“Everything is impossible until it is done.”  — Robert H. Goddard

In 1921, annoyed with ignorant criticism, Robert Goddard published a piece in Scientific American in defense of the potential for travel to the moon.

It’s always easier to say something is impossible than to address the potential of it happening.

Double Jeopardy

When someone declares, “That’s double jeopardy,” during a HazOp, they are not making an appeal to the Fifth Amendment to the U.S. Constitution, where it states that no person “shall be subject for the same offense to be twice put in jeopardy of life or limb.”

Instead, they are arguing that because two things have to go wrong to cause a scenario, the likelihood is so low as to be not credible, so that there is no need to consider the scenario.

We need to acknowledge, though, that these two-failure causes are presented when someone believes they are possible. However, “possible” does not necessarily equal “credible.”

It’s Not About the Failure of Safeguards

The idea of double jeopardy is not that there is a failure that triggers an event and that a safeguard then fails to prevent it.

The failure of a safeguard is never a triggering event. The failure of a safeguard is not even part of a triggering event.

All safeguards have the potential to fail. To argue that a scenario need not be considered because it involves a failure that is the triggering event and a second failure, of a safeguard, and so is “double jeopardy”, is to argue that scenarios with safeguards need never be considered. That would mean that either we believe the safeguard will fail, so we can use “double jeopardy” to dismiss the scenario, or we believe that the safeguard is perfect and will not fail, in which case the very perfection of the safeguard eliminates the need to consider the scenario.

Clearly, this is not a valid approach.

It’s About a Combination of Failures Triggering the Hazardous Scenario

Instead, the idea of double jeopardy is that the cause of a hazardous event is the combination of two failures, where neither failure alone is sufficient to trigger the event. The example I first heard to explain the idea of double jeopardy was that of a relay failure that occurs when the relay is struck by lightning, but only as the relay switches.

A process safety consultant gives another example: Adding too much catalyst to a reactor “as well as” having the agitator fail.

Is a Combination of Failures Credible?

Can two things go wrong? Sure. Do two things go wrong? Yes, and far too often. Every major incident has been the result of more than one thing going wrong.

When it comes to process safety, cause frequencies must be very low before entering the realm of “not credible.” If two things have to go wrong, the frequency is considerably less than that of either thing going wrong by itself, but IT IS NOT ZERO. The kind of frequencies that typically put us into the “not credible” range are along the lines of once every 100,000 years, give or take an order of magnitude.

Consider a double jeopardy scenario where two things have to go wrong. Each is independent, which in itself may be a dubious claim. Each has a failure rate of once every 10 years, and each remains failed once it has failed. The frequency at which both are failed simultaneously is 0.1 × 0.1/year, or once per 100 years. Lower than either by itself, but still around a thousand times higher than “not credible.”

Modern hazard analysis requires that we understand risk, which consists of both consequence impact assessment and likelihood assessment. The claim of “double jeopardy” is an assertion that the likelihood is so low that the consequence impact does not need to be assessed. Is that true? We don’t know until we do the calculation.

Lightning Strikes a Relay

Let’s consider the example of lightning striking as a relay switches.

The switching time for a relay is about 15 milliseconds. If a relay is cycled about once an hour, its probability of being in the state of switching is about 0.000008 and it cycles about 9,000 times a year.

The duration of a lightning strike is about 30 microseconds. Contrary to popular belief, lightning often strikes the same place, not twice, but over and over. The Washington Monument, for example, is often struck several times during a single storm. So, too, your distillation column. In St. Louis, there are about 50 thunderstorms per year. Assuming 5 lightning strikes per storm, that means a St. Louis plant is struck by lightning about 250 times per year. The probability of being in the state of being struck by lightning is about 2.4 × 10^-10.

The rate of the two events occurring simultaneously is the greater of the two products: the rate of one event times the probability that the other event is in progress. In this case, 250 lightning strikes per year times 0.000008. That works out to 2 × 10^-3/year, or once every 500 years. Sounds credible.

Agitator Failures After Adding Too Much Catalyst

Now let’s consider the case of an agitator failing after adding too much catalyst. Let’s assume the facility makes two batches a day and that operators add catalyst to each batch. Let’s also assume that the addition step where the reactor is vulnerable to agitator failure lasts for 2 hours each batch.

According to the CCPS Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, the error rate for a routine task performed more than once a week is once per year. The failure rate for rotating equipment, such as an agitator, is 0.1/year. That means that the probability that an agitator will fail while the process is vulnerable is 0.017. The rate of the two events occurring simultaneously, then, is 1 error per year times 0.017, or once every 60 years. This also sounds credible.
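To put the arithmetic of the last two sections in one place, here is an added example (Python written for this page, not from the original post) that applies the rate-times-probability method to the generic two-standing-failures case, the lightning/relay case and the catalyst/agitator case, and checks each result against the post's roughly once-per-100,000-years “not credible” threshold; the relay is assumed to make two 15 ms transitions per hourly cycle, which reproduces the post's 0.000008.

```python
# Added example, not from the original post: the coincidence arithmetic the post
# applies to its "double jeopardy" scenarios. All rates are per year.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
NOT_CREDIBLE_PER_YEAR = 1e-5   # the post's ~once-per-100,000-years threshold


def fraction_of_time(rate_per_year, duration_seconds):
    """Probability that an event of this rate and duration is in progress at a
    random instant: rate x duration (valid while the product is well below 1)."""
    return rate_per_year * duration_seconds / SECONDS_PER_YEAR


def coincidence_rate(rate_a, duration_a, rate_b, duration_b):
    """Per-year frequency of A and B overlapping: the greater of
    rate(A) x P(B in progress) and rate(B) x P(A in progress)."""
    return max(rate_a * fraction_of_time(rate_b, duration_b),
               rate_b * fraction_of_time(rate_a, duration_a))


def years_between(rate_per_year):
    return 1.0 / rate_per_year


def is_credible(rate_per_year):
    return rate_per_year > NOT_CREDIBLE_PER_YEAR


def two_standing_failures(rate_a=0.1, rate_b=0.1):
    """The post's generic case: each fails 0.1/year and stays failed, so the
    probability of being in the failed state is taken as rate x 1 year."""
    return rate_a * (rate_b * 1.0)


def lightning_while_relay_switches():
    """Assumption: one hourly relay cycle = two 15 ms transitions (on and off).
    Lightning: 250 strikes/year of 30 microseconds each."""
    cycles_per_year = 24 * 365.25
    return coincidence_rate(250.0, 30e-6, cycles_per_year, 2 * 0.015)


def agitator_failure_after_overcharge():
    """Follows the post's arithmetic: 1 charging error/year x (agitator failure
    rate 0.1/year x fraction of time in the 2-hour vulnerable step, 2 batches/day)."""
    vulnerable_fraction = fraction_of_time(2 * 365.25, 2 * 3600)   # 4 h of every 24
    return 1.0 * (0.1 * vulnerable_fraction)


if __name__ == "__main__":
    for name, rate in [("two standing failures", two_standing_failures()),
                       ("lightning while relay switches", lightning_while_relay_switches()),
                       ("agitator fails after overcharge", agitator_failure_after_overcharge())]:
        print(f"{name}: {rate:.2e}/yr, once per {years_between(rate):,.0f} yr, "
              f"credible={is_credible(rate)}")
```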

It’s Not Rocket Science

Lightning strikes while switching a relay. Agitator failures after overcharging catalyst. Clearly “double jeopardy”, right? This couldn’t be credible, could it? Until there are calculations, the claim that “double jeopardy” makes a scenario not credible is just an assertion. Back when all calculations were done with slide rules, it was nice to have a reason to eliminate the work of doing calculations. But now, the calculations are not that difficult to do and are increasingly easier to do than to explain why they don’t need to be done.

Society is no longer willing to let us simply make the assertion of “double jeopardy.” It’s time for us to let this antiquated notion go and get on with doing the risk assessments we must. Unless a scenario is truly impossible—violates the laws of physics and chemistry, or disrupts the space-time continuum—then we shouldn’t just dismiss it. Instead, let’s just do the math. It’s not rocket science.


  • Mike Schmidt

    With a career in the CPI that began in 1977 with Union Carbide, Mike was profoundly impacted by the 1984 tragedy in Bhopal and has been working on process safety ever since.