What barrier management is
A bowtie diagram is an analysis tool. Barrier management is what you do with it after it's drawn.
In practice, barrier management means actively maintaining and verifying that every barrier on a bowtie is in place, is functional, and will perform when needed. It is the operational system — owners, tasks, health data, incident feedback — that keeps a static risk diagram alive and trustworthy.
The term is most widely used in major hazard industries (oil and gas, chemicals, mining, nuclear), where regulatory frameworks such as the UK Health and Safety Executive's Safety Case regime, the Norwegian Petroleum Safety Authority's barrier management framework, and the offshore regulations administered by Australia's NOPSEMA all require that safety barriers be specified, maintained, and verified. But the underlying logic applies to any operation where the consequence of losing a barrier is severe: aviation, rail, healthcare, offshore wind, and increasingly critical infrastructure under cyber threat.
Barrier management is not the same as safety management. Safety management encompasses culture, leadership, competence, and system-level design. Barrier management is the specific discipline of keeping each individual barrier — a trip, a procedure, a trained operator, a containment system — in a known, verified state.
Barrier types
Barriers are classified along two dimensions: their position relative to the top event, and their nature.
Position: preventive vs recovery
Preventive barriers sit on the threat side of the bowtie. They interrupt causal pathways before loss of control occurs. A pressure relief valve that lifts at its set pressure, at or below the vessel's maximum allowable working pressure, is a preventive barrier on the overpressure pathway. A permit-to-work system that stops an operator from breaking into a live line is a preventive barrier.
Recovery barriers sit on the consequence side. They limit the harm after control is lost. An emergency shutdown system that isolates a segment after a gas detector fires is a recovery barrier. A spill containment bund is a recovery barrier. A muster and headcount procedure is a recovery barrier.
The distinction matters because the assurance questions are different. For a preventive barrier you ask: Can this barrier interrupt the threat pathway? For a recovery barrier you ask: Can this barrier limit the consequence once the top event has happened?
Nature: hardware, human, and procedural
Hardware barriers are physical: trips and interlocks, relief valves, fire suppression systems, containment structures, segregation distances. Their failure modes are generally detectable through inspection and testing — but only if an inspection and testing programme actually exists.
Human barriers are performed by a person: an operator observing a level gauge and initiating corrective action, a supervisor conducting a pre-task check, a control room operator responding to an alarm. Human barriers depend on competence, workload, and the quality of the information available to the person. They fail in ways that are less visible than hardware failures: gradual skill erosion, normalised deviation, alarm fatigue.
Procedural barriers are documented steps that must be followed to prevent or limit harm: a chemical isolation procedure, a permit-to-work system, an emergency response checklist. A procedural barrier is only as effective as its compliance rate — an excellent procedure that is routinely bypassed in practice is not a functioning barrier.
Most bowties contain a mixture of all three. An effective barrier management programme recognises that each type degrades differently and therefore needs different assurance methods.
Barrier quality: effectiveness, availability, and reliability
A barrier is only worth listing if it can actually perform its function. Three attributes determine whether a barrier is genuinely protective or merely nominal:
Effectiveness describes whether the barrier, when activated and functioning correctly, is capable of preventing the top event or limiting the consequence. A relief valve whose relieving capacity is below the required relief load is not an effective preventive barrier for the overpressure pathway, regardless of what the P&ID says.
Availability describes the fraction of time the barrier is in a state where it could perform if demanded. A relief valve that is in bypass for maintenance is unavailable. An operator who is managing six simultaneous alarms is less available to respond to a seventh. Availability is where many barrier failures begin: the barrier exists, it might even be effective, but it is not in a position to act.
Reliability describes the probability that the barrier performs correctly when demanded. A pressure transmitter that has a history of spurious trips has low reliability; operators start to ignore its alarms. A fire door that has been propped open for convenience is functionally unreliable regardless of its rated performance.
A fully effective barrier that is frequently unavailable provides much less protection than the diagram implies. Tracking all three attributes — not just confirming that a barrier exists — is what distinguishes serious barrier management from checkbox compliance.
Owners and accountability
Every barrier on a bowtie must have an individual owner. Not a department, not a role in the abstract — a named person who is responsible for that barrier's continued performance.
The barrier owner's responsibilities are:
- Confirming the barrier exists and is correctly configured for the hazard it protects against
- Ensuring assurance tasks are scheduled and completed — inspection, testing, procedure review, competence verification
- Escalating when the barrier is degraded — reporting unavailability, requesting maintenance, triggering compensatory measures when the barrier cannot be immediately restored
- Updating the bowtie when the barrier changes in a way that affects the risk picture
Ownership without authority to act is ineffective. A barrier owner who identifies that a relief valve is in bypass but has no mechanism to escalate and no compensatory measure authority is not really managing the barrier — they are monitoring a degraded state and hoping someone else acts.
In practice, barrier ownership is distributed across disciplines: engineering for hardware barriers, operations management for human barriers, the HSE function for procedural barriers. The barrier management system needs to surface all barriers and their health data in a way that each owner can see their own accountabilities without reviewing the whole bowtie every day.
Barrier health and degradation
Barrier health is a real-time picture of the operational status of each barrier. A barrier is healthy when it is in place, available, and has passed its most recent assurance tests. A barrier is degraded when something — a maintenance bypass, an overdue test, a competence gap — has reduced its ability to perform.
Degradation mechanisms vary by barrier type:
- Hardware barriers degrade through corrosion, wear, calibration drift, software version mismatch, and physical damage. They can also be intentionally isolated for maintenance — a legitimate reason for temporary unavailability that needs a compensatory measure.
- Human barriers degrade through skill fading (low task frequency), shift handover failures, understaffing, and increased cognitive load. They can also degrade when the task description changes but training does not keep pace.
- Procedural barriers degrade when procedures are not kept current with the physical plant, when authorisation levels shift without updating the permit, or when compliance checking lapses.
Escalation factors are the named conditions on the bowtie that cause a specific barrier to degrade. In standard bowtie practice each escalation factor gets its own controls (for example, a maintenance bypass register and a time limit on bypasses are controls on the escalation factor "barrier isolated for maintenance"), and those controls need owners and assurance just like primary barriers. Making escalation factors explicit, rather than leaving barrier degradation as a vague possibility, focuses assurance effort on the mechanisms that actually happen.
A well-managed barrier has a defined degraded-barrier protocol: a predetermined set of compensatory measures that activate when the primary barrier is unavailable. For a safety-instrumented function being tested, the compensatory measure might be enhanced operator monitoring of the protected variable and a reduced test window. For an OT network firewall being patched, it might be additional logging at adjacent network segments and a formal standby approval from the OT security team before any traffic changes.
Assurance tasks that keep barriers alive
Assurance is the evidence-gathering activity that confirms a barrier is actually performing. Without assurance, a bowtie is a model of assumptions, not a verified picture of protection.
Common assurance activities by barrier type:
| Barrier type | Assurance activity | Typical frequency |
|---|---|---|
| Safety instrumented function (SIF) | Proof test to confirm trip logic and final element | Interval set by the SIL verification calculation (often annual) |
| Pressure relief valve | Bench test and recertification | Per inspection code or risk-based inspection interval (typically 2–5 years) |
| Fire detection and suppression system | Functional test, detector response test, deluge activation test | Quarterly to annually |
| Permit-to-work system | Compliance audit — sample of active permits vs. actual site conditions | Monthly to quarterly |
| Human — competence-critical task | Competency assessment, observed task performance | Per training matrix (typically annually) |
| Emergency response procedure | Drill and debrief against the documented procedure | Annually; scenario variety across 3-year cycle |
| OT network segmentation | Firewall rule review; penetration test of the segment boundary | Rule review after every firewall change and at least annually; penetration test annually |
The assurance schedule for safety-critical barriers in major hazard industries is typically defined in the Safety Case or Major Hazard Facility permit and is subject to regulatory verification. For other sectors, the schedule should be proportionate to the consequence severity if the barrier fails and to the known degradation rate.
How incidents test barriers
Every incident involving a hazard that has been modelled in a bowtie is a data point about barrier performance. The investigation question is not just "what caused the incident?" but "which barriers were present, which failed, and why?"
This framing — known as barrier analysis — is built into formal investigation frameworks like ICAM (Incident Cause Analysis Method) and is consistent with the systemic investigation approach advocated by most major regulators.
An incident may reveal:
- A barrier that was on the bowtie but had been degraded without the barrier management system recognising it
- A threat pathway that was not captured in the bowtie at all
- A barrier that appeared effective on paper but was never realistically capable of performing as designed
Each of these findings is an input to a bowtie update. A barrier management programme that loops incident findings back into the bowtie model is progressively more accurate than one that leaves the original diagram unchanged until the next scheduled review.
Near-misses are equally valuable: a near-miss is an event where the top event was reached but the consequences were limited by recovery barriers, or where a threat was active but preventive barriers held. Near-miss data should be reviewed against the bowtie with the same rigour as full incidents.
From static diagram to living bowtie
The original promise of the bowtie method was that it creates a communicable picture of risk that everyone — from the operator on the job to the board — can understand. That promise is only delivered if the bowtie reflects current reality, not the state of the plant on the day the diagram was drawn.
Keeping a bowtie alive requires:
- A system for recording barrier ownership and accountability
- A schedule of assurance tasks linked to each barrier, with completion tracking
- A mechanism for marking barriers as degraded and activating compensatory measures
- A management of change (MoC) process that carries plant, procedure and organisational changes, together with incident findings, into the diagram
- Regular review of barrier health across the portfolio of bowties — not just individual barriers in isolation
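The list above, the degraded-barrier protocol described under "Barrier health and degradation", and the assurance table can be expressed as a small barrier register. The following is an added example written for this article, not SolidBowtie's data model or code; the barrier names, owners, intervals and dates are constructed sample data, and the status rules (a missing owner or a bypass with no compensatory measure triggers escalation, an overdue assurance task or a covered bypass marks the barrier degraded) are this example's own assumptions.

```python
# Added example: a minimal barrier register that turns ownership, assurance
# schedules and bypass state into a computed health status. Illustrative code
# for this article, not a product's data model; all sample data is constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class AssuranceTask:
    name: str
    interval_days: int              # e.g. 365 for an annual SIF proof test
    last_completed: Optional[date]  # None means the task has never been done

    def is_overdue(self, today: date) -> bool:
        if self.last_completed is None:
            return True
        return today > self.last_completed + timedelta(days=self.interval_days)


@dataclass
class Barrier:
    name: str
    kind: str                       # "hardware", "human" or "procedural"
    owner: Optional[str]            # a named person; None is an accountability gap
    tasks: list[AssuranceTask]
    bypassed: bool = False          # isolated for maintenance, in test, etc.
    compensatory_measures: list[str] = field(default_factory=list)
    bypass_days_last_year: int = 0  # total time unavailable in the last 365 days

    def availability(self) -> float:
        """Fraction of the last year the barrier was in a state to act."""
        return 1.0 - min(self.bypass_days_last_year, 365) / 365


def assess(barrier: Barrier, today: date) -> dict:
    """Return the barrier's status, whether it needs escalation, and why."""
    findings = []
    escalate = False
    if not barrier.owner:
        findings.append("no named owner")
        escalate = True
    for task in barrier.tasks:
        if task.is_overdue(today):
            findings.append(f"assurance overdue: {task.name}")
    if barrier.bypassed:
        if barrier.compensatory_measures:
            findings.append("bypassed; compensatory measures active: "
                            + ", ".join(barrier.compensatory_measures))
        else:
            # A bypass with nothing in its place is the case the owner must escalate.
            findings.append("bypassed with no compensatory measure")
            escalate = True
    status = "healthy" if not findings else "degraded"
    return {"barrier": barrier.name, "status": status, "escalate": escalate,
            "availability": round(barrier.availability(), 3), "findings": findings}


def owner_view(barriers: list[Barrier], today: date) -> dict:
    """Group degraded barriers by owner so each person sees only their own."""
    view: dict = {}
    for b in barriers:
        result = assess(b, today)
        if result["status"] != "healthy":
            view.setdefault(b.owner or "UNASSIGNED", []).append(result)
    return view


TODAY = date(2024, 6, 1)  # fixed reference date so the example is reproducible

# Constructed sample register (names, people and dates are hypothetical).
SAMPLE_BARRIERS = [
    Barrier("HIPPS trip on V-101", "hardware", "A. Engineer",
            [AssuranceTask("SIL 2 proof test", 365, date(2023, 3, 15))]),  # overdue
    Barrier("PSV-101 relief valve", "hardware", "A. Engineer",
            [AssuranceTask("bench test and recertification", 3 * 365, date(2022, 9, 1))],
            bypassed=True,
            compensatory_measures=["enhanced operator monitoring of PT-101",
                                   "test window limited to one shift"],
            bypass_days_last_year=12),
    Barrier("Permit-to-work for line breaks", "procedural", "B. Supervisor",
            [AssuranceTask("permit compliance audit", 90, date(2024, 5, 3))]),  # healthy
    Barrier("OT segmentation firewall", "hardware", None,
            [AssuranceTask("firewall rule review", 365, date(2023, 11, 20))]),  # no owner
]

if __name__ == "__main__":
    for b in SAMPLE_BARRIERS:
        print(assess(b, TODAY))
    print(owner_view(SAMPLE_BARRIERS, TODAY))
```

Run as a script it prints one assessment per barrier and then the per-owner view: the overdue proof test and the covered bypass land with A. Engineer as degraded but not escalated, the permit system is healthy, and the firewall with no owner is the only item that escalates. Extending the status rules (for example, escalating any bypass older than its approved window) is a matter of adding a finding in `assess`.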
The gap between a static bowtie and a living one is mostly an operational and systems problem, not an analysis problem. The analysis — which threats, which barriers, which consequences — is often done well. It is the operational maintenance of the diagram that tends to slip.
SolidBowtie is built specifically for this gap: every barrier has a named owner, a health status, and a linked assurance task schedule, so the bowtie model stays current as the operation changes.