Bow-Tie Diagrams in Downstream Hazard
Identification and Risk Assessment
Yaneira E. Saud, Kumar (Chris) Israni, and Jeremy Goddard
ERM Americas Risk Practice, 15810 Park Ten Place Suite 300, Houston, TX 77084;
Yaneira.saud@erm.com (for correspondence)
Published online in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11576
Bow-tie diagrams are emerging as a very useful tool to
depict and maintain an up-to-date, real-time, working risk
management system embedded in daily operations. They are
a proven concept in the worldwide offshore industry. These
diagrams provide a pictorial representation of the risk assess-
ment process. This article introduces the bow-tie concept to
the downstream and chemical process industries in the
United States. The authors believe that bow-tie diagrams can
be a resourceful method in the safety and risk practitioners
toolkit to improve performance of the hazard identification
and risk assessment process and to demonstrate that major
hazards are identified and managed to as low as reasonably
practicable. Because of their graphical nature, the biggest
advantage of bow-tie diagrams is the ease to understanding
of risk management by upper management and operations
groups. V C 2013 American Institute of Chemical Engineers Process
Saf Prog 000: 000000, 2013
Keywords: bow-tie diagram; cause-consequence; hazard
identification; risk assessment; risk management; bow-tie
INTRODUCTION
The concept of cause-consequence analysis is a combina-
tion of the inductive and deductive reasoning of logic dia-
grams (e.g., event-tree analysis or fault-tree analysis) [1]. The
method has been used to identify the basic causes and con-
sequences of potential accidents. Likewise, bow-tie diagram-
ming provides a pictorial representation of the risk
assessment process that, during the last decade, has become
increasingly popular, especially in the sector of oil and gas
offshore exploration and production. Because of their unpar-
alleled advantages demonstrating that major hazards are
identified and controlled, bow-tie diagrams are widely used
in Europe and Australia to support safety reports and health,
safety, and environment (HSE) cases for drilling and green-
field major hazard facility onshore projects. Other applica-
tions have been reported for healthcare, nuclear, transport,
and organizational culture [2].
This article discusses the evolution of the risk-based
approach in the United States and how the bow-tie model
would fit in the risk management process for downstream
projects and facilities, and it shares a representative bow-tie
This article was originally presented at 8th Global Congress on
Process Safety Houston, TX, April 14, 2012.
C 2013 American Institute of Chemical Engineers
V distinctly administered) to an all-encompassing, integrated
Process Safety Progress (Vol.00, No.00)
case study application in making engineering controls
operational.
REGULATORY REQUIREMENTS VERSUS BEST PRACTICES
U.S. Regulatory Background
The evolution of the process safety approach for the
onshore industry within the United States has been driven
primarily by the regulatory agencies. However, it was indus-
try who produced one of the earliest process safety referen-
ces; a brochure published in 1985 by AIChE-CCPS; A
Challenge to Commitment. The article outlines a compre-
hensive model characterized by 12 distinct and essential ele-
ments to avoid catastrophic events. Other publications,
American Petroleum Institute Recommended Practice (API
RP) 750, Management of Process Safety Hazards (1990), fur-
ther refined the approach ultimately leading to the U.S.
Occupational Safety and Health Administration (OSHA) pro-
mulgation of the Process Safety Management (PSM) standard
in February 1992 [3].
In addition, the U.S. Environmental Protection Agency
(EPA) formulated a Risk Management Plan (RMP) rule [4]
related to preventing accidental releases. The EPAs RMP rule
avoided overlap by integrating the process safety elements
stated in OSHAs PSM Standard.
Along similar lines but for offshore operations, the Safety
and Environmental Management System (SEMS) was intro-
duced in 1991 by the Minerals Management Service, but this
was deemed voluntary. Eventually, in late 2010, the Bureau
of Ocean Energy Management, Regulation, and Enforcement
published Final Rule 30 CFR Part 250 Subpart S that incorpo-
rates by reference and makes mandatory API RP 75, 3rd Edi-
tion [5,6], today enforced by the Bureau of Safety and
Environmental Enforcement.
Irrespective of where the site is located within the U.S. or
vicinityonshore or offshorethe approach to risk has pre-
dominantly been regulatory driven. However, the 2010
Macondo accident manifested evidence that the right path to
follow is a performance-driven approach to risk with opera-
tors actively demonstrating that facilities have the appropriate
barriers to place to manage risks to as low as reasonably
practicable (ALARP) [7].
Trends in Global Risk Management Standardization
The risk management approach has moved in the litera-
ture from the isolated concept (where the different risks are
Month 2013 1

