In this video, you will find all the information you need to perform a fault tree analysis on the propulsion subsystem of our Earth Observation Satellite. This technique is part of the risk identification and analysis activities required to develop this case study. Remember, you are participating in a project to design an Earth Observation Satellite able to capture detailed images of a chosen part of the world. Our customer has some requirements regarding safety and dependability. The two safety requirements are: first, during the ground phase and launch, the satellite can tolerate two failures leading to a catastrophic risk; second, the probability of a catastrophic risk shall be less than 10^-6. To demonstrate compliance with these requirements, we will develop a fault tree analysis.

A fault tree analysis is a deductive technique, which means that it deduces the causes that contribute to the top event, also known as the undesired event. The first step is to define the top event. This top event has to be precise and answer the following questions: What (for instance, which failure occurs)? Where (for instance, which function is affected)? When (for instance, which life cycle phase is involved)? Then, the different possible causes leading to this event are identified. These causes are combined through logic gates. The basic events can be failures, human errors, or external conditions. Finally, from the probabilities of the basic events, you can calculate the probability of occurrence of the top event. This method also allows us to search for minimal cut sets, which are the smallest combinations of events leading to the undesired event.

Let's go back to our satellite. Now, we will talk about the propulsion subsystem. The tank contains hydrazine propellant. Hydrazine is a colorless, flammable liquid. This fuel is a good choice for low Earth orbit satellites, but it has some drawbacks. There is a risk of explosion at high temperatures. Also, it is highly toxic for humans. The tank is filled with hydrazine during the ground phase, just before launch, using the fill and drain valve. In case of a launch delay, the same valve is used to drain the propellant. The filter is needed to avoid thruster malfunction in case of hydrazine impurities.

Since this is a critical system, there are three levels of safety barriers: a pre-arm valve, an arm valve, and a fire valve. Note that for each thruster, an arm valve and a fire valve exist. These valves are closed during the ground phase. You have to take into account that these valves operate independently. For example, if the pre-arm valve is opened in an untimely manner for any reason, it does not mean that a leak will occur, as long as the arm valves and the fire valves work properly. In order to have a leak through the thrusters, there has to be an untimely opening of the pre-arm valve and of both valves of the same thruster. So, assuming that the ground operation with the tank filled lasts for 10 hours, this represents a risk for operators in the integration room. It is very important to consider this risk in our safety assessment. Due to the toxicity of hydrazine, a leak would represent a catastrophic event during the ground phase. We will develop our fault tree analysis considering, as the unwanted event, human poisoning by hydrazine after the tank filling activity during the ground phase. Now that you know how to do a fault tree analysis for this system, it's your turn to try it.
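The following Python script is an added worked example, not part of the video or the case study material. It models the leak fault tree exactly as described above (pre-arm valve AND, for at least one thruster, arm valve AND fire valve of that same thruster), enumerates the minimal cut sets, and evaluates the top event probability against the two customer requirements. The number of thrusters (2), the basic event names, and the per-valve untimely-opening rate (1e-4 per hour, applied over the 10-hour ground phase) are constructed assumptions; the independence of basic events is the assumption the video itself states.

```python
"""Fault tree analysis of the hydrazine-leak top event during the ground phase.

Added example, not the original video's material. The tree follows the
description in the video: a leak through a thruster requires the pre-arm
valve AND the arm valve AND the fire valve of the same thruster to open in
an untimely manner. The thruster count and failure rates are constructed.
"""
from itertools import combinations
from math import prod

# Constructed assumptions (not from the video): each valve has a constant
# untimely-opening rate of 1e-4 per hour; the filled-tank ground phase lasts
# 10 hours (the duration the video gives), so p_valve = rate * duration.
GROUND_PHASE_HOURS = 10.0
VALVE_RATE_PER_HOUR = 1e-4


def build_leak_tree(n_thrusters=2):
    """Fault tree as nested tuples: (gate, [children]); leaves are event names.

    Top event: leak through a thruster during the ground phase
      = AND(pre-arm opens, OR over thrusters of AND(arm opens, fire opens)).
    """
    thruster_branches = [
        ("AND", [f"AV{i}_opens", f"FV{i}_opens"]) for i in range(1, n_thrusters + 1)
    ]
    return ("AND", ["PAV_opens", ("OR", thruster_branches)])


def cut_sets(node):
    """All cut sets of a node as a set of frozensets (not yet minimised)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        # Any child's cut set alone causes the gate output.
        return set().union(*child_sets)
    if gate == "AND":
        # Every child must fail: combine one cut set from each child.
        acc = {frozenset()}
        for cs in child_sets:
            acc = {a | b for a in acc for b in cs}
        return acc
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Drop any cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def top_event_probability(mcs, p):
    """Exact P(top) by inclusion-exclusion over the minimal cut sets.

    Valid for independent basic events; p maps event name -> probability.
    Exponential in the number of cut sets, which is fine for a tree this size.
    """
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            union = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(p[e] for e in union)
    return total


def rare_event_bound(mcs, p):
    """Upper bound: sum of cut set probabilities (the usual FTA approximation)."""
    return sum(prod(p[e] for e in cs) for cs in mcs)


def assess(n_thrusters=2, p_valve=VALVE_RATE_PER_HOUR * GROUND_PHASE_HOURS):
    """Check both customer requirements for the leak top event."""
    tree = build_leak_tree(n_thrusters)
    mcs = minimal_cut_sets(tree)
    p = {e: p_valve for e in basic_events(tree)}
    min_order = min(len(cs) for cs in mcs)
    prob = top_event_probability(mcs, p)
    return {
        "minimal_cut_sets": sorted(sorted(cs) for cs in mcs),
        # Requirement 1: any two single failures must be tolerated, i.e. no
        # cut set of order 1 or 2 may exist.
        "min_order": min_order,
        "tolerates_two_failures": min_order >= 3,
        # Requirement 2: probability of the catastrophic event below 1e-6.
        "probability": prob,
        "rare_event_bound": rare_event_bound(mcs, p),
        "meets_1e-6": prob < 1e-6,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Each minimal cut set here has order 3 (pre-arm, arm and fire valve of one thruster), which is what "tolerates two failures" means in cut set terms; the probability check depends entirely on the assumed valve rates, so in a real assessment those numbers come from the component reliability data, not from this script.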