1. Introduction
Professor J. Reason is famous for his theory of Swiss cheese model. In the late 1990s, he was taken around the air traffic control tower by Vancouver Harbor where he was introduced to a young ATCO. When he heard his name he said, “ah yes, you’re the Swiss cheese man”. There is no doubt that the Swiss cheese model spread very widely very fast [1] . The famous model has been taught in classes and applied in practice worldwide, it really plays a very important role in our daily safety management, but in the meantime, its negative effect has also appeared. For example, the concept that no barrier without defects (loopholes) just like Swiss cheese makes people less concern about the quality of barriers (measures), which indeed affects safety risk management [2] , and the talk such as “the master (J. Reason) taught us no barrier (measure) is perfect” is always heard as long as such kind of topic is touched. Moreover, the model does not give a clear definition of the barrier [1] , which make much trouble in nowadays when the concept of barrier is widely used [3] [4] [5] especially in the case of its number being required [6] . Besides, the Swiss cheese model mainly aims at unsafe human acts [7] , and explain the causes of accident in a metaphorical way [8] [9] [10] , and the word of hazard in the model has too broad extension [11] [12] , etc.
In addition, although the Energy Theory has grasped the core of the cause of accidents: the energy, it does not give a scientific and reasonable explanation for the reason why the energy releases accidentally, which prevent it from playing more important roles in risk management practice [13] .
Based on the above problems, the paper tries to analyze them one by one in the next section, and then to find out the solutions based on the analysis. Section three builds a new barrier model by combining the theory of Swiss cheese model and the Energy Theory after modifying them on the basis of the above analysis, and gives an academic explanation and an example to support the new model. In Section four, the function of the new model is introduced both for accident cause analysis and for accident prevention. In the last section, some conclusions of this paper are summarized.
2. Problems Analysis
2.1. The Problem with Energy Theory
The Energy Theory was introduced by Gibson [14] and was popularized by Haddon [15] with ten accident prevention strategies. There are three elements in the Energy Theory, i.e., energy source, barrier and vulnerable target. The energy source is the source of harm or losses, the vulnerable target is what we want to protect from harm or losses, and the barrier is our means to avoid losses by “separating” or protecting the vulnerable target from the energy source (see Figure 1). Based on the Energy Theory, energy is the source of harm or losses and an accident may thus happen if the vulnerable target is invaded by energy source under the condition that energy source is out of control.
As mentioned above, the Energy Theory has grasped the core of the cause of accidents: the energy, and the thought that it is the loss of unexpected energy that leads to accidents has withstood the examination of practice, but both Gibson and Haddon have not given a scientific and reasonable explanation about the reason why energy release accidentally. Moreover, in the schematic diagram
![]()
Figure 1. The energy model (based on Haddon, 1980).
of the Energy Theory (see Figure 1), only one piece of barrier is set between Energy source and Victim, which is inconsistent with most facts. On the contrary, through adding more barriers between energy source and victim, Swiss cheese model successfully explains the reason why energy releases accidentally. According to the theory of Swiss cheese model, there are many barriers generally set to protect the vulnerable target, but every barrier has loopholes just like the Swiss cheese chips, and the size and location of loopholes on each layer of the cheese change with time. Based on these hypotheses, when all the loopholes in the barriers get to line up to form a passageway, the restrained energy will be released through all barriers accidentally just like that of light, resulting in accidents [2] [8] .
2.2. The Problems with Swiss Cheese Model
Although the theory of Swiss cheese model gives a reasonable explanation for the release of unexpected energy, there are also some problems in it. The section will analyze the problems with Swiss cheese model.