Figure 1. Evolution of risk-based process safety [8].
approach (where risk management is optimized throughout
an organization). Some driving forces for risk integration are:
 Increased number, variety, and interaction of risks.
 Accelerated pace of business and globalization.
 Tendency to quantify risks.
 Attitude of organizations toward the value-creating poten-
tial of risk.
 Common risk practices and tools shared across the world
(Figure 1).
The international community has created documents
related to the standardization of risk management that cover
general guidance, terminology, requirements, and tools.
Among them, documents worth mentioning are:
 CCPS latest publications on the evolution of PSM to a
risk-based management approach [8] and updated process
hazard methods that include bow-tie diagrams [1];
 International Association of Drilling Contractors Safety
Case guidelines where risk management is the center-
piece of a comprehensive major hazards ALARP assess-
ment [9,10]; and
 The International Organization for Standardization (ISO)
and the International Electrotechnical Commission
guidance for selecting and applying systematic techniques
for risk assessment [1113].
We are moving toward standardized, operational risk
management, emphasizing:
 The importance of a formal safety assessment roadmap,
instead of isolated hazard identification studies,
 A compilation of identification and assessment results,
describing critical barriers that avoid major accidents in a
tangible, ALARP demonstration report,
 Bow-tie diagrams appear as the tool of excellence to visu-
alize the risk management process and transmit specific
accountability.
Figure 2. Typical bow-tie diagram. [Color figure can be viewed in the online issue, which is available at
wileyonlinelibrary.com.]
2 Month 2013 Published on behalf of the AIChE
HAZARD IDENTIFICATION AND RISK ASSESSMENT (HIRA)
Identify, Evaluate, Analyze, and Manage
HIRA includes hazard identification and evaluation, risk
assessment, and reduction of events that could impact pro-
cess safety, occupational safety, environment, and social
responsibility.
The ISO Risk Management Principles and Guidelines
standardize risk assessment in four parts: risk identification,
risk analysis, risk evaluation, and risk treatment. The first
steprisk identificationis achieved by identifying all haz-
ards and their subsequent consequences.
The risk management process has reached a level of ma-
turity where recent and future improvements are focused to
better manage risk and include review and monitoring
checks, to ensure desired performance, in order to prevent
and mitigate major accident events. The risk management
process is a key factor in the success and sustainability of oil
and gas facilities and must be ingrained into the entire pro-
cess life cycle.
Where Do Bow-Tie Diagrams Fit in HIRA?
To understand the use and application of bow-tie dia-
grams in downstream, risk-based process safety, a transition
must be made from hazard identification to risk assessment.
Hazard identification is a key provision in the U.S. regula-
tory-based safety management systems (e.g., PSM, SEMS).
This process includes the orderly, systematic examination
of causes leading to potential releases of hazardous substan-
ces and what safeguards must be implemented to prevent
and mitigate a loss of containment resulting in occupational
exposure, injury, environmental impact, or property loss.
Process hazard analysis (PHA) techniques like hazard
identification (HAZID) and hazard and operability (HAZOP)
studies are the tabular hazard methods most widely used for
operational hazards identification. HAZID studies frequently
are used in exploration, production, and mid-stream opera-
tions, both onshore and offshore. However, comparing to
other worldwide best practices such as HSE cases for
onshore and offshore facilities, hazard identification by itself
falls short of applying the risk management process [7].
Moving from identifying hazards to qualitative risk
assessment is achieved using semiquantitative matrices,
which is essentially an interaction of the two attributes of
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 3. Hazard identification and risk assessment process flow. Source: ERM North America Risk Practice. [Color figure can
be viewed in the online issue, which is available at wileyonlinelibrary.com.]
riskseverity and likelihood. The exercise amounts to risk
ranking these undesired events. The hazard evaluation team
must identify ways to reduce the consequence or reduce the
likelihood of high or medium risks through preventive or mit-
igation barriers to ensure that the risk level is either accepta-
ble or ALARP. Although ALARP can be demonstrated for any
system regardless of design definition or focus level, complex,
and costly decisions often require more accurate information
about potential consequences and frequency of occurrence.
Bow-tie diagrams effectively include the main elements of
the risk management process: identify, prevent, mitigate, and
assess (refer to Figure 2). To enhance a risk-based approach,
any tabular hazard identification can be customized to iden-
tify preventive and mitigation safeguards (barriers) that can
be exported to a bow-tie diagram.
Risk assessment becomes quantitative when accident sce-
narios need more precise numerical analysis to estimate the
extent of a potential damage and its yearly frequency of occur-
