Manual For Active BowTie

MANUAL
Active Bow Tie

A tool for displaying and improving
hazard analysis and energising safety
management
Risk Support
Risk Management Consultants
Flat 26
74 Arlington Avenue
London N1 7AY
United Kingdom
Telephone +44 (0)20 7226 0891
Mobile +44 (0)7733 441 405
Email vmt@risk-support.co.uk
http://www.risk-support.co.uk
MANUAL
Active Bow Tie

A tool for displaying and improving
hazard analysis and energising safety
management
November 2014
Version 1.7c
Revision
Date
Approved
1.1
February 2004
V.M. Trbojevic
1.5
June 2004
V.M. Trbojevic
1.7
July 2007
V.M. Trbojevic
1.7c
November 2014
Licence free version
CONTENTS
1
INTRODUCTION ................................................................................................................. 1
1.1
1.2
1.2.1
1.2.2
1.2.3
1.3
1.3.1
1.4
STARTING ............................................................................................................................ 8
2.1
2.2
2.3
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
INSTALLING ACTIVE BOW TIE ........................................................................................ 8

USER MANUAL ............................................................................................................... 8
SETTING UP A NEW CASE/DATA FILE............................................................................. 9
DEFINING REFERENCE DATA ........................................................................................ 10
Personnel ................................................................................................................ 10
Competencies .......................................................................................................... 11
Effectiveness............................................................................................................ 11
Activity Categories.................................................................................................. 12
Frequencies............................................................................................................. 12
Control Types.......................................................................................................... 12
Risk Matrix.............................................................................................................. 13
HAZARD ANALYSIS ........................................................................................................ 16

3.1
3.2
3.3
3.4
BACKGROUND ................................................................................................................ 1
DESCRIPTION OF BOW TIE ANALYSIS ............................................................................. 2
Hazard Analysis ........................................................................................................ 2
Process Model........................................................................................................... 4
Linking Risk and Process Models ............................................................................. 4
INTEGRATED SAFETY MANAGEMENT SYSTEM ............................................................... 4
Risk Evaluation ......................................................................................................... 5
DATABASE STRUCTURE .................................................................................................. 6
HAZARD CATEGORIES AND TOP EVENTS ...................................................................... 16

THREATS AND CONSEQUENCES .................................................................................... 17
BARRIERS AND BARRIER DECAY MODES...................................................................... 18
RISK ANALYSIS ............................................................................................................ 20
ACTIVITIES AND TASKS................................................................................................ 22

4.1
ACTIVITIES ................................................................................................................... 22
4.2
TASKS ........................................................................................................................... 23
4.3
ADDITIONAL ACTIVITY INPUT ...................................................................................... 24
4.3.1
Objectives................................................................................................................ 25
4.3.2
Management Actions............................................................................................... 25
4.3.3
Inputs....................................................................................................................... 25
4.3.4
Outputs.................................................................................................................... 25
4.3.5
Performance............................................................................................................ 25
4.3.6
Deficiencies............................................................................................................. 26
LINKING TASKS AND CONTROLS .............................................................................. 27
REPORTS ............................................................................................................................ 30
6.1
DISPLAYING INFORMATION IN BOW TIES ..................................................................... 30
6.1.1
Box Style.................................................................................................................. 30
6.1.2
PEAR....................................................................................................................... 30
6.1.3
Barrier Effectiveness............................................................................................... 30
6.1.4
Barrier Post Indicator............................................................................................. 30
6.2
REPORTS ....................................................................................................................... 31
Risk Support Ltd.
Active Bow Tie Manual v1.7c
PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC............................. 36

7.1
7.2
7.3
BOW TIES ...................................................................................................................... 36

