Origins of energy barrier accident perspective

This post introduces the energy transfer model and the development of the energy barrier accident perspective.

During the 1960s and 1970s, two pioneering safety theories were developed, both of which studied the transfer of excess energy from a source to a vulnerable target. Both theories demonstrated how accidents occur, and paved the way for safety thinking based on potential energy sources. James J. Gibson was the first of the two researchers to define and illustrate the energy model, Energy Source-Barrier-Vulnerable Target (as discussed in an earlier post), in 1961 (Kjellén, 2000).

The infamous Energy Model by James J. Gibson

However, in 1970, William Haddon revolutionized the field of accident causation. He introduced 10 simple yet powerful rules to avoid, control, and mitigate accidents involving vulnerable targets (Haddon, 1980).

Haddon's 10 accident prevention strategies, Haddon (1970, 1980)

In 1980, W.G. Johnson defined a barrier as “The physical and procedural measures to direct energy in wanted channels and control unwanted releases”. W.G. Johnson is also famous for his proposed MORT (Management Oversight & Risk Tree), adopted by the nuclear industry (read MORT manual here).

In 1987, Urban Kjellen used the accident prevention strategies proposed by Haddon and termed them <Barriers> for ensuring safety, but in a later publication Kjellen proposed to use the term <Barrier> for physical countermeasures, e.g. a metal mesh = <Barrier> to separate rotating propellers and vulnerable targets (Kjellen, 2000).

History and development of energy model into energy barrier accident perspective

In 1997, James Reason coined a safety theory based on the notion that accidents can be avoided with an approach of defense-in-depth. In other words, there is more than one barrier in a system, and every barrier layer has faults and failures. Only when all of these barriers fail will an incident or accident occur. He illustrated this with the intuitive image of Swiss cheese, where the holes in the cheese represent failures in the barriers, hence the name Swiss Cheese Model. If a hazard passes through the holes in the barriers, it can turn into either a serious incident or a failure in the system. He also distinguished between the terms <latent failure> and <active failure>. A latent failure is a barrier functional failure due to unknown causes and is not observable, while active failures occur during the execution of barrier functions and are observable.

Swiss Cheese Model – James Reason (1997)

Snorre Sklet, in his doctoral thesis, defined three key terms in safety and barrier performance management applicable to the oil and gas industry (Sklet, 2006). The recommendations from Sklet have been well adopted in the Norwegian oil and gas industry. The key is to organize and use the barrier terms consistently. The recommendations were used in the recently published Petroleum Safety Authority memo on <Barrier Management>.

Overview of barrier system, functions, and elements.
  • Barrier system – a system that has been designed and implemented to perform one or more barrier functions, e.g., Reduce consequence of hydrocarbon leak
    • There may be one or more barrier systems depending on the risk reduction requirements
  • Barrier function – a function planned to prevent, control, or mitigate undesired events or accidents, e.g., Reduce duration and size of leak
    • Each barrier system may have 1 to N barrier functions
  • Barrier element – a component or a subsystem of a barrier system that by itself is not sufficient to perform a barrier function, e.g., Process shutdown systems
    • Each barrier function requires 1 to N barrier elements to function on demand

In 2013, the Petroleum Safety Authority (PSA) published the barrier management principle memo to guide oil and gas operators in maintaining barrier management according to the PSA requirements. This guide builds on previous work on RNNP (Trends in Risk Level in petroleum industry) and suggests development of technical, operational and organizational safety barriers.

So, how is the energy barrier accident perspective applied in high risk industries?

Let's consider a typical bow-tie risk model. The left side of the bow-tie contains preventive barrier systems, functions, and elements (before the accident). The same is true of the consequence part (right) of the bow-tie (after the accident). As illustrated, the energy source initially has to pass through the preventive barriers before the accidental event can occur. The number of barrier systems may differ depending on the overall hazard identification and corresponding risk reduction strategies for a given system.

Energy barrier perspective with a bow-tie risk model

If the accidental event occurs, the barriers to prevent escalation of the event have to perform as planned. If they don’t, the vulnerable target, be it human, machinery or cost of operations, is severely affected. In a traditional barrier management approach, the energy can, in ideal situations, be traced to the source (with the help of risk management and reliability assessment). A key point to note here is that these barriers are not only technical barriers, e.g., valves. Barriers may also be in the form of operational procedures or organizational practices. In other words, Man, Technology and Organizational barriers (MTO) have to be combined.

A case study

Let us take the Macondo blowout as an example to demonstrate the energy barrier accident perspective. Previous studies have shown that the cause of the blowout was not a single failure, but a set of multiple failures in the MTO barriers. The illustration shows the barrier functions and barrier elements in green, blue and yellow boxes. The barrier system is: avoid hydrocarbon leak.

Macondo blowout explained with energy barrier accident perspective

One observation, as pointed out in the limitations section, is that the illustration shows the accident progression to be linear, but complex systems seldom fail through single failures. This example shows the main drawback of the energy barrier accident perspective: linear vs. complex system interactions.

Strengths of the energy barrier accident perspective

  • Useful tool to identify hazard control strategies
  • Forms a basis for analytical risk control
  • Fundamentally based on energy transfer phenomenon and physics of the immediate environment
  • Helps avoid over-conservative design of barrier functions and supports the choice of the right preventive defense strategies.
  • Is transferable within various application fields, such as medicine, emergency preparedness, and high risk industries.
  • For example, a computer virus may be termed as a potential energy transiting through a network of computer servers.

Limitations of the energy barrier accident perspective

  • Energy model and energy barrier perspectives are fundamentally based on linear progression of failures to an accident, while accidents may occur due to complex interactions in a complex system.
  • Inter-dependencies between barriers from different barrier systems exist and may be missed during various safety analyses. E.g., failure of the power supply may affect one or more sub-barrier functions.
  • The adoption of the energy transfer model in a large-scale system may prove challenging due to the need for system co-ordination in distributed systems, e.g., the aviation industry.
  • If over-conservative barrier functions are designed, it may complicate the workings of the entire system and increase the inter-dependencies.
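
The barrier system, function and element hierarchy described earlier, and the power supply inter-dependency noted in the limitations above, can be checked mechanically. The following Python code is an added example, not part of the original post; the barrier names beyond those quoted in the post, and the utilities each element is assumed to need, are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the original post):
# barrier system -> barrier function -> barrier element -> utilities it needs.
MODEL = {
    "Reduce consequence of hydrocarbon leak": {
        "Reduce duration and size of leak": {
            "Process shutdown system": {"power supply", "instrument air"},
            "Gas detection": {"power supply"},
        },
    },
    "Prevent ignition": {
        "Isolate ignition sources": {
            "Electrical isolation": {"power supply"},
        },
    },
    "Protect personnel": {
        "Evacuate area": {
            "Alarm": {"emergency power"},
            "Muster procedure": set(),  # operational barrier, no utility
        },
    },
}

def barrier_functions():
    """Yield (system, function, elements) for every barrier function."""
    for system, functions in MODEL.items():
        for function, elements in functions.items():
            yield system, function, elements

def functions_lost(failed):
    """Functions that cannot act on demand: a function needs all of its
    elements, and an element fails if any utility it needs has failed."""
    failed = set(failed)
    return sorted((s, f) for s, f, elems in barrier_functions()
                  if any(deps & failed for deps in elems.values()))

def shared_dependencies():
    """Utilities relied on by more than one barrier function."""
    users = defaultdict(set)
    for s, f, elems in barrier_functions():
        for deps in elems.values():
            for dep in deps:
                users[dep].add((s, f))
    return {d: sorted(u) for d, u in users.items() if len(u) > 1}

def all_barriers_breached(failed):
    """Swiss Cheese view: the hazard gets through only if every function is lost."""
    return len(functions_lost(failed)) == len(list(barrier_functions()))
```

In this sample, a single power supply failure removes two barrier functions that sit in different barrier systems, which a per-system analysis would count as independent layers.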

 

Feel free to explore the following references.


 

References

Johnson, W.G. (1980). MORT Safety Assurance Systems. New York: Marcel Dekker. URL: http://tinyurl.com/qf98bdn

Haddon, W. (1970). On the escape of tigers: An ecological note. Technological review, 72(7), Massachusetts Institute of Technology, May 1970.

Haddon, W. (1980). The Basic Strategies for Reducing Damage from Hazards of All Kinds. Hazard prevention, Sept/Oct. 1980.

Kim, Hyung Ju. (2014). Titanic Viewed from Different Perspectives on Major Accidents. Presentation, TPK5160 Risk Analysis. URL: http://frigg.ivt.ntnu.no/ross/risk/slides/kim-06-14.pdf

Kjellen, U. (2000). Prevention of Accidents Through Experience Feedback. Taylor & Francis, London and New York. URL: http://tinyurl.com/nwbl9er

Petroleum Safety Authority. (2013). Principles for barrier management in the petroleum industry. Technical report. URL: http://www.ptil.no/getfile.php/PDF/Barrierenotatet%202013%20engelsk%20april.pdf

Rosness, R., Grøtan, T. O., Guttormsen, G., Herrera, I. A., Steiro, T., Størseth, F., Tinmannsvik, R. K., and Wærø, I. (2010). “Organisational Accidents and Resilient Organisations: Six Perspectives Revision 2,” No. Sintef A 17034, SINTEF Technology and Society, Trondheim. URL: http://tinyurl.com/pf4sbbb

Reason, J. (1997). Managing the Risks of Organizational Accidents. Ashgate. URL: http://tinyurl.com/nodbbov

Sklet, S. (2006). Safety barriers on oil and gas platforms. Means to prevent hydrocarbon releases. Doctoral thesis. URL: http://www.diva-portal.org/smash/get/diva2:122483/FULLTEXT01.pdf