.  These new Threats should be captured for follow-up assessment using the appropriate safety study or tool.

2.2.2     Identify consequences

Consequences are the harmful outcomes that can occur due to the loss of control of the hazard as defined by the Top Event.  There can be more than one Consequence for every Top Event.  Some of these may be quite diverse (e.g. toxic effect vs fire).  Others may be quite similar (e.g. fire vs explosion), where the difference in outcome may depend on the exact circumstances at the time of the event.

As with the Threats it is important that the nature of the consequence is clearly described.  In some cases a generic description is adequate, but in others the details make a significant difference.  For example, fire is often acceptable as a generic consequence, although it may be more useful to differentiate between ‘fire causing harm to people’ and ‘fire causing asset damage’ in order to ensure the correct Barriers are identified.  However, for a chemical spill there can be a big difference if it enters a site drain compared with the same spill flowing to a river or the sea.  Once again, the consequences should have been identified in other safety studies but new ones may be identified during the Bowtie workshop, which would then require follow-up assessment.

2.2.3     Identify Barriers

There are different types of Barriers, which are mainly a combination of human actions and hardware/technology.  They are identified in a structured brain-storm where workshop participants are asked to describe and explain the Barriers they think are in place.  Reference should be made to other safety studies at this stage, but additional ones may be identified.  Effectiveness of these Barriers may be discussed, but it must be remembered that the primary purpose of the Bow Tie diagram is to identify and illustrate the Barriers and not to evaluate them in detail, which will require the use of other safety studies and tools.

There has recently been a suggestion that multi-layered Bowtie diagrams can be used to provide more information about Barriers and how they can fail.  This seems to be an attempt to transform Bowtie diagrams from a high level visualisation tool into a detailed analysis tool.  In most cases this should be unnecessary as the issues will be addressed by other safety studies.  The problem with anything like a multi-layered Bowtie diagram is that the added complexity is likely to detract from the primary purpose of illustrating clearly and simply how risks are managed. 

2.2.4     Identify Degradation factors

Barriers can fail.  The standard way of illustrating this on a Bowtie Diagram is by identifying and illustrating Degradation factors.  Additional Barriers can be added to show how the risks associated with the Degradation factor are controlled.  The way this is included in a diagram is shown below.

 

Figure 3: Showing Degradation factors and their Barriers

 

Once again, a balance has to be struck between attempting to include everything on a Bowtie diagram, including Degradation, and maintaining simplicity and legibility.  In many cases the way a Barrier can fail is fairly standard (e.g. instrument malfunction, someone does not follow a procedure) and so including them may be considered as unnecessary.  However, it can be useful to include more specific Degradation factors.

An example of using Degradation factors could be a safety system that does not ‘fail safe’ if there is a total failure of site power.  Barriers against this event include independent power supplies to site and a standby generator.

Degradation factors should only be used sparingly (if at all). You do not include them for every Barrier.  A version of a Bowtie Diagram including Degradation factors may be produced where a specific requirement is identified.  This may be where performance standards have not been defined for Barriers so showing Degradation factors may be a good way of highlighting vulnerabilities.  This is one area where bespoke Bowtie software can be useful if it allows you to change views by showing or hiding Degradation factors depending on the level of information you want to present at the time.

2.3  Rules for generating a Bowtie diagram

It is important to remember that the Bowtie diagram is only intended to illustrate the way risks are managed, based on findings from more detailed and systematic safety studies.  The following rules will help you to develop useful diagrams:

1.    Keep it simple;

2.    Describe the Hazard and Top Event clearly so that everyone involved (including people referring to the Bowtie diagram in the future) understand the scenario being evaluated, and

3.    Threats must realistically be capable of resulting in the Top Event;

4.    Threats must be specific and described clearly;

5.    Only list consequences that are realistically possible from the Top Event;

6.    Any Barriers shown must be capable, on their own, of stopping the progression from cause to consequence (this does not mean they always will do this as none can be 100% reliable or effective);

7.    Management systems and organisation factors should not be included in the Bowtie diagram.  They will be covered by the performance standards and assurance processes;

8.    If the Bowtie diagram has been generated before other safety studies, make sure it is reviewed and updated to reflect the findings from those studies when they have been completed;

9.    Remember, the aim is to provide a good illustration to your audience.  If your Bowtie diagram does not do this effectively you need to revise it.

