Home / Guides / Open-source vs commercial FTA tools — 2026

Buyer's guide · 2026

Open-source vs commercial FTA tools — a 2026 comparison

The fault-tree-analysis tool market is small enough to know by name and large enough that picking the wrong category can cost a programme its certification timeline. Four distinct segments serve four different buyer profiles — heavy-iron commercial for nuclear PRA and installed base, government-research for cost-controlled regulatory work, open-source for research and education, and modern web-first for design-review-velocity teams. They optimise for genuinely different things; the right choice depends on tree size, regulator familiarity, integration needs and budget tier, not on which has the best demo. This guide explains the trade-offs without picking a winner.

≈ 17 min read Coverage: 2026 market · vendor data current to Q1 2026 Disclosure: published by the makers of FTA Studio

Why this comparison is harder than it looks

The temptation is to do feature-checklist scoring: which tool ticks more boxes? On a fault-tree-analysis purchase that approach actively misleads. Three structural reasons:

Capability per tree size is highly non-linear. A tool that handles a 50-event design-review tree elegantly may collapse on a 50,000-event PRA model — and vice versa. Article 3's MOCUS-vs-BDD complexity story is the reason: tools optimised for one regime aren't gracefully degraded versions of tools for the other; they're architecturally different. A feature checklist that treats "supports MOCUS" as a single column hides this.
Regulator familiarity is a real cost line item. An NRC reviewer who has spent 15 years reading SAPHIRE outputs reviews them quickly and trusts the underlying machinery. The same reviewer reading a tool's output for the first time spends substantially more cycles asking foundational questions. The cost differential per review is real and recurring; tools with regulator-familiar output formats are cheaper to operate even when nominally more expensive to license.
Integration mechanics dominate total cost of ownership at scale. A safety case is touched by 5–50 engineers across its lifecycle. CLI / API access for reproducibility, diff-friendly storage formats for version control, and CI integration for regression testing turn out to dwarf the licence cost in most lifecycle calculations. GUI-only tools without an export-and-reload story add multiplicative friction over time.

The honest answer to "which FTA tool is best?" is "best for what tree, in what regulatory context, with what integration constraints, and what budget?". This article works through those four dimensions rather than pretending they reduce to one.

Disclosure This guide is published by the makers of FTA Studio. Three operating principles: (1) FTA Studio appears in the comparison alongside competitors, with the same axes scored on the same evidence basis; (2) we don't claim FTA Studio is the right choice for every situation — Step 4 names cases where it isn't; (3) competitor characterisations come from publicly stated capabilities (vendor docs, published case studies, NRC's PRA tool comparisons) rather than internal sales material. Where we're uncertain about a competitor's current state, we say so.

Step 1The four market segments

Every FTA tool fits into one of four segments, and each segment optimises for a different buyer profile. Understanding which segment your problem belongs to determines about 80% of the choice; remaining trade-offs are within-segment.

Segment	Buyer profile	Representative tools	Optimised for
Heavy-iron commercial	Nuclear PRA contractors, large aerospace primes, oil & gas safety case shops with 5+ analysts and existing tool investments	Isograph FaultTree+, ITEM ToolKit, RAM Commander, Reliability Workbench (Item Toolkit), Riskman	50,000+ event PRA, BDD with sophisticated variable-ordering, deep CCF / event-tree integration, formal model interchange (XFTA), audit-grade vendor support
Government / research	NRC contractors, INL, US national labs, regulator-internal use; nuclear and defence applications	SAPHIRE (NRC, free for nuclear industry under EPRI agreement), CAFTA (EPRI), HiP-HOPS (academic)	Regulator-grade auditable output; cross-acceptance between government bodies; PRA-scale model performance; institutional continuity over decades
Open-source	Research, education, smaller programmes with budget constraints, organisations where tool source-code review is itself a procurement requirement	scram (BDD, OpenPSA-compatible), OpenFTA (legacy), Riskontology (XFTA-based), various PyPI / academic packages	Algorithmic transparency, source-code auditability, Linux/CLI native, integration with research workflows, zero licence cost
Modern web-first	Design-review-velocity teams, smaller programmes, automotive ASIL-A/B work, design consultancies, education	FTA Studio, FaultTree+ Web (limited), various startup offerings	Time-to-first-tree (browser open → first analysis in < 5 minutes), shareability, modern collaboration mechanics, IEC 61025 JSON interchange, no-install workflow

