What is Barrier Analysis and Analysis of Defenses?

Author: Rob De La EspriellaBD3, CEO and Founder, BlueDragon IPS

This guide explores the traditional concept of Barrier Analysis, a model used by organizations to understand and prevent problems, particularly in safety incidents. Originally known as Target-Hazard-Barrier analysis or Hazard and Barrier Analysis, the approach focuses on evaluating the effectiveness of Barriers in preventing Hazards from hitting their Targets.   

By implementing barriers to control or mitigate the effects of hazards, organizations aim to ensure the safety of personnel and prevent injuries.

Through examples, illustrations, and explanations of concepts like holes in barriers and the Swiss cheese model, this comprehensive overview will provide insights into the importance and effectiveness of barrier analysis in improving safety measures and preventing incidents within organizations.   

In addition, we will show how the traditional Barrier Analysis has evolved to a much more effective Analysis of Defenses in today’s complex sociotechnical work environments.   

Types of Barriers in Barrier Analysis

Here are the components that make up our “Line of Defenses.”   

  • Administrative Requirements: the applicable regulations, programs, policies and procedures in place to manage the activities being conducted at the place of business. Administrative defenses include industry guidelines, standard operating procedures and training that ensure safe practices are followed.  
  • Physical Barriers: barriers in place to keep us safe from hazards. These barriers physically separate the target from the hazard, providing a tangible form of protection. Examples include Personnel Protective Equipment (PPE), lead shielding, fire doors, engineered safety features walls, fences, and guardrails.  
  • Virtual Barriers: cyber barriers are in place to help us perform work and safeguard us against the loss of valuable information. These include firewalls, software applications and other cybersecurity measures.   

In every organization, there are many administrative requirements and physical and cyber barriers in place to ensure work is performed safely and without incidents.  Knowing that a single barrier or defense may not provide sufficient protection, organizations have implemented multiple layers of barriers and requirements (i.e. defense-in-depth).  

Companies in regulated environments such as Energy, Aerospace and Healthcare have incorporated an extensive line of defenses, with hundreds and even thousands of procedure requirements and physical and cyber defenses that are designed to prevent hazards from reaching their target.  

For an event or programmatic failure to occur, it would take a multiple set of causes (not just one) and a specific set of circumstances to get past all of the barriers and defenses.  This extensive set of physical barriers and administrative requirements make it more challenging to determine how and why they were all defeated when an event takes place. 

That is why in the modern era, we have replaced the traditional “Barrier Analysis” with the more modern “Analysis of Defenses.”  The reason becomes self-explanatory as we explain below.   

From Barrier Analysis to Analysis of Defenses

The Traditional Barrier Analysis Stops Too Soon

After decades of applying the traditional Barrier Analysis approach, the shortcomings of this approach became apparent.  

  • The Barrier Analysis evaluates the effectiveness of the barriers that were in place to protect us from harm, and will identify any barriers that failed or were bypassed.  These failures were considered to have caused or contributed to the event. However, what this analysis identifies are high-level causal factors that we refer to as symptoms.  
  • The more modern Analysis of Defenses also identifies these initial failures or breakdowns in our line of defenses.  However, these symptoms are turned into lines of inquiry questions and taken directly into a cause & effect analysis, to get to the deeper reasons by the line of defenses failed.    
  • The traditional Barrier Analysis table stops the analysis and immediately offers corrective actions to address the failed or weak barriers. However, the corrective actions that result from a traditional Barrier Analysis are merely band-aiding symptoms because the analysis, by designed and implemented, stops too soon.  
  • As discussed above, the more modern Analysis of Defenses follows up on the weak or failed barriers with cause & effect analysis, to identify the deeper-seated causal factors for the failed or weak barriers.  The resulting corrective actions will have a much higher likelihood of preventing recurrence.   

Barrier Analysis Example:  

  • Hazard: a miter saw that is used to cut wood.  
  • Barriers: miter saw blade guards, eye protection, training on power tools, the industrial safety program, the buddy system, management oversight, and the equipment counter checkout process.  
  • Target: the person cutting wood on a miter saw.  
  • Event: the person was injured with a wood splinter while cutting wood with the miter saw.  They were not wearing eye protection and the blade guard was missing. 
  • Failed barriers: all of them.    
  • Traditional corrective actions: safety memo and a stand down briefing to reinforce the use of blade guards, eye protection, training on power tools, the industrial safety program, the buddy system, management oversight, and the equipment counter checkout process.  These corrective actions will merely band-aid these symptoms for this one event.   

Analysis of Defenses Example:  

  • Modern Analysis of Defenses: generates lines of inquiry questions:  
    • Why was the blade guard removed?
    • Why was the person not wearing eye protection ?
    • Why did training on power tools not prevent the event?
    • Why did the industrial safety program not prevent the event?
    • Why did the buddy system not prevent the event?
    • Why did the management oversight program not prevent the event?
    • Why did the equipment counter checkout process not identify the missing blade guard?
  • The lines of inquiry questions would be pursued with a cause and effect analysis, and the deeper-seated causes would be identified. Corrective actions for the deeper-seated causes would prevent this event, and many other similar events in the future.   

