📋 IEC 61025:2006 Compliant

FTA Studio v5

Professional Fault Tree Analysis web application for safety-critical systems. Complete user manual covering all features, analysis methods, and best practices.

Version1.0

StandardIEC 61025:2006 / EN 50126

PlatformWeb Browser (PWA)

Year2026

1 Introduction

1.1 What is FTA Studio?

FTA Studio v5 is a professional-grade Fault Tree Analysis (FTA) web application built to the IEC 61025:2006 standard. It enables safety engineers to construct, analyse, and document fault trees entirely within a web browser — with no installation, no server, and no data transmitted externally. All project data is stored locally in your browser.

The application is designed for use in safety-critical industries including railway (EN 50126), nuclear, aerospace (ARP 4761), chemical process, and software safety (IEC 61508).

1.2 Key Capabilities

Visual fault tree construction — drag-and-drop canvas with all IEC 61025 node types
Quantitative analysis — exact Inclusion-Exclusion and Rare Event Approximation methods
Minimal Cut Set computation using the MOCUS algorithm (IEC 61025 Annex B)
Importance measures — Birnbaum, Fussell-Vesely, RAW and RRW (IEC 61025 §7.6)
Common Cause Failure (CCF) modelling with β-factor groups
Multi-project, multi-FTA workspace with full undo/redo history
Approval workflow — file-embedded draft → review → approve lifecycle with audit trail
Review comments — node-level and tree-level comments with resolution tracking
Integrity verification — SHA-256 hash detects post-approval modifications
Export to PNG, JPEG, SVG, and full HTML/PDF safety reports
Five built-in reference examples covering major engineering domains
IEC 61025 completeness checklist, FMEA cross-reference, and 5×5 risk matrix
Offline-capable Progressive Web App — installable on desktop and mobile

1.3 Standards Alignment

Standard	Coverage
IEC 61025:2006	Full FTA methodology — gate types, MOCUS algorithm, probability calculation, importance measures
EN 50126-1:2017	Railway RAMS — hazard traceability, SIL targeting, approval workflow concepts
IEC 61508:2010	SIL 1–4 probability ranges, PFH and PFD parameters, safety integrity fields
ARP 4761	Aerospace — supported via Aircraft Hydraulic example and node field set

1.4 System Requirements

Modern web browser: Chrome 90+, Edge 90+, Firefox 90+, Safari 15+
Screen resolution: 1280 × 800 minimum; 1920 × 1080 recommended
No installation required — access via any web browser
Internet connection: required for first visit (fonts); fully offline after that
Storage: approximately 5–10 MB of browser localStorage per project

ℹ️FTA Studio is a client-side application. No data is sent to any server at any time. All projects are stored in your browser's local storage. Use File → Save to export project files for backup and sharing.

2 Interface Overview

2.1 Application Layout

Area	Description
Top Bar	Primary toolbar with all menus, mode controls, and action buttons
Left Sidebar	Project and FTA tree navigator — list all projects and fault trees
Canvas	Main working area — the interactive fault tree diagram
Right Panel	Context-sensitive panel: node properties, analysis results, CCF, checklist, FMEA, risk matrix
Status Bar	Bottom bar showing current mode, node count, zoom level, and hint messages

2.2 Top Bar — Toolbar Groups

📁 File Menu

New Project — create a new project container
Open Project — load a previously saved .json file
Examples — load one of five built-in reference fault trees
Save Ctrl+S — save changes to the current file
Save As… Ctrl+Shift+S — save to a new file

Mode Group

◈ Select S — select and drag nodes on the canvas
→ Connect C — draw connections between nodes
✥ Pan Space — pan the canvas without selecting nodes

Add Group

⊞ Gate ▾ — add a logic gate node (AND, OR, XOR, PAND, INHIBIT, NOT)
○ Event ▾ — add a leaf event node (Basic, Undeveloped, Conditioning, House, Transfer In/Out)
↗ Reuse — place a shared reference copy of an existing event
⎘ Copy — deep-copy an entire subtree to a new location

Analysis Group

▶ Analyze R — run the full IEC 61025 quantitative analysis
⚠ CCF — open the Common Cause Failure β-factor group manager
📥 Data — import failure rate data from a CSV file

View Group

⊞ Layout L — auto-arrange nodes on the current page using the Reingold-Tilford hierarchical algorithm. On the main page, transferred gates are treated as leaf stubs. On sub-pages, the root gate is locked at top-centre. Run Layout on each page independently.
⛶ Fit F — zoom and pan to fit all visible nodes on the current page

History Group

↩ Undo Ctrl+Z — undo the last action
↪ Redo Ctrl+Y — redo the last undone action

Export Diagram…

Click Export Diagram… to open the export dialog. For multi-page FTAs you can select which pages to export and the format:

PNG — White BG — high-resolution raster with white background and annotated border
PNG — Transparent — transparent background, no annotation border
JPEG — compressed raster with white background and annotated border
SVG — scalable vector, print-ready, separate file per page
RTF (Word/LibreOffice) — all selected pages embedded as images in a single Word-compatible document. Recommended for FTAs with many pages.

For FTAs with more than 8 pages, RTF format and All Pages are automatically pre-selected. Use All / None buttons to quickly toggle page selection.