Two structural points the segmentation makes explicit:

The segments are not on a single ladder. Modern web-first isn't "lighter heavy-iron commercial"; open-source isn't "free heavy-iron commercial". They optimise for different things, and their architectures reflect those different optimisations. A team trying to use FTA Studio for a 50,000-event nuclear PRA is misusing the segment; a team trying to use SAPHIRE for an automotive ASIL-B 50-event tree review is also misusing the segment.
Regulator familiarity correlates strongly with segment. NRC reviewers know SAPHIRE; FAA reviewers know Isograph and Reliability Workbench; ISO 26262 functional-safety reviewers are increasingly comfortable with web-first tools and the IEC 61025 JSON exchange format; rail (CENELEC) reviewers vary by national authority. Picking a tool whose output your reviewer has seen before is a real efficiency.

Step 2The open-source landscape

Open-source FTA tools cluster around three things: BDD-based PRA-scale solvers (the practical workhorse), legacy MOCUS GUIs (mostly historical), and the OpenPSA Model Exchange Format ecosystem (the interchange standard that ties everything together). Headline tools in 2026:

scram — the active BDD-based open-source PRA tool

scram (Olzhas Rakhimov, 2014, Apache 2.0 / MIT) is the open-source FTA tool that scales to PRA-class trees. C++ implementation, BDD and ZBDD-based, native OpenPSA Model Exchange Format support, scriptable from the command line. The algorithmic side is comparable to commercial heavy-iron tools; what's missing is the GUI, the institutional support, and the regulator-familiar output formats.

Strengths: Genuine PRA-scale capability — has been benchmarked against SAPHIRE on the OpenPSA challenge problems with comparable accuracy and runtime. CLI-native, fits cleanly into CI / automation pipelines. Apache-licensed, source-auditable. Importance measures (F-V, RAW, RRW, Birnbaum) all implemented per the standard formulas.
Weaknesses: Active development tapered after ~2020; community maintenance varies by year. No GUI; tree authoring is XML-by-hand or via converter scripts. Documentation is engineer-grade — sufficient for someone who already knows what they're doing, sparse for newcomers. No formal vendor support; no liability backstop.
Right when: Source-auditable procurement requirement; CI-integrated regression-test pipeline; strong Linux / CLI engineering culture in-house; comfortable with XML-driven model authoring.

OpenFTA — the legacy MOCUS GUI

OpenFTA (originally Formal Software Construction, now Auvation, GPL-licensed) is the Java desktop GUI everyone tries first. Top-down MOCUS implementation, drag-and-drop tree editor, runs on Windows / macOS / Linux. Active development is essentially dormant in the late-2020s; the codebase still works but doesn't reflect modern conventions.

Strengths: GUI-based, drag-and-drop tree authoring is approachable. Imports / exports IEC 61025-style XML. Genuinely free (GPL).
Weaknesses: MOCUS-only with no BDD path — the truncation issues from Article 3 apply directly. UI hasn't been substantively updated since the early 2010s. No Monte Carlo support. No CCF modelling. Not maintained.
Right when: Education / introductory use only. For any production safety-case work, the lack of CCF and Monte Carlo rules it out.

OpenPSA Model Exchange Format (MEF) — the interchange backbone

OpenPSA MEF isn't a tool — it's the XML schema that lets fault tree models move between tools. Reference repository at github.com/open-psa/mef; the spec is ISO-style versioned and supported by scram (full producer + consumer), Riskontology, SAPHIRE (import), and the major commercial tools (import / export at least, sometimes full round-trip).

Why MEF matters: it lets you build the model in one tool, run it through a second for cross-validation, and submit through a third that the regulator prefers. The Article 3 recommendation to cross-validate MOCUS vs BDD on the same tree is operationally enabled by MEF — without it, the cross-validation is a manual re-entry exercise. Reviewers increasingly ask "is your model in OpenPSA MEF?"; "yes" is a positive signal of toolchain maturity even if you submit through a different format.

