Safety

Use the Bow Tie Diagram

to Help Reduce
Process Safety Risks
Bruce K. Vaughen, P.E. Bow tie diagrams are useful for visualizing
Baker Engineering and
Risk Consultants process safety risks and safeguards. Although
typically used after an incident has occurred,
Kenneth Bloch
Consultant bow tie diagrams can also be employed during a
process hazard analysis.

B
ow tie diagrams visually depict the safeguards
or barriers put in place to prevent and mitigate a
loss-of-containment (LOC) incident. Although bow
tie diagrams are typically constructed after an incident
has occurred (1), they can also be useful during a process Design 1

hazard analysis (PHA) to identify deficiencies in a process

safety program and help to prevent the occurrence of an Manage
incident. Instead of simply showing what went wrong, bow 2
tie diagrams can be used proactively to keep things from Process Safety Systems
going wrong.
3
This article introduces the bow tie method and explains Basic Process Control Systems
how bow tie diagrams can assist in preventing incidents
and developing corrective actions needed to effectively Instrumentation and Alarms
4

mitigate any incidents that do occur. The article also illus-

trates how bow tie diagrams might have been used during a 5
Safety Instrumented Systems
PHA of the Bhopal facility — the site of the world’s worst
industrial disaster. 6
Active Engineering Controls

Process safety hazards and risks 7

Passive Engineering Controls
AIChE’s Center for Chemical Process Safety (CCPS)
defines process safety as: “A disciplined framework for 8
Emergency Response
managing the integrity of operating systems and processes
handling hazardous substances by applying good design
p Figure 1. A hierarchy of protection layers can be used in a process
principles, engineering, and operating practices. It deals
hazard analysis to determine the adequacy of the existing safeguards. This
with the prevention and control of incidents that have the approach identifies design as the first and most crucial barrier. Source:
potential to release hazardous materials or energy. Such Adapted from (3).

30  www.aiche.org/cep  December 2016  CEP Copyright © 2016 American Institute of Chemical Engineers (AIChE)
incidents can cause toxic effects, fire, or explosion, and
could ultimately result in serious injuries, property damage,
lost production, and environmental impact” (2).
Process safety hazards encountered in industry involve
materials with toxic, flammable, explosive, and reactive
properties. Losing control or containment of these hazard-
ous materials can cause a toxic release, fire, explosion, or
runaway reaction. Loss-of-containment release scenarios
have the potential for injuries, fatalities, environmental
harm, property damage, and business interruption.
The risk posed by such process safety hazards is tradi-
tionally thought of as a function of the product of a scenar-
io’s frequency (F) and consequence (C). Practical experi-
ence demonstrates, however, that risk is also
influenced by the example set by leadership, the
reliability of available process safety systems,
and an organization’s operational discipline
(OD) (3). Thus, a more accurate description of
risk incorporates OD into the equation, whereby
risk is inversely proportional to OD (4–6):
tal harm, property damage, and business interruption.
Various engineering and administrative controls can be
used to manage process safety risks. These are referred to as
individual barriers, and they are shown as rectangles on the bow
tie diagram (Figure 3). Preventive barriers (Figure 3, green rect-
angles) help reduce the likelihood of the event, while mitigative
barriers (Figure 3, blue rectangles) help reduce the severity of
the consequences if the incident does occur.
Systemic barriers can also be represented on a bow
tie diagram (Figure 4, next page). These are the process
safety systems designed to manage the individual barriers.
For example, a computerized maintenance management
system (CMMS) is a systemic barrier that controls several

Risk = f [(F × C)/OD] (1)

As operational discipline improves, risk Loss of Containment

decreases, and vice versa.

