Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213

Contents lists available at ScienceDirect

Process Safety and Environmental Protection

journal homepage: www.elsevier.com/locate/psep

“Bow-tie” model in layer of protection analysis

Adam S. Markowski ∗ , Agata Kotynia

Safety Engineering Department, Faculty of Process and Environmental Engineering, Technical University of Lodz, 90-133 Lodz, ul.
Wolczanska 213, Poland

a b s t r a c t

Layer of protection analysis (LOPA) is a semi-quantitative method that assesses the risk of an accident scenario in
the process industry. The calculation is similar to an event tree principles applied to a single worst case scenario.
However, process risk assessment requires to include all spectrum of possible accidents that subsequently may
exceed the company risk tolerance level. In order to obtain more appropriate and accurate analysis the complete
accident scenario model need to be used. This is the best provided by a “bow-tie” approach being a composition of
fault and event tree. The quantitative application of the “bow-tie” model is proposed in the methodology of LOPA.
Such an approach increases benefits in the risk management process. Further part of this paper focuses on the
application of fuzzy logic system (FLS). It enables to cope with the lack of knowledge of reliability data that describe
probabilities of initiating events (causes) and safety functions. The “bow-tie” model as well as the application of
fuzzy logic may affect the simplicity of traditional LOPA. However, it can be solved by appropriate computer-aided
analyses. The case study of a typical hexane distillation unit illustrates the application of the proposed method.
© 2011 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.

Keywords: Fuzzy logic; Fault and event tree analysis; “Bow-tie” accident scenario model; Layer of protection analysis;
Risk analysis; Process risk assessment

1. Introduction 2. “Bow-tie” accident scenario model in

The aim of this paper is to include an uncertainty aspect in the
layer of protection analysis (LOPA) applied to the risk assess-
ment of a hazardous substance release. It is achieved by the
application of fuzzy logic (FL) to accident scenario risk calcu-
lations which are obtained with the use of the fault and event
tree analysis combined in a “bow-tie” model. All variables are
replaced by the fuzzy sets and the application of fuzzy logic
systems (FLSs) allows us to calculate the fuzzy outcome fre-
quency as well as the fuzzy severity of the consequences for
each path of the “bow-tie” model. Subsequently, using a fuzzy
risk matrix, the fuzzy risk level and its characteristic value
are obtained for the complete accident scenario. The goal of
the analysis is to provide acceptable risk level. Existing and
additional safety measures are considered to reach this goal.
The case study concerning the distillation unit illustrates the
applied method. It also proves that assuming quantitative data
for all variables of the “bow-tie” model, the precise single point
risk estimate can be obtained.
LOPA
In the traditional LOPA, an accident scenario is defined as a
single cause–consequence pair using an event tree approach
(CCPS, 2001). Only one path of the accident scenario which
merely leads to a major hazard is analyzed. For more com-
plex scenarios, LOPA should be used several times, for each
initiating event (IE) separately. Another limitation of LOPA is
the fact that there is no separation of top event or loss event
(TE/LE).
A method that encompasses the complete accident sce-
nario (a loss event scenario) uses a “bow-tie” model. It is
composed of a fault tree (FT) which identifies the causes of the
top event or loss event, usually representing unwanted release
of the substance and an event tree (ET) showing what are the
consequences of such a release. In the “bow-tie” model all con-
nections between initiating events, loss event and outcome
events (OEs) are fully identified.
Fig. 1 presents the idea of the “bow-tie” model.

∗
Corresponding author. Tel.: +48 426313745; fax: +48 426313745.
E-mail address: markows@wipos.p.lodz.pl (A.S. Markowski).
Received 8 November 2010; Received in revised form 21 April 2011; Accepted 28 April 2011
0957-5820/$ – see front matter © 2011 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
doi:10.1016/j.psep.2011.04.005
206 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213

