By following this guide, you will create a bowtie analysis diagram — from defining the top event through identifying threats and consequences, adding barriers, and assessing barrier effectiveness.
Who should read this: Safety managers and admins who perform
risk analyses. Investigators and hazard owners also benefit from
understanding how bowtie diagrams map causal pathways and controls.Prerequisites: Safety manager or admin role with risk assessment
permissions. Familiarity with the
Bowtie Analysis reference and the
Risk Matrix is recommended. When to Use Bowtie Analysis
Use a bowtie analysis when:
- A hazard has multiple causal pathways (threats) that could lead to the undesired event.
- You need to visualize the relationship between threats, controls, and consequences for stakeholder communication.
- The 5x5 risk matrix alone does not provide sufficient detail about which specific barriers are managing each pathway.
- An investigation has identified barrier failures and you need to map the defense-in-depth structure.
- A hazard is in the yellow (ALARP) or red (Unacceptable) zone and requires systematic barrier analysis.
For simple hazards with a single threat and clear controls, the 5x5 risk matrix may be sufficient on its own.
Create a Bowtie Analysis
Step 1: Navigate to the Bowtie page
Go to Safety > Hazards > Bowtie Analysis. This page lists all existing bowtie diagrams for your workspace.
Step 2: Create a new bowtie
Click New Bowtie. A dialog prompts you for the initial information.
Step 3: Define the top event
Enter the Top Event — the central undesired event at the heart of the bowtie. This should be the pivotal moment where control is lost.
Write the top event as a specific, observable event, not a vague condition. “Loss of runway
directional control during landing” is more useful than “Runway problem.”
Step 4: Give the bowtie a title
Enter a descriptive title that summarizes the analysis scope (e.g., “Engine Failure During Takeoff”).
Step 5: Link a hazard (optional)
If the bowtie is associated with an existing hazard register entry, select it from the Linked Hazard dropdown. This creates traceability between the bowtie and the risk assessment record.
Step 6: Add a description (optional)
Provide additional context about the scope, operational context, or purpose of the analysis.
Step 7: Create the bowtie
Click Create. The system creates a draft bowtie and opens the detail page.
Add Threats (Left Side)
Threats are the causal factors on the left side of the bowtie. Each threat represents a distinct pathway that could lead to the top event.
Step 1: Identify potential threats
Ask: “What could cause this top event?” Consider threats across four categories:
| Category | Examples |
|---|
| Human | Pilot error, fatigue, miscommunication, inadequate training. |
| Technical | Equipment malfunction, system failure, software error. |
| Organizational | Procedural gaps, staffing shortages, inadequate supervision. |
| Environmental | Weather conditions, runway contamination, wildlife activity. |
For each identified threat, add it to the bowtie with a clear description, category classification, and likelihood assessment (rare, unlikely, possible, likely, or almost certain).
Step 3: Order threats by priority
Arrange threats from highest likelihood to lowest so the diagram highlights the most probable causal pathways first.
Use investigation findings, safety reports, and industry data to identify threats. Do not rely
solely on brainstorming — review your organization’s historical data for evidence-based threat
identification.
Add Consequences (Right Side)
Consequences are the potential outcomes on the right side of the bowtie. They represent what could happen if the top event occurs and recovery barriers are insufficient.
Step 1: Identify potential consequences
Ask: “If this top event occurs, what could happen?” Consider consequences across four impact domains:
| Domain | Examples |
|---|
| Safety | Injury, fatality, aircraft damage, environmental contamination. |
| Operational | Flight delay, aircraft out of service, operational disruption. |
| Financial | Repair costs, liability claims, regulatory fines, insurance impact. |
| Reputational | Media attention, customer confidence loss, regulatory scrutiny. |
Step 2: Add each consequence
For each consequence, provide a clear description, severity rating (negligible through catastrophic), and impact category.
Step 3: Order by severity
Arrange consequences from most severe to least severe.
Add Preventive Barriers (Left Side)
Preventive barriers sit between threats and the top event. They are the controls that stop threats from causing the undesired event.
Step 1: For each threat, identify existing controls
Review what controls are currently in place that prevent each threat from leading to the top event. These may be SOPs, training requirements, engineering controls, or equipment.
For each barrier, provide:
A description of what the barrier does.
The barrier category — engineering, administrative, procedural, or PPE.
The linked threat — which threat this barrier blocks.
If a threat has no preventive barriers, or if existing barriers are known to be weak, flag the gap. Consider creating a CPA to implement a new barrier.
Add Recovery Barriers (Right Side)
Recovery barriers sit between the top event and consequences. They mitigate or limit the damage after the top event has occurred.
Step 1: For each consequence, identify existing mitigations
Review what controls would limit or prevent each consequence if the top event occurs. These are emergency procedures, protective equipment, containment measures, and response plans.
For each recovery barrier, provide the description, category, and linked consequence it mitigates.
If a severe consequence has no recovery barriers, this represents a significant risk gap requiring immediate attention.
Assess Barrier Effectiveness
Step 1: Evaluate each barrier
For every barrier (preventive and recovery), assess its effectiveness:
| Rating | Criteria |
|---|
| Effective | Evidence demonstrates the barrier works consistently. Verified through testing, audits, or operational experience. |
| Partially Effective | Barrier works under normal conditions but has known gaps, limitations, or dependencies on human compliance. |
| Ineffective | Barrier does not reliably prevent the threat or mitigate the consequence. Evidence of failures exists. |
| Not Assessed | Barrier has not yet been evaluated. Schedule assessment. |
Step 2: Address ineffective barriers
For any barrier rated as ineffective or partially effective, determine the appropriate action:
Create a CPA to improve the barrier.
Replace the barrier with a more effective control.
Add a complementary barrier to provide defense in depth.
Step 3: Link CPAs to barriers
When a CPA is created to address a barrier gap, link it to the barrier record for traceability. This allows you to track whether the barrier improvement has been implemented and verified.
A bowtie with multiple ineffective barriers indicates systemic risk. Escalate to the safety
committee and consider whether operations should continue under current conditions until barriers
are strengthened (14 CFR 5.55).
Finalize and Activate
Once threats, consequences, and barriers are documented and effectiveness is assessed, change the bowtie status from Draft to Active. Active bowties are included in ongoing safety assurance monitoring.
Review active bowties periodically as part of your hazard review cycle to verify that barrier effectiveness has not degraded.
Bowtie Analysis Reference
Complete reference for bowtie structure, fields, and methodology.
Conduct a Risk Assessment
How the 5x5 risk matrix complements bowtie analysis.
Hazard Register
The hazard records that bowtie analyses link to.
Create a CPA
Implementing barriers identified through bowtie analysis.
