
4.2 Cut Sequences

4.2.1 Introducing Cut Sequences

The essential difference between Pandora and normal fault trees is that Pandora fault trees contain temporal gates that impose a sequence on a set of events: the order in which the events occur is important in Pandora. In the cut sets of ordinary static FTs, this is not the case; the events can occur in any order and still cause the top event. To distinguish between ordinary cut sets and cut sets in which the order of events may be significant, the term cut sequence (CSQ) is used; thus a cut sequence is a cut set in which some events occur in a certain order (i.e. some events have temporal significance). Similarly, a cut sequence in which every event must occur – and occur in the given order – to cause the top event to occur is termed a minimal cut sequence or MCSQ, analogous to a minimal cut set. A cut sequence takes the form of a conjunction of basic events or temporal gates (each containing only either further temporal gates or basic events).

Note that for a normal cut set to be minimal, it must contain no redundant basic events, i.e. if the occurrence of a subset of the events is sufficient to cause system failure, then that cut set is not minimal. With cut sequences, the meaning of "minimal" is not so straightforward. A cut sequence can be minimal if it contains no redundant events and no unnecessary sequences, i.e. if the occurrence of all events in any order is sufficient to cause system failure, then the cut sequence is redundant (since the ordering is not important). Thus, as will be seen shortly, a cut sequence like X<Y.Z is redundant if X.Y.Z is also a cut sequence/cut set. However, the issue of minimality is complicated further by the issue of Completion, i.e. that some operators are subsets of others (particularly PAND and SAND being subsets of AND). Thus an expression such as X.Y + (X<Y).Z is non-minimal because X.Y includes (X<Y).Z. This type of problem – where a temporal redundancy is hidden within a conjunction (or disjunction) – is known as a Completion Problem, because the best way to detect it is to first apply the Completion Law, e.g. expand X.Y into X<Y + X&Y + Y<X. In this case, the redundancy between X<Y and (X<Y).Z then becomes immediately apparent.

The definition of minimality is further complicated by the fact that there is often more than one way of representing a cut sequence – typically thanks to the Completion Laws. For example, is "X.Y" more minimal than "X<Y + X&Y + Y<X"? The latter is perhaps more explicit and more detailed, whilst the former is more concise, but the two representations are equivalent and both are 'minimal' in the sense that they contain no redundancies or unnecessary sequences. This point will be discussed again later, but the reason for producing minimal cut sets or sequences in the first place is to allow the analyst to draw conclusions about the behaviour of the system; in most cases, the fewer cut sequences there are, the easier it is for the analyst to understand the results, so the more concise form is generally preferred over the expanded form.
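The following Python is an added worked example, not code from the thesis or from Pandora itself. It represents each cut sequence as a set of literals, applies the Completion Law to expand a conjunction of basic events, and then checks for absorption between the expanded forms; run on the two Completion Problems discussed above, it flags (X<Y).Z as redundant next to X.Y, and X<Y.Z as redundant next to X.Y.Z. It goes slightly beyond the pairwise expansion shown in the text by applying the law to every pair of basic events in a cut sequence. The data representation, the function names, and the rule that a PAND or SAND literal guarantees that both of its events have occurred (a reading of the statement that PAND and SAND are subsets of AND) are this example's own assumptions; nested temporal gates are not modelled.

```python
"""Added example (not Pandora's own code): detecting temporally redundant cut
sequences with the Completion Law X.Y = X<Y + X&Y + Y<X.

Representation (an assumption of this example): a cut sequence is a frozenset
of literals; a literal is a basic event name such as 'X' or a binary temporal
literal ('PAND', 'X', 'Y') for X<Y or ('SAND', 'X', 'Y') for X&Y.  A list of
cut sequences stands for their disjunction.  Nested temporal gates are not
modelled."""
from itertools import combinations


def completion(x, y):
    """Completion Law: the conjunction X.Y equals X<Y + X&Y + Y<X."""
    return [frozenset({('PAND', x, y)}),
            frozenset({('SAND', x, y)}),
            frozenset({('PAND', y, x)})]


def expand(csq):
    """Equivalent disjunction obtained by applying the Completion Law to a pair
    of basic events in csq.  Every pair is tried; each expansion equals csq on
    its own, so the disjunction of all of them still equals csq."""
    basics = sorted(lit for lit in csq if isinstance(lit, str))
    if len(basics) < 2:
        return [csq]                                  # nothing to expand
    forms = []
    for x, y in combinations(basics, 2):
        rest = csq - {x, y}
        forms.extend(term | rest for term in completion(x, y))
    return forms


def implies(lit, wanted):
    """Does literal `lit` guarantee literal `wanted`?  A literal guarantees
    itself; because PAND and SAND are subsets of AND, a temporal literal also
    guarantees that both of its events have occurred (assumption, see above)."""
    if lit == wanted:
        return True
    return isinstance(wanted, str) and not isinstance(lit, str) and wanted in lit[1:]


def absorbs(weaker, stronger):
    """True if every literal of `weaker` is guaranteed by some literal of
    `stronger`: `stronger` can then only occur when `weaker` has, so the
    disjunction weaker + stronger reduces to weaker."""
    return all(any(implies(lit, w) for lit in stronger) for w in weaker)


def is_redundant(csq, others):
    """csq is redundant given `others` if each of its expanded forms is
    absorbed by some expanded form of the others."""
    other_forms = [form for other in others for form in expand(other)]
    return all(any(absorbs(o, form) for o in other_forms) for form in expand(csq))


def minimise(cut_sequences):
    """Drop redundant cut sequences one at a time, later entries first.
    Removing all candidates at once would be wrong when two equivalent
    representations (X.Y and its three-way expansion, say) absorb each other;
    checking from the end keeps whichever representation was listed first."""
    kept = list(dict.fromkeys(cut_sequences))         # dedupe, keep order
    changed = True
    while changed:
        changed = False
        for csq in reversed(kept):
            if is_redundant(csq, [o for o in kept if o != csq]):
                kept.remove(csq)
                changed = True
                break
    return kept


def show(csq):
    """Render a cut sequence in the thesis notation, e.g. (X<Y).Z."""
    parts = []
    for lit in sorted(csq, key=str):
        if isinstance(lit, str):
            parts.append(lit)
        else:
            parts.append(f"({lit[1]}{'<' if lit[0] == 'PAND' else '&'}{lit[2]})")
    return '.'.join(parts)


if __name__ == '__main__':
    # Constructed inputs: the two Completion Problems discussed in the text.
    for csqs in ([frozenset({'X', 'Y'}), frozenset({('PAND', 'X', 'Y'), 'Z'})],
                 [frozenset({('PAND', 'X', 'Y'), 'Z'}), frozenset({'X', 'Y', 'Z'})]):
        print(' + '.join(map(show, csqs)), ' -> ', ' + '.join(map(show, minimise(csqs))))
```

Because `minimise` examines later entries first, listing the concise form X.Y before its expansion X<Y + X&Y + Y<X keeps the concise form, which matches the preference stated above for fewer cut sequences.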

Figure 37 – Transformation of a fault tree (left) into its cut sets (right)

Regardless of their form, the goal of qualitative analysis in Pandora is to obtain the MCSQs for a temporal fault tree. Unfortunately, the process is not as simple as it is for non-temporal fault trees because there are now five gates to deal with, instead of just two. The first problem to be overcome is how to prioritise these gates in cut sequences – what is the equivalent of disjunctive normal form in Pandora? In normal cut set form, AND has a higher precedence than OR, so that groups of events are connected by AND gates which in turn are connected by a single OR gate. This can be seen in Figure 37; note that the cut sets are not minimised here (they minimise to just A + B.C.D). But in a cut sequence, we may also have PANDs, SANDs and PORs – so where should they appear?

One of the objectives of Pandora is to produce results as similar to existing qualitative FTA as possible. Therefore, in Pandora, CSQs are constructed such that OR and AND gates still appear at the top, in that order (i.e. one OR gate with one or more AND gates beneath it). This is still a disjunctive normal form. However, CSQs contain temporal gates, which indicate that part or all of the CSQ has to occur in a certain sequence (or, in the case of the SAND, must occur all at the same time). In cut sequence form, therefore, these must then appear beneath the AND gate, i.e. as part of the conjunction.

This is achieved by using the precedence of the operators (OR < AND < POR < PAND < SAND) to construct a hierarchy amongst the temporal gates such that SAND gates contain only basic events, PAND gates contain SANDs and events, while PORs contain any event, PAND, or SAND, but not ANDs/ORs. For example, A.(B<(C&D)) is in the correct hierarchical order, but A.(B&(C|D)) is not. The resulting cut sequence form is called hierarchical temporal form or HTF; it can be thought of as a temporal disjunctive normal form in which each AND gate represents a different cut sequence.
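As an added example (not code from the thesis or from Pandora), the following Python parses expressions written in the notation used above and checks the HTF rule that every input of a gate is either a basic event or a gate of strictly higher precedence (OR < AND < POR < PAND < SAND). Applied to the two expressions above, it accepts A.(B<(C&D)) and reports the POR inside the SAND in A.(B&(C|D)). The tokeniser, the parser, the n-ary tuple representation and the function names are this example's own; it assumes that '+', '.', '|', '<' and '&' denote OR, AND, POR, PAND and SAND, parses the binary temporal operators left-associatively, and flattens chains of OR or AND into a single n-ary gate.

```python
"""Added example (not Pandora's own code): parsing expressions in the thesis
notation and checking hierarchical temporal form (HTF), i.e. that each gate's
inputs are basic events or gates of strictly higher precedence.

Assumptions of this example: event names are alphanumeric; '+' '.' '|' '<' '&'
denote OR, AND, POR, PAND and SAND; binary temporal operators are parsed
left-associatively; OR and AND chains are flattened into n-ary gates."""

PRECEDENCE = {'OR': 0, 'AND': 1, 'POR': 2, 'PAND': 3, 'SAND': 4}
SYMBOLS = {'+': 'OR', '.': 'AND', '|': 'POR', '<': 'PAND', '&': 'SAND'}


def tokenize(text):
    """Split an expression into event names, operator symbols and parentheses."""
    tokens, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch.isspace():
            i += 1
        elif ch in SYMBOLS or ch in '()':
            tokens.append(ch)
            i += 1
        elif ch.isalnum() or ch == '_':
            j = i
            while j < len(text) and (text[j].isalnum() or text[j] == '_'):
                j += 1
            tokens.append(text[i:j])
            i = j
        else:
            raise ValueError(f'unexpected character {ch!r} at offset {i}')
    return tokens


def parse(text):
    """Precedence-climbing parser.  A basic event is returned as a str and a
    gate as a tuple (GATE, input, input, ...)."""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def primary():
        nonlocal pos
        tok = peek()
        if tok == '(':
            pos += 1
            node = expression(0)
            if peek() != ')':
                raise ValueError("missing ')'")
            pos += 1
            return node
        if tok is None or tok in SYMBOLS or tok == ')':
            raise ValueError(f'expected an event name, got {tok!r}')
        pos += 1
        return tok

    def expression(min_prec):
        nonlocal pos
        left = primary()
        while peek() in SYMBOLS and PRECEDENCE[SYMBOLS[peek()]] >= min_prec:
            gate = SYMBOLS[peek()]
            pos += 1
            right = expression(PRECEDENCE[gate] + 1)       # left-associative
            if gate in ('OR', 'AND') and isinstance(left, tuple) and left[0] == gate:
                left = left + (right,)                      # A.B.C -> one AND gate
            else:
                left = (gate, left, right)
        return left

    tree = expression(0)
    if pos != len(tokens):
        raise ValueError(f'unexpected token {tokens[pos]!r}')
    return tree


def htf_violations(tree, parent=None, path='root'):
    """List every gate whose precedence is not strictly higher than that of
    the gate it feeds, e.g. a POR placed inside a SAND."""
    if isinstance(tree, str):
        return []                              # basic events may appear anywhere
    gate, inputs = tree[0], tree[1:]
    found = []
    if parent is not None and PRECEDENCE[gate] <= PRECEDENCE[parent]:
        found.append(f'{gate} inside {parent} at {path}')
    for i, child in enumerate(inputs):
        found.extend(htf_violations(child, gate, f'{path}/{gate}[{i}]'))
    return found


def is_htf(text):
    """True if the expression is already in hierarchical temporal form."""
    return not htf_violations(parse(text))


if __name__ == '__main__':
    # Constructed inputs: the expressions discussed in the text.
    for expr in ('A.(B<(C&D))', 'A.(B&(C|D))', 'A + B.C.D', 'X.Y + (X<Y).Z'):
        print(f'{expr:16} HTF={is_htf(expr)} {htf_violations(parse(expr))}')
```

The violation path (for example root/AND[1]/SAND[1]) names the chain of gates from the top of the expression down to the offending input, which is the information needed to decide where the temporal laws must be applied to bring the expression into HTF.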

Note that not all of a cut sequence has to be ordered; it is entirely possible for some events to be temporally significant and others not to be, i.e. only the temporally significant events need to come in a certain order, though all the events in a cut sequence still need to occur to cause the top event. The only potential exception to this is the POR gate, because its non-priority inputs (all except its left-most) do not necessarily need to occur. In this chapter, the term cut sequence (or minimal cut sequence) is often used inclusively, referring both to cut sequences proper and non-temporal cut sets collectively.