The FTA methodology is described in several industry and government standards, including NRC NUREG-0492 for the nuclear industry, an aerospace-oriented revision of NUREG-0492 used by NASA,[28] SAE ARP4761") for civil aircraft, MIL-HDBK-338 for military systems, and the IEC standard IEC 61025[29]​ which is intended for use cross-industry and has been adopted as European Standard EN 61025.

Any sufficiently complex system is subject to failure, due to the failure of one or more of its subsystems. The probability of failure, however, can often be reduced through improved system design. Fault tree analysis maps the relationship between faults, subsystems, and redundant elements of the safety design, creating a logical schematic of the overall system.

The undesired result is taken as the root ('event/top event') of a logical tree. For example, the undesirable result of a metal pressing and stamping operation is that some human appendage is stamped. Working backwards from this higher event, we could determine that there are two ways this could occur: during normal operation or during a maintenance operation. This condition is a logical OR. Considering the branch in which it occurs during normal operation perhaps we determine that there are two ways this could happen: press cycles hurt the operator or press cycles hurt someone else. This is another logical OR. We can make an improvement to the design by requiring the operator to press two buttons to start the machine - this is a safety feature in the form of a logical AND. The button may have an intrinsic failure rate - this becomes a failure incentive that we can analyze. When fault trees are weighted with real numbers for failure probabilities, computer programs can calculate the failure probabilities in the fault trees.

When a specific event must affect more than one event, i.e. has an impact on several subsystems, it is called a common cause or common mode. Graphically speaking, this means that this event will appear at various positions in the tree. Common causes introduce dependency relationships between events. The probability calculations for a tree containing some "common causes" are much more complicated than for normal trees where all events are considered independent. Not all software tools available on the market provide such capability.

The Tree is usually written using conventional logic gate symbols. The path through a tree between an event and an initiator in the tree is called a Cut Set. The shortest credible way through the tree from a failure to an initializing event is called Minimal Cut Set.

Some industries use both fault trees and event trees (see Probabilistic Risk Assessment). An Event Tree starts from an unwanted initializer (critical supply loss, component failure, etc.) and follows possible events farther out in the system through a series of final consequences. As each new event is considered, a new node is added to the tree with a split probability of taking any branch. The probabilities of a range of 'higher events' arising from the initial event can then be seen.

Classic programs include the Electric Power Research Institute's CAFTA (EPRI) software, which is used by many U.S. nuclear plants and most U.S. and international aerospace manufacturers, and the Idaho National Laboratory's SAPHIRE, which is used by the U.S. Government to evaluate the safety and reliability of nuclear reactors, the Space Shuttle, and the International Space Station. Outside the U.S. In the US, RiskSpectrum software is a popular tool for Fault Tree and Event Tree analyzes and is authorized for use in nearly half of the world's nuclear plants by Probabilistic Safety Assessment.

Contenido

Los símbolos básicos utilizados en el FTA están agrupados como eventos, puertas, y símbolos de transferencia. Variaciones menores pueden ser utilizadas en softwares de FTA.

Symbols of events

Event symbols are used for primary events and intermediate events. Primary events are not developed further in the fault tree. The intermediate events are found at the exit of a door. Event symbols are shown below:.

Primary event symbols are typically used as follows:

An intermediate event gate can be used immediately above a parent event, to provide more space to write the event description. The FTA is a top-down (top-down) approach.

Logic gate symbols

Gate symbols describe the relationship between input and output events. The symbols are derived from boolean logical symbols:

The doors work as follows:

Transfer symbols

Transfer symbols are used to connect the inputs and outputs of related fault trees, such as the fault tree of a subsystem to that of your system. NASA prepared a comprehensive documentation on the FTA through practical incidents.

Events in a fault tree are associated with statistical probabilities. For example, failed components may generally occur with some constant failure rate λ (a constant hazard function). In this simpler case, the probability of failure depends on the index λ and the exposure time t:.

A fault tree is typically normalized to a given time interval, such as a flight hour or a median mission time. The probabilities of events depend on the relationship between the hazard function of the event and its interval.

Unlike conventional logic gate schemes in which inputs and outputs contain the binary values ​​of TRUE (1) or FALSE (0), fault tree gates produce probabilities related to the set operations of Boolean logic. The probability of the output event of a door depends on the probabilities of the input events.