2.2.1. Hazard Problem in Swiss Cheese Model
In the Swiss cheese model, the barriers like the “Swiss cheese” is to prevent the hazard (hazardous source) from passing through, but according to the definition of hazard: the source, situation or act with potential for harm in terms of human injury or ill health, or a combination of these [11] [12] , i.e., the word of “hazard” consists of the source and the situation or act and a combination of these with potential for harm in terms of human injury or ill health. According to the Two Kinds of Hazards Theory proposed by Professor Chen [16] from Northeast University of China, the hazards can be divided into two kinds: the first kind is the source with potential for harm in terms of human injury or ill health, and the second kind is that of the unsafe situation or act or their combination. The hazard in the Swiss cheese model should be the hazardous source composed of energy and harmful substances (short for energy in the following), which needs to be controlled, while the unsafe “situation or act” or their combination are the unsafe factors that lead to the failure or destruction of energy restriction measures (barriers), i.e., the loopholes in the safety barriers. Because the nature of “source” and “act or situation” is totally different, it is the hazardous source that needs to be controlled, instead of the general hazard which is composed of both hazardous source and unsafe “act and/or situation”. The extension of the word “hazard” is too broad. As far as the classification of hazards is concerned, besides the Two Kinds of Hazards Theory proposed by Professor Chen, other scholars also divide hazards into two kinds, one kind which consists of energy and harmful substances is named as inherent hazard, or primary hazard, etc., the other which consists of unsafe “act and/or situation” or their combination is named as secondary hazard, contributory hazard, or function hazard, etc. [4] [17] .
2.2.2. Unclear Definition of Safety Barrier in Swiss Cheese Model
There are three versions of the Swiss Cheese Model built by Professor Reason, namely, Mark I, Mark II and Mark III [1] (see Figure 2). In Mark I, the barrier factors include senior management fallible decision, line management deficiencies, and precursors for unsafe acts and unsafe acts, which affect the performance of barrier, resulting in energy leakage channels—loopholes on the barrier (see the upper Figure of Figure 2). In Mark II, the barrier factors have evolved from four in Mark I to three, namely, organization, workplace and person, among which the organization includes corporate culture, organizational processes and management decisions. At the same time, the number of barriers has increased from one in Mark I to three, resulting in the prototype of the Swiss cheese model (see the middle Figure of Figure 2). In Mark III, the barrier factors are basically the same as Mark II, but the number of barriers has increased from three in Mark II to four, and the “person” at the “sharp end” is replaced by the “unsafe acts” once more. In addition, in this version, the three barrier factors are moved from a side to the bottom of the barriers, where the “hazard” is added to form a typical style of Swiss cheese model, composed of the hazard, the safety barrier and the loss (see the lower Figure of Figure 2). As for what the safety barriers really are, no clear explanation is given in all of the three versions [18] [19] [20] [21] .
It is just because Professor J. Reason does not give a clear definition of the safety barrier in his model that people have a different understanding of the barriers in the Swiss cheese model. At present, the understanding of the Swiss cheese model tends to regard all the factors from system management to individuals that can play role in energy control as the safety barrier, which is not only different from the objective reality but also inconsistent with the Swiss cheese model constructed by Professor J. Reason. The description of barriers of Swiss cheese model in CCPS [22] publications (see Figure 3) is broadly representative.
Nowadays, the concept of barrier has been used wider and wider in safety management [4] . As for the definition of the term safety barrier, many researches, such as CCPS [23] ; Duijm et al. [24] ; Goosens et al. [25] ; Hollnagel [3] ; Johnson [26] ; Keckund et al. [27] ; Neogy et al. [28] ; Rosness [29] ; Sklet et al. [30] ; Svenson [31] et al., have been done before. Among them, Sklet [4] gives a more scientific and rational definition on safety barrier as—physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents. In fact, in view of the broad definition of the safety barrier, it is not inappropriate to regard all the factors that can play roles in energy control as the safety barriers, and there are barriers to prevent energy from being released at all levels of an organization [4] [32] , but the problem is that safety barriers in different levels play different roles in the process of energy control. Wahlstrom and Gunsell [4] distinguish between primary and secondary barriers, and they relate the secondary barriers to manage the primary barriers. Just like Wahlstrom and Gunsell, Schupp [17] also divides barriers as primary and secondary barriers, and he thinks that primary barriers control primary hazards and secondary barriers manage secondary hazards respectively. In a word, the barriers in different levels have different functions, so it is unscientific and unreasonable to mix those from system management to individuals upon one level, therefore, the arrangement of barriers shown in Figure 3 is unacceptable especial under the condition of the accurate quantity of safety barriers being required [6] .
