INTRODUCTION TO BOWTIE

Bowtie is one of many barrier risk models available to assist the identification and management of
risk and it is this particular model we have found (and are still finding) useful.
These pages explain:

what a bowtie can be used for,

how it can help you,
how to go about the methodology and
what to look for within a model.

This information is based on how the CAA has gone about producing their own bowties with
assistance from Across Safety and CGE.
There are different ways to go about a bowtie but we recommend trying different processes to see
what works for you. We hope you can see the benefits in our approach which has been based on the
bowtie software BowTie XP. However the terminology for the bowtie elements can be applied when
using other methods to create a model such as on Visio, post-it notes or in Excel spreadsheets.
The assessment of the bowtie elements which helps in identifying the safety and risk priorities can
also be applied without using the specific software it is all part of the risk conversation to appreciate
where those improvement areas are in the aviation system.
If you are part of the UK Aviation industry, you are able to access some starter bowties focusing on
the Significant Seven and the relevant risks. These bowties have been jointly constructed by industry
experts and colleagues from the CAA.
Bowtie is a visual tool which effectively depicts risk providing an opportunity to identify and assess
the key safety barriers either in place or lacking between a safety event and an unsafe outcome.
Bowtie models are a key component of Performance Based Regulation (PBR) and provide:

An effective, visual depiction of risk.

A balanced risk overview for the whole aviation system between internal and external
stakeholders (including third party risks).
An increased awareness and understanding of the safety risk leading to Significant
Seven outcomes.
The best practice guidance material for safety risk management at an operational and
regulatory level.
An identification of critical risk controls and an assessment of their effectiveness.
An identification of SPIs to monitor performance of risk control.

Bowties can also be used for a variety of tasks as shown below:

The bowtie model consists of different elements that build up the risk picture. The risk picture
revolves around the hazard (something in, around or part of an organisation or activity which has the
potential to cause damage or harm) and the top event (the release or loss of control over a hazard
known as the undesired system state).
Consideration is then turned to the threats (a possible direct cause for the top
event), consequences (results of the top event directly ending in loss or damage) and the controls (any
measure taken which acts against some undesirable force or intention).
The controls can be populated on either side of the model showing:
Left hand side of the model

Right hand side of the model

Preventative measures which eliminate the

threat entirely or prevent the threat from
causing the top event recovery

Measures which reduce the likelihood of the

consequence owing to the top event being "live" or
mitigate the severity of the consequence

The bowtie model explores the escalation factors (the reasoning to why a control may not be defeated
or less effective) of all controls allowing the allocation of escalation factor controls. These prevent the
escalation factors having an impact on the prevention or recovery controls. Further attributes, such as
control effectiveness or criticality can be allocated to the bowtie model to evaluate the risk picture as
part of an effective SMS.

An everyday example bowtie is available to navigate to demonstrate this explanation. Further

guidance is provided on the bowtie elements.

USING THE WEBVIEWER

Webviewer requires Microsoft Silverlight to operate. This is a free add-on which is available online. If
this is unavailable to you, please contact your own IT department for assistance.
Webviewer allows you to navigate around the bowtie in an interactive way. On the left hand side of
Webviewer click on the bowtie file. By clicking on the model this bowtie will appear in the
Webviewer window allowing you to navigate. Bowtie navigation can be enhanced by using the
toolbar. You are able to zoom in and out of the bowtie, make the bowtie full screen, expand levels to
easily view the content of the model, chose the display profile (to see the additional information on
the threats and controls (e.g. effectiveness etc)) and save the bowtie models to your personal
computer
Any sector of the aviation industry can benefit from the use of bowtie as it is a very portable
methodology. Bowtie is currently being used in a variety of aviation sectors within the UK and
worldwide.
The list of current users includes:

Airport operators
ANSPs
Large and small aircraft operators (both fixed and rotary wing),
Ground service providers
Military
National Aviation Authorities (NAAs).

The origins of bowtie are to be found in a simplified fusion of fault and event tree methodologies.
In the 90s the oil and gas industry founded and developed the practical application of bowtie as a tool
to facilitate a better understanding of how risks were being managed. The benefits of the methodology
have since been recognised in numerous other industries including defence, medical, financial and the
aviation industry.

A BARRIER-BASED APPROACH TO RISK

The aviation community are mostly familiar with Prof James Reasons model, referred to as Swiss
cheese and the bowtie is a barrier-based structure illustrating this approach. This method is also
referred to in ICAOs Safety Management Manual (SMM) document referencing defensive barriers in
accident causation with ICAO Annex 19 referring to understanding and appreciating safety risk
controls
Bowtie achieves this by not only identifying the controls (or barriers) in place but also looking at
control failure mechanisms (as escalation factors) and in turn how these are managed (as escalation
factor controls). Based on these considerations, insights are gained into the organisations risk
mitigation strategies and therefore into the appropriate management of safety resources.
The main strength of the barrier approach is as a qualitative tool, which is a practical solution for the
challenges of risk assessment in the dynamic operating environments of the aviation industry.
The barrier approach of the bowtie, while most often used as a proactive risk assessment tool, may
also be of benefit for the reactive classification of safety events as evidenced by the development of
the Aviation Risk Management Solutions (ARMS) Safety Issue Risk Assessment (SIRA) tool.

BOW TIE ELEMENTS

1. HAZARD
Step 1 to build the bowtie focusing on aspects with the potential to cause injuries, damage or loss

Whether you are building or interpreting a bowtie, the place to start is with the hazard.
This describes the potential source of harm under consideration. It will often describe a normal
aspect within the operating environment and sets the context and scope of the bowtie, for
example driving a car on a busy motorway this is an activity where risks are present.
A hazard can be focused on:

a condition (e.g. icing conditions),

an object (e.g. another vehicle) or
an activity (e.g. driving).

Hazards are often part of normal business activities and not necessarily something that can or
should be eliminated. There is also the possibility to have more than one top event from one
hazard as, for example, there would be a number of risk events associated in driving on a
motorway.

Definition
The condition, object or activity with the potential of causing injuries to personnel, damage to
equipment or structures, loss of material or reduction of ability to perform a prescribed function.

Guiding Principles

In the description of the hazard consider setting the context and scope for the bowtie
(e.g. defining the basic parameters within which the subsequent threats take place).
The scope of the Bowtie can be likened to zooming in or out when taking a picture. It
may be quite broad, where you capture the wider panorama or it may be quite specific,
where you zoom in on an area of particular concern.
The logical place to start is usually with the broad picture. However if you find that you
are not capturing the level of detail that is necessary for your purposes, it may be time to
revisit the hazard/ top event definition and zoom in.

Traps and Tips

Trap: In referring to an organisations pre-existing traditional hazard register, confusion

may arise as to what constitutes a hazard and what constitutes a threat. This comes about
because these registers do not usually differentiate between the two.
Tip: It is quite common to find a mix of both threats and hazards in a traditional hazard
register however the tendency is usually towards descriptions of threats. Remember that
the hazard description is helping to set the scene for a risk assessment that is going to
consider multiple threats.
Trap: Building bowties which are so large that their communication benefits are lost.
Tip: Be aware that there are practical considerations for the diagrams. For example, if
you wish to print a hardcopy of the diagram, A0 is usually the maximum usable paper
size. If the diagram is too large, the text size will be illegible once printed out.
Tip: If the diagram is getting too large, revisit the hazard, top event and threats to decide
if you could achieve a better result with a different structure.

