Bowtie Barriers: Prevention vs Mitigation Controls Explained
In a bowtie diagram, barriers do the heavy lifting. They’re the reason a hazard doesn’t become a fatality. But not all barriers are equal — and understanding the difference between prevention barriers and mitigation barriers is the foundation of effective risk management in high-hazard industries.
This guide breaks down what bowtie barriers are, how the two types differ, what makes a barrier effective, and how to manage them over time.
What Is a Bowtie Barrier?
A barrier is any control that interrupts the path between a threat and a top event, or between a top event and a consequence. In bowtie analysis, barriers are represented as vertical lines crossing the pathways on either side of the top event.
The term “barrier” comes from the barrier model of accident causation — the idea that accidents occur when multiple protective layers fail simultaneously. Each barrier is a layer of protection. When barriers are strong, independent, and well-maintained, the risk is controlled. When barriers degrade, fail, or are absent, the path to harm opens up.
Barriers in a bowtie are not the same as all controls in your risk register. A bowtie focuses specifically on the controls that matter most — the ones that directly prevent threats from reaching the top event, or that reduce the impact of consequences if the top event does occur.
Prevention Barriers: The Left Side of the Bowtie
Prevention barriers sit on the left side of the bowtie, between threats and the top event. Their job is to stop a threat from causing the top event — to prevent control of the hazard from being lost in the first place.
Think of prevention barriers as the defences that keep the hazard contained.
Examples of prevention barriers in mining:
- Traffic management plans that keep light vehicles and heavy equipment separated (threat: vehicle interaction; top event: collision)
- Isolation procedures that de-energise equipment before maintenance work (threat: energised equipment; top event: uncontrolled energy release)
- Fitness for work assessments that prevent fatigued operators from accessing heavy mobile equipment (threat: fatigue; top event: loss of vehicle control)
Examples in construction:
- Edge protection systems on elevated work platforms (threat: worker near unprotected edge; top event: fall from height)
- Permit to work systems that require excavation checks before digging (threat: unknown underground services; top event: striking a buried asset)
- Pre-task risk assessments that identify hazards before work begins (threat: unrecognised hazard; top event: loss of control)
Prevention barriers are your primary line of defence. They’re the controls you want to be robust, well-monitored, and genuinely effective — because if they fail, the top event occurs and you’re now relying on your mitigation barriers to limit the damage.
Mitigation Barriers: The Right Side of the Bowtie
Mitigation barriers sit on the right side of the bowtie, between the top event and its consequences. Their job is not to prevent the top event from occurring — that moment has passed — but to reduce the severity of what happens next.
Think of mitigation barriers as damage control. They can’t undo the top event, but they can limit its impact on people, equipment, and environment.
Examples of mitigation barriers in mining:
- Rollover protection structures (ROPS) on mobile equipment (top event: vehicle rollover; consequence: fatality)
- Emergency shutdown systems on process plants (top event: loss of containment; consequence: explosion)
- Emergency response plans that govern evacuation and medical response (top event: any major event; consequence: escalating harm)
Examples in construction:
- Fall arrest systems as a secondary protection against falls (top event: worker falls; consequence: fatal injury)
- Exclusion zones around crane lifts (top event: dropped load; consequence: struck person)
- Site emergency procedures and first aid capability (top event: serious injury; consequence: preventable death)
Mitigation barriers matter because top events do occur. No prevention system is perfect. A robust bowtie has strong mitigation barriers on the right side so that when something does go wrong, the consequences are survivable and contained.
Critical Barriers vs Supporting Barriers
Not all barriers on your bowtie are equally important. This is where critical control management comes in.
A critical barrier (or critical control) is one whose absence or failure would significantly increase the likelihood of the top event occurring, or significantly worsen the consequence if it occurs. Remove a critical barrier and the risk profile changes dramatically.
A supporting barrier contributes to risk reduction but isn’t the single line between the hazard and the harm. Its failure alone wouldn’t be catastrophic — other barriers would still be in place.
The practical test: if you removed this barrier tomorrow and everything else stayed the same, how much worse would the risk be? If the answer is “significantly,” it’s probably critical.
Most bowties should have no more than three to seven critical controls. If you’ve identified fifteen critical barriers on a single bowtie, you’ve likely included supporting controls in the critical category — which dilutes focus and makes verification impractical.
What Makes a Good Barrier?
Not every control qualifies as an effective bowtie barrier. A useful test is the ACTIVE criteria, used in critical control management frameworks:
- Adequate — the barrier is sufficient to interrupt the pathway if it functions correctly
- Comprehensive — it covers the full range of scenarios it’s supposed to address
- Tested — its effectiveness has been verified in realistic conditions, not just on paper
- Independent — its function doesn’t depend on another barrier that might fail at the same time
- Valid — it addresses a realistic threat or consequence pathway, not a theoretical one
- Effective — there’s evidence it actually works when called upon
Barriers that fail these tests are often what we call “phantom barriers” — they appear on the bowtie, they might even appear in a compliance document, but in practice they provide little real protection.
