1
Probability bow-ties – a transparent risk
management tool
John E Cockshott, FIChemE, FIE(Aust), CEng, CPEng, BSc(Eng), ACGI
Abstract— The “Bow-Tie” diagram is a constructive risk
management tool, providing a pictorial representation of
the relationship between hazards, initiating events,
controls and consequences. It is easily understood by
management, engineers, OHSE professionals, process
operators and maintenance personnel involved in risk
management. Rapid risk ranking methods are
commonly used to evaluate the risks of simple
likelihood-consequence pairs and are straightforward in
application. Rapid risk ranking uses descriptors rather
than numbers for likelihood, severity and risk, avoiding
the common aversion to numerical values. Nonetheless,
it is based on an underlying mathematical construction.
These two tools have been combined to provide a simple
and transparent risk management tool, the Probability
Bow-tie, which can be applied to more complicated
systems usually found in the process industries. With
adherence to conservative assignment rules, the
Probability Bow-tie provides a robust method for
determining likelihoods for complicated systems, and
assists in assessing the adequacy of controls to achieve a
company’s tolerable risk criteria. This paper presents a
practical methodology using Probability Bow-ties for
risk assessment using standard spreadsheet computer
programs normally available in even the smallest
operating companies. Probability Bow-ties were
constructed for a new hazardous chemical marine
terminal, using spreadsheets to depict the Bow-tie
structure and incorporating lookup tables for
likelihoods, outcome severities and risk levels. The risk
level for individual outcomes and aggregated risk levels
for the terminal are calculated by spreadsheet linkages.
The methodology is simple in application, is transparent,
is easily maintained by the operating company, provides
a useful training tool for hazard awareness and presents
a realistic appreciation of the value of controls in place.
Index Terms—Bow-ties, Risk Assessment, Rapid Risk
Ranking, LOPA.
I. INTRODUCTION
In August 1991, a major fire occurred at a chemical storage
facility at Coode Island, Melbourne, Victoria, Australia. The
fires burned for two days, destroying approximately 30
J. E. Cockshott is principal of Cockshott Consulting Engineers,
Melbourne Australia. The firm provides chemical engineering consulting
services to a range of process industries.
storage tanks, though no terminal personnel or members of
the public were injured. Two fire fighting personnel
received minor injuries. A subsequent 1998 disaster at the
Longford Gas Plant, also in Victoria, prompted the State
Government to implement new major hazard facilities
regulations aimed at identifying and preventing potential
major incidents and limiting their consequences.
Development of a new chemical storage terminal at
Coode Island was therefore undertaken to achieve the
objectives of world’s best practice and comply with the new
Victorian Major Hazard Facilities (MHF) Regulations.
These regulations broadly follow other international
regulations for the control of major hazard facilities. In
particular, they require the operator of the facility to:
• establish and implement a safety management
system;
• identify major hazards;
• conduct comprehensive safety assessments; and
• adopt control measures which eliminate or reduce so
far as is practicable, risk to health and safety.
The regulations require the operator of the major hazard
facility to demonstrate compliance by the preparation and
submission of a Safety Case. Hazard identification during
the design phase was achieved by conducting process
reviews, HAZIDs and HAZOPs. Consequence analysis was
performed for each potential major incident (PMI). The
identified hazards and adopted control measures and
calculated risks were incorporated in a comprehensive risk
register. Early discussions with the regulatory authorities
indicated a requirement for a detailed discussion of the
appropriateness and effectiveness of each control measure
associated with the prevention or mitigation of a major
incident.
Design of the facility was a collaborative effort of the
facility operator and chemical industry clients (represented
by the author) and following a review of chemical storage
best-practices worldwide, as well as lessons learned from
the 1991 fire, incorporated features to minimise the risk to
people and the environment. These included:
• 10 kPa design-pressure (rather than atmospheric)
storage tanks for all flammable liquids;
• nitrogen padding of tanks (except polymerisable
products, provided with a depleted oxygen pad);
• vapour balancing of all products;
• hard-piped, product-dedicated stainless steel liquid
and vapour pipelines, eliminating hose exchanges,
and
• SIL-rated instrumentation for critical control
 2

