Fault Trees
Fault trees have been widely employed in the nuclear power industry to assess
and quantify the hazards and risks associated with nuclear reactors. The method
originated in the aerospace industry, and it is becoming popular in the chemical
process industries on the strength of the nuclear industry's positive experience with it.
A fault tree for any plant other than the simplest can be rather large, with
thousands of process events. Fortunately, the approach lends itself to computerization,
and a number of commercially available programs draw the fault tree from an
interactive session with the analyst.
Fault trees are a deductive tool for determining how hazards can lead to accidents.
The method begins with a well-defined accident, the top event, and then works
backwards to the various events that could lead to that accident.
Intermediate events – events that are produced by one or more events below them and in
turn contribute to an event above them; they lie between the basic events and the top event.
Driving over road debris is a basic event in this case because no further definition is
possible. Tire failure is an intermediate event because it can result from either a defective
tire or a worn tire.
Figure 12-12. A fault tree describing the various events contributing to a flat tire
Basic events are represented by circles, while intermediate events are represented by
rectangles. The OR logic function is represented by the fishlike symbol. It signifies that
the output state can be triggered by either of the input events. The flat tire is caused by
either road debris or tire failure, as shown in Figure 12-12. Similarly, either a damaged
tire or a worn tire causes tire failure.
1. Define precisely the top event. Events such as “high reactor temperature” or “liquid
level too high” are precise and appropriate. Events such as “explosion of reactor” or “fire
in process” are too vague, whereas an event such as “leak in valve” is too specific.
2. Define the existing event. What conditions are sure to be present when the top event
occurs?
3. Define the unallowed events. These are events that are unlikely or are not under
consideration at the present. This could include wiring failures, lightning, tornadoes, and
hurricanes.
4. Define the physical bounds of the process. What components are to be considered in
the fault tree?
5. Define the equipment configuration. What valves are open or closed? What are the
liquid levels? Is this a normal operation state?
6. Define the level of resolution. Will the analysis consider just a valve, or will it be
necessary to consider the valve components?
Drawing the fault tree is the next step in the approach. To begin, write the top event
at the top of the page and label it as the top event, so that there is no confusion later
when the fault tree has expanded over several pages.
Second, determine the events that contribute directly to the top event. Write these
on the sheet as intermediate, basic, undeveloped, or external events. If these events
are connected in parallel (all of them must occur for the top event to occur), an AND
gate connects them to the top event. If they are connected in series (any one of them
is sufficient for the top event to occur), an OR gate connects them. If a single logic
function cannot connect the new events to the top event, the new events are most
likely improperly specified. Remember that the fault tree's objective is to identify the
individual event stages required to produce the top event.
Now consider any one of the new intermediate events. What events must occur to
contribute to this single event? Write these down as either intermediate, basic,
undeveloped, or external events on the tree. Then decide which logic function
represents the interaction of these newest events.
Continue developing the fault tree until all branches have been terminated by basic,
undeveloped, or external events. All intermediate events must be expanded.
Example 12-5.
Consider again the alarm indicator and emergency shutdown system of Example 12-2.
Draw a fault tree for this system.
Solution
The top event is written at the top of the fault tree and labeled as the top event (see
Figure 12-14). Two events must occur for overpressuring: failure of the alarm indicator
and failure of the emergency shutdown system. Because both must occur together, they
are connected by an AND function. The alarm indicator can fail through failure of
either pressure switch 1 or the alarm indicator light, so these are connected by an OR
function. The emergency shutdown system can fail through failure of either pressure
switch 2 or the solenoid valve, so these are also connected by an OR function. The
complete fault tree is shown in Figure 12-14.
The various sets of basic events that can lead to the top event are known as the minimal
cut sets. In general, the top event can occur by several different routes; the minimal cut
sets are the distinct, irreducible combinations of basic events that each produce it.
They are useful for identifying the various ways in which the top event can occur.
Some minimal cut sets are more probable than others. A set with only two events, for
example, is usually more likely than one with three. Similarly, a set that requires human
intervention is more likely to fail than one that relies solely on hardware. Using these
simple principles, the minimal cut sets are ranked in order of failure probability, and
the higher-probability sets are examined closely to decide whether additional safety
devices are needed.
The minimal cut sets are determined using a procedure developed by Fussell and
Vesely.
Example 12-6.
Determine the minimal cut sets for the fault tree of Example 12-5.
Solution
The first step in the procedure is to label all the gates with letters and all the
basic events with numbers, as shown in Figure 12-14. The first logic gate below the
top event is written:
A
AND gates increase the number of events in a cut set, whereas OR gates increase the
number of sets. Logic gate A in Figure 12-14 has two inputs, one from gate B and the
other from gate C. Because gate A is an AND gate, it is replaced by gates B and C:
B C
Gate B has inputs from event 1 and event 2. Because gate B is an OR gate, gate B is
replaced by adding an additional row below the present row. First, replace gate B by
one of the inputs, and then create a second row below the first. Copy into this new row
all the entries in the remaining column of the first row:
Note that the C in the second column of the first row is copied to the new row.
Next, replace gate C in the first row by its inputs. Because gate C is also an OR gate,
replace C by basic event 3 and then create a third row with the other event. Be sure to
copy the 1 from the other column of the first row:
Finally, replace gate C in the second row by its inputs. This generates a fourth row:
This means that the top event occurs as a result of any one of these sets of basic
events. The procedure does not always deliver the minimal cut sets. Sometimes a set
might be of the following form:
This is reduced to simply 1, 2. On other occasions the sets might include supersets. For
instance, consider
The second and third sets are supersets of the first basic set because events 1 and 2
are in common.
The supersets are eliminated to produce the minimal cut sets. For this example there are
no supersets.
There are two ways to perform quantitative calculations to determine the probability of
the top event.
In the first technique the computations are done on the fault tree diagram itself. The
failure probabilities of all basic, external, and undeveloped events are entered on the
tree, and the computations are then carried across the logic gates: at an AND gate the
probabilities of the inputs are multiplied, while at an OR gate the reliabilities (1 - P) of
the inputs are multiplied and the product is subtracted from 1. This is repeated until the
top event is reached. An INHIBIT gate is treated as an AND gate: its output occurs only
when the input event occurs and the conditioning event attached to the gate is present.
Figure 12-14 shows the result of this procedure. The letters P and R stand for
probability and reliability, respectively. The failure probabilities of the basic events
were obtained in Example 12-2.
The alternative procedure uses the minimal cut sets. It approaches the exact result only
when the probabilities of all the events are small; in general it yields a value that is
higher than the true probability, because the probability cross-product terms of
Equation 12-10 are neglected in this technique.
The minimal cut sets represent the various failure modes. For Example 12-6 the top event
can be caused by events 1 and 3, or 2 and 3, or 1 and 4, or 2 and 4. To estimate the overall
failure probability, the probabilities of the cut sets are added together. For this case
For comparison, the exact result obtained by computing on the fault tree is 0.0702. The
cut sets are linked together by an OR function, so simply adding their probabilities, as
was done above for Example 12-6, neglects the cross-product terms of Equation 12-10 and
gives only an approximation. For small probabilities the cross-product terms are
negligible and the sum approaches the exact result.
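The tree-drawing steps, the Fussell and Vesely expansion of Example 12-6 (with the duplicate-event and superset reductions), and both quantification methods can be carried out mechanically. The following Python is an added worked example for Example 12-5 and Example 12-6, not code from the original text. The tree structure (gates A, B, C and basic events 1 to 4) follows the figure as the text describes it; the four basic-event probabilities are assumed here because Example 12-2 is not reproduced on this page, and they were chosen so that the exact evaluation on the tree gives 0.0702, the figure quoted above.

```python
from math import prod

# Constructed encoding of the Example 12-5 tree, labelled as in the text:
# gates are letters mapping to (kind, inputs); integers are basic events.
EXAMPLE_TREE = {
    "A": ("AND", ["B", "C"]),  # top event: overpressuring
    "B": ("OR", [1, 2]),       # alarm indicator fails: pressure switch 1 or indicator light
    "C": ("OR", [3, 4]),       # emergency shutdown fails: pressure switch 2 or solenoid valve
}
TOP = "A"

# Assumed basic-event probabilities (Example 12-2 is not on this page):
# 1 = pressure switch 1, 2 = indicator light, 3 = pressure switch 2, 4 = solenoid valve.
P_BASIC = {1: 0.13, 2: 0.04, 3: 0.13, 4: 0.34}


def fussell_vesely_rows(tree, top):
    """Expand the tree into rows of basic events as the text describes:
    an AND gate is replaced in place by all of its inputs (the row grows);
    an OR gate is replaced by one input, and a copy of the row is made for
    each remaining input (the number of rows grows)."""
    rows = [[top]]
    while True:
        for i, row in enumerate(rows):
            gate_pos = next((j for j, e in enumerate(row) if e in tree), None)
            if gate_pos is None:
                continue  # this row is already all basic events
            kind, inputs = tree[row[gate_pos]]
            before, after = row[:gate_pos], row[gate_pos + 1:]
            if kind == "AND":
                rows[i] = before + list(inputs) + after
            else:  # OR: one row per input, each copying the other columns
                rows[i:i + 1] = [before + [inp] + after for inp in inputs]
            break  # restart the scan after modifying the row list
        else:
            return rows  # no gates left in any row


def minimal_cut_sets(rows):
    """Reduce expansion rows to minimal cut sets: a repeated event within a
    row (1, 2, 1) collapses to a set (1, 2), and any set that is a superset
    of another set (1, 2, 3 beside 1, 2) is discarded."""
    sets = {frozenset(r) for r in rows}
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)


def p_top_exact(tree, node, p_basic):
    """Compute on the tree itself: AND multiplies input probabilities,
    OR multiplies input reliabilities (1 - P) and subtracts from 1."""
    if node not in tree:
        return p_basic[node]
    kind, inputs = tree[node]
    ps = [p_top_exact(tree, inp, p_basic) for inp in inputs]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)


def p_top_from_cut_sets(cut_sets, p_basic):
    """Rare-event approximation: add the cut-set probabilities (each the
    product of its events' probabilities). Cross-product terms are ignored,
    so this overestimates the exact value."""
    return sum(prod(p_basic[e] for e in s) for s in cut_sets)


def rank_cut_sets(cut_sets, p_basic):
    """Order cut sets by probability, most likely first, for review."""
    return sorted(cut_sets, key=lambda s: prod(p_basic[e] for e in s), reverse=True)


if __name__ == "__main__":
    rows = fussell_vesely_rows(EXAMPLE_TREE, TOP)
    mcs = minimal_cut_sets(rows)
    print("expansion rows:", rows)
    print("minimal cut sets, ranked:", [sorted(s) for s in rank_cut_sets(mcs, P_BASIC)])
    print("exact P(top) on the tree:", round(p_top_exact(EXAMPLE_TREE, TOP, P_BASIC), 4))
    print("cut-set sum approximation:", round(p_top_from_cut_sets(mcs, P_BASIC), 4))
```

Running it prints the four expansion rows, the minimal cut sets ranked by probability (1, 4 first, since the solenoid valve is the least reliable component under the assumed values), the exact top-event probability of 0.0702 and the cut-set sum of 0.0799; the difference is the neglected cross-product terms. `minimal_cut_sets` also handles the two non-minimal cases mentioned in the text, repeated events within a row and supersets, when given rows such as 1, 2, 1 or 1, 2, 3 beside 1, 2.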
Questions: