Active BowTie software is software for Bowtie Diagramms. This is the user manual. It contains some good definitions rega...
MANUAL
Active Bow Tie A tool for displaying and improving hazard analysis and energising safety management
Risk Support Risk Management Consultants Flat 26 74 Arlington Avenue London N1 7AY United Kingdom Telephone +44 (0)20 7226 0891 Mobile +44 (0)7733 441 405 Email
[email protected] http://www.risk-support.co.uk
MANUAL
Active Bow Tie A tool for displaying and improving hazard analysis and energising safety management November 2014 Version 1.7c
Revision
Date
Approved
1.1
February 2004
V.M. Trbojevic
1.5
June 2004
V.M. Trbojevic
1.7
July 2007
V.M. Trbojevic
1.7c
November 2014
Licence free version
CONTENTS 1
INTRODUCTION ................................................................................................................. 1 1.1 1.2 1.2.1 1.2.2 1.2.3 1.3 1.3.1 1.4
2
STARTING ............................................................................................................................ 8 2.1 2.2 2.3 2.4 2.4.1 2.4.2 2.4.3 2.4.4 2.4.5 2.4.6 2.4.7
3
INSTALLING ACTIVE BOW TIE ........................................................................................ 8 USER MANUAL ............................................................................................................... 8 SETTING UP A NEW CASE/DATA FILE............................................................................. 9 DEFINING REFERENCE DATA ........................................................................................ 10 Personnel ................................................................................................................ 10 Competencies .......................................................................................................... 11 Effectiveness............................................................................................................ 11 Activity Categories.................................................................................................. 12 Frequencies............................................................................................................. 12 Control Types.......................................................................................................... 12 Risk Matrix.............................................................................................................. 13
HAZARD ANALYSIS ........................................................................................................ 16 3.1 3.2 3.3 3.4
4
BACKGROUND ................................................................................................................ 1 DESCRIPTION OF BOW TIE ANALYSIS ............................................................................. 2 Hazard Analysis ........................................................................................................ 2 Process Model........................................................................................................... 4 Linking Risk and Process Models ............................................................................. 4 INTEGRATED SAFETY MANAGEMENT SYSTEM ............................................................... 4 Risk Evaluation ......................................................................................................... 5 DATABASE STRUCTURE .................................................................................................. 6
HAZARD CATEGORIES AND TOP EVENTS ...................................................................... 16 THREATS AND CONSEQUENCES .................................................................................... 17 BARRIERS AND BARRIER DECAY MODES...................................................................... 18 RISK ANALYSIS ............................................................................................................ 20
ACTIVITIES AND TASKS................................................................................................ 22 4.1 ACTIVITIES ................................................................................................................... 22 4.2 TASKS ........................................................................................................................... 23 4.3 ADDITIONAL ACTIVITY INPUT ...................................................................................... 24 4.3.1 Objectives................................................................................................................ 25 4.3.2 Management Actions............................................................................................... 25 4.3.3 Inputs....................................................................................................................... 25 4.3.4 Outputs.................................................................................................................... 25 4.3.5 Performance............................................................................................................ 25 4.3.6 Deficiencies............................................................................................................. 26
5
LINKING TASKS AND CONTROLS .............................................................................. 27
6
REPORTS ............................................................................................................................ 30 6.1 DISPLAYING INFORMATION IN BOW TIES ..................................................................... 30 6.1.1 Box Style.................................................................................................................. 30 6.1.2 PEAR....................................................................................................................... 30 6.1.3 Barrier Effectiveness............................................................................................... 30 6.1.4 Barrier Post Indicator............................................................................................. 30 6.2 REPORTS ....................................................................................................................... 31
Risk Support Ltd.
i
Active Bow Tie Manual v1.7c
7
PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC............................. 36 7.1 7.2 7.3
BOW TIES ...................................................................................................................... 36 COPYING, PASTING AND DELETING .............................................................................. 36 REORDERING ................................................................................................................ 36
Risk Support Ltd.
ii
Active Bow Tie Manual v1.7c
1
INTRODUCTION
1.1
Background Bow tie approach1 was originally devised to energise the safety management system. The theory behind the bow tie approach can be found in the “Swiss cheese model” of Reason2. The approach is mostly used in the hazard identification and the development of the hazard register, to link hazard barriers and operational systems and procedures in place to eliminate the hazard or reduce its frequency of occurrence, or mitigate its potential consequences. As such it also a hazard and risk control display tool. A more mature extension of the approach was based on a desire to overcome the following shortcomings in a safety case regime: 1.
2.
3.
