ECAI 2015 - International Conference – 7th Edition
Electronics, Computers and Artificial Intelligence
25 June -27 June, 2015, Bucharest, ROMÂNIA
A quantitative risk analysis framework for
bow-tie models
Ionut Emil Iacob
Department of Mathematical Sciences
Georgia Southern University
USA
ieiacob@georgiasouthern.edu
Abstract – Risk management is a critical part of every
industrial activity. In recent years, due to the
complexity, importance and potential impacts of
industrial processes, risk analysis has taken advantage
of increasing computational availability to deliver tools
at every level of the risk management spectrum. Bow-tie
models, so called because of their generalized shape, are
used at various levels in the risk analysis process,
fundamentally because their presentation aggregates
complex, real-world scenarios in consistent, reducible
and communicable ways. As a result, vendors have
sought to map additional capabilities onto the Bow-tie
extending their applicability into qualitative, semi-
quantitative, and quantitative risk assessment
modalities. In this paper we present a generalized
computational framework for risk analysis using Bow-
tie models that simultaneously perform all such
analytical modes.
Keywords: risk; bow-tie; risk analysis; quantitative
risk assessment
I. INTRODUCTION
Risk is an intensively studied subject which can be
summarized as the relationship between the likelihood
of a major accident (critical event) and the severity of
the damage the accident would produce. More
precisely, the standard ISO/TC 199 defines risk
analysis as a sequence of steps an expert must take to
analyze dangerous events associated to an activity.
Initially introduced in Australian and European Union
regulations for mining and offshore drilling
companies, risk analysis has quickly gained popularity
in social [1] and occupational [2] analysis, hazardous
materials handling [3], failures in water supply
networks [4], or medical safety risk analysis [5].
The Bow-tie model for risk analysis was first
mentioned in late 70s and the Shell Group was the first
major company that integrated the model in its
business practice. The model is centered on a critical
event (major accident) having the possible causes that
may produce the event on the left-hand-side and the
probable consequences of the event on the right-hand-
side. A simplified representation of the model yields a
bowtie-shaped diagram as in Figure 1.
In the model, the main attribute of a Cause is the
likelihood of initiating the Critical Event. The main
attribute of a Consequence is the severity of the
Consequence if the Critical Event occurs. Then the
risk is measured by means of the pair: Cause
978-1-4673-6647-2/15/$31.00 ©2015 IEEE
Alex Apostolou
Meercat Pty Ltd
Perth, Australia
alex@meercat.com.au
Likelihood, Consequence Severity. A low risk
involves a very unlikely cause with a low severity
consequence. A very likely cause with a high severity
consequence would produce a high risk value.
Different cause likelihoods/consequence severities
would produce intermediate risk values. During risk
analysis the high risk scenarios must be identified and
solutions to prevent such scenarios must be found.
Cause 1 Consequence 1
Critical
Cause 2 Event
Consequence 2
Cause 3
Figure 1. The bow-tie model overview
Bowties are powerful representations and they
serve well both the qualitative [5] and (semi-)
quantitative [1,2,3] risk analysis. With the increased
pressure from regulators, companies and experts in
risk analysis are in need of tools to process larger and
more complex models. Some popular tools are
Meercat RiskView [6] and BowTieXP [7].
Implementing good tools for risk analysis is a
challenge in its own. Satisfying all legislative
requirements and functional needs is often difficult.
On top of these, generality, scalability, and
extensibility of the model are desirable features of a
good tool. The requirements in the former category are
the appanage of risk analysis experts. The burden of
satisfying the requirements in the latter category,
however, is the duty of the tool designer.
II. THE RISK ASSESSMENT PROCESS
The risk assessment process has as its first task the
selection of a tool or model within which to perform
that activity. Tools must be fit for purpose are selected
according to:
• suitability to the type and complexity of the
facility
• and the nature of the hazards present
• assists in understanding and selecting the
risk control measures
• is adequate to differentiate between hazards
