Fault Tree

Analysis
Clifton A. Ericson II
[email protected]
[email protected]

1 © C. Ericson 1999
 Fault Tree Analysis
Clifton A. Ericson II
Sept. 2000

[email protected] or [email protected]

2 © C. Ericson 1999
 Fault Tree Analysis

Outline
n Overview
n History
n Basic Process
n Definitions
n Construction
n Mathematics
n Evaluation
n Pitfalls
n Rules
n Examples

3 © C. Ericson 1999
 Fault Tree Analysis

FTA Overview

4 © C. Ericson 1999
 Introduction

“To design systems that work correctly

we often need to understand and
correct how they can go wrong.”
Dan Goldin, NASA Administrator, 2000

FTA identifies, models and evaluates the

unique interrelationship of events leading to :
• Failure
• Undesired Events / States
• Unintended Events / States

5 © C. Ericson 1999
 FTA - Description

l Tool
n evaluate complex systems
n identify events that can cause an Undesired Event
n safety, reliability, unavailability, accident investigation

l Analysis
n identifies root causes
n deductive (general to the specific)
n provides risk assessment
F cut sets (qualitative)
F probability (quantitative)

6 © C. Ericson 1999
 FTA - Description

l Model A picture is worth

a 1,000 words!
n visual
n displays cause-consequence relationships
n fault events, normal events, paths
n probability

l Methodology
n defined, structured and rigorous
n easy to learn, perform and follow
n utilizes Boolean Algebra, probability theory, reliability theory, logic
n follows the laws of physics, chemistry and engineering

7 © C. Ericson 1999
 Example FT
System
Battery Light

A B

System Undesired Event: Light Fails Off

Light Fails
FT Model Off

Bulb Switch A Switch B Battery Wire Fails

Fails Fails Open Fails Open Fails Open

A B C D E

Cut Sets
Event combinations that can cause Top Undesired Event to occur
CS Probability
A PA=1.0x10-6
B PB=1.0x10-7
C PC=1.0x10-7
D PD=1.0x10-6
E PE=1.0x10-9

8 © C. Ericson 1999
 FTA Application – Why
l Root Cause Analysis
n Identify all relevant events and conditions leading to Undesired Event
n Determine parallel and sequential event combinations
n Model diverse/complex event interrelationships involved
l Risk Assessment
n Calculate the probability of an Undesired Event (level of risk)
n Identify safety critical components/functions/phases
n Measure effect of design changes
l Design Safety Assessment
n Demonstrate compliance with requirements
n Shows where safety requirements are needed
n Identify and evaluate potential design defects/weak links
n Determine Common Mode failures

9 © C. Ericson 1999
 FTA -- Coverage

l Failures
l Fault Events
l Normal Events
l Environmental Effects
l Systems, subsystems, and components
l System Elements
n hardware, software, human, instructions

l Time
n mission time, single phase, multi phase

l Repair

10 © C. Ericson 1999
 FT Strengths
l Visual model -- cause/effect relationships
l Easy to learn, do and follow
l Models complex system relationships in an understandable manner
n Follows paths across system boundaries
n Combines hardware, software, environment and human interaction
l Probability model
l Scientifically sound
n Boolean Algebra, Logic, Probability, Reliability
n Physics, Chemistry and Engineering
l Commercial software is available
l FT’s can provide value despite incomplete information
l Proven Technique

11 © C. Ericson 1999
 FTA Misconceptions
l Not a Hazard Analysis
n root cause analysis vs. hazard analysis
n deductive vs. inductive

l Not an FMEA
n FMEA is bottom up single thread analysis

l Not an Un-Reliability Analysis

n System Integrity vs. Availability
n not an inverse Success Tree

l Not a model of all system failures

n only includes those failures pertinent to the top Undesired Event

l Not 100% fidelity – model of reality only

n estimate, not an exact duplicate
n perception of reality

12 © C. Ericson 1999
 FTA Application -- When

l Required by customer
l Required for certification
l Necessitated by the risk involved with the product (risk is high)
l Accident/incident/anomaly investigation
l To make a detailed safety case for safety critical system
l To evaluate corrective action or design options
l Need to evaluate criticality, importance, probability and risk
l Need to know root cause chain of events
l To evaluate the effect of safety barriers
l Determine best location for safety devices (weak links)

13 © C. Ericson 1999
 FTA Is Not For Every Hazard

Haz1 3C
Haz2 2D
Haz3 1B FTA - Inadvertent Weapon Arm
Haz4 2C
Haz5 3B
. .
. .
. .
Haz77 1C FTA - Inadvertent Weapon Launch
. .
. .
. .
Haz100 2C

Only do FTA on
Safety Critical hazards.

14 © C. Ericson 1999
 Example Applications
l Evaluate inadvertent arming and release of a weapon
l Calculate the probability of a nuclear power plant accident
l Evaluate an industrial robot going astray
l Calculate the probability of a nuclear power plant safety device
being unavailable when needed
l Evaluate inadvertent deployment of jet engine thrust reverser
l Evaluate the accidental operation and crash of a railroad car
l Evaluate spacecraft failure
l Calculate the probability of a torpedo striking target vessel
l Evaluate a chemical process and determine where to monitor the
process and establish safety controls

15 © C. Ericson 1999
 FTA Timeline
l Design Phase
n FTA should start early in the program
n The goal is to influence design early, before changes are too costly
n Update the analysis as the design progresses
n Each FT update adds more detail to match design detail
n Even an early, high level FT provides useful information

l Operations Phase
n FTA during operations for root cause analysis
n Find and solve problems (anomalies) in real time

