This edition first published 2022
© 2022 John Wiley & Sons Ltd
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Luca Fiorentini to be identified as the author of this work has been asserted in accordance with law.
Registered Office
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
Editorial Office
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging‐in‐Publication Data
Name: Fiorentini, Luca, 1976– author.
Title: Bow‐tie industrial risk management across sectors : a barrier based approach / Professor Luca Fiorentini.
Description: First edition. | Hoboken, NJ : Wiley, 2022. | Includes bibliographical references and index. | Summary: “As stated by ISO 31000 “organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on organization’s objectives is a risk. All activities of an organization involve risk”. ISO, together with the International Trade Centre and the United Nations Industrial Development Organization published a specific guide about the importance of the implementation of sound risk management practices in small and mid enterprises. Risk management is an integral part of all organizational processes and of decision making. It should be systematic, structured and timely. It also should be based on the best available information and tailored. It should consider human and cultural factors (“soft” factors) together with technical and organizational factors (“hard” factors).”– Provided by publisher.
Identifiers: LCCN 2021003284 (print) | LCCN 2021003285 (ebook) | ISBN 9781119523833 (hardback) | ISBN 9781119523826 (adobe pdf) | ISBN 9781119523673 (epub) | ISBN 9781119523857 (obook)
Subjects: LCSH: Risk management.
Classification: LCC HD61 .F49 2022 (print) | LCC HD61 (ebook) | DDC 658.15/5–dc23
LC record available at https://lccn.loc.gov/2021003284
LC ebook record available at https://lccn.loc.gov/2021003285
Cover Design: Wiley
Cover Image: © Nikolay_Popov/iStockphoto
To my wife Sonia, with whom, day by day and together, I always reach new important goals. Thank you for your support, patience and constant love, witnessed by the wonderful family we have.
Figure 1 Descent from Col du Chardonnet. Is it safe? Source: Luca Marmo archive photo.
Figure 2 Bas‐relief depicting the god Kairos.
Figure 3 The epistemological meaning of security.
Figure 4 Swiss Cheese Model. Source: Reason, J., 1990.
Figure 5 Top five global risks in terms of likelihood (2007–2020). Source: World Economic Forum, 2020.
Figure 6 Top five global risks in terms of impact (2007–2020). Source: World Economic Forum, 2020.
Figure 7 Different perspectives on risk.
Figure 8 Definition of the scope of risk management.
Figure 9 Relationship between principles, framework, and risk management process.
Figure 10 The principles of RM according to ISO 31000.
Figure 11 The RM framework.
Figure 12 Components of a risk management framework.
Figure 13 Risk management framework.
Figure 14 Leadership and commitment.
Figure 15 Internal and external context.
Figure 16 Identify the requirements related to risk management.
Figure 17 Implementing the risk management framework.
Figure 18 Scheme of the risk management process according to ISO 31000.
Figure 19 Relationship between the RM principles, framework, and process.
Figure 20 Improving the risk management framework.
Figure 21 The risk assessment phase in the context of the RM process.
Figure 22 Level of risk.
Figure 23 Frequency analysis and probability estimation.
Figure 24 Risk acceptability and tolerability thresholds.
Figure 25 Example of a risk matrix with level of acceptability regions.
Figure 26 Prioritization of risk given impact and liklihood.
Figure 27 Risk prioritization and the risk matrix.
Figure 28 Matrix example for qualitative ALARP analysis.
Figure 29 Achieving balance in risk reduction.
Figure 30 Risk treatment activities.
Figure 31 Residual risk.
Figure 32 Risk management process continuous improvement.
Figure 33 Documenting the risk management process.
Figure 34 Skills and knowledge for a risk manager.
Figure 35 Resources to be allocated for an effective RM.
Figure 36 Understand the mission, objectives, values, and strategies.
Figure 37 Risk control hierarchy and in practice.
Figure 38 Thinking‐Behavior‐Result model. Source: Adapted from Fiorentini and Marmo (2018).
Figure 39 Stimulus‐Response model. Source: Adapted from Fiorentini and Marmo (2018).
Figure 40 Two‐pointed model. Source: Adapted from Fiorentini and Marmo (2018).
Figure 41 Inverted two‐pointed model. Source: Adapted from Fiorentini and Marmo (2018).
Figure 42 Human factors in process plant operation. Source: Adapted from Strobhar (2013).
Figure 43 The principles of RM according to ISO 31000.
