Using Bow Ties to Classify Barriers

Not all parts of a process safety management system are of equal importance

WE ARE all now fairly familiar with the concepts of process safety management as the way to manage catastrophic risks within a whole range of industry sectors. Bow tie diagrams (see Figure 1) are extremely useful to systematically set out the dynamics of the control and mitigation measures against each major hazard or catastrophic business risk. This provides a simple but powerful description of how risks are managed and readily leads on to identification of gaps or omissions within the system. Bow tie diagrams can be readily aligned with asset management arrangements and safe operating procedures so that the different features of risk management can be identified.

However, not all barriers or control/mitigation measures are of equal value so it is helpful to differentiate them under two distinct attributes. The first is importance in the prevention of a major accident (safety criticality) and the second is reliability (or vulnerability to failure on demand). They are quite separate and distinct features that generally are independent of each other.

Adopting this classification helps an organisation focus on the most important issues with complex process safety management systems and to concentrate efforts to assure that such control measures continue to function and deliver the desired outcome against a constant tendency for control measures to deteriorate over time.

Mind the gap

Organisations often have over-optimistic expectations of the reliability and the perfection of control systems which have been developed and implemented at considerable costs. Following a major accident or serious incident, senior managers are often in disbelief that such a failure could have occurred despite the procedures and safeguards in place. The system of barrier classification set out in this article can help identify degradation in process safety systems by highlighting those aspects of risk management that contribute the most to avoiding a catastrophe and which are the most vulnerable to failure. Once these have been identified, much more attention can be paid within the business to detecting early signs of failure and to seeking repeated assurance about the continued functioning of these highly critical and yet highly vulnerable safeguards.

The most repeated responses from CEOs and directors following a major accident include:

• safety is our no 1 priority – we always put safety first
• I just don’t understand how it could happen
• no one ever mentioned we had a problem
• we have professional safety experts
• we never skimp on safety
• we have extensive systems and procedures
• HSE has regulated us for years and we have never had anything serious wrong
• we have a comprehensive safety report scrutinised by HSE
• we have never had an incident before

The reality is that there will always be a gap between the perceived perfection of the process safety management system by those in charge and the reality of what’s happening on the ground. Despite best efforts and regulations, process safety systems deteriorate from day one.

Safety Criticality – which barriers are more important?

The designation of safety criticality in this context of barrier classification is a more general consideration than that traditionally adopted by safety professionals. A designation of “safety critical” is often assigned to items of plant or equipment that mainly has a safety function, such as a pressure relief valve or an automated remotely operated shut-off valve, ROSOV. For barrier classification all types of plant, equipment, processes and tasks are assessed to determine each one’s relative contribution to the prevention of a major incident or a catastrophic failure.

There will always be a gap between the perceived perfection of the process safety management system...and the reality of what’s happening on the ground

It is therefore helpful to consider the safety criticality of a barrier as a function of its contribution to the prevention of a major accident. Applying guidewords such as “essential” and “vital”, or “incidental” or “marginal” to the prevention of a major incident can help as a starting point. It is more helpful to also consider which failure mechanism the barrier helps to prevent and how significant that failure mechanism is, compared to alternative routes to failure – eg does it lie on one of the most significant major hazard scenarios for the facility. A further factor to consider is whether the control measure or barrier is involved in the maintenance of a process condition within prescribed boundaries such as pressure, temperature or level, where an excursion outside such boundaries could lead to a loss of containment?

An assessment of criticality should be made for each control measure or barrier within a bow tie threat line, including both hardware, procedural and activity-based controls. 

Safety critical guide questions:

• Does the barrier lie on the critical path to a major accident, eg is this a major hazard initiator should it fail?
• Does the control measure/barrier directly relate to controlling process conditions, eg temperature, pressure, flow, level which could directly lead to a loss of containment?
• Does the control measure/barrier guard against another important loss of containment failure mechanism, eg corrosion, stress, impact?
• How essential is the control or mitigation measure in preventing a loss of containment, eg Essential? Important? Moderately relevant? Marginal? Supplementary/adjunct to a more important control measure?

So for example, if “overfilling” is one of the most significant major hazard scenarios leading to loss of containment at a tank storage site then the control measures or barriers shown in Figure 2 are usually present.

Applying a three-tier high/medium/low classification to criticality, using the guidewords in Figure 2 gives the initial results shown in Figure 3. This classification should be a judgement ideally made by the operational team and safety experts who are familiar with the process and activity. As overfilling a gasoline tank at a large terminal site will be one of the, if not the, most significant major hazard scenario at such a facility, it is not surprising to see that these barriers tend to have a high or medium rating.