INSTITUT TEKNOLOGI PETROLEUM PETRONASI(INSTEB) Your Partner ln . INSTITUT TEKNOLOGI PETROLEUM PETRONAS (INSTEP) Lot 9764, Mukim Batu Rakit, 21020 Kuala Terengganu, Terengganu, Malaysia. TEL: 6-09-6686000 | TEL FAX: 6-09-6603721 Email : instep@petronas.com my PETRONAS Technical Training Sdn. Bhd. © 2014. Allright reserved. No part ofthis document may be reproduced, stored in retrieval system or transmitted in any form or means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.Introduction This session covers: O 1 Why organisations should strive for zero incidents. 2 The benefits of investigating incidents. 3 The objectives of an investigation. 4 The difficulties involved in learning from incidents. 5 Setting realistic expectations on what you will get from this workshop. 6 How to become an accredited Tripod Beta Practitioner 7 Why become an accredited Tripod Beta Practitioner Introduction 5 of 37 | Typical statistic (UK 2015) 1 144 people were killed at work. 2,415 workers died prematurely due to a cancer caused by asbestos. 3 611,00 people were injured at work. NHS drug errors may be causing up to 22,000 deaths per year (Jeremy Hunt — health secretary Feb. 2018). The international labour organisation say that world wide there are more than 2.3 million deaths per year due to occupational accidents or diseases. oO 6 Aworker dies every 15 seconds. 7 10 workers have an accident every second. 2 4 Hew big is the problem? 6 of 371 It is morally the right thing to do 2 The law insists we do w Stakeholders and your HSE policy insists we do 4 It’s more profitable 5 The discipline involved improves our performance in other areas Why aim for zero incidents? 7 of 37 Pain and suffering by those involved. __ Trauma by rescuers and clean-up parties | Heartache and deprivation by dependants. Distress by colleagues. 8 0f37_ The agony of incidentsCost claimed from Uninsured costs (up to 11x higher) insurance _______ 1. Product and material damage 1 injury 2 Minor damage to plant and buildings 2 ill health 3 Tool and equipment damage 3. damage 4 Legal fees 5 Emergency supplies Recent fines in UK 6 Clearing site “1 Warburton bakery fined 7 + Production delays £2M when worker fell 8 Overtime working & temporary labour SpE DICKS PB CK Investigation time 2 Jaguar Landrover fined 10 Supervisors time (+cost of distraction) £0.9M when worker re " ‘ crushed leg. 11 Additional admin & clerical effort 3 KFC fined £0.9M when 12 Fines worker scalded with hot 13 Loss of expertise and experience _ gravy 14 Increased insurance premium The cost of minor incidents 9 of 37 In 2016 23 people received either an immediate or suspended jail sentence between February and September (3 per month). 10 for gas safety offences, 20 directors of small businesses, 3 employees. 1 sentenced to 6 years after a worker was killed during a demolition 1 jailed for 30 months when a window fitter fell to his death “low culpability (blame)” can now result in 26 weeks in prison. 23.people received jail sentences in the UK in 2016 10 of 37 |To seek assurance that you are operating within the law — and, if not, to put things right as soon as possible. Comply with ‘duty to investigate’ (moral or legal) - courts may ask for a full disclosure of the circumstances of an incident. Identify systemic deficiencies in the way that risk is managed so that they may be corrected before other incidents occur. To keep your OH&S MS aligned with the constantly changing 4 world in which you operate — analysing minor ington isi. often the only practicable way. : 5 Comply with the requirement to strive for improvement. To demonstrate concern and consequently promote a positive attitude towards safety. 7 It is NOT to apportion blame 6 Why investigate incidents? 11 of 37 The primary — function of —> Tripod Beta Learning from incidents is more than just investigating them. | Learning from incidents involves several elements. 12 of 37 |Opportunities are lost at every stage Potential for learning : han Time Note the overlap at most stages. Investigate and analyse is likely to be an iterative process. Those involved in the investigation are likely to learn the most. There is still a lot to do once the corrective actions have been agreed, Learning from incidents — where opportunities are missed. 13 of 37 How are incidents, near misses and unsafe acts reported? There is no system to People are supposed report incidents and to report a ear misses. There incidents and near are negative misses but are consequences for reluctant to do so. reporting safety Managers react badly issues, so problems and ask, ‘How do tend to get hidden. these reports affect, our targets?’ Reports are reclassified or discouraged as a way of meeting targets. Gnu eon 14 of 37Assessor Set standards, Innovate, Assess other's analysis, Lead others in finding new ways. Trainer Teach others, Recognise good performance. Practitioner Lead analysis with help, (silve Create diagram from own (simple) F investigation. Pinovicdge / Understanding Skill / Experience ae The early stages are differentiated more by skill than knowledge SIF - levels of accreditation 15 of 37 Lead complex Tripod analysis, Lead simple Tripod analysis with help Read and understand a Tripod diagram Attend an accredited | Submit an investigation Submit a 2nd Tripod course and pass | report for coaching, | investigation report for the exam review, & accreditation | review & accreditation Assessment criteria SIF - accreditation process 16 of 37Accidents cause a lot of pain and suffering; there are 2.3M work related deaths each year. When an accident occurs we are obliged, both morally and legally, to find out: a) what 2 happened and, b) what needs to be done to stop a recurrence. 3 Itis unrealistic to expect your OH&S MS to be optimum from the outset, 4 _ [tis unrealistic to expect your OH&S MS to remain optimum as things change throughout the life of the project e.g. plant, relationship with 3” party services etc. 5 Adjusting your OH&S MS through lessons learnt from minor incidents is often the only practicable way of keeping it close to optimum. Tripod Beta has been designed specifically for organisational incidents: is based on sound 6 _ scientific research, has been tested in the field and, been in use by many organisations in many industries for more than 30 years. 7 An investigation that does not refer to your OH&S MS is of limited value. | g Corrective actions that do not enhance your OH&S MS is of limited value - you are unlikely to “hold the gains” i.e. any lessons learnt will be short lived. g The Sticting Tripod Foundation (STF) is responsible for maintaining Tripod standards and enhancing the Tripod Beta process. You should become an accredited Tripod Beta Practitioner because: ‘2) The qualification is recognised internationally, | 10 b) The qualification is independent of your organisation. ¢) It provides independent, external assurance about your investigators. d) You become part of a world wide community with on-going support. e) Is proof of your personal continuing professional development (CPD). | Summary of session 17 of 37 The nature of accidents This session is about why organisational accidents occur & covers: 1 Why most incidents have more than one root cause. Learning objectives 18 of 37 2 Why the root causes of most incidents are due to | management activities. : 3 James Reason’s graphical representation of an incident (the Swiss Cheese Model). 