FaultTree+

for Windows

Version 11.2

Fault Tree Analysis

Event Tree Analysis
Markov Analysis

Windows is a registered trademark of Microsoft Corporation

FaultTree+ V11.2
 Copyright 1986 - 2008 Isograph Limited

All rights reserved. This document and the associated software contains
proprietary information which is protected by copyright and may not be
copied in whole or in part except with the prior written permission of
Isograph. The copyright and the foregoing restrictions on the copyright
extends to all media in which this information may be preserved.

Isograph makes no representations or warranties of any kind whatsoever

with respect to this document or its associated software. Isograph
disclaims all liabilities for loss or damage arising out of the possession
sale or use of this document or its associated software.

FaultTree+ V11.2
 Contents

Contents

1. INTRODUCTION............................................................................................................ 1

2. WHATS NEW ................................................................................................................. 5

3. THE USER INTERFACE ............................................................................................... 7

STARTING UP THE PROGRAM ................................................................................................ 7
THE FAULTTREE+ MAIN WINDOW ...................................................................................... 7
SELECTING OBJECTS IN THE FAULT AND EVENT TREE DIAGRAMS ........................................ 9
SELECTING OBJECTS IN A MARKOV DIAGRAM ...................................................................... 9
EDITING OBJECT ATTRIBUTES .............................................................................................. 9
USING THE PROJECT TREE CONTROL.................................................................................. 10
USING THE LIBRARY TREE CONTROL ................................................................................. 12
USING THE GRID CONTROL ................................................................................................ 13
GRID CONTROL - FILTER ................................................................................................... 16
GRID CONTROL GRID OPTIONS ....................................................................................... 17
GRID CONTROL FIND AND REPLACE ................................................................................ 18
GETTING HELP .................................................................................................................. 19
4. TUTORIAL - FAULT AND EVENT TREES.............................................................. 21
TUTORIAL SYSTEM DESCRIPTIONS ..................................................................................... 21
CONSTRUCTING FAULT TREES ........................................................................................... 23
ADDING FAILURE AND REPAIR DATA ................................................................................. 31
CONSTRUCTING AN EVENT TREE........................................................................................ 34
PERFORMING AN ANALYSIS ............................................................................................... 40
PRODUCING REPORTS ........................................................................................................ 44
5. TUTORIAL - MARKOV ANALYSIS.......................................................................... 47
MARKOV ANALYSIS METHODS .......................................................................................... 47
CONTINUOUS TIME AND DISCRETE TRANSITION PHASES .................................................... 50
EXAMPLE MARKOV DIAGRAM ........................................................................................... 50
STARTING A NEW MARKOV MODEL ................................................................................... 51
DEFINING STATES .............................................................................................................. 51
DEFINING PARAMETERS ..................................................................................................... 52
DEFINING PHASES.............................................................................................................. 53
DEFINING TRANSITIONS ..................................................................................................... 53
PERFORMING A MARKOV ANALYSIS .................................................................................. 54
SAVING THE CURRENT MARKOV MODEL TO FILE ............................................................... 56
ATTACHING MARKOV MODELS TO A FAULTTREE+ PROJECT .............................................. 56
6. PROJECT MANAGEMENT ........................................................................................ 59

FaultTree+ V11.2 i
Contents

DATABASE TABLES ............................................................................................................59

EVENT TABLE ....................................................................................................................59
GENERIC MODEL TABLE ....................................................................................................64
GENERIC PARAMETER TABLE .............................................................................................65
GATE TABLE ......................................................................................................................66
CCF TABLE .......................................................................................................................69
LABELS TABLE ...................................................................................................................69
NOTES TABLE ....................................................................................................................70
HYPERLINKS TABLE ...........................................................................................................71
EVENT TREE TABLE ...........................................................................................................71
CONSEQUENCE TABLE ........................................................................................................72
BITMAP TABLE...................................................................................................................73
MARKOV MODEL TABLE ....................................................................................................73
EVENT GROUP TABLE ........................................................................................................74
GENERIC MODEL GROUP TABLE.........................................................................................76
GENERIC DATA GROUP TABLE ...........................................................................................76
EDITING TABLES ................................................................................................................77
PROJECT FILES ...................................................................................................................80
APPENDING PROJECT DATA ................................................................................................82
APPENDING DATA FROM A SINGLE PROJECT .......................................................................82
APPENDING DATA FROM MULTIPLE PROJECTS ....................................................................85
LIBRARY FILES ..................................................................................................................85
ADDING PROJECT DATA TO A LIBRARY ..............................................................................87
LIBRARY ELEMENT PROPERTIES .........................................................................................87
7. CONSTRUCTING FAULT TREES .............................................................................89
ADDING NEW GATES AND EVENTS .....................................................................................89
GATE AND EVENT SYMBOLS...............................................................................................90
EDITING GATES AND EVENTS .............................................................................................91
FAULT TREE PAGINATION ..................................................................................................92
ADDING LABELS AND NOTES TO A FAULT TREE ..................................................................92
ADDING HYPERLINKS TO A FAULT TREE .............................................................................93
FAULT TREE COPY AND APPEND FACILITIES .......................................................................93
DELETING SYMBOLS ..........................................................................................................97
8. NAVIGATING FAULT TREES....................................................................................99
USING THE TREE CONTROL TO LOCATE FAULT TREE PAGES ...............................................99
USING THE COMBO-BOX TO LOCATE FAULT TREE PAGES .................................................100
LOCATING GATES USING THE GATE TABLE .......................................................................101
LOCATING FAULT TREE LABELS USING THE LABELS, NOTES AND HYPERLINKS TABLE .....102
USING THE DEPENDENCY LIST TO LOCATE EVENTS ..........................................................103
9. CONSTRUCTING EVENT TREES ...........................................................................105
CREATING NEW EVENT TREES .........................................................................................105
BRANCHES .......................................................................................................................105
COLUMNS ........................................................................................................................106

ii FaultTree+ V11.2
 Contents

EVENT TREE COPY AND PASTE FACILITIES....................................................................... 107

EVENT TREE PAGINATION ................................................................................................ 107
ADDING LABELS TO AN EVENT TREE ............................................................................... 108
DELETING EVENT TREES AND BRANCHES ........................................................................ 108
DELETING UNATTACHED GATES, EVENTS AND CONSEQUENCES ....................................... 108
10. NAVIGATING EVENT TREES............................................................................... 109
USING THE TREE CONTROL TO LOCATE EVENT TREES...................................................... 109
USING THE COMBO-BOX TO LOCATE EVENT TREES ......................................................... 110
LOCATING EVENT TREE LABELS USING THE LABELS, NOTES AND HYPERLINKS TABLE..... 111
USING THE DEPENDENCY LIST TO LOCATE EVENTS AND GATES ....................................... 111
11. THE SPELLING CHECKER ................................................................................... 113
SPELLING CHECKER SCOPE DIALOG ................................................................................. 113
CHECK-SPELLING DIALOG ............................................................................................... 113
DICTIONARIES DIALOG .................................................................................................... 115
SPELL CHECKER OPTIONS DIALOG ................................................................................... 117
NEW DICTIONARY DIALOG .............................................................................................. 119
12. DIAGRAM LAYOUT OPTIONS ............................................................................. 121
FAULT TREE LAYOUT OPTIONS ........................................................................................ 121
SCALING FAULT TREE DIAGRAMS .................................................................................... 124
SHIFTING FAULT TREE DIAGRAMS ................................................................................... 125
EVENT TREE LAYOUT OPTIONS........................................................................................ 128
SCALING EVENT TREES.................................................................................................... 130
13. PROJECT OPTIONS ................................................................................................ 131
GENERAL OPTIONS .......................................................................................................... 131
REPORTS OPTIONS ........................................................................................................... 135
LIBRARY OPTIONS ........................................................................................................... 137
COLOUR OPTIONS ............................................................................................................ 139
VIEW OPTIONS ................................................................................................................ 140
PRECISION OPTIONS ......................................................................................................... 144
SETS GENERATION OPTIONS ............................................................................................ 145
CUSTOM OPTIONS FOR APPROXIMATION METHODS .......................................................... 150
CALCULATION OPTIONS ................................................................................................... 155
CONFIDENCE ANALYSIS OPTIONS .................................................................................... 158
PHASE OPTIONS ............................................................................................................... 160
14. PERFORMING AN ANALYSIS .............................................................................. 163
PERFORMING AN ANALYSIS ............................................................................................. 163
PERFORMING A PARTIAL ANALYSIS ................................................................................. 164
PERFORMING A BATCH ANALYSIS .................................................................................... 165
15. DATA AND RESULTS VERIFICATION ............................................................... 167

FaultTree+ V11.2 iii

Contents

16. EXAMINING ANALYSIS RESULTS ......................................................................169

DISPLAYING RESULTS IN FAULT AND EVENT TREE DIAGRAMS..........................................169
FAULT AND EVENT TREE SUMMARY RESULTS ..................................................................169
GRAPHS DISPLAYING FAULT AND EVENT TREE RESULTS ..................................................170
17. EVENT DATA MODELS ..........................................................................................173
FIXED UNAVAILABILITY AND FAILURE FREQUENCY MODEL .............................................173
CONSTANT FAILURE AND REPAIR RATE MODEL ...............................................................174
MEAN TIME TO FAILURE AND REPAIR MODEL ..................................................................175
DORMANT FAILURE WITH PERIODIC INSPECTION MODEL ..................................................176
SEQUENTIAL FAILURE MODEL ..........................................................................................177
EVENT TREE INITIATOR MODEL .......................................................................................180
STANDBY MODEL ............................................................................................................180
TIME AT RISK FAILURE MODEL ........................................................................................181
BINOMIAL FAILURE MODEL .............................................................................................181
POISSON FAILURE MODEL ................................................................................................182
RATE/MTTR MODEL.......................................................................................................183
WEIBULL MODEL .............................................................................................................183
FIXED UNAVAILABILITY AND FAILURE FREQUENCY PHASED MODEL .............................186
CONSTANT FAILURE AND REPAIR RATE PHASED MODEL ...............................................187
UNCERTAINTY VALUES ....................................................................................................188
18. SYSTEMS ANALYSIS METHODS .........................................................................191

19. INITIATOR/ENABLER EVENTS AND SEQUENCING ......................................197

INITIATOR AND ENABLER EVENTS ....................................................................................197
EVENT SEQUENCING ........................................................................................................199
20. IMPORTANCE ANALYSIS......................................................................................203
FUSSELL-VESELY IMPORTANCE ........................................................................................203
BIRNBAUM IMPORTANCE ..................................................................................................205
BARLOW-PROSCHAN IMPORTANCE ...................................................................................206
SEQUENTIAL IMPORTANCE ...............................................................................................207
21. TIME-DEPENDENT ANALYSIS.............................................................................209

22. SENSITIVITY ANALYSIS........................................................................................211

SIMPLE SENSITIVITY ANALYSIS ........................................................................................211
SPECIAL SENSITIVITY ANALYSIS ......................................................................................211
23. CONFIDENCE ANALYSIS ......................................................................................215

24. BDD ANALYSIS.........................................................................................................219

25. COMMON CAUSE FAILURES ...............................................................................221

iv FaultTree+ V11.2
 Contents

OVERVIEW OF COMMON CAUSE FAILURES ....................................................................... 221

BETA FACTOR MODEL ..................................................................................................... 226
MGL MODEL .................................................................................................................. 227
ALPHA FACTOR MODEL ................................................................................................... 228
BETA BINOMIAL FAILURE RATE (BFR) MODEL ............................................................... 229
CCF EVENT NAMES ........................................................................................................ 230
26. USING HOUSE EVENTS ......................................................................................... 231

27. USING BITMAPS...................................................................................................... 233

28. CONVERTING TO AN AVSIM+ PROJECT ......................................................... 235

29. CONSTRUCTING MARKOV MODELS................................................................ 237

ADDING STATES TO A MARKOV MODEL ........................................................................... 237
DEFINING PARAMETERS FOR A MARKOV MODEL ............................................................. 238
DEFINING PHASES FOR A MARKOV MODEL ...................................................................... 239
ADDING TRANSITIONS TO A MARKOV MODEL .................................................................. 240
MARKOV DIAGRAM LAYOUT OPTIONS ............................................................................. 243
PERFORMING A MARKOV ANALYSIS ................................................................................ 244
MARKOV MODEL RESULTS AND GRAPHS ......................................................................... 247
ATTACHING MARKOV MODELS TO A FAULTTREE+ PROJECT ............................................ 248
MARKOV INTEGRATION METHODS ................................................................................... 250
30. THE REPORT GENERATOR ................................................................................. 253
PRINTING, PREVIEWING AND DESIGNING REPORTS ........................................................... 253
ORDERING FAULT TREE PAGES IN A PRINTED REPORT ..................................................... 254
FILTERING FAULT TREE PAGES IN A PRINTED REPORT ...................................................... 255
CREATING METAFILES ..................................................................................................... 255
31. IMPORT/EXPORT FACILITIES............................................................................ 257

32. INSERTING DATA FROM THE ISOGRAPH PARTS LIBRARY...................... 259

33. MISCELLANEOUS DIALOG DESCRIPTIONS ................................................... 261

THE ABOUT DIALOG ........................................................................................................ 261
THE PROMPT DIALOG ...................................................................................................... 261
THE REPLACE TEXT DIALOG............................................................................................ 262
THE MODIFY INSPECTION INTERVALS DIALOG ................................................................. 263
THE MODIFY TIME AT RISK DIALOG ................................................................................ 264
THE DEPENDENCIES DIALOG ........................................................................................... 265
THE CUSTOMISE EVENT GROUP CATEGORIES DIALOG ..................................................... 266
THE CUSTOMISE CONSEQUENCE CATEGORIES DIALOG ..................................................... 267
THE CUSTOMISE NOTES CAPTIONS DIALOG ..................................................................... 268
THE CLIPBOARD PARTS DIALOG ...................................................................................... 268

FaultTree+ V11.2 v
Contents

APPENDIX 1 - GLOSSARY OF TERMS ......................................................................271

APPENDIX 2 - REFERENCES.......................................................................................275

APPENDIX 3 DATABASE STRUCTURE..................................................................277

APPENDIX 4 INSTALLING FAULTTREE+ ............................................................301

INSTALLATION INTRODUCTION .........................................................................................301
INSTALLING ON A STANDALONE MACHINE .......................................................................303
INSTALLING ON A NETWORK SERVER ...............................................................................305
INSTALLING ON A NETWORK CLIENT ................................................................................307
APPENDIX 5 LICENSING FAULTTREE+ ...............................................................309
FLEXNET LICENSE SERVER INTRODUCTION .....................................................................309
INSTALLING STANDALONE FLEXNET LICENSES .............................................................310
INSTALLING THE FLEXNET LICENSE SERVER .................................................................311
ADDING LICENSES TO AN EXISTING FLEXNET LICENSE SERVER .....................................314
INSTALLING A SEPARATE FLEXNET LICENSE SERVER ....................................................315
THE FLEXNET SELECT LICENSES DIALOG ...................................................................316
MONITORING FLEXNET LICENSES USING LMTOOLS ...................................................318

vi FaultTree+ V11.2
 Introduction

1. Introduction
Welcome to the FaultTree+ analysis program for Microsoft Windows! You have
purchased a package that will enable you to analyse the availability and reliability of
both complex and simple systems and which is easy and intuitive to use. FaultTree+
provides an integrated environment for performing fault tree analysis, event tree
analysis and Markov analysis. The program is rich in features and can model a wide
range of scenarios. Some of the programs capabilities are listed below.

Automatic drawing facilities produce high quality diagrams without any effort
from the user
Fault and event tree library management system
Drag and drop add mode for fast tree construction
Tree control for easy project navigation
Hyperlink facility for gates, events and failure models
Integrated Isograph generic failure data libraries
Extensive diagram scale and shift options including manual shifting of sub-trees
and automatic alignment to the screen edit area
Flexible colour coding for gate and event types
Global and local font selection allowing highlighting of labels and descriptions
Automatic paging facilities - simply identify gates or branches with a new page
tag and the program takes care of pagination
Single and multiple project append facilities for fault trees produced by different
users
OR, AND, VOTE, NOT, Exclusive Or, Inhibit and Priority AND gates supported
Basic, Conditional, Undeveloped, Dormant and House basic event symbols
supported
Multiple branching supported for event trees
Multiple consequence categories for event trees
Primary and secondary event trees
Extensive on-line help facility including key word search
Attributes such as event parameters, generic model codes, branch names and
column probabilities may be displayed on diagrams, if required
Cut, copy and paste facilities for fault and event trees
Flexible labelling formatting allows the user to place descriptive text anywhere
within a fault or event tree page
Project database tables may be easily edited using direct and dependency
filtering
Event and gate names may be globally edited
Circular logic checks during fault tree construction
Undo and automatic backup facilities
Delete hidden data facility for tidying-up large projects

FaultTree+ V11.2 1
Introduction

Comprehensive range of event failure and repair models including fixed rates,
dormant, time at risk, binomial, Poisson, sequential, standby, Weibull and
initiator failure models
User-created Markov models for handling dependencies between events
Event and generic failure model grouping
Event group importance analysis
Disjoint (exclusive event) analysis
Analysis of multiple operational phases in a single project
Fault tree house event analysis
Full minimal cut set analysis (including success states if required)
CCF analysis using the beta factor, MGL, alpha factor or beta BFR methods
IEC 61508 CCF beta factor generation wizard
Post-processing facilities for accurate upper bound calculations
Importance analysis with Fussell-Vesely, Birnbaum, Barlow-Proschan and
Sequential importance measures
Risk importance measures provided for event tree consequences
Initiator-enabler and sequence dependent analyses
Uncertainty analyses allowing confidence levels to be determined from event
failure and repair data uncertainties
Confidence correlation coefficients calculated
Sensitivity analysis allowing the automatic variation of event failure and repair
data between specified limits
Time-dependent analysis providing intermediate values for time-dependent
system parameters
Verification checks providing diagnostic information before commencing an
analysis. Checks are made for circular logic, undefined gates, invalid initiators,
etc.
Batch analysis facility for multiple projects
Cut set tracing in fault tree diagrams
Status facility to indicate whether analysis results are out-of-date with respect to
project data
Incorporate custom bitmap pictures for diagram enhancement
Customisable reports interfacing with Microsoft Office products
Graphs, plots, pie charts and time profile histograms
Import and export facilities
Interfaces with other reliability products such as AvSim+

The FaultTree+ program is a powerful systems reliability analysis tool that allows
fault and event tree analyses to be performed in an integrated environment.
Customised Markov models may also be linked to events in the fault or event tree
diagram. The program may also be used to analyse fault trees, event trees and
Markov models, independently.

2 FaultTree+ V11.2
 Introduction

The program runs under Microsoft Windows and is capable of analysing large and
complex fault and event trees, producing the full minimal cut representation for fault
tree TOP events and event tree consequences.

FaultTree+ provides CCF analysis, importance analysis, uncertainty and sensitivity

analyses facilities. The program allows users to construct a single project database
containing generic data and event tables, fault trees with multiple TOP events,
event trees originating from different initiating events, CCF tables and consequence
tables. Fault and event tree pagination is automatically controlled by the program.
Fault tree TOP events may be used to represent specific columns in the event tree.
Multiple branches are also handled to allow for partial failures. Users may feed the
end branches of event trees into secondary event trees, eliminating the need for the
user to reproduce identical event tree structures leading to identical consequences.

FaultTree+ uses efficient minimal cut set generation algorithms to analyse large and
complex fault and event trees. NOT logic may be included in the fault and event
trees at any level and the event success states retained in the analysis results, as
an option.

The FaultTree+ Report Generator allows you to select from a range of standard
reports or quickly design your own customised reports. You can design your own
headers and footers, choose your own fonts, insert your own pictures, sort and filter
data and much more!

Paginated network or fault tree diagram reports are automatically produced and can
be transferred to other packages such as Microsoft Word. You may specify the
pagination scheme you require for diagram reports and obtain page index reports to
allow you to find specific gates and events easily.

You may also choose from a wide range of sophisticated scientific graphs and
charts or create your own graphs and charts. You can display multiple graphs on
the same page and easily modify scales, legends, titles etc.

FaultTree+ provides a flexible import/export facility that allows the user to transfer
data to and from Microsoft Access databases, Microsoft Excel spreadsheets and
text delimited and fixed length files.

FaultTree+ has been used to perform systems reliability analysis by a wide range of
different industries for over a decade. We hope you enjoy using FaultTree+.
Remember that full support and training facilities are available with the program.

FaultTree+ V11.2 3
 Whats New

2. Whats New
This section outlines the differences between FaultTree+ Version 11.2 and
FaultTree+ Version 11.1.

Integrated Parts Libraries

The IsoLib NPRD and IAEA Parts Libraries have now been integrated into
FaultTree+. These libraries may now be accessed directly by selecting the Parts
Library tab at the top right of the main window. There are two libraries available
the IAEA library (IAEA-TECDOC-508) and the NPRD library (NPRD-95). Both these
libraries contain failure rate data for mechanical components and may be used to
populate the generic models and generic failure rate parameters in a FaultTree+
project. The parts database may be quickly searched by part category or by text
filters and selected parts may be transferred to a FaultTree+ project using drag and
drop.

Extension of Phase Models

The fault and event tree phase models have been extended to allow users to enter
absolute unavailability and failure rate values for each phase. Previously users were
forced to use adjustment factors. To use absolute values with the Fixed-Phase and
Rate-Phased models set the appropriate flag in the Phases tab of the Project
Options dialog.

In addition, users may now automatically set the project lifetime to the sum of phase
durations by selecting the appropriate flag in the Phases tab of the Project
Options dialog.

FaultTree+ V11.2 5
 The User Interface

3. The User Interface

Starting up the Program

The program may be started by selecting the FaultTree+ option on the Windows
Programs Menu.

The FaultTree+ Main Window

FaultTree+ Main Window

The FaultTree+ Window may be resized or iconified at any time by selecting window
reconfiguration options from the top right corner of the window border.

The principal pull-down menu options are positioned along the top of the FaultTree+
Window. Pull-down menus and their options may be selected using the left mouse
button. Alternatively, menu options may be selected using the keyboard. This is
achieved by holding down the Alt key and pressing the underlined character in the
required visible menu option. Accelerator keys are also provided for selected menu
options. For example, tapping the Delete key will delete selected objects in a fault
tree diagram.

FaultTree+ V11.2 7
The User Interface

Immediately below the pull-down menu options reside a group of buttons that form a
toolbar, allowing the user to access directly some of the more frequently used menu
options.

Both the contents of the menus on the menu bar and the toolbar change according
to whether the current diagram type is a fault tree, an event tree or a Markov model.
The purpose of each button in the toolbar can be displayed in the form of a 'tool tip'
that appears alongside the button when the cursor is placed over the button.

To the right of the toolbar is a combo-box. If the Fault Trees Tab is currently
selected, this combo-box is used to change the displayed fault tree page. If the
Event Trees Tab is selected, this combo-box determines which event tree is
displayed. If the Markov Models Tab is selected, the combo-box allows the user to
select the currently displayed Markov phase.

Below the toolbar is a split screen arrangement. The division between the two
portions can be moved by placing the cursor over the divider, at which point the
cursor will change form, and holding the left button down whilst dragging the cursor
to the desired position.

The left side of the FaultTree+ window contains the project or library tree control.
The user may alternate between displaying the project tree control and library tree
control by selecting the appropriate tab at the top of the left-hand window. The tree
control concept will be familiar to users of Microsoft Windows Explorer. The tree
control represents the various elements of the current FaultTree+ project or the
attached library. The right side of the FaultTree+ window contains the diagram edit
area that displays the current fault tree, event tree or Markov diagram.

The tabs above the diagram edit area are used to change to fault tree, event tree or
Markov display mode. The diagram edit area can contain fault trees that are larger
than the visible area and scroll bars are available to shift the visible fault tree.
Markov diagrams may also be shifted in a similar manner.

Two buttons are displayed to the right of the tabs, allowing the user to switch
between displaying the diagram drawing area or the grid control list.

At the bottom of the screen is a message area. When an option on a pull-down

menu is highlighted, the message strip indicates its functionality. At other times, this
message strip will display information relating to the current process. For example, if
an analysis is being performed the message area will indicate the current analysis
status.

To the right of the message area there is a display showing the number of elements
currently defined in the project. If the Fault Tree Tab is selected, the program
displays the number of gates and number of events in the format G:# E:#. If the
Event Tree Tab is selected, the program displays the number of branches and

8 FaultTree+ V11.2
 The User Interface

number of events in the format B:# E:#. If the Markov Models Tab is selected, the
program displays the number of states in the format S:#.

The current project and library file names are displayed at the top of the FaultTree+
window, together with the currently open Markov Model name.

Selection of many of the menu options will result in standard Windows dialog boxes
being displayed. These dialog boxes contain Windows controls. Controls include
buttons, combo-boxes (allowing the user to choose one option from a selection in a
pull-down list), check boxes (allowing the user to set a facility on or off) and edit
controls (allowing the user to enter text). The FaultTree+ controls behave in a
similar manner to controls in other Windows applications.

Selecting Objects in the Fault and Event Tree Diagrams

Selection of individual objects in the fault or event tree diagrams is accomplished by

placing the cursor over the object and clicking the left mouse button. Selected
objects may be deselected by choosing the Clear Current Selection option on the
right button pop-up menu. Selected gates and events in a fault tree diagram may
also be deselected by clicking the left mouse button with the cursor positioned
outside any of the currently visible symbols.

Multiple gates and events may be selected in a fault tree diagram by holding the Ctrl
key down whilst making selections. Multiple selections are used by the Shift, Align
Selections pull-down menu option.

Selecting Objects in a Markov Diagram

Individual states and transitions in a Markov diagram may be selected by placing

the cursor over the object and clicking the left mouse button. If you wish to select
more than one state or transition at the same time then hold the Ctrl key down
whilst making each selection. Objects may be deselected by choosing the Clear All
Selections option on the right button pop-up menu.

Editing Object Attributes

Where appropriate, the attributes of a selected diagram object can be accessed by

choosing the Edit, Selection pull-down menu option. Alternatively, placing the
cursor over the object and double-clicking on the left mouse button gives the same
result. An alternative would be to select the object and then choose the Edit
Selection option on the pop-up menu that is activated by clicking the right mouse
button in the diagram edit area. The tree control can also be used to edit the
attributes of most objects.

FaultTree+ V11.2 9
The User Interface

Using the Project Tree Control

The project tree control is a hierarchical structure that can be expanded or

contracted by clicking on the '+' or '-' signs in the tree control window when the
Project Tab is selected. The project tree control contains named icons that
represent the various parts of the current project. These include fault trees, event
trees, Markov models, generic data etc.

Tree Control Showing Project Data

The project tree control provides an efficient way of navigating and editing project
data. Pressing the right mouse button with the cursor positioned in the tree control
area will reveal a pop-up menu allowing the user to perform a variety of actions
depending on which tree control item is currently selected.

10 FaultTree+ V11.2
 The User Interface

Pop-Up Menu with the Events Node Selected

The 'drag and drop facilities in the project tree control can save considerable effort
in constructing a project. The 'drag and drop' process begins with the user placing
the cursor over the object that is to be dragged, the left mouse button is then
pressed down and an outline of the object can then be dragged over to the diagram
edit area where the object is to be dropped. When the user releases the left mouse
button, the drop is completed. The 'drag and drop' facility is valid for the following
transfers:

Gates in the tree control to fault tree gates and event tree columns
Events in the tree control to fault tree gates and event tree columns
Events in the tree control to event groups in the tree control
CCF models in the tree control to events in the fault tree
CCF models in the tree control to events in the tree control
Generic models and parameters in the tree control to events in the fault tree
Generic models and parameters in the tree control to events in the tree control
Generic models and parameters in the tree control to generic data groups in the
tree control
Markov models in the tree control to events in the fault tree
Markov models in the tree control to events in the tree control
Consequences in the tree control to event tree end branches
Bitmaps to labels in the tree control or to open spaces in fault or event trees

FaultTree+ V11.2 11
The User Interface

Using the Library Tree Control

The library tree control allows users to easily transfer library data to the current
project. Library data is displayed when a library is connected and the Library Tab is
selected above the left-hand window. To connect a library use the File, Connect to
Library pull-down menu option. You may connect another project as a temporary
library by setting the Files of Type selection to *.psa in the Open Dialog.

The library tree control is a hierarchical structure that can be expanded or

contracted by clicking on the '+' or '-' signs in the tree control window when the
Library Tab is selected. The library tree control contains named icons that
represent the various parts of the connected library. These include fault trees, event
trees, Markov models, generic data etc.

Tree Control Showing Library Data

12 FaultTree+ V11.2
 The User Interface

The library tree control provides an efficient way of navigating library data and
transferring it to the current project. Pressing the right mouse button with the cursor
positioned in the tree control area will reveal a pop-up menu, allowing the user to
perform a variety of actions depending on which tree control item is currently
selected.

Pop-Up Menu with the Library Events Node Selected

The 'drag and drop facilities in the library tree control allow data to be easily
transferred to the current project. The 'drag and drop' process begins with the user
placing the cursor over the object that is to be dragged, the left mouse button is
then pressed down and an outline of the object can then be dragged over to the
diagram edit area where the object is to be dropped. When the user releases the
left mouse button the drop is completed. The 'drag and drop' facility is valid for the
following transfers:

Gates in the tree control to fault tree gates and event tree columns
Events in the tree control to fault tree gates and event tree columns
CCF models in the tree control to events in the fault tree
Generic models and parameters in the tree control to events in the fault tree
Markov models in the tree control to events in the fault tree
Consequences in the tree control to event tree end branches
Bitmaps to open spaces in fault or event trees

Using the Grid Control

The grid control may be revealed by selecting the grid control icon near the top right
of the FaultTree+ window.

Diagram, Grid Control and IsoLib Icons

The grid control displays project data in tabular format. The following data
categories may be displayed in the grid control:

FaultTree+ V11.2 13
The User Interface

Fault Trees
Gates
Event Trees
Events
CCF Models
Generic Data
Consequences

Selection of the appropriate tab below the grid control will display the required data
category. If the tab that you require is not visible, use the arrows to the left of the
tabs to bring the appropriate one into view.

The grid control provides an alternative method of editing data. To modify a data
item associated with a record in the list, simply select the field with the left mouse
button and then type in the data or select an option from a list. Use the tab and up
and down arrow keys to move from one field to another. When you have finished
entering data, click the left mouse button with the cursor outside the grid control.
Pressing the Escape key aborts the current edit operation. You may also edit data
by double-clicking the left mouse button with the cursor positioned over the grey
button to the left of the grid row. Some columns may be disabled due to the type of
data they are displaying.

You may customise the layout of the grid control by pressing the right mouse button
over the grid control and then selecting the appropriate option.

Grid Control Pop-up menu

14 FaultTree+ V11.2
 The User Interface

View Diagrams

Switches the right-hand window to show diagrams rather than the grid control.

View Tables

Confirms the grid control tables are on view.

Add Record

Adds a new record to the bottom of the table.

Copy

Copies the current record to the clipboard.

Paste

Pastes the clipboard contents to the current table.

Paste Special

Pastes the clipboard contents to the current table.

Delete Record

Deletes the selected record.

Change Page

Changes the page view upwards or downwards in the fault tree diagram according
to the current selection. This option is only active for the Fault Trees table.

Wrap Text

This option wraps the text in each grid cell where the text length exceeds the
column width.

Grid Options

A dialog will appear allowing the user to hide or reposition different fields. Users
may also specify the field for which data is to be sorted in this dialog.

Filter

A dialog will appear allowing the Grid data to be filtered.

FaultTree+ V11.2 15
The User Interface

Clear Filter

Clears the Filter and shows all data in the chosen category.

Find and Replace

A dialog will appear allowing the user to replace one piece of text with another
throughout the grid control.

Grid Control - Filter

The Filter pop-up allows users to selectively filter the data shown in the grid
control.

Grid Control Filter facility Dialog with Gates Table selected

Table

Defines the category currently displayed that the filter will be applied to.

Column

Choose, from the drop down box, the column the filter is to be applied to. In the
next drop down box, choose the type of comparison to be made, for example,
equals.

Value

The value or text that the comparison applies to. If a second comparison is
required, choose either OR or AND from the next drop-down box and fill out the
second comparison type and value.

16 FaultTree+ V11.2
 The User Interface

Filter by tree control selection

Checking on this option shows only the data associated with the highlighted item in
the project tree control.

Apply, OK and Cancel

Clicking Apply will immediately apply the chosen filter. Clicking OK applies the
chosen filter and exits the dialog box. Clicking Cancel exits the dialog without
applying the chosen filter.

Grid Control Grid Options

The Grid Options pop-up allows users to modify the position and visibility of fields.

Grid Options Dialog with Gates Table Selected in Grid Control

Sort Field

Allows the user to choose the field to be used for sorting data.

Visible Fields

Shows the currently visible fields for the selected category. The order of the list is
the order the fields are displayed in the grid. To change this order, highlight the

FaultTree+ V11.2 17
The User Interface

field using the left mouse button and click the Up or Down Button to shift the
highlighted item one place. To transfer fields to the Hidden Fields list, highlight the
item using the left mouse button and click on the right-hand arrow.

Hidden Fields

Shows the currently hidden fields for the selected category. To transfer fields to the
Visible Fields list, highlight the item using the left mouse button and click on the
left-hand arrow.

Field Sort, Layout and Visibility to Default

To reset the Grid sort options and layout to the default settings, click the Field Sort,
Layout and Visibility to Default Button.

OK and Cancel

Clicking the OK Button will exit the Grid Options pop-up making the requested
changes to the Grid. Clicking the Cancel Button will exit the Grid Options pop-up
without making the requested changes.

Grid Control Find and Replace

This dialog allows strings of text to be replaced with alternative strings of text
throughout a column of data.

Replace Dialog with Gates Table Selected in Grid Control

Table

Defines the category currently displayed that the filter will be applied to.

18 FaultTree+ V11.2
 The User Interface

Column

Choose from the drop down box the column the text change is to be applied to.

Find what

The text to be found and replaced.

Replace with

The new text to be entered in place of the existing defined text.

Match case

Indicates that only text matching the case of that defined will be found.

Match entire cell

Indicates that the entire cell must match the text to be found.

Getting Help

The online documentation facilities provided with the FaultTree+ program may be
accessed via the Help menu.

Context sensitive help may also be obtained for visible FaultTree+ dialogs simply by
pressing the F1 key when the dialog is displayed or by selecting the Help Button
inside the dialog.

Users who have a current maintenance contract should have details of the contact
telephone, fax numbers and e-mail addresses through which they can obtain
support. If you are in any doubt about these facilities, please contact your
FaultTree+ supplier.

FaultTree+ V11.2 19
 Tutorial - Fault and Event Trees

4. Tutorial - Fault and Event Trees

This tutorial is designed to lead new users through the basic steps for constructing
and analysing fault and event trees.

The tutorial is based on the safety analysis of three critical systems in a chemical
plant. The systems are a cooling system, an electrical system and a fire protection
system. These systems do not represent part of a real plant but have been
designed solely to illustrate the principles of developing fault and event trees using
FaultTree+.

If you are using a demonstration version of FaultTree+ you will not be able to save
any data you enter to a project file. However, project files are provided in the
Examples directory which represent various stages of the tutorial.

Tutorial System Descriptions

The schematic diagram below illustrates a simple cooling system consisting of

pumps, valves, control and instrumentation equipment and a heat exchanger. The
function of the system is simply to provide continuous cooling for a reactor vessel.

Cooling System Schematic

The cooling system operates in the following manner. Under normal conditions of
operation, coolant will be provided via leg 1 (containing pump EP1). If this leg is
unavailable for any reason, the flow sensor FS1 is designed to detect the decreased
flow rate and the controller will close valve EV1, open valve EV2 and start pump
EP2.

FaultTree+ V11.2 21
Tutorial - Fault and Event Trees

The pumps and valves EP1, EP2, EV1 and EV2 in the cooling system are all
electrically operated and so we must also consider the electrical supply system
which is illustrated below.

Electrical Supply System Schematic

The fire protection system consists of three compressed gas cylinders connected to
three electrical valves which are normally closed. On detection of a fire by either of
the two smoke detectors SD1 and SD2, a controller CON will open all three
electrical valves.

Fire Protection System Schematic

22 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

Note that a minimum of two of the three valves must open to ensure that the fire is
quenched by the inert gas released. The electrical valves are powered directly from
the grid. All components are inspected and tested for failure at regular intervals.
Constructing Fault Trees

In this tutorial we will consider two fault tree TOP events. These TOP events are

Loss of Cooling
Fire Protection Unavailable

TOP events generally represent system failures for which we wish to predict
parameters such as unavailability, failure frequency, number of expected lifetime
failures etc. The fault trees will represent how failures interact together to cause the
TOP event to occur. At the bottom of our fault trees we will have events which
generally represent component or operator failures. These are joined to the fault
tree TOP events via gate symbols that represent failures at various system levels.

The fault trees representing the electrical and fire protection systems have already
been constructed in two separate project files:

electric.psa
protect.psa

These files will have been copied to your FaultTree+ Examples directory during
installation. In the tutorial we will construct the fault tree representing the cooling
system and then append the electrical and protection systems into one master
project. This illustrates one method of working with FaultTree+ where a number of
different users might construct fault trees representing different systems and then
append these together at a later stage.

For the first stage of the tutorial, we will construct the fault tree representing Loss of
Cooling.

Start up the program by selecting the FaultTree+ option on the Windows Programs
Menu. Select the File, New Project pull-down menu option to start a new project.
When a new project is opened, FaultTree+ will display a single TOP gate in the
diagram edit area.

FaultTree+ V11.2 23
Tutorial - Fault and Event Trees

Single TOP Gate Display After a New Project is Opened

Now select the Add Gate Toolbar Button and move the mouse cursor into the
diagram edit area. The mouse cursor should change its appearance to a gate
symbol when it is moved into the diagram edit area.

Add Gate Toolbar Button

Position the cursor over the single TOP gate in the display and click the left mouse
button once. A new gate symbol will be automatically drawn underneath the original
gate symbol. A default name of GATE1 will be automatically assigned to this gate.
Now move the cursor over GATE1 and click the left mouse button again. Another
gate will appear underneath GATE1. Click the left mouse button one more time with
the cursor still positioned over GATE1 to create another gate. Your fault tree
diagram should now contain a TOP gate named TOP1 with a single input gate
GATE1. GATE1 should have two input gates GATE2 and GATE3. Now move the
mouse cursor over the Add Event Toolbar Button and click the left mouse button to
enter Add Event mode.

Add Event Toolbar Button

24 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

Move the mouse cursor back over gate TOP1 and click the left mouse button. An
event symbol will appear below gate TOP1. Now quit the Add Event mode by
selecting the Clear Add Mode Toolbar Button.

Clear Add Mode Toolbar Button

Display After Adding the First Few Gates and Events

From the simple steps carried out so far you will see how FaultTree+ enables the
user to quickly build up the fault tree structure. When in Add Gate mode, clicking
on gates will add gate inputs. When in Add Event mode, clicking on gates will add
event inputs. Incidentally, if you make an error when adding gates or events, simply
select the Edit, Undo pull-down menu option or equivalent toolbar button.
Alternatively, you may delete inputs to gates by selecting the input with the left
mouse button (make sure youre not in add mode) and then pressing the Delete
key.

FaultTree+ automatically positions gates and events as the tree is constructed (they
may be shifted later by the user if required) and assigns default gate and event
types according to the number of inputs to each gate. In our example Loss of
Cooling fault tree, we must now modify the gate types and enter some descriptions
for our failure events.

FaultTree+ V11.2 25
Tutorial - Fault and Event Trees

First, make sure you are no longer in Add Mode by selecting the Clear Add Mode
Toolbar Button. Position the mouse cursor over the TOP gate currently named
TOP1. Now double-click the left mouse button. The Edit Gate Dialog will now
appear allowing you to modify various attributes associated with the gate TOP1.
Change the gate name to COOLING and type in the description TOTAL LOSS OF
COOLING. Now select the OK Button in the dialog. The dialog will disappear and
the modification will be shown in the diagram.

Now move the mouse cursor over the gate named GATE1. Change the gate name
to SYS1, enter the description LOSS OF COOLING TO HEX, and change the gate
type to AND. Now select the OK Button in the dialog. Repeat this procedure with
GATE2 and GATE3, changing their names and entering their descriptions as shown
in the diagram below. Leave their gate types as TRANSFER.

Now move the mouse cursor over the event EVENT1 and double-click the left
mouse button. The Edit Event Dialog will now appear. Enter the new event name
and description as indicated below and then select the OK Button.

First Stage of Loss of Cooling Fault Tree

We now need to develop the events representing LOSS OF COOLING LEG 1 and
LOSS OF COOLING LEG 2. For convenience, we will first break up our fault tree
into pages. Move the cursor over symbol SYS2 in the diagram and double-click the
left mouse button. Select the Page check box and then select the OK Button to
remove the dialog. Now select gate SYS2 with a single click of the mouse button

26 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

and then select the Change Page Toolbar Button. FaultTree+ will now draw a new
page in the diagram edit area with SYS2 positioned on its own at the top of the
page.

Change Page Toolbar Button

Use the Add Gate and Add Event modes to continue the construction process
until you have built the fault tree page illustrated below.

SYS2 Fault Tree Page

Set the Page check boxes in the Edit Gate Dialog for gates ELECA and ELECB.
When you have completed this page of the fault tree you will have multiple pages
defined in your project. The names of each page correspond to the names of the
gate at the top of the page. You can navigate between pages using the combo-box
in the toolbar area or the project tree control to the left of the diagram edit area.
Alternatively, you may select a gate at the top of the page, or a page gate at the
bottom of the displayed page, and then select the Change Page Toolbar Button.

Now change to the original page (page COOLING). Double-click the left mouse
button with the cursor over gate SYS3 and define this gate as a page (by selecting

FaultTree+ V11.2 27
Tutorial - Fault and Event Trees

the Page check box in the Edit Gate Dialog). Change the current page to SYS3
and develop this part of the fault tree as illustrated below.

SYS3 Fault Tree Page

Note that gates ELECA and ELECB represent common cause events as they have
exactly the same names as the gates representing electrical faults in page SYS2.
You will not be able to create these repeated gates using the normal Add Gate
mode, as FaultTree+ will not let you change the default gate names to a name that
already exists. To create inputs ELECA and ELECB, we will use the copy and paste
facility provided with FaultTree+. First, build this page of the tree, excluding gates
ELECA and ELECB, using the Add Gate and Add Event modes. Then change the
current page to SYS2 and select gate ELECA. Then select the Copy Toolbar
Button.

Copy Toolbar Button

Now return to page SYS3 and select gate PUMP2. Now select the Paste Toolbar
Button (be careful not to select the Paste Special Button as this will create a gate

28 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

with identical attributes but with a different name which is not what we want). Gate
ELECA will now appear underneath gate PUMP2. Repeat this process for gate
ELECB.

Paste Toolbar Button

It is important to note that when we come to perform an analysis FaultTree+ will

recognise gates and events with the same name as being common cause failures.

We will now save the current project data to a project file. Select the File, Save
Project pull-down menu option and save the data to a file called master1.psa. If
you have not entered all of the fault tree structure specified so far in this tutorial, you
can open a file called cooling.psa contained in the Examples directory. You can
do this by selecting the File, Open Project pull-down menu option and selecting the
file. The cooling.psa file contains the tutorial fault tree constructed so far. Use the
File, Save Project As pull-down menu option to save the data to a file called
master1.psa.

In the cooling fault tree, there are two gates associated with electrical failures,
ELECA and ELECB. These gates are currently defined as TRANSFER gates and
need to be further developed. The electrical fault trees have already been defined
for you in a file located in the Examples directory. This file is called electric.psa.
We will now append this data to your current project which should be master1.psa.
Select the File, Append Project, Single Project pull-down menu option. A standard
Windows Open Dialog will appear. Select the file electric.psa from the Examples
directory. The Single Project Append Options Dialog will now appear displaying the
gates defined in the project electric.psa. The dialog allows you to specify whether
you wish to append the entire project or whether you wish to select specific gates to
append. Note that if you were to select a specific gate then the program would
append the gate and all other gates and events connected below it. The program
would also append any associated data models. We will append all the data in the
electric.psa project, so click the Select All Button. Select the Apply and Quit
Button to append the data and remove the dialog.

FaultTree+ V11.2 29
Tutorial - Fault and Event Trees

Single Project Append Options Dialog

Now use the combo-box in the toolbar to change the current fault tree page to
ELECA. You will see that the fault tree structure representing ELECA has been
appended to your project. The file electric.psa simply contains the fault trees for
the electrical system faults. FaultTree+ knows where to append these fault trees by
the gate names used. In electric.psa there is a gate named ELECA and a gate
named ELECB. These gates have other gates defined below them. In your
master1.psa project, these gates are defined as TRANSFER gates. FaultTree+
simply replaces the TRANSFER gates with the structure defined in electric.psa.

We will now append the fault tree representing the fire protection system to our
master1.psa project. Select the File, Append Project, Single Project option again
and then select the file protect.psa from the Examples directory. Select Apply and
Quit to complete the append. Now save the master1.psa project to file using the
File, Save Project pull-down menu option.

There is another way in which we could append data from another project.
FaultTree+ provides a library facility that allows you to connect a library or another
project for the purposes of extracting data. By selecting the File, Connect to Library
pull-down menu option you may open library (extension *.psl) or project (extension

30 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

*.psa) files. Then, after selecting the Library Tab above the tree control window,
you can drag and drop library objects, such as gates and events, onto the project
diagram in the right-hand window. You may also select an object in the library tree
control and select the Add to Project option from the right mouse button pop-up
menu (revealed by selecting clicking the right mouse button with the cursor
positioned over the tree control).

FaultTree+ applies certain rules if the names of objects in the appended or library
project conflict with the names of objects in the target project. These rules may be
modified by accessing the Library Tab in the Project Options Dialog. By default,
objects with matching names (such as gates and events) are renamed when they
are appended. If you modify these options so that objects are not renamed, the
program will retain the definition of the object in the target project.

Adding Failure and Repair Data

We have now completed the full fault tree structure definition for our tutorial project.
It is now time to enter some failure and repair data.

In fault tree studies, failure and repair data is assigned to the events which appear
at the roots of the fault tree. These events usually represent component or operator
failures. FaultTree+ allows the user to enter data for individual events or to set up
generic data models and parameters that might apply to a group of events with the
same failure and repair characteristics.

We will first create a generic model. We can do this either by selecting the Edit,
Generic Model Table pull-down menu option, or by using the project tree control to
the left of the diagram edit area. We will use the tree control method in this tutorial.
Ensure that the Project Tab is selected above the tree control window. Select the
Generic Data node of the tree control (using the left mouse button). Now press the
right mouse button with the cursor positioned in the tree control area. A pop-up
menu will appear.

