Guideline: Fault Tree Analysis
This guidance discusses how to best use Fault Tree Analysis.
Main Description
A Fault Tree Analysis (FTA) is used to model causal chains of events and conditions that can lead to hazards. Relevant questions on the effective use of FTA are:
  • What kinds of projects should use an FTA?
  • When in the workflows should I create and/or modify the FTA?
  • How should I structure my FTA?

What kinds of projects should use an FTA?

Safety-critical projects can benefit from fault tree analysis. These projects build systems whose correct or incorrect functioning can lead to an accident (e.g. injury or death) or a loss (e.g. financial).

When in the workflow should I create and/or modify the FTA?

For a safety-critical system, the FTA should be created early in requirements analysis to identify and clarify the hazards to which use of the system can lead. In design, control measures are added, resulting in updates to the FTAs. In addition, the selection of design solutions can itself introduce new hazards (e.g. use of electrical power can lead to a risk of electrocution that would not exist with a mechanical design), and these can be explored in the same way. The FTA evolves by adding AND-gated redundancy: not only must the fault condition occur, but the control measure must also fail before the hazard condition can be reached.

How should I structure my FTA?

The most common overall structure is to have several FTAs - one for each identified hazard you want to analyze. This may result in dozens of FTAs, each addressing a specific hazard.

The hazard typically appears at the top of the diagram. Below it are the normal and exceptional events and conditions, combined with logic gates, depicting the causal chain(s) that can lead to the hazard. The elements that can appear in an FTA are listed below:

Event and condition symbols:
  • An event that results from a combination of events through a logic gate.
  • A condition that must be present to produce the output of a gate.
  • A basic fault event that requires no further development.
  • An "undeveloped fault" event, not elaborated because the event is trivial or more decomposition is not necessary.
  • An event that is expected to occur normally.

Gate and connector symbols:
  • Transfer
  • AND Gate
  • NAND Gate
  • NOT Gate
  • OR Gate
  • NOR Gate
  • XOR Gate
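To make the causal-chain and control-measure points concrete, here is a small evaluator, added here and not part of the original guideline, that implements the gate types from the legend and enumerates the minimal combinations of basic events that reach the hazard at the top of the tree. The electrocution tree, its event names and the gfci_fails control measure are constructed for illustration; it shows the effect described under "When in the workflow": AND-ing a control measure into the tree turns every single-fault path into a two-event path.

```python
from itertools import product

# Tiny fault-tree evaluator, constructed as an added example (not part of the
# original guideline). A node is a basic event (a string) or a tuple
# (gate_name, [child nodes]) using the gate types from the legend above.
GATES = {
    "AND":  lambda v: all(v),
    "OR":   lambda v: any(v),
    "NAND": lambda v: not all(v),
    "NOR":  lambda v: not any(v),
    "XOR":  lambda v: sum(v) == 1,   # exactly one input occurs
    "NOT":  lambda v: not v[0],      # single input
}

def evaluate(node, state):
    """True if `node` occurs, given state = {basic event name: occurred?}."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    return GATES[gate]([evaluate(c, state) for c in children])

def basic_events(node):
    """All basic (leaf) events referenced anywhere under `node`."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))

def minimal_cut_sets(tree):
    """Smallest sets of basic events that together produce the top event.
    For AND/OR-only (coherent) trees these are the classic minimal cut sets."""
    events = sorted(basic_events(tree))
    candidates = sorted(
        (frozenset(e for e, b in zip(events, bits) if b)
         for bits in product([False, True], repeat=len(events))),
        key=len)
    found = []
    for s in candidates:
        if any(m <= s for m in found):
            continue                # a smaller cut set already covers this one
        if evaluate(tree, {e: e in s for e in events}):
            found.append(s)
    return sorted(sorted(s) for s in found)

# Constructed hazard: electrocution in an electrical design (hypothetical events).
FAULTS = ("OR", ["insulation_failure", "wiring_fault"])
before_control = FAULTS                              # any single fault suffices
after_control = ("AND", [FAULTS, "gfci_fails"])      # fault AND control-measure failure

if __name__ == "__main__":
    print(minimal_cut_sets(before_control))   # [['insulation_failure'], ['wiring_fault']]
    print(minimal_cut_sets(after_control))    # each path now needs gfci_fails as well
```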