1 2
The transfer of information from hazard and risk analysis through to the workings of the management system (i.e. to operations) has been insufficient. This means that link between the major accident hazards and the safety management system (SMS) is not usually explicitly presented. The emergency response plans typically provide the chain of communication in an emergency, the organisational structure, tasks of responsible persons, and the list of actions to be carried out in the event of a specific emergency situation following a major hazard event. A link between the technical system descriptions in the Safety Report, and the demonstration of the working of the management system in the context of major hazard control, is usually missing. This is not unusual because the methodologies for hazard analysis and risk assessment, in general, do not deal with the complex technical and organisational systems in a unified manner. The Quantitative Risk Assessment may take into account operator error in the causation part of the assessment, while it is rare to account for human factors in the escalation part of the assessment, unless a specific operator action is intended to be a safety barrier. However, even then, the quality of organisation and management is not accounted for. For example, to incorporate the “probability of partial malfunction of the emergency system” is unheard of. This does not mean that the quality of organisation, or “organisational factors” cannot be evaluated; they can be accounted for in the overall shifting of the risk profile or the scaling of the failure rates. The operational process model may be established for the purpose of quality management system, but not for the purpose of major hazards and the SMS. There is, in general, a “fuzzy” link between the hazards and operational activities and tasks, and even “fuzzier” link between risk controls and operational tasks.
Shell International Exploration and Production BV, Thesis HSE Manual, EP-95 0323, 1995. James Reason, Human Error, Cambridge University Press, 1990.
Risk Support Ltd.
1
Active Bow Tie Manual v1.7c
1.2
Description of Bow Tie Analysis
1.2.1
Hazard Analysis In this example, Figure 1.1, hazard is derailment and hazard realisation is the top event “passenger train derailment”. The threats (that can lead to the top event) are “obstruction on tracks”, “rolling stock faults”, “track faults”, etc. The possible consequences of this event could be “injuries and fatalities”, “damage to trains and tracks”, etc. Figure 1.1
Derailment Bow tie
To protect from threats, barriers are provided (denoted by a box with a thick black bar on the right), Figure 1.2. The barriers against “obstructions on tracks” are to “ensure operational tracks” and “regular track inspections”. However, the barrier “ensure operational tracks” may decay because of the “inadequate maintenance”, or may fail due to “obstructions due to track maintenance”. This barrier decay/failure mode3 is denoted by the box with the thick red line at the bottom. If the barrier decay/failure mode is identified than it may be required to provide a secondary barrier to prevent the decay/failure mode. These secondary barriers reinforce primary barriers (which protect from threats). The numbers of the primary and secondary barriers are governed by the risk acceptance criteria.
3
Barrier decay/failure mode is also called “Escalation factor” (e.g. in Thesis)
Risk Support Ltd.
2
Active Bow Tie Manual v1.7c
Figure 1.2
Barriers and Barrier Decay/Failure Modes Obstructions on tracks
Inadequate maintenance
Ensure operational tracks X1 / A.01.01
Regular track inspections X2 / A.02.01
Procedural review Y3 / B.03.01
Obstructions due to track maintenance
Vandalism
Check materials are not left on tracks V1 / B.01.01 D Derailment
Drivers report obstructions
D.01 Passeger Train Derailment
Z1 / C.01.01
Trees or blown objects on tracks
Drivers report obstructions Z1 / C.01.01
Track faults
Risk Support Ltd.
3
Rolling stock faults
Ensure sound rolling stock
Ensure quality of tracks
Regular track inspections
Active Bow Tie Manual v1.7c
The barriers with different coloured bars on the right hand side are intended to represent different type of barriers, or groups of workers, subcontractors, etc. Similarly, if all barriers are breached, and the top event (loss of control) is reached, then (protection / mitigation) barriers should be provided to protect from top event and/or mitigate unwanted consequences. These barriers and their decay/failure and are treated in the similar way as the barriers on the left-hand side of the bow tie. 1.2.2
Process Model In parallel with the bow tie risk analysis, the “systems model” is developed which describes all processes of the Company. Furthermore a set of activities and tasks are identified required to keep the “process” functioning on a daily basis. For each activity and each task within an activity responsible persons is identified. The duty of a responsible person is to carry out the task/activity in a specified manner and record any deviations. The development of the process model is iterative and in many cases the risk model drives the new tasks and vice versa.
1.2.3
Linking Risk and Process Models In the next step the tasks are matched to the barriers. This means that for each barrier there should be a task the purpose of which is to ensure that the barrier is operational at all times. This process is also iterative and may require some “matching” before a proper link between the task and the barrier is established. In Figure 1.2, in the lower part of the barrier box, the post indicator of the responsible person (or contractor’s organisation) and the corresponding tasks shown (e.g. X1, X2, Y1, etc denotes personnel group and position, and “A.01.02” denoted task 2 of activity A.01). As mentioned before the development of bow tie risk model and the corresponding process model proceeds in an iterative manner. The activities and tasks taken to ensure that risk controls are effective at all times are called “safety-critical”. An activity comprises a set of tasks with the same management objective.
1.3
Integrated Safety Management System The operational part of the safety management system (SMS) can now be developed as a natural extension of the above approach. In fact, each activity with its set of tasks represents a “procedure” in the old sense, except that each task is “hard wired” to the corresponding risk barrier. Therefore to close the continuous improvement loop, the following components of the SMS, shown in Figure 1.3, are added:
• •
Management objective for the activity and action required to implement it, Performance indicators and criteria for measuring the execution of tasks,
Risk Support Ltd.