SCM Mark I
SCM Mark II
![]()
SCM Mark III
Figure 2. The Mark Ι-Ш of the swiss cheese model.
![]()
Figure 3. The cheese model in CCPS publishing.
In the case of Swiss cheese model alone, the barrier should be what Professor Reason refers to as the “sharp end” [1] , because the Swiss cheese model is a model about energy control at the first level, i.e., a model to control energy directly. The “sharp end” is just the barrier at the forefront of energy control, which plays a direct role in preventing energy from being released. In addition, it is located at the “sharp end” of the series barrier factors listed by Professor Reason, which is influenced by the subsequent barrier factors just as the arrows hinted in MARK II (see the middle Figure of Figure 2). Just because of the negative effect of the subsequent barrier factors, loopholes will appear in the “sharp end” which is made to lose its ability of energy control. The negative factor is the so-called “resident pathogens” by Professor Reason. Moreover, the subsequent barrier factors may also have a positive influence, which will enhance the barrier of “sharp end” and strengthen its ability to control energy. It should be pointed out that the last plane in Mark I (the upper Figure in Figure 2) marked as “Inadequate defenses” do not actually exist, the actual barrier should be the last but one plane, i.e., the “sharp end” of series barrier factors, and it should be the barrier of “person” instead of “unsafe acts” which is the loophole in the barrier of “person” (Figure 4). Although the things in “sharp end” position are not the same in the three versions of the Swiss cheese model, it is “person” as in Mark II, and they become “unsafe acts” as in Mark I & III, but all of them, in essence, should be “persons”, i.e., the front-line employees who deal with energy or harmful substances directly. They are the direct barriers to prevent energy from being released, while “unsafe acts” are the leakage of the “person” barrier, i.e., the loopholes in the “person” barrier, and it can also be understood as the opposite side of the “person” barrier [33] , which is the immediate cause of an accident.
According to Heinrich’s Accident Causation Theory [34] and many other popular accident causation theories [16] , besides the unsafe acts of person, the unsafe situation of hardware is another immediate cause of accidents, therefore, the safe situation of hardware, as the opposite of the unsafe situation of hardware, should also be taken as the direct barrier which also controls energy directly. In fact, just like personnel barriers, hardware facilities, including safety accessories, are also in direct contact with energy, so they are another kind of direct barriers which can control energy directly. It is understandable that Professor Reason, as a psychologist, focuses on the study of human behavior, rather
![]()
Figure 4. The modification of the Swiss cheese model (Mark I).
than the state of hardware on energy control [7] . In a word, based on the above analysis, the barriers to prevent energy runaway directly should also include the hardware barriers besides the personnel barriers, and the others should be indirect barriers, which are the influencing factors of direct barriers, i.e., barrier factors as mentioned before.
The so-called direct barriers are the barriers directly acting on the control of energy, that is, the barriers defined in the modified Swiss cheese model. On the contrary, the indirect barriers can only play their roles through the direct barriers, or having an impact on the direct barriers. Just because the indirect barriers can only play their roles through the direct barriers, they should be hidden behind the direct barriers and can no longer appear in the model with the direct barriers together. As mentioned above, there are only two types of barriers which directly control energy: hardware barriers and personnel barriers. The hardware barriers include not only safety accessories which only own safety function, but also hardware equipment, facilities, tools, etc., which have both protective and productive function. While the personnel barriers mainly refer to front-line employees (such as pilots), who work in the front line of production and operation, direct contact or through hardware contact with energy, and they also have both protective and productive function. In short, they play a direct role in the control of energy, so they are called direct safety barriers, or direct barriers for short.