TOP EVENTS
Step 2 which describes the undesired system state

The top event describes the point where we no longer have adequate control over the hazard.
It is usually what we consider to be an unsafe state that is not yet an accident. Therefore, top events
while not being disasters themselves have the potential to become disasters if nothing is done to
control them.
In our driving a car on a busy motorway example, the top event could be described as losing control
of the car.
Definition
A point in time which describes the release or loss of control over a Hazard. The undesired system
state.

Guiding Principals
The top event is described as a loss of control event (not relevant to the Significant Seven) but in a
context of an undesired safety state. By defining this, we are able to consider multiple potential causes
for the loss of control and the various potential outcomes (as opposed to considering just one fixed
accident chain).
If you find that you are not examining the area you are most interested in, consider if it would be
reasonable to redefine the top event either left or right to suit your needs.
Traps and Tips

Trap: Rushing into or persisting with a hazard/top event definition that is not addressing the
main area of interest adequately.
Tip: Remain flexible; it often takes several iterations before finding the best solution.
Trap: Hazards can have multiple top events. Attempting to capture complex issues within one
Bowtie can lead to confusing and overly large bowties.
o Tip: Remain flexible; consider the option of creating several manageable and logically
structured bowties as opposed to one overly large or confusing bowtie that does not
work very well.

THREATS

Step 3 showing possible direct causes

The bowtie depicts scenarios in a time ordered sequence moving from left to right.

The hazard and top event are at the centre of the diagram.
Threats are placed to the left of the top event.

They describe events that may cause an unsafe state if not managed with preventative controls.
Consider the top event and ask the question why or how could this occur. These causes are the
threats and need to be direct. There should be a logical cause and effect relationship between the

threat and the top event. The reader should be able to understand this relationship based on the threat
description.
In our example of driving a car on a busy UK motorway, a threat would be tyre blow out.
Definition
A possible direct cause that will potentially release a hazard by producing a top event.
Guiding Principles

It is usually helpful to describe the cause as a particular event (e.g. something that occurs),
which sets off the subsequent scenario that leads to the top event (and therefore the potential
consequences).
Threats should be plausible. The overall effectiveness of the bowtie will be enhanced by
concentrating on threats that are considered plausible rather than overwhelming the diagram
with extraneous possibilities.
Each threat should be capable of causing the top event independently (e.g. it should not be
necessary for several threats to occur simultaneously).
In terms of ordering the threats (e.g. position top to bottom in the bowtie), there is no
particular significance to placement however the convention is to place the most significant
threat at the top.

Traps and Tips

Trap: A very common mistake is to describe a control failure as a threat. For example,
describing a failure to stop at a holding point stop bar light as the threat in a runway
incursion scenario. In this case, the stop bar lighting would be a control that helps prevent an
incursion. The failure of this control does not cause a runway incursion, rather it allows the
dangerous scenario to progress further towards the undesirable outcome
o Tip: Take time to revisit the threat descriptions before moving onto further
development of the bowtie.
Ask the question: would this threat actually cause the top event? or what is the
actual cause?
Taking the example of failure to stop at a holding point stop bar light a causal factor
could be flight crew failed to follow clearance.

CONSEQUENCES
Step 4 in building the bowtie showing possible direct outcomes resulting in loss or damage.

Consequences are placed to the right of the top event.

They describe the undesirable events (usually accidents and safety related) that may potentially result
from the top event if the event is not managed with recovery controls.
In our driving a car on a busy motorway, a consequence would be collision with another vehicle
resulting in serious injury or fatalities.
Definition
A potential event resulting from the release of a Hazard, which directly results in loss or damage
Guiding Principles

Consequences should be expressed in operational terms (e.g. collision on the runway) so that
the scenario being controlled is clear to the reader.
Consequences
are
events
not
the
actual
loss
or
damage.
The loss or damage is the outcome against which severity is usually gauged. In certain
circumstances it can be desirable to include some brief information on the outcome within the
consequence description in order to clarify the issue for the reader (e.g. mid-air collision
resulting in the loss of both aircraft).
If the top event is not controlled, it should be capable of resulting in any of the consequences.

Traps and Tips

Trap:
o
o

Multiple

threat

or

consequence

lines

with

identical

controls.

Tip: Consolidate the threats or consequences. Unless there are specific differences in
the controls, using several lines usually does not add any value.
Tip: If you are managing the worst event, you are usually managing other less
significant outcomes (e.g. there is no value to be gained from including nothing
happens as a consequence.

PREVENTIVE CONTROLS
Step 5 to the bowtie to add any measures taken to prevent the threat and top event

Definition
Any measure taken which acts against some undesirable force or intention, in order to maintain a
desired state.
Additional Guidance (relevant to Prevention and Recovery Controls):
Usually there will already be numerous ways in which you seek to prevent the top event from
occurring.
The addition of these controls to the bowtie is the next step. The controls would look at two aspects of
threat management:

eliminating the threat completely, therefore making sure the threat is not present
and
preventing the threat from developing into a top event if the threat does become live.

In the example of driving a car on a busy motorway, to eliminate our threat of a tyre blow out, the car
owner would conduct regulator tyre inspections to identify any potential issues to lead to a tyre blow
out. If our threat becomes live and a tyre blow out occurs, our preventative control could be driver
steering into the skid to keep control.

Traps and Tips

Trap: Control descriptions that are too generic e.g. control: ATC.
o Tip: Describe what the control actually does with the reader in mind e.g.: ATC detect
incorrect presence on the runway and issue avoiding instructions. Try to include the
action that takes place to interrupt the sequence of events.
Trap: Incorrect level of detail for diagram elements.
o Tip: When deciding the level of detail to include for the description of any diagram
element there are several important considerations:
o Too little detail -- The diagram might be referred to by people separated by
time and location from the author (e.g. bowties are often used as a stand alone
poster). Sufficient detail should be included in the element descriptions so that
the reader can generally understand the authors intention without reference to
additional explanatory material.

Trap:
o

Too much detail -- The competing consideration for an appropriate level of

detail is that the descriptions should not be overly convoluted or lengthy.
Diagram elements may be thought of as risk exclamation marks and by
remaining succinct, their communication benefits are maximized. Normally
one sentence should suffice.
Not
including
poor
quality
controls.

Tip: Include controls that are generally considered to be in place even if they have
very poor effectiveness. Using colours to depict control effectiveness will highlight
these areas for potential improvement.

See Recovery Controls for more additional guidance relevant to prevention controls

RECOVERY CONTROLS
Step 6 to the bowtie to add any measures taken to prevent the consequences

Similar to prevention controls, on the right hand side of the top event, controls are added that show
how the scenario is to be managed in order to stop an accident from occurring.

