01

Quick answer

See the highlighted block above the contents list. The rest of this article walks through the five elements and the four design principles that separate a bowtie deliverable from a bowtie instrument.

02

What bowtie analysis solves

A risk register lists hazards. A risk matrix scores them. A bowtie diagram explains them. The bowtie is the only common safety artifact that visually separates the threats that could cause a hazardous event from the consequences that would follow it — with the controls (barriers) in between, individually rated.

The technique originated in the chemical and oil-and-gas industries in the 1990s — the term comes from the diagram's shape, with the “top event” at the centre and threats fanning out left, consequences fanning out right. CCPS (Center for Chemical Process Safety) and IOGP (International Association of Oil & Gas Producers) codified the practice. It crossed into aviation through European safety culture in the 2010s and is now standard at most mature ICAO Annex 19 operators.

What the bowtie does that other artifacts don't: it makes the defence-in-depth story explicit. Anyone reading the diagram can see how many barriers stand between a threat and the top event, between the top event and a serious consequence, and how strong each barrier is. A risk score alone says “this is medium-red”; a bowtie says “medium-red because three of the seven barriers are degraded and two have ambiguous ownership.”

03

The five elements

Every bowtie diagram contains exactly five element types:

  1. The top event. The moment the hazard is no longer controlled. Not the consequence; not the cause. For example, “loss of separation between aircraft” (not “mid-air collision”, which is a consequence). Picking the top event correctly is the hardest part of constructing a useful bowtie.
  2. Threats. The credible mechanisms by which the top event could be reached. Each threat is a distinct path on the left side. For loss of separation: incorrect ATC clearance, pilot deviation from cleared route, TCAS failure, navigation database error, weather avoidance manoeuvre.
  3. Preventive barriers. Controls between threats and the top event — the things that stop the threat from materialising. Each barrier is a discrete control with an owner, a type (engineering / procedural / behavioural), and an effectiveness rating.
  4. Recovery barriers. Controls between the top event and the consequence — the things that limit damage once the top event has occurred. Same structure as preventive barriers.
  5. Consequences. The plausible outcomes if the top event materialises and recovery barriers fail. For loss of separation: airspace incursion, near miss (AIRPROX), traffic-induced manoeuvre, mid-air collision.

A useful bowtie typically has 3–6 threats, 2–4 preventive barriers per threat, 3–6 consequences, and 2–4 recovery barriers per consequence. More than that and the diagram becomes unreadable; fewer than that and it stops modelling the defence-in-depth.

04

Why spreadsheets fail at this

The vast majority of bowtie diagrams in industry today live in PowerPoint, Visio, BowTieXP, or a custom Excel template. Each option fails the same way, for the same reasons.

The artifact diverges from reality the moment the room empties. A bowtie workshop produces a static picture of one moment in time. Six months later, three of the named barrier owners have changed roles, one barrier was retired in a procedure update, two new threats emerged from operational experience — and the diagram in the binder still shows the day-1 view. No one has time to re-draw.

The barriers are not connected to the audit evidence. A preventive barrier “TCAS-equipped fleet” is meaningful only if you can verify that every aircraft in the fleet is in fact equipped, the equipment is in service, and the crews are trained on it. In a spreadsheet, the barrier is a string. The verification lives in another system, audited by someone else, on a different schedule. The link is mental, not structural.

Cross-bowtie patterns are invisible. The same barrier (“crew fatigue management”, for example) appears across many different bowties — CFIT, runway excursion, in-flight fire response. If fatigue management degrades, every bowtie that depends on it should reflect that. In a spreadsheet, the barriers are independent strings. Degradation of one does not propagate.

The diagram is a one-way deliverable. Operationally relevant data (occurrence reports, audit findings, maintenance records) lives elsewhere, and the bowtie is updated — if at all — in a quarterly safety review workshop. By that point, the operational reality has moved.

05

Four design principles for software bowties

Software-based bowtie systems exist (BowTieXP, RiskHive, internal tools at major operators). The good ones share four design principles.

1. Each barrier is a typed record, not a label. A barrier has an ID, an owner (a person, not a department), a type (engineering / procedural / behavioural), an effectiveness score, a current state (active / degraded / failed), a last-verified date, and a verification source (audit ID, occurrence ID, training record ID). It is the same structural object whether it appears in one bowtie or twenty.

2. Barriers reference operational evidence, not vice versa. When an audit produces a finding against a procedure that backs a barrier, the finding propagates: the barrier's effectiveness drops automatically, the bowtie's composite risk score updates, and any safety review board within scope sees the change. The barrier is updated by the operational data; the bowtie reflects the barrier.

3. The top event is the entity, not the diagram. “Loss of separation” is a managed object. It has a current risk score, a history of related occurrences, an open-action queue, and a list of associated bowties (not the other way around). The diagram is a view onto the entity, not the entity itself.

4. Cross-bowtie barrier reuse is enforced. “Crew fatigue management” appears in CFIT, runway excursion, and in-flight fire bowties as the same barrier object. A change to its effectiveness updates all three diagrams. Adding the same barrier with a different ID in a different bowtie is rejected by the system; reuse is the default.
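A sketch of principles 1, 2 and 4 in code, added here as an illustration and not taken from BowTieXP, RiskHive or any operator's tool. The class names, the name-normalisation rule used to detect duplicates, and all IDs are assumptions; the state change on a finding follows the active / degraded / failed states listed in principle 1.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    barrier_id: str
    name: str
    owner: str                  # a named person, not a department
    kind: str                   # engineering / procedural / behavioural
    state: str = "active"       # active / degraded / failed
    last_verified: str = ""     # ISO date of the last verification
    evidence: list = field(default_factory=list)  # audit / occurrence / training IDs

class DuplicateBarrier(ValueError): pass

class BarrierRegistry:
    def __init__(self):
        self.by_id = {}         # barrier_id -> the single shared Barrier object
        self._id_by_name = {}   # normalised name -> barrier_id
        self.bowties = {}       # top event -> set of barrier IDs

    def register(self, barrier):
        # Assumed duplicate rule: same name after whitespace and case folding.
        key = " ".join(barrier.name.split()).casefold()
        known = self._id_by_name.get(key)
        if known is not None and known != barrier.barrier_id:
            raise DuplicateBarrier(f"{barrier.name!r} already exists as {known}")
        self._id_by_name[key] = barrier.barrier_id
        return self.by_id.setdefault(barrier.barrier_id, barrier)

    def attach(self, top_event, barrier_id):
        # Raises KeyError if the barrier was never registered.
        self.bowties.setdefault(top_event, set()).add(self.by_id[barrier_id].barrier_id)

    def record_finding(self, barrier_id, finding_id):
        # One update to the shared record; returns every top event that depends on it.
        barrier = self.by_id[barrier_id]
        barrier.evidence.append(finding_id)
        if barrier.state == "active":
            barrier.state = "degraded"
        return sorted(te for te, ids in self.bowties.items() if barrier_id in ids)

def demo():
    reg = BarrierRegistry()     # every ID and name below is constructed sample data
    reg.register(Barrier("BAR-001", "Crew fatigue management", "J. Doe", "procedural"))
    for top_event in ("CFIT", "Runway excursion", "In-flight fire"):
        reg.attach(top_event, "BAR-001")
    rejected = False
    try:
        reg.register(Barrier("BAR-999", "crew  fatigue management", "A. Roe", "procedural"))
    except DuplicateBarrier:
        rejected = True
    return rejected, reg.record_finding("BAR-001", "AUD-0001"), reg.by_id["BAR-001"].state
```

Calling `demo()` shows the second registration being refused and a single audit finding surfacing against all three top events that share the barrier.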

06

Connecting the bowtie to operational data

The four principles above are inert without one more thing: the operational data the barriers depend on must be flowing into the same system. Three flows matter:

Occurrence reports. Each occurrence is classified against its hazard. The hazard's top event is the centre of one or more bowties. The occurrence becomes a piece of evidence about which barriers held, which were bypassed, and which failed. The bowtie's next view should reflect the occurrence within hours, not within the next quarterly review.

Audit findings. A finding against the procedure backing a preventive barrier is a degradation signal for that barrier. Effectiveness drops to “degraded” until the corrective action verifies effectiveness. The bowtie's composite risk reflects that.

Training and competency records. Many barriers are behavioural — they depend on crew skill or knowledge. Expired training on a barrier-relevant competency degrades the barrier; renewed training restores it. The connection is structural, not assumed.

An operator with these three flows running into a bowtie-aware safety platform has a different conversation at the safety review board than an operator with static diagrams. The conversation moves from “here is the diagram we drew last May” to “here is the bowtie as of this morning, and here are the three barriers that have degraded since the last meeting.”

The signal a connected bowtie produces

Three barriers degraded since the last safety review board. Two from open audit findings; one from a recent occurrence that bypassed it. The composite risk score on three top events has moved from amber to red. The meeting agenda writes itself.

07

Scoring barriers, tracking degradation

IOGP Report 415 (Asset Integrity – the Key to Managing Major Incident Risks) and the CCPS bowtie guidelines both recommend a four-level barrier effectiveness scale. Adapted for aviation:

  • Effective. The barrier is in place, owned, verified within the audit window, with no open findings.
  • Partially effective. The barrier is in place but has at least one open finding, an expired verification, or an ambiguous owner.
  • Degraded. The barrier exists but has materially failed in a recent occurrence or has multiple open critical findings.
  • Failed / absent. The barrier is documented but not in fact present in the operation, or has been removed without replacement.

The composite risk on a top event is then a function of: number of preventive barriers, their effectiveness scores, the historical occurrence rate against this hazard, and the consequence severity weighted by recovery-barrier effectiveness. A platform that tracks all of this updates the score whenever any underlying record changes.

The trap to avoid: scoring barrier effectiveness as a quarterly subjective judgement. The score should be derived from the underlying records, not asserted by a workshop. If an assessor disagrees with the derived score, that is information — investigate why the records say what they say.
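One way to derive the four-level score from records and surface assessor disagreements, added here as an example and not taken from IOGP, CCPS or any vendor's tool. The field names, the 365-day audit window, and the reading of "multiple" as two or more are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AUDIT_WINDOW = timedelta(days=365)  # assumption: the article gives no window length

@dataclass
class BarrierRecords:
    present: bool                   # actually in place in the operation
    owner: Optional[str]            # named person; None if ownership is ambiguous
    last_verified: Optional[date]
    open_findings: int = 0          # all open findings, critical ones included
    open_critical: int = 0
    failed_in_recent_occurrence: bool = False

def derive_effectiveness(r, today):
    """Map the underlying records onto the four-level scale, worst case first."""
    if not r.present:
        return "failed/absent"
    if r.failed_in_recent_occurrence or r.open_critical >= 2:
        return "degraded"
    stale = r.last_verified is None or today - r.last_verified > AUDIT_WINDOW
    if r.open_findings >= 1 or stale or not r.owner:
        return "partially effective"
    return "effective"

def disagreements(asserted, records, today):
    """Barriers whose workshop-asserted score differs from the derived one."""
    derived = {bid: derive_effectiveness(r, today) for bid, r in records.items()}
    return {bid: (asserted.get(bid), d) for bid, d in derived.items()
            if asserted.get(bid) != d}

TODAY = date(2024, 6, 1)            # constructed sample data from here on
RECORDS = {
    "BAR-001": BarrierRecords(True, "J. Doe", date(2024, 3, 1)),
    "BAR-002": BarrierRecords(True, "J. Doe", date(2022, 1, 10)),    # stale verification
    "BAR-003": BarrierRecords(True, None, date(2024, 5, 1), 3, 2),   # two critical findings
    "BAR-004": BarrierRecords(False, "A. Roe", date(2024, 5, 1)),    # retired, not replaced
}
ASSERTED = {"BAR-001": "effective", "BAR-002": "effective",
            "BAR-003": "partially effective", "BAR-004": "effective"}
```

`disagreements(ASSERTED, RECORDS, TODAY)` returns the three barriers where the workshop score and the records diverge, which is the list to investigate rather than overwrite.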

08

The bowtie as a living artifact

A static bowtie is a deliverable. A connected bowtie is an instrument. The difference is what shows up at the safety review board. With a static bowtie, the board reviews the diagram from the last workshop, decides it's mostly still right, and moves on. With a connected bowtie, the board reviews the three barriers that have changed effectiveness since last meeting, agrees on the corrective actions, and assigns owners.

The same operator, with the same hazards, running the same review board, has a completely different conversation. One conversation rationalises a diagram. The other one runs a safety system.

ICAO Doc 9859 does not mandate bowtie analysis as such; it does mandate Safety Risk Management as a pillar, with hazard identification, risk analysis, and control implementation. Bowtie is the most expressive available tool to do those three things in one structured artifact — which is why the operators doing them well have moved past the spreadsheet, regardless of what their framework guidance does or doesn't say.

09

Frequently asked questions

What is bowtie analysis in aviation?

Bowtie analysis is a visual barrier-modelling technique that places a top event in the centre, the credible threats that could cause it on the left, the consequences if it materialises on the right, and the preventive and recovery barriers between them. The technique originated in chemical process safety (CCPS, IOGP) and is now widely used by mature ICAO Annex 19 aviation operators to make defence-in-depth explicit.

What is a top event in a bowtie?

A top event is the moment the hazard is no longer controlled — not the cause, not the consequence, but the loss-of-control instant in between. For example, "loss of separation between aircraft" is a top event; "mid-air collision" is a consequence; "incorrect ATC clearance" is a threat. Choosing the top event precisely is the hardest and most important step in constructing a useful bowtie.

What is the difference between preventive and recovery barriers?

Preventive barriers sit between threats and the top event — they stop the threat from materialising into a loss of control. Recovery barriers sit between the top event and its consequences — they limit damage once the top event has occurred. Both are typed records with an owner, a type (engineering, procedural, behavioural), an effectiveness rating and a verification source. They are structurally identical; their placement in the bowtie is what makes one preventive and the other recovery.

Why do spreadsheet bowties fail?

Spreadsheet and slide-based bowties fail for four reasons: (1) the diagram diverges from reality the moment the workshop ends; (2) barriers are strings, not typed records linked to audit evidence; (3) cross-bowtie barrier reuse is invisible — the same fatigue management barrier in five bowties is five different strings; (4) operational data (occurrences, audits, training) lives elsewhere, so the bowtie is updated, if at all, quarterly. A static bowtie is a deliverable; a live one is an instrument.

How can barrier effectiveness be connected to operational data?

Barrier effectiveness becomes a derived quantity when the barrier is a typed record referencing live evidence: open audit findings against the procedure that backs the barrier, occurrences in which the barrier was bypassed or failed, expired training on a relevant competency, and the verification cadence. Each input shifts effectiveness through a four-step scale (effective → partially effective → degraded → failed). The composite risk score on the top event then updates whenever any underlying record changes, not on a workshop schedule.

10

References

  • CCPS — Bowtie Method (Center for Chemical Process Safety). The canonical guidance on bowtie construction across process industries, with examples adaptable to aviation.
  • IOGP Report 415 — Asset Integrity, the Key to Managing Major Incident Risks. Bowtie methodology and barrier effectiveness scoring from oil & gas, widely cross-referenced in aviation safety texts.
  • James Reason — Managing the Risks of Organizational Accidents (1997). The Swiss Cheese model that underpins the defence-in-depth thinking the bowtie expresses visually.
  • ICAO Doc 9859 — Safety Management Manual, fourth edition (2018). Section 2.7 on Hazards and Section 5.3 on Safety Risk Assessment.
  • EUROCONTROL Safety Letter 11 — Bowtie Modelling. Aviation-specific worked examples and pitfalls.
  • BowTieXP, RiskHive (commercial tools). Two of the better-known dedicated bowtie systems; reference points for what software-based bowtie can look like.