FaultTree+ V11.2 31
Tutorial - Fault and Event Trees

Selecting the Add Button from the Tree Control Menu

Select the Add a Generic Model option from this menu. FaultTree+ will now display
the Add Generic Model Dialog.

Add Generic Model Dialog

32 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

This dialog allows the user to select the appropriate model type. Select the RATE
model type. The first model we will create will represent transformer failures that are
immediately revealed and repaired. Set the model name to TRANSF and the failure
rate and repair rate values according to the table below. Note that if the
unspecified, consistent option is set in the Calculation Tab of the Project Options
Dialog (the default setting), all failure and repair data must be entered in consistent
time units. For example, if failure rates are entered as failures per year (as in the
tutorial) then repair rates must also be entered as repairs per year and mean times
to repair (MTTRs) must be entered in years. Ignore the standard deviation values
these relate to confidence analysis. Set the model description to Transformer
failures immediately revealed. Select the OK Button to create the new generic
model.

Event(s) Model MTTR

HEX Rate 0.01 100

EV1 Rate 0.7 166.667
NRV1 Rate 0.05 1000
EP1 Rate 1.0 125
T1,T3 Rate 0.08 1000
C1,C3 Rate 0.1 1000
GRID Rate 1.0 1000
DGEN Dormant 1.0 0.005 0.1
T2,T4 Dormant 0.08 0.001 1
C2,C4 Dormant 0.1 0.001 1
EV2 Dormant 0.7 0.006 0.1
EP2 Dormant 1.0 0.008 0.1
V1,V2,V3 Dormant 0.8 0.0027 0.0833
CON Dormant 0.25 0.0055 0.0833
SD1,SD2 Dormant 1.0 0.0009 0.0833
NRV2 Dormant 0.05 0.001 0.1

Data Model Parameters for the Tutorial Project

= failure rate
= repair rate
MTTR = mean time to repair
= inspection interval
Now create another generic model representing dormant transformer failures using
the same process. This time set the model name to TRAN-DORM and choose a
model type of DORMANT and enter the data relevant to events T2 and T4.

FaultTree+ V11.2 33
Tutorial - Fault and Event Trees

So far, we have defined two generic models but we have not assigned them to any
events in the fault tree. This is the next stage of the process. Change the currently
displayed fault tree page to ELECA using the combo-box in the toolbar area. Ensure
the Generic Data node of the tree control is open (showing the two models we
have just created). If it is not open, click the left mouse button with the cursor
positioned over the + symbol to the left of the Generic Data node. We will now drag
and drop the generic model TRANSF onto event T1 in the diagram. Position the
cursor over the TRANSF symbol in the tree control. Press and hold down the left
mouse button. Move the cursor over the event T1 in the diagram and release the
left mouse button. In order to view the models assigned to events in the diagram,
select the Show Generic Data Names check box in the Project Options Dialog
(View Tab). The Project Options Dialog is accessed via the Tools, Options pull-
down menu option. You should now see the TRANSF generic model name appear
below the event T1 in the diagram. Now drag model TRAN-DORM and drop it onto
event T2 in the diagram, using the same process. Now change the displayed fault
tree page to ELECB and assign the TRANSF generic model to T3 and the TRAN-
DORM generic model to T4.

We have used drag and drop to assign generic models to events. An alternative
method would be to double-click the left mouse button over the event in the diagram
to reveal the Edit Event Dialog. There are a set of radio buttons and a combo-box
within this dialog that allows the user to assign a generic model. This dialog also
allows the user to assign failure and repair data directly. The benefit in using the
generic model method is that if you have many events with identical failure and
repair characteristics, you neednt re-enter the data for each event.

Repeat this process with all the other events in the project, using the data given in
the table above. If you wish to skip this task then you can open a project file in the
Examples directory that contains the full fault tree structure for the tutorial together
with all the associated failure and repair data. This file is named master2.psa.

Constructing an Event Tree

FaultTree+ provides facilities for constructing event trees as well as fault trees.
Many fault and event trees may be constructed in a single project and the results
from a fault tree may be fed through to an event tree.

An event tree is a graphical representation of the logic model that identifies and
quantifies the possible outcomes following an initiating event. Event trees provide
an inductive approach to reliability assessment as they are constructed using
forward logic. Fault trees use a deductive approach as they are constructed by
defining TOP events and then use backward logic to define causes. Event tree
analysis and fault tree analysis are, however, closely linked. Fault trees are often
used to quantify system events that are part of event tree sequences. The logical
processes employed to evaluate event tree sequences and quantify the
consequences are the same as those used in fault tree analyses.

34 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

Event trees are generally used in risk assessments to model the effectiveness of
protective systems in mitigating against consequences arising from a given initiating
event. To illustrate the use of event trees, let us consider the following initiating
events for the reactor system we have been considering in this tutorial:

Temperature Surge
Fire

Either of these initiating events might lead to fatalities in the plant if the cooling
system and fire protection systems (which we have constructed fault trees for) are
not functional. We will also consider the mitigating effects of secondary cooling and
fire protection systems in our event tree analysis. The secondary systems will be
represented by simple events (rather than fault trees). The event trees we will
construct are illustrated below.

Event Tree for Initiating Event Fire

FaultTree+ V11.2 35
Tutorial - Fault and Event Trees

Event Tree for Initiating Event Temperature Surge

Each event tree represents the likely consequences following the initiating event.
The Fire event tree indicates that if a fire occurs and both the primary and
secondary protection systems fail then there will be more than 8 fatalities. If a fire
occurs and the primary protection system is functional but the secondary system
fails then 1 fatality is likely.

To create a new event tree in our project first select the Event Tree Tab at the top
of the diagram edit area.

Event Tree Tab Selected

A blank diagram edit area should be displayed as we have not yet created any
event trees. You will notice that some of the toolbar buttons and pull-down menu
options have changed to reflect that we are now in event tree mode. Now select the
Add a New Event Tree Toolbar Button.

New Event Tree Toolbar Button

A dialog will appear requesting the user to enter the initial number of columns for
the event tree and specify whether it is a primary or secondary event tree. Enter 3

36 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

for the number of columns and select the Primary Event Tree option and then
select the OK Button.

New Event Tree Prompt

A new event tree will now appear in the diagram edit area. Note that a primary
event tree is a standard event tree that will have an initiating event assigned to the
first column. Secondary event trees must have their first column linked to the end
branches of other event trees. We will not be dealing with secondary event trees in
this tutorial. Now we need to define the initiating event in the Event Table. Select
the Edit, Event Table pull-down menu option. A list of all the events currently
defined in the project should appear. Choose the Add Button to create a new
event.

Adding the Fire Event to the Event Table

FaultTree+ V11.2 37
Tutorial - Fault and Event Trees

In the Add Event Dialog, enter the event name FIRE and enter the description Fire
starts. Then select the Data Model Edit Button and change the model type to ET
Initiator. Enter a frequency of 0.2. Exit the Edit Local Model Dialog and Add Event
Dialog by selecting the OK Buttons. Now select the Add Button in the Event
Table Dialog and create a new event FPROTECT2 using the same procedure. This
time, select a local model type of DORMANT and enter a failure rate of 0.5, a MTTR
of 0.01 and an inspection interval of 0.25. Give the event a description of
Secondary fire protection system unavailable. After creating these 2 new events,
remove the Event Table Dialog by selecting the Quit Button.
st
Now position the cursor over the 1 column header in the newly created event tree
diagram and double-click the left mouse button.

st
1 Column Header in an Event Tree Diagram

The Edit Column Dialog will now appear.

Edit Column Dialog

38 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

Set the Type List Box to EVENT. Set the event name to FIRE (this is one of the
new events just created in the Event Table). Set the column description to Fire.
Then exit this dialog using the OK Button.

Now double-click the left mouse button over the second column header. Set the
Type List Box to GATE. Set the event name to PROTECT (this is the fault tree
TOP event of the fire protection system). Set the column description to Primary Fire
Protection System. Then exit this dialog using the OK Button.

Now double-click the left mouse button over the third column header. Set the Type
List Box to EVENT. Set the event name to FPROTECT2 (this is one of the new
events just created in the Event Table). Set the column description to Secondary
Fire Protection. Then exit this dialog using the OK Button.

We must now define the consequences that might arise in the event of a fire. Open
the Consequences node in the project tree control to the left of the diagram edit
area. Select the Safety consequence category. Press the right mouse button in the
tree control area to reveal the pop-up menu. Select Add a Consequence from this
menu. The Add Consequence Dialog will appear.

Add Consequence Dialog

Enter the name F0 and the description No Fatalities. Enter a weight of 0 (the
default). Now select the OK Button. Repeat this procedure to define the other
consequences detailed in the table below.

Name Description Weight

F0 No fatalities 0
F1 1 fatality 1
F2-8 2 to 8 fatalities 5
F>8 Greater than 8 fatalities 20

Consequences for Tutorial Project

FaultTree+ V11.2 39
Tutorial - Fault and Event Trees

If the Safety node in the tree control is not already open, click on the + sign to
reveal the consequences you have just defined.

Tree Control Showing Consequences

Now we will drag and drop one of the consequences onto the event tree diagram.
Position the cursor over the F0 consequence symbol in the tree control. Press and
hold down the left mouse button. Move the cursor over the topmost end branch (the
branches on the right-hand side of the diagram are all end branches) and release
the left mouse button. The consequence description should now appear to the right
of the end branch. Repeat this process to assign the appropriate consequences to
each of the end branches in the event tree.

We have now constructed an event tree and assigned the appropriate events and
consequences.

If you wish, repeat this procedure to define the SURGE event tree (starting with the
selection of the Add a New Event Tree Toolbar Button). You may wish to skip this
stage and open a project file that has already been prepared and contains both
event trees. The name of this project file is master3.psa and it can be located in
the Examples directory.

Performing an Analysis

Before performing an analysis, users may select various options that will affect the
approximation methods used during the analysis. These options may be set by

40 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

selecting the Sets Generation Options Toolbar Button. Select this Toolbar Button
to view the current option settings.

Sets Generation Options Toolbar Button

Ensure that the following options are set before selecting the OK Button.

Order Cut-Off Off

Probability Cut-Off Off
Consequence Cut-Off Off
Success State Cut-Off Off
Approximation Methods Default
Dormant Failure Model Mean
Implicit House Events Off
Visible ET Consequences Only Off
Auto Sequence PRIORITY AND On
Perform CCF Analysis Off
Adjust Independent Q Off
Use Minimum Q in Group On
Sort Cut Sets By Unavailability
Maximum Sorted Sets 2000

Project Options Dialog (Sets Generation Tab)

FaultTree+ V11.2 41
Tutorial - Fault and Event Trees

To perform an analysis simple select the Start Analysis Toolbar Button.

Start Analysis Toolbar Button

On selection of this option, FaultTree+ will determine the minimal cut sets for the
project TOP events, calculate system parameters such as unavailability and
unreliability and provide importance rankings for the events in the fault trees. It will
also determine the minimal cut sets for any consequences associated with event
trees defined in the project. Consequence frequencies, importance rankings and
total risk will also be calculated.

Once an analysis has been completed (the progress of the analysis is indicated in
the message area at the bottom left of the FaultTree+ window), the user may view a
summary of the results by selecting the Results Summary Toolbar Button.

Results Summary Toolbar Button

Results Summary Dialog

42 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

The Results Summary Dialog allows the user to select any of the gates in the
project which have had their results retained. When TOP gates are created, they
automatically have their retain results flag set on and so, for the tutorial example,
you should see the names of the two TOP gates in the list at the top of the dialog.
Select either of these gates to view a summary of the results for the appropriate
gate. Select the Importance or Cut Sets radio buttons to view the importance
values or minimal cut sets, respectively. Note that the Consequence and Risk
radio buttons may be selected to view similar results associated with the event tree
consequences and overall risk.

Once you have reviewed the results from the analysis, select the Quit Button to
remove the dialog.

Analysis results may also be reviewed using graphs. To view a graph, select the
Graphs Toolbar Button.

Graphs Toolbar Button

The Graph Options Dialog will then be displayed. Try selecting various graph types
followed by selection of the Graph Button in the dialog.

Graph Options Dialog

FaultTree+ V11.2 43
Tutorial - Fault and Event Trees

This graphs facility provides a quick way of reviewing data before printing a report.
Note that the Report Generator (the facility used to print and preview reports)
provides an additional facility for producing standard and customised graphs.

Typical Graph Showing Fussell-Vesely Importance Values

Producing Reports

We may now preview and print data from our tutorial project using the Report
Generator. The Report Generator is a generic facility that also provides the
reporting functionality for other reliability applications. The Report Generator is a
very powerful and flexible tool that allows you to design customised text reports and
graphs, as well as selecting standard reports provided with the application.

When you select the File, Print Preview or File, Design Report pull-down menu
options, FaultTree+ will copy the current project data (including analysis results if
they are up-to-date) into an application database and start up the Report Generator.
When the Report Generator starts up, it will access the data contained in the
database. In this tutorial session, we will first preview and then print one of the
standard reports provided with FaultTree+. The Report Generator also provides
facilities for designing your own customised reports.

44 FaultTree+ V11.2
 Tutorial - Fault and Event Trees

Select the Print Preview option on the File pull-down menu. The Print/Export
Options Dialog will be displayed.

Print/Export Options Dialog

This dialog allows you to select a single gate, consequence and risk category for
which importance data and cut set information will be transferred to the Report
Generator Database. You will be able to select any gate for which results have been
retained and any consequence. It is necessary to filter importance and cut set data
in this way to ensure that the Report Generator Database is not excessively large.
Select gate COOLING, consequence F>8 and risk category Safety from the lists in
the dialog. Set the maximum number of printed/exported cut sets to 400. Then
select the OK Button.

FaultTree+ will now construct the database for the Report Generator and start up
the Report Generator program. The Report Explorer window will now be displayed
together with a list of standard reports.

Report Explorer Showing the Standard Reports List

FaultTree+ V11.2 45
Tutorial - Fault and Event Trees

Under Text Reports on the left-hand side, select Importance Rankings. You will
see the various reports available for this option on the right-hand side. Select the
Importance Rankings - Fault Tree Report and then select the Open Button. The
Report Generator will now display the selected report in preview mode.

Typical Report Generator Print Preview Screen

Now select the Print option from the Report Generator File menu. A standard
Windows Print Dialog will appear allowing you to print the report.

After printing this first report, try selecting some of the other standard report types
using the Report Generators File, Open pull-down menu options.

46 FaultTree+ V11.2
 Tutorial - Markov Analysis

5. Tutorial - Markov Analysis

Markov Analysis Methods

Markov analysis provides a means of analysing the reliability and availability of

systems whose components exhibit strong dependencies. Other systems analysis
methods (such as the Kinetic Tree Theory method employed in fault tree analyses)
generally assume component independence, which may lead to optimistic
predictions for the system availability and reliability parameters. Some typical
dependencies that can be handled using Markov models are:

Components in cold or warm standby

Common maintenance personnel
Common spares with a limited on-site stock

The major drawback of Markov methods is that Markov diagrams for large systems
are generally exceedingly large and complicated and difficult to construct. However,
Markov models may be used to analyse smaller systems with strong dependencies
requiring accurate evaluation. Other analysis techniques, such as fault tree
analysis, may be used to evaluate large systems using simpler probabilistic
calculation techniques. Large systems that exhibit strong component dependencies
in isolated and critical parts of the system may be analysed using a combination of
Markov analysis and simpler quantitative models.

The state transition diagram identifies all the discrete states of the system and the
possible transitions between those states. In a Markov process, the transition
frequencies between states depends only on the current state probability values
and the constant transition rates between states. In this way, the Markov model
does not need to know about the history of how the state probabilities have evolved
in time in order to calculate future state probabilities. Although a true Markovian
process would only consider constant transition rates, FaultTree+ does allow time-
varying transition rates to be defined. These time-varying rates must be defined with
respect to absolute time or phase time (the time elapsed since the beginning of the
current phase).

In order to illustrate the use of Markov methods, let us consider a very simple
Markov model. The Markov diagram below represents the failure and repair
behaviour of a single component.

FaultTree+ V11.2 47
Tutorial - Markov Analysis

The component has two states only: the working state (State 0) and the failed state
(State 1). It is a repairable component (with failures immediately revealed) and
therefore the component may move from the failed state to the working state as well
as moving from the working state to failed state. These possible transitions are
represented by the transition lines and arrows in the Markov diagram.

The Markov diagram represents the logical behaviour of a component or system

and should contain all possible states and transitions for the component or system
under given conditions.

The Markov diagram above may be translated into a set of linear differential
equations that represent the time-dependent behaviour of the state probabilities.
These equations are given below.

dP0 ( t )
= P0 ( t ) + P1 ( t )
dt
dP1 ( t )
= P0 ( t ) P1 ( t )
dt
where Pi ( t ) = probability of being in state i at time t
= component failure rate
= component repair rate

Integration of these equations, after applying the initial conditions

P0 ( 0 ) = 1
P1 ( 0 ) = 0
produces the well-known expression for the unavailability of a two-state repairable
component with immediately revealed failures:

P1 ( t ) = (1 e ( + ) t )
+

48 FaultTree+ V11.2
 Tutorial - Markov Analysis

As t becomes very large, the component unavailability approaches the steady state
solution of

P1 ( ) =
+
The Markov diagram below represents the failure and repair behaviour of a 2-pump
standby system. The diagram assumes that the pumps are identical and that there
is no possibility of a pump failing if it is in standby (cold standby).

Only one pump is required to be working at any time to provide full functionality. If
the operating pump should fail, the standby pump will be started and the failed
pump will be repaired. A dependency therefore exists between the two pumps.

Even for this small system of two components, it can be seen that the number of
states in the Markov model is rapidly increasing. The steady-state solution for the
unavailability of the two-component system is equal to the steady-state probability
for state 4:
2
P4 =
2 + 2 + 2 2
As the size of the Markov diagram increases, the task of evaluating the expressions
for time-dependent unavailability by hand becomes impractical. Computerised
numerical methods may be employed, however, to provide a fast solution to large
and complicated Markov systems. In addition, these numerical methods may be
extended to allow the modelling of phased behaviour and time-dependent transition
rates. FaultTree+ employs a Runge-Kutta 4th order numerical integration technique
to determine the time-dependent behaviour of state probabilities. The time step
employed during the integration may be specified by the user. FaultTree+ also

FaultTree+ V11.2 49
Tutorial - Markov Analysis

provides three different error indicators to allow the user to assess the accuracy of
the result.

Continuous Time and Discrete Transition Phases

FaultTree+ allows the user to split the system lifetime for Markov models into
discrete fixed-interval phases. Each phase may be represented by a set of
transitions unique to that particular phase. States may not vary between phases.
Phases may be specified as continuous time phases or discrete transition phases.
Continuous time phases have transitions that are quantified with transition rates.
Transition rates are generally failure and repair rates. Continuous time phases have
finite phase durations. Discrete phases do not have a phase duration associated
with them as they represent fixed probability transitions between states. They may
be used to represent fixed interval inspections and preventive maintenance actions.
The transitions in a discrete phase must be identified with fixed probabilities.

For continuous time phases, the user may specify transition rates that vary with
absolute system time or absolute phase time. The time-varying transition rates are
specified in the form of a Weibull distribution which is superimposed on the base
failure rate:
(t ) 1
(t ) = 0 +

where 0 = base failure rate
= Weibull characteristic lifetime
= Weibull shape parameter
= Weibull location parameter

Example Markov Diagram

The following two-phase Markov diagram will be constructed during the tutorial.

Markov Diagram for Dormant Phase

50 FaultTree+ V11.2
 Tutorial - Markov Analysis

Markov Diagram for Inspection Phase

Starting a New Markov Model

To start a new Markov model, first select the Markov Models Tab above the
drawing area.

Markov Models Tab Selected

After selecting this tab, you will notice that the pull-down menu options and toolbar
buttons have changed. Select the Start a New Markov Model Toolbar Button or
equivalent pull-down menu option.

Toolbar Button for Starting a New Markov Model

Make sure the View, Show Grid pull-down menu option is selected. The diagram
area should now be blank except for a background grid. This grid is used to align
states in the Markov diagram as they are placed on the screen.

In this tutorial we will create a Markov model and save it to a Markov model file (with
extension .mkv). Each Markov model is stored on a separate file. Markov models
may later be attached to a FaultTree+ project file.

Defining States

We will define three states for this simple example. The first state will represent the
component when it is working. The second state will represent the component in a

FaultTree+ V11.2 51
Tutorial - Markov Analysis

failed and dormant condition. The third state will represent the component when it is
failed but undergoing repair. These three states represent all the possible states of
the system and are mutually exclusive.

Define these three states by selecting the Add, State pull-down menu option or
equivalent toolbar button. As you move the cursor into the drawing area, the cursor
will change shape to indicate that you are in the Add State mode. Position the
cursor where you wish the states to appear and click the left mouse button. You will
see that the program draws each state in the diagram as they are created. Note that
the program will not allow you to create states where this results in overlapping
states.

Once you have added the three states to the diagram, you should now modify the
state attributes where appropriate. First exit the Add State mode by selecting the
Clear Add Mode pull-down menu option. Alternatively, click the right mouse button
or press the Esc key. Then double-click the left mouse button over the first state
you added. The Edit State Dialog should now appear allowing you to modify the
state parameters. For the first state, set the initial state probability to 1 (this is
actually the default for the first state you add), leave the Unavailability State flag off
and set the Long Description to Working. For the second state, set the initial state
probability to 0, set the Unavailability State flag on and set the Long Description to
Dormant Failure. For the third state, set the initial state probability to 0, set the
Unavailability State flag on and set the Long Description to Failed, Under Repair.
Unavailability states are shown with a small circle at their top-right corner and
represent states for which the system is considered to be unavailable.

If the long descriptions you have entered do not appear in the Markov diagram,
select the View, Show State Long Descriptions pull-down menu option.

Defining Parameters

Later in the tutorial we will be adding transitions to the Markov diagram. These
transitions will have transition rates (usually failure or repair rates) associated with
them. For a given Markov model, we will usually wish to vary one or more of the
rates. For this reason, FaultTree+ provides a facility which allows parameters to be
associated with transitions. These parameters may be associated with one or more
transitions in the diagram. In this tutorial we will define two parameters one
representing the failure rate of our component and the other the repair rate.

Select the Edit, Parameter Table pull-down menu option or equivalent toolbar
button. The Parameter Table Dialog displays all the currently defined parameters.
Add the first parameter to the table by selecting the Add Button. The Add
Parameter Dialog will now appear allowing you to enter long and short parameter
descriptions and other data. Enter the short description for the first parameter and
set the long description to Failure Rate. Now enter a constant base rate of 1. Now
select the OK Button. Now add a second parameter. This time enter a short

52 FaultTree+ V11.2
 Tutorial - Markov Analysis

description of , a long description of Repair Rate and set the constant base rate to
100. Select the OK Button to return once again to the Parameter Table Dialog.
You should now have two parameters listed in the dialog. Select the Quit Button to
remove the Parameter Table Dialog.

Defining Phases

Many Markov models do not require separate phases to be defined. However, the
dormant failure model we are considering in the tutorial requires the definition of two
phases. The first phase represents the time between inspections when failures will
remain dormant. The second phase represents the point in time at which an
inspection takes place. This second phase is a discrete phase characterised by
discrete transition probabilities.

Select the Edit, Phase Table pull-down menu option or equivalent toolbar button.
The Phase Table Dialog displays all the currently defined phases. Add the first
phase to the table by selecting the Add Button. The Add Phase Dialog will now
appear allowing you to enter a phase description and other data. Enter the
description Dormant for the first phase and select the Continuous Time phase
type radio button. Now enter a duration of 0.25. Now select the OK Button. Now
add a second phase. This time enter a phase description of Inspection, select a
phase type of Discrete Transition and specify the Number of Discrete Operations
to be 1. Select the OK Button to return once again to the Phase Table Dialog. You
should now have two phases listed in the dialog. Select the Quit Button to remove
the Phase Table Dialog.

The phase behaviour we have just defined indicates that dormant phases last for
0.25 years and are followed by an instantaneous inspection. If we later specify a
system lifetime of 1 year, this will imply there are four dormant periods with three
intermediate inspections every 0.25 years.

Defining Transitions

The combo control (which displays the current phase displayed in the diagram) in
the toolbar area above the Markov diagram should now display the description
Dormant. We will now add the legitimate transitions for this phase to the Markov
diagram.

Transitions may be added to the currently displayed phase by selecting the Add,
Transition pull-down menu option. Alternatively, select the F3 key or the equivalent
toolbar button. As you move the cursor into the drawing area, the cursor will change
shape to indicate that you are in the Add Transition mode. Transitions are added to
the diagram by first clicking the left mouse button with the cursor over the origin
state and then clicking the left mouse button with the cursor over the target state. A

FaultTree+ V11.2 53
Tutorial - Markov Analysis

message will appear at the bottom of the screen giving you the appropriate
instruction.

We will define two transitions for the Dormant phase. First, add a transition from
state 0 (origin state) to state 1 (target state). Then add a transition from state 2 to
state 0. We will now modify the attributes of the two states we have just added.

Double-click the left mouse button with the cursor positioned over the first transition
you added (state 0 to state 1). The Edit Transition Dialog should now appear.
Select the Assign rates Using a parameter check box. Select the Failure Rate
parameter. Leave the parameter multiplier set to 1. Selection of the OK Button will
result in the dialog being removed and the parameter being displayed in the
diagram (ensure that the View, Show Transition Parameters pull-down menu
option is selected). Now edit the attributes of the second transition in the same
manner. Associate the Repair Rate parameter with this transition.

We have now specified that in the Dormant phase the component has a failure rate
of 1 failure per year. Repairs can only be completed if the component is already
undergoing repair (this would be possible immediately after an inspection). If the
component fails during the Dormant phase, it will remain failed until an inspection
takes place and the repair is completed.

We must now define the possible transitions for the Inspection phase. Change
phases by selecting the Inspection phase from the combo control in the toolbar
area. You will see that the previously entered transitions (which were only
applicable to the Dormant phase) have been removed from the diagram. We will
define a single discrete transition for the Inspection phase. Select the Add,
Transition pull-down menu option in order to add a transition from state 1 to state 2.
Clear the add mode (with the right mouse button) and then double-click the left
mouse button with the cursor positioned over the single transition in the diagram.
The Edit Transition Dialog will be revealed. Enter a discrete probability of 1. Now
select the OK Button. We have now indicated that at the point of inspection a
repair will commence if the component was in the dormant failure state.

We have now defined the Markov diagram and can now proceed to perform an
analysis.

Performing a Markov Analysis

Before asking the program to analyse the Markov diagram using numerical
integration, we may wish to modify some of the default calculation options. This may
be achieved by selecting the Analysis, Options pull-down menu option or
equivalent toolbar button. Select this option to reveal the Analysis Options Dialog.
This dialog allows the user to specify the time step, accuracy indicators and the
number of time intervals at which data is to be retained for reports and graphs. The
system lifetime is set to the same lifetime as the fault and event tree analyses, if the

54 FaultTree+ V11.2
 Tutorial - Markov Analysis

Use FaultTree+ Project Lifetime flag is set on. Set the number of time intervals to
80. Leave the other parameters set to their default values. Now select the OK
Button to accept any changes and remove the dialog.

Analysis Options Dialog

We will now perform a Markov analysis by selecting the Analysis, Start pull-down
menu option or equivalent toolbar option. The progress of the analysis is indicated
at the bottom of the screen in the message strip.

Once the analysis is completed, the program displays a dialog showing the
summary results. This dialog shows lifetime data, mean values and error factors.
Remove this dialog by selecting the OK Button.

We may also view a variety of time-dependent plots. Select the Results, Graphs
pull-down menu option or equivalent toolbar button. A Graphs Dialog will be
displayed allowing you to select a particular graph type. Select the Unavailability
type followed by selection of the OK Button. A graph will now be displayed showing
the variation of unavailability values with time. Notice the periodic behaviour of the
unavailability plot reflecting the periodic phased behaviour of the model. You may
obtain a hardcopy of the plot by selecting the Mono Print or Colour Print Button.
Remove the graph by selecting the Quit Button. Remove the Graphs Dialog by
selecting the Cancel Button.

FaultTree+ V11.2 55
Tutorial - Markov Analysis

Unavailability Plot Showing Periodic Behaviour

Saving the Current Markov Model to File

A permanent record of a newly constructed or modified Markov diagram may be

stored in a Markov model file by selecting the Save Markov Model or Save Markov
Model As options on the File pull-down menu. The Save Markov Model option
will save the diagram and any analysis results to the Markov model file name
displayed in the window header. The previous contents of this file will be
overwritten. The Save Markov Model As option allows you to specifically name the
project file. If you are constructing a new Markov diagram then the Save Markov
Model option will also require you to name the Markov model file. Select the Save
Markov Model option and type in a new Markov model file name. Your data may
be recovered later by selecting the Open Markov Model option on the File pull-
down menu.

Attaching Markov Models to a FaultTree+ Project

FaultTree+ may be used to analyse Markov models individually. However, one of

the powerful features of FaultTree+ is that one or more Markov models may be
assigned to events in a fault or event tree. Once a Markov model has been created

56 FaultTree+ V11.2
 Tutorial - Markov Analysis

and saved to a Markov model file, we can move back to either the fault tree or event
tree modes and attach that Markov model to a FaultTree+ project.

We will now attach the Markov model created in this tutorial to the FaultTree+
project. Select the Markov Models node in the project tree control. Then press the
right mouse button with the cursor inside the tree control area. Select Add a Markov
Model from the pop-up menu that appears.

Selecting Add a Markov Model

FaultTree+ V11.2 57
Tutorial - Markov Analysis

The Markov Model Definition Dialog will be revealed. Set the Markov Model File to
the name of the file you have just created, using the Browse Button. The Markov
model we created produces a periodically varying unavailability. When we later
attach this Markov model to events in a fault tree or event tree, we will want to use
the mean values of unavailability and failure frequency. Select the Use Mean Q and
w radio button. Then select the OK Button.

Markov Model Definition Dialog

The newly created Markov model should now be attached to the project tree control.

You may now associate this Markov model with any events in the fault or event tree
diagrams. This is achieved via the Edit Event Dialog. In this dialog, you will be able
to set the Use Markov Model radio button and select the appropriate Markov model
from the list box in the dialog.

58 FaultTree+ V11.2
 Project Management

6. Project Management

Database Tables

FaultTree+ uses project databases to store fault and event tree data. A single
project may contain many fault and event trees and the associated data.
FaultTree+ works with a single project at any time, although data from separate
projects may be appended. Projects may also be connected as a temporary library,
allowing data to be transferred easily from one project to another. This is particularly
useful when a number of different users are responsible for developing different
parts of a project. The project database is stored on a single project file. The
default extension for a project file is .psa.

Each project database consists of a number of separate tables. These tables

contain the data associated with the project and each record (or item) in a table is
identified with a unique name (maximum 32 characters) for that table. These tables
are:

Event Table
Generic Model Table
Generic Parameter Table
Gate Table
CCF Table
Labels Table
Notes Table
Hyperlinks Table
Event Tree Table
Consequence Table
Bitmap Table
Markov Model Table
Event Group Table
Generic Model Group Table

You may consider the event table as being a list of all the events in a project
together with their individual attributes; the event tree table as being a list of all
event tree initiators with their attributes, and so on.

Event Table

Events appear in both fault and event trees and may represent component
unavailability values, human errors, initiating events etc. An event has the following
attributes:

FaultTree+ V11.2 59
Project Management

Name

The event name is a unique identifier of up to 32 characters.

Extend Name Box

Setting the Extend Name Box flag on will increase the width of the event name
label in the fault tree diagram. This feature is useful if you are using long event
names (say more than 20 characters in length).

Data Model

The data model defines the quantitative failure and repair parameters associated
with the event. You may select either a generic model (defined in the generic model
table), a Markov model (specified in the Markov model table), or specify the model
parameters locally.

Event Symbol

Symbol types are Basic, Undeveloped, Conditional, House and Dormant. Normally,
the event symbol type need only be specified for events appearing in fault trees
(and not for events that only appear in event trees). The exception to this is the
House event whose logic mode affects calculations performed by the program.
When selecting the House event type, you must set the Logic Mode attribute to
True or False.

Logic Mode

Valid logic mode types are Basic, True and False. The logic mode determines
how the event will be logically treated during an analysis. If the logic mode is set to
Basic then the event will appear in the minimal cut set listings as a basic event. If
the logic mode is set to True or False, the event will be treated as the appropriate
house event during analysis. Note that the Basic mode may not be selected if the
event symbol is type House.

CCF Model

Each event may optionally be associated with a CCF model contained in the CCF
table. If a CCF model is associated with the event, the program will automatically
add the appropriate number of additional CCF events during analysis (so long as
the Perform CCF Analysis flag is set on in the Sets Generation Tab of the Project
Options Dialog).

60 FaultTree+ V11.2
 Project Management

Font Index

The font index attribute indicates which font should be used for the event
description when they appear in fault tree diagrams.

Sequencing

In certain circumstances, the order in which events occur determines whether a

hazard will occur. Setting sequence flags for events indicates to FaultTree+ which
sequences can or cannot lead to a hazard and hence enables the program to adjust
the calculated probability values for the system accordingly. By default, the
sequence flag is set off for each event unless it appears below a PRIORITY AND
gate and the Auto Sequence PRIORITY AND flag is set on in the Project Options
Dialog (Sets Generation Tab).

Individual events may be assigned a position of first, second, third, fourth, fifth or
last in a sequence. The position indicates the allowable position for the event in a
time sequence. The program will adjust the calculated unavailability and frequency
values for cut sets containing events with a sequence assignment. The sequence
restrictions will be calculated based on the number of events in a minimal cut set
sequence. Modular gates in a fault tree will affect the results of sequence
calculations in some circumstances. Users may wish to set the Always Modularise
flag on for a gate to affect sequence calculations. For example, consider the fault
tree illustrated below. Events A, B and C must occur in sequence (A first, B second
and C third) for the event represented by GATE1 to occur. If GATE1 is modularised
in the analysis (users may force a gate to be modularised using the Always
Modularise flag in the Edit Gate Dialog) then the TOP gate will be represented by
a single cut set GATE1*.D (GATE1* is the super event for GATE1). As the super
event GATE1* and D1 are not sequence-dependent this implies that the following
sequences are allowable:

A->B->C->D
D->A->B->C

If GATE1 was not modularised during the analysis, we would obtain the cut set
A.B.C.D for the TOP gate. As the events A, B and C must occur in positions 1, 2
and 3, respectively in a cut set, only one sequence is permitted:

A.B.C.D

The two cases will lead to different results for the predicted unavailability of the TOP
gate.

FaultTree+ V11.2 61
Project Management

TOP

GATE1 D

Q=0.1

1 2 3

A B C

Q=0.1 Q=0.1 Q=0.1

The sequence status of an event may also be set to Initiator Only or Enabler Only.
These flags should only be set if the fault tree is being used to generate failure
frequency values and the concept of unavailability for the TOP event has no
meaning (e.g. a hazardous event such as FIRE). An initiator only event is an
event that can only contribute to the hazard if it occurs last in the sequence. An
enabler only event is one that can only contribute to the hazard if it occurs
anywhere but last in the sequence. During an analysis, FaultTree+ will assign
initiator and/or enabler status to each gate in the tree, based on the initiator enabler
status of input events.

Event Groups

You may, if you wish, associate an event with up to 16 event groups. This facility is
particularly useful if you have a large number of events defined in your project as it
allows you to quickly locate a particular event in the project tree control. You might
also wish to group events that represent dormant failures. The inspection intervals
of a group of events (with the local data model assigned) may be modified in one go
by selecting the Modify Inspection Intervals option on the project tree control pop-
up menu. You might also wish to group events that represent components
associated with the Time at Risk failure model. The time at risk of a group of
events (with the local data model assigned) may be modified in one go by selecting
the Modify Time at Risk option on the project tree control pop-up menu.

62 FaultTree+ V11.2
 Project Management

Event groups may also be used to identify a group of disjoint events. Disjoint
(exclusive) events are events that cannot occur at the same time. Examples of
disjoint events are valve failed open and valve failed closed (exclusive failure
modes for the same component), or night and day. Disjoint events should be used
as an alternative to adding NOT gates into a fault tree as the cut set calculations will
be more efficient.

Event group importance rankings are produced for any event groups defined in the
project.

Background Colour

You may set a colour for the event symbol in the fault tree diagram by selecting the
background colour Button (represented by <<). The selected colour will override
the default colour for the event type set in the Project Options Dialog (Colours
Tab). Individual event and gate background colours may be reset to default by
selecting the Tools, Clear All Local Gate and Event Background Colours pull-down
menu option.

Description

The event description will appear in the description rectangle above the appropriate
symbol in fault tree diagrams. Up to 120 characters are permitted.

Hyperlink

Selecting the Hyperlink Button will reveal the Hyperlink Dialog. If a hyperlink is
associated with an event then the hyperlink will be revealed on the screen when the
mouse cursor is moved over the event in a fault or event tree diagram (if the
appropriate View, Reveal Notes and Hyperlinks pull-down menu option is
selected). The hyperlink may then be activated from the fault or event tree diagram.

Notes

Eight categories of notes, of up to 255 characters may be assigned to an event.

Notes will appear in reports and on the screen when the mouse cursor is moved
over the event in a fault tree diagram (if the appropriate View, Reveal Notes and
Hyperlinks pull-down menu option is selected).

Dependencies

Selection of the Dependencies Button will reveal a list of dependent gates. The
user may then select and display a dependent gate from the list.

FaultTree+ V11.2 63
Project Management

Generic Model Table

The generic model table defines failure/repair models that may be associated with
one or more event in the event table. A generic model has the following attributes:

Name

The generic model name is a unique identifier of up to 32 characters.

Type

Valid model types are: Fixed, Rate, MTTF, Dormant, Sequential, ET Initiator,
Standby, Time at Risk, Binomial, Poisson, Rate/MTTR, Weibull, Fixed-Phased and
Rate-Phased model. Each model type requires a set of parameters to allow the
program to determine the associated model unavailability and failure frequency.

Generic Data Group

You may, if you wish, associate a generic model with a single generic data group.
This facility is particularly useful if you have a large number of generic models and
parameters defined in your project as it allows you to quickly locate a particular
generic model in the project tree control. You may also wish to group generic
models that represent dormant failures or time at risk models. The inspection
interval or time at risk of a group of generic models may be modified in one go by
selecting the Modify Inspection Interval or Modify Time at Risk options on the
project tree control pop-up menu.

Model Parameters

The model parameters required are dependent on the model type chosen. Model
parameters include failure and repair parameters, as well as uncertainty values.

Description

A description of up to 120 characters may be entered for the model.

Hyperlink

Selecting the Hyperlink Button will reveal the Hyperlink Dialog. If a hyperlink is
associated with a model then the hyperlink may be activated from within the dialog.
Hyperlinks may only be added to an existing model (the Hyperlink Button will not
appear in the dialog when adding the generic model for the first time).

64 FaultTree+ V11.2
 Project Management

Notes

Eight categories of notes, of up to 255 characters, may be assigned to a generic

model. Notes will appear in reports. Notes may only be added to an existing model
(the Notes Button will not appear in the dialog when adding the generic model for
the first time).

Generic Parameter Table

The generic parameter table defines failure and repair parameters that may be
associated with one or more event in the event table. A generic parameter has the
following attributes:

Name

The generic parameter name is a unique identifier of up to 32 characters.

Type

Valid parameter types: are Failure Rate, Inspection Interval, Time at Risk,
Unavailability, Frequency, Repair Rate, MTTF, MTTR, Standby Failure Rate and
Characteristic Lifetime.

Generic Data Group

You may, if you wish, associate a generic parameter with a single generic data
group. This facility is particularly useful if you have a large number of generic
models and parameters defined in your project as it allows you to quickly locate a
particular generic parameter in the project tree control.

Parameter

The parameter value. Uncertainty data may also be specified for many parameter
types.

Description

A description of up to 120 characters may be entered for the parameter.

Hyperlink

Selecting the Hyperlink Button will reveal the Hyperlink Dialog. If a hyperlink is
associated with a parameter then the hyperlink may be activated from within the
dialog. Hyperlinks may only be added to an existing parameter (the Hyperlink
Button will not appear in the dialog when adding the generic parameter for the first
time).

FaultTree+ V11.2 65
Project Management

Notes

Eight categories of notes, of up to 255 characters, may be assigned to a generic

parameter. Notes will appear in reports. Notes may only be added to an existing
parameter (the Notes Button will not appear in the dialog when adding the generic
parameter for the first time).

Gate Table

The gate table effectively defines the structure of the fault trees in a project. Each
record in the gate table contains information about the connectivity to other gates
and events as well as specifying the gate type and other attributes. A gate has the
following attributes:

Name

The gate name is a unique identifier of up to 32 characters.

Extend Name Box

Setting the Extend Name Box flag on will increase the width of the gate name label
in the fault tree diagram. This feature is useful if you are using long gate names (say
more than 20 characters in length).

Gate Type

Valid gate types are: OR, AND, VOTE, NOT, XOR, INHIBIT, PRIORITY,
TRANSFER and NULL. The gate type defines the appearance of the gate symbol
when drawn in the fault tree. In addition, the gate type determines how the inputs to
the gate are logically connected for the minimal cut set analysis process.

Vote Number

A vote number need only be specified for VOTE gate types. The vote number
indicates how many of the gate inputs need to occur to cause the gate failure to
occur. For example, if the gate had four inputs and a vote number of three was
specified, this would indicate that at least three of the gate's four inputs would have
to occur to cause the gate failure to occur.

Tag

The tag indicator determines whether a transfer tag is attached to the gate symbol
in the diagram. In Auto mode, a tag is drawn if the gate is at the top of a page and
feeds into another gate. If the tag indicator is set to on then a tag is drawn
irrespective of the position of the gate. If the tag indicator is set to off, a tag is not
attached to the gate. The tag indicator only affects the appearance of the gate

66 FaultTree+ V11.2
 Project Management

symbol and does not affect the fault tree structure in any other way. Note that users
may set a flag in the Project Options Dialog (General Tab) to prevent a tag being
displayed when the gate is a TRANSFER gate.

Users may request the program to display a special tag symbol if the gate is
repeated on the same page. This special symbol (a triangle with a bar drawn below
it) will only be visible in screen displays and not in printed reports (they are not
necessary in printed reports as the page reference indicates that the gate is
repeated on the same page). The special symbol will be displayed if the Show
Repeat Bars option is selected in the Project Options Dialog (View Tab). The
program will also draw a bar below transfer symbols associated with the repeated
events on the same page.

Special Tag with Repeat Bar

Font Index

The font index attribute indicates which font should be used for the gate description
in fault tree diagrams.

Always Modularise

This flag affects the processing of minimal cut sets during an analysis. During the
analysis procedure, FaultTree+ automatically modularises gates that represent
independent sub-trees and replaces these gates by super events in the minimal cut
sets. This speeds up the analysis process significantly. At the end of an analysis,
FaultTree+ will expand these super-events if the Disable Automatic Modularisation
flag is set on (in the Project Options Dialog, Sets Generation Options Tab, Custom
Options). However, a user may force an individual gate to be modularised by setting
the Always Modularise flag on. Users should only set this flag on for independent
gates or gates with weak dependencies.

Retain Results

The Retain Results flag indicates whether the minimal cut sets and quantitative
results parameters should be retained for a gate during analysis. Retained results
may be reviewed from within the program or printed to a report.

Include in Partial Analysis

Setting this flag will result in the gate being included in partial analysis runs. A
partial analysis is initiated by selecting the Analysis, Perform Partial Analysis pull-
down menu option. Gates and event tree sequences that are not included in a
partial analysis run will be labelled <Not calculated>, where appropriate.

FaultTree+ V11.2 67
Project Management

All the partial analysis flags in a project may be removed by selecting the Clear
Partial Analysis Flags option on the Analysis pull-down menu.

Page

The Page flag indicates whether the gate should be drawn at the top of a fault tree
page. Page flags are used to split up large fault trees into manageable units.

Description

The gate description will appear in the description rectangle above the appropriate
symbol in the fault tree diagram. A maximum of 120 characters is permitted for the
description.

Gate and Event Inputs

The gate and event input names identify the immediate causes of the output event
associated with the gate. Gate and event inputs are automatically drawn in the fault
tree diagram once the OK Button has been selected.

Background Colour

You may set a colour for the gate symbol in the fault tree diagram by selecting the
background colour Button (identified by the symbol <<). The selected colour will
override the default colour for the gate type set in the Project Options Dialog
(Colours Tab). Individual event and gate background colours may be reset to
default by selecting the Tools, Clear All Local Gate and Event Background Colours
pull-down menu option.

Hyperlink

Selecting the Hyperlink Button will reveal the Hyperlink Dialog. If a hyperlink is
associated with a gate then the hyperlink will be revealed on the screen when the
mouse cursor is moved over the gate in a fault or event tree diagram (if the
appropriate View, Reveal Notes and Hyperlinks pull-down menu option is
selected). The hyperlink may then be activated from the fault or event tree diagram.

Notes

Eight categories of notes, of up to 255 characters, may be assigned to a gate.

Notes will appear in reports and on the screen when the mouse cursor is moved
over the gate in a fault tree diagram (if the appropriate View, Reveal Notes and
Hyperlinks pull-down menu option is selected).

68 FaultTree+ V11.2
 Project Management

Dependencies

Selection of the Dependencies Button will reveal a list of dependent gates. The
user may then select and display a dependent gate from the list.

CCF Table

The CCF table defines common cause failure models which may be associated with
groups of events in the event table. A CCF model has the following attributes:

Name

The CCF name is a unique identifier of up to 32 characters.

Model Type

Valid model types are: Beta, MGL, Alpha and Beta BFR. Each model type requires
a different set of parameters to allow the program to determine the associated
model behaviour.

Model Parameters

The model parameters required are dependent on the model type chosen. All
models except the Beta model type require three or four parameters to be entered.
The Beta model requires only the beta factor to be entered.

Set CCF Model using IEC 61508-6

If this check box is selected the program will automatically determine the beta factor
for the simple Beta Factor model. The beta factor determination will be based on
settings accessed by selecting the IEC 61508-6 Settings Button.

Description

Descriptive text for the CCF model. A maximum of 120 characters is permitted for
the description.

Labels Table

The labels table contains all labels associated with a given project. A label has the
following attributes:

FaultTree+ V11.2 69
Project Management

Name

The label name is a unique name of up to 32 characters. This name is always set
automatically by the program.

Text

The label text appears in fault or event tree diagrams (max. 255 characters).

Font

The font attribute indicates which font should be used for the label text in the fault or
event tree diagram.

Border Flag

The Border flag attribute indicates whether the label should be drawn with a
border.

Horizontal Alignment

The horizontal alignment setting indicates whether text should be left-, right- or
centre-justified in the surrounding text box.

Bitmap Flag

If this flag is set on then this indicates that the label text is to be replaced by a
bitmap image.

