Single-Contingency Events
We continue our series of posts on the topic of Safety in Design. The first two posts were,
When designing safety systems and devices it is common to use the ‘Single Contingency’ philosophy, which specifies that only one emergency (or one group of interrelated emergencies) will occur at a time. The probability that multiple unrelated incidents would occur simultaneously is so low that they need not be considered.
For example, a pressure vessel could be subject to overpressure from various causes, such as external fire, pump dead-head pressure and internal chemical reactions. The pressure safety relief valve for that vessel will be designed for the worst of those cases. It is assumed that the vessel will not experience two or more of these events simultaneously.
Tank farm secondary containment systems provide another example. It is a common practice to build a bund wall around tank farms. This wall is high enough such that it could contain the volume of the liquid in the largest tank. Then, if that tank were to fail catastrophically, the liquid spilled would be contained by the bund wall, thus avoiding a serious environmental problem.
In some situations, it may turn out that there is a link between supposedly independent events. In the case of the vessel overpressure, it is possible that an external fire would cause a runaway reaction to take place inside the vessel. Hence, the two scenarios ― external fire and internal chemical reaction ― are not unconnected. Moreover, the Single Contingency philosophy may not apply to the overall system. For example, an external fire could impact two or more pressure vessels at the same time. Were this to happen, multiple pressure safety relief valves would open simultaneously, which could over-load the downstream flare or vent system.
With the tank farm example, the most likely causes of total tank failure would be corrosion at the base of the tank or a vehicle driving into the tank. It is unlikely that either of these events would occur at two or more tanks at the same time. However, there may be a scenario where an operator starts to fill two tanks, and then fails to notice that both are about to overflow.
Therefore, although use of the Single Contingency Event provides a good starting point for designing safety equipment, it is important to conduct a hazards analysis to find common cause events, i.e., those items that could trigger two or more supposedly independent events. With regard to vessel overpressure, in addition to the external fire case, another potential common cause would be loss of cooling water to the entire facility. Other common causes are electrical failure and operating error.
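The contrast between sizing each device for its worst single case and checking the whole system for common-cause loading can be made concrete in code. The following is an added example, not part of the original post: it models three vessels with constructed relief loads, sizes each relief valve on the Single Contingency basis (worst individual case), and then totals the load that one initiating cause such as an external fire would place on a shared flare header. The vessel tags, relief rates, flare capacity and the rule that scenarios sharing a trigger are summed are all assumptions of this example, chosen to illustrate the point rather than taken from any real facility.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ReliefScenario:
    """One overpressure case for a vessel.

    load_kg_h:    relief rate the scenario requires (constructed figures below)
    triggered_by: initiating causes that can start this scenario; a scenario
                  with more than one entry is where "independent" cases link up
                  (e.g. a runaway reaction that an external fire could initiate)
    """
    name: str
    load_kg_h: float
    triggered_by: FrozenSet[str]


@dataclass(frozen=True)
class Vessel:
    tag: str
    scenarios: Tuple[ReliefScenario, ...]


def single_contingency_load(vessel: Vessel) -> Tuple[str, float]:
    """Single Contingency sizing: the relief valve is designed for the worst
    individual case, on the assumption that only one case occurs at a time."""
    worst = max(vessel.scenarios, key=lambda s: s.load_kg_h)
    return worst.name, worst.load_kg_h


def sum_of_design_loads(vessels: Tuple[Vessel, ...]) -> float:
    """Naive header check: add up each vessel's single-contingency design load."""
    return sum(single_contingency_load(v)[1] for v in vessels)


def load_for_cause(vessel: Vessel, cause: str) -> float:
    """Relief load one initiating cause can put on this vessel.

    Every scenario that the cause can trigger is assumed to occur together and
    the loads are summed. Summing is a conservative simplification made for
    this example; a real sizing study would evaluate the combined case itself.
    """
    return sum(s.load_kg_h for s in vessel.scenarios if cause in s.triggered_by)


def flare_load_by_cause(vessels: Tuple[Vessel, ...]) -> Dict[str, float]:
    """Total flare load for each initiating cause across all vessels it can hit."""
    causes = set().union(*(s.triggered_by for v in vessels for s in v.scenarios))
    return {c: sum(load_for_cause(v, c) for v in vessels) for c in sorted(causes)}


def overloaded_causes(vessels: Tuple[Vessel, ...],
                      flare_capacity_kg_h: float) -> List[Tuple[str, float]]:
    """Common-cause events whose simultaneous relief exceeds the flare capacity."""
    return [(c, load) for c, load in flare_load_by_cause(vessels).items()
            if load > flare_capacity_kg_h]


# Constructed sample data (hypothetical vessel tags and relief rates).
V101 = Vessel("V-101", (
    ReliefScenario("external fire", 8000.0, frozenset({"fire"})),
    ReliefScenario("pump dead-head", 5000.0, frozenset({"pump_deadhead"})),
    # An external fire can start the runaway reaction, so the two are linked.
    ReliefScenario("runaway reaction", 6000.0, frozenset({"reaction", "fire"})),
    ReliefScenario("loss of cooling water", 4000.0, frozenset({"cooling_water"})),
))
V102 = Vessel("V-102", (
    ReliefScenario("external fire", 9000.0, frozenset({"fire"})),
    ReliefScenario("blocked outlet", 10000.0, frozenset({"blocked_outlet"})),
))
V103 = Vessel("V-103", (
    ReliefScenario("external fire", 4000.0, frozenset({"fire"})),
    ReliefScenario("loss of cooling water", 3000.0, frozenset({"cooling_water"})),
))
VESSELS = (V101, V102, V103)
FLARE_CAPACITY_KG_H = 25000.0  # assumed header capacity


if __name__ == "__main__":
    for v in VESSELS:
        print(v.tag, "relief valve sized for:", single_contingency_load(v))
    print("V-101 load if fire also triggers the reaction:", load_for_cause(V101, "fire"))
    print("sum of individual design loads:", sum_of_design_loads(VESSELS))
    print("flare load by common cause:", flare_load_by_cause(VESSELS))
    print("causes that overload the flare:", overloaded_causes(VESSELS, FLARE_CAPACITY_KG_H))
```

Run on the constructed data, each vessel's valve is sized on its worst single case (8000, 10000 and 4000 kg/h), and adding those design loads gives 22000 kg/h, comfortably under the assumed 25000 kg/h header capacity. The common-cause check tells a different story: a plant fire lifts all three fire cases plus the fire-initiated reaction on V-101 at once, for 27000 kg/h, so the flare is overloaded even though every individual valve was correctly sized.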
We will discuss the important topic of common cause events in future posts.