Nomenclature
Risk analysis methods
“Bow-tie” analysis ETA event tree analysis
ET event tree FTA fault tree analysis
FT fault tree HAZOP hazard and operability study
MCS minimum cut set LOPA layer of protection analysis
FIS fuzzy inference system
FL fuzzy logic Safety systems
FLS fuzzy logic system Ads automatic deluge system
Fb fire brigade
Consequences assessment Fea fatalities in the exposed area
E effectiveness
FP flash point Subscripts
Q amount of release i,j,. . .,k number of IE in minimal cut set in FT
TR time of response m number of OE in ET
n number of MCS in FT
Events (E) o number of SFs
ECE external conditioning event p number of ECEs
ICE internal conditioning event
IE initiating event
IPL independent protection layer
LE loss event
OE outcome event
This idea, which is the object of interest in this paper, was
SF safety function
used in the Aramis project (Dianous and Fievez, 2005) and
TE top event
later in our previous work. However, the presented approach
is extended to the complete accident scenario which takes
Frequencies, probabilities
into account all identified initiating events as well as all pos-
FE frequency of failure of “E” event
sible consequences of the analyzed loss event. The simplified
PE probability of failure of “E” event
scheme of this model is shown in Fig. 2.
Hazards Classical LOPA is a risk estimation method which consid-
FF flash fire ers the calculation of the mitigated frequency (F) as a result of
II immediate ignition activation of all independent protection layers (IPLs), whereas
LI late ignition the severity of the consequences (S) of a top event is assessed
PF pool fire in a traditional manner using the look-up tables developed
VCE vapor cloud explosion by LOPA book (CCPS, 2001) that provide the unmitigated cate-
gory of severity based on the substance type and the release
Linguistic terms for fuzzy frequency numbers amount, determined by an expert opinion.
R remote In our approach the evaluation of the frequency of a
U unlikely particular scenario and the severity of the consequences is
VL very low attempted in a different way. It is assumed that the miti-
L low gated frequency is influenced by the prevention and protection
M moderate safety measures (IPL I and IPL II) only, while the severity of
H high the consequences is decreased by safety measures located in
VH very high the mitigation layer (IPL III). It means that the safety systems
EH extremely high located in a multilayer of protection have different functions.
This approach is illustrated in Fig. 3 (Markowski, 2006).
Risk analysis
AS active system
CR community response
F frequency
P probability C
O
R risk
N
S severity of the consequences C S
S0 severity of the consequences without AS and A E
CR U Q
Loss event
S U
SRI severity reduction index E E
S N
Risk categories C
A acceptable E
S
TA tolerable acceptable
TNA tolerable not acceptable Fault tree Event tree
NA not acceptable
Fig. 1 – General idea of “bow-tie” model.
 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213 207

IPL I
IEn IPL III OEm
... TE IPL II ... OE
IE1 OE1

ICE ECE

Fault tree Event tree

Fig. 2 – “Bow-tie” accident scenario model in LOPA.

The mitigated frequency of the top event (FTE ) is calculated ment of the particular accident scenario (Markowski et al.,
on the basis of a minimal cut set equation of the fault tree 2009).
(MCSFT )—Eq. (1).

3. Fuzzy logic as a method of uncertainty

⎛ ⎞ reduction

N 
I 
J

K
FTE = ⎝ (FIE )i , (FIE )j , ..., (FIE )k ⎠ ⊗ PICE (1)
The knowledge of the detailed data of failure rates describing
n=1 i=1 j=1 k=1
n the reliability of safety measures of the multilayer of pro-
tection is required to analyze precisely an accident scenario
which may happen in the installation and its risk of occur-
Afterwards, the outcome frequency (FOE ), is obtained using rence. However, these values in the real situations are kind
MCS equations for the second part of “bow-tie” model—event of estimations, they are uncertain and ambiguous. They may
tree (MCSET ). Eq. (2) presents an appropriate model of the cal- provide an imperfect prediction of future accident scenario
culation. risk level related to unwanted release of a dangerous sub-
stance (Markowski et al., 2009).
That is why, methods which can deal with such an uncer-

o

P

M tainty are needed. One of them is the application of fuzzy logic
FOEm = FTE ⊗ · (PSF )o ⊗ (PECE )p FOE = (FOE )m (2) (FL). The main advantage of such a method is the use of quali-
o=1 p=1 m=1 tative human knowledge and mapping it into the quantitative
and much more precise values. FL identifies not only true or
false but the entire range of values in between as well.
The calculation of the mitigated severity of the conse- The direct application of fuzzy logic into LOPA, called
quences (S) is shown in Section 4. fLOPA, was provided by Markowski (2006) whereas other infor-
Both components, that is the outcome frequency and mation on the fuzzy logic application to different safety issues
the severity of the consequences are used for risk assess- are given by: Bowles and Pelaez (1995), Markowski and Mannan

