Guide · Bowtie risk assessment
The bowtie method, explained
Bowtie risk assessment is the clearest way anyone has found to put a major risk on one page: what could release it, what would follow, and — most importantly — every barrier standing in between. This guide explains the method from first principles: where it came from, how a bowtie diagram is built, a worked example you can copy, and where the method's limits are. No prior risk-engineering background required.
What is the bowtie method?
The bowtie method is a barrier-based risk analysis technique. It takes one hazardous activity and maps the credible pathways from cause to consequence through a single central point — the top event, the moment you lose control. Threats fan in from the left, consequences fan out to the right, and the resulting shape looks like a bowtie. On every pathway you place barriers: the specific controls that stop a threat from releasing the hazard, or that limit the damage once it has been released. The finished diagram answers the question auditors, regulators and boards actually ask: not "is this risk high or low?" but "what, concretely, is keeping it under control — and is each of those things working?"
The method has industrial roots. Bowtie-shaped hazard diagrams first appear in course notes from Imperial Chemical Industries (ICI) in the late 1970s. It was Royal Dutch Shell that matured the technique in the early 1990s, making it a group standard in the years after the Piper Alpha disaster of 1988, when the oil and gas industry was forced to demonstrate — not merely assert — how major accident hazards were controlled. Today the bowtie is a recognized risk assessment technique in IEC 31010, supporting the ISO 31000 framework, and the joint CCPS / Energy Institute guidance Bow Ties in Risk Management (2018) is its de facto methodology handbook.
Adoption long ago escaped oil and gas. Process safety teams use bowties for loss-of-containment scenarios; aviation uses them for runway excursions and controlled flight into terrain; mining for ground failure and vehicle interactions; healthcare for medication error and patient deterioration; and security teams increasingly use them for cyber scenarios like ransomware. The common thread: a small number of risks that can genuinely hurt people or end the organization, controlled by barriers that must be managed, not just listed.
Anatomy of a bowtie diagram
Every bowtie is built from the same seven elements. Get the definitions right and the diagram almost draws itself; get them wrong and you end up with a cause-and-effect spaghetti chart wearing a bowtie.
The thing you work with that has the potential to cause harm — flammable inventory, working at height, moving vehicles. A hazard is not a problem in itself; it is usually the reason the business exists. The bowtie does not try to remove it, only to keep it under control.
The knot in the middle: the moment control over the hazard is lost. Not yet the harm itself — the release of containment, the dropped load, the forklift striking a person. Choosing a crisp top event is the single most important modelling decision in the whole exercise.
The credible, direct causes on the left side — each one capable of producing the top event on its own. "Human error" is not a threat; "driver reverses with an obstructed view" is. Specific threats invite specific barriers.
The credible outcomes on the right side if the top event occurs: injuries, environmental damage, asset loss, regulatory shutdown. Each consequence gets its own line, because each tends to need different recovery measures.
Controls placed on the threat lines, left of the knot, that stop a threat from causing the top event. A good barrier passes a hard test: it must be able to stop the scenario by itself, on its own line. "Safety culture" fails that test; "interlocked gate on the charging bay" passes.
Controls on the consequence lines, right of the knot, that limit harm once control is already lost: detection, shutdown, containment, emergency response, evacuation. Mature bowties are honest about needing both sides — prevention fails sometimes.
Conditions that degrade a specific barrier — not new threats, but reasons a barrier might not work when called upon. Fog defeats the mirror at the blind corner; a hiring surge defeats the training barrier. Escalation factors hang off the barrier they attack, and they often carry barriers of their own.
Barriers themselves come in recognizable types — passive (a bund, a fire wall), active hardware (a shutdown valve, an interlock), socio-technical (an alarm plus the operator who must act on it), behavioural (a procedure, a permit) and continuous (ventilation, cathodic protection). The further a barrier leans on a human doing the right thing under pressure, the more assurance it needs. Put together, the skeleton looks like this:
A worked example: forklifts and pedestrians
The classic warehouse scenario. The hazard is forklifts operating near pedestrians — a normal, necessary part of the operation. The top event is the moment control is lost: a forklift strikes a person. Here is a deliberately small bowtie for it — a real workshop would add more threats, more barriers per line, and escalation factors.
Everything left of this moment is prevention. Everything to the right is about how bad the next five minutes get.
Notice what the structure forces. Each threat is specific enough to act on. Each barrier sits on one line and could plausibly stop the scenario on its own. And the right side exists at all — many risk assessments quietly assume prevention always works. Now hang an escalation factor on barrier one: "seasonal agency staff unfamiliar with site rules." The walkways are still there, but the people most likely to step out of them just changed. That is the kind of insight a probability-times-severity score will never give you.