4 how the Swiss Cheese model is incorporated into the Tripod Beta methodology 5 How Tripod Beta aligns with an organisation's management systemOne empty commuter train southbound from London Train 3 - proceeding within speed limit on green signal j Train 4 - stopped on red signal | Train 2 - proceeding with [tek souneloned sane) caution on single amber signal | Neciessteeaeereinaaieaeena | Two full commuter t northbound to London | 1988 19 of 37 Fast moving i empty south Stationary bound train sist north } (3"4 train) A H bound train | = A AN 20 of 37Outcome: ‘immediate cause: 35 people dead. _ Erroneous yellow signal for train 2. 500 Injured (69 seriously). Train 3 - proceeding within speed limit on green signal j : a - é (Train 2 - proceeding with Train 1 - stopped on red signal caution on single amber signal Details of the Clapham disaster 21 of 37 22 of 37 Communicating proceduresconnected | but the Es loose, old, black wire is in contact with the terminal. 23 of 37 © The relay box " was low down ina * dimly lit room. 24 of 37Both the old black wire and the new blue wire connected 25 of 3 Work Practices — unacceptable quality of work ignored by supervisors and managers. Poor Supervision — supervisor working on tools. Quality of testing — wire count not assigned to anyone Lack of training — Supervisor not trained in promoting positive attitude towards safety. No communication of the required standards — workers did not know about S/ 16 No proper work planning — a) /ack of experienced personnel when working overtime, b) supervisor working on tools. No work measurement ~ supervisor did not check work quality. Inaccurate drawings — wire not routed according to drawing. Failure to analyse potential risks — possibility of leaving an old wire connected discussed but nothing done. Quote from public enquiry report: Their belief in safety was a mirage, their systems inadequate and operator errors common 26 of 37* Hazards are things that have the potential to cause harm, such as: falling from a height, hit by a dropped object, electricity, water, gas, knocked over by a car etc. * They are around us all the time; there is not a lot we can do about removing them. * And, they are trying to cause accidents. Hazard Unwanted event Hazards cause harm 27 of 37 + Hazards will cause accidents unless you do something about it. * You should control the hazard and/or defend the object that could be harmed + Think of it as placing a barrier between the hazard and the person or thing that could be harmed. + Think of the hazard as a bullet and the barrier as armour plating. Hazard ’ Barrier Unwanted event Barriers prevent the hazards from causing harm 28 of 37Actions by workers in implementing | the barriers Vw SEs How the barrier is to be What the barrier should be implemented Technical, Procedural, Behavioural Barrier Unwanted event Barfiers are defined in the OH&S Management System 29 of 37 | Il | Less than adequate Error promoting Non conformity Substandard | Hazard Barrier Unwanted event Egor promoting workplace conditions defeat barriers 30 of 37Less than adequate Error promoting Non conformity Substandard | Barrier - controlling the agent Barrier - defending the object Tripod Beta terminology 31 of 37 | Tripod Beta gets it’s name from the following three cornered diagram — or was it in honour of a three legged. dog encountered on one of sho fighobuacification trips? Underlying causes Inspect and Learn from imerove Immediate cause Agents of change Barriers Events Qyigin of the name “Tripod” Beta 32 of 37i el pK Performance Flaws and i Unsafe Defeats vesies (ES) arora wam> ent [a> Ratt factors o iy a Capacity capabiity and Organisation's policy and OH&S management resilience in the workplace system Summary of Tripod Beta principles 33 of 37, Make recommendations Witness interviews Physical evidence Photos / Sketches a | Records / documents Fault tree Findings Evidence Medical evidence Events tree Probable causes Matrices Judgements Validate conclusions This course Timeline Tripod Beta Barrier analysis ‘Human behaviour analysis Performance influencing factors Flaws in management systems Investigation road map + sessions from this course. 34 of 37Number of Occupational Accidents reported to DOSH from 2015 until 2020 Tare OS om ‘400 \e oma coo 2015, 2016 2017 2018 209 2020 Year 35 of 37 Culture Ladder: A step change towards Generative HSSE CultureInvestigation only takes place when required by law. ‘There are no trained investigators. A ‘supervisor finds out what happened and who is to blame, Records (if any) of the investigation are brief and written to protect the organization. investigation. The report is kept to show ‘an investigation nas taken place, but litle else is done with it. ‘Managers accept the findings that are easy to fx but tend to 37 of 37The Core Diagram This session is about drawing “core trios” and covers : 1 All the nodes in the core diagram. 2 The “rules” for constructing the core diagram. 3 The “language test” and checking the validity of trios. 4 Transferring information from a timeline into a Tripod beta core diagram. 5 Describing each node in a core diagram to clearly explain “what happened” in an incident. 6 Constructing diagrams with multiple end events. Lgarning objectives of 45 w TRIPOD BETA METHODOLOGY | Legends Core Diagram (Trio) | i casatonalpath | a =e ‘the potential tobe sn 2 of 45Sequence of Event it pyre 13 Jan 2016 0600 IP started duty at galley 4400- Raining at Tiong A 1600hrs 1830hrs Some of POB went to helideck for recreational activities, playing light ball passing and having light jogging 1845hrs. IP slipped and fell while playing “monkey kick off game” and consequently his shoulder was dislocated. 1850hrs IP seek treatment from Medic Kamarulzaman. Medic recommended further treatment onshore 1900 - IP stayed in Sick bay and given an injection to relief the pain. 0700hrs IP was continuously monitored by Medic. 3 of 45 Timeline -Tiong A Helideck History 1982: Platform Tlong 14. April 2014: Tiong-A 2010 : Memo on p ng - helidecks usage was Helidecks inspection ts 1995 : handover zote sTieng-A gym Now 2014 : New HC chai eperatorshp from led person appointment EMEPME to PCSB 4 of 45|Sequentially Timed Event Plot (STEP}” Benefit of STEP: 1. Organise information in a way that aid early stages of Tripod Beta Analysis i.e. constructing Core Diagram (Trios) 2. Aids collaboration amongst team members 3. Suggests further lines of investigation On completion of this session participants should be able to: 1 Explain the benefits of constructing a Sequentially Timed Event Plot (STEP). 