Bitmap Name

The name of the bitmap to be used if the bitmap flag is set on.

Notes Table

The notes table contains all the notes associated with a given project. A note has
the following attributes:

Name

The note name is a unique name of up to 32 characters. This name is always set
automatically by the program.

70 FaultTree+ V11.2
 Project Management

Category

There are 8 different note categories for events, gates and generic data. These
categories may be set by the user via the Tools, Customise Notes pull-down menu
options.

Text

The note text appears in fault or event tree diagrams (max. 255 characters).

Hyperlinks Table

The hyperlinks table contains all the hyperlinks associated with a given project. A
hyperlink has the following attributes:

Name

The hyperlink name is a unique name of up to 32 characters. This name is always

set automatically by the program.

File or Web Page Name

The file or web page name defining the hyperlink (max. 255 characters).

Event Tree Table

The event tree table contains all the currently defined event tree initiators. Event
tree initiators are the branches that start off each event tree in a project. An event
tree initiator has the following attributes:

Branch Name

The initiator branch name is a unique name of up to 32 characters.

Type

The initiator type must be set to 'failure' or 'secondary event tree'. If the 'secondary
event tree' option is selected, the initiator branch receives cut sets from the end
branches of other event trees in the project.

Include in Partial Analysis

Setting this flag will result in the event tree being included in partial analysis runs. A
partial analysis is initiated by selecting the Analysis, Perform Partial Analysis pull-

FaultTree+ V11.2 71
Project Management

down menu option. Gates and event tree sequences that are not included in a
partial analysis run will be labelled <Not calculated>, where appropriate.

All the partial analysis flags in a project may be removed by selecting the Clear
Partial Analysis Flags option on the Analysis pull-down menu.

Font Index

The font index attribute indicates which font should be used for the initiator branch
description in the event tree diagram.

Description

The initiator description will appear above the initiator branch in event tree
diagrams. The description may contain up to 120 characters.

Consequence Table

The consequence table defines event tree consequences that are associated with
terminal branches. A consequence has the following attributes:

Category

Each consequence must be associated with one of the ten consequence categories
permitted in FaultTree+. Default consequence categories are: Safety, Financial,
Environmental and Operational (1 to 7). The consequence category is determined
by selecting the Consequence Category in the Consequence Table Dialog before
adding a new consequence. Alternatively, if you are adding a consequence using
the project tree control, the consequence category will be determined by which
category node is currently selected. After you have defined a consequence, you will
be able to assign it to one or more end branches in an event tree. You will also be
able to assign more than one consequence to the same end branch, so long as the
consequences belong to different categories.

Name

The consequence name is a unique identifier of up to 32 characters.

Weight

The weight value indicates the importance weighting or severity of the consequence
and may be greater than or equal to zero.

72 FaultTree+ V11.2
 Project Management

Include in Partial Analysis

Setting this flag will result in the event tree sequences leading to the consequence
being included in partial analysis runs. A partial analysis is initiated by selecting the
Analysis, Perform Partial Analysis pull-down menu option. Gates and event tree
sequences that are not included in a partial analysis run will be labelled <Not
calculated>, where appropriate.

All the partial analysis flags in a project may be removed by selecting the Clear
Partial Analysis Flags option on the Analysis pull-down menu.

Description

Descriptive text for the consequence. The consequence description will appear
alongside terminal branches in the event tree diagram. A maximum of 120
characters may be entered for the description.

Font Index

The font index attribute indicates which font should be used for the consequence
description in event tree diagrams.

Bitmap Table

The bitmap table defines the bitmap images which may be attached to labels in the
fault and event tree diagrams. A bitmap has the following attributes:

Name

The bitmap name is a unique identifier of up to 32 characters.

Description

Descriptive text for the bitmap. Up to 120 characters may be entered for the
description.

Bitmap File

The name of the bitmap file containing the bitmap image.

Markov Model Table

The Markov model table defines the Markov models which are attached to the
current FaultTree+ project. Each Markov model may be assigned to one or more

FaultTree+ V11.2 73
Project Management

events in the project fault or event trees. A Markov model has the following
attributes:

Name

The Markov model name is a unique identifier of up to 32 characters.

Description

Descriptive text for the Markov model. Up to 120 characters may be entered for the
description.

File

The full file name (including directory path) of the Markov model file. Markov model
files may be created or modified using the Markov Models facilities of FaultTree+
(accessed by selecting the Markov Models Tab above the diagram edit area). A
Markov model file is a separate file from the FaultTree+ project file and contains the
full description of the Markov diagram and its associated parameters.

Probability Interpretation

The probability interpretation setting indicates how the results of the Markov model
analysis are to be processed before transfer to the appropriate events in the project
fault or event trees. There are two options:

Use Mean Q and w

Use Point Q and w

If the Use Point Q and w option is selected, FaultTree+ will interpolate the
calculated time-dependent Markov analysis unavailability and frequency values to
the project lifetime for any events associated with the Markov model.

If the Use Mean Q and w option is selected, FaultTree+ will transfer the mean
values of unavailability and frequency values calculated by the Markov analysis
process to any events associated with the Markov model. The mean values are
calculated over the lifetime specified for the individual Markov model.

Event Group Table

The event group table defines the event groups in the current FaultTree+ project.
An event may be associated with up to 16 different event groups via the Edit Event
Dialog. Alternatively, you may drag and drop an event into an existing event group,
using the project tree control.

74 FaultTree+ V11.2
 Project Management

As an example of how event groups might be used, consider an event ELECTRIC

PUMP FAILURE that may be associated with a system PRIMARY COOLING, as
well being assigned to a component class PUMPS. Event groups PRIMARY
COOLING and PUMPS may be defined and the event ELECTRIC PUMP
FAILURE assigned to both groups. One of the advantages of associating multiple
event groups with a single event is that finding an event in the tree control becomes
easier. Events may be located by more than one event group. Multiple event groups
also allow the user to take advantage of the disjoint event analysis function and the
group importance ranking facility.

Defining event groups is particularly useful if you have a large number of events
defined in your project as it allows you to quickly locate a particular event in the
project tree control. You may also wish to group events that represent dormant
failures. The inspection intervals of a group of events (with the local data model
assigned) may then be modified in one go by selecting the Modify Inspection
Interval option on the project tree control pop-up menu. You may also wish to group
events that are associated with time at risk failure models. The time at risk of a
group of events (with the local data model assigned) may then be modified in one
go by selecting the Modify Time at Risk option on the project tree control pop-up
menu.

An event group has the following attributes:

Event Group Name

The event group name is a unique identifier of up to 32 characters.

Event Group Category

The category assignment for the event group. Assigning different categories to
event groups such as location and type helps to filter event group importance
rankings in reports. Users may change the names of the 10 event group categories
by selecting the Tools, Customise Event Group Categories pull-down menu option.

Disjoint Event Group

A disjoint event group defines a set of disjoint events. Disjoint (exclusive) events
are events that cannot occur at the same time. Examples of disjoint events are
valve failed open and valve failed closed (exclusive failure modes for the same
component), or night and day. Disjoint events should be used as an alternative to
adding NOT gates into a fault tree as the cut set calculations will be more efficient.
During an analysis, the program will remove any cut sets that contain two or more
events in the same disjoint event group.

FaultTree+ V11.2 75
Project Management

Description

Descriptive text for the event group. Up to 120 characters may be entered for the
description.

Generic Model Group Table

The generic model group table defines the generic model groups in the current
FaultTree+ project. A generic model may be associated with a given generic model
group via the Edit Generic Model Dialog. Alternatively, you may drag and drop a
generic model into an existing generic model group, using the project tree control.

Defining event groups is particularly useful if you have a large number of events
defined in your project as it allows you to quickly locate a particular event in the
project tree control. You may also wish to group events that represent dormant
failures. The inspection intervals of a group of events (with the local data model
assigned) may then be modified in one go by selecting the Modify Inspection
Interval option on the project tree control pop-up menu.

A generic model group has the following attributes:

Name

The generic model group name is a unique identifier of up to 32 characters.

Description

Descriptive text for the generic model group. Up to 120 characters may be entered
for the description.

Generic Data Group Table

The generic data group table defines the generic model and parameter groups in
the current FaultTree+ project. A generic model or generic parameter may be
associated with a single generic data group via the Edit Generic Model or Edit
Generic Parameter Dialogs. Alternatively, you may drag and drop a generic model
or parameter into an existing generic data group, using the project tree control.

Defining generic data groups is particularly useful if you have a large number of
generic models and parameters defined in your project as it allows you to quickly
locate a particular generic model or parameter in the project tree control. You may
also wish to group generic models that represent dormant failures. The inspection
intervals of a group of generic models may then be modified in one go by selecting
the Modify Inspection Interval option on the project tree control pop-up menu. You
may also wish to group time at risk generic models. The time at risk of a group of

76 FaultTree+ V11.2
 Project Management

generic models may then be modified in one go by selecting the Modify Time at
Risk option on the project tree control pop-up menu.

A generic data group has the following attributes:

Data Group Name

The generic data group name is a unique identifier of up to 32 characters.

Description

Descriptive text for the generic data group. Up to 120 characters may be entered for
the description.

Editing Tables

Project tables may be edited by selecting the appropriate table option in the Edit
pull-down menu, or by editing a selected item in the fault or event tree diagram
displayed in the diagram edit area. The latter method is merely a short-cut to
editing the attributes of events, gates, event trees and labels. Alternatively, the
project tree control on the left-hand side of the diagram edit area may be used. This
section describes how the Edit pull-down menu may be used to construct and
modify tables.

Gate Table Dialog

FaultTree+ V11.2 77
Project Management

On selecting any of the table options in the Edit pull-down menu, the Table Edit
Dialog will be displayed. The appearance and functionality of the dialog is similar
for all table types. The dialog contains a list of all the currently defined table
records. Each line of the list represents a single record and contains the name of
the item (an item may be an event, gate, CCF model, etc.) usually followed by its
type and description. Consequences have their weights displayed rather than a type
and events have their logic mode displayed. Bitmaps and Markov models have their
file name displayed rather than a type. For labels, notes and hyperlinks the
description constitutes the actual text displayed in the fault or event tree diagram.

Records in the list may be selected by positioning the cursor over the item name
and clicking the left mouse button. Some of the dialog buttons (e.g. Edit) perform
functions on the currently selected record. Double-clicking on a record will reveal
the attributes associated with the selected item. Selecting the Edit Button will have
the same effect.

All table dialogs contain an Add Button except for the labels, notes and hyperlinks
table. This button enables records to be added to the table. The attributes of a new
record are entered via a dialog that appears after the Add Button is selected.

Add Consequence Dialog

All table dialogs contain a Delete Button. Deletion of an item may be prohibited by
the program if deletion dependency checks are enabled. An example of a
dependency is when an event is an input to a gate. The gate is said to be
dependent on the event. Deletion dependency checking may be disabled in the
Project Options Dialog (General Tab).

All table dialogs contain a Filter Button. The filter facility is provided to allow items
in the dialog list to be selectively displayed. This is an important facility when
handling large projects. On selection of the Filter Button a dialog will be displayed
allowing the user to enter a string of filter text and then select the Direct Filter or
Dependency Filter options. The direct filter function will search all item names and
descriptions for text matching the filter text string. If a match is found, the item

78 FaultTree+ V11.2
 Project Management

record will remain in the table dialog list otherwise it will be removed. The
dependency filter option will retain all items which are dependent on other table
items containing the specified text string. For example, if the Event Table Dialog
was currently displayed and a dependency filter was performed using the filter text
VIBRATION, any event associated with CCF models with the string VIBRATION
contained in their names or descriptions would be retained in the list.

Filter Dialog

All table dialogs contain a Global Edit Button. This facility may be used to rename
groups of items by substituting, prefixing or appending text to existing item names.
Note that a substitution will only take place if the new item name does not exceed
32 characters.

Global Name Edit Dialog

The Gate Table and Event Tree Table Dialogs contain a Display Button. When
this option is chosen, the selected gate or event tree is displayed in the diagram edit
area. Selected gates will always be displayed as the TOP gate in the visible
diagram. Note that the combo-boxes in the toolbar area and the tree control to the
left of the diagram edit area provide other means of navigating between fault and
event tree pages.

The Gate Table and Event Table Dialogs contain buttons allowing the user to
quickly navigate between these two table types.

FaultTree+ V11.2 79
Project Management

The Gate Table Dialog contains a check control which allows only gates which
appear at the top of fault tree pages to be displayed.

Most of the table dialogs contain a Dependencies Button which, when selected, will
reveal a dialog listing items which are dependent on the selected table item. For
example, if an event is selected in the gate table, followed by selection of the
Dependencies Button, FaultTree+ will list fault tree gates that have the event as an
input. In addition, a list of event trees associated with the event will be displayed.
The Dependencies Dialog may be used to locate a gate, event or label in a fault or
event tree. This is a particularly useful feature when searching for gates and events
in large and complex projects. The Display Buttons in the Dependencies Dialog
may be used to change the fault tree page or event tree in the diagram edit area, to
locate the gate or event.

Dependencies Dialog

Project Files

Project file options may be accessed via the File pull-down menu or the equivalent
toolbar options. Project file options allow the user to save and retrieve project data
and append data from different projects.

New Project

Selection of the New Project option on the File pull-down menu closes the current
project, ready for the user to begin a new project. If modifications have been made
to the old project, the user will be given the opportunity to save any modified data.
After closing the current project the program will automatically create the first TOP
gate of the new project and display this TOP gate in the diagram edit area.

80 FaultTree+ V11.2
 Project Management

Open Project

The Open Project option on the File pull-down menu allows the user to open an
existing project file. On selection of this option, a standard Windows Open Dialog
will appear. When a file is selected, the project data contained in the file will be
read into the project tables, overwriting any existing data. If a modified project is
already open then the user will first be given an opportunity to save the data.
FaultTree+ project files all have the extension .psa.

The Windows Open Dialog may also be used to import data from files originating
from older versions of FaultTree+. In addition, the Files of Type combo-box allows
the user to open project backup files (with extension .bak) automatically created
using the Automatic Backup facility provided with FaultTree+. Users may also open
FaultTree+ library files (extension .psl) in order to edit library data.

File Open Dialog

Recent Projects

Files may also be opened using the File, Recent Projects pull-down menu option.
Selection of this option reveals a dialog displaying the most recently opened
projects. The user may select the required project and then open it by selecting the
Open Button in the dialog.

Save Project

The Save Project option on the File pull-down menu allows the user to save data
to a project file. If a project file is specified in the FaultTree+ window header then
the data will be saved to that file. Otherwise, the program will display the Save As
Dialog, allowing the user to name a project file.

FaultTree+ V11.2 81
Project Management

Save Project As

The Save Project As option on the File pull-down menu is similar to the Save
Project option except that the user will be asked to specifically name the project file.

Appending Project Data

Two append options are available on the File menu. The Append Project, Single
Project option appends data from a single project to the existing project data. The
Append Project, Multiple Projects option appends data from a group of projects.
The existing project data is first removed.

Appending Data from a Single Project

The Append Project, Single Project option on the File pull-down menu allows
users to append data from another project to the data in the currently open project.
This option allows users to construct sub-projects independently and later append
the data into a single project. For example, different users may be responsible for
developing different branches of a large fault tree. Fault tree connections are
automatically recognised during the append process by the gate and event names
used in the original project files. For example, if one project contains a transfer gate
named GATE3, and a second project contains a TOP gate also named GATE3, the
append function will join the fault trees at the appropriate places.

Project 1 fault tree before append

82 FaultTree+ V11.2
 Project Management

Project 2 fault tree before append

Final fault tree after appending the project

Before an append operation takes place, the user may specify whether items with
matching names should be renamed. This is done by setting check boxes in the
Project Options Dialog (Library Tab). In addition, the user may specify whether
labels are to be transferred from the appended project. This renaming facility is

FaultTree+ V11.2 83
Project Management

provided to ensure that different items that are given the same name in different
projects (maybe because default names were used) are not treated as the same
item when the append operation takes place. For example, the event EVENT1
might represent a pump failure in one project and a valve failure in another project.
As the events haven't been given unique names such as PUMP and VALVE, the
event from the appended project needs to be renamed. Using the renaming facility
ensures the independence of items is maintained, where necessary, during the
append operation. There may be other circumstances where you do not wish items
to be renamed during the append operation. For example, if you are have many
common events occurring in different fault tree projects which are later to be
appended, you may wish to set the rename function off for events. If one such event
was named POWER (representing power supply failure), and this event occurred in
the current project as well as the appended project, then, if the rename function was
set off for events, FaultTree+ would not rename this, or any other event, during the
append operation.

Single Project Append Options Dialog

Note that if the rename facility is set off, the append function will ignore conflicting
data definitions in appended projects for events, generic models, CCFs,
consequences, Markov models, event groups and model groups. For example, if
the current project contains a CCF named VIBRATION and a project is appended
which also contains a CCF named VIBRATION, the original CCF definition will be
retained and the new definition ignored. If the appended project contains conflicting

84 FaultTree+ V11.2
 Project Management

initiator names for event trees, the appended initiators and branches will be
automatically renamed.

The Single Project Append Options Dialog allows you to specify individual fault
tree gates and event trees to be appended (rather than appending all the data from
the specified file).

To append an individual gate or event tree, simply select the appropriate name in
the list (you can toggle between the fault tree gate and event tree lists using the
buttons at the top of the dialog). Note that if you select an individual gate, the
program will also append all gates logically connected to the selected gate. If you
select an individual event tree, the program will also append all data connected to
the event tree (including any connected fault trees). You may select more than one
gate or event tree by holding down the Ctrl key whilst selecting list items in the list
with the mouse.

If you select the Only Append Data Connected to Selected Gates and Event Trees
flag, the program will not append events, generic data, consequences, CCFs,
bitmaps and Markov models that are not associated with the appended fault and
event trees.

Appending Data from Multiple Projects

The Append Project, Multiple Projects option on the File pull-down menu allows
users to append data from a group of projects in one go. Any existing project data is
removed before the append operation takes place. Data will only be appended if it is
attached to a fault or event tree. For example, if a generic model is not attached to
an event, then it will not be appended.

Data is appended in the order in which the project files are specified in the Append
Multiple Projects Dialog. Conflicting definitions are not renamed and not replaced.
For example, if a generic model PUMP is defined in two of the appended projects,
the first definition (occurring in the project nearest the top of the list) will be
accepted.

Multiple append project file lists may be saved in template files for future use. Use
the Save Template Button to save a file list in a template file. Template files are
given the extension .amf. Use the Open Template Button to retrieve a file list.

Library Files

Connecting to a Library

Library files are identical in structure to project files. FaultTree+ library files are
given an extension .psl to distinguish them from project files that have an extension

FaultTree+ V11.2 85
Project Management

.psa. Library files will normally contain generic fault and event tree structures as
well as generic event and failure model data. Libraries may be connected to a
project using the File, Connect to Library pull-down menu option. Once a library file
has been connected, the user may view the contents of the library by selecting the
Library Tab above the tree control. Library data is displayed in the library tree
control and various dialogs that are revealed when adding library data to a project.
Library data is not displayed in the diagram area or grid control in the right-hand
window.

Connecting Project Files as a Library

Project files may be connected temporarily as a library. This allows easy transfer of
data from one project to another. To connect a project, simply select .psa from the
Files of Type list in the Open Dialog after selecting the File, Connect to Library
pull-down menu option.

Adding Data to a Library

You may populate a FaultTree+ library file with data by opening it as a temporary
project, using the File, Open Project pull-down menu option, and then saving any
changes, using the File, Save Project pull-down menu option. After editing a new
library file as a temporary project, you will need to name the library file using the
Save As Dialog and you will need to specify the extension .psl.

Copying Library Data

Once a library has been connected to a project (the connected library file name will
be displayed in the window header together with the current project name), users
may copy data from the library to the project and save project data to the library. If
data is added to the library then the Save Library and Save Library As pull-down
menu options may be used to save the changes.

Data may be copied from the library to the project in a number of different ways.
One method is to select the Library Tab above the tree control window. The library
tree control may then be used to drag and drop library objects onto the project
diagram in the right-hand window. Another method is to use the Add Library Gate
and Add Library Event toolbar options. After selecting either of these options, move
the mouse cursor to a gate in the fault tree diagram and press the left mouse
button. A dialog will be revealed allowing you to choose the gate or event from the
library that is to be added below the selected gate in the diagram. You may add
event trees to a project by selecting the Add Library Event Tree toolbar option. You
may also copy library objects to the project by selecting the object in the library tree
control. Then press the right mouse button to reveal a pop-up menu. Then select
the Add to Project option.

86 FaultTree+ V11.2
 Project Management

When adding library objects to a project, FaultTree+ will obey the user settings
defined in the Project Options Dialog under the Library Tab.

Updating Data Originating from a Library

Libraries may also be used to refresh the failure and repair data associated with
events in a project. For example, suppose that a project was created using events
and failure models originating from a library demo.psl. The library failure and repair
data is later modified. The project data may be brought back in line with the library
data by re-connecting the library to the project and selecting the Tools, Update
Project with Library Failure and Repair Data. Events and data models with
matching names will have their failure and repair parameters set from the library.
This facility will also replace consequence weight values and CCF model factors for
matching objects.

Adding Project Data to a Library

Users may add data directly to a connected library. Fault tree diagram gates and
events may be selected and added to the library by selecting the Add, Selection to
Library pull-down menu option. Objects may also added to a library by selecting the
object on the project tree control and then selecting the Add to Library option on
the right mouse button pop-up menu.

The Add to Library facility obeys the settings in the Library Tab of the Project
Options Dialog. In this dialog, users may specify whether objects are added to the
library if their names conflict with existing library objects.

Note that library data may also be modified by opening a library temporarily as a
project. This may be done via the File, Open Project pull-down menu option and
specifying the .psl extension in the Files of type list.

Library Element Properties

Users may view the properties of individual library elements by selecting the
element in the library tree control and then selecting the Properties option from the
right mouse button pop-up menu. It is not possible to edit the properties of a library
element when the library is connected to a project.

FaultTree+ V11.2 87
 Constructing Fault Trees

7. Constructing Fault Trees

Adding New Gates and Events

Fault trees are constructed simply by adding gates and events directly into the fault
tree diagram edit area. As gates and events are added to a fault tree diagram,
FaultTree+ automatically positions the diagram symbols, allowing the user to
concentrate on building the correct logical structure.

To start a new fault tree project, select the New Project option from the File pull-
down menu. A single TOP gate will be displayed in the diagram edit area. To add a
new TOP gate to an existing project, first ensure that the Fault Tree Tab is
selected at the top of the edit area. Then select the Add, New Top Gate pull-down
menu option or equivalent toolbar button. Now the fault tree diagram may be
modified directly from the diagram edit area.

To add new gates and events to the initial TOP gate, select either the Add, Gate to
Fault Tree or Add, Event to Fault Tree pull-down menu options or equivalent
toolbar buttons. After selecting either of these options, you will notice that the cursor
will change its shape when moved into the diagram edit area. The shape of the
cursor indicates that the program is in Add Gate or Add Event mode. Whilst in
either of these two modes, new gates and events may be added to the fault tree
diagram by clicking the left mouse button with the cursor placed over an existing
gate symbol. A gate or event will then be added below the selected symbol. As
inputs are added to a TRANSFER gate symbol (no inputs), the gate symbol will be
automatically modified to a NULL gate (one input) and then an OR gate (more than
one input). These gate types may later be modified using the Edit, Selection
facility.

If you wish to repeat existing gates or events in different parts of the fault tree, this
may be achieved by using the right mouse button whilst in Add Gate or Add Event
mode. Clicking the right mouse button over a gate symbol will reveal a dialog listing
existing gate or event names and their descriptions. You may select or type in an
existing name. Selection of the OK Button will add the existing gate or event to the
target gate in the fault tree.

The user may exit from Add mode by selecting the Add, Clear Add Mode pull-
down menu option or equivalent toolbar button. Alternatively, tapping the Escape
key will have the same result. On leaving Add mode, the cursor returns to a pointer
within the diagram edit area.

FaultTree+ permits users to add up to 18 inputs to gates, unless there is a logical

restriction to the number of inputs (e.g. a NOT gate may have only one input).

FaultTree+ V11.2 89
Constructing Fault Trees

Gate and Event Symbols

The program uses internationally recognised gate and event symbols.

The gate symbols are listed below, together with their causal relations. Note that the
NULL gate type is not included in this list. NULL gates (which have a single input
only) have no effect on the logic of the fault tree. They are used to allow additional
descriptions to be added to the fault tree for system events.

Symbol Name Causal Relation Valid

No of
Input
s
OR Output event occurs if any 2
one of the input events
occurs.

AND Output event occurs if all 2

input events occur.

MAJORITY Output event occurs if m of 3

VOTE the input events occur.

EXCLUSIVE Output event occurs if one 2

OR but not both of the input
events occurs.

INHIBIT Output event occurs if both 2

GATE input events occur. One of
the inputs represents a
conditional event.
PRIORITY Output event occurs if all 2
AND input events occur in
sequential order from left to
right.
NOT Output event occurs if the 1
input event does not occur.

90 FaultTree+ V11.2
 Constructing Fault Trees

Note that FaultTree+ provides the option of displaying additional symbols that
conform to the British 5760 (Part 7) and IEC 1025 standards. These additional
symbols will only be displayed if the Use IEC Symbols in Diagrams option is
selected in the Project Options Dialog (General Tab).

The event symbols used by FaultTree+ are illustrated below, together with their
meanings.

Symbol Name Meaning

System or component event

description.

BASIC Basic event for which failure and

repair data is available.

UNDEVELOPED Represents a system event that

is yet to be developed.

CONDITIONAL Similar to basic event but

represents a conditional
probability connected to an
inhibit gate.
HOUSE Represents definitely operating
or definitely not operating events.

DORMANT Similar to basic event but

indicates that the event
represents a dormant failure.

TRANSFER Indicates that this part of the fault

tree is developed in a different
part of the diagram or on a
different page.

Editing Gates and Events

Gate symbols may be selected using the left mouse button, followed by choosing
the Selection option on the Edit pull-down menu or equivalent toolbar option.
Alternatively, double-click the left mouse button with the cursor over the gate
symbol. This action results in the program displaying the Edit Gate Dialog for the

FaultTree+ V11.2 91
Constructing Fault Trees

selected gate. The Edit Gate Dialog allows the user to modify the gate and event
inputs. This is an alternative method to using the Add mode described above. On
selecting the OK Button on the Edit Gate Dialog, the program will automatically
draw any new inputs to the gate in the diagram edit area.

Events may also have their attributes revealed by double-clicking on the event
symbol in the diagram edit area.

Fault Tree Pagination

As the fault tree increases in size, you may wish to split up the tree into pages. This
may be done by setting the Page check-box on in the Edit Gate Dialog. Gates
with the page flag set on will appear in the fault tree diagram at the top of the visible
tree, or as transfer symbols. Paged transfer symbols have a rectangle drawn
around the symbol in the tree diagram. You may navigate between pages using the
fault tree combo-box in the toolbar area or by selecting the Change Page option on
the View pull-down menu. The Change Page option requires that a gate symbol is
already selected. If the TOP gate in the display is selected, the program will
automatically display the fault tree page above the selected gate (unless the
selected gate does not feed into another page). If a gate other than the displayed
TOP gate is selected, the program will reset the selected gate as the new displayed
TOP gate.

Adding Labels and Notes to a Fault Tree

Labels and notes may be placed in a diagram using the Label or Notes option on
the Add pull-down menu. After selecting this option you will notice that the cursor
will change its shape when moved into the diagram edit area. The shape of the
cursor indicates that the program is in Add Label or Notes mode. Whilst in this
mode, a new label may be added to the fault tree diagram by clicking the left mouse
button with the cursor positioned within the diagram edit area, outside of any
existing gates or events. The top left of the new label will be placed at the cursor
position. If the cursor is positioned over a gate or event in the drawing area, the
program will add a note to the gate or event rather than add a label. The user may
exit from Add Label or Notes mode before a new label or note has been created,
by selecting the Add, Clear Add Mode pull-down menu option or equivalent toolbar
button. Alternatively, tapping the Escape key will have the same result. On leaving
Add mode, the cursor returns to a pointer within the diagram edit area.

To modify the text within a label, double-click the left mouse button whilst the cursor
is over the label. A dialog will appear allowing the labels text to be modified.

To modify notes added to a gate or an event, double-click the left mouse button with
the cursor over the gate or event in the diagram. This will reveal the Edit Gate or
Edit Event Dialog. Select the Notes Button and then type in the new notes data.

92 FaultTree+ V11.2
 Constructing Fault Trees

Notes will be automatically displayed as the mouse cursor moves over the
associated gate or event in the fault tree diagram if the relevant View, Reveal Notes
and Hyperlinks pull-down menu option is set.

Adding Hyperlinks to a Fault Tree

Hyperlinks may be placed in a diagram using the Hyperlink option on the Add pull-
down menu. After selecting this option, you will notice that the cursor will change its
shape when moved into the diagram edit area. The shape of the cursor indicates
that the program is in Add Hyperlink mode. Whilst in this mode, a new hyperlink
may be added to a gate or event in the fault tree diagram by clicking the left mouse
button with the cursor positioned over a gate or event in the drawing area. The user
may exit from Add Hyperlink mode before creating a new hyperlink by selecting the
Add, Clear Add Mode pull-down menu option or equivalent toolbar button.
Alternatively, tapping the Escape key will have the same result. On leaving Add
mode, the cursor returns to a pointer within the diagram edit area.

To modify a hyperlink added to a gate or an event, double-click the left mouse

button with the cursor over the gate or event in the diagram. This will reveal the Edit
Gate or Edit Event Dialog. Select the Hyperlink Button and then type in, or
browse for, the new hyperlink.

Hyperlinks will be automatically displayed as the mouse cursor moves over the
associated gate or event in the fault tree diagram if the relevant View, Reveal Notes
and Hyperlinks pull-down menu option is set.

Fault Tree Copy and Append Facilities

The cut, copy and paste functions apply to fault tree gate and event symbols. The
copy and paste facilities also apply to fault and event tree labels.

The cut operation is used to transfer the selected gate or event symbol to the
FaultTree+ clipboard. To perform a cut operation, select a symbol followed by
selection of the Cut Symbol option on the Edit pull-down menu or equivalent
toolbar button. Top gates are the only gates that cannot be transferred to the
clipboard using the cut operation. When the cut operation is performed on a gate or
event symbol the symbol is removed as an input to the gate above. Note that the
removed gate or event is not deleted from the project database table. The Delete
option on the Edit pull-down menu should be used to perform a permanent
deletion.

The copy operation is similar to the cut operation except that the gate or event is not
removed as an input to the gate above. The gate or event symbol definition is

FaultTree+ V11.2 93
Constructing Fault Trees

transferred to the FaultTree+ clipboard. To copy a symbol, select the Copy Symbol
or Label option on the Edit pull-down menu or equivalent toolbar button.

The standard paste operation transfers the gate or event definition in the FaultTree+
clipboard to the selected gate in the fault tree diagram. The transferred symbol is
drawn as an input to the selected gate. To paste a symbol, select the Paste
Symbol or Label option on the Edit pull-down menu or equivalent toolbar button.

The cut, copy and standard paste functions allow gates and events to be quickly
transferred within, or removed from, the visible fault tree. Note that the cut and
paste operations may result in the target gate type being automatically modified by
the program due to the number of resulting inputs. For example, if one of two inputs
is cut from an OR gate the gate type is changed to type NULL (with one input).

The FaultTree+ cut, copy and standard paste facilities are used to transfer or copy
the identical logical structure to another part of the fault tree. Gate names and event
names will be identical to the original names when a standard paste operation is
performed. Copy and standard paste operations will therefore result in the same
gates and events being repeated in different parts of the fault tree. There is,
however, a special paste facility available that reproduces the clipboard fault tree
structure but changes some or all the names of gates and events before transferring
the clipboard contents to the project. All new gates and events will be given unique
names based on the original name of the gate or event in the clipboard. Only the
names of new gates and events will change - all other attributes will be identical.
The special paste operation may be activated by selecting the Edit, Paste Symbol
Special pull-down menu option.

If you copy a fault tree structure and then paste this structure to another part of the
project (using Paste Special), you will be given the option of selecting one or more
gates and events as common events. These common events will not have their
names changed.

In the example below, a Paste Special operation is performed by first copying the
gate SYS1 to the clipboard and then pasting this tree to another part of the project
(using the Paste Special menu option). If the user selects gates ELECA and
ELECB as common events (the names should not be changed) then the resulting
new tree is drawn as shown (note that gate and event names have been
automatically changed except for ELECA and ELECB).

94 FaultTree+ V11.2
 Constructing Fault Trees

System fault tree to be copied

New system fault tree created after special paste operation

FaultTree+ V11.2 95
Constructing Fault Trees

Another way to reproduce similar fault tree structures in different places in the
project, but with some or all of the gate and event names modified, requires the use
of the single project append and global name edit facilities. This may be done by
opening a new project and constructing the part of the fault tree that is to be
reproduced. Gates and events in the project to be appended should be given
names that contain a convenient string of text that will later be substituted when the
append operation takes place. For example, the symbol $ might be used as a
substitution symbol as illustrated by the following example:

Library fault tree

Project fault tree before append

96 FaultTree+ V11.2
 Constructing Fault Trees

Project fault tree after append and global name substitution

Deleting Symbols

Fault and event tree symbols may be deleted from a diagram in the edit area
directly. Selection of a gate or event symbol in a fault tree diagram, followed by
selecting the Delete Selection option in the Edit pull-down menu (or pressing the
delete key), will delete the symbol. Labels may also be deleted from diagrams in a
similar manner. Note that when gate or event symbols in a fault tree are deleted in
this manner, they are removed as an input from the gate above and also deleted
from the gate or event tables if they do not appear anywhere else in the project fault
or event trees. If they do appear elsewhere, they will only be deleted from the gate
or event tables if either the Disable Deletion Dependency Checks flag is set on or
Delete Selection and Below in Fault Trees flag is set on in the Project Options
Dialog (General Tab). If you wish to remove a gate or event as an input to another
gate, but do not wish to delete its definition, then you should use the Edit, Cut
Symbol pull-down menu option.

A whole section of a fault tree may be deleted by first selecting a gate in the fault
tree diagram and then selecting the Edit, Delete Selection and Below pull-down
menu option. After selecting this option, FaultTree+ will first display all gates and

FaultTree+ V11.2 97
Constructing Fault Trees

events that are about to be deleted and then provide the user with an option to
cancel the operation. This facility deletes the selected gate and all gates and events
connected below it, except for those gates and events appearing in other parts of
the project fault trees. Also, events appearing in event trees will not be deleted.

FaultTree+ also provides a facility to delete hidden data. This facility should be used
with caution as large portions of project data may be deleted. Make a backup copy
of your project (using the Save Project As option on the File pull-down menu)
before performing a hidden data deletion. The delete hidden data facility is
accessed by selecting one of the Edit, Delete Hidden FT Data pull-down menu
options. Three options are available :

Delete all non-visible

Delete all non-visible disconnected
Delete all non-visible except below

To delete all gates and events that are not currently displayed on the screen, select
the All Non-Visible pull-down menu option or press the Ctrl and Delete keys
together. To delete all gates and events except those logically connected to the
visible tree (including gates above the displayed TOP event), select the All Non-
Visible Disconnected pull-down menu option or press the Alt and Delete keys
together. To delete all gates and events except those logically connected below the
displayed tree, select the All Non-Visible Except Below pull-down menu option or
press the Shift and Delete keys together. A warning will be given before the
deletion takes place.

98 FaultTree+ V11.2
 Navigating Fault Trees

8. Navigating Fault Trees

There are a number of different ways you can locate and display data associated
with the fault trees in your project. This chapter describes these different methods.

For large projects, it is essential that the fault tree structure is split up into
manageable pages. This may be done by manually selecting the Page check box
in the Edit Gate Dialog for those gates which are required to appear at the top of
each fault tree page. Alternatively, page flags may be set automatically by the
program by selecting the View, Auto Paginate pull-down menu option.

Using the Tree Control to Locate Fault Tree Pages

The tree control on the left-hand side of the diagram edit area may be used to
change the page of the fault tree displayed in the diagram edit area. The names of
pages in the tree control correspond to the names of gates appearing at the top
each fault tree page in the project.

FaultTree+ provides a facility which automatically changes the displayed page in the
diagram edit area when you select a new page name underneath the 'Fault Tree
Pages' node of the project tree control. This facility will only operate if the 'Auto
Change Page on Selection' flag is set on. This flag may be toggled on or off from
the project tree control pop-up menu (revealed when you press the right mouse
button in the tree control area).

If you are operating with the 'Auto Change Page on Selection' flag set off then, to
display any fault tree page, first select the page name in the tree control using the
left mouse button. Then click the right mouse with the cursor positioned within the
tree control area. A pop-up menu will appear. Select the Display option on the
menu. The selected page will now appear in the diagram edit area.

FaultTree+ V11.2 99
Navigating Fault Trees

Selecting the Display Option from the Pop-Up Menu

Using the Combo-Box to Locate Fault Tree Pages

The combo-box in the toolbar area of the FaultTree+ window may be used to
change the page of the fault tree displayed in the diagram edit area. The names of
pages in the combo-box correspond to the names of gates appearing at the top of
each fault tree page in the project.

Selecting a Page from the Combo-Box

100 FaultTree+ V11.2

 Navigating Fault Trees

To display a fault tree page, simply select the page name in the combo-box control
using the left mouse button. The selected page will now appear in the diagram edit
area.

Locating Gates using the Gate Table

A fault tree gate in a project may be located using the Gate Table Dialog. This
dialog is accessed by selecting the Edit, Gate Table pull-down menu option.

Gate Table Dialog

By default, the Gate Table Dialog lists all the gates in the current project in
alphabetical order. An individual gate may be located in the displayed fault tree
diagram by selecting the gate in the list, followed by selection of the Display Button
in the dialog.

For large projects, it may be more convenient to reduce the number of entries in the
list by using the filter facility. Selection of the Filter Button in the Gate Table Dialog
produces the Filter Dialog. The user may enter a filter text string into this dialog
and select the Direct Filter Button to list only those gates whose names or
descriptions contain the specified string. For example, the filter text loss will only
list gates whose names or descriptions contain the string loss. Alternatively, the
Dependency Filter Button may be selected, revealing gates which are dependent
on (are connected to on the same page) gates or events containing the text string.

FaultTree+ V11.2 101

Navigating Fault Trees

Using the Filter Facility with the Gate Table

Locating Fault Tree Labels using the Labels, Notes and Hyperlinks Table

The fault tree page containing a given label may be located using the Labels, Notes
and Hyperlinks Table Dialog. This dialog is accessed by selecting the Edit, Labels,
Notes and Hyperlinks Table pull-down menu option.

Labels, Notes and Hyperlinks Table Dialog

102 FaultTree+ V11.2

 Navigating Fault Trees

To view the fault tree page containing the label, select the label (with type Fault
Tree) in the dialog list and then select the Display Button in the dialog. The fault
tree page will now be displayed in the diagram edit area.

Using the Dependency List to Locate Events

Events may be located within the fault tree diagram structure by first selecting the
event in the tree control and then selecting the Dependencies option in the tree
control pop-up menu (the tree control pop-up menu is revealed by pressing the right
mouse button with the cursor inside the tree control area).

Selecting the Dependencies Option

This action will reveal the Dependencies Dialog containing a list of dependent
gates (gates which have the event as an input) in the fault tree. Selection of the

FaultTree+ V11.2 103

Navigating Fault Trees

Display Button in the dialog will result in the relevant page of the fault tree being
displayed in the diagram edit area.

Dependencies Dialog

Note that the Dependencies Dialog may also be accessed from the Event Table
Dialog. To view the Event Table Dialog, select the Edit, Event Table pull-down
menu option.

104 FaultTree+ V11.2

 Constructing Event Trees

9. Constructing Event Trees

Creating New Event Trees

FaultTree+ provides facilities to allow the user to construct event trees within the
diagram edit area. This allows the user to immediately see the changes made to
the event tree as it is constructed. The program automatically positions event tree
branches as they are created, allowing the user to concentrate on building the
correct logical structure.

Two types of event tree may be created - primary (the default) and secondary event
trees. Primary event trees have an initiating event or fault tree associated with the
initiating branch. Secondary event trees do not have a project event or fault tree
associated with the initiating branch. Instead, the initiator branch provides a link with
primary event trees and other secondary event trees. Once a secondary event tree
is defined, you may connect the end branches of other event trees to the secondary
tree. You many connect as many end branches to a single secondary event tree as
you wish.

During the calculation process, the minimal cut sets representing sequences
leading up to end branches connected to a secondary tree are fed through to the
secondary event tree initiating branch. This bears some resemblance to the
methodology normally associated with cause-consequence diagrams, where
sequences of events are combined through an OR gate.

Secondary event trees usually represent repeated event tree logic. Rather then
repeat an identical portion of an event tree, with identical consequences, in different
parts of the project, a single secondary event tree may be defined.

To create a new event tree, select the Add, New Event Tree pull-down menu
option or equivalent toolbar button. A dialog will appear, requesting the user to enter
the initial number of columns for the event tree and the event tree type (primary or
secondary). On selection of the OK Button, the new event tree will be displayed in
the diagram edit area. Event tree branches will have been automatically created.
Each branch will split into two branches (failure and success) in the next column.

Branches

Branches may be selected by clicking the left mouse button whilst the mouse cursor
is positioned over the branch line. Selected branches will be highlighted. Only one
branch may be selected at a time. Choosing the Selection option on the Edit pull-
down menu or equivalent toolbar button will reveal the Edit Branch Dialog for the
selected branch. Alternatively, double-click the left mouse button with the cursor

FaultTree+ V11.2 105

Constructing Event Trees

over the branch. The Edit Branch Dialog allows the user to set various branch
attributes, including the branch type and description. Terminal branch dialogs allow
the user to set the consequence for the entire branch sequence.

Individual branches may be added to an event tree simply by selecting an existing

branch and selecting the Add, NULL Branch to Selection pull-down menu option or
equivalent toolbar option. The Add, Success Branch to Selection and Add, Failure
Branch to Selection pull-down menu options will have the same effect but will
create success and failure branches, respectively. Individual branches representing
partial failures may also be created by first adding a NULL branch and then editing
the branch to change its type. Branches are added to the right of the selected
branch.

Branches may be deleted from the event tree by selecting the appropriate branch
and selecting the Edit, Delete Selection pull-down menu option or tapping the
Delete key. Note that all branches connected to the right of the deleted branch will
also be deleted. FaultTree+ provides a facility that changes an event tree branch
type to NULL if the user deletes a branch within a failure and success pair. The
Auto Set ET Branches to NULL on Delete option can be set on or off in the
General Tab of the Project Options Dialog.

Columns

Column headers may also be selected in a similar fashion to branches. The Edit
Column Dialog is revealed on double-clicking over a column header. The Edit
Column Dialog allows the user to set the event or fault tree gate representing the
column and provide a description for the column. If a description is not provided by
the user for a column, FaultTree+ displays the name or description of the gate or
event associated with the column.

New columns may be added to an existing event tree by selecting a column,

followed by selection of the Add, Insert Event Tree Column pull-down menu option
(alternatively, press the Insert key). A new column will be added to the right of the
selected column. The user will be requested to indicate how the branches to the left
of the new column should be connected to the branches on the right of the new
column. The available options are:

Connect with single NULL branch

Connect with single SUCCESS branch
Connect with single FAILURE branch
Connect with FAILURE and SUCCESS branches

106 FaultTree+ V11.2

 Constructing Event Trees

Insert Column Dialog

Event Tree Copy and Paste Facilities

FaultTree+ provides facilities to copy and paste either whole event trees, or parts of
event trees, within a project.

To copy an entire event tree, first select the event tree in the tree control to the left
of the diagram edit area. Then press the right mouse button with the cursor
positioned in the tree control area to reveal a pop-up menu. Select the Copy option
from this menu. Now select the Paste Event Tree option from the same pop-up
menu. The new event tree will immediately appear in the tree control.

To copy part of an event tree, simply select the left-most branch of the part of the
tree you wish to copy in the diagram edit area. Select the Edit, Copy Structure or
Label pull-down menu option or equivalent toolbar option. Then select the branch of
the event tree you wish to be attached to the copied part of the tree. Select the Edit,
Paste Structure or Label pull-down menu option or equivalent toolbar button. If
there are insufficient columns in the event tree to support the paste operation then
the event tree columns will be extended.

Event Tree Pagination

If the event trees in your project contain many columns, it may be convenient to split
up each event tree into manageable pages. This may be done by selecting a
column in the event tree, followed by selection of the View, Set Column Page
Markers pull-down menu option. A page flag will be set for each branch in the
column and FaultTree+ will automatically paginate the event tree diagram. Page
markers may also be set for individual branches in the Edit Branch Dialog
(accessed by double-clicking the left mouse button with the cursor positioned over
the branch). You can navigate between pages by selecting page branches (page
branches are drawn with double arrows) and then selecting the View, Change
Page pull-down menu option or equivalent toolbar button. Note that you may
navigate between different event trees using the event tree combo-box in the
toolbar area.

FaultTree+ V11.2 107

Constructing Event Trees

Adding Labels to an Event Tree

Labels may be placed in a diagram using the Label option on the Add pull-down
menu. After selecting this option, you will notice that the cursor will change its shape
when it is moved into the diagram edit area. The shape of the cursor indicates that
the program is in Add Label mode. Whilst in this mode, new labels may be added
to the fault tree diagram by clicking the left mouse button with the cursor positioned
within the diagram edit area. The top left of the new label will be placed at the
cursor position. The user may exit from Add Label mode by selecting the Add,
Clear Add Mode pull-down menu option or equivalent toolbar button. Alternatively,
tapping the Escape key will have the same result. On leaving Add mode, the
cursor returns to a pointer within the diagram edit area. To modify the text within a
label, double-click the left mouse button whilst the cursor is over the label. A dialog
will appear allowing the labels text to be modified.

Deleting Event Trees and Branches

Branches in an event tree diagram may be deleted by selecting the appropriate

branch and then selecting the Edit, Delete Selection pull-down menu option. The
deletion process will remove the branch and all sibling branches (branches to the
right of the selected branch).

Columns in an event tree may be deleted by selecting the column in the diagram
edit area and then selecting the Edit, Delete Selection pull-down menu option.

Whole event trees may be deleted from a project by selecting the event tree in the
tree control to the left of the diagram edit area and then selecting the Delete option
from the tree control pop-up menu. To access the pop-up menu, click the right
mouse button with the cursor placed in the tree control area. Whole event trees may
also be deleted from the Event Tree Table Dialog. This dialog may be accessed by
selecting the Edit, Event Tree Table pull-down menu option.

Deleting Unattached Gates, Events and Consequences

You may delete all the consequences in a project that are not currently attached to
any event tree end branch by selecting the Edit, Delete Unattached Consequences
pull-down menu option. This option is only available when an event tree is displayed
in the diagram edit area.