 

3     Barrier Effectiveness

The main purpose of generating a Bowtie Diagram is to illustrate how risks are managed, which is largely concerned with the Barriers that are in place.  However, a Bowtie diagram gives no indication of the reliability or effectiveness of the Barriers.  This has to be done using other safety tools, which can be used to determine the required and actual Performance Standards.

It is important to recognise that people who view a Bowtie diagram are likely to assume that the Barriers shown are reliable and effective; and that the risks are tolerable as a result.  Hence, anyone involved in generating a Bowtie diagram has a duty to ensure that the required safety studies are carried out to support their Bowtie Diagram so that these assumptions are correct.

3.1  Types of Barrier

In simple terms, there are two types of Barrier:

1.    Engineered Barrier - involves hardware and other technical devices to reduce risks;

2.    Human Barrier - involves people doing things to reduce risks.

These can also be subdivided.  The way they are evaluated will depend on the type of Barrier.

3.1.1     Engineered Barriers

There are two types of Engineered Barrier:

1.    Passive – physical features that keep a hazard under control (e.g. pipework, vessels, open vents);

2.    Active – items that respond to a hazardous condition and function to reduce the hazard (e.g. relief valve, trip system).

Key requirements for all Engineered Barriers are that they are properly specified, designed, installed, operated and maintained.  Ensuring this requires the appropriate type of safety study to be performed in order to assign suitable Performance Standards.

It is important to note that people will be involved in designing and constructing Engineered Barriers, so human factors need to be considered.  Where people have a role in maintaining, inspecting and/or testing an Engineered Barrier, those actions need to be considered as safety critical and subject to human factors analysis.

3.1.2     human Barriers

Human Barriers involve people doing something to avoid, control or respond to a hazardous situation.  There are two main types of Human Barrier:

1.    Task;

2.    Activity.

Although there is no distinct cut off between the types of Human Barrier, it is usually relatively easy to identify tasks as having the following characteristics:

·         Clear start and finish;

·         Involves discrete steps;

·         Results in a change of status;

·         Specific to clearly defined circumstances. 

Generally, all Human Barriers that do not have the characteristics of a task can be considered to be an activity, although there can be overlaps and many have some task characteristics.  Examples of activities include:

·         Monitoring - continuous process with no clear start or end;

·         Responding to an alarm - there are likely to be multiple alarms on a system and successful response depends more on the performance of the overall system than arrangements for specific alarms;

·         Maintenance - tends to rely on a number of generic skills applied on a range of items;

·         Emergency response - need to evaluate, prioritise and adapt to the circumstances.

3.2  Barrier Performance Standards

Any Barrier identified on a Bow Tie diagram must be considered safety critical.  Hence, it is essential that Performance Standards are defined for each, including the required functionality, availability, reliability and survivability for the full lifecycle of the associated system.  There are a range of tools that can be used to define Performance Standards and it is important that the correct one is used according to the type of Barrier.  Although determining Performance Standards is not an integral part of generating a Bowtie diagram, the following information has been included in this paper as a lot of the problems currently being experienced are due to a misguided desire to try and cover everything in the Bowtie diagram.

3.2.1     Performance Standards for Passive Engineered Barriers

Passive Engineered Barriers work by using inherent physical characteristics to control a hazard or protect people from a hazard.  Examples include:

·         Vessels and other items used to contain hazardous materials and conditions;

·         Structures that have to support weight and other forces;

·         Items that may deform to provide protection (e.g. vehicle crumple zone).

Performance Standards will usually be determined by applying the appropriate engineering standards, which should cover:

·         Specifications for design and construction;

·         Protection requirements (e.g. painting, surface preparation, cathodic protection etc.);

·         Operational testing requirements (e.g. leak and pressure testing);

·         Inspection methods and frequency.

It is important to note that most Passive Engineered Barriers will involve humans at many stages in their lifecycle to achieve their Performance Standards.  There should be no need to represent these separately in the Bowtie Diagram, but they should be included in the human factors studies of tasks and activities carried out to support the Bowtie Diagram. 

3.2.2     Performance Standards for Active Engineered Barriers

Active Engineered Barriers are typically functional safety devices such as Safety Instrumented Systems (SIS).  They depend on a control system or other equipment to operate correctly in response to inputs. 