PREVENTION PROTECTION MITIGATION

OUTCOME
LAYER LAYER LAYER
EVENT
IPL I IPL II IPL III

PFD PFD PFD

FIE F
Traditional
SCENARIO
ACCIDENT

method
RISK
S MATRIX

PFD PFD PFD / SRI

FIE F
Proposed
SCENARIO
ACCIDENT

method Legend
RISK
S0 S MATRIX
F
S = S0 - SRI
S

Fig. 3 – Functions of multilayer of protection in LOPA.

208 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213

Fault tree

Fuzzy TE
frequency
fFTA
IEn
Fuzzy numbers scale ...
Part 1 for frequency IPL I Calculations fFTE
IE1 according to
MCSFT
Choice of linguistic term
for identified IEs and IPL I ICE

Output fuzzy
frequencies

Event tree
fFOEn
Fuzzy TE Fuzzy frequency
frequency result
fETA
IPL III OEn
Part 2 ... II
IPL ... ... fFOE
fFTE Calculations
according to OE1
MCSET

Fuzzy numbers scale ECE fFOE1

for frequency

Choice of linguistic terms

for IPL II and IPL III

Fig. 4 – Methodology of fuzzy frequency of accident scenario assessment.

(2009), Markowski et al. (2010), Pokorádi (2010) and Singer
(1990).
4. Fuzzy “bow-tie” LOPA
4.1. “Bow-tie” frequency
The complete accident scenario described in detail with the
use of the “bow-tie” model is applied to LOPA. The methodol-
ogy of FL application to the “bow-tie” accident scenario model
is presented in Fig. 4.
To calculate a fuzzy frequency of each OE according to Eqs.
(1) and (2) the normalized fuzzy numbers scale is applied as is
shown in Fig. 5.
The proposed fuzzy “bow-tie” LOPA method can be divided
into two parts. The first one is based on the fault tree analysis
and leads to the top event or loss event and the second one,
based on the event tree analysis, leads to the outcome event.
Firstly, an expert selects the fuzzy number for each variable
which represents IEs and safety functions (SFs) in I IPL. The
probability of internal conditioning event (ICE) is given by a
traditional variable. Then, according to MCSFT , with the use
of fuzzy arithmetic operations (addition and multiplication),
fuzzy frequency of TE is calculated.
Subsequently, this value (FTE ) is used in the second part
of the method. Similarly, fuzzy numbers for variables which
represents SFs in II and III IPL are chosen by expert, based on
data provided by traditional LOPA. The probability of external
conditioning event (ECE) is given by a traditional variable. OEs
frequencies are calculated according to MCSET , with the use
of fuzzy arithmetic operations (multiplication).
The outcome events’ frequencies of each path of ET are
defuzzified developing crisp values.
All OEs’ frequencies are added together and the combined
mitigated frequency FOE for all paths representing loss event
scenario is obtained (CCPS, 2001).
4.2. Severity of the consequences
The severity of the consequences is calculated based on LOPA
book look-up tables (CCPS, 2001). They provide the category of

Remote Unilkely Very low Low Moderate Fairly high High Very high Extremely
(R) (U) (VL) (L) (M) (FH) (H) (VH) high (EH)
Degree of membership

0.5

0 -7
10 10-6 10-5 10
-4
10
-3
10
-2
10
-1
10
0
10
1

Fig. 5 – Normalized fuzzy numbers scale.

 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213 209

Fig. 6 – Fuzzy surface for flammable substance.