As shown in Eq. 1, risk can be reduced by Consequences
Threats
reducing the frequency and consequences of a
hazardous scenario — via safeguards, which Threats Hazardous Events Consequences
include inherently safer designs, process safety Toxicity Toxic Releases Fatalities/Injuries
systems, basic process control systems, instru- Flammability Fires and Explosions Environmental Harm
Explosivity Runaway Reactions Property Loss
mentation and alarms, safety instrumented Reactivity Business Interruption
systems (SISs), active and passive engineer-
ing controls, and emergency response sys- p Figure 2. The bow tie diagram visually depicts the three parts of an incident — the threats
tems. Implementing the hierarchy of controls that can cause an incident (left), the loss-of-containment event (knot), and the resulting
(Figure 1) is the most effective way to manage consequences of the event (right). Source: Adapted from (3).
process safety risks. This approach focuses
on inherently safer design as the first, crucial
barrier. A process safety incident occurs when
weaknesses develop in these barriers.

The bow tie diagram

The bow tie diagram (Figure 2) depicts a
potential process safety incident. The knot in
the middle of the bow represents loss of control
Loss of Containment
over a hazardous material or energy. On the left
of the knot are threats that contribute to such an
event, such as a material’s toxicity, flammability,
Consequences
explosivity, and reactivity, as well as hazardous Threats
processing conditions (e.g., extremely high
pressures or temperatures). On the right of the p Figure 3. TheIndividual
engineering and administrative
Preventive Barriers controls that are being
Individual usedBarriers
Mitigative to manage process
safety risks can be shown on a bow tie diagram. Preventive barriers (green rectangles) help
knot are the possible consequences of the loss of reduce the likelihood of the event, while mitigative barriers (blue rectangles) help reduce the
control, such as injuries, fatalities, environmen- severity of the consequences if the incident does occur. Source: Adapted from (3).

Copyright © 2016 American Institute of Chemical Engineers (AIChE) CEP  December 2016  www.aiche.org/cep  31
Safety

individual barriers, including preventive maintenance (PM) useful visual indicator of risk for a PHA scenario.
schedules, normal work order processing, failure analysis The preventive and mitigative barriers identified on the
coding, and warehouse inventory management. bow tie diagram relate to the protection layers identified in a
PHA. Semi-quantitative layer of protection analysis (LOPA)
Bow tie diagrams and PHAs principles are now widely incorporated into PHA studies to
Even the most effective incident investigations can be assess the adequacy of safeguard protection (9, 10).
used only to prevent similar incidents from occurring in
the future (7, 8). It is much better to operate and manage Barrier weaknesses and bow tie diagrams
processes so that learning from hindsight is not necessary. The bow tie diagram can be used to map barrier weak-
A PHA that incorporates a bow tie diagram is one way to nesses — any missing or ineffective engineering and admin-
do this. istrative controls that could ultimately lead to an incident
A PHA identifies potential hazardous scenarios and the
barriers that should be in place to reduce the likelihood of
an unacceptable event. Once hazards have been identified,
the PHA team can evaluate the effectiveness of safeguards 1
2
that are already in place or that could be added to prevent
an incident. The results of that evaluation — hazard sce- 3 4 5
narios and necessary safeguards — can be used to con-
struct a bow tie diagram. The bow tie diagram assists the
PHA team members in visualizing the path that a hazard Loss of Containment
can take to cause a severe consequence and the combina-
tion of preventive and mitigative barriers that are required
to reduce the process safety risk. The bow tie diagram is a Threats Consequences

Individual Weak or Missing Individual

Process Safety Systems Preventive Barriers Individual Barriers Mitigative Barriers
Basic Process Control Systems

p Figure 5. A bow tie diagram can be used to show how weaknesses in

Passive Engineering Controls
Active Engineering Controls

individual barriers can lead to a loss-of-containment event followed by

Instrumentation and Alarms

consequences. In this case, weaknesses in Barriers 1–5 create a linear

Inherently Safer Design

Emergency Response

path to consequences. Source: Adapted from (3).

