The bowtie method
go to El método bowtie for the spanish version of this page.
The start of any bowtie is the 'hazard'. A hazard is something in, around or part of the organization which has the potential to cause damage. Working with hazardous substances, driving a car or storing sensitive data are for instance hazardous aspects of an organization while reading this article on your computer is not. The idea of a hazard is to find the things that are part of your organization and could have a negative impact if control over that aspect is lost. They should be formulated as normal aspects of the organization. The rest of the bowtie is devoted to how we keep that normal but hazardous aspect from turning into something unwanted. The first step is always the hardest and this is also the case here. Normally, starting with for instance a HAZID is a good way to get a long list of all possible hazards. Bowties are then done only for those hazards with a high potential to cause extensive harm. Normally, 5 to 10 hazards is a good starting point.
Once the hazard is chosen, the next step is to define the 'top event. This is the moment when control is lost over the hazard. There is no damage or negative impact yet, but it is imminent. This means that the top event is chosen just before events start causing actual damage. The top event is a choice though, what is the exact moment that control is lost? This is to a large extent a subjective and pragmatic choice. Often, the top event is reformulated after the rest of the bowtie is finished. Don’t worry too much at the beginning about formulation. You can start with a generic 'loss of control' and revisit it a couple of times during the bowtie process to sharpen the formulation.
'Threats' are whatever will cause your top event. There can be multiple threats. Try to avoid generic formulations like 'human error', 'equipment failure' or 'weather conditions. What does a person actually do to cause the top event? Which piece of equipment? What kind of weather or what does the weather impact? You can be too specific as well, but generally, people tend to be too generic.
'Consequences' are the result from the top event. There can be more than one consequence for every top event. As with the threats, people tend to focus on generic categories instead of describing specific events. Try not to focus on injury/ fatality, asset damage, environmental damage, reputation damage or financial damage. Those are broader categories of damage rather than specific consequence event descriptions. Try to describe events like 'car roll over', 'oil spill into sea' or 'toxic cloud forms'. Besides containing more specific information, you’re also helping yourself to think more specifically when coming up with barriers. Think how you want to prevent 'environmental damage' versus 'oil spill into sea'. The second is an actual scenario which makes it much easier to come up with specific barriers.
The picture so far
At this stage we have a clear understanding of the risk and what needs to be controlled. The hazard, top event, threats and consequences give us an overview of everything we don’t want around a certain hazard. Every line through the bowtie represents a different potential incident. Besides containing incident scenarios that might already have occurred, part of the strength of the bowtie is that there is also room for scenarios which have not occurred yet. This makes it a very proactive approach.
Barriers: controlling unwanted scenariosNow that we have identified and drawn out the unwanted scenarios, it’s time to look at how to control these scenarios as an organization. This is done using 'barriers'.
Control and Recovery Barriers
Barriers in the bowtie appear on both sides of the top event. Barriers on the left side interrupt the scenario so that the threats do not occur, and if they do, not result in a loss of control (the top event). Barriers on the right side make sure that if the top event is reached, the scenario does not escalate into an actual impact (the consequences) and/or they mitigate the impact.
There are different types of barriers, which are mainly a combination of human behavior and/or hardware/technology. Once the barriers are identified, you have a basic understanding of how risks are managed. You can build on this basic barrier structure further, to deepen your understanding of where the strengths and weaknesses are. Barriers can be classified and assessed beside barrier types, to include for instance barrier effectiveness. This lets you assess how well a barrier performs, or is expected to perform, based on available data and/or relying on expert judgement. After that, you can look at the activities you have specified, to implement and maintain your barriers. This essentially means mapping you Safety Management System (SMS) onto the barriers. In addition, you can determine who is responsible for a barrier and assess the criticality of a barrier in the context of all other related information. These are all things you can do to increase your understanding of the barriers. Ultimately, linking and visualizing all this information on a barrier, gives you a holistic overview of your safety measures with relevant meta data in the context of your risk scenarios.
Escalation factors & Escalation factor barriers
Barriers are never perfect. Even the best hardware barrier can fail. Given this fact, what you need to know is why a barrier will fail. This is done using the 'escalation factor'. Anything that will make a barrier fail can be described in an escalation factor. For instance, a door that opens and closes automatically using an electrical mechanism might fail if there’s a power failure.
Warning: be careful with escalation factors. You do not describe all the potential failure modes. Only describe the real weaknesses of your control framework and how you want to manage that.
The logical next step to manage escalation factors is to create barriers for you escalation factors, aptly named 'escalation factor barriers'. In this case it could be a backup generator.
Continue to the cge website >