Digitising Bow Ties to understand Barrier Health
Bow Ties are an established method of documenting risks on industrial facilities and equipment and designing systems to detect, prevent and mitigate them. They are so named because of the visual picture that arises from the different contributing factors to an undesired event, for example a leak, and then the multiple different consequences that may arise.
A major advantage of Bow Ties is that they are a good visual way of communicating risks and the protective measures in place. However, they present a challenge to monitor in operation because they are defined at a conceptual level and there is no way to definitively link real, live, information to specific aspects of the Bow Tie.
In the example above, the hazard is a release of hydrocarbon gas and high pressure water due to the "Top Event", which is a loss of containment in the Water Injection module. On the left hand side of the Bow Tie are the causes, and on the right hand side are the consequences.
The equipment that is installed to provide the prevention and mitigation functions is often referred to a Safety Critical Equipment (SCE) or Safety and Environmentally Critical Equipment (SECE).
Here are some of the challenges of trying to use Bow Ties directly as a basis for visualising the health of a facility's protective functions.
Challenge 1: Passive elements that cannot be monitored clutter up an online visualisation
One of the causes of a loss of containment has been identified as Internal Corrosion and there are three things in place to prevent this; Design to withstand corrosions, Internal Coating and Chemical Treatment.
Only two of these can be actively monitored in operation. The first protection, designing to withstand corrosion, is passive.
There is no point having this on a visual display because it is "done" and cannot be changed. What you might want do to though, is have a link to the design information and what the design decisions were to protect against this hazard.
Challenge 2: Bow Ties do not link the protective function to the real equipment that provides that protection in operation.
On the right hand side, the first mitigation function is "Fire and Gas Detection Systems". This is an active system that can be monitored in operation. However, not every gas detector in the Fire and Gas Detection System is relevant to the Water Injection module. If there is a problem with a gas detector in the accommodation block, it should not show as the loss of a protective function in the Water Injection Module.
Bow Ties do not link these generic descriptions to the relevant equipment.
领英推荐
Challenge 3: Bow Ties do not enable realtime risk based decision making
An asset owner, facility or production manager has to make risk based decisions all the time. In order to do this they need to understand if a protective function is degraded or impaired, and what the possible consequences of this might be.
Can theyI continue operating or do they have to shut down. To be able to make this decision they need to understand what this degraded element means in a wider context.
As a simple example, if there are 25 bulbs out on emergency lighting it is probably ok to keep operating if they are spread through out the whole facility. But if they are all in one area it could well mean that they have to shut down.
Challenge 4: Bow Ties don't show the Layers of Protection
Another element of risk based decision making is understanding the status of the Layers of Protection (sometimes called the Swiss Cheese Model). Each Bow Tie represents a discrete event and resulting hazard, but in practice, the consequence of one Bow Tie can be the initiator for another.
For example, a dropped object from a crane could be the Top Event in one Bow Tie, and this could be the initiating event in another Bow Tie considering leaks, where an initiating event is a dropped object that breaks a pipe. And then this goes on to another Bow Tie considering the ignition of a gas cloud.
It is extremely useful for operators to be able to see the health of their protective functions in this sequential context
Challenge 5: Bow Ties have elements that are not meaningful to an operator
In the Bow Tie example above, one of the mitigating functions is "Regulatory Testing Planned Maintenance". The Regulatory Testing actually applies to the Safety Critical Equipment.
If a plant is 2 weeks behind on its Regulatory Testing, this element could show as "red" or having an unhealthy status. But is that helpful to an operator? What equipment does it actually apply to? Is it the gas detectors in the Water Injection module? And just because you have not tested them does not mean that they are not working.
Solving the challenge of Digitising Bow Ties
Eigen have been delivering online Safety Barrier Health Monitoring applications for industrial companies since 2016. Having worked with SINTEF Safetec and DNV , we have standard methodologies for digitising Bow Tie structures and Barrier Hierarchies, as well as a proven, knowledge graph based, software architecture for connecting to data in source systems and providing owners and operators with a live, interactive overview of the health of their Safety Barriers and protective functions.