Professional Documents
Culture Documents
Bowtie is one of many barrier risk models available to assist the identification and management of
risk and it is this particular model we have found (and are still finding) useful.
These pages explain:
This information is based on how the CAA has gone about producing their own bowties with
assistance from Across Safety and CGE.
There are different ways to go about a bowtie but we recommend trying different processes to see
what works for you. We hope you can see the benefits in our approach which has been based on the
bowtie software BowTie XP. However the terminology for the bowtie elements can be applied when
using other methods to create a model such as on Visio, post-it notes or in Excel spreadsheets.
The assessment of the bowtie elements which helps in identifying the safety and risk priorities can
also be applied without using the specific software it is all part of the risk conversation to appreciate
where those improvement areas are in the aviation system.
If you are part of the UK Aviation industry, you are able to access some starter bowties focusing on
the Significant Seven and the relevant risks. These bowties have been jointly constructed by industry
experts and colleagues from the CAA.
Bowtie is a visual tool which effectively depicts risk providing an opportunity to identify and assess
the key safety barriers either in place or lacking between a safety event and an unsafe outcome.
Bowtie models are a key component of Performance Based Regulation (PBR) and provide:
The bowtie model consists of different elements that build up the risk picture. The risk picture
revolves around the hazard (something in, around or part of an organisation or activity which has the
potential to cause damage or harm) and the top event (the release or loss of control over a hazard
known as the undesired system state).
Consideration is then turned to the threats (a possible direct cause for the top
event), consequences (results of the top event directly ending in loss or damage) and the controls (any
measure taken which acts against some undesirable force or intention).
The controls can be populated on either side of the model showing:
Left hand side of the model
The bowtie model explores the escalation factors (the reasoning to why a control may not be defeated
or less effective) of all controls allowing the allocation of escalation factor controls. These prevent the
escalation factors having an impact on the prevention or recovery controls. Further attributes, such as
control effectiveness or criticality can be allocated to the bowtie model to evaluate the risk picture as
part of an effective SMS.
Airport operators
ANSPs
Large and small aircraft operators (both fixed and rotary wing),
Ground service providers
Military
National Aviation Authorities (NAAs).
The origins of bowtie are to be found in a simplified fusion of fault and event tree methodologies.
In the 90s the oil and gas industry founded and developed the practical application of bowtie as a tool
to facilitate a better understanding of how risks were being managed. The benefits of the methodology
have since been recognised in numerous other industries including defence, medical, financial and the
aviation industry.
1. HAZARD
Step 1 to build the bowtie focusing on aspects with the potential to cause injuries, damage or loss
Whether you are building or interpreting a bowtie, the place to start is with the hazard.
This describes the potential source of harm under consideration. It will often describe a normal
aspect within the operating environment and sets the context and scope of the bowtie, for
example driving a car on a busy motorway this is an activity where risks are present.
A hazard can be focused on:
Hazards are often part of normal business activities and not necessarily something that can or
should be eliminated. There is also the possibility to have more than one top event from one
hazard as, for example, there would be a number of risk events associated in driving on a
motorway.
Definition
The condition, object or activity with the potential of causing injuries to personnel, damage to
equipment or structures, loss of material or reduction of ability to perform a prescribed function.
Guiding Principles
In the description of the hazard consider setting the context and scope for the bowtie
(e.g. defining the basic parameters within which the subsequent threats take place).
The scope of the Bowtie can be likened to zooming in or out when taking a picture. It
may be quite broad, where you capture the wider panorama or it may be quite specific,
where you zoom in on an area of particular concern.
The logical place to start is usually with the broad picture. However if you find that you
are not capturing the level of detail that is necessary for your purposes, it may be time to
revisit the hazard/ top event definition and zoom in.
TOP EVENTS
Step 2 which describes the undesired system state
The top event describes the point where we no longer have adequate control over the hazard.
It is usually what we consider to be an unsafe state that is not yet an accident. Therefore, top events
while not being disasters themselves have the potential to become disasters if nothing is done to
control them.
In our driving a car on a busy motorway example, the top event could be described as losing control
of the car.
Definition
A point in time which describes the release or loss of control over a Hazard. The undesired system
state.
Guiding Principals
The top event is described as a loss of control event (not relevant to the Significant Seven) but in a
context of an undesired safety state. By defining this, we are able to consider multiple potential causes
for the loss of control and the various potential outcomes (as opposed to considering just one fixed
accident chain).
If you find that you are not examining the area you are most interested in, consider if it would be
reasonable to redefine the top event either left or right to suit your needs.
Traps and Tips
Trap: Rushing into or persisting with a hazard/top event definition that is not addressing the
main area of interest adequately.
