

The goal of a bowtie model is to create an overview that includes the risks an organisation needs to mitigate, the effectiveness of mitigating measures, possible improvements, and the costs involved. The results can be used to ensure the integrity and security of the assets in place, as well as to motivate investment policy and improve continuity. The data used is based on expert opinion as well as case histories.

[Figure: FF Curve]

Bowstar employs an advanced bowtie method to complete a risk inventory and define a mitigation plan that enables pipeline operators to optimize the lifecycle of their assets and facilitates decision-making on the most economical way to manage risk and integrity. Bowstar is a model that demonstrates the transparency of all integrity-related operational activities and the way the cycle of improvement has been embedded into daily practice. It provides an enhanced bowtie risk assessment technique with a highly structured inventory of threats, consequences, escalations and mitigations throughout the lifecycle of a pipeline asset, including effectiveness and cost. Algorithms enable the economic evaluation of mitigations, and the quantified effect of new mitigations can be visualized. This approach allows a pipeline operator to balance preventive and repressive mitigations to find the most economical solution for managing its risk.

The bowtie model can be visualised as follows:

[Figure: Bowtie model 1]

The different components used in the Bowtie model are defined below:

Unwanted event: Refers to a hazard that needs to be controlled. In the industry this is sometimes also referred to as the ‘top event’. It is situated in the centre of the bowtie model.

Threats: There are a number of threats that could cause the unwanted event to occur. They are visualised on the left side of the model, which shows a direct relationship between the causes of the unwanted event and the unwanted event itself.

Consequences: These are displayed on the right side of the model. The consequences refer to the possible outcomes in case the unwanted event does indeed occur. This involves a direct relationship between the unwanted event and the consequences of the unwanted event.

Life cycle barriers: In most cases the setup of a bowtie diagram as developed by PI is related to the NTA 8000 code for pipeline operators. In that case every threat and every consequence has seven main barriers. These main barriers are shaped by the seven life phases of the infrastructure. Because the analysis is specified according to the different phases in the asset life cycle, the result becomes much more specific than an analysis that does not use life cycles. The threats and consequences are defined by the experts during the workshops. The different life phases are derived from the NTA 8000 and are as follows:

  •     Design (new installations and modifications).
  •     Construction.
  •     Commissioning.
  •     Operations (including commissioning and temporary interruptions).
  •     Maintenance (during normal operations and during temporary shutdowns).
  •     Third party damage prevention. *
  •     Mothballing/ removal.

* Third party damage prevention refers to damage caused by activities outside of the client's control, such as excavation activities and earthmoving. This factor plays a very dominant role. International research has shown that this type of threat causes the greatest amount of damage to pipelines worldwide. This is why we decided to analyse this category separately.

Besides the 7 life cycles defined in the NTA 8000, our Bowstar Bowtie Module can also use an alternative model: the COSO methodology. The COSO methodology is one of the most used international standards for risk management. The risk management model COSO II is divided into four categories (Strategic, Operations, Reporting and Compliance) and eight components:

  •      Internal Environment
  •      Objective Settings
  •      Event Identification
  •      Risk Assessment
  •      Risk Response
  •      Control Activities
  •      Information and Communication
  •      Monitoring

The model not only makes it possible for an organization to focus on integrated risk management, but also enables an organization to assess the control systems by category, component, or business unit. The COSO II framework is used by many organizations as a standard to determine what is expected of the company when it comes to risk management.

Escalation factors: The next step in the development of the Bowtie is to define the so-called escalation factors. These are threats which could erode the degree of effectiveness of the main barriers (= each life cycle barrier).

Mitigating measures: To minimize the chance that an escalating factor causes damage, a mitigating measure could be applied. Several types of mitigating measures can be defined:

  • Mitigating measures which are already in place.
  • Improvements for existing mitigating measures.
  • New mitigating measures.

Often multiple mitigating measures are applied concurrently. In order to minimize the effects of the escalation factors, mitigating measures need to be taken for each escalation factor. The figure below shows an example of how two mitigating measures are taken to compensate for an escalation factor:

[Figure: Bowtie model 2]

Note that in some cases no mitigating measures have been implemented at all, while in other cases a number of mitigating measures are already in place.

Please contact us for more information.