### **1. Introduction**

The barrier method of risk assessment, more commonly called Bowtie analysis, has been widely adopted in multiple industries. The key concept encapsulated in the method is that of preventative barriers that prevent a hazardous outcome (the 'top event') from occurring, and recovery processes that limit the escalation of that event into a larger catastrophe. It is a composition of a fault tree, an event tree and the barrier concept. The method is especially good at visually representing the event chains from the root cause to the consequence and at identifying barriers that are in place, missing or ineffective. Industries in which the Bowtie method is particularly popular include oil and gas [1,2], aviation [3–7], transportation [8–10], chemical and process [11,12], mining [2,13], IT [14–16], and medical [17–19].

In the aviation industry, the safety of the passengers and crew is of utmost priority. To ensure this, maintenance, repair and overhaul (MRO) plays a crucial part. It includes the frequent inspection of the aircraft and its engines after a certain number of flight hours or cycles, or after an unexpected event has occurred, such as a bird strike. In both cases, different means of visual inspection are applied. The aircraft engine is mainly inspected via borescope inspection (BI) and, if required, via subsequent piece part inspection (PPI). Since the results of such inspections are crucial for aircraft airworthiness and passenger safety, it is important to understand the inherent risks of the process. A high-level MRO process with the different borescope inspection procedures and related risks is presented in Figure 1.

**Figure 1.** Maintenance, repair and overhaul (MRO) process with borescope inspection procedures and risks.

Previous work showed that Bowtie is a useful tool for such risk assessments, but has some limitations, such as the process of constructing a Bowtie being ad hoc and arbitrary [7]. It depends heavily on expert knowledge and on the personal preferences and outlook of the analyst [4,20–22]. This is problematic because a risk analyst will have different technical and operational insights from a technician. There is a risk of missing important threats, consequences, and barriers. This paper offers a solution by introducing a conceptual framework for a more systematic Bowtie risk assessment for manufacturing and maintenance operations. It achieves this by integrating the 6M cause-and-effect methodology of Ishikawa [23].

### **2. Review of Bowtie Development and Structures**

### *2.1. Existing Approaches Constructing a Bowtie Diagram*

There are no standards for developing Bowtie diagrams, which results in a variety of different representations and interpretations [22]. However, a generally accepted and widely used approach for constructing a Bowtie diagram is presented below. This process aligns with the minimum requirements for a safety management system (SMS) and safety risk assessment introduced by the International Civil Aviation Organization (ICAO) [21]. Since the Bowtie methodology originates from fault tree and event tree analysis, the diagram could be derived directly from these. In practice, however, the diagram is commonly developed based on brainstorming sessions [24].

A Bowtie diagram may be constructed using a bottom–up or top–down approach [4,25,26]. The latter starts with identification of the hazard, which sets the scope and context of the risk assessment [19,24]. As per the ICAO Safety Management Manual, a hazard is defined as "condition, object, process or activity with the potential of causing harm or damage, including injuries to personnel, damage to equipment, properties or environment, loss of material or reduction in ability to perform a prescribed function" [27].

The next step is defining the top event, which describes the release or loss of control over the hazard. "It has not caused any damage or negative impact yet, but can lead to undesired outcomes if all prevention barriers fail" [7]. The term 'top event' originates from fault tree analysis. The top event forms the centre of the Bowtie diagram and links the fault tree and event tree. It can be caused by one or multiple threats.

Threats describe causes that can lead to the release of the top event, if all preventative barriers on the threat branch fail. They derive from fault tree analysis (FTA). Once identified, the threats are drawn as branches to the left of the top event.

The release of the hazard can lead to one or multiple consequences. These consequence branches are drawn to the right of the top event. Consequences are potential events or chains of events having a negative impact such as loss of control, damage, or harm. They originate from event tree analysis (ETA).

Barriers, also referred to as 'controls' or 'layers of protection', are a means of prevention or mitigation for any negative outcome and can reduce the likelihood of its occurrence. Sklet [28] defined safety barriers as "physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents". Depending on their purpose, barriers can be either on the left or on the right side of the Bowtie diagram. Prevention barriers are placed on the threat branches between the causes and the top event. Their function is to prevent the top event and ultimately the release of the hazard [12,18,21]. In contrast, mitigation barriers, also called recovery or protective barriers, aim to reduce the likelihood or minimise the severity of the consequences [29,30]. Thus, these barriers are positioned on the consequence branches between the top event and the negative outcomes.

Barriers are not entirely effective, or may not be permanently effective. Conditions that have the potential to adversely affect the effectiveness of a barrier are called escalation factors [31]. These factors are depicted as sub-branches from the main barrier path in the Bowtie diagram. To prevent the escalation factors from leading to barrier failure, additional controls, also called escalation factor barriers, are put in place [32]. These are drawn on the sub-branch of the escalation factor they are intended to prevent or mitigate. A generic Bowtie with all its elements is shown in Figure 2 below.

**Figure 2.** Generic structure of a Bowtie diagram.
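The construction steps above (hazard, top event, threat and consequence branches, barriers, escalation factors and their controls) can be captured as a small data model that flags exactly the gaps the method is meant to expose: branches with no barrier and escalation factors with no control. This is an added illustration, not code from the paper; the borescope inspection scenario in the sample is constructed for the example and is not a Bowtie the authors present.

```python
from dataclasses import dataclass, field


@dataclass
class Branch:
    """A threat (left of the top event) or consequence (right of it) with its barriers."""
    name: str
    barriers: list = field(default_factory=list)
    # escalation factor -> escalation-factor barriers that keep it from defeating the barrier
    escalation_factors: dict = field(default_factory=dict)


@dataclass
class Bowtie:
    hazard: str
    top_event: str
    threats: list = field(default_factory=list)        # fault-tree side
    consequences: list = field(default_factory=list)   # event-tree side

    def gaps(self):
        """List structural gaps: unprotected branches and uncontrolled escalation factors."""
        findings = []
        for side, branches in (("threat", self.threats), ("consequence", self.consequences)):
            kind = "prevention" if side == "threat" else "mitigation"
            for b in branches:
                if not b.barriers:
                    findings.append(f"{side} '{b.name}': no {kind} barrier")
                for ef, controls in b.escalation_factors.items():
                    if not controls:
                        findings.append(f"escalation factor '{ef}' on {side} '{b.name}': no control")
        return findings

    def render(self):
        """Plain-text left-to-right view: threats -> barriers -> TOP EVENT -> barriers -> consequences."""
        lines = [f"Hazard: {self.hazard}"]
        for t in self.threats:
            lines.append(f"  {t.name} -> {' | '.join(t.barriers) or '(no barrier)'} -> [{self.top_event}]")
        for c in self.consequences:
            lines.append(f"  [{self.top_event}] -> {' | '.join(c.barriers) or '(no barrier)'} -> {c.name}")
        return "\n".join(lines)


def sample_bowtie():
    """Constructed borescope-inspection example (hypothetical content, for illustration only)."""
    bt = Bowtie(hazard="Engine defect present at inspection", top_event="Defect not detected")
    bt.threats.append(Branch("Poor borescope image", ["Borescope calibration check"],
                             {"Time pressure": []}))            # escalation factor left uncontrolled
    bt.threats.append(Branch("Inspector fatigue"))              # no prevention barrier at all
    bt.consequences.append(Branch("Engine failure in service", ["Piece part inspection"],
                                  {"PPI skipped": ["Mandatory PPI sign-off"]}))
    return bt
```

Running `sample_bowtie().gaps()` returns two findings, which is the "missing barrier" output the Bowtie method is designed to make visible.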

As previously shown, the Bowtie method has elements of fault and event trees, albeit without the quantification or Boolean logic. There have been occasional efforts to re-introduce those features into Bowtie, e.g., in cyber security [14] and the process industry [33]. However, quantification and formalisation of the logic still suffer from the limitation of requiring estimates of probabilities—the provenance of which is as difficult as it originally was for FTA. This is particularly difficult if no historic data are available and the probabilities must be estimated.

### *2.2. Categorisations Applied in Bowtie Analysis*

Culwick et al. proposed two Bowtie structures [17]. One is a generic structure for general risk assessment, and the other is an application-specific structure for malignant hyperthermia (MH) susceptibility. The focus of the following discussion is on the generic structure, as this might be transferable to other applications and industries. The generic Bowtie structure introduced by those authors has prompts and examples. For the preventive barriers, these include assessment, optimisation, preparation, planning, checklists, and forcing strategies. Examples given for the barrier controls are monitoring, vigilance, detection, and correction. As a means of recovery, the authors mentioned crisis management, resource and expertise, and diagnosis and treatment as possible barrier categories. However, no structure or prompts were provided for threats and consequences. It was proposed to organise the consequences from the top of the diagram to the bottom based on their severity, ranging from 'no harm' to 'severe harm' respectively. The authors recommended that the Bowtie shall be "constructed by a group of individuals who have an interest in managing the particular hazard" [17]. This raises the question of whether an interest in the hazard is sufficient for creating a valid and comprehensive Bowtie risk assessment, or whether it would be better to have an expert or a group of experts, ideally with an experienced Bowtie facilitator, perform the risk assessment, as suggested by CAA and ASEMS [4,22]. In addition to the generic Bowtie elements, the authors recommended consideration of factors influencing the efficacy of controls, namely patient factors, procedural factors, system factors, human factors, and chance factors. These factors are only suitable for the medical industry and are only conditionally transferable to other industries.

Hamzah developed a Bowtie based on a risk assessment matrix [34]. The matrix categorised the consequences into four categories, namely people, assets, environment, and reputation. These categories were used to evaluate the severity of consequences and, subsequently, to determine the risk of the hazard. However, this structure was not used for the development of the Bowtie diagram, but for the severity assessment and quantification.

Another approach was taken by Maragakis et al. [21], who did not provide a categorisation, but a hazard checklist derived from past events and experience to help identify hazards quickly. This list grouped hazards into the following categories: natural, technical, economical, ergonomic, and organisational hazards.

CAA UK used the 'Significant Seven' safety scenarios to categorise different top events and created a Bowtie for each. However, no categorisation was suggested for threats, consequences and barriers [4,25].

As part of the "Basic Aviation Risk Standard (BARS) Program", the Flight Safety Foundation (FSF) performed a Bowtie risk assessment on offshore helicopter operation [35]. Similar to the Significant Seven by CAA UK, the threats were divided into eleven groups, namely: heliport and helideck obstacles, fuel exhaustion, fuel contamination, collision on ground, unsafe ground handling, controlled flight into terrain/water, aircraft technical failure, weather, loss of control, mid-air collision, and wrong deck landing. Furthermore, barriers were divided into organisational, flight operations, and airworthiness controls. This categorisation is particularly detailed and application specific, which makes transferability to other industries somewhat difficult.

Barriers have been categorised based on their function, characteristics, and origins. Kang et al. [36] distinguished between physical and non-physical barriers and subsequently divided each group into three main categories, based on the work of Neogy [37] and Chevreau [38]. These are technological barriers, organisational barriers, and personnel barriers. Technological barriers can be further divided [18,29,32]. The division of risks into only two categories—'physical' and 'non-physical', or 'human behaviour' and 'technology related'—is insufficient for a broader categorisation such as the one attempted here. Furthermore, an active and passive classification works well for barriers, but not for threats and consequences.

### *2.3. General Categorisations and Classifications in Risk Management*

No systematic methodology is evident in the Bowtie literature, but there are some in the wider field of risk management. Some originate from the risk breakdown structure (RBS), which focuses on project risks, while others derive from root cause analysis (RCA), a tool commonly used after a major, single-event problem has occurred [39]. Still others focus on human factors, i.e., the risks and conditions that cause humans to err.
