5.1. Summary of Outcomes
This work proposes a new methodology for integrating structured frameworks to the Bowtie method. Ishikawa’s 6M approach was chosen to structure the Bowties and the accompanying brainstorming sessions. We showed that a contextualisation of the 6M categories was required for application to a maintenance environment. While constructing the Bowtie diagram, it was found that there is inconsistency and confusion about the hazard and top event relationship. A consistent interpretation was provided to overcome this problem. Furthermore, it was found that there are cascading consequences for different stakeholders. Depending on the focus of the risk analysis and the target audience, there are different consequences, which we demonstrated in this work. Moreover, the visualisation and receptivity of the diagram was improved by assigning different colours to each barrier category, which supports the main purpose of the Bowtie method, i.e., functioning as communication tool. Finally, the proposed conceptual framework was tested by applying it to the specific case of visual borescope inspection of aero engine parts.
5.2. Implications for Practitioners
The proposed structured approach was tested in the aviation maintenance area. However, the method could be applied in other areas within or outside the aviation industry. It might be of particular interest to other high-reliability organisations (HROs), such as oil and gas, nuclear power generation, health care, or wildland firefighting [80
]. This is supported by the fact that the structured approach could make the development of Bowtie somewhat simpler and hence promote the broader application of Bowtie.
The framework provides non-risk experts with a tool to perform risk assessment. Operators, who may have limited risk management skills but a better knowledge of the system and processes than a risk analyst, might use the tool to identify threats, consequences, and means of prevention and mitigation. The framework encapsulates a wide range of previous known areas relevant to risk assessment and ensures that most common and obvious threats, consequences and barriers are not missed. Furthermore, it enables the analyst to put the emphasis on the threat, consequence, and barrier identification, rather than on the construction of the diagram itself. The conceptual work could also be used to structure the accompanying brainstorming sessions of the Bowtie development process, which has the potential to overcome some of the limitations mentioned in Section 2.4
The categorisation of threats and consequences may help to better address them by appropriate means. Categorising barriers in turn may help practitioners to gain a better overview of the types of barriers in place and how diverse a threat or consequence path is in terms of barrier types. Furthermore, it may help to identify appropriate and efficient barriers that prevent more than one threat or consequence path, i.e., barriers that occur on multiple paths. This could be beneficial when identifying and eliminating ineffective barriers or barriers that only prevent one path, and rather improve barriers that prevent multiple threats. This brings in a management perspective of barrier prioritisation and investment strategies.
The idea of cascading consequence could allow an organisation to break the complex MRO process down into smaller blocks and perform a risk assessment for each of these process steps with the relevant process experts. This goes along with the previously mentioned practicability of the proposed method by non-risk analysts and may improve the quality of the Bowtie diagrams.
5.3. Limitations of the Work
The proposed methodology may be of limited use when analysing novel systems outside the manufacturing and maintenance industry, where 6M originated. It is important to accept that there is not only one right solution. Every model needs to provide a certain extent of flexibility that enables it to be applicable to the broader industry. The categories need to be tailored to suit the different needs and concerns of the specific industry and organisation that is applying it [82
]. This limitation was already addressed and we showed that the categories can be contextualised and adjusted to the area under investigation. It was found that the level of risk assessment plays an important role when contextualising the categories.
In other industries, different categorisations have already been applied such as the ‘8Ps marketing mix’ or the ‘4S cause categories’ in the service industry. Each of these categorisations could theoretically be applied to Bowtie following the principles presented in this paper. It is recommended to use a common approach to avoid arbitrary structures, which would act adversely on the attempt to provide consistency.
As mentioned in the previous section, the approach covers the most common risk areas based on previous experience. However, this involves the risk of missing Bowtie elements that have not previously occurred. The use of strictly defined categories may limit the imagination when identifying threats, consequences, or barriers. Analysts will need to ensure they are not so fixated on the method that they fail to anticipate new threats.
