
APPENDIX D

Minimal Cut Set Analysis


D.1. Introduction
All quantitative fault tree analysis methods are approximations of reality. By far the
largest contributions to error and uncertainty result from qualitative aspects of fault
tree analysis and arise from
1. Lack of understanding of the system modeled, including all possible failure
mechanisms (what is not included in the analysis because experience and/or
judgment are deficient);
2. Incorrect fault tree logic describing the system failures (if the logic is incorrect
then quantitative evaluation by any method will be incorrect);
3. Lack of understanding of or improper accounting for common cause failures.
In constructing a fault tree, the analyst usually follows a gate-by-gate approach. The fault tree developed consists of many levels of basic events and subevents linked together by AND gates and OR gates. Minimal cut set analysis rearranges the fault tree so that any basic event that appears in different parts of the fault tree is not "double counted" in the quantitative evaluation. The result of minimal cut set analysis is a new fault tree, logically equivalent to the original, consisting of an OR gate beneath the top event, whose inputs are the minimal cut sets. Each minimal cut set is an AND gate containing a set of basic inputs necessary and sufficient to cause the top event.
Some advantages and disadvantages of gate-by-gate and minimal cut set methods include
1. Normal gate-by-gate methods are not as exact as minimal cut set methods. Special formulas may be required, for example, when failure rates or demand rates are very high. Simple gate-by-gate methods cannot calculate the wide range of reliability parameters generated by minimal cut set methods. More advanced gate-by-gate methods (Doelp et al., 1984) can overcome this deficiency.
2. Events that occur in different branches of the tree are treated correctly by minimal cut set analysis. Gate-by-gate methods require special efforts in constructing a tree that does not contain repeated events. Any repeated events not removed will introduce a bias (positive or negative) in the results.
Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition
by Center for Chemical Process Safety
Copyright 2000 American Institute of Chemical Engineers
3. Gate-by-gate methods may make it easier to identify those subevents or basic events that are the major contributors to the top event. Cut set methods calculate reliability parameters for the top event only and use other parameters such as importance to identify major contributors to the top event. It is possible to separately calculate reliability parameters for subevents using minimal cut set methods if it is important to determine these parameters for subevents.
There are trade-offs in the selection of which approach to use. Simple gate-by-gate calculations can rapidly produce results using hand calculations. Minimal cut set methods use computer programs that are well developed and eliminate effects of repeated events. As fault trees become larger in size, computerized methods become more attractive, particularly when a large number of alternatives are to be evaluated.
D.2. Minimal Cut Set Analysis
Minimal cut set analysis is a mathematical technique for manipulating the logic structure of a fault tree to identify all combinations of basic events that result in the occurrence of the top event. These basic event combinations, called cut sets, are then reduced to identify the minimal cut sets, which contain the minimum sets of events necessary and sufficient to cause the top event. The logic structure of the original fault tree is mathematically transformed, using the rules of Boolean algebra, into an equivalent minimal cut set fault tree. The transformed fault tree is mathematically and logically equivalent to the original fault tree, but the minimal cut set form is more amenable to quantification. The transformation process also ensures that any single event that appears repeatedly in various branches of the fault tree is properly accounted for. Minimal cut set analysis is described in many texts including Henley and Kumamoto (1981) and Roberts et al. (1981). This methodology is applicable to all fault trees, regardless of size or complexity, that satisfy the following conditions.
All failures are binary in nature (components are either working or failed).
Transition between working and failed states occurs instantaneously (no time delays).
All component failures are statistically independent.
The failure rate of each equipment item is constant.
The repair rate for each equipment item is constant.
After repair, the system will be as good as old, not as good as new (i.e., the repaired component is returned to the same state, with the same failure characteristics, that it would have had if the failure had not occurred; repair is not considered to be a renewal process).
The fault tree for system failure is the same as the repair tree (i.e., repair of the failed component results in the immediate return to their normal state of all higher intermediate events that failed as a result of the failed component).
The Boolean method for determining minimal cut sets is mathematically and logically identical to the matrix method reviewed in the HEP Guidelines (AIChE/CCPS, 1992).
D.3. Boolean Algebra
The logical structure of a fault tree can be expressed in terms of Boolean algebraic equations. Boolean algebra is used to reduce equations composed of variables that can take on only two values. It is commonly used to describe the operations of power switching grids, computer memories, or logic diagrams. Selected basic mathematical rules of Boolean algebra are given in Table D.1. Conventionally, the symbol + is used to represent the logical OR operator and the symbol · is used to represent the logical AND operator. Roberts et al. (1981) present a more comprehensive rule tabulation and discussion of Boolean algebra.
D.4. Sample Problem 1 - Minimal Cut Set Determination
The use of Boolean algebra in fault tree analysis is first illustrated by a simple example. Consider the fault tree of Figure D.1. It consists of a top event, four intermediate events, and four basic events.
The minimal cut sets for this example are determined by representing the fault tree as a Boolean equation. This equation is reduced using the laws of Boolean algebra (Table D.1). This reduction involves replacement of intermediate events with their causes. If the fault tree in Figure D.1 were quantified by the gate-by-gate method (Section 3.2.1), an incorrect answer would be obtained, because the basic events BE1 and BE2 appear in multiple branches of the tree.
Step 1 of Table D.2 presents the Boolean representation of the top event in terms of intermediate events IE1 and IE2. In Step 2, intermediate event IE1 (an AND gate) and intermediate event IE2 (an OR gate) are replaced by their Boolean equivalents. This process of replacing intermediate events is continued in Steps 3 and 4, until the Boolean representation of the fault tree contains only basic events.
Step 4 represents the top event in terms of basic events only. Each term is a cut set. However, the representation is not in minimal cut set form because further Boolean reduction is possible. Event BE4 appears twice in one term of the expression, and one of the terms containing BE1 can be eliminated. In Step 5 of Table D.2 the term BE3 · BE4 · BE4 · BE2 is reduced to BE3 · BE4 · BE2 using the idempotent law (Relation 4, Table D.1). In Step 6 of Table D.2 the term BE1 + BE1 · BE2 is reduced to BE1 using the law of absorption (Relation 5, Table D.1). In Step 7, the commutative law is used to reorder the basic events of the second term (putting them in numerical order for convenience).
The two terms in Step 7 (BE1 and BE2 · BE3 · BE4) of Table D.2 are the minimal cut sets for the fault tree of Figure D.1. The occurrence of either of these two cut sets will cause the top event of the simple fault tree of Figure D.1. The minimal cut sets can be used to create a new fault tree that is logically and mathematically identical to the original. Figure D.2 presents the simple fault tree of Figure D.1 in the equivalent minimal cut set form.

