How To Perform Bow Tie Analysis

The document describes a procedure for conducting bow tie analysis (BTA) using bow tie diagrams. BTA graphically displays hazard scenarios, threats, top events (loss of control), consequences, and prevention and mitigation barriers. The procedure involves 12 steps, including preparing for the study, selecting the hazard and top event, identifying consequences and threats, identifying barriers, optionally identifying degradation factors and recording barrier details, reviewing and analyzing the bow tie diagram. The document provides definitions for key BTA terms and an introduction to constructing bow tie diagrams.

Uploaded by

Kareem Rasmy
Copyright
© All Rights Reserved
Primatech White Paper - How to Perform Bow Tie Analysis

Bow tie analysis (BTA) is an increasingly popular tool used to graphically display
hazard scenarios and the barriers that protect against them so that necessary
actions can be taken to protect their integrity.

A procedure for conducting BTA is described in the Primatech white paper, How
to Perform Bow Tie Analysis.

PRIMATECH WHITE PAPER

HOW TO PERFORM BOW TIE ANALYSIS (BTA)

Glossary of Terms

Barrier: A control measure or grouping of control elements that on its own can
prevent a threat developing into a top event (prevention barrier) or can mitigate
the consequences of a top event once it has occurred (mitigation barrier). A
barrier must be effective, independent, and auditable. Also called an
Independent Protection Layer.

Barrier details: Information on the function, type, elements, criticality, owner, and
performance data for a barrier.

Barrier element: An individual component of a barrier system. Usually, it detects
the existence of a threat, decides what action is needed, or takes the action that
is needed.

Barrier function: The task or role of a barrier, e.g. relieve pressure.

Barrier system: A combination of barrier elements that collectively provides the
full functionality required of a barrier.

Consequence: The undesirable result of a loss event, usually measured in
health and safety effects, environmental impacts, loss of property, and business
interruption costs.

Control: See Degradation control.

Control details: Information on the function, type, elements, criticality, owner,
and performance data for a control.

Degradation control: A measure that helps to prevent a degradation factor from
impairing the function of a barrier. Degradation controls lie on a pathway
connecting the degradation factor to the barrier.

Degradation factor: A situation, condition, defect, or error that compromises the
function of a barrier through either defeating it or reducing its effectiveness. If a
barrier degrades, then the risks from the pathway on which it lies increase or
escalate, hence the alternative name of Escalation factor.

Degradation pathway: See Pathway.

Hazard: A potential source of harm. An operation, activity, or material with the
potential to cause harm to people, property, the environment, etc.

Mitigation barrier: A barrier located on the right-hand side of a bow tie diagram
lying between the top event and a consequence. It may only reduce the
magnitude of a consequence, not necessarily terminate the scenario before the
consequence occurs.

Mitigation pathway: See Pathway.

Pathway: A bow tie arm on which barriers or degradation controls are located. A
Main pathway is an arm connecting a threat to the top event, or the top event to
a consequence. They contain barriers. Alternative terms are Prevention pathway
and Mitigation pathway. Arms connecting degradation factors to a barrier are
termed Degradation pathways. They contain degradation controls.

Prevention barrier: A barrier located on the left-hand side of a bow tie diagram
lying between a threat and the top event. It must have the capability on its own
to completely terminate a threat sequence.

Prevention pathway: See Pathway.


Safeguard: Any device, system or action that would likely interrupt or assist in
interrupting the chain of events following an initiating cause, or that would
mitigate or help to mitigate the impacts of loss events. A barrier or a control.

Threat: An initiating event that can result in a loss of control or containment of a
hazard (i.e. the top event). Also called Cause and Initiating event.

Top event: A central event lying between a threat and a consequence
corresponding to the moment when there is a loss of control or loss of
containment of the hazard.

ABBREVIATIONS

Abbreviation   Meaning
BTA            Bow tie analysis
PFD            Process flow diagram
PHA            Process hazard analysis
PSM            Process safety management
P&ID           Piping and instrumentation drawing
QC             Quality control

Introduction

Bow tie analysis (BTA) involves the construction of diagrams that depict how
prevention and mitigation barriers and controls (i.e. safeguards) protect against
threats (i.e. initiating events) that can cause hazardous events, and the adverse
impacts (i.e. consequences) that can arise from them. Bow tie diagrams have
various uses including communicating process hazards to stakeholders, helping
to identify safety critical equipment and tasks, barrier management, and incident
investigation.

A bow tie diagram maps the threats that may lead to a hazardous event and its
undesired consequences in a graphical display that resembles a bow tie (see
Figure 1).

Threats appear on the pre-event side (left side) and consequences appear on
the post-event side (right side). The focal point of the diagram is the specific
loss, or hazardous event (top event), that results from a hazard and ties
together the initiating events and the consequences. There is a time progression
from the left to the right of the diagram. Items in the diagram are connected by
pathways or arms. Prevention barriers lie along the prevention pathway which
connects threats to the top event. Mitigation barriers lie along the mitigation
pathway which connects the top event to consequences.

This white paper provides a procedure for performing BTA and constructing bow
tie diagrams.

BTA Procedure

The following steps will be described:

1. Prepare for the study.

2. Brief the study team.

3. Select the hazard and top event to be analyzed.

4. Identify consequences.

5. Identify threats.

6. Identify prevention and mitigation barriers.

7. Optionally, identify degradation factors and controls.

8. Optionally, record details for barriers and controls.

9. Review the bow tie diagram.

10. Analyze barriers.

11. Perform a formal quality control (QC) review.

12. Revalidate the study, as required.

Step 1. Prepare for the study

Preparation is essential to ensure studies run smoothly. Several items should be
addressed:

• Define the purpose, scope, and objectives of the study

• Choose the BTA approach


• Select level of analysis

• Collect reference data needed

• Select a study team

• Select a method for recording the study

Define the purpose, scope, and objectives of the study

A statement of the purpose, scope, and objectives helps to ensure a study stays
focused and is performed completely. It helps to avoid the inclusion of
extraneous items and digressions during the performance of the study.
Sometimes the purpose, scope and objectives statement is referred to as the
study charter or terms of reference.

The purpose is the reason(s) why the study is performed. It must be defined
since it affects the way the study is performed, for example, the types of hazards
to be included and the types of consequences to be addressed. It helps ensure
the study outcome is consistent with the intention for the study.

Usually, the study purpose specifies the process or process unit that is the
subject of the study, the intended use of the bow tie diagrams, and their
intended audience, for example, operators, managers, and/or regulators.
Possible study purposes include meeting regulatory or company requirements,
providing resources for training, and assisting in management of change (MOC)
reviews.

An example purpose statement is:

Develop bow tie diagrams for the refinery crude unit to communicate major
process hazards to upper management.

The study scope specifies what is included in the study and it may also specify
what is excluded. Several items should be addressed in the scope statement:

• Range of events to be included

- Some options are:

- Only major consequence events.

- Only events required by process safety regulations.


- Only process safety, occupational safety, security, etc. events.

• Parts of a process to be considered

- An entire process may be covered or the focus may be on specific units or
areas within the process.

• Modes of operation to address

- The states of the process during its life cycle that will be addressed
must be identified, e.g. startup, normal operation, shutdown, emergency
shutdown, etc.

• Types of scenarios to include

- The focus may be on specific types of scenarios, such as high consequence,
high risk, etc.

• Possible restrictions on the number of top events

- They may be restricted to scenarios from PHA studies or brainstorming of
additional scenarios may be allowed.

- Process-wide or unit-specific bow ties may be developed.

• Inclusion / exclusion of barrier and control details

- Studies may or may not include the recording of details for barriers and
controls. Although it makes bow tie diagrams more complex and requires time to
formulate the information, it is needed to manage the risks of barriers and
controls.

• Assumptions

- Assumptions may be made during the study planning stage, e.g. preventive
maintenance is performed according to the mechanical integrity program.

- Additional assumptions may be made or discovered during the study.

- Assumptions should be documented and should not be made blindly.

- Assumptions must be justified / verified.

An example scope statement is:


Range of events to be included: Process safety events resulting from the
realization of major hazards.

Parts of a process to be considered: Ammonia refrigeration unit.

Modes of operation to address: Startup, normal operation, shutdown, and
emergency shutdown.

Types of scenarios to include: High risk and high consequence scenarios from
PHA as defined by the risk ranking scheme.

Possible restrictions on the number of top events: Address only scenarios from
the PHA study for the process.

Inclusion / exclusion of barrier and control details: Details are not recorded for
barriers or controls.

Assumptions: Training and preventive maintenance programs are effective
having been audited recently.

Study objectives specify what is to be considered, specifically, the types of
hazards and the types of consequences to be addressed. They are determined
by the study purpose. Hazards are potential sources of harm. Consequences
are the impacts of top events on receptors such as people, property, and the
environment.

An example objectives statement is:

Hazards: Flammability and explosibility.

Consequences: Impacts on employees, process equipment, and the
environment.

Choose BTA approach

Various approaches are possible for generating bow tie diagrams:

• Brainstorming by a team

• Generated by an individual practitioner and reviewed by a team

• Generated by an individual practitioner in consultation with knowledgeable
facility personnel

• Modification of existing similar bow ties by a team

• Modification of existing similar bow ties by an individual practitioner

The preferred approach is brainstorming by a team, developing bow tie
diagrams from scratch. The least preferred approach is construction by an
individual practitioner. The team approach is likely to lead to better results than
an approach that relies primarily on one individual. More experience and
perspectives are brought to bear by a team. Also, a team approach encourages
buy-in to bow ties by team members.

Select level of analysis

Several levels of analysis are possible:

• Basic

- Only the hazard, top event, threats, and consequences are identified.

• Standard without degradation factors

- Adds barriers to basic bow tie diagrams.

• Standard with degradation factors and controls.

- Adds degradation factors and controls to the standard bow tie diagram.

• Enhanced

- Details are documented for barriers and controls.

• Multi-level

- Shows controls supporting controls.

The level of analysis used is determined by the purpose of the study. For
example, if the purpose is communication of hazards, basic bow ties may be
sufficient whereas if the purpose is barrier management, enhanced bow ties will
be needed.

Collect reference data needed

Reference data, such as process flow diagrams (PFDs), piping and
instrumentation drawings (P&IDs), a plot plan, and hazardous chemical
information, are needed to conduct studies. Reference data must be available,
accurate, complete, and clear.

Select a study team

A team is led by a facilitator who guides the study and controls and motivates
team members. The facilitator must be knowledgeable in BTA and PHA,
possess facilitation and communication skills, and be able to understand the
process or operation being studied.

A scribe records the bow tie diagrams and documents discussions. The scribe
must be proficient with the means of recording the study and be able to
understand the technical discussions. The facilitator may act as the scribe.

The other team members formulate the bow tie diagrams under the guidance of
the facilitator. They should be subject matter experts in one or more aspects of
the process, such as engineering, operations, controls, maintenance, safety, etc.
Collectively, they must understand the full range of barriers and controls
deployed. Team members must attend all study sessions.

Typically, a team has 5 – 8 people, although it could be larger. However, as the
team increases in size, it becomes more difficult for the facilitator to manage the
team.

Select a method for recording the study

Studies can be recorded using pencil and paper, paper with sticky notes,
graphics software, or custom commercial software. Several custom commercial
software programs are available. They support different levels of display of bow
tie diagrams while storing details of barriers and controls.

Paper with sticky notes offers flexibility at a low cost while custom commercial
software provides convenience, but at a price. The size of computer screens
does limit what can be represented and viewed easily with software. Bow tie
diagrams become increasingly difficult to view as their complexity increases.
This issue may have the unfortunate result of constraining the depth and
breadth of the analysis to what can be conveniently viewed on the computer
screen. Paper or white board approaches may do a better job of encouraging
creative and expansive thinking for the initial construction of bow tie diagrams.

Step 2. Brief the study team

The following items should be addressed with the team before beginning the
construction of bow tie diagrams:

• Process description

• Project charter (statement of study purpose, scope, and objectives)

• Bow tie approach to be used

Training may be needed if the study participants are not familiar with BTA.

Step 3. Select the hazard and top event to be analyzed

BTA studies do not by themselves identify hazards or top events. Commonly,
they are obtained by consulting prior hazard identification studies such as
HAZID and HAZOP studies. Sometimes the BTA team may brainstorm
additional hazards and top events.

The hazard is shown in a bow tie diagram to provide clarity as to the source of
risk. Also, it defines the coverage of the bow tie diagram.

The potential for harm from a hazard is realized when control over the hazard is
lost, resulting in a hazardous event, or top event. A common type of top event in
process safety is one involving loss of containment. A hazard may result in
multiple top events. Each top event is described in a separate bow tie diagram.

An example of a bow tie diagram for a plant that contains a volatile hydrocarbon
in a pipeline under pressure is shown in Figure 2 for the hazard:

Volatile flammable hydrocarbons under pressure in pipeline L31-1, during
material transfer.

and the top event:

Large loss of hydrocarbon from line L31-1.

The hazard and top event are the starting point for constructing a bow tie
diagram. They must be defined carefully to ensure a useful bow tie is
constructed.

Guidelines for defining hazards are:

• Define hazards properly

- A hazard represents the potential for harm. Thus, flammability is a hazard but
fire is not.

• Do not combine hazards

- Separate bow tie diagrams should be used for each hazard.

• Address all hazards within the study objectives

• Address only those hazards specified in the study objectives

• Address multiple hazards of materials, as applicable.

• Be specific

- Generic hazards lead to generic bow tie diagrams which are of limited value.

• Express hazards in sufficient detail

- The level of detail provided for the hazard determines the level of detail in the
bow tie diagram.

• Identify the operation, activity, or material posing the hazard.

• Specify the type of hazard, e.g. toxicity, flammability, explosibility

• Specify the location of the hazard (geographical, process unit, etc.)

• Provide an indication of the magnitude of the hazard, e.g. amount of
hazardous material present

• Specify the circumstances under which the hazard occurs (mode of operation,
concurrent activities, etc.)

• Specify any other pertinent information, as applicable, e.g. storage or
processing conditions

• Do not confuse the hazard (potential for harm) with the top event (loss of
control over the hazard), or the consequences (actual harm).

Guidelines for defining top events are:

• Choose the best top event

- Generally, do not define top events so narrowly that multiple bow tie diagrams
are needed so that each one contains few threats and consequences.

- Also, do not define top events so broadly that the bow tie diagram has too
many threats and consequences making it complex.

• Select a suitable top event

- May be easy in some cases, e.g. loss of containment events.

- Less obvious top events may require some care to ensure the optimum one is
selected.

- Choose the best point in the time sequence of events to ensure a balance of
threats and consequences that does not skew the bow tie diagram to one side
or the other and provides for the correct placement of prevention and mitigation
barriers.

• Provide an indication of scale, e.g. small or large leak

Step 4. Identify consequences

Some practitioners address threats before consequences. However, addressing
consequences before threats can help in defining threats.

One top event may have multiple consequences. Usually, trivial consequences
are excluded from the analysis. Typically, consequences are identified by
consulting PHA studies or brainstorming.

An example of a bow tie diagram with consequences is shown in Figure 3.

Guidelines for defining consequences are:

• Define consequences properly

- Harm or damage from the realization of a hazard, e.g. operator fatality (actual
harm), not a toxic chemical release (not actual harm).

• Address all consequences within the study objectives

• Record only consequences within the study objectives

• Specify worst-case consequences

- Assume barriers fail.


• Identify consequences that result directly from the top event

• Be specific, e.g. “Groundwater contamination by toluene” rather than just
“Environmental impact”

• Identify the particular receptor(s) impacted

• Include the event leading to the harm or damage

- Different barriers can be required to stop or mitigate harm or damage
depending on the event leading to the harm or damage, e.g. “Fatalities due to
fire” may call for different mitigation barriers than “Fatalities due to an
explosion”.

• Provide an indication of the scale of the consequences, e.g. multiple fatalities
versus a single fatality

- Useful when designing mitigation barriers.

• Do not combine different consequences at the outset of the analysis

- Barriers may be different.

• If all the barriers for different pathways are the same, consequences can be
combined and shown for a single pathway. This practice reduces the size of the
diagram, which supports more effective communication.

Step 5. Identify threats

Threats are reasons for loss of control of the hazard leading to the top event. A
threat leads directly to the top event if the pathway is not prevented. Each
pathway from a threat to the top event represents a single scenario that could
directly and independently lead to the top event. Usually, there are multiple
threats for each top event. Threats are placed on the left side of the bow tie
diagram.

Threats are identified by consulting PHA studies or by brainstorming. They may
be equipment failures, human errors, or external events.

An example of a bow tie diagram with threats is shown in Figure 4.

Guidelines for defining threats are:

• Threats should be credible


• The set of threats should be complete

- All that can be identified.

• All threats should lead to all consequences

- Through the top event.

• Threats should provide descriptive information

- Needed to properly identify barriers and controls.

• Threats should have a direct causation

- Causal relationship between the threat and the top event must be clear without
additional explanation.

• Threats should be specific

- Generic threats lead to generic barriers.

- Specific threats result in the identification of specific barriers.

- Identification of specific barriers is more valuable in controlling risks.

• Threats should be sufficient to lead to the top event

- A threat is not sufficient if it can only cause the top event in combination with
another threat.

- When two or more threats are required together to cause the top event, they
should be combined into a single threat.

• An initiating event must lead directly to the top event

• If the barriers for different threats are the same, the threats can be combined
on a single pathway

- Reduces the size of the diagram, which supports more effective
communication.

• Do not formulate a threat as a barrier failure

- A barrier failure by itself does not lead to the top event, unless a barrier failure
is truly an initiating event.

• Do not exclude threats just because there are many barriers in place to protect
against them

- Barriers may fail.

- Barriers must be identified in order to manage possible degradation factors.

Step 6. Identify prevention and mitigation barriers

Barriers are measures to prevent or mitigate top events. They appear on the
main pathways of the bow tie diagram. The barrier function is the task or role of
a barrier, e.g. relieve pressure. A barrier system is a combination of barrier
elements that collectively provides the full functionality required of a barrier. A
barrier element is an individual component of a barrier system. It usually detects
the existence of a threat, decides what action is needed, or takes the action that
is needed.

Barriers must have the ability to prevent or mitigate a top event on their own and
they must meet certain validity requirements. Bow tie practitioners usually
identify barriers along the timeline for each threat by consulting PHA studies and
applying barrier validity requirements.

For validity, barriers must be:

• Effective

• Independent

• Auditable

A barrier is determined to be effective if it performs its intended function when
required and to the standard intended. Prevention barriers must be able to
completely stop the threat from leading to the top event. Mitigation barriers must
be able to eliminate or reduce the consequence.

A barrier is determined to be independent if it functions independently of other
barriers on the pathway, the threats, and the top event. Multiple barriers may fail
for the same reason due to common cause failures in which simultaneous (or
near-simultaneous) multiple failures result from a single shared cause. Shared
causes include failures of common utilities, errors by the same person, and
external factors such as environmental conditions.

A barrier is auditable if the adequacy of and adherence to the design,
inspection, maintenance, testing, and operating practices used to achieve the
other validity requirements can be demonstrated, for example, by inspecting
documents, reviewing records, interviewing people, and making observations.

An example of a bow tie diagram with prevention barriers is shown in Figure 5.


An example of a bow tie diagram with mitigation barriers is shown in Figure 6.

Barriers are the central element of a bow tie diagram. They must be defined
carefully to ensure a meaningful bow tie is constructed.

Guidelines for defining barriers are:

• Include all qualified barriers

- Engineered, human, organizational, etc.

• Include all barriers required by applicable codes, standards, practices, and
regulations

• Ensure barriers comply with current engineering standards

• Qualify barriers to ensure they meet validity requirements

- Effective, independent, auditable.

- Also, active barriers must provide all elements of “detect, decide, act”.

• Keep the number of barriers low by tailoring the bow tie diagram

- Makes the diagram more easily understood.

• Clearly identify barriers

- Use informative but concise names.

- Use tag numbers or other identifiers.

- Specify the barrier’s location if it is not obvious.

- Communicate clearly the specific function of the barrier.

- Often, a list of barriers is used outside the context of the bow tie diagram so
reliance cannot be placed on the context to show their meaning.

• Consider recording set points, if applicable

• Place barriers on the correct side of the top event where they deliver their
function or effect

- Barriers that act to prevent the top event from occurring are placed between
the threat and the top event.

- Barriers that act to mitigate the top event are placed between the top event
and the consequences.

• Address those prevention barriers that prevent the threat from ever occurring
or stop a threat that has occurred from leading to the top event

• Address those mitigation barriers that stop the consequence from occurring or
reduce its magnitude

• Place barriers on the bow tie diagram in the time sequence of their operation

- Order in which they are called upon to function.

• Generally, the same barrier should not appear on both sides of the top event

• Do not display barriers that are just elements of a single barrier

• Do not include measures that are not barriers

• Ensure barriers provide full coverage

- Effective against all instances of the threat or consequence.

• Consider recording details for barriers (needed for barrier management)

• Do not include multiple barriers that share common cause failures on the same
prevention or mitigation pathway

- Creates an illusion of safety.

- Include only one of them.

• Do not include degradation controls as barriers

Step 7. Optionally, identify degradation factors and controls


Degradation factors are conditions that can reduce the effectiveness of a barrier
to which they apply. Degradation controls are measures that support the main
pathway barriers against a degradation factor. They do not directly prevent or
mitigate the top event but they support barriers that do so. Generally, they do
not meet barrier validity requirements. Degradation controls can apply to
barriers on either side of the top event. Often, degradation controls are human
and organizational factors, such as a competence management system.

Degradation factors and controls are drawn in the bow tie diagram below the
barrier to which they apply. They lie along a degradation pathway leading to a
barrier. Multiple degradation factors can apply to a single barrier and multiple
degradation controls can apply to a single degradation factor.

The BTA team identifies existing degradation factors and controls using their
knowledge of the process.

An example of a bow tie diagram with degradation factors and controls for
prevention barriers is shown in Figure 7. An example of a bow tie diagram with a
degradation factor and controls for a mitigation barrier is shown in Figure 8.

Degradation factors and controls can be an important part of a bow tie diagram.
They must be defined carefully to ensure their meaningful management.

Guidelines for defining degradation factors and controls are:

• Use degradation factors and controls sparingly

- Avoid impairing the ability of bow ties to easily communicate visually.

• Do not place degradation controls on main pathways in the bow tie diagram

• Be specific as to the cause of barrier failure

- The underlying reason for the failure needs to be specified so that analysts can
be sure degradation controls address the specific problem.

• Ensure degradation controls actually act on the degradation factor

• Generally, do not express degradation factors as the negation of the barrier

- Produces an entry that is too general.

• Avoid unnecessarily repeating the same degradation factor and its controls on
recurring barriers

- Reference the first occurrence.

• Recognize that some degradation factors are not specific to a particular barrier
but may impact multiple barriers

- Best managed outside of bow ties.

Step 8. Optionally, record details for barriers and controls

Details for barriers and controls include information on the function, type,
elements, criticality, owner, and performance data for a barrier or control. They
are recorded using the knowledge of the team and by referencing appropriate
process documentation. However, the details are not recorded directly on bow
tie diagrams owing to space limitations.

Step 9. Review the bow tie diagram

On completion, bow tie diagrams should be reviewed to confirm that they meet
the requirements of the project charter, ensure the full ranges of threats and
consequences are addressed, and verify that they are structurally correct. There
should be no degradation controls on a main pathway or ineffective barriers.
Also, consistency of barriers and controls across diagrams should be confirmed.

Step 10. Analyze barriers

Completed bow tie diagrams should be analyzed to determine any safety
weaknesses they reveal. Key questions to address include:

• Is any one person responsible for too many barriers?

- Responsibilities should be distributed.

• Is the combination of barrier types appropriate?

- Diverse types lessen the possibility of common cause failures.

- Mitigation barriers act as a backup for prevention barriers.

• Is the strength of barriers sufficient?

• Is there defence in depth?

- Processes should not rely on single barriers.


• Is there a balance between prevention and mitigation barriers?

- Prevention barriers are favored over mitigation barriers but the latter are
needed too in case the former fail.

• Are any pathways protected entirely by human barriers?

- Generally, engineered barriers are more reliable than human barriers.

• Are additional barriers needed?

- Often it is better to resolve deficiencies in existing barriers rather than add new
ones.

- Each extra barrier adds complexity and must be managed throughout its life
cycle.

- Particularly true if the new barrier will be subject to the same degradation
factors that reduced the performance of the existing barriers.

- All changes to barriers must be subjected to a management of change (MOC)
review.
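
The structural review in Step 9 and several of the Step 10 questions can be checked mechanically once a bow tie is recorded as data. The following is an added example, not part of the Primatech white paper: the hazard and top event are the paper's pipeline L31-1 example, while the threats, consequences, barriers, owners, common causes, finding codes, and the max_per_owner threshold are constructed assumptions.

```python
"""Bow tie recorded as data, with Step 9 and Step 10 checks (added example).
All threats, consequences, barriers, owners and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Barrier:
    name: str
    kind: str                          # "engineered" or "human"
    owner: str
    common_cause: str = ""             # shared dependency, "" if none
    degradation_control: bool = False  # True: belongs on a degradation pathway


@dataclass
class Pathway:
    side: str                          # "prevention" or "mitigation"
    endpoint: str                      # threat or consequence on this arm
    barriers: list = field(default_factory=list)  # in time sequence


@dataclass
class BowTie:
    hazard: str
    top_event: str
    pathways: list


def review_structure(bt):
    """Step 9: structural findings as (code, detail) tuples."""
    findings, sides = [], {}
    for p in bt.pathways:
        for b in p.barriers:
            sides.setdefault(b.name, set()).add(p.side)
            if b.degradation_control:  # controls must not sit on a main pathway
                findings.append(("CONTROL_ON_MAIN_PATHWAY", f"{b.name} -> {p.endpoint}"))
        shared = Counter(b.common_cause for b in p.barriers if b.common_cause)
        for cause, n in sorted(shared.items()):
            if n > 1:  # Step 6: include only one barrier per shared cause
                findings.append(("COMMON_CAUSE", f"{p.endpoint}: {n} barriers need {cause}"))
    for name, used_on in sorted(sides.items()):
        if len(used_on) > 1:  # generally a barrier sits on one side only
            findings.append(("BOTH_SIDES", name))
    return findings


def analyze_barriers(bt, max_per_owner=2):
    """Step 10: weaknesses. max_per_owner is an assumed threshold."""
    findings, owners, seen = [], Counter(), set()
    for p in bt.pathways:
        real = [b for b in p.barriers if not b.degradation_control]
        for b in real:
            if b.name not in seen:     # count each barrier once for its owner
                seen.add(b.name)
                owners[b.owner] += 1
        if len(real) < 2:              # pathway relies on a single barrier or none
            findings.append(("NO_DEFENCE_IN_DEPTH", p.endpoint))
        if real and all(b.kind == "human" for b in real):
            findings.append(("HUMAN_ONLY", p.endpoint))
    for owner, n in sorted(owners.items()):
        if n > max_per_owner:
            findings.append(("OWNER_OVERLOADED", f"{owner}: {n} barriers"))
    return findings


def sample_bow_tie():
    """Hazard and top event from the paper; everything else is constructed."""
    trip = Barrier("High-pressure pump trip", "engineered", "Instrument lead",
                   "shared logic solver")
    iso = Barrier("Emergency isolation valve", "engineered", "Instrument lead",
                  "shared logic solver")
    psv = Barrier("Pressure relief valve", "engineered", "Maintenance lead")
    permit = Barrier("Excavation permit check", "human", "Operations supervisor")
    patrol = Barrier("Line patrol", "human", "Operations supervisor")
    training = Barrier("Operator competence program", "human",
                       "Operations supervisor", degradation_control=True)
    deluge = Barrier("Deluge system", "engineered", "Maintenance lead")
    bund = Barrier("Containment bund", "engineered", "Maintenance lead")
    return BowTie(
        hazard="Volatile flammable hydrocarbons under pressure in pipeline L31-1, "
               "during material transfer",
        top_event="Large loss of hydrocarbon from line L31-1",
        pathways=[
            Pathway("prevention", "Overpressure during transfer", [trip, iso, psv]),
            Pathway("prevention", "Excavation damage to line", [permit, patrol, training]),
            Pathway("mitigation", "Fatalities due to fire", [iso, deluge]),
            Pathway("mitigation", "Soil contamination by hydrocarbon", [bund]),
        ],
    )


if __name__ == "__main__":
    bt = sample_bow_tie()
    for code, detail in review_structure(bt) + analyze_barriers(bt):
        print(f"{code:24} {detail}")
```
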

Step 11. Perform a formal QC review

Once bow tie diagrams are considered final, a QC review should be performed.
Typically, a checklist of pertinent questions is used.

Step 12. Revalidate the study, as required

Bow tie diagrams should be updated periodically to address process changes
and include lessons learned from any incidents that have occurred in the
process.

Closing Comments

The likelihood that bow tie diagrams will be constructed correctly is increased if
a formal procedure is followed for their construction. However, BTA is an
iterative process in which pathways are split and combined, and other
adjustments are made, according to the judgment of the analysts to produce
what is viewed as an optimum diagram. However, there is no single ‘right’
answer. Moreover, bow tie diagrams are not intended to capture every aspect of
safety management systems. The intent is to focus on primary barriers and
controls.
