PT Notes
Challenges in Constructing Bow Tie Diagrams - Degradation Factors and Controls
PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.
This PT Note is the fourth in a series on challenges faced by process safety practitioners in constructing bow tie diagrams. It addresses the specification of degradation factors and controls in a bow tie diagram.
Bow tie analysis (BTA) involves the construction of diagrams that depict how prevention and mitigation barriers (i.e., safeguards) protect against threats (i.e., initiating events) that can cause hazardous events, or so-called top events, and against the adverse consequences that can arise from them. Top events result from loss of control over a hazard. Degradation factors that impair barriers, and the controls used to protect against them, are often depicted as well.
Much information required for the construction of bow tie diagrams can be obtained from process hazard analysis (PHA) studies. However, degradation factors and controls often are not identified in PHA studies. Thus, if the source of hazard scenarios for BTA is a PHA study, any degradation factors and controls must be identified as part of the BTA study.
Degradation factors and controls must be selected and specified carefully for three reasons: to ensure that a meaningful bow tie diagram is constructed, to keep the diagram from being cluttered by too many degradation factors and controls, and to make bow tie construction more efficient by minimizing iterations and revisions. This PT Note addresses the principal challenges faced by practitioners in selecting and specifying degradation factors and controls in light of the subjective judgement required for the construction of bow tie diagrams.
Degradation Factors
Degradation factors are conditions that can reduce the effectiveness of the barrier to which they apply. They define the origin of a degradation pathway to the barrier. Degradation factors do not directly cause the top event, but they increase its likelihood. They can apply to barriers on either side of the top event. Examples of degradation factors are actions or inactions by people; abnormal conditions such as environmental factors (e.g., high winds); and loss of utilities and systems that support a barrier (e.g., electric power, communications).
If a barrier is degraded, the risks from the pathway on which it lies increase or escalate, hence the alternative name of Escalation Factor. A degradation factor can also be referred to as a Degradation Threat.
Multiple degradation factors can apply to a single barrier. Of course, the complexity of the bow tie diagram increases with the number of degradation factors included, which impairs the diagram's ability to communicate information visually. Thus, degradation factors should be used sparingly for important or critical barriers.
The underlying reason for a degradation factor must be included in its specification so that appropriate degradation controls can be identified or implemented to address the specific problem. For example, the barrier “dike” may fail because its drain valve was left open. A degradation factor of “maintenance procedure not followed” is inadequate. The underlying reason for the failure needs to be specified, for example, “mechanic does not close dike drain valve due to task overload”, for the specification of appropriate controls to be possible.
Some degradation factors are not specific to a particular barrier but may impact multiple barriers, e.g. communications failures or inadequate maintenance. They are best managed outside of bow tie diagrams, for example, by using verifications and audits of the safety management system.
Controls
Controls are measures that support main pathway barriers against a degradation factor. They lie along a degradation pathway that connects the degradation threat to the main pathway barrier. Controls do not directly prevent or mitigate the top event. Controls often are human and organizational factors, such as compliance with standards, management of change program, and competence management system. Multiple controls can apply to a single degradation factor.
Controls must appear only on a degradation pathway leading to a barrier and not on main pathways because they may not meet barrier validity requirements, although they are stronger if they do. Use of the term “control” rather than “degradation barrier” indicates they do not necessarily meet the validity requirements for a barrier. However, validation criteria must still be applied, for example, clear ownership, traceability to the management system, and auditability.
Moreover, controls should not be placed on main pathways in the bow tie diagram because their connectivity to the barriers they support is lost and a false impression of defense in depth would be given. Controls can be degraded by their own degradation factors.
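The specification rules in the two sections above can be checked mechanically once a bow tie is held as data. The following is an added example, not part of the original PT Note or any Primatech tool: the class names, field names, barrier and control names, and the MS-EXAMPLE-01 reference are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    owner: str = ""          # clear ownership
    ms_ref: str = ""         # traceability to the management system
    auditable: bool = False  # auditability

@dataclass
class DegradationFactor:
    description: str
    reason: str = ""         # underlying reason, e.g. "task overload"
    controls: list = field(default_factory=list)

@dataclass
class Barrier:
    name: str
    factors: list = field(default_factory=list)

def lint_bow_tie(main_pathway, barriers):
    """Return findings; main_pathway holds element names drawn on main pathways."""
    findings, seen = [], {}
    for b in barriers:
        for df in b.factors:
            seen.setdefault(df.description, []).append(b.name)
            if not df.reason.strip():
                findings.append(f"{b.name}: '{df.description}' lacks an underlying reason")
            for c in df.controls:
                if c.name in main_pathway:
                    findings.append(f"{c.name}: control drawn on a main pathway")
                if not (c.owner and c.ms_ref and c.auditable):
                    findings.append(f"{c.name}: fails ownership/traceability/auditability")
    for desc, names in seen.items():
        if len(names) > 1:  # not barrier-specific, so better handled by audits
            findings.append(f"'{desc}' hits {len(names)} barriers: manage outside the diagram")
    return findings

def sample_findings():
    # Constructed model; names and the MS-EXAMPLE-01 reference are placeholders.
    check = Control("Valve line-up check", "Maintenance supervisor", "MS-EXAMPLE-01", True)
    cms = Control("Competence management system")  # no owner, drawn on main pathway
    dike = Barrier("Dike", [
        DegradationFactor("maintenance procedure not followed"),
        DegradationFactor("mechanic does not close dike drain valve", "task overload", [check]),
        DegradationFactor("communications failure", "radio outage")])
    response = Barrier("Emergency response", [
        DegradationFactor("communications failure", "radio outage", [cms])])
    return lint_bow_tie({"Dike", "Emergency response", cms.name}, [dike, response])

if __name__ == "__main__":
    print("\n".join(sample_findings()))
```

The sample model yields four findings: the unspecified "maintenance procedure not followed" factor, the control drawn on a main pathway, the same control failing the validation criteria, and the communications failure that affects two barriers.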
It is challenging to construct bow tie diagrams correctly without iteration. Careful specification of degradation factors and controls helps to minimize revisions.
Degradation factors and controls are important aspects of bow tie diagrams. They must be selected and specified carefully to ensure that a meaningful bow tie diagram is constructed, to keep the diagram from being cluttered by too many degradation factors and controls, and to make bow tie construction more efficient by minimizing iterations and revisions.