systems. For MHF Regulations, the hazard release represents a

The operator had previous experience of quantitative risk Table 1 Terms used for Bow-Ties
assessment (QRA) studies conducted by third parties, but
Term Definition Examples
found that the process did not take sufficient account of
Hazard This is a condition that Flammable chemicals in
specific design features, operational and maintenance could potentially lead to storage.
practices. It was considered that underlying failure scenarios injury, damage to Flammable chemicals at
and the source of failure data were often obscure (“black- property or the pressure.
environment.
box”) and the output was insensitive to what would
intuitively be considered significant safety improvements. Initiating An event which has the Corrosion of pipeline.
Traditional QRA was considered an inappropriate tool to Event potential to release a Human error (line-up
hazard. failure).
provide a comparative evaluation of the appropriateness and
effectiveness of individual control measures for the facility. Control Preventative control Materials selection.
The operator had selected Bow-Ties as a primary tool for Measures measures put in place to Safety valves.
assembling information on hazards, initiating events, control (Preventative) prevent releasing the Control systems.
hazard. Procedural controls.
measures and consequences in a form suitable for process Preventative maintenance.
operator understanding and training. They provided a Training.
holistic view and an appreciation of control measures
Potential The initial consequence Loss of Containment.
working together. The operator had also adopted Rapid Risk Major which involves the
Ranking (RRR) methodology as a core feature of the risk Incident release of the hazard.
register and this was universally understood by personnel. (PMI)
What was needed was a risk assessment tool that took Control s Mitigative control Secondary containment
into account the specific design features, engineering and Measures measures put in place to (bunds).
administrative controls incorporated in the design and (Mitigative) prevent the PMI from Fire or gas detection
escalating to a systems.
operation, was simple to develop and maintain, provided the
consequence resulting in Fire fighting systems.
operator with ownership, could be integrated in the injury, damage to
operator’s safety management system and was transparent at property or the
all levels in the operator’s organisation and to the regulatory environment.
authorities. The tool should build on and complement the Consequence An event resulting from Controlled Liquid Spill
operator’s existing risk methodology if possible. the hazard, its initiating (failure of preventative
It was decided to extend the Bow-Ties to incorporate a event, failure of control measures, success
preventative control of mitigative control
semi-quantitative RRR methodology, and use a standard measures and failure or measures – secondary
spreadsheet computer program (Microsoft Excel) to perform success of mitigative containment).
the arithmetic calculations. control measures. Pool Fire (failure of
preventative control
measures, failure of
mitigative control
II. DEVELOPMENT OF PROBABILITY BOW-TIES measures – control of
ignition sources).

Bow-Tie Diagrams Risk Level The individual risk level

Bow-Ties graphically display the relationship between calculated for a final
consequence,
hazards, threats, controls and consequences. They are
determined by the Rapid
constructed in two parts: the left-hand side and the right- Risk ranking method,
hand side. The Bow-Tie concept is depicted in Fig. 1 below. based on the calculated
The left hand side depicts the latent hazard, initiating events, likelihood and
preventative controls and initial hazard release. consequence severity.

Figure 1 Probability Bow-Tie Potential Major Incident (PMI). The right hand side of the
INITIATING
CONSEQUENCES
Bow-Tie displays the PMI as a starting point, mitigative
EVENT

PREVENTATIVE MITIGATIVE
controls in sequence and the consequences that result from
CONTROL CONTROL
MEASURES MEASURES the failure of those controls.
H Table 1 provides an explanation of the Bow-Tie terms
A
POTENTIAL
MAJOR used in this paper. Alternative terms are commonly used; for
INCIDENT

instance, “barriers” or “safeguards” for control measures,

Z
“unwanted consequence” or “top-event” for potential major
A incident and “final outcome” for consequence.
R
Rapid Risk Ranking
D
Rapid Risk Ranking is a simple methodology using
qualitative estimates of the likelihood and consequence
severity for an unwanted incident, to assess the resultant risk
The Bow-Tie as applied to a Major Hazard Facility. The diagram provides
a simple visualisation of the relationship between the latent hazard, initiating
events, a PMI, mitigative controls and the final consequences.
 3

Table 2 Generic RRR Matrix and also for their independence (for instance using the
AIChemE LOPA rules to assure independence2) the results
will be robust.