Other Export Options

Full Report (HTML) — complete safety report with analysis
Print / Save as PDF — opens print dialog for PDF generation
Cut Sets CSV — minimal cut sets with probabilities for offline review
Node Inventory CSV — all events with reliability, safety and importance data
IEC 61025 JSON — structured, schema-aligned export for tool interchange

Utility Buttons

🌓 Theme — toggle between dark and light mode
🔒 Lock — lock the canvas to prevent accidental edits
⊗ Clear — clear all nodes from the current FTA (with confirmation)

2.3 Left Sidebar — Project Navigator

The left sidebar lists all projects. Each project contains one or more fault trees (FTAs). Click any FTA to open it on the canvas.

Click a project name to expand or collapse it
Click an FTA name to open it on the canvas
Use the search box at the top to filter nodes by name or UID
Use the depth controls (+ / –) to show nodes up to a given tree depth
Use ✕ next to a project or FTA to delete it

2.4 Right Panel — Tabbed Panels

Tab	Content
Properties	Edit the selected node's name, UID, description, reliability data, and safety attributes
Analysis	View quantitative results: top event probability, minimal cut sets, and importance measures
CCF	View and manage Common Cause Failure groups and their β-factor contributions
✅ Checklist	IEC 61025 completeness checklist — 22 automated checks with pass/warn/fail status
FMEA	Cross-reference table mapping basic events to their failure modes and detection mechanisms
⬦ Risk	5 × 5 risk matrix showing all nodes plotted by severity and likelihood

3 Getting Started

3.1 Opening the Application

Navigate to the FTA Studio URL in your browser. The application loads instantly with a blank canvas and an empty project list. No login or account is required.

✅Press Ctrl+Shift+R (or Cmd+Shift+R on Mac) on your first visit to ensure you load the latest version, bypassing any browser cache.

3.2 Loading a Built-in Example

The fastest way to explore FTA Studio is to load one of the five included reference examples:

Click 📁 File in the top-left of the toolbar

Hover over Examples

Select any example from the list

Example	Top Event	Standard / Domain
🚆 EN50126 Rail Braking	Loss of Braking Function	EN 50126 — Railway
⚛ Nuclear Reactor SCRAM	Failure to SCRAM	IEC 61025 — Nuclear
✈ Aircraft Hydraulic	Total Hydraulic Loss	ARP 4761 — Aerospace
🏭 Chemical Plant	Reactor Overpressure	IEC 61025 — Chemical Process
💻 Software Safety Monitor	Safety Monitor Failure	IEC 61508 — Software Safety

3.3 Creating a New Fault Tree

Click 📁 File → ✦ New Project

In the left sidebar, click the + FTA button next to your new project

Enter a name for the fault tree (e.g. "Loss of Power Supply")

A Top Event node (AND gate) appears on the canvas automatically

Double-click the Top Event to edit its name and description in the Properties panel

ℹ️Every fault tree must have exactly one Top Event. It is created automatically and cannot be deleted — but you can rename it and change its gate type.

3.4 Project Settings

Click the gear icon (⚙) next to your project name in the left sidebar

Fill in: Project Name, System Name, Organization, Analyst, Standard, SIL Target, Revision, and Mission Time

Click Save

ℹ️Mission Time defaults to 8760 hours (one year). This is used to calculate failure probability from failure rates where Q = 1 − e^(−λT).

4 Building Fault Trees

4.1 Gate Node Types (Logic Gates)

AND

AND Gate

P = Π P(inputs) · MCS = Cartesian product

Output occurs only if ALL inputs occur simultaneously.

OR Gate

P ≈ Σ P(inputs) · MCS = union

Output occurs if ANY one or more inputs occur.

XOR

XOR Gate

MCS = symmetric difference

Output occurs if EXACTLY ONE input occurs.

PAND

Priority AND

P(PAND) ≤ P(AND)

All inputs must occur in a specified order.

INHIBIT

INHIBIT Gate

P = P(input) × P(condition)

AND of an input event and a condition event.

NOT

NOT Gate

P = 1 − P(input)

Negation of the input event.

4.1b Leaf Event Node Types

Type	Definition
Basic Event	A primary failure with a defined probability. The leaf nodes — all quantitative analysis is based on these.
Undeveloped	An event not further developed due to lack of information or being outside scope.
Conditioning	A condition that affects a gate (used with PAND and INHIBIT gates).
House Event	A switch event that is either normally occurring (P=1) or not occurring (P=0).
Transfer In	References a subtree defined elsewhere (incoming transfer). Used to modularise large trees.
Transfer Out	Marks a point where the tree continues in another diagram (outgoing transfer).

4.2 Adding Nodes to the Canvas

Method 1 — Toolbar Menus

Select the ⊞ Gate ▾ or ○ Event ▾ menu from the Add group in the toolbar

Choose a gate or event type from the dropdown

The cursor changes to crosshair (+) mode

Click anywhere on the canvas to place the node

Method 2 — Right-Click Context Menu

Right-click on an empty area of the canvas

Select "Add Node at cursor" from the context menu

Choose the node type — the node is placed at the cursor position

4.3 Connecting Nodes

⚠️A node can have only one parent (output). Each gate can have multiple children (inputs). The tree must be acyclic — circular references are not permitted and will be flagged by validation.

