Event tree analysis
Event tree analysis (ETA) is a forward, bottom up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis. This analysis technique is used to analyze the effects of functioning or failed systems given that an event has occurred. ETA is a powerful tool that will identify all consequences of a system that have a probability of occurring after an initiating event that can be applied to a wide range of systems including: nuclear power plants, spacecraft, and chemical plants. This technique may be applied to a system early in the design process to identify potential issues that may arise, rather than correcting the issues after they occur. With this forward logic process, use of ETA as a tool in risk assessment can help to prevent negative outcomes from occurring, by providing a risk assessor with the probability of occurrence. ETA uses a type of modeling technique called event tree, which branches events from one single event using Boolean logic.
The name Event Tree was first introduced during the WASH-1400 nuclear power plant safety study (circa 1974), where the WASH-1400 team needed an alternate method to fault tree analysis due to the fault trees being too large. Though not using the name event tree, the UKAEA first introduced ETA in its design offices in 1968, initially to try to use whole plant risk assessment to optimize the design of a 500MW Steam Generating Heavy Water Reactor. This study showed ETA condensed the analysis into a manageable form. ETA was not initially developed during WASH-1400, this was one of the first cases in which it was thoroughly used. The UKAEA study used the assumption that protective systems either worked or failed, with the probability of failure per demand being calculated using fault trees or similar analysis methods. ETA identifies all sequences which follow an initiating event. Many of these sequences can be eliminated from the analysis because their frequency or effect are too small to affect the overall result. A paper presented at a CREST symposium in Munich, Germany, in 1971 shows how this was done. The conclusions of the US EPA study of the Draft WASH-1400 acknowledges the role of Ref 1 and its criticism of the Maximum Credible Accident approach used by AEC. MCA sets the reliability target for the containment but those for all other safety systems are set by smaller but more frequent accidents and would be missed by MCA.
In 2009 a risk analysis was conducted on underwater tunnel excavation under the Han River in Korea using an earth pressure balance type tunnel boring machine. ETA was used to quantify risk, by providing the probability of occurrence of an event, in the preliminary design stages of the tunnel construction to prevent any injuries or fatalities because tunnel construction in Korea has the highest injury and fatality rates within the construction category.
Performing a probabilistic risk assessment starts with a set of initiating events that change the state or configuration of the system. An initiating event is an event that starts a reaction, such as the way a spark (initiating event) can start a fire that could lead to other events (intermediate events) such as a tree burning down, and then finally an outcome, for example, the burnt tree no longer provides apples for food. Each initiating event leads to another event and continuing through this path, where each intermediate event's probability of occurrence may be calculated by using fault tree analysis, until an end state is reached (the outcome of a tree no longer providing apples for food). Intermediate events are commonly split into a binary (success/failure or yes/no) but may be split into more than two as long as the events are mutually exclusive, meaning that they can not occur at the same time. If a spark is the initiating event there is a probability that the spark will start a fire or will not start a fire (binary yes or no) as well as the probability that the fire spreads to a tree or does not spread to a tree. End states are classified into groups that can be successes or severity of consequences. An example of a success would be that no fire started and the tree still provided apples for food while the severity of consequence would be that a fire did start and we lose apples as a source of food. Loss end states can be any state at the end of the pathway that is a negative outcome of the initiating event. The loss end state is highly dependent upon the system, for example if you were measuring a quality process in a factory a loss or end state would be that the product has to be reworked or thrown in the trash. Some common loss end states:
- Loss of Life or Injury/ Illness to personnel
- Damage to or loss of equipment or property (including software)
- Unexpected or collateral damage as a result of tests
- Failure of mission
- Loss of system availability
- Damage to the environment
The overall goal of event tree analysis is to determine the probability of possible negative outcomes that can cause harm and result from the chosen initiating event. It is necessary to use detailed information about a system to understand intermediate events, accident scenarios, and initiating events to construct the event tree diagram. The event tree begins with the initiating event where consequences of this event follow in a binary (success/failure) manner. Each event creates a path in which a series of successes or failures will occur where the overall probability of occurrence for that path can be calculated. The probabilities of failures for intermediate events can be calculated using fault tree analysis and the probability of success can be calculated from 1 = probability of success (ps) + probability of failure (pf). For example, in the equation 1 = (ps) + (pf) if we know that pf=.1 from fault tree analysis then through simple algebra we can solve for ps where ps = (1) - (pf) then we would have ps = (1) - (.1) and ps=.9.