Fig. 7 – Fuzzy risk surface.
severity using the potential release amount and the type of
hazardous substance. These data are applied to the severity
III). It denotes the so called “severity reduction index” (SRI),
fuzzy inference system (S-FIS) as is proposed by Markowski
which is based on fuzzy “if-then” rules depending on the effec-
(2006). The original look-up tables develop “if-then” rules
tiveness and the time of response of the active systems (AS)
used to obtain severity of the consequences. This approach
and the community response (CR) (Markowski, 2006). The SRI
is shown in Fig. 6.
reduces the severity of the consequences as is indicated by Eq.
According to Fig. 3 the category of the severity of the conse-
(3).
quences is mitigated by the activation of mitigation layer (IPL

S = S0 − SRI SRI = MAX(SRIAS , SRICR ) (3)

Table 1 – Safety and protection systems.
Safety layer
Layer I—prevention systems
Layer II—protection systems
Layer III—mitigation systems
Measure
Good engineering practice (GEP)
Basic Process Control Systems
(BPCS) with indication and alarm
in central room: BPCSPAH , BPCSTAH ,
BPCSTAL , BPCSLAL , BPCSFAL , BPCSTI ,
BPCSPI
Safety instrumented systems (SIS):
SIST (TT, TIC, TCV), SISL (LT, LCR,
LCV), SISF (FT, FIC, FCV) PSV, RD
Automatic deluge system (Ads)
Fire brigade (Fb)
where S0 —severity of the consequences without AS and CR.
Similarly to the FOE calculations, the S for each OE is deter-
mined. For the outcome mitigated severity value, needed for
LOPA risk estimation, the highest value of S is chosen (CCPS,
2001).
4.3. Risk assessment
The fuzzy risk matrix is used for risk estimation and assess-
ment of the risk level (Markowski and Mannan, 2008). Fig. 7
shows the surface of fuzzy risk matrix.

PAH SET 10 PAH

FROM QUENCH 09 BARG 09
COLUMN PSV-02 PSV-03
LCV-02
RD-11 RD-12
FO SET 14
BARG

Legend PSV PSV

-05 -06
FAL – Flow Alarm Low E-02
PI
FIC – Flow Indicating Controller 08

FO – Fail Open OVERHEAD

CONDENSER
FT – Flow Transmitter TI E-03 / E-04
LAL – Level Alarm Low 02
PAH
LCV – Level Controlling Valve 10
TI
LRC – Level Recording Controll er PSV-04
03 FCV-02
TAH
LT – Level Transmitter RD-13 SET
01 10 BARG
PAH – Pressure Alarm High TAL TT FIC
ACUMULATOR
PI – Pressure Indicator 01 01 02 V-01
TIC SISF PI
PSV – Pressure Safety Valve C-01
01 SIST 04
FAL FT
RD – Rupture Di sk 02 02
TAH – Temperature Alarm High PI
P-04
03
TCV – Temperature Controlling Valve REFLUX
SET PUMPS
TIC – Temperature Indicating 17 BARG
Controller 3,45 BARG STEAM P-03
PSV-01
TI – Temperature Indicator LT LRC
TCV-01 05 05
TI
TT – Temperature Transmitter
04 LAL PI
V – Valve CONDENSATE SISL 05
E-01 07

V1 PI LCV-06
TO HEXANE
06 COLUMN
FEED P-07 FO
PUMPS

P-06

Fig. 8 – Hexane distillation installation.

210 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213

Conditioning Safety
Initiating event (IE) Intermediate event (IE) Top event (TE) enCE Outcome event (OE)
event (CE) function (SF)

deluge system

exposed area
Late ignition

Fire brigade

Fatalities in
Immediate

Automatic
ignition
A Failure of
PI-08
Failure of over-
pressure protect.
B Failure of
PSV-02
Fire extinguished
(OE1)
YES
C Loss of water
Condenser Loss of
G
rupture cooling Fire extinguished
Condenser Process upset YES (OE1)
YES
failure failure
NO
H Fouling
Pool fire and
fatalities (OE2)
YES
NO
D Failure of
TT-01 NO

hexane release
Pool fire (OE2b)

Catastrophic
E Failure of Overheating Overpressure
TCV-01
Failure of Spill /
I
TIC-01 dispersion (OE3)
Failure of YES
control systems
Failure of
J M Corrosion VCE / FF and
TAH-01 YES
fatalities (OE4)
YES
NO
Failure of Mechanical
F N Material defect NO Vapour cloud
LCV-02 failure NO
Failure of explosion /
K Overfilling flash fire (OE4b)
check valve V1
Outflow
O Human error
blockage
Failure of NO Spill /
L dispersion (OE3)
pump P-06

Fig. 9 – “Bow-tie” accident scenario model.

