There is a point in most safety assessments where the conversation shifts, almost subconsciously, from understanding the problem to feeling like it has been solved, and that point usually arrives the moment someone says, “we have mitigations in place.”
It sounds reassuring, and in many cases it is, but it can also be slightly misleading if we are not careful about what we mean by mitigation in the first place.
Because a mitigation is not a solution in the absolute sense.
It is a way of managing exposure to something that still fundamentally exists.
The subtle difference people tend to skip over
When a hazard is identified, the instinct is often to ask how it can be removed entirely, and while that is sometimes possible through design changes, in most aviation systems the reality is that hazards are rarely eliminated outright.
Instead, they are:
- controlled
- contained
- or made less likely to escalate
Which means the hazard itself is still present in the system, just sitting behind layers of protection that we expect to hold under the right conditions.
That distinction matters, because it changes how we think about what “done” actually looks like.
This is where the Bow Tie starts to become useful
The bow tie method is often introduced as a visual tool, something neat and structured that helps organise threats, barriers, and consequences around a central hazard, and at a basic level, that is exactly what it does.
But if it is treated purely as a diagram to complete, it quickly loses most of its value.
At its core, the bow tie is trying to answer two very different questions at the same time:
how does this hazard occur?
and once it does, what stops it from becoming something worse?
On the left-hand side, you are dealing with causation:
- threats
- initiating events
- upstream conditions
On the right-hand side, you are dealing with outcomes:
- consequences
- escalation paths
- downstream effects
And in the middle sits the hazard, not as a failure, but as a state the system can enter.
Barriers are where the real thinking is
The most important part of the bow tie is not the hazard itself, or even the threats and consequences, but the barriers that sit in between.
Because those barriers are what the entire safety argument is built on.
They are the reason you can say:
- this will not happen
or - if it does happen, it will not get worse
But each barrier carries with it an implicit assumption:
- that it will activate when required
- that it will function as intended
- and that it will not be compromised by something else in the system
And those assumptions are rarely written as clearly as they should be.
Not all mitigations are created equal
One of the more common traps is treating all mitigations as though they provide the same level of protection, when in reality they sit on very different parts of the spectrum.
For example:
- a design feature that physically prevents a condition
- a monitoring function that detects it
- a procedure that relies on human response
All of these are valid mitigations, but they behave very differently under stress, time pressure, or unexpected scenarios.
And yet, in many assessments, they are listed side by side without much distinction.
The illusion of completeness
A completed bow tie diagram can look very convincing, particularly when every threat has a barrier and every consequence has a recovery measure, giving the impression that the system has been fully considered.
But the diagram itself does not guarantee that:
- the right threats were identified
- the barriers are truly independent
- or the escalation paths are realistic
It simply reflects the current understanding of the system.
And that understanding can always be incomplete.
Where things start to get interesting
The real value of the bow tie is not in documenting what you already know, but in exposing what you might be assuming without realising it.
For example:
- are multiple barriers relying on the same underlying system?
- do different mitigations fail under the same conditions?
- is there a point where everything depends on a single human action?
These are the kinds of questions that tend to emerge when the method is used properly, not as a template, but as a way of thinking.
Bringing it back to fundamentals
At its simplest level, safety engineering is about understanding how a system can move from a normal state into an undesirable one, and what stands in the way of that transition or its escalation.
The bow tie provides a structured way of mapping that movement, but it does not replace the need to critically examine each element within it.
And perhaps more importantly, it reminds us that mitigations are not endpoints.
They are conditions that must continue to hold true for the system to remain safe.
Final thought
It is easy to feel a sense of closure once hazards have been identified and mitigations have been assigned, particularly when everything fits neatly into a structured model.
But safety rarely operates in neat boundaries.
And the moment we start treating mitigations as guarantees rather than conditional protections is usually the moment we stop asking the questions that matter most.
(If you are working through hazard mitigation strategies, building bow tie models, or trying to understand how barriers actually hold up in real systems, we are putting together a practical guide that goes deeper into the thinking behind it—contact us for further information.)
