
International Journal of Automation and Computing 2 (2006) 151-156

A Simple Method to Derive Minimal Cut Sets for a Non-coherent Fault Tree

Takehisa Kohda

Department of Aeronautics and Astronautics, Kyoto University, Yoshida-Honmachi, Sakyo-ku, Kyoto 606-8501, Japan

Abstract: Minimal cut sets (or prime implicants: minimal combinations of basic event conditions leading to system failure)
are important information for reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent
fault trees, including negative basic events or multi-valued basic events, a special procedure such as the consensus rule must
be applied to the results obtained by logical operations for coherent fault trees, which will require more steps and time.
This paper proposes a simple method for a non-coherent fault tree, whose top event is represented as an AND combination
of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for
each basic event. It is proven that minimal cut sets can be obtained by a conventional method for coherent fault trees. An
illustrative example of a simple event tree analysis shows the detail and characteristics of the proposed method.
Keywords: Non-coherent fault trees, monotonic sub-trees, minimal cut sets.

1 Introduction

Minimal cut sets[1] (or prime implicants: minimal combinations of basic event conditions leading to system failure) are important information for system reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, including negative basic events or multi-valued basic events, a special procedure such as the consensus rule[2,3] must be applied to the results obtained by the logical operations for coherent fault trees[4], which will require more steps and time. Especially in event tree analysis[5], where an accident scenario is represented as an AND combination of minimal path sets (or minimal combinations of normal component conditions leading to system success) for normal subsystems and minimal cut sets for failed subsystems, its minimal cut sets must be obtained in the same way as for non-coherent fault trees, because the combination includes both negative and positive events for some basic event.

This paper proposes a simple novel method for a non-coherent fault tree whose top event is represented as an AND combination of monotonic sub-trees. A monotonic sub-tree means that it does not have both positive and negative representations for each basic event. First, it is proven that minimal cut sets for a fault tree whose top event is represented as an AND combination of monotonic sub-fault trees can be obtained using conventional methods for coherent fault trees[5]. Based on this property, a conventional Boolean logical operation can be applied to each monotonic sub-tree to obtain minimal path sets or cut sets. Then, an AND logical operation of minimal cut sets for the corresponding sub-trees gives the minimal cut sets for the entire fault tree. Thus, the use of a consensus rule is not necessary to derive minimal cut sets or prime implicants. Further, using De Morgan's laws[5], the derived approach can be applied to such a non-coherent fault tree as an OR combination of monotonic sub-trees to obtain minimal path sets, which can easily be transformed to minimal cut sets by the same procedure. Using simple non-coherent fault trees, the property of the proposed method is explained. Another illustrative example shows the applicability of the proposed method to the event tree analysis of a simple system, where exact minimal cut sets can be obtained for each scenario.

Manuscript received September 27, 2005; revised January 5, 2006.
E-mail address: kohda@kuaero.kyoto-u.ac.jp

2 AND combination of monotonic sub-trees

2.1 Monotonic fault trees

Consider monotonic fault trees defined as fault trees which meet the following conditions:
1) Logic gates are OR and AND.
2) Each basic event appears as either its affirmative or its negative, but not both.
Though condition (2) depends on the definition of basic events, in considering a combination of fault trees the same event, such as a component failure, may appear differently; a basic event may appear affirmatively in one fault tree, while appearing negatively in another.


From the definition of monotonic fault trees, the following property holds.
(P0) The negative of a monotonic fault tree is monotonic.
In considering only one fault tree, a monotonic fault tree is equivalent to a coherent fault tree. Therefore, the minimal cut sets of such a fault tree can be obtained by a conventional method for coherent fault trees, such as MOCUS[6], which utilizes the following basic properties of Boolean variables in its simplification procedure: 1) $X \wedge X = X$ (idempotent), 2) $X \vee X = X$ (idempotent), 3) $X \wedge (X \vee Y) = X$ (absorption), 4) $X \vee (X \wedge Y) = X$ (absorption), 5) $X \wedge \bar{X} = 0$ (complementation), 6) $X \vee \bar{X} = 1$ (complementation), 7) $X \wedge 0 = 0$, $X \wedge 1 = X$, and 8) $X \vee 0 = X$, $X \vee 1 = 1$.

2.2 AND combination of monotonic fault trees

Consider a fault tree whose top event is represented as an AND combination of n monotonic sub-trees. Note that each sub-tree under the top event is monotonic, but the entire fault tree is not always monotonic. For example, consider the simple non-coherent fault tree in Fig. 1, where the sub-trees below the top event are monotonic.

Fig. 1 AND combination of monotonic fault trees

This kind of fault tree has the following properties:
(P1) Minimal cut sets for each sub-tree below the top event can be obtained using a conventional method for coherent fault trees, such as MOCUS.
(P2) Minimal cut sets for the top event can be represented as an AND of minimal cut sets for the sub-trees.
According to the definition of monotonic fault trees, the derivation of minimal cut sets is equivalent to that for coherent fault trees. Therefore, property (P1) is obvious. Property (P2) can be proven as follows: for a conjunction term to be a minimal cut set for the entire fault tree, it must satisfy the establishment of each sub-tree. In other words, it must contain at least one minimal cut set for each sub-tree, because it cannot satisfy the establishment of a sub-tree without the inclusion of one of its minimal cut sets. From the requirement for minimal combination, supersets within the AND combinations must be deleted. Therefore, for this kind of fault tree, a conventional method such as MOCUS can obtain minimal cut sets without consensus rules.
Let $Y$ denote the binary indicator variable for system failure in Fig. 1. Minimal cut sets can be obtained as follows:
$$Y = (X_1 \vee X_2) \wedge (\bar{X}_1 \vee \bar{X}_3) = (X_1 \wedge \bar{X}_1) \vee (X_1 \wedge \bar{X}_3) \vee (X_2 \wedge \bar{X}_1) \vee (X_2 \wedge \bar{X}_3) = (X_1 \wedge \bar{X}_3) \vee (X_2 \wedge \bar{X}_1) \vee (X_2 \wedge \bar{X}_3). \quad (1)$$
Therefore, minimal cut sets can be obtained as $\{X_1, \bar{X}_3\}$, $\{X_2, \bar{X}_1\}$, and $\{X_2, \bar{X}_3\}$.

2.3 OR combination of monotonic fault trees

Though the applicability of an AND combination of monotonic fault trees may be limited, the proposed method can be applied to an OR combination of monotonic sub-trees using De Morgan's laws:
$$\overline{X_1 \wedge X_2} = \bar{X}_1 \vee \bar{X}_2, \quad (2)$$
$$\overline{X_1 \vee X_2} = \bar{X}_1 \wedge \bar{X}_2, \quad (3)$$
$$\overline{\bar{X}_1 \wedge \bar{X}_2} = X_1 \vee X_2. \quad (4)$$
The procedure is described as follows:
(O1) Using De Morgan's laws, obtain the negative of the OR combination of monotonic sub-trees, i.e. an AND combination of the negatives of the monotonic fault trees.
(O2) Obtain minimal cut sets for the AND of the negatives of the monotonic fault trees.
(O3) Using De Morgan's laws, obtain the negative of the OR combination of the minimal cut sets obtained in (O2), i.e. an AND combination of the negatives of the minimal cut sets.
(O4) Obtain minimal cut sets for the fault tree obtained in (O3).
Using property (P0) of monotonic fault trees and the proposed method, a conventional method can obtain minimal cut sets.
Consider an OR combination of monotonic fault trees as shown in Fig. 2.


Fig. 2 OR combination of monotonic fault trees

This fault tree is a non-coherent fault tree, whose minimal cut sets cannot be obtained completely using MOCUS. Let $Y$ be a binary indicator variable for system failure; the proposed method obtains minimal cut sets as follows:
$$\text{(O1)}\quad \bar{Y} = (\bar{X}_1 \vee \bar{X}_2) \wedge (X_1 \vee \bar{X}_3) \quad (5)$$
$$\text{(O2)}\quad \bar{Y} = (\bar{X}_1 \wedge X_1) \vee (\bar{X}_2 \wedge X_1) \vee (\bar{X}_1 \wedge \bar{X}_3) \vee (\bar{X}_2 \wedge \bar{X}_3) = (\bar{X}_2 \wedge X_1) \vee (\bar{X}_1 \wedge \bar{X}_3) \vee (\bar{X}_2 \wedge \bar{X}_3) \quad (6)$$
$$\text{(O3)}\quad Y = \overline{\bar{Y}} = (X_2 \vee \bar{X}_1) \wedge (X_1 \vee X_3) \wedge (X_2 \vee X_3) \quad (7)$$
$$\text{(O4)}\quad Y = (X_2 \vee \bar{X}_1) \wedge ((X_1 \wedge X_2) \vee X_3) = (X_1 \wedge X_2) \vee (X_2 \wedge X_3) \vee (\bar{X}_1 \wedge X_3). \quad (8)$$
Finally, minimal cut sets can be obtained as $\{X_1, X_2\}$, $\{X_2, X_3\}$, and $\{\bar{X}_1, X_3\}$.
Therefore, minimal cut sets for an OR of monotonic sub-trees can be obtained by a conventional method using a transformation into an AND of monotonic sub-trees. Using the proposed methods for AND and OR combinations repeatedly, minimal cut sets can be obtained for a general fault tree represented as a logical combination of monotonic sub-trees. For example, consider the fault tree in Fig. 3, whose top event is represented as an AND of the non-coherent fault tree $\{X_1 \text{ OR } \{\bar{X}_1 \text{ AND } X_2\}\}$ and basic event $X_3$. The proposed method for an AND cannot be applied directly, but the proposed method for an OR combination can be applied to the non-coherent sub-tree to obtain the minimal cut sets $\{X_1\}$ and $\{X_2\}$ using the following calculation:
$$\overline{\overline{X_1 \vee (\bar{X}_1 \wedge X_2)}} = \overline{\bar{X}_1 \wedge (X_1 \vee \bar{X}_2)} = \overline{\bar{X}_1 \wedge \bar{X}_2} = X_1 \vee X_2. \quad (9)$$
From this, the minimal cut sets for Fig. 3 can be obtained as $\{X_1, X_3\}$ and $\{X_2, X_3\}$.

Fig. 3 A simple non-coherent fault tree

2.4 Event sequences in event trees

Consider an event sequence represented by an event tree, as shown in Fig. 4, where each intermediate event (or subsystem failure) is usually represented using a fault tree.

Fig. 4 Event tree for a swimming pool reactor

Let $Y_i$ denote a binary indicator variable for intermediate event $i$ as follows:
$$Y_i = \begin{cases} 1, & \text{if intermediate event } i \text{ occurs} \\ 0, & \text{otherwise.} \end{cases} \quad (10)$$
An event sequence can be composed of an AND of $Y_i$ for the occurrence of intermediate events (i.e. a failure condition) and $\bar{Y}_i$ for the non-occurrence of intermediate events (i.e. a success condition), as shown in Fig. 4. For event sequence $E_i$, let $E_i(1)$ denote the set of intermediate events which occur, and let $E_i(0)$ denote the set of intermediate events which do not occur. Therefore, event sequence $E_i$ can be represented as:
$$E_i = \Big(\bigwedge_{j \in E_i(1)} Y_j\Big) \wedge \Big(\bigwedge_{j \in E_i(0)} \bar{Y}_j\Big). \quad (11)$$

Conventionally, intermediate events in an event tree are represented by fault trees. For simplicity, assume the following conditions for the fault tree for intermediate event $i$ ($i = 1, \ldots, N$):


(E1) Fault tree $i$ is coherent.
(E2) Fault tree $i$ has $N_i$ minimal path sets, denoted $P_{ij}$ ($j = 1, \ldots, N_i$), and $M_i$ minimal cut sets, denoted $C_{ij}$ ($j = 1, \ldots, M_i$).
Let $X_j$ denote a binary indicator variable for basic event $j$ as follows:
$$X_j = \begin{cases} 1, & \text{if basic event } j \text{ occurs} \\ 0, & \text{otherwise.} \end{cases} \quad (12)$$
From the definition of minimal cut sets and minimal path sets, $Y_i$ and $\bar{Y}_i$ are represented as follows in terms of $X_j$:
$$Y_i = \bigvee_{j=1}^{M_i} \Big(\bigwedge_{l \in C_{ij}} X_l\Big), \quad (13)$$
$$\bar{Y}_i = \bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big). \quad (14)$$
Substituting (13) and (14) into (11), minimal cut sets for $E_i$ can easily be obtained by a simplification procedure according to property (P2).
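As an added example (not code from the paper), the following Python implements property (P2) for an AND of monotonic sub-trees, steps (O1)-(O4) for an OR combination, and the event-sequence combination of (11), (14) and (15), using only the simplification rules of Section 2.1 (complementation and absorption, no consensus rule). It reproduces the results of Fig. 1, Fig. 2 and the sequence $I \bar{Y}_1 Y_2$ of Section 3.2 from the minimal path sets quoted there; the literal encoding and all function names are my own.

```python
from itertools import product

# A literal is (index, polarity): (1, True) is X1 and (1, False) is X1-bar.
# A monotonic sub-tree is given by its list of minimal cut sets (sets of literals).

def X(i):
    return (i, True)

def NOT(i):
    return (i, False)

def minimize(terms):
    """Simplify an OR of AND terms with the rules of Section 2.1 only:
    X AND X-bar = 0 deletes a term; absorption deletes supersets of another term."""
    kept = []
    for t in terms:
        if any((i, not p) in t for (i, p) in t):  # complementation: term vanishes
            continue
        if any(k <= t for k in kept):              # absorbed by a kept term
            continue
        kept = [k for k in kept if not t <= k]     # t absorbs larger kept terms
        kept.append(t)
    return set(kept)

def and_combine(subtrees):
    """Property (P2): minimal cut sets of an AND of monotonic sub-trees are the
    minimized unions of one minimal cut set taken from each sub-tree."""
    return minimize(frozenset().union(*combo) for combo in product(*subtrees))

def negate(cut_sets):
    """De Morgan: the negative of an OR of cut sets is an AND of clauses; each
    clause is a monotonic sub-tree whose cut sets are single negated literals."""
    return [[frozenset([(i, not p)]) for (i, p) in term] for term in cut_sets]

def or_combine(subtrees):
    """Steps (O1)-(O4): negate and AND-combine, then negate and AND-combine again."""
    not_y = and_combine([c for mcs in subtrees for c in negate(mcs)])  # (O1), (O2)
    return and_combine(negate(not_y))                                  # (O3), (O4)

def fig1():
    """Fig. 1: top event = (X1 OR X2) AND (X1-bar OR X3-bar), eq. (1)."""
    return and_combine([[{X(1)}, {X(2)}], [{NOT(1)}, {NOT(3)}]])

def fig2():
    """Fig. 2: top event = (X1 AND X2) OR (X1-bar AND X3), eqs. (5)-(8);
    the cut set {X2, X3} appears without any consensus step."""
    return or_combine([[{X(1), X(2)}], [{NOT(1), X(3)}]])

def sequence_not_y1_and_y2():
    """Section 3.2: isolation works (Y1-bar) and trip fails (Y2), built from the
    minimal path sets quoted in the paper; Y2 is derived as in eq. (15)."""
    iso_paths = [[1, 2, 3, 4, 10, 13], [1, 2, 3, 4, 9, 11, 12]]
    trip_paths = [[11, 12, 15], [13, 14, 15], [4, 7, 10, 13, 15],
                  [4, 8, 10, 13, 15], [3, 5, 10, 13, 15], [3, 6, 10, 13, 15]]
    not_y1 = [frozenset(NOT(i) for i in p) for p in iso_paths]   # eq. (14), i = 1
    not_y2 = [frozenset(NOT(i) for i in p) for p in trip_paths]  # eq. (14), i = 2
    y2 = and_combine(negate(not_y2))                             # eq. (15): 13 cut sets
    return y2, and_combine([not_y1, y2])                         # eq. (11): 4 cut sets
```

`fig2()` returns the three cut sets of (8), and `sequence_not_y1_and_y2()` returns the thirteen terms of (16) together with the four cut sets listed in Section 3.2.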

3 Illustrative example

Obtain minimal cut sets for an event sequence for a swimming pool reactor[7], as shown in Fig. 5.

3.1 Swimming pool reactor

In the swimming pool reactor in Fig. 5, coolant enters through inlet slide valve C1 and leaves through outlet slide valve C2. During normal operation, actuators C3 and C4 are open because compressed air can pass solenoid operated valve C9 and mechanically operated valve C10. Moreover, the signal "initiate SCRAM" is low, because all inputs to NAND gate C15 are high.

Fig. 5 Swimming pool reactor

In the case of a low water level, two protective systems are available. One is an isolation system which prevents the swimming pool from emptying by closing slide valves C1 and C2. The other is a trip system, which initiates a scram to prevent a dangerous temperature increase. First, two redundant devices, electrode C11 and float C13, are able to detect this condition. Electrode C11 opens the contact of relay C12 such that valve C9 is actuated and a low signal is given to NAND gate C15. Float C13 actuates valve C10 and opens the contact of float switch C14, from which a low signal is given to NAND gate C15. Consequently, the signal "initiate SCRAM" is high, and actuators C3 and C4 close slide valves C1 and C2 (because compressed air can escape either through valve C9 or C10). When actuators C3 and C4 close, redundant low signals from magnet switches C5, C6, C7 and C8 are given to NAND gate C15.

3.2 Event sequences in an event tree

Suppose that the water level in the swimming pool sinks. Event tree analysis for this situation is shown in Fig. 4. For simplicity, consider a dangerous situation where the isolation system works but the trip system does not work, in other words, the "initiate SCRAM" signal remains low. This sequence is represented as $I \bar{Y}_1 Y_2$. For each protective system to work, minimal path sets are given as follows (for the derivation of minimal path sets, see [7], which gives a success tree for the isolation system and a fault tree for the trip system):
For the isolation system:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$, $\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$.
For the trip system:
$\{\bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{\bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$, $\{\bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{\bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$.
Here, note that binary indicator variable $X_i$ denotes a failure of component $C_i$.
To obtain minimal cut sets for the trip system, procedure (O4) can be applied. Using (14) and De Morgan's laws, $Y_2$ can be represented as:
$$Y_2 = \overline{\bar{Y}_2} = \overline{\bigvee_{j=1}^{N_i} \Big(\bigwedge_{l \in P_{ij}} \bar{X}_l\Big)} = \bigwedge_{j=1}^{N_i} \Big(\bigvee_{l \in P_{ij}} X_l\Big). \quad (15)$$
Substituting the minimal path sets into (15) and using the transformation and simplification methods, $Y_2$ can be obtained as:
$$\begin{aligned} Y_2 = {} & X_{15} \vee (X_{13} \wedge X_{11}) \vee (X_{13} \wedge X_{12}) \vee (X_{11} \wedge X_{14} \wedge X_{10}) \vee (X_{12} \wedge X_{14} \wedge X_{10}) \\ & \vee (X_{11} \wedge X_{14} \wedge X_4 \wedge X_3) \vee (X_{12} \wedge X_{14} \wedge X_4 \wedge X_3) \\ & \vee (X_{11} \wedge X_{14} \wedge X_4 \wedge X_5 \wedge X_6) \vee (X_{12} \wedge X_{14} \wedge X_4 \wedge X_5 \wedge X_6) \\ & \vee (X_{11} \wedge X_{14} \wedge X_3 \wedge X_7 \wedge X_8) \vee (X_{12} \wedge X_{14} \wedge X_3 \wedge X_7 \wedge X_8) \\ & \vee (X_{11} \wedge X_{14} \wedge X_5 \wedge X_6 \wedge X_7 \wedge X_8) \vee (X_{12} \wedge X_{14} \wedge X_5 \wedge X_6 \wedge X_7 \wedge X_8). \end{aligned} \quad (16)$$
Therefore, minimal cut sets for $I \bar{Y}_1 Y_2$ are obtained as:
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
$\{X_{15}, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}\}$,
$\{X_{11}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
$\{X_{12}, X_{14}, X_5, X_6, X_7, X_8, \bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}\}$,
where minimal cut sets for $I$ are omitted in the above calculation. Obviously, the most important component is NAND gate C15, because this component has no redundancy. Similarly, minimal cut sets can be obtained for other event sequences as shown in the Appendix.

4 Conclusions

This paper shows that conventional methods for coherent fault trees, without using a consensus rule, can obtain minimal cut sets for a non-coherent fault tree whose top event is represented as an AND of monotonic sub-trees. Using De Morgan's laws, a conventional method can obtain minimal cut sets for a more general fault tree, which can be a logical combination of monotonic sub-trees with AND and OR gates, although some transformation is necessary in intermediate steps. The proposed method for an OR of monotonic sub-trees is very similar to Nelson's algorithm[8], but we show that a normal formula is not necessary in the first step.
An event sequence in an event tree can be an AND of minimal cut sets for failed sub-systems and minimal path sets for normal sub-systems. This fault tree is a typical non-coherent one, an AND of monotonic sub-trees. Therefore, without using a consensus rule, minimal cut sets for an event sequence can be obtained using conventional logical operations.
However, this paper does not consider event sequence dependency in deriving minimal cut sets in an event tree. Consideration of event sequence dependency does not always allow the property of Boolean variables $X \wedge \bar{X} = 0$. For example, for $t_1 < t_2$, $X(t_1) \wedge \bar{X}(t_2) = 0$, but $X(t_2) \wedge \bar{X}(t_1)$ does not always vanish, because a situation can hold where a component was normal at time $t_1$ and then failed at time $t_2$. To consider dependencies between fault tree events at different time steps, such as in phased mission problems, time-related information must be introduced to represent basic events. An analysis of non-coherent fault trees with event sequence dependency is a problem to be considered in the next step.

Appendix: Minimal cut sets for event sequences

Minimal cut sets for the isolation system and event sequences $I \bar{Y}_1 \bar{Y}_2$, $I Y_1 \bar{Y}_2$, and $I Y_1 Y_2$ are obtained as follows by the proposed method.
For the isolation system:
$\{X_1\}$, $\{X_2\}$, $\{X_3\}$, $\{X_4\}$, $\{X_9, X_{10}\}$, $\{X_9, X_{13}\}$, $\{X_{11}, X_{10}\}$, $\{X_{11}, X_{13}\}$, $\{X_{12}, X_{10}\}$, $\{X_{12}, X_{13}\}$.
For event sequence $I \bar{Y}_1 \bar{Y}_2$:
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_9, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_7, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_8, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_5, \bar{X}_{15}\}$,
$\{\bar{X}_1, \bar{X}_2, \bar{X}_3, \bar{X}_4, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_6, \bar{X}_{15}\}$.
For event sequence $I Y_1 \bar{Y}_2$:
$\{X_1, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_1, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_1, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_2, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_2, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_3, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_3, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_3, \bar{X}_4, \bar{X}_7, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_3, \bar{X}_4, \bar{X}_8, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_4, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_4, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_4, \bar{X}_3, \bar{X}_5, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$, $\{X_4, \bar{X}_3, \bar{X}_6, \bar{X}_{10}, \bar{X}_{13}, \bar{X}_{15}\}$,
$\{X_9, X_{10}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_9, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_9, X_{13}, \bar{X}_{11}, \bar{X}_{12}, \bar{X}_{15}\}$, $\{X_{11}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$,
$\{X_{12}, X_{10}, \bar{X}_{13}, \bar{X}_{14}, \bar{X}_{15}\}$.
For event sequence $I Y_1 Y_2$:
$\{X_1, X_{15}\}$, $\{X_2, X_{15}\}$, $\{X_3, X_{15}\}$, $\{X_4, X_{15}\}$, $\{X_{13}, X_{11}\}$,
$\{X_{13}, X_{12}\}$, $\{X_9, X_{15}, X_{10}\}$, $\{X_9, X_{15}, X_{13}\}$,
$\{X_{11}, X_{10}, X_{15}\}$, $\{X_{12}, X_{10}, X_{15}\}$, $\{X_{10}, X_{14}, X_{11}\}$,
$\{X_{10}, X_{14}, X_{12}\}$, $\{X_4, X_3, X_{14}, X_{11}\}$,
$\{X_4, X_3, X_{14}, X_{12}\}$, $\{X_4, X_5, X_6, X_{14}, X_{11}\}$,
$\{X_4, X_5, X_6, X_{14}, X_{12}\}$, $\{X_3, X_7, X_8, X_{14}, X_{11}\}$,
$\{X_3, X_7, X_8, X_{14}, X_{12}\}$,
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{11}\}$,
$\{X_5, X_6, X_7, X_8, X_1, X_{14}, X_{12}\}$,
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{11}\}$,
$\{X_5, X_6, X_7, X_8, X_2, X_{14}, X_{12}\}$.

References
[1] W. E. Vesely, F. F. Goldberg, N. H. Roberts, D. F. Haasl. Fault Tree Handbook, United States Nuclear Regulatory Commission, NUREG-0492, 1981.
[2] W. V. Quine. The Problem of Simplifying Truth Functions. American Mathematical Monthly, vol. 59, no. 8, pp. 521-531, 1952.
[3] W. V. Quine. A Way to Simplify Truth Functions. American Mathematical Monthly, vol. 62, no. 9, pp. 627-631, 1955.
[4] R. E. Barlow, F. Proschan. Statistical Theory of Reliability and Life Testing, Probability Models, Holt, Rinehart and Winston, New York, 1975.
[5] E. J. Henley, H. Kumamoto. Probabilistic Risk Assessment, Reliability Engineering, Design, and Analysis, IEEE Press, New York, 1992.
[6] J. B. Fussell, E. B. Henry, N. H. Marshall. MOCUS: A Computer Program to Obtain Minimal Cut Sets from Fault Trees. Aerojet Nuclear Company, ANCR-1156, 1974.
[7] T. Nicolescu, R. Weber. Reliability of Systems with Various Functions. Reliability Engineering, vol. 2, no. 2, pp. 147-157, 1981.
[8] R. J. Nelson. Simplest Normal Truth Functions. Journal of Symbolic Logic, vol. 2, no. 2, pp. 105-108, 1955.
Takehisa Kohda is an Associate Professor at the Department of Aeronautics and Astronautics, Kyoto University. He received his B.Eng., M.Eng., and Dr.Eng. degrees, all in Precision Mechanics, from Kyoto University in 1978, 1980, and 1983, respectively. His research interests include systems safety and reliability, and risk analysis.
