Barrier Analysis

Technical Research and Analysis Center

SCIENTECH, Inc.
1690 International Way
Idaho Falls, Idaho 83402

August 1995

SCIE-DOE-01-TRAC-29-95

Barrier Analysis

Prepared by:
W.A. Trost, INEL
R.J. Nertney, INEL
Revised by:
J. Kingston-Howlett, Aston University, Great Britian
R.J. Nertney, SCIENTECH, Inc.
H.K. Nelson, SCIENTECH, Inc.

Technical Research and Analysis Center

SCIENTECH, Inc.
1690 International Way
Idaho Falls, Idaho 83402
August 1995

SCIE-DOE-01-TRAC-29-95

Barrier Analysis
Executive Summary
Barrier Analysis was written to support the total MORT Programme. It is a reminder to the
system safety person or the accident investigator that there are three factors to be considered
when evaluating an accident or a potential accident situation. Those three factors are (1) the
energy or environmental condition present, (2) the target, the person or object of value and
(3) the barrier and control, those things that are in place or should be in place to keep the
energy and the targets apart. These three factors and their relationships to the MORT chart
are discussed. Familiarity with the MORT chart is recommended for readers of this
document.

August 1995

Barrier Analysis i

SCIE-DOE-01-TRAC-29-95

CONTENTS
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
I

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

II

Incident - Accident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

III

Energy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

IV

Potentially Harmful Energy Flow or Environmental Conditions . . . . . . . . . . . . . . . . 7

Barriers and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

VI

Vulnerable People or Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

VII

Energy Precursors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

VIII

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

FIGURES
1.

Accident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2.

Energy flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3.

Harmful energy flow or environmental condition . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.

Types of barriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

5.

Barriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

6.

Limitation of barriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

7.

Barriers and controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

8.

Vulnerable people or objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

9.

Events and energy flows leading to mishap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

10.

Unwanted energy flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

August 1995

Barrier Analysis iii

SCIE-DOE-01-TRAC-29-95

Introduction

The Management Oversight and Risk Tree (MORT) provides to the user a technique for a
thorough, searching investigation of occupational accidents as well as a technique to analyse
safety programmes. MORT is a formal, disciplined logic or decision tree to relate and
integrate a wide variety of safety concepts systematically. Included is the sequential role of
energy and barriers to energy transfers.
The MORT chart is the key diagram for the whole MORT system safety programme. This
MORT chart sets down in an orderly way all the potential causal factors for accidents. It can
also be used to delve into the future to analyse systems for adequacy of those control elements
that are designed to prevent accidents.
In the MORT programme, an incident is an event for which a barrier to an unwanted energy
flow is inadequate or fails without any loss or consequence occurring. Accident or mishap is
defined as the unwanted flow of energy or exposure to an environmental condition that results
in adverse consequences.
Based upon these definitions, the basic ingredients of an accident are: (1) the energy flow or
environmental condition that does the harm; (2) the vulnerable people or objects that can be
hurt by that energy flow or environmental condition; (3) the failure or lack of the barriers and
controls that are designed to keep them apart; and (4) the events and energy flows that lead
into the final accident phase. All four of these ingredients are required to be in place for an
accident to occur. If any one of the four is missing, there would not be an accident.
Figure 1, Accident (SA1)1 graphically displays the ingredients of an accident.

14

Accident
S A1

Potentially Harmful
E nergy F low or
E nvironmental
Condition
S B1

17

S C4

c26
MB3

Barriers and
Controls
LTA
(Incident)

S C3
S B2

On E nergy F lows
& E nvironmental
Conditions People
& Objects

18

Vulnerable
People or Object
S B3

E vents and
E nergy F lows
L eading to
Accident

Value

S B4

18

19

Figure 1. Accident

Nomenclature from the MORT chart will be used throughout this document.

