Fault Tree Analysis vs Event Tree Analysis
Confused by the acronyms? We explain the difference between Fault Tree Analysis (FTA) and Event Tree Analysis (ETA)—and when to use each for your facility.
Fault Tree Analysis vs Event Tree Analysis
When you go beyond a basic HAZOP, two tools appear again and again: Fault Tree Analysis (FTA) and Event Tree Analysis (ETA).
You can think of them as:
- FTA – works backwards from an accident to find causes.
- ETA – works forwards from a failure to show possible outcomes.
This article explains: - How each technique works with practical examples.
- When to use FTA vs ETA in South African MHI assessments.
- How they combine in LOPA and SIL studies.
- Typical costs for these studies in Rand.
Fault Tree Analysis (FTA): The Detective (Top-Down)
Direction: Top-Down (Deductive)
Question: "Why did this happen?"
FTA starts with the Top Event (the disaster, e.g., "Tank Explosion") and works backward to find the root causes. It uses logic gates (AND / OR) to combine failures.
How it Works
- Top Event: Fire in Storage Tank.
- Logic: The fire happens IF (Fuel is present) AND (Ignition Source is present).
- Drill Down:
- Fuel present IF (Leak occurred) OR (Spill occurred).
- Ignition source IF (Static spark) OR (Maintenance work) OR (Lightning).
FTA Logic Gates
| Gate | Symbol | Meaning |
|---|---|---|
| AND | ∩ | All inputs must occur for output to occur |
| OR | ∪ | Any input can cause the output |
When to Use FTA
- When you want to find the Probability of Failure of a specific system.
- When investigating an accident (Root Cause Analysis).
- When analysing complex control systems where multiple things must fail simultaneously.
- When calculating SIL (Safety Integrity Level) for safety instrumented functions.
SA Industry Example
Scenario: Ammonia release at a cold storage facility (Tiger Brands, RCL Foods).
Top Event: Ammonia release to atmosphere.
FTA branches:
- Pipe rupture (OR: corrosion, mechanical damage, overpressure)
- Valve failure (OR: stuck open, seal leak, operator error)
- Vessel failure (OR: fatigue, external impact, design flaw)
Each branch is assigned a failure rate from databases (IOGP, OREDA) to calculate the overall probability of the top event.
Event Tree Analysis (ETA): The Futurist (Bottom-Up)
Direction: Bottom-Up (Inductive)
Question: "What happens next?"
ETA starts with an Initiating Event (a failure, e.g., "Pipe Leak") and works forward to determine the possible outcomes (consequences). It looks at the success or failure of your safeguards (Barriers).
How it Works
- Initiating Event: Gas Pipe Leak.
- Barrier 1: Gas Detection System? (Success: Alarm / Failure: No Alarm).
- Barrier 2: ESD Valve? (Success: Flow Stops / Failure: Flow Continues).
- Barrier 3: Ignition? (Yes: Explosion / No: Safe Dispersion).
Each path through the tree has a calculated frequency, and each end state has a defined consequence.
When to Use ETA
- When you want to understand the different Consequences of a single failure.
- When evaluating the effectiveness of your protection layers (LOPA).
- To determine the frequency of different accident scenarios for a Quantitative Risk Analysis (QRA).
- When designing emergency response procedures.
SA Industry Example
Scenario: LPG leak at a bulk depot (Easigas, Afrox, Oryx).
Initiating Event: 50 mm flange leak on LPG transfer line.
| Barrier | Success | Failure |
|---|---|---|
| Gas detection | Alarm raised | No alarm |
| ESD activation | Flow isolated | Flow continues |
| Ignition | No ignition (safe dispersion) | Ignition (VCE or flash fire) |
| Outcome frequencies: |
- Safe dispersion: 60% of scenarios
- Flash fire: 25% of scenarios
- VCE (Vapour Cloud Explosion): 15% of scenarios
These frequencies feed directly into the QRA risk contour calculation.
The "Bow-Tie" Diagram: Putting Them Together
In modern risk management, we often combine FTA and ETA into a Bow-Tie Diagram:
[Causes] → [FTA] → [TOP EVENT] → [ETA] → [Consequences]
↑
(Loss of Containment)
- The Fault Tree is on the left (Causes leading to the Event).
- The Event (Loss of Containment) is the knot in the centre.
- The Event Tree is on the right (Consequences flowing from the Event).
Why Bow-Tie is Popular in SA
Many South African facilities (Sasol, Engen, AECI, Anglo American) use Bow-Tie diagrams because:
- They provide a visual summary of risk that management can understand.
- They clearly show prevention barriers (left side) and mitigation barriers (right side).
- They support barrier management programmes required under MHI Regulations.
