Editing Fault tree analysis

{{short description|Failure analysis system used in safety engineering and reliability engineering}}[[Image:Fault tree.svg|thumb|A fault tree diagram]]

'''Fault tree analysis''' ('''FTA''') is a type of [[failure analysis]] in which an undesired state of a system is examined. This analysis method is mainly used in [[safety engineering]] and [[reliability engineering]] to understand how systems can fail, to identify the best ways to reduce risk and to determine (or get a feeling for) event rates of a safety accident or a particular system level (functional) failure. FTA is used in the [[aerospace]],<ref name="NASA SE Toolbox">{{cite book|last1=Goldberg|first1=B. E.|last2=Everhart|first2=K.|last3=Stevens|first3=R.|last4=Babbitt|first4=N.|last5=Clemens|first5=P.|last6=Stout|first6=L.|title=System engineering toolbox for design-oriented engineers|date=1994|location=Marshall Space Flight Center|pages=3–35 to 3–48|chapter-url=https://ntrs.nasa.gov/search.jsp?R=19950012517|language=en|chapter=3}}</ref> [[nuclear power]], [[Process manufacturing|chemical and process]],<ref>{{cite book
| last                  = Center for Chemical Process Safety
| title                 = Guidelines for Hazard Evaluation Procedures
| url                   = http://www.aiche.org/ccps/publications/books/guidelines-hazard-evaluation-procedures-3rd-edition
| edition               = 3rd
|date=April 2008
| publisher             = Wiley
| isbn                  = 978-0-471-97815-2
}}</ref><ref>{{cite book
| last                  = Center for Chemical Process Safety
| title                 = Guidelines for Chemical Process Quantitative Risk Analysis
| url                   = http://www.aiche.org/ccps/publications/books/guidelines-chemical-process-quantitative-risk-analysis-2nd-edition
| edition               = 2nd
|date=October 1999
| publisher             = American Institute of Chemical Engineers
| isbn                  = 978-0-8169-0720-5
}}</ref><ref>{{cite book
| last                  = U.S. Department of Labor Occupational Safety and Health Administration
| title                 = Process Safety Management Guidelines for Compliance
| url                   = https://www.osha.gov/Publications/osha3133.pdf
| year                  = 1994
| id                    = OSHA 3133
| publisher             = U.S. Government Printing Office}}</ref> [[Pharmaceutical drug|pharmaceutical]],<ref>ICH Harmonised Tripartite Guidelines. Quality Guidelines (January 2006). [http://www.ich.org/fileadmin/Public_Web_Site/ICH_Products/Guidelines/Quality/Q9/Step4/Q9_Guideline.pdf ''Q9 Quality Risk Management''].
</ref> [[petrochemical]] and other high-hazard industries; but is also used in fields as diverse as risk factor identification relating to [[social services|social service]] system failure.<ref>{{Cite journal
  | last = Lacey
  | first = Peter
  | title = An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery
  | journal = Proceedings of the 2nd International Conference on Public Policy and Social Sciences
  | year = 2011
  | ssrn = 2171117
  }}</ref> FTA is also used in software engineering for debugging purposes and is closely related to cause-elimination technique used to detect bugs.

In aerospace, the more general term "system failure condition" is used for the "undesired state" / top event of the fault tree. These conditions are classified by the severity of their effects. The most severe conditions require the most extensive fault tree analysis. These system failure conditions and their classification are often previously determined in the functional [[hazard analysis]].

== Usage ==
Fault tree analysis can be used to:<ref>{{Cite web |title=Fault Tree Explanation |url=https://ftvisualisations.wixsite.com/ftvisualisations/fault-tree-information |access-date=2024-05-31 |website=ftvisualisations |language=en}}</ref><ref>{{Cite web |title=Projects |url=https://ftvisualisations.wixsite.com/ftvisualisations/projects-1 |access-date=2024-05-31 |website=ftvisualisations |language=en}}</ref>

* understand the logic leading to the top event / undesired state.
* show compliance with the (input) system safety / reliability requirements.
* prioritize the contributors leading to the top event- creating the critical equipment/parts/events lists for different importance measures
* monitor and control the safety performance of the [[complex system]] (e.g., is a particular aircraft safe to fly when fuel valve ''x'' malfunctions? For how long is it allowed to fly with the valve malfunction?).
* minimize and optimize resources.
* assist in designing a system. The FTA can be used as a design tool that helps to create (output / lower level) requirements.
* function as a diagnostic tool to identify and correct causes of the top event. It can help with the creation of diagnostic manuals / processes.