Tip: Remain flexible; it often takes several iterations before finding the best solution.
Trap: Hazards can have multiple top events. Attempting to capture complex issues within one
Bowtie can lead to confusing and overly large bowties.
o Tip: Remain flexible; consider the option of creating several manageable and logically
structured bowties as opposed to one overly large or confusing bowtie that does not
work very well.
THREATS
The bowtie depicts scenarios in a time ordered sequence moving from left to right.
The hazard and top event are at the centre of the diagram.
Threats are placed to the left of the top event.
They describe events that may cause an unsafe state if not managed with preventative controls.
Consider the top event and ask the question why or how could this occur. These causes are the
threats and need to be direct. There should be a logical cause and effect relationship between the
threat and the top event. The reader should be able to understand this relationship based on the threat
description.
In our example of driving a car on a busy UK motorway, a threat would be tyre blow out.
Definition
A possible direct cause that will potentially release a hazard by producing a top event.
Guiding Principles
It is usually helpful to describe the cause as a particular event (e.g. something that occurs),
which sets off the subsequent scenario that leads to the top event (and therefore the potential
consequences).
Threats should be plausible. The overall effectiveness of the bowtie will be enhanced by
concentrating on threats that are considered plausible rather than overwhelming the diagram
with extraneous possibilities.
Each threat should be capable of causing the top event independently (e.g. it should not be
necessary for several threats to occur simultaneously).
In terms of ordering the threats (e.g. position top to bottom in the bowtie), there is no
particular significance to placement however the convention is to place the most significant
threat at the top.
Trap: A very common mistake is to describe a control failure as a threat. For example,
describing a failure to stop at a holding point stop bar light as the threat in a runway
incursion scenario. In this case, the stop bar lighting would be a control that helps prevent an
incursion. The failure of this control does not cause a runway incursion, rather it allows the
dangerous scenario to progress further towards the undesirable outcome
o Tip: Take time to revisit the threat descriptions before moving onto further
development of the bowtie.
Ask the question: would this threat actually cause the top event? or what is the
actual cause?
Taking the example of failure to stop at a holding point stop bar light a causal factor
could be flight crew failed to follow clearance.
CONSEQUENCES
Step 4 in building the bowtie showing possible direct outcomes resulting in loss or damage.
Consequences should be expressed in operational terms (e.g. collision on the runway) so that
the scenario being controlled is clear to the reader.
Consequences
are
events
not
the
actual
loss
or
damage.
The loss or damage is the outcome against which severity is usually gauged. In certain
circumstances it can be desirable to include some brief information on the outcome within the
consequence description in order to clarify the issue for the reader (e.g. mid-air collision
resulting in the loss of both aircraft).
If the top event is not controlled, it should be capable of resulting in any of the consequences.
Trap:
o
o
Multiple
threat
or
consequence
lines
with
identical
controls.
Tip: Consolidate the threats or consequences. Unless there are specific differences in
the controls, using several lines usually does not add any value.
Tip: If you are managing the worst event, you are usually managing other less
significant outcomes (e.g. there is no value to be gained from including nothing
happens as a consequence.
PREVENTIVE CONTROLS
Step 5 to the bowtie to add any measures taken to prevent the threat and top event
Definition
Any measure taken which acts against some undesirable force or intention, in order to maintain a
desired state.
Additional Guidance (relevant to Prevention and Recovery Controls):
Usually there will already be numerous ways in which you seek to prevent the top event from
occurring.
The addition of these controls to the bowtie is the next step. The controls would look at two aspects of
threat management:
eliminating the threat completely, therefore making sure the threat is not present
and
preventing the threat from developing into a top event if the threat does become live.
In the example of driving a car on a busy motorway, to eliminate our threat of a tyre blow out, the car
owner would conduct regulator tyre inspections to identify any potential issues to lead to a tyre blow
out. If our threat becomes live and a tyre blow out occurs, our preventative control could be driver
steering into the skid to keep control.
Trap: Control descriptions that are too generic e.g. control: ATC.
o Tip: Describe what the control actually does with the reader in mind e.g.: ATC detect
incorrect presence on the runway and issue avoiding instructions. Try to include the
action that takes place to interrupt the sequence of events.
Trap: Incorrect level of detail for diagram elements.
o Tip: When deciding the level of detail to include for the description of any diagram
element there are several important considerations:
o Too little detail -- The diagram might be referred to by people separated by
time and location from the author (e.g. bowties are often used as a stand alone
poster). Sufficient detail should be included in the element descriptions so that
the reader can generally understand the authors intention without reference to
additional explanatory material.
Trap:
o
Tip: Include controls that are generally considered to be in place even if they have
very poor effectiveness. Using colours to depict control effectiveness will highlight
these areas for potential improvement.