Riskontology and the academic / PyPI scene

Riskontology (CEA, France) is a web platform built on XFTA / OpenPSA tooling. Smaller user base than scram or commercial tools, but actively developed and used in some European nuclear research contexts. The academic / PyPI scene includes scattered Python packages — pyFTA, various faultTree implementations of varying authorship, university-released codebases — that are useful for prototyping and research but rarely production-ready. Treat these as research tools rather than safety-case infrastructure.

When open-source is and isn't the right choice

Open-source is right when…	Open-source is wrong when…
Source-code review is itself a procurement requirement (defence, intelligence, certain nuclear contracts where vendor source isn't accessible).	Regulator hours are scarce and expensive; vendor familiarity directly cuts review cycles.
Strong Linux / CLI / Python engineering culture in-house, capacity to invest in operational expertise.	Smaller team without the operational capacity to maintain integration scripting.
CI-integrated regression testing is a programme requirement (every safety-case revision triggers automated re-quantification).	GUI-driven design-review process where the analysis tool sits at the centre of multi-engineer collaboration.
Research / algorithmic experimentation, novel tree structures.	Liability-sensitive contexts where accountability via vendor warranty matters.
Education and training programmes where licence cost would be prohibitive.	Time-to-first-tree matters (open-source tools have higher set-up overhead than web-first or commercial GUIs).

The community-sustainability question Open-source FTA tools have a long history of being abandoned. OpenFTA's stagnation is the cautionary tale. scram's active-development gap in the early 2020s caused some industrial users to switch back to commercial alternatives. Before committing a multi-year safety case to an open-source tool, look at the commit history of the past 24 months and ask "if this project stopped tomorrow, who continues it?". If the answer is "nobody specific", treat that as a real risk and budget for it — either by sponsoring maintenance, pinning to a specific version with internal patches, or having a commercial fallback ready.

Step 3Government, commercial, and modern web-first

The non-open-source landscape splits into three sub-segments — each optimising for a different combination of regulator familiarity, tree scale, and time-to-first-tree.

Government / research-backed

SAPHIRE (Idaho National Laboratory for the NRC) is the dominant government-backed tool in nuclear PRA. Free for US nuclear industry under EPRI / DOE arrangements; commercial licence available outside that envelope. BDD-based, full PRA-scale, decades of regulator familiarity in the US nuclear industry. The SAPHIRE 8.x line introduced full OpenPSA MEF support, which materially expanded its interoperability story with European PRA work.

Strengths: Regulator-familiar by default for NRC-regulated work; PRA-scale BDD performance; accepted XFTA / OpenPSA round-trip. The institutional support continuity (INL maintains it on a multi-decade basis) is unique to government-backed tools.
Weaknesses: Windows-only (a real friction in CI / Linux-native infrastructure environments). The licence boundary outside US nuclear can be operationally awkward. UI is functional, not modern. Steep learning curve — institutional knowledge stays inside specific consultancies.
Right when: NRC-regulated nuclear work, especially anything aligned with EPRI's PRA-quality programme. Smooth interface to government reviewers.

CAFTA (EPRI) is the long-running PRA workhorse for plant safety analysis at Boiling Water and Pressurised Water reactor sites. Closed-source, EPRI-licensed. Less actively developed than SAPHIRE in recent years but still in production use at many US plants. HiP-HOPS (academic, University of Hull) is a research-grade tool that automatically synthesises fault trees from system models — interesting for early-stage architectural exploration, less for safety-case-grade quantification.

Heavy-iron commercial

The commercial heavy-iron segment is dominated by three vendor families that have been competing for two decades:

Isograph FaultTree+ (UK, part of Isograph Reliability Workbench) — the standard tool in UK and European aerospace, defence, and rail industries. BDD-based, deep ZSA / CCA integration, FaultTree+ XML interchange. Strong UK Civil Aviation Authority and EASA reviewer familiarity. Per-seat licence in the £4-8k/year range for the full Reliability Workbench bundle.
Reliability Workbench (Isograph's bundled product, sometimes referred to interchangeably with FaultTree+) — superset including FMEA, RBD, Markov, weibull. Common buyer is a defence prime that wants one tool for all reliability deliverables. Total cost of ownership runs five-figure annually per seat.
ITEM ToolKit (Item Software) — comparable scope, similar pricing, more popular in oil & gas and process industries. The reliability prediction (217+/IEC 61709) integration is particularly mature.
RAM Commander (ALD) — strong in defence and Israeli aerospace; good MIL-STD-882 alignment.
Riskman (PLG) — long-running PRA tool, primarily nuclear; smaller user base than SAPHIRE / CAFTA but still in production at some utilities.

