AIChE
A Method for Barrier-Based Incident Investigation
Robin Pitblado, a Tony Potts, b Mark Fisher, b and Stuart Greenfieldb
aDNV GL, Risk Advisory Services, 1400 Ravello Drive, Katy, TX 77449; robin.pitblado@dnvgl.com (for correspondence)
bDNV GL, Manchester Advisory, Highbank House, Exchange Street, Stockport, SK3 OET, United Kingdom
Published online 27 June 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11738
Incident investigation is a formal requirement for high
hazard facilities with the aim to learn from each incident
and to prevent future recurrences. Tbere are many published
investigation methods, with most driving to the management
system root cause and some applying newer barrier-based
methods. However, these methods either do not link tightly to
the facility risk assessment or are very difficult to apply, and
lessons from incidents that might reveal weaknesses, espe-
cially relating to major accidents, can be missed. This article
describes a novel method for incident investigation (Barrier-
based Systematic Cause Analysis Technique) that combines
the ideas of barrier-based risk assessment with a well-
established systems-based root cause analysis method (Sys-
tematic Cause Analysis Technique). The method described is
efficient and can be applied by properly trained supervisors,
and this potentially allows every incident or near-miss event
to be assessed in a consistent risk-based format. The method
clearly establishes links back to the facility risk assessment
and thus identifies risk pathways that are potentially too opti-
mistic (i.e., the risk is higher than predicted), and this can
be due to initial optimism or degradation of safety barriers
(human or hardware). © 2015 American Institute of Chemical
Engineers Process Saf Prog 34: 328-334, 2015
Keywords: accident investigation; bow tie; incident inves-
tigations; risk assessment,· root cause
INTRODUCTION
Formal incident investigation is required by US regula-
tions for high hazard facilities onshore and SEMS regulations
for offshore facilities. A similar requirement also applies
under safety case regulations in Europe, both onshore and
offshore. None of these, however, specifies any specific
method; the operator is free to select any method deemed
suitable.
Early incident investigation focused too much on direct
causes, assigning blame, and rarely delved into system
I.
causes. Bird et al. [l] quotes statistics from 1,490 old incident
reports and these show ineffective investigations which iden-
tified only 1% to be the fault of the employer, with bulk of
the remainder being either unpreventable (65%) or some
kind of human error (31%). With this depth of analysis, it is
not surprising that accidents continued without significant
reduction as the true underlying causes of accidents were
not being identified. Modern investigation techniques drive
beyond the initial or direct causes and attempt to identify
deeper root causes, usually linked to the management sys-
tem [2]. A selection of current techniques which do drive to
root causes is provided in Table 1.
© 2015 American Institute of Chemical Engineers
328 December 2015
With such a full list of methods, it might be asked why
there is a need for a new investigation method? Incident
investigation techniques need to evolve to match the manage-
ment processes in use, otherwise the lessons learned through
the investigation will not match the system being employed.
At a relatively simple level, this means the system categories
generated by the investigation should match the management
system elements employed at the facility (e.g., [3-5]). How-
ever, at a deeper level, there has been major change in the
management of high hazard facilities from a traditional safety
management structure (as in OSHA PSM) and toward a risk-
based structure (as in CCPS and ISRS). That is, the focus has
shifted to identifying major accident risks and putting in place
appropriate controls complementing all the elements of a pro-
cess safety management system. fa,1:racting lessons is more
than matching incidents to management system elements, and
ideally it should also provide a direct linkage to the safety bar-
riers defined in the facility risk assessment.
Investigation methods can be characterized by the
amount of structure inherent in the method and by the com-
