Fault Tree

5/25/2018 Fault Tree

1/45

L09 Fault Tree Analysis

Quantitative Risk Analysis L09

Fall 2013

Fault Tree Analysis

1


2/45L09 Fault Tree Analysis

Logic Diagram Analysis

Risk assessment includes frequencies or probability

estimates of scenario outcome events.

Values of Pr (system failure|c1, c2, ) usually are not

known and must be estimated from simpler or base

events: Pr (unit failure|c1, c2,) Quantification of outcome events are based on primary

or base events or components for which occurrence data

(specific, generic, expert opinion) exist.

Logic diagrams link base and intermediate events and

units that occur in event sequences or scenarios for

quantification of outcome events.

2



Fault Tree Analysis

Fault tree analysis (FTA) is a logic diagram approach to analyze

system failures.

A fault tree (FT) begins with a potential upset (top event), and

diagrams through deduction how the top event can result from

lower level events or failures.

An event tree (ET) diagram events that are initiated by and resultthrough induction from a FT top event.

A FT top event is connected to lower level events through logic

gates such as: OR (union operation,), AND (intersection

operation, ). FT and ET events are analyzed and quantified based on fail-

success (binary).

3



FTA Purpose

FTA requires an understanding of the system and potential failures

aided by a system block diagram or functional diagram and asystem hazard analysis of potential failure causes.

FTA can help to analyze system design, component and system

operation, human actions, and effects of the external environmenton the system

Cause and effect relationships leading to the top event are

identified, analyzed, and represented in the FT.

4



FTA Requirements

Identify the physical boundaries of the system to be

included in the FTA

System conditions at start of top event

External conditions at start of top event

Decide on the depth and resolution of the deductiveanalysis from top event to lower level events.

FTA team tasks

5



FTA Construction

Define the top event, example:

What, Fire

Where, in the process oxidation reactor

When, during normal operation

Identify necessary and sufficient events, conditions, and

units to cause the top event.

6



FTA Construction

Connect events and conditions via logic gates

such as AND, OR

Continue with underlying events to an appropriate event

level called primary or base events to include

components or human actions Connection to base events:

Simple, independent events

Events for which sufficient data exist (such as failure data) to

explain and quantify top event of FT

7



AND-Gate

Independent basic events E1 and E2 at time t The TOP event failure probability, QT, at time t is

QT = P(E1E2) = P(E1|E2)P(E2) = P(E1)P( E2)

With a single AND-gate and n independent basic events occurring

at time t,

8

TOP

E 1 E 2

(independent)



OR-Gate

Independent basic events E1 and E2 at time t The TOP event probability at time t is

QT = P(E1E2) = P(E1) + P(E2)P(E1E2)

= Q1 + Q2Q1Q2

With a single OR-gate and n basic independent events occurring at

time t,

9

TOP

E 1 E 2

(independent)



Combining OR with AND Gates

with Logic

10



Analysis of Logic Trees

Logical (qualitative) evaluation:

Find cut sets (for failure) or path sets (for success)

by Boolean manipulations, or use logical information to

rearrange the tree for easy computation.

Probabilistic (quantitative) evaluation:

Use estimates of probabilities or frequencies for event

occurrences.

11



Fault Trees Identification

Fault trees help to identify how a system can fail through

one or more of component failures or human failures.

FT help to analyze the causes of failures in complex

systems from sequence of failure/success events.

Minimum cut sets determined from a reduced FT show

the scenarios of minimum failures that lead to failureindicated by the top event occurrence, T.

12



FTAMain Symbols

Basic Event A basic initiating fault (component failure)

Intermediate or top

Event

Occurs as a result of events at a lower

level acting through logic gates

And Gate Output occurs if all input events occur

Or Gate Output occurs if at least one input eventoccurs



Flashlight

Fault Tree for a Flashlight

Switch

Bulb

+-+- Battery Battery

Event: No light



Fault Tree for a Flashlight

Battery Switch BulbBasic Event

No lightTop Event

Or Gate



Symbols


17/45L09 Fault Tree Analysis 17

FE, flow transducer

FC, flow controller

FS, flow switchFAL, low flow alarm

SV, solenoid valve

FCV, flow control

TE, T transducer

TC, T controller

TSH, high T switch

GIV, gas isolation valveMBV, manual bypass valve

TCV, T control valve

Hot Oil Heating System

H Oil H i S




scope

Supply hot oil plus solvent to bitumen (asphalt solution)

tanks

Flow through heater must be maintained or heater coilsmay overheat, rupture, and cause a fire.

