FAULT TREE ANALYSIS

I. CONCEPT DISCUSSION
Fault tree analysis (FTA) is a top-down, deductive failure analysis in which an undesired state of
a system is analyzed using Boolean logic to combine a series of lower-level events. This
analysis method is mainly used in the fields of safety engineering and reliability engineering to
understand how systems can fail, to identify the best ways to reduce risk, or to determine (or get
a feeling for) the event rates of a safety accident or of a particular system-level (functional) failure.
FTA is used in the aerospace, nuclear power, chemical and process, pharmaceutical, petrochemical
and other high-hazard industries, but it is also used in fields as diverse as identifying risk factors
for social service system failure. FTA is also used in software engineering for debugging
purposes and is closely related to the cause-elimination technique used to detect bugs.

In aerospace, the more general term "system Failure Condition" is used for the "undesired
state" which is the top event of the fault tree. These conditions are classified by the severity of
their effects. The most severe conditions require the most extensive fault tree analysis. These
"system Failure Conditions" and their classification are often previously determined in the
functional hazard analysis.

USAGE:
Understand the logic leading to the top event/undesired state.
Show compliance with the (input) system safety/reliability requirements.
Prioritize the contributors leading to the top event, creating the critical equipment/parts/events
lists for different importance measures.
Monitor and control the safety performance of the complex system (e.g. is a particular aircraft
safe to fly when fuel valve x malfunctions? For how long is it allowed to fly with the valve
malfunction?).
Minimize and optimize resources.
Assist in designing a system. The FTA can be used as a design tool that helps to create
(output/lower-level) requirements.
Function as a diagnostic tool to identify and correct causes of the top event. It can help with the
creation of diagnostic manuals/processes.

GRAPHIC SYMBOLS:
The basic symbols used in FTA are grouped as events, gates, and transfer symbols.
Figure 1: Graphic Symbols used in Fault Tree Analysis

EVENT SYMBOLS
These are used for primary and intermediate events. Primary events are not further developed
on the fault tree. Intermediate events are found at the output of a gate. The event symbols are
shown below:

Figure 2: Event Symbols used in Fault Tree Analysis

The primary event symbols are typically used as follows:

Basic Event - failure or error in a system component or element (example: switch stuck in open
position)
External Event - an event normally expected to occur (not of itself a fault)
Undeveloped Event - an event about which insufficient information is available, or which is of
no consequence
Conditioning Event - conditions that restrict or affect logic gates (example: mode of operation
in effect)
An intermediate event gate can be used immediately above a primary event to provide more
room to type the event description. FTA is a top-down approach.

GATE SYMBOLS:
Gate symbols describe the relationship between input and output events. The symbols are
derived from Boolean logic symbols:
Figure 3: Gate Symbols used in Fault Tree Analysis

The gates work as follows:


OR gate - the output occurs if any input occurs
AND gate - the output occurs only if all inputs occur (inputs are independent)
Exclusive OR gate - the output occurs if exactly one input occurs
Priority AND gate - the output occurs if the inputs occur in a specific sequence
specified by a conditioning event
Inhibit gate - the output occurs if the input occurs under an enabling condition
specified by a conditioning event

TRANSFER SYMBOLS:
Transfer symbols are used to connect the inputs and outputs of related fault trees, such as the
fault tree of a subsystem to that of its system. NASA has prepared a complete document on FTA,
illustrated with practical incidents.

Figure 4: Transfer Symbols used in Fault Tree Analysis

BASIC MATHEMATICAL FOUNDATION


Events in a fault tree are associated with statistical probabilities. For example, component
failures may typically occur at some constant failure rate $\lambda$ (a constant hazard function). In this
simplest case, the failure probability depends on the rate $\lambda$ and the exposure time $t$:

$P = 1 - e^{-\lambda t}$

$P \approx \lambda t, \quad \lambda t < 0.1$

A fault tree is often normalized to a given time interval, such as a flight hour or an average
mission time. Event probabilities depend on the relationship of the event hazard function to this
interval.
Unlike conventional logic gate diagrams, in which inputs and outputs hold the binary values
TRUE (1) or FALSE (0), the gates in a fault tree output probabilities related to the set operations
of Boolean logic. The probability of a gate's output event depends on the input event
probabilities.

An AND gate represents a combination of independent events. That is, the probability of any
input event to an AND gate is unaffected by any other input event to the same gate. In set
theoretic terms, this is equivalent to the intersection of the input event sets, and the probability
of the AND gate output is given by:

$P(A \text{ and } B) = P(A \cap B) = P(A)\,P(B)$

An OR gate, on the other hand, corresponds to set union:

$P(A \text{ or } B) = P(A \cup B) = P(A) + P(B) - P(A \cap B)$

Since failure probabilities on fault trees tend to be small (less than 0.01), $P(A \cap B)$ usually
becomes a very small error term, and the output of an OR gate may be conservatively
approximated by assuming that the inputs are mutually exclusive events:

$P(A \text{ or } B) \approx P(A) + P(B), \quad P(A \cap B) \approx 0$

An exclusive OR gate with two inputs represents the probability that one or the other input, but
not both, occurs:

$P(A \text{ xor } B) = P(A) + P(B) - 2P(A \cap B)$

Again, since $P(A \cap B)$ usually becomes a very small error term, the exclusive OR gate has
limited value in a fault tree.
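The gate formulas above, as an added worked example (this is not code from the original document): the constant-failure-rate basic event, the AND gate, the exact and the conservative OR gate, and the two-input exclusive OR, applied to a constructed top event, loss of an MFA service, whose failure rates are assumed for illustration. The OR gate goes one step beyond the text by generalising the two-input formula to n independent inputs as 1 - prod(1 - P_i), which reduces to P(A) + P(B) - P(A)P(B) for two inputs.

```python
import math


def basic_event_probability(failure_rate, exposure_time):
    """Exact failure probability for a constant failure rate (constant hazard
    function) over an exposure time: P = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-failure_rate * exposure_time)


def basic_event_approximation(failure_rate, exposure_time):
    """Linear approximation P ~= lambda * t, adequate while lambda * t < 0.1.
    It always over-estimates the exact value slightly (conservative)."""
    return failure_rate * exposure_time


def and_gate(*inputs):
    """AND gate: inputs are independent, so the output probability is the
    product of the input probabilities (set intersection)."""
    probability = 1.0
    for p in inputs:
        probability *= p
    return probability


def or_gate(*inputs):
    """OR gate, exact for independent inputs (set union). For two inputs this
    is P(A) + P(B) - P(A)P(B); for n inputs it generalises to
    1 - prod(1 - P_i), the probability that at least one input occurs."""
    none_occur = 1.0
    for p in inputs:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def or_gate_rare_event(*inputs):
    """Conservative OR gate: treats the inputs as mutually exclusive, so the
    intersection term is dropped and the output is simply the sum. It never
    under-estimates the exact value."""
    return sum(inputs)


def xor_gate(p_a, p_b):
    """Two-input exclusive OR for independent inputs:
    P(A xor B) = P(A) + P(B) - 2 P(A)P(B)."""
    return p_a + p_b - 2.0 * p_a * p_b


def mfa_service_outage(exposure_hours):
    """Constructed scenario (hypothetical rates, not from the text): the MFA
    service is lost if both redundant nodes fail (AND) or the network partitions
    (OR). Returns the exact and the conservative top-event probabilities."""
    node_rate = 2e-4        # failures per hour, assumed
    partition_rate = 1e-5   # partitions per hour, assumed
    primary_down = basic_event_probability(node_rate, exposure_hours)
    standby_down = basic_event_probability(node_rate, exposure_hours)
    both_nodes_down = and_gate(primary_down, standby_down)
    network_partition = basic_event_probability(partition_rate, exposure_hours)
    return {
        "exact": or_gate(both_nodes_down, network_partition),
        "conservative": or_gate_rare_event(both_nodes_down, network_partition),
    }


if __name__ == "__main__":
    result = mfa_service_outage(24)
    print(f"exact P(outage in 24 h)        = {result['exact']:.6e}")
    print(f"conservative P(outage in 24 h) = {result['conservative']:.6e}")
    # how far the lambda*t shortcut drifts from the exact value at the 0.1 limit
    drift = basic_event_approximation(0.1, 1) - basic_event_probability(0.1, 1)
    print(f"lambda*t approximation error at lambda*t = 0.1: {drift:.4f}")
```

Running the scenario for a 24 hour exposure shows the point made in the text: the redundant node pair contributes far less than the single network partition, and the conservative OR output exceeds the exact one only by the product term, which is negligible at these magnitudes.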

II. FTA PROCEDURE


A single fault tree is used to analyze one and only one undesired event (the top event), which may
subsequently be fed into another fault tree as a basic event. Though the nature of the undesired
event may vary dramatically, an FTA follows the same procedure for any undesired event, be it a
delay of 0.25 ms in the generation of electrical power, an undetected cargo bay fire, or the
random, unintended launch of an ICBM. Because of the labor cost, an FTA is normally performed
only for the more serious undesired events.
It involves five steps:
1. Define the undesired event to study
The undesired event can be very hard to pin down, although some events are easy and
obvious to observe. An engineer with wide knowledge of the system design, or a system
analyst with an engineering background, is the best person to define and number the
undesired events. Each undesired event is then used to make one FTA: one event per
fault tree, never two events in one tree.
2. Obtain an understanding of the system
Once the undesired event is selected, all causes with a probability of 0 or more of
affecting the undesired event are studied and analyzed. Getting exact numbers for the
probabilities leading to the event is usually impossible, because doing so is very costly
and time consuming. Computer software is used to study the probabilities, which may
make the system analysis less costly.
System analysts can help with understanding the overall system. System designers have
full knowledge of the system, and this knowledge is essential for not missing any cause
that affects the undesired event. For the selected event, all causes are then numbered
and sequenced in their order of occurrence and used in the next step, which is drawing
or constructing the fault tree.
3. Construct the fault tree
Having selected the undesired event and analyzed the system so that all causal factors
(and, where possible, their probabilities) are known, the fault tree can now be
constructed. The fault tree is built from AND and OR gates, which define its major
characteristics.
4. Evaluate the fault tree
After the fault tree has been assembled for a specific undesired event, it is evaluated and
analyzed for possible improvements; in other words, the risks are studied and ways to
improve the system are sought. This step serves as an introduction to the final step,
controlling the hazards identified. In short, in this step all hazards that affect the system
directly or indirectly are identified.
5. Control the hazards identified
This step is very specific and differs greatly from one system to another, but the main
point is always that, after the hazards have been identified, all possible methods are
pursued to decrease their probability of occurrence.
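Steps 3 and 4 of the procedure, constructing the tree from AND and OR gates and then evaluating it to find and prioritize the contributors, as an added worked example that is not part of the original document. The top event is the text's own "undetected cargo bay fire"; the causes beneath it, the per-flight probabilities, and the tuple representation of the tree are illustrative assumptions. The evaluation computes the minimal cut sets (the smallest combinations of basic events that are each sufficient to cause the top event), ranks them by probability, and sums them under the rare-event OR approximation from the mathematical foundation section.

```python
# Tree representation (an assumption for this example, not from the text):
# a basic event is a string; a gate is a tuple ("AND", ...) or ("OR", ...)
# whose remaining elements are its input events or sub-gates.


def minimal_cut_sets(node):
    """Return the minimal cut sets of a fault tree: the smallest combinations
    of basic events that are each sufficient to cause the node's event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *inputs = node
    input_sets = [minimal_cut_sets(child) for child in inputs]
    if gate == "OR":
        # any single input causes the output: collect every input's cut sets
        candidates = [cs for sets in input_sets for cs in sets]
    elif gate == "AND":
        # all inputs must occur: combine one cut set from each input
        candidates = [frozenset()]
        for sets in input_sets:
            candidates = [a | b for a in candidates for b in sets]
    else:
        raise ValueError(f"unsupported gate {gate!r}")
    return _minimize(candidates)


def _minimize(cut_sets):
    """Drop duplicates and any cut set that contains another one (absorption:
    if {A} alone suffices, {A, B} is not minimal)."""
    unique = set(cut_sets)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def rank_cut_sets(tree, event_probabilities):
    """Probability of each minimal cut set (product of its independent basic
    events), sorted from most to least likely, plus the rare-event
    approximation of the top event as the sum over all cut sets."""
    ranked = []
    for cs in minimal_cut_sets(tree):
        p = 1.0
        for event in cs:
            p *= event_probabilities[event]
        ranked.append((cs, p))
    ranked.sort(key=lambda item: item[1], reverse=True)
    top_event = sum(p for _, p in ranked)
    return ranked, top_event


# Constructed fault tree: the fire goes undetected only if a fire occurs AND
# the detection chain fails somewhere. Structure and values are assumptions.
UNDETECTED_CARGO_BAY_FIRE = (
    "AND",
    "fire in cargo bay",
    ("OR",
     "smoke detector fails",
     "detector wiring open",
     ("AND", "warning lamp burnt out", "audible alarm disabled")),
)

# Assumed per-flight probabilities of the basic events (illustrative only).
PER_FLIGHT_PROBABILITY = {
    "fire in cargo bay": 1e-5,
    "smoke detector fails": 1e-3,
    "detector wiring open": 5e-4,
    "warning lamp burnt out": 1e-2,
    "audible alarm disabled": 2e-3,
}


if __name__ == "__main__":
    ranked, top = rank_cut_sets(UNDETECTED_CARGO_BAY_FIRE, PER_FLIGHT_PROBABILITY)
    for cut_set, p in ranked:
        print(f"{p:.2e}  {' AND '.join(sorted(cut_set))}")
    print(f"top event (rare-event approximation): {top:.2e} per flight")
```

The ranked list is the "critical events list" the usage section refers to: here the single smoke detector failure dominates, so a second detector or a periodic detector self-test reduces the top-event probability more than hardening the lamp-and-alarm pair, which appears only in a three-event cut set. The same functions evaluate any tree built from the same tuple convention.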

COMPARISON WITH OTHER ANALYTICAL METHODS


Fault Tree Analysis:
Deductive
Top-down method
Aimed at analyzing the effects of initiating faults and events on a complex system
Very good at showing how resistant a system is to single or multiple initiating faults
Not good at finding all possible initiating faults
Considers external effects

Failure Mode and Effects Analysis:
Inductive
Bottom-up analysis method
Aimed at analyzing the effects of single component or function failures on equipment or
subsystems
Good at exhaustively cataloging initiating faults, and identifying their local effects
Not good at examining multiple failures or their effects at a system level
Does not consider external effects

BENEFITS OF FAULT TREES
A fault tree creates a visual record of a system that shows the logical relationships
between the events and causes that lead to failure. It helps others quickly understand
the results of your analysis, pinpoint weaknesses in the design and identify errors.
A fault tree diagram helps prioritize the issues to fix that contribute to a failure.
In many ways, the fault tree diagram creates the foundation for any further analysis and
evaluation.
For example, when changes or upgrades are made to the system, you already have a
set of steps to evaluate for possible effects and changes.
You can use a fault tree diagram to help you design quality tests and maintenance
procedures.

III. EXAMPLES OF FAULT TREES

Figure 4: Fault Tree Example 1


Figure 5: Fault Tree Example 2