"Fault Tree Handbook"

NUREG-0492
Fault Tree Handbook

U.S. Nuclear Regulatory Commission
Date Published: January 1981

W. E. Vesely, U.S. Nuclear Regulatory Commission
F. F. Goldberg, U.S. Nuclear Regulatory Commission
N. H. Roberts, University of Washington
D. F. Haasl, Institute of System Sciences, Inc.

Systems and Reliability Research
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

For sale by the U.S. Government Printing Office, Superintendent of Documents, Mail Stop: SSOP, Washington, DC 20402-9328. Available from GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555, and from the National Technical Information Service, Springfield, VA 22161. Printed copy price: $5.50.

TABLE OF CONTENTS

Introduction ... vii
I. Basic Concepts of System Analysis ... I-1
  1. The Purpose of System Analysis ... I-1
  2. Definition of a System ... I-3
  3. Analytical Approaches ... I-7
  4. Perils and Pitfalls ... I-9
II. Overview of Inductive Methods ... II-1
  1. Introduction ... II-1
  2. The "Parts Count" Approach ... II-1
  3. Failure Mode and Effect Analysis (FMEA) ... II-2
  4. Failure Mode Effect and Criticality Analysis (FMECA) ... II-4
  5. Preliminary Hazard Analysis (PHA) ... II-4
  6. Fault Hazard Analysis (FHA) ... II-5
  7. Double Failure Matrix (DFM) ... II-5
  8. Success Path Models ... II-10
  9. Conclusions ... II-12
III. Fault Tree Analysis - Basic Concepts ... III-1
  1. Orientation ... III-1
  2. Failure vs. Success Models ... III-1
  3. The Undesired Event Concept ... III-3
  4. Summary ... III-4
IV. The Basic Elements of a Fault Tree ... IV-1
  1. The Fault Tree Model ... IV-1
  2. Symbology - The Building Blocks of the Fault Tree ... IV-1
V. Fault Tree Construction Fundamentals ... V-1
  1. Faults vs. Failures ... V-1
  2. Fault Occurrence vs. Fault Existence ... V-1
  3. Passive vs. Active Components ... V-2
  4. Component Fault Categories: Primary, Secondary, and Command ... V-3
  5. Failure Mechanism, Failure Mode, and Failure Effect ... V-3
  6. The "Immediate Cause" Concept ... V-6
  7. Basic Rules for Fault Tree Construction ... V-8
VI. Probability Theory - The Mathematical Description of Events ... VI-1
  1. Introduction ... VI-1
  2. Random Experiments and Outcomes of Random Experiments ... VI-1
  3. The Relative Frequency Definition of Probability ... VI-3
  4. Algebraic Operations with Probabilities ... VI-3
  5. Combinatorial Analysis ... VI-8
  6. Set Theory: Application to the Mathematical Treatment of Events ... VI-11
  7. Symbolism ... VI-16
  8. Additional Set Concepts ... VI-17
  9. Bayes' Theorem ... VI-19
VII. Boolean Algebra and Application to Fault Tree Analysis ... VII-1
  1. Rules of Boolean Algebra ... VII-1
  2. Application to Fault Tree Analysis ... VII-4
  3. Shannon's Method for Expressing Boolean Functions in Standardized Forms ... VII-12
  4. Determining the Minimal Cut Sets or Minimal Path Sets of a Fault Tree ... VII-15
VIII. The Pressure Tank Example ... VIII-1
  1. System Definition and Fault Tree Construction ... VIII-1
  2. Fault Tree Evaluation (Minimal Cut Sets) ... VIII-12
IX. The Three Motor Example ... IX-1
  1. System Definition and Fault Tree Construction ... IX-1
  2. Fault Tree Evaluation (Minimal Cut Sets) ... IX-7
X. Probabilistic and Statistical Analyses ... X-1
  1. Introduction ... X-1
  2. The Binomial Distribution ... X-1
  3. The Cumulative Distribution Function ... X-7
  4. The Probability Density Function ... X-9
  5. Distribution Parameters and Moments ... X-10
  6. Limiting Forms of the Binomial: Normal, Poisson ... X-15
  7. Application of the Poisson Distribution to System Failures - The So-Called Exponential Distribution ... X-19
  8. The Failure Rate Function ... X-22
  9. An Application Involving the Time-to-Failure Distribution ... X-25
  10. Statistical Estimation ... X-26
  11. Random Samples ... X-27
  12. Sampling Distributions ... X-27
  13. Point Estimates - General ... X-28
  14. Point Estimates - Maximum Likelihood ... X-30
  15. Interval Estimators ... X-35
  16. Bayesian Analyses ... X-39
XI. Fault Tree Evaluation Techniques ... XI-1
  1. Introduction ... XI-1
  2. Qualitative Evaluations ... XI-2
  3. Quantitative Evaluations ... XI-7
XII. Fault Tree Evaluation Computer Codes ... XII-1
  1. Overview of Available Codes ... XII-1
  2. Computer Codes for Qualitative Analyses of Fault Trees ... XII-2
  3. Computer Codes for Quantitative Analyses of Fault Trees ... XII-6
  4. Direct Evaluation Codes ... XII-8
  5. PL-MOD: A Dual Purpose Code ... XII-11
  6. Common Cause Failure Analysis Codes ... XII-12
Bibliography ... BIB-1

