Why a Passed Inspection Doesn’t Mean a Working Barrier — Bowtie Calibration in Malaysia

A gas detector that passes its monthly function test for two straight years sounds like a well-maintained barrier. In Bowtie terms, it might not be a barrier at all — and the gap between “passed the test” and “would have stopped the event” is one of the most consequential misunderstandings in Malaysian process safety management.

Two Tests, Not One

A function test answers a narrow question: does the device respond when a known input is applied? Spray calibration gas at the sensor head, see if the alarm triggers — pass. This confirms the detector is mechanically alive. It says nothing about whether the alarm setpoint itself is still correct for current process conditions.

Over time, sensors get recalibrated, replaced, and adjusted. Process parameters shift as equipment ages, throughput changes, or upstream conditions vary. A setpoint configured correctly three years ago can become quietly wrong without the monthly function test ever catching it — because the function test was never designed to catch it. It tests responsiveness, not correctness.

What Bowtie Methodology Actually Requires of a Barrier

In Bowtie analysis, a measure only qualifies as a genuine barrier if it meets two conditions: it must be Specific — performing one defined, demonstrable action — and Independent — functioning without relying on some other condition being correct first.

A gas detector with a stale setpoint can still be Specific: it performs one defined action, alarming at a threshold. But it fails Independent, because its ability to do that job correctly depends entirely on a setpoint configuration that nobody is actively verifying. The barrier’s effectiveness is hostage to an assumption — and assumptions are exactly what Bowtie analysis exists to expose.

Why This Matters Under CIMAH 1996

For major hazard installations in Malaysia, the Control of Industrial Major Accident Hazards Regulations 1996 (CIMAH) require operators to demonstrate that safety-critical detection and shutdown systems remain effective against current process conditions — not merely that they were installed correctly and tested on schedule.

This is a meaningfully higher bar than most maintenance programs are built to meet. A maintenance log that shows twenty-four consecutive monthly passes looks complete. It answers the regulator’s question about testing frequency. It does not answer the regulator’s actual concern, which is whether the barrier would work during the event it exists to prevent.

The Pattern Investigators Find After the Fact

When a detection or shutdown barrier fails during a real process upset despite a clean inspection history, the investigation almost always finds the same shape: the device was functioning exactly as designed, against a setpoint or configuration that had silently drifted out of alignment with the conditions it was meant to detect. Nobody falsified a record. Nobody skipped a test. The barrier simply stopped being correct while continuing to pass.

This is a harder failure to catch than equipment that’s visibly broken, because every document in the file says everything is fine.

How to Apply the Bowtie Test to Your Own Barriers

For any barrier on your Bowtie diagram described as “tested monthly” or “inspected quarterly,” ask two follow-up questions. First: does the test confirm the barrier responds, or does it confirm the barrier responds at the correct threshold for current conditions? Second: when configuration, calibration, or equipment changes occur elsewhere in the process, is there a defined trigger that brings this barrier’s setpoint back under review?

If the answer to either question is “we’ve never asked that,” the barrier may be Specific without being Independent — passing its test while drifting away from the job it’s actually there to do.

What This Means for Audit Preparation

DOSH and internal audits that focus only on test completion rates are measuring documentation discipline, not barrier effectiveness. A facility preparing for audit should be able to show not just that a barrier was tested, but that the basis for its alarm or trip setpoint has been reviewed against current process data within a defined interval — and that any equipment change that could affect that basis triggers a review.

That second layer — calibration governance, not just test scheduling — is what separates a barrier that exists on paper from one that would actually function during the event it’s there to stop.
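An added example, not part of the original article: a check over a barrier register that applies the two follow-up questions and the audit criteria described above, flagging barriers that keep passing function tests while their setpoint basis is stale. The field names, the 365-day review interval and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: each site defines its own review interval; 365 days is a placeholder.
REVIEW_INTERVAL = timedelta(days=365)

@dataclass
class Barrier:
    tag: str
    test_passes: int               # consecutive function-test passes on file
    test_verifies_threshold: bool  # does the test check the trip point, or only response?
    basis_reviewed: date           # last review of setpoint basis against process data
    changes: list = field(default_factory=list)  # (date, description) affecting the basis

def findings(b: Barrier, today: date) -> list:
    """Apply the two follow-up questions plus the review-interval check."""
    out = []
    if not b.test_verifies_threshold:
        out.append("test confirms response only, not threshold")
    if today - b.basis_reviewed > REVIEW_INTERVAL:
        out.append("setpoint basis review overdue")
    for when, what in b.changes:
        if when > b.basis_reviewed:  # change happened after the last basis review
            out.append(f"unreviewed change: {what} ({when.isoformat()})")
    return out

def audit(register, today):
    """Return {tag: findings} for barriers that pass tests yet have open findings."""
    flagged = {}
    for b in register:
        items = findings(b, today)
        if b.test_passes > 0 and items:
            flagged[b.tag] = items
    return flagged

# Constructed sample register (tags, dates and changes are invented).
TODAY = date(2024, 6, 1)
REGISTER = [
    Barrier("GD-101", 24, False, date(2021, 5, 10),
            [(date(2023, 2, 14), "sensor replaced")]),
    Barrier("GD-102", 24, True, date(2024, 1, 20),
            [(date(2023, 11, 3), "throughput increase")]),
]

if __name__ == "__main__":
    for tag, items in audit(REGISTER, TODAY).items():
        print(tag, "->", "; ".join(items))
```

Both sample detectors show twenty-four consecutive passes; only the one whose basis review predates a sensor replacement is flagged.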

Want to know which barriers on your Bowtie diagrams would actually hold under real conditions? Cikgu Barrier’s Barrier Management: Bowtie Analysis program teaches teams how to apply the Specific and Independent tests rigorously, identify barriers that are administrative controls in disguise, and build diagrams that reflect genuine defence-in-depth. Available in-house and as a public workshop across Malaysia.
