BTII: Control-freak*

As a follow-on to my first post on the Bow-Tie risk assessment method, I thought I'd concentrate on controls (or barriers or whatever else you would like to call them). This is, after all, where all the action happens. Risk controls are how we spend most of our time - they are the practical aspect of managing risk.

Quick Review

Our typical bow-tie model consists of one or more threats leading to a single top event which results in one or more consequences. The idea is to insert your controls into these connections in such a way as to reduce the level of risk associated with the scenario. Controls may also be subject to defeating factors which affect their ability to reduce risk. Here's my overview picture from a couple of weeks ago:

Bow-Tie Overview

Bow-Tie Overview

Skinning Cats

You can categorise controls a multitude of ways. Risk professionals would be familiar with the standard hierarchy of controls and other ways of breaking them up. Now, I'm not sure if you're getting to know me yet but, you may have guessed, I've got a slightly different approach.

The first concept I'd like to introduce is that bow-ties are made up of primary lines and  secondary lines. The primary lines are those that link threats to the top event to consequences while the secondary lines are those connecting defeating factors to controls - see my new diagram below. The reason for the distinction is that I believe there are fundamental differences between the controls required on the primary line and those used on secondary lines.

Lines of Control

Lines of Control

I only noticed this phenomenon the other day when I was putting together a bow-tie on mid-air collision within a very specific context. I had a good piece of technical analysis in front of me but I wanted to create a picture of the risk to assist in evaluation. This analysis contained a list, in no particular order, of existing and potential controls and as I slotted them into the diagram, I noticed that certain types of controls went on the primary lines and other types ended up on the secondary lines.

Now, I've been racking my brain on how to describe these differences and I'm still not fully there but here goes.

Within my approach to creating a bow-tie, the primary line consists of events closely related in time. Maybe not a short time but at least a progression from threat through top event to consequence. Therefore, controls along the primary line must also exist along that same temporal line - not necessarily within it though, as we shall see in a moment. This means that controls here must be things that interact with the events that occur along the line. I noticed that front-line operator actions, equipment and facilities tended to fall along this line.

Secondary lines, on the other hand, may not relate to events which occur at the time or may be situations or conditions which lay dormant until the right set of circumstance arise. I noted last time the similarity between defeating factors and latent conditions. As such, controls on these lines must address these latent conditions and should have been implemented prior to the events of the primary line taking place. In the bow-tie I was working on, controls on these lines tended to be things like education and promotion related to the primary line controls.

Not all defeating factors, however, are latent conditions. I can think of a few that are events or situations related in time to the primary line. As an example, I tend to think that low visibility is a common defecting factor to many aerodrome related controls - visual markers etc. - and this is definitely something which needs to exist at the time of the top event to have an impact.

However, I have began to distinguish these two types of controls as action controls on the primary lines and capability controls on the secondary lines1. That is not to say that capability controls don't involve action. Of course they do but their objective is to ensure the capability of the action control to achieve what it aims to achieve. I'm not exactly sure how to operationalise this concept - I would like to turn it into some form of advice or guidance on what type of controls go where or how to word controls on each line. That level of understanding still eludes me.

Squares or Triangles?**

Regardless of this shortfall, I have also been categorising controls according to where they act on their line. I think it is very important to consider this a part of categorising your controls because a bow-tie diagram has the potential to overly constrain your thinking.

As I mentioned previously, a bow-tie is or should be limited in its focus. I may have created that constraint but I stand by it, for now. When it comes to controls, however, you may need to identify things that impact on the situation to the left of the threats, to the right of the consequences and outside of the defeating factors. Before we get into all that, let's have another picture.

Types of Controls

Types of Controls

In this diagram, I've identified four types of controls categorised according to where they impact on the links between the bow-tie's components. Let's go through them, one by one.

Prevention - These controls act outside the bow-tie diagram as they attempt to prevent the existence of the threat or defeating factor. An example of such a control might be maintenance on an aircraft breaking system designed to prevent the system from failing.

Intervention - These controls intervene after the threat or defeating factor has occurred or manifest and seeks to stop that situation from becoming a top event or impact on the capability of a control. A sufficiently wide runway would be a good example in the case of runway excursions - this control can't prevent threats from occurring but it may stop a runway excursion from occurring if sufficiently wide to contain the aircraft's lateral deviation during landing or take-off.

Mitigation - These controls don't stop the top event from occurring but they seek to mitigate the consequence. Continuing on from the last example, a sufficient runway strip would be such a control as it only comes into play once the runway excursion has occurred.

Recovery - These controls also act outside the bow-tie diagram. This time they impact the scenario after the consequence has occurred. Any form of response, for example - emergency response, is a good example of a recovery control.

You can cut the control-pie other ways. In fact, you have to if you want to conduct analysis of the risk picture or turn it into a consolidated action plan. The more complicated the picture, the more important the structure as this helps to break it up into manageable junks. For example, you might want to think about what type of activities are involved in your controls. As examples, which ones involve training and which ones involve inspections of facilities?

Where to from Here?

I think I'll be doing a lot more bow-ties in the very near future. So, this group of posts is going to develop, grow, change, morph, what have you. Next on my list might be evaluation methods, maybe. I'll be back with more as soon as I figure it out. Actually, I might be back before then.

* I really have trouble naming things. As proof I offer my high-school band name - "Hot Pink Combi" - I know, right? :oops:

** I ask this question of my kids nearly every weekend morning when I go to cut their toast. For me, it has become to mean the same thing as slicing up a pie.