INTRODUCTION

Since 1975, a short course entitled "System Safety and Reliability Analysis" has been presented to over 200 NRC personnel and contractors. The course has been taught jointly by David F. Haasl, Institute of System Sciences, Professor Norman H. Roberts, University of Washington, and members of the Probabilistic Analysis Staff, NRC, as part of a risk assessment training program sponsored by the Probabilistic Analysis Staff.

This handbook has been developed not only to serve as text for the System Safety and Reliability Course, but also to make available to others a set of otherwise undocumented material on fault tree construction and evaluation. The publication of this handbook is in accordance with the recommendations of the Risk Assessment Review Group Report (NUREG/CR-0400), in which it was stated that the fault/event tree methodology both can and should be used more widely by the NRC. It is hoped that this document will help to codify and systematize the fault tree approach to systems analysis.

CHAPTER I - BASIC CONCEPTS OF SYSTEM ANALYSIS

1. The Purpose of System Analysis

The principal concern of this book is the fault tree technique, which is a systematic method for acquiring information about a system.* The information so gained can be used in making decisions, and therefore, before we even define system analysis, we will undertake a brief examination of the decisionmaking process.

Decisionmaking is a very complex process, and we will highlight only certain aspects which help to put a system analysis in proper context. Presumably, any decision that we do make is based on our present knowledge about the situation at hand. This knowledge comes partly from our direct experience with the relevant situation or from related experience with similar situations. Our knowledge may be increased by appropriate tests and proper analyses of the results, that is, by experimentation. To some extent our knowledge may be based on conjecture, and this will be conditioned by our degree of optimism or pessimism. For example, we may be convinced that "all is for the best in this best of all possible worlds." Or, conversely, we may believe in Murphy's Law: "If anything can go wrong, it will go wrong."

Thus, knowledge may be obtained in several ways, but in the vast majority of cases, it will not be possible to acquire all the relevant information, so that it is almost never possible to eliminate all elements of uncertainty. It is possible to postulate an imaginary world in which no decisions are made until all the relevant information is assembled. This is a far cry from the everyday world in which decisions are forced on us by time, and not by the degree of completeness of our knowledge. We all have deadlines to meet. Furthermore, because it is generally impossible to have all the relevant data at the time the decision must be made, we simply cannot know all the consequences of electing to take a particular course of action. Figure I-1 provides a schematic representation of these considerations.

[Figure I-1. Schematic Representation of the Decisionmaking Process: direct and indirect information acquisition feeding the decision along a time axis, with the time at which the decision must be made marked.]

* There are other methods for performing this function. Some of these are discussed briefly in Chapter II.

The existence of the time constraint on the decisionmaking process leads us to make a distinction between good decisions and correct decisions. We can classify a decision as good or bad whenever we have the advantage of retrospect. I make a decision to buy 1000 shares of XYZ Corporation. Six months later, I find that the stock has risen 20 points. My original decision can now be classified as good. If, however, the stock has plummeted 20 points in the interim, I would have to conclude that my original decision was bad. Nevertheless, that original decision could very well have been correct if all the information available at the time had indicated a rosy future for XYZ Corporation. We are concerned here with making correct decisions. To do this we require:

(1) The identification of that information (or those data) that would be pertinent to the anticipated decision.

(2) A systematic