As an output of fuzzy risk matrix, fuzzy risk set and its vapour cloud explosion (VCE) or flash fire (FF) when late igni-
defuzzified crisp value are obtained for the combined outcome tion (LI) takes place.
frequency (FOE ) and the highest severity of the consequences The minimal cut sets equations of TE and OEs obtained
(S). These are the results of the analysis. from the “bow-tie” model are as follows.

MCSTE = ABC + ABG + ABH + ABD + ABE + ABIJ
5. Case study of the accident scenario in a
distillation unit + ABFK + ABFL + M + N + O (4)

A hexane distillation unit was chosen for a better description 

of the above mentioned method. In Fig. 8 the hexane distilla- MCSOE2 = TE · II · Ads · Fb · enCE (5)
tion installation is presented.
Table 1 gives safety and protection systems of the instal- 
MCSOE4 = TE · II · LI · Ads · enCE (6)
lation divided into 3 safety layers: prevention, protection and
mitigation.
5.2. Frequency calculation with the use of fuzzy logic
concept
5.1. Identification of the representative “bow-tie”
accident scenario The assumptions connected with the calculations of fuzzy
sets according to the MCS Eqs. (4)–(6) are presented in
The distillation unit was reviewed in HAZOP where possi- Tables 2 and 3. The frequency/probability numbers are
ble accident scenarios were identified. For simplification one obtained based on look-up tables developed by LOPA book
representative loss event scenario, named the catastrophic (CCPS, 2001) and experts’ knowledge and experience. They are
hexane release, is taken into account. The loss event scenario presented in a form of fuzzy sets chosen from normalized
is further analyzed with the use of the “bow-tie” model which fuzzy numbers scale (Fig. 5) for IEs and in a form of tradi-
is shown in Fig. 9. tional variables for CEs. Calculations of fuzzy sets follow the
As can be seen, there are two OEs in which fatalities can fuzzy algebra principles (Dubois and Prade, 1980). The appli-
occur: pool fire (PF) in case of immediate ignition (II) and cation of the MSC equations into LOPA makes it possible to

A TA TNA NA
Degree of membership

1
Risk levels:
0.83 A - acceptable
TA- tolerable acceptable
0.5 TNA - tolerable not acceptable
NA - not accpetable
0.17
0
0 1 2 3 3,17 4 5
safety goal

Fig. 10 – Crisp risk value membership to fuzzy risk sets.

 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213 211

Human
Table 3 – Standard probability numbers for CEs.

error

10−2
Symbol Conditioning event (CE) Probability

FH
F
value

II Immediate ignition 0.1

Material
N

defect
LI Late ignition 0.5

10−2
FH
Enabling CE Staff in affected area 0.5

F
Fatalities 0.5

Corrosion
M

10−2
analyze all identified accident scenario paths and to estimate

FH
F their frequencies.
The frequencies of outcome events and the combined fre-
Failure of

quency calculations results are presented in Table 4. The cases

L

P-06

10−1
in which there are no losses are not taken into consideration.
H
P

The combined frequency is calculated for the paths where

fatalities occur. The mapping of a fuzzy number into a crisp
Failure of

number (nonfuzzy) is performed with the use of a centroid

K

10−1

method in the defuzzification process (Yen and Langari, 1999).

