
Fault Tree Analysis (FTA)

This technique has been used by the National Aeronautics and Space Administration (NASA) in
their space programmes and has also been used in the nuclear industry. FTA is used extensively
in the field of reliability, safety, and risk analysis. It is a convenient method of representing the
logical connection between the failure modes of a system. The top of the tree, the top event, can
be evaluated qualitatively or quantitatively (failure rate data would be required for the
latter), with the aid of a computer program.
FTA is defined as "The study of the possible sequences of events constituting the failure of a
system using the diagrammatic method of algorithms." (BS 4778 17.9.)
The first step is to define the system that is to be analysed, to prevent the tree from becoming too
complex. A tree can analyse only one top event, so several trees may be needed for one product. A
system can be divided into its operation phases so that each can be analysed separately, e.g.
start-up, run, shut-down. The next step is the selection of the top event, which is the undesirable
event, e.g. fire, explosion, or failure of a system, sub-system or assembly. The tree then develops
by the identification of the logical combination of the failure modes that would result in the
occurrence of the top event.
The modes of failure can have a variety of causes, such as the breakdown of an individual
component, operator error, the failure of a test procedure or a maintenance program. The failure
modes are combined in a number of ways which are called 'gates'.

Some basic Fault Tree symbols.


Having completed the tree, the analyst will then evaluate it to discover what specific actions are
required and then, obviously, make the appropriate recommendations.

Fault Tree Analysis - Top-down method

Failure Mode and Effects Analysis - Bottom-up method

Simple Fault Tree Analysis: mains operated electric food mixer

CASE HISTORY 1
The Amoco Cadiz
At 9.45 am on 16 March 1978 the steering-gear of the tanker Amoco Cadiz broke down in rough
seas, about ten miles from the Isle of Ushant, off Brest. The cause was the failure of a pipe flange
on the main steering-gear hydraulic circuit which allowed the oil in the system to be discharged
into the steering-gear compartment. The crew were unable to recharge the system and regain
control of the steerage before the ship grounded at 21.04. Over the next few days the entire cargo
of 226 000 tonnes of crude oil polluted hundreds of miles of the French coastline.
The steering gear and related equipment of the Amoco Cadiz complied with all existing
international regulations, which raised doubts about their adequacy. The disaster highlighted
both the basic weakness of the single hydraulic circuit, almost universally employed in the ram
and rotary vane types of steering gear, and the drastic potential consequences of the failure of the
steering gear of a large tanker.
Following the Amoco Cadiz casualty new international regulations were developed as a matter of
urgency for the steering gears of all ships, but with particular emphasis on large tankers. The new
regulations concentrated on the importance of maintaining the integrity of at least part of the
hydraulic circuit after a single failure of pressure parts, so that steering capability could be
maintained or be rapidly recovered after a fault. The regulations envisage automatic changeover
of separate identical systems, or means to separate automatically a single hydraulic circuit in
order to isolate a fault in pressure parts.
The simple fault tree analysis, in Figure 4, of the type of steering-gear used in the Amoco Cadiz
shows the route to failure in a qualitative manner direct through the OR gates. Figure 5 shows a
fault tree analysis of a conventional four-ram steering gear with six failure modes leading
through the OR gates. Figure 6 shows a fault tree analysis of the same type of steering-gear
designed in accordance with the new regulations, and fitted with separate and independent power
actuating systems, and shows the failure modes through the OR gates reduced to two.
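
The comparison above can be reproduced by computing minimal cut sets, as in this added example (not part of the original text). The two trees and their event names are constructed for illustration, since the figures are not reproduced here; they are built so that the single-failure routes number six and two as described, and the 0.01 per-event probability is an assumed value for the quantitative evaluation.

```python
import math
from itertools import product

# Constructed trees: event names are illustrative, not read from the page's figures.
# A node is a basic-event name (str) or a gate tuple ("OR" | "AND", [children]).
SINGLE_CIRCUIT = ("OR", ["pipe_flange", "relief_valve", "ram_seal",
                         "pump", "hydraulic_oil", "control_linkage"])

def actuating_system(tag):
    """One independent power actuating system: any one fault disables it."""
    parts = ("pipe_flange", "relief_valve", "ram_seal", "pump")
    return ("OR", [f"{tag}_{part}" for part in parts])

REDUNDANT = ("OR", ["rudder_stock", "control_linkage",
                    ("AND", [actuating_system("A"), actuating_system("B")])])

def cut_sets(node):
    """All combinations of basic events that are sufficient to cause `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    per_child = [cut_sets(child) for child in children]
    if gate == "OR":   # any one child suffices
        return [cs for sets in per_child for cs in sets]
    if gate == "AND":  # one cut set from every child must occur together
        return [frozenset().union(*combo) for combo in product(*per_child)]
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Cut sets with every strict superset of another cut set removed."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))

def single_points_of_failure(node):
    return [next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1]

def top_probability(node, p):
    """Top-event probability with the same assumed p for every basic event.
    Exact only if basic events are independent and each appears once."""
    if isinstance(node, str):
        return p
    probs = [top_probability(child, p) for child in node[1]]
    if node[0] == "AND":
        return math.prod(probs)
    return 1 - math.prod(1 - q for q in probs)

if __name__ == "__main__":
    for name, tree in (("single circuit", SINGLE_CIRCUIT), ("redundant", REDUNDANT)):
        print(name, single_points_of_failure(tree), round(top_probability(tree, 0.01), 4))
```

Every pressure-part fault that was a cut set of order one in the single-circuit tree becomes part of an order-two cut set under the AND gate, which is why only the two shared events remain as single points of failure.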
The result of the grounding of the Amoco Cadiz was a series of complex international law suits
which were consolidated into a single court action. Judge Frank McGarr of the Eastern Division
of the Northern Circuit, Court of Illinois issued a 111-page opinion. He said, inter alia, that
Amoco was entitled to damages against Astilleros, the Spanish shipyard which built the Amoco
Cadiz, 'to the extent that its own liability was contributed to by the negligence and fault of the
shipbuilder'.
The judge concluded that Amoco International Oil Company (AIOC), the operator, 'negligently
performed its duty to ensure that the Amoco Cadiz in general and its steering gear in particular
were seaworthy, adequately maintained and in proper repair'.
He noted that AIOC 'negligently performed its duty to ensure that the crew of the Amoco Cadiz
was properly trained', and failed in its duty to ensure that the design and construction of the
Amoco Cadiz was 'properly carried out so as to result in a seaworthy vessel'. He said AIOC was
negligent in operating the Amoco Cadiz without a redundant steering system, or any other means
of controlling the rudder, in the event of the complete failure of the hydraulic steering system.
In arriving at his decision Judge McGarr outlined the history and operation of the Amoco Cadiz.
These indicated there were problems with its steering gear from the start, which were not
adequately comprehended or repaired. In addition the Oil Company did not follow the
maintenance instructions for the steering gear, which ultimately caused the disaster.
Judge McGarr listed several areas where AIOC failed to maintain the steering gear of the Amoco
Cadiz properly. The company did not act to ensure that the filters on the steering gear were
cleaned according to the instruction manual; it did not act to ensure that the oil in the
steering-gear was changed; it did not arrange to have samples of the hydraulic fluid analysed; it did not
require the ship's steering-gear system to be purged to remove air.
In addition he faulted the company for accepting the ship from the Spanish shipyard with
acknowledged defects in its steering gear. In particular the ship was delivered with cast-iron
steering-gear ram bushings. It arranged to have bronze bushings installed on its own vessels and
placed additional bushings on board the Amoco Cadiz. These were not installed.
The judge noted that Amoco Cadiz's steering gear in the last four months of its life was losing 7
to 12 litres of hydraulic fluid a day. This was 'greatly in excess of what would occur with a
properly maintained system'. The report said, 'This excessive consumption was known to AIOC
which in the exercise of ordinary skill and prudence, should have recognised it as symptomatic
of a progressive degradation of the system's reliability.'

With both steering gear pumps secured the Amoco Cadiz and her sister-ships experienced as
much as 15 degrees of rudder movement while in port. 'This fact was well known among AIOC
engineers and should have signalled a serious malfunction of the two-sided restrain system of the
Amoco Cadiz steering mechanism.' The unexplained rudder movement of the Amoco Cadiz was
not properly investigated and was not corrected. AIOC failed to instruct the Amoco Cadiz crew
in emergency steering-gear drills and procedures to be followed in the event of a steering-gear
breakdown.

Simple Fault Tree Analysis showing the route to failure of an Amoco Cadiz type steering gear

Fault Tree Analysis of a conventional four-ram steering gear, showing six modes through the OR
gates

The figure shows a complete fault tree analysis of a bearing with the undesirable top event
'catastrophic bearing failure'
