An Introduction To The Concept Of Double Jeopardy In Process Safety




Most process and/or safety engineers have to perform an analysis of the scenarios or cases governing the application of a safety relief device at some point in their engineering career. In the chemical process industry, the majority of cases or scenarios for safety relief devices are well defined, based on experience gathered over the years from operating various types of chemical process plants, including oil and gas separation plants, petroleum refineries, petrochemicals, fine chemicals, pharmaceuticals, etc. Some such cases or scenarios frequently encountered in the chemical process industry are:
 
1. External Fire
2. Blocked Outlet
3. Gas Blowby
4. Control Valve fail Open
5. Hydraulic expansion due to uncontrolled heat input also called thermal expansion
6. Utilities Failure (Single or Multiple)
7. Power Failure (Partial or Complete)
8. Tube Rupture
9. Runaway Reactions
10. Check or Non-Return Valve Failure (reverse flow)
11. Vacuum generation due to Steam-Out
 
The above are some of the more common scenarios identified and studied in the chemical process industry for providing and sizing suitable safety relief devices.
 
However, the identification of a failure scenario for a given chemical process plant / equipment is something that requires experience on the part of the process or safety engineer. The experience I am referring to comes in the form of engineering, constructing or operating (or all of these) a similar plant / equipment. Lack of experience often results either in overlooking a credible failure scenario or in cooking up failure scenarios that are unrealistic and cannot stand logical scrutiny.
 
To avoid the uncertainties in defining and analyzing failure scenarios, many top engineering and operating companies have pre-defined the failure scenarios for a plant / unit / equipment in their engineering manuals, based on their own experience in engineering, constructing and operating chemical process plants. While this reduces the time taken for the safety analysis and the consequent selection of a safety relief device, it is also detrimental to the engineer, who is not allowed to use his or her analytical skills to determine a probable failure case.
 
Coming to the main subject: what is double jeopardy with reference to the failure analysis of a plant / unit / equipment for providing a safety relief device? I would define it as follows:
 
The simultaneous application of two unrelated failure events for sizing or adequacy check of a safety relief device for a plant / unit / equipment is called double jeopardy. 
 
In the above definition the key word is "unrelated". What do we mean by "unrelated"? It is not easy to identify what is related and what is unrelated. This is where the experience of the engineer counts and also the practices followed by the chemical process industry based on years of operating experience for a similar process plant / unit / equipment. 
 
However, some basic unrelated scenarios can easily be identified. I  will provide some very basic examples of double jeopardy which most new process engineers can easily understand.
 
A. Consider the example of a condenser supplied with cooling water for condensing the process vapors from a distillation column. Let us say that, due to a partial power failure, the cooling water pump(s) supplying the condenser fail and there is a loss of cooling water to the condenser. Let us also note that the column has a reboiler with steam fed at a controlled rate by a steam control valve for heating the column bottoms. Can we imagine a combination scenario in which, at the very same time that cooling water to the condenser fails, the steam control valve to the reboiler fails in the open position, causing more process vapors to be generated in the column? What relief rate should then be considered for the relief valve provided on the condenser? Should it be the normal vapor flow from the column top to the condenser, or the excess process vapors formed due to uncontrolled reboiler heating by the steam control valve failing open at the very same time? The answer is quite simple. The flow rate for the relief device will be the normal vapor flow rate to the condenser at the moment the cooling water failure occurred.
 
The partial power failure causing stoppage of cooling water supply to the condenser and the failure of the reboiler steam control valve in open position at the same time is highly improbable and as such can be considered as two "unrelated" events. It is highly unlikely that when the condenser cooling water supply fails, at the very same time the reboiler steam control valve will fail open, leading to abnormally high vapor flow from the column top.
 
B. A remotely located sales gas pipeline requires planned pigging intermittently. A permanent pig launcher and pig receiver are provided for this purpose. Administrative procedures and mechanical interlocks are in place to ensure that the pig launcher and receiver drain valves remain locked closed before pigging is started. The mechanical interlock ensures that the launcher or receiver cannot be pressurized by opening the gas supply line valve to them unless the drain valves are closed. The drain valves from the launcher and receiver are each connected to a covered local pit. There is a degassing local vent from the pit raised to a safe location height of 3 m. Due to an administrative procedure error as well as a mechanical interlock failure, the drain valve on the pig launcher is inadvertently opened during pigging and excess vapors are released from the degassing vent. At the same time accidental ignition occurs at the vent tip due to an ignition source. To prevent thermal radiation hazards to personnel in the surrounding area near the jet fire from the vent, a radiation contour study is mandated, which suggests that to mitigate the thermal radiation hazard from the jet fire the vent height must be raised to 18 m.
 
How credible is this scenario? Some might argue that this is perfectly credible and the degassing vent height needs to be raised based on the radiation contour study recommendations. I would say that this is not credible and a clear case of double jeopardy and I present the following reason for this:
 
The pigging operation is intermittent. It is a planned exercise with administrative measures as well as mechanical interlocks in place to ensure that drain valves are closed prior to start of pigging operation. Simultaneous failure of administrative measures and mechanical interlocks is unrelated and hence not credible. Presence of an ignition source at the vent tip and leakage of gas from the drain valves during pigging at the same time is unrelated and hence not credible.
 
The logic for relief scenarios needs to be developed based on the methodology described above. Newcomers to process safety engineering should remember that one of the most challenging tasks in process safety engineering is to analyze the credible relief scenarios, identify which ones involve double jeopardy, and reject those.
 
Hope this gives some idea to new entrants in process safety engineering of what "double jeopardy" is all about.
 
Anticipating a lot of comments from the readers of my blog.
 
Regards,
Ankur.

Hi Ankur,

Thank you for this great article. However, I am curious regarding your statement of

 

"It is highly unlikely that when the condenser cooling water supply fails, at the very same time the reboiler steam control valve will fail open, leading to abnormally high vapor flow from the column top."
 

What makes you so sure that the above incident is very unlikely to happen at the same time?

 

Thank you

ahyoung,

 

It is unlikely to happen since the failure I mentioned is a local failure of the cooling water pumps to the condenser and not related to failure of the reboiler steam control valve.

 

In fact, the reboiler control valve is generally configured as "Fail to Close" for the failure of instrument air or instrument power supply. The other possible process safeguarding interlocks that I would provide for the reboiler steam control valve to close would be as follows:

 

1. Column bottom temperature high-high (TAHH)

2. Column differential pressure high-high (PDAHH)

3. Column differential pressure low-low (PDALL)

 

The whole concept of double jeopardy is based on the premise of two unrelated failure incidents occurring simultaneously and their analysis. This is where the experience of the process or safety engineer counts. Otherwise you could end up providing hugely oversized safety relief devices and connected flare systems which would inflate the overall cost of the plant unit to unmanageable proportions.

 

The other downside of oversized relief valves is the phenomenon of "valve chatter" encountered in oversized relief valves.

 

Hope I have been able to clear some doubts.

 

Regards,

Ankur.

Hi

 

The first example about losing cooling water to the condenser and having the steam valve open 100% to the reboiler being a double jeopardy makes a lot of sense to me.

 

But the fact that something is a double jeopardy does not mean it cannot happen. It just means the probability is low.

 

Great Article.

 

Thanks.

Hi Ankur,

 

Very precise and clear explanation.

I believe the concept of double jeopardy is the practical way of optimising process safety design based on probability of occurrence. Otherwise, cost to deal with each scenario will be enormous.

At the same time, it is not 100% certain that double jeopardy will never occur. There have been unfortunate cases of double jeopardy or barrier failures in series in the process accidents that have occurred.

 

Thanks.

Hi Ankur,

 

Thanks for the clear explanation!

However, I think in process safety design we always need to expect the worst to happen. So, in this case, what if the condenser fails and at the same time the control valve of the reboiler, which is supposed to be FC, doesn't close?

 

In this case, how are we going to size the relief device?

Thanks!

I think the most dangerous scenarios occur from double jeopardy. I think most historical disasters are made of at least two unrelated failures. I think we should not completely reject those double jeopardy scenarios if they could be more dangerous than more probable failures. But how to do that and avoid overlooking them in a safety analysis?

Great article Mr. Ankur !!

 

I agree with Ankur that we should not include double jeopardy cases in relief calculations.

 

Reason:

  • Probability of the event is very low
  • Cost implications
  • Industry norms (API 521 etc.) all accept the philosophy of neglecting double jeopardy cases in relief studies

As all of you argue that though the probability is low it is still a finite value and should not be overlooked, I would like to bring forward an example. There is a possibility of natural disasters like earthquakes, tsunamis, cyclones etc., and they may also create enormous relief loads, but we don't include these cases in relief scenario analysis. Similar is the case with double jeopardy.

 

Please correct me if I am going wrong somewhere.

 

Regards,

Arpit

There might be a question in someone's mind: How can we be so sure about the small probability of double jeopardy cases ?

 

I believe that API 521 and other norms are based on the history of such events in the past. Using the formula given below, P(A|B) might come out to be very low, and thus the probability of double jeopardy (i.e. that event A happens given that B is occurring) is very low.

 


 

 

Note: The above mentioned explanation is not factual. I am just trying to prove the reason behind small probability. I might be wrong also as I don't have enough work experience.

 

Dear Ankur and other experts,

Please correct me if I am wrong.

Dear Ankur,

A very well written blog and a very good guide for young engineers.

 

I differ on the point that

" Presence of an ignition source at the vent tip and leakage of gas from the drain valves during pigging at the same time is unrelated and hence not credible "

 

Please note that accidental ignition at the vent due to lightning is a credible case, as you cannot control lightning.

 

API even recommends: "The possibility that vapors from the vent stack can be accidentally ignited by lightning or other sources usually makes a remote-controlled snuffing-steam connection desirable on the vent stack."

 

dgoyal,

 

In the strictest sense of the word "possible", everything is possible. What I am trying to put across is the probability of two things happening simultaneously which in this case the inadvertent opening of drain valves during pigging (an operation carried out very infrequently) and lightning happening at the same time. In my opinion the probability is very low and hence the complete description provided in my blog entry.

 

By the way, how do you propose to provide snuffing steam at a remote station where there is no steam available?

 

Regards,

Ankur. 

Hi Ankur,

Useful article for young engineers no doubt.

However, there is one scenario which does not lend itself well to double jeopardy.

Your first example of cooling water failure AND reboiler steam valve failure is indeed a double jeopardy and very much unrelated, given the fail closed mode of a steam valve.

 

However the second example has got some problems.

Here comes the problem of 'unrevealed failure'. Being a remote location, and discounting manual administrative checks and balances of the drain valves, the 'interlock system' might have failed a long time back, probably after the last successful pigging with no undue radiation incident. I wonder how many automated plant monitoring sensors / alarms exist to report that the interlock has a fault.

So based on an unrevealed failure of one component i.e. the interlock (please ignore manual administrative procedures, they are human interfaced), all you need is one ignition source to compromise the radiation level.

Sounds a bit daft doesn't it?

 

Let me provide an example:

My nearly brand new reputable make car suddenly 'died' on the motorway. When the rescue team came they found that the fuel tank was empty! They allowed me to purchase some fuel from them to let me get going. From my perspective as the driver, the fuel gauge (I showed them) showed more than a third full.

Anyway, later on I demanded from the manufacturer why I also did not get a warning from the low fuel warning light.

Further inspection revealed that the bulb (neon) for the low fuel warning was MISSING. This was in spite of the recent pre-delivery-inspection (administrative checks & balances). The first diagnostic that something was not working (for a long time) only came after a failure.

 

Another recent example: This was in the UK North Sea.

Platform operators enjoying the glisten of the (very rarely so calm) sea, found that the sheen for a huge radius around the platform was not the reflected sunlight from the calm waters but actually diesel.

The investigation found out that after a test shutdown, the interfacial level control valve on the diesel coalescer drain had remained failed open for a very, very long time indeed! There was no device to monitor this failure, instrumented or manual. To make matters worse, this old platform did not even have a caisson prior to discharge of effluent water on to the sea.

To divert the attention of the DOE from this huge inadequacy, the new additional platform designed to be beside this old platform was mandated to have triple valves (in series) on all DIESEL valves (mostly working under gravity). !!!!!

 

The moral of these incidents is:

1. You cannot always economically provide monitoring devices to check the failure of components, unless you promote it to a safety critical item (that also by hazop & design review people who are just human).

 

2. For such components which do not need to have automated integrity monitoring, an unrevealed failure can always happen.

 

3. When people find themselves with their back against the wall, their self-preservation techniques include denial and doing their utmost to divert attention from the underlying cause.

curious_cat, Sep 05 2013 01:26 PM

OTOH most disasters happen when the "unrelated" holes on the cheese just line up perfectly.

 

I'm not so sure you can discount the possibility of unrelated occurrences like Ankur is doing.

 

I think the only rational way to do this is to use numerical probabilities and figure the risk of a joint occurrence, and then you are allowed to ignore it only if it is a risk level you are willing to accept.

 

I think the airline industry and FAA is very systematic in doing this. We can learn a lot from them. Basically a one in so many million hours flown is a failure rate we consciously accept and then judge the credibility of risk combinations based on that.
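A numerical screening of the kind curious_cat proposes, written as an added example for this discussion (it is not the blog author's method nor any commenter's code), applied to the blog's examples A and B and to the 'unrevealed failure' point raised earlier about the pigging interlock. Every rate, probability and the tolerable frequency below is a constructed placeholder; the PFDavg ≈ λ_DU·T/2 estimate is the standard single-channel proof-test approximation and the independence (multiplication) assumption is exactly the 'unrelated' premise of double jeopardy.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Failure:
    """One failure or event taking part in a relief scenario (constructed data)."""
    name: str
    rate_per_year: float = 0.0        # frequency, if this is the initiating event
    pfd: float = 1.0                  # probability of failure on demand, if revealed
    lambda_du_per_year: float = 0.0   # dangerous-undetected failure rate (unrevealed)
    proof_test_years: float = 0.0     # interval between proof tests of the item

    def probability_on_demand(self) -> float:
        # An unrevealed failure is only found at the next proof test, so the
        # average PFD grows with the test interval: PFDavg ~ lambda_DU * T / 2
        # (single-channel approximation, valid while lambda_DU * T << 1).
        if self.lambda_du_per_year > 0 and self.proof_test_years > 0:
            return min(1.0, self.lambda_du_per_year * self.proof_test_years / 2.0)
        return self.pfd


def scenario_frequency(initiator: Failure, *coincident: Failure) -> float:
    """Frequency per year of the initiator AND every coincident failure.

    Multiplying assumes the events are independent, which is the
    'unrelated' premise behind calling a combination double jeopardy."""
    freq = initiator.rate_per_year
    for item in coincident:
        freq *= item.probability_on_demand()
    return freq


def build_scenarios(interlock_proof_test_years: float) -> Dict[str, float]:
    """The blog's examples A and B, with constructed placeholder numbers."""
    cw_failure = Failure("cooling water pumps stop on partial power failure",
                         rate_per_year=0.1)
    reboiler_cv_stuck = Failure("FC reboiler steam valve stuck open on demand",
                                pfd=5e-4)
    # 4 pigging runs a year, 1 in 100 with the drain valve opened in error
    drain_opened = Failure("drain valve opened during pigging", rate_per_year=4 * 0.01)
    interlock = Failure("drain-valve mechanical interlock (unrevealed failure)",
                        lambda_du_per_year=0.02,
                        proof_test_years=interlock_proof_test_years)
    ignition = Failure("ignition source present at vent tip", pfd=0.05)
    return {
        "A": scenario_frequency(cw_failure),
        "A+valve": scenario_frequency(cw_failure, reboiler_cv_stuck),
        "B": scenario_frequency(drain_opened, interlock, ignition),
    }


def screen(scenarios: Dict[str, float], tolerable_per_year: float) -> Dict[str, bool]:
    """True where the joint frequency is at or above the screening threshold."""
    return {name: freq >= tolerable_per_year for name, freq in scenarios.items()}


TOLERABLE = 1e-4  # constructed screening threshold, per year


if __name__ == "__main__":
    for test_interval in (1.0, 10.0):
        freqs = build_scenarios(test_interval)
        verdict = screen(freqs, TOLERABLE)
        print(f"interlock proof-tested every {test_interval:g} year(s):")
        for name, freq in freqs.items():
            flag = "credible" if verdict[name] else "screened out"
            print(f"  {name:8s} {freq:9.2e}/yr  {flag}")
```

With these placeholder numbers the single-failure case A stays credible, the A+valve combination screens out, and case B screens out with an annually tested interlock but crosses the threshold when the interlock goes ten years between proof tests, which is the quantitative form of the unrevealed-failure objection.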

This blog entry is about process safety or safety in the chemical process industry. I see some attention grabbers trying to take it in a different direction such as safety in the aviation industry which has absolutely no relevance to my blog entry.

 

Probability of failure or availability on demand is a separate and vast subject related to "Safety Integrity Level" (SIL) studies for instrumented systems in the chemical process industry. I do plan a blog entry on that very soon.

 

I would request readers to provide relevant comments and refrain from frivolous and off-topic comments. This is only a request, but then I can't stop people making a laughing stock of themselves.

 


Please note this kind of incident has already happened in the industry. Also note that in the case of a remote location there are two ways to handle this:

1. By providing N2 snuffing

2. Else design the vent stack for radiation

 

And both are prevalent in the industry; I was involved in some such projects where this was the client requirement. And as I pointed out, API recommends this. Even DEP 80.45.10.10 section 3.1.4.1 point no. 5 says:

 

In the event of accidental ignition of the vent, flames shall not impinge upon adjacent equipment and the thermal radiation to equipment or personnel shall be within the limits of (5.2.2)

 

Hence in my view possibilities always need to be assessed based on past experience and industry standards.

However we may agree to disagree on this point.

Padmakar Katre, Sep 20 2013 01:47 AM

Hello Ankur,

Hope you are fine. You are doing a wonderful job for the community members here. Thanks a lot for sharing such useful knowledge.

With utmost respect, I have a doubt regarding example "A", in the event of power failure and thereby no supply of instrument air. In this case the reboiler steam flow control valve action is FC, i.e. fail closed, and not FO, i.e. fail open. This is a general rule followed in industry for safe operation.

Hope you have a nice time in Muscat.


Fail Closed is the normal action for the reboiler steam control valve in a power failure scenario and / or instrument air failure scenario. We are talking of an abnormal scenario where the valve remains "stuck open" despite the normal signal to fail closed. This is not something new I am talking about; there have been innumerable instances in the industry where the control valve has misbehaved, i.e. remained "stuck open" or "stuck closed" despite the signal to close or open in a utility failure scenario.

 

I hope you understand the point I am trying to drive.

 

Regards,

Ankur

Thanks for the article Ankur.

 

I have a question for you and would like to hear from you and other mates whether it is a credible double jeopardy scenario.

 

I have come across a design where there was a potential tube rupture scenario (air-water intercooler of an air compressor package, air on shell side, cooling water on tube side) and there was no relief valve provided to protect the tubes/tubesheets/channels. The explanation given to me was that there was enough open path in the cooling water system that pressure would not build up in the water line.

 

How about a scenario where an operator, as part of a troubleshooting exercise when the tube ruptures, closes the cooling water isolation valve(s) of the intercooler, which results in pressure build-up? Locked open valves could be a solution here, but I guess my question is whether a failure event combined with an operator action to troubleshoot the situation (resulting in more hazard) is a double jeopardy scenario.

 

Cheers,


Flash,

 

IMHO, this is a case of double jeopardy because we are talking of 2 unrelated incidents coinciding at the same time i.e. tube rupture and operator closing the isolation valves when a tube rupture happens.

 

The cooling water isolation valves are "Normally Open" (NO), but to ensure that administrative procedures for the air-water intercooler are fail-safe it is a good idea to have the cooling water isolation valves for the intercooler as "Locked Open" (LO) if they are manual valves or fail-open (FO) if they are automatic valves.

 

Regards,

Ankur.

Ankur,

Perhaps I did not explain enough. The scenario is like this:

 

Tube rupture has already happened and, in order to troubleshoot the problem, an operator closes the cooling water isolation valves by mistake to protect the cooling water pipelines. One can argue an operator must be knowledgeable enough to understand the consequence of closing the valves, but operators are operators, not engineers. To me it appears like related events, but I was wondering what's the general understanding in the industry about this.

Flash,

 

In any case a heat exchanger (in your case a cooler) where water is a cooling medium requires a thermal expansion relief valve (TERV) on the cooling water side to cater to the hydraulic expansion (read pressure rise) of trapped cooling water due to temperature rise when the cooling water side is blocked or there is no flow due to closed valves or any other reason.

 

So there has to be a relief valve on the cooling water side anyway, although catering for the hydraulic expansion case, and this would, to quite an extent, help in preventing pressure rise on the cooling water side even if the valves are closed.

 

As discussed earlier provision of "Locked Open" valves for cooling water would help in preventing the scenario you have mentioned.

 

I still don't think that a relief valve for tube rupture case is required on the cooling water side.

 

Regards,

Ankur
