The (Christmas) Fault Tree


October 13th, 2022 – Reading time: 5 minutes

The „Fault Tree“ (FTA) analysis method is vividly explained using a burning Christmas tree.

– – –

Every year, Christmas trees catch fire in many living rooms. The causes are manifold, and yet they are interrelated. Fault tree analysis is an industry-proven method that uncovers cause-effect relationships of faults in complex systems for a top undesired event and, in particular, identifies the critical paths that contribute most to the occurrence of the disaster. Applied to the example of a burning Christmas tree, it can be vividly demonstrated how easily the probability of a fire can be reduced.

A situation that affects everyone

What do sleeping grandpa, Christmas tree stands, and exciting new gifts have in common? They can all be the cause of the Christmas tree catching fire. With an estimated 30 million Christmas trees in German households, many of these trees burn down every year. The analyses of the fire departments of the Christmas room fires show the main causes of fire (here with little Ida, Grandpa & Co. a little more vividly depicted). But how are causes and fire connected? Where can one start particularly efficiently to prevent room fires? A fault tree can provide the answer.

How the fault tree works

Fault Tree Analysis (FTA) is a proven method that has its strengths in linking individual risks and identifying common cause failures. It is easy to follow and provides good quantitative accuracy in the range of one order of magnitude for the (cumulative) probability of occurrence of the Top Level Mishap (TLM). While many other safety analyses dissect risks very strongly and work out details, a fault tree directs the focus back to the overall system and its interdependencies. In addition to the probability of the worst-case event (TLM), this analysis reveals critical combinations of individual events that can interact to trigger the TLM. An optional sensitivity analysis shows which failure paths are particularly susceptible to probability changes. For example, when replacing components in technical systems within these paths, special care must be taken to ensure that the failure probabilities do not change negatively, as this particularly greatly influences the TLM occurrence probability.

Structure of the FTA

An FTA is structured systematically and typically has a top, middle, and base structure. The top structure consists of the TLM and a basic branching into relevant system functions. In this simple example, this has been omitted.

The middle structure further breaks down the system functions and considers system phases (e.g. ignition, extinguishing, „tree in operation“) for this purpose if necessary. The detailed error chains can also be found here.

The basic structure is the „root“ of the fault tree. This is where the fault chains end in the basic fault events or those that are not broken down further due to a previously defined level of detail.

Logical elements of the FTA

The FTA uses Boolean logic to link the events together. For the representation of the linking possibilities and further depiction, a special notation has been established. Basic events and logical nodes, so-called gate events, are to be distinguished.

The logic is constructed via the gates, and the tree grows in width and depth.

The most crucial logic symbols: left: AND, right OR

The most crucial logic symbols: left: AND, right OR

  • AND operation: the error output occurs when all error inputs occur. Strongly constrains as the probabilities multiply P(A∩B)=P(A)*P(B).
  • OR operation: fault output occurs if at least one fault input occurs. Can be approximated by the mathematical addition of the individual probabilities in conservative calculations. P(AUB)=P(A)+P(B) – P(A∩B)

Evaluation of the FTA

A quantitative fault tree offers several evaluation options. For the Christmas fault tree shown here, the following can be evaluated:

Critical path: It is readily apparent that the largest risk contributor to the overall risk is not extinguishing promptly. Here, leaving the tree alone is particularly dangerous. The candles themselves are not that risky. It is much more dangerous that flammable material is present at all. In particular, these are dried-out trees or flammable ornaments.

Particularly effective starting points for countermeasures, therefore, lie in observing the tree and preventing the presence of flammable material. Then candles are also harmless.

Interpretation of the numerical values: The values reflect the probability of occurrence of the event normalized to one year. The probability of a Christmas tree being ablaze (not just slightly flickering) is 1.2*10^-5. This means that every year, 365 Christmas trees catch fire heavily on a statistical average.

Experience shows that the accuracy of these figures is in the range of one order of magnitude since the basic events are only estimated in terms of probability of occurrence. This means that in Germany, neither 30 nor 3000 trees will burn.

This estimate is the most accurate that currently exists in terms of numerical values. Interestingly, neither the firefighters‘ associations nor the Federal Fire Commissioner have exact figures. We wish you a Merry Christmas!


Volker Lippitz
Volker LippitzHead of Consulting

How can we accelerate your development?

Let’s start

INVENSITY Center of Safety Management

Core Competences

  • Safety of the intended functionality (SOTIF)
  • Product Safety
  • Functional Safety
  • System Safety

Learn more