“It’s not the fall that kills you; it’s the sudden stop at the end.” — Douglas Adams
It is October and cold weather is bearing down on us. Some places have already experienced freezing temperatures, and for most of the rest of the northern hemisphere, it is coming soon. Which means that it is time to winterize: to stock the salt bins, to drain lines, to confirm that heat tracing is working and that insulation is in good repair. Because more than any other season, winter can be deadly.
It’s not the cold that kills, though. It’s the failure of our preparations.
Cold Weather is Not a Cause
In a Hazard and Operability review or a Layer of Protection Analysis, the key task of the team is to determine the cause of a process deviation. It is only by understanding the cause of a hazardous deviation that the team can estimate the likelihood of a hazardous event and determine the risk. Further, that understanding is important to developing recommendations for reducing the risk. So, it is important to understand causes.
A cause is a failure. Specifically, a cause is an equipment malfunction or an error. (I’m not going to say “human error” because, as Trevor Kletz pointed out, what other kind of error is there?) It’s not just any failure, though. The failure of a safeguard or an independent layer of protection (IPL) is not a cause. The fact that a relief valve failed to lift is not what caused high pressure; there was some other failure that first caused the high pressure. That failure was an equipment malfunction or an error; assigning the cause to and placing the blame on the relief valve misses the opportunity to understand and address the real cause.
So, when pipes freeze, what is the cause, the failure, the error or equipment malfunction? How can cold weather be considered a failure? In the winter, isn’t cold weather something to expect, something normal?
What Is the Cause?
When pipes freeze, something failed, and it’s not the weather. A cause is an equipment malfunction or an error. When the design depends on heat tracing to keep pipes from freezing and it fails, then heat tracing failure is the cause—an equipment malfunction. When the design depends on keeping the piping drained when it is not in use, and the piping freezes because it is not drained, then not draining the piping is the cause—an error.
“Everybody talks about the weather, but nobody does anything about it.” If you can’t do anything about the weather, what can you do anything about? It is in understanding the cause that we find ways to reduce the risk.
Then What Role Does Cold Weather Play?
Cold weather is an enabling condition. When the heat tracing fails, the necessary conditions must exist—the temperatures must be low—for the pipes to freeze, but the failure, the cause, is still the heat tracing malfunction.
Some enabling conditions can be taken for granted. In the case of falling, the enabling condition is a gravity field. But Douglas Adams didn’t say, “It’s not the fall that kills you; it’s the gravity.”
Isn’t Freeze Protection a Safeguard?
Safeguards, and more specifically, IPLs, protect against failures. All safeguards and IPLs can fail, and in failing, not provide protection. A key characteristic of every IPL is its probability of failure on demand (PFD), and no IPL has a PFD of zero. However, the lower the average PFD of an IPL, the more risk reduction the IPL provides. The risk reduction factor (RRF) of an IPL is the inverse of its PFD:
RRF = 1/PFDAVG
The failure of an IPL, whether a relief valve, an operator response, or a safety instrumented function, is not the cause of the hazardous event. Something else failed first.
So, why isn’t freeze protection an IPL? Well, it can be, so long as the freeze protection is protecting against the failure of something else. So, if the heat tracing is there to protect against frozen pipes in the event that someone forgets to drain the line, then the cause is the error of not draining the line and the heat tracing is an IPL. When the heat tracing is all there is to keep the pipe from freezing when the weather gets cold, its failure is the cause of frozen pipes.
If It’s Not the Fall That Kills You
Adams’ quip, “It’s not the fall that kills you; it’s the sudden stop at the end,” is helpful in that it reminds us to understand our hazardous scenarios well enough to address causes. But even in that regard, Adam misses the point from a safety perspective. Understanding the mechanism of injury—knowing that it is not falling but deceleration trauma that kills—doesn’t help with our safety analysis. It’s like saying that it’s not the explosion that kills, or even the flying fragments and shock wave that the explosion generates that kills, but the blunt force trauma of being hit by fragments, and the displacement trauma of being thrown against a wall, and the internal bleeding and organ failure caused by the shock wave that kills. True, but irrelevant.
What is relevant is the failure that leads to the event. In the case of a fall, it is the error that sends a person over the edge or the malfunction of equipment that a person is actively relying on to keep them from falling. After that, it’s just gravity doing what gravity does.
Winter is Coming
It is October and cold weather is bearing down on us. So, it is time to winterize. Stock the salt bins. Drain water lines that are not in use and will be exposed to freezing temperatures. Confirm that heat tracing is working and that insulation is in good repair. Do the things that need to be done to prepare for winter.
Because it’s not the cold that kills. It’s the failure of our preparations.
This topic would be a good one to use at the beginning of a HAZOP to help orient the team so that they are better prepared to understand causes and safeguards. We don’t see much freezing weather down in Texas, but we still design water piping to be drained, and water lines that are not “always” flowing to be heat traced. As a process designer, I keep thinking I should find an alternative to all that steam tracing, but as a safety professional, I understand why it is required.