Hossein Haghgoo

10 October 2009

Bowtie Methodology and Hazards Management

Presented by :

Shahram mahmoudi

© Det Norske Veritas AS. All rights reserved.

10 October 2009

2

What is Bowtie?

Bowtie is a way to analyze, communicate, manage and even

audit the largest risks within your organization.

Bowtie is popular because of it’s capability to analyze and

present complex risks in a single diagram.

It shows the critical control measures, as well as where the

responsibilities lie.

Bowtie diagrams are easy to understand and capable of

convincing both the management and the workforce. This way

it increases awareness and ownership and can have great

impact on the safety culture within your organization.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

3

Where do Bowtie comes in?

© Det Norske Veritas AS. All rights reserved.

10 October 2009

4

Which Risks need a Bowtie?

Major risks

When you start analyzing and

managing risks with Bowtie,

start with those major risks

that your organization is most

concerned about. To

determine which major risks to

analyze you may want to

start identifying and assessing

risks first. Based on that

you can decide which risks

‘deserve’ to be analyzed and

managed through Bowtie.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

5

1

2

3

5

4

Hazards identification

Identify the Top Event

Identify Threats

Identify Consequences

Identify Threat

Barriers

Steps to the Bowtie Diagram

© Det Norske Veritas AS. All rights reserved.

10 October 2009

6

6

7

8

Identify Recovery

Measures

Identify Escalation

Factors

Identify Escalation

Factor Controls

Steps to the Bowtie Diagram

© Det Norske Veritas AS. All rights reserved.

10 October 2009

Escalation factor

An escalation factor is a condition that leads to

increased risk by reducing the effectiveness of

controls. An escalation factor cannot directly cause the

top event or consequence rather it increases the

likelihood that the scenario will progress because the

associated control will be degraded or fail.

7

© Det Norske Veritas AS. All rights reserved.

10 October 2009

8

Identify the Hazard

Identify the Hazard

The first step in creating a

Bowtie diagram is to identify the

hazard. A hazard is defined as

anything that has the potential to

cause harm.

Step 1

© Det Norske Veritas AS. All rights reserved.

10 October 2009

9

Identify the Top Event

Identify the Top Event

The second step in creating a

Bowtie diagram is defining the

Top Event. The Top Event

describes the moment of loss of

control, the moment were the

Hazard is released.

The Hazard and Top Event are

the center of your Bowtie

diagram. Before the moment of

loss of control, preventative

measures can be taken. After

the moment of loss of control,

recovery measures can be taken.

HAZARD

TOP EVENT

Step 2

© Det Norske Veritas AS. All rights reserved.

10 October 2009

10

Identify the Threats

3

After identifying the Hazard and the Top Event, the threats need to be

identified. You can ask yourself: “What are the possible causes

that may lead to or contribute to the loss of control?”

The best way to identify threats is to brainstorm about all possible

causes you can think of and add them to your diagram. When it’s all

there, you can rearrange your threats.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

11

HAZARD

TOP EVENT

THREAT

THREAT

THREAT

Identify the Threats

© Det Norske Veritas AS. All rights reserved.

10 October 2009

12

Examples of Threats

Thermal (high temperature)

Chemical (corrosion)

Biological (bacteria / marine growth)

Radiation (ultraviolet)

Kinetic (fatigue)

Electrical (high voltage)

Environmental Condition (poor visibility / flooding / severe storm /

earthquake)

Uncertainty (design unknowns)

Human Factor (incompetence)

© Det Norske Veritas AS. All rights reserved.

10 October 2009

13

Identify the Consequences

A Top Event often leads to a number

of consequences. A consequence is

an event or chain of events that

result from the release of a hazard.

Sometimes consequences lead to

other consequences. Within the

Bowtie methodology you can place

them next to each other. You can

also choose to just mention the

final consequence. Sometimes a

chain of events is too complex for

one Bowtie diagram. In that case it

is better split the risk into several

diagrams.

Step 4

4

© Det Norske Veritas AS. All rights reserved.

10 October 2009

14

Examples of Consequences

Fire / Explosion Pollution Toxic gas release

Fall in share price Complaints Injury / Death

Legal action / fines Lost time

© Det Norske Veritas AS. All rights reserved.

10 October 2009

15

Identify the Consequences

HAZARD

TOP

EVENT

THREAT

THREAT

THREAT

CONSEQUENCE

CONSEQUENCE

CONSEQUENCE

© Det Norske Veritas AS. All rights reserved.

10 October 2009

16

Hazards Placeholder

Top Event

Threat Consequences Threat Barriers

• Threat Barrier

A protective measure put in place to prevent

threats from releasing a hazard.