==History==
{{Globalize|section|date=May 2022}}
Fault tree analysis (FTA) was originally developed in 1962 at [[Bell Labs|Bell Laboratories]] by H.A. Watson, under a [[United States Air Force|U.S. Air Force]] [[526th ICBM Systems Group|Ballistics Systems Division]] contract to evaluate the [[LGM-30 Minuteman|Minuteman I]] [[Intercontinental Ballistic Missile]] (ICBM) Launch Control System.<ref>{{Cite journal
 |last=Ericson 
 |first=Clifton 
 |title=Fault Tree Analysis - A History 
 |journal=Proceedings of the 17th International Systems Safety Conference 
 |year=1999 
 |url=http://www.fault-tree.net/papers/ericson-fta-history.pdf 
 |access-date=2010-01-17 
 |url-status=dead 
 |archive-url=https://web.archive.org/web/20110723124816/http://www.fault-tree.net/papers/ericson-fta-history.pdf 
 |archive-date=2011-07-23 
}}</ref><ref>{{Cite journal
  | last = Rechard
  | first = Robert P.
  | title = Historical Relationship Between Performance Assessment for Radioactive Waste Disposal and Other Types of Risk Assessment in the United States
  | format = pdf
  | journal = Risk Analysis
  | volume = 19
  | issue = 5
  | pages = 763–807
  | year = 1999
  | url = http://www.osti.gov/bridge/servlets/purl/759847-JsFRIG/webviewable/
  | doi = 10.1023/A:1007058325258
  | pmid = 10765434
 | s2cid = 704496
 | id = SAND99-1147J
  | access-date = 2010-01-22
| url-access = subscription
  }}</ref><ref>{{Cite journal
  | last = Winter
  | first = Mathias
  | title = Software Fault Tree Analysis of an Automated Control System Device Written in ADA
  | format = pdf
  | journal = Master's Thesis
  | year = 1995
  | url = http://handle.dtic.mil/100.2/ADA303377
  | archive-url = https://web.archive.org/web/20120515221443/http://handle.dtic.mil/100.2/ADA303377
  | url-status = dead
  | archive-date = May 15, 2012
  | id = ADA303377
  | access-date = 2010-01-17
}}</ref><ref>{{Cite journal
  | last = Benner
  | first = Ludwig
  | title = Accident Theory and Accident Investigation
  | journal = Proceedings of the Society of Air Safety Investigators Annual Seminar
  | year = 1975
  | url = https://www.iprr.org/papers/75iasiatheory.html
  | archive-url = https://web.archive.org/web/20010306205651/http://www.iprr.org/Papers/75iasiatheory.html
  | url-status = usurped
  | archive-date = March 6, 2001
  | access-date = 2010-01-17
}}</ref> The use of fault trees has since gained widespread support and is often used as a failure analysis tool by reliability experts.<ref>{{cite journal|author1=Martensen, Anna L. |author2=Butler, Ricky W. |title=The Fault-Tree Compiler|url=https://ntrs.nasa.gov/search.jsp?R=19870011332|journal=Langely Research Center|date=January 1987 |publisher=NTRS|access-date=June 17, 2011}}</ref> Following the first published use of FTA in the 1962 Minuteman I Launch Control Safety Study, [[Boeing]] and [[Avco|AVCO]] expanded use of FTA to the entire Minuteman II system in 1963–1964. FTA received extensive coverage at a 1965 [[System Safety]] Symposium in [[Seattle]] sponsored by Boeing and the [[University of Washington]].<ref>{{Cite journal
  | last = DeLong
  | first = Thomas
  | title = A Fault Tree Manual
  | journal = Master's Thesis
  | format = pdf
  | year = 1970
  | url = http://www.dtic.mil/get-tr-doc/pdf?AD=AD0739001
  | archive-url = https://web.archive.org/web/20160304031008/http://www.dtic.mil/get-tr-doc/pdf?AD=AD0739001
  | url-status = dead
  | archive-date = March 4, 2016
  | id = AD739001
  | access-date = 2014-05-18
}}</ref> Boeing began using FTA for [[civil aviation|civil aircraft]] design around 1966.<ref>{{Cite book
  | last = Eckberg
  | first = C. R.
  | title = WS-133B Fault Tree Analysis Program Plan
  | issue = Rev B
  | publisher = The Boeing Company
  | location = Seattle, WA
  | year = 1964
  | url = http://www.dtic.mil/get-tr-doc/pdf?AD=AD0299561
  | archive-url = https://web.archive.org/web/20160303225811/http://www.dtic.mil/get-tr-doc/pdf?AD=AD0299561
  | url-status = dead
  | archive-date = March 3, 2016
  | id = D2-30207-1
  | access-date = 2014-05-18
}}</ref><ref>{{Cite book
  | last = Hixenbaugh
  | first = A. F. 
  | title = Fault Tree for Safety
  | publisher = The Boeing Company
  | location = Seattle, WA
  | year = 1968
  | url = http://www.dtic.mil/get-tr-doc/pdf?AD=AD0847015
  | archive-url = https://web.archive.org/web/20160303224602/http://www.dtic.mil/get-tr-doc/pdf?AD=AD0847015
  | url-status = dead
  | archive-date = March 3, 2016
  | id = D6-53604   
  | access-date = 2014-05-18
}}</ref>