Common phantom barriers:
- “Worker training” — training affects behaviour but doesn’t physically interrupt a pathway
- “Procedure exists” — having a written procedure is not the same as the procedure being followed
- “Supervision” — unless supervision is defined, scheduled, and verified, it’s not a barrier
- “PPE required” — PPE is often a last-resort mitigation, not a prevention barrier, and its effectiveness depends entirely on correct use
None of these are bad controls. Training matters. Procedures matter. But they shouldn’t be listed as primary barriers on a bowtie for major hazards. The barriers that count are the physical, engineered, or rigorously enforced administrative controls that genuinely interrupt the causal pathway.
How Barriers Fail in Practice
Understanding how barriers fail is as important as understanding what they are. Barriers fail in predictable ways:
Degradation — the barrier gradually becomes less effective over time. An isolation procedure that was once robust becomes less reliable as staff turn over and the procedure isn’t updated. A proximity detection system drifts out of calibration. A physical guard corrodes.
Bypass — the barrier is deliberately circumvented, usually under production pressure. An interlock is defeated to keep the line running. A permit to work is back-signed rather than completed in real time. This is one of the most dangerous failure modes because it’s invisible until something goes wrong.
Irrelevance — the barrier was designed for a scenario that no longer applies. New equipment was introduced, the process changed, or the threat pathway shifted. The barrier still exists but no longer addresses the actual risk.
Absence — the barrier was never installed or has been removed. Sometimes this is intentional (a control was considered unnecessary). Sometimes it happens without anyone realising.
Simultaneous failure — multiple barriers fail at the same time, often because they share a common cause. Two barriers that both depend on the same training program, the same maintenance team, or the same management commitment can fail together when that common factor is under pressure.
Escalation Factors: What Weakens Your Barriers
On a bowtie, escalation factors (also called barrier degradation factors) are conditions that reduce the effectiveness of a barrier without removing it entirely. They sit on the barrier itself on the diagram.
Common escalation factors include:
- Time pressure or production targets that encourage workers to take shortcuts
- Fatigue that reduces operator alertness
- Poor environmental conditions (heat, noise, low visibility) that affect barrier function
- Equipment age or maintenance backlog
- High workforce turnover that disrupts institutional knowledge
Understanding your escalation factors is critical because they tell you when your barriers are at elevated risk of failure — and when you need to compensate with additional controls or temporary measures.
How to Keep Barriers Effective Over Time
A bowtie diagram is only valuable if it reflects reality. A barrier that appears on the diagram but has degraded in practice is worse than no barrier at all — it creates a false sense of security.
Effective barrier management requires:
Verification schedules — regularly checking that critical barriers are in place and functioning. This means physical verification in the field, not just paperwork. A level 1 check might happen every shift; a level 3 check might happen quarterly. The frequency should match the failure rate and the consequence of failure.
Incident linkage — when an incident occurs, mapping it back to the bowtie immediately. Which barriers held? Which failed or were absent? This feedback loop is how your bowtie stays calibrated to reality rather than aspiration.
Regular review — bowties should be reviewed when operations change significantly: new equipment, process modifications, changes in workforce, or learnings from incidents elsewhere in the industry.
Clear ownership — every critical barrier should have a named owner responsible for its performance standard and verification. Barriers without owners don’t get maintained.
The Difference Between a Barrier and a Risk Treatment
It’s worth clarifying one common point of confusion. In ISO 31000 terminology, a “risk treatment” is any action taken to modify risk. A barrier in a bowtie is more specific — it’s a control that directly interrupts a causal pathway in the bowtie model.
Many risk treatments aren’t barriers in the bowtie sense. Buying insurance modifies the financial consequence of a risk but doesn’t interrupt the causal pathway. A risk transfer arrangement reduces your exposure but doesn’t change the likelihood of the event occurring. These matter for risk management broadly but don’t appear as barriers on a bowtie.
The bowtie model focuses on the controls that physically or operationally interrupt the pathway between threat and consequence. That’s a more precise and actionable framing than the broader category of risk treatments — which is why high-hazard industries have adopted it so widely.
How RiskSight Manages Bowtie Barriers
Understanding barriers conceptually is the first step. Managing them in practice — verifying they’re in place, tracking when they degrade, connecting them to incidents when they fail — is where most organisations struggle.
RiskSight connects your bowtie barriers directly to your risk register, verification schedules, and incident investigations. When a barrier fails during an incident, it updates on the bowtie automatically. When a verification is overdue, it surfaces in the dashboard. When a barrier’s performance standard isn’t being met, it flags to the right people.
That’s the difference between a bowtie as a diagram and a bowtie as a live risk management system.