CHEMICAL ENGINEERING TRANSACTIONS
VOL. 77, 2019
A publication of The Italian Association of Chemical Engineering
Online at www.cetjournal.it
Guest Editors: Genserik Reniers, Bruno Fabiano
Copyright © 2019, AIDIC Servizi S.r.l.
ISBN 978-88-95608-74-7; ISSN 2283-9216

Opportunities to Enhance Barrier Management Through Incident Analysis

Emma A. Verschoor*, Fabian Zitman
CGE Risk Management Solutions, Vlietweg 17V 2266 KA Leidschendam
e.verschoor@cgerisk.com

Many high hazard industries use bowties to analyze and assess risks. In the bowtie risk analysis model, barriers are identified which aim to prevent, control or mitigate unwanted scenarios. However, despite best effort risk assessments, incidents and near misses may still occur. When they do, organizations typically conduct investigations to come up with recommendations to avoid similar situations in the future. Unfortunately, in many cases these investigation reports end up as a collection of largely unstructured documents. They are often treated as single events, making it difficult to clearly identify trends over multiple events.

Scenario-based Incident Registration (SIR) aims to provide a more structured process. A user selects a specific scenario from a set of bowties and assesses the effectiveness of the barriers identified on the original bowtie. Specific questions are asked per barrier about the reasons for the failure. These findings are stored on a barrier level. If this process is repeated, the bowtie will accumulate barrier failure data of multiple incidents in a single diagram. This information helps the organization to identify the strength of their barriers, which in turn facilitates risk-based decision-making.

Some incidents require in-depth investigations, and a registration alone is not enough. However, this registration can be used as a starting point for the incident analysis. Doing barrier-based incident analysis allows you to learn from barrier failures and improve their performance in order to prevent similar incidents from happening. This incident data together with the SIR data can be linked back to the bowtie diagram in order to spot the strengths and weaknesses of your visual risk assessment. SIR is a continuous process which is more than a reporting system. The reporter does not require knowledge about the bowtie methodology, while incident managers receive valuable insight into their pro-active risk assessment.

1. Introduction

Through the years, as organizations have focused more on safety, accidents have become less frequent. Overall, this is a good thing. However, for safety managers, this makes things more complicated due to the way safety is currently measured: the absence of incidents and accidents. Paradoxically, fewer incidents also means less data to measure whether the organization is safe or not. With the increasing complexity which hides the underlying factors in organizations, merely the absence of accidents no longer guarantees that we are safe (Hollnagel, 2014). Many examples of organizations with incidents after a long absence of incidents exist: the 1986 Space Shuttle Challenger explosion, the 1997 Hindustan refinery explosion in India, 1999 Paddington train crash, the 1998 Morton explosion and the Three Mile Island nuclear plant accident. Therefore, rather than relying on the number of accidents as an indicator of safety, we need a more proactive metric.

A proposed solution to this paradoxical problem of too few incidents is a larger focus on lower severity incidents as these generally happen more frequently, e.g. near misses. Near miss reporting can quickly build up a large database of would-have-been accidents. In this paper, a near miss reporting system will be presented.
The effectiveness of near miss reporting in general will be examined, before exploring how the bowtie method can be used to enhance the effectiveness of near miss reporting. The bowtie methodology is a risk analysis tool and, if used well, can help to answer at least the first two questions from the three questions raised by Gordon MacDonald of the UK Health & Safety Executive from the aftermath of the Buncefield incident in 2005 (ODN, 2010).

“Lessons must be learned from this incident. From the boardroom down, companies must ask themselves these questions:
1. Do we understand what can go wrong?
2. Do we know what our systems are to prevent this from happening?
3. Do we have information to assure us they are working effectively?”

“Many organizations are able to answer these questions to some extent” (Smit, 2017). Various risk management tools and methodologies can be used to answer these questions, of which the bowtie methodology is one. However, to be able to answer the third question, organizations should use more than only the bowtie methodology. Audit methodologies or incident analysis techniques are often used to verify whether the barriers are working effectively. SIR is one methodology that can help to answer MacDonald’s third question.

DOI: 10.3303/CET1977124
Paper Received: 19 October 2018; Revised: 1 June 2019; Accepted: 4 July 2019
Please cite this article as: Verschoor E., Zitman F., 2019, Opportunities to enhance barrier management through incident analysis, Chemical Engineering Transactions, 77, 739-744 DOI:10.3303/CET1977124

1.1 Evidence in favor of near miss reporting

Critics of incident reporting have questioned whether organizations actually become safer after implementation of an incident reporting system. As such, it may still seem unclear whether near miss reporting should be pursued.
These critics have suggested that incident reporting can be more successful if there is an emphasis on “analysis of incidents and organizational learning” but can fail if there is too big of an emphasis on just the counting of incidents (Vincent et al., 2008; Clarke, 2008; Davies, 2000; Braithwaite et al., 2011). In order to properly refute these critiques, the causal link between near misses and accidents must be demonstrated through the use of the iceberg model. The basic premise that more information regarding (minor) errors can hold predictive value for larger accidents rests on the assumption that near misses and accidents have the same set of root causes. This is also known as the ‘iceberg model’ (after Hyden, 1987). The iceberg model shows a “continuum of events ranging from normal behavior via conflicts and deviations to actual accidents” (Van der Schaaf, 1992, p21.). Van der Schaaf (1992) has simplified this model into the one seen in Figure 1. The events at the bottom of the triangle occur first, i.e. the earlier you detect the behavioral acts and near misses, the higher the chance you can prevent an accident from occurring. Another assumption here is that the behavioral acts and near misses have the same root causes as the accidents. Therefore, if the detection of a certain event happens later ‘up’ the triangle, the analysis of that event should lead to largely the same root causes as if the event was detected earlier ‘down’ the triangle. Likewise, the recommendations should be of a similar nature. 

Figure 1 - Simplified qualitative version of the iceberg model by Schaaf

Supportive evidence for the qualitative assumptions of the model comes from numerous studies across multiple industries (construction, aviation, railway and oil and gas among many others) that indicate that an increase in near miss reporting decreases not only the occurrence of minor injuries, but also that of larger so-called OSHA (Occupational Safety & Health Administration) injuries (Mckay, 2013). Thus, the pursuit of near miss reporting can make an organization safer as the information resulting from near misses holds predictive value for preventing accidents.

In conclusion, this paper proposes that near miss reporting can help make organizations safer. This paper explores how a near miss reporting system can be used to support the process of learning from near misses. The foundation of the design is the bowtie method, which must be looked at in more detail.

2. Method

CGE Risk Management Solutions has developed a tool, Scenario-based Incident Registration (SIR), to improve the quality of incident reporting and allow trend analysis for improved risk-based decision-making. SIR uses the bowtie methodology and bridges the gap between bowtie risk analysis and incident analysis.

2.1 The bowtie method

Using SIR in the organization requires bowtie knowledge and expertise from the middle to low management of an organization, usually the safety and risk department. Operational personnel, who eventually report the incidents, do not necessarily require this knowledge and expertise.

The bowtie methodology, presented in Figure 2, is a proactive risk assessment tool to analyze potential incident scenarios and assess risks. “Once constructed, the bowtie purpose is best used to support risk management and risk communication” (the American Institute of Chemical Engineers, 2018).
The bowtie also fits as a framework to structure incident data if the incident is analyzed using a barrier-based incident analysis technique, such as Barrier Failure Analysis, Barrier-based Systematic Cause Analysis Technique (BSCAT) (DNV GL, 2015) or Tripod beta (Stichting Tripod Foundation, 2014).

Figure 2 - The bowtie model

The bowtie methodology is a combination of two risk analysis tools (fault tree analysis, FTA, which is preventative, and event tree analysis, ETA, which is reactive) and James Reason’s Swiss Cheese theory. The Swiss Cheese metaphor was developed by James Reason in 1990. The model represents layers of defenses to stop an incident. However, Swiss Cheese has holes in it and so does each layer of defense or barrier. The holes are created by active failures and latent failures (Reason, 1997). SIR helps to identify active failures during a (near-) incident scenario with the help of the bowtie.

The bowtie model is represented in Figure 2. The hazard defines the operation for which the risks are analyzed. Examples are ‘Working at height’ or ‘Storage of hydrocarbons’. The hazard should be described in a controlled state, as it is part of an organization’s normal business. The reason for referring to normal business is to be able to link risks back to process optimization. The top event related to the hazard is the moment of loss of control. Examples are ‘Person falls from scaffold’ or ‘Loss of containment of hydrocarbons’. It is an unwanted event but not the actual incident or accident. When the top event is understood completely, it can help an organization to recover faster from a loss of control moment to prevent the actual incident or accident. The threats, on the left side of the top event, are the causes of the loss of control (top event). Examples are ‘slippery surface’ causing a person to fall or ‘corrosion’ causing a loss of containment. Threats may lead directly to the top event.
The consequences, on the right side of the top event, are the actual incidents, like a ‘Fire’, ‘Hydrocarbon spill resulting in environmental damage’, or ‘Person falls on hard surface resulting in fatality’.

The next most important step is to define the barriers. “Safety barriers are physical and/or nonphysical means planned to prevent, control, or mitigate undesired events or accidents” (Sklet, 2006 2.2). Barriers consist of multiple activities that maintain the barrier function and effectiveness, such as training or maintenance. Barriers on the left side, preventative barriers, may stop the threat from occurring or prevent the threat leading to the top event. Examples of preventative barriers are ‘anti-slip surface’ or ‘anti-corrosion painting’. Barriers on the right side, recovery barriers, may stop these consequences or reduce the impact of these consequences. Examples of recovery barriers are ‘fall harnesses’ or ‘fire extinguisher’. SIR helps to understand what went wrong in the barrier supporting activities.

2.2 Scenario-based Incident Registration (SIR)

SIR is a methodology which collects meaningful data about barrier failures. This data can be collected through incident investigations. However, not every incident can be completely investigated, due to time, resources and expertise constraints. Figure 3 is an illustration of the usual follow up process of an incident. Organizations normally try to learn from accidents by time-consuming investigations. Incidents with a lesser severity, e.g. near misses, are stored individually in a database, with limited to no learning.

Figure 3 - Incident follow up process

Figure 4 - Incident follow up process including SIR

In Figure 4 the SIR-analysis complements the incident decision process by storing low severity incidents on a bowtie. Additionally, SIR helps to decide whether an investigation is needed during the follow up process.

In the initial form, the reporter enters the details about the location, date, time, and a short description of what happened. SIR starts after the initial incident form is completed. A wizard guides the reporter through 3 steps:
• Reporter selects the operations at the time of the incident
• Reporter selects the scenario of what happened
• Reporter assesses each barrier in that scenario

Each step is based on existing bowties and links data back to these bowties.

Reporter selects the operations at the time of the incident

In this step, the reporter chooses the operation he or she was doing at the time of the incident from a set of pre-built bowties. Behind the scenes, this will select a hazard and top event combination. The reporter does not necessarily need to know this, as knowledge of the bowtie methodology or how the bowtie is constructed is optional. Examples of hazards are working at height or lifting objects with a crane.

Reporter selects the scenario of what happened

From the selected bowtie in the previous step, the reporter chooses the relevant scenario. The relevant scenario starts on the left side, from a threat, all the way to the right to a consequence. It is optional to choose multiple threats or multiple (potential) consequences, as there might be multiple causes or multiple (potential) outcomes.

Reporter assesses each barrier in that scenario

The reporter is then taken through all the barriers that are in the selected bowtie scenario. Each barrier is assessed, and the primary cause is identified. The reporter first decides on the barrier state and chooses one of the following options per barrier:
• This safety measure functioned correctly
• This safety measure failed
• This safety measure was not applicable in this scenario.

When the reporter indicates a barrier as ‘failed’, a question appears about why the barrier failed, i.e. the primary cause of the barrier failure. These questions can be customized and will differ per barrier.
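
The three wizard steps and the barrier-level storage described above, sketched as an added example (not code from the paper or from the SIR tool). The class and function names, the failure-rate metric and the primary-cause strings are assumptions; the hazard, top event, threat, consequence and barrier names are the paper's own 'working at height' examples.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# The three barrier states offered to the reporter in section 2.2.
FUNCTIONED, FAILED, NOT_APPLICABLE = "functioned", "failed", "not applicable"

@dataclass
class Bowtie:
    hazard: str
    top_event: str
    threats: dict        # threat -> preventative barriers (left side)
    consequences: dict   # consequence -> recovery barriers (right side)

    def scenario_barriers(self, threats, consequences):
        """Barriers on the selected path: threat(s) -> top event -> consequence(s)."""
        found = []
        for threat in threats:
            found += self.threats[threat]
        for consequence in consequences:
            found += self.consequences[consequence]
        return list(dict.fromkeys(found))  # de-duplicate, keep bowtie order

def register(bowtie, store, threats, consequences, assessments):
    """Step 3 of the wizard: check that every barrier in the scenario was
    assessed and that failed barriers carry a primary cause, then store it."""
    expected = bowtie.scenario_barriers(threats, consequences)
    if set(assessments) != set(expected):
        raise ValueError(f"assess exactly these barriers: {expected}")
    for barrier, (state, cause) in assessments.items():
        if state not in (FUNCTIONED, FAILED, NOT_APPLICABLE):
            raise ValueError(f"unknown state for {barrier!r}: {state!r}")
        if state == FAILED and not cause:
            raise ValueError(f"{barrier!r} failed but has no primary cause")
    store.append(assessments)

def barrier_trends(store):
    """Accumulate barrier-level findings over all stored reports.
    Assumption: 'not applicable' answers do not count as a demand."""
    stats = defaultdict(lambda: {"demands": 0, "failed": 0, "causes": Counter()})
    for assessments in store:
        for barrier, (state, cause) in assessments.items():
            if state == NOT_APPLICABLE:
                continue
            entry = stats[barrier]
            entry["demands"] += 1
            if state == FAILED:
                entry["failed"] += 1
                entry["causes"][cause] += 1
    return {b: {**e, "failure_rate": e["failed"] / e["demands"]}
            for b, e in stats.items()}

def demo():
    # Bowtie built from the paper's own 'working at height' examples.
    fatality = "Person falls on hard surface resulting in fatality"
    bowtie = Bowtie("Working at height", "Person falls from scaffold",
                    threats={"slippery surface": ["anti-slip surface"]},
                    consequences={fatality: ["fall harnesses"]})
    store = []
    # Three constructed near-miss reports; the primary causes are invented.
    reports = [
        {"anti-slip surface": (FAILED, "coating worn off"),
         "fall harnesses": (FUNCTIONED, None)},
        {"anti-slip surface": (FAILED, "coating worn off"),
         "fall harnesses": (FAILED, "harness not attached")},
        {"anti-slip surface": (NOT_APPLICABLE, None),
         "fall harnesses": (FUNCTIONED, None)},
    ]
    for report in reports:
        register(bowtie, store, ["slippery surface"], [fatality], report)
    return barrier_trends(store)

if __name__ == "__main__":
    for barrier, entry in demo().items():
        print(barrier, entry)
```

Repeating `register` for each report is what lets a single bowtie accumulate failure counts and primary causes per barrier across incidents.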

As an example, the reporter selects the barrier: ‘Restricted access to lifting area’. The primary cause can be all types of human error, i.e. slips, lapses and mistakes (Reason, 1990). Answer options could be that the restricted area was not set up or the restricted area was not adhered to.

The barrier specific questions indicate the primary cause of the failure of the barrier. According to the Tripod Beta incident analysis methodology (Stichting Tripod Foundation, 2014), the primary cause is “An action or omission of a person, or group of people, that causes a barrier to fail.” Thus, by performing SIR analysis for every low severity incident, time can be saved for the follow up investigator and, if the incident is not further investigated, the data is still permanently captured on the bowtie.

3. Conclusions

In this section, using three purposes defined by Reason (1997), academic critiques of near miss reporting are examined, along with how they relate to the presented SIR design. Limitations of the design are mentioned.

3.1 Can SIR be an effective near miss management system?

Reason (1997) identifies three purposes of collecting and analyzing near miss data:
1. to gain qualitative insight into how (minor) errors can result in near misses or even major accidents
2. to gain enough data for statistically correct trend analyses to find out the combinations of factors leading to accidents
3. to remind organizations of the hazards challenging their systems and so “slow down the process of forgetting to be afraid” (Reason, 1997, p119), especially very safe organizations which have low occurrences of incidents

3.2 Qualitative insight – Does near miss reporting prevent larger accidents?

As we saw, using the iceberg model, studies in different industries (McKay, 2013) found evidence in favor of the idea that near misses can hold predictive value for larger accidents.
However, Reason (1991) objects that information regarding near misses and accidents only relates to the last steps of a long chain of causal events. The information is therefore not useful enough as it is both too noisy—it is difficult if not impossible to find the real root cause of the incident—and too late, as it encourages reactive rather than proactive safety management. Instead, Reason (as read in Van der Schaaf, 1992) proposes to use auditing with a focus only on the earliest events: management decisions. In response, Van der Schaaf (1992) agrees that any near miss reporting system by itself would always be lacking considering the complexity and difficulty of incident analysis. This is where the bowtie methodology lends itself extremely well, as the barrier construct allows for both incident and audit data to be mapped onto itself. Thus, the limitations outlined by Reason above can be overcome through combining near miss results with audit results.

3.3 Trend analyses – How can trend analyses be ensured?

The presented SIR design tries to tackle two challenges in getting enough statistical data for effective trend analyses. The first challenge is getting enough data. By facilitating near miss reporting, SIR can quickly contain enough data, as: “Near misses are usually estimated to occur one or two orders of magnitude more frequently than actual accidents” (Van der Schaaf, 1992, p25). The second challenge is standardizing the data, as incidents are often investigated in isolation. In many cases investigation reports of near misses or accidents end up as a collection of largely unstructured documents. They are often treated as single events, making it difficult to clearly identify trends over multiple events. As we saw, using the bowtie method, standardization becomes much easier through the barrier constructs. The barriers serve as a common denominator for more effective trend analyses.
A shortcoming, though, is that bowties are usually of a much more generic nature, whilst incidents are much more specific scenarios. As such it is difficult to capture all possible events and some information might be lost in the process of switching from specific scenarios to generic ones.

3.4 Awareness - Does more information through near misses lead to a safer organization?

A challenge that organizations face when implementing or improving an incident reporting system, such as near miss reporting, is that there can be both 1) a lack of feedback on how the reported information is used and 2) the perceived difficulty of collecting enough data (Van Der Schaaf and Kanse, 2004). A lack of feedback in how the reports are handled can demotivate reporters to report again in the future, which can also result in more difficulty in gathering data. Therefore, SIR immediately feeds the reported information back onto the bowtie, for all to see. Moreover, according to Phimister (2003), a well-functioning system should also give feedback of the results and improvements of the near miss investigation to the reporter. In addition, these results should be communicated to as many other employees as appropriate in order to raise awareness levels. Thus, SIR can be set up to allow the reporter and related users to be given updates of the recommendations.

Furthermore, to address the perceived difficulty of data collection, the reporting forms should be easy and convenient and not require lengthy analysis for every near miss reported. Again, using the bowtie methodology, SIR can save a lot of time and avoid lengthy analyses, which should stimulate employees to report more. A limitation here, however, is that SIR might be confusing at first for employees.
In line with the importance of feedback, Swain (as read in Van der Schaaf, 1992) suggests that just the act of observing and reporting a near miss can be considered employee engagement, which should result in higher levels of awareness. Raised levels of awareness can in turn lead to a safer organization. Indeed, Cooper (2000), Glendon and Stanton (2000) and Jones, Kirchsteiger and Bjerke (1999) have found that near misses can boost safety culture. Additionally, near miss reporting can help show that employees are exhibiting learning, as it demonstrates how employees have recovered and prevented errors from developing into incidents (Van der Schaaf, 1992).

Therefore, organizations can become safer not only by analysis of the near misses through SIR but also by the increased feedback that SIR provides, stimulating further reporting of near misses.

References

Braithwaite J, Westbrook MT, Robinson M, Michael S, Pirone C, Robinson P. Improving patient safety: the comparative views of patient-safety specialists, workforce staff and managers, BMJ Qual Saf, 2011, vol. 20 (pg. 424-31)
Cambraia, F. B., Saurin, T. A., & Formoso, C. T. (2010). Identification, analysis and dissemination of information on near misses: A case study in the construction industry. Safety Science, 48(1), 91-99.
Clarke I. Learning from critical incidents, Adv Psychiatr Treat, 2008, vol. 14 (pg. 460-8)
Cooper, M.D., 2000. Towards a model of safety culture. Safety Science 36 (2), 111–136.
Davies HTO, Nutley SM. Developing learning organisations in the new NHS, BMJ, 2000, vol. 320 (pg. 998-1001)
Glendon, A.I., Stanton, N.A., 2000. Perspectives on safety culture. Safety Science 34 (1–3), 193–214.
Hollnagel, E. (2014). Safety-I and Safety-II: the past and future of safety management. CRC Press.
Hyden, C. (1987). The development of a method for traffic safety evaluation. The Swedish traffic conflicts technique. Bulletin 70, University of Lund.
Jones, S., Kirchsteiger, C., Bjerke, W., 1999. The importance of near miss reporting to further improve safety performance. Journal of Loss Prevention in the Process Industries 12 (1), 59–67.
Mckay, B. (2013). Measures of effect: Near miss reporting on construction site injuries.
ODN. (2010). Reaction to Buncefield explosion decision. Retrieved from https://www.youtube.com/watch?v=E_daM9tM4bs
Phimister, J. R., Oktem, U., Kleindorfer, P. R., & Kunreuther, H. (2003). Near‐miss incident management in the chemical process industry. Risk Analysis: An International Journal, 23(3), 445-459.
Pitblado, R., Potts, T., Fisher, M., & Greenfield, S. (2015). A method for barrier‐based incident investigation. Process Safety Progress, 34(4), 328-334.
Reason, J. (1990). Human error. Cambridge University Press.
Reason, J. (1997). Managing the risks of organizational accidents. Routledge.
Reason, J.T. (1991). Too little and too late: a commentary on accident and incident reporting systems. In: T.W. van der Schaaf, D.A. Lucas and A.R. Hale (eds). Near Miss Reporting as a Safety Tool. Butterworth-Heinemann, Oxford.
Schaaf, van der, T.W. (1992). Near miss reporting in the chemical process industry. Eindhoven: Technische Universiteit Eindhoven. DOI: 10.6100/IR384344
Sklet, S. (2006). Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries, 19(5), 494-506.
Smit, J. (2017). Advanced barrier management: Linking Bowtie Analysis, Barrier-Based Incident Analysis and Risk Based. Leidschendam, The Netherlands.
Stichting Tripod Foundation. (2014). Guidance on using Tripod Beta in the investigation and analysis of incidents, accidents and business losses. London: Energy Institute.
Swain, A.D. (1974). The Human Element in Systems Safety: a guide for modern management. InComtec Ltd., Camberley.
The American Institute of Chemical Engineers; the Energy Institute. (2018). Bow ties in risk management. Hoboken: the American Institute of Chemical Engineers.
Van Der Schaaf, T., & Kanse, L. (2004). Biases in incident reporting databases: an empirical study in the chemical process industry. Safety Science, 42(1), 57-67.
Vincent C, Aylin P, Franklin BD, Holmes A, Iskander S, Jacklin A, Moorthy K. Is health care getting safer?, BMJ, 2008, vol. 337 pg. a2426 https://doi.org/10.1136/bmj.a2426