In some cases, the classification is not explicit as threats or barriers may fit into two of the proposed categories. From a risk point of view, it is not essential where and under which category an element is listed, as long as it is listed and brought to attention, so that it can be further analysed. In the case study, we made the decision to categorise the elements based on their nature and exerting agent.
The process of developing a Bowtie diagram following the proposed structure can be time consuming and people may focus too much on trying to fill in all gaps, although it is realistic and acceptable that there is not a threat, consequence, or barrier in each category type for every case.
There is a caveat regarding the Management category. The intent is to represent the operations management, as opposed to management-theory, leadership and vision. Consequently, the management threats shown here are aimed for an audience of operators, who have the operational knowledge to know how the integrity of the work may be compromised. Business executives normally do not know every process in detail and are not risk experts, and hence tend not to create Bowtie diagrams.
While there are many risk assessment methods (e.g., Bowtie, FTA, FMEA, Zonal analysis, and Ishikawa), and they all cope with single threats, they often struggle to represent multiple simultaneous failures. Reason [83
] stated that often multiple barriers fail at the same time, which then releases the top event, and ultimately has the potential to cause severe damage or result in a catastrophe. Consequently, any type of method that fixates on identifying root causes has the intrinsic detriment of under-emphasising the temporal relationships of causality between the contributory factors. It is particularly difficult to represent how organisational factors (such as work culture) affect physical failure, since the causal mechanisms are indistinct and perhaps easier to obfuscate [84
]. Many enquiries into major disasters focus on the physical root causes and the accident sequence: the organisational root causes are treated differently, are termed ‘contributory factors’, and are not easily representable with some diagrammatic methods. Bowtie analysis is not particularly efficient at representing complex relationships of causality, neither natively nor with the changes proposed in this paper. This is evident in the need to repeatedly represent causal chains on the diagram, hence our suggestion to use modules. It does not readily capture the more abstract organisational factors such as organisational culture and perverse agency [85
]. Nonetheless, Bowtie does excel at representing the failings of the operational systems alongside the physical faults. This plus its simple depiction make it an effective communication tool by which operators can build a shared understanding (and hence a local work culture) of how their tasks contribute to a larger good. Hence, we propose that the purpose of any risk analysis tool is to capture sufficient
complexity of the real system behaviour as to direct improvement efforts and consolidate work-culture around actions that improve safety outcomes.
5.4. Implications for Future Research
We identify the potential for future research in the following areas. Now that there is a more systematic approach for developing Bowtie, this means that there can be different representations of it, similar to a Gantt chart and a network diagram, which are complementary representations of the same project plan. While the Gantt chart is a visual representation, it can also be expressed as a table. It is conceivable that there could be a similar spreadsheet representation of Bowtie. If so, this may provide a mechanism to add additional information about the likelihoods and frequencies of the threats and the effectiveness of the barriers, and include other application critical factors. In the presented case study, these factors could include defect detectability, engine history, and other influence factors. Furthermore, the spreadsheet has the potential to calculate the risk of each threat and the overall hazard considering these factors.
A user interface could be developed for automated query of the values for the Bowtie elements, i.e., hazard, top event, threats, consequences, barriers, escalation factors and escalation factor barriers, following the proposed structure. These values might be used to automatically generate a starting Bowtie. This has the potential to generate Bowtie diagrams quicker and more efficiently. Moreover, the automation of Bowtie would allow selecting different levels of detail and presenting the most relevant elements for a target audience, or based on the likelihood and impact. This might be carried out by applying different filters in the Bowtie interface and retrieving the data from the spreadsheet accordingly. The generated Bowtie could then be limited to (say) the most important ten threats (highest risk) and the five most effective barriers of each threat and consequence path. This has not only the potential to significantly reduce the size and complexity of the Bowtie diagram, but also to further support a standardised presentation and to highlight the critical elements, where most emphasis should be put on improvement efforts.