COPYING, PASTING AND DELETING .............................................................................. 36
REORDERING ................................................................................................................ 36
Risk Support Ltd.
ii
INTRODUCTION
1.1
Background
Bow tie approach1 was originally devised to energise the safety management
system. The theory behind the bow tie approach can be found in the Swiss cheese
model of Reason2. The approach is mostly used in the hazard identification and
the development of the hazard register, to link hazard barriers and operational
systems and procedures in place to eliminate the hazard or reduce its frequency of
occurrence, or mitigate its potential consequences. As such it also a hazard and
risk control display tool. A more mature extension of the approach was based on
a desire to overcome the following shortcomings in a safety case regime:
1.
2.
3.
1
2
The transfer of information from hazard and risk analysis through to the
workings of the management system (i.e. to operations) has been
insufficient. This means that link between the major accident hazards and
the safety management system (SMS) is not usually explicitly presented.
The emergency response plans typically provide the chain of
communication in an emergency, the organisational structure, tasks of
responsible persons, and the list of actions to be carried out in the event of a
specific emergency situation following a major hazard event. A link
between the technical system descriptions in the Safety Report, and the
demonstration of the working of the management system in the context of
major hazard control, is usually missing. This is not unusual because the
methodologies for hazard analysis and risk assessment, in general, do not
deal with the complex technical and organisational systems in a unified
manner.
The Quantitative Risk Assessment may take into account operator error in
the causation part of the assessment, while it is rare to account for human
factors in the escalation part of the assessment, unless a specific operator
action is intended to be a safety barrier. However, even then, the quality of
organisation and management is not accounted for. For example, to
incorporate the probability of partial malfunction of the emergency
system is unheard of. This does not mean that the quality of organisation,
or organisational factors cannot be evaluated; they can be accounted for in
the overall shifting of the risk profile or the scaling of the failure rates.
The operational process model may be established for the purpose of quality
management system, but not for the purpose of major hazards and the SMS.
There is, in general, a fuzzy link between the hazards and operational
activities and tasks, and even fuzzier link between risk controls and
operational tasks.
Shell International Exploration and Production BV, Thesis HSE Manual, EP-95 0323, 1995.
James Reason, Human Error, Cambridge University Press, 1990.
Risk Support Ltd.
1.2
Description of Bow Tie Analysis
1.2.1
Hazard Analysis
In this example, Figure 1.1, hazard is derailment and hazard realisation is the top
event passenger train derailment. The threats (that can lead to the top event) are
obstruction on tracks, rolling stock faults, track faults, etc. The possible
consequences of this event could be injuries and fatalities, damage to trains
and tracks, etc.
Figure 1.1
Derailment Bow tie
To protect from threats, barriers are provided (denoted by a box with a thick black
bar on the right), Figure 1.2. The barriers against obstructions on tracks are to
ensure operational tracks and regular track inspections. However, the barrier
ensure operational tracks may decay because of the inadequate maintenance,
or may fail due to obstructions due to track maintenance. This barrier
decay/failure mode3 is denoted by the box with the thick red line at the bottom. If
the barrier decay/failure mode is identified than it may be required to provide a
secondary barrier to prevent the decay/failure mode. These secondary barriers
reinforce primary barriers (which protect from threats). The numbers of the
primary and secondary barriers are governed by the risk acceptance criteria.
Barrier decay/failure mode is also called Escalation factor (e.g. in Thesis)
Risk Support Ltd.
Figure 1.2
Barriers and Barrier Decay/Failure Modes

Obstructions on
tracks
Inadequate
maintenance
Ensure
operational
tracks
X1 / A.01.01
Regular track
inspections
X2 / A.02.01
Procedural
review
Y3 / B.03.01
Obstructions due
to track
maintenance
Vandalism
Check materials
are not left on
tracks
V1 / B.01.01
D
Derailment
Drivers report
obstructions
D.01 Passeger
Train Derailment
Z1 / C.01.01
Trees or blown
objects on tracks
Drivers report
obstructions
Z1 / C.01.01
Track faults
Risk Support Ltd.
Rolling stock faults
Ensure sound
rolling stock
Ensure quality of
tracks
Regular track
inspections
The barriers with different coloured bars on the right hand side are intended to
represent different type of barriers, or groups of workers, subcontractors, etc.
Similarly, if all barriers are breached, and the top event (loss of control) is
reached, then (protection / mitigation) barriers should be provided to protect from
top event and/or mitigate unwanted consequences. These barriers and their
decay/failure and are treated in the similar way as the barriers on the left-hand
side of the bow tie.
1.2.2
Process Model
In parallel with the bow tie risk analysis, the systems model is developed which
describes all processes of the Company. Furthermore a set of activities and tasks
are identified required to keep the process functioning on a daily basis. For
each activity and each task within an activity responsible persons is identified.
The duty of a responsible person is to carry out the task/activity in a specified
manner and record any deviations. The development of the process model is
iterative and in many cases the risk model drives the new tasks and vice versa.
1.2.3
Linking Risk and Process Models

In the next step the tasks are matched to the barriers. This means that for each
barrier there should be a task the purpose of which is to ensure that the barrier is
operational at all times. This process is also iterative and may require some
matching before a proper link between the task and the barrier is established. In
Figure 1.2, in the lower part of the barrier box, the post indicator of the
responsible person (or contractors organisation) and the corresponding tasks
shown (e.g. X1, X2, Y1, etc denotes personnel group and position, and A.01.02
denoted task 2 of activity A.01). As mentioned before the development of bow tie
risk model and the corresponding process model proceeds in an iterative manner.
The activities and tasks taken to ensure that risk controls are effective at all times
are called safety-critical. An activity comprises a set of tasks with the same
management objective.
1.3
Integrated Safety Management System

The operational part of the safety management system (SMS) can now be
developed as a natural extension of the above approach. In fact, each activity with
its set of tasks represents a procedure in the old sense, except that each task is
hard wired to the corresponding risk barrier. Therefore to close the continuous
improvement loop, the following components of the SMS, shown in Figure 1.3,
are added:
Management objective for the activity and action required to implement it,
Performance indicators and criteria for measuring the execution of tasks,
Risk Support Ltd.
Feedback loop for the improvement and operational changes,

Input and output for the activity; for example, if the absence of a written
procedure could result in infringement of the safety policy or breaches of
legislative requirements or performance criteria, then the additional
procedure represents an input for the activity. Similarly, output from an
activity may represent the input for another activity, etc.
Figure 1.3
Safety Critical Activity

