Electronics Guide

Fault Tree Analysis

Fault Tree Analysis (FTA) is a systematic, deductive failure analysis technique that uses Boolean logic to analyze how systems can fail. Starting from an undesired top-level event such as a system failure or safety hazard, the analysis works backward to identify all possible combinations of lower-level events that could cause the top event to occur. This top-down approach provides a structured framework for understanding complex system failure scenarios and quantifying their probabilities.

Originally developed in the 1960s for aerospace and nuclear industries, fault tree analysis has become an essential tool across all sectors of electronics engineering. The methodology excels at identifying single points of failure, evaluating the effectiveness of redundancy, assessing common cause failures, and supporting safety-critical design decisions. Whether analyzing a simple power supply or a complex avionics system, FTA provides rigorous insight into how failures propagate through electronic systems.

Fundamentals of Fault Tree Construction

Constructing an effective fault tree requires systematic identification of failure events and their logical relationships. The process begins with defining the undesired top event and progressively breaking it down into contributing causes until reaching basic events that can be quantified.

Defining the Top Event

The top event serves as the starting point for fault tree development:

  • Clear definition: The top event must be precisely defined, specifying what constitutes failure, under what conditions, and during what time frame or mission phase
  • Scope boundaries: Establish clear boundaries for the analysis including system interfaces, environmental conditions, and operational modes to be considered
  • Failure criteria: Define specific thresholds or conditions that constitute failure, such as output voltage deviation beyond specified limits
  • Mission context: Specify the operational scenario including duration, environment, and maintenance assumptions
  • Single versus multiple events: Determine whether to analyze a single failure event or develop separate trees for multiple failure modes

A well-defined top event ensures the analysis remains focused and produces actionable results. Vague or overly broad top events lead to unfocused analyses that fail to identify specific failure scenarios.

Intermediate Events and Basic Events

Fault trees decompose the top event into progressively lower-level events:

  • Intermediate events: Events that result from combinations of other events and are themselves further developed in the tree; represented by rectangles
  • Basic events: Fundamental events that cannot or need not be further developed; represent the lowest level of resolution in the analysis, shown as circles
  • Undeveloped events: Events that could be further developed but are not, typically due to insufficient information or because they fall outside the analysis scope; depicted as diamonds
  • House events: Events that are either certain to occur or certain not to occur, used to model conditional scenarios; shown as house-shaped symbols
  • Transfer symbols: Indicate connections to other parts of the tree or to separate fault trees; triangles pointing into or out of the tree

The level of decomposition depends on available failure data, analysis objectives, and system complexity. Basic events should correspond to failure modes for which reliability data exists or can be estimated.

Logic Gates

Logic gates define how lower-level events combine to cause higher-level events:

  • AND gate: Output event occurs only if all input events occur simultaneously; represents redundant or parallel configurations where multiple failures are required
  • OR gate: Output event occurs if any one or more input events occur; represents series configurations or single points of failure
  • Exclusive OR gate: Output occurs if exactly one input occurs but not both; less common in reliability applications
  • Priority AND gate: Output occurs only if inputs occur in a specified sequence; models sequence-dependent failures
  • Inhibit gate: Output occurs only if the input event occurs and a conditional event is satisfied; represents conditional failures

Proper gate selection is crucial for accurate analysis. AND gates model redundancy benefits while OR gates identify vulnerability to single failures. Most fault trees are dominated by OR gates, reflecting the many ways systems can fail.

Construction Methodology

Systematic construction ensures complete and accurate fault trees:

  • Top-down development: Start from the top event and ask "what could cause this event?" at each level, developing all immediate causes before moving to the next level
  • Completeness checking: Ensure all possible causes are identified at each level using systematic techniques such as checklists, failure mode libraries, and expert review
  • No gate-to-gate connections: Every gate output must connect to an event symbol; direct gate-to-gate connections violate fault tree conventions
  • Consistent abstraction levels: Events connected to the same gate should represent similar levels of detail and system hierarchy
  • State versus event: Distinguish between states (existing conditions) and events (occurrences that change states) to ensure logical consistency

Construction typically proceeds through multiple iterations, with initial trees refined as understanding deepens and reviewers identify missing failure scenarios.

Qualitative Fault Tree Analysis

Qualitative analysis extracts structural information from fault trees without requiring numerical probability data. This phase identifies the minimal combinations of basic events that cause the top event and reveals critical vulnerabilities in the system design.

