Hazard Analysis and Fault Tree Analysis

Bill Vesely
NASA HQ

1
Use of a Fault Tree in Identifying Hazards

When a fault tree is used to identify the hazards then it

is often called a Master Logic Diagram (MLD)
The top event is the undesired event that can result
from the hazards
The top event is resolved to initiating events that can
result in the undesired event
Each initiating event is developed into an accident
scenario to assess the associated risk
Each initiating event is also linked to the conditions
enabling the initiating event

2
 A Master Logic Diagram for the Space Shuttle for
Loss of Crew and Vehicle (LOCV) Due to Fire
L O C V D ue to L oss o f
Stru ctu ral I nte grity C ause d b y
Fire/E x plosion d u rin g As ce nt

L O C V -Ascent-LS-F irE xp
2
1

APU cause d F ire/E xplosio n SRB cause d Fire/E xplosion M PS cause d OM S/R CS cau sed
Fire/E x plosion Fire/E x plosion

FC P fue l le ak

RSR M failure s causin g S R B S y stem failu re

APU ex h au st APU fuel elem ent Fire/E x plo sio n cau sin g S TS e lem en t
leak d am age leak d am age F ire/E x p lo s io n
O verp ress u rezatio n O verp ress u riz atio n
due to OM S failu re due to R C S failu re

Fo reign obje ct R SR M fails to m aintain s afe O verp ress u riz atio n

R S S d estru ct d am age ST S attitu de/perform ance due to M PS failu re
co m m an d o f S TS due to T hrus t failu re E T Fire/E x plosion
d u e to elem en t failu re

Stru ctu re bre ak up o f R SR M stru ctural failu re M PS fuel le ak

RSR M resultin g in cau sin g Fire/E xp los io n
Fire/E x p o f ST S ve hicle in othe r ST S elem e nts
Fire/E x plosion o f ST S E T fa ilu re cau s in g
du rin g Sep aration e lem en t
F ire/E x p lo s io n

M PS H2 le ak M PS O2 le ak

SSM E Fire/E x plo sio n

O rb iter fa ilu re cau sin g
Stru ctu re failure o f
elem en t F ir/Ex p lo sio n F ire/E x p lo s io n o f R SRM co m p one nts
o th er S TS e lem en ts

O rb ote r I/F le ak age

PR SD cause d Fire/E x plosion

3
Constructing an Accident Scenario for Each
Initiating Event
The accident scenario defines additional enabling
events (pivotal events) which are necessary for the
initiating event to progress to the undesired final
event
The pivotal events in the accident scenario are
resolved to basic causal events at which controls
are applied
The initiating event can also be resolved to more
basic causal events where controls can be
instituted

4
Approaches for Constructing the Accident
Scenario

Event Sequence Diagrams (ESDs) construct

the accident scenario as a chain sequence
Event Trees (ETs) construct the accident
scenario as an event tree
Fault Trees (FTs) construct the accident
scenario as a fault tree

5
Illustration of a Basic Event Sequence
Diagram

Initiating Pivotal Pivotal Final Undesired

Event Event Event Event

6
 High
HighMass
Mass
Pump
Pump Uncontained
Uncontained
Piece
Piece Fire
Fire LOC/V
LOC/V
Rub
Rub Failure
Failure
Liberated
Liberated

Rotor
Rotor Uncontained
Shift Uncontained Fire LOC/V
Shift Failure Fire LOC/V
Failure
High
HighMass
Mass
Turbine
Turbine Piece
Piece
Rub
Rub
Inspection Critical Crack Liberated
Pre-Existing Inspection Critical Crackinin Liberated Mass
MassHits
Hits
Pre-Existing Probability Crack Critical Fire
Fire LOC/V
LOC/V
Crack Probability Crack Critical Gox
GoxHex
Hex
Crack ofofDetection Size Area
Detection Size Area
Loss
Lossofof Turbine
Turbine Redline
Redline
Turbine
Turbine Over
Over LOC/V
LOC/V
Failure
Failure
Power
Power Temp
Temp

An Event Sequence Diagram (ESD) for a Hazard

Analysis of Cracks Existing in the Turn-Around-Duct of
the High Pressure Pump of the SSME

7
 2nd Stage Impeller Blade
ESD ~ Pre-Existing Flaw

Pre-
Existing PE 4
Crack PE 5 PE 6
Loss of PE 7
Impeller Loss of Turbine Redline
Turbine Overtemp LOC/V
Head Failure
Rise Power
PE 1 PE 2 PE 3
Missed Critical
Critical
Crack Crack
Area
Inspection Size
PE 8 PE 9
Loss of Disk Over PE 10
Torque Speed, Fire/
LOC/V
Carrying Burst, Case Explosion
Capability Penetration

