### Definition(s)

#### Fault Tree

In a fault tree the conditions necessary for a failure are presented in a reverse order starting with the unwanted or “top” event. Circumstances leading to this event are then developed. This activity, in itself, is useful in that it logically presents cause combinations. The fault tree is then “resolved” to eliminate duplication (this requires a little expertise in the application of Boolean algebra) and by applying failure estimates at the base of the tree and working up, the likelihood of the “top” event occurring may be estimated as either a probability or a frequency.

Source: Approved Code of Practice for Managing Hazards to Prevent Major Industrial Accidents, Health and Safety in Employment Act 1992, Department of Labour, New Zealand, July 1994. Regulatory Guidance

#### Fault Tree

Graphical tool used to illustrate the range, probability, and interaction of causal occurrences that lead to a final outcome.

Sample Usage: A fault tree for machinery was used to diagram the possible points of failure.

Annotation:

1. Fault trees use inductive (backwards) logic; they begin with a final occurrence and work backwards in time to determine the possible causes.
2. A fault tree can be used to quantitatively estimate the probability of a program or system failure by visually displaying and evaluating failure paths.
3. Fault trees can identify system components that lack redundancy or are overly redundant.
4. As an example, consider Figure B. The final outcome, labelled here as Damage to System, is shown at the top of the fault tree. All of the events that could lead to Damage to System are diagrammed in the tree beneath the final outcome. Each event either does or does not occur, and the events are interconnected by logical functions OR and AND.

Notice that one event that could result in Damage to System is if a Successful Attack occurs. Successful Attack is one of the final states depicted in the Event Tree example. The occurrence of a Successful Attack depends on 1) an attack being attempted, 2) the failure of Personnel Action to Stop Attack, AND 3) the failure of Security Equipment to Stop Attack. If the probability of an attack being attempted is P0, then the probability of a Successful Attack is the probability that all three of these conditions are met, equal to P0 × P1 × P2.

However, Damage to System can also occur if Natural Disaster occurs, which happens with probability of P3. Assuming that P0 equals 5% or 0.05, P1 equals 10% or 0.1, P2 equals 30% or 0.3, and P3 equals 20% or 0.2, then the overall probability of Damage to System is calculated as follows:

Probability of Damage to System = Probability that Natural Disaster occurs OR Successful Attack occurs

= 1 - [Probability that Natural Disaster does not occur AND Successful Attack does not occur]

= 1 - [(1 - P3) × (1 - P0 × P1 × P2)]

= 1 - [0.8 × (1 - 0.0015)]

= 0.2012

Therefore, the probability of Damage to the System from all possible hazards is approximately 20%.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
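The Figure B calculation above, and the "resolving" step from the first definition, as an added example that is not taken from any of the cited sources. It goes beyond the worked case by reducing a tree to minimal cut sets, which stays correct when a basic event repeats; node names, the `SHARED` tree and its probabilities are constructed, and basic events are assumed independent.

```python
from itertools import combinations
from math import prod

# Constructed inputs. A node is a basic-event name or (gate, [children]).
# FIGURE_B mirrors the tree described in the text; node names are assumptions.
FIGURE_B = ("OR", ["natural_disaster",
                   ("AND", ["attack_attempted", "personnel_fail", "equipment_fail"])])
PROBS = {"attack_attempted": 0.05, "personnel_fail": 0.1,
         "equipment_fail": 0.3, "natural_disaster": 0.2}
# Hypothetical tree in which one basic event (power_loss) feeds two branches.
SHARED = ("OR", [("AND", ["power_loss", "pump_a_fail"]),
                 ("AND", ["power_loss", "pump_b_fail"])])
SHARED_PROBS = {"power_loss": 0.1, "pump_a_fail": 0.5, "pump_b_fail": 0.5}


def cut_sets(node):
    """Resolve a tree into its minimal cut sets (a set of frozensets)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        result = set().union(*child_sets)
    elif gate == "AND":
        result = {frozenset()}
        for sets in child_sets:
            result = {a | b for a in result for b in sets}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Boolean absorption (A + A.B = A): drop sets that strictly contain another.
    return {s for s in result if not any(t < s for t in result)}


def top_probability(node, probs):
    """Exact top-event probability: inclusion-exclusion over minimal cut sets."""
    sets = list(cut_sets(node))
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            events = frozenset().union(*combo)  # all events that must occur
            total += (-1) ** (k + 1) * prod(probs[e] for e in events)
    return total


def naive_probability(node, probs):
    """Gate-by-gate rule used in the text; valid only if no event repeats."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    ps = [naive_probability(c, probs) for c in children]
    return prod(ps) if gate == "AND" else 1 - prod(1 - p for p in ps)
```

For Figure B both functions agree; for `SHARED` the gate-by-gate rule overstates the result because it counts `power_loss` twice.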

#### Fault Tree

Tree-like diagram based upon the application of “and/or” logic used to identify alternative sequences of hardware faults and human errors that result in system failures or hazardous events.

NOTE: When quantified, fault trees allow system-failure probability or frequency to be calculated.

Source: ISO 17776:2000, Petroleum and natural gas industries – Offshore production installations – Guidelines on tools and techniques for hazard identification and risk assessment. Global Standards