Minimal Cut Sets

Cut sets are combinations of basic events that cause the top event:

  • Cut set definition: A cut set is any combination of basic events that, if all occur, will cause the top event to occur
  • Minimal cut set: A cut set from which no event can be removed while still causing the top event; contains only necessary events
  • Cut set order: The number of basic events in a minimal cut set; first-order cut sets are single points of failure
  • System vulnerability: Systems with many first-order cut sets are highly vulnerable; those with only higher-order cut sets have built-in redundancy
  • Importance ranking: Cut sets can be ranked by order to prioritize design improvements

Identifying minimal cut sets is the primary objective of qualitative FTA. First-order cut sets represent single points of failure that warrant immediate design attention in critical applications.

Cut Set Determination Methods

Several approaches determine minimal cut sets from fault tree structure:

  • Boolean reduction: Convert the fault tree to a Boolean expression and reduce to sum-of-products form using Boolean algebra rules
  • MOCUS algorithm: Method for Obtaining Cut Sets; a systematic top-down algorithm that processes gates sequentially
  • Binary Decision Diagrams: Efficient data structure for representing Boolean functions; enables fast cut set enumeration for large trees
  • Monte Carlo simulation: Random sampling approach useful for very large trees where exact enumeration is impractical
  • Software tools: Commercial FTA software automates cut set determination and handles trees with thousands of events

For small trees, manual Boolean reduction is practical and builds understanding. Large industrial fault trees require software tools that implement efficient algorithms.

Minimal Path Sets

Path sets provide the complementary view of what must work for the system to succeed:

  • Path set definition: A combination of basic events that, if none occur, guarantees the top event does not occur
  • Minimal path set: A path set from which no event can be removed while still preventing the top event
  • Success orientation: Path sets represent combinations of components that must function for system success
  • Duality with cut sets: Path sets of the original tree equal cut sets of the complement tree (with all gates inverted)
  • Reliability calculations: Path sets enable alternative approaches to calculating system reliability

Path set analysis is particularly useful when system success is more naturally understood than system failure, or when calculating reliability bounds.

Common Cause Failure Analysis

Common cause failures defeat redundancy by affecting multiple components simultaneously:

  • Common cause identification: Review basic events under AND gates to identify potential common causes that could fail multiple components
  • Susceptibility categories: Environmental factors, design defects, maintenance errors, external events, and operational errors
  • Beta factor method: Quantify common cause susceptibility by estimating the fraction of failures that are common cause
  • Defense strategies: Diversity, physical separation, independence, and monitoring can mitigate common cause vulnerabilities
  • Tree modification: Add common cause events to fault trees to properly model their impact on redundant configurations

Common cause failures often dominate system unreliability in highly redundant systems. Identifying and mitigating these vulnerabilities is essential for achieving target reliability in safety-critical applications.

Quantitative Fault Tree Analysis

Quantitative FTA calculates the probability of the top event by combining basic event probabilities according to the tree logic. This provides numerical estimates of system unreliability that support design decisions, safety assessments, and regulatory compliance.

Basic Event Probability Assignment

Quantitative analysis requires probability estimates for each basic event:

  • Failure rate data: Use component failure rates from reliability databases, manufacturer data, or field experience
  • Mission time considerations: Convert failure rates to probabilities appropriate for the analysis time frame
  • Demand probability: For standby components, consider both failure to operate on demand and failure during operation
  • Human error probability: Estimate probabilities of human errors using human reliability analysis techniques
  • Uncertainty characterization: Document uncertainty in basic event probabilities for propagation through the analysis

Basic event probability accuracy directly impacts top event probability accuracy. Conservative estimates and uncertainty analysis ensure results support decision-making despite data limitations.

Probability Calculations

Gate probabilities are calculated from input event probabilities:

  • OR gate: P(output) = 1 - (1 - P(A)) x (1 - P(B)) x ... for independent inputs; approximates to sum of input probabilities when all are small
  • AND gate: P(output) = P(A) x P(B) x ... for independent inputs; product of input probabilities
  • Rare event approximation: When probabilities are small (less than 0.1), the top event probability approximately equals the sum of minimal cut set probabilities
  • Exact calculation: Include-exclude formula accounts for overlapping cut sets in exact calculations
  • Non-coherent trees: Trees with NOT gates require more complex calculation methods

For most reliability applications, the rare event approximation provides adequate accuracy with greatly simplified calculations. Safety assessments may require exact methods.

