12-FTA - ETA - Combined - Updated 201802

Certified PHA/ HAZOP Leadership
FAULT & EVENT TREE ANALYSIS

(combined Presentation)
Said Khalifa, CSP

HSE and Loss Prevention Consultant
2018
8/11/2017 FTA/ ETA Analysis 1

About Fault Tree Analysis
• Fault tree analysis (FTA) is concerned with the
identification and analysis of conditions and factors that
cause or may potentially cause or contribute to the
occurrence of a defined top event
• FTA is often applied to the safety analysis of systems
(such as transportation systems, power plants, or any
other systems that might require evaluation of safety of
their operation).
• Fault tree analysis can be also used for availability and
maintainability analysis.
• However, for simplicity, in the rest of this presentation,
the term “reliability” will be used to represent these
aspects of system performance.

About FTA, contd.
• There are two types of FTA; qualitative or
quantitative .
• The qualitative one is called “traditional FTA”, no
concern on probability or occurrence of faults/
events.
• The quantitative one use probabilities of occurrence
of events or faults. In this case, the final result is the
probability of occurrence of a top event representing
reliability or probability of fault or a failure.

About FTA, contd.
• Fault Tree Analysis (FTA) is one of the most important logic

and probabilistic techniques used in Probabilistic Risk
Assessment (PRA) and system reliability assessment.
• Fault Trees are deductive method for identifying ways in

which hazards can lead to accident.
• The approach starts with a well defined accident , fault , or

top event, and works backwards towards the various
scenarios that can cause the accident.

Why FTA is Carried Out?
• Identify causes of a failure.
• Monitor and control safety performance of a

complex system.
• To identify the effects of human errors on the

system.
• Minimize and optimize resources.

The Fault Tree
• Fault tree is the logical model of the relationship of the
undesired event to more basic events.
• The top event of the Fault tree is the undesired event.
• The middle events are intermediate events and the

basic events are at the bottom.
• The logic relationship of events are shown by logic

symbols or gates.

Basic Fault Tree Structure

Events of a Fault tree
Basic Event: A lower most event that can not be
further developed.
Intermediate Event: This can be a intermediate

event (or) a top event. They are a result logical
combination of lower level events.
Undeveloped Event: An event which has scope

for further development but not done usually because of
insufficient data.
External Event: An event external to the system

which can cause failure.

Basic Gates Of a Fault tree
OR Gate: Either one of the bottom event
results in the occurrence of the top event.
AND Gate: For the top event to occur all the

bottom events should occur.
Inhibit Gate: The top event occurs

only if the bottom event occurs and
the inhibit condition is true.

STEPS IN CARRYING OUT A FAULT TREE ANALYSIS
1. Identify the objective for the FTA.
2. Define the top event of the FT.
3. Define the scope of the FTA.
4. Define the resolution of the FTA.
5. Define ground rules for the FTA.
* The first five steps involve the problem formulation for an
FTA.
6. Construct the FT.
7. Evaluate the FT.
8. Interpret and present the results.

FAULT TREE CONSTRUCTION`
Consider the following block diagram. Let I/P and O/P be the
input And output terminals. There are two sub-systems A and B
that are connected in series.
X1 X3
INPUT OUTPUT
X2 X4
SUB - SYSTEM (A) SUB - SYSTEM (B)
For this the fault tree analysis diagram shown in next slide

F (S) Top event
OR
intermediate event
F (A) F (B)
AND AND
Basic event
F( X 1) F( X 2) F( X 3) F( X 4)

CONTINUE…..
Here F(x1) , F(x2) , F(x3), F(x4) Are Events Fail…
F (A) = SUB SYSTEM (A) FAILS
F(B) = SUB SYSTEM (B) FAILS
THEN F(A) = F(X1) AND F(X2)
AND F(B) = F(X3) AND F(X4)
FINALLY THE FAILURE OF THE SYSTEM
F(S) = F(A) OR F(B)