August 1995

Barrier Analysis 1

SCIE-DOE-01-TRAC-29-95

Wherever there is a possibility that persons or objects may come in contact with an energy
flow or an environmental condition that could cause harm to persons or things, it is necessary
to isolate the energy flow or the environmental condition.
Other factors to consider are those that relate to control of potential targets of accidents, such
as those factors that relate to control of people that could be injured in the work areas.
Consideration should also be given to those factors that relate to protection of buildings,
grounds, hardware and production processes, and the factors that could relate to the
reputation and liability of a company itself.
Haddon2 originated the concept that harmful effects of energy transfer are commonly
controlled by one or more of a succession of measures or barriers. These barriers are:
1
2
3
4
5
6
7
8
9
10

Prevent the marshaling (do not produce or manufacture the energy)

Reduce the amount, e.g., voltages, fuel storage
Prevent the release (strength of energy containment)
Modify the rate of release , e.g., slow down burning rate, speed
Separate in space or time, e.g., electric lines out of reach
Interpose material barriers, e.g., insulation, guards, safety glasses
Modify shock concentration surfaces, e.g., round off and make soft
Strengthen the target, e.g., earthquake-proof structures
Limit the damage, e.g., prompt signals and action, sprinklers
Rehabilitate person and objects

These successive steps have been called energy barriers. The energy barriers may be a
physical obstruction or they may be a written or verbal procedure that is put into place as a
means of separating the energy from the persons or objects in time or space. Substituting a
less harmful energy may be a way to limit the energy or prevent the build-up.
In reference to Figure 1, the MORT programme uses an energy-barrier concept. This
emphasises that in order to analyse accidents or potential accidents, one must first investigate
the potentially harmful energy flows (hazard) or environmental conditions, SB1. These are
energy transfers that can interact with people or things, such as particles flying through the air
or vehicles in motion. In the environmental sense, one should consider environmental factors,
such as industrial hygiene problems, toxic materials, etc., or those elements which can interact
with and harm people or things.
The second element to be considered is the people or objects (targets) of value that are
vulnerable to an unwanted energy flow, SB3.

Haddon, William Jr.; Energy Damage and the Ten Counter-Measure Strategies, Human
Factors Journal, August 1973.
2 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

The third element to be considered in an accident sequence is the failure or lack of the barriers
and controls that are designed to keep the potentially harmful energy away from the
vulnerable people or objects, SB2.
The fourth element to be considered in the analysis of an accident is the precursor events, e.g.,
the multiple energy transfers and barrier failures that lead to the final energy transfer causing
the accident, SB4.

August 1995

Barrier Analysis 3

SCIE-DOE-01-TRAC-29-95

II

Incident - Accident

The MORT programme uses a special definition of an incident or an accident. This definition
will be used exclusively in the discussion of the MORT analysis of the Energy-Barrier
programme. As stated before, an incident is an event for which a barrier to unwanted energy
flow is inadequate or fails without any loss or consequences. An accident or mishap is defined
as the unwanted flow of energy or environmental condition that results (loss of barrier) in
adverse consequences.
To illustrate this concept in the MORT analysis, a tiger analogy is used. The analogy refers to
tigers (energy source or environmental conditions) harming a target (vulnerable persons or
objects), where barriers are inadequate or are not in place.
If there is a cage for the tigers and someone leaves the cage door open, the tiger gets out but
does not harm anyone; this is defined as an incident. That is, one of the barriers between the
tiger and the people failed.
The same sort of logic can be applied to a nuclear facility where a radioactive source is
normally kept in a container. If the source escapes containment but no person is there to be
exposed to the radiation, the barrier failed but no harm was done; this would also be defined
as an incident.
The event would be defined as an accident if the cage door were left open, and the tiger
harmed someone; an adverse consequence an accident. It would also be an accident if the
radioactive source got out of the container and a person was exposed to the radiation. The
incident is the failure of the control system without adverse consequences. The accident is the
failure of the control system with adverse consequences.

4 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

III

Energy

Energy is the physical capacity to do work, and is, therefore, essential to performance. As
man has advanced society, the use of energy has become an increasingly greater part of this
advancement.
Of concern here are the phenomena that involve the transfer of energy in such ways and
amounts, and at such rapid rates that people could be injured or objects could be damaged.
Energy, with its capacity to do damage, is essential to injury of personnel, damage to objects,
or process degradation. The management of the harmful effects of energy transfer is a basic
preventative approach and involves, among other things, identifying the energy source. The
point to be made is that an incident or an accident is an abnormal or unexpected release of
energy, and injury or damage could occur.
Some of the energy forms that could produce injury and damage are kinetic, chemical and
biological, thermal, electrical, and ionising and non-ionising radiation. Also included would be
energies which produce injury and damage by interfering with normal energy exchange, which
can be stated as environmental conditions.
All accidental injuries result from either the application of specific forms of energy in amounts
exceeding the resistance of structures upon which they impinge, or when there is interference
in the normal exchange or energy between the organism and the environment.
While the specific types of energy which lead to injuries are quite limited in number, the forms
in which they abound and the variety of the carriers of energy are innumerable.
Whenever there is a possibility that persons may come in contact with energy flows that
interfere with normal energy exchange, it is necessary to isolate the points of hazard by safely
enclosing them or providing other barriers to preclude workers from the proximity of the
hazard.
Figure 2 illustrates two basic types of energy flow; wanted energy flow (controlled) and
unwanted energy flow (uncontrolled). From a safety point of view, it is this unwanted energy
flow that needs to be identified in the process of analysing an incident or an accident.