From Traditional Barriers to an Expanded View of Hazards 

Hazards are the potential threats that could harm the target. By recognizing and understanding these hazards, you can effectively assess the risks involved and establish appropriate barriers to prevent them from reaching the target. The Department of Energy (DOE) identifies the traditional 15 categories of hazards in their documents related to safety and risk management. These hazard categories are: 

  • Radiation 
  • Nuclear Criticality 
  • Explosive Materials 
  • Combustible Materials 
  • Reactive Materials 
  • Corrosive Materials 
  • Toxic Materials 
  • Chemical Carcinogens 
  • Biological Agents 
  • Oxygen Deficiency 
  • High Pressure 
  • Cryogenic Temperature 
  • Electrical 
  • Kinetic Energy 
  • Potential Energy 

We point out that the traditional representation of hazards in the original approach to Barrier Analysis is not comprehensive enough and would limit the application of a true analysis of the complete line of defenses. In our more modern approach, hazards can also include:  

  • Regulatory Non-Compliance: Failure to adhere to laws, regulations, or industry standards, leading to fines, legal action, or loss of licenses.  
  • Cyber Attacks: Unauthorized access, malware, phishing, and other digital threats to systems and data. 
  • Supply Chain Disruptions: Interruptions to the flow of goods or services due to supplier issues, transportation problems, or geopolitical events. 
  • Pandemics: Widespread outbreaks of infectious diseases that can impact workforce availability, supply chains, and consumer behavior. 
  • Technological Obsolescence: Failure to keep pace with technological advancements, leading to inefficiencies or competitive disadvantages. 
  • Project Failures: Inability to complete projects on time, within budget, or to the required specifications. 
  • Skill Shortages: Difficulty in attracting or retaining employees with the necessary skills or expertise to meet organizational needs.  
  • Insider Threats: Employees, contractors, or partners who misuse their access to cause harm or steal sensitive information. 
  • Environmental Damage: Pollution, contamination, or other harm to the environment caused by an organization’s activities. 
  • Financial Fraud: Embezzlement, money laundering, insider trading, and other illegal financial activities. 
  • Intellectual Property Theft: Unauthorized use or theft of patents, trademarks, copyrights, or trade secrets.  

From Barrier Analysis to Proactive & Reactive Analysis of Defenses  

The most prevalent use of an Analysis of Defenses is after an event, incident, accident or program failure takes place.  In this application, we can identify the failure points, the at-risk behaviors and error-likely situations, deviations, non-conformances and non-compliance, and establish the applicable line of defenses in place to prevent such problems.

We then compare the negative performance against the family of requirements and other defenses, identify gaps in performance, and generate questions so we can conduct a cause & effect analysis.  

The Analysis of Defenses may also be used proactively.  In fact, it is much more cost-effective to use this approach to systematically assess the current effectiveness of the line of defenses for various programs and organizations.

For example, one of the most prevalent threads today is a cybersecurity attack on our installations important to national security, such as military bases, the nuclear weapons complex and the U.S, National Laboratories. A proactive Analysis of Defenses can be conducted on the line of defenses in place to prevent cyber-attacks from succeeding.   

Analysis of Defenses can also significantly enhance risk management practices within an organization. One of the best uses of this method is to conduct an enterprise level program review or risk management assessment.

Organizations can proactively mitigate risks, prevent incidents and ensure the safety of personnel by evaluating current performance in high-risk areas against the line of defenses in those areas.  The results will highlight weaknesses in the line of defenses, and corrective actions can be taken to strengthen the defenses before a serious incident or program failure.

Organizations should continuously evaluate the effectiveness of their line of defenses and adapt their proactive self-assessment strategies to address evolving risks. 

Steps for Conducting an Analysis of Defenses (Barrier Analysis)

 The “Analysis of Defenses” involves examining the applicable physical barriers, safeguards, and administrative controls in place to prevent or mitigate potential hazards or risks. The process can be summarized as follows: 

  1. Identify the potential hazards or risks associated with the system, process, program or activity being analyzed. 
  2. Create a comprehensive list of all the defenses currently in place to address these hazards or risks. These defenses may include physical barriers, safety devices, regulations, industry standards, administrative procedures, training, and other administrative controls. 
  3. Evaluate the effectiveness of each defense by considering performance factors such as design, implementation, maintenance, and human interactions. In summary, this evaluation involves reviewing performance evidence against the line of defenses, and generating lines of inquiry questions in each instance that noncompliance, deviations and other non-conformances are identified.  
  4. The lines of inquiry questions are used to conduct a cause & effect analysis, to identify weaknesses, vulnerabilities or failures in the existing line of defenses that could allow hazards or risks to cause harm or losses. 
  5. The cause & effect analysis will uncover why those line of defenses failed to prevent the event, incident, accident or program breakdown.  
  6. Once we uncover the deepest-seated causes of the breakdowns in our line of defenses, we can develop recommendations for strengthening or improving those defenses, such as upgrading equipment, revising procedures, enhancing training, or implementing additional safeguards. 

