Quick definitions
HAZOP — Hazard and Operability Study. A structured, qualitative technique for systematically identifying hazards and operability problems in a process design. Facilitator-led, word-guide-based, deviation-by-deviation. Output: a log of deviations, causes, consequences, safeguards, and recommendations. Standardised in IEC 61882.
LOPA — Layer of Protection Analysis. A semi-quantitative technique for estimating the frequency of a consequence scenario and the risk reduction credit assigned to each independent protection layer (IPL). Operates on scenarios identified by HAZOP or an equivalent hazard identification method. Output: a frequency estimate for the mitigated consequence and a determination of whether the tolerable risk target is met. Documented in IEC 61511 Part 3, AIChE CCPS guidelines.
Bowtie analysis — a barrier-centric, visual risk analysis technique that maps the causal pathways (threats) to a top event and the consequence pathways (outcomes) with preventive and recovery barriers. Directly communicable to non-specialists. Output: a bowtie diagram with named barriers, escalation factors, and barrier owners. No single IEC standard, but widely used in alignment with ISO 31000, IEC 61511, and major-hazard regulatory frameworks (e.g., the UK COMAH Safety Case, Norwegian PSA barrier framework).
All three methods deal with the same underlying domain — how hazards lead to harm and how safeguards prevent or limit that harm. The differences lie in what they produce, how quantitative they are, and what they are used for.
What each method answers
| Method | Primary question answered |
|---|---|
| HAZOP | What can go wrong in this design? |
| LOPA | Is the risk from this scenario tolerable given the protection layers we have? |
| Bowtie | What barriers stand between us and harm, and are we managing them? |
These are complementary questions, not competing ones. A risk management process for a major hazard installation typically needs all three answers.
HAZOP: deviation-based, qualitative
HAZOP was developed in the 1960s at ICI and formalised through the 1970s. Its core mechanism is the systematic application of guide words (No, More, Less, As Well As, Part Of, Reverse, Other Than) to process parameters (Flow, Pressure, Temperature, Level, etc.) to generate deviations that the design team then evaluates for causes, consequences, and safeguards.
What HAZOP does well:
- Methodical coverage of a process design — especially piping-and-instrumentation diagrams (P&IDs) — at a level of detail no other common method matches
- Surfaces operability problems (production inefficiencies, control difficulties) as well as safety hazards
- Generates a systematic record of the team's reasoning that can be re-opened when designs change
- Works best early in design (FEED stage or detailed design) when changes are still cost-effective
What HAZOP does not do:
- Estimate risk numerically — HAZOP produces a ranked qualitative risk judgment ("High / Medium / Low") at best
- Assess combinations of safeguard failures — it evaluates safeguards one scenario at a time but does not credit or debit multiple layers in a formal way
- Produce an ongoing operational risk picture — HAZOP is a design-phase technique; its output is not designed to be maintained as a living operational document
When to use HAZOP:
Use HAZOP to systematically examine a new design, a significant modification, or a process that has never been formally reviewed. It is the standard method for PHA in the chemical and oil and gas industries and is required or expected by regulators in many jurisdictions. It is also the primary source of scenarios for a subsequent LOPA.
LOPA: semi-quantitative, IPL-based
LOPA was developed in the 1990s by the Center for Chemical Process Safety (CCPS) as a way of doing more rigorous risk assessment than qualitative HAZOP without the full complexity of quantitative risk assessment (QRA). It takes scenarios identified in HAZOP — or occasionally from incident data or PHA — and evaluates them by estimating:
- The initiating event frequency (how often does the cause occur, absent any protection?)
- The risk reduction credit granted to each independent protection layer (IPL) that interrupts the scenario
- The mitigated consequence frequency (initiating event frequency × conditional modifier probabilities)
- Whether the result meets the tolerable risk target — if not, additional risk reduction is required
IPL criteria: a protection layer earns risk reduction credit in LOPA only if it meets four criteria — it must be independent of the initiating event and other IPLs, functional (it physically prevents or mitigates the consequence), auditable (its performance can be verified), and reliable (a defined probability of failure on demand, PFD, is maintained). Safety instrumented functions (SIFs) rated to a Safety Integrity Level (SIL) under IEC 61511 are the most rigorously defined IPL category.
What LOPA does well:
- Provides a defensible, semi-quantitative basis for determining whether the risk from a scenario is tolerable
- Drives SIL determination — the SIL required for a safety instrumented function is the risk reduction credit gap identified by LOPA
- Is significantly faster than full QRA for most industrial scenarios
- Produces an auditable record that supports a Safety Case or process safety report
What LOPA does not do:
- Assess common-cause failures rigorously — LOPA assumes IPL independence, which must be verified separately
- Model the interaction between multiple simultaneous demands or multi-cause initiating events
- Produce a picture of who manages each layer and how — LOPA produces a frequency estimate, not an operational management framework
When to use LOPA:
Use LOPA after HAZOP when you need to demonstrate that risk from a specific scenario meets a quantitative or semi-quantitative tolerable risk criterion, or when you need to determine the SIL target for a safety instrumented function. It is required by IEC 61511 as one of the acceptable SIL determination methods.
Bowtie: barrier-centric, communicable
Bowtie analysis was used informally in the aviation and nuclear industries from the 1970s but became formalised in major-hazard process safety following the Piper Alpha disaster (1988) and the subsequent development of barrier philosophy in the North Sea oil and gas sector. The Dutch company Shell formalized the modern bowtie notation in the 1990s.
Unlike HAZOP and LOPA, which are primarily analytical techniques producing technical records, the bowtie is primarily a communication and management tool. Its deliberate visual simplicity — threats on the left, consequences on the right, barriers in between — is a feature, not a limitation. The goal is a diagram that a board director, an operator, and a regulator can all read.