rence. Such quantitative risk assessment often involves the use
of existing failure and loss-of-integrity data plus computational
models to simulate accident events. Typical quantitative risk
assessments for the oil and gas industry include fire and explo-
sion analysis, smoke and toxic gas dispersion analysis, fire and
gas mapping, and dynamic events study such as ship collision,
helicopter crash, or dropped objects studies (refer to Figure 3).
As illustrated in Figure 3, a bow-tie diagram may be an
optional way to identify hazards and display the risk man-
agement process in an illustrative, all-inclusive way; this
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
approach has proven particularly useful for risk communica-
tion. It also allows for extracting critical element systems that
either prevent or mitigate an accidental event. Even though
bow-tie diagrams are considered a qualitative risk assess-
ment tool, applications where quantitative analysis is neces-
sary can also benefit by representing within the risk
management process exactly where the results refine the
consequence and frequency of undesired outcomes.
BOW-TIE TERMINOLOGY
Essential definitions while conducting bow-tie analyses
are provided here for the benefit of the reader to understand
the terminology used and to relate it to the case studies.
 Hazard: Anything inherent to the business that has the
potential to cause harm to safety, health, the environ-
ment, property, plant, products, or reputation.
 Threat: A direct, sufficient and independent possible
cause that can release the hazard by producing the top
event leading to a consequence.
 Top Event: The moment in which the hazard is released;
the first event in a chain of negative events leading to
unwanted consequences.
 Control: Any measure taken that acts against some unde-
sirable force or intention in order to maintain a desired
state; Proactive Controls prevent an event (left side of
bow-tie diagram), Reactive Controls minimize conse-
quence (right side of bow-tie diagram).
DOI 10.1002/prs Month 2013 3
 Figure 4. Contribution of Bow-tie Diagrams to HIRA and Operational Excellence. Source: ERM America Risk Practice.
 Escalation Factor: Condition that leads to increased risk
by defeating or reducing the effectiveness of a control.
 Consequence: Accident event resulting from the release
of a hazard that results directly in loss or damage: per-
sons, environment, assets, or reputation.
 ALARP: Risk of a business where a hazard is intrinsic;
however, it has been demonstrated that the cost involved in
reducing the risk further would be grossly disproportionate
to the benefit gained. The ALARP definition is linked with
risk tolerability and, thus, is different for every organization.
 Risk Matrix: Company- or project-defined grid that com-
bines consequence (severity) and frequency (likelihood)
to produce a level of risk and defines the risk tolerability
boundaries for attributes of interest (people, environment,
assets, reputation).
HOW CAN BOW-TIE DIAGRAMS CONTRIBUTE TO HIRA?
After significant investment of time and resources in the
HIRA process, it would be unthinkable to lose access to the
results in thick binders that are seldom opened again. The
knowledge and insight gained through the process of identi-
fying hazards and assessing risks needs to be extracted and
kept operationally current and evolving.
4 Month 2013 Published on behalf of the AIChE
Operational excellence includes producing with no harm
and no leaks, and it is not possible unless the operator man-
ages, as a critical routine, the specific elements or compo-
nents that eliminate or minimize risk (i.e., preventive or
mitigation barriers; Refer to Figure 4).
Hence the successful documentation of a HIRA, for opera-
tional excellence, includes:
 Access to the information: the right level of detail at the
operators fingertips
 Understanding the information: pictorial bow-tie repre-
sentation that can be grasped as a whole or by threats or
consequences
 Individual accountability for the barriers
 Systems to ensure barrier integrity assurance actions are
adequate, timely, and maintained throughout the life
cycle of the process or facility.
Identify Major Hazard Events
In a process facility, although a plethora of hazards exists,
not all hazards have the potential of materializing to an acci-
dent or major hazard event (MHE). Likewise, process hazards
have numerous risk control systems, but not all controls are
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 5. Hazard identification and risk assessment process flow. Source: Guidelines for the Management of Safety Critical Ele-
ments, London: Energy Institute, March 2007.
considered safety-critical. Bow-tie diagramming helps one to
understand the top events in a facility, the threats that can
be involved in a causation sequence, and the final conse-
quences that the organization will need to face.
The generic definition of MHE involves hazards with the
potential to result in an uncontrolled event with immediate
or imminent exposure leading to serious risk to the health
and safety of persons, environmental impact, or property
loss [14]. A bow-tie session will generate MHE candidates
from the HIRA process that will be validated by key disci-
pline team members and subject-matter experts. A consensus
MHE list (10 to 15 items, typically) clearly defines the events
capable of catastrophic losses in your facility and constitutes
the starting point of a bow-tie study.
