
SAFETY AND MISSION ASSURANCE

FAULT TREE

Facundo N. Oliva Cneo



Basic Concepts of System Analysis


System: A system is a deterministic entity comprising an interacting
collection of discrete elements. A system must have some purpose: it
must do something.
Deterministic entity: The system in question must be identifiable.
Discrete elements: The discrete elements of the definition must also be
identifiable. The discrete elements may themselves be regarded as
systems.
Interacting: A system is made up of parts or subsystems that interact.
This interaction generally ensures that a system is not simply equal to the
sum of its parts: if any part changes, the system itself also changes.
System analysis: A directed process for the orderly and timely
acquisition and investigation of specific system information pertinent to a
given decision.
The primary function of system analysis is the acquisition of
information, not the generation of a system model.
We must decide what information is relevant to a given decision before
the data gathering activity starts.

The decision-making process

Relationship between Reality, System Model, and Decision Process

Decisions are forced on us by time, and not by the degree of
completeness of our knowledge: we all have deadlines to meet.
Furthermore, because it is generally impossible to have all the relevant
data at the time the decision must be made, we simply cannot know all the
consequences of electing to take a particular course of action.


Our decision is a direct outcome of our model, and if our model is grossly in error,
so also will be our decision.
To make correct decisions, we require:

1) The identification of the information (or data) that would be pertinent
to the anticipated decision.
2) A systematic program for the acquisition of this pertinent information.
3) A rational assessment or analysis of the data so acquired.


External and Internal Boundaries

System Definition: External and Internal Boundaries.


External boundaries: Determine the comprehensiveness of the analysis.
Perhaps the most vital decision that must be made in system definition is how to put
external boundaries on the system.
Some external boundary to the system must be established, and this decision will have to
be made partially on the basis of what aspect of system performance is of concern.
Internal boundaries (limit of resolution): Limit the detail of the analysis.
They serve to define the discrete elements of the system and to establish the basic interactions
within the system.

FAULT TREE (FT)


The fault tree (FT) itself is a graphical model of the system, which shows
the logical interrelationship of the faults in the lower levels of the system. A
fault tree thus depicts the logical interrelationship of basic events that lead
to the undesired event - which is the top event of the fault tree.
Fault Tree Analysis addresses the identification and assessment of just
such catastrophic occurrences and complete failures.
Benefits of Constructing a Fault Tree:
It explicitly shows all the different relationships that are necessary to
result in the top event.
A thorough understanding is obtained of the logic and basic causes
leading to the top event.
It is a tangible record of the systematic analysis of the logic and basic
causes leading to the top event.
It provides a framework for thorough qualitative and quantitative
evaluation of the top event.

FT : Inductive vs Deductive Modeling


FT is based upon deductive reasoning (from the general to the specific).
A specific fault is postulated, and then an attempt is made to determine
modes of system or component behavior that contributed to this failure.

Inductive models forwardly induce the consequences of an event.

Deductive models backwardly deduce the causes of an event.

Fault tree analysis focuses on one particular undesired event at a time and
determines all credible causes of that event. The undesired event is the top
event in that fault tree diagram.


A Deductive Model Resolves the Causes for an Event
An event is first defined for which causes are to be resolved.
The event is resolved into its immediate, necessary and sufficient causal
events.
The event is related to the causal events using appropriate logic.
This stepwise resolution of events into immediate causal events
proceeds until basic causes (primary causes) are identified.

Careful definition of the top event is extremely important to the success of
the analysis:
If the top event is too general, the analysis becomes unmanageable;
if it is too specific, the analysis does not provide a sufficiently broad view
of the system.

FT: Why it is carried out

To exhaustively identify the causes of a failure


To identify weaknesses in a system
To assess a proposed design for its reliability or safety
To identify effects of human errors
To prioritize contributors to failure
To identify effective upgrades to a system
To quantify the failure probability and contributors
To optimize tests and maintenance


FT : Potential Applications

Potential Applications for FTA Results

Fault tree analysis can be a time-consuming exercise, and its cost must be
measured against the cost associated with the occurrence of that specific
undesired event.

PROGRAM: FAULT TREE / MATRIX-FORM


A comprehensive program to anticipate nearly all identifiable causes of
failure, and to endeavor to prevent their occurrence, can be used to ensure that
hardware will achieve a high level of reliability.
The program is initiated by developing a comprehensive fault tree in which
the user strives to identify all of the possible failure causes of a
subsystem or component.
These failure causes are compiled and combined with the prevention
measures of the program to form a matrix.
The fault tree and the matrix-form are the two essential tools of this program.
The fault tree is used for the identification of critical fault paths.
The matrix-form is used for identifying detailed faults that lead to
component design changes and to programmatic changes, i.e., the
matrix-form can help in identifying additional analysis, testing or
inspections that are needed for a failure prevention program.



There are three steps in the fault tree and matrix-form preparation program:
A. FAULT TREE: The evolutionary compilation of discrete modes of failure
and their associated causes, using a detailed fault tree;
B. MATRIX-FORM: The development of the corresponding matrix-form
that combines the "generated failure causes from the fault tree" with the
"planned preventive measures of the program";
C. CONCURRENCE: Concurrence by the design agency that the
applicable preventive measures regarding the matrix items are, or will
be, part of its reliability program; this concurrence must be among
individuals in analysis, design, quality assurance, manufacturing, and/or
other disciplines involved in delivering the equipment.


STEP 1- FT Construction: A Systematic Deductive Process


The first step is the choice of an observed subsystem-level functional fault
(the particular undesired event). This functional fault is then the top level of the
FT. The analyst must then postulate the various lower-level faults or failures
which, individually or in combination, lead to the next-level fault in question.

An undesired event is defined.
The event is resolved into its immediate causes.
This resolution of events continues until basic causes are identified.
A logical diagram called a fault tree is constructed showing the logical
event relationships.

Examples of Top Event Definitions


Fire Suppression System Fails to Operate when actuated
Fire Suppression System Inadvertently Activates during normal
conditions
Auxiliary Power System Fails to Continually Operate for the required
time period
Fuel Supply System Fails to Shutoff after the fueling phase
Launch Vehicle Fails to Ignite at Launch
Launch Vehicle Suffers a Catastrophic Failure at Launch

STEP 1 - FT Construction: Basic Structure

The fault tree is the logical model of the relationship of the undesired
event to more basic events.
The top event of the fault tree is the undesired event.
The middle events are intermediate events.
The bottom of the fault tree is the causal basic events or primary events.
The logical relationships of the events are shown by logical symbols or
gates.

STEP 1 - FT Construction: Basic Structure (cont.)

The use of logical "AND" and "OR" symbols graphically depicts the
combination of faults which lead to the observed higher-level fault.
The "AND" symbol means that all the failures which feed into it on the
FT must occur for the observed higher-level fault to occur.
The "OR" symbol means that any one of the failures which feed into
the symbol will cause the observed higher-level fault to occur.

STEP 1 - FT Construction: Basic Structure (cont)

Events or observations related to the fault are, like the fault itself, put into
rectangular boxes.
An event or observation which is described by a basic system
component or part failure is put into a circle.
Events or observations which terminate a fault sequence (either because
sufficient information is lacking, or to indicate that further development
is deferred) are put into diamond shapes.

STEP 1 - FT Construction: Four Necessary Steps


1. Define the undesired event to be analyzed (focus of the FTA)
2. Define the boundary of the system (scope of the FTA)
3. Define the basic causal events to be considered (resolution of the FTA)
4. Define the initial state of the system


STEP 1 - FT Construction: The Basic Elements


STEP 1 - FT Construction: The Basic Elements (cont)


STEP 1 - FT Construction: Example


Simple Battery Powered Circuit (BPC)

Specifications:
Undesired top event: Motor does not start when switch is closed
Boundary of the FT: The circuit containing the motor, battery, and
switch
Resolution of the FT: The basic components in the circuit.
Initial State of System: Switch open, normal operating conditions

STEP 1 - FT Construction: Example (cont)
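As an added example (not code from the original deck), the following Python models the Simple Battery Powered Circuit fault tree with the AND/OR gate semantics described under "Basic Structure" and derives its minimal cut sets. The tree is my reconstruction from the slide's specification: the basic events (motor fails, switch fails to close, battery dead, wire open) and the intermediate event "No current to motor" are assumptions. Because every BPC fault is a single-point failure, a second, constructed variant with a redundant battery pack (both batteries must be dead for loss of power) is included to show how an AND gate yields a second-order cut set and how absorption discards non-minimal sets.

```python
"""Fault tree model and minimal cut set (MCS) derivation for the
Simple Battery Powered Circuit (BPC) example.

Added example, not code from the original deck.  The tree is a
reconstruction of the slide's specification; the basic-event names and
the intermediate event "No current to motor" are assumptions."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Basic:
    """Primary event (drawn as a circle): a basic component failure."""
    name: str


@dataclass(frozen=True)
class Gate:
    """Intermediate event (rectangle) with the gate that resolves it."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: tuple        # Basic or Gate nodes feeding the gate


def minimize(sets):
    """Absorption law: drop any cut set that contains another cut set,
    so only minimal cut sets remain."""
    keep = []
    for s in sorted(sets, key=len):          # shorter sets first
        if not any(k <= s for k in keep):
            keep.append(s)
    return set(keep)


def cut_sets(node):
    """Bottom-up derivation of the minimal cut sets of `node`.
    OR gate: union of the children's cut sets.
    AND gate: every combination of one cut set from each child, merged."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child)
    elif node.kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimize(combined)


def top_occurs(node, failed):
    """Evaluate the gate logic directly for a given set of failed basic events."""
    if isinstance(node, Basic):
        return node.name in failed
    results = [top_occurs(i, failed) for i in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def verify_minimal(node, mcs):
    """Cross-check: every cut set must cause the top event, and no cut set
    with one event removed may still cause it."""
    for cs in mcs:
        if not top_occurs(node, cs):
            return False
        if any(top_occurs(node, cs - {e}) for e in cs):
            return False
    return True


def by_order(mcs):
    """Number of minimal cut sets of each order (size); order-1 sets are
    single-point failures."""
    counts = {}
    for cs in mcs:
        counts[len(cs)] = counts.get(len(cs), 0) + 1
    return counts


# --- BPC tree as specified on the slide (assumed event names) ---
MOTOR = Basic("motor fails")
SWITCH = Basic("switch fails to close")
BATTERY = Basic("battery dead")
WIRE = Basic("wire open")
NO_CURRENT = Gate("No current to motor", "OR", (SWITCH, BATTERY, WIRE))
BPC_TOP = Gate("Motor does not start when switch is closed", "OR",
               (MOTOR, NO_CURRENT))

# --- Constructed variant: redundant battery pack, both must fail (AND) ---
BATT_A = Basic("battery A dead")
BATT_B = Basic("battery B dead")
NO_POWER = Gate("No power from redundant pack", "AND", (BATT_A, BATT_B))
NO_CURRENT_R = Gate("No current to motor", "OR", (SWITCH, NO_POWER, WIRE))
REDUNDANT_TOP = Gate("Motor does not start when switch is closed", "OR",
                     (MOTOR, NO_CURRENT_R))

if __name__ == "__main__":
    for tree in (BPC_TOP, REDUNDANT_TOP):
        mcs = cut_sets(tree)
        print(tree.name)
        for cs in sorted(mcs, key=lambda s: (len(s), sorted(s))):
            print("   ", " AND ".join(sorted(cs)))
        print("    orders:", by_order(mcs), "minimal:", verify_minimal(tree, mcs))
```

Running the script prints the minimal cut sets of both trees ordered by size. The verify_minimal check re-evaluates the gate logic for each cut set and for each cut set with one event removed; a cut set that fails this check points to a modelling mistake (typically an OR drawn where an AND was meant). The same check lets a reviewer validate cut sets reported by a tool against the drawn tree.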


STEP 2 - THE MATRIX FORM


After the fault tree has been constructed, the information is transferred to the matrix
form.
The top section of the matrix form represents the bottom levels of the fault tree (or
fault tree branch), with the causes of failure indicated in the vertical columns.
The information on the fault tree matrix form need not be detailed on the fault tree
itself. Rather than actually constructing the bottom-most branches of the fault tree,
simply refer to the appropriate page number of the matrix.
The preventive measures are listed down the left-hand side of the matrix (the y-axis).
The circle symbol in the matrix grid ties the failure causes to the preventive
measures.


STEP 2 - THE MATRIX FORM: Top section

(Figures: top section of the matrix form; sub-top section of the matrix form.)
The top section of the matrix form represents the bottom levels of the fault tree (or fault
tree branch), with the causes of failure indicated in the vertical columns.

STEP 2 - THE MATRIX FORM: Left-hand side (the y-axis)

The preventive measures are listed here. Various product assurance specialists should be
consulted to assist in listing preventive measures.
(Figure: left-hand side of the matrix form, the y-axis.)

STEP 2 - THE MATRIX FORM: Grid

The circle symbol in the matrix grid ties the failure causes to the preventive measures.
(Figure: the matrix grid.)

STEP 3 - FINAL CONCURRENCE

FINAL CONCURRENCE OF THE FAULT TREE AND MATRIX-FORM DATA

The final phase of this task is getting concurrence from the project office
that the corrective measures will be implemented. If corrective measures
cannot be implemented to preclude or minimize the risk of a critical failure,
the issue should be documented on a DDR form.


FT EVALUATION TECHNIQUES
Once a FT is constructed it can be evaluated to obtain qualitative and/or
quantitative results.
Qualitative results:
The minimal cut sets of the fault tree
Qualitative component importance
Minimal cut sets potentially susceptible to common cause (common
mode) failures
Quantitative results:
Absolute probabilities
Quantitative importance of components and minimal cut sets
Sensitivity and relative probability evaluations
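The following Python, added here and not from the original deck, computes the results listed above from a set of minimal cut sets: the exact top-event probability by inclusion-exclusion, the rare-event approximation, the Fussell-Vesely importance of each basic event, and a qualitative screen for cut sets susceptible to common cause failure. The cut sets and probabilities are assumptions: they correspond to a redundant-battery variant of the battery powered circuit example (two batteries that must both be dead for loss of power), with illustrative per-mission failure probabilities and independent basic events.

```python
"""Quantitative evaluation of a fault tree from its minimal cut sets.

Added example, not from the original deck.  MCS and basic-event
probabilities are assumptions (redundant-battery variant of the BPC
example, illustrative per-mission probabilities)."""
from itertools import combinations

# Assumed minimal cut sets: any one of these sets of basic events occurring
# together causes the top event "Motor does not start when switch is closed".
MCS = [
    frozenset({"motor fails"}),
    frozenset({"switch fails to close"}),
    frozenset({"wire open"}),
    frozenset({"battery A dead", "battery B dead"}),
]

# Assumed per-mission failure probabilities; basic events are independent.
P = {
    "motor fails": 1e-3,
    "switch fails to close": 5e-4,
    "wire open": 1e-4,
    "battery A dead": 2e-2,
    "battery B dead": 2e-2,
}


def cut_set_prob(events, p):
    """Probability that every basic event in `events` occurs."""
    prob = 1.0
    for e in events:
        prob *= p[e]
    return prob


def top_prob_rare_event(mcs, p):
    """Rare-event approximation: sum of the cut set probabilities.
    It never underestimates the exact value."""
    return sum(cut_set_prob(cs, p) for cs in mcs)


def top_prob_exact(mcs, p):
    """Exact P(top) by inclusion-exclusion over the cut sets.  The k-th term
    sums, over every choice of k cut sets, the probability that all events
    of those k sets occur, with alternating sign.  Exponential in len(mcs);
    fine for hand-sized trees."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(mcs, k):
            total += sign * cut_set_prob(frozenset().union(*combo), p)
    return total


def fussell_vesely(mcs, p):
    """Fussell-Vesely importance: the fraction of P(top) accounted for by
    the cut sets that contain the event.  Ranks contributors to failure."""
    top = top_prob_exact(mcs, p)
    events = set().union(*mcs)
    return {e: top_prob_exact([cs for cs in mcs if e in cs], p) / top
            for e in events}


def common_cause_candidates(mcs, component_type):
    """Qualitative screen: cut sets of order >= 2 with two or more events of
    the same component type, which a single shared cause could defeat."""
    flagged = []
    for cs in mcs:
        if len(cs) >= 2 and len({component_type(e) for e in cs}) < len(cs):
            flagged.append(cs)
    return flagged


def component_type(event):
    """Assumed naming convention: the first word of an event is the component."""
    return event.split()[0]


if __name__ == "__main__":
    exact = top_prob_exact(MCS, P)
    print(f"P(top) exact       = {exact:.6e}")
    print(f"P(top) rare-event  = {top_prob_rare_event(MCS, P):.6e}")
    for e, fv in sorted(fussell_vesely(MCS, P).items(), key=lambda kv: -kv[1]):
        print(f"  FV {e:24s} {fv:.3f}")
    for cs in common_cause_candidates(MCS, component_type):
        print("common-cause candidate:", " AND ".join(sorted(cs)))
```

The rare-event sum is always at least the exact value, so it is the conservative number to report when cut set probabilities are small; the gap widens as basic-event probabilities grow. The common cause screen flags the two-battery cut set: two components of the same type in one cut set mean a single shared cause (a bad production lot, the same charging fault) could defeat the redundancy, so the qualitative result should be revisited before the 4e-4 cut set probability is trusted.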
