Analyzing system safety and risks under uncertainty using a bow-tie diagram: An innovative approach

https://doi.org/10.1016/j.psep.2011.08.010

Abstract

A bow-tie diagram combines a fault tree and an event tree to represent the risk control parameters on a common platform for mitigating an accident. Quantitative analysis of a bow-tie is still a major challenge since it follows the traditional assumptions of fault and event tree analyses. The assumptions consider the crisp probabilities and “independent” relationships for the input events. The crisp probabilities for the input events are often missing or hard to come by, which introduces data uncertainty. The assumption of “independence” introduces model uncertainty. Elicitation of expert's knowledge for the missing data may provide an alternative; however, such knowledge incorporates uncertainties and may undermine the credibility of risk analysis.

This paper attempts to accommodate the expert's knowledge to overcome missing data and incorporate fuzzy set and evidence theory to assess the uncertainties. Further, dependency coefficient-based fuzzy and evidence theory approaches have been developed to address the model uncertainty for bow-tie analysis. In addition, a method of sensitivity analysis is proposed to predict the most contributing input events in the bow-tie analysis. To demonstrate the utility of the approaches in industrial application, a bow-tie diagram of the BP Texas City accident is developed and analyzed.

Highlights

  • The developed approaches are able to accommodate experts’ knowledge and facilitate the risk analysis process under data and model uncertainty.

  • The approaches are able to address the subjective uncertainty and the uncertainty due to ignorance and inconsistency associated with the expert's knowledge.

  • The dependency coefficient in the approaches can explore the different kinds of interdependence among the input events and addresses the model uncertainty for the bow-tie analysis.

  • The sensitivity analysis for bow-tie analysis can identify the most contributing input events and provide an evaluation of the percentage of risk reduction for the industrial system.

Introduction

“Accident” is the term often used for the occurrence of a single event or a sequence of events that causes undesired consequences. These undesired consequences may be environmental damage, property damage, economic loss, sickness, injury or death. “Risk” is a function of a set of scenarios (s), the likelihood of occurrence (f) and the consequences (c) (Kaplan and Garrick, 1981, AIChE, 2000):

Risk = g(s, c, f)

Risk analysis is a systematic approach that gathers and integrates qualitative and quantitative information on the potential causes, consequences, and likelihoods of adverse events. The likelihood of an event refers to a quantitative measure of its occurrence, expressed either as a frequency or as a probability of occurrence. Fault tree analysis (FTA) and event tree analysis (ETA) are two well-established techniques for performing risk analysis of a system. From a risk analysis perspective, a fault tree develops a graphical model for a particular system by exploring the logical relationship between the causes of an undesired event, typically termed basic events, and the undesired event itself, termed the top event (Vesely et al., 1981, Hauptmanns, 1980, Hauptmanns, 1988). It uses the likelihoods of the basic events as input event data and determines the likelihood of the top event. The event tree constructs a graphical model of consequences by treating the undesired event as an initiating event and identifying the possible outcome events at the end (Lees, 2005). The initiating event propagates through a number of intermediate consequences, which are termed events. Each event represents a barrier against escalation of the consequences of the initiating event, until the final outcome events are identified (AIChE, 2000). Like FTA, ETA takes the likelihoods of the events and of the initiating event as input event data and estimates the likelihoods of the outcome events. Traditional FTA and ETA assume that the input event (probability) data are “precisely” known and that the input events (i.e., basic events and events) are independent (CMPT, 1999). However, these assumptions are often unrealistic, lead to erroneous conclusions and defeat the purpose of risk analysis (Ferson et al., 2004, Sadiq et al., 2008, Ferdous et al., 2009b, Ferdous et al., 2010, Markowski et al., 2009).

FTA and ETA distinctly investigate the causes and consequences of an undesired event for a system. A bow-tie diagram is a combined concept of risk analysis that integrates a fault tree and an event tree on the left and right side of the diagram to represent the risk control parameters such as causes, threats (hazards) and consequences, on a common platform for mitigating an accident. The quantitative analysis of a bow-tie diagram determines the likelihoods of the undesired event as well as the outcome events. Cockshott (2005), Chevreau et al. (2006), Dianous and Fiévez (2006), and Duijm (2009) describe the procedure of bow-tie analysis in detail. However, they did not consider the associated uncertainties in quantitative evaluation. In the last few years, the bow-tie method has gained acceptance as a credible risk and safety management tool because of the following advantages:

  • provides a graphical representation of accident scenarios,

  • provides explicit linkages between the causes and the potential outcomes,

  • connects possible outcome events with the undesired event and basic events,

  • provides guidance throughout, starting from basic causes to the final consequences, and

  • provides systematic help in performing comprehensive risk analysis and safety assessment.
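As an added illustration of the FTA and ETA mechanics described above (example code, not code from the paper or its authors), the following Python script evaluates a small bow-tie end to end: a fault tree with AND/OR gates under the traditional independence assumption, an event tree whose barriers split the undesired event into outcome paths, interval propagation of imprecise input probabilities as one simple way of seeing how data uncertainty widens the top-event likelihood, and a Birnbaum-style importance measure to rank the basic events. The tree structure, event names, barrier names and all probabilities are constructed; the interval bounds and the importance measure are standard textbook choices assumed here and are not the paper's fuzzy, evidence-theory or sensitivity formulations.

```python
from itertools import product

# A gate is ("AND" | "OR", [children]); a leaf is a basic-event name (str).
# Constructed example: the top event occurs if (A and B) or C.
TOP = ("OR", [("AND", ["A", "B"]), "C"])
P_POINT = {"A": 0.10, "B": 0.20, "C": 0.05}   # crisp inputs (constructed)
P_LO = {"A": 0.05, "B": 0.10, "C": 0.02}      # lower bounds (constructed)
P_HI = {"A": 0.20, "B": 0.30, "C": 0.10}      # upper bounds (constructed)
# Event-tree barriers in order: (name, P(barrier fails)); constructed values.
BARRIERS = [("relief_valve", 0.10), ("ignition_control", 0.30)]


def ft_prob(node, p):
    """Top-event probability under the traditional independence assumption."""
    if isinstance(node, str):
        return p[node]
    kind, children = node
    qs = [ft_prob(child, p) for child in children]
    if kind == "AND":                      # all children must occur
        result = 1.0
        for q in qs:
            result *= q
        return result
    if kind == "OR":                       # at least one child occurs
        none_occur = 1.0
        for q in qs:
            none_occur *= 1.0 - q
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {kind!r}")


def et_outcomes(p_initiating, barriers):
    """Likelihood of each outcome path of the event tree.

    The initiating event (the bow-tie's undesired event) meets each barrier,
    which either holds (S) or fails (F); a path's likelihood is the initiating
    probability times the barrier success/failure probabilities along it.
    """
    outcomes = {}
    for path in product((False, True), repeat=len(barriers)):  # True = fails
        prob = p_initiating
        labels = []
        for (name, p_fail), failed in zip(barriers, path):
            prob *= p_fail if failed else 1.0 - p_fail
            labels.append(f"{name}:{'F' if failed else 'S'}")
        outcomes["/".join(labels)] = prob
    return outcomes


def ft_interval(node, p_lo, p_hi):
    """Bounds on the top-event probability when inputs are only known as
    intervals. With AND/OR gates and independence the top-event probability
    is non-decreasing in every input, so the extremes sit at the two corners
    (an alpha-cut of a fuzzy input is such an interval)."""
    return ft_prob(node, p_lo), ft_prob(node, p_hi)


def importance(node, p):
    """Birnbaum importance: P(top | e occurs) - P(top | e absent), per event."""
    return {e: ft_prob(node, {**p, e: 1.0}) - ft_prob(node, {**p, e: 0.0})
            for e in p}


def ranked_events(node, p):
    """Basic events from most to least contributing."""
    imp = importance(node, p)
    return sorted(imp, key=imp.get, reverse=True)


def total_outcome_prob(node, p, barriers):
    """The outcome paths partition the top event, so their sum equals ft_prob."""
    return sum(et_outcomes(ft_prob(node, p), barriers).values())


if __name__ == "__main__":
    p_top = ft_prob(TOP, P_POINT)
    print(f"P(top) = {p_top:.4f}")
    for path, prob in et_outcomes(p_top, BARRIERS).items():
        print(f"  {path:<40} {prob:.5f}")
    print("interval P(top) =", ft_interval(TOP, P_LO, P_HI))
    print("ranking:", ranked_events(TOP, P_POINT))
```

The interval step only bounds the result; it does not capture the partial dependence between basic events that the paper's dependency coefficient addresses, and the corner evaluation is exact only because the independent AND/OR model is monotone in every input.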

The common objective of any safety assessment and risk analysis technique is to assure that a process or a system is designed and operated to meet an “accepted risk” or “threshold” criterion such as ALARP (Skelton, 1997, Markowski et al., 2009). These techniques follow several systematic steps: hazard analysis, consequence analysis, likelihood assessment and risk estimation (AIChE, 2000). In each step different approaches may be used that collectively guide towards estimating the risk, safety and reliability of a system. FTA and ETA individually assist the risk and safety assessment by providing a qualitative hazard analysis and a detailed quantitative assessment of likelihood (CMPT, 1999). However, uncertainties hinder FTA and ETA in performing meaningful quantitative analyses. Characterization, representation, and propagation of uncertainties are therefore vital for bow-tie analysis, since the credibility of the analysis fundamentally depends on the FTA and ETA.

Uncertainty is inherent and unavoidable in performing risk analysis since it belongs to the physical variability of a system response and also to the lack of knowledge about the system (Markowski et al., 2009). In general taxonomy, the uncertainty due to natural variation or random behavior of a system is named aleatory uncertainty, whereas the uncertainty due to lack of knowledge or incompleteness is termed epistemic uncertainty (Bae et al., 2004). These two types of uncertainty can be introduced from any of the three different sources represented in Fig. 1 (Henley and Kumamoto, 1996, AIChE, 2000, Ferdous, 2006). According to Fig. 1, the sources of uncertainty can be classified as data uncertainty, model uncertainty and quality uncertainty. Quality uncertainty refers to the complete and comprehensive evaluation of hazards, including the identification and description of their relationships in developing the fault and event tree. Recursive effort and the implementation of HAZOP, HAZID, and FMEA can reduce this kind of uncertainty for risk analysis (Skelton, 1997, AIChE, 2000, Crowl and Louvar, 2002). It should be noted that the current paper does not address this type of uncertainty while analyzing the bow-tie method. The main objective of this paper is to develop a generic framework for bow-tie analysis under uncertainties, which includes exploiting appropriate techniques to handle data uncertainty and introducing the interdependence of input events to explore model uncertainty. In addition, a method for sensitivity analysis has been proposed to identify the most important input events and measure the risk for the corresponding events in bow-tie analysis.

Section snippets

Bow-tie analysis

Bow-tie analysis is an integrated probabilistic technique that analyzes accident scenarios in terms of assessing the probability and pathways of occurrences (Duijm, 2009). It is intended to prevent, control and mitigate undesired events through development of a logical relationship between the causes and consequences of an undesired event (Dianous and Fiévez, 2006). The fundamentals of bow-tie analysis are described in the following sub-sections.

Bow-tie analysis under uncertainty

Data and model uncertainty are common and generally unavoidable. In a majority of cases, the likelihoods of input events are often missing or limited, and lead to data uncertainty (Sadiq et al., 2008, Ferdous et al., 2009a, Ferdous et al., 2009b, Ferdous et al., 2010). On the other hand, deficiencies in addressing the interdependence of input events in formulation of the conjunction and intersection operations introduce model uncertainty. Bow-tie analysis combines the operations of FTA and ETA

Explosion at BP Texas city refinery: an illustrative example

On March 23, 2005, a massive explosion and fire erupted in the BP refinery, located 30 miles southwest of Houston in Texas City, Texas. This accident caused fifteen fatalities and injured over 180 people (CSB, 2007, CSB, 2008). BP (2005) and CSB (2007) have published a detailed investigation report of the accident. The fire and explosion occurred in the refinery during restart of the ISOM unit, as shown in Fig. 7, and involved the Raffinate splitter, Blowdown drum and stack as a part of daily

Results and discussion

CSB (2007) investigated a number of causes and consequences for the BP accident at Texas City. In Table 4, some important causes and consequences have been identified as input events for the BP accident bow-tie analysis. The investigation report identified the interdependence relationships of the mechanical component failures and the operator failures as important factors causing the failure of the ISOM unit at BP. Since the likelihoods and the interdependence of most of the input events are

Conclusion

Bow-tie analysis is a relatively new tool for safety assessment and risk analysis of a system. Uncertainties in input data and model adequacy for bow-tie analysis are still a major concern and may mislead the decision-making process. To address the uncertainty as well as mitigate the risk, fuzzy-based and evidence theory-based approaches along with a sensitivity analysis technique were developed for bow-tie analysis. The proposed approaches accommodate the following features that permit

Acknowledgements

The authors gratefully acknowledge the financial support provided by the Natural Sciences and Engineering Research Council of Canada (NSERC), the Research and Development Corporation of Newfoundland and Labrador, and the Atlantic Canada Opportunities Agency (ACOA).

References (64)

  • H. Pan et al., Fault tree analysis with fuzzy gates, Computers Industrial Engineering (1997)
  • D. Singer, A fuzzy approach to fault tree and reliability analysis, Fuzzy Sets and Systems (1990)
  • R. Yager, On the Dempster–Shafer framework and new combination rules, Information Sciences (1987)
  • B. Yang et al., Application of Dempster–Shafer theory in fault diagnosis of induction motors using vibration and current signals, Mechanical Systems and Signal Processing (2006)
  • X. Yang et al., Uncertainty reduction for improved mishap probability prediction: application to level control of distillation unit, Journal of Loss Prevention in the Process Industries (2010)
  • L.A. Zadeh, Fuzzy sets, Information and Control (1965)
  • M. Abrahamsson, Uncertainty in Quantitative Risk Analysis—Characterization and Methods of Treatment, Department of Fire Safety Engineering (2002)
  • American Institute of Chemical Engineers (AIChE), Guidelines for Chemical Process Quantitative Risk Analysis (2000)
  • B. Ayyub et al., Uncertainty Modeling and Analysis in Engineering and the Sciences (2006)
  • BP, 2005. Fatal accident investigation report, final report, Texas City. Retrieved from...
  • Y. Cheng, Uncertainties in Fault Tree Analysis, Tamkang Journal of Science and Engineering (2000)
  • CMPT, A Guide to Quantitative Risk Assessment for Offshore Installation (1999)
  • J.E. Cockshott, Probability bow-ties: a transparent risk management tool, Process Safety and Environmental Protection (2005)
  • S. Contini et al., Sensitivity analysis for system design improvement
  • D.A. Crowl et al., Chemical Process Safety, Fundamentals with Applications (2002)
  • CSB, March 2007. Investigation report: refinery explosion and fire, BP Texas city incident final investigation...
  • CSB, Anatomy of a disaster, Safety Videos 2005–2008 (August 2008)
  • J. Dezert et al., Presentation of DSmT. Chapter 1 in Advances and Applications of DSmT for Information Fusion (Collected Works) (2004)
  • V. Dianous et al., ARAMIS project: a more explicit demonstration of risk control through the use of bow–tie diagrams and the evaluation of safety barrier performance, Journal of Hazardous Materials (2006)
  • EPA, 2001. Risk Assessment Guidance for Superfund, Sensitivity Analysis: How Do We Know What's Important?, Volume 3,...
  • Ferdous, R., 2006. Methodology for Computer Aided Fuzzy Fault Tree Analysis. [MEng Thesis]. Memorial University, St...
  • R. Ferdous et al., Fault and event tree analyses for process systems risk analysis: uncertainty handling formulations, Risk Analysis: An International Journal (2010)