
Step 5 - Developing the BowTie Analysis

BowTie Analysis Steps:

- Input from Step 1 - Transfer the Hazard(s)
- Input from Step 2 - Transfer the Top Event(s)
- Input from Step 3 - Transfer the worst credible Consequences
- Identify the Threats (may have some of these from Step 2 already)
- Identify the Control Barriers, Barrier Validity criteria met?
- Brainstorm Escalation Factors on Design Barriers
- Identify the RMs, Barrier Validity criteria met?
- Brainstorm Escalation Factors on Design RMs
- Identify HSE Critical Activities/Processes/Equipment
- Identify deficiencies or actions in a Remedial Action Plan that are required to meet ALARP

Ask yourself:
Is the risk tolerable?
And if so….
Can any more reasonably be done to reduce the risk to ALARP?
Document your ALARP decision.

[Figure: bowtie diagram. Left Hand Side: PREVENT; Right Hand Side: MITIGATE. Hazard Source, Threats 1-3 with Controls, Escalation Factors and Escalation Factor Controls, Top Event, Recovery Measures (RM), Consequences 1-3. Linked lists: HSE Critical Activities (Engineering, Maintenance, Operations etc.), HSE Critical Business Processes, HSE Critical Equipment List.]

Exercise 2 – Threats and Barriers

The Lion in the Zoo

Break Here!!
Exercise
1. Form yourselves into groups of 3-4
2. You are the new Owner of the Local Zoo and
you have the opportunity to acquire a lion
for your zoo.
3. Up until now you have only had sheep and
rabbits in your zoo.
4. Identify the Hazard, Top event and
Consequence, RAM your Consequence
5. What can go wrong and how can you
prevent this from happening?
6. What happens if the Lion Gets out? What do
you do?
Lion at the Zoo
Hazard: Lion
Threat: Human Error; Improper design etc.
Barriers: Materials of Const.; Zoo Keeper Rounds etc.
Top Event: Loss of Control; Lion Gets out
Recovery Measures: Zoo Emergency Response Plan
Consequences: Accident, Injuries, Fatalities
Step 6 - Maintaining The Integrity Of
Controls And Recovery Measures
Inputs: Hazard Analysis, bowties or hazard control sheets
Output document: Lists of HSSE Critical Equipment, Critical Activities, and Critical Processes in the BowTie
[Figure: bowtie diagram. HAZARD, Threats 1-3, Controls, Top Event, Recovery Measures, Consequences 1-3, linked to HSSE Critical Activities, List of HSSE Critical Equipment and HSSE Critical Processes.]
Step 6 – Maintaining the Integrity of Control and Recovery Barrier
• Barriers can be, or be a combination of:
• Hardware, which are called Critical Equipment Barriers, or
• Human intervention, which are called Critical Human Barriers.
• Critical Equipment Barriers must be identified not only for the major
equipment analyzed in a Bowtie analysis, but also for all other major
equipment, which is of the same or very similar design. Critical
Equipment Barriers must be inspected and maintained.
• Critical Human Barriers can include items such as responding to an
alarm, activating emergency response equipment, following a
procedure, etc. Many of these are assigned to an operating job position
or a function such as an operator or Emergency Response Team
member. Human Barriers should not be confused with Critical Activities
that are performed to maintain a Barrier (e.g. such as training on an
operating procedure or inspecting/testing an instrument, etc.). For each
Critical Human Barrier, there must be a job position or function assigned.
Only one job position or function can be assigned to each Critical Human
Barrier.
Critical Equipment (CE)
• During BowTie analysis HSE CE are identified and kept in a list.
• Design (hardware) barriers … by our Bowtie rules of Thumb!!
• HSE CE identified in the bowtie analysis needs to be identified in the
maintenance management systems (SAP or local CoB systems as applicable).
• Preventative Maintenance and Repair timing requirements need
to be associated with the critical equipment in order to maintain
the validity of the barrier.
HSE Critical Human Barriers (CHB)
• HSE Critical Human Barriers (CHB) are used to capture human
interventions to prevent the threat.
• CHB are captured in procedures and highlighted in the
documentation to clearly indicate that the action being taken is a
Barrier to preventing the scenario.
• Operations barriers … by our Bowtie rules of Thumb!!

• A list of Critical Human Barriers is captured during the Bowtie
analysis to be used during the handshake process
Step 6 – Maintaining the Integrity of Control and Recovery Barrier
• In order for a Barrier to be considered valid it must be: effective,
independent and auditable:
• Effective – The Barrier prevents the consequence when it functions as
designed (i.e. big enough, fast enough, strong enough). Must have a Sensor,
Logic and Actuator
• Independent – The Barrier also needs to be independent of the initiating
event (threat) as well as the components of any other Barrier already
validated for the same condition. Barriers cannot be considered
independent from one another if there is a Common Cause Failure.
• Auditable – The Barrier can be evaluated to verify that it can operate
correctly when it is called upon.
• In many cases, barriers are only partially valid (PV). Therefore they
need the assistance/support of another barrier to fully address the
threat or consequence. When a PV barrier is found, an attempt
should be made to combine it with a barrier that will make it valid.
However, it may need to be kept separate in order to capture the
appropriate HSE-critical activities.
VALIDITY RULES FOR BARRIERS
Effective:
The Barrier prevents the consequence when it functions as
designed;
big enough,
fast enough,
strong enough
VALIDITY RULES FOR BARRIERS
An effective barrier shall have the following three elements:
i. A detector – detects the condition that requires action,
ii. A logic solver – decides action is to be taken, and
iii. An actuator – action taken to address the condition.
Examples of Barriers containing these three elements are:
• Trip systems
• Alarm + operator intervention + pump shutdown switch
• Relief Valve
VALIDITY RULES FOR ACTIVE BARRIERS
VALIDITY RULES FOR BARRIERS
Independent:
• The Barrier is independent of the initiating event (threat) as well as the
components of any other Barrier already validated for the same condition.
• The Barriers cannot be considered independent from one another if there is a
Common Cause Failure.
Examples of dependence:
• The high level alarm and the high high level alarm are on the same transmitter,
therefore they are not independent.
• Note: Loss of Power, Loss of Steam, Loss of Air don’t affect independence;
usually result in total shutdown
Barriers – Dependent and Independent

[Figure: two bowtie fragments, one per side of the Top Event.]
Prevention side: Threat (Overpressure) → Control: Pressure Relief Valve → Control: High Pressure Alarm → Control: Operator Response → Loss of Control
• Pressure Relief Valve: This is an Independent and Valid barrier
• High Pressure Alarm + Operator Response: These two barriers together make one Independent and Valid barrier
Recovery side: Loss of Control → Recovery Measure: Gas Detection → Recovery Measure: Operator Response → Recovery Measure: Deluge System → Recovery Measure: Emergency Response → Consequence: Rupture causing Fire, explosion/fatalities
• Gas Detection + Operator Response + Deluge System: These three barriers together make one independent valid barrier
• Emergency Response: Not independent, PV
VALIDITY RULES FOR BARRIERS
Auditable (Verifiable):
The Barrier can be evaluated to verify that it can operate
correctly when it is called upon.
• HSE Critical Activities shall maintain the Barrier. This links to
accountability, responsibility and competence assurance. These Critical
Activities may be part of any overall critical business process (i.e.
maintenance management systems, MOC, AI mgmt., etc.).
• The Barrier shall reduce the risks by a factor of at least 10, i.e. the Probability of
Failure on Demand (PFD) is maintained at no greater than 10%. This links to
requirements for maintenance and inspection in the maintenance system (SAP
etc.).
Barrier – Auditable - Example

• Level Float – normally runs to failure and is then repaired.
This does not meet the requirements of auditable.
• Level Float – is tested on a yearly (or other set frequency)
basis to determine if it meets the PFD of 0.1. This does
meet the requirements of auditable – test records for the
instrument are maintained in a system (SAP).
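
The three validity rules above (effective, independent, auditable) can be applied mechanically to a barrier register. The following is an added example, not part of the original slides: the element names follow the slides' overpressure example, while the tags (PSV-1, PT-1, LS-1), the PFD figures and the `assess` helper are constructed for illustration.

```python
from dataclasses import dataclass

ROLES = frozenset({"detector", "logic solver", "actuator"})
PFD_LIMIT = 0.1  # slide rule: PFD maintained at no greater than 10%

@dataclass(frozen=True)
class Element:
    name: str
    roles: frozenset       # which of ROLES this element provides
    components: frozenset  # hardware/people it relies on (constructed tags)
    tested: bool = True    # False = run to failure, no test records

def assess(elements, pfd, validated=frozenset()):
    """Check one barrier (one or more combined elements) against the three
    validity rules. `validated` holds the components of barriers already
    accepted for the same condition. Returns ("valid" | "PV", reasons)."""
    reasons = []
    missing = ROLES - frozenset().union(*(e.roles for e in elements))
    if missing:
        reasons.append("not effective: missing " + ", ".join(sorted(missing)))
    shared = frozenset().union(*(e.components for e in elements)) & validated
    if shared:  # common cause failure with an already validated barrier
        reasons.append("not independent: shares " + ", ".join(sorted(shared)))
    if not all(e.tested for e in elements) or pfd > PFD_LIMIT:
        reasons.append("not auditable: untested or PFD above 0.1")
    return ("PV" if reasons else "valid"), reasons

# Constructed sample data modelled on the slides' overpressure example.
relief = Element("Pressure Relief Valve", ROLES, frozenset({"PSV-1"}))
alarm = Element("High Pressure Alarm", frozenset({"detector"}), frozenset({"PT-1"}))
operator = Element("Operator Response", frozenset({"logic solver", "actuator"}),
                   frozenset({"panel operator"}))
hh_alarm = Element("High High Pressure Alarm", frozenset({"detector"}),
                   frozenset({"PT-1"}))  # same transmitter as `alarm`
float_rtf = Element("Level Float", ROLES, frozenset({"LS-1"}), tested=False)

def demo():
    used = relief.components | alarm.components | operator.components
    return {
        "relief": assess([relief], 0.01),
        "alarm alone": assess([alarm], 0.05),
        "alarm + operator": assess([alarm, operator], 0.1, relief.components),
        "HH alarm + operator": assess([hh_alarm, operator], 0.1, used),
        "float, run to failure": assess([float_rtf], 0.1),
    }

if __name__ == "__main__":
    for name, (status, why) in demo().items():
        print(f"{name}: {status} {why}")
```

The alarm on its own comes back PV and becomes valid only once combined with the operator response, which is the combination step the slides describe for partially valid barriers.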
Step 6 – Maintaining The Integrity Of Controls And Recovery Measures

HSSE CRITICAL ACTIVITIES make sure that Controls and Recovery Measures
function properly to prevent the Top Event and the Consequences.
HSSE CRITICAL EQUIPMENT must be maintained to make sure they function
properly.

HSSE CRITICAL ACTIVITIES
Examples:
• Pressure Equipment Inspection
• Scheduled Routine Maintenance
• Function Testing of Emergency Equipment
• Operator Surveillance

HSSE CRITICAL EQUIPMENT
Examples:
• Rotating Equipment Guards
• Automatic Shutdowns
• Emergency Response Equipment (fire extinguishers)

HSSE Critical Activities are assigned to a Responsible Position
SUGGESTED HSSE CRITICAL ACTIVITIES CATEGORIES

1. Design
• Includes all specification/ activities required to put the hardware in place
2. Operate
• Examples include operate within design envelope, response to varying
process conditions, etc.
3. Maintain
• Examples include inspection, check, test, calibrate, etc.
4. Critical Business Processes
• Examples include technical integrity management, competency
management, emergency response activities, etc.
Step 6 - Maintaining The Integrity Of Controls And Recovery Measures

HSSE CRITICAL PROCESSES Contain Critical Activities or Maintain Critical
Equipment that are frequently identified during the Hazards Analysis process

• HSSE Compliance Management
• Maintenance Management
• Management of Change (MOC)
• Permit to Work
• Emergency Management System
• PPE Management
• Contractor HSSE Management
• Security Management
• Document Management
• Competency Management

A small number of HSSE Critical Processes effectively maintain a large
number of HSSE Critical Activities and HSSE Critical Equipment.
These typically already exist in some form in an effectively operating
HSSE-MS within the LOU.
Critical Human Barriers – Link to Competency
• The Competence manual requires us to ensure competence of staff in HSSE Critical
Positions. There are two types of HSSE Critical Positions:
• Front Line Operational HSSE Critical Activities
• Planning/Supervisory HSSE Critical Activities
• Front Line Operational HSSE Critical Activities (Former Level 1) could, if performed
incorrectly, lead directly to loss of control of Hazards with RAM red Risks. They are
hands-on Operational or Maintenance tasks that are carried out to implement or
maintain Controls or Recovery Measures. They include Plant operation, Pipework
repair, Instrument calibration, Fire fighting, Security patrolling, LPG cylinder filling,
Gas testing, etc. These directly work to keep the barrier in place.
• Planning/Supervisory HSSE Critical Activities (Former Level 2) could, if performed
incorrectly, lead indirectly to loss of control of Hazards with RAM red Risks. These
are activities to identify, assess, define, plan, resource, check and review the
implementation and maintenance of Control and/or Recovery Measures. They
include Management review of HEMP, Supervision of plant operations, HSSE Case
development, Plant change approval, Contractor management, Permit to work
approval, Operational, technical or engineering management appointment, HSSE
management advice, etc. These support Front Line Operational HSSE Critical
Activities to maintain barriers; usually contained in the critical business processes.
Step 6 - Maintaining the Integrity of Controls and Recovery Barriers
[Figure: Hazard/Risk → Barriers (Controls or Recovery Measures) → WORK → Undesirable outcome. Bowtie, Hazard Control Sheets, Swiss Cheese (Failed Barriers).]


It’s All About the Barriers…. Barrier Thinking!!