The requirements for Active Engineered Barriers are determined by performing an appropriate hazard and risk assessment, which will determine what needs to be done to achieve an acceptable level of safety.  Layers of Protection Analysis (LOPA) is one tool that can be used to do this. 

Performance Standards for Active Engineered Barriers will specify the reliability and availability required to achieve tolerable risks; and identify what needs to be done to achieve this, including:

·         Identifying the number of layers of protection required and controls to ensure independence;

·         Specifying design requirements and component selection;

·         Identifying proof and functional testing methods and frequency.

Once again it is important to note that most Active Engineered Barriers will involve humans at many stages in their lifecycle to achieve their Performance Standards.  These should be included in the human factors studies required to support the Bowtie Diagram.

3.2.3     Performance Standards for Task Human Barriers

Task Analysis is the tool used to determine Performance Standards for Task Human Barriers.  It is a means of determining and documenting how a task is performed, how it can fail and what features make failure more or less likely.

To ensure reliable performance of tasks the analysis should:

·         Provide a structured and clear description of how the task is performed including the key steps required for the task to act as an effective Barrier;

·         Identify possible human errors; highlighting the ones that can result in or contribute to the scenario illustrated by the Bowtie diagram;

·         Identify controls and mitigation in place to protect against the human errors identified;

·         Evaluate the Performance Influencing Factors (PIF) that effect the likelihood of the human errors identified.

For a Task Human Barrier to be effective it is important that the task is performed as described in the analysis.  This means a reliable way of communicating the task method to practitioners is required, typically involving procedures, training and competence.  However, it is worth noting that it is very common for a degree of variability to occur in the way tasks are performed in practice.  Hence, procedures, training and competence associated with Task Human Barriers should be of the highest quality, and a distinction should be made so that they are viewed differently from ‘normal’ tasks.  Also, effective monitoring and audit will be required, which is focussed on how tasks are performed in practice, recognising this may be different to how they are documented.

3.2.4     Performance Standards for Activity Human Barriers

Activities fall into quite a number of different types and it is important that the correct tool is used for each to identify the appropriate Performance Standards.  Wherever possible, that tool should be based on a recognised standard, guidance or good practice.  The table below illustrates how different methods should be used depending on the activity.

Table 2: Defining Performance Standards for Activity Human Barriers

Activity Barrier Type

Assessment Method

Performance Monitoring

Alarm (detect, diagnose and respond)

Alarm review or assessment based on EEMUA 191 or ISA 18.2.  Confirm that the alarm identified as a Barrier is configured correctly and managed within an effective system.

Alarm rates during normal and abnormal situations.  Operator knowledge of alarm meaning and response.  Time taken to respond in practice.

Monitor, control and optimise (a process)

Evaluation of the human machine interface based on EEMUA 201 or ISO 11064

Standardised interface.  Clarity of information.  Matching data displays to human ability to interpret (e.g. trends vs numerical).

Maintenance, Inspection and Testing (MIT)

Methods and frequency defined by designer, vendor and/or industry standards.  Generic skills managed by a competence system aligned to national or international qualifications.

(The most critical MIT should be assessed as Tasks as above).

Equipment reliability and availability; and failure frequency.

Backlog of preventative and corrective maintenance.  Access to necessary skills.

Emergency response

Assessment of arrangements for all foreseen scenarios.  Arrangements consistent with national and international best practices.

Trained personnel and emergency equipment available.  Emergency exercises carried out. 

 

4     Using Bowtie diagrams in practice

Although the analytical properties of Bowtie diagrams are limited they are still a very useful tool. Their particular strength is that they illustrate how risks are managed in a way that is easily understood.  Also, they provide a useful reference to other safety studies, making it clear why certain studies have been performed and how the results have been used.

4.1  Demonstrating risks are being managed

4.1.1     Integrating Human Factors

We have known for a long time that human factors are critical to management of safety risks, especially for major accident hazards.  This has been formally recognised in the European Seveso Directive and UK Control of Major Accident Hazard (COMAH) regulations.  The challenge to date has been to integrate this understanding into process safety rather than viewing it as a separate standalone activity.

The beauty of the Bowtie diagram is that it represents technical and human Threats and Barriers together.  This illustrates that accidents occur due to a range of Threat types and the associated risks depend on the effectiveness of the Barriers.  From a human factors perspective the Bowtie diagram is very useful to explain not only why human factors have to be assessed but also why certain Tasks and Activities have are selected for specific analysis (and why the majority of the Tasks and Activities performed are not subject to the same attention). 