4
Active Bow Tie Manual v1.7c
• •
Feedback loop for the improvement and operational changes, Input and output for the activity; for example, if the absence of a written procedure could result in infringement of the safety policy or breaches of legislative requirements or performance criteria, then the additional procedure represents an input for the activity. Similarly, output from an activity may represent the input for another activity, etc.
Figure 1.3
Safety Critical Activity MANAGEMENT OBJECTIVES
PLAN
MANAGEMENT ACTIONS
REVIEW & IMPROVE
FEEDBACK
DO
INPUT / PROCEDURES
ACTIVITY
CHECK
Task i
Barrier l
Task j
Barrier m
Task k
Barrier n
OUTPUT
PERFORMANCE CRITERIA
PERFORMANCE INDICATORS
In associating tasks with risk controls, distributing responsibilities, defining objectives and the sources and means of measurement, the integrity of the management system is demonstrated. A similar approach can be utilised to extend the safety management system to cover the management and organisational aspects. 1.3.1
Risk Evaluation Risk evaluation is carried out by assessing the likelihood and the severity of consequences using either risk matrix approach, or the results of quantitative risk analysis. Typically these risk can be low (acceptable), medium (tolerable if reduced to be As Low As Reasonably Practicable – ALARP) and high/intolerable (operation is not allowed). The evaluated risks are then assessed against risk acceptability criteria. Risk criteria are developed in terms of the required number of barriers for each risk level. Risk criteria can also be formulated in conjunction with safety rating or the effectiveness of risk controls which depends on the barrier effectiveness, availability, independence, means of control over barrier, etc. An example of risk criteria without barrier rating is presented in Figure 1.4.
Risk Support Ltd.
5
Active Bow Tie Manual v1.7c
Risk reduction is then carried out in accordance with the risk tolerability doctrine, or the national safety legislation, etc.
Figure 1.4
An Example of Risk Criteria
Region
ALARP
Criteria 1
Requires a minimum of two rimary barriers in place for all threats
2
Requires a minimum of one primary barrier (recovery measure) for identified consequence
3
Requires a minimum of one effective control in place for all barrier decay/failure modes
1
Intolerable 2 3
1.4
Requires a minimum of three primary barriers in place for all threats Requires a minimum of two primary barriers (recovery measures) for each identified consequence Requires a minimum of one secondary barrier in place for all barrier decay/failure modes
Database Structure The data structure in Active Bow Tie starts with the Study (or Safety Case) which covers one or several Locations. Each location is exposed to Hazards and has an Activity Set. A set of Hazards comprises of one or several Hazard Groups, each of which is mapped into one or several Top Events. Each Top Event can be triggered by a set of Threats (within a Threat Group), and to prevent hazard realisation Barriers are put in place. Factors that can reduce barrier effectiveness called Barrier Decay Modes (B.D.M.). To protect the barriers from this decay modes the Secondary Barriers can be specified. Escalation from Top Event can lead to a Consequence Group containing one or several unwanted Consequences. There are Barriers in place top protect from top event and mitigate the consequences. These barriers can be associated with the barrier decay modes, which are controlled by secondary barriers. Each Activity Set contains one or several Activity Groups each of which comprise one or several Activities. Each Activity comprises of Tasks, some of which are safety critical; i.e. the purpose of those tasks is to ensure that barriers are operational at all times. An activity also comprises of the associated safety objectives, management actions, input, output, performance indicators and criteria
Risk Support Ltd.
6
Active Bow Tie Manual v1.7c
(Figure 1.3). A graphical representation of the data structure is presented in Figure 1.5. Figure 1.5
Database Structure
Study Location Hazards Hazard group 1 Top event 1 Threat group Threat Barrier Task
Barrier decay mode Secondary barrier Task
Barrier 2 Task
Barrier decay mode Secondary barrier Task Secondary barrier Task
Threat Consequence group Consequence Barrier Task Top event Hazard group Activity set Activity group Activity
Objectives Objective Objective Management actions Action … Inputs Input … Outputs Output … Tasks Task Task Task … Performance Indicator … Deficiencies Deficiency …
Activity Activity group Location Etc.
Risk Support Ltd.
7
Active Bow Tie Manual v1.7c
2
STARTING
2.1
Installing Active Bow Tie To install Active Bow Tie unzip the file abt.zip which contains the installation tool Install-ABT.exe. Double click on the file Install-ABTv1.7.exe and the software will be installed in the subdirectory called “Active Bow Tie v1.7” created within the directory “Program Files”. An icon will also be created on the desktop depicting a bow tie. Licence for running Active Bow Tie is no longer required, i.e. the use of the program is free. Just double click on the ABT icon and the welcome screen, Figure 2.1, will appear. Figure 2.1
Welcome Screen
Click on the welcome screen and you will see the prompt to open a file. Click on Cancel and you will be in ABT window. Important notice: •
2.2
The file “blank data.mdb” is a database template and should not be deleted. ABT cannot work without this file. This file will be placed in the Active Bow Tie directory.