Bowtie analysis vs. the risk matrix
The two are not rivals; they answer different questions. A risk matrix tells you how much risk you think you carry — likelihood against severity, a colour, a ranking. A bowtie tells you how that risk is controlled: which barriers exist, on which pathways, owned by whom, in what condition. The matrix is a prioritization tool; the bowtie is a control-assurance tool.
The failure mode of matrix-only risk management is well documented: a hazard scores "amber, tolerable," everyone moves on, and nobody can say which specific controls that score depends on — or notice when one of them quietly stops working. The bowtie's failure mode is effort: it takes a workshop, not a spreadsheet cell. A sensible rule of thumb: score everything on the matrix, then build bowties for the risks in the red and amber corner — the ones where "we think it's unlikely" is not a good enough answer for the people exposed to it.
The same logic separates the bowtie from its analytical cousins. Fault trees and event trees quantify a single scenario in depth; HAZOP finds the deviations in the first place; LOPA counts independent protection layers on one cause–consequence pair. The bowtie is the communication layer on top: rigorous enough for engineers, readable enough for the board and the workforce whose behaviour the barriers depend on.
From wall chart to living bowtie
Here is the uncomfortable truth about most bowties: they peak on the day the workshop ends. The diagram gets laminated, the PDF goes in the safety case, and from that moment it describes the barriers as they were — not as they are. Barriers degrade silently. The proof test slips, the trained operator leaves, the mirror at the blind corner fogs over, and the diagram on the wall keeps smiling.
A bowtie earns its keep when it becomes an operating document. That means every barrier has an accountable owner. It means barrier health is tracked, not assumed — and that the assurance activities keeping a barrier alive (inspections, proof tests, refresher training) have due dates, with the barrier's health degrading automatically when one slips. And it means incidents and near-misses are logged against the bowtie, recording whether each barrier worked, degraded or failed — so the weakest barriers reveal themselves from evidence rather than opinion.
You can run that discipline on a spreadsheet next to a drawing tool — plenty of teams do, for a while. It is exactly the part we built SolidBowtie for: bowties with owned, health-tracked barriers, assurance tasks that degrade them when overdue, incident feedback, and an AI that drafts a method-correct first bowtie from a plain-language description of your operation. The Starter plan is free, and your forklift bowtie takes about twenty minutes.
Frequently asked questions
Who invented the bowtie method?
No single person, and no single moment. The earliest known bowtie-shaped hazard diagrams appear in Imperial Chemical Industries (ICI) course notes from the late 1970s. The method's real maturation came at Royal Dutch Shell in the early 1990s, when the company adopted it as a group standard for demonstrating control of major accident hazards — part of the industry-wide reckoning that followed Piper Alpha in 1988. Shell's adoption is what carried the bowtie across oil and gas and, from there, into aviation, mining, healthcare and beyond.
Is the bowtie method part of ISO 31000?
Not directly. ISO 31000 is a framework standard — it describes how risk management should be organized, and deliberately prescribes no techniques. Its companion standard, IEC 31010, catalogues risk assessment techniques, and bowtie analysis is one of the recognized methods in it. So a bowtie programme supports an ISO 31000-aligned process rather than being required by it. For methodology detail, the CCPS / Energy Institute guidance Bow Ties in Risk Management (2018) is the reference most practitioners actually work from.
How is bowtie analysis different from desktop tools like BowTieXP?
Bowtie analysis is the method; BowTieXP is one well-known desktop tool for applying it, and it is genuinely good at building and documenting diagrams. The distinction that matters more is diagram versus system. A desktop file lives on one machine, is current as of its last save, and reaches the organization as a static export. A barrier-management system keeps the same bowtie connected to operations — owners, assurance tasks, barrier health, incident records — so the diagram stays true between revisions. Which you need depends on whether your bowtie's job ends at the safety case or starts there.
How many bowties does a typical site need?
Fewer than most teams expect. Bowties are for major accident hazards and the handful of risks that could genuinely end lives or the licence to operate — not for every line in the risk register. Most sites cover their major hazards with five to fifteen bowties; a complex process plant might justify a few dozen. If you find yourself past fifty, you are probably modelling risks that a simpler assessment would handle, and diluting the attention your critical barriers deserve.
What does it cost to get started?
The method itself costs nothing but time: a whiteboard, the CCPS/EI book if you want rigour, and the people who actually run the operation in the room for an afternoon. For software, SolidBowtie's Starter plan is free — one organization, up to three bowties, the full canvas with barriers, escalation factors and health roll-up. The Team plan adds AI drafting, realtime collaboration, incident analysis and dashboards at €9 per editor per month, and viewers are always free on every plan.