A logical AND gate represents a combination of independent events. "Independence (probability)") That is, the probability of any input event to a logical AND gate is not affected by any other input event to the same gate. In set theory terms, this is equivalent to the intersection of the input event sets, and the probability of the output of the logical AND gate is given by:.

A logical OR gate, on the other hand, corresponds to a union of sets:

Since the probabilities of failures in fault trees tend to be small (less than .01), P(A ∩ B) typically becomes a very small error term, and the output of a logic OR gate can be conservatively approximated using the assumption that the inputs are mutually exclusive events:

The Exclusive-Or gate with two inputs represents the probability that one or the other input, but not both, occurs:.

Again, since P (A ∩ B) typically becomes a very small error term, the Exclusive-Or gate has limited value in a fault tree.

Many different approaches can be used to model an FTA, but the most common and popular can be summarized in a few steps. A single fault tree is used to analyze one and only one unwanted event or top event, which can subsequently feed into another fault tree as a base event. Although the nature of the unwanted event can vary dramatically, an FTA follows the same procedure for any unwanted event; be a delay of 0.25 ms in the generation of electrical energy, an undetected fire in a warehouse, or the accidental and involuntary launch of an ICBM. Due to the cost of labor, FTA is typically only used for more serious unwanted events.

The FTA involves five steps:

FTA is a deductive, top-down method aimed at analyzing the effects of initiating faults and events in a complex system.

This contrasts with failure modal and effects analysis (FMEA), which is an inductive bottom-up analysis method that aims to analyze the effects of single component or function failures on equipment or subsystems.

The FTA is very good at showing how resilient a system is to single or multiple failures. It is not good at finding all possible initial faults. The FMEA is good at comprehensively cataloging initial failures, and identifying their local effects. It is not good for examining multiple failures or their effects at the system level. The FTA considers external events, the FMEA does not. In civil aeronautics the usual practice is to perform both FTA and FMEA, with a failure mode effects summary (FMES) and the interface between the FMEA and the FTA.

Alternatives to FTA include dependency diagrams (DD), also known as reliability block diagrams (RBD), and Markov analysis. A dependency diagram is equivalent to a Success Tree Analysis (STA), the logical inverse of an FTA, and represents the system using paths instead of gates. DD and STA produce probabilities of success (i.e., avoiding a superior event) rather than the probability of a superior event.

The FTA methodology is described in several industry and government standards, including NRC NUREG-0492 for the nuclear industry, an aerospace-oriented revision of NUREG-0492 used by NASA,[28] SAE ARP4761") for civil aircraft, MIL-HDBK-338 for military systems, and the IEC standard IEC 61025[29]​ which is intended for use cross-industry and has been adopted as European Standard EN 61025.

Any sufficiently complex system is subject to failure, due to the failure of one or more of its subsystems. The probability of failure, however, can often be reduced through improved system design. Fault tree analysis maps the relationship between faults, subsystems, and redundant elements of the safety design, creating a logical schematic of the overall system.

The undesired result is taken as the root ('event/top event') of a logical tree. For example, the undesirable result of a metal pressing and stamping operation is that some human appendage is stamped. Working backwards from this higher event, we could determine that there are two ways this could occur: during normal operation or during a maintenance operation. This condition is a logical OR. Considering the branch in which it occurs during normal operation perhaps we determine that there are two ways this could happen: press cycles hurt the operator or press cycles hurt someone else. This is another logical OR. We can make an improvement to the design by requiring the operator to press two buttons to start the machine - this is a safety feature in the form of a logical AND. The button may have an intrinsic failure rate - this becomes a failure incentive that we can analyze. When fault trees are weighted with real numbers for failure probabilities, computer programs can calculate the failure probabilities in the fault trees.

When a specific event must affect more than one event, i.e. has an impact on several subsystems, it is called a common cause or common mode. Graphically speaking, this means that this event will appear at various positions in the tree. Common causes introduce dependency relationships between events. The probability calculations for a tree containing some "common causes" are much more complicated than for normal trees where all events are considered independent. Not all software tools available on the market provide such capability.

The Tree is usually written using conventional logic gate symbols. The path through a tree between an event and an initiator in the tree is called a Cut Set. The shortest credible way through the tree from a failure to an initializing event is called Minimal Cut Set.

Some industries use both fault trees and event trees (see Probabilistic Risk Assessment). An Event Tree starts from an unwanted initializer (critical supply loss, component failure, etc.) and follows possible events farther out in the system through a series of final consequences. As each new event is considered, a new node is added to the tree with a split probability of taking any branch. The probabilities of a range of 'higher events' arising from the initial event can then be seen.

