Treatment of Multiple Failures in Process Hazard
Analysis
Paul Baybutt
Primatech Inc., Columbus, OH; paulb@primatech.com (for correspondence)
Published online 3 June 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11601
Process hazard analysis (PHA) is used to identify hazard
scenarios. These hazard scenarios may be initiated by single
or multiple failures. Other scenario events, such as the
responses of safeguards, are also subject to multiple failure,
and enabling events may combine with initiating events or
other scenario events to produce a type of multiple failure. If
multiple failures are not addressed in PHA, important sce-
narios may be missed, and the risks of scenarios may be
underestimated. This article describes the meaning and types
of multiple failures that are possible, discusses their impor-
tance, and provides an approach for addressing them in
PHA. V C 2013 American Institute of Chemical Engineers Process Saf
Prog 32: 361–364, 2013
Keywords: multiple failures; process hazards analysis; de-
pendent failures; common cause failures; enablers
INTRODUCTION
Process hazard analysis (PHA) methods such as the haz-
ard and operability (HAZOP) study and what-if analysis are
used to determine hazard scenarios for processes [1]. Their
starting point is to identify initiating events for scenarios. An
initiating event is the minimum combination of failures nec-
essary to start the propagation of a hazard scenario. It may
be a single initiating cause, multiple simultaneous causes, or
initiating cause(s) in the presence of enablers. Hazard sce-
narios also involve other events that occur as a result of the
initiating event, such as the response of safeguards, which
eventually lead to a consequence. Multiple failures may
occur for these other scenario events, and between them
and the initiating event. For example, redundant safeguards
may fail at the same time, and some safeguards may fail in a
related sequence.
Enablers are events or conditions that do not directly
cause a scenario but must be present or active for a scenario
to proceed [2]. They do not initiate a hazard scenario by
themselves; rather, they make scenarios possible. Enablers
are sometimes called contributing causes or contributing fac-
tors. They may apply not only to the initiating event but also
to other events in the scenario such as safeguard responses.
Enabling events usually occur prior to the initiating event
and are sometimes called latent failures, for example, a failed
or disabled alarm. Enabling conditions exist at the time the
scenario occurs and are sometimes called latent conditions,
for example, low environmental temperature. Enabling
events combine with initiating events or other scenario
C 2013 American Institute of Chemical Engineers
V vessel at the same time resulting in over-pressurization
Process Safety Progress (Vol.32, No.4)
events, such as safeguard failures, to produce a type of mul-
tiple failure. Often, PHA practitioners do not identify ena-
blers. However, they can be key elements of scenarios and
should be addressed [3]. Examples of enablers are provided
in Table 1.
Some practitioners focus on the identification of scenarios
with single failure initiating events and do not address multi-
ple failures, or for that matter, enablers. Indeed, some practi-
tioners specifically exclude the consideration of multiple
failures in PHA. However, such practice is poor as important
scenarios may be missed, though the inclusion of multiple
failures may pose challenges for PHA teams. Also, some
practitioners do not address multiple failures that may occur
within scenarios. Their omission may lead to underestimates
of scenario risks resulting in flawed decisions on risk reduc-
tion. Furthermore, PHA is often used to screen scenarios for
further analysis using methods such as layers of protection
analysis and underestimates of scenario risk may cause im-
portant scenarios to be omitted. This article describes the
meaning and types of multiple failures that are possible in
processes, discusses their importance, and provides an
approach for addressing them in PHA.
MEANING AND TYPES OF MULTIPLE FAILURES
Multiple failures involve two or more events occurring to-
gether. The events may be equipment failures, human fail-
ures, external events, or combinations thereof. External
events include natural events such as lightning strikes,
human-induced events such as a vehicle collision with a
pipeline, loss of utilities and services, and domino events.
Sometimes multiple failures are referred to as “double jeop-
ardy” or “triple jeopardy,” and so forth and also as double
contingency, and so forth. Failures that occur some time
prior to another failure are usually considered to be latent
events and can be treated as enablers. They include equip-
ment that may have been taken out of service or left in a dis-
abled state, for example, a disabled alarm.
