The purpose of this website is to provide references and presentations on system safety analysis, hazard analysis, fault tree analysis, event tree analysis and probabilistic risk assessment. These are references that the analyst Howard Lambert has generated, conducted a peer review of or has used as references in his career. This website also contains videos, training notes and case studies.


It’s a matter of logic my dear Watson
Sherlock Holmes
Fault Tree Analysis
Fault tree analysis (FTA) evolved from the aerospace industry in the early 60’s when FTA was conducted on the launch control system of the minuteman missile. FTA is a specialized reliability engineering analysis. Fault trees are multidisciplinary symbolic multiple thread Boolean logic models. Fault trees are top down, backward looking, starting with a top event, asking the question “how can something occur” and is built using basic logic gates such as AND and OR and terminating with basic events at the bottom of the fault tree representing events such as human error, hardware, software errors and environmental conditions. The fault tree is built by construction rules [1] that establish the procedures necessary at each gate to determine the type of gate to use and inputs to the gate. The Top Event generally represents an event that causes injury, harm or loss such as fire, explosion, toxic or radiological release. Basic events represent the limit of resolution in FTA.

Fault tree construction and analysis is described in terms of the immediate cause principle – what is immediately necessary to cause the output event? – accomplished by decomposing events from abstract to less abstract into understandable root causes called the basic events. Assumptions are made, the scope is determined when constructing fault trees. Assumptions include specifying initial conditions and the applicability of the reliable system assumption. Knowing system success criteria is important in determining the failure logic in the fault tree. Events in the fault tree should be logically consistent. Logic loops should be identified and eliminated, e.g., an event that causes itself to occur.
FTA can be qualitative (deterministic) or quantitative (probabilistic). This website shows the importance of identifying initiating and enabling events in both the qualitative and quantitative evaluation of fault trees. Initiating events are triggering events that lead to the occurrence of the top event. Enabling events are contributing events that permit the initiating event to cause the Top Event. Initiating events include 1. deviation events also called critical events and 2. phase changes in a system—both place demands on system mitigation measures to respond called enabling events. Enabling events include predecessor events and successor events. Predecessor events include for example failure of safety devices or preexisting conditions that occur before or at the time the initiating event occurs. Successor events include for example failure of an operator to respond or a time delay that occurs after the occurrence of the initiating event. An important step in FTA is to describe system interactions in terms of the system modes of occurrence called the min cut sets [9] consisting of combinations of basic events that cause the Top Event to occur. These min cut sets can be traced in the fault tree to the Top Event to understand how they can occur and to study interactions. The number of basic events in a min cut set called order is determined; min cut sets of order 1 (single point failures) are most important from a qualitative viewpoint. Min cut sets of order 2 or higher require more basic events to occur. Higher order min sets can occur if redundancy, preventative and/or mitigation measures fail (called enabling events) when the initiating event occurs and define critical system states for an initiating event [2].
Probabilistic analysis entails computing the probability or frequency of the Top Event and determining the basic events and min cut sets that contribute most probabilistically to the Top Event through an importance analysis [12].
Methods to describe how to construct fault trees of control systems are the use of directed graph analysis [3] [4]. Fault trees are generated from digraphs using a synthesis algorithm that delineates how a control system can cause or pass a disturbance resulting in the occurrence of the top event. A sample digraph is shown below for a chlorine vaporizer [2]. Much more complicated digraphs and fault trees were generated for a system involving fire and explosion hazards [5] [6] [7] [8] [12] [13][19]. The annual frequency of fire or explosion was calculated by identifying initiating and enabling events in the fault trees and by knowing the frequency of occurrence of initiating events and the probability of enabling events and the min cut sets.
Digraphs are also used for nuclear materials safeguards assessment both domestically [14], [15] and internationally [16][17][18]. Fault trees generated from these digraphs have min cut sets known as diversion paths.
Currently FTA is used commercially in many technologies such as nuclear power, petrol chemical, aerospace and transportation. One way to learn FTA is to study numerous case studies presented on this website and in the literature.
Digraphs are used for FTA of control systems.
Red arrows indicate information flow with external disturbances;
blue indicates negative feedback loop; green indicates operator shutdown and
black indicates hardwired interlocks.

Event Tree Analysis
Event Tree analysis were first used by the United Kingdom Atomic Energy Agency in 1968 for a whole plant risk assessment to optimize the design of a 500MW Steam Generating Heavy Water Reactor. The first extensive use of event trees occurred in the Reactor Safety Study (RSS) in the 70’s [9]. The RSS used event trees in conjunction with fault trees to generate and analyze reactor accident scenarios called the event tree-fault tree approach. RSS found that solely using fault trees to describe reactor accident scenarios resulted in unmanageable large fault trees and did not effectively address the combination of success and failure that can lead to end states with different consequences. A symbolic representation of the event tree-fault tree approach is shown below.

An Event Tree is an inductive logic model — starts with an initiating event and depicts branching nodes that can lead to undesired system states and accident scenarios – Nodes can represent failure of features such as safety controls. Downward step in the event tree generally indicates failure; an upward step generally indicates success. An event tree is future thinking, asks the question “what if” and is specific to general.
Event tree can depict event interactions regarding
- Timing
- Conditionally of events
- Sequential effects

As an example consider a building with a room with a one hour fire wall described in the presentation on this website “Introduction to Event tree Fault Tree Analysis.” The room has administrative controls that prevent the presence of ignition sources and transient combustibles. The operator has access to a fire extinguisher. The room has a wet pipe sprinkler system. The building is located on a site with a fire brigade. The event tree is used to support a fire risk analysis. The event tree that depicts fire ignition and growth is shown with a time line leading to full facility fire. End state information shows end state description that includes the initiating event, annual frequency and economic loss (consequences). The end states to event trees are mutually exclusive which means we can sum the probability of each end state to determine the total probability or frequency of all end states – if the initiating event frequency or probability is one – then the sum of the end state probabilities is one. As with fault trees, event trees are used in various industries to conduct probabilistic risk assessment (PRA).
Get in touch
Have something you want to discuss?
Send Dr. Lambert a message today, he’d be happy to share his experience and expertise.