Fault tree analysis (FTA)

Describes fault tree analysis and provides guidance on its application to perform an analysis, identifies appropriate assumptions, events and failure modes, and provides identification rules and symbols.

Analyse par arbre de panne (AAP) [French edition title]

Describes fault tree analysis and gives guidelines on its application; indicates the procedure to follow to perform an analysis, specifying the required assumptions, events and failure modes, and gives the identification rules and symbols to be used.

General Information

Status: Published
Publication Date: 12-Dec-2006
Technical Committee: TC 56 (Dependability)
Current Stage: PPUB - Publication issued
Start Date: 13-Dec-2006
Completion Date: 28-Feb-2007
Overview

IEC 61025:2006 - Fault tree analysis (FTA) is the International Electrotechnical Commission standard that defines the principles, symbols and procedures for performing Fault Tree Analysis. The second edition (2006) explains both qualitative and quantitative FTA approaches, provides mathematical modelling guidance, and specifies rules for identifying assumptions, events, failure modes, and labelling. The standard is published by IEC TC 56 (Dependability) and includes informative annexes with commonly used symbols and a detailed disjointing procedure.

Key topics

  • Scope and objectives: Definition of the top event, scope of analysis, and objectives for safety, reliability, availability or maintainability studies.
  • Terms and definitions: Clear definitions for top event, final event, basic/primary events, intermediate events, cut sets and minimal cut sets.
  • Graphical structure and symbols: Standard gate and event symbols, gate types (AND, OR, PAND, etc.), and recommended labelling practices (see Annex A).
  • Qualitative FTA: Traditional FTA techniques for identifying causal relationships without assigning probabilities - used to find fault combinations and minimal cut sets.
  • Quantitative FTA: Methods to assign probabilities or failure rates to basic events and compute the probability of the top event; includes guidance on rare-event approximations and disjointing (Annex B).
  • Development and evaluation: Stepwise procedures for system familiarization, fault tree construction, assumptions, failure-rate use, and report content.
  • Relationships to other methods: Guidance on combining FTA with other dependability techniques (e.g., Markov analysis - IEC 61165) and when to use mixed approaches.

Applications

IEC 61025 is applicable to:

  • Safety analysis of transportation systems, power plants, nuclear facilities and industrial plants.
  • Reliability and availability studies for product development, operation and maintenance planning.
  • Risk assessment and root-cause analysis where structured identification of event combinations is required.

Fault Tree Analysis under this standard supports both forensic (why did a failure occur?) and predictive (what is the probability of a system-level failure?) use cases.

Who should use this standard

  • Reliability, safety and systems engineers
  • Risk analysts and certification bodies
  • Product designers and maintenance planners
  • Regulators and auditors involved in dependability and safety assurance

Related standards

  • IEC 60050(191) - IEV chapter on dependability terms
  • IEC 61165 - Application of Markov techniques (referenced for combined modelling)

IEC 61025 provides a standardized, practical framework for documenting, analysing and quantifying fault combinations and system-level failure modes using Fault Tree Analysis (FTA).

Standard
IEC 61025:2006 - Fault tree analysis (FTA) Released:12/13/2006
English language
52 pages
Standard
IEC 61025:2006 - Analyse par arbre de panne (AAP) Released:12/13/2006
French language
52 pages
Standard
IEC 61025:2006 - Fault tree analysis (FTA)
English and French language
103 pages

Standards Content (Sample)


INTERNATIONAL STANDARD IEC 61025
Second edition
2006-12
Fault tree analysis (FTA)
This English-language version is derived from the original bilingual publication by leaving out all French-language pages. Missing page numbers correspond to the French-language pages.
Publication numbering
As from 1 January 1997 all IEC publications are issued with a designation in the 60000 series. For example, IEC 34-1 is now referred to as IEC 60034-1.
Consolidated editions
The IEC is now publishing consolidated versions of its publications. For example, edition numbers 1.0, 1.1 and 1.2 refer, respectively, to the base publication, the base publication incorporating amendment 1 and the base publication incorporating amendments 1 and 2.
Further information on IEC publications
The technical content of IEC publications is kept under constant review by the IEC,
thus ensuring that the content reflects current technology. Information relating to
this publication, including its validity, is available in the IEC Catalogue of
publications (see below) in addition to new editions, amendments and corrigenda.
Information on the subjects under consideration and work in progress undertaken
by the technical committee which has prepared this publication, as well as the list
of publications issued, is also available from the following:
• IEC Web Site (www.iec.ch)
• Catalogue of IEC publications
The on-line catalogue on the IEC web site (www.iec.ch/searchpub) enables you to
search by a variety of criteria including text searches, technical committees
and date of publication. On-line information is also available on recently issued
publications, withdrawn and replaced publications, as well as corrigenda.
• IEC Just Published
This summary of recently issued publications (www.iec.ch/online_news/justpub)
is also available by email. Please contact the Customer Service Centre (see
below) for further information.
• Customer Service Centre
If you have any questions regarding this publication or need further assistance,
please contact the Customer Service Centre:

Email: custserv@iec.ch
Tel: +41 22 919 02 11
Fax: +41 22 919 03 00
© IEC 2006 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch

61025 © IEC:2006 – 3 –
CONTENTS
FOREWORD ... 7
INTRODUCTION ... 11
1 Scope ... 13
2 Normative references ... 13
3 Terms and definitions ... 13
4 Symbols ... 19
5 General ... 21
5.1 Fault tree description and structure ... 21
5.2 Objectives ... 23
5.3 Applications ... 23
5.4 Combinations with other reliability analysis techniques ... 25
6 Development and evaluation ... 29
6.1 General considerations ... 29
6.2 Required system information ... 35
6.3 Fault tree graphical description and structure ... 37
7 Fault tree development and evaluation ... 39
7.1 General ... 39
7.2 Scope of analysis ... 39
7.3 System familiarization ... 39
7.4 Fault tree development ... 39
7.5 Fault tree construction ... 41
7.6 Failure rates in fault tree analysis ... 75
8 Identification and labelling in a fault tree ... 75
9 Report ... 77
Annex A (informative) Symbols ... 81
Annex B (informative) Detailed procedure for disjointing ... 95
Bibliography ... 103

Figure 1 – Explanation of terms used in fault tree analyses ... 19
Figure 2 – Fault tree representation of a series structure ... 45
Figure 3 – Fault tree representation of parallel, active redundancy ... 47
Figure 4 – An example of fault tree showing different gate types ... 51
Figure 5 – Rectangular gate and events representation ... 53
Figure 6 – An example fault tree containing a repeated and a transfer event ... 55
Figure 7 – Example showing common cause considerations in rectangular gate representation ... 55
Figure 8 – Bridge circuit example to be analysed by a fault tree ... 63
Figure 9 – Fault tree representation of the bridge circuit ... 65
Figure 10 – Bridge system FTA, Esary-Proschan, no disjointing ... 69
Figure 11 – Bridge system probability of failure calculated with rare-event approximation ... 71
Figure 12 – Probability of occurrence of the top event with disjointing ... 73
Figure A.1 – Example of a PAND gate ... 93

Table A.1 – Frequently used symbols for a fault tree ... 81
Table A.2 – Common symbols for events and event description ... 87
Table A.3 – Static gates ... 89
Table A.4 – Dynamic gates ... 91

INTERNATIONAL ELECTROTECHNICAL COMMISSION

FAULT TREE ANALYSIS (FTA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61025 has been prepared by IEC technical committee 56:
Dependability.
The text of this standard is based on the following documents:
FDIS: 56/1142/FDIS
Report on voting: 56/1162/RVD
Full information on the voting for the approval of this standard can be found in the report on voting indicated above.
This second edition cancels and replaces the first edition, published in 1990, and constitutes
a technical revision.
The main changes with respect to the previous edition are as follows:
– added detailed explanations of fault tree methodologies;
– added quantitative and reliability aspects of Fault Tree Analysis (FTA);
– expanded relationship with other dependability techniques;
– added examples of analyses and methods explained in this standard;
– updated symbols currently in use.
Clause 7, dealing with analysis, has been revised to address traditional logic fault tree analysis separately from the quantitative analysis that has been used for many years already for reliability improvement of products in their development stage.
Some material included previously in the body of this standard has been transferred to Annexes A and B.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
Fault tree analysis (FTA) is concerned with the identification and analysis of conditions and factors that cause or may potentially cause or contribute to the occurrence of a defined top event. With FTA this event is usually seizure or degradation of system performance, safety or other important operational attributes, while with STA (success tree analysis) this event is the attribute describing the success.
FTA is often applied to the safety analysis of systems (such as transportation systems, power plants, or any other systems that might require evaluation of safety of their operation). Fault tree analysis can also be used for availability and maintainability analysis. However, for simplicity, in the rest of this standard the term "reliability" will be used to represent these aspects of system performance.
This standard addresses two approaches to FTA. One is a qualitative approach, where the probability of events and their contributing factors (input events), or their frequency of occurrence, is not addressed. This approach is a detailed analysis of events/faults and is known as a qualitative or traditional FTA. It is largely used in nuclear industry applications and many other instances where the potential causes or faults are sought out, without interest in their likelihood of occurrence. At times, some events in the traditional FTA are investigated quantitatively, but these calculations are dissociated from any overall reliability concepts, in which case no attempt to calculate overall reliability using FTA is made. The second approach, adopted by many industries, is largely quantitative, where a detailed FTA models an entire product, process or system, and the vast majority of the basic events, whether faults or events, have a probability of occurrence determined by analysis or test. In this case, the final result is the probability of occurrence of a top event representing reliability or probability of fault or a failure.
FAULT TREE ANALYSIS (FTA)
1 Scope
This International Standard describes fault tree analysis and provides guidance on its
application as follows:
– definition of basic principles;
– describing and explaining the associated mathematical modelling;
– explaining the relationships of FTA to other reliability modelling techniques;
– description of the steps involved in performing the FTA;
– identification of appropriate assumptions, events and failure modes;
– identification and description of commonly used symbols.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For the references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments) applies.
IEC 60050(191), International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability
and quality of service
IEC 61165, Application of Markov techniques
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050(191) apply.
In fault tree methodology and applications, many terms are used to better explain the intent of an analysis or the thought process behind it. Various authors also use some terms as synonyms for those that are considered analytically correct. The following additional terms are used in this standard.
3.1
outcome
result of an action or other input; a consequence of a cause
NOTE 1 An outcome can be an event or a state. Within a fault tree, an outcome from a combination of
corresponding input events represented by a gate may be either an intermediate event or a top event.
NOTE 2 Within a fault tree, an outcome may also be an input to an intermediate event, or it can be the top event.
3.2
top event
outcome of combinations of all input events
NOTE 1 It is the event of interest under which a fault tree is developed. The top event is often referred to as the
final event, or as the top outcome.

NOTE 2 It is pre-defined and is a starting point of a fault tree. It has the top position in the hierarchy of events.

3.3
final event
final result of combinations of all of the input, intermediate and basic events
NOTE It is a result of input events or states (see 3.2).
3.4
top outcome
outcome that is investigated by building the fault tree
NOTE Final result of combinations of all of the input, intermediate and basic events; it is a result of input events or states (see 3.2).
3.5
gate
symbol which is used to establish symbolic link between the output event and the
corresponding inputs
NOTE A given gate symbol reflects the type of relationship required between the input events for the output event
to occur.
3.6
cut set
group of events that, if all occur, would cause occurrence of the top event
3.7
minimal cut set
minimum, or the smallest set of events needed to occur to cause the top event
NOTE The non-occurrence of any one of the events in the set would prevent the occurrence of the top event.
3.8
event
occurrence of a condition or an action
3.9
basic event
event or state that cannot be further developed
3.10
primary event
event that is at the bottom of the fault tree
NOTE In this standard, primary event can mean a basic event that need not be developed any more, or it can be an event that, although a product of groups of events and gates, may be developed elsewhere, or may not be developed at all (undeveloped event).
3.11
intermediate event
event that is neither a top event nor a primary event
NOTE It is usually a result of one or more primary and/or other intermediate events.

3.12
undeveloped event
event that does not have any input events
NOTE It is not developed in the analysis for various possible reasons, such as lack of more detailed information, or it is developed in another analysis and then annotated in the current analysis as undeveloped. An example of undeveloped events could be Commercial Off The Shelf items (COTS).

3.13
single point failure (event)
failure event which, if it occurs, would cause overall system failure or would, by itself, regardless of other events or their combinations, cause the top unfavourable event (outcome)

3.14
common cause events
different events in a system or a fault tree that have the same cause for their occurrence
NOTE An example of such an event would be shorting of ceramic capacitors due to flexing of the printed circuit
board; thus, even though these might be different capacitors having different functions in their design, their
shorting would have the same cause – the same input event.
3.15
common cause
cause of occurrence of multiple events
NOTE In the above example it would be board flexing, which itself can be an intermediate event resulting from multiple events such as environmental shock, vibrations or manual printed circuit board breakage during product manufacturing.
3.16
replicated or repeated event
event that is an input to more than one higher level event
NOTE This event can be a common cause or a failure mode of a component, shared by more than one part of a
design.
Figure 1 illustrates some of the above definitions. This figure contains annotations and
description of events to better explain the practical application of a fault tree. Omitted from
Figure 1 are the graphical explanations of cut sets or minimal cut sets, for simplicity of the
graphical representation of other pertinent terms. The symbols in Figure 1 and all of the
subsequent figures appear somewhat different to those in Tables A.1, A.2, A.3, and A.4
because of the added box above the gate symbol for description of individual events.

[Figure 1 (image not reproduced in this extract)]
Figure 1 – Explanation of terms used in fault tree analyses
NOTE Symbols in Figure 1 and all other figures might slightly differ from the symbols shown in Annex A. This is because description blocks are added to better explain the relationship of various events.
4 Symbols
The graphical representation of a fault tree requires that symbols, identifiers and labels be used in a consistent manner. Symbols describing fault tree events vary with user preferences and software packages, when used. General guidance is given in Clause 8 and in Annex A. Other symbols used in this standard are standard dependability symbols such as F(t), or just F for the probability of an event occurring. For that reason, a separate list of symbols is not provided.

5 General
5.1 Fault tree description and structure
Several analytical methods of dependability analysis are available, of which fault tree analysis (FTA) is one. The purpose of each method and their individual or combined applicability in evaluating the flow of events or states that would be the cause of an outcome, or the reliability and availability of a given system or component, should be examined by the analyst before starting FTA. Consideration should be given to the advantages and disadvantages of each method and their respective products, data required to perform the analysis, complexity of analysis and other factors identified in this standard.

A fault tree is an organized graphical representation of the conditions or other factors causing
or contributing to the occurrence of a defined outcome, referred to as the "top event". When
the outcome is a success, then the fault tree becomes a success tree, where the input events
are those that contribute to the top success event. The representation of a fault tree is in a
form that can be clearly understood, analysed and, as necessary, rearranged to facilitate the
identification of:
– factors affecting the investigated top event as it is carried out in most of the traditional
fault tree analyses;
– factors affecting the reliability and performance characteristics of the system, when the
FTA technique is used for reliability analysis, for example design deficiencies,
environmental or operational stresses, component failure modes, operator mistakes,
software faults;
– events affecting more than one functional component, which could cancel the benefits of
specific redundancies or affect two or more parts of a product that may otherwise seem
operationally unrelated or independent (common cause events).
Fault tree analysis is a deductive (top-down) method of analysis aimed at pinpointing the
causes or combinations of causes that can lead to the defined top event. The analysis can be
qualitative or quantitative, depending on the scope of the analyses.
A fault tree can also be developed as its complement, the success tree (success tree analysis, STA), where the top event is a success and its inputs are the contributors to that desired event.
In cases where the probability of occurrence of the primary events cannot be estimated, a qualitative FTA may be used to investigate causes of potential unfavourable outcomes, with individual primary events marked with a descriptive likelihood of occurrence such as "highly probable", "very probable", "medium probability", "remote probability", etc. The primary goal of the qualitative FTA is to identify the minimal cut sets in order to determine the ways in which the basic or primary events influence the top event.
A quantitative FTA can be used when the probabilities of primary events are known.
Probabilities of occurrence of all intermediate events and the top event (outcome) can then be
calculated in accordance with the model. Also, the quantitative FTA is very useful in reliability
analysis of a product or a system in its development.
FTA can be used for analysis of systems with complex interactions between sub-systems
including software/hardware interactions.
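Worked example (added here; it is not part of IEC 61025, and the bridge circuit is borrowed only as the subject of the standard's Figures 8 to 12, not copied from them). The Python script below encodes a constructed fault tree for a five-component bridge circuit, derives its minimal cut sets by top-down expansion of the gate logic with absorption of non-minimal sets (the qualitative step), and then evaluates the top event quantitatively three ways: the rare-event approximation (sum of the minimal cut set probabilities), the Esary-Proschan bound, and exact inclusion-exclusion over the minimal cut sets, which yields the same value a disjointing procedure would. It also computes the Birnbaum importance of a basic event, the difference in top-event probability when that event is forced to occur versus forced not to occur, which is the kind of impact assessment listed among the objectives in 5.2. The gate structure, the basic-event names A to E and their probabilities are assumptions made for this example; basic events are taken to be independent.

```python
from itertools import combinations, product

# Constructed fault tree for a bridge circuit (gate structure and labels are ours,
# not the standard's Figure 9). Gate name -> (type, inputs); any input that is
# not itself a gate is a basic event. The circuit has four input-to-output paths
# (A-B, C-D, A-E-D, C-E-B); the top event "no path survives" is the AND of the
# four "path broken" gates, each an OR of the component failures on that path.
BRIDGE_TREE = {
    "TOP": ("AND", ["P1", "P2", "P3", "P4"]),
    "P1": ("OR", ["A", "B"]),
    "P2": ("OR", ["C", "D"]),
    "P3": ("OR", ["A", "E", "D"]),
    "P4": ("OR", ["C", "E", "B"]),
}

# Constructed per-mission failure probabilities, assumed independent.
BRIDGE_PROBS = {"A": 0.1, "B": 0.1, "C": 0.1, "D": 0.1, "E": 0.05}


def minimize(cut_sets):
    """Absorption: drop every cut set that is a proper superset of another."""
    return {c for c in cut_sets if not any(other < c for other in cut_sets)}


def minimal_cut_sets(tree, node="TOP"):
    """Top-down expansion of the gate logic into minimal cut sets (qualitative FTA)."""
    if node not in tree:
        return {frozenset([node])}
    gate, inputs = tree[node]
    child_sets = [minimal_cut_sets(tree, i) for i in inputs]
    if gate == "OR":                      # any child's cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":                   # one cut set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unsupported gate type {gate!r}")
    return minimize(combined)


def cut_set_probability(cut_set, probs):
    """Probability that every event in the set occurs (independence assumed)."""
    p = 1.0
    for event in cut_set:
        p *= probs[event]
    return p


def rare_event_approximation(mcs, probs):
    """Sum of minimal cut set probabilities; an upper bound on P(top)."""
    return sum(cut_set_probability(c, probs) for c in mcs)


def esary_proschan(mcs, probs):
    """1 - prod(1 - P(C_i)): treats the cut sets as if they were independent."""
    survive = 1.0
    for c in mcs:
        survive *= 1.0 - cut_set_probability(c, probs)
    return 1.0 - survive


def exact_top_probability(mcs, probs):
    """Inclusion-exclusion over the cut sets: exact for independent basic events,
    but exponential in the number of cut sets (2**len(mcs) - 1 terms)."""
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for subset in combinations(mcs, k):
            events = frozenset().union(*subset)        # all cut sets in the subset occur
            total += (-1) ** (k + 1) * cut_set_probability(events, probs)
    return total


def birnbaum_importance(mcs, probs, event):
    """P(top | event occurred) - P(top | event did not occur)."""
    with_event = dict(probs, **{event: 1.0})
    without_event = dict(probs, **{event: 0.0})
    return exact_top_probability(mcs, with_event) - exact_top_probability(mcs, without_event)


if __name__ == "__main__":
    mcs = minimal_cut_sets(BRIDGE_TREE)
    for c in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print("minimal cut set:", sorted(c))
    print("rare-event approximation:", rare_event_approximation(mcs, BRIDGE_PROBS))
    print("Esary-Proschan bound    :", esary_proschan(mcs, BRIDGE_PROBS))
    print("exact (inclusion-excl.) :", exact_top_probability(mcs, BRIDGE_PROBS))
    for event in sorted(BRIDGE_PROBS):
        print("Birnbaum importance", event, ":", birnbaum_importance(mcs, BRIDGE_PROBS, event))
```

On this input the expansion yields the four minimal cut sets {A,C}, {B,D}, {A,D,E} and {B,C,E}, and the three quantitative results come out in the order rare-event (0.0210) above Esary-Proschan (0.02088) above exact (0.02071): both approximations are upper bounds here, and close because the basic-event probabilities are small. Inclusion-exclusion doubles its work with every additional minimal cut set, which is why the standard discusses truncation and the BDD alternative in 5.4.4 for large trees.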

5.2 Objectives
FTA may be undertaken independently of, or in conjunction with, other reliability analyses. Objectives include:
– identification of the causes or combinations of causes leading to the top event;
– determination of whether a particular system reliability measure meets a stated requirement;
– determination of which potential failure mode(s) or factor(s) would be the highest contributor to the system probability of failure (unreliability) or unavailability, when a system is repairable, for identifying possible system reliability improvements;
– analysis and comparison of various design alternatives to improve system reliability;
– demonstration that assumptions made in other analyses (such as Markov and FMEA) are valid;
– identification of potential failure modes that might cause a safety issue, evaluation of corresponding probability of occurrence and possibility of mitigation;
– identification of common events (e.g. the middle branch of a bridge circuit, see Figure 10);
– search for an event or combinations of events which are the most likely to cause the top event to occur;
– assessment of the impact of the occurrence of a primary event on the probability of the top event;
– calculation of event probabilities;
– calculation of availabilities and failure rates of a system or its components represented by a fault tree, if a steady state can be postulated and eventual repairs are independent of each other (same limitation as for the success path diagram/reliability block diagram).
5.3 Applications
FTA is particularly suited to the analysis of systems comprising several functionally related or
dependent subsystems. Benefits of FTA are apparent when a system design is the product of
several independent specialized technical design groups and the separate fault trees are
linked together. Fault tree analysis is commonly applied when designing nuclear power
generating stations, transportation systems, communication systems, chemical and other
industrial processes, railway systems, home entertainment systems, medical systems,
computer systems, etc. Fault tree analysis is also of particular value when applied to systems
comprising various component types and their interaction (mechanical, electronic and
software components), which cannot be easily modelled with other techniques. An example of
this would be a combination of events where their order of appearance is essential such as
existence of vibration fatigue causing fracture cracks and failures of components.

FTA has a multitude of uses as a tool (to list a few):
– to determine the pertinent logic combination of events leading to the top event and, potentially, their prioritization;
– to investigate a system under development and anticipate and prevent, or mitigate, potential cause(s) of the undesired top event;
– to analyse a system, determine its reliability, identify the major contributors to its unreliability and evaluate the design changes;
– to assist probabilistic risk assessment efforts.
FTA can be applied to all new or modified products in all design phases, as an analytical tool for identification of potential design problems, including those early phases where information on the design details is incomplete. Those early efforts would then be extended as more information on the system design and its components becomes available. FTA also identifies potential problems that may originate from the product's physical design, environmental or operational stresses, flaws in product manufacturing processes and from operational and maintenance procedures.
5.4 Combinations with other reliability analysis techniques
5.4.1 Combination of FTA and failure modes and effects analysis (FMEA)
This analysis combination is often recommended by sector specific standards, in particular
safety standards and transportation standards. The benefits of a combined analysis are the
following:
– FTA is a top-down and FMEA a bottom-up analysis method; the use of both deductive and inductive reasoning is regarded as a good argument for providing assurance of the completeness of an analysis;
– safety standards often demand a single failure and, in some cases, a multiple failure analysis; the first requirement is fulfilled by FMEA, while both single and multiple failure analysis are accomplished by FTA;
– FMEA is also a useful method for a comprehensive identification of basic events or hazards, while FTA is a practical method for causal analysis of the undesirable events.
Additionally there exists a simple consistency check between FMEA and FTA:
– any single failure identified in the FMEA as leading to the top event of the fault tree also has to appear as a single point failure in the fault tree, i.e. as a minimal cut set of order one;
NOTE A single point failure is a failure that, if it occurs, would cause the entire system to fail.
– any single point failure identified in the FTA should also appear as such in the FMEA.
The value of this consistency check is increased if the analyses are performed separately and independently. This is especially important in safety analyses.
The IEC standard which explains this methodology is IEC 60300-3-1.
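The consistency check above, as an added example that is not part of the standard: the script compares an FMEA worksheet with the minimal cut sets of a fault tree built for the same top event and reports the disagreements in both directions, splitting the FMEA-only side into failure modes the tree needs a partner for and failure modes the tree does not model at all. The FMEA rows, the basic-event labels and the cut sets are constructed for the example; in practice the cut sets come from the tree expansion and the FMEA from the worksheet, and both would be loaded rather than typed in. A basic event is labelled "item: failure mode" so that the two analyses are matched at failure-mode level, not just by component.

```python
# Constructed FMEA worksheet rows: (item, failure mode, end effect on the system).
# A row whose end effect is the fault tree's top event claims that this single
# failure alone brings the top event about. Assumed data, not from the standard.
TOP_EVENT = "loss of coolant flow"
FMEA = [
    ("pump P1", "fails to run", "loss of coolant flow"),       # FMEA overstates: P2 backs it up
    ("pump P2", "fails to run", "loss of redundancy"),
    ("valve V1", "stuck closed", "loss of coolant flow"),      # agrees with the tree
    ("controller K", "spurious trip", "loss of coolant flow"), # absent from the tree
    ("sensor S", "drifts high", "degraded control"),           # tree says this alone is enough
]

# Constructed minimal cut sets of the fault tree for TOP_EVENT; basic events are
# labelled "item: failure mode" so they match FMEA rows at failure-mode level.
MCS = {
    frozenset({"pump P1: fails to run", "pump P2: fails to run"}),
    frozenset({"valve V1: stuck closed"}),
    frozenset({"sensor S: drifts high"}),
}


def basic_event(item, mode):
    return f"{item}: {mode}"


def fmea_single_failures(fmea, top_event):
    """Failure modes the FMEA says lead to the top event on their own."""
    return {basic_event(item, mode) for item, mode, effect in fmea if effect == top_event}


def fta_single_point_failures(mcs):
    """Order-one minimal cut sets: the fault tree's single point failures."""
    return {next(iter(c)) for c in mcs if len(c) == 1}


def consistency_check(fmea, mcs, top_event):
    """Both directions of the 5.4.1 check, with the FMEA-only side split by cause."""
    fmea_spf = fmea_single_failures(fmea, top_event)
    fta_spf = fta_single_point_failures(mcs)
    in_tree = set().union(*mcs)
    return {
        "agreed": sorted(fmea_spf & fta_spf),
        # FMEA calls it a single failure, but the tree reaches the top event only
        # in combination with other events: one analysis has the redundancy wrong.
        "fmea_single_but_tree_needs_more": sorted((fmea_spf - fta_spf) & in_tree),
        # FMEA calls it a single failure and the tree does not model it at all.
        "fmea_single_missing_from_tree": sorted(fmea_spf - in_tree),
        # The tree has an order-one cut set the FMEA does not rate as system-critical.
        "tree_single_not_in_fmea": sorted(fta_spf - fmea_spf),
    }


def check_passes(report):
    """True only when every discrepancy list is empty."""
    return not any(report[key] for key in report if key != "agreed")


if __name__ == "__main__":
    report = consistency_check(FMEA, MCS, TOP_EVENT)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("consistent:", check_passes(report))
```

Each non-empty discrepancy list is a finding to take back to one of the two teams: a failure mode the FMEA rates as critical but the tree covers only in a higher-order cut set means either the FMEA missed a redundancy or the tree assumed one that does not exist, and a failure mode missing from the tree altogether is the classic gap the independent, bottom-up FMEA is meant to expose.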
5.4.2 Combination of FTA and event tree analysis (ETA)

Any event could be analysed by FTA. However, in some cases this may not be appropriate, for several reasons:
− it is sometimes easier to develop event sequences rather than causal relationships;
− the resulting tree may become very large;
− there are often separate teams dealing with different parts of the analysis.

In order to find a practical procedure, it is often not the top undesired event that is defined first, but potentially undesirable events at the interface between the functional and technical domain.
To give an illustration, consider the top event "loss of crew or vehicle" for a spacecraft mission. Instead of building a large fault tree based on "loss of crew or vehicle", intermediate undesired events like "ignition fails" or "thrust failure" may be defined as top events and analysed as separate fault trees. These reduced top events would then, in turn, be used as inputs to an event tree in order to analyse operational consequences.
This combination of ETA and FTA is sometimes referred to as cause-consequence analysis (CCA).
5.4.3 Combination of FTA and Markov analysis
An FTA that contains only static gates (the timing or sequencing of the event combination is
neither considered nor modelled) evaluates systems with no sequence dependency between
events. However, the FTA may be extended by defining additional gates that represent Markov
models. These gates are called “dynamic” gates and include PRIORITY AND gates,
SEQUENTIAL gates and SPARE gates. For such gates, it is necessary to evaluate the failure
probability at a time t by using the appropriate Markov model or a simulation. Once evaluated,
the dynamic gate and its inputs may be replaced by a single primary event whose probability of
occurrence is the value calculated by Markov analysis. Some commercial software packages
allow dynamic gates to be modelled and the probability of occurrence of the event they
represent to be calculated. An example of a dynamic, PRIORITY AND gate is shown in
Annex A.
Both static and dynamic gates of a fault tree are used, based on the assumption that the
individual events are independent (unless defined as common). However, particular attention
shall be given to independence properties between the events included in the Markov model
and the events in the fault tree.
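As an added example (not code from IEC 61025), the following Python evaluates a two-input PRIORITY AND gate the way this subclause describes: a four-state continuous-time Markov model is solved for the probability at time t, cross-checked against the closed-form expression for independent exponential lifetimes, and compared with an ordinary static AND so the effect of the ordering constraint is visible. The failure rates and mission time are assumed values; the result is the probability one would assign to the single primary event that replaces the gate and its inputs in the static tree.

```python
"""PRIORITY AND (PAND) gate evaluated through a Markov model.

Added example, not code from IEC 61025. Inputs A and B are independent with
constant (assumed) failure rates, so lifetimes are exponential. The PAND
output occurs when both inputs have failed AND A failed before B.
"""
import math

# Constructed CTMC states:
#   0 = neither failed            1 = A failed, B working
#   2 = B failed first (absorbing: the PAND output can no longer occur)
#   3 = A failed, then B failed   (absorbing: PAND output)
def pand_markov(lam_a, lam_b, t, steps=20000):
    """Transient state probabilities at time t by explicit Euler integration
    of the Kolmogorov forward equations; returns P(state 3) = P(PAND)."""
    p0, p1, p2, p3 = 1.0, 0.0, 0.0, 0.0
    dt = t / steps
    for _ in range(steps):
        d0 = -(lam_a + lam_b) * p0
        d1 = lam_a * p0 - lam_b * p1
        d2 = lam_b * p0
        d3 = lam_b * p1
        p0, p1, p2, p3 = p0 + d0 * dt, p1 + d1 * dt, p2 + d2 * dt, p3 + d3 * dt
    return p3

def pand_closed_form(lam_a, lam_b, t):
    """P(T_A < T_B <= t) for independent exponentials, used as a cross-check:
    the integral over s of f_B(s) * P(T_A < s)."""
    s = lam_a + lam_b
    return (1 - math.exp(-lam_b * t)) - lam_b / s * (1 - math.exp(-s * t))

def static_and(lam_a, lam_b, t):
    """Ordinary static AND: both failed by t, order ignored. Always >= PAND."""
    return (1 - math.exp(-lam_a * t)) * (1 - math.exp(-lam_b * t))

def as_primary_event(lam_a, lam_b, t):
    """Collapse the gate and its two inputs into one primary event whose
    probability at t is the Markov result, as 5.4.3 describes."""
    return {'name': 'A_then_B', 'probability': pand_markov(lam_a, lam_b, t)}

if __name__ == '__main__':
    LAM_A, LAM_B, T = 1e-3, 2e-3, 1000.0   # assumed rates (1/h) and mission time (h)
    print('PAND (Markov)     :', round(pand_markov(LAM_A, LAM_B, T), 5))
    print('PAND (closed form):', round(pand_closed_form(LAM_A, LAM_B, T), 5))
    print('static AND        :', round(static_and(LAM_A, LAM_B, T), 5))
```

The Markov model is deliberately solved numerically rather than from the closed form, because once repair transitions or a SPARE gate's switching behaviour are added the closed form is no longer available while the state-stepping still works; the closed form is kept only to verify the integrator. Note that the PAND probability is strictly smaller than the static AND for the same inputs, so modelling an order-dependent failure with a static gate overstates the risk.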
5.4.4 Combination of FTA and binary decision diagram (BDD) techniques
Calculation of the probability of occurrence for the top event of a fault tree with many cut sets
requires calculation of probability for all cut set combinations. Because of its high complexity,
this calculation will often need to be truncated. A BDD may be constructed recursively from a
fault tree and it provides an efficient, exact calculation method. This method is well explained
in the “NASA Fault Tree Handbook with Aerospace Applications version 1.1[1] ”.
The BDD approach is useful where truncation of cut set probability calculations results in
either unacceptable loss of accuracy or an FTA solution takes excessive time, particularly
when many high-probability events appear in the model. Because the minimal paths
generated in the BDD approach are disjoint (see 7.5.5.4), calculation of importance and
sensitivities can also be performed efficiently and exactly.
—————————
Figures in square brackets refer to the bibliography.
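The following Python, an added example rather than code from the standard, builds a small static fault tree, extracts its minimal cut sets and the single point failures that 5.4.1 says must also appear in the FMEA, and computes the top-event probability three ways: exactly, by the Shannon decomposition with constant propagation that a BDD encodes (without node sharing), and by the rare-event and Esary-Proschan approximations over the minimal cut sets. The tree and the event probabilities are constructed for the example; the high-probability case shows why 5.4.4 warns that truncation and approximation break down when many high-probability events are present.

```python
"""Static fault tree utilities: minimal cut sets, single point failures,
exact top-event probability and the usual approximations.

Added example for illustration, not code from IEC 61025. A tree is a nested
tuple ('AND', child, ...) or ('OR', child, ...); leaves are basic-event
names. Basic events are assumed independent (the standard's default
assumption) and the probabilities below are constructed for this example.
"""
from itertools import product
from math import prod

SAMPLE_TREE = ('OR',
               'PSU',                        # power supply: a single point failure
               ('AND', 'OUT1', 'OUT2'),      # both redundant outputs lost
               ('AND', 'OUT1', 'CAP'))       # output 1 lost and filter capacitor shorted

LOW_PROBS = {'PSU': 1e-4, 'OUT1': 1e-2, 'OUT2': 1e-2, 'CAP': 2e-2}
HIGH_PROBS = {e: 0.3 for e in LOW_PROBS}     # stresses the approximations

def basic_events(tree):
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(k) for k in tree[1:]))

def minimal_cut_sets(tree):
    """Bottom-up: OR unions the children's cut sets, AND takes their cross
    product; supersets of another candidate are pruned at the end."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    gate, *kids = tree
    sets = [minimal_cut_sets(k) for k in kids]
    if gate == 'OR':
        cands = {c for s in sets for c in s}
    elif gate == 'AND':
        cands = {frozenset().union(*combo) for combo in product(*sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return sorted((c for c in cands if not any(o < c for o in cands)),
                  key=lambda c: (len(c), sorted(c)))

def single_point_failures(tree):
    """Size-1 minimal cut sets: the failures an independent FMEA must flag."""
    return sorted(next(iter(c)) for c in minimal_cut_sets(tree) if len(c) == 1)

def restrict(tree, x, value):
    """Substitute basic event x := value and constant-propagate through gates."""
    if isinstance(tree, bool):
        return tree
    if isinstance(tree, str):
        return value if tree == x else tree
    gate, *kids = tree
    kids = [restrict(k, x, value) for k in kids]
    if gate == 'AND':
        if any(k is False for k in kids):
            return False
        kids = [k for k in kids if k is not True]
        return True if not kids else ('AND', *kids)
    if any(k is True for k in kids):
        return True
    kids = [k for k in kids if k is not False]
    return False if not kids else ('OR', *kids)

def top_probability_exact(tree, probs):
    """Shannon decomposition, P = p_x*P(tree|x=1) + (1-p_x)*P(tree|x=0),
    with constant propagation so branches terminate early. This is the
    recursion a BDD encodes (minus node sharing); no truncation needed."""
    if tree is True:
        return 1.0
    if tree is False:
        return 0.0
    x = min(basic_events(tree))              # fixed variable ordering
    return (probs[x] * top_probability_exact(restrict(tree, x, True), probs)
            + (1 - probs[x]) * top_probability_exact(restrict(tree, x, False), probs))

def rare_event_approx(tree, probs):
    """Sum of minimal cut set probabilities; overestimates and can exceed 1."""
    return sum(prod(probs[e] for e in c) for c in minimal_cut_sets(tree))

def esary_proschan(tree, probs):
    """1 - prod(1 - P(cut set)): an upper bound for independent basic events."""
    return 1 - prod(1 - prod(probs[e] for e in c) for c in minimal_cut_sets(tree))
```

With the low probabilities the rare-event sum (4.0e-4) and the exact value (3.98e-4) agree to within half a percent; with every event at 0.3 the sum is 0.48 against an exact 0.407, and at 0.9 it exceeds 1. The exact routine needs no truncation because constant propagation collapses each branch as soon as the remaining gates are decided, which is the property a BDD exploits at scale.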

5.4.5 Combination with the reliability block diagram
A reliability block diagram is made up of blocks or modules, representing a group of
components, or failure modes. Those groups are normally formed following the functional
block diagram of a product, system or a process. These modules have either a determined
failure rate, or a calculated reliability or probability of failure for a given use or operational
profile. Traditionally, the blocks would have a failure rate which would be the sum of failure
rates of individual components. In that manner, the functional interaction of components
within a module is not considered.
To augment correctness of functional modelling within a block (software/hardware, interaction
of mechanical parts), reliability of certain blocks can be modelled with a fault tree, and then
the resultant information on probability of occurrence of those blocks can be assigned to that
specific block being part of a reliability block diagram. In this manner, reliability block
diagrams, which normally assume independence of component failures within a block, would
yield a more realistic prediction.
6 Development and evaluation
6.1 General considerations
6.1.1 Overview
A fault tree is an organized graphical representation of the conditions that cause, or contribute
to, the occurrence of a defined undesirable outcome, referred to as the "top event". The
representation is in a form that can be clearly understood, analysed and, as necessary,
rearranged to facilitate the identification of:
– factors affecting the reliability and other performance characteristics of the system. These
factors, for example, include design deficiencies, environmental or operational stresses,
component fault modes, operator mistakes, software faults;
– common events that may contribute to more than one outcome of intermediate events in a
fault tree. As an example, events affecting more than one functional component, which
could cancel the benefits of specific redundancies or affect two or more parts of a product
that may otherwise seem operationally unrelated.
Fault tree analysis is a deductive (top-down) method of analysis aimed at pinpointing the
causes, or combinations of causes, that can lead to the defined top event. The analysis can
be qualitative, Method A, or quantitative, Method B, depending on the scope of the analyses.
In cases where the probability of occurrence of the basic events cannot be estimated, a
qualitative FTA, Method A, may be used to investigate causes of potential unfavourable
outcomes with individual basic events marked with a descriptive likelihood of occurrence such
as: “highly probable”, “very probable”, “medium probability”, “remote probability”, etc., as
explained in 5.1.
A quantitative FTA, Method B, can be used when the probabilities of basic or primary events
are known. Probabilities of occurrence of all intermediate events and the top event (outcome)
can then be calculated using the appropriate mathematical expressions.

6.1.2 Concepts and combinations of events and states
The final outcome of a fault tree (top event) can be a fault in itself, or an event. Here, the fault
tree describes a fault or an event resulting from the contributing events or other faults. In fault
tree analysis, certain combinations of inputs may mix states and events, while others must
match the type of the outcome. For example, the inputs to an OR gate whose outcome is a
state or an event can be states or events. All inputs to an AND gate whose outcome is an
event must be events, while if the outcome represents a state, all the inputs must be states.
A state can be characterized by the probability that the state exists at time t, while an event
can be characterized either by a failure rate or failure frequency, or by the probability of the
event occurring by time t.
6.1.3 Fault tree for investigation of faults leading to other faults or events
Traditionally, a fault tree is constructed to investigate faults or events leading to an outcome.
This concept has been used for a long time in many industries, and is particularly effective
and widely applied in the nuclear industry. In this manner, it is a powerful and invaluable tool
for investigation of potential problems, events, improvements and other preventive measures
that preclude or mitigate an undesirable outcome.
An outcome, success or fault, is investigated, and the states or events leading to this outcome
investigated, their probability of existence or occurrence determined, and the fault tree model
constructed appropriately that would lead to the probability of existence or occurrence of the
assumed outcome.
In this application, the fault tree is constructed and evaluated as described in Clause 7,
having in mind that the outcome is characterized by probability of fault existence or event
occurrence, and is not related to reliability of the analysed item or a system.
It is possible that the basic or any other events in this type of analysis are not given any real
probability value, and are only used in investigation of an event that potentially might take
place (Method A). In such a case, they might be marked with a descriptive probability of “high,
medium, or low”, and are evaluated as potential contributors to the top event or fault. Such
types of fault trees are often used for identification of a primary fault or event that was the
single or a major contributor to the top fault or event, and are used in a vast variety of
industries: automotive, nuclear, manufacturing plants, etc.
6.1.4 FTA use in reliability assessment and improvement during product development
In this application, which is based on FTA Method B, a fault tree can model the entire
product, or parts of a product that might pose a risk to its reliability or operational safety. In
this case, the Method B probability of occurrence can be determined in a traditional manner,
such as in the analysis of a safety-related fault or event of a product, or the detailed analysis
of potential product failure within a certain time period may lead to an expression of its
unreliability or probability of failure within that period of interest. In this application, the fault
tree methodology follows the principles of a top-down failure modes and effects analysis,
where each potential failure mode may result in an event or a fault leading to the product
failure.
The FTA is specifically convenient here as the modelling can reflect the dynamics of events in
a product, software/hardware interaction, as well as the interaction between faults or events
representing the potential failure modes. This interaction is not possible to represent in a
regular FMEA, and is very difficult to model using traditional reliability block diagrams. Also,
the product reliability estimates are more realistic, as only the failure modes that contribute to
failure of a product, as defined, are considered.
The development of a fault tree should start early in the system design stage and be
continued in all of the development stages of a product. The evolution of the fault tree should
be such that it reflects the progress of the design. Thus an increased understanding of the
failure modes will be obtained as the design proceeds. "Analysis concurrent with design"
allows for early systems design change. Many fault trees will be large, in which case fault tree
analysis software may be needed to handle them. Software is available to facilitate analysis
and allow easy and quick estimates of probability of occurrence of the top event. There are
many FTA software programs available and perhaps many more being created. All of them
are sufficiently different to suit the needs of a specific use.
It is important to note that fault tree events are not confined solely to software or hardware
failures, but include their interaction and other factors, e.g. human factors or actions and
processes that are relevant to the top event.
Where quantitative analysis is carried out, but the probability of occurrence of some events
cannot be determined, even if the faults or events (failures) are systematic, those events and
their functional (logic) combination should be included in the analysis. In this case, these
failure modes will not be accounted for in the reliability (or probability of failure) prediction,
but their existence is accounted for even in the qualitative manner.
In order to use the fault tree technique effectively as a method for system analysis, the
procedure should consist of at least the following steps:
– definition of the scope of the analysis;
– familiarization with the design, functions and operation of the system;
– definition of the top event;
– construction of the fault tree;
– analysis of the fault tree logic;
– reporting on results of the analysis;
– assessment of reliability improvements and trade-offs.
If a numerical analysis is planned, it will be necessary to define a technique for numerical
assessment of primary event probabilities or other attributes such as failure intensity, mean
time between failures (MTBF) or mean time to failure (MTTF), etc. The selection of the data
to be used and numerical evaluation of the reliability or un-reliability measures are outside the
...


INTERNATIONAL STANDARD IEC 61025
Second edition
2006-12
Fault tree analysis (FTA)

This French version is derived from the original bilingual publication, from which the
English pages have been removed. The missing page numbers are those of the removed
pages.
Reference number
CEI 61025:2006(F)
CONTENTS
FOREWORD 6
INTRODUCTION 10
1 Scope 12
2 Normative references 12
3 Terms and definitions 12
4 Symbols 18
5 General 20
5.1 Fault tree structure and description 20
5.2 Objectives 22
5.3 Applications 22
5.4 Combinations with other reliability analysis techniques 24
6 Development and evaluation 28
6.1 General considerations 28
6.2 System information required 34
6.3 Fault tree structure and graphical description 36
7 Fault tree development and evaluation 38
7.1 General 38
7.2 Scope of the analysis 38
7.3 Familiarisation with the system 38
7.4 Fault tree development 38
7.5 Fault tree construction 40
7.6 Failure rates in fault tree analysis 74
8 Identifiers and labels in a fault tree 74
9 Report 76

Annex A (informative) Symbols 80
Annex B (informative) Detailed disjointing procedure 94

Bibliography 102

Figure 1 – Explanation of the definitions used in fault tree analyses 18
Figure 2 – Fault tree representation of a series structure 44
Figure 3 – Fault tree representation of active parallel redundancy 46
Figure 4 – An example of a fault tree showing different gate types 50
Figure 5 – Rectangular gate and event representation 52
Figure 6 – An example of a fault tree containing a transfer event and a repeated event 54
Figure 7 – Example showing common-cause annotations in a rectangular gate representation 54
Figure 8 – Example of a bridge circuit to be analysed by fault tree 62
Figure 9 – Fault tree representation of the bridge circuit 64
Figure 10 – Bridge system FTA – Esary Proschan, no disjointing 68
Figure 11 – Bridge system failure probability calculated with the rare-event approximation 70
Figure 12 – Probability of occurrence of the top event with disjointing 72
Figure A.1 – Example of a PAND gate 92

Table A.1 – Commonly used fault tree symbols 80
Table A.2 – Common symbols for events and event description 86
Table A.3 – Static gates 88
Table A.4 – Dynamic gates 90
INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
FAULT TREE ANALYSIS (FTA)

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization
comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to
promote international co-operation on all questions concerning standardization in the electrical and
electronic fields. To this end and in addition to other activities, IEC publishes International Standards,
Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter
referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC
National Committee interested in the subject dealt with may participate in this preparatory work.
International, governmental and non-governmental organizations liaising with the IEC also participate in
this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in
accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has
representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly
indicated in the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts
and members of its technical committees and IEC National Committees for any personal injury, property
damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal
fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other
IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications
is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61025 has been prepared by IEC technical committee 56: Dependability.
The text of this standard is based on the following documents:
FDIS: 56/1142/FDIS
Report on voting: 56/1162/FDIS
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This second edition cancels and replaces the first edition published in 1990. It constitutes a
technical revision.
The main changes with respect to the previous edition are as follows:
– addition of detailed explanations of fault tree methodologies;
– addition of quantitative and reliability aspects of Fault Tree Analysis (FTA);
– extension of the relationship with other dependability techniques;
– addition of examples of the analyses and methods explained in this standard;
– update of the commonly used symbols.
Clause 7 on analyses has been modified to treat traditional logical fault tree analysis
separately from the quantitative analysis that has been used for many years to improve
product reliability during development.
Some parts previously included in the body of this standard have been moved to Annexes A
and B.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until the
maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the
data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
FTA is used to identify and analyse the conditions and factors that cause, may potentially
cause, or contribute to the occurrence of a defined undesirable event. For FTA, this event is
generally a failure or a degradation of system performance, safety or other important functional
attributes, whereas with success tree analysis (STA) the event is the attribute describing
success.
FTA is often applied to the safety analysis of systems (such as transportation systems, power
plants, or any other system that may require an evaluation of the safety of its operation). Fault
tree analysis may also be used for availability and maintainability analyses. However, in the
remainder of this standard, for simplicity, the term reliability is used to represent these aspects
of system performance.
Two FTA approaches are addressed in this standard. One is a qualitative approach, in which
the probability of the events and of their contributing factors (the input events), or their
frequency of occurrence, is not addressed. This approach is a detailed analysis of
events/faults and is known as qualitative or traditional FTA. It is widely used in nuclear
industry applications and in many other instances where the potential causes (faults) are
sought regardless of their frequency of occurrence. Sometimes certain events in the traditional
analysis are studied quantitatively, but these calculations are decoupled from any overall
reliability concept, in which case no attempt is made to calculate overall reliability using FTA.
The second approach, adopted by many industries, is largely quantitative, in the case of FTAs
that model a complete product, process or system and in which the great majority of basic
events (faults or events) have a probability of occurrence determined by analysis or test. In
this case the end result is the probability of occurrence of a top event representing the
reliability or the probability of a fault or a failure.

FAULT TREE ANALYSIS (FTA)

1 Scope
This International Standard describes fault tree analysis and provides guidance on its
application as follows:
– definition of the basic principles;
– definition and explanation of the associated mathematical modelling;
– explanation of the relationship between FTA and other reliability modelling techniques;
– description of the steps involved in performing FTA;
– identification of appropriate assumptions, events and failure modes;
– identification and description of commonly used symbols.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050(191), International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability
and quality of service.
IEC 61165, Application of Markov techniques
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050(191) apply.
In fault tree methodology and its applications, many terms are used to better explain the
purpose of the analysis or the thought process that such an analysis reflects. These are terms
also used as synonyms for those considered analytically correct by various authors. The
following additional terms are used in this standard.

3.1
outcome
result of an action or other input; consequence of a cause
NOTE 1 An outcome can be an event or a state. In a fault tree, an outcome of a combination of corresponding
input events represented by a gate can be either an intermediate event or a top event.
NOTE 2 In a fault tree, an outcome can also be an input to an intermediate event, or it can be a top event.
3.2
top event
outcome of combinations of all input events
NOTE 1 It is the event of interest under which a fault tree is developed. The top event is often referred to as
the final event, or the top outcome.
NOTE 2 The top event is predefined and is the starting point of a fault tree. It occupies the highest position
in the hierarchy of events.
3.3
final event
final result of combinations of all intermediate and basic input events
NOTE It is a result of input events or states (see 3.2).
3.4
top outcome
outcome that is investigated by constructing the fault tree
NOTE Final result of combinations of all intermediate and basic input events; it is a result of input events or
states (see 3.2).
3.5
gate
symbol that is used to establish a symbolic link between the output event and the
corresponding inputs
NOTE A given gate symbol reflects the type of relationship required between the input events for an output
event to occur.
3.6
cut set
group of outcomes (or events) which, if they all occur, would cause the top event to occur
3.7
minimal cut set
minimum, or smallest, set of events that must occur in order to cause the top event
NOTE The non-occurrence of any one of the events in the set would prevent the occurrence of the top event.
3.8
event
occurrence of a condition or an action
3.9
basic event
event or state that cannot be developed further
3.10
primary event
event located at the bottom of the fault tree
NOTE In this standard, a primary event may mean a basic event that cannot be developed further, or an event
which, although it is the product of groups of events and gates, may be developed elsewhere or not developed at
all (undeveloped event).
3.11
intermediate event
event that is neither a top event nor a primary event
NOTE It is generally the result of one or more primary events and/or other intermediate events.
3.12
undeveloped event
event that has no input events
NOTE In the analysis it is not developed, for various possible reasons such as the lack of more detailed
information, or it is developed in another analysis and then annotated in the current analysis as undeveloped.
One example of undeveloped gates would be Commercial Off The Shelf items, or COTS.
3.13
single point failure (event)
failure which, if it occurs, would cause the overall system to fail or would by itself be the
cause of the unfavourable top event (outcome), independently of other events or their
combinations
3.14
common cause events
different events in a system or a fault tree that have the same cause of occurrence
NOTE An example of such an event would be the cracking of ceramic capacitors due to flexing of the printed
board; consequently, even though they are different capacitors with different functions in the design, their
cracking would cause the same thing: the same input event.
3.15
common cause
cause of occurrence of multiple events
NOTE In the example above, board flexing would be the intermediate event, which itself results from multiple
events such as environmental shock, vibration, or manual breaking of the printed board during product
manufacture.
3.16
replicated or repeated event
event that is an input to more than one higher-level event
NOTE This event may be a common cause or a failure mode of a component shared by more than one part of
the design.
Figure 1 illustrates the above definitions. This figure contains annotations and event
descriptions to better explain the practical application of a fault tree. Graphical explanations
of cut sets or minimal cut sets are omitted from Figure 1 in order to simplify the graphical
representation of the other relevant terms. The symbols in Figure 1 and in all subsequent
figures look somewhat different from those in Tables A.1, A.2, A.3 and A.4 because of the box
added above the gate symbol for the description of the individual events.
[Figure 1 – Explanation of the definitions used in fault tree analyses. Graphic not reproduced;
the annotated tree shows a top event “System outside its specification or not operational”
(OR gate, labelled as top event, final event and unfavourable top outcome: system failure), fed
by two intermediate events: “No voltage or inadequate voltages” (power supply) and “No data
processing or inadequate data processing” (microprocessor, drawn as a transfer gate developed
elsewhere in the fault tree). The power-supply branch develops through an OR gate (“No
voltage at the accumulator output”, “Unfiltered accumulator voltage”) and an AND gate (“The
system delivers neither output”: Output 1 unavailable AND Output 2 unavailable, the outputs
being undeveloped events), down to basic events for the input inductance failing open circuit
and the filter capacitor short-circuiting the accumulator to ground, each split into a
manufacturing defect and a random failure (labels Open circuit_L1, Short circuit_C1,
Solder_L1, Break_L1, Solder short circuit_C1, Crack_C1). The annotations explain that an OR
gate represents the occurrence of any one of its input events or states, and an AND gate the
occurrence of all of them; the existence of two input states results in the output state.
Figure identifier IEC 2118/06.]

NOTE The symbols in Figure 1 and in all other figures may differ noticeably from the symbols presented in Annex A. This is due to the description boxes added to better explain the relationship between the various events.
4 Symbols
The graphical representation of a fault tree requires a consistent set of symbols, identifiers and labels. Symbols vary with user preference and with the software package used, if any. General guidance is given in Clause 8 and in Annex A.
Other symbols used in this standard are standardised dependability symbols such as F(t), or simply the probability of occurrence of an event, F. For this reason, no separate list of symbols is provided.

5 General
5.1 Fault tree structure and description
Fault tree analysis (FTA) is one of several dependability analysis methods. Before starting an FTA, the analyst should consider the purpose of each method and its applicability, alone or in combination, to evaluating the flow of events or states that would cause an outcome, or the reliability or availability of a given system or component. The advantages and drawbacks of each method and of their respective outputs should be considered, as should the data needed to perform the analysis, the complexity of the analysis, and the other factors identified in this standard.
A fault tree is an organised graphical representation of the conditions or factors causing or contributing to the occurrence of a defined undesirable event, called the "top event". When the outcome is a success, the fault tree becomes a success tree, in which the input events are those contributing to the top success event. The representation is presented in a form that is clearly understandable, analysable and, where necessary, adaptable, to facilitate identification of:
– the factors affecting the top event under study, as in most traditional fault tree analyses;
– the factors affecting the reliability and the functional characteristics of the system, when the FTA technique is used for reliability analysis, for example design deficiencies, environmental or operational stresses, component failure modes, operator errors, software errors;
– events affecting more than one functional component, which could cancel the benefit of specific redundancies or affect two or more parts of a product that might otherwise appear operationally unrelated or independent (common cause events).
Fault tree analysis is a deductive (top-down) analysis method whose purpose is to reveal the causes, or combinations of causes, that can produce the defined top event. The analysis may be qualitative or quantitative, depending on its scope.
A fault tree can be developed as its complement, the success tree analysis (STA), when the top event is a success and its inputs have contributed to the (desired) success.
Where the probability of occurrence of the primary events cannot be estimated, a qualitative FTA can be used to search for the causes of potential undesirable outcomes, with each primary event carrying a descriptive indication of its likelihood of occurrence such as "highly probable", "very probable", "medium probability", "remote probability", and so on. The first purpose of a qualitative FTA is to identify the minimal cut sets, so as to determine the ways in which the primary or basic events influence the top event.
A quantitative FTA can be used when the probabilities of the basic events are known. The probabilities of occurrence of all intermediate events and of the top event (outcome) can then be calculated. Quantitative FTA is also very useful in the reliability analysis of a product or system during its development.
FTA can be used to analyse systems having complex interactions between subsystems, including software/hardware interactions.

5.2 Objectives
FTA may be undertaken alone or in combination with other reliability analyses. Its objectives are:
– to identify the causes or combinations of causes leading to the top event;
– to determine whether a given reliability characteristic of the system meets a stated requirement;
– to determine which potential failure mode(s) or factor(s) would contribute most to the probability of system failure (insufficient reliability) or, where a system is repairable, to the impossibility of improving system reliability;
– to analyse and compare the various design alternatives, in order to improve system reliability;
– to demonstrate that the assumptions made in other analyses (such as Markov and FMEA) are valid;
– to identify potential failure modes that could give rise to a safety problem, and to assess the corresponding probability of occurrence and the possibility of reducing it;
– to identify common events (for example the middle branch of a bridge circuit, see Figure 10);
– to search for the event, or combinations of events, most likely to cause the top event to occur;
– to assess the impact (importance) of the occurrence of a primary event on the probability of the top event;
– to calculate event probabilities;
– to calculate the availability and failure rates of the system, or of its components represented by a fault tree, and to assess whether steady-state conditions can be established and whether any repairs are independent of one another (the same limitation as for the success path diagram / reliability block diagram).
5.3 Applications
FTA is particularly suited to the analysis of systems made up of several subsystems that are dependent or functionally related. The benefits of FTA are clear when a system design is the product of several independent, specialised engineering design groups and the partial FTAs are linked together. Fault tree analysis is commonly applied in the design of nuclear power plants, transport systems, communication systems, chemical and other industrial processes, railway networks, audio and video equipment, medical systems, computer systems, and so on. Fault tree analysis is also of particular interest when applied to systems comprising components of different kinds and their interactions (mechanical, electronic and software components) that cannot be modelled by other techniques. One example would be a combination of events in which the order of occurrence is essential, such as vibration-induced fatigue causing cracks and component failures.
FTA has many uses as a tool, among them:
– determining the relevant logical combination of events leading to the top event, and their potential prioritisation;
– studying a system under development and anticipating, or preventing and mitigating, the potential causes of an undesired top event;
– analysing a system, determining its reliability, identifying the main contributors to its reliability and evaluating design changes;
– supporting probabilistic risk assessment efforts.
FTA can be applied to all new or modified products in all design phases, as an analytical tool for identifying potential design problems, including the early phases in which detailed design information is incomplete. This early work can then be continued as more information on the design of the system and of its components becomes available. FTA also addresses potential problems that may arise from the physical design of the product, from environmental or operational stresses, from flaws in the product's manufacturing processes, and from operating and maintenance procedures.
5.4 Combinations with other reliability analysis techniques
5.4.1 Combining FTA with failure modes and effects analysis (FMEA)
This combination of analyses is often recommended by sector-specific standards, in particular safety standards and standards for modes of transport. The benefits of a combined analysis are:
– FTA is a top-down method and FMEA a bottom-up method; confronting deductive and inductive reasoning is regarded as a good argument for ensuring the completeness of an analysis;
– safety standards often require both a single-failure analysis and a multiple-failure analysis, the first requirement being met by FMEA; single- and multiple-failure analyses are both accomplished by FTA;
– FMEA is also a useful method for the detailed identification of basic events or hazards, whereas FTA is a practical method for the causal analysis of undesirable events.
In addition, there is a simple consistency check between FMEA and FTA:
– every single failure identified in the FMEA as leading to the top event of the fault tree must also appear there as a single-point failure (a minimal cut set consisting of one event);
NOTE A single-point failure is a failure which, if it occurs, causes failure of the whole system.
– every single-point failure identified in the FTA should appear as such in the FMEA.
The value of this consistency check is increased if the two analyses are carried out separately and independently. This is particularly important in safety analyses.
The IEC standard that explains this methodology is IEC 60300-3-1.
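The qualitative analysis described in 5.1 (minimal cut sets as the first product of a Method A analysis, with descriptive likelihoods on the basic events) and the FMEA cross-check of 5.4.1 share one mechanism: reducing the gate tree to its minimal cut sets and reading off the one-event cut sets. The example below is added here and is not part of IEC 61025; the gate tree, the repeated event VIB, the likelihood scale and the FMEA extract are all constructed for the illustration, loosely following the power-supply/microprocessor unit of Figure 1. It shows why Boolean absorption matters when an event is repeated (3.16): VIB feeds both filter outputs, so the AND gate between them collapses to the single-point failure {VIB}, which a naive expansion would hide inside two-event cut sets.

```python
from itertools import product

# Added example, not IEC 61025 text.  Gate tree of a hypothetical unit loosely modelled
# on Figure 1: name -> (gate, inputs); names absent from the dict are basic events.
# VIB ("vibration damage") is a repeated event feeding both filter outputs.
TREE = {
    "TOP":          ("OR",  ["PSU", "CPU_FAIL"]),        # system out of spec / not operational
    "PSU":          ("OR",  ["NO_BATT", "UNFILTERED"]),  # no voltage or inadequate voltage
    "UNFILTERED":   ("AND", ["OUT1_UNAVAIL", "OUT2_UNAVAIL"]),
    "OUT1_UNAVAIL": ("OR",  ["L1_OPEN", "VIB"]),
    "OUT2_UNAVAIL": ("OR",  ["C1_SHORT", "VIB"]),
}

def cut_sets(tree, node):
    """All cut sets of `node` (not yet minimal), each a frozenset of basic events."""
    if node not in tree:                      # a basic event is its own one-event cut set
        return [frozenset([node])]
    gate, inputs = tree[node]
    child_sets = [cut_sets(tree, i) for i in inputs]
    if gate == "OR":                          # any input's cut set already causes the output
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                         # one cut set from every input is needed
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unsupported gate {gate!r} at {node}")

def minimal_cut_sets(tree, top="TOP"):
    """Boolean reduction: duplicates collapse in the set, then absorption drops every cut
    set that contains another one.  With the repeated event VIB this turns {L1_OPEN, VIB}
    and {C1_SHORT, VIB} into the single-point failure {VIB}."""
    sets = set(cut_sets(tree, top))
    return sorted((cs for cs in sets if not any(other < cs for other in sets)),
                  key=lambda cs: (len(cs), sorted(cs)))

def single_point_failures(mcs):
    return {next(iter(cs)) for cs in mcs if len(cs) == 1}

# Assumed qualitative scale for a Method A analysis.  Ranking rule (an assumption of this
# example, not a rule of the standard): a cut set is rated by its least likely member,
# because every member must occur for the cut set to occur.
LIKELIHOOD = {"CPU_FAIL": 2, "NO_BATT": 0, "VIB": 1, "L1_OPEN": 3, "C1_SHORT": 3}
SCALE = {0: "remote", 1: "medium", 2: "very probable", 3: "highly probable"}

def rank_cut_sets(mcs, likelihood):
    return sorted(mcs, key=lambda cs: -min(likelihood[e] for e in cs))

# Constructed FMEA extract: (item, failure mode, end effect).  "system" marks a failure
# the FMEA worksheet classifies as causing loss of the whole unit.
FMEA = [
    ("battery",      "NO_BATT",       "system"),
    ("cpu",          "CPU_FAIL",      "system"),
    ("inductor L1",  "L1_OPEN",       "output 1 unavailable"),
    ("capacitor C1", "C1_SHORT",      "output 2 unavailable"),
    ("connector",    "CONN_CORRODED", "system"),
]

def consistency_check(tree, fmea, top="TOP"):
    """The 5.4.1 cross-check: single failures the FMEA says reach the top event must be
    single-point failures of the tree, and vice versa.  Returns both discrepancy sets."""
    fta_spf = single_point_failures(minimal_cut_sets(tree, top))
    fmea_spf = {mode for _, mode, effect in fmea if effect == "system"}
    return {"missing_in_fta": fmea_spf - fta_spf,     # FMEA knows it, the tree does not
            "missing_in_fmea": fta_spf - fmea_spf}    # the tree knows it, the FMEA does not

if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    for cs in rank_cut_sets(mcs, LIKELIHOOD):
        print(sorted(cs), SCALE[min(LIKELIHOOD[e] for e in cs)])
    print(consistency_check(TREE, FMEA))
```

Run against the constructed data, the check reports CONN_CORRODED as a system-level single failure known to the FMEA but absent from the tree, and VIB as a single-point failure of the tree that the FMEA never recorded; both are exactly the kind of finding the two analyses are combined to surface. Note that the product expansion in `cut_sets` is exponential in the depth of nested AND gates; it is adequate for hand-sized trees, whereas large trees call for BDD or truncated methods (5.4.4).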
5.4.2 Combining FTA with event tree analysis (ETA)
Any undesirable event could be analysed by FTA. In some cases, however, this may not be appropriate, for several reasons:
– it is sometimes simpler to develop sequences of events than causal relationships;
– the resulting trees can become very wide;
– the different parts of the analysis are often led by independent teams.
To arrive at a practical procedure, it is often not the undesired top event that is defined first, but the potentially undesirable events at the interface between the operational domain and the technical domain.
As an illustration, consider, for a space mission, the undesired top event "loss of crew or vehicle". Rather than building one large fault tree based on "loss of crew or vehicle", undesired intermediate events such as "ignition failure" or "engine failure" can be defined as top events and analysed as separate fault trees. These reduced top events can then be used as inputs to an event tree, in order to analyse the operational consequences.
This combination of ETA and FTA is sometimes referred to as cause-consequence analysis (CCA).
5.4.3 Combining FTA with Markov analysis
An FTA that is purely a combination of static events (timing and the sequence of the event combination are neither considered nor modelled: static gates) generally evaluates systems without regard to the order in which events occur. It is possible, however, to extend static FTA by defining additional gates that represent Markov models. These gates are called "dynamic" gates and include the PRIORITY AND, SEQUENTIAL and SPARE gates. For such gates, the probability of failure at a time t has to be evaluated using the appropriate Markov model or simulation. Once evaluated, the dynamic gate and its inputs can be replaced by a single primary event whose probability of occurrence is the one calculated by the Markov analysis. Some commercial software packages allow dynamic gates to be modelled and can compute the probability of occurrence of the event the gate represents. An example of a PRIORITY AND dynamic gate is given in Annex A.
The static and dynamic gates of a fault tree are used on the assumption that the individual events are independent (unless they are defined as common). Particular attention must however be paid to the independence properties between the events in the Markov model and the events in the fault tree.
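The substitution described above, a PRIORITY AND gate evaluated by its Markov model and then replaced by a single primary event, is worked through below for two inputs with constant failure rates. This is an added example and not part of IEC 61025 or of Annex A; the rates and the mission time are assumptions. The four-state Markov model is integrated numerically and checked against the closed form obtained by conditioning on the failure time of A, and the result is compared with what a static AND gate would give for the same inputs.

```python
import math

# Added example, not IEC 61025 text.  Inputs A and B fail at constant rates (assumed values
# at the bottom, per hour).  The PAND gate output is true only if A fails before B.

def pand_probability_closed_form(lam_a, lam_b, t):
    """P(A failed, then B failed, both by time t).  Integrate over A's failure time a:
    int_0^t lam_a e^{-lam_a a} * P(a < T_B <= t) da, with T_B exponential(lam_b)."""
    s = lam_a + lam_b
    return ((lam_a / s) * (1.0 - math.exp(-s * t))
            - math.exp(-lam_b * t) * (1.0 - math.exp(-lam_a * t)))

def pand_probability_markov(lam_a, lam_b, t, steps=20000):
    """Same quantity from the Markov model the gate stands for: integrate the Kolmogorov
    forward equations dp/dt = p Q with a fixed-step RK4 scheme.
    States: 0 = A and B working, 1 = A failed first, 2 = B failed first (the gate can
    never fire afterwards, so the state is made absorbing), 3 = A then B (gate true)."""
    q = [[-(lam_a + lam_b), lam_a, lam_b, 0.0],
         [0.0, -lam_b, 0.0, lam_b],
         [0.0, 0.0, 0.0, 0.0],
         [0.0, 0.0, 0.0, 0.0]]
    def rate(p):                                   # p Q: net flow into each state
        return [sum(p[i] * q[i][j] for i in range(4)) for j in range(4)]
    p, h = [1.0, 0.0, 0.0, 0.0], t / steps
    for _ in range(steps):
        k1 = rate(p)
        k2 = rate([p[i] + 0.5 * h * k1[i] for i in range(4)])
        k3 = rate([p[i] + 0.5 * h * k2[i] for i in range(4)])
        k4 = rate([p[i] + h * k3[i] for i in range(4)])
        p = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(4)]
    return p[3]

def static_and_probability(lam_a, lam_b, t):
    """What a static AND gate gives for the same inputs: the order of failure is ignored,
    so this equals PAND(A before B) + PAND(B before A)."""
    return (1.0 - math.exp(-lam_a * t)) * (1.0 - math.exp(-lam_b * t))

def pand_as_basic_event(name, lam_a, lam_b, t):
    """The replacement primary event for the static tree, as 5.4.3 prescribes."""
    return {"name": name, "probability": pand_probability_markov(lam_a, lam_b, t)}

if __name__ == "__main__":
    LAM_A, LAM_B, T = 2.0e-4, 1.0e-4, 5000.0       # assumed rates (1/h) and mission time (h)
    print("PAND (closed form):", pand_probability_closed_form(LAM_A, LAM_B, T))
    print("PAND (Markov/RK4): ", pand_probability_markov(LAM_A, LAM_B, T))
    print("static AND:        ", static_and_probability(LAM_A, LAM_B, T))
    print(pand_as_basic_event("A_BEFORE_B", LAM_A, LAM_B, T))
```

Two properties worth checking whenever a dynamic gate is folded into a static tree: the PAND probability must never exceed the static AND probability for the same inputs (modelling the gate as a plain AND is conservative but can be badly pessimistic), and the two orderings must sum to the static AND value, which confirms the Markov states were defined as mutually exclusive. The independence caveat of the clause applies unchanged: the replacement event is only valid if A and B do not also appear elsewhere in the tree.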
5.4.4 Combining FTA with binary decision diagram (BDD) techniques
Calculating the probability of occurrence of the top event of a fault tree with many cut sets requires probability calculations for every combination of cut sets. Because of its high complexity, this calculation is often truncated. A binary decision diagram (BDD) can be constructed recursively from a fault tree and provides an efficient and exact method of calculation. The method is well explained in the NASA Fault Tree Handbook with Aerospace Applications, version 1.1 [1].
The BDD approach is useful when truncation of the cut set probability calculations leads to an unacceptable loss of accuracy, or when the FTA solution takes too long, in particular when many high-probability events appear in the model. Because the minimal paths generated by the BDD approach are disjoint (see 7.5.5.4), importance and sensitivity calculations can also be performed efficiently and exactly.
—————————
Figures in square brackets refer to the bibliography.
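The following is an added example, not part of IEC 61025, of the BDD calculation just described, applied to a five-component bridge network of the kind used for the standard's Figures 8 to 12 (the component names, the path list, the minimal cut sets and the failure probabilities below are assumptions made for the illustration). Because every path from the BDD root to the 1 terminal is disjoint from every other, the top-event probability is the plain sum of the path probabilities, and each node is evaluated once. The same evaluator also yields the Birnbaum importance of 5.2 (the sensitivity of the top-event probability to one basic event) by evaluating with that event forced failed and forced working. For comparison, the rare-event sum and the Esary-Proschan bound are computed from the minimal cut sets, which is the truncated route the clause warns about.

```python
import math

# Added example, not IEC 61025 text.  Bridge with components A, B (left), C (bridge),
# D, E (right); the system fails when every left-to-right path is cut.  All names,
# paths, cut sets and probabilities are assumptions for this illustration.
BRIDGE_TREE = {
    "TOP":   ("AND", ["P_AD", "P_BE", "P_ACE", "P_BCD"]),   # all paths fail
    "P_AD":  ("OR",  ["A", "D"]),      # a path fails when any component on it fails
    "P_BE":  ("OR",  ["B", "E"]),
    "P_ACE": ("OR",  ["A", "C", "E"]),
    "P_BCD": ("OR",  ["B", "C", "D"]),
}
BRIDGE_MCS = [{"A", "B"}, {"D", "E"}, {"A", "C", "E"}, {"B", "C", "D"}]  # minimal cut sets

class BDD:
    """Minimal reduced ordered BDD: ids 0 and 1 are the terminals, others index `table`."""
    def __init__(self, order):
        self.order = list(order)                  # variable ordering drives BDD size
        self.index = {v: i for i, v in enumerate(order)}
        self.table = [None, None]                 # id -> (var_index, low, high)
        self.unique = {}                          # (var_index, low, high) -> id
        self.cache = {}                           # apply() memo

    def mk(self, i, low, high):
        if low == high:                           # redundant test: drop the node
            return low
        key = (i, low, high)
        if key not in self.unique:                # hash-consing: one node per sub-function
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def apply(self, op, u, v):
        key = (op, u, v)
        if key not in self.cache:
            if u < 2 and v < 2:                   # both terminals: plain Boolean op
                r = (u & v) if op == "AND" else (u | v)
            else:                                 # Shannon expansion on the top variable
                iu = self.table[u][0] if u > 1 else len(self.order)
                iv = self.table[v][0] if v > 1 else len(self.order)
                i = min(iu, iv)
                ul, uh = self.table[u][1:] if iu == i else (u, u)
                vl, vh = self.table[v][1:] if iv == i else (v, v)
                r = self.mk(i, self.apply(op, ul, vl), self.apply(op, uh, vh))
            self.cache[key] = r
        return self.cache[key]

    def build(self, tree, node):
        """Translate a gate tree (name -> (gate, inputs)) into a BDD rooted at `node`."""
        if node not in tree:                      # basic event x: low = 0, high = 1
            return self.mk(self.index[node], 0, 1)
        gate, inputs = tree[node]
        root = self.build(tree, inputs[0])
        for inp in inputs[1:]:
            root = self.apply(gate, root, self.build(tree, inp))
        return root

    def probability(self, root, p):
        """Exact P(top) for independent basic events.  The low and high branches of a node
        are disjoint events, so their probabilities simply add; each node is visited once."""
        memo = {}
        def walk(n):
            if n < 2:
                return float(n)
            if n not in memo:
                i, low, high = self.table[n]
                q = p[self.order[i]]
                memo[n] = q * walk(high) + (1.0 - q) * walk(low)
            return memo[n]
        return walk(root)

def rare_event(mcs, p):
    """Sum of minimal-cut-set probabilities: an upper bound, usable only if every P(C_i) << 1."""
    return sum(math.prod(p[e] for e in cs) for cs in mcs)

def esary_proschan(mcs, p):
    """1 - prod(1 - P(C_i)): a tighter upper bound, exact only for disjoint cut sets."""
    return 1.0 - math.prod(1.0 - math.prod(p[e] for e in cs) for cs in mcs)

def birnbaum_importance(bdd, root, p, event):
    """dP(top)/dp_event = P(top | event failed) - P(top | event working)."""
    return (bdd.probability(root, {**p, event: 1.0})
            - bdd.probability(root, {**p, event: 0.0}))

def bridge_results(q=0.1):
    """All figures for one common failure probability q per component (assumed value)."""
    bdd = BDD(["A", "B", "C", "D", "E"])
    root = bdd.build(BRIDGE_TREE, "TOP")
    p = {v: q for v in bdd.order}
    return {"exact": bdd.probability(root, p),
            "rare_event": rare_event(BRIDGE_MCS, p),
            "esary_proschan": esary_proschan(BRIDGE_MCS, p),
            "birnbaum_C": birnbaum_importance(bdd, root, p, "C"),
            "bdd_nodes": len(bdd.table) - 2}

if __name__ == "__main__":
    for k, v in bridge_results().items():
        print(f"{k:15s} {v}")
```

With q = 0,1 the exact top-event probability is 0,02152, the Esary-Proschan bound 0,02186 and the rare-event sum 0,022; the three coincide to the first significant figure here only because the basic events are improbable, and the gap widens quickly as q grows, which is the case the clause singles out for the BDD route. The Birnbaum importance of the bridge component C (0,0162) is what an analyst would compare across components to decide where redundancy buys the most.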

5.4.5 Combination with the reliability block diagram
A reliability block diagram consists of blocks or modules representing a group of components or of failure modes. These groups are normally formed according to the functional block diagram of a product, system or process. Each module has either a given failure rate, or a calculated reliability or probability of failure for a given use or operational profile. Traditionally, the blocks should have a failure rate equal to the sum of the failure rates of the individual components; in this way, the functional interaction of the components within a module is not considered.
To increase the accuracy of the functional modelling within a block (software/hardware interaction, interaction of mechanical parts), the reliability of certain blocks can be modelled with a fault tree, and the resulting information on the probability of occurrence for those blocks can then be assigned to the specific block within the reliability block diagram. In this way, reliability block diagrams, which normally assume independence of the component failures within a block, will give a more realistic prediction.
6 Development and evaluation
6.1 General considerations
6.1.1 Overview
A fault tree is an organised graphical representation of the conditions or factors causing or contributing to the occurrence of a defined undesirable event, called the "top event". The representation is presented in a form that is clearly understandable, analysable and, where necessary, adaptable, to facilitate identification of:
– the factors affecting the reliability and other performance characteristics of the system. These factors include, for example, design deficiencies, environmental or operational stresses, component failure modes, operator errors and software faults;
– common events that may contribute to more than one intermediate event outcome in a fault tree, for example common events affecting more than one functional component, which could cancel the benefit of specific redundancies or affect two or more parts of a product that might otherwise appear operationally unrelated.
Fault tree analysis is a deductive (top-down) analysis method whose purpose is to reveal the causes, or combinations of causes, that can produce the defined top event. The analysis may be qualitative (Method A) or quantitative (Method B), depending on its scope.
Where the probability of occurrence of the basic events cannot be estimated, a qualitative FTA (Method A) can be used to search for the causes of potential undesirable outcomes, with each basic event carrying a descriptive indication of its likelihood of occurrence such as "highly probable", "very probable", "medium probability", "
...


IEC 61025
Edition 2.0 2006-12
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Fault tree analysis (FTA)
Analyse par arbre de panne (AAP)

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
– Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
– IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
– Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
– Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XA
ICS 03.120.01; 03.120.99 ISBN 2-8318-8918-9

CONTENTS
FOREWORD .... 4
INTRODUCTION .... 6

1 Scope .... 7
2 Normative references .... 7
3 Terms and definitions .... 7
4 Symbols .... 10
5 General .... 11
5.1 Fault tree description and structure .... 11
5.2 Objectives .... 12
5.3 Applications .... 12
5.4 Combinations with other reliability analysis techniques .... 13
6 Development and evaluation .... 15
6.1 General considerations .... 15
6.2 Required system information .... 18
6.3 Fault tree graphical description and structure .... 19
7 Fault tree development and evaluation .... 20
7.1 General .... 20
7.2 Scope of analysis .... 20
7.3 System familiarization .... 20
7.4 Fault tree development .... 20
7.5 Fault tree construction .... 21
7.6 Failure rates in fault tree analysis .... 38
8 Identification and labelling in a fault tree .... 38
9 Report .... 39

Annex A (informative) Symbols .... 41
Annex B (informative) Detailed procedure for disjointing .... 48

Bibliography .... 52

Figure 1 – Explanation of terms used in fault tree analyses .... 10
Figure 2 – Fault tree representation of a series structure .... 23
Figure 3 – Fault tree representation of parallel, active redundancy .... 24
Figure 4 – An example of fault tree showing different gate types .... 26
Figure 5 – Rectangular gate and events representation .... 27
Figure 6 – An example fault tree containing a repeated and a transfer event .... 28
Figure 7 – Example showing common cause considerations in rectangular gate representation .... 28
Figure 8 – Bridge circuit example to be analysed by a fault tree .... 32
Figure 9 – Fault tree representation of the bridge circuit .... 33
Figure 10 – Bridge system FTA, Esary-Proschan, no disjointing .... 35
Figure 11 – Bridge system probability of failure calculated with rare-event approximation .... 36
Figure 12 – Probability of occurrence of the top event with disjointing .... 37
Figure A.1 – Example of a PAND gate .... 47

Table A.1 – Frequently used symbols for a fault tree .... 41
Table A.2 – Common symbols for events and event description .... 44
Table A.3 – Static gates .... 45
Table A.4 – Dynamic gates .... 46

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FAULT TREE ANALYSIS (FTA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61025 has been prepared by IEC technical committee 56:
Dependability.
The text of this standard is based on the following documents:
FDIS: 56/1142/FDIS
Report on voting: 56/1162/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This second edition cancels and replaces the first edition, published in 1990, and constitutes
a technical revision.
The main changes with respect to the previous edition are as follows:
– added detailed explanations of fault tree methodologies
– added quantitative and reliability aspects of Fault Tree Analysis (FTA)
– expanded relationship with other dependability techniques
– added examples of analyses and methods explained in this standard
– updated symbols currently in use
Clause 7, dealing with analysis, has been revised to address traditional logic fault tree
analysis separately from the quantitative analysis that has been used for many years already,
for reliability improvement of products in their development stage.
Some material included previously in the body of this standard has been transferred to
Annexes A and B.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
Fault tree analysis (FTA) is concerned with the identification and analysis of conditions and
factors that cause or may potentially cause or contribute to the occurrence of a defined top
event. With FTA this event is usually seizure or degradation of system performance, safety or
other important operational attributes, while with STA (success tree analysis) this event is the
attribute describing the success.
FTA is often applied to the safety analysis of systems (such as transportation systems, power
plants, or any other systems that might require evaluation of safety of their operation). Fault
tree analysis can be also used for availability and maintainability analysis. However, for
simplicity, in the rest of this standard the term “reliability” will be used to represent these
aspects of system performance.
This standard addresses two approaches to FTA. One is a qualitative approach, where the
probability of events and their contributing factors (input events) or their frequency of
occurrence is not addressed. This approach is a detailed analysis of events/faults and is
known as a qualitative or traditional FTA. It is largely used in nuclear industry applications
and many other instances where the potential causes or faults are sought out, without interest
in their likelihood of occurrence. At times, some events in the traditional FTA are investigated
quantitatively, but these calculations are dissociated from any overall reliability concepts, in
which case no attempt to calculate overall reliability using FTA is made. The second
approach, adopted by many industries, is largely quantitative, where a detailed FTA models
an entire product, process or system, and the vast majority of the basic events, whether faults
or events, have a probability of occurrence determined by analysis or test. In this case, the
final result is the probability of occurrence of a top event representing reliability or probability
of fault or a failure.
FAULT TREE ANALYSIS (FTA)
1 Scope
This International Standard describes fault tree analysis and provides guidance on its
application as follows:
– definition of basic principles;
– describing and explaining the associated mathematical modelling;
– explaining the relationships of FTA to other reliability modelling techniques;
– description of the steps involved in performing the FTA;
– identification of appropriate assumptions, events and failure modes;
– identification and description of commonly used symbols.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments) applies.
IEC 60050(191), International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability
and quality of service
IEC 61165, Application of Markov techniques
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050(191) apply.
In fault tree methodology and applications, many terms are used to better explain the intent of
analysis or the thought process behind such analysis. Some terms are also used as
synonyms for those that various authors consider analytically correct. The following
additional terms are used in this standard.
3.1
outcome
result of an action or other input; a consequence of a cause
NOTE 1 An outcome can be an event or a state. Within a fault tree, an outcome from a combination of
corresponding input events represented by a gate may be either an intermediate event or a top event.
NOTE 2 Within a fault tree, an outcome may also be an input to an intermediate event, or it can be the top event.
3.2
top event
outcome of combinations of all input events
NOTE 1 It is the event of interest under which a fault tree is developed. The top event is often referred to as the
final event, or as the top outcome.

NOTE 2 It is pre-defined and is a starting point of a fault tree. It has the top position in the hierarchy of events.
3.3
final event
final result of combinations of all of the input, intermediate and basic events
NOTE It is a result of input events or states (see 3.2).
3.4
top outcome
outcome that is investigated by building the fault tree
NOTE Final result of combinations of all of the input, intermediate and basic events; it is a result of input events
or states (see 3.2).
3.5
gate
symbol which is used to establish a symbolic link between the output event and the
corresponding inputs
NOTE A given gate symbol reflects the type of relationship required between the input events for the output event
to occur.
3.6
cut set
group of events that, if all occur, would cause occurrence of the top event
3.7
minimal cut set
minimum, or the smallest set of events needed to occur to cause the top event
NOTE The non-occurrence of any one of the events in the set would prevent the occurrence of the top event.
3.8
event
occurrence of a condition or an action
3.9
basic event
event or state that cannot be further developed
3.10
primary event
event that is at the bottom of the fault tree
NOTE In this standard, primary event can mean a basic event that need not be developed any more, or it can be
an event that, although a product of groups of events and gates, may be developed elsewhere, or may not be
developed at all (undeveloped event).
3.11
intermediate event
event that is neither a top event nor a primary event
NOTE It is usually a result of one or more primary and/or other intermediate events.

3.12
undeveloped event
event that does not have any input events
NOTE It is not developed in the analysis for various possible reasons, such as lack of more detailed information,
or it is developed in another analysis and then annotated in the current analysis as undeveloped. An example of
undeveloped gates could be Commercial Off The Shelf Items (or COTS).
3.13
single point failure (event)
failure event which, if it occurs, would cause overall system failure or would, by itself
regardless of other events or their combinations, cause the top unfavourable event (outcome)
3.14
common cause events
different events in a system or a fault tree that have the same cause for their occurrence
NOTE An example of such an event would be shorting of ceramic capacitors due to flexing of the printed circuit
board; thus, even though these might be different capacitors having different functions in their design, their
shorting would have the same cause – the same input event.
3.15
common cause
cause of occurrence of multiple events
NOTE In the above example it would be board flexing that itself can be an intermediate event resulting from
multiple events such as environmental shock, vibrations or manual printed circuit board breakage during product
manufacturing.
3.16
replicated or repeated event
event that is an input to more than one higher level event
NOTE This event can be a common cause or a failure mode of a component, shared by more than one part of a
design.
Figure 1 illustrates some of the above definitions. This figure contains annotations and
description of events to better explain the practical application of a fault tree. Omitted from
Figure 1 are the graphical explanations of cut sets or minimal cut sets, for simplicity of the
graphical representation of other pertinent terms. The symbols in Figure 1 and all of the
subsequent figures appear somewhat different to those in Tables A.1, A.2, A.3, and A.4
because of the added box above the gate symbol for description of individual events.

[Figure 1 (IEC 2118/06) not reproduced]
Figure 1 – Explanation of terms used in fault tree analyses
NOTE Symbols in Figure 1 and all other figures might slightly differ from the symbols shown in Annex A. This is
because description blocks are added to better explain the relationship of various events.
4 Symbols
The graphical representation of a fault tree requires that symbols, identifiers and labels be
used in a consistent manner. Symbols describing fault tree events vary with user preferences
and software packages, when used. General guidance is given in Clause 8 and in Annex A.
Other symbols used in this standard are standard dependability symbols such as F(t) or just
probability of an event occurring F. For that reason, a separate list of symbols is not provided.

5 General
5.1 Fault tree description and structure
Several analytical methods of dependability analysis are available, of which fault tree analysis
(FTA) is one. The purpose of each method and its individual or combined applicability in
evaluating the flow of events or states that would be the cause of an outcome, or reliability
and availability of a given system or component should be examined by the analyst before
starting FTA. Consideration should be given to the advantages and disadvantages of each
method and their respective products, data required to perform the analysis, complexity of
analysis and other factors identified in this standard.
A fault tree is an organized graphical representation of the conditions or other factors causing
or contributing to the occurrence of a defined outcome, referred to as the "top event". When
the outcome is a success, then the fault tree becomes a success tree, where the input events
are those that contribute to the top success event. The representation of a fault tree is in a
form that can be clearly understood, analysed and, as necessary, rearranged to facilitate the
identification of:
– factors affecting the investigated top event as it is carried out in most of the traditional
fault tree analyses;
– factors affecting the reliability and performance characteristics of the system, when the
FTA technique is used for reliability analysis, for example design deficiencies,
environmental or operational stresses, component failure modes, operator mistakes,
software faults;
– events affecting more than one functional component, which could cancel the benefits of
specific redundancies or affect two or more parts of a product that may otherwise seem
operationally unrelated or independent (common cause events).
Fault tree analysis is a deductive (top-down) method of analysis aimed at pinpointing the
causes or combinations of causes that can lead to the defined top event. The analysis can be
qualitative or quantitative, depending on the scope of the analyses.
A fault tree can be developed as its complement, the success tree (STA), where the
top event is a success, and its inputs are contributors to the success (desired) event.
In cases where the probability of occurrence of the primary events cannot be estimated, a
qualitative FTA may be used to investigate causes of potential unfavourable outcomes with
individual primary events marked with descriptive likelihood of occurrence such as: “highly
probable”, “very probable”, “medium probability”, “remote probability”, etc. The primary goal of
the qualitative FTA is to identify the minimal cut sets in order to determine the ways in which
the basic or primary events influence the top event.
A quantitative FTA can be used when the probabilities of primary events are known.
Probabilities of occurrence of all intermediate events and the top event (outcome) can then be
calculated in accordance with the model. Also, the quantitative FTA is very useful in reliability
analysis of a product or a system in its development.
FTA can be used for analysis of systems with complex interactions between sub-systems
including software/hardware interactions.

5.2 Objectives
FTA may be undertaken independently of, or in conjunction with, other reliability analyses.
Objectives include:
– identification of the causes or combinations of causes leading to the top event;
– determination of whether a particular system reliability measure meets a stated
requirement;
– determination of which potential failure mode(s) or factor(s) would be the highest
contributor to the system probability of failure (unreliability) or unavailability, when a
system is repairable, for identifying possible system reliability improvements;
– analysis and comparison of various design alternatives to improve system reliability;
– demonstration that assumptions made in other analyses (such as Markov and FMEA) are
valid;
– identification of potential failure modes that might cause a safety issue, evaluation of
corresponding probability of occurrence and possibility of mitigation;
– identification of common events (e.g. the middle branch of a bridge circuit, see Figure 10);
– search for an event or combinations of events which are the most likely to cause the top
event to occur;
– assessment of the impact of the occurrence of a primary event on the probability of the top
event;
– calculation of event probabilities;
– calculation of availabilities and failure rates of system or its components represented by a
fault tree, if a steady state can be postulated, and eventual repairs are independent of
each other (same limitation as for the success path diagram/reliability block diagram).
5.3 Applications
FTA is particularly suited to the analysis of systems comprising several functionally related or
dependent subsystems. Benefits of FTA are apparent when a system design is the product of
several independent specialized technical design groups and the separate fault trees are
linked together. Fault tree analysis is commonly applied when designing nuclear power
generating stations, transportation systems, communication systems, chemical and other
industrial processes, railway systems, home entertainment systems, medical systems,
computer systems, etc. Fault tree analysis is also of particular value when applied to systems
comprising various component types and their interaction (mechanical, electronic and
software components), which cannot be easily modelled with other techniques. An example of
this would be a combination of events where their order of appearance is essential such as
existence of vibration fatigue causing fracture cracks and failures of components.
FTA has a multitude of uses as a tool (to list a few):
– to determine the pertinent logic combination of events leading to the top event and,
potentially, their prioritization;
– to investigate a system under development and anticipate and prevent, or mitigate,
potential cause(s) of undesired top event;

– to analyze a system, determine its reliability, identify the major contributors to its
unreliability and evaluate the design changes;
– to assist probabilistic risk assessment efforts.
FTA can be applied to all new or modified products in all design phases, as an analytical tool
for identification of potential design problems, including those early phases where information
on the design details is incomplete. Those early efforts would then be extended as more
information on the system design and its components becomes available. FTA also identifies
potential problems that may originate from the product’s physical design, environmental or
operational stresses, flaws in product manufacturing processes and from operational and
maintenance procedures.
5.4 Combinations with other reliability analysis techniques
5.4.1 Combination of FTA and failure modes and effects analysis (FMEA)
This analysis combination is often recommended by sector specific standards, in particular
safety standards and transportation standards. The benefits of a combined analysis are the
following:
– FTA is a top-down and FMEA a bottom-up analysis method and use of both deductive and
inductive reasoning is regarded as a good argument for providing assurance for the
completeness of an analysis;
– safety standards often demand a single failure and, in some cases, a multiple failure
analysis, the first requirement being fulfilled by FMEA. Both single and multiple failure
analysis are accomplished by FTA;
– FMEA is also a useful method for a comprehensive identification of basic events or
hazards, while FTA is a practical method for causal analysis of the undesirable events.
Additionally there exists a simple consistency check between FMEA and FTA:
– any identified single failure in FMEA leading to the top event of the fault tree also has to
appear as a single point failure (in the minimal cut set);
NOTE A single point failure is a failure that, if it occurs, would cause the entire system to fail.
– any single point failure identified in the FTA should also appear as such in the FMEA.
The value of this consistency check is increased if the analyses are performed separately and
independently. This is especially important in safety analyses.
The IEC standard which explains this methodology is IEC 60300-3-1.
5.4.2 Combination of FTA and event tree analysis (ETA)
Any event could be analysed by FTA. However, in some cases this may not be appropriate for
several reasons:
– it is sometimes easier to develop event sequences rather than causal relationships;
– the resulting tree may become very large;
– there are often separate teams dealing with different parts of the analysis.

In order to find a practical procedure, it is often not the top undesired event that is defined
first, but potentially undesirable events at the interface between the functional and technical
domain.
To give an illustration, consider the top event “loss of crew or vehicle” for a spacecraft
mission. Instead of building a large fault tree based on “loss of crew or vehicle,” intermediate
undesired events like “ignition fails” or “thrust failure” may be defined as top events and
analysed as separate fault trees. These reduced top events would then, in turn, be used as
inputs to an event tree in order to analyse operational consequences.
This combination of ETA and FTA is sometimes referred to as cause-consequence analysis
(CCA).
5.4.3 Combination of FTA and Markov analysis
FTA that has only a combination of static events (timing – sequencing of the event
combination is not considered or modelled – static gates) usually evaluates systems with no
sequence dependency of events. However, it is possible to extend the FTA by defining
additional gates that represent Markov models. These gates bear the name of “dynamic”
gates and include PRIORITY AND gates, SEQUENTIAL gates, and SPARE gates. For such
gates, it is necessary to evaluate the failure probability at a time t by using the appropriate
Markov model or simulation. Once evaluated, the dynamic gate and its inputs may be
replaced by a single primary event, with the probability of occurrence calculated by Markov
analysis. Some commercial software packages allow modelling of dynamic gates and provide the
capability to calculate the probability of occurrence of the event they represent. An example of
a dynamic PRIORITY AND gate is shown in Annex A.
Both static and dynamic gates of a fault tree are used, based on the assumption that the
individual events are independent (unless defined as common). However, particular attention
shall be given to independence properties between the events included in the Markov model
and the events in the fault tree.
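How a dynamic PRIORITY AND gate can be evaluated with a Markov model at time t and then replaced by a single primary event, as an added Python example that is not taken from the standard. The gate, its inputs A and B, the constant failure rates lam_a and lam_b, the sequence convention (A before B) and the mission time are constructed assumptions; the closed form is included only as a check on the numerical solution.

```python
"""Added example, not part of IEC 61025: transient solution of the Markov model
behind a dynamic PRIORITY AND (PAND) gate, as outlined in 5.4.3. Once solved,
the gate and its two inputs can be replaced by one primary event carrying the
computed probability of occurrence.

Constructed assumptions: inputs A and B fail independently with constant rates
lam_a and lam_b, are not repaired, and the gate output occurs when A has
failed and B then fails after A, both within the mission time t.
"""
import math


def pand_rates(state, lam_a, lam_b):
    """Kolmogorov forward equations of the 4-state chain, state = [p0, pa, pb, pab]:
      p0   neither input has failed
      pa   A failed, B still working      (the gate may still fire)
      pb   B failed before A              (absorbing: gate can never fire)
      pab  A failed and then B failed     (absorbing: gate output has occurred)
    """
    p0, pa = state[0], state[1]
    return [-(lam_a + lam_b) * p0,      # leave p0 on either failure
            lam_a * p0 - lam_b * pa,    # enter pa from p0, leave on B failure
            lam_b * p0,                 # B first: sequence condition violated
            lam_b * pa]                 # A then B: PAND output


def pand_probability_markov(lam_a, lam_b, t, steps=1000):
    """Integrate the chain from p0 = 1 up to time t with classical RK4 and
    return the probability that the PAND output has occurred by t (pab)."""
    h = t / steps
    state = [1.0, 0.0, 0.0, 0.0]
    for _ in range(steps):
        k1 = pand_rates(state, lam_a, lam_b)
        k2 = pand_rates([s + h / 2 * k for s, k in zip(state, k1)], lam_a, lam_b)
        k3 = pand_rates([s + h / 2 * k for s, k in zip(state, k2)], lam_a, lam_b)
        k4 = pand_rates([s + h * k for s, k in zip(state, k3)], lam_a, lam_b)
        state = [s + h / 6 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4)]
    return state[3]


def pand_probability_closed_form(lam_a, lam_b, t):
    """Check value: P(T_A < T_B <= t) for independent exponential lifetimes,
    i.e. the same chain integrated analytically."""
    total = lam_a + lam_b
    return (lam_a / total * (1.0 - math.exp(-total * t))
            - math.exp(-lam_b * t) * (1.0 - math.exp(-lam_a * t)))


if __name__ == "__main__":
    # Constructed rates (per hour) and a 5 h mission time.
    p = pand_probability_markov(0.1, 0.2, 5.0)
    print(f"PAND primary event probability: {p:.6f}")
    print(f"closed form check:              "
          f"{pand_probability_closed_form(0.1, 0.2, 5.0):.6f}")
```

The value returned by `pand_probability_markov` is the probability assigned to the primary event that stands in for the gate and its inputs in the static part of the tree.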
5.4.4 Combination of FTA and binary decision diagram (BDD) techniques
Calculation of the probability of occurrence for the top event of a fault tree with many cut sets
requires calculation of probability for all cut set combinations. Because of its high complexity,
this calculation will often need to be truncated. A BDD may be constructed recursively from a
fault tree and it provides an efficient, exact calculation method. This method is well explained
in the “NASA Fault Tree Handbook with Aerospace Applications, version 1.1” [1].
The BDD approach is useful where truncation of cut set probability calculations results in
either unacceptable loss of accuracy or an FTA solution takes excessive time, particularly
when many high-probability events appear in the model. Because the minimal paths
generated in the BDD approach are disjointed (see 7.5.5.4), calculation of importance and
sensitivities can also be performed efficiently and exactly.
—————————
Figures in square brackets refer to the bibliography.
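The minimal cut set and single point failure concepts (3.7, 3.13, 5.1), the rare-event approximation, and the exact top event evaluation that 5.4.4 attributes to the BDD approach, worked through together in Python as an added example that is not part of the standard. The fault tree, its event names and the probabilities are constructed for illustration; basic events are assumed independent, and the exact value is obtained by Shannon expansion rather than by building an explicit BDD.

```python
"""Added worked example, not part of IEC 61025: qualitative and quantitative
evaluation of a small constructed fault tree.
- top-down expansion of the gates into cut sets, absorbed into the minimal
  cut sets (5.1) and single point failures (3.13, minimal cut sets of size one);
- the rare-event approximation of the top event probability (sum of minimal
  cut set probabilities) beside the exact value from Shannon expansion, the
  recursive decomposition underlying the BDD method of 5.4.4.
Basic events are assumed independent with time-independent probabilities.
"""
from itertools import product

# Constructed fault tree for a hypothetical "loss of coolant flow" top event.
# Gates map to (gate type, inputs); any name not in TREE is a basic event.
# S (shared power supply) is a repeated event feeding two different branches.
TREE = {
    "TOP":      ("OR",  ["G_PUMPS", "G_CTRL", "V"]),   # V: valve stuck closed
    "G_PUMPS":  ("AND", ["P1", "G_BACKUP"]),           # main pump AND backup path
    "G_BACKUP": ("OR",  ["P2", "S"]),                  # backup pump OR supply
    "G_CTRL":   ("AND", ["C", "S", "V"]),              # controller, supply, valve
}
# Constructed probabilities of occurrence of the basic events.
PROB = {"P1": 0.05, "P2": 0.05, "S": 0.01, "C": 0.02, "V": 0.001}


def cut_sets(tree, node):
    """Expand a node top-down into its cut sets (not yet minimal)."""
    if node not in tree:                        # basic event
        return [frozenset([node])]
    gate, inputs = tree[node]
    child_sets = [cut_sets(tree, child) for child in inputs]
    if gate == "OR":                            # any one input suffices
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                           # one cut set from every input
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unsupported gate type {gate!r}")


def minimal_cut_sets(tree, top="TOP"):
    """Drop every cut set that strictly contains another one (absorption)."""
    sets = set(cut_sets(tree, top))
    return {cs for cs in sets if not any(other < cs for other in sets)}


def single_point_failures(mcs):
    """Single point failures (3.13) are the minimal cut sets of size one."""
    return {event for cs in mcs if len(cs) == 1 for event in cs}


def rare_event_probability(mcs, prob):
    """Sum of minimal cut set probabilities: an upper bound that over-counts
    the outcomes in which two or more cut sets occur together."""
    total = 0.0
    for cs in mcs:
        p = 1.0
        for event in cs:
            p *= prob[event]
        total += p
    return total


def exact_probability(tree, prob, top="TOP"):
    """Exact top event probability by Shannon expansion on the basic events:
    P(f) = p_x * P(f | x occurs) + (1 - p_x) * P(f | x does not occur).
    Conditioning on one event at a time treats a repeated event consistently
    in every branch, which a gate-by-gate bottom-up product would not."""
    events = sorted({e for _, ins in tree.values() for e in ins if e not in tree})

    def evaluate(node, assigned):
        """Three-valued evaluation: True, False, or None when undetermined."""
        if node not in tree:
            return assigned.get(node)
        gate, inputs = tree[node]
        values = [evaluate(child, assigned) for child in inputs]
        if gate == "OR":
            return True if True in values else (None if None in values else False)
        return False if False in values else (None if None in values else True)

    def expand(assigned):
        result = evaluate(top, assigned)
        if result is not None:                  # function already decided
            return 1.0 if result else 0.0
        x = next(e for e in events if e not in assigned)
        return (prob[x] * expand({**assigned, x: True})
                + (1.0 - prob[x]) * expand({**assigned, x: False}))

    return expand({})


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    print("minimal cut sets:", sorted(sorted(cs) for cs in mcs))
    print("single point failures:", single_point_failures(mcs))
    print("rare-event approximation:", rare_event_probability(mcs, PROB))
    print("exact (Shannon expansion):", exact_probability(TREE, PROB))
```

Here the cut set {C, S, V} is absorbed by the single point failure {V}, and the rare-event sum slightly exceeds the exact value because the cut sets sharing P1 and the repeated event S are not disjoint.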

5.4.5 Combination with the reliability block diagram
A reliability block diagram is made up of blocks or modules, representing a group of
components, or failure modes. Those groups are normally formed following the functional
block diagram of a product, system or a process. These modules have either a determined
failure rate, or a calculated reliability or probability of failure for given use or operational
profile. Traditionally, the blocks would have a failure rate which would be the sum of failure
rates of individual components. In that manner, the functional interaction of components
within a module is not considered.
To augment correctness of functional modelling within a block (software/hardware, interaction
of mechanical parts), reliability of certain blocks can be modelled with a fault tree, and then
the resultant information on probability of occurrence of those blocks can be assigned to that
specific block being part of a reliability block diagram. In this manner, reliability block
diagrams, which normally assume independence of component failures within a block, would
yield a more realistic prediction.
6 Development and evaluation
6.1 General considerations
6.1.1 Overview
A fault tree is an organized graphical representation of the conditions that cause, or contribute
to, the occurrence of a defined undesirable outcome, referred to as the "top event". The
representation is in a form that can be clearly understood, analysed and, as necessary,
rearranged to facilitate the identification of:
– factors affecting the reliability and other performance characteristics of the system. These
factors, for example, include design deficiencies, environmental or operational stresses,
component fault modes, operator mistakes, software faults;
– common events that may contribute to more than one outcome of intermediate events in a
fault tree. As an example, events affecting more than one functional component, which
could cancel the benefits of specific redundancies or affect two or more parts of a product
that may otherwise seem operationally unrelated.
Fault tree analysis is a deductive (top-down) method of analysis aimed at pinpointing the
causes, or combinations of causes, that can lead to the defined top event. The analysis can
be qualitative, Method A, or quantitative, Method B, depending on the scope of the analyses.
In cases where the probability of occurrence of the basic events cannot be estimated, a
qualitative FTA, Method A, may be used to investigate causes of potential unfavourable
outcomes with individual basic events marked with descriptive likelihood of occurrence such
as: “highly probable”, “very probable”, “medium probability”, “remote probability”, etc., as
explained in 5.1.
A quantitative FTA, Method B, can be used when the probabilities of basic or primary events
are known. Probabilities of occurrence of all intermediate events and the top event (outcome)
can then be calculated using the appropriate mathematical expressions.

6.1.2 Concepts and combinations of events and states
The final outcome of a fault tree (top event) can be a fault in itself, or an event. Here, the fault
tree describes a fault or an event resulting from the contributing events or other faults. In
fault tree analysis the inputs to certain gates can be either states or events, while for other
gates they must match the outcome. For example, the inputs to an OR gate can be states or
events, whether the outcome is a state or an event. All inputs to an AND gate whose outcome
is an event must be events, while if the outcome represents a state, all the inputs must be
states.
A state can be characterized by the probability that the state exists at time t, while an
event can be characterized either by a failure rate or failure frequency, or by the probability of
event occurrence at time t.
6.1.3 Fault tree for investigation of faults leading to other faults or events
Traditionally, a fault tree is constructed to investigate faults or events leading to an outcome.
This concept has been used for a long time in many industries, and is particularly effective
and widely applied in the nuclear industry. In this manner, it is a powerful and invaluable tool for
investigation of potential problems, events, improvements and other preventive measures that
preclude or mitigate an undesirable outcome.
An outcome, success or fault, is investigated; the states or events leading to this outcome are
identified and their probability of existence or occurrence determined; and the fault tree model
is constructed so that it yields the probability of existence or occurrence of the assumed
outcome.
In this application, the fault tree is constructed and evaluated as described in Clause 7,
having in mind that the outcome is characterized by probability of fault existence or event
occurrence, and is not related to reliability of the analysed item or a system.
It is possible that the basic or any other events in this type of analysis are not given any real
probability value, and are only used in investigation of an event that potentially might take
place (Method A). In such a case, they might be marked with a descriptive probability of “high,
medium, or low”, and are evaluated as potential contributors to the top event or fault. Such
types of fault trees are often used for identification of a primary fault or event that was the
single or a major contributor to the top fault or event, and are used in a vast variety of
industries: automotive, nuclear, manufacturing plants, etc.
6.1.4 FTA use in reliability assessment and improvement during product development
In this application, which is based on FTA Method B, a fault tree can model the entire
product, or parts of a product that might pose a risk to its reliability or operational safety. In
this case, the Method B probability of occurrence can be determined in a traditional
manner, such as in the analysis of a safety-related fault or event of a product, or the detailed
analysis of potential product failure within a certain time period may lead to an expression of its
unreliability or probability of failure within that period of interest. In this application, the fault
tree methodology follows the principles of a top-down failure modes and effects analysis,
where each potential failure mode may result in an event or a fault leading to the product
failure.
The FTA is particularly convenient here as the modelling can reflect the dynamics of events in
a product, software/hardware interaction, as well as the interaction between faults or events
representing the potential failure modes. This interaction cannot be represented in a
regular FMEA, and is very difficult to model using traditional reliability block diagrams. Also,
the product reliability estimates are more realistic, as only the failure modes that contribute to
failure of a product, as defined, are considered.
The development of a fault tree should start early in the system design stage and be
continued in all of the development stages of a product. The evolution of the fault tree should
be such that it reflects the progress of the design. Thus an increased understanding of the
failure modes will be obtained as the design proceeds. "Analysis concurrent with design"
allows for early systems design change. Many fault trees will be large, in which case fault tree
analysis software may be needed to handle them. Softwar
...

IEC 61025:2006 is classified under the following ICS (International Classification for Standards) categories: 03.120.01 - Quality in general; 03.120.99 - Other standards related to quality. The ICS classification helps identify the subject area and facilitates finding related standards.