These controls are considered to reduce the likelihood of the top event developing into a consequence
as well as mitigating the severity of the consequence.
In our example of driving a car on a busy motorway, a reduction control would be anti-lock braking
system (ABS) to constrain the loss of control parameters to not affect other motorway users. A
mitigating control could be airbag activation acting against the fatality severity of the consequence.
Additional Guidance (relevant to Prevention and Recovery Controls)
Parallel Versus Sequential Controls

Controls will usually be sequential e.g. if one fails then the next one would come into play.
However, it is not uncommon for controls to be included which do not function in this way but
rather have an either/or type relationship (also known as parallel controls).
o For example, consider the following aircraft loading scenario: Load and trim
calculations are an important control against an incorrect distribution of load but there
are several ways in which this might be achieved:
a) central control system;
b) b) manual load sheet;

c) c) electronic flight bag. These could be depicted on the bowtie as three

controls; however for any given departure only one will actually be used (e.g.
they are parallel controls).
Bowtie
diagrams
do
not
model
parallel
controls
specifically.
This is a trade off between being analytically correct and being an easily understandable tool.
Therefore it visually looks as though all controls are sequential. In this situation, what could
be interpreted as three controls is in effect only one dependent on the operation type.
The important lesson is that it should not be assumed that controls are always sequential when
building or referring to a bowtie. This is also one of several considerations that tend to make
the counting of controls in order to determine sufficient protection a flawed technique.

Independence of Controls

It is not uncommon for controls to be depicted which are not independent.

This occurs when it is desirable to highlight separate aspects of a control in order to depict
specific escalation factors e.g. detecting a problem and then actioning the appropriate
response.
Consider for example, fire detection and fire fighting. Clearly the two are not independent e.g.
detection is not a standalone controls as it does nothing to stop a fire and fire fighting will not
commence
until
the
fire
has
been
detected.
As with parallel controls, these dependencies degrade the validity of counting controls.

See Prevention Controls for Traps and Tips relevant to recovery control

ESCALATION FACTORS
Step 7 showing a condition that affects the performance of the controls in place

Adding information that examines how the controls may be degraded is an area where the bowtie
excels. It allows for the inclusion of a level of detail entirely appropriate to the management of
controls.
In
bowtie
these
are
known
as
escalation
factors.
In our driving a car on a busy motorway example, an escalation factor would be the driver lacking the
knowledge of how to counteract the tyre blow out, therefore the driver not appreciating the need to
steer into the skid to keep control.

Definition
A condition that leads to increased risk by defeating or reducing the effectiveness of controls (a
control decay mechanism)
Controls are seldom 100% effective and history teaches us that they do fail. We need to understand
the factors that cause this to happen.
An escalation factor is a condition that leads to increased risk by reducing the effectiveness of
controls. An escalation factor cannot directly cause the top event or consequence rather it increases
the likelihood that the scenario will progress because the associated control will be degraded or fail.
Guiding Principles
Escalation
factors
need
to
be
credible
and
significant.
Incorporate lessons learned from incidents and accidents. Safety occurrence reports normally identify
contributory
factors.
Escalation factors should not cause the top event (in this case they would be threats).
Traps and Tips

Trap: Escalation factor descriptions that are too generic e.g. radio does not work.
o

Tip: Escalation factors should define how or why the control is degraded. They
should identify the real cause of the failure.
Trap: Extensive use of escalation factors can make the size of the diagram explode, and this
impacts readability quite significantly. Adding escalation factors that are theoretically possible
but
in
reality
are
not
a
problem
adds
un-necessary
complexity.
o

Tip: Ask: Is it really a problem? If yes, include it as an escalation factor.

Trap: Escalation factors that only state the negative of the control. The mere negative of a
control as an escalation factor should be avoided - it adds no useful information e.g. control:
conflict visually detected by driver; escalation factor: conflict not visually detected by
driver.
Tip: Escalation factors should define how or why the control is degraded (e.g. low
visibility conditions prevents visual detection by driver).
Trap: Generic escalation factors. Avoid generic escalation factors, as the result will usually be
an explosion in the diagram size without adding any useful information.
o

Tip: For escalation factors which are considered to be a significant risk when working
on a higher-level generic issue, it is advised to bowtie that issue separately (e.g.
hazard: fatigue; top event: personnel suffering fatigue to the extent that they do not
perform to the expected standard)

ESCALATION FACTOR CONTROLS

Step 8 is adding any measure taken to prevent the escalation factors impacting the controls

The final step in terms of the bowties main elements is the addition of information that describes how
the escalation factors are managed.
These are similar to the other controls already described, the difference being that they function in a
different part of the diagram e.g. they control the escalation factors.
In our driving a car on a busy motorway example with the driver lacking the knowledge of how to
counteract the tyre blow out, a control for this could be advanced driver training is completed to
obtain this knowledge.
Definition
A control that manages the conditions which reduce the effectiveness of other controls.
Once the escalation factors are identified, the next step is to look at what controls we have in place to
manage them.
Guiding Principles

Focus on the escalation factor you are managing and not on the related control.
They dont act on threats or controls directly, as the name implies, they are acting to manage a
particular escalation factor.
The principals are generally as per those for other controls.

Traps and Tips

Trap: Whilst it is possible in theory to add escalation factors to the escalation factor controls
(they are after all just another type of control), this approach adds an undesirable level of
complexity
and
is
generally
not
required.
o

Tip: It is normal practice to build diagrams only to one level of escalation factor

CREATING A BOW TIE

WHAT, WHY, AND HOW TO USE BOWTIE ANALYSIS IN AVIATION SMS

PROGRAMS
What is Bowtie Analysis in Aviation SMS

Bowtie analysis in aviation SMS is a fairly new tool that is catching on with great success in aviation
risk management programs.
Simply put, the bowtie is one of the most effective risk management tools currently available to
aviation safety managers. It ties together previously distinct risk philosophies and tools into a single
purpose.
Just a few critical risk management items that the bowtie incorporates are:

The James Reason (Swiss Cheese) Model;

Risk Assessment Charts;
Leading/lagging indicator analysis;
Key performance indicators; and
Performing safety cases.

Using the bowtie will expose all of these elements in one way or another, and it does so in a single,
concise visual chart. The bowtie relies on 4 elements to do this (explained more below) which are:
1.
2.
3.
4.

Root causes that lead to the

Top Event (i.e., the main issue that arises) that leads to
Impacts on an organization; and
The relevant risk controls to the threat/event/impact.

The bowtie will appear different from organization to organization as companies will create bowties
that functionally and visually suite their needs best. Some organizations will use a simplified version
of the bowtie, and others will use much more complex, verbose bowties. They may even appear
different each time you use them depending on what your goals are.
Purpose of the Bowtie in Risk Management

The explicit purpose of the bowtie is to show the flow of a safety event including:

Causes (threats) that aligned to create a problem;

The events that funneled upstream to the;
The Top Event (i.e. the critical point of the event);
The cascading events of the Top Event that lead downstream to
Impacts that adversely affect your organization; and
The failure/success of each risk control measure in the sequence of events.

When a bowtie is conducted in full, it gives a visual picture of the entire issue, from root causes to
impacts, including the risk control holes along the way.
The implicit purpose of the bowtie is to expose the important elements of your program, namely key
risk indicators and weak controls. Without the bowtie, piecing all of these elements together in a way
that shows how they function in context can be difficult and error prone.
Why The Bowtie Is the Best Risk Management Visualization Tool In Existence
Perhaps I am zealous about its potential uses, but I have seen it successfully employed for:

Teaching employees what risk management is and the role of hazards in an SMS program;
Methodical analysis in safety incident management;
Documenting preventative analysis in hypothetical scenarios;
Understanding and assessing your risk controls in context; and
Identify KPIs.

