Académique Documents
Professionnel Documents
Culture Documents
Risk Support
Risk Management Consultants
Flat 26
74 Arlington Avenue
London N1 7AY
United Kingdom
Telephone +44 (0)20 7226 0891
Mobile +44 (0)7733 441 405
Email vmt@risk-support.co.uk
http://www.risk-support.co.uk
MANUAL
Revision
Date
Approved
1.1
February 2004
V.M. Trbojevic
1.5
June 2004
V.M. Trbojevic
1.7
July 2007
V.M. Trbojevic
1.7c
November 2014
CONTENTS
1
INTRODUCTION ................................................................................................................. 1
1.1
1.2
1.2.1
1.2.2
1.2.3
1.3
1.3.1
1.4
STARTING ............................................................................................................................ 8
2.1
2.2
2.3
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
BACKGROUND ................................................................................................................ 1
DESCRIPTION OF BOW TIE ANALYSIS ............................................................................. 2
Hazard Analysis ........................................................................................................ 2
Process Model........................................................................................................... 4
Linking Risk and Process Models ............................................................................. 4
INTEGRATED SAFETY MANAGEMENT SYSTEM ............................................................... 4
Risk Evaluation ......................................................................................................... 5
DATABASE STRUCTURE .................................................................................................. 6
REPORTS ............................................................................................................................ 30
6.1
DISPLAYING INFORMATION IN BOW TIES ..................................................................... 30
6.1.1
Box Style.................................................................................................................. 30
6.1.2
PEAR....................................................................................................................... 30
6.1.3
Barrier Effectiveness............................................................................................... 30
6.1.4
Barrier Post Indicator............................................................................................. 30
6.2
REPORTS ....................................................................................................................... 31
ii
INTRODUCTION
1.1
Background
Bow tie approach1 was originally devised to energise the safety management
system. The theory behind the bow tie approach can be found in the Swiss cheese
model of Reason2. The approach is mostly used in the hazard identification and
the development of the hazard register, to link hazard barriers and operational
systems and procedures in place to eliminate the hazard or reduce its frequency of
occurrence, or mitigate its potential consequences. As such it also a hazard and
risk control display tool. A more mature extension of the approach was based on
a desire to overcome the following shortcomings in a safety case regime:
1.
2.
3.
1
2
The transfer of information from hazard and risk analysis through to the
workings of the management system (i.e. to operations) has been
insufficient. This means that link between the major accident hazards and
the safety management system (SMS) is not usually explicitly presented.
The emergency response plans typically provide the chain of
communication in an emergency, the organisational structure, tasks of
responsible persons, and the list of actions to be carried out in the event of a
specific emergency situation following a major hazard event. A link
between the technical system descriptions in the Safety Report, and the
demonstration of the working of the management system in the context of
major hazard control, is usually missing. This is not unusual because the
methodologies for hazard analysis and risk assessment, in general, do not
deal with the complex technical and organisational systems in a unified
manner.
The Quantitative Risk Assessment may take into account operator error in
the causation part of the assessment, while it is rare to account for human
factors in the escalation part of the assessment, unless a specific operator
action is intended to be a safety barrier. However, even then, the quality of
organisation and management is not accounted for. For example, to
incorporate the probability of partial malfunction of the emergency
system is unheard of. This does not mean that the quality of organisation,
or organisational factors cannot be evaluated; they can be accounted for in
the overall shifting of the risk profile or the scaling of the failure rates.
The operational process model may be established for the purpose of quality
management system, but not for the purpose of major hazards and the SMS.
There is, in general, a fuzzy link between the hazards and operational
activities and tasks, and even fuzzier link between risk controls and
operational tasks.
Shell International Exploration and Production BV, Thesis HSE Manual, EP-95 0323, 1995.
James Reason, Human Error, Cambridge University Press, 1990.
1.2
1.2.1
Hazard Analysis
In this example, Figure 1.1, hazard is derailment and hazard realisation is the top
event passenger train derailment. The threats (that can lead to the top event) are
obstruction on tracks, rolling stock faults, track faults, etc. The possible
consequences of this event could be injuries and fatalities, damage to trains
and tracks, etc.
