In recent years, bow-ties have become a fashionable tool for managing risk and safety in high-risk industries. The original thinking was based on James Reason’s widely cited Swiss cheese model and the domino effect. Reason argued that accidents (or failures) in socio-technical systems, ie systems comprising human beings and technical components, are “caused” as a result of the dominos falling sequentially one after the other. As such, identifying the causes makes it possible to avoid them by introducing elimination, isolation and mitigation measures. These measures are termed “barriers” in the bow-tie model of risk and safety management.
The model works as follows: the top event (or a situation out of control) is placed at the centre, the threats (or circumstances) leading up to the top event are placed on the left-hand side and the consequences of the top event, are positioned on the righthand side of the schematic. The schematic appears like a bow-tie knot at the centre, with numerous barriers in the pathway starting from the threat up to the consequence (or accident). The barriers on the left-hand side of the top event are aimed at controlling vulnerability and the barriers on the right-hand side are aimed at mitigating the impact of consequences and enhancing resilience (see figure 1). In conventional thinking, barriers consist of technical hardware (for example, safety-critical equipment). But in socio-technical systems, organisational barriers (procedures, rules, etc) and human barriers (decisions, heuristics, skills, etc) play an equally if not more important role. The management and control of barriers is central in the bow-tie framework of risk and safety.
The maritime industry has been swift to embrace bow-ties in recent years. Ships operate as socio-technical systems that are complex and dynamic, given the detached, afloat and mobile nature of capital-intensive assets. Such a model as the bow-tie, it is believed, offers a unique insight into the overall risk picture and serves as a powerful tool for communicating and managing risks. The aim of this article is to provide an insight into the capabilities and limitations of barrier management and bow-tie models as a methodology for managing risks and safety. But first let us start with a brief overview of the basis for this model.
Bow-tie risk and safety management
A common theme in high-risk industries such as the nuclear, aviation, mining and offshore sectors is to manage the hazardous nature of assets. As such, risk management is highly sensitive to major accident hazards that need to be controlled, given the reputational and financial stakes. A distinction is made between frequent low-consequence occupational health and safety issues (OHS) and rare but high-consequence major accident hazards. To this end, the UK’s offshore regulator, the Health and Safety Executive (UK, HSE), like many high-risk industries, has established a clear definition of major accidents in hydrocarbon and processing activities: (a) death or serious personal injury to persons in the vicinity of the installation, (b) major damage to the structure of the installation, (c) collision of a helicopter with the installation, (d) critical failure of diving operations in connection to the installation and (e) death or serious personal injuries to five or more persons in the vicinity of the installation arising from other events, excluding hazards such as slips, trips and falls. Such a clear and detailed definition of what major accidents comprise, as we shall see below, is fundamental to the success of bow-tie methods.
Barrier functionality
In bow-ties, the primary function of barriers is to prevent and mitigate the impact of a top event that may (or may not) lead to a major accident. In the absence of a clear definition of major accidents, the intended functions of barriers in a bow-tie may become less effective. In many cases, there is also a tendency to use generic bow-ties for similar types of top events, i.e. collision, structural failure or grounding within the fleet. But top events can mean different things in different operating contexts. In the case of a container ship, the immediate priority following grounding may be to reduce uneven hull stresses whereas in the case of a tanker it may be to avoid marine pollution. Even with the same type of ship, the priorities may change depending on the operating context. For instance, oil pollution in federal waters will have far-reaching financial and reputational implications. Understanding the dynamic and complex nature of top events is crucial in selecting barriers and setting up barrier functions in bow-tie models.
Barrier reliability
Once the function of the barriers is clearly understood, the next step is to enhance the reliability of barriers. Enhancing the reliability of technical barriers may seem straightforward by simply following good maintenance practice. But in a resource constrained environment, barriers can be pushed to the limits; for instance, maintenance on main engines could become overdue or a fire pump may not deliver the intended pressure after a certain period of time. In such circumstances it is necessary to examine how information from maintenance systems is communicated to the bowtie model in forming a risk picture. In the case of procedural barriers, reliability is contingent on the robustness and continuous updating of procedures. Where procedures cannot be detailed, as in the case of emergency situations, human knowledge and decision-making abilities are barriers in themselves and could be seen as an immense source of resilience. For instance, if the fixed firefighting system or emergency generator fails to start automatically, system resilience is dependent on the crew’s ability to override and switch from autonomous to manual mode. A bow-tie model that encourages a balance between technical, organisational and human barriers is crucial for successful management of safety and risk.
Barrier dynamics
A common assumption in bow-tie models is that barriers are independent of each other and that threats follow a linear path up to the consequences. In practice, barriers are highly interactive and complementary and may not exhibit causal or sequential relationships. If the bilge alarm system fails to go off as intended, it is bound to put increased pressure on evacuation procedures and lifesaving systems. In contrast, performance problems with navigation and collision-avoidance systems may be accounted for in a carefully planned passage that aims to avoid proximity to navigational hazards. A substandard maintenance scheme or design faults may introduce vulnerability into the system and weaken system resilience and recovery in complex ways that linear pathways cannot always explain (see figure 2). Thus, barriers and threats may combine in complex ways to give rise to unimaginable events and consequences.
Conclusion
If not understood correctly, bow-ties may lead to an oversimplifying and misleading risk picture. As a start, organisations need to think carefully in terms of what really matters and needs to be controlled; in other words, there needs to be a clear understanding of major accidents specific to the asset and operating context. This is crucial for setting up barriers and improving barrier reliability. To say the least, investing in or introducing more barriers does not make the system any safer! Equally important is to understand the complex nature of the environment in which the ships operate. Such complexities cannot always be explained using linear or causal models of risk and safety. Metaphorically speaking, the holes in the cheese are not fixed, static or aligned but constantly moving up and down, opening and closing in no particular order or predetermined path. Understanding and appreciating complexity is the first step towards reducing vulnerability and enhancing resilience in socio-technical systems.
Editor’s note: Nippin is presently employed with DNV GL as Principal Surveyor / Safety Management System Specialist. Previously he has worked as a Research Fellow at the University of Nottingham. Nippin is very interested in (socio-technical) systems safety, resilience and risk management and is extremely passionate about linking theories (of safety) with practice. He is an Associate Nippon Foundation Fellow of the Seafarers International Research Centre at Cardiff University. Nippin has spent 11 years at sea, holds a Master’s degree in International Transport and Economics and the highest seagoing qualification of a Master Mariner.