August 1995

Barrier Analysis 5

SCIE-DOE-01-TRAC-29-95

E nergy
R equired to do work

Wanted energy flow

Unwanted energy flow

Work accomplished

Mis hap

Figure 2. Energy Flow.

6 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

IV

Potentially Harmful Energy Flow or Environmental Conditions

Figure 3 is a part of the MORT chart that depicts the potentially harmful energy flow or
environmental condition, SB1. During an accident investigation the question asked is, what
was the energy flow or environmental condition that resulted in the accident? [SB1 denotes an
energy flow or environmental condition which could result in harm if barriers and controls are
inadequate and a vulnerable person or object is exposed.] Attached to the box is SC4" in a
transfer triangle. This indicates a need to evaluate possible related events, energy flows and
environmental conditions that lead to the mishap that is being considered. It reminds one to
look at that area not only from the primary transfer of energy that did the damage, but also to
look at any preceding energy transfer.

Potentially Harmful
Energy F low or
Environmental
Condition
S B1

S C4

17

Nonfunctional

F unctional
a2

a1

17

17
S B2
Barriers
LT A

Control
LT A
b1

Admin
Control
LT A

Control
Impractical

17

R4

b2

17

b3

Divert
LT A

17

b4

18

Control
LT A
c1

Control
Impractical

18

R5

c2

18

Figure 3. Harmful energy flow or environmental condition.

The first investigation task for an accident or incident is to determine if the harmful energy
flow or environmental conditional is functional or nonfunctional in terms of the system under
consideration. In other words, is it an operational part of the system, or is it something that
August 1995

Barrier Analysis 7

SCIE-DOE-01-TRAC-29-95

lies outside the system? A thunderstorm, for example, is a potential harmful energy flow, and
is something that lies outside th system, on the other hand, a pressure vessel explosion where
the pressure vessel is part of the operation would be functional. Separate it according to
whether it is part of the system (a2) or something that is not part of the system (a1).
a1. Nonfunctional:
Consider the lower tier elements below this only if the harmful energy flow or environmental
condition was not a part of the system.
b1.
Was there adequate control of nonfunctional energy flow and environmental
conditions or was control less than adequate on the external source?
b2.
Was such control practicable or was it a situation where control was impracticable? If
control was impracticable, the external energy flow or environmental condition
causing the damage should have been defined in the safety analysis work and should
have been reduced to a risk that management has evaluated and accepted. [Note that
the event is flagged with the R4 assumed risk symbol. Remember that proper
management level must assume and accept responsibility for this decision.] The
diamond on the control impractical box means that normally it is not necessary to
analyse beyond this point. In specific cases this diamond box could be changed to a
rectangle and an analysis completed for this area of concern.
a2. Functional:
Consider the lower tier elements below this only if the harmful energy flow or environmental
condition was a functional part of a product of the system. The constraint on a2 is a reminder
that the functional areas are considered in the situation where the barriers might be less than
adequate. Normally, functional people and things are protected by the barriers, and are of
interest only under conditions when the barriers fail. Given a failure of the barrier system:
b3.
Were the administrative controls adequate to prevent the harmful energy flows or
environmental conditions from reaching vulnerable persons or objects? The
administrative controls that were designed to protect the functional people and
functional objects should be evaluated.
b4.
Review those processes which were in place to divert the harmful energy flow or the
harmful environmental conditions from the people or objects in case the barrier failed.
This is analysed in terms of controls that were less than adequate (c1) or controls that
were impractical (c2).