See Recovery Controls for more additional guidance relevant to prevention controls
RECOVERY CONTROLS
Step 6 to the bowtie to add any measures taken to prevent the consequences
Similar to prevention controls, on the right hand side of the top event, controls are added that show
how the scenario is to be managed in order to stop an accident from occurring.
These controls are considered to reduce the likelihood of the top event developing into a consequence
as well as mitigating the severity of the consequence.
In our example of driving a car on a busy motorway, a reduction control would be anti-lock braking
system (ABS) to constrain the loss of control parameters to not affect other motorway users. A
mitigating control could be airbag activation acting against the fatality severity of the consequence.
Additional Guidance (relevant to Prevention and Recovery Controls)
Parallel Versus Sequential Controls
Controls will usually be sequential e.g. if one fails then the next one would come into play.
However, it is not uncommon for controls to be included which do not function in this way but
rather have an either/or type relationship (also known as parallel controls).
o For example, consider the following aircraft loading scenario: Load and trim
calculations are an important control against an incorrect distribution of load but there
are several ways in which this might be achieved:
a) central control system;
b) b) manual load sheet;
Independence of Controls
See Prevention Controls for Traps and Tips relevant to recovery control
ESCALATION FACTORS
Step 7 showing a condition that affects the performance of the controls in place
Adding information that examines how the controls may be degraded is an area where the bowtie
excels. It allows for the inclusion of a level of detail entirely appropriate to the management of
controls.
In
bowtie
these
are
known
as
escalation
factors.
In our driving a car on a busy motorway example, an escalation factor would be the driver lacking the
knowledge of how to counteract the tyre blow out, therefore the driver not appreciating the need to
steer into the skid to keep control.
Definition
A condition that leads to increased risk by defeating or reducing the effectiveness of controls (a
control decay mechanism)
Controls are seldom 100% effective and history teaches us that they do fail. We need to understand
the factors that cause this to happen.
An escalation factor is a condition that leads to increased risk by reducing the effectiveness of
controls. An escalation factor cannot directly cause the top event or consequence rather it increases
the likelihood that the scenario will progress because the associated control will be degraded or fail.
Guiding Principles
Escalation
factors
need
to
be
credible
and
significant.
Incorporate lessons learned from incidents and accidents. Safety occurrence reports normally identify
contributory
factors.
Escalation factors should not cause the top event (in this case they would be threats).
Traps and Tips
Trap: Escalation factor descriptions that are too generic e.g. radio does not work.
o
Tip: Escalation factors should define how or why the control is degraded. They
should identify the real cause of the failure.
Trap: Extensive use of escalation factors can make the size of the diagram explode, and this
impacts readability quite significantly. Adding escalation factors that are theoretically possible
but
in
reality
are
not
a
problem
adds
un-necessary
complexity.
o
Tip: For escalation factors which are considered to be a significant risk when working
on a higher-level generic issue, it is advised to bowtie that issue separately (e.g.
hazard: fatigue; top event: personnel suffering fatigue to the extent that they do not
perform to the expected standard)
The final step in terms of the bowties main elements is the addition of information that describes how
the escalation factors are managed.
These are similar to the other controls already described, the difference being that they function in a
different part of the diagram e.g. they control the escalation factors.
In our driving a car on a busy motorway example with the driver lacking the knowledge of how to
counteract the tyre blow out, a control for this could be advanced driver training is completed to
obtain this knowledge.
Definition
A control that manages the conditions which reduce the effectiveness of other controls.
Once the escalation factors are identified, the next step is to look at what controls we have in place to
manage them.
Guiding Principles
Focus on the escalation factor you are managing and not on the related control.
They dont act on threats or controls directly, as the name implies, they are acting to manage a
particular escalation factor.
The principals are generally as per those for other controls.
Trap: Whilst it is possible in theory to add escalation factors to the escalation factor controls
(they are after all just another type of control), this approach adds an undesirable level of
complexity
and
is
generally
not
required.
o
Tip: It is normal practice to build diagrams only to one level of escalation factor
Bowtie analysis in aviation SMS is a fairly new tool that is catching on with great success in aviation
risk management programs.
Simply put, the bowtie is one of the most effective risk management tools currently available to
aviation safety managers. It ties together previously distinct risk philosophies and tools into a single
purpose.
Just a few critical risk management items that the bowtie incorporates are:
Using the bowtie will expose all of these elements in one way or another, and it does so in a single,
concise visual chart. The bowtie relies on 4 elements to do this (explained more below) which are:
1.
2.
3.
4.
