Bow Ties in Risk Management - E-Book

Description

AN AUTHORITATIVE GUIDE THAT EXPLAINS THE EFFECTIVENESS AND IMPLEMENTATION OF BOW TIE ANALYSIS, A QUALITATIVE RISK ASSESSMENT AND BARRIER MANAGEMENT METHODOLOGY

From a collaborative effort of the Center for Chemical Process Safety (CCPS) and the Energy Institute (EI) comes an invaluable book that puts the focus on a specific qualitative risk management methodology - bow tie barrier analysis. The book contains practical advice for conducting an effective bow tie analysis and offers guidance for creating bow tie diagrams for process safety and risk management. Bow Ties in Risk Management clearly shows how bow tie analysis and diagrams fit into an overall process safety and risk management framework. Implementing the methods outlined in this book will improve the quality of bow tie analysis and bow tie diagrams across an organization and the industry. This important guide:

* Explains the proven concept of bow tie barrier analysis for the prevention and mitigation of incident pathways, especially related to major accidents
* Shows how to avoid common pitfalls and is filled with real-world examples
* Explains the practical application of the bow tie method throughout an organization
* Reveals how to treat human and organizational factors in a sound and practical manner
* Includes additional material available online

Although this book is written primarily for anyone involved with or responsible for managing process safety risks, it is applicable to anyone using bow tie risk management practices in other safety and environmental or Enterprise Risk Management applications. It is designed for a wide audience, from beginners with little to no background in barrier management, to experienced professionals who may already be familiar with bow ties, their elements, the methodology, and their relation to risk management.
The missions of both the CCPS and EI include developing and disseminating knowledge, skills, and good practices to protect people, property and the environment by bringing the best knowledge and practices to industry, academia, governments and the public around the world through collective wisdom, tools, training and expertise. The CCPS has been at the forefront of documenting and sharing important process safety risk assessment methodologies for more than 30 years. The EI's Technical Work Program addresses the depth and breadth of the energy sector, from fuels and fuels distribution to health and safety, sustainability and the environment. The EI program provides cost-effective, value-adding knowledge on key current and future international issues affecting those in the energy sector.

Page count: 313

Year of publication: 2018

This book is one of a series of process safety guidelines and concept books published by the Center for Chemical Process Safety (CCPS). Please go to www.wiley.com/go/ccps for a full list of titles in this series.

This concept book is issued jointly with the Energy Institute. In EI publications, concept books are termed Research Reports in its series of technical publications. EI publications can be found at http://publishing.energyinst.org/.

The information contained in this material is distributed as a reference guide only. It has been compiled from sources believed to be reliable and to represent the current industry opinion on the subjects set forth herein. No warranty, guarantee or representation is made by the American Institute of Chemical Engineers, CCPS Technical Steering Committee and its Subcommittee members, EI and its subcommittee members, DNV GL USA, Inc., or any of their respective employees, officers, directors, consultants, and or employees (collectively the ‘Producer’) as to the correctness or sufficiency of any representation or information contained in this reference material. Producer expressly disclaims any warranty or guaranty, either express or implied, including without limitation any warranty of fitness for a particular purpose. Producer assumes no responsibility in connection herewith nor can it be assumed that all acceptable safety measures and/or other standards are included herein or that other additional measures may not be required in any given circumstances. Any use of or reliance on this reference material by any party shall be at the sole risk of such party. In no event will Producer or any of its parent or affiliate companies, or any of its or their respective directors, officers, shareholders, and/or employees be liable to any other party regarding any of the statements, recommendations, and/or opinions contained in this reference material, and/or for any use of, reliance on, accuracy, or adequacy of same.

BOW TIES IN RISK MANAGEMENT

A Concept Book for Process Safety

CCPS in association with the Energy Institute

CENTER FOR CHEMICAL PROCESS SAFETY OF THE AMERICAN INSTITUTE OF CHEMICAL ENGINEERS

New York, NY

and

ENERGY INSTITUTE

London, UK

This edition first published 2018 © 2018 the American Institute of Chemical Engineers

The American Institute of Chemical Engineers and the Energy Institute claim copyright on the contents of this concept book.

