bowtie methodology and hazards managementbowtie is popular because of it’scapability to analyze...
TRANSCRIPT
Hossein Haghgoo
10 October 2009
Bowtie Methodology and Hazards Management
Presented by :
Shahram mahmoudi
© Det Norske Veritas AS. All rights reserved.
10 October 2009
2
What is Bowtie?
Bowtie is a way to analyze, communicate, manage and even
audit the largest risks within your organization.
Bowtie is popular because of it’s capability to analyze and
present complex risks in a single diagram.
It shows the critical control measures, as well as where the
responsibilities lie.
Bowtie diagrams are easy to understand and capable of
convincing both the management and the workforce. This way
it increases awareness and ownership and can have great
impact on the safety culture within your organization.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
3
Where do Bowtie comes in?
© Det Norske Veritas AS. All rights reserved.
10 October 2009
4
Which Risks need a Bowtie?
Major risks
When you start analyzing and
managing risks with Bowtie,
start with those major risks
that your organization is most
concerned about. To
determine which major risks to
analyze you may want to
start identifying and assessing
risks first. Based on that
you can decide which risks
‘deserve’ to be analyzed and
managed through Bowtie.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
5
1
2
3
5
4
Hazards identification
Identify the Top Event
Identify Threats
Identify Consequences
Identify Threat
Barriers
Steps to the Bowtie Diagram
© Det Norske Veritas AS. All rights reserved.
10 October 2009
6
6
7
8
Identify Recovery
Measures
Identify Escalation
Factors
Identify Escalation
Factor Controls
Steps to the Bowtie Diagram
© Det Norske Veritas AS. All rights reserved.
10 October 2009
Escalation factor
An escalation factor is a condition that leads to
increased risk by reducing the effectiveness of
controls. An escalation factor cannot directly cause the
top event or consequence rather it increases the
likelihood that the scenario will progress because the
associated control will be degraded or fail.
7
© Det Norske Veritas AS. All rights reserved.
10 October 2009
8
Identify the Hazard
Identify the Hazard
The first step in creating a
Bowtie diagram is to identify the
hazard. A hazard is defined as
anything that has the potential to
cause harm.
Step 1
© Det Norske Veritas AS. All rights reserved.
10 October 2009
9
Identify the Top Event
Identify the Top Event
The second step in creating a
Bowtie diagram is defining the
Top Event. The Top Event
describes the moment of loss of
control, the moment were the
Hazard is released.
The Hazard and Top Event are
the center of your Bowtie
diagram. Before the moment of
loss of control, preventative
measures can be taken. After
the moment of loss of control,
recovery measures can be taken.
HAZARD
TOP EVENT
Step 2
© Det Norske Veritas AS. All rights reserved.
10 October 2009
10
Identify the Threats
3
After identifying the Hazard and the Top Event, the threats need to be
identified. You can ask yourself: “What are the possible causes
that may lead to or contribute to the loss of control?”
The best way to identify threats is to brainstorm about all possible
causes you can think of and add them to your diagram. When it’s all
there, you can rearrange your threats.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
11
HAZARD
TOP EVENT
THREAT
THREAT
THREAT
Identify the Threats
© Det Norske Veritas AS. All rights reserved.
10 October 2009
12
Examples of Threats
Thermal (high temperature)
Chemical (corrosion)
Biological (bacteria / marine growth)
Radiation (ultraviolet)
Kinetic (fatigue)
Electrical (high voltage)
Environmental Condition (poor visibility / flooding / severe storm /
earthquake)
Uncertainty (design unknowns)
Human Factor (incompetence)
© Det Norske Veritas AS. All rights reserved.
10 October 2009
13
Identify the Consequences
A Top Event often leads to a number
of consequences. A consequence is
an event or chain of events that
result from the release of a hazard.
Sometimes consequences lead to
other consequences. Within the
Bowtie methodology you can place
them next to each other. You can
also choose to just mention the
final consequence. Sometimes a
chain of events is too complex for
one Bowtie diagram. In that case it
is better split the risk into several
diagrams.
Step 4
4
© Det Norske Veritas AS. All rights reserved.
10 October 2009
14
Examples of Consequences
Fire / Explosion Pollution Toxic gas release
Fall in share price Complaints Injury / Death
Legal action / fines Lost time
© Det Norske Veritas AS. All rights reserved.
10 October 2009
15
Identify the Consequences
HAZARD
TOP
EVENT
THREAT
THREAT
THREAT
CONSEQUENCE
CONSEQUENCE
CONSEQUENCE
© Det Norske Veritas AS. All rights reserved.
