Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 59

564 5 Safety and Risk in Engineering Design
structural dependencies. For each sequence of the event tree, the fault trees of the
composing events are linked in one large fault tree that follows the logic depicted in
the event tree, and the fault tree is then solved with the usual techniques to compute
the probability of occurrence of that sequence.
Figure 5.12 shows the previous example of an initiating event that requires two
systems, S_1 and S_2, to intervene, where both systems are explicit on the event tree
without regard to their dependence. The hazardous event (accident and/or incident)
sequences in Fig. 5.12 may now be calculated using Bayes' theorem of conditional
probability:

\[
\begin{aligned}
(I)(S_1)(S_2) &= P(S_2 \mid S_1 I)\,P(S_1 \mid I)\,P(I) \\
(I)(S_1)(F_2) &= P(F_2 \mid S_1 I)\,P(S_1 \mid I)\,P(I) \\
(I)(F_1)(S_2) &= P(S_2 \mid F_1 I)\,P(F_1 \mid I)\,P(I) \\
(I)(F_1)(F_2) &= P(F_2 \mid F_1 I)\,P(F_1 \mid I)\,P(I)
\end{aligned}
\tag{5.4}
\]
If the probability of the sequence (I)(S_1)(S_2) is to be evaluated, a fault tree is
developed with the top event occurring when the initiating event I, and the failure
of both systems S_1 and S_2, occur. In place of the events S_1 and S_2, the corresponding
system fault trees can be substituted, thus obtaining a large fault tree that can be
logically simplified (accounting for the existing dependencies) and evaluated so as
to give the probability of the top event, i.e. the probability of the sequence of interest.
With this method, the dependencies are properly treated even if the analysis had,
a priori, no information that the dependency existed. This is particularly useful in
evaluating systems for safety critical consequences during the engineering design
stage, when information concerning the dependencies of hazardous events is still
vague. Conversely, the resulting fault tree for an accident sequence may be rather
large, necessitating more time for safety analysis during the design stage.

Fig. 5.12 Event tree with fault-tree linking (figure not reproduced: from the
initiating event E1 the tree branches on System 1, success state S1 or failed
state F1, and then on System 2, S2 or F2, giving the four sequences (I)(S1)(S2),
(I)(S1)(F2), (I)(F1)(S2) and (I)(F1)(F2))
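The four sequence probabilities of Eq. (5.4) can be evaluated directly once the conditional success probabilities are known. The following script is an added example, not code from the handbook; all probability values in it are constructed for illustration. It quantifies the sequences for an initiating event I and two intervening systems, and then compares the worst sequence (I)(F1)(F2) with what a naive analysis that treats the two systems as independent would give, which is the point the text makes about dependencies being carried through the conditional terms.

```python
# Added example (not from the handbook): the four hazardous-event sequences
# of Eq. (5.4) for initiating event I and two intervening systems S1, S2,
# quantified with conditional probabilities so that the dependence of
# system 2 on the state of system 1 is carried through.  All probability
# values below are constructed for illustration.

from itertools import product


def sequence_probabilities(p_i, p_s1_given_i, p_s2_given_s1_i, p_s2_given_f1_i):
    """Return {(state1, state2): probability} for the sequences of Eq. (5.4).

    State 'S' = system succeeds, 'F' = system fails.  Dependence enters
    through P(S2 | S1 I) != P(S2 | F1 I); each sequence probability is
    P(state2 | state1, I) * P(state1 | I) * P(I), exactly as in Eq. (5.4).
    """
    p_success2 = {"S": p_s2_given_s1_i, "F": p_s2_given_f1_i}
    seqs = {}
    for s1, s2 in product("SF", repeat=2):
        p1 = p_s1_given_i if s1 == "S" else 1.0 - p_s1_given_i
        p2 = p_success2[s1] if s2 == "S" else 1.0 - p_success2[s1]
        seqs[(s1, s2)] = p2 * p1 * p_i
    return seqs


def independence_error(p_i, p_s1_given_i, p_s2_given_s1_i, p_s2_given_f1_i):
    """Ratio of the dependent to the naive probability of sequence (I)(F1)(F2).

    The naive analysis ignores the dependence and uses the marginal
    P(S2 | I) = P(S2 | S1 I) P(S1 | I) + P(S2 | F1 I) P(F1 | I) on both branches.
    """
    dependent = sequence_probabilities(p_i, p_s1_given_i,
                                       p_s2_given_s1_i, p_s2_given_f1_i)
    p_s2_given_i = (p_s2_given_s1_i * p_s1_given_i
                    + p_s2_given_f1_i * (1.0 - p_s1_given_i))
    naive = sequence_probabilities(p_i, p_s1_given_i, p_s2_given_i, p_s2_given_i)
    return dependent[("F", "F")] / naive[("F", "F")]


# Constructed values: a shared cause makes system 2 much less likely to
# succeed once system 1 has already failed (0.5 instead of 0.95).
P_I, P_S1_I, P_S2_S1I, P_S2_F1I = 0.1, 0.9, 0.95, 0.5

if __name__ == "__main__":
    for (s1, s2), p in sequence_probabilities(P_I, P_S1_I, P_S2_S1I, P_S2_F1I).items():
        print(f"(I)({s1}1)({s2}2): {p:.5f}")
    print("dependent / independent for (I)(F1)(F2):",
          independence_error(P_I, P_S1_I, P_S2_S1I, P_S2_F1I))
```

With these constructed numbers the four sequence probabilities sum to P(I) as they must, and the dependent treatment puts the double-failure sequence at roughly five times the value the independence assumption would give, which is why the text stresses identifying all existing dependencies before the fault trees are linked.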
In summary, all the significant dependencies of hazardous events among systems
are explicitly represented in the event trees with boundary conditions. The fault
trees for the individual events are then simple and independent. However, great care
must be taken in identifying all the existing dependencies. In the fault-tree link
approach, dependencies of hazardous events are included in the fault trees for the
various systems and, thus, are not dependent. The accident sequence in the linked
fault tree is rather large and complex but all dependencies are treated automatically.
In Fig. 5.13, a simplified version of a functional event tree is illustrated for the
case of a pipe rupture in the primary cooling circuit of a nuclear reactor. It is evident
from these simplified event trees that for realistic systems, event tree analysis and,
thus, safety analysis in engineering design can become quite complicated.
5.2.1.4 Cause-Consequence Analysis for Safety in Engineering Design
The cause-consequence analysis (CCA) method or, alternatively, the cause-
consequence diagram (CCD) method is a tool for system safety and risk analysis. As
with the fault-tree analysis method, the cause-consequence diagram documents the
failure logic of the system. In addition to this, the cause-consequence diagram pro-
duces the exact failure probability in an efficient calculation procedure. The cause-
consequence diagram technique, as applied to static systems, has been shown to
yield the same result as those produced by the solution of the equivalent fault tree
and binary decision diagram. On this basis, general rules have been devised for the
construction of a cause-consequence diagram, given a static system. The use of the
method in this manner has significant implications in terms of efficiency of con-
ducting safety analysis, and can be shown to have benefits for determining safety in
engineering design.

Safety analysis of industrial systems is carried out to reduce the risk of adverse
events such as injury or death, as well as to aid in the protection of systems and
facilities, by reducing the frequency or consequences of accidents and/or incidents.
Since the early 1960s, various mathematical models have been used to perform re-
liability analysis in order to predict the likelihood that a system will function under
a given demand. Each analysis model had different features that made it more ap-
propriate to specific types of systems, and the most efficient analysis was to utilise
the simplest technique. The most commonly employed technique to assess the prob-
ability of failure of industrial systems is fault-tree analysis (FTA).
For systems containing independent failure events, it has been shown that the
FTA technique produces a logical description of the failure process and yields,
among other results, the system's unreliability. It has been highlighted, however, that
this technique has limitations even when it is applied to systems containing indepen-
dent failure events, in that the structural extent of backward analysis for this tree-
based deductive method quickly becomes multi-branched for complex systems, and
in itself becomes complex. Qualitatively, if the fault tree is complex, then finding the
minimal cut sets can be time-intensive. In addition, the top event probability, found
via the inclusion-exclusion formula, may also be computationally time-consuming
if the system contains a moderate number of minimal cut sets.

Fig. 5.13 Function event tree for loss of coolant accident in nuclear reactor (NUREG 75/014 1975)
In the past, this problem was solved by using a simple approximation for the
probability of occurrence of the top event. These approximations, however, can be
inaccurate if the likelihood of component failure is large. The problem of inaccu-
racies due to approximation techniques has been alleviated by the development of
the binary decision diagram (BDD) approach. BDDs are based on Bryant's trees
(Bryant 1986) to obtain the exact top event probability efficiently by expressing the
system failure modes as disjoint paths. The calculation of the top event probabil-
ity is achieved by summing the probabilities of these disjoint paths. This analysis
procedure makes the BDD technique more efficient than the traditional FTA tech-
nique. The BDDs, however, cannot be constructed from the system description, and
are developed from the fault-tree representation of the system. During the conver-
sion process, the BDD loses all the causality information that is represented in the
fault-tree structure. In addition to this, an inefficient ordering of the basic events can
result in an excessively large diagram that can prove difficult to analyse, reducing
the efficiency of the method.
A technique has been developed that represents all system outcomes, given an
initial event, on a diagram that contains a full textual description of the system's
behaviour, and produces an exact quantification of system failure probability. This
technique is based on the cause-consequence diagram (CCD) method developed at
RISO Laboratories in Denmark in the 1970s to aid in reliability analysis of nuclear
power plant (Villemeur 1991).
The cause-consequence diagram method involves the identification of the poten-
tial modes of failure of individual components and then relates the causes to the
ultimate consequences for the system. The consequences evaluated include those
that represent system failure as well as those that represent other system behaviour.
As all consequence sequences are investigated, the method can assist in identifying
system outcomes that may not have been envisaged during the earlier design phases.
Cause-consequence analysis (CCA) is most frequently applied to systems where
the system state changes with time (Nielsen et al. 1975). Application of cause-
consequence analysis to a static system, and development of rules for the construc-
tion of a cause-consequence diagram representing a static system have been used in
a high-integrity protection system (HIPS) to prevent the passage of a high-pressure
surge in downstream vessels in a process engineering design (Ridley et al. 1996).
The Cause-Consequence Diagram Method
Cause-consequence diagramming is a technique that embodies both causal and con-
sequence analysis. The technique provides a diagrammatic notation for expressing
the potential consequences of an event (normally, a hazard) and the factors that influ-
ence the outcome. The basic notation is introduced in the context of the example in
Fig. 5.14. In this diagram, the hazard is 'ignition'. The final outcomes (or so-called
significant consequences) are shown in octagons and vary from 'no fire', 'minor
fire', to 'major fire'. The main factors that influence the outcomes are shown in
'condition vertices' (i.e. YES or NO branching), specifically 'alarm on' and 'sprin-
kler on'. The diagram shows that a major fire will occur as a result of the ignition
hazard only if both the sprinkler and alarm system fail. If the frequency with which
the hazard will occur can be estimated, and the probability that the sprinkler and
alarm systems will fail on demand (and, importantly, to what degree these failures
are correlated), then the frequency with which the hazard will give rise to this in-
cident can be estimated. This is an essential step on the way to estimating the risk
arising from the hazard.

Fig. 5.14 Example cause-consequence diagram (figure not reproduced: the
hazard 'Ignition' leads to the condition vertex 'Sprinkler on' (YES/NO) and then
'Alarm on' (YES/NO), with the outcomes 'No fire', 'Minor fire' and 'Major fire')
Symbols Used for a Cause-Consequence Diagram
There are basically six types of symbols used for constructing a cause-consequence
diagram. These symbols include the decision box, fault-tree arrow, initiator triangle,
time delay box, OR gate, and consequence box, as illustrated in Table 5.4.
The cause-consequence diagram is thus developed from an initiating event, i.e.
an event that starts a particular operational sequence, or an event that activates cer-
tain safety systems. The cause-consequence diagram is comprised of two conven-
tional safety analysis techniques, the fault-tree analysis (FTA) method and the event
tree analysis (ETA) method.

The event tree analysis method is used to identify the various paths that the sys-
tem could take, following the initiating event, depending on whether certain sub-
systems/components function correctly or not.
The fault-tree analysis method is used to describe the failure causes of the sub-
systems considered in the event tree part of the diagram. This relationship is shown
in Fig. 5.15.
Table 5.4 Cause-consequence diagram symbols and functions

SYMBOL: Decision box (drawn with a YES branch and a NO branch, e.g. 'Sprinkler on';
the NO branch carries the failure probability q_i)
FUNCTION: The decision box represents the functionality of a component/system.
The NO box represents failure to perform correctly, the probability of which is
obtained via a fault tree or single component failure probability q_i.

SYMBOL: Fault-tree arrow (labelled with the fault tree number, e.g. Ft1)
FUNCTION: The fault-tree arrow represents the number of the fault tree structure
which corresponds to the decision box.

SYMBOL: Initiator triangle (labelled λ = ...)
FUNCTION: The initiator triangle represents the initiating event for a sequence,
where λ indicates the rate of occurrence.

SYMBOL: Time delay box (labelled t = x hrs)
FUNCTION: Time delay 1 indicates that the time starts from the time at which the
delay symbol is entered and continues up to the end of the time interval in the
delay symbol.

SYMBOL: OR gate
FUNCTION: The OR gate symbol is used to simplify the cause-consequence diagram
when more than one decision box enters the same decision box or consequence box.

SYMBOL: Consequence box
FUNCTION: The consequence box represents the outcome event due to a particular
sequence of events.

Fig. 5.15 Structure of the cause-consequence diagram (figure not reproduced:
from the initiating event, the consequence part identifies the sequence depending
on the accident or incident limiting systems, by event tree analysis; the causal
part gives the cause of failure of the accident or incident limiting systems, by
fault tree analysis)
Rules for construction and quantification The cause-consequence diagram tech-
nique has been applied to a static safety system and found to yield results similar
to those produced by a conventional fault tree (Ridley et al. 1996). On the basis of
this study, general rules have been devised for the correct construction of the cause-
consequence diagram, as given below. The use of the cause-consequence method in
this manner has significant implications in terms of efficiency of reliability analysis,
and can be shown to have computational benefits for analysing static safety systems.
Step 1. Component failure event ordering If the order of failure is irrelevant,
which is typically the case in a static system, then the CCD can be initiated by
considering any of the components in the system. The analysis of the CCD should
yield identical results regardless of the component or variable ordering; however,
the actual diagrams may vary in size. The first step of CCD construction is there-
fore deciding on the order in which component failure events are to be taken. To
ensure a logical development of the causes of the system failure mode (i.e. initiating
event), the ordering should follow the temporal action of the system, or the system's
activation for the function required.
Step 2. Cause-consequence diagram construction The second stage involves the
actual construction of the CCD. Starting from the initiating component, the func-
tionality of each component or sub-system is investigated and the consequences of
these sequences determined. If the decision box is governed by a sub-system, then
the probability of failure will be obtained via a fault-tree diagram.
Step 3. Reduction If any decision boxes are deemed irrelevant (for example, the
boxes attached to the NO and YES branches are identical, and their outcomes and
consequences are the same), then these should be removed and the diagram reduced
to a minimal form. Removal of these boxes will in no way affect the end result. This
is illustrated in Fig. 5.16, where failure (F) can occur due to either of the two paths
that terminate in the same failure function consequence, affecting either the NO or
YES branches of component A.
On one path the component (A) works, on the other it fails, proving that the state
of component (A) represented by the decision box is irrelevant. When a redundant
decision box is identified, reduction is achieved by removing the box and replacing
it with the next decision/consequence box. When no further redundancies exist, the
cause-consequence diagram is deemed minimal.

Fig. 5.16 Redundant decision box (figure not reproduced)
Step 4. System failure quantification The probability of each consequence for
a static system is determined by summing the probability of each set of events that
lead to this particular outcome. Each sequence probability is obtained by simply
multiplying the probabilities of the component events represented by the branch.
This is possible because each sequence of events is mutually exclusive, and the
probability of a component failure event is assumed independent.
Three-component systems The cause-consequence diagram approach for static
systems can be demonstrated by a very simple system example. The approach shows
that it has potential advantages in comparison to a conventional fault-tree analysis
for larger systems. The system example contains three components A, B and C, and
system failure is caused by either A and B failing together, or C failing alone. The
system failure causes are illustrated as a fault-tree structure in Fig. 5.17.
The cause-consequence diagram can be constructed according to the following
steps:
Step 1. Component failure event ordering The ordering chosen is that of A, B and C.
Step 2. Cause-consequence diagram construction The CCD is constructed by in-
specting the failures of the components in that order (refer to Fig. 5.18).
Step 3. Reduction Boxes 3 and 4 are both irrelevant and are therefore removed.
This process reduces the CCD, the final form being illustrated in Fig. 5.19 and, as
no further redundancies exist, the diagram is minimal.
Fig. 5.17 Example fault tree indicating system failure causes (figure not
reproduced: TOP is an OR gate over G1 and Function C; G1 is an AND gate over
Function A and Function B, with basic events A, B and C)

Fig. 5.18 Cause-consequence diagram for a three-component system (figure not
reproduced)

Step 4. System failure quantification The probability of system failure is equal
to the sum of the probability of the three sequence paths that lead to the conse-
quence 'F'. Therefore, since the paths are mutually exclusive:
\[
\begin{aligned}
\text{Probability of failure} &= P(\text{path 1}) + P(\text{path 2}) + P(\text{path 4}) \\
&= q_A \, q_B + q_A \,(1 - q_B)\, q_C + (1 - q_A)\, q_C \\
&= q_A \, q_B + q_A \, q_C - q_A \, q_B \, q_C + q_C - q_A \, q_C \\
&= q_A \, q_B + q_C - q_A \, q_B \, q_C
\end{aligned}
\]
The fault-tree quantification calculates the top event probability to be identical to
that obtained by the cause-consequence diagram approach. By studying the reduced
form of the CCD, it can be noted that it is equivalent to the binary decision diagram
(BDD) for the fault tree in Fig. 5.17 with the variable ordering A < B < C, as il-
lustrated in Fig. 5.20. The top event probability can also be obtained directly from
the BDD by multiplying the probabilities down the paths that lead to the terminal 1
node.
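The construction rules (Steps 1 to 4) and the three-component worked example above can be carried out mechanically. The following script is an added example and not code from the handbook: it builds the reduced decision diagram for the structure function (A AND B) OR C in a chosen component order, removing any decision box whose YES and NO branches lead to identical sub-diagrams (Step 3), sums the disjoint failure paths (Step 4), and checks the result against inclusion-exclusion over the minimal cut sets {A, B} and {C} and against the rare-event approximation the text says becomes inaccurate when component failure probabilities are large. The failure probabilities q_A, q_B, q_C are constructed values chosen deliberately not to be rare, and the function and variable names are my own.

```python
# Added example (not from the handbook): exact failure probability of the
# three-component system, failure = (A AND B) OR C, by three routes:
#   1. a reduced cause-consequence/decision diagram built in a chosen
#      component order (Steps 1 to 4), summing the disjoint paths ending in 'F';
#   2. inclusion-exclusion over the minimal cut sets {A, B} and {C};
#   3. the rare-event approximation (plain sum of cut-set probabilities).
# Component failure probabilities are constructed values, not from the text.

from itertools import combinations


def system_fails(failed):
    """Structure function of Fig. 5.17: failed maps component -> True if failed."""
    return (failed["A"] and failed["B"]) or failed["C"]


def build_ccd(order, failed=None):
    """Steps 1 to 3: decompose the structure function in the given order.

    Returns 'W' (works) or 'F' (fails) at the leaves, otherwise a node
    (component, works_branch, fails_branch).  A decision box whose YES and NO
    branches lead to identical sub-diagrams is redundant and is dropped
    (Step 3), so the result is the minimal diagram for that ordering.
    """
    failed = failed or {}
    if len(failed) == len(order):
        return "F" if system_fails(failed) else "W"
    comp = order[len(failed)]
    works = build_ccd(order, {**failed, comp: False})
    fails = build_ccd(order, {**failed, comp: True})
    return works if works == fails else (comp, works, fails)


def failure_paths(diagram, prefix=()):
    """Enumerate the mutually exclusive paths that terminate in consequence 'F'."""
    if diagram == "F":
        return [prefix]
    if diagram == "W":
        return []
    comp, works, fails = diagram
    return (failure_paths(works, prefix + ((comp, "works"),))
            + failure_paths(fails, prefix + ((comp, "fails"),)))


def ccd_failure_probability(diagram, q):
    """Step 4: sum over disjoint paths of the product of branch probabilities."""
    total = 0.0
    for path in failure_paths(diagram):
        p = 1.0
        for comp, state in path:
            p *= q[comp] if state == "fails" else 1.0 - q[comp]
        total += p
    return total


def inclusion_exclusion(cut_sets, q):
    """Exact top-event probability from minimal cut sets (independent events)."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            union = set().union(*combo)
            term = 1.0
            for comp in union:
                term *= q[comp]
            total += (-1) ** (k + 1) * term
    return total


def rare_event_approximation(cut_sets, q):
    """Sum of cut-set probabilities; overestimates when the q_i are not small."""
    total = 0.0
    for cut in cut_sets:
        term = 1.0
        for comp in cut:
            term *= q[comp]
        total += term
    return total


CUT_SETS = [frozenset("AB"), frozenset("C")]
Q = {"A": 0.3, "B": 0.2, "C": 0.1}   # constructed, deliberately not "rare"

if __name__ == "__main__":
    diagram = build_ccd(("A", "B", "C"))
    print("reduced diagram:", diagram)
    print("failure paths  :", len(failure_paths(diagram)))
    print("CCD exact      :", ccd_failure_probability(diagram, Q))
    print("incl.-excl.    :", inclusion_exclusion(CUT_SETS, Q))
    print("rare-event     :", rare_event_approximation(CUT_SETS, Q))
```

For the ordering A, B, C the reduced diagram has exactly three failure paths, matching the text, and its probability equals q_A q_B + q_C - q_A q_B q_C from inclusion-exclusion; the same value is obtained for the ordering C, B, A, although that diagram has a different shape and path count, which is the ordering-independence claim of Step 1. With the constructed values the rare-event sum q_A q_B + q_C overstates the exact result, illustrating why the text prefers the disjoint-path calculation when component failure probabilities are not small.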
Fig. 5.19 Reduced cause-consequence diagram (figure not reproduced)
Fig. 5.20 BDD with variable ordering A < B < C (figure not reproduced)