Classic programs include the Electric Power Research Institute's CAFTA (EPRI) software, which is used by many U.S. nuclear plants and most U.S. and international aerospace manufacturers, and the Idaho National Laboratory's SAPHIRE, which is used by the U.S. Government to evaluate the safety and reliability of nuclear reactors, the Space Shuttle, and the International Space Station. Outside the U.S. In the US, RiskSpectrum software is a popular tool for Fault Tree and Event Tree analyzes and is authorized for use in nearly half of the world's nuclear plants by Probabilistic Safety Assessment.

Contenido

Los símbolos básicos utilizados en el FTA están agrupados como eventos, puertas, y símbolos de transferencia. Variaciones menores pueden ser utilizadas en softwares de FTA.

Symbols of events

Event symbols are used for primary events and intermediate events. Primary events are not developed further in the fault tree. The intermediate events are found at the exit of a door. Event symbols are shown below:.

Primary event symbols are typically used as follows:

An intermediate event gate can be used immediately above a parent event, to provide more space to write the event description. The FTA is a top-down (top-down) approach.

Logic gate symbols

Gate symbols describe the relationship between input and output events. The symbols are derived from boolean logical symbols:

The doors work as follows:

Transfer symbols

Transfer symbols are used to connect the inputs and outputs of related fault trees, such as the fault tree of a subsystem to that of your system. NASA prepared a comprehensive documentation on the FTA through practical incidents.

Events in a fault tree are associated with statistical probabilities. For example, failed components may generally occur with some constant failure rate λ (a constant hazard function). In this simpler case, the probability of failure depends on the index λ and the exposure time t:.

A fault tree is typically normalized to a given time interval, such as a flight hour or a median mission time. The probabilities of events depend on the relationship between the hazard function of the event and its interval.

Unlike conventional logic gate schemes in which inputs and outputs contain the binary values ​​of TRUE (1) or FALSE (0), fault tree gates produce probabilities related to the set operations of Boolean logic. The probability of the output event of a door depends on the probabilities of the input events.

A logical AND gate represents a combination of independent events. "Independence (probability)") That is, the probability of any input event to a logical AND gate is not affected by any other input event to the same gate. In set theory terms, this is equivalent to the intersection of the input event sets, and the probability of the output of the logical AND gate is given by:.

A logical OR gate, on the other hand, corresponds to a union of sets:

Since the probabilities of failures in fault trees tend to be small (less than .01), P(A ∩ B) typically becomes a very small error term, and the output of a logic OR gate can be conservatively approximated using the assumption that the inputs are mutually exclusive events:

The Exclusive-Or gate with two inputs represents the probability that one or the other input, but not both, occurs:.

Again, since P (A ∩ B) typically becomes a very small error term, the Exclusive-Or gate has limited value in a fault tree.

Many different approaches can be used to model an FTA, but the most common and popular can be summarized in a few steps. A single fault tree is used to analyze one and only one unwanted event or top event, which can subsequently feed into another fault tree as a base event. Although the nature of the unwanted event can vary dramatically, an FTA follows the same procedure for any unwanted event; be a delay of 0.25 ms in the generation of electrical energy, an undetected fire in a warehouse, or the accidental and involuntary launch of an ICBM. Due to the cost of labor, FTA is typically only used for more serious unwanted events.

The FTA involves five steps:

FTA is a deductive, top-down method aimed at analyzing the effects of initiating faults and events in a complex system.

This contrasts with failure modal and effects analysis (FMEA), which is an inductive bottom-up analysis method that aims to analyze the effects of single component or function failures on equipment or subsystems.

The FTA is very good at showing how resilient a system is to single or multiple failures. It is not good at finding all possible initial faults. The FMEA is good at comprehensively cataloging initial failures, and identifying their local effects. It is not good for examining multiple failures or their effects at the system level. The FTA considers external events, the FMEA does not. In civil aeronautics the usual practice is to perform both FTA and FMEA, with a failure mode effects summary (FMES) and the interface between the FMEA and the FTA.

Alternatives to FTA include dependency diagrams (DD), also known as reliability block diagrams (RBD), and Markov analysis. A dependency diagram is equivalent to a Success Tree Analysis (STA), the logical inverse of an FTA, and represents the system using paths instead of gates. DD and STA produce probabilities of success (i.e., avoiding a superior event) rather than the probability of a superior event.