The bowtie will appear different from organization to organization as companies will create bowties
that functionally and visually suite their needs best. Some organizations will use a simplified version
of the bowtie, and others will use much more complex, verbose bowties. They may even appear
different each time you use them depending on what your goals are.
Purpose of the Bowtie in Risk Management
The explicit purpose of the bowtie is to show the flow of a safety event including:
When a bowtie is conducted in full, it gives a visual picture of the entire issue, from root causes to
impacts, including the risk control holes along the way.
The implicit purpose of the bowtie is to expose the important elements of your program, namely key
risk indicators and weak controls. Without the bowtie, piecing all of these elements together in a way
that shows how they function in context can be difficult and error prone.
Why The Bowtie Is the Best Risk Management Visualization Tool In Existence
Perhaps I am zealous about its potential uses, but I have seen it successfully employed for:
Teaching employees what risk management is and the role of hazards in an SMS program;
Methodical analysis in safety incident management;
Documenting preventative analysis in hypothetical scenarios;
Understanding and assessing your risk controls in context; and
Identify KPIs.
The list goes on, but you get the idea. It is versatile and suited for many different uses. Companies that
adopt the bowtie tend to if they use it right employ the bowtie with different goals for different
uses.
To this end though I have not seen it done in practice yet I strongly advise that when you perform
a bowtie analysis you should write a purpose or goal at the top of the bowtie. I recommend this
for three reasons:
1. Clarifies what you are currently looking for, and therefore what the pertinent information is;
2. Great reference point for immediately orienting you when you are looking back at previous
bowties; and
3. Allows you to create categories for organizing bowties.
You could establish ahead of time, for example, 3 or 4 different goals you might have when using
bowties. For example, Hypothetical safety case analysis, Safety incident analysis, Financial
Impact Analysis, and so on.
3 Step Process for Creating a Bowtie in Aviation SMS
Creating bowties is actually fairly simple as long as you follow the basic process and understand why
you are performing it. It goes like this. You have some kind of scenario, real or hypothetical. You
need to:
1 - Choose what the Top Event "loss of control incident" is
This top level event will be the main risk in the entire issue, the accident that arose from all of the
root causes (threats). For example, this would be the point at which The drive loses control of the
car, or The aircraft suddenly loses altitude.
Its important not to confuse the Top Event with downstream events or Impacts. Just remember that
your Top Event is the point or "incident" at which loss of control occurs.
2 - Ask But why about Top Event to find preceding upstream events and root causes
Its extremely important to make sure your root causes are accurate, because the root causes are the
threats around which you will create risk controls. Too often people confuse weak controls (e.g. lack
of training which is actually a weak control) with root causes (better would be Human Error).
The best indication that you have arrived at a root cause is that the threat is an ACTIVE verb as
opposed to a static, negative lack of X or no Y noun. Moreover, when you get to a spot where
your answer to But why? is simply Because it is, then you have probably found one root case. For
example: the car lost control. But why? Flat tire. But why? Nail in the road and there is not answer
to this. We found one good root cause: Road debris.
3 - Ask And then about Top event to find downstream events and impacts
To get from your Top Event to impacts, you will want to see the interim events that culminated in the
impact. To do this simply ask And then about your Top Event and subsequent events. The impacts
should be clear when you get there, because they are the outcome and output of the issue.
Final Thought: Bowtie Mistakes to Avoid, Rules to Follow
We spent a lot of time here already, so here are a few tips when conducting bowtie analysis in your
aviation safety program.
A report, Risk Analysis Chart, or other tool simply cannot match this kind of versatility. If you arent
already using a Bowtie, then I highly recommend you get started. If you are already using it, here are
3 ways you probably arent but should be.
1 Demonstrate the Importance of Compliance
I hardly need to tell you how important aviation SMS compliance is. You are working with it every
day perhaps to the point of exasperation. For countless organizations, part of this exasperation is
trying to convince other employees and managers that:
Now, we have for the most part seen two ways of how managers deal with compliance in their
organization:
Where applicable, you could plug in your organization-specific corresponding points in 20 minutes
and have something concrete and valuable to deliver to all stakeholders that would be significantly
more effective than a paragraph about new legislation.
2 Using During Aviation SMS Risk Impact Analysis
Evaluating the end potential of certain risks when they collide or line-up to use the Swiss Cheese
Reason Model can be a nebulous endeavor at best. This is because too often Risk Impact analysis in
aviation SMS makes managers feel like they need to jump from A to Z in one fell swoop. Know what
I mean?
The dangers here are numerous to name a few:
1. Incorrect assumptions about the flow of events in a scenario; which can lead to
2. Arriving at irrelevant Impact conclusions; and
3. Coming up with false Causes, the mistake here being that all too often managers start with
Events - a good example would be calling Lack of Training a cause, when in reality that is a
result of Human Error.
