14.6 Analysis Procedure
There are four steps to perform an FTA:
14.6.1 Defining the Problem
A top event and boundary conditions must be determined when defining the problem. Boundary conditions include:
- system physical boundaries;
- level of resolution;
- initial conditions;
- not allowed events;
- existing conditions;
- other assumptions.
Top events should be precisely defined for the system being evaluated. A poorly defined top event can lead to an inefficient analysis.
14.6.2 Constructing the Fault Tree
Construction begins at the top event and continues, level by level, until all fault events have been broken into their basic events. Several basic rules have been developed to promote consistency and completeness in the fault tree construction process. These rules, as listed in Table 14.4, are used to ensure systematic fault tree construction (3).
Table 14.4 Rules for Constructing Fault Tree
| Fault tree statements | Write the statements that are entered in the event boxes and circles as malfunctions. State precisely a description of the component and the failure mode of the component. The “where” and “what” portions specify the equipment and its relevant failed state. The “why” condition describes the state of the system with respect to the equipment, thus explaining why the equipment state is considered a fault. Resist the temptation to abbreviate during construction |
| Fault event evaluation | When evaluating a fault event, ask the question “Can this fault consist of an equipment failure?” If the answer is yes, classify the fault event as a “state-of-equipment” fault. If the answer is no, classify the fault event as a “state-of-system” fault. This classification aids in the continued development of the fault event |
| No miracles | If the normal functioning of equipment propagates a fault sequence, assume that the equipment functions normally. Never assume that the miraculous and totally unexpected failure of some equipment interrupts or prevents an accident from occurring |
| Complete each gate | All inputs to a particular gate should be completely defined before further analysis of any other gate. For simple models, the fault tree should be completed in levels, and each level should be completed before beginning the next level. This rule may be unwieldy when constructing a large fault tree |
| No gate-to-gate | Gate inputs should be properly defined fault events; that is, gates should never be directly connected to other gates. Cutting short the fault tree development process leads to confusion because the outputs of the gate are not specified |
14.6.3 Analyzing the Fault Tree
Many times, it is difficult to identify all of the possible combinations of failures that may lead to an accident by directly looking at the fault tree. One method for determining these failure paths is the development of “minimal cut sets.” Minimal cut sets are all of the combinations of failures that can result in the top event. The cut sets are useful for ranking the ways the accident may occur and are useful for quantifying the events, if the data are available. Large fault trees require computer analysis to derive the minimal cut sets, but some basic steps can be applied for simpler fault trees:
By evaluating the minimal cut sets, an analyst may efficiently evaluate areas for improved system safety.
14.6.4 Documenting the Results
The analyst should provide a description of the system being analyzed, a discussion of the problem definition, a list of the assumptions, the fault tree model(s), lists of minimal cut sets, and an evaluation of the significance of the minimal cut sets. Any recommendations should also be presented.