Bow-tie diagram

A bow-tie diagram is a graphic tool used to describe a possible damage process in terms of the mechanisms that may initiate an event in which energy is released, creating possible outcomes, which themselves produce adverse consequences such as injury and damage. The diagram is centred on the (generally unintended) event, with credible initiating mechanisms on the left (where reading of the diagram starts) and resulting outcomes and associated consequences (such as injury, loss of property, damage to the environment, etc.) on the right. Needed control measures, or barriers, can be identified for each possible path from mechanisms to the final consequences. The shape of the diagram resembles a bow tie, after which it is named. [1]

A bow-tie diagram can be considered as a simplified, linear, and qualitative representation of a fault tree (analyzing the cause of an event) combined with an event tree (analyzing the consequences), [2] although it can maintain the quantitative, probabilistic aspects of the fault and event tree when it is used in the context of quantified risk assessments. [3]

Bow-tie analysis is used to display and communicate information about risks in situations where an event has a range of possible causes and consequences. A bow tie is used when assessing controls to check that each pathway from cause to event and from event to consequence has effective controls, and that factors that could cause controls to fail (including management system failures) are recognized. It can be used proactively to consider potential events and also retrospectively to model events that have already occurred, such as in an accident analysis. The diagram follows the same basic principles as those on which fault tree analysis and event tree analysis are based, but, being far less complex than these, is attractive as a means of rapidly establishing an overall scope of risk concerns for an organisation, only a few of which may justify those more rigorous and logical methods. [4] [5]

Bow-tie diagrams are used in several industries, such as oil and gas production, the process industries, aviation, and finance. [1] [6]

History

It has been commonly noted that the earliest mention of the bow-tie methodology appeared in the Imperial Chemical Industries (ICI) course notes of a lecture on hazard analysis given at the University of Queensland, Australia, in 1979. [1] [7] Other sources point to Derek Viner (in the same year) at the then Ballarat College of Advanced Education (now the Federation University of Australia), who drew it as an aid to visualization of his generalized time sequence model (GTSM) for damage processes. [5] [8] The more complex risk analysis tools of fault tree analysis and event tree analysis use the same principle: things go wrong, there is a reason for that and a result too, with the result generating the adverse consequences. The bow-tie diagram introduces the concept of a central energy-based event (the "bow tie knot") in which the damaging properties of the energy are no longer under control, so that they result in outcomes and consequences. [5] [3]

Royal Dutch Shell is considered to be the first major company to successfully integrate bow-tie diagrams into their business practices, at least since the early 1990s. [1] [9] [10]

Logic and structure of the diagrams

Figure: Bow-tie diagram elements and structure

Bow-tie diagrams contribute to the identification, description and understanding of the different types of hazards that can arise in a given situation, facility or production process. They also help identify the relevant risk control measures (barriers) for a given hazard.

The fact that scientific effort benefits greatly from a focus on the process giving rise to the phenomenon of interest is well known in several scientific domains, as noted by William Haddon. [11] The generalized time sequence model (GTSM) was developed in the 1970s by Viner as a process model suited to understanding this process for the phenomenon of unwanted damage. Bow-tie diagrams are a simplified extract of this, conceived of (and then named by students) during a lecture to assist explanation. [5]

Bow-tie diagrams are centred on a central event in which the energy necessary to bring about the ultimate undesired consequences is released. In William Rowe's seminal work, which explained half of the process of damage, the event of interest is defined as what produces outcomes and consequences of interest, and outcomes as what results from an event. [12] Derek Viner resolved this circularity by defining the event as "the point in time when control is lost of the potentially damaging properties of the energy source of interest." This is sometimes referred to as the top event (a fault-tree term) or the critical event. Thus, a bow-tie analysis is centred on an energy-based event. The need for energy sources in any damage process had been noted by Lewis DeBlois as early as 1926 [13] as well as by Gibson [14] and Haddon [11] in the decade prior to the introduction of the bow-tie diagram. It is evident that any central event may be originated by more than one mechanism and that, following the release of energy, a number of different outcomes may result. As Rowe made clear, it is these various unwanted outcomes that produce the adverse consequences of injury, damage, etc. [12]

Credible initiating mechanisms (which some call causes, triggers, threats, etc.) are shown on the left of the central event, and its ultimate outcomes and consequences, such as injury, loss of property, damage to the environment, etc., on the right. This left-to-right flow of the process is also a time axis. Control barriers, either hard/engineered or administrative/procedural, are identified for each path from the mechanisms to the final outcomes.

For example, pressure in a process vessel is a form of energy that can be released if containment is breached (the central event). Possible mechanisms for breach of containment, shown to the left, include structural degradation (abrasion, corrosion, fatigue), spurious pressurization above design limits, inadvertent opening, etc. Shown to the right of the central event are the results/outcomes of the release (e.g., noise, blast overpressure propagation, flying debris, loss of fluid, etc.). Once the mechanisms, the outcomes and the subsequent routes to adverse consequences are understood, the analyst can ensure that control measures (often now called barriers) exist to stop the initiating mechanisms from resulting in the central event and the central event from leading to the ultimate unwanted outcomes and consequences. Left-hand side (mechanism) control measures are, in this example, external and internal surface coatings, vessel inspection (internal and external), wall thickness measurements, pressure safety valves, etc. While some are relevant to design and commissioning, others are relevant to maintenance and condition monitoring. Outcome (right-hand side) control measures in this example would include nearby structures designed to withstand the modelled blast overpressure.

Bow-tie diagrams are typically a qualitative tool, used for simple damage process analysis as well as for illustrative purposes, such as in training courses for plant operators and in support of safety cases. However, a different type of bow-tie diagram exists that is better suited to supporting quantified risk analysis. This diagram is essentially the combination of a fault tree and an event tree and maintains the Boolean and probabilistic features of those approaches. [3]
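The following is an added example, not code from the article or any bow-tie software package: it encodes the pressure-vessel bow tie described above as a small data model, runs the qualitative check that every mechanism-to-event and event-to-outcome path has at least one barrier, and then carries out the quantified variant in which the left side is a fault-tree OR gate over the mechanisms and the right side is a set of event-tree branches. All initiating frequencies, conditional probabilities and barrier probabilities of failure on demand (pfd) are constructed values, and the independent-barriers-in-series and rare-event (frequencies add) assumptions are simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Barrier:
    """A control measure on one path; pfd = probability of failure on demand."""
    name: str
    pfd: float


@dataclass
class Path:
    """A left-hand mechanism (rate = initiating frequency per year) or a
    right-hand outcome (rate = conditional probability given the central event)."""
    name: str
    rate: float
    barriers: List[Barrier]

    def barrier_failure(self) -> float:
        # Assumed independent barriers in series: the path propagates only if all fail.
        p = 1.0
        for b in self.barriers:
            p *= b.pfd
        return p


@dataclass
class BowTie:
    central_event: str
    mechanisms: List[Path]
    outcomes: List[Path]

    def unprotected_paths(self) -> List[str]:
        # Qualitative check: every path through the bow tie needs at least one barrier.
        return [p.name for p in self.mechanisms + self.outcomes if not p.barriers]

    def event_frequency(self) -> float:
        # Fault-tree OR gate over the mechanisms (rare-event approximation: frequencies add).
        return sum(m.rate * m.barrier_failure() for m in self.mechanisms)

    def outcome_frequencies(self) -> Dict[str, float]:
        # Event-tree branches: each outcome's conditional probability, reduced by its barriers.
        f = self.event_frequency()
        return {o.name: f * o.rate * o.barrier_failure() for o in self.outcomes}


def pressure_vessel_bowtie() -> BowTie:
    """The article's loss-of-containment example; all numeric values are constructed."""
    return BowTie(
        central_event="loss of containment of a pressurised vessel",
        mechanisms=[
            Path("corrosion", 0.1, [Barrier("surface coating", 0.1),
                                    Barrier("wall thickness inspection", 0.2)]),
            Path("overpressure", 0.5, [Barrier("pressure safety valve", 0.01)]),
            Path("inadvertent opening", 0.05, []),  # left without a barrier on purpose
        ],
        outcomes=[
            Path("blast overpressure", 0.3, [Barrier("blast-resistant structures", 0.1)]),
            Path("flying debris", 0.5, []),  # also unprotected, so the check must flag it
        ],
    )
```

An unprotected path is the first thing to report from such a model, because no frequency estimate is meaningful for a path the analysis shows has no control at all.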

Use in various domains

Bow-tie diagrams are used in various disciplines and domains, including for example:

Several software packages are available in the market for bow-tie diagram creation and management.

References

  1. Center for Chemical Process Safety (CCPS); Energy Institute (EI) (2018). Bow Ties in Risk Management. Hoboken, N.J.: John Wiley & Sons. ISBN 9781119490388.
  2. IEC; ISO (2019). Risk Management – Risk Assessment Techniques. IEC 31010 (2.0 ed.). Geneva, Switzerland: International Electrotechnical Commission. ISBN 978-2-8322-6989-3.
  3. de Ruijter, A.; Guldenmund, F. (2016). "The Bowtie Method: A Review". Safety Science. 88: 211–218. doi:10.1016/j.ssci.2016.03.001. eISSN 1879-1042. ISSN 0925-7535.
  4. IEC; ISO (2019). Risk Management – Risk Assessment Techniques. IEC 31010 (2.0 ed.). Geneva: International Electrotechnical Commission. ISBN 978-2-8322-6989-3.
  5. Viner, Derek (2015). Occupational Risk Control: Predicting and Preventing the Unwanted. Abingdon, England and New York, N.Y.: Routledge. ISBN 978-1-4724-1970-5.
  6. "Introduction to Bowtie". UK Civil Aviation Authority. Archived from the original on 7 December 2023. Retrieved 17 March 2024.
  7. "Bowties – History". BowTie Pro. Archived from the original on 17 June 2016.
  8. Donaldson, Craig (December 2016). "Time for OHS to Understand the Science of Risk". OHS Professional. No. December 2016. Safety Institute of Australia. pp. 18–22. ISSN 1837-4980.
  9. Sneddon, James. "Practical Application of Bowtie Analysis" (PDF). Chemical Institute of Canada. Archived (PDF) from the original on 26 October 2022. Retrieved 14 July 2023.
  10. Rausand, Marvin (2011). Risk Assessment: Theory, Methods, and Applications. Hoboken, N.J.: John Wiley & Sons. ISBN 978-0-470-63764-7.
  11. Haddon, Jr., William (1973). "Energy Damage and the Ten Countermeasure Strategies". Human Factors. 15 (4): 355–366. doi:10.1177/001872087301500407. eISSN 1547-8181. ISSN 0018-7208. PMID 4743998.
  12. Rowe, William D. (1977). An Anatomy of Risk. New York, N.Y. etc.: John Wiley & Sons. pp. 29, 456, 462. ISBN 0-471-01994-1.
  13. DeBlois, Lewis Amory (1926). Industrial Safety Organization for Executive and Engineer. New York, N.Y.: McGraw-Hill Book Company, via Internet Archive.
  14. Gibson, J. (1961). "The Contribution of Experimental Psychology to the Formulation of the Problem of Safety: A Letter for Basic Research". In Jacobs, Herbert J. (ed.). Behavioral Approaches to Accident Research. New York, N.Y.: Association for the Aid of Crippled Children.
  15. Bernsmed, K.; Frøystad, C.; Meland, P.H.; Nesheim, D.A.; Rødseth, Ø.J. (2018). "Visualizing Cyber Security Risks with Bow-Tie Diagrams". In Liu, P.; Mauw, S.; Stolen, K. (eds.). Graphical Models for Security. 4th International Workshop, GraMSec 2017, Santa Barbara, CA, USA, August 21, 2017, Revised Selected Papers. Springer, Cham. ISBN 978-3-319-74860-3.
  15. Bernsmed, K.; Frøystad, C.; Meland, P.H.; Nesheim, D.A.; Rødseth, Ø.J. (2018). "Visualizing Cyber Security Risks with Bow-Tie Diagrams". In Liu, P.; Mauw, S.; Stolen, K. (eds.). Graphical Models for Security. 4th International Workshop, GraMSec 2017, Santa Barbara, CA, USA, August 21, 2017, Revised Selected Papers. Springer, Cham. ISBN   978-3-319-74860-3.