manual for active bowtie

8/8/2019 Manual for Active BowTie

1/40

MANUAL

Risk Support Risk Management Consultants

Flat 26

74 Arlington Avenue

London N1 7AY

United Kingdom

Telephone +44 (0)20 7226 0891

Mobile +44 (0)7733 441 405

Email [email protected]

http://www.risk-support.co.uk

Active Bow Tie

A tool for displaying and improving

hazard analysis and energising safety

management


2/40

MANUAL

Active Bow Tie

A tool for displaying and improving

hazard analysis and energising safety

management

November 2014

Version 1.7c

Revision Date Approved

1.1 February 2004 V.M. Trbojevic

1.5 June 2004 V.M. Trbojevic

1.7 July 2007 V.M. Trbojevic

1.7c November 2014 Licence free version


3/40

Risk Support Ltd. i Active Bow Tie Manual v1.7c

CONTENTS

1 INTRODUCTION........................ ..................................................................... .................... 1 1.1 BACKGROUND ............................................................. ................................................... 1 1.2 DESCRIPTION OF BOW TIE A NALYSIS .......................................................... ................... 2

1.2.1 Hazard Analysis ................................................................ ........................................ 2 1.2.2 Process Model..................... ..................................................................... ................. 4 1.2.3 Linking Risk and Process Models ........................................................... .................. 4

1.3 I NTEGRATED SAFETY MANAGEMENT SYSTEM ...................................................... ......... 4 1.3.1 Risk Evaluation .............................................................. ........................................... 5

1.4 DATABASE STRUCTURE ......................................................... ......................................... 6

2 STARTING.......................................................................... .................................................. 8

2.1 I NSTALLING ACTIVE BOW TIE .......................................................... .............................. 8 2.2 USER MANUAL ............................................................ ................................................... 8 2.3 SETTING UP A NEW CASE/DATA FILE.......................................................... ................... 9 2.4 DEFINING R EFERENCE DATA ............................................................ ............................ 10

2.4.1 Personnel .................................................................. .............................................. 10 2.4.2 Competencies ...................................................................... .................................... 11 2.4.3 Effectiveness................................... ............................................................... .......... 11 2.4.4 Activity Categories... ............................................................... ................................ 12 2.4.5 Frequencies.... ..................................................................... .................................... 12 2.4.6 Control Types....... ..................................................................... .............................. 12 2.4.7 Risk Matrix..................................................................... ......................................... 13

3 HAZARD ANALYSIS ...................................................... .................................................. 16

3.1 HAZARD CATEGORIES AND TOP EVENTS ............................................................... ....... 16 3.2 THREATS AND CONSEQUENCES ........................................................ ............................ 17 3.3 BARRIERS AND BARRIER DECAY MODES............................................................... ....... 18 3.4 R ISK A NALYSIS ........................................................... ................................................. 20

4 ACTIVITIES AND TASKS....................................................... ......................................... 22

4.1 ACTIVITIES ....................................................... ............................................................ 22 4.2 TASKS............................................................... ............................................................ 23 4.3 ADDITIONAL ACTIVITY I NPUT .......................................................... ............................ 24

4.3.1 Objectives............................. ..................................................................... .............. 25 4.3.2 Management Actions...................................................................... ......................... 25

4.3.3 Inputs...................................................... ................................................................. 25 4.3.4 Outputs......................................................... ........................................................... 25 4.3.5 Performance............................... ..................................................................... ........ 25 4.3.6 Deficiencies............ ................................................................ ................................. 26

5 LINKING TASKS AND CONTROLS...................................................................... ........ 27

6 REPORTS...... ..................................................................... ................................................. 30

6.1 DISPLAYING I NFORMATION IN BOW TIES .............................................................. ....... 30 6.1.1 Box Style................................................. ................................................................. 30 6.1.2 PEAR....................................................... ............................................................... . 30 6.1.3 Barrier Effectiveness............................... ................................................................ 30

6.1.4 Barrier Post Indicator............................. ................................................................ 30 6.2 R EPORTS ........................................................... ............................................................ 31


4/40

Risk Support Ltd. ii Active Bow Tie Manual v1.7c

7 PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC............................. 36

7.1 BOW TIES.......................................................... ............................................................ 36 7.2 COPYING, PASTING AND DELETING ............................................................. ................. 36 7.3 R EORDERING ............................................................... ................................................. 36


5/40

Risk Support Ltd. 1 Active Bow Tie Manual v1.7c

1 INTRODUCTION

1.1

Background

Bow tie approach1 was originally devised to energise the safety management

system. The theory behind the bow tie approach can be found in the “Swiss cheese

model” of Reason2. The approach is mostly used in the hazard identification and

the development of the hazard register, to link hazard barriers and operational

systems and procedures in place to eliminate the hazard or reduce its frequency of

occurrence, or mitigate its potential consequences. As such it also a hazard and

risk control display tool. A more mature extension of the approach was based on

a desire to overcome the following shortcomings in a safety case regime:

1. The transfer of information from hazard and risk analysis through to the

workings of the management system (i.e. to operations) has been

insufficient. This means that link between the major accident hazards and

the safety management system (SMS) is not usually explicitly presented.

