In 2006, the Journal of Loss Prevention in the Process Industries published an excellent article on barriers by Snorre Sklet. The name of the article is “Safety barriers: Definition, classification, and performance” and it is highly recommended to read for everyone in the process (safety) industry who is into barrier thinking.
In the article, Sklet looks at the safety barrier concept in different industries through literature study and based on experience from several research projects. He summarizes his findings by clarifying barrier terminology, classifications and other supporting concepts. In addition to creating a comprehensive summary from work of Svenson, Andersen et al, Vatn, Hollnagel and many others, he makes recommendations on which barrier classifications to use.
Many of the concepts presented by Sklet and others with and before him, have influenced the development of BowTieXP and the methodological framework in- and outside of our software. We see great value in these concepts; we promote them in our training and some of them have made it into the default set-up of BowTieXP. Of course, the software allows for the use of other frameworks too, by customizing terminology and taxonomies. In this blog, we will go into some of the recommended concepts that are mentioned by Sklet and have made it into the default installation of BowTieXP, or could be added through customization of the software.
Through the years, there have been many terms, definitions and requirements for safety barriers. Terms that have been used are barrier, defense, protection layer, safety critical element, safety function etc. Because Sklet could not find a final definition amongst the ones he found, he combined the best of them and proposed a definition of his own:
“Safety barriers, are physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents.”
We believe that this generic definition sufficiently covers the various types and functions. Therefore, we have adopted this definition and use it in our training and manuals. Now that we have a clear definition, it is time to jump to the next barrier attribute, barrier performance.
To characterize the performance of safety barriers, BowTieXP uses the concept of effectiveness, which could be seen as a combination of reliability and adequacy. These were covered in- depth in a previous blog and are mentioned in Sklet’s article. In addition to these, he recommends to use ‘response time’, ‘robustness’ and to include the triggering event or condition. Robustness is in a sense part of reliability and thus, included in the effectiveness rating of a barrier. The triggering event in bowtie terms is usually modeled as the threat that activates the barrier response. Response time, however, does not have a conceptual counterpart in BowTieXP yet but could be added.
Response time is formulated by Sklet as: “The response time of a safety barrier is the time from when a deviation occurs that should have activated a safety barrier, to the fulfillment of the specific barrier function.” For instance, the time between the liquid level exceeding a certain threshold, and the high-level tripping stopping the inflow of new liquid into the system. It could add value to show response time on the barriers, to assess if the barriers are actually able to respond to an initiating event in time. You can visualize this in the software by linking the response time to the barriers, as can be seen in the picture below.
Figure 1 – visualize response time on barriers
Note, that the barriers are ordered from left to right by their response time. So preferably, the operator proactively acts in time upon the tank level monitoring system and shuts down the flow before the high-level alarm is reached. If the operator fails to monitor the level, or if the monitoring system fails technically somehow, the high-level alarm will alert the operator to manually close the valve. Finally, the last line of defense is the high-level automatic trip, that only takes a split second to close the valve once its threshold is reached. Therefore, it sits on the far right and has the shortest response time. Of course, the response time of the high-level trip should be shorter than the time between reaching the trip’s threshold level and an actual overfill. If these are too close to each other, lower the threshold, or accelerate the response time of the trip function.
Besides identifying performance attributes, Sklet also writes about barrier classification. Classifying barriers helps to understand them and identify if a company is reliant on too many barriers of the same kind. For instance, one can identify the different types of systems that can implement a barrier function. These systems usually consist of either some type of hardware, behavior or a combination of both.
Barrier system types
There are different ways to categorize these systems. In the default set-up of BowTieXP, you will find five different categories: Behavioral, Socio-Technical, Active hardware, Continuous hardware and Passive hardware.
Depending on the category, a barrier can contain three distinct parts. A detection mechanism, a decision based on what is detected, and an action that follows the decision. When analyzing a barrier, one needs to identify its parts, and whether those parts are behavioral or technical in nature. The different combinations determine the system type.
For instance, a double check is a purely behavioral barrier because the detection, decision and action are all behavioral. Another example could be a sprinkler system that is activated by pressing a fire alarm button. The detection and decision are behavioral, whereas the action is technical, which makes it a socio-technical barrier. A fence or dike does not detect, decide or act. Its existence alone is enough to have an effect (we are leaving maintenance out of the discussion, as that is on a different level and not part of the barrier itself), which makes it passive hardware.
- Behavioral barrier: the detect decide act parts of the barrier are completely represented by people
- Socio-technical: the detect decide acts parts of the barrier are a mix between people and hardware
- Active hardware: the detect decide act parts of the barrier are completely hardware based
- Continuous hardware: a barrier with no detection, but a continuous action (like for instance a ventilation system)
- Passive hardware: is effective by just existing without any need for explicit action. Does not have detect, decide or act parts.
Figure 2 – barrier system types
The added advantage of categorizing barrier systems lies in understanding the diversity of barriers. More diversity in the type of barriers you have is generally better. Having only behavioral barriers or only hardware barriers makes a system vulnerable, not only because barriers of one type can compensate for the weaknesses of other types, but also because barriers of the same type are more vulnerable to common mode failure.
Learn more about barrier classifications and performance attributes
There are multiple ways of classifying barriers and the default installation of BowTieXP can be adjusted to reflect the taxonomies of the framework that you would like to use. This blog covered only a few of them. For inspiration on more barrier classifications and performance attributes, read Snorre Sklet’s article “Safety barriers: Definition, classification, and performance” as it is a comprehensive summary of relevant sources. You can also use the References of Sklet’s article as a starting point to explore underlying sources of information and learn even more about safety barriers.