MANAGEMENT
OBJECTIVES
PLAN
MANAGEMENT
ACTIONS
REVIEW &
IMPROVE
FEEDBACK
DO
INPUT /
PROCEDURES
ACTIVITY
CHECK
Task i
Barrier l
Task j
Barrier m
Task k
Barrier n
OUTPUT
PERFORMANCE
CRITERIA
PERFORMANCE
INDICATORS
In associating tasks with risk controls, distributing responsibilities, defining

objectives and the sources and means of measurement, the integrity of the
management system is demonstrated.
A similar approach can be utilised to extend the safety management system to
cover the management and organisational aspects.
1.3.1
Risk Evaluation
Risk evaluation is carried out by assessing the likelihood and the severity of
consequences using either risk matrix approach, or the results of quantitative risk
analysis. Typically these risk can be low (acceptable), medium (tolerable if
reduced to be As Low As Reasonably Practicable ALARP) and high/intolerable
(operation is not allowed). The evaluated risks are then assessed against risk
acceptability criteria.
Risk criteria are developed in terms of the required number of barriers for each
risk level. Risk criteria can also be formulated in conjunction with safety rating or
the effectiveness of risk controls which depends on the barrier effectiveness,
availability, independence, means of control over barrier, etc. An example of risk
criteria without barrier rating is presented in Figure 1.4.
Risk Support Ltd.
Risk reduction is then carried out in accordance with the risk tolerability doctrine, or the
national safety legislation, etc.
Figure 1.4
An Example of Risk Criteria
Region
ALARP
Criteria
1
Requires a minimum of two rimary barriers in place for all

threats
Requires a minimum of one primary barrier (recovery

measure) for identified consequence
Requires a minimum of one effective control in place for all

barrier decay/failure modes
Intolerable 2
3
1.4
Requires a minimum of three primary barriers in place for all

threats
Requires a minimum of two primary barriers (recovery
measures) for each identified consequence
Requires a minimum of one secondary barrier in place for all
barrier decay/failure modes
Database Structure
The data structure in Active Bow Tie starts with the Study (or Safety Case) which
covers one or several Locations. Each location is exposed to Hazards and has an
Activity Set. A set of Hazards comprises of one or several Hazard Groups, each
of which is mapped into one or several Top Events.
Each Top Event can be triggered by a set of Threats (within a Threat Group), and
to prevent hazard realisation Barriers are put in place. Factors that can reduce
barrier effectiveness called Barrier Decay Modes (B.D.M.). To protect the
barriers from this decay modes the Secondary Barriers can be specified.
Escalation from Top Event can lead to a Consequence Group containing one or
several unwanted Consequences. There are Barriers in place top protect from top
event and mitigate the consequences. These barriers can be associated with the
barrier decay modes, which are controlled by secondary barriers.
Each Activity Set contains one or several Activity Groups each of which comprise
one or several Activities. Each Activity comprises of Tasks, some of which are
safety critical; i.e. the purpose of those tasks is to ensure that barriers are
operational at all times. An activity also comprises of the associated safety
objectives, management actions, input, output, performance indicators and criteria
Risk Support Ltd.
(Figure 1.3). A graphical representation of the data structure is presented in

Figure 1.5.
Figure 1.5
Database Structure
Study
Location
Hazards
Hazard group 1
Top event 1
Threat group
Threat
Barrier
Task
Barrier decay mode

Secondary barrier
Task
Barrier 2
Task
Barrier decay mode

Secondary barrier
Task
Secondary barrier
Task
Threat
Consequence group
Consequence
Barrier
Task
Top event
Hazard group
Activity set
Activity group
Activity
Objectives
Objective
Objective
Management actions
Action
Inputs
Input
Outputs
Output
Tasks
Task
Task
Task
Performance
Indicator
Deficiencies
Deficiency
Activity
Activity group
Location
Etc.
Risk Support Ltd.
STARTING
2.1
Installing Active Bow Tie

To install Active Bow Tie unzip the file abt.zip which contains the installation
tool Install-ABT.exe. Double click on the file Install-ABTv1.7.exe and the
software will be installed in the subdirectory called Active Bow Tie v1.7
created within the directory Program Files. An icon will also be created on the
desktop depicting a bow tie.
Licence for running Active Bow Tie is no longer required, i.e. the use of the
program is free. Just double click on the ABT icon and the welcome screen,
Figure 2.1, will appear.
Figure 2.1
Welcome Screen
Click on the welcome screen and you will see the prompt to open a file. Click on
Cancel and you will be in ABT window.
Important notice:
2.2
The file blank data.mdb is a database template and should not be deleted.
ABT cannot work without this file. This file will be placed in the Active
Bow Tie directory.
User Manual
The chapters of this manual are listed in Help on the menu bar. Click on Help and
then click on a chapter you would like to read or print (for this you will need
Acrobat Reader).
Risk Support Ltd.
2.3
Setting Up a New Case/Data File

