The Bow-Tie method and safety barriers for risk modeling in RAMS Engineering


Bow-tie analysis / modeling is a risk analysis technique that is a combination of a fault tree analysis (FTA) and an event tree analysis (ETA). Fault Tree Analysis (FTA) identifies basic events that can lead to an accident, while Event Tree Analysis (ETA) identifies sequences of events from initiating events to accident scenarios.

The bow-tie method is therefore a risk assessment method that can be used to analyze and communicate risk scenarios. The method takes its name from the shape of the diagram that is created, which looks like a man's bow tie. A bow-tie diagram mainly does two elements. First, a bow tie provides a visual summary of all plausible incident scenarios that could exist around a particular hazard. Second, the bow tie represents what an organization does to control those scenarios by identifying safety barriers.

From Leedeo we highlight the following points as the benefits of bow-tie analysis:

  • Very effective for preliminary risk analysis in early stages of a project,
  • Ensures the identification of high probability and high consequence events,
  • Combined application of high-level event / fault trees,
  • Identification, evaluation and representation of the causes of a dangerous event, the probable results and the measures implemented to prevent, mitigate or control the hazards,
  • Identification, evaluation and representation of existing barriers.

The bow-tie contains eight basic elements for its design: danger, main event, threats, consequences, preventive barriers and recovery barriers.


The bow-tie model consists of different elements that build the holistic representation of danger and its associated actions, both in its favor and against it. The bow-tie representation revolves around the hazard "top event" (something within, around, or part of an organization or activity that has the potential to cause harm or harm) and the main event (the release or loss of control over a hazard known as unwanted system state).

From here on, consideration focuses on threats (a possible direct cause of the main event), consequences (the results of the main event that end directly in loss or damage), and controls (any action taken that acts against any force or undesirable intention).

Controls or barriers can be completed on either side of the scheme. In the left loop we will call them control measures; in the right loop, recovery measures. Control measures are preventive measures that eliminate the threat entirely or prevent the threat from causing recovery from the main event. Recovery measures reduce the likelihood that the consequence will occur (slow the escalation to the consequence) or mitigate (minimize) the severity of the consequence.

Once the controls or barriers are identified, the advanced bow-tie method can go one step further and identify the ways in which the barrier may fail. These factors or conditions are called escalation factors. There are also potential barriers to climbing factors, so there is also a special type of barrier called a climbing factor barrier, which has an indirect but crucial effect on the main hazard. By visualizing the interaction between barriers and their escalation factors, you can see how the overall system weakens when barriers have escalation factors.

How to construct a bow-tie diagram?

  • Define the risk. As we all know, a hazard is an activity, state, or process that has the potential to cause harm.

The beginning of any bow-tie risk assessment is to identify and define the risk. A hazard is something within, around, or within the organization that has the potential to cause harm. Working with dangerous substances, operating on a patient or storing confidential data are, for example, risky aspects of an organization, while reading this article is not.

  • Definition of the main event: the event that generates the moment in which control over the danger is lost.

Once the hazard is chosen, the next step is to define the main event. This is the moment when you lose control over danger. Often, there is still no damage or negative impacts. This means that the main event occurs just before the events start to do real damage.

  • Threats: a possible cause of the main event.

Threats are credible causes of the main event. There can be multiple threats for a single main event. It is important at this point to avoid generic formulations such as "Human error", "Equipment failure" or "Climatic conditions". What does a person actually do to spark the main event? What equipment fails and why? What kind of weather or what impact does the weather have? The identification of more specific threats results in the identification of more specific and therefore more effective barriers and recommendations.

  • Aftermath: an unwanted event caused by the main event.

The consequences are the unwanted results of the main event. There can be more than one consequence for each main event.

At this stage, we have a clear understanding of the risk scenarios and what needs to be managed. Hazard, Main Event, Threats, and Consequences provide an overview of everything we don't want around a certain hazard. Each line through the bow tie represents a different potential incident scenario. At this point we add the barriers.

  • Barriers: measures taken to prevent, control or mitigate events.

Now that we have an overview of the unwanted scenarios, it is time to see how to control these scenarios as an organization. This is done by identifying the barriers.

Bow tie barriers appear on both sides of the top event. Barriers interrupt the stage so that threats don't result in the main event or turn into actual unintended consequences.

Once barriers are identified, you have a basic understanding of how risks are managed. Barriers can be expanded with information from the safety management system to include, for example, barrier effectiveness ratings, risk assessment matrix ratings, and documents (eg, procedures, protocols, policies, etc.). After that, you can view the activities that maintain the integrity of the barrier effectiveness.

Basically this means mapping a Safety Management System on the barriers. Also determining who is responsible for a barrier and assessing the importance of a barrier are things that can be done to increase the understanding, criticality, and robustness or weakness of the barriers.

Barriers in functional safety. Beyond the bow-tie diagram

The concept of barriers in Engineering Safety dates back to 1961, with the appearance of the energy barrier principle by Gibson. From a conceptual point of view, we could define barriers as physical and / or non-physical means planned to prevent, control or mitigate unwanted events or accidents. In other words, in other words, a set of technical, operational or organizational measures that intervene to prevent, control or mitigate unwanted accidents.

Barriers are categorized by function or role in an accident sequence, its nature, technology or performance:

In addition, from Leedeo Engineering we always analyze from a qualitative and quantitative point of view the goodness of a barrier on the following properties and / or performances: its functionality, the reliability associated with the barrier, the specificity and ability to block risks, its durability in time, its response time, its ability to be audited and maintained and, finally, its dependencies.

At Leedeo Engineering, we are specialists in the development of RAMS projects, supporting RAM and Safety tasks at any required level, and both at the infrastructure or on-board equipment level.

Are you interested in our articles about RAMS engineering and Technology?

Sign up for our newsletter and we will keep you informed of the publication of new articles.