A Joint Publication of the American Institute of Chemical Engineers and John Wiley & Sons, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to re-use material from this title is available at http://www.wiley.com/go/permissions.

The rights of CCPS to be identified as the author of the editorial material in this work have been asserted in accordance with law.

Registered Office John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office 111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data

Names: American Institute of Chemical Engineers. Center for Chemical Process Safety, author.  Title: Bow ties in risk management : a concept book for process safety / CCPS, in association with the Energy Institute / Center for Chemical Process Safety of the American Institute of Chemical Engineers,  and Energy Institute, London, UK. Other titles: Bow ties in risk management Description: Hoboken, NJ : John Wiley & Sons, Inc. : American Institute of Chemical Engineers,  2018. | Series: Process safety guidelines and concept books | Includes bibliographical references and index. | Identifiers: LCCN 2018033748 (print) | LCCN 2018035050 (ebook) |  ISBN 9781119490388 (Adobe PDF) | ISBN 9781119490340 (epub) | ISBN 9781119490395 (hardcover) Subjects: LCSH: Chemical plants--Safety measures. | Risk management. | Organizational learning. Classification: LCC TP150.S24 (ebook) | LCC TP150.S24 B69 2018 (print) | DDC 660/.2804–dc23 LC record available at https://lccn.loc.gov/2018033748

CONTENTS

Cover

Title page

Copyright page

Acronyms and Abbreviations

Glossary

Acknowledgments

Online Materials Accompanying this Book

Preface

1: Introduction

1.1 Purpose

1.2 Scope and Intended Audience

1.3 Organization of This Concept Book

1.4 Introduction to The Bow Tie Concept

1.5 Conclusions

2: The Bow Tie Model

2.1 Bow Tie Model Elements

2.2 Hazard

2.3 Top Event

2.4 Consequences

2.5 Threats

2.6 Barriers

2.7 Degradation Factors and Degradation Controls

2.8 Conclusions

3: Bow Tie Development

3.1 Rationale For Bow Tie Development

3.2 Bow Tie Workshop

3.3 Post-Bow Tie Workshop Activities and Quality Checks

3.4 Conclusions

4: Addressing Human Factors in Bow Tie Analysis

4.1 Human And Organizational Factors Fundamentals

4.2 Standard and Multi-Level Bow Tie Approaches

4.3 Human and Organizational Factors as A Barrier or Degradation Control

4.4 Validating Human Performance In Barriers And Degradation Controls

4.5 Quantifying Human Reliability in Bow Ties

4.6 Conclusions

5: Primary Uses Of Bow Ties

5.1 Primary Use Examples

5.2 Linking Bow Ties To The Risk Management System

5.3 Communication of Major Accident Scenarios and Degradation Controls

5.4 Use of Bow Ties in Design and Operations

5.5 Identification of Safety Critical Information

5.6 Conclusions

6: Barrier Management Program

6.1 Barrier Management Strategy

6.2 Barrier and Degradation Control Management Program

6.3 Organizational Learning

6.4 Conclusions

7: Additional Uses of Bow Ties

7.1 Additional Use Examples

7.2 Linking Bow Ties To HAZOP, LOPA and SIL

7.3 Integrating Bow Ties into ALARP Demonstrations

7.4 Operationalizing Bow Ties (MOPO / SOOB)

7.5 Incident Investigation Using Bow Ties

7.6 Real-Time Dashboards Using Bow Ties

7.7 Barrier and Degradation Control Verification

7.8 Bow Tie Chaining

7.9 Enterprise-Wide Analysis And Window On Systemic Risks

7.10 Conclusions

Appendix A – Software Tools

Appendix B – Case Study

Appendix C – Multi-Level Bow Ties

References

Index

Wiley End User License Agreement

List of Illustrations

1

Figure 1-1

Fatal Accident Rate vs Total Hours Worked (Global Data)

Figure 1-2

Swiss Cheese Model (James Reason)