Figure 44 Main types of business risks.
Figure 45 Most common enterprise risks.
Figure 46 Culture maturity level in an organization.
Figure 47 Safety culture levels.
Figure 48 Quality of risk management approach.
Figure 49 The pathological condition.
Figure 50 The reactive condition.
Figure 51 The bureaucratic condition.
Figure 52 The proactive condition.
Figure 53 The generative condition.
Figure 54 The Deming Cycle PDCA.
Figure 55 Swiss Cheese Model applied to a major industrial event.
Figure 56 Maturity model. Source: Courtesy of EXIDA L.C.C. (USA).
Figure 57 Feed line propane‐butane separation column. Source: Adapted from Assael and Kakosimos (2010).
Figure 58 Basic structure of a fault tree (horizontal).
Figure 59 Basic structure of a fault tree (vertical).
Figure 60 Basic Events.
Figure 61 Example of the fault tree, taking inspiration from the Åsta railway incident. Source: Sklet, S., 2002.
Figure 62 Gates.
Figure 63 Fire triangle using FTA.
Figure 64 Flammable liquid storage system. Source: Modified from Assael, M. and Kakosimos, K., 2010.
Figure 65 Example of FTA for a flammable liquid storage system.
Figure 66 Fault tree example.
Figure 67 The structure of a typical ETA diagram.
Figure 68 Event tree analysis for the Åsta railway accident.
Figure 69 Pipe connected to a vessel.
Figure 70 Example of event tree for the pipe rupture.
Figure 71 Bow‐Tie diagram structure.
Figure 72 F‐N Curve.
Figure 73 Example of a risk matrix with acceptability regions.
Figure 74 Calibrated risk graph.
Figure 75 A typical Bow‐Tie.
Figure 76 Bow‐Tie as the combination of an FTA and an ETA.
Figure 77 The Swiss Cheese Model by James Reason.
Figure 78 Bow‐Tie project risk assessment.
Figure 79 Bow‐Tie diagram – transfer of a data center.
Figure 80 Bow‐Tie diagram on virtual classroom training.
Figure 81 Level of abstraction.
Figure 82 Zoom level and point in time.
Figure 83 Example of point in time.
Figure 84 Basic elements of a Bow‐Tie diagram.
Figure 85 Determining the threshold level to cause the top event.
Figure 86 Barrier functions.
Figure 87 Location of elimination and prevention barriers.
Figure 88 Location of control and mitigation barriers.
Figure 89 Barrier systems.
Figure 90 Using the same barrier on either side of the Bow‐Tie diagram.
Figure 91 Classification of safety barriers. Source: Sklet, S., 2006.
Figure 92 Barrier classification promoted by the AIChE CCPS Guidelines.
Figure 93 The energy model. Source: Haddon, W., 1980.
Figure 94 Generic safety functions related to a process model. Sources: Hollnagel, E., 2004. Barrier And Accident Prevention. Hampshire, IK: Ashgate; Duijm et al., 2004.
Figure 95 Layers of defence against a possible industrial accident.
Figure 96 A comparison between ETA and LOPA’s methodology.
Figure 97 Actions of a barrier.
Figure 98 Misuse of escalation factors, with nested structure.
Figure 99 Defining “activities” for a barrier.
Figure 100 Quantifying a simplified Bow‐Tie.
Figure 101 Scale of the effectiveness of a barrier and the relationship between effectiveness and PFD (correct).
Figure 102 Relationship between effectiveness and PFD (correct).
Figure 103 Bow‐Tie concatenation example.
Figure 104 Difference between accident, near‐accident and unintended circumstance.
Figure 105 Principles of incident analysis.
Figure 106 The importance of accident investigations.
Figure 107 Steps in the analysis of the operational experience of organizations.
Figure 108 Steps in accident investigations.
Figure 109 The pyramid of conclusions.
Figure 110 Example a Tripod Beta diagram.
Figure 111 Possible Tripod Beta appearances.
Figure 112 Example of a BFA diagram 1.
Figure 113 Example of a BFA diagram 2.
Figure 114 BFA core elements.
Figure 115 General structure of a BFA diagram.
Figure 116 Event chaining in BFA.
Figure 117 Defeated barriers are not BFA events.
Figure 118 Barrier identification in BFA.
Figure 119 Correct and incorrect barrier identification in BFA.
Figure 120 BFA analysis.
Figure 121 Events types in a BFA diagram.
Figure 122 Example of timeline developed for the Norman Atlantic investigation.
