




Institut für Datenverarbeitung in der Technik
Projekt Nukleare Sicherheit
KfK 3384

Failure Diagnosis and Fault Tree Analysis

G. Weber

Kernforschungszentrum Karlsruhe GmbH, Karlsruhe
Reproduced as a manuscript. All rights to this report are reserved.
Kernforschungszentrum Karlsruhe GmbH
ISSN 0303-4003
Abstract
With the increased complexity of many current systems, safety and
reliability considerations are becoming increasingly important.
Various methods and techniques employed for the design, construction
and operation of nuclear reactors, reprocessing plants, chemical
plants etc. lead to more safety and reliability. This is due to a
great extent to an increase of reliability and maintainability on
the component level. However, this increase may be offset by a
considerable complexity of the system. Here methods of reliability
engineering are required. A systematic approach to the problems
is needed. Thus reliability engineering uses a number of strategies,
among them the techniques of reliable design (e.g. redundancy)
and techniques of failure diagnosis (e.g. automatic search for failed
units).
In this report a methodology of failure diagnosis for complex systems
is presented. Systems which can be represented by fault trees are
considered. This methodology is based on switching algebra, failure diagnosis
of digital circuits and fault tree analysis. Relations between these
disciplines are shown. These relations are due to the Boolean algebra and
Boolean functions used throughout. It will be shown on this basis that
techniques of failure diagnosis and fault tree analysis are useful to
solve the following problems:
- Describe an efficient search for all failed components if the system
has failed.
- Describe an efficient search for all states which are close to a system
failure if the system is still operating.
The first technique will improve the availability, the second the reliability
and safety.
For these problems, the relation to methods of failure diagnosis for
combinational circuits is required. Moreover, the techniques are demonstrated
for a number of systems which can be represented by fault trees.
Failure Diagnosis and Fault Tree Analysis
Summary (translated from the German)
With the increasing complexity of numerous systems, safety and reliability
considerations are of growing importance today. Various methods and
techniques that are employed in the design, construction and operation of
reactors, reprocessing plants, chemical plants etc. yield more safety and
reliability. This is due in particular to an increase of reliability and
maintainability on the component level. However, these improvements may at
least be weakened by a considerable complexity of the system. Therefore
methods of reliability assurance are required. A systematic treatment of
these safety-relevant problems is necessary. Thus reliability assurance uses
a number of strategies. Typical examples are the treatment of reliability
questions at the design stage (e.g. use of redundancy) and the use of failure
diagnosis (e.g. automatic detection of failed units). In this report a
methodology of failure diagnosis for complex systems is to be presented. The
methods are applicable to systems which can be represented by fault trees.
The methodology is based on considerations from switching algebra, failure
diagnosis of digital combinational circuits and fault tree analysis. The
relations between these disciplines are shown. The relations rest in
particular on the Boolean algebra and the Boolean functions which are used
throughout the report.
On this basis it can be shown that techniques of failure diagnosis and fault
tree analysis are useful for treating the following problems:
- An efficient search for all failed components (when the system has
failed) is to be carried out.
- An efficient search for all states which are close to a system failure
(when the system is still intact) is to be carried out.
The first technique will increase the availability, the second the
reliability and safety.
For these problems the relation to methods of failure diagnosis for
combinational circuits is required. The techniques mentioned are demonstrated
for a number of systems which are represented by fault trees.
Figures
1. Major Gate Types
2. Karnaugh Map
3. Parity-Bit Generator
4. Combinational Circuit
5. Graphic Representation
6. Redundant Circuit
7. Example (Top-Down)
8. Example (Bottom-Up)
9. Illustrative Example of a Fault Tree
10. Cubical Representation
11. AND-Gate with s-a-1 Fault
12. Bridge Fault
13. Combinational Circuit
14. Fault Table
15. Simplified Fault Table
16. Combinational Circuit
17. Combinational Circuit
18. Irredundant Circuit
19. Network
20. System S1
25. Schematic Diagram of Device
26. Fault Tree
27. Standby System
28. Fault Tree
29. Residual Heat Removal Fault Tree
30. Block Diagram for Nitric Acid Cooler
31. Input-Output Models
32. Flow Diagram for Nitric Acid Cooler Process
33. Fault Tree for Nitric Acid Cooler
34. Subtree
35. Illustrative Example of a Fault Tree
CONTENTS
0. Introduction
1. Introduction to Switching Algebra (p. 2)
2. Introduction to Failure Diagnosis (p. 41)
3. Fault Trees (p. 53)
4. Diagnosis Procedures (p. 61)
5. Tests for two Types of Faults (p. 69)

0. Introduction
The design, construction and operation of complex systems (nuclear reactors,
reprocessing plants, chemical plants etc.) has to meet requirements regarding
safety, reliability and availability. Here methods of reliability engineering
are required. A systematic approach to these problems is needed. Thus reliability
engineering uses a number of strategies, among them the techniques
of reliable design (e.g. static and dynamic redundancy) and techniques of
failure diagnosis (e.g. automatic search for failed units, design for
diagnosability).
In this report a methodology for complex systems is presented. Systems which
can be represented by fault trees are considered. The following subjects are
significant for our approach:
- Concepts of switching algebra including some questions of representation.
This leads to the representation by prime implicants and min cuts (sect. 1).
- Basic concepts of failure diagnosis are introduced (sect. 2).
- Concepts of fault tree analysis are introduced: coherence, min cuts (sect. 3).
- Diagnosis procedures are introduced which may be applied to systems represented
by fault trees: a test which leads to a prompt failure diagnosis for a failed
system, and a test which finds all states adjacent to system failure. The first
test increases availability, the second test increases safety (sect. 4).
- Then a discussion of the corresponding concepts of failure diagnosis of
combinational circuits is given (sect. 5).
- Finally, a number of examples demonstrates the use of the introduced methods
for nuclear and other technologies. Results of diagnosis and conclusions on the
efficiency of test methods are presented (sect. 6).
While all methods mentioned have been used extensively either for computer
science or for safety questions, a unified approach was not yet available.
1. Introduction to Switching Algebra
1.1 Basic Concepts
1.2 Basic Properties
1.3 Switching Functions
1.4 Representations of Boolean Expressions
1.5 Prime Implicants and Coverage
1.6 Methods to obtain Prime Implicants
1.7 Algorithms to find a simplified sum-of-products Representation
1.8 Cubical Representation of Boolean Functions

1. Introduction to Switching Algebra
We give some basic concepts of switching algebra. This technique
is closely related to Boolean algebra. It is useful for
- failure diagnosis and
- fault tree analysis.
1.1 Basic Concepts
We assume the existence of a two-valued switching variable "x"
which can assume the values 0 and 1. (Note that 0, 1 are not
the real numbers.) No other values are possible here.
A switching algebra is an algebraic system consisting of the
set {0,1}, two binary operations called 'disjunction' (inclusive OR) and
'conjunction' (AND), and one unary operation called 'negation'
(NOT).
We write + (∨) for OR, · (∧) for AND, and an overbar ($\bar{x}$) for NOT.
The definitions of the following relations (AND, OR, NOT, etc.)
are given in Fig. 1 (see /1/).
All the gate definitions except NOT can easily be generalized to
allow any number of inputs.
A set G of gate types is called 'complete' if any combinational
function can be realized by a circuit that contains gates from
G only. Examples of complete sets are {NAND}, {NOR}, {AND, NOT},
{OR, NOT}, {AND, OR, NOT}.
We use the set {AND, OR, NOT} as complete set G.
Fig. 1 Major Gate Types (figure: for each gate its name, circuit symbol, truth table and equation; the legible equations are
AND: $z = x_1 \cdot x_2 = x_1 \wedge x_2$,
OR: $z = x_1 + x_2 = x_1 \vee x_2$,
NOT: $z = \bar{x}$,
NAND and NOR (two-input gates with inverted output),
EXCLUSIVE-OR: $z = x_1 \oplus x_2$)
1.2 Basic Properties
We mention a few basic properties of switching algebra. They
are also sufficient for a set of axioms. Note that there are
also other sets of axioms.
Let x, y, z, ... be variables. Then we use the following pairs of
identities:
Idempotency
$x + x = x$
$x \cdot x = x$
Note the difference from arithmetic where no idempotency law exists.
Associativity
$(x + y) + z = x + (y + z)$
$(x \cdot y) \cdot z = x \cdot (y \cdot z)$
Distributivity
$x \cdot (y + z) = x \cdot y + x \cdot z$
$x + y \cdot z = (x + y)(x + z)$
Note the difference from arithmetic.
Complementation
$x + \bar{x} = 1$
$x \cdot \bar{x} = 0$
Note the difference from arithmetic.
From the Basic Concepts (1.1) and Basic Properties we can deduce
many theorems. Two important theorems are the theorems of De Morgan:
$\overline{x + y} = \bar{x} \cdot \bar{y}$
$\overline{x \cdot y} = \bar{x} + \bar{y}$
We can use truth tables to prove De Morgan's theorems:
x  y  $\bar{x}$  $\bar{y}$  x + y  $\overline{x + y}$  $\bar{x} \cdot \bar{y}$
0  0  1  1  0  1  1
0  1  1  0  1  0  0
1  0  0  1  1  0  0
1  1  0  0  1  0  0
Note
For n variables we can write
(a) $\sum_{i=1}^{n} x_i = x_1 + x_2 + \dots + x_n$ or $\bigvee_{i=1}^{n} x_i = x_1 \vee x_2 \vee \dots \vee x_n$ (disjunction),
(b) $\prod_{i=1}^{n} x_i = x_1 x_2 \dots x_n$ or $\bigwedge_{i=1}^{n} x_i = x_1 \wedge x_2 \wedge \dots \wedge x_n$ (conjunction, Boolean monomial, product-term).
This can be represented by an OR-gate or an AND-gate with n inputs.
1.3 Switching Functions
We introduce the concept of a switching function, extending the
switching algebra to functions of binary variables. The switching
function is a Boolean function. Thus it is clearly related to the
structure function.
Def.: A 'switching function'
$f(x_1, x_2, \dots, x_n)$
of n two-valued variables $x_1, x_2, \dots, x_n$ ($x_i = 0, 1$) is a correspondence
which assigns to each of the $2^n$ combinations one value of {0,1}.
The switching function can be represented using
(a) a truth table
(b) maps
(c) graphic representations, diagrams, fault trees
(d) Boolean expressions, structure functions.
Clearly, for a high number of variables, (a) and (b) become extremely
large. E.g. we will have for n variables $2^n$ rows in the truth table.
Example:
We will introduce all representations (a) - (d) for an example:
(a) Truth table
A parallel parity-bit generator /2/: This unit must produce an
output 1 if and only if an odd number of its inputs have value 1.
Take the example of three-bit code words, i.e. the circuit has three
inputs x1, x2, x3 and its output f must be equal to 1 if 1 or 3 of
the inputs are 1. We can immediately construct the truth table:
row  x1 x2 x3  f  Number of inputs = 1
0    0  0  0   0  0, even
1    0  0  1   1  1, odd
2    0  1  0   1  1, odd
3    0  1  1   0  2, even
4    1  0  0   1  1, odd
5    1  0  1   0  2, even
6    1  1  0   0  2, even
7    1  1  1   1  3, odd
Table I, truth table
(b) Map
We give a map representation, based on the truth table (columns x1 x2, rows x3):
x1 x2:   00  01  11  10
x3 = 0:   0   1   0   1
x3 = 1:   1   0   1   0
Fig. 2: Map
(c) Graphic Representation
Fig. 3: Parallel parity-bit generator (figure: an OR gate whose inputs are AND gates fed by the inputs x1, x2, x3 and their NOT gates)
(d) Boolean Representation (Boolean polynomial)
For this circuit we get as Boolean representation (one product term for each row of Table I with f = 1):
$f(x_1, x_2, x_3) = \bar{x}_1 \bar{x}_2 x_3 + \bar{x}_1 x_2 \bar{x}_3 + x_1 \bar{x}_2 \bar{x}_3 + x_1 x_2 x_3$
i.e. f = 1 if either x1 and x2 and x3 are = 1 or
exactly one input is = 1.
It is possible to represent switching functions using different
techniques. Each will lead to the same truth table.
Canonical forms
We recall that truth tables are a means for representing switching functions
(Boolean functions). We also mentioned that Boolean expressions may
be written as Boolean polynomials. Now we give some considerations which
are
- closely related to truth tables and are
- easily generalized for switching algebra (Boolean algebra).
Assume we have a function $f(x_1, x_2, \dots, x_n)$ represented in a truth table.
Then we get two representations which are called 'canonical forms' which
will be discussed next:
- the disjunctive normal form (dnf)
- the conjunctive normal form (cnf).
Disjunctive normal form
We introduce the concept of 'minterm'. A minterm is a conjunction (product)
of n variables:
$p(x_1, x_2, \dots, x_n)$
Each variable may be either complemented or uncomplemented. The characteristic
property of a minterm is that it assumes the value 1 for exactly
one combination of the variables.
Then we can write any Boolean function as a disjunction of minterms,
called disjunctive normal form (dnf):
$f(x_1, x_2, \dots, x_n) = \bigvee_{i=0}^{2^n - 1} c_i \, p_i(x_1, x_2, \dots, x_n)$
where the constant $c_i$ ($c_i = 0$ or 1) is defined as follows:
$c_i = 1$ denotes the minterms which in a disjunction generate the function.
Relation to truth-table
For each row j where $f(x_1, x_2, \dots, x_n) = 1$, we get a minterm $p_j$.
If in this row we have $x_i = 1$ we write $x_i$; if we have $x_i = 0$ we write $\bar{x}_i$.
Now we get a disjunction of minterms
$f(x_1, x_2, \dots, x_n) = \bigvee_{j \in r_1} p_j(x_1, x_2, \dots, x_n)$
which is equal to the given function,
where j goes over all rows where f = 1, i.e. $r_1$ is the set of all
row numbers where f = 1.
Note:
$\bigvee_{i=0}^{2^n - 1} c_i \, p_i(x_1, x_2, \dots, x_n) = \bigvee_{j \in r_1} p_j(x_1, x_2, \dots, x_n)$
Example
We refer again to Table I (parity-bit generator).
It can be seen that $f(x_1, x_2, x_3) = 1$ for the set $r_1 = \{1, 2, 4, 7\}$.
We get the minterms $p_j$:
row 1: 0 0 1, $p_1 = \bar{x}_1 \bar{x}_2 x_3$, decimal notation 1
row 2: 0 1 0, $p_2 = \bar{x}_1 x_2 \bar{x}_3$, decimal notation 2
row 4: 1 0 0, $p_4 = x_1 \bar{x}_2 \bar{x}_3$, decimal notation 4
row 7: 1 1 1, $p_7 = x_1 x_2 x_3$, decimal notation 7
The disjunctive normal form is
$f(x_1, x_2, x_3) = \bar{x}_1 \bar{x}_2 x_3 + \bar{x}_1 x_2 \bar{x}_3 + x_1 \bar{x}_2 \bar{x}_3 + x_1 x_2 x_3$
or, in decimal notation, $f(x_1, x_2, x_3) = \Sigma(1, 2, 4, 7)$.
Note:
1. This form is a sum-of-products form (sop), if we consider the disjunction
as sum, the conjunction as product, a special form of a
Boolean polynomial.
2. There are some noteworthy properties of the dnf: There is only one
dnf for a given Boolean function $f(x_1, x_2, \dots, x_n)$, equivalent to
the unique truth table.
3. All terms are disjoint, $p_j \cdot p_k = 0$ for $j \neq k$.
Assume the contrary, i.e. $p_j \cdot p_k \neq 0$ for some $j \neq k$. Then each variable
which is uncomplemented (complemented) in $p_j$ must also be uncomplemented
(complemented) in $p_k$. Thus $p_j$ and $p_k$ cannot be different, i.e. j = k.
Relation to Boolean Expressions
To obtain the disjunctive normal form for any given Boolean function
a simple procedure can be used. This procedure will also be useful
for further considerations. It can be shown that this procedure always
leads to a result /1/.
Step 1: Expand the given function to a sum-of-products form which
needs no brackets.
Step 2: Examine each product term. If it is a minterm, retain it,
and continue to the next term.
Step 3: In each product which is not a minterm check the variables
that do not occur. For each $x_i$ that does not occur multiply
the product by $(x_i + \bar{x}_i)$.
Step 4: Multiply out all products and eliminate redundant terms.
Example
Determine the dnf for the following function
$f(x_1, x_2, x_3) = x_3 + x_2 (x_1 + x_1 x_3)$
This function could be represented graphically as follows:
Fig. 4 Combinational Circuit (figure: AND and OR gates realizing f)
Step 3:
$f(x_1, x_2, x_3) = x_3 (x_2 + \bar{x}_2)(x_1 + \bar{x}_1) + x_1 x_2 (x_3 + \bar{x}_3) + x_1 x_2 x_3$
Step 4: multiply out all products and drop the repeated minterms.
Note
A similar discussion is possible for 'maxterms'. A maxterm is a disjunction
(sum) of n variables. The conjunction of maxterms is called
a conjunctive normal form. This will not be of much use for problems
discussed here.
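As an added example (not code from the report), the dnf obtained both from the truth table (one minterm per row of $r_1$, as in the parity-bit generator of Table I) and by the expansion of steps 2-4 applied to the bracket-free form of $f = x_3 + x_2(x_1 + x_1 x_3)$; the Python names are assumptions of this example.

```python
from itertools import product

VARS = ["x1", "x2", "x3"]
N = len(VARS)

# A literal is (variable, polarity): ("x2", False) stands for x2-bar and is
# printed as x2'. A product term or minterm is a frozenset of literals.

def bits(row):
    """Row number of the truth table -> values of x1, x2, x3 (x1 most significant)."""
    return [(row >> (N - 1 - i)) & 1 for i in range(N)]

def minterm(row):
    """Minterm p_j of row j: x_i = 1 gives x_i, x_i = 0 gives x_i-bar."""
    return frozenset((VARS[i], bool(b)) for i, b in enumerate(bits(row)))

def row_of(mt):
    """Decimal notation of a minterm: the row number where it equals 1."""
    pol = dict(mt)
    return sum(1 << (N - 1 - i) for i, v in enumerate(VARS) if pol[v])

def dnf_from_truth_table(f):
    """Relation to the truth table: r1 = rows with f = 1, dnf = OR of their minterms."""
    r1 = [j for j in range(2 ** N) if f(*bits(j))]
    return r1, {minterm(j) for j in r1}

def expand_to_minterms(sop):
    """Steps 2-4 of the procedure: a product that is not a minterm is
    multiplied by (x_i + x_i-bar) for every variable x_i it lacks;
    multiplying out gives one minterm per choice of polarities, and the
    set union eliminates the redundant (repeated) minterms."""
    out = set()
    for term in sop:
        present = {v for v, _ in term}
        missing = [v for v in VARS if v not in present]
        for pol in product((True, False), repeat=len(missing)):
            out.add(term | frozenset(zip(missing, pol)))
    return out

def show(mt):
    return " ".join(v + ("" if p else "'") for v, p in sorted(mt))

# Parity-bit generator of Table I: f = 1 iff an odd number of inputs is 1.
def parity(x1, x2, x3):
    return (x1 + x2 + x3) % 2

# Function of the expansion example; Step 1 (multiplying out the brackets)
# gives the bracket-free sum of products x3 + x1 x2 + x1 x2 x3.
def g(x1, x2, x3):
    return x3 | (x2 & (x1 | (x1 & x3)))

G_STEP1 = {frozenset({("x3", True)}),
           frozenset({("x1", True), ("x2", True)}),
           frozenset({("x1", True), ("x2", True), ("x3", True)})}

if __name__ == "__main__":
    r1, dnf = dnf_from_truth_table(parity)
    print("parity: r1 =", r1, " dnf =", " + ".join(sorted(show(m) for m in dnf)))
    print("g: decimal notation", sorted(row_of(m) for m in expand_to_minterms(G_STEP1)))
```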
1.4 Representations of Boolean Expressions
It is useful to have several alternative representations for
Boolean expressions /3/. Assume again we have a switching function
given as follows:
Fig. 5 Graphic Representation (figure: 5a the circuit, 5b the tree with the operands p, q, r, s, t at the leaves)
The tree representation (Fig. 5b) is probably most graphic; we
can easily see the predecessors, successors etc. We can write the
expression also using the usual Boolean operations,
$f = ((q \wedge r) \vee p) \wedge (s \vee \bar{t})$
We also want to introduce a representation which will be needed
for some methods (as discussed in 1.7). We introduce the following
notation for Fig. 5b:
For branches between vertices we give
1 if the branch goes to the right,
2 if the branch goes to the left.
Thus we get (Fig. 5c):
Fig. 5c (figure: the tree of Fig. 5b with each branch labelled 1 or 2)
E.g. for r we can write 122, for the gate $q \wedge r$ we can write 12
(as 'coordinates'). We can represent the tree as a data structure,
called the 'full left list matrix' /3/:
Here in column 1 is the number of predecessors,
in column 2 the type of operator or operand,
in columns 3, 4, ... the numbers giving 'coordinates'.
Column  1  2  3 4 5
        2  ∧
        2  ∨  1
        0  p  1 1
        2  ∧  1 2
        0  q  1 2 1
        0  r  1 2 2
        2  ∨  2
        0  s  2 1
        1  ¬  2 2
        0  t  2 2 1
It is sometimes convenient to simplify the full left list matrix to a
left list matrix, dropping the coordinates:
Column  1  2
        2  ∧
        2  ∨
        0  p
        2  ∧
        0  q
        0  r
        2  ∨
        0  s
        1  ¬
        0  t
It can be shown that, if a binary relation such as ∧ is written
in front of its two operands in the form ∧ x y (instead of x ∧ y),
then by consistent use of such a notation ('prefix notation') no
parentheses are necessary. As Polish equivalents of Boolean connectives,
we get (/3/, /4/):
Boolean     Polish       Reverse Polish
$\bar{x}$   ¬, x         x, ¬
x ∧ y       ∧, x, y      x, y, ∧
x ∨ y       ∨, x, y      x, y, ∨
x ⊕ y       ⊕, x, y      x, y, ⊕
Thus our tree may be written in a Łukasiewicz or parenthesis-free notation
(also called Polish notation):
(a) Polish notation, prefix notation
(∧, ∨, p, ∧, q, r, ∨, s, ¬, t)
(b) Reverse Polish notation, postfix notation
(t, ¬, s, ∨, q, r, ∧, p, ∨, ∧)
Note:
The reverse Polish notation requires that the operators are written
in reverse order. Since all operators needed here are related to
commutative operations, the order of the variables is not affected.
If the operators cover more than two variables this should be indicated,
e.g. x ∧ y ∧ z can be written ∧(3), x, y, z.
It will be seen in sect. 1.7 how the left list matrix and the reverse
Polish notation are of direct relevance to problems of switching theory
and fault tree analysis.
1.5 Prime Implicants and Coverage
A switching function $f(x_1, x_2, \dots, x_n)$ is said to cover another
function $g(x_1, x_2, \dots, x_n)$, denoted
$f \supseteq g$
if f assumes the value 1 whenever g does. Thus, if f covers g, then
it has a 1 in every row in the truth table in which g has a 1.
Example:
Let $f = x_1 \oplus x_2$ (Exclusive OR) and $g_1$, $g_2$ be given by the table:
x1 x2 f  |  x1 x2 g1 g2
0  0  0  |  0  0  0  0
1  0  1  |  1  0  1  0
0  1  1  |  0  1  0  1
1  1  0  |  1  1  0  0
Thus: $f \supseteq g_1$ and $f \supseteq g_2$.
If f covers g and g covers f, then f and g are equivalent.
Example:
Let $f = x_1 \oplus x_2$ and
$g = g_1 \vee g_2$.
Then f and g are equivalent.
Let $f(x_1, x_2, \dots, x_n)$ be a switching function and $h(x_1, x_2, \dots, x_n)$
be a product of literals (conjunction). If f covers h, then h is said
to imply f, or h is said to be an implicant of f. The implicant is denoted
$h \rightarrow f$.
Example: $g_1$ and $g_2$ are implicants of f.
Definition: A prime implicant p of a function f is a product term
which is covered by f such that the deletion of any literal from p
results in a new product which is not covered by f. In other words:
p is a prime implicant if and only if p implies f but does not imply any
product with fewer literals which also implies f. The set of all prime
implicants will be denoted $\{p_i\}$.
Example:
$x y$ is a prime implicant of
$f = x y + \bar{x} z + \bar{y} z$
since it is covered by f but neither x nor y alone implies f.
A combinational circuit is 'redundant' if it is possible to remove
lines and/or gates in such a way that the resulting circuit is equivalent.
A combinational circuit which is not redundant will be called
irredundant.
Example:
Fig. 6 Redundant Circuit (figure)
This circuit is redundant.
Every circuit may be represented as a sum-of-products form /1/.
Theorem: Every irredundant sum-of-products (sop) equivalent to f is a
union of prime implicants of f:
$f = \bigvee_{i} p_i$
Proof: Let $f^*$ be an irredundant sop expression equivalent to f, and
suppose that $f^*$ contains a product term p which is not a prime implicant.
Since p is not a prime implicant, it is possible to replace it
with another product term which consists of fewer literals. Hence $f^*$ contains
redundant literals, which contradicts our initial assumption. □
1.6 Methods to obtain Prime Implicants
We discuss some methods to obtain prime implicants. Many methods
use explicitly the representation of Boolean functions by minterms.
This is true e.g. for the Quine-McCluskey method and others, given
in the literature e.g. /5/, /6/.
It seems to be more important to have a method which may be used for
a Boolean function represented without using minterms. This will also
prove useful for fault trees /7/.
Nelson's Algorithm
The following remarks are in order:
- F is a Boolean function which already has been transformed into a
sum-of-products form.
- If in this algorithm a Boolean expression E is 'complemented', this
means not only applying the complement to the expression, but also
repeatedly using De Morgan's rules, i.e.
$E = x y + y z$ leads to
$\bar{E} = \overline{x y + y z} = \overline{x y} \cdot \overline{y z} = (\bar{x} + \bar{y})(\bar{y} + \bar{z})$
Algorithm 1
Step 1 Complement F.
Obtain $\bar{F}$ applying De Morgan's rules.
Expand $\bar{F}$ into a disjunctive normal form.
Drop zero products ($x \bar{x} = 0$),
repeated literals ($x x = x$),
make absorptions ($x + x y = x$).
This result is $\Phi$.
Step 2 Complement $\Phi$.
Obtain $\bar{\Phi}$ applying De Morgan's rules.
Expand $\bar{\Phi}$ into a disjunctive normal form.
Drop zero products,
repeated literals,
make absorptions.
The result is $\sum_i P_i$, the sum of all prime implicants, and
only of prime implicants. □
Example:
$F = x_1 \bar{x}_2 + x_2 x_3 \bar{x}_4 + x_3 x_4$
Complement:
$\bar{F} = (\bar{x}_1 + x_2)(\bar{x}_2 + \bar{x}_3 + x_4)(\bar{x}_3 + \bar{x}_4)$
Expand and simplify:
$\Phi = \bar{x}_1 \bar{x}_2 \bar{x}_4 + \bar{x}_1 \bar{x}_3 + x_2 \bar{x}_3$
Complement:
$\bar{\Phi} = (x_1 + x_2 + x_4)(x_1 + x_3)(\bar{x}_2 + x_3)$
Expand and simplify:
$\sum_i P_i = x_1 \bar{x}_2 + x_1 x_3 + x_2 x_3 + x_3 x_4$
It is often useful to simplify the Boolean functions needed in
Algorithm 1 by factoring.
Example:
$F = x_1 \bar{x}_2 + x_2 x_3 \bar{x}_4 + x_3 x_4$
may be rewritten (factored) as
$F = x_1 \bar{x}_2 + x_3 (x_2 \bar{x}_4 + x_4)$
Then the algorithm may be done with a considerable saving of
operations /8/.
Algorithm 2 (with factoring)
Step 1 Factor anywhere possible in F.
Complement F.
Obtain $\bar{F}$ applying De Morgan's rules.
Expand $\bar{F}$ into a disjunctive normal form.
Drop zero products ($x \bar{x} = 0$),
repeated literals ($x x = x$),
make absorptions ($x + x y = x$).
This result is $\Phi$.
Step 2 Factor anywhere possible in $\Phi$.
Complement $\Phi$.
Obtain $\bar{\Phi}$ applying De Morgan's rules.
Expand $\bar{\Phi}$ into a disjunctive normal form.
Drop zero products,
repeated literals,
make absorptions.
The result is $\sum_i P_i$, the sum of all prime implicants, and
only of prime implicants. □
Example:
Step 1
Factor: $F = x_1 \bar{x}_2 + x_3 (x_2 \bar{x}_4 + x_4)$
Complement:
$\bar{F} = (\bar{x}_1 + x_2)((\bar{x}_2 + x_4)\bar{x}_4 + \bar{x}_3)$
Expand and simplify:
$\Phi = \bar{x}_1 \bar{x}_2 \bar{x}_4 + \bar{x}_1 \bar{x}_3 + x_2 \bar{x}_3$
Step 2
Factor: $\Phi = \bar{x}_1 (\bar{x}_2 \bar{x}_4 + \bar{x}_3) + x_2 \bar{x}_3$
Complement:
$\bar{\Phi} = (x_1 + (x_2 + x_4) x_3)(\bar{x}_2 + x_3)$
Expand and simplify:
$\sum_i P_i = x_1 \bar{x}_2 + x_1 x_3 + x_2 x_3 + x_3 x_4$
Notice the savings in the number of terms since $\bar{F}$ and $\bar{\Phi}$ have been factored.
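As an added example (not code from the report), Nelson's Algorithm 1 applied to the report's $F = x_1 \bar{x}_2 + x_2 x_3 \bar{x}_4 + x_3 x_4$, followed by a truth-table check that every term of the result satisfies the prime-implicant definition of sect. 1.5; the complement is written x' in the code and the function names are this example's own.

```python
from itertools import product

# A literal is (variable, polarity); ("x2", False) is x2-bar, printed x2'.
# A product term is a frozenset of literals, a sum-of-products (sop) a set
# of product terms, and a product-of-sums a list of sets of literals.

def sop(text):
    """Parse e.g. "x1 x2' + x3 x4" into a set of product terms."""
    return {frozenset((s.rstrip("'"), not s.endswith("'")) for s in term.split())
            for term in text.split("+")}

def show(terms):
    return " + ".join(sorted(" ".join(v + ("" if p else "'") for v, p in sorted(t))
                             for t in terms))

def absorb(terms):
    """x + x y = x: drop every product that contains another product."""
    return {t for t in terms if not any(u < t for u in terms)}

def complement(terms):
    """De Morgan: the complement of a sum of products is the product of the
    sums formed by the complemented literals of each product term."""
    return [{(v, not p) for v, p in t} for t in terms]

def expand(clauses):
    """Multiply a product of sums out into a sum of products, dropping zero
    products (x x' = 0), repeated literals (x x = x, a term is a set) and
    absorbed terms after every clause."""
    result = {frozenset()}
    for clause in clauses:
        result = absorb({t | {lit} for t in result for lit in clause
                         if (lit[0], not lit[1]) not in t})
    return result

def nelson(f):
    """Algorithm 1: Phi is the simplified expansion of F-bar (step 1); the
    simplified expansion of Phi-bar is the sum of all prime implicants (step 2)."""
    phi = expand(complement(f))
    return phi, expand(complement(phi))

# Truth-table check of the definitions of sect. 1.5.
def value(terms, env):
    return any(all(env[v] == p for v, p in t) for t in terms)

def covers(f, g, variables):
    """f covers g: f = 1 in every row of the truth table where g = 1."""
    for vals in product((True, False), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if value(g, env) and not value(f, env):
            return False
    return True

def is_prime_implicant(p, f, variables):
    """p implies f, and deleting any literal from p loses that property."""
    return covers(f, {p}, variables) and all(
        not covers(f, {p - {lit}}, variables) for lit in p)

F = sop("x1 x2' + x2 x3 x4' + x3 x4")     # the report's example function
VARS = ["x1", "x2", "x3", "x4"]

if __name__ == "__main__":
    phi, primes = nelson(F)
    print("Phi     =", show(phi))
    print("sum P_i =", show(primes))
    print("all prime:", all(is_prime_implicant(p, F, VARS) for p in primes))
```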
1.7 Algorithms to find a simplified sum-of-products representation (sop)
The algorithms to find a simplified s-o-p representation can be used
for the Nelson algorithm, Algorithm 1. For some special cases, i.e.
Boolean functions which can be represented using AND and OR alone
(but without complements; see sect. 3.3) these algorithms even give
all prime implicants /9/.
Top-Down Algorithm (Fussell's Algorithm)
We assume a switching network represented by a logical diagram.
Algorithm 3
Step 0 Start at top $A_0$.
Step 1 Search for predecessors of $A_i$ (i = 1, 2, ...).
Define predecessors of $A_i$:
$(A_i^1, A_i^2) = \mathrm{pred}(A_i)$.
Step 2 If $A_i$ is an OR-gate, we get
$A_i^1 + A_i^2 = A_i$; rename $A_i$.
If $A_i$ is an AND-gate, we get
$A_i^1 \cdot A_i^2 = A_i$; rename $A_i$.
Step 3 Multiply out all identified terms to obtain a sum of
products. If the sum of products still contains gates
($A_i$) go to step 1, else go to step 4.
Step 4 The sum-of-products expression (consisting of components)
can be simplified:
Drop repeated literals,
make absorptions. □
Fig. 7 Example (Top-Down) (figure: switching network with top gate $A_0$, gates $A_1$, $A_2$, $A_3$ and inputs x1, x2, x3, x4)
This switching network can be
represented in a form which
contains all gates and inputs
but is closer to graph theory.
$A_3$: AND-gate.
If repeated literals are dropped and if absorptions are made, we get the simplified
sum-of-products expression of Step 4.
Bottom-Up Algorithm (Bennett's Algorithm)
The bottom-up algorithm is a development of Bennett's algorithm which
leads to a sum-of-products representation.
We recall that the reverse Polish notation (left list matrix) introduced
in sect. 1.4 is used /10, 11/.
We have again the tree which was also used for our top-down algorithm.
Fig. 8 Example (Bottom-Up) (figure: the tree of Fig. 7 with branches labelled 1 and 2)
We can characterize all branches and thus get a full left list matrix:
Gate  Col. 1  Col. 2  Coordinates
A0    2       ∧
A2    2       ∧       1
      0       x4      1 1
      0       x2      1 2
A1    2       ∨       2
A3    2       ∧       2 1
      0       x3      2 1 1
      0       x2      2 1 2
      0       x1      2 2
Full left list matrix (reverse Polish notation)
Now we describe the bottom-up algorithm. Note that here only AND and OR
operators are assumed. Complements are assumed to be with the variables
only.
A general form of this algorithm which will be useful for large and
complex trees will be discussed later /10, 11/.
Bottom-up algorithm
Algorithm 4
Step 1 Left list matrix L given.
Step 2 Take next item from L.
Step 3 If the item is an operator, go to 4, else if the item is an operand, go to 5.
Step 4 If the operator is AND(l), withdraw the last l
items in the list (stack) and make a conjunction,
else if the operator is OR(l), withdraw the last
l items in the list (stack) and make a disjunction.
Step 5 Push the operand down into the list (stack).
Step 6 Check if terms like
$x x$, $x \bar{x}$, $x + x y$
are in the result and drop/simplify.
Step 7 Evaluate the already withdrawn terms to obtain s-o-p
expressions. Go to 2.
Step 8 If L is empty, an s-o-p expression for the whole Boolean
function is obtained. □
Left list matrix L
Note: We present a number of lists (stacks) showing
the mechanism of Algorithm 4, and a number of
reduced trees, illustrating the bottom-up method.
Steps 2-5 (table: list, operand and reduced tree after each step; the operands are pushed and the first conjunction $x_2 \cdot x_3$ is formed)
Steps 6-8 give the s-o-p expression for the whole tree.
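As an added example (not the report's code), Algorithm 3 and Algorithm 4 applied to the tree of Figs. 7 and 8 ($A_0 = A_2 \wedge A_1$, $A_2 = x_4 \wedge x_2$, $A_1 = A_3 \vee x_1$, $A_3 = x_3 \wedge x_2$, as read from the full left list matrix above); the bottom-up routine reads the left list backwards, i.e. in reverse Polish order, and the gate dictionary and function names are assumptions of this example.

```python
# Product terms are frozensets of input names (no complements, as assumed in
# sect. 1.7); a sum of products (sop) is a set of such terms.

def absorb(terms):
    """Step 4 / step 6 simplification: x + x y = x (repeated literals vanish
    automatically because a term is a set)."""
    return {t for t in terms if not any(u < t for u in terms)}

def conj(a, b):
    """AND of two sops: multiply out, then absorb."""
    return absorb({s | t for s in a for t in b})

def disj(a, b):
    """OR of two sops."""
    return absorb(set(a) | set(b))

# The tree of Figs. 7/8: gate -> (type, predecessors). Inputs x1..x4 are leaves.
TREE = {
    "A0": ("AND", ["A2", "A1"]),
    "A2": ("AND", ["x4", "x2"]),
    "A1": ("OR",  ["A3", "x1"]),
    "A3": ("AND", ["x3", "x2"]),
}

def top_down(tree, top="A0"):
    """Algorithm 3 (Fussell): start with the top gate and keep replacing a gate
    by the product (AND) or the sum (OR) of its predecessors, multiplying out,
    until only inputs remain."""
    sop = {frozenset([top])}
    while True:
        gates = {g for t in sop for g in t if g in tree}
        if not gates:
            return absorb(sop)                      # step 4
        g = min(gates)                              # step 1: next gate A_i
        kind, pred = tree[g]
        repl = ({frozenset(pred)} if kind == "AND"  # step 2
                else {frozenset([p]) for p in pred})
        new = set()
        for t in sop:                               # step 3: multiply out
            new |= conj({t - {g}}, repl) if g in t else {t}
        sop = new

def full_left_list(tree, node="A0", coord=()):
    """Rows (number of predecessors, item, coordinates) in the order of the
    full left list matrix of sect. 1.4 (operator first, then its branches)."""
    if node not in tree:
        return [(0, node, coord)]
    kind, pred = tree[node]
    rows = [(len(pred), kind, coord)]
    for i, p in enumerate(pred, 1):
        rows += full_left_list(tree, p, coord + (i,))
    return rows

def bottom_up(left_list):
    """Algorithm 4 (Bennett): read the left list backwards (reverse Polish
    order) and evaluate it with a stack whose entries are sops."""
    stack = []
    for n, item, _ in reversed(left_list):
        if item in ("AND", "OR"):                   # steps 3-4: operator, l = n
            args = [stack.pop() for _ in range(n)]
            acc = args[0]
            for a in args[1:]:
                acc = conj(acc, a) if item == "AND" else disj(acc, a)
            stack.append(acc)                       # steps 6-7: simplified sop
        else:
            stack.append({frozenset([item])})       # step 5: push operand
    (result,) = stack                               # step 8: L is empty
    return result

def show(sop):
    return " + ".join(sorted("".join(sorted(t)) for t in sop))

if __name__ == "__main__":
    for n, item, coord in full_left_list(TREE):
        print(n, item, " ".join(map(str, coord)))
    print("top-down :", show(top_down(TREE)))
    print("bottom-up:", show(bottom_up(full_left_list(TREE))))
```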
Example 2
We discuss a further example which leads to a generalization of the
bottom-up algorithm. We have the following fault tree from the published
literature /11, 24/.
Fig. 9 Illustrative Example of a Fault Tree (figure; the primary events are numbered 1 to 16)
This fault tree is also used as an example for our section 6
(Applications of Failure Diagnosis). This fault tree is also part
of the studies on hardware simulation /23/.
Note:
To simplify the representation of our left list matrix, we make the
following convention:
(a) Operands may be written in the same line as the operators if
no ambiguity arises.
(b) If not otherwise indicated the number l (in ∧(l), ∨(l))
is equal to 2.
E.g.
3  ∧
0  x1
0  x2      or more concisely    ∧(3) x1, x2, x3
0  x3
We divide the tree into two left lists (subtrees), $E_1$ and $E_2$, and evaluate each with Algorithm 4.
[Left list matrix of $E_1$ with coordinates, and the lists (stacks) and reduced trees for steps (1)-(15): table]
Intermediate s-o-p expressions of $E_1$:
(2) $2 \cdot 3 + 2 \cdot 5$ (operands 3 + 5 and 2)
(8) $2 \cdot 3 + 2 \cdot 5 + 1 \cdot 6 + 3 \cdot 6 \cdot 10 + 3 \cdot 6 \cdot 14$
(11) $10 \cdot 16 + 5 \cdot 10 \cdot 11$ (operands $16 + 5 \cdot 11$ and 10)
(14) $8 \cdot 9 \cdot 13$
(15) $10 \cdot 16 + 5 \cdot 10 \cdot 11 + 8 \cdot 9 \cdot 13$
From (8) and (15) we get
$\Phi_{E1} = 2 \cdot 3 + 2 \cdot 5 + 1 \cdot 6 + 3 \cdot 6 \cdot 10 + 3 \cdot 6 \cdot 14 + 8 \cdot 9 \cdot 13 + 10 \cdot 16 + 5 \cdot 10 \cdot 11$ (s-o-p expression)
Left list $E_2$
[Left list matrix of $E_2$ and the lists (stacks) for steps (1)-(11): table]
Intermediate s-o-p expressions of $E_2$:
(1)-(3) operand 3 with 2 + 6 gives $3 \cdot 2 + 3 \cdot 6$; operand 7 with $12 \cdot 15$ and $8 \cdot 13$ gives $7 \cdot 12 \cdot 15 + 7 \cdot 8 \cdot 13$
(4)-(6) $3 \cdot 2 + 3 \cdot 6 + 7 \cdot 12 \cdot 15 + 7 \cdot 8 \cdot 13$
(7)-(9) operand 1 with $6 \cdot 14 \cdot 15$ gives $1 \cdot 6 \cdot 14 \cdot 15$; operands 4, 12 give $4 \cdot 12$
(10)-(11) $1 \cdot 6 \cdot 14 \cdot 15 + 4 \cdot 12$
From (6) and (11) we get
$\Phi_{E2} = 2 \cdot 3 + 3 \cdot 6 + 7 \cdot 8 \cdot 13 + 7 \cdot 12 \cdot 15 + 1 \cdot 6 \cdot 14 \cdot 15 + 4 \cdot 12$
(s-o-p expression)
Now we obtain the Boolean function for the whole tree (Fig. 9)
in a few steps:
1. Allocate primary events to the set of common/non-common events;
2. Multiply $\Phi_{E1}$ and $\Phi_{E2}$;
3. Drop/simplify all terms of type $x x$, $x \bar{x}$, $x + x y$.
We introduce a technique which makes this step with a reasonable
amount of calculation /11/.
1. Search for primary events which are common to $E_1$ and $E_2$ (C-events) and
those which occur in only one of them (non-C-events).
2. Divide the primary events into the following subsets:
                                          Events from E1   Events from E2
Sets which contain only C-events          C1a              C2a
Sets which contain C and non-C events     C1b              C2b
Sets which contain only non-C events      C1c              C2c
3. We get for $E_1$ the following sets (corresponding to product terms):
c11 = {2,5}, c12 = {3,6,10}, c13 = {10,16}, c14 = {2,3},
c15 = {3,6,14}, c16 = {5,10,11}, c17 = {8,9,13}, c18 = {1,6}
and for $E_2$:
c21 = {3,6}, c22 = {4,12}, c23 = {1,6,14,15},
c24 = {7,8,13}, c25 = {7,12,15}, c26 = {2,3}.
4. Allocation of $c_{ik}$ to the subsets C1a, C1b, C1c etc.:
{c14, c15, c18} ⊂ C1a
{c11, c12, c17} ⊂ C1b
{c13, c16} ⊂ C1c
and
{c21, c26} ⊂ C2a
{c23, c24} ⊂ C2b
{c22, c25} ⊂ C2c
5. Now each subset of $E_1$ is related to each subset of $E_2$.
We write for this Cartesian product:
C1a × C2a = c14 (c21 ∪ c26) ∪ c15 (c21 ∪ c26) ∪ c18 (c21 ∪ c26)
C1a × C2b = c14 (c23 ∪ c24) ∪ c15 (c23 ∪ c24) ∪ c18 (c23 ∪ c24)
C1a × C2c = c14 (c22 ∪ c25) ∪ c15 (c22 ∪ c25) ∪ c18 (c22 ∪ c25)
C1b × C2a = c11 (c21 ∪ c26) ∪ c12 (c21 ∪ c26) ∪ c17 (c21 ∪ c26)
C1b × C2b = c11 (c23 ∪ c24) ∪ c12 (c23 ∪ c24) ∪ c17 (c23 ∪ c24)
C1b × C2c = c11 (c22 ∪ c25) ∪ c12 (c22 ∪ c25) ∪ c17 (c22 ∪ c25)
C1c × C2a = c13 (c21 ∪ c26) ∪ c16 (c21 ∪ c26)
C1c × C2b = c13 (c23 ∪ c24) ∪ c16 (c23 ∪ c24)
C1c × C2c = c13 (c22 ∪ c25) ∪ c16 (c22 ∪ c25)
-35-
6. We get the following s-o-p expressions, where 
- the absorbed terms ar-e without index 
- the remaining terms getan index j (j=1,2, ... ) 
to be identified for further calculations. 
c1a × c2a
= c14 (c21 ∪ c26) ∪ c15 (c21 ∪ c26) ∪ c18 (c21 ∪ c26)
= 2·3·6 + 2·3 (1) + 3·6·14 (4) + 2·3·6·14 + 1·3·6 (8) + 1·2·3·6
c1a × c2b
= c14 (c23 ∪ c24) ∪ c15 (c23 ∪ c24) ∪ c18 (c23 ∪ c24)
= 2·3·1·6·14·15 + 2·3·7·8·13 + 1·3·6·14·15 + 3·6·7·8·13·14 + 1·6·14·15 (2) + 1·6·7·8·13 (9)
c1a × c2c
= c14 (c22 ∪ c25) ∪ c15 (c22 ∪ c25) ∪ c18 (c22 ∪ c25)
= 2·3·4·12 + 2·3·7·12·15 + 3·4·6·12·14 + 3·6·7·12·14·15 + 1·4·6·12 (11) + 1·6·7·12·15 (12)
c1b × c2a
= c11 (c21 ∪ c26) ∪ c12 (c21 ∪ c26) ∪ c17 (c21 ∪ c26)
= 2·5·3·6 + 2·5·3 + 3·6·10 (3) + 2·3·6·10 + 8·9·13·3·6 (18) + 8·9·13·2·3
c1b × c2b
= c11 (c23 ∪ c24) ∪ c12 (c23 ∪ c24) ∪ c17 (c23 ∪ c24)
= 2·5·1·6·14·15 + 2·5·7·8·13 + 8·9·13·1·6·14·15 + 3·6·10·1·6·14·15 + 3·6·10·7·8·13 + 8·9·13·7
= 1·2·5·6·14·15 + 2·5·7·8·13 (5) + 1·6·8·9·13·14·15 + 1·3·6·10·14·15 + 3·6·7·8·10·13 + 7·8·9·13 (19)
c1b × c2c
= c11 (c22 ∪ c25) ∪ c12 (c22 ∪ c25) ∪ c17 (c22 ∪ c25)
= 2·4·5·12 (7) + 2·5·7·12·15 (6) + 3·4·6·10·12 + 3·6·7·10·12·15 + 4·8·9·12·13 (20) + 7·8·9·12·13·15
c1c × c2a
= c13 (c21 ∪ c26) ∪ c16 (c21 ∪ c26)
= 3·6·10·16 + 2·3·10·16 + 5·10·11·3·6 + 5·10·11·2·3
= 3·6·10·16 + 3·5·6·10·11
c1c × c2b
= c13 (c23 ∪ c24) ∪ c16 (c23 ∪ c24)
= 10·16·1·6·14·15 + 10·16·7·8·13 + 5·10·11·1·6·14·15 + 5·10·11·7·8·13
= 1·6·10·14·15·16 + 7·8·10·13·16 (10) + 1·5·6·10·11·14·15 + 5·7·8·10·11·13 (15)
c1c × c2c
= c13 (c22 ∪ c25) ∪ c16 (c22 ∪ c25)
= 10·16·4·12 + 10·16·7·12·15 + 5·10·11·4·12 + 5·10·11·7·12·15
= 4·10·12·16 (17) + 7·10·12·15·16 (16) + 4·5·10·11·12 (14) + 5·7·10·11·12·15 (13)
These results can be obtained by an algorithm (see /11/). We will here simply list the s-o-p expression for Φ_E1 · Φ_E2, which is a unique (irredundant) cover by prime implicants (see also sect. 1.5, minimal cuts).
Table of prime implicants
j    Term p_j                 j    Term p_j
1    2·3                      11   1·4·6·12
2    1·6·14·15                12   1·6·7·12·15
3    3·6·10                   13   5·7·10·11·12·15
4    3·6·14                   14   4·5·10·11·12
5    2·5·7·8·13               15   5·7·8·10·11·13
6    2·5·7·12·15              16   7·10·12·15·16
7    2·4·5·12                 17   4·10·12·16
8    1·3·6                    18   3·6·8·9·13
9    1·6·7·8·13               19   7·8·9·13
10   7·8·10·13·16             20   4·8·9·12·13
All terms for the s-o-p expression of Φ:
Φ = Φ_E1 · Φ_E2 = Σ_{j=1}^{20} p_j
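The following Python program is an added worked example; it is not part of the report. It multiplies the two s-o-p expressions term by term and removes the absorbed terms, which is the calculation listed above, and so reproduces the 20 prime implicants of Φ_E1 · Φ_E2. The contents of the cubes c11, ..., c26 are read off the expanded products above; this is an assumption, since their definitions are given earlier in the report and do not appear on this page.

```python
from itertools import product

# Cubes of the two fault trees E1 and E2. Their contents are read off the
# expanded products listed above (an assumption: the definitions themselves
# are given earlier in the report and are not repeated on this page).
# A cube is the set of basic-event numbers it contains, so 2·3 becomes {2, 3}.
E1 = {"c11": {2, 5}, "c12": {3, 6, 10}, "c13": {10, 16}, "c14": {2, 3},
      "c15": {3, 6, 14}, "c16": {5, 10, 11}, "c17": {8, 9, 13}, "c18": {1, 6}}
E2 = {"c21": {3, 6}, "c22": {4, 12}, "c23": {1, 6, 14, 15},
      "c24": {7, 8, 13}, "c25": {7, 12, 15}, "c26": {2, 3}}


def absorb(terms):
    """Absorption law: drop every product term that contains another term."""
    terms = {frozenset(t) for t in terms}
    return {t for t in terms if not any(other < t for other in terms)}


def sop_product(sop1, sop2):
    """AND of two s-o-p expressions: multiply term by term (set union of the
    literals, so a repeated factor such as 6·6 collapses), then absorb."""
    return absorb(a | b for a, b in product(sop1, sop2))


def fmt(term):
    """Render {2, 3} in the page's notation 2·3."""
    return "·".join(str(i) for i in sorted(term))


def prime_implicants():
    """The terms of Phi = Phi_E1 · Phi_E2, shortest terms first."""
    return sorted(sop_product(E1.values(), E2.values()),
                  key=lambda t: (len(t), sorted(t)))


if __name__ == "__main__":
    for j, term in enumerate(prime_implicants(), 1):
        print(f"{j:2d}  {fmt(term)}")
```

Since every product term here is a conjunction of positive literals (a cut), absorption alone yields the irredundant cover; no consensus step is needed, which is the simplification for coherent structures discussed in sect. 3.4.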
1.8 Cubical Representation of Boolean Functions
We defined a switching function as a correspondence which assigns to each of the 2^n combinations of x1, x2, ..., xn one value of {0,1}. E.g. for a switching function of three variables, each of the 2^3 = 8 combinations of x1, x2, x3 is assigned a value of {0,1} (Fig. 10).
x1 x2 x3   f(x1, x2, x3)
0  0  0    0
0  0  1    0
0  1  0    0
0  1  1    1
1  0  0    0
1  0  1    0
1  1  0    1
1  1  1    1
Fig. 10a Truth Table   Fig. 10b Map   Fig. 10c Cube with p1 = 11- (map and cube not reproduced)
Thus the set of all 2^n combinations of x1, x2, ..., xn with the corresponding values (1,0) is called a cubical representation of f(x1, x2, ..., xn). E.g. the set of all 2^3 combinations of x1, x2, x3 with the corresponding values (1,0) (see Fig. 10) is called a cubical representation of f(x1, x2, x3) (see also Fig. 10c).
Each subset of the 2^n combinations generated by fixing some variables, while the others take the values (1,0), is called a subcube.
Examples
1. We obtain a subcube of Fig. 10c by fixing x3 = 0, while x1, x2 may take the values 1,0.
2. We obtain prime implicants of f(x1, x2, x3) by fixing x1 = 1, x2 = 1, while x3 may take the values 1,0 (p1 = x1 x2), and by fixing x2 = 1, x3 = 1, while x1 may take the values 1,0 (p2 = x2 x3).
Let p_i be a prime implicant which is represented as a subcube. Then each subcube which differs in exactly one variable (say the kth variable) from p_i will be called the adjacent subcube p^x_ik /1/. Of course, this concept can be generalized, but this will be sufficient for our purposes.
Example
p1 = x1 x2 (subcube 11-)
Adjacent subcubes
k = 1: p^x_11 = x̄1 x2 (subcube 01-)
k = 2: p^x_12 = x1 x̄2 (subcube 10-)
p2 = x2 x3 (subcube -11)
Adjacent subcubes
k = 1: p^x_21 = x̄2 x3 (subcube -01)
k = 2: p^x_22 = x2 x̄3 (subcube -10)
(The figure showing the prime implicants represented as subcubes is not reproduced.)
If a prime implicant p_i consists of l literals, the number of adjacent subcubes p^x_ik is l (k = 1, 2, ..., l).
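As an added example (not from the report), the following Python code builds the cubical representation of f(x1, x2, x3) from the truth table of Fig. 10a, finds its prime implicants p1 = 11- and p2 = -11 by checking every cube, and lists the adjacent subcubes p^x_ik as defined above. The cube notation with '-' for a free variable is the one the report uses in sect. 5.4.

```python
from itertools import product

# Truth table of Fig. 10a, copied from the page (f = x1 x2 + x2 x3).
TRUTH_TABLE = {(0, 0, 0): 0, (0, 0, 1): 0, (0, 1, 0): 0, (0, 1, 1): 1,
               (1, 0, 0): 0, (1, 0, 1): 0, (1, 1, 0): 1, (1, 1, 1): 1}


def cube_points(cube):
    """All 0/1 vectors inside a subcube; '-' marks a variable left free."""
    free = [i for i, c in enumerate(cube) if c == "-"]
    points = []
    for bits in product((0, 1), repeat=len(free)):
        v = [None if c == "-" else int(c) for c in cube]
        for i, b in zip(free, bits):
            v[i] = b
        points.append(tuple(v))
    return points


def on_set(table):
    """The cubical representation of f: the vertices with value 1."""
    return {x for x, val in table.items() if val == 1}


def is_implicant(cube, table):
    """A subcube is an implicant if f = 1 on every one of its vertices."""
    return all(table[p] == 1 for p in cube_points(cube))


def is_prime(cube, table):
    """Prime: an implicant that stops being one if any fixed literal is freed."""
    if not is_implicant(cube, table):
        return False
    for i, c in enumerate(cube):
        if c != "-" and is_implicant(cube[:i] + "-" + cube[i + 1:], table):
            return False
    return True


def prime_implicants(table):
    """Brute force over all 3^n cubes; adequate for the small n of the examples."""
    n = len(next(iter(table)))
    return sorted("".join(c) for c in product("01-", repeat=n)
                  if is_prime("".join(c), table))


def adjacent_subcubes(cube):
    """p^x_ik: flip the k-th fixed literal of p_i; l literals give l of them."""
    return [cube[:i] + ("0" if c == "1" else "1") + cube[i + 1:]
            for i, c in enumerate(cube) if c != "-"]


if __name__ == "__main__":
    for p in prime_implicants(TRUTH_TABLE):
        print(p, "adjacent:", adjacent_subcubes(p))
```

The subcube of example 1 is "--0"; it is not an implicant, since it contains the vertex 000 where f = 0.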
2. Introduction to Failure Diagnosis 
2.1 Types of Faults 
2.2 Basic Concepts of Failure Diagnosis 
2.3 Boolean Difference and Tests 
2.4 Interpretation of Redundancy 
2.1 Types of Faults
We assume combinational circuits. There are various types of failures /12/:
- permanent faults
- intermittent faults.
We only deal with permanent faults. If they are present, they will remain (until a repair is done). The permanent faults fall into two classes:
1. Classical faults, i.e.
- stuck at zero (s-a-0)
- stuck at one (s-a-1)
where a failed item behaves as if it always had the value 0 or 1.
Example:
Fig. 11a   Fig. 11b   (figures not reproduced)
The circuit of Fig. 11a has for x1 a s-a-1 fault (Fig. 11b).
Note
It will be our purpose to model all faults as logical faults. Thus the problem of failure diagnosis becomes a logical problem which is usually independent of the technology used. The same fault model is applicable to various technologies /12/.
2. Non-classical faults
- e.g. bridge faults
- and others.
Example:
Fig. 12a   Fig. 12b   (figures not reproduced)
It can be seen that the bridge fault leads to Boolean expressions for the outputs which differ from those of Fig. 12a. We will not deal explicitly with these faults (/12/). Note that non-classical faults have no evident relation to systems represented by fault trees.
2.2 Basic Concepts of Failure Diagnosis
Now some basic notions for failure diagnosis of combinational circuits will be given /1/, /12/. Let C be a combinational circuit which realizes the function f(x1, x2, ..., xn). Let α be an arbitrary fault in the combinational circuit, where a number of variables change the output f to f_α.
Def. If f_α ≠ f for at least one input x1, x2, ..., xn, we call the fault α detectable. If f_α = f for all inputs x1, x2, ..., xn, we call the fault α undetectable.
Def. If for two faults α, α' and for all inputs
f_α = f_α',
we call these faults functionally equivalent. There are in general equivalence classes of faults. A fault can be identified up to an equivalence class.
Example:
Let C be the following combinational circuit:
Fig. 13 Combinational Circuit (figure not reproduced; it has the wires m, n, p, q)
which realizes the function f(x1, x2, x3) of Fig. 14. Let f denote the fault free output and let f_α denote the output of this circuit in presence of fault α. Denote by m_1 the fault of wire m, s-a-1, and similarly m_0, n_i, p_i, q_i (i = 0, 1).
The truth table for this circuit is shown in Fig. 14. Here all possible single faults α are indicated.
Input      f    f_α
x1 x2 x3   f    f_m0  f_n0  f_p0  f_q0  f_m1  f_n1  f_p1  f_q1
0  0  0    1    1     1     1     0     1     1     1     1
0  0  1    0    0     0     0     0     0     0     1     1
0  1  0    1    1     1     1     0     1     1     1     1
0  1  1    0    0     0     0     0     1     0     1     1
1  0  0    1    1     1     1     0     1     1     1     1
1  0  1    0    0     0     0     0     0     1     1     1
1  1  0    1    1     1     1     1     1     1     1     1
1  1  1    1    0     0     0     1     1     1     1     1
Fig. 14
We observe (Fig. 15) that
- the columns f_m0, f_n0, f_p0 are identical for all possible inputs, i.e. they are equivalent (cannot be distinguished); similarly f_p1, f_q1 are equivalent;
- there is no fault which is undetectable.
It is possible to simplify the fault table, which will be done below, but which is of little practical value.
Def. A test for fault α is an input (x1, x2, ..., xn) if in response to this input the output f_α is different from f.
Example:
Input      Possible faults
x1 x2 x3   {m0, n0, p0}   q0   m1   n1   {p1, q1}
0  0  0    -              1    -    -    -
0  0  1    -              -    -    -    1
0  1  0    -              1    -    -    -
0  1  1    -              -    1    -    1
1  0  0    -              1    -    -    -
1  0  1    -              -    -    1    1
1  1  0    -              -    -    -    -
1  1  1    1              -    -    -    -
Fig. 15 Simplified fault table
- the only test for {m0, n0, p0} is 111;
- q0 can be tested by 000 or 010 or 100;
- m1 can be tested by 011, provided there is no response for 001 and 101;
- n1 can be tested by 101, provided there is no response for 001, 011;
- {p1, q1} can be tested by 001, 011, 101, provided there is a response for all three inputs.
Note: A fault table (Fig. 15) is a table in which there is a row for each possible test and a column for every fault. A "1" is entered at the intersection of the i-th row and the j-th column if the fault corresponding to the j-th column can be detected by the i-th test.
The problem of finding the minimal test set is closely related to the problem of finding a minimal cover of a Boolean function (by prime implicants). We will come back to a similar technique in section 5.
2.3 Boolean Difference and Tests
Assume a circuit C which realizes the Boolean function f(x1, x2, ..., xn). Let α be a fault in which input x_i is s-a-0. Then the function realized by this faulty circuit is
f_α = f(x1, x2, ..., x_{i-1}, 0, x_{i+1}, ..., xn) = f(0_i).
Similarly, if x_i is s-a-1, the function realized by the faulty circuit is
f_α = f(x1, x2, ..., x_{i-1}, 1, x_{i+1}, ..., xn) = f(1_i).
The Boolean difference method is an algebraic procedure to determine a complete set of tests to detect a given fault /1/.
Def. The Boolean difference of the function f(x1, x2, ..., xn) with respect to its variable x_i is defined as
df(x)/dx_i = f(0_i) ⊕ f(1_i),
where ⊕ denotes the exclusive OR. It will be convenient to denote the Boolean difference as df(x)/dx_i.
Rules:
1. If f(0_i) ⊕ f(1_i) = 0 for all variables, the fault related to x_i is undetectable (redundant).
2. We get all tests for s-a-0 faults if
x_i · df(x)/dx_i = 1.
3. We get all tests for s-a-1 faults if
x̄_i · df(x)/dx_i = 1.
I.e. if we have input combinations x which fulfil the conditions (2), (3), these are the tests.
Fig. 16 Combinational circuit (figure not reproduced)
We are interested in possible failures related to x3 and form the Boolean difference with respect to x3.
For a s-a-0 fault at x3 we get with
x3 · df(x)/dx3 = x̄1 x̄2 x3 x4 + x1 x3 x̄4 + x2 x3 x̄4 = 1.
This expression is equal to one if any of the product terms is equal to one. Thus we get as tests:
(x1, x2, x3, x4) = {(0,0,1,1), (1,*,1,0), (*,1,1,0)}
The DON'T CARE sign "*" tells that we are free to choose 0 or 1.
For a s-a-1 fault at x3 we proceed in the same way with x̄3 · df(x)/dx3 = 1.
Fig. 17 Combinational Circuit (figure not reproduced)
Is an error at input x2 detectable? The Boolean difference with respect to x2 reduces to
df(x)/dx2 = 0,
i.e. an error at input x2 is not detectable.
Note:
Some interesting developments of the Boolean difference are:
- There are various rules which make the application to subsystems (subcircuits) easier.
- There is a generalization of the Boolean difference for multiple faults.
- The Boolean difference is suitable only for relatively small systems.
There are many methods for failure diagnosis available /1/, /12/. We will deal with a few methods in sect. 5.2 and 5.3 of this report.
2.4 Interpretation of Redundancy
Sometimes an interpretation of redundancy is desirable which is not directly related to the detectability of failures.
Assume we have a circuit which consists only of inputs, outputs and gates (AND, OR, NOT) and is acyclic (contains no directed circuits). This type of combinational circuit is sometimes called 'wellformed' /2/ and will be considered here.
Definition:
Let N(Z) be a set of (wellformed) networks which realize a given (multioutput) combinational function Z.
A network N ∈ N(Z) is redundant if it is possible to remove lines and gates from N in such a way that the resulting network N1 is in N(Z), and still realizes the same switching function. A network which is not redundant will be called irredundant.
Note
A wellformed circuit can be defined recursively. We only mention one of its properties: a wellformed circuit is acyclic, i.e. it has no directed circuits.
Examples:
1. f(x1, x2) = x1 x2 + x1 x̄2 (N)
Since
x1 x2 + x1 x̄2 = x1 (x2 + x̄2) = x1,
we can delete the lines and gates related to x2. Only x1 is needed. This is equivalent to saying that the circuit (N) is redundant.
2. A circuit, represented as a sum of prime implicants (without complements).
Fig. 18 Irredundant circuit (figure not reproduced)
As can be seen in section 3.3 ('coherence'), no line or gate can be omitted if the circuit Z has to realize the same Boolean function. This circuit is irredundant.
3. Fault Trees
3.1 Definition of Fault-Trees
3.2 Structure Function
3.3 Coherence of Systems and Minimal Cuts
3.4 A few Results on Coherent Structure Functions
3.1 Definition of Fault-Trees
We define a fault-tree and discuss a few properties of fault-trees, also indicating some relations to switching theory /13/.
Definition
A fault-tree is a finite directed graph without (directed) circuits. Each vertex may be in one of several states. For each vertex a function is given which specifies its state in terms of the states of its predecessors. The states of those vertices without predecessors are considered the independent variables of the fault-tree.
Some general properties of a fault-tree:
- The vertices without predecessors are the inputs to the fault-tree, representing the components. We are interested in the state of every other vertex, but in particular in the state of one vertex without successors, an output vertex which we identify with the state of the system as a whole. The graphical term 'vertex' here is roughly synonymous with 'item' and generally denotes any level in the system, whether a component, sub-system or the whole system.
- We specialize to only two states per vertex. This makes all of the functions Boolean functions. We call one of the two states 'functioning', 'false' or 0, and the other 'failed', 'true' or 1.
Note that this definition of a two-state fault-tree is equivalent to a combinational network with one output. The no-circuit condition in the graph is equivalent to the condition that the current output of a switching circuit is entirely determined by the current inputs, without memory of previous inputs or internal states.
3.2 Structure Function
We introduce the concept of structure function. It is of central importance for all problems of fault tree analysis /14/, /15/, /16/. It can be seen that it is closely related to the concept of switching function (see sect. 1.3).
Also the system S can be in two states, either functioning or failed. The components are the vertices without predecessors of our fault tree definition. The function which specifies the state of a vertex in terms of its predecessors is a Boolean function (AND, OR, NOT). The state of the top vertex can be given by a structure function.
Definition of Structure Function
Let x1, x2, ..., xn be Boolean variables which can assume the values 0,1, where
x_i = 0 if component i is functioning,
x_i = 1 if component i is failed.
The assumption that 1 corresponds to failure is used throughout this paper and is useful for fault tree analysis. The Boolean variable x_i indicates the state of component i, whereas the state vector
x = (x1, x2, ..., xn)
indicates the state of the system. The Boolean function
φ(x1, x2, ..., xn)
is called structure function and determines completely the state of the system S in terms of the state vector:
φ(x1, x2, ..., xn) = 0 if system S is functioning,
φ(x1, x2, ..., xn) = 1 if system S is failed.
We note:
The structure function is related to the switching function as follows: they belong to two isomorphic algebraic systems. We call two algebraic systems isomorphic if they are identical up to the symbols used for operations and elements. Thus we can use all concepts and methods from switching algebra for fault tree analysis (and vice versa).
3.3 Coherence of Systems and Minimal Cuts
We introduced in sect. 1.1 the concept of completeness, especially referring to the set of operations
{AND, OR, NOT}.
This (and other complete sets) are usually used in switching algebra. In fault tree analysis we find quite frequently the set
{AND, OR},
which is not complete (see examples in section 6). We want to define coherence and show its relation to a simplified s-o-p representation, the minimal cut representation. Note that failure diagnosis is not restricted to coherent systems (sect. 2 and 5) /14/, /15/, /16/.
Definition:
A system is called coherent if and only if
(a) a structure function exists which is nondecreasing in each variable, i.e.
φ(y) ≥ φ(x) where y_i ≥ x_i (i = 1, ..., n),
(b) the relations hold
φ(0) = 0 where 0 = (0, 0, ..., 0),
φ(1) = 1 where 1 = (1, 1, ..., 1).
This means:
(a) If a system is functioning, then no transition of a component from failure to function can cause a system failure.
(b) If all components are functioning, the system is functioning. If all components are failed, then the system is failed.
Examples:
1. φ(x) = x1 x2 ∨ x2 x3 ∨ x1 x3, representing a 2/3-system, is coherent.
2. φ(x) = x1 x̄2 ∨ x̄1 x2, representing an exclusive-OR gate (Fig. 1), is not coherent, since
(0, 1) ≤ (1, 1) does not imply φ(0, 1) ≤ φ(1, 1).
3. Examples of coherent and noncoherent fault trees are given in sect. 6.
Minimal Cut C_j
Let M = {K1, K2, ..., Kn} be the set of components of a coherent system S. A subset V of M such that S is failed if all components belonging to V are failed and all components not belonging to V are not failed, is called a 'cut'. A cut is 'minimal' if no proper subsets exist which are also cuts.
We call such a cut 'minimal cut' (C_j).
Fig. 19 Network with components K1, ..., K5 (figure not reproduced)
Structure function φ(x1, ..., xn) with the minimal cuts
{K1, K2}
{K3, K4}
{K1, K4, K5}
{K2, K3, K5}
Structure function
φ(1, 1, 0, 0, 0) = 1 (failed)
but φ(0, 1, 0, 0, 0) = 0 (not failed)
We write all components as K_i (i = 1, 2, ..., n). If a component K_i belongs to C_j we can use the notation K_i ∈ C_j.
φ(C_j) = ⋀_{K_i ∈ C_j} x_i = Π_{K_i ∈ C_j} x_i
The first expression is a conjunction of all K_i belonging to C_j. The second expression is a multilinear form in x_i.
Example:
Let C1 = {K1, K2}. Then,
φ(C1) = ⋀_{K_i ∈ C1} x_i = x1 ∧ x2 = x1 x2
Note that every min cut is a prime implicant without complements. It is possible to express a coherent function using a sum of min cuts.
Example: For the network (Fig. 19) shown above, we get
φ(x) = x1 x2 ∨ x3 x4 ∨ x1 x4 x5 ∨ x2 x3 x5
or, as multilinear form:
φ(x) = 1 - (1 - x1 x2)(1 - x3 x4)(1 - x1 x4 x5)(1 - x2 x3 x5)
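Added example (not from the report) in Python for sections 3.2 to 3.4: the structure function of the network of Fig. 19 is built from its min cuts, the coherence conditions (a) and (b) are checked by exhaustion over all state vectors, the min cuts are recovered from φ by the cut definition, and the s-o-p and multilinear forms are compared. The 2/3 system and the exclusive-OR of the examples above are checked as well.

```python
from itertools import product, combinations

# Min cuts of the network of Fig. 19 as listed above (components K1 ... K5;
# x_i = 1 means component i is failed, as throughout the report).
MIN_CUTS = [{1, 2}, {3, 4}, {1, 4, 5}, {2, 3, 5}]
N = 5


def phi(x, cuts=MIN_CUTS):
    """Structure function as a sum of min cuts: 1 iff some cut has all members failed."""
    return int(any(all(x[i - 1] for i in cut) for cut in cuts))


def phi_multilinear(x, cuts=MIN_CUTS):
    """The same function written as 1 - prod_j (1 - prod_{K_i in C_j} x_i)."""
    out = 1
    for cut in cuts:
        term = 1
        for i in cut:
            term *= x[i - 1]
        out *= 1 - term
    return 1 - out


def is_coherent(f, n):
    """(a) f nondecreasing in every variable, (b) f(0,...,0) = 0 and f(1,...,1) = 1."""
    if f((0,) * n) != 0 or f((1,) * n) != 1:
        return False
    for x in product((0, 1), repeat=n):
        for i in range(n):
            # failing one more component must never bring the system back
            if x[i] == 0 and f(x[:i] + (1,) + x[i + 1:]) < f(x):
                return False
    return True


def cuts_of(f, n):
    """All cuts: subsets V such that failing exactly the components of V fails S."""
    comps = range(1, n + 1)
    return [set(v) for r in range(1, n + 1) for v in combinations(comps, r)
            if f(tuple(int(i in v) for i in comps)) == 1]


def min_cuts_of(f, n):
    """Cuts with no proper subset that is itself a cut."""
    cuts = cuts_of(f, n)
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=lambda c: (len(c), sorted(c)))


def two_of_three(x):
    """Example 1: x1 x2 v x2 x3 v x1 x3."""
    return int((x[0] & x[1]) | (x[1] & x[2]) | (x[0] & x[2]))


def xor(x):
    """Example 2: x1 x̄2 v x̄1 x2."""
    return x[0] ^ x[1]


def multilinear_agrees(cuts=MIN_CUTS, n=N):
    """The s-o-p and the multilinear form agree on every state vector."""
    return all(phi(x, cuts) == phi_multilinear(x, cuts)
               for x in product((0, 1), repeat=n))


if __name__ == "__main__":
    print("coherent:", is_coherent(phi, N), "min cuts:", min_cuts_of(phi, N))
```

The multilinear form is the one that survives when the x_i are replaced by failure probabilities of independent components, which is why the report singles it out.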
3.4 A few Results on Coherent Structure Functions
We mentioned in sect. 1.5 that every irredundant sum-of-products representation of a switching function is a union of prime implicants of this function. In section 3.2 we introduced the structure function which is isomorphic to the switching function. Moreover, we introduced the concept of coherence and the min cuts.
If the structure function is coherent, the representation by prime implicants greatly simplifies. We quote a theorem which leads to this simplification.
Theorem
A coherent structure function φ(x) can be represented as a s-o-p
φ(x) = Σ_{j=1}^{l} p_j
of prime implicants, where this representation is unique and can be written using the concept of min cuts
φ(x) = Σ_{j=1}^{l} Π_{K_i ∈ C_j} x_i,
where K_i ∈ C_j are the components belonging to C_j, and x_i the Boolean variables describing the states (functioning, failed) of the components /16, 17/.
Note that there
- is only one (minimal) cover, and there
- are only essential prime implicants which may not be replaced by any other prime implicants.
This has the following consequences for the search for minimal cuts. The algorithm 3 (top-down algorithm) or 4 (bottom-up algorithm) leads to all min cuts. Algorithms like 1, 2 (using the complement) are not needed for this type of search. It may also be interesting to note that the problem of testing simplifies considerably if coherent structures are given. One of the simplifications will be evident in sections 4 and 5 (search for min cuts instead of prime implicants for coherent structures).
4. Diagnosis Procedures 
4.1 Diagnosis Procedure 'a' 
4.2 Diagnosis Procedure 'b' 
4. Some Diagnosis Procedures
Assume a system where for each relevant component a component failure is automatically detected. E.g. some systems of the Automated Laboratory for the WAK allow this type of failure detection /18, 19/.
The possible size of a fault table (dictionary) and the use of Boolean differences (see sect. 2) is soon impractical. Thus, a method is needed which
- skips redundant information,
- decreases alarms which unnecessarily contribute to system unavailability,
- may be used for realistic systems.
We discuss the following two types of tests:
(a) A test which leads to a prompt failure diagnosis for a failed system. This test is based on a structure function with minimal cuts. The test aids to increase the availability of the system.
(b) A test which finds all states adjacent to system failure, but only these. This test is based on a structure function with minimal cuts. The test aids to increase the safety, but the unavailability due to repair remains moderate.
Both tests can be used for systems which are not coherent as well (see sect. 5).
4.1 Diagnosis Procedure 'a'
1. Given a system S in fault tree representation or series-parallel representation with structure function φ, where
φ = Σ_{j=1}^{l} p_j.
2. If a min cut p_j is equal to 1, there is system failure.
3. For all min cuts of φ, test patterns (minterms) can be generated which uniquely determine whether a min cut is a cause for a system failure or not. This systematic account is called 'Diagnosis Procedure a' (set of a-tests).
The relation to failure diagnosis concepts will be shown in sect. 5. It can be seen that no failure dictionary is needed. We give an example for 'Diagnosis Procedure a' (also called a-test).
Example:
(1) a-tests search for min cuts of f
Fig. 20 System S1 (figure not reproduced; it shows the min cuts p1 and p2)
(2) Structure function f = f(x1, x2, x3, x4)
f = x1 x2 + x3 x4, where x_i = 0 if component i is intact and 1 if component i is failed, and f = 0 if the system is intact and 1 if the system is failed.
(3) Minterms
min cut {1, 2} (x1 x2 = 1 failed, 0 intact):
x1 x2 x3 x4 = 1 1 - -, minterm 1 1 0 0 (x1 x2 = 1, x3 x4 = 0)
min cut {3, 4} (x3 x4 = 1 failed, 0 intact):
x1 x2 x3 x4 = - - 1 1, minterm 0 0 1 1 (x1 x2 = 0, x3 x4 = 1)
By the a-test we can determine whether min cuts lead to system failure or not. Every min cut which has the value 0 is not a cause for system failure (*). The min cut which has the value 1 is the cause for system failure. A search for components is not needed. The entire cut needs repair.
(*) In some cases also a direct search for the responsible cut may be possible, simply searching for the cut which has the value 1.
4.2 Diagnosis Procedure 'b'
1. Given a system S in fault tree representation or series-parallel representation with structure function φ written in min cuts p_k, as in 4.1.
2. If a min cut p_k is equal to 1, the system fails.
3. For all min cuts p_k adjacent subcubes p^x_jk can be found which refer to states of a coherent system where only one more component has to fail to cause a system failure.
4. Test patterns can be generated uniquely determining the states adjacent to system failure. This systematic account is called 'Diagnosis Procedure b' (set of b-tests).
The relation to failure diagnosis will be discussed in sect. 5. We give an example for Diagnosis Procedure b (also called b-test).
Example:
(1) Search for min cuts
Fig. 21 System S2 (figure not reproduced; it shows the min cuts p1 and p2)
(2) Structure function f
f = f(x1, x2, x3, x4, x5)
f = x1 x2 + x3 x4 x5 (in min cuts)
(3) b-test
Let p_i be prime implicants (min cuts) and p^x_ik be the adjacent subcubes to the p_i.
                        x1 x2 x3 x4 x5      Minterms
p1 = x1 x2              1  1  -  -  -
k = 1: p^x_11 =         0  1  -  -  -       0 1 0 0 0
k = 2: p^x_12 =         1  0  -  -  -       1 0 0 0 0
p2 = x3 x4 x5           -  -  1  1  1
k = 1: p^x_21 =         -  -  0  1  1       0 0 0 1 1
k = 2: p^x_22 =         -  -  1  0  1       0 0 1 0 1
k = 3: p^x_23 =         -  -  1  1  0       0 0 1 1 0
We obtain all states of the system S2 which are adjacent to system failure:
1. component 1 failed: p^x_11 = 0 1 - - -
   component 2 failed: p^x_12 = 1 0 - - -
2. components 4 and 5 failed: p^x_21 = - - 0 1 1
   components 3 and 5 failed: p^x_22 = - - 1 0 1
   components 3 and 4 failed: p^x_23 = - - 1 1 0
By the b-test we can locate all states which are adjacent to system failure. Then it is possible to prevent system failure by replacing the failed components.
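Added example (not from the report) in Python for Diagnosis Procedures a and b on the systems S1 (Fig. 20) and S2 (Fig. 21): procedure a evaluates every min cut for an observed state vector and reports the cut that needs repair as a whole; procedure b lists the states adjacent to system failure (the minterms of the p^x_jk in the table above) and, for a given state of a still functioning system, the cuts that are one component failure away. The observed state vectors fed in are constructed for the example.

```python
# Systems S1 (Fig. 20) and S2 (Fig. 21) given by their min cuts, as on the page.
S1 = {"n": 4, "cuts": [{1, 2}, {3, 4}]}
S2 = {"n": 5, "cuts": [{1, 2}, {3, 4, 5}]}


def cut_value(cut, state):
    """Value of the min cut product: 1 iff every component of the cut is failed.
    state[i-1] = 1 means component i is failed."""
    return int(all(state[i - 1] for i in cut))


def procedure_a(system, state):
    """a-test: evaluate every min cut for the observed state. A cut with value 1
    is the cause of the system failure and is repaired as a whole."""
    failed = [cut for cut in system["cuts"] if cut_value(cut, state)]
    return {"system_failed": bool(failed), "repair": failed}


def adjacent_states(system):
    """b-test patterns: for every min cut and every member k, the state in which
    all other members of the cut are failed and everything else is intact
    (the minterms of the adjacent subcubes p^x_jk with phi = 0)."""
    n = system["n"]
    out = []
    for cut in system["cuts"]:
        for k in sorted(cut):
            state = tuple(int(i in cut and i != k) for i in range(1, n + 1))
            out.append((sorted(cut), k, state))
    return out


def procedure_b(system, state):
    """For an observed state of a still functioning system, list the min cuts that
    are one more component failure away from causing system failure, together
    with the component whose failure would complete the cut."""
    if procedure_a(system, state)["system_failed"]:
        return []
    return [(sorted(cut), sorted(i for i in cut if not state[i - 1]))
            for cut in system["cuts"]
            if sum(state[i - 1] for i in cut) == len(cut) - 1]


if __name__ == "__main__":
    # Constructed observed states, not taken from the report.
    print(procedure_a(S1, (1, 1, 0, 0)))
    for cut, k, s in adjacent_states(S2):
        print(cut, k, "".join(map(str, s)))
    print(procedure_b(S2, (1, 0, 0, 1, 1)))
```

With the failure of each component reported automatically, as assumed at the start of sect. 4, procedure b turns the reported state directly into a short list of cuts to watch, without a failure dictionary.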
Clearly, all the techniques from a- and b-tests, also in relation with the search for prime implicants (or min cuts), can be applied for automatic diagnosis of systems. This will be shown in more detail in our next section.
5. Tests for Two Types of Faults 
5.1 General Assumptions 
5.2 Tests for s-a-0-Faults 
5.3 Tests for s-a-1-faults 
5.4 Examples for Tests 
5.5 Existence of Tests 
5.6 Relation to Diagnosis Procedures 
Introduction
We discuss tests for two types of faults which occur in combinational networks:
- the stuck at one fault (s-a-1)
- the stuck at zero fault (s-a-0).
Other faults are not considered. Combinational networks are related to fault trees due to the isomorphism of switching function and structure function. We concentrate here on two tests which use prime implicants (or min cuts). They were developed in /1, 17/. These tests have been introduced on an informal basis in sect. 4 (Diagnosis Procedures a, b).
5.1 General Assumptions
We assume a two-level network (AND-OR type), or a network which can be transformed into an equivalent two-level network (i.e. without deletion of real failures and/or introduction of new failures). In Fig. 22, the AND-OR type network is shown:
Fig. 22 AND-OR network (figure not reproduced)
We assume that this is an irredundant network which is equivalent to an irredundant sum of prime implicants. Thus, the switching function f can be written
f = p1 + p2 + ... + p_l,
where p_i denotes the ith prime implicant and l is the number of prime implicants of the irredundant sum.
Each AND-gate is equivalent to one prime implicant. Here we need an algorithm to search for prime implicants (see sect. 1). If the system is coherent, a search for min cuts is sufficient (see sect. 1.7).
A circuit which consists of r wires may have as many as 2r distinct single faults (s-a-0, s-a-1), and 3^r - 1 multiple faults (single, double, ..., r-tuple faults). This is due to the binomial theorem /1/:
3^r = (2 + 1)^r = Σ_{i=0}^{r} C(r, i) 2^i 1^{r-i}, where 1^{r-i} = 1.
5.2 Tests for s-a-0 Faults
We discuss the tests for s-a-0 faults, which correspond to the 'Diagnosis Procedure a'.
A s-a-0 fault at any of the inputs of the jth AND-gate causes the output of this gate to be s-a-0, regardless of the value of the remaining variables. Such a fault eliminates the corresponding prime implicant p_j from the function
f = Σ_{i=1}^{l} p_i.
To check whether a given prime implicant p_j has completely vanished, it is sufficient to have one minterm a_j as input which is covered by that prime implicant p_j and by no other prime implicant /17/.
For all 'essential prime implicants' such a minterm exists; this is especially true for min cuts (unique representation). The requirement that a minterm a_j must be one that is covered by the prime implicant p_j and by no other prime implicant p_i (i ≠ j) is essential. We note that a complete set of tests for s-a-0 faults for a s-o-p network consists of l tests corresponding to the l prime implicants in f.
To test the jth AND-gate for s-a-0 faults, it is necessary and sufficient to have as input one minterm a_j such that
a_j ∈ p_j · Π_{i=1, i≠j}^{l} p̄_i.
The systematic account of minterms a_j to test the AND-gates for s-a-0 is referred to as a set of a-tests. It can be shown that all single and multiple stuck-at faults can be detected by this method.
We give an algorithm for generating the (minimal) a-tests.
The covering matrix shows for all minterms m_i if they are covered by prime implicants. If m_i is covered by p_j, we have e_ij = 1; if m_i is not covered by p_j, we have e_ij = 0.
Algorithm 5
Step 1 Construct a covering matrix E whose column headings are p_j and whose row headings are the minterms m_i of f.
Step 2 Delete all rows which contain two or more 1's.
Step 3 Is there a p_j which cannot be covered?
Step 4 Choose for every p_j in E one minterm a_j. Thus we get the minterms
a_j ∈ p_j · Π_{i=1, i≠j}^{l} p̄_i.  □
5.3 Tests for s-a-1 Faults
We discuss the tests for s-a-1 faults, which correspond to the 'Diagnosis Procedure b'. A s-a-1 fault at any of the inputs of the jth AND-gate causes the prime implicant not to vanish. But the output of the gate becomes independent of the variable associated with the s-a-1 fault.
Example:
Let the input x_k of the AND-gate x1 x2 x3 be s-a-1. This is for
k = 1: 1 · x2 · x3 = x2 x3 ≠ x1 x2 x3,
k = 2: x1 · 1 · x3 = x1 x3 ≠ x1 x2 x3.
To test the kth input of the jth AND-gate for s-a-1 faults, it is necessary and sufficient to have as input one minterm b_jk such that
b_jk ∈ p^x_jk · Π_{i=1}^{l} p̄_i,
where p^x_jk is a subcube adjacent to p_j (see sect. 1.8) and p_j is the jth prime implicant.
The systematic account of minterms b_jk to test all AND-gates for s-a-1 faults is called a set of b-tests. It can be shown that all single and multiple stuck-at faults can be detected by this method.
Before giving the algorithm a few remarks seem in order (see also the examples given below).
- Pairwise intersection: Assume a cubical representation (sect. 1.8). For terms like 11-- and -11- the pairwise intersection is 111-.
- Prime intersection: If intersecting with other terms leads to no further intersection, we have a prime intersection.
- Prime tests: The prime intersections are related to prime tests.
- Prime test chart: A chart with column headings p^x_jk and with row headings b_jk (prime tests) is called prime test chart.
With these remarks we can state our algorithm.
Algorithm 6
Step 1 List all p^x_jk for all j = 1, 2, ..., l and k = 1, 2, ..., r_j, where l is the number of prime implicants and r_j the number of literals in the jth prime implicant. Thus we get all adjacent subcubes.
Step 2 For every p^x_is ⊇ p^x_jt delete p^x_is from the list.
Step 3 Find all pairwise intersections of the terms that are now contained in the list. Whenever an intersection is nonempty and contains a minterm for which f = 0, checkmark the intersected terms. This step lists the minterms for which f = 0 which are contained in 2 or more adjacent subcubes.
Step 4 Repeat Step 3 until no new terms are generated. The terms generated in step 3 and those left unchecked in step 3 are called prime intersections. Steps 3 and 4 thus indicate those minterms which simultaneously test as many subcubes as possible.
Step 5 From the list of prime intersections construct a list of prime tests by selecting arbitrarily an input combination b_jk for which the value of the function is 0.
Step 6 Construct a prime test chart where the column headings are the p^x_jk (found in step 2) and the row headings the prime tests (found in step 5). A sign (x) is inserted at the intersection of any one row and column if the corresponding prime test is covered by p^x_jk. We get
b_jk ∈ p^x_jk · Π_{i=1}^{l} p̄_i.
Step 7 Select a set of prime tests that check each of the p^x_jk terms, i.e. find a cover for the prime test chart.  □
5.4 Example for Tests (s-a-0 and s-a-1 faults)
Given the following network:
Fig. 23 (figure not reproduced)
This can be represented as a sum of prime implicants:
f = Σ_{j=1}^{4} p_j = x3 x4 + x2 x̄3 x̄4 + x1 x4 x5 + x̄1 x̄2 x4 x̄5
(in cube notation p1 = --11-, p2 = -100-, p3 = 1--11, p4 = 00-10).
It can be seen that each prime implicant covers at least one minterm which is not covered by any other prime implicant (see also the Karnaugh map, Fig. 24).
We write as covering matrix with headings
- p_j (columns)
- m_i (rows):
m_i           p1      p2      p3      p4
x1x2x3x4x5    --11-   -100-   1--11   00-10
01000         0       1       0       0
11000         0       1       0       0
00010         0       0       0       1
00110         1       0       0       1     ✓
10110         1       0       0       0
01110         1       0       0       0
11110         1       0       0       0
01001         0       1       0       0
11001         0       1       0       0
10011         0       0       1       0
11011         0       0       1       0
00111         1       0       0       0
10111         1       0       1       0     ✓
01111         1       0       0       0
11111         1       0       1       0     ✓
Covering Matrix
Step 2 Delete all rows which contain more than one 1 (rows checkmarked by ✓).
Step 3 There is no p_j which cannot be detected by a minterm.
Step 4 We choose for every p_j one minterm a_j, e.g.
{a} = {11110, 11000, 10011, 00010} for p1, p2, p3, p4.
Note: These tests (a_j) are necessary and sufficient to test for all s-a-0 faults.
Finally, we show a Karnaugh map with the prime implicants p_j and the minterms a_j.
Fig. 24 Karnaugh Map (figure not reproduced)
Note:
All the circled minterms belong to the minterms of f with
a_j ∈ p_j · Π_{i=1, i≠j}^{l} p̄_i.
The minterms which are covered by more than one p_i are marked in the map as well.
Step 1 From the prime implicants p_j we find all adjacent subcubes p^x_jk:
p1 = --11-    p^x_11 = --10-
              p^x_12 = --01-
p2 = -100-    p^x_21 = -000-
              p^x_22 = -110-
              p^x_23 = -101-
p3 = 1--11    p^x_31 = 0--11
              p^x_32 = 1--01
              p^x_33 = 1--10
p4 = 00-10    p^x_41 = 10-10
              p^x_42 = 01-10
              p^x_43 = 00-00
              p^x_44 = 00-11
Step 2 For every p^x_is ⊇ p^x_jt delete p^x_is. We get
p^x_12 = --01- ⊇ p^x_23 = -101-
p^x_11 = --10- ⊇ p^x_22 = -110-
p^x_33 = 1--10 ⊇ p^x_41 = 10-10
p^x_31 = 0--11 ⊇ p^x_44 = 00-11
so that p^x_11, p^x_12, p^x_31, p^x_33 are deleted. The remaining adjacent subcubes are
-000-, -110-, -101-, 1--01, 10-10, 01-10, 00-00, 00-11.
Steps 3 and 4 We find pairwise intersections, e.g.
p^x_23 ∩ p^x_42 = -101- ∩ 01-10 = 01010.
We get:
01010, 11101, 10001, 00000
The prime intersections (where intersection leads to no further terms) are
10-10, 00-11
01010, 11101, 10001, 00000
Step 5 To find a test from the intersection 00-11, note that this intersection covers two minterms
00011 and 00111;
since 00111 ⊆ --11- = p1, only 00011 is admitted as a test.
We get as prime tests (minterms)
00011, 10010
01010, 11101, 10001, 00000
Step 6 The prime test chart is given next:
         -000-   -110-   -101-   1--01   10-10   01-10   00-00   00-11
00011                                                            x
10010                                    x
01010                    x                       x
11101            x               x
10001    x                       x
00000    x                                               x
Note:
These tests (b_jk) are necessary and sufficient to test for all s-a-1 faults. We give no representation with a Karnaugh map here.
The method of covering a prime test chart is similar to the covering of a fault table. But almost always, the size of a prime test chart is small compared with the corresponding fault table (see sect. 2.2).
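Added example (not from the report) in Python implementing Algorithms 5 and 6 for a general irredundant s-o-p network and running them on the network of Fig. 23 (p1 = --11-, p2 = -100-, p3 = 1--11, p4 = 00-10). It reproduces the rows of the covering matrix with a single 1 (the admissible a_j), the columns of the prime test chart, the prime tests, and a minimum cover of the chart; the cover is found by exhaustive search over subsets of prime tests, which the report leaves open in step 7.

```python
from itertools import product, combinations

# Prime implicants of the network of Fig. 23 (sect. 5.4) as cubes over x1..x5.
PRIMES = ["--11-", "-100-", "1--11", "00-10"]   # p1 .. p4


def cube_points(cube):
    """Expand a cube ('-' = free variable) into its minterms as 0/1 strings."""
    free = [i for i, c in enumerate(cube) if c == "-"]
    points = []
    for bits in product("01", repeat=len(free)):
        s = list(cube)
        for i, b in zip(free, bits):
            s[i] = b
        points.append("".join(s))
    return points


def intersect(a, b):
    """Cube intersection, or None if the cubes conflict in a fixed position."""
    out = []
    for ca, cb in zip(a, b):
        if ca == "-":
            out.append(cb)
        elif cb == "-" or ca == cb:
            out.append(ca)
        else:
            return None
    return "".join(out)


def contains(big, small):
    return intersect(big, small) == small


def f_value(minterm, primes=PRIMES):
    """f = 1 iff the minterm lies in some prime implicant."""
    return int(any(contains(p, minterm) for p in primes))


def a_tests(primes=PRIMES):
    """Algorithm 5: for each p_j the minterms covered by p_j and by no other p_i
    (the rows of the covering matrix with exactly one 1); any one of them is a_j."""
    admissible = []
    for j, p in enumerate(primes):
        private = [m for m in cube_points(p)
                   if not any(contains(q, m) for i, q in enumerate(primes) if i != j)]
        if not private:
            raise ValueError(f"p{j + 1} has no private minterm: not an essential prime")
        admissible.append(private)
    return admissible


def adjacent(cube):
    """Adjacent subcubes p^x_jk: flip one fixed literal at a time."""
    return [cube[:i] + ("0" if c == "1" else "1") + cube[i + 1:]
            for i, c in enumerate(cube) if c != "-"]


def b_tests(primes=PRIMES):
    """Algorithm 6. Returns (chart columns, prime tests, a minimum cover)."""
    # Steps 1 and 2: all adjacent subcubes, minus those containing another one.
    subs = [s for p in primes for s in adjacent(p)]
    cols = [s for s in subs if not any(s != t and contains(s, t) for t in subs)]
    # Steps 3 and 4: repeated pairwise intersections holding a minterm with f = 0.
    terms, checked = set(cols), set()
    while True:
        new = set()
        for a, b in combinations(sorted(terms), 2):
            c = intersect(a, b)
            if c is None or c in (a, b):
                continue        # empty, or one term inside the other: nothing further
            if any(f_value(m, primes) == 0 for m in cube_points(c)):
                checked.update((a, b))
                new.add(c)
        if new <= terms:
            break
        terms |= new
    prime_inter = sorted(t for t in terms if t not in checked)
    # Step 5: one minterm with f = 0 from each prime intersection.
    prime_tests = sorted(next(m for m in cube_points(t) if f_value(m, primes) == 0)
                         for t in prime_inter)
    # Steps 6 and 7: prime test chart and an exact minimum cover of its columns.
    chart = {t: [c for c in cols if contains(c, t)] for t in prime_tests}
    for r in range(1, len(prime_tests) + 1):
        for pick in combinations(prime_tests, r):
            if set().union(*(chart[t] for t in pick)) == set(cols):
                return cols, prime_tests, list(pick)


if __name__ == "__main__":
    print("admissible a_j:", a_tests())
    cols, tests, cover = b_tests()
    print("chart columns:", cols)
    print("prime tests:", tests, "minimum cover:", cover)
```

For the network of Fig. 23 five of the six prime tests are essential (each is the only one covering some column), so the minimum cover has five b-tests; together with the four a-tests this is the complete test set T of sect. 5.5.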
5.5 Existence of Tests
Theorem: The set T of a-tests and b-tests detects all multiple faults in the two-level AND-OR network, where all a-tests are of the type
  $a_j \in p_j \cdot \prod_{i \ne j} \bar{p}_i$
and all b-tests are of the type
  $b_{jk} \in p_{jk} \cdot \prod_{i} \bar{p}_i$.
Proof: We consider only the inputs $x_i$. If any s-a-0 or s-a-1 fault occurs at one of the inputs, it will be detected by the tests T.
If any input is s-a-1, its effect is to add a subcube $p_{jk}$ to the switching function. This subcube can only be deleted again (i.e. the s-a-1 fault becomes undetectable) if an s-a-0 fault occurs on an input to the same AND gate. This s-a-0 fault cannot be "masked" by another s-a-1 fault at the gate: from $x_{i_1} x_{i_2} \cdots 1 \cdots 0 \cdots x_{i_n}$ (one input stuck at 1, another stuck at 0) we get the vanishing of the prime implicant, therefore it will be detected by an a-test.
An s-a-0 fault at an input to an AND gate causes the prime implicant $p_j$ to vanish. The $p_j$ is tested by a single a-test. If, however, this a-test (minterm) is at the same time included in an adjacent subcube added to the switching function as a result of some s-a-1 fault, it will not detect the "vanished" prime implicant. The s-a-1 fault, however, will be detected by the b-tests.
In all other situations the a-test will detect all s-a-0 faults.
The a-tests and b-tests together detect all multiple faults, but not necessarily the a-tests or the b-tests alone. □
This proof has been presented in /1/. Here the proof has been simplified to some extent.
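To see the theorem concretely, the following added example (not from the report) injects every one of the 3^n - 1 multiple stuck-at faults into the network of sect. 6.1, f = x1x2x3 + x4x5x6 with n = 6 gate input lines, and checks which of them the a-tests alone, the b-tests alone, and both together detect. The tests are the ones listed in sect. 6.1; the gate encoding and the function names are choices of this example.

```python
"""Exhaustive multiple stuck-at fault simulation of a two-level AND-OR network.
Added example for the theorem of sect. 5.5, run on the network of sect. 6.1."""
from itertools import product

# Each AND gate is the list of 0-based indices of its input variables, so the
# network has one gate input line per literal: n = 6 here.
GATES_6_1 = [[0, 1, 2], [3, 4, 5]]                       # x1x2x3 + x4x5x6
A_TESTS_6_1 = ['111000', '000111']
B_TESTS_6_1 = ['011000', '101000', '110000', '000011', '000101', '000110']


def fault_free(gates):
    """The fault vector with every gate input line healthy."""
    return (None,) * sum(len(g) for g in gates)


def evaluate(gates, fault, x):
    """Network output for input word x (a 0/1 string) under a multiple fault:
    fault[l] is None (line l healthy), 0 (stuck-at-0) or 1 (stuck-at-1)."""
    line, out = 0, 0
    for gate in gates:
        g = 1
        for var in gate:
            g &= int(x[var]) if fault[line] is None else fault[line]
            line += 1
        out |= g
    return out


def detected(gates, fault, tests):
    """A fault is detected if some test word gives an output different from the
    fault-free network."""
    good = fault_free(gates)
    return any(evaluate(gates, fault, t) != evaluate(gates, good, t) for t in tests)


def multiple_fault_count(gates):
    """3**n - 1: every line healthy, s-a-0 or s-a-1, minus the fault-free case."""
    return 3 ** len(fault_free(gates)) - 1


def undetected_multiple_faults(gates, tests):
    """Enumerate all 3**n - 1 multiple faults and return those the test set misses."""
    good = fault_free(gates)
    return [f for f in product((None, 0, 1), repeat=len(good))
            if f != good and not detected(gates, f, tests)]


if __name__ == '__main__':
    print('multiple faults:', multiple_fault_count(GATES_6_1))
    for name, tests in (('a-tests', A_TESTS_6_1), ('b-tests', B_TESTS_6_1),
                        ('a- and b-tests', A_TESTS_6_1 + B_TESTS_6_1)):
        missed = undetected_multiple_faults(GATES_6_1, tests)
        print(f'{name}: {len(missed)} of {multiple_fault_count(GATES_6_1)} faults undetected')
```

The a-tests alone miss, for instance, x1 stuck at 1 (both a-tests give the fault-free output), and the b-tests alone miss every stuck-at-0 on its own (all b-tests already give 0); the union detects all 728 faults, which is the statement of the theorem for this network. The enumeration is exhaustive and is practical up to roughly a dozen input lines.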
5.6 Relation to Diagnosis Procedures
To apply our concepts correctly to diagnosis procedures (introduced in sect. 4) some relations will be outlined:
There is a close correspondence between
1. a-tests (for s-a-0 faults) and a-diagnosis procedures (for failure diagnosis of systems represented by fault trees),
2. b-tests (for s-a-1 faults) and b-diagnosis procedures (for diagnosis of subcubes adjacent to system failure).
Clearly, all the techniques of a- and b-tests, also in connection with the search for prime implicants (or min cuts), can be applied to the automatic diagnosis of systems. This will be shown in more detail in the next section.
6. Examples with Various Fault Trees
6.1 Subsystem of Automated Laboratory
6.2 Standby System with Motor
6.3 Failure of Residual Heat Removal System
6.4 Nitric Acid Cooler
6.5 An Illustrative Fault Tree
6.1 Subsystem of Automated Laboratory
Here we regard the photometer and conductivity measurements, which have been discussed in more detail in /18/, as a first
[Fig. 25 Vereinfachtes Apparateschema (simplified apparatus diagram: schematic diagram of the automated photometry and conductimetry system /18/): figure not reproduced]
In a schematic diagram this device is shown. Then a subtree leading to the event "Error in a photometer measurement" is shown. From the related structure function we get
- a-tests and
- b-tests.
Component failures (inputs), Fig. 26:
V1b, V2B, V3a as well as PU1 (full), V8a, L4 indicate failures in the components of the device. Note that for the analysis step No. 5 (cuvette filled) (see /18/, /19/) two min cuts may lead to a measurement error. Note that this event only reduces availability.
[Fig. 26 Fault Tree (inputs V1b, V2B, V3a, PU1 (full), V8a, L4): figure not reproduced]
The structure function is:
  φ = x1x2x3 + x4x5x6
We get as a-tests:
                    123456              123456
  p1 = x1x2x3 =     111---      a1 =    111000
  p2 = x4x5x6 =     ---111      a2 =    000111
If two min cuts are possible causes of a measurement error, the a-tests locate exactly which group of components has failed.
We get as b-tests:
                          123456                 123456
  p1 = x1x2x3 =           111---
     p1k   k = 1          011---       b1k =     011000
           2              101---                 101000
           3              110---                 110000
  p2 = x4x5x6 =           ---111
     p2k   k = 1          ---011       b2k =     000011
           2              ---101                 000101
           3              ---110                 000110
Thus we can detect all states which are adjacent to system failure. This is much better than stopping the device at any single failure; it considerably decreases unavailability. Moreover, this leads to a systematic search for all states adjacent to system failure during the whole operation of the device.
Note: This test set can be used for the whole photometry and conductivity measurement subsystem (see also /18/).
Efficiency: For n = 6 inputs (the six AND-gate input lines of the two-level realisation, one per literal) we have 3^n - 1 multiple faults (including the single faults), i.e. 3^6 - 1 = 728 = 7.28·10^2.
All of them are automatically contained in the lists of a-tests and b-tests.
6.2 A Standby System with Motor
This system is reproduced in the literature /20/. It has been used for fault tree analysis.
[Fig. 27 Standby system (push buttons, switches, battery, motor): figure not reproduced]
We describe this system briefly: Assume the system is a standby system that is tested once every month. It consists of a battery, two switches in parallel, and a motor. To start the motor, two push buttons are pressed to close the two switch contacts 1 and 2. To stop the motor at the end of the test, two push buttons are depressed. Periodically, say every six months, the operator must recharge the battery and perform routine maintenance on the motor.
We have the following fault tree, which describes the failure of the
[Fig. 28 Fault Tree: figure not reproduced]
Next we give the structure function. By a top-down algorithm we find the min cuts.
  f = x1 + B + x2
    = x1 + C + F + x2
    = x1 + D·E + x7 + G + x2
    = x1 + D·E + x7 + x9·H + x8 + x2
    = x1 + x2 + x7 + x8 + D·E + x9·H
    = x1 + x2 + x7 + x8
      + x3·x5 + x3·x6 + x4·x5 + x4·x6
      + x9·x10 + x9·x11 + x9·x12 + x9·x13 + x9·x14
(B, C, D, E, F, G, H are the intermediate gates of Fig. 28; the last step uses D = x3 + x4, E = x5 + x6 and H = x10 + x11 + x12 + x13 + x14.)
















Min cut set     Description of failure combination
x1              Motor fails to start
x2              Inadequate maintenance of motor
x7              Dead battery (primary failure)
x8              Operator fails to recharge battery
x3·x5           Switch 1 contacts fail to close; switch 2 contacts fail to close
x3·x6           Switch 1 contacts fail to close; secondary failure of switch 2
x4·x5           Secondary failure of switch 1; switch 2 contacts fail to close
x4·x6           Secondary failure of switch 1; secondary failure of switch 2
x9·x10          Battery operates sufficiently long to discharge; secondary failure of switch 1
x9·x11          Battery operates sufficiently long to discharge; switch 1 contacts fail to open
x9·x12          Battery operates sufficiently long to discharge; operator fails to depress push button
x9·x13          Battery operates sufficiently long to discharge; switch 2 contacts fail to open
x9·x14          Battery operates sufficiently long to discharge; secondary failure of switch 2
List with failure combinations (a-tests and b-tests for the 13 min cuts): [table not reproduced]
The min cuts x1, x2, x7, x8 are single failures: b-test not applicable.
Efficiency: For n = 22 inputs (the gate input lines of the two-level realisation, one per literal of the min cuts) we have 3^n - 1 multiple faults, i.e. 3^22 - 1 = 3.138·10^10.
All these faults are automatically covered by the lists for a-tests and b-tests.
6.3 Failure of a Residual Heat Removal System (RHR)
We have this system /21/, represented by a fault tree. The undesired event is "RHR loss of isolation".
[Fig. 29 RHR fault tree: restructured TOP (RHR, Residual Heat Removal): figure not reproduced]
The structure function is:
  φ = A2·A4·A10       42 min cuts
    + A2·A8·A10       14   "
    + A2·9·A10        14   "
    + A2·10·A10       14   "       = 84 min cuts
    + A2·A4·21         6   "
    + A2·A8·21         2   "
    + A2·9·21          2   "
    + A2·10·21         2   "       = 12 min cuts
                                      96 min cuts
where A2  = 1 + 2
      A4  = ((3 + 4)·5 + 6)·7
      A8  = 7·8
      A10 = 11·(12 + 13 + ((14 + 15)·16 + 17 + 19 + 20)·18).
For simplicity, we restrict the tests to A10 (F023 OPEN).
Structure function for A10:
  A10 (F023 OPEN) = A11 + A12 + A13 + A17 + A18
  A11 = 11·12
  A12 = 11·13
  A13 = A14·11·18
  A14 = A15 + 17              (CONTROL SIGNAL TO F023)
  A15 = A16·16
  A16 = 14 + 15               (INTERLOCK 2 PERMISSIVE)
  A13 = 11·((14 + 15)·16 + 17)·18
  A17 = 11·18·19
  A18 = 11·18·20
  A10 = 11·12 + 11·13 + 11·((14 + 15)·16 + 17)·18 + 11·18·19 + 11·18·20
      = 11·12 + 11·13 + 11·14·16·18 + 11·15·16·18 + 11·17·18 + 11·18·19 + 11·18·20
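The top-down expansion used in sects. 6.2 and 6.3, as an added example for coherent fault trees (code written for this edition, not the report's). The gate structure is read off the two derivations: gate names B to H and A11 to A18 are those of the text, the name G1 for the product x9·H is an assumption of the example. The code enumerates the min cuts with absorption, counts the gate input lines n of the two-level realisation and the 3^n - 1 multiple faults, and lists for every min cut the states adjacent to system failure (the b_jk of the tables), checking them against the structure function.

```python
"""Min cuts of a coherent fault tree by top-down expansion with absorption,
and the adjacent states used as b-tests.  Added example for sects. 6.2 and 6.3."""

STANDBY = {                                    # sect. 6.2, Fig. 28; events as numbered there
    'TOP': ('OR',  [1, 'B', 2]),
    'B':   ('OR',  ['C', 'F']),
    'C':   ('AND', ['D', 'E']),
    'D':   ('OR',  [3, 4]),
    'E':   ('OR',  [5, 6]),
    'F':   ('OR',  [7, 'G']),
    'G':   ('OR',  [8, 'G1']),
    'G1':  ('AND', [9, 'H']),                  # 'G1' is an assumed name for x9*H
    'H':   ('OR',  [10, 11, 12, 13, 14]),
}

RHR_A10 = {                                    # sect. 6.3, gate A10 = F023 OPEN
    'A10': ('OR',  ['A11', 'A12', 'A13', 'A17', 'A18']),
    'A11': ('AND', [11, 12]),
    'A12': ('AND', [11, 13]),
    'A13': ('AND', ['A14', 11, 18]),
    'A14': ('OR',  ['A15', 17]),
    'A15': ('AND', ['A16', 16]),
    'A16': ('OR',  [14, 15]),
    'A17': ('AND', [11, 18, 19]),
    'A18': ('AND', [11, 18, 20]),
}


def absorb(cuts):
    """Absorption x + x*y = x: keep only the cuts that contain no other cut."""
    return {c for c in cuts if not any(o < c for o in cuts)}


def min_cuts(tree, node):
    """Min cuts (frozensets of basic events) of the sub-tree under `node`.
    OR gates collect the cuts of their inputs, AND gates combine them pairwise;
    absorption after every gate keeps the list minimal (coherent trees only)."""
    if node not in tree:                       # a basic event is its own min cut
        return {frozenset([node])}
    kind, inputs = tree[node]
    if kind == 'OR':
        cuts = set()
        for inp in inputs:
            cuts |= min_cuts(tree, inp)
    elif kind == 'AND':
        cuts = {frozenset()}
        for inp in inputs:
            cuts = {a | b for a in cuts for b in min_cuts(tree, inp)}
    else:
        raise ValueError(kind)
    return absorb(cuts)


def structure_function(cuts, failed):
    """phi = 1 iff some min cut lies entirely inside the set of failed components."""
    return int(any(c <= frozenset(failed) for c in cuts))


def gate_input_lines(cuts):
    """n of the two-level AND-OR realisation: one input line per literal."""
    return sum(len(c) for c in cuts)


def multiple_fault_count(cuts):
    return 3 ** gate_input_lines(cuts) - 1


def adjacent_states(cuts):
    """b_jk of the tables: min cut j with one component k repaired, i.e. the
    states one failure short of system failure.  Minimality of the cuts
    guarantees phi = 0 there.  Single-component cuts are left out: their only
    adjacent state is the fault-free state (b-test not applicable)."""
    return {c: [c - {e} for e in sorted(c)] for c in cuts if len(c) > 1}


if __name__ == '__main__':
    for name, tree, top in (('standby system', STANDBY, 'TOP'), ('RHR A10', RHR_A10, 'A10')):
        cuts = min_cuts(tree, top)
        print(name, ':', len(cuts), 'min cuts,', gate_input_lines(cuts),
              'gate input lines,', multiple_fault_count(cuts), 'multiple faults')
        for c in sorted(cuts, key=sorted):
            print('  ', sorted(c), '-> adjacent:',
                  [sorted(s) for s in adjacent_states(cuts).get(c, [])])
```

For the standby system the code returns the 13 min cuts of the table and n = 22; for A10 it returns the seven min cuts and n = 21, and the adjacent states of 11·14·16·18 are the four b_3k of the b-test table below.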
a-Test
Min cuts p_j              11 12 13 14 15 16 17 18 19 20
  1  (11·12)               1  1  -  -  -  -  -  -  -  -
  2  (11·13)               1  -  1  -  -  -  -  -  -  -
  3  (11·14·16·18)         1  -  -  1  -  1  -  1  -  -
  4  (11·15·16·18)         1  -  -  -  1  1  -  1  -  -
  5  (11·17·18)            1  -  -  -  -  -  1  1  -  -
  6  (11·18·19)            1  -  -  -  -  -  -  1  1  -
  7  (11·18·20)            1  -  -  -  -  -  -  1  -  1

Minterms a_j              11 12 13 14 15 16 17 18 19 20
  1                        1  1  0  0  0  0  0  0  0  0    A11
  2                        1  0  1  0  0  0  0  0  0  0    A12
  3                        1  0  0  1  0  1  0  1  0  0    A13
  4                        1  0  0  0  1  1  0  1  0  0    A13
  5                        1  0  0  0  0  0  1  1  0  0    A13
  6                        1  0  0  0  0  0  0  1  1  0    A17
  7                        1  0  0  0  0  0  0  1  0  1    A18

Here also information on the subsystems (A16, A15, A14) is available. We get more details than from the min cuts alone.
b-Test
p_j and p_jk                11 12 13 14 15 16 17 18 19 20    Minterm b_jk (11 ... 20)
p1 = x11 x12                 1  1  -  -  -  -  -  -  -  -
  p1k  k = 1                 0  1  -  -  -  -  -  -  -  -    0 1 0 0 0 0 0 0 0 0
       2                     1  0  -  -  -  -  -  -  -  -    1 0 0 0 0 0 0 0 0 0
p2 = x11 x13                 1  -  1  -  -  -  -  -  -  -
  p2k  k = 1                 0  -  1  -  -  -  -  -  -  -    0 0 1 0 0 0 0 0 0 0
       2                     1  -  0  -  -  -  -  -  -  -    1 0 0 0 0 0 0 0 0 0
p3 = x11 x14 x16 x18         1  -  -  1  -  1  -  1  -  -
  p3k  k = 1                 0  -  -  1  -  1  -  1  -  -    0 0 0 1 0 1 0 1 0 0
       2                     1  -  -  0  -  1  -  1  -  -    1 0 0 0 0 1 0 1 0 0
       3                     1  -  -  1  -  0  -  1  -  -    1 0 0 1 0 0 0 1 0 0
       4                     1  -  -  1  -  1  -  0  -  -    1 0 0 1 0 1 0 0 0 0
p4 = x11 x15 x16 x18         1  -  -  -  1  1  -  1  -  -
  p4k  k = 1                 0  -  -  -  1  1  -  1  -  -    0 0 0 0 1 1 0 1 0 0
       2                     1  -  -  -  0  1  -  1  -  -    1 0 0 0 0 1 0 1 0 0
       3                     1  -  -  -  1  0  -  1  -  -    1 0 0 0 1 0 0 1 0 0
       4                     1  -  -  -  1  1  -  0  -  -    1 0 0 0 1 1 0 0 0 0
p5 = x11 x17 x18             1  -  -  -  -  -  1  1  -  -
  p5k  k = 1                 0  -  -  -  -  -  1  1  -  -    0 0 0 0 0 0 1 1 0 0
       2                     1  -  -  -  -  -  0  1  -  -    1 0 0 0 0 0 0 1 0 0
       3                     1  -  -  -  -  -  1  0  -  -    1 0 0 0 0 0 1 0 0 0
p6 = x11 x18 x19             1  -  -  -  -  -  -  1  1  -
  p6k  k = 1                 0  -  -  -  -  -  -  1  1  -    0 0 0 0 0 0 0 1 1 0
       2                     1  -  -  -  -  -  -  0  1  -    1 0 0 0 0 0 0 0 1 0
       3                     1  -  -  -  -  -  -  1  0  -    1 0 0 0 0 0 0 1 0 0
p7 = x11 x18 x20             1  -  -  -  -  -  -  1  -  1
  p7k  k = 1                 0  -  -  -  -  -  -  1  -  1    0 0 0 0 0 0 0 1 0 1
       2                     1  -  -  -  -  -  -  0  -  1    1 0 0 0 0 0 0 0 0 1
       3                     1  -  -  -  -  -  -  1  -  0    1 0 0 0 0 0 0 1 0 0
Efficiency: For n = 21 inputs (gate input lines of the two-level realisation of A10) we have 3^n - 1 multiple faults, i.e. 3^21 - 1 = 1.046·10^10.
All these faults are automatically covered by the lists for a-tests and b-tests.
6.4 Nitric Acid Cooler
We consider a subsystem from the chemical industry which cools hot nitric acid (HNO3) in a process, with a temperature feedback and a pump-shutdown feedforward. This has been analyzed by Lapp and Powers /22/.
[Fig. 30 Block diagram for nitric acid cooler (cooling water inlet/outlet, temperature sensor): figure not reproduced]
1. We list the components of this system, giving
   - possible inputs and outputs and
   - possible failures.
   These may be translated into a fault table. But we will have a simpler way to deal with diagnosis by means of a-tests and b-tests.
2. Then we give a flow diagram for the possible processes including faults.
3. This leads to a non-coherent fault tree.




[Component list, flow diagram and fault tree of the nitric acid cooler (events such as "line 11 plugged", "reversed valve function"): figures not reproduced]
[Fig. 34 Subtree (gates G5 to G15 with events A1 to A9, x1 to x10): figure not reproduced]
Structure function of a non-coherent structure
(We use the top-down algorithm, which here gives all prime implicants, but not for non-coherent structures in general.)
  $\varphi = A_2 + x_{10} + A_3$
  $= A_4 + A_5 + x_{10} + x_7 A_6$
  $= A_7 \bar{x}_6 + \bar{A}_7 x_6$ (EXOR) $+ x_{10} + x_7 x_8 + x_7 x_9$
  $= (A_8 + x_3 + x_4)\,\bar{x}_6 + (\bar{A}_8 \bar{x}_3 \bar{x}_4)\,x_6 + x_{10} + x_7 x_8 + x_7 x_9$
  $= ((x_1 + x_2 + x_4) x_5 + x_3 + x_4)\,\bar{x}_6 + ((\bar{x}_1 \bar{x}_2 \bar{x}_4 + \bar{x}_5)\,\bar{x}_3 \bar{x}_4)\,x_6 + x_{10} + x_7 x_8 + x_7 x_9$
  $= x_1 x_5 \bar{x}_6 + x_2 x_5 \bar{x}_6 + x_3 \bar{x}_6 + x_4 \bar{x}_6 + \bar{x}_1 \bar{x}_2 \bar{x}_3 \bar{x}_4 x_6 + \bar{x}_3 \bar{x}_4 \bar{x}_5 x_6 + x_{10} + x_7 x_8 + x_7 x_9$
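An added example (code written for this edition, not the report's) that computes all prime implicants of a function given with complemented literals by brute force over all cubes and compares them with the terms delivered by the top-down expansion. For the G5 subtree above (variables x1 to x6; cubes written as in the tables, '0' standing for a complemented literal) the six terms are indeed all the prime implicants. For the constructed function x1x2 + x̄1x3 the expansion yields two terms, while the consensus term x2x3 is a third prime implicant; this is the general caveat made in the parenthesis above, and tests derived from an incomplete list of prime implicants would miss the corresponding subcubes.

```python
"""All prime implicants of a switching function given as a sum of products over
{0, 1, -}, by brute force over the 3**n cubes.  Added example for sect. 6.4."""
from itertools import product


def matches(cube, minterm):
    """True if the minterm lies in the cube ('-' matches either value)."""
    return all(c == '-' or c == m for c, m in zip(cube, minterm))


def truth_table(terms, n):
    """Value of the sum of products at every minterm of n variables."""
    words = [''.join(bits) for bits in product('01', repeat=n)]
    return {w: int(any(matches(t, w) for t in terms)) for w in words}


def is_implicant(cube, table):
    """A cube is an implicant if the function is 1 on all of its minterms."""
    return all(v for m, v in table.items() if matches(cube, m))


def prime_implicants(terms, n):
    """A cube is prime if it is an implicant and no cube obtained by freeing
    one of its literals still is (freeing two literals would contain the
    cube obtained by freeing either one, so one step suffices)."""
    table = truth_table(terms, n)
    primes = []
    for bits in product('01-', repeat=n):
        cube = ''.join(bits)
        if not is_implicant(cube, table):
            continue
        wider = (cube[:i] + '-' + cube[i + 1:] for i, c in enumerate(cube) if c != '-')
        if not any(is_implicant(w, table) for w in wider):
            primes.append(cube)
    return sorted(primes)


def primes_missed_by_expansion(terms, n):
    """Prime implicants that are not among the terms the expansion produced."""
    return [p for p in prime_implicants(terms, n) if p not in terms]


# G5 subtree of the nitric acid cooler, variables x1..x6, as derived above.
G5 = ['1---10', '-1--10', '--1--0', '---1-0', '0000-1', '--0001']
# Constructed function x1x2 + x1'x3: the expansion gives two terms only.
TOY = ['11-', '0-1']

if __name__ == '__main__':
    print('G5 primes :', prime_implicants(G5, 6), 'missed:', primes_missed_by_expansion(G5, 6))
    print('toy primes:', prime_implicants(TOY, 3), 'missed:', primes_missed_by_expansion(TOY, 3))
```

The brute force costs about 3^n · 2^n minterm checks, which is fine for the six variables of G5 but not for large trees; for those, an iterated-consensus or Quine-McCluskey procedure on the expanded terms gives the same result.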
a-Test
Prime implicants p_j                                    1 2 3 4 5 6 7 8 9 10
p1 = $x_1 x_5 \bar{x}_6$                                1 - - - 1 0 - - - -
p2 = $x_2 x_5 \bar{x}_6$                                - 1 - - 1 0 - - - -
p3 = $x_3 \bar{x}_6$                                    - - 1 - - 0 - - - -
p4 = $x_4 \bar{x}_6$                                    - - - 1 - 0 - - - -
p5 = $\bar{x}_1 \bar{x}_2 \bar{x}_3 \bar{x}_4 x_6$      0 0 0 0 - 1 - - - -
p6 = $\bar{x}_3 \bar{x}_4 \bar{x}_5 x_6$                - - 0 0 0 1 - - - -
p7 = $x_7 x_8$                                          - - - - - - 1 1 - -
p8 = $x_7 x_9$                                          - - - - - - 1 - 1 -
p9 = $x_{10}$                                           - - - - - - - - - 1

Minterms a_j                                            1 2 3 4 5 6 7 8 9 10
a1                                                      1 0 0 0 1 0 0 0 0 0
a2                                                      0 1 0 0 1 0 0 0 0 0
a3                                                      0 0 1 0 0 0 0 0 0 0
a4                                                      0 0 0 1 0 0 0 0 0 0
a5                                                      0 0 0 0 1 1 0 0 0 0
a6                                                      1 1 0 0 0 1 0 0 0 0
a7                                                      0 0 0 0 0 0 1 1 0 0
a8                                                      0 0 0 0 0 0 1 0 1 0
a9                                                      0 0 0 0 0 0 0 0 0 1
b-Test for G5 of the nitric acid cooler (followed by p7, p8, p9)
Each b_jk is a minterm of the adjacent subcube p_jk at which φ = 0; where the minterm with all free variables 0 lies in another prime implicant, the next one is taken. Several b_jk coincide. *)
p_j and p_jk                                            1 2 3 4 5 6 7 8 9 10    b_jk
p1 = $x_1 x_5 \bar{x}_6$                                1 - - - 1 0 - - - -
  p1k  k = 1                                            0 - - - 1 0 - - - -    0 0 0 0 1 0 0 0 0 0
       2                                                1 - - - 0 0 - - - -    1 0 0 0 0 0 0 0 0 0
       3                                                1 - - - 1 1 - - - -    1 0 0 0 1 1 0 0 0 0
p2 = $x_2 x_5 \bar{x}_6$                                - 1 - - 1 0 - - - -
  p2k  k = 1                                            - 0 - - 1 0 - - - -    0 0 0 0 1 0 0 0 0 0
       2                                                - 1 - - 0 0 - - - -    0 1 0 0 0 0 0 0 0 0
       3                                                - 1 - - 1 1 - - - -    0 1 0 0 1 1 0 0 0 0
p3 = $x_3 \bar{x}_6$                                    - - 1 - - 0 - - - -
  p3k  k = 1                                            - - 0 - - 0 - - - -    0 0 0 0 0 0 0 0 0 0
       2                                                - - 1 - - 1 - - - -    0 0 1 0 0 1 0 0 0 0
p4 = $x_4 \bar{x}_6$                                    - - - 1 - 0 - - - -
  p4k  k = 1                                            - - - 0 - 0 - - - -    0 0 0 0 0 0 0 0 0 0
       2                                                - - - 1 - 1 - - - -    0 0 0 1 0 1 0 0 0 0
p5 = $\bar{x}_1 \bar{x}_2 \bar{x}_3 \bar{x}_4 x_6$      0 0 0 0 - 1 - - - -
  p5k  k = 1                                            1 0 0 0 - 1 - - - -    1 0 0 0 1 1 0 0 0 0
       2                                                0 1 0 0 - 1 - - - -    0 1 0 0 1 1 0 0 0 0
       3                                                0 0 1 0 - 1 - - - -    0 0 1 0 0 1 0 0 0 0
       4                                                0 0 0 1 - 1 - - - -    0 0 0 1 0 1 0 0 0 0
       5                                                0 0 0 0 - 0 - - - -    0 0 0 0 0 0 0 0 0 0
p6 = $\bar{x}_3 \bar{x}_4 \bar{x}_5 x_6$                - - 0 0 0 1 - - - -
  p6k  k = 1                                            - - 1 0 0 1 - - - -    0 0 1 0 0 1 0 0 0 0
       2                                                - - 0 1 0 1 - - - -    0 0 0 1 0 1 0 0 0 0
       3                                                - - 0 0 1 1 - - - -    0 1 0 0 1 1 0 0 0 0
       4                                                - - 0 0 0 0 - - - -    0 0 0 0 0 0 0 0 0 0
p7 = $x_7 x_8$                                          - - - - - - 1 1 - -
  p7k  k = 1                                            - - - - - - 0 1 - -    0 0 0 0 0 0 0 1 0 0
       2                                                - - - - - - 1 0 - -    0 0 0 0 0 0 1 0 0 0
p8 = $x_7 x_9$                                          - - - - - - 1 - 1 -
  p8k  k = 1                                            - - - - - - 0 - 1 -    0 0 0 0 0 0 0 0 1 0
       2                                                - - - - - - 1 - 0 -    0 0 0 0 0 0 1 0 0 0
p9 = $x_{10}$                                           - - - - - - - - - 1
  p9k  k = 1                                            - - - - - - - - - 0    0 0 0 0 0 0 0 0 0 0
*) We use a decimal numbering to check whether any of the b_jk is also included in more than one adjacent subcube. If this is not the
Efficiency: For n = 24 inputs (gate input lines of the two-level realisation, one per literal) we have 3^n - 1 multiple faults, i.e. 3^24 - 1 = 2.824·10^11.
All these faults are automatically covered by the lists for a-tests and b-tests.
6.5 An Illustrative Fault Tree
We present a fault tree which has already been analyzed in sect. 1.7 (see /11/).
This fault tree is used for some research in simulation, where the system is not represented by software but by hardware (e.g. with a sum-of-products representation, using diode logic /23/, /1/).
It is important to check this hardware in two respects:
- It is necessary to validate that the diode logic represents the original fault tree (this will not be discussed here).
- It is also necessary to test whether there are any s-a-0 or s-a-1 faults in the diode logic. If there were any faults, this could seriously affect the simulation result.
Here is another, more direct application of the a-tests and b-tests.
The min cuts for the following fault tree have been calculated by the bottom-up algorithm (sect. 1.7).
[Fig. 35 Illustrative Example of Fault Tree: figure not reproduced]
Assume we can get the outputs from E1, E2 separately. Then we get the following tests:
  φ_E1 = 2·3 + 2·5 + 1·6 + 3·6·10 + 3·6·14 + 8·9·13 + 10·16 + 5·10·11
a-Tests (subtree E1); positions 1 to 16 from left to right
Min cuts p_j
  1  (2·3)            -11-------------
  2  (2·5)            -1--1-----------
  3  (1·6)            1----1----------
  4  (3·6·10)         --1--1---1------
  5  (3·6·14)         --1--1-------1--
  6  (8·9·13)         -------11---1---
  7  (10·16)          ---------1-----1
  8  (5·10·11)        ----1----11-----
Minterms a_j
  1                   0110000000000000
  2                   0100100000000000
  3                   1000010000000000
  4                   0010010001000000
  5                   0010010000000100
  6                   0000000110001000
  7                   0000000001000001
  8                   0000100001100000
Similarly, we get a-tests for subtree E2.
b-Tests (subtree E1); positions 1 to 16 from left to right
p_j and p_jk                              b_jk
p1 = 2·3        -11-------------
  p11           -01-------------          0010000000000000
  p12           -10-------------          0100000000000000
p2 = 2·5        -1--1-----------
  p21           -0--1-----------          0000100000000000
  p22           -1--0-----------          0100000000000000
p3 = 1·6        1----1----------
  p31           0----1----------          0000010000000000
  p32           1----0----------          1000000000000000
p4 = 3·6·10     --1--1---1------
  p41           --0--1---1------          0000010001000000
  p42           --1--0---1------          0010000001000000
  p43           --1--1---0------          0010010000000000
p5 = 3·6·14     --1--1-------1--
  p51           --0--1-------1--          0000010000000100
  p52           --1--0-------1--          0010000000000100
  p53           --1--1-------0--          0010010000000000
p6 = 8·9·13     -------11---1---
  p61           -------01---1---          0000000010001000
  p62           -------10---1---          0000000100001000
  p63           -------11---0---          0000000110000000
p7 = 10·16      ---------1-----1
  p71           ---------0-----1          0000000000000001
  p72           ---------1-----0          0000000001000000
p8 = 5·10·11    ----1----11-----
  p81           ----0----11-----          0000000001100000
  p82           ----1----01-----          0000100000100000
  p83           ----1----10-----          0000100001000000
Similarly, we get b-tests for subtree E2.
Efficiency: For n = 20 inputs (the gate input lines of subtree E1, one per literal of its min cuts) we get 3^n - 1 multiple faults, i.e. 3^20 - 1 = 3.487·10^9.





/1/ Z. Kohavi, Switching and Finite Automata Theory, McGraw-Hill Book Company, New York 1978
/2/ J. P. Hayes, Computer Architecture and Organization, McGraw-Hill Book Company, New York 1978
/3/ K. E. Iverson, A Programming Language, John Wiley and Sons Inc., New York 1962
/4/ B. Girling, H. G. Moring, Logic and Logic Design, Intertext Books, International Textbook Company Limited, 1973
/5/ V. T. Rhyne et al., A New Technique for the Minimization of Switching Functions, IEEE Trans. on Computers, Vol. C-26, pp. 757-763 (1977)
/6/ M. Davio, J.-P. Deschamps, A. Thayse, Discrete and Switching Functions, McGraw-Hill Book Company, New York 1978
/7/ R. J. Nelson, Simplest Normal Truth Functions, J. Symbolic Logic, Vol. 20, pp. 105-108 (1954)
/8/ B. L. Hulme, R. B. Worrell, A Prime Implicant Algorithm with Factoring, IEEE Trans. on Computers, Vol. C-24, pp. 1129-1131 (1975)
/9/ J. B. Fussell, W. E. Vesely, A New Methodology for Obtaining Cut Sets for Fault Trees, Trans. Amer. Nucl. Soc., Vol. 15, pp. 262-263, June 1972
/10/ R. G. Bennetts, On the Analysis of Fault Trees, IEEE Trans. on Reliability, Vol. R-24, pp. 175-185 (1975)
/11/ K. Nakashima, Y. Hattori, An Efficient Bottom-up Algorithm for Enumerating Minimal Cut Sets of Fault Trees, IEEE Trans. on Reliability, Vol. R-28, pp. 353-357 (1979)
/12/ M. A. Breuer, A. D. Friedman, Diagnosis & Reliable Design of Digital Systems, Pitman Publ. Ltd., London 1977
/13/ J. D. Murchland, G. G. Weber, A Moment Method for the Calculation of a Confidence Interval for the Failure Probability of a System, Proceedings of 1972 Annual Reliability and Maintainability Symposium, San Francisco, pp. 565-577
/14/ R. E. Barlow, F. Proschan, Statistical Theory of Reliability and Life Testing (Probability Models), Holt, Rinehart and Winston Inc., New York 1975
/15/ U. Höfle-Isphording, Zuverlässigkeitsrechnung (Reliability Calculation), Springer Verlag, Berlin 1978
/16/ VDI Richtlinie 4008/Blatt 7, Strukturfunktion und ihre Anwendung (Entwurf) (VDI Guideline 4008, Sheet 7: Structure Function and its Application, draft), Verein Deutscher Ingenieure, Düsseldorf 1979
/17/ S. C. Lee, Modern Switching Theory and Digital Design, Prentice-Hall Inc., Englewood Cliffs, New Jersey 1978
/18/ I. Kohavi, Z. Kohavi, Detection of Multiple Faults in Combinational Logic Networks, IEEE Trans. on Computers, Vol. C-21, pp. 556-568 (1972)
/19/ G. G. Weber, Untersuchung des Zusammenhangs zwischen Fehlerbaumanalyse und Störfallanalyse am Beispiel des Photometer-Leitfähigkeitsmeßstandes (Investigation of the Relation between Fault Tree Analysis and Incident Analysis, Using the Photometer/Conductivity Measuring Station as an Example), KfK 2909, February 1980, Kernforschungszentrum Karlsruhe
/20/ D. Stöckle, Unpublished Results
/21/ H. E. Lambert, Fault Trees for Decision Making in Systems Analysis (Ph.D. Thesis), UCRL-51829, University of California, Livermore 1975
/22/ S. L. Salem, G. E. Apostolakis, D. Okrent, A New Methodology for the Computer-Aided Construction of Fault Trees, Ann. of Nucl. Energy, Vol. 4, pp. 417-433, Pergamon Press 1977
/23/ S. A. Lapp, G. J. Powers, Computer-Aided Synthesis of Fault Trees, IEEE Trans. on Reliability, Vol. R-26, pp. 2-13 (1977); and S. A. Lapp, G. J. Powers, Update of Lapp-Powers Fault-Tree Synthesis Algorithm, IEEE Trans. on Reliability, Vol. R-28, pp. 12-15 (1979)
/24/ S. Fenyi, Unpublished Results
/25/ K. Nakashima, Studies on Reliability Analysis and Design of Complex Systems, Ph.D. Thesis, Kyoto University, Kyoto, Japan, March 1980
/26/ W. Görke, Generating Tests for Functional Expressions, in: Self-Diagnosis and Fault-Tolerance, Proceedings, Mario Dal Cin, Elmar Dilger (Eds.), Attempto Verlag, Tübingen 1981
