Double-jeopardy is NOT a discussion of (or failure of) multiple layers of protection. Nearly every scenario should have multiple layers of protection against the ultimate (unmitigated) consequence. Double jeopardy is also NOT a deviation combined with failure of a safeguard that then “lies in wait.” Double jeopardy is the occurrence of two deviations or two initiating events at the same time; this is NOT a deviation and failure of a safeguard. Such scenarios do arise in HAZOP, but HAZOP is not great at finding these; but when we do find them we discuss them because if the team members brainstorm such rare scenarios, it has “likely” occurred before! An example of double-jeopardy scenario is adding too much catalyst to a reactor “as well as” having the agitator fail. These would normally be two, independent causes/deviations, but in rare cases they occur at the same time. If we have enough safeguards (IPLs) against the consequences of each of the independent initiating events, then we Very Likely have plenty of safeguards against the rare combos of initiating events; this is why the rule was invented and (overly) promoted decades ago … to prevent wasting too much time on dual-cause scenarios. After explaining the rules on multiple independent protection layers (IPLs) a time or two, the team begins to understand the concept quickly. To learn more, attend one of our courses on PHA/HAZOP Leadership or LOPA.
With that starting point of understanding, the PHA team should discuss the consequences if All IPLs fail and then ensure there are enough IPLs for each scenario. If the risk is too high (qualitatively), then the PHA team will recommend ways to strengthen current safeguards (that either are or else support IPLs). So, yes, all scenarios should be evaluated for the failure of multiple safeguards; but failure of multiple IPLs is Not double or multiple jeopardy; instead it is the “normal” PHA discussion. I hope this is clear; it is difficult to clarify further without a “book” of discussion.