The emergency response plans typically provide the chain of

communication in an emergency, the organisational structure, tasks of

responsible persons, and the list of actions to be carried out in the event of a

specific emergency situation following a major hazard event. A link

between the technical system descriptions in the Safety Report, and the

demonstration of the working of the management system in the context of

major hazard control, is usually missing. This is not unusual because the

methodologies for hazard analysis and risk assessment, in general, do notdeal with the complex technical and organisational systems in a unified

manner.

2.

The Quantitative Risk Assessment may take into account operator error in

the causation part of the assessment, while it is rare to account for human

factors in the escalation part of the assessment, unless a specific operator

action is intended to be a safety barrier. However, even then, the quality of

organisation and management is not accounted for. For example, to

incorporate the “probability of partial malfunction of the emergency

system” is unheard of. This does not mean that the quality of organisation,

or “organisational factors” cannot be evaluated; they can be accounted for inthe overall shifting of the risk profile or the scaling of the failure rates.

3. The operational process model may be established for the purpose of quality

management system, but not for the purpose of major hazards and the SMS.

There is, in general, a “fuzzy” link between the hazards and operational

activities and tasks, and even “fuzzier” link between risk controls and

operational tasks.

1 Shell International Exploration and Production BV, Thesis HSE Manual, EP-95 0323, 1995.2 James Reason, Human Error, Cambridge University Press, 1990.


6/40


1.2 Description of Bow Tie Analysis

1.2.1 Hazard Analysis

In this example, Figure 1.1, hazard is derailment and hazard realisation is the top

event “passenger train derailment”. The threats (that can lead to the top event) are

“obstruction on tracks”, “rolling stock faults”, “track faults”, etc. The possible

consequences of this event could be “injuries and fatalities”, “damage to trains

and tracks”, etc.

Figure 1.1 Derailment Bow tie

To protect from threats, barriers are provided (denoted by a box with a thick black

bar on the right), Figure 1.2. The barriers against “obstructions on tracks” are to

“ensure operational tracks” and “regular track inspections”. However, the barrier

“ensure operational tracks” may decay because of the “inadequate maintenance”,

or may fail due to “obstructions due to track maintenance”. This barrier

decay/failure mode3 is denoted by the box with the thick red line at the bottom. If

the barrier decay/failure mode is identified than it may be required to provide a

secondary barrier to prevent the decay/failure mode. These secondary barriers

reinforce primary barriers (which protect from threats). The numbers of the

primary and secondary barriers are governed by the risk acceptance criteria.

3 Barrier decay/failure mode is also called “Escalation factor” (e.g. in Thesis)


7/40


Figure 1.2 Barriers and Barrier Decay/Failure Modes

Drivers reportobstructions

Z1 / C.01.01

Vandalism

Drivers reportobstructions

Z1 / C.01.01

Trees or blownobjects on tracks

Regular track inspections

X2 / A.02.01

Proceduralreview

Y3 / B.03.01

Inadequatemaintenance

Check materialsare not left on

tracks

V1 / B.01.01

Obstructions dueto track

maintenance

Ensureoperational

tracks

X1 / A.01.01

Obstructions ontracks

Ensure soundrolling stock

Rolling stock faults

Regular track inspections

Ensure quality of tracks

Track faults

D

DerailmD.01 PaTrain Der


8/40


The barriers with different coloured bars on the right hand side are intended to

represent different type of barriers, or groups of workers, subcontractors, etc.

Similarly, if all barriers are breached, and the top event (loss of control) is

reached, then (protection / mitigation) barriers should be provided to protect from

top event and/or mitigate unwanted consequences. These barriers and their

decay/failure and are treated in the similar way as the barriers on the left-hand

side of the bow tie.

1.2.2 Process Model

In parallel with the bow tie risk analysis, the “systems model” is developed which

describes all processes of the Company. Furthermore a set of activities and tasks

are identified required to keep the “process” functioning on a daily basis. For

each activity and each task within an activity responsible persons is identified.

The duty of a responsible person is to carry out the task/activity in a specified

manner and record any deviations. The development of the process model is

iterative and in many cases the risk model drives the new tasks and vice versa.

