*5.3. Limitations of the Work*

The proposed methodology may be of limited use when analysing novel systems outside the manufacturing and maintenance industry, where 6M originated. It is important to accept that there is not only one right solution. Every model needs to provide a certain extent of flexibility that enables it to be applicable to the broader industry. The categories need to be tailored to suit the di fferent needs and concerns of the specific industry and organisation that is applying it [82]. This limitation was already addressed and we showed that the categories can be contextualised and adjusted to the area under investigation. It was found that the level of risk assessment plays an important role when contextualising the categories.

In other industries, di fferent categorisations have already been applied such as the '8Ps marketing mix' or the '4S cause categories' in the service industry. Each of these categorisations could theoretically be applied to Bowtie following the principles presented in this paper. It is recommended to use a common approach to avoid arbitrary structures, which would act adversely on the attempt to provide consistency.

As mentioned in the previous section, the approach covers the most common risk areas based on previous experience. However, this involves the risk of missing Bowtie elements that have not previously occurred. The use of strictly defined categories may limit the imagination when identifying threats, consequences, or barriers. Analysts will need to ensure they are not so fixated on the method that they fail to anticipate new threats.

In some cases, the classification is not explicit as threats or barriers may fit into two of the proposed categories. From a risk point of view, it is not essential where and under which category an element is listed, as long as it is listed and brought to attention, so that it can be further analysed. In the case study, we made the decision to categorise the elements based on their nature and exerting agent.

The process of developing a Bowtie diagram following the proposed structure can be time consuming and people may focus too much on trying to fill in all gaps, although it is realistic and acceptable that there is not a threat, consequence, or barrier in each category type for every case.

There is a caveat regarding the Management category. The intent is to represent the operations management, as opposed to management-theory, leadership and vision. Consequently, the managemen<sup>t</sup> threats shown here are aimed for an audience of operators, who have the operational knowledge to know how the integrity of the work may be compromised. Business executives normally do not know every process in detail and are not risk experts, and hence tend not to create Bowtie diagrams.

While there are many risk assessment methods (e.g., Bowtie, FTA, FMEA, Zonal analysis, and Ishikawa), and they all cope with single threats, they often struggle to represent multiple simultaneous failures. Reason [83] stated that often multiple barriers fail at the same time, which then releases the top event, and ultimately has the potential to cause severe damage or result in a catastrophe. Consequently, any type of method that fixates on identifying root causes has the intrinsic detriment of under-emphasising the temporal relationships of causality between the contributory factors. It is particularly di fficult to represent how organisational factors (such as work culture) a ffect physical failure, since the causal mechanisms are indistinct and perhaps easier to obfuscate [84]. Many enquiries into major disasters focus on the physical root causes and the accident sequence: the organisational root causes are treated di fferently, are termed 'contributory factors', and are not easily representable with some diagrammatic methods. Bowtie analysis is not particularly e fficient at representing complex relationships of causality, neither natively nor with the changes proposed in this paper. This is evident in the need to repeatedly represent causal chains on the diagram, hence our suggestion to use modules. It does not readily capture the more abstract organisational factors such as organisational culture and

perverse agency [85]. Nonetheless, Bowtie does excel at representing the failings of the operational systems alongside the physical faults. This plus its simple depiction make it an e ffective communication tool by which operators can build a shared understanding (and hence a local work culture) of how their tasks contribute to a larger good. Hence, we propose that the purpose of any risk analysis tool is to capture *su*ffi*cient* complexity of the real system behaviour as to direct improvement e fforts and consolidate work-culture around actions that improve safety outcomes.