You may delete all the gates and events in a project that are not currently attached
to any event tree column or branch by selecting the Edit, Delete Unattached Gates
and Events pull-down menu option. This option is only available when an event tree
is displayed in the diagram edit area. Note that on selecting this option, FaultTree+
will display all the gates and events that are about to be deleted and then allow the
user to cancel the operation.

108 FaultTree+ V11.2

 Navigating Event Trees

10. Navigating Event Trees

There are a number of different ways you can locate and display data associated
with the event trees in your project. This chapter describes these different methods.

If the event trees in your project contain many columns, it may be convenient to split
up each event tree into manageable pages. This may be done by selecting a
column in the event tree, followed by selection of the View, Set Column Page
Markers pull-down menu option. A page flag will be set for each branch in the
column and FaultTree+ will automatically paginate the event tree diagram. Page
markers may also be set for individual branches in the Edit Branch Dialog
(accessed by double clicking the left mouse button with the cursor positioned over
the branch). You can navigate between pages by selecting page branches (page
branches are drawn with double arrows) and then selecting the View, Change
Page pull-down menu option or equivalent toolbar button.

Event Tree Diagram with Page Markers

Using the Tree Control to Locate Event Trees

The tree control on the left-hand side of the diagram edit area may be used to
change the event tree displayed in the diagram edit area. The names of event trees
in the tree control correspond to the names of the initiator branches of each event
tree.

FaultTree+ provides a facility which automatically changes the displayed event tree
in the diagram edit area when you select a new event tree name underneath the
'Event Trees' node of the project tree control. This facility will only operate if the

FaultTree+ V11.2 109

Navigating Event Trees

'Auto Change Page on Selection' flag is set on. This flag may be toggled on or off
from the project tree control pop-up menu (revealed when you press the right
mouse button in the tree control area).

If you are operating with the 'Auto Change Page on Selection' flag set off, then, to
display an event tree, first select the event tree name in the tree control using the
left mouse button. Then click the right mouse with the cursor positioned within the
tree control area. A pop-up menu will appear. Select the Display option on the
menu. The selected event tree will now appear in the diagram edit area.

Selecting the Display Option from the Pop-Up Menu

Using the Combo-Box to Locate Event Trees

The combo-box in the toolbar area of the FaultTree+ window may be used to
change the event tree displayed in the diagram edit area. The names identifying the
event trees in the combo-box correspond to the names of the initiator branches of
each event tree in the project.

Selecting an Event Tree from the Combo-Box

110 FaultTree+ V11.2

 Navigating Event Trees

To display an event tree, simply select the event tree name in the combo-box
control using the left mouse button. The selected event tree will now appear in the
diagram edit area.

Locating Event Tree Labels using the Labels, Notes and Hyperlinks Table

The event tree containing a given label may be located using the Labels, Notes and
Hyperlinks Table Dialog. This dialog is accessed by selecting the Edit, Labels,
Notes and Hyperlinks Table pull-down menu option. To view the event tree
containing the label, select the label (with type Event Tree) in the dialog list and
then select the Display Button in the dialog. The event tree will now be displayed in
the diagram edit area.

Labels, Notes and Hyperlinks Table Dialog

Using the Dependency List to Locate Events and Gates

Events or fault tree gates are associated with each column in an event tree. The
event trees associated with a given event or gate may be located by selecting the
event or gate in the tree control and then selecting the Dependencies option in the
tree control pop-up menu (the tree control pop-up menu is revealed by pressing the
right mouse button with the cursor inside the tree control area).

FaultTree+ V11.2 111

Navigating Event Trees

Selecting the Dependencies Option

This action will reveal the Dependencies Dialog containing a list of dependent
event trees (event trees which have the event or gate associated with a column in
the event tree). Selection of the Display Button in the dialog will result in the
relevant event tree being displayed in the diagram edit area.

Dependencies Dialog

Note that the Dependencies Dialog may also be accessed from the Gate Table
Dialog or Event Table Dialog. To view these dialogs, use the appropriate Edit pull-
down menu option.

112 FaultTree+ V11.2

 The Spelling Checker

11. The Spelling Checker

Once you have entered your data you will naturally want to check descriptive text
for spelling errors. The spelling checker facility will check individual text phrases or
the entire project for errors and recommend suitable replacements. User-defined
dictionaries may also be constructed to eliminate common technical words from
being flagged. A global text replacement facility is also provided allowing you to
replace an old text string with a new one throughout your project data.

Spelling Checker Scope Dialog

You can check descriptive text for spelling errors by selecting the Check Spelling
option on the Tools pull-down menu. The Spelling Checker Scope Dialog will then
appear allowing you to select which text field categories you wish to check for
errors.

You may refine your search and eliminate common technical names from the
search using the Spelling Checker Options and Spelling Checker Dictionaries
options on the Tools pull-down menu.

Check-Spelling Dialog

The CheckSpelling Dialog appears if a word requiring your attention is detected.

You can use the dialog to specify whether the word should be ignored or replaced.
Note that the labels of some buttons and text boxes in the dialog change according
to the context.

Add button: Causes the reported word to be added to the dictionary selected in the
Add Words To list. Use the Add Button if a correctly spelled word you use often is
reported as a misspelling (e.g., your family name). If the word is not used frequently,
you may want to select the Ignore or Ignore All Buttons instead. This button is
enabled only if a user dictionary has been selected in the Add Words To list.

Add Words To list: Indicates which user dictionary words will be added to when
you select the Add Button. The Add Words To list shows all user dictionaries
currently open. You can open or close other dictionaries via the Dictionaries
Dialog, which is accessible by selecting the Dictionaries Button.

Cancel button: Stops the current spelling check.

Capitalization box: Contains an uncapitalized word that exists in the dictionaries in

capitalized form only. You can edit the word in this box or select a suggestion from

FaultTree+ V11.2 113

The Spelling Checker

the list, then click the Change Button to correct the word, or press the Ignore
Button to skip the word.

Change button: Causes the reported word to be replaced. If the problem word was
edited, the edited word is used as the replacement. Otherwise, the selected
suggestion is used as the replacement. Only this occurrence of the reported word is
replaced. If you want this and all following occurrences of the word replaced, select
the Change All Button.

Change All button: Causes this and all following occurrences of the reported word
to be replaced. If the problem word was edited, the edited word is used as the
replacement. Otherwise, the selected suggestion is used as the replacement. If you
want only this occurrence of the word to be replaced, use the Change Button. If the
reported word is one you frequently misspell, you might consider adding it to a user
dictionary via the Dictionaries Dialog. You can display the Dictionaries Dialog by
selecting the Dictionaries Button.

Consider Changing box: Contains a word which may be misspelled or otherwise

incorrect and is presented with a candidate replacement word. You can change the
word by selecting the Change Button, or skip it by selecting the Ignore Button.

Delete button: Removes the word from the text. This button appears when a
doubled word has been detected, or when the contents of the problem-word box are
deleted.

Dictionaries button: Causes the Dictionaries Dialog to be displayed. You can use
the Dictionaries Dialog to open or close user dictionaries and to edit the contents of
user dictionaries.

Ignore button: Causes this occurrence of a misspelled word to be skipped. If the

same misspelled word appears later, it will be reported again.

Ignore All button: Causes this and all further occurrences of a misspelled word to
be skipped. You might use this button if the word reported as a misspelling is
actually spelled correctly. If the word is one you use frequently, you may wish to
ignore it permanently by selecting the Add Button.

Not in dictionary box: Indicates that a misspelled word was detected. The word is
considered misspelled because it could not be located in any open dictionaries, or
was marked with an exclude action. You can edit the word in this box or select a
suggestion from the list, then click the Change Button to correct the word, or press
the Ignore Button to skip the word.

Options button: Displays the Options Dialog. You can use the Options Dialog to
set spelling-checker options.

114 FaultTree+ V11.2

 The Spelling Checker

Suggest button: Search more thoroughly for suggested replacements for the
current misspelled word. Each time you press the Suggest Button, a "deeper"
search is made. The Suggest Button is disabled once all possible suggestions
have been located.

Suggestions list: Contains a list of suggested replacements for the word reported
as misspelled. Subsequent presses of the Suggest Button may yield more
suggestions. The word selected in the Suggestions list will be used as the
replacement when the Change or Change All Buttons are pressed, unless the
word in the problem box was edited.

Undo button: Removes the last change made. The Undo Button can be pressed
several times to remove the last several changes.

Undo Edit button: Remove any changes made to the text in the problem box. This
button appears only if the text in the problem box has been changed.

Dictionaries Dialog

The Dictionaries Dialog allows you to open and close user dictionaries and to edit
the contents of an open user dictionary. The contents of dictionaries are saved in
disk files. You can open some or all of your user dictionary files at any time. Only
open dictionaries are searched during a spelling check.

Action list: Used to select an action that is associated with words in the dictionary.
The action tells the spelling checker what to do when it finds a word in the
dictionary. The following actions can be selected:

Auto change (use case of checked word): This action allows you to automatically
replace one word with another. For example, if you often type recieve instead of
receive, you might enter the word recieve with receive as the other word and Auto
change (use case of checked word) as the action. The spelling checker will
automatically correct recieve wherever it appears. If recieve was capitalized
(Recieve), the spelling checker would automatically replace it with Receive. Note
that the replacement is made automatically only if the Auto Change option is
enabled (see the Options Dialog for information on the Auto Change option).

Auto change (use case of other word): This action allows you to automatically
replace one word with another, always with the same case pattern as the other
word. This action is useful for automatically expanding abbreviations. For example,
you could enter the word TBD with to be determined as the other word and Auto
change (use case of other word) as the action. The spelling checker will
automatically replace TBD with to be determined wherever it appears. Note that the
replacement is made automatically only if the Auto Change option is enabled (see
the Options Dialog for information on the Auto Change option).

FaultTree+ V11.2 115

The Spelling Checker

Conditionally change (use case of checked word): This action allows you to
optionally replace one word with another. For example, if you often type recieve
instead of receive, you might enter the word recieve with receive as the other word
and Auto change (use case of checked word) as the action. The spelling checker
will ask if you want to replace recieve with receive. If recieve was capitalized
(Recieve), the spelling checker would ask if you wanted to replace it with Receive.

Conditionally change (use case of other word): This action allows you to
optionally replace one word with another, always with the same case pattern as the
other word. This action is useful for optionally expanding abbreviations. For
example, you could enter the word TBD with to be determined as the other word
and Conditionally change (use case of other word) as the action. The spelling
checker will ask if you want to replace TBD with to be determined.

Exclude (treat as misspelled): This action tells the spelling checker that the word
is misspelled, even if it is listed in another dictionary. Words marked with this action
will never be offered as suggestions for misspelled words and they will be reported
as misspellings when they are encountered by the spelling checker. Note that the
spelling checker looks up words in user dictionaries in the order in which they
appear in the Files list. If you want to exclude a word, make sure it doesn't appear
in a previous user dictionary.

Ignore (skip): This action tells the spelling checker that the word is spelled correctly
and so can be skipped over. This is the most common action.

Add File button: Opens a user dictionary file. When you select the Add File Button,
a dialog appears which you can use to select the dictionary file to open. The set of
open dictionary files is remembered, so once you add a dictionary file you don't
need to add it again. If you need to create a new user dictionary, use the New
Button. You can open other applications' user dictionary files.

Add Word button: Causes the word entered in the edit area of the Words list to be
added to the currently selected dictionary. The currently selected action and other
word are associated with the word. You can use the Add Word Button to change
the action or other word associated with a word. Note that the Add Word Button is
enabled only when a new word is typed in the edit area of the Words list. The
words you add may contain virtually any character, but only words that contain
embedded periods should have trailing periods (e.g., U.S.A. is OK, but USA. is not).

Close button: Closes the Dictionaries Dialog.

Delete Word button: Causes the word appearing in the edit area of the Words list
to be removed from the currently selected dictionary. The associated action and
other word are also removed.

116 FaultTree+ V11.2

 The Spelling Checker

Export button: Saves the contents of the currently selected dictionary to a text file.
When you select the Export Button, a dialog appears which you can use to select
the name of the text file to which words in the dictionary will be exported. The words
are written to the file one per line.

Files list: Contains the list of open dictionary files. When you select a file from the
list, its contents are displayed in the Words list.

Import button: Adds the words contained within a text file to the currently selected
dictionary. When you select the Import Button, a dialog appears which you can use
to select the text file to be imported. Each word in the selected file is loaded into the
dictionary. Note that importing a large list of words may take some time.

Language: Displays the language (e.g., English or French) of the words in the
currently selected dictionary.

New button: Creates a new user dictionary file. When you select the New Button, a
dialog appears which you can use to specify attributes of the new dictionary. See
the New Dictionary Dialog for details.

Other Word box: Contains an alternate word associated with the currently selected
word. The other word is used in the Auto change and Conditionally change
actions to supply a replacement word. You can enter more than one word in the
Other Word box, but the total length should be limited to 63 characters.

Remove File button: Closes the currently selected dictionary file. Closed
dictionaries are not checked during a spelling check. Although the file is closed, it is
not deleted. Closed dictionary files can be later reopened using the Add File
Button.

Words list: Contains the list of words in the currently selected user dictionary.

Spell checker Options Dialog

You can use the Options Dialog to specify various spelling-checker options. These
options affect the way the spelling checker operates.

Ignore Capitalized Words: When enabled, any words beginning with a capital
letter are ignored (i.e., are skipped over without being checked). You might enable
this option if the text being checked contains many proper names.

Ignore All-Caps Words: When enabled, any words containing all capital letters are
ignored (i.e., are skipped without being checked). You might enable this option if the
text being checked contains many acronyms.

FaultTree+ V11.2 117

The Spelling Checker

Ignore Words with Numbers: When enabled, any words containing embedded
digits are ignored (i.e., are skipped without being checked). Examples of such
words include Win95 and Q4. You might enable this option if the text being checked
contains many code words or other symbols containing digits.

Ignore Words with Mixed Case: When enabled, any words containing an unusual
mixture of upper- and lower-case letters are ignored (i.e., are skipped without being
checked). Examples of such words include MicroHouse and CapsLock. You might
enable this option if the text being checked contains many variable names or other
symbols which use case changes to distinguish words.

Ignore Domain Names: When enabled, any words that appear to be Internet
domain names (such as wintertree-software.com) are ignored (i.e., are skipped
without being checked).

Report Doubled Words: When enabled, any word appearing twice in a row is
reported via the Check Spelling Dialog.

Case Sensitive: When enabled, a distinction is made between capitalized and non-
capitalized words. For example, canada is considered different from Canada, so
canada would be reported as a misspelling. When the option is disabled, canada
and Canada are considered identical. Note that the performance of the spelling
checker will be reduced if this option is disabled.

Phonetic Suggestions: When enabled, suggestions are made based on phonetic

(sounds-like) similarity to the misspelled word. This option tends to improve
suggestions for badly misspelled words. Enabling this option will increase the time
required to locate suggestions. Note that either this option or the Typographical
Suggestions option must be enabled, or no suggestions will be offered.

Typographical Suggestions: When enabled, suggestions are made based on

typographical (looks-like) similarity to the misspelled word. This option is
appropriate for people who are generally good spellers. Note that either this option
or the Phonetic Suggestions option must be enabled, or no suggestions will be
offered.

Suggest Split Words: When enabled, two separate words will be suggested as a
replacement for a misspelling containing two joined words. For example, is the
would be suggested as a replacement for isthe.

Auto Correct: When enabled, words marked with Auto Change actions will
automatically be changed to their specified replacements. When disabled, you will
be prompted before the words are changed.

Suggestions: Determines the speed and accuracy of the initial search for
suggested replacements for misspelled words. When a misspelled word is detected,

118 FaultTree+ V11.2

 The Spelling Checker

a search is automatically made for suggestions. This option controls the speed and
accuracy of this automatic search. Pressing the Suggest Button in the Check
Spelling Dialog causes an increasingly more accurate (but slower) search for
suggestions.

OK button: Closes the Options Dialog and saves any changes made to the option
settings.

Cancel button: Closes the Options Dialog and discards any changes made to the
option settings.

New Dictionary Dialog

You can use the New Dictionary Dialog to specify the attributes of a new user
dictionary.

Browse button: Displays a dialog that shows the names of other user dictionary
files. You can use the dialog to view the names of existing dictionary files and to
enter the name of the new dictionary file.

Cancel button: Closes the New Dictionary Dialog without creating a new
dictionary.

File Name box: Contains the name of the disk file used to hold the contents of the
new dictionary. You can enter a name here or use the Browse Button to display a
dialog showing the names of other dictionary files.

Language list: Specifies the language (e.g., French, English) of the words the new
user dictionary will contain. If the language you want to use is not listed, select
"Any."

OK button: Closes the New Dictionary Dialog and creates the new dictionary.

FaultTree+ V11.2 119

 Diagram Layout Options

12. Diagram Layout Options

Fault Tree Layout Options

A number of layout options are available allowing the user to specify the data
displayed in fault tree diagrams and determine the appearance of fault tree
symbols.

The user may choose whether to hide or show the following items in fault tree
diagrams:

Background grid
Notes and Hyperlinks
Event probability values
Event parameters (principal parameters only)
Gate probability values
Calculated gate and event probability values
Sequencing status
Generic data names
Name borders
CCF model names
CCF parameters
CCF tags
Repeat bars

The background grid, notes and hyperlinks hide/show status may be set on the
View pull-down menu. The other hide/show settings may be set in the View Tab of
the Project Options Dialog.

The background grid is used to snap objects into position when performing shift
operations. Calculated gate and event probability values will only be shown if the
calculation results are up-to-date. Gate probability values will only be shown for
gates with the Retain Results flag set on. Initiator/enabler status flags will only be
shown for gates when the calculation results are up-to-date and the gate status is
initiator only or enabler only. CCF tags indicate that a CCF model has been
associated with the event.

Users may request the program to display a special tag symbol if the gate is
repeated on the same page. This special symbol (a triangle with a bar drawn below
it) will only be visible in screen displays and not in printed reports (they are not
necessary in printed reports as the page reference indicates that the gate is
repeated on the same page). The special symbol will be displayed if the Show
Repeat Bars check box is set in the Project Options Dialog (View Tab). The

FaultTree+ V11.2 121

Diagram Layout Options

program will also draw a bar below transfer symbols associated with the repeated
events on the same page.

Special Tag with Repeat Bar

The Reveal Notes and Hyperlinks setting on the View pull-down menu indicates
whether a note category or hyperlink is revealed as the mouse cursor passes over
the gate or event symbol in the diagram.

Line weights may be modified for fault tree symbols and event tree branches and
column headers. A value of 1, 2 or 3 may be selected for the line weight. To
modify line weights, select the Line Weight options on the View pull-down menu.

The View menu may also be used to disable fault tree paging. If the Disable
Paging flag is set on, the program will ignore all gate page flags when drawing the
fault tree. This allows the user to quickly view the whole fault tree under a given
TOP gate without switching individual page flags off. To toggle the disable fault tree
paging mode on and off, select the View, Disable Paging option or press the Ctrl
and F keys together.

Users may also request FaultTree+ to automatically paginate all the fault trees in a
project. Selection of the View, Auto Paginate pull-down menu option results in the
user being prompted to enter the number of levels per page required. This
corresponds to the number of rows of gate and event symbols you would like as a
maximum on each page.

Auto Paginate Prompt

The View menu may also be used to navigate between fault tree pages. The
Change Page option allows a user to switch pages according to which gate is
selected in the fault tree diagram. If the TOP gate in the display is selected, the
program will automatically display the fault tree page above the selected gate
(unless the selected gate does not feed into another page). If a gate other than the
displayed TOP gate is selected, the program will reset the selected gate as the new
displayed TOP gate. The Change Page option may also be selected by pressing
the Ctrl and P keys together or by selecting the equivalent toolbar button.

122 FaultTree+ V11.2

 Diagram Layout Options

Users may also modify the colour scheme used for fault tree gates and events via
the Project Options Dialog (Colours Tab). Default colours may be set for the
various gate and event types. Users may override the default colour for an
individual gate or event in the Edit Gate Dialog and Edit Event Dialog,
respectively.

The user may select different fonts and different font colours for elements in the
fault tree diagram. Diagram fonts fall into two categories - global fonts and local
fonts. By default, the descriptive and name text appearing in fault tree diagrams is
associated with global fonts. When a global font is changed, all the text associated
with the global font category is changed. Local fonts are used to highlight text
associated with individual items (e.g. a gate). For example, the user may wish to
select an italic font or a red colour for the font to emphasise the importance of an
individual gate failure.

Global fonts are specified for the following text categories:

Fault tree names

Fault tree descriptions
Plots and charts

Eight different local fonts may be set at any one time. Local fonts are identified by
an index number (0 to 7).

Both global and local fonts may be changed by selecting the Fonts option on the
View pull-down menu. A standard Windows Font Dialog will be displayed
allowing you to choose the required font. FaultTree+ will allow you to choose any
installed fonts on your system.

Fonts Dialog

FaultTree+ V11.2 123

Diagram Layout Options

You may associate either a general font or a local font with individual items using
the Edit Dialog for that item. For example, the Edit Event Dialog provides a
combo-box allowing you to select a global or local font for the event description that
appears in the rectangle above the event in fault trees. A similar combo-box is
provided for gates in the Edit Gate Dialog.

Note that the fonts used in fault tree diagrams are automatically scaled when you
use any of the fault tree scaling functions. Font sizes selected in the Font Dialog
correspond to the font size actually used when the fault tree diagram scale factor is
set to the default value of 1.

Scaling Fault Tree Diagrams

FaultTree+ provides a number of different options for scaling fault tree diagrams.

Zoom Out

The zoom out facility reduces the scale of fault tree diagrams by half. To implement
this function, select the Zoom Out option on the Scale pull-down menu.

Zoom In

The zoom in facility doubles the magnification of the fault tree diagram. To
implement this function, select the Zoom In option on the Scale pull-down menu.

Set Scale Factor

This facility allows the user to specify a scale factor for fault tree diagrams. The
default scale factor is 1. Values between 0.01 and 10 are permitted. To change the
scale factor, select the Set Scale Factor option on the Scale pull-down menu.

Reset to Default

This facility allows the user to reset the scale factor to its default value of 1. To reset
the scale factor to its default value, select the Reset to Default option on the Scale
pull-down menu. This option also shifts the diagram to its default position.

Fit To Screen

The fit to screen facility automatically rescales fault tree plots so that the visible plot
fits neatly into the current diagram edit area. To fit the plot to the diagram edit area,
select the Fit to Screen option on the Scale pull-down menu.

124 FaultTree+ V11.2

 Diagram Layout Options

Shifting Fault Tree Diagrams

FaultTree+ provides the user with a number of different methods for shifting the
visible fault tree diagram or parts of that diagram.

Whenever a fault tree diagram is displayed, you will see vertical and horizontal
scroll bars positioned alongside the edit area. You may shift the whole of the fault
tree diagram using the scroll bar arrow buttons or thumb controls. Arrow buttons
are activated by clicking the left mouse button whilst thumb controls are moved by
holding the left button down with the cursor over the thumb area.

Gates, events and labels within a fault tree diagram may be shifted by selecting the
appropriate object and then using the mouse to drag the object to a new position.
When an object is selected, it is surrounded by a red frame that can be used to drag
the object around in the drawing area. When the cursor is moved over the frame, it
changes to a familiar 'drag' cursor. If the left mouse button is then pressed down,
the frame will move around with the cursor. When the left mouse button is released
the object will be shifted to the frame position. If a gate is shifted in this way, the
visible sub-tree underneath the gate will also be shifted.

Shifted objects are snapped to a background grid according to the Grid Alignment
options in the Project Options Dialog (General Tab). You may display the
background grid if you wish by selecting the Show Grid option on the View pull-
down menu.

You may also shift parts of the visible fault tree by selecting a gate, event or label
symbol and choosing one of the Shift Selection options on the Shift pull-down
menu. Alternatively, use the associated accelerator keys. Objects will be shifted
pixel by pixel on the screen and will not be snapped to the grid.

When you shift a fault tree gate or event symbol, the program records horizontal
and vertical offset distances for that individual symbol. These offsets will be
retained even if the tree structure is extended. You may clear offsets by selecting
the Clear Visible Offsets or Clear All Offsets options on the Shift pull-down menu.

Fault tree diagrams may be compressed automatically to allow more information to

be displayed on each printed portrait page. This facility may be accessed from the
Shift pull-down menu option. The automatic shift facility will assign offset values to
gates and events to achieve the compressed layout. Selection of the Clear All
Offsets option will therefore restore gate and event positions to the default layout.

FaultTree+ V11.2 125

Diagram Layout Options

LOSS OF
COOLING LEG
1

SYS2

PUMP 1 VALVE 1 NON-RET URN

U NAVAIL ABL E CLOSED VALVE
STUCK
CLOSED

PUMP1 VALVE1 NRV1 EVENT 1

LOSS OF PUMP 1 LOSS OF VALVE 1

BOARD A PRIMARY SUPPLY T O ST UCK
S UP PLY FAILURE BOARD B CLOSED

ELECA EP1 ELECB EV1 EVENT 2

LOSS OF ROUTE FROM

BOARD A BOARD A T O
SUPPLY BOARD B
LOST

ELECA LAT OB

T 3 OR C3 T 4 OR C4
FAIL ED FAILED

T 3C3 T 4C4

CONT ACT TRANSFORMER CONT ACT TRANSFORMER

BREAKER 3 3 FAILURE B REAKER 4 4 FAILURE
F AIL UR E FAILURE

C3 T3 C4 T4

Diagram before compression

126 FaultTree+ V11.2

 Diagram Layout Options

LOSS OF
COOLING LEG
1

SYS2

PUMP 1 VALVE 1 NON-RETURN

UNAVAILABLE CLOSED VALVE STUCK
CLOSED

PUMP1 VALVE1 NRV1 EVENT1

LOSS OF PUMP 1 LOSS OF VALVE 1

BOARD A PRIMARY SUPPLY TO STUCK
SUPPLY F AILU RE BOARD B CLOSED

ELECA EP1 ELECB EV1 EVENT2

LOSS OF ROUTE FROM

BOARD A BOARD A T O
SUPPLY BOARD B LOST

ELECA LATOB

T3 OR C3 T4 OR C4
FAILED FAILED

T3C3 T4C4

CONTACT T RANSFORMER CONTACT T RANSFORMER

BREAKER 3 3 FAILURE BREAKER 4 4 FAILURE
F AILU RE FAILURE

C3 T3 C4 T4

Diagram after compression

Fault tree diagrams may be aligned to the centre of the diagram edit area by
selecting the Align to Centre option on the Shift pull-down menu.

Gates and events in the diagram may be aligned to the same horizontal level by
selecting the Shift, Align Selections pull-down menu option. The user must first
select all gates and events to be aligned. To make multiple selections, hold the Ctrl
key down whilst selecting symbols with the mouse.

If you wish to re-order the inputs to a gate in the fault tree then select the input gate
or event and use the left and right arrow keys to move the selected input.

FaultTree+ V11.2 127

Diagram Layout Options

Event Tree Layout Options

A number of layout options are available, allowing the user to specify the data
displayed in event tree diagrams and select the line weight of event tree branches
and columns.

The user may choose whether to hide or show the following items in the event tree
diagrams:

Background grid
Notes and Hyperlinks associated with columns
Branch types
Branch names
Partial probability values
Branch probability values
Column probability values
Column event names
Total frequency
Borders
Probability column

The background grid, notes and hyperlinks hide/show status may be set on the
View pull-down menu. The other hide/show settings may be set in the View Tab of
the Project Options Dialog.

The background grid is used to snap labels into position when performing shift
operations. Gates associated with event tree columns should have the Retain
Results flag set on to allow the columns to display the gate unavailability. Partial
probabilities are shown for branches associated with a partial failure gate or a
partial failure event. The total frequency is displayed at the top of the event tree
frequency column. It represents a summation of all the sequence failure frequencies
displayed in that column. The probability column will appear to the right of the
frequency column. Probability values are displayed in this column after a calculation
has been successfully completed. The probability column displays the probability of
enabler sequences (the sequence frequency divided by the initiating event
frequency).

Line weights may be modified for event tree branches and column headers. A
value of 1, 2 or 3 may be selected for the line weight. To modify line weights select
the Line Weight options on the View pull-down menu.

The View menu may also be used to set page markers on all branches in a given
column. This has the effect of splitting large event trees into separate pages that
may be accessed using the View, Change Page pull-down menu option or
equivalent toolbar button. The View, Change Page option will navigate between
event tree pages depending on which branch is currently selected. If a branch is

128 FaultTree+ V11.2

 Diagram Layout Options

selected with page arrows pointing to the left then the event tree to the left of the
branch will be displayed. If a branch with arrows pointing to the right is selected, the
page to the right of the branch will be displayed. The Change Page option may
also be selected by pressing the Ctrl and P keys together, or by selecting the
equivalent toolbar button.

The View menu may also be used to disable event tree paging. If the Disable
Paging flag is set on, the program will ignore all branch page flags when drawing
the event tree. This allows the user to quickly view the whole event tree without
switching individual page flags off. To toggle the disable paging mode on and off,
select the View, Disable Paging option or press the Ctrl and E keys together.

The user may select different fonts for elements in the event tree diagram. Diagram
fonts fall into two categories - global fonts and local fonts. By default, the
descriptive and name text appearing in event tree diagrams is associated with
global fonts. When a global font is changed all the text associated with the global
font category is changed. Local fonts are used to highlight text associated with
individual items (e.g. a column or a branch). For example, the user may wish to
select an italic font to emphasise the importance of an individual branch failure.

Global fonts are specified for the following text categories:

Column descriptions
Column probabilities and events
Branch descriptions
Consequence descriptions
Plots and charts

Eight different local fonts may be set at any one time. Local fonts are identified by
an index number (0 to 7). Both global and local fonts may be changed by selecting
the Fonts option on the View pull-down menu. A standard Windows Font Dialog
will be displayed, allowing you to choose the required font. FaultTree+ will allow
you to choose any installed fonts on your system.

Fonts Dialog

FaultTree+ V11.2 129

Diagram Layout Options

You may associate either a general font or a local font with individual items using
the Edit Dialog for that item. For example, the Edit Column Dialog provides a
combo-box allowing you to select a global or local font for the column description
that appears in the column header. A similar combo-box is provided for branches in
the Edit Branch Dialog.

Note that the fonts used in event tree diagrams are automatically scaled when you
use any of the event tree scaling functions.

Scaling Event Trees

The diagram edit area is occupied by a background grid that is used to position the
branches in an event tree. No more than one branch can occupy a single cell in the
grid. By modifying the number of rows and columns in the grid, you can effectively
magnify or diminish the event tree diagram. If you wish to view the background grid,
select the View, Show Grid pull-down menu option.

The number of rows and columns in the event tree grid may be modified by
selecting the Event Tree Grid option on the Scale pull-down menu. Note that the
number of columns must be between 6 and 32. The number of rows must be
between 8 and 128.

The scale setting you choose will apply to the currently visible event tree page.

Edit Rows and Columns Dialog

130 FaultTree+ V11.2

 Project Options

13. Project Options

General Options

General project and environment options may be accessed by selecting the Tools,
Options pull-down menu option and then selecting the General Tab in the Project
Options Dialog.

Project Options Dialog (General Tab)

Environment settings will apply to all projects, whereas project settings will only
apply to the specific project. Note that project settings will be saved in the project
file.

Default Project Folder

The default project folder is used by the File, Open Project pull-down menu option.
Use the Browse Button to specify the default project folder for your project files.

Default Library Folder

The default library folder is used by the File, Connect to Library pull-down menu
option. Use the Browse Button to specify the default library folder for your library
files.

FaultTree+ V11.2 131

Project Options

Auto Backup

If the automatic backup is set on, FaultTree+ will save project data to a backup file
at the specified interval. The backup file will be given the same base name as the
current project (or temp, if there is no current project name defined) and the
extension .bak. If necessary, backup files may be opened using the File, Open
Project pull-down menu option.

Delete Selection and Below in Fault Trees

If this option is set, FaultTree+ will assume that when you delete a gate that is
selected in the fault tree diagram, all connected gates and events below the gate
should also be deleted.

Disable Deletion Dependency Checks

This option disables dependency checks whenever an item from any of the project
tables is deleted. Dependencies arise when one item (e.g. an event) has some
connection with another item (e.g. a gate). The user will be prevented from deleting
dependent items unless the dependency check is disabled.

Use IEC Symbols in Diagrams

The IEC Standard 1025 and British Standard 5760 (Part 7) specify alternative
symbols which may be used to indicate OR, AND, VOTE and EXCLUSIVE OR
gates within a fault tree. If this option is selected, FaultTree+ displays these symbols
within the normal diagram symbols.

Gate Logic IEC/BS Symbol

OR >=1
AND &
VOTE >=m
EXCLUSIVE OR =1

No Tags on Transfer Gates

Individual gates in a fault tree may be drawn with transfer tags according to the
setting of the Tag Option in the Edit Gate Dialog. Users may force FaultTree+ not
to draw a transfer tag if the gate type is TRANSFER by setting the No Tags on
Transfer Gates option.

132 FaultTree+ V11.2

 Project Options

Disable Identical Gate/Event Name Checks

When the name of a gate is changed, FaultTree+ will check to see if an event exists
with the same name (identical gate and event names may cause confusion). If such
an event exists then the user will be forced to change the gate name. If the Disable
Identical Gate/Event Name Checks flag is set then this check will not be made.
Similar checks are made when changing the names of events.

It is possible, although unlikely, that matching gate and event names will occur
when adding new gates and events to the diagram or when copying and pasting
data. If the Disable Identical Gate/Event Name Checks flag is not set then a check
will be made during data verification. Data verification is automatically performed
before an analysis takes place.

Delimiter for Cut Sets

By default, events within a single cut set are delimited by a . (dot) symbol in the
Results Summary Dialog and also in printed reports. Users may wish to change
the delimiter (particularly if a dot symbol has been used in event names). Suggested
alternative symbols are illustrated for a cut set containing three events, EV1, EV2
and EV3:

EV1. EV2. EV3

EV1^ EV2^ EV3
EV1& EV2& EV3

Default Data Model

The default failure and repair data model is the model that will be applied to all
newly created events and generic models. The data model may later be modified
by the user via the Edit Event Dialog or Edit Generic Model Dialog.

Disable Fault Tree Description Reformat

If the Disable Fault Tree Description Reformat flag is set on, all text in fault tree
diagram description boxes will be left-justified rather than centralised.

Disable Fault Tree Descriptions

If the Disable Fault Tree Descriptions flag is set on, the program will draw the fault
tree diagram without any text in the description boxes. This option prevents
cluttering of information when viewing large fault trees at a low magnification.

FaultTree+ V11.2 133

Project Options

Disable Circular Logic Checks

This option disables circular logic checks when creating new gates in a fault tree.
As you construct a fault tree, the program checks for circular logic when you modify
a gate.

Set Names to Upper Case

FaultTree+ distinguishes between upper and lower case characters when

comparing object names. For example, an event with the name PUMP1 will be
considered to be a different event from an event with the name pump1. Many
users will find it convenient just to use upper case characters for names. If the Set
Names to Upper Case flag is set on, the program will automatically convert
characters to uppercase as they are typed into the dialog controls by the user. If you
wish to convert lowercase names to uppercase (for example, when they have
originally been entered in old projects) then FaultTree+ will offer the user the
opportunity to do this when exiting the Project Options Dialog.

Auto Set ET Branches to NULL on Delete

If this flag is checked, the program will change the remaining event tree branch type
to NULL if the user deletes a branch within a failure and success pair.

Use TRUE/FALSE for ET Branch Labels

If this flag is set on, the program will use TRUE and FALSE rather than FAILURE
and SUCCESS for labelling event tree branches.

Check ET Branch Probability Consistency

If this flag is set on, FaultTree+ will check that the probability values of all event tree
branches originating from a single branch in the previous column summate to 1.
The check is performed as part of the results verification process, so
inconsistencies will only be identified after an analysis has been performed.

Apply Strict Initiator/Enabler Checks

If you categorise any events as being initiator only or enabler only events then
FaultTree+ automatically checks that you have not specified any invalid
combinations of events in the tree structure before performing an analysis. Error
messages are given in the Structure and Data Verification Dialog. The program
checks that AND gates have no more than one initiator input. If the Apply Strict
Initiator/Enabler Checks flag is set on, the program also checks that OR gates have
either no initiator inputs, or all inputs are initiators.

134 FaultTree+ V11.2

 Project Options

Grid Alignment

If the grid alignment is set to fine, medium or coarse snap then gates, events and
labels in fault tree diagrams will be aligned with the background grid after they are
manually shifted by the user (using the symbol drag facility). The background grid
may be displayed by selecting the Show Grid option on the View pull-down menu.
Labels in the event tree diagram will also be aligned to the grid if this option is
selected. Note that fine shifts performed on labels and fault tree symbols (Shift,
Shift Selection pull-down menu options or the associated accelerator keys) will not
be aligned to the background grid.

Reports Options

Reports options may be accessed by selecting the Tools, Options pull-down menu
option and then selecting the Reports Tab in the Project Options Dialog.

Project Options Dialog (Reports Tab)

Show Note Symbols

If this flag is set on, the program will show a note symbol in reports alongside gates,
events and event tree columns if there is an associated note.

FaultTree+ V11.2 135

Project Options

Show Transfer Page Nos.

FaultTree+ automatically assigns page numbers to transfer symbols in a printed

report if this option is selected. Page number references are very useful in large
reports as they allow users to quickly navigate their way through the fault tree
structure.

Colour Fault Tree Reports

If this flag is set, FaultTree+ will produce colour fault tree reports rather than black
and white reports.

Don't Repeat Already Drawn Structures

Users may request FaultTree+ to only print repeated fault tree structures a single
time in a report. If this option is requested, the structure will only be drawn on the
first page in which it appears.

Auto Resize Event Tree Pages

Printed event tree pages are scaled according the number of rows and columns
values set using the Scale, Event Tree Grid pull-down menu option. This scale
setting also determines the number of rows and columns of an event tree page
shown in the diagram edit area. If an individual page of an event tree has more rows
or columns than the specified scale setting, only part of the event tree page will be
shown in a printed report. If the Auto Resize Event Tree Pages flag is set on,
printed event tree pages will be re-scaled automatically to ensure that the entire
event tree page is shown in the report.

Use Names for Metafiles

If this option is selected, FaultTree+ will append the names of page TOP gates or
event tree initiator branches to the names of metafiles created by the program (File,
Diagram to Metafile pull-down menu options). This allows users to readily identify
the source of each metafile.

Start Page Number

If you are inserting printed diagrams (or diagram metafiles) into an external
document containing text (e.g. a Microsoft Word document), you may wish the page
number references within the diagrams to be consistent with your external
document. By default, all printed diagrams are assumed to start at page 1.
However, this may be changed by the user by resetting the Start Page Number
value. Note that this setting does not affect the page numbers displayed in the
footers of printed reports produced directly by the FaultTree+ report generator.
Normally this facility would be used when exporting diagrams to a rich text format

136 FaultTree+ V11.2

 Project Options

file that is to be inserted into a Word document at a position other than the first
page.

Maximum Symbol Size

The maximum symbol size value determines the size of fault tree symbols drawn in
printed reports. If the size requested by the user would result in a particular fault
tree diagram not fitting the printer page then FaultTree+ will override the size
requested to ensure the diagram fits on the printed page. The default setting is 1.

FT/ET Line Weight Multipliers

The FT and ET Line Weight Multipliers change the weight of lines drawn in fault and
event tree diagrams for reports only. They do not affect the weight of lines drawn on
the screen.

Metafile Page Width and Height

The metafile page width and height values specify the width and height settings of
metafiles created using the File, Diagram to Clipboard and File, Diagram to
Metafile pull-down menu options. Page widths and heights must be specified in
millimetres.

Fault and Event Tree Report Rotation

Fault and event tree diagrams may be rotated by 90 degrees in FaultTree+ reports.
This facility allows users to maintain their header information in portrait format whilst
rotating the diagrams to landscape. Note that this facility is available for Windows
NT/2000/XP but is not supported in Windows 95/98/Me.

Library Options

Library options may be accessed by selecting the Tools, Options pull-down menu
option and then selecting the Library Tab in the Project Options Dialog.

FaultTree+ V11.2 137

Project Options

Project Options Dialog (Library Tab)

Before appending data from a connected library or an external project file, the user
may specify whether items with matching names should be renamed. In addition,
the user may specify whether labels are to be transferred from an appended project.
The renaming facility is provided to ensure that different items which are given the
same name in different projects and libraries (maybe because default names were
used) are not treated as the same item when the append operation takes place. For
example, the event EVENT1 might represent a pump failure in one project or library
and a valve failure in another project or library. As the events haven't been given
unique names such as PUMP and VALVE, the event from the appended project or
library needs to be renamed. Using the renaming facility ensures the independence
of items is maintained where necessary during an append operation. There may be
other circumstances when you do not wish items to be renamed during the append
operation. For example, if you have many common events occurring in different
fault tree projects and libraries that are later to be appended, you may wish to set
the rename function off for events. If one such event was named POWER
(representing power supply failure), and this event occurred in the current project as
well as the appended project or connected library, then, if the rename function was
set off for events, FaultTree+ would not rename this or any other event during the
append operation.

138 FaultTree+ V11.2

 Project Options

Note that if the rename facility is set off, the append function will ignore conflicting
data definitions in appended projects or connected libraries for events, generic data,
CCFs, consequences, Markov models, event groups and model groups. For
example, if the current project contains a CCF named VIBRATION and a project is
appended which also contains a CCF named VIBRATION, the original CCF
definition will be retained and the new definition ignored. If the appended project
contains conflicting initiator names for event trees, the appended initiators and
branches will be automatically renamed.

The Append Labels flag indicates whether fault and event tree diagram labels
should be transferred along with the associated fault and event trees.

The Create models when importing library parts indicates whether a generic model
or generic parameter will be created as items are dragged and dropped onto the
Generic Data node from the IsoLib Parts Library. When checked a generic model
will be created, otherwise a generic parameter failure rate will be created.

Colour Options

Colour options may be accessed by selecting the Tools, Options pull-down menu
option and then selecting the Colours Tab in the Project Options Dialog.

Project Options Dialog (Colours Tab)

The Colours Tab may be used to set the default colours for gate and event symbols
in the fault tree diagram. Default gate and event colours may be overridden on

FaultTree+ V11.2 139

Project Options

individual gates and events by setting the colour in the Edit Gate or Edit Event
Dialogs, respectively.

View Options

View options may be accessed by selecting the Tools, Options pull-down menu
option and then selecting the View Tab in the Project Options Dialog.

Project Options Dialog (View Tab)

Show Event Probability

If this flag is selected, the program will display calculated probability values for
events in the fault tree diagram. Calculated values will only be shown if the analysis
results are up-to-date.

Show Event Parameters

If this flag is selected, the program will display event failure model parameters in the
fault tree diagram.

140 FaultTree+ V11.2

 Project Options

Show Gate Probability

If this flag is selected, the program will display calculated probability values for
gates in the fault tree diagram. Calculated values will only be shown if the analysis
results are up-to-date.

Gate and Event Probability Preferences

These radio buttons allow users to select the types of calculated probability
parameters to be displayed for gates and events. The options are:

Unavailability
Frequency
Unavailability & Frequency
MTTF
MTTR
MTTF & MTTR

Show Q/T Preference

If this flag is selected, the program will display Q/T (unavailability divided by system
lifetime), rather than calculated unavailability values for gates.

Show CFI Preference

If this flag is selected, the program will display CFI (conditional failure intensity),
rather than calculated frequency values for gates.

Show MTBF Preference

If this flag is selected, the program will display MTBF (mean time between failures),
rather than calculated MTTF (mean time to failure) values for gates.

Show Sequencing Status

If this flag is selected, the program will display the sequencing status alongside
gates (initiators or enablers) and events. The status for events will only be displayed
if the sequencing setting differs from off. The status for gates will only be displayed
if the gate is an initiator only or enabler only gate and the calculations are up-to-
date.

Show Generic Data Names

If this flag is selected, the program will display the names of generic models and
parameters below the event to which they are attached.

FaultTree+ V11.2 141

Project Options

Show Name Borders

If this flag is selected, the program will display a border around gate and event
names in the fault tree diagram.

Show CCF Model Names

If this flag is selected, the program will display the names of CCF models below the
event to which they are attached.

Show CCF Parameters

If this flag is selected, the program will display the CCF parameters below the
events to which the CCF model is attached.

Show CCF Tags

If this flag is selected, the program display will a CCF model tag alongside events
attached to a CCF model.

Show Repeat Bars

Users may request the program to display a special symbol if the gate is repeated
on the same page. This special symbol (a triangle with a bar drawn below it) will
only be visible in screen displays and not in printed reports (they are not necessary
in printed reports as the page reference indicates that the gate is repeated on the
same page). The special symbol will be displayed if the Show Repeat Bars check
box is checked. The program will also draw a bar below transfer symbols
associated with the repeated events on the same page.

Special Tag with Repeat Bar

Show Branch Type

If this flag is selected, the program will display the type of each branch in the event
tree diagram. Valid types are Failure, Success and Null. If the user has set the Use
TRUE/FALSE for ET Branch Labels flag in the General Tab of the Project Options
Dialog then the valid types will be True, False and Null. If a branch is associated
with a partial gate or partial event failure then the name of the gate or event will be
displayed.

Show Branch Name

If this flag is selected, the program will display branch names.

142 FaultTree+ V11.2

 Project Options

Show Partial Probability

If this flag is selected, the program will display the probability of partial events and
partial gates alongside the branch, if the calculation results are up-to-date.

Show Probability on Branches

If this flag is selected, the program will display the probability associated with a
branch. This probability value will originate from the gate or event associated with
the column header if the failure (true) or success (false) branch type is set. The
probability value will originate from the gate or event associated with the branch if
the partial gate or partial event branch type is set. Probability values will only be
shown if the calculation results are up-to-date.

Show Column Probability

If this flag is selected, the program will display probability values below the column
headers. If an enabler column is associated with a gate then the gate unavailability
will be shown. If an enabler column is associated with an event then the event
unavailability will be shown. The initiator column will have the frequency of the gate
or event displayed. Probability values will only be shown if the calculation results
are up-to-date.

Show Column Names

If this flag is selected, the program will display the names of gates and events
associated with the column. Gate names will be preceded with a # symbol.

Total Frequency

If this flag is selected, the program will display the total frequency and total
probability (if the probability column is visible) of all sequences in the visible event
tree.

Show Borders

If this flag is selected, the program will display vertical border lines either side of the
consequence, frequency and probability columns.

Probability Column

If this flag is selected, the program will display the probability column to the right of
the frequency column. The probability column displays the probability of sequences
calculated by dividing the sequence frequency by the initiating event frequency.

