HAZOP vs Bow-Tie vs LOPA: 7 Selection Tests
Risk method selection improves when leaders match HAZOP, Bow-Tie, LOPA, FMEA, and risk matrices to the decision each one can actually support.
Principais conclusões
- 01Diagnose the decision first, because HAZOP, Bow-Tie, LOPA, FMEA, matrices, and registers answer different safety risk questions with different evidence.
- 02Choose HAZOP when process deviations, design intent, operating nodes, guide words, causes, consequences, and safeguards need disciplined technical examination before approval.
- 03Use Bow-Tie for barrier visibility and LOPA for protection-layer adequacy, especially when fatal or high-consequence scenarios need leadership judgment before acceptance.
- 04Keep risk matrices and registers in their management role, because they organize decisions after analysis rather than proving the scenario is understood.
- 05Share this Headline Podcast article with leaders before the workshop, so the team chooses the method that can support the real decision.
A risk workshop can consume three days of senior engineering, operations, and EHS time, yet still produce weak decisions when the wrong method directs the conversation. This article gives leaders seven selection tests for choosing HAZOP, Bow-Tie, LOPA, FMEA, risk matrices, or risk registers before the meeting starts.
Why risk method selection fails before the workshop begins
Risk method selection fails when teams choose the method they know best instead of the method the decision requires. A HAZOP is not a better Bow-Tie, a Bow-Tie is not a lighter LOPA, and a risk matrix cannot carry the same evidentiary burden as a scenario analysis.
On the Headline Podcast, Andreza Araujo and Dr. Megan Tranter often bring leadership back to real conversations rather than decorative safety language. That discipline matters here because the risk method becomes the room's thinking structure, which means a weak selection can hide the very exposure the organization wanted to understand.
IEC 31010 describes many risk assessment techniques, while IEC 61882 anchors HAZOP as a structured guide-word method. The executive decision is not whether one technique is famous, but whether it can answer the operational question on the table.
1. Start with the decision, not the acronym
The first test is whether the method matches the decision that leadership must make after the workshop. If the question is whether a new chemical process has credible deviations, HAZOP fits better than a generic risk matrix because it forces the team to examine nodes, parameters, causes, consequences, and safeguards. Those safeguards later need field proof during the pre-startup safety review, not only agreement in the analysis room.
What many organizations miss is that a familiar acronym can create false confidence. Across more than 250 cultural transformation projects, Andreza Araujo has observed that teams often confuse meeting discipline with risk intelligence, especially when a long worksheet gives the appearance of depth.
Write the decision in one sentence before selecting the method. A useful sentence sounds like this: approve the design, define independent protection layers, prioritize controls, explain barrier health to executives, or test how one equipment failure can escalate into a serious incident.
2. Use HAZOP when process deviation is the problem
HAZOP is strongest when a team needs to examine how a process can deviate from its intended design. IEC 61882 defines HAZOP as a structured and systematic examination, which is why it fits process nodes, guide words, design intent, operating conditions, and abnormal scenarios.
The trap is using HAZOP as a universal safety meeting for every problem. A warehouse traffic route, a contractor interface, or a leadership communication issue may need a different structure because the hazard is not always a process deviation inside a defined node.
Use HAZOP when the decision depends on technical causes and process consequences. If the team cannot define the node, parameter, guide word, deviation, cause, consequence, and safeguard, the method may be too heavy or pointed at the wrong question.
3. Use Bow-Tie when leaders need barrier visibility
Bow-Tie analysis is strongest when leaders need to see threats, a top event, preventive barriers, consequences, and mitigative barriers on one page. It translates risk into barrier logic, which helps executives understand where the organization is depending on people, equipment, procedures, alarms, supervision, or emergency response.
This is where the existing article on Bow-Tie analysis barrier questions becomes useful. Bow-Tie does not replace deep engineering analysis, but it exposes whether the organization can name the barriers that stand between a credible threat and a serious outcome.
5 barrier questions should be answered before Bow-Tie output goes to leadership, including whether each barrier has an owner, performance standard, verification route, degradation trigger, and escalation rule. That checklist is a leadership control, not a diagramming preference.
4. Use LOPA when protection layers must be tested
Layer of Protection Analysis fits high-consequence scenarios where the team must test whether independent protection layers are adequate. CCPS guidance treats LOPA as a semi-quantitative method, commonly used after hazard identification, because it needs a defined scenario rather than a vague concern.
