Managing Double Jeopardy in Process Hazard Analysis - Allison de Man
Managing Double Jeopardy in Process Hazard Analysis - Allison de Man
Managing Double Jeopardy in Process Hazard Analysis - Allison de Man
Hazard Analysis
Allison De Man
ACM Automation Inc.
#700, 940 - 6th Avenue SW
Calgary, Alberta
ademan@acm.ca
Guillermo Pacanins
ACM Automation Inc.
#700, 940 - 6th Avenue SW
Calgary, Alberta
gpacanins@acm.ca
Abstract
Double jeopardy is a common process hazard analysis (PHA) term that is often misunderstood and
misused. Identifying a PHA cause as a double jeopardy cause means that it does not need to be
analyzed further, as typical PHA methodologies exclude double jeopardy causes from the analysis.
Double jeopardy is defined as the concurrent incidence of two independent initiating events or other
revealed failures (1). It is important to understand which multiple failure causes qualify as double
jeopardy, and which causes are not considered as double jeopardy and therefore should be considered
in the PHA. Many PHA participants are too quick to dismiss a cause because it appears to fall into the
double jeopardy assumption. If these causes are wrongly dismissed, important hazardous scenarios may
be missed and significant risk gap remains unidentified.
The majority of previous process incidents are the result of multiple failures as they involve a latent
failure or are caused by a common mode of failure. It is crucial that multiple failure causes are carefully
considered before being excluded from analysis. To make sure that all credible scenarios are identified,
PHA participants need to clearly understand the concept of double jeopardy and when to apply it
correctly.
Introduction
Process hazard analysis (PHA) studies such as hazard and operability studies (HAZOP) identify credible
causes that lead to a process deviation and, in turn, can lead to a hazardous event with severe
consequences. These causes are commonly referred to as initiating events. Types and examples of
initiating events can be found in Table 1. Once the initiating event has been identified, the resulting
hazardous scenario is determined. The hazardous scenario is then risk ranked, or assessed, for severity
and likelihood. Safeguards or independent layers of protection (IPLs) that can provide adequate risk
mitigation, are then identified and recorded. If all IPLs fail or are not available during the occurrence of
an initiating event the unwanted event may occur. If there are not enough safeguards in place to control
the risk to an acceptable tolerable level then recommendations are identified to reduce the risk further.
It is important for the HAZOP team to methodically identify, as much as possible, all the credible
initiating events to ensure that the resulting hazardous scenarios include adequate safeguards or
recommendations to reduce the risk to a tolerable level; however, a line has to be drawn when
considering what is a credible initiating event and what is not. In the case of multiple failures scenarios,
where two or more initiating events occur concurrently leading to a hazardous scenario, many
combinations of failures can be conjured from the failures identified in the PHA. To analyze all these
combinations of failures is a time-consuming exercise and not an efficient use of time in the HAZOP.
Double jeopardy provides direction on when it is or isnt credible to address these multiple failure
scenarios. Whether or not the multiple failure cases are deemed credible to address, each single
initiating event failure must still be analyzed.
The term double jeopardy appeared as a legal term in the Fifth Amendment of the U.S. Constitution (1).
Double jeopardy prevents a person from being tried in court twice for the same offense and be twice
put in jeopardy of life or limb. Similarly, in the context of a PHA session the term double jeopardy
prevents the analysis of two or more independent failures that occur concurrently; however, double
jeopardy is incorrectly applied in many PHA studies. There are many multiple failure scenarios that must
be considered and analyzed further to ensure adequate controls are place. There are a few key factors
to consider before preventing concurrent initiating event failures from being analyzed in the PHA
including:
1) Whether the multiple failure events are independent or dependent events. This includes
considering failures which can lead to multiple concurrent failures such as the loss of power.
These common failure modes can be difficult to identify, but give credibility to concurrent
failure scenarios, as these failures can no longer be viewed as independent.
2) The estimated time duration that a failure exists before being detected and corrected. A cause
cannot be neglected as double jeopardy if one of the failures is a latent failure, and therefore
remains unrevealed long enough that the second failure could also occur resulting in the
hazardous scenario. Similarly, even if a failure has been revealed, but the repair time is long
enough that a second failure could occur during that time, the concurrent independent failure
causes must be considered and analyzed in the PHA.
3) The consequence severity of the concurrent independent failures. There are cases where the
consequence of the concurrent independent failures is more severe than the single independent
failure cases. Even though, the likelihood of concurrent independent failure is less, the high
severity can result in a risk that may need additional mitigation above what is present for the
independent failures.
If two independent initiating events were found to credibly occur concurrently (e.g. one initiating event
was unrevealed) then the probability of occurrence of each event would be added to determine the
probability of occurrence of the multiple failure case. This addition of credible concurrent independent
failures can be shown in Figure 2. This scenario is still very probable to occur and the concurrent failure
should therefore be considered in the HAZOP.
Probability of Failure of A = 10-2/year
Probability of Failure of B = 10-2/year
The analysis of multiple concurrent failures can also be applicable if the repair time for a revealed failure
is long enough that a second failure could occur during that time. The time required for detecting,
diagnosing and correcting the failure needs to be considered when determining the failure duration.
Long durations of corrective action for a failure, along with the occurrence of another independent
failure, can result in a credible multiple failure scenarios that need to be considered in the PHA study.
Incipient failures can be considered in the same way as latent unrevealed failures; incipient failures are
also not considered double jeopardy when occurring concurrently with another initiating event.
