Example 1

The document describes a pressure tank pump system and its control system. The control system regulates the pump to pressurize the tank. When the tank reaches threshold pressure, the pump stops. The document then outlines the initial dormant state of the system and how it is started. It identifies the top event as rupture of the pressure tank after pump start up. The next steps create a fault tree structure for this top event and assign exponential distributions to components based on failure rates. The analysis is run for a 10 year lifetime. Results show the probability of failure and importance of components like the pressure switch. Single point failures are also identified.

Uploaded by Lesw

Example 1, Problem Statement

Step 1. Study of system, or problem statement

In this example we will consider the following "Pressure tank pump motor device and its associated control system".

The function of the control system is to regulate the operation of the pump. The pump moves fluid from an infinitely
large reservoir into the tank, and it takes one minute to pressurize the tank. The pressure switch has contacts which are
closed when the tank is empty. When the threshold pressure has been reached, the pressure switch contacts open,
de-energizing the coil of relay K2 so that the relay K2 contacts open, removing power from the pump and causing the
pump motor to cease operation. The tank is fitted with an outlet valve that drains the entire tank in an essentially
negligible time; the outlet valve, however, is not a pressure relief valve. When the tank is empty, the pressure switch
contacts close, and the cycle is repeated.

Initially the system is considered to be in its dormant mode. Switch S1 contacts open, relay K1 contacts open, and
relay K2 contacts open; i.e., the control system is de-energized. In this de-energized state the contacts of the timer
relay are closed. Also the tank is empty and the pressure switch contacts therefore closed.

System operation is started by switching S1 on. This applies power to the coil of relay K1. Relay K1 is not electrically
self-latched. Closing the K1 contacts applies power to the coil of relay K2, which starts the pump motor.

The timer relay has been provided to allow emergency shut-down in the event that the pressure switch fails closed.
Initially the timer relay contacts are closed and the timer relay coil is de-energized. Power is applied to the timer coil
as soon as relay K1 contacts are closed. This starts a clock in the timer. When the clock registers 60 seconds of
continuous power to the timer relay coil, the timer relay contacts open, breaking the circuit to the K1 relay coil and
thus producing system shut-down. In normal operation, when the pressure switch contacts open, the timer resets to 0
seconds.

Step 2. Determining the top event, or hazard, that the fault tree is to model

Typically the top event is an undesired effect or event that we would like to avoid. Where the top event cannot be
eliminated (probability of 0.0), we can instead obtain a probability and/or frequency of occurrence. The most important
objective in this step is to focus on the event that is most catastrophic and undesirable. Complex systems may have
multiple undesirable failure modes; the recommendation here is to study each undesirable failure mode separately.
This ensures that each top event, and the effectiveness of the related protection system(s), is analyzed with that goal.

Typical categories of undesirable events:

1. Injury to, or loss of human life

2. Environmental damage

3. Loss of mission

4. Down time of critical equipment / machinery

In the example we have been studying so far, let us consider the undesired event
"Rupture of Pressure Tank after Starting of the Pump". To make the example
more realistic, we can state that this tank contains biohazardous material which,
if spilled, would pose a risk to both human life and the environment.

Example 1, Create Logical Structure

Step 3. Creating a Fault Tree logical structure based on the system

1. Create a project file and add a fault tree system.

2. Activate the "Fault Tree" diagram view, select the top gate and edit its description to read "Rupture of
Pressure Tank after Starting of the Pump".

3. Add an event to represent "Primary Failure of Pressure Tank", named "Tank".

4. Add an OR Gate to represent "Control System" failed.

5. Add an event to represent "Primary Failure of Relay K2", named "K2".

6. Add an AND Gate to represent ("K1" OR "R" OR "S1") AND "S" failed.

7. Add an event to represent "Primary Failure of Pressure Switch", named "S".

8. Add an OR Gate to represent "K1" OR "R" OR "S1" failed.

9. Add an event to represent "Primary Failure of Switch S1", named "S1".

10. Add an OR Gate to represent "K1" OR "R" failed.

11. Add an event to represent "Primary Failure of Relay K1", named "K1".

12. Add an event to represent "Primary Failure of Timer Relay", named "R".

The resulting logic is: top event = "Tank" OR "K2" OR ("S" AND ("S1" OR "K1" OR "R")). The final fault tree diagram,
which gives a basic or reduced fault tree for this undesired event, will look like the following:

Step 4. Assign Distributions

In the example under construction we have identified six events, each modeled after a device in the system. In
this step we need to identify which distribution fits the failure characteristics of each device, obtain the appropriate
distribution parameters, and enter this data into the example under construction.

Event Name | Event Description                  | Distribution Type | Distribution Parameter (Failure Rate)
-----------|------------------------------------|-------------------|--------------------------------------
Tank       | Primary Failure of Pressure Tank   | Rate              | 1.25e-10 failures per hour
K2         | Primary Failure of Relay K2        | Rate              | 8.5e-8 failures per hour
S          | Primary Failure of Pressure Switch | Rate              | 7.3e-6 failures per hour
S1         | Primary Failure of Switch S1       | Rate              | 7.3e-6 failures per hour
K1         | Primary Failure of Relay K1        | Rate              | 8.5e-8 failures per hour
R          | Primary Failure of Timer Relay     | Rate              | 8.5e-8 failures per hour

The devices under consideration can easily be modeled using an exponential distribution ("Rate"). This type of
distribution requires the failure rate of the device as its only parameter. Failure rate data can be obtained from the
manufacturer of the device, or Item ToolKit's failure prediction modules can be used to calculate the failure rate for
each device. If Item ToolKit's prediction modules are used for this purpose, the data can be linked so that the fault
tree analysis queries the failure rates dynamically during the analysis.

Note: Events do not always have to be modeled after a physical device, they could also be modeled after
environmental factors, or human error.

Create and assign the identified distributions to each event:

1. Select "Tank" event, on the diagram and activate the "Event Parameters..."

2. Select the "Failure Model" tab,

3. Press "New Model" button

4. Change the "Type (CDF)" selection list to "Rate"

5. Enter "1.25e-10" in the "Failure Rate" edit box.

6. Repeat steps 1 to 5, for the remaining events, substituting the appropriate failure rate from the above table.

Note: The above procedure is one of several methods available for this operation. Other methods could use
the System Hierarchy and the embedded Dialog View, or the Failure Model Library facility and the Grid View, to
accomplish the same task.

Set Analysis Options

Item ToolKit's Fault Tree module offers several analysis options. For this simple example, and for the first pass, we will
consider only the "Life Time" and leave all other options at their defaults.
Using the Fault Tree System dialog, set the "Life Time" to ten years, i.e. 87600 hours.

Perform Analysis

Performing the analysis is a simple click of the "Start FT Analysis" button on the Fault Tree toolbar, or selecting the
"Perform" option from the "Analysis" menu.

Click the "Start FT Analysis" button on the Fault Tree toolbar; a progress bar will be displayed, followed by an
"Advisory Msg" indicating that the analysis is complete.

Note: If the analysis had encountered errors, a "Verification Results" dialog would be displayed listing them.

Review Results

Item ToolKit's Fault Tree module offers several options as to how results are displayed. For this example, use the
"Result Summary" dialog. From the "Fault Tree" toolbar, select the "Result Summary" button, which will display
the following dialog:

First pass of the analysis:

Note the "Unavailability Q" in the top section of this dialog, the importance ranking of each event, and
the "Cut Sets" results in the bottom section. In this initial pass the overall "Unavailability Q" is high, because we
did not specify any repairs in the distribution models. Another way to read this figure is as the probability of the
overall system failing within the specified life time, which was set to ten years.

Other observations regarding the results include:

1. The "S" event is ranked the most important according to the Fussell-Vesely model.

2. The cut sets sorted by "Unavailability" show that the probability of "S1" and "S" failing together is the highest
compared with the other cut sets.

3. The results also contain two single points of failure, "K2" and "Tank", listed as first-order cut sets. All other
failures require at least two events (2nd order).

Review Results After Modifications Without "Probability Cut Off":

Note that the results have changed dramatically in all areas. The main reason is that by assigning repair
rates to the individual events we have converted the system from a non-repairable to a repairable system. This has
reduced our overall probability of failure and shifted both the importance ranking and the cut set probabilities. In the cut
sets, note that the first-order cut sets now also have the highest probability of failure. Therefore a solid
recommendation can be made to improve the design of the system so that these single points of failure are
avoided.

The results also contain standard deviation (StD) and confidence measures, which better justify the results given the
uncertainties at each event.

Review Results After Modifications With "Probability Cut Off":

Note that the 4th and 5th cut sets are not present in the following results dialog. These two cut sets fell below our
cut off value of 1e-12 and were therefore filtered out of the results.
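The first-pass results and the repairable-with-cut-off results discussed above can be reproduced outside Item ToolKit. The following Python script is an added example written for this page, not Item ToolKit code or output. It encodes the tree from Step 3 and the failure rates and 87600 h life time from Step 4, computes the exact top-event probability by enumerating the failed/working state of every event, derives the minimal cut sets, ranks the events by Fussell-Vesely importance, and then reruns the model with an assumed repair rate of 1 per hour for every event (the page's own repair-rate table is not reproduced here, so this value is an assumption for illustration) and the 1e-12 probability cut off. Uncertainty values are not modeled.

```python
"""Fault tree: "Rupture of Pressure Tank after Starting of the Pump".

Added worked example, not Item ToolKit code.  The repair rate and the cut
off used in the second pass are assumptions chosen for illustration.
"""
import itertools
import math

LIFE_TIME_H = 10 * 8760  # ten years, as set in the Fault Tree System dialog

# Failure rates (failures per hour) from the distribution table of Step 4
FAILURE_RATE = {
    "Tank": 1.25e-10,
    "K2": 8.5e-8,
    "S": 7.3e-6,
    "S1": 7.3e-6,
    "K1": 8.5e-8,
    "R": 8.5e-8,
}

# Assumption: every event repaired with a mean time to repair of 1 hour
ASSUMED_REPAIR_RATE = {e: 1.0 for e in FAILURE_RATE}
CUT_OFF = 1e-12  # "Probability Cut Off" from the Adjust Analysis Options step


def unavailability(lam, t, mu=0.0):
    """Probability that an event is in the failed state at time t.

    mu == 0: non-repairable, exponential unreliability 1 - exp(-lam*t).
    mu > 0 : repairable, lam/(lam+mu) * (1 - exp(-(lam+mu)*t)).
    """
    if mu <= 0.0:
        return -math.expm1(-lam * t)
    return lam / (lam + mu) * -math.expm1(-(lam + mu) * t)


def top_event(failed):
    """Logical structure of the tree: Tank OR K2 OR (S AND (S1 OR K1 OR R))."""
    return bool("Tank" in failed or "K2" in failed
                or ("S" in failed and {"S1", "K1", "R"} & failed))


def minimal_cut_sets(events, top):
    """All minimal sets of failed events that make the top event true."""
    cuts = []
    for r in range(1, len(events) + 1):
        for combo in itertools.combinations(events, r):
            fs = frozenset(combo)
            if top(fs) and not any(c < fs for c in cuts):
                cuts.append(fs)
    return cuts


def analyse(rates, t, repair=None, cut_off=0.0):
    repair = repair or {}
    q = {e: unavailability(lam, t, repair.get(e, 0.0)) for e, lam in rates.items()}
    events = list(rates)
    cuts = minimal_cut_sets(events, top_event)

    # Exact top-event probability: sum over all 2^n failed/working states.
    p_top = 0.0
    p_via = {e: 0.0 for e in events}  # P(some cut set containing e has occurred)
    for bits in itertools.product((False, True), repeat=len(events)):
        failed = frozenset(e for e, b in zip(events, bits) if b)
        if not top_event(failed):
            continue
        p = 1.0
        for e, b in zip(events, bits):
            p *= q[e] if b else 1.0 - q[e]
        p_top += p
        for e in events:
            if any(e in c and c <= failed for c in cuts):
                p_via[e] += p

    # Fussell-Vesely importance: fraction of top-event probability that
    # passes through a cut set containing the event.
    fv = {e: p_via[e] / p_top for e in events}

    # Cut set probabilities (independent events), filtered by the cut off
    # and sorted by unavailability as in the Result Summary dialog.
    cut_q = {c: math.prod(q[e] for e in c) for c in cuts}
    kept = sorted((c for c in cuts if cut_q[c] >= cut_off),
                  key=lambda c: cut_q[c], reverse=True)
    return {"Q": p_top, "event_Q": q, "fv": fv,
            "cut_sets": [(sorted(c), cut_q[c]) for c in kept]}


def report(title, res):
    print(title)
    print(f"  top event unavailability Q = {res['Q']:.4g}")
    for e, v in sorted(res["fv"].items(), key=lambda kv: -kv[1]):
        print(f"  F-V importance {e:4s} {v:.4f}")
    for c, p in res["cut_sets"]:
        print(f"  cut set {'+'.join(c):6s} order {len(c)}  Q = {p:.3g}")


if __name__ == "__main__":
    report("First pass (non-repairable, 87600 h)",
           analyse(FAILURE_RATE, LIFE_TIME_H))
    report("Second pass (assumed repair, cut off 1e-12)",
           analyse(FAILURE_RATE, LIFE_TIME_H, ASSUMED_REPAIR_RATE, CUT_OFF))
```

In the first pass the script reproduces the observations above: "S" has the highest Fussell-Vesely importance, the second-order cut set "S"+"S1" has the highest probability, and "K2" and "Tank" appear as first-order cut sets. With the assumed repair rate the first-order cut sets move to the top of the list and the "S"+"K1" and "S"+"R" cut sets fall below 1e-12 and are filtered out, leaving three cut sets. State enumeration is exact but grows as 2^n; Item ToolKit's cut-set based calculations are what make larger trees tractable.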
Achieved Objectives?

Determining whether the analysis has achieved its objective is a relative
question, and it will vary for each system or analysis. Several typical goals
can nonetheless be used as a measuring stick.

For the example we have been building, we could improve the model to include
repairs and uncertainty analysis.

Produce Reports
There are several reports that can be produced for a fault tree analysis. To complete this example we will generate the
following reports:

1. Diagram report

2. Fault Tree Result Summary

3. Fault Tree Cut Sets

4. Fault Tree Uncertainty report

5. Fault Tree Unavailability, Unreliability, and Uncertainty charts

Modify Logical Structure

In the original construction of the fault tree we simply read the schematic and constructed the fault tree. Upon
examining the original fault tree diagram we can see that it could be simplified by consolidating the
lower level OR gates.

1. Copy event "K1" and paste it into gate "K1 OR R OR S1".

2. Copy event "R" and paste it into gate "K1 OR R OR S1".

3. Delete gate "K1 OR R".

4. The name generator will automatically rename the pasted events to avoid duplicate names.

5. Rename events "K1" and "R" back to their original names.

The final fault tree diagram should look like the following:
Adjust Failure Distributions

Failure distributions can be adjusted to the actual failure rate, or refined by adding repair rates and uncertainty
values. The following table shows sample refinements that will improve the example under construction.

Modify the distributions that have already been assigned to each event:
1. Select "Tank" event, on the diagram and activate the "Event Parameters..."

2. Select the "Failure Model" tab,

3. Enter "Failure Rate" uncertainty value from the above table.

4. Enter "Repair Rate" from the above table.

5. Enter "Repair Rate" uncertainty from the above table.

6. Repeat steps 1 to 5, for the remaining events, substituting the appropriate values from the above table.

Adjust Analysis Options

Item ToolKit's Fault Tree module offers several analysis options. For the example under construction, we may filter
out cut sets that have a probability of less than 1e-12. This states that these cut sets are so improbable that we will
ignore them.

Using the Fault Tree System dialog, set the "Probability Cut Off" to 1e-12.
