Risk

Bowtie analysis and Critical Control Management

How to read a bowtie diagram, what makes a control "critical", and how Critical Control Management keeps the barriers that stop a fatality actually working.

Updated 8 July 20262 min read

Bowtie analysis is a way of picturing how a single serious hazard is kept under control. It is popular because it is legible: a manager, an engineer and a person on the tools can look at the same diagram and agree on what stands between the work and a fatality.

Anatomy of a bowtie

The diagram is named for its shape. In the centre is the top event — the moment control is lost (for example, “uncontrolled release of hydrocarbons” or “person falls from height”). Everything fans out from there:

  • Hazard. The source of harm you are living with (working at height, stored energy, hydrocarbons under pressure).
  • Threats (left). The things that could trigger the top event.
  • Preventive barriers (left). The controls that stop each threat from reaching the top event.
  • Consequences (right). The outcomes if the top event happens.
  • Mitigating barriers (right). The controls that reduce the severity of each consequence once control is lost.

Reading left to right, the bowtie tells a story: here is what could go wrong, here is what stops it, and here is what limits the damage if it does.

What makes a control “critical”

Not every barrier is equal. A critical control is one whose failure or absence — on its own — could result in a fatality or catastrophic loss. Most organisations find that only a handful of their many controls are truly critical. The discipline of Critical Control Management (CCM) is to identify that small set and give it disproportionate attention, rather than spreading effort thinly across hundreds of minor checks.

A control is worth treating as critical when:

  • its failure could directly enable a fatal event;
  • it is the last line of defence, or one of very few;
  • and its effectiveness can actually be verified.

Making CCM real

A control drawn on a bowtie is a claim, not a fact. CCM turns the claim into something you can trust:

  1. Write a performance standard. For each critical control, define what “working” means — who is responsible, how well it must perform, and how you would know it has failed.
  2. Verify in the field. Check critical controls where the work happens, on a frequency that matches the risk. Field verification is the heartbeat of CCM.
  3. Treat degradation as a signal. A verification that finds a control weakening is a leading indicator — act on it before the top event, not after.
  4. Close failures through action. When a check fails, raise a tracked corrective action tied to the control, and re-verify before closing it.

Critical controls also connect the rest of your HSE system. Most map to an IOGP Life-Saving Rule, and when one fails, it should escalate straight into an ICAM investigation.

Contego links bowties, critical-control verification and the action register in one place, so a weakening control becomes a tracked action instead of a note in a spreadsheet. Book a walkthrough to see it.