4.1.2     Demonstrating ALARP

If a hazard exists the risks can never be reduced to zero.  The normal requirement is to demonstrate that the risks have been reduced to As Low As Reasonably Practicable (ALARP).  Bowtie diagrams alone cannot demonstrate that risks are ALARP but they assist by illustrating clearly how risks are managed. 

Unfortunately there does not appear to be a clear consensus on how best to demonstrate ALARP but my preferred approach involves asking the following two questions:

1.    What more could we do to manage the risks?

2.    What is the justification for not doing those things?

The beauty of a Bowtie diagram is that it can show what is already being done to manage a risk so that it is then relatively easy to identify additional Barriers that could be introduced.  A discussion can then be had about why that has not or will not be done.  Wherever possible, the case for not introducing additional Barriers should be based on an assessment that shows the overall risk would not be reduced.  Where this cannot be claimed a cost benefit analysis can be used to show that the cost of the additional Barrier would be disproportionate to the benefit in terms of risk reduction.

Once again, the tendency to overstate the power of Bowtie diagrams has led to suggestions that they can go beyond the immediate Barriers to include information about underlying systems, organisational factors and culture.  It has been suggested that this can be done by using multi-layered Bowtie diagrams.  Again, the concern is that this increases complexity and detracts from the main strength, which is illustrating clearly how risks are managed. 

4.1.3     Highlighting Vulnerabilities

Bowtie Diagrams can have a great impact in situations where they show that only a small number of Barriers are in place to manage risks.  This should prompt an urgent evaluation of how import those Barriers are and whether the current Performance Standards are sufficient.  If people are surprised at what is shown (i.e. they thought there were more barriers) it should prompt them to investigate why their perception of risk was different to the reality.  This can lead to underlying issues being exposed that can have a wide ranging impact.

4.2  Day to day use of completed Bowtie Diagrams

4.2.1     Incident investigations

Bowtie diagrams illustrate how incident scenarios can develop and what is in place to prevent them.  If an incident occurs key questions to ask include:

·         Was the Threat involved in the incident identified on the Bowtie diagram?

·         Which Barriers failed?

·         Had the incident’s consequence been identified on the Bowtie Diagram?

·         Was it a defined Barrier that stopped different (and worse) consequences from occurring or a matter of luck?

Referring to Bowtie diagrams as part of an incident investigation allows them and their associated safety studies to be validated.  If the scenario developed as predicted the Bowtie diagram can be accepted as a reliable illustration of how risks are managed and the main line of inquiry will be whether Barriers were as reliable and effective as predicted.  If faults are identified in the Bowtie diagram a key line of inquiry should be establishing why there were deficiencies in the way the Bowtie diagram was developed or the supporting safety studies.

4.2.2     Training and competency

Bowtie Diagrams have two main uses in relation to training and competency:

1.    A basis for communicating to personnel the risks and controls associated with their job;

2.    Identifying the competencies required to perform the Tasks and Activities that form the Human Barriers and to implement and maintain the Engineered Barriers.

Bowtie diagrams are particularly effective at communicating information about process and major accident safety to people who may not be actively engaged in safety studies.  This includes people working at the ‘sharp-end’ (e.g. operators, technicians and supervisors) and people in management positions, particularly those in a non-technical role who often do not recognise that their actions and decisions can affect safety risks.

4.2.3     Operating with Degraded Barriers

No equipment is 100% reliable and items associated with Engineered Barriers can degrade or fail completely.  In these circumstances it is important that an appropriate decision is made about whether it is safe to continue operating or to stop or shutdown.  Reference to a Bowtie allows for a quick assessment of the situation including what other Barriers are in place and what temporary arrangements could be made to overcome the problem.  There will always be a degree of judgement, but again the simplicity and clarity provided by a Bowtie Diagram will help to make sure the right decision is made.

4.2.4     Monitoring and Audit

It is important that all management systems are monitored and audited.  This should apply directly to Bowtie Diagrams, to ensure they remain relevant and up to date.  Also, Bowtie Diagrams can be useful when monitoring and auditing the wider system as they can provide focus on what is important and be used to highlight the criticality of any failures or non-conformances discovered. 