TABLE D.1. Selected Rules of Boolean Algebra
1. Commutative Rule: A + B = B + A; A · B = B · A
2. Associative Rule: A · (B · C) = (A · B) · C; A + (B + C) = (A + B) + C
3. Distributive Rule: A · (B + C) = A · B + A · C; A + (B · C) = (A + B) · (A + C)
4. Idempotent Rule: A · A = A; A + A = A
5. Law of Absorption: A + (A · B) = A

[FIGURE D.1. Simple fault tree: top event T, intermediate events IE1 to IE4, basic events BE1 to BE4; the gate structure is given step by step in Table D.2.]

TABLE D.2. Reduction of Sample Fault Tree of Figure D.1 Using Boolean Algebra
Step 1: T = IE1 + IE2
Step 2: T = (BE1 · BE2) + (BE1 + IE3)
Step 3: T = BE1 · BE2 + BE1 + (BE3 · BE4 · IE4)
Step 4: T = BE1 · BE2 + BE1 + (BE3 · BE4 · BE4 · BE2)
Step 5: T = BE1 + BE1 · BE2 + BE3 · BE4 · BE2
Step 6: T = BE1 + BE3 · BE4 · BE2
Step 7: T = BE1 + BE2 · BE3 · BE4
D.5. Sample Problem 2
For demonstration purposes the sample problem in Section 3.2.1 is recalculated using the minimal cut set method. The treatment of Steps 1, 2, and 3 (Figure 3.3) is the same as discussed in Section 3.2.1, resulting in the fault tree of Figure 3.5. Step 4 (Figure 3.3), qualitative examination of structure, and Step 5 (Figure 3.3), quantitative evaluation, are done using minimal cut set analysis.
The same methods used in Sample Problem 1 are applied to the fault tree of Figure 3.5. The Boolean algebra analysis of the fault tree is presented in Table D.3. The 20 minimal cut sets identified in Step 6 of Table D.3 are listed in Table D.4. These are ranked in terms of the number of basic events per cut set and are assigned reference numbers (C1 to C20). There are 5 single-event, 2 two-event, 12 three-event, and 1 five-event cut sets. The qualitative ranking of importance would assume that small cut sets (e.g., one and two events) are more likely to occur. However, this is not necessarily true in all cases. The HEP Guidelines (AIChE/CCPS, 1985) discuss how other factors such as human error or active and passive equipment failure can be used to further rank the cut sets. In Step 5 (Figure 3.3), Quantitative Evaluation, it is shown that some larger cut sets in this example are more likely to occur than smaller ones.
Another objective of qualitative examination is to identify the susceptibility of the system to common-cause failures. As discussed in Section 3.2.1, several factors can lead to common-cause failure including:
operator error
common manufacturer
local environmental factors
proximity of common equipment items
loss of a utility.
[FIGURE D.2. Simple fault tree transformed into minimal cut sets: the top event is an OR gate whose inputs are Minimal Cut Set 1 (BE1) and Minimal Cut Set 2 (BE2 · BE3 · BE4).]
TABLE D.3. Minimal Cut Set Determination Steps (a)
Step 1: T = M1 + M2 + B1 + M3 + M4
Step 2: T = (B2 · M5) + (B3 + B4 + B5 + B6) + B1 + (B7 · M6 · B8) + (M7 · M8)
