Bow-tie hazards,barriers you can audit.
Every hazard is a bow-tie: threats on the left, the top event in the middle, consequences on the right, with barriers between them. Each barrier carries a status you can audit (effective, weak or failed) that updates when it is tested. Hazards link to the SPIs that watch them and the occurrences that prove them real.
A barrier status is a fact, not a colour on a slide.
Every barrier between a threat and the top event carries an audited status. When an occurrence shows a barrier failed, the register updates and the SPI watching it hears about it. The hazard picture reflects the operation, not last year's workshop.
The capabilities, on one record.
Threats, top event and consequences on one model, with the barriers between them named and owned.
Each barrier carries a status (effective, weak, failed) that updates when tested, not a colour someone painted once.
Every hazard links to the safety indicators that watch it, so drift on a barrier trips a signal.
When an occurrence weakens a barrier, it links straight to the hazard. The register is proven by the operation.
Real records, one reference each.
Every record carries a stable reference and a source on every field. Nothing is silently overwritten, and the trail is the record.
Every hazard is a bow-tie, not a line in a log
Barrier status is audited, not assumed
Hazards link to the SPIs that watch them
An occurrence that fails a barrier updates the register