The list goes on, but you get the idea. It is versatile and suited for many different uses. Companies that
adopt the bowtie tend to if they use it right employ the bowtie with different goals for different
uses.
To this end though I have not seen it done in practice yet I strongly advise that when you perform
a bowtie analysis you should write a purpose or goal at the top of the bowtie. I recommend this
for three reasons:
1. Clarifies what you are currently looking for, and therefore what the pertinent information is;
2. Great reference point for immediately orienting you when you are looking back at previous
bowties; and
3. Allows you to create categories for organizing bowties.
You could establish ahead of time, for example, 3 or 4 different goals you might have when using
bowties. For example, Hypothetical safety case analysis, Safety incident analysis, Financial
Impact Analysis, and so on.
3 Step Process for Creating a Bowtie in Aviation SMS
Creating bowties is actually fairly simple as long as you follow the basic process and understand why
you are performing it. It goes like this. You have some kind of scenario, real or hypothetical. You
need to:
1 - Choose what the Top Event "loss of control incident" is

This top level event will be the main risk in the entire issue, the accident that arose from all of the
root causes (threats). For example, this would be the point at which The drive loses control of the
car, or The aircraft suddenly loses altitude.
Its important not to confuse the Top Event with downstream events or Impacts. Just remember that
your Top Event is the point or "incident" at which loss of control occurs.
2 - Ask But why about Top Event to find preceding upstream events and root causes
Its extremely important to make sure your root causes are accurate, because the root causes are the
threats around which you will create risk controls. Too often people confuse weak controls (e.g. lack
of training which is actually a weak control) with root causes (better would be Human Error).
The best indication that you have arrived at a root cause is that the threat is an ACTIVE verb as
opposed to a static, negative lack of X or no Y noun. Moreover, when you get to a spot where
your answer to But why? is simply Because it is, then you have probably found one root case. For
example: the car lost control. But why? Flat tire. But why? Nail in the road and there is not answer
to this. We found one good root cause: Road debris.
3 - Ask And then about Top event to find downstream events and impacts
To get from your Top Event to impacts, you will want to see the interim events that culminated in the
impact. To do this simply ask And then about your Top Event and subsequent events. The impacts
should be clear when you get there, because they are the outcome and output of the issue.
Final Thought: Bowtie Mistakes to Avoid, Rules to Follow
We spent a lot of time here already, so here are a few tips when conducting bowtie analysis in your
aviation safety program.

Avoid confusing Impacts (issue outcomes) with the Top Event;

Be explicit rather than implicit with threats, events, and Impacts, which is to say that your
bowtie items should state the meaning exactly rather than implying it;
Make sure root causes are ACTIVE (usually verbs like Interference of, Accumulation of,
and so on);
Dont skip over interim events;
Understand your risk management goal and objectives for performing risk controls; and
Use the same step by step method (described above) every time you create a bowtie so as to
maintain consistent.

Let the Bowtie in Aviation SMS Make Your Job Easier

I love the Bowtie.

Its logical, lightweight, and delivers a ton of pertinent information that no other tools in risk
management deliver.
A simple Bowtie can summarize an issue or scenario as well as a 3 page report. But, in my opinion,
what really makes the Bowtie so useful is that its easy to be creative with it.
Thats an elaborate way of saying that you can use the Bowtie in many different situations. Moreover,
because its visual, its just as easy to comprehend for people of:

Different backgrounds and experience;

Different levels of intelligence; and
Different levels of education.

A report, Risk Analysis Chart, or other tool simply cannot match this kind of versatility. If you arent
already using a Bowtie, then I highly recommend you get started. If you are already using it, here are
3 ways you probably arent but should be.
1 Demonstrate the Importance of Compliance
I hardly need to tell you how important aviation SMS compliance is. You are working with it every
day perhaps to the point of exasperation. For countless organizations, part of this exasperation is
trying to convince other employees and managers that:

Yes, is more than just another rule;

Yes, it is important; and
Yes, there are actually good reasons for us to make an effort to be compliant.

Now, we have for the most part seen two ways of how managers deal with compliance in their
organization:

1. Its the rule, so just do it; and

2. Its the rule, and here are a couple of reasons we need to do it.
The first point is not exactly conducive for mature safety culture, nor is it forthcoming with helpful
incentives, though it is to the point. The second point is certainly much better, but for the most part
you are just giving a couple of paragraphs to employees who lets face it are probably only
marginally interested.
For both of these reasons, using the Bowtie is amazingly effective for demonstrating why aviation
SMS compliance is important. Its visual and easy to understand, it speaks for itself, and gives plenty
of reasons (without all of the unnecessary explaining that will tune the out). Heres a great example
Bowtie template for demonstrating compliance:

Where applicable, you could plug in your organization-specific corresponding points in 20 minutes
and have something concrete and valuable to deliver to all stakeholders that would be significantly
more effective than a paragraph about new legislation.
2 Using During Aviation SMS Risk Impact Analysis
Evaluating the end potential of certain risks when they collide or line-up to use the Swiss Cheese
Reason Model can be a nebulous endeavor at best. This is because too often Risk Impact analysis in
aviation SMS makes managers feel like they need to jump from A to Z in one fell swoop. Know what
I mean?
The dangers here are numerous to name a few:
1. Incorrect assumptions about the flow of events in a scenario; which can lead to
2. Arriving at irrelevant Impact conclusions; and
3. Coming up with false Causes, the mistake here being that all too often managers start with
Events - a good example would be calling Lack of Training a cause, when in reality that is a
result of Human Error.
Using the Bowtie for risk impact analysis in aviation safety programs avoids these and similar errors.
For one, Bowties force to you literally create the flow of all causes/events/impacts visually together,
the benefit being that your erroneous assumption about flow of events will stick out like a sore thumb.

When you do this same activity in paragraph form, the basic fact is that its much harder to spot those
errors because all the pieces are not together and it is not visual. Likewise, the conclusions about
Impacts have a much higher likelihood of being closer to the mark if your events also make sense.
3 Cost Impact Scenario Analysis
Id like to branch off of Risk Impact Analysis which is essentially what Cost Impact Analysis is.
However, we live in a world where lives are, unfortunately, often measured by the bottom line
reputation damage and subsequent revenue loss. Thus, getting the impact of Costs right is critical.
So say your accountable executive comes up to you and says, What kind of damages are we looking
at if X happens?
Scenario 1: You could throw some number out there, like say 300 million. You could be spot on or
you could be wildly off the mark. Regardless, your boss is probably going to say, How the heck did
you come up with that number? And then you fumble around listing a bunch of reasons.
Scenario 2: You tell him to give you 20 minutes, and you map the Main Event, some preceding likely
causes and proceeding events. For one, now its much easier to say something like, Okay, X
happening will most likely lead to consequences A $100 million and consequence B $200 million for
a total of $300 million. This number could still be wildly off though its probably a much safer bet
than coming up with it off the cuff but now it looks (and probably is) much more legitimate.
In Scenario 2:

You give plenty of reasons for the final cost impact;

Your reasons are logical and easy to read; and
Your boss has something tangible to use at his/her leisure.

