Bow-Tie Analysis: 7 Critical Control Gaps
Bow-Tie Analysis works only when leaders verify critical controls, owners, degradation factors, and SIF exposure in the field before failure.
Key takeaways
- Diagnose the top event as the exact moment control is lost, because broad hazard labels make every barrier look relevant and nobody accountable.
- Separate preventive barriers from mitigating barriers so rescue, emergency response, and PPE do not excuse weak design, isolation, maintenance, or permit controls.
- Audit degradation factors such as fatigue, contractor turnover, skipped maintenance, and production pressure, since these conditions quietly weaken barriers before incidents occur.
- Connect every critical control to a named owner, field evidence, and a leading indicator that executives can review before TRIR or DART changes.
- Request an ACS Global Ventures diagnostic when your Bow-Tie diagrams need to become control-verification routines rather than static workshop outputs.
ISO 31010:2019 lists Bow-Tie among recognized risk assessment techniques, yet many EHS teams still use it as a workshop poster rather than a control-verification system. This article shows how an EHS manager can use Bow-Tie Analysis to expose seven critical control gaps that a risk matrix, TRIR dashboard, or generic hazard register will usually miss.
When the team is still deciding which technique fits the job, the comparison of HAZOP, FMEA and Bow-Tie helps separate process-deviation analysis, failure-mode analysis and critical-control governance.
Why Bow-Tie Analysis fails when it stays on paper
Bow-Tie Analysis is useful only when it connects hazards, top events, preventive barriers, mitigating barriers, degradation factors, and verification owners in one living risk picture. ISO 31010:2019 treats the method as a structured way to understand event pathways, while the Center for Chemical Process Safety and Energy Institute guidance has made barrier thinking common in high-hazard operations.
The weak version of the method is easy to recognize because it produces a beautiful diagram with no field test behind it. As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture is not what the company declares but what the operation repeats when the supervisor is absent and production pressure is high.
For an EHS manager, the practical decision is whether the Bow-Tie will remain a risk workshop deliverable or become a monthly control effectiveness verification routine. If it does not change inspections, maintenance priorities, permit-to-work quality, contractor controls, and supervisor conversations, the diagram is only another document competing with risk matrix scoring for attention.
1. The top event is vague, so every control looks relevant
A Bow-Tie starts with the top event, which is the moment control over a hazard is lost, not the worst consequence itself. In a confined-space entry, for example, the top event may be an oxygen-deficient atmosphere during entry, while the consequence may be fatal asphyxiation or multiple-rescuer exposure.
When teams write the top event as a broad hazard, such as working at height, chemical handling, or vehicle movement, they blur the exact loss-of-control point. Across 25+ years leading EHS at multinationals, Andreza Araujo has observed that vague risk language lets every department agree in the room while nobody changes the work method in the field.
The practical test is simple enough for a supervisor to apply during a 30-minute review or a pre-mortem safety review. Ask whether the top event could be filmed in one specific moment, because if the team cannot identify the instant control is lost, it cannot verify the barriers that are supposed to stop that loss.
2. Preventive barriers are mixed with administrative wishes
Preventive barriers must stop a threat from reaching the top event, while administrative wishes only express what the organization hopes people will remember. The hierarchy of controls remains decisive here because elimination, substitution, engineering controls, and interlocks normally carry more defensive strength than a procedure that nobody has time to read.
What most Bow-Tie workshops fail to admit is that training is often listed as a barrier even when the task depends on engineering design, isolation, ventilation, guarding, or access control. The weakness spreads quickly because 1 weak procedural barrier can create the illusion of control across several threat lines, especially when the same training record is copied into every branch of the diagram.
The EHS manager should classify each preventive barrier by type and ask whether it can fail silently. If the answer is yes, the barrier needs a verification activity, an accountable owner, and a trigger for escalation when it is not working.
3. Mitigating barriers are treated as proof that risk is acceptable
Mitigating barriers reduce severity after the top event has happened, but they do not prevent the loss of control. Emergency response, rescue plans, spill kits, fire suppression, and first-aid capability matter because they reduce harm, although they should never justify weak prevention on the left side of the Bow-Tie.
During the PepsiCo South America tenure, where the accident ratio fell 50% in six months, Andreza Araujo learned that leaders often fund response capacity faster than they redesign the work that creates exposure. That pattern feels decisive because it is visible, but it can leave the serious injury and fatality pathway untouched.
A working-at-height scenario illustrates the point. A rescue plan is essential, yet working-at-height rescue planning cannot compensate for missing anchor-point design, poor permit review, or a supervisor who does not stop the job when weather changes.
4. Degradation factors are left out of the diagram
Degradation factors are the conditions that weaken a barrier before anyone notices the barrier has failed. They include fatigue, skipped maintenance, contractor turnover, unavailable parts, unclear handover, production pressure, poor labeling, and field adaptations that become normal because the operation has survived them before.
James Reason's Swiss Cheese Model helps explain why this matters, since serious events rarely depend on one active error alone. They emerge when latent weaknesses line up with local conditions, which is why a Bow-Tie without degradation factors usually overstates the real strength of the control system.
