Books - Minimal Cut Sets


  • 8/12/2019 Books - Minimal Cut Sets

    1/10

    Appendix D. Minimal Cut Set Analysis

    D.1. Introduction

    All quantitative fault tree analysis methods are approximations of reality. By far the largest contributions to error and uncertainty result from qualitative aspects of fault tree analysis and arise from

    1. Lack of understanding of the system modeled, including all possible failure mechanisms (what is not included in the analysis because experience and/or judgment are deficient);

    2. Incorrect fault tree logic describing the system failures (if the logic is incorrect then quantitative evaluation by any method will be incorrect);

    3. Lack of understanding of or improper accounting for common cause failures.

    In constructing a fault tree, the analyst usually follows a gate-by-gate approach. The fault tree developed consists of many levels of basic events and subevents linked together by AND gates and OR gates. Minimal cut set analysis rearranges the fault tree so that any basic event that appears in different parts of the fault tree is not double counted in the quantitative evaluation. The result of minimal cut set analysis is a new fault tree, logically equivalent to the original, consisting of an OR gate beneath the top event, whose inputs are the minimal cut sets. Each minimal cut set is an AND gate containing a set of basic inputs necessary and sufficient to cause the top event.

    Some advantages and disadvantages of gate-by-gate and minimal cut set methods include

    1. Normal gate-by-gate methods are not as exact as minimal cut set methods. Special formulas may be required, for example, when failure rates or demand rates are very high. Simple gate-by-gate methods cannot calculate the wide range of reliability parameters generated by minimal cut set methods. More advanced gate-by-gate methods (Doelp et al., 1984) can overcome this deficiency.

    2. Events that occur in different branches of the tree are treated correctly by minimal cut set analysis. Gate-by-gate methods require special efforts in constructing a tree that does not contain repeated events. Any repeated events not removed will introduce a bias (positive or negative) in the results.


    Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, by Center for Chemical Process Safety. Copyright 2 American Institute of Chemical Engineers


    3. Gate-by-gate methods may make it easier to identify those subevents or basic events that are the major contributors to the top event. Cut set methods calculate reliability parameters for the top event only and use other parameters such as importance to identify major contributors to the top event. It is possible to separately calculate reliability parameters for subevents using minimal cut set methods if it is important to determine these parameters for subevents.

    There are trade-offs in the selection of which approach to use. Simple gate-by-gate calculations can rapidly produce results using hand calculations. Minimal cut set methods use computer programs that are well developed and eliminate effects of repeated events. As fault trees become larger in size, computerized methods become more attractive, particularly when a large number of alternatives are to be evaluated.

    D.2. Minimal Cut Set Analysis

    Minimal cut set analysis is a mathematical technique for manipulating the logic structure of a fault tree to identify all combinations of basic events that result in the occurrence of the top event. These basic event combinations, called cut sets, are then reduced to identify those minimal cut sets, which contain the minimum sets of events necessary and sufficient to cause the top event. The logic structure of the original fault tree is mathematically transformed, using the rules of Boolean algebra, into an equivalent minimal cut set fault tree. The transformed fault tree is mathematically and logically equivalent to the original fault tree, but the minimal cut set form is more amenable to quantification. The transformation process also ensures that any single event that appears repeatedly in various branches of the fault tree is properly accounted for. Minimal cut set analysis is described in many texts including Henley and Kumamoto (1981) and Roberts et al. (1981). This methodology is applicable to all fault trees, regardless of size or complexity, that satisfy the following conditions.

    • All failures are binary in nature (components are either working or failed).
    • Transition between working and failed states occurs instantaneously (no time delays).
    • All component failures are statistically independent.
    • The failure rate of each equipment item is constant.
    • The repair rate for each equipment item is constant.
    • After repair, the system will be as good as old, not as good as new (i.e., the repaired component is returned to the same state, with the same failure characteristics, that it would have had if the failure had not occurred; repair is not considered to be a renewal process).
    • The fault tree for system failure is the same as the repair tree (i.e., repair of the failed component results in the immediate return to their normal state of all higher intermediate events that failed as a result of the failed component).

    The Boolean method for determining minimal cut sets is mathematically and logically identical to the matrix method reviewed in the HEP Guidelines (AIChE/CCPS, 1992).


    D.3. Boolean Algebra

    The logical structure of a fault tree can be expressed in terms of Boolean algebraic equations. Boolean algebra is used to reduce equations composed of variables that can take on only two values. It is commonly used to describe the operations of power switching grids, computer memories, or logic diagrams. Selected basic mathematical rules of Boolean algebra are given in Table D.1. Conventionally, the symbol "+" is used to represent the logical OR operator and the symbol "." is used to represent the logical AND operator. Roberts et al. (1981) present a more comprehensive rule tabulation and discussion of Boolean algebra.

    TABLE D.1. Selected Rules of Boolean Algebra

    Relation  Rule               Expression
    1         Commutative Rule   A + B = B + A
    2         Associative Rule   A . (B . C) = (A . B) . C
                                 A + (B + C) = (A + B) + C
    3         Distributive Rule  A . (B + C) = A . B + A . C
                                 A + (B . C) = (A + B) . (A + C)
    4         Idempotent Rule    A . A = A
                                 A + A = A

    D.4. Sample Problem 1-Minimal Cut Set Determination

    The use of Boolean algebra in fault tree analysis is first illustrated by a simple example. Consider the fault tree of Figure D.1. It consists of a top event, four intermediate events, and four basic events.

    FIGURE D.1. Simple fault tree.

    The minimal cut sets for this example are determined by representing the fault tree as a Boolean equation. This equation is reduced using the laws of Boolean algebra (Table D.1). This reduction involves replacement of intermediate events with their causes. If the fault tree in Figure D.1 were quantified by the gate-by-gate method (Section 3.2.1), an incorrect answer would be obtained, because the basic events BE1 and BE2 appear in multiple branches of the tree.

    Step 1 of Table D.2 presents the Boolean representation of the top event in terms of intermediate events IE1 and IE2. In Step 2, intermediate event IE1 (an AND gate) and intermediate event IE2 (an OR gate) are replaced by their Boolean equivalents. This process of replacing intermediate events is continued in Steps 3 and 4, until the Boolean representation of the fault tree contains only basic events.

    Step 4 represents the top event in terms of basic events only. Each term is a cut set. However, the representation is not in minimal cut set form because further Boolean reduction is possible. Event BE4 appears twice in one term of the expression, and one of the terms containing BE1 can be eliminated. In Step 5 of Table D.2 the term BE3 . BE4 . BE4 . BE2 is reduced to BE3 . BE4 . BE2 using the idempotent law (Relation 4, Table D.1). In Step 6 of Table D.2 the term BE1 + BE1 . BE2 is reduced to BE1 using the law of absorption (Relation 5, Table D.1).

    In Step 7, the commutative law is used to reorder the basic events of the second term (putting them in numerical order for convenience).

    The two terms in Step 7 (BE1 and BE2 . BE3 . BE4) of Table D.2 are the minimal cut sets for the fault tree of Figure D.1. The occurrence of either of these two cut sets will cause the top event of the simple fault tree of Figure D.1. The minimal cut sets can be used to create a new fault tree that is logically and mathematically identical to the original. Figure D.2 presents the simple fault tree of Figure D.1 in the equivalent minimal cut set form.

    TABLE D.2. Reduction of Sample Fault Tree of Figure D.1 Using Boolean Algebra

    Step  Boolean expression
    2     T = (BE1 . BE2) + (BE1 + IE3)
    3     T = BE1 . BE2 + BE1 + (BE3 . BE4 . IE4)
    4     T = BE1 . BE2 + BE1 + (BE3 . BE4 . BE4 . BE2)
    5     T = BE1 + BE1 . BE2 + BE3 . BE4 . BE2
    6     T = BE1 + BE3 . BE4 . BE2
    7     T = BE1 + BE2 . BE3 . BE4

    D.5. Sample Problem 2

    For demonstration purposes the sample problem in Section 3.2.1 is recalculated using the minimal cut set method. The treatment of Steps 1, 2, and 3 (Figure 3.3) is the same as discussed in Section 3.2.1, resulting in the fault tree of Figure 3.5. Step 4 (Figure 3.3), qualitative examination of structure, and Step 5 (Figure 3.3), quantitative evaluation, are done using minimal cut set analysis.

    The same methods used in Sample Problem 1 are applied to the fault tree of Figure 3.5. The Boolean algebra analysis of the fault tree is presented in Table D.3. The 20 minimal cut sets identified in Step 6 of Table D.3 are listed in Table D.4. These are ranked in terms of the number of basic events per cut set and are assigned reference numbers (C1-C20). There are 5 single-event, 2 two-event, 12 three-event, and 1 five-event cut sets. The qualitative ranking of importance would assume that small cut sets (e.g., one and two events) are more likely to occur. However, this is not necessarily true in all cases. The HEP Guidelines (AIChE/CCPS, 1985) discuss how other factors such as human error or active and passive equipment failure can be used to further rank the cut sets. In Step 5 (Figure 3.3), Quantitative Evaluation, it is shown that some larger cut sets in this example are more likely to occur than smaller ones.
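The Boolean reduction of Sample Problems 1 and 2, as an added example that is not part of the original text: each gate is expanded top-down into cut sets, and the idempotent and absorption laws leave the minimal cut sets. The gate dictionaries are read off the substitutions in Tables D.2 and D.3 and are an assumption where the scanned tables are illegible; all function and variable names are illustrative.

```python
from collections import Counter
from itertools import product

def cut_sets(gates, node):
    """Expand a node into cut sets (frozensets of basic events)."""
    if node not in gates:                  # basic event: one single-event cut set
        return {frozenset([node])}
    kind, inputs = gates[node]
    parts = [cut_sets(gates, i) for i in inputs]
    if kind == "OR":                       # A + B: either input's cut sets suffice
        return set().union(*parts)
    # AND: merge one cut set per input; set union applies BE4 . BE4 = BE4.
    return {frozenset().union(*combo) for combo in product(*parts)}

def minimal_cut_sets(gates, top):
    """Law of absorption: drop any cut set that contains a smaller one."""
    sets = cut_sets(gates, top)
    return {s for s in sets if not any(other < s for other in sets)}

def size_profile(mcs):
    """Map number of basic events -> how many minimal cut sets have that size."""
    return dict(sorted(Counter(len(s) for s in mcs).items()))

def b(*nums):
    return [f"B{n}" for n in nums]

# Figure D.1: gate inputs as substituted in Table D.2 (assumed where illegible).
FIG_D1 = {
    "T":   ("OR",  ["IE1", "IE2"]),
    "IE1": ("AND", ["BE1", "BE2"]),
    "IE2": ("OR",  ["BE1", "IE3"]),
    "IE3": ("AND", ["BE3", "BE4", "IE4"]),
    "IE4": ("AND", ["BE4", "BE2"]),
}
# Sample Problem 2: gate inputs as substituted in Table D.3 (same assumption).
SAMPLE2 = {
    "T":   ("OR",  ["M1", "M2", "B1", "M3", "M4"]),
    "M1":  ("AND", ["B2", "M5"]),
    "M2":  ("OR",  b(3, 4, 5, 6)),
    "M3":  ("AND", ["B7", "M6", "B8"]),
    "M4":  ("AND", ["M7", "M8"]),
    "M5":  ("OR",  ["M9", "M10"]),
    "M6":  ("OR",  b(9, 10, 11)),
    "M7":  ("OR",  ["B12", "M11"]),
    "M8":  ("OR",  b(13, 14)),
    "M9":  ("AND", b(15, 16)),
    "M10": ("AND", b(17, 18, 19, 20)),
    "M11": ("AND", ["M12", "B21"]),
    "M12": ("OR",  b(22, 23, 24, 25)),
}

if __name__ == "__main__":
    print(sorted(sorted(s) for s in minimal_cut_sets(FIG_D1, "T")))
    print(size_profile(minimal_cut_sets(SAMPLE2, "T")))
```

Absorption only matters for Figure D.1, where BE1 . BE2 is swallowed by BE1; the Sample Problem 2 tree has no repeated basic event that produces a redundant cut set.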

    Another objective of qualitative examination is to identify the susceptibility of the system to common-cause failures. As discussed in Section 3.2.1, several factors can lead to common-cause failure including:

    • operator error
    • common manufacturer
    • local environmental factors
    • proximity of common equipment items
    • loss of a utility.

    FIGURE D.2. Simple fault tree transformed into minimal cut sets.


    TABLE D.3. Minimal Cut Set Determination Steps (a)

    Step  Boolean expression
    1     T = M1 + M2 + B1 + M3 + M4
    2     T = (B2 . M5) + (B3 + B4 + B5 + B6) + B1 + (B7 . M6 . B8) + (M7 . M8)
    3     T = [B2 . (M9 + M10)] + B3 + B4 + B5 + B6 + B1 + [B7 . (B9 + B10 + B11) . B8] + [(B12 + M11) . (B13 + B14)]
    4     T = B2 . (B15 . B16 + B17 . B18 . B19 . B20) + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + [B12 + (M12 . B21)] . (B13 + B14)
    5     T = B2 . B15 . B16 + B2 . B17 . B18 . B19 . B20 + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + [B12 + (B22 + B23 + B24 + B25) . B21] . (B13 + B14)
    6     T = B2 . B15 . B16 + B2 . B17 . B18 . B19 . B20 + B3 + B4 + B5 + B6 + B1 + B7 . B8 . B9 + B7 . B8 . B10 + B7 . B8 . B11 + B12 . B13 + B12 . B14 + B21 . B22 . B13 + B21 . B23 . B13 + B21 . B24 . B13 + B21 . B25 . B13 + B21 . B22 . B14 + B21 . B23 . B14 + B21 . B24 . B14 + B21 . B25 . B14

    (a) Every term of the final expansion is a minimal cut set (Table D.4). T, top event; M, intermediate event; B, basic event.

    The susceptibility to common-cause failure due to human error for one of the cut sets is illustrated as follows. Events B15, B16, B17, B18, and B21 are associated with human errors. Examining the cut sets (Table D.4), C8 contains two of the basic events associated with human error (B15, B16). Hence, this cut set is susceptible to human error. An inexperienced operator, who unloads the truck into the tank when there is insufficient volume to receive it (B15), might also not respond to the LIA-1 high level alarm (B16).

    Thus, these two events may not be truly independent because the same inexperienced operator is involved in both events. Their combined probability may be substantially higher than the 1 x lo- . 1 x lo4 assuming independence.

    STEP 5. QUANTITATIVE EVALUATION OF SAMPLE PROBLEM 2 FAULT TREE

    The approach described here is based on simple assignment of probabilities and frequencies to basic events in the minimal cut sets. A more detailed treatment is reviewed in Appendix E. Table D.5 presents the frequency and probability data for the basic events (from Figure 3.5). Table D.6 summarizes the calculated frequency of occurrence of the minimal cut sets. A calculation for Cut Set 8 in Table D.5 is provided for demonstration:

    From Table D.4: C8 = B2 . B15 . B16
    From Table D.5: B2 = 300/year, B15 = 1 x lo-, B16 = 1 x lo-
    Cut Set Frequency (Table D.6): C8 = B2 . B15 . B16
                                      = 300/yr . 1 x lo- . 1 x lo-
                                      = 3 x lO-/yr


    TABLE D.4. Minimal Cut Sets for Sample Problem 2

    Minimal cut set reference number    Basic Events
    C1                                  B1


    TABLE D.5. Basic Event Input Data for Sample Problem 2

    Columns: Basic Event; Probability; Frequency (yr^-1); Reference (a)

    B1-Tank drain breaks
    B2-Unloading tank truck
    B3-Vehicle impact
    B4-Aircraft impact
    B5-Earthquake
    B6-Tornado
    B7-Unloading tank requires nitrogen purge
    B8-Boil-off insufficient to prevent vacuum
    B9-PV-2 fails closed
    B10-PICA-1 fails, closing PV-2
    B11-Loss of nitrogen supply
    B12-PICA-1 fails, closing PV-1
    B13-Exceed capacity of RV-1
    B14-V-8 closed
    B15-Insufficient volume in tank to unload truck
    B16-Failure of, or ignoring, LIA-1
    B17-Wrong material in tank truck
    B18-Tank truck not sampled before unloading
    B19-Reagent reacts with ~ h ~ d ~ daterial
    B20-Pressure rise exceeds capacity of PV-1
    B21-Failure of, or ignoring, PICA-1
    B22-PV-1 fails closed
    B23-V-7 closed
    B24-Temperature of inlet higher than normal
    B25-High pressure in flare header

    1 x 10-21 x 10-21 x 10-21 x 10-4

    1 x 10-31 x 10-31 x 10-21 x 10-21 x 10-31 x 1 0 21 x lo-1 x lo-1 x 10-2

    1 x 1 ( P300

    1 x 10-51 x 101 x 10-51 x 10-5

    1 0

    1 x 1 0 2

    1 x 10-31 x 10-31 x 1 0 31 x 10 3

    (a) In a real analysis, this column documents data sources for future reference. In this example all data are from Ozog (1985).

    the main contributors. Cut set C8 contributes 94% of the top event frequency. The qualitative evaluation ranks this cut set eighth in a list of 20. This example is a warning of the potential danger of relying on qualitative rankings of importance. In addition, the qualitative examination did show that cut set C8 was susceptible to human error, so its frequency may be even higher than predicted qualitatively assuming independence of all basic events. Therefore, both qualitative and quantitative evaluations provide evidence of a need to consider mitigating design features or revised operating procedures.

    Most fault tree computer codes can determine reliability measures such as unavailability and unreliability as well as the failure rate (frequency) of the top event. A manual


    TABLE D.6. Frequencies of the Cut Sets and Top Event for Sample Problem 2

    Minimal cut sets    Frequency of cut set (yr^-1)    Cut set importance
    C1 = B1             1 x 10^-4                       0.3


    D.6. References

    Doelp, L. C., Lee, G. K., Linney, R. E., and Ormsby, R. W. (1984). Quantitative Fault Tree Analysis: Gate-by-Gate Method. Plant/Operations Progress 4(3), 227-238.

    Fussell, J. B. (1975). How to Hand Calculate System Reliability and Safety Characteristics. IEEE Transactions on Reliability R-24(3), 169-174.

    Henley, E. J. and Kumamoto, H. (1981). Reliability Engineering and Risk Assessment. Prentice-Hall, Englewood Cliffs, NJ. (ISBN 0-13-772251-6).

    Ozog, H. (1985). Hazard Identification, Analysis and Control. Chemical Engineering, February 18, 161-170.

    Roberts, N. H., Veseley, W. E., Haasl, D. F., and Goldberg, F. F. (1981). Fault Tree Handbook. NUREG-0492. U.S. Nuclear Regulatory Commission, Washington, DC.