Method 1 — Connect Mode

Press C or click → Connect in the toolbar

Click the child node (the one feeding into the gate)

Click the parent gate node — the connection is drawn

Method 2 — Right-Click on Node

Right-click on the child node

Select "Start Connection Here"

Click the parent gate node

4.4 Editing Node Properties

Field	Unit / Range	Description
UID	Text	Unique identifier (e.g. BE-001, G-AND-001). Must be unique within the tree.
Name	Text	Short event name displayed on the canvas node.
Description	Text	Full description of the failure event or gate. Shown in reports.
Failure Prob. Q	[0, 1]	Dimensionless failure probability. Used directly in analysis if provided.
Fail Rate λ	failures / hr	Failure rate. If Q is not set, Q = 1 − e^(−λT) is computed using Mission Time.
Repair Rate μ	repairs / hr	Repair rate. Used to compute unavailability Q = λ / (λ + μ).
Mission Time T	hours	Operating period. Defaults to project setting (8760 hr = 1 year).
Failure Mode	Text	The specific failure mode (e.g. "Stuck closed", "Open circuit"). Links to FMEA.
Detection Mechanism	Text	How this failure is detected (e.g. "BCU watchdog, pressure sensor").
Linked Hazards	Text	Hazard references providing traceability to the hazard log.
Evidence Reference	Text	Document references (FMEA report, test report, standard).
Mitigation Notes	Text	Design mitigations or safety measures applied to this event.

4.4b Probability Display

After running an analysis (R), the computed failure probability for each gate and event is displayed in the right side of the node's UID strip — the coloured band at the bottom of each node rectangle. The value is colour-coded by risk level:

Red — Q ≥ 1×10⁻³ (high)
Orange — Q ≥ 1×10⁻⁵
Amber — Q ≥ 1×10⁻⁷
Green — Q ≥ 1×10⁻⁹
Blue — Q < 1×10⁻⁹ (very low)

The probability label is placed inside the node boundary to avoid overlapping connector lines.

4.5 Moving and Arranging Nodes

Drag any node to reposition it — the connections follow automatically
Press L or click ⊞ Layout to auto-arrange nodes on the current page using hierarchical layout. Works independently per page.
Press F or click ⛶ Fit to zoom to fit all visible nodes on the current page
Use mouse wheel to zoom in/out
Hold Space (Pan mode) and drag to pan the canvas
Delete removes selected nodes (single or multi-selection)

ℹ️Position-locked nodes: The Top Event (main page) and the root gate of each sub-page are locked at the top-centre position (0, 0) and cannot be dragged. They display a 🔒 badge. This ensures a consistent reference point for the layout algorithm.

4.9 Multi-Page Diagrams (Gate Transfer)

For large fault trees, any gate can be transferred to its own diagram page, keeping each page manageable. This is different from the legacy Transfer In/Out node types — it is a first-class page management feature.

Select a gate node on the canvas

In the Properties panel, click Transfer to Page. A new page tab appears at the bottom of the canvas.

The gate on the main page shows a dashed triangle (→Pn) indicating its subtree continues on the linked page. Click the triangle to navigate.

Navigate between pages using the page tabs at the bottom of the canvas, or by clicking the transfer triangle symbol on any gate.

On the sub-page, the root gate shows a ←P1 indicator. Press L to auto-layout and F to fit the view.

✅Independent positions: Node positions on the main page and sub-pages are completely independent. Moving a gate on the main page does not affect its position on its sub-page, and vice versa. Each page has its own coordinate space.

ℹ️Nested transfers: A gate on a sub-page can itself be transferred to a further sub-page. Nested transferred gates appear as transfer stubs on their parent page. Each level is managed independently.

To remove a page transfer, click ✕ on the page tab (or use Remove Transfer in the Properties panel). The subtree returns to the main page.

4.6 Reusing Events (Reference Nodes)

When the same physical failure event contributes to multiple branches (e.g. a shared power supply), use a reference node rather than duplicating the event.

ℹ️Reference nodes are treated as the SAME event in Minimal Cut Set analysis. This correctly models common cause and shared component failures per IEC 61025.

4.7 Copying Subtrees

Use the ⎘ Copy (deep copy) feature to duplicate an entire subtree — including all child gates and events — to another location in the tree. All nodes are duplicated with new IDs.

4.8 Multi-Select & Bulk Editing

When you need to update the same parameter across many events at once, use multi-select to edit them in bulk.

Action	How
Add/remove node from selection	`Shift+Click` on a node
Select all leaf events	`Ctrl+A` (or `⌘A` on macOS)
Clear selection	`Esc` or click empty canvas
Delete all selected	`Delete` key (with confirmation)

When two or more nodes are selected, the Properties panel switches to Bulk Edit mode with three groups of fields:

Reliability Parameters — set failure rate λ, probability Q, repair rate μ, and mission time for all selected leaf events at once
Safety Integrity — assign or clear a SIL level across all selected events
Qualitative Attributes — set detection mechanism, failure mode, or mitigation notes (blank fields are skipped — only filled fields are applied)

✅Bulk edit is especially useful when importing a new FTA and need to set a common mission time or SIL level across all basic events. Select all with Ctrl+A, set the value, and click Apply.

