4.5.4. Barrier Modules

Since barriers repeat themselves multiple times along the Bowtie, we propose defining "barrier modules". This has the potential of making the Bowtie development process more time e fficient since not every barrier with its entire escalation factor and escalation factor control path has to be repeated. Furthermore, it tidies up the diagram without diminishing comprehensiveness. A visualisation of the barrier module is presented in Figure 10.

**Figure 10.** Potential visualisation of barrier modules encapsulating escalation factors and its controls.

When introducing barrier modules, one limitation might be that all barriers are expected to have the same e fficiency. Some barriers (modules) might be repeated because they are of the same nature; their e ffectiveness in regards to the threat, however, might be di fferent. For example, when considering 'fire' being the threat, the extent of the fire might vary significantly, e.g., a burning candleholder, a house fire or a wildland fire. In each case, a fire-extinguishing agen<sup>t</sup> would be a barrier. However, for the small fire, a handheld fire extinguisher might be su fficient, while for a house fire, a fire truck is the right level of prevention, and for a wildland fire, an extinguishing plane may be required. This limitation must be considered when using barrier modules.

### *4.6. Full Bowtie with a 6M Structure*

Combining the 6M structure for threats and consequences from Section 4.4.3, the 6M structure for barriers from Section 4.5.1, and the colour-coding scheme from Section 4.5.2, results in a 6M × 6M matrix structure on both sides of the Bowtie diagram. The full Bowtie structure is shown in Appendix A. For better legibility, both sides of the diagram are presented individually in Figures 11 and 12.

**Figure 11.** Threat side of the Bowtie diagram with 6M prevention barrier structure.

**Figure 12.** Consequence side of the Bowtie diagram with 6M mitigation barrier structure.

### *4.7. Application to a Case Study*

The conceptual framework was applied to the specific case of visual inspection of aero engine parts in an MRO environment. Borescope inspection plays a crucial part in engine maintenance, since it allows inspecting parts inside the engine for defects, such as nicks, dents, cracks, tears, and fractures, without the need for a costly teardown. Missing such a defect during visual inspection is highly critical for the airworthiness of the engine and passenger safety. Hence, we defined the top event as being the risk of a 'Defect missed during inspection'. The next step was the identification of the threats, consequences and barriers. We asked each specialist from the maintenance and inspection domain to identify risks inherent in the process of borescope inspection, and what means of prevention and mitigation are or could be in place. The insights were extracted from field notes taken during the observation and the Bowtie diagrams were drawn. It shall be noted that the main emphasis was put on the prevention side, which is common practice in Bowtie application [4,26]. The reason behind this approach is that prevention e fforts are more cost-e ffective and hence more attractive from a managemen<sup>t</sup> perspective [77].

A general limitation of Bowtie and other root cause diagrams is the scalability and legibility when analysing complex systems, as the diagrams tend ge<sup>t</sup> quite large. When using BowtieXP software, there is a function to show and hide di fferent layers of the Bowtie diagram. The layers include: (a) only hazard and top event; (b) hazard, top event, threats and consequence; (c) hazard, top event, threats and consequences with all barriers; (d) hazard, top event, threats, consequences, barriers and escalation factors; (e) threats, consequences, barriers, escalation factors and escalation factor controls. This is helpful when presenting the diagram to an audience who does not need all the details, but without losing any of the data in the background. Unfortunately, this is a manual task and there is no automatism for expanding or condensing Bowtie diagrams, or hiding individual threat or consequence paths. It would be helpful if this feature could be enhanced in future versions of BowtieXP software.

Possibly, multiple threats of the same category can be merged into one 'higher-level' threat path (similar to the barrier modules introduced in Section 4.5.4), e.g., summarising fatigue, distraction, and complacency, into a single human factors threat path instead of listing all twelve human factors (HFs) individually. However, this requires that all threats have the same barriers, which often is not the case.

In order to represent the Bowtie diagram of this research in a legible and receptive way, it was divided into six Sub-Bowties based on the M categories. The six Sub-Bowties for the threat side are shown in Figures 13–18. The consequence side of the diagram is presented in Figure 19. Additionally, for purposes of illustration, the size of all Bowtie diagrams was somewhat artificially limited to a maximum six barriers per threat and consequence path. This is solely a limitation to provide legible diagrams within the journal constraints.

The full-sized Bowtie diagrams with all barriers can be found in Appendix A Figures A2–A8. For a higher resolution version of the developed diagrams, refer to Supplementary Materials Figures S1–S8.

**Figure 13.** Management-related threat paths with barriers.

**Figure 15.** Method-related threat paths with barriers.

**Figure 16.** Man-related threat paths with barriers.

**Figure 17.** Mother Nature-related threat paths with barriers.

The categorisation and barrier colour coding were made in collaboration with the risk and managemen<sup>t</sup> team of our industry partner. The categorisation was based on the responsibility and exerting agency of the threat or barrier. This decision was made after a discussion with the industry experts, about the Bowtie elements that could be placed in more than one category, such as task-related threats. In this particular example, the threat could be placed in the man category since the inspection personnel performs the task. On the other hand, it could also be a method-related threat, since a task is part of a process or procedure. Based on the decision above, we categorised it as a man-related threat, since the human performs the task and human performance is always critical in this industry. It is generally accepted that human errors cause over 70% of all aircraft accidents [78]. Furthermore, 80% of all maintenance errors involve human factors [79]. Hence, it can be expected that the threat paths in the man category will make up the majority of all threats in the Bowtie diagram.

The diagrams produced as part of this research should not be considered comprehensive. We limited the consequence side of the Bowtie to the immediate consequence rather than the full consequence chain.

**Figure 18.** Machine-related threat paths with barriers.

**Figure 19.** Consequence path with barriers.