Compared with the direct barriers, the indirect barriers are senior management, line management, psychological precursors for acts (Mark I) or organization, workplace (Mark II & III) in Swiss cheese model. In fact, they can be summarized as the organizational management &supervision and (safety) culture of the organization [35] [36] . Although the indirect barriers are very important for the control of energy [1] , they are not directly in contact with energy, but influence through direct barriers [37] . Because the function of the indirect barriers has played through direct barriers, if the two kinds of barriers are put together on the same level just as those in Figure 3, it will cause overlapping and repeated counting, which is neither scientific and reasonable nor practical, let alone benefit for the accident prevention in practice. For example, it is demanded by Shell Co. that high-risk control requires at least three barriers, and they should be only direct barriers, not indirect barriers [6] .
2.2.3. The Analogy Problem in Swiss Cheese Model
As mentioned above, although the Swiss cheese model can reasonably explain the causes of release of unexpected energy, its literary analogy is not suitable for the interpretation of scientific models [1] [10] . Moreover, the concept that any barrier is like Swiss cheese chip with loopholes (defects) has caused the negative impact of ignoring the quality of risk control measures (barriers) [2] . As for the problems of barrier properties of Swiss cheese model, Shappell & Wiegmann [9] questioned “the theory never defines what the holes in the cheese really are”, and Dekker [8] probed into it as following:
· Where the holes are or what they consist of?
· Why the holes are there in the first place?
· Why the holes change over time, both in size and location?
· How the holes get to line up to produce an accident? etc.
The imperfection of safety barrier in practice is an objective reality, which is not difficult to understand. It is unnecessary to assume that it is just like Swiss cheese with loopholes from the beginning to the end. In fact, because everything has its own weaknesses, such as steel is strong but easily corroded, glass is hard but fragile, rubber is flexible but easy to aging, etc., and that fixing by bolts will appear nut loosening, or even falling off, and so on, all things may be fallen into unsafe state because of their own characteristics defects duo to time-going-on or other reasons. Similarly, because people are of high IQ and with subjective initiative, they may break the rules and act unsafely due to their subjective initiative during work. In a word, as barriers, both human and hardware have their own defects which are determined by the essential characteristics of their own. The special defects of personnel and hardware barriers in potential state are called potential hazards [2] . It is an objective existence.
It is just because that the personnel and the hardware barriers have their own special defects, therefore, corresponding preventive measures should be taken against the special defects to ensure the potential hazards always kept in a potential state. For example, through strengthening staff education and training and supervision, we can prevent unsafe acts, do well in anti-corrosion of steel beforehand, and ensure the replacement of rubber products in time before they age…In a word, although the barrier has the possibility of losing its function, i.e., appearing unsafe acts or unsafe situation, there are no unsafe acts or situations in practice owing to the effective prevention work, which makes this trait defects always in a potential state. This state of barrier is shown as a dotted line hole in the barrier model diagram (see the left of Figure 5). On the contrary, if the preventive work is not effective or in place, such as aged rubber products have not been replaced, bolts have loosened, even fallen off, people have violated the rules during their work, etc., which makes the characteristic defects from the potential to the reality, then the barrier will lose its due preventive role, which means energy will pass through the barrier. This state of barrier is shown by solid line holes in the barrier model diagram (see the middle of Figure 5). In a word, if the potential hazard is out of control, it will become the hazardous, and holes will appear in the barrier, which makes it lose its ability of energy control. From the above analysis, it can be seen that the barrier that set at the beginning should by no means have holes in it, otherwise, it will lose its value as a barrier, and whether there will be holes appearing in the barrier or not later on depends on the following-up management or maintenance. It should be pointed out that barrier without holes does not mean that it is perfect without any defect at all but means that it should be sound and effective.
By the way, the hazardous state which is shown as holes in barriers is just the second kind of hazard of Two Kinds of Hazards Theory [16] mentioned above, it is the so-called yinhuan (the hazardous state of the second kind of hazards) in China [2] .
The personnel barrier and the hardware barrier are quite different from each other in nature. The hardware barrier, once losing its function, will keep on its state until appropriate measures are taken, such as repair or replacement (see Figure 5, right), otherwise it will not work anymore. Since the hazardous state will return to its potential state after the defective barrier has been repaired or replaced, the left and right barriers in the Figure are equivalent (see Figure 5). On the contrary, the personnel barrier may work or not from time to time, because the safe acts (compliance) and unsafe acts (non-compliance) inter-change easily compared with that of the hardware barrier.