Using the Bowtie for risk impact analysis in aviation safety programs avoids these and similar errors.
For one, Bowties force to you literally create the flow of all causes/events/impacts visually together,
the benefit being that your erroneous assumption about flow of events will stick out like a sore thumb.
When you do this same activity in paragraph form, the basic fact is that its much harder to spot those
errors because all the pieces are not together and it is not visual. Likewise, the conclusions about
Impacts have a much higher likelihood of being closer to the mark if your events also make sense.
3 Cost Impact Scenario Analysis
Id like to branch off of Risk Impact Analysis which is essentially what Cost Impact Analysis is.
However, we live in a world where lives are, unfortunately, often measured by the bottom line
reputation damage and subsequent revenue loss. Thus, getting the impact of Costs right is critical.
So say your accountable executive comes up to you and says, What kind of damages are we looking
at if X happens?
Scenario 1: You could throw some number out there, like say 300 million. You could be spot on or
you could be wildly off the mark. Regardless, your boss is probably going to say, How the heck did
you come up with that number? And then you fumble around listing a bunch of reasons.
Scenario 2: You tell him to give you 20 minutes, and you map the Main Event, some preceding likely
causes and proceeding events. For one, now its much easier to say something like, Okay, X
happening will most likely lead to consequences A $100 million and consequence B $200 million for
a total of $300 million. This number could still be wildly off though its probably a much safer bet
than coming up with it off the cuff but now it looks (and probably is) much more legitimate.
In Scenario 2:
Most importantly to you, it makes you look like you know what youre talking about.
Final Thought: Resources for Using the Bowtie
At the very least, you can create a Bowtie with a pencil and piece of paper. No aviation safety
management software, no special program. Just your brain and ability to analyze a situations flow of
events.
Of course, the pen and paper way will take you a bit longer. Fortunately, PDF templates and online
resources are also readily available. Also, we will be unveiling a new module available to some
portals that will generate Bowties for you.
Check out our free Risk Management Solution and see how you can tie in a Bowtie.
Risk Analysis Charts - Aviation SMS Software Modules for Airlines & Airports
to deal with the corrective preventive actions to ensure the risk is mitigated and hopefully prevent
recurring events that share these types of risk. The next step in the risk management process may be to
classify the risk. Classifying the risk helps categorize risks and allows not only for immediate
understanding in the risk identification process, but also for future reports. A risk analysis not only
happens immediately after the reported incident, but repeatedly and at regular and irregular intervals
when upper level managers are attempting to understand the business risk they face. Understanding
business risk is important so management can budget for loss, training, equipment replacement, etc.
Therefore, classifying risk properly is very important not only in the immediate sense, but also for
future risk management processes.
Managers usually conduct their analysis of risk using charts and tabular reports. Without reports,
managers would not have an accurate picture of the business risk they face. SMS Pro has many
reports to help managers during the process of risk management. For example, there are the "Risk
Analysis Charts." These were formerly called "Quick Charts" because they allow managers to easily
review reported issues and identify challenges without requiring IT personnel to create these charts.
SMS Pro's complex charting tools allow managers to quickly determine which types of issues are
costing them the most time and money to manage business risk. These drill-down charts get one to the
heart of a risk analysis and provide incredible amounts of information. Risk Analysis Charts
(QuickCharts) and Financial Risk Analysis Charts (FinancialCharts) share basically the same
functionality as they allow managers to conduct their own ad-hoc analysis of risk.
Charts are broken out by "Number of Occurrences" in Risk Analysis Charts and "Financial Costs" in
Financial Risk Analysis Charts. Management easily applies date ranges and/or types of issues to
quickly see real-time reports by:
Types of Issues
Type of Processes Involved
Root Causes
Associated Risks/Hazards
Human Factors
Mission Delays (Flight Delays)
Key Performance Indicators
Status (open, closed, in progress...)
Department
Division
More sophisticated SMS Pro implementations can take data from multiple portals to analyze
business risk.
Understanding Risk Analysis Chart Numbers
Reported accidents and incidents can have multiple classifications attached to them. Often the
identified risks have overlapping classification types.
For another risk analysis example:
A bird strike is reported through the issue reporter. A manager working through the risk identification
process for this issue may add several "Type of Issue" classifications, such as:
Type of Business Process is an optional classification scheme companies can use to determine
whether business processes are faulty and may need modifications. Type of Business process is
classified in the Issue Manager under the "Classify" tab. Business processes are documented in the
Process Description Library. The Process Description Library affords management an opportunity to
document processes requiring change.