Conceptual Preliminary Final

Deployment
Design Design Design

Initial Update Update Final Operations

FTA FTA FTA FTA FTA

16 © C. Ericson 1999
 FTA – Summary
Undesired Event

B
System V x

A C

V V

Fault Tree
UE

Critical Cut Set = A • B • C • Y A C

Probability = 1.7 x 10-7

B

17 © C. Ericson 1999
 FTA – Summary

l FTA is an analysis tool

n Strengths – methodical, structured, graphical, quantitative, easy to model
complex systems
n Coverage – hardware, software, humans, procedures, timing
n Like any tool, the user must know when, why and how to use it correctly
l FTA is for system evaluation
n Safety – hazardous and catastrophic events
n Reliability – system unavailability
n Performance – unintended functions
l FTA is for decision making
n Root cause analysis
n Risk assessment
n Design assessment

18 © C. Ericson 1999
 FTA History

19 © C. Ericson 1999
 FTA Historical Stages
The Beginning Years (1961 – 1970)
l H. Watson of Bell Labs, along with A. Mearns, developed the
technique for the Air Force for evaluation of the Minuteman Launch
Control System, circa 1961
l Recognized by Dave Haasl of Boeing as a significant system safety
analysis tool (1963)
l First major use when applied by Boeing on the entire Minuteman
system for safety evaluation (1964 – 1967, 1968-1999)
l The first technical papers on FTA were presented at the first System
Safety Conference, held in Seattle, June 1965
l Boeing began using FTA on the design and evaluation of commercial
aircraft, circa 1966
l Boeing developed a 12-phase fault tree simulation program, and a
fault tree plotting program on a Calcomp roll plotter
l Adopted by the Aerospace industry (aircraft and weapons)
20 © C. Ericson 1999
 FTA Historical Stages

The Early Years (1971 – 1980)

l Adopted by the Nuclear Power industry
l Power industry enhanced codes and algorithms
l Some of the more recognized software codes include:
n Prepp/Kitt, SETS, FTAP, Importance and COMCAN

21 © C. Ericson 1999
 FTA Historical Stages

The Mid Years (1981 – 1990)

l Usage started becoming international, primarily via the
Nuclear Power industry
l More evaluation algorithms and codes were developed
l A large number of technical papers were written on the
subject (codes & algorithms)
l Usage of FTA in the software (safety) community
l Adopted by the Chemical industry

22 © C. Ericson 1999
 FTA Historical Stages

The Present (1991 – 1999)

l Continued use on many systems in many countries
l High quality fault tree Commercial codes developed that
operates on PC’s
l Adopted by the Robotics and Software industry

23 © C. Ericson 1999
 FTA Definitions

24 © C. Ericson 1999
 FT Building Blocks

Node Types:
l Basic Events (BE)
l Gate Events (GE)
l Condition Events (CE)
l Transfer Events (TE)

25 © C. Ericson 1999
 FT Node Types
Basic Event (BE)
l Failure Event
n Primary Failure - basic component failure (circle symbol)
n Secondary Failure - failure caused by external force (diamond symbol)

l Normal Event
n An event that describes a normally expected system state
n An operation or function that occurs as intended or designed, such as
“Power Applied At Time T1”
n The Normal event is usually either On or Off, having a probability of
either 1 or 0
n House symbol

l The BE’s are where the failure rates and probabilities enter the FT

26 © C. Ericson 1999
 FT Node Types

Gate Event (GE)

l A logic operator combining input nodes
l A gate that permits or inhibits fault logic up the tree
l Five basic types
n AND, OR, Inhibit, Priority AND and Exclusive OR

l Represents a fault state that has further causes to be developed

27 © C. Ericson 1999
 FT Node Types

Condition Event (CE)

l A condition attached to a gate event
l It establishes a condition that is required in order for the gate event
to occur
l Three basic types
n Inhibit, Priority AND and Exclusive OR

28 © C. Ericson 1999
 FT Node Types
Transfer Event (TE)
l A pointer to a tree branch
l Indicates a subtree branch that is used elsewhere in the tree
(transfer in/out)
l A Transfer always involves a Gate Event node on the tree, and is
symbolically represented by a Triangle
l The Transfer is for several different purposes:
n Starts a new page (for plots)
n It indicates where a branch is used numerous places in the same tree,
but is not repeatedly drawn (Internal Transfer) (MOB)
n It indicates an input module from a separate analysis (External
Transfer)

29 © C. Ericson 1999
 OR Gate

l Causality never passes through an OR gate

n The input faults are never the cause of the output fault
n Inputs are identical to the output, only more specifically
defined (refined) as to cause

Valve
Is
Closed

Valve Is Valve Is
Closed Due To Closed Due To
H/W Failure S/W Failure

30 © C. Ericson 1999
 AND Gate

l Specifies a causal relationship between the inputs and the output

n The input faults collectively represent the cause of the output fault
n Implies nothing about the antecedents of the input faults

All Site
Power
Is Failed

Electrical Diesel Backup Battery Backup

Power Is Power Is Power Is
Failed Failed Failed

31 © C. Ericson 1999
 Inhibit Gate

Y1

A B

• Both C and Y1 are necessary to cause D

• Y1 is a condition or probability
• Pass through if condition is satisfied
• Essentially an AND gate

32 © C. Ericson 1999
 Transfer Symbols

Switch
Transfer In Is Open
A

Switch
Is Open
A

Transfer Out
Switch SW Inadv
Fails Open Opened

33 © C. Ericson 1999
 Failure / Fault

l Failure
n The occurrence of a basic component failure.
n The result of an internal inherent failure mechanism, thereby
requiring no further breakdown.
n Example - Resistor R77 Fails in the Open Circuit Mode.

l Fault
n The occurrence or existence of an undesired state for a
component, subsystem or system.
n The result of a failure or chain of faults/failures; can be further
broken down.
n The component operates correctly, except at the wrong time,
because it was commanded to do so.
n Example – The light is failed off because the switch failed
open, thereby removing power.

