lecture 4

The document discusses risk analysis techniques in information and systems engineering, focusing on F-N curves, Fault Tree Analysis (FTA), and Event Tree Analysis (ETA). F-N curves help define acceptable risk levels based on cumulative frequency versus consequences, while FTA and ETA are methods for assessing risks by identifying causes of failures and mapping potential outcomes, respectively. Both FTA and ETA are complementary techniques that provide insights into system safety and risk management.

INSE 6320 --
Risk Analysis for Information and Systems Engineering

• F-N Curves
• Fault Trees
• Event Trees
• Decision Theory for Quantitative Risk Analysis

Dr. M. AMAYRI Concordia University


F-N curves

• Usually used to express societal risk.
• Important to define acceptable / tolerable risk (F-N curves help define acceptable risk but do not assist in decision-making).
• Risk acceptability is mostly defined on the basis of F-N curves.
• An F-N curve is a plot of cumulative frequency versus consequences (often expressed as number of fatalities). F-N curves show the number of fatalities against annual frequency.

Right curve: frequency vs. fatalities
• X-axis (N): number of fatalities.
• Y-axis (F): annual frequency of N or more fatalities.
• Red (unacceptable region): risk is too high.
• Yellow (ALARP region, "as low as reasonably practicable"): risk should be reduced if feasible.
• Green (acceptable region): risk is low and generally acceptable.

How to generate F-N curves

• The frequency of events which cause at least N fatalities is plotted against the number N on log-log scales.
• The difference between the frequency of events with N or more fatalities, F(N), and that with N+1 or more, F(N+1), is the frequency of events with exactly N fatalities, usually represented by f(N), with lower-case f. That is,
  f(N) = F(N) - F(N+1)
• Because f(N) must be non-negative, it follows that F(N) ≥ F(N+1) for all N, so that F-N curves never rise from left to right, but are always falling or flat.
• The lower an F-N curve is located on the F-N graph, the safer is the system it represents, because lower F-N curves represent lower frequencies of fatal events than higher curves.

How to calculate F-N curves

• In this exercise you will calculate F-N curves for accidents that occurred in Europe in the period 1967 to 2001 (i.e., 35 years).
• Three different types of accident data are available: for roads, railroads and aviation.
• The analysis is based on empirical data collected from historical accident records.
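A worked computation of the F(N) and f(N) relations from the previous slide, added here as an example and not part of the lecture: it builds the exceedance frequencies from a constructed list of per-accident fatality counts (illustrative numbers, not the European 1967-2001 data set), derives f(N) = F(N) - F(N+1), checks that the curve never rises, and places each point in an unacceptable / ALARP / acceptable band. The criterion lines F = K/N and the constants K are assumptions chosen for the example, not a regulatory standard.

```python
# Constructed sample: fatalities per recorded accident in one transport mode
# over the observation window. Illustrative values, not the lecture's data.
SAMPLE_FATALITIES = [1, 1, 1, 1, 2, 2, 3, 5, 10]
OBSERVATION_YEARS = 35  # matches the 1967-2001 window of the exercise

# Illustrative ALARP band: criterion lines of the form F = K / N (constant F*N).
# The constants are assumptions for this example, not a regulatory standard.
UNACCEPTABLE_K = 1e-1
ACCEPTABLE_K = 1e-3


def exceedance_curve(fatalities, years):
    """Return {N: F(N)} for N = 1..max, where F(N) is the annual frequency of
    events causing N or more fatalities (the cumulative F of an F-N curve)."""
    nmax = max(fatalities)
    return {n: sum(1 for x in fatalities if x >= n) / years for n in range(1, nmax + 1)}


def exact_frequency(curve):
    """f(N) = F(N) - F(N+1): annual frequency of events with exactly N fatalities.
    F beyond the largest recorded N is zero."""
    nmax = max(curve)
    return {n: curve[n] - curve.get(n + 1, 0.0) for n in range(1, nmax + 1)}


def is_non_increasing(curve):
    """An F-N curve must never rise from left to right (f(N) >= 0 for all N)."""
    values = [curve[n] for n in sorted(curve)]
    return all(a >= b for a, b in zip(values, values[1:]))


def classify(n, f_n):
    """Place one point (N, F(N)) in the unacceptable / ALARP / acceptable region."""
    if f_n > UNACCEPTABLE_K / n:
        return "unacceptable"
    if f_n < ACCEPTABLE_K / n:
        return "acceptable"
    return "ALARP"


if __name__ == "__main__":
    F = exceedance_curve(SAMPLE_FATALITIES, OBSERVATION_YEARS)
    f = exact_frequency(F)
    print("curve never rises:", is_non_increasing(F))
    for n in sorted(F):
        print(f"N={n:2d}  F(N)={F[n]:.4f}/yr  f(N)={f[n]:.4f}/yr  {classify(n, F[n])}")
```

Because F(N) counts every event with N or more fatalities, the same accident contributes to F(1), F(2), ... up to its own fatality count; f(N) recovers the per-N histogram, which is why f must be non-negative and F non-increasing.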
Probabilistic Risk Assessment

Probabilistic Risk Assessment usually answers three basic questions:

1) What can go wrong with the studied technological entity, or what are the initiators or
initiating events (undesirable starting events) that lead to adverse consequence(s)?

2) What and how severe are the potential consequences that the technological entity
may be eventually subjected to as a result of the occurrence of the initiator?

3) How likely to occur are these undesirable consequences, or what are their
probabilities or frequencies?

• Two common methods of answering this last question are Fault Tree Analysis and Event Tree Analysis.
• A fault tree is an event tree where failures are emphasized rather than successes.

PRA provides insights into the strengths and weaknesses of a system's design and operation. It allows organizations to identify critical risk factors, prioritize them, and design specific controls to mitigate these risks.

Fault Tree Analysis


• Fault Tree Analysis (FTA) is one of the most important logic and probabilistic techniques used in Probabilistic Risk Assessment (PRA) and system reliability assessment.
• Fault Tree Analysis is a deductive method (top-down approach) for identifying ways in which hazards can lead to an accident.
• The approach starts with a well-defined accident, or top event, and works backwards towards the various scenarios that can cause the accident.
• Fault trees are used to determine the probability of a "top event" (e.g., core damage).
• The top event defines the failure or success of a system or component.
• Fault trees use a structure of logical operations to calculate the probability of the top event as a result of "basic event" inputs.
• FTA helps in risk assessment, reliability analysis, and decision-making to improve system safety and performance.

Fault Tree Analysis


Fault tree analysis is a graphical representation of the combination of faults
that will result in the occurrence of some (undesired) top event.
In the construction of a fault tree, successive subordinate failure events are
identified and logically linked to the top event.
The linked events form a tree structure connected by symbols called gates.

Fault Tree Analysis

• The undesired event is stated at the top of the tree.
• The fault tree gates specify logical combinations of basic events that lead to the top event.
• Fault trees can be used to identify system weaknesses.
• Fault trees can help recognize interrelationships between fault events.
• Fault trees consist of logic gates and basic events as inputs to the logic gates.
• Logic gates: Boolean operations (union or intersection) of the input events.
• Basic events: faults such as a hardware failure, human error, or adverse condition.

FTA Symbols

Basic event: the lowest-level event, which cannot be developed further. E.g. relay failure, switch failure, etc.

An event / fault: this can be an intermediate event or a top event. It is the result of a logical combination of lower-level events. E.g. both transmitters fail, runaway reaction.

OR gate: any one of the bottom events results in the occurrence of the top event. E.g. either one of the root valves is closed, or the process signal to the transmitter fails.

AND gate: for the top event to occur, all the bottom events must occur. E.g. fuel, oxygen and an ignition source all have to be present for a fire.
Union

Example: event A = "no current". A = B + C (A = B union C): B OR C must occur for event A to occur.
Inputs: B = "switch A open", C = "battery B at 0 volts".

Intersection

Example: event D = "over-heated wire". D = E . F (D = E intersection F): E AND F must occur for D to occur.
Inputs: E = "5 mA current in system", F = "power applied for t > 1 ms".

Summary of Fault Tree Basics

A fault tree involves:
• Specifying a top level event (TLE) representing an undesired state.
• Finding all possible chains of basic events that may cause the TLE to occur.

A fault tree:
• Is a systematic representation of such chains of events.
• Uses logical gates to represent the interrelationships between events and the TLE, e.g. AND, OR.

(Figure: the top level event at the top, intermediate events in the middle, basic events at the bottom.)

An example fault tree
Logically: (A + (B + C)) . (C + (A . B))

Procedure for Fault Tree Analysis

1. Define the TOP event.
2. Define the overall structure.
3. Explore each branch in successive levels of detail.
4. Solve the fault tree.
5. Perform corrections if required and make decisions.

Solve the fault tree:
• Assign probabilities of failure to the lowest-level event in each branch of the tree.
• From this data the intermediate event frequency and the top level event frequency can be determined using Boolean algebra and minimal cut set methods.

Minimal Cut Set Theory

• The fault tree consists of many levels of basic and intermediate events linked together by AND and OR gates. Some basic events may appear in different places of the fault tree.
• The minimal cut set analysis provides a new fault tree, logically equivalent to the original, with an OR gate beneath the top event, whose inputs (bottom) are minimal cut sets.
• Cut set: a set of basic events whose simultaneous occurrence ensures that the TOP event occurs.
• Minimal cut set: a cut set that does not contain another cut set as a subset.
• Each minimal cut set is an AND gate with a set of basic event inputs necessary and sufficient to cause the top event.
• The fault tree can be represented by the TOP structure and the minimal cut sets connected through a single OR gate.

Minimal Cut Sets

Minimal cut set analysis rearranges the fault tree so that any basic event that appears in different parts of the fault tree is not "double counted" in the quantitative evaluation.

The result of minimal cut set analysis is a new fault tree, logically equivalent to the original.

The minimal cut sets (MCSs) for the top event are the group of sets consisting of the smallest combinations of basic events that result in the occurrence of the top event.

Why is it useful?

By identifying minimal cut sets, you can focus on the most critical components that need to be checked or fixed to prevent the top event from happening.

Procedure

Steps to get the final Boolean equation (example tree: TOP = IE1 + IE2, with IE1 = A.B and IE2 = C.D):

1. Replace AND gates with the product of their inputs:
   IE1 = A.B
   IE2 = C.D
2. Replace OR gates with the sum of their inputs:
   TOP = IE1 + IE2 = A.B + C.D
3. Continue this replacement until all intermediate event gates have been replaced and only the basic events remain in the equation:
   TOP = A.B + C.D

Procedure

Boolean algebra reduction example (tree: TOP = IE1 + IE2, IE1 = A.B, IE2 = A + IE3, IE3 = C.D.IE4, IE4 = D.B):

TOP = IE1 + IE2
    = (A.B) + (A + IE3)
    = A.B + A + (C.D.IE4)
    = A.B + A + (C.D.D.B)
    = A + A.B + B.C.D.D      (D.D = D)
    = A + A.B + B.C.D        (A + A.B = A)
    = A + B.C.D

So the minimal cut sets are:
CS1 = A
CS2 = B.C.D
meaning the TOP event occurs if either A occurs OR (B.C.D) occurs.

Fault Tree Basics

• Logically, fault trees are equivalent if the associated logical formulae are equivalent.

What are the minimal cut sets of this FT?

Fault Tree Construction

Consider the following block diagram. Let I/P and O/P be the input and output terminals. There are two sub-systems A and B that are connected in series.

(Block diagram: INPUT -> sub-system A (blocks X1, X2) -> sub-system B (blocks X3, X4) -> OUTPUT)

The fault tree analysis diagram for this is shown in the next slide.

Example: simple fault tree for a fire

What is the probability of the top event (Fire)?

For the fire to occur there need to be:
• Fuel.
• Oxygen.
• An ignition source.
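The Boolean reduction procedure from the earlier slides and the fire question above can both be checked with the following script, an added example that is not part of the lecture. The three trees are transcriptions of the slides' own formulas; the gate encoding, the basic-event probabilities and the ordering of the output are constructed for the illustration. The script expands AND/OR gates into a sum of products, applies idempotence (D.D = D) and absorption (A + A.B = A) to obtain the minimal cut sets, and then contrasts a naive gate-by-gate probability (which double counts A, B and D because they appear under several gates) with the exact value computed by inclusion-exclusion over the minimal cut sets.

```python
from itertools import combinations, product

# A fault tree is written as nested tuples: ("and", [inputs]) or ("or", [inputs]);
# a plain string is a basic event. Trees below transcribe the lecture's formulas.

# Boolean reduction example: TOP = IE1 + IE2, IE1 = A.B, IE2 = A + IE3,
# IE3 = C.D.IE4, IE4 = D.B
BOOLEAN_EXAMPLE = ("or", [
    ("and", ["A", "B"]),                                       # IE1
    ("or", ["A", ("and", ["C", "D", ("and", ["D", "B"])])]),  # IE2 = A + IE3, IE4 = D.B
])

# "An example fault tree": (A + (B + C)) . (C + (A . B))
NESTED_EXAMPLE = ("and", [
    ("or", ["A", ("or", ["B", "C"])]),
    ("or", ["C", ("and", ["A", "B"])]),
])

# Fire example: fuel AND oxygen AND an ignition source
FIRE = ("and", ["fuel", "oxygen", "ignition"])


def cut_sets(node):
    """Steps 1-3 of the procedure: AND gates become products, OR gates become
    sums, until only basic events remain. Returns the sum of products as a list
    of frozensets (a frozenset already applies the idempotence rule D.D = D)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, inputs = node
    expanded = [cut_sets(child) for child in inputs]
    if gate == "or":
        return [cs for child in expanded for cs in child]
    if gate == "and":
        return [frozenset().union(*combo) for combo in product(*expanded)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(tree):
    """Absorption (A + A.B = A): drop any cut set that contains another cut set
    as a proper subset. What remains is the single OR gate of minimal cut sets."""
    sets = set(cut_sets(tree))
    minimal = [cs for cs in sets if not any(other < cs for other in sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def gate_probability(node, p):
    """Naive gate-by-gate evaluation (AND = product, OR = 1 - prod(1 - p)).
    Only valid when no basic event feeds more than one gate; otherwise the
    shared event is double counted and the result is biased."""
    if isinstance(node, str):
        return p[node]
    gate, inputs = node
    probs = [gate_probability(child, p) for child in inputs]
    if gate == "and":
        result = 1.0
        for q in probs:
            result *= q
        return result
    survive = 1.0
    for q in probs:
        survive *= 1.0 - q
    return 1.0 - survive


def probability_via_mcs(mcs, p):
    """Exact P(TOP) for independent basic events: inclusion-exclusion over the
    minimal cut sets, so each basic event is counted once however often it
    appeared in the original tree."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            term = 1.0
            for e in events:
                term *= p[e]
            total += term if k % 2 == 1 else -term
    return total


if __name__ == "__main__":
    p = {"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}  # constructed basic-event probabilities
    mcs = minimal_cut_sets(BOOLEAN_EXAMPLE)
    print("minimal cut sets :", [sorted(cs) for cs in mcs])             # [['A'], ['B', 'C', 'D']]
    print("P(TOP) via MCS   :", probability_via_mcs(mcs, p))            # 0.1216
    print("P(TOP) naive     :", gate_probability(BOOLEAN_EXAMPLE, p))   # 0.1264672 (over-counts)
    print("nested example   :", [sorted(cs) for cs in minimal_cut_sets(NESTED_EXAMPLE)])
    p_fire = {"fuel": 0.1, "oxygen": 1.0, "ignition": 0.05}              # constructed
    print("P(fire)          :", probability_via_mcs(minimal_cut_sets(FIRE), p_fire))  # 0.005
```

For the reduction example the minimal cut sets come out as {A} and {B, C, D}, matching the slide. With independent basic events the exact top-event probability is P(A) + P(B)P(C)P(D) - P(A)P(B)P(C)P(D); evaluating the original gates directly gives a larger number because A, B and D are each multiplied in more than once, which is precisely the double counting the minimal cut set rearrangement removes. For the fire tree there is a single cut set and P(fire) is simply the product of the three inputs.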

Uses of FTA
• Use of FTA to understand the logic leading to the top event.
• Use of FTA to prioritize the contributors leading to the top event.
• Use of FTA as a proactive tool to prevent the top event.
• Use of FTA to monitor the performance of the system.
• Use of FTA to minimize and optimize resources.
• Use of FTA to assist in designing a system.
• Use of FTA as a diagnostic tool to identify and correct causes of the top event.

Advantages
• Begins with the top event.
• Used to determine the minimal cut sets.

Disadvantages
• Complicated process.
• Requires a considerable amount of time to complete.

Event Trees
• Event trees begin with an initiating event and work towards the final result.
• This method provides information on how a failure can occur and the probability of occurrence.
• Event trees are generated both in the success and failure domains. It is a bottom-up, inductive approach.
• This technique explores system responses to an initiating "challenge" and enables assessment of the probability of an unfavorable or favorable outcome. The system challenge may be a failure or fault, an undesirable event, or a normal system operating command.
• In constructing the event tree, one traces each path to eventual success or failure.
Event tree development procedure

Step 1: Identification of the initiating event
Step 2: Identification of safety functions
Step 3: Construction of the event tree
Step 4: Classification of outcomes
Step 5: Estimation of the conditional probability of each branch
Step 6: Quantification of outcomes
Step 7: Evaluation
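The seven steps above carried out end to end on a small constructed event tree, as an added example that is not part of the lecture: the initiating event, the three safety functions, their conditional failure probabilities and the outcome classification rule are all assumptions made for the illustration. The script walks every success/failure branch (Step 3), skips a safety function on paths where it is not demanded, lets a branch probability depend on the branches taken before it (Step 5), classifies each complete sequence (Step 4) and multiplies by the initiating frequency to get the frequency of each outcome class (Step 6).

```python
# Constructed example (assumption, not the lecture's data): a "loss of cooling"
# initiating event followed by three safety functions. Frequencies are per year,
# probabilities are conditional on the function being demanded.
INITIATING_EVENT = "loss of cooling"
INITIATING_FREQUENCY = 1e-2  # per year (constructed)

SAFETY_FUNCTIONS = ["automatic shutdown", "backup pump", "operator response"]


def demanded(function, path):
    """Steps 2/3: a safety function only gets a branch when the path so far
    calls for it. Here the backup pump and the operators are only needed if the
    automatic shutdown has failed (constructed rule)."""
    if function == "automatic shutdown":
        return True
    return path.get("automatic shutdown") == "fail"


def failure_probability(function, path):
    """Step 5: conditional failure probability of a branch. Operator failure is
    higher when the backup pump has also failed (constructed values)."""
    if function == "automatic shutdown":
        return 1e-2
    if function == "backup pump":
        return 5e-2
    if function == "operator response":
        return 0.3 if path.get("backup pump") == "fail" else 0.1
    raise KeyError(function)


def classify_outcome(path):
    """Step 4: map a complete sequence to an outcome class (constructed rule)."""
    if path["automatic shutdown"] == "success":
        return "safe shutdown"
    if path["backup pump"] == "success":
        return "controlled by backup" if path["operator response"] == "success" else "extended outage"
    return "degraded, recovered" if path["operator response"] == "success" else "severe damage"


def enumerate_sequences(functions=SAFETY_FUNCTIONS, index=0, path=None, prob=1.0):
    """Step 3: walk every branch, yielding (path, probability of the sequence
    conditional on the initiating event). Functions that are not demanded on a
    path are recorded as such and do not split the tree."""
    path = {} if path is None else path
    if index == len(functions):
        yield path, prob
        return
    f = functions[index]
    if not demanded(f, path):
        yield from enumerate_sequences(functions, index + 1, {**path, f: "not demanded"}, prob)
        return
    q = failure_probability(f, path)
    yield from enumerate_sequences(functions, index + 1, {**path, f: "success"}, prob * (1 - q))
    yield from enumerate_sequences(functions, index + 1, {**path, f: "fail"}, prob * q)


def outcome_frequencies():
    """Step 6: frequency of each outcome class = initiating frequency x sum of
    the probabilities of the sequences that end in that class."""
    freq = {}
    for path, prob in enumerate_sequences():
        outcome = classify_outcome(path)
        freq[outcome] = freq.get(outcome, 0.0) + INITIATING_FREQUENCY * prob
    return freq


if __name__ == "__main__":
    print(f"initiating event: {INITIATING_EVENT} at {INITIATING_FREQUENCY:.0e}/yr")
    for path, prob in enumerate_sequences():
        branches = ", ".join(f"{f}={r}" for f, r in path.items())
        print(f"{prob:.2e}  {classify_outcome(path):22s} {branches}")
    for outcome, f in outcome_frequencies().items():   # Step 7: compare outcome frequencies
        print(f"{f:.2e}/yr  {outcome}")
```

The sequence probabilities always sum to one, which is a useful sanity check on the branch probabilities after any edit to the tree; with these constructed numbers the "severe damage" sequence has a conditional probability of 0.01 x 0.05 x 0.3 and therefore a frequency of 1.5e-6 per year.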

Event Tree Structure

This is a complementary technique to FTA but defines the consequential events which flow from the primary 'initiating' event. Event trees are used to investigate the consequences of loss-making events in order to find ways of mitigating, rather than preventing, losses.

FTA for Evaluating Consequences



Event Tree Analysis

ADVANTAGES
• Structured, rigorous, and methodical approach.
• Can be effectively performed on varying levels of design detail.
• Permits probability assessment.

DISADVANTAGES
• An ETA can only have one initiating event; therefore multiple ETAs will be required to evaluate the consequences of multiple initiating events.
• Partial successes/failures are not distinguishable.
• Requires an analyst with some training and practical experience.

Fault Tree vs Event Tree Analysis

Key Differences

• Approach: FTA is a top-down, deductive approach focusing on causes of failure, whereas ETA is a bottom-up, inductive approach focusing on consequences of an initiating event.
• Focus: FTA is concerned with identifying root causes of a specific failure, while ETA is concerned with mapping out potential outcomes of an initiating event.
• Diagram: FTA uses logical gates to show the relationship between failures, while ETA uses branches to show different possible scenarios.

Both FTA and ETA are complementary techniques and can be used together for comprehensive risk assessment. FTA helps in understanding how failures can occur, while ETA helps in understanding the impact of those failures and how effective the mitigation measures are.