SolidBowtie

How to Run a Bowtie Workshop (Step by Step)

June 15, 2026 · 9 min read

Why run a bowtie workshop

A bowtie diagram drawn alone at a desk is a document. A bowtie drawn in a room with the people who own and operate the hazard is a shared understanding. The workshop format exists precisely to get that shared understanding out of people's heads and onto a structured model.

Done well, a bowtie workshop surfaces threats the written procedure never acknowledged, names barriers that everyone assumed someone else was responsible for, and produces a diagram that the whole team recognises as an accurate picture of how they actually manage risk — not an idealised version of how they should.

This guide covers everything from setting up the room to closing with clear action items.


Who to invite

Bowtie workshops work best with five to ten participants. Too few and you miss crucial operational knowledge; too many and facilitation becomes crowd management.

Core roles to include:

  • Process owner or area manager — accountable for the hazard being analysed; keeps the scope realistic
  • Frontline operators — they know the real threats and the barriers that actually work (versus those on paper)
  • Maintenance representative — critical for hardware barrier performance and degradation factors
  • Health, safety, and environment (HSE) lead — brings regulatory context and ensures consequences are correctly characterised
  • Subject-matter expert (process engineer, instrument engineer, etc.) — needed for any technical claims about barrier integrity

Optional but valuable:

  • A representative from a previous incident involving the same hazard — lived experience of a barrier failure is worth ten theoretical threat analyses
  • A contractor or third party who works on the asset — an outsider often sees threats the regular team has normalised

Keep the decision-making hierarchy flat in the room. A senior leader whose presence stops operators from raising inconvenient truths does more harm than good. If a VP insists on attending, agree in advance that they listen rather than drive.


Before the session

Preparation time is where most facilitation mistakes are made — or avoided.

1. Choose the hazard and top event

The top event is the central loss-of-control moment that the bowtie pivots on. For a flammable gas system it might be "uncontrolled release of flammable gas." For a lifting operation it might be "loss of load." Picking the right level of specificity matters: too broad ("major accident") and the threats and barriers become a laundry list; too narrow ("valve V-22 fails open") and you've written an FMEA, not a bowtie.

A workable top event is specific enough to name a hazard source and a mode of loss of control, but general enough that more than one credible threat can cause it.

2. Gather pre-read material

Send participants these documents at least two days before the session:

  • The relevant risk assessment or process hazard analysis (PHA) covering the same hazard
  • Any incident or near-miss reports related to the hazard over the past three to five years
  • The operating procedure for the relevant task
  • A blank bowtie template, so nobody sees the format for the first time in the workshop

3. Prepare the facilitation space

  • A large display surface (whiteboard, flip chart, or shared screen) where the bowtie grows in real time as the group talks
  • Sticky notes or a digital equivalent (Miro, Mural) — let people add threats and consequences individually before grouping
  • A notetaker separate from the facilitator; the facilitator cannot drive the diagram and capture discussion at the same time

Running it: threats → preventive barriers → consequences → recovery barriers

Work left-to-right, then right-to-left, then fill in escalation factors and escalation factor barriers across the whole diagram.

Step 1 — Name the threats (left side)

Ask: "What could cause us to lose control of this hazard?"

Prompt the group with categories: equipment failure, human error, external events, organisational/management failures, third-party action, natural hazard. Aim for six to twelve distinct threats. Consolidate overlaps but don't merge threats that have meaningfully different barriers — "valve fails closed" and "valve fails open" often lead to completely different barrier sets.

Step 2 — Identify preventive barriers for each threat

For each threat, ask: "What stops that threat from reaching the top event?"

A preventive barrier is any measure — hardware, procedural, or human-action — that interrupts the causal pathway between a specific threat and the top event. Test each candidate with two questions:

  1. Is it specific? A barrier must relate to a particular threat or pathway, not be a general good practice.
  2. Is it effective on its own? A barrier must be capable of preventing the top event by itself if all other barriers fail.

Common pitfalls: listing "training" as a barrier (training is a means of maintaining a human barrier, not a barrier itself), or listing "management system" (the management system is the assurance framework for barriers, not a barrier in the operational sense).

Step 3 — Identify the consequences (right side)

Ask: "If we lose control — if the top event happens — what could result?"

Consequences sit on the right side of the bowtie. List realistic outcomes: injury, fatality, environmental release, fire, explosion, production loss, reputational damage. You are not listing every possible outcome; you are listing the distinct consequence pathways that have materially different recovery barriers.

Group consequences where the mitigation is identical. Keep them separate where even one barrier differs.

Step 4 — Identify recovery barriers for each consequence

For each consequence, ask: "What limits the harm once the top event has occurred?"

Recovery barriers are activated after loss of control: isolation systems, emergency shutdown, spill containment, fire suppression, evacuation procedures, medical response. The quality questions are the same as for preventive barriers: is this barrier specific to this consequence pathway, and can it limit harm on its own?


Capturing escalation factors

Escalation factors are conditions that degrade or defeat a specific barrier. They sit between the threat and the barrier (or between the top event and the recovery barrier) and explain why a barrier might fail to perform.

For the preventive barrier "pressure relief valve (PRV) opens," a realistic escalation factor might be "PRV is in bypass during maintenance." The escalation factor barrier for that is "permit-to-work controls a bypass isolation procedure."

Capture escalation factors for barriers where the group identifies a realistic degradation mechanism. Do not force escalation factors onto every barrier — it produces clutter without analytical value.


Common facilitation pitfalls

Running out of time on threats. Teams often spend so long developing the threat side that consequence analysis gets rushed. Time-box the threats to roughly one-third of the session.

Barriers that are really procedures inside procedures. If a candidate barrier is "follow procedure X, which requires A, then B, then C," it is a procedural barrier with a human performance component — write it as one barrier with a clear owner, not three.

Consequence catastrophising. Groups with a recent bad incident sometimes list worst-case consequences as the only outcome. Encourage a realistic range, including near-miss-level consequences, because different recovery barriers apply.

Groupthink. If one senior voice is driving the threat list, the facilitator should actively invite quiet participants: "Are there any threats specific to night shifts or contractor activities that we haven't captured?"

Confusing barriers with safety objectives. "Reduce the likelihood of a release" is an objective, not a barrier. A barrier must be a tangible, named measure that a specific person or system delivers.


After the workshop

Assign barrier owners

Every barrier needs an individual owner — a named person, not a department. The owner is responsible for confirming the barrier exists, that it is maintained, and that it is capable of performing when needed. Without owners, the bowtie is a diagram of aspirations.

Define assurance tasks

For each barrier, identify the assurance activity that confirms the barrier is in place and functional: inspection frequency, test interval, competence verification, permit audit. These tasks become the operational backbone of barrier management. Without them the bowtie represents what was true the day it was drawn, not what is true now.

Review and sign off

Circulate the completed diagram to participants within a week while the session is still fresh. Invite corrections — operational details often need adjustment once people have had time to reflect. A single review cycle before sign-off is usually enough for a first-pass bowtie.

Schedule a review date

A bowtie that is never updated after a change becomes a liability: it shows barriers that no longer exist, or misses new threats that have emerged. Set a review trigger (change of plant, near-miss, periodic review schedule) and record it in the document.
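
An added example, not part of the original article or of SolidBowtie's software: a minimal bowtie model with a lint pass that flags the gaps this guide warns about (non-barriers such as "training", owners that are departments rather than named people, missing assurance tasks, escalation factors with no barrier, pathways with no barrier, and no recorded review trigger). The class names, the department list, and the people and threats in the sample are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Labels the guide says are not barriers in themselves.
NOT_BARRIERS = ("training", "management system")

@dataclass
class Barrier:
    name: str
    owner: str = ""            # a named person, not a department
    assurance_task: str = ""   # e.g. test interval, inspection, permit audit
    escalation: dict = field(default_factory=dict)  # escalation factor -> its barrier

@dataclass
class Bowtie:
    top_event: str
    threats: dict        # threat -> list of preventive Barrier
    consequences: dict   # consequence -> list of recovery Barrier
    review_trigger: str = ""

def lint(bt, departments=("operations", "maintenance", "hse")):  # assumed department names
    """Return (location, finding) pairs for gaps the guide warns about."""
    findings = []
    if not bt.review_trigger:
        findings.append((bt.top_event, "no review trigger recorded"))
    for side in (bt.threats, bt.consequences):
        for path, barriers in side.items():
            if not barriers:
                findings.append((path, "pathway has no barrier"))
            for b in barriers:
                where = f"{path} / {b.name}"
                if b.name.strip().lower() in NOT_BARRIERS:
                    findings.append((where, "not a barrier in itself"))
                if not b.owner or b.owner.strip().lower() in departments:
                    findings.append((where, "owner is not a named person"))
                if not b.assurance_task:
                    findings.append((where, "no assurance task"))
                findings += [(where, f"escalation factor '{ef}' has no barrier")
                             for ef, efb in b.escalation.items() if not efb]
    return findings

# Constructed sample, reusing the guide's flammable-gas and PRV illustrations.
PRV = Barrier("pressure relief valve (PRV) opens", "A. Rivera", "PRV test interval",
              {"PRV is in bypass during maintenance": ""})
SAMPLE = Bowtie(
    "uncontrolled release of flammable gas",
    threats={"overpressure": [PRV], "operator error": [Barrier("Training", "Operations")]},
    consequences={"fire": [Barrier("emergency shutdown", "J. Chen", "ESD function test")],
                  "environmental release": []},
)
```

Calling `lint(SAMPLE)` returns six findings; a bowtie with named owners, assurance tasks, barriers on every pathway, and a review trigger returns an empty list.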


Frequently asked questions

How long should a workshop take?
For a single, well-scoped top event with six to ten participants, plan for three to four hours including a short break. Complex top events with many consequence pathways may need two sessions.

Do we need bowtie software during the session?
No. Many facilitators prefer to work on a whiteboard and transfer the result to software afterwards. The priority in the room is quality of thinking, not a polished diagram.

What if people disagree about whether something is a barrier?
Apply the two tests: specificity and independent effectiveness. If it passes both, it is a barrier regardless of what it is called in the organisation. If a group cannot agree, note the disagreement and move on — it is a sign that the operating procedure and the management system need clarification, not a sign that the facilitation has failed.

How often should we revisit the bowtie?
At minimum, after any significant management of change, after any incident or near-miss involving the hazard, and on a periodic schedule (typically one to three years depending on the hazard class). A barrier audit mid-cycle often surfaces degraded barriers before an incident makes them visible.

SolidBowtie is designed to make the post-workshop step easier: every barrier gets an owner and a health indicator, and assurance tasks are tracked operationally so the diagram stays live rather than becoming a compliance artefact.