5 Quantitative Analysis

5.1 Running an Analysis

Ensure all Basic Events have a Failure Probability Q or Failure Rate λ assigned

Click ▶ Analyze in the toolbar (or press R)

The analysis runs instantly for trees up to ~200 nodes

Results appear in the Analysis tab of the right panel

All nodes on the canvas are colour-coded by probability (heat map)

5.2 Analysis Methods

Method	Description
Exact (Inclusion-Exclusion)	Computes the exact top event probability using the Inclusion-Exclusion principle over all Minimal Cut Sets. Exact for independent events. Recommended for final results.
Approximate (Rare Event)	Upper bound approximation: Q_top ≈ Σ P(MCSᵢ). Valid when all probabilities are small (< 0.1). Faster for large trees with many cut sets.

5.3 Minimal Cut Set Analysis

Minimal Cut Sets (MCS) are the smallest combinations of basic event failures that cause the top event to occur. They are computed using the MOCUS algorithm as specified in IEC 61025:2006 Annex B.

The Analysis tab shows each MCS with its identifier, the events in the cut set (by UID and name), the cut set probability, and the cut set order.

⚠️First-order cut sets (single events that alone can cause the top event) represent single points of failure. These should be reviewed as priority risk reduction candidates.

5.4 Importance Measures (IEC 61025 §7.6)

Birnbaum Importance

I_B = Q(1|i) − Q(0|i)

Partial derivative of top event probability with respect to event i. Measures structural importance — how sensitive the system is to event i regardless of its probability.

Fussell-Vesely

I_FV = [Q − Q(0|i)] / Q

Fraction of the top event probability attributable to event i. Values > 10% are high-importance; > 30% are critical.

Risk Reduction Worth (RRW)

RRW = Q / Q(0|i)

Factor by which top event probability reduces if event i is made perfectly reliable. Guides risk reduction investment.

Risk Achievement Worth (RAW)

RAW = Q(1|i) / Q

Factor by which top event probability increases if event i always fails. Indicates how critical the event is to system integrity.

5.5 Sensitivity Analysis

The sensitivity analysis perturbs each basic event probability by ±10% and measures how the top event probability responds. The key output is the elasticity — a normalised measure of sensitivity:

Elasticity ε

ε = (ΔQ_top/Q_top) / (Δq_i/q_i)

A dimensionless ratio that indicates proportional sensitivity. An elasticity of 1.0 means a 10% change in event probability causes a 10% change in top event probability. Values above 0.5 are considered highly sensitive.

Elasticity Range	Level	Interpretation
ε ≥ 0.5	High	Top event is highly sensitive to this input — verify data quality and consider additional mitigation
0.1 ≤ ε < 0.5	Medium	Moderate sensitivity — normal monitoring
ε < 0.1	Low	Top event is insensitive to changes in this input

Sensitivity results appear both in the Analysis panel and in Section 5 of the Full Report.

5.6 Probability Heat Map

≥ 10⁻³

Unacceptable

Immediate design change required

10⁻⁵ to 10⁻³

High

Risk reduction measures required

10⁻⁷ to 10⁻⁵

Medium

ALARP demonstration required

10⁻⁹ to 10⁻⁷

Low

Monitor and document

< 10⁻⁹

Negligible

Acceptable — no action required

6 Common Cause Failure Analysis

6.1 What is CCF?

Common Cause Failure (CCF) occurs when multiple apparently independent events share a common failure cause — such as a common manufacturing defect, maintenance error, or environmental stressor. Standard FTA assumes independence; CCF analysis adds a correction for dependent failures.

FTA Studio implements the β-factor model, the most widely used CCF method in IEC 61508 and EN 50126 safety assessments.

6.2 The β-Factor Model

The β-factor represents the fraction of the total failure rate attributable to common cause failures:

Independent failure rate per component: λ_ind = (1 − β) × λ_total
Common cause failure rate for the group: λ_CCF = β × λ_total
The CCF event is added as an additional cut set that fails the entire group simultaneously

Typical β-factor values range from 0.01 (1%) for well-separated diverse systems to 0.10 (10%) for identical co-located components.

6.3 Creating CCF Groups

Click ⚠ CCF in the Analysis group of the toolbar

Click "+ Add CCF Group"

Enter a group name (e.g. "Solenoid Valves SV-01 and SV-02")

Set the β-factor value (e.g. 0.05 for 5%)

Click on basic events from the list to add them to the group

Click Save — the CCF contribution is included in the next analysis

ℹ️After creating CCF groups, run ▶ Analyze again to see the updated results with CCF contributions included. CCF cut sets are highlighted in the cut sets table and in the CCF tab.

7 Saving, Importing and Exporting

7.1 Saving Your Project

FTA Studio automatically saves your work to browser localStorage after every action. However, localStorage can be cleared. Always use File → Save to create a permanent backup file.

Action	Description
File → Save `Ctrl+S`	Save to the current file. If no file exists yet, prompts for Save As.
File → Save As `Ctrl+⇧S`	Save to a new .json file with a name of your choosing.
File → Open Project	Load a previously saved .json project file.

✅Project files are saved as standard JSON. They contain all nodes, connections, properties, CCF groups, and analysis results. They can be version-controlled with Git or shared via email.

7.2 Importing Failure Rate Data

You can import failure rates from a CSV file to populate multiple basic events at once. The CSV format uses these columns:

UID — must match the UID of an existing event in the tree
failureProbability — Q value [0, 1] (optional)
failureRate — λ in failures/hour (optional)
missionTime — T in hours (optional, overrides project default)

7.3 Exporting Diagrams

Click Export Diagram… in the toolbar to open the export dialog. For multi-page FTAs, select which pages to include and the output format. For FTAs with more than 8 pages, RTF and All Pages are pre-selected automatically.

