Bowtie, FMEA, and Barrier Thinking

Key Takeaways

  • CSP11 names system safety analysis techniques such as fault tree analysis, FMEA, Safety Case thinking, and risk summation, while Risk Management expects analysis and mitigation of EHS hazards.
  • Bow-tie analysis shows threats, a central event, consequences, preventive barriers, mitigative barriers, and escalation factors in one visual risk story.
  • FMEA works failure mode by failure mode and commonly ranks severity, occurrence, and detection to prioritize design or process improvements.
  • Barrier thinking asks whether safeguards are effective, independent, maintained, available, and protected from common-cause failure.
  • Method selection matters: choose JHA for task steps, HAZOP for process deviations, FMEA for failure modes, FTA for a top event, ETA for event paths, and bow-tie for barrier communication.
Last updated: June 2026

System Safety Methods Are Decision Tools

CSP11 Program Management includes system safety analysis techniques such as fault tree analysis, failure modes and effects analysis, the Safety Case approach, and risk summation. The Risk Management domain then asks candidates to apply risk analysis and mitigation strategies. Together, those objectives demand more than recalling vocabulary.

The exam may ask which method fits a scenario, what the output means, or what weakness remains after a study. A diagram is not the goal. The goal is better control selection, clearer assumptions, and stronger evidence that risk is tolerable.

Bow-Tie Analysis

A bow-tie places the central event in the middle. Threats sit on the left. Consequences sit on the right. Preventive barriers stop threats from reaching the central event. Mitigative barriers reduce consequences after the central event occurs.

Bow-tie element      Example for a solvent release
Threat               Hose failure, wrong connection, overpressure, impact damage, operator error.
Preventive barrier   Compatible hose, inspection, interlock, pressure relief, procedure, competency check.
Central event        Loss of containment.
Mitigative barrier   Drain isolation, ventilation, spill kit, alarm, emergency response, fire protection.
Escalation factor    Barrier unavailable, poor maintenance, simultaneous hot work, blocked access.

Bow-ties are useful for communication because they show how prevention and mitigation differ. They also expose barrier gaps. If every preventive barrier depends on the same operator noticing the same alarm, the barriers are not independent. If a spill kit is behind the likely release area, mitigation may fail when needed.

FMEA Logic

Failure Modes and Effects Analysis (FMEA) works from components, steps, or functions. For each item, the team asks how it can fail, what effect follows, how severe the effect is, how often the failure might occur, how likely detection is before harm, and what action should reduce risk.

Many FMEAs calculate a Risk Priority Number (RPN) by multiplying the severity, occurrence, and detection ratings. The number helps rank attention, but it has limits. Different rating combinations can produce the same score with very different meanings, and a high-severity, low-occurrence failure may deserve action even when its score is lower than that of a frequent nuisance problem.
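The two RPN limits above are easiest to see on a small worked sheet. The Python below is an added example for this page, not code from any standard, CSP material, or real FMEA; the failure modes, their 1 to 10 ratings, and the severity-gate rule (pull any mode at severity 9 or above to the top of the list, whatever its RPN) are constructed for illustration. It ranks the same four rows two ways and lists rows that tie on RPN.

```python
"""FMEA Risk Priority Number (RPN) ranking with the severity caveat made visible.

Added worked example for this page, not code from any standard or study.
Severity (S), occurrence (O) and detection (D) use the common 1 to 10 scales;
the failure modes and ratings below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    severity: int    # 1 = negligible effect .. 10 = catastrophic / fatality
    occurrence: int  # 1 = remote .. 10 = almost certain
    detection: int   # 1 = almost certain to detect before harm .. 10 = undetectable

    def rpn(self) -> int:
        """Classic RPN = S x O x D, range 1..1000."""
        return self.severity * self.occurrence * self.detection


# Constructed sample rows, not from a real FMEA sheet.
SAMPLE_MODES = [
    FailureMode("Transfer hose", "bursts under overpressure", severity=9, occurrence=2, detection=3),
    FailureMode("Level alarm", "nuisance trips, operators silence it", severity=3, occurrence=8, detection=3),
    FailureMode("Spill kit", "contents missing when needed", severity=6, occurrence=4, detection=5),
    FailureMode("Interlock relay", "fails to open on high pressure", severity=8, occurrence=3, detection=5),
]


def rank_by_rpn(modes):
    """Pure RPN ranking, highest first: what most FMEA sheets sort on."""
    return sorted(modes, key=lambda m: m.rpn(), reverse=True)


def rank_severity_first(modes, severity_floor=9):
    """Severity-gated ranking (a policy choice assumed for this example):
    any mode at or above severity_floor goes to the top regardless of RPN,
    then everything follows by RPN, with ties broken by severity, then occurrence."""
    def key(m):
        gate = 1 if m.severity >= severity_floor else 0
        return (gate, m.rpn(), m.severity, m.occurrence)
    return sorted(modes, key=key, reverse=True)


def same_score_groups(modes):
    """Map RPN -> modes sharing that score, for scores held by more than one
    mode. Equal RPNs built from different S/O/D mixes do not mean equal risk."""
    groups = {}
    for m in modes:
        groups.setdefault(m.rpn(), []).append(m)
    return {score: ms for score, ms in groups.items() if len(ms) > 1}


if __name__ == "__main__":
    print("By RPN alone:")
    for m in rank_by_rpn(SAMPLE_MODES):
        print(f"  RPN {m.rpn():4d}  S{m.severity} O{m.occurrence} D{m.detection}  {m.item}: {m.mode}")
    print("Severity-gated (floor 9):")
    for m in rank_severity_first(SAMPLE_MODES):
        print(f"  RPN {m.rpn():4d}  S{m.severity} O{m.occurrence} D{m.detection}  {m.item}: {m.mode}")
    for score, ms in same_score_groups(SAMPLE_MODES).items():
        print(f"Same RPN {score}: " + " vs ".join(f"{m.item} (S{m.severity})" for m in ms))
```

With these constructed ratings the hose burst (S9, RPN 54) ranks last by RPN, below the nuisance alarm (S3, RPN 72), while the spill kit and the interlock relay tie at 120 with quite different profiles. The severity gate moves the hose to the top; the tie list is what a reviewer would read before trusting the ranking.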

FMEA is strong for equipment, process steps, maintenance tasks, and product or design reviews. It is weaker when the team does not understand the actual operating environment or when common-cause failures can defeat several controls at once.

FTA, ETA, HAZOP, and LOPA

Fault Tree Analysis (FTA) starts with an undesired top event and works backward through combinations of failures. It is deductive. Use it when the question asks how multiple basic events could combine to cause a specific loss.

Event Tree Analysis (ETA) starts with an initiating event and works forward through success or failure of safeguards. It is useful for seeing possible outcome paths after something begins, such as ignition after release or containment after a pipe break.

Hazard and Operability Study (HAZOP) is structured around process deviations from design intent. Guide-word logic helps a team ask what happens if flow, pressure, temperature, level, composition, or sequence is more, less, none, reverse, or otherwise abnormal.

Layer of Protection Analysis (LOPA) evaluates whether independent protection layers are enough for a scenario. It sits between qualitative review and full quantitative risk analysis. The CSP concept to remember is independence. A safeguard is weaker if it shares the same power supply, sensor, software, maintenance failure, or human action as another layer.
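The independence point in the bow-tie discussion above (every preventive barrier depending on the same operator and the same alarm) and the LOPA paragraph here are the same check, so one worked example serves both. The Python below is added for this page and is not from any LOPA guideline or real study. It applies the standard LOPA arithmetic, mitigated event frequency equals initiating event frequency times the product of the protection layers' probabilities of failure on demand (PFD), but the layer names, PFD values, initiating frequency and shared-element lists are constructed, and the way it handles non-independent layers is a simplification assumed for the example: layers sharing an element with the initiating cause get no credit, and layers sharing an element with each other are credited as a single layer at the lowest PFD in the group.

```python
"""Barrier independence check for a bow-tie / LOPA scenario.

Added example for this page. Layer names, PFD values, the initiating event
frequency and the shared-element sets are constructed, not from a real study.
Standard LOPA arithmetic: mitigated frequency = IEF x product of PFDs of the
independent protection layers. The treatment of non-independent layers is an
assumption of this example, not a rule taken from any standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float            # probability of failure on demand, 0..1
    depends_on: frozenset  # elements whose failure defeats this layer


def common_cause_groups(layers):
    """Group layers that share at least one element (directly or through a
    chain of shared elements). Layers in one group are not independent."""
    parent = {layer.name: layer.name for layer in layers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_user = {}
    for layer in layers:
        for element in layer.depends_on:
            if element in first_user:
                union(first_user[element], layer.name)
            else:
                first_user[element] = layer.name

    groups = {}
    for layer in layers:  # input order preserved within each group
        groups.setdefault(find(layer.name), []).append(layer)
    return list(groups.values())


def credited_layers(layers, initiating_elements=frozenset()):
    """Layers that may be credited as independent protection layers.
    Assumed simplification: a layer sharing an element with the initiating
    cause gets no credit; a common-cause group is credited once, at the
    lowest (best) PFD in the group."""
    eligible = [l for l in layers if not (l.depends_on & initiating_elements)]
    return [min(group, key=lambda l: l.pfd) for group in common_cause_groups(eligible)]


def naive_frequency(initiating_freq, layers):
    """The optimistic number you get by treating every safeguard as independent."""
    f = initiating_freq
    for layer in layers:
        f *= layer.pfd
    return f


def mitigated_frequency(initiating_freq, layers, initiating_elements=frozenset()):
    """Mitigated event frequency using only credited layers."""
    f = initiating_freq
    for layer in credited_layers(layers, initiating_elements):
        f *= layer.pfd
    return f


# Constructed scenario: solvent transfer, loss of containment on overpressure.
INITIATING_EVENT_FREQ = 0.1  # per year, assumed for the example
SAMPLE_LAYERS = [
    Layer("High-level alarm with operator response", 0.1,
          frozenset({"level_sensor", "alarm_panel", "operator"})),
    Layer("Operator manual shutdown on alarm", 0.1,
          frozenset({"alarm_panel", "operator"})),
    Layer("Pressure relief valve", 0.01, frozenset({"relief_valve"})),
    Layer("Hard-wired SIS trip", 0.01, frozenset({"sis_sensor", "sis_logic"})),
]

if __name__ == "__main__":
    for group in common_cause_groups(SAMPLE_LAYERS):
        if len(group) > 1:
            shared = frozenset.intersection(*(l.depends_on for l in group))
            print("Not independent:", [l.name for l in group], "share", sorted(shared))
    print(f"Naive (all independent):      {naive_frequency(INITIATING_EVENT_FREQ, SAMPLE_LAYERS):.1e} /yr")
    print(f"Credited layers only:         {mitigated_frequency(INITIATING_EVENT_FREQ, SAMPLE_LAYERS):.1e} /yr")
    print(f"Initiating cause is operator: {mitigated_frequency(INITIATING_EVENT_FREQ, SAMPLE_LAYERS, frozenset({'operator'})):.1e} /yr")
```

On the constructed numbers, counting all four safeguards gives 1e-7 per year; crediting the two alarm-and-operator layers once gives 1e-6; and if the initiating cause is itself an operator error, both operator-dependent layers drop out and the figure is 1e-5, a hundred times the naive estimate. That gap is the exam point: the diagram has four barriers, the scenario has two independent ones.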

Barrier Strength

A barrier can be physical, engineered, procedural, administrative, or human. Strong barriers are specific to the scenario, available when demanded, maintained, tested, and independent of the initiating event. Weak barriers are vague, unavailable, untested, bypassed, or dependent on perfect human performance under stress.

Ask these questions:

  • Does the barrier prevent the event, detect it, control it, or mitigate the consequence?
  • Is the barrier independent from other barriers and from the initiating cause?
  • How will the organization know the barrier is healthy before it is demanded?
  • What escalation factors could defeat it?
  • Who owns inspection, testing, maintenance, training, and change control?

These questions are central to bow-tie review, FMEA actions, Safety Case reasoning, and serious-injury prevention. A control that has not been verified is assumed protection, not demonstrated protection.

Use risk summation carefully when several moderate hazards affect the same worker, operation, or emergency pathway. Separate scores can hide combined exposure, especially during maintenance outages, simultaneous operations, or abnormal startup. A CSP-level review asks whether the total barrier set is adequate for the combined scenario, not only whether each individual line item looks acceptable.

Choosing the Method on Exam Items

Use JHA when work steps and task exposure are the focus. Use HAZOP when the problem is process deviation from design intent. Use FMEA when the prompt describes failure modes of components, equipment, or process steps. Use FTA when it starts with a top event and asks for combinations of causes. Use ETA when it starts with an initiating event and asks for outcome paths. Use bow-tie when the issue is communication of threats, consequences, and barriers.

The best CSP answer often improves the barrier system, not the diagram. Add independence, remove common-cause vulnerability, verify maintenance, use higher-order controls, and update the risk register when assumptions change.

Test Your Knowledge

A facility has two safeguards for a release scenario, but both depend on the same sensor, alarm panel, and operator response. What is the strongest CSP conclusion?
