Intro to Fault Tree Analysis

The NASA Fault Tree Handbook with Aerospace Applications

This is a break from the usual format of this site. I’m highly recommending that as your review materials and prepare for the CRE exam or prepare to conduct an FTA, you read this NASA document as an intro to fault tree analysis.

For a review, I suggest the first chapter or two. If working in the aerospace industry, you should print and use a copy.

The following is an extended excerpt from the first section of the document.

1.1 Introduction and Intended Readers

This handbook is an update of the original Fault Tree Handbook published in 1981 [1]. It is written for the informed reader who has some knowledge of system analysis and has knowledge of basic mathematics. This handbook is intended for system analysts, system engineers, and managers. No previous knowledge or training in statistics, reliability, or risk analysis is assumed. Basic concepts of statistical analysis, reliability analysis, and risk analysis are presented in relevant chapters and in the appendices.

This updated version of the Fault Tree Handbook is entitled Fault Tree Handbook with Aerospace Applications or AFTH for short. The AFTH presents the basic principles and procedures for Fault Tree Analysis (FTA), with an emphasis on Aerospace applications. The AFTH is organized into two major parts.

The first part of the handbook describes the concepts, steps, tools, and uses of FTA. FTA is a deductive, failure-based approach. As a deductive approach, FTA starts with an undesired event, such as failure of a main engine, and then determines (deduces) its causes using a systematic, backward-stepping process. In determining the causes, a fault tree (FT) is constructed as a logical illustration of the events and their relationships that are necessary and sufficient to result in the undesired event, or top event. The symbols used in an FT indicate the type of events and type of relationships that are involved. The FT is a qualitative model that provides extremely useful information on the causes of the undesired event. The FT can also be quantified to provide useful information on the probability of the top event occurring and the importance of all the causes and events modeled in the FT. This handbook leads the reader through FTA. Particular details can be skipped if the reader desires only an overview of FTA and instead wants to focus on its uses to assist decision-making.

In addition to FTA, inductive approaches are also used in safety analysis and in risk and reliability analysis. In contrast to the deductive approach used in FTA, inductive approaches are forward-stepping approaches that begin with a basic cause or initiating event and then investigate (induce) the end effects. Both FTA and inductive approaches are failure-based. The advantages
of failure-based approaches are also discussed.

An FT can be transformed into its logical complement, a success tree (ST) that shows the specific ways the undesired event can be prevented from occurring. The ST provides conditions that, if assured, guarantee that the undesired event will not occur. The ST is a valuable tool that
provides equivalent information to the fault tree but from a success viewpoint. Techniques for transforming the FT to its ST are described along with uses of the ST.

The uses of FTA to assist decision-making are described in this AFTH. FTA provides critical information that can be used to prioritize the importance of the contributors to the undesired event. The contributor importances provided by FTA vividly show the causes that are dominant and that should be the focus of any safety or reliability activity. More formal risk-benefit
approaches can also be used to optimally allocate resources to minimize both resource expenditures and the occurrence probability of the undesired event. These risk-benefit Fault Tree Handbook with Aerospace Applications
approaches are useful for allocating resource expenditures, such as safety upgrades to complex systems like the Space Shuttle.

FTA can be applied to both an existing system and to a system that is being designed. When it is applied to a system being designed for which specific data do not exist, FTA can provide an estimate of the failure probability and the important contributors using generic data to bracket the design components or concepts. FTA can also be used as an important element in the development of a performance-based design. When applied to an existing system, FTA can be used to identify weaknesses and to evaluate possible upgrades. It can also be used to monitor and predict behavior. Furthermore, FTA can be used to diagnose causes and potential corrective
measures for an observed system failure. The approaches and tools to obtain this information and the applications of this information in decision-making are important topics of the AFTH.

The second part of the AFTH contains examples of the application of FTA in studies that have been previously performed. The focus is on aerospace applications. The examples include the rupture of a pressure tank (a classic FTA example), failure to initiate and terminate thrust in a monopropellant propulsion system, failure of a redundant container seal (design analysis), and a dynamic FT analysis of a mission avionics system.

1.2 The Fault Tree Approach

FTA can be simply described as an analytical technique, whereby an undesired state of the system is specified (usually a state that is critical from a safety or reliability standpoint), and the system is then analyzed in the context of its environment and operation to find all realistic ways in which the undesired event (top event) can occur. The fault tree itself is a graphic model of the various parallel and sequential combinations of faults that will result in the occurrence of the predefined undesired event. The faults can be events that are associated with component hardware failures, human errors, software errors, or any other pertinent events which can lead to the undesired event. A fault tree thus depicts the logical interrelationships of basic events that lead to the undesired event, the top event of the fault tree.

It is important to understand that a fault tree is not a model of all possible system failures or all possible causes for system failure. A fault tree is tailored to its top event that corresponds to some particular system failure mode, and the fault tree thus includes only those faults that contribute to this top event. Moreover, these faults are not exhaustive—they cover only the faults that are assessed to be realistic by the analyst.

It is also important to point out that a fault tree is not in itself a quantitative model. It is a qualitative model that can be evaluated quantitatively and often is. This qualitative aspect, of course, is true of virtually all varieties of system models. The fact that a fault tree is a particularly convenient model to quantify does not change the qualitative nature of the model itself.

Intrinsic to a fault tree is the concept that an outcome is a binary event i.e., to either success or failure. A fault tree is composed of a complex of entities known as “gates” that serve to permit or inhibit the passage of fault logic up the tree. The gates show the relationships of events needed for the occurrence of a “higher” event. The “higher” event is the output of the gate; the “lower” events are the “inputs” to the gate. The gate symbol denotes the type of relationship of the input events required for the output event. Figure 1-1 shows a simple fault tree