Flow control valve, FCV, opens progressively if flow toheater drops, e.g., flow to a bitumen tank reduced, and

returns oil back to pump.

Manual bypass valve, MBV, for FCV maintenance.

18

H Oil H i S




HAZID

What are hazards of this oil heating system?

19

H t Oil H ti S t




FTA for Heater Coil Burn Out

For heater coil burn out as an upset event, identify initial

triggering events or system demands, each to be

analyzed separately.

20

H t Oil H ti S t




FTA for Heater Coil Burn Out

events or demands:

No or low oil flow demands

Pump failure

Flow control system failure

Oil leak (large) Pipeline blockage

Valve closed

Excess gas flow (e.g. at a time of low oil flow)

Fuel gas control

21

H t Oil H ti S t




Heater Coil Burn Out -Frequency

each of this demands should be analyzed separately

Frequency of coil burn out is based on frequencies from

each of the demands:

Pump failure OR

flow control system failure OR oil leak OR

pipeline blockage OR

valve closed OR

Can pump failure by itself cause top event?

22

P F il D d


23/45


Pump Failure Demand

Fault Tree, 1

The heater coils burn out if both the pump fails AND the

protective response fails.

The protective response fails if both the automatic response

fails AND the manual response fails.

Causes of automatic response failure: either FE fails OR FSfails OR SV fails OR TCV fails.

Causes of manual response failure: either FE fails OR FS

fails OR FAL fails OR the operator fails OR GIV fails.

For this system, construct a fault tree based on your knowledgeof the system operation.

23

P F il D d


24/45


T = A[(BCDE)(BCFGH)]

Automatic response Manual response

State the logic expression in words.

Initial FT and Logic Based on Understanding of System

Pump Failure Demand

Fault Tree, 1

24

Represent the mishap or top event

by T.

Events leading to T are represented

by letters for system components

P F il D d


25/45


T = A[(B+C+D+E)(B+C+F+G+H)]

Automatic Manual

Boolean Algebra Logic

Pump Failure Demand

Fault Tree, 1

25

which makes what assumptions?

P mp Fail re Demand


26/45


Pump Failure Demand

Fault Tree, 1 comments

Over-temperature protection system, (TSH, SV) does not

operate if pump stops, because there is no flow to the

TSH sensor. (auto response system failure)

But the oil in the heater can overheat and cause heatercoil burn out if pump stops, and FS fails, or FAL fails, or

operator, OP, fails to cut off fuel to the heater.

26

Pump Failure Demand


27/45


Pump Failure Demand

Fault Tree, 1

27

Pump Failure Demand


28/45


Pump Failure Demand

Fault Tree, 1 comments

From the initial fault tree construction, there are two

components, FE and FS, that appear more than in one

branch of the tree.

As discussed, the initial fault tree is based on our

understanding of how the system works. An initial fault tree should be therefore reduced to avoid

repetitions, which can lead to over counting of failures

and inaccurate top event frequency or probability

calculation.

From the initial FT prepare a reduced fault tree.

28

FT Reduction with


29/45


FT Reduction with

Boolean Algebra,

To simplify, the logic expression is expanded and

reduced:

T = A (B+C+D+E) (B+C+F+G+H) =

= A(BB+BC+BF+BG+BH+CB+CC+CF+CG+CH+DB+DC+DF+DG+DH+

EB+EC+EF+EG+EH)

29

FT Reduction with


30/45


FT Reduction with

Boolean Algebra

Boolean Identities (Idempotent, Absorption)

A A = A A AND A = A

A A = A A OR A = A

A (A B) = A A OR (A AND B) = A

B

30

FT Reduction


31/45


FT Reduction

with Approximations

Boolean Identities (Idempotent, Absorption)

Fill in spaces to quantify , and identify approximation

used (RE rare event, or SI independent).

