
1. External Fire
2. Blocked Outlet
3. Gas Blowby
4. Control Valve Fails Open
5. Hydraulic expansion due to uncontrolled heat input (also called thermal expansion)
6. Utilities Failure (Single or Multiple)
7. Power Failure (Partial or Complete)
8. Tube Rupture
9. Runaway Reactions
10. Check or Non-Return Valve Failure (reverse flow)
11. Vacuum generation due to Steam-Out
The above are some of the more common scenarios identified and studied in the chemical process industry for providing and sizing suitable safety relief devices.
However, identifying a failure scenario for a given chemical process plant / equipment requires experience on the part of the process or safety engineer. The experience I am referring to comes from engineering, constructing or operating a similar plant / equipment, or from all of these. Lack of experience often results in either overlooking a credible failure scenario or cooking up failure scenarios that are unrealistic and cannot stand logical scrutiny.
To avoid the uncertainties in defining and analyzing failure scenarios many top engineering and operating companies have pre-defined the failure scenarios for a plant / unit / equipment in their engineering manuals based on their own experience in engineering, constructing and operating a chemical process plant. While this simplifies the task in terms of the time taken for the safety analysis and consequent action for a safety relief device, it is also detrimental to the engineer because he or she is not allowed to use his or her analytical skills to determine a probable failure case.
Now to the main subject: what is double jeopardy with reference to the failure analysis of a plant / unit / equipment for providing a safety relief device? I would define it as follows:
The simultaneous application of two unrelated failure events for sizing or adequacy check of a safety relief device for a plant / unit / equipment is called double jeopardy.
In the above definition the key word is "unrelated". What do we mean by "unrelated"? It is not easy to identify what is related and what is unrelated. This is where the experience of the engineer counts and also the practices followed by the chemical process industry based on years of operating experience for a similar process plant / unit / equipment.
However, some basic unrelated scenarios can easily be identified. I will provide some very basic examples of double jeopardy which most new process engineers can easily understand.
A. Consider the example of a condenser supplied with cooling water for condensing the process vapors from a distillation column. Let us say that due to partial power failure, the cooling water pump(s) supplying cooling water to the condenser fail and there is a loss of cooling water to the condenser. Let us also note that the column has a reboiler, with steam fed at a controlled rate by a steam control valve for heating the column bottom contents. Can we imagine a combined scenario in which, at the very same time the cooling water to the condenser fails, the steam control valve to the reboiler fails in the open position, causing more process vapors to be generated in the column? What relief rate should be considered for the relief valve provided on the condenser? Should it be the normal vapor flow from the column top going to the condenser, or should you consider the excess process vapors formed due to uncontrolled reboiler heating by the steam control valve failing open at the very same time? The answer is quite simple. The relief rate for the device is based on the normal vapor flow rate to the condenser at the time the cooling water failure occurred.
The partial power failure causing stoppage of cooling water supply to the condenser and the failure of the reboiler steam control valve in the open position occurring at the same time is highly improbable, and as such the two can be considered "unrelated" events. It is highly unlikely that when the condenser cooling water supply fails, at the very same time the reboiler steam control valve will fail open, leading to abnormally high vapor flow from the column top.
B. A remotely located sales gas pipeline requires planned, intermittent pigging. A permanent pig launcher and pig receiver are provided for this purpose. Administrative procedures and mechanical interlocks are in place to ensure that the pig launcher and receiver drain valves remain locked closed before pigging is started. The mechanical interlock ensures that the launcher or receiver cannot be pressurized by opening the gas supply line valve to them unless the drain valves are closed. The drain valves from the launcher and receiver are each connected to a covered local pit. A local degassing vent from the pit is raised to a safe-location height of 3 m. Due to failure of the administrative procedure as well as failure of the mechanical interlock, the drain valve on the pig launcher is inadvertently opened during pigging and excess vapors are released from the degassing vent. At the same time, accidental ignition occurs at the vent tip due to an ignition source. To prevent thermal radiation hazards to personnel in the area surrounding the jet fire from the vent, a radiation contour study is mandated, which suggests that to mitigate the thermal radiation hazard from the jet fire the vent height must be raised to 18 m.
How credible is this scenario? Some might argue that this is perfectly credible and the degassing vent height needs to be raised based on the radiation contour study recommendations. I would say that this is not credible and a clear case of double jeopardy and I present the following reason for this:
The pigging operation is intermittent. It is a planned exercise with administrative measures as well as mechanical interlocks in place to ensure that the drain valves are closed prior to the start of the pigging operation. Simultaneous failure of the administrative measures and the mechanical interlocks involves unrelated events and is hence not credible. Likewise, the presence of an ignition source at the vent tip and leakage of gas from the drain valves during pigging at the same time are unrelated events and hence not credible.
The logic for relief scenarios needs to be developed based on the aforementioned methodology. Newcomers to process safety engineering should remember that one of the most challenging tasks in process safety engineering is to analyze the credible relief scenarios and identify what is double jeopardy and reject such scenarios which involve double jeopardy.
Hope this gives some idea to new entrants in process safety engineering of what "double jeopardy" is all about.
Anticipating a lot of comments from the readers of my blog.
Regards,
Ankur.
Hi Ankur,
Thank you for this great article. However, I am curious regarding your statement of
"It is highly unlikely that when the condenser cooling water supply fails, at the very same time the reboiler steam control valve will fail open, leading to abnormally high vapor flow from the column top."
What makes you so sure that the above incident is very unlikely to happen at the same time?
Thank you