Step 3: T = [B2 · (M9 + M10)] + B3 + B4 + B5 + B6 + B1 + [B7 · (B9 + B10 + B11) · B8] + [(B12 + M11) · (B13 + B14)]
Step 4: T = B2 · (B15 · B16 + B17 · B18 · B19 · B20) + B3 + B4 + B5 + B6 + B1 + B7 · B8 · B9 + B7 · B8 · B10 + B7 · B8 · B11 + [B12 + (M12 · B21)] · (B13 + B14)
Step 5: T = B2 · B15 · B16 + B2 · B17 · B18 · B19 · B20 + B3 + B4 + B5 + B6 + B1 + B7 · B8 · B9 + B7 · B8 · B10 + B7 · B8 · B11 + [B12 + (B22 + B23 + B24 + B25) · B21] · (B13 + B14)
Step 6: T = B2 · B15 · B16 + B2 · B17 · B18 · B19 · B20 + B3 + B4 + B5 + B6 + B1 + B7 · B8 · B9 + B7 · B8 · B10 + B7 · B8 · B11 + B12 · B13 + B12 · B14 + B21 · B22 · B13 + B21 · B23 · B13 + B21 · B24 · B13 + B21 · B25 · B13 + B21 · B22 · B14 + B21 · B23 · B14 + B21 · B24 · B14 + B21 · B25 · B14
(a) Every term of the final expansion is a minimal cut set (Table D.4). T, top event; M, intermediate event; B, basic event.
The susceptibility to common-cause failure due to human error for one of the cut sets is illustrated as follows. Events B15, B16, B17, B18, and B21 are associated with human errors. Examining the cut sets (Table D.4), C8 contains two of the basic events associated with human error (B15, B16). Hence, this cut set is susceptible to human error. An inexperienced operator, who unloads the truck into the tank when there is insufficient volume to receive it (B15), might also not respond to the LIA-1 high level alarm (B16).
Thus, these two events may not be truly independent because the same inexperienced operator is involved in both events. Their combined probability may be substantially higher than the 1 x 10^-2 · 1 x 10^-2 assuming independence.
STEP 5. QUANTITATIVE EVALUATION OF SAMPLE PROBLEM 2 FAULT TREE
The approach described here is based on simple assignment of probabilities and frequencies to basic events in the minimal cut sets. A more detailed treatment is reviewed in Appendix E. Table D.5 presents the frequency and probability data for the basic events (from Figure 3.5). Table D.6 summarizes the calculated frequency of occurrence of the minimal cut sets. A calculation for Cut Set 8 in Table D.6 is provided for demonstration:
From Table D.4: C8 = B2 · B15 · B16
From Table D.5: B2 = 300/year, B15 = 1 x 10^-2, B16 = 1 x 10^-2
Cut Set Frequency (Table D.6): C8 = B2 · B15 · B16
= 300/yr · 1 x 10^-2 · 1 x 10^-2
= 3 x 10^-2/yr
TABLE D.4. Minimal Cut Sets for Sample Problem 2
Minimal cut set reference number: basic events
C1: B1
C2: B3
C3: B4
C4: B5
C5: B6
C6: B12 · B13
C7: B12 · B14
C8: B2 · B15 · B16
C9: B7 · B8 · B9
C10: B7 · B8 · B10
C11: B7 · B8 · B11
C12: B21 · B22 · B13
C13: B21 · B23 · B13
C14: B21 · B24 · B13
C15: B21 · B25 · B13
C16: B21 · B22 · B14
C17: B21 · B23 · B14
C18: B21 · B24 · B14
C19: B21 · B25 · B14
C20: B2 · B17 · B18 · B19 · B20
The frequency (probability) of the top event is calculated from the cut set frequencies (or probabilities) by