In a word, whether the barrier can play its role or not depends mainly on the prevention of special defects of its own characteristics, but there may be some other exceptions. Therefore, in order to make the barriers play their roles, great attention should be paid to the special defects of their own characteristics to keep the hazards in their potential state, in the meantime, the other possible cases should also be taken into account according to the specific reality to control all kinds of hazards completely and make the barriers play their roles well.
![]()
Figure 5. Barrier diagram of different conditions in the model.
3. Model Construction and Explanation
Till now, the problems mentioned in Section one have all analyzed, now it is time to construct a new model based on the above analysis, and then make an explanation about it. By the way, some other features of the barrier such as active & passive, the function and system, cannot discuss for the limit of the paper.
3.1. Model Construction
Based on the above analysis, a new accident prevention model is constructed by combining the energy theory with the modified Swiss cheese model on the basis of the Two Kinds of Hazards Theory. The new model is similar to the Swiss cheese model and the Energy Theory in structure, all of them have three elements: energy source, safety barriers, and accidents (losses or harm to vulnerable targets) (Note: Figure 4 is the case where energy is not out of control owing to the defense of the last barrier, so no loss yet). As for the detail of composition, it is a combination of the advantages of both. Firstly, there is more than one barrier in the model, which is like Swiss cheese model but different from the schematic diagram of the Energy Theory. In terms of the types of barriers, on the one hand, there are only direct barriers, and indirect barriers, as the support behind the direct barriers, do not appear in this model, eliminating the confusion of barriers at different levels; on the other hand, the direct barriers have both human barriers and hardware barriers, which make up for the lack of hardware barriers in the Swiss cheese model. Secondly, in terms of the nature of the barriers, unlike Swiss cheese with loopholes from the beginning to the end, the barriers of the new model should by no means have loopholes in the first place although they may have later on due to poor barrier maintenance. Otherwise, they will lose their value as barrier to control energy. Thirdly, the source cause of the accident is defined as energy rather than hazard in the new model, which is just like the Energy Theory and unlike the Swiss cheese model, it not only conforms to the principle of the Energy Theory, but also solves the problem of too broad extension of the word of hazard in the original Swiss cheese model.
3.2. Model Explanation
Unlike the Swiss cheese model, in which both the location and the size of the holes in the barriers are changing from time to time, and when the moving holes in all the multiple barriers get to line up to produce an accident [8] , all of those hypotheses are based on analogy which are taboos for the explanation of scientific models [1] . The barrier in the new model is not meant to be the Swiss cheese with loopholes, but a sketch of a real barrier (see Figure 6), which is just like that in the Energy Theory (Figure 1). But its structure is different from that of the Energy Theory (Figure 1), in which only one piece of barrier separates the energy source from the vulnerable target, there are multiple barriers in place for every piece of energy just like the Swiss cheese model at this point (Figure 3). Just as the above mention, the barrier in the new model is unlike the Swiss
cheese barrier but like that of the Energy Theory, there is no hole in the barriers in the first place, and the holes may appear in the barriers due to their own characteristic feature if the following-up management or maintenance is poor, which will make them may lose their due preventive role. Because there are multiple barriers in place, so long as any one of them can play its role, it can ensure the control of energy (see Figure 6), and only when all barriers lose their roles, will energy be out of control and will accidents thus occur. In this way, the new model has successfully salved the problem of analogy of the Swiss Cheese Model.
3.2.1. As an Accident Prevention Model
Because of the reason that as long as one of the barriers can play its role, the energy will be under control, therefore, as an accident prevention model, the barriers in the model should be all independent from the other, and that anyone of them can play its role or not will not affect others, otherwise, interrelated will affect barrier play a role and ultimately affect the effect of accident prevention. Only when all barriers are broken through one after another, will the energy be out of control and lead to an accident. Therefore, the higher the quality and the more the quantity of the barriers, the less likely all of them will be all broken down and lead to an accident, the model emphasizes both the quantity and the quality of barriers, especially its quality. If the quality of a barrier is so high that there is no hole in it at any time and under any condition, there will be no need for any other barriers. Unfortunately, no such kinds of barriers exist, so more barriers are added to increase the safety factor especially in the case of high-risk prevention. On the contrary, if the quality of barriers is too bad, no matter how many barriers will be not competent.
