
Fault Tree Analysis

Part 1: Introduction
History of Fault Tree Analysis
(1) Developed in 1961-1962 by H. A. Watson of Bell Telephone Lab., as a research
project on the control system of the Air Force Minuteman missile.
(2) First published paper: presented in 1963 at the Safety Symposium jointly
sponsored by the U. of Washington and Boeing.
(3) Came into wide use in the early 1970s.
(4) First applied in the nuclear industry in the 1972 "Reactor Safety Study",
the WASH-1400 project.
(5) Also used for the safety analysis of large chemical plants and of liquefied
natural gas (LNG) plants.
(6) Most PRA projects use Fault Tree Analysis (in combination with Event Tree
Analysis).
General Description
• Fault Tree Analysis (FTA) is a deductive reasoning technique
that focuses on one particular accident event.
• The fault tree itself is a graphic model that displays the various
combinations of equipment faults and failures that can result in
the accident event.
• The solution of the fault tree is a list of the sets of equipment
failures and human/operator errors that are sufficient to result
in the accident event of interest.
• The strength of FTA as a qualitative tool is its ability to break
down an accident into basic equipment failures and human
errors. This allows the safety analyst to focus preventive
measures on these basic causes to reduce the probability of an
accident.
Purpose: Identify combinations of equipment failures
and human errors that can result in an accident event.
When to Use:
a. Design: FTA can be used in the design phase of
the plant to uncover hidden failure modes that
result from combinations of equipment failures.
b. Operation: FTA including operator and procedure
characteristics can be used to study an operating
plant to identify potential combinations of failures
for specific accidents.
Type of Results: A listing of sets of equipment and/or
operator failures that can result in a specific accident.
These sets can be qualitatively ranked by importance.
Nature of Results: Qualitative, with quantitative
potential. The fault tree can be evaluated quantitatively
when probabilistic data are available.
Data Requirements:
a. A complete understanding of how the plant/system
functions.
b. Knowledge of the plant/system equipment failure
modes and their effects on the plant/system.
Staffing Requirements
• One analyst should be responsible for a single fault tree,
with frequent consultation with the engineers, operators,
and other personnel who have experience with the
systems/equipment that are included in the analysis.
• A team approach is desirable if multiple fault trees are
needed, with each team member concentrating on one
individual fault tree. Interactions between team members
and other experienced personnel are necessary for
completeness in the analysis process.
Time and Cost Requirements: Time and cost
requirements for FTA are highly dependent on the
complexity of the systems involved. Modeling a
small process unit could require a day or less with an
experienced team. Large problems, with many potential
accident events and complex systems, could require
several weeks even with an experienced analysis team.
Figure 1 Batch reactor system (diagram not reproduced; labelled components: HIGH TEMP
EMERGENCY SHUT-OFF VALVE, INTERLOCK with temperature switch TIS, BURSTING DISC, FLOW
CONTROLLER FRC, FLOW CONTROL VALVE, feeds MATERIAL A and MATERIAL B)
Figure 2 Fault tree analysis of batch reactor explosion (diagram not reproduced; its
events and data are listed below as an indented tree, with gate types inferred from the
figure's values: OR gates add, AND gates multiply)
REACTOR EXPLOSION, 3.6 × 10^-4 F/YR [AND gate]
  RUNAWAY REACTION, 1.8 × 10^-2 F/YR [AND gate]
    FLOW CONTROL LOOP FAILS, 0.3 F/YR [OR gate]
      FLOW CONTROLLER FAILS, 0.2 F/YR
      VALVE STICKS OPEN, 0.1 F/YR
    TEMPERATURE INTERLOCK FAILS, 0.06 probability of failure on demand [OR gate]
      THERMOCOUPLE & RELAY FAIL, 0.05 probability of failure on demand
      VALVE FAILS TO CLOSE, 0.01 probability of failure on demand
  BURSTING DISC FAILS, 0.02 probability of failure on demand
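As an added example (not part of the slides), the Figure 2 tree written in Python so the figure's numbers can be rechecked: the tuple node layout, the function names and the unit checks are my assumptions, and the evaluation uses the rare-event approximation that the figure's values follow (OR gates add, AND gates multiply).

```python
# Added example (not from the slides): the Figure 2 fault tree as nested tuples, so the
# top-event frequency can be recomputed from the basic-event data shown on the figure.
# Gate node: (gate, name, [children]); basic event: ("BASIC", name, value, unit).
FREQ, PROB = "F/YR", "prob. of failure on demand"

TREE = ("AND", "REACTOR EXPLOSION", [
    ("AND", "RUNAWAY REACTION", [
        ("OR", "FLOW CONTROL LOOP FAILS", [
            ("BASIC", "FLOW CONTROLLER FAILS", 0.2, FREQ),
            ("BASIC", "VALVE STICKS OPEN", 0.1, FREQ)]),
        ("OR", "TEMPERATURE INTERLOCK FAILS", [
            ("BASIC", "THERMOCOUPLE & RELAY FAIL", 0.05, PROB),
            ("BASIC", "VALVE FAILS TO CLOSE", 0.01, PROB)])]),
    ("BASIC", "BURSTING DISC FAILS", 0.02, PROB)])

def evaluate(node):
    """Return (value, unit) for a node using the rare-event approximation."""
    if node[0] == "BASIC":
        return node[2], node[3]
    gate, name, children = node
    values, units = zip(*(evaluate(child) for child in children))
    if gate == "OR":
        # Rare events: P(B or C) ~= P(B) + P(C); the inputs must share a unit.
        if len(set(units)) != 1:
            raise ValueError(f"OR gate {name!r} mixes frequencies and probabilities")
        return sum(values), units[0]
    if gate == "AND":
        # One initiating frequency times demand probabilities is still a frequency;
        # multiplying two frequencies is dimensionally meaningless, so reject it.
        if units.count(FREQ) > 1:
            raise ValueError(f"AND gate {name!r} multiplies two frequencies")
        product = 1.0
        for value in values:
            product *= value
        return product, FREQ if FREQ in units else PROB
    raise ValueError(f"unsupported gate {gate!r}")

def gate_table(node, rows=None):
    """Collect (name, value, unit) for every gate, top event first."""
    rows = [] if rows is None else rows
    if node[0] != "BASIC":
        value, unit = evaluate(node)
        rows.append((node[1], value, unit))
        for child in node[2]:
            gate_table(child, rows)
    return rows

if __name__ == "__main__":
    for name, value, unit in gate_table(TREE):
        print(f"{name:30s} {value:.1e} {unit}")
```

The unit check is the caveat a reviewer of a quantified tree looks for first: an AND gate that multiplies two frequencies, or an OR gate that adds a frequency to a probability, produces a number that looks plausible but has no meaning.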
Table 2.1 Gate Symbols (the gate drawings of the original table are not reproduced)
No.  Gate Name                                 Causal Relation
1    AND gate                                  Output event occurs if all input events occur simultaneously.
2    OR gate                                   Output event occurs if any one of the input events occurs.
3    Inhibit gate                              Input produces output when conditional event occurs.
4    Priority AND gate                         Output event occurs if all input events occur in the order from left to right.
5    Exclusive OR gate                         Output event occurs if one, but not both, of the input events occurs.
6    m out of n gate (voting or sample gate)   Output event occurs if m out of n input events occur.

Table 2.2 Event Symbols (the symbol drawings of the original table are not reproduced)
No.  Event Symbol   Meaning of Symbol
1    Circle         Basic event with sufficient data
2    Diamond        Undeveloped event
3    Rectangle      Event represented by a gate
4    Oval           Conditional event used with inhibit gate
5    House          House event. Either occurring or not occurring
6    Triangles      Transfer symbol


Classification of Failures
• Sudden versus gradual failures
• Hidden versus evident failures
• According to effects (critical, degraded or
incipient)
• According to severity (catastrophic, critical,
marginal or negligible)
• Primary failure, secondary failure and
command fault
Component Failure Characteristics
• Primary failure: component within design
envelope (natural aging)
• Secondary failure: excessive stresses
(neighboring components, environment,
plant personnel)
• Command fault: inadvertent control signals
or noises (neighboring components,
environment, plant personnel)
COMPONENT FAILURE CHARACTERISTICS
Primary Faults and Failures
Primary faults and failures are equipment malfunctions that occur in the
environment for which the equipment was intended. These faults or failures are
the responsibility of the equipment that failed and cannot be attributed to some
external force or condition.
• Fault in the component itself • Not overloaded • Repair required

Secondary Faults and Failures


Secondary faults and Failures are equipment malfunctions that occur in an
environment for which the equipment was not intended. These faults or failures
can be attributed to some external force or condition.

• Not a fault in the component itself • Exceeds design load • Repair required

Command Faults and Failures
Command faults and failures are equipment malfunctions in which the component
operates properly but at the wrong time or in the wrong place. These faults or
failures can be attributed to the source of the incorrect command.
• Not a fault in the component itself • Does not exceed design load • No repair required

When the exact failure mode for a primary or secondary failure is identified, and
failure data are obtained, primary and secondary failure events are the same as
basic failures and are shown as circles in a fault tree.
[ EXAMPLE ]
1) Primary
• Tank rupture due to metal fatigue
2) Secondary
• Fuse is opened by excessive current
• Earthquake cracks storage tanks
• Pressure vessel rupture because some fault external to the vessel
causes the internal pressure to exceed the design limits.
3) Command
• Power is applied inadvertently to relay coil.
• Noisy input to safety monitor randomly generates spurious shutdown
signals.
Boolean Algebra
The following identities were given as gate diagrams (not reproduced); each is written
here as an expression for the output event A.
• AND: all the inputs are required to cause the output. Commutative law:
A = B AND C = C AND B.
• Inclusive OR: any input or combination of inputs will cause the output.
Commutative law: A = B OR C = C OR B.
• Exclusive OR: B or C, but not both, cause the output A: A = B EOR C.
• A gate with a single input B reduces to that input: A = EOR(B) = OR(B) = B.
• Associative law for AND: A = B AND C AND D = B AND (C AND D).
• Associative law for OR: A = B OR C OR D = B OR (C OR D).
• EOR with more than two inputs: A = B EOR C EOR D = B "EOR" (C EOR D), where the
output occurs for odd combinations of the inputs.
• Distributive law: A = B AND (C OR D) = (B AND C) OR (B AND D).
• OR with a negligible input: A = B OR L, where L has very low probability, reduces
to A = B.
• AND with a negligible input: A = B AND L, where L has very low probability, is
itself an event of very low probability.
• A = B OR (C AND L), where L has very low probability, reduces to A = B.
• AND with a near-certain input: A = B AND H, where H has very high probability,
reduces to A = B.
• OR with a near-certain input: A = B OR H, where H has very high probability, is
itself an event of very high probability.
• A = B AND (C OR H), where H has very high probability, reduces to A = B.
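As an added example (not part of the slides), a Python reduction of a fault tree to its minimal cut sets, which is how the "solution of the fault tree" described in the introduction is obtained from the distributive and absorption laws above; the tuple tree format, the function names and the constructed probabilities are my assumptions.

```python
# Added example (not from the slides): reduce a fault tree to its minimal cut sets using the
# laws the slides show. Sets ignore order and grouping (commutative, associative laws),
# AND expands by the distributive law, and absorption (B OR (B AND C) = B) prunes the result.
# Tree: ("AND" | "OR", [children]); a basic event is its name. Only coherent AND/OR gates
# are handled; EOR, inhibit and priority gates need extra modelling and are not covered.

def cut_sets(node):
    """Return the minimal cut sets of `node` as a set of frozensets of basic events."""
    if isinstance(node, str):                # a basic event is its own only cut set
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)  # any one input alone causes the output
    elif gate == "AND":
        combined = {frozenset()}
        for sets in child_sets:              # distributive law, one input at a time;
            combined = {a | b for a in combined for b in sets}  # B AND B = B by union
    else:
        raise ValueError(f"unsupported gate {gate!r}")
    return minimize(combined)

def minimize(sets):
    """Absorption law: a cut set that contains another cut set is redundant."""
    return {s for s in sets if not any(t < s for t in sets)}

def rare_event_probability(sets, probs):
    """P(top) ~= sum over minimal cut sets of the product of basic-event probabilities."""
    total = 0.0
    for s in sets:
        product = 1.0
        for event in s:
            product *= probs[event]
        total += product
    return total

# Constructed trees mirroring identities from the slides.
DISTRIBUTIVE = ("AND", ["B", ("OR", ["C", "D"])])   # = (B AND C) OR (B AND D)
ABSORPTION = ("OR", ["B", ("AND", ["B", "C"])])     # = B
NEGLIGIBLE = ("OR", ["B", ("AND", ["C", "L"])])     # L: very low probability, ~= B

if __name__ == "__main__":
    print(sorted(sorted(s) for s in cut_sets(DISTRIBUTIVE)))   # [['B', 'C'], ['B', 'D']]
    print(sorted(sorted(s) for s in cut_sets(ABSORPTION)))     # [['B']]
    probs = {"B": 0.1, "C": 0.1, "L": 1e-6}
    print(rare_event_probability(cut_sets(NEGLIGIBLE), probs))  # 0.1000001, i.e. ~= P(B)
```

Run on the Figure 2 tree, the same function returns four cut sets of three events each, every one containing the bursting disc failure, which is what makes that single event the dominant target for preventive measures.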