1.2.3 Linking Risk and Process Models

In the next step the tasks are matched to the barriers. This means that for each

barrier there should be a task the purpose of which is to ensure that the barrier is

operational at all times. This process is also iterative and may require some

“matching” before a proper link between the task and the barrier is established. In

Figure 1.2, in the lower part of the barrier box, the post indicator of the

responsible person (or contractor’s organisation) and the corresponding tasks

shown (e.g. X1, X2, Y1, etc denotes personnel group and position, and “A.01.02”

denoted task 2 of activity A.01). As mentioned before the development of bow tie

risk model and the corresponding process model proceeds in an iterative manner.

The activities and tasks taken to ensure that risk controls are effective at all times

are called “safety-critical”. An activity comprises a set of tasks with the same

management objective.

1.3

Integrated Safety Management System

The operational part of the safety management system (SMS) can now be

developed as a natural extension of the above approach. In fact, each activity with

its set of tasks represents a “procedure” in the old sense, except that each task is

“hard wired” to the corresponding risk barrier. Therefore to close the continuous

improvement loop, the following components of the SMS, shown in Figure 1.3,

are added:

•

Management objective for the activity and action required to implement it,• Performance indicators and criteria for measuring the execution of tasks,


9/40


• Feedback loop for the improvement and operational changes,

• Input and output for the activity; for example, if the absence of a written

procedure could result in infringement of the safety policy or breaches of

legislative requirements or performance criteria, then the additional

procedure represents an input for the activity. Similarly, output from anactivity may represent the input for another activity, etc.

Figure 1.3 Safety Critical Activity

ACTIVITY

Task i

Task j

Task k

Barrier l

Barrier m

Barrier n

PERFORMANCE

CRITERIA

PERFORMANCE

INDICATORS

MANAGEMENT

OBJECTIVES

MANAGEMENT

ACTIONS

REVIEW &

IMPROVE

INPUT /

PROCEDURES

OUTPUT

PLAN

DO

CHECK

FEEDBACK

In associating tasks with risk controls, distributing responsibilities, defining

objectives and the sources and means of measurement, the integrity of the

management system is demonstrated.

A similar approach can be utilised to extend the safety management system to

cover the management and organisational aspects.

1.3.1 Risk Evaluation

Risk evaluation is carried out by assessing the likelihood and the severity of

consequences using either risk matrix approach, or the results of quantitative risk

analysis. Typically these risk can be low (acceptable), medium (tolerable if

reduced to be As Low As Reasonably Practicable – ALARP) and high/intolerable

(operation is not allowed). The evaluated risks are then assessed against risk

acceptability criteria.

Risk criteria are developed in terms of the required number of barriers for each

risk level. Risk criteria can also be formulated in conjunction with safety rating or

the effectiveness of risk controls which depends on the barrier effectiveness,

availability, independence, means of control over barrier, etc. An example of risk

criteria without barrier rating is presented in Figure 1.4.


10/40


Risk reduction is then carried out in accordance with the risk tolerability doctrine, or the

national safety legislation, etc.

Figure 1.4 An Example of Risk Criteria

Region Criteria

1

Intolerable 2

3

Requires a minimum of three primary barriers in place for allthreats

Requires a minimum of two primary barriers (recovery

measures) for each identified consequence

Requires a minimum of one secondary barrier in place for all

barrier decay/failure modes

Requires a minimum of two rimary barriers in place for all

threats

ALARPRequires a minimum of one primary barrier (recovery

measure) for identified consequence

Requires a minimum of one effective control in place for all

barrier decay/failure modes

1

2

3

1.4

Database Structure

The data structure in Active Bow Tie starts with the Study (or Safety Case) which

covers one or several Locations. Each location is exposed to Hazards and has an

Activity Set . A set of Hazards comprises of one or several Hazard Groups, each

of which is mapped into one or several Top Events.

Each Top Event can be triggered by a set of Threats (within a Threat Group), and

to prevent hazard realisation Barriers are put in place. Factors that can reduce

barrier effectiveness called Barrier Decay Modes (B.D.M.). To protect the

barriers from this decay modes the Secondary Barriers can be specified.

Escalation from Top Event can lead to a Consequence Group containing one or

several unwanted Consequences. There are Barriers in place top protect from top

event and mitigate the consequences. These barriers can be associated with the

barrier decay modes, which are controlled by secondary barriers.

Each Activity Set contains one or several Activity Groups each of which comprise

one or several Activities. Each Activity comprises of Tasks, some of which are

safety critical; i.e. the purpose of those tasks is to ensure that barriers are

operational at all times. An activity also comprises of the associated safetyobjectives, management actions, input, output, performance indicators and criteria


11/40


(Figure 1.3). A graphical representation of the data structure is presented in

Figure 1.5.

