ChE/MEE 124 (W2009) Handout #M3.4
An Example of a Fault Tree

Fault Tree Analysis (FTA) is a popular tool used by system engineers to improve the safety of systems. Fault trees are used to anticipate system failures, identify weak links, and balance costs against system safety.

Let's consider the pressure vessel in Figure 1. The safety system consists of 4 valves connected to the tank. The valves open if the pressure in the tank exceeds a certain level, say P0. The contents of the tank are released to the environment if both valves A1 and A2 on line (1) are open, or both valves A3 and A4 on line (2) are open.

Figure 1. Arrangement of pressure tank and valves: line (1) carries valves A1 and A2, line (2) carries valves A3 and A4; both valves on a line must be open for that line to relieve the tank.

a) What is the probability that the safety system fails to function when needed, i.e. the valves do not open when the pressure in the tank exceeds P0?

The first step is to define the Top Event. The Top Event in this case is that the safety system fails to release the contents of the tank when the pressure is more than P0.

The second step is to construct a logic diagram (the Fault Tree) showing the necessary conditions or events that must occur in order for the top event to occur. First, the Intermediate Events are identified and their logical relationships to the top-level event are determined. For the safety system of the pressure tank to fail, the following two events must occur simultaneously:

Line (1) fails to open
Line (2) fails to open

Note that the failure cannot occur if either one of these two events does not occur. This is known as an "AND" logical relationship in fault tree terminology. In an "AND" relationship, all input events must be satisfied concurrently for the higher-level event to occur.

Construction of the fault tree continues by identifying the appropriate events at lower levels and their logical relationship to the higher-level events. This process is continued until basic failure events are identified.
Basic failures are those which are not analyzed further. The basic failures (or root causes) are placed at the bottom of the tree. The basic failures we choose for the present case are:

Valve A1 fails to open
Valve A2 fails to open
Valve A3 fails to open
Valve A4 fails to open

Line (1) fails to open if valve A1 or valve A2 (or both) fails to open, because both valves must open for the line to relieve the tank. This is an "OR" logical relationship: the higher-level event occurs if any one of the input events occurs. The same holds for line (2) with valves A3 and A4. The fault tree is shown in Figure 2.

The objective of FTA is to compute the probability of the top event from the probabilities of the basic failures. The probability of the bottom events can be determined through direct experimentation, historical experience, or estimation. For example, from past data we know that the probability that a valve fails to open when the pressure is more than P0 is

p(A1 fails to open) = p(A2 fails to open) = p(A3 fails to open) = p(A4 fails to open) = 0.001.

Once the probabilities of the basic events are known, the fault tree is solved from the bottom up using Boolean logic and probability arithmetic. We assume for now that the basic failures are independent events.

The probability associated with an AND gate is easy to compute: multiply the probabilities of all input events. For an OR gate, the probability of the output event is approximated by adding the probabilities of all input events. This is the rare-event approximation; it neglects the intersection terms, which are of higher order and usually negligible when the input probabilities are small (for two independent inputs the exact value is p1 + p2 - p1 p2, so the sum slightly overestimates the true probability, which is on the conservative side for a fail-to-danger calculation). So the probability of the top event is

p(fail-to-danger) = (p(A1 fails to open) + p(A2 fails to open)) x (p(A3 fails to open) + p(A4 fails to open))
                  = (0.001 + 0.001) x (0.001 + 0.001) = 4 x 10^-6.

A complete fault tree analysis must take into account common-cause failures. Significant environmental events (e.g., earthquake, lightning strikes, terrorist attacks, etc.) may simultaneously cause failures of multiple components or subsystems; such events break the independence assumption used above, and the product computed here does not account for them.

Figure 2. Fault tree for the fail-to-danger mode. Top event: "The safety system fails to release the contents of the tank when the pressure is more than P0" = AND [ "(1) fails to open" = OR (A1 fails to open, A2 fails to open) ; "(2) fails to open" = OR (A3 fails to open, A4 fails to open) ].
b) What is the probability that the safety system releases the contents of the tank when the pressure is less than P0?

Here we consider the case that the valves open spuriously even when the pressure in the tank is less than P0. This is the fail-to-safe mode, i.e. the safety system acts spuriously under normal operating conditions. This is important because the contents of the tank will be released to the environment unnecessarily.

In the fail-to-safe mode we are concerned with the valves opening spuriously during a certain period of time. This is like a Poisson process: if a valve opens spuriously at a constant rate lambda, the probability that it opens at least once in a period T is 1 - exp(-lambda T), which is approximately lambda T when lambda T is small. For example, suppose the estimated rate of spurious opening of a valve under normal working conditions is 10^-4 per year. This data is usually provided by the manufacturer. Let us consider the probability of fail-to-safe over a period of 1 year (for example, this may be a maintenance interval). The probability that valve A1 opens spuriously during one year is then lambda T = 10^-4 x 1 = 10^-4 (the exact value 1 - exp(-10^-4) differs from this by less than 10^-8). The same holds for A2, A3 and A4.

Figure 3 shows the fault tree for the fail-to-safe mode. The logic is the mirror image of Figure 2: a line releases the contents only if both of its valves open, so each line is an AND of its two valves, and the tank is released if either line opens, so the top event is an OR of the two lines. The calculation of the probability of the top event is then trivial. The final result is

p(fail-to-safe) = p(A1 opens spuriously) x p(A2 opens spuriously) + p(A3 opens spuriously) x p(A4 opens spuriously)
                = 10^-4 x 10^-4 + 10^-4 x 10^-4 = 2 x 10^-8 over the one-year interval.

Figure 3. Fault tree for the fail-to-safe mode. Top event: "The safety system acts spuriously to release the contents of the tank when the pressure is less than P0" = OR [ "(1) opens spuriously" = AND (A1 opens spuriously, A2 opens spuriously) ; "(2) opens spuriously" = AND (A3 opens spuriously, A4 opens spuriously) ].
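The following Python program is an added worked example, not part of the handout. It evaluates both trees (the fail-to-danger tree of part (a) and the fail-to-safe tree of part (b)) bottom-up with the same AND/OR rules as above, side by side with the exact calculation for independent events so that the size of the rare-event approximation error is visible, and converts the manufacturer's spurious-opening rate into a one-year probability with the Poisson formula. It goes one step beyond the text with a crude common-cause treatment (a single event that defeats all four valves, OR-ed with the top event); the class and function names (Basic, Gate, prob, rate_to_probability, fail_to_danger_tree, fail_to_safe_tree, with_common_cause) and the common-cause probability value 1e-4 are this example's own assumptions, not from the handout.

```python
"""Bottom-up evaluation of the pressure-tank fault trees (Figures 2 and 3).

Added example; the tree layout and numbers follow the handout, the class and
function names are this example's own.
"""
from dataclasses import dataclass, field
from math import exp, prod


@dataclass
class Basic:
    """A basic (root-cause) event with its probability over the interval considered."""
    name: str
    p: float


@dataclass
class Gate:
    """An AND or OR gate whose inputs are basic events or other gates."""
    kind: str                       # "AND" or "OR"
    name: str
    inputs: list = field(default_factory=list)


def prob(node, exact=True):
    """Probability of `node`, assuming the basic events are independent.

    AND: product of the input probabilities.
    OR:  exact=True  -> 1 - prod(1 - p_i)
         exact=False -> sum(p_i), the rare-event approximation the handout uses.
         The sum drops the intersection terms, so it is an upper bound on the exact value.
    """
    if isinstance(node, Basic):
        return node.p
    ps = [prob(child, exact) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps) if exact else sum(ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rate_to_probability(rate_per_year, years):
    """Poisson process: P(at least one event in `years`) = 1 - exp(-rate * years)."""
    return 1.0 - exp(-rate_per_year * years)


def fail_to_danger_tree(p_fail_to_open=1e-3):
    """Figure 2: top = AND(line 1, line 2); a line fails if EITHER of its valves fails to open."""
    line1 = Gate("OR", "line (1) fails to open",
                 [Basic("A1 fails to open", p_fail_to_open), Basic("A2 fails to open", p_fail_to_open)])
    line2 = Gate("OR", "line (2) fails to open",
                 [Basic("A3 fails to open", p_fail_to_open), Basic("A4 fails to open", p_fail_to_open)])
    return Gate("AND", "safety system fails to release contents above P0", [line1, line2])


def fail_to_safe_tree(spurious_rate_per_year=1e-4, years=1.0):
    """Figure 3: top = OR(line 1, line 2); a line releases only if BOTH of its valves open spuriously."""
    p = rate_to_probability(spurious_rate_per_year, years)
    line1 = Gate("AND", "line (1) opens spuriously",
                 [Basic("A1 opens spuriously", p), Basic("A2 opens spuriously", p)])
    line2 = Gate("AND", "line (2) opens spuriously",
                 [Basic("A3 opens spuriously", p), Basic("A4 opens spuriously", p)])
    return Gate("OR", "safety system releases contents below P0", [line1, line2])


def with_common_cause(tree, p_common_cause):
    """Crude common-cause treatment (an assumption of this example, not from the handout):
    one event that defeats every valve at once is OR-ed with the original top event.
    In a real analysis its probability would come from a beta-factor or similar model."""
    return Gate("OR", tree.name + " (incl. common cause)",
                [tree, Basic("common-cause failure of all valves", p_common_cause)])


if __name__ == "__main__":
    for label, tree in [("fail-to-danger", fail_to_danger_tree()),
                        ("fail-to-safe (1 year)", fail_to_safe_tree())]:
        print(f"{label:24s} rare-event approx = {prob(tree, exact=False):.4e}"
              f"   exact (independent) = {prob(tree, exact=True):.4e}")
    # An assumed common-cause probability of 1e-4 swamps the 4e-6 obtained under independence.
    cc = with_common_cause(fail_to_danger_tree(), 1e-4)
    print(f"fail-to-danger with common cause = {prob(cc, exact=False):.4e}")
```

Running it reproduces 4 x 10^-6 for part (a) and about 2 x 10^-8 for part (b) with the handout's sum-of-probabilities OR rule, and shows that the exact independent value for part (a) is 3.996 x 10^-6, so the rare-event approximation overstates the failure probability by about 0.1 % here. The last line illustrates the point of the common-cause remark: a single shared failure mode of even modest probability dominates the product of four small independent ones.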