Insignificant

Catastrophe
Moderate
Companies already using Bow-Ties to visualise the

Minor

Major
relationship of control measures will benefit from a semi-
Likelihood
quantitative appreciation of the effectiveness of those
Almost certain S S H VH VH controls. Use of PBTs may eliminate weak controls and
Likely M S S H VH indicate if existing controls need to be strengthened or
Moderate L M S S H
Unlikely L L M S S
additional controls added
Rare N L L M S Companies using RRR as part of their risk management
Note: see key at Table 6 methodology will benefit from the pictorial view of the
control measure string and a more rigorous methodology for
level. The technique is particularly suitable for estimating the likelihood of an incident occurring.
incorporation in HAZOP studies, where the HAZOP team Companies using LOPA will benefit from the pictorial
has industry- and plant-specific experience of the frequency representation as the underlying calculations are the same,
of incidents (including near-misses) and the effectiveness of and will produce equivalent results after calibrating the
control measures. Table 2 is a typical generic 5 x 5 RRR RRR matrix.
matrix1. Companies usually tailor the generic matrix to Figures 2A & 2B depict an example of a single string for
reflect the complexity and severity of potential incidents at a both sides of a typical PBT. In practice, many strings are
facility. For a major hazard facility, the most serious involved on both the preventative and the mitigative sides.
outcomes are likely to involve a fatality (classified as
“Catastrophic”) or multiple fatalities. To reduce risk to a
tolerable level, the likelihood needs to be reduced to a level III. PROBABILITY BOW-TIE PROTOCOLS
well below “rare”. Additional categories of likelihood and
consequence are therefore usually added to the RRR matrix.
PBT Construction
As detailed in the Appendix, RRR matrices have an
With the modules set up as described in the Appendix,
underlying mathematical structure. If the likelihoods and
constructing the PBT is relatively simple. Each module box
consequences are calibrated as order-of magnitude steps, a
is placed in the spreadsheet so that the correct output from
simple multiplication of likelihood and severity level results
the last module is captured as input. The module can then be
in risk expressed as an equivalent fatality rate.
moved as required, retaining the appropriate cell reference.
Probability Bow-Tie Diagrams
Group Input
The Probability Bow-Tie (PBT) is the combination of the
Once the PBT has been constructed, each module needs
traditional Bow-Tie diagram and the Rapid Risk Ranking
to be reviewed by a team having the appropriate capabilities
method. The PBT uses the structure of the Bow-Tie to
and experience in risk engineering, design, operations and
define the sequence between an initiating event, through
maintenance. Where control measures include automatic
preventative control measures to the PMI, and from the PMI
process and safety systems, the appropriate engineering
through mitigative control measures to consequences, or
disciplines should be included so that failure probabilities
final outcomes.
are properly assessed.
The PBT is set up in a spreadsheet, and the required skill
set is available in even the smallest organisation. Modules
Recording Assumptions and Calculations
are constructed which are pasted into the PBT to represent
All assumptions and intermediate calculations should be
the elements described in Table 1.
entered into the spreadsheet below the relevant module.
The basis of the initiating event frequency calculation or
This will provide a record for future modifications and
assumption is recorded in the PBT. This task is the same as
assist the SMS audit process. Where company or external
for other methods of risk analyses, and should be based on
sources are used (for example, initiating event frequency or
company standards, references or experience. Descriptors
failure rate) these should be referenced.
are used to enter the probability of failure of each control
measure. The PBT structure ensures that the appropriate
Independence of Control Measures
linkages are made so that the risk level is calculated
Traditional Bow-Ties often include such control measures
automatically.
as training, certification, procedures, inspection & testing,
The Appendix describes setting up the modules and
maintenance, communications and signage.
constructing the PBT. Protocols are described in the next
Each control measure in the underlying Bow-Tie should
section to ensure that the analysis is rigorous and the results
be reviewed for independence and effectiveness when
robust.
incorporated in the PBT. The AIChemE book “Layers of
The advantages of using the PBT are immediately
Protection Analysis”2 provides guidelines for assessing the
apparent. Firstly, the pictorial nature of the traditional Bow-
independence of control measures. For instance, training,
Tie is retained showing the relationship between elements
certification and procedures are not considered Independent
that contribute to risk and those that control it. If rigour is
Protection Layers (IPLs) but may be taken into account in
applied to the assignment of control measure effectiveness,
assessing whether process operator action is a valid IPL.
 4

PROBABILITY BOW-TIE: LEFT-HAND SIDE

Initiating Event Exposure Control Measure Control Measure

Unloading Operations Unloading Operations Procedural Failure (Lineup) Batch Control Verification
Calc Freq Calc Freq Unlikely 9.3E+01 Credit Not Taken
6240 6240 6240 0.015 9.4E+01 9.4E+01 0.01 9.4E-01 9.4E-01 1 9.4E-01

6240 0.015 Daily activity New system

Number of trucks/day 20 For a hazardous situation (overfill), need Primary Operator Function Process Control (BPCS)
Days/week 6 to be at safe fill level: Training Review experience after one year
Weeks/year 52 Tank size (m3): 2000 Experience has been zero line-up non-
Truck movements/year 6240 average load size: 30 conformances in >3000 operations
Factor 0.015

Control Measure Control Measure Control Measure PMI Frequency

Control Room Monitoring LAH/SCADA Alarm/Op Action LAHH/Valve Interlock LOC Liquid (Moderate)
Moderate 8.4E-01 Moderate 8.4E-02 Rare 9.4E-03 Non-credible
9.4E-01 0.1 9.4E-02 9.4E-02 0.1 9.4E-03 9.4E-03 0.001 9.4E-06 9.4E-06 per year

Control Room Supervision Process alarms High integrity (AS6158)

Independent of Operator & Driver
Effectiveness takes account of extra ullage
provided for all tanks (1 metre above SFL)
A minimum of 5 tankers need to be unloaded
after safe fill level before the tank invert level
is reached (design feature) - 1 day's filling
operations for the subject tank.
Reaction time may be inadequate to prevent SIL rated SIF
spill from a single truck unloading operation
However, the effectiveness takes account of the
extra ullage provided for all tanks (1 metre above SFL)
A minimum of 5 tankers need to be unloaded
after safe fill level before the tank invert level
is reached (design feature) - 1 day's filling operatons.