V1

H
P
Failure of

5.3. Severity of the consequences calculations with the

TAH-01
J

use of the fuzzy logic concept

10−1
H
P

In the mitigation layer for the catastrophic hexane column

Failure of

release there are two independent safety measures, the first

TIC-01
I

to protect against widespread releases from the plant – auto-

10−2
FH

matic deluge system (Ads), which is an active system, and

P

the second to react and provide relief for a rescue action – fire
Symbol

brigade (Fb), which is a community response. Both of them (AS

Fouling
H

and CR) have an impact on the severity of the consequences of

10−3
M

OE2 (pool fire), while AS has an influence on the consequences

P

of OE4. The results of the mitigated severity of consequences

Condenser

calculations are shown in Table 5.

rupture
G

10−2
FH
P

5.4. Risk index calculation with the use of fuzzy logic

concept
Failure of
LCV-02
F

10−1

The final LOPA risk calculations’ result is shown in Table 6.

H
P

A defuzzified crisp value (3.17) belongs to two risk sets—TNA

(tolerable not acceptable) and NA (not acceptable) as is shown
Failure of
TCV-01

in Fig. 10. It gives information that the additional safety mea-

E

10−1

sures are required to make the analyzed installation safe. The

H
P

safety goal requires no more than 50% of TA (tolerable accept-

able) and TNA.
Failure of
D

TT-01
Table 2 – Fuzzy frequency/probability numbers for IEs.

10−2
FH

5.5. An effect of the additional safety measures

P

application
Loss of
C

water

The safety goal can be achieved in two ways. One way to

10−1

increase the safety of the installation is to increase the reliabil-

H
P

ity of the systems which have a crucial effect on the frequency

Failure of

of TE and finally on the risk level. As indicates the impor-

PSV-02
B

tance of reliability measure of Fussell and Vesely (1972) applied

10−2
FH

to a fault tree, these are the components A—failure of PI,

P

and B—failure of PSV (Fig. 9). Their failure rates need to be

Failure of

increased by one order in the relation to previous values, A to

A

PI-08

FH (fairly high) fuzzy number and B to M (moderate) fuzzy

10−1
H

number—Case 1. The other possibility to obtain the safety

F

goal is to add the ignition control measures which reduce the

Fuzzy ling. term

immediate ignition (II) probability to 0.05 and the late ignition

Mean value

(LI) probability to 0.1—Case 2. In a Case 3, both possibilities are

F [1/y]/P

considered.
Table 7 gives the results with the applied additional safety
IE

measures being proposed.

212 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213

Table 4 – Results of frequency calculations.

Symbol Event Fuzzy set Crisp value Comment

Left boundary value Mean value Right boundary value

TE Hexane release 0.0030 0.030 0.73 0.18

OE1 Fire extinguished 6.00E−06 6.05E−04 0.15 0.024 No losses
OE2 Pool fire and fatalities 7.50E−08 7.56E−06 0.0018 2.96E−04 Fatalities
OE2b Pool fire 6.75E−07 6.80E−05 0.016 0.0027 No losses
OE3 Spill/dispersion 1.35E−06 0.0014 3.29 0.40 No losses
OE4 VCE/FF and fatalities 3.34E−09 3.40E−06 0.0082 0.0010 Fatalities
OE4b VCE/FF 3.04E−08 3.06E−05 0.074 0.0091 No losses
OE Combined consequences 7.84E−08 1.10E−05 0.010 0.0013 Fatalities

Table 5 – Results of severity of consequences calculations.

Symbol Flammable hexane S0 Automatic deluge system (Ads)—AS Fire brigade (Fb)—CR SRI (max) S = S0 − SRImax

FP [◦ C] Q [ton] E [%] TR [min] SRIAS E [%] TR [min] SRICR

OE2 −22 >100 4.65 70 1 1.30 60 2 0.81 1.30 3.35

OE4 70 1 1.30 – – – 1.30 3.35

Table 6 – Risk index calculations results.

Symbol Event Crisp frequency, F Crisp severity, S Crisp risk, R Membership to risk set

OE Combined consequences 0.0013 3.35 3.17 TNA—83%, NA—17%

Table 7 – Results of the reduced risk index calculations.