Subsequently, within the U.S. military, application of FTA for use with fuses was explored by [[Picatinny Arsenal]] in the 1960s and 1970s.<ref>{{cite book|last=Larsen|first=Waldemar|title=Fault Tree Analysis|date=January 1974|publisher=Picatinny Arsenal|url=http://www.dtic.mil/get-tr-doc/pdf?AD=AD0774843|archive-url=https://web.archive.org/web/20140518022301/http://www.dtic.mil/get-tr-doc/pdf?AD=AD0774843|url-status=dead|archive-date=May 18, 2014|access-date=2014-05-17|id=Technical Report 4556}}</ref> In 1976 the [[United States Army Materiel Command|U.S. Army Materiel Command]] incorporated FTA into an Engineering Design Handbook on Design for Reliability.<ref>{{cite book|last=Evans|first=Ralph A.|title=Engineering Design Handbook Design for Reliability|date=January 5, 1976|publisher=US Army Materiel Command| url=http://apps.dtic.mil/dtic/tr/fulltext/u2/a027370.pdf| archive-url=https://web.archive.org/web/20140518022549/http://www.dtic.mil/dtic/tr/fulltext/u2/a027370.pdf| url-status=live| archive-date=May 18, 2014|access-date=2014-05-17|id=AMCP-706-196}}</ref> The Reliability Analysis Center at [[Rome Laboratory]] and its successor organizations now with the [[Defense Technical Information Center]] (Reliability Information Analysis Center, and now Defense Systems Information Analysis Center<ref>{{Cite web |title=DSIAC – Defense Systems Information Analysis Center |url=https://dsiac.org/ |access-date=2023-03-25 |language=en-US}}</ref>) has published documents on FTA and reliability block diagrams since the 1960s.<ref>{{Cite book
  | last1 = Begley
  | first1 = T. F.
  | last2 = Cummings
| title = Fault Tree for Safety
  | publisher = RAC
  | year = 1968
  | id = ADD874448   <!-- | access-date = 2010-01-17 -->
}}</ref><ref>{{cite book|last=Anderson|first=R. T.|title=Reliability Design Handbook|date=March 1976|publisher=Reliability Analysis Center|url=https://apps.dtic.mil/sti/pdfs/ADA024601.pdf|archive-url=https://web.archive.org/web/20140518020425/http://www.dtic.mil/get-tr-doc/pdf?AD=ADA024601|url-status=live|archive-date=May 18, 2014|access-date=2014-05-17|id=RDH 376}}</ref><ref>{{cite book|last=Mahar|first=David J.|title=Fault Tree Analysis Application Guide|date=1990|publisher=Reliability Analysis Center|author2=James W. Wilbur }}</ref> MIL-HDBK-338B provides a more recent reference.<ref>{{cite book 
 |       title = Electronic Reliability Design Handbook
 |     section = 7.9 Fault Tree Analysis
 |     version = B
 |   publisher = [[United States Department of Defense|U.S. Department of Defense]]
 |        year = 1998
 |         url = http://www.everyspec.com/MIL-HDBK/MIL-HDBK-0300-0499/MIL-HDBK-338B_15041/
 |      format = pdf
 |          id = MIL&ndash;HDBK&ndash;338B
 |  access-date = 2010-01-17
 }}
</ref>