Figure 1-3

Bow Tie Model

2

Figure 2-1

Standard Bow Tie Showing all the Basic Elements

Figure 2-2

Gasoline Storage Tank Hazard

Figure 2-3

Example of a Hazard and Top Event

Figure 2-4

Consequence caused by the Top Event of Tank Overflow

Figure 2-5

Threat Leading to the Top Event of Tank Overflow

Figure 2-6

Bow Tie Showing Prevention and Mitigation Barriers on Either Side of the Top Event

Figure 2-7

Detect-Decide-Act Model

Figure 2-8

Demonstration of Time-ordered Barrier Sequence

Figure 2-9

Barrier Hierarchy

Figure 2-10

Example Placement of Degradation Control on Degradation Pathway

Figure 2-11

Example of Degradation Controls

Figure 2-12

Level of Detail in a Bow Tie Diagram

3

Figure 3-1

Bow Tie Creation Flow Chart

4

Figure 4-1

Positive and Negative Human Behavior Types

Figure 4-2

Poor and Better Treatment of Human Error in a Bow Tie

Figure 4-3

Poor Treatment of Human Error as a Threat

Figure 4-4

Better Treatment of Human Error as a Degradation Factor

Figure 4-5

Concept of Multi-Level Bow Tie Approach (for Standard Bow Tie and Extension Level 1)

Figure 4-6

Concept of Multi-Level Bow Tie Approach (with Extension Level Degradation Controls Cascading Directly off the Standard Bow Tie)

5

Figure 5-1

Barrier Management to Return Risk to Original Target Level

6

Figure 6-1

Barrier or Degradation Control Management Flowchart

Figure 6-2

Corporate Template and Local Facility Bow Ties

7

Figure 7-1

Comparison of LOPA and Bow Tie Barrier Assessment

Figure 7-2

SOOB with SIMOPS, MOPO and Operational Risk Factors (IADC, 2015)

Figure 7-3

Operation of a MOPO System (Detman & Groot, 2011)

Figure 7-4

Bow Tie Investigation Methods (Tripod Beta and BSCAT)

Figure 7-5

Displaying Verification Information on Bow Tie Diagrams

Appendix B

Figure B-1

Bow Tie Creation Flow Chart

Figure B-2

Pipeline Loss of Containment Bow Tie – Threat Leg

Figure B-3

Pipeline Loss of Containment Bow Tie – Consequence Leg

Appendix C

Figure C-1

Bow Tie Summary for Tank Overfill Example

Figure C-2

Bow Tie Expansion Showing Main Pathways Only (Prevention Side)

Figure C-3

Bow Tie Expansion Showing Main Pathways Only (Consequence Side)

Figure C-4

Standard Bow Tie Showing Main Pathways and Degradation Factors (Prevention Side)

Figure C-5

Standard Bow Tie Showing Main Pathways and Degradation Factors (Consequence Side)

Figure C-6

Level 1 Extension Bow Tie for Operators Fail to Respond Degradation Factor (for Degradation Controls 1 and 2)

Figure C-7

Standard Bow Tie Degradation Pathway and Level 1 Extension showing Degradation Controls supporting Higher Degradation Controls

ACRONYMS AND ABBREVIATIONS

AIChE

American Institute of Chemical Engineers

ALARP

As Low As Reasonably Practicable

API

American Petroleum Institute

ATP

Authorized To Proceed

BOP

Blowout Preventer

CCPS

Center for Chemical Process Safety (of AIChE)

COMAH

Control of Major Accident Hazards (UK Regulation incorporating most of the EU Seveso Directive requirements)

CSB

Chemical Safety Board (US)

DNP

Do Not Proceed

ETA

Event Tree Analysis

ESD

Emergency Shutdown

EI

Energy Institute

EU

European Union

FMECA

Failure Modes, Effects and Criticality Analysis

FRAM

Functional Resonance Analysis Method

FTA

Fault Tree Analysis

HAZID

Hazard Identification Study

HAZOP

Hazard and Operability Study

HOF

Human and Organizational Factors

HSE

Health, Safety and Environment

HSE

Health and Safety Executive (UK)

