In our example extract from a BowTie about preventing loss of containment due to overpressure, we have a couple of elements that are not related to individual SECEs; “Design Factor for Overpressure” and “Operator Response”.

The “Design Factor for Overpressure” is a discrete thing that happened in the past. It was either done or not done and there’s nothing you can do about it now (or at least not without a major refit!). There will be no live updates to the health of this element*. One can either include it in the model or not and it will have no bearing on the current health of the overall system. We like to include it for completeness as it means the model is accurate and can be a useful teaching aid as well.
*There are cases where the health of this element might change over time – for example, if the Design Factor results in a corrosion allowance being added to the wall thickness of pipework and hence the monitoring of the thickness of this corrosion allowance over time (as part of an Inspection program) will inform the calculation of the ongoing health of this protective aspect.
Then we have “Operator Response”. The health of this element can be digitised and is based on the information from at least three other systems (four if one also includes Operational Risk Assessments as part of this element).

If we expand the Bow Tie to show the protective elements preventing Degradation of Operator Response we can see we have Alarm Management, Process Surveillance and Operator Procedures/Competence.

Alarm Management
Alarm Management here refers to the design and continuous improvement of the Alarms from the control system such that the operator is not overloaded and is able to take the correct action within the required timeframe – usually 10 mins otherwise the action should be automated. (See EEMUA 1911 , ISA 18.22 and API RP 11673 for the full details).
This in itself is a detailed subject but it is mature and specialist systems are available for Alarm Management such as Honeywell’s Dynamo or PAS which, when properly configured, generate live KPIs of performance against the guidelines. For example, the maximum number of alarms in a 10 minute period – target = 10 or less.

Most oil and gas facilities have such systems already in place and, by connecting to these existing systems and leveraging their capability, Alarm KPI data can be used to inform the health of the Alarm Management protective functions.
Process Surveillance
Process Surveillance is again a broad subject so I will demonstrate the principle with an example, with the intention of sparking the readers imagination as to how this could be expanded to other situations.

Let’s take the example of transmitter pairs – most transmitters performing a safety function are separate from an equivalent transmitter performing a process control function. One useful surveillance operations is to compare the readings from these two equivalent transmitters and check that they are within x% of each other – say 5%. If they begin to disagree significantly then a check is required to find which transmitter needs to be recalibrated. Otherwise the likelihood of either an unintended trip, or operation beyond safe limits, is increased.
These checks are easily configured in the realtime historian and the results can be used to inform the health calculation of the protective functions.

Operator Procedures and Competence
Tracking the completeness of Operating Procedures and the training of operators is necessary to assess the health of the barrier elements here. Active Operational Risk Assessments may also be relevant.
Assessing Operating Procedures, and also possibly Operator Competence, is likely to include more qualitative elements and is hence harder than the qualitative nature of the two examples above. But it is possible none-the-less, and even if it does involve an element of human judgement, by including it in the overall model a complete picture is gained. And this visibility can also improve the accuracy of the human judgement as an awareness of the impact of such judgements becomes more widely understood.

If a Competency Management System is available then direct, qualitative, information can be taken from these for the specific Operators and also workers that will be performing other tasks. This can be extended to a more advance level later that takes account of the competencies required for different maintenance activities and assesses these against the competencies of those people offshore available to perform these activities.
Active Operational Risk Assessments may be available from a system such as DNV’s Synergi. If so then they can also be used directly in the calculation of barrier health.
In the next part of this blog we’ll consider the elements of a BowTie that are hard to model such as the Organisation elements and elements that appear on both sides of the BowTie.
- EEMUA Publication 191 “ALARM SYSTEMS – A guide to Design, Management, and Procurement”
- ANSI/ISA-18.2-2009 “Management of Alarm Systems for the Process Industries”.
- API Recommended Practice 1167 First Edition, December 2010
Read Previous Post (How to make a Digital Twin of a Bowtie – Part 1)