In 1970, the [[FAA|U.S. Federal Aviation Administration]] (FAA) published a change to 14 [[Code of Federal Regulations|CFR]] 25.1309 [[airworthiness]] regulations for [[transport category]] [[aircraft]] in the [[Federal Register]] at 35 FR 5665 (1970-04-08). This change adopted failure probability criteria for [[aircraft systems]] and equipment and led to widespread use of FTA in civil aviation. In 1998, the FAA published Order 8040.4,<ref>{{cite book|last=ASY-300|title=Safety Risk Management|date=June 26, 1998|publisher=Federal Aviation Administration|url=http://www.faa.gov/documentLibrary/media/directives/ND/ND8040-4.pdf|id=8040.4}}</ref> establishing risk management policy including hazard analysis in a range of critical activities beyond aircraft certification, including [[air traffic control]] and modernization of the U.S. [[National Airspace System]]. This led to the publication of the FAA System Safety Handbook, which describes the use of FTA in various types of formal hazard analysis.<ref>{{cite book|last=FAA|title=System Safety Handbook|date=December 30, 2000|publisher=Federal Aviation Administration|url=http://www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/}}</ref>

Early in the [[Apollo project|Apollo program]] the question was asked about the probability of successfully sending astronauts to the moon and returning them safely to Earth. A risk, or reliability, calculation of some sort was performed and the result was a mission success probability that was unacceptably low. This result discouraged NASA from further quantitative risk or reliability analysis until after the ''Challenger'' accident in 1986. Instead, NASA decided to rely on the use of [[Failure mode and effects analysis|failure modes and effects analysis (FMEA)]] and other qualitative methods for system safety assessments. After the ''Challenger'' accident, the importance of [[probabilistic risk assessment]] (PRA) and FTA in systems risk and reliability analysis was realized and its use at NASA has begun to grow and now FTA is considered as one of the most important system reliability and safety analysis techniques.<ref name=fthbaa>{{cite book 
 |        last = Vesely
 |       first = William
 |       title = Fault Tree Handbook with Aerospace Applications
 |   publisher = [[NASA|National Aeronautics and Space Administration]]
 |        year = 2002
 |         url = https://elibrary.gsfc.nasa.gov/_assets/doclibBidder/tech_docs/25.%20NASA_Fault_Tree_Handbook_with_Aerospace_Applications%20-%20Copy.pdf
 |         archive-url = https://web.archive.org/web/20161228133244/https://elibrary.gsfc.nasa.gov/_assets/doclibBidder/tech_docs/25.%20NASA_Fault_Tree_Handbook_with_Aerospace_Applications%20-%20Copy.pdf
 |         url-status = dead
 |         archive-date = 2016-12-28
 |  access-date = 2018-07-16
 |display-authors=etal}} {{PD-notice}}</ref>

Within the nuclear power industry, the [[Nuclear Regulatory Commission|U.S. Nuclear Regulatory Commission]] began using PRA methods including FTA in 1975, and significantly expanded PRA research following the 1979 incident at [[Three Mile Island accident|Three Mile Island]].<ref>{{Cite book
  | last = Acharya
  | first = Sarbes
  | title = Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants
  | publisher = U.S. [[Nuclear Regulatory Commission]]
  | location = Wasthington, DC
  | year = 1990
  | url = https://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1150/v1/sr1150v1-intro-and-part-1.pdf
  | id = NUREG&ndash;1150
  | access-date = 2010-01-17
|display-authors=etal}}</ref> This eventually led to the 1981 publication of the NRC Fault Tree Handbook NUREG&ndash;0492,<ref>{{cite book 
 |        last = Vesely
 |       first = W. E.
 |       title = Fault Tree Handbook
 |   publisher = [[Nuclear Regulatory Commission]]
 |        year = 1981
 |         url = https://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0492/sr0492.pdf
 |          id = NUREG&ndash;0492
 |  access-date = 2010-01-17
 |display-authors=etal}}
</ref> and mandatory use of PRA under the NRC's regulatory authority.

