The control you counted that wasn't there

Most boards count stop-work authority among their safety controls. It appears in the safety case, in the contractor pre-qualifications, in the annual board safety report — a tick in the column that says the workforce can halt unsafe work. Geismar is the case that should make every director ask what that tick actually buys. A contractor used it. The work continued. The control was present in every document and inert in the only moment it was exercised.

This is not a frontline-behaviour story. The contractor did precisely what the programme asks: he saw a degraded valve and raised it. What failed was the system the organisation built around the moment he spoke. And a board owns system design — not the behaviour of the person at the valve.

The most dangerous category of risk for a board is not the hazard you have failed to identify. It is the control you have counted that does not function. The unidentified hazard at least leaves you alert. The counted-but-inert control does the opposite: you have allocated confidence to it, written it into your assurance, and stopped looking — precisely because you believe it is handled.

Stop-work authority is uniquely prone to this failure, because it is invisible until used and is almost never tested. At Geismar it existed in every artefact and failed in the single moment it was exercised. The board-level question was never "do we have stop-work authority?" It was "have we ever tested what our system does when someone actually uses it?" — and nobody had asked it.

Every stop-work system has a default: what happens, by inertia, while the answer is still being worked out. At Geismar, the default was "continue." That default is not chosen by the worker or the supervisor in the moment — it is set, in advance, by the system the organisation designed. Which is to say, by governance. When ambiguity routinely resolves toward "keep working," that is a board-level decision that was made implicitly, long before any valve started to leak — and it decides the outcome of every uncertain moment that follows.

The stop dissolved at a specific interface: a contractor raising a concern to a client's employee. That contractor–client boundary is where authority is most ambiguous, power most asymmetric, and accountability most diffuse — and it is exactly where boards apply the least design attention, because the contractor is "someone else's people." The seam between two organisations is the weakest point in almost every safety control, and stop-work is no exception.

And the exposure is not transferred with the work. When an incident happens at that seam, the contracting structure that looked like risk-transfer on paper becomes shared exposure in public and in court. A board that has outsourced the task has not outsourced the duty — it has only outsourced its own visibility into whether the control works. You remain answerable for a control you can no longer see.

"The most dangerous place in any operation is the line where one company's authority ends and another's begins. That line is written in the contract — not on the plant."

You do not need to know the valve. You need to know whether the control you have counted actually functions. Three questions establish that.

1. What is the default when a stop is raised and the answer is unclear — and who decided it? — If management cannot state the default instantly, it is "continue" — and no one chose it deliberately. Red flag: the answer describes the stop-work policy rather than the behaviour of the system while the decision is pending.
2. Can anyone override a worker's — or a contractor's — stop without a positive, recorded restart decision? — If a stop can lapse through miscommunication or deference, it is a suggestion, not a control. Red flag: restart authority is informal or verbal, or sits with the party that has a schedule to protect.
3. When did we last test what happens when someone uses stop-work — at the contractor interface specifically? — Red flag: the only evidence the control works is that it exists on paper and "people know they can stop." An untested stop-work at the contractor seam is the exact gap that produced Geismar.

These three convert stop-work authority from a line item the board accepts into a control the board has verified. That difference — between accepting and verifying — is the difference between Geismar and the near-miss that nobody outside the site ever hears about.

A board's job is not to remind people they can stop. It is to ensure that when someone does, the system stops — by default, without an argument, and regardless of who raised it or whose payroll they are on. A stop-work that has to survive a handoff to take effect is a control in name and a hope in practice. Geismar is what the distance between the two costs, measured in one hospital admission and three more corroded valves no one had yet found.

"A control you have counted but never tested is not protection — it is a liability you have already booked as an asset."