Navigate in the Open window to find the previously developed database files.
You may wish to start from example.mdb file (in C:\Program Files\Active Bow
Tie v1.7), highlight it and click OK. For creating the new case click on Cancel in
the Open window, and the Active Bow Tie main window will appear, Figure 2.2.
Figure 2.2
Active Bow Tie Main Window
Clicking on File and then on New, triggers a Save As window where the name of
the new database file can be specified (e.g. example). The corresponding path and
the file name will then be displayed on the title bar (Figure 2.3).
To set up a new case click on Misc and choose New Case and specify the name of
the case (e.g. Safety Case) which will be displayed in the tree window. To specify
locations considered in the case, right click on the case name (Safety Case),
choose New and specify location parameters and name (e.g. Plant). Let us
assume that the Safety Case covers two locations, then repeat the previous steps
and set up another location called Office.
Risk Support Ltd.
Left click on the plus sign on the left hand side of the locations will display the
Hazards and Activity Groups for each location, and the tree in the left window
will look as shown in Figure 2.3.
Figure 2.3
2.4
Setting Up the Case and Locations
Defining Reference Data

The Reference button on the menu bar displays a drop table with the following
data categories:
2.4.1
Personnel
Information about plant personnel is required for the completion of the activities
and tasks, and not necessarily for the hazard identification. Personnel information
comprises the following:
1.
2.
3.
Post. Ind. or post indicator; this information will be printed out once the
tasks are linked to the barriers and therefore the shorter post indicator is
better.
Description position of the person/operator.
Name name of the person (not used at the moment).
Tab can be used to move across to a next box. The list of personnel can be
extended by clicking on the Add button, Figure 2.4.
Risk Support Ltd.
10
Figure 2.4
2.4.2
Personnel Input Window
Competencies
Not used at this stage.
2.4.3
Effectiveness
Implies the barrier effectiveness and can be displayed in the barrier box. After
typing the first one, click on the Add button for the next one, Figure 2.5. To
display this information tick the Barrier effectiveness in the View menu.
Figure 2.5
Input Window for Effectiveness
Risk Support Ltd.
11
2.4.4
Activity Categories
Not utilised at this stage.
2.4.5
Frequencies
The frequency relates to how often the task is carried out and can be specified
descriptively and by its value, Figure 2.6. Clicking on Add generates a new input
row.
Figure 2.6
2.4.6
Task Frequencies Input Window
Control Types
The information about controls (primary and secondary barriers) needs to be
provided if the classification of controls is required. There are no rules on
classification of controls, for example, one may wish to distinguish controls
operated by different sections within one organisation, or to establish engineered,
procedural and human barriers, etc. Each control type can be recognised by a
coloured bar on the right hand side of the control box, Figure 2.7.
Colour of the barriers can be changed from a default black colour by a left click
on the right hand side of the middle box and then choosing a desired colour from
the colour palette (for example, three colours: black, blue and green were chosen,
Figure 2.7).
Risk Support Ltd.
12
Figure 2.7
2.4.7
Control Types Input Window
Risk Matrix
Risk assessment in Active Bow Tie is carried out by the use of risk matrix shown
in Figure 2.8. There are maximum six categories of accident likelihood and
consequence severity. In the example shown in Figure 2.8 a 5 x 5 matrix is
displayed, starting with the likelihood extremely unlikely (i.e. 10-7), to
frequent (10). The five categories of consequences (impact on workers or the
general public) start from minor injury to many fatalities (5 or more). By
assigning letters to the likelihood categories from A to E, and numbers from 1 to 5
to consequence severity, the risk values (likelihood x consequence severity) are as
shown in the matrix in Figure 2.8.
Figure 2.8
Risk Matrix
Risk Support Ltd.
13
To change risk values, left click on the field and its value will appear in the Text
box in the upper left corner. Type the value or a code of your choice and click
OK; the value/code will appear in the field. If the numerical values are used for
both likelihood and consequence categories, e.g. 0 to 5, these are usually
interpreted to represent the logarithmic scale (i.e. order of magnitude difference)
and the risk values are evaluated by adding the corresponding likelihood and
severity numbers (and not by multiplying which is a very common mistake).
To change the colour of the risk regions, left click on the field and then left click
on one of four colours on the left hand side of the risk matrix window. At this
stage only the shown four colours are available for this purpose. It should be
noted that the risk tolerability doctrine in the UK identified three regions of risk:
1.
2.
3.
Intolerable region (red) were risk could not be justified except in

extraordinary circumstances. This means that a facility cannot operate.
Tolerable region (yellow) in which risk is tolerable only if risk reduction is
impractical or if its cost is grossly disproportionate to the improvements
gained.
Broadly acceptable region (white) where it is necessary to maintain
assurance that risk will stay at this level.
The fourth colour (blue) has been added (without defining the risk management
action) to allow more complicated risk criteria to be utilised. The example in
Figure 2.9 shows an additional range has been added in which the management
action is to improve public relations.
Risk matrix for injuries and fatalities (P) has been shown in Figure 2.8. By
clicking on the button on the right hand side of the box with People inside, three
more types of risk are available:
Risk of damage to the environment (E),

Risk of asset loss (A), and
Risk of loss of reputation (R).
Note:
Text in the risk matrix (Figure 2.8) denoting likelihood and consequence
severity, and the notation for the fields in the matrix (A1, B2, etc) can be
changed in the project database file (e.g. in example.mdb) by opening
the database file in MS Access (2003) and implementing changes in
relevant tables (riskCat, riskLabel and riskMatrix). Do not forget to save
the file before changing it!
An example of such changes can be seen in Figure 2.9.
Risk Support Ltd.
14
Figure 2.9
Risk Matrix for Loss of Reputation
Risk Support Ltd.
15
HAZARD ANALYSIS
3.1
Hazard Categories and Top Events