Following process industry disasters such as the 1984 [[Bhopal disaster]] and 1988 [[Piper Alpha]] explosion, in 1992 the [[United States Department of Labor]] [[Occupational Safety and Health Administration]] (OSHA) published in the Federal Register at 57 FR 6356 (1992-02-24) its [[Process Safety Management]] (PSM) standard in 19 CFR 1910.119.<ref>{{Citation
 | last = Elke
 | first = Holly C.
 | title = Global Application of the Process Safety Management Standard
  | url = http://www.asse.org/assets/1/7/Holly_Elke_Article.pdf
}}</ref> OSHA PSM recognizes FTA as an acceptable method for [[process hazard analysis]] (PHA).

Today FTA is widely used in [[system safety]] and [[reliability engineering]], and in all major fields of engineering.

==Methodology==
FTA [[methodology]] is described in several industry and government standards, including NRC NUREG&ndash;0492 for the nuclear power industry, an aerospace-oriented revision to NUREG&ndash;0492 for use by [[NASA]],<ref name=fthbaa /> [[Society of Automotive Engineers|SAE]] [[ARP4761]] for civil aerospace, MIL&ndash;HDBK&ndash;338 for military systems, [[International Electrotechnical Commission|IEC]] standard IEC&nbsp;61025<ref>{{cite book 
 |       title = Fault Tree Analysis
 |     version = Edition 2.0
 |   publisher = [[International Electrotechnical Commission]]
 |        year = 2006
 |          id = IEC&nbsp;61025
 |        isbn = 978-2-8318-8918-4
 }}
</ref> is intended for cross-industry use and has been adopted as European Norm EN&nbsp;61025.

Any sufficiently complex system is subject to failure as a result of one or more subsystems failing.  The likelihood of failure, however, can often be reduced through improved system design. Fault tree analysis maps the relationship between faults, subsystems, and redundant safety design elements by creating a logic diagram of the overall system.

The undesired outcome is taken as the root ('top event') of a tree of logic. For instance, the undesired outcome of a metal stamping press operation being considered might be a human appendage being stamped.  Working backward from this top event it might be determined that there are two ways this could happen: during normal operation or during maintenance operation. This condition is a logical OR. Considering the branch of the hazard occurring during normal operation, perhaps it is determined that there are two ways this could happen: the press cycles and harms the operator, or the press cycles and harms another person. This is another logical OR.  A design improvement can be made by requiring the operator to press two separate buttons to cycle the machine—this is a safety feature in the form of a logical AND. The button may have an intrinsic failure rate—this becomes a fault stimulus that can be analyzed.  

When fault trees are labeled with actual numbers for failure probabilities, [[computer programs]] can calculate failure probabilities from fault trees. When a specific event is found to have more than one effect event, i.e. it has impact on several subsystems, it is called a common cause or common mode. Graphically speaking, it means this event will appear at several locations in the tree. Common causes introduce dependency relations between events. The probability computations of a tree which contains some common causes are much more complicated than regular trees where all events are considered as independent. Not all software tools available on the market provide such capability.

The tree is usually written out using conventional [[logic gate]] symbols. A cut set is a combination of events, typically component failures, causing the top event. If no event can be removed from a cut set without failing to cause the top event, then it is called a minimal cut set.

Some industries use both fault trees and [[event tree]]s (see [[Probabilistic Risk Assessment]]). An event tree starts from an undesired initiator (loss of critical supply, component failure etc.) and follows possible further system events through to a series of final consequences. As each new event is considered, a new node on the tree is added with a split of probabilities of taking either branch. The probabilities of a range of 'top events' arising from the initial event can then be seen.