Format	Use Case	Notes
PNG — White BG	Reports, docs	White background, annotated border with project name, date, and page number. One file per page.
PNG — Transparent	Presentations	Transparent background, no annotation. Suitable for placement on coloured slides.
JPEG	Email, web	Compressed raster with white background. Smaller file size.
SVG	Print, CAD	Scalable vector — ideal for large format printing. One file per page.
RTF	Multi-page FTAs	All selected pages embedded as images in a single Word / LibreOffice document. Ideal for FTAs with many pages — no need to manage dozens of separate image files.
Full Report (HTML)	Safety case	Complete safety report: cover, executive summary, all diagram pages, cut sets, importance measures, CCF, node inventory.
Print / Save PDF	Formal records	Opens the browser print dialog. Select "Save as PDF". Use A3 Landscape for best results.
Cut Sets CSV	Offline review	All minimal cut sets with event UIDs, names, probability, order, and CCF info.
Node Inventory CSV	Data exchange	All events with 23 columns including computed Q, importance measures, and canvas coordinates.
IEC 61025 JSON	Tool interchange	Structured JSON aligned to the IEC 61025 schema. Suitable for import into other FTA tools.

ℹ️Sub-page export: All export formats (PNG, JPEG, SVG, RTF, PDF) correctly render each page using that page's independent coordinate space. Sub-page diagrams are exported exactly as they appear on screen.

✅For the best PDF quality, use Chrome or Edge and select A3 Landscape page size in the print dialog. The report is formatted for A3 landscape automatically.

8 Approval Workflow

FTA Studio includes a full safety-document approval workflow, allowing a fault tree to progress through a defined lifecycle — from initial draft through review to formal approval — all within the project file. This mirrors the approach used by commercial safety tools such as CAFTA and ISOGraph: the project file is the record.

ℹ️The approval workflow is entirely offline and file-based. When an engineer submits a tree for review, they save the file and send it to the reviewer. The reviewer opens the same file, adds comments or approves, then saves and returns it. The complete audit trail and approval record is embedded in the file.

8.1 Setting Your User Identity

Before using the workflow, set your name and role by clicking your name chip in the top-right of the toolbar (or the Set User button). Your identity is stored in your browser session and embedded in all audit entries and approval signatures.

Role	Permissions
Engineer	Creates and edits FTAs; submits for review; resolves comments
Reviewer	Reads the tree (read-only); adds review comments; can reject back to draft; signs off to advance to Reviewed status
Approver	All reviewer permissions; can formally approve and lock the tree (requires reviewer sign-off first)

8.2 Workflow Lifecycle

Each FTA has a status field that controls what actions are available:

Status	Meaning	Canvas
● Draft	Active editing phase	Editable
⏳ In Review	Submitted; awaiting reviewer decision	Locked (read-only)
✎ Reviewed	Reviewer has signed off; awaiting approver	Locked (read-only)
✓ Approved	Formally approved; tree locked	Locked + integrity hash
✕ Rejected	Reviewer or approver rejected; returned to engineer	Locked until reopened

When you open an FTA that is not in Draft status, the canvas automatically locks to prevent accidental edits. A warning appears in the hint bar and the status badge is shown in the toolbar.

8.3 Typical Approval Workflow

Set identity: Engineer clicks Set User in the toolbar, enters name and selects role Engineer

Build and analyse: Engineer creates the fault tree, runs analysis, resolves checklist warnings

Submit: In the 🔏 Workflow tab, click Submit for Review. The tree locks, a snapshot is saved automatically, and the audit log records the submission

Share file: Engineer saves the file (Ctrl+S) and emails / shares it with the reviewer

Review: Reviewer opens the file, sets their identity (role: Reviewer), inspects the tree and adds comments via the Workflow tab

Reviewer sign-off: Reviewer clicks ✎ Reviewer Sign-Off, types their full name as a signature, and advances the FTA to Reviewed status. The file is then shared with the Approver

Approve: Approver opens the file, sets their identity (role: Approver), and clicks ✓ Approve & Lock — typing their name as a digital signature. A SHA-256 integrity hash is captured

Reject (optional): At any point during review, the reviewer or approver can Reject the FTA back to Draft with a reason. The engineer reopens, resolves comments, and resubmits

Approved file: The approved .json file contains the complete three-party audit trail (engineer → reviewer → approver), approval signatures, and integrity hash — this is the safety record

8.4 Review Comments

Comments can be attached to the whole tree or to specific nodes:

Click Add Tree-Level Comment in the Workflow tab for general observations
Nodes with unresolved comments show an amber badge with the comment count
Click any comment badge on a node to jump to the Workflow tab
Engineers resolve comments by clicking ✓ Resolve and entering a response
Resolved comments remain visible (greyed out) for the audit record

8.5 Version Snapshots

Snapshots capture the exact state of the tree at a point in time:

Automatic snapshots are created on Submit and Approve
Manual checkpoints can be saved at any time via Save Checkpoint in the Workflow tab
Any snapshot can be restored (in Draft status only) — the canvas is replaced with the snapshot state
Up to 20 snapshots are stored per FTA

8.6 Integrity Verification

When a tree is approved, a SHA-256 hash of the tree structure is stored in the approval record. When you open an approved file, FTA Studio checks whether the tree matches this hash.