In addition, according to the above analysis, just for this model alone, whether the barrier plays a role or not has nothing to do with wherever it is, i.e., the order of the barriers in the model is unimportant.
3.2.2. As an Accident-Causes Analysis Model
In the model, the barriers are divided into direct and indirect barriers, and there are only direct barriers to control energy, but whether the direct barriers can play their roles or not depends on the indirect barriers [37] . Therefore, it is necessary to study the direct barriers on the basis of the indirect barriers. Thus, on the one hand, it not only can avoid confusing the direct barriers with the indirect barriers but also can solve the problems of quantity repetition and function overlap among different kinds of barriers; on the other hand, it makes the hierarchy and logic clear between the direct barriers and the indirect barriers. On the basis of the direct barriers, the analysis of the indirect barriers can trace the origin and form a chain of causality, especially favorable for the retrospective analysis of accident causes [2] .
As for the relationship of the two kinds of barriers, some explanation has been made before, and the following will make a further analysis.
Firstly, in terms of personnel barriers, they mainly play roles by complying with procedures and rules to prevent energy from being released. The staffs who act as personnel barriers, are not distinguished by blue-collar or not, but by whether they are engaged in front-line jobs or not, such as factory operation, maintenance personnel, hospital doctors, nurses, pilots and drivers, who are front-line employees and belong to the staff of personnel barriers. Of course, when management (decision-making) personnel engage in front-line staff business, they will also be regarded as front-line staffs just at that moment, such as a hospital president having an operation, who is playing a role as front-line surgeon doctor, rather than in the exercise of hospital president’s management (decision-making) function. In terms of hardware barriers, they play their roles mainly through the completeness & effectiveness of hardware, and the hardware barriers include not only safety accessories such as safety valve which only own protective function, but also hardware equipment, facilities, tools, etc., which have both productive function as either energy carriers (such as airplanes flying) or containers (such as high-pressure storage tanks) for energy or harmful substances or …, and protective function to keep the safety of their productive function. In a word, just like personnel barriers, they are also directly in contact with energy. Some hardware barriers can work alone, while others need to work with personnel barriers, for example, that traffic light plays its role demands pedestrians to come cross road according to its signal.
Secondly, as for the indirect barriers, although they play an extremely important role in risk control, they do not directly deal with energy, but through direct barriers such as front-line employees or field apparatus. For example, in terms of personnel barriers, by organizational management, and selecting the right employees and conducting effective training to enable them to have the ability and will for their post-work, coupled with organizational supervision to ensure their correct performance if necessary, the role of personnel barriers can be effectively played. The same is true as to the hardware barriers, through organizational management; first of all, relevant personnel should be organized to do a good job in hardware design and making or installing. On this basis, the daily inspection and maintenance work is well done during the operation of the hardware so that their functions can be brought into full play.
Of course, if organizational management or supervision is not effective, problems will arise in personnel and/or hardware barriers, such as inappropriate selection and employment of personnel, or inadequate training, which will lead to unsafe acts in the work. This is the unsafe acts of people, manifested as loopholes in personnel barriers. As for the hardware, if there are problems in design, construction or installation, or the work of inspection and maintenance is not in place, etc., the hardware will have problems. This is the unsafe situation of hardware, as shown by the loopholes on the hardware barriers. In addition, if we trace back to the deep-seated problems that lead to inadequate organizational management or supervision, it is not difficult to find out that the poor safety culture must be at work [2] [36] . In fact, the poor safety culture is similar to the “resident pathogens” of the Swiss cheese model; it is shown as loopholes in the safety culture barrier. Under such a surrounding, people look down on safety generally, and the organizational management and supervision on safety will be certainly weakened, which is shown as loopholes in the organizational management and supervision barrier. Due to inadequate management and supervision on safety, coupled with the general lack of attention to safety work, the unsafe acts and situations will be quite common, which are shown as the loopholes in the human and hardware barriers. The possibility of accident-occurring will be much higher due to the fact that most of the direct barriers to control energy have been broken down, and an accident will happen if the rest also fail.
