ProperSafe BowTie

Learn the bow-tie method

A 10-minute primer for people who haven’t been trained in bow-tie risk assessment. Based on established bow-tie methodology and the ICMM Critical Control Management good practice approach.

Why bow-ties?

Most safety effort goes into frequent, minor events. But the things that cause paper cuts aren’t the things that kill people. Bow-tie analysis focuses on your critical risks — the rare events with the worst outcomes — and makes visible the controls that stand between normal work and disaster. One picture shows: what could go wrong, why, how bad it gets, and what you’re relying on to stop it.

The anatomy of a bow-tie

[Diagram: a bow-tie. The hazard sits above the top event (loss of control) in the centre. Threats 1–3 are on the left, each line carrying its controls (← PREVENT); Consequences 1–2 are on the right, each line carrying its controls (MITIGATE →).]

Hazard

Something in your business with the potential to cause harm — usually an energy source (gravity, electricity, moving machinery, chemicals) or hazardous activity. It’s part of normal operations: you don’t remove it, you control it.

Top event

The moment you lose control of the hazard — the knot in the middle of the bow-tie. Control is lost but the worst hasn’t happened yet: “person falls from height”, “loss of containment”, “ignition event”. If your top event mentions injury or damage, it’s a consequence — wind back.

Threats

The causes, on the left. Each threat must be able to lead to the top event on its own. Don’t list control failures (“lack of training”) as threats — name the direct cause.

Consequences

The credible outcomes, on the right — think maximum foreseeable loss across people, plant, environment, legal and reputation. Be specific: “fire spreads through facility”, not “damage”.

Controls (barriers)

The boxes on each line. Preventive controls (left) stop a threat causing the top event; mitigating controls (right) limit the harm afterwards. A control is a specific act, object or system that could stop the event by itself — something you could audit.

Escalation factors

Conditions that defeat or degrade a control — “spotter distracted during peak loads”. Each escalation factor should have its own controls defending the main control.

What makes a risk critical?

A critical risk (some industry guides, like ICMM's, call this a “material unwanted event”) is one whose potential consequence exceeds the threshold your business decides warrants the highest level of attention — most commonly: could this credibly kill or permanently impair someone? Base the test on consequence, not likelihood — fatal events are rare by nature, and if you rank by frequency they get drowned out by minor stuff (the “tyranny of the frequent”).

  • Scan your risk register, incident and near-miss history, and industry fatality data.
  • Ask workers — they usually know what could kill them.
  • Expect roughly 5–15 critical risks for most businesses, not 50.

What makes a control critical?

From the ICMM good practice guide, ask of each control:

  1. Is it crucial to preventing the event, or to limiting its consequences?
  2. Would its absence or failure significantly increase the risk, despite all the other controls?
  3. Does it protect against several threats (or mitigate several consequences) at once?

If yes, mark it critical — then make it real. Every critical control needs:

  • A performance standard — what the control must do, to what standard, measurable in the field.
  • An accountable owner — a named role responsible for it being in place and effective.
  • Verification activities — checks that it works in practice (field observation, function tests, records audits), not just on paper, at a defined frequency.

If everything is critical, nothing is. A handful of well-verified controls beats a long list of weak ones. And when verification finds a critical control absent or failed — that’s a stop-and-fix trigger, not a footnote.

Quality checklist

  • Top event = loss of control, not the harm itself.
  • Each threat can cause the top event on its own.
  • No threat line left without controls — a bare line is a finding.
  • Controls are specific and auditable (“spotter checks loads before compaction”, not “training”).
  • Right-hand side is credible — serious events need recovery measures too.
  • Critical controls have owner + performance standard + verification.

The Coach tab in the editor checks these automatically as you build.
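
The structurally checkable items of this checklist can be tested mechanically. The following is an added example, not ProperSafe's Coach code: the `Control` and `BowTie` classes, the `lint` function and both word lists are assumptions made for illustration. The two items that need judgement (whether a threat can cause the top event on its own, whether the right-hand side is credible) are left to the reviewer.

```python
from dataclasses import dataclass, field

# Assumed word lists: harm words suggest the top event is really a consequence;
# vague control names are ones that cannot be audited as written.
HARM_WORDS = ("injury", "injured", "fatality", "death", "damage")
VAGUE_CONTROLS = {"training", "awareness", "procedure", "ppe"}

@dataclass
class Control:
    name: str
    critical: bool = False
    owner: str = ""
    performance_standard: str = ""
    verification: str = ""

@dataclass
class BowTie:
    hazard: str
    top_event: str
    threats: dict = field(default_factory=dict)       # threat -> [preventive Control]
    consequences: dict = field(default_factory=dict)  # consequence -> [mitigating Control]

def lint(bt):
    """Return findings for the checklist items that can be checked structurally."""
    findings = []
    if any(word in bt.top_event.lower() for word in HARM_WORDS):
        findings.append(f"top event '{bt.top_event}' reads like a consequence")
    # A bare line on either side is reported: threats need preventive controls,
    # consequences need recovery measures.
    for side, lines in (("threat", bt.threats), ("consequence", bt.consequences)):
        for line, controls in lines.items():
            if not controls:
                findings.append(f"{side} '{line}' has no controls")
            for c in controls:
                if c.name.strip().lower() in VAGUE_CONTROLS:
                    findings.append(f"control '{c.name}' is not specific or auditable")
                missing = [attr for attr in ("owner", "performance_standard", "verification")
                           if c.critical and not getattr(c, attr).strip()]
                if missing:
                    findings.append(f"critical control '{c.name}' lacks {', '.join(missing)}")
    return findings

# Constructed sample bow-tie with deliberate defects.
SAMPLE = BowTie(
    hazard="working at height",
    top_event="person falls from height and is injured",
    threats={"unprotected edge": [Control("edge guardrail fitted", critical=True, owner="site supervisor")],
             "ladder slips": []},
    consequences={"fall to lower level": [Control("training")]},
)
```

Calling `lint(SAMPLE)` returns one finding per defect; an empty list means the structural checks pass, not that the bow-tie is complete.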