Importance Measures

Importance measures quantify how much each basic event contributes to system unreliability:

  • Fussell-Vesely importance: Fraction of system unreliability attributable to cut sets containing the event; indicates contribution to current unreliability
  • Risk Reduction Worth: Factor by which system unreliability decreases if the event is made perfectly reliable; identifies events whose improvement most benefits the system
  • Risk Achievement Worth: Factor by which system unreliability increases if the event certainly occurs; identifies events critical to maintaining current reliability
  • Birnbaum importance: Rate of change of system unreliability with respect to basic event probability; measures sensitivity
  • Cut set importance: Contribution of each minimal cut set to overall system unreliability

Importance measures guide resource allocation for reliability improvement by identifying which components or failure modes most impact system reliability.

Uncertainty and Sensitivity Analysis

Understanding result uncertainty is essential for informed decision-making:

  • Parameter uncertainty: Uncertainty in basic event probabilities due to limited data or estimation methods
  • Model uncertainty: Uncertainty arising from simplifications, assumptions, and potential incompleteness in the fault tree model
  • Monte Carlo propagation: Sample from basic event probability distributions and calculate top event probability distribution
  • Sensitivity analysis: Vary individual parameters to understand their impact on results and identify key assumptions
  • Confidence bounds: Express results as probability distributions or confidence intervals rather than point estimates

Results presented with uncertainty information support better decisions than point estimates alone, particularly when probabilities are close to decision thresholds.

Fault Tree Analysis for Electronics

Electronics applications present specific considerations for fault tree development and analysis. Understanding these nuances ensures fault trees accurately represent electronic system failure behavior.

Electronic Component Failure Modes

Electronic components exhibit characteristic failure modes that must be captured in fault trees:

  • Open circuit failures: Loss of electrical continuity through a component; common in resistors, inductors, and connections
  • Short circuit failures: Unintended low-resistance path; common in capacitors, semiconductors under overstress
  • Parametric drift: Component parameters change beyond acceptable limits while component continues functioning
  • Intermittent failures: Failures that occur sporadically, often due to thermal cycling, vibration, or marginal connections
  • Degradation failures: Progressive deterioration leading to eventual failure; important for wear-out analysis

Different failure modes of the same component may appear in different branches of the fault tree, reflecting their different effects on system function.

Circuit-Level Analysis

Fault trees for electronic circuits require understanding of circuit behavior:

  • Functional decomposition: Divide circuits into functional blocks (power supply, signal processing, output stage) for systematic analysis
  • Signal flow tracing: Follow signal paths to identify how component failures propagate to system failure
  • Failure effect analysis: Determine how each component failure mode affects circuit function
  • Sneak circuit analysis: Identify unintended circuit paths that may cause unexpected failures
  • Interface failures: Include failures at circuit interfaces including connectors, cables, and module boundaries

FMEA complements FTA for circuit analysis by systematically identifying component failure modes that serve as basic events in the fault tree.

Software and Firmware Considerations

Modern electronic systems include software that must be addressed in fault trees:

  • Software failures: Software defects can cause system failure; include as basic events with estimated probabilities
  • Hardware-software interaction: Model failures arising from software response to hardware anomalies
  • Watchdog and monitoring: Include software monitoring functions that detect and respond to hardware failures
  • Common cause: Software running on redundant hardware represents a common cause failure source
  • Version diversity: Diverse software versions on redundant channels reduce common cause software failures

Software failures are difficult to quantify due to their deterministic nature. Approaches include using software defect data, development process quality metrics, or treating software failures as house events for sensitivity analysis.

Power Supply and Distribution

Power system failures commonly appear as high-importance events in electronic system fault trees:

  • Single power supply: Creates first-order cut set unless redundant power is provided
  • Power distribution: Failures in power buses, fuses, and regulators affect multiple downstream functions
  • Power quality: Include failures due to voltage excursions, noise, and transients
  • Backup power: Model battery backup systems including charging, monitoring, and switchover functions
  • Common power: Redundant circuits sharing common power represent common cause vulnerability

Power system analysis often reveals that apparently redundant designs share common power sources that create unexpected single points of failure.

Integration with Safety Analysis

Fault tree analysis integrates with broader safety analysis methodologies to support safety-critical system development and regulatory compliance.