FaultTree+ V11.2 143

Project Options

Precision Options

Precision options may be accessed by selecting the Tools, Options pull-down

menu option and then selecting the Precision Tab in the Project Options Dialog.

Project Options Dialog (Precision Tab)

The settings in the Precision Options Dialog determine the precision of calculated
numbers (such as unavailability, frequency, etc.) displayed within the FaultTree+
program. Settings in this dialog do not affect the precision of numbers displayed in
printed reports.

The user may specify a precision value of 2, 3, 4, 6 or 9 and a format type of

automatic or exponent. The precision value determines the number of significant
figures displayed in floating point numbers. Selection of the automatic format will
result in floating point numbers being displayed either in standard numerical format
or as a number followed by an exponent. The format chosen by the program will
depend on the absolute value of the individual floating point number. If the exponent
option is chosen then floating point numbers will be followed by an exponent unless
the exponent value is zero. Consider the floating-point number

0.001234567

144 FaultTree+ V11.2

 Project Options

The table below illustrates how the number will be displayed for a variety of format
and precision combinations.

Format Precision Displayed Number

Automatic 6 0.00123457
Automatic 3 0.00123
Exponent 6 1.234567e-3
Exponent 3 1.234e-3

Sets Generation Options

The sets generation options affect the methods that are used to generate the
minimal cut sets during an analysis and the way in which quantitative results are
calculated.

Sets generation options may be accessed by selecting the Tools, Options pull-
down menu option and then selecting the Sets Generation Tab in the Project
Options Dialog.

Project Options Dialog (Sets Generation Tab)

FaultTree+ V11.2 145

Project Options

Order Cut-Off

The Order Cut-Off, when set on, will determine which minimal cut sets are
discarded, during an analysis, due to the number of events occurring within the cut
set. For example, a minimal cut set consisting of 5 basic events will be discarded if
the order cut-off is set at 4, but not if the order cut-off is set at 5. Note that success
states are included when determining the order of a cut set unless the Exclude
Success option is selected.

Probability Cut-Off

If the Probability Cut-Off is set on, the program will determine which minimal cut
sets are discarded, during an analysis, due to the occurrence probability or
frequency of the cut set. The frequency cut-off value is applied to cut sets
representing an initiator gate within a fault tree and to all cut sets generated within
an event tree. The unavailability cut-off value is applied to all other cut sets
generated within a fault tree. It is advisable to apply a probabilistic cut-off, rather
than an order cut-off, as high order cut sets cannot be guaranteed to have a low
occurrence probability.

Consequence Cut-Off

If the Consequence Cut-Off flag is set on, the specified frequency factor will be
used to determine how many cut sets are retained for individual consequences
connected to event tree end branches. Each cut set frequency is compared with the
maximum cut set frequency for the consequence. If the factor difference is lower
than the factor cut-off, the cut set is discarded.

Success State Cut-Off

If the Success State Cut-Off flag is set on, the specified probability factor will be
used to determine whether or not to retain individual success states appearing in a
cut set. If the probability of the failure state of an event is relatively small then the
effect of the success state on the probability of the cut set will be relatively small
also. Removing success states of events with low failure probabilities may speed up
the calculation process significantly whilst providing very little loss of accuracy.
Success states will only be introduced into the cut sets for a fault tree if the user has
included NOT or XOR (exclusive OR) gates with Full Fault Tree NOT Logic
applied. The default probability factor setting is 0.01.

Dormant Failure Model

Users may choose one of three dormant failure model analysis options. Selecting
different options will affect the way calculations are performed for events associated
with the DORMANT and SEQUENTIAL failure and repair models.

146 FaultTree+ V11.2

 Project Options

If the Mean option is selected the following expression is used to determine the
unavailability of events associated with the DORMANT failure model:

. (1 e ) + . MTTR.(1 e )
Q=
. + . MTTR.(1 e )

where Q = event unavailability

= failure rate
= inspection interval
This expression represents a mean unavailability value for an individual event
between inspections.

If the Max option is selected, the program will use maximum risk values for events
associated with the DORMANT failure model. If maximum risk is applied to the
DORMANT model, the following expression is used:

Q = 1 e
If the IEC 61508 option is selected then DORMANT failure models will be treated
the same as the Mean case except when evaluating a cut set containing two
dormant events (i.e. two events associated with the DORMANT failure model). In
such cases the program will calculate the mean of the product of the individual
unavailability values as recommended in IEC 61508-6 (this is a different approach
to the Mean option calculation that calculates the product of the means).

The SEQUENTIAL failure model uses the following expression if either the Mean
or IEC 61508 settings are selected:

Qn = 1 exp( n Tn / 2)
If the Max option is selected, the SEQUENTIAL model will use the following
expression to represent dormant unavailability for a component:

Qn = 1 exp( n Tn )

Approximation Methods

There are a number of different approximation methods that are available to

calculate the unavailability values and failure frequencies of gates within the fault
tree and consequences associated with an event tree. These approximation

FaultTree+ V11.2 147

Project Options

methods are necessary due to the computational time involved in calculating exact
probabilistic parameters when more than just a few minimal cut sets are produced.
The default fast upper bound approximation methods provided by FaultTree+ are
widely used and, as the name suggests, provide an upper bound (pessimistic) value
to calculated TOP event unavailability and frequency values. For reliable systems,
these approximations are usually very close to the exact values that may take
significantly longer to compute. The recommended setting for approximation
methods is therefore Default.

Large Memory Buffer

During the cut set generation process, FaultTree+ automatically allocates memory
to temporarily store cut set information. If the analysis process generates many tens
of thousands of retained minimal cut sets, the program may require additional
memory. This memory is automatically re-allocated. The re-allocation of memory,
however, may reduce the efficiency of the cut set generation process (the time
taken to generate the cut sets is increased). By initially assigning a greater amount
of memory, it is possible to reduce the time taken to generate the minimal cut sets.
Users may choose a large initial memory allocation by selecting the Large Memory
Buffer option.

Implicit House Events

If the Implicit House Events flag is set on, all events associated with a FIXED data
model will be set to house events for the purposes of the analysis, if their
probabilities are exactly 0 (FALSE house event) or 1 (TRUE house event). If the
Implicit House Events flag is set off, only events with their logic modes explicitly set
to True or False will be treated as house events during the analysis.

Visible ET Consequences Only

If the Visible ET Consequences Only flag is set on, consequence results will only
be produced for the visible event tree and any connected secondary event trees.

Auto Sequence PRIORITY AND

If this flag is set on, FaultTree+ will automatically assign sequence settings to gates
and events connected directly below a PRIORITY AND gate. The sequence setting
will depend on the order of the event inputs working from left to right. An events
sequence setting may also be modified directly in the Edit Event Dialog.

Perform CCF Analysis

If the Perform CCF Analysis flag is set on, the program will take note of CCF
models associated with events and automatically generate the additional cut set

148 FaultTree+ V11.2

 Project Options

events required to represent these models. The final cut sets produced for gates
and consequences will therefore contain additional CCF events if this flag is set on.

Adjust Independent Q

If the Adjust Independent Q flag is set on, FaultTree+ will calculate the
independent and dependent unavailability of events in a CCF group using the
following expressions:
QI = (1 ). QT
QCCF = . QT

where = beta factor

QI = independent unavailability
QT = total unavailability
QCCF = unavailability due to CCF
If the Adjust Independent Q flag is set off, FaultTree+ will calculate the
independent and dependent unavailability of events in a CCF group using the
following expressions:
Q I = QT
QCCF = .QT

Use Minimum/Maximum/Mean Q in Group

A single CCF model may be assigned to a group of events with different failure
models or parameters assigned to them. If the event failure models are different for
the same CCF group, the program will use the minimum, maximum or mean total
event probability to calculate the CCF probability values. Users may select which
method to adopt in the Project Options Dialog.

Sort Cut Sets

Cut sets may be sorted by unavailability, failure frequency or by cut set order.
Alternatively, sorting may be set off. You may also set the maximum number of
sets to be sorted. Specifying a maximum limit reduces the amount of computing
time required for sorting large numbers of sets. You may wish to set the sort limit to
the same value as the maximum number of sets printed in a report (set in the
Print/Export Options Dialog).

FaultTree+ V11.2 149

Project Options

Custom Options for Approximation Methods

As an alternative to the default method, selection of the Custom Options Button in

the Sets Generation Tab in the Project Options Dialog reveals a range of options
for the experienced user (which include the exact calculation of TOP event
parameters).

Custom Options Dialog

Custom options are discussed in more detail below. The default custom options
(which are also the same options used for the default method) are:

Defaults for fault tree calculations:

Optimum upper-bound quantitative calculation

Full fault tree NOT logic on
Post process success states off
Lower bound calculation off
Disable automatic modularisation off
Combinatorial set generation off

150 FaultTree+ V11.2

 Project Options

Defaults for event tree calculations:

Optimum upper-bound quantitative calculation

Use dual fault trees for success on
Post process success states off
Lower bound calculation off
Enforce exclusivity off
Always modularise enabler gates on
Always modularise initiator gates on

If you are performing an event tree analysis where there are strong dependencies
between fault tree TOP events feeding into the event trees, we recommend the
following custom settings:

Esary-Proschan quantitative calculation

Use dual fault trees for success off
Post process success states on
Lower bound calculation off
Enforce exclusivity on
Always modularise enabler gates off
Always modularise initiator gates on

Note that these custom settings assume that fault tree success probabilities are
close to 1 and effectively ignore success states.

Quantitative Calculation Method

If the rare approximation method is specified, gate and consequence probabilities

are calculated by summating the individual minimal cut set occurrence probabilities.
If the Esary-Proschan method is specified, unavailability values are calculated by
applying the expression:
Q = Qc [1 i (1 Qi )]

where Qc = Product of probabilities of events common to all cut sets

Qi = Occurrence probability of ith cut set

If the optimum upper bound method is specified then FaultTree+ compares the
results from applying more than one method. The lowest (optimum) upper bound
value is then taken as the result. FaultTree+ will first apply a cross-product
calculation method. The upper bound unavailability is therefore determined by
calculating cross-product terms. The order of cross-product terms considered
depends on the maximum number of such terms specified by the user. FaultTree+
will calculate cross-products to produce an upper bound such that the number of

FaultTree+ V11.2 151

Project Options

terms specified by the user is never exceeded. FaultTree+ then applies another
cross-product calculation with success terms removed and an Esary-Proschan
calculation with success terms removed. The lowest of the computed upper bound
values is taken as the most accurate calculation for the unavailability upper bound.

If the rare approximation method is specified, gate failure frequencies are calculated
by summating the individual cut set failure frequencies. If the Esary-Proschan
method is specified, gate failure frequencies are calculated by applying the
expression:

i j =1 (1 Q j )
n n
= i =1 ji

where i = Failure frequency of ith cut set

Qj = Occurrence probability of jth cut set

If the cross-product method is used for the unavailability calculations, it will also be
used for the frequency calculations. The cross-product frequency is calculated by
adding or subtracting the frequencies of the cross-product cut sets.

You may set the quantitative calculation method in the Custom Options Dialog. It
is recommended that the Esary-Proschan method is not used if the cut sets contain
success states originating from fault trees.

Full Fault Tree NOT Logic

If the Full Fault Tree NOT logic flag is set on, the program will generate the full
minimal cut set representation (to the specified order and probabilistic cut-off) for
gates in the project fault trees. Minimal cut sets may therefore contain
combinations of event failure and success states.

If the Full Fault Tree NOT logic flag is set off, the program will ignore NOT logic in
the fault tree. In effect, NOT gates will be removed from the tree for the purposes of
the analysis and exclusive OR gates will be replaced by OR gates.

152 FaultTree+ V11.2

 Project Options

Use Dual Fault Trees for Success

If the Use Dual Fault Trees for Success flag is set on, the program will use the path
sets originating from fault tree gates to represent success branches in the event
tree.

If the flag is set off, the program will not add any events to the sequence cut sets
when a success branch associated with a fault tree gate is encountered.

Post Process Success States

If the Post Process Success States flag is set on, the program will remove all event
success states from generated cut sets, so long as the events do not appear in all
the cut sets for the gate or consequence. This operation is performed only after all
the cut sets have been generated and is generally applied to provide a more
accurate upper bound solution for the gate and consequence unavailability values.

Lower Bound Calculations

A lower bound value for gate and consequence unavailability values may be
calculated by setting the Lower Bound Calculation flag on. A lower bound value is
obtained by evaluating cross-product terms for the gate or consequence cut sets.
Lower bound unavailability values may be used to determine the accuracy of gate
and consequence upper bound unavailability values. If an analysis produces a large
number of minimal cut sets, the lower bound calculations may take some time.

Disable Automatic Modularisation

At the start of an analysis and before generating the minimal cut sets, the program
checks the structure of fault trees to determine whether individual sub-sections of a
tree may be modularised. Modularisation is performed if the sub-section is
independent from the rest of the tree structure. Independence requires that none of
the events or gates appearing below the top gate of the sub-section appears
elsewhere in the project fault trees. A modularised gate is automatically replaced
with a super event during the analysis, reducing the amount of computing time
required during cut set generation and also dramatically reducing the number of cut
sets produced. Once the cut set generation process has been completed, the super
events may be expanded to reveal the original cut sets. Expansion will only be
performed if the Disable Automatic Modularisation flag is set on. Note that you may
override this operation for an individual gate in the fault tree by setting the Always
Modularise flag on in the Edit Gate Dialog.

FaultTree+ V11.2 153

Project Options

Combinatorial Set Generation

This method may be selected as an alternative to the default bottom-up Boolean

algebra method for evaluating the minimal cut sets for fault trees. The combinatorial
method is likely to produce cut sets more efficiently than the default method when
analysing complex fault trees where basic event probabilities are relatively small
compared to the cut-off values set in the Sets Generation tab of the Project
Options Dialog. The new method is also likely to be significantly more efficient than
the default method when handling fault trees containing complex NOT logic
arrangements at high or intermediate levels of the fault tree structure. The new
combinatorial method may only be used with the Post Process Success States
option set on for fault trees (i.e. where success states are removed from the
remaining cut sets once invalid sets have been removed). Cut sets are generated to
th
a maximum of 6 order. The method may not be applied to event trees.

Enforce Exclusivity

If the Enforce Exclusivity flag is set on, the program post-processes the generated
consequence cut sets to ensure that identical sets do not occur for sequences
leading to different consequences. Where matching sets are identified, the set is
removed from the consequence with the smaller weight factor. This method of post-
processing sets provides a more accurate result for analyses where the Use Dual
Fault Trees for Success flag has been set off.

Always Modularise Enabler Gates

This option allows users to specify that fault tree gates that are associated with
event tree columns (other than the initiator column) will always be modularised. This
means that such columns will always be represented by super events during the
calculation process. If this option is chosen then the program automatically
assumes that gates modularised in this way are independent and will therefore not
take into account common failures. Setting this option on effectively simplifies the
minimal cut set generation process for event trees. Effectively, each sequence in an
event tree will be represented by a single cut set.

Always Modularise Initiator Gates

This option allows users to specify that fault tree gates that are associated with the
first column of an event tree (the initiator column) will always be modularised. This
means that event tree initiators will always be represented by super events during
the calculation process. If this option is chosen then the program automatically
assumes that gates modularised in this way are independent of any enabler gates
feeding into the same event tree and will therefore not take into account common
failures. Setting this option on effectively simplifies the minimal cut set generation
process for event trees. It is relatively rare for event tree initiators to be dependent
on events that also occur underneath other enabler gates in the same event tree.

154 FaultTree+ V11.2

 Project Options

This would require certain events to act as initiators or enablers within an event
tree. The default is therefore to modularise initiator gates. However, if you switch
this option off, FaultTree+ will analyse the effects of events that may be initiators or
enablers. Special event symbols may be introduced into consequence cut sets if
initiator gates are not modularised. Depending on the cut set, a single event may
potentially appear as an initiator or an enabler. If the program needs to distinguish
an event as being in its initiating mode or its enabler mode (because it may appear
as either) then the ~ is placed after its occurrence as an initiator. The following cut
sets represent two event tree sequences where events A and B (originating from
fault trees attached to the event tree) may exist as initiators or enablers :

A~.B.C
B~.A.C

Calculation Options

Calculation options may be accessed by selecting the Tools, Options pull-down

menu option and then selecting the Calculation Tab in the Project Options Dialog.

Project Options Dialog (Calculation Tab)

FaultTree+ V11.2 155

Project Options

System Lifetime

Many predicted system parameters are based on the system lifetime value specified
by the user. For a process system, the system lifetime would normally represent the
life of the plant. For an aircraft, the system lifetime will normally be set to the
average flight time or a single flight hour. The system unavailability, failure
frequency, conditional failure intensity and unreliability point values are all
calculated at the system lifetime. Other parameters such as the expected failures,
total down time and mean unavailability are all calculated by numerical integration
over the system lifetime.

Units

By default, FaultTree+ requires users to enter consistent units for frequency and
time parameters. However, users may optionally specify alternative units for failure
frequencies and MTTRs. Failure frequencies may be specified as FITS (failures per
thousand million hours), fpmh (failures per million hours), failures per year or
failures per hour. MTTRs may be specified in units of minutes or hours. The failure
frequency units chosen will determine the units of all parameters, excluding MTTRs
(including the units of time parameters such as total down time and system lifetime).
For example, choosing failures per hour for the frequency units will require the
system lifetime, inspection intervals and other time parameters to be entered in
hours. The units specified for MTTR will affect MTTR values entered by the user
and calculated MTTR values for the system only.

Sensitivity Analysis

A sensitivity analysis evaluates gate and consequence quantitative parameters after

modifying event unavailability and failure frequencies by a specified percentage.
The purpose of a sensitivity analysis is to determine how sensitive gate and
consequence parameters are to a change in event unavailability and failure
frequencies. Event unavailability values and failure frequencies are varied above
and below the normal values by the specified percentage. Note that varied
unavailability values are given a maximum value of one.

A sensitivity analysis is only performed if the percentage variation is set to a non-

zero value.

Time-Dependent Analysis

A time-dependent analysis evaluates gate and consequence quantitative

parameters over a range of time-points rather than just a single time-point. Time-
dependent summary gate and consequence parameters information is provided on
printed reports and graphs. The system lifetime is divided into the number of
intermediate time-points specified by the user. Note that quantities such as the
number of expected system failures and total down time are evaluated by numerical

156 FaultTree+ V11.2

 Project Options

integration over the system lifetime using intermediate parameter values.

Specifying a larger number of intermediate time points will increase the accuracy of
the numerical integration. The number of time points specified should be an even
number between 2 and 100. Note that the program will divide the time mesh into 2
groups. The first group of time points, covering the initial time period, will be closely
spaced, whereas the second group of points will be more widely spaced. This is
due to the fact that the rate of change of gate and consequence parameters is
usually much greater over the initial time period. The recommended value for the
number of intermediate time points is 20.

If you do not wish a time-dependent analysis to be performed, simply uncheck the

on option.

Importance Calculations

By default, importance measures are calculated using the rare approximation

method, irrespective of the Quantitative Calculation Method used to calculate
system probability values. Now users may request the program to use the same
method as used to calculate system probability values (Rare, Esary-Proschan or
Optimum Upper Bound) by setting the Use Rare Approximation flag off. Note that
the rare approximation method may be substantially quicker than other methods
when large numbers of minimal cut sets are being processed.

MTTF/MTBF/MTTR Calculations

If the Off Button is selected, no MTTF, MTBF or MTTR calculations will be

performed. These calculations require numerical integration methods to be
employed and may be time consuming for large numbers of minimal cut sets.
Setting these calculations off may significantly reduce the overall calculation time
required.

If the Standard MTTF/MTBF/MTTR option is selected, the program will calculate

these three parameters for each gate in the fault tree with the Retain Results flag
set on. If the system represented by the gate is non-repairable, or partially non-
repairable (the unavailability does not reach a steady state value), the program will
not calculate the MTBF or MTTR parameters.

If the Mission Repairable MTTF Only flag is set then the program will only calculate
the MTTF parameter. The calculation will assume that the lifetime specified by the
user represents a mission length and that multiple missions would be performed
one after the other. At the beginning of each mission, the program will assume that
all failed components will be repaired (i.e. the unavailability of the system will be
zero at the beginning of each mission).

FaultTree+ V11.2 157

Project Options

Confidence Analysis Options

Confidence analysis options may be accessed by selecting the Tools, Options pull-
down menu option and then selecting the Confidence Analysis Tab in the Project
Options Dialog.

Project Options Dialog (Confidence Analysis Tab)

During a confidence analysis, the program determines the confidence in predicted

gate and consequence parameters using Monte Carlo simulation techniques. The
gate and consequence parameters are evaluated separately for each simulation.
For each simulation, event unavailability values and failure frequencies are
determined by random sampling from the specified uncertainty distribution for event
data model parameters.

No. of Simulations

The number of simulations to be performed in a confidence analysis run. Greater

statistical accuracy in the results will be obtained by increasing the number of
simulations performed. The only disadvantage of performing a large number of
simulations is the increase in the computing time involved. The recommended

158 FaultTree+ V11.2

 Project Options

number of simulations is 100 and the maximum number that may be specified is
20,000.

Random Number Seed

Changing the random number seed modifies the random number list used during
the simulation process. This seed number may range from 0 to 20,000.

Independent Sampling for Generic Data

Users may request that dependent or independent sampling be used for events
during a confidence analysis. If the Independent Sampling for Generic Data flag is
set on then event failure and repair parameters will be sampled independently even
if they are associated with events attached to the same generic model or parameter.
If the Independent Sampling for Generic Data flag is set off, FaultTree+ will sample
parameters only once for each generic model or parameter per simulation.

Generalised Distribution for Results

If the Generalised Distribution for Results flag is set off then FaultTree+ will
assume that the predicted system parameter variations conform to a normal
distribution. If the Generalised Distribution for Results flag is set on, the program
will calculate upper and lower bound values using a generalised distribution. For a
generalised distribution, the program will store the predicted parameter (e.g. system
unavailability) for each individual simulation. A histogram representing the
probability density function for the predicted parameter value will be constructed
(and may be viewed by the user when an analysis is completed, as a confidence
distribution graph). The program will numerically integrate the area under the
distribution curve to determine the upper and lower bounds of the parameter. Using
a generalised distribution requires more computer time than assuming a normal
distribution but provides more accurate results for confidence analysis where the
confidence distribution for the predicted parameter is skewed.

Lognormal Point Value Interpretation

This setting determines how FaultTree+ will interpret the lognormal error factor
parameter. Error factors are specified by the user when entering lognormal
uncertainty data for an event, generic parameter or generic model.

The error factor is given by

EF = e (84 percentile)
EF = e1.285 (90 percentile)
EF = e1.65 (95 percentile)
EF = e 2.33 (99 percentile)

FaultTree+ V11.2 159

Project Options

Results Percentile Preference

The preference for system confidence results. Users may request confidence
bounds to be expressed as 90, 95 or 99 percentiles.

Results Bounds Preference

Selecting the Single-Sided option will mean that confidence results are presented
as upper bound values (to the specified results percentile). Selecting the Double-
Sided option will mean that confidence results are presented as upper and lower
bound values (to the specified results percentile).

Phase Options

Phase options may be accessed by selecting the Tools, Options pull-down menu
option and then selecting the Phases Tab in the Project Options Dialog.

Project Options Dialog (Phases Tab)

160 FaultTree+ V11.2

 Project Options

Specifying a finite number of phases enables users to change the failure

parameters associated with individual events during different phases of the system
lifetime. Events associated with different phase behaviour must be associated with
the Fixed-Phased failure model or the Rate-Phased failure model. These models
are similar to the Fixed and Rate models except that they allow users to change
the unavailability, failure frequency and failure rate parameters during different
phases of operation. If the Use absolute probability and rate values flag is set on
then the Fixed-Phased and Rate-Phased failure models will require absolute
unavailability values or failure rates to be specified for each phase. If the Use
absolute probability and rate values flag is set off then the Fixed-Phased and
Rate-Phased failure models will require a base unavailability or failure rate to be
specified followed by adjustment factors for each phase.

Before using these models, the user must set the number of operational phases
required for the project, as well as the phase durations. If the Set project lifetime to
total of phase durations flag is set on then the program will automatically set the
project lifetime. If this flag is not set on, and the total of all the phase durations is
less than the specified system lifetime (specified on the Calculation Tab of the
Project Options Dialog), the program will assume that phases are cyclic until the
specified lifetime is reached.

FaultTree+ V11.2 161

 Performing an Analysis

14. Performing an Analysis

Performing an Analysis

Before commencing an analysis, ensure that the correct sets generation and
calculation options are specified in the Project Options Dialog.

The analysis procedure may be initiated by selecting the Perform Full Analysis
option on the Analysis pull-down menu or equivalent toolbar option. The program
will perform the following operations:

Check the fault and event tree data for logical errors
Organise the fault and event tree structure for analysis
Generate CCF events
Modularise independent sub-trees
Calculate event unavailability values and failure frequencies
Evaluate the minimal cut sets
Expand modularised events, if necessary
Process success states, if necessary
Perform sensitivity analysis, if requested
Perform confidence analysis, if requested
Perform time-dependent analysis, if requested
Perform standard system quantitative analysis
Sort the cut sets

If any fatal errors are encountered when checking the project data, the analysis will
be aborted and the errors displayed to the user.

During the analysis, the program will indicate which operations are being performed
via the message area at the bottom of the principal window. The minimal cut set
evaluation process is often the most time-consuming part of an analysis. During the
minimal cut set generation, you may temporarily halt the analysis by selecting the
Pause Analysis option on the Analysis pull-down menu, or by selecting the
equivalent toolbar option. A dialog will appear allowing you to increase the
probability cut-off values, decrease the order cut-off and reset the consequence cut-
off. The analysis may then be restarted. Alternatively, you may abort the analysis.

FaultTree+ V11.2 163

Performing an Analysis

Analysis Pause Dialog

When an analysis is successfully completed, the analysis results are said to be up-
to-date. Subsequent modifications to the project data may render the results out-
of-date. The Status option on the Results pull-down menu may be used to inquire
the current results status.

The program automatically performs a verification check when an analysis is

completed. TOP gate unavailability values are checked for possible inaccuracies in
the calculated upper bound values. Inaccuracies are quantified if the lower bound
unavailability has also been calculated and are displayed to the user in the Results
Verification Dialog. Inaccuracies generally occur for systems with high unavailability
values where the rare approximation option has been selected. Note that a user
may request a 'results verification check' at any time by selecting the Verify option
on the Results pull-down menu.

Performing a Partial Analysis

Users may request the program to analyse selected parts of a project rather than
the whole project at once. This facility reduces the computing time for large and
complex projects when the user is only interested in the results for part of a fault
tree, a single event tree, a group of event trees or a specific group of
consequences. Before starting a partial analysis, the user must set the Include in
Partial Analysis flag on for gates (in the Edit Gate Dialog), event trees (in the Edit
Branch Dialog) or consequences (in the Edit Consequence Dialog).

164 FaultTree+ V11.2

 Performing an Analysis

A partial analysis is initiated by selecting the Analysis, Perform Partial Analysis

pull-down menu option. Gates and event tree sequences that are not included in a
partial analysis run will be labelled <Not calculated> ,where appropriate.

All the partial analysis flags in a project may be removed by selecting the Clear
Partial Analysis Flags option on the Analysis pull-down menu.

Performing a Batch Analysis

Batch Analysis

The batch analysis facility enables users to define a group of fault tree project files
that are to be analysed one after another, without any interaction from the user.
Once the analyses are completed, it is possible to compare summary results from
the different projects. This is a useful facility if you are comparing predicted
parameters for slight design variations of the same system. To perform a batch
analysis, select the Analysis, Perform Batch Analysis pull-down menu option. A
dialog will appear allowing you to define the projects to be analysed. The dialog also
contains buttons enabling you to start a full or partial analysis and compare results
once the analyses have been completed.

Batch Run Comparison

On completing a batch run, the user may compare summary results from each run.
This is done by selecting the Results Button in the Batch Analysis Dialog. The
Batch Run Comparison Dialog will appear displaying predicted parameters for
each project in the batch run. A list box at the top of the dialog allows the user to
select the parameters to be displayed.

The full set of results for each project in the batch run may be viewed by quitting the
batch analysis dialogs and opening the individual project files.

FaultTree+ V11.2 165

 Data and Results Verification

15. Data and Results Verification

FaultTree+ automatically performs verification checks before and after an analysis.
If any fatal errors occur during verification before an analysis, these are displayed to
the user and the analysis is aborted.

The user may also choose to perform a verification check without performing an
analysis. This may be done by selecting the Verify Data option on the Analysis
pull-down menu or the equivalent toolbar option. Such verification runs will display
warning messages as well as fatal error messages. Some of the verification
procedures performed are:

Check for conflicting sequence positions under PRIORITY AND gates (Fatal
Error).
Check for invalid event tree initiator data models - the event tree initiator data
model may only be associated with initiator branches of an event tree (Fatal
Error).
Circular logic checks for fault trees - gates that feed into themselves directly or
indirectly cannot be analysed (Fatal Error).
Check for secondary event trees that feed into themselves (Fatal Error).
Check for gates with no inputs (transfer gates) (Warning).
Check for event tree columns with null events (Warning).
Check for retain results flag off for all gates with no event trees defined (Fatal
Error).
Check for TOP gates with retain results flag off (Warning).
Check for invalid initiator/enabler combinations (Fatal Error).
Check for event tree initiating event gates that feed into other fault trees (Fatal
Error)
If Disable Identical Gate/Event Name Checks flag is set off then a check is
made for events with matching gate names (Fatal Error)

Note that other verification checks are performed as the project data is being
entered. For example, the validity of data model parameters is checked as they are
assigned to an event, generic model or CCF.

The program automatically performs a verification check when an analysis is

completed. TOP gate unavailability values are checked for possible inaccuracies in
the calculated upper bound values. Inaccuracies are quantified if the lower bound
unavailability has also been calculated and are displayed to the user in the Results
Verification Dialog. Inaccuracies generally occur for systems with high unavailability
values where the rare approximation option has been selected. Note that a user
may request a results verification check at any time by selecting the Verify option
on the Results pull-down menu.

FaultTree+ V11.2 167

Data and Results Verification

Verification results are displayed in the Verification Dialogs. These dialogs contain
a Print Button allowing you to send the verification messages directly to a printer.

168 FaultTree+ V11.2

 Examining Analysis Results

16. Examining Analysis Results

Displaying Results in Fault and Event Tree Diagrams

When an analysis has been completed, gates that have the retain results flag set
on will have their calculated unavailability values or frequencies displayed in the
fault tree diagram if the appropriate options have been selected in the View Tab of
the Project Options Dialog.

Terminal branch frequencies are displayed on the event tree diagram. The initiator
frequency and other column unavailability values may be displayed underneath
each column header if the appropriate options have been set in the View Tab of the
Project Options Dialog. For columns associated with fault tree gates, the displayed
values represent the unavailability of the gate. For columns associated with events,
the displayed values represent the unavailability of the event. Branch probability
values may also be displayed in the event tree.

Fault and Event Tree Summary Results

Analysis results may be examined by selecting the Summary option on the

Results pull-down menu. The Results Summary Dialog will appear on selecting
this option. The dialog contains two lists. The list at the top of the dialog contains
gate, consequence names or risk categories from the current project. Only gates
that have their retain results flag set on appear in this list (this flag is set for
individual gates in the Edit Gate Dialog and may also be set for groups of gates
using the Analysis, Retain Results For pull-down menu options). You may toggle
between the gate, consequence and risk category list by selecting the relevant radio
button above the list. Selecting an item in the top list will produce the appropriate
results information in the bottom list. Summary results, importance values or cut
sets may be viewed according to the selected radio button option.

If you are reviewing gate cut sets in the Results Summary Dialog, the Trace Cut
Set button will be enabled. Selection of this button will highlight all gates in the fault
tree that are TRUE if all the events in the cut set are set to TRUE.

If you select a cut set, the Cut Set Details Button will be enabled. Selection of this
option will reveal a new dialog displaying the names and descriptions for all the
events in the cut set.

FaultTree+ V11.2 169

Examining Analysis Results

Results Summary Dialog

Graphs Displaying Fault and Event Tree Results

Results may also be examined in the form of graphs. Selection of the Results,
Graphs pull-down menu option or equivalent toolbar button will result in the Graph
Options Dialog being displayed. This dialog allows the user to choose from a
number of graph categories and sub-categories.

Graph Options Dialog

170 FaultTree+ V11.2

 Examining Analysis Results

Typical Importance Chart

Selection of the Graph Button in the dialog will result in the graph being displayed.
Graphs may be sent to a printer or copied to the clipboard (the recommended
method for inserting FaultTree+ graphs into a word processing document).

For the F-N curve plot category, a number of additional options may be set from the
dialog that displays the graph (via the Options Button). F-N curves display the
variation of frequency or cumulative frequency with the weight of each event tree
consequence. The cumulative frequency for a given consequence is its own
frequency added to the frequency of all other consequences with a higher weight.
Only consequences with non-zero weights and frequencies are displayed

F-N Curve Options Dialog

FaultTree+ V11.2 171

Examining Analysis Results

Typical F-N Curve

172 FaultTree+ V11.2

 Event Data Models

17. Event Data Models

For a quantitative analysis to be performed, event failure and repair data models
must be specified for the events in the fault and event trees defined in the current
project.

There are fourteen data models provided by the program:

Fixed unavailability and failure frequency (Fixed)

Constant failure and repair rate (Rate)
Mean time to failure and repair (MTTF)
Dormant failure with periodic inspection (Dormant)
Sequential failure model (Sequential)
Event tree initiator model (ET Initiator)
Standby failure (Standby)
Time at risk model (Time at Risk)
Binomial failure model (Binomial)
Poisson failure model (Poisson)
Constant failure rate and mean time to repair (Rate/MTTR)
Weibull failure model (Weibull)
Fixed unavailability and failure frequency phased (Fixed-Phased)
Constant failure and repair rate phased (Rate-Phased)

The event tree initiator model may only be assigned to events associated with the
initiator branch of an event tree (initiating events).

During an analysis, the program will calculate the unavailability (Q) and failure
frequency ( ) of each event from the model parameters specified by the user.

Each model type is discussed in detail below.

Fixed Unavailability and Failure Frequency Model

This model represents event unavailability values and failure frequencies that do not
vary with time. This model is often used to represent probability of failure on
demand (e.g. operator errors), simple event probability values (e.g. probability of
adverse weather conditions) and conditional probability events (probability of a tank
rupture under a high pressure condition).

Users are recommended to use the fixed model for initiators within a fault tree.
FaultTree+ will ignore the fixed unavailability value entered for initiator events.

In program dialogs, this model is identified with the keyword Fixed.

FaultTree+ V11.2 173

Event Data Models

Constant Failure and Repair Rate Model

This model is used to represent component failures that are immediately revealed
and repaired. It assumes exponential distributions for both the failure and repair
processes. The failure and repair rates are both constant. It may also be used to
represent non-repairable components by setting the repair rate to zero. In program
dialogs, this model is identified with the keyword Rate.

The unavailability and failure frequency of a component represented by the constant

failure and repair rate model are given by

Q( t ) = (1 e ( + )t )
+

( t ) = (1 Q( t ))

where Q( t ) = component unavailability

(t ) = component failure frequency
= component failure rate
= component repair rate

Plot showing Q(t) versus t for the constant rate model

Repairable components represented by the constant failure and repair rate model
approach a steady-state value of unavailability given by

174 FaultTree+ V11.2

 Event Data Models

Q( t ) for ( + )t >> 1
+
The initial transient part of the unavailability curve reflects the assumed working
condition of the component at time zero.

For very small system lifetimes, the constant rate model expression reduces to

Q ( t ) t for ( + )t << 1
For non-repairable components, a value of zero should be specified for the
component repair rate. Substitution of = 0 into the general expression for
unavailability gives

Q( t ) = 1 e t for =0
which, for very small system lifetimes, reduces to

Q ( t ) t for t << 1

Note also that where Q( t ) << 1 (which is often the case in practice) :

Mean Time to Failure and Repair Model

This model is the same as the constant failure and repair rate model (Rate)
described above, except that the parameters entered by the user are the mean time
to failure (MTTF) and the mean time to repair (MTTR). These parameters are
related to the failure and repair rates by the following expressions:

1
=
MTTF

1
=
MTTR

In program dialogs, this model is identified with the keyword MTTF.

FaultTree+ V11.2 175

Event Data Models

Dormant Failure with Periodic Inspection Model

Components that form part of a protection or standby system may not have their
failures revealed until they are required to operate, or until a maintenance or
inspection (test) takes place. For example, a standby diesel generator may only be
started-up when it is required to supplement or replace electrical power or when it
is tested during an inspection. Only at these times can repairs be performed.

In effect, dormant components exhibit characteristics similar to non-repairable

components during periods between inspections. The actual variation of
unavailability with time is periodic in nature.

Q versus t plot for the dormant failure model with t << MTTF

The FaultTree+ Dormant model produces mean or maximum risk unavailability and
failure frequency values from the failure rate, mean time to repair and inspection
interval parameters entered by the user. If the Dormant Failure Model flag is set to
Mean or IEC 61508 (in the Sets Generation Tab of the Project Options Dialog),
the model takes a mean value of the event unavailability.

The expression for the mean unavailability of an individual dormant event is given
below:

. (1 e ) + . MTTR.(1 e )
Qmean =
. + . MTTR(1 e )

where Qmean = Mean unavailability value

= Constant failure rate
MTTR = Mean time to repair
= Inspection interval

176 FaultTree+ V11.2

 Event Data Models

This expression simplifies to an approximate representation in the case where

<< 1 and . MTTR << 1 :
.
Qmean = + . MTTR
2
If the IEC 61508 flag is set, then the program will perform a special calculation
when combining the unavailability values of two dormant failures in the same cut
set. Instead of simply multiplying the individual dormant event unavailability values
together (product of mean), the program will calculate the average of the time-
dependent product of unavailability values (mean of product). This calculation is
performed in accordance to IEC 61508-6 and only applies to cut sets containing two
dormant failures where the inspection intervals are the same or an integer multiple
of one another. If these conditions are not met the Mean model will be applied.

If the Max flag is set, then the following expression is used to represent the event
unavailability:
Qmax = 1 e

where Qmax = Maximum unavailability value over the

inspection interval

The failure frequency is given by the expressions:

mean = (1 Qmean )

max = (1 Qmax )
for the mean, and maximum risk models, respectively. In program dialogs, the
model is identified by the keyword Dormant.

Sequential Failure Model

This special model is designed to reflect the unavailability of components that may
be affected by sequential dependencies and dormant failures during different
phases. In program dialogs, the model is identified by the keyword Sequential.

The model takes account of dependencies between component failures and is

therefore only applied after the minimal cut sets have been calculated. Events
associated with this model are assigned pessimistic unavailability values for cut-off

FaultTree+ V11.2 177

Event Data Models

calculations. The model applies only to double and triple failures within a sequential
model group. A group identifier is specified as part of the model.

Sequence factors that are used in the model are determined within the program by
evaluating the possible number of failure sequences allowed. For example, if 3 out
of 6 possible sequences are allowed, the sequence factor is 0.5.

The sequence model requires the user to provide 6 parameters. The parameters
are: the failure rate, inspection interval, double failure sequence flag, triple failure
sequence flag, dormancy flag and group identifier. The double failure sequence
flag may be set to 0, 1 or 2. A value of zero indicates that the component failure
may occur at any position within a sequence. A value of 1 or 2 indicates that the
component may only fail at position 1 or 2, respectively, within a double failure
sequence. The triple failure sequence flag may be set to 0, 1, 2, 3, -1, -2 or -3.
Negative values indicate that the failure cannot occur at the given position in a triple
failure sequence. The dormancy flag is only effective for double failures and will
allow detection of failures before a mission if both components are failed with the
dormancy flag set on (=1) for both components. The group identifier is used to
distinguish between events in the same cut set that may belong to different
sequential models. For example, suppose a minimal cut set contains 5 events A, B,
C, D and E. All events are associated with the Sequential Model. If events A, B and
C are associated with group 1 and events D and E are associated with group 2, the
program will apply the triple failure sequential model to A, B and C and the double
failure sequential model to D and E. The resulting unavailability values are
multiplied together to obtain the overall cut set unavailability.

For double failures the following expressions are used to evaluate the cut set
unavailability, Qc :

Qc = S .(C. F . Q1. Q2 + q1. q 2) + A12. Q1. q 2 + A21. Q2. q1

If maximum risk (Max dormant failure model option) is applied then the Sequential
model will use the following expression to represent dormant unavailability for a
component:

Qn = 1 exp( n Tn )

If the mean or IEC 61508 options are selected, the following expression is used:

Qn = 1 exp( n Tn / 2)
You may set the Mean, Max or IEC 61508 dormant failure model options in the
Sets Generation Tab of the Project Options Dialog.

178 FaultTree+ V11.2

 Event Data Models

q n = 1 exp( n t )
C = 1 if dormancy flag on for both components
C = 0 otherwise
S = sequence factor
A12 = 1 if sequence 1-2 allowed
A21 = 1 if sequence 2-1 allowed
Both 0 otherwise

1 T2
F = 4( + 3) / 12 N= whereT2 T1
N T1

Tn = dormant phase length

t = mission length

For triple failures, the following expressions are used to evaluate the cut set
unavailability, Qc:

Qc = A12.F12.Q1.Q2.q3 + A13.F13.Q1.Q3.q2
+ A23.F23.Q2.Q3.q1 + S12.q1.q2.Q3
+ S13.q1.q3.Q2 + S23.q2.q3.Q1 + S.q1.q2.q3

Aij (A12, A13, A23) = 0 if component failure 3, 2, 1 at third position

does not cause a system failure

= if a sequence between i and j components

exists

= 1 if no sequence between i and j components

Sij (S12, S13, S23) = 0 if component 3, 2, 1 at first position does not

cause a system failure

= if a sequence between i and j exists

= 1 if no sequence between i and j

1 Tj
Fij = 4( + 3) / 12 N ij = T j Ti
N ij Ti

FaultTree+ V11.2 179

Event Data Models

Qn and qn as for double failures.

Special symbols are used to indicate that the Sequential model has been assigned
to an event in the fault tree diagram. A rectangular tag is used to indicate the
Sequential model with the dormancy flag set off. A diamond tag is used to indicate
the Sequential model with the dormancy flag on.

Event Tree Initiator Model

The event tree initiator model is used to represent event tree initiating events.
These initiating events are events associated with an event tree initiator branch.
The event tree initiator model may not be used for any other events. The model
simply specifies the event failure frequency.

In program dialogs, this model is associated with the keywords ET Initiator.

Standby Model

This special model may be used to represent the failure and repair characteristics of
a redundant sub-system. Events associated with this failure model therefore
represent a group of components (some of which may be in standby), rather than a
single component.

The Standby Model requires the following parameters to be specified:

Operating failure rate

Standby failure rate
Repair rate
Total no. of components
No. of operating components
No. of repair crews available

The operating failure rate is the failure rate of the components in the standby
system when they are actually in use. The standby failure rate is the failure rate of
each component when in standby mode. These rates are assumed to be constant,
as is the repair rate. The total number of components in the sub-system must be

180 FaultTree+ V11.2

 Event Data Models

specified, together with the number of normally operating components. If there are
fewer components available at any time than the specified number of operating
components then the standby sub-system is considered to be unavailable. The
number of repair crews available indicates the maximum number of components in
the sub-system that may be repaired at the same time.

FaultTree+ automatically determines the unavailability and failure frequency of the

standby system using Markov analysis.

Note that the calculated unavailability for the standby model is the steady-state
value.

In program dialogs this model is associated with the keyword Standby.

Time at Risk Failure Model

This model allows users to specify a time at risk that differs from the system
lifetime. The model is useful for representing component failures that only contribute
to system failure during certain phases of the lifetime of the system or duration of a
mission.

The unavailability of events associated with this model are calculated using the
expression

Q = 1 e T

where = failure rate

T = time at risk

The model is similar to the Constant Failure and Repair Rate model except that the
time used is the time at risk specified as part of the model and the component
associated with the model is assumed to be non-repairable over the time at risk.

In program dialogs, this model is associated with the keyword Time at Risk.

Binomial Failure Model

The Binomial model is particularly useful for representing voting arrangements

where m out of n failures will result in a sub-system failure. The Binomial model
allows users to represent such a sub-system by a single event rather than a VOTE
gate with n input events. Note that the model only applies if all of the failures have
identical failure and repair rates and the failure events are independent.

FaultTree+ V11.2 181

Event Data Models

When employing the Binomial model, the program will use the following expressions
to determine the unavailability and failure frequency of the associated event:

n
n!
Q= m! (n m)!q
k =m
k
(1 q ) n k

q= (1 e ( + ) t )
+

m (1 q )Q
=
q

where Q = sub-system unavailability

=sub-system failure frequency
n = total number of failure events
m = minimum number of failure events required to cause sub-system
failure
q = unavailability of individual failures
= failure rate for each individual failure
= individual repair rate
t = system lifetime

In program dialogs, this model is associated with the keyword Binomial.

Poisson Failure Model

The Poisson model allows users to represent the effects of a limited number of
backup spares on the unavailability of a component. This model is particularly
useful when analysing a mission scenario where on-board spares cannot be
replenished once they have been used up.

The following expressions are used to determine the unavailability and failure
frequency of an event associated with the Poisson model:

s
( nt ) k e nt
R=
k =0 k!

Q =1 R

182 FaultTree+ V11.2

 Event Data Models

n ( nt ) s e nt
=
s!

where

n = number of components required to be operating

s = number of backup spares
= component failure rate
t = system lifetime (mission length)
In program dialogs, this model is associated with the keyword Poisson.

Rate/MTTR Model

This model is the same as the constant rate model described above except that the
parameters entered by the user are the failure rate and the mean time to repair
(MTTR). The MTTR parameter is related to the repair rate by the following
expression:

1
=
MTTR
In program dialogs, this model is identified with the keyword Rate/MTTR.

Weibull Model

The Weibull model may be used to represent components with varying failure rates.
The model may be used to represent a component that will not be repaired over the
system lifetime if a failure occurs or it may be used to represent a component that
will only be repaired when an inspection reveals a failure. In the latter case the
repair is assumed to leave the component in an as good as old condition after
repair (i.e. the component is fixed but not replaced with a new component).

The Weibull model requires users to specify three parameters that define the basic
Weibull distribution:

Characteristic Lifetime
Shape Parameter
Location Parameter

FaultTree+ V11.2 183

Event Data Models

In addition the user must specify the inspection interval at which tests for dormant or
hidden failures are performed. If an inspection interval of zero is specified the
component is assumed to be non-repairable over the system lifetime.

