ENIN 433 - Fault Tree 1 - Lecture 7

The document discusses fault tree analysis (FTA) which is a technique used in probabilistic risk assessment and system reliability. It provides an overview of FTA including its history, applications, strengths, limitations, and an example fault tree diagram.


2021-02-02

ENIN 433
Risk Assessment and Decision Analysis

Fault Tree Construction

Golam Kabir, Ph.D.


Assistant Professor
Industrial Systems Engineering
University of Regina, SK, Canada

Risk Analysis – Main Steps

Flow: Hazard Identification -> Hazard & Scenario Analysis -> Likelihood and Consequences -> Risk

Hazard identification techniques:
• "What if"
• Checklists
• HAZOP
• Task analysis
• Index methods (Dow, Mond)

Risk Analysis – Main Steps (continued)

Flow: Hazard Identification -> Hazard & Scenario Analysis -> Likelihood and Consequences -> Risk

Hazard and scenario analysis techniques:
• Fault tree analysis
• Event tree analysis
• Bowties
• Barrier diagrams

Likelihood inputs:
• Reliability data
• Human reliability

Consequence inputs:
• Consequence models

FTA Introduction

• A technique by which many events that interact to produce other events can be related using simple logical relationships.
• Fault Tree Analysis (FTA) is one of the most important logic and probabilistic techniques used in PRA (probabilistic risk assessment) and system reliability assessment today.
• It is used to:
  - perform probabilistic analyses for the expected rate of failures;
  - estimate probabilities of events that are modelled as logical combinations or logical outcomes of other random events.

FTA Historical Stages


• H. Watson of Bell Labs, along with A. Mearns, developed the technique for the Air Force for evaluation of the Minuteman Launch Control System, circa 1961
• Recognized by Dave Haasl of Boeing as a significant system safety analysis tool (1963)
• First major use when applied by Boeing on the entire Minuteman system for safety evaluation (1964 – 1967, 1968-1999)
• The first technical papers on FTA were presented at the first System Safety Conference, held in Seattle, June 1965
• Boeing began using FTA on the design and evaluation of commercial aircraft, circa 1966
• Boeing developed a 12-phase fault tree simulation program, and a fault tree plotting program on a Calcomp roll plotter
• Adopted by the aerospace industry and the nuclear power industry

Two Types of FTA

• Proactive FTA
 FTA during system design development
 Improve design by mitigating weak links in the design
 Prevent undesired events and mishaps

• Reactive FTA
 FTA during system operation
 Find root causes of a mishap/accident
 Modify the design to prevent future similar accidents


FTA Coverage

• Hardware
  - System level
  - Subsystem level
  - Component level
  - Environmental effects
• Software
  - System level control
  - Hardware/software interface
• Human interaction
  - Human error
  - Human performance
  - Organizational structures
• Procedures
  - Operation, maintenance, assembly
• System events
  - Failure events
  - Normal events
  - Environmental events

FT Strengths
• Visual model of cause/effect relationships
• Easy to learn, do and follow
• Models complex system relationships in an understandable manner
  - Follows paths across system boundaries
  - Combines hardware, software, environment and human interaction
  - Interface analysis: contractors, subsystems
• Probability model
• Scientifically sound
  - Boolean algebra, logic, probability, reliability
  - Physics, chemistry and engineering
• Commercial software is available
• FTs can provide value despite incomplete information
• Proven technique

Why Do an FTA?
• Root cause analysis
  - Identify all relevant events and conditions leading to the Undesired Event
  - Determine parallel and sequential event combinations
  - Model the diverse/complex event interrelationships involved
• Risk assessment
  - Calculate the probability of an Undesired Event (level of risk)
  - Identify safety-critical components/functions/phases
  - Measure the effect of design changes
• Design safety assessment
  - Demonstrate compliance with requirements
  - Show where safety requirements are needed
  - Identify and evaluate potential design defects/weak links
  - Determine common mode failures

Example FTA Applications


• Evaluate a chemical process and determine where to monitor the process
and establish safety controls
• Evaluate inadvertent arming and release of a weapon
• Calculate the probability of a nuclear power plant accident
• Calculate the probability of a nuclear power plant safety device being
unavailable when needed
• Evaluate the accidental operation and crash of a railroad car
• Evaluate an industrial robot going astray
• Evaluate inadvertent deployment of jet engine thrust reverser
• Evaluate spacecraft failure
• Calculate the probability of a torpedo striking target vessel


FTA Misconceptions

• "FTA is a hazard analysis"
  - Not true
  - Sort of meets the definition of hazard analysis (HA), but is not a true HA
  - Normally used for root cause analysis of a hazard
  - FTA is a secondary HA technique
• "FTA is like an FMEA"
  - Not true
  - FMEA is a bottom-up, single-thread analysis of all item failure modes
  - FTA is a top-down analysis
  - FTA only includes those failures pertinent to the top Undesired Event

FTA Criticisms

• It is too difficult for an outside reviewer to know if a FT is complete
• The correctness of a tree cannot be verified (subjective)
• FTA cannot handle timing and sequencing
• FTA failure data makes results questionable
• FTs become too large, unwieldy and time consuming
• Different analysts sometimes produce different FTs of the same system, so one must be wrong

Most are not true: sequencing is handled by the priority AND gate, two differently drawn trees can be logically equivalent, and correctness is checked cut set by cut set in the validation step of the process (step 6 below).
2021-02-02

Small Example FT

System: a battery powers a light through two switches, A and B, wired in series.

System Undesired Event: Light Fails Off

FT model: the top event "Light Fails Off" is an OR gate over five basic events:
  A - Bulb fails
  B - Switch A fails open
  C - Switch B fails open
  D - Battery fails
  E - Wire fails open

Cut Sets
Event combinations that can cause the Top Undesired Event to occur. For this single OR gate every basic event on its own is a cut set: {A}, {B}, {C}, {D}, {E}.

FT Building Blocks

Basic events:
• Primary failure
• Secondary failure
• Normal event

Gates:
• OR gate
• AND gate
• Inhibit gate
• Exclusive OR gate
• Priority AND gate

Other symbols:
• Top UE (top undesired event)
• Text box
• Condition
• Gate output
• Gate input
• Transfer

Table: Event Symbols

No.  Symbol     Meaning of symbol
1    Circle     Basic event with sufficient data
2    Diamond    Undeveloped event
3    Rectangle  Event represented by a gate
4    Oval       Conditional event used with an inhibit gate
5    House      House event: external event, either occurring or not occurring
6    Triangle   Transfer symbol

Table: Gate Symbols

No.  Gate name                              Causal relation
1    AND gate                               Output event occurs if all input events occur simultaneously.
2    OR gate                                Output event occurs if any one of the input events occurs.
3    Inhibit gate                           Input produces output only when the conditional event occurs.
4    Priority AND gate                      Output event occurs if all input events occur, in the order from left to right.
5    Exclusive OR gate                      Output event occurs if one, but not both, of the input events occurs.
6    m-out-of-n gate (voting or sample      Output event occurs if m out of the n input events occur.
     gate), n inputs
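As an added example (not part of the lecture), the gate definitions in the table above written in Python and evaluated against a timeline of observed basic events, which is the reactive-FTA question: given which basic events occurred and when, did each gate fire, and at what time? The tree extends the battery/switch/light circuit with a 2-of-3 battery vote, an inhibit gate and a priority AND. The gate names, event names, the two timelines and the time-of-occurrence rule chosen for each gate are assumptions made for this example, not content from the slides.

```python
"""Gate semantics from the symbol tables, evaluated against a timeline of
observed basic events: did the top event's logic fire, when, and through
which branch? Added example; tree, names and timelines are constructed."""

# Gate encoding: name -> (kind, [inputs]) or (kind, [inputs], extra), where
# extra is the conditional event for INHIBIT and k for KOFN.
# Basic events are any names that are not gate keys.
TREE = {
    "LIGHT_OFF": ("OR", ["NO_POWER", "BULB_BURNT", "WIRING_DAMAGED"]),
    # Three batteries share the load; the lamp goes dark once two of three are dead.
    "NO_POWER": ("KOFN", ["BATT1_DEAD", "BATT2_DEAD", "BATT3_DEAD"], 2),
    # Overvoltage burns the bulb only if the regulator had already failed.
    "BULB_BURNT": ("INHIBIT", ["OVERVOLTAGE"], "REGULATOR_FAILED"),
    # A latent stuck fuse followed by a short damages the wiring; a short that
    # happens before the fuse sticks is cleared by the fuse (priority AND).
    "WIRING_DAMAGED": ("PAND", ["FUSE_STUCK", "SHORT_CIRCUIT"]),
}

# Constructed timelines: basic event -> time it was observed to occur (hours).
# Events absent from the dict did not occur.
T1 = {"BATT1_DEAD": 10.0, "BATT3_DEAD": 25.0, "SHORT_CIRCUIT": 5.0, "FUSE_STUCK": 30.0}
T2 = {"FUSE_STUCK": 1.0, "SHORT_CIRCUIT": 4.0, "OVERVOLTAGE": 8.0, "REGULATOR_FAILED": 9.0}


def when(tree, node, timeline):
    """Time at which `node` occurred under `timeline`, or None if it did not.

    Assumed semantics (chosen for this example): OR fires at the earliest
    input; AND at the latest; PAND only if the inputs occurred in the listed
    order; XOR if exactly one of its two inputs occurred; INHIBIT if the
    conditional event already held when the input occurred; KOFN at the k-th
    earliest input.
    """
    if node not in tree:
        return timeline.get(node)
    kind, inputs, *extra = tree[node]
    times = [when(tree, i, timeline) for i in inputs]
    seen = [x for x in times if x is not None]
    if kind == "OR":
        return min(seen) if seen else None
    if kind == "AND":
        return max(seen) if len(seen) == len(inputs) else None
    if kind == "PAND":
        ordered = len(seen) == len(inputs) and all(a < b for a, b in zip(times, times[1:]))
        return times[-1] if ordered else None
    if kind == "XOR":
        return seen[0] if len(seen) == 1 else None
    if kind == "INHIBIT":
        cond_time = timeline.get(extra[0])
        return times[0] if seen and cond_time is not None and cond_time <= times[0] else None
    if kind == "KOFN":
        k = extra[0]
        return sorted(seen)[k - 1] if len(seen) >= k else None
    raise ValueError(f"unknown gate kind {kind!r}")


def report(tree, timeline):
    """Occurrence time of every gate (None = did not fire): the 'why' behind a top event."""
    return {gate: when(tree, gate, timeline) for gate in tree}


if __name__ == "__main__":
    for name, t in (("T1", T1), ("T2", T2)):
        print(name, report(TREE, t))
```

In T1 the light goes off at t=25 through the 2-of-3 battery vote, while the short circuit at t=5 is harmless because the fuse only sticks later (wrong order for the priority AND). In T2 the order is reversed, the priority AND fires at t=4, and the inhibit gate stays silent because the regulator failed after the overvoltage.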

Two Equivalent FTs

[Figure: two drawings of the battery/light circuit, one with switches A and B shown separately and one with a single switch block; the fault trees built from the two drawings are logically equivalent.]

Reference Books

• E. J. Henley & H. Kumamoto, Probabilistic Risk Assessment and Management for Engineers and Scientists, IEEE Press, 2nd edition, 1996.
• N. H. Roberts, W. E. Vesely, D. F. Haasl & F. F. Goldberg, Fault Tree Handbook, NUREG-0492, 1981.
• International Electrotechnical Commission, Fault Tree Analysis, IEC 1025, 1990.
• J. D. Andrews & T. R. Moss, Reliability and Risk Assessment, Longman Scientific & Technical, 1993.
• NASA (no number), Fault Tree Handbook with Aerospace Applications, August 2002.
• NASA (no number), Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners, August 2002.
• C. A. Ericson, Hazard Analysis Techniques for System Safety, John Wiley & Sons, 2005, Chapter 11.
• C. A. Ericson, Fault Tree Analysis Primer, CreateSpace, 2012.

FTA Process

1. Define the system: acquire data, understand system operation.
2. Define the top undesired event: descriptively define the problem.
3. Establish boundaries: define analysis ground rules and boundaries.
4. Construct the fault tree: follow the FT construction process and rules.
5. Evaluate the fault tree: generate FT cut sets and probabilities.
6. Validate the fault tree: check the FT for correctness.
7. Modify the fault tree: modify the FT as found necessary.
8. Document and apply results: document and apply the results.
Step 1 - Define The System

• Obtain system design information
  - Drawings, schematics, procedures, timelines
  - Failure data, exposure times
  - Logic diagrams, block diagrams, IELs
• Know and understand
  - System operation
  - System components and interfaces
  - Software design and operation
  - Hardware/software interaction
  - Maintenance operation
  - Test procedures

Guideline: if you are unable to build a block diagram of the system, your understanding may be limited.

Step 2- Define The Top Undesired Event

 Purpose
 The analysis starts here, shapes entire analysis
 Very important, must be done correctly
 Start with basic concern
 Hazard, requirement, safety problem, accident/incident
 Define the UE in a long narrative format
 Describe UE in short sentence
 Test the defined UE
 Determine if UE is achievable and correct
 Obtain concurrence on defined UE

Example Top UEs

• Loss of All Aircraft Communication Systems
• Offshore Oil Platform Overturns During Towing
• Failure of the MPRT Vehicle Collision Avoidance System
• Inadvertent Weapon Unlock
• Inadvertent Weapon Release
• Inadvertent Deployment of Aircraft Engine Thrust Reverser
• Loss of Auto Steer-by-wire Function

Step 3- Establish Boundaries


 Define the analysis ground rules
 Define assumptions
 Bound the overall problem
 Obtain concurrence
 Document the ground rules, assumptions and boundaries

Boundary Factors
 System performance- areas of impact
 Size- depth and detail of analysis
 Scope of analysis - what subsystems and components to include
 System modes of operation - startup, shutdown, steady state
 System phase(s)
 Available resources (i.e., time, dollars, people)
 Resolution limit (how deep to dig)
 Establish level of analysis detail and comprehensiveness

Step 4 - Construct Fault Tree

• Follow rules and definitions of FTA
• Iterative process
• Continually check against system design
• Continually check ground rules
• Tree is developed in layers, levels and branches

[Figure: the Top UE is the effect at the first layer; its causes, Event A and Event B, form the next layer; each of those is in turn an effect whose causes (Events C, D, E, F) form the layer below, and so on. Every layer is a cause/effect pair.]

Step 5 -Evaluate Fault Tree

 Qualitative Analysis
 Generate cut sets
 Verify correctness of cut sets
 Evaluate cut sets for design impact
 Quantitative Analysis
 Apply failure data to tree events
 Compute tree probability
 Compute importance measures
 Evaluate probability for design impact

Generate FT results and interpret the findings

Basic Evaluation Methods

• Manual
  - Possible for small/medium non-complex trees
• Computer
  - Required for large complex trees
• Two approaches
  - Analytical
  - Simulation
• Methods
  - Cut set computation
    · Boolean reduction
    · Algorithms (e.g., MOCUS, MICSUP)
    · Binary Decision Diagram (BDD)
  - Probability computation
    · Boolean reduction
    · Approximations

Step 6 -Validate Fault Tree

 Verify the FT is correct and accurate (Objective)


 Check FT for errors
 Ensure correctness
 Best method is to check validity of every generated cut set
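As an added worked example (not the lecture's own code), the following Python carries steps 5 and 6 through for the small light-circuit tree from the "Small Example FT" slide and for a hypothetical variant with two lamps in parallel, chosen so that an AND gate and a repeated basic event appear and Boolean reduction actually matters. It implements the top-down MOCUS expansion named under "Basic Evaluation Methods", absorption to minimal cut sets, three of the probability computations listed there (rare-event approximation, minimal-cut-set upper bound, exact inclusion-exclusion), and the step 6 check that every generated cut set really causes the top event. Event names and failure probabilities are constructed for the example.

```python
"""Step 5 and step 6 for a small fault tree: MOCUS cut-set generation, Boolean
reduction, three probability estimates, and a validity check on every minimal
cut set. Added example; names and failure probabilities are constructed."""
from itertools import combinations
from math import prod

# Gate encoding: name -> ("AND" | "OR", [inputs]); basic events are any names
# that are not gate keys.
# The light circuit from the slides: battery, two series switches, bulb, wire.
LIGHT = {"LIGHT_OFF": ("OR", ["BULB", "SW_A", "SW_B", "BATT", "WIRE"])}
# Hypothetical variant: two lamps in parallel share the same wire, so an AND
# gate appears and the basic event WIRE is repeated under both lamps.
REDUNDANT = {
    "LIGHT_OFF": ("OR", ["NO_POWER", "NO_LAMP"]),
    "NO_POWER": ("OR", ["BATT", "WIRE"]),
    "NO_LAMP": ("AND", ["LAMP1_OFF", "LAMP2_OFF"]),
    "LAMP1_OFF": ("OR", ["BULB1", "WIRE"]),
    "LAMP2_OFF": ("OR", ["BULB2", "WIRE"]),
}
# Constructed per-demand failure probabilities for the basic events.
P = {"BULB": 1e-3, "BULB1": 1e-3, "BULB2": 1e-3, "SW_A": 5e-4, "SW_B": 5e-4,
     "BATT": 2e-3, "WIRE": 1e-4}

def mocus(tree, top):
    """MOCUS: expand top-down; an OR gate adds rows, an AND gate widens a row."""
    rows, cut_sets = [[top]], []
    while rows:
        row = rows.pop()
        gate = next((n for n in row if n in tree), None)
        if gate is None:                      # only basic events left
            cut_sets.append(frozenset(row))
            continue
        kind, inputs = tree[gate]
        rest = [n for n in row if n != gate]
        if kind == "AND":
            rows.append(rest + inputs)
        else:
            rows.extend(rest + [inp] for inp in inputs)
    return cut_sets

def minimal_cut_sets(cut_sets):
    """Boolean reduction: absorb any cut set that contains another (A + AB = A)."""
    unique = set(cut_sets)
    return sorted((cs for cs in unique if not any(o < cs for o in unique)),
                  key=lambda cs: (len(cs), sorted(cs)))

def cut_set_prob(cs, p):
    """Independent basic events: a cut set occurs with the product of its probabilities."""
    return prod(p[e] for e in cs)

def rare_event(mcs, p):
    """Sum of cut-set probabilities; an overestimate, acceptable when all are small."""
    return sum(cut_set_prob(cs, p) for cs in mcs)

def min_cut_upper_bound(mcs, p):
    """1 - prod(1 - P(cut set)); exact only when cut sets share no basic event."""
    return 1 - prod(1 - cut_set_prob(cs, p) for cs in mcs)

def exact(mcs, p):
    """Inclusion-exclusion over all unions of cut sets (exponential; small trees only)."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            total += sign * cut_set_prob(frozenset().union(*combo), p)
    return total

def occurs(tree, node, failed):
    """Boolean evaluation of the tree with exactly the events in `failed` failed."""
    if node not in tree:
        return node in failed
    kind, inputs = tree[node]
    results = [occurs(tree, i, failed) for i in inputs]
    return all(results) if kind == "AND" else any(results)

def validate(tree, top, mcs):
    """Step 6 check: each minimal cut set causes the top event and no proper subset does."""
    return all(occurs(tree, top, cs) and not any(occurs(tree, top, cs - {e}) for e in cs)
               for cs in mcs)

def analyse(tree, top, p):
    """Qualitative (cut sets, validity) and quantitative (probabilities) results."""
    mcs = minimal_cut_sets(mocus(tree, top))
    return {"mcs": mcs, "valid": validate(tree, top, mcs),
            "rare_event": rare_event(mcs, p),
            "upper_bound": min_cut_upper_bound(mcs, p), "exact": exact(mcs, p)}

if __name__ == "__main__":
    for name, tree in (("LIGHT", LIGHT), ("REDUNDANT", REDUNDANT)):
        print(name, analyse(tree, "LIGHT_OFF", P))
```

For the series circuit MOCUS returns the five single-event cut sets and all three estimates agree to within the rare-event error (0.0041 against 0.004094). For the redundant variant MOCUS produces six raw cut sets, two of which ({BULB1, WIRE} and {BULB2, WIRE}) are absorbed by {WIRE} and one of which is {WIRE} twice; only after reduction do the three minimal cut sets {BATT}, {WIRE}, {BULB1, BULB2} give the right probability, which is why the slides list Boolean reduction under both cut set and probability computation.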

Step 7 - Modify Fault Tree

• Modify the FT when design changes are proposed or incorporated
• Make changes in FT structure as found necessary from:
  - Validation results
  - Risk analysis results
  - Better system knowledge
• Features that can be modified:
  - Tree logic
  - Tree events
  - Event failure rates

Step 8 -Document & Apply Results

 Document the study


 Customer product (in-house or external)
 Historical record
 May need to update FTA some day for system upgrades
 May need to reference the FTA study for other projects
 Adds credibility

 Apply FTA Results


 Interpret results
 Present the results (using the document)
 Make design recommendations
 Follow-up on recommendations

Summary – FTA Process

[Figure: the eight steps drawn as a cycle around the system (design / data): 1 Define System -> 2 Define Top UE -> 3 Establish Boundaries -> 4 Construct Fault Tree -> 5 Evaluate Fault Tree -> 6 Validate Fault Tree -> 7 Modify Fault Tree -> 8 Document/Apply FTA Results. Products shown: fault trees (step 4), cut set list and probability (step 5), reports (step 8).]