The event tree diagram models all possible pathways from the initiating event. The initiating event starts at the left side as a horizontal line that branches vertically. the vertical branch is representative of the success/failure of the initiating event. At the end of the vertical branch a horizontal line is drawn on each the top and the bottom representing the success or failure of the first event where a description (usually success or failure) is written with a tag that represents the path such as 1s where s is a success and 1 is the event number similarly with 1f where 1 is the event number and f denotes a failure (see attached diagram). This process continues until the end state is reached. When the event tree diagram has reached the end state for all pathways the outcome probability equation is written.
- Define the system: Define what needs to be involved or where to draw the boundaries.
- Identify the accident scenarios: Perform a system assessment to find hazards or accident scenarios within the system design.
- Identify the initiating events: Use a hazard analysis to define initiating events.
- Identify intermediate events: Identify countermeasures associated with the specific scenario.
- Build the event tree diagram
- Obtain event failure probabilities: If the failure probability can not be obtained use fault tree analysis to calculate it.
- Identify the outcome risk: Calculate the overall probability of the event paths and determine the risk.
- Evaluate the outcome risk: Evaluate the risk of each path and determine its acceptability.
- Recommend corrective action: If the outcome risk of a path is not acceptable develop design changes that change the risk.
- Document the ETA: Document the entire process on the event tree diagrams and update for new information as needed.
1 = (probability of success) + (probability of failure)
The probability of success can be derived from the probability of failure.
Overall path probability = (probability of event 1) X (probability of event 2) X (probability of event n....)
In risk analysis
Event tree analysis can be used in risk assessment by determining the probability that is used to determine the risk when multiplied by the hazard of the event. Event Tree Analysis is a tool that makes easy to see what pathway is creating the greatest probability of failure for a specific system. It is common to find single point failures that do not have any intervening events between the initiating event and a failure. With Event Tree Analysis single point failure can be targeted to include an intervening step that will reduce the overall probability of failure and thus reducing the risk of the system. The idea of adding an intervening event can happen anywhere in the system for any pathway that generates too great of a risk, the added intermediate event can reduce the probability and thus reduce the risk.
- Enables the assessment of multiple, co-existing faults and failures
- Functions simultaneously in cases of failure and success
- No need to anticipate end events
- Areas of single point failure, system vulnerability, and low payoff countermeasures may be identified and assessed to deploy resources properly
- paths in a system that lead to a failure can be identified and traced to display ineffective countermeasures.
- Work can be computerized
- Can be performed on various levels of details
- Visual cause and effect relationship
- Relatively easy to learn and execute
- Models complex systems into an understandable manner
- Follows fault paths across system boundaries
- Combines hardware, software, environment, and human interaction
- Permits probability assessment
- Commercial software is available
- Addresses only one initiating event at a time.
- The initiating challenge must be identified by the analyst
- Pathways must be identified by the analyst
- Level of loss for each pathway may not be distinguishable without further analysis
- Success or failure probabilities are difficult to find.
- Can overlook subtle system differences
- Partial successes/failures are not distinguishable
- Requires an analyst with practical training and experience
Though ETA can be relatively simple, software can be used for more complex systems to build the diagram and perform calculations more quickly with reduction of human errors in the process. There are many types of software available to assist in conducting an ETA. In nuclear industry, RiskSpectrum PSA software is widely used which has both event tree analysis and fault tree analysis. Professional-grade free software solutions are also widely available. SCRAM is an example open-source tool that implements the Open-PSA Model Exchange Format open standard for probabilistic safety assessment applications.
- Clemens, P.L.; Rodney J. Simmons (March 1998). "System Safety and Risk Management". NIOSH Instructional Module, A guide for Engineering Educators. Cincinnati,OH: National Institute for Occupational Safety and Health: IX-3–IX-7.
- Wang, John et al. (2000). What Every Engineer Should Know About Risk Engineering and Management, p. 69., p. 69, at Google Books
- Ericson, Clifton A. (2005). Hazard Analysis Techniques for System Safety. John Wiley & Sons, Inc.
- Hong, Eun-Soo; In-Mo Lee; Hee-Soon Shin; Seok-Woo Nam; Jung-Sik Kong (2009). "Quantitative risk evaluation based on event tree analysis technique: Application to the design of shield TBM". Tunneling and Underground Space Technology. 24 (3): 269–277. doi:10.1016/j.tust.2008.09.004.