Figure 1.1
To protect from threats, barriers are provided (denoted by a box with a thick black
bar on the right), Figure 1.2. The barriers against obstructions on tracks are to
ensure operational tracks and regular track inspections. However, the barrier
ensure operational tracks may decay because of the inadequate maintenance,
or may fail due to obstructions due to track maintenance. This barrier
decay/failure mode3 is denoted by the box with the thick red line at the bottom. If
the barrier decay/failure mode is identified than it may be required to provide a
secondary barrier to prevent the decay/failure mode. These secondary barriers
reinforce primary barriers (which protect from threats). The numbers of the
primary and secondary barriers are governed by the risk acceptance criteria.
Figure 1.2
Inadequate
maintenance
Ensure
operational
tracks
X1 / A.01.01
Regular track
inspections
X2 / A.02.01
Procedural
review
Y3 / B.03.01
Obstructions due
to track
maintenance
Vandalism
Check materials
are not left on
tracks
V1 / B.01.01
D
Derailment
Drivers report
obstructions
D.01 Passeger
Train Derailment
Z1 / C.01.01
Trees or blown
objects on tracks
Drivers report
obstructions
Z1 / C.01.01
Track faults
Ensure sound
rolling stock
Ensure quality of
tracks
Regular track
inspections
The barriers with different coloured bars on the right hand side are intended to
represent different type of barriers, or groups of workers, subcontractors, etc.
Similarly, if all barriers are breached, and the top event (loss of control) is
reached, then (protection / mitigation) barriers should be provided to protect from
top event and/or mitigate unwanted consequences. These barriers and their
decay/failure and are treated in the similar way as the barriers on the left-hand
side of the bow tie.
1.2.2
Process Model
In parallel with the bow tie risk analysis, the systems model is developed which
describes all processes of the Company. Furthermore a set of activities and tasks
are identified required to keep the process functioning on a daily basis. For
each activity and each task within an activity responsible persons is identified.
The duty of a responsible person is to carry out the task/activity in a specified
manner and record any deviations. The development of the process model is
iterative and in many cases the risk model drives the new tasks and vice versa.
1.2.3
1.3
Management objective for the activity and action required to implement it,
Performance indicators and criteria for measuring the execution of tasks,
Figure 1.3
PLAN
MANAGEMENT
ACTIONS
REVIEW &
IMPROVE
FEEDBACK
DO
INPUT /
PROCEDURES
ACTIVITY
CHECK
Task i
Barrier l
Task j
Barrier m
Task k
Barrier n
OUTPUT
PERFORMANCE
CRITERIA
PERFORMANCE
INDICATORS
Risk Evaluation
Risk evaluation is carried out by assessing the likelihood and the severity of
consequences using either risk matrix approach, or the results of quantitative risk
analysis. Typically these risk can be low (acceptable), medium (tolerable if
reduced to be As Low As Reasonably Practicable ALARP) and high/intolerable
(operation is not allowed). The evaluated risks are then assessed against risk
acceptability criteria.
Risk criteria are developed in terms of the required number of barriers for each
risk level. Risk criteria can also be formulated in conjunction with safety rating or
the effectiveness of risk controls which depends on the barrier effectiveness,
availability, independence, means of control over barrier, etc. An example of risk
criteria without barrier rating is presented in Figure 1.4.
Risk reduction is then carried out in accordance with the risk tolerability doctrine, or the
national safety legislation, etc.
Figure 1.4
Region
ALARP
Criteria
1
Intolerable 2
3
1.4
Database Structure
The data structure in Active Bow Tie starts with the Study (or Safety Case) which
covers one or several Locations. Each location is exposed to Hazards and has an
Activity Set. A set of Hazards comprises of one or several Hazard Groups, each
of which is mapped into one or several Top Events.
Each Top Event can be triggered by a set of Threats (within a Threat Group), and
to prevent hazard realisation Barriers are put in place. Factors that can reduce
barrier effectiveness called Barrier Decay Modes (B.D.M.). To protect the
barriers from this decay modes the Secondary Barriers can be specified.
Escalation from Top Event can lead to a Consequence Group containing one or
several unwanted Consequences. There are Barriers in place top protect from top
event and mitigate the consequences. These barriers can be associated with the
barrier decay modes, which are controlled by secondary barriers.