CALCULATION OF RELIABILITY FROM FAULT TREE
CONSIDER THE EARLIER BLOCK DIAGRAM
The probability of failure of sub – system (A) is indicated as shown in
below,
P(A) = P (X 1 and X 2)
P(A) = P( X1) * P( X 2)
Similarly for sub – system (B)
P(B) = P( X 3 and X 4)
P(B) = P( X 3) * P( X 4)
FAILURE OCCURS WHEN SUB – SYSTEM (A) or (B) FAIL..,
F (S) = P(A) or P(B) THEN F(S) = P(A) + P(B) – ( P(A) * P(B) )
IF THE RELIABILITY OF THE ELEMENTS ARE GIVEN BY R1,R2,R3,R4
THEN
P( Xi ) = 1 – Ri
RELIABILITY OF SYSTEM R(S) = 1 - F(S)

FTA PROCEDURE

Procedure
Define Top Event:
• Use PHA, P&ID, Process description etc., to define the top event.
• If its too broad, overly large FTA will result. E.g. Fire in process.
• If its too narrow, the exercise will be costly. E.g. Leak in the valve.
• The boundaries for top event definition can be a System, Sub-system,

Unit, Equipment (or) a Function.
• Some good examples are: Overpressure in vessel V1, Motor fails to

start, Reactor high temperature safety function fails etc.,

Procedure
•Define overall structure;
•Determine the intermediate events &
combination of failure that will lead to the top
event.
•Arrange them accordingly using logical
relationship

Procedure, contd.
Solve the Fault Tree:
• Assign probabilities of failure to the lowest
level event in each branch of the tree.
• From this data the intermediate event
frequency and the top level event frequency
can be determined using Boolean Algebra
and Minimal Cut Set methods.

Procedure
Perform corrections and make decisions:
 Application of Boolean Algebra and Minimal Cut Set

theory will result in identifying the basic events(A)
and combination of basic events(B.C.D) that have
major influence on the TOP event
 This will give clear insight on what needs to be

attended and where resources has to be put for
problem solving.
WORKED EXAMPLE
BATTERY POWERED CIRCUIT, BPC
Example

Specifications for the BPC FT
• Undesired top event : Motor does not start
when switch is closed.
• Boundary of the FT : The circuit containing the
motor, battery, and switch.
• Resolution of the FT: The basic components in
the circuit excluding the wiring.
• Initial State of System: Switch open, normal
operating conditions.

FTA worked Example
Motor does not start when switch is closed
Moto fails
to start
OR NO EMF applied to the motor
when EMF
applied
Wire from
battery to
OR No EMF from the battery
motor fails
open
Battery faild
to produce OR NO EMF to Battery
EMF
Wire from
switch to
OR NO EMF across switch
Battery fails
open
Start of Battery Switch fails

OR
Wire from
switch to
to contact motor fails
Powered Circuit, BPC open

WORKED EXAMPLE
POWER SUPPLY TO OPERATIONS THEATRE
For an emergency operation theatre in a hospital, the power is
obtained from the main city supply through a transformer
connected in series. To ensure an uninterrupted supply, an
auxiliary generator is also used with a suitable switch-over. The
probability of failure of the city supply is 0.01 and the
transformer reliability is 0.996. the auxiliary power generator
has a reliability factor of 0.99. draw the block diagram for the
system. Construct the fault tree and, based on this,
calculate the reliability of the system.
mains
transformer Operation
theatre
generator

BLOCK DIAGRAM
INPUT
X1 X2
OUTPUT
X3

Fault tree for problem
F (S)
AND
OR
A Generator
B C
fails
Main fails Transformer fails