34 © C. Ericson 1999
 Failure / Fault Example

Battery Light

Sw A

Computer
Light Fails
Off

Fault
(Command Fault)
Light Bulb Light Cmd’d
Fails Off – No Pwr

Battery Fails Computer

Failure Opens Sw

(Primary Failure)

All failures are faults, but not

all faults are failures.

35 © C. Ericson 1999
 Primary, Secondary, Command Fault

l Primary Fault / Failure

n A component failure that cannot be further defined at a lower level.
n Example – diode inside a computer fails due to materiel flaw.

l Secondary Fault / Failure

n A component failure that can be further defined at a lower level, but is
not defined in detail (ground rules).
n Example – computer fails (don’t care about detail of why).

n A component failure that is caused by an external force to the system,

can be further defined.
n Example – Fuel tank ruptures due to little boy shooting it with an
armor piercing bow and arrow.

n They are also important when performing a Common Cause Analysis.

36 © C. Ericson 1999
 Primary, Secondary, Command Fault

l Command Fault / Failure

n A fault state that is commanded by an upstream fault / failure.

n Normal operation of a component, except in an inadvertent or

untimely manner. The normal, but, undesired state of a
component at a particular point in time.
n The component operates correctly, except at the wrong time,
because it was commanded to do so by upstream faults.

n Example – a bridge opens (at an undesired time) because

someone accidentally pushed the Bridge Open button.

37 © C. Ericson 1999
 System Complexities Terms
l MOE
n A Multiple Occurring Event or failure mode that occurs more than one
place in the FT
n Also known as a redundant or repeated event

l MOB
n A multiple occurring branch
n A tree branch that is used in more than one place in the FT
n All of the Basic Events within the branch would actually be MOE’s

l Branch
n A subsection of the tree (subtree), similar to a limb on a real tree

l Module
n A subtree or branch
n An independent subtree that contains no outside MOE’s or MOB’s, and is
not a MOB

38 © C. Ericson 1999
 Cut Set Terms
l Cut Set
n A set of events that together cause the tree Top UE event to occur

l Min CS (MCS)
n A CS with the minimum number of events that can still cause the top event

l Super Set
n A CS that contains a MCS plus additional events to cause the top UE

l Critical Path
n The highest probability CS that drives the top UE probability

l Cut Set Order

n The number of elements in a cut set

l Cut Set Truncation

n Removing cut sets from consideration during the FT evaluation process
n CS’s are truncated when they exceed a specified order and/or probability
39 © C. Ericson 1999
 Cut Sets

• • • E F • Cut Sets
A, D
B, D
A D B D C D G H C, D
E Order 1
F
G, H Order 2

AND gate means that both

G & H must occur. Since
they go directly to top, they
comprise a CS, denoted by {G, H}.

Cut Set (CS)

A unique set of events that cause the Top UE to occur.

40 © C. Ericson 1999
 FTA Construction

41 © C. Ericson 1999
 Construction Process − Overview

Top Structure

Middle Structure

Bottom Structure

l Tree is developed in Layers, Levels, and Branches

l Levels represent various stages of detail
§ Top - shapes tree, combines systems
§ Middle - subsystems, functions, phases, fault states
§ Bottom - basic events, component failures

42 © C. Ericson 1999
 FT Construction

Undesired I,N,S Methodology

Event P,S,C
1) Repetitive
2) Structured
Primary Secondary
Command I,N,S 3) Methodical
Causes P,S,C

Primary Secondary
Command I,N,S
Causes P,S,C

Primary Secondary
Command I,N,S
Causes
P,S,C

Primary Primary

I,N,S=Immediate, Necessary, Sufficient

P,S,C=Primary, Secondary, Command

43 © C. Ericson 1999
 FT Construction -- Iterative Process
Top UE
Step 1, Level 1
EFFECT EFFECT
Iterative
Analysis CAUSE CAUSE

Event B
Event A Step 2, Level 2
EFFECT EFFECT

CAUSE CAUSE

Event C Event D Event E Event F Step 3, Level 3

EFFECT EFFECT

CAUSE CAUSE
Step 4, Level 4

1) Review the Gate Event under investigation

2) Identify all the possible causes of this event
3) Ensure you do not jump ahead of a possible cause event
4) Identify the relationship or logic of the Cause-Effect events
5) Structure the tree with these events and logic gate
6) Keep looking back to ensure identified events are not repeated
7) Repeat the process for the next gate.

