In a previous blog, we introduced the guidelines for creating a basic bowtie diagram. Now it is time to apply the CGE guidelines and the guidelines written in the CCPS/EI book ‘Bow Ties in Risk Management’ to create a usable bowtie. This concept book explains how to create a qualified bowtie and how to use it in depth for risk management. The bowtie case in this blog comes from process safety, where relevant practical examples can be found. We expect that this blog (a) gives new bowtie users a thorough way of thinking about creating a bowtie and (b) gives experienced bowtie users a way to verify the quality of their existing bowties.
Make the hazard and the top event meaningful
The hazard and the top event are the elements that determine the scope of a bowtie. The hazard is an operation, activity, or material with the potential to cause harm. It should show the source of the risk. According to the CCPS/EI book, the hazard can include two types of detail: situational context and an indication of scale. The top event can be described as the very first moment when control over the hazard is lost. Therefore, firstly, the top event describes how control is lost or what control is lost. Secondly, the top event should happen to the hazard.
In Figure 1a, the hazard ‘Chemical/Flammables liquids’ is general and doesn’t describe the context or scale of this chemical, and the context information ‘Bulk Storage’ sits in the top event, where it is not appropriate. In contrast, ‘Flammables liquids in bulk storage’ in Figure 1b is a well-worded hazard because it contains the context information. The top event ‘Loss of Operational Control’ is also too general for the hazard ‘Chemical/Flammables liquids’, since a loss of operational control can refer to different things, while ‘Loss of primary containment’ is more precise and specific in relation to its hazard.
- The original bowtie skeleton should be revised accordingly, and an action is added to summarize the changes defined.
Generic versus specific
Figure 1a. Poorly worded hazard & top event
Figure 1b. Well-worded hazard & top event
Describe credible threats and consequences
After the hazard and top event are defined, the next step is to determine the threats and consequences. Since consequences are normally more direct than threats in event chains, many bowtie experts prefer to create consequences ahead of threats. According to the CCPS/EI guidelines, the consequence should be described as ‘[Damage] due to [Event]’; the threat should be direct, specific, credible, sufficient, and not a barrier failure. The more precise the description is, the easier the identification of barriers will be.
In Figure 2a, some common mistakes are shown. Apart from a general description of fire, the consequences describe only damage (e.g. human, property, organizational, and environmental damage). A well-worded consequence should include how the impact happens. For example, in Figure 2b, ‘Large pool fire in the tank bund area leading to fire related injuries to personnel’ elaborates on a consequence event and its impact as in a credible scenario. This description not only explains the scale and context of the fire but also refers to the impact on people, which is indispensable for further risk assessment.
‘Overfill’ is a common threat when creating a LOC bowtie. However, since this is a specific bowtie in the process field, we need to know how the ‘overfill’ causes the top event ‘loss of primary containment’. Therefore, in Figure 2b, the ‘overfill’ is described as ‘Parcel (volume) too large for the space in tank’. This shows the specific and credible causal event or state.
- Change the top consequence to move away from ‘damage’ to an event and incorporate the middle (second) consequence into it.
- Change the last consequence from ‘damage’ to an event.
- Delete the consequence ‘injure/death’.
- Change the top threat to be more meaningful about how the tank is overfilled.
Figure 2a. Poorly worded threats & consequences
Figure 2b. Well-worded threats & consequences
Ensure the quality of both preventive and recovery barriers
Preventive barriers and recovery barriers share some common characteristics. According to the guidelines, they should be effective (functional), independent, and auditable. To check the barriers on the prevention side against the guidelines, the first question is: does the barrier on its own stop the threat from causing the top event? If the answer is no, the second question is: does this barrier relate to other barriers in this threat line? If the answer is no as well, it is not a proper barrier and we delete it. A preventive barrier is effective if it is capable on its own of preventing a threat from developing into the top event. Recovery (mitigation) barriers are validated in a similar way. In this example, we elaborate only on the preventive side.
In the original bowtie, the barriers ‘Ensure an appropriate overfill design with containment’ and ‘Periodic inspection of the overflow system’ cannot independently prevent the threat from becoming the top event. We haven’t found any related barriers in the threat line of the ‘Overfill of storage tank’ either. Thus, we leave them out.
- Delete the improper or ineffective barriers according to guidelines.
Figure 3a. Check barriers
Figure 3b. Delete improper barriers
If the answer to the second question (does this barrier relate to other barriers in this threat line?) is yes, we need to group the barriers with a common barrier name in a family field. When we define a barrier family, we consider the functional phases of a barrier (Detect – Decide – Act), the integrity of safety-critical equipment, the implementation of a barrier including a whole PDCA cycle, etc.
In Figure 4a, we distinguish two barrier families among the six barriers. These two families are independently functional. For example, the three barriers ‘High level trip system’, ‘Periodic inspection of the inlet trip valve’, and ‘Overhaul the inlet trip valve’ are grouped together as ‘Independent high level trip’. The ‘Periodic inspection’ and ‘Overhaul of the trip valve’ are not barriers capable on their own of stopping the threat from becoming the top event, but they are associated with the high-level trip system.
- Group barriers to achieve the (prevention, control or mitigation) function independently.
Figure 4a. Grouping barriers by family
Figure 4b. An example of a barrier family
When considering barrier types and function phases according to the CCPS/EI guidelines, the ‘High level alarm’ is missing an element, the ‘Operator response’, as the alarm on its own does not truly meet the CCPS guidance on barrier rules. Here, a recap of the barrier rules is useful: a barrier is effective, independent, and auditable. A barrier is auditable if there is a means to check that it works and delivers its functionality on demand.
- Complete partial barriers in order to accomplish the barrier function.
Figure 5. Editing partial barriers (missing element of barriers)
- Ultimately, remove the grouped elements and create standalone barriers named as the families if a concise bowtie is needed. Switching on the family grouping display feature (BowTieXP Advanced software only) can be enough.
- Consider if there are any missing barriers and add them.
Figure 6. Well-worded barriers
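The two-question check, the family grouping and the partial-barrier check described above can be run as a small review script over one threat line. This is an added example, not part of the original blog or of BowTieXP; the Detect/Decide/Act phases assigned to each barrier and the family name used for the alarm are assumptions made for illustration.

```python
from dataclasses import dataclass

PHASES = {"detect", "decide", "act"}  # functional phases a complete barrier covers

@dataclass
class Barrier:
    name: str
    stops_threat_alone: bool         # question 1
    family: str = ""                 # question 2: family shared with related barriers
    phases: frozenset = frozenset()  # phases this element contributes (assumed)

def review_threat_line(barriers):
    """Apply the two-question check, then look for missing phases per family."""
    result = {"standalone": [], "delete": [], "families": {}}
    grouped = {}
    for b in barriers:
        if b.family:                   # Q2 yes: group under the family name
            grouped.setdefault(b.family, []).append(b)
        elif b.stops_threat_alone:     # Q1 yes, nothing related: keep as it is
            result["standalone"].append(b.name)
        else:                          # Q1 no and Q2 no: not a proper barrier
            result["delete"].append(b.name)
    for family, members in grouped.items():
        covered = set().union(*(m.phases for m in members))
        result["families"][family] = {
            "members": [m.name for m in members],
            "missing_phases": sorted(PHASES - covered),  # empty list = complete
        }
    return result

TRIP = "Independent high level trip"
ALARM = "High level alarm and operator response"  # hypothetical family name

# Threat line 'Overfill of storage tank', using the barrier names from the text.
THREAT_LINE = [
    Barrier("Ensure an appropriate overfill design with containment", False),
    Barrier("Periodic inspection of the overflow system", False),
    Barrier("High level trip system", True, TRIP, frozenset(PHASES)),
    Barrier("Periodic inspection of the inlet trip valve", False, TRIP),
    Barrier("Overhaul the inlet trip valve", False, TRIP),
    Barrier("High level alarm", False, ALARM, frozenset({"detect"})),
]
OPERATOR = Barrier("Operator response", False, ALARM, frozenset({"decide", "act"}))

if __name__ == "__main__":
    for label, line in (("before", THREAT_LINE), ("after", THREAT_LINE + [OPERATOR])):
        print(label, review_threat_line(line))
```
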
Check, check, double check
In summary, this blog illustrates how to improve an existing bowtie following the CCPS/EI guidelines. After fully understanding the definitions of the basic elements, one needs to check every element carefully against the guidelines. If the bowtie has any flaws, one should correct them and record the editing actions. Creating a good bowtie requires thorough checks of all elements, and sometimes repeating these checks to update a bowtie.