 

 

5     Example Bowtie Diagram

I am finishing this paper with a hypothetical Bowtie diagram.  This is not intended to be a perfect example but used to illustrate the points I have raised in this paper.

5.1  The Bowtie

The Bowtie diagram has been generated as a simple example.  It is for a Sulphuric acid storage facility.  It is assumed to be very simple, with deliveries from tanker and export via a single pipeline.  As discussed above, it must be realised that a lot of shorthand terms are used to make sure the text remains legible and for the Bowtie representation to remain manageable.  Remember when reading this that, for example, a Barrier described as “High level alarm” is really saying that a correctly configured alarm will occur as part of an effective alarm system; that is then correctly detected, diagnosed and responded to.

 

Figure 4: Example Bowtie diagram for a Sulphuric Acid storage facility

 

5.2  Explanation

The following explains how points made in this paper are illustrated by the example Bowtie diagram.

5.2.1     Hazard and Top Event

In this case the main hazard is clear.  The system is designed to store Sulphuric acid, which is a hazardous material.  There may be other hazards associated with the system, which would be covered by separate Bowtie diagrams if deemed necessary. 

Given that the objective of the system is to store or contain Sulphuric acid, a Top Event of loss of containment is easy to identify.  It represents a situation where there has been a failure but before a consequence has occurred.

5.2.2     Threats and Consequences

Three Threats and two Consequences have been identified for this example.  It is very likely that more may be included on a real-life Bowtie Diagram. 

The aim is to be as specific as possible.  For example, there may be other overfill scenarios (e.g. transfer from another tank), which would involve some different Barriers.  Hence, a Threat simply stating ‘overfill’ would not be appropriate.  Also, internal corrosion is specified as again there may be other scenarios (e.g. external corrosion) with different Barriers.

Our main concern when generating Bowtie diagrams is harm to people or the environment.  Other types of consequence can be included (e.g. financial, quality), but care is required to ensure this does not detract from the main objective, which is process safety.  For example, engineers may wish to include asset damage consequences on the Bowtie diagram, as these can be very expensive and critical to the business.  In this case it is important to understand the intended audience, and it may be appropriate to have different versions of a Bowtie diagram for different groups of people.

5.2.3     Prevention Barriers

Eight prevention Barriers have been identified that that reduce the likelihood of a potential Threat progressing to the Top Event.  They are discussed in the table below.

Table 3: Prevention Barriers explained

Barrier

Shorthand for

Additional studies required to support the Bowtie diagram

Tanker offload procedure

Tanker offloading carried out using the correct, safe method

Safety critical task analysis for tanker offloading

High level alarm

Alarm set at correct level as part of an effective alarm system; that is acted on to stop tanker loading on high level before loss of containment.  A suitable means of stopping (e.g. emergency stop button) is provided.

Alarm review/study covering the overall alarm system with specific reference to the high level alarm.

Documentation showing the means of stopping the process is reliable enough, including function testing and maintenance.

 

 

 

Design standard for acid service

Correct materials and methods of construction identified during design to provide suitable protection against corrosion.  Tank has been constructed as designed.

Documents showing the tank was designed and constructed to the correct specifications for the service

Inspection programme

Correct inspection regime has been implemented based on tank design, materials of construction and actual operations.  The programme has been implemented correctly and any defects identified have been rectified.

Safety critical activity assessment for tank inspection including frequency and  methods

Atmospheric vent

Properly sized and designed atmospheric vent has been installed and is subject to routine inspection and maintenance

Documents showing the vent has been designed for the scenario

Safety critical activity assessment for vent inspection covering frequency and method

Sacrificial roof weld

The weld between tank roof and walls is weaker that the welds between wall sections so that it will fail first and no loss of containment will occur.

Documents showing that tank was designed and constructed with sacrificial weld

Pressure gauge

Pressure in tank will monitored during tanker offloading.  A pressure gauge is provided to do this locally.o.

Safety critical activity assessment covering routine monitoring of tank conditions with specific reference to monitoring the pressure gauge and keeping below a defined maximum.

 

5.2.4     Mitigation Barriers

Five different mitigation Barriers have been identified that that reduce the likelihood of the Top Event progressing to a consequence (note the tank bund is identified as a Barrier for both consequences).  They are discussed in the table below.

