Double Jeopardy & Process Hazard Analysis

Hey guys, hope you are doing well. Today we are discussing "Double Jeopardy" which creates regular dilemma and stirs up arguments during PHA sessions. If you have participated as a team member or facilitated or scribed in a PHA session, you would be aware of the term "Double Jeopardy". When someone declares, “That’s double jeopardy,” during a PHA, they are definitely not fighting a legal case in court where double jeopardy prevents a person from being tried in court twice for the same offense. Instead, they are arguing that because two things have to go wrong to cause a scenario, the likelihood is so low that it is not credible and there is no need to consider the scenario.

 "Double jeopardy" is defined as the simultaneous occurrence of two independent initiating events or other revealed failures. Double Jeopardy is not a discussion on multiple layers of protection as every scenario should have multiple layers of protection against the final unmitigated consequence. It is also not a deviation combined with failure of a safeguard that remains hidden.

Can two things go wrong at a time? Of course, they can. But, do two things go wrong at a time? Yes, and majority of previous process incidents are the result of multiple failures as they involve a latent failure or are caused by a common mode of failure. We cannot cover all multiple failure scenarios in a PHA but some must be considered and analyzed further to ensure adequate controls are in place. 

It can be argued that safeguards against single failures will also protect against multiple failures as they help to protect against the individual contributors of the multiple failures, and hence it is sufficient to address single failures and that multiple failures need not be addressed. Certainly, actions taken to prevent single failures that contribute to multiple failures will help to prevent the multiple failures. However, if multiple failure scenarios are dependent including failures which can disable multiple equipment simultaneously, such as the loss of control system power like DCS or PLC system. These common failure modes effects can be difficult to identify but can make simultaneous occurrence of failure scenarios credible. For example:

• In a reactor, if the agitator and cooling water fail simultaneously, it will not be considered as double jeopardy, since loss of power can be a common failure mode.
• In a vessel with dual relief valves but possibility of plugging of nozzle, simultaneous failure of relief valve is possible and should be considered in PHA.

Multiple failure scenarios might also have more severe consequences as compared to one of the contributing scenarios. Multiple failure scenarios may need additional safeguards beyond those taken to protect against the single failures. Also, protective actions against single failure events may not have been taken as they may have been deemed unnecessary for the lesser consequences involved. For example, the scenario with the failure of both relief valves is more serious than a scenario with the failure of either one alone. For failure of one relief valve, we would have argued that we have an additional relief valve. But in case of failure of both with common cause of plugging, we will be without safeguards. Similarly for the reactor example mentioned above, agitator failure might lead to accumulation of reactants and cooling water failure will not allow removal of excess heat generated leading to a possible runaway reaction. 

Also, if a failure is a latent failure which means that it remains undetected long enough such that the second failure could also occur leading to a hazardous scenario. In such a case of latent failure multiple failure scenarios cannot be excluded from PHA as double jeopardy. Similarly, it has to be considered in PHA if a failure has been detected, but the repair time is long such that a second failure could occur during that time.

It is important to understand which multiple failure causes qualify as double jeopardy, and which causes are not considered as double jeopardy and therefore should be considered in the PHA. Many PHA participants are too quick to dismiss a cause because it appears to fall into the double jeopardy assumption. If these causes are wrongly dismissed, important hazardous scenarios may be missed and significant risk gap remains unidentified. 

Hope this is clear. Feel free to send your questions, comments and topics for future blogs on himanshuchichra@gmail.com