The application is to add a degradation question to every barrier review. Ask what would make this barrier unavailable, bypassed, misunderstood, or ineffective this month, then assign one verification action that can detect that weakening before the top event occurs.
5. Verification is assigned to job titles, not named owners
Critical controls need named ownership because a title does not perform a field check. In many Bow-Tie files, the owner column says maintenance, operations, EHS, or contractor management, which means the control has no accountable person when the monthly review exposes a failed inspection or overdue test.
In more than 250 cultural transformation projects supported by Andreza Araujo's team, weak ownership has been a recurring sign of compliance theater. The procedure exists, the audit checklist exists, and the dashboard exists, although the person who must stop work when the control is unavailable has never been named with authority.
The EHS manager should convert each critical control into a one-line assurance standard. The standard should state the control, the owner, the verification method, the frequency, the evidence, and the escalation rule, because each missing item becomes a place where risk can hide.
6. Bow-Tie outputs are not connected to leading indicators
Bow-Tie Analysis becomes stronger when each critical control produces a leading indicator that measures control health before an incident occurs. Near-miss quality, overdue preventive maintenance, failed permit audits, bypassed interlocks, and incomplete field verifications tell the organization more about SIF exposure than the absence of injuries last month.
This is where the method becomes more valuable than a lagging dashboard. TRIR, DART, and LTIFR can stay low while fatal exposure is rising, which is why leading indicators for serious risk must come from the barriers that stand between a threat and a consequence.
A set of 7 to 12 critical controls per major hazard is usually a more manageable executive dashboard than dozens of low-value activity metrics, provided each control has evidence from the field rather than self-reported confidence from a meeting.
7. Incident investigations do not update the Bow-Tie
Incident investigations for SIFs should feed the Bow-Tie because every event tests a theory about how the organization believed risk was controlled. If the investigation finds a barrier failed, was missing, or was bypassed, the diagram must change along with the action plan.
Andreza Araujo's Portuguese title Sorte ou Capacidade, translated as Luck or Capability, argues that accidents are systemic events rather than isolated bad luck. That thesis matters because an investigation that stops at operator behavior will rarely update barrier design, degradation controls, or executive assurance routines.
The practical move is to add one Bow-Tie review step to the RCA closeout. Before closing the action plan, the team should identify which threat line changed, which barrier failed, and whether the same weakness appears in another major hazard scenario, especially where RCA can fall into the operator-error trap.
Comparison: weak Bow-Tie vs control-verification Bow-Tie
The difference between a weak Bow-Tie and a useful Bow-Tie is not the software, the color coding, or the number of boxes. The difference is whether the diagram changes how leaders verify risk in the workplace where exposure actually occurs.
| Dimension | Weak Bow-Tie | Control-verification Bow-Tie |
|---|---|---|
| Top event | Broad hazard label | Specific loss-of-control moment |
| Barrier quality | Procedures and training copied across branches | Controls classified by strength, evidence, and failure mode |
| Ownership | Department name | Named owner with authority and escalation rule |
| Indicators | Lagging injury rates and generic audit scores | Leading indicators tied to critical control health |
| Investigation link | Diagram stays unchanged after events | RCA updates threat lines, barriers, and degradation factors |
What the EHS manager should do in the next 30 days
An EHS manager should start with one major hazard rather than trying to rebuild the entire risk register. Pick the hazard with credible SIF potential, map one Bow-Tie, and test the current controls with supervisors, maintenance, contractors, and operators who know how the job is really done.
The 30-day output should not be a finished diagram. It should be a verified list of critical controls, weak degradation factors, named owners, and leading indicators that the leadership team will review monthly because those items decide whether the operation is depending on capability or luck.
Each month without critical control verification allows old risk scores to look stable while field conditions change, especially in operations with contractor turnover, equipment aging, overtime pressure, and high-energy tasks.
Bow-Tie Analysis should change the conversation about risk
Bow-Tie Analysis earns its place when it forces leaders to stop asking whether a risk is red, yellow, or green and start asking whether the critical controls are present, effective, verified, and owned. That shift is the difference between a diagram that explains risk and a management routine that reduces SIF exposure.
If your operation needs to connect ISO 31010 methods, SIF prevention, leading indicators, and safety culture into one practical implementation plan, ACS Global Ventures can support the diagnostic and implementation work through Andreza Araujo. Safety is about coming home, and the controls that make that possible need proof in the field.
Frequently asked questions
What is Bow-Tie Analysis in occupational safety?
How is Bow-Tie Analysis different from a risk matrix?
When should an EHS manager use Bow-Tie Analysis?
Does Bow-Tie Analysis prevent serious injuries and fatalities?
Where should a company start with Bow-Tie Analysis?
About the author
Andreza Araujo
Global Safety Culture Specialist
Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.
- Civil Engineer (Unicamp)
- Occupational Safety Engineer (Unicamp)
- Master in Environmental Diplomacy (University of Geneva)