Each Activity Set contains one or several Activity Groups each of which comprise
one or several Activities. Each Activity comprises of Tasks, some of which are
safety critical; i.e. the purpose of those tasks is to ensure that barriers are
operational at all times. An activity also comprises of the associated safety
objectives, management actions, input, output, performance indicators and criteria
Database Structure
Study
Location
Hazards
Hazard group 1
Top event 1
Threat group
Threat
Barrier
Task
Barrier 2
Task
Threat
Consequence group
Consequence
Barrier
Task
Top event
Hazard group
Activity set
Activity group
Activity
Objectives
Objective
Objective
Management actions
Action
Inputs
Input
Outputs
Output
Tasks
Task
Task
Task
Performance
Indicator
Deficiencies
Deficiency
Activity
Activity group
Location
Etc.
STARTING
2.1
Welcome Screen
Click on the welcome screen and you will see the prompt to open a file. Click on
Cancel and you will be in ABT window.
Important notice:
2.2
The file blank data.mdb is a database template and should not be deleted.
ABT cannot work without this file. This file will be placed in the Active
Bow Tie directory.
User Manual
The chapters of this manual are listed in Help on the menu bar. Click on Help and
then click on a chapter you would like to read or print (for this you will need
Acrobat Reader).
2.3
Clicking on File and then on New, triggers a Save As window where the name of
the new database file can be specified (e.g. example). The corresponding path and
the file name will then be displayed on the title bar (Figure 2.3).
To set up a new case click on Misc and choose New Case and specify the name of
the case (e.g. Safety Case) which will be displayed in the tree window. To specify
locations considered in the case, right click on the case name (Safety Case),
choose New and specify location parameters and name (e.g. Plant). Let us
assume that the Safety Case covers two locations, then repeat the previous steps
and set up another location called Office.
Left click on the plus sign on the left hand side of the locations will display the
Hazards and Activity Groups for each location, and the tree in the left window
will look as shown in Figure 2.3.
Figure 2.3
2.4
2.4.1
Personnel
Information about plant personnel is required for the completion of the activities
and tasks, and not necessarily for the hazard identification. Personnel information
comprises the following:
1.
2.
3.
Post. Ind. or post indicator; this information will be printed out once the
tasks are linked to the barriers and therefore the shorter post indicator is
better.
Description position of the person/operator.
Name name of the person (not used at the moment).
Tab can be used to move across to a next box. The list of personnel can be
extended by clicking on the Add button, Figure 2.4.
10
Figure 2.4
2.4.2
Competencies
Not used at this stage.
2.4.3
Effectiveness
Implies the barrier effectiveness and can be displayed in the barrier box. After
typing the first one, click on the Add button for the next one, Figure 2.5. To
display this information tick the Barrier effectiveness in the View menu.
Figure 2.5
11
2.4.4
Activity Categories
Not utilised at this stage.
2.4.5
Frequencies
The frequency relates to how often the task is carried out and can be specified
descriptively and by its value, Figure 2.6. Clicking on Add generates a new input
row.
Figure 2.6
2.4.6
Control Types
The information about controls (primary and secondary barriers) needs to be
provided if the classification of controls is required. There are no rules on
classification of controls, for example, one may wish to distinguish controls
operated by different sections within one organisation, or to establish engineered,
procedural and human barriers, etc. Each control type can be recognised by a
coloured bar on the right hand side of the control box, Figure 2.7.
Colour of the barriers can be changed from a default black colour by a left click
on the right hand side of the middle box and then choosing a desired colour from
the colour palette (for example, three colours: black, blue and green were chosen,
Figure 2.7).
12
Figure 2.7
2.4.7
Risk Matrix
Risk assessment in Active Bow Tie is carried out by the use of risk matrix shown
in Figure 2.8. There are maximum six categories of accident likelihood and
consequence severity. In the example shown in Figure 2.8 a 5 x 5 matrix is
displayed, starting with the likelihood extremely unlikely (i.e. 10-7), to
frequent (10). The five categories of consequences (impact on workers or the
general public) start from minor injury to many fatalities (5 or more). By
assigning letters to the likelihood categories from A to E, and numbers from 1 to 5
to consequence severity, the risk values (likelihood x consequence severity) are as
shown in the matrix in Figure 2.8.