For the non-repairable Weibull model (inspection interval set to zero) :

The Weibull failure rate is given by

( t ) 1
r(t ) =

where r(t ) is the failure rate

= characteristic life parameter
= shape parameter
= location parameter

The unreliability, F ( t ) , is given by

t
F ( t ) = 1 exp

As the model represents a non-repairable component, the unavailability, Q (t ) , is

given by

Q (t ) = F (t )

184 FaultTree+ V11.2

 Event Data Models

This is equivalent to a failure density function, f ( t ) , given by

( t ) 1 t

f (t ) = exp

and a mean time to failure (MTTF) given by

1 +
MTTF =

where = gamma function

For the dormant Weibull model (inspection interval greater than zero) :

This model smooths the periodic nature of the component unavailability by setting
the unavailability of each interval to the actual peak unavailability at the end of each
interval using the expression

(n 1)

n


Qn = 1 exp . exp

where Qn = the unavailability value used over the entire interval n

= characteristic life parameter
= shape parameter
= location parameter
= inspection interval

In program dialogs, this model is identified with the keyword Weibull.

FaultTree+ V11.2 185

Event Data Models

Fixed Unavailability and Failure Frequency Phased Model

This model is similar to the Fixed Unavailability and Failure Frequency model
except it allows users to change the unavailability and failure frequency parameters
during different phases of operation.

Before using this model, the user must set the number of operational phases
required, together with the phase durations, in the Project Options Dialog (Phases
Tab). In program dialogs, this model is identified with the keyword Fixed-Phased.

If the Use absolute probability and rate values flag is set on in the Phases tab of
the Project Options dialog then the model will require absolute unavailability values
to be specified for each phase. If the Use absolute probability and rate values flag
is set off then the model will require a base unavailability to be specified followed by
adjustment factors for each phase. The adjustment factor simply multiplies the base
unavailability and failure frequency parameters during the appropriate phase. The
model is particularly useful if you wish to effectively modify the structure of the fault
tree during a given phase. Consider the example below. A special conditional event
has been included in the fault tree. The event has a local Fixed-Phased data model
assigned to it. Three phases are defined in the project and the event is assigned a
base unavailability of 1 and adjustment factors 1, 0, 1 for the three phases,
respectively. During the second phase, when the unavailability is adjusted to 0,
system 1 cannot contribute to the hazard defined by the top event. For example, an
aircraft system may only contribute to a hazard if it fails during take-off or landing
but will not contribute to the hazard if it fails at any other time during the flight.

186 FaultTree+ V11.2

 Event Data Models

TOP LEVEL
HAZARD

HAZARD

System 1 failure System 2 System 3

during failure failure
hazardous phase

GATE4 SYS2 SYS3

System 1 Hazardous
failure phase

SYS1 EVENT1

Q=1

Unavailability Plot for Top Gate HAZARD

Constant Failure and Repair Rate Phased Model

This model is similar to the Constant Failure and Repair Rate model except it
allows users to change the failure rate parameter during different phases of
operation.

FaultTree+ V11.2 187

Event Data Models

Before using this model, the user must set the number of operational phases
required, together with the phase durations, in the Project Options Dialog (Phases
Tab).

If the Use absolute probability and rate values flag is set on in the Phases tab of
the Project Options dialog then the model will require absolute failure rates to be
specified for each phase. If the Use absolute probability and rate values flag is set
off then the model will require a base failure rate to be specified followed by
adjustment factors for each phase. The adjustment factor simply multiplies the base
failure rate parameter during the appropriate phase. The Rate-Phased model is
particularly useful if you wish to model standby phases, or phases under which a
system is placed under high stress (launch of a satellite for example) in addition to
normal operational phases. In program dialogs, this model is identified with the
keyword Rate-Phased.

Uncertainty Values

Uncertainty values may be specified for selected parameters in the event data
models. These uncertainty values are only used during a confidence analysis and
need not be set if a confidence analysis will not be performed. Each uncertainty
value may be associated with a normal (gaussian), lognormal, log-triangular or log-
uniform distribution.

Normal Distribution

If a normal distribution is specified, the uncertainty value is the standard deviation

and the parameter value entered represents the mean value.

Lognormal Distribution

If a lognormal distribution is specified, the uncertainty value is the error factor and
the parameter value may represent the median, mode or mean of the distribution.
Users may choose whether the parameter value represents the median, mode or
mean value in the Calculation Tab of the Project Options Dialog accessed via the
Analysis, Options, Calculations pull-down menu option. Users may also choose
whether the lognormal error factor should represent the 84, 90, 95 or 99 percentile.

The expression for the normal distribution is given by

1
f = exp[ ( x ) 2 / 2 2 ]
(2 )
where = mean
= standard deviation

188 FaultTree+ V11.2

 Event Data Models

The expression for the lognormal distribution is given by

1
f = exp[ (ln x ) 2 / 2 2 ]
x 2
with the median, mode, mean and standard deviation given by

Median = e
2
Mode = e
2
Mean = e + 0.5
2 2
( Std )2 = e 2 + ( e 1)
The error factor is given by

EF = e (84 percentile)
EF = e1.285 (90 percentile)
EF = e1.65 (95 percentile)
EF = e 2.33 (99 percentile)

Log-Triangular Distribution

The log-triangular distribution defines a possible range of the reliability parameter

on a log scale as illustrated below. The probability density function, f(x), indicates
the probability that the value of the parameter falls between x and x + dx. The value
of the parameter specified by the user is the mid-point of the parameter range on a
log scale. Dividing or multiplying the mid-point value by the error factor gives the
minimum and maximum parameter values. The example below corresponds to a
-4
parameter value (for example, failure rate) of 10 and error factor of 100.

FaultTree+ V11.2 189

Event Data Models

Log-Uniform Distribution

The log-uniform distribution defines a possible range of the reliability parameter on

a log scale as illustrated below. The probability density function, f(x), indicates the
probability that the value of the parameter falls between x and x + dx. The value of
the parameter specified by the user is the mid-point of the parameter range on a log
scale. Dividing or multiplying the mid-point value by the error factor gives the
minimum and maximum parameter values. The example below corresponds to a
-4
parameter value (for example, failure rate) of 10 and error factor of 100.

Parameters Associated with Uncertainty Values

The following model parameters may have uncertainty values assigned to them:

Fixed Model : Unavailability, Failure Frequency

Rate Model : Failure Rate, Repair Rate
MTTF Model : MTTF, MTTR
Dormant Model : Failure Rate, MTTR
ET Initiator Model : Failure Frequency
Standby Model : Operating Failure Rate, Standby Failure Rate, Repair Rate
Time at Risk Model : Failure Rate
Binomial Model : Failure Rate, Repair Rate
Poisson Model : Failure Rate
Rate/MTTF Model : Failure Rate, MTTR
Weibull Model : Characteristic Lifetime
Fixed-Phased Model : Unavailability, Failure Frequency
Rate-Phased Model : Failure Rate, Repair Rate

Note that the Sequential model has no associated uncertainty values.

190 FaultTree+ V11.2

 Systems Analysis Methods

18. Systems Analysis Methods

This chapter describes the procedures used by the program to evaluate the fault
and event tree minimal cut sets and the methods for calculating the standard
system quantitative parameters.

Boolean algebra techniques are used to produce the minimal cut sets representing
fault tree gates and event tree branches and consequences. A bottom-up approach
is adopted by the program during the evaluation process. Cut sets are first
generated for gates at the bottom of the project fault trees and the program works
its way up through the fault trees into the event tree branches and finally through to
the consequences. The following Boolean expressions are applied to produce the
minimal cut sets:

A + A. B = A
A. A = A
A+A = A
A. A = 0

A. B = A + B

A + B = A.B

During the cut set generation process, cut sets with an occurrence probability or
frequency below the specified probabilistic limit will be discarded. The frequency
cut-off value is only applied to the cut sets representing initiator gates in a fault tree
and cut sets generated within an event tree. Initiator gates will only be present in a
fault tree if the user has assigned the initiator only flag to events within the fault
tree. The unavailability cut-off is applied to all cut sets generated within a fault tree
except those cut sets associated with initiator gates. Cut sets whose order is greater
than the order cut-off will also be discarded. The order of a cut set represents the
total number of event failure and success states in the cut set.

The program will automatically modularise suitable gates in the project fault trees
before producing the cut sets. Modularisation is performed if the gate represents a
sub-tree that is independent from the rest of the tree structure. Independence
requires that none of the gates or events appearing within the sub-tree appear
elsewhere in the project fault trees. A modularised gate is automatically replaced
with a super event during the analysis, reducing the amount of computing time
required during cut set generation and also reducing the number of cut sets
produced. Once the cut set generation process has been completed, the super
events may be expanded or, alternatively, left in the cut sets generated in a report.

FaultTree+ V11.2 191

Systems Analysis Methods

The user may request the program to modularise all gates associated with event
tree initiator or enabler columns (by setting the Always Modularise Initiator Gates
and Always Modularise Enabler Gates options in the Custom Options Dialog).
Enabler columns are all columns in an event tree that follow the initiator column.

Cut set occurrence probabilities and failure frequencies are determined from the
following expressions:
Qcut = i =1 Qi
n

where Qi = the unavailability of the ith event in the cut set

Qcut = the cut set occurrence probability
n = number of events in the cut set

j i=1 Qi
n n
cut = j =1 i j

where j = failure frequency of the jth event in the cut set

cut = cut set occurrence frequency

System unavailabilities are calculated by applying the Esary-Proschan expression

Qsys = i =1 Qi [1 j =1 (1 Qcutj )]
m n

where Qi = unavailability of common event i

m = number of common events occurring in all
cut sets
Qcutj = unavailability of cut set j excluding common
events
n = number of cut sets
Qsys = system unavailability

or by the rare approximation or cross-product methods, depending on the options

stipulated by the user.

The rare approximation unavailability is given by

192 FaultTree+ V11.2

 Systems Analysis Methods

Qsys = i =1 Qcuti
n

The cross-product unavailability is given by

n n 1 n n 2 n 1 n
Qsys ( t ) = Qcuti ( t ) Qij ( t ) + Q ijk ( t )+...
i =1 i =1 j = i +1 i =1 j = i +1k = j +1

......( 1) n+1 Q123...n ( t )

where Qcuti ( t ) = unavailability of cut set i

n = number of cut sets
Qsys ( t ) = system unavailability

Qij ( t ) = product of the unavailabilities of the basic

events in cut sets i and j
Qijk ( t ) = product of the unavailability of the basic events
in cut sets i, j and k

System failure frequencies are calculated using either the cross-product method,
the Esary-Proschan method or the rare approximation method.

The Esary-Proschan expression for system frequency is

cuti j =1 (1 Qcutj )
n n
sys = i =1 j i

where cuti = failure frequency of cut set i

Qcutj = unavailability of cut set j

The expression for the system frequency calculated by the rare approximation
method is given below.

sys = i =1 cuti
n

where cuti = failure frequency of cut set i

sys = system failure frequency

FaultTree+ V11.2 193

Systems Analysis Methods

Cross-product system frequency values are determined by summating or

subtracting the frequencies for all cut set cross-product terms.

Note that the Esary-Proschan and rare approximation methods provide upper
bound approximations to the exact values for the system unavailability and failure
frequency for coherent systems (systems without any NOT logic). The rare
approximation method provides less accurate results than the Esary-Proschan
method of calculation when the unavailability of the system is very high (>0.2). The
accuracy of the result may be checked by computing the lower bound value for
unavailability. The exact value lies between the upper and lower bound values.

The following tables illustrate the difference between the exact value and upper
bound results provided by the rare and Esary-Proschan approximation methods for
a simple fault tree. The exact result may be computed by hand, due to the small
number of minimal cut sets produced. The minimal cut set expression used is given
below. Failure models for the events are assumed to be identical.

A + B.C + B.D

Computed System Unavailabilities

Exact Rare Upper E-P Upper Lower Bound
Bound Bound
0.6875 1.0 0.719 0.625
0.1171 0.12 0.11791 0.1170
0.01019701 0.0102 0.01019799 0.010197

% Difference
Exact Rare Upper E-P Upper Lower Bound
Bound Bound
0 45% 4.6% 9.1%
0 2.5% 0.7% 0.08%
0 0.02% 0.01% 0.0001%

These tables provide an illustration of the accuracy of upper bound calculations.

The rare approximation method generally provides accurate results where the
system unavailability < 0.2, whereas the Esary-Proschan upper bound method
provides accurate results where the system unavailability < 0.5 . This rule should
only be taken as a general guide, as individual events with very high unavailability
values may also affect the accuracy of upper bound calculations. If the lower bound
calculation flag is set on, the program will automatically check upper bound
unavailability values, against computed lower bound values on completing an
analysis. If the estimated maximum percentage error is greater than 1 percent, a
warning will be given.

Other system parameters are calculated from the following expressions:

194 FaultTree+ V11.2

 Systems Analysis Methods

T
TDTsys = Q sys (t ). dt
0
where T = system lifetime
TDT = total system down time

n
Q cut = i =1
Qi
where Wsys = no. of expected system failures over the lifetime

sys
sys =
1 Qsys
where sys = system conditional failure intensity (CFI) at the system lifetime

= 1 e 0
( t ).dt
Fsys
where Fsys = system unreliability

MTTFsys = R(t ).dt
0

where MTTFsys = system mean time to first failure

1
MTBFsys =
()
where MTBFsys = system mean time between failures

Q ( )
MTTRsys =
()
where MTTRsys = system mean time to repair

TDTsys
Q sys =
T

FaultTree+ V11.2 195

Systems Analysis Methods

where Q sys = system mean unavailability

Note that integration is performed numerically using linear interpolation between

consecutive time-points. The number of time-points is specified in the Calculation
Tab of the Project Options dialog.

The expression for Fsys is an approximate expression for the system unreliability,
unless the system conditional failure intensity is equal to the system failure rate.
The number of expected system failures ( Wsys ) also provides an approximation to
the system unreliability where Wsys << 1.

196 FaultTree+ V11.2

 Initiator/Enabler Events and Sequencing

19. Initiator/Enabler Events and Sequencing

Initiator and Enabler Events

This chapter refers to the setting of event sequences in fault trees. Initiator and
enabler events should only be set in fault trees for which the TOP event failure
frequency is the parameter of interest, rather than the TOP event unavailability.
Initiator and enabler analysis is usually applied to fault trees whose TOP event
represents a hazard such as FIRE or EXPLOSION.

In certain circumstances, the order in which events take place must be taken into
consideration when evaluating the frequency of a fault tree TOP event. A typical
example of such a case is when evaluating the frequency of a hazardous event that
may be prevented by the successful operation of one or more protective systems.
For example, consider a fire protection system which is designed to prevent small
fires running out of control in a hazardous location and leading to an explosion:

If a fire starts and the protection system is unavailable then the explosion is
assumed to take place. If the fire protection system is available at the time at which
the fire starts then it is assumed that there is no possibility of the explosion taking
place. In such a case, the Fire Starts event is referred to as an initiator and the
Protective System Unavailable is referred to as an enabler. The frequency of the
explosion may be determined from

EXPLOSION = FIRE . QPROTECT

where FIRE = frequency of initiator Fire Starts

Q PROTECT = unavailability of protective system

FaultTree+ V11.2 197

Initiator/Enabler Events and Sequencing

The definition of an initiator is: an event that must be the last event to occur in a
sequence to cause a failure.

The definition of an enabler is: an event which must occur at any position but last in
a sequence to cause a failure.

For initiators and enablers, we need to modify the general expression used to
calculate cut set frequencies.

The normal method adopted to evaluate cut set frequencies is to apply the
expression

cut = j =1 j i =1 Qi
n n

i j

where j (t ) = failure frequency of the jth event in the cut set

cut ( t ) = cut set failure frequency

If any of the events in the cut set represent initiators or enablers, the expression is
modified to eliminate all terms which do not correspond to a permitted sequence.
This is best illustrated by an example. Take a fourth order cut set A.B.C.D for which
event A is an initiator and events B, C and D are enablers. The expression for the
failure frequency would normally be

CUT = A. .QB .QC .QD + B .Q A .QC .QD +

C .Q A .QB .QD + D .Q A .QB .QC
However, the modified expression (taking into account the initiators and enablers)
would be

CUT = A. .QB .QC .QD

FaultTree+ allows the user to categorise events as:

Initiator and enabler (sequencing off)

Initiator only
Enabler only

These categories are set in the Edit Event Dialog and will affect the frequencies of
fault tree gate probabilities as described above. Note that if an event is categorised

198 FaultTree+ V11.2

 Initiator/Enabler Events and Sequencing

as both an initiator and an enabler (the default setting) then the event can occur in
any position in the cut set sequence.

If you categorise any events as being initiator-only or enabler-only events then

FaultTree+ automatically checks that you have not specified any invalid
combinations of events in the tree structure, before performing an analysis. Error
messages are given in the Structure and Data Verification Dialog. The program
checks that AND gates have no more than one initiator input. If the Apply Strict
Initiator/Enabler Checks flag is set on (in the General Tab of the Project Options
Dialog), the program also checks that OR gates have either no initiator inputs or all
inputs are initiators. FaultTree+ automatically determines whether gates are
initiator-only gates or enabler-only gates, at the point of performing an analysis and
will only display frequency-related results for initiators and unavailability-related
results for enablers. Gates which represent system events that are both initiators
and enablers will have unavailability or frequency parameters displayed, depending
on the View preference specified by the user.

Event Sequencing

Event sequencing calculations apply to unavailability calculations as well as

frequency calculations. Individual events may be assigned a position of first,
second, third, fourth, fifth or last in a sequence. The position indicates the allowable
position for the event in a time sequence. The program will adjust the calculated
unavailability and frequency values for cut sets containing events with a sequence
assignment. The sequence restrictions will be calculated based on the number of
events in a cut set sequence. Modular gates in a fault tree will affect the results of
sequence calculations in some circumstances. Users may wish to set the Always
Modularise flag on for a gate to affect sequence calculations. For example,
consider the fault tree illustrated below. Events A, B and C must occur in sequence
(A first, B second and C third) for the event represented by GATE1 to occur. If
GATE1 is modularised in the analysis (users may force a gate to be modularised
using the Always Modularise flag in the Edit Gate Dialog) then the TOP gate will
be represented by a single cut set GATE1*.D (GATE1* is the super event for
GATE1). As the super event GATE1* and D1 are not sequence-dependent, this
implies that the following sequences are allowable:

A->B->C->D
D->A->B->C

If GATE1 was not modularise during the analysis, we would obtain the cut set
A.B.C.D for the TOP gate. As the events A, B, and C must occur in positions 1, 2
and 3, respectively, in a cut set, only one sequence is permitted:

A->B->C->D

FaultTree+ V11.2 199

Initiator/Enabler Events and Sequencing

The two cases will lead to different results for the predicted unavailability of the TOP
gate.

TOP

GATE1 D

Q=0.1

1 2 3

A B C

Q=0.1 Q=0.1 Q=0.1

FaultTree+ calculates the unavailability and failure frequency values of a minimal

cut set affected by sequencing, by considering the state transition diagram (used in
Markov analysis) associated with a minimal cut set. For example, consider the state
transition diagram illustrated below. The diagram represents the possible states of a
third order minimal cut set (a cut set containing three events) representing three
component failures. The components are assumed to be non-repairable. State
ALLOK represents all the components working. States 1 to 3 represent one of the
three components being failed. States 4 to 9 represent two of the three components
being failed. States 10 to 15 represent all components failed together. State 10
represents a different sequence to states 11 to 15. State 10 represents the
sequence component 1 fails first, component 2 fails second and component 3 fails
last. If the user has indicated that this sequence is the only sequence that will
contribute to a hazard (by setting the First, Second and Third sequencing flags
for the appropriate events in the Edit Event Dialog) then the program will estimate
the probability of state 10, rather than the probability of being in any of the states 10
to 15. This will effectively reduce the probability of the cut set.

200 FaultTree+ V11.2

 Initiator/Enabler Events and Sequencing

State Transition Diagram Showing Possible Failure Sequences for 3 Components

Note that the calculated unavailability values for sequence-affected cut sets are an
approximation for non-repairable systems. For practical systems, the error is
restricted to around 2% of the exact result.

FaultTree+ V11.2 201

 Importance Analysis

20. Importance Analysis

The program calculates four importance measures during an analysis:

Fussell-Vesely Importance
Birnbaum Importance
Barlow-Proschan Importance
Sequential Importance

Fussell-Vesely, Birnbaum, Barlow-Proschan and Sequential Importance measures

are calculated for all fault tree gates with the Retain Results flag set on. Fussell-
Vesely and Birnbaum importance measures are calculated for event tree
consequences and risk categories. Importance measures are applied to events and
event groups.

By default, all four importance measures are calculated using the rare
approximation method. However, the Fussell-Vesely and Birnbaum importance
measures may be calculated using the same method as applied to calculate system
probability values (Rare, Esary-Proschan or Optimum Upper Bound). This option
may be set in the Project Options Dialog (Calculation Tab). Note that the rare
approximation method may be substantially quicker than other methods when large
numbers of minimal cut sets are being processed.

Note that the program only displays non-zero importance values in the Results
Summary Dialog.

Fussell-Vesely Importance

FaultTree+ calculates the standard Fussell-Vesely importance measure, the

Fussell-Vesely Failure importance measure and the Fussell-Vesely Success
importance measure.

The Fussell-Vesely standard importance measure for gates in a fault tree indicates
an event or event groups contribution to the gate unavailability. Increasing the
availability of events with high importance values will have the most significant
effect on gate availability.

If you have defined event trees in your project and assigned consequences to them,
FaultTree+ will also calculate the Fussell-Vesely frequency importance value for
each initiating and enabling event associated with a particular consequence. The
Fussell-Vesely standard importance measure for consequences indicates an
events, or event groups, contribution to the consequence frequency. Reducing the
failure frequency of events with high importance values will have the most
significant effect on the consequence frequency. FaultTree+ will also calculate risk

FaultTree+ V11.2 203

Importance Analysis

importance measures. Reducing the failure frequency of events with high

importance values will have the most significant effect on the risk.

The standard Fussell-Vesely unavailability importance value for an event is given by

Q SYS Q SYS ( qi = 0)
I iFV =
Q SYS

where I iFV = Fussell-Vesely importance for event i

Q SYS = system probability or risk

Q SYS ( qi = 0) = system probability or risk with the probability of event i

set to 0

The Failure Importance Measure is determined by considering the failure and

success states of the event to be independent:

QSYS QSYS ( qi = 0)
I iFV =
QSYS

where I FV
fi = Fussell-Vesely failure importance for event i

Q SYS = system probability or risk

Q SYS ( q fi = 0) = system probability or risk, with the probability of event i

set to 0 where the event occurs in its failure state only

The Success Importance Measure is calculated from

Q SYS Q SYS ( qsi = 1)

I siFV =
QSYS

where I siFV = Fussell-Vesely failure importance for event i

Q SYS = system probability or risk

Q SYS ( q si = 1) = system probability or risk, with the probability of event i

set to 1 where the event occurs in its success state only

204 FaultTree+ V11.2

 Importance Analysis

For fault tree gates, these measures are applied to the unavailability parameter. For
consequences, these measures are applied to the failure frequency parameter. For
risk categories, these measures are applied to the risk parameter.

By default, the Fussell-Vesely importance measures are calculated using the rare
approximation method. However, the Fussell-Vesely measures may be calculated
using the same method as applied to calculate system probability values (Rare,
Esary-Proschan or Optimum Upper Bound). This option may be set in the Project
Options Dialog (Calculation Tab). Note that the rare approximation method may be
substantially quicker than other methods when large numbers of minimal cut sets
are being processed.

Birnbaum Importance

The Birnbaum unavailability importance measure for an event represents the

sensitivity of system unavailability with respect to changes in the events
unavailability. This importance measure is calculated for gates in a fault tree.

Birnbaum Unavailability Importance

The Birnbaum unavailability importance is given by

Q SYS
I iBB =
qi

where I iBB = Birnbaum importance measure for component i

Q SYS = system unavailability

qi = unavailability of component i

Birnbaum Frequency Importance

The Birnbaum frequency importance measure for an event represents the sensitivity
of the frequency of a consequence with respect to changes in the events
unavailability (for an enabler event) or frequency (for an initiator event). This
importance measure is calculated for consequences attached to an event tree.

The Birnbaum frequency importance is given by

FaultTree+ V11.2 205

Importance Analysis

CON
I iBB =
qi

where I iBB = Birnbaum importance measure for component i

CON = consequence frequency

qi = unavailability (enabler) or frequency (initiator) of component i

Birnbaum Risk Importance

The Birnbaum risk importance measure for an event represents the sensitivity of the
total risk with respect to changes in the events unavailability (for an enabler event)
or frequency (for an initiator event).

The Birnbaum risk importance is given by

Risk
I iBB =
q i

where I iBB = Birnbaum importance measure for component i

Risk = total risk
qi = unavailability (enabler) or frequency (initiator) of component i

Barlow-Proschan Importance

The Barlow-Proschan event importance measure considers the sequence of event

failures. It is, in effect, the probability that the system fails because a critical cut set
containing the event fails, with the event failing last. The Barlow-Proschan
importance measure is given by

.Sum of unavailabilities of cut sets containing event

IMP BP = EVENT
Q .System failure frequency
EVENT

where EVENT = Event failure frequency

QEVENT = Event unavailability

206 FaultTree+ V11.2

 Importance Analysis

Sequential Importance

The sequential importance measure for an event considers the role of the failure of
component i when another component j actually causes the system to fail. The
method of calculation of the measure is best illustrated by an example. Take 3
events A, B and C all occurring in the same cut set

A.B.C

The contribution to the importance value for event A is given by

Q A . QB . c + Q A . QC . B
(i.e. all contributions to the cut set failure frequency except for the term where A is
the final failure). Contributions for each cut set are summated and divided by the
system failure frequency.

FaultTree+ V11.2 207

 Time-Dependent Analysis

21. Time-Dependent Analysis

Time-dependent analysis is performed by the program once the minimal cut sets
have been generated and the standard system quantitative parameters have been
evaluated.

A time-dependent analysis evaluates system quantitative parameters such as

unavailability over a range of time points rather than just a single time point. The
program uses the number of intermediate time points and system lifetime, specified
by the user in the Calculation Tab of the Project Options Dialog, to determine
intermediate system parameters such as unavailability and failure frequency. The
total down time and number of expected system failures are calculated by
numerically integrating unavailability and failure frequency, respectively, using
intermediate time point values. Note that the program automatically divides the time
mesh into two groups. The first group of time points, covering the initial time period,
will be closely spaced whereas the second group of time points will be more widely-
spaced. This is due to the fact that the rate of change of system parameters is
usually much greater over the initial time period.

FaultTree+ V11.2 209

 Sensitivity Analysis

22. Sensitivity Analysis

There are two types of sensitivity analysis that may be performed using FaultTree+.
The first type of analysis is a simple sensitivity analysis that varies each events
unavailability and failure frequency by a specified percentage and determines the
resulting effect on the system parameters. The second type of analysis is a special
sensitivity analysis that permits the variation of event or generic model parameters
individually.

Simple Sensitivity Analysis

Simple sensitivity analysis is performed by the program once the minimal cut sets
have been generated and the standard system quantitative parameters have been
evaluated.

A simple sensitivity analysis evaluates system quantitative parameters after

modifying all event unavailability and failure frequencies by a specified percentage.
The purpose of a sensitivity analysis is to determine how sensitive system
parameters are to a global change in event unavailability and failure frequencies.
Event unavailability values and failure frequencies are varied above and below the
normal values by the specified percentage. Note that event unavailability values
are not allowed to vary above 1.

To perform a simple sensitivity analysis set the Sensitivity Analysis Percentage

Variation field to a non-zero value in the Calculation tag of the Project Options
Dialog. The program will then automatically calculate system sensitivity parameters
during a standard analysis run. Results may be viewed in the Results Summary
Dialog.

Special Sensitivity Analysis

To perform a special sensitivity analysis select the Analysis, Special Sensitivity

Analysis pull-down menu option. On selecting this option the program will calculate
the minimal cut sets for the system using the Sets Generation Options specified in
the Project Options Dialog. Once the minimal cut sets have been generated the
Sensitivity Options Dialog will appear allowing you to set the required options for a
special sensitivity analysis run.

A special sensitivity run will recalculate system quantitative parameters for each
event or generic model change specified in the Sensitivity Options Dialog. When
the OK button in the Sensitivity Options Dialog is selected the user will be able to
select a file name to receive the results of the special sensitivity run. Data will be
written to the file in a comma delimited format suitable for opening in spreadsheet

FaultTree+ V11.2 211

Importance Analysis

packages such as Microsoft Excel. The table below is an example of sensitivity

analysis results. Generic models names and descriptions are listed together with
the resulting system unavailability when the event unavailability values are changed
by a factor of 0.1 or a factor of 10.

Generic Model Name Generic Model Description x 0.1 x1 x 10

CB-OP Circuit breaker faults - Operating 7.56E-04 8.30E-04 1.58E-03
CB-ST Circuit breaker faults - Standby 6.62E-04 8.30E-04 3.21E-03
FAN-OP Fan faults - Operating 8.30E-04 8.30E-04 8.30E-04
TR-OP Transformer faults - Operating 5.32E-04 8.30E-04 3.80E-03
TR-ST Transformer faults - Standby 7.50E-04 8.30E-04 1.51E-03
GRID Grid unavailability 7.78E-04 8.30E-04 1.35E-03
DGEN-ST Diesel generator faults - Standby 8.03E-04 8.30E-04 1.10E-03
BATTERY Battery faults - Standby 2.55E-04 8.30E-04 3.18E-03
QUENCHTANK Quench Tank Unavailability Model 8.30E-04 8.30E-04 8.30E-04
RECT-OP Rectifier faults 5.09E-04 8.30E-04 4.04E-03

Target Scope Tab

The target options allow you to select the gate, consequence or risk category for
which you require sensitivity analysis to be performed. If you had a gate selected in
the fault tree diagram before entering the Special Sensitivity Analysis facility then
the gate will already be selected for you in the list.

Object Types to Include in Analysis Scope Tab

These options allow you to specify whether events, generic models and generic
parameters are to be included in the analysis. If you specify an Event Filter Group
then the program will only analyse events belonging to the group. If you specify a
Generic Data Filter Group then the program will only analyse generic models and
parameters belonging to the group.

Results Parameter for Fault Tree Gates Parameters Tab

If you have specified a fault tree gate as the target for the sensitivity analysis then
you must also a select a results parameter. Valid results parameters are

Unavailability
Failure Frequency
CFI (Conditional Failure Intensity)
Q/T (Lifetime unavailability divided by the system lifetime)

212 FaultTree+ V11.2

 Sensitivity Analysis

FaultTree+ will recalculate the specified results parameter for multiple values of the
specified sensitivity parameter. Specification of a results parameter is not
necessary if you have selected a consequence or risk category target.
Consequences and risk category targets use failure frequency and risk results
parameters respectively.

Sensitivity Parameter Parameters Tab

The sensitivity parameter indicates the parameter you wish to vary for events,
generic models and generic parameters.

If you choose an event parameter that is not associated with an individual event,
then that event will not be analysed even if you have Events selected in Object
Types to Include in Analysis. This rule is applied for all parameters except
unavailability and frequency. Events always have their unavailability and frequency
values calculated irrespective of the local model type. A similar rule is applied to
generic models.

Generic parameters will only be analysed if the generic parameter type matches the
sensitivity parameter.

Valid sensitivity parameters are

Failure Rate
Inspection Interval
Time at Risk
Unavailability
Frequency
Repair Rate
MTTF
MTTR
Standby Failure rate
Characteristic Lifetime

No of Factors Factors Tab

The number of factors to be applied to each object during the sensitivity analysis.
The appropriate parameter is multiplied by each factor. Up to 9 factors may be
specified.

Factors Factors Tab

The factors to be applied during the sensitivity analysis

FaultTree+ V11.2 213

Importance Analysis

Auto Assign Factor Factors Tab

Selecting this button will automatically populate the factors. Consecutive factors will
differ by a factor of 10.

214 FaultTree+ V11.2

 Confidence Analysis

23. Confidence Analysis

Confidence analysis is performed by the program once the minimal cut sets have
been generated and the standard system quantitative parameters have been
evaluated.

The system parameters calculated during a fault or event tree analysis are usually
presented in terms of point values that assume that the event failure and repair
parameters that have been entered for the components are known exactly. Knowing
a failure rate exactly does not allow us to predict when the associated component
will fail next, but it does allow us to determine the exact probability that it will fail at a
given time. In reality, however, the statistical data available for failures and repairs
of a given component type may be sparse. This lack of statistical data may lead to
considerable uncertainties in the failure and repair data used in a fault tree study for
a given component.

One source of statistical data for failures may be obtained from testing components.
For example, suppose that a set of 10 identical components are tested for one year.
At the end of the test, we observe that two failures have occurred. Based on these
tests on a limited number of components, we would estimate the component failure
rate to be 0.2. However, the true failure rate might be 0.25 or 0.15, but it is unlikely
to be 0.9 or 0.01. If we had tested more components then the uncertainty in the
failure rate would be smaller.

Uncertainties in component failure rates are often expressed in terms of ranges of

values between given limits. In FaultTree+, normal, lognormal, log-triangular and
log-uniform distributions are generally used to represent the failure rate
uncertainties. For example, the failure rate of a component might be specified as

10 5 0.5x10-5 failures per hour (normal distribution)

or

10 6 to 10
4
failures per hour (lognormal, log-triangular or log-uniform
distribution)

Uncertainties in predicted system parameters such as the system unavailability and

failure frequency may be determined by Monte Carlo sampling techniques.
FaultTree+ uses these techniques to repeatedly sample failure and repair data from
the appropriate distribution and build a statistical picture of the uncertainty in system
parameters. The sampling procedure is summarised in the diagram below.

FaultTree+ V11.2 215

Confidence Analysis

The sampling loop is performed many times to build a statistical picture of the
uncertainties in TOP event parameters. Greater statistical accuracy in the results is
obtained by performing a larger number of simulations. The only disadvantage in
performing a large number of simulations is the increase in computing time
involved.

Results from a confidence analysis are often obtained in terms of system parameter
mean values, together with upper and lower confidence bound values. FaultTree+
provides confidence values in terms of 90%, 95% and 99% confidence limits. For
example, if the program were to compute a 99% single-sided upper confidence
value of 0.01 for system unavailability, this would effectively indicate that the true
value of system unavailability is no greater than 0.01 with 99% confidence.
Alternatively, this may be expressed as the probability of system unavailability
being equal or less than 0.01 is 0.99. If the user has requested that double-sided
confidence values are computed (in the Confidence Analysis Tab of the Project
Options Dialog) then a 99% double-sided upper and lower confidence values of
0.01 and 0.007 for system unavailability would effectively indicate that the true value
of system unavailability is between 0.01 and 0.007 with 99% confidence.

By default, computed confidence bounds assume that the predicted system

parameter variations conformed to a normal distribution. However, the user can
instruct the program to calculate upper and lower bound values using a generalised
distribution. This is done by selecting the Generalised Distribution for Results flag
in the Project Options Dialog (Confidence Analysis Tab). If this option is selected,
the program will store the predicted parameter (e.g. system unavailability) for each
individual simulation. A histogram representing the probability density function for
the predicted parameter value will be constructed (and may be viewed by the user,
when an analysis is completed, as a confidence distribution graph). The program
will numerically integrate the area under the distribution curve to determine the
upper and lower bounds of the parameter. Using a generalised distribution requires
more computer time than assuming a normal distribution but provides more

216 FaultTree+ V11.2

 Confidence Analysis

accurate results for confidence analysis where the confidence distribution for the
predicted parameter is skewed.

Generalise Distribution Plot for Predicted Unavailability

Confidence Correlation Coefficients

Correlation coefficients are calculated for the first parameter (usually failure rate or
unavailability) of generic models if the Generalised Distribution for Results flag has
been selected and parameters are sampled with Independent Sampling for Generic
Data set off. These settings may be made in the Confidence Analysis Tab of the
Project Options Dialog.

Confidence correlation coefficients indicate how much a generic model influences

the uncertainty in the predicted probability or risk for the system. The correlation
coefficient for parameter k is given by

(
j =1
k, j k )(Q j Q )
( k ) =
n n

(k , j k ) 2 . (Q j Q ) 2
j =1 j =1

where ( k ) = correlation coefficient for k

k , j = sample for parameter k during simulation k

FaultTree+ V11.2 217

Confidence Analysis

k = mean value for k over n simulations

Qj = predicted probability or risk during simulation k

Q = mean value for the predicted probability or risk over n simulations

218 FaultTree+ V11.2

 BDD Analysis

24. BDD Analysis

This method allows some fault and event trees to be evaluated exactly without
producing the minimal cut sets. The method will only succeed for certain types of
fault trees. The program will inform the user if it cannot evaluate the project using
the BDD method. Binary Decision Diagram methodology cannot be used if the fault
and event tree dependencies are too complex. FaultTree+ will not permit a BDD
analysis if event sequencing has been specified (although initiator/enabler analysis
is permitted). Note that the effect of disjoint events (set using event groups) will be
ignored in a BDD analysis. Frequencies will only be calculated for coherent fault
trees (fault trees that do not contain any NOT gates or Exclusive OR gates).

The method may be applied by selecting the Perform BDD Analysis option on the
Analysis pull-down menu. Note that importance rankings are not produced when a
BDD analysis is selected.

FaultTree+ V11.2 219

 Common Cause Failures

25. Common Cause Failures

Overview of Common Cause Failures

A common cause failure is the failure of more than one component, sub-system or
system due to the same common cause. FaultTree+ allows users to specify
common cause failures in fault tree diagrams simply by copying and pasting the
appropriate gate or event to the affected part of the diagram. Fault tree gates or
events with the same name will be treated as the same failure event during the
simulation.

It is important to represent common cause failures correctly in the fault tree diagram
as they often make a substantial contribution to the unavailability of systems that
contain redundancy. For example, suppose that a common electrical supply is used
to power 2 pumps in a standby arrangement. Failure of the common electrical
supply would render both pumps unavailable at the same time. If the reliability of the
electrical supply is comparable to the reliability of each pump then the beneficial
effects of employing a redundant configuration would be almost completely
negated.

To illustrate how FaultTree+ may be used to model common cause failures of this
type, let us consider the 2-pump example described above. If we were to ignore the
power supply common cause failure then the fault tree representing both pumps
failing would contain an AND gate with two event inputs. Each event would
represent the independent failure of each pump.

Fault Tree Ignoring Common Power Supply

If, however, we now wish to represent the power supply failure in the fault tree
diagram, we could replace the two pump events with two OR gates. Underneath
each OR gate, we would connect two events: one event to represent the power

FaultTree+ V11.2 221

Common Cause Failures

supply being unavailable and another to represent failures associated with the
pump.

Fault tree including common power supply

In the diagram above, the common cause failure is given the same event name (use
copy and paste to achieve this result). FaultTree+ recognises that the two blocks or
events labelled POWER represent the same failure event simply because they have
the same name.

It is important that common cause failures such as the one discussed above are
included in the fault tree diagram as they can negate the effects of designed
redundancy on the reliability performance of a system. In many cases, common
cause failures can affect the unavailability of a system by orders of magnitude. If
they are included in the fault tree diagram, FaultTree+ will take account of the
effects of common causes. The importance rankings produced during an analysis
will highlight critical common cause failures.

It is strongly recommended that common cause failures associated with system,

component and operator failures are directly included in the fault tree diagram as
discussed above. However, FaultTree+ does provide a facility to include common
cause failures in the calculations without specifically drawing them in the fault tree
diagram. This is done by defining CCF models in the CCF model table and
associating these models with events in the fault tree diagram. In the example
above, this could be done by drawing the original two-event fault tree but assigning
the same CCF beta model to event PUMP1 and event PUMP2.

222 FaultTree+ V11.2

 Common Cause Failures

The CCF models provided by FaultTree+ are generally used to model the following
types of common cause failures:

Environment
Maintenance and testing
Manufacturer
Installation
Calibration
External impacts
Stress
Ageing

As discussed above, we strongly recommend that common cause system,

component and operator faults are included in fault tree diagrams as repeated gates
and basic events. Other categories of common cause failures may be included
specifically in the diagram or represented by associating groups of events with a
CCF model.

If common cause failures are specifically included in the fault tree diagram, the
failure data for the common cause can be directly entered for the common cause
event itself. This is done in the same manner as for any other event in the fault tree.
The only difference between a common cause event and any other event added to
the fault tree diagram in this way is that the common cause event is repeated one or
more times at different places in the diagram. However, if the CCF model table is
used to include common cause failures into an analysis, the user needs to choose
one of the standard CCF model types available and enter certain parameters that
allow unavailability and frequency values to be calculated for the common cause
event.

FaultTree+ V11.2 223

Common Cause Failures

The CCF models provided by FaultTree+ are:

Beta Factor Model

Multiple Greek Letter (MGL) Model
Alpha Factor Model
Beta Binomial Failure Rate (BFR) Model

All of the above CCF models are applied to a group of two or more events. The
simplest and most commonly used model is the Beta Factor Model. To illustrate the
application of these models, consider a two-pump redundancy system where each
pump is driven by independent diesel generators. Suppose that the two pumps are
located close to each other and are attached to the same structure. They may be
affected by a number of different common cause failures such as vibration, high
temperature, humidity, impact or stress. If they are identical pumps with identical
maintenance procedures, they may also be affected by manufacturer and
maintenance-related causes. The four CCF models listed above may be used to
represent these common causes in a fault tree. First, let us define the simple fault
tree which represents the two-pump system:

-3 -6
If both pumps have unavailability values of 10 then the system unavailability is 10
if common causes are ignored.

Let us extend this fault tree representation to consider common cause failures using
the Beta Factor Model.

The Beta Factor Model is the simplest and most widely used of the four common
cause models provide by FaultTree+. This model is based on the assumption that, if
the common cause failure were to occur, all events in the CCF group would fail
together. The beta factor model is a single parameter model requiring only a beta
factor to be specified. In order to introduce the beta factor common cause model
into our fault tree, we could replace the independent events affected by the common

224 FaultTree+ V11.2

 Common Cause Failures

cause with an OR gate with two inputs. One input represents the independent
failures and the other input represents the common cause failures. If we had
included the common cause logic manually in our fault tree, we would produce the
following fault tree for our example pump system:

The resulting minimal cut sets for the TOP event are

TOP = CCF + P1.P2

indicating that occurrence of the common cause event will result in the TOP event
occurring.

The unavailability values of the independent and CCF events are given by

Q I = (1 ).QT
QCCF = .QT

where = beta factor

QI = independent unavailability
QT = total unavailability

FaultTree+ V11.2 225

Common Cause Failures

QCCF = unavailability due to CCF

or they are given by

Q I = QT
QCCF = .QT

if the Adjust Independent Q method is set off in the Project Options Dialog (Sets
Generation Tab).

For our example pump system, let us assume the total unavailability value for each
3 1
pump is 10 and the CCF model beta factor is 10 and the Adjust Independent
Q method is set on. The resulting TOP event unavailability is given by

. x10-3 + 0.9x10-3 x0.9x10-3 = 10081

QTOP 01 . x10-4
If common cause failures hadnt been considered, the TOP event unavailability
would have been calculated as

QTOP 10 3 x10-3 = 10 6
which is two orders of magnitude lower than the value calculated when considering
common cause failures.

Using the FaultTree+ CCF model facility we can obtain the correct top event
unavailability and minimal cut sets without specifically including the common cause
failure events in the fault tree diagram.

For large, highly redundant systems, the automatic introduction of CCF events into
the fault trees may result in a significant increase in the amount of computing time
required for an analysis.

All four of the CCF models provided by FaultTree+ are applied to a group of two or
more events. The program determines which group a given event belongs to by
referencing the CCF model index assigned to an event in the project database
event table.

Beta Factor Model

The beta factor model is based on the assumption that, if the common cause failure
were to occur, all events in the CCF group would fail together. The beta factor
model is a single parameter model requiring only the beta factor to be specified.

226 FaultTree+ V11.2

 Common Cause Failures

If a CCF analysis is requested by the user, the program will automatically replace
events belonging to a beta factor CCF group with the original event plus a new
event representing the CCF. The new event will be given the name of the CCF
model. In effect, the original event is replaced by an OR gate with two inputs: the
original event and the new CCF event. For example, if the event A belongs to CCF
group CCF1 then the expression in Boolean algebra terms will be

A A + CCF 1
where A now represents independent failures of A.

The unavailability values of the independent and CCF events are given by

QI = (1 ). QT
QCCF = . QT

where = beta factor

QI = independent unavailability
QT = total unavailability
QCCF = unavailability due to CCF

or they are given by

Q I = QT
QCCF = .QT

if the Adjust Independent Q method is set off in the Project Options Dialog (Sets
Generation Tab).

MGL Model

The Multiple Greek Letter (MGL) model requires three parameters to be specified:

Beta ( )
Gamma ( )
Delta ( )

FaultTree+ V11.2 227

Common Cause Failures

Each event in a CCF group associated with the MGL model is now automatically
split into an independent failure event and other events representing combinations
of events CCF event failures within the group. For example, consider a MGL CCF
group of four events A, B, C and D. Where the event A occurs in a fault tree, it is
now automatically replaced by the following events:

A + [AB] + [AC] + [AD] + [ABC] + [ABD] + [ACD] + [ABCD]

The terms in brackets represent single CCF events effecting 2, 3 or 4 components

in the CCF group. The first event, A, now represents the independent failure of
event A. Unavailability values for the new events are calculated from the
expression
1 k
Qk = i (1 k +1 )QT
m 1 i =1
k 1

where Qk = unavailability of kth order CCF failure

1 = 1, 2 = , 3 = , 4 = , ....., m +1 = 0
QT = total unavailability
m = group size

m 1 (m 1)!
k 1 = m k ! k 1 !
( )( )

Note that the program only considers up to 4th order CCF combinations when
expanding an MGL CCF group.

Alpha Factor Model

The alpha factor model is treated in a similar manner to the MGL model. The alpha
factor model requires the following four parameters to be specified:

Alpha-1 ( 1 )
Alpha-2 ( 2 )
Alpha-3 ( 3 )
Alpha-4 ( 4 )

228 FaultTree+ V11.2

 Common Cause Failures

The following expressions are used to generate the new event unavailability values:

k k
Qk = QT
m 1 T
k 1

m
T = k k
k =1

where Qk = unavailability of kth order CCF failure

m = group size
QT = total unavailability

m 1 (m 1)!
k 1 = m k ! k 1 !
( )( )

Note that the program only considers up to 4th order calculations when expanding
an Alpha Factor CCF group.

Beta Binomial Failure Rate (BFR) Model

The Beta BFR model expands events in a CCF group in the same way as the MGL
method. The Beta BFR model requires the following three parameters to be
specified:

22
33
44

These factors represent the CCF factors applied to 2nd order failures in a 2nd order
group, 3rd order failures in a 3rd order group and 4th order failures in a 4th order
group, respectively. The general expression for evaluating the new event
unavailabilities is

Qk = mk QT

FaultTree+ V11.2 229

Common Cause Failures

where mk = beta factor for a kth order failure for group size m
Qk = unavailability of kth order failure
QT = total unavailability

The off-diagonal factors ( k m, k 1) may be calculated from the diagonal

factors ( k = m) using the expressions
np m + s
= m
m
f + n. p + s

np k (1 p) m k
=
k
m
f + n. p + s

Note that the program only considers up to 4th order calculations when expanding a
Beta BFR group.

