
Fault Tree Analysis

Analytical Approaches
There are two generic analytical methods: induction and deduction.
What are the characteristics of these approaches?

Inductive Approaches
Induction constitutes reasoning from individual cases to a general conclusion.
Examples of the inductive approaches: Preliminary Hazards Analysis (PHA), Failure Mode and Effect Analysis (FMEA), Failure Mode Effect and Criticality Analysis (FMECA), Fault Hazard Analysis (FHA), and Event Tree Analysis.
Inductive methods assume some possible component condition or initiating event and try to determine the corresponding effect on the overall system.

Deductive Approaches
Deduction constitutes reasoning from the general to the specific.
We assume the system/components failed in a certain way, and attempt to find out what modes of system/component behaviour contribute to this failure.
Deductive analyses can be thought of as the accident investigations of real life.

Deductive Approaches
For example, what chain of events caused the sinking of an "unsinkable" ship such as the Titanic on its maiden voyage?
What failure processes, instrumental and/or human, contributed to the crash of a commercial airliner into a mountainside?
An example of a deductive method is Fault Tree Analysis.

Summary
Inductive methods are applied to determine what system states (usually failed states) are possible; deductive methods are applied to determine how a given system state (usually a failed state) can occur.

"Parts Count" Approach
The simplest and most conservative assumption we can make about a system is that any single component failure will produce complete system failure.
An upper bound on the probability of system failure is then straightforward to obtain: simply list all the components along with their estimated probabilities of failure.
The individual component probabilities are then added, and this sum provides an upper bound on the probability of system failure.


"Parts Count" Approach

Component    Failure probability
A            fA
B            fB
C            fC
D            fD

where F, the failure probability for the system, is equal to fA + fB + fC + fD.

The failure probabilities can be failure rates, unreliabilities, or unavailabilities depending on the particular application.


Failure vs. Success Models
The operation of a system can be considered from two standpoints: we can enumerate the various ways for system success, or we can enumerate the various ways for system failure.


Fault tree analysis
Fault tree analysis is a deductive failure analysis which focuses on one particular undesired event and which provides a method for determining the causes of this event.
The undesired event constitutes the top event in a fault tree diagram constructed for the system, and generally consists of a complete, or catastrophic, failure.
Careful choice of the top event is important to the success of the analysis. If it is too general, the analysis becomes unmanageable; if it is too specific, the analysis does not provide a sufficiently broad view of the system.
Fault tree analysis can be an expensive and time-consuming exercise, and its cost must be measured against the cost associated with the occurrence of the relevant undesired event.

Basic Element of Fault Tree
A fault tree analysis can be simply described as an analytical technique.
We have to specify the undesired state of the system (usually a state that is critical from a safety standpoint), and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur.
A fault tree is a graphic model of the various parallel and sequential combinations of faults that will result in the occurrence of the predefined undesired event.
The faults can be events that are associated with component hardware failures, human errors, or any other pertinent events which can lead to the undesired event.
It depicts the logical interrelationships of the basic events that lead to the undesired event at the top of the tree.

Basic Element of Fault Tree
A fault tree is not a model of all possible system failures or all possible causes for system failure.
It is tailored to its top event, which corresponds to some particular system failure mode.
It only includes those faults that contribute to this top event.
Fault trees cannot be considered exhaustive: they cover only the most credible faults as assessed by the analyst.

Basic Element of Fault Tree
A fault tree is not a quantitative model. It is a qualitative model that can be evaluated quantitatively.
It can be used for virtually all varieties of system models.
The fact that a fault tree is a particularly convenient model to quantify does not change the qualitative nature of the model itself.

Basic Element of Fault Tree
A fault tree is a complex of entities known as "gates" which serve to permit or inhibit the passage of fault logic up the tree.
The gates show the relationships of events needed for the occurrence of a "higher" event.
The "higher" event is the "output" of the gate; the "lower" events are the "inputs" to the gate.
The gate symbol denotes the type of relationship of the input events required for the output event.
Gates are somewhat analogous to switches in an electrical circuit or two valves in a piping layout.

Basic Element of Fault Tree
A typical fault tree is composed of a number of symbols which are described in detail in the following slides.

Primary event
The primary events of a fault tree are those events which are not further developed.
Their probabilities have to be provided if the fault tree is to be used for computing the probability of the top event.
There are four types of primary events:

BASIC
A basic initiating fault requiring no further development

CONDITIONING
Specific conditions or restrictions that apply to any logic gate

UNDEVELOPED
An event which is not further developed either because it is of insufficient
consequence or because information is unavailable

EXTERNAL
An event which is normally expected to occur

Building Blocks of the FTA

Event symbols:
BASIC
CONDITIONING: records any conditions or restrictions
UNDEVELOPED: a specific fault event that is not further developed
EXTERNAL: used to signify an event that is normally expected

Building Blocks of the FTA

Event symbol:
INTERMEDIATE EVENT: a fault event that occurs because of one or more antecedent causes acting through logic gates

Building Blocks of the FTA

Gate symbols:
AND: output fault occurs if all of the input faults occur
OR: output fault occurs if at least one of the input faults occurs
EXCLUSIVE OR: output fault occurs if exactly one of the input faults occurs
PRIORITY AND
INHIBIT: output fault occurs if the (single) input fault occurs in the presence of an enabling condition

Building Blocks of the FTA

OR gate: event Q occurs if A occurs, B occurs, or both A and B occur.
AND gate: event Q occurs if A occurs and B occurs.
INHIBIT gate: event Q occurs only if input A occurs under the condition specified by input B.


Example of FTA
A vehicle headlamp.
The electric circuit is very simple and includes the battery, the switch, the lamp itself, and the wire harness (Figure 1).
For simplicity, we will assume that the latter is reliable enough to be excluded from our study.
We will also assume certain failure probabilities for some components.
For a given time period, the probability of failure shown on the figure is the unreliability for the assigned distribution of failures (not necessarily normal). Such probabilities can be estimated from warranty


Example of FTA
P1 = 0.01, P2 = 0.01, P3 = 0.001, and P5 = 0.02
P4 = P1 + P2 - P1 x P2 = 0.0199
P6 = P3 + P4 + P5 - P3 x P4 - P3 x P5 - P4 x P5 + P3 x P4 x P5 = 0.04046
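As an added example (not part of the slides), the following Python evaluator implements the AND, OR, EXCLUSIVE OR and INHIBIT gate semantics from the building-blocks slides, the "parts count" upper bound, and the headlamp arithmetic above, assuming independent primary events. The tree structure P4 = OR(P1, P2) and P6 = OR(P3, P4, P5) is inferred from the formulas shown; the slides do not say which circuit element each numbered event is, so the numeric labels are kept, and the class and function names are my own.

```python
from dataclasses import dataclass
from math import prod
from typing import Iterator, List, Union


@dataclass
class Basic:
    """Primary (basic) event: not developed further, probability supplied."""
    name: str
    p: float


@dataclass
class Gate:
    """Intermediate event: the output fault is produced by the inputs acting
    through a logic gate. kind is 'AND', 'OR', 'XOR' or 'INHIBIT'; for INHIBIT
    the two inputs are the single input fault and the enabling condition."""
    name: str
    kind: str
    inputs: List["Node"]


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Probability that the event occurs, assuming all primary events are
    independent (the assumption behind the P4 and P6 formulas on the slide)."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        # all input faults must occur
        return prod(ps)
    if node.kind == "OR":
        # at least one input occurs: 1 - P(none occur). This is the closed form
        # of the inclusion-exclusion sum P3 + P4 + P5 - P3*P4 - ... on the slide.
        return 1.0 - prod(1.0 - p for p in ps)
    if node.kind == "XOR":
        # exactly one input occurs
        return sum(
            p * prod(1.0 - q for j, q in enumerate(ps) if j != i)
            for i, p in enumerate(ps)
        )
    if node.kind == "INHIBIT":
        # the single input fault occurs in the presence of the enabling condition
        fault, condition = ps
        return fault * condition
    raise ValueError(f"unknown gate kind {node.kind!r}")


def basic_events(node: Node) -> Iterator[Basic]:
    """Walk the tree and yield every primary event beneath the node."""
    if isinstance(node, Basic):
        yield node
    else:
        for child in node.inputs:
            yield from basic_events(child)


def parts_count_bound(node: Node) -> float:
    """'Parts count' upper bound: assume any single primary event fails the
    whole system and add the primary event probabilities (F = fA + fB + ...)."""
    return sum(b.p for b in basic_events(node))


def headlamp_tree() -> Gate:
    """Tree matching the slide's arithmetic (constructed from the numbers
    given): P4 = OR(P1, P2); top event P6 = OR(P3, P4, P5)."""
    p1, p2 = Basic("P1", 0.01), Basic("P2", 0.01)
    p3, p5 = Basic("P3", 0.001), Basic("P5", 0.02)
    p4 = Gate("P4", "OR", [p1, p2])
    return Gate("P6", "OR", [p3, p4, p5])


if __name__ == "__main__":
    top = headlamp_tree()
    print(f"P4 = {probability(top.inputs[1]):.4f}")            # 0.0199
    print(f"P6 = {probability(top):.5f}")                      # 0.04046
    print(f"parts-count bound = {parts_count_bound(top):.3f}")  # 0.041
```

The parts-count sum (0.041) is always at least the exact OR-gate result (0.04046) because the sum counts overlapping failures more than once, which is exactly why the slides describe it as a conservative upper bound.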

Faults vs. Failures
We distinguish the word failure from the more general word fault.
Consider a relay. If the relay closes properly when a voltage is impressed across its terminals, we call this a relay "success." If, however, the relay fails to close under these circumstances, we call this a relay "failure."

Faults vs. Failures
Another possibility is that the relay closes at the wrong time due to the improper functioning of some upstream component.
This is clearly not a relay failure; however, untimely relay operation may well cause the entire circuit to enter an unsatisfactory state.

Faults vs. Failures
We shall call an occurrence like this a "fault."
What can we say about failures and faults? All failures are faults, but not all faults are failures.

Fault Occurrence vs. Fault Existence
A fault may be repairable or not, depending on the nature of the system.
Under conditions of no repair, a fault that occurs will continue to exist.
In a repairable system a distinction must be made between the occurrence of a fault and its existence. Actually, this distinction is of importance only in fault tree quantification.

Passive vs. Active Components
A passive component contributes in a more or less static manner to the functioning of the system.
The failure of a passive component will result in the non-transmission (or, perhaps, partial transmission) of its "signal."
An active component contributes in a more dynamic manner to the functioning of its parent system by modifying system behaviour in some way.
An active component acts as a "transfer function."

Passive vs. Active Components
In constructing a fault tree, the basic concepts of failure effects, failure modes, and failure mechanisms are important in determining the proper interrelationships among the events.
