“But, after all, no safeguards are adequate, unless the will to give effect to them fully is present.” — Jawaharial Nehru
I had a truly embarrassing experience a couple days ago. I got a flat tire.
The flat tire itself wasn’t embarrassing. Annoying, yes, but not embarrassing. There are road hazards, and even the most careful driver cannot avoid them all. No, it was embarrassing because when I went to change the tire, I discovered that my spare tire was also flat.
That was on me. I had an independent layer of protection in place to safeguard me from the consequences of a flat tire, but I hadn’t taken the necessary steps to assure that it would work when I needed it.
Everything Fails
Nothing is perfect. Anything can fail at some point. The purpose of a process hazard analysis is to identify how hazards—failures in the process—impact us and to determine what safeguards we have in place to protect us from those failures.
Not all failures are lethal. Not all failures are even especially inconvenient. Some are, however, and it is those for which the safeguards are especially important. Those safeguards cannot protect us, though, if they do not work when we need them.
Most safeguards spend most of the time doing nothing. After all, when everything is working the way it is supposed to work—which should be most of the time—there is nothing the safeguard needs to do. It just sits there, waiting to be called on.
As it sits there, however, it deteriorates. After all, everything fails. Even our safeguards.
Eternal Vigilance
Although incorrectly attributed to Thomas Jefferson, there was a phrase that was in frequent use in one variation or another during the early 19th century: “Eternal vigilance is the price of liberty.” The commentators of the day were noting that it is not enough to put systems in place to protect liberty. Those systems also need to be monitored and maintained.
The same can be said of safety: “The price of safety is eternal vigilance.” It is not enough to put safety systems and other safeguards in place to provide layers of protection. Those systems also need to be monitored and maintained. That monitoring is done by means of proof tests.
Proof Tests
A proof test is how we check to see if a safeguard, especially one that otherwise goes unused, works as it is supposed to. In some cases, a proof test means putting the safeguard “to the test”, challenging it with the conditions that it is intended to protect against. Usually, however, a proof test is not so dramatic. The proof test is simpler, something that shows that the safeguard will work when called on.
In a process setting, a layer of protection or safeguard could consist of a sensor and transmitter, a logic solver, and a valve that needs to close during an unsafe condition. It would be enough for a proof test to show that the sensor can detect the unsafe condition, that the logic solver will respond correctly to the signal that there is an unsafe condition, and that the valve will close when told to. It is not necessary to create the unsafe condition in the process to test the safeguard.
With a spare tire, it is enough to check that the pressure in the spare is adequate.
The proof test will check that the safeguard is working, that it hasn’t failed since the last time it was checked. If it has failed since it was last checked, it is imperative that it be restored to good working order. If it doesn’t work, it is no safeguard. So, after a proof test, the safeguard is good working order. Either it was already in good working order, or it wasn’t and so it was restored to good working order.
My Spare Tire
How did I end up with flat spare tire? I cannot claim that I didn’t know better, or that I didn’t know how to inflate a tire. Ironically, I had checked the inflation on the four regular tires only a week earlier, knowing that proper inflation extends tire life and improves gas mileage. Why did I not also check my spare?
The first car I ever owned had a regular tire as its spare. Every year, I rotated all five tires and made sure that all five were properly inflated. A couple of cars later, the spare was no longer a regular tire, and no longer part of the rotation. I still checked the inflation on the spare, although it was not as convenient since it was tucked away under covers and panels in the back of the car. The inflation was always fine.
Then life got busier and spare tires became even less accessible. The inflation was always fine. Then one year I skipped it. Then again. Then it just dropped off my list of things to do. Then, a couple of days ago, I needed it.
I don’t know how long it had been since I had last checked the spare. Years. Over the years, the air had slowly leaked out of the tire. It wasn’t completely flat. Instead of 60 psig, it was 5 psig. Still better than my regular tire, and enough that I could drive to a nearby auto repair shop to get both the flat tire and the spare restored to good operating condition.
Inspect and Test
It’s not enough to put safeguards in place if they are not maintained. Everything fails, even our safeguards, which are there to protect against other failures. The process safety management (PSM) standard requires that we inspect and test our equipment according to recognized and generally accepted good engineering practices, for this very reason.
Otherwise, our safeguards are at risk of not working when we eventually need them.
Good article and example to illustrate on proof testing using spare tire for illustration. One other parallel is Mission Time, spare tires have a life and it is recommend to be replaced after this time is exceeded. I have been in a situation where a tire store refused to inflate my spare as it was a older tire and recommended to replace it.
This is why Risk controls effectiveness must be assessed frequently. Controls deteriorate over time and risk can materialize as a result.