Barrier Analysis
| Bill-Wilson.net :: Root Cause Analysis :: RCA Tools ... | (Menu) |
Description
Barrier analysis is an investigation or design method that involves the tracing of pathways by which a target is adversely affected by a hazard, including the identification of any failed or missing countermeasures that could or should have prevented the undesired effect(s).
Pros and Cons
Pros
- Conceptually simple, easy to grasp.
- Easy to use and apply, requires minimal resources.
- Works well in combination with other methods.
- Results translate naturally into corrective action recommendations.
Cons
- Sometimes promotes linear thinking.
- Sometimes subjective in nature.
- Can confuse causes and countermeasures.
- Reproducibility can be low for cases that are not obvious or simple.
Definitions
Barrier: A construct between a hazard and a target, intended to prevent undesired effects to the target. A barrier is often passive, i.e. it’s protective nature is inherent to it’s structure, and no additional action on the part of any agent is required to afford this protection.
Control: A mechanism intended to prevent undesired effects to the target. A control is often active, i.e. it’s protective nature is brought into being through the actions of an agent.
Countermeasure: A barrier or control intended to cut off a pathway between hazard and target.
Hazard: An agent that can adversely affect a target.
Pathway: A route or mechanism that provides the means, or medium, through which a hazard can affect a target.
Target: An object that requires protection, or needs to be maintained in a particular range or set of conditions.
Discussion
At the heart of barrier analysis is the concept of the target. The primary quality of a target is that it exists under a specified range or set of conditions, and that we require it to be maintained within that specified range or set of conditions. This very general quality means that almost anything can be a target -- a person, a piece of equipment, a collection of data, etc.
Given the concept of the target, we then move to the means by which a target is adversely affected. By adverse effect, we mean that the target is somehow moved outside of it's required range or set of conditions. Anything that does this is called a hazard. This is a very general quality -- almost anything can be a hazard. However, it is possible to uniquely define hazard/target pairs by the pathways through which hazards affects targets.
Having identified hazards, targets, and the pathways through which hazards affect targets, we arrive at the concepts of barriers and controls. These are used to protect and/or maintain a target within it's specified range or set of conditions, despite the presence of hazards. The primary quality of a barrier or control is that it cuts off a pathway by which a hazard can affect a target.
Barriers and controls are often designed into systems, or planned into activities, to protect people, equipment, information, etc. The problem is that design and planning are rarely perfect. All hazards may not be identified beforehand, or unrecognized pathways to targets may surface. In both of these cases, appropriate barriers and controls may not be present. Even if they are present, they may not be as effective as originally intended. As a result, targets may lack adequate protection from change or damage.
The purpose of barrier analysis is thus to identify pathways that were left unprotected, or barriers and controls that were present but not effective. All pathways relate to specific hazard/target pairs, and all barriers and controls relate to specific pathways. Success in barrier analysis depends on the complete and thorough identification of all pathways.
Concepts
Energy and Change
The concept of energy has historically been used to characterize the pathways by which hazard affects target. Very generally, energy is any physical quantity that can cause harm. There are many types of energy, including electrical, mechanical, hydraulic, pneumatic, chemical, thermal, radiation, etc. Note again that these are all physical quantities, and can only be used to describe physical hazards. Consequently, the types of barriers and controls that can be considered are primarily physical in nature, or relate to physical harm.
More recently, hazard pathways have been characterized by the concept of change. This concept is based on the recognition that any change in a target's condition, physical or otherwise, could be detrimental or undesired. This allows us to consider hazards and damage mechanisms other than the purely physical, and can lead us into areas that are more administrative, knowledge based, or policy based in nature. Furthermore, the concept of change does not prevent us from investigating purely physical phenomena.
The pathway characterization (or viewpoint) affects the types of hazards, targets, and damages that will be seen and considered during investigation and analysis. Investigation from a purely energy-based viewpoint will tend to concentrate on physical, energy-based hazards and damage mechanisms. Alternatively, a change-based viewpoint can be used to find both physical and non-physical damage pathways. For this reason, it is recommended that a change-based characterization for hazard/target pathways be adopted for general usage.
Countermeasure Effectiveness
Recall that the purpose of a barrier or control (i.e., countermeasure) is to cut off a pathway by which hazard affects target. Many options may be available for cutting off a hazard/target pathway, and some options may be more effective than others. Some variables that can be used to differentiate various countermeasures include action, placement, function, and permeability.
Action: This refers to whether the countermeasure is passive or active. Passive constructs (i.e., barriers) tend to be more effective than those requiring action or intervention (i.e., controls).
Placement: This refers to the location (in space, time, sequence, etc.) of a countermeasure along the hazard/target pathway. Those located closer to the hazard end of the pathway are often more effective than those located closer to the target.
Function: This refers to how the countermeasure cuts off the hazard/target pathway. Those that prevent creation, accumulation, or release of a hazard tend to be more effective than those that harden, warn, or rehabilitate the target.
Permeability: This refers to the extent that the countermeasure cuts off the hazard/target pathway. Those that completely cut off the pathway tend to be more effective than those that only limit or reduce the hazard.
Given the variables above, it is easy to say that the most effective countermeasure against a potential hazard would be a hard, passive barrier at the source that completely prevents creation of the hazard. This is rarely (if ever) practical, however. We are then forced into designing or planning countermeasures that merely reduce risk. This means that no single countermeasure can ever be 100% effective.
Reduction of risk to acceptable levels often requires the use of multiple, diverse countermeasures. Multiple, because usually no single countermeasure can provide the required risk reduction. Diverse, because the possibility of common-mode failure itself increases overall risk. Barrier analysis thus needs to consider all the following:
where countermeasures should have been provided, but were not;
how existing countermeasures failed to prevent undesired change;
whether an appropriate mix of multiple and diverse countermeasures was provided; and
if the overall risk of undesired change was acceptable.
Disadvantages
The use of barrier analysis presupposes that countermeasures were considered during the design of a system, or planning of an activity. The results of a complete and thorough barrier analysis may identify many opportunities to create new countermeasures, or to improve existing countermeasures. However, given the same consequence to investigate, different investigators might propose any of the following (or variations and/or combinations thereof) as root causes:
- preliminary hazard analysis was inadequate;
- appropriate countermeasure was not provided;
- inappropriate countermeasures were provided;
- existing countermeasure was inadequate;
- existing countermeasure was not properly employed;
- existing countermeasure was rendered inoperative;
- hazard was not controlled;
- target should not have been exposed to hazard;
- etc.
All these statements may be true. However, such variability makes it extremely difficult to rely on barrier analysis alone as a root cause analysis tool. It is therefore recommended that barrier analysis results always be reviewed independently, and that barrier analysis never be used as the sole method for determining root causes.
In the opinion of the author, the only statement above that qualifies as a potentially valid root cause statement is the first, "preliminary hazard analysis was inadequate." This statement could then be qualified with supporting evidence and analysis; in fact, all the other items listed might be provided to illustrate how the preliminary hazard analysis failed.
Web Resources
http://www.nri.eu.com/serv02.htm, Control Change Cause Analysis (3CA), NRI
http://www.sverdrup.com/safety/energy.pdf, Energy Flow/Barrier Analysis, Jacobs-Sverdrup
Revision History
00.0 14-JUN-2005 Initial revision issued for public consumption/comment.
