S2024 L23-24 Fault Tree Success Tree

Fault Tree and Success Tree Method: Construction, Quantification, Interpretation

Unit 9A

Spring 2023

References

• Tweeddale, Mark, Managing Risk and Reliability of Process Plants, Elsevier, 2003
• Crowl, D.A. and Louvar, J.F., Chemical Process Safety, 4th ed., Prentice Hall, 2019
• Modarres, M., M. Kaminskiy, and V. Krivtsov, Reliability Engineering and Risk Analysis, 2nd ed., Taylor & Francis, 2010 (Modarres, RERA)
• Norman Fenton and Martin Neil, “Risk Assessment and Decision Analysis with Bayesian Networks,” CRC Press, 2nd ed., 2019, Chapter 5 (RDBN, 2019)
• Modarres, M., Risk Analysis in Engineering, Taylor & Francis, 2006 (Modarres, RAE)
• Rausand, Marvin, System Reliability Theory, 2nd ed., Wiley, 2004
• Jordaan, Ian, Decisions Under Uncertainty – Probabilistic Analysis for Engineering Decisions, Cambridge University Press, 2005 (Jordaan, 2005)
Fault Tree, Event Tree Analysis

• Fault Tree and Event Tree analysis (FTA, ETA) are Boolean (True/False, Fail/Success) logic diagrams used as an initial screening approach to analyze system failures.
• A Fault Tree (FT) begins with a potential upset (Top Event) and works downward, diagramming by deduction how the Top Event can result from earlier failure events.
• An Event Tree (ET) begins with an initiating event or ‘top event’ and diagrams all potential events or outcomes by induction.
• A FT top event is connected to lower-level or earlier failure events through Boolean logic gates, such as OR (union operation, ∪) and AND (intersection operation, ∩).
Fault Tree Symbols

• Basic Event: a simple primary event (e.g., a component failure or human action).
• Intermediate Event: occurs as a result of events at lower levels, above the base units.
• Undeveloped Event: an event for which there is little information about its primary events.
• “And” Gate: output occurs only if all input events occur.
• “Or” Gate: output occurs if any (one or more) input event occurs.
Event Tree Example

[figure: event tree example]

Fault Tree Example

[figure: fault tree example]
FT Construction

• Connect fault tree (FT) events and conditions via logic gates such as AND and OR.
• Continue the deduction of underlying events down to an appropriate event level, designated Base Events, involving components or human actions for which failure data are available.
• Generally all modeled FT events are considered independent, which is unrealistic, so this approach is useful for an initial screening but is not sufficient by itself for Social-Technical System event modeling.
• For a System approach, Fault Trees are converted to Bayesian networks to model dependencies and multiple states, and to include discrete and continuous distributions and estimates of uncertainties.
Fault Tree AND-Gate, Intersection

[figure: TOP event fed by an AND-gate with inputs E1 and E2]
E1 and E2 are basic events.
The TOP event failure probability, Q_T, at time t is:
Q_T = P(E1 ∩ E2) = P(E1|E2)·P(E2) = P(E1)·P(E2) (assuming independence)

With a single AND-gate and n (approximately) independent basic events occurring at time t,
(Rausand, 2004)
Fault Tree OR-Gate, Union

[figure: TOP event fed by an OR-gate with inputs E1 and E2]
E1 and E2 are basic events.
The TOP event failure probability at time t is:
Q_T = P(E1 ∪ E2) = P(E1) + P(E2) – P(E1 ∩ E2)
    = Q1 + Q2 – Q1·Q2 (independent); the last term compensates for the overlap.

With a single OR-gate and n independent basic events occurring at time t,
$$Q_T(t) = 1 - \prod_{i=1}^{n} \bigl(1 - Q_i(t)\bigr)$$
(Rausand, 2004)
OR-Gate, Rare Event Approximation

• The general expression for an OR-gate with independent events Q_i adjusts for the overlap or co-occurrence of the Q_i events:
General OR-Gate Expression:
• If the events are rare events, their probabilities of occurrence are very low (so the values of Q_i are very small).
• When the Rare Event Approximation (REA) is conditionally acceptable:
OR-Gate Expression with REA:
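As an added worked example (not from the slides or from any of the cited books), the AND-gate product rule, the general OR-gate expression written out as inclusion-exclusion, its closed product form, and the REA, evaluated on constructed Q_i values so the size of the REA error can be seen for non-rare and rare events:

```python
from itertools import combinations
from math import prod

def and_gate(q):
    """AND gate, mutually independent inputs: Q_T(t) = product of the Q_i(t)."""
    return prod(q)

def or_gate_exact(q):
    """OR gate, independent inputs, closed form: Q_T(t) = 1 - prod(1 - Q_i(t))."""
    return 1.0 - prod(1.0 - qi for qi in q)

def or_gate_inclusion_exclusion(q):
    """General OR-gate expression: add the single-event terms, subtract the pairwise
    overlaps, add back the triple overlaps, and so on. With independence the
    probability of each overlap is the product of the Q's involved."""
    total = 0.0
    for k in range(1, len(q) + 1):
        sign = 1.0 if k % 2 else -1.0
        total += sign * sum(prod(c) for c in combinations(q, k))
    return total

def or_gate_rea(q):
    """Rare Event Approximation: keep only the first-order terms, Q_T ~ sum of Q_i."""
    return sum(q)

def rea_relative_error(q):
    """Relative amount by which the REA overstates the exact OR-gate value
    (the REA drops only subtracted overlap terms, so it is never below it)."""
    exact = or_gate_exact(q)
    return (or_gate_rea(q) - exact) / exact

if __name__ == "__main__":
    # Constructed sample Q_i values, not figures from the slides.
    for q in ([0.1, 0.2], [1e-3, 2e-3, 5e-4]):
        print(q, "AND:", and_gate(q), "OR exact:", or_gate_exact(q),
              "OR REA:", or_gate_rea(q), "REA rel. error:", rea_relative_error(q))
```

For the two-event case the closed form reduces to Q1 + Q2 – Q1·Q2, the expression on the OR-gate slide.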

Fault Tree Example 1: Reactor Overpressure


11

Crowl & Louvar, 2019


12
OR-Gate , AND-Gate
12
Building a FT
Example 2: Hot Oil Heating System

• Heating section supplying hot oil to bitumen tanks.
• Flow through the heater must be maintained, or the heater coils may overheat, rupture, and result in a fire.
• The flow control valve, FCV, opens progressively if flow to the heater drops (detected by FE) and recirculates oil back to the pump.
• A manual bypass valve, MBV, is provided for FCV maintenance.
• If flow is low, FE actuates FS. FS warns the operator (through FAL) and also actuates the solenoid to close the fuel gas supply (TCV), which reduces the temperature in the heater.
• If the high temperature switch, TSH, detects extreme high temperature in the output line, it closes TCV.
• For this system, construct a Fault Tree based on current knowledge and understanding of the system operation.
Process Control

[figure: process control diagram of the hot oil heating system]

• FE, flow transducer
• TE, temperature transducer
• FC, flow controller
• TC, temperature controller
• FS, flow switch
• TSH, high temperature switch
• FAL, low flow alarm
• GIV, gas isolation valve
• SV, solenoid valve
• MBV, manual bypass valve
• FCV, flow control valve
• TCV, temperature control valve

(Tweeddale, 2003)
Hazard Identification

• How do we diagram the system and develop failure scenarios? Begin by identifying and characterizing the hazards.
• What are the hazards of this oil heating system?
FTA for Heater Coil Burn Out

• For heater Coil Burn Out as the upset (top) event, identify the triggering events or system demands:
No or low oil flow:
o Pump failure
o Flow control system failure
o Oil leak (large)
o Pipeline blockage
o Valve closed
o Operator failure to respond to low flow alarm, FAL
Excess gas flow:
o Gas flow control system failure

Note: Human and Organizational factors influence all events, including test and maintenance, training, leadership, etc., but are not modeled explicitly in a Fault Tree.
Analyze System from the Logic Diagram

• We will focus on heater coil burn-out due to pump failure.
• The over-temperature protection system (TSH, SV) does not operate if the pump stops, because there is insufficient flow to the TSH sensor.
• The oil in the heater can overheat and cause heater coil burn out
– if the pump stops
– OR the low flow protection system (FS, SV) fails,
– OR FAL (low flow alarm) fails,
– OR the operator, OP, fails to cut off fuel to the heater.
Coil Burn Out Fault Tree Construction

• Causes of Automatic Response failure: either FE fails OR FS fails OR SV fails OR TCV fails.
• Causes of Manual Response failure: either FE fails OR FS fails OR FAL fails OR the operator fails OR GIV fails.
• Can pump failure itself lead to a coil burn out?
Initial FT and Logic Based on Understanding of System

[figure: initial fault tree]
Logic Expression:
T = A ∩ [(B ∪ C ∪ D ∪ E) ∩ (B ∪ C ∪ F ∪ G ∪ H)]
where A is the pump, (B ∪ C ∪ D ∪ E) the automatic response, and (B ∪ C ∪ F ∪ G ∪ H) the manual response.

(Tweeddale, 2003)
Review: FT Logic Representation

• Represent the mishap or top event by T.
• Events leading to T are represented by letters for system components (from the initial FT).
• Based on approximations, the FT logic can be quantified by converting the Boolean operators or gates to arithmetic operations (for simplicity):
T = A•(B+C+D+E)•(B+C+F+G+H),
which follows from what two assumptions or approximations?
Modified FT and Logic Expression

T = A ∩ [(B ∪ C ∪ D ∪ E) ∩ (B ∪ C ∪ F ∪ G ∪ H)]
becomes
T = A•[(B+C+D+E)•(B+C+F+G+H)]

Note the independence and REA assumptions/approximations in T.

[figure: modified fault tree, annotated OR-Gate, AND-Gate, and Redundancy where the same events appear in both branches]
Letters A, B, … designate component failures.
Pump Failure Demand Fault Tree

• From the initial fault tree construction, there are two components, FE and FS, that appear in more than one branch of the tree.
• Repetitions can lead to over-counting of failures and inaccurate top event frequency or probability calculations.
• Thus, an initial fault tree is reduced to remove repetitions.
• From the initial FT, prepare a Reduced Fault Tree.
FT Reduction with Boolean Algebra, 1

• To simplify, the Top Event T logic expression is first expanded (and then reduced):

T = A•(B+C+D+E)•(B+C+F+G+H)
  = A•(B•B + B•C + B•F + B•G + B•H + C•B + C•C + C•F + C•G + C•H + D•B + D•C + D•F + D•G + D•H + E•B + E•C + E•F + E•G + E•H)
Review: FT Reduction with Boolean Algebra

Idempotent:
A ∪ A = A    A OR A = A
A ∩ A = A    A AND A = A

Absorption:
A ∪ (A ∩ B) = A    A OR (A AND B) = A
A ∩ (A ∪ B) = A    A AND (A OR B) = A

(Tweeddale, 2003)
FT Reduction with Approximations

Identify the approximation used (rare event, REA, or mutually independent, MI):

A ∩ A = A          A∙A = A
A ∪ A = A          A + A = A
A ∪ (A ∩ B) = A    A + (A∙B) = A
Fault Tree Reduction

• Assume REA and mutual independence of components.
• To reduce the Fault Tree we use the Idempotent and Absorption identities to reduce the logic expression for the Top Event, T.
• T = A•(B•B + B•C + B•F + B•G + B•H
      + C•B + C•C + C•F + C•G + C•H
      + D•B + D•C + D•F + D•G + D•H
      + E•B + E•C + E•F + E•G + E•H)
  Idempotent: B•B = B and C•C = C. Absorption: every remaining term that contains B or C is absorbed into B or C.
So, T = A•(B+C+D•F+D•G+D•H+E•F+E•G+E•H)
Fault Tree Reduction

• T = A•(B+C+D•F+D•G+D•H+E•F+E•G+E•H)
• Factor and group this logic expression of T to highlight system functions:
T = A•{B + C + (D + E)•(F + G + H)}
• State the logic expression in words (next slide).

T = A•{B + C + (D + E)•(F + G + H)}
A = pump fails; B = FE, C = FS; D = SV, E = TCV; F = FAL, G = OP, H = GIV.
The slide labels B + C and (D + E) as auto and (F + G + H) as manual; the braces group the Protective Response System.

Reduced FT: Protective Response System


28
Note that in the Reduced FT, the
FE, FS redundancy has been
removed, and the Auto Response
is now separated from the Manual
A Response.
Auto
Logic expression:
T = A•{B+C+(D+E)•(F+G+H)}

B C

Auto Manual

D E F G H (Tweeddale, 2003)
Fault Tree Following Reduction

• The heater coils will burn out if both the pump fails AND the Protective Response fails.
• The Protective Response fails if either FE fails OR FS fails OR both fail.
• A combination of failures leading to failure of the Protective Response System occurs if there is (a failure of either SV OR TCV) AND (a failure of either FAL OR the operator OR GIV).
• How many minimum component failure scenarios are there?
FT Cut Sets

• A fault tree Cut Set is a unique set of events leading to the top event T.
• The simultaneous failure of each event in a set causes the top event to occur. Therefore, each cut set represents a failure scenario leading to T.
• By the simultaneous occurrence of each failure event within a cut set, each cut set inactivates or cuts all success paths that avert T.
• A minimum cut set is a set that cannot be reduced in size (number of components) and is determined directly from the Reduced Fault Tree top event logic.
• A minimal cut set fails when all components of the cut set co-fail simultaneously.
Minimum Cut Sets

What is the number of minimum failure scenarios (Cut Sets) that result in T?
T = A•{B+C+(D+E)•(F+G+H)}

Cut Sets (rank = number of events in a set; each letter A, B, … represents a failure event):
Rank 1:
Rank 2:
Rank 3:

[figure: reduced fault tree with Auto and Manual branches] (Tweeddale, 2003)
Minimum Cut Sets

What is the number of minimum failure scenarios (Cut Sets) that result in T?
T = A•{B+C+(D+E)•(F+G+H)}

Cut Sets (the number of alternative paths in a given rank is shown first):
0  Rank 1: none
2  Rank 2: (A,B), (A,C)
6  Rank 3: (A,D,F), (A,D,G), (A,D,H), (A,E,F), (A,E,G), (A,E,H)

[figure: reduced fault tree with Auto and Manual branches] (Tweeddale, 2003)
Top Event Assessment

• How can events and paths leading to the top event, i.e., cut sets, be assessed with regard to their quantitative contribution to the top event frequency or probability?
• This risk source quantification and prioritization are needed to identify cost-effective direction of resources to lower risk, if necessary, and to manage risk within acceptable ranges.
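An added example, not from the slides or from Tweeddale, that carries the reduction, cut-set ranking and top-event assessment through in code: it expands T = A ∩ [(B ∪ C ∪ D ∪ E) ∩ (B ∪ C ∪ F ∪ G ∪ H)] into cut sets, applies the idempotent and absorption laws to obtain the minimal cut sets, groups them by rank, and then applies the REA with independent per-component failure probabilities to rank each cut set's contribution to Q_T. The per-component probabilities are constructed for illustration and are not figures from the slides.

```python
from itertools import product
from math import prod

def basic(name):
    """A basic event is the single cut set {name}."""
    return [frozenset([name])]

def or_gate(*branches):
    """OR gate: any one branch's cut set alone causes the output (union of lists)."""
    return [cs for branch in branches for cs in branch]

def and_gate(*branches):
    """AND gate: merge one cut set from every branch; set union applies B*B = B."""
    return [frozenset().union(*combo) for combo in product(*branches)]

def minimal_cut_sets(cut_sets):
    """Absorption law (B + B*C = B): drop any cut set that contains another."""
    unique = set(cut_sets)
    return sorted((cs for cs in unique if not any(other < cs for other in unique)),
                  key=lambda cs: (len(cs), sorted(cs)))

def by_rank(mcs):
    """Group minimal cut sets by rank, i.e. the number of events in the set."""
    ranks = {}
    for cs in mcs:
        ranks.setdefault(len(cs), []).append(cs)
    return ranks

def heater_minimal_cut_sets():
    """Initial tree from the slides: T = A & [(B|C|D|E) & (B|C|F|G|H)]."""
    A, B, C, D, E, F, G, H = (basic(x) for x in "ABCDEFGH")
    auto = or_gate(B, C, D, E)        # FE, FS, SV, TCV
    manual = or_gate(B, C, F, G, H)   # FE, FS, FAL, OP, GIV
    return minimal_cut_sets(and_gate(A, auto, manual))

def rea_top_probability(mcs, q):
    """REA with independent events: Q_T ~ sum over cut sets of prod(Q_i).
    Returns the total and each cut set's contribution, largest first."""
    contrib = {cs: prod(q[e] for e in cs) for cs in mcs}
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    return sum(contrib.values()), ranked

if __name__ == "__main__":
    mcs = heater_minimal_cut_sets()
    for rank, sets in sorted(by_rank(mcs).items()):
        print(f"rank {rank}: {len(sets)} cut sets", [sorted(cs) for cs in sets])
    # Constructed per-demand failure probabilities, not figures from the slides.
    q = dict(A=0.05, B=0.01, C=0.02, D=0.03, E=0.01, F=0.02, G=0.1, H=0.01)
    total, ranked = rea_top_probability(mcs, q)
    print(f"Q_T ~ {total:.2e}; largest contributor {sorted(ranked[0][0])} = {ranked[0][1]:.2e}")
```

The minimal cut sets it returns are the two rank-2 and six rank-3 sets listed on the Minimum Cut Sets slide; the ranked contributions show which cut set dominates Q_T under the assumed values.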
