Double contingency doesn’t count, you know

October 8, 2013
Fault Tree

This is the second in our series of posts on the theme of “Complex Systems Fail in Complex Ways”. Last week we looked at one aspect of this theme: overlooked Common Cause effects. This week’s discussion is to do with the difficulty that hazards analysis teams have in analyzing multiple contingencies.

The title of this post, “Double contingency doesn’t count, you know”, is a quotation from a member of a HAZOP team that I was leading. What he was saying is that we should consider single failures only. For example, the team can discuss “High Pressure in Vessel V-101”. The causes of high pressure could be, say, external fire, a blocked-in feed pump, and a chemical reaction. The consequences and likelihoods of each of these causes can be assessed and a risk ranking provided for them. No other factors are considered.

In practice there will generally be safeguards against serious hazards such as high pressure in a vessel. Typically the vessel will have at least two layers of protection: a high pressure interlock and a pressure safety relief valve (PSRV). Therefore, the hazard should read, “High pressure in V-101 AND failure of the interlock AND failure of the PSRV”. In other words we have a triple contingency situation. The presence of these safeguards can lead to misunderstandings in the team’s discussions, with some members factoring the safeguards into their thinking and others thinking of the single contingency event only. The team leader can attempt to get around these potential areas of confusion by having two discussions: one to do with risk without taking credit for the safeguards and another with the safeguards being considered. However, the presence of any other contingent event — such as known problems with the instrumentation control system — can lead to additional confusion between the team members, with some thinking one thing and others something else.

Further difficulties are added if Common Cause events are a factor. For example, when the cause of high pressure “chemical reaction” is being discussed, someone may note that such a reaction could create waxy or polymer-like solids that could simultaneously degrade the normal instrumentation, the safety instrumentation and the PSRV. Once more, the discussion could become muddled. And these difficulties are important: if the team members feel confused they will lose confidence, and the quality of the analysis will decline.

These difficulties to do with the handling of multiple contingencies were brought home to me because, at about the same time as the above team member made his comment, I was assisting a law firm in the analysis of an event that led to a bad explosion. It turned out that the event required octuple contingency: eight things went wrong over a twelve-hour period. And some of those events could never have been foreseen by a hazards analysis team. For example, it turned out that some years previously someone had installed an underground line which connected the process to the firewater header. (No one knew why, but it was probably to assist with water washing the process lines.) This “midnight engineering” (think Flixborough) allowed light hydrocarbon liquid (with roughly the properties of gasoline) to enter the firewater system. Thankfully no fires occurred elsewhere in the facility at this time.

The HAZOP method has been around for 50 years and will continue to provide valuable insights. But we are entering a period of diminishing returns, not least because, ironically, HAZOPs have been so successful. New ways of analyzing risk are needed. In a previous post (Black Swans and Bow Ties) it was noted that a Bow Tie consists basically of a Fault Tree followed by an Event Tree, techniques which can readily incorporate complex contingencies and common causes. And these techniques have been around for even longer than the HAZOP method. So, it would seem that a natural development in hazards analysis would be for the different approaches to be combined.

  • HAZOP (or similar type of analysis) would allow a team of multi-discipline experts to identify hazards through the use of an equipment and systems-oriented analysis.
  • Bow Tie would provide a visual framework that would incorporate the HAZOP results.
  • Fault trees and event trees would then allow the Bow Tie to be quantified, and they would provide a means for considering multiple contingencies and common causes.
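As an added illustration, not part of the original post, of what the last bullet means in practice: a small Python fault-tree evaluator for the V-101 triple contingency, with the post's "waxy solids" common cause feeding both safeguard branches. Event names and probabilities are constructed placeholders, not data from any real plant; the point is that a minimal-cut-set evaluation exposes the common cause as the dominant path, while gate-by-gate arithmetic that treats the safeguards as independent hides it.

```python
from itertools import product
from math import prod
# Constructed example: events follow the post's V-101 case; the numbers are
# assumed placeholders, not data from any real plant.
PROBS = {
    "high_pressure_demand": 0.1,          # e.g. blocked-in feed pump, per year
    "interlock_fails_independent": 0.01,  # interlock unavailable on demand
    "psrv_fails_independent": 0.01,       # PSRV unavailable on demand
    "waxy_solids": 0.001,                 # common cause disabling both safeguards
}

# A node is a basic event name or ("AND" | "OR", [children]). The common
# cause sits under both safeguard gates, as in the post's reaction example.
TREE = ("AND", [
    "high_pressure_demand",
    ("OR", ["interlock_fails_independent", "waxy_solids"]),
    ("OR", ["psrv_fails_independent", "waxy_solids"]),
])

def cut_sets(node):
    """Minimal cut sets: sets of basic events whose joint occurrence causes the
    top event. A frozenset holds one copy of a repeated event, so the shared
    common cause is counted once rather than as two independent failures."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":
        sets = set().union(*child_sets)
    else:  # AND: pick one cut set from each child and merge them
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(o < s for o in sets)}  # keep minimal

def top_probability(node, probs):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their event probabilities (per year here, since the demand is a rate)."""
    return sum(prod(probs[e] for e in cs) for cs in cut_sets(node))

def naive_probability(node, probs):
    """Gate-by-gate evaluation treating every gate input as independent.
    Understates the risk whenever one event feeds more than one gate."""
    if isinstance(node, str):
        return probs[node]
    kind, children = node
    ps = [naive_probability(c, probs) for c in children]
    return prod(ps) if kind == "AND" else 1.0 - prod(1.0 - p for p in ps)

if __name__ == "__main__":
    print(f"cut-set estimate {top_probability(TREE, PROBS):.1e}/yr, naive {naive_probability(TREE, PROBS):.1e}/yr")
```

With these placeholder numbers the two-event cut set {high pressure demand, waxy solids} contributes ten times more than the three-event independent path, so the "triple contingency" is effectively a double one; the naive figure comes out roughly nine times too optimistic.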