Aven CH002.tex 17/5/2007 9:19 Page 9


Risk, Reliability and Societal Safety - Aven & Vinnem (eds)
2007 Taylor & Francis Group, London, ISBN 978-0-415-44786-7
Safety-barrier diagrams
N.J. Duijm
Systems Analysis Department, Risø National Laboratory, Technical University of Denmark, Roskilde, Denmark
ABSTRACT: Safety-barrier diagrams and the related so-called bow-tie diagrams have become popular
methods in risk analysis. This paper describes the syntax and principles for constructing consistent and valid
safety-barrier diagrams. The relation with other methods such as fault trees and Bayesian networks is discussed.
A simple method for quantification of safety-barrier diagrams is proposed, including situations where safety
barriers depend on shared common elements. It is concluded that safety-barrier diagrams provide a useful
framework for an electronic data structure that integrates information from risk analysis with operational safety
management.
1 INTRODUCTION
Since the 1980s, safety-barrier diagrams have been
used in Denmark as a tool for risk analysis in the pro-
cess industry. Safety-barrier diagrams became popular
because it appeared that these diagrams were helpful in
communication with non-experts by showing visually
what actions had been taken to prevent and mitigate
accidents. Therefore it became a tool that is appre-
ciated and promoted by the competent authorities in
Denmark.
Over the last five years, the concept of safety barriers has gained interest internationally in the framework of the so-called bow-tie, which is essentially a barrier diagram with a Critical Event. While a lot of literature exists concerning other (and comparable) risk-analysis tools like fault trees (FT), event trees (ET) and Bayesian networks (BN), little or nothing has been published concerning the principles of constructing safety-barrier diagrams.
This paper describes the principles for safety-
barrier diagrams in order to draw consistent and valid
diagrams. The relation with other graphical presentations (FT, ET and BN) and the layer of protection
analysis (LOPA) is described, and the advantages
and disadvantages as compared to these presenta-
tions discussed. One clear advantage of safety-barrier
diagrams is the focus on the safeguards that are delib-
erately inserted in the system to prevent or mitigate
accidents, so safety-barrier diagrams show directly
the issues that are the primary concern of safety
management.
2 SYNTAX OF SAFETY-BARRIER
DIAGRAMS
2.1 Definition of safety barriers
The notion of safety barriers has recently been discussed by Sklet (Sklet, 2006). Previously the definition
of safety barriers has been linked to the safety func-
tion (Harms-Ringdahl, 2000; Harms-Ringdahl, 2003;
IEC, 2003) or barrier function (Hollnagel, 2004). Sklet
defines the barrier function as:
A barrier function is a function planned to prevent,
control, or mitigate undesired events or accidents,
and the corresponding definition of safety barriers is
proposed as:
Safety barriers are physical and/or non-physical
means planned to prevent, control, or mitigate
undesired events or accidents.
In his discussion, Sklet emphasizes that the safety
barrier should be directly related to the event sequence
or accident scenario, and that it should not include
the risk influencing factors that affect the barrier per-
formance. This is an important observation if safety-
barrier diagrams are to be used as comprehensive
documentation of possible event or accident scenarios,
and it is in line with the concept used in the ARAMIS
and BORA projects about the relation between safety
barriers and organizational factors including safety
management (Aven et al., 2006; Duijm & Goossens,
2006). Therefore, the definition of safety barriers and
barrier function should be slightly more restrictive, and avoid the vagueness of the term "non-physical".
As the notion of an abstract barrier function explic-
itly recognizes the possibility of implementing these
functions by different alternative solutions, it is the
preferred basis for a definition, so:
A barrier function is a function planned to prevent,
control, or mitigate the propagation of a condition
or event into an undesired condition or event;
A safety barrier is a series of elements that imple-
ment a barrier function, each element consisting of
a technical system or human action.
Some safety barriers implement the safety function
by the mere presence of their elements (e.g. a tank pit
or a firewall), these are called passive safety barriers.
Other safety barriers perform an action in response
to a certain state or condition, these are called active
barriers. Active barriers always include a sequence of detection, diagnosis and action (in LOPA (Center for Chemical Process Safety, 2001) called DDD: detect, diagnose, deflect). A more correct term for these barriers would be "activated barriers", since e.g. a ventilation system or active corrosion protection doesn't include this DDD sequence but works continuously, and should therefore be considered a passive barrier.
For a discussion of different barrier types, see (de
Dianous & Fievez, 2006; Duijm and Goossens, 2006;
Guldenmund et al., 2006).
2.2 The syntax and definition of barrier diagrams
A barrier diagram is a graphical presentation of the
evolution of unwanted events (initiating events or
conditions) through different system states depending
on the functioning of the safety barriers intended to
prevent this evolution. A barrier diagram represents
possible (accident) scenarios. It is a graph within the
framework of mathematical graph theory. A barrier
diagram is a directed graph by nature of the evolution
(normally in time), and the subsequent fact that one
cannot move backwards through the diagram.
In principle one could imagine barrier diagrams
that are cyclic, i.e. diagrams that contain closed loops.
This would mean that the actions of some barriers
could lead to conditions that appear earlier in the
scenario. However, this paper is restricted to acyclic
diagrams. The advantage of directed, acyclic graphs is
that they allow for a mathematical evaluation of the
likelihood of the states in the diagram, given the ini-
tial states and initiating events and the likelihoods of
the functioning of the barriers. The exclusion of cyclic
barrier diagrams is not a severe restriction in prac-
tice. One may notice that also event trees, fault trees,
cause-consequence diagrams and Bayesian networks,
to which the barrier diagrams are closely related, are
directed, acyclic graphs.
Using the terminology of graph theory, the barri-
ers are the nodes or vertices of the graph. The edges
between the nodes correspond to conditions or states
of the system: on the left-hand side of a barrier, such
a condition is the condition or event that triggers
the barrier to function (demand state or condition)
while normally the condition on the right-hand side
is the condition when the barrier has failed (condition
on failure). Alternatively other states on the right-
hand side can be defined, corresponding to different
responses of the barrier, but usually only two barrier
outcomes are considered, viz. success or failure. E.g.
for a pressure relief valve, the successful deployment
leads to a release of material, which is not a normal
condition and therefore may be included in the barrier
diagram giving rise to an alternative scenario (i.e. an
alternative path through the barrier diagram). We use
the graphical notation for barriers with two states on
the right-hand side as in Figure 1.
Logically, the barrier represents an AND gate, i.e.
the condition on failure occurs when the demand con-
dition occurs and the barrier fails. This is shown in
Figure 2. Note that in this presentation one cannot
show the condition on success without introducing
a new input condition (barrier works) and a new
logical gate. One of the main advantages of barrier diagrams is their relative simplicity as compared to fault trees and event trees, which makes them useful for communication with non-experts.
Figure 1. Convention for picturing a barrier with condition on success displayed.
Figure 2. A barrier's logical representation by means of AND gates.
A barrier diagram can be displayed as in Figure 3.
The diagram reads from left (a scenario starting with
initiating events) to right (a scenario ending with a
consequence).
2.3 Properties and restrictions of safety-barrier
diagrams
In order to design meaningful and logically consistent
safety-barrier diagrams, we discuss some restrictions
and properties of barrier diagrams.
Barriers may not be bypassed. The condition after
the barrier is different from the condition before the
barrier (if not physical, then at least logical: on the left-
hand side of the barrier, we have no knowledge on the
success of the barrier, while on the right-hand side, we
know whether the barrier has been effective or not, so
the probabilities of the states are different on the two
sides). This means that shortcuts parallel to barriers
are not possible as in the barrier diagram in Figure 4
(barrier B2). This is of course straightforward: if the
shortcut would exist, the barrier B2 is irrelevant.
This means that the edges on all sides of each barrier
are unique. It also means that in these graphs the edges
contain information, i.e. they represent clearly defined
conditions or events.
Converging and diverging graphs. It is useful to distinguish between converging and diverging graphs (or parts of graphs). Converging graphs are graphs where a node is linked to only one node on the right-hand side (i.e. in the direction of the edges), so in Figure 3 the barriers B1, B2 and B3 form a converging graph. In a converging diagram the edges that link several left-hand side barriers to the right-hand side barrier represent an OR gate, i.e. the demand condition for barrier B3 in Figure 3 appears when the condition on failure of barrier B2 or the condition on failure of barrier B1 appears (alternative scenarios). Converging diagrams can effectively represent fault-tree-like paths to a critical event with several initiating events (see below).
Figure 3. Basic example of a barrier diagram.
Figure 4. Invalid barrier diagram.
Diverging graphs are those where a node has more
than one right-hand side node or edge, such as formed
by barrier B3 in Figure 3, but also barrier B1 in Fig-
ure 5 (B1 is linked to both B2 and B3 on the right-hand
side). In a diverging diagram the edges that link one
left-hand side barrier to several right-hand side bar-
riers, represent parallel pathways, i.e. the probability
of each of the pathways through the right hand side
barriers is equal to the probability of the originating
condition following the left-hand side barrier. So barri-
ers B2 and B3 in Figure 5 are both demanded on failure
of barrier B1. This does not express mutually exclusive
paths as in an event tree, where the sum of the con-
ditional probabilities over the diverging paths would
be 1. Event-tree like diverging behavior can only
be included in a barrier diagram by means of barriers
that have more than one right-hand side state or condition, as illustrated by barrier B3 in Figure 3. (It should
be noted that event trees can easily be described with
diverging Bayesian networks, where the distribution
over parallel nodes is provided by a priori conditional
probabilities, see below).
Diverging behavior as illustrated by barriers B2 and B3 in Figure 5 is relevant if a hazardous situation has more than one consequence. E.g. spillage of a liquid can lead both to evaporation and a hazardous cloud and to pollution of the ground; for both events barriers can be put in place. In this case it is unlikely that the pathways at some later point will join again. Another possibility is that several barriers simultaneously act against the escalation of an event, e.g. when a flammable cloud appears, ignition can be minimized by both the installation of explosion-safe equipment (passive barrier) and prohibiting smoking and open fire (behavioral barrier based on passive warning). In that case the condition on failure of both barriers is identical (ignition of the cloud), see Figure 6.
Figure 5. Example of a diverging barrier diagram.
Figure 6. Two parallel barriers between two events.
A barrier diagram can be divided into a set of connected barrier diagrams. A barrier diagram contains edges to the external environment; these correspond to initiating events or initial conditions at the left-hand side and consequences at the right-hand side. A consequence from one diagram can be an initiating event for another diagram and vice versa, so a safety-barrier diagram can be split into several diagrams. There are no formal rules for where to start or stop a barrier diagram; one is free to split a diagram into as many diagrams as one wishes, where the minimum size of a diagram consists of a single barrier and its corresponding demand condition and condition on failure or success. But if diagrams share conditions or events, i.e. the diagrams are connected, it should be possible to generate one single diagram, which again should be directed and acyclic.
Barriers and conditions are unique. Each barrier
responds to a well defined demand condition and leads
to well defined conditions on success or failure (or
other possible outcomes of the barrier if one allows for
this). This means that the same barrier cannot be part
of parallel paths through the barrier diagram unless
these paths are fully identical. Together with the acyclic
requirement this implies that each barrier and each
condition in the diagram is unique. In a set of con-
nected diagrams (as described above) each barrier is
unique, while conditions can be used more than once
only as consequence and initiating event.
Note that elements that make up the barrier need not
to be unique, i.e. unique barriers can have common
power supply or actions in several barriers are per-
formed by the same operator. These common elements
need of course to be accounted for when quantifying
the probability of scenarios.
2.4 Logical gates
As depicted in Figure 2, a barrier is to be considered as an AND gate: the condition on failure occurs if the demand condition occurs and the barrier fails. But if two or more different necessary conditions depend on left-hand side initial events and barriers, it is impossible to construct a collective barrier diagram without the concept of a separate AND gate. In Figure 7 the demand condition for barrier B3 is only fulfilled if the conditions on failure of both barrier B1 and B2 are fulfilled (which automatically requires that both initial conditions 1 and 2 occurred).
Figure 7. Variation of barrier diagram from Figure 3 with AND gate.
Figure 8. Barrier diagram with an explicit OR gate.
Barrier diagrams can be constructed without the need for an OR-gate. A condition can be the outcome
of more than one barrier, thus this condition repre-
sents the joint OR condition for the continuation of
the scenario. The demand condition for barrier 3 in
Figure 3 is the joint result (OR result) of the outcomes
of barriers 1 and 2. However, there may be situations
where one prefers to show explicitly that a condition
can be a result of more than one event or situation.
This will especially be the case where several initiat-
ing events create the same hazardous condition (e.g.
loss of power or mechanical failure or loss of coolant
leads to temperature rise in a reactor). For this rea-
son OR-gates can be included in a similar way as an
AND-gate, see Figure 8.
3 SAFETY-BARRIER DIAGRAMS AND
OTHER REPRESENTATIONS
A barrier diagram doesn't include other information than can be presented by either fault trees or event trees. As stated above, a barrier can be represented by an AND gate to represent the relation between the demand condition and the condition on failure, and by an event-tree branch to show the alternative possibilities of the condition on failure and the condition on success.
The combination of fault trees and event trees
in a single diagram has been introduced as a
cause-consequence diagram in the early seventies
(Lees, 2001; Nielsen, 1971; Nielsen, 1974; Taylor,
1973). The cause-consequence diagram combines one
or more fault trees (cause diagrams) leading to a
critical event, followed by a consequence diagram
which combines elements from event trees (binary
branches) with fault-tree type logic (gates). The cause-
consequence diagram syntax as developed by Nielsen and Taylor is quite extensive: Nielsen (1974) describes some 25 different symbols to be used in cause-consequence diagrams. It is interesting to note,
that cause-consequence diagrams allow for a time-
delay symbol, which makes it possible to show and
consider some dynamic aspects in safety analysis, such
as time available for intervention, an aspect that is
included explicitly in neither fault trees, event trees
nor safety-barrier diagrams.
The safety-barrier diagram as such does not provide more information than a cause-consequence diagram, but the representation is simpler, which makes it easier to identify the elements in a socio-technical system that perform deliberate safety functions.
Recent research activities (ARAMIS, WORM) promote the use of the so-called bow-tie (Aneziris et al., 2006; Delvosalle et al., 2006; Salvi & Debray, 2006). The bow-tie consists of a fault tree on the left-hand side, leading to a critical event, followed by an event tree to show the possible outcomes or consequences of the critical event, cf. the description of cause-consequence diagrams, see Figure 9. These bow-ties are often displayed with barriers to prevent (on the left-hand side) the critical event or mitigate (on the right-hand side) the consequences, see (de Dianous and Fievez, 2006; Salvi and Debray, 2006). We can therefore state that a bow-tie is a special case of a safety-barrier diagram, where all paths (scenarios) through the diagram starting from one or more initiating events converge to at least one shared event before the diagram diverges to one or more consequences. One of the shared events is the critical event of the bow-tie.
3.1 Condition graph
Instead of using the barriers as nodes, one can also use the conditions as nodes, and the barriers as the edges between conditions. In this form, the graph becomes a Bayesian network (BN) (Jensen, 1996), where the conditional probability tables of the nodes contain the information regarding the failure or success rates of the barriers, see Figure 10. These graphs are somewhat less restrictive than barrier diagrams, e.g. there are no restrictions on the number of branches as compared to barrier diagrams, where a barrier normally only has two possible output states. Also the edges can represent natural events, not necessarily deliberate barriers (i.e. barriers subject to safety management), such as ambient temperature or wind direction. But the disadvantage of the BN is that the logical relations (AND, OR) cannot be visualized in the graph; they are hidden in the conditional probability tables that link the conditions in the BN, while the barriers are degraded to connecting arrows.
Figure 9. Example of a bow-tie diagram.
Figure 10. Condition graph or Bayesian network that corresponds to the barrier diagram of Figure 3.
3.2 Layer of protection analysis
The layer of protection analysis (LOPA) has been intro-
duced as a means to rationalize the decision making
in safety management related to protection layers
(which can be considered synonymous with the concept of safety barriers in this paper) (Center for Chemical Process Safety, 2001). Both LOPA and safety-barrier diagrams aim at making explicit what specific
measures are present or should be installed to ensure
safe operation. Many of the considerations in LOPA
especially with regards to the need of independency
between safety systems using the concept of Indepen-
dent Protection Layers (IPL) are equally applicable
when drafting and developing safety-barrier diagrams.
Figure 11. Fault tree with two root causes involving operator action.
However, there may be two notable differences, mainly related to the restrictions of the written forms used in LOPA. Firstly, the graphical presentation of the safety-barrier diagram is expected to be better suited to communication with non-experts. Secondly, LOPA is restricted to one-to-one relations between a single initiating event (though an enabling condition and conditional modifiers are allowed) and a single consequence. Safety-barrier diagrams allow including alternative initiating events and different resulting consequences in the same analysis.
4 QUANTIFICATION OF SAFETY-BARRIER
DIAGRAMS
Safety-barrier diagrams can be used to evaluate the likelihood of the consequences depicted on the diagram (or for that matter, the likelihood of any condition in the diagram) given the expected frequency or probability of initiating events or conditions and the probabilities of failure on demand (PFD) of the safety barriers.
Safety-barrier diagrams can be quantified using the same methods as used for fault trees, such as minimal cut sets or Monte Carlo simulation. As all conditions and barriers in the diagram are unique, minimal cut sets can be easily derived from the topology of the diagram, where parallel paths represent alternative scenarios (OR condition) while the conditions and barriers in a single string are necessary (AND condition).
But in many cases the propagation of likelihood through the diagram is straightforward, namely in diagrams that do not exhibit diverging-converging paths as exemplified in Figure 6. In those cases it is not necessary to derive minimal cut sets (unless the barriers have common dependencies, see below).
When quantifying barrier diagrams one should realize the difference between events, where likelihood is expressed as an expected frequency (unit: time$^{-1}$), and conditions, where likelihood is expressed as a (conditional) probability (dimensionless). In this paper we only consider events. In that case the following rule can be applied to propagate the expected frequency through the diagram:
Here $f_c$ is the expected frequency of an event that occurs on failure of one out of $k$, or success of one out of $m$ preceding barriers, while the demand conditions of these barriers have an expected frequency of $f_i$ or $f_j$, respectively.
The same expression can be used for propagation through an OR gate, with PFD = 1 and $m = 0$. An AND gate can only have one event as input; the other inputs need to be conditions. The resulting output frequency is the product of the one event input frequency and the probabilities of the other inputs.
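The syntax rules of sections 2.3 and 2.4 (no bypass, acyclic, unique barriers, OR by convergence, an explicit AND gate with a single event input) and the propagation rule stated above in words can be exercised together in code. The following is an added example, not code from the paper: it represents conditions as named nodes, runs Kahn's algorithm to reject cyclic diagrams, rejects a barrier whose demand condition reappears as its own output (the shortcut of Figure 4), and propagates expected frequencies in topological order, multiplying by PFD along the failure edge, by (1 - PFD) along the success edge, adding where paths converge and multiplying through an AND gate. The class and function names, the reactor diagram in reactor_example(), its barrier names, PFDs and initiating-event frequencies are all constructed for illustration and are not taken from the paper's figures.

```python
"""Syntax checks and frequency propagation for a safety-barrier diagram.
Added example, not code from the paper; see the lead-in for assumptions."""
import math
from collections import defaultdict


class BarrierDiagram:
    def __init__(self):
        self.initiating = {}     # condition -> expected frequency (time^-1)
        self.probabilities = {}  # condition -> probability (dimensionless)
        self.barriers = {}       # name -> (pfd, demand, on_failure, on_success)
        self.gates = {}          # name -> (event_input, [condition inputs], output)

    def add_barrier(self, name, pfd, demand, on_failure, on_success=None):
        if name in self.barriers:
            raise ValueError(f"barrier {name} is not unique")
        if demand in (on_failure, on_success):  # shortcut around the barrier (Figure 4)
            raise ValueError(f"barrier {name} is bypassed: same condition on both sides")
        self.barriers[name] = (pfd, demand, on_failure, on_success)

    def add_and_gate(self, name, event_input, condition_inputs, output):
        self.gates[name] = (event_input, list(condition_inputs), output)

    def _successors(self):
        succ = defaultdict(set)
        for _, demand, on_failure, on_success in self.barriers.values():
            succ[demand].update(c for c in (on_failure, on_success) if c is not None)
        for event_input, cond_inputs, output in self.gates.values():
            for src in [event_input, *cond_inputs]:
                succ[src].add(output)
        return succ

    def topological_order(self):
        """Kahn's algorithm over the condition graph; a closed loop raises ValueError."""
        succ = self._successors()
        nodes = set(succ) | {n for outs in succ.values() for n in outs}
        nodes |= set(self.initiating) | set(self.probabilities)
        indeg = {n: 0 for n in nodes}
        for outs in succ.values():
            for n in outs:
                indeg[n] += 1
        ready = sorted(n for n in nodes if indeg[n] == 0)
        order = []
        while ready:
            n = ready.pop(0)
            order.append(n)
            for m in sorted(succ.get(n, ())):
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
        if len(order) != len(nodes):
            raise ValueError("barrier diagram is cyclic")
        return order

    def propagate(self):
        """Expected frequency of every event condition in the diagram."""
        freq = defaultdict(float, self.initiating)
        for cond in self.topological_order():  # every input of cond is final by now
            for pfd, demand, on_failure, on_success in self.barriers.values():
                if demand == cond:
                    freq[on_failure] += freq[cond] * pfd            # condition on failure
                    if on_success is not None:
                        freq[on_success] += freq[cond] * (1 - pfd)  # condition on success
            for event_input, cond_inputs, output in self.gates.values():
                if event_input == cond:  # one event input, the rest are probabilities
                    freq[output] += freq[cond] * math.prod(
                        self.probabilities[c] for c in cond_inputs)
        return dict(freq)


def reactor_example():
    """Constructed diagram: two initiating events converge (OR) on one demand
    condition, a relief valve with two right-hand states, then an AND gate."""
    d = BarrierDiagram()
    d.initiating["loss of power"] = 0.1     # assumed, per year
    d.initiating["loss of coolant"] = 0.05  # assumed, per year
    d.add_barrier("B1 backup generator", 0.1, "loss of power", "temperature rise")
    d.add_barrier("B2 emergency cooling", 0.05, "loss of coolant", "temperature rise")
    d.add_barrier("B3 relief valve", 0.01, "temperature rise",
                  on_failure="vessel rupture", on_success="relief discharge")
    d.probabilities["ignition source present"] = 0.2  # assumed probability
    d.add_and_gate("G1", "vessel rupture", ["ignition source present"], "fire")
    return d.propagate()


def invalid_examples():
    """Error messages from two diagrams that violate the syntax rules."""
    errors = []
    try:
        BarrierDiagram().add_barrier("B2", 0.1, "leak", "leak")
    except ValueError as e:
        errors.append(str(e))
    try:
        d = BarrierDiagram()
        d.initiating["a"] = 1.0
        d.add_barrier("X", 0.1, "a", "b")
        d.add_barrier("Y", 0.1, "b", "a")  # closed loop a -> b -> a
        d.propagate()
    except ValueError as e:
        errors.append(str(e))
    return errors
```

With the constructed numbers the two converging paths into "temperature rise" add (0.1 x 0.1 + 0.05 x 0.05 = 0.0125 per year), barrier B3 sends 0.01 of that to "vessel rupture" and 0.99 to "relief discharge", and the AND gate multiplies the rupture frequency by the ignition probability. Diverging paths are treated as parallel, not mutually exclusive, as section 2.3 requires; event-tree-like branching is only obtained through the two output states of a barrier.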
4.1 Dependency between barriers
In many systems, some safety barriers depend on
common elements to fulfill the safety function. The
common elements can be physical infrastructures,
such as power supply or the control system. There are
also situations, where an operator has to react on dif-
ferent signals and alarms. If the same operator has to
perform these tasks, the operator is a common element in the different alarm-based barriers. As an example, Figure 11 shows part of a fault tree discussed by Lees (Lees, 2001). In this fault tree there are two root causes: "operator fails to intervene (level rise as indicated by level meter)" and "operator fails to intervene (High Alarm)". This fault tree can be pictured as a barrier diagram as in Figure 12.
Figure 12. Safety diagram equivalent to the fault tree in Figure 11 with dependent operator actions.
The barriers "Level Intervention" and "High Alarm Intervention" can be described with a block diagram where the functioning of the instrumentation (level meter or alarm) and the action from the operator are in series. The barrier fails if either the instrumentation fails or the operator fails, so the PFD of the total barrier is, neglecting the small product term, the sum of the PFD of the instrumentation and the PFD of the operator. In general, if $P_1$ is the PFD of the whole barrier $B_1$, which involves a common element $E$ with a PFD $P_E$, then the remaining elements of the barrier $B_1$ in series with $E$ have a PFD:
If in a barrier diagram consisting of a single path as in Figure 11 a barrier $B_1$ (e.g. Level Intervention) at some later point is followed by a barrier $B_2$ (e.g. High Alarm Intervention), and both barriers have element $E$ (i.e. control room operator action) in common, then the demand condition of barrier $B_2$ only occurs if $B_1$ has failed. So instead of the a priori PFD $P_2$ one should use the conditional probability of $B_2$ failing given that $B_1$ has failed to propagate the expected frequency through the diagram. Using Bayes' rule one can derive:
This formula can be extended for $n$ barriers that depend on $E$, by replacing $P_{2,R}$ with $P_{n,R}$ and the probability of $E$ conditional on failure of $B_1$ by:
It is straightforward to extend this rule to multiple common elements, while it is also possible to derive similar rules for barriers where some of the barrier elements are in parallel (n-out-of-m systems). But these rules can only be applied if the barrier diagram is not converging up to the condition of interest (divergence is allowed if each path is evaluated separately). If common elements appear in more than one converging path, the above-mentioned methods developed for fault tree evaluation need to be used. When barriers share common elements throughout the converging branches, minimal cut sets can no longer be derived directly from the diagram's topology.
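The conditional PFD of this section can be checked numerically. The code below is an added example, not code from the paper, and its formulas are derived here from the two assumptions the text states: a barrier fails if any of its series elements fails, and the common element E fails independently of each barrier's remaining elements R_i. Since the paper's equations are not reproduced on this page, the functions are an implementation of the stated reasoning, not a transcription of them. The PFD values used (operator 0.01, level meter 0.02, high alarm 0.05) are constructed and not taken from Lees; all function names are the example's own.

```python
"""Conditional PFD of barriers sharing a common element (section 4.1).
Added example, not code from the paper; formulas are derived from the
assumptions named in the lead-in."""
import itertools
import math


def series_pfd(*element_pfds):
    """PFD of independent elements in series: the barrier fails if any fails.
    The 'sum of the PFDs' in the text is the first-order approximation."""
    return 1.0 - math.prod(1.0 - p for p in element_pfds)


def remaining_pfd(p_total, p_e):
    """PFD of the elements other than E, from the barrier's total PFD and P_E
    (inverts series_pfd for the two-element case)."""
    return 1.0 - (1.0 - p_total) / (1.0 - p_e)


def prob_e_given_failures(p_e, p_r_failed):
    """P(E failed | the barriers with remaining PFDs p_r_failed have all failed).
    Bayes' rule: a failed E fails every barrier sharing it, so the joint
    probability is p_e; the evidence is P(all failed) = p_e + (1-p_e)*prod(p_r)."""
    return p_e / (p_e + (1.0 - p_e) * math.prod(p_r_failed))


def conditional_pfd(p_e, p_r_failed, p_r_next):
    """P(B_n fails | B_1..B_{n-1} failed): certain if E has failed, otherwise
    only the remaining elements of B_n can fail."""
    q = prob_e_given_failures(p_e, p_r_failed)
    return q + (1.0 - q) * p_r_next


def brute_force_conditional_pfd(p_e, p_r_failed, p_r_next):
    """Same quantity by enumerating every combination of element states."""
    elems = [p_e, *p_r_failed, p_r_next]
    joint = evidence = 0.0
    for states in itertools.product((False, True), repeat=len(elems)):
        prob = math.prod(p if failed else 1.0 - p for p, failed in zip(elems, states))
        e_failed = states[0]
        if all(e_failed or r for r in states[1:-1]):   # B_1..B_{n-1} failed
            evidence += prob
            if e_failed or states[-1]:                 # ... and B_n failed too
                joint += prob
    return joint / evidence


def scenario_frequencies(f_demand, p_e, p_r1, p_r2):
    """Frequency of the condition after B_2 in a single path B_1 -> B_2:
    naive (independent PFDs), with the conditional PFD, and exact."""
    p1, p2 = series_pfd(p_e, p_r1), series_pfd(p_e, p_r2)
    naive = f_demand * p1 * p2
    with_conditional = f_demand * p1 * conditional_pfd(p_e, [p_r1], p_r2)
    exact = f_demand * series_pfd(p_e, p_r1 * p_r2)  # E fails, or both R_1 and R_2 fail
    return naive, with_conditional, exact


if __name__ == "__main__":
    # Constructed PFDs (assumptions): operator 0.01, level meter 0.02, high alarm 0.05
    P_E, P_R1, P_R2 = 0.01, 0.02, 0.05
    print("a priori PFD of B2:", series_pfd(P_E, P_R2))
    print("conditional PFD of B2:", conditional_pfd(P_E, [P_R1], P_R2))
    print("brute force check:", brute_force_conditional_pfd(P_E, [P_R1], P_R2))
    print("naive, conditional, exact:", scenario_frequencies(1.0, P_E, P_R1, P_R2))
```

With these values the conditional PFD of B_2 is about 0.37 instead of the a priori 0.06, and the frequency of both barriers failing is 0.01099 times the demand frequency, roughly six times the 0.00177 that multiplying the independent PFDs would give. brute_force_conditional_pfd() enumerates all element states and returns the same number, which is the check to run before trusting the closed form; for a converging diagram, where the same E sits on several paths, this per-path rule no longer applies and one has to fall back to cut-set methods as stated above.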
5 DISCUSSION
In this paper, safety-barrier diagrams have been pre-
sented as a comprehensive method for analyzing risk.
Syntax, restrictions and requirements are discussed.
Rules to quantify the likelihood of the outcomes of
accident scenarios from safety-barrier diagrams have
been proposed.
It is obvious that nowadays safety-barrier diagrams
will be developed as electronic data structures, where
the graphical presentation and the quantification are
only two of the expressions of all the available data. It
is mentioned in this paper that safety-barrier diagrams
are simpler and use fewer symbols than fault trees
or cause-consequence diagrams. This simplification
could lead to loss of information, but an underlying
data structure that captures and stores the invisible
information, will resolve this apparent loss.
We suggest that the syntax of barrier diagrams with
objects describing safety barriers linked to conditions
or events is a useful architecture for a data structure
that can be used for both risk analysis and safety man-
agement. Such a data structure can link additional
information to the safety barriers, such as management
factors and actions that influence barrier performance
(Aven et al., 2006; Duijm and Goossens, 2006), oper-
ational information such as procedures, maintenance
records and incident reports.
REFERENCES
Aneziris, O.N., Papazoglou, I.A., Mud, M.L., Baksteen, H., Post, J., Ale, B.J.M., Hale, A., Bellamy, L.J., Bloemhof, A. & Oh, J.I.H. 2006. Towards risk assessment for crane activities. In Guedes Soares, C. and Zio, E. (eds.), Safety and Reliability for Managing Risk, Proceedings of ESREL 2006: 733-740. London: Taylor & Francis Group.
Aven, T., Sklet, S. & Vinnem, J.E. 2006. Barrier and operational risk analysis of hydrocarbon releases (BORA-Release): Part I. Method description. Journal of Hazardous Materials 137(2): 681-691.
Center for Chemical Process Safety 2001. Layers of protection analysis: simplified process risk assessment. New York: American Institute of Chemical Engineers.
de Dianous, V. & Fievez, C. 2006. ARAMIS project: A more explicit demonstration of risk control through the use of bow-tie diagrams and the evaluation of safety barrier performance. Journal of Hazardous Materials 130(3): 220-233.
Delvosalle, C., Fievez, C., Pipart, A. & Debray, B. 2006. ARAMIS project: A comprehensive methodology for the identification of reference accident scenarios in process industries. Journal of Hazardous Materials 130(3): 200-219.
Duijm, N.J. & Goossens, L. 2006. Quantifying the influence of safety management on the reliability of safety barriers. Journal of Hazardous Materials 130(3): 284-292.
Guldenmund, F., Hale, A., Goossens, L., Betten, J. & Duijm, N.J. 2006. The development of an audit technique to assess the quality of safety barrier management. Journal of Hazardous Materials 130(3): 234-241.
Harms-Ringdahl, L. 2000. Assessment of safety functions at an industrial workplace: A case study. In Cottam, M.P., Harvey, D.W., and Pape, R.P. (eds.), Foresight and Precaution, ESREL 2000: 1373-1378. Edinburgh: Balkema.
Harms-Ringdahl, L. 2003. Assessing safety functions: results from a case study at an industrial workplace. Safety Science 41(8): 701-720.
Hollnagel, E. 2004. Barriers and Accident Prevention. Hampshire, UK: Ashgate.
IEC 2003. International Standard IEC 61511-1, Functional Safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements. Geneva, Switzerland: IEC.
Jensen, F.V. 1996. An introduction to Bayesian Networks. London: UCL Press.
Lees, F.P. 2001. Chapter 9: Hazard Assessment. Loss prevention in the process industries, 2nd edition. Oxford: Butterworth Heinemann.
Nielsen, D.S. 1971. The Cause/Consequence Diagram Method as a Basis for Quantitative Accident Analysis. Risø-M-1374. Roskilde: Danish Atomic Energy Commission, Risø.
Nielsen, D.S. 1974. Use of Cause-Consequence Charts in Practical Systems Analysis. Risø-M-1743: 124. Roskilde: Danish Atomic Energy Commission, Risø.
Salvi, O. & Debray, B. 2006. A global view on ARAMIS, a risk assessment methodology for industries in the framework of the SEVESO II directive. Journal of Hazardous Materials 130(3): 187-199.
Sklet, S. 2006. Safety barriers: Definition, classification, and performance. Journal of Loss Prevention in the Process Industries 19(5): 494-506.
Taylor, J.R. 1973. A formalisation of failure mode analysis of control systems. Risø-M-1654. Roskilde: Danish Atomic Energy Commission, Risø.