2 Recall the rules for constructing a STEP. 3 Make use of a STEP to spot missing evidence 4 Transfer information from a STEP to a Tripod Beta diagram [Leaming objectives - 5 of 45 Initial.fact finding — information arranged randomly 6 0f 45Baron gros cust oak Phot Tourney | _[Truckcavon Truck ‘Atos [| fast around orver started bend Trek takes ) Truck 1 Truck ‘end at ‘ ben stopped Journey © «| tod stamee Aa.example of STEP ~ arranging information in a way that helps analysis 7 of 46 1 The ‘actors’ can be people, vehicles, items of process equipment, process conditions etc. 5 Itcan also be a decision i.e. a mental process e.g. actor X decides to do something that leads to them actually doing it 7 Events are plotted sequentially moving from left to right; the scale is not usually linear but varies to suit the time intervals. Rules for constructing STEP charts 8 of 45Pree =) Youmey | [Truck aren A STEPis about fared |] tere” actions; keep information about £ Truck takes states, conditions Trek . a stopped and situations - separate - e.g. blue notes above main diagram. [Event 7} -—+| All elated to Actor 1 Actor 3} | Event 5 ise and effect relationship _ ——_Time in correct sequence but not usually linear "2 Column test: 1 Row test; a) actions/events are all related to the one actor, b) actions/events are all related to one action, ¢) all actions / events associated with the actor are shown. a) all columns to the left of an event occurred before that event, b) all those to the right occurred after and, C) all events in the same column occurred at the same time. 3 Necessary and sufficient test: a) events are due to a preceding action or, cause a following event, b) action/event completely explains the preceding action /events, c) the plot does not contain irrelevant information. STEP verification rules 10 of 45,4 When there is a gap in the information, work from a known event and ask ‘what could have led to this event or. or, a could this action/event have led to?” 2 Ifthere ist disprove i : 3 Often clarity can be improved by redrawing the diagram with the actors placed in a different order tof 45 — SiLEP can help you spot missing information STEP has it’ s limitations but it is very good for: 1 arranging information in an orderly manner throughout the investigation. highlighting missing information and directing lines of enquiry, particularly in the early stages of an investigation. Note: some information on a STEP may be irrelevant and mislead the investigation team Summary 120f 48Cred An unplanned, unwanted adverse change in an object due to the release or exposure of an AGENT. It is a change of state whereby an OBJECT is adversely affected (or threatened) by an AGENT. Driver injured when car crashed into tree. Reputation damaged by failing to take responsibility for oil spill clean-up Warehouse damaged by fire. Sea polluted when an oil pipeline corroded and ruptured. Worker died after trench collapsed. Maintenance worker collapsed in tank due to low oxygen level. Usually occurs at a precise time but can be over an extended period with a start and stop time e.g. health issues. N OGrRONS Event - definition 1Bof 49 Agent Anything that has the potential to change, harm or damage an OBJECT A force (fall, collision, high pressure) Areactive environment (corrosion) Condition of surroundings (low oxygen level) Something that changes a persons condition e.g. fatigue — resulting in driver falling asleep at the wheel due to 10 hours non stop driving. Temperature (high or low). Ro Ons 5 6 Time (equipment wears out). 7 The actions of a person; Something done rather than not done. "8 Full name is “AGENT OF CHANGE” but is usually abbreviated to “AGENT” 9 Sometime referred to as Hazard, threat, or trigger. 0 Always shown in partnership with the OBJECT that it is affecting. Agent of change - definition 14 of 45Anything that has the potential to be harmed, injured, damaged, lost or changed by an AGENT 7. Society 8. Chemical process 9. Software functioning 4. Aperson or people 2. Equipment 3. Acompany’s reputation 6. Assets 4. Profit 5. The environment 1 Always shown in partnership with the AGENT that is affecting it. OBJECTs are often people, equipment or the environment but they can also be intangible things like: reputation, project schedule, production output, software etc. 4 Always described as it was before making contact with the AGENT and being changed as described in the EVENT. o Qhiect - definition and examples 15 of 45 Spanner Man injured |Jdue to dropped spanner Man standing beneath overhead work Spanner Idropped from a height "Both AGENT and OBJECT must 1 be present for the EVENT to occur - Since it is always “AND” the logic gate is not shown Trigs - the implied “AND” statement Man injured due to dropped | spanner EVENT Man standing beneath overhead work 16 of 45The AGENT hat caused the| OBJECT to change "AGENT Bite from a Postman's leg | injured due to bite from a dog| | Achange in an OBJECT The object that got changed OBJECT Postman’s leg 4 When describing EVENTS it often helps to include words used to describe the AGENT and the OBJECT 2 Start with the following: EVENT = OBJECT + extent of harm + due to + AGENT 3 Adjust the above sentence to improve readability. 4 Use the past tense. Describing EVENTS 17 of 48 ‘Due to EVENT due to AGENT acting on OBJECT Man scalds imself while drinking hot __soup EVENT. Hot soup AGENT Acting on 1 The OBJECT is the thing that gets harmed. 2 The AGENT is the thing that does the harming. 3__ It may not be grammatically good English but the meaning should be clear. The,language test for trios 18 of 45Oil leaked from pipe Car crashed into a street sign AGENT. Floor made Acting on Driver injured due to car crashing into street sign EVENT Acting on Driver (OBJECT 1 It helps to start with a detailed description of the EVENT. Where things are obvious you can relax the way you describe each of the nodes but it is advisable to follow the rule initially to be sure that you have got it right. 3 Describe nodes with the report reader in mind. 2 Examples of language test for trios 19 of 45 Fitter forgets to replace Engine without Engine sump plug 4 Inthe 1* example the description for the AGENT is too vague 2. The report reader will be left wondering “what was the error” 3 Agood description as in 2" example helps in identifying the barriers Carrect and incorrect descriptions for AGENTS 20 of 45Rona Atrio must start with an AGENT and OBJECT and finish with an EVENT Atrio must have an AGENT an OBJECT and an EVENT It is incorrect to have two AGENTS and no OBJECT. It is incorrect to have two OBJECTS and no AGENT. | Rules for compiling trios 21 0f 45 ona 4 Atrio must start with an AGENT and OBJECT and finish with an EVENT Atrio must have an AGENT an OBJECT and an EVENT It is incorrect to have two AGENTS and no OBJECT. It is incorrect to have two OBJECTS and no AGENT. Rules for compiling trios 22 of 45Exercise 1 A tree.cutter cuts his @rm after losing control of his chainsaw 23 of 45 Exercise 1 A tree cutter cuts his arm after losing control of his chainsaw Tree cutter loses control of chain saw aac cuts arm after, Agent gent of Change losing control of chainsaw Tree Event cutter’s arm Object 24 of 45Event / Agent green Combination of EVENT and AGENT/OBJECT used to represent an EVENT, which goes on to play a further role in the accident as an AGENT/OBJECT. 