Safety Moment #43: “Double Contingency Doesn’t Count, You Know”

Double contingency

During process hazards analyses it is common to hear phrases such as, "Double contingency doesn't count, you know". What the speaker means is that only single failures should be considered when determining what could go wrong and how risk can be managed.

Example

A hazards analysis team may be discussing "High Pressure in Vessel V-101" (the second standard example in Process Risk and Reliability Management). The causes of high pressure could include external fire, a blocked-in discharge pump, and a chemical reaction. The consequences and likelihood of each of these causes can be assessed and a risk ranking provided for each. No other factors are considered.

But the reality is that there are almost always other factors to consider. Catastrophic events rarely have just one cause, and there are often multiple safeguards to control the event once it has started.

At the very least, the normal instrumentation, supplemented by the attention of the operating personnel, will make these events triple contingency. In Fault Tree terms:

  • IF the discharge pump is blocked in (the initiating event)
  • AND IF the normal instrumentation fails to respond
  • AND IF the operator does not take action
  • AND IF the safety instrumented system does not take over
  • AND IF the pressure safety relief valve does not open
  • THEN the vessel will explode

The sketch shows the corresponding Fault Tree AND Gate.

Use of fault trees in process hazards analysis

Since ‘Pressure Rises’ is an initiating event with a frequency value, and the other items are safeguards with dimensionless probability values, the tree is actually better constructed as shown below. There are two AND Gates: one that combines the safeguards, and a second that combines ‘Pressure Rises’ with the output of the safeguard AND Gate.

Use of fault trees in process hazards analysis

This simple example, which is typical of the issues that HAZOP teams discuss, goes beyond single contingency. It is actually a quintuple contingency situation — five things need to go wrong.

Case Study

These difficulties to do with the handling of multiple contingencies were very evident in the legal investigation that followed an incident in which two men were seriously injured. It turned out that the event required octuple contingency: eight things went wrong over a twelve hour period.

And some of those events could never have been foreseen by a hazards analysis team. For example, it turned out that some years previously someone had installed an underground line which connected the process to the firewater header. (No one knew why, but it was probably to assist with water washing the process lines.) This "midnight engineering" allowed light hydrocarbon liquid (with roughly the properties of gasoline) to enter the firewater system. Thankfully no fires occurred elsewhere in the facility at this time.

Hazard Analysis Techniques

The standard methods for identifying and evaluating hazards, in particular the HAZOP (Hazard and Operability) technique, have trouble with multiple contingency situations. These techniques rely on team discussions. But such discussions can get very tangled, with people talking past and around one another. Therefore, it makes sense to at least supplement the HAZOP method with other techniques that do consider multiple contingencies. Two examples are the Qualitative Fault Tree and Layers of Protection Analysis.

Qualitative Fault Tree Analysis

Fault Tree Analysis provides a strictly logical approach to understanding risk, and is ideal for identifying and understanding multiple contingencies. The technique is particularly good at identifying common cause events. A fault tree can also help incident analysis teams to identify "root cause" events, i.e., those events that affect different parts of the system simultaneously and so are seen as fundamental to why the event happened.

In spite of its value, the technique is not commonly used in the process industries because it is time-consuming, and often requires the services of specialized consultants.

A simplified form of this approach is known as Qualitative Fault Tree Analysis. It is explained in Safety Moment #6: Qualitative Fault Tree Analysis.

Layers of Protection Analysis

The Layer of Protection Analysis (LOPA) technique combines quantitative and qualitative risk analysis techniques. An incident scenario is postulated. LOPA helps determine the event frequency and consequences. It then evaluates the independent layers of protection (safeguards) to come up with an overall value for risk.
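As an added example that is not part of this Safety Moment, the Python below evaluates the two-level fault tree for Vessel V-101 described under "Use of fault trees in process hazards analysis" and the same frequency-times-probability calculation that LOPA performs across independent layers. The initiating-event frequencies and safeguard failure probabilities are constructed assumptions, and the AND gate rejects more than one frequency-valued input, which is the dimensional reason the safeguards get their own gate.

```python
# Added illustration (not the page's own code) of the two-level V-101 fault tree; all numbers are constructed.
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Basic:
    name: str
    value: float        # events per year if kind == "freq", else a dimensionless probability
    kind: str = "prob"  # "freq" for initiating events, "prob" for safeguard failures

@dataclass(frozen=True)
class Gate:
    op: str             # "AND" or "OR"
    inputs: tuple       # Basic or Gate children

def evaluate(node):
    """Return (value, kind) for a node; inputs are assumed independent."""
    if isinstance(node, Basic):
        return node.value, node.kind
    results = [evaluate(child) for child in node.inputs]
    values, kinds = [v for v, _ in results], [k for _, k in results]
    if node.op == "AND":
        # At most one input may carry units of 1/year: ANDing two frequencies
        # would yield 1/year^2, which is why the safeguards get their own gate.
        if kinds.count("freq") > 1:
            raise ValueError("AND gate with more than one frequency input")
        return math.prod(values), ("freq" if "freq" in kinds else "prob")
    if node.op == "OR":
        if len(set(kinds)) != 1:
            raise ValueError("OR gate must combine inputs of a single kind")
        if kinds[0] == "freq":
            return sum(values), "freq"                            # frequencies add
        return 1.0 - math.prod(1.0 - p for p in values), "prob"   # P(any input fails)
    raise ValueError(f"unknown gate {node.op}")

def v101_tree():
    """The page's example: OR of three causes, then AND with four safeguards."""
    causes = Gate("OR", (Basic("External fire", 0.01, "freq"),
                         Basic("Discharge pump blocked in", 0.10, "freq"),
                         Basic("Chemical reaction", 0.01, "freq")))
    safeguards = Gate("AND", (Basic("Instrumentation fails to respond", 0.10),
                              Basic("Operator takes no action", 0.10),
                              Basic("SIS fails to take over", 0.01),
                              Basic("Relief valve fails to open", 0.01)))
    return Gate("AND", (causes, safeguards))

def explosion_frequency():
    value, kind = evaluate(v101_tree())   # per year; what LOPA calls the mitigated frequency
    return value if kind == "freq" else None
```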


You are welcome to use this Safety Moment in your workplace. But there are restrictions — please read Use of Safety Moments.


Copyright © Ian Sutton. 2018. All Rights Reserved.