This is another form of fault tree most commonly used in the analysis of the course of the accident. It proceeds in the direction opposite to the single-failure tree, from cause to a number of consequences rather from a consequence to its various causes.

Starting from the initiating fault, an attempt is made to see where the events may lead, just as the accident might progress. Therefore, conse­quences may be both safe and unsafe.

To illustrate a flow-process tree, consider Fig. 1.28. This follows the

FUEL EJECTION —m FISS PRO ___ Ш ASEOF ION DUCT Л_____

f*| ( CRITICAL| AMOUNW

behavior of the particular system in the face of a reasonably probable fault: the installation of an oversized fuse. If an oversized fuse were installed, then the fuse would be unable to open in the face of excessive power. This is not a problem, unless the motor fails, although the failure is always a potential one while the oversized fuse is in position.

However if the motor does fail shorted, then an overcurrent will result through the system wiring and through the relay contacts. So the tree is further extended into two further possible terminations—one in which there is transient overheating but the wire is safe and the other in which the wire does fail.

Such a" fault tree answers the question: What happens as a consequence of this event? It is the tree that one would follow in any calculation of the ensuing accident. There will be further examples throughout this book; a particularly good one lies in the analysis of fuel failure and its possible extension to further failures.

Figure 1.29 shows this tree in its accident process configuration while Fig. 1.30 shows the single-failure fault tree for the pin-failure propagation. They are equivalent, and they should be referred to again after reading Chapter 4. Because such trees require an intimate knowledge of the proc­esses involved before they can be made unique, there is in fact great variety in how such trees may be laid out.