1 Combination nodes are used to join trios, Combined nodes will often be identified as an AGENT or OBJECT in the initial investigation 2 but will be changed to an EVENT / AGENT or OBJECT to show that the AGENT or OBJECT is the result of a prior EVENT. 3 Combination nodes can be either EVENT / AGENT or EVENT / OBJECT. 4 Describing combination nodes can be tricky since a single description has to satisfy two definitions; where there is conflict, it is usually better to describe it as an EVENT node. Linking trios with an EVENT / AGENT node 25 of 45 1 Trios always start with an AGENT and OBJECT and end with an EVENT. 2 It doesn't matter whether the AGENT or OBJECT is shown on top — the first two show the AGENT on top but the final trio has the OBJECT upper most. Each trio has one of each i.e. EVENT, AGENT and an OBJECT. Trios can be connected via an EVENT / OBJECT or an EVENT / AGENT. 5, The node descriptions, the level of detail and, the tree as a whole should be sufficient to explain "what" happened The.core diagram showing “WHAT” happened 26 of 45|, Wall needs: Painter | Supervisor aintin assigns job | 952% (7 9° || painting from panning to painter fear fz Painter knocks tin of Tin of paint falls from tool Tin of paint Paint spills hits person g Paint spills, from tin EVENTS usually occur at a precise time — an exception being health issues which may be over an extended period. Draw a timeline first — it helps in getting the sequence correct and complete. Itis usually better to show the incident in detail at the start of the investigation. EVENTS can be removed or combined after BARRIERS have been added The fewer the EVENTS the more likely BARRIERS will be overlooked Do not start the sequence with EVENTS that have no significance to the investigation e.g. you are unlikely to question why a wall needs painting or, job assigned to a painter, when you are investigating why a tin of paint fell onto a person's coat. ‘Sequence of EVENTs before starting the Tripod diagram 27 of 45 Painter Painter told to} | orking from f || Painter knocks paint above Tin of paint Paint spills | falls from too! {| | onto person tray below ladder ladder above tin of paint Timeline (for core trios only) ————> Painter working {from ladder above} Tin of paint falls from tool tray due. to painter knocking it. E02 At "AGENT 02 Tin of paint spills onto person standing below Tin of paint Parson standing EVENT! resting on ladder where painter tool tay re pal BNET! 2 3 1 EVENT 4 is not included since it was not part of the investigation EVENTs 2 and 3 have been merged into E02 /A01. EVENTs 4 and 5 have been combined in final EVENT 01. Tyapsferring data from a timeline into Tripod Beta trios 28 of 45[Crew injured and | assets damaged | due to fire at | tefinery Crew injured} due to fire at refinery EVENT Of Assets and Crew OBEC OD Example A Example B Avoid combining OBJECTS (as in Example A), instead show them as two separate OBJECTS leading to two separate EVENTS (as Example B). 2 Defences for assets are likely to be different to defences for crew. Aygid combining objects in end event 29 of 45 1 Itis common to have two objects affected by the same agent - . 2. Itis unusual for one object to be affected by two agents at the same time but itis allowed, 3 In both of the above cases the outcome is two separate events Multiple end events 30 of 45Media affairs mismanaged (AGENT 07 Company accused of bribery Legal affairs mismanaged Aygid combining agents ~ use multiple end events Co. reputation harmed due to mishandling of media response Co. fined due to imisrepresentation| in legal proceedings Avoid combining AGENTs; instead, show them as two separate AGENTS leading to two separate EVENTS. 31 of 45 Multiple end events - examples of trios breaking the rules There may be times when you would like to combine two objects into a single 1 EVENT but, it is not allowed e.g. a train crashes into the back of a 2 train and passengers on both trains are injured 2 You are only allowed two lines to enter on the left of the EVENT in both the above cases there are three 32 of 45Examine each extremity in the diagram and ask “did something happen before or after this point that needs explaining The core diagram should give a Damaged slings (OBJECT OF = 2 complete explanation of WHAT Load dropped due to failure happened. ofsings |. In the first diagram either the slings are EVENT OF damaged or they have been overloaded. 4, The second diagram gives the complete story Heavy girder placed on top of slings Slings damaged due to girder Load dropped due to failure of slings. EIA W2I04 being placed on top (now in use) \ Person injured due to dropped! load Person Load standing in lift PRGENT 02 Checking that the core diagram is complete - prior and subsequent events 33 of 45 Man takes honey from bee hive Intuitively you realise collecting honey is a hazardous activity but think carefully about what the AGENT is - apply the language test Bee stings man Man takes Bee honey from becomes bee hive agitated Describe “what” happened in sufficient detail 34 0f 45Keep in mind “it is the object that gets changed”. [- Mosquito killed by swat from hand Hand OBJECT Mosquito killed by swat} from hand The, object is the thing that gets changed 35 of 45 Car parked beneath tree Car damaged by falling tree 1. This example fails the language test “EVENT due to AGENT acting upon OBJECT” The thing that the AGENT acts upon should be the OBJECT ie. the tree This diagram needs another trio to show that the falling tree then acted upon the car |" eon Be.clear about the object 36 0f 45First trio ok but do not combine OBJECTS as in final EVENT Tree blown over due to storm Car & house damaged by falling tree This example fails because: a) there are two OBJECTS in the final EVENT and, b) no OBJECT to show that the house was damaged by the tree 2 See next slide for correct diagram Dg.not combine two objects in one event 37 of 45 House OBJECT House damaged by falling tree Tree blown over due to 4 Two end EVENTS are needed to properly describe this incident. Two separate OBJECTS are needed since the barriers protecting the car are different to the barriers protecting the house. Multiple end event - example 38 of 45Exercise 2 A gas bottle explodes after being left exposed to the sun 39 of 45 Exercise 2 A gas bottle explodes after being left exposed to the sun Bottle left Preseare bald wp in exposed to rise in temperature ‘the sun after being (Gas bottle Leanotedtastesun! | lexplode due to "Agent of Change Event/AOC internal pressure 5 build up ressure nt within the gas| | 62s bottle 7 bottle Object Object 40 of 45Exercise 3 All occupants of a car killed when a train hits their car on a level crossing 41 of 45 Exercise 3 All