As part of the risk evaluation and management process, controls are

identified for each risk scenario and their effectiveness evaluated. Some

types of control are more effective than others in reducing risk. The

knowledge about possible measures and their effectiveness is often spread

throughout the organization. The consultant or risk manager cannot create a

sensible Bowtie diagram without consulting all parties involved.

Identify Threat Barriers

© Det Norske Veritas AS. All rights reserved.

10 October 2009

17

Identify Threat Barriers

Identify the Threat Barriers

In order to prevent or reduce the probability of a Threat causing a Hazard to be released

it is important to put effective barriers in place. A great deal of Bowtie is about

identifying and managing the controls that are needed. The barriers/controls at the

left hand side of the Top Event are preventive measures; they prevent things from

going wrong.

“How do we prevent the hazard from being released?”, “How do we keep control?”

Step 5

HAZARD

TOP

EVENTTHREATBARRIER BARRIER BARRIER

© Det Norske Veritas AS. All rights reserved.

10 October 2009

18

Threat Barriers selection

.

A

P

P

R

O

A

C

H

E

S

Cost-benefit Approach

Code-based

Approach

Technology

based

App.

RISK-based

Approaches

Options will be selected if they have a favorable

ratio Of Benefits (i.e. RISK reduction) to Cost (i.e.

capital Expenditure & operating costs). The most

common Approach , Not fully developed in

developing countries. Difficult to justify to the

public.

Options will be selected only according to the results

of RISK Assessment regardless of costs. Giving clear

guidance of major RISKS and separates the

negligible RISKS from major ones. It takes time due

to requiring RISK Assessment in advance and so

may not be yet appropriate for developing countries.

Options will be selected which conform to good

engineering practice according to the industry codes

of practice. Benefit of taking account of practical

constraints however the codes of practices often do

not address major RISKS in each industries and

mostly based on experience in developed countries

so they are uneconomic for developing countries.

Best Technology is selected regardless of RISK &

cost. It’s easy to justify to public and good for

political pressure situations. Expensive for

developing countries

© Det Norske Veritas AS. All rights reserved.

10 October 2009

19

Examples of Threat Barriers

Guards or Shields (coatings, inhibitors, shutdowns)

Separation (time and/or space)

Reduction in Inventory

Control of Energy Release (safety valves, lower speeds, different fuel source)

Administration (warnings, training, drills)

Procedural (Implementation, action, supervision)

Preventative measures (alternative resources, re-cycling, process integrated solutions,

improved ergonomic conditions, health surveillance

Repressive measures (end-of-pipe measures, ventilation, dust filtration)

© Det Norske Veritas AS. All rights reserved.

10 October 2009

20

HAZARD

TOP

EVENT CONSEQUENCE

RECOVERY

MEASURE

RECOVERY

MEASURE

RECOVERY

MEASURE

Identify Recovery Measures

Recovery Preparedness Measure

All technical, operational and organizational

measures that limit the chain of

consequences arising from a Top Event.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

21

Hazards Placeholder

Top Event

Threat Consequences Threat Barriers

Identify Recovery Measures

Recovery Measures

Assuming a Top Event will

occur, it is important to

identify all measures which

need to be in place to limit

the consequences.

A recovery measure seeks to

reduce the probability of

a consequence or it reduces

its severity.

“How do we limit the severity

of the event?”, “How do

we minimize the effects?”

Step 6

© Det Norske Veritas AS. All rights reserved.

10 October 2009

22

Examples of Recovery Preparedness Measures

Systems to Detect and Abate Incidents (gas, fire & smoke alarms, ESD, deluge / journey

management systems)

Systems Intended to Protect the Safeguards (fire & blast walls, protective coatings, drain

systems)

Operational Systems Intended for Emergency Management (contingency plans, training,

drills)

Curative measures (clean up, restoration, medical treatment)

Compensative measures (re-stock fish, financial compensation)

© Det Norske Veritas AS. All rights reserved.

10 October 2009

23

Identify Escalation Factors

Escalation Factors

Conditions that lead to increased risk by defeating or overriding barriers

or recovery preparedness measures.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

24

Identify Escalation Factors

Sometimes there are special reasons or conditions that

cause a Threat Barrier or Recovery Measure to fail. When

for example a control is under maintenance it will probably

not function the way it should.

Bowtie offers the option of defining Escalation Factors. These

are factors that reduce the effectiveness of controls.

“How might controls fail?”, “How might their effectiveness be

undermined?”

© Det Norske Veritas AS. All rights reserved.

