(52ah) Building Better Bow Ties

On the topic of doing good-better-best, it all boils down to making correct risk-based decisions to increase safety levels in the most efficient way. In the evaluation of implementing engineering and/or administrative controls for a certain process, it is key to understand that controls simply never stand alone. They are always part of a contextual situation in which they need to contribute. Doing proper analysis of the entire contextual situation is therefore necessary. In this abstract, we want to argue in favor of using bowties to do this thorough contextual analysis, enabling the safety specialist to make the correct risk-based decisions for the implementation of controls. We want to address that for this purpose, there is also a good-better-best in following textbook guidelines in creating bowties. As a reference to set out this abstract, our focus lies on the CCPS (Center for Chemical Process Safety, 2018) standard.

Can there be ‘Bad bowties’?

Bowties are being praised often for their simplicity. Within one visual model, you describe the flow of potential hazardous situations that move from an occurrence of a cause or threat on the process, into a tipping point (top event) where things start to go askew, into a negative outcome or consequence that you are trying to prevent to happen. Since there are multiple threats and consequences per hazardous subject, the shape of the model resembles a bow tie.

Because of the visual and logical flow of events, everyone can understand and interpret a bowtie model when they see one. That does not mean however that it is easy to generate a proper bowtie. The process of creating a good quality bowtie is often underestimated. Organizations that start using the bowtie method without proper training, will likely fail in their attempt to turn bowties into analyses that carry valuable information. The contribution to their risk-based decision making is henceforth not met, leaving bowties lying on the shelf without purpose. Bad bowties lead to a bad reputation of the method, causing for less or no traction within certain industries or entire regions of the world for that matter.

The potential to add value

There are some relevant guidelines based on the CCPS standard to make your bowties matter and contribute to what you’re trying to achieve. For this abstract, we have highlighted the key contributors. In the end you will be provided with tips on how to set your bowtie to get it to the next level for proper control implementation purposes. We’ll revisit the bowtie elements in a logical order for this break-down.

Make the hazard and the top event meaningful

The hazard and the top event are the elements that determine the scope of a bowtie. The hazard is an operation, activity, or material with the potential to cause harm. It should entail the source of the risk. According to the CCPS/EI book, the hazard can include two types of details: situational context; and an indication of scale. The top event can be described as the very first moment when control over the hazard is lost. Therefore, firstly the top event describes how/what control is lost. Secondly, the top event should happen to the hazard.

Describe credible threats and consequences

After the hazard and top event are defined, the next step is to determine the threats and consequences. Since consequences normally are more direct than threats in events chains, many bowtie experts prefer to create consequences ahead of threats. According to CCPS/EI guidelines, the consequence should be described as ‘[Damage] due to [Event]’. The threat should be direct, specific, credible, sufficient, and foremost not a barrier failure. The more precise the description is, the easier the identification of relevant barriers will be. A well-worded consequence should include how the impact happens.

Ensure the quality of both preventive and recovery barriers

Having this contextual framework, now allows you to focus on those administrative and/or engineering controls. On a bowtie, you’re dealing with controls on both sides of the top event. Such preventive barriers versus recovery barriers share some common characters. According to the guidelines, they should be effective (functional), independent, and auditable. In any risk-based decision on whether or not to implement certain controls, you check all controls for these three fundamental pillars.

To check the barriers on the prevention side against the guidelines, the first question is 1) does the barrier on its own stop the threat from causing the top event? If the answer is no, then the second question is 2) does this barrier relate to other barriers in this threat line? If the answer is ‘no’ as well, it is not a proper barrier and you should discard it. A preventive barrier is effective if it is capable on its own of preventing a threat developing into the top event. The way to validate preventive barriers applies similarly to check the recovery (mitigation) barriers. For this example, here we only elaborate on the preventive side.

If the answer to the second question (does this barrier relate to other barriers in this threat line?) is yes, we need to group the barriers with a common barrier name in a family field. When we define a barrier family, we consider the functional phases of a barrier (Detect – Decide – Act), the integrity of safety-critical equipment, the implementation of a barrier including a whole PDCA cycle, etc.

Especially administrative controls run the risk of not being implemented well, when not all functional phases of the barrier are met within one control as an entity. The control can be wrongly discarded, for not being assessed as a sufficient contributing factor in lowering the risk. This leaves an organization to rely mainly on engineering controls instead – creating a false sense of safety.

How to do it right

After understanding the guidelines – and especially those for controls or barriers- in a better way, we can literally see what kind of barriers or controls are placed in the overall context of the hazardous situation. In defining the less and more effective options for implementing certain controls, a proper bowtie analysis will help you to determine what fully functional controls you have to your availability.

In our bowtie workshop, we can assist you to thereafter take that bowtie to a next level. Doing so will reveal the deeper risk-based decisions you can make, derived from that initial bowtie analysis. Please feel free to visit our workshop or read our more extensive article on how to use additional (meta)data to reveal more insights on your controls, to make that good-better-best call for implementation.