(72b) Current State of Bow Tie Risk Assessment Method

Bow tie analysis has been in use for several years, with applications in both the upstream and the downstream process industries, as well as other major hazard industries. The method is qualitative and uses a diagrammatic representation of major accident fault pathways showing the hazard, threats, the top event, and all potential consequences, with intervening barriers and degradation pathways supporting the main pathway barriers. Bowties are sometimes defined as no more than a combination of Fault Trees and Event Trees stuck together, based on an assumption of linear causality behind incidents. Such an assumption is not, however, a necessary premise underlying the value of Bowtie-type analysis. They can be seen as a summary of the controls (barriers and safeguards) organizations rely on to protect against threats - whatever the causal mechanisms involved. The aim is enhanced communication of how major hazards are controlled. A problem has been that there is no widely accepted methodology definition and this has resulted in inconsistent diagrams, often with structural errors or showing too many barriers against potential threats.

CCPS along with the Energy Institute has developed a concept book to better define the bow tie analysis method and to show best practice ideas. The committee is composed of experienced practitioners from the upstream and downstream industries along with risk assessment and human factors consultants.

The book ensures consistent application of the bow tie technique by defining structural elements together with good and poor examples for clarification. For example the book differentiates between barriers and safeguards to ensure controls are not overrepresented which may lull the workforce into a false sense of security that an event can never occur:

• Barriers are controls along the main threat and consequence pathway which should be independent, effective and auditable, and on the prevention side fully capable of terminating the event on its own and significantly reducing the consequence on the outcome side. This is similar to an IPL in LOPA analysis. Active barriers which detect, decide and actuate elements should be displayed as a single barrier. For example 1 barrier: flammable gas ESD system rather than showing 3 barriers: gas detection, operator assessment, emergency shutdown .-

• Safeguards are controls along degradation pathways which reduce the holes in the swiss cheese and may not meet barrier requirements of being independent, effective and auditable. They are often human and organizational in nature.

The biggest area for inconsistency is the treatment of HOF - human and organizational factors. No current guidance addresses this topic well and the CCPS Committee developed novel guidance for this area. Human error should not be a direct threat. Human error should normally appear as threats for degradation pathways of a barrier and HOFs should be modeled as safeguards against those errors, as well as other threats. A multi-level bow tie approach is presented with the higher levels being the current main pathway and degradation pathways respectively. Then progressively new lower levels are introduced which show the safeguards supporting the degradation pathway safeguards. It shows important safeguards -such as safety culture, senior management engagement, recruitment screening, etc. that today are rarely shown in bow tie. The layered analysis highlights such controls that apply to many parts of a full bow tie analysis and avoids duplication. A case study shows its application to a tank overfill scenario.