Page 530 - Corrosion Engineering Principles and Practice

Chapter 12   Corrosion as a Risk   (pp. 496–497)


However, there are several problems with this approach, which are less apparent:
• Many judgments are required on likelihood and consequence, and unless they are properly recorded the basis for risk decisions will be lost.
• Judgments must be consistent among different team members, a condition that is difficult to achieve whether qualitative or quantitative definitions are used.
• Where multiple outcomes are possible (e.g., the consequence of a fall on a slippery deck can range from nothing to a broken neck), it can be difficult to select the correct consequence for the risk categorization.
• A risk matrix looks at hazards one at a time rather than in accumulation, whereas risk decisions should really be based on the total risk of an activity. Potentially many smaller risks can accumulate into an undesirably high total risk, even though each smaller one on its own might not warrant risk reduction. As a consequence, a risk matrix has the potential to underestimate total risk by ignoring accumulation.

12.5.4  Fault Tree Analysis
Fault tree analysis (FTA) provides a logical representation of the many events and component failures that may combine to cause one critical event (e.g., a pipeline explosion). It uses logic gates to show how basic events may combine to cause the critical top event. The top event would normally be a major hazard such as “pipeline SCC,” as in the example shown in Fig. 12.10. The tree symbols and gates most commonly used in the construction of fault trees are illustrated in Fig. 12.11 and briefly described here [12]:
• Fault event (rectangle): System-level fault or undesired event.
• Conditional event (ellipse): Specific condition or restriction applied to a logic gate (mostly used with the inhibit gate).
• Basic event (circle): Lowest event of examination, which has the capability of causing a fault to occur.
• Undeveloped event (diamond): Failure which is at the lowest event of examination by the fault tree, but which could be further expanded.
• Transfer (triangle): The transfer function is used to signify a connection between two or more sections of the fault tree.
• AND gate: The output occurs only if all inputs exist (the probabilities on the inputs are multiplied, therefore decreasing the resulting probability).