8 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

c1.
Was there adequate diversion of harmful energy flows or environmental conditions?
This is an analysis of the administrative controls on the energy source.
c2.
Was diversion impractical? This is an analysis of the way harmful energy flows are
diverted in the event that the barriers do fail. It might be impractical to try to divert,
once the barrier have failed. Management should be certain this has been evaluated
and there is no practical way of redirecting the energy once the accident starts. This is
a risk that must be accepted by the management. This should come out of the safety
analysis work. It may be an accepted risk at the top of the diagram, beause any barrier
system has some probability of failure. It may be small, but it does exist. [Note that
this event is flagged with the R5 assumed risk symbol. Remember that an appropriate
management level should assume and accept risk responsibility for this decision.]

August 1995

Barrier Analysis 9

SCIE-DOE-01-TRAC-29-95

Barriers and Controls

Identifying all unwanted energy flows or potential unwanted energy flows (hazard) is essential
to providing a safe work environment for people or objects. These unwanted energy flows,
besides being harmful, can also be very wasteful and costly to an operation.
Once the hazards have been identified, the preferred method of dealing with unwanted energy
flows is to eliminate as many of the hazards in the working environment as practical.
Realistically, though, it is impossible to eliminate all hazards associated with an operation.
The reasons being that it would be too costly in some instances and in other cases it would not
be practical. Because of these two considerations adequate control measures must be
imposed over these unwanted energy flows (hazards).
Figure 4 Barrier Classifications lists some of the control and safety barriers that may be
found in place in an operational system. These barriers and controls as illustrated are divided
into two categories. One, the control of unwanted energy flows is a general class of barrier
that relates directly or indirectly to the protection of people or objects from the unwanted
energy flow and are the safety barriers. The other, control barriers, is the control of wanted
energy flows. Consideration should also be given to the fact that some barriers can be both a
control barrier and a safety barrier.

Barriers

S afety

Control
Control of wanted
energy flows

Control of unwanted
energy flows
E xamples

E xamples
Conductors
Approved work methods
Job training
Dis connect switch
Press ure ves s el

Protective equipment
Guardrails
S afety training
Work permit
E mergency plan

Figure 4. Barrier Classifications

In reference to the tiger analogy, the factors illustrated in Figure 4 may be related to the
protection of the people and objects from being harmed by the tigers (energy). Consideration
should be given to the things that are designed to keep the people and objects away from the
tiger. That is, establishment of control barriers and safety barriers, both on the tiger (energy
10 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

flows or environmental conditions) and those associated with people and objects. These
barriers may be either something physical that is used or they may be such things as
procedures, training, or even supervised work.
Figure 5 indicates the different types of barriers, the location of the barriers in relationship to
the energy flow and the person or object, and the function of the barrier. Keep in mind again,
that these barriers could be physical or non-physical in nature.

Barriers

Type
E quipment des ign
Phys ical barriers
Warning devices
Procedures /work proces s es
Knowledge and s kill
S upervis ion

Location

F unction

On energy s ource
Between energy s ource
and worker
On worker
S eparation through
time and s pace

Prevention
Control
Minimization

Figure 5. Barriers
Historically, safety professionals have always given preference to design solutions over other
methods of controlling the hazard. The major effort throughout the design phases must be to
ensure inherent safety through the selection of appropriate designed barriers, such as fail-safe
devices, redundancy and increased ultimate safety devices. If there is a concern as to where
equipment operators will place their hands and feet as they work, design the equipment so it
does not matter where they put their hands and feet because the built-in design features will
prevent these targets from reaching an unwanted energy flow. In other words, equipment
design should eliminate as many tigers as possible (e.g., flammable materials and high
energy sources).
Known hazards which cannot be eliminated through design selection should then be reduced
to the acceptable level through the use of appropriate safety devices (physical barriers). This
is the next best method of dealing with the hazard.
The next preferred method of dealing with the hazard would be warning devices. Where it is
not possible to preclude the existence or occurrence of a known hazard, devices should be
employed for the timely detection of the condition and the generation of an adequate warning
signal.