What bowtie does well:
- Produces a clear, shared picture of how a major hazard is managed — communicable across the hierarchy without translation
- Integrates preventive and recovery barriers into a single model (HAZOP focuses on prevention; LOPA focuses on individual scenario risk; bowtie covers the full range)
- Provides a natural framework for assigning barrier ownership and tracking barrier health operationally
- Supports regulatory Safety Cases and Major Accident Hazard risk registers where a narrative account of barriers is required
- Surfaces escalation factors — conditions that degrade barriers — which are not systematically captured in HAZOP or LOPA
What bowtie does not do:
- Estimate risk numerically — a bowtie does not produce a frequency estimate; it shows the structure of protection, not the probability
- Provide the systematic deviation-by-deviation coverage of HAZOP — bowtie focuses on a chosen top event; it does not crawl through every line on the P&ID
- Determine SIL requirements — that is LOPA's function
When to use bowtie:
Use bowtie to create the risk communication and barrier management framework for a major hazard. It is particularly well-suited to:
- Safety cases and MAH risk registers where regulators want to see barrier structure
- Leadership and workforce engagement — the visual format supports site-level safety conversations better than a HAZOP log
- Operational barrier management — assigning owners, tracking health, triggering assurance tasks
- Incident investigation framing — a bowtie immediately contextualises which barriers were present, which failed, and why
Comparison table
| Attribute | HAZOP | LOPA | Bowtie |
|---|---|---|---|
| Primary purpose | Hazard identification | Risk estimation / SIL determination | Barrier management and communication |
| Output | Deviation log with causes, consequences, safeguards, actions | Mitigated consequence frequency vs. tolerable risk target | Barrier diagram with owners, escalation factors, assurance tasks |
| Quantitative? | No — qualitative risk ranking | Semi-quantitative (order-of-magnitude frequency) | No — qualitative structure |
| Typical stage | Design (FEED, detailed design) | Design (post-HAZOP) or modification | Design and operations — maintained through asset life |
| Coverage | Systematic (all parameters, all deviations) | Scenario-by-scenario | Top-event-by-top-event |
| Best audience | P&ID engineers, process safety specialists | Process safety engineers, SIL practitioners | Operations, leadership, regulators, workforce |
| Standard | IEC 61882 | IEC 61511 Part 3, CCPS guidelines | ISO 31000 context; no single standard |
| Ongoing maintenance | Re-opened for modifications; not a living document | Not typically a living document | Designed to be maintained operationally |
When to use which — and how they work together
In a well-structured process safety programme these three methods are not competing alternatives. They operate in sequence, each building on the previous:
HAZOP first. Use HAZOP to identify and document all significant hazard and operability scenarios in the process design. The HAZOP study provides the systematic scenario foundation — without it, LOPA and bowtie risk missing important initiating events.
LOPA for scenarios that need numerical justification. From the HAZOP log, select the scenarios where qualitative safeguard assessment is not sufficient: scenarios with potentially severe consequences (typically fatality-potential or major release), where there is uncertainty about whether existing safeguards are adequate, or where a safety instrumented function is being specified. Run LOPA on these scenarios to determine whether the risk is tolerable and, if not, what SIL the additional safety function must achieve.
Bowtie for the major accident hazards. Select the top events that represent your major accident hazards — the scenarios with the highest consequence potential. Build a bowtie for each, drawing on the HAZOP scenario log for threats and the LOPA IPL list for candidate barriers. Assign owners and assurance tasks. The bowtie becomes the operational management framework for each major hazard through the life of the asset.
A common misapplication is to run one of these methods in isolation and treat it as a complete risk assessment. HAZOP without LOPA leaves risk tolerance unresolved for critical scenarios. LOPA without HAZOP risks missing significant initiating events. Bowtie without HAZOP and LOPA may lack the systematic coverage and numerical grounding needed for a credible Safety Case.
Frequently asked questions
Can I use bowtie as the primary hazard identification tool?
Not reliably. Bowtie works well when the top events are already known — either from experience, incident history, or a prior HAZOP. It is not designed to systematically identify hazards from first principles the way HAZOP is. For a new design, run HAZOP first.
Do I need LOPA if I have bowtie?
If your regulatory framework requires SIL determination for safety instrumented functions, or if you need a quantified risk estimate to demonstrate ALARP, then yes — bowtie cannot provide that. If your requirement is operational barrier management for a hazard with established controls, bowtie may be sufficient.
Can a bowtie barrier serve as a LOPA IPL?
A bowtie barrier and a LOPA IPL are not the same thing. An IPL in LOPA must meet the four criteria (independent, functional, auditable, reliable with a verified PFD). A bowtie barrier may include measures that would not qualify as IPLs under LOPA's criteria — for example, a barrier that shares a cause with another barrier (not independent) or a procedural barrier without a verified compliance rate. When aligning the two models, confirm each bowtie barrier's IPL status explicitly rather than assuming they map one-to-one.
Is there an ISO standard for bowtie?
IEC 31010 (Risk assessment techniques, 2019) lists bowtie analysis as one of 41 risk assessment methods and provides a brief description. It is not a detailed methodology standard. Most practitioners work from Shell's published guidance, the Energy Institute's bowtie primer, or the CCPS guidance. IEC 61882 covers HAZOP; IEC 61511 Part 3 covers LOPA.
Once you have the barrier structure from bowtie analysis established, SolidBowtie helps maintain it operationally — barrier owners, health tracking, and assurance task scheduling — so the risk picture stays accurate between HAZOP revalidations.