Figure 2A: Simplified Example of Probability Bow-Tie Construction

The figure depicts single sequences of initiating event through to consequence for liquid loss of containment (LOC Liquid), due to storage tank overfill resulting from road ranker unloading operations.
In practice, each Probability Bow-Tie (PBT) has many initiating events and sequences.
 5

PROBABILITY BOW-TIE: RIGHT-HAND SIDE

Consequence Likelihood Consequence Severity Risk Level (EFR)

Contained Spill (Bund) Contained Spill (Bund) RISK LEVEL

Non-credible Minor Negligible Risk
8.4E-06 per year 0.001 8.4E-09

Spill quantity = truck load (max 30 tonnes)

Potential for injury during clean-up
Low toxicity.

Control Measure Consequence Likelihood Consequence Severity Risk Level (EFR)

Control of Ignition Sources Bund Fire Bund Fire RISK LEVEL

Moderate 8.4E-06 V Non-cred Major Negligible Risk
9.4E-06 0.1 9.4E-07 9.4E-07 per year 0.1 9.4E-08

Hazardous Area Classification Spill quantity = truck load (max 30 tonnes)

PMI Frequency Control Measure Electrical Compliance Cosequence level considered catastrophic
General Procedural Controls: Potential fatality
LOC Liquid (Moderate) Secondary Containment (Bund) Exclusion of Ignition Sources
Non-credible Rare 9.4E-06 Hot Work Permits
9.4E-06 per year 9.4E-06 0.001 9.4E-09

Reinforced Concrette Bund Floors & Walls

Subject to annual inspection Control Measure Consequence Likelihood Consequence Severity Risk Level (EFR)

Control of Ignition Sources Uncontained Fire Bund Fire RISK LEVEL

Likely 0.0E+00 V Non-cred Extreme Catastrophe Negligible Risk
9.4E-09 1 9.4E-09 9.4E-09 per year 10 9.4E-08

Release of spill outside bund is likely Spill quantity = truck load (max 30 tonnes)
to find an ignition source. However, fire will spread
No sucessful outcome considered valid. Potential Knock-on Effects
Potential multiple fatality

Figure 2B: Simplified Example of Probability Bow-Tie Construction

The figure depicts single sequence of initiating event through to consequence for liquid loss of containment (LOC Liquid), due to storage tank overfill resulting from road ranker unloading operations.
In practice, each Probability Bow-Tie (PBT) has many initiating events and sequences.
 6

The discipline involved in having to enter a failure Table 3 Terminal Operator’s Likelihood Table
probability in the PBT will generally identify such non-
independent control measures. These may be eliminated LIKELIHOOD
from the PBT or “Credit Not Taken” may be selected from Almost certain Expected to occur in 10 per year
the drop-down list (failure probability = 1.0). most circumstances.
Common cause failure was addressed by the PBT team as
Likely Could occur at some 1 per year
they evaluated the strength of each control measure. The time during the
approach taken was to provide no credit for controls plant’s operation.
potentially subject to dependent failure. Thus, although all
Moderate Will probably occur 1 in 10 years
storage tanks were provided with dual pressure transmitters in most
(a requirement of the EPA for continuous monitoring), no circumstances.
credit was taken for this redundancy in the PBTs.
Unlikely Should occur at some 1 in 100 years
In the case of overfill protection, independent high-high time during the
level alarms and shutdown systems (using different sensor plant’s operation.
technology and SIS control circuits) were installed in
Rare Could only occur in 1 in 1,000 years
addition to normal level measurement in the BPCS. Credit exceptional
was taken for the high-high level alarm and shutdown circumstances.
system as an independent control measure.
Extremely rare Could only occur 1 in 10,000 years
with concurrent
Conservatism incidence of unlikely
Different approaches may be used by organisations in or rare events.
terms of the assumptions used in their risk analysis
Non-credible No feasible scenario 1 in 100,000 years
methodology. Assumptions may be “conservative” or can be developed.
“realistic”. Whatever approach is taken, the assumptions
should be applied consistently, and the risk guidelines Very non-credible Calculated very low 1 in 106 years
probability from
should reflect the approach used3. Our suggestion is that PBT.
assumptions should be made conservatively, so that the It should be noted that these Likelihood levels are calculated from the
resultant risk profile potentially overestimates risk. PBT and are displayed as output values and descriptors. They are not
input values.

Facility Risk appreciation of the value of individual control measures,

Once all PBTs have been developed for a facility, and assists the operator in focussing on the key performance
individual consequence risk levels can be summed and the indicators (KPIs) needed to assure the integrity of critical
total facility risk compared with company risk guidelines. controls.