Hazard Analysis Integration

FTA connects to system-level hazard analysis:

  • Top event derivation: Top events derive from hazard analysis identifying unacceptable system states
  • Safety requirement verification: FTA verifies that design meets probability targets derived from hazard analysis
  • Hazard mitigation: Cut set analysis identifies where design changes most effectively reduce hazard probability
  • Residual risk: FTA quantifies residual risk after mitigation measures are implemented
  • Documentation: FTA provides traceable evidence for safety cases and certification submissions

Integration ensures FTA addresses the right questions (top events derived from hazard analysis) and results feed back into system safety assessment.

Safety Integrity Levels

FTA supports safety integrity level (SIL) verification in functional safety standards:

  • Probability targets: SIL levels specify probability of dangerous failure targets that FTA can verify
  • Architecture requirements: Standards require specific fault tolerance that cut set analysis can confirm
  • Diagnostic coverage: FTA models impact of diagnostics on detected versus undetected dangerous failures
  • Common cause defense: Standards require common cause analysis that FTA supports
  • Proof testing: FTA models effect of periodic testing on failure probability

Standards such as IEC 61508 and ISO 26262 reference FTA as an appropriate technique for verifying safety function reliability.

Event Tree Analysis Combination

Fault trees and event trees combine for complete accident sequence analysis:

  • Complementary perspectives: FTA analyzes how systems fail (deductive); event tree analysis (ETA) models what happens after initiating events (inductive)
  • Linked analysis: Fault trees model failure of safety functions that appear as branch points in event trees
  • Accident sequences: Event tree sequences combined with FTA-derived branch probabilities yield accident sequence frequencies
  • Risk integration: Combined FTA/ETA analysis enables complete probabilistic risk assessment
  • Defense in depth: Combined analysis evaluates effectiveness of multiple protective barriers

The combination of FTA and ETA provides comprehensive risk analysis capability addressing both system failures and their consequences.

Regulatory Applications

FTA supports regulatory compliance across industries:

  • Aerospace: FAA and EASA require FTA for certification of safety-critical avionics systems under DO-178C and DO-254
  • Nuclear: NRC requires FTA as part of probabilistic risk assessment for nuclear facilities
  • Automotive: ISO 26262 specifies FTA as a method for safety analysis of automotive electrical and electronic systems
  • Medical devices: FDA accepts FTA as part of risk analysis documentation for medical device submissions
  • Rail: EN 50129 requires FTA or equivalent for safety-related railway electronic systems

Understanding regulatory requirements ensures FTA analyses meet documentation, methodology, and review requirements for specific industries.

Practical Implementation

Effective FTA implementation requires appropriate tools, processes, and organizational support. Practical considerations significantly impact analysis quality and efficiency.

Software Tools

FTA software tools range from simple drawing aids to comprehensive analysis packages:

  • Drawing capabilities: Create and edit fault tree diagrams with proper symbology and automatic layout
  • Cut set calculation: Automated determination of minimal cut sets using efficient algorithms
  • Quantification: Probability calculations with support for various probability models and time dependencies
  • Importance analysis: Automated calculation of multiple importance measures
  • Uncertainty analysis: Monte Carlo simulation for uncertainty propagation
  • Report generation: Automated documentation meeting industry standards

Commercial tools include Relex, RAM Commander, ITEM ToolKit, and others. Open-source options exist for basic applications. Tool selection depends on analysis complexity, regulatory requirements, and integration needs.

Analysis Process

A structured process ensures consistent, high-quality fault tree analyses:

  • Planning: Define scope, objectives, assumptions, and resource requirements before beginning analysis
  • Information gathering: Collect system design information, failure data, and operational context
  • Tree construction: Develop fault tree systematically with ongoing review for completeness
  • Qualitative analysis: Determine cut sets and identify critical vulnerabilities
  • Quantitative analysis: Assign probabilities and calculate results with uncertainty
  • Documentation: Record methodology, assumptions, data sources, and results
  • Review: Independent review for technical accuracy and completeness

Documented processes ensure repeatability and support regulatory review. Process rigor should match the criticality of the application.

Common Pitfalls

Awareness of common mistakes improves analysis quality:

  • Incomplete development: Stopping tree development before reaching basic events with available failure data
  • Missing failure modes: Overlooking failure modes, particularly those not directly related to component function
  • Logic errors: Incorrect gate selection (AND versus OR) that misrepresents system behavior
  • Common cause neglect: Failing to identify and model common cause failures in redundant configurations
  • Data quality: Using inappropriate or outdated failure data without adjustment for actual conditions
  • Assumption documentation: Failing to document assumptions that affect result interpretation

Independent review by experienced analysts helps identify and correct these issues before results are used for decisions.

