When investigators reconstructed the Buncefield explosion of 2005, the Texas City refinery disaster the same year, and the Macondo blowout five years later, they reached a strikingly similar conclusion: each company's risk register correctly listed the hazard. What none could show, on the morning of the event, was which controls were actually still working. Barriers had degraded — some bypassed during commissioning, others defeated by override procedures no one had updated, a few never existing in the form the documentation implied. The hazard was known. The barrier picture was an illusion.
Bow-tie analysis exists to make that picture honest. For HSE professionals working in oil and gas, chemicals, mining, aviation, or any industry where one uncontrolled release of energy can cause multiple fatalities, the bow-tie is no longer optional reading — it is the dominant visualization tool for major-accident hazards (MAH), embedded in CCPS guidance, the UK HSE's safety case regime, EI 510, and ISO 17776 for offshore installations. Yet it is also one of the most misused tools in the HSE canon: turned into a wallchart for audits, populated with controls that are not really barriers, and disconnected from the management system supposed to keep them effective. This article walks through how to build a bow-tie that earns its keep.
A traditional risk register asks three questions: what can go wrong, how bad, how likely. It captures hazards as rows. It does not show how prevention and mitigation interact, where a single control sits on multiple pathways, or which controls share a common-mode failure. For occupational risks where the loss is bounded — a single sprain, a single laceration — a register is adequate. For process safety, where one ignited vapor cloud can kill twenty people, it is not.
The bow-tie diagram, popularized in the early 1990s by Royal Dutch Shell as part of its Tripod methodology and then absorbed into the broader HSE community, addresses this by forcing the analyst to draw the entire accident sequence in a single field of view. On the left side are threats — the credible initiating events. On the right are consequences. In the middle, at the knot of the bow, sits the top event: the moment control of the hazard is lost. Between threats and the top event run preventive barriers. Between the top event and consequences run mitigative barriers. Beneath each barrier sit escalation factors — the failure modes that degrade it — and the barriers that protect against those escalation factors. The result, when done properly, is a forensic map of how a major accident actually happens.
Regulators have caught up. Under the UK COMAH regulations, upper-tier operators must demonstrate that "all measures necessary" have been taken. The Australian model WHS Regulations for major hazard facilities require a documented safety case identifying controls and their performance standards. The US OSHA Process Safety Management standard (29 CFR 1910.119) requires a hazard analysis addressing engineering and administrative controls for each hazard. In each regime, bow-tie diagrams have become the de facto demonstration artifact — not because the regulations name them, but because nothing else communicates barrier logic as efficiently to a regulator, a board, and a shift supervisor at the same time.
Six elements have to be defined precisely, and they have to be defined in the right order.
Hazard. This is the source of harm — typically expressed as the energy or substance whose uncontrolled release would cause damage. "Hydrocarbon liquid under pressure in vessel V-201" is a hazard. "Slips, trips, and falls" is not — it is a consequence category. A common early error is to write hazards too broadly ("hot work") or too narrowly ("welder using oxy-acetylene on platform 3 north"). The right level is the one that allows you to identify a single, definable loss of control.
Top event. This is the loss of control of the hazard. For "hydrocarbon liquid under pressure in V-201," the top event is "loss of containment from V-201." It is not a consequence, and it is not an incident. The top event is the moment at which preventive controls have failed and mitigative controls become relevant. Choosing the wrong top event — typically by picking something that is already a consequence — collapses the diagram and hides the barriers that matter.
Threats. These are the credible initiating mechanisms that could, on their own, cause the top event. For a loss of containment, threats typically include overpressure, corrosion-induced wall thinning, mechanical impact, vibration-induced fatigue, and operational error during drainage or sampling. The discipline here is to enumerate independent pathways, not symptoms. "Corrosion" is a threat; "high CO2 in produced fluid" is a degradation factor that accelerates the threat.
Consequences. These are the end states if both preventive and mitigative barriers fail. They must be defined as bounded outcomes — pool fire on deck, vapor cloud explosion, fatality from H2S exposure — because the mitigative side cannot be designed against an unbounded "harm to people."
Barriers. A barrier is a control that, by itself, can either prevent the threat from becoming the top event (preventive) or stop the top event from becoming a consequence (mitigative). CCPS and EI 456 guidance require that to count as a barrier, a control must be effective (capable of performing under the demand it will see), independent (its failure is not caused by the same mechanism as the threat), and auditable (testable, measurable, with an owner and a performance standard). A laminated procedure pinned to the wall is not a barrier. A relief valve with a documented set pressure, a five-year inspection regime, an instrumented test record, and a designated responsible engineer is.
Escalation factors and their barriers. Beneath each main barrier, the diagram records the conditions under which it would fail — bypassed isolation, deferred inspection, override in alarm flood — and the controls that protect against those failures. This is where the bow-tie becomes a management-system document rather than a hazard cartoon. Override procedures, MoC (management of change) gates, competency assurance records, and operator training are all escalation-factor controls.
A bow-tie built in a workshop with the right people takes about a day per top event for a moderately complex unit. The process is straightforward but unforgiving.
Start by selecting top events that matter. For a hydrocarbon processing facility, this typically means the top events that drive the major-accident hazard inventory: loss of containment from pressurized systems, loss of well control, fire on a flammable inventory, toxic release. Bow-ties for routine occupational risks (manual handling, ergonomic strain) waste the methodology — they are better handled by job safety analysis.
For each top event, run a multidisciplinary workshop with process engineering, operations, maintenance, instrumentation and controls, and HSE. Brainstorm threats first, then consequences, then barriers. Resist the temptation to populate barriers from the existing controls list. Instead, ask: if this threat occurred today, what would actually stop it? The gap between the two answers is your honest finding.
Then test each barrier against the independence, effectiveness, and auditability criteria. A useful discipline is the "single point of failure" check: if a barrier on the preventive side and a barrier on the mitigative side share the same power supply, the same instrument, or the same maintenance cycle, they are not two barriers — they are one barrier represented twice. This is how organizations end up with bow-ties showing eight controls and a real-world resilience of two.
Finally, assign each barrier an owner, a performance standard, and an assurance task. The performance standard says what "working" looks like — for a relief valve, set pressure within tolerance and tested at the required interval. The assurance task is the recurring activity that demonstrates it. This is the linkage that turns the bow-tie into a live document: when a maintenance backlog report shows an overdue PSV pop-test, it is not just a maintenance KPI miss — it is a degraded barrier on a specific bow-tie, and the risk profile of the facility has changed measurably.
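The single-point-of-failure check and the barrier-health linkage described above can be made mechanical. The following is an added example, not part of the original article or any vendor tool: each barrier carries its owner, its shared dependencies (power feed, instrument, procedure, maintenance cycle), its next assurance due date and whether it relies on an operator following a procedure; barriers that share any dependency are merged into one real barrier, and an overdue assurance task marks the barrier degraded. The barrier names, tags, owners and dates are constructed for the V-201 overpressure pathway.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Barrier:
    name: str
    owner: str                     # named responsible person, per the assurance step
    dependencies: frozenset        # shared resources: power feed, instrument, procedure, PM cycle
    assurance_due: date            # next date the recurring assurance task must be done
    administrative: bool = False   # only works if an operator follows a procedure

def independent_groups(barriers):
    """Single-point-of-failure check: barriers sharing a dependency fail together, so each group is ONE barrier."""
    groups = []
    for b in barriers:
        merged, rest = [b], []
        for g in groups:
            if any(b.dependencies & other.dependencies for other in g):
                merged.extend(g)      # join every group this barrier touches (transitive)
            else:
                rest.append(g)
        groups = rest + [merged]
    return groups

def pathway_report(threat, barriers, today):
    """Honest barrier count for one threat-to-top-event pathway, plus overdue (degraded) barriers."""
    groups = independent_groups(barriers)
    return {
        "threat": threat,
        "listed": len(barriers),
        "independent": len(groups),
        "common_mode": [sorted(b.name for b in g) for g in groups if len(g) > 1],
        "administrative": sum(b.administrative for b in barriers),
        "degraded": sorted(b.name for b in barriers if b.assurance_due < today),
    }

# Constructed sample: overpressure pathway for top event "loss of containment from V-201".
OVERPRESSURE = [
    Barrier("PSV-201 relief valve", "mechanical integrity engineer",
            frozenset({"pm-cycle-psv"}), date(2024, 3, 1)),
    Barrier("PAHH-201 trip closes inlet ESDV", "C&I lead",
            frozenset({"ups-a", "pt-201"}), date(2025, 6, 30)),
    Barrier("PAH-201 alarm and operator response", "shift superintendent",
            frozenset({"ups-a", "pt-201", "operator-procedure"}), date(2025, 6, 30), True),
    Barrier("Drain/sample procedure OP-12", "operations manager",
            frozenset({"operator-procedure"}), date(2025, 12, 31), True),
]
REVIEW_DATE = date(2025, 1, 1)   # constructed review date for the report

if __name__ == "__main__":
    print(pathway_report("Overpressure", OVERPRESSURE, REVIEW_DATE))
```

Four listed barriers collapse to two independent ones because the trip, the alarm and the procedure share an instrument, a UPS or the operator, and the relief valve shows as degraded because its pop-test is overdue.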
Several pathologies recur in bow-tie programs that look good on the wall but fail under audit.
The first is barrier inflation. To make the diagram look reassuring, teams list every procedure, every training course, and every signage standard as a barrier. After the count passes thirty, the diagram is no longer a risk model — it is a comfort blanket. A clean bow-tie usually shows three to six barriers per pathway. More than that is a sign the team has not distinguished barriers from supporting activities.
The second is administrative dependency. When five of six "independent" barriers depend on the operator following the procedure, the bow-tie has one barrier — human performance — wearing five hats. This is the structural error that the Texas City investigation identified: the layers of protection looked thick on paper and were thin in physical reality.
The third is drift. A bow-tie is a snapshot. Without an MoC linkage, plant modifications, deferred maintenance, and procedural changes will quietly degrade the barriers over months and years. The IOGP 415 guidance recommends that bow-ties for MAH be reviewed annually as a minimum, after any significant MoC, and after any incident or near-miss that involves one of the documented threats.
The fourth is disconnection from the SMS. A bow-tie that lives in a PDF on a shared drive, with no link to the work-order system, the audit schedule, or the competency matrix, will not survive. The barriers must point to the maintenance tasks, training records, and inspection regimes that keep them alive — and the SMS must, in turn, surface barrier health back to the line manager.
Bow-tie analysis is a qualitative tool. It shows logic and structure; it does not, by itself, quantify probability. For high-consequence scenarios, the bow-tie should sit alongside a Layer of Protection Analysis (LOPA), which assigns probabilities of failure on demand to each independent protection layer and produces a numerical mitigated frequency. The two methods are complementary: the bow-tie tells you which barriers exist and how they interact, and LOPA tells you whether the combined risk reduction is enough.
Within a formal safety case — required under COMAH, the Norwegian PSA regime, the Australian OPGGS Act, and various national equivalents — bow-ties provide the visualization layer that links identified MAHs to the performance standards in the safety management system. They are not the safety case, but a safety case without them is harder to defend, harder to audit, and harder for operators to internalize.
For HSE professionals starting or resetting a bow-tie program, three steps will move the work from compliance artifact to operational reality. First, restrict scope to MAH and prove the methodology there before extending it; bow-ties for low-consequence hazards waste analyst time and dilute the diagrams that matter. Second, assign every barrier a named owner, a performance standard expressed in measurable terms, and a recurring assurance task — and make those visible in the same system that tracks maintenance compliance and audit findings. Third, treat the diagrams as living documents: pull them into MoC reviews, into incident investigations, and into shift handovers, so that degraded barriers are surfaced in real time rather than discovered in the next regulatory inspection.
Done well, bow-tie analysis does not just describe how a major accident could happen. It describes, in a form that a regulator, a board, and a control-room operator can all read, why one is not happening today — and what would have to change for that statement to stop being true.