Lecture Notes 5


Fault Tree Analysis


FTA is a failure-oriented, deductive, top-down approach: an undesirable event associated
with the system is taken as the top event, and the various possible combinations of fault
events that lead to it are represented with logic gates. The fault tree is a qualitative model
that gives useful information on the various causes of the undesired top event; quantifying
the fault tree additionally yields the top-event occurrence probability and the relative
contribution of the basic causes and events. The fault tree approach is widely used in
probabilistic safety assessment.
The faults can be events associated with component hardware failure, software error,
human error, or any other relevant event that can lead to the top event. The gates show the
relationships between the faults (or events) needed for a higher event to occur; they thus
permit or inhibit the propagation of the fault logic up the tree. The gate symbol denotes
the type of relationship between the input (lower) events that is required for the output
(higher) event.

Procedure for Carrying out Fault Tree Analysis


The procedure for carrying out FTA is shown as a flow chart in Figure 3.37.
System Awareness and Details
Thorough understanding of the system is the prerequisite for doing FTA. System awareness
through discussion with designers, and operating and maintenance engineers is very important;
plant or system visits will also enhance it further. Input information such as the following
should be collected and studied:
• design basis reports;
• safety analysis reports (deterministic);
• technical specification report (for testing and maintenance information);
• history cards, maintenance cards, and safety-related unusual occurrence reports
for obtaining failure or repair data.
Defining Objectives, Top Event, and Scope of Fault Tree Analysis
Objectives are defined in consultation with the decision makers or managers who commissioned
the FTA. Though the general objective may be evaluation of the current design or comparison of
alternative designs, the particular objectives should be explicitly defined in terms of system failure.
The top event of the fault tree is the event that is analysed to find all credible ways in which
it could be brought about. The failure probability is determined for the defined top event, so the
top event is defined on the basis of the objectives of the analysis.
More than one top event may be required to meet the objectives; in such cases separate top
events are defined.
Lack of a proper understanding of the objectives may lead to an incorrect definition of the top
event, which in turn leads to wrong decisions. Hence it is extremely important to define and
understand the objectives of the analysis. After the top event has been identified from the
objectives, the scope of the analysis is defined. The scope of the FTA specifies which failures and
contributors are to be included in the analysis; it mainly consists of the boundary conditions for
the analysis. The boundary conditions comprise the initial states of the subsystems and the
assumed inputs to the system. Interfaces to the system, such as power sources or water supplies,
are typically included in the analysis; their assumed states need to be identified and recorded
in the assumptions.
Construction of the Fault Tree
The basic principle in constructing a fault tree is to “consider short-sightedly”: only the
immediate events or causes of the event being analysed are identified. The analysis does not jump
to the basic causes of the event. Instead, a small step is taken and the necessary and sufficient
immediate events are identified. Taking small steps backwards in this way ensures that all of the
relationships and primary causes are revealed. The backward stepping ends when the basic causes
that constitute the resolution of the analysis have been identified. Fault trees are developed to
the level of detail at which the best failure probability data are available. The terminology and
basic building blocks of fault trees are explained in the next section.
Qualitative Evaluation of the Fault Tree
Qualitative evaluation transforms the fault tree into logically equivalent forms that provide
more focused information, in particular the minimal cut sets of the top event. A minimal cut set
is a smallest combination of basic events (the bottom events of the fault tree) whose joint
occurrence causes the top event; the top event is therefore fully represented by its set of
minimal cut sets. Success sets (minimal path sets) that guarantee prevention of the top event
may also be identified. Methods of obtaining the minimal cut sets are explained in the subsequent
sections.
Data Assessment and Parameter Estimation
This step aims at acquiring and generating all the information necessary for the quantitative
evaluation of the fault tree. The tasks of this step include the following:
• identification of the models that describe the stochastic nature of certain phenomena
related to the events of interest, and of the corresponding parameters that need to be estimated;
• determination of the nature and sources of the relevant data;
• compilation and evaluation of the data to produce the necessary parameter estimates and
their associated uncertainties.
Quantitative Evaluation of the Fault Tree
Fault trees are quantified by first calculating the probability of each minimal cut set and then
combining the cut-set probabilities (in the common rare-event approximation they are simply
summed, which gives an upper bound on the top-event probability). The quantitative evaluation
produces the probability of the top event, reveals the dominant cut sets, and identifies the
important basic events that contribute to the top event.
Sensitivity studies and uncertainty propagation provide further key information.
Identifying the important basic events is very useful for decision making in resource
allocation and trade-off studies: surveillance, maintenance, and replacement can then be
focused on the critical events for cost-effective management of reliability or risk.
Interpretation and Presentation of the Results
It is very important to interpret the results of the analysis and to present them to the decision
makers effectively. FTA should not be limited to documentation and sets of numerical values. The
FTA results must be interpreted to provide tangible implications, especially concerning the
potential impact on the objectives.
Important Points to Be Considered while Constructing Fault Trees
The following issues should be considered carefully while carrying out FTA:
• To maintain consistency and traceability all the assumptions and simplifications made during
the analysis should be well documented.
• To ensure quality, consistency, and efficiency, standard computer codes should be used.
• To ensure the clarity and ease of identification of events, a standardized format needs to be
adopted while giving the names in the fault tree for intermediate and basic events. The format
should include specific component type and identification, the specific system in which the
component is located, and component failure mode. However, the formatting should be
compatible with the computer code adopted.
• To avoid double counting and/or complete omission of systems/interfaces/support
systems, it is strongly recommended that explicit definitions of boundary
conditions should be established and documented.
• It is important to check whether protective systems or testing practices may themselves
induce failures. If such failure causes are possible, they need to be considered in
the analysis.
• The following aspects should also be considered:
– human reliability issues;
– operator recovery actions;
– dependent and common-cause failures;
– external environment impact (fire, flood, seismic, and missile attack).

Elements of Fault Tree


A typical fault tree is shown in Figure 3.38. It depicts the various combinations of events that
lead to person X arriving late at the office. It is essential to understand some of the terms used
in FTA:
• Basic event: an initiating fault event that requires no further development.
• Intermediate event: a fault event that results from the logical combination of lower-level
(primary) failures.
• Top event: the undesired event for the system under consideration, which occurs as a result of
the occurrence of intermediate events; several different combinations of primary failures can
lead to it.

The symbols used in fault trees for representing events and their relations have been more or
less standardized. The symbols can be classified into three types, viz., event symbols (Table
3.3), gate symbols (Table 3.4), and transfer symbols (Table 3.5).
Evaluation of Fault Tree
The evaluation of fault tree includes both qualitative evaluation and quantitative evaluation.
The top event is expressed as a function of the basic events, i.e. its minimal cut sets, with the
help of Boolean algebra. Quantification is then carried out by applying probability to the Boolean
expression and substituting the respective basic-event probabilities. There is a one-to-one
correspondence between the fault tree gates and Boolean operations. Boolean algebra is explained
in Chapter 2.
The OR gate and the AND gate are present in practically every fault tree. Both are explained here
to obtain the basic probability expressions.
AND Gate
This gate allows the output event to occur only if all of the input events occur; it represents
the intersection of the input events and is equivalent to the Boolean symbol “⋅”.
For example, an AND gate with two input events A and B and output event T is represented by the
Boolean expression T = A⋅B (the symbol is omitted subsequently, so this is written T = AB).
A realistic example is loss of power supply to a personal computer, which requires two events:
failure of the mains supply and failure of the UPS (Figure 3.39).

OR Gate
This gate allows the output event to occur if any one or more of the input events occur; it
represents the union of the input events and is equivalent to the Boolean symbol “+”.
For example, an OR gate with two input events A and B and output event T is represented by the
Boolean expression T = A + B.
A practical example of an OR gate is a diesel generator (DG) that fails to start on demand either
because of an actuation failure or because the DG was already in a failed condition prior to the
demand (Figure 3.40).
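For independent input events A and B (the page's own symbols), the gate probability expressions work out as follows. This is an added worked derivation, not a formula reproduced from the original notes.

AND gate (intersection):
$$P(T) = P(A\cdot B) = P(A)\,P(B), \qquad P(T) = \prod_{i=1}^{n} P(A_i) \text{ for } n \text{ independent inputs.}$$

OR gate (union), obtained from the complement "no input occurs":
$$P(T) = P(A+B) = 1 - \bigl(1-P(A)\bigr)\bigl(1-P(B)\bigr) = P(A) + P(B) - P(A)\,P(B),$$
$$P(T) = 1 - \prod_{i=1}^{n}\bigl(1-P(A_i)\bigr) \;\le\; \sum_{i=1}^{n} P(A_i) \text{ for } n \text{ independent inputs.}$$

The inequality is the rare-event approximation: an upper bound that is tight when the $P(A_i)$ are small. With constructed values $P(A)=0.01$ (actuation failure) and $P(B)=0.05$ (DG already failed) for the DG example above, the exact OR-gate result is $0.0595$ while the approximation gives $0.06$. Both gate expressions hold only while the inputs are independent; a basic event that feeds two different gates breaks that assumption, which is why minimal cut sets are obtained before the tree is quantified.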
The probability formula for the top event T is given by
Before the quantitative reliability parameters are obtained from the fault tree, repeated
basic events and redundancies must be eliminated.
If the calculations are carried out directly on the unsimplified fault tree, the quantitative
values will be incorrect whenever a basic event appears under more than one gate. The
simplification is achieved by obtaining the minimal cut sets using the rules of Boolean algebra
and the algorithms developed for them.
Many methods are available in the literature, for example those of Vesely, Fussell, Kumamoto,
and Rasmuson. However, methods based on top-down or bottom-up successive substitution and on
Monte Carlo simulation are used most often. The latter is a numerical, computer-based
approach. The top-down successive substitution method can also be done by simple hand
calculation. In this method, each gate in the fault tree is replaced by the equivalent Boolean
expression of its inputs until only basic events remain, and the Boolean algebra rules are used
to reduce the resulting expression to its most compact form. The substitution process can proceed
from the top of the tree to the bottom or vice versa. The distributive law, the law of
idempotence (A⋅A = A, A + A = A), and the law of absorption (A + AB = A) are used extensively in
these calculations. The final expression thus obtained consists of the minimal cut sets in the
form of a sum of products, and can be written in the general form

Any fault tree consists of a finite number of minimal cut sets, which are unique for that top
event. If there are single-order cut sets, each of those single failures on its own leads to the
occurrence of the top event.
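The qualitative step described above (obtaining the minimal cut sets by top-down successive substitution, with idempotence and absorption applied) and the quantitative step (cut-set probabilities, the rare-event sum against the exact inclusion-exclusion result, and basic-event importance) are shown together in the following added Python example. It is not code from the lecture notes: the fault tree, the event names GRID, BREAKER, ACT and DG_PRIOR, and their probabilities are constructed for illustration, and the basic events are assumed to be independent. The tree deliberately feeds BREAKER into two gates, so it also shows why calculating gate by gate without first obtaining the minimal cut sets gives a wrong answer, and it contains a single-order cut set.

```python
"""Minimal cut sets and top-event probability for a small fault tree.

Added example, not from the lecture notes.  The tree, event names and
probabilities below are constructed for illustration.
"""
from itertools import combinations
from math import prod

# Constructed fault tree: gate -> (gate type, list of inputs).  An input that
# is not a gate name is a basic event.  BREAKER feeds two gates on purpose, so
# the tree contains a repeated basic event.
TREE = {
    "TOP":      ("AND", ["G_MAINS", "G_BACKUP"]),   # load loses its supply
    "G_MAINS":  ("OR",  ["GRID", "BREAKER"]),       # mains path fails
    "G_BACKUP": ("OR",  ["G_DG", "BREAKER"]),       # backup path fails
    "G_DG":     ("OR",  ["ACT", "DG_PRIOR"]),       # DG fails to start / already failed
}

# Constructed per-demand failure probabilities of the basic events.
P = {"GRID": 0.01, "BREAKER": 0.001, "ACT": 0.02, "DG_PRIOR": 0.005}


def minimize(cut_sets):
    """Law of absorption: drop every cut set that contains another cut set."""
    out = []
    for c in sorted(cut_sets, key=len):
        if not any(m <= c for m in out):
            out.append(c)
    return set(out)


def minimal_cut_sets(tree, node):
    """Top-down successive substitution.

    Each gate is replaced by the Boolean expression of its inputs until only
    basic events remain.  Cut sets are frozensets, so A*A = A (idempotence)
    falls out of the set union, and minimize() applies absorption.
    """
    if node not in tree:                       # basic event: a 1-element cut set
        return {frozenset([node])}
    kind, inputs = tree[node]
    child = [minimal_cut_sets(tree, i) for i in inputs]
    if kind == "OR":                           # union of the inputs' cut sets
        sets = set().union(*child)
    elif kind == "AND":                        # distributive law: every combination
        sets = {frozenset()}
        for cs in child:
            sets = {a | b for a in sets for b in cs}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(sets)


def cut_set_probability(cut, p):
    """Basic events are assumed independent, so P(cut set) is the product."""
    return prod(p[e] for e in cut)


def top_event_probability(mcs, p, exact=True):
    """P(top) from the minimal cut sets.

    exact=True  : inclusion-exclusion over the cut sets (exact for independent
                  basic events; cost grows exponentially with the number of cut sets).
    exact=False : rare-event approximation, the plain sum of cut-set
                  probabilities, which is an upper bound.
    """
    mcs = list(mcs)
    if not exact:
        return sum(cut_set_probability(c, p) for c in mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1 if k % 2 else -1
        for combo in combinations(mcs, k):
            # k cut sets all occur <=> every basic event in their union occurs
            total += sign * cut_set_probability(frozenset().union(*combo), p)
    return total


def naive_gate_probability(tree, node, p):
    """Gate-by-gate evaluation that treats every gate input as independent.

    This is the calculation "without simplifying" that the notes warn about:
    it is wrong whenever a basic event appears under more than one gate.
    """
    if node not in tree:
        return p[node]
    kind, inputs = tree[node]
    q = [naive_gate_probability(tree, i, p) for i in inputs]
    return prod(q) if kind == "AND" else 1 - prod(1 - x for x in q)


def fussell_vesely(event, mcs, p):
    """Fussell-Vesely importance: share of P(top) carried by cut sets containing the event."""
    containing = [c for c in mcs if event in c]
    return top_event_probability(containing, p) / top_event_probability(mcs, p)


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE, "TOP")
    print("minimal cut sets      :", sorted(sorted(c) for c in mcs))
    print("single-order cut sets :", [sorted(c) for c in mcs if len(c) == 1])
    print("P(top) exact          :", top_event_probability(mcs, P))
    print("P(top) rare-event     :", top_event_probability(mcs, P, exact=False))
    print("P(top) naive, no MCS  :", naive_gate_probability(TREE, "TOP", P))
    for e in P:
        print(f"FV importance {e:9s}: {fussell_vesely(e, mcs, P):.3f}")
```

Running the script prints the three minimal cut sets {BREAKER}, {GRID, ACT} and {GRID, DG_PRIOR}, with {BREAKER} as the single-order cut set; the exact top-event probability (about 1.249e-3) next to the rare-event sum (1.25e-3); the naive gate-by-gate value (about 2.8e-4, low by more than a factor of four because the shared breaker is counted as two independent failures); and the Fussell-Vesely importance of each basic event, which singles out BREAKER as the dominant contributor and therefore the first candidate for the surveillance and maintenance focus discussed under quantitative evaluation.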