Most importantly to you, it makes you look like you know what youre talking about.
Final Thought: Resources for Using the Bowtie
At the very least, you can create a Bowtie with a pencil and piece of paper. No aviation safety
management software, no special program. Just your brain and ability to analyze a situations flow of
events.
Of course, the pen and paper way will take you a bit longer. Fortunately, PDF templates and online
resources are also readily available. Also, we will be unveiling a new module available to some
portals that will generate Bowties for you.
Check out our free Risk Management Solution and see how you can tie in a Bowtie.

Risk Analysis Charts - Aviation SMS Software Modules for Airlines & Airports

What is Risk Analysis

Managing risk is one of the main activities of any ICAO compliant SMS program and without a
doubt, your airline or airport has practiced risk management processes defined in some manner or
another.
The process of risk management has been occurring for hundreds of years. The most well known
industry for understanding the process of risk management is the insurance industry. Their profit
stems from their shrewd analysis of risk and understanding the types of risk in each industry they
specialize in. While your risk identification process doesn't have to be as refined as an insurance
company, you will still have to understand the fundamentals of what is risk analysis and how the
analysis of risk is important in not only saving lives, but also protecting assets and property.
Let's assume airline or airport employees have been reporting incidents and accidents. When an
incident report comes into your system, the first thing a safety manager will do is to review the report
and attempt to understand what happened. Not every reported incident requires a formal risk
management process, but it helps if there is a template or example available for safety managers to
review as they work through the risk identification process.
OK, the incident has been reported and the safety manager has reviewed the details that arrived with
the report. Let's assume the safety manager has all the necessary details to understand the types of risk
and knows which risk analysis process works best in this particular instance. For this risk analysis
example, we will say the reported incident does not require an in-depth investigation that goes through
the formal sequence of events, identification of causal/contributing factors, root cause analysis, etc.
Let's keep this risk analysis example simple.
Safety managers should first understand what types of risk center around the reported incident and
draft a "risk statement." The risk statement helps the safety manager put his thoughts down on paper
so others can also understand the types of risk the airline or airport is facing. The risk statement is
also a great instrument to communicate to the safety committee and other managers as they also
undertake the process of risk management. A risk statement doesn't have to be a long, formal
document on the risk identification process used to understand the types of risk. Again, keep it simple.
When you think about the risk statement, think "If this xxx were to occur (or has occurred), what is
the likely (reasonable) result.
Without understanding the risk, the safety manager will not be able to do a proper risk assessment and
communicate the business risk to management. A risk analysis covers understanding the risk (risk
identification process), assessing the risk, communicating the risk, classifying the risk, and treating the
risk. Up to this point, we have understood the types of risk that come with our risk analysis example.
And we have created our risk statement help communicate the risk. Next, the safety manager will
assess the risk according to the probability. and severity of the reported incident. Some risk
assessments may also factor exposure, but in most airlines and airport safety programs, exposure tends
to complicate the risk management process. We need to keep it simple, else the task of analysis of risk
will become too burdensome and not be effected in a timely manner. In some organizations, there may
be six to twelve reported incidents daily. So keep it simple.
Up to now, the reported incident has been risk assessed and hopefully a responsible manger assigned

to deal with the corrective preventive actions to ensure the risk is mitigated and hopefully prevent
recurring events that share these types of risk. The next step in the risk management process may be to
classify the risk. Classifying the risk helps categorize risks and allows not only for immediate
understanding in the risk identification process, but also for future reports. A risk analysis not only
happens immediately after the reported incident, but repeatedly and at regular and irregular intervals
when upper level managers are attempting to understand the business risk they face. Understanding
business risk is important so management can budget for loss, training, equipment replacement, etc.
Therefore, classifying risk properly is very important not only in the immediate sense, but also for
future risk management processes.
Managers usually conduct their analysis of risk using charts and tabular reports. Without reports,
managers would not have an accurate picture of the business risk they face. SMS Pro has many
reports to help managers during the process of risk management. For example, there are the "Risk
Analysis Charts." These were formerly called "Quick Charts" because they allow managers to easily
review reported issues and identify challenges without requiring IT personnel to create these charts.
SMS Pro's complex charting tools allow managers to quickly determine which types of issues are
costing them the most time and money to manage business risk. These drill-down charts get one to the
heart of a risk analysis and provide incredible amounts of information. Risk Analysis Charts
(QuickCharts) and Financial Risk Analysis Charts (FinancialCharts) share basically the same
functionality as they allow managers to conduct their own ad-hoc analysis of risk.
Charts are broken out by "Number of Occurrences" in Risk Analysis Charts and "Financial Costs" in
Financial Risk Analysis Charts. Management easily applies date ranges and/or types of issues to
quickly see real-time reports by:
Types of Issues
Type of Processes Involved
Root Causes
Associated Risks/Hazards
Human Factors
Mission Delays (Flight Delays)
Key Performance Indicators
Status (open, closed, in progress...)
Department
Division
More sophisticated SMS Pro implementations can take data from multiple portals to analyze
business risk.
Understanding Risk Analysis Chart Numbers
Reported accidents and incidents can have multiple classifications attached to them. Often the
identified risks have overlapping classification types.
For another risk analysis example:
A bird strike is reported through the issue reporter. A manager working through the risk identification
process for this issue may add several "Type of Issue" classifications, such as:

1. Injury >> Employee

2. Injury >> Customer
3. Damage >> Aircraft (not NTSB Reportable)
In the charts it will show that there have been two "Injury" classifications, but when you hover over
the drill-down links it will only show one issue. Please keep this in mind while doing a risk analysis.
Risk Analysis Charts and Risk Analysis Financial Charts share similar functionality. What applies to
Risk Analysis Charts also applies to Risk Analysis Financial Charts; however, the context changes
from "number of occurrences," to "cost of occurrences."
Note: Advanced SMS Pro implementations can display aggregated data for multiple portals. For
example, a multinational airline may a portal for North America, another for Latin America, and
another for Asia. Data can be aggregated from these three portals and displayed immediately. This
functionality saves time and money preparing accurate and timely reports.

Using Risk Analysis Charts

By default, a divisional report is loaded when users come to the module. The current user's default
division is active, hence, it is loaded. If users have permissions to view other divisional data, other
divisions will appear in the dropdown list at the upper left.
Choose whether to narrow your investigation to one division or the entire company by selecting an
item from the dropdown list for "Show Issues for:"
Next, decide whether to change the date parameters. By default, the start date is filled with the date of
the first reported issue in the system. The end date contains today's date.
One is able to filter the types of reported issues (safety, security, quality or compliance) by selecting
an option from the "Type of Concern" dropdown list. "Type of Concern" should not be confused with
"Type of Issue." Types of Issue are customizable by the SMS Admin and may be unique to each
division.
Drilldown and KPIs are similar report types. By selecting a classification type, such as Type of Issue,
Process or Root Cause, one can drill down and understand the analysis of risk associated to the
classification scheme. It is possible to drill down into three charts, which is the number of
classification dropdown lists in the Issue Manager. All classifications originate from the classification
process in the Issue Manager.
Hovering over the links, one can learn more about the types of issues providing the data, such as the
Issue Title and the Total Cost associated with the reported issue.
Risk Management Process Definitions
Types of Issues are the first classification system that all organization should use when classifying
issues. This classification is performed in Issue Manager under the "Classify" tab.

