Fault Trees, Event Trees and Success Trees


CHAPTER 9

Fault trees, event trees and success trees

Fault-tree analysis was developed by H.A. Watson of the Bell Telephone
Laboratories in 1961-2 as part of a US Air Force study contract for the
Minuteman missile launch control system. Through the years it has proved
to be a very valuable tool for the reliability evaluation of complex systems,
such as nuclear power stations, chemical plants, wide-body aeroplanes
and communication satellites. Fault-tree analysis is a deductive process
that splits up a complex event (system failure) into more detailed events,
such as subsystem failures, that might be responsible for this occurrence.
This process is repeated for each new event found and proceeds until only
basic events lacking more detailed descriptions are left. Since fault tree
analysis apparently uses a top-down approach, descending from the system
level to more detailed levels like subsystem or component levels, as is
also the case in a system design process, it is well suited to evaluate the
reliability effects of design considerations at each stage of the design
process. This, and the fact that one is free to choose the level of detail to
be reached, has made fault tree analysis very popular. Analogous to fault
trees, which describe undesired system performance (failure), success
trees can be constructed describing the successful action of a system. The
theory in this chapter applies to both types of event trees. Although the
general term 'event tree' is more correct we will stick to the current term
'fault tree' since reliability analysts are particularly interested in system
failures because these are the events of which the occurrences and impacts
must be minimized.
Over the last two decades many papers and books dealing with fault-
tree analysis have been published. Most of this literature is confined to
systems having only two-state components. This means that all components
are considered to be either good or failed and no distinction is made
between different failure modes. Practical systems, however, may contain
components having multiple failure mechanisms, and each mechanism
may have a different influence on the system performance, thus leading to
distinct failure modes. Furthermore, a sufficient description of system
performance might require multiple degrees of component deterioration
caused by a single failure mechanism to be distinguished. These multiple
failure modes might introduce dependent events in a fault tree which will
complicate the solution. Therefore, this chapter will show both: a simplified
solution which can be applied to fault trees with all independent events
and a formal solution method which has general validity.

D. J. Sherwin et al., The Reliability, Availability and Productiveness of Systems
© D.J. Sherwin and A. Bossche 1993
134 Fault, Event and Success Trees
Likewise, a system might have multiple failure modes as well. Therefore,
a fault tree can be set up for each of a system's failure modes or each
combination of these failure modes. The failure mode (or union of failure
modes) considered is called the top event of the corresponding fault tree.
Few authors considered these multi-state components (and systems) when
introducing algorithms to calculate the probability of a fault tree's top
event.
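To make the distinction between the two solution methods concrete, here is an added Python example that is not from the book: a bottom-up gate calculation that is only valid when the events feeding each gate are independent, beside an exact evaluation that enumerates every state of the basic events. The small tree, its AND/OR gates and the failure probabilities are constructed assumptions for illustration only.

```python
from itertools import product
from math import prod

# Constructed fault tree (not from the book). Tuples are gates
# ("AND", ...) / ("OR", ...); strings are basic events. The basic event
# "PSU" feeds both branches, so the two AND-gate outputs are dependent
# even though the basic events themselves are mutually independent.
TREE = ("OR", ("AND", "PSU", "pump_A"), ("AND", "PSU", "pump_B"))
PROB = {"PSU": 0.1, "pump_A": 0.2, "pump_B": 0.2}


def simplified(node, prob):
    """Bottom-up gate arithmetic; exact only if each gate's inputs are independent."""
    if isinstance(node, str):
        return prob[node]
    gate, *inputs = node
    ps = [simplified(n, prob) for n in inputs]
    if gate == "AND":                       # P(all inputs occur)
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)  # OR: 1 - P(no input occurs)


def occurs(node, state):
    """Boolean evaluation of the tree for one assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, *inputs = node
    results = [occurs(n, state) for n in inputs]
    return all(results) if gate == "AND" else any(results)


def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(n) for n in node[1:]))


def exact(tree, prob):
    """General method: sum the probability of every basic-event state in which
    the top event occurs. Correct with repeated events; cost grows as 2**n."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        if occurs(tree, state):
            total += prod(prob[e] if state[e] else 1.0 - prob[e] for e in events)
    return total


if __name__ == "__main__":
    print(f"simplified: {simplified(TREE, PROB):.4f}")  # 0.0396 (overestimate)
    print(f"exact:      {exact(TREE, PROB):.4f}")       # 0.0360
```

With the shared event the gate arithmetic overstates the top-event probability (it treats the two branches as independent), while a tree with no repeated basic events gives identical results from both methods.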

9.1 FAULT-TREE SYMBOLS AND DEFINITIONS

A fault tree is an oriented graph representing the causal relationships
between the top event, i.e. the complex event to be analysed, and its
causes. The name of the graph is derived from its form, which is very
similar to that of a tree (Fig. 9.1). The symbols used in fault trees

Fig. 9.1 Typical fault tree.