44 © C. Ericson 1999
 Node Construction -- Three Step Process

l Construction at each gate node involves a 3 step process:

n Step 1 − Immediate, Necessary and Sufficient (INS)
n Step 2 − Primary, Secondary and Command (PSC)
n Step 3 − State of the System or Component

45 © C. Ericson 1999
 Step 1

Step 1 − Immediate, Necessary and Sufficient (INS)?

l Read the IG event wording
l Identify all Immediate, Necessary and Sufficient events to cause
the IG event
l Structure the INS casual events with appropriate logic:
n Immediate – do not skip past events
n Necessary – include only what is actually necessary
n Sufficient – do not include more than the minimum necessary

l Mentally test the events and logic until satisfied

46 © C. Ericson 1999
 Step 2
Step 2 − Primary, Secondary and Command (PSC)?
l Read the IG event wording
l Ask “what is Immediate, Necessary and Sufficient” to cause event
(Step 1)
l Word Gate events in terms of Input or Output
l Consider the type of fault path for each Enabling Event
n identify each causing event as one of the following path types
FPrimary Fault
FSecondary Fault
FCommand Fault (Induced Fault, Sequential Fault)
n structure the sub events and gate logic from the path type
n any event that is not a BE (component) event is another Enabling Event
(Command Path)

47 © C. Ericson 1999
 Step 3

Step 3 − State of the System or Component?

l Read the IG event wording
l Ask “ is the IG a State of the System or State of the
Component event”
n State of the Component is identified by being at the
component level
n State of the System is identified by being composed of more
IG events
n If its not State of the Component then it must be a State of the
System

48 © C. Ericson 1999
 Example
ARM Command
Occurs

P C S

Wire Short EMI Generates

Inadv ARM
To +28V Command on
Cmd From D
Output Line

P C S A
D Fails In ARM D Receives EMI Causes
Inadv Cmd C D ARM
Output Mode Cmd From D Command
From C
B

P C S
C Fails In ARM Inadv Cmds EMI Causes
Output Mode From A & B Cmd From C

P C C S
Primary C Receives C Receives
Secondary
[none] Inadv Cmd Inadv Cmd
[none]
From A From B

P S P S
C C
A Fails In A Receives EMI Causes A B Fails In A Receives EMI Causes B
Output Mode Inadv Input To Output Output Mode Inadv Input To Output

A A

49 © C. Ericson 1999
 Construction Example

Battery Light

A B

Light Fails
Off

Light Bulb Light Receives

Fails No Current Immediate
Necessary
Sufficient
A

Command Failure
Primary Failure

50 © C. Ericson 1999
 Construction Example (continued)

Battery Light

Light Fails A B
Off

State of System

Light Bulb Light Receives

Fails No Current

Power Not Ground Not

Available Available Immediate
Necessary
Sufficient

System Fault State

System Fault State

51 © C. Ericson 1999
 Node Wording Is Important

l Node wording is important and helps the analysis process

l Be clear and precise
l Always express device transitions in terms of the output device that
causes the transition
l Do not use failure and fault terms for state transitions if not necessary

U25 Has High

Output On Pin 25

7 3 25
U31 U25

U25 Fails U31 Has High

High On Pin 25 Output On Pin 7

52 © C. Ericson 1999
 FT Data Requirements
•Node name √
•Node text √
•Node type √
•Node failure rate & exposure time √
Node text

Node name

Node type λ and Time

53 © C. Ericson 1999
 FTA Mathematics

54 © C. Ericson 1999
 Basic Reliability Equations

l R = e-λT
l R+Q=1
l Q = 1 – R = 1 - e-λT
l Approximation
n When λT < 0.001 then Q ≈ λT

l Where:
n R = Reliability or probability of success
n Q = Unreliability or probability of failure
n λ = component failure rate = 1 / MTBF
n T = time interval (mission time or exposure time)

55 © C. Ericson 1999
 Effects of Failure Rate & Time

l The longer the mission (or exposure time) the higher the
probability of failure

l The smaller the failure rate the lower the probability of

failure

56 © C. Ericson 1999
 Example
The Effect of Exposure Time On Probability
λA TA PA=1 - e-λT
(FPH) (HRS)
λA 1.0xE-6 1 9.99xE-7
TA
1.0xE-6 10 9.99xE-6
A 1.0xE-6 100 9.99xE-5
1.0xE-6 1000 9.99xE-4
1.0xE-6 10000 9.95xE-3
1.0xE-6 100000 0.095
1.0xE-6 1000000 0.6321
1.0xE-6 10000000 0.99995

T = 1,000 Hrs

Probability

T = 1 Hr
0

Time (hours)

57 © C. Ericson 1999
 Axioms of Boolean Algebra

[A1] ab = ba
Commutative Law
[A2] a+b=b+a
[A3] (a + b) + c = a + (b + c) = a + b + c
Associative Law
[A4] (ab)c = a(bc) = abc
[A5] a(b+c) = ab + ac Distributive Law

58 © C. Ericson 1999
 Theorems of Boolean Algebra

[T1] a+0=a
[T2] a+1=1
[T3] a•0=0
[T4] a•1=a
[T5] a•a=a ü
Idempotent Law
[T6] a+a=a ü
[T7] a •a = 0
[T8] a +a = 1
[T9] a + ab = a ü
Law of Absorption
[T10] a(a + b) = a ü
[T11] a +ab = a + b

where a = not a

59 © C. Ericson 1999
 Probability
Union
For two events A and B, the union is the event {A or B} that
contains all the outcomes in A, in B, or in both A and B.

Case 1 - Disjoint Events

A B
P=P(A) + P(B)

Case 2 - Non Disjoint Events

A B
P=P(A) + P(B) - P(A)P(B)

A B Case 3 - Mutually Exclusive Events

P=P(A) + P(B) - 2P(A)P(B)

Note - Exclusive OR is not the

same as Disjoint.

60 © C. Ericson 1999
 Probability

Intersection
For two events A and B, the intersection is the event {A and B} that
contains the occurrence of both A and B.