User Manual The chapters of this manual are listed in Help on the menu bar. Click on Help and then click on a chapter you would like to read or print (for this you will need Acrobat Reader).
Risk Support Ltd.
8
Active Bow Tie Manual v1.7c
2.3
Setting Up a New Case/Data File Navigate in the Open window to find the previously developed database files. You may wish to start from example.mdb file (in C:\Program Files\Active Bow Tie v1.7), highlight it and click OK. For creating the new case click on Cancel in the Open window, and the Active Bow Tie main window will appear, Figure 2.2. Figure 2.2
Active Bow Tie Main Window
Clicking on File and then on New, triggers a Save As window where the name of the new database file can be specified (e.g. example). The corresponding path and the file name will then be displayed on the title bar (Figure 2.3). To set up a new case click on Misc and choose New Case and specify the name of the case (e.g. Safety Case) which will be displayed in the tree window. To specify locations considered in the case, right click on the case name (Safety Case), choose New and specify location parameters and name (e.g. Plant). Let us assume that the Safety Case covers two locations, then repeat the previous steps and set up another location called Office.
Risk Support Ltd.
9
Active Bow Tie Manual v1.7c
Left click on the plus sign on the left hand side of the locations will display the Hazards and Activity Groups for each location, and the tree in the left window will look as shown in Figure 2.3. Figure 2.3
2.4
Setting Up the Case and Locations
Defining Reference Data The Reference button on the menu bar displays a drop table with the following data categories:
2.4.1
Personnel Information about plant personnel is required for the completion of the activities and tasks, and not necessarily for the hazard identification. Personnel information comprises the following: 1.
2. 3.
Post. Ind. – or post indicator; this information will be printed out once the tasks are linked to the barriers and therefore the shorter post indicator is better. Description – position of the person/operator. Name – name of the person (not used at the moment).
Tab can be used to move across to a next box. The list of personnel can be extended by clicking on the Add button, Figure 2.4.
Risk Support Ltd.
10
Active Bow Tie Manual v1.7c
Figure 2.4
2.4.2
Personnel Input Window
Competencies Not used at this stage.
2.4.3
Effectiveness Implies the barrier effectiveness and can be displayed in the barrier box. After typing the first one, click on the Add button for the next one, Figure 2.5. To display this information tick the Barrier effectiveness in the View menu. Figure 2.5
Input Window for Effectiveness
Risk Support Ltd.
11
Active Bow Tie Manual v1.7c
2.4.4
Activity Categories Not utilised at this stage.
2.4.5
Frequencies The frequency relates to how often the task is carried out and can be specified descriptively and by its value, Figure 2.6. Clicking on Add generates a new input row. Figure 2.6
2.4.6
Task Frequencies Input Window
Control Types The information about controls (primary and secondary barriers) needs to be provided if the classification of controls is required. There are no rules on classification of controls, for example, one may wish to distinguish controls operated by different sections within one organisation, or to establish engineered, procedural and human barriers, etc. Each control type can be recognised by a coloured bar on the right hand side of the control box, Figure 2.7. Colour of the barriers can be changed from a default black colour by a left click on the right hand side of the middle box and then choosing a desired colour from the colour palette (for example, three colours: black, blue and green were chosen, Figure 2.7).
Risk Support Ltd.
12
Active Bow Tie Manual v1.7c
Figure 2.7
2.4.7
Control Types Input Window
Risk Matrix Risk assessment in Active Bow Tie is carried out by the use of risk matrix shown in Figure 2.8. There are maximum six categories of accident likelihood and consequence severity. In the example shown in Figure 2.8 a 5 x 5 matrix is displayed, starting with the likelihood “extremely unlikely” (i.e. 10-7), to “frequent” (10). The five categories of consequences (impact on workers or the general public) start from “minor injury” to “many fatalities (5 or more)”. By assigning letters to the likelihood categories from A to E, and numbers from 1 to 5 to consequence severity, the risk values (likelihood x consequence severity) are as shown in the matrix in Figure 2.8. Figure 2.8
Risk Matrix
Risk Support Ltd.
13
Active Bow Tie Manual v1.7c
To change risk values, left click on the field and its value will appear in the Text box in the upper left corner. Type the value or a code of your choice and click OK; the value/code will appear in the field. If the numerical values are used for both likelihood and consequence categories, e.g. 0 to 5, these are usually interpreted to represent the logarithmic scale (i.e. order of magnitude difference) and the risk values are evaluated by adding the corresponding likelihood and severity numbers (and not by multiplying which is a very common mistake). To change the colour of the risk regions, left click on the field and then left click on one of four colours on the left hand side of the risk matrix window. At this stage only the shown four colours are available for this purpose. It should be noted that the risk tolerability doctrine in the UK identified three regions of risk: 1. 2.
3.
Intolerable region (red) were risk could not be justified except in extraordinary circumstances. This means that a facility cannot operate. Tolerable region (yellow) in which risk is tolerable only if risk reduction is impractical or if its cost is grossly disproportionate to the improvements gained. Broadly acceptable region (white) where it is necessary to maintain assurance that risk will stay at this level.