Describe Risk Control Systems and Safety-critical
Equipment
The next step is to identify the key barriers that either
prevent or mitigate an MHE. These barriers are risk control
systems, and within them are vital elements known as
safety-critical elements (SCEs). SCEs are any part of the in-
stallation, plant, or computer programs the failure of which
will either cause or contribute to a major accident or the
purpose of which is to prevent or limit the effect of a major
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
accident [15]. By extracting a list of SCEs, access to the con-
trols and their perceived effectiveness are easier to under-
stand, use, and monitor. A non-exhaustive list of SCEs,
proposed by the Energy Institute London, is reproduced in
Figure 5.
SCEs can be hardware, software, or human intervention
tasks. They can be intrinsic to the design, added as risk
reduction measures, or consist of administrative procedures.
The bottom line is that the set barriers for each threat need
to be legitimate to achieve a risk-reduction target; by block-
ing the threats or providing timely control and mitigation
once top events materializes. For a barrier to be valid it
must:
 Be able to stop a threat
 Be effective in minimizing a consequence
 Be independent from other barriers in same threat line
A common finding in accident investigations is the exces-
sive reliance on procedures. Procedural barriers should be
considered as complementary, and evaluation of escalation
factors due to human error must also be part of the bow-tie
study. Therefore, barrier documentation must include an
assessment of the number and quality rating of the barriers
for the overall risk control effectiveness.
DOI 10.1002/prs Month 2013 5
Figure 6. LNG loss of containmentcollapsed view. [Color figure can be viewed in the online issue, which is available at
wileyonlinelibrary.com.]
Elaborate Performance Standards and Procedures
Now that risk control systems (SCEs) have been identi-
fied, they will be of no value unless they consistently per-
form when needed, as expected. Performance standards for
each SCE define and document the attributes (e.g., function-
ality, availability, reliability, survivability, and interactions
with other systems). The following questions must be
answered by an SCE performance standard:
 What? function must the SCE perform, before and after a
major event
 How? will the SCE produce intended outcome on demand
6 Month 2013 Published on behalf of the AIChE
 Who? is the individual or position accountable for the
SCE integrity
 What? are associated interactions with other SCEs
 When? is inspection, maintenance, and testing required to
ensure a specific SCE attribute
Set Key Performance Indicators
Unless an SCE is inspected, maintained, and tested, it will
deteriorate over time. Most of the accident investigations
conducted in the industry reveal broken or degraded
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 7. LNG loss of containmentexpanded view, threats. [Color figure can be viewed in the online issue, which is avail-
able at wileyonlinelibrary.com.]
barriers, where a complex sequence of unfortunate events
resulted in a major accident.
To ensure that SCEs perform as intended, the outcome
must be described along with a lagging indicator to show
that the outcome has been achieved [16]. Leading indicators
must also be set to monitor the effectiveness of the SCE
within the risk control system. Systems to define tier control
levels, tolerance, data collection, and follow-up outcome
deviations must also be established and kept throughout the
facilitys life cycle [17]. Moreover, facility modifications must
be assessed and managed to establish their impact on the
SCEs and to ensure that changes are incorporated into the
performance and verification regime.
Assure Competence and Training
Human factors continue to be recognized as an important
contributor to major hazard events and need to be appropriately
addressed. Human intervention is pervasive in the process
industries. SCEs are invented, designed, constructed, fabricated,
installed, maintained, tested, and replaced by people. Bow-tie
analysis facilitates the assignment of individual roles for risk con-
trol systems and SCE by providing clear performance expecta-
tions and monitoring outcomes through leading and lagging
indicators. By incorporating this valuable information, the com-
petencies are better delineated, training programs, and
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
instructions are accurately designed, the operational procedures
are better designed and communicated; resulting in an operator
better equipped to fulfill his duties for safe and clean operations.
Bow-tie diagrams have been successfully applied in human
organizational change and optimization [18].
EXAMPLE OF DOWNSTREAM BOW-TIE DIAGRAMMING
A study case developed for a new coal seam LNG facility
in Australia is presented here. According to Australian regula-
tions, the LNG plant is classified as major hazard facility
(MHF) and, within the scope of engineering, procurement,
and construction, a Safety Case Report must be submitted to
the MHF regulator [14].
A condensed list of MHEs (including loss of containment,
occupational exposure, and global adverse events) and their
associated SCEs were extracted from the formal safety studies
(i.e., HAZIDs, HAZOPs, and project Hazard Register) that