Case 1 - Independent Events

A B
P=P(A)P(B)

P(A)P(B) Case 2 - Dependent Events

P=P(A)P(B/A)

61 © C. Ericson 1999
 CS Expansion Formula

P=Σ(singles) - Σ(pairs) + Σ(triples) - Σ(fours) + Σ(fives) - Σ(sixes) + •••

CS {A; B; C; D}

P= (PA + PB + PC + PD)
– (PAB + PAC + PAD + PBC + PBD + PCD)
+ (PABC + PABD + PACD + PBCD )
– (PABCD)

P=P A + P B + P C + P D – (PAB + P AC + P AD + P BC + PBD + PCD) + (PABC + PABD + PACD + P BCD) – (PABCD)

Size and complexity of the formula

depends on the total number of cut
sets and MOE’s.

62 © C. Ericson 1999
 FTA Evaluation

63 © C. Ericson 1999
 FT Evaluation− Purpose

l Obtaining the results and conclusions from the FT

l Using the FT for its intended purpose

n evaluate risk / decision making
n determining if the UE is safe
n identify root causes
n identify critical components and paths

l Using the FT to impact design

n identify weak links
n evaluate impact of changes

64 © C. Ericson 1999
 Evaluation Process

l Process
n generate Cut Sets √
n apply failure data
n compute probabilities
n compute criticality measures

65 © C. Ericson 1999
 Types

Two type of Evaluation:

l Qualitative
n Cut Sets only

l Quantitative
n Cut Sets and Probability
n Importance Measures

66 © C. Ericson 1999
 Requirements

l Requires knowledge and use of:

n FT mathematics (probability and Boolean algebra)
n FT algorithms
n FT approximation methods
n FT computer programs

67 © C. Ericson 1999
 Cut Set

l A unique set of events that together cause the Top UE event

to occur

l One (of possibly many) root causes of the Top UE

l A CS can consist of one event or 10 simultaneous events

68 © C. Ericson 1999
 The Value of Cut Sets

l Cut Sets identify which component failures and/or events can

cause an accident or undesired event (UE) to occur
l CS’s show which unique event combinations can cause the UE
l CS’s provide the mechanism for probability calculations
l Cut Sets reveal the critical and weak links in a system design
n high probability
n bypass of intended safety or redundancy features

Note:
Always check all CS’s against the system design to make
sure they are valid and correct.

69 © C. Ericson 1999
 Qualitative Evaluation

l Non-numerical
l Process
n Obtain the entire list of Min Cut Sets from the FT

l Qualitatively evaluate and analyze the Cut Sets for design

problems/concerns

Note:
Slightly subjective than quantitative evaluation.

70 © C. Ericson 1999
 Value of Qualitative Evaluation

l CS importance by order number

n Lower order CS are generally more important

l Component importance by number of times it appears in

different CS’s
l Analyze the CS for:
n identifying (unexpected) root cause combinations
n design weak points
n bypass of intended safety features
n common cause problems

71 © C. Ericson 1999
 Quantitative Evaluation

l Numerical − Probability of Event occurrence

l Process
n Obtain the entire list of Min Cut Sets from the FT
n Compute FT probabilities from the Min CS’s
n Compute FT Importance Measures from the CS’s
n Requires component failure rates & exposure times

l Quantitatively evaluate and analyze the Cut Sets and

Probabilities for design problems/concerns

72 © C. Ericson 1999
 Value of Quantitative Evaluation

l Tree & gate probability estimates

l Probabilistic Risk Assessment (PRA)
l More precise evaluation of FT, not as subjective
l Quantitative measures for:
n FT (UE) probability
n component criticality & importance
n CS criticality & importance
n critical path ranking

73 © C. Ericson 1999
 Basic Evaluation Methods

l Manual
n possible for small/medium noncomplex trees

l Computer
n required for large complex trees
n two approaches
- analytical
- simulation

74 © C. Ericson 1999
 Methods For Finding Min CS

l Boolean reduction
l Bottom up reduction algorithms
n MICSUP algorithm

l Top down reduction algorithms

n MOCUS algorithm

l BDD (Binary Decision Diagram)

l Min Terms method (Shannon decomposition)
l Modularization methods
l Genetic algorithms

75 © C. Ericson 1999
 Evaluation Trouble Makers

l Tree size
l Tree Complexity
n from redundancy (MOE’s)
n from large AND/OR combinations

l Exotic gates
l Computer limitations
n speed
n memory size
n software language

76 © C. Ericson 1999
 Min CS

l A CS with the minimum number of events that can still

cause the top event
l The true list of CS’s contributing to the Top
l The final CS list after removing all SCS and DupCS
l Additional CS’s are often generated, beyond the MinCS’s
n Super Cut Sets (SCS) – result from MOE’s
n Duplicate Cut Sets (DupCS) - result from MOE’s or AND/OR
combinations

l Why eliminate SCS and DupCS?

n laws of Boolean algebra
n would make the overall tree probability slightly larger
(erroneous but conservative)

77 © C. Ericson 1999
 Min CS

A B A B C A B

Cut Sets: Min Cut Sets:

A A
A,B SCS
A,B,C SCS
A,B DupCS, SCS

78 © C. Ericson 1999
 FTA Pitfalls

79 © C. Ericson 1999
 Pitfall #1 – FT Design

l Lack of proper FT planning and design can result in

problems
n Might necessitate restructure of entire tree
n Might necessitate renaming all events in tree
n Rework will cost time and money

l Must plan ahead

n Leave room for future tree expansion
n Allow for possible future changes in tree without repercussions
n Structure tree carefully, later changes can impact entire tree
F Carefully develop a name scheme - events, MOE’s, transfers
l Large FT’s require more design foresight
n Develop organized plan when several analysts work on same FT

80 © C. Ericson 1999
 Poorly Planned FT

81 © C. Ericson 1999
 Pitfall #3 – AND Gate Overconfidence

l An over confident assumption is often made that a system is

safe because it requires at least 3 or 4 inputs to an AND gate
l The probability for a 3 input AND gate is usually very small
(10-3 • 10-3 • 10-3 = 10-9)
l However, an MOE in each branch of the AND gate can
reduce the probability to a SPF (making the probability 10 -3)

The effect of a Repeated event.