Root Cause originates from the Investigation in Issue Manager. Root cause analysis typically covers
Management responsibility, Procedures, Controls, Process Management and Interfaces. After
determining the contributing factors of an event, a root cause analysis is performed and corrective
actions established.
Key Performance Indicators (KPIs) measure critical success factors of an organization. Based on
carefully selected measures, aviation-related KPIs reveal a high-level snapshot of a dynamic,
functioning organization. KPIs vary depending on the kind of organization they characterize. For
example, an airport may have a KPI as the total runway overruns, while KPIs of a helicopter operator
may have to do more with the number of emergency landings. Since there are so many ways to
classify an issue, such as type of issue, root cause or type of business process, not every classification
is highly important to the organization. KPIs allow companies to focus on what matters most to them.
Associated Hazards come from the Proactive Hazard Analysis Tool. This list is generated
automatically and may be appended in the Investigation portion of the Issue Manager. After
discovering the root cause of an issue, managers may have discovered a new hazard. The ability to
easily add identified hazards to the Hazard Registry is important functionality of SMS Pro. Associated
hazards should also have identified risks and control measures to mitigate the risk and recovery
measures should the hazard occur.
Status/Type allows managers to see how many issues are open, closed, in progress, etc. Choosing the
"By Type" option displays the reported issues according to safety, security, quality or compliance.
Department reports show the number of issues reported that have been classified as belonging to
particular departments. Higher number of reported issues for a particular department may not
necessarily indicate a lack of quality or substandard performance. The department may merely have
an exceptional reporting culture, or the department may be highly represented within the company.
Division reports allow management to quickly see how many reports originate from each division.
Similar to departments, higher number of reported issues for a particular division may not necessarily
indicate a lack of quality or substandard performance. The division may merely have an exceptional
reporting culture, or the division may be more highly represented within the company.
Lagging and leading indicators for aviation SMS KPIs are often confused or misunderstood.
Even various online sources have conflicting, vague, or incomplete explanations of the difference
between the two.
Obviously, understanding how to select aviation SMS KPIs is extremely important, and its a topic
that often generates much interest from all levels of the aviation safety industry. Developing a solid
list of lagging and leading indicators is the process of understanding:
In theory, these generalizations sound reasonable enough, but in the actual practice of choosing
aviation key performance indicators they are considerably less clear. This is because there are literally
hundreds of safety metrics that managers can choose to monitor, and sorting out which leading and
lagging KPIs to focus on can be daunting. For this reasons, lagging KPIs tend to receive more
attention because they are easy to measure and are visually more impressive to represent than their
leading indicator counterparts.
Heres what you need to know about what lagging and leading indicators are in aviation SMS, and
how to adopt good aviation SMS KPIs based on those lagging and leading indicators.
What Are Lagging Indicators in Safety Programs?
KPI lagging indicators in aviation safety programs:
Lagging indicators are usefulness for seeing the output performance of an aviation SMS
program. Aviation SMS safety output is the self-evident data of the safety program. For example, a
lagging indicator metric would be the number of reported safety issues year over year. Another way
of looking at it is that lagging indicators give safety mangers feedback about the programs
performance.
Lagging indicators answer the WHAT of how the safety program is performing, but doesnt
necessarily answer the WHY of performance. It is for this reason that lagging indicator KPIs are easy
to measure but hard to improve. For example, the number of reported issues will change every year,
but that metric gives no indication of why the changes happen.
Lagging indicators exemplify the phrase past successes/failures are not future guarantees.
Concerning their usefulness:
They should be taken at face value, and are great proof of a programs performance; but
Should influence which leading indicator KPIs are focused on.
There are considerable more lagging indicator KPIs that can be used, but the more specific the KPI,
the better.
What Are Leading Indicators in Safety Programs?
KPI leading indicators in aviation SMS programs are:
Many leading indicators involve metrics of what managers put into the program, hence input of the
program, and are generally associated with proactive risk management. A useful way to think about
it is:
How much something is being done (i.e., how often are audits done);
Or behavior that involve acting on a program (i.e., average time to implement actions).
For this reason KPI leading indicators are easier to influence because it simply involves changing how
much something is being done, but the value of leading indicators is difficult to measure.
This is because leading indicators in and of themselves are generally not very useful but they
become extremely useful when correlated with lagging indicator performance data. For example,
correlating the number of internal inspections (leading) with critical-risk reported safety issues
(lagging).
Correlating leading indicators metrics well involves hunches, experience, and assumptions by aviation
safety managers.
Examples of Great KPI Leading Indicators in Aviation SMS Programs
A great strategy for identifying quality leading indicator KPIs is to look at the aviation SMSs lagging
indicator data and ask questions about that data. These questions are a good place to start when
considering leading indicators.
