It’s not enough just to identify risks. They need to be managed: analysed, evaluated, monitored and communicated. BowTie is a scenario based risk management tool which helps to accomplish these tasks and to answer questions like: “Where are we most exposed to risk?”, “do we have enough (or too many!) safety measures in place?”, “are our safety measures actually performing the way we intend?”
What is a BowTie?
BowTie is primarily a qualitative risk analysis tool. The complex nature of the aviation operating environment and the impossibility (in practical terms) of quantifying all the interactions (between people, equipment, time, weather, organizational factors, etc.) makes the qualitative approach particularly appropriate for safety risk assessments within the aviation industry.
Accidents rarely follow identical pathways so it is necessary to consider multiple potential scenarios. By looking at a particular hazard and an associated undesired state (the ‘top event’), BowTie methodology lets you consider multiple triggering events and multiple outcomes within a single analysis.
Another particular strength of the methodology is that it goes beyond a basic consideration of what controls may be in place to manage a hazard - it extends into an examination of the ways in which the controls might have their effectiveness degraded and how these ʻescalation factorsʼ may be managed.
BowTie is also well suited to risk communication too. The method is designed to give a better overview of the situation in which certain risks are present; to help people understand the relationship between the risks and organizational factors.
What’s in a basic BowTie Diagram?
Risk in BowTie methodology is elaborated by the relationship between Hazards, Top Events, Threats and Consequences. Controls are used to display what measures an organization has in place to control the risk. The objects in the diagram are laid out in a sequential order flowing from left to right according to where they would be expected to act within the particular scenario. They are defined as follows:
A hazard is defined by EASA as: “The condition, object or activity with the potential of causing injuries to personnel, damage to equipment or structures, loss of material or reduction of ability to perform a prescribed function”. Hazards are commonly part of the normal operating environment and may in fact be something an organization accepts a certain exposure to. Rather than being something that an organization seeks to eliminate it is often more appropriate to focus on managing the hazard effectively.
As long as a hazard is controlled, it is in an acceptable state. For example operations in marginal visual meteorological conditions (VMC) may be considered acceptable so long as they are adequately managed. But certain events can cause the hazard to be released. In BowTie methodology such an event is called the Top Event.
The Top Event is not a catastrophe yet, but the dangerous characteristics of the hazard are now in the open. For example: a loss of external visual references. It is not a major disaster yet, but if not mitigated correctly it can result in more unwanted events (consequences). There may be several Top Events related to a particular Hazard.
Often there are usually several factors that could cause the Top Event. In BowTie methodology these are called Threats. In the cause and effect relationship between Threat and Top Event, each Threat should individually be sufficient cause for the Top Event to occur if no measures are taken to control it. For example: inadvertently flying into conditions below VMC is sufficient to cause a loss of external visual references.
When a Top Event does occur it can lead to certain potential consequences. A consequence is a potential event resulting from the release of the Hazard which results directly in loss or damage.
Consequences in BowTie methodology are unwanted events that an
organization ʻby all meansʼ wants to avoid. For example: Controlled Flight Into terrain (CFIT).
Risk management is about controlling risks. This is done by placing barriers to prevent certain events form happening. A Control can be any measure taken that acts against some undesirable force or intention, in order to maintain a desired state.
In BowTie methodology there are proactive Controls (on the left side of the Top Event) that prevent the Top Event from happening. For example: weather forecasts. There are also reactive Controls (on the right side of the Top Event) that prevent the Top Event resulting in unwanted consequences. For example: transitioning to instrument flight. A third Control classification is the Escalation Control, used to manage Escalation Factors.
In an ideal situation a Control will stop a Threat from causing the Top Event. However, most Controls are not a 100% effective. There are certain conditions that can make a Control fail. In BowTie methodology these are called Escalation Factors.
An Escalation Factor is a condition that leads to increased risk by defeating or reducing the effectiveness of a control. By examining the Escalation Factors (and the Escalation Controls that are used to manage them), the methodology reveals important factors that many other types of risk analysis fail to consider. For example: flight crew not proficient in Instrument Flight.
Additional Information on the Diagrams
The colour of the various objects within the diagram can be modified and/or additional text added in order to display additional information. Its pretty typical to depict the effectiveness rating of a Control using an intuitive colour scale from red through green. But lots of additional valuable information can also be shown. For example, whilst all the depicted Controls may be considered to be part of the overall management of a Hazard, not all Controls are of equivalent criticality. Therefore, Controls that are considered to be highly important may be highlighted by the use of the term ʻCriticalʼ in an additional text box. There are many more possibilities, such as linking responsible post holders and documents to the diagram elements and defining activities required to support the Control.
Rating the Risk
Once all the elements of the BowTie have been considered, we are in a good position to make a
well-educated estimation of the severity of a potential consequence and the probability that it will actually occur. From there we enter a traditional risk matrix and make a final determination of the level of risk exposure.
Every organization will have its own ideas about what is appropriate. For example, what is considered acceptable risk and what is not. A sample generic matrix is shown below. The various colors reflect an As Low As Reasonably Practicable (ALARP) scale with:
- Green is ʻlowʼ (acceptable as is);
- Yellow is ʻmediumʼ (which requires management attention);
- Orange is ʻhighʼ (which requires senior management attention);
- Red is ʻextremeʼ (which is unacceptable and operations under these conditions must cease
Strictly necessary cookies guarantee functions without which this website would not function as intended. As a result these cookies cannot be deactivated. These cookies are used exclusively by this website and are therefore first party cookies. This means that all information stored in the cookies will be returned to this website.
Functional cookies enable this website to provide you with certain functions and to store information already provided (such as registered name or language selection) in order to offer you improved and more personalized functions.
Performance cookies gather information on how a web page is used. We use them to better understand how our web pages are used in order to improve their appeal, content and functionality.
Marketing / Third Party Cookies originate from external advertising companies (among others) and are used to gather information about the websites visited by you, in order to e.g. create targeted advertising for you.