IADC

International Association of Drilling Contractors

IOGP

International Association of Oil & Gas Producers

IPL

Independent Protection Layer

ISO

International Standards Organization

KPI

Key Performance Indicator

LOPA

Layer of Protection Analysis

LOTO

Lock Out Tag Out (part of Permit to Work)

LPG

Liquefied Petroleum Gas

MAE

Major Accident Event

MOC

Management of Change

MOPO

Manual of Permitted Operations

NFPA

National Fire Protection Association

NOPSEMA

National Offshore Petroleum Safety and Environmental Management Authority (Australia)

NORSOK

Norwegian Oil Industry Standards (Norsk Sokkels Konkuranseposisjon)

OSHA

Occupational Safety and Health Administration (US)

PHA

Process Hazard Analysis

P&ID

Piping and Instrumentation Diagram

PSA

Petroleum Safety Authority (Norway)

PTW

Permit To Work

QRA

Quantitative Risk Assessment

RBPS

Risk Based Process Safety

SCE

Safety Critical Element (also Safety or Environmental Critical Element or Equipment)

SIL

Safety Integrity Level (as per IEC 61508 / 61511 standards)

SIMOPS

Simultaneous Operations

SOOB

Summary of Operational Boundaries

STAMP

Systems Theoretic Accident Model & Processes

GLOSSARY

Terms in this Glossary, where relevant, match the online CCPS Glossary of Terms for Process Safety.

ALARP

As Low As Reasonably Practicable – a term used to describe a target level for reducing risk that would implement risk reducing measures unless the costs of the risk reduction in time, trouble or money are grossly disproportionate to the benefit. In bow tie analysis, it is a performance-based standard used for determining whether appropriate barriers have been put in place such that residual risk is reduced as far as reasonably practicable.

Barrier

A control measure or grouping of control elements that on its own can prevent a threat developing into a top event (prevention barrier) or can mitigate the consequences of a top event once it has occurred (mitigation barrier). A barrier must be effective, independent, and auditable. See also Degradation Control. (Other possible names: Control, Independent Protection Layer, Risk Reduction Measure).

Barrier Type

These are categories of a barrier. The purpose of defining a barrier type is to clarify its operational mode and to make transparent the case where only one type (e.g., active human) is relied on exclusively. Active barriers must contain the three elements of detect-decide-act.

• Passive Hardware

A barrier system that is continuously present and provides its function without any required action.

• Active Hardware

A barrier system that requires some action to occur to achieve its function. All aspects of the barrier detect-decide-act functions are achieved by hardware or software.

• Active Hardware and Human

The barrier detect-decide-act aspects are achieved by a mix of hardware, software and by at least one necessary human action.

• Active Human

The barrier detect-decide-act aspects are all achieved by humans. Some interaction with hardware will be necessary but the functions are predominantly human.

• Continuous Hardware

The barrier function is achieved by some continuous action.

Bow Tie Model

A risk diagram showing how various threats can lead to a loss of control of a hazard and allow this unsafe condition to develop into a number of undesired consequences. The diagram can show all the barriers and degradation controls deployed.

Consequence

The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. Another possible name: Outcome. The magnitude of the consequence may be described using a Risk Matrix.

Critical Barrier

An optional designation, sometimes required by companies or regulators, which identifies a subset of barriers that are designated to be more significant in risk control. The designation can assist prioritization of the barrier in terms of inspection, testing, maintenance and training. In principle, all barriers in a bow tie diagram are important and need an ongoing management process to ensure their effectiveness.

Dashboard

A simplified management diagram displaying KPIs or metrics (both leading or lagging) considered important in achieving the organization’s safety, environmental or commercial objectives. Barrier status could be a key element to be displayed on a dashboard.

Degradation Factor

A situation, condition, defect, or error that compromises the function of a main pathway barrier, through either defeating it or reducing its effectiveness. If a barrier degrades then the risks from the pathway on which it lies increase or escalate, hence the alternative name of escalation factor. (Other possible names: Barrier Decay Mechanism, Escalation Factor, Defeating Factor).

