Event Tree Analysis (ETA)
Event tree analysis (ETA) is a safety engineering technique that uses forward searching of decision trees to identify sequences of failures (i.e., hazardous events) and the resulting hazardous conditions that can lead to accidents.

Because fault tree analysis (FTA) leads to impractically large and complicated decision trees when applied to large systems, event tree analysis was adapted from business and economics to break the problem into smaller parts to which FTA can be successfully applied.
The typical objectives of event tree analysis are to:
- Determine the various accident scenarios that may result from a single initiating failure event.
- Determine the safeguards whose failure contributes most to the probability of an accident.
- Determine the most important failure events on which to perform fault tree analysis.
- Enable safety engineers to estimate the probability of the various success/failure event sequences that may or may not lead to an accident.
Event tree analysis can typically begin when the following preconditions hold:
- Most of the architecture and design (including safeguards) of the system must be complete.
- The safety engineers performing the event tree analysis must either fully understand the architecture and design or else have significant access to subject matter experts who do.

Event tree analysis is typically complete if the following postconditions hold:
- Event trees have been produced for all initiating failure events that may result in significant accidents.
When using the event tree analysis technique, the safety team typically performs the following steps in an iterative, incremental, and parallel manner:
- Identify the initiating event (i.e., failure) used as the root of the event tree.
- Identify the safeguards (i.e., protection systems or devices) that are relevant after the initiating failure.
- Order these safeguards from left to right across the top of the event tree in the order in which they will be demanded.
- Draw the event tree from left to right, with each branching based on the successful (upper branch) or unsuccessful (lower branch) performance of the safeguard.
- Continue drawing the event tree until the strings of failures have led to all relevant accidents.
- Determine and label the conditional probabilities of the individual branches.
Event tree analysis typically results in the following work
products:
Event tree analysis is typically subject to the following
limitations:
- Because ETA is concerned with component failures, it is more oriented toward failure (i.e., reliability) analysis of systems than toward safety analysis.
- Because ETA is appropriate only after most of the design is complete, it is of little value during requirements analysis for identifying system safety requirements.
- Although simpler than the corresponding fault trees, event trees can nevertheless become quite complex.
- Multiple event trees need to be generated, one for each initiating failure.
- Unless it is obvious which paths of component failures lead to system failure (an accident), fault tree analysis is required to identify the failure modes.
- It may not be possible to determine all initiating failure events that lead to significant accidents, especially for systems that do not have a significant failure and accident history.
- The combination of event tree analysis and fault tree analysis can take many person-years for a complex system, even when many simplifying assumptions are made.
- Event trees are less able than fault trees to handle combinations of multiple events because they do not support the use of logical operators (e.g., AND and OR).
- It is difficult to identify all safeguards and to know the correct temporal ordering of these safeguards for large, complex systems.
- It is difficult to represent interactions between event states on different event trees.
- It is difficult to analyze the effects of multiple initiating failure events.
Event tree analysis typically relies on the following assumptions:
- The failure events are independent of one another (i.e., there are no common mode failures), so that conditional probabilities can be multiplied along a branch.
- The time ordering of the failure events is stable.
The following guidelines typically apply when performing event tree analysis:
- Use event tree analysis to decompose the problem into parts that are small enough to be analyzable using fault tree analysis.
- Simplify large event trees by pruning impossible branches (i.e., those whose associated functional or operational relationships are illogical or meaningless).
- Label the safeguards (i.e., safety protection systems or devices) above the conditions in order to simplify the identification of the branch event labels.
- For rare accidents, you can usually approximate the all-success branch probability as 1 and only worry about the probabilities of branches with at least one unsuccessful path segment.
- The timing of the branching can cause problems because, in some cases, the failure logic can change depending on when the failure events take place.
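The step-by-step procedure above (ordering safeguards left to right, branching on success/failure, multiplying conditional probabilities) and the guidelines on pruning impossible branches, feeding the detail work to FTA and the rare-accident approximation can all be exercised on a small tree. The following is an added example written for this page, not code from the original; the scenario (a malicious attachment reaching a user mailbox, followed by four defensive safeguards), every frequency and probability, and the function names are constructed for illustration.

```python
"""Event tree for one initiating event, with one safeguard's failure probability fed by a tiny fault tree.

Constructed example: the initiating event, the safeguards and every number below are invented.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Safeguard:
    name: str
    p_fail: float            # conditional probability the safeguard fails when demanded
    stops_on_success: bool   # True: success ends the sequence, later safeguards are never demanded


@dataclass(frozen=True)
class Path:
    branches: tuple[str, ...]   # "S" = upper (success) branch, "F" = lower (failure) branch, left to right
    frequency: float            # initiating-event frequency times the conditional branch probabilities
    outcome: str


# Minimal fault-tree gates for independent basic events: this is how a safeguard's p_fail
# can be produced by FTA on a part small enough to analyse.
def fault_tree_or(*p: float) -> float:
    return 1 - prod(1 - x for x in p)


def fault_tree_and(*p: float) -> float:
    return prod(p)


def build_event_tree(initiator_freq, safeguards, outcome_of, approximate_success=False):
    """Walk the tree left to right; each demanded safeguard branches into S (upper) and F (lower).

    Branches that cannot occur (anything after a stopping safeguard succeeded) are never
    generated, which is the pruning of impossible branches.  With approximate_success the
    success probabilities are taken as 1, the shortcut the page allows for rare accidents.
    """
    paths = []

    def walk(i, branches, freq):
        if i == len(safeguards):
            paths.append(Path(branches, freq, outcome_of(branches)))
            return
        sg = safeguards[i]
        p_ok = 1.0 if approximate_success else 1 - sg.p_fail
        upper = branches + ("S",)
        if sg.stops_on_success:
            paths.append(Path(upper, freq * p_ok, outcome_of(upper)))  # pruned: nothing demanded after this
        else:
            walk(i + 1, upper, freq * p_ok)
        walk(i + 1, branches + ("F",), freq * sg.p_fail)

    walk(0, (), initiator_freq)
    return paths


def accident_frequency(paths, no_accident="no incident"):
    return sum(p.frequency for p in paths if p.outcome != no_accident)


def frequency_by_outcome(paths):
    totals = {}
    for p in paths:
        totals[p.outcome] = totals.get(p.outcome, 0.0) + p.frequency
    return totals


def safeguard_contributions(paths, safeguards, no_accident="no incident"):
    """Accident frequency to which each safeguard's failure contributes: the candidates for FTA."""
    contrib = {sg.name: 0.0 for sg in safeguards}
    for p in paths:
        if p.outcome == no_accident:
            continue
        for sg, b in zip(safeguards, p.branches):
            if b == "F":
                contrib[sg.name] += p.frequency
    return contrib


# Constructed scenario (all values invented).
INITIATOR_PER_YEAR = 100.0   # malicious attachments reaching mailboxes per year
SAFEGUARDS = [
    Safeguard("mail sandbox detonates and blocks attachment", 0.20, stops_on_success=True),
    Safeguard("user does not open attachment", 0.25, stops_on_success=True),
    # endpoint protection fails if the agent is not running OR the sample evades detection
    Safeguard("endpoint protection blocks execution", fault_tree_or(0.10, 0.10), stops_on_success=True),
    Safeguard("egress filtering blocks command-and-control", 0.50, stops_on_success=False),
    Safeguard("detection and response isolates the host", 0.10, stops_on_success=False),
]


def consequence(branches):
    if len(branches) < len(SAFEGUARDS):      # a stopping safeguard succeeded
        return "no incident"
    c2_blocked, contained = branches[3] == "S", branches[4] == "S"
    if c2_blocked and contained:
        return "local infection, contained"
    if c2_blocked:
        return "local infection, persists"
    if contained:
        return "C2 established, contained"
    return "data exfiltration"


def analyse(approximate_success=False):
    paths = build_event_tree(INITIATOR_PER_YEAR, SAFEGUARDS, consequence, approximate_success)
    return paths, accident_frequency(paths), safeguard_contributions(paths, SAFEGUARDS)


if __name__ == "__main__":
    paths, acc, contrib = analyse()
    for p in paths:
        print(f"{''.join(p.branches):<5} {p.frequency:9.4f}/yr  {p.outcome}")
    print(f"accidents per year: exact {acc:.4f}, rare-accident approximation {analyse(True)[1]:.4f}")
    for name, f in sorted(contrib.items(), key=lambda kv: -kv[1]):
        print(f"{f:8.4f}/yr  {name}")
```

Only seven paths survive because a stopping safeguard's success ends the sequence, so the 32 combinations a naive enumeration of five binary branches would produce collapse to the branches that can actually occur. The contribution ranking singles out the safeguards whose failure sits on every accident path, which is where the page says to spend fault tree effort. Note that the rare-accident approximation overstates the accident frequency considerably here (about 1.57 versus 0.95 per year) because the constructed failure probabilities of 0.5 and 0.1 are not small; the shortcut is only safe when every success branch really is close to 1.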