were completed during front-end engineering and design.
During a bow-tie workshop, SCEs such as design, hardware,
and procedures were validated and classified.
The list of identified MHEs included:
 Loss of containment: Most MHEs will be concentrated in
the loss of containment of either hydrocarbons or hazard-
ous substances.
DOI 10.1002/prs Month 2013 7
Figure 8. LNG loss of containmentexpanded view, consequences. [Color figure can be viewed in the online issue, which is
available at wileyonlinelibrary.com.]
 Stored energy: Sudden release of hydrocarbons or hazard-
ous substances due to mechanical or trapped pressure
from stored energy sources.
 Dynamic energy: Involves events of traffic (vessel colli-
sion) or dropped or swung objects.
 Occupational MHE: Confined space entry, high elevation,
energy sources (stored energy, energized circuits).
 Adverse weather events: Earthquakes, bush fire, heavy
rain, flash foods.
The bow-tie method allowed the team to assess the
appropriateness and robustness of the preventive and mitiga-
tion controls for each identified MHE. Also, lessons learned
from other LNG projects were applied to challenge the bar-
riers proposed in the design. Identified action items aimed at
confirming and improving SCEs were incorporated during
the project execution phase. Figures 68 of this article are
provided as an illustration of the resulting diagrams.
ENVIRONMENTAL APPLICATIONS
The bow-tie concept was tested for an environmental
hazard identification (ENVID) study that was in progress for
an offshore platform. The ENVID was conducted independ-
ently of the HAZID. To stay consistent the HAZID approach,
the authors applied the bow-tie technique to the conven-
tional ENVID method.
A typical bow-tie originates at the center; beginning with
the hazard identified, and then is extended to either side for
cause and consequence, respectively. Similarly, an environ-
mental event was chosen to be the center of the bow-tie.
The left-hand side was populated with the causes identified,
and environmental consequences were populated on the
right-hand side.
Conventionally, an ENVID is another brainstorming tech-
nique that lists existing barriers or safeguards. In this case,
using the bow-tie approach, the safeguards identified were
classified as being either preventive measures that would
eliminate the cause or mitigation measures that would allevi-
ate the undesired environmental consequence. The study
(brainstorming session) was documented in a tabular spread-
sheet format using the bow-tie type of sequential approach
for the thought process. For each of the scenarios discussed,
the team proposed recommendations, where deemed
necessary.
An advantage for the team members of using this
approach was that they were able to correlate the preceding
HAZID results to the ENVID, thereby, understanding the
contribution of the various causes and barriers to
8 Month 2013 Published on behalf of the AIChE
environmental risk. This assisted in identifying critical envi-
ronmental compliance elements for the project. In addition,
a clear mapping of the undesired environmental events facili-
tated a robust understanding for the team of the environ-
mental hazards. This method is amenable to early phase
environmental impact assessment development, design
phases, project start up and review of changes and new
events, and startup operations.
See Table 1, which is an example of the application of
bow-tie diagramming to ENVIDs. The example is based on
current work for an oil and gas facility, where the table fields
will eventually be exported to bow-tie diagrams and the
results were recently published [19].
LESSONS LEARNED
The ERM Risk Practice has conducted a significant num-
ber of bow-tie workshops in a team environment with the
participation of relevant disciplines. The graphical nature of
bow-tie diagrams was a major contributor to the success of
the studies.
This visual approach also enhanced the brainstorming for
the analyses, minimizing the confusion that a tabular analysis
tends to cause. Four areas have been identified where the
bow-tie model is very useful during workshops:
 Distinction of the functionality of the controls:
Understanding each barriers contribution to either eliminat-
ing the causes or mitigating the consequences, provided the
team members a better perception of the barrier effective-
ness and the requirements to retain its integrity over time.
 Correct use of the risk matrix: When ranking consequence
using a risk assessment matrix, especially, when the team
is reluctant to assign valid likelihood and consequence
resulting in high risk, the bow-tie diagram illustrates the
importance of using the matrix correctly by assigning real-
istic qualitative values and aim at a recommendation to
yield the most risk reduction.
 Incident investigation: Building upon any investigation
method, the team can analyze immediate, intermediate,
and root causes in a holistic approach by comparing the
barriers in place and the ones that were degraded or bro-
ken and their connection to the HSE management system.
 Accurate inclusion of human factors: Human error must
not be addressed as another generic threat but as a spe-
cific escalating factor or vulnerability that can lead to the
barrier failure; for example, human error triggered by
unclear operational instructions or unrealistic emergency
response procedures.
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
 contractor equipment
CONCLUSION

