Process Hazard Analysis (PHA) has become routine for chemical processes at every step of their lifecycle. The Bow-Tie method offers a graphic alternative to the traditional Hazard and Operability (HAZOP) method and the What-If method. One recognized hazard in the chemical industry is the runaway exothermic reaction. This article illustrates application of the Bow-Tie methodology for conducting an initial PHA study for a semi-batch chemical reactor system that has potential for a runaway exotherm event. The PHA application described presents general concepts and key issues and is not intended to present a complete case study.
The accepted practice in the chemical industry is to conduct a progressive series of increasingly detailed safety reviews for a new or significantly modified chemical process. Initial PHA studies are most often conducted during the conceptual design stage, with the objective being to identify and evaluate:
major hazards associated with the chemicals involved in the process
major hazards associated with the process and its equipment
changes to operating procedure
fundamental process safety and control philosophy and criteria
significant hazard control safeguards (hardware, software, and administrative)
aspects of the process/project that are anticipated to require additional safety review and evaluation in more detail
Initial PHA studies can be conducted using several methodologies; the most common are the What-If and the Hazard and Operability (HAZOP) methods. The Bow-Tie analysis offers a cost-effective alternative approach for processes that are well understood. During the early stages of a project, it is premature to apply an extensive and rigorous review method such as Quantitative Risk Analysis (QRA) or Fault Tree Analysis (FTA), because a large portion of the information needed for these studies is not yet available. The Bow-Tie methodology is a qualitative PHA approach ideally suited for initial analysis of an existing process, or for application during the middle stages of project design.
The scope of a PHA can vary significantly, depending on numerous factors, including:
nature of the materials involved (reactivity, toxicity, flammability, stability, physical properties and others)
nature and complexity of the process chemistry and reaction kinetics
maturity of the process (new process, old process, existing process being modified)
degree of understanding related to the process, the chemicals, the equipment (operating history)
regulatory and code compliance issues
facility siting studies
proposed modifications (to the process, the equipment, control systems, organizational structure, and administrative management systems)
Batch and semi-batch synthesis chemical reaction processes that have the potential for runaway exotherms require a thorough and systematic identification and evaluation of process hazards and risks. This is best accomplished in progressive stages, as the design becomes more developed. Successful design reviews represent an optimum trade-off of several factors: the amount of information available to the PHA team, scope of the PHA study, cost to make modifications and the degree of remaining unknowns in the design. Timing is important. If the analysis is conducted too late, the cost for modifications can be significantly increased. If the analysis is conducted too early, items may be identified for which no action can be taken until the design progresses further to conclusion.
A screening PHA can be viewed as an optimization technique that allows identification of significant risk exposures with a minimum investment of resources. Screening studies can identify aspects of the process and project that can be excluded from additional or detailed review. In addition, a screening study may identify specific scenarios that provide input to a formal QRA risk study.
The Bow-Tie technique
The Bow-Tie PHA methodology represents a synergistic adaptation of three powerful conventional system safety techniques (Fault Tree Analysis, Causal Factors Charting and Event Tree Analysis)¹. The Bow-Tie approach is highly effective for initial PHAs to ensure high probability-high consequence events have been identified and addressed. It can be described as a combined application of a high-level fault tree and a high level event tree. It provides a representation of the causes of a hazardous scenario event, likely outcomes, and the measures in place to prevent, mitigate, or control hazards. Existing safeguards (barriers) are identified and evaluated for adequacy. Additional protections are recommended where appropriate. Typical cause scenarios are identified and depicted on the pre-event side (left side) of the bow-tie diagram (Figure 1). Credible consequences and scenario outcomes are depicted on the post-event side (right side) of the diagram, and associated barrier safeguards are included. One attribute of the Bow-Tie method is that in its visual form, it depicts the risks in ways that are readily understandable to all levels of operations and management.
[Figure 1]
The conventional Fault Tree Analysis (FTA) methodology focuses on a designated "top event" and looks backwards in time to identify those specific factors, conditions and events that could, in combination, result in that specified top event². From a time progression perspective, the fault tree ends with the top event. Conversely, the conventional Event Tree begins with a specified event and looks forward in time. It is an inductive approach identifying and evaluating potential outcomes from a designated set of conditions and options³. Both techniques have the capability to identify and evaluate existing, or proposed, safeguard measures that prevent, or mitigate, adverse consequences. The Causal Factors Chart (CFC)⁴, sometimes referred to as the Events and Causal Factors (ECF) chart, is a formal, and systematic, incident investigation and root cause analysis technique. It combines critical thinking, logical analysis, and graphic representations to analyze and depict an accident event scenario. CFC also has been applied to root cause analysis. The ECF chart depicts the necessary and sufficient events and causal factors associated with a specific accident scenario.
In the Bow-Tie method, the designated top event output of a Fault Tree is the starting point for an Event Tree. This approach was initially developed by the Shell organization and gets its name from the shape of the combined diagrams that appear as a rotated hourglass shape (Figure 1). Bow-Tie adopts the Causal Factors Charting approach of a progressive timeline and expanded annotations for developing details of the safeguard measures (preventive or mitigative). Safeguard barriers to prevent, or mitigate, progression of an accident scenario are depicted by dotted vertical lines on the diagram. These safeguard measures (preventive, mitigation, and recovery) can function as the basis for conducting a Layer of Protection Analysis (LOPA) study⁵. Although not normally included during initial PHA studies, the reliability and independence of each safeguard measure can be evaluated and confirmed. Safeguard measures can be examined in increasing levels of detail as determined by the scope and objectives of the PHA study.
One feature of the Bow-Tie method is the concept of a potential recovery path. The diagram can depict and evaluate several different scenario outcomes, where the operator, or system, recovers or mitigates the consequences and avoids the ultimate worst case path. If desired, the pre-event side of the Bow-Tie can be used as a starting point for a full quantitative fault-tree analysis PHA study, and the post-event side can be used as the input for a quantitative Event Tree study.
The Bow-Tie analysis is most effective when conducted by a seasoned team led by a trained and experienced facilitator. Since the Bow-Tie encompasses a wide range of issues, team member selection is important to the success of the study and must include personnel with knowledge of the:
1. Design features and functions (process/project engineer)
2. Operational characteristics of the system (operations personnel)
3. Chemical reaction characteristics (process/project/safety engineer)
4. Existing safeguards and their reliability and vulnerabilities (instrumentation, safety, maintenance, and process/project engineer)
5. Environmental safety factors (process/environmental engineer)
Ideal team size ranges from four to seven people. Accurate and complete process safety information is critical for success (including reaction chemical kinetics and properties). It is essential that the team have sufficient knowledge of existing, or intended, administrative safeguards: operator training and competencies, permit systems, mechanical integrity systems, management of change systems, and emergency preparedness and response systems. The Bow-Tie approach shares some characteristics of a structured What-if study in that simultaneous multiple deviations can be identified and evaluated.
When conducting a Bow-Tie analysis, fault tree, or event tree, the selection and designation of the top event is a critically important step. For reactive chemical batch and semi-batch reactions, there are several options for selecting the top-event. In this illustrative example, the top event can be designated as either: 1) Undesired (or unintended) exotherm; 2) Significant overpressure in the reactor due to accelerating reaction; or 3) Loss of Containment of the reactor contents (Figure 2). Pre-event cause scenarios are depicted on the left side of the diagram and represent credible causes and potential failure modes. Post-event consequence outcomes are depicted on the right side of the diagram. Safeguard measures (pre- and post) are depicted by vertical lines. During the PHA study sessions, the team identifies these existing barriers (left of the top event) and makes a consensus decision as to adequacy of these existing safeguards. General time progression is from left to right of the diagram.
[Figure 2]
The reaction process chosen for this illustration is a typical semi-batch reactor (Figure 3). In this process example, an initial charge of reactants is fed to the reactor. The exothermic reaction is started via addition of an initiating substance, and subsequently the batch proceeds by controlled addition of additional reactants. The initial exotherm is desirable, intended, and necessary. During the controlled addition phase of the batch, reactant feed rate is regulated by a temperature control system that senses both the absolute temperature at several locations and the rate of temperature change in the reactor. The reactants and solvent are presumed to be flammable liquids (NFPA Class One material) with moderate vapor pressure at atmospheric conditions. The exothermic reaction is presumed to release moderate to high rates of thermal energy (-800 cal/g), and is presumed to have the potential to accelerate into an uncontrollable runaway reaction.
[Figure 3]
Critical equipment for safe operation of the reaction system includes the reactor vessel, condenser, agitator, cooling system (internal coils), and control systems for:
addition of reactants
venting (normal venting and emergency venting), and reactor dump system
There are interlocks on the feed rate, and automatically-activated emergency cooling, emergency venting, and emergency dump systems. Alarms are provided for high temperature, high-high temperature, and rate of temperature rise.
Reactor safeguards include emergency reaction quench system, auxiliary cooling, emergency venting, and emergency dump system. A rupture disk (PSE) and a relief valve (PSV) are provided to reduce the likelihood of reactor vessel failure. An emergency reactor evacuation (dump) system is composed of a large diameter pipe that flows to an open water basin and discharges 10 ft below the surface of a remote basin. There are on-line analyzers as well as periodic lab sample analysis.
Other safeguards include an integrated set of safety management systems, operator training and qualification program, mechanical integrity (inspections, reliability assurance, testing/calibrations), written general operating procedures, written specific batch instruction sheets, emergency response plans, environmental documentation, e.g., spill prevention, control and countermeasure (SPCC) plans, flammable gas detectors, a water-spray deluge system, and a flare. Designated critical steps in the batch cycle are required to be verified by a second (qualified) person.
Pre-event side of Bow-Tie
In this illustration, not all cause scenarios are included on the pre-event side of the Bow-Tie. A screening study would be conducted in significantly more detail and would identify and include all credible cause scenarios. The PHA team develops the pre-event (cause scenario) side of the diagram by progressing from right to left, backwards in time, in a deductive approach. Figure 4 illustrates the first level of the pre-event diagram, along with associated safeguard barriers. The PHA team identified five general cause categories at the first level that could result in an unintended exotherm (Figure 4):
[Figure 4]
A. Mis-charging (during the initial reaction step or during subsequent step of continuous feed).
B. Less than adequate Agitation due to a variety of reasons (motor, shaft, impeller/blade).
C. Heat Removal Problem (during normal operation or during a temperature excursion).
D. Control System Problem.
E. Other and Miscellaneous.
Safeguards, or barriers, are identified and added to the diagram between the identified causes and the designated top event (the unintended exotherm). Some barriers may apply to more than one cause. As shown on Figure 4, the team identified five existing barriers that apply to the Mis-charge scenario:
1. Written Specific Batch Control Instruction or Specification Sheet that is generated, reviewed, and approved by operation managers.
2. Physical action by operations personnel to verify and confirm the operating conditions and completed actions.
3. Lab analyses.
4. On-line analyzers.
5. Operator qualification and competency specifically applicable to the cause scenario.
The PHA study progresses systematically through each of the five cause categories at level one, then progresses to the next level of detail. Figure 5 illustrates 16 potential second level cause scenarios.
[Figure 5]
In some aspects, results of a Bow-Tie analysis resemble a modified Failure Mode and Effect Analysis (FMEA): credible failures are systematically identified, and then existing safeguards are determined and evaluated. For example, credible causes for malfunctions of the written Specific Batch Control Instructions could be examined by the team; the associated safeguard measures related to these causes would be further identified and evaluated. The system for ensuring that written instructions are accurate and up-to-date would be discussed by the PHA team. Procedures for change management, and occasional, anticipated deviations related to these written instructions, would be evaluated. Finally, reliability, and degree of independence, of each of the identified safeguards are evaluated. Further analysis can be conducted later as desired.
The analysis then proceeds to the next level of detail. One of the identified concerns at this level is the availability of cooling water for heat removal. The third-tier of detail for this concern might include credible causes of loss of cooling water such as:
supply problem (inadequate quantity available for pumping, or low supply pressure)
flow restriction problem caused by obstruction (fouling or corrosion inside the piping system)
flow restriction problem caused by mis-valving (manual block valve positions incorrect)
flow problem associated with the pumping system
flow problem associated with freezing water
Safeguards associated with each of these identified flow problems would then be identified and evaluated by the PHA team. Another example of additional detail is shown in Figure 6, where the team identifies and examines potential causes for mis-charge events, which could involve one or more of eight possible sources.
[Figure 6]
The post-event side
The Event-Tree side of the Bow-Tie diagram is used to identify and evaluate credible outcome scenarios. A variety of consequences can be addressed, including injury, damage to equipment, environmental consequences, production outage, company reputation, or other criteria of concern. Safeguard measures that prevent, or mitigate, consequences are identified and depicted by vertical lines. The Event Tree side of the Bow-Tie diagram has the capability to illustrate various consequence outcomes based on the presence, or effectiveness, of the safeguard measures.
As previously mentioned, selection of the top event is critical for success. For this illustrative example, the PHA team identified three sequential events that occur (Figure 2). To be significant, an unintended exotherm must progress to a situation that results in loss of containment (release of process material to the atmosphere). There are safeguards that prevent an unintended exotherm event from developing into a loss of containment incident. For example, if the reactor emergency cooling, or quench system, functions adequately, a release to the atmosphere could be avoided.
Release of flammable vapors could result in one, or more, of four outcomes (Figure 7):
[Figure 7]
ignition (and its subsequent consequences)
news media coverage
regulatory agency action
The PHA team identified five existing safeguard measures that prevent or mitigate ignition (Figure 8):
[Figure 8]
1. Design specifications for spacing, venting, and equipment.
2. Selection and installation of equipment that meet Electrical Area Classification Standards.
3. An effective Mechanical Integrity Program to ensure electrical equipment and other potential ignition sources are maintained in proper condition.
4. Hot work control system to control temporary and mobile sources of ignition.
5. Deluge waterspray system.
Seven, second-tier, consequences for an ignition event are illustrated in Figure 8. Applicable preventive, or mitigating, safeguards are identified for each of these potential outcomes. The PHA team progresses through each of the consequences to the extent dictated by the scope of the study. The team identifies additional measures believed to be appropriate.
An attractive option
The flexibility of the Bow-Tie methodology, demonstrated here, shows the advantages of using it for analyzing process hazards. This method can be applied in a range of detail, from a preliminary screening, to a Layer of Protection Analysis (LOPA)⁶ study of an existing process (Figures 6, 7, and 8). Safeguard measures may apply to more than one cause or consequence scenario; therefore, this method can be used to identify, and evaluate, the degree of independence of designated safeguards. In addition, vulnerabilities and common cause failures can be easily identified. Bow-Tie offers many attributes of the Hazard and Operability (HAZOP) PHA method, yet it can more easily address non-steady state operations such as batch reactions and startup situations. The Bow-Tie method can accommodate multiple outcomes and simultaneous multiple failure events. As with most PHA methodologies, effective application of this method is dependent on the combined experience, skills, and synergies of the PHA team.
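The independence check described above can be run mechanically once the diagram is written down as data. The following is an added example, not part of the original article: the mis-charge and ignition barrier lists come from the text, while the barrier assignments for the other three causes, the shortened barrier names and all function names are assumptions made for illustration.

```python
# Bow-tie as data: each path (a cause on the left, a consequence on the
# right) lists the barriers standing between it and the top event.
TOP_EVENT = "Unintended exotherm"

PRE_EVENT = {
    # Barriers the article lists for the mis-charge scenario (Figure 4).
    "Mis-charging": ["Batch instruction sheet", "Operator verification",
                     "Lab analyses", "On-line analyzers",
                     "Operator qualification"],
    # Constructed assignments (assumption), using safeguards the article
    # describes for the reactor system.
    "Inadequate agitation": ["Mechanical integrity program",
                             "Operator qualification"],
    "Heat removal problem": ["Emergency cooling", "High-temperature alarm",
                             "Mechanical integrity program"],
    "Control system problem": ["High-temperature alarm",
                               "Feed-rate interlock"],
}

POST_EVENT = {
    # Barriers the article lists against ignition (Figure 8).
    "Ignition": ["Design spacing and venting",
                 "Electrical area classification",
                 "Mechanical integrity program", "Hot work control",
                 "Deluge water spray"],
}


def all_paths():
    """Yield (side, path, barriers) for both sides of the diagram."""
    for side, paths in (("pre", PRE_EVENT), ("post", POST_EVENT)):
        for path, barriers in paths.items():
            yield side, path, barriers


def shared_barriers():
    """Barriers credited on more than one path: common-cause candidates."""
    usage = {}
    for side, path, barriers in all_paths():
        for barrier in barriers:
            usage.setdefault(barrier, []).append(f"{side}:{path}")
    return {b: sorted(p) for b, p in usage.items() if len(p) > 1}


def remaining_after(failed):
    """Barriers still standing on each path if `failed` are all impaired."""
    failed = set(failed)
    return {f"{side}:{path}": [b for b in barriers if b not in failed]
            for side, path, barriers in all_paths()}


def weakest_paths(failed=(), minimum=2):
    """Paths left with fewer than `minimum` barriers after the failures."""
    return sorted(path for path, left in remaining_after(failed).items()
                  if len(left) < minimum)


if __name__ == "__main__":
    print(f"Top event: {TOP_EVENT}")
    for barrier, paths in shared_barriers().items():
        print(f"  shared barrier {barrier!r}: {', '.join(paths)}")
    print("Thin paths if mechanical integrity lapses:",
          weakest_paths(failed=["Mechanical integrity program"]))
```

A barrier that appears in `shared_barriers()` is credited on several paths at once, so its failure should be evaluated as a single common-cause event rather than as independent layers.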
The Bow-Tie approach can be used for non-PHA applications such as reliability and root cause analysis studies and for unit production operation applications. For example, the Bow-Tie method could be used to analyze the reliable operation of a fire water pump system. Multiple causes of system unreliability and failure modes can be identified and evaluated. The event tree side of the Bow-Tie diagram can be used to identify and evaluate various recovery paths from deviations and impairments of safeguards. It is expected that this Bow-Tie approach will find increasing acceptance for those systems involving human reliability and error minimization. Due to its flexibility, the Bow-Tie method is ideally suited for integration with efforts to improve human performance and reliability.
1. Gifford, M., Giltert, S., Bernes, I., Bow-Tie Analysis, Equipment Safety Assurance Symposium (ESAS), 2003.
2. Couronneau, J.C., Tripathi, A., Implementation of the New Approach of Risk Analysis in France, 41st International Petroleum Conference, 2003.
3. Vincoli, J.W., Basic Guide to System Safety, Van Nostrand Reinhold, NY, NY, 1993, ISBN 0-442-01275-6.
4. Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers, NY, NY, Second Edition, 1992, ISBN 0-8169-0491-X.
5. Oakley, Jeffrey S., Accident Investigation Techniques, American Society of Safety Engineers, Des Plaines, IL, 2003, ISBN 1-885581-47-5.
6. Layer of Protection Analysis, Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers, NY, NY, 2001.