Process Safety Systems

3
A
1
5
C
4 7

6
B
2
Loss of Containment

Loss of Containment

Individual Individual Systemic

Preventive Barriers Mitigative Barriers Barriers

Weak or Missing Weak or Missing

Threats Consequences Individual Barriers Systemic Barriers

Individual
Preventive Barriers
p Figure 4. Systemic barriers — the process safety systems designed
to manage the individual barriers — can also be displayed on bow tie
diagrams as dotted lines. Source: Adapted from (3).
Individual Systemic p Figure 6. Adding systemic barriers to the bow tie diagram creates complex,
Mitigative Barriers Barriers
nonlinear paths from threat to consequence. There are two nonlinear paths to
Consequence C: Barriers 1 and 4 fail to prevent Threat A and Barriers 5 and 7 fail
to mitigate the loss of containment (white path); or Barriers 2 and 3 fail to prevent
Threat B and Barriers 6 and 7 fail to mitigate loss of containment (yellow path).
Source: Adapted from (3).

32  www.aiche.org/cep  December 2016  CEP Copyright © 2016 American Institute of Chemical Engineers (AIChE)
(Figure 5). In Figure 5, a linear path to the consequences
of a loss-of-containment incident runs through the weak or
failed individual barriers, preventive barriers 1 and 2 and
mitigative barriers 3–5. This approach can be used to depict
multiple linear failure paths through the knot of the bow tie
involving different threats and barrier weaknesses and differ-
ent mitigative barriers and consequences.
A more useful way to visualize the risk paths that can
occur in industry is to also include the systemic barriers (pro-
cess safety systems managing the individual barriers) on the
bow tie diagram. Whereas a bow tie diagram for a hazard-
specific safeguard deficiency might show a simple, linear
failure path (Figure 5), deficiencies in the systemic systems
usually produce a complex, nonlinear path (Figure 6). The
bow tie diagram in Figure 6 shows that there are two non­
linear paths to Consequence C: Barriers 1 and 4 fail to prevent
Threat A and Barriers 5 and 7 fail to mitigate the loss of
containment (white path); or Barriers 2 and 3 fail to prevent
Threat B and Barriers 6 and 7 fail to mitigate loss of contain-
ment (yellow path).
Barriers fail because process safety systems (systemic
barriers) designed to sustain them are ineffective. Systemic
weaknesses allow a specific hazard to break through a pri-
mary weakness in the outermost defense and find deficien-
cies in other barriers, thereby creating many paths to the
consequence. In a plant that repeatedly patches multiple
individual barriers to keep the process running, the risk of
recurring failures is greatly elevated. The systemic barrier
representation on the bow tie diagram demonstrates visu-
ally how patching a specific weakness in one barrier may do
little to reduce the potential for recurring events if a systemic
problem is involved.
There are many potential paths for each cause-to-
consequence scenario, and it is difficult for a hazard
analysis team to anticipate all of them. The team can use a
technique such as hazards and operability (HAZOP) analy-
sis to identify the individual barriers needed to reduce the
process safety risk for a particular cause-to-consequence
scenario. Then, by mapping those individual barriers on
the bow tie diagram, the organization can determine which
process safety systems must be in place to sustain the
integrity of those individual barriers.
Bow tie diagrams and the Bhopal facility
To illustrate the use of a PHA combined with a bow tie
diagram, let’s consider the Bhopal incident, which per-
manently changed how the risks associated with hazardous
materials and energies are recognized, evaluated, and reduced
(11). Although process hazard analysis had not yet been
developed, if a PHA had been conducted for the design and
operation of the Bhopal facility, it would have identified
the safeguards in place, and those safeguards could have
Copyright © 2016 American Institute of Chemical Engineers (AIChE)
been used to construct a bow tie diagram (Figure 7).
The accident took place inside a pesticide manufactur-
ing factory set up for production in India using a process
licensed by an experienced corporation with head­quarters
in the U.S. The facility was designed in accordance with
the blueprint for the original manufacturing process that
had operated safely for about 20 years in the U.S. It was
therefore reasonable to expect the newly constructed manu-
facturing process to operate at least as safely as the original
manufacturing process.
The synthesis reaction to make the pesticide involved a
toxic, reactive, volatile, and flammable intermediate chemical
compound, methyl isocyanate (MIC), which is liquid at room
temperature. Pure MIC is highly reactive and can readily react
with itself to form trimethyl isocyanurate, a stable and solid
MIC trimer with a melting point well above ambient tempera-
ture (178°C).
The original process and equipment design included
multiple safeguards to control potentially unstable condi-
tions inside the MIC storage tanks, including exothermic
reactions that might propagate into a loss-of-containment
Process Safety Systems
Inherently Safer Design, Refrigeration,
Basic Process Control System
Scrubber, Flare, Water Curtain
Pressure Control and Relief
Nitrogen, Phosgene Spike
High-Temperature Alarm,
Public Warning System
Operator Rounds
Loss of Containment
Threats Consequences
Individual Individual Systemic
Preventive Barriers Mitigative Barriers Barriers
p Figure 7. If a PHA had been performed for the design and operation of the
Bhopal facility, it would have identified the safeguards in place, which could
have been used to construct a bow tie diagram. Source: Adapted from (3).
CEP  December 2016  www.aiche.org/cep  33
Safety

