Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Bow-tie diagrams are emerging as a very useful tool to case study application in making engineering controls
depict and maintain an up-to-date, real-time, working risk operational.
management system embedded in daily operations. They are
a proven concept in the worldwide offshore industry. These REGULATORY REQUIREMENTS VERSUS BEST PRACTICES
diagrams provide a pictorial representation of the risk assess-
ment process. This article introduces the bow-tie concept to U.S. Regulatory Background
the downstream and chemical process industries in the The evolution of the process safety approach for the
United States. The authors believe that bow-tie diagrams can onshore industry within the United States has been driven
be a resourceful method in the safety and risk practitioners primarily by the regulatory agencies. However, it was indus-
toolkit to improve performance of the hazard identification try who produced one of the earliest process safety referen-
and risk assessment process and to demonstrate that major ces; a brochure published in 1985 by AIChE-CCPS; A
hazards are identified and managed to as low as reasonably Challenge to Commitment. The article outlines a compre-
practicable. Because of their graphical nature, the biggest hensive model characterized by 12 distinct and essential ele-
advantage of bow-tie diagrams is the ease to understanding ments to avoid catastrophic events. Other publications,
of risk management by upper management and operations American Petroleum Institute Recommended Practice (API
groups. V C 2013 American Institute of Chemical Engineers Process RP) 750, Management of Process Safety Hazards (1990), fur-
Saf Prog 000: 000000, 2013 ther refined the approach ultimately leading to the U.S.
Keywords: bow-tie diagram; cause-consequence; hazard Occupational Safety and Health Administration (OSHA) pro-
identification; risk assessment; risk management; bow-tie mulgation of the Process Safety Management (PSM) standard
in February 1992 [3].
INTRODUCTION In addition, the U.S. Environmental Protection Agency
The concept of cause-consequence analysis is a combina- (EPA) formulated a Risk Management Plan (RMP) rule [4]
tion of the inductive and deductive reasoning of logic dia- related to preventing accidental releases. The EPAs RMP rule
grams (e.g., event-tree analysis or fault-tree analysis) [1]. The avoided overlap by integrating the process safety elements
method has been used to identify the basic causes and con- stated in OSHAs PSM Standard.
sequences of potential accidents. Likewise, bow-tie diagram- Along similar lines but for offshore operations, the Safety
ming provides a pictorial representation of the risk and Environmental Management System (SEMS) was intro-
assessment process that, during the last decade, has become duced in 1991 by the Minerals Management Service, but this
increasingly popular, especially in the sector of oil and gas was deemed voluntary. Eventually, in late 2010, the Bureau
offshore exploration and production. Because of their unpar- of Ocean Energy Management, Regulation, and Enforcement
alleled advantages demonstrating that major hazards are published Final Rule 30 CFR Part 250 Subpart S that incorpo-
identified and controlled, bow-tie diagrams are widely used rates by reference and makes mandatory API RP 75, 3rd Edi-
in Europe and Australia to support safety reports and health, tion [5,6], today enforced by the Bureau of Safety and
safety, and environment (HSE) cases for drilling and green- Environmental Enforcement.
field major hazard facility onshore projects. Other applica- Irrespective of where the site is located within the U.S. or
tions have been reported for healthcare, nuclear, transport, vicinityonshore or offshorethe approach to risk has pre-
and organizational culture [2]. dominantly been regulatory driven. However, the 2010
This article discusses the evolution of the risk-based Macondo accident manifested evidence that the right path to
approach in the United States and how the bow-tie model follow is a performance-driven approach to risk with opera-
would fit in the risk management process for downstream tors actively demonstrating that facilities have the appropriate
projects and facilities, and it shares a representative bow-tie barriers to place to manage risks to as low as reasonably
practicable (ALARP) [7].
Figure 2. Typical bow-tie diagram. [Color figure can be viewed in the online issue, which is available at
wileyonlinelibrary.com.]
