Double jeopardy (D-J) is NOT an independent protection layer (IPL) failure after an initiating event (IE). All PHA/HAZOP scenarios are of the form: IE occurs, then IPL 1 fails, then …, leading to consequences. However, the definition of double jeopardy (D-J) is when two initiating events, which are independent (or we had hoped they were so), occur or exist at the same time. These are rare, but if a HAZOP team wants to discuss them, then I let them, because it likely has happened to one or more team members in the past and so is more likely than other D-J scenarios. The D-J scenarios we have discussed to our advantage are normally human-error based.
For a good example of a D-J scenario, look at the dual initiating events of the accident at Bayer CropScience (2008) (see the US CSB report and film for more details). In summary, there were two independent initiating events. One was the high concentration from the crystallizer to the residue treater (a few combined errors led to this cause). The second was failure to pre-fill the residue treater with solvent. These two IEs, starting from human error (mistakes), were made for different reasons and neither is an IPL; both were themselves IEs. When these two IEs happen on the same startup, and when the temperature interlock (an IPL) is left in bypass (a failure of the BPCS IPL, caused by human error), and when the PSV fails to control the over-pressure (because the PSV, which normally would be an IPL, was not sized large enough for this runaway reaction), the combination led to the explosion. There are root causes to each IE and each IPL failure, of course, and these root causes are management system failures. But this explosion is a good example of where double jeopardy (two IEs) occurred. Since the two IEs happening at the same time was not deemed “credible” in the continuous process PHA/HAZOP, the PSV was not designed for that event… but it should have been. So ignoring this D-J was a fatal mistake (this mistake happened because there was no PHA/HAZOP of startup procedures; a PHA/HAZOP is required for ALL modes of operation).
Double jeopardy is far less likely in a continuous process operation, but it has occurred in this operating mode as well; I have investigated some accidents for continuous mode that had D-J as the cause (two IEs).
So, though we do not waste a lot of time searching for double-jeopardy events in a PHA/HAZOP, when the team (especially operators, but sometimes others) wants to discuss a specific D-J scenario, I let them go for it. Our PHA/HAZOPs are still typically completed in 1/3 to 1/2 the time of others, so this does not appear to waste much (if any) time… but I would hate to miss a D-J scenario that is credible. And we have found many credible D-J scenarios, especially during PHA/HAZOP of startup, shutdown, and online maintenance events, when the “single IE” and “double IE” are more likely to occur.
The mathematical reason D-J actually occurs (versus predictive statistics, which say it never will) is that real life does not always follow the “independence” rule we like to use in statistical estimates. For instance, what if ALL of the staff onsite are fatigued during a restart of a process (such as during the BP Texas City accident [2005], Bayer CropScience [2008], etc.)? Then the probability of a human error is 20 times higher than normal. Let’s say maintenance, also fatigued, fails to put a normal process controller back in automatic, and also in the same startup, a misalignment or set point entry error is made by an operator. Then, due to fatigue across the worksite during restart, the combined D-J error rate could be 20 x 20 = 400 times higher than normal. This is NOT accounted for in the simplistic math that most people think through, because such math assumes independence. In reality, there are global factors (such as fatigue rates) that affect the reliability of all humans at the same time (such as during a plant startup) and therefore couple failure rates that we had wished and hoped were truly independent (affecting multiple IEs and multiple IPLs).
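The coupling described above, worked through as an added example (not part of the original article): it compares the naive estimate that multiplies two site-average error rates with the joint probability obtained by conditioning on the shared fatigue state, and checks the result by simulation. Only the 20x multiplier comes from the text; the baseline error probabilities and the fraction of fatigued startups are constructed values.

```python
import random

FATIGUE_MULTIPLIER = 20  # from the text: human error is 20 times more likely when fatigued

def joint_independent(p1, p2, p_fatigue, mult=FATIGUE_MULTIPLIER):
    """Naive estimate: multiply the two site-average (marginal) error rates."""
    m1 = p1 * ((1 - p_fatigue) + mult * p_fatigue)
    m2 = p2 * ((1 - p_fatigue) + mult * p_fatigue)
    return m1 * m2

def joint_common_cause(p1, p2, p_fatigue, mult=FATIGUE_MULTIPLIER):
    """Law of total probability: condition on the shared fatigue state."""
    rested = (1 - p_fatigue) * p1 * p2
    fatigued = p_fatigue * (mult * p1) * (mult * p2)
    return rested + fatigued

def simulate(p1, p2, p_fatigue, startups, seed=1, mult=FATIGUE_MULTIPLIER):
    """Monte Carlo check: fraction of startups on which both errors occur."""
    rng = random.Random(seed)
    both = 0
    for _ in range(startups):
        # One draw decides fatigue for the whole site on this startup,
        # so both error rates rise or stay normal together.
        k = mult if rng.random() < p_fatigue else 1
        e1 = rng.random() < p1 * k  # e.g. controller left in manual
        e2 = rng.random() < p2 * k  # e.g. set point entry error
        both += e1 and e2
    return both / startups

if __name__ == "__main__":
    # Constructed inputs: 1% baseline chance of each error per startup,
    # 10% of startups run with a fatigued workforce.
    p1 = p2 = 0.01
    f = 0.10
    naive = joint_independent(p1, p2, f)
    coupled = joint_common_cause(p1, p2, f)
    print(f"naive (independence assumed): {naive:.2e}")
    print(f"common-cause (fatigue shared): {coupled:.2e}")
    print(f"simulated over 200000 startups: {simulate(p1, p2, f, 200_000):.2e}")
    print(f"independence underestimates by a factor of {coupled / naive:.1f}")
```

Even when each error's average rate is measured correctly, multiplying the averages understates the double-IE frequency, because almost all of the joint probability comes from the fatigued startups where both rates are elevated at once.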
PII does not use a HAZOP rule that states “double jeopardy is not considered, as the probability of D-J is minuscule”… instead we state “the HAZOP method is not capable of finding all D-J scenarios and we do not try; but we do discuss the D-J scenarios that appear credible”. Yes, we rely once more on the judgment of the PHA/HAZOP team.