
1. External Fire
2. Blocked Outlet
3. Gas Blowby
4. Control Valve Fails Open
5. Hydraulic Expansion due to Uncontrolled Heat Input (also called Thermal Expansion)
6. Utilities Failure (Single or Multiple)
7. Power Failure (Partial or Complete)
8. Tube Rupture
9. Runaway Reactions
10. Check or Non-Return Valve Failure (reverse flow)
11. Vacuum Generation due to Steam-Out
The above are some of the more common scenarios identified and studied in the chemical process industry for providing and sizing suitable safety relief devices.
However, identifying the failure scenarios for a given chemical process plant / equipment requires experience on the part of the process or safety engineer. The experience I mean comes from engineering, constructing or operating a similar plant / equipment, or all three. Often a lack of experience results either in overlooking a credible failure scenario or in cooking up failure scenarios that are unrealistic and cannot stand logical scrutiny.
To avoid the uncertainties in defining and analyzing failure scenarios many top engineering and operating companies have pre-defined the failure scenarios for a plant / unit / equipment in their engineering manuals based on their own experience in engineering, constructing and operating a chemical process plant. While this simplifies the task in terms of the time taken for the safety analysis and consequent action for a safety relief device, it is also detrimental to the engineer because he or she is not allowed to use his or her analytical skills to determine a probable failure case.
Coming to the main subject: what is double jeopardy with reference to the failure analysis of a plant / unit / equipment for providing a safety relief device? I would define it as follows:
The simultaneous application of two unrelated failure events for sizing or adequacy check of a safety relief device for a plant / unit / equipment is called double jeopardy.
In the above definition the key word is "unrelated". What do we mean by "unrelated"? It is not easy to identify what is related and what is unrelated. This is where the experience of the engineer counts, together with the practices followed by the chemical process industry, which are based on years of operating experience with similar process plants / units / equipment.
However, some basic unrelated scenarios can easily be identified. I will provide some very basic examples of double jeopardy which most new process engineers can easily understand.
A. Consider the example of a condenser supplied with cooling water for condensing the process vapors from a distillation column. Let us say that due to a partial power failure, the cooling water pump(s) supplying the condenser stop and there is a loss of cooling water to the condenser. Let us also note that the column has a reboiler, with steam fed at a controlled rate by a steam control valve to heat the column bottom contents. Can we imagine a combined scenario in which, at the very moment cooling water to the condenser fails, the steam control valve to the reboiler fails in the open position, generating more process vapors in the column? What relief rate should then be considered for the relief valve provided on the condenser? Should it be the normal vapor flow from the column top to the condenser, or should you consider the excess process vapors formed by uncontrolled reboiler heating when the steam control valve fails open at the very same time? The answer is quite simple. The flow rate for the relief device will be the normal vapor flow rate to the condenser at the time the cooling water failure occurred.
The partial power failure causing stoppage of cooling water supply to the condenser and the failure of the reboiler steam control valve in open position at the same time is highly improbable and as such can be considered as two "unrelated" events. It is highly unlikely that when the condenser cooling water supply fails, at the very same time the reboiler steam control valve will fail open, leading to abnormally high vapor flow from the column top.
B. A remotely located sales gas pipeline requires planned pigging intermittently. A permanent pig launcher and pig receiver are provided for this purpose. Administrative procedures and mechanical interlocks are in place to ensure that the pig launcher and receiver drain valves remain locked closed before pigging is started. The mechanical interlock ensures that the launcher or receiver cannot be pressurized by opening the gas supply line valve to it unless the drain valves are closed. The drain valves from the launcher and receiver are each connected to a covered local pit. There is a degassing local vent from each pit raised to a safe location height of 3 m. Due to an administrative procedure failure as well as a mechanical interlock failure, the drain valve on the pig launcher is inadvertently opened during pigging and excess vapors are released from the degassing vent. At the same time, accidental ignition occurs at the vent tip due to an ignition source. To prevent thermal radiation hazards to personnel in the area surrounding the jet fire from the vent, a radiation contour study is mandated, which suggests that to mitigate the thermal radiation hazard from the jet fire the vent height must be raised to 18 m.
How credible is this scenario? Some might argue that it is perfectly credible and that the degassing vent height needs to be raised based on the recommendations of the radiation contour study. I would say that it is not credible but a clear case of double jeopardy, for the following reasons:
The pigging operation is intermittent. It is a planned exercise with administrative measures as well as mechanical interlocks in place to ensure that the drain valves are closed prior to the start of pigging. The administrative measures and the mechanical interlocks are unrelated, so their simultaneous failure is not credible. Likewise, the presence of an ignition source at the vent tip and a leak of gas from the drain valves during pigging are unrelated, so their coincidence is not credible.
The logic for relief scenarios needs to be developed based on the methodology above. Newcomers to process safety engineering should remember that one of the most challenging tasks in process safety engineering is to analyze the credible relief scenarios, identify which candidate scenarios are double jeopardy, and reject those.
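As an added illustration (not from the post), the following Python models the "related vs. unrelated" test from examples A and B: each event is collapsed to the independent initiating events behind it, and a scenario that needs more than one unrelated initiator to coincide is flagged as double jeopardy. The cause graph and scenario names are constructed assumptions; deciding which events are consequences of which is the engineering judgement the post describes, which the code only records.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed cause graph for the two scenarios above (an assumption, not from the post):
# event -> the events that must ALL occur to cause it. An event with no entry is an
# independent initiating event; a consequence is "related" to the initiator behind it.
CAUSED_BY: Dict[str, Tuple[str, ...]] = {
    "cooling water pumps stop": ("partial power failure",),
    "loss of condenser cooling water": ("cooling water pumps stop",),
    "drain valve open during pigging": ("administrative procedure failure",
                                        "mechanical interlock failure"),
    "gas release from degassing vent": ("drain valve open during pigging",),
}

def root_initiators(event: str, caused_by=CAUSED_BY, _seen=()) -> FrozenSet[str]:
    """Collapse an event to the set of independent initiating events behind it."""
    if event in _seen:
        raise ValueError(f"cycle in cause graph at {event!r}")
    causes = caused_by.get(event)
    if not causes:
        return frozenset([event])
    roots = frozenset()
    for cause in causes:
        roots |= root_initiators(cause, caused_by, _seen + (event,))
    return roots

def scenario_initiators(events: Iterable[str], caused_by=CAUSED_BY) -> FrozenSet[str]:
    """Independent initiators a relief scenario needs to occur at the same time."""
    roots = frozenset()
    for event in events:
        roots |= root_initiators(event, caused_by)
    return roots

def is_double_jeopardy(events: Iterable[str], caused_by=CAUSED_BY) -> bool:
    """More than one unrelated initiator coinciding is rejected as double jeopardy."""
    return len(scenario_initiators(events, caused_by)) > 1

# Constructed relief scenarios based on examples A and B of the post.
SCENARIOS = {
    "A: condenser cooling water failure alone":
        ("loss of condenser cooling water",),
    "A+: cooling water failure with reboiler steam valve failing open":
        ("loss of condenser cooling water", "reboiler steam control valve fails open"),
    "B: pig launcher drain open with ignition at vent tip":
        ("gas release from degassing vent", "ignition source at vent tip"),
}

def classify(scenarios=SCENARIOS, caused_by=CAUSED_BY) -> Dict[str, str]:
    """Verdict per scenario: 'credible' or 'double jeopardy'."""
    return {name: ("double jeopardy" if is_double_jeopardy(events, caused_by) else "credible")
            for name, events in scenarios.items()}
```

Calling `classify()` keeps only scenario A as credible; A+ needs two unrelated initiators and B needs three (procedure failure, interlock failure, ignition source), so both are rejected.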
Hope this gives some idea to new entrants in process safety engineering of what "double jeopardy" is all about.
Anticipating a lot of comments from the readers of my blog.
Regards,
Ankur.
Flash,
Ankur has explained it quite well.
However, here are a few more specific points to mull about.
1. Air/water cooler is probably a bad example where the service is really so benign.
2. Usual air compressor design pressure and temperatures do not exceed the minimum flange rating (150#) of the cooling medium side.
3. The thermal expansion relief is a must from vessel code requirements. Fortunately a 3/4" X 1" TSV is USUALLY adequate for most thermal expansions of this volume. To prevent an inadvertent closure (by an operator) of BOTH the water isolation valves, these valves are at least kept N.O. and more like L.O. (locked open) or C.S.O. (car sealed open). This begs the question of what was so evident by this tube rupture to lead the operator to close the valves? Standing instructions (if LO or CSO does not exist) would have been blatantly mandatory to ensure that operators are well knowledgeable before shutting off a cooling water valve. One can make a plant as safe as money will allow, but it will never make it idiot or sabotage proof. It is like switching a car off in the middle of a fast lane just because there were indications of trouble, and not coasting the car on to the hard shoulder and out of fast moving traffic to try and 'troubleshoot the problem'.
4. If there is indeed a tube rupture, could it compromise the integrity of the water side? API 521 rules suggest that as long as the design pressure of the high pressure (here air) side is less than 1.3 times the design pressure (i.e. hydro test pressure) of the low pressure (cooling water channel side built to vessel codes), overpressure protection due to tube rupture need not be considered. This is exactly what Ankur has been trying to tell you in his last line.
5. Finally, the particular example you did offer had too low a risk exposure to be considered as a good example. It would indeed be a completely different matter if the gas side was hydrocarbons at a high pressure and handling and disposal of the tube rupture flow was a serious safety matter. With the typical air compressor intercoolers and design pressures of channel sides (>15 barg) and air side of <10-12 barg, if you do want to still provide tube rupture overpressure protection (NOT REQUIRED), do go ahead and put in a bursting disk, and make sure that an operator is standing underneath the bursting vent discharge to atmosphere so that on relief (if ever) an air water drenching would awaken him to run and ask his supervisor whether he should close the cooling valves or shut (trip) the compressor. Sorry, I may sound a bit frivolous, but the nervous knee-jerk reactions of an ill-trained operator are not part of a double jeopardy. The only jeopardy is himself, and he should not be allowed to come close to any running plant.
Hope this gives you a bit more general and specific understanding of the issues raised.