Linkages Sensitivity of Results

It is likely that some PMIs or consequences will be
initiating events in other PBTs. Therefore, the spreadsheet
files should be saved in the same file folder, and “Update
Links” should always be selected when opening files.
Analysis of Risk
In addition to the comparison of the risk level of an
individual consequence or total risk level against company
guidelines, it is possible to assign the risk level associated
with each of the initiating events. Clearly, the risk level of
the PMI is the sum of the risk levels for each of the right-
hand-side consequences. Each PBT sequence therefore has a
proportional risk level associated with it (in proportion to its
frequency). The PBT may therefore be further analysed by
working back through each sequence, and assigning risk
levels at each branch leading back to the initiating event. In
this manner, it is possible to rank the initiating events as
contributors to the total facility risk.
Criticality of Control Measures
Another useful application of the PBTs is the review of
key or critical control measures. The technique is to assign
“Credit not Taken” to the control measure. The effect on the
risk level of the PMI, total risk level or the ranking of the
initiating event can be studied. This provides an immediate
The lookup tables are not data in the normal sense. They
are merely translations of probability descriptors to
numerical values (for control measures) translations of
likelihood values to descriptors (for frequencies) and
calculated risk values to descriptors (for risk). The
calculation of risk is therefore sensitive only to the input
data – frequency of initiating event and failure probabilities.
The basis for these input values is recorded transparently on
the PBT diagram.
With conservatism applied to the input data, as suggested,
the results of PBT studies will err on the conservative side.
IV. CASE STUDY - MARINE CHEMICALS
TERMINAL
Marstel Coode Island Terminal
The methodology described in this paper was applied to
the new Coode Island Chemical Terminal of Marstel
Terminals Pty Ltd. The terminal receives marine parcels of
liquid chemicals which are stored at the facility and loaded
out by road tanker to the local chemical manufacturing
industry, which owns the goods. Some products are

Table 4 Allowable Failure Probabilities
Probability
Control Measure PCM
Descriptor
Alarms, operator Moderate or 10-1 or
action, procedures. Unlikely 10-2
Basic Process Control
Systems (BPCS)
Safety Devices Unlikely or 10-2 or
Rare 10-3
Safety Instrumented Unlikely, Rare or 10-2 to
Systems (according to Extremely Rare 10-4
SIL)
received from road tankers and exported by ship.
Source documentation was compiled and reviewed. This
included engineering documentation, HAZID and HAZOP
reports, the Risk Register, Fire Safety Study, SIL Report,
reports on neighbouring site risks, and the results of
consequence studies. Traditional Bow-Ties were drafted in a
workshop using a logical division of the plant areas and a
division of PMIs into three generic categories (LOC Liquid,
LOC Vapour, Fire & Explosion). This matrix was further
developed to represent specific product groups.
The operator had incorporated an RRR tool in its Safety
Management System (SMS) and its personnel were familiar
with its use for risk assessment during HAZOP sessions.
Table 3 is the operator’s RRR likelihood table, extended to
seven levels for PBT output display.
The PBT methodology was applied conservatively.
Administrative controls include general procedures such as
training, work permit systems, incident reporting and so
forth. They also include operating procedures which define
how manual operations are to be conducted.
Whereas procedures for training, certification and work
permit systems as well as other safeguards such as general
communications, signage and maintenance are clearly key
measures contributing to plant safety, they are assumed to
be in place and working correctly. They are not identified as
primary independent control measures for inclusion in the
PBT, in line with the AIChemE LOPA rules2.
For instance, “Control of Ignition Sources” is one
identified control measure. The component design features
and procedures that contribute to the value of this control
are noted below the PBT control measure module:
“hazardous area classification & electrical compliance, and
exclusion of ignition sources and hot work permit
procedures”. A review of each of these components was
made to assess the failure probability for the identified
control measure.
Whilst the general administrative procedures described
above are not considered primary control measures in the
construction of PBTs, the nature of bulk liquid chemical
terminal operations is that many manual operations are
conducted by process operators. Ship-to-shore transfer is
one such operation, involving several administrative
procedures: tank ullage calculations, line-up of liquid and
vapour pipelines, connection of hoses at the ship, leak
testing, line walks, communications with the ship,
monitoring of filling, pigging lines and so forth. Failure of
these operational procedures may lead to potentially
7
hazardous situations.
This approach allowed specific design features,
engineering controls and specific operational procedures
that had been incorporated in the design and operation to be
taken into account, whilst preserving the notion of
independent control measures. (It is noted that, if an audit
revealed deficiencies in the underlying general procedures,
the control measure should be re-evaluated and the impact
on risk determined.)
The operator adopted limitations on the control measure
failure probabilities entered into the PBTs and these are
listed in Table 4.
Table 5 is the operator’s consequence table, used to
define the severity of an incident. This is a seven-level table
with successive levels notionally representing order-of
magnitude steps of increasing severity. Selection was based
on the consequence analyses or experience for the lower
severity outcomes.
Table 6 is the operator’s 8 x 6 risk ranking matrix,
notionally used to estimate the resultant risk level. In
practice, the PBT performs a multiplication to calculate the
equivalent fatality rate (EFR) and this is compared with the
EFR for each risk level descriptor. The category “Extreme
Catastrophe” was redefined as that resulting in three onsite
fatalities to properly represent the actual deployment of
personnel at the facility and extent of impact from the
consequence analyses. The key to Table 6 indicates the
numerical equivalence of the descriptive risk level.
Whereas the objective of control measures is to eliminate
risk wherever possible, all risks can not be eliminated and it
is important to clearly define the tolerability of the residual
risk (Hendershot3). The operator established the criteria that
the level of risk for a single incident was tolerable at the
“Low” risk level with an equivalent fatality rate (EFR) of
10-6 per year and that the total risk was tolerable at an EFR
Table 5 Operator’s Consequence Severity Table
CONSEQUENCE SEVERITY
Insignificant No injuries or low financial loss, handled as
part of normal operations
Minor First aid treatment or on-site release of
materials immediately contained, or medium
financial loss; some resources diverted.
Moderate Medical treatment required or on-site release
contained without assistance or high financial
loss or plant interruption: significant resources
needed in response.
Major Extensive injuries or loss of production
capability or off-site release with no
detrimental effects or major financial loss;
external resources required in response.
Catastrophic Single fatality on-site or toxic release off-site
with detrimental effects or huge financial loss,
major plant shutdown.
Extreme catastrophe Multiple fatalities on-site or toxic release off-
site with major detrimental effects or
enormous financial loss or major plant
shutdown.
 8