on a risk basis (ie likelihood and
consequence)
 Y-44 Ionut Emil Iacob and Alex Apostolou
• is capable of managing the assessment of
cumulative risk and the potential effect of
risk reduction measures on the risk
• is not overly complicated for the facility’s
needs
• is consistent with the facility’s general
approach to safety.
• [Stolen from page 4 of the
WS_11_Safety_Asessment document]
Additionally, the more severe the consequences,
the detailed the risk assessment required, introducing
additional tiers of assessments. As a result, the data
gathered and processed for one process may not be
suitable for another process, with the relationships,
measures and methods in one process being
incompatible with another. Modelling introduces
additional challenges as models suffers inevitable
changes such as adding/removing causes and/or
consequences, adjustment of likelihoods and/or
severities, new elements for containing the effects of
causes and limit the damages of consequences, etc.
These changes raise questions about how the
computation model can adjust in a flexible way as
both the structure, its purpose and the mechanism of
it’s interaction also changes. In this paper we want to
demonstrate an approach that bridges the gap between
a very wide spectrum of risk assessment processes
with a computation framework that is general,
scalable, and extensible. Our framework relies on the
standard XQuery language [8], which is a de-facto
query language for searching tree data models.
The rest of the paper is organized as follows. In
Section II we introduce the bow-tie model for risk
analysis. We explain the terminology and present a
case study scenario. In Section III we present a general
computational framework for (semi-) quantitative risk
assessment. We conclude and present future plans in
Section IV.
III. BOW-TIE MODEL FOR RISK ANALYSIS
Risk analysis and assessment is a complex process
performed by experts in the subject. It generally starts
by identifying all potential hazards related to a certain
activity, causes that may produce the hazards, their
consequences, and means to prevent hazards as well as
methods to efficiently limit the damages
Fault Tree
Cause 1 Prevent 1.1 Prevent 1.2
Escalation
Factor 1.1
Critical
Even
Cause 2 Prevent 2.1
Cause 3 Prevent 3.1 Prevent 3.2
Figure 2. Typical Bow-tie diagram
(consequences) of hazards. This activity if mainly
based on direct observations of the process and/or
collections of data related to previous events.
Figure 2 represents a typical bow-tie diagram,
which consists of the following elements:
- Critical Event: the central node of the diagram
represents the manifestation of the risk event
itself.
- Cause 1, 2, 3: the potential causes that may
produce the critical event. Causes are
quantitatively characterized by their likelihood
(or, alternatively, by their frequencies) of
occurrence. We denote these likelihoods by
L11, L12, …, L32 respectively.
- Prevent 1.1 – 3.2: the preventative measures
(barriers) for producing the critical event, for
each specific cause. These preventative
measures are characterized by their “reduction
factor” (denoted by p11, p12, …, p32
respectively), which are percentages of cause
likelihood reduction, for their respective
causes.
- Effectiveness 1.1: a possible reduction of
effectiveness for a preventative measure. In
the presence of such element, the preventative
measure reduction factor is diminished by the
reduction factor of the “effectiveness”
element. If we denote the reduction factor of
the effectiveness element by e11, then the
effective reduction factor of Prevent 1.1
element is in fact: e11*p11. From a
mathematical perspective, the influence of an
Effectiveness element can be directly
incorporated into the corresponding Prevent
element. From the risk analysis perspective,
however, it is important to represent these
elements distinctively.
- Mitigate 1.1 – 3.2: similar to what Prevent
element does for a Cause, the Mitigate
element reduces the severity of a consequence
when the critical event occurs. These elements
are quantitatively characterized by their
reduction factor, denoted by m11, …, m32.
- Effectiveness 3.1: similar to Effectiveness 1.1,
this element may reduce the effectiveness of
the Mitigate 3.1. We will denote the reduction
Event Tree
Mitigate 1.1 Mitigate 1.2 Conseq 1
Mitigate 2.1 Mitigate 2.2 Conseq 2
Mitigate 3.1 Mitigate 3.2 Conseq 3
Effectiveness
3.1
 A quantitative risk analysis framework for bow-tie models Y-45