Exact Approximate

A A = A A A = A

A A = A A + A = A

A (A B) = A A + (A B) = A

31


32/45


Fault Tree Reduction

T = A

(BB + BC + BF + BG + BH

+ CB + CC + CF + CG + CH

+ DB + DC + DF + DG + DH

+ EB + EC + EF + EG + EH)

32

based on the previous assumptions and identities

simplify the equality


33/45


Fault Tree Reduction

T = A(B+C+DF+DG+DH+EF+EG+EH)

Factor and categorize this logic expression of T to

highlight system functions

T = A{B + C + (D + E)(F + G + H)}

State the logic expression in words.

33

auto auto manual

Pump Failure Demand


34/45


A

D E F G H

ManualAuto

Auto

B C

State the logic of the

reduced FT using the

same assumptions as

for the initial FT:

Pump Failure Demand

Fault Tree after reduction, 2

34

T = A{B+C+(D+E)(F+G+H)}

protective response

Pump Failure Demand


35/45


Pump Failure Demand


The heater coils will burn out if both the pump fails

AND the protective response fails.

The protective response fails if either FE fails OR FS

fails OR a combination of failures occurs.

A combination of failures leading to failure of the

protective response occurs if there is (a failure of either

SV OR TCV) AND (a failure of either FAL OR the

operator OR GIV).

35

Pump Failure Demand


36/45


A

D E F G H

ManualAuto

Auto

B C

Pump Failure Demand


36

T = A{B+C+(D+E)(F+G+H)}

What are the

minimum failures

that result in T?


37/45


Fault Tree Success Paths

A FT success path is a component or group of

components that prevents the FT top event fromoccurring.

A FT can exhibit one or more success paths. Success paths form a success tree ST, which is the

complement of a FT with all events and operations

changed to their logical complements (fail/success,

/).

37


38/45


Success Trees

Shows how a system can perform without failure based

on performance of components and human actions

Facilitate understanding of minimum success

requirements, with minimal path sets leading to systemperformance, for system designers, operators, and

managers.

38


39/45


FT Cut Sets

A fault tree cut set is an event or set of basic failure

events, the simultaneous occurrence of which causes thetop event to occur.

Each cut set inactivates or cuts all success paths.

A minimum cut set is a set that cannot be reduced in size(number of components).

Minimum cut sets are determined directly from the

reduced fault tree.

A minimal cut set fails (cuts all success paths) when all

components of the cut set fail simultaneously or co-fail

within a short time period.

39

h


40/45


Cut Sets, Path Sets

Success Path Components

1 PU

2 FE, FS, SV, TCV

3 FE, FS, FAL, OP, GIV

Single component to inactivate all paths?

Two-component combinations:

are minimal cut sets with 2 components that by co-failure cut all success paths.

How many are there?

40

C S h S


41/45


Cut Sets Path Sets

Success Path Components

1 PU

2 FE, FS, SV, TCV

3 FE, FS, FAL, OP, GIV

Three-component cut sets: How many?

Four-component cut sets: How many?

41

FT C S d ST P h S


42/45


FT, Cut Sets, and ST, Path Sets

42

( ), (B,C)Acut sets

Input Output

A+B C=A (B +C) =A B +A C[Independent, REA]

Logic:

path sets( , ), ( , )A B A C

C S E l i


43/45


Cut Set Evaluation

43

Cut set fails

E2 ErE1 . . .

A minimal cut set fails if (and only if) all the

basic events in the set simultaneously fail.

The probability that cut set s, with rindependent events, fails at time t is

TOP E P b bili


44/45


TOP Event Probability

44

The TOP event occurs if at least one of the k

minimal cut sets, SI, fails. The upper bound

approximation of the TOP event probability is

TOP

CS2 CSkCS1 . . .

for independent events

(Rausand, 2004)

REA approximation

failure scenarios:

Cut sets are not

mutually exclusive!

T E t A t


45/45

Top Event Assessment

How can events and paths leading to the top event, i.e.,

cut sets, be assessed with regard to their quantitativecontribution to the top event frequency or probability?

This risk source quantification is needed to identify costeffective direction of resources to lower risk and manage

risk within acceptable ranges.

Documents

Fault Tree