exhaust properties in
3. Review supply boat
exhaust parameters
Recommendations
The authors have successfully applied the bow-tie dia-

No recommendation
2. Review helicopter

8. Verify that drilling

emissions limits.
grammatic approach to downstream oil and gas facilities,

will not exceed

in later stages
both greenfield and brownfield projects. As the process safety

later stages
practice continues evolving to a risk-based approach, bow-tie

proposed
diagrams have enormous potential to complement process
safety initiatives [20,21]. Some advantages of applying the
bow-tie approach to the risk management process are:
 Application and understanding of the risk management
process, from identification to assessment.
 Focus on MHEs, differentiating highly hazardous releases
(e.g., loss of containment) from other workplace hazards,
occupational health, or environmental aspects.
 Synthesis, extraction of risk control systems, and SCEs to
this example)
(removed for
Risk Ranking

prevent or mitigate an MHE.

 Provision of stand-alone performance standards to docu-
ment SCE integrity assurance plan.
 Setting leading and lagging performance indicators.
 Unparalleled communication of MHEs and their controls,
demonstration of ALARP.
 Assessment of barrier strength to achieve the desired risk
surrounding environment
(increased GHG because
control effectiveness.
1. Release of pollutants to

 Integration of human and organizational factors by identi-

of unburned gases)

fying specific barriers to prevent and manage human

Consequence

(particulates, SOx,

error.
 Fine-tuning competency and training requirements for
environment
pollutants to
surrounding

NOx, CO2)

individuals accountable for risk-control systems and SCEs.

1. Release of

A few disadvantages have also been identified:

 Requirement to acquire bow-tie software to better docu-
ment and visualize the resulting large bow-tie diagrams
 Need to have a robust risk-assessment matrix to appropri-
ately screen MHEs and arrive at a representative set of
1. Monitoring for

bow-tie diagrams per facility or business unit.

black smoke

conditioning
Mitigation

1. Monitoring
Controls/

equipment

The authors use of the bow-tie concept points toward

the application of this tool as a complement, instead of a
2. Mud

substitute, to traditional tabular process hazard analysis (e.g.,

HAZID). Moreover, other semiquantitative applications (e.g.,
LOPA) are feasible and being used experimentally at this
stage. The future of bow-tie diagrams across industry to com-
1. Air Emissions

1. Air emissions
Environmental

plement, enhance, and operationalize hazard identification

and assessment with the incorporation of human factors at a
Event

practical level, does look promising and will rapidly evolve.

