This paper presents the implementation of a live Bowtie-based barrier management system as a practical application of dynamic risk modeling and visualization in hazardous operations. It aims to demonstrate how the real-time integration of maintenance, operational, and assurance data enables continuous monitoring of barrier health and evolving risk exposure. A key challenge in deploying this system has been the alignment of CMMS data to ensure accurate linkage between equipment data and Bowtie information, as well as defining the business rules to determine barrier health. The tool is currently integrated with the CMMS and Permit to Work systems, enabling live updates and scenario-based tracking. Future enhancements will include integration with additional operational systems (Operational Risk Assessments (ORA), Safety System Isolation Certificate (SSIC), Management of Change (MOC), etc.), further strengthening the system’s ability to model dynamic risk and support proactive safety management.
The live Bowtie tool enables operators to identify vulnerabilities in major accident scenarios by continuously monitoring barrier health and prioritizing critical equipment actions to maintain acceptable risk levels. The overall process follows the Hazards and Effects Management Process (HEMP), applied throughout a unit’s lifecycle to identify and manage potential hazards, including those that could lead to Major Accident Events. The process begins with identifying scenarios that could lead to severe consequences, known as Major Accident Hazards (MAHs). The Bowtie methodology is employed to represent MAH scenarios, identifying the hazard, causes, top event, consequences and barriers to prevent and mitigate major accident scenarios. It effectively communicates how an asset manages the risks associated with MAHs.
Once the MAH scenarios for a unit are identified, they are mapped to the appropriate systems within that unit. For example, a scenario involving hydrocarbon gas loss of containment in the topsides would be linked to relevant systems like gas compression or gas treatment. Each scenario is systematically reviewed to assign it to applicable systems, ensuring proper tracking and management. Systems are then connected to their specific physical locations; for example, the cargo storage system would be mapped to the corresponding cargo oil tank location.
The bowties identify the critical barriers that prevent or mitigate Major Accident Events, as well as the relevant Safety and Environment Critical Elements (SECE) that realize the critical barrier functions. This information is integrated with the Computerized Maintenance Management System (CMMS), which ties each piece of critical equipment to its relevant SECE system, allowing maintenance work order information to feed the appropriate bowtie element according to the scenario it impacts.
Different types of maintenance work orders are considered:
- Preventive maintenance Work Orders are the assurance activities that demonstrate a SECE meets its Performance Standard.
- Failed Assurance Activities (FAA) are raised when an assurance activity fails one of its criteria.
- Breakdown Work Orders are raised when equipment is out of service and under repair.
This information from the CMMS is combined with other data (currently from the Permit to Work system) to compute the health status of each SECE. This important step is achieved by applying business rule sets, which are determined in collaboration between process safety, technical experts and operations personnel.
Each SECE is classified as “local”, “system” or “global” depending on its specificity. This provides a suitable level of granularity to distinguish equipment that covers a whole system from equipment that covers a specific area. For example, a gas detector is classified as local because it protects only a specific location, whereas a lifeboat is global because its impairment impacts the whole FPSO MAH scope.
On the Live Bowtie tool, barriers are color-coded to indicate their conditions ranging from blue (healthy) to red (impaired). Cumulative risk effects can also be managed by setting thresholds and multipliers for each SECE, barrier, threat, and consequence. Thresholds determine when barriers degrade to a point that escalates their status, while multipliers assess the relative importance of the different sub-elements contributing to an element.
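A minimal sketch of how such a roll-up could work, added here as an illustration and not taken from the tool described in this paper: open work orders set each SECE's impairment, the local/system/global scope decides which SECEs count for a given system and location, and multipliers and thresholds turn the weighted result into a colour. The scores, threshold values, intermediate colours, multipliers and all equipment names are assumptions; the real business rules are not given on this page.

```python
from dataclasses import dataclass, field

# Assumed impairment score per open work-order type (0 = healthy, 1 = impaired).
WO_SCORE = {"PM_OVERDUE": 0.3, "FAA": 0.6, "BREAKDOWN": 1.0}
# Assumed thresholds: lowest degradation at which each colour applies.
THRESHOLDS = [(0.75, "red"), (0.40, "orange"), (0.10, "yellow"), (0.0, "blue")]

@dataclass
class Sece:
    name: str
    scope: str            # "local", "system" or "global"
    where: str = ""       # location (local) or system (system); unused if global
    open_wos: list = field(default_factory=list)

    def impairment(self):
        # Assumed rule: the worst open work order drives the SECE's health.
        return max((WO_SCORE[w] for w in self.open_wos), default=0.0)

    def applies_to(self, system, location):
        if self.scope == "global":
            return True
        return self.where == (system if self.scope == "system" else location)

def rollup_status(seces, multipliers, system, location):
    """Weighted degradation of a parent Bowtie element seen from (system, location)."""
    relevant = [s for s in seces if s.applies_to(system, location)]
    total = sum(multipliers[s.name] for s in relevant)
    if total == 0:
        return 0.0, "blue"
    score = sum(multipliers[s.name] * s.impairment() for s in relevant) / total
    colour = next(c for limit, c in THRESHOLDS if score >= limit)
    return round(score, 3), colour

# Constructed sample data, not taken from any real CMMS.
SECES = [
    Sece("gas_detector_A", "local", "compressor_module", ["FAA"]),
    Sece("gas_detector_B", "local", "cargo_tank_3", []),
    Sece("esd_valve", "system", "gas_compression", ["PM_OVERDUE"]),
    Sece("lifeboat", "global", "", ["BREAKDOWN"]),
]
MULT = {"gas_detector_A": 2, "gas_detector_B": 2, "esd_valve": 3, "lifeboat": 1}

if __name__ == "__main__":
    print(rollup_status(SECES, MULT, "gas_compression", "compressor_module"))
    print(rollup_status(SECES, MULT, "cargo_storage", "cargo_tank_3"))
```

The impaired lifeboat, being global, degrades both views, while the failed gas detector only affects the location it protects.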
Finally, this system allows operators to monitor barrier health and assess which situations require an Operational Risk Assessment (ORA) to ensure that risks remain at ALARP levels, supporting effective risk management and system safety across hazardous operations.
As the system is currently live, work is under way to bring additional data from operational systems into the barrier model, such as lessons from incidents and integrity management tools (piping & pressure vessel RBI system, fabric maintenance program, etc.).