SOLUTION
FAILURE OF THE SYSTEM
F (S) = ( P ( X1 ) or P(X 2) ) and P( X 3 )
P ( X 1) = 0.01
P ( X 2) = 1 – 0.996 = 0.004
P ( X 3) = 1 – 0.99 = 0.001
F (S) = ( P (X 1) + P (X 2 ) – ( P (X1 ) * P(X2) ) ) * ( P (X 3 ) )
= ( 0.01 + 0.004 – ( 0.01 * 0.004) ) * (0.001)
F(S) = 0.0001396
FOR RELIABILITY
R(S) = 1- F(S) R(S) = 0.99986
= 1- 0.0001396

Advantages Of FTA
•Deals well with parallel, redundant or alternative fault
paths.
•Searches for possible causes of an end effect which

may not have been foreseen.
•The cut sets derived in FTA can give enormous insight

into various ways top event occurs.
•Very useful tool for focused analysis where analysis is

required for one or two major outcomes.

Disadvantages Of FTA
• Requires a separate fault tree for each top event and
makes it difficult to analyze complex systems.
• Fault trees developed by different individuals are

usually different in structure, producing different cut
set elements and results.
• The same event may appear in different parts of the

tree, leading to some initial confusion.

Applications
• Used in the field of safety engineering and
Reliability engineering to determine the
probability of a safety accident or a particular
system level failure.
• Aerospace Engineering.

EVENT TREE ANALYSIS
ETA
About ETA
• The Event Tree Analysis (ETA) is an inductive logic technique
to model a system with respect to dependability and risk
related measures as well as to identify and assess the
frequency of the various possible outcomes of a given
initiating event.
• According to the IEC 60050(191) the dependability of a system
is defined as the ability to meet success criteria, under given
conditions of use and maintenance.
• The core elements of dependability are the reliability,
availability and maintainability of the item considered.
• Starting from an initiating event the ETA deals with the
question "What happens if..." and thus constructs a tree of
the various possible outcomes.

STEPS INVOLVED IN AN ETA
1. Identify an initiating event of interest.

2. Identify the safety functions designed
to deal with the initiating event.
3. Construct the event tree.
4. Describe the resulting accident event

sequences
EXAMPLE
• Oxidation reactor high temp. Alarm alerts operator at
temp T1.
• Operator re-establish cooling water flow to the
oxidation reactor.
• Automatic shutdown system stops reaction at temp. T2.
( T2 > T1)
These safety functions are listed in the order in which they

are intended to occur.

Cooling Coils
Reactor Feed
Cooling Water Out
Cooling
Water In
Reactor
TIC
Temperature
Controller
TIA
Alarm Thermocouple
at
T > TA
High Temperature Alarm
Figure depicts Reactor with high temperature alarm and temperature controller

Step 1 - Identify the initiating event
• system or equipment failure

• human error
• process upset
[Example]
“Loss of Cooling Water” to an Oxidation Reactor

Step 2 - Identify the Safety Functions Designed to
Deal with the Initiating Event
• Safety system that automatically respond to the initiating

event.
• Alarms that alert the operator when the initiating event

occurs and operator actions designed to be performed in
response to alarms or required by procedures.
• Barriers or Containment methods that are intended to limit

the effects of the initiating event.

Step 3: Construct the Event Tree
a. Enter the initiating event and safety functions.
Oxidation reactor Operator Automatic

SAFETY high temperature Re-establishes shutdown system
FUNCTION alarm alerts operator cooling water flow stops reaction at
at temperature T1 to oxidation reactor temperature T2
INITIATING EVENT:
Loss of cooling water
to oxidation reactor
FIRST STEP IN CONSTRUCTING EVENT TREE