The fourth colour (blue) has been added (without defining the risk management action) to allow more complicated risk criteria to be utilised. The example in Figure 2.9 shows an additional range has been added in which the management action is to improve public relations. Risk matrix for injuries and fatalities (P) has been shown in Figure 2.8. By clicking on the button on the right hand side of the box with People inside, three more types of risk are available:
• • •
Risk of damage to the environment (E), Risk of asset loss (A), and Risk of loss of reputation (R).
Note: Text in the risk matrix (Figure 2.8) denoting likelihood and consequence severity, and the notation for the fields in the matrix (A1, B2, etc) can be changed in the project database file (e.g. in “example.mdb”) by opening the database file in MS Access (2003) and implementing changes in relevant tables (riskCat, riskLabel and riskMatrix). Do not forget to save the file before changing it! An example of such changes can be seen in Figure 2.9.
Risk Support Ltd.
14
Active Bow Tie Manual v1.7c
Figure 2.9
Risk Matrix for Loss of Reputation
Risk Support Ltd.
15
Active Bow Tie Manual v1.7c
3
HAZARD ANALYSIS
3.1
Hazard Categories and Top Events A hazard is a situation or a condition with the potential to harm the people, the environment, assets and reputation. The hazards are classified for each location into hazard categories, for example, external, internal, etc, and then each hazard category is mapped into a number of representative accidental events also called top events. Top event is usually defined as the loss of control point, or the point of hazard realisation. To generate hazard categories right click on Hazards in the tree window and then left click on New and the hazard input window will appear. Then specify the hazard group code and its name, for example, E and External hazards, and click on OK. The hazard group will appear in the tree window. Left click on the External hazards and choose New to generate a top event. Note that the code for the event will be the hazard code and an automatically generated sequential number. Just add the name of the top event, Figure 3.1. Figure 3.1
Top Event Input Window
Now left click on the Top event and the top event circle will appear in the graphics window, Figure 3.2.
Risk Support Ltd.
16
Active Bow Tie Manual v1.7c
Figure 3.2
3.2
Hazard Categories and Top Events
Threats and Consequences Left click on the plus sign by the top event to reveal the Threats and the Consequences. From this point there are two ways of generating threats and consequences, as follows: 1.
2.
In the tree window, lift click on Threats to highlight it, and then right click to get a menu, then left click on New to get the threat window, Figure 3.3. As soon as the threat is specified, the “ear” on the left hand side of the top event circle becomes shaded. This means that there is more information that has not been displayed in the graphics window. Clicking on the same ear contracts the bow tie. In the graphics window, right click within the top event circle and choose from the drop down menu, in this case New Threat which triggers the threat window to appear, Figure 3.3.
The code for a threat is just a sequence number which is automatically generated but can be changed manually if the reordering of threats is required. The other buttons and check boxes will be explained at the later stage. The consequence generation is carried out in the same manner, for example by a right click within the tope vent circle, left click on New Consequence in the dropdown menu and the Consequence widow will appear.
Risk Support Ltd.
17
Active Bow Tie Manual v1.7c
Figure 3.3
3.3
Threat Input Window
Barriers and Barrier Decay Modes Barriers can be generated by a right click on the corresponding threat either in the tree or the graphics window and then choosing New. The input window is shown in Figure 3.4. Barriers (control) type and the effectiveness can be chosen from the drop down list if required. The barriers that prevent threats, protect people (assets, etc.) and mitigate consequences are also called primary barriers. Figure 3.4
Barrier Input Window
Risk Support Ltd.
18
Active Bow Tie Manual v1.7c
The mitigation barriers (on the right hand side of the top event) are generated in the exactly same manner, except that the title on the input window is Recovery Measure otherwise it is identical to that in Figure 3.4. These barriers are also called recovery measures. Each barrier can have one or decay/failure modes. A decay/failure mode is used to represent the condition which can lead to barrier erosion, ineffectiveness or failure. For example, insufficient maintenance, inadequate procedure, etc. can be described with barrier decay modes. Barrier decay mode is generated in the same way as the barriers (right click on a barrier box and choose New), except that its input window is identical to one for a threat (Figure 3.3). Barrier decay mode can be controlled by one or several secondary barriers which serve as means/systems that can prevention decay and erosion (right click on a barrier decay mode box and choose New). It should be noted that most risk acceptance criteria for bow tie risk analysis require at least one control for each identified barrier decay mode. Assuming that a barrier decay mode was identified for the engineered Primary Barrier 1.1 (Figure 3.5), and that the secondary barrier (Secondary Barrier 1.1.1.1) is generated (as a human control), then the Active Bow Tie screen would look as shown in Figure 3.5. The Consequence 1 and the corresponding Primary Barrier 1.2 (Recovery Measure) were also generated. Note the different colours of controls. Figure 3.5
Active Bow Tie Screen after Generation of Controls
It should be noted that the font size and the scale have been changed so that the bow tie would fit in the graphics window and that the titles of the boxes would be readable. To change the font Size left click in the corresponding box and type the size of your choice, then press Tab key. The same procedure applies to Scale. Font type can be changed by choosing from the drop down list (left click on Font).
