Bow-Tie Diagrams in Oil and Gas Process Safety: Threat-Barrier-Consequence Structure, Well Integrity Applications, and WCSB Operational Risk Management
A bow-tie diagram is a process safety risk visualization tool that maps the causal pathways and consequence escalation pathways of a single top event: an unwanted loss-of-containment, loss-of-control, or safety-critical equipment failure. Threats and their prevention barriers are displayed on the left side of the diagram and consequences with their recovery barriers on the right side, with the top event occupying the central node where the two sides connect in a shape that resembles the two lobes of a bow tie. The result is a structured, simultaneously visual and quantitative framework for understanding how multiple independent failure modes can lead to the same safety-critical outcome and how multiple layers of protection either prevent the event or limit its consequences. The bow-tie methodology in the oil and gas industry originates from Shell's process safety management approach developed in the 1990s, formalized in IEC 61511 (Functional Safety for Process Industry), and adopted by CAPP (Canadian Association of Petroleum Producers) in its Well Integrity Management Standard (CAPP 2014-0013) and by NOPSEMA (Australia's offshore regulator) as the required format for barrier verification in safety case submissions. That adoption reflects the industry-wide recognition, after high-profile incidents including the 1988 Piper Alpha disaster and the 2010 Macondo blowout, that the failure to maintain independent barriers was the common root cause of catastrophic well control events.
The bow-tie has a defined vocabulary and structure:
- A threat is a specific failure mode that can initiate the sequence leading to the top event (e.g., casing corrosion from H2S, tubing packer failure from thermal cycling, wellhead seal degradation from pressure cycling).
- A prevention barrier is a specific control that interrupts the causal chain between a threat and the top event (e.g., H2S-resistant casing material specification, corrosion inhibitor injection program, annular pressure monitoring with automatic shut-in).
- The top event is the specific undesired safety-critical event whose occurrence is being managed (e.g., uncontrolled H2S release from tubing-casing annulus, loss of primary well containment, wellhead component failure during workover).
- A consequence is the outcome that results from the top event (e.g., personnel H2S exposure, environmental contamination of groundwater, reportable incident under AER Directive 056).
- A recovery barrier or mitigation barrier interrupts the escalation from top event to worst-case consequence (e.g., H2S detection system and alarm, SCBA deployment procedure, emergency shutdown valve closure).
Critically, barriers in a bow-tie must be specific, documented controls with an identified responsible party, an inspection/testing frequency, and a known failure mode. The difference between a robust barrier ("automated H2S monitor with 10 ppm alarm, tested monthly by designated operator, failure mode: sensor fouling identified by zero-gas calibration check") and an inadequate barrier ("personnel awareness of H2S risk") is the defining distinction that separates bow-tie analysis from informal hazard listing.
The bow-tie is linked analytically to quantitative risk assessment: by assigning a probability of failure on demand (PFD) to each barrier and multiplying across the barrier chain, the residual frequency of the top event reaching each consequence can be computed, enabling Layer of Protection Analysis (LOPA) to verify whether the combined barrier system meets the risk tolerance criteria (typically a maximum individual risk of 1×10^-5 fatalities per year in WCSB H2S well operations under AER Emergency Planning Zone calculations).
Key Takeaways
- How bow-tie integrates fault tree and event tree analysis in a single visualization: A fault tree analysis (FTA) maps all causes of an event — starting at the top event and working backward through AND/OR logic gates to identify initiating causes at the bottom of the tree. An event tree analysis (ETA) starts at an initiating event and traces forward through branch points to consequences, with each branch representing a barrier success or failure. The bow-tie combines both: the left (threat) side is conceptually a simplified fault tree showing how threats lead to the top event through prevention barrier failures, and the right (consequence) side is a simplified event tree showing how the top event escalates to consequences through recovery barrier successes or failures. This integration in a single visual is the key advantage of the bow-tie over stand-alone FTA or ETA: operations personnel — toolpushers, company representatives, and drilling supervisors — can read and understand the bow-tie without formal risk analysis training, enabling barrier ownership and verification to be managed operationally rather than exclusively by safety engineers.
- Barrier vs degradation factor: the distinction that separates effective from ineffective bow-ties: A barrier in a bow-tie must be capable of independently preventing the top event or consequence without relying on any other barrier to be functional. A degradation factor is a condition that reduces the reliability of a barrier without eliminating it entirely. For example, an H2S surface detector is a barrier; corrosion of the sensor sampling line is a degradation factor. A paperwork procedure ("operator must check annular pressure daily") is NOT a barrier unless it is backed by a mechanical or electronic system that enforces the check and records the result — paper procedures without verification are degradation factors masquerading as barriers. Identifying and managing degradation factors is the maintenance side of the bow-tie: each barrier has an associated degradation factor register, inspection schedule, and remediation protocol, and the barrier is classified as "intact" or "degraded" in real-time operational monitoring. WCSB operators with AER-approved bow-tie-based well integrity management systems audit barrier status at least monthly, with any degraded barrier triggering a formal compensatory measure (e.g., increased monitoring frequency, restricted production rate, or well shut-in) until the barrier is restored.
- Well control bow-tie for a WCSB sour gas well: example top event and barrier layers: For a WCSB Devonian H2S-bearing horizontal well with known H2S content of 4% mol fraction, the top event "uncontrolled H2S release to atmosphere during workover operations" would have threats including: tubing failure during workover (prevention barrier: tubing corrosion inspection with minimum wall thickness cutoff, premium H2S-resistant tubing connection); unexpected well pressurization during workover (prevention barrier: blind rams closed, pump-in lines isolated, BOP function test within 14 days); human error (prevention barrier: approved workover program signed by company representative, toolpusher safety briefing completed). Recovery barriers for escalation mitigation include: H2S detection system with 10 ppm alarm trigger; SCBA inventory confirmed and personnel trained; downwind evacuation route confirmed; Emergency Response Plan notified. Each prevention barrier has a PFD of 0.01-0.05 (one failure per 20-100 demands); the probability of all three prevention barriers failing simultaneously is 10^-5 to 10^-6 per workover — meeting AER's fatality risk tolerance criteria only when all three barriers are intact and not degraded.
- Bow-tie for process safety in WCSB facility operations: separator overpressure example: At a WCSB oil battery processing H2S-bearing Devonian crude, the top event "separator vessel overpressure leading to rupture" would have threats including: gas blowby from slug flow (prevention barrier: automatic shutdown on high separator level with level sensor test monthly); control valve failure open (prevention barrier: independent high-pressure switch with set point 10% below MAWP, tested quarterly); relief valve plugging with wax or paraffin (prevention barrier: quarterly relief valve test and inspection). Recovery barriers include: hard-piped atmospheric vent with rain cap (terminates safely upwind of personnel); automated ESD system de-energizes the separator inlet if PSH activates; emergency blowdown to flare. The bow-tie makes visible that three independent prevention barriers protect against overpressure, and that the recovery barriers assume the AER-approved emergency muster point is upwind — a geometric assumption that must be reverified if the prevailing wind direction changes or new facilities are built nearby that alter the safe evacuation zone.
- Integration of bow-tie with WCSB regulatory compliance: AER Directive 056 H2S Emergency Response Planning: AER Directive 056 requires H2S Emergency Response Plans (ERPs) for all wells in Alberta with estimated H2S concentrations above defined thresholds. The bow-tie diagram is increasingly used to satisfy the requirement for "barrier documentation" in the ERP submission, demonstrating to the AER what specific controls prevent H2S releases and what mitigation measures limit consequences if a release occurs. The AER reviews bow-tie diagrams as part of the Directive 056 ERP approval process and may require additional barriers if the documented barrier set does not provide sufficient protection depth. WCSB operators who develop well-specific bow-tie diagrams that are updated when the well configuration changes (tubing replacement, pump change, workover) maintain a living safety record that also serves as the basis for pre-job hazard assessments (ToolBox talks) that regulatory inspectors use to verify compliance at the wellsite during field audits.
Bow-Tie Analysis for WCSB H2S Casing Leak During Production
A Devonian Nisku carbonate well in southern Alberta producing 4% H2S has a well integrity bow-tie with top event "casing-tubing annulus H2S leak to surface." Threats (left side): external casing corrosion at groundwater zone (prevention barriers: cemented surface casing to 150 m depth, cement bond log confirmed, AER Directive 009 compliant — intact); tubing thread failure from H2S stress corrosion cracking (prevention barriers: L-80 chrome H2S-resistant tubing per NACE MR0175, tubing inspection at 3-year workover cycle — intact but due for inspection in 4 months); thermal cycle fatigue on tubing anchor (prevention barrier: packer latching confirmed in last tubing inspection — intact). Recovery barriers (right side): automated surface casing vent (SCV) pressure monitor with 50 kPa alarm (degraded: sensor housing shows moisture ingress, maintenance order raised, compensatory measure: daily manual check implemented); SCBA available at wellsite for operators responding to alarm (intact); ERP Initial Isolation Zone 300 m based on Directive 056 dispersion calculation (intact; EPZ map current). Bow-tie audit outcome: SCV monitor degradation classified as Level 2 (compensated, no immediate well shut-in required), daily manual monitoring log opened, maintenance scheduled within 14 days. The bow-tie document was updated and counter-signed by the company representative and an AER-licensed well integrity engineer. No production interruption was required under the compensatory measure protocol.
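The PFD multiplication described earlier on this page, applied to the barrier names of this casing-leak bow-tie, as an added example that is not part of the original page. All initiating frequencies and PFD values are constructed sample numbers. The assumptions are that barriers are independent, that a degraded barrier earns no credit (PFD 1.0) unless a compensated value is supplied, and that consequence frequency is compared directly against the 1×10^-5 per year figure quoted above.

```python
from dataclasses import dataclass
from math import prod

TOLERANCE = 1e-5  # per year, the risk criterion quoted on this page


@dataclass
class Barrier:
    name: str
    pfd: float                 # probability of failure on demand when intact
    status: str = "intact"     # "intact" or "degraded"
    degraded_pfd: float = 1.0  # assumption: no credit while degraded

    def effective_pfd(self) -> float:
        return self.pfd if self.status == "intact" else self.degraded_pfd


def chain(frequency, barriers):
    """Frequency that gets past every barrier in a chain of independent barriers."""
    return frequency * prod(b.effective_pfd() for b in barriers)


def evaluate(threats, recovery):
    """threats: list of (name, initiating frequency per year, prevention barriers)."""
    # Left side: each threat is reduced by its own barriers, then the paths are summed.
    top_event = sum(chain(freq, barriers) for _, freq, barriers in threats)
    # Right side: the top event frequency is reduced by the recovery barriers.
    consequence = chain(top_event, recovery)
    return top_event, consequence, consequence <= TOLERANCE


def casing_leak_bowtie(scv_status="intact"):
    # Barrier names follow the page; every number below is a constructed sample value.
    threats = [
        ("external casing corrosion", 0.1,
         [Barrier("cemented surface casing", 0.01)]),
        ("tubing thread SCC", 0.1,
         [Barrier("H2S-resistant tubing", 0.01), Barrier("tubing inspection", 0.05)]),
        ("thermal fatigue on tubing anchor", 0.05,
         [Barrier("packer latching confirmed", 0.05)]),
    ]
    recovery = [Barrier("SCV pressure monitor", 0.01, scv_status),
                Barrier("SCBA at wellsite", 0.05)]
    return evaluate(threats, recovery)


if __name__ == "__main__":
    for status in ("intact", "degraded"):
        top, cons, ok = casing_leak_bowtie(status)
        print(f"SCV monitor {status}: top event {top:.2e}/yr, "
              f"consequence {cons:.2e}/yr, within tolerance: {ok}")
```

With these sample numbers, losing credit for the single degraded recovery barrier moves the consequence frequency from inside to outside the tolerance, which is the situation a compensatory measure is meant to cover.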
Fast Facts
The bow-tie risk diagram owes its modern petroleum industry adoption to Shell's "Hearts and Minds" safety culture program developed in the early 2000s, which used the bow-tie visual to communicate barrier thinking to frontline workers without formal risk assessment training. Shell's methodology was subsequently published as International Association of Oil and Gas Producers (IOGP) Report 544 (Bow-Ties in Risk Management, 2016), establishing the industry-standard definitions for threat, barrier, degradation factor, and top event now used consistently across Canadian and international oil and gas safety management systems. IOGP 544 is the authoritative reference for WCSB operators implementing bow-tie analysis in compliance with CAPP and AER safety management expectations.
Related Terms
Well integrity management standards that use bow-tie barrier analysis as a primary documentation and verification tool — including AER Directive 020 requirements for barrier confirmation before abandonment and the CAPP Well Integrity Management Standard for producing wells — are described in the context of annular pressure monitoring and barrier testing under well integrity, where the regulatory requirements for surface casing vent flows, annular pressure surveillance, and barrier degradation reporting under AER directives are covered. H2S emergency response planning relying on bow-tie barrier documentation to demonstrate adequate protection depth to the AER under Directive 056 — including initial isolation zone calculation, evacuation route planning, and personnel H2S monitoring for WCSB sour well operations — is described under hydrogen sulfide. Quantitative Layer of Protection Analysis (LOPA) using bow-tie barrier probability of failure on demand (PFD) values to verify that the combined barrier system meets AER tolerable individual risk criteria is described under process safety.