occupants of a car kil their car on a level crossing Note : More investigation ‘required to establish why ‘car was on level crossing at ‘Same time as train ed when a train hits All car occupants killed due to train hitting car Tar on level | crossing moved Moving train | | | rentiy on bein hit by train Agent of Change Event/AOC Car on level Occupants crossing in the car Object Object Event 42 of 45Incidents are ‘considered o be an unavoidable part of the job. They ere said to be caused by reckless OF careless Individuals. Incidents are said to bbe caused by bad luck’. Managers: believe the workforce ‘causes most of the problems. erate ne ROM) 43 of 45Barriers This session is about adding barriers to the core diagram and covers: Identifying barriers in a systematic and thorough manner. Where to get information about intended barriers. Examples of barrier: functionality, system and type. Relative reliability of system types. Describing barriers in a way that helps the investigation and provides clarity to the report reader. Positioning barriers correctly in the core diagram. ala) wlrm] = Q The four possible states of a barrier and how to use each of them correctly. | Barrier 7 wall ete lish Lgarning objectives cwyll accepted oh secre 1 of 46 State (within Tripod diagram) Effective Failed Inadequate Missing Function Stop car from entering street Method iv Type _| 1, Dragon's teeth Engineering disables car driven (hard) in wrong direction 2. Driver obeys “no | Behavioural entry” sign = (soft) Reliability 1 _Both barriers have a probability of failing 2 The technical barrier is less likely to fail than the behavioural Battier: status, function, system, and type 2 of 46_B lod Loss of ce poke pest — en of reson O 0 = 2 — -- oO Uaeeha| | Guide | Warn | Restore | | Interpose Contain [cane ore} | ear ware] |—earero ee ee Beware) (Advise) (Repel ) (Restore) (Interpose) (Enclose } — JExamples of types of barrier s ing | anoance's| | opeming | | teuinat | | Soe | Frefiast | | Fi ating [so and levareess | roceaues || lor maw as aeuge rescue James Reason’s categories of barrier functions 3 of 46 1SO 45001 hierarchy of controls 5 Cee SAS a. |! ETRE NEES Substitute with less hazardous material, processes, operations or equipment. zB = rs d. | Administrative controls (including training). Erik nollnedels categories of barrier functions 1. Contain 3, Keep eerie “4 Disipate 5. Prevent movement tes 7 Communicate { 8. Monitor L 9. Prescribe I§Q 45001 and Erik Hollnagel’s systems for categorising barriers 4 of 46— Haddon's 10 ways to transfer, control, modify, interrupt, or recover from energy transfers 1 Prevent marshalling of agent — ban unsafe products. v4 Reduce energy contained in agent — toxic drugs in smaller packs, minimum sized fuel tanks. Prevent release of agent — safety margin on vessel wall thickness. Modify rate of release of agent — pressure relief valve, crumple zone on cars. 5 Keep agents and objects apart, in space or time — hazardous area Zones, delay between switching equipment off and allowing access. 6 Interpose barrier between agent and object — ppe, security fence. 7 Modify qualities of agent (shock concentration) — rubber tiles in play areas. 8 Strengthen object; make more resistant to hazard — corrosion allowance. 9 Limit damage done by agent — fire extinguisher, first aid. 10 Stabilize, repair, rehabilitate object — convalescence, recovery period. | Wiliam Haddon’s hierarchy of barrier functions 5 of 46 Hardware-Hard-Physical / Procedures-Soft-Behavioural Permanent / Temporary Technical / Technical + Procedural (mix) / Procedural Note: it is possible for a barrier to be a mix of types; for example: Operator stops pump on hearing high level alarm on tank — alarm function is technical, operator stops pump is procedural. 41. Physical / 2. Functional (engineering) / 3. Symbolic (signs & procedures)/ 4. Incorporeal - intangible (behaviour) (Eric Hollnagel) Preventive / Protective (ISO 45001) Control / Recover (Bow tie) Engineering / Administrative / Procedural / Behavioural Hardware / Following a process / Following a procedure / Performing correctly “1 The are many ways in common use for categorising barrier types. | This workshop uses: engineering / administrative / procedural / behavioural since this method helps to explain other aspects associated with barriers. Examples of categorising barriers by “type” 6 of 48Barrier function Barrier system (reliability) | 1 Prevent / eliminate hazard A Engineering controls (passive) | 2 Substitute for less hazardous B Engineering controls (active) 3. Raise workers awareness C Administrative controls (e.g. PTW) } 4 Provide guidelines D Intrinsic competence |5 Provide warning — Guidelines / checklists 6 Control / restrain / restore F Verbal instructions | 7 Modify rate of release G Policies / procedures | 8 Separate by time / distance H Signs / notices 9 Interpose between hazard / object | Rules 10 Modify quality of hazard J Personal protective equipment 11 Strengthen target / object Barrier system type 12 Contain / limit damage (Barrier systems grouped into categories) 13 Find, rescue, stabilise workers a) Engineering b) Administrative 14 Repair / rehabilitate / restore c) Procedural d) Behavioural Barrier: function, system and type. 7 of 46 Business activities (areas of risk) Documents that define the required barriers 1. Routine & non routine Administrative procedures for: permit to work, job tusks hazard analysis, risk assessment matrix, managing contractors, simultaneous operations. 2 Personal safety Life saving rules / Guidelines for: entry into confined space, lone workers, working at height, hot work, rope access, provision & use of workplace equipment, personal protective equipment. 3 Process safety Engineering standards for: process containment, shutdown system, fire and gas detection, ignition control, design standards. 4 Health hazards Policies on: substance abuse, health monitoring, thermal stress, human factors engineering, acute toxic substances. 5 Environmental hazards Standards for: air quality, greenhouse gases, energy management, continuous flaring & venting. 