Some examples of great KPI leading indicators in aviation SMS programs that can be strongly
correlated with leading indicators are:
Developing superior KPIs will take time, research, and experience, as well as a solid understanding of
an organizations unique lagging and leading indicators.
Ground handling
In assigning the accountable industry sector, the bowtie templates have assumed that dispatchers and
loaders are under the direct control of the handling agent. Naturally this may not be the case for a
specific operator and this should be customised as required.
Bowtie 6.1 'Loading operations for large CAT fixed wing aircraft at UK Aerodromes/ Aircraft
significantly outside the operational mass and balance envelope'
Threat 1 'Aircraft loaded in accordance with incorrect load instructions generated by load controller'
includes three 'parallel' controls regarding the generation of an accurate load sheet e.g. one of those
controls would be expected to be in place in any given scenario, not all three.
For example they may be quite effective at limiting passenger and crew injuries/ fatalities following a
low energy collision scenario, however they may be ineffective in a high energy collision.
Bowtie 6.2 'Ground operations for large CAT fixed wing aircraft at UK Aerodromes / Significant
ground damage undetected prior to aircraft commencing take-off'.
When assessing the effectiveness of the controls within this bowtie consider how effective the
controls are regarding composite aircraft.
The threat "Ground service equipment/ vehicle impacts and damages parked aircraft" contains many
"impact and damage detected" controls. These controls are conducted by many different people
during pre-departure inspections. It is worth noting in the escalation factors (which need to be added)
that the objectives for those different people differ and whilst they are expected to notice damage,
each inspection is focused on different areas of the aircraft for different purposes
Runway excursions
Definitions
Go-Around: a manoeuvre that results when a pilot decides to abort an approach or landing.
General Notes
The effectiveness of the controls 'aircraft evacuation' and 'aerodrome emergency response
plan' are quite variable depending on the particular scenario.
For example they may be quite effective at limiting passenger and crew injuries/ fatalities
following a low energy collision scenario, however they may be ineffective in a high energy
collision.
Landings resulting in a runway excursion were considered to tend more towards the low
energy scenario and the effectiveness ratings were made accordingly.
Runway incursion
Definition
Runway incursion
Any occurrence at an aerodrome involving the incorrect presence of an aircraft vehicle or person on
the protected area of a surface designated for the landing and takeoff of aircraft.
General Notes
Where direct reference is available for a diagram element to EAPPRI (version 2) (European Action
Prevention Plan Runway Incursion), the reference has been included for your information. Please
note the document link is not live.
Control effectiveness ratings are for a typical UK aerodrome with the majority of operations being
CAT type.
Bowtie 4.1 'Large CAT fixed wing aircraft operating on the ground in or close to the protected area of
an active runway/ Incorrect presence of aircraft on the protected area'.
Recovery controls (to the right of the top event) are related with detection and avoidance manoeuvring
controls being dependant (e.g. detection will be of no value unless avoiding action is taken).
Control effectiveness of 'Aircraft evacuation' and 'Aerodrome Emergency Response Plan'.
The effectiveness of these controls is quite variable depending on the particular scenario.
For example they may be quite effective at limiting passenger and crew injuries/ fatalities
following a low energy collision scenario, however they may be ineffective in a high energy
collision.
Runway incursion collisions were considered to tend more towards the high energy scenario
and the effectiveness rating 'poor' was made accordingly e.g. despite a potentially perfect
response by the aerodrome operator/ RFFS, the ability to mitigate the scale of the injuries/
fatalities is may be extremely limited.
Related information
Consideration points
Focus on Operational Safety
The bowtie templates are primarily concerned with operational safety scenarios. This
is reflected in the various diagram elements.
For example, consequences identify events that have primarily a negative safety
outcome rather than solely commercial or environmental outcomes.
The threats and consequences seek to be of a sufficiently high level to include the
often broad scope of the issues involved within a reasonable number of bowties, yet
specific enough to provide useful and relevant operational insights.
Threat Significance
It should be taken as a given that the scale of the problem described in the Threat is
significant.
For example, when reading a threat description such as 'mis-set reference speed' leading to a
top event such as 'aircraft upset', you should consider that the mis-set is greater than one or
two knots.
Training and Proficiency
Regulator Oversight
Controls associated with the assurance of adequate standards via regulatory oversight
are not generally included in the bowties.
They are considered as part of the umbrella bowtie models except for where specific attention
within a template was required (e.g. where the only significant control identified was
regulatory).
Aircraft and Equipment Types
Umbrella Bowties
The benefit of escalation factors identified in the bowtie is to provide exclamation marks to
identify specific problem areas. A simple repetition of generic escalation factors on every
control would not meet that goal and would degrade many of the benefits provided by the
bowtie methodology.