Table 1. ENVID worksheet aligned to bow-tie approach.

LITERATURE CITED
1. Center for Chemical Process Safety (CCPS), Guidelines
4. Shut down equipment

for Hazard Evaluation Procedures, 3rd Ed., Wiley, Hobo-

1. Routine maintenance

3. Equipment selection
Detection Barriers

ken, New Jersey, 2008.

Prevention and

2. Mud conditioning

2. P. Hudson, Leiden University of the Netherlands & Delft

and inspection

1. Gas detection

University of Technology, The Netherlands, Integrating

2. Engineering

Organization Culture into Incident Analyses: Extending

the Bow Tie Model. SPE International Conference on
to code

Health Safety and Environment, Vol. 4, 2010, 26622674.

3. 29 CFR 1910.119 Process Safety Management of Highly
Hazardous Chemicals, 1992.
4. 40 CFR Part 68 Risk Management Program (RMP) Rule,
2009.
valves, tanks, vents etc.

5. CFR Part 250 Subpart S, Safety and Environmental Man-

1. Release of gas from

2. Leaks from flanges,

(fugitive emissions)
3. Specific equipment

5. Helicopter exhaust

agement Systems, October 2010.

6. American Petroleum Institute, API Recommended Practice
1. Diesel engine

75, Recommended Practice for Development of a Safety

4. Supply Boat

drilling mud
2. Third-party
equipment

and Environment Management Program for Offshore Oper-

ations and Facilities, 3rd Ed., 2004, reaffirmed May 2008.
exhaust

exhaust

7. National Commission on the BP Deepwater Horizon, The

Cause

Gulf Oil Disaster and the Future of Offshore Drilling

Report to the President, January 2011.

Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE DOI 10.1002/prs Month 2013 9
 8. Center for Chemical Process Safety (CCPS), Guidelines
for Risk Based Process Safety, Wiley, Hoboken, New Jer-
sey, 2007.
9. International Association of Drilling Contractors (IADC)
Health, Safety, and Environment Case Guideline for Mo-
bile Offshore Drilling Units, Issue 3.3, Houston, Texas,
IADC. December 1, 2010.
10. International Association of Drilling Contractors (IADC)
Health, Safety, and Environment Case Guideline for Land
Drilling Units, Issue 1.0.1, Houston, Texas, IADC, July 27, 2009.
11. International Standard ISO 17776 Petroleum and Gas Nat-
ural IndustriesOffshore production installations, Guide-
lines on tools and techniques for hazard identification
and risk assessment, October 15, 2000.
12. ANSI/ASSE Z690.2-2011, Risk Management Principles and
Guidelines, National Adoption of ISO 31000:2009.
13. ANSI/ASSE Z690.2-2011, Risk Assessment Techniques,
National Adoption of IEC/ISO 31010:2009.
10 Month 2013 Published on behalf of the AIChE
14. SafeWork Australia Guide for Major Hazard Facilities
Safety Assessments, March 2012.
15. Guidelines for the Management of Safety Critical Ele-
ments, 2nd Ed., Energy Institute, London, UK, 2007.
16. UK Health and Safety Executive, Developing Process
Safety Indicators, HSG254, 2006.
17. American Petroleum Institute, API Recommended Practice
754, Process Safety Performance Indicators for the Refin-
ing and Petrochemical Industries, American Petroleum
Institute, Washington D.C., 2010.
18. P. Davidson and S.D. Mooney, Key Safety Roles in
Organizational Changes, Wiley InterScience, 2009.
19. F. Jones and K. Israni, Environmental Risk Assessment
Using Bow-tie Methodology, 2012.
20. T. Whipple and R. Pitblado, Applied Risk-Based Process
Safety: A Consolidated Risk Register and Focus on Risk
Communication, Wiley InterScience, 2009.
21. P. Davidson and S.D. Mooney, Key Safety Roles in
Organizational Changes, Wiley InterScience, 2009.
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)