Bow-Tie Diagram

The bow-tie method is a powerful tool for visualizing and managing risks. Named after its distinctive shape, this tool is used to analyze the causes and consequences of potential risks.

At the center of the bow-tie diagram is the “top event,” which represents the risk being analyzed. On the left side of the diagram are the potential causes of the top event, while on the right side are the potential consequences. The diagram also includes barriers or controls that can be put in place to prevent or mitigate the risk.

To create a bow-tie diagram identify the “top event” representing the risk being analyzed. This is placed at the center of the diagram.

Next, you identify the potential causes of the top event and place them on the left side of the diagram. These causes can be further broken down into sub-causes if necessary.

On the right side of the diagram, you identify the potential consequences of the top event. These can also be further broken down into sub-consequences if necessary.

Once you have identified the causes and consequences of the top event, you can then add barriers or controls to the diagram. These are measures that can be put in place to prevent or mitigate the risk. Barriers can be placed between the causes and the top event to prevent it from occurring, while controls can be placed between the top event and its consequences to mitigate their impact.

The bow-tie method works by providing a clear and concise visual representation of a risk and its potential impacts. This allows stakeholders to better understand the risk and identify areas where additional controls may be needed.

This tool also works nicely with desirable consequences.

This picture showed up when I typed bow-tie on my computer. It’s relevant


In the current world scenario, which is marked by high volatility, uncertainty, complexity, and ambiguity (VUCA), threats are increasingly unforeseen. As organizations, we are striving for this concept of Resilience.

Resilience is one of those hot words, and like many hot business terms it can mean a few different things depending on who is using it, and that can lead to confusion. I tend to see the following uses, which are similar in theme.

Where usedMeaning
PhysicsThe property of a material to absorb energy when deformed and not fracture nor break; in other words, the material’s elasticity.
EcologyThe capacity of an ecosystem to absorb and respond to disturbances without permanent damage to the relationships between species.
PsychologyAn individual’s coping mechanisms and strategies.
Organizational and Management studiesThe ability to maintain an acceptable level of service in the face of periodic or catastrophic systemic and singular faults and disruptions (e.g. natural disasters, cyber or terrorist attacks, supply chain disturbances).

For our purposes, resilience can be viewed as the ability of an organization to maintain quality over time, in the face of faults and disruptions. Given we live in a time of disruption, resilience is obviously of great interest to us.

In my post “Principles behind a good system” I lay out eight principles for good system development. Resilience is not a principle, it is an outcome. It is through applying our principles we gain resilience. However, like any outcome we need to design for it deliberately.

We gain resilience in the organization through levers that can be lumped together as operational and organizational.

The attributes that give resilience are the same that we build as part of our quality culture:

On the operational side, we have processes to drive risk management, business continuity, and issue management. A set of activities that we engage in.

Like many activities they key is to think of these as holistic endeavors proactively building resiliency into the organizaiton.

Call a Band-Aid a Band-Aid: Corrections and Problem-Solving

A common mistake made in problem-solving, especially within the deviation process, is not giving enough foresight to band-aids. As I discussed in the post “Treating All Investigations the Same” it is important to be able to determine what problems need deep root-cause analysis and which ones should be more catch and release.

For catch and release you usually correct, document, and close. In these cases the problem is inherently small enough and the experience suggesting a possible course of action – the correction – sound enough, that you can proceed without root cause analysis and a solution. If those problems persist, and experience and intuition-drive solutions prove ineffective, then we might decide to engage in structured problem-solving for a more effective solution and outcome.

In the post “When troubleshooting causes trouble” I discussed that lays out the 4Cs: Concern, Cause, Countermeasure, Check Results. It is during the Countermeasure step that we determine what immediate or temporary countermeasures can be taken to reduce or eliminate the problem? Where we apply correction and immediate action.

It helps to agree on what a correction is, especially as it relates to corrective actions. Folks often get confused here. A Correction addresses the problem, it does not get to addressing the cause.

Fixing a tire, rebooting a computer, doing the dishes. These are all corrections.

As I discussed in “Design Problem Solving into the Process” good process design involves thinking of as many problems that could occur, identifying the ways to notice these problems, and having clear escalation paths. For low-risk issues, that is often just fix, record, move on. I talk a lot more about this in the post “Managing Events Systematically.”

A good problem-solving system is built to help people decide when to apply these band-aids, and when to engage in more structured problem-solving. This reliance on situational awareness is key to build into the organization.

Risk, Hazard and Harm

Risk Is….

The combination of the probability of the occurrence of the harm and the severity of that harm.