In short, the personnel and hardware barriers are the first level of barriers directly contacting with energy, while organizational management and supervision is the second level of barriers which can only play a role through personnel and hardware barriers. The safety culture of an organization is the third level of barriers, which can play a role through organizational management and supervision at first, and through the second level of barriers pass to personnel and hardware barriers on the one hand, on the other hand, it can also play its role directly through personnel barriers. According to the above analysis, the first level of barriers are direct barriers, both the second level and the third level of barriers belong to the indirect barriers.
As the above analysis, the effect of indirect barriers on direct barriers are twofold, on the one hand, the active factors of indirect barriers can strengthen the direct barriers (human barriers & hardware barriers) to play their roles as shown in the first half of Figure 7, on the other hand, their negative factors called “resident pathogens” can also prevent the indirect barriers from playing their roles, i.e., holes appearing in the direct barriers as shown in the second half of Figure 7.
3.2.3. Example Verification
The petroleum and petrochemical industry is a typical high-risk industry. At present, the concept of safety barrier is widely used. Shell Co. is a company with the longest history in the application of the Bow-tie model (prevention barrier & control barrier) in the world. In Shell Co., it is required that at least three barriers are set to control high risks [6] . Of course, these barriers can only be hardware barriers such as physical protection, safety instrumentation system, or personnel barriers such as personnel compliance and discipline operation, patrol inspection and emergency response. Otherwise, if the indirect barriers are also taken into account, such a provision would be null and void. In order to make it clear, they publish a Figure (see Figure 8) in which only personnel and hardware barriers appear as the barriers to prevent energy directly. Now such a Figure has been widely accepted by many oil companies such as Total Co. [38] and international organizations such as IOGP [37] , etc.
In addition, whether it is famous risk management tools such as LOPA, Bow-Tie, etc. [4] [33] [39] , or various risk control measures (barriers) in daily work that directly control energy are either human barriers or hardware barriers or both [2] .
4. Model Functions
The model is simple in structure and clear in hierarchy. It has unique advantages in accident cause analysis and accident prevention.
![]()
Figure 7. The theory of accident-prevention of the model.
4.1. Function for Accident Cause Analysis
As shown in Figure 4, this model can scientifically analyze the causes of accidents, such as immediate causes, contributory causes and root causes of accidents.
Firstly, accidents may happen if energy is out of control, because they are the source of all kinds of accidents. If an accident happened, it should make it clear that whether the energy or hazardous substance is identified or not, and if so, there will be the problem of the barriers.
Secondly, if it is a problem of prevention barriers, it should be analyzed further that which kinds of problems they are: the problem of personnel barrier loopholes (unsafe acts of people) or the problem of hardware barrier loopholes (unsafe situation of things). By analyzing thoroughly to find out the immediate cause of the accident, the targeted measures can be taken to prevent the recurrence of such accidents.
Thirdly, the reason for the problems of personnel barriers or hardware barriers must trace back to the responsibility of linear organizations which have such kind of problems as poor performance in safety supervision and management, and on this basis, carry out targeted rectification. It is the contributory or managerial cause of accident.
Fourthly, it should be made clear that it is due to fortuitous negligence, weak link of safety supervision and management or bad safety culture. If it is the former case, targeted management should be strengthened. Otherwise, the cultivation of safety culture should be strengthened. The root cause of the problems in the safety supervision and management of linear responsibility organizations lies in the bad safety culture of its organization. Because of the bad safety culture, it cannot really attach importance to the safety supervision and management, and there exists a fluke mentality. Therefore, the ultimate solution is to cultivate good safety culture (see Figure 9).
