Home / Guides / Barriers, threats & consequences
Barriers, threats & consequences
Five terms do most of the work in a bowtie diagram. Getting them right turns a wall chart into a real risk picture.
Top event
The hazardous event sitting in the centre of the bowtie. A top event should be specific, observable, and located on the boundary between "everything is fine" and "we have a problem." Loss of containment of hydrocarbon is a top event. Damage to the plant is a consequence.
Threats
The plausible causes of the top event, drawn on the left. Each threat should be capable, on its own, of producing the top event in the absence of barriers. "Operator forgets to close valve" is a threat. "Maintenance" is a category, not a threat.
Preventive barriers
Controls that sit between a threat and the top event. They reduce the likelihood that the threat reaches the top event. Examples: pressure-relief valves, permits-to-work, two-person sign-off, software input validation, MFA on a login.
A useful question for any preventive barrier: if every other barrier failed, would this one alone stop the top event? If yes, it is a real barrier. If no, it is a contributing factor.
Consequences
What follows from the top event, drawn on the right. Each consequence is a distinct outcome — fire, environmental release, regulatory fine, harm to a person. Bundling consequences together hides the fact that recovery barriers differ between them.
Recovery barriers
Controls that sit between the top event and a consequence. They reduce the severity of the consequence. Examples: emergency shutdown systems, gas detection, bunding, incident response plans, customer credit monitoring after a breach.
Escalation factors
Conditions that defeat or degrade a barrier. Common examples: human error, environmental conditions (fog defeating gas detection; humidity defeating an electrical interlock), shared single points of failure (one technician maintaining all the relief valves on one shift), test or maintenance windows when a barrier is offline.
An escalation factor usually has its own secondary control — the thing that defends the barrier from the escalation factor.
A common mistake
Counting controls instead of barriers. A bowtie that lists ten preventive controls per threat is not necessarily safer than one that lists three. The question is independence — would they all fail together for a single root cause? Two barriers that share a power supply, an operator, or a calibration source are effectively one barrier.