A Simple Method To Derive Minimal Cut Sets For A Non-Coherent Fault Tree


International Journal of Automation and Computing 2 (2006) 151-156

A Simple Method to Derive Minimal Cut Sets for a Non-coherent Fault Tree

Takehisa Kohda

Department of Aeronautics and Astronautics, Kyoto University, Yoshida-Honmachi, Sakyo-ku, Kyoto 606-8501, Japan
Abstract: Minimal cut sets (or prime implicants: minimal combinations of basic event conditions leading to system failure) are important information for reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, including negative basic events or multi-valued basic events, a special procedure such as the consensus rule must be applied to the results obtained by logical operations for coherent fault trees, which will require more steps and time. This paper proposes a simple method for a non-coherent fault tree whose top event is represented as an AND combination of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for each basic event. It is proven that minimal cut sets can be obtained by a conventional method for coherent fault trees. An illustrative example of a simple event tree analysis shows the details and characteristics of the proposed method.

Keywords: Non-coherent fault trees, monotonic sub-trees, minimal cut sets.
1 Introduction

Minimal cut sets [1] (or prime implicants: minimal combinations of basic event conditions leading to system failure) are important information for system reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, including negative basic events or multi-valued basic events, a special procedure such as the consensus rule [2,3] must be applied to the results obtained by the logical operations for coherent fault trees [4], which will require more steps and time. Especially in event tree analysis [5], where an accident scenario is represented as an AND combination of minimal path sets (or minimal combinations of normal component conditions leading to system success) for normal subsystems and minimal cut sets for failed subsystems, its minimal cut sets must be obtained in the same way as for non-coherent fault trees, because the scenario includes both the negative and the positive of some basic event.

This paper proposes a simple novel method for a non-coherent fault tree whose top event is represented as an AND combination of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for each basic event. First, it is proven that minimal cut sets for a fault tree whose top event is represented as an AND combination of monotonic sub-fault trees can be obtained using conventional methods for coherent fault trees [5]. Based on this property, a conventional Boolean logical operation can be applied to each monotonic sub-tree to obtain minimal path sets or cut sets. Then, an AND logical operation of the minimal cut sets for the corresponding sub-trees gives the minimal cut sets for the entire fault tree. Thus, the use of a consensus rule is not necessary to derive minimal cut sets or prime implicants. Further, using De Morgan's laws [5], the derived approach can be applied to such a non-coherent fault tree as an OR combination of monotonic sub-trees to obtain minimal path sets, which can easily be transformed to minimal cut sets by the same procedure. Using simple non-coherent fault trees, the property of the proposed method is explained. Another illustrative example shows the applicability of the proposed method to the event tree analysis of a simple system, where exact minimal cut sets can be obtained for each scenario.

Manuscript received September 27, 2005; revised January 5, 2006.
E-mail address: kohda@kuaero.kyoto-u.ac.jp
2 AND combination of monotonic sub-trees

2.1 Monotonic fault trees

Consider monotonic fault trees, defined as fault trees which meet the following conditions:
1) Logic gates are OR and AND.
2) Each basic event appears as either its affirmative or its negative, but not both.
Though condition (2) depends on the definition of basic events, in considering a combination of fault trees the same event, such as a component failure, may appear differently; a basic event may appear affirmatively in one fault tree, while appearing negatively in another.
From the definition of monotonic fault trees, the following property holds.
(P0) The negative of a monotonic fault tree is monotonic.
In considering only one fault tree, a monotonic fault tree is equivalent to a coherent fault tree. Therefore, the derivation of minimal cut sets for a fault tree can be obtained by a conventional method for coherent fault trees, such as MOCUS [6], which utilizes the basic properties of Boolean variables in its simplification procedure: 1) $X \vee X = X$ (idempotent), 2) $XX = X$ (idempotent), 3) $X(X \vee Y) = X$ (absorption), 4) $X \vee (XY) = X$ (absorption), 5) $X\bar{X} = 0$ (complementation), 6) $X \vee \bar{X} = 1$ (complementation), 7) $X \cdot 0 = 0$, $X \cdot 1 = X$, and 8) $X \vee 0 = X$, $X \vee 1 = 1$.
2.2 AND combination of monotonic fault trees

Consider a fault tree whose top event is represented as an AND combination of n monotonic sub-trees. Note that each sub-tree under the top event is monotonic, but the entire fault tree is not always monotonic. For example, consider the simple non-coherent fault tree in Fig. 1, where the sub-trees below the top event are monotonic.

Fig. 1 AND combination of monotonic fault trees

This kind of fault tree has the following properties:
(P1) Minimal cut sets for each sub-tree below the top event can be obtained using a conventional method for coherent fault trees, such as MOCUS.
(P2) Minimal cut sets for the top event can be represented as an AND of minimal cut sets for the sub-trees.
According to the definition of monotonic fault trees, the derivation of minimal cut sets is equivalent to that for coherent fault trees. Therefore, property (P1) is obvious. Property (P2) can be proven as follows. For a conjunction term to be a minimal cut set for the entire fault tree, it must cause the top event of every sub-tree. In other words, it must contain at least one minimal cut set of each sub-tree, because the top event of a sub-tree cannot occur without the inclusion of one of its minimal cut sets. From the requirement of minimality, supersets within the AND combinations must be deleted. Therefore, for this kind of fault tree, a conventional method such as MOCUS can obtain minimal cut sets without consensus rules.

Let Y denote the binary indicator variable for system failure in Fig. 1. Minimal cut sets can be obtained as follows:
$$Y = (X_1 \vee X_2)(\bar{X}_1 \vee \bar{X}_3) = (X_1 \bar{X}_1) \vee (X_1 \bar{X}_3) \vee (X_2 \bar{X}_1) \vee (X_2 \bar{X}_3) = (X_1 \bar{X}_3) \vee (X_2 \bar{X}_1) \vee (X_2 \bar{X}_3). \quad (1)$$
Therefore, minimal cut sets can be obtained as $\{X_1, \bar{X}_3\}$, $\{X_2, \bar{X}_1\}$, and $\{X_2, \bar{X}_3\}$.
2.3 OR combination of monotonic fault trees

Though the applicability of an AND combination of monotonic fault trees may be limited, the proposed method can be applied to an OR combination of monotonic sub-trees using De Morgan's laws:
$$\overline{X_1 X_2} = \bar{X}_1 \vee \bar{X}_2 \quad (2)$$
$$\overline{X_1 \vee X_2} = \bar{X}_1 \bar{X}_2 \quad (3)$$
$$\overline{\bar{X}_1 \bar{X}_2} = X_1 \vee X_2. \quad (4)$$
The procedure is described as follows:
(O1) Using De Morgan's laws, obtain the negative of the OR combination of monotonic sub-trees, i.e. an AND combination of the negatives of the monotonic fault trees.
(O2) Obtain minimal cut sets for this AND of the negatives of the monotonic fault trees.
(O3) Using De Morgan's laws, obtain the negative of the OR combination of the minimal cut sets obtained in (O2), i.e. an AND combination of the negatives of the minimal cut sets.
(O4) Obtain minimal cut sets for the fault tree obtained in (O3).
Using property (P0) of monotonic fault trees and the proposed method, a conventional method can obtain the minimal cut sets.

Consider an OR combination of monotonic fault trees as shown in Fig. 2.
Fig. 2 OR combination of monotonic fault trees

This fault tree is a non-coherent fault tree whose minimal cut sets cannot be obtained completely using MOCUS. Let Y be the binary indicator variable for system failure; the proposed method obtains the minimal cut sets as follows:
(O1)
$$\bar{Y} = (\bar{X}_1 \vee \bar{X}_2)(X_1 \vee \bar{X}_3) \quad (5)$$
(O2)
$$\bar{Y} = (\bar{X}_1 X_1) \vee (\bar{X}_2 X_1) \vee (\bar{X}_1 \bar{X}_3) \vee (\bar{X}_2 \bar{X}_3) = (\bar{X}_2 X_1) \vee (\bar{X}_1 \bar{X}_3) \vee (\bar{X}_2 \bar{X}_3) \quad (6)$$
(O3)
$$Y = \overline{\bar{Y}} = (X_2 \vee \bar{X}_1)(X_1 \vee X_3)(X_2 \vee X_3) \quad (7)$$
(O4)
$$Y = (X_2 \vee \bar{X}_1)(X_1 \vee X_3)(X_2 \vee X_3) = (X_2 \vee \bar{X}_1)((X_1 X_2) \vee X_3) = (X_1 X_2) \vee (X_2 X_3) \vee (\bar{X}_1 X_3). \quad (8)$$
Finally, minimal cut sets can be obtained as $\{X_1, X_2\}$, $\{X_2, X_3\}$, and $\{\bar{X}_1, X_3\}$.
Therefore, minimal cut sets for an OR of monotonic sub-trees can be obtained by a conventional method using a transformation into an AND of monotonic sub-trees. Using the proposed methods for AND and OR combinations repeatedly, minimal cut sets can be obtained for a general fault tree represented as a logical combination of monotonic sub-trees. For example, consider the fault tree in Fig. 3, whose top event is represented as an AND of the non-coherent fault tree $\{X_1$ OR $\{\bar{X}_1$ AND $X_2\}\}$ and basic event $X_3$. The proposed method for an AND cannot be applied directly, but the proposed method for an OR combination can be applied to the non-coherent sub-tree to obtain its minimal cut sets $\{X_1\}$ and $\{X_2\}$ using the following calculation:
$$X_1 \vee (\bar{X}_1 X_2) = \overline{\bar{X}_1 (X_1 \vee \bar{X}_2)} = \overline{\bar{X}_1 \bar{X}_2} = X_1 \vee X_2. \quad (9)$$
From this, the minimal cut sets for Fig. 3 can be obtained as $\{X_1, X_3\}$ and $\{X_2, X_3\}$.

Fig. 3 A simple non-coherent fault tree
2.4 Event sequences in event trees

Consider an event sequence represented by an event tree, as shown in Fig. 4, where each intermediate event (or subsystem failure) is usually represented using a fault tree.

Fig. 4 Event tree for a swimming pool reactor

Let $Y_i$ denote a binary indicator variable for intermediate event i as follows:
$$Y_i = \begin{cases} 1, & \text{if intermediate event } i \text{ occurs} \\ 0, & \text{otherwise.} \end{cases} \quad (10)$$
An event sequence can be composed of an AND of $Y_i$ for the occurrence of intermediate events (i.e. a failure condition) and $\bar{Y}_i$ for the non-occurrence of intermediate events (i.e. a success condition), as shown in Fig. 4. For event sequence $E_i$, let $E_i(1)$ denote the set of intermediate events which occur, and let $E_i(0)$ denote the set of intermediate events which do not occur. Therefore, event sequence $E_i$ can be represented as:
$$E_i = \Big(\bigwedge_{j \in E_i(1)} Y_j\Big)\Big(\bigwedge_{j \in E_i(0)} \bar{Y}_j\Big). \quad (11)$$
Conventionally, intermediate events in an event tree are represented by fault trees. For simplicity, assume the following conditions for the fault tree for intermediate event i (i = 1, ..., N):
(E1) Fault tree i is coherent.
(E2) Fault tree i has $N_i$ path sets, each represented as $P_{ij}$ ($j = 1, \ldots, N_i$), and $M_i$ minimal cut sets, denoted $C_{ij}$ ($j = 1, \ldots, M_i$).
Let $X_j$ denote a binary indicator variable for basic event j as follows:
$$X_j = \begin{cases} 1, & \text{if basic event } j \text{ occurs} \\ 0, & \text{otherwise.} \end{cases} \quad (12)$$
From the definition of minimal cut sets and minimal path sets, $Y_i$ and $\bar{Y}_i$ are represented as follows in terms of $X_j$:
$$Y_i = \bigvee_{j=1}^{M_i} \Big(\bigwedge_{l \in C_{ij}} X_l\Big) \quad (13)$$
$$\bar{Y}_i = \bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big). \quad (14)$$
Substituting (13) and (14) into (11), minimal cut sets for $E_i$ can easily be obtained by a simplification procedure according to property (P2).
3 Illustrative example

Obtain minimal cut sets for an event sequence for a swimming pool reactor [7], as shown in Fig. 5.

3.1 Swimming pool reactor

In the swimming pool reactor in Fig. 5, coolant enters through inlet slide valve C1 and leaves through outlet slide valve C2. During normal operation, actuators C3 and C4 are open because compressed air can pass solenoid operated valve C9 and mechanically operated valve C10. Moreover, the signal "initiate SCRAM" is low, because all inputs to NAND gate C15 are high.

Fig. 5 Swimming pool reactor

In the case of a low water level, two protective systems are available. One is an isolation system, which prevents the swimming pool from emptying by closing slide valves C1 and C2. The other is a trip system, which initiates a scram to prevent a dangerous temperature increase. First, two redundant devices, electrode C11 and float C13, are able to detect this condition. Electrode C11 opens the contact of relay C12 such that valve C9 is actuated and a low signal is given to NAND gate C15. Float C13 actuates valve C10 and opens the contact of float switch C14, from which a low signal is given to NAND gate C15. Consequently, the signal "initiate SCRAM" is high, and actuators C3 and C4 close slide valves C1 and C2 (because compressed air can escape either through valve C9 or C10). When actuators C3 and C4 close, redundant low signals from magnet switches C5, C6, C7 and C8 are given to NAND gate C15.
3.2 Event sequences in an event tree

Suppose that the water level in the swimming pool sinks. Event tree analysis for this situation is shown in Fig. 4. For simplicity, consider a dangerous situation where the isolation system works but the trip system does not work; in other words, the "initiate SCRAM" signal remains low. This sequence is represented as $I \bar{Y}_1 Y_2$. For each protective system to work, the minimal path sets are given as follows (for the derivation of the minimal path sets, see [7], which gives a success tree for the isolation system and a fault tree for the trip system):
For the isolation system:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$.
For the trip system:
$\{\bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{\bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{\bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{\bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$.
Here, note that binary indicator variable $X_i$ denotes a failure of component $C_i$.
To obtain minimal cut sets for the trip system, procedure (O4) can be applied. Using (14) and De Morgan's laws, $Y_2$ can be represented as:
$$Y_2 = \overline{\bar{Y}_2} = \overline{\bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big)} = \bigwedge_{j=1}^{N_i} \Big(\bigvee_{l \in P_{ij}} X_l\Big). \quad (15)$$
Substituting the minimal path sets into (15) and using the transformation and simplification methods, $Y_2$ can be obtained as:
$$\begin{aligned} Y_2 = {} & X_{15} \vee (X_{13} X_{11}) \vee (X_{13} X_{12}) \vee (X_{11} X_{14} X_{10}) \vee (X_{12} X_{14} X_{10}) \\ & \vee (X_{11} X_{14} X_4 X_3) \vee (X_{12} X_{14} X_4 X_3) \\ & \vee (X_{11} X_{14} X_4 X_5 X_6) \vee (X_{12} X_{14} X_4 X_5 X_6) \\ & \vee (X_{11} X_{14} X_3 X_7 X_8) \vee (X_{12} X_{14} X_3 X_7 X_8) \\ & \vee (X_{11} X_{14} X_5 X_6 X_7 X_8) \vee (X_{12} X_{14} X_5 X_6 X_7 X_8). \end{aligned} \quad (16)$$
Therefore, minimal cut sets for $I \bar{Y}_1 Y_2$ are obtained as:
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$,
$\{X_{11}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
$\{X_{12}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
where the minimal cut sets for I are omitted in the above calculation. Obviously, the most important component is NAND gate C15, because this component has no redundancy. Similarly, minimal cut sets can be obtained for the other event sequences, as shown in the Appendix.
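The following Python, added here and not part of the paper, implements properties (P1)/(P2) and steps (O1)-(O4) and runs them on the paper's own cases (Figs. 1-3 and the sequence $I \bar{Y}_1 Y_2$ of Section 3); the literal notation and the helper names (lit, tree, minimize, and_combine, negate, or_combine) are assumptions of this example.

```python
# Added example (not the paper's code): minimal cut sets for AND/OR combinations of
# monotonic sub-trees via properties (P1)/(P2) and steps (O1)-(O4), with no consensus rule.
# Constructed notation: a literal is (event, polarity), so (1, True) is X_1 and
# (1, False) is ~X_1; a term (cut set) is a frozenset of literals; a sub-tree is a
# frozenset of terms, i.e. the OR of its minimal cut sets.

def lit(s):
    """Parse 'X1' into (1, True) and '~X3' into (3, False)."""
    s = s.strip()
    return (int(s.lstrip("~X")), not s.startswith("~"))

def tree(*terms):
    """Build a sub-tree from strings such as 'X1 ~X3', one cut set per string."""
    return frozenset(frozenset(lit(x) for x in t.split()) for t in terms)

def minimize(terms):
    """Simplify with X ~X = 0 (drop contradictory terms) and X v XY = X (drop supersets)."""
    ok = [t for t in terms if not any((e, not p) in t for (e, p) in t)]
    return frozenset(t for t in ok if not any(u < t for u in ok))

def and_combine(*trees):
    """(P2): cut sets of an AND of sub-trees are the products of their cut sets, minimized."""
    result = frozenset([frozenset()])
    for t in trees:
        result = minimize({a | b for a in result for b in t})
    return result

def negate(t):
    """De Morgan: the negative of an OR of terms is an AND of clauses of negated literals.
    Each clause is a monotonic OR of single literals, so (P2) expands the AND directly."""
    clauses = [frozenset(frozenset([(e, not p)]) for (e, p) in term) for term in t]
    return and_combine(*clauses)

def or_combine(*trees):
    """(O1)-(O4): negate each sub-tree, AND the negatives, negate the result."""
    return negate(and_combine(*[negate(t) for t in trees]))

def show(cutsets):
    """Render cut sets in the paper's notation, sorted for stable output."""
    fmt = lambda t: "{" + ", ".join(("" if p else "~") + f"X{e}" for e, p in sorted(t)) + "}"
    return sorted(fmt(t) for t in cutsets)

# Fig. 1: (X1 v X2) AND (~X1 v ~X3); the product X1 ~X1 vanishes in minimization.
FIG1 = and_combine(tree("X1", "X2"), tree("~X1", "~X3"))
# Fig. 2: (X1 X2) OR (~X1 X3); prime implicant X2 X3 appears without a consensus step.
FIG2 = or_combine(tree("X1 X2"), tree("~X1 X3"))
# Fig. 3: (X1 OR (~X1 X2)) AND X3, mixing both procedures as in eq. (9).
FIG3 = and_combine(or_combine(tree("X1"), tree("~X1 X2")), tree("X3"))

# Section 3, swimming pool reactor: ~Y_i is the OR of the minimal path sets quoted in
# the paper (all components normal), so Y_2 = negate(~Y_2) as in eq. (15).
NOT_Y1 = tree("~X1 ~X2 ~X3 ~X4 ~X10 ~X13", "~X1 ~X2 ~X3 ~X4 ~X9 ~X11 ~X12")
NOT_Y2 = tree("~X11 ~X12 ~X15", "~X13 ~X14 ~X15",
              "~X4 ~X7 ~X10 ~X13 ~X15", "~X4 ~X8 ~X10 ~X13 ~X15",
              "~X3 ~X5 ~X10 ~X13 ~X15", "~X3 ~X6 ~X10 ~X13 ~X15")
Y2 = negate(NOT_Y2)            # eq. (16): 13 cut sets, {X15} among them (no redundancy)
SEQ = and_combine(NOT_Y1, Y2)  # sequence I ~Y1 Y2 (initiating event I omitted, as in the paper)

if __name__ == "__main__":
    for name, cs in [("Fig. 1", FIG1), ("Fig. 2", FIG2), ("Fig. 3", FIG3),
                     ("Y2", Y2), ("I ~Y1 Y2", SEQ)]:
        print(name, show(cs))
```

Swapping or_combine for a plain union of the two sub-trees in the Fig. 2 case drops the consensus term X2 X3, which is exactly the result MOCUS alone would give.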
4 Conclusions

This paper shows that conventional methods for coherent fault trees, without using a consensus rule, can obtain minimal cut sets for a non-coherent fault tree whose top event is represented as an AND of monotonic sub-trees. Using De Morgan's laws, a conventional method can obtain minimal cut sets for a more general fault tree, which can be a logical combination of monotonic sub-trees with AND and OR gates, although some transformation is necessary in intermediate steps. The proposed method for an OR of monotonic sub-trees is very similar to Nelson's algorithm [8], but we show that a normal formula is not necessary in the first step.

An event sequence in an event tree can be an AND of minimal cut sets for failed sub-systems and minimal path sets for normal sub-systems. This fault tree is a typical non-coherent one, an AND of monotonic sub-trees. Therefore, without using a consensus rule, minimal cut sets for an event sequence can be obtained using conventional logical operations.

However, this paper does not consider event sequence dependency in deriving minimal cut sets in an event tree. Consideration of event sequence dependency does not always allow the property of Boolean variables $X\bar{X} = 0$. For example, for $t_1 < t_2$, $X(t_1)\bar{X}(t_2) = 0$, but $X(t_2)\bar{X}(t_1)$ does not always vanish, because a situation can hold where a component was normal at time $t_1$ and then failed at time $t_2$. To consider dependencies between fault tree events at different time steps, such as in phased mission problems, time-related information must be introduced to represent basic events. An analysis of non-coherent fault trees with event sequence dependency is a problem to be considered in the next step.
Appendix: Minimal cut sets for event sequences

Minimal cut sets for the isolation system and for event sequences $I \bar{Y}_1 \bar{Y}_2$, $I Y_1 \bar{Y}_2$, and $I Y_1 Y_2$ are obtained as follows by the proposed method.
For the isolation system:
$\{X_1\}$, $\{X_2\}$, $\{X_3\}$, $\{X_4\}$, $\{X_9, X_{10}\}$, $\{X_9, X_{13}\}$, $\{X_{11}, X_{10}\}$, $\{X_{11}, X_{13}\}$, $\{X_{12}, X_{10}\}$, $\{X_{12}, X_{13}\}$.
For event sequence $I \bar{Y}_1 \bar{Y}_2$:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_7, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_8, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_5, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_6, \bar{X}_{15}\}$.
For event sequence $I Y_1 \bar{Y}_2$:
$\{X_1, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_3, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_3, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_3, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_3, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_4, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_4, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_4, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_4, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_9, X_{10}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_9, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_9, X_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_{11}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_{12}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$.
For event sequence $I Y_1 Y_2$:
$\{X_1, X_{15}\}$, $\{X_2, X_{15}\}$, $\{X_3, X_{15}\}$, $\{X_4, X_{15}\}$, $\{X_{13}, X_{11}\}$,
$\{X_{13}, X_{12}\}$, $\{X_9, X_{15}, X_{10}\}$, $\{X_9, X_{15}, X_{13}\}$,
$\{X_{11}, X_{10}, X_{15}\}$, $\{X_{12}, X_{10}, X_{15}\}$, $\{X_{10}, X_{14}, X_{11}\}$,
$\{X_{10}, X_{14}, X_{12}\}$, $\{X_4, X_3, X_{14}, X_{11}\}$,
$\{X_4, X_3, X_{14}, X_{12}\}$, $\{X_4, X_5, X_6, X_{14}, X_{11}\}$,
$\{X_4, X_5, X_6, X_{14}, X_{12}\}$, $\{X_3, X_7, X_8, X_{14}, X_{11}\}$,
$\{X_3, X_7, X_8, X_{14}, X_{12}\}$,
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{11}\}$,
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{12}\}$,
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{11}\}$,
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{12}\}$.
References

[1] W. E. Vesely, F. F. Goldberg, N. H. Roberts, D. F. Haasl. Fault Tree Handbook, United States Nuclear Regulatory Commission, NUREG-0492, 1981.
[2] W. V. Quine. The Problem of Simplifying Truth Functions. American Mathematical Monthly, vol. 59, no. 8, pp. 521-531, 1952.
[3] W. V. Quine. A Way to Simplify Truth Functions. American Mathematical Monthly, vol. 62, no. 9, pp. 627-631, 1955.
[4] R. E. Barlow, F. Proschan. Statistical Theory of Reliability and Life Testing, Probability Models, Holt, Rinehart and Winston, New York, 1975.
[5] E. J. Henley, H. Kumamoto. Probabilistic Risk Assessment, Reliability Engineering, Design, and Analysis, IEEE Press, New York, 1992.
[6] J. B. Fussell, E. B. Henry, N. H. Marshall. MOCUS: A Computer Program to Obtain Minimal Cut Sets from Fault Trees. Aerojet Nuclear Company, ANCR-1156, 1974.
[7] T. Nicolescu, R. Weber. Reliability of Systems with Various Functions. Reliability Engineering, vol. 2, no. 2, pp. 147-157, 1981.
[8] R. J. Nelson. Simplest Normal Truth Functions. Journal of Symbolic Logic, vol. 2, no. 2, pp. 105-108, 1955.
Takehisa Kohda is an Associate Professor at the Department of Aeronautics and Astronautics, Kyoto University. He received his B.Eng., M.Eng., and Dr.Eng. degrees, all in Precision Mechanics, from Kyoto University in 1978, 1980, and 1983, respectively. His research interests include systems safety and reliability, and risk analysis.