4.2. Function for Accident Prevention
Firstly, according to the model, energy is the source that leads to all kinds of accidents. Therefore, in order to prevent accidents, first of all, the source leading to accident—energy should be identified, and only on this base can the targeted barriers be worked out to control energy effectively.
Secondly, because any barrier has inherent defects due to its essential characteristics, if the safety barriers are not well done, it will produce unsafe situation or/and acts, thus making them lose their normal preventive and control role. Therefore, in order to make them play the shielding role effectively, the possible loopholes and defects on the barriers should be found out. Only in this way can the inherent defects in the barriers be kept in potential state and can the barrier really play its due role effectively. Therefore, just after the barrier is worked out but before its implementation, the possible defects and loopholes in it should be identified through the evaluation to further improve its quality and make it play
![]()
Figure 9. The analysis of the causation of accidents.
a real role in prevention accident.
In short, based on the model analysis, in order to make the barriers to play their roles well in accident prevention, the barriers should be reviewed after their working out but before their implementation, and the barriers’ quality will be improved on the basis of identification of their defects and loopholes. In this way, it will not only improve the effectiveness of risk control but also eradicate the root out causes of yinhuan (the hazardous state of the second hazards), which is the urgent problem met during accident prevention practice. It is the contribution of the model in accident prevention. In addition, in order to achieve long-term stability in macro-strategy level, a good safety culture of enterprises should be cultivated, which is the fundamental & ultimate measure.
5. Conclusions
The paper put forward and analyses the problems of both the theory of Swiss cheese model and the Energy Theory, and builds a new barrier model by combining the Swiss cheese model and the Energy Theory on the basis of analysis. The model has the following characteristics.
1) The model is simple and practical. It solves not only the problem of metaphor in the theory of Swiss cheese model but also the problem of despising the quality of the barrier caused by the barrier feature. According to the new model, any barrier with defect (loophole) will lose its role in prevention; therefore, it is necessary to ensure the quality of the barrier in order to play its role in accident prevention.
2) The model combines the Energy Theory with the modified Swiss cheese model, the Energy Theory reveals the internal causes of accidents while the modified Swiss cheese model explains external causes of accidents, which make the theory of accident cause more scientific and reasonable. Instead of hazard, the energy is taken as the source of accident, eliminating both the problem caused by using hazard as the source of accident and the problem that the energy theory fails to explain the reason why energy is out of control.
3) In the aspect of accident cause analysis, the model is simple in structure and clear in level. It can scientifically analyze the causes of accidents: immediate causes, contributory causes and root causes. It has unique advantages in accident cause analysis. In the aspect of accident prevention, firstly, at the micro-technical level, based on the model’s requirements for barrier quality, this paper suggests to evaluate the quality of barriers just after they are worked out but before their implementation, which can effectively improve the quality of barriers and root out the source of yinhuan (the hazardous state of the second hazards). Secondly, at the macro-strategic level, this model reveals the importance of the cultivation of a good safety culture for accident prevention.
Besides, the concept of direct barrier and indirect barrier is proposed for the first time in this paper, and the direct barriers are limited to personnel and hardware barriers. It is considered that the barrier in the model should be only composed of direct barriers and indirect barriers as their support behind them. Thus, the problem of overlapping functions and repeating quantities among barriers at different levels can be solved, which is both scientific and reasonable and in line with objective reality. At the same time, by adding the hardware barrier to the model, it makes up for the defect of the Swiss cheese model which lacks the prevention of the unsafe situation of the object.
Acknowledgements
I am very grateful to Professor Fan Yunxiao from China University of Geosciences, Professor Wu Chao from Central South University, Professor Fu Gui from China University of Mining and Technology, Miss Fang Meihua and Mr. Chohing Lee from ERM, Mr. Chen Haibo from Lloyd’s Register for their great support, encouragement and many wise suggestions, I would like to give my great thanks to Dr. Joao FIGUEIREDO who is very busy with his business as Vice President Division HSE Audit & Major Accident Investigations of Total Co. for his kind help with my paper, without their help I might may fail to finish my paper, at least not so satisfactory as it is now.