Multiple failures in hazard scenarios may involve the ini-
tiating event and/or other elements of the scenario, for
example, safeguards. An example of an initiating event multi-
ple failure is the level controller on one fractionation column
failing at the same time as the level controller on another
fractionation column causing a higher-than-expected load of
liquids in the overhead system that may not be designed to
handle both simultaneous failures. An example of a safe-
guard multiple failure is the failure of dual relief valves on a
December 2013 361
Table 1. Examples of enabling events and conditions.
Disabled equipment, e.g., bypassed interlock
Override of inhibit condition, e.g., during startup
Failed equipment, e.g., alarm
Extreme ambient conditions, e.g., low temperature
Utility failure, e.g., loss of inerting
failure of the vessel. Of course, at issue is the credibility of
such multiple failures, that is, their likelihood of occurrence.
IMPORTANCE OF MULTIPLE FAILURES
It can be argued that actions taken to protect against sin-
gle failures will also protect against multiple failures, because
they help to protect against the individual contributors to the
multiple failures. It can then be posited that it is sufficient to
address single failures and that multiple failures need not be
addressed. Certainly, actions taken to prevent single failures
that contribute to multiple failures will help to prevent the
multiple failures. However, that is not the whole story.
Multiple failures may occur as a result of dependency
between failures. Usually, the causes of such dependencies
will not be eliminated by implementing measures to reduce
the likelihood of the individual failures. For example, if the
cause of the dependent failure of both column level control-
lers is a set point error by the control systems engineer,
improving their reliability will do nothing to address this de-
pendent failure. The same is true for the dual relief valves, if
the cause of their dependent failure is plugging of their
inlets.
Furthermore, multiple failure scenarios may have more
severe consequences than scenarios involving any one of
their contributors. They may merit additional safeguards
beyond those taken to protect against the single failures.
Also, protective actions against single failure events may not
have been taken, as they may have been deemed unneces-
sary for the lesser consequences involved. For example, the
scenario with the initiating event of the failure of both col-
umn level controllers is more serious than a scenario with
the failure of either one alone. Similarly, the scenario with
the failure of both relief valves is more serious than a sce-
nario with the failure of either one alone.
An author from the United States Environmental Protec-
tion Agency has expressed the view, “. . . major accidents
generally involve more than one cause. Virtually none of the
accidents that EPA and OSHA investigated involved only a
single cause. More commonly, half a dozen root and contrib-
uting causes were identified” [4].
TREATMENT OF MULTIPLE FAILURES IN PHA
PHA studies should consider credible multiple failures.
The design basis for the process should be reviewed, as it
may contain protections against some multiple failures and
may provide insight into what the designers thought was
possible. Ground rules can be established for the considera-
tion of multiple failures, ideally as part of corporate PHA
guidance. For example, some possible guidelines for initiat-
ing events are:
 Two concurrent human failures are credible.
 A single equipment failure coupled with a single human
failure is credible.
 The simultaneous failure of two or more pieces of equip-
ment may not be credible.
 A single equipment or human failure with an external
event may not be credible.
362 December 2013 Published on behalf of the AIChE
 The simultaneous occurrence of two or more external
events may not be credible.
These guidelines are based on this general relationship
between failure rates:
Human failure > Equipment failure > External events
However, PHA practitioners must be alert for exceptions.
The guidelines assume that the contributing failures to each
multiple failure are independent, so that a multiple failure may
be classified as noncredible when the contributors lower the
overall likelihood below a credibility threshold. For example,
a multiple failure with three contributors, each with a proba-
bility of 1 3 10 2 3, has a probability of 1 3 10 2 9, which is
below any reasonable de minimis criterion.
Despite any guidelines, other multiple failures that the
team views as credible should not be eliminated, for exam-
ple, triple failures, although the identification of such failures
is unlikely. Regardless of their likelihood, some hazard sce-
narios that involve two or more failures may merit documen-
tation because of their extremely severe consequences or the
existence of specific safeguards that protect against the multi-
ple failure.
Usually, PHA teams must be prompted to consider multi-
ple failures; otherwise, there is a strong tendency toward
considering only single failures. This practice involves a
mental shift for most teams. Unfortunately, there is no simple
or formal approach to identifying multiple failure scenarios
using inductive PHA methods, such as the HAZOP study.
