3.2.1. Basic Principles of Barrier Management Systems
From the engineering perspective, in most cases, the safety of a system or infrastructure is successfully maintained with the comprehensive application of various barriers, as discussed by Kjellen [98]. The design and implementation of safety barriers are considered at the system level, and safety barriers can usually be hardware, software, operational or organizational, which interact with each other [31,73]. As a result, the concept of barrier management systems can be developed. According to the definition by PSA [62], barrier management refers to “coordinated activities to establish and maintain barriers so that they maintain their function at all times”. Later, PSA [99] suggested that the industry should acquire a better understanding of operational, organizational and technical safety barriers and their interactions. Therefore, in the present study, as illustrated in Figure 14, the safety barrier management system is described and reviewed from the following three aspects: barrier element identification, barrier management system and barrier management evaluation.
(1) Barrier elements
The safety barrier system, as illustrated in Figure 14, can usually be broken down into barrier elements that prospectively function to intercept the possibility of risks or threats before and after the identified hazardous events. Conceptually, safety barriers are closely related to layers of defenses, which are widely thought of in terms of the “Swiss Cheese” model [100]. With the initiation of barrier element identification, the potential hazardous events involved in the system need to be identified. For this purpose, typical quantitative risk assessment (QRA) is frequently considered in the development of comprehensive methodologies. The baseline risk assessment tool (BART) is a practical example comprising simplified QRA-related approaches to identify the potential hazardous events arising from the process of oil and gas installations [101]. In addition, vulnerability models designed for infrastructures or equipment are frequently integrated into QRA procedures to determine hazardous events after natural disasters, such as earthquakes [102], floods [103] and lightning strikes [104]. More recently, traditional QRA approaches have been mapped into advanced risk assessment techniques, such as Bayesian networks [105,106], artificial neural networks [107] and directed complex networks [108], to identify and evaluate hazardous events leading to the occurrence of accidents. Based on the identified hazardous events, the barrier elements are mainly determined by means of qualitative approaches, and many graphical techniques are reported to illustrate the identification process of safety barriers, such as event tree analysis [109], safety barrier diagrams [34] and Bow-tie diagrams [77]. These techniques are compared by Sklet [110], who finds that the Bow-tie diagram is the most commonly used graphical technique. In a typical graphical representation of the Bow-tie, the central event is described using several terms, such as top event [111,112], critical event [37], intermediate event [34] and hazardous event [16,75], and in this paper, the term hazardous event is used hereinafter. The left part of hazardous events can be analyzed by fault tree analysis (FTA), while the right part can be handled by event tree analysis (ETA) [113], by which barrier elements are identified for different application scenarios [37,63,74,75].
To date, the definition, function and classification of barriers or barrier elements have been studied extensively, as discussed in Section 3.2.1; however, the criterion to be a barrier element and the performance requirement for a standard barrier need to be investigated and discussed further. Currently, there is no clear distinction between safety barriers and other terms associated with safety, such as safeguards, safety measures and countermeasures, especially for human-related barriers. As a result, the Center for Chemical Process Safety [114] and the Chartered Institute of Ergonomics and Human Factors [115] argued that most human-related measures should be treated as safeguards rather than barrier elements. This may be because most of the barrier elements are determined based on barrier function while ignoring the working principle of barrier elements. The criteria and performance requirements of physical or technical barrier elements are easily obtained by specific scenarios, the experience of professional experts and the available technical data, such as the barrier elements involved in barrier-based models for drilling blowouts [60], barrier systems designed for leakage in oil and gas production [116] and safety barrier systems for hydrogen refueling stations [117]. However, the human-related barrier elements in the organizational and operational aspects are more complex and difficult to describe. Many scholars try to determine and develop human-related barrier elements from the perspective of safety management. Most of the studies are implemented by qualitative approaches. For instance, King et al. [20] designed barrier systems involving organizational and operational barrier elements to maintain the stability of large passenger ships. Bucelli et al. [25] described a barrier system associated with human-related barrier elements for safer operation in the oil and gas industry. Nevertheless, the CIEHF [115] proposed a general performance standard for human-related barrier elements with coverage of at least seven aspects, and the performance criteria for these barrier elements were also involved.
(2) Barrier management system
According to PSA, barrier management has been regarded as the main priority because accident investigation clearly indicates that the failure and weakening of barrier elements are the principal contributing factors to accidents [96]. There is no doubt that various safety barriers should be systematically implemented in a consistent manner to minimize risks. Although Harms-Ringdahl [56] argued that safety barriers should be limited to technical or physical barriers based on the perspective of the layer of defense, it is widely accepted that software, especially some human-related safeguards, should be involved in barrier systems. As Øie et al. [16] and Lauridsen et al. [96] discussed, the integrative safety barrier system should be comprised of at least three different kinds of barriers, namely, technical, operational and organizational barriers, as shown in Figure 11. Practically, the subsystem comprised of technical or physical barriers is frequently studied in various scenarios, and the interactions between individual barriers are also presented by means of probabilistic-based techniques or fuzzy-based approaches. Based on the classification of the application scenarios of the safety barriers by different industries, it is interesting to find that the barrier management mode is nearly unique for a certain industry. For instance, in the chemical industry, barrier management emphasizes the integrity of different technical or physical barriers, although in many cases, these barriers are presented as subsystems, such as in [9,45,71,117,118]. A similar phenomenon can also be observed in the field of natech scenarios [21,76]. However, in the field of offshore oil and gas, some of the studies are similar to the work conducted in the chemical industry, e.g., barrier management is focused on the combination of various technical or physical barriers. Most of the remaining studies pay more attention to the role of human-related barriers, mainly referring to operational barriers and organizational barriers. Especially for projects implemented by PSA [62] and DNV GL [16], operational and organizational barriers are given equal consideration as technical barriers. In fact, as early as 2006, the concept of a barrier integrated set (BIS) was proposed by Miura et al. [119] to comprehensively consider the role and interaction of various barriers. Later, Pitblado and Nelson [120] included human and organizational aspects in barrier management, and Lauridsen et al. [96] tried to further investigate the interaction between technical, operational and organizational barrier elements. In addition, the failure of human-related barriers can be evaluated quantitatively by human reliability assessment (HRA) with reference to [121]. In the maritime shipping industry, King et al. [20] designed stability barrier management for large passenger ships based on the studies implemented by [16].
The practical activities associated with safety management have proven that all the barrier elements are related to human factors [122], and in a typical safety management system, the factors stemming from social and technical fields are influenced by each other; therefore, it is necessary to study the barrier management system from the perspective of complex socio-technical systems. In a typical complex socio-technical system, humans are widely accepted as the most positive element, and assuring the reliability of human-related barrier elements is critical for the performance and function of the designed barrier management system [50]. Achieving the true independence of technical barriers in terms of their reliance on organizational or operational barriers may be challenging. Unfortunately, although the importance of the intersection and interaction between technical barriers and human-related barriers has been recognized by some scholars, such as [10,34,122], few studies associated with interaction issues have been reported according to the existing literature. However, some explorative studies may be helpful for the investigation of these issues. Some influencing factors for safety barrier performance identified by Prashanth et al. [73] can be classified as human-related barriers by the identification principle proposed by CIEHF [115]. In many cases, the influencing factors are also known as risk influence factors (RIFs), whose relationship with barriers may be analyzed by a barrier model and operational risk analysis (BORA) proposed by Aven et al. [38]. Later, an extension of the BORA model named risk-OMT was proposed by Vinnem et al. [123] to further identify the RIFs considering the decomposed operational barrier functions.
(3) Barrier management evaluation
According to the perspective of safety management, the design and implementation of safety barrier management systems should be an integrated part of safety management [72]. As illustrated in Figure 11, the barrier management evaluation serves as feedback for the improvement of barrier element identification and safety barrier system design. Generally, in this paper, the issues of barrier management evaluation are reviewed in the following two aspects, namely, dynamic barrier management and the contribution of barrier management to safety management.
After the establishment of a barrier system, dynamic barrier management should be developed and implemented because the performance and function of barrier elements involved in this system may be degraded or influenced by external environmental conditions and the internal factors within the barrier elements themselves. Essentially, dynamic barrier management is aimed at preventing the degradation of barrier elements and repairing degraded barriers [69]. For this purpose, in the offshore oil and gas industry, some companies develop and implement their own safety management programs that function similarly to the aforementioned dynamic barrier management, such as the manual of permitted operations (MOPO) and the tripod investigation approach pioneered by Shell [69,124], the performance monitoring approach adopted by BG [125], and the technical integrity management program (TIMP) initiated by Statoil [126]. More recently, DNV GL proposed a dynamic barrier management program with the objective of blowout prevention [127]. Perrin et al. [128] proposed a methodology named Method Organized and Systemic Analysis of Risk (MOSAR) or Analysis of Dysfunctions of the Systems (MADS) to improve the performance of normative barriers. According to the study conducted by Pitblado et al. [69], dynamic barrier management comprises the following stages: data collection from multiple sources, prediction of barrier status, impact evaluation of barrier status onto risk and finally, decision support analysis. Therefore, the key to dynamic barrier management is the performance monitoring and prediction of the barrier elements involved in the barrier systems. The issues of barrier degradation have been discussed in Section 3.1.3, in which the roles of humans and organizations are given less attention. Pitblado and Nelson [120] proposed a comprehensive methodology that integrates barrier-based risk assessment and “success pathways” with full consideration of the positive roles of humans and organizations.
The popularity and acceptance of safety barriers and barrier management in both industry and academia are mainly due to their applicability in risk reduction and accident prevention. Barrier management can certainly be regarded as one of the advances in the field of safety management, and barrier-based diagrams have proven to be a useful tool in documenting safety measures adapted to prevent accidents [34]. As the critical component in safety management systems, barrier management functions to control risks and acts as the input of the system [129]. Therefore, traditional safety management audit assessment approaches can be used to maintain the reliability of safety barriers [130], such as the I-risk management audit technique [131] and ARAMIS audit methodology [132]. Duijm et al. [133] complemented barrier-oriented audit protocols with the implementation of safety culture questionnaires. According to [32], accidents that occurred in the Netherlands from 1998 to 2004 were constructed by a software tool, Storybuilder, developed within the framework of Bow-ties, based on which the success and failure modes of safety barriers were identified and analyzed to optimize the control of occupational risks. Later, Bellamy et al. [134] found that the failure of safety management is mainly due to a poor understanding of the motivation and awareness of safety barriers. In France, the National Institute of Industrial Environment and Risks (INERIS) regards safety barriers as an important tool to implement risk control [33]. Chen et al. [45] integrated security measures, safety barriers and emergency responses into a comprehensive model named the dynamic vulnerability assessment graph to manage the human-related domino effects in chemical industrial parks.
3.2.2. Typical Application of Barrier Management Projects in Practice
The potential of safety barriers to manage risk allocation before and after accidents is developed and put into industrial practice in the form of safety-oriented projects. In this paper, these projects are reviewed and analyzed hereinafter.
(1) Accidental risk assessment methodology for industry projects.
The ARAMIS project was co-funded by the European Commission with the objective of satisfying the requirement of the SEVESO II directive. This three-year project was launched in January 2001 and ended in 2004. One year later, the methodology proposed in the project was applied in the industry. Within the ARAMIS project, there are mainly six steps involved in implementing the risk assessment in the decision-making process [39].
The first step is to identify all the major hazardous events involved in the process industry, during which the Bow-tie diagram is developed with the integration of fault tree analysis and event tree analysis. In most cases, the identification of critical events for specific scenarios is emphasized in this step, and many probabilistic-based methodologies can be utilized here.
The second step focuses on the identification of safety barriers. In this stage, the safety barriers are defined by their function, performance, classification, and level of confidence. Notably, the performance monitoring and assessment of safety barriers are considered important and need to be studied.
The third step is to evaluate the safety management efficiency to barrier reliability. Within the ARAMIS project, the existing safety management system and safety culture are assumed to influence the reliability of safety barriers; therefore, a process-oriented audit protocol is embedded in the ARAMIS procedures to review the activities relating to safety barriers.
In the fourth step, the reference accident scenario (RAS) is defined and identified. Usually, the RAS refers to the initiating events that cause critical events; in some cases, the term trigger events is also used to describe the RAS. The specific severity index for RAS can be quantified with reference to [135].
The fifth step is to map the risk severity of reference scenarios based on the results of risk severity assessment. Risk severity is represented geographically by a combination of the frequency level and intensity effects. Finally, risk severity can be mathematically calculated by multiplying the frequency and severity index obtained in the fourth step.
The last step in ARAMIS is to evaluate and map the vulnerability of the environment independently of hazardous events, which is beneficial for local authorities to take measures to reduce the global risk level, perhaps neglected by the operator on site. Global vulnerability is actually a linear combination of each target vulnerability, which is determined by the concerns of all stakeholders.
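The quantities named in the first, fifth and sixth steps can be made concrete with a small Bow-tie calculation. The following Python example is added here and is not taken from the paper or from the ARAMIS project; every barrier name, frequency, failure probability, severity index and weight is constructed, barriers are assumed independent, and the `status` override (an assumption of this example) shows how a degraded barrier shifts the computed risk severity.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float  # probability of failure on demand (constructed value)


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float  # initiating events per year (constructed value)
    barriers: tuple   # preventive barriers between threat and hazardous event


def hazardous_event_frequency(threats, status=None):
    """Left side of the Bow-tie (fault-tree view): a threat reaches the
    hazardous event only if every preventive barrier on its path fails;
    the paths are summed (OR gate, rare-event approximation)."""
    status = status or {}
    return sum(
        t.frequency * prod(status.get(b.name, b.pfd) for b in t.barriers)
        for t in threats
    )


def outcome_frequencies(f_he, protective, status=None):
    """Right side (event-tree view): protective barriers act in order; the
    branch 'stopped by X' means all earlier barriers failed and X worked."""
    status = status or {}
    outcomes, reach = {}, f_he
    for b in protective:
        pfd = status.get(b.name, b.pfd)
        outcomes[f"stopped by {b.name}"] = reach * (1.0 - pfd)
        reach *= pfd
    outcomes["unmitigated"] = reach
    return outcomes


def risk_severity(outcomes, severity_index):
    """Fifth step: risk severity = frequency x severity index, per outcome."""
    return {name: f * severity_index[name] for name, f in outcomes.items()}


def global_vulnerability(target_vulnerability, weights):
    """Sixth step: linear combination of target vulnerabilities, with
    weights that express stakeholder concerns and sum to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("stakeholder weights must sum to 1")
    return sum(weights[t] * v for t, v in target_vulnerability.items())


# Constructed sample Bow-tie: two threats, three preventive barriers,
# two protective barriers. None of these figures come from the paper.
THREATS = (
    Threat("overpressure", 0.5, (Barrier("relief valve", 0.01),
                                 Barrier("operator response to alarm", 0.1))),
    Threat("corrosion leak", 0.2, (Barrier("inspection programme", 0.05),)),
)
PROTECTIVE = (Barrier("gas detection and shutdown", 0.02),
              Barrier("emergency response", 0.2))
SEVERITY_INDEX = {  # constructed index on a 0-100 scale
    "stopped by gas detection and shutdown": 5,
    "stopped by emergency response": 40,
    "unmitigated": 100,
}


def assess(status=None):
    """Return (hazardous event frequency, risk severity per outcome) for the
    sample Bow-tie; `status` maps barrier name -> currently estimated PFD."""
    f_he = hazardous_event_frequency(THREATS, status)
    outcomes = outcome_frequencies(f_he, PROTECTIVE, status)
    return f_he, risk_severity(outcomes, SEVERITY_INDEX)


if __name__ == "__main__":
    for label, status in (("as designed", None),
                          ("operator response degraded",
                           {"operator response to alarm": 0.5})):
        f_he, severity = assess(status)
        print(f"{label}: f_HE={f_he:.4f}/yr, "
              f"total risk severity={sum(severity.values()):.5f}")
    print("global vulnerability:", global_vulnerability(
        {"human": 0.6, "environmental": 0.3, "material": 0.2},
        {"human": 0.5, "environmental": 0.3, "material": 0.2}))
```
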
(2) The barrier management project launched by DNV GL.
Almost at the same time as initiating the ARAMIS in 2001, the DNV GL collaborated closely with Statoil to implement a program named the technical condition of safety barriers (TTS), which is mainly aimed at monitoring the identified key safety barriers [69]. In the TTS program, all the critical safety barriers are evaluated in terms of their original design, conditions and operation, which are scored “A–F”. In 2010, another program named the technical integrity management program (TIMP) was launched by DNV GL to implement risk control in conjunction with TTS [126]. Recently, DNV GL published the guideline “barrier management in operation for the rig industry—good practices”, which aims to increase the understanding of barrier management at the management level and operational phase for both onshore and offshore [16]. In this guideline, the establishment and implementation of barrier management are described in detail. Later, DNV GL released a QHSE software solution for barrier management named Synergi Life on the basis of a Bow-tie model. With the application of Synergi Life, missing and degraded barriers can be effectively identified and monitored, and other operational elements can also be embedded conveniently depending on the requirements. In addition, the barrier management project of DNV GL also covers the fish farming industry, which supports the sustainable development of fish farming by improving the operational risk management level. Another barrier management program proposed by DNV GL refers to MyBarrier with the objective of applying it in offshore oil and gas industries. MyBarrier is able to quantitatively assess the impacts of component failures on the risk of losing a barrier element by using real-time data and information.
(3) Standards (generic and industry) and guidelines associated with barrier management.
The development and application of safety barriers are taking place continuously at a rapid pace, and the objective of barrier management is to harmonize the various safety barriers in an orderly way; as a result, the anticipated functions of barrier systems can be successfully maintained. For this purpose, many nonprofit organizations and authorities, including but not limited to standardization organizations, industrial associations, industrial committees and industrial authorities, have offered standards and guidelines, both generic and industrial, in recent decades. These standards and guidelines are beneficial for practitioners in terms of barrier application and management. In this paper, some of the standards and guidelines associated with barrier management are listed in Table 6.
It can be seen from Table 6 that the standards and guidelines associated with barrier management are mainly concentrated in the oil and gas and process industries. In the oil and gas industry, a great contribution is made by Norsk Sokkels Konkurranseposisjon (NORSOK) and PSA from Norway. In the publication of NORSOK [136], a total of 20 barrier systems are listed that can be decomposed further into various barrier elements. Later, PSA issued a guideline on the management of barriers [62] based on the basic principle of the Bow-tie diagram. In 2016, a guideline titled “Guidance for barrier management in the petroleum industry” was published by Hauge and Øien [137] from SINTEF. At almost the same time, the Center for Chemical Process Safety in the U.S. also offered guidance for the management of barrier elements from the perspective of Bow-tie diagrams [114]. In the process industry, most of the contributions associated with barrier management are attributed to the international standard organization (ISO) and the international electrotechnical commission (IEC), both of which issued a series of barrier management standards, including generic and industrial standards. For instance, the IEC issued a series of standards [82,83,138] to guide the management of safety-instrumented systems that essentially correspond to barrier systems. In addition, the role of human-related barriers, including operational barriers and organizational barriers, is a concern of the Chartered Institute of Ergonomics and Human Factors (CIEHF), which published the “Human Factors in Barrier Management” guideline. The highlights in this publication are represented by (1) the proposed principle to determine whether a safeguard is a safety barrier element, (2) the performance standards for human-related barriers, and (3) the management procedures designed for human-related barriers.
3.2.3. Issues Discussed for Barrier Management
Although there are many documents associated with safety barriers and barrier management, such as standards, guidelines, reports, and research papers, many challenges still exist during the implementation of safety barrier frameworks in practice. Across various scenarios, different barrier-related aspects can hardly maintain consistency; for instance, barrier strategies, performance requirements, and operational procedures, in many cases, cannot harmonize comprehensive integration according to the audit results reported by PSA [144]. Therefore, it is necessary to discuss the issues that need to be studied for the implementation and improvement of barrier frameworks.
(1) Issue 1: Lack of clear clarification for the boundary of safety barriers
According to the existing literature or technical reports, nearly thousands of safety barriers or barrier elements have been proposed and defined [69]. However, where is the boundary of safety barriers? Few studies have focused on this issue, and in most cases, the boundary between safety barriers and safeguards or safety measures is not clear, especially for human-related barriers, such as the operational barriers and organizational barriers defined by DNV GL [16]. Furthermore, in some studies, human-related or organizational factors are identified as performance influence factors (PIFs) for technical or hardware barriers [73,96,137,145] instead of barrier elements, and studies on these factors are aimed at providing flexible conditions under which technical barriers are able to function as expected. Another important area where there is a lack of clarity is in the terminological inconsistencies between regulations and standards, which makes it confusing during the implementation of barriers [146]; for instance, the terms barriers/barrier elements and barrier performance/status are frequently used interchangeably. Another source of confusion lies in the fact that different guidelines or standards are issued by authorities from different countries; for example, the guidelines recommended by PSA in Norway and CCPS in the U.S. may differ in terms of terminology and principles.
(2) Issue 2: Role of human or organizational barrier elements in barrier management
This issue is discussed under the assumption that human-related barriers are important components in the barrier management system, which is widely accepted at present. First, the distinction between human-related barriers and the PIFs for barriers needs to be clarified further. For instance, safety culture is considered a kind of barrier in some studies; however, is there any interaction between safety culture and other technical barriers? In addition, practitioners on site are frequently confused by the relationship between human-related or organizational safety barriers and standard operating procedures (SOPs). More importantly, in the case of the introduction of human-related barriers into safety management, an important issue that emerges is “how to cope with the relationship between barrier management and human reliability analysis (HRA)?” In this case, some concepts have to be recognized to obtain a better understanding of human-related barriers. For example, human errors or human-related mistakes in most cases are regarded as the causes or trigger events leading to incidents or accidents, as described in many accident models under the HRA framework; however, from the barrier management perspective, human errors are considered the consequence of human-related barrier failure, that is, human errors are results rather than causes. Unfortunately, to date, few studies have investigated the functioning of human-related barriers with reference to the HRA framework.
The ambiguous understanding of human-related barriers is essentially determined by the difficulties of describing these barriers in the aspects of function, performance and the monitoring approach applicable for specific scenarios, especially in the case of the unavailability of required reliable data. Although CIEHF [115] tentatively proposed a framework to describe human-related barriers, it is still difficult to substantially influence various operational industries. In addition, in the guidelines reported by CIEHF [115], the interaction between human-related barriers and technical barriers is not given much attention, which may be an important issue to solve in the near future. Another particular challenge for the industrial application of human-related barriers lies in the fact that there is a lack of guidance for establishing performance requirements and monitoring procedures, as well as the assessment framework.
(3) Issue 3: Integrating various safety barriers into existing safety management
In the early application of barrier management, barrier elements were generally identified as technical barriers that could be described and evaluated quantitatively. However, the occurrence of accidents is a reminder that accident prevention measures should be comprehensive, especially after the Deepwater Horizon accidents. The Chemical Safety Board argued that with the necessary actions taken, serious consequences may be avoided [147], which explains the importance of barriers associated with humans or organizations. Unfortunately, only a few technical barriers are able to function within limited industrial scenarios, let alone human-related or organizational barriers. The challenges are mainly attributed to the gap between barrier management and safety management in use, even though both are aimed at controlling various risks, and the implementation process is different to a large extent.
At present, the safety management system is running well in most industrial companies, and the safety audit approaches are also standardized. Therefore, a common concern among industrial practitioners is how to map barrier management into the existing safety management system. In practice, it can be reasonably predicted that the introduction of barrier management would increase the complexity of the safety management system. Furthermore, most of the quantitative analysis approaches (QRAs) frequently used in traditional safety management are not applicable for barrier management because most of the nonphysical barrier elements cannot be described quantitatively. Another important concern about this issue lies in the compatibility of barrier management and planned maintenance [146]. As mentioned in Section 3.1.1, the performance of barrier elements deteriorates with time, similar to ordinary mechanical equipment. The latter is practically maintained by establishing the typical planned maintenance system; however, the maintenance of the former has not been solved to date; for instance, how can the test intervals or maintenance period of the barrier elements be determined? In addition, the function of most barrier elements cannot be tested in the simulation circumstance; if the function verification is implemented in the real scenario, the verification activity may induce unexpected failures or accidents. The uncertainty or vagueness of barrier element maintenance would also confuse practitioners with distinctions between system failure and barrier criticality. According to audits reported by PSA, many oil and gas companies are not able to exactly classify failure and barrier element criticality [137].
(4) Issue 4: Dynamic assessment of barrier elements based on a system perspective
According to the definition proposed by PSA [62], the purpose of barrier management is to maintain the function of barriers, which is generally implemented by dynamic assessment of objective barrier elements. The methodologies employed in the existing literature associated with QRA can be consulted to conduct dynamic barrier assessment, such as dynamic Bayesian network and failure tree analysis. However, there are still three important issues that need to be studied further: (1) what is the benchmark for the assessment? (2) How can real-time data and information be obtained and integrated? (3) How can the interaction among the various barrier elements involved in the barrier system be coped with?
It is essential to set a reasonable benchmark for dynamic barrier assessment; however, the determination of the benchmark for various barrier elements is not easy, especially for nonphysical barrier elements. In the guidance provided by PSA [62] and DNV GL [16], the benchmark for dynamic barrier assessment is not explained in detail, which makes it difficult to distinguish the barriers that function or are impaired. Meanwhile, the benchmarks designed for a single barrier element and the barrier system may be different; therefore, it is necessary to understand the relationships among different benchmarks. For instance, before initiating a specific assessment activity, all the performance requirements of barriers should be reviewed and analyzed. The second issue is focused on the technical data and information: current technical developments are trying to make it possible to obtain real-time data [120], and advanced tools are developed and tentatively applied on advanced oil and gas platforms [148]. However, companies will not implement risk control activities at any price; for example, a common complaint about the barrier management requirement proposed by PSA is the significant costs related to functional testing and the establishment of an indicator system [72]. Therefore, how to balance the cost and gains is a challenge for the application of industrial barrier management that cannot be ignored. The last issue involved in the dynamic management of barrier systems emerged from a consideration of the interaction between barrier elements. Generally, the objective of barrier management is supported by integrating multiple barriers; as a result, the interaction between technical, operational and organizational barrier elements should be well understood [96]. For instance, traditional technical barriers frequently act as active barriers or preventive barriers on the left side of the Bow-tie diagram, while operational and organizational barriers are usually applied as reactive barriers or protective barriers on the right side of the Bow-tie diagram. In the state of “work as image”, the positive interaction of both sides of the Bow-tie diagram should be observed in an effective safety management system. Therefore, the interaction between different kinds of barrier elements should be fully considered in dynamic assessment activities for barriers, whether at the single or system level.