8
Event Sequence Diagram for External Leakage
of Hydrazine in the APU
External Yes Yes Yes
Sufficient Ignition Source
Leakage of LOV/C
Hydrazine Hydrazine Release Present

Random Failure
Or Missed Defect No No

MS MS

Mission Success Mission Success

9
Basic Event Tree Model

Initiating Pivotal Pivotal Pivotal

Event Event Event Event
MS

MS

MS

No

Yes
Undesired
Event

10
 ET Weld Defect Event Tree
Critical defect in Critical defect in
Critical defect
Make Weld No critical defect detected before No critical defect repaired weld Critical defect Post proof NDE weld detected
in weld in repaired weld detected before survives proof required? during post proof
proof
proof NDE
Post-Repair- Require-Post-
Weld Good-Weld Pre-Proof-NDE Post-Repair-NDE Proof Post-Proof-NDE # End-State Names
Defects Proof-NDE

1 Good weld
No critical defect in weld d

2 Weld repair good

Weld fixed

3 Repair weld
Repair weld Repair tank

4 Repair & reproof

Critical defect Repair tank t k
still in weld
Make Weld Critical defect 5 Flawed weld on
still in weld Critical defect ET
Critical defect still in weld
still in weld 6 Repair & reproof
Repair tank t k
Critical defect
in weld 7 Repair & reproof
Repair tank t k

Another chance 8 Flawed weld on

to find defect Critical defect ET
Critical defect still in weld
still in weld 9 Flawed weld on
Weld unrepaired Critical defect ET
still in weld
10 Repair & reproof
Repair tank t k
PRA-Weld-Model - Event Tree Diagram for Weld

Weld Process Example

11
 LOCV due to Fire
From a Pre-
existing Crack

Mass fragments
Fire occurs from
generated
mass fragments

Rubbing of
Pump Rubbing of pump generates
mass fragments

Rotor shift due

to crack Rotor shift causes
rubbing of pump

Fault Tree for the Hazard

of a Crack Causing a Fire
Crack missed
by inspection
Crack causes
rotor shift and LOCV

12
 SRB–TVC–APU–LF–HDZ–LK–CFL

Leak Screening Sufficient Ignition

Initiating Event Misses Leak Quantity Source

SRB_TVC_APU_LF_LK_IE SRB_TVC_APU_LF_LK_SC SRB_TVC_APU_LF_LK_SQ SRB_TVC_APU_LF_LK_IG

Accident Scenarios Modeled in Fault Trees

SRB–TVC–APU–LF–HDZ–LK–RC

Leak Caught,
Leak Sufficient Ignition
Prob. Of
Initiating Event Quantity Source
Reoccurrence

SRB_TVC_APU_LF_LK_IE SRB_TVC_APU_LF_LK_RC SRB_TVC_APU_LF_LK_SQ 13

SRB_TVC_APU_LF_LK_IG
A Fault Tree is Generally Not
Recommended for Scenario Modeling

An accident scenario generally involves a time

sequence of events
Accident scenario modeling is inductive and
determines subsequent events and resulting
consequences
Accident scenarios are best modeled using ESDs or
ETs
A fault tree is a deductive model resolving an
undesired event into primary causes
FTs are best applied in resolving the events in an
accident scenario to primary causal events

14
FTA Application in Resolving an Event to
Basic Causal Events

The top event of the FT is the initiating event or one of

the enabling events in the accident scenario
The FT is developed to basic causal events at which
controls are applied
The basic causal event description includes the relevant
failure mode as done in standard FTA
Primitive root causes of the basic causal event are not
resolved unless controls are applied at this level

15
Use of a FT in Modeling System Failures in
an Accident Scenario

Certain of the enabling events (pivotal

events) in the accident scenarios can in
particular involve system failures
A fault tree is then constructed for each
system failure to resolve to component
failures or basic causes
The fault trees are then linked to the accident
scenarios to evaluate the accident risks

16
Illustration of a Basic Event Sequence
Diagram with a Linked Fault Tree

Initiating Pivotal Pivotal Final Undesired

Event Event Event Event

17
Reference

“Fault Tree Handbook with Aerospace Applications’,

Version 1.1, NASA Publication, August 2002.

18