The BowTie, named after its shape, contains eight elements: hazard, top event, threats, consequences, preventive barriers, recovery barriers, escalation factors and escalation factor barriers.
Table of contents
Proactive risk assessments are performed by a wide variety of industries (e.g. oil & gas, aviation, healthcare etc.) to analyze and evaluate risks. Bowties are often used for this purpose, as well as for risk communication due to their visual and intuitive character.
Healthcare organizations can use the bowtie risk assessment method to analyze and detect weak points or gaps in how the organization is managing risk. This helps healthcare organizations to create risk based improvement plans to change patient safety for the better. One of the key goals of this project is using the bowtie risk assessment method for reducing avoidable harm and fatalities in healthcare.
The bowtie method is a risk assessment method that can be used to analyse and communicate risk scenarios. The method takes its name from the shape of the diagram that you create, which looks like a man’s bowtie. A bowtie diagram mainly does two things. First of all, a bowtie gives a visual summary of all plausible incident scenarios that could exist around a certain hazard. Second, the bowtie represents what an organization does to control those scenarios by identifying safety barriers.
However, this is just the beginning. Once the barriers are identified, the bowtie method takes it one step further and identifies the ways in which barrier can fail. These factors or conditions are called escalation factors. There are possible barriers for escalation factors as well, which is why there is also a special type of barrier called an escalation factor barrier, which has an indirect but crucial effect on the main hazard. By visualising the interaction between barriers and their escalation factors one can see how the overall system weakens when barriers have escalation factors.
Besides the basic bowtie diagram, safety management system information should also be considered and integrated with the bowtie to give an overview of what activities keep a barrier working and who is responsible for a barrier. Integrating the safety management system information in a bowtie demonstrates how hazards are managed by an organization.
Of course it is possible to perform a bowtie risk assessment on a piece of paper. The BowTieXP software is a convenient tool if you would like to create bowtie diagrams and link more information to the bowtie such as documents.
Risk analysis is often performed in a team setting. This team usually consists of a group of subject matter experts from different areas of the organization: for example, staff from the safety department as well as the personnel (e.g. physician, nurse etc.) involved in the risk scenario you are analysing. Creating bowties in this manner provides a more holistic and realistic view on the risk scenario. The bowtie method helps to structure your thinking and structure the brainstorm session during the risk assessment.
It is said that the first ‘real’ bowtie diagrams appeared in the (Imperial Chemistry Industry) course notes of a lecture on HAZAN (Hazard Analysis) given at The University of Queensland, Australia (in 1979), but how and when the method found its exact origin is not completely clear.
The catastrophic incident on the Piper Alpha platform in 1988 awoke the oil & gas industry. After the report of Lord Cullen, who concluded that there was far too little understanding of hazards and their accompanying risks that are part of operations, the urge arose to gain more insight into the causality of seemingly independent events and conditions and to develop a systematic/systemic way of assuring control over these hazards.
In the early nineties the Royal Dutch / Shell Group adopted the bowtie method as company standard for analysing and managing risks. Shell facilitated extensive research in the application of the bowtie method and developed a strict rule set for the definition of all parts, based on their ideas of best practice. The primary motivation of Shell was the necessity to assure that appropriate risk controls are consistently in place throughout all worldwide operations.
Following Shell, the bowtie method rapidly gained support throughout the industry, as bowtie diagrams appeared to be a suitable visual tool to keep overview of risk management practices, rather than replacing any of the commonly used systems.
In the last decade the Bowtie method also spread outside of the oil & gas industry to include aviation, mining, maritime, chemical and healthcare to name a few.
Definition: an activity, state or process that has the potential to cause harm.
The start of any bowtie risk assessment is identifying and defining the hazard. A hazard is something in, around or part of the organization which has the potential to cause harm. Working with hazardous substances, operating a patient or storing sensitive data are for instance hazardous aspects of an organization, while reading this article on your computer is not.
The idea of a hazard is to find the things that are part of your organization but could have a negative impact if control over that aspect is lost. They should be formulated as normal aspects of the organisation, e.g. operating a patient. A hazard is not necessarily something negative, it is part of normal business. The rest of the bowtie is devoted to how we keep that normal but hazardous aspect from turning into something unwanted and how control could be lost. The first step is always the hardest, and this is also the case with the hazard as it is the foundation of the bowtie diagram. The hazard sets the scope and context for the bowtie.
