
Technological Risk Methods

Fault Trees and Event Trees

© 2003, David M. Hassenzahl


Introduction
• Fault identification, correction and tolerance to improve design
• Fault Tree Analysis
◦ “A method to decompose it and look for situations that might lead to failure” (Software Engineering)
◦ Displays the logical path from effect to cause

Fault Tree Analysis, Fall


The Fault Tree
• Begin fault analysis by identifying possible failures in design, operation or maintenance
• Next build a graph whose nodes are failures
◦ Single component
◦ System function
◦ Entire system
• Edge = relationship among nodes by logical descriptor (AND, OR)
Fault Trees
• Long history in engineering
• Look at possible FAILURE
• Trace back possible CAUSES
• Applicable to many other risks
◦ Carcinogenesis
◦ Species loss



General Description
• Fault Tree Analysis (FTA) is a deductive reasoning technique that focuses on one particular accident event.
• The fault tree itself is a graphic model that displays the various combinations of equipment faults and failures that can result in the accident event.
• The solution of the fault tree is a list of the sets of equipment failures and human/operator errors that are sufficient to result in the accident event of interest.
• The strength of FTA as a qualitative tool is its ability to break down an accident into basic equipment failures and human errors. This allows the safety analyst to focus preventive measures on these basic causes to reduce the probability of an accident.

Purpose: Identify combinations of equipment failures and human errors that can result in an accident event.

When to Use:
a. Design: FTA can be used in the design phase of the plant to uncover hidden failure modes that result from combinations of equipment failures.
b. Operation: FTA including operator and procedure characteristics can be used to study an operating plant to identify potential combinations of failures for specific accidents.

Type of Results: A listing of sets of equipment and/or operator failures that can result in a specific accident. These sets can be qualitatively ranked by importance.

Nature of Results: Qualitative, with quantitative potential. The fault tree can be evaluated quantitatively when probabilistic data are available.

Data Requirements:
a. A complete understanding of how the plant/system functions.
b. Knowledge of the plant/system equipment failure modes and their effects on the plant/system.

Staffing Requirements
• One analyst should be responsible for a single fault tree, with frequent consultation with the engineers, operators, and other personnel who have experience with the systems/equipment that are included in the analysis.
• A team approach is desirable if multiple fault trees are needed, with each team member concentrating on one individual fault tree. Interactions between team members and other experienced personnel are necessary for completeness in the analysis process.

Time and Cost Requirements: Time and cost requirements for FTA are highly dependent on the complexity of the systems involved. Modeling a small process unit could require a day or less with an experienced team. Large problems, with many potential accident events and complex systems, could require several weeks even with an experienced analysis team.
Remember Uncertainty!
• Think through typology (see uncertainty lecture)
• Common Mode Failures
• Missing Components
• The Human Element
◦ Can’t leave this out
◦ “Nuclear power is safe…operator error is to blame” is internally contradictory



Classification of Failures
• Sudden versus gradual failures
• Hidden versus evident failures
• According to effects (critical, degraded or incipient)
• According to severity (catastrophic, critical, marginal or negligible)
• Primary failure, secondary failure and command fault

Component Failure Characteristics
• Primary failure: component within design envelope (natural aging)
• Secondary failure: excessive stresses (neighboring components, environment, plant personnel)
• Command fault: inadvertent control signals or noises (neighboring components, environment, plant personnel)
COMPONENT FAILURE CHARACTERISTICS
Primary Faults and Failures

Primary faults and failures are equipment malfunctions that occur in the environment for which the equipment was intended. These faults or failures are the responsibility of the equipment that failed and cannot be attributed to some external force or condition.

Secondary Faults and Failures

Secondary faults and failures are equipment malfunctions that occur in an environment for which the equipment was not intended. These faults or failures can be attributed to some external force or condition.

COMPONENT FAILURE CHARACTERISTICS
Command Faults and Failures

Command faults and failures are equipment malfunctions in which the component operates properly but at the wrong time or in the wrong place. These faults or failures can be attributed to the source of the incorrect command.

When the exact failure mode for a primary or secondary failure is identified, and failure data are obtained, primary and secondary failure events are the same as basic failures and are shown as circles in a fault tree.
[ EXAMPLE ]
1) Primary
• Tank rupture due to metal fatigue
2) Secondary
• Fuse is opened by excessive current
• Earthquake cracks storage tanks
• Pressure vessel rupture because some fault external to the vessel causes the internal pressure to exceed the design limits.
3) Command
• Power is applied inadvertently to relay coil.
• Noisy input to safety monitor randomly generates spurious shutdown signals.
Table 2.1 Gate Symbols (the gate symbols themselves are drawn on the original slides)

No.  Gate Name                                  Causal Relation
1    AND gate                                   Output event occurs if all input events occur simultaneously.
2    OR gate                                    Output event occurs if any one of the input events occurs.
3    Inhibit gate                               Input produces output when conditional event occurs.
4    Priority AND gate                          Output event occurs if all input events occur in the order from left to right.
5    Exclusive OR gate                          Output event occurs if one, but not both, of the input events occurs.
6    m out of n gate (voting or sample gate)    Output event occurs if m out of n input events occur.

Table 2.1 Gate Symbols (continued)


Table 2.2 Event Symbols

No.  Event Symbol   Meaning of Symbol
1    Circle         Basic event with sufficient data
2    Diamond        Undeveloped event
3    Rectangle      Event represented by a gate
4    Oval           Conditional event used with inhibit gate
5    House          House event, either occurring or not occurring
6    Triangle       Transfer symbol


Car Accident Fault Tree

[Figure: fault tree with top event “Car Accident”. Its inputs are “Non-deer accidents” and the pair “Deer in Road” and “Car fails to stop”; “Car fails to stop” has inputs “Driver distracted” and “Brakes Fail”, with “Brakes applied” shown beneath “Brakes Fail”.]
Top Event
• Primary undesired event of interest
• Denoted by a rectangle

Car Accident

Haimes, Page 544


Intermediate Event
• Fault event that is further developed
• Denoted by a rectangle

Brakes Fail

Haimes, Page 544


Basic Event
• Event requiring no further development
• Denoted by a circle

Deer in Roadway

Haimes, Page 544


Undeveloped Event
• Low consequence event
• Information not available
• Denoted by a diamond

All non-Deer Causes

Haimes, Page 544


“OR” Gate
• Output event occurs only if one or more input events occur
• Systems in series
• + , ∪ , union

Haimes, Page 544


“AND” Gate
• Output event occurs only if all input events occur
• Systems in parallel
• • , ∩ , intersection

Haimes, Page 544


Reliability
• Probability that the system operates correctly
• Boolean algebra
• Minimal set
◦ Smallest combination of component failures leading to top event

Haimes, Page 544 - 5


Boolean Algebra

Operation                  Probability   Mathematics   Engineering
Union of A and B           A or B        A ∪ B         A + B
Intersection of A and B    A and B       A ∩ B         A • B
Complement of A            Not A         A'            A'

Haimes, Page 549


Intersections and Unions
Graphical Representation

[Figure: Venn diagram of Driver Distracted (A), Brakes applied, fail (B) and Deer in Road (C), showing A ∩ B = 0 (A and B do not overlap) and the region (A ∪ B) ∩ C.]



Probability Possibilities
• If S = F + G
  P(S) = P(F) + P(G) – P(FG)
       = P(F) + P(G) – P(F)P(G|F)
       = P(F) + P(G) – P(F)P(G)   if independent
       = P(F) + P(G)              if rare events
• If S = F • G
  P(S) = P(F)P(G)   if independent

Haimes, Page 546 - 8


Deer Accident Equations
• Car Accident (S) if
◦ Deer in roadway (C) AND
◦ Driver distracted (A) OR brakes fail (B)
• S = (A ∪ B) ∩ C
• S = (A + B) • C
• S = (A union B) intersect C
• S = (A intersect C) union (B intersect C)



Probabilities

Event               Probability, f(time)
Deer in roadway     0.0026
Distracted driver   0.001
Brakes applied      0.999
Brake failure       0.0002

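To tie the Boolean-algebra and probability slides together, here is an added example (not from the lecture or from Haimes) that evaluates a fault tree with the deer-accident numbers above and with the batch-reactor figures later on the page, and that lists each tree's minimal cut sets. The nested-tuple tree layout and the exact wiring of the car-accident gates are my own assumptions.

```python
# Added example (not from the lecture notes): evaluate a fault tree given as
# nested tuples and list its minimal cut sets.  A gate is ("AND", ...) or
# ("OR", ...); a basic event is (name, probability).  AND multiplies its inputs
# (independence assumed); OR uses either the exact 1 - prod(1 - p) or the
# rare-event sum that the reactor slide uses (0.2 + 0.1 = 0.3 F/yr).  A
# frequency (F/yr) ANDed with a probability of failure on demand stays a frequency.
from itertools import product
from math import prod

def is_basic(node):
    return len(node) == 2 and isinstance(node[1], (int, float))

def evaluate(node, rare_event=False):
    """Probability (or frequency) of the event at `node`."""
    if is_basic(node):
        return node[1]
    gate, *inputs = node
    p = [evaluate(c, rare_event) for c in inputs]
    if gate == "AND":
        return prod(p)
    if gate == "OR":
        return sum(p) if rare_event else 1 - prod(1 - x for x in p)
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Smallest combinations of basic events that cause the top event."""
    if is_basic(node):
        return [frozenset([node[0]])]
    gate, *inputs = node
    sets = [minimal_cut_sets(c) for c in inputs]
    if gate == "AND":        # one cut set from every input, merged together
        cuts = [frozenset().union(*combo) for combo in product(*sets)]
    else:                    # OR: any single input's cut set suffices
        cuts = [c for s in sets for c in s]
    # drop any cut set that strictly contains another (it is not minimal)
    return [c for c in set(cuts) if not any(o < c for o in cuts)]

# Car accident tree from the slides, S = (A + B) . C, with the stated numbers
# (the slide's separate "Brakes applied" 0.999 is not part of S as written).
CAR_ACCIDENT = ("AND",
                ("OR", ("Driver distracted (A)", 0.001),
                       ("Brake failure (B)", 0.0002)),
                ("Deer in roadway (C)", 0.0026))

# Batch reactor explosion tree (Figure 2 on the page); F/yr and on-demand values as given there.
REACTOR_EXPLOSION = ("AND",
    ("AND",                                        # runaway reaction, F/yr
        ("OR", ("Flow controller fails", 0.2),     # F/yr
               ("Valve sticks open", 0.1)),        # F/yr
        ("OR", ("Valve fails to close", 0.05),     # probability on demand
               ("Thermocouple & relay fail", 0.01))),
    ("Bursting disc fails", 0.02))                 # probability on demand

if __name__ == "__main__":
    print(f"P(S) = {evaluate(CAR_ACCIDENT):.4e}", minimal_cut_sets(CAR_ACCIDENT))
    print(f"Reactor explosion = {evaluate(REACTOR_EXPLOSION, rare_event=True):.2e} /yr")
```

With the rare-event sum the reactor tree reproduces the figure's 3.6 × 10^-4 F/yr; the exact OR gives a slightly smaller value, which is the direction the rare-event approximation always errs in.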


Deer in Road Event Tree
Probabilities

[Figure: event tree, reconstructed here as an outline with the branch probabilities shown on the slide]
Initiating event: Deer runs into road (P = 1)
  Brakes Applied (P = 0.8)
    Brakes Function (P = 0.99)
      abrupt (P = 0.25) → Glancing
      effective (P = 0.60) → Safe
      late (P = 0.15) → Glancing
    Brakes Fail (P = 0.01)
      partial (P = 0.60) → Glancing
      complete (P = 0.40) → Collision
  Brakes not Applied (P = 0.2) → Collision
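An added example (not from the lecture notes) that enumerates every path of the deer event tree above, multiplying the branch probabilities along each path to get the probability of each outcome. The list-of-tuples layout, the optional initiating-event probability and the check that branches at each node sum to one are my own assumptions.

```python
# Added example (not from the lecture notes): event-tree path enumeration.
# A node is either an outcome label (str) or a list of branches
# (label, branch probability, next node).  Walking every path and multiplying
# the branch probabilities gives each outcome's probability; the numbers below
# are the ones on the "Deer in Road Event Tree" slide.
from collections import defaultdict

def outcome_probabilities(tree, p_initiating=1.0):
    """Return {outcome: probability} by enumerating all paths of `tree`."""
    totals = defaultdict(float)

    def walk(node, p):
        if isinstance(node, str):           # leaf: an outcome label
            totals[node] += p
            return
        branch_total = sum(b[1] for b in node)
        if abs(branch_total - 1.0) > 1e-9:  # branches must be exhaustive
            raise ValueError(f"branches sum to {branch_total}, not 1")
        for _label, q, nxt in node:
            walk(nxt, p * q)

    walk(tree, p_initiating)
    return dict(totals)

# Slide's tree; the initiating event "Deer runs into road" is shown with P = 1.
DEER_IN_ROAD = [
    ("brakes applied", 0.8, [
        ("brakes function", 0.99, [
            ("abrupt", 0.25, "Glancing"),
            ("effective", 0.60, "Safe"),
            ("late", 0.15, "Glancing"),
        ]),
        ("brakes fail", 0.01, [
            ("partial", 0.60, "Glancing"),
            ("complete", 0.40, "Collision"),
        ]),
    ]),
    ("brakes not applied", 0.2, "Collision"),
]

if __name__ == "__main__":
    for outcome, p in sorted(outcome_probabilities(DEER_IN_ROAD).items()):
        print(f"{outcome:10s} {p:.4f}")
```

Passing the fault-tree estimate for "deer in roadway" (0.0026 on the Probabilities slide) as p_initiating scales every outcome by that value, which is how an event tree is chained onto a fault tree's top event.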
[Figure: batch reactor schematic, showing the Material A and Material B feeds, a flow controller (FRC) with its flow control valve, a high-temperature interlock (TIS) with an emergency shut-off valve, and a bursting disc.]

Figure 2: Batch reactor explosion fault tree analysis (reconstructed as an outline; gate types as implied by the figure's values: OR inputs are summed, AND inputs are multiplied)

REACTOR EXPLOSION, 3.6 × 10^-4 F/yr
  AND
    RUNAWAY REACTION, 1.8 × 10^-2 F/yr
      AND
        FLOW CONTROL LOOP FAILS, 0.3 F/yr
          OR
            FLOW CONTROLLER FAILS, 0.2 F/yr
            VALVE STICKS OPEN, 0.1 F/yr
        TEMPERATURE INTERLOCK FAILS, 0.06 probability of failure on demand
          OR
            VALVE FAILS TO CLOSE, 0.05 probability of failure on demand
            THERMOCOUPLE & RELAY FAIL, 0.01 probability of failure on demand
    BURSTING DISC FAILS, 0.02 probability of failure on demand
Example 1: BlockSim