incident. The preventive and mitigative safeguards to
manage contaminated or unstable MIC included design
features, basic process control systems, instrumentation
and alarm systems, active engineering control, passive
engineering control, and an emergency response system.
Design. Since iron oxide (rust) catalyzes the reaction
of MIC with itself, all equipment containing MIC liquid
or vapor had to be fabricated from noncorrosive materials
(stainless steel at a minimum) — an inherently safer design
specification. Other design safeguards included a refrigera-
tion system, a nitrogen system, and a phosgene-spiking
system, as well as operating procedures such as:
• continuously spiking MIC storage tanks with phosgene
(200–300 ppm) to prevent involuntary conversion reactions
involving pure MIC
• transferring the contents of the rundown tank into an
empty auxiliary reserve tank for additional cooling
• quenching hot MIC with excess solvent (chloroform)
• reprocessing contaminated MIC
Ineffective Process Safety Systems
Inherently Safer Design, Refrigeration,
• neutralizing waste MIC in the absorber section of the
vent gas scrubber (VGS)
• sending excess MIC vapor into the flare tower for
final destruction.
Basic process control system. The MIC storage tanks
were equipped with temperature control.
Instrumentation and alarm system. Storage tanks were
equipped with temperature and level indicators, as well as
a high-temperature alarm with several possible operator
responses and forms that operators had to fill out during
their rounds.
Active engineering control. The MIC storage tanks
were protected by a pressure relief valve set to automati-
cally open at 40 psi to prevent an overpressure incident.
Under normal circumstances, the MIC storage tanks were
designed to operate at 2 psi. However, an exothermic reac-
tion could generate heat inside the tank if the MIC in stor-
age was contaminated. If undetected, the pressure inside
the MIC tank could increase to the point that the relief
valve would open.
Passive engineering control included a scrubber, a
flare, and a water curtain system.
Emergency response system. MIC cannot be safely