Definition: the point in time when control over the hazard is lost.
Once the hazard is chosen, the next step is to define the top event. This is the moment when control over the hazard is lost. Often there is no damage or negative impact yet. This means that the top event is regularly chosen just before events start causing actual damage.
The top event is a choice though, what is the exact moment that control is lost? This is to a large extent a subjective and pragmatic choice. Often, the top event is reformulated after the rest of the bowtie is finished. Don’t worry too much at the beginning about formulation. You can start with a generic “Loss of control” and revisit it a couple of times during the bowtie process to sharpen the formulation.
Definition: a possible cause for the top event.
Threats are credible causes of your top event. There can be multiple threats for a single top event. Threats should be able to singlehandedly cause a top event.
Try to avoid generic formulations like “Human error”, “Equipment failure” or “Weather conditions”. What does a person actually do to cause the top event? Which piece of equipment fails and why? What kind of weather or what does the weather impact? For instance, the threat ‘Wrong delivery of medication via infusion pump’ can be reformulated into three specific threat such as ‘Wrong medication placed in infusion pump’, ‘Wrong patient connected to infusion pump’ and ‘IV line incorrectly inserted into patient’. The identification of more specific threats results in the identification of more specific barriers and recommendations. You can be too specific as well, but generally people tend to be too generic.
When do you decide to make a threat more generic of specific? The goal, scope and audience of the bowties are the first thing to keep in mind, and they can override any other considerations. If the audience needs very specific information, we can decide to make the bowties on that level, even though the diagrams will become larger.
Definition: an unwanted event caused by the top event.
Consequences are the undesired results from the top event. There can be more than one consequence for every top event. As with the threats, people tend to focus on generic categories or damage instead of describing specific events. Try not to focus on Injury/fatality, Asset damage, Reputation damage or Financial damage. Those are broader categories of damage rather than specific consequence event descriptions. Try to describe events like “Prolonged hospital stay” or “Increased costs due to additional diagnostic procedures and treatments.” Besides containing more specific information, you’re also helping yourself to think more specifically when coming up with barriers or recommendations. Think how you want to prevent “Patient injury” versus “Prolonged hospital stay” or “Financial damage” versus “Increased costs due to additional diagnostic procedures and treatments”. The second is an actual scenario which makes it much easier to come up with specific barriers.
At this stage we have a clear understanding of the risk scenarios and what needs to be managed. The hazard, top event, threats and consequences gives an overview about everything we don’t want around a certain hazard. Every line through the bowtie represents a different potential incident scenario. Besides containing incident scenarios that might already have occurred, part of the strength of the bowtie is that there is also room for possible scenarios which have not occurred yet. This makes it a very proactive approach to analyzing risk.
Definition: measures taken to prevent, control or mitigate events.
Now that we have an overview of the unwanted scenarios, it is time to look at how to control these scenarios as an organisation. This is done by identifying barriers.
Barriers in the bowtie appear on both sides of the top event. Barriers interrupt the scenario so that the threats do not result in the top event or do not escalate into actual unwanted consequences.
Once the barriers are identified, you have a basic understanding about how risks are managed. You can build on this basic barrier structure further to deepen you understanding of where the weaknesses are. Barriers can be extended with safety management system information to include, for instance, barrier effectiveness ratings, risk assessment matrix scores and documents (e.g. procedures, protocols, policies etc.). After that you can look at the activities that uphold the integrity of the barrier’s effectiveness. This essentially means mapping your safety management system on the barriers. Also determining who is responsible for a barrier and assessing the criticality of a barrier are things you can do to increase your understanding of the barriers. It might be the case that a consequence line completely exists of hardware barriers, perhaps you would like to introduce a human element to block a possible common mode failure.
Definition: a condition that defeats or reduces the effectiveness of a barrier.
Barriers are never perfect. Even the best hardware barrier can fail. Given this fact, what you need to know is why a barrier can fail. This is done using the escalation factor. Anything that could defeat or reduce the effectiveness of a barrier can be described in an Escalation factor. For instance, a door that opens and closes automatically using an electrical mechanism might fail if there’s a power failure.
The logical next step to manage escalation factors is to identify barriers for the escalation factors, aptly named 'escalation factor barriers'. In this case it could be a backup generator.
Note: be careful with escalation factors. You do not need to describe all the potential failure modes. Only describe the significant weaknesses of your control framework and how you want to manage that.