Or, common mode failure.

82 © C. Ericson 1999
 Pitfall #3 – AND Gate Overconfidence
No TFR Avoid the temptation to
Example: Fly Up Cmd truncate tree at high level
because it appears safe.

No Fly Up Cmd No Fly Up Cmd

On Primary ATF On Sec. ATF

No Fly Up Cmd SCAS Lockup Aural Fly Up Manual Fly Up

From TFRDT Prevents Fly Up Cmd Fails Cmd Fails

15 FT levels and 5
subsystems in depth.

Tree bottom shows that

triple redundancy was
bypassed by SPF.
Relay K6 Relay K6 Relay K6
Fails Closed Fails Closed Fails Closed

X121 X121 X121

83 © C. Ericson 1999
 Pitfall #4 – Incorrect Exposure Time

l If the Time in P=1.0 – e-λλT is not correct, errors are

injected into the FT probability calculations
l Note the quantitative impact for different exposure
times
P = PA + PB + PC

A B C

λA=1.0x10-6 The impact of

exposure time.
λB=1.0x10-6
λC=1.0x10-6
84 © C. Ericson 1999
 Exposure Time
Scenario Calculation Time
-6 -6
PA = (1x10 ) (10) = 10x10
PB = (1x10-6) (10) = 10x10-6 Mission
PC = (1x10-6) (10) = 10x10-6
A
Standard B
P = (10x10-6 ) x (10x10-6) x (10x10-6)
= 1,000x10-18
C
= 1.0x10-15

PA = (1x10-6) (0.1) = 0.1x10-6

Component PB = (1x10-6) (10) = 10x10-6 Mission
PC = (1x10-6) (10) = 10x10-6
used for A
short P = (0.1x10-6) x (10x10-6 ) x (10x10-6) B
duration = 10x10-18 C
= 1.0x10-17

PA = (1x10-6) (10) = 10x10-6

Standby -6
PB = (1x10 ) (10) = 10x10
-6

component, PC = (1x10-6) (1000) = 1x10-3 Mission

unchecked A
-6
) x (10x10-6) x (1x10-3)
(latent fault) P = (10x10 -15 B
= 100x10 C
-13
= 1.0x10

85 © C. Ericson 1999
 Pitfall #10 – Gate Calculations Errors

Gate Calculations Errors due to MOEs

l An often used method of tree calculation is the bottom-up
gate to gate calculation
l This method is valid as long as the tree has no MOEs in it
l If MOEs exist, this method generally produces very
erroneous results
n as shown below, error can range from very large to no error,
depending on tree structure

l Some computer programs print the probability

calculations for each gate on the tree, which is very
dangerous if MOEs exist
l Must resolve MOE’s for correct tree probability calculation

86 © C. Ericson 1999
 MOE Error Example 1

PA=8x10-6 Incorrect

P=4x10- 6 P=4x10- 6

A B A C

PA=2x10-6 PB=2x10-6 PA=2x10-6 PC=2x10-6 Correct

PA=6x10-6

Cut Sets = A ; B ; C A B C

P= PA + PB + PC
= (2x10-6) + (2x10-6) + (2x10-6) PA=2x10-6 PB=2x10-6 PC=2x10-6

= 6x10-6 [upper bound]

87 © C. Ericson 1999
 MOE Error Example 2
P=16x10-12 Incorrect

P=4x10- 6 P=4x10- 6

A B A C
Correct
PA=2x10-6 PB=2x10-6 PA=2x10-6 PC=2x10-6
P=2x10- 6

A P=4x10- 12
Cut Sets = A ; B,C

P = PA + PBPC PA=2x10-6
= (2x10-6) + (2x10-6)(2x10-6) B C
= 2x10-6 + 4x10-12
= 2x10-6 [upper bound] PB=2x10-6 PC=2x10-6

88 © C. Ericson 1999
 MOE Error Example 3
Incorrect but
P=8x10- 12
Correct
P=4x10- 12 P=4x10- 12

A B A C
Correct
PA =2x10-6 PB =2x10-6 PA =2x10-6 PC =2x10-6
P=8x10- 12

Cut Sets = A,B ; A,C

A P=4x10- 6
P = PAPB + PAPC
= (2x10-6)(2x10-6) + (2x10-6)(2x10-6) PA=2x10-6
= 4x10-12 + 4x10-12 B C
= 8x10-12 [upper bound]
PB=2x10-6 PC=2x10-6
89 © C. Ericson 1999
 FTA Rules

90 © C. Ericson 1999
 Rule #1

Rule #1 – Know The Purpose And Strengths Of FTA

l Use the right tool
l Use the tool correctly
l Remember, FTA is a tool for:
n root cause deductive analysis
n identifies events contributing to an Undesired Event
n computes the probability of an Undesired Event
n measures the relative impact of a design fix
n fault path diagrams for presentation

l Know when to use another tool

91 © C. Ericson 1999
 Rule #2

Rule #2 -- Know The Purpose And Objectives Of Your FTA

l Solve the right problem / do the right analysis
l Establish a problem/solution statement
n what is the problem statement
n what are the solution requirements
n show how FTA results will satisfy or solve the problem
n test potential FTA results against the problem

l Make sure top Undesired Event (UE) is correct and reasonable

n correct/reasonable model
n don’t solve the wrong problem
n don’t try the impossible
n make sure analysis will meet desired objectives/goals