F_T = Σ_i F_i

or

P_T = Σ_i P_i

where F_T (or P_T) is the frequency (probability) of the top event; F_i (or P_i) is the frequency (probability) of minimal cut set C_i; and C_i is minimal cut set number i.
The frequency of the top event (3 x 10^-2/yr) is the same as calculated using the gate-by-gate approach (Figure 3.5). This is because no basic events appear more than once in the fault tree. The frequency of the top event is expressed to one significant figure to be consistent with the basic event frequency data.
Using the frequencies of the minimal cut sets in Table D.6, it is easy to identify the main contributors to the top event. In the example used, cut sets C8, C9, and C10 are the main contributors. Cut set C8 contributes 94% of the top event frequency. The qualitative evaluation ranks this cut set eighth in a list of 20. This example is a warning of the potential danger of relying on qualitative rankings of importance. In addition, the qualitative examination did show that cut set C8 was susceptible to human error, so its frequency may be even higher than predicted qualitatively assuming independence of all basic events. Therefore, both qualitative and quantitative evaluations provide evidence of a need to consider mitigating design features or revised operating procedures.
Most fault tree computer codes can determine reliability measures such as unavailability and unreliability as well as the failure rate (frequency) of the top event. A manual calculation approach described by Fussell (1975) can be used for small fault trees (up to about 50 basic events). However, for larger fault trees, computer methods are required because of the large number of Boolean manipulations and calculations involved in quantification. More detailed approaches to fault tree quantification are reviewed in Appendix E.

