Jelena Borisevic, Stuart Greenfield and Tony Potts from DNV GL discuss the popular bowtie process and good practices for defining barriers, and how this can be used to make smarter Personal Protective Equipment decisions, with a particular focus on hearing protection.
Regardless of the industry in which you work, workplace threats are ever present. If they cause a hazard to be realised and the top event to occur, then any or all of the potential consequences could then be produced. Barriers that prevent the top event occurring are called preventative barriers, whereas those barriers that mitigate the consequences are called mitigative barriers. Figure A also shows barrier decay mechanisms, often called escalation or degradation factors, which are the way in which barriers can be degraded and ultimately fail.
Whether operating an impact wrench on a construction site, working near pumps and generators on an offshore installation, or working as a rotary drill operator in the mining sector, the threat of hearing damage looms.
Bowties are used by companies to gain a greater visual understanding of their hazards and how these are controlled both through preventative and mitigative measures. Bowties are also being increasingly used to decide if more controls/barriers are needed; for example, appropriate PPE for workers.
In many instances, the number of barriers identified is assumed to be directly proportional to the safety level achieved, as bowties are normally a purely qualitative technique. Layer of Protection Analysis (LOPA) tends to be used should quantification be needed. It is also believed that having a number of bowtie barriers indicates that risks are well understood and managed and, therefore, further actions for risk reduction are required.
Defining what actually constitutes a barrier is a key process in the sequence of events, and appropriate barrier definition and identification is required for accurate bowtie construction. With an increasing focus on preventing events, can PPE even be deemed a barrier under these rules and shown on a bowtie as such?
A safety barrier is commonly defined as a physical and / or non-physical means in place to prevent, control or mitigate undesired events or accidents. If barriers are defined purely as physical hardware, then procedural controls would not qualify as a barrier. According to practitioners, barriers could be training and competency even though they do not alone prevent or mitigate an event. Functional safety studies such as LOPA use Independent Protective Layers (IPL), which are equivalent to a barrier.
As an example, if you consider hearing protection and take a compressor that produces a large amount of noise, the hazard would be the compressor noise and the top event would be ‘personnel exposed to high noise level’. The threat might be ‘need to work near compressor’ and the consequence might be ‘personnel suffer hearing damage’. A PPE barrier here would be mitigative and may look like the following, using this barrier methodology:
Barrier purpose: Mitigate noise levels that personnel are exposed to from the compressor
Barrier type: PPE used to protect the personnel
Barrier elements: Ear defenders used that meet site specifications
The term ‘barrier’ should be carefully defined to ensure it is understood and effective. It should have a purpose and a type that allows categorisation, and in order to meet its purpose it should consist of several elements to ensure barrier completeness. The following information should be recorded about each barrier.
Preventing/mitigating undesirable events
Firstly, a barrier must have a purpose and this should be specified in relation to either preventing an undesirable event occurring or mitigating its consequence. A barrier purpose may be to prevent release of fluid or to relieve pressure. Defining and thinking of barriers at this level during hazard identification exercises can be useful, as it helps to identify what other methods are available and should also be considered. Any preventative barrier must be able to fully prevent an undesirable event occurring, such as by designing noise out of the areas used by workers during the planning stages.
A mitigating barrier must be able to reduce the frequency or severity of the undesirable consequence, but does not necessarily have to be able to fully prevent it; such as the use of lagging to soundproof noisy machinery. The barrier purpose should be written so that it is clear how the barrier relates to the undesirable event.
Secondly, there can then be a number of barriers that will fulfil the same barrier purpose and in effect be the same barrier type, e.g. ‘prevent release of fluid’ can be completed by ‘pipework designed to international standards’ or ‘operators maintain process within operating parameters’. Likewise, ‘relieve pressure’ might occur through a ‘pressure relief valve’ or a ‘bursting disk’.
It is recommended that barrier types should be categorised according to the action they take:
1. Passive barrier – the barrier does not perform a function and acts only by its presence e.g. a bund, passive fire protection, or pipe soundproofing lagging.
2. Active barrier – the barrier is required to move from one state to another in response to a change in a measurable process property (e.g. pressure, temperature etc.) or a signal from another source (such as a switch). All active barriers should have elements of detect, decision-making, and actuation in them, e.g. gas detection, logic solver (2 out of 3), and actuation of an Emergency Shutdown (ESD) valve. If any part of the barrier involves a human action then it becomes a procedural barrier.
3. Procedural barrier – the barrier is based in some part on a procedure, or requires human interaction to function. This can include safety integrated systems, e.g. if a manual push-button must be actuated as part of an ESD system. Necessarily these will have a lower reliability, or a greater likelihood of failure on demand, than most purely technical systems.
It is recognised that some people may still refer to barriers with human components as active systems, but it is useful to differentiate purely technical systems (e.g. ESD that operates automatically on gas detection by some system rule set) from those requiring human intervention via a procedure (e.g. ESD button required to actuate ESD valves based on operator response to gas detector alarms).
Using this categorisation to set out how the barrier function is performed is useful as it enables all the components that allow the barrier to prevent or mitigate the event to be determined.
A passive barrier that is correctly designed (and maintained) should not need any further components or elements in order to prevent or mitigate an event on its own. However, for procedural or active barriers, prevention or mitigation may need several elements.
Using the barrier and bowtie approach with the hierarchy of control, PPE would still be classed as a barrier. However, given the nature of PPE, it would only normally serve to mitigate the consequences of the hazard. Therefore, dependent on the bowtie top event, it would normally be on the right hand side of a bowtie and be a mitigative barrier. PPE can be classed as a procedural barrier, as a procedure of some type is required to ensure that the correct type of protective equipment is worn. PPE is also only ever likely to be a single barrier on each individual bowtie consequence line, as it is controlled through procedures which are often completed by the same person.
When selecting hearing protection, another consideration is to ensure that it will be compatible with other PPE required to be worn on the head, such as eye protection, breathing apparatus and a protective helmet. If the protection is not compatible, or results in reduced comfort for the worker, then it is less likely to be used.
Barriers should ideally be complete. This means that the barrier can fully terminate an incident sequence, provided it is not degraded.
Passive barriers do not require an action in order for them to prevent / mitigate risk. Examples of passive barriers are: bunds / dikes, blast or fire walls, and passive fire protection (PFP), etc. If correctly designed and maintained, passive barriers can be highly reliable. Failure of passive barriers can occur through incorrect or inadequate inspection and maintenance, or through a greater load than was anticipated in design (i.e. in their performance standard).
In contrast, active and procedural barriers should contain three elements: sensor, decision-making and action.
Active barriers require the three elements shown in Figure B, but do not require any human intervention. Examples of active barriers might be a pressure relief valve or a high level trip function. Procedural barriers also require these three elements, but one or more will be a human action.
If a barrier contains both active and procedural elements, then the whole barrier is normally classed as a procedural barrier. A Safety Instrumented Function (SIF) would be an example of either a purely active barrier with only technical/electronic components and often a higher SIL rating, or a semi-procedural barrier with a human actuation element in an otherwise technical/electronic system.
Ensuring that all three of these component barrier elements (sensor, decision-making, and action) are present for a barrier is a good check to ensure that the barrier system has been correctly identified and not split into component parts appearing as barriers. This would lead to the identification of more barriers than actually exist and an incorrect judgment on risk management.
Importance of independence
When representing barriers in bowties it is important to maintain barriers as independent of one another. Independence requires that two or more barriers on a single bowtie threat or consequence line will not both be degraded by the same mechanism, or be susceptible to a common mode of failure. This means that barriers should not share the same common elements such as instrumentation or hardware for active barriers, or people who perform them for procedural barriers. The effect of dependence is that a system is less protected and therefore less reliable than the visual image of two barriers might imply.
In identifying complete and independent barriers it can be seen that active or procedural barriers are made up of a number of barrier components: sense, think, do. These components are important to recognise and identify. If not fully complete, if not maintained, or if not in place, it will cause the complete barrier to fail or not complete its purpose.
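The type, completeness and independence rules described above can be checked mechanically once each barrier is written down as its sense, think and do elements. The following is an added example, not part of the original article: the class names, the `review_line` function and the sample equipment tags (GD-01, GD-02, ESDV-1) are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

ROLES = {"sense", "think", "do"}

@dataclass(frozen=True)
class Element:
    role: str            # "sense", "think" or "do"
    resource: str        # hardware tag or person performing it (constructed names)
    human: bool = False

@dataclass(frozen=True)
class Barrier:
    name: str
    elements: tuple = ()  # no elements: passive, acts by its presence alone

    def kind(self):
        if not self.elements:
            return "passive"
        # Any human action makes the whole barrier procedural.
        return "procedural" if any(e.human for e in self.elements) else "active"

    def missing(self):
        # Passive barriers need no sense/think/do chain.
        return set() if not self.elements else ROLES - {e.role for e in self.elements}

def review_line(barriers):
    """Check one threat or consequence line for completeness and independence."""
    shared = {}
    for a, b in combinations(barriers, 2):
        common = {e.resource for e in a.elements} & {e.resource for e in b.elements}
        if common:
            shared[(a.name, b.name)] = common
    return {
        "kinds": {b.name: b.kind() for b in barriers},
        "incomplete": {b.name: b.missing() for b in barriers if b.missing()},
        "shared": shared,
    }

# Constructed sample line, loosely following the ESD example in the text.
LINE = [
    Barrier("Bund"),
    Barrier("Gas detection", (Element("sense", "GD-01"),)),  # a component, not a barrier
    Barrier("Automatic ESD", (Element("sense", "GD-02"), Element("think", "logic solver"),
                              Element("do", "ESDV-1"))),
    Barrier("Manual ESD", (Element("sense", "GD-02"), Element("think", "operator", True),
                           Element("do", "ESDV-1", True))),
]

if __name__ == "__main__":
    print(review_line(LINE))
```

On the sample line, "Gas detection" is reported as incomplete because it is only the sense element of a barrier, and the automatic and manual ESD barriers are reported as sharing a detector and a valve, so they are not independent.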
Using bowties and hierarchy of controls
The Hierarchy of Control principle is often used to prioritise means of controlling hazards, and can be summarised succinctly by considering control types in the following order:
If you can eliminate the hazard then the bowtie ceases to be relevant. If the hazard is reduced then potentially barriers can be removed or the consequences will be less severe.
First and foremost, the bowtie must be representative. If the ‘sense-think-do’ and the ability to interrupt the chain of events approach is adopted when considering whether something is a barrier, then the resulting bowtie is more likely to reflect the actual level of risk reduction being implemented by the barriers. If a less rigorous definition of barriers is used then, in the experience of DNV GL, there is a danger that bowties present an overly optimistic picture.
This is also important when considering the hierarchy of controls. A more rigorous definition of barriers will show more clearly whether a given hazard and top event are overly reliant on ‘right hand’ or mitigative barriers, at the expense of implementing controls that reduce or control before the top event.
Secondly, the barriers must work as intended. Applying the ‘sense-think-do’ approach to each barrier also helps to verify that the barrier has been implemented as intended. In the case of PPE, the ability for the PPE to deliver the required protection requires that the user knows when they are in an area requiring the use of PPE (sense); chooses to use the PPE (think); and knows how to use the PPE appropriately (act). This simple sequence implies that procedures, training and signage are necessary to support the sense part; that safety culture is important to ensure the correct thinking; and that auditing is done to ensure that the intended actions are indeed being taken.
In the case of technical barriers, the ‘sense-think-do’ approach requires a similar thought process in order to properly define the barrier and to subsequently test that it is working as intended.
While bowties are a good way to visually represent the barriers present to both prevent and mitigate unwanted events, and to understand hazards and their control in more detail, they can, if barriers are not correctly defined, lead to an overly optimistic representation of the risk. Using a robust definition of a barrier that differentiates different barrier types, includes a ‘sense-think-do’ style completeness for active and procedural barriers, and that considers independence, introduces additional rigour to the process and produces bowties that are more representative of the real situation.
Furthermore, identifying the specific ‘sense-think-do’ elements can help with barrier specification, and also in identifying means of testing and validating barrier performance.
PPE can be seen to be a barrier under this approach, but only ever as a mitigative barrier, especially when coupled with the hierarchy of controls. For PPE, this approach allows for greater detail to be added to the associated procedures to ensure this barrier is likely to be more effective if challenged. The ‘sense-think-do’ approach, when applied to PPE, can help to ensure that the users of the PPE will know when it is required, choose to use it, and use it correctly.
Published: 05th Apr 2016 in Health and Safety International