Degradation Control

Measures which help prevent the degradation factor impairing the barrier. They lie on the pathway connecting the degradation threat to the main pathway barrier. Degradation controls may not meet the full requirements for barrier validity. (Other possible names: Degradation Safeguard, Defeating Factor Control, Escalation Factor Control, Escalation Factor Barrier).

Dike

Synonymous with bund. A passive barrier describing a secondary containment system around a tank, the walls of which act as the primary containment.

Hazard

An operation, activity or material with the potential to cause harm to people, property, the environment or business or simply, a potential source of harm.

HAZOP

Hazard and Operability Study. A systematic qualitative technique to identify and evaluate process hazards and potential operating problems, using a series of guidewords to examine deviations from normal process conditions.

Human Factors

A term with both ergonomic and organizational implications. A discipline concerned with designing machines, operations, and work environments so that they match human capabilities, limitations, and needs. Human Factors is also the discipline used to describe the interaction of individuals with each other, with facilities and equipment, and with management systems. This interaction is influenced by both the working environment and the culture of people involved.

Impaired

Any degree of degradation of barrier performance from its intended function (i.e., partially available, not available, unknown status, etc.).

Incident

An event, or series of events, resulting in one or more undesirable consequences, such as harm to people, damage to the environment, or asset/business losses. Such events include fires, explosions, releases of toxic or otherwise harmful substances, and so forth.

Independence

The condition that no significant common mode of failure exists that would degrade two or more barriers simultaneously in an incident pathway.

LOPA

Layer of Protection Analysis. An approach that analyzes one incident scenario (cause-consequence pair) at a time, using predefined values for the initiating event frequency, independent protection layer failure probabilities, and consequence severity, in order to compare a scenario risk estimate to risk criteria for determining where additional risk reduction or more detailed analysis is needed.

Main Pathway Barrier

A barrier that lies along the direct route from a threat to the top event or from the top event to a consequence. (Another possible name: primary barrier).

MAE

Major Accident Event (MAE). A hazardous event that results in one or more fatalities or severe injuries; or extensive damage to structure, installation or plant or large-scale, severe and / or persistent impact on the environment. In bow ties MAEs are outcomes of the top event. (Other possible names: major accident, major incident).

Metadata

Information about other information. In the barrier context, the base information would be the barrier name and description; metadata would be the collection of other data relating to the barrier.

Mitigation Barrier

A barrier located on the right-hand side of a bow tie diagram lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs. (Other possible names: Reactive Barrier, Recovery Measure).

MOPO

Manual of Permitted Operations. An operational management diagram derived from bow ties that maps all required barriers that must be functional before a defined activity can be carried out. Impaired barriers must be repaired or replaced with an equivalent alternative before the activity can be carried out. (Other possible name: Summary of Operational Boundaries – SOOB).

Multi-Level Bow Tie

An advanced approach that extends the standard bow tie to show deeper level degradation controls that support degradation controls from themselves degrading. The first level of build-out beyond the standard bow tie is termed Extension Level 1. Additional extension levels are possible. (See Standard Bow Tie).

Pathway

A bow tie arm on which barriers or degradation controls are located. A Main Pathway is an arm connecting the various threats to the top event, or the top event to the various consequences and these contain barriers. (Alternative term: Prevention Pathway or Mitigation Pathway). Arms connecting degradation factors to a main pathway barrier are termed Degradation Pathways and these contain Degradation Controls.

Performance Standard

Measurable statement, expressed in qualitative or quantitative terms, of the performance required of a system, equipment item, person or procedure (that may be part or all of a barrier), and that is relied upon as a basis for managing a hazard. The term includes aspects of functionality, reliability, availability and survivability.

Prevention Barrier

A barrier located on the left-hand side of a bow tie diagram, lying between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence. (Other possible name: Proactive Barrier).

Process Hazard Analysis

An organized effort to identify and evaluate hazards associated with processes and operations to enable their control. This review normally involves the use of qualitative techniques to identify and assess the significance of hazards. Conclusions and appropriate recommendations are developed. Occasionally, quantitative methods are used to help prioritize risk reduction.

Process Safety Management

A comprehensive set of policies, procedures, and practices designed to ensure that barriers to episodic incidents are in place, in use, and effective.

