By Clif Ericson

[Editor’s note: This opinion piece originally appeared in Vol 36 Issue 3 of Journal of System Safety in 3Q 2000. It has been reformatted from the original, but the text is otherwise unchanged.]

I often overhear, or am involved in, discussions in which safety engineers are discussing the pros and cons of using Fault Tree Analysis (FTA) during an accident investigation. The discussion often degenerates into a heated argument over whether FTA can be used effectively in an accident investigation. After giving the question much thought and performing some accident FTA, my response is a resounding yes.

Fault Tree Analysis is normally a proactive analysis tool for predicting potential causes of undesired events during the design of a new system. FTA is very powerful as a structured methodology for identifying root causes, and also provides a visual communication model that most individuals can readily understand and follow with little knowledge of the tool, the system design or the accident situation. The visual model displays the logical progression in the chain of events leading to an anomaly or accident. Therefore, it also makes an excellent reactive analysis tool for ferreting out the root causes leading to an event, anomaly, incident or accident that has already occurred.


Accident investigation is much like performing a system autopsy. Its purpose is to determine what caused the accident so that preventive measures can be implemented to prevent future occurrences of the same problem. The analysis uses all available clues, data and information to develop a model that adequately describes the sequence of events leading to the accident. Root cause analysis of an incident is sometimes required in real time to correct an anomaly and prevent it from progressing into a full-blown accident. In this situation, time is of the essence.

FTA provides a model for tying all of the accident investigation data and clues together. One of the valuable FTA tools specifically suited for accident analysis is the Evidence Gate. The Evidence Gate is similar to a check valve in that it is either open or closed, based on input conditions. In accident investigation, the Evidence Gate either opens or closes a fault tree branch based on the collected empirical evidence. Evidence can be derived from many different sources, such as instrumentation data, witnesses, flight data recorders, video cameras, built-in tests, etc. When a branch can be closed based on hard evidence, no further investigation is necessary in that particular area. Only the true root cause branches with supporting evidence are followed. In addition, branches with insufficient evidence must be followed until either positive or negative evidence is found, or until the root causes are identified. For example, an undesired state in a fault tree might be Tank Overpressurization; if a review of the available evidential data found that the tank’s relief valves were working properly, the relief-valve path would be eliminated as a contributor to the incident.

Figure 1 shows the Evidence Gate. The methodology for developing an accident investigation fault tree is very similar to normal fault tree construction. First, analyze the system and incident using normal FTA construction rules and logic. Identify and establish major system fault states that could possibly lead to the accident. Second, go through the first tree and determine where known evidence applies or where additional evidence is needed. Place these conditions in the FT using the Evidence Gate. Continue down branches with positive evidence or insufficient evidence, and terminate branches with negative evidence.

The Fault Tree, using the Evidence Gate, provides a complete cause-consequence root cause analysis diagram of the accident or incident under investigation. The Evidence Gate allows you to insert actual evidence into fault tree branches, and thereby infer which events were active during an incident. This also allows the analyst to quickly identify actual root causes and avoid analyzing possible scenarios that did not actually cause the accident. It also provides a visual model, including a list of all scenarios considered, as well as those ruled out due to specific evidence.
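The following is an added example, not code from the original article or its author, showing how the Evidence Gate procedure described above can be carried out mechanically on a small fault tree. Each gate and basic event carries an evidence state (positive, negative or insufficient); a branch with negative evidence is closed and not examined further, open branches are followed down to their basic events, and the result is the list of scenarios considered, those ruled out, confirmed root causes, and events that still need evidence. It goes slightly beyond the article in one respect: an AND gate is also treated as closed when any one of its inputs is ruled out, since the gate's output then cannot have occurred. The sample tree is built from the article's Tank Overpressurization example, but the sub-events and all evidence states are constructed for illustration.

```python
"""Accident-investigation fault tree with Evidence Gates (added example, not
from the original article). Sample tree and evidence states are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple, Union


class Evidence(Enum):
    POSITIVE = "positive"          # hard evidence that the event occurred
    NEGATIVE = "negative"          # hard evidence that the event did not occur
    INSUFFICIENT = "insufficient"  # nothing yet either way: keep following the branch


@dataclass
class BasicEvent:
    name: str
    evidence: Evidence = Evidence.INSUFFICIENT
    is_open: bool = True


@dataclass
class Gate:
    name: str
    kind: str                                   # "AND" or "OR"
    inputs: List[Union["Gate", BasicEvent]]
    evidence: Evidence = Evidence.INSUFFICIENT  # the Evidence Gate attached to this branch
    is_open: bool = True


@dataclass
class Report:
    considered: List[str] = field(default_factory=list)           # every node examined
    ruled_out: List[Tuple[str, str]] = field(default_factory=list)  # (node, reason)
    confirmed: List[str] = field(default_factory=list)            # root causes with positive evidence
    needs_evidence: List[str] = field(default_factory=list)       # root causes still unresolved


def apply_evidence(node, report):
    """Pass 1 (Evidence Gate): close a branch on negative evidence and stop
    descending; otherwise descend and combine the inputs with the gate logic."""
    report.considered.append(node.name)
    if node.evidence is Evidence.NEGATIVE:
        node.is_open = False
        report.ruled_out.append((node.name, "negative evidence"))
        return False
    if isinstance(node, BasicEvent):
        return True
    states = [apply_evidence(child, report) for child in node.inputs]
    node.is_open = all(states) if node.kind == "AND" else any(states)
    if not node.is_open:
        reason = "an input is ruled out" if node.kind == "AND" else "every input is ruled out"
        report.ruled_out.append((node.name, reason))
    return node.is_open


def collect_root_causes(node, report):
    """Pass 2: walk only open branches; the basic events reached are the root
    cause candidates, split into confirmed and still needing evidence."""
    if not node.is_open:
        return
    if isinstance(node, BasicEvent):
        bucket = report.confirmed if node.evidence is Evidence.POSITIVE else report.needs_evidence
        bucket.append(node.name)
        return
    for child in node.inputs:
        collect_root_causes(child, report)


def investigate(top):
    """Run both passes over the tree and return the investigation report."""
    report = Report()
    apply_evidence(top, report)
    collect_root_causes(top, report)
    return report


def build_sample_tree():
    """Constructed sample: the article's Tank Overpressurization event with made-up sub-events."""
    return Gate("Tank overpressurization", "OR", [
        Gate("Relief valves fail to open", "OR", [
            BasicEvent("Relief valve stuck closed"),
            BasicEvent("Relief set point too high"),
        ], evidence=Evidence.NEGATIVE),        # constructed: post-incident test showed valves working properly
        Gate("Inflow exceeds relief capacity", "AND", [
            BasicEvent("Supply regulator fails open", Evidence.POSITIVE),  # constructed: failed regulator recovered
            BasicEvent("Relief capacity undersized"),                      # constructed: not yet checked
        ]),
        Gate("Operator acts on false low reading", "AND", [
            BasicEvent("Pressure sensor reads low"),
            BasicEvent("Operator raises supply pressure", Evidence.NEGATIVE),  # constructed: control log shows no such command
        ]),
    ])


if __name__ == "__main__":
    r = investigate(build_sample_tree())
    print("Considered:", r.considered)
    print("Ruled out:", r.ruled_out)
    print("Confirmed root causes:", r.confirmed)
    print("Need more evidence:", r.needs_evidence)
```

In the sample, the relief-valve branch is closed at the gate, so its two sub-events are never examined; the regulator branch stays open with one confirmed cause and one event still to be investigated; and the operator branch is closed because one of its AND inputs has been negated, even though the sensor event itself has no evidence yet.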

This approach facilitates rapid accident investigation to quickly and correctly identify root causes, without wasting analysis time in areas that did not actually contribute to the accident. It provides a notation for the inclusion of evidence either supporting or negating a particular suspected causal event. It also creates a visual model that sequentially ties all of the relevant contributing events together. For more information on the Evidence Gate, see my paper entitled “Accident Investigation Using EEFTA” in the Proceedings of the 18th International System Safety Conference.


About the Author

Clif Ericson is a past President of the International System Safety Society and former editor of the Journal of System Safety. He is the author of 12 books on system safety.