Risk Support Ltd.
19
Active Bow Tie Manual v1.7c
3.4
Risk Analysis Risk evaluation is carried out by assigning severity and the likelihood category to each consequence. To do so right click on a consequence box and choose Edit. This will display the consequence input screen. Now click on Assess Risk to display the risk matrix. In the risk matrix left click on the field which corresponds to evaluated likelihood and consequence severity category, for example, “unlikely (0.1)” and “major injury” (corresponds to D3), Figure 3.6, and then click on OK. This process is the repeated for all types of risk and all consequences if required. Figure 3.6
Risk Evaluation
Now left click on Hazards (below Plant), and the graphics window will display the risk register. Left click on the top event in the top table and the results of risk evaluation will appear in the bottom table, as shown in Figure 3.7. Figure 3.7
Risk Register
Risk Support Ltd.
20
Active Bow Tie Manual v1.7c
The risks can also be displayed in the consequence boxes of the bow tie. To do this, got to the View menu, and tick PEAR and the evaluated risk will be displayed as shown in Figure 3.8. The risks are displayed in the PEAR order (people, environment, assets, reputation). Figure 3.8
Displaying Evaluated Risks
Risk Support Ltd.
21
Active Bow Tie Manual v1.7c
4
ACTIVITIES AND TASKS
4.1
Activities The activity structure is conceived to comprise of an activity set for each location, each of which can be further subdivided into activity groups and activities. An example of an activity group is Operational activity which can comprise of several activities such as import product, operate process units, operate storage facilities, export products, laboratory/sampling activity, etc. The activity structure reflects the overall organisation of the facility. However there are two ways forward from this point, as follows: 1. 2.
For the hazard analysis study an overall breakdown of activities is usually sufficient. For the bow tie risk analysis and the development of an integrated safety management system (iSMS), the detailed task breakdown is required. These details have to reflect the day-to-day tasks of personnel, and this development is of iterative nature since tasks have to align with risk controls.
To generate an activity group left click on the Activity Groups in the tree window and choose New and input the data in the activity window as shown in Figure 4.1. Figure 4.1
Activity Group Input Window
Note that the Code is passed to other activities (and tasks) within this group. To enter individual activities left click on the activity group and choose New to get the activity input window as shown in Figure 4.2.
Risk Support Ltd.
22
Active Bow Tie Manual v1.7c
Figure 4.2
Activity Input Window
It can be seen that the activity group code is passed automatically to each activity and the sequential number added. Type in activity name and chose the responsible person.
4.2
Tasks Each activity comprises of one or several tasks. To generate tasks, right click on the plus sign next to activity, and then right click on Tasks and choose New. This will display task input window as shown in Figure 4.3. Figure 4.3
Task Input Window
Risk Support Ltd.
23
Active Bow Tie Manual v1.7c
Type in task name and description. The task code is automatically generated. Choose the task frequency and the responsible person. After adding a few more tasks and activities, the tree window will look as shown in Figure 4.4. Figure 4.4
4.3
Activities and Tasks
Additional Activity Input The additional information presented in this section (Figure 4.4) is required for the completion of the integrated safety management system (iSMS).
Risk Support Ltd.
24
Active Bow Tie Manual v1.7c
4.3.1
Objectives Hazard management objectives on the activity are specified with this facility. Right click on the Objectives to reveal an input window. Type in the objective name and if required provide more information in the description field.
4.3.2
Management Actions Management actions required for the success of the activity are input with this facility. Right click on Management Action and type the information in the input window.
4.3.3
Inputs An input to an activity is an information or an equipment necessary to undertake the activity. For example, if a set of tasks is insufficient for carrying out activity in a safe manner, then a procedure may be required which is specified as input, or if the activity is to produce an agreed plan for actions, than a starting or a proposed plan must be input. To specify the required information, right click on the Inputs.
4.3.4
Outputs An output from an activity is an information or some other product generated or processed within the activity. For example, a proposed plan for action is discussed, modified and agreed within the activity and represents an output. An output could also be some measurements undertaken in the activity which may also serve as an input to another activity. To specify this information, right click on the Outputs.
4.3.5
Performance The following information can be supplied by a right click on the Performance in the tree window, Figure 4.5: 1.
2. 3.
Performance indicator - a measurable, quantifiable and agreed parameter that can be used to measure the success, i.e. performance of an activity. For example, number of the lost time injuries (LTI’s), identified deficiencies, adherence to maintenance programmes, etc.. Performance criteria – these are the safety targets set by the management, for example, the maximum number of LTI’s. Source of measurement – relates to performance measurement, for example, maintenance records, etc.
Risk Support Ltd.