10 October 2009

25

Identify Escalation Factors

HAZARD

TOP EVENT

THREAT

BARRIER BARRIER BARRIER

ESCALATION

FACTOR

© Det Norske Veritas AS. All rights reserved.

10 October 2009

26

Examples of Escalation Factors

Abnormal Operating Conditions (maintenance mode, testing of equipment)

Operating Outside Design Envelope (erosion flow velocities)

Environmental Variations (extreme weather & tidal conditions)

Loss of Services (Hydraulics, electric power)

Human Error (Lapses, rule violations)

© Det Norske Veritas AS. All rights reserved.

10 October 2009

27

Identify Escalation Factor Controls

HazardsEscalation

Factors

Escalation

Factor

Controls

Top Event

Threats Consequences Threat barriers

Recovery

Measures

Escalation Factor Controls Controls put in place to manage

conditions that lead to increased

risk due to loss of Threat Barriers

or loss of Recovery Preparedness

Measures.

© Det Norske Veritas AS. All rights reserved.

10 October 2009

28

Identify Escalation Factor Controls

In order to prevent escalation factors causing controls to

fail, it is important to put Escalation Factor Controls in place.

Ask yourself: “How do we prevent this Escalation Factor from

having any negative effect on the barrier/recovery measure?”

“How do we make sure controls don’t fail?”

Step 8

Identify Escalation Factor Controls

© Det Norske Veritas AS. All rights reserved.

10 October 2009

29

HAZARD

TOP

EVENTTHREAT

BARRIER BARRIER BARRIER

ESCALATION

FACTOR

ESCALATION

FACTOR CONTROL

Identify Escalation Factor Controls

© Det Norske Veritas AS. All rights reserved.

10 October 2009

30

Hazard Threat BarrierTop

Event

Recovery

Measures Consequences

Moving

Vehicle

Slippery

RoadSlow Down

Loss of

ControlABS

Accident,

Injuries,

Fatalities

Examples 1

© Det Norske Veritas AS. All rights reserved.

10 October 2009

31

Example 3 (Offshore Well Control)

Descontrol de

Pozo

1.01 Hidrocarburos

en el Pozo

Fallas en el Riser

Mantenimiento preventivo del riser

Pronóstico Meteorológica y seguimiento

Procedimientos para Desconectar y Retirar el Riser

Failure to close using subsea accumulator

pressureRedundancia - Dos lineas

POD

Inspección del Riser con Vehículo Operado por control

Remoto

Arremetida de Pozo

Cabeza Hidrostática - Control Primario de Pozo

Preventor de Blowout (BOP) Control Secundario de Pozo

Sello de la Bomba Control Terciario de Pozo

Perforación a través de una bolsa Superficial de

GasEstudio Sísmico

Datos sísmicos inexactos

Revisión Independiente del Estudio Sísmico

Comparar con datos de anteriores pozos

Diseño del Programa de Perforación

Plataforma no posicionada correctamente

Sistema de Posicionamiento 3ª Partes

Sistema GPS de la Plataforma

Perforar Pozo Piloto Vigilancia de burbujas en superficie

Vigilancia de burbujas en lecho marino mediante

Vehículo Operado por control Remoto

Sello de la Bomba (Control terciario del Pozo)

Derrame de Hidrocarburos en el Oceano

D1 A1 B1 A1

Implementación del Plan de Emergencia ante Derrames de Productos Petrolíferos en

el Oceano

Escape de Hidrocarburos por debajo de depósitos o

instalaciones

D2 C1 B1 B1

Procedimiento de Desconexión de Emergencia

Mover el Rig de Locación

Falla de Respuesta Rápida o Apropiada

Simulacros de Movimiento del Rig

Ignición de Hidrocarburos

C1 D1 A1 A1

Permiso de Trabajo en Caliente

Restricciones de Fumar en Rig

Equipos Intrínsecamente Seguros

Clasificación de Zonas como Áreas Peligrosas

Fuego / Explosión

A1 E1 A1 B1

Evacuación de la InstalaciónRefugio Temporal MEDIVAC Heridos

Instalaciones Médicas en Rig

Sistema de Detección de Fuego y Humo

Inhalación de Gas Tóxico

A1 D1 B1 A1

MEDIVAC Heridos

Instalaciones Médicas en Rig

Punto de encuentro de Cuadrilla a favor del viento

La gente se reune en el lugar incorrecto

Indicadores de Dirección del viento

Equipos SCBASistemas de Detección de Gas

© Det Norske Veritas AS. All rights reserved.

10 October 2009

32

Example 4 (Rigless Operation)