of 10-5 per year. These tolerable levels were established Table 7 Results of PBT Study (Initial Safety Case)
after a review of national and international risk guidelines
INITIATING EVENT EFR, per annum
and against a background of a conservative application of
LOC Liquid - Phenol
the RRR methodology.
Vapour Space Solidification 6 x 10-7
Load-in from RTFS 2 x 10-7
General Findings
The operator reported to the author that the PBT Third Party Offsite Impact
Toxic Vapour Cloud 6 x 10-7
methodology and format was “found to provide transparent, Unignited Flammable Vapour Cloud 1 x 10-7
useful results, in a format that is suitable for personnel
training and communication to persons with limited risk LOC Liquid - Propylene Oxide
Impact 3 x 10-7
engineering training.” As all process operators were new Sabotage/Vandalism 1 x 10-7
hires, the PBTs played an important role in process operator
training. The traditional pictorial Bow-Ties were used as the RTFS Internal Fire & Explosion
Road Tanker Return to Service Failure 2 x 10-7
primary training tool for understanding the relationship Instrument Failure 2 x 10-7
between hazards, initiating events, control measures and
consequences. The PBTs then provided the operators with a LOC Vapour (at Road Tanker Fill Stand)
deeper understanding of the strength of individual control Maintenance Procedure Failure 2 x 10-7

measures - for example, the level of risk reduction provided LOC Liquid – Piping & Pumps
by SIL-rated safety integrity functions (e.g. for overfill Maintenance Procedure Failure 1 x 10-7
protection) and the need for security access for some basic
process control system functions.
limited the value attributed to such procedural control
Engineering and management personnel reported that:
measures) the high level of engineering controls applied to
• direct involvement in the development of the PBTs
this state-of-the-art facility resulted in very low levels of
provided “ownership” of the risk assessment, which,
risk.
in turn eased communication of risk to process
The study concluded that the overall risk for the facility
operators and particularly assisted with
(including both onsite and offsite population) was
communications with the regulatory authorities;
3 x 10-6 EFR, meeting the operator’s overall risk criterion
• the method provided a sound understanding of the
(1 x 10-5 pa). All individual risk contributors met the
value of individual controls, including those that
operator’s criterion of 1 x 10-6 EFR.
were inherently weak, and provided focus for the
The principle contributors to risk are presented in Table 7
development of operating procedures within the
below which includes all initiating events presenting a risk
SMS.
greater than 1 x 10-7 EFR.
Certain operations involving phenol contributed the
Results
highest risk. In the construction of the PBTs, no account had
The study revealed that facility risk was highly dependent
been taken of mitigation due to personal protective
on the number of operations (receipts, deliveries and
equipment (PPE). Conservatively, a spill of molten phenol
transfers) as would be expected intuitively. Though many
was assumed to result in a fatality to exposed personnel due
terminal operations involve operational procedures rather
to skin absorption. The SMS included appropriate safety
than relying on automatic control (and the applied protocols
precautions (including the use of fully encapsulating
chemical suits) for handling phenol as well as strict training
Table 6 Operator’s Risk Ranking Matrix requirements and a requirement for signage in potential spill
Consequence Severity areas. In consideration of these procedures, no additional
control measures were adopted.
Insignificant