If the tree matches: ✓ Integrity verified
If the tree has been modified since approval: a warning is shown identifying the discrepancy — the file may not be valid for safety case submission
To manually verify at any time, click 🔍 Verify Integrity in the Workflow tab

8.7 Audit Trail

Every significant action is recorded in the embedded audit log:

Node additions and deletions
Analysis runs (with top event probability)
Submit, approve, reject, and reopen events
Comment additions and resolutions
Snapshot creation and restoration

The audit log is visible in the Workflow tab and is permanently embedded in the saved .json project file. It stores a maximum of 500 entries per FTA.

⚠️Regulatory note: The built-in workflow provides a lightweight evidence trail suitable for internal review processes. For formal safety case submissions under IEC 61508, EN 50126 or similar, additional tool qualification and organisational controls may be required by your competent body.

9 Quality and Compliance Tools

8.1 IEC 61025 Completeness Checklist

Click the ✅ tab in the right panel to open the automated IEC 61025 compliance checklist. The checker runs 22 checks against your fault tree and reports pass, warning, or fail for each.

Checks include: top event defined with name and description; all basic events have a failure probability; no orphaned nodes; no intermediate events with missing gate connections; UIDs are unique; all gates have at least two inputs; no circular references; SIL claim consistent with calculated probability; PAND gates have ordered inputs; INHIBIT gates have a condition event assigned.

⚠️The checklist refreshes automatically after every edit. Address all failures before running a final analysis or generating an official report.

8.2 FMEA Cross-Reference

Click the FMEA tab to view an automatically generated cross-reference table linking each basic event to its failure mode, detection mechanism, and mitigation notes. This supports traceability between the FTA and any associated FMEA (IEC 60812 / SAE J1739). The table shows: UID, Name, Failure Mode, Detection Mechanism, Mitigation Notes, and Probability.

8.3 Risk Matrix

Click the ⬦ Risk tab to view a 5 × 5 risk matrix. All leaf events are plotted according to their Severity (Catastrophic → Negligible) and Likelihood (Frequent → Improbable). The matrix uses standard CENELEC EN 50126 hazard acceptance criteria with colour-coded risk regions (Unacceptable / ALARP / Acceptable).

8.4 Full FMEA with Risk Priority Numbers (RPN)

The FMEA tab now supports full IEC 60812 / SAE J1739 risk quantification. For each basic event in the Properties panel, enter three ratings (1–10):

Severity (S) — consequence severity if the failure occurs (1 = negligible, 10 = catastrophic)
Occurrence (O) — frequency/likelihood of the failure (1 = rare, 10 = certain)
Detectability (D) — ability to detect before harm (1 = certain detection, 10 = undetectable)

RPN = S × O × D is calculated automatically (range 1–1000). RPN ≥ 200 is shown in red (high risk), ≥ 100 in amber, below 100 in green. The FMEA tab allows sorting by RPN, Fussell-Vesely importance, or failure probability. Export via 📋 FMEA CSV in the Export menu.

8.5 Hazard Register

Click the ⚠️ tab to open the Hazard Register — a structured register of all identified hazards conforming to IEC 61508 §7.4 and ISO 26262 HARA practices.

Each hazard record contains: Hazard ID (e.g. H-001), Title, Risk Level (Critical / Major / Moderate / Minor / Negligible), Category, Status (Open / In Progress / Mitigated / Closed), and Mitigation / Controls.

Traceability: Link hazards to basic events by entering hazard IDs (comma-separated) in the Linked Hazards field of any event's Properties panel. The Hazard Register automatically shows which events are linked to each hazard, and linked event chips are clickable to navigate to the event. Export via 📄 Export Hazard Register CSV within the tab.

ℹ️Hazard Register data is included in the HTML/PDF report as a dedicated section with full traceability to FTA basic events.

8.6 Monte Carlo Simulation

Click the 🎲 tab to run a Monte Carlo simulation of the fault tree. This provides a stochastic cross-check of the analytical result and is particularly useful for trees with complex logic or when verifying rare-event approximations.

How it works: For each trial, each basic event is independently sampled as failed (with probability Q_i) or working. The top event fails if any minimal cut set is fully contained in the set of failed events. This process repeats N times (configurable: 1,000–100,000 iterations).

Results displayed:

Simulated Q̂_top with Wilson 95% confidence interval
Comparison bias vs. analytic result (percentage difference)
Convergence trace sparkline showing Q̂ settling across iterations

Results use a fixed random seed (configurable) for reproducibility. Export simulation results via Export CSV within the Monte Carlo tab. Results are also included in the HTML/PDF report.

⚠️Run ▶ Analyze first to compute cut sets — Monte Carlo uses MCS for top-event determination.

8.7 What-If Sensitivity Tornado Chart

After running analysis, the Analysis tab shows a What-If Sensitivity tornado chart. Each basic event's probability is perturbed by ±10% and the resulting change in Q_top is shown as horizontal bars:

Left bar (teal) — Q_top when that event's probability decreases by 10%
Right bar (coloured) — Q_top when it increases by 10%

Elasticity ε = (ΔQ_top/Q_top) / (Δq_i/q_i). Events with ε ≥ 0.5 are shown in red (high sensitivity). Up to 8 most-sensitive events are shown.