25
Active Bow Tie Manual v1.7c
4.3.6
Deficiencies Deficiencies related to activity information can be recorded by a right click on the Deficiencies in the tree window and providing data in the input window. Typical deficiency could be lack of performance criteria (for new performance indicators), lack of input procedures, etc. Target for sorting out and completion of a deficiency can also be specified. Figure 4.5
Performance Input Window
Risk Support Ltd.
26
Active Bow Tie Manual v1.7c
5
LINKING TASKS AND CONTROLS
The essential part of bow tie analysis is in linking activities and tasks to risk controls. For the purpose of developing an iSMS, the day-to-day tasks should be linked to controls. This may not be possible without some iteration on both the bow ties and the activities and tasks3. Before linking right click on the Top event in the tree window, choose Copy, then right click on External hazards and choose Paste. A copy of Top event will appear; right click on it and choose Edit and change the code to E.01b and the name to Top event (linked); left click on this event to display its bow tie and expand the bow tie. To start linking, right click an a barrier box in the graphics window and choose Edit. This will display the control input window (Figure 3.3). Left click on the Task button to display the window shown in Figure 5.1. In the activity box find the appropriate activity (O.01 process control) and then left click on it to display the corresponding tasks in the box below, Figure 5.1. Figure 5.1
Linking Task to Barrier
Now highlight the appropriate tasks (e.g. O.01.01 Task 1) by left clicking on it and then click on the > button to transfer the task to the right hand side box called “Used Tasks”, Figure 5.2. If you make a mistake, highlight the task in the Used Tasks box and click on < button to clear the Used Tasks box. Click on OK to complete linking.
3
Trbojevic, V.M., Linking Risk Analysis to Safety Management, PSAM7/ESREL2004, Berlin, 2004.
Risk Support Ltd.
27
Active Bow Tie Manual v1.7c
Figure 5.2
Linking Task to Barrier (Cont.)
Repeat the procedure for the secondary barrier (Secondary Barrier 1.1.1.1) by linking it to Task 2 of the Process control activity (O.01.02). The resulting bow tie is shown in Figure 5.3. In order to display post indicators and tasks, left click on View and choose Barrier Post Indicator option. The post indicator of the responsible person and the corresponding task which has to ensure that the control is operational at al times are displayed at the bottom of the control box (e.g. Primary Barrier 1: P1 / O.01.01). Figure 5.3
Bow ties with Linked Tasks to Controls
An additional secondary barrier (Secondary Barrier 1.1.1.2) is shown in Figure 5.3 in order to illustrate that there are no restrictions regarding linking tasks and controls from different locations.
Risk Support Ltd.
28
Active Bow Tie Manual v1.7c
Barrier effectiveness is displayed in the upper right corner of the barrier box. If more text needs to be fitted in a barrier box or the post indicator / task cannot fit, the box sizes can be changed. Left click on View and choose Box Style option The result with box style “Level3” with “2 rows” is presented in Figure 5.4. Figure 5.4
Larger Barrier Boxes
Risk Support Ltd.
29
Active Bow Tie Manual v1.7c
6
REPORTS
6.1
Displaying Information in Bow Ties The following options for displaying barrier boxes and bow tie information are added to the View menu:
6.1.1
Box Style Barrier box size can be changed to accommodate larger fonts.
6.1.2
PEAR This option allows displaying the risks to people (P), the environment (E), assets (A) and reputation ® in the consequence boxes.
6.1.3
Barrier Effectiveness Displays barrier effectiveness in the upper right corner of the barrier box. Note that the effectiveness is not further used.
6.1.4
Barrier Post Indicator Displays the post indicator of the person responsible for the barrier and the related tasks the purpose of which is to ensure that barrier is available.
Risk Support Ltd.
30
Active Bow Tie Manual v1.7c
6.2
Reports The information contained in Active Bow Tie can be printed out in MS Excel format using the Reports facility in the menu bar. The following forms (reports) are available: 1. 2. 3.
4. 5.
6. 7. 8. 9.
Hazards and top events – straightforward list of hazard groups and associated top events. Activities, tasks and responsible persons – list of all activities, associated tasks and persons responsible for those tasks. Threats and barriers – this report is considered useful; it displays top events, threats, primary barriers, barrier decay modes and secondary barriers, Figure 6.1. Threats, barriers and tasks – this is same as the previous report but for all barriers the post indicator and task are printed as well, Figure 6.2. Consequences and barriers – this report displays top events, consequences, primary barriers (recovery measures), barrier decay modes and secondary barriers Consequences, barriers and tasks – this is the same as the previous report but for all barriers the post indicator and task are printed as well. Activity descriptions – all information related to activities is displayed in tabular form, Figure 6.3. Evaluated risks – displays evaluated risks to people, the environment, assets and reputation (PEAR), Figure 6.4. Tasks not linked to barriers – If the full list of tasks is included, then this option will print tasks which are not safety critical, i.e. tasks not linked to barriers.
Risk Support Ltd.