Third party (offsite) impacts were the next highest risk

Catastrophe

Catastrophe
Moderate

Extreme

contributor. These resulted from a neighbouring terminal

Minor

Major

Likelihood site. The Emergency Response Plan and Procedures (ERPP)

were reviewed, to ensure that timely incident identification
Almost certain S S H VH VH VH
and safe evacuation procedures were in place.
Likely M S S H VH VH
Moderate L M S S H VH Other initiating events ranked at the higher levels of
Unlikely L L M S S H calculated risk were similarly reviewed.
Rare N L L M S S Following the initial development of the PBTs for the
Extremely rare N N L L M S
Non-credible N N N L L M facility, modifications were made to the import-export
Very non-credible N N N N L L logistics, and certain storage tanks were reassigned to other
Key to table 6: (EFR= Equivalent Fatality Rate) chemicals. In particular, the terminal configuration was
N: Negligible Risk (10-8 per year EFR, or better)
modified for phenol import rather than export. The PBTs
L: Low Risk (10-6 per year EFR, or better)
M: Moderate Risk (10-5 per year EFR, or better) were modified with little effort to reflect these changes.
S: Significant Risk (10-3 per year EFR, or better) Because of the modular methodology used for
H: High Risk (10-2 per year EFR, or better) constructing the PBTs, these were automatically scaled to
VH: Very High Risk (more than 10-2 per year EFR)
each scenario. Thus, complex systems automatically
 9

resulted in complex PBT structures, whereas simple systems Alternatively, “Calc Freq” is selected from the drop-down
with few initiating events resulted in simple structures. The list and the value of FIE is obtained from a value calculated
approach was found to be equally applicable to major below the module box.
hazard scenarios and those having lesser outcomes. To avoid input errors and over-writing data, only the text
The regulatory authority, Victorian WorkCover Authority box is available for direct data entry.
(VWA) accepted the PBT analyses as demonstration of the If the initiating event frequency is a calculated value, the
viability and effectiveness of control measures to reduce the calculation and assumptions are set out clearly below the
facility risk so far as practical. module box for transparency and audit purposes.
Figure 3 Initiating Event Module
APPENDIX Input frequency
descriptor for
PBT Calculations initiating event
The frequency for each PMI occurring is the product of
the frequency of the initiating event and fractional failure Initiating Event (text)
probabilities of each preventive control measure, summed
Frequency descriptor
for each initiating event sequence:
F IE F out

FPMI = ∑i [FIE ,i × ∏ n (PPCM ,i ,n )] (1)

The frequency of the initiating event is estimated from the
best available data. This may be the number of occurrences
per year (for instance of tank filling operations) or be drawn
from an appropriate database or the experience of team
members. The fractional probability of the failure of each
control measure will also be based on the best information
and judgement available (SIL ratings for safety
instrumented systems, experience for operational
procedures).
Similarly, the frequency of occurrence for each
consequence is the product of the frequency of the PMI and
the fractional probability of each of the mitigative control
measures for each sequence leading to a consequence:
FC , j = FPMI × ∏ m (PMCM , j ,m ) (2)
Frequency from Output to next module
LOOKUP Table (control measure)
The initiating event module comprises a description of the initiating
event, a field for entering the frequency as a descriptor, and fields
displaying the input event frequency (from a LOOKUP table) and the
output frequency to the subsequent module.
Exposure Module
The initiating event frequency must be modified if every
instance does not lead to the threat of releasing the hazard.
For instance, when filling storage tanks from road
tankers, the threat of overfill only exists when the storage
tank is already close to its safe fill level. An exposure
module is used to take account of the exposure level. The
probability is again selected from a drop-down list and is
displayed in the box below. The module multiplies the input
frequency by the exposure probability to derive the
modified output probability.

Each consequence is ranked for severity based on the Figure 4 Exposure Module
consequence analysis for that outcome. The risk level is Input probability
determined by the RRR methodology. In practice, the descriptor for
initiating event
equivalent fatality rate, EFR, is calculated as the product of
the frequency of a particular consequence and its Exposure (text)
consequence level.
Probabilty descriptor

