A Bowtie diagram is only as strong as the barriers on it. And in practice, many of the barriers written onto Bowtie diagrams in Malaysian workplaces do not actually qualify as barriers — they qualify as wishes.
This is not a minor technical distinction. It is the difference between a workplace that has genuine layers of protection and a workplace that has documentation that says it does.
What a Barrier Must Actually Do
In the Bow-Tie methodology, a barrier is a measure that either prevents the top event from occurring — a threat barrier — or limits the consequences if the top event has already occurred — a recovery barrier.
For a measure to function as a genuine barrier, it must meet two fundamental criteria.
First: effectiveness. The barrier must actually be capable of preventing or limiting the event it is assigned to. Not theoretically capable. Not capable “if used correctly.” Actually, physically capable of performing the function in the conditions where it is needed.
Second: independence. The barrier must be able to function without relying on another barrier in the same chain. A measure that only works because another measure is already working does not add a genuine layer of protection — it shares the failure mode of the measure it depends on.
The Problem With Administrative Barriers
The most common issue in Bowtie diagrams across Malaysian industries is the over-reliance on administrative barriers — procedures, permits, training records, supervision requirements — presented as if they were independent layers of protection.
Consider a permit-to-work system listed as a threat barrier for a pressurised energy hazard. The permit system requires a supervisor to approve the isolation before work begins. But the permit’s effectiveness depends on:
- The supervisor being present and engaged
- The supervisor understanding the energy isolation requirements
- The worker completing the isolation correctly
- Neither party being under production pressure that shortens the review
These are not one failure mode. They are four separate human factors, all of which can fail simultaneously under the same conditions — typically, the high-pressure, high-consequence conditions that Bowtie barriers are supposed to be most reliable in.
A permit-to-work system is a valuable administrative control. But it is not, on its own, an independent barrier. It is a human-dependent process that relies on correct behaviour at the critical moment.
When production pressure is highest — when maintenance windows are tight, when schedules are behind, when the cost of delay is visible — the administrative barrier is at its most vulnerable. This is precisely the scenario where a physical barrier’s independence is most valuable.
What a Real Barrier Looks Like
A genuine barrier in Bowtie terms does not require a human to make the correct decision at the critical moment. It functions based on physics, engineering design, or automatic systems.
Examples include:
- A physical guard that prevents a hand from reaching a moving part regardless of whether the operator is experienced or distracted
- A pressure relief valve that activates automatically when system pressure exceeds the rated limit, without requiring a person to notice and respond
- Secondary containment designed to hold the full volume of a chemical storage vessel, regardless of whether anyone is watching when the primary containment fails
- An interlock system that prevents a process from proceeding unless a specific physical condition is met
These barriers do not negotiate with fatigue, distraction, or production pressure. They function because of how they are designed, not because of how people behave.
The Test to Apply
When reviewing a Bowtie diagram, apply a two-part test to every listed barrier.
Test 1 — Effectiveness: Can this measure actually stop the top event or limit the consequence it is assigned to, in the realistic conditions of this workplace?
Test 2 — Independence: If the barrier immediately to its left in the chain failed completely, would this barrier still function? Or does its functioning depend on the prior barrier having partially worked?
Any barrier that fails either test should be reclassified — as a safeguard, an administrative control, or a contributing measure — not presented as an independent layer of protection.
The Practical Implication
A Bowtie diagram that shows five barriers on the threat side may be providing a false sense of security if four of those five barriers are administrative controls with shared human-dependency failure modes.
The real question for any workplace is not how many barriers are listed — it is how many barriers would hold if a person had a bad day. Fatigued. Distracted. Under pressure. Making a reasonable-looking decision that turns out to be wrong.
If the honest answer is “one or two,” the Bowtie is reflecting a much thinner defence-in-depth than the diagram suggests.
Want to build Bowtie diagrams that reflect your real defence system — not just your documentation? Cikgu Barrier’s Barrier Management: Bowtie Analysis program teaches teams how to identify genuine barriers, apply escalation factors, and produce diagrams that are actionable, not decorative. Available in-house and as a public workshop across Malaysia.