92 © C. Ericson 1999
 Rule #3
Rule #3 -- Establish Your FTA Ground Rules
l Define and document assumptions
l Scope the problem
n size, level of analysis, level of detail

l Set analysis scope and boundaries

l Establish analysis definitions
l Make sure top UE is correct and reasonable (do the right analysis)
l Publish FTA ground rules before starting (living document)
n definitions, scope, boundaries, level of detail and analysis depth
n construction rules, FT format

l Obtain agreement on ground rules

n design team, customer

93 © C. Ericson 1999
 Rule #4

Rule #4 -- Intentionally Design Your Fault Tree

l Follow FTA ground rules and formats
n Make checks against ground rules

l Establish name convention for Events, MOEs and Transfers

n use a methodology
n by hardware type, supplier, subsystem
n short names are usually better (long names becomes burdensome,
time consuming)

l Maintain event databases and cross references

n basic failure events, gate events, condition events, MOE’s, transfers

l Establish tree structure approach

n functional or subsystem

94 © C. Ericson 1999
 Rule #4 (continued)

l Determine level of analysis detail

n subsystem, LRU, component

l Use gate types cautiously

n AND, OR and Inhibit gates do almost everything
n if you think an exotic gate is necessary, that’s the first clue to re-
analyze your problem

l Be very descriptive in writing event text

n avoid using word “fail” -- not enough information
n “power supply fails” vs. “power supply does not provide +5 VDC”
n do not use the terms primary failure or secondary failure (provide
more description)

l Use FT programs and design around their capabilities

95 © C. Ericson 1999
 Rule #4 (continued)

l Maintain tree metrics

n event counts − Basic Events, Gate Events
n complexity
n complexity

l Tree size (more effort for larger trees)

n small (< 100 event)
n medium (100 to 750 events)
n large (750 to 2,000 events)
n huge (>2,000 events)

l Conduct tree peer review

n other FT experts
n system designers

96 © C. Ericson 1999
 Rule #5
Rule #5 -- Know Your System
l Know the system design and operation
l Know the interfaces between subsystems
l Utilize all sources of design information
n drawings, procedures, block diagrams, flow diagrams, FMEA’s
n stress analyses, failure reports, maintenance procedures

l Drawings and data must be current for current results

l Requires system engineering skills -- electronics, mechanics,
software, etc.
l Make periodic checks to make sure the FT model is correct
n reviews - peer , designers, customer

l The model and design data can be iterative

n preliminary model progresses to detailed model
97 © C. Ericson 1999
 Rule #6

Rule #6 -- Understand Your Failure Data

l Failure data must be obtainable for quantitative evaluation
l Must understand failure modes, failure mechanisms and
failure rates
l Data accuracy and trustworthiness must be known
(confidence)
l Data estimates are useful and can be used, but results
must be understood

98 © C. Ericson 1999
 Rule #7

Rule #7 -- Know Your Fault Tree Tools

l Know basic tool capabilities
n construction, editing, plotting, reports, cut set evaluation

l Know tool user friendliness

n intuitive operation
n easy to use and remember
n changes are easy

l Single vs. multi-phase tree

l Qualitative vs. quantitative evaluation
l Simulation vs. analytical evaluation (considerations include
size, accuracy, phasing)

99 © C. Ericson 1999
 Rule #7 (continued)

l Know tool limits

n tree size
n cut set size
n plot size

l Understand cutoff methods, some can cause errors

l Gate probabilities could be incorrect when MOE’s are
involved

100 © C. Ericson 1999

 Rule #8

Rule #8 -- Understand (Appreciate) Small Numbers

l Failure rates and probabilities are between 0 and 1
l FT’s generally deal with small numbers (< 1.0e-6)
l Small numbers are somewhat abstract
l The exponent size is of prime interest (e-6, e-15, e-35)
n Decimal places are somewhat significant within the same
range (1.11e-6 vs 1.97e-6)
n Decimal places are not as significant for a wide range (1.1e-6
vs. 1.778e-9)
n As numbers get very very small, decimal place are probably
insignificant (ie, 1.0e-35 vs. 1.2e-35)

101 © C. Ericson 1999

 Rule #8 (continued)

Probability range is between 0 and 1.

FT events and cut sets also fall into this
probability range.
A number of 1.0e-6 looks very abstract on this
chart.

1 failure per million hrs = 0.000001 = 1.0e-6

Looking at a small number within a range of

small numbers provides more valuable
information.

What Are Small Numbers ?