A hazard is a situation or a condition with the potential to harm the people, the
environment, assets and reputation. The hazards are classified for each location
into hazard categories, for example, external, internal, etc, and then each hazard
category is mapped into a number of representative accidental events also called
top events. Top event is usually defined as the loss of control point, or the point
of hazard realisation.
To generate hazard categories right click on Hazards in the tree window and then
left click on New and the hazard input window will appear. Then specify the
hazard group code and its name, for example, E and External hazards, and click
on OK. The hazard group will appear in the tree window.
Left click on the External hazards and choose New to generate a top event. Note
that the code for the event will be the hazard code and an automatically generated
sequential number. Just add the name of the top event, Figure 3.1.
Figure 3.1
Top Event Input Window
Now left click on the Top event and the top event circle will appear in the graphics
window, Figure 3.2.
Risk Support Ltd.
16
Figure 3.2
3.2
Hazard Categories and Top Events
Threats and Consequences

Left click on the plus sign by the top event to reveal the Threats and the
Consequences. From this point there are two ways of generating threats and
consequences, as follows:
1.
2.
In the tree window, lift click on Threats to highlight it, and then right click
to get a menu, then left click on New to get the threat window, Figure 3.3.
As soon as the threat is specified, the ear on the left hand side of the top
event circle becomes shaded. This means that there is more information that
has not been displayed in the graphics window. Clicking on the same ear
contracts the bow tie.
In the graphics window, right click within the top event circle and choose
from the drop down menu, in this case New Threat which triggers the threat
window to appear, Figure 3.3.
The code for a threat is just a sequence number which is automatically generated
but can be changed manually if the reordering of threats is required. The other
buttons and check boxes will be explained at the later stage.
The consequence generation is carried out in the same manner, for example by a
right click within the tope vent circle, left click on New Consequence in the
dropdown menu and the Consequence widow will appear.
Risk Support Ltd.
17
Figure 3.3
3.3
Threat Input Window
Barriers and Barrier Decay Modes

Barriers can be generated by a right click on the corresponding threat either in the
tree or the graphics window and then choosing New. The input window is shown
in Figure 3.4. Barriers (control) type and the effectiveness can be chosen from
the drop down list if required. The barriers that prevent threats, protect people
(assets, etc.) and mitigate consequences are also called primary barriers.
Figure 3.4
Barrier Input Window
Risk Support Ltd.
18
The mitigation barriers (on the right hand side of the top event) are generated in
the exactly same manner, except that the title on the input window is Recovery
Measure otherwise it is identical to that in Figure 3.4. These barriers are also
called recovery measures.
Each barrier can have one or decay/failure modes. A decay/failure mode is used
to represent the condition which can lead to barrier erosion, ineffectiveness or
failure. For example, insufficient maintenance, inadequate procedure, etc. can be
described with barrier decay modes.
Barrier decay mode is generated in the same way as the barriers (right click on a
barrier box and choose New), except that its input window is identical to one for a
threat (Figure 3.3). Barrier decay mode can be controlled by one or several
secondary barriers which serve as means/systems that can prevention decay and
erosion (right click on a barrier decay mode box and choose New). It should be
noted that most risk acceptance criteria for bow tie risk analysis require at least
one control for each identified barrier decay mode.
Assuming that a barrier decay mode was identified for the engineered Primary
Barrier 1.1 (Figure 3.5), and that the secondary barrier (Secondary Barrier 1.1.1.1)
is generated (as a human control), then the Active Bow Tie screen would look as
shown in Figure 3.5. The Consequence 1 and the corresponding Primary Barrier
1.2 (Recovery Measure) were also generated. Note the different colours of
controls.
Figure 3.5
Active Bow Tie Screen after Generation of Controls
It should be noted that the font size and the scale have been changed so that the
bow tie would fit in the graphics window and that the titles of the boxes would be
readable. To change the font Size left click in the corresponding box and type the
size of your choice, then press Tab key. The same procedure applies to Scale.
Font type can be changed by choosing from the drop down list (left click on
Font).
Risk Support Ltd.
19
3.4
Risk Analysis
Risk evaluation is carried out by assigning severity and the likelihood category to
each consequence. To do so right click on a consequence box and choose Edit.
This will display the consequence input screen. Now click on Assess Risk to
display the risk matrix. In the risk matrix left click on the field which corresponds
to evaluated likelihood and consequence severity category, for example, unlikely
(0.1) and major injury (corresponds to D3), Figure 3.6, and then click on OK.
This process is the repeated for all types of risk and all consequences if required.
Figure 3.6
Risk Evaluation
Now left click on Hazards (below Plant), and the graphics window will display
the risk register. Left click on the top event in the top table and the results of risk
evaluation will appear in the bottom table, as shown in Figure 3.7.
Figure 3.7
Risk Register
Risk Support Ltd.
20
The risks can also be displayed in the consequence boxes of the bow tie. To do
this, got to the View menu, and tick PEAR and the evaluated risk will be displayed
as shown in Figure 3.8. The risks are displayed in the PEAR order (people,
environment, assets, reputation).
Figure 3.8
Displaying Evaluated Risks
Risk Support Ltd.
21
ACTIVITIES AND TASKS
4.1
Activities
The activity structure is conceived to comprise of an activity set for each location,
each of which can be further subdivided into activity groups and activities. An
example of an activity group is Operational activity which can comprise of
several activities such as import product, operate process units, operate storage
facilities, export products, laboratory/sampling activity, etc. The activity structure
reflects the overall organisation of the facility. However there are two ways
forward from this point, as follows:
1.
2.
For the hazard analysis study an overall breakdown of activities is usually