Case no. Symbol of New linguistic Crisp Crisp severity, S Crisp risk, R Membership to
IE/ECE term/probability frequency, F risk set

1 A, B A = FH 7.09E−04 3.35 2.79 TA—20%,

B=M TNA—80%
2 II, LI II = 0.05 2.49E−04 3.35 2.41 TA—60%,
LI = 0.1 TNA—40%
3 A, B, II, LI A = FH, B = M 1.39E−04 3.35 2.34 TA—66%,
II = 0.05, LI = 0.1 TNA—34%

As can be seen, the satisfactory effect is obtained for the
Cases 2 and 3. In both of them the additional ignition con-
trol measures are applied. Further reduction of the risk index
requires more research to obtain an acceptable risk level (A-
TA).
6. Conclusions
Among different qualitative models used for the presentation
of accident scenario, the “bow-tie” approach is considered to
be the best pictorial display of the relations between the vari-
ous hazards (causes), enabling events, safety systems and the
consequences. This model can introduce entire set of path
events which can be used for all possible accident scenarios.
This is a basis for the identification of the safety systems and
tasks which control the worst case accident scenario as well
as other contributing scenarios. Such an approach increases
benefits in the risk management process.
A quantitative application of the “bow-tie” model carries
obvious weaknesses which are met in the quantitative fault
and event tree analysis. In majority, it concerns the input reli-
ability data that may not be available or may be imprecise and
vague.
The lack of knowledge and the encountered uncertainties
may be successfully improved by the fuzzy logic application. It
enables the usage of uncertain, qualitative input data provided
by expert to convert them into specific, precisely determined
outputs.
The presented case study proves that calculations with the
use of fuzzy logic provides more realistic value of risk index
and offers an advantage with respect to the traditional single
point estimate. Besides, fuzzy logic may be quite successful
in precise determination of additional safety measures which
are essential to achieve the safety goal.
The proposed hybrid approach (“bow-tie” model, fuzzy
logic and LOPA) enhances management of the protection lay-
ers, however, it requires the application of computer-aided
analyses which may be in conflict with a simplicity of LOPA.
References
Bowles, J.B., Pelaez, C.E., 1995. Application of fuzzy logic to
reliability engineering. Proc. IEEE 80 (3), 435–449.
CCPS, 2001. Layer of Protection Analysis: Simplified Process Risk
Assessment. AIChE.
Dianous, V., Fievez, C., 2005. ARAMIS project: A more explicit
demonstration of risk control through the use of bow–tie
diagrams and the evaluation of safety barrier performance. J.
Hazard. Mater. 130, 220–233.
Dubois, D., Prade, H., 1980. Fuzzy Sets and Systems—Theory and
Applications. Academic Press.
Fussell, J.B., Vesely, W.E., 1972. A new methodology for obtaining
cut sets for fault trees. Trans. Am. Nucl. Soc. 15 (1), 262–263.
 Process Safety and Environmental Protection 8 9 ( 2 0 1 1 ) 205–213
Markowski, A.S., 2006. Layer of Protection Analysis for the
Process Industry. Polish Academy of Science (PAN), Branch
Lodz, ISBN: 483-86-492-36-8.
Markowski, A.S., Mannan, M.S., 2008. Fuzzy risk matrix. J. Hazard.
Mater. 159, 152–157.
Markowski, A.S., Mannan, M.S., 2009. Fuzzy logic for piping risk
assessment (pfLOPA). J. Loss Prev. Proc. Ind. 22, 921–927.
Markowski, A.S., Mannan, M.S., Bigoszewska, A., 2009. Fuzzy logic
for process safety analysis. J. Loss Prev. Proc. Ind. 22, 695–702.
213
Markowski, A.S., Mannan, M.S., Kotynia (Bigoszewska), A., Siuta,
D., 2010. Uncertainty aspects in process hazard analysis. J.
Loss Prev. Proc. Ind. 23, 446–454.
Pokorádi, L., 2010. Application of fuzzy set theory for risk
assessment. J. KONBiN 2–3 (14/5), 1895–8281.
Singer, D., 1990. A fuzzy set approach to fault tree and reliability
analysis. Fuzzy Sets Syst. 34, 145–155.
Yen, J., Langari, R., 1999. Fuzzy Logic, Intelligence Control and
Information. Prentice Hall PTR, Upper Saddle River, NJ.