A common mistake for beginning bowtie users is to describe threats as failed barriers. For example: “Failure of X”, ‘Lack of Y” or “Absence of Z” etc. Our quick and dirty advice is usually to just rephrase the threat in a positive manner so that it fits the description of a barrier. “Failure of ABS” becomes “Executing of ABS”. “Lack of Training” becomes “Training in safe driving”. “Absence of PPE” becomes “Wearing PPE”.
In today’s blog we’ll discuss two things with regard to this:
- After rephrasing the threat as a barrier, to which threat does the barrier now belong?
- The exception to the above rule: when it is right to describe a threat with “Failure of X”.
Let’s paint a scenario: you’re building bowties in a brainstorm session
During the brainstorming session, you’ve reached the step of coming up with threats. You propose a number of threat scenario’s but each gets shot down by the rest of the group: “This will never happen, we have specific procedures, fences or gates against these threats”. Almost automatically, your brain will jump ahead and come up with scenario’s in which those procedures, fences or gates (indeed, barriers) themselves will fail. “Failure of Anti-lock braking system”, “engine failure of a helicopter” or a “missing pressure relief valve” do seem like reasonable threat scenarios… And just like that, you’ve fallen into the trap without knowing it. However, 20 minutes later, you still can’t come up with any feasible barriers to these threats. What do you do next?
Tips & tricks for distinguishing between threats and barriers
A threat should be a force or condition that pushes an unwanted chain of events further. A barrier needs to either eliminate the threat or prevent it from turning into a chain of events. As a rule of thumb, you can try to rephrase your current threat in a positive manner so it fits the description of a barrier.
Back to the scenario: you’ve convinced the rest of the team that you were talking about barriers all along, but now you can’t figure out to what kind of threats your barriers belong. Ask yourself the question: what does this barrier prevent? Why do we have this equipment, procedure or protocol in place?
Most of your barriers now belong to threats. However, there is one barrier that just doesn’t feel right and indeed does not seem to belong to any threat. What do you do next?
The exception to the rule when “Failure of X” is right. If a piece of equipment that is part of the primary process fails (such as an engine failure in a helicopter, or a pipeline integrity failure in an installation), those are actual threats. However, when the function of a piece of equipment is safety related, its failure can never occur as a threat. Every safety measure should be thought of as a barrier, and not as a threat described as a failed barrier.
The original threat “Engine failure of a helicopter” is indeed a threat because it is primary equipment. An engine failure can lead to a loss of control of a helicopter. Whereas a barrier failure is an absence of a good thing. A “missing pressure relief valve” does not push the unwanted chain of events forwards, but it just sits by and does nothing, while a threat, “Overpressure”, leads to a top event.
Content, you write down a number of barriers that prevent the threat “Engine failure of a helicopter”. The meeting was a success and you now have a better understanding of what can go wrong in your organization.
Do you have any questions based on this blog or do you have any other ideas on how to deal with this? Feel free to leave a comment below.