discharged into the environment. MIC leaks are relatively

Basic Process Control System

simple to detect because MIC has an irritating odor, and

Scrubber, Flare, Water Curtain
Pressure Control and Relief

upon exposure at low concentrations, it produces symp-

Nitrogen, Phosgene Spike

High-Temperature Alarm,

Public Warning System

toms similar to those caused by exposure to teargas. How-

ever, over time, the workers inside the factory as well as
Operator Rounds

the people in the surrounding community came to expect

MIC leaks on a somewhat frequent basis (approximately
three times a month) without a severe consequence. Fac-
tory workers could use a public address system to notify
anyone inside or outside the factory who might be affected
by an MIC release.
As a last resort for managing MIC releases, water from
a fire monitor nozzle could be directed at the atmospheric
MIC release point to quench any escaping hot MIC vapor
or liquid. Although these secondary control measures
could reduce the consequences of an MIC release, the
preferred option — and the intent of the design — was to
Loss of Containment
prevent any condition that could cause loss of containment
of MIC.
All of the process safety systems managing the indi-
Threats Consequences
vidual barriers were needed to reduce the process safety
risk for safe and reliable operations at the Bhopal facility.
Individual Individual Systemic
Preventive Barriers Mitigative Barriers Barriers However, the original preventive and mitigative barri-
ers deteriorated, offering no protection on Dec. 3, 1984
Weak or Missing Weak or Missing
Individual Barriers Systemic Barriers
(Figure 8). Had the management team and the operators at
Bhopal used a bow tie diagram, they could have seen how
p Figure 8. Mapping the MIC release from the Bhopal factory on a bow tie important it was to sustain the integrity of each process
diagram depicting the barriers designed to prevent and mitigate the risks
associated with MIC releases reveals the many potential nonlinear paths from safety system managing the individual barriers, and the
the reactivity threat to its devastating consequences. Source: Adapted from (3). incident might not have occurred.