Type of Business Process is an optional classification scheme companies can use to determine
whether business processes are faulty and may need modifications. Type of Business process is
classified in the Issue Manager under the "Classify" tab. Business processes are documented in the
Process Description Library. The Process Description Library affords management an opportunity to
document processes requiring change.
Root Cause originates from the Investigation in Issue Manager. Root cause analysis typically covers
Management responsibility, Procedures, Controls, Process Management and Interfaces. After
determining the contributing factors of an event, a root cause analysis is performed and corrective
actions established.
Key Performance Indicators (KPIs) measure critical success factors of an organization. Based on
carefully selected measures, aviation-related KPIs reveal a high-level snapshot of a dynamic,
functioning organization. KPIs vary depending on the kind of organization they characterize. For
example, an airport may have a KPI as the total runway overruns, while KPIs of a helicopter operator
may have to do more with the number of emergency landings. Since there are so many ways to
classify an issue, such as type of issue, root cause or type of business process, not every classification
is highly important to the organization. KPIs allow companies to focus on what matters most to them.
Associated Hazards come from the Proactive Hazard Analysis Tool. This list is generated
automatically and may be appended in the Investigation portion of the Issue Manager. After
discovering the root cause of an issue, managers may have discovered a new hazard. The ability to
easily add identified hazards to the Hazard Registry is important functionality of SMS Pro. Associated
hazards should also have identified risks and control measures to mitigate the risk and recovery
measures should the hazard occur.
Status/Type allows managers to see how many issues are open, closed, in progress, etc. Choosing the
"By Type" option displays the reported issues according to safety, security, quality or compliance.
Department reports show the number of issues reported that have been classified as belonging to
particular departments. Higher number of reported issues for a particular department may not
necessarily indicate a lack of quality or substandard performance. The department may merely have
an exceptional reporting culture, or the department may be highly represented within the company.
Division reports allow management to quickly see how many reports originate from each division.
Similar to departments, higher number of reported issues for a particular division may not necessarily
indicate a lack of quality or substandard performance. The division may merely have an exceptional
reporting culture, or the division may be more highly represented within the company.

Why Aviation KPIs Lagging and Leading Indicators are Important

Lagging and leading indicators for aviation SMS KPIs are often confused or misunderstood.
Even various online sources have conflicting, vague, or incomplete explanations of the difference
between the two.
Obviously, understanding how to select aviation SMS KPIs is extremely important, and its a topic
that often generates much interest from all levels of the aviation safety industry. Developing a solid
list of lagging and leading indicators is the process of understanding:

The historical performance of the safety program; and

The critical safety factors that influence that performance (i.e. that will influence it in the
future).

In theory, these generalizations sound reasonable enough, but in the actual practice of choosing
aviation key performance indicators they are considerably less clear. This is because there are literally
hundreds of safety metrics that managers can choose to monitor, and sorting out which leading and
lagging KPIs to focus on can be daunting. For this reasons, lagging KPIs tend to receive more
attention because they are easy to measure and are visually more impressive to represent than their
leading indicator counterparts.
Heres what you need to know about what lagging and leading indicators are in aviation SMS, and
how to adopt good aviation SMS KPIs based on those lagging and leading indicators.
What Are Lagging Indicators in Safety Programs?
KPI lagging indicators in aviation safety programs:

Are the output of the program;

Show past safety data;

Characterize the historical performance of the program;
Often they are easy to measure but difficult to improve.

Lagging indicators are usefulness for seeing the output performance of an aviation SMS
program. Aviation SMS safety output is the self-evident data of the safety program. For example, a
lagging indicator metric would be the number of reported safety issues year over year. Another way
of looking at it is that lagging indicators give safety mangers feedback about the programs
performance.
Lagging indicators answer the WHAT of how the safety program is performing, but doesnt
necessarily answer the WHY of performance. It is for this reason that lagging indicator KPIs are easy
to measure but hard to improve. For example, the number of reported issues will change every year,
but that metric gives no indication of why the changes happen.
Lagging indicators exemplify the phrase past successes/failures are not future guarantees.
Concerning their usefulness:

They should be taken at face value, and are great proof of a programs performance; but
Should influence which leading indicator KPIs are focused on.

Examples of Great KPI Lagging Indicators in Aviation SMS Programs

While there are many countless KPIs that aviation SMS programs could use and each program will
necessarily use different KPIs based on their specific needs some great aviation KPIs that involve
lagging indicators are:

Various metrics about safety reporting;

CPA and Hazard Issue average closure times vs. goals;
Percentage/frequency of Acceptable, Mitigatable, and Unacceptable issues;
Revisions of procedures in the last period;
Compliance findings to show differences between procedure and practice;
Number of defective list items combined with extra equipment list (indicates availability of
spare resources); or
Planned crew vs real crew per shift.

There are considerable more lagging indicator KPIs that can be used, but the more specific the KPI,
the better.
What Are Leading Indicators in Safety Programs?
KPI leading indicators in aviation SMS programs are:

Are the input of the program;

Identify precursors and indicate future performance ;
Identify technical or organizational weaknesses; and
Identify warning signs.

Many leading indicators involve metrics of what managers put into the program, hence input of the
program, and are generally associated with proactive risk management. A useful way to think about
it is:

How much something is being done (i.e., how often are audits done);
Or behavior that involve acting on a program (i.e., average time to implement actions).

For this reason KPI leading indicators are easier to influence because it simply involves changing how
much something is being done, but the value of leading indicators is difficult to measure.
This is because leading indicators in and of themselves are generally not very useful but they
become extremely useful when correlated with lagging indicator performance data. For example,
correlating the number of internal inspections (leading) with critical-risk reported safety issues
(lagging).
Correlating leading indicators metrics well involves hunches, experience, and assumptions by aviation
safety managers.
Examples of Great KPI Leading Indicators in Aviation SMS Programs
A great strategy for identifying quality leading indicator KPIs is to look at the aviation SMSs lagging
indicator data and ask questions about that data. These questions are a good place to start when
considering leading indicators.
Some examples of great KPI leading indicators in aviation SMS programs that can be strongly
correlated with leading indicators are:

Percentage of employees receiving communication training;

Percentage of training that includes competency testing;
Average turnover rate (%) in the organization;
Average number and percentage of accidents per employee per year;
Number of safety audits per year;
Increase in safety percentage per year (%);
Average time to implement actions on complaints; and
Percentage of CPA and reported issues closed on time.

Final Thought: Passive KPIs, Active KPIs, and Superior KPIs

When it comes to choosing great aviation SMS KPIs:

Leading KPIs are active actions on the SMS program;

Lagging KPIs is passive (historical) information about the program; and
The most superior KPI will be a combination of a lagging and leading indicator.