102 © C. Ericson 1999

 Rule #8 (continued)

Rule #8 -- Understand (Appreciate) Small Numbers

l Don’t get carried away with numbers
n All results are essentially estimates for relative comparisons
n is system 1.0e-3 or 1.0e-7 is relevant
n is system 1.1e-6 or 8.7e-6 is not as relevant
n is system 1.1e-6 or 1.123767e-6 is not relevant

l Remember, the model is only a model and does not have

100% fidelity to the true system, therefore, everything is
somewhat relative

103 © C. Ericson 1999

 Rule #9

Rule #9 -- Understand Your Results

l Make reasonableness tests on the results
n are the results correct
n look for analysis errors (data, model, computer results)
n are CS’s credible and relevant, if not revise tree
n take nothing for granted from the computer
n test your results via hand calculations

l Verify that the FTA goals were achieved

n are the results meaningful
n was the analysis objective achieved
n was the right tool used

104 © C. Ericson 1999

 Rule #9 (continued)

l Probability calculations are important, but nothing more

than a mathematical exercise
l CS’s are very important -- shows where to fix system,
importance of specific events
l If exotic gates are used, check results, check assumptions
l Effect of MOEs is very important
n they can cause large numerical impact or none at all
n review carefully

105 © C. Ericson 1999

 Rule #10
Rule #10 – Remember FT’s Are Models
l Remember that FT’s are models
n perception or model of reality
n not 100% fidelity to exact truth

l Remember that models are approximations (generally)

n not necessarily 100% exact
n still a valuable predictor
n Newton’s law of gravity is an approximation

l Do not represent FTA results as an exact answer

n use engineering judgment
n small number are relative (2.0x10 -8 is as good as 1.742135x10-8)
n anything overlooked by the FTA skews the answer
Fminor things left out can make results conservative (understate results)
Fmajor things left out can be significant (overstate results)

106 © C. Ericson 1999

 Rule #11

Rule #11 -- Publish/Document Your Analysis And Results

Completely
l Formally document and publish the entire FTA
n may need to provide to customer (product)
n may need to defend at a later date
n may need to modify at a later date
n may perform a similar analysis at a later date
n may need records for an accident/incident investigation

l Even a small analysis should be documented for posterity

107 © C. Ericson 1999

 Rule #11 (continued)

l Provide complete documentation

n problem statement
n definitions
n ground rules
n references
n comprehensive system description
n data and sources (drawings, failure rates, etc.)
n FT diagrams
n tree metrics
n FT computer tool description
n results
n conclusions

108 © C. Ericson 1999

 FTA Examples

109 © C. Ericson 1999

 Problem #2
l Construct a FT for the following system
n The Undesired Event is “Inadvertent Warhead Arming”
n Construct the Fault Tree
n Ground Rules:
FWhen all the switches are closed the Warhead receives the Arm
command.

A B

Battery ARM 1 ARM 2

Signal Signal Warhead

Computer A

110 © C. Ericson 1999

 Problem 2 (cont’d)
C

Method 1 – Structured A B

(Using Functional Approach) D

Battery ARM 1 ARM 2

WH
Signal Signal

Warhead Computer A
Inadv Armed

WH Fails WH Receives
Armed Arm Cmd

Wire Short to Inadv Arm

+28V Cable1 Command

ARM 2 Pwr Present

Closed At ARM 2
A B

111 © C. Ericson 1999

 Problem 2 (cont’d)
C

A B

D
ARM 2
Closed
A
Battery ARM 1 ARM 2
WH
Signal Signal

Switch C Wire Short Switch D

Computer A
Is Closed Across Sw Is Closed

Switch C Switch C Switch D Switch D

Fails Closed Cmd Closed Fails Closed Cmd Closed

Computer Computer Computer Computer

H/W Fault S/W Fault H/W Fault S/W Fault

112 © C. Ericson 1999

 Problem 2 (cont’d)
C
Pwr Present A B
At ARM 2
B D

Battery ARM 1 ARM 2

Wire Short Inadv Pwr Signal Signal
WH
To +28V From ARM 1
Computer A

ARM 1 Pwr Present

Closed At ARM 1

Switch A Switch B Battery 1

Is Closed Is Closed Present

Switch A Switch A Switch B Switch B

Fails Closed Cmd Closed Fails Closed Cmd Closed

Computer Computer Computer Computer

H/W Fault S/W Fault H/W Fault S/W Fault

113 © C. Ericson 1999

 FTA References

114 © C. Ericson 1999

 Reference Books

l Reliability And Fault Tree Analysis, Conference On Reliability

And Fault Tree Analysis; UC Berkeley; SIAM Pub, R. E. Barlow &
J. B. Fussell & N. D. Singpurwalla, 1975.
l Fault Tree Handbook, NUREG-0492, 1981, N. H. Roberts, W. E.
Vesely, D. F. Haasl & F. F. Goldberg, 1981.
l Reliability and Risk Assessment, Longman Scientific & Technical,
1993, J. D. Andrews & T. R. Moss, 1993.
l Probabilistic Risk Assessment And Management For Engineers
And Scientists, IEEE Press (2nd edition), 1996, E. J. Henley & H.
Kumamoto, 1996.

115 © C. Ericson 1999

 Web Sites

l www.system-safety.org
l www.FaultTree.net or www.fault-tree.net
l www.aot.com

116 © C. Ericson 1999

 3 Day Course

1.0 FTA Introduction

2.0 FTA History
3.0 FT Overview
4.0 FT Definitions
5.0 FT Construction – Methodology
6.0 FT Construction – FT Design
7.0 FT Mathematics
8.0 FT Evaluation
9.0 FT Validation
10.0 Multi-Phase FTs
11.0 Common FTA Pitfalls
12.0 FTA Rules
13.0 FT Software Codes
14.0 FTAB Operation
15.0 FT Repair
16.0 Other Tree Types (Success Tree, Event Tree, Casual Tree)
17.0 FT Dependent Events
18.0 Special Cases (standby, latency, spares)
19.0 Exposure Times
Appendix A – FT References
Appendix B – Exercises
Appendix C – Class Project
Appendix D – Example Fault Trees

117 © C. Ericson 1999