fault trees

Upload: djordje-anatasovic

Post on 03-Jun-2018


  • 8/12/2019 Fault Trees

    1/29

    FAULT TREES

    The aim of this learning session is to introduce what is probably the most essential element of modern risk assessment studies: the fault tree.

    You can learn from this session:

    (i) how to draw fault and success trees
    (ii) how to compute the probabilities for a range of complicated hazards
    (iii) how to find cut and tie sets for critical systems considerations

    More advanced issues:

    (i) how to find a structure function bridging assessment and analysis
    (ii) Boolean reduction to a minimal tree (esp. coherence)

    2/29

    FAULT TREES

    Fault trees are a method of breaking a failure into contributing factors. The logical arrangement of those factors can be examined, as well as the contribution/criticality of each to the total.

    Trees are connected digraphs (directed graphs) that do not contain cycles.

    If the 'branching' is always into two parts the tree is called a BINARY TREE.

    When trees are joined together (if there are still no cycles) the result is called a FOREST.

    Every node except the root has exactly one arc towards the root/top (OUTDEGREE one); the root itself has outdegree zero. A node can have any integer number of branches below it (INDEGREE); leaves have indegree zero.

    Logic (revision)

    The study of truth and falsehood is a necessary background to the study of fault trees.

    Consider:

    1) Elephants are grey - true
    2) Elephants are pink - false
    3) Fish swim - true
    4) Fish whistle - false

    Let's ask a 5-year-old child the two questions:

    a) What colour are elephants?
    b) What do fish do in the sea?

    The child is given a 'clever kid' badge if s/he answers both questions correctly. There are in fact four possible results:

        Question (a) answer | Question (b) answer | Reward
        i   Pink | Whistle | No
        ii  Pink | Swim    | No
        iii Grey | Whistle | No
        iv  Grey | Swim    | Yes

    If this table of results is expressed in terms of whether each answer is correct, and the number of rewards, it follows:

        (a) correct | (b) correct | Reward
        No  | No  | No
        No  | Yes | No
        Yes | No  | No
        Yes | Yes | Yes

    The reward requires both answers to be correct: this is the AND relation that the gates below formalise.

    7/29

    Examples of top events:

    1) Wheels up on landing
    2) Fire
    3) Irretrievable loss of primary test data
    4) Pandemic of Asian Bird Flu
    5) London Olympic Project overruns by more than 1…

    8/29

    Other gates sometimes used:

    Octagons are 'inhibit gates', which make the output of any gate zero unless a specified condition is met. An inhibit gate is equivalent to an additional AND gate if written more logically.

    House events are normally expected to occur, and have probability 1.

    9/29

    Gate name | Truth table (inputs A, B; output C) | Set notation | Math (P(C) from P(A), P(B), independent inputs)

    AND
        A B | C
        F F | F
        F T | F
        T F | F
        T T | T
        C = A ∩ B                    C = AB

    OR
        A B | C
        F F | F
        F T | T
        T F | T
        T T | T
        C = A ∪ B                    C = A + B - AB

    NOT
        A | C
        F | T
        T | F
        C = A'                       C = 1 - A

    NAND (not and)
        A B | C
        F F | T
        F T | T
        T F | T
        T T | F
        C = (A ∩ B)'                 C = 1 - AB

    NOR (not or)
        A B | C
        F F | T
        F T | F
        T F | F
        T T | F
        C = (A ∪ B)'                 C = 1 - A - B + AB

    XOR (exclusive or)
        A B | C
        F F | F
        F T | T
        T F | T
        T T | F
        C = (A ∩ B') ∪ (A' ∩ B)      C = A(1 - B) + B(1 - A)

    XNOR (exclusive nor)
        A B | C
        F F | T
        F T | F
        T F | F
        T T | T
        C = (A ∩ B) ∪ (A' ∩ B')      C = AB + (1 - A)(1 - B)

    In the Math column A and B stand for the probabilities of the input events, which are assumed independent; the gate icons of the original are not reproduced.

    Note that the logical theory and logic gates have developed far beyond this level. There is value in some of the other types of gate to research these models, for example amplifiers and flip-flops to study importance and memory.

    10/29

    Short classroom exercise in small teams (10 mins only):

    - draw a fault tree for 'losses' in this classroom

    11/29

    COMMON CAUSE FAILURES

    In this simple fault tree there are four intruder detection systems. There is a great deal of redundancy and a very tiny chance of non-detection.

    BUT

    What if all four detectors work from the same power supply?

    This is an example of a common-cause failure. Another entire branch needs to be added to the tree to correct the oversight: the shared power supply is a single event that defeats all four detectors at once, so it enters the tree as an OR input alongside the AND of the four independent detector failures.

    It is a necessity to LOOK for common causes on every tree drawn. Some typical examples are:

        Common common causes     | Common solutions
        Electricity              | Separation
        Coolant                  | Insulation
        Pneumatic pressure       | Shields
        Steam                    | Independent redundant parts
        Utilities                | Independent inspectors/operators
        Moisture                 | Resilience
        Corrosion                |
        Seismic disturbance      |
        Dust                     |
        Heat/cold                |
        EMP                      |
        Same/single operator     |

    It is good practice to note all the applicable causes from this list with a letter such as 'c' for corrosion on each event of a tree.

    12/29

    The NFPA Fire Safety Concepts tree

    13/29

    TREES WITH PROBABILITY

    Having completed the mathematical examples above, this is largely an iteration of the procedure: evaluate each gate's probability from its inputs with the Math column of the gate table, working from the leaves up to the top event.


    14/29

    Let's use a very simple ranking scale:

    Note that input probabilities are much greater than output probabilities from trees. This is for the same reason as rolling one die compares to rolling 10 dice.

    This is not quite a simple 0 to 1 scale because no one would run a business where a serious system failure was more than 1…

    15/29

    It follows:

    16/29

    Exercise part 2 (10 mins)

    Rank the leaves on your tree and find P(top event).

    17/29

    SUCCESS TREES

    A success tree is the logical conjugate of a fault tree. It begins with a top event that is a good thing and proceeds to consider factors that contribute to that positive result. Usually the success tree is drafted from the fault tree as a means to check the logic of both. There are three steps in this process:

    1) redraw the tree but omit gates and words
    2) substitute AND gates instead of OR gates and vice versa
    3) write the logical 'NOT' opposite in each box (avoiding double negatives)

    Example:

    Success tree | Fault tree (the diagrams are not reproduced in the transcript)

    As an example of the value of drawing a success tree, consider what you might include as contributing factors on a fault tree with 'fire' as the top event; for example 'arson'. Upon transformation into a success tree you have fire prevention factors such as 'arson control', but you do not have factors such as 'sprinkler system' because that doesn't cause a fire.

    Furthermore, estimates of safety help to refine estimates of risk by bracketing the true value.

    18/29

    CUT SETS

    These will be extensively met in the section on engineering reliability. A cut set is a group of components such that, when all in the group fail, the entire system fails. A minimal cut set is an irreducible cut set, such that if any one member does not fail the system can maintain operation. Project managers will be more familiar with jargon such as 'critical paths' and 'key persons'.

    1. Graphical method

    Consider a tree (gate 1 is an AND of gates 2 and 3; gate 2 is an OR of leaves A and B; gate 3 is an AND of leaves C and D):

    Intermediate events do not matter in this method. Number all the gates and letter-label all the leaves. Now make a table and start with the first gate number in the first box:

        1

    Now proceed down the tree replacing the gate '1' by its inputs:

        OR gate: vertical replacement
        AND gate: horizontal replacement

    In this example gate '1' is an AND gate with inputs 2, 3, so the '1' on the table is replaced horizontally by 2, 3:

        2 3

    19/29

    The next gate in the table is '2', which is an OR gate with inputs A, B. So the '2' is replaced vertically by A and B, and the '3' is dragged downwards (duplicated by the OR gate):

        A 3
        B 3

    20/29

    The only remaining number is '3', an AND gate (horizontal) with inputs C and D:

        A C D
        B C D

    Once all the gates have been replaced the answer is in front of us! There are two cut sets for this tree: ACD and BCD; the top event can only occur if one of these cut-set combinations occurs. They are critical to system failure.

    Having obtained the minimal cut sets from the example it is possible to draw the cut-set-equivalent tree: an OR gate at the top whose inputs are one AND gate per minimal cut set, each AND gate fed by the leaves of that cut set.

    This tree has at most two gates between any leaf and the top event. Note that some events occur more than once as leaves. As a rule of thumb, a tree with many OR gates will yield many minimal cut sets of low order (small sets). By comparison, many AND gates will lead to a small number of cut sets, each consisting of many terminal events.

    The probability of the top event can also be computed rapidly from the cut sets:

    $$P(\text{Top}) = P(\text{CutSet}_1 \cup \text{CutSet}_2 \cup \dots \cup \text{CutSet}_n) = P\Big(\bigcup_{i=1}^{n} \text{CutSet}_i\Big)$$

    For this example there are only two cut sets:

    $$P(\text{Top}) = P(ACD \cup BCD) = P(ACD) + P(BCD) - P(ACD \cap BCD) = P_A P_C P_D + P_B P_C P_D - P_A P_B P_C P_D$$

    For three cut sets:

    $$P(\text{Top}) = P(CS_1) + P(CS_2) + P(CS_3) - P(CS_1 CS_2) - P(CS_1 CS_3) - P(CS_2 CS_3) + P(CS_1 CS_2 CS_3)$$

    For four cut sets:

    $$P(\text{Top}) = \sum_{i} P(CS_i) - \sum_{i<j} P(CS_i CS_j) + \sum_{i<j<k} P(CS_i CS_j CS_k) - P(CS_1 CS_2 CS_3 CS_4)$$

    The pattern (alternating sums over single, double, triple, ... intersections, with binomial counts of terms) is from Bernoulli's pyramid (binomial series); it is the inclusion-exclusion principle. The products assume the basic events are independent: $P(ACD \cap BCD) = P_A P_B P_C P_D$ because the intersection of two cut sets is simply the union of their events, each counted once. A shared cause of the kind discussed under common-cause failures breaks that independence and must be modelled as its own event in the tree.

    21/29

    It is also possible to use the success tree (the critical sets on a success tree are called 'tie sets', and these are the minimum groups of elements needed to maintain operation of the system). In the example below gate 1 is an OR gate with inputs gate 2, gate 3 and leaf E; gate 2 is an AND gate with inputs A, B; gate 3 is an OR gate with inputs C, D.

    Step 1

        1

    Step 2 - '1' is an OR gate (vertical) with inputs 2, 3, E

        2
        3
        E

    Step 3 - '2' is an AND gate (horizontal) with inputs A, B

        A B
        3
        E

    Step 4 - '3' is an OR gate (vertical) with inputs C, D

        A B
        C
        D
        E

    22/29

    The tie sets of the success tree are:

        Tie set 1 = {A, B}
        Tie set 2 = {C}
        Tie set 3 = {D}
        Tie set 4 = {E}

    The equivalent success tree is an OR of the four tie sets, and its probability follows the same inclusion-exclusion pattern as for cut sets:

    $$P(\text{Success}) = P(AB \cup C \cup D \cup E)$$

    $$= P(AB) + P(C) + P(D) + P(E) - \big[P(ABC) + P(ABD) + P(ABE) + P(CD) + P(CE) + P(DE)\big] + \big[P(ABCD) + P(ABCE) + P(ABDE) + P(CDE)\big] - P(ABCDE)$$

    $$= P_A P_B + P_C + P_D + P_E - P_A P_B P_C - P_A P_B P_D - P_A P_B P_E - P_C P_D - P_C P_E - P_D P_E + P_A P_B P_C P_D + P_A P_B P_C P_E + P_A P_B P_D P_E + P_C P_D P_E - P_A P_B P_C P_D P_E$$

    $$= 1 - (1 - P_A P_B)(1 - P_C)(1 - P_D)(1 - P_E)$$

    etc., where each P is now the probability that the component works (the complement of its failure probability on the fault tree), and the events are again assumed independent.
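    The substitution method of the cut-set slides (gates replaced horizontally for AND and vertically for OR), the inclusion-exclusion formula over cut sets, the tie sets of the success tree, and the shared-power-supply common-cause example from the intruder-detection slide, as one added Python example. This is not code from the lecture notes: the dictionary encoding of the trees, the leaf probabilities P_FAIL and P_DET, and the detector/PSU figures are constructed for the illustration; only the tree shapes come from the slides.

```python
"""Minimal cut sets, tie sets and top-event probability for small fault trees (added example)."""
from itertools import combinations, product
from math import prod

# Tree from the slides: gate 1 = AND(gate 2, gate 3), gate 2 = OR(A, B), gate 3 = AND(C, D).
# Any name that is a key is a gate; every other name is a basic event ("A fails").
FAULT_TREE = {"G1": ("AND", ["G2", "G3"]), "G2": ("OR", ["A", "B"]), "G3": ("AND", ["C", "D"])}
P_FAIL = {"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}  # constructed leaf probabilities, not from the slides

# Success tree from the slides: gate 1 = OR(gate 2, gate 3, E), gate 2 = AND(A, B), gate 3 = OR(C, D).
# Its leaves mean "component works", so its cut sets are the system's tie sets.
SUCCESS_TREE = {"G1": ("OR", ["G2", "G3", "E"]), "G2": ("AND", ["A", "B"]), "G3": ("OR", ["C", "D"])}

# Common-cause slide: an intruder goes undetected only if all four detectors fail ...
DETECTORS = {"TOP": ("AND", ["D1", "D2", "D3", "D4"])}
# ... unless one shared power supply (PSU) takes all four out at once: an extra OR branch.
DETECTORS_WITH_PSU = {"TOP": ("OR", ["ALL4", "PSU"]), "ALL4": ("AND", ["D1", "D2", "D3", "D4"])}
P_DET = {"D1": 0.1, "D2": 0.1, "D3": 0.1, "D4": 0.1, "PSU": 0.01}  # constructed values


def expand(tree, top):
    """Table substitution method of the notes: start with the row [top]; replace each gate by its
    inputs, horizontally for AND (they join the row) and vertically for OR (one row per input)."""
    rows = [[top]]
    while any(item in tree for row in rows for item in row):
        new_rows = []
        for row in rows:
            gate = next((x for x in row if x in tree), None)
            if gate is None:
                new_rows.append(row)
                continue
            kind, inputs = tree[gate]
            rest = [x for x in row if x != gate]
            if kind == "AND":
                new_rows.append(rest + inputs)
            else:
                new_rows.extend(rest + [inp] for inp in inputs)
        rows = new_rows
    return [frozenset(r) for r in rows]


def minimise(sets):
    """Keep only minimal sets: drop duplicates and any set that contains another (absorption)."""
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)), key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(tree, top):
    return minimise(expand(tree, top))


def dual(tree):
    """The success tree: same shape with AND and OR swapped (leaves now read 'component works')."""
    return {g: ("OR" if k == "AND" else "AND", inputs) for g, (k, inputs) in tree.items()}


def minimal_tie_sets(tree, top):
    """Tie (path) sets of a fault tree are the cut sets of its success tree."""
    return minimise(expand(dual(tree), top))


def inclusion_exclusion(sets, p):
    """P(union of the sets) for independent events: singles - pairs + triples - ...
    The intersection of several sets is the union of their events, each counted once."""
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total


def rare_event_bound(sets, p):
    """First inclusion-exclusion term only: an upper bound, close when every P is small."""
    return sum(prod(p[e] for e in s) for s in sets)


def exact_by_enumeration(tree, top, p):
    """Brute force over all 2^n leaf states, as an independent check of the cut-set formula."""
    leaves = sorted({x for _, inputs in tree.values() for x in inputs if x not in tree})

    def holds(node, state):
        if node not in tree:
            return state[node]
        kind, inputs = tree[node]
        values = [holds(i, state) for i in inputs]
        return all(values) if kind == "AND" else any(values)

    total = 0.0
    for bits in product((False, True), repeat=len(leaves)):
        state = dict(zip(leaves, bits))
        if holds(top, state):
            total += prod(p[leaf] if state[leaf] else 1 - p[leaf] for leaf in leaves)
    return total


if __name__ == "__main__":
    cuts = minimal_cut_sets(FAULT_TREE, "G1")                   # [{A, C, D}, {B, C, D}]
    print(cuts, inclusion_exclusion(cuts, P_FAIL), exact_by_enumeration(FAULT_TREE, "G1", P_FAIL))
    print(minimal_tie_sets(FAULT_TREE, "G1"), minimal_cut_sets(SUCCESS_TREE, "G1"))
    for tree in (DETECTORS, DETECTORS_WITH_PSU):                # 1e-4 versus about 1e-2: the PSU dominates
        print(inclusion_exclusion(minimal_cut_sets(tree, "TOP"), P_DET))
```

    With the constructed probabilities the two cut sets ACD and BCD give P(top) = 0.0336, which the brute-force enumeration confirms, and the tie sets {C}, {D}, {A, B} of the same tree's success tree give P(success) = 0.9664, exactly 1 - 0.0336: the success tree checks the fault tree, as the slides say. The slides' own success tree yields the tie sets {C}, {D}, {E}, {A, B}. For the detectors, four independent units at 0.1 each leave a 1 in 10,000 chance of non-detection, but a shared power supply failing 1 time in 100 becomes a single-event cut set and lifts the figure to about 1 in 100: no amount of detector redundancy helps until the common cause is its own branch.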

    23/29

    FAULT TREE SIMPLIFICATION

    Given that a fault/success tree is a graphical representation of a logical structure, if there are recurrent elements (for example with a tree developed from cut sets) then the tree can be simplified by Boolean algebra (see notes on set theory). There are 11 laws of Boolean algebra:

        1  Commutative    A ∪ B = B ∪ A                       A ∩ B = B ∩ A
        2  Associative    (A ∪ B) ∪ C = A ∪ (B ∪ C)           (A ∩ B) ∩ C = A ∩ (B ∩ C)
        3  Distributive   A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C)     A ∪ (B ∩ C) = (A ∪ B) ∩ (A ∪ C)
        4  Absorption     A ∪ (A ∩ B) = A                     A ∩ (A ∪ B) = A
        5  De Morgan's    (A ∪ B)' = A' ∩ B'                  (A ∩ B)' = A' ∪ B'
        6  Identity       A ∪ ∅ = A,  A ∪ U = U               A ∩ U = A,  A ∩ ∅ = ∅
        7  Inverse        A ∪ A' = U                          A ∩ A' = ∅
        8  Idempotent     A ∪ A = A                           A ∩ A = A
        9  Complement     U' = ∅                              ∅' = U

    …R, NOT.

    (i)    B = B ∩ B        write '∩' instead of 'AND'
    (ii)   C = B ∩ A
    (iii)  D = B ∩ A
    (iv)   E = B ∪ C        write '∪' instead of 'OR'
    (v)    D' = NOT D       write either a dash, bar or tilde instead of 'NOT'
    (vi)   F = E ∩ D'
    (vii)  A' = NOT A
    (viii) T = F ∩ A'

    The tree drawn on the slide (top event T = Disaster, read downwards):

        T  = AND(F, A')
        F  = AND(E, D')
        A' = NOT A
        E  = OR(C, B)
        D' = NOT D
        C  = AND(B, A)
        D  = AND(B, A)

    End events (leaves): B, A, B, B, B, A, A

    26/29

    Substitution (top-down)

        T = F ∩ A'
          = (E ∩ D') ∩ A'                              expand F
          = ((B ∪ C) ∩ D') ∩ A'                        expand E
          = ((B ∪ C) ∩ (B ∩ A)') ∩ A'                  expand D
          = ((B ∪ (B ∩ A)) ∩ (B ∩ A)') ∩ A'            expand C

    We wish to simplify this.

    Boolean laws

    Step 1: get rid of the difference (the complement of a compound term) first, double-counted terms second, etc. Work from the bottom of the list of laws to the top!!

        T = ((B ∪ (B ∩ A)) ∩ (B' ∪ A')) ∩ A'           De Morgan's (the difference)
        T = (B ∩ (B' ∪ A')) ∩ A'                      absorption
        T = ((B ∩ B') ∪ (B ∩ A')) ∩ A'                distributive
        T = (∅ ∪ (B ∩ A')) ∩ A'                       inverse
        T = (B ∩ A') ∩ A'                             identity
        T = B ∩ (A' ∩ A') = B ∩ A'                    associative, idempotent

    Simplified!

    Step 3. Draw the new tree: T = B ∩ A'

        T (Disaster)
          AND
            B
            A' (NO ALARM)
              NOT
                A (ALARM)
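    The same reduction done mechanically, as an added Python example that is not part of the lecture notes: the gate list of the slide is expanded into a sum of products (De Morgan's law pushes the NOT gates down to the leaves, the distributive law multiplies out the brackets), then the inverse, idempotent and absorption laws strip the dead and redundant terms. Gate names follow the slide; the tuple encoding of gates and literals is an assumption of this example.

```python
"""Boolean reduction of a fault tree with NOT gates to its minimal sum of products (added example)."""
from itertools import product

AND, OR, NOT = "AND", "OR", "NOT"

# The gate list of the slide. A plain name is a basic event or a gate; (NOT, x) is x'.
GATES = {
    "C": (AND, ["B", "A"]),
    "D": (AND, ["B", "A"]),
    "E": (OR, ["B", "C"]),
    "F": (AND, ["E", (NOT, "D")]),
    "T": (AND, ["F", (NOT, "A")]),
}


def dnf(node, gates, negated=False):
    """Expand `node` into a set of product terms: frozensets of literals (name, True/False),
    False meaning the complement. NOT is pushed down to the leaves with De Morgan's laws and
    an AND of sums is multiplied out with the distributive law."""
    if isinstance(node, tuple) and node[0] == NOT:
        return dnf(node[1], gates, not negated)
    if node not in gates:                                   # basic event, possibly complemented
        return {frozenset([(node, not negated)])}
    kind, inputs = gates[node]
    if negated:                                             # (A ∩ B)' = A' ∪ B', (A ∪ B)' = A' ∩ B'
        kind = OR if kind == AND else AND
    parts = [dnf(i, gates, negated) for i in inputs]
    if kind == OR:
        return set().union(*parts)
    return {frozenset().union(*combo) for combo in product(*parts)}


def simplify(terms):
    """Inverse law: a term containing both X and X' is the empty set, so drop it.
    Idempotent and absorption laws: drop duplicates and any term that contains another term."""
    live = {t for t in terms if not any((name, not value) in t for name, value in t)}
    return {t for t in live if not any(other < t for other in live)}


def reduce_tree(top, gates):
    return simplify(dnf(top, gates))


def render(terms):
    """Human-readable sum of products, one string per term, e.g. ["A' ∩ B"]."""
    return sorted(" ∩ ".join(name + ("" if value else "'") for name, value in sorted(t)) for t in terms)


if __name__ == "__main__":
    print(render(reduce_tree("T", GATES)))                  # ["A' ∩ B"]: the slide's T = B ∩ A'
```

    The expansion of T produces four product terms; three of them contain a literal and its complement (B ∩ B' or A ∩ A') and vanish by the inverse law, leaving B ∩ A' exactly as the hand derivation does. Because the result is a set of minimal terms it doubles as a cut-set listing for trees that contain NOT gates (non-coherent trees), which the graphical method of the earlier slides does not handle.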

    27/29

    FAULT TREE REDUCTION BY APPROXIMATION

    (1) If the probability of any event is close to 1…

    28/29

    Problem 1. The fault tree shown on Figure 1 has been developed by ACME after a two-year study. Event 'A' is the use of an inadequate assessment of hazards; event 'B' is the use of an inadequate assessment of likelihood. Find the probability of the top event if, for example, A = 1…, B = …

    29/29

    ROOT CAUSE ANALYSIS

    Study of the original reason for nonconformance with a process. When the root cause is removed or corrected, the nonconformance will be eliminated.

    4-step process:

    1) Data collection and preservation
    2) Causal factor charting (e.g. tree diagram)
    3) Root cause identification (factors)
    4) Recommendation generation and implementation

    MORT Analysis

    Management & Oversight Risk Tree.

    There are 3 branches from the top event (loss):

    e.g. the central route could be Specific & Management
    e.g. the left route could be Oversights & Omissions
    e.g. the right could be Assumed Risks.

    Variants exist including SMORT.