In order to address generic issues three high level 'Umbrella Bowties' were developed which
present a basic, high-level overview of the issues:
Technical Factors
Human Factors
Environmental Factors
Where 'generic' escalation factors are considered to be a specific concern to a specific control,
they have been included in order to highlight the issue. When customizing the bowtie
template, these factors should be added or removed as appropriate to the particular operation.
Control effectiveness rating
The purpose of rating control effectiveness is to highlight areas of strength and weakness
within the context of how a particular hazard and its associated threats and consequences are
managed.
The effectiveness ratings assigned to the bowtie templates were made using the following
assumptions:
That the control is actually in place and functioning as might be typically encountered
(e.g. if the control is a piece of equipment, it is assumed to be installed/ available).
The rating is based on how the control might typically be encountered not according to
the best possible effectiveness e.g. whilst a control may be rated as poor in the bowtie
template, that is not to say that it does not have the potential to be better than poor
given adequate resourcing and effort.
The party having ownership of the control is a UK entity (e.g. international operations
and operators introduce a degree of complexity to the control effectiveness rating
process that is not possible to cover in the bowtie templates.
The effectiveness rating in the bowtie template is intended to be a starting point for further
evaluation. Individual operators should modify the effectiveness ratings as required, according
to their specific operational environment.
Taxonomy and display
The following taxonomy is used to define the various effectiveness ratings:
This is shown in block colour across the extra information text box below the control.
Engineered devices: for controls that rely primarily on technical equipment such as
FMS, TCAS, TAWS or interlocks on thrust levers.
elimination
prevention
reduction
mitigation
The information is displayed as a text box below the Control in block colour (black
background with white writing).
Similar to control effectiveness ratings, the bowtie template criticality ratings provide a
starting point for further evaluation.
Future Possibilities
An additional definition included in the criticality taxonomy is 'future possibility'. This
identifies a control that may not be currently available to the aviation industry at large but one
that is expected to become commonly accessible (usually a technology driven, engineering
type of control).
The purpose is to help 'future proof' the bowties to some extent, by identifying controls on the
safety management horizon.
Taxonomy and display
The following taxonomy is used to define the various criticality types:
The control "tab" depicted in the diagram is coloured (the top "tab" pinning the control to the
threat/consequence/escalation line).
Constant Exposure - where the potential to be exposed exists throughout the majority
of every flight e.g. Flt Crew failing to follow an ATCO instruction;
The threat exposure is depicted within the threat element and is coloured.
Ownership
This feature has been used to identify the industry sector with the most significant and direct
influence over the effectiveness of a particular control, such as:
Aerodrome Operator
Aircraft Operator
ANSP (Air Navigation Service Provider)
Approved Design Organisation
Handling Agent
Manufacturer
Misc. Third Party
MRO (Maintenance Repair Organisation)
Regulator
If someone said the word bowtie to you, what do you think of? An accessory or a safety risk
management tool?
If you think the latter you may either shudder at the potential size bowties can be or like me, you smile
in appreciation for what information they can offer a safety conscious business.
What do bowtie models tell us?
The models are a visual risk tool that display the causal factors (threats) and outcomes (consequences)
for a specific risk (top event). They highlight the controls in place to prevent or recover the risk and
can help you understand what could cause those controls to fail (escalation factors) - it's a risk picture
telling a story.
Once the model has been built, you then assess the controls for effectiveness, criticality and other
attributes to manage the risk
The use of bowtie, either its methodology or software is rapidly growing worldwide thanks to the
introduction of Safety Management Systems (SMS) where aviation organisations are having to be
more proactive in understanding what their operational risks are. Bowtie offers a way of identifying
them so that they can be managed more effectively!
Background
In April 2014 the UK CAA launched a CAA-industry collaborative project where 24 bowtie templates
were developed on a range of significant safety scenarios, such as aircraft loading error leading to loss
of control; a runway excursion resulting in ground collision and a hidden area fire considering the
human, technical and environmental aspects.
How to find out more
The UK CAA have also endorsed and published a bowtie strategy. This identifies how the CAA and
industry can maximise the use of bowtie models as an effective and proactive safety risk management
tool, to inform decision making for the right actions to be taken achieving the best safety outcomes.
Our bowtie strategy and templates can be found at www.caa.co.uk/bowtie
I also Chair a Bowtie User Group (BUG) for UK and Ireland aviation bowtie practitioners, meeting
quarterly, to work on best practice guidance and to be a support network for each other - if you're keen
to know more, please contact safety.performance@caa.co.uk.
Take a look at our further information online to see how bowtie could help you manage your risks or
turn your shudder into a smile!