34  www.aiche.org/cep  December 2016  CEP Copyright © 2016 American Institute of Chemical Engineers (AIChE)
A safeguard weakness analysis
of the Bhopal incident
References 11–16 provide updated information explain-
ing the sequence of events responsible for history’s worst
industrial disaster.
At the time of the incident, numerous workaround
Operational Discipline at the Bhopal Factory
T he case study of the Bhopal catastrophe presented in
this article provides a poignant illustration of the complex
interactions between managing process safety risks of haz-
ardous processes and the influence of operational discipline
on the reliability of the barriers and the effectiveness of the
process safety systems in place to manage them. In a per-
fect manufacturing process, OD would not negatively impact
risk (i.e., it would have a value of 1 in Eq. 1). Optimal OD
performance has been defined as “the deeply rooted dedica-
tion by every member of an organization to carrying out each
task the right way” (6). In reality, perfect OD is not possible,
since people are involved in all phases of the equipment and
process lifecycles.
Human imperfection has the potential to interfere with all
phases of a process’ lifecycle, which includes design, construc-
tion (fabrication and installation), commissioning, operation,
maintenance, and subsequent decommissioning. In addition,
the behaviors and actions taken by operators and managers
directly influence the way equipment and process changes are
made once the process is placed into service. Facing complex
process- and business-related demands, an organization may
get distracted by acute and chronic maintenance issues, regu-
latory compliance obligations, or process safety incidents, any
of which could lead to significant loss of OD.
The manufacturing process in Bhopal suffered from chronic
maintenance issues, which over time caused multiple barriers
to deteriorate — all due, at least in part, to defects in opera-
tional discipline. Organizational culture was a primary cause of
the insufficient hazard recognition that led to the gradual loss of
safeguard protection at the Bhopal plant. Although the equip-
ment for the barriers was still in place, the effectiveness of that
equipment had deteriorated significantly. Specific weaknesses
in OD that reduced the effectiveness of the process safety
systems and increased the overall risk for a catastrophic loss-
of-containment incident to occur included (11):
• selecting materials of construction contrary to what
was specified in the design — i.e., less-expensive iron
instead of inherently safer stainless steel to construct the
MIC vapor-transfer header
• increasing the factory’s maintenance commitment by
physically modifying the process — i.e., using the nitrogen
blanketing system to address the chronic failures of the MIC
storage tank transfer pump
• adjusting operating procedures to implement pump
maintenance and header workaround solutions — i.e.,
manipulating the MIC storage tank vent valves to reduce
chronic MIC circulation pump failures
Copyright © 2016 American Institute of Chemical Engineers (AIChE)
solutions were put in place to manage unsustainable
maintenance levels and meet production targets. Over time,
the inherently safer design features intended to manage
the process safety risks were removed, or changed and
replaced with more-burdensome and less-reliable admin-
istrative controls subject to human error. Against this
• loss of a sense of vulnerability to high MIC
temperatures
• taking necessary equipment out of service and not
repairing the compromised equipment quickly — i.e., discon-
necting the scrubber system and the flare system because of
maintenance-related issues
• acceptance by the workers and the surrounding com-
munity of frequent leaks as normal operations — i.e., people
endured the temporary physical effects of periodic MIC loss-
of-containment incidents, gradually accepting an accrued
risk as foul MIC odors failed to prompt a defensive response.
Because of these OD deficiencies, most of the multiple
safeguards in the original design were compromised or in
a failed state when the exothermic reaction occurred on
Dec. 3, 1984. There was simply no way for the workers to
mitigate the consequences of the overpressurization once the
loss of containment occurred. Many of today’s computerized,
interdependent processes suffer from the same weaknesses
— by the time the operators recognize the hazardous situa-
tion, they do not have sufficient time to respond (17).
Industry now recognizes that the Bhopal incident did not
occur because of a simple sequence of events that lined up
on that fateful day. The disaster occurred due to failures in the
three fundamental foundations of an effective process safety
program: process safety culture and leadership, operational
discipline, and process safety systems (3). The interactions
among these three factors at the Bhopal factory pushed the
process into unsafe and uncharted territory as the process
safety systems designed to manage the hazards and risks
deteriorated (18).
Unsafe
Operating
s
tem
Space
Op
era
ys
yS
tio
na
t
afe
lD
sS
Safe Space
isc
es
to Operate
ipl
oc
ine
Pr
Safety Culture and Leadership
CEP  December 2016  www.aiche.org/cep  35
Safety
backdrop, the plant was shut down in mid-1984. During the
last production run, a small group of inadequately trained
temporary workers was assigned to help decommission the
factory. Although the hazards associated with decommis-
sioning the process are the same as those of commission-
ing and operating the process, the sense of vulnerability
had been lost by late 1984. The weakening of protective
barriers made the process more susceptible to human error,
especially with an inexperienced staff.
The bow tie digram in Figure 7 shows the barriers