2 Month 2013 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 3. Hazard identification and risk assessment process flow. Source: ERM North America Risk Practice. [Color figure can
be viewed in the online issue, which is available at wileyonlinelibrary.com.]
riskseverity and likelihood. The exercise amounts to risk approach has proven particularly useful for risk communica-
ranking these undesired events. The hazard evaluation team tion. It also allows for extracting critical element systems that
must identify ways to reduce the consequence or reduce the either prevent or mitigate an accidental event. Even though
likelihood of high or medium risks through preventive or mit- bow-tie diagrams are considered a qualitative risk assess-
igation barriers to ensure that the risk level is either accepta- ment tool, applications where quantitative analysis is neces-
ble or ALARP. Although ALARP can be demonstrated for any sary can also benefit by representing within the risk
system regardless of design definition or focus level, complex, management process exactly where the results refine the
and costly decisions often require more accurate information consequence and frequency of undesired outcomes.
about potential consequences and frequency of occurrence.
Bow-tie diagrams effectively include the main elements of BOW-TIE TERMINOLOGY
the risk management process: identify, prevent, mitigate, and Essential definitions while conducting bow-tie analyses
assess (refer to Figure 2). To enhance a risk-based approach, are provided here for the benefit of the reader to understand
any tabular hazard identification can be customized to iden- the terminology used and to relate it to the case studies.
tify preventive and mitigation safeguards (barriers) that can
be exported to a bow-tie diagram. Hazard: Anything inherent to the business that has the
Risk assessment becomes quantitative when accident sce- potential to cause harm to safety, health, the environ-
narios need more precise numerical analysis to estimate the ment, property, plant, products, or reputation.
extent of a potential damage and its yearly frequency of occur- Threat: A direct, sufficient and independent possible
rence. Such quantitative risk assessment often involves the use cause that can release the hazard by producing the top
of existing failure and loss-of-integrity data plus computational event leading to a consequence.
models to simulate accident events. Typical quantitative risk Top Event: The moment in which the hazard is released;
assessments for the oil and gas industry include fire and explo- the first event in a chain of negative events leading to
sion analysis, smoke and toxic gas dispersion analysis, fire and unwanted consequences.
gas mapping, and dynamic events study such as ship collision, Control: Any measure taken that acts against some unde-
helicopter crash, or dropped objects studies (refer to Figure 3). sirable force or intention in order to maintain a desired
As illustrated in Figure 3, a bow-tie diagram may be an state; Proactive Controls prevent an event (left side of
optional way to identify hazards and display the risk man- bow-tie diagram), Reactive Controls minimize conse-
agement process in an illustrative, all-inclusive way; this quence (right side of bow-tie diagram).
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE DOI 10.1002/prs Month 2013 3
Figure 4. Contribution of Bow-tie Diagrams to HIRA and Operational Excellence. Source: ERM America Risk Practice.
Escalation Factor: Condition that leads to increased risk Operational excellence includes producing with no harm
by defeating or reducing the effectiveness of a control. and no leaks, and it is not possible unless the operator man-
Consequence: Accident event resulting from the release ages, as a critical routine, the specific elements or compo-
of a hazard that results directly in loss or damage: per- nents that eliminate or minimize risk (i.e., preventive or
sons, environment, assets, or reputation. mitigation barriers; Refer to Figure 4).
ALARP: Risk of a business where a hazard is intrinsic; Hence the successful documentation of a HIRA, for opera-
however, it has been demonstrated that the cost involved in tional excellence, includes:
reducing the risk further would be grossly disproportionate
to the benefit gained. The ALARP definition is linked with Access to the information: the right level of detail at the
risk tolerability and, thus, is different for every organization. operators fingertips
Risk Matrix: Company- or project-defined grid that com- Understanding the information: pictorial bow-tie repre-
bines consequence (severity) and frequency (likelihood) sentation that can be grasped as a whole or by threats or
to produce a level of risk and defines the risk tolerability consequences
boundaries for attributes of interest (people, environment, Individual accountability for the barriers
assets, reputation). Systems to ensure barrier integrity assurance actions are
adequate, timely, and maintained throughout the life
cycle of the process or facility.
HOW CAN BOW-TIE DIAGRAMS CONTRIBUTE TO HIRA?
