Long-form how-to articles

Fault tree analysis guides

In-depth, worked-example articles on the parts of fault-tree analysis that don't fit in a glossary entry: how the algorithms compose, how the importance measures relate, how to structure a fault tree for a specific safety case, and how to defend a quantified result against a reviewer who isn't predisposed to believe it.

What's already here

Before guides land, the rest of the site already covers a lot. If you're after a quick definition or a specific calculation, start there:

What guides add

Reference pages answer "what is it?". Guides answer "how do I use it on a real project?". Each guide goes deeper than a glossary entry: walks through the workflow, shows the numbers, calls out where the standard is opinionated, and links back to the reference pages and tools that support it. Targeting 1,500–3,000 words each.

Three editorial principles:

Published

Buyer's guide · 2026
Open-source vs commercial FTA tools — a 2026 comparison
The four FTA-tool market segments — heavy-iron commercial, government-research, open-source, modern web-first — explained without picking a winner. Covers what each segment optimises for, the major tools per segment (SAPHIRE, Isograph FaultTree+, scram, OpenFTA, FTA Studio), and a 12-row decision matrix mapping common situations to the right segment. With explicit publisher disclosure throughout.
≈ 17 min read · Coverage: 2026 market

Uncertainty · Comparative
Monte Carlo for FTA — lognormal vs uniform leaf distributions
Point-estimate FTA gives one number; Monte Carlo propagates leaf-event uncertainty into a percentile band. Covers the leaf-distribution choice (lognormal default; uniform / triangular / beta and when to use them), sample-size convergence (1/√N law, LHS gives 5–10× efficiency), correlated-leaf handling via common-factor decomposition, and a worked SPAD tree at EF = 3 showing a 5th–95th percentile band spanning 9× — turning "passes by point estimate" into "passes by median, fails by mean, fails by 95th".
≈ 17 min read · References: NUREG-CR-6823, ASME/ANS PRA Standard, IEC TR 62380

IEC 61511 · Worked example
LOPA + FTA — closing the loop on SIS verification
LOPA sets the SIL target for a Safety Instrumented Function; FTA verifies that the as-designed SIF actually achieves it. Walks the lifecycle separation per IEC 61511, the LOPA reduction-factor math on a worked pressure-vessel hazard (1.0/yr IE × BPCS × PRV → SIL 3 gap), and the bottom-up SIF FTA showing 1oo1 fails the target while 1oo2 valves at β = 0.05 pass by 22%. Covers PTC, demand-mode classification, and the architectural-constraint (SFF/HFT) check that is separate from PFD.
≈ 18 min read · Standards: IEC 61511:2016, IEC 61508:2010

EN 50126 · Worked example
EN 50126 RAMS — running FTA at SIL 4
SIL 4 is the highest railway safety integrity level (THR ≤ 10⁻⁹/h). RAMS threads FTA through the V-cycle in three roles: apportionment (Phase 5, top-down), verification (Phase 6, bottom-up), and ISA review at validation. Covers the apportionment math, a worked ETCS L2 Movement Authority enforcement tree showing Phase-5 and Phase-6 numbers side by side, what an Independent Safety Assessor probes, and how rail-side conventions differ from automotive ASIL and aerospace ARP 4761.
≈ 19 min read · Standards: EN 50126/50128/50129, CSM-RA EU 402/2013

ARP 4761 · Worked example
Structuring the fault tree for FAA / EASA review
ARP 4761 SSA submissions are read by certification engineers whose job is finding the hole the applicant didn't see. Covers the FHA / PSSA / SSA / CCA framework, the six things reviewers actually check on the tree, and a worked aircraft hydraulic-power-loss example showing why independent-failure quantification gave 2.5×10⁻¹⁴/h while CCA-folded quantification gave 1.2×10⁻⁹/h. With the post-Sioux City architectural response (RAT, zonal separation, servicing diversity) that gets the answer to 10⁻¹²/h.
≈ 18 min read · Standards: ARP 4761, 14 CFR 25.1309, CS-25.1309