b. Evaluate the safety functions
SAFETY high temperature reestablishes shutdown system
at temperature T1 to oxidation reactor temperature T2
INITIATING EVENT:
Succes
s
Failure
REPRESENTATION OF THE
8/11/2017 FIRST
FTA/ ETA Analysis SAFETY FUNCTION 42
b. Evaluate the safety functions
FUNCTION alarm alerts cooling water flow stops reaction at
operator to oxidation temperature T2
at temperature T1 reactor
INITIATING EVENT:
Succes
s
If the safety function does not affect the course of the
accident, the accident path proceeds with no branch pt
Failure to the next safety function.
REPRESENTATION OF THE SECOND SAFETY FUNCTION
Step 3: b. Evaluate safety functions.
FUNCTION alarm alerts cooling water flow stops reaction at
operator to oxidation temperature T2
at temperature T1 reactor
INITIATING EVENT:
Succes
s
Completed !
Failure
8/11/2017
COMPLETED EVENT TREE
FTA/ ETA Analysis 44
Step 4: Describe the Accident Sequence
at temperature T1
to oxidation reactor temperature T2
B C D
A Safe condition,
return to normal
operation
AC Safe condition,
process shutdown
INITIATING EVENT:
ACD Unsafe condition,
Loss of cooling water runaway reaction,
to oxidation reactor operator aware of
A problem
AB
Unstable condition,
process shutdown
ABD Unsafe condition,
runaway reaction,
Succes operator unaware
s of problem
Failure
8/11/2017
ACCIDENT SEQUENCES
FTA/ ETA Analysis 45
High Temp Operator Operator Operator
Safety Function:Alarm Alerts Notices Re-starts Shuts Down
Operator High Temp Cooling Reactor Result
Identifier: B C D E
Failures/Demand: 0.01 0.25 0.25 0.1
A Continue Operation
0.7425
AD Shut Down
0.99
0.2227
0.247 ADE Runaway
A 5 0.02475
AB Continue Operation
1 0.00562
5
ABD
Initiating Event: Shut Down
0.007 0.00168
Loss of Cooling 5 8
0.00187 ABDE Runaway
1 Occurrence/yr. 0.0001875
5
0.01 ABC Continue Operation
0.00187
5
ABCD
0.002 Shut Down
0.000562
5 5
0.000625 ABCDE Runaway
Shutdown = 0.2227 + 0.001688 + 0.005625 = 0.2250 occurrences/yr. 0.0000625
Runaway = 0.02475 + 0.0001875 + 0.0000625 = 0.02500 occurrences/yr.
Figure 11-9 Event tree for a loss of coolant
8/11/2017 accident
FTA/ ETA for the reactor of Figure 11-8.
Analysis 46
Safety Function
0.01 Failures/Demand
Initiating Success of Safety Function

Event (1-0.01)*0.5 = 0.495 Occurrence/yr.
0.5 Occurrences/yr.
Failure of Safety Function

0.01*0.5 = 0.005 Occurrence/yr.
Figure 11-10 The computational sequence across a safety function

in an event tree.

High Temp Operator Operator Operator Operator
Safety Function:Alarm Alerts Notices Re-starts Shuts Down Shuts Down
Operator High Temp Cooling Reactor Result
Identifier: B C D E F
Failures/Demand: 0.01 0.25 0.25 0.01 0.1
A
Continue Operation
0.7425
AD Shut Down
0.99 0.2450
ADE
0.2475 0.002228 Shut Down
ADEF
0.002475 0.0002475 Runaway
A AB
1 Continue Operation
0.005625
Initiating Event: ABD Shut Down
0.001856
Loss of Cooling 0.00750
ABDE
Shut Down
1 Occurrence/yr. 0.001875 0.00001688
ABDEF
0.00001875 Runaway
0.00000187
5
0.01 ABC
Continue Operation
0.001875
ABCD Shut Down
0.0006187
0.0025
ABCDE
0.000625 0.00000563 Shut Down
ABCDEF
0.00000675 0.00000062 Runaway
5
Shutdown = 0.2450 + 0.001856 + 0.00001688 + 0.0006187 = 0.2475 occurrences/yr.
Runaway = 0.0002475 + 0.000001875 + 0.000000625 = 0.0002500 occurrences/yr.
Figure 11-11 Event tree for the reactor of Figure 11-8. This includes a high temperature shutdown
ADVANTAGES
• Structured, rigorous, and methodical approach.
• Can be effectively performed on varying levels of design

detail.
• Permits probability assessment.

