Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, by the Center for Chemical Process Safety. Copyright 2000 American Institute of Chemical Engineers.

Appendix D. Minimal Cut Set Analysis

D.1. Introduction

All quantitative fault tree analysis methods are approximations of reality. By far the largest contributions to error and uncertainty result from qualitative aspects of fault tree analysis and arise from

1. Lack of understanding of the system modeled, including all possible failure mechanisms (what is not included in the analysis because experience and/or judgment are deficient);
2. Incorrect fault tree logic describing the system failures (if the logic is incorrect, then quantitative evaluation by any method will be incorrect);
3. Lack of understanding of, or improper accounting for, common cause failures.

In constructing a fault tree, the analyst usually follows a gate-by-gate approach. The fault tree developed consists of many levels of basic events and subevents linked together by AND gates and OR gates. Minimal cut set analysis rearranges the fault tree so that any basic event that appears in different parts of the fault tree is not "double counted" in the quantitative evaluation. The result of minimal cut set analysis is a new fault tree, logically equivalent to the original, consisting of an OR gate beneath the top event whose inputs are the minimal cut sets. Each minimal cut set is an AND gate containing a set of basic events necessary and sufficient to cause the top event.

Some advantages and disadvantages of gate-by-gate and minimal cut set methods include

1. Normal gate-by-gate methods are not as exact as minimal cut set methods. Special formulas may be required, for example, when failure rates or demand rates are very high. Simple gate-by-gate methods cannot calculate the wide range of reliability parameters generated by minimal cut set methods. More advanced gate-by-gate methods (Doelp et al., 1984) can overcome this deficiency.
2. Events that occur in different branches of the tree are treated correctly by minimal cut set analysis. Gate-by-gate methods require special efforts in constructing a tree that does not contain repeated events. Any repeated events not removed will introduce a bias (positive or negative) in the results.
3. Gate-by-gate methods may make it easier to identify those subevents or basic events that are the major contributors to the top event. Cut set methods calculate reliability parameters for the top event only and use other parameters, such as importance, to identify major contributors to the top event. It is possible to separately calculate reliability parameters for subevents using minimal cut set methods if it is important to determine these parameters for subevents.

There are trade-offs in the selection of which approach to use. Simple gate-by-gate calculations can rapidly produce results using hand calculations. Minimal cut set methods use computer programs that are well developed and eliminate the effects of repeated events. As fault trees become larger, computerized methods become more attractive, particularly when a large number of alternatives are to be evaluated.

D.2. Minimal Cut Set Analysis

Minimal cut set analysis is a mathematical technique for manipulating the logic structure of a fault tree to identify all combinations of basic events that result in the occurrence of the top event. These basic event combinations, called cut sets, are then reduced to identify the minimal cut sets, which contain the minimum sets of events necessary and sufficient to cause the top event. The logic structure of the original fault tree is mathematically transformed, using the rules of Boolean algebra, into an equivalent minimal cut set fault tree.
The transformed fault tree is mathematically and logically equivalent to the original fault tree, but the minimal cut set form is more amenable to quantification. The transformation process also ensures that any single event that appears repeatedly in various branches of the fault tree is properly accounted for. Minimal cut set analysis is described in many texts, including Henley and Kumamoto (1981) and Roberts et al. (1981).

This methodology is applicable to all fault trees, regardless of size or complexity, that satisfy the following conditions:

1. All failures are binary in nature (components are either working or failed).
2. Transition between working and failed states occurs instantaneously (no time delays).
3. All component failures are statistically independent.
4. The failure rate of each equipment item is constant.
5. The repair rate for each equipment item is constant.
6. After repair, the system will be as good as old, not as good as new (i.e., the repaired component is returned to the same state, with the same failure characteristics, that it would have had if the failure had not occurred; repair is not considered to be a renewal process).
7. The fault tree for system failure is the same as the repair tree (i.e., repair of the failed component results in the immediate return to their normal state of all higher intermediate events that failed as a result of the failed component).

The Boolean method for determining minimal cut sets is mathematically and logically identical to the matrix method reviewed in the HEP Guidelines (AIChE/CCPS, 1992).

D.3. Boolean Algebra

The logical structure of a fault tree can be expressed in terms of Boolean algebraic equations. Boolean algebra is used to reduce equations composed of variables that can take on only two values. It is commonly used to describe the operations of power switching grids, computer memories, or logic diagrams. Selected basic mathematical rules of Boolean algebra are given in Table D.1. Conventionally, the symbol + is used to represent the logical OR operator and the symbol . is used to represent the logical AND operator. Roberts et al. (1981) present a more comprehensive rule tabulation and discussion of Boolean algebra.

TABLE D.1. Selected Rules of Boolean Algebra

Relation   Rule                 Expression
1          Commutative rule     A + B = B + A ;  A . B = B . A
2          Associative rule     A . (B . C) = (A . B) . C ;  A + (B + C) = (A + B) + C
3          Distributive rule    A . (B + C) = A . B + A . C ;  A + (B . C) = (A + B) . (A + C)
4          Idempotent rule      A . A = A ;  A + A = A
5          Absorption rule      A + A . B = A

D.4. Sample Problem 1: Minimal Cut Set Determination

The use of Boolean algebra in fault tree analysis is first illustrated by a simple example. Consider the fault tree of Figure D.1. It consists of a top event, four intermediate events, and four basic events. The minimal cut sets for this example are determined by representing the fault tree as a Boolean equation. This equation is reduced using the laws of Boolean algebra (Table D.1). This reduction involves replacement of intermediate events with their causes. If the fault tree in Figure D.1 were quantified by the gate-by-gate method (Section 3.2.1), an incorrect answer would be obtained, because the basic events BE1, BE2, and BE4 each appear in more than one branch of the tree.

FIGURE D.1. Simple fault tree (top event T, intermediate events IE-1 through IE-4, basic events BE1 through BE4; the gate structure is that given by Steps 1 to 4 of Table D.2).

Step 1 of Table D.2 presents the Boolean representation of the top event in terms of intermediate events IE1 and IE2. In Step 2, intermediate event IE1 (an AND gate) and intermediate event IE2 (an OR gate) are replaced by their Boolean equivalents. This process of replacing intermediate events is continued in Steps 3 and 4, until the Boolean representation of the fault tree contains only basic events. Step 4 represents the top event in terms of basic events only. Each term is a cut set. However, the representation is not in minimal cut set form because further Boolean reduction is possible. Event BE4 appears twice in one term of the expression, and one of the terms containing BE1 can be eliminated. In Step 5 of Table D.2 the term BE3 . BE4 . BE4 . BE2 is reduced to BE3 . BE4 . BE2 using the idempotent law (Relation 4, Table D.1). In Step 6 of Table D.2 the term BE1 + BE1 . BE2 is reduced to BE1 using the law of absorption (Relation 5, Table D.1). In Step 7, the commutative law is used to reorder the basic events of the second term (putting them in numerical order for convenience). The two terms in Step 7 (BE1 and BE2 . BE3 . BE4) of Table D.2 are the minimal cut sets for the fault tree of Figure D.1. The occurrence of either of these two cut sets will cause the top event of the simple fault tree of Figure D.1.

TABLE D.2. Reduction of Sample Fault Tree of Figure D.1 Using Boolean Algebra

Step   Boolean expression
1      T = IE1 + IE2
2      T = (BE1 . BE2) + (BE1 + IE3)
3      T = BE1 . BE2 + BE1 + (BE3 . BE4 . IE4)
4      T = BE1 . BE2 + BE1 + (BE3 . BE4 . BE4 . BE2)
5      T = BE1 + BE1 . BE2 + BE3 . BE4 . BE2
6      T = BE1 + BE3 . BE4 . BE2
7      T = BE1 + BE2 . BE3 . BE4

The minimal cut sets can be used to create a new fault tree that is logically and mathematically identical to the original. Figure D.2 presents the simple fault tree of Figure D.1 in the equivalent minimal cut set form.

D.5. Sample Problem 2

For demonstration purposes the sample problem in Section 3.2.1 is recalculated using the minimal cut set method. The treatment of Steps 1, 2, and 3 (Figure 3.3) is the same as discussed in Section 3.2.1, resulting in the fault tree of Figure 3.5. Step 4 (Figure 3.3), qualitative examination of structure, and Step 5 (Figure 3.3), quantitative evaluation, are done using minimal cut set analysis.

The same methods used in Sample Problem 1 are applied to the fault tree of Figure 3.5. The Boolean algebra analysis of the fault tree is presented in Table D.3. The 20 minimal cut sets identified in Step 6 of Table D.3 are listed in Table D.4.
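The reduction of Table D.2 and of Table D.3 is mechanical once the tree is written down as gate definitions, which is what a computer code does. The following Python example is added here for illustration and is not part of the CCPS text or of any fault tree code it mentions. The gate structures are transcribed from Table D.2 (Figure D.1) and from the steps of Table D.3 (Figure 3.5); `cut_sets` performs the substitution of Steps 1 to 4, frozensets apply the idempotent law, and `minimal_cut_sets` applies absorption. The function and variable names are the example's own.

```python
"""Minimal cut set determination by Boolean reduction (added example).

A fault tree is entered as gate definitions; each gate is expanded into
sum-of-products form, the idempotent law (A . A = A) removes duplicated
events inside a term, and the absorption law (A + A . B = A) removes
non-minimal terms. The gate structures below are transcribed from Table D.2
(Figure D.1) and Table D.3 (Figure 3.5); the code itself is not from the page.
"""
from itertools import product

# name -> (gate type, inputs); an input that is not a gate name is a basic event
FIG_D1 = {
    "T":   ("OR",  ["IE1", "IE2"]),
    "IE1": ("AND", ["BE1", "BE2"]),
    "IE2": ("OR",  ["BE1", "IE3"]),
    "IE3": ("AND", ["BE3", "BE4", "IE4"]),
    "IE4": ("AND", ["BE4", "BE2"]),
}

FIG_3_5 = {
    "T":   ("OR",  ["M1", "M2", "B1", "M3", "M4"]),
    "M1":  ("AND", ["B2", "M5"]),
    "M2":  ("OR",  ["B3", "B4", "B5", "B6"]),
    "M3":  ("AND", ["B7", "M6", "B8"]),
    "M4":  ("AND", ["M7", "M8"]),
    "M5":  ("OR",  ["M9", "M10"]),
    "M6":  ("OR",  ["B9", "B10", "B11"]),
    "M7":  ("OR",  ["B12", "M11"]),
    "M8":  ("OR",  ["B13", "B14"]),
    "M9":  ("AND", ["B15", "B16"]),
    "M10": ("AND", ["B17", "B18", "B19", "B20"]),
    "M11": ("AND", ["M12", "B21"]),
    "M12": ("OR",  ["B22", "B23", "B24", "B25"]),
}


def cut_sets(tree, event="T"):
    """Expand an event into its cut sets (Steps 1 to 4 of Table D.2).

    Each cut set is a frozenset, so a basic event entering an AND term twice
    (BE4 in Step 4 of Table D.2) is kept once: the idempotent law.
    """
    if event not in tree:                      # basic event
        return [frozenset([event])]
    gate, inputs = tree[event]
    branches = [cut_sets(tree, i) for i in inputs]
    if gate == "OR":                           # union of the input cut sets
        return [cs for b in branches for cs in b]
    if gate == "AND":                          # one cut set per combination of inputs
        return [frozenset().union(*combo) for combo in product(*branches)]
    raise ValueError(f"unknown gate {gate!r} at {event}")


def _num(name):
    """Sort key that orders B2 before B10 (numeric suffix of the event name)."""
    return int("".join(ch for ch in name if ch.isdigit()))


def minimal_cut_sets(tree, event="T"):
    """Absorption (Step 6 of Table D.2): drop any cut set that contains another.

    The result is sorted by size first, as in the qualitative ranking of Table D.4.
    """
    sets = set(cut_sets(tree, event))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s, key=_num)))


def size_histogram(sets):
    """Number of cut sets per size, the basis of the qualitative ranking in D.5."""
    hist = {}
    for s in sets:
        hist[len(s)] = hist.get(len(s), 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    for name, tree in (("Figure D.1", FIG_D1), ("Figure 3.5", FIG_3_5)):
        mcs = minimal_cut_sets(tree)
        print(f"{name}: {len(mcs)} minimal cut sets, by size {size_histogram(mcs)}")
        for i, cs in enumerate(mcs, 1):
            print(f"  C{i} = " + " . ".join(sorted(cs, key=_num)))
```

For Figure D.1 the raw expansion yields the three cut sets of Step 4 of Table D.2 and absorption leaves BE1 and BE2 . BE3 . BE4; for Figure 3.5 it yields the 20 minimal cut sets of Table D.4 (5 single-event, 2 two-event, 12 three-event, 1 five-event). The subset test in `minimal_cut_sets` is quadratic in the number of cut sets, which is acceptable for trees of this size; production codes use more elaborate methods for the thousands of cut sets a large tree produces.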
The cut sets in Table D.4 are ranked in terms of the number of basic events per cut set and are assigned reference numbers (C1 to C20). There are 5 single-event, 2 two-event, 12 three-event, and 1 five-event cut sets. The qualitative ranking of importance would assume that small cut sets (e.g., one and two events) are more likely to occur. However, this is not necessarily true in all cases. The HEP Guidelines (AIChE/CCPS, 1985) discuss how other factors such as human error or active and passive equipment failure can be used to further rank the cut sets. In Step 5 (Figure 3.3), Quantitative Evaluation, it is shown that some larger cut sets in this example are more likely to occur than smaller ones.

Another objective of qualitative examination is to identify the susceptibility of the system to common-cause failures. As discussed in Section 3.2.1, several factors can lead to common-cause failure, including:

1. operator error;
2. common manufacturer;
3. local environmental factors;
4. proximity of common equipment items;
5. loss of a utility.

FIGURE D.2. Simple fault tree transformed into minimal cut sets (an OR gate beneath the top event whose inputs are the two minimal cut sets of Table D.2).

TABLE D.3. Minimal Cut Set Determination Steps^a

Step 1   T = M1 + M2 + B1 + M3 + M4
Step 2   T = (B2 . M5) + (B3 + B4 + B5 + B6) + B1 + (B7 . M6 . B8) + (M7 . M8)
Step 3   T = [B2 . (M9 + M10)] + B3 + B4 + B5 + B6 + B1 + [B7 . (B9 + B10 + B11) . B8] + [(B12 + M11) . (B13 + B14)]
Step 4   T = B2 . (B15 . B16 + B17 . B18 . B19 . B20) + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + [B12 + (M12 . B21)] . (B13 + B14)
Step 5   T = B2 . B15 . B16 + B2 . B17 . B18 . B19 . B20 + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + [B12 + (B22 + B23 + B24 + B25) . B21] . (B13 + B14)
Step 6   T = B2 . B15 . B16 + B2 . B17 . B18 . B19 . B20 + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + B12 . B13 + B12 . B14 + B21 . B22 . B13 + B21 . B23 . B13 + B21 . B24 . B13 + B21 . B25 . B13 + B21 . B22 . B14 + B21 . B23 . B14 + B21 . B24 . B14 + B21 . B25 . B14

^a Every term of the final expansion is a minimal cut set (Table D.4). T, top event; M, intermediate event; B, basic event.

The susceptibility to common-cause failure due to human error for one of the cut sets is illustrated as follows. Events B15, B16, B17, B18, and B21 are associated with human errors. Examining the cut sets (Table D.4), C8 contains two of the basic events associated with human error (B15, B16). Hence, this cut set is susceptible to human error. An inexperienced operator who unloads the truck into the tank when there is insufficient volume to receive it (B15) might also not respond to the LIA-1 high level alarm (B16). Thus, these two events may not be truly independent, because the same inexperienced operator is involved in both events. Their combined probability may be substantially higher than the 1 x 10^-2 . 1 x 10^-2 obtained by assuming independence.

STEP 5. QUANTITATIVE EVALUATION OF SAMPLE PROBLEM 2 FAULT TREE

The approach described here is based on simple assignment of probabilities and frequencies to basic events in the minimal cut sets. A more detailed treatment is reviewed in Appendix E. Table D.5 presents the frequency and probability data for the basic events (from Figure 3.5). Table D.6 summarizes the calculated frequency of occurrence of the minimal cut sets. A calculation for Cut Set 8 in Table D.6 is provided for demonstration:

From Table D.4:                    C8 = B2 . B15 . B16
From Table D.5:                    B2 = 300/yr, B15 = 1 x 10^-2, B16 = 1 x 10^-2
Cut Set Frequency (Table D.6):     C8 = B2 . B15 . B16 = 300/yr . 1 x 10^-2 . 1 x 10^-2 = 3 x 10^-2/yr

Note that each cut set in Table D.4 contains exactly one event expressed as a frequency (an initiating event such as B2, unloading a tank truck) and otherwise only probabilities, so the product is a frequency; a cut set containing two frequency-type events would indicate an error in the fault tree logic, since the product of two frequencies is not a rate.

TABLE D.4. Minimal Cut Sets for Sample Problem 2

Minimal cut set reference number   Basic events
C1                                 B1
C2                                 B3
C3                                 B4
C4                                 B5
C5                                 B6
C6                                 B12 . B13
C7                                 B12 . B14
C8                                 B2 . B15 . B16
C9                                 B7 . B8 . B9
C10                                B7 . B8 . B10
C11                                B7 . B8 . B11
C12                                B21 . B22 . B13
C13                                B21 . B23 . B13
C14                                B21 . B24 . B13
C15                                B21 . B25 . B13
C16                                B21 . B22 . B14
C17                                B21 . B23 . B14
C18                                B21 . B24 . B14
C19                                B21 . B25 . B14
C20                                B2 . B17 . B18 . B19 . B20

The frequency (probability) of the top event is calculated from the cut set frequencies (or probabilities) by

    F_T = Σ_i F_i    or    P_T = Σ_i P_i

where F_T (or P_T) is the frequency (probability) of the top event, and F_i (or P_i) is the frequency (probability) of minimal cut set C_i. This summation is the rare-event approximation: it neglects the simultaneous occurrence of two or more cut sets and is adequate when, as here, the individual cut set frequencies are small. The frequency of the top event (3 x 10^-2/yr) is the same as calculated using the gate-by-gate approach of Figure 3.5. This is because no basic event appears more than once in the fault tree. The frequency of the top event is expressed to one significant figure to be consistent with the basic event frequency data.

Using the frequencies of the minimal cut sets in Table D.6, it is easy to identify the main contributors to the top event. In the example used, cut sets C8, C9, and C10 are the main contributors. Cut set C8 contributes 94% of the top event frequency. The qualitative evaluation ranks this cut set eighth in a list of 20. This example is a warning of the potential danger of relying on qualitative rankings of importance. In addition, the qualitative examination did show that cut set C8 was susceptible to human error, so its frequency may be even higher than predicted quantitatively assuming independence of all basic events. Therefore, both qualitative and quantitative evaluations provide evidence of a need to consider mitigating design features or revised operating procedures.

TABLE D.5. Basic Event Input Data for Sample Problem 2

Basic event                                                  Probability   Frequency (yr^-1)   Reference^a
B1   Tank drain breaks                                            -            1 x 10^-4       Ozog (1985)
B2   Unloading tank truck                                         -            300             Ozog (1985)
B3   Vehicle impact                                               -            1 x 10^-5       Ozog (1985)
B4   Aircraft impact                                              -            1 x 10^-6       Ozog (1985)
B5   Earthquake                                                   -            1 x 10^-5       Ozog (1985)
B6   Tornado                                                      -            1 x 10^-5       Ozog (1985)
B7   Unloading tank requires nitrogen purge                       -            10              Ozog (1985)
B8   Boil-off insufficient to prevent vacuum                  1 x 10^-2            -           Ozog (1985)
B9   PV-2 fails closed                                        1 x 10^-2            -           Ozog (1985)
B10  PICA-1 fails, closing PV-2                               1 x 10^-2            -           Ozog (1985)
B11  Loss of nitrogen supply                                  1 x 10^-4            -           Ozog (1985)
B12  PICA-1 fails, closing PV-1                                   -            1 x 10^-2       Ozog (1985)
B13  Exceed capacity of RV-1                                  1 x 10^-3            -           Ozog (1985)
B14  V-8 closed                                               1 x 10^-3            -           Ozog (1985)
B15  Insufficient volume in tank to unload truck              1 x 10^-2            -           Ozog (1985)
B16  Failure of or ignoring LIA-1                             1 x 10^-2            -           Ozog (1985)
B17  Wrong material in tank truck                             1 x 10^-3            -           Ozog (1985)
B18  Tank truck not sampled before unloading                  1 x 10^-2            -           Ozog (1985)
B19  Reagent reacts with stored material                      1 x 10^-1            -           Ozog (1985)
B20  Pressure rise exceeds capacity of PV-1                   1 x 10^-1            -           Ozog (1985)
B21  Failure of or ignoring PICA-1                                -            1 x 10^-2       Ozog (1985)
B22  PV-1 fails closed                                        1 x 10^-3            -           Ozog (1985)
B23  V-7 closed                                               1 x 10^-3            -           Ozog (1985)
B24  Temperature of inlet higher than normal                  1 x 10^-3            -           Ozog (1985)
B25  High pressure in flare header                            1 x 10^-3            -           Ozog (1985)

^a In a real analysis, this column documents data sources for future reference. In this example all data are from Ozog (1985).

TABLE D.6. Frequencies of the Cut Sets and Top Event for Sample Problem 2

Minimal cut set                      Frequency of cut set (yr^-1)   Cut set importance^a
C1  = B1                             1 x 10^-4                      0.3
C2  = B3                             1 x 10^-5                      0.03
C3  = B4                             1 x 10^-6                      0.003
C4  = B5                             1 x 10^-5                      0.03
C5  = B6                             1 x 10^-5                      0.03
C6  = B12 . B13                      1 x 10^-5                      0.03
C7  = B12 . B14                      1 x 10^-5                      0.03
C8  = B2 . B15 . B16                 3 x 10^-2                      94.0
C9  = B7 . B8 . B9                   1 x 10^-3                      3.0
C10 = B7 . B8 . B10                  1 x 10^-3                      3.0
C11 = B7 . B8 . B11                  1 x 10^-5                      0.03
C12 = B21 . B22 . B13                1 x 10^-8                      3.0 x 10^-5
C13 = B21 . B23 . B13                1 x 10^-8                      3.0 x 10^-5
C14 = B21 . B24 . B13                1 x 10^-8                      3.0 x 10^-5
C15 = B21 . B25 . B13                1 x 10^-8                      3.0 x 10^-5
C16 = B21 . B22 . B14                1 x 10^-8                      3.0 x 10^-5
C17 = B21 . B23 . B14                1 x 10^-8                      3.0 x 10^-5
C18 = B21 . B24 . B14                1 x 10^-8                      3.0 x 10^-5
C19 = B21 . B25 . B14                1 x 10^-8                      3.0 x 10^-5
C20 = B2 . B17 . B18 . B19 . B20     3 x 10^-5                      0.09
Total                                                               100

Top event frequency = Σ C_i = 3 x 10^-2 per year
^a Cut set importance = [(cut set frequency)/(top event frequency)] x 100.
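The Step 5 arithmetic, and the repeated-event bias warned about in Section D.1 and Section D.4, are shown in the following Python example. It is added here for illustration and is not part of the CCPS text or of any fault tree code. The cut sets are those of Table D.4 and the basic event data those of Table D.5; the top event frequency is the rare-event sum and the importance is the Table D.6 ratio. The Figure D.1 comparison goes beyond the page, which does not quantify that tree: the four basic event probabilities used for it are assumed values, chosen only to make the double counting of BE1 and BE4 visible. All function names are the example's own.

```python
"""Quantifying the Sample Problem 2 minimal cut sets (added example).

Computes the Table D.6 figures from the Table D.4 cut sets and the Table D.5
data: cut set frequency as the product of the basic event values, top event
frequency as the rare-event sum F_T = sum(F_i), and cut set importance
100 * F_i / F_T. It also shows, on the Figure D.1 tree, the bias that gate-by-gate
arithmetic introduces when a basic event is repeated; the probabilities used
for that comparison are assumed values (the page gives none for Figure D.1).
"""

# Table D.5. Frequencies are per year; everything else is a probability.
FREQ = {"B1": 1e-4, "B2": 300, "B3": 1e-5, "B4": 1e-6, "B5": 1e-5, "B6": 1e-5,
        "B7": 10, "B12": 1e-2, "B21": 1e-2}
PROB = {"B8": 1e-2, "B9": 1e-2, "B10": 1e-2, "B11": 1e-4, "B13": 1e-3,
        "B14": 1e-3, "B15": 1e-2, "B16": 1e-2, "B17": 1e-3, "B18": 1e-2,
        "B19": 1e-1, "B20": 1e-1, "B22": 1e-3, "B23": 1e-3, "B24": 1e-3,
        "B25": 1e-3}

# Table D.4, in its qualitative (size-ranked) order C1..C20.
CUT_SETS = {
    "C1": ["B1"], "C2": ["B3"], "C3": ["B4"], "C4": ["B5"], "C5": ["B6"],
    "C6": ["B12", "B13"], "C7": ["B12", "B14"],
    "C8": ["B2", "B15", "B16"], "C9": ["B7", "B8", "B9"],
    "C10": ["B7", "B8", "B10"], "C11": ["B7", "B8", "B11"],
    "C12": ["B21", "B22", "B13"], "C13": ["B21", "B23", "B13"],
    "C14": ["B21", "B24", "B13"], "C15": ["B21", "B25", "B13"],
    "C16": ["B21", "B22", "B14"], "C17": ["B21", "B23", "B14"],
    "C18": ["B21", "B24", "B14"], "C19": ["B21", "B25", "B14"],
    "C20": ["B2", "B17", "B18", "B19", "B20"],
}


def cut_set_frequency(events, freq, prob):
    """F_i = product of the basic event values, assuming independence.

    A valid frequency needs exactly one frequency-type event in the cut set;
    two frequencies multiplied together are not a rate, so that is rejected.
    """
    n_freq = sum(1 for e in events if e in freq)
    if n_freq != 1:
        raise ValueError(f"{events}: {n_freq} frequency events, expected 1")
    value = 1.0
    for e in events:
        value *= freq[e] if e in freq else prob[e]
    return value


def quantify(cut_sets, freq, prob):
    """Top event frequency F_T = sum(F_i) (rare-event approximation), importance
    100 * F_i / F_T in percent, and the cut sets ranked by frequency."""
    freqs = {c: cut_set_frequency(ev, freq, prob) for c, ev in cut_sets.items()}
    top = sum(freqs.values())
    importance = {c: 100.0 * f / top for c, f in freqs.items()}
    ranked = sorted(freqs, key=freqs.get, reverse=True)
    return top, freqs, importance, ranked


def figure_d1_gate_by_gate(p):
    """Gate-by-gate evaluation of Figure D.1 treating every gate input as
    independent. BE1 feeds both IE1 and IE2 and BE4 feeds both IE3 and IE4,
    so both are double counted: the repeated-event bias of Section D.1."""
    ie4 = p["BE4"] * p["BE2"]
    ie3 = p["BE3"] * p["BE4"] * ie4
    ie2 = 1 - (1 - p["BE1"]) * (1 - ie3)
    ie1 = p["BE1"] * p["BE2"]
    return 1 - (1 - ie1) * (1 - ie2)


def figure_d1_exact(p):
    """Exact result from the minimal cut sets of Table D.2,
    T = BE1 + BE2 . BE3 . BE4, by inclusion-exclusion."""
    c1 = p["BE1"]
    c2 = p["BE2"] * p["BE3"] * p["BE4"]
    return c1 + c2 - c1 * c2


if __name__ == "__main__":
    top, freqs, imp, ranked = quantify(CUT_SETS, FREQ, PROB)
    print(f"Top event frequency = {top:.1e}/yr")
    for c in ranked[:5]:
        qual_rank = list(CUT_SETS).index(c) + 1
        print(f"  {c:>3}: {freqs[c]:.1e}/yr  importance {imp[c]:.2f}%  "
              f"(qualitative rank {qual_rank})")
    p = {"BE1": 0.1, "BE2": 0.1, "BE3": 0.1, "BE4": 0.1}  # assumed for illustration
    print(f"Figure D.1: gate-by-gate {figure_d1_gate_by_gate(p):.4f} "
          f"vs minimal cut set {figure_d1_exact(p):.4f}")
```

Running it reproduces the Table D.6 ranking: C8 (qualitative rank 8) carries about 94% of a top event frequency of 3 x 10^-2/yr, with C9 and C10 next. With the assumed probabilities of 0.1 for the Figure D.1 events, the gate-by-gate arithmetic gives 0.1091 against the exact 0.1009, an overestimate of about 8% caused entirely by treating the repeated events as independent; the direction and size of the bias depend on where the repeated events sit, which is why Section D.1 calls it positive or negative. The check in `cut_set_frequency` is the one a reviewer should apply to any cut set list before quantifying it.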
Most fault tree computer codes can determine reliability measures such as unavailability and unreliability as well as the failure rate (frequency) of the top event. A manual calculation approach described by Fussell (1975) can be used for small fault trees (up to about 50 basic events). However, for larger fault trees, computer methods are required because of the large number of Boolean manipulations and calculations involved in quantification. More detailed approaches to fault tree quantification are reviewed in Appendix E.

D.6. References

AIChE/CCPS (1992). Guidelines for Hazard Evaluation Procedures, 2nd Edition with Worked Examples. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

Doelp, L. C., Lee, G. K., Linney, R. E., and Ormsby, R. W. (1984). Quantitative Fault Tree Analysis: Gate-by-Gate Method. Plant/Operations Progress 4(3), 227-238.

Fussell, J. B. (1975). How to Hand Calculate System Reliability and Safety Characteristics. IEEE Transactions on Reliability R-24(3), 169-174.

Henley, E. J. and Kumamoto, H. (1981). Reliability Engineering and Risk Assessment. Prentice-Hall, Englewood Cliffs, NJ. (ISBN 0-13-772251-6).

Ozog, H. (1985). Hazard Identification, Analysis and Control. Chemical Engineering, February 18, 161-170.

Roberts, N. H., Vesely, W. E., Haasl, D. F., and Goldberg, F. F. (1981). Fault Tree Handbook. NUREG-0492. U.S. Nuclear Regulatory Commission, Washington, DC.