
FAULT TREES

The aim of this learning session is to introduce what is probably the most essential element of modern risk assessment studies: the fault tree. You can learn from this session:
(i) how to draw fault and success trees
(ii) how to compute the probabilities for a range of complicated hazards
(iii) how to find cut and tie sets for critical systems considerations
More advanced issues:
(iv) how to find a structure function bridging assessment and analysis
(v) Boolean reduction to a minimal tree (esp. coherence)

FAULT TREES
Fault trees are a method of breaking a failure into contributing factors. The logical arrangement of those factors can be examined, as well as the contribution/criticality of each to the total.
Trees are connected digraphs (directed graphs) that do not contain cycles. If the 'branching' is always into two parts the tree is called a BINARY TREE. When trees are joined together (if there are still no cycles) the result is called a FOREST. Every node except the root has exactly one arc towards the root/top (OUTDEGREE one), but a node can have any integer number of incoming branches (INDEGREE). Leaves have zero indegree; the root has zero outdegree.

Logic (revision)
The study of truth and falsehood is a necessary background to the study of fault trees. Consider:
1) Elephants are grey: true
2) Elephants are pink: false
3) Fish swim: true
4) Fish whistle: false
Let's ask a 5-year-old child the two questions:
a) What colour are elephants?
b) What do fish do in the sea?
The child is given a 'clever kid' badge if s/he answers both questions correctly. There are in fact four possible results:

      Question (a) answer   Question (b) answer   Reward
i     Pink                  Whistle               No
ii    Pink                  Swim                  No
iii   Grey                  Whistle               No
iv    Grey                  Swim                  Yes

If this table of results is expressed in terms of the number of correct answers, and the number of rewards, it follows:

Question (a)   Question (b)   Reward (c)
0              0              0
0              1              0
1              0              0
1              1              1

This is the 'truth table' for getting BOTH questions 'a' AND 'b' correct (with emphasis on the word AND). Denoting the reward by 'c' it can be said that 'c' is due to 'a' AND 'b', which is usually written:

    C = A ∩ B

with the set theory intersection/overlap symbol '∩'. A Venn diagram can also be drawn from set theory.

[Venn diagram: the intersection A ∩ B is the double-shaded region]

Mathematically there is only one way to combine the values 'a' and 'b' to get the result 'c' in this type of problem:

    C = A·B

Input (a)   Input (b)   Output (c)
0           0           0
0           1           0
1           0           0
1           1           1

The 'AND' symbol '·' can be read as multiplication. Electrical circuit theory draws the same relationship as a black box 'gate' with inputs and outputs:
[figure: AND gate symbol with inputs A, B and output C]

Most standard text editing software also provides the symbols ∩ or ∧, which can sometimes be used/abused to denote 'AND'.

Example 2
Consider the same child answering the same questions but for different stakes: the reward badge is won if s/he gets at least one question correct (either 'a' OR 'b'). The truth table becomes:

Question (a)   Question (b)   Reward (c)
0              0              0
0              1              1
1              0              1
1              1              1

This 'OR' relationship can be written in set theory notation with a union '∪' symbol:

    C = A ∪ B

In electrical circuit notation:
[figure: OR gate symbol with inputs A, B and output C]

Mathematically:

    C = A + B − AB

On the Venn diagram above A ∪ B is the entire shaded region: A + B, but not counting the overlap A ∩ B twice (not giving the child the reward twice). Two tree diagrams have been developed:
[figure: the AND relation and the OR relation each drawn as a two-leaf tree diagram]

Probability on tree diagrams
The same relationships developed above are valid for tree diagrams where events have probabilities rather than just absolutes, provided the events are independent of one another:

    P(A ∩ B) = P(A) P(B)
    P(A ∪ B) = P(A) + P(B) − P(A) P(B)

Fault trees deal with system failures and the probabilities can be small numbers such as P(A) = 1.2 × 10⁻⁸ and P(B) = 3.5 × 10⁻⁴. In such cases P(A ∩ B) = 4.2 × 10⁻¹² might be deemed negligible and P(A ∪ B) ≈ P(A) + P(B). It is bad practice to simply assume this approximation where life safety is being assessed: the sum always over-states the union, and the over-statement grows with the size of the probabilities. Criteria for what is tolerable or acceptable are discussed in PD 7974-7.

DEVELOPING FAULT TREES
Tree diagrams form a bridge (using graph theory) between qualitative and quantitative studies of risk. Tree diagrams are closely coupled to spreadsheet methods. In particular PHA is close to fault trees and FMEA is close to event trees. A fault tree uses 'backwards logic', following from a failure/loss backwards to causes. Event trees follow forward logic from parts to combinations of failures that cause system failure. It is a natural consequence that fault trees are more tractable early in design and event trees later (once a comprehensive list of parts, connections and operational modes is known).

Conventionally a fault tree is drawn from the centre-top of a page downwards as contributing causes are added. The 'fault' is often referred to as the 'top event'. At the foot of the page are the end-points of the tree. These can be called terminal events but more usually they are called 'leaves' because they are the extremities of a series of tree branches (ignore the fact that the root is at the top of the page and the leaves at the bottom). In complicated problems 'component level events' are distinguished from 'external events' instead of just calling them all terminal.

When the tree is developed (i.e. more factors are added or substituted) a series of standard questions occur:
1) What is the hazard/event?
2) What contributes to that?
The causes are linked to effects by the logic gates, so that each development must satisfy:
1) Are all causes listed necessary?
2) Are the causes listed sufficient?
3) Is this development repeatable (or would someone else give something different)?

Note that straight lines are used as connectors, not curvy lines. Furthermore only one line leads out of each logic gate, to the event it explains. The boxes are occurrences/events/outcomes. Note also that logic gates lead to an 'event' or occurrence and never feed directly into another logic gate.

[figure: fragments of tree drawings marked 'Yes' (acceptable) or 'No' (breaks the drawing rules above)]

Examples of top events:
1) Wheels up on landing
2) Fire
3) Irretrievable loss of primary test data
4) Pandemic of Asian Bird Flu
5) London Olympic Project overruns by more than 100%
These are usually high-loss events. It is very easy to become ambitious and write a top event like 'risk'. It is good practice to set some limits/tolerance on every event of a tree diagram. For example: losses exceeding £250k from a fuse short due to contacts failing in the closed position.

Three types of leaf are conventionally used:
- Developed
- Undeveloped
- Transfer symbol

Consider working as part of a large team on a study where each day you submit the latest version of the tree and receive a list of modifications to make. Some leaves will be unchanged. These are described as 'developed' and are denoted by circles or ellipses, rather like a full stop. If a leaf is to be further developed or revised it is usually denoted by a diamond and is described as 'undeveloped'. That leaf is essentially the top event of another tree which will be substituted in place. When a tree becomes large it is common to continue a branch on another page. This is indicated by a 'transfer symbol' containing a page number or mnemonic etc. for where that information is to be found. For example this seven-character code: 7HO42VC. This identifies system 7 (which may be the metro, Jag, Bentley, Harley), component type HO (human operator), component 4 (4th component on the list of components of system 7), subsystem 2 (which may mean the driver or navigator), failure mode V (asleep) and special situations C (common cause, house event, etc.). Two particular mistakes to avoid in drawing tree diagrams are:
1) do not include miracles
2) always use distinct leaves

Other gates sometimes used:

Octagons are 'inhibit gates', which make the output of any gate zero unless a specified condition is met. An inhibit gate is equivalent to an additional AND gate if written more logically. House events are normally expected to occur, and have probability 100%.

Gate name              Set notation       Truth table (A B : C)           Math (Boolean arithmetic)
AND                    C = A ∩ B          FF:F  FT:F  TF:F  TT:T          C = AB
OR                     C = A ∪ B          FF:F  FT:T  TF:T  TT:T          C = A + B − AB
NOT                    C = A'             F:T   T:F                       C = 1 − A
NAND (not and)         C = (A ∩ B)'       FF:T  FT:T  TF:T  TT:F          C = 1 − AB
NOR (not or)           C = (A ∪ B)'       FF:T  FT:F  TF:F  TT:F          C = 1 − A − B + AB
XOR (exclusive or)     C = A ⊕ B          FF:F  FT:T  TF:T  TT:F          C = (A + B − AB)(1 − AB)
XNOR (exclusive nor)   C = (A ⊕ B)'       FF:T  FT:F  TF:F  TT:T          C = 1 − (A + B − AB)(1 − AB)

[figure: the conventional icon for each gate, inputs A and B, output C]

The 'Math' column is exact for 0/1 truth values (where A² = A). Read as probabilities of independent events it is exact only for AND, OR, NOT, NAND and NOR; for XOR the probability is P(A) + P(B) − 2 P(A) P(B), and XNOR is its complement.

Note that logical theory and logic gates have developed far beyond this level. There is value in some of the other types of gate for researching these models; for example amplifiers and flip-flops to study importance and memory.

Short classroom exercise in small teams (10 mins only): draw a fault tree for 'losses' in this classroom.


COMMON CAUSE FAILURES

[figure: fault tree with four intruder detectors under an AND gate]

In this simple fault tree there are four intruder detection systems. There is a great deal of redundancy and a very tiny chance of non-detection. BUT what if all four detectors work from the same power supply?

This is an example of a common-cause failure. Another entire branch needs to be added to the tree to correct the oversight:

[figure: the same tree with a 'power supply fails' branch added]

It is a necessity to LOOK for common causes on every tree drawn. Some typical examples are:

Common causes          Common solutions
Electricity            Separation
Coolant                Insulation
Pneumatic pressure     Shields
Steam                  Independent redundant parts
Utilities              Independent inspectors/operators
Moisture               Resilience
Corrosion
Seismic disturbance
Dust
Heat/cold
EMP
Same/single operator

It is good practice to note all the applicable causes from this list with a letter, such as 'c' for corrosion, on each event of a tree.


The NFPA Fire Safety Concepts Tree
[figure: the NFPA Fire Safety Concepts Tree]

TREES WITH PROBABILITY
Having completed the mathematical examples above, this is largely an iteration of the procedure.

[figure: Top Event = Middle AND D; Middle = B OR C; P(B) = 0.2, P(C) = 0.05, P(D) = 0.1]

    P(Top Event) = P(Middle) P(D)
                 = (P(B) + P(C) − P(B) P(C)) P(D)
                 = (0.2 + 0.05 − 0.2 × 0.05) × 0.1 = 0.024
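The calculation just done, and the common-cause tree of the previous page, programmed. This is an added example and not part of the original handout: a small evaluator for AND/OR/NOT trees under the independence assumption the text uses, which refuses trees with repeated leaves (where gate-by-gate multiplication is wrong). The detector/power-supply tree, its leaf names (D1..D4, PSU) and their probabilities are constructed for illustration.

```python
# Added example: fault-tree evaluation under the independence assumption.
# Leaves are strings; gates are tuples ("AND", ...), ("OR", ...), ("NOT", x).
from functools import reduce
from operator import mul


def AND(*kids):
    return ("AND",) + kids


def OR(*kids):
    return ("OR",) + kids


def NOT(kid):
    return ("NOT", kid)


def leaves(node, acc=None):
    """Leaf names in order of appearance, repeats included."""
    acc = [] if acc is None else acc
    if isinstance(node, str):
        acc.append(node)
    else:
        for kid in node[1:]:
            leaves(kid, acc)
    return acc


def prob(node, p):
    """P(node) when every leaf is an independent event with P(leaf) = p[leaf].

    AND: product of inputs; OR: 1 - product of (1 - input); NOT: 1 - input.
    A repeated leaf is rejected: an event is not independent of itself,
    P(A and A) = P(A) and not P(A)**2, so such trees need the cut-set method.
    """
    names = leaves(node)
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        raise ValueError(f"repeated leaves {dups}: gate-by-gate multiplication is invalid")
    return _prob(node, p)


def _prob(node, p):
    if isinstance(node, str):
        return p[node]
    gate, *kids = node
    qs = [_prob(k, p) for k in kids]
    if gate == "AND":
        return reduce(mul, qs, 1.0)
    if gate == "OR":
        return 1.0 - reduce(mul, (1.0 - q for q in qs), 1.0)
    if gate == "NOT":
        return 1.0 - qs[0]
    raise ValueError(f"unknown gate {gate!r}")


def worked_example():
    """Top = Middle AND D, Middle = B OR C, with P(B)=0.2, P(C)=0.05, P(D)=0.1."""
    top = AND(OR("B", "C"), "D")
    return prob(top, {"B": 0.2, "C": 0.05, "D": 0.1})


def intruder_detection(p_detector_fails=0.1, p_psu_fails=0.01, common_cause=True):
    """Four detectors must all fail for an intruder to go undetected.

    Without the common cause the tree is AND(D1..D4). Sharing one power
    supply adds a whole branch: non-detection = AND(D1..D4) OR PSU.
    (Leaf names and probabilities are constructed for illustration.)
    """
    detectors = AND("D1", "D2", "D3", "D4")
    top = OR(detectors, "PSU") if common_cause else detectors
    p = {f"D{i}": p_detector_fails for i in range(1, 5)}
    p["PSU"] = p_psu_fails
    return prob(top, p)


if __name__ == "__main__":
    print(f"P(Top) for the worked example          = {worked_example():.3f}")
    print(f"P(undetected), independent detectors  = {intruder_detection(common_cause=False):.2e}")
    print(f"P(undetected), shared power supply    = {intruder_detection(common_cause=True):.2e}")
```

With the constructed figures the four independent detectors give 10⁻⁴, and a power supply that fails one time in a hundred lifts the top event to about 10⁻², which is the redundancy being defeated by the common cause.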

Example 2. Source: http://www.dcs.glasgow.ac.uk/~johnson/papers/jouc-time.html accessed June 2003. Based upon the DoT report of the Townsend Thoresen car ferries capsize of the Herald of Free Enterprise (1987).

[figure: fault tree for the capsize; G = A AND B AND C AND D, H = E AND F, top event I = G AND H]

Let's use a very simple ranking scale:

Likelihood             High   Moderate   Low
Probability estimate   0.4    0.2        0.1

Note that input probabilities are much greater than output probabilities from trees. This is for the same reason that rolling one die compares to rolling 10 dice.

This is not quite a simple 0 to 1 scale because no one would run a business where a serious system failure was more than 40% probable. It is not a linear scale either.

Estimates:
Leaf   Estimate
A      High
B      High
C      Moderate
D      Moderate
E      Moderate
F      Low

It follows:

    P_G = P(A ∩ B ∩ C ∩ D) = P_A P_B P_C P_D = 0.4 × 0.4 × 0.2 × 0.2 = 6.4 × 10⁻³
    P_H = P(E ∩ F) = P_E P_F = 0.2 × 0.1 = 2.0 × 10⁻²
    P_I = P(G ∩ H) = P_G P_H = 2.0 × 10⁻² × 6.4 × 10⁻³ = 1.28 × 10⁻⁴

Two points to note in this calculation are:
1) The final result MUST be rounded so that it is not more accurate than the data used: P_I ≈ 10⁻⁴.
2) The observant student will notice that for this example P_I = P_A P_B P_C P_D P_E P_F. This formula is called the 'Structure Function' of the tree.

In the example on this page the probabilities were estimates. In this case it is best practice to repeat the calculation with 'pessimistic estimates' and 'optimistic estimates' to examine the range of results. If a middle value is to be used on the non-linear scale, then try antilog((log(a) + log(b))/2), i.e. the geometric mean of the two bounds.

Common errors:
a) overconfidence with numerical figures. E.g. 5.3274801792004: what is the ± uncertainty on that?
b) credibility of small numbers: 2.15 × 10⁻⁹² per hour?
c) acceptability of results. Is a 9.15 × 10⁻⁷ chance per day of an explosion acceptable?

Exercise part 2 (10 mins): rank the leaves on your tree and find P(top event).

SUCCESS TREES
A success tree is the logical conjugate of a fault tree. It begins with a top event that is a good thing and proceeds to consider factors that contribute to that positive result. Usually the success tree is drafted from the fault tree as a means to check the logic of both. There are three steps in this process:
1) redraw the tree but omit gates and words
2) substitute AND gates instead of OR gates and vice versa
3) write the logical 'NOT' opposite in each box (avoiding double negatives)

Example:
[figure: a fault tree and the success tree derived from it, side by side]

As an example of the value of drawing a success tree, consider what you might include as contributing factors on a fault tree with 'fire' as the top event. For example 'arson'. Upon transformation into a success tree you have fire prevention factors such as 'arson control', but you do not have factors such as 'sprinkler system' because that doesn't cause a fire. Furthermore, estimates of safety help to refine estimates of risk by bracketing the true value.

    R + S = 1
    Risk + Safety = 100%

Of course business has huge problems in quantifying 100% losses. Industry often uses Risk = 1 − Safety as an estimate.

Likelihood   Risk probability estimate   Safety probability estimate
High         0.4                         0.6
Moderate     0.2                         0.8
Low          0.1                         0.9

It is still good practice to make optimistic and pessimistic estimates.

Note that spreadsheets also commonly fall short in not considering the logical opposites. A PHA starts with a list of hazards but does not usually make a list of safety features and develop a comparison (similarly HazOp and FMEA).

CUT SETS
These will be extensively met in the section on engineering reliability. A cut set is a group of components such that, when all in the group fail, the entire system fails. A minimal cut set is an irreducible cut set, such that if any one member does not fail the system can maintain operation. Project managers will be more familiar with jargon such as 'critical paths' and 'key persons'.

1. Graphical method
Consider a tree:
[figure: gate 1 (AND) with inputs gate 2, gate 3 and leaf E; gate 2 (OR) with inputs A, B; gate 3 (AND) with inputs C, D]

Intermediate events do not matter in this method. Number all the gates and letter-label all the leaves. Now make a table and start with the first gate number in the first box:

    | 1 |

Now proceed down the tree replacing the gate '1' by its inputs:
    OR  = vertical replacement
    AND = horizontal replacement
In this example gate '1' is an AND gate with inputs 2, 3, E, so the '1' on the table is replaced horizontally by 2, 3, E:

    | 2 3 E |

The next gate in the table is '2', which is an OR gate with inputs A, B. So the '2' is replaced vertically by A and B, and the '3 E' is dragged downwards (duplicated by the OR gate):

    | A 3 E |
    | B 3 E |

The only remaining number is '3', an AND gate (horizontal) with inputs C and D:

    | A C D E |
    | B C D E |

Once all the gates have been replaced the answer is in front of us! There are two cut sets for this tree, ACDE and BCDE: the top event can only occur if one of these cut-set combinations occurs. They are critical to system failure. Having obtained the minimal cut sets from the example it is possible to draw the cut-set-equivalent tree:
[figure: Top = OR of two AND gates, one over A, C, D, E and one over B, C, D, E]

This tree has at most two gates between any leaf and the top event. Note that some events occur more than once as leaves. As a rule of thumb, a tree with many OR gates will yield many minimal cut sets of low order (small sets). By comparison many AND gates will lead to a small number of cut sets, each consisting of many terminal events. The probability of the top event can also be computed rapidly from the cut sets:

    P(Top) = P(Cut Set 1 ∪ Cut Set 2 ∪ ... ∪ Cut Set n) = P(∪ᵢ₌₁ⁿ Cut Set i)

For this example there are only two cut sets:

    P(Top) = P((A ∩ C ∩ D ∩ E) ∪ (B ∩ C ∩ D ∩ E))
           = P_A P_C P_D P_E + P_B P_C P_D P_E − P((A ∩ C ∩ D ∩ E) ∩ (B ∩ C ∩ D ∩ E))

The two cut sets share the events C, D and E. An event is not independent of itself (C ∩ C = C, so P(C ∩ C) = P_C, not P_C²), hence the overlap term is P(A ∩ B ∩ C ∩ D ∩ E) = P_A P_B P_C P_D P_E and

    P(Top) = P_C P_D P_E (P_A + P_B − P_A P_B) ≈ P_C P_D P_E (P_A + P_B)

For three cut sets:

    P(Top) = P(CS1 ∪ CS2 ∪ CS3)
           = (P(CS1) + P(CS2) + P(CS3)) − (P(CS1 ∩ CS2) + P(CS1 ∩ CS3) + P(CS2 ∩ CS3)) + P(CS1 ∩ CS2 ∩ CS3)

For four cut sets:

    P(Top) = (P(CS1) + P(CS2) + P(CS3) + P(CS4))
           − (P(CS1 ∩ CS2) + P(CS1 ∩ CS3) + P(CS1 ∩ CS4) + P(CS2 ∩ CS3) + P(CS2 ∩ CS4) + P(CS3 ∩ CS4))
           + (P(CS1 ∩ CS2 ∩ CS3) + P(CS1 ∩ CS2 ∩ CS4) + P(CS1 ∩ CS3 ∩ CS4) + P(CS2 ∩ CS3 ∩ CS4))
           − P(CS1 ∩ CS2 ∩ CS3 ∩ CS4)

The pattern (alternating sums over all single, pair, triple, ... intersections) is the inclusion-exclusion principle; the numbers of terms follow Bernoulli's pyramid (the binomial series). Each intersection term is the product of the leaf probabilities over the UNION of the leaves in those cut sets; it reduces to a plain product of cut-set probabilities only when the cut sets share no leaves.

It is also possible to use the success tree (the critical sets on a success tree are called 'tie sets', and these are the minimum groups of elements needed to maintain operation of the system). In the success tree each leaf is the opposite of the fault-tree leaf, written here with a bar: Ā means 'A does not fail'.

Step 1: start with the top gate:

    | 1 |

Step 2: '1' is an OR gate (vertical) with inputs 2, 3, Ē:

    | 2 |
    | 3 |
    | Ē |

Step 3: '2' is an AND gate (horizontal) with inputs Ā, B̄:

    | Ā B̄ |
    | 3    |
    | Ē    |

Step 4: '3' is an OR gate (vertical) with inputs C̄, D̄:

    | Ā B̄ |
    | C̄    |
    | D̄    |
    | Ē    |

The tie sets of the success tree are:
    Tie set 1 = {Ā, B̄}
    Tie set 2 = {C̄}
    Tie set 3 = {D̄}
    Tie set 4 = {Ē}

The equivalent success tree is:
[figure: Success = OR of four branches: (Ā AND B̄), C̄, D̄, Ē]

    P(success) = P((Ā ∩ B̄) ∪ C̄ ∪ D̄ ∪ Ē)
               = P(Ā ∩ B̄) + P(C̄) + P(D̄) + P(Ē)
                 − P(Ā ∩ B̄) P(C̄) − P(Ā ∩ B̄) P(D̄) − P(Ā ∩ B̄) P(Ē) − P(C̄) P(D̄) − P(C̄) P(Ē) − P(D̄) P(Ē)
                 + P(Ā ∩ B̄) P(C̄) P(D̄) + P(Ā ∩ B̄) P(C̄) P(Ē) + P(Ā ∩ B̄) P(D̄) P(Ē) + P(C̄) P(D̄) P(Ē)
                 − P(Ā ∩ B̄) P(C̄) P(D̄) P(Ē)
               = (1 − P_A)(1 − P_B) + (1 − P_C) + (1 − P_D) + (1 − P_E)
                 − (1 − P_A)(1 − P_B)(1 − P_C) − (1 − P_A)(1 − P_B)(1 − P_D) − (1 − P_A)(1 − P_B)(1 − P_E)
                 − (1 − P_C)(1 − P_D) − (1 − P_C)(1 − P_E) − (1 − P_D)(1 − P_E)
                 + (1 − P_A)(1 − P_B)(1 − P_C)(1 − P_D) + (1 − P_A)(1 − P_B)(1 − P_C)(1 − P_E)
                 + (1 − P_A)(1 − P_B)(1 − P_D)(1 − P_E) + (1 − P_C)(1 − P_D)(1 − P_E)
                 − (1 − P_A)(1 − P_B)(1 − P_C)(1 − P_D)(1 − P_E)

Here the plain products are legitimate because the four tie sets share no leaves. The same number follows more quickly as the complement of the fault-tree result: P(success) = 1 − P(Top) = 1 − P_C P_D P_E (P_A + P_B − P_A P_B).
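The table method for cut sets and tie sets, and the inclusion-exclusion sum over them, as a program. This is an added example and not part of the original handout; it works the same AND(OR(A, B), AND(C, D), E) tree as the two passages above, with leaf probabilities constructed for illustration (A, B high; C, D, E moderate on the scale used earlier). OR gates expand the table vertically, AND gates horizontally, absorption removes non-minimal rows, and swapping the gates gives the success tree, so the same routine returns its tie sets.

```python
# Added example: minimal cut sets / tie sets by the table method, and
# P(top) by inclusion-exclusion that stays correct when sets share leaves.
from functools import reduce
from itertools import combinations
from operator import mul


def AND(*kids):
    return ("AND",) + kids


def OR(*kids):
    return ("OR",) + kids


def expand(node):
    """Rows of the table as frozensets of leaf names (not yet minimal)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *kids = node
    blocks = [expand(k) for k in kids]
    if gate == "OR":                      # vertical: stack every input's rows
        return [row for block in blocks for row in block]
    if gate == "AND":                     # horizontal: one row per combination of input rows
        rows = [frozenset()]
        for block in blocks:
            rows = [a | b for a in rows for b in block]
        return rows
    raise ValueError(f"{gate!r}: only coherent (AND/OR) trees have plain cut sets")


def minimise(rows):
    """Absorption: drop any row that contains another row (A ∪ (A ∩ B) = A)."""
    keep = []
    for row in sorted(set(rows), key=len):
        if not any(k <= row for k in keep):
            keep.append(row)
    return keep


def cut_sets(tree):
    return minimise(expand(tree))


def dual(node):
    """Success tree: swap AND/OR; a leaf now means 'that component works'."""
    if isinstance(node, str):
        return node
    gate, *kids = node
    return ({"AND": "OR", "OR": "AND"}[gate],) + tuple(dual(k) for k in kids)


def tie_sets(tree):
    return cut_sets(dual(tree))


def p_union(sets, p):
    """P(S1 ∪ ... ∪ Sn) by inclusion-exclusion.  P(Si ∩ Sj ∩ ...) is the
    product over the UNION of their leaves, so a shared leaf counts once."""
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            members = frozenset().union(*combo)
            term = reduce(mul, (p[m] for m in members), 1.0)
            total += term if k % 2 else -term
    return total


def rare_event_bound(sets, p):
    """First-order approximation: the sum of the set probabilities (an upper bound)."""
    return sum(reduce(mul, (p[m] for m in s), 1.0) for s in sets)


# The handout's tree: gate 1 = AND(gate 2, gate 3, E), gate 2 = OR(A, B), gate 3 = AND(C, D).
TREE = AND(OR("A", "B"), AND("C", "D"), "E")
P_FAIL = {"A": 0.4, "B": 0.4, "C": 0.2, "D": 0.2, "E": 0.2}   # constructed estimates


def p_top():
    return p_union(cut_sets(TREE), P_FAIL)


def p_success():
    p_works = {name: 1.0 - q for name, q in P_FAIL.items()}
    return p_union(tie_sets(TREE), p_works)


if __name__ == "__main__":
    print("cut sets:", [sorted(s) for s in cut_sets(TREE)])
    print("tie sets:", [sorted(s) for s in tie_sets(TREE)])
    print(f"P(top) = {p_top():.5f}, rare-event bound = {rare_event_bound(cut_sets(TREE), P_FAIL):.5f}")
    print(f"P(top) + P(success) = {p_top() + p_success():.5f}")
```

The two cut sets come out as {A, C, D, E} and {B, C, D, E} and the four tie sets as {A, B}, {C}, {D}, {E}; P(top) + P(success) sums to 1, which is the check the success tree exists to provide. The rare-event bound is the sum of the first-order terms and is slightly above the exact value, as the approximation section later notes.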


FAULT TREE SIMPLIFICATION
Given that a fault/success tree is a graphical representation of a logical structure, if there are recurrent elements (for example with a tree developed from cut sets) then the tree can be simplified by Boolean algebra (see notes on set theory). There are 11 laws of Boolean algebra:

 1  Commutative         A ∩ B = B ∩ A                      A ∪ B = B ∪ A
 2  Associative         A ∩ (B ∩ C) = (A ∩ B) ∩ C          A ∪ (B ∪ C) = (A ∪ B) ∪ C
 3  Distributive        A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C)    A ∪ (B ∩ C) = (A ∪ B) ∩ (A ∪ C)
 4  Absorption          A ∩ (A ∪ B) = A                    A ∪ (A ∩ B) = A
 5  De Morgan's         (A ∩ B)' = A' ∪ B'                 (A ∪ B)' = A' ∩ B'
 6  Identity            A ∩ U = A      A ∪ ∅ = A           A ∪ U = U      A ∩ ∅ = ∅
 7  Inverse             A ∩ A' = ∅                         A ∪ A' = U
 8  Idempotent          A ∩ A = A                          A ∪ A = A
 9  Complement          U' = ∅                             ∅' = U
10  Double complement   (A')' = A
11  Difference          A − B = A ∩ B'

(U is the universal set, ∅ the empty set, and A' the complement of A.)

Example:

    Top = X ∪ Y
    X = A ∩ C ∩ D ∩ E
    Y = B ∩ C ∩ D ∩ E

Hence

    Top = (A ∩ C ∩ D ∩ E) ∪ (B ∩ C ∩ D ∩ E)

Apply the notation Z = C ∩ D ∩ E so that Top = (A ∩ Z) ∪ (B ∩ Z).
Apply the commutative law to get Top = (Z ∩ A) ∪ (Z ∩ B).
Apply the distributive law to find Top = Z ∩ (A ∪ B).
Replace the notation: Top = (C ∩ D ∩ E) ∩ (A ∪ B).
Finally (commutatively) Top = (A ∪ B) ∩ (C ∩ D ∩ E).
Flicking back a few pages, this is obviously simplified: it is the original tree the cut sets were derived from.


Example 2 (tree simplification)

[figure: top event T ('Disaster') = F AND A'; F = E AND D'; E = B OR C; C = B AND A; D = B AND A; D' = NOT D; A' = NOT A; the end events (leaves) are A and B]

Method: work from the bottom of the tree to the top, one logic gate at a time. Write the relationships in a list using the Boolean operators AND, OR, NOT:
(i)     B = B ∩ B       (write '∩' instead of 'AND')
(ii)    C = B ∩ A
(iii)   D = B ∩ A
(iv)    E = B ∪ C       (write '∪' instead of 'OR')
(v)     D' = D̄          (write either a dash, bar or tilde instead of 'NOT')
(vi)    F = E ∩ D'
(vii)   A' = Ā
(viii)  T = F ∩ A'

Step 1: substitution (top-down):

    T = F ∩ A'
      = (E ∩ D') ∩ A'                             expand F
      = ((B ∪ C) ∩ D') ∩ A'                       expand E
      = ((B ∪ C) ∩ (B ∩ A)') ∩ A'                 expand D
      = ((B ∪ (B ∩ A)) ∩ (B ∩ A)') ∩ A'           expand C

We wish to simplify this with the Boolean laws.

Step 2: get rid of the difference first (X ∩ Y' is X − Y), double complements second, etc. Work from the bottom of the list to the top!!

    T = ((B ∪ (B ∩ A)) ∩ (B' ∪ A')) ∩ A'          De Morgan on the difference term
    T = (B ∩ (B' ∪ A')) ∩ A'                      absorption: B ∪ (B ∩ A) = B
    T = ((B ∩ B') ∪ (B ∩ A')) ∩ A'                distributive
    T = (∅ ∪ (B ∩ A')) ∩ A'                       inverse
    T = (B ∩ A') ∩ A'                             identity
    T = B ∩ (A' ∩ A') = B ∩ A'                    associative, idempotent: simplified!

Step 3: draw the new tree.

[figure: the simplified tree: T ('Disaster') = AND gate over B and A' (NOT A); the box labels read NO ALARM, NOT A, ALARM]

    T = B ∩ A'
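A hand simplification is easy to get wrong, and a truth table over the leaves is the cheapest check. This is an added example and not part of the original handout: it evaluates the unsimplified and simplified forms of both examples above over every assignment and confirms they agree, then tests the result for coherence (the property named in the session aims), which the NOT gate in Example 2 destroys.

```python
# Added example: verify Boolean simplifications exhaustively and test coherence.
from itertools import product


def truth_table(expr, names):
    """Map each assignment (tuple of bools in `names` order) to the value of expr."""
    return {bits: expr(dict(zip(names, bits)))
            for bits in product([False, True], repeat=len(names))}


def equivalent(expr1, expr2, names):
    return truth_table(expr1, names) == truth_table(expr2, names)


def is_coherent(expr, names):
    """A structure function is coherent (monotone) if adding a failure can never
    switch the top event off: for every assignment with the top event true,
    turning any further leaf from False to True must keep it true."""
    table = truth_table(expr, names)
    for bits, value in table.items():
        if not value:
            continue
        for i, b in enumerate(bits):
            if not b:
                raised = bits[:i] + (True,) + bits[i + 1:]
                if not table[raised]:
                    return False
    return True


# Example 1: (A∩C∩D∩E) ∪ (B∩C∩D∩E)  versus  (A∪B) ∩ C ∩ D ∩ E
def ex1_original(v):
    return ((v["A"] and v["C"] and v["D"] and v["E"])
            or (v["B"] and v["C"] and v["D"] and v["E"]))


def ex1_simplified(v):
    return (v["A"] or v["B"]) and v["C"] and v["D"] and v["E"]


# Example 2: T = ((B ∪ (B ∩ A)) − (B ∩ A)) ∩ A'  versus  B ∩ A'
# The difference X − Y is X ∩ Y', written below as (x and not y).
def ex2_original(v):
    e = v["B"] or (v["B"] and v["A"])      # E = B ∪ C with C = B ∩ A
    d = v["B"] and v["A"]                  # D = B ∩ A
    f = e and not d                        # F = E ∩ D'
    return f and not v["A"]                # T = F ∩ A'


def ex2_simplified(v):
    return v["B"] and not v["A"]


def check_examples():
    """(ex1 equivalent?, ex2 equivalent?, ex1 coherent?, ex2 coherent?)"""
    return (equivalent(ex1_original, ex1_simplified, "ABCDE"),
            equivalent(ex2_original, ex2_simplified, "AB"),
            is_coherent(ex1_simplified, "ABCDE"),
            is_coherent(ex2_simplified, "AB"))


if __name__ == "__main__":
    print(check_examples())
```

Both simplifications check out. Example 1 is coherent, as any AND/OR-only tree is. Example 2 is not: with B failed and A working the top event is on, and letting A fail as well turns it off, so the cut-set method of the previous pages (which assumes monotone AND/OR structure) cannot be applied to it without first treating A' as a leaf in its own right.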


FAULT TREE REDUCTION BY APPROXIMATION
(1) If the probability of any event is close to 100% and it lies under an AND gate, then it can be ignored and even removed from the tree diagram, i.e. ignore likely events under AND gates.

[figure: AND gate with one near-certain input, 'Trees are green', that can be dropped]

In theory: P(A ∩ B) = P(A) + P(B) − P(A ∪ B) ≈ P(A) when P(B) ≈ 1, hence P(A) over-estimates P(A ∩ B) and the predicted risks will be larger than really observed (a conservative error). Do not ignore terminal events that influence some other intermediate events.
(2) First-order cut sets affect the system more than higher-order cut sets. The higher-order cut sets can be ignored unless there are very many of them. Discard all such sets from terminal events up through intermediate events until you encounter an OR gate. This approximation will reduce the predicted risks and so over-state the real reliability (a non-conservative error), i.e. ignore unlikely events under OR gates.
At a glance only joint properties could be assigned to a tree: its mean value will be given by a coordinate vector r and the uncertainty will be given by the covariance. When time is the only variable then the structure function can be integrated for the MTTF (see reliability section).


Problems
1. The fault tree shown in Figure 1 has been developed by ACME after a two-year study. Event 'A' is the use of an inadequate assessment of hazards; event 'B' is the use of an inadequate assessment of likelihood. Find the probability of the top event if, for example, A = 0.1 and B = 0.2. Redraw the tree so that terminal events are not repeated, but the same probability is obtained.

[Figure 1. ACME risk concepts tree. Gates as labelled: 'Disaster' (AND) at the top; intermediate events C (OR), E (OR), G (NOT), F (AND), H (AND), D (AND); the leaves include A and A' (NOT A)]

2. The tree diagram in Figure 2 has been developed to estimate some of the human factors affecting fire safety in Maudland Building.
a) Using the crude estimates P1 = 0.01, P2 = 0.05 and P3 = 0.08, find the following probabilities: (i) P(classroom origin of fire) (ii) P(office origin of fire) (iii) P(fire)
b) Repeating the computation with letters rather than numbers, use algebra to find the structure function.
c) It is suggested (from academics) that the tree is poorly drawn, because 'facilities' appears more than once. Is this true?

[Figure 2. Maudland Building tree]

Application notes:

ROOT CAUSE ANALYSIS
Study of the original reason for nonconformance with a process. When the root cause is removed or corrected, the nonconformance will be eliminated. A 4-step process:
1) Data collection and preservation
2) Causal factor charting (e.g. tree diagram)
3) Root cause identification (factors)
4) Recommendation generation and implementation

MORT Analysis: Management & Oversight Risk Tree. There are 3 branches from the top event (loss): e.g. the central route could be 'Specific & Management', the left route could be 'Oversights & Omissions', and the right could be 'Assumed Risks'. Variants exist, including SMORT.

