Cover Page

This book is one of a series of process safety guidelines and concept books published by the Center for Chemical Process Safety (CCPS). Please go to www.wiley.com/go/ccps for a full list of titles in this series.

This concept book is issued jointly with the Energy Institute. In EI publications, concept books are termed Research Reports in its series of technical publications. EI publications can be found at http://publishing.energyinst.org/.

The information contained in this material is distributed as a reference guide only. It has been compiled from sources believed to be reliable and to represent the current industry opinion on the subjects set forth herein. No warranty, guarantee or representation is made by the American Institute of Chemical Engineers, CCPS Technical Steering Committee and its Subcommittee members, EI and its subcommittee members, DNV GL USA, Inc., or any of their respective employees, officers, directors, consultants, and or employees (collectively the ‘Producer’) as to the correctness or sufficiency of any representation or information contained in this reference material. Producer expressly disclaims any warranty or guaranty, either express or implied, including without limitation any warranty of fitness for a particular purpose. Producer assumes no responsibility in connection herewith nor can it be assumed that all acceptable safety measures and/or other standards are included herein or that other additional measures may not be required in any given circumstances. Any use of or reliance on this reference material by any party shall be at the sole risk of such party. In no event will Producer or any of its parent or affiliate companies, or any of its or their respective directors, officers, shareholders, and/or employees be liable to any other party regarding any of the statements, recommendations, and/or opinions contained in this reference material, and/or for any use of, reliance on, accuracy, or adequacy of same.

BOW TIES IN RISK MANAGEMENT

A Concept Book for Process Safety


CCPS in association with the Energy Institute





CENTER FOR CHEMICAL PROCESS SAFETY
OF THE
AMERICAN INSTITUTE OF CHEMICAL
ENGINEERS

New York, NY

and

ENERGY INSTITUTE

London, UK




ACRONYMS AND ABBREVIATIONS

AIChE
American Institute of Chemical Engineers
ALARP
As Low As Reasonably Practicable
API
American Petroleum Institute
ATP
Authorized To Proceed
BOP
Blowout Preventer
CCPS
Center for Chemical Process Safety (of AIChE)
COMAH
Control of Major Accident Hazards (UK Regulation incorporating most of the EU Seveso Directive requirements)
CSB
Chemical Safety Board (US)
DNP
Do Not Proceed
ETA
Event Tree Analysis
ESD
Emergency Shutdown
EI
Energy Institute
EU
European Union
FMECA
Failure Modes, Effects and Criticality Analysis
FRAM
Functional Resonance Analysis Method
FTA
Fault Tree Analysis
HAZID
Hazard Identification Study
HAZOP
Hazard and Operability Study
HOF
Human and Organizational Factors
HSE
Health, Safety and Environment
HSE
Health and Safety Executive (UK)
IADC
International Association of Drilling Contractors
IOGP
International Association of Oil & Gas Producers
IPL
Independent Protection Layer
ISO
International Standards Organization
KPI
Key Performance Indicator
LOPA
Layer of Protection Analysis
LOTO
Lock Out Tag Out (part of Permit to Work)
LPG
Liquefied Petroleum Gas
MAE
Major Accident Event
MOC
Management of Change
MOPO
Manual of Permitted Operations
NFPA
National Fire Protection Association
NOPSEMA
National Offshore Petroleum Safety and Environmental Management Authority (Australia)
NORSOK
Norwegian Oil Industry Standards (Norsk Sokkels Konkurranseposisjon)
OSHA
Occupational Safety and Health Administration (US)
PHA
Process Hazard Analysis
P&ID
Piping and Instrumentation Diagram
PSA
Petroleum Safety Authority (Norway)
PTW
Permit To Work
QRA
Quantitative Risk Assessment
RBPS
Risk Based Process Safety
SCE
Safety Critical Element (also Safety or Environmental Critical Element or Equipment)
SIL
Safety Integrity Level (as per IEC 61508 / 61511 standards)
SIMOPS
Simultaneous Operations
SOOB
Summary of Operational Boundaries
STAMP
Systems Theoretic Accident Model & Processes

GLOSSARY

Terms in this Glossary, where relevant, match the online CCPS Glossary of Terms for Process Safety.

ALARP
As Low As Reasonably Practicable – a term used to describe a target level for reducing risk that would implement risk reducing measures unless the costs of the risk reduction in time, trouble or money are grossly disproportionate to the benefit. In bow tie analysis, it is a performance-based standard used for determining whether appropriate barriers have been put in place such that residual risk is reduced as far as reasonably practicable.
Barrier
A control measure or grouping of control elements that on its own can prevent a threat developing into a top event (prevention barrier) or can mitigate the consequences of a top event once it has occurred (mitigation barrier). A barrier must be effective, independent, and auditable. See also Degradation Control. (Other possible names: Control, Independent Protection Layer, Risk Reduction Measure).
Barrier Type
These are categories of a barrier. The purpose of defining a barrier type is to clarify its operational mode and to make transparent the case where only one type (e.g., active human) is relied on exclusively. Active barriers must contain the three elements of detect-decide-act.
  • Passive Hardware
A barrier system that is continuously present and provides its function without any required action.
  • Active Hardware
A barrier system that requires some action to occur to achieve its function. All aspects of the barrier detect-decide-act functions are achieved by hardware or software.
  • Active Hardware and Human
The barrier detect-decide-act aspects are achieved by a mix of hardware, software and by at least one necessary human action.
  • Active Human
The barrier detect-decide-act aspects are all achieved by humans. Some interaction with hardware will be necessary but the functions are predominantly human.
  • Continuous Hardware
The barrier function is achieved by some continuous action.
Bow Tie Model
A risk diagram showing how various threats can lead to a loss of control of a hazard and allow this unsafe condition to develop into a number of undesired consequences. The diagram can show all the barriers and degradation controls deployed.
Consequence
The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. Another possible name: Outcome. The magnitude of the consequence may be described using a Risk Matrix.
Critical Barrier
An optional designation, sometimes required by companies or regulators, which identifies a subset of barriers that are designated to be more significant in risk control. The designation can assist prioritization of the barrier in terms of inspection, testing, maintenance and training. In principle, all barriers in a bow tie diagram are important and need an ongoing management process to ensure their effectiveness.
Dashboard
A simplified management diagram displaying KPIs or metrics (both leading or lagging) considered important in achieving the organization’s safety, environmental or commercial objectives. Barrier status could be a key element to be displayed on a dashboard.
Degradation Factor
A situation, condition, defect, or error that compromises the function of a main pathway barrier, through either defeating it or reducing its effectiveness. If a barrier degrades then the risks from the pathway on which it lies increase or escalate, hence the alternative name of escalation factor. (Other possible names: Barrier Decay Mechanism, Escalation Factor, Defeating Factor).
Degradation Control
Measures which help prevent the degradation factor impairing the barrier. They lie on the pathway connecting the degradation threat to the main pathway barrier. Degradation controls may not meet the full requirements for barrier validity. (Other possible names: Degradation Safeguard, Defeating Factor Control, Escalation Factor Control, Escalation Factor Barrier).
Dike
Synonymous with bund. A passive barrier describing a secondary containment system around a tank whose walls act as the primary containment.
Hazard
An operation, activity or material with the potential to cause harm to people, property, the environment or business; or, simply, a potential source of harm.
HAZOP
Hazard and Operability Study. A systematic qualitative technique to identify and evaluate process hazards and potential operating problems, using a series of guidewords to examine deviations from normal process conditions.
Human Factors
A term with both ergonomic and organizational implications. A discipline concerned with designing machines, operations, and work environments so that they match human capabilities, limitations, and needs. Human Factors is also the discipline used to describe the interaction of individuals with each other, with facilities and equipment, and with management systems. This interaction is influenced by both the working environment and the culture of people involved.
Impaired
Any degree of degradation of barrier performance from its intended function (i.e., partially available, not available, unknown status, etc.).
Incident
An event, or series of events, resulting in one or more undesirable consequences, such as harm to people, damage to the environment, or asset/business losses. Such events include fires, explosions, releases of toxic or otherwise harmful substances, and so forth.
Independence
The condition that no significant common mode of failure exists that would degrade two or more barriers simultaneously in an incident pathway.
LOPA
Layer of Protection Analysis. An approach that analyzes one incident scenario (cause-consequence pair) at a time, using predefined values for the initiating event frequency, independent protection layer failure probabilities, and consequence severity, in order to compare a scenario risk estimate to risk criteria for determining where additional risk reduction or more detailed analysis is needed.
Main Pathway Barrier
A barrier that lies along the direct route from a threat to the top event or from the top event to a consequence. (Another possible name: primary barrier).
MAE
Major Accident Event (MAE). A hazardous event that results in one or more fatalities or severe injuries; or extensive damage to structure, installation or plant; or large-scale, severe and/or persistent impact on the environment. In bow ties MAEs are outcomes of the top event. (Other possible names: major accident, major incident).
Metadata
Information about other information. In the barrier context, the base information would be the barrier name and description; metadata would be the collection of other data relating to the barrier.
Mitigation Barrier
A barrier located on the right-hand side of a bow tie diagram, lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs. (Other possible names: Reactive Barrier, Recovery Measure).
MOPO
Manual of Permitted Operations. An operational management diagram derived from bow ties that maps all required barriers that must be functional before a defined activity can be carried out. Impaired barriers must be repaired or replaced with an equivalent alternative before the activity can be carried out. (Other possible name: Summary of Operational Boundaries – SOOB).
Multi-Level Bow Tie
An advanced approach that extends the standard bow tie to show deeper level degradation controls that keep the first-level degradation controls from themselves degrading. The first level of build-out beyond the standard bow tie is termed Extension Level 1. Additional extension levels are possible. (See Standard Bow Tie).
Pathway
A bow tie arm on which barriers or degradation controls are located. A Main Pathway is an arm connecting the various threats to the top event, or the top event to the various consequences and these contain barriers. (Alternative term: Prevention Pathway or Mitigation Pathway). Arms connecting degradation factors to a main pathway barrier are termed Degradation Pathways and these contain Degradation Controls.
Performance Standard
Measurable statement, expressed in qualitative or quantitative terms, of the performance required of a system, equipment item, person or procedure (that may be part or all of a barrier), and that is relied upon as a basis for managing a hazard. The term includes aspects of functionality, reliability, availability and survivability.
Prevention Barrier
A barrier located on the left-hand side of a bow tie diagram, lying between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence. (Other possible name: Proactive Barrier).
Process Hazard Analysis
An organized effort to identify and evaluate hazards associated with processes and operations to enable their control. This review normally involves the use of qualitative techniques to identify and assess the significance of hazards. Conclusions and appropriate recommendations are developed. Occasionally, quantitative methods are used to help prioritize risk reduction.
Process Safety Management
A comprehensive set of policies, procedures, and practices designed to ensure that barriers to episodic incidents are in place, in use, and effective.

The term is used generically in this document and is not restricted to the scope and rules of OSHA 29 CFR 1910.119 (frequently referred to as Process Safety Management or PSM). It is often aligned with the CCPS Risk Based Process Safety (RBPS) Guideline or the EI PSM Framework.

RAGAGEP
Recognized and Generally Accepted Good Engineering Practices (RAGAGEP) – a US regulatory requirement. They are the basis for engineering, operation, or maintenance activities and are themselves based on established codes, standards, published technical reports or recommended practices or similar documents. RAGAGEP details generally approved ways to perform specific engineering, inspection or asset integrity activities, such as fabricating a vessel, inspecting a storage tank, or servicing a relief valve.
Risk Matrix
A tabular approach for presenting risk tolerance criteria, typically involving graduated scales of incident likelihood on the Y-axis and incident consequences on the X-axis. Each cell in the table (at intersecting values of incident likelihood and incident consequences) represents a particular level of risk.
Risk Register
A regularly updated summary of potential major accident events over a facility life cycle, with an estimate of risk contribution and the barriers needed to achieve that level of risk. The risk register can be developed from facility PHA studies.
Risk Assessment
The process by which the results of a risk analysis (i.e., risk estimates) are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with risk targets.
Safety I / II
A transition in safety thinking proposed by Hollnagel from where humans are regarded primarily as a source of errors in process safety (Safety I) to where humans are regarded as contributing more to ongoing safety successes (Safety II).
Safety Critical Element
Any part of an installation, plant or computer program whose failure will either cause or contribute to a major accident, or the purpose of which is to prevent or limit the effect of a major accident. Safety Critical Elements are typically part of barriers. In the context of this book, safety includes harm to people, property and the environment. (Other possible names: Safety and Environmental Critical Element, Safety Critical Equipment).
Safety Critical Task
A task where human or organizational factors could cause or contribute to a major accident, or where the purpose of the task is to prevent or limit the effect of a major accident, including:
  • initiating events;
  • prevention and detection;
  • control and mitigation, and
  • emergency response.

Safety Critical Tasks are typically part of barriers.

Safety Integrity Level (SIL)
A relative level of risk reduction provided by a safety function, or a target level of risk reduction specified for it. In simple terms, SIL is a measurement of the performance required of a safety instrumented function (SIF). Defined in the IEC 61511 standard.
Standard Bow Tie
The basic bow tie showing hazard, top event, threats and consequences, with prevention and mitigation barriers, and optionally degradation pathways containing degradation controls supporting the main pathway barrier against identified degradation threats. (See also Multi-Level Bow Ties).
Swiss Cheese Model
A model of accident causation developed by James Reason. It represents a system of safety barriers depicted as slices of cheese with holes. In this model, the slices of cheese represent the safety barriers and the number and size of the holes an indication of the vulnerability of the barrier to fail.
Threat
A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event). (Other possible names: Cause, Initiating Event).
Top Event
In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.

The term derives from Fault Tree Analysis where the unwanted event lies at the ‘top’ of a fault tree that is then traced downward to more basic failures, using logic gates to determine its causes and likelihood.
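As an added illustration of how the glossary entries for Barrier, Barrier Type, Degradation Factor, Pathway and MOPO fit together (this is example code written for this edition, not the book's or any vendor's software): a minimal bow tie data model whose checks encode the validity rules stated above (effective, independent, auditable; detect-decide-act for active types; a control on each degradation pathway; a pathway should not rely on active human barriers alone) and a MOPO check that permits an activity only while every barrier it relies on is unimpaired. The LPG tank, threats, barriers and their statuses are constructed sample data.

```python
# Added example, not from the book: a minimal model of a standard bow tie built
# from the glossary definitions, with two practitioner checks: barrier validity
# (effective, independent, auditable; active barriers need all of
# detect-decide-act; each degradation factor needs a control) and a MOPO check
# (an activity proceeds only if every barrier it relies on is unimpaired).
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class BarrierType(Enum):
    PASSIVE_HARDWARE = "passive hardware"
    ACTIVE_HARDWARE = "active hardware"
    ACTIVE_HARDWARE_HUMAN = "active hardware and human"
    ACTIVE_HUMAN = "active human"
    CONTINUOUS_HARDWARE = "continuous hardware"


ACTIVE = {BarrierType.ACTIVE_HARDWARE, BarrierType.ACTIVE_HARDWARE_HUMAN,
          BarrierType.ACTIVE_HUMAN}
DDA = {"detect", "decide", "act"}


@dataclass
class Barrier:
    name: str
    btype: BarrierType
    effective: bool = True
    independent: bool = True
    auditable: bool = True
    impaired: bool = False       # live status, e.g. from a barrier dashboard
    elements: set[str] = field(default_factory=set)  # detect/decide/act present
    # degradation factor name -> degradation controls on its pathway
    degradation_factors: dict[str, list[str]] = field(default_factory=dict)

    def problems(self) -> list[str]:
        out = [f"{self.name}: not {c}" for c in ("effective", "independent", "auditable")
               if not getattr(self, c)]
        if self.btype in ACTIVE and not DDA <= self.elements:
            out.append(f"{self.name}: active barrier missing {sorted(DDA - self.elements)}")
        out += [f"{self.name}: degradation factor '{d}' has no control"
                for d, controls in self.degradation_factors.items() if not controls]
        return out


@dataclass
class BowTie:
    hazard: str
    top_event: str
    prevention: dict[str, list[Barrier]]  # threat -> main pathway barriers
    mitigation: dict[str, list[Barrier]]  # consequence -> main pathway barriers

    def pathways(self):
        yield from (("threat", t, bs) for t, bs in self.prevention.items())
        yield from (("consequence", c, bs) for c, bs in self.mitigation.items())

    def validate(self) -> list[str]:
        out = []
        for kind, node, barriers in self.pathways():
            if not barriers:
                out.append(f"{kind} '{node}': pathway has no barrier")
            elif all(b.btype is BarrierType.ACTIVE_HUMAN for b in barriers):
                out.append(f"{kind} '{node}': relies only on active human barriers")
            for b in barriers:
                out.extend(b.problems())
        return out

    def mopo_check(self, required: list[str]) -> tuple[bool, list[str]]:
        """Permitted only if every required barrier is present and unimpaired."""
        status = {b.name: b.impaired for _, _, bs in self.pathways() for b in bs}
        blocked = [n for n in required if status.get(n, True)]
        return (not blocked, blocked)


# Constructed sample (not from the book): an LPG storage tank bow tie.
PSV = Barrier("Relief valve", BarrierType.ACTIVE_HARDWARE, elements=set(DDA),
              degradation_factors={"Inlet blocked": ["Periodic inspection"]})
OPERATOR = Barrier("Operator stops filling on high-level alarm",
                   BarrierType.ACTIVE_HARDWARE_HUMAN, elements={"detect", "act"})
DIKE = Barrier("Dike around tank", BarrierType.PASSIVE_HARDWARE)
ESD = Barrier("ESD isolation valves", BarrierType.ACTIVE_HARDWARE,
              elements=set(DDA), impaired=True)
LPG_TANK = BowTie("LPG in storage tank", "Loss of containment",
                  prevention={"Tank overfill": [OPERATOR, PSV], "Corrosion": []},
                  mitigation={"Fire": [DIKE, ESD]})
```

On the sample, validate() reports the operator barrier as lacking its "decide" element and the corrosion threat as having no barrier, while mopo_check(["Relief valve", "ESD isolation valves"]) refuses the activity because the ESD is impaired.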

ACKNOWLEDGMENTS

The committee structure for this concept book differs from other CCPS books in that this was a joint project done in full collaboration with the Energy Institute. In addition, the contribution of the European Commission Joint Research Centre Major Accident Hazard Bureau is gratefully acknowledged. The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) express their gratitude to all the members of the Bow Ties in Risk Management Subcommittee and their member companies for their generous efforts and technical contributions. Similarly, the EI expresses its gratitude to its Bow Ties in Risk Management Subcommittee, and to its Technical Partner and Technical Company Members for co-sponsoring the development of this concept book.

The authors from DNV GL and CGE Risk Management Solutions are also acknowledged, especially the principal authors Dr. Robin Pitblado and Paul Haydock, with additional inputs from Tatiana Norman, Jo Everitt, Amar Ahluwalia, Chris Boylan, and Ben Keetlaer.

Many of the figures in this concept book have been created in software, either from Thesis (ABS Group) or BowTieXP (CGE Risk). This contribution is acknowledged. Details on the software are provided in Appendix A.

PROJECT TEAM MEMBERS:

CCPS
Kiran Krishna Shell Project Team Chair
Timothy McGrath ex Chevron Project Team Vice-Chair
Americo Carvalho Neto Braskem
Umesh Dhake CCPS Asia Manager
Martin Johnson BP
Mark Manton ABS Group
Ron McLeod Ron McLeod Ltd
Darrin Miletello Lyondell Basell
Sudhir Phakey Linde Gas
Keith Serre Nexen
Ryan Supple ConocoPhillips
Thiruvaiyaru Venkateswaran Reliance Industries
Stephanie Wardle Husky Energy
Danny White Ex-BHP Billiton
Charles Cowley CCPS Staff Consultant Project Manager
Energy Institute
Mark Scanlon Energy Institute Project Team Co-Chair
Donald Smith ENI
Dennis Evers Centrica
Rob Miles Hu-Tech
Rob Saunders Shell

European Commission Joint Research Centre Major Accident Hazards Bureau

Maureen Wood

Zsuzsanna Gyenes

Before publication, all CCPS and EI books are subjected to a thorough peer review process. CCPS and EI gratefully acknowledge the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of this concept book.

Peer Reviewers:

San Burnett BHP Billiton
Palani Chidambaram Du Pont
Chris Devlin Celanese
Scott Haney Marathon Oil
Ed Janssen Ed Janssen Risk Management Consulting
Bob Johnson Unwin
Steve Lewis Risktec
Don Loreno ABS Group
Sian Miller Newcrest Mining
Bradd McCaslin Shell
Eric Wakley Shell
Jack McCavit JLM Consulting
Mary Metz Director of Water Resource Policy Alberta
Louisa Nara CCPS
Cathy Pincus Exxon Mobil
Jan Pranger Krypton Consulting
Karla Salomon Chevron
Hans Schwarz BASF
John Sherban Systemic Risk Management Inc.
Mike Snyder Dekra
Jeff Thomas PII
Martin Timm Praxair
Jan Windhorst WEC Inc
Tracy Whipple BP
Stuart King EI HOFCOM and Tripod Foundation
Sam Daoudi EI Process Safety Committee
Trish Kerin IChemE Safety Centre
Sam Mannan MKO Process Safety Center, Texas A&M University
Ian Travers Ian Travers Ltd (ex Deputy Director Chemicals Regulation, HSE)
Mike Nicholas Environment Agency
Mike Wardman Health & Safety Laboratory (HSL)
Patrick Hudson Independent Consultant, Emeritus Professor, Delft University

ONLINE MATERIALS ACCOMPANYING THIS BOOK

Although the bow tie figures in this book are shown in black and white and reduced in size to enhance readability, some of them are available in color and larger size in an online register.

To access this online material, go to:

www.aiche.org/ccps/publications/BTRM.aspx

Enter the password BTRM2018

PREFACE

CCPS and EI Introduction

The American Institute of Chemical Engineers (AIChE) has been closely involved with process safety and loss control issues in the chemical and allied industries since the 1970s. AIChE publications and symposia have become information resources for those devoted to process safety and environmental protection.

AIChE created the Center for Chemical Process Safety (CCPS) in 1985 after the disasters in Mexico City, Mexico, and Bhopal, India. The CCPS is chartered to develop and disseminate technical information for use in the prevention of major chemical incidents. The Center is supported by around 200 chemical process industry sponsors that provide the necessary funding and professional guidance to its technical committees. The major product of CCPS activities has been a series of books to assist those implementing various elements of a process safety and risk management system. To complement the longer, more comprehensive Guidelines series and to focus on more specific topics, the CCPS extended its publication program in the last few years to include a ‘Concept Series’ of books. This book is part of the Concept Series.

The Energy Institute (EI) is the chartered professional body for the energy industry, developing and sharing knowledge, skills and good practice towards a safe, secure and sustainable energy system. The EI was set up in 2003 as the result of a merger between the Institute of Petroleum (IP) and the Institute of Energy (InstE). EI supports over 23,000 individuals working in or studying energy and 250 energy companies worldwide. The EI provides learning and networking opportunities to support professional development, as well as professional recognition and technical and scientific knowledge resources on energy in all its forms and applications.

The EI’s purpose is to develop and disseminate knowledge, skills and good practice towards a safe, secure and sustainable energy system. It informs policy by providing a platform for debate and scientifically-sound information on energy issues. In fulfilling the EI’s mission, its Technical Work Program addresses the depth and breadth of the energy sector, from fuels and fuels distribution to health and safety, sustainability and the environment. This program provides cost-effective, value-adding knowledge on key current and future issues affecting those operating in the energy industry, both in the UK and internationally. For further information, please visit http://www.energyinst.org.

Bow Ties in Risk Management Concept Book

CCPS has been at the forefront of documenting and sharing important risk assessment methodologies for more than 30 years. It has published well-known guidelines on hazard identification, chemical process quantitative risk assessments, Layer of Protection Analysis (LOPA), and facility siting. This concept book continues that tradition with a focus on a specific qualitative risk assessment methodology – bow tie barrier analysis.

Barrier-based risk assessment has been applied to process safety risks for over two decades and increasingly frequently through the use of bow tie diagrams. Bow tie barrier analysis focuses on assessing barriers for the prevention and mitigation of incident pathways, especially related to major accidents. Bow tie diagrams examine potential major accidents by diagrammatically mapping the hazards and threats that may lead to an event and the potential undesired consequences, including most importantly, all the barriers and degradation controls in place to reduce the risk. Bow tie diagrams can assist with barrier management, the analysis of risk reduction, and the assessment of barriers in place. They provide a powerful means to communicate complex process safety information to staff, contractors, regulators, senior management, the public, and other stakeholders.

The increasing use of bow ties to communicate risks and barriers has led the CCPS Technical Steering Committee to charter a project committee to develop this concept book for Bow Ties in Risk Management. The Energy Institute (EI) and European Commission Major Accident Hazards Bureau were collaborating partners with CCPS on this project. To gather input from many experienced sources, CCPS invited representatives from many chemical and petroleum companies, trade associations, and regulators involved in the field of process safety, as well as other key stakeholders or subject matter experts to participate in this committee’s activities. The Energy Institute joined the project to share the knowledge of its members and particularly to provide additional focus on the human factors aspects of bow ties.

Well-constructed bow tie diagrams, which are clear and easy to communicate, may give the impression that they are easy to create. This is not the case. Too often bow ties are created with structural or other errors that detract from their value. The aim of this concept book is to equip the novice or even experienced reader with the requisite skills and knowledge in order to develop quality bow ties.

While there is currently a reasonable degree of consensus on how to handle technical matters in bow ties, the same is not true for Human and Organizational Factors (HOF). Chapter 4, addressing human factors in bow tie analysis, is the product of a sub-committee representing a wide range of experience in the practice of human factors in the process industries, including both industrial and regulatory backgrounds. The sub-committee considered and critically evaluated how human factors issues are represented in current approaches to bow tie modeling. This group recognized the need for simplicity and clarity in bow ties as implemented, but also that oversimplification can lead to an incorrect understanding of how human factors actually contribute to safer operations. The approach described here addresses the critical role that people play in barrier systems, with the wide range of HOF that need to be managed effectively for barriers to be as robust as they reasonably can be – all with the aim of preventing barriers being degraded or defeated by ‘human error’. Current approaches to bow tie modeling rarely capture the complexity of the human contribution to barrier systems and may not recognize the range of factors that need to be managed to mitigate the risk from ‘human failure’. A multi-level bow tie method is proposed to capture these fully.

Therefore, even experienced bow tie practitioners may see changes to preferred terminology and will find novel material on HOF in this concept book. The committee believes that following these ideas will enhance the value, quality and consistency of bow ties produced, thus contributing to the goal of enhanced safety.

CCPS and EI encourage companies, regulators and other key managers of process risks around the globe to consider adopting and implementing the suggestions contained within this book.