ISO 26262 · Hardware metrics
Hardware random-failure metrics for ASIL D — PMHF, SPFM, LFM
The three ISO 26262 Part 5 hardware metrics, defined formally and walked through on a worked AEB MCU. Each measures something different; passing one says nothing about the others. The example MCU passes ASIL D on PMHF and LFM but fails on SPFM by a percentage point — the kind of misalignment that teams looking at PMHF alone routinely miss. With three credible design responses ranked by cost (ECC upgrade, re-architect, ASIL decomposition) and five reviewer-grade pitfalls.
≈ 19 min read · Standards: ISO 26262 Part 5 §8–9

ISO 26262 · Worked example
ASIL decomposition through fault tree analysis
ISO 26262's ASIL decomposition rule — the most-used and most-misused mechanism in automotive functional safety. Covers the decomposition table (ASIL D = ASIL B(D) + ASIL B(D), etc.), the independence requirement (and the three failure patterns that violate it), a worked AEB ASIL D decomposition with a PMHF check at four β values, plus four production patterns (lockstep dual-core, primary + diagnostic, cross-domain redundancy, ASIL D + QM(D)) and five reviewer-grade pitfalls.
≈ 18 min read · Standards: ISO 26262 Part 9 §5

Dependence · Comparative
Common-cause failure — Beta-factor vs Multiple Greek Letter
Beta-factor and MGL are the two dominant CCF models. This guide explains how CCF breaks redundancy's promise, defines both with worked math, and shows on a 2-of-3 voting example why "β-factor is the conservative default" is wrong half the time — specifically when redundancy buys partial-failure tolerance. With standards mapping (IEC 61508, ISO 26262, ARP 4761, NRC PRA, EN 50126).
≈ 16 min read · Standards: IEC 61508, ISO 26262, NUREG-CR-5485

Cross-technique · Comparative
FTA + FMEA + ETA — when to use which
Three safety-analysis techniques, three different questions, three different outputs. What each delivers, how the dataflow loops between them, the same SPAD scenario worked through all three (FTA cut sets, FMEA on the lamp basic event, ETA from SPAD-as-initiator to collision rate), and which standards demand which combination (ARP 4761, ISO 26262, IEC 61508/61511, EN 50126, MIL-STD-882).
≈ 14 min read · Standards: ISO 26262, ARP 4761, IEC 61511

Algorithms · Comparative
MOCUS vs BDD — when each algorithm wins
The two algorithms that quantify fault trees, side by side. How each works (MOCUS substitution, BDD Shannon decomposition), where each wins by tree size and shape, and the operational questions a reviewer will probe — truncation defensibility, variable ordering, importance-measure parity, common-cause modelling, tool versioning. With both algorithms walked through on the SPAD tree's ATP branch.
≈ 17 min read · Standards: IEC 61025, NRC PRA

Importance measures · Comparative
Birnbaum, Fussell–Vesely, RAW, RRW — when to use each
All four importance measures defined, computed side by side on a worked SPAD tree, then mapped to the standards that ask for each (ISO 26262, IEC 61508, NRC PRA, EN 50126, ARP 4761). Includes the cases where the four rankings disagree, and the F-V + RAW two-measure default for a defensible safety case.
≈ 16 min read · Standards: IEC 61025, ISO 26262, NRC PRA

Foundations · Worked example
How to build a fault tree from scratch — a worked SPAD example
Full step-by-step build of an EN 50126-grade fault tree for a railway Signal Passed at Danger top event. Top-event scoping, structural decomposition, MOCUS cut sets, top-event probability, the wrong-side correction that brings the model into line with reality, and Fussell–Vesely importance ranking that points at the next pound of design effort.
≈ 18 min read · Standards: IEC 61025, EN 50126

First batch complete

The original 12-article roadmap has shipped. Together the articles cover the technical foundations of fault-tree analysis (Articles 1–5), the standards-specific workflows (Articles 6–10), uncertainty propagation (Article 11), and the buyer's-guide-without-a-winner (Article 12) — roughly 40,000 words of long-form, worked-example content across the series. Each article cross-references the others so the reading order is flexible; the SPAD tree from Article 1 is the recurring example most subsequent articles build on.

Want to suggest the next batch? Email support@ftastudio.app with the topic and the question you'd want answered. We prioritise guides where there's a real workflow gap that the glossary and standards pages don't cover. Topics on the wait-list (subject to demand) include software FTA per DO-178C, dynamic fault trees and Markov coupling, MIL-STD-882 mishap risk, and HARA-to-FTA traceability tooling.