Lecture Fault and Event Trees 2012
Fault Trees
Fault trees provide a systematic method for investigating all the events that may lead to a
particular failure event. They are a useful diagnostic tool for identifying failure paths and
critical events.
A fault tree starts with the failure event to be analysed and works through all events that could
possibly lead to that failure. These events are similarly analysed until “basic events” are reached.
The basic events are the events for which probabilities can be calculated.
Symbolism (Optional)
Basic event (circle): The circle describes a basic fault event that requires no further development. Frequency and mode of failure of items so identified are derived from empirical data.
Basic event (circle within a diamond): The circle within a diamond indicates a subtree that was evaluated separately and the quantitative results inserted as a basic fault event.
Basic event (diamond): The diamond describes a fault event that is considered basic in a given fault tree. The possible causes of the event are not developed because the event is of insufficient consequence or the necessary information is not available.
Combination event (rectangle): The rectangle identifies an event that results from the combination of basic events through the input logic gates.
Transferred event (triangle): The triangles are used as transfer symbols. A line from the apex of the triangle indicates a transfer in; a line from the side indicates a transfer out.
Switch (house): The house is used as a switch to include or eliminate parts of the fault tree, as those parts may or may not apply in certain situations.
NOT gate: NOT gates define the situation whereby the logical state of an event is reversed.
Example
[Figure: example fault tree for the head event "Chip in eye (grinding)". Node labels recovered from the figure, by row:
Head event: Chip in eye (grinding)
Second row: Person without safety glasses other than operator close to operation; Operator fails to wear safety glasses
Third row: Motive to go into area; Machine operating; Safety glasses not worn by non-operators; Operator fails to stop operation
Fourth row: Person enters area to bring item; Person enters to carry away item; Person enters area for other reason
The AND/OR gate types are not recoverable from the page.]
The tree begins with a head node or head event. This event is a failure for which causes are to
be determined. The second row of the tree consists of events that cause the head event.
Similarly the third row events cause the second row events.
Sub-events that have to occur simultaneously to cause an event have an AND linkage. Sub-
events that can occur independently and still cause the event have an OR linkage.
The bottom row of the tree consists of events that cannot be decomposed, or for which there is no
need to decompose.
Care has to be exercised not to skip a step in the logic of the tree.
The head event may be a failure event or a loss relating to that failure. “If the head event is
chosen to be the loss then there will be a branch of the tree that considers the failure of the loss
control system. If the head event is chosen to be the failure event itself then only the events
leading to the event will be considered.” (Cross, 1992)
Probability Evaluation
The probability of the head event occurring can be determined through the tree from the
probabilities of sub events. The probability of events related to their sub-events by an AND gate
is the probability of the intersection of the sub-events. The probability of events related to their
sub-events by an OR gate is the probability of the union of the sub-events.
[Figure: fault tree with head event A; B and C lie beneath A through an AND gate, and D and E lie beneath C through an OR gate.]
Thus
P (A) = P (B ∩ C)
= P (C | B) P (B)
and
P (C) = P (D ∪ E)
= P (D) + P (E) – P (D ∩ E)
If B and C are mutually exclusive (if one occurs the other will definitely not occur)
P (B ∩ C) = 0
If B and C are fully correlated (if one occurs the other definitely will occur)
P (B ∩ C) = P (B) = P (C)
Commonly, independence is assumed. However, failure events are usually at least partially
correlated. In this case assuming independence underestimates the probability.
Other Aspects
The development of fault trees is a good discipline for examining causes of an accident and leads
to systematic breakdown of causes. This is even without the quantitative aspects.
Fault trees may also be examined qualitatively to give indicative results. If a tree is too big,
analysing branches with dominant probabilities and ignoring others can be used to prune it.
Having evaluated a probability associated with the head event, a response may then be developed
to the associated risk. Should this probability lead to an unacceptable risk, the tree may be
examined to see in which parts event probabilities can be changed, or even events eliminated.
Decision Making
Fault trees can be used in decision making by carrying out the analysis in iterations, each time
changing something or some data in the tree, typically to see the effect on the probability of the
head event. This is akin to a ‘what if’ analysis. Alternatively, the trade-offs between the costs of
various changes can be compared.
Fault trees can be used to identify failure modes and sequences of events leading to failure.
Human nature tends to want to eliminate failure modes and failure sequences, or reduce their
probability of occurrence. In such an approach, the probability associated with the head event is
less important than the understanding of the failure problem gained.
Probability Estimates
Probabilities of events may be difficult to obtain in many instances, particularly those related to
human error and to rare events. In many cases best guesses are all that are available.
Probabilities relating to equipment, component and similar failures may be obtained through
historical or test data. Those associated with financial trends and legal matters may be obtained
by seeking the opinions of a number of people.
Given that the probability estimates may lack accuracy, it is important to perform sensitivity
analyses on the fault tree. Analyses need to be carried out over the whole range of event
probabilities. This may mean that the head event probability may only be accurate to an order of
magnitude, or worse. Decisions can then be made in this light.
Common mode failures are failures occurring more than once in a fault tree. These tend to have
a high influence on head event probability.
Human Factors
Often equipment reliability does not just rely on the equipment itself. For example it may not be
properly maintained. This can be particularly important in the case of a backup system. If the
main system has not been looked after properly then the backup system will not have been. Thus
what normally dramatically decreases the failure probability of a system may have little or no
effect. (The failure of the main and backup systems will not be independent events.)
Event Trees
An event tree differs from a fault tree in that it starts with an initiating event and traces its
consequences through various events. The initiating event may be an accident or some other
undesirable event. Developing an event tree allows systematic examination of all adverse
consequences.
[Figure: event tree. The initiating event A branches to the first subsequent events B (0.2) and C (0.8); B branches to the second subsequent events D (0.3) and E (0.7).]
The probability associated with the occurrence of any event is the product of the conditional
probabilities of all events lying on the associated path. For example
P (D | A) = P (B | A) P (D | B) = 0.06
Fault trees and event trees can be used together. For example the probability of an event in an
event tree can be evaluated from a fault tree with that event as the head event.
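As an added illustration that is not part of the lecture notes, a small Python evaluator for the two calculations above: the AND/OR fault tree from the Probability Evaluation section (A = B AND C, C = D OR E) evaluated under the independence assumption, and the event tree above, where each outcome's probability is the product of the conditional probabilities along its path. The basic-event probabilities for the fault tree are constructed sample values, and the class and function names are mine; the last line shows the two tools used together, with a branch probability of the event tree taken from the fault tree's head event.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Basic:          # basic event (circle or diamond) with an estimated probability
    name: str
    p: float

@dataclass
class Gate:           # combination event (rectangle) fed by an AND or OR logic gate
    name: str
    kind: str         # "AND" or "OR"
    inputs: list      # Basic or Gate nodes

def prob(node):
    """Fault-tree event probability assuming independent basic events.
    AND: P(intersection) = product of inputs.  OR: P(union) = 1 - prod(1 - P),
    which for two inputs equals P(D) + P(E) - P(D)P(E), the union formula above."""
    if isinstance(node, Basic):
        return node.p
    ps = [prob(n) for n in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

# Fault tree from the notes: A = B AND C, C = D OR E. The basic-event
# probabilities are constructed sample values, not from the lecture.
D, E = Basic("D", 0.2), Basic("E", 0.3)
C = Gate("C", "OR", [D, E])                 # P(C) = 1 - 0.8*0.7 = 0.44
A = Gate("A", "AND", [Basic("B", 0.5), C])  # P(A) = 0.5 * 0.44 = 0.22

def event_tree_outcomes(branches, path=(), p=1.0):
    """Walk an event tree given as [(event, conditional probability, sub-branches
    or None), ...]; each outcome's probability is the product along its path."""
    out = {}
    for name, cond_p, sub in branches:
        new_path, new_p = path + (name,), p * cond_p
        if sub is None:
            out[new_path] = new_p
        else:
            out.update(event_tree_outcomes(sub, new_path, new_p))
    return out

# Event tree from the notes: A -> B (0.2) -> D (0.3) | E (0.7); A -> C (0.8).
EVENT_TREE = [("B", 0.2, [("D", 0.3, None), ("E", 0.7, None)]), ("C", 0.8, None)]

# Used together: the branch probability for A is taken from the fault tree with A as head.
LINKED_TREE = [("A", prob(A), [("D", 0.3, None), ("E", 0.7, None)]), ("not A", 1 - prob(A), None)]
```

The outcome probabilities of each event tree sum to 1, which is a quick check that no branch has been left out.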
1) In the following diagram P(A) = 0.5, P(B) = 0.4 and P(C) = 0.6. Determine P(D) if events
A,B and C are all independent of each other.
[Diagram: fault tree with head event D and inputs A, B and C; the gate structure is not recoverable from the page.]
2) In the following diagram A and C are mutually exclusive events, while B is independent of
both A and C. Calculate P(D) given that P(A) = 0.2, P(B) = 0.5 and P(C) = 0.3.
[Diagram: fault tree with head event D and inputs A, B and C; the gate structure is not recoverable from the page.]
3) A piece of equipment contains several high voltage cables and is located where the public
passes close by. The probability that a cable will be loose where someone can touch it is 0.1.
The probability that a person would touch a loose cable is 0.6. The probability that the
equipment would become wet with a “live” puddle of water around it is 0.2. The probability
that someone would step in the puddle is 0.8.
a) Draw the fault tree for this situation.
b) Calculate the probability that someone would become electrocuted assuming that all of
the events are independent.
4) A spacecraft traveling to the moon consists of two parts: a lunar module, used for landing on
the moon, and a reentry module, used for returning to Earth. Both modules are connected by
an airlock. 80% of the time the astronauts are all in the same compartment and the airlock is
closed. The astronauts are in the lunar module for half of this time and in the reentry module
for the other half. If a meteor strikes the module containing the astronauts, or strikes while the
airlock is open, then the astronauts will die. If the astronauts are in the reentry module and the
meteor hits the lunar module then the astronauts will jettison the lunar module and return
safely to Earth. If the astronauts are in the lunar module and the meteor hits the reentry
module then the astronauts need to get into their space suits and try to make repairs. They
have a 40% chance of being successful at this, otherwise they have no way of returning to
Earth. Draw an event tree for the event that a meteor hits the spacecraft and determine the
probability that the astronauts will return safely to Earth.