8.8 Event Library

The reusable event library allows you to save pre-defined basic events (with reliability parameters) and reuse them across different FTAs in the same project.

Save: Select a basic event → Properties panel → 📚 Save to Event Library, or right-click any event → 📚 Save to Event Library
Browse and import: Click 📚 Library in the toolbar → search by UID, name, or failure mode → click a row to place the event on the canvas

The library is stored per-project. Imported events are placed as new independent basic events (not references) and must be connected to a gate.

8.9 Failure Rate Component Database

Click 🔧 DB in the toolbar (with a basic event selected) to open the component failure rate database. It contains 50+ generic failure rates sourced from:

IEC TR 62380 — electronic and electromechanical components
MIL-HDBK-217F — military/aerospace electronics and mechanical parts
OREDA — offshore/process industry sensors, valves, and pumps

Filter by keyword or category. Click any row to apply that failure rate (λ) directly to the selected event. The applied λ will be used in the exponential reliability formula Q = 1 − e^−λT (or ARP4761 linear / steady-state availability depending on project settings).

⚠️Generic database values are for preliminary analysis only. Always use project-specific or manufacturer data for final safety assessments.

8.10 Event Tree Analysis (ETA)

Click 🌿 ETA in the toolbar to open the Event Tree Analysis manager. ETA models the consequences of an initiating event propagating through a series of safety barriers or systems.

Each Event Tree consists of:

Initiating Event — description and frequency (events/hr)
Branches — each barrier/system with a P(success) probability and failure outcome label

FTA Studio computes all 2ⁿ consequence sequences (up to 10 branches), showing the outcome label and frequency (initiating event frequency × path probabilities) for each path. Sequences are sorted by frequency descending. Multiple event trees can be managed per project.

ℹ️ETA complements FTA — use FTA to determine the probability of the initiating event, then use ETA to model the conditional outcomes. See ARP4761 §E and IEC 61025 Annex B for guidance on combined FTA/ETA.

8.11 Reliability Input Models

FTA Studio supports three reliability input models, automatically selected by the parameters present on each event:

Model	Formula	When Used
Direct Q	Q as entered	When probability Q is set directly
IEC 61025 exponential	Q = 1 − e^−λT	When λ is set, μ is not set, standard ≠ ARP4761
Steady-state unavailability	Q = λ/(λ+μ)	When both λ and μ (repair rate) are set — IEC 61508 repairable systems
ARP4761 linear	Q = λ × FH	When λ is set and Project Standard = ARP4761 (per-flight-hour)

The active formula and computed Q value are shown in the Properties panel below the input fields. The "Mission Time" label changes to "Flight Hours FH" when ARP4761 is selected in Project Settings.

10 Keyboard Shortcuts

SaveCtrl+S

Save AsCtrl+Shift+S

UndoCtrl+Z

RedoCtrl+Y

Select modeS

Connect modeC

Pan modeSpace

Run analysisR

Auto-layout current pageL

Fit current page to viewF

Delete selectedDelete

Cancel / DeselectEscape

Zoom in / outMouse wheel

Context menuRight-click

11 Worked Example — Rail Braking System

10.1 Scenario

This section walks through the complete analysis of the built-in EN 50126 rail braking system example. The fault tree models the "Loss of Braking Function" for a metro vehicle braking control system, targeting SIL 2.

10.2 Tree Structure

▼ Top Event: Loss of Braking Function [AND - G1]
▼ G1 Input 1: Primary Brake Channel Fails [OR - G2]
○ BE-001 BCU Hardware Failure
○ BE-002 Solenoid Valve Failure
○ BE-003 Brake Pipe Rupture
▼ G1 Input 2: Backup Brake Channel Fails [OR - G3]
○ BE-004 EM Brake Coil Failure
○ BE-005 UPS Power Failure

10.3 Analysis Results

With the given failure rates and a mission time of 8,760 hours:

Top Event Probability: 2.34 × 10⁻⁹ /hr (SIL 2 compliant: PFH < 10⁻⁶)
Six second-order Minimal Cut Sets (all pairs — one from each channel)
Highest contributor: MCS-4 (BE-002 and BE-004): 1.84 × 10⁻¹⁰
Highest Fussell-Vesely: BE-002 Solenoid Valve (I_FV = 0.789 — 79% contribution)

⚠️The solenoid valve (BE-002) dominates the top event probability due to its relatively high failure rate (2.63 × 10⁻⁹ /hr). In a real safety case this would trigger a review of valve specification, testing interval, or architectural redundancy.

10.4 Step-by-Step Walkthrough

Load the example: File → Examples → 🚆 EN50126 Rail Braking System

The tree appears on the canvas. Press F to fit to view, L to auto-layout

Click BE-001 (BCU Hardware Failure) — inspect its properties in the right panel

Press R to run analysis — the canvas turns green (SIL 2 achieved)

Click the Analysis tab — review cut sets and importance measures

Click ✅ to open the checklist — all checks should pass for this example

Click ↑ Export → Full Report (HTML) to generate the safety report

12 Tips and Best Practices

11.1 FTA Construction Guidelines

Define the top event precisely — ambiguity leads to scope creep and incomplete trees
Use a consistent UID naming convention: TE-001 (top), G-AND-001, G-OR-001, BE-001
Decompose intermediate events until all leaf events are basic, quantifiable failures
Document all failure probabilities with evidence references (FMEA, test data, standards)
Run the ✅ Checklist after each major addition to catch structural errors early
Use Auto-Layout (L) regularly to keep the diagram readable