After significant investment of time and resources in the
HIRA process, it would be unthinkable to lose access to the Identify Major Hazard Events
results in thick binders that are seldom opened again. The In a process facility, although a plethora of hazards exists,
knowledge and insight gained through the process of identi- not all hazards have the potential of materializing to an acci-
fying hazards and assessing risks needs to be extracted and dent or major hazard event (MHE). Likewise, process hazards
kept operationally current and evolving. have numerous risk control systems, but not all controls are
4 Month 2013 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 5. Hazard identification and risk assessment process flow. Source: Guidelines for the Management of Safety Critical Ele-
ments, London: Energy Institute, March 2007.
considered safety-critical. Bow-tie diagramming helps one to accident [15]. By extracting a list of SCEs, access to the con-
understand the top events in a facility, the threats that can trols and their perceived effectiveness are easier to under-
be involved in a causation sequence, and the final conse- stand, use, and monitor. A non-exhaustive list of SCEs,
quences that the organization will need to face. proposed by the Energy Institute London, is reproduced in
The generic definition of MHE involves hazards with the Figure 5.
potential to result in an uncontrolled event with immediate SCEs can be hardware, software, or human intervention
or imminent exposure leading to serious risk to the health tasks. They can be intrinsic to the design, added as risk
and safety of persons, environmental impact, or property reduction measures, or consist of administrative procedures.
loss [14]. A bow-tie session will generate MHE candidates The bottom line is that the set barriers for each threat need
from the HIRA process that will be validated by key disci- to be legitimate to achieve a risk-reduction target; by block-
pline team members and subject-matter experts. A consensus ing the threats or providing timely control and mitigation
MHE list (10 to 15 items, typically) clearly defines the events once top events materializes. For a barrier to be valid it
capable of catastrophic losses in your facility and constitutes must:
the starting point of a bow-tie study.
Be able to stop a threat
Be effective in minimizing a consequence
Describe Risk Control Systems and Safety-critical Be independent from other barriers in same threat line
Equipment
The next step is to identify the key barriers that either A common finding in accident investigations is the exces-
prevent or mitigate an MHE. These barriers are risk control sive reliance on procedures. Procedural barriers should be
systems, and within them are vital elements known as considered as complementary, and evaluation of escalation
safety-critical elements (SCEs). SCEs are any part of the in- factors due to human error must also be part of the bow-tie
stallation, plant, or computer programs the failure of which study. Therefore, barrier documentation must include an
will either cause or contribute to a major accident or the assessment of the number and quality rating of the barriers
purpose of which is to prevent or limit the effect of a major for the overall risk control effectiveness.
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE DOI 10.1002/prs Month 2013 5
Figure 6. LNG loss of containmentcollapsed view. [Color figure can be viewed in the online issue, which is available at
wileyonlinelibrary.com.]
Elaborate Performance Standards and Procedures Who? is the individual or position accountable for the
Now that risk control systems (SCEs) have been identi- SCE integrity
fied, they will be of no value unless they consistently per- What? are associated interactions with other SCEs
form when needed, as expected. Performance standards for When? is inspection, maintenance, and testing required to
each SCE define and document the attributes (e.g., function- ensure a specific SCE attribute
ality, availability, reliability, survivability, and interactions
with other systems). The following questions must be
answered by an SCE performance standard:
Set Key Performance Indicators
What? function must the SCE perform, before and after a Unless an SCE is inspected, maintained, and tested, it will
major event deteriorate over time. Most of the accident investigations
How? will the SCE produce intended outcome on demand conducted in the industry reveal broken or degraded
6 Month 2013 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 7. LNG loss of containmentexpanded view, threats. [Color figure can be viewed in the online issue, which is avail-
able at wileyonlinelibrary.com.]
barriers, where a complex sequence of unfortunate events instructions are accurately designed, the operational procedures
resulted in a major accident. are better designed and communicated; resulting in an operator
To ensure that SCEs perform as intended, the outcome better equipped to fulfill his duties for safe and clean operations.
must be described along with a lagging indicator to show Bow-tie diagrams have been successfully applied in human
that the outcome has been achieved [16]. Leading indicators organizational change and optimization [18].
must also be set to monitor the effectiveness of the SCE
within the risk control system. Systems to define tier control
levels, tolerance, data collection, and follow-up outcome EXAMPLE OF DOWNSTREAM BOW-TIE DIAGRAMMING
deviations must also be established and kept throughout the A study case developed for a new coal seam LNG facility
facilitys life cycle [17]. Moreover, facility modifications must in Australia is presented here. According to Australian regula-
be assessed and managed to establish their impact on the tions, the LNG plant is classified as major hazard facility
SCEs and to ensure that changes are incorporated into the (MHF) and, within the scope of engineering, procurement,
performance and verification regime. and construction, a Safety Case Report must be submitted to
the MHF regulator [14].