Strengths across the segment: PRA-scale BDD performance; deep integration with companion analyses (FMEA, ETA, Markov, RBD); regulator-familiar output formats; vendor support contracts with named technical contacts; multi-decade product continuity. Weaknesses: Windows desktop architecture rooted in the 2000s; CLI / scripting is uneven across vendors (Isograph's scripting is mature; some competitors have very limited automation); per-seat licensing scales poorly for larger teams; integration with modern CI / version control is workable but rarely native. Right when: Multi-year programmes where regulator-familiar output formats save review cycles, large teams where vendor support contracts are real value, programmes with companion deliverables (FMEA + RBD + FTA) that benefit from one-tool integration.

Modern web-first

The newest segment, only properly populated since around 2020. Optimised for time-to-first-tree, browser-based delivery, modern collaboration mechanics, and cleaner integration with ISO 26262 and IEC 61511 design-review-velocity workflows.

FTA Studio (the publisher of this guide) — browser-only, IEC 61025 JSON interchange, MOCUS for cut sets plus exact Boolean evaluation for P(TOP), CCF Manager (β-factor + MGL), Monte Carlo with lognormal / uniform / triangular leaves, eight industry templates, free Community edition + Enterprise tier with workflow / hazard register / FMEA cross-reference / analytics. Honest about scale: the MOCUS path means trees beyond a few thousand events are out-of-segment; PRA-scale work belongs on SAPHIRE or scram. The roadmap includes a BDD path for that case.

Strengths: Time-to-first-tree under five minutes (open browser → open template → analysis runs); IEC 61025 JSON interchange that round-trips with the heavy-iron commercial tools; collaboration mechanics built in (shareable links, browser-only embed); free tier with no licence cost up to the Community feature set; honest scale boundary.
Weaknesses: Not BDD; PRA-scale trees out-of-segment until the BDD path lands. Smaller user base than the heavy-iron commercial tools — fewer reviewers have seen the output format, although IEC 61025 JSON exchange mitigates this. Newer entrant; multi-decade institutional continuity is something one earns over time.
Right when: ISO 26262 ASIL A/B/C work, automotive design reviews, smaller-tree IEC 61511 SIS verification, education and training, programmes that want a free tier for early prototyping before committing to commercial. Right with caveats for ASIL D and EN 50126 SIL 4 work where the architecture trees are still small (a few hundred events) but the regulator review is heavy.
Wrong when: Nuclear PRA at full plant scale; IEC 61511 SIS verification on a multi-loop chemical complex with thousands of basic events; programmes whose regulator strongly prefers SAPHIRE or Isograph output.

Other web-first entrants worth tracking: FaultTree+ Web (Isograph's web edition; smaller feature set than the desktop version), and several younger startups serving the automotive ASIL space whose long-term continuity is yet to be established.

The honest summary the publisher of this guide can offer Each of the four segments is genuinely the right answer for some buyer, and genuinely the wrong answer for others. The "best FTA tool" question has no answer at the segment level; it has an answer per (tree size × regulator × team size × budget) tuple. We make FTA Studio for the modern-web-first segment and would be misleading you if we claimed we were the right tool for nuclear PRA. We're not, and the article should help you see that even when we're not the right answer.

Step 4Decision matrix — situation to recommended segment

Eight common situations and the segment that fits each. The recommendation isn't a specific tool — it's the segment to shortlist within. Within-segment selection (e.g. Isograph vs ITEM ToolKit) is then a vendor-relationship and pricing question rather than a technical one.

Situation	Recommended segment	Why
Full-plant nuclear PRA, NRC submission	Government / heavy-iron commercial	SAPHIRE for NRC familiarity; heavy-iron commercial as backup. Open-source insufficient for the institutional backing; web-first out-of-scale.
Tier-1 automotive supplier, ASIL D safety case for production	Heavy-iron commercial or modern web-first	Tree size typically 200–2,000 events — within either segment's capability. Heavy-iron preferred when the team also needs FMEDA / Markov / reliability prediction in the same tool. Web-first preferred for design-review velocity.
OEM-internal automotive ASIL A / B	Modern web-first or open-source	Trees small (50–500 events); collaboration matters; per-seat heavy-iron licensing is uneconomic at this scale.
IEC 61511 SIS verification, multi-loop chemical complex (1000+ SIFs)	Heavy-iron commercial	Tree count + regulator review volume justifies the licensing cost; ITEM ToolKit / Isograph the typical incumbents.
IEC 61511 single-SIF verification, smaller process site	Modern web-first	Single SIF FTA is a few-hundred-event tree at most; web-first time-to-first-tree wins.
ARP 4761 SSA at large aerospace prime	Heavy-iron commercial	Full SSA covers thousands of failure conditions; FAA/EASA reviewer familiarity with Isograph / Reliability Workbench is dispositive.
ARP 4761 supplier-level SSA contribution	Modern web-first	Component-level FTAs are smaller; deliverable is the IEC 61025 JSON / OpenPSA MEF that flows up to the prime's heavy-iron toolchain.
EN 50126 RAMS, SIL 4 signalling system	Heavy-iron commercial	Multi-decade lifecycle, ISA review, cross-acceptance between national authorities — the institutional backing matters.
EN 50126 RAMS, SIL 2/3 station / depot system	Modern web-first	Smaller scope, shorter lifecycle, regulator review more proportionate to the scale.
Research, education, algorithm experimentation	Open-source	Source-code transparency is the value; licence cost matters; production-grade scale isn't the question being asked.
Source-auditable defence / intelligence procurement	Open-source	Source code review is itself a procurement requirement. Vendor source-code escrow on commercial alternatives sometimes works but adds friction.
Single-engineer consultancy doing varied client work	Modern web-first or open-source	Per-seat heavy-iron licensing crushes margins; web-first or open-source carry the work without amortisation pain.

If your situation isn't on the list, the right-segment question is usually answered by three sub-questions: what's my tree size at the limit (under 1k events / 1k–10k / 10k+), which regulator is reviewing this, and how many engineers across the lifecycle need to touch the tree. The four-by-three intersection of those answers maps cleanly onto the four segments without needing this guide's table.

Three things this guide deliberately didn't do

Score on price alone. Total cost of ownership is regulator review hours plus integration friction plus licensing — and licensing is usually the smallest term over a programme lifecycle. A tool that's "free" but adds 20% to review cycles is more expensive than a £6k/year tool the reviewer reads in their sleep.
Pretend to be objective when the publisher is in the comparison. The disclosure callout in the lede is the active version of this principle. Rather than affecting neutrality, this article tries to be honest about where FTA Studio is and isn't the right answer.
Try to predict the market five years out. The web-first segment is the youngest and changing fastest; the open-source community-sustainability question is genuinely uncertain; SAPHIRE's licensing arrangements have shifted before and may again. This guide describes the 2026 state. Re-read in 2028.

Where to go next

Try the modern-web-first segment with no commitment. FTA Studio Community is free, browser-only, no install, no signup. Open one of the eight industry templates and run an analysis in under five minutes — the right way to evaluate whether the segment fits your problem before any procurement conversation.
Read the underlying technical articles to understand what each tool actually does. Articles 3 (MOCUS vs BDD), 5 (CCF), 6 (ASIL decomposition), 7 (PMHF/SPFM/LFM), 8 (ARP 4761), 9 (EN 50126 RAMS), 10 (LOPA + FTA), 11 (Monte Carlo) — the technical content lets you read tool feature lists with the right level of scepticism.
Ask your regulator what they expect to see, before procurement. The cheapest cycle in the entire decision is a 20-minute conversation with the agency reviewer to find out what tool's output they're calibrated to. Most reviewers will answer plainly if asked.
Track the OpenPSA MEF interchange. Whichever tool you pick, ensuring round-trip MEF support is the future-proofing that lets you change tools without re-entering the model. github.com/open-psa/mef.