
Use the Bow Tie Diagram to Help Reduce Process Safety Risks

December 2016
Bruce K. Vaughen, P.E., Kenneth Bloch

Bow tie diagrams are useful for visualizing process safety risks and safeguards. Although typically used
after an incident has occurred, bow tie diagrams can also be employed during a process hazard
analysis.

Bow tie diagrams visually depict the safeguards or barriers put in place to prevent and mitigate a loss-of-
containment (LOC) incident. Although bow tie diagrams are typically constructed after an incident has
occurred (1), they can also be useful during a process hazard analysis (PHA) to identify deficiencies in a
process safety program and help to prevent the occurrence of an incident. Instead of simply showing what
went wrong, bow tie diagrams can be used proactively to keep things from going wrong.

This article introduces the bow tie method and explains how bow tie diagrams can assist in preventing
incidents and developing corrective actions needed to effectively mitigate any incidents that do occur. The
article also illustrates how bow tie diagrams might have been used during a PHA of the Bhopal facility — the
site of the world’s worst industrial disaster.

Process safety hazards and risks


AIChE’s Center for Chemical Process Safety (CCPS) defines process safety as: “A disciplined framework for
managing the integrity of operating systems and processes handling hazardous substances by applying good
design principles, engineering, and operating practices. It deals with the prevention and control of incidents
that have the potential to release hazardous materials or energy. Such incidents can cause toxic effects, fire, or
explosion, and could ultimately result in serious injuries, property damage, lost production, and environmental
impact” (2).
Process safety hazards encountered in industry involve materials with toxic, flammable, explosive, and
reactive properties. Losing control or containment of these hazardous materials can cause a toxic release, fire,
explosion, or runaway reaction. Loss-of-containment release scenarios have the potential for injuries,
fatalities, environmental harm, property damage, and business interruption.

The risk posed by such process safety hazards is traditionally thought of as a function of the product of a
scenario’s frequency (F) and consequence (C). Practical experience demonstrates, however, that risk is also
influenced by the example set by leadership, the reliability of available process safety systems, and an
organization’s operational discipline (OD) (3). Thus, a more accurate description of risk incorporates OD into
the equation, whereby risk is inversely proportional to OD (4–6):

As operational discipline improves, risk decreases, and vice versa.

As shown in Eq. 1, risk can be reduced by reducing the frequency and consequences of a hazardous scenario
— via safeguards, which include inherently safer designs, process safety systems, basic process control
systems, instrumentation and alarms, safety instrumented systems (SISs), active and passive engineering
controls, and emergency response systems. Implementing the hierarchy of controls (Figure 1) is the most
effective way to manage process safety risks. This approach focuses on inherently safer design as the first,
crucial barrier. A process safety incident occurs when weaknesses develop in these barriers.

▲Figure 1. A hierarchy of protection layers can be used in a process hazard analysis to determine the adequacy of the existing
safeguards. This approach identifies design as the first and most crucial barrier. Source: Adapted from (3).

The bow tie diagram


The bow tie diagram (Figure 2) depicts a potential process safety incident. The knot in the middle of the bow
represents loss of control over a hazardous material or energy. On the left of the knot are threats that
contribute to such an event, such as a material’s toxicity, flammability, explosivity, and reactivity, as well as
hazardous processing conditions (e.g., extremely high pressures or temperatures). On the right of the knot are
the possible consequences of the loss of control, such as injuries, fatalities, environmental harm, property
damage, and business interruption.

▲Figure 2. The bow tie diagram visually depicts the three parts of an incident — the threats that can cause an incident (left), the loss-
of-containment event (knot), and the resulting consequences of the event (right). Source: Adapted from (3).
Various engineering and administrative controls can be used to manage process safety risks. These are
referred to as individual barriers, and they are shown as rectangles on the bow tie diagram (Figure 3).
Preventive barriers (Figure 3, green rectangles) help reduce the likelihood of the event, while mitigative
barriers (Figure 3, blue rectangles) help reduce the severity of the consequences if the incident does occur.

▲Figure 3. The engineering and administrative controls that are being used to manage process safety risks can be shown on a bow tie
diagram. Preventive barriers (green rectangles) help reduce the likelihood of the event, while mitigative barriers (blue rectangles) help
reduce the severity of the consequences if the incident does occur. Source: Adapted from (3).
Systemic barriers can also be represented on a bow tie diagram (Figure 4). These are the process safety
systems designed to manage the individual barriers. For example, a computerized maintenance management
system (CMMS) is a systemic barrier that controls several individual barriers, including preventive
maintenance (PM) schedules, normal work order processing, failure analysis coding, and warehouse inventory
management.

▲Figure 4. Systemic barriers — the process safety systems designed to manage the individual barriers — can also be displayed on
bow tie diagrams as dotted lines. Source: Adapted from (3).

Bow tie diagrams and PHAs


Even the most effective incident investigations can be used only to prevent similar incidents from occurring in the
future (7, 8). It is much better to operate and manage processes so that learning from hindsight is not necessary. A PHA
that incorporates a bow tie diagram is one way to do this.
A PHA identifies potential hazardous scenarios and the barriers that should be in place to reduce the likelihood of an
unacceptable event. Once hazards have been identified, the PHA team can evaluate the effectiveness of safeguards that are
already in place or that could be added to prevent an incident. The results of that evaluation — hazard scenarios and
necessary safeguards — can be used to construct a bow tie diagram. The bow tie diagram assists the PHA team members
in visualizing the path that a hazard can take to cause a severe consequence and the combination of preventive and
mitigative barriers that are required to reduce the process safety risk. The bow tie diagram is a useful visual indicator of
risk for a PHA scenario.

The preventive and mitigative barriers identified on the bow tie diagram relate to the protection layers identified in a PHA.
Semi-quantitative layer of protection analysis (LOPA) principles are now widely incorporated into PHA studies to assess
the adequacy of safeguard protection (9, 10).

Barrier weaknesses and bow tie diagrams
The bow tie diagram can be used to map barrier weaknesses — any missing or ineffective engineering and
administrative controls that could ultimately lead to an incident (Figure 5). In Figure 5, a linear path to the
consequences of a loss-of-containment incident runs through the weak or failed individual barriers, preventive
barriers 1 and 2 and mitigative barriers 3–5. This approach can be used to depict multiple linear failure paths
through the knot of the bow tie involving different threats and barrier weaknesses and different mitigative
barriers and consequences.

▲Figure 5. A bow tie diagram can be used to show how weaknesses in individual barriers can lead to a loss-of-containment event followed by
consequences. In this case, weaknesses in Barriers 1–5 create a linear path to consequences. Source: Adapted from (3).

A more useful way to visualize the risk paths that can occur in industry is to also include the systemic barriers
(process safety systems managing the individual barriers) on the bow tie diagram. Whereas a bow tie diagram
for a hazard-specific safeguard deficiency might show a simple, linear failure path (Figure 5), deficiencies in
the systemic barriers usually produce a complex, nonlinear path (Figure 6). The bow tie diagram in Figure
6 shows that there are two nonlinear paths to Consequence C: Barriers 1 and 4 fail to prevent Threat A and
Barriers 5 and 7 fail to mitigate the loss of containment (white path); or Barriers 2 and 3 fail to prevent Threat
B and Barriers 6 and 7 fail to mitigate loss of containment (yellow path).

▲Figure 6. Adding systemic barriers to the bow tie diagram creates complex, nonlinear paths from threat to consequence. There are two nonlinear paths
to Consequence C: Barriers 1 and 4 fail to prevent Threat A and Barriers 5 and 7 fail to mitigate the loss of containment (white path); or Barriers 2 and 3
fail to prevent Threat B and Barriers 6 and 7 fail to mitigate loss of containment (yellow path). Source: Adapted from (3).

Barriers fail because process safety systems (systemic barriers) designed to sustain them are ineffective.
Systemic weaknesses allow a specific hazard to break through a primary weakness in the outermost defense
and find deficiencies in other barriers, thereby creating many paths to the consequence. In a plant that
repeatedly patches multiple individual barriers to keep the process running, the risk of recurring failures is
greatly elevated. The systemic barrier representation on the bow tie diagram demonstrates visually how
patching a specific weakness in one barrier may do little to reduce the potential for recurring events if a
systemic problem is involved.

There are many potential paths for each cause-to-consequence scenario, and it is difficult for a hazard analysis
team to anticipate all of them. The team can use a technique such as hazards and operability (HAZOP)
analysis to identify the individual barriers needed to reduce the process safety risk for a particular cause-to-
consequence scenario. Then, by mapping those individual barriers on the bow tie diagram, the organization
can determine which process safety systems must be in place to sustain the integrity of those individual
barriers.
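To make the path logic of Figures 5 and 6 concrete, here is an added Python model that is not from the article or its authors: it enumerates the threat-to-consequence paths that are open once individual and systemic barriers have failed, and flags patched barriers whose sustaining system is still broken. The threat, barrier and consequence layout follows the Figure 6 description; which process safety system (CMMS, operating procedures) sustains which individual barrier is an assumption.

```python
"""Bow tie path analysis for the layout described in Figure 6.

Constructed model, not the article's own: Threat A is held back by preventive
Barriers 1 and 4 and Threat B by Barriers 2 and 3; Consequence C is mitigated
by Barriers 5 and 7 (white path) or 6 and 7 (yellow path). Which process safety
system (systemic barrier) sustains which individual barrier is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Path:
    """One cause-to-consequence route through the knot of the bow tie."""
    threat: str
    preventive: tuple[str, ...]   # barriers left of the knot
    consequence: str
    mitigative: tuple[str, ...]   # barriers right of the knot

    def barriers(self) -> tuple[str, ...]:
        return self.preventive + self.mitigative


@dataclass
class BowTie:
    paths: list[Path]
    systemic: dict[str, frozenset[str]]   # systemic barrier -> barriers it sustains
    failed: set[str] = field(default_factory=set)           # ineffective individual barriers
    failed_systemic: set[str] = field(default_factory=set)  # ineffective process safety systems

    def fail_barrier(self, *names: str) -> None:
        """A hazard-specific deficiency: one or more individual barriers lost."""
        self.failed.update(names)

    def fail_systemic(self, name: str) -> None:
        """A systemic deficiency takes down every barrier the system sustains."""
        self.failed_systemic.add(name)
        self.failed.update(self.systemic[name])

    def repair_barrier(self, name: str) -> None:
        """Patch one individual barrier without touching the systems behind it."""
        self.failed.discard(name)

    def open_paths(self) -> list[Path]:
        """Paths on which every barrier, both sides of the knot, has failed."""
        return [p for p in self.paths if all(b in self.failed for b in p.barriers())]

    def holding(self, path: Path) -> tuple[str, ...]:
        """Barriers still standing between this threat and its consequence."""
        return tuple(b for b in path.barriers() if b not in self.failed)

    def unsustained(self) -> set[str]:
        """Barriers that currently work but whose sustaining system has failed:
        a patched barrier that will degrade again unless the system is fixed."""
        return {b for s in self.failed_systemic for b in self.systemic[s]} - self.failed


def figure6_bow_tie() -> BowTie:
    paths = [
        Path("Threat A", ("B1", "B4"), "Consequence C", ("B5", "B7")),  # white path
        Path("Threat B", ("B2", "B3"), "Consequence C", ("B6", "B7")),  # yellow path
    ]
    systemic = {
        # Assumed grouping: equipment barriers kept alive by maintenance management,
        # administrative barriers kept alive by the operating procedures system.
        "CMMS": frozenset({"B1", "B4", "B5", "B7"}),
        "Operating procedures": frozenset({"B2", "B3", "B6"}),
    }
    return BowTie(paths, systemic)


def walk_through() -> dict[str, object]:
    """Three snapshots: one barrier lost, a systemic barrier lost, then one patch."""
    bt = figure6_bow_tie()
    bt.fail_barrier("B7")                      # a single linear weakness, as in Figure 5
    after_one = [p.threat for p in bt.open_paths()]
    bt.fail_systemic("CMMS")                   # takes B1, B4 and B5 down as well
    after_systemic = [p.threat for p in bt.open_paths()]
    bt.repair_barrier("B7")                    # patch the last barrier only
    return {
        "one_barrier_lost": after_one,                          # []
        "systemic_lost": after_systemic,                        # ["Threat A"]
        "after_patch": [p.threat for p in bt.open_paths()],     # []
        "will_degrade_again": sorted(bt.unsustained()),         # ["B7"]
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Losing Barrier 7 alone opens nothing, losing the CMMS opens the white path through four barriers at once, and patching Barrier 7 afterwards closes the path only until the unrepaired system lets it fail again.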

Bow tie diagrams and the Bhopal facility


To illustrate the use of a PHA combined with a bow tie diagram, let’s consider the Bhopal incident, which
permanently changed how the risks associated with hazardous materials and energies are recognized,
evaluated, and reduced (11). Although process hazard analysis had not yet been developed, if a PHA had been
conducted for the design and operation of the Bhopal facility, it would have identified the safeguards in place,
and those safeguards could have been used to construct a bow tie diagram (Figure 7).

▲Figure 7. If a PHA had been performed for the design and operation of the Bhopal facility, it would have identified the safeguards in place, which
could have been used to construct a bow tie diagram. Source: Adapted from (3).

The accident took place inside a pesticide manufacturing factory set up for production in India using a process
licensed by an experienced corporation with headquarters in the U.S. The facility was designed in accordance
with the blueprint for the original manufacturing process that had operated safely for about 20 years in the
U.S. It was therefore reasonable to expect the newly constructed manufacturing process to operate at least as
safely as the original manufacturing process.

The synthesis reaction to make the pesticide involved a toxic, reactive, volatile, and flammable intermediate
chemical compound, methyl isocyanate (MIC), which is liquid at room temperature. Pure MIC is highly
reactive and can readily react with itself to form trimethyl isocyanurate, a stable and solid MIC trimer with a
melting point well above ambient temperature (178°C).

The original process and equipment design included multiple safeguards to control potentially unstable
conditions inside the MIC storage tanks, including exothermic reactions that might propagate into a loss-of-containment
incident. The preventive and mitigative safeguards to manage contaminated or unstable MIC
included design features, basic process control systems, instrumentation and alarm systems, active
engineering control, passive engineering control, and an emergency response system.

Design. Since iron oxide (rust) catalyzes the reaction of MIC with itself, all equipment containing MIC liquid
or vapor had to be fabricated from noncorrosive materials (stainless steel at a minimum) — an inherently
safer design specification. Other design safeguards included a refrigeration system, a nitrogen system, and a
phosgene-spiking system, as well as operating procedures such as:
• continuously spiking MIC storage tanks with phosgene (200–300 ppm) to prevent involuntary
conversion reactions involving pure MIC
• transferring the contents of the rundown tank into an empty auxiliary reserve tank for additional
cooling
• quenching hot MIC with excess solvent (chloroform)
• reprocessing contaminated MIC
• neutralizing waste MIC in the absorber section of the vent gas scrubber (VGS)
• sending excess MIC vapor into the flare tower for final destruction.
Basic process control system. The MIC storage tanks were equipped with temperature control.
Instrumentation and alarm system. Storage tanks were equipped with temperature and level indicators, as well
as a high-temperature alarm with several possible operator responses and forms that operators had to fill out
during their rounds.
Active engineering control. The MIC storage tanks were protected by a pressure relief valve set to
automatically open at 40 psi to prevent an overpressure incident. Under normal circumstances, the MIC
storage tanks were designed to operate at 2 psi. However, an exothermic reaction could generate heat inside
the tank if the MIC in storage was contaminated. If undetected, the pressure inside the MIC tank could
increase to the point that the relief valve would open.
Passive engineering control included a scrubber, a flare, and a water curtain system.
Emergency response system. MIC cannot be safely discharged into the environment. MIC leaks are relatively
simple to detect because MIC has an irritating odor, and upon exposure at low concentrations, it produces
symptoms similar to those caused by exposure to teargas. However, over time, the workers inside the factory
as well as the people in the surrounding community came to expect MIC leaks on a somewhat frequent basis
(approximately three times a month) without a severe consequence. Factory workers could use a public
address system to notify anyone inside or outside the factory who might be affected by an MIC release.
As a last resort for managing MIC releases, water from a fire monitor nozzle could be directed at the
atmospheric MIC release point to quench any escaping hot MIC vapor or liquid. Although these secondary
control measures could reduce the consequences of an MIC release, the preferred option — and the intent of
the design — was to prevent any condition that could cause loss of containment of MIC.

All of the process safety systems managing the individual barriers were needed to reduce the process safety
risk for safe and reliable operations at the Bhopal facility. However, the original preventive and mitigative
barriers deteriorated, offering no protection on Dec. 3, 1984 (Figure 8). Had the management team and the
operators at Bhopal used a bow tie diagram, they could have seen how important it was to sustain the integrity
of each process safety system managing the individual barriers, and the incident might not have occurred.

▲Figure 8. Mapping the MIC release from the Bhopal factory on a bow tie diagram depicting the barriers designed to prevent and
mitigate the risks associated with MIC releases reveals the many potential nonlinear paths from the reactivity threat to its devastating
consequences. Source: Adapted from (3).

A safeguard weakness analysis of the Bhopal incident


References 11–16 provide updated information explaining the sequence of events responsible for history’s
worst industrial disaster.

At the time of the incident, numerous workaround solutions were put in place to manage unsustainable
maintenance levels and meet production targets. Over time, the inherently safer design features intended to
manage the process safety risks were removed, or changed and replaced with more-burdensome and less-
reliable administrative controls subject to human error. Against this backdrop, the plant was shut down in
mid-1984. During the last production run, a small group of inadequately trained temporary workers was
assigned to help decommission the factory. Although the hazards associated with decommissioning the
process are the same as those of commissioning and operating the process, the sense of vulnerability had been
lost by late 1984. The weakening of protective barriers made the process more susceptible to human error,
especially with an inexperienced staff.

The bow tie diagram in Figure 7 shows the barriers designed to prevent and mitigate the risks associated with
MIC releases. Mapping the MIC release from the Bhopal factory on the bow tie diagram clearly shows the
many potential nonlinear paths from the reactivity threat to its devastating consequences (Figure 8).
A path forward
Whether generated during a PHA or after an incident, bow tie diagrams are useful for visualizing necessary
barriers required for successful risk reduction efforts. Bow tie diagrams can be part of an effective process
safety program for managing process hazards and risks, helping everyone in the organization visualize the
critical safeguards designed to control the hazards. People at all levels in an organization typically respond
well when the technical information is shown in a simple, easy-to-understand format. A bow tie diagram
communicates the risks in a graphic form that requires little technical interpretation, enabling everyone to
standardize their perception and understanding of the risks. While a formal PHA report usually consists of
documented discussions and captures potential scenarios and their safeguards in tables and lists, a bow tie
diagram conveys the same information in graphic form — a picture is worth a thousand words.

Operational Discipline at the Bhopal Factory


The case study of the Bhopal catastrophe presented in this article provides a poignant illustration of the complex
interactions between managing process safety risks of hazardous processes and the influence of operational discipline on
the reliability of the barriers and the effectiveness of the process safety systems in place to manage them. In a perfect
manufacturing process, OD would not negatively impact risk (i.e., it would have a value of 1 in Eq. 1). Optimal OD
performance has been defined as “the deeply rooted dedication by every member of an organization to carrying out each
task the right way” (6). In reality, perfect OD is not possible, since people are involved in all phases of the equipment and
process lifecycles.
Human imperfection has the potential to interfere with all phases of a process’ lifecycle, which includes design,
construction (fabrication and installation), commissioning, operation, maintenance, and subsequent decommissioning. In
addition, the behaviors and actions taken by operators and managers directly influence the way equipment and process
changes are made once the process is placed into service. Facing complex process- and business-related demands, an
organization may get distracted by acute and chronic maintenance issues, regulatory compliance obligations, or process
safety incidents, any of which could lead to significant loss of OD.

The manufacturing process in Bhopal suffered from chronic maintenance issues, which over time caused multiple barriers
to deteriorate — all due, at least in part, to defects in operational discipline. Organizational culture was a primary cause of
the insufficient hazard recognition that led to the gradual loss of safeguard protection at the Bhopal plant. Although the
equipment for the barriers was still in place, the effectiveness of that equipment had deteriorated significantly. Specific
weaknesses in OD that reduced the effectiveness of the process safety systems and increased the overall risk for a
catastrophic loss-of-containment incident to occur included (11):
• selecting materials of construction contrary to what was specified in the design — i.e., less-expensive iron instead
of inherently safer stainless steel to construct the MIC vapor-transfer header
• increasing the factory’s maintenance commitment by physically modifying the process — i.e., using the nitrogen
blanketing system to address the chronic failures of the MIC storage tank transfer pump
• adjusting operating procedures to implement pump maintenance and header workaround solutions — i.e.,
manipulating the MIC storage tank vent valves to reduce chronic MIC circulation pump failures
• loss of a sense of vulnerability to high MIC temperatures
• taking necessary equipment out of service and not repairing the compromised equipment quickly — i.e.,
disconnecting the scrubber system and the flare system because of maintenance-related issues
• acceptance by the workers and the surrounding community of frequent leaks as normal operations — i.e., people
endured the temporary physical effects of periodic MIC loss-of-containment incidents, gradually accepting an
accrued risk as foul MIC odors failed to prompt a defensive response.
Because of these OD deficiencies, most of the multiple safeguards in the original design were compromised or in a failed
state when the exothermic reaction occurred on Dec. 3, 1984. There was simply no way for the workers to mitigate the
consequences of the overpressurization once the loss of containment occurred. Many of today’s computerized,
interdependent processes suffer from the same weaknesses — by the time the operators recognize the hazardous situation,
they do not have sufficient time to respond (17).

Industry now recognizes that the Bhopal incident did not occur because of a simple sequence of events that lined up on
that fateful day. The disaster occurred due to failures in the three fundamental foundations of an effective process safety
program: process safety culture and leadership, operational discipline, and process safety systems (3). The interactions
among these three factors at the Bhopal factory pushed the process into unsafe and uncharted territory as the process
safety systems designed to manage the hazards and risks deteriorated (18).

Literature Cited

1. Klein, J. A., “The ChE as Sherlock Holmes: Investigating Process Incidents,” Chemical Engineering
Progress, 112 (10), pp. 28–34 (Oct. 2016).
2. Center for Chemical Process Safety, “Process Safety
Glossary,” www.aiche.org/ccps/resources/glossary/process-safety-glossary/process-safety (accessed Sept. 2016).
3. Klein, J. A., and B. K. Vaughen, “Process Safety: Key Concepts and Practical Applications,” CRC Press, Boca
Raton, FL (to be published Mar. 2017).
4. Klein, J. A., and B. K. Vaughen, “A Revised Model for Operational Discipline,” Process Safety
Progress, 27 (1), pp. 58–65 (Mar. 2008).
5. Klein, J. A., and B. K. Vaughen, “Implementing an Operational Discipline Program to Improve Plant Process
Safety,” Chemical Engineering Progress, 107 (6), pp. 48–52 (June 2011).
6. Vaughen, B. K., and J. A. Klein, “Improving Operational Discipline to Prevent Loss of Containment
Incidents,” Process Safety Progress, 30 (3), pp. 216–220 (Sept. 2011).
7. Dekker, S., “The Field Guide to Understanding Human Error,” Ashgate Publishing Co., Burlington, VT (June 30,
2005).
8. Vaughen, B. K., and T. Muschara, “A Case Study: Combining Incident Investigation Approaches to Identify
System-Related Root Causes,” Process Safety Progress, 30 (4), pp. 372–376 (Dec. 2011).
9. Goddard, W. K., “Use LOPA to Determine Protective System Requirements,” Chemical Engineering
Progress, 107 (2), pp. 47–51 (Feb. 2007).
10. Center for Chemical Process Safety, “Guidelines for Initiating Events and Independent Protection Layers in
Layer of Protection Analysis,” Wiley/AIChE, Hoboken, NJ, and New York, NY (Dec. 2014).
11. Bloch, K., “Rethinking Bhopal: A Definitive Guide to Investigating, Preventing, and Learning from Industrial
Disasters,” IChemE, Elsevier, Amsterdam, Netherlands (2016).
12. Willey, R. J., “What are Your Safety Layers and How Do They Compare to the Safety Layers at Bhopal before
the Accident?,” Chemical Engineering Progress, 111 (12), pp. 22–27 (2014).
13. Kletz, T. A., “What Went Wrong? Case Histories of Process Plant Disasters and How They Could Have Been
Avoided,” 5th Edition, Butterworth-Heinemann/IChemE (July 2009).
14. Center for Chemical Process Safety, “Guidelines for Investigating Chemical Process Incidents,” 2nd Edition,
Wiley/AIChE, Hoboken, NJ, and New York, NY (Mar. 2003).
15. Center for Chemical Process Safety, “Incidents That Define Process Safety,” Wiley/AIChE, Hoboken, NJ, and
New York, NY (Apr. 2008).
16. Institution of Chemical Engineers, “Remembering Bhopal — 30 Years On,” Loss Prevention Bulletin, 240,
IChemE, Rugby, U.K. (Dec. 2014).
17. Leveson, N. G., “Engineering a Safer World; Systems Thinking Applied to Safety,” MIT Press, Cambridge, MA
(2011).
18. Vaughen, B. K., “Three Decades After Bhopal: What We Have Learned About Effectively Managing Process
Safety Risks,” Process Safety Progress, 34 (4), pp. 345–354 (Dec. 2015).

Additional Resources

Bloch, K., and B. Jung, “The Bhopal disaster,” Hydrocarbon Processing, 91 (6), pp. 71–76 (June 2012).
Vaughen, B. K., and T. A. Kletz, “Continuing Our Process Safety Management (PSM) Journey,” Process Safety
Progress, 31 (4), pp. 337–342 (Dec. 2012).

Bruce K. Vaughen, P.E., is a principal consultant for Baker Engineering and Risk Consultants, Inc.
(Email: bvaughen@bakerrisk.com). He has more than two-and-a-half decades of experience in process safety, with roles
in research, operations, teaching, and consulting. He is the principal author of two CCPS guideline books and a co-author
of Process Safety: Key Concepts and Practical Approaches. He has presented papers and led sessions at National Society
of Professional Engineers, American Society for Engineering Education, and AIChE/CCPS symposia. He has a BS in
chemical engineering from the Univ. of Michigan, and an MS and a PhD in chemical engineering from Vanderbilt Univ.
He is a registered P.E.
Kenneth Bloch is an industrial accident investigator for the downstream petrochemical refining industry in the Texas
Gulf Coast area (Email: processreliability@gmail.com). His 30 years of experience includes maintenance, reliability,
process safety, technical, and operations positions. He is the author of Rethinking Bhopal: A Definitive Guide to
Investigating, Preventing, and Learning from Industrial Disasters and speaks about current industrial safety and
regulatory topics at American Fuel and Petrochemical Manufacturers, American Petroleum Institute, and AIChE
symposia. He has a BS in environmental science from Lamar Univ.