Although this situation is unsatisfactory, feasible alternatives
generally are not available. Deductive techniques such as
fault tree analysis (FTA) do provide a formal means of
addressing multiple failures, but their application for an
entire process is not feasible owing to the time and effort
involved. Furthermore, the events they analyze must be iden-
tified by another method, some multiple failures are difficult
to include, and there is still no guarantee that all multiple
failures will be identified by the analysts.
The identification of multiple failures for initiating events
is particularly challenging, especially if the contributors arise
in different parts of the process. It is less challenging for
multiple failures that occur within the elements of a scenario,
since the elements are defined as part of the scenario. How-
ever, the team must still search for them, as they may not be
obvious. The PHA team should use guidelines on the types
of multiple failures that are considered credible for the pro-
cess and examine the process for such possibilities using
their imagination.
DEPENDENT FAILURES
For multiple failures to be classified as noncredible
because the contributors lower the overall likelihood below
a credibility threshold, the contributors must be independent.
However, some apparently independent failures may be de-
pendent. For example, if a process contains a primary pump
and a backup, both electrically powered, failure of electric
power will cause both pumps to fail. However, if the primary
pump fails mechanically, the backup pump will not neces-
sarily fail, especially if it is of a different design. Dependent
failures involve two or more failure events that are related
causally.
For dependent failures, the likelihood of the multiple fail-
ure will be higher than otherwise would be estimated. For
independent failures, P(A and B) 5 P(A) 3 P(B) but for de-
pendent failures, P(A and B) 5 P(A) 3 P(B|A). In the case
of loss of electric power to the two pumps, P(A and
B) 5 P(A), because P(B|A) 5 1. In words, the probability of
DOI 10.1002/prs Process Safety Progress (Vol.32, No.4)
Table 2. Examples of dependent failure situations.
Control and shutdown functions with a common power
supply
Fire water system and process water use same supply
Failure of a single I/O card resulting in the loss of several
control channels
Multiple flow meters, analyzers, etc. with a calibration error
due to human error, faulty calibration instruments, etc.
Functional deficiency in a type of valve, sensor, etc. used in
multiple systems
Plugging of shared instrument lead lines
failure of both pumps is the same as the probability of fail-
ure of the single primary pump, when the cause is failure of
electric power.
There are various types of dependent failure. The best
known is common cause failure (CCF) wherein simultane-
ous, or near-simultaneous, multiple failures result from a sin-
gle shared cause. The cause may be internal or external to
the system. For example, the failure of two redundant relief
valves owing to the internal cause of plugging, or the failure
of two pumps owing to the external cause of power failure.
CCFs may result from the random failure of a single,
nonredundant component, for example, multiple pump fail-
ures owing to a breaker failure, or systematic failures in
redundant components, for example, two pumps failing
owing to maintenance error.
Random failures occur at predictable rates but unpredict-
able times. They result from a variety of degradation mecha-
nisms. Systematic failures are related in a deterministic way
to a particular cause. They are nonrandom and usually occur
under the same conditions such that once one failure has
occurred another is assured. Systematic failures neither can
be predicted nor can their rates quantified. They result from
hidden faults in design or implementation and can only be
eliminated by a modification of the design, operating proce-
dures, and so forth. Generally, they are controlled by ensur-
ing that all life cycle activities are performed correctly, for
example, employing suitable procedures to reduce the likeli-
hood of incorrect equipment specifications.
Common mode failures are CCFs in which multiple items
fail in the same way, or mode, for example, multiple relief
valves stuck closed. Cascade or sequential failures are
another type of dependent failure. They are failures in a sys-
tem of interconnected components where the failure of a
preceding component triggers the failure of successive com-
ponents in a type of chain reaction. They are also called
propagating failures, because one event leads to another in a
sequence. Cascade failures commonly occur in electrical dis-
tribution systems and computer networks. Overloading one
part of the system or network results in transfer of the load
or data and overloading of other parts of the system or net-
work, which ultimately results in the failure of the entire sys-
tem. The successive dependent failure of safeguards in a
process is a cascade failure.