Risk management requires a nuanced approach that considers the limitations and potential misapplications of barrier analysis. Organizations must continuously evaluate the effectiveness of their barriers and adapt their strategies to address evolving risks. 

Common Pitfalls to Avoid When Conducting an Analysis of Defenses

Here are some potential pitfalls to avoid when conducting an “Analysis of Defenses.” 

  1. Overreliance on Existing Defenses: Assuming current defenses are adequate without evaluating their effectiveness or considering potential improvements.  
  2. Insufficient Root Cause Analysis: Identifying gaps or weaknesses in defenses without digging deeper to understand the underlying root causes that contribute to those vulnerabilities.  
  3. Incomplete Hazard Identification: Failing to identify all relevant hazards or risks can lead to an incomplete analysis and inadequate defenses. 
  4. Bias and Subjectivity: Allowing personal biases, assumptions, or subjective opinions to influence the evaluation of defenses, rather than relying on objective evidence and data. 
  5. Insufficient Stakeholder Involvement: Not engaging all relevant stakeholders, such as front-line employees, subject matter experts, or external partners, can result in missing defenses, critical insights and perspectives. 
  6. Overlooking Human Factors: Focusing solely on technical defenses while neglecting the role of human behavior, culture, and decision-making in the effectiveness of those defenses. 
  7. Lack of Prioritization: Treating all identified gaps or weaknesses as equally important, rather than prioritizing them based on their potential impact and likelihood of occurrence. 
  8. Narrow Focus: Concentrating on individual defenses in isolation, rather than considering how they interact and support each other as part of a larger system. 
  9. Lack of Follow-Up: Failing to establish clear action plans, assign responsibilities, and monitor progress in addressing identified gaps or implementing recommendations. 
  10. Neglecting External Factors: Focusing solely on internal defenses while overlooking external factors, such as changes in regulations, industry standards, or the competitive landscape, that may impact the effectiveness of those defenses. 

By being aware of these potential pitfalls and taking steps to avoid them, organizations can enhance the effectiveness and value of their “Analysis of Defenses.” 

Summary 

This blog explains the evolution from the traditional Barrier Analysis to the more modern Analysis of Defenses approach. Barrier Analysis, originally known as Target-Hazard-Barrier analysis, focuses on evaluating the effectiveness of barriers in preventing hazards from reaching their targets.

However, the traditional Barrier Analysis has limitations, such as stopping too soon and not identifying the deeper-seated causes of failed or weak barriers.

In contrast, the modern Analysis of Defenses goes beyond identifying symptoms and uses cause and effect analysis to uncover the root causes of breakdowns in the line of defenses. The document also expands the view of hazards beyond the traditional categories, including non-physical threats like regulatory non-compliance, cyber-attacks, and skill shortages. 

The Analysis of Defenses can be used proactively or reactively to assess the effectiveness of an organization’s line of defenses, consisting of administrative requirements, physical barriers, and virtual barriers. 

The document outlines the steps for conducting an Analysis of Defenses and highlights common pitfalls to avoid, such as overreliance on existing defenses and insufficient root cause analysis. 

For additional insights or questions on the modern Analysis of Defenses or the BlueDragon Integrated Problem-solving System, contact us by following this link. 

********************************************

About the Author:

Rob De La EspriellaBD3, CEO and Founder, BlueDragon IPS

Deming Prize winning team member and pioneering Nuclear Quality Assurance expert Rob De La Espriella draws from four decades of experience in the commercial nuclear power sector and the nuclear weapons complex to offer deep insights into Root Cause Analysis and Total Quality Management. Rob is a leading expert in solving complex human-centric problems in our modern work environments, and has re-defined how organizations solve complex problems with the BlueDragon Integrated Problem-solving System (IPS), the first universal problem-solving system that can be applied to all regulated industries.  Rob is a former nuclear submarine officer, a decorated Resident Inspector with the US Nuclear Regulatory Commission, and a senior manager at commercial nuclear power plants. He was also on the Florida Power & Light team that won the Deming Prize from Japan.  Since 2007, he has been a Senior Policy Advisor for the Department of Energy and their contractors, helping solve some of their most complex issues.  Rob is a adjunct professor at Endicott College in Beverly, MA, and in 2023, he was accepted into the Forbes Business Council and is a Forbes contributor.    

© 2024 DLE Technical Services, LLC. All rights reserved.

Don’t Stop Here

More To Explore

BlueDragon horizontal logo on a transparent background

Attention Retired Executives!

Are you a retired executive from a regulated industry looking to stay engaged through consulting work? We are seeking highly motivated partners to leverage their expertise and earn 10% commissions on new contract sales.

If you have executive experience in our target industries and a strong professional reputation to utilize, this is the perfect opportunity to supplement your income through flexible contracting work without needing to rebuild your client base from scratch. We provide the sales and marketing support, you provide the expertise – it’s a winning partnership!

Click here to set up a 30-minute meeting with us.

Open chat
Hello 👋
Can we help you?