Double Jeopardy in a PHA

When conducting a process hazard analysis, it is important for the HAZOP team to methodically identify, as much as possible, all the credible initiating events to ensure that the resulting hazardous scenarios include adequate safeguards or recommendations to reduce the risk to an acceptable level. However, a line has to be drawn when considering what is a credible initiating event and what is not. 

Double jeopardy is a common term in process hazard analysis for the assumption that two or more independent failures do not occur at the same time, so such combinations are excluded from the analysis. As discussed in API 521 6th Edition Section 4.2.3, designing a system for double jeopardy is not required. For example, it is not necessary to design a system for the simultaneous failure of a control valve and a tube leak. However, it may be important to evaluate the simultaneous failure of two control valves in the open position in the case of a power outage, because a single event drives both failures. It is not always easy to define which failures are independent of each other and which are not, and this is why the experience and knowledge of the team conducting the PHA truly matters.

Another important consideration is latent failures. A double jeopardy argument cannot be applied if one of the failures is an undetected, existing failure that would not be detected and fixed before the second failure occurs. A common example of this type of scenario is a check valve stuck open, which may not be detected prior to the failure of a pump. This means the simultaneous failure of the check valve and the pump would be an important case to evaluate for reverse flow overpressure. Another example is multiple pressure regulators in series. If a single pressure regulator failed, the second pressure regulator would handle the full pressure drop, and operations may not know about the first failure until the second regulator failed and an overpressure situation occurred in the downstream piping.

It is important to understand which multiple failure causes qualify as double jeopardy and which do not. It can be easy to dismiss a cause in a PHA because it seems to fall under the double jeopardy assumption; however, if such causes are wrongly dismissed, some hazardous scenarios may be missed and significant risk gaps could remain unidentified. If in doubt, always bring up your thoughts and concerns with your team to facilitate an informed and aligned conversation.
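As an added illustration that is not part of the original article, the screening rule described above can be written as a small decision function: a candidate cause made up of several failures is set aside as double jeopardy only when the failures share no common cause and none of them is latent; otherwise the team evaluates it. The `Failure` fields, the `revealed` and `common_causes` names and the case list are assumptions constructed for this example, not from any standard.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Failure:
    name: str
    # True if the failure would be detected and fixed before a second failure could occur
    revealed: bool = True
    # Triggers that can cause this failure together with others, e.g. "power outage"
    common_causes: frozenset = field(default_factory=frozenset)

def screen_cause(failures):
    """Return (verdict, reason) for a candidate multi-failure cause.
    'evaluate' means the team should analyse the scenario; 'double jeopardy' means it
    consists of independent, revealed failures and need not be designed for."""
    if len(failures) < 2:
        return "evaluate", "single failure; double jeopardy does not apply"
    shared = frozenset.intersection(*(f.common_causes for f in failures))
    if shared:
        return "evaluate", f"common cause {sorted(shared)} makes the failures dependent"
    latent = [f.name for f in failures if not f.revealed]
    if latent:
        return "evaluate", f"latent failure(s) {latent} may already exist when the next failure occurs"
    return "double jeopardy", "independent, revealed failures (see API 521 6th Edition 4.2.3)"

# Constructed cases mirroring the article's four examples (assumed inputs)
CASES = {
    "control valve failure + tube leak": (
        Failure("control valve fails"), Failure("tube leak")),
    "two control valves open on power outage": (
        Failure("CV-1 fails open", common_causes=frozenset({"power outage"})),
        Failure("CV-2 fails open", common_causes=frozenset({"power outage"}))),
    "check valve stuck open + pump failure": (
        Failure("check valve stuck open", revealed=False), Failure("pump fails")),
    "two regulators in series": (
        Failure("regulator 1 fails open", revealed=False), Failure("regulator 2 fails open")),
}

def screen_all(cases=CASES):
    """Map each case label to its verdict."""
    return {label: screen_cause(fs)[0] for label, fs in cases.items()}

if __name__ == "__main__":
    for label, fs in CASES.items():
        verdict, reason = screen_cause(fs)
        print(f"{label}: {verdict} ({reason})")
```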
