Scenario summaries are presented as separate pages with one event on each sheet. They include typical (suggested) Causes (Threats) and Controls (Barriers) and visual representations of the scenarios in bowtie format.

Although bowties are constructed on the principles of published practice (CCPS “Bow Ties in Risk Management: A Concept Book for Process Safety”), they do not rigorously follow the guidance as the aim is to provide simple effective summaries not wholly accurate representations of scenario evolution.


Hazards are operations, activities, or materials with the potential to cause harm.

The Top Event is the moment when control over the hazard or its containment is lost, releasing its harmful potential.

Hazards and Top Events (and their relative release potential & risk – see following sections) are shown as follows to help ‘players’ or Users remember that Major Accident Events are always a possibility:


Threats are potential reasons for (causes of) loss of control of the hazard leading to the top event (loss of containment).

Threats (and their relative likelihood) are shown as follows to help ‘players’ or Users recognise present or potential/developing Causes or Initiating Events that could lead to the Top Event:


Prevention or threat barriers prevent the Top Event from occurring. Mitigation barriers (not shown on these diagrams) are employed after the Top Event and should help prevent or reduce losses and regains control once it has been lost.

Barriers and their degradation factors & types are shown as follows to help ‘players’ or Users respect the Controls, Safeguards or Measures that could prevent the Top Event:

Respecting barriers means that ‘players’ or User acts or omissions i.e. what they do or don’t do, do not directly or indirectly result in barriers with reduced effectiveness because they are:


Operated beyond design limits or life
Overridden or inappropriately adjusted (poor temporary MoC)
Removed (poor permanent MoC)
Not fitted (poor Design Control or Action Management)

Barrier Types

Barriers are categorised (colour coded) according to the CCPS Bowtie guidance as follows:

Hardware + Human
Active Hardware
Continuous Hardware
Passive Hardware

Human actions
Combined actions e.g. Alarm
Detect + Decide + Do (Act)
Always operating
Always present



Barrier vulnerabilities may be considered as the inverse of the effectiveness. In this case these are based on a simple ranking system of barrier types according to the predictability or warning of failure and reliance on human action or intervention:

Hardware + Human
Active Hardware
Continuous Hardware
Passive Hardware

High vulnerability
High vulnerability
Medium vulnerability
Medium vulnerability
Low vulnerability


Barrier vulnerabilities are graphically represented on the Threat line as follows:

These utilise Barrier Failure Analysis functionality (representing Missing, Inadequate, Failed, Unreliable or Effective barrier performance during incidents or unplanned demands) from IncidentXP.

If necessary, barrier Effectiveness can also be shown on the diagrams – this is at the User’s discretion:

Degradation Factors

Degradation (or Escalation) factors are conditions that can reduce the effectiveness of the barrier.

They do not directly cause a Top Event or Consequence but, by degrading the associated barrier, the likelihood of escalation towards the Consequences is higher. Normally they appear below the barriers as follows:

However, for clarity (to minimise diagram depth), they are included inside the barriers, as shown below: