Event Tree Analysis

Event tree analysis (ETA) is a technique used to identify and evaluate potential accident scenarios following an initiating event. An ETA uses an event tree, which is a visual logic tree structure, to model different outcomes from an initiating event based on whether safety systems succeed or fail. The objective is to determine the probability of outcomes ranging from continued safe operation to serious accidents. ETA was developed for probabilistic risk assessment in nuclear power plant safety studies to evaluate all possible outcomes from initiating events. It provides a powerful way to identify safety issues early in system design.


Chapter 12

Event Tree Analysis

12.1 INTRODUCTION

Event tree analysis (ETA) is an analysis technique for identifying and evaluating the sequence of events in a potential accident scenario following the occurrence of an initiating event. ETA utilizes a visual logic tree structure known as an event tree (ET). The objective of ETA is to determine whether the initiating event will develop into a serious mishap or if the event is sufficiently controlled by the safety systems and procedures implemented in the system design. An ETA can result in many different possible outcomes from a single initiating event, and it provides the capability to obtain a probability for each outcome.

12.2 BACKGROUND

The ETA technique falls under the system design hazard analysis type (SD-HAT) and should be used as a supplement to the SD-HAT analysis. Refer to Chapter 3 for a description of the analysis types. The ETA is a very powerful tool for identifying and evaluating all of the system consequence paths that are possible after an initiating event occurs. The ETA model will show the probability of the system design resulting in a safe operation path, a degraded operation path, and an unsafe operation path.

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II. Copyright © 2005 John Wiley & Sons, Inc.


The purpose of ETA is to evaluate all of the possible outcomes that can result from an initiating event. Generally, there are many different outcomes possible from an initiating event, depending upon whether design safety systems work properly or malfunction when needed. ETA provides a probabilistic risk assessment (PRA) of the risk associated with each potential outcome.

The ETA technique can be used to model an entire system, with analysis coverage given to subsystems, assemblies, components, software, procedures, environment, and human error. ETA can be conducted at different abstraction levels, such as conceptual design, top-level design, and detailed component design. ETA has been successfully applied to a wide range of systems, such as nuclear power plants, spacecraft, and chemical plants. The technique can be applied to a system very early in design development and thereby identify safety issues early in the design process. Early application helps system developers design safety into a system during early development rather than having to take corrective action after a test failure or a mishap.

The ETA technique, when applied to a given system by an experienced analyst, is thorough at identifying and evaluating all of the possible outcomes resulting from an initiating event (IE). A basic understanding of ETA and FTA theory is essential to developing an ETA model. In addition, it is crucial for the analyst to have a detailed understanding of the system. Overall, ETA is very easy to learn and understand. Proper application depends on the complexity of the system and the skill of the analyst. Applying the ETA technique to the evaluation of a system design is not a difficult process; however, it does require an understanding of FTA and probability theory.

A cause consequence analysis (CCA) is very similar to ETA and is a possible alternative technique. Additionally, multiple FTAs could be performed to obtain the same results as an ETA. The ETA produces many different potential outcomes from a single event, whereas the FTA only evaluates the many causes of a single outcome. The use of an ETA is recommended for a PRA of the possible outcomes resulting from an initiating event. The resulting risk profiles provide management and design guidance on areas requiring additional safety countermeasure design methods.

12.3 HISTORY

Event tree analysis is a binary form of a decision tree for evaluating the various multiple decision paths in a given problem. ETA appears to have been developed during the WASH-1400 [1] nuclear power plant safety study (circa 1974). The WASH-1400 team realized that a nuclear power plant PRA could be achieved by FTA; however, the resulting fault trees (FTs) would be very large and cumbersome, and they therefore established ETA to condense the analysis into a more manageable picture, while still utilizing FTA.


12.4 DEFINITIONS

The ETA technique is based on the following definitions:

Accident scenario: Series of events that ultimately result in an accident. The sequence of events begins with an initiating event and is (usually) followed by one or more pivotal events that lead to the undesired end state.

Initiating event (IE): Failure or undesired event that initiates the start of an accident sequence. The IE may result in a mishap, depending upon successful operation of the hazard countermeasure methods designed into the system. Refer to Chapter 2 on hazard theory for information on the components of a hazard.

Pivotal events: Intermediary events between the IE and the final mishap. These are the failure/success events of the design safety methods established to prevent the IE from resulting in a mishap. If a pivotal event works successfully, it stops the accident scenario and is referred to as a mitigating event. If a pivotal event fails to work, then the accident scenario is allowed to progress and is referred to as an aggravating event.

Probabilistic risk assessment (PRA): Comprehensive, structured, and logical analysis method for identifying and evaluating risk in a complex technological system. The detailed identification and assessment of accident scenarios, with a quantitative analysis, is the PRA goal.

Event tree (ET): Graphical model of an accident scenario that yields multiple outcomes and outcome probabilities. ETs are one of the most used tools in a PRA.

A common definition of risk in the PRA discipline is that risk is based upon a set of triplets:
1. Accident scenarios: what can go wrong?
2. Scenario frequencies: how likely is it?
3. Scenario consequences: what are the consequences?

12.5 THEORY

When performing a PRA, identifying and developing accident scenarios is fundamental to the concept of risk evaluation. The process begins with a set of IEs that perturb the system (i.e., cause it to change its operating state or configuration). For each IE, the analysis proceeds by determining the additional failure modes necessary to lead to the undesirable consequences. The consequences and frequencies of each scenario are computed for the individual IEs, and the collection of probabilities forms a risk profile for the system.

Event trees are used to model accident scenarios. An ET starts with the IE and progresses through the scenario via a series of pivotal events (PEs) until an end state is reached. The PEs are failures or events that are mitigating or aggravating to the scenario. The frequency (i.e., probability) of the PE can be obtained from an FTA of the event.

The PRA theory relates very closely with standard system safety terminology. An accident scenario is equivalent to a hazard; scenario frequency is equivalent to hazard probability; scenario outcome is equivalent to hazard severity. Risk management involves the identification and prevention or reduction of adverse accident scenarios and the promotion of favorable scenarios. Risk management requires understanding the elements of adverse scenarios so that their components can be prevented or reduced, and an understanding of favorable scenarios in order that their components can be enhanced or promoted.

An accident scenario contains an IE and (usually) one or more pivotal events leading to an end state, as shown in Figure 12.1. As modeled in most PRAs, an IE is a perturbation that requires some kind of response from operators and/or one or more systems to prevent an undesired consequence. The pivotal events include successes or failures of these responses or possibly the occurrence or nonoccurrence of external conditions or key phenomena. The end states are formulated according to the decisions being supported by the analysis. Scenarios are classified into end states according to the kind and severity of consequences, ranging from completely successful outcomes to losses of various kinds, such as:
- Loss of life or injury/illness to personnel
- Damage to or loss of equipment or property (including software)
- Unexpected or collateral damage as a result of tests
- Failure of mission
- Loss of system availability
- Damage to the environment

An ET distills the pivotal event scenario definitions and presents this information in a tree structure that is used to help classify scenarios according to their consequences. The headings of the ET are the IE, the pivotal events, and the end states. The tree structure below these headings shows the possible scenarios ensuing from the IE, in terms of the occurrence or nonoccurrence of the pivotal events. Each distinct path through the tree is a distinct scenario. According to a widespread but informal convention, where pivotal events are used to specify system success or failure, the down branch is considered to be failure. The ET concept is shown in Figure 12.2.
Figure 12.1 Accident scenario concept. (Diagram: IE -> Pivotal Event 1 -> Pivotal Event 2 -> ... -> Pivotal Event n -> End State (Mishap).)


Figure 12.2 Event tree concept. (Diagram columns: Initiating Event (IE); Pivotal Events Event 1, Event 2, and Event 3, each splitting into a Success branch above and a Fail branch below; Outcomes, Outcome 1 through Outcome 5, each complete path being one accident scenario.)

In most ETs, the pivotal event splits are binary: A phenomenon either does or does not occur; a system either does or does not fail. This binary character is not strictly necessary; some ETs show splits into more than two branches. What is necessary is that distinct paths be mutually exclusive and quantified as such (at least to the desired level of accuracy). An example of ET structure with quantitative calculations is displayed in Figure 12.3. The ET model logically combines all of the system design safety countermeasure methods intended to prevent the IE from resulting in a mishap. A side effect of the analysis is that many different outcomes can be discovered and evaluated. Note how the ET closely models the scenario concept shown in Figure 12.1.

Figure 12.3 ETA concept. (Diagram columns: Initiating Event, Event (PIE); Pivotal Events Event 1 with Success (P1S) / Fail (P1F), Event 2 with Success (P2S) / Fail (P2F), Event 3 with Success (P3S) / Fail (P3F); Outcomes. The Fail branch of Event 1 goes directly to Outcome E.)
Outcome A: PA = (PIE)(P1S)(P2S)(P3S)
Outcome B: PB = (PIE)(P1S)(P2S)(P3F)
Outcome C: PC = (PIE)(P1S)(P2F)(P3S)
Outcome D: PD = (PIE)(P1S)(P2F)(P3F)
Outcome E: PE = (PIE)(P1F)


12.6 METHODOLOGY

Figure 12.4 shows an overview of the basic ETA process and summarizes the important relationships involved in the ETA process. The ETA process involves utilizing detailed design information to develop event tree diagrams (ETDs) for specific IEs. In order to develop the ETD, the analyst must have first established the accident scenarios, IEs, and pivotal events of interest. Once the ETD is constructed, failure frequency data can be applied to the failure events in the diagram. Usually this information is derived from FTA of the failure event. Since P_S + P_F = 1, the probability of success can be derived from the probability of failure calculation. The probability for a particular outcome is computed by multiplying the event probabilities in the path.

Table 12.1 lists and describes the basic steps of the ETA process, which involves performing a detailed analysis of all the design safety features involved in a chain of events that can result from the initiating event to the final outcome. Complex systems tend to have a large number of interdependent components, redundancy, standby systems, and safety systems. Sometimes it is too difficult or cumbersome to model a system with just an FT; so, PRA studies have combined the use of FTs and ETDs. The ETD models accident/mishap cause consequence scenarios, and FTs model complex subsystems to obtain the probability of these subsystems failing. An accident scenario can have many different outcomes, depending on which PEs fail and which function correctly. The ET/FT combination models this complexity very well.

The goal of ETA is to determine the probability of all the possible outcomes resulting from the occurrence of an IE. By analyzing all possible outcomes, it is possible to determine the percentage of outcomes that lead to the desired result and the percentage of outcomes that lead to the undesired result.

Event trees can be used to analyze systems in which all components are continuously operating or for systems in which some or all of the components are in standby mode (those that involve sequential operational logic and switching). The starting point (referred to as the initiating event) disrupts normal system operation. The event tree displays the sequences of events involving success and/or failure of the system components.

Figure 12.4 ETA overview.
Input: design knowledge; accident histories on similar equipment.
ETA process: 1. Identify accident scenarios. 2. Identify IEs. 3. Identify pivotal events. 4. Construct ETD. 5. Evaluate risk paths. 6. Document process.
Output: mishap outcomes; outcome risk probabilities; causal sources; safety requirements.


TABLE 12.1 ETA Process

Step 1. Define the system. Examine the system and define the system boundaries, subsystems, and interfaces.
Step 2. Identify the accident scenarios. Perform a system assessment or hazard analysis to identify the system hazards and accident scenarios existing within the system design.
Step 3. Identify the initiating events. Refine the hazard analysis to identify the significant IEs in the accident scenarios. IEs include events such as fire, collision, explosion, pipe break, toxic release, etc.
Step 4. Identify the pivotal events. Identify the safety barriers or countermeasures involved with the particular scenario that are intended to preclude a mishap.
Step 5. Build the event tree diagram. Construct the logical ETD, starting with the IE, then the PEs, and completing with the outcomes of each path.
Step 6. Obtain the failure event probabilities. Obtain or compute the failure probabilities for the PEs on the ETD. It may be necessary to use FTs to determine how a PE can fail and to obtain the probability.
Step 7. Identify the outcome risk. Compute the outcome risk for each path in the ETD.
Step 8. Evaluate the outcome risk. Evaluate the outcome risk of each path and determine if the risk is acceptable.
Step 9. Recommend corrective action. If the outcome risk of a path is not acceptable, develop design strategies to change the risk.
Step 10. Document ETA. Document the entire ETA process on the ETDs. Update for new information as necessary.

In the case of standby systems and, in particular, safety- and mission-oriented systems, the ET is used to identify the various possible outcomes of the system following a given IE, which is generally an unsatisfactory operating event or situation. In the case of continuously operated systems, these events can occur (i.e., components can fail) in any arbitrary order. In the event tree analysis, the components can be considered in any order since they do not operate chronologically with respect to each other.

The ETA is based on binary logic in which an event either has or has not happened or a component has or has not failed. It is valuable in analyzing the consequences arising from a failure or undesired event. An ET begins with an IE, such as a component failure, increase in temperature/pressure, or a release of a hazardous substance that can lead to an accident. The consequences of the event are followed through a series of possible paths. Each path is assigned a probability of occurrence, and the probability of the various possible outcomes can be calculated.

The ETD is a diagram modeling all of the possible events that follow an originating failure or undesired event. The originating event can be a technical failure or an operational human error. The objective is to identify the chain of events following one or more specified basic events, in order to evaluate the consequences and determine whether the event will develop into a serious accident or is sufficiently controlled by the safety systems and procedures implemented. The results can therefore be recommendations to increase redundancy or to modify the safety systems.

The ETA begins with the identified IE listed at the left side of the diagram in Figure 12.5. All safety design methods or countermeasures are then listed at the top of the diagram as contributing events. Each safety design method is evaluated for the contributing event: (a) operates successfully and (b) fails to operate. The resulting diagram combines all of the various success/failure event combinations and fans out to the right in a sideways tree structure. Each success/failure event can be assigned a probability of occurrence, and the final outcome probability is the product of the event probabilities along a particular path. Note that the final outcomes can range from safe to catastrophic, depending upon the chain of events.

Figure 12.5 ETD development. (Diagram: the same tree as Figure 12.3, with Initiating Event (PIE); Pivotal Events Event 1 Success (P1S) / Fail (P1F), Event 2 Success (P2S) / Fail (P2F), Event 3 Success (P3S) / Fail (P3F); and the failure probabilities P1F, P2F, and P3F marked as the quantities to be supplied for each pivotal event, with P1S = 1 - P1F.)
Outcome A: PA = (PIE)(P1S)(P2S)(P3S)
Outcome B: PB = (PIE)(P1S)(P2S)(P3F)
Outcome C: PC = (PIE)(P1S)(P2F)(P3S)
Outcome D: PD = (PIE)(P1S)(P2F)(P3F)
Outcome E: PE = (PIE)(P1F)

12.7 WORKSHEET

The primary worksheet for an ETA is the event tree diagram (ETD), which provides the following information:
1. Initiating event
2. System pivotal events
3. Outcomes
4. Event and outcome probabilities

Figure 12.5 demonstrates the typical ETD. Each event is divided into two paths, success and failure. The success path is always the top path and the failure path is the lower path. The ETD has only one IE, which is identified at the far left of the diagram. As many contributing events as necessary to fully describe the system are listed at the top of the diagram. The more contributing events involved, the larger the resulting ETD and the more tree branches required.


Figure 12.6 ETA example 1.
Initiating event: Fire Starts (P = 0.01).
Pivotal events: Fire Detection Works (YES P = 0.9 / NO P = 0.1); Fire Alarm Works; Fire Sprinkler System Works (the alarm and sprinkler splits carry YES/NO probabilities of 0.8/0.2 and 0.7/0.3 as printed in the figure).
Outcomes: Limited damage; Extensive damage, people escape; Limited damage, wet people; Death/Injury, extensive damage (two paths).
Outcome probabilities as printed: 0.00504, 0.00126, 0.00216, 0.00006, 0.001.

12.8 EXAMPLE 1

Figure 12.6 contains an example ETA for a fire detection and suppression system in an office building. This ETA analyzes all the possible outcomes of a system fire. The IE for the ET is "fire starts." Note the range of outcomes resulting from the success or failure of the safety subsystems (pivotal events). Note from this example that, when computing the success/fail probability for each contributing PE, the PE states must always sum to 1.0, based on the reliability formula P_SUCCESS + P_FAILURE = 1. Also note that in this case there are three contributing PEs that generate five possible different outcomes, each with a different probability.

12.9 EXAMPLE 2

Figure 12.7 contains an example ETA for an automobile system, where the car battery has failed. The dead battery is the IE that begins the scenario analysis.

12.10 EXAMPLE 3

Figure 12.8 contains an example ETA for a missile system. The IE is the missile being dropped during handling or transportation.
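As an added example (not code from Ericson's chapter), the following Python script implements the path-product computation described in Section 12.6 and Figure 12.5 and applies it to the missile-drop scenario of Example 3 (Figure 12.8). The tree structure and the branch probabilities (IE 0.01; Arm-1 0.9/0.1; Arm-2 0.7/0.3; Arm power 0.8/0.2) are taken from the figure. The small fault tree used to derive the Arm-1 failure probability, its basic events, and their probabilities are a constructed assumption chosen so that the OR/AND gates reproduce the figure's P = 0.1; all class and function names are the example's own.

```python
"""Event tree evaluation with one pivotal-event probability derived from a fault tree.

Added example; not code from Ericson's chapter. Missile-drop numbers follow
Figure 12.8; the Arm-1 fault tree is a constructed, hypothetical assumption.
"""
from __future__ import annotations
from dataclasses import dataclass


# ---- Fault tree: how a pivotal event can fail (Step 6 of Table 12.1) ----
@dataclass
class Basic:
    """Basic event with an (assumed independent) probability of occurrence."""
    name: str
    p: float


@dataclass
class Gate:
    """AND/OR gate over basic events or other gates."""
    kind: str            # "AND" or "OR"
    inputs: list


def ft_prob(node: Basic | Gate) -> float:
    """Probability that a fault-tree node occurs, assuming independent inputs."""
    if isinstance(node, Basic):
        return node.p
    probs = [ft_prob(child) for child in node.inputs]
    if node.kind == "AND":            # all inputs must occur
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":             # at least one input occurs
        none_occur = 1.0
        for p in probs:
            none_occur *= (1.0 - p)
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


# ---- Event tree: each pivotal event splits into success (top) and failure (bottom) ----
@dataclass
class Outcome:
    label: str


@dataclass
class Pivotal:
    name: str
    p_fail: float                     # P_F; success is P_S = 1 - P_F
    on_success: Pivotal | Outcome     # a branch may end early in an outcome
    on_fail: Pivotal | Outcome

    @property
    def p_success(self) -> float:
        return 1.0 - self.p_fail


def evaluate(ie_name: str, p_ie: float, root: Pivotal | Outcome):
    """Enumerate every path from the IE; an outcome's probability is the
    product of the event probabilities along its path (Figure 12.5)."""
    paths = []

    def walk(node, prob, trace):
        if isinstance(node, Outcome):
            paths.append((tuple(trace), node.label, prob))
            return
        walk(node.on_success, prob * node.p_success, trace + [f"{node.name}: success"])
        walk(node.on_fail, prob * node.p_fail, trace + [f"{node.name}: fail"])

    walk(root, p_ie, [f"{ie_name} (P = {p_ie})"])
    return paths


def outcome_totals(paths) -> dict:
    """Sum the probabilities of all paths ending in the same outcome label."""
    totals: dict = {}
    for _trace, label, p in paths:
        totals[label] = totals.get(label, 0.0) + p
    return totals


def total_probability(paths) -> float:
    """Must equal P(IE): each split's branches sum to 1.0, so no mass is lost."""
    return sum(p for _trace, _label, p in paths)


# Hypothetical fault tree for "Arm-1 fails to remain safe" (constructed, not in the chapter):
# OR(lanyard severed 0.04, AND(impact switch closes 0.25, capacitor charged 0.25))
# = 1 - 0.96 * (1 - 0.0625) = 0.1, which reproduces the NO branch of Figure 12.8.
ARM1_FAULT_TREE = Gate("OR", [
    Basic("safety lanyard severed on impact", 0.04),
    Gate("AND", [Basic("impact switch closes", 0.25),
                 Basic("firing capacitor already charged", 0.25)]),
])
P_ARM1_FAIL = ft_prob(ARM1_FAULT_TREE)

SAFE = Outcome("Missile is safe")
ARMED = Outcome("Missile is armed and powered")

# Figure 12.8: success at any barrier ends the scenario safely, so success
# branches terminate early, like the Event 1 fail branch in Figure 12.3.
MISSILE_TREE = Pivotal("Arm-1 remains safe", P_ARM1_FAIL,
    on_success=SAFE,
    on_fail=Pivotal("Arm-2 remains safe", 0.3,
        on_success=SAFE,
        on_fail=Pivotal("Arm power remains safe", 0.2,
            on_success=SAFE, on_fail=ARMED)))


def missile_paths():
    return evaluate("Missile dropped", 0.01, MISSILE_TREE)


if __name__ == "__main__":
    paths = missile_paths()
    for trace, label, p in paths:
        print(f"{' -> '.join(trace)} => {label}: {p:.5f}")
    print("totals per outcome:", outcome_totals(paths))
    print("sum over all paths:", total_probability(paths))
```

The four paths reproduce the figure's values 0.009, 0.0007, 0.00024 and 0.00006, and their sum equals P(IE) = 0.01, which is the whole-tree form of the check stated for Example 1 (the states of each PE sum to 1.0). Representing the tree recursively, with each branch either continuing to another pivotal event or ending in an outcome, is what lets the same evaluator handle the uneven shapes of Figures 12.3 and 12.8, where a branch terminates before all pivotal events have been visited.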

12.11 EXAMPLE 4

Figure 12.9 contains an example ETA for a nuclear power plant system. The IE is a pipe break in the cooling subsystem.


Figure 12.7 ETA example 2.
Initiating event: Dead Battery (P = 0.1).
Pivotal events: Jumper Cables Available (YES P = 0.6 / NO P = 0.4); Donor Battery Available (YES P = 0.7 / NO P = 0.3); Cables Connected Properly (YES P = 0.8 / NO P = 0.2); Donor Battery Starts Car (YES P = 0.9 / NO P = 0.1).
Outcomes and probabilities as printed:
- All four pivotal events succeed: Car is jump started, mission success, 0.03024
- Donor battery does not start car: Car not started, mission failure, 0.0048
- Cables not connected properly: Car not started, possible damage, mission failure, 0.0084
- No donor battery available: Car not started, mission failure, 0.018
- No jumper cables available: Car not started, mission failure, 0.04

Figure 12.8 ETA example 3.
Initiating event: Missile Dropped (P = 0.01).
Pivotal events: Arm-1 Remains Safe (YES P = 0.9 / NO P = 0.1); Arm-2 Remains Safe (YES P = 0.7 / NO P = 0.3); Arm Power Remains Safe (YES P = 0.8 / NO P = 0.2).
Outcomes and probabilities:
- Arm-1 remains safe: Missile is safe, 0.009
- Arm-1 fails, Arm-2 remains safe: Missile is safe, 0.0007
- Arm-1 and Arm-2 fail, arm power remains safe: Missile is safe, 0.00024
- Arm-1, Arm-2, and arm power all fail: Missile is armed and powered, 0.00006

Figure 12.9 ETA example 4.
Initiating event: Pipe Breaks.
Pivotal events: Electricity (Available / Fails); Emergency Core Cooling (Available / Fails); Fission Product Removal (Available / Fails); Containment (Available / Fails).
Outcome (fission release), paths as printed from top to bottom: Very small; Small; Small; Medium; Large; Very large; Very large.


12.12 ADVANTAGES AND DISADVANTAGES

The following are advantages of the ETA technique:
1. Structured, rigorous, and methodical approach.
2. A large portion of the work can be computerized.
3. Can be effectively performed on varying levels of design detail.
4. Visual model displaying cause/effect relationships.
5. Relatively easy to learn, do, and follow.
6. Models complex system relationships in an understandable manner.
7. Follows fault paths across system boundaries.
8. Combines hardware, software, environment, and human interaction.
9. Permits probability assessment.
10. Commercial software is available.

The following are disadvantages of the ETA technique:
1. An ETA can only have one initiating event; therefore, multiple ETAs will be required to evaluate the consequences of multiple initiating events.
2. ETA can overlook subtle system dependencies when modeling the events.
3. Partial successes/failures are not distinguishable.
4. Requires an analyst with some training and practical experience.

12.13 COMMON MISTAKES TO AVOID

When first learning how to perform an ETA, it is commonplace to commit some typical errors. The following is a list of typical errors made during the conduct of an ETA:
1. Not identifying the proper IE
2. Not identifying all of the contributing pivotal events

12.14 SUMMARY

This chapter discussed the ETA technique. The following are basic principles that help summarize the discussion in this chapter:
1. ETA is used to model accident scenarios and to evaluate the various outcome risk profiles resulting from an initiating event.
2. ETA is used to perform a PRA of a system.
3. The ETA diagram provides structure and rigor to the ETA process.
4. ETA can be a supplement to the SD-HAT.
5. Fault trees are often used to determine the causal factors and probability for failure events in the ETA.

REFERENCE
1. N. C. Rasmussen, Reactor Safety Study: An Assessment of Accident Risks in US Commercial Nuclear Power Plants, WASH-1400, Nuclear Regulatory Commission, Washington, DC, 1975.