plexity of applying the method. For example, MORT and
Systematic Cause Analysis Technique (SCAT) both have a
high degree of methodology structure and the user mostly
selects options from within this predefined stmcture; how-
ever, the complexity of application between these two tech-
niques is very different, with SCAT requiring less specialist
investigation knowledge and MORT much more. The 5
Why's and the Fault Tree methods provide a similar pair of
examples in the flexible area. Here, the methods do not pro-
vide predefined options and the user must develop the solu-
tion from first principles using the methodology rule set.
Barrier-based Systematic Cause Analysis Technique (BSCAT)
uses the fixed structure of SCAT but combines this with the
flexibility of a bow tie model, so it would be high midway
on the structure/flexibility axis. Similarly in terms of detail, it
extends the simple model of SCAT to address the risk
domain, but not in as much detail as some complex techni-
ques, so it lies midway on the Overview/Detailed axis. CGE
Risk has developed a figure mapping the different techni-
ques (Figure 1). While subjective, it does show that BSCAT
provides a good balance between structure and complexity,
making it suitable for general application by facility supervi-
sors rather than only by highly qualified investigation spe-
cialists. More sophisticated techniques like Tripod Beta are
more difficult to apply and suitable for only a subset of total
incidents. This limits their lessons learned potential for all
barriers, but it would be justified by the greater depth of
information for cultural influences that would show in most
incidents.
In the following sections, the authors review the new
barrier-based operational risk assessment method, frequently
Process Safety Progress (Vol.34, No.4)
 Table 1. Selected incident investigation methods.
Category Name
Generic 5 Why's
Fishbone Diagrams
Fault Trees
Proprietary Common List of Causes (BP)
(developer name) MORT-Management Oversight
and Risk Tree (US Department
of Energy)
Source (ABS)
TapRoot (System Improvements Inc.)
TriPod Beta (Reason and Hudson)
SCAT and BSCAT (DNV GL)
termed bow tie diagrams, and then show how these can be
adapted to incident investigation using only those arms of
the bow tie that capture the accident pathway. The well-
established SCAT method (Systematic Cause Analysis Tech-
nique) is then described. BSCAT (Barrier-based SCAT) then
merges the two techniques allowing a tight link between the
risk assessment and the root causes to be established.
Finally, a worked example shows the application of the
method to the Buncefield oil terminal fire event.
BARRIER RISK METHODS
Barrier-based risk assessment has been applied to process
safety risks for over two decades, with Shell taking a lead [6).
The original thinking derives from the well-known Swiss
Cheese model proposed by James Reason, but the method
does not follow his structure as it defines both preventative
and mitigative controls with a "top event" in the middle. The
Reason model focused instead on latent and active failures
and impo1tant psychological factors. Regulators also recog-
nized the value of this risk-based approach [7] as it permits a
focus on major accident risks during the operational phase;
most other risk techniques focus on the design stage. The
model shows a number of safety barriers lying between the
threats and the major accident outcome . The barriers are not
perfect and hence the holes which represent the failure
modes associated with individual barriers. If all the holes
"line-up," then the unwanted event occurs. The model is
intuitive and easy to explain; a safer system would employ
more barriers with smaller holes.
Currently, there is no publicly available guideline docu-
ment describing the bow tie method, although CCPS has a
working party (Project 237) on this. In the meantime, shorter
method statements have been published [6,8) or available as
software support manuals (from ABS for Thesis and CGE
Risk [9) for BowTieXP). In the absence of a formal specifica-
tion, there tends to be multiple terminology describing ele-
I
ments of the bow tie, although the method is similar in all
cases.
Figure 2 shows the primary elements of a bow tie dia-
gram. At the top is the hazard, this is the material or condi-
