Event tree analysis (ETA) is a forward-looking risk assessment technique that maps the potential consequences of a triggering event by tracing all the possible paths that could follow from it. Borrowed from systems engineering and safety-critical industries, it has found application in service design and UX for mapping failure scenarios, understanding how small errors cascade into serious consequences, and designing resilience into complex systems before they are built.
What It Is
An event tree begins with an initiating event — a user error, a system failure, a missed step — and then branches at each subsequent decision point or system response. Each branch represents a different outcome depending on whether a safeguard succeeds or fails. The resulting tree visualises all possible consequence paths from the single initiating event, allowing the design team to identify which paths lead to acceptable outcomes and which lead to critical failures, and to prioritise design interventions accordingly.
How to Run It
- Identify the initiating event to analyse — a specific user error, a system timeout, a missing input, or a process failure.
- List the key safeguards, checks, or responses that exist downstream of the initiating event.
- For each safeguard, draw a branch for success (safeguard works) and failure (safeguard fails).
- Trace each path to its end state and classify it as safe, acceptable, degraded, or critical failure.
- Assign approximate probabilities to branches where data exists.
- Identify the branches leading to critical failures and design targeted interventions to prevent them.
When to Use It
Event tree analysis is most valuable in safety-critical design contexts — medical devices, financial transaction flows, emergency response systems, and complex multi-step processes where errors can cascade into serious consequences. It is also useful for designing error recovery flows in consumer digital products, particularly when the cost of an unrecovered error is high in terms of data loss, financial impact, or user distress.
Tips for Success
- Keep the initiating event specific and well-defined — broad initiating events produce unwieldy trees.
- Involve domain experts and frontline staff in building the tree: they know where safeguards actually fail in practice.
- Focus on consequence paths that lead to serious harm or significant failure — not every branch needs equal attention.
- Use the event tree alongside fault tree analysis for a complete picture: ETA looks forward from a trigger, FTA looks backward from a failure.