August 1995

Barrier Analysis 11

SCIE-DOE-01-TRAC-29-95

The next barrier option could be special procedures. If the possible effects of an existing or
potential hazard cannot be reduced through design or the use of safety and warning devices,
special procedures must be developed to enable the equipment operator to perform their
function.
These are paper barriers: rules which govern people actions. For example, large signs could
be erected that warn people from the village, not to walk or climb trees in the tigers patch of
the jungle.
Consideration should always be given to the fact that it really does not matter how the tigers
(energy source or environmental condition) are separated from the people and objects. In
other words, the location of the barrier. There are control systems that involve putting
barriers on the hazard; that is, a guard on a grinding wheel, a cover over an open pit, etc.
Another class of physical barrier would involve protecting the persons or objects with such
things as a hard hat in construction areas, safety glasses in certain areas, etc. Other barriers
are placed between the energy and the hazard such as a guard rail around a hazardous area or
a fence around a swimming pool. The term barrier has the connotation of physical
intervention; however, the barrier may be a paper barrier. Separation by time or space in
particular may be accomplished by written procedure or some other type of administrative
control
In our example, tigers can be separated from potential targets by physical barriers: putting a
muzzle on the tiger, placing a fence between the tiger and the people, or having a tiger-proof
suit that the people can wear to keep them from being harmed. Tigers can also be separated
from potential targets by procedural (non-physical) barriers: a sign that states, when the
tigers are out, people must stay away from the jungle. A physical barrier, in almost all cases,
would be far more effective than a procedural barrier.
The function of a barrier could be prevention, control, or minimization. Work processes
could be established to remove the hazard to substitute a safer form. That is, there could be a
tiger drive and remove all the tigers. This would then eliminate SB1" (Figure 3) from the
MORT chart; the energy or environmental condition that could cause the harm. Additionally,
people or objects could be made invulnerable to the hazard. For example, if people were
working in a bacteriological laboratory with typhoid, they could render all laboratory workers
invulnerable to the disease by giving them typhoid immunisation. This would remove the
vulnerable people or objects from the system.
A combination of barriers and controls may be used to accomplish our purposes. The
important thing is that consideration be given to all the barriers and controls. Remember that
it does not matter whether a cage is considered to be a barrier on the tiger (energy source) or
a barrier between the energy source and the object. What is important is to think about all the
possibilities.

12 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

L imitations
of barriers

B arriers
fail

B arriers not
practical

Not
poss ible

Not
economic

B arriers are
not used

P ar tial

Not
provided

T otal

Worker
error

Figure 6. Limitations of Barriers

The analysis that is done, and the results arrived at, are exactly the same whether it is decided
that the tiger cage is a barrier on the tiger or whether it is called a barrier between the tiger
and the person or object.
Figure 6 Limitations of Barriers is a reminder to the analyst that, regardless of where the
barrier is placed in the work environment, there are certain limitations. Consideration should
be given to the fact that high energy operations that require a high degree of barrier reliability
must think in terms of multiple barriers.
One limitation is when barriers are not practical. If it were found that barriers were impossible
to be placed in such a way as to protect the persons and objects due to the nature of the
energy source, cost of the barrier, etc., then this should be a subject in a safety analysis. This
information should be presented to the appropriate level of management for their evaluation
and possibly to assume the risk.
Another limitation is when barriers fail. Barriers could be in place and built as designed,
correctly, but still fail; that is, the latch broke on the gate of the tiger cage. Accident analyses
indicate that energy levels sometimes build up gradually, perhaps as a production increase is
planned. At the same time, physical barriers erode and procedural barriers may deteriorate
through weak change control. No barrier is 100% effective. Barriers, although present and in
place, can still fail. This failure can be partial or total.
The final limitation occurs when barriers are not used. Even though the cage may have had
provisions for locking the gate, the locks were not provided because the company did not
have sufficient money to pay for the locks. If this were the case, it should be brought to the
August 1995

Barrier Analysis 13

SCIE-DOE-01-TRAC-29-95

attention of management for their evaluation and acceptance. On the other hand, if the locks
were provided but the individual that tended the tigers failed to lock the cage, this would be
called a task performance error, or worker error.
Rarely is it acceptable to have only one barrier. The number of barriers required for each
energy flow in any given work environment is dependent upon: (1) the reliability of the barrier
used, and (2) the degree of safety required.
Analysing the Barrier
In doing analysis of barriers and controls, (SB2) the following points should be addressed.
C

Were adequate barrier and controls in place to prevent vulnerable persons and objects
from being exposed to harmful energy flows and/or environmental conditions? Note
that both control and safety barriers should be considered but rigorous and proper
classification is not necessary to the analytical process, provided that all barriers are
considered.

Were the barriers and controls designed to prevent harmful energy flows or
environmental conditions from reaching vulnerable people and objects?

Were the barriers and controls designed to prevent vulnerable people and objects from
encountering harmful energy flows and environmental conditions?