TABLE D.5. Basic Event Input Data for Sample Problem 2 (a)
Basic event: description; probability (dimensionless) or frequency (yr^-1)
B1 Tank drain breaks: frequency 1 x 10^-4
B2 Unloading tank truck: frequency 300
B3 Vehicle impact: frequency 1 x 10^-5
B4 Aircraft impact: frequency 1 x 10^-6
B5 Earthquake: frequency 1 x 10^-5
B6 Tornado: frequency 1 x 10^-5
B7 Unloading tank requires nitrogen purge: frequency 10
B8 Boil-off insufficient to prevent vacuum: probability 1 x 10^-2
B9 PV-2 fails closed: probability 1 x 10^-2
B10 PICA-1 fails, closing PV-2: probability 1 x 10^-2
B11 Loss of nitrogen supply: probability 1 x 10^-4
B12 PICA-1 fails, closing PV-1: frequency 1 x 10^-2
B13 Exceed capacity of RV-1: probability 1 x 10^-3
B14 V-8 closed: probability 1 x 10^-3
B15 Insufficient volume in tank to unload truck: probability 1 x 10^-2
B16 Failure of or ignoring LIA-1: probability 1 x 10^-2
B17 Wrong material in tank truck: probability 1 x 10^-3
B18 Tank truck not sampled before unloading: probability 1 x 10^-2
B19 Reagent reacts with [illegible] material: probability 1 x 10^-1
B20 Pressure rise exceeds capacity of PV-1: probability 1 x 10^-1
B21 Failure of or ignoring PICA-1: probability 1 x 10^-2
B22 PV-1 fails closed: probability 1 x 10^-3
B23 V-7 closed: probability 1 x 10^-3
B24 Temperature of inlet higher than normal: probability 1 x 10^-3
B25 High pressure in flare header: probability 1 x 10^-3
(a) In a real analysis, a reference column documents data sources for future reference. In this example all data are from Ozog (1985).

TABLE D.6. Frequencies of the Cut Sets and Top Event for Sample Problem 2
Minimal cut set = frequency of cut set (yr^-1); cut set importance (a)
C1 = B1 = 1 x 10^-4; 0.3
C2 = B3 = 1 x 10^-5; 0.03
C3 = B4 = 1 x 10^-6; 0.003
C4 = B5 = 1 x 10^-5; 0.03
C5 = B6 = 1 x 10^-5; 0.03
C6 = B12 · B13 = 1 x 10^-5; 0.03
C7 = B12 · B14 = 1 x 10^-5; 0.03
C8 = B2 · B15 · B16 = 3 x 10^-2; 94.0
C9 = B7 · B8 · B9 = 1 x 10^-3; 3.0
C10 = B7 · B8 · B10 = 1 x 10^-3; 3.0
C11 = B7 · B8 · B11 = 1 x 10^-5; 0.03
C12 = B21 · B22 · B13 = 1 x 10^-8; 3.0 x 10^-5
C13 = B21 · B23 · B13 = 1 x 10^-8; 3.0 x 10^-5
C14 = B21 · B24 · B13 = 1 x 10^-8; 3.0 x 10^-5
C15 = B21 · B25 · B13 = 1 x 10^-8; 3.0 x 10^-5
C16 = B21 · B22 · B14 = 1 x 10^-8; 3.0 x 10^-5
C17 = B21 · B23 · B14 = 1 x 10^-8; 3.0 x 10^-5
C18 = B21 · B24 · B14 = 1 x 10^-8; 3.0 x 10^-5
C19 = B21 · B25 · B14 = 1 x 10^-8; 3.0 x 10^-5
C20 = B2 · B17 · B18 · B19 · B20 = 1 x 10^-5; 0.03
Total; 100
Top event frequency = ΣC_i = 3 x 10^-2 per year
(a) Cut set importance = [(cut set frequency)/(top event frequency)] x 100.
D.6. References
AIChE/CCPS (1992). Guidelines for Hazard Evaluation Procedures, 2nd Edition with Worked Examples. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
Doelp, L. C., Lee, G. K., Linney, R. E., and Ormsby, R. W. (1984). Quantitative Fault Tree Analysis: Gate-by-Gate Method. Plant/Operations Progress 4(3), 227-238.
Fussell, J. B. (1975). How to Hand Calculate System Reliability and Safety Characteristics. IEEE Transactions on Reliability R-24(3), 169-174.
Henley, E. J. and Kumamoto, H. (1981). Reliability Engineering and Risk Assessment. Prentice-Hall, Englewood Cliffs, NJ. (ISBN 0-13-772251-6).
Ozog, H. (1985). Hazard Identification, Analysis and Control. Chemical Engineering, February 18, 161-170.
Roberts, N. H., Vesely, W. E., Haasl, D. F., and Goldberg, F. F. (1981). Fault Tree Handbook. NUREG-0492. U.S. Nuclear Regulatory Commission, Washington, DC.