11.2 Reliability Data Sources

Electronic components: IEC 62380 or MIL-HDBK-217 databases
Mechanical components: OREDA, FARADIP, or NPRD databases
Human errors: THERP, HEART, or SPAR-H methodologies
Software: IEC 61508-3 Table A.3 provides SIL-dependent failure rate ranges
Always state the data source in the Evidence Reference field

11.3 Common Mistakes to Avoid

Not defining failure modes — vague event names ("component fails") are not sufficient
Double-counting — use Reference nodes for shared events, not duplicate basic events
Ignoring CCF — in redundant architectures, CCF can dominate the top event probability
Mixing probability and frequency — ensure all inputs are in consistent units
Omitting undeveloped events from the checklist — they must be justified and documented

11.4 Backing Up Your Work

Use File → Save As after every session to maintain a named backup file
Store .json project files in a version-controlled repository (Git)
Do not rely solely on browser localStorage — it can be cleared by browser updates or privacy settings
Export the Full Report as HTML after completing an analysis for a permanent record

13 Troubleshooting

Canvas is locked and I can't edit nodes

The FTA status is In Review or Approved. Open the 🔏 Workflow tab and click Reopen for Editing to return it to Draft. If it was approved, this will clear the approval record — use only if a revision is genuinely needed.

⚠ Integrity warning appears when opening a file

The tree structure has been modified after approval — the current state does not match the SHA-256 hash locked at approval time. Do not use this file for safety case submission without first reopening, revising, and re-approving the tree.

Approve button is not visible

Approval requires (1) the FTA to be In Review status and (2) your user role to be set to Approver. Click your name chip in the toolbar to change your role.

Comments are not visible on nodes

Comment badges (amber dot) only appear on nodes when the FTA is In Review or Approved and there are unresolved comments. In Draft status, comments cannot be added — submit for review first.

Analysis shows 0 or NaN probability

One or more Basic Events have no failure probability. Check the ✅ Checklist tab — events with missing Q are flagged.

No Minimal Cut Sets found

The tree may have no path from the top event to any basic event. Check all connections are complete. Use the Checklist to find orphaned nodes.

Canvas is blank after reload

Browser localStorage may have been cleared. Restore from your last .json save file using File → Open Project.

Nodes cannot be moved or deleted

The canvas is locked. Click the 🔒 Lock button in the toolbar to unlock it.

PDF report prints on wrong paper size

In the browser print dialog, set the page size to A3 and orientation to Landscape. Disable "Fit to page" scaling.

Export image is very small or blurry

Use SVG export for scalable output. For raster (PNG/JPEG), zoom in on the canvas before exporting to increase the exported resolution.

Application shows old version after update

Press Ctrl+Shift+R (Cmd+Shift+R on Mac) to force a hard reload, bypassing the service worker cache.

Font appears as default browser font

The web fonts from Bunny CDN may be blocked on your network. The app falls back to system fonts automatically — functionality is not affected.

14 Glossary

ALARP

As Low As Reasonably Practicable. A risk level that has been reduced to the lowest level achievable within reasonable cost and effort constraints.

Audit Trail

An append-only log of all significant actions performed on a fault tree (node additions, analysis runs, submissions, approvals, comments), embedded in the project file for regulatory traceability.

Basic Event

A primary failure event at the leaf level of a fault tree. Has an assigned failure probability and requires no further decomposition.

β-factor

Beta factor. The proportion of failures attributable to common causes in the CCF β-factor model. Range: 0 to 1.

Birnbaum

A measure of the structural importance of a basic event — the sensitivity of the top event probability to changes in that event's probability.

CCF

Common Cause Failure. A failure mode in which multiple components fail simultaneously due to a shared cause.

Cut Set

A set of basic events whose simultaneous failure causes the top event to occur.

FTA

Fault Tree Analysis. A deductive, top-down method for analysing the causes of a defined undesired event.

Fussell-Vesely

An importance measure representing the fraction of the top event probability attributable to a specific basic event.

Gate

A logical operator in the fault tree that combines inputs (AND, OR, XOR, PAND, INHIBIT, NOT).

IEC 61025

International standard specifying the fault tree analysis method for safety and reliability assessment.

Minimal Cut Set

The smallest set of basic events that will cause the top event — removing any one event from the set prevents the top event.

MOCUS

Method Of Obtaining Cut Sets. The algorithm used by FTA Studio to compute Minimal Cut Sets, as described in IEC 61025 Annex B.

PFD

Probability of Failure on Demand. Used for low-demand safety functions (IEC 61508).

PFH

Probability of Failure per Hour. Used for continuous / high-demand safety functions (IEC 61508).

RAW

Risk Achievement Worth. The ratio of top event probability when an event always fails to the baseline probability.

RRW

Risk Reduction Worth. The ratio of baseline top event probability to the probability when an event is made perfectly reliable.

SIL

Safety Integrity Level. A discrete level (SIL 1–4) specifying the target failure rate for a safety function, defined in IEC 61508.

Top Event

The undesired event at the top of the fault tree — the event whose causes are being analysed.

UID

Unique Identifier. The alphanumeric code assigned to each node (e.g. BE-001, G-AND-001) for traceability.