tion that if control is lost could give rise to the unwanted
consequences. The hazard leads directly to the top event
which is the central circle. This is the specific loss of control
or loss of containment of the hazard (e.g., leak of a hazard-
ous material). On the left side are various threats or causes
(e.g., corrosion and dropped object) that could cause this
loss of control, and on the right side are the consequences
or undesired outcomes (e.g., injury, explosion, etc.). In
between the threats and the top event are prevention bar-
riers (or safeguards/ controls), and similarly on the other side
are mitigation barriers (or safeguards/controls). Not shown
Process Safety Progress (Vol.34, No.4) Published on behalf of the AIChE
- - - - - -- ----
heed structure
• MORT
0 SCAT
0 BP CLC
e Tripod
Beta
e Fishbone
Overview <:========-C);;;B=s=
cA=T=====~ Detailed
/simple
• 5 Why's
• Faulttru
Event tree
Fle><l ble
Figure 1. Application features of several investigation meth-
ods (CGE Risk).
on this simplified diagram are barrier decay mechanisms
(also known as escalation factors) which show how individ-
ual barriers can degrade (e.g., failure to inspect) and the
additional barriers installed (e.g., inspection and preventive
maintenance programs) to keep these at their performance
standard. Barriers are more than bars on a bow tie diagram,
each barrier represents an AND Gate with inputs of "demand
on barrier function" and "barrier fails." For example, if a bar-
rier is a shutdown system and an operator actuates the sys-
tem (i.e., barrier required to act) AND the barrier fails to
operate (i.e., does not work) then the barrier as a whole fails
and the system goes on to challenge the next barrier. This
provides an underpinning of sound safety science to the
method. The barrier decay mechanism builds out the fault
tree AND gate showing the mechanisms how the barrier
might fail. Pitblado and Weijand [8] give multiple examples
of good and poor bow tie elements and how these can affect
the quality and utility of the final bow tie.
Real bow ties are more complex than shown in this fig-
ure, often with 5-8 threat arms entering and 2-4 conse-
quence arms emerging. Generally, 3-4 barriers per arm
represents a well-protected system, however, examples are
seen with many more than this, but that is most often due to
faults in drawing the bow tie with barrier decay mechanism
barriers incorrectly promoted on to the main pathway. Shell
guidance [6) is that 10-15 bow ties are sufficient to capture
the most important top events and barriers, and usually little
value is obtained from creating a greater number.
An important opportunity is to link incident investigations
to these facility risk assessment bow ties, showing which bar-
riers must have failed in order to have an accident (reaching
all the way to the right hand side) or a near miss (having
stopped somewhere along the accident pathway).
The SCAT Root Cause Methodology
SCAT was developed in the 1980s by Frank Bird [1). 'lt is
based on the DNV GL Loss Causation Model (Figure 3). This
model when used from right to left, to investigate incidents,
is the SCAT approach. This shows that a Loss (e.g., occupa-
tional accident, fire, or near-miss event) is created by an Inci-
dent. Incidents have an Immediate Cause, which is
categorized as due to Substandard Acts or Substandard Con-
ditions, these in turn have a deeper Basic Cause, which is
categorized as due to a Personal factor or a Job/System Fac-
tor. These basic causes lead to the management system lack
of control areas which may be in need of corrective action.
The corrective action type will depend on whether the lack
DOI 10.1002/prs December 2015 329
 Figure 2. Bow tie diagram elements.
Lack of Basic Immediate
Control Causes Causes
~ ~
Inadequate
~ Penonal
Ftetors ~ Subtllncllfd
AdalPtactlcios
• Syattm
• Standatdl
• ComJ)Manco ~ Job/System
Factors ~
Subtllncllrd
Conclillont
Figure 3. Loss causation model. [Color figure can be viewed in the online issue, which is available at wileyonlinelibrary.
com.]
of control is due to an inadequate system, inadequate standards
within the system, or poor compliance to those standards.
The aim of SCAT is that it can be applied to all incidents
or near-miss events by supervisors, who have some training
in investigation, but who are not specialists. To aid them in