10 October 2009
16
Hazards Placeholder
Top Event
Threat Consequences Threat Barriers
• Threat Barrier
A protective measure put in place to prevent
threats from releasing a hazard.
As part of the risk evaluation and management process, controls are
identified for each risk scenario and their effectiveness evaluated. Some
types of control are more effective than others in reducing risk. The
knowledge about possible measures and their effectiveness is often spread
throughout the organization. The consultant or risk manager cannot create a
sensible Bowtie diagram without consulting all parties involved.
Identify Threat Barriers
© Det Norske Veritas AS. All rights reserved.
10 October 2009
17
Identify Threat Barriers
Identify the Threat Barriers
In order to prevent or reduce the probability of a Threat causing a Hazard to be released
it is important to put effective barriers in place. A great deal of Bowtie is about
identifying and managing the controls that are needed. The barriers/controls at the
left hand side of the Top Event are preventive measures; they prevent things from
going wrong.
“How do we prevent the hazard from being released?”, “How do we keep control?”
Step 5
HAZARD
TOP
EVENTTHREATBARRIER BARRIER BARRIER
© Det Norske Veritas AS. All rights reserved.
10 October 2009
18
Threat Barriers selection
.
A
P
P
R
O
A
C
H
E
S
Cost-benefit Approach
Code-based
Approach
Technology
based
App.
RISK-based
Approaches
Options will be selected if they have a favorable
ratio Of Benefits (i.e. RISK reduction) to Cost (i.e.
capital Expenditure & operating costs). The most
common Approach , Not fully developed in
developing countries. Difficult to justify to the
public.
Options will be selected only according to the results
of RISK Assessment regardless of costs. Giving clear
guidance of major RISKS and separates the
negligible RISKS from major ones. It takes time due
to requiring RISK Assessment in advance and so
may not be yet appropriate for developing countries.
Options will be selected which conform to good
engineering practice according to the industry codes
of practice. Benefit of taking account of practical
constraints however the codes of practices often do
not address major RISKS in each industries and
mostly based on experience in developed countries
so they are uneconomic for developing countries.
Best Technology is selected regardless of RISK &
cost. It’s easy to justify to public and good for
political pressure situations. Expensive for
developing countries
© Det Norske Veritas AS. All rights reserved.
10 October 2009
19
Examples of Threat Barriers
Guards or Shields (coatings, inhibitors, shutdowns)
Separation (time and/or space)
Reduction in Inventory
Control of Energy Release (safety valves, lower speeds, different fuel source)
Administration (warnings, training, drills)
Procedural (Implementation, action, supervision)
Preventative measures (alternative resources, re-cycling, process integrated solutions,
improved ergonomic conditions, health surveillance
Repressive measures (end-of-pipe measures, ventilation, dust filtration)
© Det Norske Veritas AS. All rights reserved.
10 October 2009
20
HAZARD
TOP
EVENT CONSEQUENCE
RECOVERY
MEASURE
RECOVERY
MEASURE
RECOVERY
MEASURE
Identify Recovery Measures
Recovery Preparedness Measure
All technical, operational and organizational
measures that limit the chain of
consequences arising from a Top Event.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
21
Hazards Placeholder
Top Event
Threat Consequences Threat Barriers
Identify Recovery Measures
Recovery Measures
Assuming a Top Event will
occur, it is important to
identify all measures which
need to be in place to limit
the consequences.
A recovery measure seeks to
reduce the probability of
a consequence or it reduces
its severity.
“How do we limit the severity
of the event?”, “How do
we minimize the effects?”
Step 6
© Det Norske Veritas AS. All rights reserved.
10 October 2009
22
Examples of Recovery Preparedness Measures
Systems to Detect and Abate Incidents (gas, fire & smoke alarms, ESD, deluge / journey
management systems)
Systems Intended to Protect the Safeguards (fire & blast walls, protective coatings, drain
systems)
Operational Systems Intended for Emergency Management (contingency plans, training,
drills)
Curative measures (clean up, restoration, medical treatment)
Compensative measures (re-stock fish, financial compensation)
© Det Norske Veritas AS. All rights reserved.
10 October 2009
23
Identify Escalation Factors
Escalation Factors
Conditions that lead to increased risk by defeating or overriding barriers
or recovery preparedness measures.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
24
Identify Escalation Factors
Sometimes there are special reasons or conditions that
cause a Threat Barrier or Recovery Measure to fail. When
for example a control is under maintenance it will probably
not function the way it should.
Bowtie offers the option of defining Escalation Factors. These
are factors that reduce the effectiveness of controls.
“How might controls fail?”, “How might their effectiveness be
undermined?”