Figure 1.5 Database Structure

Study

Location

Hazards

Hazard group 1

Top event 1

Threat group

Threat

Barrier

Barrier decay mode

Task Secondary barrier

Task

Barrier 2

Barrier decay mode

Task Secondary barrier

Task

Secondary barrier

Task

Threat

Consequence group

Consequence

Barrier

Task

Top event

Hazard group

Activity set

Activity group

Activity Objectives

Objective

Objective

Management actionsAction

…

Inputs

Input

…

Outputs

Output

…

Tasks

Task

Task

Task

…

Performance

Indicator

…

Deficiencies

Deficiency

…

Activity

Activity group

Location

Etc.


12/40


2 STARTING

2.1

Installing Active Bow Tie

To install Active Bow Tie unzip the file abt.zip which contains the installation

tool Install-ABT.exe. Double click on the file Install-ABTv1.7.exe and the

software will be installed in the subdirectory called “Active Bow Tie v1.7”

created within the directory “Program Files”. An icon will also be created on the

desktop depicting a bow tie.

Licence for running Active Bow Tie is no longer required, i.e. the use of the

program is free. Just double click on the ABT icon and the welcome screen,

Figure 2.1, will appear.

Figure 2.1 Welcome Screen

Click on the welcome screen and you will see the prompt to open a file. Click on

Cancel and you will be in ABT window.

Important notice:

• The file “ blank data.mdb” is a database template and should not be deleted.

ABT cannot work without this file. This file will be placed in the Active

Bow Tie directory.

2.2 User Manual

The chapters of this manual are listed in Help on the menu bar. Click on Help and

then click on a chapter you would like to read or print (for this you will need

Acrobat Reader).


13/40


2.3 Setting Up a New Case/Data File

Navigate in the Open window to find the previously developed database files.

You may wish to start from example.mdb file (in C:\Program Files\Active Bow

Tie v1.7), highlight it and click OK . For creating the new case click on Cancel in

the Open window, and the Active Bow Tie main window will appear, Figure 2.2.

Figure 2.2 Active Bow Tie Main Window

Clicking on File and then on New, triggers a Save As window where the name of

the new database file can be specified (e.g. example). The corresponding path and

the file name will then be displayed on the title bar (Figure 2.3).

To set up a new case click on Misc and choose New Case and specify the name of

the case (e.g. Safety Case) which will be displayed in the tree window. To specify

locations considered in the case, right click on the case name (Safety Case),

choose New and specify location parameters and name (e.g. Plant ). Let us

assume that the Safety Case covers two locations, then repeat the previous steps

and set up another location called Office.


14/40


Left click on the plus sign on the left hand side of the locations will display the

Hazards and Activity Groups for each location, and the tree in the left window

will look as shown in Figure 2.3.

Figure 2.3 Setting Up the Case and Locations

2.4

Defining Reference Data

The Reference button on the menu bar displays a drop table with the following

data categories:

2.4.1 Personnel

Information about plant personnel is required for the completion of the activities

and tasks, and not necessarily for the hazard identification. Personnel information

comprises the following:

1. Post. Ind. – or post indicator; this information will be printed out once the

tasks are linked to the barriers and therefore the shorter post indicator is

better.

2.

Description – position of the person/operator.3. Name – name of the person (not used at the moment).

Tab can be used to move across to a next box. The list of personnel can be

extended by clicking on the Add button, Figure 2.4.


15/40


Figure 2.4 Personnel Input Window

2.4.2 Competencies

Not used at this stage.

2.4.3 Effectiveness

Implies the barrier effectiveness and can be displayed in the barrier box. After

typing the first one, click on the Add button for the next one, Figure 2.5. To

display this information tick the Barrier effectiveness in the View menu.

Figure 2.5 Input Window for Effectiveness


16/40


2.4.4 Activity Categories

Not utilised at this stage.

2.4.5 Frequencies

The frequency relates to how often the task is carried out and can be specified

descriptively and by its value, Figure 2.6 . Clicking on Add generates a new input

row.

Figure 2.6 Task Frequencies Input Window

2.4.6 Control Types

The information about controls (primary and secondary barriers) needs to be

provided if the classification of controls is required. There are no rules on

classification of controls, for example, one may wish to distinguish controls

operated by different sections within one organisation, or to establish engineered,

procedural and human barriers, etc. Each control type can be recognised by acoloured bar on the right hand side of the control box, Figure 2.7 .

Colour of the barriers can be changed from a default black colour by a left click

on the right hand side of the middle box and then choosing a desired colour from

the colour palette (for example, three colours: black, blue and green were chosen,

Figure 2.7 ).