EFRC , j = FC , j × LC , j (3)
Fin PEXP Fout

Probability from
Input from Initiating Output to next module
For ease of calculation, and to maintain the pictorial value Event Module LOOKUP Table (control measure)
of the Bow-Tie, PBTs are constructed using a spreadsheet
with standard modules for each element (initiating event,
Control Measure Module
control measure and so forth). Each module is simple to set
For the control measure module, input of the failure
up requiring only basic spreadsheet capability. The use of
probability is made by selection of a probability descriptor
standard modules is preferred to minimise construction
from a drop-down list. The numerical value is displayed
errors, for efficiency and to maintain consistency.
below the descriptor.
The input frequency is taken from the previous module
Initiating Event Module
and is multiplied by the probability of failure to calculate
Fig 3 shows the initiating event module. There are two
the resultant frequency in the lower right-hand cell. Many
ways to enter the initiating event frequency. Either a
control measures, if successful, will prevent the unwanted
frequency descriptor is selected in the central cell from a
consequence altogether. In other cases, the success of a
drop-down list (the value FIE is obtained from a LOOKUP
control measure may lead to another chain of events of
table and when selected is displayed in the cell below).
 10

lower consequence severity. Table 8 Symbols

Figure 5 Control Measure Module
EFR Equivalent Fatality Rate Fatalities/year
Input probability Output to next module
descriptor for (sucess) Frequency of a final Events per year
control measure
FC,j
consequence occurring.

Control Measure (text) PPCM, I,n Probability of failure of Fractional

Probability descriptor FOUT,S preventative control. probability
FIN PPCM F OUT,F
FIE, i Initiating event frequency. Events per year

Probability from
Input from previous
module LOOKUP Table
The control measure module may be used for both preventative and
mitigative control measures. Where the success of the control measure
eliminated any subsequent outcome, only the value of FOUT,F is carried
forward.
The control measure module therefore has two outputs –
event frequency on failure and event frequency on success.
The latter is particularly used on the mitigative side of the
bow-tie (for instance if ignition control measures are
successful, the result of a loss of liquid containment might
result in a contained spill; the failure of ignition control
measure might result in a flash fire or pool fire).
PMI Module
The PMI Module has no inputs except for the textual
description. The value for FPMI is the sum of the final
frequencies of all sequences leading to the PMI. This
calculation is manually input into the cell. The Excel
“reviewing” toolbar is useful to ensure that the correct
inputs have been collected. The PMI Frequency descriptor
is derived from a LOOKUP table for the value of FPMI.
Figure 6 PMI Module
PMI Frequency
from LOOKUP
table
PMI Event Description (text)
Frequency descriptor
FPMI Frequency of a PMI occurrence Events per year
Output to next module
(failure)
PMCM,j,m Probability of failure of Fractional
mitigative control probability
equivalent fatality.
The risk level module performs the RRR matrix lookup,
and the risk level is displayed as a descriptor and as a
numerical value.
“AND” and “OR” Gates
Frequencies for the same event (PMI and Consequence
Likelihood) are additive. The Excel “reviewing” toolbar is
useful to ensure that the correct inputs have been collected.
Care should be taken handling situations where
concurrent events are required to release a hazard. For
instance, if one series of a left-hand side PBT leads to the
presence of a flammable mixture and another series leads to
sources of ignition, and both are expressed as a frequency,
these cannot simply be added to establish the frequency of
an explosion or fire. One must be converted to a fractional
probability (for instance the fractional presence of any
ignition source). Kletz4 describes “AND” and “OR” gates
for fault trees and this technique should be applied.
Kletz also describes the dependence of hazard rate on the
test interval and demand rate. If a failure rate is used to
establish the failure probability for a control measure, the
failure rate should be adjusted for high demand rates. With
SIL-rated SIFs, the SIL level is equivalent to a failure
probability.

F PMI per year ACKNOWLEDGEMENT

Sum of inputs from all
PBT sequences
The cell representing FPMI is the sum of the probabilities for all
sequences leading to the PMI.
Consequence Likelihood, Severity and Risk Modules
These modules are placed in the PBT as a group.
Examples are shown in Figure 2.
The consequence likelihood module takes the calculated
consequence frequency from the last mitigative control
measure. The frequency descriptor is obtained from a
LOOKUP table.
The consequence severity module is used to enter the
severity level from a consequence analysis of the final
outcome, from a drop-down list (see Table 5). The basis of
the severity level is entered below the module box for
review and auditing purposes. A LOOKUP table is used to
convert the descriptive severity level to a numerical value of
The author wishes to acknowledge the close cooperation
of staff of Marstel Terminals Pty Ltd in the development of
Probability Bow-Ties for the Coode Island Terminal. In
particular, we thank Mr. Ron Dickinson (Operations
Manger for the new terminal) and Mr. Brent Metson
(Project Engineer, Marstel NZ Ltd). Their keen interest in
safety and dedication to the project resulted in the
development of a robust risk management tool.
REFERENCES
1 AS/NZS 4360:1999, Appendix E
2 “Layers of Protection Analysis – Simplified Process Risk Assessment”,
CCPS/AIChemE 2001.
3 D. C. Hendershot, “Risk Guidelines as a Risk Management Tool”,
prepared for AIChemE Process Plant Safety Symposium, Houston, 1996.
Available:
http://home.att.net/~d.c.hendershot/papers/pdfs/riskguidelines.pdf
4 T Kletz, “HAZOP & HAZAN – Identifying and Assessing Process
Industry Hazards”, 3rd Edition, IChemE.