IMPORTANCE OF CCFS
Redundancy is commonly used to improve system reli-
ability for processes by protecting against random hardware
failures, which reduces the likelihood of system failure.
However, redundancy introduces the potential for CCFs by
providing duplication of functions or components. Moreover,
process complexity increases with redundancy, and the
potential for CCFs increases owing to the increase in shared
attributes for the elements of complex systems. Furthermore,
redundancy is not effective against design or other systematic
Process Safety Progress (Vol.32, No.4) Published on behalf of the AIChE
errors. Nuclear power plant generating stations employ
highly redundant systems, and considerable effort is invested
in addressing CCFs [5].
Some sources of CCF reinforce others, for example, similar
equipment has the same vulnerability to abnormal environ-
ments and is susceptible to the same misoperation, misalign-
ment, miscalibration, and so forth, by a person. For example,
a technician may be assigned to calibrate identical pressure
detectors in different systems on a given shift, but the same
miscalibration error is made during each of the calibrations
owing to a misunderstanding by the technician. There are
now multiple miscalibrated pressure detectors in the process
in different systems. The technician represents a source of
CCF for scenarios where the pressure detectors play a role
but the identical design of the pressure detectors reinforced
this cause. Some further examples of situations with the
potential for dependent failures are provided in Table 2.
Usually, it is not possible to eliminate CCFs completely
from a process. There will always be common equipment,
manufacturing processes, raw materials, equipment compo-
nents, people, utilities, and so forth. At best, CCFs can be
minimized. Defenses against CCFs include functional diver-
sity, using different equipments to achieve the same purpose,
spatial separation of equipment, physical protection of
equipment, and staggered testing/maintenance.
TREATMENT OF DEPENDENT FAILURES IN PHA
Ideally, the role of dependent failures should have been
considered during the design of the process. However, PHA
provides the opportunity for a critical examination of the
process for potential dependent failures and its ability to
withstand them. For this critical examination to be performed
effectively, it is essential that the PHA team understands the
meaning and importance of dependent failures. Further
details on the types of dependent failures that may occur in
processes can be found in the literature [6]. The PHA team
should try to identify their presence. A checklist of typical
sources of dependent failures can be a useful aid (Table 3).
Dependent failures should be addressed for both initiating
events and events within hazard scenarios. Dependent fail-
ures within scenarios may occur between the initiating event
and other scenario events, such as safeguard responses, and
between other events within a scenario such as the
responses of redundant safeguards or sequential safeguard
responses.
Dependent failures for initiating events may lead to
higher estimates of the risk of multiple failure scenarios, or
the inclusion of multiple failure scenarios that otherwise
would be excluded on the grounds of credibility. Dependent
failures for events within hazard scenarios impact the assess-
ment of scenario risk. Conservatively, it may be assumed that
scenario elements subject to dependent failure, such as
redundant safeguards, would not all act to reduce the sce-
nario likelihood. For example, if two relief valves may fail
dependently, the failure likelihood of only one may be taken
into account in estimating the scenario likelihood, that is, the
failure probability of the second relief valve is assumed to
be 1.
TREATMENT OF ENABLERS IN PHA
The combination of enabling events with initiating events
and other scenario events, such as safeguard responses, pro-
duces a type of multiple failure. Both enabling events and
conditions should be addressed in PHA. Typically, this is
accomplished best by including an additional column in the
PHA worksheet to record them, usually placed immediately
after the safeguards column [3]. The team should be
prompted to brainstorm the identification of enablers. Check-
lists of possible enablers and examples are useful aids.
DOI 10.1002/prs December 2013 363
Table 3. Typical sources of dependent failures.
Utilities, e.g., electrical power, instrument air, etc.
People, e.g.
Designers, e.g. specification errors, hardware, and software
design errors, human-process interface design errors
Manufacturers, e.g., manufacturing errors
Constructors, e.g., construction errors
Operators, e.g., misoperation
Mechanics, e.g., maintenance errors, miscalibration
Maintenance, e.g., tools, procedures, training
Operations, e.g., procedures, training
External factors, e.g., lightning, flooding
Common locations
Environmental factors, e.g.