17/40


Figure 2.7 Control Types Input Window

2.4.7 Risk Matrix

Risk assessment in Active Bow Tie is carried out by the use of risk matrix shown

in Figure 2.8 . There are maximum six categories of accident likelihood and

consequence severity. In the example shown in Figure 2.8 a 5 x 5 matrix is

displayed, starting with the likelihood “extremely unlikely” (i.e. 10-7), to

“frequent” (10). The five categories of consequences (impact on workers or thegeneral public) start from “minor injury” to “many fatalities (5 or more)”. By

assigning letters to the likelihood categories from A to E, and numbers from 1 to 5

to consequence severity, the risk values (likelihood x consequence severity) are as

shown in the matrix in Figure 2.8 .

Figure 2.8 Risk Matrix


18/40


To change risk values, left click on the field and its value will appear in the Text

box in the upper left corner. Type the value or a code of your choice and click

OK; the value/code will appear in the field. If the numerical values are used for

both likelihood and consequence categories, e.g. 0 to 5, these are usually

interpreted to represent the logarithmic scale (i.e. order of magnitude difference)

and the risk values are evaluated by adding the corresponding likelihood and

severity numbers (and not by multiplying which is a very common mistake).

To change the colour of the risk regions, left click on the field and then left click

on one of four colours on the left hand side of the risk matrix window. At this

stage only the shown four colours are available for this purpose. It should be

noted that the risk tolerability doctrine in the UK identified three regions of risk:

1. Intolerable region (red) were risk could not be justified except in

extraordinary circumstances. This means that a facility cannot operate.

2. Tolerable region (yellow) in which risk is tolerable only if risk reduction is

impractical or if its cost is grossly disproportionate to the improvements

gained.

3. Broadly acceptable region (white) where it is necessary to maintain

assurance that risk will stay at this level.

The fourth colour (blue) has been added (without defining the risk management

action) to allow more complicated risk criteria to be utilised. The example in

Figure 2.9 shows an additional range has been added in which the management

action is to improve public relations.

Risk matrix for injuries and fatalities (P) has been shown in Figure 2.8 . By

clicking on the button on the right hand side of the box with People inside, three

more types of risk are available:

• Risk of damage to the environment (E),

• Risk of asset loss (A), and

• Risk of loss of reputation (R).

Note:

Text in the risk matrix (Figure 2.8) denoting likelihood and consequence

severity, and the notation for the fields in the matrix (A1, B2, etc) can be

changed in the project database file (e.g. in “example.mdb”) by opening

the database file in MS Access (2003) and implementing changes in

relevant tables (riskCat, riskLabel and riskMatrix). Do not forget to save

the file before changing it!

An example of such changes can be seen in Figure 2.9.


19/40


Figure 2.9 Risk Matrix for Loss of Reputation


20/40


3 HAZARD ANALYSIS

3.1

Hazard Categories and Top Events

A hazard is a situation or a condition with the potential to harm the people, the

environment, assets and reputation. The hazards are classified for each location

into hazard categories, for example, external, internal, etc, and then each hazard

category is mapped into a number of representative accidental events also called

top events. Top event is usually defined as the loss of control point, or the point

of hazard realisation.

To generate hazard categories right click on Hazards in the tree window and then

left click on New and the hazard input window will appear. Then specify the

hazard group code and its name, for example, E and External hazards, and click

on OK . The hazard group will appear in the tree window.

Left click on the External hazards and choose New to generate a top event. Note

that the code for the event will be the hazard code and an automatically generated

sequential number. Just add the name of the top event, Figure 3.1.

Figure 3.1 Top Event Input Window

Now left click on the Top event and the top event circle will appear in the graphics

window, Figure 3.2.


21/40


Figure 3.2 Hazard Categories and Top Events

3.2 Threats and Consequences

Left click on the plus sign by the top event to reveal the Threats and the

Consequences. From this point there are two ways of generating threats and

consequences, as follows:

1.

In the tree window, lift click on Threats to highlight it, and then right click

to get a menu, then left click on New to get the threat window, Figure 3.3.As soon as the threat is specified, the “ear” on the left hand side of the top

event circle becomes shaded. This means that there is more information that

has not been displayed in the graphics window. Clicking on the same ear

contracts the bow tie.

2. In the graphics window, right click within the top event circle and choose

from the drop down menu, in this case New Threat which triggers the threat

window to appear, Figure 3.3.

The code for a threat is just a sequence number which is automatically generated

but can be changed manually if the reordering of threats is required. The other

buttons and check boxes will be explained at the later stage.

The consequence generation is carried out in the same manner, for example by a

right click within the tope vent circle, left click on New Consequence in the

dropdown menu and the Consequence widow will appear.


22/40


Figure 3.3 Threat Input Window

3.3 Barriers and Barrier Decay Modes

Barriers can be generated by a right click on the corresponding threat either in the

tree or the graphics window and then choosing New. The input window is shown

in Figure 3.4. Barriers (control) type and the effectiveness can be chosen from

the drop down list if required. The barriers that prevent threats, protect people

(assets, etc.) and mitigate consequences are also called primary barriers.

