Double Jeopardy in Process Safety: Busting the “Safeguard” Myth
In any Process Hazard Analysis (PHA) workshop—whether it’s a HAZOP, HAZID, LOPA, or a high-level Risk Assessment (RA)—there is one phrase that consistently derails the conversation: “That’s Double Jeopardy!”
It is often played like a “Get Out of Jail Free” card to dismiss a scenario simply because it seems unlikely. But there is a fundamental misunderstanding about what Double Jeopardy actually means.
When we assess risk, it is critical to postulate that ALL safeguards fail. If we don’t, we cannot arrive at the worst possible scenario (the unmitigated consequence). This assumption is not Double Jeopardy; it is the cornerstone of robust risk assessment. As history reminds us with incidents like Deepwater Horizon, Process Safety is specifically about preventing those uncommon, low-probability incidents that lead to Major Accident Events (MAE).
So, what exactly is Double Jeopardy in a process safety setting, and how do we distinguish it from legitimate risk?
1. The Golden Rule: Safeguard Failure is NOT Jeopardy
The most common error in workshops is counting the failure of a protection layer as a “second jeopardy.”
-
The Fallacy: “We have a blocked outlet (Jeopardy 1). For the vessel to explode, the High-Pressure Trip has to fail (Jeopardy 2) AND the PSV has to fail (Jeopardy 3). That’s Triple Jeopardy!”
-
The Reality: This is Single Jeopardy.
In LOPA terms, every safeguard has a Probability of Failure on Demand (PFD). No device is 100% reliable. If we dismissed scenarios because “the trip should work,” we would effectively be claiming our safeguards have a failure rate of zero.
Deepwater Horizon didn’t happen because two unrelated lightning strikes hit the rig at the same time. It happened because of a single loss of well control (Initiating Event) followed by the failure of multiple barriers (Cement, BOP, Alarms). If that team had dismissed the scenario because “the BOP failing is Double Jeopardy,” they would have ignored the catastrophic potential of the event.
Rule: You assume safeguards fail to calculate the unmitigated risk. This justifies why you need the safeguards in the first place.
2. The True Definition: Two Concurrent Causes
According to API Standard 521 (7th Edition, Section 4.2.3), Double Jeopardy refers strictly to the simultaneous occurrence of two independent initiating events.
It applies to the Cause side of the bow-tie, not the Mitigation side. For a scenario to be dismissed as Double Jeopardy, two conditions must be met:
-
Independence: Event A and Event B have absolutely no process, mechanical, or electrical linkage.
-
Simultaneity: They happen at the exact same time (or effectively so).
API 521 states:
“The simultaneous occurrence of two or more unrelated causes of overpressure (also known as double or multiple jeopardy) is not a basis for design.”
3. Offshore Examples: Applying the Logic
In an offshore environment (FPSO, Platform), the congested nature of the facility makes the distinction between “Double Jeopardy” and “Common Mode Failure” critical.
Case A: Blocked Discharge + Blowdown
-
Scenario: A vessel is arriving and losses power while its large crane suddenly collapses onto a platofrm
-
Is this Double Jeopardy? YES
Case B: The “True” Double Jeopardy
-
Scenario: The Inlet SDV on Separator A fails closed due to a mechanical latch jamming. At the exact same moment, the Outlet Control Valve on Separator B fails closed due to a stem seizure.
-
Is this Double Jeopardy? YES.
-
Why: These are two independent mechanical failures. The probability of two distinct valves mechanically jamming at the same second is statistically negligible. You generally do not design the flare tip for this overlap.
4. The Workshop Cheat Sheet
To clear the confusion in your next HAZOP or HAZID, use this simple decision matrix:
| Scenario Argument | Verdict | Action |
| “But we have a PSV and a Trip!” | NOT Double Jeopardy | Assume they fail. Calculate Unmitigated Risk to verify the SIL rating/PSV sizing is adequate. |
| “The air failure causes Valve A AND Valve B to trip.” | NOT Jeopardy | Common Mode Failure. Analyze the simultaneous impact. |
| Fire Zones – Can a wellhead linked by a bridge and CPP catch fire simultenous | Maybe DOUBLE JEOPARDY | Linked Event. Analyze the escalation. |
| “What if Vessel Fails AND the unrelated crane collapses?” | DOUBLE Jeopardy | Dismiss. These are independent causes. |
The Bottom Line:
We design for the “bad day” (safeguards failing), but we don’t design for the “impossible day” (two unrelated disasters striking the exact same second). Differentiating between the two is the mark of a true Process Safety expert.