How to get bow tie assessments right
Updated: Jun 12, 2023
Bow tie diagrams are powerful tools for managing major accident hazards and communication of key risk drivers with non-specialist audiences.
Even though it is straightforward to understand a bow tie diagram, it is easy to make mistakes when constructing it. In this article, we share practical advice for developing bow tie diagrams.
As shown in the picture, a bow tie diagram consists of the following elements:
Hazard – Source of risk in an operation, activity, or material
Top Event – When control of the hazard is lost
Consequences – Unwanted effect of the top event if mitigating barriers fail
Threats – Causes that can trigger the top event
Prevention barriers – Prevent the top event
Mitigation barriers – Stop or reduce the unwanted effect of the top event
Degradation factors – Condition reducing the effectiveness of barrier
Degradation controls – Stopping or reducing the effect of degradation factors
Important issues to consider when assigning the various elements and constructing the bow tie diagram will be discussed for each aspect at a time in the following. It is recommended that a bow tie diagram is built in the order of the above list.
Hazard
Describe the hazard in its controlled state, e.g., flammable gas inside a vessel and NOT, e.g., vessel explosion. Ask the question: “Is the hazard described a normal part of our normal operation?”
Ensure that the hazard description is as specific as possible and supports the purpose of the bow tie. There is a difference in analyzing loss of containment in general and overpressure protection of a system that can lead to loss of containment upon failure.
Top Event
The top event should not be mixed with consequences. A typical error is to choose a consequence with damage or harm rather than a loss of control event. Ask the question: “Is this the loss of control of the hazard, or is this a consequence?”
Consider if the top event is too narrow so that several bow ties are required to cover the hazard/system?
Can the analysis be done using a single bow tie rather than several? or
Is the top event too broad, and the analysis should be split up into several bow ties?
Ask: “How many threats and consequences can we develop for this top event (too many (>10) or too few (<2-3) or appropriate amount)”?
Consequences
Identify only significant consequences that illustrate the effect of mitigation barriers in place.
Do not identify consequences that are NOT a direct chain of events from the top event (if mitigating barriers fail).
Threats
Each threat should be able to lead to the top event if barriers fail.
Consider the following when identifying threats: “Primary equipment failure,” “Environmental Impact,” and “Operational issues.”
The use of “Human error” as a threat leading to a top event is generally NOT recommended as this is better treated as degradation factors.
Threats are not barrier failures, which is a common mistake made.
Threats having identical prevention barriers can be lumped into a single threat.
Barriers
A barrier must have the capability on its own to prevent or mitigate a bow tie sequence and meet traditional LOPA requirements for Independent Protection Layers (IPLs).
If item 1 is not fulfilled, it should not be a barrier but a degradation control instead (protecting barriers against degradation threats).
Active barriers must include all elements of detect-decide-act or, in functional safety terms: sensor-logic-final element.
The barriers should be ordered per the sequence of their effect.
If item 1-3 is not followed, there is a risk that multiple barriers are included in the bow tie pathways giving the illusion of good hazard management. On the other hand, only a few barriers are effective or independent. This is a common problem in bow ties.
ORS Consulting has supported clients in multiple industries with bow tie assessments (read more about bow-tie workshops in this insight). Contact us if you would like to discuss how to use bow tie models for managing major accident hazards.