Figure 123 Timeline example.
Figure 124 The onion‐like structure between immediate causes and root causes.
Figure 125 Benefit of RCA.
Figure 126 RCA Process.
Figure 127 Levels of analysis.
Figure 128 The Bow‐Tie diagram.
Figure 129 Bow‐Tie risk assessment and incident analysis.
Figure 130 Bow‐Tie preparation workflow.
Figure 131 From organization to critical tasks.
Figure 132 Example of Barrier Criticality Assessment.
Figure 133 Steps to identify critical barriers.
Figure 134 Example of a barrier audit.
Figure 135 Traditional audit: one element of the management system is analyzed at a time.
Figure 136 Audit barrier‐based: all elements of the management system identified as relevant to a specific barrier are analyzed.
Figure 137 General workflow of LOPA.
Figure 138 The general workflow of a survey.
Figure 139 Incident barrier states and relation between barrier state and barrier lifecycle.
Figure 140 Recommendations development and review.
Figure 141 On the left: pier with a damaged downpipe; the concrete is wet and deteriorated. On the right: a similar pier with a safe downpipe; the concrete is in good condition.
Figure 142 Effects of ageing and humidity on the concrete. The reinforcement bars are corroded and there are signs of rust on the beams.
Figure 143 Concrete spalling on a Gerber support with a consequent capacity reduction. The cause of the damage has to be searched for on a damaged downpipe on the road joint (recently substituted).
Figure 144 The spalling of concrete caused the corrosion to progress. The reinforcement bars broken due to the limited cross‐section are causing a reduction of the capacity of the girder.
Figure 145 Bow‐Tie diagram for “Local reduction of the resisting capacity of a bridge due to ageing”.
Figure 146 Employee infected with COVID‐19 virus.
Figure 147 Fire in flight.
Figure 148 BFA on food contamination (near miss).
Figure 149 Web‐based software development – Bow‐Tie.
Figure 150 IT systems protection Bow‐Tie.
Figure 151 Satellite view of Matera.
Figure 152 Matera – Piazza Vittorio Veneto. On the right: steps. Source: Google LLC.
Figure 153 Developed Bow‐Tie to assess crowding‐related risks – zooming the threats and preventive barriers.
Figure 154 Developed Bow‐Tie to assess crowding‐related risks – zooming the consequences and mitigative barriers.
Figure 155 Map to develop simulated scenarios.
Figure 156 Different levels of service.
Figure 157 Piazza Vittorio Veneto and the bottleneck in Via San Biagio, Matera.
Figure 158 Impact of the soft obstacles on the pedestrian flow.
Figure 159 Bow‐Tie Risk assessment (whole picture).
Figure 160 Helicopter loss of control Bow‐Tie risk assessment.
Figure 161 Treatment of critically ill patients.
Figure 162 Treatment of patient with pain.
Figure 163 Preparing parenterals (excluding cytostatic drugs).
Figure 164 Administration of parenterals (excluding cytostatic drugs).
Figure 165 Medication verification in handoff during hospital admission.
Figure 166 Medication verification in handoff during hospital discharge (1of 2).
Figure 167 Medication verification in handoff during hospital discharge (2of 2).
Figure 168 Administration of medicines.
Figure 169 Treatment of patients with acute coronary syndrome.
Figure 170 Administering intravascular iodinated contrast media (excluding intensive care patients).
Figure 171 Applying a central venous catheter (CVC).
Figure 172 Operating on a patient.
Figure 173 Hospitalization of vulnerable elders (> 70 years) (1 of 4).
Figure 174 Hospitalization of vulnerable elders (> 70 years) (2 of 4).
Figure 175 Hospitalization of vulnerable elders (> 70 years) (3 of 4).
Figure 176 Hospitalization of vulnerable elders (> 70 years) (4 of 4).
Figure 177 Performing surgical procedures.
Figure 178 Elaboration of the threat “external corrosion” and main escalating factors and controls.
Figure 179 Link between controls and the company HSE management system procedures.
Figure 180 BFA of Flixborough (UK) incident.
Figure 181 BFA of Seveso (Italy) incident.
Figure 182 BFA of Bhopal (India) incident.
Figure 183 BFA of Piper Alpha (UK – offshore) incident.
Figure 184 BFA of Pembroke Refinery (Milford Haven) (UK) incident.
Figure 185 BFA of Texas City (US) incident.