The term is used generically in this document and is not restricted to the scope and rules of OSHA 29 CFR 1910.119 (frequently referred to as Process Safety Management or PSM). It is often aligned with the CCPS Risk Based Process Safety (RBPS) Guideline or the EI PSM Framework.

RAGAGEP

Recognized and Generally Accepted Good Engineering Practices (RAGAGEP) – a US regulatory requirement. They are the basis for engineering, operation, or maintenance activities and are themselves based on established codes, standards, published technical reports or recommended practices or similar documents. RAGAGEP details generally approved ways to perform specific engineering, inspection or asset integrity activities, such as fabricating a vessel, inspecting a storage tank, or servicing a relief valve.

Risk Matrix

A tabular approach for presenting risk tolerance criteria, typically involving graduated scales of incident likelihood on the Y-axis and incident consequences on the X-Axis. Each cell in the table (at intersecting values of incident likelihood and incident consequences) represents a particular level of risk.

Risk Register

A regularly updated summary of potential major accident events over a facility life cycle, with an estimate of risk contribution and the barriers needed to achieve that level of risk. The risk register can be developed from facility PHA studies.

Risk Assessment

The process by which the results of a risk analysis (i.e., risk estimates) are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with risk targets.

Safety I / II

A transition in safety thinking proposed by Hollnagel from where humans are regarded primarily as a source of errors in process safety (Safety I) to where humans are regarded as contributing more to ongoing safety successes (Safety II).

Safety Critical Element

Any part of an installation, plant or computer program whose failure will either cause or contribute to a major accident, or the purpose of which is to prevent or limit the effect of a major accident. Safety Critical Elements are typically part of barriers. In the context of this book, safety includes harm to people, property and the environment. (Other possible names: Safety and Environmental Critical Element, Safety Critical Equipment).

Safety Critical Task

A task where human or organizational factors could cause or contribute to a major accident, or where the purpose of the task is to prevent or limit the effect of a major accident, including:

initiating events;

prevention and detection;

control and mitigation, and

emergency response.

Safety Critical Tasks are typically part of barriers.

Safety Integrity Level (SIL)

A relative level of risk reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a safety instrumented function (SIF). Defined in the IEC 61511 standard.

Standard Bow Tie

The basic bow tie showing hazard, top event, threats and consequences, with prevention and mitigation barriers, and optionally degradation pathways containing degradation controls supporting the main pathway barrier against identified degradation threats. (See also Multi-Level Bow Ties).

Swiss Cheese Model

A model of accident causation developed by James Reason. It represents a system of safety barriers depicted as slices of cheese with holes. In this model, the slices of cheese represent the safety barriers and the number and size of the holes an indication of the vulnerability of the barrier to fail.

Threat

A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event). (Other possible names: Cause, Initiating Event).

Top Event

In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.

The term derives from Fault Tree Analysis where the unwanted event lies at the ‘top’ of a fault tree that is then traced downward to more basic failures, using logic gates to determine its causes and likelihood.

ACKNOWLEDGMENTS

The committee structure for this concept book differs from other CCPS books in that this was a joint project done in full collaboration with the Energy Institute. In addition, the contribution of the European Commission Joint Research Centre Major Accident Hazard Bureau is gratefully acknowledged. The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) express their gratitude to all the members of the Bow Ties in Risk Management Subcommittee and their member companies for their generous efforts and technical contributions. Similarly, the EI acknowledges its Bow Ties in Risk Management Subcommittee, and its Technical Partner and Technical Company Members for co-sponsoring the development of this concept book.

The authors from DNV GL and CGE Risk Management Solutions are also acknowledged, especially the principal authors Dr. Robin Pitblado and Paul Haydock, with additional inputs from Tatiana Norman, Jo Everitt, Amar Ahluwalia, Chris Boylan, and Ben Keetlaer.

Many of the figures in this concept book have been created in software, either from Thesis (ABS Group) or BowTieXP (CGE Risk). This contribution is acknowledged. Details on the software are provided in Appendix A.