sufficient.
For the bow tie risk analysis and the development of an integrated safety
management system (iSMS), the detailed task breakdown is required. These
details have to reflect the day-to-day tasks of personnel, and this
development is of iterative nature since tasks have to align with risk
controls.
To generate an activity group left click on the Activity Groups in the tree window
and choose New and input the data in the activity window as shown in Figure 4.1.
Figure 4.1
Activity Group Input Window
Note that the Code is passed to other activities (and tasks) within this group. To
enter individual activities left click on the activity group and choose New to get
the activity input window as shown in Figure 4.2.
Risk Support Ltd.
22
Figure 4.2
Activity Input Window
It can be seen that the activity group code is passed automatically to each activity
and the sequential number added. Type in activity name and chose the
responsible person.
4.2
Tasks
Each activity comprises of one or several tasks. To generate tasks, right click on
the plus sign next to activity, and then right click on Tasks and choose New. This
will display task input window as shown in Figure 4.3.
Figure 4.3
Task Input Window
Risk Support Ltd.
23
Type in task name and description. The task code is automatically generated.
Choose the task frequency and the responsible person. After adding a few more
tasks and activities, the tree window will look as shown in Figure 4.4.
Figure 4.4
4.3
Activities and Tasks
Additional Activity Input

The additional information presented in this section (Figure 4.4) is required for
the completion of the integrated safety management system (iSMS).
Risk Support Ltd.
24
4.3.1
Objectives
Hazard management objectives on the activity are specified with this facility.
Right click on the Objectives to reveal an input window. Type in the objective
name and if required provide more information in the description field.
4.3.2
Management Actions
Management actions required for the success of the activity are input with this
facility. Right click on Management Action and type the information in the input
window.
4.3.3
Inputs
An input to an activity is an information or an equipment necessary to undertake
the activity. For example, if a set of tasks is insufficient for carrying out activity
in a safe manner, then a procedure may be required which is specified as input, or
if the activity is to produce an agreed plan for actions, than a starting or a
proposed plan must be input. To specify the required information, right click on
the Inputs.
4.3.4
Outputs
An output from an activity is an information or some other product generated or
processed within the activity. For example, a proposed plan for action is
discussed, modified and agreed within the activity and represents an output. An
output could also be some measurements undertaken in the activity which may
also serve as an input to another activity. To specify this information, right click
on the Outputs.
4.3.5
Performance
The following information can be supplied by a right click on the Performance in
the tree window, Figure 4.5:
1.
2.
3.
Performance indicator - a measurable, quantifiable and agreed parameter

that can be used to measure the success, i.e. performance of an activity. For
example, number of the lost time injuries (LTIs), identified deficiencies,
adherence to maintenance programmes, etc..
Performance criteria these are the safety targets set by the management,
for example, the maximum number of LTIs.
Source of measurement relates to performance measurement, for example,
maintenance records, etc.
Risk Support Ltd.
25
4.3.6
Deficiencies
Deficiencies related to activity information can be recorded by a right click on the
Deficiencies in the tree window and providing data in the input window. Typical
deficiency could be lack of performance criteria (for new performance indicators),
lack of input procedures, etc.
Target for sorting out and completion of a deficiency can also be specified.
Figure 4.5
Performance Input Window
Risk Support Ltd.
26
LINKING TASKS AND CONTROLS
The essential part of bow tie analysis is in linking activities and tasks to risk
controls. For the purpose of developing an iSMS, the day-to-day tasks should be
linked to controls. This may not be possible without some iteration on both the
bow ties and the activities and tasks3. Before linking right click on the Top event
in the tree window, choose Copy, then right click on External hazards and choose
Paste. A copy of Top event will appear; right click on it and choose Edit and
change the code to E.01b and the name to Top event (linked); left click on this
event to display its bow tie and expand the bow tie.
To start linking, right click an a barrier box in the graphics window and choose
Edit. This will display the control input window (Figure 3.3). Left click on the
Task button to display the window shown in Figure 5.1. In the activity box find
the appropriate activity (O.01 process control) and then left click on it to display
the corresponding tasks in the box below, Figure 5.1.
Figure 5.1
Linking Task to Barrier
Now highlight the appropriate tasks (e.g. O.01.01 Task 1) by left clicking on it
and then click on the > button to transfer the task to the right hand side box called
Used Tasks, Figure 5.2. If you make a mistake, highlight the task in the Used
Tasks box and click on < button to clear the Used Tasks box. Click on OK to
complete linking.
Trbojevic, V.M., Linking Risk Analysis to Safety Management, PSAM7/ESREL2004, Berlin,