Classic programs include the [[Electric Power Research Institute]]'s (EPRI) CAFTA software, which is used by many of the US nuclear power plants and by a majority of US and international aerospace manufacturers, and the [[Idaho National Laboratory]]'s [[SAPHIRE]], which is used by the U.S. Government to evaluate the safety and [[Reliability engineering|reliability]] of [[nuclear reactor]]s, the [[Space Shuttle]], and the [[International Space Station]]. Outside the US, the software [http://www.RiskSpectrum.com RiskSpectrum] is a popular tool for fault tree and event tree analysis, and is licensed for use at more than 60% of the world's nuclear power plants for probabilistic safety assessment. Professional-grade [[free software]] is also widely available; SCRAM<ref>{{cite web |url=https://scram-pra.org/ |title=SCRAM 0.11.4 — SCRAM 0.11.4 documentation |website=scram-pra.org |access-date=13 January 2022 |archive-url=https://web.archive.org/web/20161123011255/https://scram-pra.org/ |archive-date=23 November 2016 |url-status=dead}}</ref> is an open-source tool that implements the Open-PSA Model Exchange Format<ref>{{Cite web|url=https://open-psa.github.io/mef/|title=The Open-PSA Model Exchange Format — The Open-PSA Model Exchange Format 2.0|website=open-psa.github.io}}</ref> open standard for probabilistic safety assessment applications.

==Graphic symbols==
The basic symbols used in FTA are grouped as events, gates, and transfer symbols. Minor variations may be used in FTA software.

===Event symbols===
Event symbols are used for ''primary events'' and ''intermediate events''. Primary events are not further developed on the fault tree. Intermediate events are found at the output of a gate. The event symbols are shown below:
<gallery>
File:FTA_basic_event.jpg|Basic event
File:FTA_initiating_event.jpg|External event
File:FTA_undeveloped_event.jpg|Undeveloped event
File:FTA_conditioning_event.jpg|Conditioning event
File:FTA_intermediate_event.jpg|Intermediate event
</gallery>
The primary event symbols are typically used as follows:
* '''Basic event'''{{snd}}failure or error in a system component or element (example: switch stuck in open position)
* '''External event'''{{snd}}normally expected to occur (not of itself a fault)
* '''Undeveloped event'''{{snd}}an event about which insufficient information is available, or which is of no consequence
* '''Conditioning event'''{{snd}}conditions that restrict or affect logic gates (example: mode of operation in effect)
An intermediate event gate can be used immediately above a primary event to provide more room to type the event description.

FTA is a top-to-bottom approach.

===Gate symbols===
Gate symbols describe the relationship between input and output events. The symbols are derived from Boolean logic symbols:
<gallery>
File:FTA_OR_gate.jpg|OR gate
File:FTA_AND_gate.jpg|AND gate
File:FTA_XOR_gate.jpg|Exclusive OR gate
File:FTA_priority_AND_gate.jpg|Priority AND gate
File:FTA_inhibit_gate.jpg|Inhibit gate
</gallery>

The gates work as follows:
* '''OR gate'''{{snd}}the output occurs if any input occurs.
* '''AND gate'''{{snd}}the output occurs only if all inputs occur (inputs are independent from the source).
* '''Exclusive OR gate'''{{snd}}the output occurs if exactly one input occurs.
* '''Priority AND gate'''{{snd}}the output occurs if the inputs occur in a specific sequence specified by a conditioning event.
* '''Inhibit gate'''{{snd}}the output occurs if the input occurs under an enabling condition specified by a conditioning event.

===Transfer symbols===
Transfer symbols are used to connect the inputs and outputs of related fault trees, such as the fault tree of a subsystem to its system. NASA prepared a complete document about FTA through practical incidents.<ref name=fthbaa />
<gallery>
File:FTA_transfer_in.jpg|Transfer in
File:FTA_transfer_out.jpg|Transfer out
</gallery>

==Basic mathematical foundation==
Events in a fault tree are associated with [[Statistics|statistical]] [[probability theory|probabilities]] or Poisson-Exponentially distributed constant rates. For example, component failures may typically occur at some constant [[failure rate]] λ (a constant hazard function). In this simplest case, failure probability depends on the rate λ and the exposure time t:

<math> P = 1 - e^{- \lambda t} </math>

where:

<math> P \approx \lambda t </math> if <math> \lambda t < 0.001 </math>

A fault tree is often normalized to a given time interval, such as a flight hour or an average mission time. Event probabilities depend on the relationship of the event hazard function to this interval.