6 Hazardous activities Procedures for: drilling, seismic operations, road transport, maintenance management, diving. The investigation is partly about assessing how good the intended barriers are NOT what the investigation team think should have had been used. Bysiness activities where relevant barriers might be specified 8 of 46Elements within the The workplace Day to day ————— capability, capacity and, resilience. HSE Management system activities Safety critical activity business activities standards business ¥ - control Instruction The actions standards | Competence, required to Tools & implement | equipment, | | the barriers. Conditions in Actions the workplace Safety critical activities performed correctly Effective barrier Barriers are defined in the HSE MS. 9 of 46 The level of risk determines the level of detail in the control description Risk control process Ea High - explanation as to how Co. operational & support controls apply in a specific location or department fic to the workplace controls Lgyel of detail in barrier description depends on associated risk 10 of 468 Safety Operations critical activity business business wie contro! Instructions, The actions standards ‘Competence, required to Tools & implement equipment, — the barriers. { Effective barrier [ Effective barrier | | Effective barrier Hgw barriers are defined within management system 11 of 46. a rc f f | | | | | | | Engineering} \Administrative| Procedural Behavioural Pressure Relief Valve Lock Out Tag Out _—Safe Operating Procedures _Life saving rules Bund wall Permit To Work Operating procedures Signs Fire wall Job Hazard Analysis Guidelines Notices Human Factors Simultaneous Operations Checklists ‘Traffic regulations Manual Of Permitted Operations PUWER Site induction 8.1.3 Management Of Change LOLER Take five 8.1.4 Outsourcing COSHH Dynamic risk assessment 8.1.5 Procurement ‘Maintaining awareness 8.1.6 Contractors ‘OH&S MS Defines the risk iman. process e.g) JHA, PTW, MOC Performing influencing factors || Nonconformity Ve Ne Performing Outcome of Negative authority process- aspects ‘applies (defines the relating to ‘admin. barriers) outcome. process Admin. type barriers are specific to an activity & are the output of a process __12 of 46Comply with permit to work Conduct a gas test Verity isolation before starting work Wear appropriate personal protective equipment Obtain proper authorisation before starting work Obtain authorisation before overriding or disabling safety critical ‘equipment 7 Protect against falls when working at height 8 Do not waik under a suspended load 9 Do not smoke outside designated smoking areas 10 Wear your seat belt 11 Follow journey management plan 42 Askifin doubt 13 Obey safety signs and audible signals 14 — Comply with warning barriers 15 Follow instructions and procedures 16 Use the right too! in the right way 17 _ Stop if you believe your activity is unsafe 18 _ Observe emergency response procedures Bghaviour in compliance with site rules are barriers 13 of 46 Oane nla Has the potential to cause harm Control ‘An unwanted change in the| OBJECT Has the potential to be harmed Defend Barrier 1 Each barrier is trying to stop the AGENT and OBJECT coming together. 2 The control barrier does not necessarily remove the AGENT. 3__If any barrier is effective the next and alll following EVENTS do not happen. Carrect placement of barriers 14 of 46microwave oven Timer switches microwave oven off to prevent icake from burning Cake burnt due} to being in microwave oven too long microwave Cook removes cake on time to prevent it from burning, 4 BARRIER 1 controls the AGENT, 2 BARRIER 2 defends the OBJECT from the affects of the AGENT. 3 Only one of the BARRIERS needs to work to prevent the EVENT. 4 Either BARRIER prevents the OBJECT and the AGENT from coming together | Barriers control or defend 15 of 46 Blast from explosion on plant AGENT Biast energy dissipated ‘before reaching control room by positioning control room safe Control room distance from plant operators injured by blast from plant explosion Control room operators (Control room operators protected from blast by positioning control room safe distance from plant 1 “Interpose” barriers can go in either leg of the trio 2 Donot place the same barrier in both legs 3 Note the two descriptions for the same barrier ‘Tpterpose” barriers can go in either leg 16 of 46fm 1. The barrier worked as intended i.e. the next event and all —i— subsequent events did not happen. { Effective 2. All EVENTs downstream of effective barriers are “potential”. barrier | 3 Use when investigating near misses or highlighting potential escalation when other barriers have failed. 1, The barrier has been defeated by a single unsafe act. ——— 2. They include barriers that were normally in place but were Failed missing when the accident occurred e.g. fire extinguisher not in barrier it's normal place. 3. By far the most common state shown on Tripod Beta diagrams. 1. Barrier in place but not capable of doing the job. 2. Hazard has been identified but risk assessment, or the understanding of what is required of the barrier, is less than Inadequate adequate. barrier_} 3. Often inadequate barriers are identified as failed barriers and consequently have the wrong immediate cause. { 1. Barrier should be in place but was not and was never intended. : 2. Hazard has not been identified or risk incorrectly assessed. Missing 3. Due to failures in risk management or failure to assure barrier compliance with legal requirements or best practice. Barrier states and symbols 17 of 46 “intended barrier is ea ‘No: Identified or risk incorrectly assessed! Hazard identified but risk Incorrectly assessed or barrier specified not ‘capable of managing risk Barrier correctly specified but the means to implement itless than adequate Missing / . ( Favourable / | Actual random q ‘ \_ chance event Dgciding on barrier state and outcome 18 of 46activities standards in ” Immediz Underlying Precondition immediate cause cause SEG or MSET Underlying cause Underlying cau! z O c Missing Inadequate barrier barrier The underlying cause for each barrier state 19 of 46 The description should have (explicitly or implicitly) three parts :- 1) what the barrier should achieve i.e. it's functionality, 2) how it achieves it i.e. the system or method used, 7 3) who or what the barrier is protecting or controlling. Effective Other considerations:- : 7 4) State what should be done rather than not done. barrier 5) Include who is involved - if appropriate. 6) Describe the barrier as being effective in the present tense - not in it's failed state. 7) Had the barrier been effective it should not have been possible, under any circumstances, for the next EVENT to have happened. A good, detailed description helps:- 8) when considering corrective actions, 9) in spotting inadequate barriers, 10) investigators, report readers and report auditors. Examples FO al F ) on O O O Oo O c c 1 c im Tank prevented Collision ‘Overpressure: [System over press. Slips prevented from overflowing prevented by prevented by prevented by by worker by operator driver stopping ‘controlling | loperator regulating) | maintaining stopping loading car in timely process with | | incoming pressure footing by pump on hearing manner by pressure reliet | | witha pressure | | wearing non slip high level alarm | | applying brakes valve control valve. safely shoes Dgscribing barriers — tips and examples 20 of 46A B Cc | Seat bett Driver failed to Driver restrained . fasten seat belt by wearing seat Options A, D and E describe This is an This is the best option since the system employed but not Immediate Cause it gives both functionality what it is trying to achieve and system to achieve it D E ) All seats fitted with a seat belt Driver wears seat belt Does not mention functionality Could have been improved by saying what the or even the requirement to barrier should achieve - perhaps not necessary wear a seat belt for something as obvious as a seat belt | Examples of poor descriptions 21 of 46 Digger operating in 3.3 kv cable cut due to POTENTIAL || 3.3kv buried Digger driver ‘OBJECT 1 The NARRATIVE symbol has been included to explain the circumstances of the fortunate random chance i.e. “good luck” 2 Never use the term “good luck” on a Tripod Beta diagram. 