A condensed list of MHEs (including loss of containment,
Assure Competence and Training occupational exposure, and global adverse events) and their
Human factors continue to be recognized as an important associated SCEs were extracted from the formal safety studies
contributor to major hazard events and need to be appropriately (i.e., HAZIDs, HAZOPs, and project Hazard Register) that
addressed. Human intervention is pervasive in the process were completed during front-end engineering and design.
industries. SCEs are invented, designed, constructed, fabricated, During a bow-tie workshop, SCEs such as design, hardware,
installed, maintained, tested, and replaced by people. Bow-tie and procedures were validated and classified.
analysis facilitates the assignment of individual roles for risk con- The list of identified MHEs included:
trol systems and SCE by providing clear performance expecta-
tions and monitoring outcomes through leading and lagging Loss of containment: Most MHEs will be concentrated in
indicators. By incorporating this valuable information, the com- the loss of containment of either hydrocarbons or hazard-
petencies are better delineated, training programs, and ous substances.
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE DOI 10.1002/prs Month 2013 7
Figure 8. LNG loss of containmentexpanded view, consequences. [Color figure can be viewed in the online issue, which is
available at wileyonlinelibrary.com.]
Stored energy: Sudden release of hydrocarbons or hazard- environmental risk. This assisted in identifying critical envi-
ous substances due to mechanical or trapped pressure ronmental compliance elements for the project. In addition,
from stored energy sources. a clear mapping of the undesired environmental events facili-
Dynamic energy: Involves events of traffic (vessel colli- tated a robust understanding for the team of the environ-
sion) or dropped or swung objects. mental hazards. This method is amenable to early phase
Occupational MHE: Confined space entry, high elevation, environmental impact assessment development, design
energy sources (stored energy, energized circuits). phases, project start up and review of changes and new
Adverse weather events: Earthquakes, bush fire, heavy events, and startup operations.
rain, flash foods. See Table 1, which is an example of the application of
bow-tie diagramming to ENVIDs. The example is based on
The bow-tie method allowed the team to assess the current work for an oil and gas facility, where the table fields
appropriateness and robustness of the preventive and mitiga- will eventually be exported to bow-tie diagrams and the
tion controls for each identified MHE. Also, lessons learned results were recently published [19].
from other LNG projects were applied to challenge the bar-
riers proposed in the design. Identified action items aimed at
LESSONS LEARNED
confirming and improving SCEs were incorporated during
the project execution phase. Figures 68 of this article are The ERM Risk Practice has conducted a significant num-
provided as an illustration of the resulting diagrams. ber of bow-tie workshops in a team environment with the
participation of relevant disciplines. The graphical nature of
bow-tie diagrams was a major contributor to the success of
ENVIRONMENTAL APPLICATIONS
the studies.
The bow-tie concept was tested for an environmental This visual approach also enhanced the brainstorming for
hazard identification (ENVID) study that was in progress for the analyses, minimizing the confusion that a tabular analysis
an offshore platform. The ENVID was conducted independ- tends to cause. Four areas have been identified where the
ently of the HAZID. To stay consistent the HAZID approach, bow-tie model is very useful during workshops:
the authors applied the bow-tie technique to the conven-
tional ENVID method. Distinction of the functionality of the controls:
A typical bow-tie originates at the center; beginning with Understanding each barriers contribution to either eliminat-
the hazard identified, and then is extended to either side for ing the causes or mitigating the consequences, provided the
cause and consequence, respectively. Similarly, an environ- team members a better perception of the barrier effective-
mental event was chosen to be the center of the bow-tie. ness and the requirements to retain its integrity over time.
The left-hand side was populated with the causes identified, Correct use of the risk matrix: When ranking consequence
and environmental consequences were populated on the using a risk assessment matrix, especially, when the team
right-hand side. is reluctant to assign valid likelihood and consequence
Conventionally, an ENVID is another brainstorming tech- resulting in high risk, the bow-tie diagram illustrates the
nique that lists existing barriers or safeguards. In this case, importance of using the matrix correctly by assigning real-
using the bow-tie approach, the safeguards identified were istic qualitative values and aim at a recommendation to
classified as being either preventive measures that would yield the most risk reduction.