Figure 186 BFA of Macondo (Deepwater Horizon) (US – Offshore) incident.
Figure 187 BFA of Fukishima (Daiichi) (Japan) incident.
Figure 188 Drug administration Bow‐Tie.
Figure 189 Area involved in the accident. Right, unwinding section of the line, left, the front wall impinged by flames. Source: Taken from Marmo, Piccinini and Fiorentini, 2013.
Figure 190 The flattener and the area involved in the accident. Details of the area struck by the jet fire, view from the front wall. Source: Taken from Marmo, Piccinini and Fiorentini, 2013.
Figure 191 Details of the hydraulic pipe that provoked the flash fire. Source: Taken from Marmo, Piccinini and Fiorentini, 2013.
Figure 192 Map of the area struck by the jet fire and by the consequent fire. The dots represent the presumed position of the workers at the moment the jet was released. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 193 Footprint of the jet fire on the front wall. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 194 Timescale of the accident. F1 is the time interval in which the ignition occurred. F2 is the time interval in which it is probable that the workers noticed the fire. The group 5 and group 6 events are defined as in Table 28. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 195 The domain used in the FDS fire simulations. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 196 Simulated area, elevation. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 197 Jet fire simulation results: flames at 1 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 198 Jet fire simulation results: flames at 2 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 199 Jet fire simulation results: flames at 3 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 200 Jet fire simulation results: temperature at 1 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 201 Jet fire simulation results: temperature at 2 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 202 Jet fire simulation results: temperature at 3 s from pipe collapse. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 203 Scheme of the hydraulic circuits with two‐position (a) and three‐position (b) solenoid valves. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 204 Event tree of the accident. The grey boxes indicate a lack of safety devices. Source: Marmo, Piccinini and Fiorentini, 2013.
Figure 205 Damages on the forklift.
Figure 206 Frames from the 3D video, reconstructing the incident dynamics.
Figure 207 Bow‐Tie diagram of the ThyssenKrupp fire.
Figure 208 Twente stadium roof collapse Tripod Beta analysis.
Figure 209 Water treatment Bow‐Tie analysis.
Figure 210 Timeline of the sample (developed with CGE‐NL IncidentXP).
Figure 211 Possible RCA of the sample (developed with CGE‐NL IncidentXP).
Figure 212 Possible Tripod Beta of the sample (developed with CGE‐NL IncidentXP).
Figure 213 Possible BFA of the event (developed with CGE‐NL IncidentXP).
Figure 214 Bow‐Ties developed to assess fire risk in multiple railway stations.
Figure 215 Fire load.
Figure 216 Bow‐Tie worksheet developed by TECSA S.r.l. and Royal Haskoning DHV to quantify a Bow‐Tie scheme with a LOPA approach. Not real scores and data presented in the image.
Figure 217 Barriers/protection layer scores.
Figure 218 Weakest barriers and the public.
Figure 219 Bow‐Tie model for fire risk assessment in PV plants.
Figure 220 Map of ceraunic density in Italy.
Figure 221 Annual average temperature in Italy.
Figure 222 Deming Cycle from a barrier‐based perspective.
Figure 223 Bow‐Tie core elements and general structure.
Figure 224 Bow‐Tie guiding principles.
Figure 225 BFA core elements.
Figure 226 Incident barrier state.
Figure 227 Incident barrier state decision support tree.
Figure 228 BFA guiding principles.
Figure 229 Classification of human failure.
Figure 230 Fault tree analysis, current configuration (ANTE).
Figure 231 Fault tree analysis, better configuration (configuration A).
Figure 232 Fault tree analysis, the best configuration (POST configuration).
Figure 233 Frequency estimation of the scenario “Oxygen sent to blow down, during start up of reactor of GAS1”.
Figure 234 The Swiss Cheese Model by James Reason. Source: Reason, 1990.
Figure 235 Level 1: Unsafe acts.
Figure 236 Level 2: Preconditions.
Figure 237 Level 3: Supervision issues.
Figure 238 Level 4: Organizational issues.
Table 1 Applicability of tools for risk assessment.
Table 2 Example of “what‐if” analysis. Source: Adapted from Assael, M. and Kakosimos, K., 2010.
Table 3 Guidewords for HAZOP analysis.
Table 4 Extract of an example of HAZOP analysis. Adapted from Assael and Kakosimos (2010).
Table 5 Subdivision of the analyzed system into areas.
Table 6 Hazards and assumed event in HAZID.