3 The Tripod Beta diagram should give a reasonable account of what happened; NARRATIVE statements often help. Narrative symbol - how to model “good luck”. 22 of 46(The over pressure did not ‘occur. Werte Overpressure ‘during process| upset AGENT explosion of Vessel unprotected Pressure relief| POTENTIAL vessel for vessel to be EVENT valve (PRV) ‘opsect foresee functioning PRV EVENT OBJECT Pressure relief valve set incorrectly | incorrect set | incorecty set RV tied to | (PRY fited to. vessel avoided | esol svoised by goods by fitter terror by contractor's instrument technician PRY setting | PRV ating ‘assured by | assures by roonips dept Technician | _ inspection checkin checking Taliowing | folowing QC documentation, | documentation Instrections | “procedure 1 Apressure relief valve was sent to a service company for recalibration. 2 Onit's return, a company fitter was asked to reinstate it. However, he noticed, in the accompanying documentation, that the valve had | 3. been reset to operate at a pressure greater than the maximum allowable working pressure of the vessel. 4 This could have had disastrous consequences if the valve had been reinstated. 5 The narrative statement explains that this was a high risk, potential incident. Example of an effective barrier 23 of 46 Damaged slings fail and load drops From Gaunt Person injured by dropped load EVENT] (Broppedtonds avaide| by inspecting sr remove damages slings tom serie "BARRIER T Suspended Person beneath suspended Identifying barriers is a specific step in the Tripod Beta process. Each leg is examined in turn. Each barrier is assessed as being adequate or not. Missing barriers are identified by looking at the tree as a whole and assessing if activity being conducted with risk at ALARP. The layout of the diagram and the descriptions help in this process. Barrier analysis in Tripod Beta 24 of 46 a & onsConstruct the core diagram then examine each leg in turn and ask the following | 1 How does the company normally control the agent? 2 How does the company normally defend the object? ) 3 Is there a document that states what the barriers should be e.g. guideline / procedure / checklist / instruction / scope of work? 4 Can all the barriers be placed correctly or should an EVENT be broken down into smaller steps i.e. add another trio. 5 If the barrier had been implemented exactly as intended, was it capable of preventing the event? If not, show it as an\inadequate barrier.) 6 When all the intended barriers have been added assess if the risks associated with the job were ALARP (as low as reasonably practicable); if no, ask “what is required in law or good practice” — and add them to the diagram as missing barriers. 7 Abarrier overlooked is an improvement opportunity missed. 8 Barriers are the tangible output from your OH&S MS — they ARE your management system — more so than words on paper in your OH&S MS Kgy questions for the investigation 25 of 46 A measure which reduces the probability of releasing an agent's potential for harm and Barrier of reducing its consequences. There Is no node called “Barrier” in the Tripod Beta methodology; the symbol shown is an EFFECTIVE BARRIER A barrier either controls the agent or defends the object. ISO 45001 refers to them as preventive or protective measures. No barrier is perfect; each has a probability that it will fail. However, barriers shown on a Tripod Beta diagram are binary — they either work 100% or not at all; there are no points in between 6 Reliability can be improved by adding barriers — defences in depth Defences in depth should have the same barrier functionality but differing barrier systems e.g. no entry sign and one way dragon's teeth. g Barriers are the output from the organisation's risk management processes and can be: engineering, administrative, procedural or behavioural. Barriers in general 32 of 46 Bown] a aA barrier that was effective in -— restoring control or preventing further consequential injury or Effective damage following an event barrier The barrier worked as intended. The EVENT in a trio containing an EFFECTIVE BARRIER did not actually happen 6 e and is shown as a POTENTIAL EVENT to illustrate what could have happened. 3 Allsubsequent EVENTS after this first POTENTIAL EVENT also did not happen and are shown as POTENTIAL EVENTS. 4 The end EVENT cannot happen if there is one EFFECTIVE BARRIER anywhere in the diagram. 5 AN EFFECTIVE BARRIER is used to elevate the severiy of an incident so that there will be a higher level of investigation. Effective barrier - definition 33 of 46 _) — A barrier rendered ineffective by an —_f immediate cause. Failed barrier 1 The barrier, as defined, should have prevented the EVENT in the tro, but failed to do so by an unsafe act of a person as shown in the IMMEDIATE CAUSE An EFFECTIVE BARRIER is shown blocking the line 3 (> and their EVENT thereby preventing the EVENT from actu i ea a’ FAILED BARRIER is shown with a gap through which the AGENT/OBJ to create an EVENT. 3 The gap has been caused by an unsafe act. 4 The single unsafe act defeating a failed barrier is an IMMEDIATE CAUSE. They include barriers that were normally in place but were missing at the time of the EVENT e.g. a fire extinguisher not in it's normal place. In a reasonably well run organisation they are likely to be the most common. barrier states on a Tripod Beta diagram. Failed barrier - definition 34 of 46A barrier identified and established by CO the organisation as a management control measure which was implemented as designed but still failed to prevent escalation as the design of the barrier did not fully take into account the circumstances of the event. Inadequate barrier 5 The BARRIER is shown letting the AGENT or OBJECT pass through a “gap” thereby allowing the AGENT and OBJECT to come together to create the EVENT. A BARRIER is in place but is not capable of controlling the AGENT or protecting the OBJECT. Often, an inadequate BARRIER is incorrectly shown as a failed barrier. The true nature of an inadequate barrier becomes apparent when the action described in the immediate cause cannot be allocated to one of the “human failing” categories. i.e. the perpetrator did exactly what he/she was told to do. They are due to the hazard being correctly identified but the assessment of risk or, the understanding of what is required of the BARRIER, is less than adequate. Inadequate barrier - definition 35 of 46 ; | A barrier not identified by the i —1—_ organisation as a management control measure but was required barrier ABARRIER should be in place but was not and was never intended. The hazard has not been identified or the risk incorrectly assessed. They are