DISADVANTAGES
• An ETA can only have one initiating event, therefore

multiple ETAs will be required to evaluate the consequence
of multiple initiating events.
• Partial successes/failures are not distinguishable.
• Requires an analyst with some training and practical

experience.

Open Discussion
End of Session

12-FTA - ETA - Combined - Updated 201802

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

12-FTA - ETA - Combined - Updated 201802

Uploaded by

Copyright:

Available Formats

Certified PHA/ HAZOP Leadership

FAULT & EVENT TREE ANALYSIS

Said Khalifa, CSP

8/11/2017 FTA/ ETA Analysis 1

8/11/2017 FTA/ ETA Analysis 2

8/11/2017 FTA/ ETA Analysis 3

• Fault Tree Analysis (FTA) is one of the most important logic

• Fault Trees are deductive method for identifying ways in

• The approach starts with a well defined accident , fault , or

8/11/2017 FTA/ ETA Analysis 4

• Identify causes of a failure.

• Monitor and control safety performance of a

• To identify the effects of human errors on the

• Minimize and optimize resources.

8/11/2017 FTA/ ETA Analysis 5

• The top event of the Fault tree is the undesired event.

• The middle events are intermediate events and the

• The logic relationship of events are shown by logic

8/11/2017 FTA/ ETA Analysis 6

8/11/2017 FTA/ ETA Analysis 7

Intermediate Event: This can be a intermediate

Undeveloped Event: An event which has scope

External Event: An event external to the system

8/11/2017 FTA/ ETA Analysis 8

AND Gate: For the top event to occur all the

Inhibit Gate: The top event occurs

8/11/2017 FTA/ ETA Analysis 9

8/11/2017 FTA/ ETA Analysis 10

SUB - SYSTEM (A) SUB - SYSTEM (B)

8/11/2017 FTA/ ETA Analysis 11

8/11/2017 FTA/ ETA Analysis 12

F(B) = SUB SYSTEM (B) FAILS

THEN F(A) = F(X1) AND F(X2)

AND F(B) = F(X3) AND F(X4)

FINALLY THE FAILURE OF THE SYSTEM

F(S) = F(A) OR F(B)

8/11/2017 FTA/ ETA Analysis 13

8/11/2017 FTA/ ETA Analysis 14

8/11/2017 FTA/ ETA Analysis 15

• The boundaries for top event definition can be a System, Sub-system,

• Some good examples are: Overpressure in vessel V1, Motor fails to

8/11/2017 FTA/ ETA Analysis 16

8/11/2017 FTA/ ETA Analysis 17

8/11/2017 FTA/ ETA Analysis 18

 Application of Boolean Algebra and Minimal Cut Set

 This will give clear insight on what needs to be

8/11/2017 FTA/ ETA Analysis 21

8/11/2017 FTA/ ETA Analysis 22

Start of Battery Switch fails

8/11/2017 FTA/ ETA Analysis 23

8/11/2017 FTA/ ETA Analysis 26

8/11/2017 FTA/ ETA Analysis 27

8/11/2017 FTA/ ETA Analysis 28

F (S) = ( P ( X1 ) or P(X 2) ) and P( X 3 )

F (S) = ( P (X 1) + P (X 2 ) – ( P (X1 ) * P(X2) ) ) * ( P (X 3 ) )

= ( 0.01 + 0.004 – ( 0.01 * 0.004) ) * (0.001)

8/11/2017 FTA/ ETA Analysis 29

•Searches for possible causes of an end effect which

•The cut sets derived in FTA can give enormous insight

•Very useful tool for focused analysis where analysis is

8/11/2017 FTA/ ETA Analysis 30

• Fault trees developed by different individuals are

• The same event may appear in different parts of the