The effect of uncertainty on objectives

Often characterized by reference to the potential event and consequences or combination of these

Often expressed in terms of a combination of the consequences of an event (including in changes in circumstances) and the associated likelihood of the occurrence


Hazard, harm and risk

Enabling state that leads to the possibility of harmInjury or damageProbability of harm from a situation triggered by the hazard.
Hazard harm and risk

A hazard is defined in ISO 12100 as “The potential source of harm.” This definition is carried through other ISOs and regulatory guidances. The hazard is what could go wrong, our “What If…”, it is when we start engaging the outcome identification loop to query uncertainty about the future.

Harm are those injuries or damages I should care about.

Every risk assessment is really asking “What could go wrong,” and then answering two questions:

  1. If it did go wrong how bad is it – the Harm
  2. And how likely is it to go wrong – Probability.

Risk is then the combination of those things as a magnitude or priority.

Risk assessment tools break down into two major camps. Those that start with the hazards, asking how something can fail; and those that start with the harms, asking what bad things do we want to avoid.

Escalation of Critical Events

Event management systems need to have an escalation mechanism to ensure critical events are quickly elevated to a senior level to ensure organization-wide timely reactions.

Consistent Event Reporting

There are many reasons for a fast escalation.

  • Events that trigger reporting to Regulatory Agencies (e.g. Serious Breach, Urgent Safety Measures (UK), Field Alerts, Biological Product Deviation, Medical Device Report)
  • Events that require immediate action to prevent additional harm from across the organization
  • Events that require marshalling resources from large parts of the organization







         Impact to data integrity

       Impact to product quality/supply

       Impact to data integrity

       Data/privacy breach

       Event impacting on-time compliance rates (not isolated/steady state)

       Impact to data integrity

       Impact to data integrity

       Reference GxP area for Impact resulting from/linked to system error/failure

       Product Quality/ CMC events in accordance with MRB criteria (or other events of similar scope of impact)

       Impact to study integrity

       Impact to subject’s safety, rights or welfare

       Gaps in reporting/ collection of potential AEs

       Impact to study integrity

       Impact to study integrity

       System design, testing, deployment, upgrade, etc. event impacting GxP data integrity or regulatory compliance

       Recurring event with broad scope of impact

       Recurring event with broad scope of impact

       Recurring event with broad scope of impact

       Recurring event with broad scope of impact

       Recurring event with broad scope of impact

       Recurring event with broad scope of impact

       Impact to program milestones & corporate goals

       Impact to program milestones & corporate goals

       Impact to program milestones & corporate goals

       Impact to program milestones & corporate goals

       Impact to program milestones & corporate goals

       Potential Falsified or Counterfeit Product

       Potential Fraud or Misconduct

       Potential Fraud or Misconduct

       Credible Risk of Product Shortage

       Quality event with patient safety risk/gap

       GxP Data Breach

       Potential Product Recall

       Significant Quality Event Notified to Regulatory Authority

       System error or failure with significant GxP compliance impact

·       Potential Critical Finding Resulting from Regulatory Authority Inspection or Audit by External Body/Third Party

·       Quality Event/Observation Classified as Critical (Event or Internal Audit) Notification from Regulatory Authority or other External Authority of Findings of Significant/Critical Quality Deficiency (inspection or other than through inspection)

o   e.g.; Refusal to File, Notification of Inadequate Response to Inspection Findings (e.g.; Other Action Indicated (FDA classification), Warning Letter


You can drill down to a lower, more practical level, like this

Escalation Criteria

Examples of Quality Events for Escalation

Potential to adversely affect quality, safety, efficacy, performance or compliance of product (commercial or clinical)

       Contamination (product, raw material, equipment, micro; environmental)

       Product defect/deviation from process parameters or specification (on file with agencies)

       Significant GMP deviations

       Incorrect/deficient labeling

       Product complaints (significant PC, trends in PCs)

       OOS/OOT (e.g., stability)

Product counterfeiting, tampering, theft

       Product counterfeiting, tampering, theft reportable to Health Authority (HA)

       Lost/stolen IMP

       Fraud or misconduct associated with counterfeiting, tampering, theft

       Potential to impact product supply (e.g., removal, correction, recall)

Product shortage likely to disrupt patient care and/or reportable to HA

       Disruption of product supply due to product quality events, natural disasters (business continuity disruption), OOS impact, capacity constraints

Potential to cause patient harm associated with a product quality event

       Urgent Safety Measure, Serious Breach, Significant Product Compliant, Safety Signal that are determined associated with a product quality event

Significant GMP non-compliance/event

       Non-compliance or non-conformance event with potential to impact product performance meeting specification, safety efficacy or regulatory requirements

Regulatory Compliance Event

       Significant (critical, repeat) regulatory inspection findings, lack of commitment adherence

       Notification of directed/for cause inspection

       Notification of HA correspondence indicating potential regulatory action