31
Active Bow Tie Manual v1.7c
Figure 6.1 No. M.04
Top Events, Threats, Barriers, etc. Top Event
Berthing error
No. 1
Threat Description Approaching berth with inappropriate speed
No. 1
Barrier Competent Pilot
No. 1
Barrier Decay Mode Pilot fails to familiarise with vessel's manoeuverbility
No. 1 2 3
2
2
Approaching berth at inappropriate angle
2
Master identifies and rectifies error
1
Competent Pilot
Failure to account for weather and tide effects
3
Failure of rope or anchor
Master identifies and rectifies error
1
Pilot/Master trained to use rope or anchor to berth in confined spaces
2
Pilot takes additional safety measures
Criteria for berthing space established
Allocated space for berthing is insufficient
1
2
Pilot makes an error of judgement
1
Rope or attachment failure
32
Active Bow Tie Manual v1.7c
Pilot has the power to abort the operation Simulation training for Pilots and Tug masters
1
Boatmen trained to attach rope in time
2
Boatmen trained to attach rope to the right bollard
3
Risk Support Ltd.
Pilot-pilot information exchange Pilot-Master information exchange Operational criteria are established
1
1
Pilot tests the vessel prior to manoeuvre
1
2 2
Secondary Barrier
2
Anchor failure
1
3
Surging failure
1
Ensure quality ropes VTS advise on location of anchor lines or other obstructions Competent crew
Figure 6.2 No. M.04
Top Events, Threats, Barriers, Post Indicators, Tasks, etc. Top Event
Berthing error
No. 1
Threat Description Approaching berth with inappropriate speed
No. 1
Barrier Competent Pilot
No. 1
Barrier Decay Mode Pilot fails to familiarise with vessel's manoeuverbility
No. 1
HM/Pilot / C4-02.03 2
3
2
2
2
Approaching berth at inappropriate angle
1
Failure to account for weather and tide effects
Pilot / B2-08.02 Pilot-pilot information exchange Pilot / B2-02.04 Pilot-Master information exchange Pilot / B2-05.02 Operational criteria are established
2
Pilot / C2-02.02 Pilot takes additional safety measures Pilot / B2-02.07
1
Criteria for berthing space established
Master identifies and rectifies error Pilot / B2-05.02 Competent Pilot
1
Allocated space for berthing is insufficient
2
Pilot makes an error of judgement
1
2
33
Pilot tests the vessel prior to manoeuvre
1
HM/Pilot / C4-02.03
Risk Support Ltd.
Secondary Barrier
Active Bow Tie Manual v1.7c
HM / C2-04.04 Pilot has the power to abort the operation Pilot / B2-09.13 Simulation training for Pilots and Tug masters HM / C4-03.04
Figure 6.3 Activity
Activity Description Description
Port Ind.
Responsibility
P
Pilot
Post Ind. P P
Responsibility Pilot Pilot
P
Pilot
B2-05.04 B2-05.05 B2-05.06
Task Description Check vessel defect report Read "Pilot Card" Establish communication with the Bridge Team and agree the chain of command Assess the bridge team's capabilities Pilot-Master-Bridge Team information exchange Agree passage plan with the Master
P P P
Pilot Pilot Pilot
B2-05.07
Provide manoeuvring and navigational advice to the Master
P
Pilot
B2-05.08 B2-05.09
Confirm minimum bridge manning Check ship's draught
P P
Pilot Pilot
Co-operating with the bridge team and B2-05 functioning within it Safety Objectives 1 Ensure safety of navigation Management Actions 1 Monitor, review and improve Activity Inputs 1 Port Passage Plan 2 Bridge team monitoring Activity Outputs 1 Agreed passage plan Tasks B2-05.01 B2-05.02 B2-05.03
Performance Indicators Check Vessel defect report (report to 1 VTS) 2 Read Pilot card (report to VTS) 3
Check bridge manning (report to VTS)
4
Agree Passage Plan with the Master (report to VTS)
Deficiencies
Risk Support Ltd.
34
Active Bow Tie Manual v1.7c
Figure 6.4
Risk Register
Hazard Group M Manoeuvring
Risk Support Ltd.
Top Event M.04 Berthing error
35
Consequence Damage to berth Damage to the vessel
Active Bow Tie Manual v1.7c
P A0 B3
E D1 D3
A A4 C2
R D5 E4
7
PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC.
7.1
Bow ties Bow ties can be copied into MS Word or Power Point or saved in *.jpg format. Right click in the graphics window outside the bow tie, and then choose Copy (then switch to MS Word file and Edit >Paste Special > Picture) or Save option which will open Save As window for specifying the file name.
7.2
Copying, Pasting and Deleting Top events can be copied within hazards. Right click on a top event either in the graphics or tree window and then choose Copy, then right click on the hazard group that this event should be pasted in and choose Paste. Remember to change the name of the copied top event. Threats and barriers can be copied in a similar manner. To delete items right click on the item top be deleted and choose Delete. Activities and tasks can also be copied in the similar fashion.
7.3
Reordering Threats and controls can be re-ordered by right click on the box, choosing Edit and changing the Code number.
Risk Support Ltd.
36
Active Bow Tie Manual v1.7c