Incipient failures are the result of imperfections in the condition or state of an item that will degrade
over a relative long period of time resulting in a critical equipment initiating event failure if continuous
monitoring and corrective maintenance action is not taken (3). Incipient failures such as corrosion and
flange leaking occur over a long period of time, and therefore have a relatively low probability of
occurrence. Even though the probability of an incipient failure occurring concurrently with another
initiating event is relatively low, the resulting consequence severity may be so severe that the scenario
must be considered for analysis in the PHA.
Consequence Severity
As previously mentioned, the probability of occurrence of two concurrent independent initiating events
is typically very low (rare event approximation); however, there can be cases where even though the
probability of occurrence is extremely low (incipient failures) the severity of the multiple failure
hazardous event can be so severe that the resulting risk level may require analysis in the PHA. This is
especially important in scenarios where the resulting concurrent failure can have a more severe
outcome than each independent event failure.
It is also often assumed that the safeguards put in place to protect against one independent failure
should also help to mitigate against the concurrent failure of two independent events. However, there
can be cases where the safeguards are found to be inadequate to mitigate against the multiple
concurrent failure scenario because of the increased severity and resulting risk level. Additionally, there
can be instances where certain safeguards can be deemed unnecessary for the lower severity
independent failure case and not listed as mitigation safeguards. These safeguards would then be
missed when identifying critical safeguards if the high severity scenario that they are required to protect
against were not analyzed. This underestimation of the risk of a scenario is also an issue if these high risk
scenarios are being addressed in additional studies such as Layer of Protection Analysis (LOPA) or
Qualitative Risk Assessment (QRA). Neglecting to analyze high severity multiple concurrent failure
scenarios can leave an unacceptable level of risk that lacks adequate risk control.
Chain reaction events, also called cascade or sequential events, are not double jeopardy events. Chain
reaction events are the result of one failure triggering another failure; these failures occur sequentially
one after another. Typically chain reaction events are included in the hazard development mechanism
as the root initiating event leads to the resulting hazardous consequence scenario.
During the HAZOP session the team may identify multiple failure scenarios that involve an initiating
event failure along with the failure of a safeguard. The occurrence of an initiating event along with the
lack of response of a safeguard(s) is already taken into consideration when developing the hazardous
event scenario, as the hazardous scenario only occurs if the safeguard(s) fails. This leads to the
importance of independence, diversity, separation, reliability, and availability in safeguard selection.
One needs to be certain that the listed safeguards will provide the required control when called upon to
prevent the consequence, or protect the system from damage.
Knock-on events are events that occur as the result of failure events in other process units, or adjacent
process areas of the same facility. Knock-on events can include impacts from fire, explosion, loss of
containment, etc., resulting from a hazardous scenario occurring in another area or process unit.
Analyzing the impacts of knock-on events occurring concurrently with an initiating event are not
considered to be double jeopardy. Concerns around the location of adjacent units and their potential
impacts should be discussed in siting studies, or addressed as a siting concern during the PHA study
itself.
The existence or non-existence of conditional modifiers and enablers along with an initiating event
failure are not considered to be double jeopardy as these conditional effects do not initiate a hazardous
scenario by themselves. Enabling conditions are similar to latent conditions in that they usually occur
before the initiating event, but dont lead to a hazardous scenario themselves (2). Conditional enablers
do, however, make scenarios possible as they are a contributing cause/factor that leads to the
hazardous event. The qualitative probability of existence or non-existence of conditional modifiers is
included in the scenario risk ranking assessment. Conditional modifiers affect the probability of the
consequence (e.g. fatality) instead of reducing the probability of occurrence of the hazardous event (e.g.
vessel rupture) (1). An example of a conditional modifier is the probability that a person would be in the
area, and therefore be impacted, when the hazardous event occurs. An example of a conditional
enabler, is the presence of an ignition source, where the hazardous event will only occur if that ignition
source is present to enable the scenario.
Conclusions
It is important that careful consideration goes into determining if two or more initiating events can be
considered as double jeopardy or not. If these initiating events are wrongly dismissed, important
hazardous scenarios may be missed and a high risk gap could remain unidentified. The following
questions should be asked in the PHA session when multiple initiating event failures are brought up, to
determine if double jeopardy can be applied.
Are the initiating events independent or is there a common cause failure mode that could lead
to both initiating events occurring?
Are the failures revealed failures? Would you know if one of the failures occurred, or could one
failure be a latent failure that remains undetected?
Is the resulting consequence severity of the concurrent independent failures high enough to be
considered an extreme risk?
If the initiating event failures are independent (of very low probability), revealed, and do not result in a
high consequence severity, then the concurrent initiating event failures are considered to be double
jeopardy and do not need to be analyzed further in the qualitative PHA.
References
1. Center for Chemical Process Safety. Appendix A: Simultaneous Failures and Double Jeopardy, in
Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis. Hoboken,
NJ, USA : John Wiley & Sons, Inc., 2013.
2. Treatment of Multiple Failures in Process Hazard Analysis. Baybutt, Paul. 2013, AIChE, pp. 361-364.
3. API STD 689. Collection and Exchange of Reliability and Maintenance Data for Equipment, First
Edition. July 2007.
4. US Chemical Safety Board. Investigation Report: Pesticide Chemical Runaway Reaction Pressure
Vessel Explosion, at Bayer CropScience, LP, Institute, WV, on August 28, 2008. January 2011. Report No.
2008-08-I-WV.
5. Oversights and Omissions in Process Hazard Analyses: Lessons Learned from CSB Investigations.
Kaszniak, Mark. 264-269, s.l. : Process Safety Progress, 2010, Vol. 29.
6. Risk Management in a Dynamic Society: A modelling Problem. Rasmussen, Jens. s.l. : Safety Science,
1997, Vol. 27 No. 2/3.
7. Leveson, Nancy G. Engineering a Safer World. s.l. : The MIT Press, 2012.