A Simple Method To Derive Minimal Cut Sets For A Non-Coherent Fault Tree
Department of Aeronautics and Astronautics, Kyoto University, Yoshida-Honmachi, Sakyo-ku, Kyoto 606-8501, Japan
Abstract: Minimal cut sets (or prime implicants: minimal combinations of basic event conditions leading to system failure) are important information for reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, including negative basic events or multi-valued basic events, a special procedure such as the consensus rule must be applied to the results obtained by logical operations for coherent fault trees, which will require more steps and time. This paper proposes a simple method for a non-coherent fault tree, whose top event is represented as an AND combination of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for each basic event. It is proven that minimal cut sets can be obtained by a conventional method for coherent fault trees. An illustrative example of a simple event tree analysis shows the detail and characteristics of the proposed method.
Keywords: Non-coherent fault trees, monotonic sub-trees, minimal cut sets.
1 Introduction
Minimal cut sets [1] (or prime implicants: minimal combinations of basic event conditions leading to system failure) are important information for system reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, including negative basic events, or multi-valued basic events, a special procedure such as the consensus rule [2,3] must be applied to the results obtained by the logical operations for coherent fault trees [4], which will require more steps and time. Especially, in event tree analysis [5] where an accident scenario is represented as an AND combination of minimal path sets (or minimal combinations of normal component conditions leading to system success) for normal subsystems and minimal cut sets for failed subsystems, its minimal cut sets must be obtained in the same way as non-coherent fault trees, which includes both negative and positive events for some basic event.
This paper proposes a simple novel method for a non-coherent fault tree, whose top event is represented as an AND combination of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for each basic event. First, it is proven that minimal cut sets for a fault tree whose top event is represented as an AND combination of monotonic sub-fault trees can be obtained using conventional methods for coherent fault
$X_1 X_2 = X_1 X_2$. (4)
The procedure is described as follows:
(O1) Using De Morgan's laws, obtain the negative of an OR combination of monotonic sub-trees, i.e. an AND combination of the negatives of monotonic fault trees.
(O2) Obtain minimal cut sets for an AND of the negatives of monotonic fault trees.
(O3) Using De Morgan's laws, obtain the negative of an OR combination of the minimal cut sets obtained in (O2), i.e. an AND combination of the negatives of minimal cut sets.
(O4) Obtain minimal cut sets for the fault tree obtained in (O3).
Using property (P0) of monotonic fault trees and the proposed method, a conventional method can obtain minimal cut sets.
Consider an OR combination of monotonic fault trees as shown in Fig. 2.
T. Kohda/A Simple Method to Derive Minimal Cut Sets for a Non-coherent Fault Tree 153
Fig. 2 OR combination of monotonic fault trees
This fault tree is a non-coherent fault tree, whose minimal cut sets cannot be obtained completely using MOCUS. Let $Y$ be a binary indicator variable for system failure; the proposed method can obtain minimal cut sets as follows:
(O1) $\bar{Y} = \overline{(X_1 X_2)} \wedge \overline{(\bar{X}_1 X_3)}$ (5)
(O2) $\bar{Y} = (\bar{X}_1 X_1) \vee (\bar{X}_2 X_1) \vee (\bar{X}_1 \bar{X}_3) \vee (\bar{X}_2 \bar{X}_3) = (\bar{X}_2 X_1) \vee (\bar{X}_1 \bar{X}_3) \vee (\bar{X}_2 \bar{X}_3)$ (6)
(O3) $Y = \overline{\bar{Y}} = \overline{(\bar{X}_2 X_1)} \wedge \overline{(\bar{X}_1 \bar{X}_3)} \wedge \overline{(\bar{X}_2 \bar{X}_3)}$ (7)
(O4) $Y = (X_2 \vee \bar{X}_1) \wedge (X_1 \vee X_3) \wedge (X_2 \vee X_3) = (X_2 \vee \bar{X}_1) \wedge ((X_1 X_2) \vee X_3) = (X_1 X_2) \vee (X_2 X_3) \vee (\bar{X}_1 X_3)$. (8)
Finally, minimal cut sets can be obtained as $\{X_1, X_2\}$, $\{X_2, X_3\}$, and $\{\bar{X}_1, X_3\}$.
Therefore, minimal cut sets for an OR of monotonic sub-trees can be obtained by a conventional method using a transformation into an AND of monotonic sub-trees. Using the proposed methods for AND and OR combinations repeatedly, minimal cut sets can be obtained for a general fault tree represented as a logical combination of monotonic sub-trees. For example, consider the fault tree in Fig. 3, whose top event is represented as an AND of a non-coherent fault tree $\{X_1 \text{ OR } \{\bar{X}_1 \text{ AND } X_2\}\}$ and basic event $X_3$.
The proposed method for an AND cannot be applied directly, but the proposed method for an OR combination can be applied to the non-coherent sub-tree and obtain the minimal cut sets $\{X_1\}$ and $\{X_2\}$ using the following calculation:
$\overline{(X_1 \vee (\bar{X}_1 X_2))} = (\bar{X}_1 (X_1 \vee \bar{X}_2)) = (\bar{X}_1 \bar{X}_2) = \overline{X_1 \vee X_2}$. (9)
From this, the minimal cut sets for Fig. 3 can be obtained as $\{X_1, X_3\}$ and $\{X_2, X_3\}$.
Fig. 3 A simple non-coherent fault tree
2.4 Event sequences in event trees
Consider an event sequence represented by an event tree, as shown in Fig. 4, where each intermediate event (or subsystem failure) is usually represented using a fault tree.
Fig. 4 Event tree for a swimming pool reactor
Let $Y_i$ denote a binary indicator variable for intermediate event $i$ as follows:
$Y_i = \Big(\bigwedge_{j \in E_i(1)} Y_j\Big) \wedge \Big(\bigwedge_{j \in E_i(0)} \bar{Y}_j\Big)$. (11)
Conventionally, intermediate events in an event tree are represented by fault trees. For simplicity, assume the following conditions for a fault tree for intermediate event $i$ ($i = 1, \ldots, N$):
154 International Journal of Automation and Computing 2 (2006) 151-156
(E1) Fault tree $i$ is coherent.
(E2) Fault tree $i$ has $N_i$ path sets, each path set being represented as $P_{ij}$ ($j = 1, \ldots, N_i$), and $M_i$ minimal cut sets denoted $C_{ij}$ ($j = 1, \ldots, M_i$).
Let $X_j$ denote a binary indicator variable for basic event $j$ as follows:
$X_j =$
$Y_i = \bigvee_{j=1}^{M_i} \Big(\bigwedge_{l \in C_{ij}} X_l\Big)$ (13)
$\bar{Y}_i = \bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big)$. (14)
Substituting (13) and (14) into (11), minimal cut sets for $E_i$ can easily be obtained by a simplification procedure according to property (P2).
3 Illustrative example
Obtain minimal cut sets for an event sequence for a swimming pool reactor [7], as shown in Fig. 5.
3.1 Swimming pool reactor
In the swimming pool reactor in Fig. 5, coolant enters through inlet slide valve C1 and leaves through outlet slide valve C2. During normal operation, actuators C3 and C4 are open because compressed air can pass solenoid operated valve C9 and mechanically operated valve C10. Moreover, the signal initiate SCRAM is low, because all inputs to NAND gate C15 are high.
Fig. 5 Swimming pool reactor
In the case of a low water level, two protective systems are available. One is an isolation system which prevents the swimming pool from emptying by closing slide valves C1 and C2. The other is a trip system, which initiates a scram to prevent a dangerous temperature increase. First, two redundant devices, electrode C11 and float C13, are able to detect this condition. Electrode C11 opens the contact of relay C12 such that valve C9 is actuated and a low signal is given to NAND gate C15. Float C13 actuates valve C10 and opens the contact of float switch C14, from which a low signal is given to NAND gate C15. Consequently, the signal initiate SCRAM is high, and actuators C3 and C4 close slide valves C1 and C2 (because compressed air can escape either through valve C9 or C10). When actuators C3 and C4 close, redundant low signals from magnet switches C5, C6, C7 and C8 are given to NAND gate C15.
3.2 Event sequences in an event tree
Suppose that the water level in the swimming pool sinks. Event tree analysis for this situation is shown in Fig. 4. For simplicity, consider a dangerous situation where the isolation system works but the trip system does not work, in other words, the initiate SCRAM signal remains low. This sequence is represented as $I\,\bar{Y}_1 Y_2$. For each protective system to work, minimal path sets are given as follows (for the derivation of minimal path sets, see [7], which gives a success tree for the isolation system and a fault tree for the trip system):
For the isolation system:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$, $\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$.
For the trip system:
$\{\bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{\bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$, $\{\bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$.
Here, note that binary indicator variable $X_i$ denotes a failure of component C$i$.
To obtain minimal cut sets for the trip system, procedure (O4) can be applied. Using (14) and De Morgan's laws, $Y_2$ can be represented as:
$Y_2 = \overline{\bar{Y}_2} = \overline{\bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big)} = \bigwedge_{j=1}^{N_i} \Big(\bigvee_{l \in P_{ij}} X_l\Big)$. (15)
Substituting the minimal path sets into (15) and using the transformation and simplification methods, $Y_2$ can be obtained as:
$Y_2 = X_{15} \vee (X_{13} X_{11}) \vee (X_{13} X_{12}) \vee (X_{11} X_{14} X_{10}) \vee (X_{12} X_{14} X_{10}) \vee (X_{11} X_{14} X_4 X_3) \vee (X_{12} X_{14} X_4 X_3) \vee (X_{11} X_{14} X_4 X_5 X_6) \vee (X_{12} X_{14} X_4 X_5 X_6) \vee (X_{11} X_{14} X_3 X_7 X_8) \vee (X_{12} X_{14} X_3 X_7 X_8) \vee (X_{11} X_{14} X_5 X_6 X_7 X_8) \vee (X_{12} X_{14} X_5 X_6 X_7 X_8)$. (16)
Therefore, minimal cut sets for $I\,\bar{Y}_1 Y_2$ are obtained as:
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$
$\{X_{11}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$
$\{X_{12}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$
where minimal cut sets for $I$ are omitted in the above calculation. Obviously, the most important component is NAND gate C15, because this component has no redundancy. Similarly, minimal cut sets can be obtained for other event sequences as shown in the Appendix.
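The OR procedure (O1)-(O4) of Section 2 and the event sequence calculation of Section 3.2, implemented as an added example in Python (not the paper's own code): cut sets are frozensets of signed literals, AND is conventional expansion with $X\bar{X} = 0$ and absorption, NOT applies De Morgan's laws, and the path sets are the ones quoted above for the swimming pool reactor. The names failed, normal, AND, NOT, OR_of_monotonic and the constants are this example's own.

```python
# Added example (not the paper's code). Literal (i, True) is X_i (component C_i failed),
# (i, False) is X̄_i (C_i normal); a cut set is a frozenset of literals and a fault
# tree in sum-of-products form is a set of cut sets.
from itertools import product

def failed(*idx):   # X_i literals
    return frozenset((i, True) for i in idx)

def normal(*idx):   # X̄_i literals
    return frozenset((i, False) for i in idx)

def consistent(term):
    """A product containing both X_i and X̄_i vanishes (X X̄ = 0)."""
    return not any((i, not p) in term for (i, p) in term)

def minimize(terms):
    """Drop vanishing products and apply absorption A ∨ AB = A (property (P2))."""
    terms = {t for t in terms if consistent(t)}
    return {t for t in terms if not any(o < t for o in terms)}

def AND(*trees):
    """Minimal cut sets of an AND of sub-trees by conventional expansion."""
    result = {frozenset()}   # the empty product is the constant 1
    for tree in trees:
        result = minimize({a | b for a, b in product(result, tree)})
    return result

def NOT(tree):
    """De Morgan: the negation of a sum of products is an AND of ORs of negated
    literals; expanding that AND yields the minimal cut sets of the negation."""
    return AND(*[{frozenset([(i, not p)]) for (i, p) in term} for term in tree])

def OR_of_monotonic(*trees):
    """Steps (O1)-(O4): negate each sub-tree, AND the negations, negate the result."""
    return NOT(AND(*[NOT(t) for t in trees]))

# Fig. 2: Y = X1 X2 ∨ X̄1 X3; the consensus term {X2, X3} appears without a consensus rule.
FIG2 = OR_of_monotonic({failed(1, 2)}, {normal(1) | failed(3)})
# Swimming pool reactor (Section 3.2): minimal path sets as quoted in the paper.
ISOLATION_PATHS = {normal(1, 2, 3, 4, 10, 13), normal(1, 2, 3, 4, 9, 11, 12)}
TRIP_PATHS = {normal(11, 12, 15), normal(13, 14, 15), normal(4, 7, 10, 13, 15),
              normal(4, 8, 10, 13, 15), normal(3, 5, 10, 13, 15), normal(3, 6, 10, 13, 15)}
TRIP_CUTS = NOT(TRIP_PATHS)                       # Y2 as in (15)-(16): 13 cut sets
ISOLATION_CUTS = NOT(ISOLATION_PATHS)             # Appendix: 10 cut sets
SEQ_I_notY1_Y2 = AND(ISOLATION_PATHS, TRIP_CUTS)  # isolation works, trip fails: 4 cut sets

if __name__ == "__main__":
    for n, t in [("Fig. 2", FIG2), ("Y2", TRIP_CUTS), ("I ~Y1 Y2", SEQ_I_notY1_Y2)]:
        print(n, sorted(map(sorted, t)))
```

Running the module prints each set of cut sets as sorted lists of (component, failed) literals; the Fig. 2 result contains {X2, X3}, which plain expansion of the two sub-trees (a MOCUS-style run) would miss.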
4 Conclusions
This paper shows that conventional methods for coherent fault trees, without using a consensus rule, can obtain minimal cut sets for a non-coherent fault tree whose top event is represented as an AND of monotonic sub-trees. Using De Morgan's laws, a conventional method can obtain minimal cut sets for a more general fault tree, which can be a logical combination of monotonic sub-trees with AND and OR gates, although some transformation is necessary in intermediate steps. The proposed method for an OR of monotonic sub-trees is very similar to Nelson's algorithm [8], but we show that a normal formula is not necessary in the first step.
An event sequence in an event tree can be an AND of minimal cut sets for failed sub-systems and minimal path sets for normal sub-systems. This fault tree is a typical non-coherent one, an AND of monotonic sub-trees. Therefore, without using a consensus rule, minimal cut sets for an event sequence can be obtained using conventional logical operations.
However, this paper does not consider event sequence dependency in deriving minimal cut sets in an event tree. Consideration of event sequence dependency does not always allow the property of Boolean variables $X \bar{X} = 0$. For example, for $t_1 < t_2$, $X(t_1)\bar{X}(t_2) = 0$, but $X(t_2)\bar{X}(t_1)$ does not always vanish, because a situation can hold where a component was normal at time $t_1$ and then failed at time $t_2$. To consider dependencies between fault tree events at different time steps, such as in phased mission problems, time-related information must be introduced to represent basic events. An analysis of non-coherent fault trees with event sequence dependency is a problem to be considered in the next step.
Appendix: Minimal cut sets for event sequences
Minimal cut sets for an isolation system and event sequences $I\,\bar{Y}_1\bar{Y}_2$, $I\,Y_1\bar{Y}_2$, and $I\,Y_1 Y_2$ are obtained as follows by the proposed method.
For the isolation system:
$\{X_1\}$, $\{X_2\}$, $\{X_3\}$, $\{X_4\}$, $\{X_9, X_{10}\}$, $\{X_9, X_{13}\}$, $\{X_{11}, X_{10}\}$, $\{X_{11}, X_{13}\}$, $\{X_{12}, X_{10}\}$, $\{X_{12}, X_{13}\}$.
For event sequence $I\,\bar{Y}_1\bar{Y}_2$:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_7, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_8, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_5, \bar{X}_{15}\}$
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_6, \bar{X}_{15}\}$.
For event sequence $I\,Y_1\bar{Y}_2$:
$\{X_1, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_1, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_1, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_2, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_2, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_2, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_3, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_3, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_3, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_3, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_4, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_4, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_4, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_4, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$
$\{X_9, X_{10}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_9, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_9, X_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_{11}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$
$\{X_{12}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$.
For event sequence $I\,Y_1 Y_2$:
$\{X_1, X_{15}\}$, $\{X_2, X_{15}\}$, $\{X_3, X_{15}\}$, $\{X_4, X_{15}\}$, $\{X_{13}, X_{11}\}$
$\{X_{13}, X_{12}\}$, $\{X_9, X_{15}, X_{10}\}$, $\{X_9, X_{15}, X_{13}\}$
$\{X_{11}, X_{10}, X_{15}\}$, $\{X_{12}, X_{10}, X_{15}\}$, $\{X_{10}, X_{14}, X_{11}\}$
$\{X_{10}, X_{14}, X_{12}\}$, $\{X_4, X_3, X_{14}, X_{11}\}$
$\{X_4, X_3, X_{14}, X_{12}\}$, $\{X_4, X_5, X_6, X_{14}, X_{11}\}$
$\{X_4, X_5, X_6, X_{14}, X_{12}\}$, $\{X_3, X_7, X_8, X_{14}, X_{11}\}$
$\{X_3, X_7, X_8, X_{14}, X_{12}\}$
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{11}\}$
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{12}\}$
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{11}\}$
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{12}\}$
References
[1] W. E. Vesely, F. F. Goldberg, N. H. Roberts, D. F. Haasl. Fault Tree Handbook, United States Nuclear Regulatory Commission, NUREG-0492, 1981.
[2] W. V. Quine. The Problem of Simplifying Truth Functions. American Mathematical Monthly, vol. 59, no. 8, pp. 521-531, 1952.
[3] W. V. Quine. A Way to Simplify Truth Functions. American Mathematical Monthly, vol. 62, no. 9, pp. 627-631, 1955.
[4] R. E. Barlow, F. Proschan. Statistical Theory of Reliability and Life Testing, Probability Models, Holt, Rinehart and Winston, New York, 1975.
[5] E. J. Henley, H. Kumamoto. Probabilistic Risk Assessment, Reliability Engineering, Design, and Analysis, IEEE Press, New York, 1992.
[6] J. B. Fussell, E. B. Henry, N. H. Marshall. MOCUS: A Computer Program to Obtain Minimal Cut Sets from Fault Trees. Aerojet Nuclear Company, ANCR-1156, 1974.
[7] T. Nicolescu, R. Weber. Reliability of Systems with Various Functions. Reliability Engineering, vol. 2, no. 2, pp. 147-157, 1981.
[8] R. J. Nelson. Simplest Normal Truth Functions. Journal of Symbolic Logic, vol. 2, no. 2, pp. 105-108, 1955.
Takehisa Kohda is an Associate Professor at the Department of Aeronautics and Astronautics, Kyoto University. He received his B.Eng., M.Eng., and Dr.Eng. degrees, all in Precision Mechanics, from Kyoto University in 1978, 1980, and 1983, respectively. His research interests include systems safety and reliability, and risk analysis.