factor of this element by e31 and consequently automatically absorbed by a computational

the effective reduction factor of Mitigate 3.1
is: e31*m31.
- Conseq 1, 2, 3: the consequences of the
critical event occurrence. They are
characterized by their severities, denoted by
S1, S2, and S3, respectively.
framework, allowing the risk analyst focus on model
and parameters of the model rather than performing
chain corrections of computational formulas.
IV. QUANTITATIVE RISK ASSESSMENT FOR BOW-TIE
MODELS

For the diagram in Figure 2 with the notations as In this section we briefly describe how the
described above, the effective likelihood EL1 of computation model illustrated in Figure 2 and
Cause 1 towards producing the Critical Event is: described by equations similar to (1) and (2) can be
implemented in practice in a flexible and extensible
way.
L1*e11*p11*p12 (1)
A. Using XPath/XQuery for path-navigation of trees
Similarly, the effective severity ES1 of XQuery [8] is the de facto query language for
Consequence 1 is: searching Document Object Model (DOM) trees [11]
built from XML data. Since DOM trees can be
S1*m11*m12 (2) virtually built out of any hierarchical data, XQuery can
be used for searching trees, in general. At the core of
Based on effective likelihoods and severities, the the language there is a tree-navigation language
risk is evaluated according to specific risk-analysis (XPath), which traverses and selects sets of tree nodes
engineering rules using a classical logic and/or their attributes.
implication: “If the cause likelihood is L and the A path query for navigating the tree consists of a
consequence severity is S, then the risk category is sequence of /-separated steps and has the following
R”. Depending on the process being analyzed, the syntax:
results of the above logic implication are typically
defined using a 3x3, 5x5 [9], 7x4 [10], or 7x5 [3] Query := /step1/step2/…./stepn
chart (called risk matrix) as shown in Figure 3. The A step consists of a standard tree nodes
risk matrix in the example is clearly not universal, relationship (child, parent, descendant, ancestor,
as each process may have different approaches for sibling, etc), followed by a node name and possibly by
estimating the risk. Moreover, the estimated a filtering condition enclosed in brackets:
likelihood and severity used for risk analysis may
vary between maximum likelihood/severity among step := nodes-relationship::node-name[filter]
all causes/consequences or the averages of these For the purpose of discussion here, we will only
values. consider the simplified version of a step in a path
query:
step := node-name or step := @aname
10-1 TNA NA NA NA NA
where @aname refers to a special leaf node in a DOM
10-2 TNA TNA NA NA NA tree, called attribute.
10-3 TA TNA TNA NA NA
R
Likelihood