the correct categorization of immediate and basic causes, the
SCAT system has predefined categories of substandard acts
and conditions, and similarly for personal and job factors.
Supervisors, after collecting all needed evidence (interviews,
documents, photographs, etc.) would refer to these lists to
most closely match the incident immediate and basic causes
to the available categories. The current SCAT (version 8) has
immediate cause categories with 28 substandard acts and 21
substandard conditions, some examples are shown in Table
2.
., The list of basic causes is longer and to make this man-
ageable these are divided into main categories and subcate-
gories. There are 8 personal factors and 10 job/system
factors, and each of these has around 8-20 subcategories,
giving a total of over 200 subcategories. A sampling of these
is provided in Table 3.
The purpose of these lists of categories is to help the user
define correctly the immediate and basic causes. Without
such a list, it might be possible to confuse causes and assign
a basic cause as an immediate cause, or to list two immedi-
ate causes as the immediate and basic cause combination.
This would not point correctly toward the lack of control
issue and a faulty corrective action might be developed.
When assigning categories there is no restriction to a single
330 December 2015 Published on behalf of the AIChE
Incident Loss
~
~ Event Unlnlended
Hann
Ot
~ Damage
immediate or basic cause, in fact most incidents have multi-
ple immediate and basic causes. These lists have been the
subject of careful revision over the years and the current list
(SCAT 8:PSM) is considered effective to due to the large
numbers of SCAT and ISRS users (and tens of thousands of
applications), the feedback received, and the updates
implemented.
The lack of control categories should match the facility
safety management system. If this is the risk-based Interna-
tional Safety Management System (ISRS v8 [5]) then this has
15 elements, if it is based on the CCPS Risk Based Process
Safety [4] then this will have 20 elements.
BSCAT METHOD
Accidents can be converted from a traditional description
or storyboard diagram into a bow tie pathway showing the
barriers that were degraded or failed. This pathway can be
in the form of a bow tie diagram with a single top event in
the center and barriers on either side, or as a sequence of
intermediate events with barriers around these. The
sequence can be initiated by a single failure (e.g., dropped
object) or by multiple failures (e.g., corrosion and excess
pressure). Similarly, there can be one or more consequences
(e.g., safety, environment, asset damage, etc.). An advantage
of the bow tie diagram format is that the incident analysis
can link directly back to the facility risk assessment
diagrams.
The BSCAT methodology follows the CCPS [2] approach
in terms of collecting evidence (physical/positional,
DOI 10.1002/prs Process Safety Progress (Vol.34, No.4)
Table 2. Examples of SCAT list of immediate causes
Substandard Acts
Operating equipment without authority
Failure to warn/secure
Making safety devices inoperative
Using defective equipment
Improper operation of equipment
Improper employee/management behavior
Being under the influence of alcohol or other drugs
Etc.
Table 3. Examples of SCAT list of basic causes (categories with subcategories).
Personal Factors
Inadequate Physical/Physiological Capability
Inappropriate height, weight, size, strength, etc.
Restricted range of body movements
Substance sensitivities
Inadequate Mental/Psychological Capability
Fears and phobias
Mental illness/ emotional disturbance
Intelligence level
Etc.
photographs/video, witness statements, paper records, and
electronic data) and organizing this with the aid of a timeline
or storyboard. This collates multiple different sources and
helps resolve conflicts in evidence. The new part involves
reviewing the existing bow ties and selecting the bow tie
most closely matching the actual incident and selecting among
the threat and consequence arms for those relevant to the
incident, other arms can be neglected (e.g., in an event
caused by a dropped object leading only to asset damage,
other causes such as corrosion or process disturbance and
environmental or safety consequences may be neglected).
The BSCAT approach combines the incident bow tie with
