The above picture shows a Boeing 787 that suffered an electrical fire at Heathrow in 2013.
Guest blog by Anthony Venetz – Across Safety Development
When looking at barriers in a BowTie, they appear to be sequential, i.e. if one barrier fails then the next one should come into play, but is this always the case? Are barriers sometimes ‘parallel’ rather than ‘sequential’? If so, what does this mean for how you interpret the information in the BowTie and how you rate barrier effectiveness? This blog provides food for thought regarding such issues.
Before BowTie came along we always used to say that eliminating the hazard was the best thing to do to reduce risk. But in the context of BowTies, hazards are usually descriptions of something or some activity, that we want to be able to use, or do, as a required aspect of our operations. So now we are really talking about eliminating threats as our first line of defense. After that, we come to the barriers that prevent the Top Event from being realized when a threat does occur. On the right-hand side of the BowTie, we talk about barriers to reduce the likelihood of the consequence or mitigate its severity.
So we include ‘elimination’ barriers in our risk analysis: the ones that have their effect before the threat actually occurs. Logically they would be depicted to the left of threats but in BowTie, in order to create one coherent diagram, we can’t put them there. So it is normal, good practice to include elimination barriers immediately to the right of the threat.
Sequential or parallel?
Individual elimination barriers will usually address certain specific potential causes for a threat (the threats for the threats if you like) and there may well be more than one. By way of example, we can look at the aircraft electrical fire BowTie from the UK Civil Aviation Authority’s ‘Significant Seven’ Bowties. In the section of the diagram shown in Figure 1, we can see three ‘elimination’ barriers, each of which seeks to eliminate a particular cause of the threat: ‘thermal runaway of a battery’. In this example, the causes are a poorly designed battery system, a poorly manufactured battery, or the use of an inferior battery.
Figure 1: Part of an aircraft electrical fire Bowtie
Clearly, we have three valid barriers here, but none of them can be said to eliminate all of the potential causes of the threat individually. So are they really sequential, or are they working more in parallel, as in Figure 2?
Figure 2: Barriers working in parallel
In this situation, do we have 4 layers in our defenses or 2? Should we assess the effectiveness of the barriers based on how good they are at dealing with the one specific aspect of the threat that they target or should they be judged according to how much of the threat they stop?
Looking at this specific BowTie, if we considered a potential scenario where the thermal runaway of the battery (the threat) was due to the poor design of the battery system, the barriers ‘manufacturer quality assurance’ and ‘operator procurement quality assurance’ would be irrelevant and have zero to contribute in terms of eliminating that cause of the threat.
In this case, we have just one ‘good’ elimination barrier: ‘design standards/regulation compliance’ and one ‘good’ prevention barrier: ‘temperature sensors’. The failure of just one of the elimination barriers here could allow the threat to materialize; we don’t need all three to fail. Being unaware of this situation (i.e. elimination barriers working in parallel) might well lead to a flawed understanding of the depth of the defenses available.
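The counting problem above, worked through as an added example (not part of the original blog): each barrier is tagged with the causes it acts on, and depth is counted per cause rather than per box. The pairing of ‘manufacturer quality assurance’ and ‘operator procurement quality assurance’ with their causes is an assumption; the blog only spells out the ‘poor design’ case.

```python
# Added illustration: a constructed model of the thermal-runaway threat line.
# Assumption: each elimination barrier targets exactly one cause; only the
# 'poor design' pairing is spelled out in the text.
CAUSES = ("poor design", "poor manufacture", "inferior battery")

# (barrier name, kind, causes it acts on). The prevention barrier acts on the
# threat itself, so it is modelled as covering every cause.
BARRIERS = [
    ("design standards/regulation compliance", "elimination", {"poor design"}),
    ("manufacturer quality assurance", "elimination", {"poor manufacture"}),
    ("operator procurement quality assurance", "elimination", {"inferior battery"}),
    ("temperature sensors", "prevention", set(CAUSES)),
]


def layers_for(cause):
    """Barriers that actually stand between this cause and the Top Event."""
    return [name for name, _kind, covers in BARRIERS if cause in covers]


def apparent_depth():
    """Depth obtained by counting boxes left to right (sequential reading)."""
    return len(BARRIERS)


def effective_depth():
    """Depth on the weakest cause path (parallel reading)."""
    return min(len(layers_for(cause)) for cause in CAUSES)


def uneliminated_causes(failed):
    """Causes whose elimination barriers have all failed, so the threat can occur."""
    exposed = []
    for cause in CAUSES:
        elimination = [name for name, kind, covers in BARRIERS
                       if kind == "elimination" and cause in covers]
        if all(name in failed for name in elimination):
            exposed.append(cause)
    return exposed


if __name__ == "__main__":
    print("apparent depth:", apparent_depth())
    print("effective depth:", effective_depth())
    for cause in CAUSES:
        print(f"{cause}: {layers_for(cause)}")
    print("one QA failure exposes:",
          uneliminated_causes({"manufacturer quality assurance"}))
```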
There are effective strategies to address this issue and whilst different users may take different approaches, the main thing is a considered and consistent approach. By doing that we can head off any potential for confusion and make the best use of our BowTies.
Do you want to learn more about how to deal with these issues? At the Across Safety BowTie Masterclass, coming up on April 11, this is the sort of topic that will be explored to help you build upon your foundational understanding of the BowTie methodology and create robust and useful risk analysis. For more information, please contact Across Safety Development or CGE Risk Management Solutions.