due to failures in managing risk or failure to assure compliance with legal requirements or best practice. In a well run organisation missing BARRIER are uncommon, MISSING BARRIERS can be spotted by doing a Level Of Protection Analysis. A missing BARRIER may also be spotted by subject matter expert looking at the entire Tripod diagram and asking “was this activity being conducted with associated risks as low as reasonably practicable (ALARP)’. Missing barrier - definition 36 of 46{ Narrative [ An explanatory note within the tripod diagram It can be used to give further explanation about any element within the diagram It can be used to explain why an EVENT did not take place when all barriers failed or there were no barriers in the trio i.e. favourable random chance (good luck), The entire Tripod Diagram should give a reasonable summary of the analysis and narrative statements are used to add clarity. Anarrative statement can be placed between any two nodes in a diagram; it 5 becomes attached to the connecting line i.e. unlike a “post-it a note” added anywhere on the diagram. Narrative - description 37 of 46 Operator closes stn. valve before End of flow- line closed Flow from well greater than capacity of relief valve (Closed flow-ling} over pressured due to flow from well EVENT 1 Flow-line | isolation valve Uncontrolled flow from well pressure limited by pressure ief valve 6 An oil well is connected via a flow-line to a gathering station. The flow-line is fitted with a pressure relief valve (PRV) and an isolation valve. The operator closed the flow-line isolation valve (at the gathering station end) before closing the valve at the wellhead. The oil well continued to flow and pressure built up in the flow-line. The PRV opened to relieve pressure However, the well flowed at a higher rate than-the capacity of the PRV and the flow- line pressure increased above it's design pressure. Example of an inadequate barrier 38 of 46_L_Relabilty— -* Stage as incident unfolds ——————+ Function &> 1/2 | 3 4 5 6/7 | 8/9 |roni2) 13/14 +, Eliminate] Make | TRE System \ Redlice | aware aces a Sane lInterpose| Contain | : Passive engineering | A controls Active / n wanes AB Most effective controls }-———Least effective =| | Mal 39 of 46 | FB 1 is defending OBJECT 3; a lower order of reliability than controlling AGENT 3. FB 2isalsoa defence barrier, rather than a controlling barrier and is made worse by being very late in the sequence of EVENTS. 3B These two barriers are plotted on the BARRIER matrix — according to their ~" functionality and system type. One is in the red zone (the worst) & one in the brown 4 Their positions on the matrix gives an overall (subjective) impression that this activity is being conducted with risk above ALARP. 40 of 46Neededto | reduce risk to ALARP__} aly ‘AGENTS oBieCTs \ Defending OBJECT barrier (lower order than controlling the AGENT) Grenfell Tower Fire, 14 June 2017 Just before 01:00 on 14 June, fire broke out in the kitchen of a fourth floor flat atthe 23 storey ‘ower block in North Kensington, West London, Within minutes, the fie had raced up the exterior ofthe building and then spread to all fur sides. {By 03:00, most of the upper floors were well alight Seventy-two people died. Good practice throughout industry ee a iii a 0 est | Legal | | eaqurémen | ~ 4 fe. Very late in the sequence Lo ous est 41 of 46 qcetat osteustBarrer) Replace reload Power surges proven, in main sltge protection 6 Fridge lon power supply supply overloaded and catches oO cladding of | building OBJECT 1 from spreading in by kitchen window cladding of butlding catches fire EVENT! Kitchen catches fire (EVENT ZAGENT Fire contained by stool back (Batier4 on fidge a 1 Barrier 1 should be placed before the EVENT that it is trying to prevent 2 Barrier 2 could be regarded as an interpose type barrier and could go in either leg. 2 Switching barrier 3 and 4 will make it easier to follow the ‘story’. Vyhere in the diagram should barriers be placed? 43 of 46, y Bar Outer (overload prevented by cladding of on’ Bower Supp building Power surges No" power supply Building ETH adn in mains ere cladding electric resistant fire | TBarier¢] AGENTS Cori Cita Gear Fridge overloaded and catches Fire contained by steel bs plate on frie Kitchen catches fire aren? Fig preveried rom spread by dosing = kitchen window ‘on heating OBIECTS, smoke alaren Tearer > It is ok to place barrier 3 in either leg since it is an “interpose” type barrier but | think that it is more to do with containing the fire rather than protecting the cladding + 2 Barrier 2 could also be regarded as an interpose type barrier but, from the manufacturers point of view, it is intended to contain the fire not protect the kitchen. 3 Ifyou number barriers do it in the sequence in which they failed Example of correctly placed barriers 44 of 46Immediate cause This session is about identifying how barriers are defeated and covers: "1 Describing an IMMEDIATE CAUSE. 2 Definition of competence. 3 Using the generic error model (GEMS) to distinguish between: skill based errors, rule based mistakes, and knowledge based mistakes. 4 Categories of human failings. 5 Describing the likely workplace conditions that promote each category of human failing. 6 James Reason’s “culpability decision tree” to identify the category of human failing. 7 Recalling, in qualitative terms, the reliability of humans. Learning objectives 1of 35 Immediate causes are ALWAYS acts Preconditions are ALWAYS conditions PCs are the conditions, situations, or states that influenced the person performing the IC. The IC can only be an act ‘Skill based error NEVER a condition Mistake Violation If the person performing the IC is not known or not 3. interviewed then continue investigation using evidence from their colleagues. \UNDERLYING CAUSE PRECONDITION. FAILED BARRIER Barriers can be hardware, acts or a mix of both ‘Agents can be conditions or acts OBJECT AnJmmediate Causes is always unsafe act - NEVER a condition 2 of 35yndi Pressure relief valve inoperable due to ice blocking line © Main. tech. set pressure relief valve to operate above design pr. Uncontrolled inflow of gas 0 Pressure kept below design pr. with PRV Uncontrolled inflow of gas fessure kept below design pr. with PRV Vessel over pressured investigation eae | Vessel over pressured Vessel ‘OBIECT 1 Barriers are often defeated by an unsafe condition but we cannot show it as an IC 2. Barriers that are vulnerable to unsafe conditions should be protected by a 2" barrier Barrier defeated by an act — but not by a condition 3 of 35 a 1 Threats Consequences Controls . owoonerer Lp Contols & Ty ie Construction Loss of error life Top Commissioning ear event Pollution Loss of containment, Maintenance Asset error damage Pressure relief valve Recovery Reputati Operating error measures ae Trace neaiiN9 | Barriers defeated by hazardous conditions in a Bow on roletzne Tie are shown as having an “escalation factor” Temp. below zero Escalation factor Escalation factors in a Bow Tie diagram 4 0f 35