FTA
Fault Tree Analysis (Deductive)
Watson · Bell Labs (1962) · IEC 61025 · NASA FT Handbook · ARP 4761

Fault Tree Analysis is a deductive, top-down technique that starts from a single undesired top event and works backwards through Boolean logic gates to identify the combinations of basic events whose simultaneous occurrence would cause it. It produces both qualitative output (minimal cut sets — the smallest combinations of failures sufficient to cause the top event) and quantitative output (top-event probability and cut-set importance measures).

Overview of the technique

FTA was developed by H. A. Watson at Bell Labs in 1962 to analyse the launch-control system of the Minuteman ICBM and was adopted by Boeing for commercial aircraft systems shortly afterwards. It became a cornerstone of nuclear and aerospace probabilistic safety assessment through the WASH-1400 Reactor Safety Study and is now standardised in IEC 61025:2006 and the NASA Fault Tree Handbook (NUREG-0492 / NASA-SP-2010-580). The fault tree is a graph of failure logic: an undesired top event at the root, intermediate events, and basic events at the leaves. Gates encode logical relationships — AND requires all inputs, OR requires any one, k-of-n voting gates capture redundant architectures, NOT and INHIBIT handle conditional logic, and priority-AND or dynamic gates capture sequence dependence.

Solving the tree gives minimal cut sets — the irreducible combinations of basic-event failures that lead to the top event. Their order is a structural measure of resilience: an order-1 cut set (single point of failure) is usually unacceptable; high-order cuts indicate strong defence-in-depth. Quantification combines basic-event probabilities with the gate logic to compute top-event probability, importance measures (Birnbaum, Fussell-Vesely, RAW, RRW), and sensitivity. FTA pairs naturally with FMEA (which supplies the basic events), Event Tree Analysis (which extends the analysis from initiating events to consequences) and Common Cause Analysis (which adjusts for dependence between supposedly independent failures).

[Figure 1 diagram: top event "loss of all braking" under an AND gate whose inputs are "primary system fails" and "backup system fails", each an OR gate over basic events; basic events shown: B1 pump fail, B2 leak in line, B3 accum. drain, B4 PCU stuck. Output panel: min cut sets, P(top event), importance (Birnbaum, FV).]
Figure 1. A simple FTA: redundant brake architecture — both primary and backup systems must fail (AND) for total loss; each branch fails through any of several basic events (OR).
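The tree in Figure 1, solved and quantified in code, as an added worked example that is not part of the original page, of IEC 61025 or of any FTA tool. The figure does not say which basic events feed which branch, so the assignment of B1 and B2 to the primary system and B3 and B4 to the backup, and the per-demand failure probabilities, are constructed assumptions. The same routine also expands a k-of-n voting gate (shown on a separate 2-of-3 tree), which goes beyond what the figure draws:

```python
"""Minimal cut sets, top-event probability and importance measures for a small
static fault tree.  Added worked example: not code from the original page, from
IEC 61025 or from any FTA tool.  The probabilities and the assignment of B1..B4 to
the two brake branches are constructed assumptions for illustration."""
from itertools import combinations
from math import prod

# Gate encoding: name -> ("AND", inputs) | ("OR", inputs) | ("VOTE", k, inputs).
# Any name that is not a gate key is a basic event.
BRAKE_TREE = {
    "TOP":     ("AND", ["PRIMARY", "BACKUP"]),   # total loss needs both systems failed
    "PRIMARY": ("OR",  ["B1", "B2"]),            # assumed: pump fail, leak in line
    "BACKUP":  ("OR",  ["B3", "B4"]),            # assumed: accumulator drain, PCU stuck
}
# Constructed per-demand failure probabilities (illustrative, not from the page).
Q_BRAKE = {"B1": 1e-3, "B2": 2e-3, "B3": 5e-4, "B4": 1e-3}

# Beyond the figure: a 2-of-3 voting architecture, solved by the same routine.
VOTE_TREE = {"TOP": ("VOTE", 2, ["S1", "S2", "S3"])}
Q_VOTE = {"S1": 1e-2, "S2": 1e-2, "S3": 1e-2}


def minimise(sets):
    """Drop every cut set that is a proper superset of another (absorption law)."""
    sets = set(sets)
    return {s for s in sets if not any(other < s for other in sets)}


def _and(sets_a, sets_b):
    """Cut sets of an AND of two sub-trees: one cut set from each side, unioned."""
    return {a | b for a in sets_a for b in sets_b}


def cut_sets(tree, node):
    """Minimal cut sets of `node` as a set of frozensets, by top-down Boolean expansion."""
    if node not in tree:                      # leaf: the basic event alone is a cut set
        return {frozenset([node])}
    kind, *args = tree[node]
    if kind == "OR":                          # union of the children's cut sets
        result = set().union(*(cut_sets(tree, c) for c in args[0]))
    elif kind == "AND":                       # every combination of one cut set per child
        result = {frozenset()}
        for child in args[0]:
            result = _and(result, cut_sets(tree, child))
    elif kind == "VOTE":                      # k-of-n == OR over the AND of every k-subset
        k, inputs = args
        result = set()
        for subset in combinations(inputs, k):
            partial = {frozenset()}
            for child in subset:
                partial = _and(partial, cut_sets(tree, child))
            result |= partial
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimise(result)


def top_probability(cuts, q):
    """Exact P(top) for independent basic events: inclusion-exclusion over the cut sets."""
    cuts = list(cuts)
    total = 0.0
    for r in range(1, len(cuts) + 1):
        for combo in combinations(cuts, r):
            p = prod(q[e] for e in frozenset().union(*combo))
            total += p if r % 2 else -p
    return total


def rare_event_bound(cuts, q):
    """Sum of cut-set probabilities: the first-order (rare-event) approximation."""
    return sum(prod(q[e] for e in c) for c in cuts)


def importance(tree, top, q):
    """P(top) plus Birnbaum, Fussell-Vesely, RAW and RRW for every basic event."""
    cuts = cut_sets(tree, top)
    p_top = top_probability(cuts, q)
    table = {}
    for e in sorted(q):
        p_failed = top_probability(cuts, {**q, e: 1.0})    # event certain to fail
        p_perfect = top_probability(cuts, {**q, e: 0.0})   # event cannot fail
        p_via_e = top_probability({c for c in cuts if e in c}, q)
        table[e] = {
            "birnbaum": p_failed - p_perfect,
            "fussell_vesely": p_via_e / p_top,
            "raw": p_failed / p_top,
            "rrw": float("inf") if p_perfect == 0 else p_top / p_perfect,
        }
    return p_top, table


if __name__ == "__main__":
    for name, tree, q in (("brake", BRAKE_TREE, Q_BRAKE), ("2-of-3 vote", VOTE_TREE, Q_VOTE)):
        cuts = cut_sets(tree, "TOP")
        p_top, table = importance(tree, "TOP", q)
        print(f"{name}: {len(cuts)} minimal cut sets, lowest order {min(map(len, cuts))}")
        for c in sorted(cuts, key=lambda s: (len(s), sorted(s))):
            print("   " + " AND ".join(sorted(c)))
        print(f"   P(top) exact = {p_top:.4e}, rare-event bound = {rare_event_bound(cuts, q):.4e}")
        for e, m in table.items():
            print(f"   {e}: Birnbaum={m['birnbaum']:.3e} FV={m['fussell_vesely']:.3f} "
                  f"RAW={m['raw']:.1f} RRW={m['rrw']:.2f}")
```

The expansion mirrors the MOCUS idea: an OR gate unions its children's cut sets, an AND gate takes one cut set from each child, and k-of-n is rewritten as an OR of ANDs over every k-subset, with absorption applied afterwards. For the brake tree this yields four order-2 cut sets and no single point of failure; the exact inclusion-exclusion result (about 4.5 × 10⁻⁶ with the constructed numbers) sits just below the rare-event bound, which is the usual quick upper estimate. Birnbaum measures how much P(top) moves when an event is switched between certain and impossible, Fussell-Vesely the share of P(top) flowing through cut sets that contain the event, and RAW and RRW the corresponding ratios.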

When to use it

Typical applications

  • Probabilistic Safety Assessment of complex systems
  • Certification of safety-critical aerospace and nuclear systems
  • Identifying single points of failure and weak redundancy
  • Quantifying the value of additional protection layers
  • Common-cause and dependence analysis

Aviation relevance

  • Mandated by ARP 4761 / CS-25 / FAR 25.1309 quantitative targets
  • Top-event probability must meet 1×10⁻⁹/FH for catastrophic failure conditions
  • Pairs with FMEA (basic events) and CCA (dependence)
  • Used in ATM/ANS safety cases under EUROCONTROL SAM
  • Applied to launch vehicles, UAS, and runway-incursion analysis

Benefits

Logical rigour

Boolean structure makes reasoning explicit and falsifiable; minimal cut sets reveal architectural weakness with no hand-waving.

Qualitative + quantitative

Same model produces both a structural diagnosis and a numeric probability with importance ranking — supporting both engineering judgement and certification arithmetic.

Architecture-centric

Excels at evaluating redundancy, voting and defence-in-depth designs — particularly k-of-n architectures and standby systems where intuition fails.

Mature tooling

Decades of solver development (BDD, ZBDD, MOCUS) make even very large trees tractable; commercial and open-source tools support sensitivity, uncertainty and CCF.

Limitations

Static and binary

Classical FTA models binary working/failed states and time-independent logic; dynamic FTA, Markov and Bayesian methods are needed for sequence-dependent or repairable systems.

Data hunger

Quantification depends on basic-event probabilities that are often uncertain, especially for software, novel hardware and human actions — uncertainty must be propagated honestly.

Bounded by the analyst

Only failure modes the analyst draws into the tree are quantified; unknown unknowns and emergent system behaviours stay invisible — a recurring critique from Leveson and Hollnagel.

Common-cause failures

Naive independent-failure quantification dramatically understates risk; explicit beta-factor or alpha-factor models (NUREG/CR-5485) are needed for credible numbers on redundant systems.
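To show the scale of the understatement, here is an added example (not code from the page or from NUREG/CR-5485) that quantifies a 1-of-n redundant group with the beta-factor model and sets it beside the naive independent calculation. The component failure probability q and the beta values are constructed for illustration:

```python
"""Beta-factor common-cause model for a 1-of-n redundant group versus the naive
independent-failure calculation.  Added example; not code from the page or from
NUREG/CR-5485.  The failure probability q and the beta values are constructed."""


def independent_group(q, n):
    """Naive model: the group fails only if all n components fail independently."""
    return q ** n


def beta_factor_group(q, n, beta):
    """Beta-factor model: each component's failure probability q is split into an
    independent part (1 - beta) * q and a shared common-cause event of probability
    beta * q that fails every component at once.  Top event = (all n independent
    parts fail) OR (common-cause event), evaluated exactly with the parts independent."""
    q_ind = (1.0 - beta) * q
    q_ccf = beta * q
    return 1.0 - (1.0 - q_ind ** n) * (1.0 - q_ccf)


def understatement(q, n, beta):
    """Factor by which the independent model understates P(top) for the group."""
    return beta_factor_group(q, n, beta) / independent_group(q, n)


def table(q, betas=(0.0, 0.01, 0.05, 0.1), channels=(1, 2, 3, 4)):
    """P(top) for every (beta, n) pair; beta = 0 reproduces the independent model."""
    return {(beta, n): beta_factor_group(q, n, beta) for beta in betas for n in channels}


if __name__ == "__main__":
    q = 1e-3                                   # constructed per-demand failure probability
    betas, channels = (0.0, 0.01, 0.05, 0.1), (1, 2, 3, 4)
    results = table(q, betas, channels)
    print(f"P(group fails) for component q = {q:g}")
    print("beta   " + "".join(f"{'n=' + str(n):>12}" for n in channels))
    for beta in betas:
        row = "".join(f"{results[(beta, n)]:>12.2e}" for n in channels)
        print(f"{beta:<6} {row}")
    gain = 1 - beta_factor_group(q, 3, 0.1) / beta_factor_group(q, 2, 0.1)
    print(f"\nbeta = 0.1, n = 2: independent model understates by x{understatement(q, 2, 0.1):.0f}; "
          f"a third channel lowers P(top) by only {gain * 100:.1f} %")
```

With q = 10⁻³ and beta = 0.1 the dual-redundant group fails with probability a little above 10⁻⁴, roughly a hundred times the 10⁻⁶ the independent AND gate reports, and the table shows P(top) flattening at about beta × q however many channels are added: once the shared cause dominates, further redundancy buys almost nothing, which is why credible numbers for redundant systems need an explicit common-cause term.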

In short

FTA reasons backwards from a single undesired event through Boolean logic to its causes, yielding both a structural map (minimal cut sets) and a probability. It is the workhorse of aerospace and nuclear PSA, especially when paired with FMEA, ETA and CCA.

References (APA 7)

Vesely, W. E., Goldberg, F. F., Roberts, N. H., & Haasl, D. F. (1981). Fault tree handbook (NUREG-0492). U.S. Nuclear Regulatory Commission.

Stamatelatos, M., Vesely, W., Dugan, J., Fragola, J., Minarick, J., & Railsback, J. (2002). Fault tree handbook with aerospace applications. NASA Office of Safety and Mission Assurance.

International Electrotechnical Commission. (2006). Fault tree analysis (FTA) (IEC 61025:2006). IEC.

Society of Automotive Engineers. (2010). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment (ARP 4761A). SAE International.

Mosleh, A., Rasmuson, D. M., & Marshall, F. M. (1998). Guidelines on modeling common-cause failures in probabilistic risk assessment (NUREG/CR-5485). U.S. Nuclear Regulatory Commission.

Watson, H. A. (1961). Launch control safety study. Bell Labs.

Further reading

Modarres, M., Kaminskiy, M., & Krivtsov, V. (2017). Reliability engineering and risk analysis (3rd ed.). CRC Press.

Rauzy, A. (1993). New algorithms for fault trees analysis. Reliability Engineering & System Safety, 40(3), 203–211.

Bedford, T., & Cooke, R. (2001). Probabilistic risk analysis: Foundations and methods. Cambridge University Press.

Cepin, M. (2011). Assessment of power system reliability. Springer.