A Simple Method To Derive Minimal Cut Sets For A Non-Coherent Fault Tree
Abstract: Minimal cut sets (or prime implicants: minimal combinations of basic event conditions leading to system failure) are essential information for reliability/safety analysis and design. To obtain minimal cut sets for general non-coherent fault trees, which include negated basic events or multi-valued basic events, a special procedure such as the consensus rule must be applied to the results of the logical operations used for coherent fault trees, which requires more steps and time. This paper proposes a simple method for a non-coherent fault tree whose top event is represented as an AND combination of monotonic sub-trees. A sub-tree is monotonic if no basic event appears in it in both positive and negated form. It is proven that the minimal cut sets of such a tree can be obtained by a conventional method for coherent fault trees. An illustrative example of a simple event tree analysis shows the details and characteristics of the proposed method.
Keywords: Non-coherent fault trees, monotonic sub-trees, minimal cut sets.
Introduction
From the definition of monotonic fault trees, the following property holds:
(P0) The negation of a monotonic fault tree is monotonic.
In considering only one fault tree, a monotonic fault tree is equivalent to a coherent fault tree. Therefore, the minimal cut sets of such a fault tree can be derived by a conventional method for coherent fault trees, such as MOCUS [6], which uses the basic properties of Boolean variables in its simplification procedure: 1) $X \wedge X = X$ (idempotent), 2) $X \vee X = X$ (idempotent), 3) $X \wedge (X \vee Y) = X$ (absorption), 4) $X \vee (X \wedge Y) = X$ (absorption), 5) $X \wedge \bar X = 0$ (complementation), 6) $X \vee \bar X = 1$ (complementation), 7) $X \wedge 0 = 0$, $X \wedge 1 = X$, and 8) $X \vee 0 = X$, $X \vee 1 = 1$.
For a conjunction term to be a minimal cut set of the entire fault tree, it must make every sub-tree true. In other words, it must contain at least one minimal cut set of each sub-tree, because a sub-tree cannot be true unless one of its minimal cut sets is contained. Among the AND combinations of the sub-trees' minimal cut sets, a term containing both a basic event and its negation vanishes by complementation, and the minimality requirement means that supersets of other terms must be deleted. Therefore, for this kind of fault tree, a conventional method such as MOCUS can obtain the minimal cut sets without consensus rules.
Let $Y$ denote the binary indicator variable for system failure in Fig. 1, the AND of two monotonic sub-trees whose minimal cut sets are $\{X_1\}, \{X_2\}$ and $\{\bar X_1\}, \{\bar X_3\}$. Minimal cut sets can be obtained as follows:
$$Y = (X_1 \vee X_2)(\bar X_1 \vee \bar X_3) = (X_1 \bar X_1) \vee (X_1 \bar X_3) \vee (X_2 \bar X_1) \vee (X_2 \bar X_3) \qquad (1)$$
$$= (X_1 \bar X_3) \vee (X_2 \bar X_1) \vee (X_2 \bar X_3), \qquad (2)$$
where the first term of (1) vanishes by complementation and none of the remaining terms is a superset of another, so (2) lists the three minimal cut sets $\{X_1, \bar X_3\}$, $\{X_2, \bar X_1\}$ and $\{X_2, \bar X_3\}$.
The following steps, (3) and (4), survive on this page only as the fragment $\ldots = X_1 X_2$.
T. Kohda/A Simple Method to Derive Minimal Cut Sets for a Non-coherent Fault Tree
2.4
(7)
(8)
(9)
From which the minimal cut sets for Fig. 3 can be obtained as: {X1 , X3 } and {X2 , X3 }.
jEi (0)
For a monotonic sub-tree $i$ written as the disjunction of its $M_i$ minimal cut sets $C_{ij}$,
$$Y_i = \bigvee_{j=1}^{M_i} \Big( \bigwedge_{l \in C_{ij}} X_l \Big), \qquad (13)$$
its negation, which is monotonic by (P0), is likewise the disjunction of its own $N_i$ minimal cut sets $P_{ij}$; these are, by definition, the minimal path sets of sub-tree $i$:
$$\bar Y_i = \bigvee_{j=1}^{N_i} \Big( \bigwedge_{l \in P_{ij}} \bar X_l \Big). \qquad (14)$$
Applying De Morgan's laws to (14) expresses $Y_i$ as an AND of OR gates over its minimal path sets:
$$\overline{\bigvee_{j=1}^{N_i} \Big( \bigwedge_{l \in P_{ij}} \bar X_l \Big)} = \bigwedge_{j=1}^{N_i} \Big( \bigvee_{l \in P_{ij}} X_l \Big). \qquad (15)$$
Illustrative example
3.1
In the swimming pool reactor in Fig. 5, coolant enters through inlet slide valve C1 and leaves through outlet slide valve C2. During normal operation, actuators C3 and C4 are open because compressed air can pass solenoid-operated valve C9 and mechanically operated valve C10. Moreover, the signal "initiate SCRAM" is low, because all inputs to NAND gate C15 are high.
In the case of a low water level, two protective systems are available. One is an isolation system which prevents the swimming pool from emptying by closing slide valves C1 and C2. The other is a trip system, which initiates a scram to prevent a dangerous temperature increase. First, two redundant devices, electrode C11 and float C13, are able to detect this condition. Electrode C11 opens the contact of relay C12 such that valve C9 is actuated and a low signal is given to NAND gate C15. Float C13 actuates valve C10 and opens the contact of float switch C14, from which a low signal is given to NAND gate C15. Consequently, the signal "initiate SCRAM" is high, and actuators C3 and C4 close slide valves C1 and C2 (because compressed air can escape either through valve C9 or C10). When actuators C3 and C4 close, redundant low signals from magnet switches C5, C6, C7 and C8 are given to NAND gate C15.
3.2
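An added example, not code from Kohda's paper, that implements the procedure of Section 2 in Python: the minimal cut sets of an AND of monotonic sub-trees are obtained by expanding the Cartesian product of the sub-trees' minimal cut set lists, deleting terms that contain a basic event together with its negation (complementation) and deleting supersets (absorption), with no consensus step. The same routine yields minimal path sets by dualising a sub-tree's cut sets as in (13)-(15), and handles an event-sequence tree (cut sets of the failed sub-system AND path sets of the normal one, as described in the Conclusions). It also brute-forces the truth table to confirm that the simplified form is the same Boolean function as the raw expansion, which is the check a practitioner wants before trusting a cut set list. The Fig. 1 tree is encoded from equation (1); the two-sub-system event sequence is constructed for this example and is not the reactor of Fig. 5. The literal convention ("X1" failed, "~X1" normal) and all function names are the example's own.

```python
"""Minimal cut sets of an AND of monotonic sub-trees (added example, not the
paper's code).  A literal is a string: "X1" = component 1 failed,
"~X1" = component 1 normal.  A cut set is a set of literals."""
from itertools import product


def neg(lit):
    """Complement a literal: 'X1' <-> '~X1'."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def vanishes(term):
    """Complementation X * ~X = 0: a conjunction holding both is always false."""
    return any(neg(lit) in term for lit in term)


def minimise(terms):
    """Absorption X + X*Y = X (idempotence comes free from using sets):
    keep the consistent terms that contain no other term as a proper subset."""
    live = {frozenset(t) for t in terms if not vanishes(t)}
    return {t for t in live if not any(other < t for other in live)}


def and_of_subtrees(subtrees):
    """MCS of Y = Y_1 AND ... AND Y_n from the MCS lists of monotonic Y_i.
    A cut set of Y must contain a cut set of every Y_i, so the candidates are
    the unions over the Cartesian product of the lists; because each Y_i is
    monotonic, complementation plus absorption already give the minimal ones."""
    return minimise(set().union(*choice) for choice in product(*subtrees))


def minimal_path_sets(cut_sets):
    """~Y_i = AND_j ( OR_{l in C_ij} ~X_l ) by De Morgan on the sum-of-products
    form of Y_i; expanding that AND gives the minimal path sets, returned as
    conjunctions of negated literals (the cut sets of ~Y_i, eq. (14))."""
    return and_of_subtrees([[{neg(l)} for l in c] for c in cut_sets])


def evaluate(terms, state):
    """Truth value of a sum of products under state (component -> failed?)."""
    def lit_true(lit):
        return (not state[lit[1:]]) if lit.startswith("~") else state[lit]
    return any(all(lit_true(l) for l in t) for t in terms)


def same_function(terms_a, terms_b, components):
    """Brute-force check over all 2^n component states that two DNFs agree."""
    for bits in product([False, True], repeat=len(components)):
        state = dict(zip(components, bits))
        if evaluate(terms_a, state) != evaluate(terms_b, state):
            return False
    return True


# Fig. 1 read from eq. (1): Y = (X1 + X2)(~X1 + ~X3), an AND of two monotonic
# sub-trees with minimal cut sets {X1},{X2} and {~X1},{~X3}.
FIG1 = [[{"X1"}, {"X2"}], [{"~X1"}, {"~X3"}]]


def fig1_expansion():
    """The four raw product terms of eq. (1), before simplification."""
    return [set().union(*choice) for choice in product(*FIG1)]


def fig1_cut_sets():
    """The three minimal cut sets of eq. (2)."""
    return and_of_subtrees(FIG1)


# Constructed event-sequence example (assumption: not the reactor of Fig. 5).
# Two sub-systems share component X2; sequence = "I normal AND T failed".
I_CUTS = [{"X1"}, {"X2", "X3"}]
T_CUTS = [{"X4"}, {"X2", "X5"}]


def sequence_cut_sets():
    """Path sets of the normal sub-system I ANDed with cut sets of failed T.
    The product term holding both ~X2 and X2 vanishes by complementation."""
    return and_of_subtrees([minimal_path_sets(I_CUTS), T_CUTS])


if __name__ == "__main__":
    print(sorted(sorted(t) for t in fig1_cut_sets()))
    print(same_function(fig1_expansion(), fig1_cut_sets(), ["X1", "X2", "X3"]))
    print(sorted(sorted(t) for t in sequence_cut_sets()))
```

Because every factor handed to `and_of_subtrees` is monotonic, a product term can only be non-minimal by containing a complementary pair or by being a superset of another product term; that is exactly why no consensus rule is needed here, and why the routine must not be applied to factors that are themselves non-monotonic.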
$$\cdots \vee (X_{12} X_{14} X_4 X_3) \vee (X_{11} X_{14} X_4 X_5 X_6) \vee (X_{12} X_{14} X_4 X_5 X_6) \vee (X_{11} X_{14} X_3 X_7 X_8) \vee (X_{12} X_{14} X_3 X_7 X_8) \vee (X_{11} X_{14} X_5 X_6 X_7 X_8) \vee (X_{12} X_{14} X_5 X_6 X_7 X_8). \qquad (16)$$
The minimal cut sets listed are
$\{X_{15}, X_1, X_2, X_3, X_4, X_9, X_{11}, \bar X_{12}\}$,
$\{X_{11}, X_{14}, X_5, X_6, X_7, X_8, \bar X_1, \bar X_2, \bar X_3, \bar X_4, \bar X_{10}, \bar X_{13}\}$,
$\{X_{12}, X_{14}, X_5, X_6, X_7, X_8, \bar X_1, \bar X_2, \bar X_3, \bar X_4, \bar X_{10}, \bar X_{13}\}$,
where minimal cut sets for I are omitted in the above
calculation. Obviously, the most important component
is NAND gate C15, because this component has no redundancy. Similarly, minimal cut sets can be obtained
for other event sequences as shown in the Appendix.
Conclusions
This paper shows that conventional methods for coherent fault trees can obtain, without using a consensus rule, the minimal cut sets of a non-coherent fault tree whose top event is represented as an AND of monotonic sub-trees. Using De Morgan's laws, a conventional method can also obtain minimal cut sets for a more general fault tree that is a logical combination of monotonic sub-trees with AND and OR gates, although some transformation is necessary in intermediate steps. The proposed method for an OR of monotonic sub-trees is very similar to Nelson's algorithm [8], but we show that a normal form is not necessary in the first step.
An event sequence in an event tree can be an AND
of minimal cut sets for failed sub-systems and minimal path sets for normal sub-systems. This fault tree
is a typical non-coherent one, an AND of monotonic
sub-trees. Therefore, without using a consensus rule,
minimal cut sets for an event sequence can be obtained
using conventional logical operations.
However, this paper does not consider event sequence dependency in deriving minimal cut sets in an event tree. Consideration of event sequence dependency does not always allow the property of Boolean variables $X \bar X = 0$. For example, for $t_1 < t_2$, $X(t_1)\,\bar X(t_2) = 0$, but $X(t_2)\,\bar X(t_1)$ does not always vanish, because a situation can hold where a component was normal at time $t_1$ and then failed at time $t_2$. To consider dependencies between fault tree events at different time steps, such as in phased mission problems, time-related information must be introduced to
References
[1] W. E. Vesely, F. F. Goldberg, N. H. Roberts, D. F. Haasl.
Fault Tree Handbook, United States Nuclear Regulatory
Commission, NUREG-0492, 1981.
[2] W. V. Quine. The Problem of Simplifying Truth Functions.
American Mathematical Monthly, vol. 59, no. 8, pp. 521
531, 1952.
[3] W. V. Quine. A Way to Simplify Truth Functions. American Mathematical Monthly, vol. 62, no. 9, pp. 627631,
1955.
[4] R. E. Barlow, F. Proschan. Statistical Theory of Reliability and Life Testing, Probability Models, Holt, Rinehart and
Winston, New York, 1975.
[5] E. J. Henley, H. Kumamoto. Probabilistic Risk Assessment,
Reliability Engineering, Design, and Analysis, IEEE Press,
New York, 1992.
[6] J. B. Fussell, E. B. Henry, N. H. Marshall. MOCUS: A Computer Program to Obtain Minimal Cut Sets from Fault Trees.
Aerojet Nuclear Company, ANCR-1156, 1974.
[7] T. Nicolescu, R. Weber. Reliability of Systems with Various Functions. Reliability Engineering, vol. 2, no. 2, pp.
147157, 1981.
[8] R. J. Nelson. Simplest Normal Truth Functions. Journal of
Symbolic Logic, vol. 2, no. 2, pp. 105108, 1955.
Takehisa Kohda is an Associate Professor at the Department of Aeronautics and Astronautics, Kyoto University. He received his B.Eng., M.Eng., and Dr.Eng. degrees, all in Precision Mechanics, from Kyoto University in 1978, 1980, and 1983, respectively. His research interests include systems safety and reliability, and risk analysis.