The bowtie study is an important risk management tool widely used in all sectors of industries. This method is particularly useful for root cause analysis and incident investigation. Because of the bowtie method's visual power, many regulators in various industries recommend it for use in safety studies or safety cases. The first documented use of the bowtie method appeared in the 1990s when the Royal Dutch Shell Group used it to demonstrate the relationships between risk sources and outcomes.
The bowtie study merges two existing risk-analysis tools: Fault trees, which illustrate the potential for multiple faults to lead to a single failure; and event trees, which illustrate the different effects that could be predicted from a single event. Together, they produce a connected diagram that clarifies relationships and establishes a direct line of sight between causes (faults or failures) and effects.
Rajeev Kumar, a Senior Consultant at ioMosaic, presents the basic steps for creating a bowtie diagram.
The bowtie diagram starts in the middle with the hazard and the event to be analyzed. This can be output from HAZID, HAZOP, Risk Register, or any other Hazard identification study.
On the left-hand side, list all the potential causes or threats that could lead to the Top event. These could range from things that are almost certain to happen to those that are remotely possible. List out as many possible causes without worrying about ranking the causes.
On the right-hand side, list all the consequences that could happen if the event linked to the hazard occurred. Walk through the logical flow of the chart as you have it now and consider, if this potential threat happens, then the event (linked to the hazard) could happen and the consequence listed could happen. If that flows logically, then you have things right. If you have a lot of debate or it doesn't feel right, then it's not a real cause or consequence.
Next, list for each potential cause what defense measures to put in place to prevent the cause from happening. You can have as many measures as you need for each cause. When you mark these on the chart, think about the measures as breaking the flow of the potential cause. Ask yourself, if I put this control in place, how definite is it that this will break the chain of events? Don't forget to think about what else you could do, either as well as or instead of that could be more beneficial. Then perform a ranking of measures in terms of their effectiveness by high, medium, or low. Color code them for quick identification. A few highly effective controls are better than a bunch of low effective ones.
Now it is time to think about the mitigation controls. If the event did occur, what would limit or stop the potential outcome or consequences from impacting? A few good mitigation controls that break the flow of the event are better than a multitude of smaller ones that might work or have to work in combination with others.
It is now time to identify what safety-critical equipment to list. Think about defining what the level of functionality is (what should it do), the performance level (how well should it do it), its availability (is it ok to use it only 50% of the time?), the survivability (will the equipment keep working in an event?), and any dependencies that the equipment has (does it need electricity, a chemical, or other utilities to function?).
Review Controls and Barriers
Risk controls and barriers should be effective, independent, and auditable. Prevention barriers are for preventing the onset of the top event. They sometimes lessen the effect of the top event. Be sure to include prevention barriers that detect, decide, and act.
Mitigation barriers act to reduce / mitigate the severity of the consequence (after the top event has happened). Sometimes they stop the consequence / outcome from happening. A control that is crucial to prevent or mitigate a high consequence event is critical.
The final step is to add escalation factors and barriers. The final result is a complete bowtie analysis of a hazard and event. Be sure to include for the company policies and procedures what activity(s) need to be in place to keep this control or mitigation step working, and in the company job descriptions include who is responsible for these actions.
To ask questions or get help from our highly trained technical support experts, please contact us at 1.844.ioMosaic or submit a ticket to our online support center. We'll be glad to assist.
ioMosaic is committed to leveraging the latest technology to maximize tool performance. Check back often to see the latest information about ioMosaic software and technology solutions.