Figure 3.4 Barrier Input Window


23/40


The mitigation barriers (on the right hand side of the top event) are generated in

the exactly same manner, except that the title on the input window is Recovery

Measure otherwise it is identical to that in Figure 3.4. These barriers are also

called recovery measures.

Each barrier can have one or decay/failure modes. A decay/failure mode is used

to represent the condition which can lead to barrier erosion, ineffectiveness or

failure. For example, insufficient maintenance, inadequate procedure, etc. can be

described with barrier decay modes.

Barrier decay mode is generated in the same way as the barriers (right click on a

barrier box and choose New), except that its input window is identical to one for a

threat (Figure 3.3). Barrier decay mode can be controlled by one or several

secondary barriers which serve as means/systems that can prevention decay and

erosion (right click on a barrier decay mode box and choose New). It should be

noted that most risk acceptance criteria for bow tie risk analysis require at least

one control for each identified barrier decay mode.

Assuming that a barrier decay mode was identified for the engineered Primary

Barrier 1.1 (Figure 3.5), and that the secondary barrier (Secondary Barrier 1.1.1.1)

is generated (as a human control), then the Active Bow Tie screen would look as

shown in Figure 3.5. The Consequence 1 and the corresponding Primary Barrier

1.2 (Recovery Measure) were also generated. Note the different colours of

controls.

Figure 3.5 Active Bow Tie Screen after Generation of Controls

It should be noted that the font size and the scale have been changed so that the

bow tie would fit in the graphics window and that the titles of the boxes would be

readable. To change the font Size left click in the corresponding box and type the

size of your choice, then press Tab key. The same procedure applies to Scale.

Font type can be changed by choosing from the drop down list (left click on

Font ).


24/40


3.4 Risk Analysis

Risk evaluation is carried out by assigning severity and the likelihood category to

each consequence. To do so right click on a consequence box and choose Edit .

This will display the consequence input screen. Now click on Assess Risk to

display the risk matrix. In the risk matrix left click on the field which corresponds

to evaluated likelihood and consequence severity category, for example, “unlikely

(0.1)” and “major injury” (corresponds to D3), Figure 3.6 , and then click on OK .

This process is the repeated for all types of risk and all consequences if required.

Figure 3.6 Risk Evaluation

Now left click on Hazards (below Plant ), and the graphics window will display

the risk register. Left click on the top event in the top table and the results of risk

evaluation will appear in the bottom table, as shown in Figure 3.7 .

Figure 3.7 Risk Register


25/40


The risks can also be displayed in the consequence boxes of the bow tie. To do

this, got to the View menu, and tick PEAR and the evaluated risk will be displayed

as shown in Figure 3.8 . The risks are displayed in the PEAR order (people,

environment, assets, reputation).

Figure 3.8 Displaying Evaluated Risks


26/40


4 ACTIVITIES AND TASKS

4.1

Activities

The activity structure is conceived to comprise of an activity set for each location,

each of which can be further subdivided into activity groups and activities. An

example of an activity group is Operational activity which can comprise of

several activities such as import product, operate process units, operate storage

facilities, export products, laboratory/sampling activity, etc. The activity structure

reflects the overall organisation of the facility. However there are two ways

forward from this point, as follows:

1. For the hazard analysis study an overall breakdown of activities is usually

sufficient.

2. For the bow tie risk analysis and the development of an integrated safety

management system (iSMS), the detailed task breakdown is required. These

details have to reflect the day-to-day tasks of personnel, and this

development is of iterative nature since tasks have to align with risk

controls.

To generate an activity group left click on the Activity Groups in the tree window

and choose New and input the data in the activity window as shown in Figure 4.1.

Figure 4.1 Activity Group Input Window

Note that the Code is passed to other activities (and tasks) within this group. To

enter individual activities left click on the activity group and choose New to get

the activity input window as shown in Figure 4.2.


27/40


Figure 4.2 Activity Input Window

It can be seen that the activity group code is passed automatically to each activity

and the sequential number added. Type in activity name and chose the

responsible person.

4.2 Tasks

Each activity comprises of one or several tasks. To generate tasks, right click on

the plus sign next to activity, and then right click on Tasks and choose New. This

will display task input window as shown in Figure 4.3.

Figure 4.3 Task Input Window


28/40


Type in task name and description. The task code is automatically generated.

Choose the task frequency and the responsible person. After adding a few more

tasks and activities, the tree window will look as shown in Figure 4.4.

Figure 4.4 Activities and Tasks

4.3 Additional Activity Input

The additional information presented in this section (Figure 4.4) is required for

the completion of the integrated safety management system (iSMS).


29/40


4.3.1 Objectives

Hazard management objectives on the activity are specified with this facility.