Figure 2.8
Risk Matrix
13
To change risk values, left click on the field and its value will appear in the Text
box in the upper left corner. Type the value or a code of your choice and click
OK; the value/code will appear in the field. If the numerical values are used for
both likelihood and consequence categories, e.g. 0 to 5, these are usually
interpreted to represent the logarithmic scale (i.e. order of magnitude difference)
and the risk values are evaluated by adding the corresponding likelihood and
severity numbers (and not by multiplying which is a very common mistake).
To change the colour of the risk regions, left click on the field and then left click
on one of four colours on the left hand side of the risk matrix window. At this
stage only the shown four colours are available for this purpose. It should be
noted that the risk tolerability doctrine in the UK identified three regions of risk:
1.
2.
3.
The fourth colour (blue) has been added (without defining the risk management
action) to allow more complicated risk criteria to be utilised. The example in
Figure 2.9 shows an additional range has been added in which the management
action is to improve public relations.
Risk matrix for injuries and fatalities (P) has been shown in Figure 2.8. By
clicking on the button on the right hand side of the box with People inside, three
more types of risk are available:
Note:
Text in the risk matrix (Figure 2.8) denoting likelihood and consequence
severity, and the notation for the fields in the matrix (A1, B2, etc) can be
changed in the project database file (e.g. in example.mdb) by opening
the database file in MS Access (2003) and implementing changes in
relevant tables (riskCat, riskLabel and riskMatrix). Do not forget to save
the file before changing it!
An example of such changes can be seen in Figure 2.9.
14
Figure 2.9
15
HAZARD ANALYSIS
3.1
Now left click on the Top event and the top event circle will appear in the graphics
window, Figure 3.2.
16
Figure 3.2
3.2
2.
In the tree window, lift click on Threats to highlight it, and then right click
to get a menu, then left click on New to get the threat window, Figure 3.3.
As soon as the threat is specified, the ear on the left hand side of the top
event circle becomes shaded. This means that there is more information that
has not been displayed in the graphics window. Clicking on the same ear
contracts the bow tie.
In the graphics window, right click within the top event circle and choose
from the drop down menu, in this case New Threat which triggers the threat
window to appear, Figure 3.3.
The code for a threat is just a sequence number which is automatically generated
but can be changed manually if the reordering of threats is required. The other
buttons and check boxes will be explained at the later stage.
The consequence generation is carried out in the same manner, for example by a
right click within the tope vent circle, left click on New Consequence in the
dropdown menu and the Consequence widow will appear.
17
Figure 3.3
3.3
18
The mitigation barriers (on the right hand side of the top event) are generated in
the exactly same manner, except that the title on the input window is Recovery
Measure otherwise it is identical to that in Figure 3.4. These barriers are also
called recovery measures.
Each barrier can have one or decay/failure modes. A decay/failure mode is used
to represent the condition which can lead to barrier erosion, ineffectiveness or
failure. For example, insufficient maintenance, inadequate procedure, etc. can be
described with barrier decay modes.
Barrier decay mode is generated in the same way as the barriers (right click on a
barrier box and choose New), except that its input window is identical to one for a
threat (Figure 3.3). Barrier decay mode can be controlled by one or several
secondary barriers which serve as means/systems that can prevention decay and
erosion (right click on a barrier decay mode box and choose New). It should be
noted that most risk acceptance criteria for bow tie risk analysis require at least
one control for each identified barrier decay mode.
Assuming that a barrier decay mode was identified for the engineered Primary
Barrier 1.1 (Figure 3.5), and that the secondary barrier (Secondary Barrier 1.1.1.1)
is generated (as a human control), then the Active Bow Tie screen would look as
shown in Figure 3.5. The Consequence 1 and the corresponding Primary Barrier
1.2 (Recovery Measure) were also generated. Note the different colours of
controls.
Figure 3.5
It should be noted that the font size and the scale have been changed so that the
bow tie would fit in the graphics window and that the titles of the boxes would be
readable. To change the font Size left click in the corresponding box and type the
size of your choice, then press Tab key. The same procedure applies to Scale.
Font type can be changed by choosing from the drop down list (left click on
Font).
19
3.4
Risk Analysis
Risk evaluation is carried out by assigning severity and the likelihood category to
each consequence. To do so right click on a consequence box and choose Edit.
This will display the consequence input screen. Now click on Assess Risk to
display the risk matrix. In the risk matrix left click on the field which corresponds
to evaluated likelihood and consequence severity category, for example, unlikely
(0.1) and major injury (corresponds to D3), Figure 3.6, and then click on OK.