© Det Norske Veritas AS. All rights reserved.
10 October 2009
25
Identify Escalation Factors
HAZARD
TOP EVENT
THREAT
BARRIER BARRIER BARRIER
ESCALATION
FACTOR
© Det Norske Veritas AS. All rights reserved.
10 October 2009
26
Examples of Escalation Factors
Abnormal Operating Conditions (maintenance mode, testing of equipment)
Operating Outside Design Envelope (erosion flow velocities)
Environmental Variations (extreme weather & tidal conditions)
Loss of Services (Hydraulics, electric power)
Human Error (Lapses, rule violations)
© Det Norske Veritas AS. All rights reserved.
10 October 2009
27
Identify Escalation Factor Controls
HazardsEscalation
Factors
Escalation
Factor
Controls
Top Event
Threats Consequences Threat barriers
Recovery
Measures
Escalation Factor Controls Controls put in place to manage
conditions that lead to increased
risk due to loss of Threat Barriers
or loss of Recovery Preparedness
Measures.
© Det Norske Veritas AS. All rights reserved.
10 October 2009
28
Identify Escalation Factor Controls
In order to prevent escalation factors causing controls to
fail, it is important to put Escalation Factor Controls in place.
Ask yourself: “How do we prevent this Escalation Factor from
having any negative effect on the barrier/recovery measure?”
“How do we make sure controls don’t fail?”
Step 8
Identify Escalation Factor Controls
© Det Norske Veritas AS. All rights reserved.
10 October 2009
29
HAZARD
TOP
EVENTTHREAT
BARRIER BARRIER BARRIER
ESCALATION
FACTOR
ESCALATION
FACTOR CONTROL
Identify Escalation Factor Controls
© Det Norske Veritas AS. All rights reserved.
10 October 2009
30
Hazard Threat BarrierTop
Event
Recovery
Measures Consequences
Moving
Vehicle
Slippery
RoadSlow Down
Loss of
ControlABS
Accident,
Injuries,
Fatalities
Examples 1
© Det Norske Veritas AS. All rights reserved.
10 October 2009
31
Example 3 (Offshore Well Control)
Descontrol de
Pozo
1.01 Hidrocarburos
en el Pozo
Fallas en el Riser
Mantenimiento preventivo del riser
Pronóstico Meteorológica y seguimiento
Procedimientos para Desconectar y Retirar el Riser
Failure to close using subsea accumulator
pressureRedundancia - Dos lineas
POD
Inspección del Riser con Vehículo Operado por control
Remoto
Arremetida de Pozo
Cabeza Hidrostática - Control Primario de Pozo
Preventor de Blowout (BOP) Control Secundario de Pozo
Sello de la Bomba Control Terciario de Pozo
Perforación a través de una bolsa Superficial de
GasEstudio Sísmico
Datos sísmicos inexactos
Revisión Independiente del Estudio Sísmico
Comparar con datos de anteriores pozos
Diseño del Programa de Perforación
Plataforma no posicionada correctamente
Sistema de Posicionamiento 3ª Partes
Sistema GPS de la Plataforma
Perforar Pozo Piloto Vigilancia de burbujas en superficie
Vigilancia de burbujas en lecho marino mediante
Vehículo Operado por control Remoto
Sello de la Bomba (Control terciario del Pozo)
Derrame de Hidrocarburos en el Oceano
D1 A1 B1 A1
Implementación del Plan de Emergencia ante Derrames de Productos Petrolíferos en
el Oceano
Escape de Hidrocarburos por debajo de depósitos o
instalaciones
D2 C1 B1 B1
Procedimiento de Desconexión de Emergencia
Mover el Rig de Locación
Falla de Respuesta Rápida o Apropiada
Simulacros de Movimiento del Rig
Ignición de Hidrocarburos
C1 D1 A1 A1
Permiso de Trabajo en Caliente
Restricciones de Fumar en Rig
Equipos Intrínsecamente Seguros
Clasificación de Zonas como Áreas Peligrosas
Fuego / Explosión
A1 E1 A1 B1
Evacuación de la InstalaciónRefugio Temporal MEDIVAC Heridos
Instalaciones Médicas en Rig
Sistema de Detección de Fuego y Humo
Inhalación de Gas Tóxico
A1 D1 B1 A1
MEDIVAC Heridos
Instalaciones Médicas en Rig
Punto de encuentro de Cuadrilla a favor del viento
La gente se reune en el lugar incorrecto
Indicadores de Dirección del viento
Equipos SCBASistemas de Detección de Gas
© Det Norske Veritas AS. All rights reserved.
10 October 2009
32
Example 4 (Rigless Operation)