CCF Event Names

The program automatically creates new events during an analysis to represent CCF
failures. In order for the user to identify the origin of CCF events occurring in cut set
lists and importance rankings, the program uses the following naming convention:
for the beta factor model, the name used for the new event is the CCF model name;
for the other CCF models, the CCF model name is used followed by the
combination of events associated with the CCF failure. For example, if three events
A, B and C are associated with a CCF model named CCF1, the new events created
will be named

CCF1[AB] CCF1[AC] CCF1[BC] CCF1[ABC]

The program can only adopt this convention if the new event name does not exceed
10 characters. If the new event name would exceed 10 characters then the CCF
name is followed by the failure order represented by the CCF event. For example if
the event names A, B and C were replaced with names EVENTA, EVENTB and
EVENTC the new events created will be named

CCF1-2 CCF1-2 CCF1-2 CCF1-3

230 FaultTree+ V11.2

 Using House Events

26. Using House Events

House events represent events that are either TRUE (probability = 1) or FALSE
(probability = 0).

House events may be used to temporarily re-configure the fault tree. For example,
this may be useful in determining the temporary effects on system unavailability
when one or more components are out of service due to preventive maintenance.
House events may also be used to allow a single fault tree to represent a number of
different operational phases.

As an example of the use of house events to re-configure a fault tree, consider the
situation where the analyst wishes to determine the temporary effect on
unavailability when a sub-system is undergoing preventive maintenance. If the sub-
system is unavailable when maintenance is being undertaken then the following
fault tree representation could be used.

If the house events HX and HY are set to FALSE, the fault tree represents the
system in the normal state with no preventive maintenance taking place on either of
the two sub-systems. If the house event HX is set to TRUE, the fault tree represents
the case where preventive maintenance is being undertaken on sub-system X.
Analysis of the fault tree for this latter case will provide TOP event unavailability
figures for the duration of preventive maintenance. A similar procedure could be

FaultTree+ V11.2 231

Using House Events

adopted for sub-system Y. The use of house events in this way is based on the
following Boolean relations:

SX + 0 = SX for FALSE house events

SX + 1 = 1 for TRUE house events

House events may be added to a FaultTree+ diagram using the Add, Event to Fault
Tree pull-down menu option or equivalent toolbar button. The event type should
then be modified to HOUSE by double-clicking the left mouse button with the cursor
positioned over the event in the diagram and then modifying the type in the Edit
Event Dialog. The Logic Mode of the event must then be changed to TRUE or
FALSE in the same dialog.

Edit Event Dialog with House Event Settings

Once house events have been added to a project, you may quickly change their
state from TRUE to FALSE and vice versa using the Event Table Dialog. This
dialog is accessed by selecting the Edit, Event Table pull-down menu option. The
Dialog contains a check box allowing the user to show house events only. Once this
check box is selected, the list will only contain house events and a Toggle State
Button will appear at the top left of the dialog. Selecting this button with an event in
the list highlighted will cause the state of the highlighted event to change.

In addition to defining house events explicitly, you can force FaultTree+ to treat
events with probabilities of 0 or 1 as if they were house events during an analysis. If
the implicit house events flag is set on in the Sets Generation Tab of the Project
Options Dialog, all events associated with a FIXED data model will be set to house
events for the purposes of the analysis if their probabilities are exactly 0 (FALSE
house event) or 1 (TRUE house event). If the implicit house events flag is set off,
only events with their logic modes explicitly set to TRUE or FALSE will be treated as
house events during the analysis.

232 FaultTree+ V11.2

 Using Bitmaps

27. Using Bitmaps

Fault and event tree diagrams may be enhanced by placing bitmap illustrations at
appropriate places in the diagram. Bitmaps may be used to highlight a specific part
of a diagram, to illustrate the system schematic relating to the failure logic in the
diagram or to represent a company logo within a diagram.

Bitmaps must be provided by the user in the form of a standard Windows bitmap
file. There are many programs available for producing bitmap images in this form
(Microsoft Paint is an example).

Before you can place a bitmap image within a diagram, you must first add at least
one bitmap to your FaultTree+ project. This is achieved using the tree control to the
left of the diagram edit area. Simply select the Bitmaps node in the tree control and
then click the right mouse button with the cursor positioned in the tree control area.
A pop-up menu will appear. Select the Add a Bitmap option to reveal the Bitmap
Definition Dialog.

Bitmap Definition Dialog

The Bitmap Definition Dialog allows you to browse directories to locate and open
your bitmap file. When a valid bitmap file name is selected, the bitmap picture will
be displayed in the dialog. Select the OK Button to add the bitmap definition to the
project.

There are two methods available for placing bitmaps in a fault or event tree
diagram. The first method is to drag the bitmap node from the tree control into the
diagram edit area. To drag a bitmap, hold the left mouse button down with the
cursor placed over the required bitmap in the tree control. Then, with the mouse
button still held down, move the cursor to the required position in the diagram and

FaultTree+ V11.2 233

Using Bitmaps

release the left mouse button. FaultTree+ will create a label object in the diagram
with the bitmap mode switched on and the bitmap image will be displayed in the
diagram. You may now select the bitmap label in the diagram and shift and scale it
in the same way as a text label. The second method for displaying a bitmap in a
diagram is to first create a standard text label using the Add, Label or Notes pull-
down menu option or equivalent toolbar button. Then select the Clear Add Mode
pull-down menu option, followed by double-clicking the left mouse button over the
new label. The Edit Label Dialog will now appear. Select the Bitmap Label check
box and then select the required bitmap from the list. Selection of the OK Button
will remove the dialog and reveal the bitmap image in the diagram.

Edit Label Dialog

234 FaultTree+ V11.2

 Converting to an AvSim+ Project

28. Converting to an AvSim+ Project

AvSim+ is a reliability and availability program that allows fault tree diagrams to be
analysed using simulation methods. Simulation methods enable the effects of
strong dependencies such as maintenance queuing, spares queuing, cold and
warm standby to be taken into effect when determining a systems reliability and
availability characteristics. AvSim+ can also model the effects of ageing and
scheduled maintenance activities on a component. Lifetime cost calculations may
also be performed.

FaultTree+ provides a facility to automatically create an AvSim+ project

corresponding to the current FaultTree+ project data. Due to various differences in
the database structures for AvSim+ and FaultTree+, certain parts of a FaultTree+
project cannot be converted directly into an equivalent format in an AvSim+ project.
The principal restrictions in the conversion process are listed below.

Event trees will not be transferred to the AvSim+ project

Only RATE, MTTF, RATE/MTTR, RATE-PHASED, WEIBULL and DORMANT
data model types will be transferred
EXCLUSIVE OR gates will be converted to OR gates
INHIBIT and PRIORITY gates will be transferred as AND gates
CCF models will not be transferred
Consequences will not be transferred

If you wish to convert the current FaultTree+ project into an AvSim+ project file,
simply select the Convert to AvSim+ option on the File pull-down menu. You will
be presented with a Save As Dialog allowing you to name the AvSim+ project file.
Once the file has been created, you may open the AvSim+ project from within
AvSim+.

FaultTree+ V11.2 235

 Constructing Markov Models

29. Constructing Markov Models

Markov models may be constructed interactively when in the Markov Models
diagram edit mode. To enter this mode, select the Markov Models Tab at the top of
the diagram edit area.

Adding States to a Markov Model

New states may be added to the Markov diagram by selecting the Add, State pull-
down menu option, or by pressing the equivalent toolbar button. The mouse cursor
will change shape when in the Add State mode. States may be placed in the
diagram simply by pressing the left mouse button with the cursor at the required
position. The program will not permit overlapping states. New states are snapped to
the nearest alignment grid position (the grid may be revealed by selecting the Show
Grid option on the View pull-down menu). In order to exit from the Add State
mode, select the Add, Clear Add Mode pull-down menu option. Alternatively, click
the right mouse button or press the Esc key.

Once a state has been added to the diagram, its attributes may be modified simply
by selecting the state with the left mouse button and then selecting the Edit,
Selection pull-down menu option. Alternatively, double-click the mouse button
whilst the cursor is positioned over the state. The Edit State Dialog will appear
allowing you to modify state attributes.

Edit State Dialog

State Descriptions

State descriptions appear in the Markov diagram. The short description field has a
maximum of 32 characters, whereas the long description field has a maximum of
120 characters. If the description fields have been left blank by the user then the
program will default to displaying the state ID. See the View pull-down menu to
select either the long or short description as a preference.

FaultTree+ V11.2 237

Constructing Markov Models

Initial State Probability

The initial state probability (value must be from 0 to 1) is the probability assigned to
the state at time zero. In a complete Markov system, all the initial state probabilities
should summate to 1.

Unavailability State Flag

The unavailability state flag indicates whether the calculated state probability should
contribute to the system unavailability. States which represent a condition of the
system that renders that system unavailable should have the unavailability state flag
set on.

Next, Previous, First and Last Options

Selection of the Next, Previous, First or Last options in the Edit State Dialog
will prompt the program to move the edit operation to another state. Modifications to
the current state will be retained. States are identified in the order they are created.
Selecting the First Button will therefore transfer the edit operation to the first state
that was created.

Defining Parameters for a Markov Model

Continuous phase transitions in the Markov diagram will be associated with

transition rates (usually failure or repair rates). For a given Markov model, we will
usually wish to vary one or more of the rates. For this reason, FaultTree+ provides a
facility which allows parameters to be associated with transitions. These parameters
may be associated with one or more transitions in the diagram.

To create a parameter, select the Edit, Parameter Table pull-down menu option or
equivalent toolbar button. The Parameter Table Dialog displays all the currently
defined parameters. New parameters may be added to the table by selecting the
Add Button. Existing parameters may be accessed using the Edit Button. The
Add or Edit Parameter Dialog will then appear allowing you to enter long and
short parameter descriptions and other data. For the short description, you may
wish to use Greek symbols and display these symbols in the Markov diagram. For
example, you may wish to represent the failure rate by . Use the View, Parameter
Font pull-down menu option to set the required font to allow symbols to be used
(the Symbol font supplies Greek characters).

238 FaultTree+ V11.2

 Constructing Markov Models

Edit Parameter Dialog

The base failure rate and Weibull data entered for a parameter will be transferred to
transitions associated with that parameter in the Markov diagram.

Defining Phases for a Markov Model

Many system reliability and availability problems may be solved using a single
phase. However, in some circumstances, the nature of the transitions between the
states in a Markov diagram may change during different phases of the system
lifetime. Models taking into account inspections, preventive maintenance and
different stress loads at different times will typically require the lifetime to be split
into phases.

FaultTree+ allows the user to define more than one phase over the system lifetime.
Each individual phase may have a different set of transitions to another phase but
must have the same set of states. Phases may also be defined as continuous time
phases (for which the transitions are associated with transition rates) or discrete
phases (for which the transitions are associated with discrete probabilities).
Continuous time phases must be associated with a finite phase duration. Discrete
phases are instantaneous.

Phases must be defined in the correct chronological order. That is, phase 1 always
follows phase 0 and phase 2 always follows phase 1, etc. If phases have been
defined for a particular project, the phases will be repeated in a cyclic manner until
the system lifetime is reached. For example, if a lifetime of 730 days is specified
with 2 phases of operation lasting 364 days and 1 day, respectively, the following
cyclic behaviour will be applied:

0-364 days Phase 0

FaultTree+ V11.2 239

Constructing Markov Models

364-365 days Phase 1

365-729 days Phase 0
729-730 days Phase 1

If you have more than two phases defined in a project, you may wish to specify that
one of the phases should not be applied on every cycle. You can identify such
phases by specifying an application frequency greater than one. For example,
suppose we have 3 phases (phase 0, phase 1 and phase 2). If we set an
application frequency of 3 for phase 2, the following cyclic behaviour will be applied:

0,1,0,1,0,1,2,0,1,0,1,0,1,2,0,1,0,1,0,1,2.

To define more than one phase over the system lifetime, select the Edit, Phase
Table pull-down menu option or equivalent toolbar button. The Phase Table Dialog
will be displayed showing any phases that have already been defined. New phases
may be added by selecting the Add Button. This action will result in the Add
Phase Dialog being revealed. This dialog allows the user to define whether the
phase is a continuous time phase or a discrete transition phase. For continuous
time phases, the phase duration may also be specified. For discrete transition
phases, the number of discrete operations may be specified. The number of
discrete operations indicates the number of times the user wishes the discrete
transition operations to be applied before moving on to the next phase. Normally,
this value will be set to 1. The Edit Phase Dialog also allows the user to specify a
description for the phase.

Edit Phase Dialog

Adding Transitions to a Markov Model

Transitions may be added to the currently displayed phase by selecting the Add,
Transition pull-down menu option or the equivalent toolbar button. As you move the
cursor into the drawing area, the cursor will change shape to indicate that you are in

240 FaultTree+ V11.2

 Constructing Markov Models

the Add Transition mode. Transitions are added to the diagram by first clicking the
left mouse button with the cursor over the origin state and then clicking the left
mouse button with the cursor over the target state. A message will appear at the
bottom of the screen giving you the appropriate instruction. In order to exit from the
Add Transition mode, select the Add, Clear Add Mode pull-down menu option.
Alternatively, click the right mouse button or press the Esc key.

Once a transition has been added to the diagram, its attributes may be modified
simply by selecting the transition with the left mouse button and then selecting the
Edit, Selection pull-down menu option. Alternatively, double-click the mouse button
whilst the cursor is positioned over the transition. If you have two overlapping
transitions, position the mouse nearer the target state for the required transition
before tapping the left mouse button to select it.

Edit Transition Dialog

The Edit Transition Dialog allows users to modify the attributes of the associated
transition. The dialog is divided into two pages, one for defining rate data and the
other for specifying the drawing style.

If the transition is associated with a discrete phase, the user will only be required to
enter a discrete probability.

If the transition is associated with a continuous phase, the user may modify the
following items associated with rate data:

Associated parameter and parameter multiplier

Constant base rate
Time-dependent parameters

FaultTree+ V11.2 241

Constructing Markov Models

If the user chooses to associate a parameter with the transition then the base rate
and time-dependent Weibull data will be extracted from the parameter definition. If
the user does not associate a parameter with the transition, the base rate and time-
dependent data must be entered in the Edit Transition Dialog.

The base transition rate defines the constant conditional transition rate between the
specified input and output states. This rate defines the probability that the system
will transfer from the input state to the output state in the interval
t t + t conditional on the system being in the input state at time t .
Time-dependent transition rates may be specified by setting the Absolute Time or
Phase Time options in the Edit Transition Dialog. If either of these options is
selected, FaultTree+ will use the Weibull data values (eta, beta and gamma) to
define the time-varying part of the transition rate. Note that eta is the Weibull
characteristic life, beta is the Weibull shape parameter and gamma is the location
parameter.

The time-varying transition rates are specified in the form of a Weibull distribution
which is superimposed on the base failure rate:

(t ) 1
(t ) = 0 +

where 0 = base failure rate
= Weibull characteristic lifetime
= Weibull shape parameter
= Weibull location parameter

If the transition is associated with a discrete phase, the user will only be required to
enter the discrete transition probability. The transition probability is used to
determine output state probabilities after a single discrete operation. State
probabilities after a discrete phase operation are determined by applying the
following expression.

n n
Pj = ij Pi ji Pj
i =1,i j i =1,i j

where Pj = probability of state j

ij = transition probability from state i to state j

242 FaultTree+ V11.2

 Constructing Markov Models

Markov Diagram Layout Options

FaultTree+ provides the following menu options which affect the layout when editing
a Markov diagram. These options may be found on the View pull-down menu.

Next Phase
Previous Phase
Diagram Font
Parameter Font
Show Grid
Show Transition Rates
Show Transition Parameters
Show Lifetime State Probabilities
Show Initial State Probabilities
Show Mean State Probabilities
Show State Long Descriptions
Shift Selected State(s) to the Left
Shift Selected State(s) to the Right
Shift Selected State(s) Up
Shift Selected State(s) Down

Selection of the Next Phase or Previous Phase changes the currently displayed
phase. More than one phase must first be defined in the Phase Table before this
option will become effective. The current phase shown in the visible Markov
diagram is indicated in the combo control in the toolbar area.

Selection of the Diagram Font option produces a standard font selection dialog.
The user may select the required font for the displayed Markov diagram (excluding
parameters).

Selection of the Parameter Font option produces a standard font selection dialog.
The user may select the required font for the displayed parameters.

If any of the Show options are set, the relevant data will be displayed in the Markov
diagram. Note that lifetime and mean probabilities will only be displayed if the
results are up-to-date. Note also that transition parameters and transition rates are
not displayed together.

The four shift options will shift selected states by a single grid interval in the
specified direction. Selection of the arrow keys will also shift selected Markov state
symbols.

FaultTree+ V11.2 243

Constructing Markov Models

Performing a Markov Analysis

Verifying Data

Before performing an analysis, the user may request FaultTree+ to verify the
existing Markov model data by selecting the Analysis, Verify Data pull-down menu
option. A Data Verification Dialog will be displayed showing warning messages or
fatal errors encountered. An analysis cannot be performed if any fatal errors are
encountered. FaultTree+ also automatically checks for fatal errors when an analysis
is started by the user.

Data Verification Dialog

The following error checks are performed by FaultTree+:

Check for no states defined (Fatal)

Check for initial state probabilities not summating to zero (Warning)
Check for no unavailability states (Warning)
Check for no availability states (Warning)
Check for no transitions defined (Fatal)
Check for no transitions defined for an individual phase (Warning)
Check for states with no connected transitions (Warning)

You may edit the state or phase relating to the error by selecting the error message
followed by selection of the Edit Button. Alternatively, you can just double-click the
mouse over the error message.

If there are a lot of error messages, you may wish to print the contents of the Data
Verification Dialog by selecting the Print Button.

244 FaultTree+ V11.2

 Constructing Markov Models

Setting the Analysis Options

Analysis options may be modified before starting an analysis by selecting the

Analysis, Options pull-down menu option or equivalent toolbar button. Selection of
this option will result in the Analysis Options Dialog being displayed.

Analysis Options Dialog

This dialog allows the user to set the following parameters:

System lifetime
Minimum time-step
Maximum time-step
Accuracy indicator
Number of time intervals

The user may also specify that the system lifetime should be set to the FaultTree+
project lifetime value. This is achieved by selecting the Use FaultTree+ Project
Lifetime flag.

During a Markov analysis, FaultTree+ will perform a numerical integration from time
zero until the specified system lifetime. The program employs 4th order Runge-
Kutta numerical integration methods using a time-step related to the accuracy
indicator and minimum and maximum values specified by the user. A high accuracy
indicator value will result in a larger time-step being employed and less accurate
results, but a faster analysis time. A low accuracy indicator value will result in a
smaller time-step being employed and more accurate results, but a slower analysis
time. The default value of 1 is recommended for this parameter. Note that
FaultTree+ takes into account a number of factors when determining the actual time
step used. These factors are:

User specified minimum and maximum step values

Accuracy indicator

FaultTree+ V11.2 245

Constructing Markov Models

Transition rates for a given phase

Time intervals specified by the user

The number of time intervals specified by the user determines the frequency at
which data will be recorded for reports and graphs.

Performing an Analysis

The user may start an analysis run by selecting the Start option on the Analysis
pull-down menu or by selecting the relevant toolbar button. The progress of the
analysis is indicated in the message strip along the bottom of the main window. The
analysis process involves numerically integrating the differential equations that
represent the Markov diagram. Fourth order Runge-Kutta methods are used to
perform the numerical integration between adjacent time-steps. The analysis will
terminate once the system lifetime has been reached, or when the user selects the
Abort option on the Analysis pull-down menu. The analysis process may also be
terminated by selecting the appropriate toolbar button or by pressing the Escape
key.

Analysis Data

The program calculates a wide range of parameters associated with the Markov
model system. These parameters are:

Unavailability
Availability
Unreliability
Reliability
Failure frequency (unconditional failure intensity)
Repair frequency (unconditional repair intensity)
Failure rate (conditional failure intensity)
Repair rate (conditional repair intensity)
Number of expected failures
Number of expected repairs
Mean unavailability over lifetime
Mean availability over lifetime
Expected total downtime over lifetime
Expected total uptime over lifetime

The program also calculates mean and lifetime probabilities for states in the
transition diagram.

246 FaultTree+ V11.2

 Constructing Markov Models

Markov Model Results and Graphs

A summary of the calculated parameters for an individual Markov model may be

obtained by selecting the Results, Summary pull-down menu option when the
Markov Models tab is selected at the top of the diagram edit area. A dialog will be
revealed listing lifetime data, mean values and error factors.

The Markov Models Module also provides a facility to view data in graphical format
after a Markov analysis run has been completed. A variety of data items may be
displayed. These data items are listed below.

Unavailability
Availability
Failure Frequency
Repair Frequency
Unreliability
Reliability
Conditional Failure Intensity
Conditional Repair Intensity
No. of Expected Failures
No. of Expected Repairs

To display a graph, select the Results, Graphs pull-down menu option or

equivalent toolbar button. A dialog will appear allowing the user to select the type of
graph to be displayed.

Graphs Dialog

After the graph type has been selected and the OK Button pressed, FaultTree+ will
display the requested graph.

FaultTree+ V11.2 247

Constructing Markov Models

Example Unavailability Graph

Attaching Markov Models to a FaultTree+ Project

FaultTree+ may be used to analyse Markov models individually. However, one of

the powerful features of FaultTree+ is that one or more Markov models may be
assigned to events in a fault or event tree. Once a Markov model has been created
and saved to a Markov model file, we can move back to either the fault tree or event
tree modes and attach that Markov model to a FaultTree+ project.

This may be achieved by selecting the Markov Models node in the project tree
control and then pressing the right mouse button with the cursor inside the tree

248 FaultTree+ V11.2

 Constructing Markov Models

control area. Then, select Add a Markov Model from the pop-up menu that
appears.

Selecting Add for a Markov Model

The Markov Model Definition Dialog will be revealed. The Markov Model File may
then be set to the name of a Markov model file using the Browse Button.

Markov models that have been attached to a FaultTree+ project (and therefore
appear in the project tree control) may be attached to events in the fault trees or
event trees in that project. The values of unavailability and failure frequency
calculated during the Markov analysis process are then transferred to the
appropriate events in the fault or event trees. It may not always be appropriate to
transfer the point unavailability and failure frequency values calculated at the
system lifetime. In some circumstances (e.g. for periodically varying unavailability
values), it may be appropriate to transfer the mean or maximum values. The
Markov Model Definition Dialog allows the user to specify the required option. Note
that if the Use Point Q and w option is selected and the Markov Model was defined
over a period other than the system lifetime, FaultTree+ will interpolate the values of
unavailability and frequency to the system lifetime.

FaultTree+ V11.2 249

Constructing Markov Models

Markov Model Definition Dialog

Markov models that have been attached to a FaultTree+ project may be associated
with any of the events in the project fault or event tree diagrams. This is achieved
via the Edit Event Dialog. In this dialog, you will be able to set the Use Markov
Model radio button and select the appropriate Markov model from the list box in the
dialog.

Markov Integration Methods

Criteria for Determining the Time-Step

For each system phase, the following criteria are applied sequentially when
determining the actual time-step to be used:

h = min{ / }

where = user-defined accuracy indicator

i = ith transition rate for phase
The expression above is only applied for non-zero transition rates.

If h < hmin then h is set equal to hmin

If h > hmax then h is set equal to hmax

where hmin = the minimum time-step set by the user

250 FaultTree+ V11.2

 Constructing Markov Models

hmax = the maximum time-step set by the user

If h>I /2 then h=I /2

If h>P /2 then h=P / 2

where I = interval duration

P = phase duration
Runge-Kutta Integration Method

The Markov module employs 4th order Runge-Kutta numerical integration methods
for calculating the time-dependent state probabilities. This method is defined by the
following expressions extended to systems of differential equations:

dp
= f (t, p)
dt

1 1 1 1
pn+1 = p n + k1 + k 2 + k3 + k4 + O( h 5 )
6 3 3 6

k1 = hf ( t n , pn )

1 1
k2 = hf ( t n + h, pn + k1 )
2 2

1 1
k3 = hf ( t n + h, p n + k 2 )
2 2

k4 = hf ( t n + h, p n + k3 )

Discrete Transitions

State probabilities after a discrete phase operation are determined by applying the
following expression:

FaultTree+ V11.2 251

Constructing Markov Models

n n
Pj = ij Pi ji Pj
i =1,i j i =1,i j

where Pj = probability of state j

ij = transition probability from state i to state j

Error Factors

The Markov module provides three different error factors that monitor the accuracy
of the results.

During a system analysis run, FaultTree+ actually performs two separate

integrations over the system lifetime. One integration is performed using a time-step
of one half the value used for the other integration. The following error factor is
determined at each recorded time-point:

= 2 q0 q1 / ( q0 + q1 )

where q0 and q1 represent calculated unavailabilites on the two runs.

Error factor 1 presented in the results is the maximum value of for all recorded
time-points over the system lifetime.

Error factor 2 presented in the results is the value of at the system lifetime.

If large time-steps are employed for a system which approaches a steady-state

value, the error in the lifetime result (when the steady-state value of unavailability
has been reached) will generally be far less than the error for values during the
transitional phase. This difference will be indicated in the values of error factor 1
and error factor 2.

Error factor 3 is determined by comparing the summated state probability at each

time-point with the initial summated state probability at time zero. Error factor 3
represents the maximum difference found.

252 FaultTree+ V11.2

 The Report Generator

30. The Report Generator

Printing, Previewing and Designing Reports

You may print, preview and design reports using the Report Generator that is
integrated into the FaultTree+ program. The Report Generator is a generic facility
that also provides the reporting functionality for other reliability applications. The
Report Generator is a very powerful and flexible tool that allows you to design
customised text reports and graphs as well as selecting standard reports provided
with the application.

When you select the Print, Print Preview or Design Report options on the File
pull-down menu, FaultTree+ will copy the current project data (including analysis
results, if they are up-to-date) into an application database and start up the Report
Generator. When the Report Generator starts up, it will access the data contained in
the database. The Report Generator provides facilities for designing your own
customised reports.

If calculations are up-to-date, selection of Print or Print Preview options on the

File pull-down menu will result in the Print/Export Options Dialog being displayed.

Print/Export Options Dialog

This dialog allows you to select one gate, one consequence and a risk category for
which importance data and cut set information will be transferred to the Report
Generator Database. You will be able to select any gate for which results have been
retained and any consequence and risk category. It is necessary to filter importance
and cut set data in this way to ensure that the Report Generator Database is not
excessively large. In addition, you may restrict the number of cut sets to be listed in
printed reports.

FaultTree+ V11.2 253

The Report Generator

Once the OK Button has been selected in the Print/Export Options Dialog, the
database for the Report Generator will be constructed and the Report Explorer
window will now be displayed, together with a list of standard reports.

Report Wizard

FaultTree+ also provides a Report Wizard that allows you to quickly create new
reports from scratch. The Report Wizard may be accessed from the File menu.

Further Reference

The Report Generator provides a wealth of options for printing, previewing and
designing reports. A full description of these facilities may be obtained by accessing
the Report Generator Help Facility or the Report Generator User Manual.

Ordering Fault Tree Pages in a Printed Report

FaultTree+ provides a facility for allowing the user to specify the order of fault tree
pages in a printed report. To access this facility, select the File, Fault Tree Page
Order pull-down menu option.

User-Specified Print Order Dialog

Move Selections Up and Down

A dialog will appear displaying the current order ranking of each fault tree page in
the project. Pages in the ranking list may be moved up or down by selecting the

254 FaultTree+ V11.2

 The Report Generator

appropriate pages in the list and then selecting the Move Selections Up or Move
Selections Down Buttons. Multiple pages are selected by holding the Ctrl key
down whilst selecting pages.

Order by Hierarchy or Alphanumerically

You may reset the ordering by selecting the Order by Hierarchy or Order
Alphanumerically Buttons.

Select All Pages Connected Below

The Select All Pages Connected Below automatically selects all pages logically
connected to the currently selected page gates in the list.

Filtering Fault Tree Pages in a Printed Report

FaultTree+ provides a facility that allows users to filter fault tree pages in a printed
report. To access this facility, select the File, Fault Tree Page Filter pull-down
menu option.

A dialog will appear displaying the current filter options.

All Pages

Printed reports will contain all fault and event tree pages.

Visible and Below

Printed reports will contain the visible fault or event tree page as well as all pages
that are connected logically below the visible fault or event tree.

Visible Only

Only the visible fault or event tree will appear in printed reports.

Creating Metafiles

FaultTree+ provides a facility that allows users to directly create metafiles for fault
and event tree diagrams. Metafiles may be inserted into Word documents and other
Windows applications. FaultTree+ creates Windows enhanced metafiles when the
user selects one of the File, Diagram to Metafile pull-down menu options. Users
may create a single metafile representing the visible diagram, or multiple metafiles
representing all fault and event tree pages.

FaultTree+ V11.2 255

The Report Generator

Each metafile will be given a default base name. This name may be changed by the
user (in a Save As Dialog that appears) when creating the metafile(s). If multiple
metafiles are produced, and the Use Names for Metafiles flag in the Reports Tab
of the Project Options Dialog has been set, then the name of the file will be
extended using the name of the fault tree page or the name of the event tree. If this
flag has not been set then multiple file names will be extended automatically with a
number.

You may control the page size using the Metafile Page Width (mm) and Metafile
Page Height (mm) fields in the Project Options Dialog (Reports Tab).

The Diagram to Clipboard options on the File pull-down menu will create an
enhanced metafile on the clipboard representing the visible diagram. Users may
paste this image directly into other applications such as Microsoft Word.

256 FaultTree+ V11.2

 Import/Export Facilities

31. Import/Export Facilities

A powerful import/export facility is provided with FaultTree+ allowing data to be
transferred directly to and from Microsoft Access databases and spreadsheet
programs such as Microsoft Excel. In addition, text files may be imported and
exported.

To access the import/export facility, select the File, Import or File, Export pull-
down menu options.

Print/Export Options Dialog

If you are accessing the Export facility, FaultTree+ will display the Print/Export
Options Dialog before entering the export facility.

Print/Export Options Dialog

This dialog allows you to select one gate, one consequence and one risk category
for which importance data and cut set information will be exported. You will be able
to select any gate for which results have been retained and any consequence. It is
necessary to filter importance and cut set data in this way to ensure that the amount
of exported data is not excessively large. In addition, you may restrict the number of
cut sets to be exported.

Further Reference

The import/export function provides its own user manual and help facility.

FaultTree+ V11.2 257

 Inserting Data from the Isograph Parts Library

32. Inserting Data from the Isograph Parts Library

The Isograph Parts Library (IsoLib) is a database that contains failure data for
mechanical and electronic parts. Licensed users may transfer data directly from the
Isograph Parts Library to the current project from within FaultTree+. To access the
Isograph Parts Library select the Parts Library button (third button) above the far
right of the right hand window. If a connection has not automatically been made to
the parts library you will need to connect to it by selecting the Tools, Connect to
Parts Database pull-down menu option. A dialog will appear allowing you to browse
for the parts database file. This file is named Parts.mdb and is normally located in
the FaultTree+ program folder.

When a successful connection has been made to the Parts Library the part groups
will be displayed in the top half of the right window. Only parts belonging to licensed
categories of the library will be displayed. Parts are available in the categories of
NPRD and IAEA. Selecting a part group in the top of the right window will result in
the associated parts being displayed in the grid control at the bottom of the right
window so long as the Filter by Group Selection flag is set on. This flag may be
toggled on or off from the right window pop-up menu or by selecting the group filter
button at the top left of the grid control. Parts may also be filtered by typing text
string filters in the first row of the grid control and then selecting the Apply Column
Filter option from the right window pop-up menu or alternatively by selecting the
Apply Column Filter button to the left of the first row. The current conditions under
which parts are filtered are displayed below the last row of the grid control.

Once you have located the required part you may transfer the part to the current
project using drag and drop. Drag the part from the grid control over the generic
data node in the project tree control in the left window. The part will be copied to the
project as a generic model or a generic parameter depending on the setting of the
Create models when importing library parts flag in the Library tab of the Project
Options Dialog. A generic model or parameter will be created with a failure rate
corresponding to the failure rate recorded in the IsoLib parts library.

You may sort the parts displayed by selecting a column in the grid control and then
selecting the Sort Ascending or Sort Descending option on the right button pull-
down menu.

You may modify the columns displayed in the grid control and set the maximum
number of parts displayed by selecting Grid Options on the right button pop-up
menu. The resulting dialog also provides another means by which to modify the sort
mechanism.

FaultTree+ V11.2 259

 Miscellaneous Dialog Descriptions

33. Miscellaneous Dialog Descriptions

This chapter describes FaultTree+ dialogs that are not described in other parts of
this manual.

The About Dialog

The About FaultTree+ Dialog provides information about the program version and
current limits. A copyright message is also displayed.

About FaultTree+ Dialog

The Prompt Dialog

The prompt dialog may appear at various points during program operation when a
single data item is required to be entered by the user. Press the OK Button after
entering the data value or press the Cancel Button to abort the operation.

FaultTree+ V11.2 261

Miscellaneous Dialog Descriptions

The Replace Text Dialog

You may globally replace text contained within description fields by using the
Replace Text facility. This facility is accessed by selecting the Edit, Replace Text
pull-down menu option. On selecting this option, the Replace Text Dialog will
appear, allowing one string of text to be replaced with another throughout the
description field categories defined on the right-hand side of the dialog.

Find what

The text to be found and replaced.

Replace with

The new text to be entered in place of the existing defined text.

Match case

Indicates that only text matching the case of that defined will be found.

Match whole word only

Indicates that the entire word must match the text to be found.

Replace Text Dialog

262 FaultTree+ V11.2

 Miscellaneous Dialog Descriptions

The Modify Inspection Intervals Dialog

The Modify Inspection Intervals Dialog appears when the user has selected the
Modify Inspection Intervals option on the project tree control pop-up menu. This
menu may be accessed by pressing the right button with the cursor positioned
within the project tree control area. This option is only available if the event or
generic model node is currently selected in the tree control, or if an individual event
group, generic model group, event or generic model is selected. Inspection intervals
will be modified for the events or generic models below the current tree control
selection.

Modify Inspection Intervals Dialog

Event or generic model list

When the Modify Inspection Intervals Dialog appears, it will contain a list of all the
events or generic models associated with the selected tree control node that are
associated with either the dormant or sequential failure model types. The user must
then select all, or some, of the items in this list before modifying their inspection
intervals. Items may be selected and deselected by pressing the left button of the
mouse with the cursor positioned over the name field of the appropriate item.
Multiple selections may be made by holding the Ctrl or Shift keys whilst pressing
the mouse button.

New inspection interval

After the appropriate items have been selected from the list, the new inspection
interval value should be entered in the New inspection interval field in the dialog.

Apply

The Apply Button may be selected to change the inspection intervals of all the
selected items in the list.

FaultTree+ V11.2 263

Miscellaneous Dialog Descriptions

The Modify Time at Risk Dialog

The Modify Time at Risk Dialog appears when the user has selected the Modify
Time at Risk option on the project tree control pop-up menu. This menu may be
accessed by pressing the right button with the cursor positioned within the project
tree control area. This option is only available if the event or generic model node is
currently selected in the tree control, or if an individual event group, generic model
group, event or generic model is selected. Times at risk will be modified for the
events or generic models below the current tree control selection.

Modify Time at Risk Dialog

Event or generic model list

When the Modify Time at Risk Dialog appears, it will contain a list of all the events
or generic models associated with the selected tree control node that are
associated with the Time at Risk failure model type. The user must then select all,
or some of, the items in this list before modifying their times at risk. Items may be
selected and deselected by pressing the left button of the mouse with the cursor
positioned over the name field of the appropriate item. Multiple selections may be
made by holding the Ctrl or Shift keys whilst pressing the mouse button.

New time at risk

After the appropriate items have been selected from the list, the new time at risk
value should be entered in the New time at risk field in the dialog.

Apply

The Apply Button may be selected to change the time at risk values of all the
selected items in the list.

264 FaultTree+ V11.2

 Miscellaneous Dialog Descriptions

The Dependencies Dialog

The Dependencies Dialog lists the dependencies for a given object within the
current FaultTree+ project. This dialog may be accessed by selecting an item from
the Table Dialog list for the appropriate object. For example, if you wish to list the
dependencies of a gate in the project, first select the Edit, Gate Table pull-down
menu option to reveal the Gate Table Dialog. Then, select the required gate in the
list, followed by selection of the Dependencies Button. The Dependencies Dialog
will now be displayed.

Dependencies Dialog for a Gate Object

Dependencies List

The Dependencies Dialog lists the type, name and descriptions of all
dependencies within the project. Dependencies exist where one object is
associated with another object in the project. For example, a generic model may be
associated with events and CCFs within a project. An event may be associated with
fault tree gates or event trees.

Display

If you are displaying dependencies for an event or a gate, you will be able to select
one of the listed dependencies and then select the Display Button. FaultTree+ will
then display the appropriate page of the fault or event tree in the diagram edit area.

FaultTree+ V11.2 265

Miscellaneous Dialog Descriptions

The Customise Event Group Categories Dialog

Selection of the Tools, Customise Event Group Categories pull-down menu option
reveals the Customise Event Group Categories Dialog.

Customise Event Group Categories Dialog

The Customise Event Group Categories Dialog allows the user to customise the
event group category descriptions. Event group categories are useful when filtering
event groups in reports. For example, event group importance rankings would
normally be filtered by category, particularly when many events belong to multiple
event groups.

There are ten event group category descriptions that may be modified in the dialog.

266 FaultTree+ V11.2

 Miscellaneous Dialog Descriptions

The Customise Consequence Categories Dialog

Selection of the Tools, Customise Consequence Categories pull-down menu

option reveals the Customise Consequence Categories Dialog.

Customise Consequence Categories Dialog

The Customise Consequence Categories Dialog allows the user to customise the
consequence category descriptions. The user may also indicate which
consequence categories are to be visible in the event tree diagram. If the View in
Diagram flag is set off then consequences belonging to the associated category will
not be displayed.

There are ten consequence category descriptions that may be modified in the
dialog.

FaultTree+ V11.2 267

Miscellaneous Dialog Descriptions

The Customise Notes Captions Dialog

Selection of the Tools, Customise Notes pull-down menu options reveal the
Customise Notes Captions Dialogs.

Customise Event Notes Captions Dialog

The Customise Notes Captions Dialogs allow users to customise the captions
identifying note categories. There are eight event group category descriptions that
may be modified in the dialog.

The Clipboard Parts Dialog

The Clipboard Parts Dialog is revealed when the user selects the Tools, Insert
Data from the Isograph Parts Library pull-down menu option or equivalent toolbar
button.

Clipboard Parts Dialog

268 FaultTree+ V11.2

 Miscellaneous Dialog Descriptions

The Isograph Parts Library is a separate application that serves a range of Isograph
products. The library provides part failure rates for generic component types. When
using the Isograph Parts Library, users place selected parts onto the clipboard
ready for insertion into applications such as FaultTree+.

The Clipboard Parts Dialog identifies the parts on the clipboard by their part
number and description.

Add to Generic Parameter Table

Selection of this button adds the selected parts in the list to the Generic Parameter
table.

Add to Generic Model Table

Selection of this button adds the selected parts in the list to the Generic Model
table.

Add to Event Table

Selection of this button adds the selected parts in the list to the Event table.

Refresh Clipboard List

Updates the list with any new parts added to the clipboard from the Isograph Parts
Library.

FaultTree+ V11.2 269

 Glossary of Terms

Appendix 1 - Glossary of Terms

Common Cause Failure The occurrence of more than one failure event due to the
same cause.

Conditional Failure Intensity The probability of failure per unit time given that the
component was as good as new at time zero and is working at time t.

Cut Set A group of events which will cause system failure when occurring
together.

Dormant Failure A failure which will remain unrevealed until an inspection takes
place.

Enabler Event An event which will only contribute to a system failure when it is
not the last event to occur in a cut set sequence.

Failure Frequency Term used by the program to represent the unconditional

failure intensity. The unconditional failure intensity is the probability that the
component or system fails per unit time given that it was as good as new at time
zero.

Failure Rate The probability of failure per unit time given that the component was
as good as new at time zero and has survived to time t.

F-N Curve A plot displaying the frequency of consequences against their

respective weights. The term F-N curve originates from the use of such curves to
depict the frequency of consequences harming N people.

Initiator Event An event which will only contribute to a system failure when it is
the last event to occur in a cut set sequence.

Lifetime The total time period for which the analysis is performed. Point system
values are provided at the specified lifetime and at intermediate time points in a
time-dependent analysis.

FaultTree+ V11.2 271

Glossary of Terms

Mean Time Between Failures (MTBF) The mean time between failures for
repairable systems is determined from the expression

1
MTBF =
()

where () is the failure frequency (unconditional failure intensity) at infinity.

Mean Time to Repair (MTTR) This parameter represents the mean time required
to repair the system and is given by

Q ( )
MTTR =
()

where Q () is the unavailability at infinity and () is the failure frequency

(unconditional failure intensity) at infinity. This parameter is only calculated for
repairable systems.

Mean Time to First Failure (MTTF) The mean time to first failure for the system.
This parameter is defined by the expression

MTTF = R(t ).dt
0

where R (t ) is the reliability of the system at time t. Note that the following
expression holds for repairable systems with a constant failure rate

MTBF = MTTF + MTTR

Minimal Cut Set A cut set which contains the minimum events required for failure.
If an event is removed from a minimal cut set the remaining events will not cause a
system failure on their own.

Number of Expected System Failures The number of times the system is

expected to fail over the specified lifetime.

Path Set A group of events which, when occurring together in their success states,
will ensure system success.

272 FaultTree+ V11.2

 Glossary of Terms

Point Value Parameter value at a single point in time. Program point values are
given at the system lifetime.

Total Down Time The total time the component or system is expected to be
unavailable for the specified system lifetime.

Unavailability The probability that the component or system is unavailable at any

given time.

Unreliability The probability of one or more failures over a specified time period.
The number of expected system failures (W) provides a good approximation for
system unreliability for cases where W << 1

FaultTree+ V11.2 273

 References

Appendix 2 - References
Mosleh A, Common Cause Failures : An Analysis Methodology and Examples.
Reliability Engineering and System Safety, 34 (1991) 249-292.

Andrews J D & Moss T R, Reliability and Risk Assessment, Longman Scientific and
Technical (1993)

Henley E J & Kumamoto H, Reliability Engineering and Risk Assessment, Prentice-

Hall (1981)

Aven T, Reliability and Risk Analysis, Elsevier Applied Science (1992)

Green A E & Bourne A J, Reliability Technology, Wiley (1972)

Hassel D F, Roberts N H, Vesely W E & Goldberg F F, Fault Tree Handbook, US

Nuclear Regulatory Commission, NUREG-0492

McCormick N J, Reliability and Risk Analysis, Academic Press (1981)

British Standard 5760 (Part 7 : 1991), Reliability of Systems, Equipment and

Components

FaultTree+ V11.2 275

 Database Structure

Appendix 3 Database Structure

This section details the FaultTree+ database structure utilised by the Report
Generator, Import and Export Programs. Note that some tables and fields are
import disabled.

The Events and Generic Model Tables all refer to parameter indices for defining
quantities such as failure rate, repair rate etc. The parameters have different
meanings depending on the data model type. For example, parameter 0 represents
the failure rate for the RATE model. However, parameter 0 represents the
unavailability for the FIXED model.

Each model type requires up to 14 parameters to be specified. The parameters

required for each model are given below. Note that the parameter index
corresponds to the order displayed in the FaultTree+ program dialogs.

Fixed Model
Index Description
0 Unavailability
1 Standard deviation or error factor for unavailability
2 Failure frequency
3 Standard deviation or error factor for failure frequency

Rate Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Repair rate
3 Standard deviation or error factor for repair rate

MTTF Model
Index Description
0 Mean time to failure (MTTF)
1 Standard deviation or error factor for MTTF
2 Mean time to repair (MTTR)
3 Standard deviation or error factor for MTTR

Dormant Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Mean time to repair (MTTR)
3 Standard deviation or error factor for MTTR
4 Inspection interval

FaultTree+ V11.2 277

Database Structure

Sequential Model
Index Description
0 Failure Rate
1 Inspection Interval
2 S2 parameter
3 S3 parameter
4 Dormancy flag
5 Group ID

ET Initiator Model
Index Description
0 Frequency
1 Standard deviation or error factor for frequency

Standby Model
Index Description
0 Operating failure rate
1 Standard deviation or error factor for operating rate
2 Standby failure rate
3 Standard deviation or error factor for standby rate
4 Repair rate
5 Standard deviation or error factor for repair rate
6 Total no. of components
7 No. of operating components
8 No. of repair crews available

Time at Risk Model

Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Time at risk

Binomial Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Repair rate
3 Standard deviation or error factor for repair rate
4 n
5 m

278 FaultTree+ V11.1

 Database Structure

Poisson Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 n
3 s

Rate/MTTR Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Mean time to repair (MTTR)
3 Standard deviation or error factor for MTTR

Weibull Model
Index Description
0 Characteristic lifetime
1 Standard deviation or error factor for characteristic lifetime
2 Shape parameter
3 Location parameter

Fixed-Phased Model
Index Description
0 Unavailability
1 Standard deviation or error factor for unavailability
2 Failure frequency
3 Standard deviation or error factor for failure frequency
4 Phase 1 adjustment factor
5 Phase 2 adjustment factor
6 Phase 3 adjustment factor
7 Phase 4 adjustment factor
8 Phase 5 adjustment factor
9 Phase 6 adjustment factor
10 Phase 7 adjustment factor
11 Phase 8 adjustment factor
12 Phase 9 adjustment factor
13 Phase 10 adjustment factor

FaultTree+ V11.2 279

Database Structure

Rate-Phased Model
Index Description
0 Failure rate
1 Standard deviation or error factor for failure rate
2 Repair rate
3 Standard deviation or error factor for repair rate
4 Phase 1 adjustment factor
5 Phase 2 adjustment factor
6 Phase 3 adjustment factor
7 Phase 4 adjustment factor
8 Phase 5 adjustment factor
9 Phase 6 adjustment factor
10 Phase 7 adjustment factor
11 Phase 8 adjustment factor
12 Phase 9 adjustment factor
13 Phase 10 adjustment factor

Failure model distribution settings (normal, lognormal, log-triangular or log-uniform)

indicate the distribution type for the failure model parameters representing standard
deviations or error factors. For example, failure model distribution 0 represents the
distribution type for the failure rate standard deviation or error factor parameter if the
model type is RATE. If the model type is FIXED then the failure model distribution 0
would represent the distribution type for the unavailability.

