Bowtie Analysis and Barrier-Based Risk Management
Every business has legal, economical, and ethical objectives that range from mandatory safety to commercial goals to corporate citizenship. Businesses undertake a certain amount of risk to achieve these objectives. The balance between risk and reward is an ongoing challenge regardless of the activities involved. The bowtie technique can be used to visualize, assess, and manage risk.
ICH Q9 defines risk as “[t]he combination of the probability of occurrence of harm and the severity of that harm,” and defines harm as “[d]amage to health, including the damage that can occur from loss of product quality or availability.”1 ISO 31000 offers a broader definition of risk as the “effect of uncertainty on objectives.”2
Hazards (assets or activities with the potential to cause adverse effects) exist and must be contained or controlled to avoid undesirable outcomes, particularly those that are unexpected. In the pharmaceutical industry, examples of hazards include flammable solvents or dust, and quality failures that lead to material reprocessing or rejection.
Safety, environmental concerns, quality, and asset management are not new topics, and proven standards exist to guide duty holders through their obligations. These can very be difficult to interpret, however, and problematic to implement. It’s also often a challenge to involve all stakeholders.
Bowtie analysis offers a simple but effective method to visualize risk and show that hazards are under control.
How and when the bowtie analysis originated is not completely clear, but the first bowtie diagrams appeared during a lecture on hazard analysis given at the University of Queensland, Australia, in 1979. In the early 1990s, the Royal Dutch Shell Group adopted the bowtie method as the company standard for analyzing and managing risk. Shell conducted extensive research in the application of the bowtie method and developed strict rules for the definition of all parts, based on their best practices. Shell’s primary motivation was the necessity of ensuring that appropriate risk barriers were in place throughout all worldwide operations.
Following Shell, the bowtie method rapidly gained support in the oil and gas industry, as the diagrams helped visualize oversight of risk-management practices. In the last decade, the bowtie method spread to the aviation, mining, maritime, chemical, and health care industries, to name a few.
Bowtie was created by merging two existing risk-analysis tools: fault trees, which illustrated the potential for multiple faults to lead to a single failure, and event trees, which illustrated the different effects that could be predicted from a single event. Together, these form a connected diagram that make relationships more obvious and provide a clear “line of sight” between causes (faults or failures) and effects.
At a high level, the bowtie for a hazard could look like Figure 1.
- 1 International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use. “Quality Risk Management: Q9.” 9 November 2005. http://www.ich.org/fi leadmin/Public_Web_Site/ICH_Products/Guidelines/Quality/Q9/Step4/Q9_Guideline.pdf
- 2International Organization for Standardization: “ISO 31000: 2009—Risk management—Principles and Guidelines.” www.iso.org
Although the number and nature of materials processed in the pharmaceutical and life sciences industries differ significantly from those in the oil and gas field, both use hazardous, flammable, and toxic fluids. The 2012 incident at Neptune Wellness Solutions (formerly Neptune Technologies and Bioresources Inc) showed that on-site fatalities are possible.3 ,8
The uncontrolled release of intermediate/final products, cleaning materials, and utilities is another hazard that can significantly damage the local or wider environment. Failure to operate and maintain a plant properly can also result in costly downtime and equipment repair or replacement. Finally, patient safety is a key driver for quality and reputation—particularly in the age of social media, where bad news travels fast.
The bowtie enhances understanding of industry-specific scenarios and provides clear indication that the safeguards (risk-control measures) are in place and performing. It summarizes and communicates the health (effectiveness) and importance (criticality) of these safeguards to encourage more informed and objective decision-making.
Consider the simple representation shown in Figure 1. When a cause (“threat”) occurs, a fire or explosion is not guaranteed to happen immediately. Controls should be in place to prevent the liquid release—loss of control or containment (“event” or “top event”)—or to mitigate the effects of any release. The route from cause to effect (“consequence”) is therefore not direct, because the path is blocked. This is illustrated in Figure 2 by the Swiss cheese model developed by James Reason.4
The cheese slices represent risk controls, which could be physical (equipment) or procedural (process or behavior). Weaknesses (holes) are either built-in or appear under failure. If the holes align coincident with the threat, an unimpeded path allows the consequences to occur.
A holistic overview of the scenario appears when this linear (one-dimensional) model is translated into a two-dimensional format, with barriers positioned appropriately between threats and the top event (where/when the loss of control or containment occurs) and between the top event and the consequences (where the effects are realized). Representing a risk assessment visually rather than textually helps to focus attention on vulnerable areas—either threats or barriers—that require scrutiny or improvement.
- 3Neptune Technologies and Bioresources, Inc. “Neptune Provides Update on Incident at its Production Plant.” Press release, 12 November 2012. http://neptunecorp.com/wp-content/uploads/press_uploads/2012/2012-11-12%20Neptune%20Press%20Release%20Explosion.pdf
- 8CBC/Radio-Canada. “Neptune at Fault in Deadly Plant Explosion, CSST Rules.” 8 May 2014. http://www.cbc.ca/news/canada/montreal/neptune-at-fault-in-deadly-plant-explosion-csst-rules-1.2636094
- 4Reason, J. Human Error. Cambridge, UK: University Press, 1990.