The common mistake is asking LOPA to discover every hazard. LOPA is usually stronger after HAZOP, What-If analysis, or another hazard identification method has already named the scenario. The article on LOPA questions leaders should ask explains why independence, auditability, and human reliability cannot be assumed.
Choose LOPA when the decision is whether the current layers can credibly reduce risk, whether a safety instrumented function is justified, or whether a claimed layer is independent enough to count. If the workshop cannot describe the initiating event, consequence, enabling conditions, and candidate layers, LOPA will become arithmetic without risk judgment.
5. Use FMEA when failure modes sit inside equipment or workflow
FMEA is strongest when the team needs to identify how components, tasks, or process steps can fail and what the effect of each failure would be. It fits equipment packages, maintenance routines, quality-sensitive operations, and workflows where failure modes can be listed clearly.
The risk is treating FMEA scoring as truth. The article on FMEA for safety failure modes shows why severity, occurrence, and detection numbers can become negotiation rather than evidence when the team lacks field data.
Use FMEA when the object of analysis is small enough to break into functions, failure modes, effects, causes, current controls, and actions. If the workshop is actually about escalation across many barriers and organizational interfaces, Bow-Tie or HAZOP may reveal more than an FMEA table.
6. Keep risk matrices and risk registers in their proper role
Risk matrices and risk registers are decision-management tools, not substitutes for analysis. A matrix can prioritize and communicate, while a register can assign ownership, deadlines, and review rhythm, but neither one proves that a scenario has been understood.
This distinction matters because many leaders see a red, amber, or green square and assume the analysis is complete. The existing article on risk matrix blind spots explains how scale design, consequence compression, and probability guesses can distort attention.
Use a safety risk register after a stronger method has clarified the scenario, not before. 7 register fields should remain visible to leaders, including risk owner, barrier owner, next verification date, action status, escalation trigger, residual risk, and evidence source.
7. Build a method-selection rule before the next serious risk review
A method-selection rule prevents the organization from reinventing the choice every time a difficult risk appears. It also protects the team from choosing a comfortable tool simply because the facilitator prefers it.
As Andreza Araujo argues in *Safety Culture: From Theory to Practice*, culture appears in repeated decisions rather than slogans. Risk method selection is one of those repeated decisions because it reveals whether leaders want evidence, visibility, speed, documentation, or real challenge.
Use a simple rule that names the question, method, required inputs, expected output, facilitator competence, and approval threshold. When the decision involves fatal or high-consequence risk, the rule should require escalation to a more structured method before he risk is accepted.
Each major review that starts with the wrong method burns expert time and leaves leaders with weak evidence, while the underlying exposure remains in the operation.
Comparison table: which risk method answers which question?
| Method | Best question | Weak use | Leadership output |
|---|---|---|---|
| HAZOP | How can this process deviate from design intent? | General safety brainstorming without clear nodes | Credible deviations, causes, consequences, safeguards, actions |
| Bow-Tie | Which barriers prevent or mitigate one top event? | Decorative diagram without verified barrier ownership | Barrier map, degradation signals, accountability gaps |
| LOPA | Are the independent protection layers adequate? | Early hazard discovery before a scenario is defined | Layer adequacy, independence concerns, need for extra protection |
| FMEA | How can this component, task, or step fail? | Broad organizational risk with many interfaces | Failure modes, effects, causes, controls, actions |
| Risk matrix | How should risks be prioritized and communicated? | Proof that the scenario has been analyzed | Relative priority, escalation band, management attention |
| Risk register | Who owns the risk and what happens next? | Storage place for untested assumptions | Ownership, action rhythm, evidence trail, review trigger |
Conclusion
The right risk method is the one that answers the decision in front of the organization, with enough evidence for leaders to act without pretending certainty.
Headline Podcast exists as the space where leadership and safety come together to shape better workplaces and better lives. Before the next workshop, ask one practical question: what decision must this method make possible, and what risk will remain invisible if we choose it poorly?
Perguntas frequentes
How do I choose between HAZOP and Bow-Tie?
When should a company use LOPA?
Is a risk matrix enough for safety risk assessment?
What is the difference between FMEA and HAZOP?
Why does Headline Podcast connect risk tools with leadership?
Sobre a autora
Andreza Araujo
Host & Editorial Lead
Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.
- Civil Engineer (Unicamp)
- Occupational Safety Engineer (Unicamp)
- Master in Environmental Diplomacy (University of Geneva)