of management systems, today, there are different definitions that all have in common the presence of three elements:
1 Hazards
2 Consequence seriousness
3 Frequency of a specific scenario
There is a risk if a given event is considered (with its probability of occurrence) and, depending on the type of impact, an opportunity, a loss, or the presence of uncertainty is determined. Events that have only negative consequences are indicated as pure risks. In general, a tolerability threshold is set for them and managed in such a way as to fall within this threshold.
Generally, there are three types of risk assessment, namely qualitative (Q), semi‐quantitative (SQ), and quantitative risk assessment (QRA).
In QRA, numerical values are independently assigned to the various risk assessment components and the level of potential losses. When all the elements (threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, etc.) are quantified, the process is considered entirely quantitative.
In the SQ, frequency and severity are approximately quantified within ranges.
Finally, Q does not assign numerical values to the risk assessment components. It is based on the scenario. Several threat vulnerability scenarios are determined by trying to answer “what‐if” questions. In general, qualitative risk assessment tends to be more subjective in nature
The lower levels of assessment (Q and SQ) are considered most appropriate for screening for hazards and events that need to be analyzed in greater detail. One approach to deciding the proper level of detail could be to start with a qualitative approach and to add for more detail whenever it becomes apparent that the current level is unable to offer an understanding of the risks, discrimination between the risks of different events, and so on.
It is possible to refer to the existing literature (widely used by many states in the promulgation of laws and regulatory provisions) to analyze the numerous methodologies implemented over time, in particular, to support sectors of activity characterized by elements of risk that could determine if the event were to occur, and serious consequences for people and the environment, as well as for the company itself (O&G, nuclear, etc,).
The first step for the risk assessment is hazard identification. Hazard identification (HAZID), hazard and operability (HAZOP), safety integrity level (SIL), failure modes and effects analysis (FMEA), what‐if (WI), and safety checklist (SCL) are all examples of methodologies used worldwide.
The next steps are:
Risk estimation and ranking of risk
Risk evaluation
Implementation of risk reduction
The output of the risk estimation should be a list of risks in ranked order for consideration. The process of risk evaluation starts with the highest risk. It proceeds down the list of identified potential risk reduction measures until it is evident that no further risk reduction measures can be justified. It should be demonstrated that risks are controlled to ensure compliance with the relevant provisions, and not intolerable. Risk estimation needs assessing both the severity (consequence) and frequency (likelihood) of hazardous events. For the Q or SQ approaches, a risk matrix is a convenient method of ranking and presenting the results.
A risk reduction measures study should be carried out by a multi‐disciplinary brainstorming team with adequate experience, knowledge, and qualifications. The team will take each risk in turn and identify potential risk reduction measures, including any identified during the risk assessment.
Although the elimination of danger is the ultimate goal, it cannot be easy and is not always possible. A hierarchical approach to risk reduction involves: hazard elimination (the most effective hazard control); hazard substitution (replacing something that produces a hazard (similar to removal) with something that does not create a hazard); engineering controls (these do not eliminate hazards, but rather isolate people from hazards); administrative controls (changes to the way people work.); and personal protective equipment.
When discussing risk reduction and the hierarchy of risk control, it is essential to introduce the concept of the barrier. Barriers are functions and measures designed to break a specified undesirable chain of events. In other words, their function is to prevent a hazard from manifesting itself or mitigating its consequences.
Both control and recovery barriers are elements of the bow tie methodology that will be discussed in depth. The Bow‐Tie method is a risk assessment method that can be used to analyze risk scenarios. It’s named after its shape and contains eight elements: hazard, top event, threats, consequences, preventive barriers, recovery barriers, escalation factors, and escalation factor barriers.
Anyway, all the topics presented up to now will be discussed in detail later, including the concept of ALARP (which represents a critical element of risk management) and risk reduction in a “region of acceptability.”
Author Preface
Luca Fiorentini
Director, TECSA S.r.l.
Risk, as per the ISO 31000 international standard, is defined as “effect of uncertainty on objectives,” where the “effect is a deviation from the expected”: risk is “usually expressed in terms of risk sources, potential events, their consequences and their likelihood.”
When I first met the Bow‐Tie method many years ago I classified it as a simple, immediate, funny notation to describe simple situations. At that time I could refer to my experience in the industrial risk and process safety domains with HSE cases built with the use of multiple and combined methodologies (fault tree, event tree, HAZID/HAZOP/FMEA, etc.) up to full quantitative risk assessments based on calculations. So I started using Bow‐Ties to summarize the results coming from other methods, nothing more. Immediate (and coloured) notation of my Bow‐Ties started enriching my executive summaries, my papers, my conference slides, and so on with a great reward in terms of appreciation from readers, students, colleagues, and customers.
Later I realized that I had discovered one of the main capabilities of the method: the clarity power of notation. It happened during the preparation of my Italian book on fire risk assessment, in which I described a number of methods (also risk matrices, structured brainstorming, LOPA, etc.) and I decided to describe with a Bow‐Tie diagram a couple of real incidents: the Buncefield tank fire in the UK (from a description given by the UK Health and Safety Executive in an official report) and the Thyssenkrupp fire in Italy that became very famous for the number of fatalities (seven) and in which I was part of the technical consultant group working on behalf of the Public Prosecutor’s Office since the beginning of the investigations. Both of the two incidents, described with a Bow‐Tie, raised the usual interest and curiosity in the readers, but I did understand that Bow‐Tie is the best way to deal with the essence of the various elements that define risk according to the ISO 31000 standard: hazard, deviation, threats, and consequences.
Deviations are raised from threats and could lead to potential impacts in a very simple and straightforward path. This flow can be interrupted by barriers (or controls) that can modify the likelihood and or the severity of the consequences. Simple enough!
The diagram can be modified to include more details (failure mechanisms of barriers, common causes of failure, roles and responsibilities associated to each control in place, …), a quantification (escalation factors, conditional probabilities, conditional modifiers,
