PT Notes
Challenges in Constructing Bow Tie Diagrams - Threats and Consequences
PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.
This PT Note is the second in a series on challenges faced by process safety practitioners in constructing bow tie diagrams. It addresses the specification of the threats and consequences in a bow tie diagram.
Bow tie analysis (BTA) involves the construction of diagrams that depict how prevention and mitigation barriers (i.e. safeguards) protect against threats (i.e. initiating events) that can cause hazardous events, or so-called top events, resulting from loss of control over a hazard, and the adverse consequences that can arise from them. Degradation factors that impair barriers and the controls used to protect against them often are also depicted.
Threats and consequences must be defined in order to develop bow tie diagrams. They are the starting and ending points of the hazard scenarios depicted by a bow tie diagram. Often, they are obtained from process hazard analysis (PHA) studies. However, care must be exercised to ensure PHA scenarios are accurately transposed into the bow tie diagram and also to avoid omitting important scenarios. Typically, bow tie diagrams are not developed for all hazard scenarios from a PHA study. Rather, they are developed only for the most important scenarios. Risk ranking can be used to assist in their selection.
Threats and consequences must be specified clearly to ensure that the appropriate barriers are identified, process risks are depicted clearly, and iterations and revisions in bow tie construction are minimized. This PT Note addresses the principal challenges faced by practitioners in specifying the threats and consequences for a bow tie diagram in light of the subjective judgement required for the construction of bow tie diagrams.
Some practitioners address threats first. Others address consequences before threats because it can help in defining threats. However, the order of consideration is optional.
Threats
Threats are reasons for the loss of control of the hazard that leads to the top event. They are also called “causes” and “initiating events”. A threat leads directly to the top event if the pathway to it is not prevented by a barrier. Usually, there are multiple threats for each top event. Threats are placed on the left side of top event in the bow tie diagram.
Threats should have a direct causation and the causal relationship between the threat and the top event must be clear without additional explanation. For example, for the top event, “Loss of hexane from tank TK1", the threat, “Pump fails”, does not have direct causation. Rather, “Transfer pump fails on” is better because it makes the threat scenario more specific which helps in identifying specific barriers that leads to better risk management.
Threats should be specific so that they result in the identification of specific barriers which is necessary for the control of risks. Generic threats lead to generic barriers. For example, “Low ambient temperature” is too generic. Rather, “Low ambient temperature resulting in freezing of water supply line” is better.
Threats should be sufficient to lead to the top event. Thus, a threat is not sufficient if it can only cause the top event in combination with another threat. When two or more threats are required together to cause the top event, they should be combined into a single threat. For example, the failure of the level controller on a fractionation column by itself may be insufficient to overload a flare system. Rather, the failure of level controllers on two columns at the same time may be needed to overload the flare system.
Consequences
Consequences are the harm or damage that results from the realization of a hazard, e.g. an operator fatality, not a chemical release. They are placed on the right side of the bow tie diagram. One top event may have multiple consequences.
Consequences should be specific to aid in deciding on needed risk reduction measures. For example, “Groundwater contamination by toluene” is better than “Environmental impact”. Consequences should provide an indication of their scale or magnitude, e.g. multiple fatalities versus a single fatality. This practice is useful when designing mitigation barriers.
Consequences should identify the particular receptor(s) impacted, and include the event leading to the harm or damage, e.g. “Operator fatalities due to fire“ and “Public fatalities due to an explosion”. The two consequences may call for different mitigation barriers because of the different receptors and the different events leading to harm. Alternatively, the event leading to harm or damage can be included in the definition of the top event.
Consequences should not be combined at the outset because their barriers may be different. However, if all the barriers for different pathways are the same, consequences can be combined and shown for a single pathway. This practice reduces the size of the diagram which supports more effective communication, a key purpose in using bow tie diagrams.
It is challenging to construct bow tie diagrams correctly without iteration. Careful specification of threats and consequences helps to minimize revisions.
If you would like further information, please click here.
To comment on this PT Note, click here.
You may be interested in:
Copyright © 2020, Primatech Inc. All rights reserved.