Living Document Management

Fault trees should be maintained throughout the product lifecycle:

  • Design evolution: Update fault trees as design matures and changes
  • Field data incorporation: Refine basic event probabilities based on actual field failure data
  • Configuration control: Manage fault tree versions corresponding to product configuration
  • Change impact: Assess impact of design changes on fault tree results
  • Lessons learned: Incorporate field failure insights to improve completeness

Maintaining fault trees as living documents maximizes return on analysis investment and ensures relevance throughout product life.

Advanced Topics

Advanced FTA techniques address complex systems and special analysis requirements beyond basic methodology.

Dynamic Fault Trees

Dynamic fault trees model sequence and time-dependent failure behavior:

  • Sequence dependence: Priority AND gates model failures that cause the top event only if occurring in specific sequence
  • Spare gates: Model standby redundancy with cold, warm, or hot spare behavior
  • Functional dependencies: Model situations where one component failure affects availability of others
  • Markov model conversion: Dynamic trees can be converted to Markov models for solution
  • Mission phases: Model systems with different configurations during different mission phases

Dynamic fault trees extend FTA capability to systems where traditional static analysis is insufficient due to temporal dependencies.

Modular Decomposition

Modular approaches manage large fault tree complexity:

  • Module identification: Identify subtrees that share no basic events with the rest of the tree
  • Independent calculation: Calculate module probabilities independently and substitute into parent tree
  • Computational efficiency: Modular decomposition dramatically reduces calculation time for large trees
  • Repeated events: Repeated events appearing in multiple tree locations require special handling
  • Hierarchical analysis: Natural mapping to system hierarchy enables distributed analysis

Large fault trees may contain thousands of basic events. Modular decomposition makes analysis tractable while preserving accuracy.

Non-Coherent Fault Trees

Non-coherent trees include negated (NOT) events representing success:

  • Success branches: Some failure scenarios require both failure and success events to occur
  • Complement events: NOT gates or complement events represent component success or non-occurrence
  • Implicants versus cut sets: Non-coherent trees yield prime implicants rather than minimal cut sets
  • Calculation complexity: Standard Boolean reduction and rare event approximation require modification
  • Practical occurrence: Non-coherent situations arise in protection system analysis and human action modeling

While most reliability applications involve coherent systems, analysts should recognize non-coherent situations and apply appropriate methods.

Bayesian Updating

Bayesian methods update fault tree results as new information becomes available:

  • Prior distributions: Initial basic event probabilities expressed as probability distributions
  • Evidence incorporation: Field data, test results, or expert judgment updates distributions
  • Posterior distributions: Updated probability distributions reflect combined prior knowledge and new evidence
  • Propagation: Updated basic event distributions propagate through fault tree to update top event
  • Decision support: Bayesian updating enables value of information analysis for data collection decisions

Bayesian approaches formalize how FTA results should evolve as system experience accumulates, supporting continuous improvement of reliability estimates.

Summary

Fault Tree Analysis provides a rigorous, systematic framework for analyzing how electronic systems can fail. The top-down, deductive approach identifies all combinations of basic events that can cause system failure, enabling both qualitative insights into system vulnerabilities and quantitative estimates of system unreliability. Cut set analysis reveals single points of failure and common cause vulnerabilities, while importance measures guide resource allocation for reliability improvement.

For electronics engineers, FTA is an essential tool for safety-critical system development, supporting hazard analysis, safety integrity level verification, and regulatory compliance. The methodology integrates with other reliability techniques including FMEA, event tree analysis, and probabilistic risk assessment to provide comprehensive system safety evaluation. Whether analyzing a simple power supply or a complex avionics system, fault tree analysis provides structured insight into failure behavior that supports informed design decisions.

Effective FTA requires appropriate tools, systematic processes, and attention to common pitfalls including incomplete development, missing failure modes, and neglected common cause failures. Maintained as living documents throughout the product lifecycle, fault trees provide ongoing value from initial design through field operation. Mastery of fault tree analysis equips reliability engineers with a fundamental technique for ensuring electronic systems meet their reliability and safety requirements.