-4
10 TA TA TNA TNA NA

10-5 A TA TA TNA TNA

A B
-6
B @a
10 A A TA TA TNA
@a
10-7 A A A TA TA B @b

1 2 3 4 5 C
Severity
Figure 3. An example of a risk matrix (A = acceptable;
TA = tolerable-acceptable; TNA = tolerable-non-
acceptable; NA = non-acceptable)
It is the risk analyst who decides which method(s)
of computation to be used and the computational
framework/tool should provide means to
accommodate such methods. On top of these
challenges, a computational framework/tool should be
easily extensible. Naturally, a change of the risk
analysis model in Figure 2 may produce changes in
formulas (1) or (2). These changes should be
C
Figure 4. A DOM tree example
Figure 4 shows a DOM tree example where R (the
root), A, B, and C are node names; @a and @b are
attributes of the nodes they are connected to.
A path query like /R/A/B will produce a set of two
nodes (both nodes named “B” from the left hand side
of the tree). A path query like /R/B/@a will return a
single node, namely the attribute node @a of the node
B on the right hand side of the tree. The main purpose
of the path query part of XQuery is to select nodes of
 Y-46 Ionut Emil Iacob and Alex Apostolou
the tree. The individual nodes or set of nodes can then
be manipulated by the language using standard
programming concepts: variable assignments, loops,
conditional statements, and functions. It is not the
purpose of this paper to give a full description of the
language, for which the user is directed to the
language reference [10]. Next, we will illustrate and
explain a more complex.
B. Using XQuery in a bow-tie model
A typical bowtie diagram (as given in Figure 2) is
a directed graph. However, as illustrated in Figure 2,
the bowtie diagram can be decomposed in a “fault
tree” and an “event tree”. Each one of these parts can
be easily modelled as DOM trees, on which XQuery
searches can be perform. We illustrate the DOM
representation of the fault tree (left hand side of the
diagram) in Figure 5, but the representation of the
event tree is very similar.
CE
P P
p quantitative risk assessment in bowtie models using
p
P XQuery. The method allows the risk analyst focus
p p P primary on adjusting the model and its parameters in
P
p adjusting computational formulas required by model
E changes. XQuery is the de facto query standard for
C e C L C L
L of a bowtie model (see Figure 2).
Figure 5. The Fault Tree of a bowtie diagram: CE is the Central
Event node; Ps are the Prevent nodes (with @p attributes holding the
reduction factor values); E is the Escalation Factor node (with @e
the corresponding attribute holding the reduction factor value); Cs
are the Cause nodes (with @L being the corresponding likelihoods
stored as attribute nodes).
With the power of XQuery over the Fault and Event
Trees, one can successfully represent many models of
computation for the effective likelihood or severity the
Central Event is receiving. Regardless of how the
likelihood for producing the central event is computed
(as an average of all cause likelihoods, or as maximum
likelihood among all cause), one needs to compute the
effective likelihoods (after applying preventative
reductions) on each path from the central node CE
down to each cause C. These likelihoods can be easily
computed using the following query, for instance:
(1) declare function likelihood($node) {
(2) if ($node/P/E) then
(3) return $node/P/@p * $node/P/E/@e * likelihood($node/P)
(4) else if ($node/P)
(5) return $node/P/@p * likelihood($node/P)
(6) else if ($node/C) return $node/C/@L
(7) else return 1
(8) };
(9) for $ll in /CE/P
(10) return $ll/@p * likelihood($ll)
The main part of the query is in lines 9 – 10: the
immediate P child nodes from the central event node
CE are retrieved. For each P node, the reduction value
is multiplied with the result of the recursive function
likelihood() (lines 1 – 8). This recursive function goes
deep on a path to a cause C and multiplies along the
way all reductions of P nodes (and E nodes, if any),
and eventually computes the effective likelihood
produced by the cause at the bottom of the path. The
query eventually returns a sequence of effective
likelihoods (one effective likelihood per each cause in
the diagram), where each effective likelihood for
cause i is eventually computed as:
ELi = Li * Πκ=1..ν pik
where ELi is the effective likelihood produce by cause
i; Li is the likelihood of cause i; pik are the reduction
factors of all Prevent nodes (from 1 to n) on the path
to cause i. The major benefit of this query is the fact
that a change in the structure (adding/removing
Prevent or Cause nodes; changes of likelihood and/or
reduction factors) would not require adjusting any
computation formulas, hence extensibility is
achieved.
V. CONCLUSIONS
In this paper we present the bowtie model for risk
analysis and we introduce a general framework for
order to better fit the process, rather than permanently
tree data structures and can be naturally used for
processing the Fault Tree and Event Tree components
REFERENCES
[1] Aurélie Léger, Carole Duval, Philippe Weber, Eric Levrat,
Régis Farret. Bayesian Network Modelling the risk analysis
of complex socio technical systems. Workshop on Advanced
Control and Diagnosis, ACD'2006, Nov 2006, Nancy, France.
[2] Ioannis A. Papazoglou, Ben J.M. Ale, A logical model for
quantification of occupational risk, Reliability Engineering &
System Safety, Volume 92, Issue 6, June 2007, p 785-803.
[3] Adam S. Markowski, M. Sam Mannan, Fuzzy risk matrix,
Journal of Hazardous Materials, Volume 159, Issue 1, 15
November 2008, Pages 152-157, ISSN 0304-3894.
[4] B. Tchórzewska-Cieślak, K. Boryczko, I. Piegdoń,
Possibilistic risk analysis of failure in water supply network,
Safety and Reliability: Methodology and Applications -
Proceedings of the European Safety and Reliability
Conference, ESREL 2014, Pages 1473-1480.
[5] Peter C. Wierenga, Loraine Lie-A-Huen, Sophia E. de Rooij,
Niek S. Klazinga, Henk-Jan Guchelaar, Susanne M.
Smorenburg, Application of the Bow-Tie Model in
Medication Safety Risk Analysis, Drug Safety, 2009, Volume
32, Issue 8, pp 663-673.
[6] Meercat RiskView, http://www.meercat.com.au/
[7] BowTieXP, http://www.bowtiexp.com.au/
[8] XQuery 1.0: An XML Query Language (Second Edition),
W3C, http://www.w3.org/TR/xquery/
[9] B. Ruge, Risk Matrix as Tool for Risk Assessment in the
Chemical Process Industries, ESREL 2004, paper 0192.
[10] O. Salvi, B. Debray, A global view on ARAMIS, a risk
assessment methodology for industries in the framework of
the SEVESO II directive, J. Hazard. Mater. 130 (2006) 187–
199.
[11] Document Object Model (DOM), http://www.w3.org/DOM/.