Electrical issues, e.g., power spike, voltage surge, high
current level, static discharge, radiofrequency radiation
Mechanical issues, e.g., shock, vibration
Chemical issues, e.g., corrosive atmosphere, salt air,
humidity, presence of water
Physical issues, e.g., temperature, fire, dust, debris
Usage issues, e.g., heavy or infrequent
Control systems, e.g., DCS
Similar technologies or the same type of redundant
equipment
Process corrosion, plugging, or fouling, e.g., plugging of
relief valves and sensors in a shutdown system
Single elements supporting multiple systems, e.g., common
process taps, common conduit, single energy sources,
single field devices, etc.
Susceptibility to misoperation, e.g., training, procedures,
activity under abnormal stress
CONCLUSIONS
PHA provides a means to identify hazard scenarios for
processes, including their initiating events and safeguard
responses. Both single and multiple failures are possible for
initiating events and within scenarios. They should be
addressed in PHA, otherwise, important hazard scenarios
may be missed, and the risks of hazard scenarios may be
underestimated. Multiple failures may be independent or de-
pendent. PHA teams should address these types of failures:
 Single failures, for example, a valve failure.
 Dependent multiple failures including CCFs, for example,
a breaker failure resulting in multiple pump failures.
 Independent multiple failures if they meet guidelines
established by the company or are considered credible by
the team.
 Enabling events in combination with initiating events and
safeguard failures.
364 December 2013 Published on behalf of the AIChE
Dependent multiple failures can be as likely as single fail-
ures since they reduce to a single failure. Generally, inde-
pendent multiple failures are less likely, but they may still be
credible. Inductive PHA methods are not well suited to iden-
tifying multiple failures but teams should address them to
the extent possible. Brainstorming approaches that are char-
acteristic of PHA can be used. Deductive methods, such as
FTA, do a better job but their application for an entire pro-
cess is not feasible owing to the time and effort involved.
Moreover, the events they analyze must be identified by
another method, some multiple failures are difficult to
include, and completeness is not assured. Other recent pro-
cess safety progress articles have addressed PHA [[7–9]].
LITERATURE CITED
1. Center for Chemical Process Safety/American Institute of
Chemical Engineers, Guidelines for Hazard Evaluation
Procedures, 3rd edition, Center for Chemical Process
Safety/American Institute of Chemical Engineers, New
York, NY, 2008.
2. Center for Chemical Process Safety/American Institute of
Chemical Engineers, Layer of Protection Analysis: Simpli-
fied Process Risk Assessment, Center for Chemical Pro-
cess Safety/American Institute of Chemical Engineers,
New York, NY, 2001.
3. P. Baybutt, “Analytical methods in process safety manage-
ment and system safety engineering—Process hazards
analysis,” Handbook of Loss Prevention Engineering, J.M.
Haight (Editor), Wiley-VCH, Weinheim, Germany, 2013.
4. J.C. Belke, Recurring causes of recent chemical accidents,
US EPA, Chemical Emergency Preparedness and Preven-
tion Office, International Conference and Workshop on
Reliability and Risk Management, AIChE/CCPS, San Anto-
nio, TX, 1998.
5. T.E. Wierman, D.M. Rasmuson, and A. Mosleh, Common-
Cause Failure Database and Analysis System: Event Data
Collection, Classification, and Coding, NUREG/CR-6268,
Rev. 1, U.S. Nuclear Regulatory Commission, Office of
Nuclear Regulatory Research, Washington, DC, 2007.
6. Methods for Determining and Processing Probabilities,
Report CPR-12E, VROM, The Hague, 2005.
7. M. Kaszniak, Oversights and omissions in process hazard
analyses: Lessons learned from CSB investigations, Pro-
cess Saf Prog 29 (2010), 264–269.
8. P. Baybutt, Process hazard analysis for phases of opera-
tion in the process life cycle, Process Saf Prog 31 (2012),
279–281.
9. P. Baybutt, What risk reduction measures should be cred-
ited in process hazard analysis? Process Saf Prog 31
(2012), 359–362.
DOI 10.1002/prs Process Safety Progress (Vol.32, No.4)