2004.
Risk Support Ltd.
27
Figure 5.2
Linking Task to Barrier (Cont.)
Repeat the procedure for the secondary barrier (Secondary Barrier 1.1.1.1) by
linking it to Task 2 of the Process control activity (O.01.02). The resulting bow
tie is shown in Figure 5.3. In order to display post indicators and tasks, left click
on View and choose Barrier Post Indicator option. The post indicator of the
responsible person and the corresponding task which has to ensure that the control
is operational at al times are displayed at the bottom of the control box (e.g.
Primary Barrier 1: P1 / O.01.01).
Figure 5.3
Bow ties with Linked Tasks to Controls
An additional secondary barrier (Secondary Barrier 1.1.1.2) is shown in Figure

5.3 in order to illustrate that there are no restrictions regarding linking tasks and
controls from different locations.
Risk Support Ltd.
28
Barrier effectiveness is displayed in the upper right corner of the barrier box.
If more text needs to be fitted in a barrier box or the post indicator / task cannot
fit, the box sizes can be changed. Left click on View and choose Box Style option
The result with box style Level3 with 2 rows is presented in Figure 5.4.
Figure 5.4
Larger Barrier Boxes
Risk Support Ltd.
29
REPORTS
6.1
Displaying Information in Bow Ties

The following options for displaying barrier boxes and bow tie information are
added to the View menu:
6.1.1
Box Style
Barrier box size can be changed to accommodate larger fonts.
6.1.2
PEAR
This option allows displaying the risks to people (P), the environment (E), assets
(A) and reputation in the consequence boxes.
6.1.3
Barrier Effectiveness
Displays barrier effectiveness in the upper right corner of the barrier box. Note
that the effectiveness is not further used.
6.1.4
Barrier Post Indicator

Displays the post indicator of the person responsible for the barrier and the related
tasks the purpose of which is to ensure that barrier is available.
Risk Support Ltd.
30
6.2
Reports
The information contained in Active Bow Tie can be printed out in MS Excel
format using the Reports facility in the menu bar. The following forms (reports)
are available:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Hazards and top events straightforward list of hazard groups and

associated top events.
Activities, tasks and responsible persons list of all activities, associated
tasks and persons responsible for those tasks.
Threats and barriers this report is considered useful; it displays top
events, threats, primary barriers, barrier decay modes and secondary
barriers, Figure 6.1.
Threats, barriers and tasks this is same as the previous report but for all
barriers the post indicator and task are printed as well, Figure 6.2.
Consequences and barriers this report displays top events,
consequences, primary barriers (recovery measures), barrier decay modes
and secondary barriers
Consequences, barriers and tasks this is the same as the previous report
but for all barriers the post indicator and task are printed as well.
Activity descriptions all information related to activities is displayed in
tabular form, Figure 6.3.
Evaluated risks displays evaluated risks to people, the environment,
assets and reputation (PEAR), Figure 6.4.
Tasks not linked to barriers If the full list of tasks is included, then this
option will print tasks which are not safety critical, i.e. tasks not linked to
barriers.
Risk Support Ltd.
31
Figure 6.1
No.
M.04
Top Events, Threats, Barriers, etc.

Top Event
Berthing error
No.
1
Threat Description
Approaching berth
with inappropriate
speed
No.
1
Barrier
Competent Pilot
No.
1
Barrier Decay Mode

Pilot fails to familiarise
with vessel's
manoeuverbility
No.
1
2
3
Approaching berth at
inappropriate angle
Master identifies and

rectifies error
Competent Pilot
Failure to account for

weather and tide effects
Failure of rope or
anchor

rectifies error
Pilot/Master trained to use

rope or anchor to berth in
confined spaces
Pilot takes additional

safety measures
Criteria for berthing space

established
Allocated space for

berthing is insufficient
Pilot makes an error of

judgement
Rope or attachment failure
32
Pilot has the power to

abort the operation
Simulation training for
Pilots and Tug masters
Boatmen trained to attach

rope in time
Boatmen trained to attach

rope to the right bollard
Risk Support Ltd.
Pilot-pilot information
exchange
Pilot-Master information
exchange
Operational criteria are
established
Pilot tests the vessel prior

to manoeuvre
2
2
Secondary Barrier
Anchor failure
Surging failure
Ensure quality ropes

VTS advise on location of
anchor lines or other
obstructions
Competent crew
Figure 6.2
No.
M.04
Top Events, Threats, Barriers, Post Indicators, Tasks, etc.