the SCAT analysis. Each barrier failure is treated as an inci-
dent and a SCAT analysis is applied, no change is needed to
the SCAT categories. The difference between a traditional
SCAT and BSCAT is shown in Figure 4. It might be assumed
from this figure that BSCAT requires significantly more effort
than SCAT, but this is not the case. All the barriers that failed
and are analyzed in BSCAT need to be identified and
assessed in SCAT as well, but now there is no barrier count
to guide how deep the analysis should proceed. Using the
barrier model, all the barrier failures must be developed.
WORKED EXAMPLE-BUNCEFIELD INCIDENT
The Buncefield incident provides a good example show-
ing application of the BSCAT methodology and uses an inci-
dent that is well known publicly. The incident has been well
investigated and the HSE [10] published a summary report
with their overall assessment as to causes, which were seen
to be due to a series of "broader management system fail-
ings." The authors have used this report exclusively as the
source of information for this BSCAT worked example.
The Buncefield Oil Storage Depot explosion and fires
occurred on December 11, 2005 at an oil storage facility
located just north of London. A storage tank was overfilled
with unleaded gasoline, which escaped over the rim of the
tank, causing the loss of about 300 tonnes of fuel. The
splashing to ground formed a massive vapor cloud in still
Process Safety Progress (Vol.34, No.4) Published on behalf of the AIChE
Substandard Conditions
Inadequate or improper protective equipment
Failure to reach business goals and/or objectives
Presence of fire and/or explosion hazards
Inadequate information data/indieators
Inadequate preparation/planning
Inadequate support/assistance/resources
Inadequate EQSH system
Etc.
Job/System Factors
Inadequate Leadership and/or Supervision
Unclear or conflicting reporting relationships
Lack of supervisory/management job knowledge
Improper or insufficient delegation
Inadequate Maintenance Inspection and Controls
Inadequate inspections
Part substitution
Etc.
weather which eventually found an ignition source and
caused a series of explosions and resulting fires, involving 20
large storage tanks. Analysis of damage and later experi-
ments at the DNV GL Spadeadam test site showed this was
probably a DDT event-Deflagration to Detonation Transi-
tion. There were no fatalities in the adjacent business park as
the event occurred on a Sunday morning; however, there
was significant prope1ty damage and environmental impact.
The HSE report allowed a series of intermediate or key
events to be determined. These events are points at which
the potential for an incident either increased or decreased,
that is, control was lost or regained. The key events help
prompt for barriers that were, could, or should have been in
place. It is possible for different analysts to choose different
sets of key events, but the barrier failures all need to be
mapped and well selected events help identify all these. For
Buncefield, DNV GL has identified the following key events:
• Filling the Tank with Gasoline (the threat)-Note this is a
threat as it will lead to the top event if control is lost.
• Bulk Storage of Gasoline/Overfill, spill and formation of
vapor cloud (top event).
• Ignited Release causing Explosion and Fire (the conseql1ence).
These key events relate directly to the Cause, Top Event
and Consequence of an incident bow tie pathway. Since
there were no preexisting bow ties, the incident bow tie had
to be created from first principles. It can be useful to choose
several intermediate key events as this encourages deeper
thinking about the incident and associated barriers. It is also
recommended that possible barriers that could have been in
place according to legislation, company standards and/or
international best practices etc. should be mapped, even if
not present, but they would be shown as "missing" barriers.
Once added to the diagram, the barriers can then be clas-
sified as one of the following types: present and operational
(i.e., worked as designed), missing, failed, or low reliability
(while this is not truly a state, it is a useful category wherejt
is unclear if the barrier actually did work or not and · thus
DOI 10.1002/prs December 2015 331
 Traditional SCAT BSCAT Method