eliminate the cause or mitigation measures that would allevi- Incident investigation: Building upon any investigation
ate the undesired environmental consequence. The study method, the team can analyze immediate, intermediate,
(brainstorming session) was documented in a tabular spread- and root causes in a holistic approach by comparing the
sheet format using the bow-tie type of sequential approach barriers in place and the ones that were degraded or bro-
for the thought process. For each of the scenarios discussed, ken and their connection to the HSE management system.
the team proposed recommendations, where deemed Accurate inclusion of human factors: Human error must
necessary. not be addressed as another generic threat but as a spe-
An advantage for the team members of using this cific escalating factor or vulnerability that can lead to the
approach was that they were able to correlate the preceding barrier failure; for example, human error triggered by
HAZID results to the ENVID, thereby, understanding the unclear operational instructions or unrealistic emergency
contribution of the various causes and barriers to response procedures.
8 Month 2013 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
contractor equipment
CONCLUSION
exhaust properties in
3. Review supply boat
exhaust parameters
Recommendations
The authors have successfully applied the bow-tie dia-
No recommendation
2. Review helicopter
emissions limits.
grammatic approach to downstream oil and gas facilities,
later stages
practice continues evolving to a risk-based approach, bow-tie
proposed
diagrams have enormous potential to complement process
safety initiatives [20,21]. Some advantages of applying the
bow-tie approach to the risk management process are:
Application and understanding of the risk management
process, from identification to assessment.
Focus on MHEs, differentiating highly hazardous releases
(e.g., loss of containment) from other workplace hazards,
occupational health, or environmental aspects.
Synthesis, extraction of risk control systems, and SCEs to
this example)
(removed for
Risk Ranking
(particulates, SOx,
error.
Fine-tuning competency and training requirements for
environment
pollutants to
surrounding
NOx, CO2)
conditioning
Mitigation
1. Monitoring
Controls/
equipment
1. Air emissions
Environmental
LITERATURE CITED
1. Center for Chemical Process Safety (CCPS), Guidelines
4. Shut down equipment
3. Equipment selection
Detection Barriers
2. Mud conditioning
1. Gas detection
(fugitive emissions)
3. Specific equipment
5. Helicopter exhaust
drilling mud
2. Third-party
equipment
exhaust
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE DOI 10.1002/prs Month 2013 9
8. Center for Chemical Process Safety (CCPS), Guidelines 14. SafeWork Australia Guide for Major Hazard Facilities
for Risk Based Process Safety, Wiley, Hoboken, New Jer- Safety Assessments, March 2012.
sey, 2007. 15. Guidelines for the Management of Safety Critical Ele-
9. International Association of Drilling Contractors (IADC) ments, 2nd Ed., Energy Institute, London, UK, 2007.
Health, Safety, and Environment Case Guideline for Mo- 16. UK Health and Safety Executive, Developing Process
bile Offshore Drilling Units, Issue 3.3, Houston, Texas, Safety Indicators, HSG254, 2006.
IADC. December 1, 2010. 17. American Petroleum Institute, API Recommended Practice
10. International Association of Drilling Contractors (IADC) 754, Process Safety Performance Indicators for the Refin-
Health, Safety, and Environment Case Guideline for Land ing and Petrochemical Industries, American Petroleum
Drilling Units, Issue 1.0.1, Houston, Texas, IADC, July 27, 2009. Institute, Washington D.C., 2010.
18. P. Davidson and S.D. Mooney, Key Safety Roles in
11. International Standard ISO 17776 Petroleum and Gas Nat- Organizational Changes, Wiley InterScience, 2009.
ural IndustriesOffshore production installations, Guide- 19. F. Jones and K. Israni, Environmental Risk Assessment
lines on tools and techniques for hazard identification Using Bow-tie Methodology, 2012.
and risk assessment, October 15, 2000. 20. T. Whipple and R. Pitblado, Applied Risk-Based Process
12. ANSI/ASSE Z690.2-2011, Risk Management Principles and Safety: A Consolidated Risk Register and Focus on Risk
Guidelines, National Adoption of ISO 31000:2009. Communication, Wiley InterScience, 2009.
13. ANSI/ASSE Z690.2-2011, Risk Assessment Techniques, 21. P. Davidson and S.D. Mooney, Key Safety Roles in
National Adoption of IEC/ISO 31010:2009. Organizational Changes, Wiley InterScience, 2009.
10 Month 2013 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)