IEC 62502: Event Tree Analysis (ETA) for Dependability and Risk Assessment — Engineering Guide

IEC 62502 defines the basic principles and procedures for Event Tree Analysis (ETA), a systematic technique for evaluating the possible outcomes of an initiating event through a sequence of success or failure of safety functions, systems, or operator actions. Published in 2010, this international standard is part of the IEC 60300 dependability management series. ETA was first successfully applied in the landmark WASH 1400 nuclear safety study (1975) and has since become a mature methodology used across nuclear power, aviation, chemical processing, offshore oil and gas, automotive safety, and railway signaling. For reliability and safety engineers, IEC 62502 provides the formal framework for constructing, analyzing, and interpreting event trees in a consistent and auditable manner.


📖 1. Principles of Event Tree Analysis

1.1 What is Event Tree Analysis?

Event Tree Analysis is an inductive (forward-looking) technique that starts with an initiating event (e.g., loss of coolant, component failure, external hazard) and traces forward through sequences of system responses and operator actions. Each branching point represents the success or failure of a safety function or barrier. The end states of each sequence define the possible consequences, which may range from safe recovery to catastrophic failure.

The key characteristics that distinguish ETA from other dependability techniques are:

  • Inductive orientation: Moves from cause to effect (unlike Fault Tree Analysis which moves from effect to cause)
  • Time-dependent sequencing: The order of events matters — the tree structure reflects the chronological sequence of protective system actuations
  • Multi-outcome capability: A single initiating event can lead to multiple distinct end states with different probabilities and severities
  • Quantitative and qualitative: Provides both identification of accident sequences and probabilistic quantification
💡 Engineering Insight — ETA vs. FTA Complementarity
ETA and Fault Tree Analysis (FTA, covered by IEC 61025) are complementary rather than competing. In practice, the two techniques are combined: FTA analyzes the failure of each safety function (branch point in the event tree), while ETA analyzes the overall accident sequence. The probabilities from FTA feed directly into ETA branch probabilities. This combined approach is standard practice in probabilistic safety assessment (PSA) for nuclear power plants and is increasingly adopted in functional safety (IEC 61508) applications.

1.2 Event Tree Structure and Symbols

IEC 62502 standardizes the symbols and structure of event trees. The basic elements include:

  • Initiating event node: The root cause that starts the sequence (e.g., “Pipe break,” “Loss of off-site power”)
  • Branch nodes: Represent safety functions or systems, each with two or more outcomes (success/failure, yes/no)
  • Sequence paths: The logical combination of branch outcomes from initiating event to end state
  • End states: The final consequence of each unique sequence path (categorized as safe, hazardous, or catastrophic)
  Symbol name                    Meaning
  Initiating event               Beginning of the accident sequence
  Branch point                   Safety function or system actuation
  Success path (upper branch)    Safety function succeeds
  Failure path (lower branch)    Safety function fails
  End state (safe)               Consequence with acceptable risk
  End state (hazardous)          Consequence with significant risk
  End state (catastrophic)       Consequence with unacceptable risk

🏂 2. The ETA Process

2.1 Step-by-Step Procedure

IEC 62502 defines a structured procedure for conducting an event tree analysis:

  1. Define the system and scope: Establish boundaries, assumptions, and analytical objectives
  2. Identify initiating events: Use systematic methods (HAZOP, FMEA, checklist, operating experience)
  3. Identify safety functions: Determine systems and operator actions that can prevent or mitigate consequences
  4. Order the safety functions: Arrange in chronological order based on the accident progression timeline
  5. Construct the event tree: Draw the tree connecting initiating event through branch points to end states
  6. Collect data: Estimate probabilities for initiating event frequency and branch point success/failure
  7. Quantify sequences: Calculate the probability of each unique sequence path
  8. Interpret results: Identify dominant risk contributors, sensitivity cases, and uncertainty ranges
  9. Document and update: Maintain the analysis as part of the living safety case
⚠️ Common Pitfall — Improper Branch Ordering
The ordering of safety functions in the event tree must reflect the actual time sequence of events. A common mistake is ordering by perceived importance rather than chronology. For example, in a loss-of-coolant accident in a nuclear reactor, the sequence is: reactor trip occurs first, then emergency core cooling, then containment isolation, then containment heat removal. Reversing this order produces misleading results because the analysis would suggest that containment heat removal could affect the need for reactor trip, which is physically impossible.

2.2 Quantification and Uncertainty

The probability of each end state is calculated by multiplying the conditional probabilities along each branch path. The standard emphasizes that uncertainty analysis is an essential component of ETA — single-point estimates without uncertainty bounds can lead to overconfident decisions. IEC 62502 recommends using Monte Carlo simulation or analytical methods (e.g., moment propagation) to propagate input data uncertainties through the tree. A key result is the identification of dominant sequences — the accident paths that contribute the most to overall risk.
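As an added worked example (not from IEC 62502 or this article), steps 5 to 8 of the procedure and the quantification just described are applied to the LOCA sequence from the pitfall note: the tree is enumerated in chronological order, each path's frequency is the product of the conditional probabilities along it, dominant sequences are ranked, and a Monte Carlo loop propagates lognormal uncertainty on the branch probabilities. The initiating-event frequency, failure probabilities and error factor are assumed placeholder values.

```python
import math
import random
# Constructed example (not from IEC 62502): a loss-of-coolant accident (LOCA) event tree with
# four safety functions in the chronological order the text prescribes. Values are placeholders.
INITIATING_FREQ = 1e-3                      # assumed LOCA frequency per reactor-year
SAFETY_FUNCTIONS = [                        # (name, failure probability on demand)
    ("reactor_trip", 1e-5), ("eccs", 1e-3),
    ("containment_isolation", 1e-2), ("containment_heat_removal", 5e-3),
]

def end_state(outcomes):
    """Classify a path of success (True) / failure (False) outcomes into an end-state category."""
    trip, eccs, isolation, heat = outcomes
    core_damage, containment_ok = not (trip and eccs), (isolation and heat)
    if core_damage and not containment_ok:
        return "catastrophic"               # core damage with release to the environment
    return "hazardous" if core_damage else "safe"

def enumerate_sequences(init_freq, functions, probs=None):
    """Step 7: walk every branch path, multiplying conditional probabilities along it."""
    probs = probs or [p for _, p in functions]
    sequences = []
    def walk(i, freq, outcomes):
        if i == len(functions):             # leaf: record (path, frequency, end state)
            sequences.append((tuple(outcomes), freq, end_state(outcomes)))
            return
        walk(i + 1, freq * (1 - probs[i]), outcomes + [True])    # upper (success) branch
        walk(i + 1, freq * probs[i], outcomes + [False])         # lower (failure) branch
    walk(0, init_freq, [])
    return sequences

def risk_by_class(sequences):               # total frequency per end-state category
    totals = {}
    for _, freq, cls in sequences:
        totals[cls] = totals.get(cls, 0.0) + freq
    return totals

def dominant_sequences(sequences, cls, top=3):   # step 8: largest contributors to a category
    return sorted((s for s in sequences if s[2] == cls), key=lambda s: -s[1])[:top]

def monte_carlo_core_damage(n=2000, error_factor=3.0, seed=1):
    """Propagate lognormal uncertainty (error factor = p95/median) through the tree; return CDF p5, p50, p95."""
    rng, sigma, samples = random.Random(seed), math.log(error_factor) / 1.645, []
    for _ in range(n):
        probs = [min(1.0, p * math.exp(rng.gauss(0, sigma))) for _, p in SAFETY_FUNCTIONS]
        seqs = enumerate_sequences(INITIATING_FREQ, SAFETY_FUNCTIONS, probs)
        samples.append(sum(f for _, f, c in seqs if c != "safe"))   # core damage frequency
    samples.sort()
    return samples[n // 20], samples[n // 2], samples[n - n // 20 - 1]
```

With the placeholder values the catastrophic category is dominated by the path "trip succeeds, ECCS fails, isolation fails, heat removal succeeds", which is exactly the kind of dominant sequence the interpretation step is meant to surface.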

🏭 3. Applications Across Industries

ETA has proven valuable across diverse sectors:

  • Nuclear power: Level 1 and Level 2 probabilistic safety assessment (PSA) for core damage frequency and containment performance
  • Chemical process: Loss of containment scenarios, runaway reactions, and toxic release analysis
  • Aviation: Engine failure during takeoff, system failure during flight, and emergency landing scenarios
  • Railway: Signaling failure, train collision scenarios, level crossing protection analysis
  • Oil and gas: Blowout preventer (BOP) reliability, pipeline rupture scenarios, platform evacuation analysis
  • Automotive (ISO 26262): Hazard analysis and risk assessment (HARA) for autonomous driving functions
✅ Best Practice — Living ETA Program
An event tree analysis is not a one-time exercise. IEC 62502 recommends establishing a living ETA program where the analysis is updated when: (1) design changes occur, (2) new operating experience reveals new initiating events or failure modes, (3) component reliability data changes significantly, or (4) regulatory requirements evolve. This living approach is mandatory in the nuclear industry and is becoming standard practice in functional safety management.

❓ Frequently Asked Questions

Q1: What is the difference between Event Tree Analysis and Fault Tree Analysis?
ETA is inductive (cause to effect) and can handle multiple outcomes from a single initiating event. FTA is deductive (effect to cause) and analyzes all possible root causes leading to a single top event. ETA is better for analyzing accident progression; FTA is better for diagnosing specific failure mechanisms. They are complementary and often used together in PSAs.
Q2: How many branch points (safety functions) should an event tree have?
There is no fixed limit, but practical experience shows that trees with more than 15–20 branch points become difficult to manage and interpret. For complex systems, consider decomposing the analysis into multiple linked event trees: a principal tree for main accident progression and supporting trees for detailed subsystem analysis.
Q3: How do I handle common cause failures in ETA?
Common cause failures (CCFs) can affect multiple safety functions simultaneously. IEC 62502 recommends explicitly modeling CCFs as additional branch points or using parametric models (e.g., beta factor, multiple Greek letter method) to introduce dependency between branches. Ignoring CCFs can underestimate risk by a factor of 10–100 in redundant safety systems.
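As an added illustration (not the article's own material), the beta-factor model mentioned in Q3 applied to a branch whose safety function consists of n redundant trains, showing where the factor-of-10-to-100 underestimation comes from; the per-train demand failure probability q, the beta fraction and n are assumed inputs.

```python
# Constructed illustration (not from IEC 62502): the beta-factor common cause failure (CCF)
# model for a safety function built from n redundant trains that all must fail (1-out-of-n).
def beta_factor_failure_prob(q, beta, n):
    """Branch failure probability when each train's demand failure probability q is split into
    an independent share (1 - beta) * q and a common cause share beta * q that defeats every
    train at once. Uses the standard first-order beta-factor approximation."""
    independent_all_trains = ((1 - beta) * q) ** n
    common_cause = beta * q
    return common_cause + independent_all_trains

def ccf_underestimation_factor(q, beta, n):
    """How many times too low the branch probability is if the trains are assumed independent."""
    return beta_factor_failure_prob(q, beta, n) / (q ** n)

def ccf_sensitivity(q, n, betas=(0.01, 0.05, 0.1, 0.2)):
    """Sensitivity case: (beta, branch probability, underestimation factor) for several betas."""
    return [(b, beta_factor_failure_prob(q, b, n), ccf_underestimation_factor(q, b, n))
            for b in betas]
```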
Q4: Does IEC 62502 require software tools for ETA?
No, the standard does not mandate any specific software. Small event trees (5–10 branches) can be analyzed manually or with spreadsheets. For larger analyses or when uncertainty propagation is required, specialized PSA software tools (e.g., SAPHIRE, RiskSpectrum, CAFTA) are recommended to maintain consistency, traceability, and auditability.
© 2026 TNLab — This article is for engineering education and reference purposes.