PROJECT TEAM MEMBERS:

CCPS

Kiran Krishna, Shell (Project Team Chair)
Timothy McGrath, ex Chevron (Project Team Vice-Chair)
Americo Carvalho Neto, Braskem
Umesh Dhake, CCPS Asia Manager
Martin Johnson, BP
Mark Manton, ABS Group
Ron McLeod, Ron McLeod Ltd
Darrin Miletello, Lyondell Basell
Sudhir Phakey, Linde Gas
Keith Serre, Nexen
Ryan Supple, ConocoPhillips
Thiruvaiyaru Venkateswaran, Reliance Industries
Stephanie Wardle, Husky Energy
Danny White, Ex-BHP Billiton
Charles Cowley, CCPS Staff Consultant (Project Manager)

Energy Institute

Mark Scanlon, Energy Institute (Project Team Co-Chair)
Donald Smith, ENI
Dennis Evers, Centrica
Rob Miles, Hu-Tech
Rob Saunders, Shell

European Commission Joint Research Centre Major Accident Hazards Bureau

Maureen Wood
Zsuzsanna Gyenes

Before publication, all CCPS and EI books are subjected to a thorough peer review process. CCPS and EI gratefully acknowledge the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of this concept book.

Peer Reviewers:

San Burnett, BHP Billiton
Palani Chidambaram, Du Pont
Chris Devlin, Celanese
Scott Haney, Marathon Oil
Ed Janssen, Ed Janssen Risk Management Consulting
Bob Johnson, Unwin
Steve Lewis, Risktec
Don Loreno, ABS Group
Sian Miller, Newcrest Mining
Bradd McCaslin, Shell
Eric Wakley, Shell
Jack McCavit, JLM Consulting
Mary Metz, Director of Water Resource Policy Alberta
Louisa Nara, CCPS
Cathy Pincus, Exxon Mobil
Jan Pranger, Krypton Consulting
Karla Salomon, Chevron
Hans Schwarz, BASF
John Sherban, Systemic Risk Management Inc.
Mike Snyder, Dekra
Jeff Thomas, PII
Martin Timm, Praxair
Jan Windhorst, WEC Inc
Tracy Whipple, BP
Stuart King, EI HOFCOM and Tripod Foundation
Sam Daoudi, EI Process Safety Committee
Trish Kerin, IChemE Safety Centre
Sam Mannan, MKO Process Safety Center, Texas A&M University
Ian Travers, Ian Travers Ltd (ex Deputy Director Chemicals Regulation, HSE)
Mike Nicholas, Environment Agency
Mike Wardman, Health & Safety Laboratory (HSL)
Patrick Hudson, Independent Consultant, Emeritus Professor, Delft University

ONLINE MATERIALS ACCOMPANYING THIS BOOK

Although the bow tie figures in this book are shown in black and white and reduced in size to enhance readability, some of them are available in color and larger size in an online register.

To access this online material, go to:

www.aiche.org/ccps/publications/BTRM.aspx

Enter the password BTRM2018

PREFACE

CCPS and EI Introduction

The American Institute of Chemical Engineers (AIChE) has been closely involved with process safety and loss control issues in the chemical and allied industries since the 1970s. AIChE publications and symposia have become information resources for those devoted to process safety and environmental protection.

AIChE created the Center for Chemical Process Safety (CCPS) in 1985 after the disasters in Mexico City, Mexico, and Bhopal, India. The CCPS is chartered to develop and disseminate technical information for use in the prevention of major chemical incidents. The Center is supported by around 200 chemical process industry sponsors that provide the necessary funding and professional guidance to its technical committees. The major product of CCPS activities has been a series of books to assist those implementing various elements of a process safety and risk management system. To complement the longer, more comprehensive Guidelines series and to focus on more specific topics, the CCPS extended its publication program in the last few years to include a ‘Concept Series’ of books. This book is part of the Concept Series.

The Energy Institute (EI) is the chartered professional body for the energy industry, developing and sharing knowledge, skills and good practice towards a safe, secure and sustainable energy system. The EI was set up in 2003 as the result of a merger between the Institute of Petroleum (IP) and the Institute of Energy (InstE). EI supports over 23,000 individuals working in or studying energy and 250 energy companies worldwide. The EI provides learning and networking opportunities to support professional development, as well as professional recognition and technical and scientific knowledge resources on energy in all its forms and applications.