Prevention Con1rots Mttlpdon Controls

Threat

Type of Event - Common to all

~..,...._

R~t
.Actlottt•~
Rtcoilc•*l U ll' I 11
,,.... .,.._
AI co llllftWt61d ~-
ActioM to....,_
R~tddon:s.

Figure 4. Comparison of SCAT and BSCAT approach.

Part a)

I
c c c c Bulk storage of ....
GHoNne /
FIDlng ofT•nk ~ ~ ~ i=I Overfill, aplll and

l Automatic Tank Inst•btlon

Padlock (LcKked Open)
NqulNd to •RAUN
Independent High
fonnatlon of
v•pour cloud.
Gauging Sytltem lndructkln• Level Switch (IHLV)
oper•llonaL

Part b)

Bulk storage of
Gasoline I Ignited Release
Overfill, spill and causing Explosion
formation of
vapour cloud. Tank Dike - Secondary Emetgency Response
Ignition Control
containment Procedures

Figure 5. Key events and barriers summary.

prevents an accurate classification). For the Buncefield inci-
dent, Figure 5 shows an extract of key events and barriers,
only half the barriers are shown to aid clarity, with the left
and right segments shown vertically to improve readability.
All barriers have been assumed to have failed (shown as bro-
ken bars).
The next stage in the BSCAT analysis is to complete the
SCAT (or root cause analysis) for each of the barriers, and
this is shown in Figure 6. The SCA:r d ,1elopment app ar as
text boxes b neath each barrier. R ferring to the first barrier
in Figure 5 (automatic tank gauging system), the top two
boxes are the immediate cause and its category (here IC21:
defective equipment), the next two are the basic cause and
its category (BC13: inadequate maintenance/inspection), and
the bottom two are the finding or recommendation and the
safety management system category (MSFl0.3: execution of
maintenance).
Figure 6 also shows two display formats: the BSCAT
results in full and partial modes. In full mode (Part a) the
free text description and associated SCAT categories are

332 December 2015 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.34, No.4)
 Part a)

Bulk Storage of
Gasoline I
~ ~ r='.'.'! overfill, •pill and
formation of
Padlock (Locked Open) vapour cloud.
Automatic Tank Installation Independent High
required to ensure
Gauging System Instructions Level switch (IHLV)
operational.

Gouge Drum become Switc/1 supplier did Padlock 11ot installed

stuck 011d did 11ot not indicate need for as per instruction.
indicate the rising padlock 011 switch to
IC17 Failure to
level. the installer.
Follow Procedure I
IC21 Oefccllve IC2 Failure to Instruction
Tool/Equipment Inform/Warn Lack of
Toleration of Tl1ere was understanding of
repeated gauge insufficient padlock safety
faUure. information transfer fu1Jction.
as to criticality of
BC13 Inadequate BC5 Lack of
Maintenance/Inspec
padlock. Knowledge
ti on BC18.6 Inadequate Provide
Identify ond ensure transfer of understanding of all
relloblllty of safety information with lHLVsafety
critical equipment suppliers/ contractor functions.
s/third parties
MSF10.3 Execution MSF9 RISK
of Maintenance Information transfer CONTROL
and training
require1nents for
new equipment
should be
established.
MSFll CONTRACTOR
MANAGEMENT/
PURCHASING

.·
Part b)

Bulk Storage of
Gasoline I Ignited Release
overfill, spill and ~ ~ ~ Causing Explosion
formation of
vapour cloud. Tank Dike - Secondary Emergency Response
Containment Ignition Control Procedures

. /
V/Jpor cloud created Vapor cloud wa s
by spill over wind Ignited onslte In
girder. ne11rbv utllltv
buildlng.
Vapor cloud not
antic/(Jltled by P/IA/UAZDP OIO not
design team and antidpate D large
PHA / HAZOP, and vapor cloud and the
hence major hazard potenrial for Ignition
risk of overspill. of drlfring
flammable clouds.
Better aw11reness of
major hazard A determination of
potent/11111nd need potential vapor
for prevention. cloud e vents Is
needed so th11t t/leir
l1azards can be
properly assessed.
T/1e potential for o
detonation event
needs to be
considered If dense
vegetation Is ne11rby.
Multiple tank and
dike fires occur with
very large volumes
of polluting
firewater run-off.
Emergency
arrangements and
procedures were not
adequate to deaf
with worst case
scenario event
CiJusing escalation.
Emergency response
orrangements need
to be improved to
oddress the
potent/al for
explosion and tonk
fire escalation.

Figure 6. BSCAT analysis for Buncefield incident.

displayed and in partial display mode (Part b) only the free
text description is displayed. The full display mode is nor-
mally only used by the analyst, to ensure that the free text is
correctly categorized as a valid immediate or basic cause and
to collect statistics as to longer term trends of causes. Neither
of these is directly important to readers of the investigation
and by removing these, Part b) in the figure, the BSCAT dia-
gram is simpler to read and would be the normal format of
presentation.
CONCLUSIONS
The BSCAT method was developed to update the well-
established SCAT method by addressing the barrier theory of
accident causation. It provides a transparent linkage to the

