Page 91 - Plant design and economics for chemical engineers
GENERAL DESIGN CONSIDERATIONS 69
Since process and operating procedure changes are often made during or
shortly after plant startup, it is strongly advised that hazard assessment not stop
after startup. Rather, periodic hazard-assessment studies should be used to
define the hazard potential of such changes throughout the life of the facility.
The average time between reviews is about three years; more hazardous
facilities are reviewed more frequently.
Fault-tree Analysis
The fault-tree analysis (FTA) is primarily a means of analyzing hazardous
events after they have been identified by other techniques such as HAZOP. The
FTA is used to estimate the likelihood of an accident by breaking it down into
its contributing sequences, each of which is separated into all of its necessary
events. The use of a logic diagram or fault tree then provides a graphical
representation of the relationship between certain possible events and an undesired consequence.
The sequence of events forms pathways on the fault tree, provided with logical
And and Or gates. The And symbol is used where coincident lower-order events
are necessary before a more serious higher-order event occurs. By multiplying
the probabilities of each event in this set, the probability of the next higher-order
event is obtained. Correspondingly, when the occurrence of any one of a set of
lower-order events is sufficient to cause a more serious higher-order event, the
events in the set are joined by an Or gate, and the probabilities are added to
obtain the probability of the higher-order event. Probabilities of the various
events are expressed as a yearly rate. For example, a 1 × 10⁻³ chance occurrence
per year would represent an event that, on average, would occur only
once every 1000 years. Estimation of failure rates with any precision is generally
difficult because of the limited prior data. In such cases, information from
various sources is used and then revised to incorporate information that is
site-specific.
Once a fault-tree analysis has been completed, it becomes rather easy to
investigate the impact of alternative preventive measures. For example, in the
development of an FTA for Fig. 3-1 and its associated HAZOP study presented
in Table 4, Ozog† has determined that the most probable event is a liquid
release from the storage tank (Event 6) due to overfilling. However, by adding
an independent high-level shutoff to the tank-truck unloading pump, the probability
of a liquid release by this event is significantly reduced and Events 12 or
13 (PV-2 closed) become the most probable events. The probability of these
events, in turn, could be reduced by the installation of an independent low-pressure
alarm to the tank. This process of reducing the probability of the most
probable event could be continued until an overall acceptable risk level is
eventually achieved.
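
The gate arithmetic and the safeguard comparison described above, as an added example that is not from the book or from Ozog's study. The event names, the yearly rates and the 1e-2 shutoff failure probability are constructed for illustration, and the helper names are hypothetical.

```python
from math import prod

# Constructed tree: a float is a basic event (yearly rate or probability),
# a tuple is (gate, {name: child}). None of these values come from the book.
BASE_TREE = ("OR", {
    "overfill release": ("AND", {
        "delivery exceeds free tank volume": 1e-1,
        "operator misses level reading": 1e-1,
    }),
    "pressure valve closed": ("OR", {
        "valve fails closed": 2e-3,
        "valve left closed after maintenance": 1e-3,
    }),
})

def rate(node):
    """Yearly rate of a node, using the And/Or rules stated in the text."""
    if isinstance(node, float):
        return node
    gate, children = node
    rates = [rate(child) for child in children.values()]
    if gate == "AND":   # coincident lower-order events: multiply
        return prod(rates)
    if gate == "OR":    # any one event suffices: add (rare-event approximation)
        return sum(rates)
    raise ValueError(f"unknown gate {gate!r}")

def ranked_sequences(tree):
    """Sequences directly under the top Or gate, most probable first."""
    _, sequences = tree
    return sorted(((name, rate(child)) for name, child in sequences.items()),
                  key=lambda item: item[1], reverse=True)

def add_safeguard(tree, sequence, safeguard, failure_probability):
    """New tree in which `sequence` only occurs if the safeguard also fails."""
    gate, sequences = tree
    guarded = ("AND", {sequence: sequences[sequence],
                       safeguard: failure_probability})
    return (gate, {**sequences, sequence: guarded})

def return_period_years(yearly_rate):
    """Average interval between occurrences, e.g. 1e-3 per year -> 1000 years."""
    return 1.0 / yearly_rate

if __name__ == "__main__":
    guarded = add_safeguard(BASE_TREE, "overfill release",
                            "independent high-level shutoff fails", 1e-2)
    for label, tree in (("base", BASE_TREE), ("with shutoff", guarded)):
        print(label, f"top={rate(tree):.4g}/yr", ranked_sequences(tree))
```

With these constructed numbers the overfill sequence dominates the base tree; once the shutoff is added, the closed-valve sequence becomes the most probable one, which is the shift the paragraph describes.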
† W. Ozog, Chem. Eng., 92(4):161 (Feb. 18, 1985).