Top Event
Berthing error
No.
1
Threat Description
Approaching berth
with inappropriate
speed
No.
1
Barrier
Competent Pilot
No.
1
Barrier Decay Mode

Pilot fails to familiarise
with vessel's
manoeuverbility
No.
1
HM/Pilot / C4-02.03
2
Approaching berth at
inappropriate angle
Failure to account for

weather and tide effects
Pilot / B2-08.02
Pilot-pilot information
exchange
Pilot / B2-02.04
Pilot-Master information
exchange
Pilot / B2-05.02
Operational criteria are
established
Pilot / C2-02.02
Pilot takes additional
safety measures
Pilot / B2-02.07
Criteria for berthing space

established

rectifies error
Pilot / B2-05.02
Competent Pilot
Allocated space for

berthing is insufficient
Pilot makes an error of

judgement
33
Pilot tests the vessel prior

to manoeuvre
HM/Pilot / C4-02.03
Risk Support Ltd.
Secondary Barrier
HM / C2-04.04
Pilot has the power to
abort the operation
Pilot / B2-09.13
Simulation training for
Pilots and Tug masters
HM / C4-03.04
Figure 6.3
Activity
Activity Description
Description
Port Ind.
Responsibility
Pilot
Post Ind.
P
P
Responsibility
Pilot
Pilot
Pilot
B2-05.04
B2-05.05
B2-05.06
Task Description
Check vessel defect report
Read "Pilot Card"
Establish communication with the Bridge Team and agree the
chain of command
Assess the bridge team's capabilities
Pilot-Master-Bridge Team information exchange
Agree passage plan with the Master
P
P
P
Pilot
Pilot
Pilot
B2-05.07
Provide manoeuvring and navigational advice to the Master
Pilot
B2-05.08
B2-05.09
Confirm minimum bridge manning

Check ship's draught
P
P
Pilot
Pilot
Co-operating with the bridge team and

B2-05
functioning within it
Safety Objectives
1
Ensure safety of navigation
Management Actions
1
Monitor, review and improve
Activity Inputs
1
Port Passage Plan
2
Bridge team monitoring
Activity Outputs
1
Agreed passage plan
Tasks
B2-05.01
B2-05.02
B2-05.03
Performance Indicators
Check Vessel defect report (report to
1
VTS)
2
Read Pilot card (report to VTS)
3
Check bridge manning (report to VTS)
Agree Passage Plan with the Master

(report to VTS)
Deficiencies
Risk Support Ltd.
34
Figure 6.4
Risk Register
Hazard Group
M Manoeuvring
Risk Support Ltd.
Top Event
M.04 Berthing error
35
Consequence
Damage to berth
Damage to the vessel
P
A0
B3
E
D1
D3
A
A4
C2
R
D5
E4
PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC.
7.1
Bow ties
Bow ties can be copied into MS Word or Power Point or saved in *.jpg format.
Right click in the graphics window outside the bow tie, and then choose Copy
(then switch to MS Word file and Edit >Paste Special > Picture) or Save option
which will open Save As window for specifying the file name.
7.2
Copying, Pasting and Deleting

Top events can be copied within hazards. Right click on a top event either in the
graphics or tree window and then choose Copy, then right click on the hazard
group that this event should be pasted in and choose Paste. Remember to change
the name of the copied top event.
Threats and barriers can be copied in a similar manner. To delete items right click
on the item top be deleted and choose Delete.
Activities and tasks can also be copied in the similar fashion.
7.3
Reordering
Threats and controls can be re-ordered by right click on the box, choosing Edit
and changing the Code number.
Risk Support Ltd.
36

Manual For Active BowTie

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Manual For Active BowTie

Transféré par

Droits d'auteur :

Formats disponibles

MANUAL

Active Bow Tie

Active Bow Tie

Licence free version

INSTALLING ACTIVE BOW TIE ........................................................................................ 8

HAZARD ANALYSIS ........................................................................................................ 16

HAZARD CATEGORIES AND TOP EVENTS ...................................................................... 16

ACTIVITIES AND TASKS................................................................................................ 22

LINKING TASKS AND CONTROLS .............................................................................. 27

Risk Support Ltd.

Active Bow Tie Manual v1.7c

PRINTING BOW TIES, COPYING, PASTING, DELETING, ETC............................. 36

BOW TIES ...................................................................................................................... 36

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Description of Bow Tie Analysis

Derailment Bow tie

Barrier decay/failure mode is also called Escalation factor (e.g. in Thesis)

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Barriers and Barrier Decay/Failure Modes

Risk Support Ltd.

Rolling stock faults

Active Bow Tie Manual v1.7c

Linking Risk and Process Models

Integrated Safety Management System

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Feedback loop for the improvement and operational changes,

Safety Critical Activity

In associating tasks with risk controls, distributing responsibilities, defining

Risk Support Ltd.

Active Bow Tie Manual v1.7c

An Example of Risk Criteria

Requires a minimum of two rimary barriers in place for all

Requires a minimum of one primary barrier (recovery

Requires a minimum of one effective control in place for all

Requires a minimum of three primary barriers in place for all

Risk Support Ltd.

Active Bow Tie Manual v1.7c

(Figure 1.3). A graphical representation of the data structure is presented in

Barrier decay mode

Barrier decay mode

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Installing Active Bow Tie

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Setting Up a New Case/Data File

Active Bow Tie Main Window

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Setting Up the Case and Locations

Defining Reference Data

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Personnel Input Window

Input Window for Effectiveness

Risk Support Ltd.

Active Bow Tie Manual v1.7c

Task Frequencies Input Window