This process is the repeated for all types of risk and all consequences if required.
Figure 3.6
Risk Evaluation
Now left click on Hazards (below Plant), and the graphics window will display
the risk register. Left click on the top event in the top table and the results of risk
evaluation will appear in the bottom table, as shown in Figure 3.7.
Figure 3.7
Risk Register
20
The risks can also be displayed in the consequence boxes of the bow tie. To do
this, got to the View menu, and tick PEAR and the evaluated risk will be displayed
as shown in Figure 3.8. The risks are displayed in the PEAR order (people,
environment, assets, reputation).
Figure 3.8
21
4.1
Activities
The activity structure is conceived to comprise of an activity set for each location,
each of which can be further subdivided into activity groups and activities. An
example of an activity group is Operational activity which can comprise of
several activities such as import product, operate process units, operate storage
facilities, export products, laboratory/sampling activity, etc. The activity structure
reflects the overall organisation of the facility. However there are two ways
forward from this point, as follows:
1.
2.
To generate an activity group left click on the Activity Groups in the tree window
and choose New and input the data in the activity window as shown in Figure 4.1.
Figure 4.1
Note that the Code is passed to other activities (and tasks) within this group. To
enter individual activities left click on the activity group and choose New to get
the activity input window as shown in Figure 4.2.
22
Figure 4.2
It can be seen that the activity group code is passed automatically to each activity
and the sequential number added. Type in activity name and chose the
responsible person.
4.2
Tasks
Each activity comprises of one or several tasks. To generate tasks, right click on
the plus sign next to activity, and then right click on Tasks and choose New. This
will display task input window as shown in Figure 4.3.
Figure 4.3
23
Type in task name and description. The task code is automatically generated.
Choose the task frequency and the responsible person. After adding a few more
tasks and activities, the tree window will look as shown in Figure 4.4.
Figure 4.4
4.3
24
4.3.1
Objectives
Hazard management objectives on the activity are specified with this facility.
Right click on the Objectives to reveal an input window. Type in the objective
name and if required provide more information in the description field.
4.3.2
Management Actions
Management actions required for the success of the activity are input with this
facility. Right click on Management Action and type the information in the input
window.
4.3.3
Inputs
An input to an activity is an information or an equipment necessary to undertake
the activity. For example, if a set of tasks is insufficient for carrying out activity
in a safe manner, then a procedure may be required which is specified as input, or
if the activity is to produce an agreed plan for actions, than a starting or a
proposed plan must be input. To specify the required information, right click on
the Inputs.
4.3.4
Outputs
An output from an activity is an information or some other product generated or
processed within the activity. For example, a proposed plan for action is
discussed, modified and agreed within the activity and represents an output. An
output could also be some measurements undertaken in the activity which may
also serve as an input to another activity. To specify this information, right click
on the Outputs.
4.3.5
Performance
The following information can be supplied by a right click on the Performance in
the tree window, Figure 4.5:
1.
2.
3.
25
4.3.6
Deficiencies
Deficiencies related to activity information can be recorded by a right click on the
Deficiencies in the tree window and providing data in the input window. Typical
deficiency could be lack of performance criteria (for new performance indicators),
lack of input procedures, etc.
Target for sorting out and completion of a deficiency can also be specified.
Figure 4.5
26
The essential part of bow tie analysis is in linking activities and tasks to risk
controls. For the purpose of developing an iSMS, the day-to-day tasks should be
linked to controls. This may not be possible without some iteration on both the
bow ties and the activities and tasks3. Before linking right click on the Top event
in the tree window, choose Copy, then right click on External hazards and choose
Paste. A copy of Top event will appear; right click on it and choose Edit and
change the code to E.01b and the name to Top event (linked); left click on this
event to display its bow tie and expand the bow tie.
To start linking, right click an a barrier box in the graphics window and choose
Edit. This will display the control input window (Figure 3.3). Left click on the
Task button to display the window shown in Figure 5.1. In the activity box find
the appropriate activity (O.01 process control) and then left click on it to display
the corresponding tasks in the box below, Figure 5.1.
Figure 5.1
Now highlight the appropriate tasks (e.g. O.01.01 Task 1) by left clicking on it
and then click on the > button to transfer the task to the right hand side box called
Used Tasks, Figure 5.2. If you make a mistake, highlight the task in the Used
Tasks box and click on < button to clear the Used Tasks box. Click on OK to
complete linking.
