Fault Tree Analysis

12.212. Fault tree analysis, which is essentially a graphical communication tool based on Boolean algebra, is a key ingredient of reliability analysis and risk assessment. It has the value of identifying weak links in complex system interactions as well as providing insight into system behavior. Since risk is determined by relating the system failure probability to consequences, fault tree analysis is the first stage of risk assessment.

12.213. A system fault tree is a logic diagram which depicts the component failure modes (or, in general, faults[26]) that combine to produce a failure of the system. First, an undesired event or failed state of a system is postulated; this is called the top event. The latter is then traced back, step by step, to identify the combinations of sequences of other events or failures that could lead to the top event. After proceeding through a number (often in the tens) of secondary stages, a set of primary failures is reached which cannot (or need not) be traced further. In many cases, the failure of a complex system depends on the failures in several subsystems. Fault trees for the latter can then be analyzed separately, and the results provide part of the “primary” input to the system fault tree.

12.214. The first few stages of a fault tree are shown in Fig. 12.16, for which the top event is an insufficient flow of water from the spray intended to cool the containment atmosphere of a PWR. There are two redundant systems, A and B, either of which alone is capable of providing the necessary cooling. Hence, both systems must fail in order for the top event to occur; this is indicated by the AND logic gate, with a rounded top, relating the second level events to the undesired (top) event. The most immediate cause of the failure of the spray system would be insufficient water to the header to which the spray nozzles are attached; hence, this is regarded as the second level of the fault tree.

12.215. The third level identifies four different faults, each of which is sufficient to cause the second level event. The third level is therefore related to the second level by an OR gate, with a pointed top. Events within circles or diamonds need not be developed further. A circle indicates the failure of a component for which the probability of occurrence is available or can be determined. An event in a diamond is a fault, in its general sense, which is not developed either because of its minor significance or because of lack of information. An event within a rectangle in a fault tree is one that must be traced down to a lower level (or levels). Levels beyond the third are not shown in Fig. 12.16, although they have been traced in some instances through more than 20 stages.

[Fig. 12.16 (image not reproduced)]

12.216. Fault tree analysis has both qualitative and quantitative aspects. From the qualitative standpoint, the analysis can often identify a critical subsystem or component where a failure could have a marked influence on the failure of the entire system. Similarly, in a complex network, one event path may be found to have a controlling effect on the total failure. In these circumstances, it would be desirable to introduce redundant elements.
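The gate logic of 12.214 and 12.215 and the qualitative and quantitative sides of 12.216 can be worked through with a small evaluator. The following is an added example, not from the text: the tree shape follows Fig. 12.16 (two redundant systems under an AND gate, four faults under each OR gate), but the fault names, the shared supply fault and the probabilities are assumptions chosen to show how a single shared component becomes the controlling event.

```python
from itertools import product
# A node is a basic event (a string) or a gate ("AND", [children]) / ("OR", [children]),
# mirroring the gate symbols of Fig. 12.16.
def occurs(node, failed):
    """Boolean evaluation: does this event occur given the frozenset of failed basic events?
    An AND gate needs every input to occur, an OR gate needs any one of them."""
    if isinstance(node, str):
        return node in failed
    return (all if node[0] == "AND" else any)(occurs(c, failed) for c in node[1])

def basic_events(node):
    """Basic events beneath a node, each listed once even if it feeds several gates."""
    if isinstance(node, str):
        return [node]
    out = []
    for child in node[1]:
        out += [e for e in basic_events(child) if e not in out]
    return out

def failure_states(events):
    """Every combination of failed basic events, one frozenset per combination."""
    for states in product([False, True], repeat=len(events)):
        yield frozenset(e for e, s in zip(events, states) if s)

def top_probability(tree, p):
    """Exact top-event probability for independent basic events, summed over all 2^n
    states; unlike gate-by-gate multiplication it stays right when an event feeds two branches."""
    events = basic_events(tree)
    total = 0.0
    for failed in failure_states(events):
        if occurs(tree, failed):
            weight = 1.0
            for e in events:
                weight *= p[e] if e in failed else 1.0 - p[e]
            total += weight
    return total

def minimal_cut_sets(tree):
    """Smallest failed-event sets that produce the top event (the qualitative analysis);
    a one-element cut set marks a critical single component."""
    cuts = [f for f in failure_states(basic_events(tree)) if occurs(tree, f)]
    minimal = [c for c in cuts if not any(other < c for other in cuts)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))

# Constructed tree after Fig. 12.16: redundant systems A and B each lost by any of four faults
# (OR), top event needs both (AND). Names, the shared supply fault and probabilities are assumed.
SYSTEM_A = ("OR", ["A_pump_fails", "A_valve_stuck", "A_power_lost", "shared_supply_lost"])
SYSTEM_B = ("OR", ["B_pump_fails", "B_valve_stuck", "B_power_lost", "shared_supply_lost"])
SPRAY_TREE = ("AND", [SYSTEM_A, SYSTEM_B])
PROBS = {e: 0.01 for e in basic_events(SPRAY_TREE)}
PROBS["shared_supply_lost"] = 0.001
```

Here the shared supply fault is the only one-element minimal cut set, so it dominates the top-event probability even though it is ten times less likely than any other fault; that is the kind of critical component 12.216 describes, and where redundancy or isolation would be worth adding.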