This technique has been used by the National Aeronautics and Space Administration (NASA) in
its space programmes and has also been used in the nuclear industry. FTA is used extensively
in the fields of reliability, safety, and risk analysis. It is a convenient method of representing the
logical connections between the failure modes of a system. The top of the tree, the top event, can
be evaluated qualitatively or quantitatively (the quantitative alternative requires failure-rate data
for the basic events), usually with the aid of a computer program.
FTA is defined as "The study of the possible sequences of events constituting the failure of a
system using the diagrammatic method of algorithms." (BS 4778 17.9.)
The first step is to define the system that is to be analysed, to prevent the tree from becoming too
complex. A tree analyses only one top event, so several trees may be needed for one product. A
system can be divided into its operating phases so that each can be analysed separately, e.g.
start-up, run, shut-down. The next step is the selection of the top event, which is the undesirable
event, e.g. fire, explosion, or failure of a system, sub-system or assembly. The tree is then developed
by identifying the logical combinations of failure modes that would result in the
occurrence of the top event.
The modes of failure can have a variety of causes, such as the breakdown of an individual
component, operator error, the failure of a test procedure or a maintenance program. The failure
modes are combined in a number of ways which are called 'gates'.
CASE HISTORY 1
The Amoco Cadiz
At 9.45 am on 16 March 1978 the steering gear of the tanker Amoco Cadiz broke down in rough
seas, about ten miles from the Isle of Ushant, off Brest. The cause was the failure of a pipe flange
on the main steering-gear hydraulic circuit, which allowed the oil in the system to be discharged
into the steering-gear compartment. The crew were unable to recharge the system and regain
control of the steering before the ship grounded at 21.04. Over the next few days the entire cargo
of 226 000 tonnes of crude oil polluted hundreds of miles of the French coastline.
The steering gear and related equipment of the Amoco Cadiz complied with all existing
international regulations, which raised doubts about the adequacy of those regulations. The disaster highlighted
both the basic weakness of the single hydraulic circuit, almost universally employed in the ram
and rotary-vane types of steering gear, and the drastic potential consequences of the failure of the
steering gear of a large tanker.
Following the Amoco Cadiz casualty new international regulations were developed as a matter of
urgency for the steering gears of all ships, but with particular emphasis on large tankers. The new
regulations concentrated on the importance of maintaining the integrity of at least part of the
hydraulic circuit after a single failure of pressure parts, so that steering capability could be
maintained or be rapidly recovered after a fault. The regulations envisage automatic changeover
With both steering gear pumps secured the Amoco Cadiz and her sister-ships experienced as
much as 15 degrees of rudder movement while in port. 'This fact was well known among AIOC
engineers and should have signalled a serious malfunction of the two-sided restrain system of the
Amoco Cadiz steering mechanism.' The unexplained rudder movement of the Amoco Cadiz was
not properly investigated and was not corrected. AIOC failed to instruct the Amoco Cadiz crew
in emergency steering-gear drills and procedures to be followed in the event of a steering-gear
breakdown.
[Figure: Simple fault tree analysis showing the route to failure of an Amoco Cadiz type steering gear]
[Figure: Fault tree analysis of a conventional four-ram steering gear, showing six modes through the OR gates]
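The gate logic described in the FTA section above, and the single-circuit weakness that the Amoco Cadiz case history and the steering-gear fault tree illustrate, can be worked through in code. The following is an added example, not part of the original page or of any published Amoco Cadiz analysis: a small evaluator that derives the minimal cut sets of a tree (the qualitative evaluation) and propagates basic-event probabilities through the gates (the quantitative evaluation). The basic events, their names, and their per-voyage probabilities are constructed for illustration; only the pipe-flange failure on the hydraulic circuit comes from the text. The redundant-circuit tree stands in for the post-Amoco Cadiz requirement that part of the hydraulic circuit survive a single pressure-part failure.

```python
# Added example: a small fault tree evaluator (not from the original page).
# Gates combine failure modes as the text describes; basic events, their names
# and their probabilities are constructed for illustration.
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """A basic event: a failure mode not developed further (component breakdown, operator error, ...)."""
    name: str


@dataclass(frozen=True)
class Gate:
    """A logic gate: 'OR' fires if any input occurs, 'AND' only if all inputs occur."""
    kind: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def OR(*inputs: Node) -> Gate:
    return Gate("OR", tuple(inputs))


def AND(*inputs: Node) -> Gate:
    return Gate("AND", tuple(inputs))


def basic_events(node: Node) -> List[str]:
    """All basic-event names under a node, with repeats (used to detect shared events)."""
    if isinstance(node, Event):
        return [node.name]
    return [n for child in node.inputs for n in basic_events(child)]


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Qualitative evaluation: the minimal sets of basic events that together cause the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from each input must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # drop any cut set that is a superset of another (non-minimal)
    return {s for s in combined if not any(other < s for other in combined)}


def top_event_probability(node: Node, p: Dict[str, float]) -> float:
    """Quantitative evaluation: probability of the top event, assuming independent basic events.

    Gate-by-gate propagation is only exact when no basic event feeds more than one gate,
    so a tree with a shared event is rejected rather than silently mis-counted.
    """
    names = basic_events(node)
    if len(names) != len(set(names)):
        raise ValueError("shared basic event: use cut-set methods instead of gate propagation")
    return _propagate(node, p)


def _propagate(node: Node, p: Dict[str, float]) -> float:
    if isinstance(node, Event):
        return p[node.name]
    qs = [_propagate(child, p) for child in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for q in qs:
            out *= q
        return out
    none_occur = 1.0  # OR: the top event occurs unless every input survives
    for q in qs:
        none_occur *= 1.0 - q
    return 1.0 - none_occur


# Constructed basic events and per-voyage probabilities (illustrative values, not from the page).
P = {
    "flange_failure": 1e-3, "pump_failure": 2e-3,
    "flange_failure_A": 1e-3, "pump_failure_A": 2e-3,
    "flange_failure_B": 1e-3, "pump_failure_B": 2e-3,
    "operator_error": 5e-4, "maintenance_omission": 1e-4,
}

# Single hydraulic circuit: any one pressure-part failure loses steering (all OR gates).
SINGLE_CIRCUIT = OR(
    OR(Event("flange_failure"), Event("pump_failure")),
    Event("operator_error"), Event("maintenance_omission"),
)

# Two independent circuits: both must fail before steering is lost (AND gate),
# but operator error and missed maintenance still bypass the redundancy.
REDUNDANT_CIRCUIT = OR(
    AND(
        OR(Event("flange_failure_A"), Event("pump_failure_A")),
        OR(Event("flange_failure_B"), Event("pump_failure_B")),
    ),
    Event("operator_error"), Event("maintenance_omission"),
)


if __name__ == "__main__":
    for label, tree in (("single circuit", SINGLE_CIRCUIT), ("redundant circuits", REDUNDANT_CIRCUIT)):
        cuts = sorted(sorted(c) for c in minimal_cut_sets(tree))
        print(f"{label}: P(top) = {top_event_probability(tree, P):.2e}, minimal cut sets = {cuts}")
```

With these constructed figures the single-circuit tree has four single-event cut sets and a top-event probability of about 3.6e-3 per voyage, while the redundant design has six cut sets (four of them requiring two failures) and about 6.1e-4. The remaining risk in the redundant tree comes almost entirely from the two single-event cut sets, operator error and maintenance omission, which is the same lesson the case history draws: duplicating the hydraulic circuit does nothing against an uninvestigated malfunction or an untrained crew. The shared-event check matters in practice, since a common-cause event placed under two gates would make the gate-by-gate figure wrong without any warning.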
[Figure: Complete fault tree analysis of a bearing with the undesirable top event 'catastrophic bearing failure']