The EI’s purpose is to develop and disseminate knowledge, skills and good practice towards a safe, secure and sustainable energy system. It informs policy by providing a platform for debate and scientifically-sound information on energy issues. In fulfilling the EI’s mission, its Technical Work Program addresses the depth and breadth of the energy sector, from fuels and fuels distribution to health and safety, sustainability and the environment. This program provides cost-effective, value-adding knowledge on key current and future issues affecting those operating in the energy industry, both in the UK and internationally. For further information, please visit http://www.energyinst.org.

Bow Ties in Risk Management Concept Book

CCPS has been at the forefront of documenting and sharing important risk assessment methodologies for more than 30 years. It has published well-known guidelines on hazard identification, chemical process quantitative risk assessments, Layer of Protection Analysis (LOPA), and facility siting. This concept book continues that tradition with a focus on a specific qualitative risk assessment methodology – bow tie barrier analysis.

Barrier-based risk assessment has been applied to process safety risks for over two decades and increasingly frequently through the use of bow tie diagrams. Bow tie barrier analysis focuses on assessing barriers for the prevention and mitigation of incident pathways, especially related to major accidents. Bow tie diagrams examine potential major accidents by diagrammatically mapping the hazards and threats that may lead to an event and the potential undesired consequences, including most importantly, all the barriers and degradation controls in place to reduce the risk. Bow tie diagrams can assist with barrier management, the analysis of risk reduction, and the assessment of barriers in place. They provide a powerful means to communicate complex process safety information to staff, contractors, regulators, senior management, the public, and other stakeholders.

The increasing use of bow ties to communicate risks and barriers has led the CCPS Technical Steering Committee to charter a project committee to develop this concept book for Bow Ties in Risk Management. The Energy Institute (EI) and European Commission Major Accident Hazards Bureau were collaborating partners with CCPS on this project. To gather input from many experienced sources, CCPS invited representatives from many chemical and petroleum companies, trade associations, and regulators involved in the field of process safety, as well as other key stakeholders or subject matter experts to participate in this committee’s activities. The Energy Institute joined the project to share the knowledge of its members and particularly to provide additional focus on the human factors aspects of bow ties.

Well-constructed bow tie diagrams, which are clear and easy to communicate, may give the impression that they are easy to create. This is not the case. Too often bow ties are created with structural or other errors that detract from their value. The aim of this concept book is to equip the novice or even experienced reader with the requisite skills and knowledge in order to develop quality bow ties.

While there is currently a reasonable degree of consensus on how to handle technical matters in bow ties, the same is not true for Human and Organizational Factors (HOF). Chapter 4 addressing human factors in bow tie analysis is the product of a sub-committee representing a wide range of experience in the practice of human factors in the process industries, including both industrial and regulatory backgrounds. The sub-committee considered and critically evaluated how human factors issues are represented in current approaches to bow tie modeling. This group recognized the need for simplicity and clarity in bow ties as implemented, but also that oversimplification can lead to an incorrect understanding of how human factors actually contribute to safer operations. The approach described here addresses the critical role that people play in barrier systems, with the wide range of HOF that need to be managed effectively for barriers to be as robust as they reasonably can be – all with the aim of preventing barriers being degraded or defeated by ‘human error’. Current approaches to bow tie modeling rarely capture the complexity of the human contribution to barrier systems and may not recognize the range of factors that need to be managed to mitigate the risk from ‘human failure’. A multi-level bow tie method is proposed to capture these fully.

Therefore, even experienced bow tie practitioners may see changes to preferred terminology and will find novel material on HOF in this concept book. The committee believes that following these ideas will enhance the value, quality and consistency of bow ties produced, thus contributing to the goal of enhanced safety.

CCPS and EI encourage companies, regulators and other key managers of process risks around the globe to consider adopting and implementing the suggestions contained within this book.

1 INTRODUCTION

1.1 PURPOSE