Consider a familiar application within the pharmaceutical community: a filter dryer and some of the possible risks associated with it (Figure 3).
While a variety of barriers may be in place, they may not be as effective or independent as they appear. The majority could be controlled by the same computer system, for example, or access to susceptible equipment may not be as limited as assumed. Increased inspection combined with enhanced or alternative barriers could ensure that all barriers are underpinned by competent personnel, current procedures, and contemporary maintenance.
The bowtie technique allows even those less familiar with the circumstances to make an intuitive judgement on:
- The number and type of threats that could lead to a flammable liquid release
- The number and type of consequences that could occur following the release
- The number and type of barriers that could prevent a release
- The number and type of barriers that could mitigate negative effects or help recovery from a release
In its current form, the representation provides information to support intelligent risk management for health and safety—the default focus of conscientious corporations. The following risk receptors, however, are also significant:
- Environment: On or off-site natural impact
- Production: Reduced or ceased output
- Equipment: Repair or replacement
- Quality: Recall or reprocess
- Regulatory: Approval or compliance
- Reputation: Public and investor confidence
Robust asset and operations management are at the heart of strong and successful safety, environmental, financial, and quality management. If equipment doesn’t leak or break down, for example, or if people don’t make mistakes, then control or containment is not lost and adverse effects are avoided (or at least reduced).
Not all barriers are created equal, however, and appropriate attention should be given to those that pose a higher risk. Categorizing the bowtie components and then color-coding them helps prioritize risk by providing immediate impact, as shown in Figure 4.
This displays a variety of parameters, each with a key message to help inform decision-making. In simple terms, the robustness of risk (or failure) management can be broken down as:
- Quantity: Presence (how many and where they are located)
- Quality: Performance (how effective they are)
- Diversity: Independence between associated threats and other barriers
Barriers are often classified as:
- People: Personnel who design, operate, maintain, monitor, and manage
- Process: Organizational measures (procedures)
- Plant: Technical measures (equipment or structures)
These can be considered in several additional ways:
- Too few barriers may suggest inadequate protection, but too many may be excessive and costly
- Barriers that rely heavily on human interaction (operation) or intervention (maintenance) are typically weaker than more passive barriers and often have a lower lifetime cost
- All eggs in one basket: If one party (role) is responsible for multiple barriers, or if technology (e.g., electrical) is applied within several barriers, the absence or reduced performance of that single element can have widespread effects
- Barrier criticality (requirement) and effectiveness (achievement) are of major concern when a high criticality is combined with low effectiveness.
In Figure 4, the barrier types are categorized as:
|Red||Safety instrumented functions/systems|
|Pink||Human action or response|
|Cyan||asic process control system|
|Yellow||Control of ignition sources (electrical and mechanical)|
Colors also categorize barrier effectiveness:
Threats can be classified as:
- Type: Equipment failure, control malfunction, human error, or external/environmental influences
- Contribution: Anticipated scale of possible effects
- Frequency: How often the threat is likely or is known to occur
Two colors categorize threat types:
- Pink Human acts or omissions
- Cyan Basic process control system
Since prevention is better than cure, attention should focus on threats with high contribution and high frequency. A quick scan of threat types related to human factors or errors, for example, can reveal where more training is required. Other approaches could be adopted for predominately computer-related threats, as is the case in Figure 4.
At the end of the scenario, consequences might be classified by:
- Category: The predominant risk receptor or scale of concern related to the consequence
- Type: The urgency of response required if/when the consequence occurs
- Risk: A combination of the severity and likelihood of the inherent (unmitigated, no barriers) and residual (mitigated, with the barriers) risk
Consequences are categorized using the following colors:
|Red||Health and safety|
|Grey||Commercial (asset or production)|
More attention should be paid to consequences of major concern and/or those with the highest (mitigated or unmitigated) risk, since the barriers associated with these scenarios are neither actually or potentially effective in the overall risk-reduction strategy.
Bowties offer the following advantages:
- Visualization and communication: Knowing, showing and sharing the basis of integrity
- Risk-based decision-making: Are there enough barriers to mitigate the risk appropriately?
- Barrier dependency visualization: What if the resource responsible for multiple barriers is compromised, e.g., the engineering manager is ill or power is lost?
- Display risk assurance: How are the barriers performing?
- Informed decision-making (change management): What happens if a barrier is removed or degraded?
- Risk-based management: Identification, analysis, evaluation, and treatment
An alternative view on risk management could simply be “failure management.” Failures often begin as threats that start a chain of undesirable events; they must be stopped or slowed by measures that themselves have the potential to fail.
New projects may be able to implement additional barriers. Established facilities may only be able to improve existing barriers. When resources are limited, management must be confident that they are investing in improvements (training, maintenance, inspection, etc.) that can deliver results.
