Double Jeopardy Rule in HAZOP Study

In process safety, the Hazard and Operability (HAZOP) study is a fundamental risk assessment tool used to identify hazards and operability problems in a process design. One of the working rules applied in HAZOP is the double jeopardy rule, which keeps the analysis structured and the number of scenarios manageable.

Double jeopardy refers to two independent initiating failures occurring at the same time, and the rule is frequently misapplied in Process Hazard Analysis (PHA). This post explains the correct interpretation of double jeopardy, the common misconceptions, and when it should and should not be used to screen a scenario out of a HAZOP study.

What is Double Jeopardy in HAZOP?

During risk analysis the team normally assumes that only one initiating failure occurs at any given time. A scenario that requires two or more independent failures to happen simultaneously is classed as double jeopardy, a term borrowed from the legal field but with a different meaning here.

The double jeopardy rule exists so that HAZOP teams do not have to analyse every possible combination of failures, a set that grows combinatorially and would make the study impractical. It is a screening rule, not a proof that the combined scenario is impossible, so its application must be considered carefully to avoid overlooking credible hazards.

Identifying Double Jeopardy Scenarios

Double jeopardy is defined as the simultaneous occurrence of two independent initiating events, or two revealed failures, that are not linked by a common cause. A revealed failure is one that is detected when it happens and is then repaired, so it is only present for a limited time. Knowing which failures fall under double jeopardy, and which must still be analysed in the PHA, is essential.

Examples of Double Jeopardy

  • A plant operator closes a vessel outlet valve and, at that same moment, the high-level alarm fails, leading to an overflow. If the two failures are independent and unrelated, and the alarm failure is a revealed failure that happens to coincide with the valve closure, the scenario can be dismissed under double jeopardy. If the alarm had already failed undetected before the valve was closed, that is a latent failure and is treated differently (see Misunderstanding #1 below).
  • A PSV failing to open on demand in response to high pressure is not double jeopardy. High pressure is the single initiating event, and the PSV failure is a safeguard failing on demand; one initiator plus a failed safeguard is an ordinary HAZOP scenario, not two independent initiators.

When Double Jeopardy Should Be Considered in HAZOP

While double jeopardy scenarios are generally screened out of a HAZOP, certain cases warrant further evaluation. For example:

  • If a product header is periodically taken offline and maintenance crews must install or remove blind plates, there is a risk that a valve on the pressurized system is opened inadvertently while the header is isolated.
  • If material then flows into the isolated header where maintenance personnel are working, the consequences can be severe.

The combination (a header in a maintenance state plus an inadvertent valve opening) is two events, but the first is a planned, recurring condition rather than a random failure, so the scenario must not be dismissed as double jeopardy. Such cases have to be assessed on a case-by-case basis.

Misunderstandings About Double Jeopardy

Misunderstanding #1: Double Jeopardy and Latent Failures

The double jeopardy rule applies only to two independent failures of otherwise functioning equipment that happen at the same time. It does not apply to latent failures: undetected failures that remain dormant until a demand is placed on the failed component. A latent failure is already present when the initiating event occurs, so the two are not a coincidence of two events in time; the scenario is one initiating event meeting a safeguard that was never available.

For example:

  • A mechanical slam-shut valve is expected to prevent overpressure, and the HAZOP team may credit it as a functioning safeguard.
  • The valve may, however, have an undiscovered defect that prevents it from closing when needed.
  • If the upstream pressure controller then fails and places a demand on the slam-shut valve, this is not a case of double jeopardy: only one event (the controller failure) happens at that moment; the valve defect was already there.
  • The failure of the pressure controller and the latent failure of the slam-shut valve should therefore both be considered in the HAZOP study, with the valve credited as a safeguard that has a probability of failure on demand rather than as a certainty.

This highlights the importance of distinguishing between true double jeopardy and latent failures that may impact safeguards.

Misunderstanding #2: Double Jeopardy in SIL Assessments

Screening out double jeopardy simplifies a HAZOP, but the same shortcut cannot be carried into a Safety Integrity Level (SIL) assessment.

In a SIL assessment, every failure combination that leads to a demand on a Safety Instrumented Function (SIF) must be counted in the demand frequency, however rare it appears. The quantification decides whether a combination matters; a screening rule does not.

  • If a combination of failures leads to a demand on a SIF, it must be analysed and its contribution to the demand rate included.
  • In some cases such a scenario may warrant its own independent SIF, with its own (low) demand frequency, dedicated protection layers, and an evaluation of the consequences should that SIF fail.

When Should Double Jeopardy Be Considered?

Double jeopardy simplifies HAZOP studies, but dismissing every multi-failure scenario without evaluation is risky. The following conditions require a closer look:

  • If the second failure is not truly independent of the first (e.g., common mode failures through shared power, instrument air, impulse lines, or a shared controller).
  • If one failure exposes another previously undetected failure (e.g., a failed safety valve that was assumed functional).
  • If the failure scenario involves human intervention, operational changes, or maintenance activities (e.g., temporary isolation of safety systems).

Best Practice: Evaluate double jeopardy scenarios on a case-by-case basis rather than dismissing them outright.
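The arithmetic behind Misunderstanding #1, Misunderstanding #2 and the common-cause point above, as an added worked example that is not part of the original post. It uses standard screening formulas (the coincidence frequency of two revealed failures, the simplified IEC 61508 PFDavg of a dormant 1oo1 safeguard, and a beta-factor common-cause model); every failure rate, restoration time, proof-test interval and beta value is a constructed illustrative number, not plant or vendor data.

```python
"""Screening arithmetic for the double jeopardy rule (added example).

All rates, restoration times, proof-test intervals and the beta factor are
constructed illustrative values, not plant or vendor data.
"""
from __future__ import annotations

HOURS_PER_YEAR = 8760.0


def coincident_revealed_failures(lam_a: float, lam_b: float,
                                 restore_a_h: float, restore_b_h: float) -> float:
    """Frequency per year that two independent REVEALED failures overlap.

    A revealed failure is noticed and repaired, so it is only present for its
    restoration time tau. The second failure has to land inside the window the
    first one leaves open, giving roughly lam_a * lam_b * (tau_a + tau_b).
    This is the classic double jeopardy case that a HAZOP screens out.
    """
    tau_a = restore_a_h / HOURS_PER_YEAR
    tau_b = restore_b_h / HOURS_PER_YEAR
    return lam_a * lam_b * (tau_a + tau_b)


def pfd_avg_1oo1(lam_du: float, proof_test_interval_y: float) -> float:
    """Average probability of failure on demand of a dormant 1oo1 safeguard.

    Simplified IEC 61508 form: a dangerous undetected fault sits unnoticed
    between proof tests, so on average the device is failed for half the
    interval, PFDavg ~= lam_du * T / 2.
    """
    return lam_du * proof_test_interval_y / 2.0


def initiator_with_latent_safeguard(lam_initiator: float, pfd: float) -> float:
    """Hazard frequency per year when a revealed initiator meets a LATENT fault.

    The latent fault is already present when the demand arrives, so there is no
    coincidence window to shrink the number: frequency = lam_initiator * PFD.
    This is the case the post says must stay in the HAZOP.
    """
    return lam_initiator * pfd


def pfd_1oo2_with_common_cause(pfd_each: float, beta: float) -> float:
    """PFD of two 'independent' safeguards that share a common-cause fraction.

    Beta-factor model: a fraction beta of each channel's dangerous failures also
    takes out the other channel. Independent part: ((1 - beta) * pfd)^2,
    common-cause part: beta * pfd. With beta = 0 this is the naive product.
    """
    independent = ((1.0 - beta) * pfd_each) ** 2
    common = beta * pfd_each
    return independent + common


def sif_demand_rate(initiators: dict[str, float]) -> float:
    """Total demand frequency on a SIF: the sum over every credible initiator.

    For SIL determination the combinations a HAZOP screened out as double
    jeopardy are still counted; they are simply very small terms in the sum.
    """
    return sum(initiators.values())


def worked_example() -> dict[str, float]:
    """Constructed numbers for the scenarios discussed in the post."""
    # Example 1 (double jeopardy): operator closes the vessel outlet valve
    # (0.1/yr, corrected within 1 h) while the high-level alarm fails at the
    # same time (0.1/yr, repaired within an 8 h shift). Constructed values.
    dj = coincident_revealed_failures(0.1, 0.1, restore_a_h=1.0, restore_b_h=8.0)

    # Misunderstanding #1 (latent failure): pressure controller fails 0.1/yr;
    # slam-shut valve has lam_du = 0.01/yr and is proof tested yearly.
    pfd_valve = pfd_avg_1oo1(lam_du=0.01, proof_test_interval_y=1.0)
    latent = initiator_with_latent_safeguard(0.1, pfd_valve)

    # Common cause: a second, nominally independent slam-shut with the same
    # PFD, but 10 % of failures shared (same instrument air, same impulse line).
    naive = pfd_1oo2_with_common_cause(pfd_valve, beta=0.0)
    with_cc = pfd_1oo2_with_common_cause(pfd_valve, beta=0.1)

    # Misunderstanding #2 (SIL): the demand rate on a SIF counts every
    # initiating scenario, including the one the HAZOP screened out.
    demand = sif_demand_rate({"controller fails, valve latent": latent,
                              "valve closed + alarm fails (DJ)": dj})
    return {"double_jeopardy_per_yr": dj, "latent_per_yr": latent,
            "pfd_valve": pfd_valve, "pfd_1oo2_naive": naive,
            "pfd_1oo2_beta0.1": with_cc, "sif_demand_per_yr": demand}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:26s} {value:.2e}")
```

With these constructed numbers the genuine double jeopardy case (two revealed failures overlapping) comes out around 1e-5 per year, while the latent-failure case with the same 0.1/yr initiator is roughly fifty times more frequent, which is why the latter must stay in the HAZOP. The beta-factor line shows the other trap: two "independent" safeguards with 10 % shared failures are about twenty times worse than the naive product suggests. The demand-rate sum is the SIL point: the screened-out combination is still added in, it is simply a small term.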
