2017 Middle East Process Safety Conference
Representing Human Factors in Bowties as per the new CCPS/EI Book
In bowties, barriers are in place to stop the threat leading to the “top event” or to prevent the top event leading to catastrophes. These barriers are either passive barriers (e.g. crash barriers, bunds), continuous barriers (e.g. ventilation) or active barriers. Active barriers need to have separate elements to “detect” the threat, “decide” what to do about it and “act” to stop the trajectory. This means that typical human factors aspects such as “training”, “competence”, “safety culture” or “leadership” cannot appear by themselves as barriers on the main threat line. Instead, they are essential to ensure the correct operation of the barriers. As such, they appear as safeguards on the degradation factors that affect a barrier.
Almost everyone agrees that a positive safety culture, process safety leadership, etc. are needed for the safe operation of a facility. There is, however, currently no clear way of demonstrating how these aspects prevent the fatalities from a major accident. The approach described in this paper uses multiple layers of bowties to demonstrate the clear link between these human factors and preventing major accidents. Sharing these bowties with operators would support positive safety culture efforts.
There are four important premises addressing human factors in bow tie analysis:
- In basic (“Level 0”) bowties, human error should preferably not be directly modelled as a threat that can lead to a top event. The threats are inherent threats arising from the operation.
- Active barriers, with detect, decide and act components, very often involve humans in one of the elements, and so it is important to understand how these degrade the barrier.
- Mechanical failures and human errors can defeat or degrade these barriers. Safeguards then need to be put in place to mitigate the risk and to prevent this from happening. The term “safeguard” is used to denote those controls not meeting the full requirements of an active barrier.
- Most of the controls that organisations use to minimise human error cannot meet the criteria necessary to be considered active barriers in their own right (effective, independent and auditable). They are, nevertheless, very important safeguards for managing the risk of human error degrading the performance of active barriers. Safeguards can range from local warnings and signs, the design and implementation of alarms and the human-machine interface to control systems, through Job Design, operating procedures and cross-checking practices, to Stop Culture (the willingness of front-line personnel to stop work if they have any concerns over safety), Leadership, etc.
- More detailed bowties (referred to in this paper as “level -1”, “level -2”, etc.) can be developed focusing on understanding how those safeguards, the human and organizational controls, can themselves be degraded or defeated. Typically two levels will be needed (i.e. the top level, which identifies the main barriers, and level -1, analysing human error as a degradation factor for the top level barriers).
The paper uses a Buncefield-type scenario of overfilling a fuel storage tank as an example to illustrate the application of this approach.