Process Safety Progress (Vol.34, No.4) Published on behalf of the AIChE DOI 10.1002/prs December 2015 333
risk management system and to modern risk-based manage-
ment systems, and compared to other investigation systems it
has a good balance between level of detail and formal strnc-
ture. Its simplicity and use of checklist categories and if they
exist, the use of preconstructed bow tie risk diagrams help
both experienced analysts and supervisors to apply the
method to all incidents or near miss events. This allows
every incident to identify not only the management system
root causes, but also to document which safety barriers failed
or were degraded, and also importantly those which
worked.
A feature of bow ties is that many barriers repeat between
different bow ties and even different arms of the same bow
tie. For example, if on one incident bow tie the cause is
related to failure to calibrate inspection equipment, then that
same barrier in otherwise unrelated bow ties would also be
suspect. This is not a definitive failed state, but a useful
warning that the second barrier might be degraded. Software
can automatically detect and communicate such common
failures and display these on all the bow ties where that bar-
rier appears, it does not require active intervention or insight
by a safety specialist. Thus over time, owners of bow ties
will see many of the barriers overlaid with failure events
(often from other bow ties and other incidents). This is a vis-
ual indication of robustness of the barrier system against
each threat and a powerful lessons learned feature.
The authors have applied the BSCAT method on multiple
occasions and generally have found it aids in communication
of the final results as recommendations are directly linked to
barrier failures. A paper [11] was presented comparing
BSCAT analysis of an incident to a Chemical Safety Board
investigation. The authors concluded that the recommenda-
tions for improvement were more tightly linked to specific
barrier failures. It tends to reduce good practice recommen-
dations, not directly related to the incident causation, which
can sometimes confuse investigations. These are better cap-
tured as additional findings.
The visual nature of the result merges some features of an
extended storyboard diagram (extended as BSCAT shows
causal links between failures) with the root cause of each
334 December 2015 Published on behalf of the AIChE
failure. This enhances communication and allows the facility
risk assessment to be reinforced with every investigation.
Faulty risk assessments will be quickly identified and recti-
fied, without waiting for a five year revision requirement.
ACKNOWLEDGMENT
Images in this article were created in IncidentXP Software
from CGE Risk, Leidshendam, The Netherlands.
LITERATURE CITED
1. F. Bird, G. Germain, and D. Clark, Practical Loss Control
Leadership, 3rd Edition, DNV GL, Atlanta, 2003.
2. CCPS, Guidelines for Investigating Chemical Process Acci-
dents, 2nd Edition, Wiley/AIChE, New York, 2003.
3. Occupational Safety and Health Administration, Process
Safety Management of Highly Hazardous Chemicals Reg-
ulation, OSHA 29 CFR 1910.119, 1992.
4. CCPS, Risk Based Process Safety, Wiley/AIChE, New
York, 2007.
5. DNV GL, International Safety Rating System (ISRS 8th
Edition), Manchester, UK, 2012.
6. C. Zuijderduijn, Risk management by Shell refinery/
chemicals at Pernis, The Netherlands, In: EU Safety Con-
ference: Implementation of the Seveso II Directive, Ath-
ens, 2000.
7. UK Parliamentary Office of Science and Technology,
Managing Human Error, Report 156, London, 2001.
8. R. Pitblado and P. Weijand, Barrier diagram (bow tie)
quality issues for operating managers, Process Safety Pro-
gress 33 (2014), 355-361.
9. CGE Risk, Bow Tie XP Software Manual, Leidschendam,
The Netherlands, 2010.
10. Health and Safety Executive, Buncefield: Why did it happen?
Available at http://www.hse.gov.uk/comah/buncefield/bun-
cefield-report.pdf, Accessed on November 25, 2014.
11. R. Pitblado, M. Fisher, and A.J. Benavides, Linking inci-
dent investigation to risk assessment, In: Mary Kay
O'Connor Process Safety Conference, College Station,
October 2011.
DOI 10.1002/prs Process Safety Progress (Vol.34, No.4)