When looking at barriers in a BowTie they appear to be sequential, i.e. if one barrier fails then the next one should come into play, but is this always the case? Are barriers sometimes ‘parallel’ rather than ‘sequential’? If so, what does this mean for how you interpret the information in the BowTie and how you rate barrier effectiveness?
Before BowTie came along we always used to say that eliminating the hazard was the best thing to do to reduce risk. But in the context of BowTies, hazards are usually descriptions of something, or some activity, that we want to be able to use, or do, as a required aspect of our operations. So now we are really talking about eliminating threats as our first line of defence. After that we come to the barriers that prevent the Top Event from being realised when a threat does occur. On the right-hand side of the BowTie we talk about barriers to reduce the likelihood of the consequence or mitigate its severity.
So we include ‘elimination’ barriers in our risk analysis: the ones that have their effect before the threat actually occurs. Logically they would be depicted to the left of threats but in BowTie, in order to create one coherent diagram, we can’t put them there. So it is normal good practice to include elimination barriers immediately to the right of the threat.
Individual elimination barriers will usually address certain specific potential causes for a threat (the threats for the threats if you like) and there may well be more than one. By way of example, we can look at the aircraft electrical fire BowTie from the UK Civil Aviation Authority’s ‘Significant Seven’ Bowties. In the section of diagram shown in Figure 2, we can see three ‘elimination’ barriers, each of which seeks to eliminate a particular cause of the threat ‘thermal runaway of a battery’. In this example the causes are: a poorly designed battery system, a poorly manufactured battery, or the use of an inferior battery.
Clearly we have three valid barriers here, but none of them can be said to eliminate all of the potential causes of the threat individually. So are they really sequential, or are they working more in parallel as in Figure 3?
In this situation, do we have 4 layers in our defences or 2? Should we assess the effectiveness of the barriers based on how good they are at dealing with the one specific aspect of the threat that they target or should they be judged according to how much of the threat they stop?
Looking at this specific BowTie, if we considered a potential scenario where the thermal runaway of the battery (the threat) was due to the poor design of the battery system, the barriers ‘manufacturer quality assurance’ and ‘operator procurement quality assurance’ would be irrelevant and have zero to contribute in terms of eliminating that cause of the threat.
In this case we have just one ‘good’ elimination barrier: ‘design standards/regulation compliance’ and one ‘good’ prevention barrier: ‘temperature sensors’. The failure of just one of the elimination barriers here could allow the threat to materialise; we don’t need all three to fail. Being unaware of this situation (i.e. elimination barriers working in parallel) might well lead to a flawed understanding of the depth of the defences available.
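The ‘4 layers or 2?’ question can be worked through per cause. The following Python sketch is an added example, not part of the original article or the CAA BowTie: it counts only the barriers relevant to each cause and compares that with the as-drawn sequential reading. Assumptions: the pairing of the two quality assurance barriers with their causes is read off the barrier names, ‘temperature sensors’ is taken to act whatever the cause, the failure probabilities are constructed, and barriers are treated as failing independently.

```python
# Added illustration: per-cause defence depth for the battery thermal-runaway threat.
from dataclasses import dataclass
from math import prod

CAUSES = (
    "poorly designed battery system",
    "poorly manufactured battery",
    "use of an inferior battery",
)

@dataclass(frozen=True)
class Barrier:
    name: str
    covers: frozenset   # causes of the threat this barrier acts on
    p_fail: float       # constructed value, not taken from the CAA BowTie

# Barrier-to-cause mapping is an assumption read off the barrier names.
BARRIERS = (
    Barrier("design standards/regulation compliance", frozenset({CAUSES[0]}), 0.1),
    Barrier("manufacturer quality assurance", frozenset({CAUSES[1]}), 0.1),
    Barrier("operator procurement quality assurance", frozenset({CAUSES[2]}), 0.1),
    # Prevention barrier: assumed to act whatever the cause of the runaway was.
    Barrier("temperature sensors", frozenset(CAUSES), 0.1),
)

def relevant(cause, barriers=BARRIERS):
    """Barriers that can actually stop a scenario started by this cause."""
    return [b for b in barriers if cause in b.covers]

def sequential_reading(barriers=BARRIERS):
    """Depth and pass-through if every barrier drawn on the line is counted."""
    return len(barriers), prod(b.p_fail for b in barriers)

def parallel_reading(cause, barriers=BARRIERS):
    """Depth and pass-through counting only barriers relevant to the cause."""
    rel = relevant(cause, barriers)
    return len(rel), prod(b.p_fail for b in rel)

if __name__ == "__main__":
    depth, p = sequential_reading()
    print(f"as drawn: {depth} layers, pass-through {p:.0e}")
    for cause in CAUSES:
        depth, p = parallel_reading(cause)
        names = ", ".join(b.name for b in relevant(cause))
        print(f"{cause}: {depth} layers, pass-through {p:.0e} ({names})")
```

With these constructed values the as-drawn reading is two orders of magnitude more optimistic than the per-cause reading for every one of the three causes.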
There are effective strategies to address this issue and whilst different users may take different approaches, the main thing is a considered and consistent approach. By doing that we can head off any potential for confusion and make the best use of our BowTies.