Right click on the Objectives to reveal an input window. Type in the objective

name and if required provide more information in the description field.

4.3.2 Management Actions

Management actions required for the success of the activity are input with this

facility. Right click on Management Action and type the information in the input

window.

4.3.3 Inputs

An input to an activity is an information or an equipment necessary to undertake

the activity. For example, if a set of tasks is insufficient for carrying out activity

in a safe manner, then a procedure may be required which is specified as input, or

if the activity is to produce an agreed plan for actions, than a starting or a

proposed plan must be input. To specify the required information, right click on

the Inputs.

4.3.4 Outputs

An output from an activity is an information or some other product generated or

processed within the activity. For example, a proposed plan for action isdiscussed, modified and agreed within the activity and represents an output. An

output could also be some measurements undertaken in the activity which may

also serve as an input to another activity. To specify this information, right click

on the Outputs.

4.3.5 Performance

The following information can be supplied by a right click on the Performance in

the tree window, Figure 4.5:

1. Performance indicator - a measurable, quantifiable and agreed parameter

that can be used to measure the success, i.e. performance of an activity. For

example, number of the lost time injuries (LTI’s), identified deficiencies,

adherence to maintenance programmes, etc..

2. Performance criteria – these are the safety targets set by the management,

for example, the maximum number of LTI’s.

3. Source of measurement – relates to performance measurement, for example,

maintenance records, etc.


30/40


4.3.6 Deficiencies

Deficiencies related to activity information can be recorded by a right click on the

Deficiencies in the tree window and providing data in the input window. Typical

deficiency could be lack of performance criteria (for new performance indicators),

lack of input procedures, etc.

Target for sorting out and completion of a deficiency can also be specified.

Figure 4.5 Performance Input Window


31/40


5 LINKING TASKS AND CONTROLS

The essential part of bow tie analysis is in linking activities and tasks to risk

controls. For the purpose of developing an iSMS, the day-to-day tasks should be

linked to controls. This may not be possible without some iteration on both the

bow ties and the activities and tasks3. Before linking right click on the Top event

in the tree window, choose Copy, then right click on External hazards and choose

Paste. A copy of Top event will appear; right click on it and choose Edit and

change the code to E.01b and the name to Top event (linked); left click on this

event to display its bow tie and expand the bow tie.

To start linking, right click an a barrier box in the graphics window and choose

Edit . This will display the control input window (Figure 3.3). Left click on the

Task button to display the window shown in Figure 5.1. In the activity box find

the appropriate activity (O.01 process control) and then left click on it to display

the corresponding tasks in the box below, Figure 5.1.

Figure 5.1 Linking Task to Barrier

Now highlight the appropriate tasks (e.g. O.01.01 Task 1) by left clicking on it

and then click on the > button to transfer the task to the right hand side box called

“Used Tasks”, Figure 5.2. If you make a mistake, highlight the task in the Used

Tasks box and click on < button to clear the Used Tasks box. Click on OK to

complete linking.

3 Trbojevic, V.M., Linking Risk Analysis to Safety Management, PSAM7/ESREL2004, Berlin,

2004.


32/40


Figure 5.2 Linking Task to Barrier (Cont.)

Repeat the procedure for the secondary barrier (Secondary Barrier 1.1.1.1) by

linking it to Task 2 of the Process control activity (O.01.02). The resulting bow

tie is shown in Figure 5.3. In order to display post indicators and tasks, left click

on View and choose Barrier Post Indicator option. The post indicator of the

responsible person and the corresponding task which has to ensure that the control

is operational at al times are displayed at the bottom of the control box (e.g.

Primary Barrier 1: P1 / O.01.01).

Figure 5.3 Bow ties with Linked Tasks to Controls

An additional secondary barrier (Secondary Barrier 1.1.1.2) is shown in Figure

5.3 in order to illustrate that there are no restrictions regarding linking tasks and

controls from different locations.


33/40


Barrier effectiveness is displayed in the upper right corner of the barrier box.

If more text needs to be fitted in a barrier box or the post indicator / task cannot

fit, the box sizes can be changed. Left click on View and choose Box Style option

The result with box style “Level3” with “2 rows” is presented in Figure 5.4.

Figure 5.4 Larger Barrier Boxes


34/40


6 REPORTS

6.1

Displaying Information in Bow Ties

The following options for displaying barrier boxes and bow tie information are

added to the View menu:

6.1.1 Box Style

Barrier box size can be changed to accommodate larger fonts.

6.1.2 PEAR

This option allows displaying the risks to people (P), the environment (E), assets

(A) and reputation ® in the consequence boxes.

6.1.3 Barrier Effectiveness

Displays barrier effectiveness in the upper right corner of the barrier box. Note

that the effectiveness is not further used.

