Home / Guides / What is bowtie analysis?

What is bowtie analysis?

Bowtie analysis is a visual risk-assessment technique that puts a single hazardous event in the centre of a diagram, with the things that can cause it on one side and the things that can follow on the other, separated by the controls — barriers — that mitigate them.

The shape of a bowtie

A bowtie diagram has five elements:

• Top event — the hazardous event sitting in the centre. The loss of containment, the runway incursion, the data breach, the medication overdose.
• Threats — the things that can cause the top event, drawn on the left.
• Preventive barriers — the controls that stand between threats and the top event.
• Consequences — what could happen if the top event occurs, drawn on the right.
• Recovery barriers — the controls that reduce, contain, or mitigate the consequence.

Many practitioners also model escalation factors — the conditions that defeat or degrade a barrier — and the secondary controls that defend against those.

Why a bowtie?

Risk registers and FMEA tables are necessary, but they are hard to read in a meeting. A bowtie is a single picture that explains the hazard, what mitigates it, and where the picture is fragile. Auditors, operators, regulators, and executives can all read the same diagram and discuss it in the same language.

Bowtie analysis is particularly suited to:

• Communicating risk to non-specialist stakeholders.
• Demonstrating ALARP and the safety case in process industries.
• Workshops where multidisciplinary teams need a shared diagram language.
• Post-incident reviews where the goal is to understand which barriers failed.

A worked example: process safety

Consider a top event of loss of containment of flammable hydrocarbon.

Threats might include corrosion of pipework, overpressure, mechanical impact, and operator error during a maintenance turnaround. Each threat sits on the left, with preventive barriers between it and the top event: an inspection regime against corrosion; a pressure-relief valve and high-pressure trip against overpressure; a permit-to-work system and toolbox talk against mechanical impact; competent-person sign-off against operator error.

Consequences might include fire, explosion, environmental release, and personnel injury. Each sits on the right, with recovery barriers between it and the consequence: gas detection and emergency isolation against ignition; bunding and drainage against environmental release; emergency response and first-aid against personnel injury.

Escalation factors might include unavailability of the relief valve due to incorrect maintenance, or degraded gas detection during fog. Each escalation factor has its own secondary control.

The result is a single diagram that an operations manager and a regulator can both read.

A worked example: cybersecurity

The same shape, different vocabulary. Top event: unauthorised access to customer database. Threats: phishing, exposed credentials, exploited web vulnerability, insider misuse. Preventive barriers: MFA, password manager, web application firewall, role-based access control. Consequences: data exfiltration, regulatory fine, reputational damage. Recovery barriers: detection, incident response, breach notification, customer credit monitoring.

What bowties don't do

A bowtie is not a quantitative risk assessment. It does not replace a LOPA, a fault tree, or a quantitative consequence model. It complements them. A bowtie is the picture; LOPA gives you the numbers behind the barriers; fault-tree analysis gives you the logic of how a top event arises; consequence modelling gives you the size of the outcome.

A bowtie is also not a substitute for honest barrier validation. A diagram with eight barriers per threat is reassuring; a diagram with eight barriers per threat where six of them have the same single point of failure is dangerous. Escalation factors exist to make this visible.

How to draw a good bowtie

1. Pick a single, specific top event. "Loss of containment" is a category. "Loss of containment of hydrocarbon from pipework" is a top event.
2. Brainstorm threats and consequences first, barriers second. A diagram drawn around the existing controls flatters them.
3. Be honest about barrier independence. Two barriers that share a power supply or an operator are not really two barriers.
4. Use escalation factors. Most consequential incidents involve a barrier that failed for a known reason.
5. Review the bowtie with operations, not just engineering. The people who maintain the barriers know which ones really work.

Standards and references

Bowtie analysis appears across:

• IEC 31010 — risk-assessment techniques.
• CCPS publications on process safety.
• ICAO Doc 9859 — Safety Management Manual.
• ISO 14971 — medical-device risk management (as a complementary technique).

Try it

The fastest way to understand bowtie analysis is to draw one. Open the editor →

Related guides

• Bowtie vs. fault-tree analysis
• Barriers, threats, and consequences explained