The constraint placed on SB2 (Figure 7, Barriers and Controls) is intended to prevent
oversight. It is designed primarily to draw attention to barriers and controls that are related to
harmful energy flows or environmental conditions and those controls designed to control the
movement of the target, persons, or objects. Were there adequate barriers? What were the
specific barriers?
The breakdown which follows (a1, a2, a3, a4) is intended as a device to prevent oversight.
All barrier types should be considered. Rigorous and proper classification in terms of a1, a2,
a3, and a4 is not necessary to the analytical process provided that all barriers are considered.
a1.

Were there barriers on the energy source? [Note other lower tier events included by
transfer from a3.]

a2.

Were there barriers between the energy source and the injured person/damaged
equipment? [Note other lower tier events included by transfer from a3.]

a3.

Were there barriers on persons and/or objects? [Note all lower tier development under
this event also transfer to a1, a2, and a4.]
b1.
None possible [Note use of the Diamond event symbol, indicating termination of fault

14 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

sequence because of the lack of solution. Note also the event is flagged with the R2
assumed risk symbol. Appropriate management must assume and accept risk for
design in which no barriers were possible.]
b2.
Barrier Failed: Did the barrier function as intended?
b3.
D/N (did not) Use: Were barriers used?
c1.
D/N (did not) Provide: Were barriers provided where possible? [Note the event is
flagged with the R3 assumed and accept risk symbol. An appropriate level of
management must assume risk for failure to provide barriers, e.g., failure to provide
safety glasses.]
c2.
Task Performance Errors: Were the provided barriers used property? (e.g., Were
available safety glasses improperly used?) [Note that all the lower tier development
under event SD5-b3 transfer to this event also.]
a4.

Were there barriers of time or space which separated the energy and the person or
object? [Remember that separation by time or space in particular may be accomplished
by written procedure or some other type of administrative control.]

August 1995

Barrier Analysis 15

SCIE-DOE-01-TRAC-29-95

c26
MB3

On E nergy F lows
& E nvironmental
Conditions People
& Objects

Barriers and
Controls
LTA
(Incident)

S C3

S B2

18

Barriers LTA

S C2

On E nergy
S ource
a1

20

On Pers ons
or Objects

Between

a2

a3

19

a3

20

S eparate
T ime S pace
a4

20

a3

None
Pos s ible

R2

21
a3

b1

Barrier
Failed

20

b2

D/N Us e

b3

20

Tas k
Performance
E rrors

D/N Provided

R3

c1

20

20
c2

b3
S D5

21

Figure 7. Barriers and controls

16 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

VI

Vulnerable People or Objects

Figure 8 is the part of the MORT chart that depicts the vulnerable people or objects, SB3.
Vulnerable people or objects are also referred to as targets. The target is the thing of value
that has been hurt or could be hurt by the interaction of the harmful energy flow or a harmful
environment. Vulnerable people or objects can be hurt when energy is transferred to them.
The harmful energy or harmful environment could be any of the many things that interact
directly with people or objects to do them harm. Barriers which are designed to prevent these
transfers or prevent people and things from interacting with a harmful environment should be
considered.

Vulnerable
People or Object
S B3

Value

18

Nonfunctional

F unctional
a2

a1

19

18
S B2
Barriers
LT A

Control
LT A
b1

Admin
Control
LT A

Control
Impractical

18

R4

b2

19

b3

Divert
LT A

19

b4

19

Control
LT A
c1

Control
Impractical

19

R5

c2

19

Figure 8. Vulnerable people or object

During an accident investigation the question asked is, what vulnerable people and/or objects
of value were exposed to the harmful energy flow or environmental condition? [SB3 denotes
the vulnerable people or objects (target) which could sustain damage if barriers and controls
are inadequate and harmful energy flows or environments are present.] The constraint value
applies here, because an accident is defined in terms of loss of something of value.

August 1995

Barrier Analysis 17

SCIE-DOE-01-TRAC-29-95

People or objects that have been hurt or might be hurt are either functional or nonfunctional.
That is, functional people or objects are people or objects that are part of the operational
system. Nonfunctional people or objects are the persons or objects that are not part of the
operation. The same breakdown is considered on these vulnerable people or objects as that
considered on the energy sources.
a1. Nonfunctional: Consider the lower tier elements below only if the person or object was
not part of the operational system. Is control over the innocent bystanders less than adequate
or was control impracticable?
b1.
Was there adequate control of nonfunctional persons and objects?
b2.
Was such control practicable? If it is impracticable to control the innocent bystanders,
then that must be identified in the safety analysis work and carried by the operation as
an assumed risk. [Note that the event is flagged with the R4 assumed risk symbol.
Remember that the proper management level must assume risk responsibility for this
decision.]
a2.