6.1.4 Barrier Post Indicator

Displays the post indicator of the person responsible for the barrier and the related

tasks the purpose of which is to ensure that barrier is available.


35/40


6.2 Reports

The information contained in Active Bow Tie can be printed out in MS Excel

format using the Reports facility in the menu bar. The following forms (reports)

are available:

1. Hazards and top events – straightforward list of hazard groups and

associated top events.

2. Activities, tasks and responsible persons – list of all activities, associated

tasks and persons responsible for those tasks.

3. Threats and barriers – this report is considered useful; it displays top

events, threats, primary barriers, barrier decay modes and secondary

barriers, Figure 6.1.

4. Threats, barriers and tasks – this is same as the previous report but for all

barriers the post indicator and task are printed as well, Figure 6.2.

5. Consequences and barriers – this report displays top events,

consequences, primary barriers (recovery measures), barrier decay modes

and secondary barriers

6. Consequences, barriers and tasks – this is the same as the previous report

but for all barriers the post indicator and task are printed as well.

7.

Activity descriptions – all information related to activities is displayed in

tabular form, Figure 6.3.

8.

Evaluated risks – displays evaluated risks to people, the environment,

assets and reputation (PEAR), Figure 6.4.

9.

Tasks not linked to barriers – If the full list of tasks is included, then thisoption will print tasks which are not safety critical, i.e. tasks not linked to

barriers.


36/40


Figure 6.1 Top Events, Threats, Barriers, etc.

No. Top Event No. Threat Description No. Barrier No. Barrier De

M.04 Berthing error 1

Approaching berth

with inappropriate

speed

1 Competent Pilot 1

Pilot fails to f

with vessel's

manoeuverbi

2Failure to acc

weather and t

2Master identifies and

rectifies error

2

Approaching berth at

inappropriate angle 1 Competent Pilot 1

Allocated spa

berthing is in

2Pilot makes a

judgement


rectifies error

3Failure of rope or

anchor 1

Pilot/Master trained to use

rope or anchor to berth in

confined spaces

1 Rope or attac

2 Anchor failur

3 Surging failu


37/40


Figure 6.2 Top Events, Threats, Barriers, Post Indicators, Tasks, etc.

No. Top Event No. Threat Description No. Barrier No. Barrier De

M.04 Berthing error 1

Approaching berth

with inappropriate

speed

1 Competent Pilot 1

Pilot fails to f

with vessel's

manoeuverbi

HM/Pilot / C4-02.03

2Failure to acc

weather and t


rectifies error

Pilot / B2-05.02

2Approaching berth at

inappropriate angle1 Competent Pilot 1

Allocated spa

berthing is in

HM/Pilot / C4-02.03

2Pilot makes a

judgement


38/40


Figure 6.3 Activity Description

Activity Description

B2-05Co-operating with the bridge team and

functioning within it

Safety Objectives1 Ensure safety of navigation

Management Actions

1 Monitor, review and improve

Activity Inputs

1 Port Passage Plan

2 Bridge team monitoring

Activity Outputs

1 Agreed passage plan

Tasks Task Description

B2-05.01 Check vessel defect report

B2-05.02 Read "Pilot Card"

B2-05.03

Establish communication with the Bridge Team and agr

chain of command B2-05.04 Assess the bridge team's capabilities

B2-05.05 Pilot-Master-Bridge Team information exchange

B2-05.06 Agree passage plan with the Master

B2-05.07 Provide manoeuvring and navigational advice to the Ma

B2-05.08 Confirm minimum bridge manning

B2-05.09 Check ship's draught

Performance Indicators

1Check Vessel defect report (report to

VTS)

2 Read Pilot card (report to VTS)

3 Check bridge manning (report to VTS)

4Agree Passage Plan with the Master

(report to VTS)

Deficiencies


39/40


Figure 6.4 Risk Register

Hazard Group Top Event Consequence

M Manoeuvring M.04 Berthing error Damage to berth

Damage to the vessel


40/40

7 PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC.

7.1

Bow ties

Bow ties can be copied into MS Word or Power Point or saved in *.jpg format.

Right click in the graphics window outside the bow tie, and then choose Copy

(then switch to MS Word file and Edit >Paste Special > Picture) or Save option

which will open Save As window for specifying the file name.

7.2 Copying, Pasting and Deleting

Top events can be copied within hazards. Right click on a top event either in the

graphics or tree window and then choose Copy, then right click on the hazard

group that this event should be pasted in and choose Paste. Remember to change

the name of the copied top event.

Threats and barriers can be copied in a similar manner. To delete items right click

on the item top be deleted and choose Delete.

Activities and tasks can also be copied in the similar fashion.

7.3 Reordering

Threats and controls can be re-ordered by right click on the box, choosing Edit

and changing the Code number.

manual for active bowtie

Documents