280 FaultTree+ V11.1

 Database Structure

Table : Events

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Symbol Type No Basic, Undeveloped,
Conditional,
House,
Dormant
Description No Max. 120 characters
Logic Mode No Basic, True, False
Use Generic Model No Off, Generic, Markov
Generic Model Name No Blank if not set
Failure Model Type No Fixed, Rate, MTTF,
Dormant,
Sequential, Event Tree
Initiator, Standby, Time
At Risk, Binomial,
Poisson, Rate/MTTR,
Weibull, Fixed-Phased,
Rate-Phased
Failure Model Parameter No Parameter values
0 to 13 represent different
quantities depending on
the failure model type
Failure Model No Normal, Lognormal,
Distribution 0 Log-Triangular, Log-
Uniform for parameter 0
Failure Model No Normal, Lognormal,
Distribution 1 Log-Triangular, Log-
Uniform for parameter 2
Failure Model No Normal, Lognormal,
Distribution 2 Log-Triangular, Log-
Uniform for parameter 4
CCF Model Name No Blank if not set
Fault Tree Sequencing No Off, Enabler Only,
Initiator Only, Last, First,
Second, Third, Fourth,
Fifth
Markov Model Name No Blank if not set
Event Group Name(s) No Multiple event groups
are delimited by a new
line character
Font No Use Global,

FaultTree+ V11.2 281

Database Structure

Font 0,
Font 1,
Font 2,
Font 3,
Font 4,
Font 5,
Font 6,
Font 7
Extend Name Box No On, Off
Numeric Sort Ranking Yes Used to sort numeric
type names
Notes1 to Notes8 No Notes for each category
(max. 255 characters)
Hyperlink No Hyperlink text (max. 255
characters)
Generic Parameters No Generic parameters
associated with the
event (delimited by
newline characters)
Dependent Event Trees Yes Event trees linked to the
event
Dependent Gates Yes Gates with the event as
an input
Number of Dependent Yes Number of gates with
Gates the event as an input

Table : Gates

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Type No OR, AND, EXCLUSIVE
OR, NOT, VOTE, INHIBIT,
PRIORITY AND, NULL,
TRANSFER
Description No Max. 120 characters
Input 0 to 17 Type and No Blank if not set. Format is
Name G:<Name> for gates and
E:<Name> for events
Vote Number No Must be > 1
Page Flag No On, Off
Tag Setting No Auto, On, Off
Font No Use Global,
Font 0,

282 FaultTree+ V11.1

 Database Structure

Font 1,
Font 2,
Font 3,
Font 4,
Font 5,
Font 6,
Font 7
Extend Name Box No On, Off
Retain Results No On, Off
Always Modularise No On, Off
Notes1 to Notes8 No Notes for each category
(max. 255 characters)
Hyperlink No Hyperlink text (max. 255
characters)
Dependent Event Yes Event trees linked to the
Trees gate
Dependent Gates Yes Gates with the gate as an
input
Number of Dependent Yes Number of gates with the
Gates gate as an input
Numeric Sort Ranking Yes Used to sort numeric type
names

Table : Generic Models

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Category No Model, Parameter
Model Type No Fixed, Rate, MTTF,
Dormant,
Sequential, Event Tree
Initiator, Standby, Time
At Risk, Binomial,
Poisson, Rate/MTTR,
Weibull, Fixed-Phased,
Rate-Phased
Parameter Type No Failure Rate, Inspection
Interval, Time at Risk,
Unavailability,
Frequency, Repair Rate,
MTTF, MTTR, Standby
Failure Rate,
Characteristic Lifetime

FaultTree+ V11.2 283

Database Structure

Description No Max. 120 characters

Parameter 0 to 13 No Parameter values
represent different
quantities depending on
the failure model type
Distribution 0 No Normal, Lognormal, Log-
Triangular, Log-Uniform
for parameter 0
Distribution 1 No Normal, Lognormal, Log-
Triangular, Log-Uniform
for parameter 2
Distribution 2 No Normal, Lognormal, Log-
Triangular, Log-Uniform
for parameter 4
Generic Model Group No Blank if not set.
Name
Numeric Sort Ranking Yes Used to sort numeric
type names
Notes1 to Notes8 No Notes for each category
(max. 255 characters)
Hyperlink No Hyperlink text (max. 255
characters)

Table : Common Cause Failures

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Type No Beta, MGL, Alpha, Beta
BFR
Description No Max. 120 characters
Factor 0 No Same order as in dialogs
Factor 1 No
Factor 2 No
Factor 3 No
Numeric Sort Ranking Yes Used to sort numeric
type names

284 FaultTree+ V11.1

 Database Structure

Table : Consequences

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Description No Max. 120 characters
Weight No
Font No Use Global,
Font 0,
Font 1,
Font 2,
Font 3,
Font 4,
Font 5,
Font 6,
Font 7
Numeric Sort Ranking Yes Used to sort numeric
type names
Category Index No 0 to 9 inclusive

Table : Bitmaps

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Description No Max. 120 characters
Filename No Max. 255 characters
Numeric Sort Ranking Yes Used to sort numeric
type names

Table : Markov Models

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Probability Interpretation No Use Mean Q and w,
Use Point Q and w
Description No Max. 120 characters
File Name No Max. 255 characters
Numeric Sort Ranking Yes Used to sort numeric
type names

FaultTree+ V11.2 285

Database Structure

Table : Event Groups

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Description No Max. 120 characters
Disjoint No Yes, No
Category Index No 0 to 9 inclusive
Numeric Sort Ranking Yes Used to sort numeric
type names

Table : Generic Model Groups

Field Name Import Option

Disabled ? names/Comments
Name No Max. 32 characters
Description No Max. 120 characters
Numeric Sort Ranking Yes Used to sort numeric
type names

Table : Project (single record)

This whole table is import disabled. The single record is only produced on
export if results are up-to-date.

Field Name Import Option

Disabled ? names/Comments

System Lifetime Yes

Number of Intermediate Yes
Time Points
Order Cut-Off Yes On, Off
Probabilistic Cut-Off Yes On, Off
Order Cut-Off Value Yes
Unavailability Cut-Off Yes
Value
Frequency Cut-Off Value Yes
Implicit House Events Yes On, Off
CCF Analysis Yes On, Off
Maximum Risk Dormant Yes On, Off-Mean, Off-
Model IEC61508
Visible Event Tree Yes On, Off
Consequences Only

286 FaultTree+ V11.1

 Database Structure

Number of Confidence Yes

Simulations
Random Number Seed Yes
Lognormal Point Value Yes Meridian, Median, Mean
Interpretation
Lognormal Error Factor Yes 84%, 90%, 95%, 99%
Percentile
Sensitivity Percentage Yes
Variation
Combinatorial Set Yes On, Off
Generation
Approximation Methods Yes Default,
Custom
Post Process Fault Tree Yes On, Off
Success States
Post Process Event Tree Yes On, Off
Success States
Disable Automatic Yes On, Off
Modularisation
CCF Adjust Independent Yes On, Off
Q
Always Modularise Yes On, Off
Enabler Gates
Enforce Exclusivity Yes On, Off
Quantitative Calculation Yes Esary-Proschan, Rare,
Method for Fault Trees Optimum Upper Bound
Quantitative Calculation Yes Esary-Proschan, Rare,
Method for Event Trees Optimum Upper Bound
Full Fault Tree NOT Yes On, Off
Logic
Use Dual Fault Trees for Yes On, Off
Success
Lower Bound Calculation Yes On, Off
for Fault Trees
Lower Bound Calculation Yes On, Off
for Event Trees
Product Terms Limit Yes
Selected Gate for Report Yes
Results
Selected Consequence Yes
for Report Results
Project File Yes
Consequence Cut-Off Yes On, Off
Consequence Cut-Off Yes
Factor

FaultTree+ V11.2 287

Database Structure

Visible Event Tree Name Yes

Always Modularise Yes On, Off
Initiator Gates
Time Dependent Yes On, Off
Analysis
Success Cut-Off Yes On, Off
Success Cut-Off Factor Yes
Exclude Success in Yes Yes, No
Order
Program Version Yes
Project File Base Name Yes
Frequency Units Yes FITS, fpmh, per yr, per hr
Time Units Yes Ghrs, Mhrs, yrs, hrs
MTTR Units Yes Hrs, mins
MTTF/MTBF/MTTR Yes Off, Standard
Calculations MTTF/MTBF/MTTR,
Mission Repairable
MTTF Only
CCF Group Q Yes Minimum, Maximum,
Mean
Confidence Distribution Yes Yes, No
Generalised
Confidence Independent Yes Yes, No
Sampling
No of Phases Yes 0 to 10 inclusive
Phase # Duration Yes Duration of phases 1 to
10

Table : Gate Lifetime Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Unavailability Yes Point unavailability at
system lifetime
Mean Unavailability Yes Mean unavailability over
system lifetime
Unavailability/Lifetime Yes Point unavailability
divided by system
lifetime
Modularised Yes

288 FaultTree+ V11.1

 Database Structure

Failure Frequency Yes

Conditional Failure Yes
Intensity
Number of Expected Yes
Failures
Unreliability Yes
MTTF Yes
MTBF Yes
MTTR Yes
Total Down Time Yes
Lower Bound Yes
Unavailability
Method Used Yes Esary-Proschan, Rare
Approximation,
Optimum Upper Bound,
Not Applicable
Number of Cut Sets Yes If gate event definitely
occurs this field will be
set to True
Fault Tree Sequencing Yes Initiator and Enabler,
Enabler Only, Initiator
Only

Table : Consequence Lifetime Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Frequency Yes
Cumulative Frequency Yes
Lower Bound Frequency Yes
Risk Yes
Number of Cut Sets Yes If consequence definitely
occurs this field will be
set to True

FaultTree+ V11.2 289

Database Structure

Table : Selected Gate Correlation

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1 gate
only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Generic model or
parameter name
Q Correlation Yes Unavailability correlation
w Correlation Yes Frequency correlation
CFI Correlation Yes CFI correlation

Table : Selected Consequence Correlation

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1
consequence only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Generic model or
parameter name
w Correlation Yes Frequency correlation

Table : Selected Risk Category Correlation

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1 risk
category only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Generic model or
parameter name
Risk Correlation Yes Risk correlation

290 FaultTree+ V11.1

 Database Structure

Table : Selected Gate Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1 gate
only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Event name
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Barlow-Proschan Yes
Importance
Sequential Importance Yes
Fussell-Vesely Failure Yes
Importance
Fussell-Vesely Success Yes
Importance

Table : Selected Consequence Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1
consequence only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Event name
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Initiator Yes Yes, No
Fussell-Vesely Failure Yes
Importance
Fussell-Vesely Success Yes
Importance

FaultTree+ V11.2 291

Database Structure

Table : Risk Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes Event name
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Initiator Yes Yes, No
Category Index Yes 0 to 9 inclusive
Fussell-Vesely Failure Yes Fussell-Vesely Failure
Importance Importance
Fussell-Vesely Success Yes Fussell-Vesely Success
Importance Importance

Table : Selected Gate Group Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1 gate
only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Event group name
Group Category Yes Group category index (0
to 9)
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Barlow-Proschan Yes
Importance
Sequential Importance Yes
Fussell-Vesely Failure Yes
Importance
Fussell-Vesely Success Yes
Importance

292 FaultTree+ V11.1

 Database Structure

Table : Selected Consequence Group Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1
consequence only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Name Yes Event group name
Group Category Yes Group category index (0
to 9)
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Fussell-Vesely Failure Yes
Importance
Fussell-Vesely Success Yes
Importance

Table : Risk Group Importance

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes Event group name
Group Category Yes Group category index (0
to 9)
Fussell-Vesely Yes
Importance
Birnbaum Importance Yes
Category Index Yes 0 to 9 inclusive
Fussell-Vesely Failure Yes Fussell-Vesely Failure
Importance Importance
Fussell-Vesely Success Yes Fussell-Vesely Success
Importance Importance

FaultTree+ V11.2 293

Database Structure

Table : Event Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Unavailability Yes
Failure Frequency Yes

Table : Gate Sensitivity Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Upper Bound Unavailability Yes
Lower Bound Unavailability Yes
Upper Bound Frequency Yes
Lower Bound Frequency Yes
Upper Bound Conditional Yes
Failure Intensity
Lower Bound Conditional Yes
Failure Intensity

Table : Gate Confidence Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Mean Unavailability Yes
90% Upper Bound for Yes
Unavailability
95% Upper Bound for Yes
Unavailability
99% Upper Bound for Yes
Unavailability

294 FaultTree+ V11.1

 Database Structure

Mean Frequency Yes

90% Upper Bound for Yes
Frequency
95% Upper Bound for Yes
Frequency
99% Upper Bound for Yes
Frequency
Mean Conditional Failure Yes
Intensity
90% Upper Bound for Yes
Conditional Failure Intensity
95% Upper Bound for Yes
Conditional Failure Intensity
99% Upper Bound for Yes
Conditional Failure Intensity
90% Double Lower Yes
Unavailability
95% Double Lower Yes
Unavailability
99% Double Lower Yes
Unavailability
90% Double Upper Yes
Unavailability
95% Double Upper Yes
Unavailability
99% Double Upper Yes
Unavailability
90% Double Lower Frequency Yes
95% Double Lower Frequency Yes
99% Double Lower Frequency Yes
90% Double Upper Frequency Yes
95% Double Upper Frequency Yes
99% Double Upper Frequency Yes
90% Double Lower CFI Yes
95% Double Lower CFI Yes
99% Double Lower CFI Yes
90% Double Upper CFI Yes
95% Double Upper CFI Yes
99% Double Upper CFI Yes

FaultTree+ V11.2 295

Database Structure

Table : Consequence Sensitivity Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Upper Bound Frequency Yes
Lower Bound Frequency Yes

Table : Consequence Confidence Results

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Mean Frequency Yes
90% Upper Bound for Yes
Frequency
95% Upper Bound for Yes
Frequency
99% Upper Bound for Yes
Frequency
90% Double Lower Yes
Frequency
95% Double Lower Yes
Frequency
99% Double Lower Yes
Frequency
90% Double Upper Yes
Frequency
95% Double Upper Yes
Frequency
99% Double Upper Yes
Frequency

296 FaultTree+ V11.1

 Database Structure

Table : Gate Time Profile

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Time Yes
Unavailability Yes
Frequency Yes
Unreliability Yes

Table : Consequence Time Profile

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Time Yes
Frequency Yes

Table : Markov Time Profile

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Time Yes
Unavailability Yes
Frequency Yes

FaultTree+ V11.2 297

Database Structure

Table : Selected Gate Cut Sets

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1 gate
only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Unavailability Yes
Frequency Yes
Cut Set Yes
Number Yes
Event Descriptions Yes
Unavailability Importance Yes
Frequency Importance Yes
Order Yes No of events in the
set

Table : Selected Consequence Cut Sets

This whole table is import disabled. There will be no entries in this table on
export if the project results are out-of-date. This table provides data for 1
consequence only (selected in FaultTree+ and identified in the Project Table).

Field Name Import Option

Disabled ? names/Comments
Frequency Yes
Cut Set Yes
Number Yes
Event Descriptions Yes
Fussell-Vesely Yes
Importance
Order Yes No of events in the set

Table : Consequence Categories

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
Description Yes
Index Yes
Display Yes Yes, No

298 FaultTree+ V11.1

 Database Structure

Risk Yes
Confidence Mean Risk Yes
Confidence 90% Upper Yes
Bound Risk
Confidence 95% Upper Yes
Bound Risk
Confidence 99% Upper Yes
Bound Risk
Sensitivity Lower Bound Yes
Risk
Sensitivity Upper Bound Yes
Risk
90% Double Lower Risk Yes
95% Double Lower Risk Yes
99% Double Lower Risk Yes
90% Double Upper Risk Yes
95% Double Upper Risk Yes
99% Double Upper Risk Yes

Table : Event Pages

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Description Yes
Report Pages Yes
Numeric Sort Ranking Yes

Table : Gate Pages

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Description Yes
Report Pages Yes
Numeric Sort Ranking Yes

FaultTree+ V11.2 299

Database Structure

Table : Selected Risk Category Cut Sets

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
ID Yes
Risk Yes
Frequency Yes
Weight Yes
Cut Set Yes
Event Descriptions Yes
Fussell-Vesely Yes
Importance
Consequence Name Yes
Consequence Yes
Description
Other Category Yes If the cut set will result in
Consequence Names a consequence in
another category
occurring, the
consequence name is
recorded in this field
Other Category Yes
Consequence
Descriptions
Order Yes No of events in the set

Table : Event Trees

This whole table is import disabled.

Field Name Import Option

Disabled ? names/Comments
Name Yes
Description Yes
Transfers In Yes Transfers from
secondary event trees
Transfers Out Yes Transfers to secondary
event trees
Frequency Yes

300 FaultTree+ V11.1

 Installing FaultTree+

Appendix 4 Installing FaultTree+

Installation Introduction

These instructions apply to the Windows 95/98/Me, NT, Xp and 2000 operating
systems.

The installation instructions are categorised by installation type - standalone,

network server or network client. At the end of each installation type section are
notes for each particular operating system/server type (where appropriate).

Before starting the installation please ensure:

that all other processes on the target machine have been terminated.
that you are logged in as the system administrator.
that you have full access to the installation (usually Program Files) directory on
the target machine (and read/write access to the server for network client
installations).
that you read the notes appropriate to your operating system/server type at the
end of each installation type section.

File permissions are discussed more fully under each installation type.

Note that the installation process takes a conservative approach to updating

system DLLs and ActiveX controls. These components will only be updated if the
component version number contained in the CD-ROM installation is greater than
that of the component on the target machine.

To start the installation insert the CD in the CD-ROM drive. Normally the installation
will start automatically. If this is not the case then select Run from the Windows
Start menu and then Browse. Now navigate to the CD-ROM drive, open the
disk1 folder and select the Setup.exe program. Select OK on the Run Dialog to
start the installation.

Now refer to the standalone installation instructions if you have a licence to install
FaultTree+ on a single machine.

Refer to the network server installation type if you have a licence to install
FaultTree+ on a network server.

Refer to the network client installation type if you have already installed FaultTree+
on your network server and are now installing to a client.

FaultTree+ V11.2 301

Installing FaultTree+

At the end of the standalone and network server installations, you will be presented
with detailed instructions on how to obtain your FaultTree+ license. Please ensure
that you read and understand this information fully.

If you are installing a standalone or network server version then you must
refer to the chapter Licensing FaultTree+ for instructions on how to apply
for, and install, your license. Note that the program will not run until you have
installed the license. At the end of the installation process a readme file will
be displayed; this contains the FLEXNET hostid for your machine. Please
read this file and attach it to the e-mail you send to request your license.

If you are installing FaultTree+ in a network server/client configuration please install

the network server copy of FaultTree+ first and obtain the licence for this copy
before installing the network client(s).

302 FaultTree+ V11.1

 Installing FaultTree+

Installing on a Standalone Machine

After starting the installation process:

The Welcome Dialog is displayed initially. Select Next to display the Select Setup
Type Dialog.

Select the Standalone option from the list and then select Next to display the
Choose Destination Folder Dialog.

Select the folder (directory) in which you wish to install FaultTree+. This is the top-
level directory of the installation and is normally C:\Program Files, although any
directory may be chosen. This folder must be on a local hard disk drive of the
machine on which you are installing. Select Next to display the Select Program
Folder Dialog.

Enter the program folder name. This is FaultTree+ by default, although any name
may be chosen. A shortcut to the FaultTree+ program will be created in this folder.
Select Next to display the Select Shortcut Options Dialog.

By default, additional desktop and start menu shortcuts to the FaultTree+ program
are created. To prevent these being created de-select the check boxes. Select
Next to display the Select Default Paper Size Dialog.

Select either ISO A4 or US Letter as the default paper size for your reports.

Select Next to display the FLEXNET Server Hostid Dialog.

This dialog displays the FLEXNET hostid for your machine. You will send this hostid
to Isograph in order to receive your license. Detailed instructions on obtaining your
license are displayed at the end of the installation process. This hostid is unique to
the machine you have installed on. Select Next to display the Start Copying Files
Dialog.

NB: If you already have FaultTree+ installed on your machine you will be asked if
you wish to overwrite your Report Generator, Import and Export databases. These
contain your reports, import and export templates, respectively. If you choose to
overwrite your report database then your old report formats are still accessible via
the new Alternate Report Database option in the Report Explorer. The old report
database will be saved as MV5FtR.rkz.

Select Next to start the file copy and registration process. At the end of the file
copy process detailed instructions on how to obtain your license are displayed using
Notepad. These instructions are saved in the file <install
directory>\RAMS\License\readme.txt.

FaultTree+ V11.2 303

Installing FaultTree+

When this is finished the Setup Complete Dialog will be displayed. You may be
prompted as to whether you wish to reboot the machine now or later. If this prompt
appears it is because another process is using a shared DLL or ActiveX control that
the installation program tried to update. The new version will be installed when the
machine is rebooted.

File Permissions

Ensure that the FaultTree+ user has Read, Execute, List Folder Contents access to
the <install directory>\Rams directory and below. The following sub-directories
should have the additional permissions:

Directory Additional Permissions

RAMS\Common\Dictnry\User Write, Modify

RAMS\Common\Export\Data Write
RAMS\Common\Import\Data Write
RAMS\Common\RepGen\Data Write
RAMS\Export\?.?\Program Write
RAMS\Import\?.?\Program Write
RAMS\RepGen\?.?\Program Write
RAMS\Ftp\?.?\Examples Write, Modify
RAMS\Ftp\?.?\Program Write

304 FaultTree+ V11.1

 Installing FaultTree+

Installing on a Network Server

After starting the installation process:

The Welcome Dialog is displayed initially. Select Next to display the Select Setup
Type Dialog.

Select the Network Server option from the list and then select Next to display the
Choose Destination Folder Dialog.

Select the folder (directory) in which you wish to install FaultTree+. This is the top-
level directory of the installation and is normally C:\Program Files, although any
directory may be chosen. This folder must be on a local hard disk drive of the
machine you are installing on. Select Next to display the Select Program Folder
Dialog.

Enter the program folder name. This is FaultTree+ by default, although any name
may be chosen. A shortcut to the FaultTree+ program will be created in this folder.
Select Next to display the Select Shortcut Options Dialog.

By default, additional desktop and start menu shortcuts to the FaultTree+ program
are created. To prevent these being created de-select the check boxes. Select
Next to display the Select Default Paper Size Dialog.

Select either ISO A4 or US Letter as the default paper size for your reports. Select
Next to display the FLEXNET Server Hostid Dialog.

This dialog displays the FLEXNET hostid for your machine. You will send this hostid
to Isograph in order to receive your license. Detailed instructions on obtaining your
license are displayed at the end of the installation process. This hostid is unique to
the machine you have installed on. Select Next to display the FLEXNET Server
Location Dialog.

Enter the hostname or IP address of the machine where the FLEXNET license
server will be running. In the present case of a network server installation, this will
normally be the machine where the installation is being performed. It is only
necessary to enter this value if you intend to run the software on the network server.
If a non-default port is being used for the license server select the No Button and
enter the port number (see the chapter Licensing FaultTree+ for more details on
this). These values enable FaultTree+ to communicate with the FLEXNET license
server. Select Next to display the Start Copying Files Dialog.

NB: If you already have FaultTree+ installed on your machine you will be asked if
you wish to overwrite your Report Generator, Import and Export databases. These
contain your reports, import and export templates respectively. If you choose to

FaultTree+ V11.2 305

Installing FaultTree+

overwrite your report database then your old report formats are still accessible via
the new Alternate Report Database option in the Report Explorer. The old report
database will be saved as MV5FtR.rkz.

Select Next to start the file copy and registration process. At the end of the file
copy process detailed instructions on how to obtain your license are displayed using
Notepad. These instructions are saved in the file <install
directory>\RAMS\License\readme.txt.

When this is finished the Setup Complete Dialog will be displayed. You may be
prompted as to whether you wish to reboot the machine now or later. If this prompt
appears it is because another process is using a shared DLL or ActiveX control that
the installation program tried to update. The new version will be installed when the
machine is rebooted.

File Permissions

Ensure that all FaultTree+ network users have Read, List Folder Contents, Execute
access to the <install directory>\Rams directory and below. The following sub-
directories should have the additional permissions:

Directory Additional Permissions

RAMS\Export\?.?\Program Write
RAMS\Import\?.?\Program Write
RAMS\RepGen\?.?\Program Write
RAMS\Ftp\?.?\Program Write

For users running FaultTree+ on the network server set the file permissions as
detailed in the section on standalone installation.

Ensure that the Administrators (and Domain Admins) group and the System
account have Full Control permission on the License directory.

306 FaultTree+ V11.1

 Installing FaultTree+

Installing on a Network Client

Before installing a network client please ensure that you have shared either the
<Install Directory> or <Install Directory>\RAMS on the network server. Ensure also
that the user name you are using for installation of the network client has Full
Control permissions on this share.

After starting the installation process:

The Welcome Dialog is displayed initially. Select Next to display the Select Setup
Type Dialog.

Select the Network Client option from the list and then select Next to display the
Choose Destination Folder on Network Client Dialog.

Select the folder (directory) in which you wish to install the FaultTree+ client files.
This is the top-level directory of the installation and is either C:\Program Files or,
more probably, in a network installation, the users home directory or sub-directory
of the home directory, although any directory may be chosen. Report, import and
export templates that the user creates will be stored inside this directory structure
so ensure that this directory is part of your backup plan. Select Next to display the
Choose Installation Folder on Network Server Dialog.

Select Browse to choose the folder (directory) on the network server that contains
the FaultTree+ program executable. Note that either the <Install Directory> or
<Install Directory>\RAMS must be shared on the network server. The shared
directory on the server may be referenced on the client using a mapped drive letter
or using a UNC path name (e.g. \\servername\sharename).

To refresh the Directories tree when using UNC path names enter the
\\servername\sharename in Path text box of the Choose Folder Dialog and then
select OK. Now select Browse again and you will be able to navigate and select a
directory from the refreshed Directories tree.

After selecting the directory containing the FaultTree+ program executable, select
Next to display the Select Program Folder Dialog.

Enter the program folder name. This is FaultTree+ by default, although any name
may be chosen. A shortcut to the FaultTree+ program will be created in this folder.
Select Next to display the Select Shortcut Options Dialog.

By default, additional desktop and start menu shortcuts to the FaultTree+ program
are created. To prevent these being created de-select the check boxes. Select
Next to display the Select Default Paper Size Dialog.

Select either ISO A4 or US Letter as the default paper size for your reports.

FaultTree+ V11.2 307

Installing FaultTree+

Select Next to display the FLEXNET Server Location Dialog.

Enter the hostname or IP address of the machine where the FLEXNET license
server will be running. If a non-default port is being used for the license server
select the No Button and enter the port number (see the chapter Licensing
FaultTree+ for more details on this). These values enable FaultTree+ to
communicate with the FLEXNET license server. Select Next to display the Start
Copying Files Dialog.

NB: If you already have FaultTree+ installed on your machine you will be asked if
you wish to overwrite your Report Generator, Import and Export databases. These
contain your reports, import and export templates respectively. If you choose to
overwrite your report database then your old report formats are still accessible via
the new 'Alternate Report Database option in the Report Explorer. The old report
database will be saved as MV5FtR.rkz.

Select Next to start the file copy and registration process. When this is finished the
Setup Complete Dialog will be displayed. You may be prompted as to whether you
wish to reboot the machine now or later. If this prompt appears it is because another
process is using a shared DLL or ActiveX control that the installation program tried
to update. The new version will be installed when the machine is rebooted.

File Permissions

Ensure that the FaultTree+ user has Read, Execute, List Folder Contents access to
the <install directory>\Rams directory and below on the network client machine.
The following sub-directories should have the additional permissions:

Directory Additional Permissions

RAMS\Common\Dictnry\User Write, Modify

RAMS\Common\Export\Data Write
RAMS\Common\Import\Data Write
RAMS\Common\RepGen\Data Write
RAMS\Ftp\?.?\Examples Write, Modify

308 FaultTree+ V11.1

 Licensing FaultTree+

Appendix 5 Licensing FaultTree+

FlexNET License Server Introduction

At the end of the standalone or network server installations you will be you will be
presented with detailed instructions on how to obtain your FaultTree+ license.
Please ensure that you read and understand this information fully.

To receive your license you must e-mail the readme.txt file containing the
FLEXNET hostid, your company name, your site name, and which licenses you
wish to activate, to the appropriate contact address for your region. The license you
receive in return, by e-mail, will be a text file. You should only modify information in
the text file where detailed by the instructions below. Please note that the text file
contains one (or more) encrypted signatures preventing modification of the actual
license details.

After receiving you license you should:

Refer to the section Installing Standalone FLEXNET Licenses below if you

have selected the standalone installation.

Refer to the section Installing the FLEXNET License Server if you have
selected the network server installation and have not previously licensed an
Isograph product using FLEXNET.

Refer to the section Adding Licenses to an Existing FLEXNET License Server if

you have selected the network server installation and this is an additional
license.

Refer to the section Installing a Separate FLEXNET License Server if you have
selected the network server installation and wish to install the FLEXNET server
on a separate machine to the FaultTree+ network server installation.

Refer to the section Monitoring FLEXNET Licenses Using LMTOOLS for

information on the use of the LMTOOLS program for checking the license
status.

FaultTree+ V11.2 309

Licensing FaultTree+

Installing Standalone FLEXNET Licenses

Copy the license file to the <Installation Directory>\RAMS\License directory,

ensuring that it has a different filename to any existing license files. Alternatively,
you may, using a text editor such as Notepad, append the contents of the new
license file to an existing license file.

The license file you receive will be in the format:

SERVER this_host hostid

VENDOR isograph
{License Details}

The SERVER and VENDOR lines may be removed from the additional license if
you are appending to an existing license file.

310 FaultTree+ V11.1

 Licensing FaultTree+

Installing the FLEXNET License Server

Installing the FLEXNET License File

If you do not already have a licence file in the <Installation

Directory>\RAMS\License directory then simply copy the license file to the this
directory. If you do already have a licence file serving other applications in this
directory then append the contents of the new licence file to the existing file.

The license file you receive will be in the format:

SERVER this_host hostid

VENDOR isograph
{License Details}

You may edit the license file to specify the actual host name (or IP address), set the
port number that the license server uses and set the port number that the vendor
service (daemon) uses. The hostid must not be modified. Note that the license
server port number is the non-default port number specified during the client
installation. The vendor service port number is not referenced anywhere during the
installation. For example:

SERVER 168.192.0.200 hostid 8000

VENDOR isograph 8001

In this case the license server is running on 168.192.0.200, using port 8000 and the
vendor service is using port 8001. Note that if any clients are connecting via a
firewall then these ports must be opened for bi-directional communication.

In the default installation it is not strictly necessary to specify the host name
because the clients already have this information provided at installation time.
However if you wish the clients to connect to the license server by specifying the
directory path of the license file(s) (see the sub-section Modifying the Network
Client FLEXNET Server Reference) then it is necessary to set this_host to the host
name (or IP address).

Starting the FLEXNET License Server

On the license server machine start the FLEXNET license server by selecting the
Windows taskbar Start-Programs-FTP-FLEXNET License Server-LMTOOLS menu
option. This displays the FLEXNET LMTOOLS application.

Select the Service/Licence File Tab and select the File Configuration using
Services radio button. Then select the Config Services Tab.

FaultTree+ V11.2 311

Licensing FaultTree+

Now enter a name for the Service Name in the corresponding combo box.
Typically enter Isograph.

Next set the paths for the lmgrd.exe file, the license file and the path to the debug
log file. These will be:

<Install Directory>\RAMS\License\lmgrd.exe for lmgrd.exe.

<Install Directory>\RAMS\License\<licence.lic> for the license file.
<Install Directory>\RAMS\License\isograph.log for the debug log file

Set both the Use Services and Start Server at Power Up check boxes to selected.

Save the Isograph service by selecting Save Service.

Now select the Start/Stop/Reread Tab.

Select Start Server to start the license server and the isograph service.

This same tab may be used to stop the license server and to reread the license
directory.

Advanced configuration of the license server is described in the End User Guide
(PDF format). This is accessed by selecting the Windows taskbar Start-Programs-
FTP-FLEXNET License Server-End User Guide menu option.

The FLEXNET command line utility lmutil.exe is contained in the <Install

Directory>\RAMS\License directory. This utility is required to run many of the
command line utilities referenced in the End User Guide.

Modifying the Network Client FLEXNET Server Reference

When a network client is installed the user is prompted to specify the location (and
optionally the port number) of the FLEXNET license server. These values enable
FaultTree+ to communicate with the FLEXNET license server. This value is stored
in the registry string value:

HKEY_LOCAL_MACHINE\Software\RAMS\FTP\LicenseServerLocation

The format of the value is:

@hostname (or IP address)

or

port number@hostname (or IP address)

312 FaultTree+ V11.1

 Licensing FaultTree+

if a non-default port number has been specified. It may be necessary to change this
value if the hostname or port number is modified on the license server.

It is also possible to enter the path to the license server directory in place of the
hostname and port number. If this option is chosen (perhaps for reasons of
consistency with existing FLEXNET implementations) then the license file SERVER
line must be modified to specify the hostname (or IP address).

FaultTree+ V11.2 313

Licensing FaultTree+

Adding Licenses to an Existing FLEXNET License Server

Using a text editor such as Notepad, append the contents of the new license file to
the existing license file in the <Installation Directory>\RAMS\License directory.

See the section Installing the FLEXNET License Server for details on modifying the
hostname and the default port numbers.

To inform the FLEXNET license server of the additional license(s) select the
Windows taskbar Start-Programs-FTP-FLEXNET License Server-LMTOOLS menu
option. This displays the FLEXNET LMTOOLS application.

Select the Start/Stop/Reread Tab.

Select ReRead License File to register the new license(s) with the license server.

314 FaultTree+ V11.1

 Licensing FaultTree+

Installing a Separate FLEXNET License Server

Copy the <Install Directory>\RAMS\License directory to a directory on the required

license server machine. Ensure that the Administrator group has Full Control
permissions on this directory. Now follow the instructions in the section Installing
the FLEXNET License Server.

FaultTree+ V11.2 315

Licensing FaultTree+

The FLEXNET Select Licenses Dialog

Checking Out a License

To select the licenses to be checked out select the appropriate check box in the
Select column and then select OK.

Borrowing a License

Borrowing allows the user to borrow selected module license(s) from the FLEXNET
license server on to their own network client machine. This means that the client
can then be disconnected from the network and FaultTree+ will still be licensed
using the borrowed module license(s). When borrowing a license(s) the expiry date
is specified and when this date is reached the license(s) are automatically returned
to the FLEXNET license server. Whilst a license is borrowed, the license count on
the server will be reduced by one.

Please note that you will not be able to borrow licenses unless this option has been
activated in the license issued to you by Isograph.

To borrow a license(s) select Help-Licence to display the Select Licenses Dialog.

Enter the expiry date for borrowing in the Until: text box. This must be in the format
dd-mmm-yyyy (e.g. 30-Oct-2004). Now select Activate License Borrowing you
will be prompted that this action will turn on license borrowing for all future license
check outs and that any currently checked out licenses will be checked back in.
Select Yes to continue. Now select which license(s) you wish to check out and
then select OK. The selected license(s) have now been borrowed on to your local
machine.

To return a borrowed license(s) early select Return Borrowed License(s).

Displaying License Users and License Info

To display the current users of all the licensed modules, select Users All
Modules. This will display each of the licensed modules in turn along with the users
who have currently checked out licenses for each of these modules.

To display the current users of a selected module, first select the required module in
the list view and then select Users Selected Module.

Note that both these options use the term Feature in their display. This is because
although you are licensed by module in FaultTree+ the module licenses are
implemented using FLEXNET features. So, when describing a license issue to a
FLEXNET license server administrator, it is best to use the term feature as a
substitute for module license!

316 FaultTree+ V11.1

 Licensing FaultTree+

To display the current FaultTree+ license file information, select License Info. This
simply displays the contents of the license file.

FaultTree+ V11.2 317

Licensing FaultTree+

Monitoring FLEXNET Licenses Using LMTOOLS

LMTOOLS is only installed on server installations.

LMTOOLS provides facilities for a license server administrator to display what

license(s) are currently checked out and diagnose any license server problems.

On the license server machine start the FLEXNET license server by selecting the
Windows taskbar Start-Programs-FTP-FLEXNET License Server-LMTOOLS menu
option. This displays the FLEXNET LMTOOLS application.

Advanced configuration of the license server is described in the End User Guide
(PDF format). This is accessed by selecting the Windows taskbar Start-Programs-
FTP-FLEXNET License Server-End User Guide menu option.

Server Status

To display current checked out license(s), select the Server Status Tab, enter the
Individual Daemon as Isograph and then select Perform Status Enquiry.

Server Diags

To display license server diagnostics, select the Server Diags Tab, enter the
Feature Name and then select Perform Diagnostics.

318 FaultTree+ V11.1

 Index

Index
A B

abort 246 barlow-proschan importance 206

about dialog 261 base transition rate 242
absolute time 242 basic event 60, 91
accelerator keys 7 basic mode 60
accuracy indicator 245 batch analysis 165
add label 92, 108 bdd analysis 219
add table record 78 beta binomial failure rate (BFR) model
add to library 87 224, 229
adding branches 105, 106 beta binomial model 229
adding events 89 beta factor model 224, 226
adding failure and repair data 31 beta value 242
adding gates 89 BFR model 229
adding gates and events 89 binary decision diagrams 219
adding labels 108 binomial model 64, 181
adding states 237 birnbaum importance 205
adding transitions 240 bitmap 70
align to centre 127 bitmap table 73
alpha factor model 224, 228 bitmaps 233
Alt key 7 Boolean algebra techniques 191
always modularise 67 branch 105, 108
always modularise enabler gates 154, branches 105
192
analysis 163, 209, 211, 215, 219, 244,
246 C
analysis data 246
analysis options 145, 245 calculation 155
and gate 90 calculation options 155
AND gate 66 CCF analysis 148
append 82, 85, 96 CCF event names 230
append file 82 CCF events 230
apply strict initiator/enabler checks 134, CCF model 60
199 CCF models 222
approximation methods 147 ccf table 69
attaching markov models 248 CCF tags 121
attaching markov models to a FaultTree+ CCFs 69, 221, 226, 227, 228, 229, 230
project 56 CFI 195
auto backup 81, 132 change page 92
auto tag mode 66 check-spelling 113, 117
AvSim+ 235 clear add mode 89, 92, 93, 108

FaultTree+ V11.2 319

Index

clear all offsets 125 defining transitions 53

clear visible offsets 125 delete 97, 108
clipboard 93 delete hidden data 98
clipboard parts 268 delete key 7
clipboard parts dialog 268 delete selection and below 97
coherent systems 194 delete table record 78
column 106 deleting branches 108
columns 106, 130 deleting event trees 108
common cause failure 69, 271 deleting fault tree symbols 97
common cause failures 221 deleting unattached consequences 108
conditional event 60, 91 deleting unattached gates and events
conditional failure intensity 195, 271 108
confidence analysis 158 delimiter for cut sets 133
connecting to a library 85 dependencies 47, 103, 111, 265
consequence 72, 108 dependencies button 80
consequence table 72 dependencies dialog 265
constant rates 174 dependency filter 78
constructing an event tree 34 deselected 9
constructing fault trees 23 designing reports 253
continuous phases 239 dictionary 115, 119
controls 9 direct filter 78
converting 235 disable circular logic checks 134
converting to AvSim+ 235 disable deletion dependency checks 132
copy 93, 107 disable descriptions 133
creating event trees 105 disable paging 122
cross-product method 151, 192 disable reformat 133
cumulative frequency 171 discrete phases 239
customise consequence categories dialog discrete states 47
267 discrete transitions 251
customise event group categories dialog disjoint 75
266 display button 79
customise notees captions dialog 268 dormant event 60, 91
cut 93 dormant failure 271
cut set 271 dormant model 64, 147, 176
cut set sorting 149 drag and drop 11, 13

D E

data model 173 editing objects 9

data models 173 enabler 61, 197
database 59, 277 enabler event 271
default data model 133 enabler events 197
defining parameters 52 enforce exclusivity 154
defining phases 53, 239 error factor 188
defining states 51 error factors 252

320 FaultTree+ V11.1

 Index

Esary-Proschan method 151, 192 gate type 66

ET initiator model 64, 180 general 131
eta value 242 general options 131
event 89, 91, 103, 108, 111 generic data group 64, 76
event data models 173 generic data group table 76
event group 62 generic model group table 76
event group table 74 global fonts 123, 129
event sequencing 199 global name edit 79, 96
event table 59 graphs 170, 247
event tree 107, 108, 109 grid 130
event trees 105, 110 grid control 13
example markov diagram 50 grid options 17
exclusive or gate 90
exclusivity 154
expand super events 67 H
expanding super events 153
exponent 144 halt the analysis 163
export 257 help 19
exporting data 277 hidden data 98
extend name box 60, 66 hidden failures 176
house event 60, 91
house events 148, 231
F hyperlink 63, 64, 68, 71, 93
hyperlinks table 71
failure frequency 193, 271
failure rate 271
false 60, 231 I
file 80
file name 9 IEC 61508-6 69
filter 16, 78 IEC symbols 132
filter facility 101 immediately revealed failures 174
filtering pages 255 implicit house events 148
find 18 import 257
fit to screen 124 importance 203
fixed model 64, 173 importance measures 203
fixed-phase model 64, 186 importing data 277
F-N curve 171, 271 inaccuracies 164
full fault tree not logic 152 include in partial analysis 67, 71, 73
fussell-vesely importance 203 independence 47
inhibit gate 91
INHIBIT gate 66
G initial state probability 238
initiator 61, 197
gamma value 242 initiator event 271
gate 89, 91, 101, 108, 111 initiator events events 197
gate table 65, 66 initiator model 65, 180

FaultTree+ V11.2 321

Index

inspection intervals 263 maximum symbol size 137

installation 301, 303, 305, 307 mean time between failures 272
integration methods 250 mean time to failure 175
introduction 1 mean time to repair 175
mean value 188
message area 8
K metafile 255
MGL model 227
keyboard 7 minimal cut set 272
minimal cut set evaluation 163
minimal cut sets 145, 191
L modify inspection intervals dialog 263
modify time at risk dialog 264
label 69, 92, 102, 111 modularisation 153, 191
labels 92, 108 modularise enabler gates 154
labels table 69 Monte Carlo simulation 158, 215
large memory buffer 148 MTBF 195, 272
layout 128, 243 MTTF model 64, 175
layout options 121, 128 MTTR 196
left mouse button 7 multiple greek letter (MGL) Model 224
library 12, 85, 87, 137
library options 137
licensing 309, 310, 311, 314, 316, 318 N
lifetime 271
line weights 122, 128 names 230
local fonts 123, 129 navigating 99, 109
locating event trees 109, 110 navigating fault trees 99
locating events 103, 111 new 5, 80
locating gates 101, 111 new dictionary dialog 119
locating labels 102 new event tree 105
locating lables 111 new fault tree 89
logic mode 60 new file 80
lognormal distribution 188, 215 next phase 243
lower bound calculations 153 no of expected system failures 195
no tags on transfer gates 132
normal distribution 188, 215
M not gate 91
NOT gate 66
main window 7 note 70
majority vote gate 90 notes table 70
markov analysis 244 NULL gate 66, 90
markov analysis methods 47 number of expected system failures 272
markov model 237, 238, 240, 247, 248,
250
markov model table 73
maximum risk dormant model 147

322 FaultTree+ V11.1

 Index

O probability interpretation 74
producing reports 44
occurrence probabilities 192 project 10
open 81 project file options 80
open file 81 prompt dialog 261
options 117, 131, 135, 137, 139, 140, properties 87
144, 145, 155, 160
or gate 90
OR gate 66 Q
order cut-off 146
ordering pages 254 quantative calculation method 151

P R

page 68, 92, 99, 100, 107, 242, 254, random sampling 158
255 rare approximation method 151, 192,
pagination 107, 242 193
paging 122 rate model 64, 174
parameter font 243 rate/MTTR model 64, 183
parameters 238 rate-phase model 187
partial analysis 164 rate-phased model 64
parts library 268 recent files 81
paste 93, 107 references 275
paste special 94 repeat bar 67, 121, 142
path set 272 repeating events 89
pause analysis 163 repeating gates 89
percentile 188 replace 18
perform an analysis 163 replace text 262
performing a markov analysis 54 replace text dialog 262
performing an analysis 40, 246 reports 135, 253
phase 160 reports options 135
phase options 160 reset scale 124
phase time 242 results 169, 170, 247
phases 239 retain results 67, 128, 169
point value 273 rows 130
poisson model 64, 182 Runge-Kutta method 251
post process success states 153
precision 139, 144
precision options 139, 144 S
previewing reports 253
previous phase 243 save 81
primary event tree 105 save as 82
printing reports 253 save file 81
priority and gate 66, 91 saving the current markov model to file
probability cut-off 146 56

FaultTree+ V11.2 323

Index

scale 130 T
scaling 124
screen font 243 tables 59
scroll bars 125 tag 66
searching 80 tag indicator 66
secondary event tree 105 terminal branch 169
selecting object 9 time at risk 264
selecting objects 9 time at risk model 64, 181
selection 9 time step 245, 250
sensitivity analysis 156, 211 time-dependent analysis 156, 209
sequencing 61, 199 tool tip 8
sequential importance 207 toolbar 8
sequential model 64, 177 total down time 273
set names to upper case 134 total frequency 128
set scale factor 124 total system down time 195
sets generation 145 trace cut set 169
sets generation options 145 transfer event 91
severity 72 TRANSFER gate 66
shift 125 transfer page numbers 136
shift selection 125 transition 240
shift snap 135 transition phases 50
shifting fault trees 125 transitions 240
simulation 158 tree control 8, 10, 12, 99, 109
sorting 149 true 60, 231
special paste 94 tutorial 21
spelling checker 113, 117
spelling options 117
split screen 8 U
standby model 64, 65, 180
start analysis 246 unavailability 273
starting a new markov model 51 unavailability flag 238
starting up the program 7 uncertainty values 188
state transition diagram 47 undeveloped event 60, 91
states 237 unreliability 195, 196, 273
status 164 unrevealed failures 176
steady-state unavailability 174 update project with library data 87
strict initiator/enabler checks 134, 199 upper case 134
summary results 169 upper confidence values 216
super event 153, 191 use dual fault trees 153
symbol size 137
symbol type 60
system descriptions 21 V
system lifetime 195
system quantitative parameters 191 verification 167
verifying data 167, 244
view 121, 128, 140, 243

324 FaultTree+ V11.1

 Index

view options 140 X

visible event tree analysis 148
VOTE gate 66 XOR gate 66

W Z

Weibull data 242 zoom 124

weibull model 64 zoom in 124
weight 72, 73 zoom out 124
weight options 122, 128

FaultTree+ V11.2 325