Probability Bow-Ties - A Transparent Risk Management Tool
The operator had previous experience of quantitative risk assessment (QRA) studies conducted by third parties, but found that the process did not take sufficient account of specific design features, operational and maintenance practices. It was considered that underlying failure scenarios and the source of failure data were often obscure (“black-box”) and the output was insensitive to what would intuitively be considered significant safety improvements. Traditional QRA was considered an inappropriate tool to provide a comparative evaluation of the appropriateness and effectiveness of individual control measures for the facility.

The operator had selected Bow-Ties as a primary tool for assembling information on hazards, initiating events, control measures and consequences in a form suitable for process operator understanding and training. They provided a holistic view and an appreciation of control measures working together. The operator had also adopted Rapid Risk Ranking (RRR) methodology as a core feature of the risk register and this was universally understood by personnel.

What was needed was a risk assessment tool that took into account the specific design features, engineering and administrative controls incorporated in the design and operation, was simple to develop and maintain, provided the operator with ownership, could be integrated in the operator’s safety management system and was transparent at all levels in the operator’s organisation and to the regulatory authorities. The tool should build on and complement the operator’s existing risk methodology if possible.

It was decided to extend the Bow-Ties to incorporate a semi-quantitative RRR methodology, and use a standard spreadsheet computer program (Microsoft Excel) to perform the arithmetic calculations.

Table 1 Terms used for Bow-Ties

| Term | Definition | Examples |
|---|---|---|
| Hazard | This is a condition that could potentially lead to injury, damage to property or the environment. | Flammable chemicals in storage. Flammable chemicals at pressure. |
| Initiating Event | An event which has the potential to release a hazard. | Corrosion of pipeline. Human error (line-up failure). |
| Control Measures (Preventative) | Preventative control measures put in place to prevent releasing the hazard. | Materials selection. Safety valves. Control systems. Procedural controls. Preventative maintenance. Training. |
| Potential Major Incident (PMI) | The initial consequence which involves the release of the hazard. | Loss of Containment. |
| Control Measures (Mitigative) | Mitigative control measures put in place to prevent the PMI from escalating to a consequence resulting in injury, damage to property or the environment. | Secondary containment (bunds). Fire or gas detection systems. Fire fighting systems. |
| Consequence | An event resulting from the hazard, its initiating event, failure of preventative control measures and failure or success of mitigative control measures. | Controlled Liquid Spill (failure of preventative control measures, success of mitigative control measures – secondary containment). Pool Fire (failure of preventative control measures, failure of mitigative control measures – control of ignition sources). |

II. DEVELOPMENT OF PROBABILITY BOW-TIES
Figure 1 Probability Bow-Tie [diagram labels: Initiating Event, Preventative Control Measures, Potential Major Incident, Mitigative Control Measures, Consequences]

Potential Major Incident (PMI). The right hand side of the Bow-Tie displays the PMI as a starting point, mitigative controls in sequence and the consequences that result from the failure of those controls.

Table 1 provides an explanation of the Bow-Tie terms used in this paper. Alternative terms are commonly used; for
level. The technique is particularly suitable for incorporation in HAZOP studies, where the HAZOP team has industry- and plant-specific experience of the frequency of incidents (including near-misses) and the effectiveness of control measures. Table 2 is a typical generic 5 x 5 RRR matrix [1]. Companies usually tailor the generic matrix to reflect the complexity and severity of potential incidents at a facility. For a major hazard facility, the most serious outcomes are likely to involve a fatality (classified as “Catastrophic”) or multiple fatalities. To reduce risk to a tolerable level, the likelihood needs to be reduced to a level well below “rare”. Additional categories of likelihood and consequence are therefore usually added to the RRR matrix.

Table 2 Generic RRR Matrix

| Likelihood | Insignificant | Minor | Moderate | Major | Catastrophe |
|---|---|---|---|---|---|
| Almost certain | S | S | H | VH | VH |
| Likely | M | S | S | H | VH |
| Moderate | L | M | S | S | H |
| Unlikely | L | L | M | S | S |
| Rare | N | L | L | M | S |

Note: see key at Table 6

As detailed in the Appendix, RRR matrices have an underlying mathematical structure. If the likelihoods and consequences are calibrated as order-of-magnitude steps, a simple multiplication of likelihood and severity level results in risk expressed as an equivalent fatality rate.

Probability Bow-Tie Diagrams

The Probability Bow-Tie (PBT) is the combination of the traditional Bow-Tie diagram and the Rapid Risk Ranking method. The PBT uses the structure of the Bow-Tie to define the sequence between an initiating event, through preventative control measures to the PMI, and from the PMI through mitigative control measures to consequences, or final outcomes.

The PBT is set up in a spreadsheet, and the required skill set is available in even the smallest organisation. Modules are constructed which are pasted into the PBT to represent the elements described in Table 1.

The basis of the initiating event frequency calculation or assumption is recorded in the PBT. This task is the same as for other methods of risk analyses, and should be based on company standards, references or experience. Descriptors are used to enter the probability of failure of each control measure. The PBT structure ensures that the appropriate linkages are made so that the risk level is calculated automatically.

The Appendix describes setting up the modules and constructing the PBT. Protocols are described in the next section to ensure that the analysis is rigorous and the results robust.

The advantages of using the PBT are immediately apparent. Firstly, the pictorial nature of the traditional Bow-Tie is retained showing the relationship between elements that contribute to risk and those that control it. If rigour is applied to the assignment of control measure effectiveness, and also for their independence (for instance using the AIChemE LOPA rules to assure independence [2]) the results will be robust.

Companies already using Bow-Ties to visualise the relationship of control measures will benefit from a semi-quantitative appreciation of the effectiveness of those controls. Use of PBTs may eliminate weak controls and indicate if existing controls need to be strengthened or additional controls added.

Companies using RRR as part of their risk management methodology will benefit from the pictorial view of the control measure string and a more rigorous methodology for estimating the likelihood of an incident occurring.

Companies using LOPA will benefit from the pictorial representation as the underlying calculations are the same, and will produce equivalent results after calibrating the RRR matrix.

Figures 2A & 2B depict an example of a single string for both sides of a typical PBT. In practice, many strings are involved on both the preventative and the mitigative sides.

III. PROBABILITY BOW-TIE PROTOCOLS

PBT Construction

With the modules set up as described in the Appendix, constructing the PBT is relatively simple. Each module box is placed in the spreadsheet so that the correct output from the last module is captured as input. The module can then be moved as required, retaining the appropriate cell reference.

Group Input

Once the PBT has been constructed, each module needs to be reviewed by a team having the appropriate capabilities and experience in risk engineering, design, operations and maintenance. Where control measures include automatic process and safety systems, the appropriate engineering disciplines should be included so that failure probabilities are properly assessed.

Recording Assumptions and Calculations

All assumptions and intermediate calculations should be entered into the spreadsheet below the relevant module. This will provide a record for future modifications and assist the SMS audit process. Where company or external sources are used (for example, initiating event frequency or failure rate) these should be referenced.

Independence of Control Measures

Traditional Bow-Ties often include such control measures as training, certification, procedures, inspection & testing, maintenance, communications and signage.

Each control measure in the underlying Bow-Tie should be reviewed for independence and effectiveness when incorporated in the PBT. The AIChemE book “Layers of Protection Analysis” [2] provides guidelines for assessing the independence of control measures. For instance, training, certification and procedures are not considered Independent Protection Layers (IPLs) but may be taken into account in assessing whether process operator action is a valid IPL.
[Figure: module boxes of a single PBT string; values as shown in the boxes]

| Module | Descriptor | Input frequency | Probability | Output frequency | Frequency on success |
|---|---|---|---|---|---|
| Unloading Operations | Calc Freq | 6240 | | 6240 | |
| Unloading Operations | Calc Freq | 6240 | 0.015 | 9.4E+01 | |
| Procedural Failure (Lineup) | Unlikely | 9.4E+01 | 0.01 | 9.4E-01 | 9.3E+01 |
| Batch Control Verification | Credit Not Taken | 9.4E-01 | 1 | 9.4E-01 | |
| Control Room Monitoring | Moderate | 9.4E-01 | 0.1 | 9.4E-02 | 8.4E-01 |
| LAH/SCADA Alarm/Op Action | Moderate | 9.4E-02 | 0.1 | 9.4E-03 | 8.4E-02 |
| LAHH/Valve Interlock | Rare | 9.4E-03 | 0.001 | 9.4E-06 | 9.4E-03 |
| LOC Liquid (Moderate) | Non-credible | | | 9.4E-06 per year | |

The figure depicts single sequences of initiating event through to consequence for liquid loss of containment (LOC Liquid), due to storage tank overfill resulting from road tanker unloading operations.
In practice, each Probability Bow-Tie (PBT) has many initiating events and sequences.
[Figure: text recovered from the module boxes]
Release of spill outside bund is likely to find an ignition source.
Spill quantity = truck load (max 30 tonnes)
However, fire will spread
No successful outcome considered valid.
Potential Knock-on Effects
Potential multiple fatality

The figure depicts single sequence of initiating event through to consequence for liquid loss of containment (LOC Liquid), due to storage tank overfill resulting from road tanker unloading operations.
In practice, each Probability Bow-Tie (PBT) has many initiating events and sequences.
The discipline involved in having to enter a failure probability in the PBT will generally identify such non-independent control measures. These may be eliminated from the PBT or “Credit Not Taken” may be selected from the drop-down list (failure probability = 1.0).

Common cause failure was addressed by the PBT team as they evaluated the strength of each control measure. The approach taken was to provide no credit for controls potentially subject to dependent failure. Thus, although all storage tanks were provided with dual pressure transmitters (a requirement of the EPA for continuous monitoring), no credit was taken for this redundancy in the PBTs.

In the case of overfill protection, independent high-high level alarms and shutdown systems (using different sensor technology and SIS control circuits) were installed in addition to normal level measurement in the BPCS. Credit was taken for the high-high level alarm and shutdown system as an independent control measure.

Conservatism

Different approaches may be used by organisations in terms of the assumptions used in their risk analysis methodology. Assumptions may be “conservative” or “realistic”. Whatever approach is taken, the assumptions should be applied consistently, and the risk guidelines should reflect the approach used [3]. Our suggestion is that assumptions should be made conservatively, so that the resultant risk profile potentially overestimates risk.

Table 3 Terminal Operator’s Likelihood Table

| Likelihood | Description | Frequency |
|---|---|---|
| Almost certain | Expected to occur in most circumstances. | 10 per year |
| Likely | Could occur at some time during the plant’s operation. | 1 per year |
| Moderate | Will probably occur in most circumstances. | 1 in 10 years |
| Unlikely | Should occur at some time during the plant’s operation. | 1 in 100 years |
| Rare | Could only occur in exceptional circumstances. | 1 in 1,000 years |
| Extremely rare | Could only occur with concurrent incidence of unlikely or rare events. | 1 in 10,000 years |
| Non-credible | No feasible scenario can be developed. | 1 in 100,000 years |
| Very non-credible | Calculated very low probability from PBT. | 1 in 10^6 years |

It should be noted that these Likelihood levels are calculated from the PBT and are displayed as output values and descriptors. They are not input values.
of 10^-5 per year. These tolerable levels were established after a review of national and international risk guidelines and against a background of a conservative application of the RRR methodology.

General Findings

The operator reported to the author that the PBT methodology and format was “found to provide transparent, useful results, in a format that is suitable for personnel training and communication to persons with limited risk engineering training.” As all process operators were new hires, the PBTs played an important role in process operator training. The traditional pictorial Bow-Ties were used as the primary training tool for understanding the relationship between hazards, initiating events, control measures and consequences. The PBTs then provided the operators with a deeper understanding of the strength of individual control measures - for example, the level of risk reduction provided by SIL-rated safety integrity functions (e.g. for overfill protection) and the need for security access for some basic process control system functions.

Engineering and management personnel reported that:
• direct involvement in the development of the PBTs provided “ownership” of the risk assessment, which, in turn eased communication of risk to process operators and particularly assisted with communications with the regulatory authorities;
• the method provided a sound understanding of the value of individual controls, including those that were inherently weak, and provided focus for the development of operating procedures within the SMS.

Results

The study revealed that facility risk was highly dependent on the number of operations (receipts, deliveries and transfers) as would be expected intuitively. Though many terminal operations involve operational procedures rather than relying on automatic control (and the applied protocols limited the value attributed to such procedural control measures) the high level of engineering controls applied to this state-of-the-art facility resulted in very low levels of risk.

The study concluded that the overall risk for the facility (including both onsite and offsite population) was 3 x 10^-6 EFR, meeting the operator’s overall risk criterion (1 x 10^-5 pa). All individual risk contributors met the operator’s criterion of 1 x 10^-6 EFR.

The principal contributors to risk are presented in Table 7 below which includes all initiating events presenting a risk greater than 1 x 10^-7 EFR.

Table 7 Results of PBT Study (Initial Safety Case)

| INITIATING EVENT | EFR, per annum |
|---|---|
| LOC Liquid - Phenol | |
| Vapour Space Solidification | 6 x 10^-7 |
| Load-in from RTFS | 2 x 10^-7 |
| Third Party Offsite Impact | |
| Toxic Vapour Cloud | 6 x 10^-7 |
| Unignited Flammable Vapour Cloud | 1 x 10^-7 |
| LOC Liquid - Propylene Oxide | |
| Impact | 3 x 10^-7 |
| Sabotage/Vandalism | 1 x 10^-7 |
| RTFS Internal Fire & Explosion | |
| Road Tanker Return to Service Failure | 2 x 10^-7 |
| Instrument Failure | 2 x 10^-7 |
| LOC Vapour (at Road Tanker Fill Stand) | |
| Maintenance Procedure Failure | 2 x 10^-7 |
| LOC Liquid – Piping & Pumps | |
| Maintenance Procedure Failure | 1 x 10^-7 |

Certain operations involving phenol contributed the highest risk. In the construction of the PBTs, no account had been taken of mitigation due to personal protective equipment (PPE). Conservatively, a spill of molten phenol was assumed to result in a fatality to exposed personnel due to skin absorption. The SMS included appropriate safety precautions (including the use of fully encapsulating chemical suits) for handling phenol as well as strict training requirements and a requirement for signage in potential spill areas. In consideration of these procedures, no additional control measures were adopted.

Table 6 Operator’s Risk Ranking Matrix [matrix body not recovered; Consequence Severity column labels present: Insignificant, Moderate, Major, Extreme, Catastrophe]
resulted in complex PBT structures, whereas simple systems with few initiating events resulted in simple structures. The approach was found to be equally applicable to major hazard scenarios and those having lesser outcomes.

The regulatory authority, Victorian WorkCover Authority (VWA) accepted the PBT analyses as demonstration of the viability and effectiveness of control measures to reduce the facility risk so far as practical.

APPENDIX

PBT Calculations

The frequency for each PMI occurring is the product of the frequency of the initiating event and fractional failure probabilities of each preventive control measure, summed for each initiating event sequence:

Each consequence is ranked for severity based on the consequence analysis for that outcome. The risk level is determined by the RRR methodology. In practice, the equivalent fatality rate, EFR, is calculated as the product of the frequency of a particular consequence and its consequence level.

$$EFR_{C,j} = F_{C,j} \times L_{C,j} \qquad (3)$$

For ease of calculation, and to maintain the pictorial value of the Bow-Tie, PBTs are constructed using a spreadsheet with standard modules for each element (initiating event, control measure and so forth). Each module is simple to set up requiring only basic spreadsheet capability. The use of standard modules is preferred to minimise construction errors, for efficiency and to maintain consistency.

Initiating Event Module

Fig 3 shows the initiating event module. There are two ways to enter the initiating event frequency. Either a frequency descriptor is selected in the central cell from a drop-down list (the value $F_{IE}$ is obtained from a LOOKUP table and when selected is displayed in the cell below). Alternatively, “Calc Freq” is selected from the drop-down list and the value of $F_{IE}$ is obtained from a value calculated below the module box.

To avoid input errors and over-writing data, only the text box is available for direct data entry.

If the initiating event frequency is a calculated value, the calculation and assumptions are set out clearly below the module box for transparency and audit purposes.

Figure 3 Initiating Event Module [labels: Input frequency descriptor for initiating event; Initiating Event (text); Frequency descriptor; $F_{IE}$; $F_{out}$]

Figure 4 Exposure Module [labels: Input probability descriptor for initiating event; Exposure (text); Probability descriptor; $F_{in}$, $P_{EXP}$, $F_{out}$; Input from Initiating Event Module; Probability from LOOKUP Table; Output to next module (control measure)]

Control Measure Module

For the control measure module, input of the failure probability is made by selection of a probability descriptor from a drop-down list. The numerical value is displayed below the descriptor.

The input frequency is taken from the previous module and is multiplied by the probability of failure to calculate the resultant frequency in the lower right-hand cell. Many control measures, if successful, will prevent the unwanted consequence altogether. In other cases, the success of a control measure may lead to another chain of events of
[Figure: control measure module; labels: Input from previous module; Probability from LOOKUP Table (failure); Output to next module]

The control measure module may be used for both preventative and mitigative control measures. Where the success of the control measure eliminated any subsequent outcome, only the value of $F_{OUT,F}$ is carried forward.

The control measure module therefore has two outputs – event frequency on failure and event frequency on success. The latter is particularly used on the mitigative side of the bow-tie (for instance if ignition control measures are successful, the result of a loss of liquid containment might result in a contained spill; the failure of ignition control measure might result in a flash fire or pool fire).

PMI Module

The PMI Module has no inputs except for the textual description. The value for $F_{PMI}$ is the sum of the final frequencies of all sequences leading to the PMI. This calculation is manually input into the cell. The Excel “reviewing” toolbar is useful to ensure that the correct inputs have been collected. The PMI Frequency descriptor is derived from a LOOKUP table for the value of $F_{PMI}$.

Figure 6 PMI Module [labels: PMI Frequency from LOOKUP table; PMI Event Description (text); Frequency descriptor]

| Symbol | Description | Units |
|---|---|---|
| $F_{PMI}$ | Frequency of a PMI occurrence | Events per year |
| $P_{MCM,j,m}$ | Probability of failure of mitigative control | Fractional probability |

equivalent fatality.

The risk level module performs the RRR matrix lookup, and the risk level is displayed as a descriptor and as a numerical value.

“AND” and “OR” Gates

Frequencies for the same event (PMI and Consequence Likelihood) are additive. The Excel “reviewing” toolbar is useful to ensure that the correct inputs have been collected.

Care should be taken handling situations where concurrent events are required to release a hazard. For instance, if one series of a left-hand side PBT leads to the presence of a flammable mixture and another series leads to sources of ignition, and both are expressed as a frequency, these cannot simply be added to establish the frequency of an explosion or fire. One must be converted to a fractional probability (for instance the fractional presence of any ignition source). Kletz [4] describes “AND” and “OR” gates for fault trees and this technique should be applied.

Kletz also describes the dependence of hazard rate on the test interval and demand rate. If a failure rate is used to establish the failure probability for a control measure, the failure rate should be adjusted for high demand rates. With SIL-rated SIFs, the SIL level is equivalent to a failure probability.
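The module arithmetic and the “AND”/“OR” gate rule described in this Appendix, applied to the single tank-overfill string shown in the figure, as an added example (not code from the paper or the operator's spreadsheet). The per-descriptor failure probabilities are read off that figure; treating the 0.015 box as the exposure factor, and mapping an output frequency to the nearest Table 3 band on a log scale, are assumptions, since the page does not give the LOOKUP boundaries.

```python
import math

# Failure probability per descriptor. Only the values visible in the page's
# single-string figure are used; "Credit Not Taken" is 1.0 as the page states.
FAILURE_PROBABILITY = {
    "Moderate": 0.1,
    "Unlikely": 0.01,
    "Rare": 0.001,
    "Credit Not Taken": 1.0,
}

# Output likelihood descriptors and frequencies (events per year) from Table 3.
LIKELIHOOD_BANDS = [
    ("Almost certain", 10.0), ("Likely", 1.0), ("Moderate", 1e-1),
    ("Unlikely", 1e-2), ("Rare", 1e-3), ("Extremely rare", 1e-4),
    ("Non-credible", 1e-5), ("Very non-credible", 1e-6),
]

# The figure's string: 6240 unloading operations a year, 0.015 assumed exposure.
FIG_FREQUENCY = 6240.0
FIG_EXPOSURE = 0.015
FIG_CONTROLS = [
    ("Procedural Failure (Lineup)", "Unlikely"),
    ("Batch Control Verification", "Credit Not Taken"),
    ("Control Room Monitoring", "Moderate"),
    ("LAH/SCADA Alarm/Op Action", "Moderate"),
    ("LAHH/Valve Interlock", "Rare"),
]


def run_string(initiating_frequency, exposure, controls):
    """Chain the modules; return (final frequency on failure, per-module rows)."""
    frequency = initiating_frequency * exposure
    rows = []
    for name, descriptor in controls:
        p_fail = FAILURE_PROBABILITY[descriptor]
        on_failure = frequency * p_fail          # carried to the next module
        on_success = frequency * (1.0 - p_fail)  # second output of the module
        rows.append((name, descriptor, frequency, on_failure, on_success))
        frequency = on_failure
    return frequency, rows


def or_gate(frequencies):
    """Several strings leading to the same event: frequencies add."""
    return sum(frequencies)


def and_gate(frequency, fraction):
    """Concurrent events: one side must be a fractional probability, not a rate."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("AND gate needs a fraction in [0, 1], not a frequency")
    return frequency * fraction


def likelihood_descriptor(frequency):
    """Assumed rule: nearest Table 3 band on a log10 scale."""
    return min(LIKELIHOOD_BANDS,
               key=lambda band: abs(math.log10(frequency) - math.log10(band[1])))[0]


if __name__ == "__main__":
    total, rows = run_string(FIG_FREQUENCY, FIG_EXPOSURE, FIG_CONTROLS)
    for name, descriptor, f_in, f_fail, f_ok in rows:
        print(f"{name:30} {descriptor:17} {f_in:.1E} -> {f_fail:.1E} (success {f_ok:.1E})")
    print(f"LOC Liquid: {total:.1E} per year, {likelihood_descriptor(total)}")
```

Passing a frequency greater than 1 as the second argument of `and_gate` raises an error, which is the mistake the “AND” gate paragraph cautions against.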