Quantitative Fault Tree Analysis

12.217. Fault tree analysis may be used to predict the probability of system failure based on data or estimates of failure at the subsystem level. For this purpose, fault tree models, like the one in Fig. 12.16, are constructed and a probability is associated with each event; the results are then combined, along the following lines. Suppose that a top event A is connected through an AND gate to three events at the second level for which the probabilities are B1, B2, and B3, respectively. The probability of A is then B1 × B2 × B3. On the other hand, if the three second-level events are connected with A by an OR gate, the probability of A is B1 + B2 + B3. The second-level events are themselves connected with third-level events and the probabilities of these events in turn determine B1, B2, etc. By proceeding in this way through all the levels, down to the lowest, of a fault tree, the probability of the top event is determined.
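The level-by-level combination described above, written out as a small evaluator. This is an added example and not code from the book; the tree shape, event names (A, B1, B2, B3, C1 to C4) and all probabilities are constructed for illustration. It implements the text's two rules (product for AND, sum for OR) and, beside them, the exact OR rule for independent inputs, 1 - (1-B1)(1-B2)(1-B3): the additive rule is the rare-event approximation and is only accurate while every input probability is small, which is one of the error sources a practitioner should keep in mind.

```python
"""Gate-by-gate evaluation of a fault tree, as in 12.217 (added example, not from the book)."""
from dataclasses import dataclass
from math import prod
from typing import List, Union


@dataclass
class Event:
    """Basic event with an estimated failure probability (constructed data)."""
    name: str
    prob: float


@dataclass
class Gate:
    """AND or OR gate whose inputs are lower-level events or gates."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: List["Node"]


Node = Union[Event, Gate]


def evaluate(node: Node, or_rule: str = "sum") -> float:
    """Probability of `node`, working down from the top event through each level.

    or_rule="sum"   uses the book's rule P(OR) = B1 + B2 + B3, which is the
                    rare-event approximation (accurate only when every Bi is small).
    or_rule="exact" uses P(OR) = 1 - (1-B1)(1-B2)(1-B3), exact for independent inputs.
    AND gates use the product of the input probabilities in both cases.
    """
    if isinstance(node, Event):
        return node.prob
    ps = [evaluate(child, or_rule) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        if or_rule == "sum":
            return sum(ps)
        if or_rule == "exact":
            return 1.0 - prod(1.0 - p for p in ps)
        raise ValueError(f"unknown or_rule {or_rule!r}")
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_example_tree() -> Gate:
    """Top event A = B1 AND B2 AND B3, where B1 and B3 are themselves OR gates
    fed by third-level events. All probabilities are constructed for illustration."""
    b1 = Gate("B1", "OR", [Event("C1", 0.01), Event("C2", 0.02)])
    b2 = Event("B2", 0.10)
    b3 = Gate("B3", "OR", [Event("C3", 0.05), Event("C4", 0.05)])
    return Gate("A", "AND", [b1, b2, b3])


def or_rule_comparison(p1: float, p2: float):
    """Return (additive rule, exact rule) for a two-input OR gate, to show where
    the additive rule breaks down once the inputs are no longer rare events."""
    gate = Gate("G", "OR", [Event("X", p1), Event("Y", p2)])
    return evaluate(gate, "sum"), evaluate(gate, "exact")


if __name__ == "__main__":
    tree = build_example_tree()
    print("P(A), additive OR rule:", evaluate(tree, "sum"))        # 3.0e-4
    print("P(A), exact OR rule   :", evaluate(tree, "exact"))      # 2.9055e-4
    print("OR of 0.6 and 0.6     :", or_rule_comparison(0.6, 0.6))  # (1.2, 0.84)
```

For the constructed tree the two OR rules differ by about three per cent, which is small compared with the uncertainty in the input estimates; for inputs of 0.6 the additive rule returns 1.2, a value that is not a probability at all, so the rule must be reserved for trees whose events are genuinely rare.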

12.218. It is evident that when a tree consists of many levels, as is commonly the case, the calculation of the probability can become very complex. As a general rule, therefore, fault tree models are first simplified as far as possible by using Boolean algebra techniques. Such simplification is aided by eliminating events of low probability and combining related events into a single event. Although the approach is straightforward, computer representation is generally necessary, even after simplification. Probabilistic analysis also makes use of event trees which are discussed in the next section.
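One concrete form of the Boolean simplification mentioned above is reduction of the tree to its minimal cut sets: each cut set is a combination of basic events whose joint failure causes the top event, and the absorption law X + XY = X removes any cut set that contains another. This added example (not the book's code) does that reduction, prunes cut sets below a probability threshold as the text suggests, and sums the surviving cut sets as the rare-event estimate of the top event. The tree, the event names P, Q, R, S and the probabilities are constructed. The example is built so that basic event P feeds both branches of the top OR gate; the plain gate-by-gate evaluation of 12.217 treats the two branches as if they were independent and counts P twice, which the simplification corrects.

```python
"""Boolean simplification of a fault tree into minimal cut sets (added example, not from the book)."""
from itertools import product
from math import prod

# Node representation assumed for this example: a basic event is a string,
# a gate is a tuple (kind, [children]) with kind "AND" or "OR".


def cut_sets(node):
    """Minimal cut sets (frozensets of basic events) whose joint failure fails `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":                      # any one input failing fails the gate
        combined = set().union(*child_sets)
    elif kind == "AND":                   # one cut set from every input must hold at once
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {kind!r}")
    return minimize(combined)


def minimize(sets):
    """Absorption law X + X*Y = X: a cut set that contains another cut set is redundant."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_set_prob(s, probs):
    """Probability of a cut set, assuming its basic events are independent."""
    return prod(probs[e] for e in s)


def prune(sets, probs, threshold):
    """Drop cut sets whose probability is below `threshold` (eliminating the
    low-probability contributions the text describes)."""
    return {s for s in sets if cut_set_prob(s, probs) >= threshold}


def top_probability(sets, probs):
    """Rare-event approximation: P(top) is the sum of the minimal cut set probabilities."""
    return sum(cut_set_prob(s, probs) for s in sets)


def gate_by_gate(node, probs):
    """Unsimplified 12.217 evaluation (product for AND, sum for OR), for comparison."""
    if isinstance(node, str):
        return probs[node]
    kind, children = node
    ps = [gate_by_gate(c, probs) for c in children]
    return prod(ps) if kind == "AND" else sum(ps)


# Constructed tree: basic event P appears under both branches of the top OR gate.
TOP = ("OR", [("AND", ["P", "Q", "R"]),
              ("AND", ["P", ("OR", ["Q", "S"])])])
PROBS = {"P": 0.1, "Q": 0.2, "R": 0.3, "S": 0.001}   # constructed estimates

if __name__ == "__main__":
    mcs = cut_sets(TOP)
    print("minimal cut sets:", sorted(sorted(s) for s in mcs))          # [['P', 'Q'], ['P', 'S']]
    print("P(top), minimal cut sets:", top_probability(mcs, PROBS))       # 0.0201
    print("P(top), pruned below 1e-2:", top_probability(prune(mcs, PROBS, 1e-2), PROBS))  # 0.02
    print("P(top), naive gate-by-gate:", gate_by_gate(TOP, PROBS))        # 0.0261
```

The cut set {P, Q, R} from the left branch is absorbed by {P, Q} from the right branch, leaving two minimal cut sets. The naive evaluation gives 0.0261 against 0.0201 from the cut sets, a 30 per cent overestimate caused entirely by the shared event P; pruning the {P, S} cut set, whose probability is four orders of magnitude below the other, changes the answer by only half a per cent, which is the kind of event the text has in mind when it speaks of eliminating low-probability events.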

12.219. There are a number of uncertainties in fault tree analysis that place error limits on the results. For example, because of the lack of experience of an event, e.g., a double-ended pipe break in the primary coolant system of a reactor, the probability of failure cannot be established and must be estimated. Allowance should also be made for human error and the unavailability of systems or components because of test or maintenance requirements. Other uncertainties may arise from possible omission of important faults and from unforeseen common-mode failures. Furthermore, in the fault tree model a component or subsystem is regarded as either failed or not failed; there is thus no allowance for a partial failure in which a subsystem may be operative but not at its full efficiency.