Unlike conventional [[logic gate]] diagrams in which inputs and outputs hold the [[Binary numeral system|binary]] values of TRUE (1) or FALSE (0), the gates in a fault tree output probabilities related to the [[Algebra of sets|set operations]] of [[Boolean logic]]. The probability of a gate's output event depends on the input event probabilities.

An AND gate represents a combination of [[independence (probability theory)|independent]] events. That is, the probability of any input event to an AND gate is unaffected by any other input event to the same gate. In [[set theory|set theoretic]] terms, this is equivalent to the intersection of the input event sets, and the probability of the AND gate output is given by:
:P (A and B) = P (A ∩ B) = P(A) P(B)

An OR gate, on the other hand, corresponds to set union:
:P (A or B) = P (A ∪ B) = P(A) + P(B) - P (A ∩ B)

Since failure probabilities on fault trees tend to be small (less than .01), P (A ∩ B) usually becomes a very small error term, and the output of an OR gate may be conservatively approximated by using an assumption that the inputs are [[mutually exclusive events]]:
:P (A or B) ≈ P(A) + P(B), P (A ∩ B) ≈ 0

An exclusive OR gate with two inputs represents the probability that one or the other input, but not both, occurs:
:P (A xor B) = P(A) + P(B) - 2P (A ∩ B)

Again, since P (A ∩ B) usually becomes a very small error term, the exclusive OR gate has limited value in a fault tree.

Quite often, Poisson-Exponentially distributed rates<ref>Olofsson and Andersson, Probability, Statistics and Stochastic Processes,  John Wiley and Sons, 2011.</ref> are used to quantify a fault tree instead of probabilities. Rates are often modeled as constant in time while probability is a function of time. Poisson-Exponential events are modelled as infinitely short so no two events can overlap. An OR gate is the superposition (addition of rates) of the two input failure frequencies or failure rates which are modeled as [[Poisson point process]]es. The output of an AND gate is calculated using the unavailability (Q<sub>1</sub>) of one event thinning the Poisson point process of the other event (λ<sub>2</sub>). The unavailability (Q<sub>2</sub>) of the other event then thins the Poisson point process of the first event (λ<sub>1</sub>). The two resulting Poisson point processes are superimposed according to the following equations.

The output of an AND gate is the combination of independent input events 1 and 2 to the AND gate:
:Failure Frequency = λ<sub>1</sub>Q<sub>2</sub> + λ<sub>2</sub>Q<sub>1</sub>   where Q = 1 - e<sup>-λt</sup> ≈ λt  if λt < 0.001
:Failure Frequency ≈ λ<sub>1</sub>λ<sub>2</sub>t<sub>2</sub> + λ<sub>2</sub>λ<sub>1</sub>t<sub>1</sub>   if   λ<sub>1</sub>t<sub>1</sub> < 0.001 and λ<sub>2</sub>t<sub>2</sub> < 0.001

In a fault tree, unavailability (Q) may be defined as the unavailability of safe operation and may not refer to the unavailability of the system operation depending on how the fault tree was structured. The input terms to the fault tree must be carefully defined.

==Analysis==
Many different approaches can be used to model a FTA, but the most common and popular way can be summarized in a few steps. A single fault tree is used to analyze one and only one undesired event, which may be subsequently fed into another fault tree as a basic event. Though the nature of the undesired event may vary dramatically, a FTA follows the same procedure for any undesired event; be it a delay of 0.25&nbsp;ms for the generation of electrical power, an undetected cargo bay fire, or the random, unintended launch of an [[ICBM]].