designed to prevent and mitigate the risks associated with
MIC releases. Mapping the MIC release from the Bhopal
factory on the bow tie diagram clearly shows the many
potential nonlinear paths from the reactivity threat to its
devastating consequences (Figure 8).
A path forward
Whether generated during a PHA or after an incident,
bow tie diagrams are useful for visualizing necessary bar-
riers required for successful risk reduction efforts. Bow
tie diagrams can be part of an effective process safety
program for managing process hazards and risks, helping
everyone in the organization visualize the critical safe-
guards designed to control the hazards. People at all levels
in an organization typically respond well when the techni-
cal information is shown in a simple, easy-to-understand
format. A bow tie diagram communicates the risks in a
graphic form that requires little technical interpretation,
enabling everyone to standardize their perception and
understanding of the risks. While a formal PHA report
usually consists of documented discussions and captures
potential scenarios and their safeguards in tables and lists,
a bow tie diagram conveys the same information in graphic
form — a picture is worth a thousand words. CEP
BRUCE K. VAUGHEN, P.E., is a principal consultant for Baker Engineering and
Risk Consultants, Inc. (Email: bvaughen@bakerrisk.com). He has more
than two-and-a-half decades of experience in process safety, with roles in
research, operations, teaching, and consulting. He is the principal author
of two CCPS guideline books and a co-author of Process Safety: Key
Concepts and Practical Approaches. He has presented papers and led
sessions at National Society of Professional Engineers, American Society
for Engineering Education, and AIChE/CCPS symposia. He has a BS in
chemical engineering from the Univ. of Michigan, and an MS and a PhD in
chemical engineering from Vanderbilt Univ. He is a registered P.E.
KENNETH BLOCH is an industrial accident investigator for the downstream
petrochemical refining industry in the Texas Gulf Coast area (Email:
processreliability@gmail.com). His 30 years of experience includes
maintenance, reliability, process safety, technical, and operations
positions. He is the author of Rethinking Bhopal: A Definitive Guide
to Investigating, Preventing, and Learning from Industrial Disasters
and speaks about current industrial safety and regulatory topics at
American Fuel and Petrochemical Manufacturers, American Petroleum
Institute, and AIChE symposia. He has a BS in environmental science
from Lamar Univ.
36  www.aiche.org/cep  December 2016  CEP
Literature Cited
1. Klein, J. A., “The ChE as Sherlock Holmes: Investigating
Process Incidents,” Chemical Engineering Progress, 112 (10),
pp. 28–34 (Oct. 2016).
2. Center for Chemical Process Safety, “Process Safety Glossary,”
www.aiche.org/ccps/resources/glossary/process-safety-glossary/
process-safety (accessed Sept. 2016).
3. Klein, J. A., and B. K. Vaughen, “Process Safety: Key Concepts
and Practical Applications,” CRC Press, Boca Raton, FL (to be
published Mar. 2017).
4. Klein, J. A., and B. K. Vaughen, “A Revised Model for Opera-
tional Discipline,” Process Safety Progress, 27 (1), pp. 58–65
(Mar. 2008).
5. Klein, J. A., and B. K. Vaughen, “Implementing an Operational
Discipline Program to Improve Plant Process Safety,” Chemical
Engineering Progress, 107 (6), pp. 48–52 (June 2011).
6. Vaughen, B. K., and J. A. Klein, “Improving Operational Disci-
pline to Prevent Loss of Containment Incidents,” Process Safety
Progress, 30 (3), pp. 216–220 (Sept. 2011).
7. Dekker, S., “The Field Guide to Understanding Human Error,”
Ashgate Publishing Co., Burlington, VT (June 30, 2005).
8. Vaughen, B. K., and T. Muschara, “A Case Study: Combining
Incident Investigation Approaches to Identify System-Related
Root Causes,” Process Safety Progress, 30 (4), pp. 372–376
(Dec. 2011).
9. Goddard, W. K., “Use LOPA to Determine Protective System
Requirements,” Chemical Engineering Progress, 107 (2),
pp. 47–51 (Feb. 2007).
10. Center for Chemical Process Safety, “Guidelines for Initiating
Events and Independent Protection Layers in Layer of Protec-
tion Analysis,” Wiley/AIChE, Hoboken, NJ, and New York, NY
(Dec. 2014).
11. Bloch, K., “Rethinking Bhopal: A Definitive Guide to Inves-
tigating, Preventing, and Learning from Industrial Disasters,”
IChemE, Elsevier, Amsterdam, Netherlands (2016).
12. Willey, R. J., “What are Your Safety Layers and How Do They
Compare to the Safety Layers at Bhopal before the Accident?,”
Chemical Engineering Progress, 111 (12), pp. 22–27 (2014).
13. Kletz, T. A., “What Went Wrong? Case Histories of Process
Plant Disasters and How They Could Have Been Avoided,”
5th Edition, Butterworth-Heinemann/IChemE (July 2009).
14. Center for Chemical Process Safety, “Guidelines for Investigat-
ing Chemical Process Incidents,” 2nd Edition, Wiley/AIChE,
Hoboken, NJ, and New York, NY (Mar. 2003).
15. Center for Chemical Process Safety, “Incidents That Define
Process Safety,” Wiley/AIChE, Hoboken, NJ, and New York, NY
(Apr. 2008).
16. Institution of Chemical Engineers, “Remembering Bhopal —
30 Years On,” Loss Prevention Bulletin, 240, IChemE, Rugby,
U.K. (Dec. 2014).
17. Leveson, N. G., “Engineering a Safer World; Systems Thinking
Applied to Safety,” MIT Press, Cambridge, MA (2011).
18. Vaughen, B. K., “Three Decades After Bhopal: What We Have
Learned About Effectively Managing Process Safety Risks,”
Process Safety Progress, 34 (4), pp. 345–354 (Dec. 2015).
Additional Resources
Bloch, K., and B. Jung, “The Bhopal disaster,” Hydrocarbon
Processing, 91 (6), pp. 71–76 (June 2012).
Vaughen, B. K., and T. A. Kletz, “Continuing Our Process Safety
Management (PSM) Journey,” Process Safety Progress, 31 (4),
pp. 337–342 (Dec. 2012).
Copyright © 2016 American Institute of Chemical Engineers (AIChE)