Fault-tree analysis is one system of making a detailed analysis of failure or potential failure. It was successfully applied initially in aerospace, and has more recently been used in other fields. Although it has been used almost entirely to date in product safety (aircraft, missiles, automobiles, etc.), it seems likely that the technique will be used in industrial safety in the future.
The fault tree is actually a logic diagram that traces all the events that might have led to the undesired result being studied. A fault tree can be constructed for any event. First, an undesired event is selected. Then it is necessary to reason backward to visualize and identify all the ways in which it might have occurred. Each contributing factor or cause is then studied and analyzed to determine how it could possibly happen. Such tracing of causes and factors can point to many different system failures that might not otherwise be noticed.
Say that the undesired event selected is a severe injury to the operator of a power press in an industrial plant. The fault tree (see Figure 7-1) for this event is made by listing those events which might have occurred, or which must have occurred, for the undesired event to happen. These events are connected by either AND or OR gates. An AND gate means that both events noted must be present for the event to occur. An OR gate means that either event alone can cause the major event. Thus in Figure 7-1, events B, C, D, and E must all be present for the major, undesired, event A to occur.
However, either event F or G alone could cause subevent B, and either H or I alone could cause subevent C. Event N, O, or P alone could cause subevent G.
This fault tree shows that for a severe injury to occur to the operator of the power press, four things must happen:
The press must be operating.
The ram must be descending.
The operator must have his hand under the die.
There must be an inoperative guard or no guard on the die.
Hence, prevention lies in the elimination of one of these four events.
Each of the four is then analyzed. For the press ram to be descending, the clutch must have been tripped by the operator, or the clutch must have failed, and the press repeated without being tripped. Any of these could happen if a clutch part had broken, the clutch was worn out, or the clutch had been poorly designed, with no fail-safe built into it.
The operator’s hand might have been under the die if he had been working under it to arrange his piece or if he had been distracted and was paying poor attention to his work. The die could be unguarded if the guard were removed, the guard were in some way defective, there was no guard, or because on this particular die and setup a guard was impractical or impossible.
Each of these subevents could then be further analyzed, which might lead to such conclusions as (Q) maintenance priorities do not include press die-guard construction, (R) press department supervision is not finding defective guards (is not looking for them), (S) press operators are removing guards, (T) supervision is not enforcing the use of guards, (U) supervision is not stopping work on a press when guards are absent, and (V) management is not setting and enforcing a policy of press guarding. (Notice that in this particular fault-tree analysis, human failures have been included.)
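The gate logic described above (AND requires every input, OR requires any one) can be evaluated mechanically, and the same tree yields its minimal cut sets, the smallest combinations of basic events that force the top event. The following Python script is an added example, not part of the original text or of Figure 7-1 itself. It encodes the lettered structure exactly as the text states it (A = B AND C AND D AND E; B = F OR G; C = H OR I; G = N OR O OR P); because the text does not expand D and E into sub-causes, the example treats them as basic events, which is an assumption. The `can_occur_without` check illustrates the point that prevention lies in eliminating one of the four AND inputs: blocking every cause of B (F, N, O, P) prevents A, whereas blocking F alone does not.

```python
from itertools import product


class Event:
    """A node of the fault tree: a basic event (gate=None) or an AND/OR gate."""

    def __init__(self, name, gate=None, inputs=()):
        self.name = name
        self.gate = gate            # None for a basic event, "AND" or "OR" otherwise
        self.inputs = list(inputs)  # child events feeding this gate

    def occurs(self, state):
        """Evaluate the event given a dict of basic-event name -> bool (missing = False)."""
        if self.gate is None:
            return bool(state.get(self.name, False))
        values = [child.occurs(state) for child in self.inputs]
        # AND gate: every input must be present; OR gate: any single input suffices.
        return all(values) if self.gate == "AND" else any(values)

    def cut_sets(self):
        """Minimal cut sets: smallest sets of basic events whose joint occurrence forces this event."""
        if self.gate is None:
            return [frozenset([self.name])]
        child_sets = [child.cut_sets() for child in self.inputs]
        if self.gate == "OR":
            # Any one input's cut set is enough, so the candidates are the union of the lists.
            candidates = [cs for sets in child_sets for cs in sets]
        else:
            # Every input must occur, so pick one cut set per input and combine them.
            candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
        return minimise(candidates)


def minimise(sets):
    """Drop any candidate that strictly contains another candidate (keep only minimal ones)."""
    unique = set(sets)
    return sorted(
        (s for s in unique if not any(other < s for other in unique)),
        key=lambda s: (len(s), sorted(s)),
    )


def can_occur_without(tree, eliminated):
    """True if the top event can still occur once the given basic events are made impossible."""
    eliminated = set(eliminated)
    return any(cs.isdisjoint(eliminated) for cs in tree.cut_sets())


def figure_7_1():
    """Build the tree of Figure 7-1 as the text describes it (D and E as basic events: assumption)."""
    basic = {name: Event(name) for name in "DEFHINOP"}
    g = Event("G", "OR", [basic["N"], basic["O"], basic["P"]])
    b = Event("B", "OR", [basic["F"], g])
    c = Event("C", "OR", [basic["H"], basic["I"]])
    return Event("A", "AND", [b, c, basic["D"], basic["E"]])


if __name__ == "__main__":
    top = figure_7_1()
    # Constructed sample state: F and H present, D and E present -> injury event A occurs.
    print("A occurs:", top.occurs({"F": True, "H": True, "D": True, "E": True}))
    for cs in top.cut_sets():
        print("minimal cut set:", sorted(cs))
    print("A possible with F blocked:", can_occur_without(top, {"F"}))
    print("A possible with all of B's causes blocked:", can_occur_without(top, {"F", "N", "O", "P"}))
```

Every minimal cut set here has four members, one drawn from each branch under the top AND gate, which is why removing any one of the four subevents entirely (rather than one of its several OR-connected causes) is sufficient to prevent the top event.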
The above analysis is very simple; it was chosen merely to illustrate the general idea of fault-tree analysis and to indicate how it might possibly be used in industrial safety as well as in systems safety. You can no doubt visualize a complex analysis, for example, one that might be used in the aerospace or missile fields.