LOPA: The Bridge Between Qualitative and Quantitative
Layer of Protection Analysis (LOPA) is a semi-quantitative technique that uses simplified event trees to determine if existing safeguards are sufficient.
How LOPA Works
- Start with an Initiating Event frequency (e.g., 1×10⁻² per year for a pump seal failure).
- Apply Independent Protection Layers (IPLs) – each IPL reduces the frequency by a factor (typically 10× to 100×).
- Calculate the Mitigated Event Frequency.
- Compare to the Risk Tolerance Criteria.
LOPA in South Africa
LOPA is widely used in SA for:
- SIL determination – deciding what SIL rating a Safety Instrumented Function (SIF) needs.
- Safeguard credit validation – proving that existing barriers are sufficient.
- Cost-benefit analysis – justifying the cost of additional safeguards.
Relevant standards: - IEC 61511 – Functional safety for the process industry.
- SANS 61511 – South African adoption of IEC 61511.
Typical LOPA Costs in South Africa
| Scope | Typical Cost (excl. VAT) |
|---|---|
| Single scenario LOPA | R20 000 – R40 000 |
| LOPA workshop (10–20 scenarios) | R80 000 – R150 000 |
| Full facility LOPA (50+ scenarios) | R200 000 – R400 000 |
SIL Studies: When FTA Gets Serious
When a LOPA identifies that a Safety Instrumented System (SIS) is required, you need to determine the Safety Integrity Level (SIL).
SIL Ratings
| SIL | Risk Reduction Factor | Probability of Failure on Demand (PFD) |
|---|---|---|
| SIL 1 | 10–100 | 0.1 – 0.01 |
| SIL 2 | 100–1 000 | 0.01 – 0.001 |
| SIL 3 | 1 000–10 000 | 0.001 – 0.0001 |
| SIL 4 | 10 000–100 000 | 0.0001 – 0.00001 |
SIL Verification
Once a SIL target is set, FTA is used to verify that the proposed SIS design can achieve the required PFD. This involves:
- Modelling the SIS architecture (1oo1, 1oo2, 2oo3, etc.).
- Assigning failure rates to each component.
- Calculating the overall PFD using FTA.
Typical SIL Study Costs in South Africa
| Study Type | Typical Cost (excl. VAT) |
|---|---|
| SIL determination (per SIF) | R15 000 – R30 000 |
| SIL verification (per SIF) | R20 000 – R50 000 |
| Full SIS lifecycle study | R100 000 – R300 000 |
Key Differences at a Glance
| Aspect | Fault Tree Analysis (FTA) | Event Tree Analysis (ETA) |
|---|---|---|
| Direction | Backward (Deductive) | Forward (Inductive) |
| Starting Point | Top Event (accident) | Initiating Event (failure) |
| Focus | Causes of an event | Consequences of an event |
| Logic | AND / OR Gates | Success / Failure Paths |
| Output | Probability of Top Event | Frequency of each outcome |
| Best For | Finding probability of complex failures | Analysing barrier effectiveness |
| SA Application | SIL verification, incident investigation | QRA, LOPA, emergency planning |
When to Use Each Technique
Use FTA When:
- You need to calculate the probability of a specific failure (e.g., SIS fails to act).
- You are investigating an incident and need to find root causes.
- You are designing a safety system and need to verify it meets SIL requirements.
- You have a complex system with multiple redundant components.
Use ETA When:
- You need to understand all possible outcomes of a single failure.
- You are conducting a QRA and need scenario frequencies.
- You are evaluating the effectiveness of barriers (LOPA).
- You are developing emergency response procedures and need to know what could happen.
Use Both (Bow-Tie) When:
- You want a complete picture of risk for a major hazard.
- You need to communicate risk to management or regulators.
- You are implementing a barrier management programme.
Common Pitfalls in South Africa
Based on our experience:
- Using generic failure rates without validation – SA operating conditions may differ from European/US data.
- Ignoring common cause failures – if two "independent" barriers share a power supply, they're not truly independent.
- Over-crediting human intervention – operators under stress may not respond as assumed.
- Not updating FTA/ETA after changes – MoC should trigger a review.
- Confusing SIL target with SIL achieved – you must verify the design meets the target.
Conclusion
Both FTA and ETA are essential for a complete understanding of risk:
- FTA helps you prevent the accident from starting (prevention).
- ETA helps you mitigate the impact if it does start (mitigation).
Together, they form the backbone of modern process safety analysis, from LOPA and SIL studies to full QRA.
Need FTA, ETA, or LOPA Support?
MMRisk provides expert support for all quantitative risk techniques:
- FTA for SIL verification and incident investigation.
- ETA for QRA scenario development.
- LOPA for safeguard validation and SIL determination.
- Bow-Tie development for barrier management programmes.
Typical study turnaround: 2–6 weeks depending on scope.
Contact us for a risk assessment consultation.