Functional: Consider the lower tier elements below this only if the person or object
was performing a functional role in operation of the system. An analysis here is only
warranted in the situations where the in-place barriers have failed and the energies
(tigers) are free. In this situation, a look at the administrative controls designed to
protect the target and the evasive action that could be taken should be evaluated.
Given a failure of the barrier system:

Note: The constraint Barriers LTA applies here. An accident can only occur if the barriers
were LTA.
b3.
Were the administrative controls adequate to prevent persons or objects from being
exposed to the harmful energy flow or environmental condition?
b4.
Evasive Action LTA: Were they inadequate or was control impractical?
c1.
Was there adequate evasive action for vulnerable persons or objects?
c2.
Was evasion impractical? If evasion was impractical, this is carried as an assumed
risk. [Note that this event is flagged with the R5 assumed risk symbol. Remember
that an appropriate management level should assume risk responsibility for this
decision.]
18 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

VII

Energy Precursors

Normally, accidents are not simple but are very complex. A surprising number of serious
accidents show a number of successive energy flows. To completely analyse an accident or
potential accident, a need exists to identify and evaluate the precursor events that lead into the
mishap.

E vents and
E nergy F lows
Leading to
Accident
S B4

Barriers and
Controls
LTA
S C3

21
S B2

19

R elevent
to
Accident

E vents and
E nergy F low
S C4

21
S B1

Figure 9. Events and energy flows leading to mishap

Figure 9 is the part of the MORT chart that depicts the events and energy flows leading to the
accident, SB4. Some accidents are caused by a single mechanism in the form of one unsafe
condition or one unsafe act. For example, oil spilled on a floor is a single condition that can
cause a fall that transforms the potential energy of an upright person into a broken hip.
Unfortunately, many actual and potential accidents involve sequences or combinations of
unsafe conditions and unsafe acts that result in complex energy transformation mechanisms.
SB4.

What were the events and energy flows leading to conversion of hazards to actual
accident-incidents? (Analyse as appropriate to the accident events.) Note: Energybarrier analysis and events and causal factor analysis should be used as appropriate to
the situation.
SC3.
Were the barriers and controls on energy transfers, and other events leading to
conversion of a hazard to an actual accident, less than adequate?
SC4.
What were the precursor events and energy flows which resulted in conversion of a
hazard to an actual accident?

August 1995

Barrier Analysis 19

SCIE-DOE-01-TRAC-29-95

Example of Precursors
Consider an accident victim standing by a street intersection. Some events could lead up to
the individual being hurt. Figure 10 illustrates precursors of multiple energy flows from a
pictorial point of view. To illustrate this energy barrier concept, the following example is
given. There is a small sports car coming down the street. The petrol truck is coming
through the traffic light on green. The sports car driver sees the red traffic light and ignores
the warning. That was the barrier that was designed to prevent the sports car from hitting the
petrol truck.
There is a barrier failure. The sports car hits the petrol truck. There is a transfer of energy.
The large tank was a barrier for the petrol. When the sports car strikes the petrol truck,
another barrier is broken. Petrol spills out onto the street. Still no harm to the person over on
the curb. The ignition and electrical systems of the vehicles are enclosed in insulation. The
insulation is a barrier. When the petrol truck was struck, another barrier is broken in that the
insulation on the electrical wiring on the truck is broken. There was a transfer of energy, a
spark from the wire (energy), ignites the petrol vapour and the person on the curb is injured
by the fire.
So what must be done now is track through the system, look at the successive energy
transfers or the successive events that have led to the final energy transfer. It is a series of
things that is analysed in our MORT analysis. The problem really started back where the car
ran the stop light. Complete analysis includes the evaluation of all these upstream precursor
events.
Fuel flash
point

Wire
Insulation

Truck
tank

Traffic
light

Accident
victim

Fire

Spark

Ignition

Petrol

Break

Car

Rupture

Car

T hrough

Figure 10. Unwanted energy flow

20 Barrier Analysis

August 1995

SCIE-DOE-01-TRAC-29-95

VIII

References

I. N. W. Knox and R. W. Eicher, MORT Users Manual, ODE 76/45-4, SSDC-4

(Revision 2), May 1983.

August 1995

Barrier Analysis 21