FTA analysis involves five steps:
# Define the undesired event to study.
#* Definition of the undesired event can be very hard to uncover, although some of the events are very easy and obvious to observe. An engineer with a wide knowledge of the design of the system is the best person to help define and number the undesired events. Undesired events are used then to make FTAs. Each FTA is limited to one undesired event.
# Obtain an understanding of the system.
#* Once the undesired event is selected, all causes with probabilities of affecting the undesired event of 0 or more are studied and analyzed. Getting exact numbers for the probabilities leading to the event is usually impossible for the reason that it may be very costly and time-consuming to do so. Computer software is used to study probabilities; this may lead to less costly system analysis.<br /> System analysts can help with understanding the overall system. System designers have full knowledge of the system and this knowledge is very important for not missing any cause affecting the undesired event. For the selected event all causes are then numbered and sequenced in the order of occurrence and then are used for the next step which is drawing or constructing the fault tree. <!-- These two paragraphs could do with some copyediting to trim them down. -->
# Construct the fault tree.
#* After selecting the undesired event and having analyzed the system so that we know all the causing effects (and if possible their probabilities) we can now construct the fault tree. Fault tree is based on AND and OR gates which define the major characteristics of the fault tree.
# Evaluate the fault tree.
#* After the fault tree has been assembled for a specific undesired event, it is evaluated and analyzed for any possible improvement or in other words study the risk management and find ways for system improvement. A wide range of qualitative and quantitative analysis methods can be applied.<ref>{{Cite journal
  |last1= Ruijters
  |first1= Enno
  |last2= Stoelinga
  |first2= Mariëlle I. A.
  |date= February–May 2015
  |title= Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools
  |journal= Computer Science Review
  |volume= 15–16
  |pages= 29–62
  |doi= 10.1016/j.cosrev.2015.03.001
|url= https://research.utwente.nl/en/publications/fault-tree-analysis-a-survey-of-the-stateoftheart-in-modeling-analysis-and-tools(88c7ba34-fe51-4f9d-b2f3-cb04aeffaa6e).html
 }}</ref> This step is as an introduction for the final step which will be to control the hazards identified. In short, in this step we identify all possible hazards affecting the system in a direct or indirect way.
# Control the hazards identified.
#* This step is very specific and differs largely from one system to another, but the main point will always be that after identifying the hazards all possible methods are pursued to decrease the probability of occurrence.

==Comparison with other analytical methods==
FTA is a [[Deductive reasoning|deductive]], top-down method aimed at analyzing the effects of initiating faults and events on a complex system. This contrasts with [[failure mode and effects analysis]] (FMEA), which is an [[Inductive reasoning|inductive]], bottom-up analysis method aimed at analyzing the effects of single component or function failures on equipment or subsystems. FTA is very good at showing how resistant a system is to single or multiple initiating faults. It is not good at finding all possible initiating faults. FMEA is good at exhaustively cataloging initiating faults, and identifying their local effects. It is not good at examining multiple failures or their effects at a system level. FTA considers external events, FMEA does not.<ref>{{Citation
 |last        = Long
 |first       = Allen
 |title       = Beauty & the Beast &ndash; Use and Abuse of Fault Tree as a Tool
 |url         = http://www.fault-tree.net/papers/long-beauty-and-beast.pdf
 |publisher   = fault-tree.net
 |access-date  = 16 January 2010
 |url-status     = dead
 |archive-url  = https://web.archive.org/web/20090419200036/http://www.fault-tree.net/papers/long-beauty-and-beast.pdf
 |archive-date = 19 April 2009
}}
</ref> In civil aerospace the usual practice is to perform both FTA and FMEA, with a [[Failure mode and effects analysis|failure mode effects summary]] (FMES) as the interface between FMEA and FTA.

Alternatives to FTA include [[Reliability block diagram|dependence diagram]] (DD), also known as [[reliability block diagram]] (RBD) and [[Markov analysis]]. A dependence diagram is equivalent to a success tree analysis (STA), the logical inverse of an FTA, and depicts the system using paths instead of gates. DD and STA produce probability of success (i.e., avoiding a top event) rather than probability of a top event.

==See also==
{{Commons category|Fault tree diagrams}}
* [[Event tree analysis]]
* [[Failure mode and effects analysis]]
* [[Ishikawa diagram]]
* [[Reliability engineering]]
* [[Root cause analysis]]
* [[Safety engineering]]
* [[System safety]]
* [[Why-because analysis]]

== References ==
{{Reflist|2}}

{{DEFAULTSORT:Fault Tree Analysis}}
[[Category:Quality]]
[[Category:Process safety]]
[[Category:Reliability engineering]]
[[Category:Risk analysis methodologies]]
[[Category:Safety engineering]]