The pharmaceutical industry is not unfamiliar with hazard and risk analysis tools and techniques. The most common, from ICH-Q9, are listed below.1
- Failure mode effects analysis
- Failure mode, effects and criticality analysis
- Fault tree analysis
- Hazard analysis and critical control points
- Hazard operability analysis (HAZOP)
- Preliminary hazard analysis (PHA)
A more extensive list is available from the Center for Chemical Process Safety.5
All these methods have strengths and weaknesses, which are documented in a UK Health and Safety Laboratory research report.6 HAZOP, for example, is a widely used hazard-identification methodology; it is not effective in identifying where multiple cause can lead to the same consequence, however.
Bowtie analysis is not intended to replace existing tools and techniques, but to enhance them by helping those involved in the original identification or analysis studies to confirm their discussion, and those not involved in the studies (but still responsible for managing risk) to understand and address relevant issues.
One major limitation of most common techniques is that they are typically performed by specialists and documented in a technical language and format that does not easily support communication and ongoing collaboration. The UK Health and Safety Executive recognizes that a barrier (bowtie) approach is a useful tool in communicating major hazards information to the workforce.7
The clarity that bowties provide can also be used to validate existing studies more efficiently, e.g., to identify errors or omissions in the causes, effects, and control measures associated with particular scenarios. This is a key issue in high-hazard facilities that are mandated to revisit their PHA or HAZOP every five years under regulations such as the US Occupational Safety and Health Administration or the Seveso Directive.
“Bowtie analysis offers a simple but effective method to visualize risk and show that hazards are under control”
The simple diagrammatic representation of a process or plant provides an effective, transferrable platform for knowledge that passes from the designers to those who build, operate, maintain, and monitor these facilities. This knowledge is challenged by a series of qualification activities at key stages.
- Design qualification (DQ): Does the proposed design of the barrier meet the intended purpose?
- Installation qualification (IQ): Has the barrier been installed correctly?
- Operational qualification (OQ): Is the barrier capable of operating within established limits?
- Performance qualification (PQ): Does the barrier perform effectively and reproducibly?
These physical, functional, and procedural barriers can also be applied to change management in which people adapt, processes or plants are modified, and the effects of change must be evaluated and addressed.
Ongoing assurance that the barriers are still present (IQ) and performing (OQ/PQ) can be confirmed by regular inspection and auditing, with the results shown (or suitably summarized) to highlight vulnerabilities. In fact, since many facilities or processes utilize familiar equipment (often from the same manufacturer) it is prudent to develop a bowtie template
for that equipment or unit operation with the actual or ideal barriers in place. This can become a stencil for other instances of the same (or similar) equipment/operation, and can be surveyed to determine if the barriers meet—or exceed, which may suggest overengineering—the protection model.
Such an approach can be deployed across an organization to highlight inconsistencies and provide justification for improvement (and subsequent investment).
Most organizations find it a challenge to learn from incidents, often because the post-event analysis does not produce high-quality but realistic recommendations that could change the organization for the better. To uncover the lessons that should be learned on both organizational and operational levels, it’s crucial to untangle the event. A sensible starting point is to establish how it happened, then consider which barriers should have prevented it.
Once the barriers have been mapped onto the incident timeline, their states can be determined as:
- Effective: Functioned as planned and stopped the next event in the incident scenario
- Unreliable: Stopped the next event in the incident sequence, but the organisation is uncertain if it will do so in the future
- Inadequate: Functioned as intended by its design (envelope), but was unable to stop the sequence of events
- Failed: Implemented, but did not function according to its intended design
- Missing: Described in the organization’s management system or was considered an industry standard, but it was not successfully implemented
From this, a corrective and preventive action strategy can be developed with due attention to barriers to prevent the incident (and similar events) from occurring. The bowtie analysis should then be updated with a range of prioritized solutions:
- Short term (barrier level): Improve barrier quality before resuming operations
- Medium term (barrier level): Add barrier at earliest opportunity
- Long term (organizational level): Correct management system / underlying cause
Bowties are a proven method in a wide variety of high-hazard/-risk industries that are used to visualize the integrity of the business from equipment all the way up to the enterprise. Bowties complement and supplement existing hazard identification and risk-analysis tools to create a framework for ongoing risk management. They offer user-friendly engagement and empowerment from the board room to the control room and can provide a live source of knowledge and understanding that underpins all critical decisions. Bowties assist with audits, inspections, and assessment to confirm actual vs. assumed barrier presence and performance, threat frequency, and consequence severity. Finally, they support incident investigations by indicating what the barriers should have done and what they actually did (or did not) do.
- 5American Institute of Chemical Engineers. CCPS Guidelines for Hazard Evaluation Procedures. Hoboken, New Jersey: John Wiley & Sons, 2008.
- 6UK Health and Safety Laboratory. “Review of Hazard Identification Techniques.” 2000. http://www.hse.gov.uk/research/hsl_pdf/2005/hsl0558.pdf
- 7Trbojevic, Valdimir M. "Optimising Hazard Management by Workforce Engagement and Supervision." Research Report RR637. Prepared by Risk Support Limited for the Health and Saftey Executive. 2008. http://www.hse.gov.uk/research/rrpdf/rr637.pdf