Developing superior KPIs will take time, research, and experience, as well as a solid understanding of
an organizations unique lagging and leading indicators.

Ground handling
In assigning the accountable industry sector, the bowtie templates have assumed that dispatchers and
loaders are under the direct control of the handling agent. Naturally this may not be the case for a
specific operator and this should be customised as required.

The term "manoeuvring area" refers to apron/ramp areas and taxiways

The term "Ground Service Equipment" refers to equipment used during the aircraft turnaround
typically used by a Ground Service Provider (including loaders, refuellers, de-icers, cleaners,
caterers, push-back staff etc) such as belt loader, stairs, jetty, de-icing boom etc.
The term "Pre-departure inspection" is an inspection conducted by anyone within the aviation
industry which is completed before the tug is cleared (if appropriate) and the aircraft is under
its own power.
The term "Ground Handling" is an activity which stops when the aircraft is under its own
power (unless it is being marshalled)

Bowtie 6.1 'Loading operations for large CAT fixed wing aircraft at UK Aerodromes/ Aircraft
significantly outside the operational mass and balance envelope'
Threat 1 'Aircraft loaded in accordance with incorrect load instructions generated by load controller'
includes three 'parallel' controls regarding the generation of an accurate load sheet e.g. one of those
controls would be expected to be in place in any given scenario, not all three.

Control effectiveness of 'Aircraft evacuation' and 'Aerodrome Emergency Response Plan'.

o The effectiveness of these controls is quite variable depending on the particular
scenario.

For example they may be quite effective at limiting passenger and crew injuries/ fatalities following a
low energy collision scenario, however they may be ineffective in a high energy collision.
Bowtie 6.2 'Ground operations for large CAT fixed wing aircraft at UK Aerodromes / Significant
ground damage undetected prior to aircraft commencing take-off'.
When assessing the effectiveness of the controls within this bowtie consider how effective the
controls are regarding composite aircraft.
The threat "Ground service equipment/ vehicle impacts and damages parked aircraft" contains many
"impact and damage detected" controls. These controls are conducted by many different people
during pre-departure inspections. It is worth noting in the escalation factors (which need to be added)
that the objectives for those different people differ and whilst they are expected to notice damage,
each inspection is focused on different areas of the aircraft for different purposes

Runway excursions
Definitions

Go-Around: a manoeuvre that results when a pilot decides to abort an approach or landing.

General Notes

Future control: Transport Aeroplane Landing Performance Assessment (TALPA)

TALP will be a methodology which all manufacturers, aircraft operators and ultimately all ATC
agencies will use as a reference point when assessing a runways surface condition.
It becomes the starting block for determining the required landing distance shortly before landing. It
is a simplified and more logical approach to the in flight calculation of landing performance than
currently employed.
Bowtie 2.1 'Large CAT fixed wing aircraft - Landing operations / Inability to make a stop within the
expected landing distance requirement'
Control effectiveness of 'Aircraft evacuation' and 'Aerodrome Emergency Response Plan'.

The effectiveness of the controls 'aircraft evacuation' and 'aerodrome emergency response
plan' are quite variable depending on the particular scenario.
For example they may be quite effective at limiting passenger and crew injuries/ fatalities
following a low energy collision scenario, however they may be ineffective in a high energy
collision.
Landings resulting in a runway excursion were considered to tend more towards the low
energy scenario and the effectiveness ratings were made accordingly.

Runway incursion
Definition
Runway incursion
Any occurrence at an aerodrome involving the incorrect presence of an aircraft vehicle or person on
the protected area of a surface designated for the landing and takeoff of aircraft.
General Notes
Where direct reference is available for a diagram element to EAPPRI (version 2) (European Action
Prevention Plan Runway Incursion), the reference has been included for your information. Please
note the document link is not live.

Control effectiveness ratings are for a typical UK aerodrome with the majority of operations being
CAT type.
Bowtie 4.1 'Large CAT fixed wing aircraft operating on the ground in or close to the protected area of
an active runway/ Incorrect presence of aircraft on the protected area'.
Recovery controls (to the right of the top event) are related with detection and avoidance manoeuvring
controls being dependant (e.g. detection will be of no value unless avoiding action is taken).
Control effectiveness of 'Aircraft evacuation' and 'Aerodrome Emergency Response Plan'.

The effectiveness of these controls is quite variable depending on the particular scenario.
For example they may be quite effective at limiting passenger and crew injuries/ fatalities
following a low energy collision scenario, however they may be ineffective in a high energy
collision.
Runway incursion collisions were considered to tend more towards the high energy scenario
and the effectiveness rating 'poor' was made accordingly e.g. despite a potentially perfect
response by the aerodrome operator/ RFFS, the ability to mitigate the scale of the injuries/
fatalities is may be extremely limited.

Related information

Scope of the templates

Before accessing and using the bowtie models and documentation, please ensure that you read
the full licence agreement and agree to the conditions of use.
The scope of the Significant Seven Bowtie project is focused around the risks which
contribute towards to the Significant Seven for UK CAT fixed wing operations (classed as
large aircraft (greater than 5700kg MTOW)). The operating environment and equipment
considered is quite generic and UK oriented.
Aircraft operators can be expected to encounter operating environments outside the scope of
the bowtie templates during international operations and these conditions are an example of
issues that should be addressed when customising the bowties.
The Significant Seven bowtie templates provide a reasonably high level overall system
perspective. It should be expected that specific areas of concern to specific operators will
benefit from the self development of additional bowties that target those issues.
The templates have been classed as core or supplementary. See the information on how
the bowtie templates were created for details.
The core bowties have been fully completed with all eight elements and have been assessed
with additional information being allocated to the elements where the supplementary bowties
have been partially completed for you to complete. These models also require assessing based
on your own operation.
The core bowties are:

Loss of Control: 1.1 Aircraft upset (human performance)

Runway Excursion: 2.1 Inability to stop within distance (landing operations)
CFIT: 3.1 Terrain separation deteriorating below normal requirements (arrival or
departure (general))
Runway Incursion: 4.1 Incorrect presence of aircraft on protected area (ground
operations)
Airborne Conflict: 5.1 Close proximity with another aircraft (Class A airspace)
Ground Handling: 6.1 Outside mass and balance envelope (Loading operations)
Fire: 7.1 Hidden area fire (aircraft electrical systems)

Consideration points
Focus on Operational Safety

The bowtie templates are primarily concerned with operational safety scenarios. This
is reflected in the various diagram elements.

For example, consequences identify events that have primarily a negative safety
outcome rather than solely commercial or environmental outcomes.

Level of Detail in Threats and Consequences

The threats and consequences seek to be of a sufficiently high level to include the
often broad scope of the issues involved within a reasonable number of bowties, yet
specific enough to provide useful and relevant operational insights.

Threat Significance

It should be taken as a given that the scale of the problem described in the Threat is
significant.

For example, when reading a threat description such as 'mis-set reference speed' leading to a
top event such as 'aircraft upset', you should consider that the mis-set is greater than one or
two knots.
Training and Proficiency

Controls associated with basic training on equipment, procedures, rules and

regulations are not generally included in the bowties. They are considered as part of
the umbrella bowtie models except for where specific attention within a bowtie
template was required.

