SolidBowtie

Bowtie Diagram Examples (Working at Height, Loss of Containment, Cyber)

June 15, 2026 · 11 min read

How to read a bowtie diagram

A bowtie diagram has three zones arranged around a central point called the top event — the moment at which control of the hazard is lost.

On the left side are threats: the causes or initiating events that could drive the hazard toward loss of control. Between each threat and the top event are preventive barriers — the measures that interrupt those causal pathways.

On the right side are consequences: the harmful outcomes that result once control is lost. Between the top event and each consequence are recovery barriers — the measures that limit harm after the top event has occurred.

Attached to individual barriers are escalation factors (conditions that degrade or defeat a barrier) and escalation factor barriers (controls that keep those degradation mechanisms in check).

Reading a bowtie from left to right tells the story of how harm can happen. Reading it right to left reveals the layers of defence that stand in the way. The diagram is intentionally communicable — it is meant to be understood by anyone in the organisation, not just the risk specialist who drew it.

The three examples below each follow the same structure. Adapt them freely to your own site, but take care to test every barrier against your actual controls rather than inheriting assumptions from someone else's hazard assessment.


Example 1 — Working at Height: Fall from Height

Hazard: person at height (any work task above 2 m where a fall is possible)

Top event: uncontrolled fall begins

Threats (left side)

Threat | Notes
Unsecured access equipment (ladder, scaffold) | Ladder not footed, scaffold not inspected
Unguarded edge | Leading edge without barrier or cover
Slip or trip on working surface | Wet deck, tools left underfoot
Loss of grip or balance | Fatigue, awkward posture, load in both hands
Equipment failure (MEWP fault, harness defect) | Mechanical failure of elevated work platform or fall-arrest equipment
Inclement weather (wind, rain) | Condition change after work begins

Preventive barriers

  • Permit-to-work system with pre-task inspection — requires sign-off on access equipment and edge-protection status before work begins
  • Competence verification — worker holds current Working at Height certification; checked against competency register before task allocation
  • Collective protection (guardrails, covers, barriers) — physical edge protection present and in place; inspected by scaffold supervisor
  • Fall-arrest system in use — harness and lanyard worn and attached to certified anchor point; pre-use check completed

Consequences (right side)

Consequence | Description
Struck by falling person/object | Co-workers or members of public below; exclusion zone failure
Serious injury to the fallen worker | Impact injury on landing surface; head injury
Fatality | High fall or secondary impact
Regulatory action and prosecution | HSE/labour authority investigation, improvement or prohibition notice

Recovery barriers

  • Exclusion zone and barriers below — prevents secondary victims; limits harm to the fallen individual
  • Emergency response procedure — first-aid trained persons immediately available; 999 / emergency services called within defined time
  • Rescue-at-height plan — if worker is suspended mid-fall-arrest or stranded, trained rescue team and equipment on-site
  • Trauma care and hospital pathway — rapid casualty transfer; trauma centre pre-notification

Escalation factors worth noting

For the preventive barrier "fall-arrest system in use," a common escalation factor is anchor point not rated for dynamic load — the harness is attached but to a structural element that cannot absorb shock loading. The escalation factor barrier is that anchor points are marked, load-rated, and colour-coded annually by a competent rigger.

For the recovery barrier "exclusion zone," the escalation factor is exclusion zone not enforced during task (a delivery or visitor walks through). Its barrier is a dedicated banksman or barrier attendant whose sole role is zone enforcement.


Example 2 — Loss of Containment: Hydrocarbon Release

Hazard: flammable or toxic hydrocarbon held under pressure in process equipment

Top event: uncontrolled release of hydrocarbon to atmosphere

Threats (left side)

Threat | Notes
Corrosion/erosion through pipe wall or vessel | Internal or external; accelerated in wet-H₂S and CUI (corrosion under insulation) conditions
Mechanical failure — flange, valve, fitting | Fatigue, vibration, improper installation
External impact | Vehicle collision, dropped object on pipework
Instrument/control failure causing overpressure | Control loop fails, ESD does not trip
Human error during maintenance | Incorrect re-assembly, wrong isolation, wrong material
Third-party excavation striking buried line | Ground works near buried pipework

Preventive barriers

  • Inspection and integrity management programme — scheduled UT scanning, CML monitoring; thickness data reviewed against fitness-for-service limits
  • Corrosion monitoring and inhibition system — chemical injection; corrosion probes; trend review
  • Management of change (MoC) process — all physical modifications go through an approved MoC before execution; includes HAZOP/risk review
  • Safe isolation procedure and lock-out / tag-out (LOTO) — energy isolation verified with positive confirmation before breaking containment
  • Permit-to-work with pressure testing hold point — reinstatement requires pressure test sign-off before return to service
  • Buried services register and ground disturbance permit — third parties must notify and receive permit before excavating within exclusion distance

Consequences (right side)

Consequence | Description
Flash fire | Ignition of vapour cloud without explosion; personnel caught in fireball
Vapour cloud explosion (VCE) | Congested module or building causes pressure rise at ignition
Pool fire | Liquid release ignites on ground
Toxic exposure | H₂S or other toxic component; inhalation injury or fatality
Marine pollution | Offshore or waterside facility; release to sea
Production shutdown | Plant isolation, investigation, regulatory hold on restart

Recovery barriers

  • Gas detection and alarm system — fixed point detectors and open-path detectors; automatic ESD and PA alarm at set-point
  • Emergency shutdown system (ESD) — isolates and depressurises affected segment on demand or automatically on high-high detection
  • Deluge and firewater systems — active fire suppression in the release area; cooling of adjacent equipment
  • Emergency response — muster, evacuation, and firefighting — muster accountability; trained EERP team; fire brigade on-site or under contract
  • Oil spill response plan (offshore/waterside) — boom, skimmer, dispersant authority; regulatory notification within legally required window
  • Ignition source management — hot-work permit; vehicle exclusion; earthing and bonding for mobile equipment in zone

Escalation factors worth noting

For "gas detection and alarm system": a recurring escalation factor is detector in fault/bypass during turnaround — the barrier is effectively absent at the moment containment is most likely to be broken. The escalation factor barrier is that all bypassed detectors are listed on a live bypass register, reviewed at the control room handover, and subject to enhanced manual surveillance.

For "ESD system": instrument air loss can freeze an air-operated ESD valve in its last position. The escalation factor barrier is a spring-return (fail-safe) valve configuration, verified in the last proof-test record.


Example 3 — Cyber: Ransomware on Operational Technology

Hazard: internet-connected or IT-networked operational technology (OT) — DCS, SCADA, PLCs, historian servers — managing a physical process

Top event: ransomware encrypts or disrupts OT systems; operator loses visibility or control of the physical process

Threats (left side)

Threat | Notes
Phishing email credential compromise | IT credential used to pivot to OT network
Compromised remote access pathway | VPN, RDP, or vendor remote-support tunnel misused
Infected USB or portable media | Maintenance laptop brought on-site without scan
Supply chain compromise (software update) | Malicious code delivered via legitimate vendor update
Insider threat or misconfiguration | Inadvertent or deliberate change enabling propagation
IT network lateral movement after IT breach | Insufficient segmentation between corporate and OT zones

Preventive barriers

  • OT network segmentation (DMZ / industrial demilitarised zone) — firewalled boundary between corporate IT and the OT/SCADA network; unidirectional data diodes where feasible
  • Privileged access management (PAM) for OT remote access — all remote sessions logged, time-limited, and require MFA; vendor access via jump-server, not direct connection
  • Endpoint protection and application allowlisting on OT hosts — only known-good executables permitted on historian and HMI nodes; antivirus with OT-safe update schedule
  • Patch and vulnerability management programme — prioritised patching schedule for known OT vulnerabilities; compensating controls documented where patches cannot be applied
  • Change management and USB media control — media scanned at secure kiosk before use; USB ports disabled on OT workstations by policy and technical control
  • OT security monitoring and alerting — passive network monitoring (Claroty, Dragos, or equivalent) detecting anomalous traffic without active probing of OT assets

Consequences (right side)

Consequence | Description
Loss of process visibility | Operators cannot see DCS/SCADA; must rely on manual rounds
Loss of process control — manual / safe shutdown required | Controlled shutdown to prevent unsafe state; production loss
Unsafe process state — physical harm | If process cannot be safely shut down; overpressure, runaway, or loss of containment
Regulatory notification and investigation | GDPR (if personal data touched), NIS2, sector-specific OT incident reporting
Extended production outage during OT rebuild | Weeks of recovery; significant business impact

Recovery barriers

  • Manual operation capability and procedure — operators trained and documented in manual mode; panel instruments independent of DCS available
  • Emergency shutdown system independence — ESD/SIS runs on separate hardware and logic from the compromised DCS; not affected by ransomware on the historian or HMI layer
  • Offline backup of OT configuration and golden images — PLC logic, DCS configuration, and HMI screens backed up offline and air-gapped; verified via periodic restore test
  • Incident response and OT recovery plan — defined runbook for ransomware; contacts list for ICS security specialists; decision tree for partial versus full restore
  • Regulatory and stakeholder communication plan — regulatory body notification within defined window; internal escalation to board level; customer communication if supply affected

Escalation factors worth noting

For "OT network segmentation": the escalation factor is firewall rule misconfiguration during a network change — a single overly permissive rule opens the boundary. The escalation factor barrier is that every OT firewall rule change goes through a formal MoC with second-person review and is confirmed by a penetration test.

For "ESD independence": the escalation factor is shared power supply or shared historian connection between the DCS and the SIS. The escalation factor barrier is a validated segregation design review (aligned with IEC 61511) and periodic proof testing to confirm independence remains intact.


How to adapt an example to your site

These examples are starting points, not finished bowties. Before using any of them in a risk register, take the following steps:

  1. Review each threat against your actual installation. A threat that is theoretically possible but has no credible initiating mechanism at your facility should be removed or marked as not applicable with a justification.

  2. Confirm every listed barrier exists. A barrier that is not actually in place — or that exists on paper but is not maintained — is not a barrier. Working from a list of nominal barriers produces false confidence.

  3. Assign an owner to every barrier. The owner is a named individual responsible for confirming the barrier is available and functional. Without an owner, nobody is accountable when the barrier degrades.

  4. Check barrier interactions. Barriers that share a single point of failure (for example, the same power circuit, the same maintenance contractor, or the same procedure) are not independent. Identify and document the dependency.

  5. Run the diagram past the people who do the work. Operational teams will immediately spot threats and barriers the desk-based analyst missed. A workshop review of an adapted example usually takes less than two hours and produces significantly better output.
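A worked check for steps 2 to 4, added here as an example and not SolidBowtie's own code: it models a constructed subset of Example 3's preventive barriers, with owners, in-place status and supporting dependencies as assumed values, and reports unowned or paper-only barriers, dependencies shared by more than one barrier (a common-mode failure), and which threat pathways are left with no effective barrier once an escalation factor degrades a shared dependency.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Barrier:
    name: str
    owner: str | None           # step 3: no named owner means nobody is accountable
    in_place: bool              # step 2: a barrier that exists only on paper does not count
    depends_on: frozenset[str]  # step 4: shared services, people or procedures it relies on

# Constructed subset of Example 3 (ransomware on OT). Owners, in-place status and
# dependencies are assumed values for illustration, not a real site's data.
BARRIERS = {
    "OT network segmentation": Barrier("OT network segmentation", "network lead", True, frozenset({"firewall rule MoC"})),
    "PAM for OT remote access": Barrier("PAM for OT remote access", "OT security lead", True, frozenset({"corporate identity provider"})),
    "OT security monitoring": Barrier("OT security monitoring", "SOC manager", True, frozenset({"corporate identity provider"})),
    "USB media control": Barrier("USB media control", None, True, frozenset()),
    "Application allowlisting": Barrier("Application allowlisting", "OT security lead", False, frozenset()),
}
# Threat -> preventive barriers sitting on its pathway to the top event (assumed mapping).
PATHWAYS = {
    "Phishing email credential compromise": ["PAM for OT remote access", "OT network segmentation"],
    "Compromised remote access pathway": ["PAM for OT remote access"],
    "Infected USB or portable media": ["USB media control", "Application allowlisting"],
    "IT network lateral movement after IT breach": ["OT network segmentation", "OT security monitoring"],
}

def unowned_barriers(barriers: dict[str, Barrier]) -> list[str]:
    return sorted(n for n, b in barriers.items() if b.owner is None)

def nominal_barriers(barriers: dict[str, Barrier]) -> list[str]:
    """Barriers listed in the bowtie but not actually in place (false confidence)."""
    return sorted(n for n, b in barriers.items() if not b.in_place)

def shared_dependencies(barriers: dict[str, Barrier]) -> dict[str, list[str]]:
    """Dependency -> barriers relying on it; two or more means those barriers are not independent."""
    shared: dict[str, list[str]] = {}
    for n, b in barriers.items():
        for dep in b.depends_on:
            shared.setdefault(dep, []).append(n)
    return {dep: sorted(ns) for dep, ns in shared.items() if len(ns) > 1}

def is_effective(b: Barrier, degraded: frozenset[str] = frozenset()) -> bool:
    """A barrier counts only if it is in place and none of its dependencies is degraded."""
    return b.in_place and not (b.depends_on & degraded)

def uncovered_threats(pathways, barriers, degraded: frozenset[str] = frozenset()) -> list[str]:
    """Threats whose pathway to the top event has no effective preventive barrier left."""
    return sorted(t for t, names in pathways.items() if not any(is_effective(barriers[n], degraded) for n in names))
```

Passing the degraded set from a live bypass register (as in Example 2's escalation factor) turns this into a standing check rather than a one-off workshop exercise.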

SolidBowtie lets you build from templates like these and immediately assign owners, set barrier health indicators, and create assurance tasks — so the diagram stays live after the initial analysis is done.
