
VDA_04-2-1_en Fault Tree Analysis-(2012-09-14_3)


We would like to thank all the companies and their staff who have contributed to this workgroup:

AUDI AG, Ingolstadt

BMW AG, Munich

Robert Bosch GmbH, Stuttgart

Continental AG, Hannover

DGQ (Deutsche Gesellschaft für Qualität), Frankfurt

Fichtel & Sachs AG, Schweinfurt

Ford-Werke AG, Cologne

GETRAG Getriebe- und Zahnradfabrik Hermann Hagenmeyer GmbH & Cie, Ludwigsburg

Kolbenschmidt AG, Neckarsulm

Mercedes Benz AG, Stuttgart

Adam Opel AG, Rüsselsheim

Dr. Ing. h. c. F. Porsche AG, Stuttgart

Siemens AG, Regensburg

Steyr-Daimler-Puch AG, Steyr

ITT Automotive Europe GmbH, Bietigheim

VDO Adolf Schindling AG, Babenhausen

Wabco Fahrzeugbremsen, Hannover

Volkswagen AG, Wolfsburg

Zahnradfabrik Friedrichshafen AG, Friedrichshafen

We would also like to thank all those who have provided us with improvement suggestions.

Frankfurt/Main, May 1996

VERBAND DER AUTOMOBILINDUSTRIE E. V. (VDA) VDA-Volume 4: Fault Tree Analysis 1

Contents (Page)

1 Fault Tree Analysis (FTA) 3

1.1 Introduction 3

1.2 Purpose 6

1.3 Terms 6

1.4 Description of the Methods 8

1.5 Drawing up a Fault Tree 11

1.6 Evaluation of the Fault Tree 20

1.6.1 Qualitative Evaluation 20

1.6.2 Quantitative Evaluation 21

1.7 Stipulating the need for action and choice of actions 22

1.8 Procedure (Example) 23


1 Fault Tree Analysis (FTA)

1.1 Introduction

Risk analyses are primarily used for timely detection and correction of weak points and for comparing alternative systems. The aim of this procedure is to determine the probability of the occurrence of system failures and to demonstrate their possible consequences, which are considered in the evaluation of damage or an accident sequence when there is a system failure (the so-called top event). The risk is consequently a function of both the probability and the consequences that would result. For this reason, two quantities are always of interest in risk analysis:

- the frequency of occurrence and

- the consequences of a system failure.

Figure 1 shows the breakdown of the most common technical risk analyses.

Figure 1 The most common technical risk analyses


The first safety/risk analyses (USA 150) were limited to an examination of the different types of failures (failure modes) of a system's components/assemblies and the consequences (failure effects) of each of the failure modes. To evaluate the effects and probabilities of occurrence for failures, four classes were heuristically formed:

Failure effect (four classes):

- No effect

- Insignificant effects

- Critical effects

- Catastrophic effects

Failure occurrence probability (four classes):

- Very improbable (1 event / 10^7 operating hours)

- Improbable (1 event / 10^5 to 10^7 operating hours)

- Reasonably probable (1 event / 10^4 to 10^5 operating hours)

- Probable (1 event / 10^4 operating hours)

After only a short time, however, it became evident that - as the devices and systems became more complex - an analysis based exclusively on failure modes and on the consequences of a failure was difficult to carry out and proved unsuitable for a quantitative reliability analysis. Working from knowledge gained from reliability theory and Boolean algebra, engineers at Bell Telephone Laboratories (H. Watson, 1961) were able to represent the incorrect behavior of control systems in a Boolean model with logic symbols. This marked the birth of fault tree analysis. Especially during the last 10 years, FTA has undergone constant refinement and is currently probably the most widespread analysis method for the safety and reliability evaluation of large complex systems.


1.2 Purpose

Using fault tree analysis, the logical connections between component or partial system failures that lead to a top event are determined and displayed in graph form. The purpose of the analysis is to uncover not only the failure causes, but also their functional correlations.

In fault tree analysis, it is possible to

- identify all possible failures and failure combinations and their causes that lead to a top event,

- display particularly critical events or event combinations (such as incorrect functions that lead to the top event),

- calculate reliability quantities, such as occurrence probabilities for the top event or system availability, when requested,

- attain objective evaluation criteria for system concepts and

- obtain clear and easily understood documentation of the failure mechanisms and their functional correlations.

Fault tree analysis is a method that can be applied in a very universal manner. It can be used both for prevention as well as for determining the causes of problems that have already occurred.

1.3 Terms

(Excerpt from DIN 25424)

Observation unit

This refers to the object of an observation, which the observer determines in each case according to functional and design considerations, depending on the type and scope. For example, observation units are systems, components and functional elements.


System

A system is a combination of technical-organizational means for autonomous compliance with a task complex. A distinction must be made between a technical system (hardware structure) and a functional system. One or more functional systems exist, depending on the different functions of a technical system.

Component

A component is the lowest level observation unit in a technical system. One or more functional elements are assigned to each component.

Functional element

A functional element is the lowest observation unit in a functional system. It is permitted to describe only an elementary function, such as switching, turning, blocking, etc.

Failure (breakdown)

The failure of a technical observation unit occurs when this technical observation unit's permissible deviation from a performance goal is exceeded. In the functional system, such a failure represents a loss of functional elements, which is described in the FTA as a failure of the functional element.

Nonconformity

An inadmissible deviation in a characteristic.

Failure mode (breakdown mode)

The different possibilities for the failure of a component are called failure modes.


Top event (unwanted event)

The top event (fault tree exit) is the failure of the examined functional system. This can be caused by different failure combinations.

Failure combinations

A failure combination is the simultaneous presence of functional element failures that lead to the top event. The smallest failure combinations are combinations of failures that contain exactly as many failures as are needed at a minimum to generate the top event.

1.4 Description of the methods

In addition to depicting the functional system structure, the developed model also makes it possible to qualitatively specify the system failure behavior that is to be expected. The structural and methodical modeling is done using Boolean algebra. FTA can basically be divided into three groups, according to the scope of the work:

- Depiction of the cause-effect structure

- Determination of the reliability parameters for the basic events

- Calculation of reliability parameters.

The starting point is a system that comprises n components that can take on exactly one of two states (intact/defective). The system can also be in one of these two states. Each node (component/system state) can be in exactly one of the two states. For each node, there is a function that specifies the dependence on the states of the predecessors. The states of all nodes without predecessors are described as independent variables in a fault tree (Figure 2). This lowest level is also described as the basic event or fault tree leaf.


Figure 2 Node without predecessor (basic event with output O)

The components correspond to the nodes without predecessors (fault tree leaves), while the system state is depicted by a node without successor (top event) (Figure 3).

Figure 3 Node without successor (top event with input I)

The function that determines the state of a node by its predecessor is a Boolean function. It is described by a base function, or so-called gates (see Figure 4).

Figure 4 Boolean function (gate with predecessors X and Y and one successor)


When developing fault trees, the component failures (inputs) are divided into three categories: primary failure, secondary failure and command fault.

A primary failure is a component failure that occurs under permissible application conditions. The cause of a primary failure lies in the design or in the material characteristics of the component itself.

A secondary failure describes a component failure that occurs as a result of impermissible external influences, such as environmental conditions, application conditions or the influence of other system components.

Command faults are brought about by incorrect human operation or misuse.

The actual fault tree now comprises pictorial markings for the above mentioned inputs and their logic operations. These operations, which stand for the logical correlations, use characteristic rules to determine an output from their inputs; the output is described in binary:

"0" (intact)

"1" (defective).

In the case of the (1 of 2) evaluation, the so-called OR gate, one of two input signals (I1 or I2) is sufficient for determining the corresponding output signal (O). In this case, the non-completion of the output signal is less probable than when there is a one-channel setup. In Figure 5, the (1 of 2) evaluation is shown with the corresponding truth table.

I1  I2  O

1   1   1

1   0   1

0   1   1

0   0   0

Figure 5 (1 of 2) evaluation (OR gate, symbol "≥ 1")


If, for example, the braking action of a winch is triggered by an OR logic operation, braking is even possible if there is a failure in one input signal. In this case, however, it is necessary to accept operating delays caused by incorrect release of the brakes.

In the (2 of 2) evaluation (AND gate), both input signals must be present simultaneously in order to generate the output signal. In this case, the completion of the output signal (O) is less probable than with a one-channel setup. Figure 6 represents the (2 of 2) evaluation.

I1  I2  O

1   1   1

1   0   0

0   1   0

0   0   0

Figure 6 (2 of 2) evaluation (AND gate, symbol "&")

If a drive is produced using a (2 of 2) evaluation, it is possible to prevent an impermissible startup when there is a nonconformity. In this case, however, it is necessary to accept increased operating delays caused by blocking the drive.
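The (1 of 2) and (2 of 2) evaluations above are the two smallest cases of a (k of n) gate. The following added example (not code from the VDA volume) reproduces the truth tables of Figures 5 and 6 in the volume's "0" = intact / "1" = defective convention, generalizes to any k of n, and quantifies the two claims made in the text: with independent inputs, the output of an OR gate is more probable than a single channel, that of an AND gate less probable. The per-channel probability 0.1 is a constructed value.

```python
from itertools import product

# Added example, not from the VDA volume.
# Signal convention as in the volume: 0 = intact, 1 = defective.
# (1 of 2) is the OR gate, (2 of 2) the AND gate; other k, n are the general case.

def vote(k, inputs):
    """Output of a (k of n) gate: 1 when at least k of the n inputs are 1."""
    return 1 if sum(inputs) >= k else 0

def truth_table(k, n):
    """Every input combination followed by the gate output, ordered from
    all-1 down to all-0 as in Figures 5 and 6."""
    return [combo + (vote(k, combo),) for combo in product((1, 0), repeat=n)]

def format_table(k, n):
    """Plain-text rendering of the truth table with the I1..In / O header."""
    header = "  ".join(f"I{i + 1}" for i in range(n)) + "  O"
    rows = ["   ".join(str(v) for v in row) for row in truth_table(k, n)]
    return "\n".join([header] + rows)

def output_probability(k, probs):
    """P(O = 1) for independent inputs, input i being defective with
    probability probs[i]; computed exactly by summing over all 2^n states."""
    total = 0.0
    for combo in product((1, 0), repeat=len(probs)):
        if vote(k, combo) == 1:
            pr = 1.0
            for state, p in zip(combo, probs):
                pr *= p if state == 1 else 1.0 - p
            total += pr
    return total

if __name__ == "__main__":
    print("(1 of 2) evaluation, OR gate")
    print(format_table(1, 2))
    print("(2 of 2) evaluation, AND gate")
    print(format_table(2, 2))
    p = 0.1  # constructed per-channel probability of the "1" state
    print("one channel:", p)
    print("(1 of 2):", output_probability(1, [p, p]))  # 0.19, higher than one channel
    print("(2 of 2):", output_probability(2, [p, p]))  # 0.01, lower than one channel
    print("(2 of 3):", output_probability(2, [p, p, p]))  # 0.028, the usual voting case
```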

The pictorial markings for inputs and logic operations are explained in DIN 25424 (Part 19). A summary of gates is described in DIN 25424 (Part 2).

1.5 Drawing up a fault tree

Using a few clear examples, the development of fault trees with the fundamental AND/OR operations will be explained. Figure 7 shows a simple electrical circuit with a power supply, two switches and a motor. System A is in a defined output state, in which switch 1 and switch 2 are closed. "Motor cannot be switched off" is chosen as top event.


Figure 7 Description of system A

The accompanying fault tree, Figure 8, shows the two fundamental component failures given these circumstances: "Switch 1 cannot be opened" and "Switch 2 cannot be opened".

Assuming that, in this defined system, the cabling and plugs do not contribute to the incorrect event, the top event occurs only when both component failures occur (AND gate).

Figure 8 Fault tree for system A with one AND operation (top event "Motor cannot be switched off"; AND gate "&"; inputs "Switch 1 cannot be opened" and "Switch 2 cannot be opened")


In contrast, Figure 9 shows a typical OR operation. In this case, a different top event is assumed for the system: "Motor does not start". The above mentioned assumptions apply in this case as well. It can be seen in the illustration that the motor does not start running if either the motor itself fails, if there are external influences that are not taken into consideration, or if the necessary power supply is not properly available.

Figure 9 Fault tree for system A with one OR operation (top event "Motor does not start"; OR gate "≥ 1")

In this case, the motor failure is a primary failure, the external influence quantities are secondary failures and the incorrect power supply is a command fault (for example, caused by improper operation). Generally, primary failures are not developed further. If FTA is used for analyzing the cause of existing problems, it is vital to strive for a complete list of causes; consequently, the primary failures should also be analyzed further.


The branches of the command faults or secondary failures should be developed further, down to the level of the basic events. Figure 10 shows an example of the fault tree where the secondary failures of the motor are developed.

Figure 10 Fault tree for system A with development of secondary failure (top event "Motor does not start"; OR gates "≥ 1"; events shown: "Primary failure: motor", "Secondary failure: motor", "Command fault: motor", "External influences", "Failure of other system components: switches 1 and 2, power source", "Blocking of the motor caused by impurities", "Break in motor housing caused by excessive temperatures or vibrations")


In order to be able to transfer even very complex technical systems into models that are as realistic as possible, the following steps must be performed when drawing up the fault tree:

Steps for drawing up the fault tree:

1st step: System analysis

2nd step: Definition of the top event and failure criteria

3rd step: Determination of reliability parameters and time intervals

4th step: Determination of the failure modes for the components

5th step: Drawing up the fault tree

Figure 11 Steps in drawing up a fault tree


1st step: System analysis

Exact knowledge of the functional sequences in the normally functioning system is necessary in drawing up the fault tree. With the help of the system analysis, the system’s method of operation should be made clear, taking into account its interfaces to the environment.

- System functions/system requirements

To stipulate the system function unambiguously, all required functions are shown and assigned to the elements fulfilling the function (system elements). In this connection, the performance goals and permissible tolerances of the respective system functions must be considered. Generally, this means that it is necessary to have the customary technical documents, such as signal and/or current flow plans, performance specifications and design drawings. So-called function block diagrams (FBD) serve to illustrate system interconnections and interface influences. This graphical, two-dimensional depiction of a verbal, one-dimensional approach, as followed in the specifications, is far superior once the functional sequences are no longer purely sequential.

- Environmental conditions

During the various operating phases, the system must comply with the required functions under the influence of environmental conditions on which the technical system itself has no influence. Both environmental influences and the physical and chemical properties of the system elements need to be considered.

- Dependency and behavior

In this connection, the system must be examined with an eye to the following criteria:

- Interplay of the system elements for generation of the system functions,

- Reaction of the system to the environmental conditions,

- Behavior of the system in case of internal failures and failures of required auxiliary sources (energy supply, services).


2nd step: Definition of the top event and the failure criteria

The meaningfulness of FTA depends on the description of the top event and the associated boundary conditions. When stipulating the top event, there are two different basic starting points:

- Preventive approach

If the FTA is performed from a preventive point of view, the top event is defined by non-fulfillment of functions or requirements. When defining top events, product requirements relevant to both safety and convenience can be taken into account.

- Corrective approach

In this case, a failure or incorrect system function that has already occurred is defined as the top event.

3rd step: Determination of reliability quantities and time intervals

When performing a quantitative fault tree evaluation, a distinction is made between the failure probability across a defined time period and the non-availability at any given time.

In order to derive such quantitative statements for the top event, it is necessary to have the corresponding data on the basic events.

4th step: Determination of the failure modes of the components

After completing the system analysis and defining the top event, all of the components' failure modes that need to be considered for the fault tree model must be derived. To obtain a detailed FTA, it is usually not sufficient to merely use assessments of failures as basic events in an undifferentiated manner. Instead, a component's different failure modes (such as a relay's contacts not opening or not closing) can have completely different consequences for the top event, so that they cannot be subsumed under one basic event, and must instead be entered in different places in the fault tree. When determining reliability parameters for basic events, this results in an additional difficulty, namely that failure probabilities are often known for components, but not for separate failure modes. Some data books contain details on failure modes for particular components.

If no quantitative details on the failure modes are available, it is at least possible to arrive at a worst-case view by using the entire failure probability for a component for estimating the highest occurrence probability of its separate failure modes. It is often useful to conduct a failure mode analysis (e.g., FMEA) before the fault tree analysis as a type of information gathering, so that the possible failure modes can be recognized first.

5th step: Drawing up the fault tree

In order to arrive at comparable events when developing fault trees and to usefully restrict the arbitrariness introduced by the person drawing up the tree, it is advisable to formulate a general procedure. Such a plan is explained in more detail in Figure 11.

The starting point for drawing up a fault tree is ascertaining the top event for the system that is to be examined.

First an examination is made of whether the described top event can be described as the failure of one system element alone. If this is the case, the next step is generally an OR operation with a maximum of three inputs: "primary failure", "secondary failure" and "command fault". Otherwise, the next step is ascertaining the failures that result in the top event, either alone or in combination. These failures are entered into comment rectangles, logically combined and then further developed in the same way as a top event. In this way, a separate "fault tree branch" results from each failure event that is recorded.


As already mentioned, primary failures are not developed further unless FTA is used purely as a cause analysis for existing problem fields. If secondary failures and command faults refer to matters that are not a part of the system being examined, they are also not developed further. Otherwise, the process is the same as for a top event. Unlike a primary failure, the secondary failures and the command fault do not have to be present in each case. Once a fault tree branch has been processed, the next failure is tackled. When there are no more failures to process, the fault tree is complete.

Figure 12 Plan for drawing up fault trees


1.6 Fault tree evaluation

After the fault tree has been drawn up completely, qualitative and/or quantitative information on the system failure behavior can be obtained, depending on the problem definition. This evaluation can be made manually if the fault tree is relatively simple, but complex trees require the use of computers.

1.6.1 Qualitative evaluation

FTA is a complete procedure, which means that, in principle, when applied consistently, all event combinations that lead to the top event can be found. The limits are therefore not in the procedure, but in the user's level of knowledge and in the care taken by the respective individuals. The result of a fault tree analysis is only as realistic, and therefore only as meaningful, as the extent to which the system and its functional failure behavior can be modeled as a causal functional chain.

- Critical paths

Even without using input data (such as failure rates, for example) for the occurrence of specific functional failures, a fault tree can already provide qualitative information on system reliability. Particularly when FTA is used purely as an instrument for finding causes, the cause-effect structure that was developed already helps to detect critical paths systematically. The branch in which the listed component failures are not caught by internal system avoidance or test mechanisms is identified as the critical path. Each open event is entered into a list, sorted by specialty and passed on to the affected departments for clarification. As a first approach, the current risks posed by the system's possible weak points can be derived from the results that were obtained.

- Minimal cut sets

Another possibility for making qualitative statements consists of examining the system for single and multiple failures using the method of minimal cut sets.
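The following added example (not code from the VDA volume) shows how minimal cut sets are obtained from a fault tree built from the AND/OR gates described above: the tree is expanded top-down into all failure combinations, and every combination that contains a smaller one is discarded (absorption). Cut sets of order 1 are the single failures the text refers to, larger ones the multiple failures. The tree is a constructed extension of system A with two constructed basic events (M, PS); it is not one of the volume's own figures.

```python
from itertools import product

# Added example, not from the VDA volume.
# A node is ("basic", name) or (gate, [children]) with gate "and" or "or".
# Constructed tree, loosely based on system A; M and PS are constructed events.
S1 = ("basic", "S1")   # Switch 1 cannot be opened
S2 = ("basic", "S2")   # Switch 2 cannot be opened
M = ("basic", "M")     # constructed: control relay contacts welded, bypassing both switches
PS = ("basic", "PS")   # constructed: power supply cannot be interrupted

TOP = ("or", [                        # top event "Motor cannot be switched off"
    ("and", [S1, S2]),                # both switches stuck closed (Figure 8 branch)
    ("and", [PS, ("or", [S1, S2])]),  # supply not interruptible and one switch stuck
    M,                                # single failure that alone causes the top event
    ("and", [M, S1]),                 # redundant branch: absorbed by {M} below
])

def evaluate(node, failed):
    """State of a node (True = defective) for a given set of failed basic events."""
    kind, body = node
    if kind == "basic":
        return body in failed
    states = [evaluate(child, failed) for child in body]
    return all(states) if kind == "and" else any(states)

def cut_sets(node):
    """All cut sets by top-down Boolean expansion: an OR gate collects its
    inputs' cut sets, an AND gate combines one cut set from each input."""
    kind, body = node
    if kind == "basic":
        return [frozenset([body])]
    child_sets = [cut_sets(child) for child in body]
    if kind == "or":
        return [cs for sets in child_sets for cs in sets]
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Cut sets that contain no other cut set (absorption), smallest first."""
    sets = set(cut_sets(node))
    minimal = [cs for cs in sets if not any(other < cs for other in sets)]
    return sorted((tuple(sorted(cs)) for cs in minimal), key=lambda t: (len(t), t))

def is_minimal_cut_set(node, cut):
    """Independent check: the cut causes the top event and removing any
    single failure from it no longer does."""
    cut = set(cut)
    return evaluate(node, cut) and not any(evaluate(node, cut - {e}) for e in cut)

if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP):
        order = "single failure" if len(cs) == 1 else f"{len(cs)}-fold failure"
        print(f"{cs}: {order}, verified={is_minimal_cut_set(TOP, cs)}")
```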