27
Figure 5.2
Repeat the procedure for the secondary barrier (Secondary Barrier 1.1.1.1) by
linking it to Task 2 of the Process control activity (O.01.02). The resulting bow
tie is shown in Figure 5.3. In order to display post indicators and tasks, left click
on View and choose Barrier Post Indicator option. The post indicator of the
responsible person and the corresponding task which has to ensure that the control
is operational at al times are displayed at the bottom of the control box (e.g.
Primary Barrier 1: P1 / O.01.01).
Figure 5.3
28
Barrier effectiveness is displayed in the upper right corner of the barrier box.
If more text needs to be fitted in a barrier box or the post indicator / task cannot
fit, the box sizes can be changed. Left click on View and choose Box Style option
The result with box style Level3 with 2 rows is presented in Figure 5.4.
Figure 5.4
29
REPORTS
6.1
6.1.1
Box Style
Barrier box size can be changed to accommodate larger fonts.
6.1.2
PEAR
This option allows displaying the risks to people (P), the environment (E), assets
(A) and reputation in the consequence boxes.
6.1.3
Barrier Effectiveness
Displays barrier effectiveness in the upper right corner of the barrier box. Note
that the effectiveness is not further used.
6.1.4
30
6.2
Reports
The information contained in Active Bow Tie can be printed out in MS Excel
format using the Reports facility in the menu bar. The following forms (reports)
are available:
1.
2.
3.
4.
5.
6.
7.
8.
9.
31
Figure 6.1
No.
M.04
Berthing error
No.
1
Threat Description
Approaching berth
with inappropriate
speed
No.
1
Barrier
Competent Pilot
No.
1
No.
1
2
3
Approaching berth at
inappropriate angle
Competent Pilot
Failure of rope or
anchor
32
Pilot-pilot information
exchange
Pilot-Master information
exchange
Operational criteria are
established
2
2
Secondary Barrier
Anchor failure
Surging failure
Figure 6.2
No.
M.04
Berthing error
No.
1
Threat Description
Approaching berth
with inappropriate
speed
No.
1
Barrier
Competent Pilot
No.
1
No.
1
HM/Pilot / C4-02.03
2
Approaching berth at
inappropriate angle
Pilot / B2-08.02
Pilot-pilot information
exchange
Pilot / B2-02.04
Pilot-Master information
exchange
Pilot / B2-05.02
Operational criteria are
established
Pilot / C2-02.02
Pilot takes additional
safety measures
Pilot / B2-02.07
33
HM/Pilot / C4-02.03
Secondary Barrier
HM / C2-04.04
Pilot has the power to
abort the operation
Pilot / B2-09.13
Simulation training for
Pilots and Tug masters
HM / C4-03.04
Figure 6.3
Activity
Activity Description
Description
Port Ind.
Responsibility
Pilot
Post Ind.
P
P
Responsibility
Pilot
Pilot
Pilot
B2-05.04
B2-05.05
B2-05.06
Task Description
Check vessel defect report
Read "Pilot Card"
Establish communication with the Bridge Team and agree the
chain of command
Assess the bridge team's capabilities
Pilot-Master-Bridge Team information exchange
Agree passage plan with the Master
P
P
P
Pilot
Pilot
Pilot
B2-05.07
Pilot
B2-05.08
B2-05.09
P
P
Pilot
Pilot
Performance Indicators
Check Vessel defect report (report to
1
VTS)
2
Read Pilot card (report to VTS)
3
Deficiencies
34
Figure 6.4
Risk Register
Hazard Group
M Manoeuvring
Top Event
M.04 Berthing error
35
Consequence
Damage to berth
Damage to the vessel
P
A0
B3
E
D1
D3
A
A4
C2
R
D5
E4
7.1
Bow ties
Bow ties can be copied into MS Word or Power Point or saved in *.jpg format.
Right click in the graphics window outside the bow tie, and then choose Copy
(then switch to MS Word file and Edit >Paste Special > Picture) or Save option
which will open Save As window for specifying the file name.
7.2
7.3
Reordering
Threats and controls can be re-ordered by right click on the box, choosing Edit
and changing the Code number.
36