Regulator Oversight

Controls associated with the assurance of adequate standards via regulatory oversight
are not generally included in the bowties.

They are considered as part of the umbrella bowtie models except for where specific attention
within a template was required (e.g. where the only significant control identified was
regulatory).
Aircraft and Equipment Types

The bowtie templates are not aircraft or equipment type specific.

Aircraft operators should customise the elements as required reflecting the type of
equipment in use.

Umbrella Bowties
The benefit of escalation factors identified in the bowtie is to provide exclamation marks to
identify specific problem areas. A simple repetition of generic escalation factors on every

control would not meet that goal and would degrade many of the benefits provided by the
bowtie methodology.
In order to address generic issues three high level 'Umbrella Bowties' were developed which
present a basic, high-level overview of the issues:

Technical Factors
Human Factors
Environmental Factors

Where 'generic' escalation factors are considered to be a specific concern to a specific control,
they have been included in order to highlight the issue. When customizing the bowtie
template, these factors should be added or removed as appropriate to the particular operation.
Control effectiveness rating
The purpose of rating control effectiveness is to highlight areas of strength and weakness
within the context of how a particular hazard and its associated threats and consequences are
managed.
The effectiveness ratings assigned to the bowtie templates were made using the following
assumptions:

That the control is actually in place and functioning as might be typically encountered
(e.g. if the control is a piece of equipment, it is assumed to be installed/ available).

The rating is based on how the control might typically be encountered not according to
the best possible effectiveness e.g. whilst a control may be rated as poor in the bowtie
template, that is not to say that it does not have the potential to be better than poor
given adequate resourcing and effort.

The party having ownership of the control is a UK entity (e.g. international operations
and operators introduce a degree of complexity to the control effectiveness rating
process that is not possible to cover in the bowtie templates.

The effectiveness rating in the bowtie template is intended to be a starting point for further
evaluation. Individual operators should modify the effectiveness ratings as required, according
to their specific operational environment.
Taxonomy and display
The following taxonomy is used to define the various effectiveness ratings:

Very Good (dark green)

Good (light green)
Poor (orange)
Very Poor (red)
Un-assessed (yellow)

This is shown in block colour across the extra information text box below the control.

Control type classifications

Control types illustrate the high level grouping based on the type of control, this helps
illustrate what type of weak spots there are and whether there is an over-reliance in the safety
system e.g. over-reliance on training or proficiency controls surrounding a particular risk.
Taxonomy and display
The following taxonomy is used to define the various control types:

Policy/Procedure: For controls that rely primarily on a person to perform a particular

action according to a pre-determined procedure or policy which may be based on
regulation

Engineered devices: for controls that rely primarily on technical equipment such as
FMS, TCAS, TAWS or interlocks on thrust levers.

Training/ proficiency: for controls that seek to assure an action is performed to a

certain standard.

Human sensory: for controls where a human's sight/hear/taste/smell/touch is used

outside of procedures.

The information is displayed as a text box below the control.

Control function classifications

Controls can be identified according to their function within the bowtie. These 'functions' are
shown on the bowtie templates to provide clarity for the end user as well as appreciating
where efforts are concentrated on (e.g. is there more we can do to eliminate the threat as the
majority of control are preventative?)
Taxonomy and display
The following taxonomy is used to define the various control functionalities:

elimination
prevention
reduction
mitigation

The information is displayed as a text box below the Control in block colour (black
background with white writing).

Control criticality classifications

Not all controls will have the same importance with regard to the management of a specific
threat. Within the bowtie templates, differentiation has been achieved based on two types of
criticality definitions: 'standard controls' and 'critical controls'.

Similar to control effectiveness ratings, the bowtie template criticality ratings provide a
starting point for further evaluation.
Future Possibilities
An additional definition included in the criticality taxonomy is 'future possibility'. This
identifies a control that may not be currently available to the aviation industry at large but one
that is expected to become commonly accessible (usually a technology driven, engineering
type of control).
The purpose is to help 'future proof' the bowties to some extent, by identifying controls on the
safety management horizon.
Taxonomy and display
The following taxonomy is used to define the various criticality types:

High Criticality (red)

Standard Criticality (grey)
Future Possibilities (white textured)

The control "tab" depicted in the diagram is coloured (the top "tab" pinning the control to the
threat/consequence/escalation line).

Threat exposure classifications

Somewhat similar in concept to identifying criticality for the controls, identifying exposure to
the threats can add value to the bowtie by highlighting areas of greater concern overall. This
technique has been applied to the bowtie templates.
Taxonomy and display
The following taxonomy is used to define the exposure:

Constant Exposure - where the potential to be exposed exists throughout the majority
of every flight e.g. Flt Crew failing to follow an ATCO instruction;

Commonly Exposed - where the potential to be exposed is likely to be once or twice

during every flight e.g. incorrect takeoff configuration selected;

Limited Exposure (yellow) - where the potential to be exposed is likely to be less

frequent e.g. conducting an NPA.

The threat exposure is depicted within the threat element and is coloured.

Ownership
This feature has been used to identify the industry sector with the most significant and direct
influence over the effectiveness of a particular control, such as:

Aerodrome Operator
Aircraft Operator
ANSP (Air Navigation Service Provider)
Approved Design Organisation
Handling Agent
Manufacturer
Misc. Third Party
MRO (Maintenance Repair Organisation)
Regulator

The information is displayed as a text box below the control.

Risk Specialist Laura Madden explains how bowtie models work

If someone said the word bowtie to you, what do you think of? An accessory or a safety risk
management tool?
If you think the latter you may either shudder at the potential size bowties can be or like me, you smile
in appreciation for what information they can offer a safety conscious business.
What do bowtie models tell us?
The models are a visual risk tool that display the causal factors (threats) and outcomes (consequences)
for a specific risk (top event). They highlight the controls in place to prevent or recover the risk and
can help you understand what could cause those controls to fail (escalation factors) - it's a risk picture
telling a story.
Once the model has been built, you then assess the controls for effectiveness, criticality and other
attributes to manage the risk

The use of bowtie, either its methodology or software is rapidly growing worldwide thanks to the
introduction of Safety Management Systems (SMS) where aviation organisations are having to be
more proactive in understanding what their operational risks are. Bowtie offers a way of identifying
them so that they can be managed more effectively!
Background
In April 2014 the UK CAA launched a CAA-industry collaborative project where 24 bowtie templates
were developed on a range of significant safety scenarios, such as aircraft loading error leading to loss

of control; a runway excursion resulting in ground collision and a hidden area fire considering the
human, technical and environmental aspects.
How to find out more
The UK CAA have also endorsed and published a bowtie strategy. This identifies how the CAA and
industry can maximise the use of bowtie models as an effective and proactive safety risk management
tool, to inform decision making for the right actions to be taken achieving the best safety outcomes.
Our bowtie strategy and templates can be found at www.caa.co.uk/bowtie
I also Chair a Bowtie User Group (BUG) for UK and Ireland aviation bowtie practitioners, meeting
quarterly, to work on best practice guidance and to be a support network for each other - if you're keen
to know more, please contact safety.performance@caa.co.uk.
Take a look at our further information online to see how bowtie could help you manage your risks or
turn your shudder into a smile!