As discussed in Part I, bow tie diagrams provide an easy-to-understand visual representation of risk management information (hazards, potential consequences, barriers, degradation factors and controls). In this article we examine the applicability of bow ties to alarm management.
According to the CCPS book “Bow Ties in Risk Management”, there are five main barrier types.
An operator response to an alarm is considered an “Active Hardware + Human” barrier. To be considered a complete barrier, it must contain the following three elements: Detect (e.g., high-high level indicator with alarm), Decide (e.g., the operator diagnoses the situation and initiates a response), and Act (e.g., operator manipulates final control element manually or via the control system).
Note that in the example diagrams below the barrier type is indicated by color code and label.
Bow Tie Diagram for the Buncefield Incident
To illustrate the potential use of bow ties for alarm management, the Buncefield tank overflow and explosion (2009) was analyzed. At the Buncefield Oil Depot, a failure of a tank level gauge prevented its associated high-level alarm from being annunciated to the operator. As the level in the tank reached its ‘ultimate’ high level, a second protection layer, an independent safety switch, failed to trigger an alarm to notify the operator and failed to initiate a trip which would have automatically shut off the incoming flow. The tank overflow and ensuing fire resulted in a £1 billion (1.6 billion USD) loss.
As shown in the bow tie diagram below, the three main barriers to prevent “Tank Overflow” (Top Event) were “Fill Plan & Proactive Monitoring”, “Tank Level Alarms & Operator Response”, and “Independent High-High Automatic Shut-Off”. The degradation factors for the Tank Level Alarm barrier were identified as “Alarm Failure” and “Operators fail to respond appropriately to alarms”. The degradation controls to prevent “Alarm Failure” are “Regular Maintenance and Testing” and “Alarm failure easily identified in control room and prioritized fault repair process”.
Identifying these degradation controls highlights their importance in preventing a Major Accident Event (MAE) such as tank overflow. If these controls had been adopted and applied rigorously, it is possible that the failure of the level gauge, which indicated that the tank was 2/3 full, could have been prevented, or that the failure would still have drawn the operator’s attention and prompted an investigation of the abnormal situation.
Figure – Standard Bow Tie Showing Main Pathways and Degradation Factors (Prevention Side) Ref CCPS
Multi-Level Bow Tie Approach
To dive down and analyze the human and organizational factors (HOF) associated with a particular barrier, a multi-level bow tie approach can be used. It focuses on the impact of human error on barrier degradation and subsequently on making the barriers as robust as possible.
To create a multi-level bow tie diagram for the Buncefield incident, the Top Event becomes the failure of one of the barriers, in this example “Tank Level Alarms & Operator Response”. The bow tie diagram then focuses in detail on the degradation factor “Operators fail to respond appropriately to alarms”, which is now modelled as a threat. The barriers to prevent this threat include “Alarm easily identified on HMI” and “Defined operator action in event of high level alarm (auditable)”. As shown in the Level 1 Extension Bow Tie below, each barrier has additional degradation factors and controls that can now be shown; including them in the main bow tie diagram would have made it too complicated.
Figure – Level 1 Extension Bow Tie Selected Barriers (Ref CCPS)
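The two diagrams can also be held as data and checked mechanically. The sketch below is an added example, not taken from the CCPS book or the original article: the `Barrier` and `BowTie` classes, the `audit` rule and the wording of the Level 1 top event are assumptions made for illustration, while the barrier, degradation factor and control labels come from the text above. It flags any Detect/Decide/Act barrier with a missing element, and any degradation factor that has neither a control on the main diagram nor an extension bow tie that expands it as a threat.

```python
from dataclasses import dataclass, field

ELEMENTS = ("Detect", "Decide", "Act")  # required for an "Active Hardware + Human" barrier

@dataclass
class Barrier:
    name: str
    elements: dict = field(default_factory=dict)     # element -> how it is provided
    degradation: dict = field(default_factory=dict)  # degradation factor -> controls

@dataclass
class BowTie:
    top_event: str
    barriers: list
    threats: list = field(default_factory=list)

def audit(main, extensions=()):
    """Return (barrier, issue) pairs for gaps in the main bow tie."""
    expanded = {t for ext in extensions for t in ext.threats}
    findings = []
    for b in main.barriers:
        # Element check applies only to barriers modelled as Detect/Decide/Act.
        findings += [(b.name, f"missing element: {e}")
                     for e in ELEMENTS if b.elements and not b.elements.get(e)]
        for factor, controls in b.degradation.items():
            if not controls and factor not in expanded:
                findings.append((b.name, f"no control for: {factor}"))
    return findings

# Labels are taken from the article; element texts reuse its generic examples.
alarm_barrier = Barrier(
    "Tank Level Alarms & Operator Response",
    elements={"Detect": "high-high level indicator with alarm",
              "Decide": "operator diagnoses the situation and initiates a response",
              "Act": "operator manipulates final control element"},
    degradation={
        "Alarm Failure": ["Regular Maintenance and Testing",
                          "Alarm failure easily identified in control room and prioritized fault repair process"],
        "Operators fail to respond appropriately to alarms": [],  # none named on main diagram
    })
main = BowTie("Tank Overflow", [
    Barrier("Fill Plan & Proactive Monitoring"),
    alarm_barrier,
    Barrier("Independent High-High Automatic Shut-Off")])
level1 = BowTie(
    "Failure of Tank Level Alarms & Operator Response",  # constructed wording
    [Barrier("Alarm easily identified on HMI"),
     Barrier("Defined operator action in event of high level alarm (auditable)")],
    threats=["Operators fail to respond appropriately to alarms"])

print(audit(main), audit(main, [level1]))
```

Run against the main diagram alone, the audit reports the operator-response degradation factor as uncontrolled; attaching the Level 1 extension clears that finding.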
The benefit of calling out the additional level of detail would be to focus the operations, maintenance, and management team on the safety critical tasks that should be performed to maximize the reliability of the “operator response to alarm” barrier. It could reinforce to the team the importance of, and garner management commitment for, the following critical alarm management activities:
- Performing alarm rationalization (including prioritization) to ensure all alarms are meaningful
- Maintenance and testing of alarms based on classification
- Developing Alarm Response Procedures to provide guidance to the operator when a barrier alarm is generated
- Designing the Human Machine Interface (HMI) to maximize the operator’s situation awareness
In conclusion, it appears that bow tie diagrams have potential for use in alarm management, particularly for alarms that are expected to help prevent major accident events. Bow tie diagrams can highlight alarm management tasks to be performed. They also highlight alarm management degradation controls, many of which are generic and could be applied to the entire alarm system. Bow tie diagrams seem to provide a useful mechanism for integrating process safety, alarm management (and cybersecurity) risk assessment results into a common view.
Since this is a relatively new methodology, time will tell how far bow ties are adopted to support alarm management.
“Bow Ties in Risk Management: A Concept Book for Process Safety” CCPS in association with the Energy Institute, 2018.
“Bowtie Analysis for Alarm Management”, D. Hatch and A. Geddes, IChemE Alarm Systems and Controls Seminar & Tyneside Process Safety Forum 2018.
“The Buncefield Investigation” - www.buncefieldinvestigation.gov.uk/reports/index.htm