Table 7 List of typical consequences.
Table 8 HAZID worksheet.
Table 9 Different classification of barriers as physical or non‐physical.
Table 10 Comparison of defined hazards with insufficient detail and optimal degree for evaluation.
Table 11 Comparison of defined top events with insufficient detail and with an optimal degree for evaluation.
Table 12 Comparison of defined causes with insufficient detail and with an optimal degree for evaluation.
Table 13 Comparison of defined consequences with insufficient detail and with an optimal degree of evaluation.
Table 14 Barrier Types.
Table 15 Quality scores and judgments on the effectiveness of barriers.
Table 16 Standard Performance Scores (PS).
Table 17 Definition of BRFs in Tripod Beta.
Table 18 Example of spreadsheet event timeline.
Table 19 Example of Gantt chart investigation timeline.
Table 20 Barrier function score (FS).
Table 21 Barrier consequence of failure score (CS).
Table 22 Barrier redundancy score (RS).
Table 23 Barrier criticality ranking.
Table 24 Barrier criticality assessment example.
Table 25 Interpretation of the barrier‐based audit response histograms.
Table 26 Survey team members should and should not.
Table 27 General information about the case study.
Table 28 Record of the supervisor systems (adapted from Italian). Source: Marmo, Piccinini and Fiorentini, 2013.
Table 29 Threshold values according to Italian regulations. Source: Marmo, Piccinini and Fiorentini, 2013.
Table 30 Summary of the investigation.
Table 31 Example of calculating HEP with the SPAR‐H Method.
Table 32 PIF (current configuration)
Table 33 PIF (Configuration A)
Table 34 PIF (POST configuration)
Table 35 Frequency of incidental assumptions considered.
Riccardo Ghini
Quality Head Italy & Malta and South Europe Cluster, Sanofi
Risk assessment is a basic concept that has always accompanied me throughout my work and professional experience, so being able to contribute, albeit marginally, to the drafting of this monumental work fills me with pride and happiness.
Since the time of Legislative Decree 626/94, the ability to evaluate the probability of occurrence and the possible consequences of accidents and injuries at work has been a fundamental skill for me to develop, through the study of ever‐more‐refined methods and techniques of investigation. Finding all these useful analysis tools grouped in this way, brilliantly described and accompanied by real application examples, represents for me, and for all professionals, a unique opportunity for enrichment and deepening.
In fact, as my career continued, I soon realized how the concepts underlying this book can be effectively applied, not only in the field of work safety, but also in all areas of business activity, where words like “risk,” “scenario,” “analysis of the causes,” and “continuous improvement” have become commonly used, as they are based on the very structure of the management systems developed in accordance with the various reference standards, now completely standardized.
Furthermore, we mustn’t fail to mention the importance assumed by the methods of analysis, assessment, and operational management of the risks associated with the predicate offenses of Legislative Decree 231/2001 (administrative liability of companies and entities), which constitute the essential element in the preparation of a Corporate Organization, Management, and Control Model that effectively prevents the occurrence of the types of offense and, at the same time, constitutes a valid exemption in the context of a possible criminal trial.
The real cultural transition, however, takes place when the concept of risk assessment is adopted and is also applied outside the professional sphere, elevating it to a rational criterion to guide our daily choices: “do I overtake or not overtake the car that’s in front of me?, “do I subscribe to this insurance policy or not?,” “do I vaccinate my children or not?” These are all questions and situations we face every day, and for which it is very useful to identify the possible “top event,” the “consequences” that can be generated, and the “causes” that can originate it, as well as to know what “barriers” we can implement in our defence.
This book is therefore much more than a scientific text for a few super‐technicians and experts; it is a concrete and useful reference to all, to bring order and reasoning into our decisions, whatever they may be, in a world increasingly dominated by superficiality and disinformation.
I would also like to underline another aspect, often not adequately communicated: the concept of risk not only with a negative meaning, as a threat or weighting of an unfavourable event, but also, from the perspective of ISO 31000, as a positive deviation from the result expected, therefore, as an opportunity, to be evaluated and seized for the development of the organization. A better understanding of this dimension of risk would certainly facilitate a wider and more extensive use of the methodologies illustrated in the book.
At this point, before diving into reading and studying, I just have to applaud the authors, who represent all‐Italian excellence, similar to Ferrari and Parmigiano Reggiano, in this scientific field traditionally the prerogative of Anglo‐Saxon and American schools, and of which we must all be proud.