Table 4: Mitigation Barriers explained

Barrier

Shorthand for

Action required to support the Bowtie diagram

Tank Bund

Tank is located in a bund that is sized correctly to accommodate quantity that may be released.  Bund is properly constructed and subject to routine inspection and maintenance

Documents showing the bund has been designed for the scenario

Safety critical activity assessment for bund inspection covering frequency and method

Personnel wear PPE

Correct PPE has been specified, is available is worn when required.

Control of Substances Hazardous to Health (COSHH) assessment for the acid

Emergency evacuation procedure

Emergency procedures are in place that cover spill from Sulphuric acid storage.  Personnel working on site know the procedure and will act correctly.

Safety critical activity assessment of emergency procedures covering general and actions specific to this scenario

Site retention pond

Drainage from the Sulphuric acid storage area is routed to the retention pond, which is correctly sized and designed to contain the spill.

Documents showing the drains and retention pond have been designed for the scenario

Safety critical activity assessment for drains and retention pond inspection covering frequency and method

Sample pond before release to river

Pond drain is normally isolated.  Contents will be sampled before draining.  Appropriate action will be taken if sample results show contents are not suitable for release to river.

Safety critical activity analysis for management of site drainage system including sampling pond

 

5.2.5     Critical factors not shown on the Bowtie diagram

I have emphasised throughout this paper that a Bowtie diagram is not intended to cover everything that is important to safety for the given system or scenario.  People who use Bowties need to recognise this and understand that risks cannot be managed effectively without the appropriate underlying systems, organisational factors and culture.  Examples of underlying requirements that are required to ensure risks are actually managed as shown on the Bowtie diagram include:

·         High quality procedures, focussed on safety critical tasks combined with a compliance culture;

·         Competent people including plant operators, maintainers, inspectors, designers, emergency responders;

·         Required resources including personnel, equipment spares and consumables including PPE;

·         Monitoring and audit systems to ensure adherence to procedures, inspection programmes and timely maintenance;

·         Management of change covering plant, equipment, systems (e.g. alarms and shutdown), procedures, materials (e.g. acid strength), personnel and organisation.

 

6     Summing Up

This paper has been an attempt to describe how Bowtie diagrams can be used to illustrate how risks are managed, including human factors.  It was written because there has been no definitive guide or standard on how to develop Bowtie diagrams and this void has led to some people developing an inflated opinion of what they can achieve. 

Key points to take away from this paper include:

·         Bowtie diagrams are a very good for visualisation but not so good for analysis;

·         Other tools should be used to carry out the analysis required to support the Bowtie diagram;

·         No Barrier is ever 100% reliable or effective;

·         We will never develop Bowtie diagrams for every potential scenario, so they can never provide the full picture of how risks are managed;

·         A lot of shorthand terminology is used.  It is essential that everyone understands what is really meant and does not take it at face value;

·         A Bowtie diagram will not be appropriate for every type of scenario;

·         Bowtie diagrams are not the best tool available for investigating or analysing incidents;

·         The definitions for the terms used should be adhered, otherwise the Bowtie diagram is likely to fail in its key objective of illustrating how risks are managed;

·         Bowtie diagrams should be generated by groups of people in a workshop;

·         Degradation factors should only be used where they illustrate a critical issue, and not for ‘standard’ failure mechanisms that may affect Barriers;;

·         Simple Bowtie diagrams are much better as they are easy to read and understand;

·         All Barriers need Performance Standards.  These are determined using the appropriate method on not by the Bowtie diagram;

·         The ultimate aim is to demonstrate that risks are ALARP, which involves considering what more could be done to manage risks and justifying why those things are not going to be done.

 

7     References

Brazier 2014.  Linking Task Analysis with Other Process Safety Activities.  Presented at IChemE Hazards conference.

Manton 2017.  Representing Human Factors in Bowties as Per the New CCPS/EI Book.  Presented at IChemE Hazards conference.

Pilkington 2017.  How to use Bow-tie diagrams.  Published in The Chemical Engineer

Chartered Institute of Ergonomics and Human Factors 2016.  Human Factors in Barrier Management

Health and Safety Executive 2016.  COMAH Competent Authority Inspecting Human Factors at COMAH Establishments (Operational Delivery Guide).

Health and Safety Executive 2013.  HID Regulatory Model. 

 

Thanks to Paul Walsh, Nick Wise, Gary Pilkington, Jamie Henderson and Luke Butcher for their comments on early drafts of the paper.