What is FTA (Fault Tree Analysis)?


Introduction to Risk Management Methods in the Pharmaceutical and Medical Device Industries

In the pharmaceutical and medical device industries, various risk management methods are employed as part of comprehensive risk management strategies. According to ISO 14971:2019 (Medical devices – Application of risk management to medical devices), which is the international standard for risk management in medical devices, numerous analytical techniques can be applied to identify hazards and estimate risks. Among the well-known risk management methods are the following:

  • Failure Mode and Effects Analysis (FMEA)
  • Failure Mode, Effects and Criticality Analysis (FMECA)
  • Fault Tree Analysis (FTA)
  • Hazard Analysis and Critical Control Points (HACCP)
  • Hazard and Operability Study (HAZOP)
  • Preliminary Hazard Analysis (PHA)
  • Risk ranking and filtering
  • Supporting statistical methods

These methodologies are recognized in ISO 14971:2019 Annex B as examples of tools and techniques that can be used for risk analysis. The selection of appropriate methods depends on the specific context, the nature of the medical device or pharmaceutical process, and the stage of the product lifecycle.

FMEA and FTA: Two Complementary Approaches

In the risk management of manufacturing facilities and equipment, Failure Mode and Effects Analysis (FMEA) is frequently employed. However, Fault Tree Analysis (FTA) is often underutilized, and its application methods are not well understood by many practitioners, despite its significant value in certain analytical contexts.

FMEA is an inductive method that systematically poses questions such as “If this type of failure occurs, what consequences will result?” It is essentially a bottom-up approach that starts with potential failure modes at the component or subsystem level and traces their effects upward through the system hierarchy to determine their impact on overall system performance and safety.

In contrast, FTA employs a deductive, top-down methodology. It begins with an assumed “undesired consequence” (such as a hazardous event or accident) and works backward to identify all possible causal factors. FTA is a cause-analysis method that traces back through various contributing factors and events until reaching basic events that cannot be further decomposed into more fundamental causes.

By using logical symbols (such as AND gates, OR gates, and other Boolean logic operators) to create a graphical representation, FTA enables the visualization and comprehension of complex causal relationships. This makes it particularly effective as an analytical tool for several purposes: comprehensive and early identification of accident causes and hazards that are difficult to anticipate, cross-verification and horizontal deployment of FMEA findings, and analysis to develop recurrence prevention measures for specific accidents or incidents.

The complementary nature of FMEA and FTA can be summarized in the following comparison:

Aspect | FMEA | FTA
Approach | Inductive (bottom-up) | Deductive (top-down)
Starting point | Potential failure modes | Undesired top event (accident/hazard)
Direction of analysis | From cause to effect | From effect to cause
Graphical representation | Tabular format with columns for failure modes, effects, causes, and risk ratings | Tree diagram with logical gates
Primary question | “What happens if this component fails?” | “How could this accident occur?”
Best application | Identifying potential failure modes in the design phase; systematic component-level analysis | Root cause analysis of known incidents; analyzing complex systems with multiple failure paths
Output | Risk Priority Number (RPN) for each failure mode | Probability of the top event; minimal cut sets

Practical Application: FTA for Gas Explosion Analysis

To illustrate the application of FTA, let us examine a gas explosion incident and perform a root cause analysis using this methodology.

For a gas explosion to occur, three elements must coexist simultaneously: an ignition source, oxygen (from air), and combustible gas. This is commonly known as the fire triangle. In this analysis, since the presence of air in the environment cannot realistically be eliminated in most operational settings, we exclude “air” from our preventive control strategy and focus on the other two elements.

The presence of “combustible gas” can only result from leakage from a storage tank or piping system. In the FTA diagram, this “leakage from tank” represents an event that cannot be further developed or broken down into more fundamental causes within the scope of this analysis, and is therefore classified as a basic event or undeveloped event. In FTA notation, undeveloped events are represented by diamond shapes.

Next, we analyze the “ignition source,” which could originate from one of three potential sources: a heat source, an electrical spark, or an open flame. “Heat source” and “open flame” are also classified as basic events in this analysis. However, “electrical spark” can be further analyzed and may result from either a “wire break” or a “short circuit.” Both “wire break” and “short circuit” are basic events that represent fundamental failure modes.

The logical structure of this analysis can be represented as follows:

Top Event: Gas Explosion

  • Requires (AND gate): Ignition Source AND Combustible Gas (AND Air – excluded from control strategy)

Ignition Source branch (OR gate):

  • Heat source (basic event)
  • Electrical spark (intermediate event, OR gate):
    • Wire break (basic event)
    • Short circuit (basic event)
  • Open flame (basic event)

Combustible Gas branch:

  • Leakage from tank (basic event)

From this FTA, the recurrence prevention strategy becomes clear. To prevent gas explosions, controls must be implemented to:

  • eliminate or segregate heat sources and open flames from areas where gas may be present;
  • prevent wire breaks through proper installation, maintenance, and protection of electrical wiring;
  • prevent short circuits through appropriate electrical system design, protective devices, and maintenance;
  • prevent leakage from tanks through regular inspection, proper maintenance, pressure testing, and integrity management of storage systems.

Each control targets one basic event of the tree; because the top event sits under an AND gate, removing either the ignition source or the combustible gas breaks every failure path.
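As an added worked example (not part of the original article), the gas explosion tree above encoded in Python: the code derives the minimal cut sets, which correspond one-to-one with the four recurrence prevention controls, and computes the top-event probability from per-event probabilities. The probabilities in `P` are constructed values assumed for illustration only.

```python
from itertools import product
from math import prod

# Fault tree from the article as nested tuples: (gate, [children]); a string is a basic event.
# "Air" is omitted because the article excludes it from the control strategy.
GAS_EXPLOSION = ("AND", [
    ("OR", ["heat source", ("OR", ["wire break", "short circuit"]), "open flame"]),
    "leakage from tank",
])

def cut_sets(node):
    """All combinations of basic events that make the node occur (not yet minimal)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                      # any child suffices
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                     # one cut set from every child, unioned
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Drop every cut set that contains another one (Boolean absorption)."""
    sets = set(cut_sets(node))
    minimal = [cs for cs in sets if not any(o < cs for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def top_event_probability(node, p):
    """Probability of the node, assuming independent basic events with probabilities p."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [top_event_probability(c, p) for c in children]
    if gate == "AND":
        return prod(probs)
    return 1 - prod(1 - q for q in probs)  # OR: 1 - P(no child occurs)

# Constructed per-year probabilities, for illustration only (not from the article).
P = {"heat source": 0.01, "open flame": 0.02, "wire break": 0.005,
     "short circuit": 0.005, "leakage from tank": 0.001}

if __name__ == "__main__":
    for cs in minimal_cut_sets(GAS_EXPLOSION):
        print(" AND ".join(sorted(cs)))
    print(f"P(gas explosion) = {top_event_probability(GAS_EXPLOSION, P):.3e}")
```

Every minimal cut set pairs "leakage from tank" with exactly one ignition cause, which is why the prevention strategy lists one control per basic event.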

Integration of FTA in Quality Systems and CAPA

FTA proves particularly valuable when accidents or incidents occur and Corrective and Preventive Action (CAPA) must be implemented to prevent recurrence. CAPA, as required by regulations such as FDA 21 CFR Part 820.100 for medical devices and EU MDR Article 10(9), demands thorough investigation and analysis of nonconformities, incidents, and other quality problems.

In CAPA processes, “5 Whys analysis” is commonly employed as a root cause analysis technique. FTA enhances this approach by using logical symbols and structured graphical representation to conduct a more rigorous and systematic investigation of root causes. Unlike the sequential questioning of 5 Whys, FTA considers multiple concurrent causes and their logical relationships, providing a more comprehensive view of complex failure scenarios.

FTA is particularly effective when applied during medical device design changes, process modifications, or when investigating field failures and adverse events. According to ISO 14971:2019, risk management is an iterative process throughout the lifecycle of a medical device, and FTA serves as a valuable tool for risk analysis during design changes, investigating residual risks, and analyzing post-market surveillance data.

Synergistic Application of FMEA and FTA

When FMEA and FTA are combined systematically, they provide a more comprehensive and reliable risk analysis framework. FMEA can identify potential failure modes during the design and development phases, while FTA can be used to verify whether all causal pathways leading to critical hazards have been adequately addressed. This combined approach is particularly valuable in meeting regulatory requirements for risk management in medical devices under ISO 14971:2019, FDA Quality System Regulation (21 CFR Part 820), and EU Medical Device Regulation (EU MDR 2017/745).

The integrated use of both methods enables organizations to achieve both proactive hazard identification (through FMEA) and thorough root cause analysis (through FTA), thereby establishing a robust risk management program that satisfies both regulatory requirements and industry best practices. This comprehensive approach supports not only initial design validation but also ongoing risk management activities throughout the product lifecycle, including post-market surveillance, periodic safety updates, and continuous improvement initiatives mandated by current Good Manufacturing Practice (cGMP) and Quality Management System requirements.
