(1)?1961~1962??,?Bell Telephone Lab.?H. A. Watson?????????????????????????? - PowerPoint PPT Presentation

1
(1) 1961~1962, Bell Telephone Lab., H. A. Watson ...
(2) 1963, U. of Washington safety Symposium ...
(3) 1970s ...
(4) 1972, Reactor Safety Study, WASH-1400 ...
(5) ... (LNG) ...
(6) ... PRA ... Fault Tree Analysis (and Event Tree Analysis) ...
2
  • General Description
  • Fault Tree Analysis (FTA) is a deductive
    technique that focuses on one particular accident
    event.
  • The fault tree itself is a graphic model that
    displays the various combinations of equipment
    faults and failures that can result in the
    accident event.
  • The solution of the fault tree is a list of the
    sets of equipment failures and human/operator
    errors that are sufficient to result in the
    accident event of interest.
  • The strength of FTA as a qualitative tool is its
    ability to break down an accident into basic
    equipment failures and human errors. This allows
    the safety analyst to focus preventive measures
    on these basic causes to reduce the probability
    of an accident.

3
Purpose: Identify combinations of equipment failures and human errors that can result in an accident event.
When to Use:
a. Design: FTA can be used in the design phase of the plant to uncover hidden failure modes that result from combinations of equipment failures.
b. Operation: FTA including operator and procedure characteristics can be used to study an operating plant to identify potential combinations of failures for specific accidents.
4
Type of Results: A listing of sets of equipment and/or operator failures that can result in a specific accident. These sets can be qualitatively ranked by importance.
Nature of Results: Qualitative, with quantitative potential. The fault tree can be evaluated quantitatively when probabilistic data are available.

5
Data Requirements:
a. A complete understanding of how the plant/system functions.
b. Knowledge of the plant/system equipment failure modes and their effects on the plant/system.

6
Staffing Requirements: One analyst should be responsible for a single fault tree, with frequent consultation with the engineers, operators, and other personnel who have experience with the systems/equipment that are included in the analysis. The single analyst/single fault tree approach promotes continuity within the fault tree, but the analyst must have access to the information needed to define faults and failures that contribute to the accident event. A team approach is desirable if multiple fault trees are needed, with each team member concentrating on one individual fault tree. Interactions between team members and other experienced personnel are necessary for completeness in the analysis process.
7
Time and Cost Requirements: Time and cost requirements for FTA are highly dependent on the complexity of the systems involved. Modeling a small process unit could require a day or less with an experienced team. Large problems, with many potential accident events and complex systems, could require several weeks even with an experienced analysis team.
8
Figure 1 (process diagram; labels as extracted): HIGH TEMP INTERLOCK, EMERGENCY SHUT-OFF VALVE, BURSTING DISC, TIS, FLOW CONTROLLER, FRC, FLOW CONTROL VALVE, MATERIAL B, MATERIAL A.
9
Figure 2 (quantified fault tree; gate types follow from the values printed on the slide: OR inputs add, AND inputs multiply):
REACTOR EXPLOSION, 3.6 × 10^-4 F/YR
  AND
  |- RUNAWAY REACTION, 1.8 × 10^-2 F/YR
  |    AND
  |    |- FLOW CONTROL LOOP FAILS, 0.3 F/YR
  |    |    OR
  |    |    |- FLOW CONTROLLER FAILS, 0.2 F/YR
  |    |    |- VALVE STICKS OPEN, 0.1 F/YR
  |    |- TEMPERATURE INTERLOCK FAILS, 0.06 probability of failure on demand
  |         OR
  |         |- THERMOCOUPLE RELAY FAILS, 0.05 probability of failure on demand
  |         |- VALVE FAILS TO CLOSE, 0.01 probability of failure on demand
  |- BURSTING DISC FAILS, 0.02 probability of failure on demand
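An added example (not from the slides) that evaluates the Figure 2 tree bottom-up with the rare-event approximation the slide uses (OR adds, AND multiplies), carrying the unit of every event along so that an AND of two frequencies, which is not a frequency, is rejected instead of silently producing a number. The class and function names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ev:
    name: str
    value: float
    unit: str  # "F/yr" (frequency) or "PFD" (probability of failure on demand)

class Gate:
    def __init__(self, kind, name, *inputs):
        self.kind, self.name, self.inputs = kind, name, inputs

def evaluate(node):
    """Evaluate a node bottom-up; reject dimensionally invalid gates."""
    if isinstance(node, Ev):
        return node
    vals = [evaluate(i) for i in node.inputs]
    units = {v.unit for v in vals}
    if node.kind == "OR":
        # Rare-event approximation: OR = sum; inputs must share a unit.
        if len(units) != 1:
            raise ValueError(f"OR gate {node.name!r} mixes units {units}")
        return Ev(node.name, sum(v.value for v in vals), units.pop())
    if node.kind == "AND":
        # AND = product; at most one input may be a frequency,
        # because F/yr x F/yr has no meaning as an event frequency.
        freqs = sum(1 for v in vals if v.unit == "F/yr")
        if freqs > 1:
            raise ValueError(f"AND gate {node.name!r} multiplies two frequencies")
        prod = 1.0
        for v in vals:
            prod *= v.value
        return Ev(node.name, prod, "F/yr" if freqs else "PFD")
    raise ValueError(f"unknown gate kind {node.kind!r}")

# The tree of Figure 2, with the values printed on the slide.
REACTOR_EXPLOSION = Gate("AND", "Reactor explosion",
    Gate("AND", "Runaway reaction",
        Gate("OR", "Flow control loop fails",
            Ev("Flow controller fails", 0.2, "F/yr"),
            Ev("Valve sticks open", 0.1, "F/yr")),
        Gate("OR", "Temperature interlock fails",
            Ev("Thermocouple relay fails", 0.05, "PFD"),
            Ev("Valve fails to close", 0.01, "PFD"))),
    Ev("Bursting disc fails", 0.02, "PFD"))

def top_event_frequency():
    """Frequency of the top event in F/yr: 3.6e-4 for the slide's values."""
    return evaluate(REACTOR_EXPLOSION).value
```

evaluate() returns the intermediate events too, so the 0.3 F/yr, 0.06 and 1.8 × 10^-2 F/yr printed on the slide can be checked the same way.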
10
Table 2.1 Gate Symbols (gate symbol: gate name: causal relation; symbol images omitted)
1. AND gate: Output event occurs if all input events occur simultaneously.
2. OR gate: Output event occurs if any one of the input events occurs.
3. Inhibit gate: Input produces output when conditional event occurs.
11
Table 2.1 Gate Symbols (continued)
4. Priority AND gate: Output event occurs if all input events occur in the order from left to right.
5. Exclusive OR gate: Output event occurs if one, but not both, of the input events occurs.
6. m out of n gate (voting or sample gate), n inputs: Output event occurs if m out of n input events occur.
12
Table 2.2 Event Symbols (event symbol: meaning; symbol images omitted)
1. Circle: Basic event with sufficient data.
2. Diamond: Undeveloped event.
3. Rectangle: Event represented by a gate.
13
Table 2.2 Event Symbols (continued)
4. Oval: Conditional event used with inhibit gate.
5. House: House event, either occurring or not occurring.
6. Triangles: Transfer symbol.
14
COMPONENT FAILURE CHARACTERISTICS
Primary Faults and Failures: Primary faults and failures are equipment malfunctions that occur in the environment for which the equipment was intended. These faults or failures are the responsibility of the equipment that failed and cannot be attributed to some external force or condition.
Secondary Faults and Failures: Secondary faults and failures are equipment malfunctions that occur in an environment for which the equipment was not intended. These faults or failures can be attributed to some external force or condition.
15
COMPONENT FAILURE CHARACTERISTICS
Command Faults and Failures: Command faults and failures are equipment malfunctions in which the component operates properly but at the wrong time or in the wrong place. These faults or failures can be attributed to the source of the incorrect command.
When the exact failure mode for a primary or secondary failure is identified, and failure data are obtained, primary and secondary failure events are the same as basic failures and are shown as circles in a fault tree.
16
EXAMPLE: 1) Primary 2) Secondary 3) Command
  • Tank rupture due to metal fatigue.
  • Fuse is opened by excessive current.
  • Earthquake cracks storage tanks.
  • Pressure vessel rupture because some fault external to the vessel causes the internal pressure to exceed the design limits.
  • Power is applied inadvertently to relay coil.
  • Noisy input to safety monitor randomly generates spurious shutdown signals.

17
FTA Procedure
  • Problem Definition
  • Fault Tree Synthesis
  • Solution - Minimal Cut Sets
  • Probability Calculation

18
Step 1 PROBLEM DEFINITION
  • TOP Event
  • Boundary Conditions
    - unallowed events (impossible events)
    - existing events (certain events)
    - system physical bounds
    - level of resolution
    - other assumptions, e.g. initial conditions

19
Step 2 FAULT TREE SYNTHESIS
Figure (process schematic; labels as extracted): COOLING WATER EMERGENCY HEAD TANK, REACTANT Y, REACTANT X, E M, COOLING WATER OUT, COOLING WATER IN, COOLING WATER SUPPLY PUMP, PUMP X.
20

Fault tree for LOSS OF REACTION CONTROL (reconstructed from the slide labels; the slide writes the branches in cut-set notation as (ABC)(BDE)(BF).G):
LOSS OF REACTION CONTROL = (ABC) + (BDE) + (BF).G
  OR
  |- LOSS OF AGITATION (ABC)
  |    OR
  |    |- OPERATOR ERROR, A
  |    |- FAILURE OF POWER SUPPLY, B
  |    |- AGITATOR MECHANICAL FAILURE, C
  |- SUPPLY OF REACTANT X STOPS (BDE)
  |    OR
  |    |- PUMP X FAILS (BD)
  |    |    OR
  |    |    |- FAILURE OF POWER SUPPLY, B
  |    |    |- PUMP X MECHANICAL FAILURE, D
  |    |- OPERATOR ERROR, E
  |- LOSS OF COOLING ON JACKET (BF).G
       AND
       |- FAILURE OF WATER SUPPLY (BF)
       |    OR
       |    |- FAILURE OF POWER SUPPLY, B
       |    |- WATER PUMP MECHANICAL FAILURE, F
       |- EMERGENCY SUPPLY FROM HEAD TANK FAILS, G
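An added example (not the slide's own working) that derives the minimal cut sets of this tree by Boolean expansion, using the letters A to G as printed on the slide: OR gates take the union of their inputs' cut sets, AND gates combine one cut set from each input, and the absorption law X + XY = X removes the non-minimal set BG that the shared power-supply event B would otherwise leave behind. Names are my own.

```python
from itertools import product

def cut_sets(node):
    """Cut sets of a node, as a set of frozensets of basic-event letters."""
    if isinstance(node, str):            # a basic event is its own cut set
        return {frozenset([node])}
    kind, inputs = node[0], node[1:]
    child_sets = [cut_sets(i) for i in inputs]
    if kind == "OR":                     # OR: union of the inputs' cut sets
        result = set().union(*child_sets)
    elif kind == "AND":                  # AND: one cut set from every input
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {kind!r}")
    return minimize(result)

def minimize(sets):
    """Absorption law X + XY = X: drop any cut set that contains another."""
    return {s for s in sets if not any(o < s for o in sets)}

# Tree as read from the slide. B (failure of power supply) feeds all three
# branches, which is why absorption matters for the final answer.
LOSS_OF_AGITATION = ("OR", "A", "B", "C")                       # (ABC)
PUMP_X_FAILS = ("OR", "B", "D")                                 # power or mechanical
SUPPLY_OF_X_STOPS = ("OR", PUMP_X_FAILS, "E")                   # (BDE)
FAILURE_OF_WATER_SUPPLY = ("OR", "B", "F")                      # (BF)
LOSS_OF_JACKET_COOLING = ("AND", FAILURE_OF_WATER_SUPPLY, "G")  # (BF).G
LOSS_OF_REACTION_CONTROL = ("OR", LOSS_OF_AGITATION, SUPPLY_OF_X_STOPS,
                            LOSS_OF_JACKET_COOLING)

def minimal_cut_sets(tree=LOSS_OF_REACTION_CONTROL):
    """Minimal cut sets as sorted tuples, e.g. ('F', 'G')."""
    return {tuple(sorted(s)) for s in cut_sets(tree)}

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(), key=lambda c: (len(c), c)):
        print("".join(cs))   # A, B, C, D, E, FG: BG was absorbed by B
```

Five of the six minimal cut sets are single events, which is the qualitative ranking the slides describe: any one of A to E defeats reaction control on its own, while the jacket-cooling branch needs two failures.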
21
HEURISTIC GUIDELINES
1) Replace an abstract event by a less abstract event.
   Example: Loss of Cooling Water -> No Water from Pump
2) Classify an event into more elementary events.
   Example: Tank Explosion = OR (Explosion by Overfilling, Explosion by Runaway Reaction)
22
HEURISTIC GUIDELINES
3) Identify distinct causes for an event.
   Example: Runaway Reaction = OR (Excessive Feed, Loss of Cooling)
4) Couple trigger event with no protective action.
   Example: Overheating = AND (Loss of Cooling Water, No System Shutdown)
23
HEURISTIC GUIDELINES
5) Find cooperative causes for an event.
   Example: Fire = AND (Leak of Flammable Fluid, Source of Sparks)
6) Pinpoint a component failure event.
   Example: No Cooling Water = AND (Main Valve is Closed, Bypass Valve isn't Opened)
Note: 1) - 6) are state-of-system events.

24
7) Develop a component failure using Fig. 2.22.
Figure 2.22. Development of a component failure (state-of-component event): the component failure is developed through an OR gate into a primary failure, a secondary failure and a command fault; the command fault is in turn developed into a state-of-system event.
25
Example - The Process
  • This example shows how the heuristic guidelines
    can be used to construct fault trees. In the
    pumping system shown in the next page, the tank
    is filled in 10 min and empties in the next 50
    minutes; thus, the cycle time is 1 hr. After the
    switch is closed, the timer is set to open the
    contacts in 10 min. If the mechanisms fail, then
    the alarm horn sounds and the operator opens the
    switch to prevent a tank rupture due to
    overfilling.

26
Figure: Schematic diagram for a pumping system (labels as extracted: Horn, Operator, Switch, Contacts, Power supply, Pump, Tank, Timer).
27
Example - The Fault Tree
  • A fault tree with the top event of tank rupture
    (at time t) is shown in the next page. This tree
    shows which guidelines are used to develop events
    in the tree. The operator in this example can be
    regarded as a system component, and the gate E
    is developed by using the guidelines of Fig.
    2.22. A primary operator failure means that the
    operator, functioning within the design envelope,
    fails to push the panic button when the alarm
    sounds. The secondary operator failure is, for
    example, that the operator has been killed by a fire when
    the alarm sounded. The command fault for the
    operator is that no alarm sounds.

28
29
Lambert, H. E., System Safety Analysis and Fault Tree Analysis, UCID-16238, 31, May 9, 1973
  • Expect no miracles: if the normal functioning of a component helps to propagate a fault sequence, it must be assumed that the component functions normally.
  • Write complete, detailed fault statements.
  • Avoid direct gate-to-gate relationships.
  • Think locally.
  • Always complete the inputs to the gate.
  • Include notes on the side of the fault tree to explain assumptions not explicit in the fault statements.
  • Repeat fault statements on both sides of the transfer symbols.
30
Boolean Algebra
  • AND: all the inputs are required to cause the
    output.
Figure: AND gate with output A and inputs B and C (symbol images omitted).
31
Boolean Algebra
  • Inclusive OR: any input or combination of inputs
    will cause the output.
Figure: OR gate with output A and inputs B and C (symbol images omitted).
32
Boolean Algebra
  • Exclusive OR: B or C but not both cause the
    output A.
Figure: EOR gate with output A and inputs B and C (symbol images omitted).
33
Boolean Algebra
Figure: EOR and OR gates compared, output A, input B (labels only; images omitted).
34
Boolean Algebra
Figure: A = B AND C AND D, redrawn as A = B AND (C AND D); a three-input AND gate equals nested two-input AND gates.
35
Boolean Algebra
Figure: A = B OR C OR D, redrawn as A = B OR (C OR D); a three-input OR gate equals nested two-input OR gates.
36
Boolean Algebra
Figure: A = B EOR C EOR D, redrawn as A = B EOR (C EOR D); the output occurs for ODD COMBINATIONS of the inputs.
37
Boolean Algebra
Figure: A = (B AND C) OR (B AND D), redrawn as A = B AND (C OR D) (distributive law).
38
Boolean Algebra
Figure: A = B OR L, where L has very low probability, simplifies to A ≈ B.
39
Boolean Algebra
Figure: an AND gate with an input L of very low probability; the output A is then also of very low probability (labels: A, AND, B, C, L).
40
Boolean Algebra
Figure: A = B OR (C AND L), where L has very low probability, simplifies to A ≈ B.
41
Boolean Algebra
Figure: A = B AND H, where H has very high probability, simplifies to A ≈ B.
42
Boolean Algebra
Figure: an OR gate with an input H of very high probability; the output A is then also of very high probability (labels: A, OR, B, C, H).
43
Boolean Algebra
Figure: A = B AND (C OR H), where H has very high probability, simplifies to A ≈ B.