Decision Diagram Algorithms to Extract Minimal Cutsets of Finite Degradation Models

In this article, we propose decision diagram algorithms to extract minimal cutsets of finite degradation models. Finite degradation models generalize and unify combinatorial models used to support probabilistic risk, reliability and safety analyses (fault trees, attack trees, reliability block diagrams...). They formalize a key idea underlying all risk assessment methods: states of the models represent levels of degradation of the system under study. Although these states cannot be totally ordered, they have a rich algebraic structure that can be exploited to extract minimal cutsets of models, which represent the most relevant scenarios of failure. The notion of minimal cutsets we introduce here generalizes the one defined for fault trees. We show how algorithms used to calculate minimal cutsets can be lifted up to finite degradation models, thanks to a generic decomposition theorem and an extension of the binary decision diagram technology. We discuss implementation and performance issues. Finally, we illustrate the interest of the proposed technology by means of a use case stemming from the oil and gas industry.


Introduction
Since the famous WASH-1400 report [1] and the Three Mile Island nuclear accident, probabilistic risk, reliability and safety analyses have developed considerably. They are nowadays applied to virtually all industrial systems whose operation presents a risk for the systems themselves, their operators or their environment.
Probabilistic risk, reliability and safety assessment models describe how a system may degrade and eventually fail under the occurrence of random events such as failures of mechanical components, sudden changes in environmental conditions or human errors. They can be split into three nested categories: combinatorial models, state automata and process algebras [2].
Combinatorial models are the simplest, but also by far the most widely used. In these models, the state of the system is described as a combination of the states of its components. As the number of possible states considered for each component is finite, and in general small, the number of possible states of the system is also finite, although subject to an exponential blow-up. Boolean models, i.e., fault trees, reliability block diagrams and event trees, belong to this category, see e.g., [3,4] for reference textbooks. So-called multistate systems [5][6][7], i.e., extensions of Boolean models to the case where components can be in more than two (but still a finite number of) states, also fall into this category.
Intuitively, combinatorial models take a snapshot of the system at a given point in time. They do not consider the trajectory that led the system from its initial state to its current state. Consequently, they can only approximate time dependencies induced for instance by cold redundancies or reconfigurations. To take such dependencies into account, one needs more expressive models such as Markov chains [8], stochastic Petri nets [9], or guarded transition systems [10,11]. These models belong either to the category of state automata or to the category of process algebras. However, the more expressive the model, the more computationally expensive the calculation of probabilistic indicators from that model. Consequently, probabilistic risk, reliability and safety assessment models always result from a tradeoff between the accuracy of the description of the system under study and the ability to perform calculations on this description, see reference [2] for an in-depth discussion. Moreover, the more expressive the model, the harder it is to design, to validate and to maintain. This is the reason why combinatorial models, and more specifically Boolean models, dominate the industrial practice.
It remains that, with the steadily increasing complexity of technical systems, the more expressive power models can have, the better, with the proviso that the added expressive power does not degrade the computational complexity of assessments. This is why much effort has been devoted in recent years to the study of multistate systems. This is also what led us to introduce the algebraic concept of finite degradation structures [12]. Finite degradation models generalize and unify both Boolean models and multistate systems. They can be seen as the most general mathematical framework that can be used to design probabilistic risk assessment models while staying in the realm of combinatorial models.
Calculations performed on Boolean models belong formally to two distinct categories: qualitative assessments and quantitative assessments. The former aim primarily at extracting and classifying minimal cutsets. Minimal cutsets represent minimal scenarios of failure. The latter aim primarily at calculating probabilistic risk indicators such as the unavailability of the system (probability that the system is failed at time t), safety integrity levels or importance measures. In practice, this distinction is blurred because there are so many minimal cutsets that only the most relevant, i.e., the most probable, ones can be extracted. Moreover, the best way of calculating probabilistic indicators is to assess them via minimal cutsets. This is the reason why the extraction of the most probable minimal cutsets plays a central role in probabilistic risk and safety analyses.
Finite degradation structures formalize what is probably the most fundamental idea underlying all risk assessment methods: the states of a model represent essentially various levels of degradation of the system under study. Although these states cannot be totally ordered, they have a rich algebraic structure that can be exploited both by analysts and by assessment algorithms: when studying a given level of degradation of the system, one is interested in the minimal conditions that produce this degradation level. These conditions are in turn characterized by the minimal states, with respect to the degradation order, in which the system reaches the given degradation level. In other words, the notion of minimal cutset, or minimal state, of finite degradation models generalizes, and sheds a new light on, the one defined for fault trees.
There are essentially two families of algorithms to extract minimal cutsets. The first one consists of top-down algorithms. MOCUS [13] and its modern versions, such as the one implemented in RiskSpectrum [14] and the one implemented in XFTA [15], belong to this family. The second family consists of bottom-up algorithms based on the binary decision diagram technology [16][17][18]. We show here how to extend this technology so as to handle finite degradation structures, via ideas introduced by Minato [19] (in a different context). For this purpose, we introduce the notion of implicative normal form for formulas encoding discrete functions. We demonstrate a generic decomposition theorem making possible the extraction of the most probable minimal states. This theorem generalizes the one of reference [16], which is at the core of minimal cutset calculations.
The contribution of this article is thus fourfold. First, it shows how to generalize the concept of minimal cutsets to finite degradation models. Second, it demonstrates a decomposition theorem that makes it possible to lift the Boolean algorithms proposed in reference [16] up to finite degradation models. Third, it shows how to extend the binary decision diagram technology so as to handle finite degradation models. Last, it discusses approximation schemes in the context of finite degradation models.
The remainder of this article is organized as follows. Section 2 presents an illustrative example stemming from the oil and gas industry. Section 3 introduces finite degradation structures and finite degradation models. Section 4 shows how to lift up the notion of minimal cutset. Section 5 shows how to extend the binary decision diagram technology. Section 6 discusses approximation schemes. Section 7 provides some experimental results. Finally, Section 8 concludes the article.
Appendix A presents the full model of the use case.

Illustrative Example
This section presents an example we shall use throughout the article to illustrate the proposed approach.

Description
The high pressure protection system (HIPPS) pictured in Figure 1 is referred to as TA4 in the ISO/TR 12489 standard [20]. The objective of this safety instrumented system is to protect a pipe section from overpressures. It involves seven main components: three sensors (S1, S2 and S3), two logic solvers (LS1 and LS2) and two actuators (the isolation valves V1 and V2). When the sensors detect an overpressure in the protected section, the logic solvers order the isolation valves to close so as to isolate the protected section. The logic solver LS2 works according to a 1-out-of-2 logic, i.e., it sends the order to close the valves if at least one of the two sensors S2 and S3 detects an overpressure.
As the failure of the TA4 HIPPS may result in a catastrophic accident, it is important to assess its reliability. This is classically done by means of a fault tree such as the one pictured in Figure 2.

Classification of Failures
The fault tree pictured in Figure 2 does not, however, distinguish the different types of failures. According to the standard IEC61508 [21], individual failures of components and global failures of a safety instrumented system can be classified along two directions: safe versus dangerous failures, and detected versus undetected failures. One finds similar classifications in other safety standards such as ISO 26262 [22].
In our example, safe failures are those which contribute to close the isolation valves, even though there is no overpressure (spurious triggers), while dangerous failures are those which contribute to keep the isolation valves open, even though there is an overpressure. These two types of failures have indeed very different consequences: the former hampers the profitability of the production while the latter may result in catastrophic accidents. Moreover, their frequencies may be very different.
If we look more specifically at dangerous failures, we need to distinguish detected and undetected ones. Logic solvers embed autotest facilities, so that their failures are immediately detected. On the contrary, failures of valves remain undetected between two maintenance interventions. Failures of sensors may be detected or not.
ISO/TR 12489 makes the following additional assumptions:
• All components may fail (independently). Their probabilities of failure follow negative exponential distributions. The parameters of these distributions are given in Table 1. Safe failures are always detected.
• The system is maintained once a year (every 8760 hours). The production is stopped during the maintenance. Components are as good as new after the maintenance.

Discussion
The Boolean logic at work in fault trees and related formalisms does not make it possible to distinguish the different types of failures. More exactly, it would be possible to design a fault tree for each type of failure, but this would be both tedious and error prone. Hence the idea of using multi-valued logics, in which variables and formulas can take more than two, but still a finite number of, values [7]. This raises, however, two conceptual and practical issues:

• Which algebraic properties should such a logic obey so that the usual notions of reliability engineering (minimal cutsets, top-event probability, importance measures, safety integrity levels...) can be lifted up into the logic?
• Once the mathematical foundations have been established, how can calculations of risk indicators be performed efficiently?
Finite degradation structures provide a general mathematical framework to answer the first question. In this article, we provide a concrete answer to the second one.

Finite Degradation Models
This section introduces finite degradation models, which unify and generalize the various types of combinatorial models used in the framework of probabilistic risk, reliability and safety analyses.

Finite Degradation Structures
A finite degradation structure is a triple ⟨C, ≤_C, ⊥_C⟩ where:
• C is a finite set of constants.
• ≤_C is a partial order over C.
• ⊥_C is the unique lower bound of C, i.e., the unique element such that ⊥_C ≤_C x for all x ∈ C.
Technically, finite degradation structures are thus semi-lattices. C is called the support set of the finite degradation structure.
The idea behind finite degradation structures is that each element of C represents a possible state of the system under study. The partial order ≤_C sorts states according to their level of degradation, i.e., s ≤_C t if the system is less degraded in the state s than in the state t. Finally, ⊥_C represents the initial, nominal state of the system. Figure 3 shows Hasse diagrams representing some typical finite degradation structures. In these diagrams, the degradation order is represented bottom-up. The finite degradation structure WF is the classical Boolean domain: w and f stand respectively for working and failed. Indeed, f is more degraded than w. The finite degradation structure WDF introduces the intermediate value d, which stands for degraded. Hence the natural degradation order w < d < f. In the finite degradation structure WFsd, the failure state fs (failed safe) is not comparable with the failure state fd (failed dangerous), although both are more degraded than the working state w. The finite degradation structure WFdu distinguishes two types of dangerous failures: detected ones (fd) and undetected ones (fu). Of course, undetected failures are more problematic than detected ones. Hence the order w < fd < fu. Last but not least, the finite degradation structure W3F combines WFsd and WFdu. We shall come back to this finite degradation structure, which is, implicitly, at the core of safety standards such as IEC61508 [21] and ISO/TR 12489 [20].
Note that WDF and WFdu are isomorphic. However, operations on these two finite degradation structures are different. It is thus worth considering them as distinct.
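To make these definitions concrete, here is a minimal Python sketch (the encoding by covering pairs and the class name are ours, not from the article) that represents a finite degradation structure as in the Hasse diagrams of Figure 3:

```python
class FDS:
    """A finite degradation structure: a finite set of states, a partial
    order (given by its covering pairs, as in a Hasse diagram) and a
    unique bottom element."""
    def __init__(self, states, covers, bottom):
        self.states = set(states)
        self.bottom = bottom
        self.lt = set(covers)
        # Transitive closure of the covering relation yields the strict order.
        changed = True
        while changed:
            changed = False
            for (a, b) in list(self.lt):
                for (c, d) in list(self.lt):
                    if b == c and (a, d) not in self.lt:
                        self.lt.add((a, d))
                        changed = True

    def leq(self, s, t):
        return s == t or (s, t) in self.lt

# The structures of Figure 3.
WF   = FDS({"w", "f"}, {("w", "f")}, "w")
WDF  = FDS({"w", "d", "f"}, {("w", "d"), ("d", "f")}, "w")
WFsd = FDS({"w", "fs", "fd"}, {("w", "fs"), ("w", "fd")}, "w")
WFdu = FDS({"w", "fd", "fu"}, {("w", "fd"), ("fd", "fu")}, "w")

# The bottom is the unique lower bound of every state.
assert all(WFsd.leq(WFsd.bottom, s) for s in WFsd.states)
# fs and fd are incomparable in WFsd, yet both dominate w.
assert not WFsd.leq("fs", "fd") and not WFsd.leq("fd", "fs")
```

The assertions check the two points made above: the bottom element is below every state, and WFsd is only partially ordered.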

Product
Now, let C = ⟨C, ≤_C, ⊥_C⟩ and D = ⟨D, ≤_D, ⊥_D⟩ be two finite degradation structures. The product of C and D, denoted by C ⊗ D, is the triple ⟨C × D, ≤_{C×D}, ⊥_{C×D}⟩, where:
• C × D stands for the Cartesian product of C and D.
• For all x, x′ ∈ C and y, y′ ∈ D, ⟨x, y⟩ ≤_{C×D} ⟨x′, y′⟩ if and only if x ≤_C x′ and y ≤_D y′.
• ⊥_{C×D} = ⟨⊥_C, ⊥_D⟩.
It is easy to verify that C ⊗ D is a finite degradation structure. This is by no means surprising as the category of partial orders has a product [23].
The product ⊗ is commutative and associative up to isomorphism, i.e., C ⊗ D ≅ D ⊗ C and C ⊗ (D ⊗ E) ≅ (C ⊗ D) ⊗ E for all finite degradation structures C, D and E. The finite degradation structure 1 = ⟨{⊥}, {⊥ ≤ ⊥}, ⊥⟩ is a neutral element for this product: 1 ⊗ C ≅ C ⊗ 1 ≅ C for any finite degradation structure C.
The existence of a product over finite degradation structures makes it possible to describe the state of a system as the combination of the states of its components.
Consider, for instance, a system made of two components A and B. Assume that both A and B are represented by means of the finite degradation structure WDF. Then, the state space of the system is represented by the finite degradation structure WDF² pictured in Figure 4. Note that although WDF encodes a total order over its elements, WDF² encodes only a partial order.
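The product construction is easy to implement. The sketch below (Python; the encoding is ours) builds the componentwise order of WDF² and checks that, unlike WDF, it is only partial:

```python
WDF_STATES = ["w", "d", "f"]                 # totally ordered: w < d < f
def wdf_leq(s, t):
    return WDF_STATES.index(s) <= WDF_STATES.index(t)

def product_leq(leq1, leq2):
    """Componentwise order on the Cartesian product: a pair is below
    another if and only if both components are."""
    return lambda p, q: leq1(p[0], q[0]) and leq2(p[1], q[1])

wdf2_leq = product_leq(wdf_leq, wdf_leq)

# The bottom of the product is the pair of bottoms.
states2 = [(s, t) for s in WDF_STATES for t in WDF_STATES]
assert all(wdf2_leq(("w", "w"), st) for st in states2)
# WDF is totally ordered, but WDF^2 is only partially ordered:
assert not wdf2_leq(("w", "f"), ("f", "w"))
assert not wdf2_leq(("f", "w"), ("w", "f"))
```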

Formulas
In the previous example, the state of the system is represented by a pair. Now if, for instance, the components A and B are in series, we can map each pair onto an element of WDF, e.g., ⟨w, w⟩ is mapped onto w, ⟨w, d⟩ is mapped onto d, ⟨w, f⟩ is mapped onto f, and so on. There are indeed several ways to define such a mapping. Moreover, the target finite degradation structure does not need to be the same as the source ones, which themselves may differ from one another. In other words, it is possible to define a collection of operators on finite degradation structures.
In the sequel, we shall thus assume a finite set U of finite degradation structures and a finite set O of symbols called operators. It is often, but not always, the case that operators are abstractions. Abstractions are surjective structure-preserving mappings, i.e., an abstraction α : ⊗_{1≤i≤n} s_i → s obeys the following conditions:
• α preserves bottoms, i.e., α(⟨⊥_{s_1}, ..., ⊥_{s_n}⟩) = ⊥_s;
• α is monotone, i.e., α(σ) ≤ α(τ) whenever σ ≤ τ;
• α is surjective.
As abstractions are epimorphisms in the sense of category theory, we shall use in the sequel the usual symbol for their signature, i.e., α : ⊗_{1≤i≤n} s_i ↠ s. It is easy to check that the notion of abstraction generalizes the notion of monotone Boolean function. As an illustration, one can consider two binary operators from W3F ⊗ W3F into W3F: the series composition operator, which generalizes the Boolean operator ∨ (or), and the parallel composition operator, which generalizes the Boolean operator ∧ (and). These operators are defined in Table 2.
It is easy to verify that the series operator is associative but not commutative, and that the parallel operator is both commutative and associative.
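The abstraction conditions can be checked mechanically for any candidate operator. The sketch below (Python) does so for the Boolean structure WF, whose series and parallel compositions reduce to ∨ and ∧; the function and variable names are ours, and the W3F tables of Table 2 would be handled in exactly the same way:

```python
from itertools import product

WF = ["w", "f"]                                   # w < f
def wf_leq(s, t):
    return s == t or (s, t) == ("w", "f")

def series(s, t):    # on WF, series composition is the Boolean 'or'
    return "f" if "f" in (s, t) else "w"

def parallel(s, t):  # on WF, parallel composition is the Boolean 'and'
    return "f" if (s, t) == ("f", "f") else "w"

def is_abstraction(op, leq, states, bottom):
    """Check the abstraction conditions for a binary operator:
    bottom preservation, monotonicity and surjectivity."""
    if op(bottom, bottom) != bottom:
        return False
    pairs = list(product(states, repeat=2))
    for (s, t) in pairs:
        for (s2, t2) in pairs:
            if leq(s, s2) and leq(t, t2) and not leq(op(s, t), op(s2, t2)):
                return False
    return {op(s, t) for (s, t) in pairs} == set(states)

assert is_abstraction(series, wf_leq, WF, "w")
assert is_abstraction(parallel, wf_leq, WF, "w")
```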
We can now define the formulas of the finite degradation calculus. Let U be a finite set of finite degradation structures, let O be a finite set of operators on U defined as above, and finally, let V be a finite set of symbols called variables. Each variable V of V is assumed to take its value in the support set of one of the finite degradation structures of U. This finite degradation structure is called the domain of V and is denoted dom(V). Well-formed formulas are built inductively: constants, variables, and applications op(f_1, ..., f_n) of an n-ary operator op of O to well-formed formulas f_1, ..., f_n of suitable domains are well-formed formulas. In the sequel, we shall simply say formula instead of well-formed formula.
The set of variables occurring in the formula f is denoted var( f ).
A variable valuation is a function σ that associates with each variable a value of its domain.
A formula f is interpreted as a mapping ⟦f⟧ : ⊗_{V∈var(f)} dom(V) → s, where s is the codomain of the outermost operator of f, by lifting up variable valuations as usual. Let σ be a variable valuation of var(f); then:
⟦c⟧(σ) = c for a constant c,
⟦V⟧(σ) = σ(V) for a variable V,
⟦op(f_1, ..., f_n)⟧(σ) = op(⟦f_1⟧(σ), ..., ⟦f_n⟧(σ)).
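This recursive interpretation is the usual one. A short Python sketch (the tuple encoding of formulas is ours):

```python
# A formula is either a constant ("const", c), a variable ("var", V),
# or an operator application ("op", fn, [f1, ..., fn]).
def evaluate(formula, valuation):
    """Interpret a formula under a variable valuation: constants evaluate
    to themselves, variables to their assigned value, and op(f1, ..., fn)
    to op applied to the values of its arguments."""
    kind = formula[0]
    if kind == "const":
        return formula[1]
    if kind == "var":
        return valuation[formula[1]]
    _, op, args = formula
    return op(*(evaluate(arg, valuation) for arg in args))

# Series composition of two WF components (on WF it is the Boolean 'or').
series = lambda s, t: "f" if "f" in (s, t) else "w"
f = ("op", series, [("var", "A"), ("var", "B")])
assert evaluate(f, {"A": "w", "B": "f"}) == "f"
assert evaluate(f, {"A": "w", "B": "w"}) == "w"
```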

Finite Degradation Models
Finite degradation models are obtained by lifting up fault tree constructions to the finite degradation calculus. Namely, a finite degradation model is a pair ⟨V = S ⊎ F, E⟩ where:
• V is a finite set of variables, partitioned into a set S of state variables and a set F of flow variables;
• E = {W_1 := f_1, ..., W_n := f_n} is a finite set of equations such that, for 1 ≤ j ≤ n, W_j is a flow variable of F, f_j is a formula, and each flow variable occurs as the left member of exactly one equation.
We say that the flow variable W_j depends on the (state or flow) variables occurring in f_j. A finite degradation model is looped if one of its flow variables depends, directly or transitively, on itself. It is loop-free otherwise.
A finite degradation model is uniquely rooted if there is only one variable that occurs in no right member of an equation. Such a variable is called the root of the model.
From now, we shall consider only well-typed, loop-free, uniquely rooted models.
It is easy to see that finite degradation models generalize fault trees: state and flow variables play respectively the roles of basic and internal events, while equations play the role of gates. Moreover, the root variable plays the role of the top event. The terms "state" and "flow" come from guarded transition systems [10].
As an illustration, consider the TA4 HIPPS presented in Section 2. We can use the finite degradation structure W3F and the operators defined in Table 2 to represent this system.
The fault tree pictured in Figure 2 can be re-interpreted in this logic. Equations implementing this fault tree are given in Table 3. Table 3. Equations implementing the fault tree given in Figure 2 in the W3F logic.
Note that LS1 and LS2 cannot take the value fu, as we assumed that failures of logic solvers are always detected. Similarly, V1 and V2 cannot take the value fs, as we assumed that spurious closures of valves, if any, are immediately fixed.

Semantics
The following property holds, thanks to the fact that the model is loop-free.
Lemma 1 (Unique extension). Let M = ⟨V = S ⊎ F, E⟩ be a loop-free finite degradation model. Then, any valuation σ of the state variables of S extends in a unique way into a valuation of all the variables of V that satisfies the equations of E.
In the sequel, we shall denote σ*_M, or simply σ* when the model M is clear from the context, this unique extension.
There is indeed a one-to-one correspondence between variable valuations and elements of ⊗_{V∈V} dom(V). We shall thus make no distinction between them in the sequel. It follows from the above lemma that we can interpret a model M = ⟨V = S ⊎ F, E⟩ as a mapping:
⟦M⟧ : ⊗_{V∈S} dom(V) → ⊗_{W∈F} dom(W)
Note that the flow variables include in particular the root variable R of the model. Therefore, if we restrict ⟦M⟧ to its R component, we can interpret it as a mapping:
⟦M⟧_R : ⊗_{V∈S} dom(V) → dom(R)
This is indeed true for any other flow variable.
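The unique extension of a state-variable valuation can be computed by evaluating the equations in dependency order, which always terminates because the model is loop-free. A Python sketch (the encoding of equations as functions is ours):

```python
def extend_valuation(equations, state_valuation):
    """Compute the unique extension of a state-variable valuation to all
    variables of a loop-free model: repeatedly evaluate any equation
    whose right-hand-side variables are already valued."""
    sigma = dict(state_valuation)
    pending = dict(equations)   # flow variable -> (eval function, dependencies)
    while pending:
        for W, (fn, deps) in list(pending.items()):
            if all(V in sigma for V in deps):
                sigma[W] = fn(sigma)
                del pending[W]
    return sigma

series = lambda s, t: "f" if "f" in (s, t) else "w"
# A two-level toy model over WF: SB := A series B, R := SB series C.
eqs = {
    "SB": (lambda s: series(s["A"], s["B"]), ["A", "B"]),
    "R":  (lambda s: series(s["SB"], s["C"]), ["SB", "C"]),
}
sigma = extend_valuation(eqs, {"A": "w", "B": "f", "C": "w"})
assert sigma["SB"] == "f" and sigma["R"] == "f"
```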
The following result holds.
Lemma 2 (Coherent finite degradation models). Let M = ⟨V = S ⊎ F, E⟩ be a uniquely rooted, loop-free finite degradation model, whose root variable is R ∈ F. If all operators used to build the equations of E are abstractions, then M defines an abstraction:
⟦M⟧_R : ⊗_{V∈S} dom(V) ↠ dom(R)
Lemma 2 generalizes the well-known result that a sufficient (but not necessary) condition for a fault tree to be coherent is that it is written using only ∧, ∨ and k-out-of-n connectives.
The finite degradation model given in Table 3 is thus a mapping: W3F³ ⊗ WFsd² ⊗ WFdu² → W3F, as the states of the three sensors are described with the finite degradation structure W3F, the states of the two logic solvers are described with the finite degradation structure WFsd, the states of the two valves are described with the finite degradation structure WFdu, and the state of the unique root variable (TA4) is described with the finite degradation structure W3F.
Note that this model is not an abstraction, because the series composition operator introduces non-coherencies. Consider for instance the case where the three sensors are failed dangerous undetected and all other components are working. In this case, the HIPPS as a whole is failed dangerous undetected. Now, consider the case where the three sensors are failed dangerous undetected as previously but, in addition, the logic solver LS1 is failed safe. In this case, the closure of the valves is triggered, even in the absence of an overpressure. Consequently, the HIPPS as a whole is failed safe. The latter state is, however, not more degraded than the former (fs and fu are not comparable in W3F). It is often the case that partial orders induce this kind of non-monotone behavior. This is one of the reasons why handling different types of failures, as suggested by safety standards such as IEC61508, is far from easy when staying in the realm of Boolean models.
From now on and for the sake of simplicity, we shall omit the semantic brackets ⟦·⟧ when it is clear from the context that we are speaking about the interpretation ⟦M⟧ of a model M and not the model M itself.

Probability Measures
Let C = ⟨C, ≤_C, ⊥_C⟩ be a finite degradation structure. We can associate C with a probability measure p, i.e., a function p : C → [0, 1] such that ∑_{s∈C} p(s) = 1.
The probability measure could also be a function of time, i.e., p : C × R⁺ → [0, 1], where p(s, τ) represents the probability of being in the state s ∈ C at time τ ∈ R⁺. However, as it makes no difference computationally speaking, we keep the simpler definition above. Now, let C = ⟨C, ≤_C, ⊥_C⟩ and D = ⟨D, ≤_D, ⊥_D⟩ be two finite degradation structures equipped respectively with probability measures p_C and p_D.
Then, their product C ⊗ D can be associated with the natural probability measure p defined as follows. For all ⟨s, t⟩ ∈ C × D:
p(⟨s, t⟩) = p_C(s) · p_D(t)
It is easy to verify that p is actually a probability measure on C ⊗ D. Its construction assumes indeed that the events represented by C and D are statistically independent.
Let C = ⟨C, ≤_C, ⊥_C⟩ and D = ⟨D, ≤_D, ⊥_D⟩ be two finite degradation structures. Assume moreover that C is associated with the probability measure p_C. Let φ : C → D be a mapping from C into D. Then, the natural probability measure p_D over D is defined as follows. For all t ∈ D:
p_D(t) = ∑_{s∈C, φ(s)=t} p_C(s)
The above two natural constructions make it possible to lift up probabilistic indicators defined for fault trees to finite degradation models.
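Both natural constructions are straightforward to implement. A Python sketch (the dictionary encodings are ours), using two independent Boolean components in series:

```python
def product_measure(pC, pD):
    """Natural measure on the product C ⊗ D under statistical
    independence: p((s, t)) = pC(s) * pD(t)."""
    return {(s, t): pC[s] * pD[t] for s in pC for t in pD}

def pushforward(pC, phi, codomain):
    """Natural measure induced on D by a mapping phi : C -> D:
    pD(t) is the total probability of the states mapped onto t."""
    pD = {t: 0.0 for t in codomain}
    for s, p in pC.items():
        pD[phi(s)] += p
    return pD

pA = {"w": 0.9, "f": 0.1}
pB = {"w": 0.8, "f": 0.2}
p = product_measure(pA, pB)
assert abs(sum(p.values()) - 1.0) < 1e-12

series = lambda st: "f" if "f" in st else "w"   # series of two WF components
pR = pushforward(p, series, {"w", "f"})
# P(system failed) = 1 - 0.9 * 0.8 = 0.28
assert abs(pR["f"] - 0.28) < 1e-12
```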

Minimal Cutsets
The notion of minimal cutset plays a central role in system reliability theory, as well as in practical probabilistic risk analyses. Intuitively, in fault trees, a minimal cutset represents a minimal set of component failures that induces a failure of the system as a whole. In other words, minimal cutsets represent the most significant, and in general the most probable, scenarios of failure. This intuitive idea works fine for coherent models, for which the notion of minimal cutset coincides with the classical notion of prime implicant. However, it needs to be refined to handle non-coherent ones [16].
In this section, we shall lift up the notion of minimal cutset to finite degradation models. We shall also characterize minimal cutsets in terms of states of finite degradation structures.

Definition
One of the main objectives of probabilistic risk and safety analyses is to characterize the dangerous states of the system under study, as well as the cumulated probability of these states. Dangerous states are represented by the most degraded elements of finite degradation structures. We can formalize this idea by considering upper sets.
Let C = ⟨C, ≤, ⊥⟩ be a finite degradation structure. An upper set of C is a subset U of C such that ∀s, t ∈ C, if s < t and s ∈ U, then t ∈ U. Upper sets are sometimes called upward closed sets [24].
Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model with a root variable R and let U be an upper set of dom(R). We call the predicate R ∈ U an observer of M.
As an illustration, in the finite degradation model given in Table 3, we could consider the observers TA4 ∈ {fs} (the system is failed safe), TA4 ∈ {fu} (the system is failed dangerous undetected), TA4 ∈ {fd, fu} (the system is failed dangerous) and TA4 ∈ {fs, fd, fu} (the system is failed).
We are interested in characterizing the subset of valuations σ of the state variables whose admissible extension σ* verifies σ*(R) ∈ U, i.e., that satisfy the observer R ∈ U. To do so, we shall lift up the notions of literal, product and minterm.
A literal over S is an equality of the form V = c, where V is a variable of S and c is a constant of dom(V).
A product over S is a conjunct of literals over S in which each variable of S occurs at most once. A minterm over S is a product over S in which each variable of S occurs exactly once. We denote by Minterms(S) the set of minterms that can be built over a set S of variables. Minterms one-to-one correspond with variable valuations of S: the variable valuation assigns the value c to the variable V if and only if the literal V = c occurs in the corresponding minterm. Products thus one-to-one correspond with partial variable valuations.
Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model and R ∈ U be an observer for M. For each valuation σ of the state variables, the root variable R takes a certain value σ*(R). We do not care which specific value it takes, but whether this value belongs to U or not. Consequently, we can simply consider M_{R∈U} as a function from dom(S) into {0, 1}, i.e., as the characteristic function of the set of state variable valuations σ such that σ*(R) ∈ U, or equivalently as the set of minterms verifying the same condition. We denote by M_{R∈U} this latter set:
M_{R∈U} = {σ ∈ Minterms(S) : σ*(R) ∈ U}
Let π be a product over S. We can extend π into a minterm πᶜ over S by adding the literal V = ⊥_dom(V) for each variable V of S that does not occur in π.
We can now define minimal cutsets:
• A product π is a cutset for the observer R ∈ U if (πᶜ)*(R) ∈ U.
• A cutset π for R ∈ U is minimal if none of its proper subproducts is a cutset.
We denote by MCS(M_{R∈U}) the set of minimal cutsets for the observer R ∈ U (in the model M). For instance, in the model given in Table 3, the product π = (S2 = fd) ∧ (S3 = fu) ∧ (V1 = fu) is a cutset for the observer TA4 ∈ {fu} because (πᶜ)*(TA4) = fu. However, it is not minimal because ρ = (S2 = fd) ∧ (S3 = fd) ∧ (V1 = fu) also verifies (ρᶜ)*(TA4) = fu and ρ < π. It is easy to verify that ρ is minimal: if the valve V1 is not failed undetected, then the first safety barrier SB1 is not failed undetected; and if either of the sensors S2 or S3 is not failed dangerous, then the second safety barrier SB2 is not failed dangerous and therefore cannot produce a dangerous undetected failure of the HIPPS in combination with the dangerous undetected failure of the valve V1.

Minimal States
Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model and R ∈ U be an observer for M. Let σ be a state of dom(S), or equivalently a variable valuation of S. We say that σ is minimal for R ∈ U if the following two conditions hold:
• σ*(R) ∈ U;
• There is no other state ρ of dom(S) such that ρ*(R) ∈ U and ρ < σ.
For instance, in the model given in Table 3, the state ρᶜ, where ρ is defined as above, is minimal for the observer TA4 ∈ {fu}.
We denote by MinimalStates_M(R ∈ U) the set of minimal states of dom(S) for the observer R ∈ U.
The following theorem follows from the definitions.
Theorem 3 (Minimal cutsets and minimal states). Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model and R ∈ U be an observer for M. Then the sets MCS(M_{R∈U}) and MinimalStates_M(R ∈ U) are isomorphic: a product π is a minimal cutset for R ∈ U if and only if its extension πᶜ is a minimal state for R ∈ U.
The above theorem presents no difficulty: it asserts that minimal cutsets one-to-one correspond with minimal states for the chosen degradation order, i.e., that they are essentially the same thing. Despite its simplicity, this theorem is probably the most important of system reliability theory, as it shows that the core notion of minimal cutsets arises naturally from the more fundamental notion of degradation order. Finite degradation structures capture the latter. This is the reason why they are a central concept of system reliability theory, at least for what concerns combinatorial models.
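On small models, minimal states can be extracted by brute force directly from the definition, which is useful as a reference when testing more elaborate algorithms. The sketch below (Python; the toy two-component series model over WDF is ours, not the TA4 model) enumerates the states satisfying an observer and keeps the minimal ones:

```python
from itertools import product

WDF = ["w", "d", "f"]                      # totally ordered: w < d < f
def leq(s, t):
    return all(WDF.index(a) <= WDF.index(b) for a, b in zip(s, t))

# Toy model: two WDF components in series; the root takes the worse state.
def root(state):
    return max(state, key=WDF.index)

def minimal_states(observer):
    """Brute-force extraction of the minimal states satisfying an observer:
    keep the states in the observer that dominate no other such state."""
    hits = [s for s in product(WDF, repeat=2) if observer(root(s))]
    return [s for s in hits
            if not any(t != s and leq(t, s) for t in hits)]

# Observer: the system is failed, i.e., the root is in {f}.
ms = minimal_states(lambda r: r == "f")
assert sorted(ms) == [("f", "w"), ("w", "f")]
```

As expected for a series system, a single failed component suffices, so the minimal states are exactly those with one component failed and the other at bottom.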

Decomposition Theorem
Decomposition theorems are recursive principles at the core of algorithms to extract prime implicants [25] and minimal cutsets [16]. We shall now extend the latter. But before doing so, we need to introduce a few notations and results on sets of products.
Let P be a set of products built over a set of variables V, let V ∈ V be a variable, and let c be a constant of dom(V). We define (\ stands for the set difference):
P_{V=c} = {π \ (V = c) : π ∈ P and the literal V = c occurs in π}
P_{V≠c} = {π ∈ P : the literal V = c does not occur in π}
Moreover, for a literal V = c, we write (V = c) ∧ P for the set {(V = c) ∧ π : π ∈ P}. The following equality holds.
Lemma 4 (Pivot decomposition). Let P be a set of products built over a set of variables V, let V ∈ V be a variable and finally let c be a constant. Then,
P = ((V = c) ∧ P_{V=c}) ∪ P_{V≠c}
We extend the degradation order to products as follows. Let π and ρ be two products built over a set of variables V; then π ⪯ ρ if either of the two following conditions holds:
• πᶜ < ρᶜ, i.e., the minterm extension of π is strictly less degraded than that of ρ;
• πᶜ = ρᶜ and π ⊆ ρ.
The second condition makes it possible to distinguish π and ρ = (V = ⊥_dom(V)) ∧ π. Now, let P and Q be two sets of products built over the set of variables V. We define:
P ÷ Q = {π ∈ P : there is no ρ ∈ Q such that ρ ⪯ π}
The operator ÷ generalizes the Boolean without operator introduced in [16].
The following decomposition theorem holds.
Theorem 5 (Decomposition of the without operator). Let P and Q be two sets of products built over the set of variables V, let V ∈ V and let c be a constant. If Q does not contain products of the form (V = d) ∧ π with d > c, then,
((V = c) ∧ P) ÷ Q = (V = c) ∧ ((P ÷ Q_{V=c}) ÷ Q_{V≠c})
The proof follows from the definitions and the remark that for any three sets of products P, Q and R, P ÷ (Q ∪ R) = (P ÷ Q) ÷ R.
The following decomposition theorem holds, which is at the core of the decision diagrams algorithm to extract minimal cutsets (the proof follows from the definitions and previous lemmas).
Theorem 6 (Decomposition of minimal cutsets). Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model, let R ∈ U be an observer for M, let V ∈ S and let c ∈ dom(V). Moreover, let P = MCS(M_{R∈U}|_{V=c}) and Q = MCS(M_{R∈U}|_{V≠c}). If Q does not contain products of the form (V = d) ∧ π with d > c, then,
MCS(M_{R∈U}) = ((V = c) ∧ (P ÷ Q)) ∪ Q
The proof follows again from the definitions. The theoretical framework is now in place; we can move on to algorithmic issues.
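The without operator lends itself to a direct, quadratic implementation, which is enough to test the decomposition on small cases. A Python sketch, assuming products are encoded as variable-to-constant dictionaries and that P ÷ Q keeps the products of P that dominate no product of Q under the degradation order (a variable absent from a product is treated as sitting at bottom; the tie-breaking second condition of the order is ignored here for simplicity):

```python
WDF = ["w", "d", "f"]                        # w < d < f
def val_leq(c, d):
    return WDF.index(c) <= WDF.index(d)

def prod_leq(pi, rho, variables):
    """Degradation order on products via their minterm extensions:
    a variable absent from a product is completed with the bottom 'w'."""
    return all(val_leq(pi.get(V, "w"), rho.get(V, "w")) for V in variables)

def without(P, Q, variables):
    """P ÷ Q: keep the products of P that dominate no product of Q."""
    return [pi for pi in P
            if not any(prod_leq(rho, pi, variables) for rho in Q)]

P = [{"A": "f", "B": "f"}, {"A": "f", "C": "f"}]
Q = [{"B": "f"}]
# {A: f, B: f} dominates {B: f} and is therefore discarded.
assert without(P, Q, ["A", "B", "C"]) == [{"A": "f", "C": "f"}]
```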

Decision Diagram Algorithms
The modern implementation of binary decision diagrams was introduced by Bryant and his colleagues [26]. We shall rely here on this implementation, as well as on ideas introduced by Minato [19]. The algorithms presented in this section generalize to finite degradation models those developed by Rauzy for Boolean models [16].

Implicative Normal Form
Let M = ⟨V = S ⊎ F, E⟩ be a finite degradation model. Each equation W := f of E ultimately describes a function from dom(S) into dom(W).
We want to write a logical formula that encodes this function. The implicative normal form is a way to do so. To define this normal form, we need a few additional definitions.
An implication is a formula in the form π → W = c, where π is a product and W = c is a literal. The product π is the hypothesis of the implication. The literal W = c is the consequence of the implication.
A formula f is in implicative normal form if it is a conjunction of implications satisfying suitable completeness and consistency conditions. Consider for instance the variable SL2 of the model given in Table 3. Table 4 gives a complete formula in implicative normal form that defines this variable. This formula is not the simplest one may imagine a priori, but we shall see that it can be encoded efficiently by means of a decision diagram.
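As a rough illustration of how such a formula defines a variable, one can evaluate an implicative normal form by scanning its implications. This is a sketch under the assumption that exactly one hypothesis is satisfied by each assignment; the variable names are hypothetical:

```python
def evaluate_inf(implications, assignment):
    """Evaluate a formula in implicative normal form.
    implications: list of (hypothesis, (W, c)) pairs, where each
    hypothesis is a product represented as a dict {variable: value}.
    Returns the consequence value c of the implication whose
    hypothesis is satisfied by the assignment."""
    for hypothesis, (w, c) in implications:
        if all(assignment.get(v) == val for v, val in hypothesis.items()):
            return c
    return None

# Hypothetical two-state example: W copies the state of A
implications = [
    ({"A": "working"}, ("W", "working")),
    ({"A": "failed"}, ("W", "failed")),
]
```

The decision diagram described below encodes exactly this kind of case analysis, but with sharing of common sub-cases.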
Finally, we need to lift up the definition of the operator introduced in the last section to formulas in implicative normal form. Let f be a formula in implicative normal form, let V be a variable and let c be a constant; then:

Decision Diagrams
Let M : V = S ⊎ F, E be a finite degradation model. Each equation W := f of E describes a function from dom(S) into dom(W). The decision diagram associated with the variable W encodes this function. To build this decision diagram, one needs first to build the decision diagrams associated with all variables of var( f ), then to build the decision diagram encoding f . The first step thus consists in building the decision diagrams associated with each variable by traversing the model bottom-up.
Building these decision diagrams requires choosing an order over the literals V = c, where V ∈ S and c ∈ dom(V), i.e., associating each literal V = c with an index ι(V = c). This indexing must fulfill the following constraints.

• Indices of the literals built over a variable V ∈ S must be consecutive, i.e., it is not allowed to intertwine indices associated with literals built over different variables.
The justification for these two constraints will appear in the next section.

A decision diagram is a directed acyclic graph with three types of nodes:
• The leaf nil.
• Other leaves, which are labeled with constants.
• Internal nodes, which are labeled with the index of a literal and have two out-edges: the then out-edge and the else out-edge.
In the sequel, we shall denote (c) the leaf labeled with the constant c, and ∆(i, m, n) the internal node labeled with the index i and whose then and else out-edges point respectively to nodes m and n. m and n are called respectively the then-child and the else-child of the node ∆(i, m, n).
Decision diagrams are ordered, i.e., the index labeling an internal node is always smaller than the indices labeling its children (when they are internal nodes).
A decision diagram encodes a formula in implicative normal form. The semantics of decision diagrams is then defined recursively as follows.
Decision diagrams are built bottom-up, i.e., nodes m and n are always built before the node ∆(i, m, n). This makes it possible to store nodes into a unique table. When one needs the leaf (c) or the internal node ∆(i, m, n), the unique table is looked up. If the node is already present in the table, it is returned. Otherwise, it is created and inserted into the table. This technique, introduced in reference [26], ensures the unicity of each node in the table. It is one of the main reasons, if not the main reason, for the efficiency of the decision diagram technology. Insertions and look-ups in the unique table are implemented by means of hashing techniques, so as to ensure a nearly linear complexity.
The semantics of decision diagrams makes it possible to simplify the representation. The node ∆(i, nil, n) encodes a formula that is equivalent to the one encoded by n. ∆(i, nil, n) is thus useless and can be replaced by n. A decision diagram is reduced if it contains no node of the form ∆(i, nil, m). This reduction generalizes the one of Minato's zero-suppressed binary decision diagrams [19].
From now on, we shall simply say decision diagram, but we shall mean reduced, ordered decision diagram.
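The unique table and the reduction rule can be sketched in a few lines; the tuple-based node representation below is an assumption of this sketch, not the actual data structure of an implementation:

```python
class UniqueTable:
    """Hash-consing of decision diagram nodes: each structurally
    identical node is created exactly once (after Bryant et al. [26])."""
    def __init__(self):
        self._table = {}

    def leaf(self, c):
        key = ("leaf", c)
        return self._table.setdefault(key, key)

    def node(self, index, then_child, else_child):
        # Reduction rule: a node whose then-child is nil is useless
        # and is replaced by its else-child.
        if then_child == ("leaf", "nil"):
            return else_child
        key = ("node", index, then_child, else_child)
        return self._table.setdefault(key, key)

ut = UniqueTable()
m = ut.node(3, ut.leaf("c"), ut.leaf("nil"))
n = ut.node(3, ut.leaf("c"), ut.leaf("nil"))
assert m is n                              # unicity: the very same object
assert ut.node(2, ut.leaf("nil"), m) is m  # reduction rule applied
```

Because equal nodes are the same object, equivalence of sub-diagrams can be tested in constant time by comparing identities.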

Operations
The calculation of the decision diagram encoding a formula f is performed bottom-up. There are four cases:
• f = c, for some constant c. In this case, the unique table is looked up for the leaf (c), which is added if it did not exist before.
• f = V, for some state variable V. In this case, the decision diagram associated with this variable is built. This decision diagram is made of a series of internal nodes of the form ∆(i, (c), m), where i is the index of the literal V = c, as illustrated in Figure 5 for the variable S2 of our example.
• f = W, for some flow variable W. In this case, the decision diagram associated with W is calculated (via the equation defining W) and returned.
• f = op( f 1 , . . . , f k ), for some operator op. In this case, the decision diagrams for the arguments f 1 , . . . , f k are calculated, then the operator op is applied onto these decision diagrams.
The application of op may require the application of more primitive operators. For instance, the calculation of f ∧ g ∧ h requires first the calculation of r = g ∧ h, then the calculation of f ∧ r. Algorithm 1 gives the pseudo-code of the function that performs binary operations on decision diagrams. The algorithms for operations of other arities (unary, ternary, . . . ) can be easily derived from this one.
The first step of the algorithm (line 2) consists in checking whether the result can be calculated directly from the arguments. If so, the result is returned. In particular, when one of the arguments is nil, nil is returned.
Then, one checks whether the result of the operation has been cached (line 5). If so, the result is returned. Otherwise, it is computed and inserted into the cache (line 30). Caching techniques, which were introduced for binary decision diagrams in the seminal article by Bryant et al. [26], are the second pillar of the efficiency of the technology. Like unique tables, caches are managed by means of hashing techniques. When a binary operator is commutative, the caching policy can be improved by setting an order over the arguments.
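The caching policy can be sketched independently of the rest of the algorithm; the wrapper below is a hypothetical helper, not Algorithm 1 itself:

```python
def make_cached(compute, commutative=False):
    """Wrap a binary operation on decision diagram nodes with a cache.
    For commutative operators, the arguments are put in a canonical
    order before the look-up, which improves the hit rate."""
    cache = {}
    def cached_op(m, n):
        key = (min(m, n), max(m, n)) if commutative else (m, n)
        if key not in cache:
            cache[key] = compute(m, n)
        return cache[key]
    return cached_op

calls = []
def conjunction(m, n):     # stand-in for the real node-level operation
    calls.append((m, n))
    return min(m, n)       # hypothetical: works on plain integers here

and_op = make_cached(conjunction, commutative=True)
assert and_op(2, 3) == 2
assert and_op(3, 2) == 2   # served from the cache: arguments reordered
assert len(calls) == 1     # the operation was computed only once
```

In a real implementation, the cache key also contains the operator, and the cache may be flushed when memory runs short.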
The core of the algorithm consists in a case analysis on the types of the arguments. In the case where the first argument is a node m : ∆(i, m 1 , m 0 ) and the second one a node n : ∆(j, n 1 , n 0 ) such that the literals corresponding to indices i and j, with i < j, are respectively V = c and V = d (line 17), the function must be recursively called on m 1 . However, it cannot be called on n, because the then-branch of n also assigns the variable V. This is the reason why the function GetOtherwiseChild is called.
In Algorithm 1, the function NewNode that creates a new node ∆(i, r 1 , r 0 ) (e.g., line 29) checks whether r 1 is nil, in which case it returns r 0 , thereby enforcing the reduction rule.

Discussion
The algorithm to build the decision diagrams associated with the variables of a finite degradation model is thus similar to the one building the binary decision diagrams associated with the variables of a Boolean model, e.g., a fault tree or a reliability block diagram. However, two nodes are used for each Boolean variable: one for the value 1 and one for the value 0. This induces an overhead compared to the algorithm dedicated to the binary case. This overhead is however acceptable, especially when truncations are applied (see next section).
All complexity results that hold for binary decision diagrams, see, e.g., [27] for a review, hold for decision diagrams as well. In particular, caching ensures that the worst-case complexity of the function PerformBinaryOperation is proportional to the product of the sizes of its arguments (without caching, it is exponential).
It is well known that the size of binary decision diagrams, and therefore the efficiency of the whole method, depends heavily on the chosen variable ordering, see again [27]. The same indeed applies to decision diagrams. As the calculation of an optimal ordering is computationally intractable, heuristics are applied, which are essentially the same as in the Boolean case, see, e.g., [28]. The only difference regards the dynamic reordering of decision diagrams, notably sifting [29]. As the indices of literals built over the same variable must be consecutive, group sifting has to be applied rather than individual sifting.
Note finally that efficient algorithms exist to calculate probabilistic risk indicators such as the top-event probability or importance measures [30]. These algorithms can be lifted up to decision diagrams. The key idea is to extend the pivotal decomposition: assume that we have a decision diagram encoding a function from dom(S) into dom(W) and that we want to calculate the probability p(W ∈ U) that W takes its value in some subset U of dom(W). Then the recursive equations to do so are as follows.
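Under simplifying assumptions on the node encoding (each internal node carries a literal V = c with probability p(V = c); a leaf contributes 1 when its constant belongs to U and 0 otherwise), the recursion can be sketched as follows. This is an illustration of the extended pivotal decomposition, not the tool's actual algorithm:

```python
def probability(node, in_U, p_literal, cache=None):
    """Extended pivotal decomposition: an internal node labeled with a
    literal contributes p(literal) times the probability of its
    then-child, plus the probability of its else-child (which covers
    the remaining literals of the chain).
    Nodes are tuples: ("leaf", c) or ("node", literal, then, else)."""
    if cache is None:
        cache = {}
    if node[0] == "leaf":
        return 1.0 if in_U(node[1]) else 0.0
    if node not in cache:
        _, literal, then_child, else_child = node
        cache[node] = (p_literal[literal]
                       * probability(then_child, in_U, p_literal, cache)
                       + probability(else_child, in_U, p_literal, cache))
    return cache[node]

# Hypothetical one-component chain: V = failed, then V = working
d = ("node", ("V", "failed"), ("leaf", "failed"),
     ("node", ("V", "working"), ("leaf", "working"), ("leaf", "nil")))
p = {("V", "failed"): 0.1, ("V", "working"): 0.9}
assert abs(probability(d, lambda c: c == "failed", p) - 0.1) < 1e-12
```

Thanks to the cache, each node is visited once, so the calculation is linear in the size of the diagram.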
The mathematical definition of importance measures for finite degradation models is, however, non-trivial and will be the subject of a forthcoming article.

Extraction of Minimal Cutsets
As in the Boolean case [16], the principle of the extraction of minimal cutsets is to build a second decision diagram, encoding the minimal cutsets, from the one associated with the root variable of the model. Technically, this second decision diagram is a zero-suppressed binary decision diagram. Zero-suppressed binary decision diagrams have been introduced by Minato [19]. They encode sets of products and not Boolean functions:
• They have two leaves: the leaf (1), which encodes the set containing only the empty product, and the leaf (0), which encodes the empty set of products, i.e., the sets {1} and ∅, respectively.
• An internal node ∆(i, n 1 , n 0 ), where i is the index of the literal V = c, encodes the set of products defined by the pivot decomposition (Lemma 4), i.e., {(V = c) ∧ π ; π is in the set encoded by n 1 } ∪ the set encoded by n 0 .
For this reason, they have a different reduction rule, namely ∆(i, (0), n) ≡ n, hence their name. This semantics is actually almost the same as the one we have given for decision diagrams: the leaf nil of decision diagrams plays the role of the leaf (0) of the zero-suppressed binary decision diagrams; all we need is another leaf to play the role of the leaf (1), which we shall denote (1).
The algorithm to extract minimal cutsets follows the two decomposition Theorems 5 and 6 demonstrated in Section 4. Algorithm 2 gives the pseudo-code for the functions extracting minimal cutsets. The operator ÷ (without) is implemented by means of two mutually recursive functions. Algorithms 3 and 4 give their respective pseudo-codes.
The code for the function ExtractMinimalCutsets is essentially the same as in the Boolean case. The only difference lies in the test of whether the constant labeling a leaf belongs to the upper set or not.
The code for the without operator is trickier than in the Boolean case, as one has to take into account the degradation order. It is worth noticing that the algorithm relies heavily on the order chosen over the literals built over the same variable. The algorithm works because we are sure that else-branches do not contain nodes labeled with a literal smaller than the literal labeling the node.

Rationale
Industrial probabilistic risk assessment models may have a very large number of minimal cutsets. As of today, the largest models are event trees designed to assess nuclear safety. These models involve thousands of basic events and gates. Their number of minimal cutsets is just astronomical. However, most of these minimal cutsets have an extremely low probability. Intuitively, the average probability of each minimal cutset must decrease as the number of minimal cutsets increases. Minimal cutsets with a low probability can be ignored, for at least four practical reasons. First, they represent a negligible risk. Second, given the uncertainties on basic event probabilities, ranking them according to their probability is hopeless. Third, there are anyway too many of them to expect to retrieve any valuable information out of their extraction. Fourth, extracting millions and millions of minimal cutsets would require far too many computational resources, both in terms of computation time and in terms of computer memory. This is the reason why algorithms implemented in assessment tools such as Risk Spectrum [14] or XFTA [15] are designed to extract only the most probable minimal cutsets, i.e., those with a probability higher than a given predefined threshold. These algorithms can be seen as model pruners, as they eliminate irrelevant parts of models, i.e., those that induce minimal cutsets with a low probability [31]. It has been observed that up to 95% of the basic events do not show up in the extracted minimal cutsets [32].
From a theoretical point of view, these approximations cannot be guaranteed: it may be the case that, although the risk is high, each individual minimal cutset has a probability lower than the chosen threshold. This phenomenon is called the model refinement paradox in reference [2]. The more one refines a model, i.e., the more the scenarios of failure are decomposed, the more minimal cutsets fall under the algorithmic horizon, which eventually leads to eliminating all of them and concluding (falsely) that there is no risk at all. As demonstrated by Valiant [33], reliability problems are #P-hard, which means concretely that no efficient algorithm to assess them can be expected to exist, even if we accept an approximate, but guaranteed, answer.
Nevertheless, approximations based on probabilistic cutoffs give satisfying results in practice. The question is thus how to implement such approximations within the decision diagram technology. Figure 6 helps to understand the problem at stake. The minimal cutsets extraction process we described in the previous section is represented by the upper line of the figure: first, the decision diagram encoding the model is built by means of the BuildDD algorithm, then the zero-suppressed binary decision diagram encoding the minimal cutsets of the observer is calculated by means of the ExtractMCS algorithm. The problem with this process lies in the sizes of the decision diagram and of the zero-suppressed binary decision diagram, which may be exponential in the number of literals showing up in the model. It is, of course, possible to filter the zero-suppressed binary decision diagram so as to keep only the minimal cutsets with a probability higher than a given threshold, by means of a TruncateZBDD algorithm, but this does not solve the above problem.
A first approach consists in extracting only the most probable minimal cutsets from the decision diagram, combining the ExtractMCS and the TruncateZBDD algorithms into an ExtractTrMCS algorithm. This solution, although it still does not solve the exponential blow-up problem, has nevertheless some virtues: exact values of probabilistic indicators can be calculated from the decision diagram, while the (most probable) minimal cutsets can be used for qualitative assessment purposes.
A more radical approach consists in performing the approximation onto the decision diagram itself by means of an algorithm BuildTrDD that combines the algorithm BuildDD, performing the regular construction of the decision diagram, with the algorithm TruncateDD, which truncates this decision diagram. The idea is that the truncated decision diagram encodes not the model itself, but a model whose minimal cutsets are those of the original model that have a probability higher than the given threshold. In other words, the diagram given in Figure 6 commutes. We shall see that this last combination guarantees a polynomial worst-case complexity of the process.

Implementation
Algorithm 5 gives the pseudo-code to truncate a decision diagram for a given probability threshold.
Several important remarks must be made about this algorithm. First, ⊥ stands for the bottom element of the domain of the flow variable the decision diagram is associated with. If the decision diagram is a zero-suppressed decision diagram, then ⊥ = ∅. Second, in the form given in Algorithm 5, the algorithm works only for monotone functions (coherent models). If non-monotone functions must be represented, the best solution consists in introducing ⊤ as a special constant and in returning (⊤) when the decision diagram is truncated. This limits the reduction of decision diagrams and forces to take the value ⊤ into account in all operations. But in some sense, it is mathematically "cleaner" than just using ⊥. Moreover, it makes it possible to calculate bounds for the probability of an observer, rather than just an approximation: a lower bound is obtained by setting the probability of (⊤) to 0, while an upper bound is obtained by setting it to 1. Attempts to discretize probabilities, e.g., by caching −log(pr) rather than pr, although nice conceptually, do not bring much in practice: one tends to store too many intermediate results in the cache, which makes us lose here what we gain there.
Third, this algorithm is intended to be applied to truncate decision diagrams and zero-suppressed decision diagrams calculated from formulas, i.e., at a relatively coarse grain. The reason is again to make the truncation compatible with other operations.
Fourth, the algorithm does not take into account the probabilities of literals V = ⊥ dom(V) . The reason is that this is the only way to make the algorithm insensitive to the literal ordering. We shall come back to this point.
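The recursion of Algorithm 5 can be sketched as follows; the tuple-based encoding and the handling of the bottom leaf are assumptions of this sketch, which covers the monotone case only:

```python
def truncate(node, threshold, p_literal, acc=1.0):
    """Truncate a decision diagram for a probability threshold.
    Descending a then-edge multiplies the accumulated product
    probability by the probability of the node's literal; when it
    falls below the threshold, the then-branch is pruned. Else-edges
    (and thus literals V = bottom) do not contribute to the
    accumulated probability."""
    if node[0] == "leaf":
        return node
    _, literal, then_child, else_child = node
    p = acc * p_literal[literal]
    if p < threshold:
        pruned_then = ("leaf", "nil")
    else:
        pruned_then = truncate(then_child, threshold, p_literal, p)
    pruned_else = truncate(else_child, threshold, p_literal, acc)
    if pruned_then == ("leaf", "nil"):
        return pruned_else  # reduction rule
    return ("node", literal, pruned_then, pruned_else)

# A product of two unlikely literals (probability 0.01 each, 1e-4 total)
d = ("node", "A", ("node", "B", ("leaf", "fail"), ("leaf", "nil")),
     ("leaf", "nil"))
p = {"A": 0.01, "B": 0.01}
assert truncate(d, 1e-3, p) == ("leaf", "nil")  # product pruned
assert truncate(d, 1e-5, p) == d                # product kept
```

A real implementation would of course create the pruned nodes through the unique table and cache intermediate results.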

Complexity
To discuss the complexity of the approximate assessment process, we shall first state a general theorem on the size of binary trees.
The size and the depth of a binary tree are defined as usual as, respectively, the number of nodes and the maximum number of levels of the tree.
The Horton-Strahler measure HS(t) of a binary tree t is defined as follows [34]:
• HS(t) = 0 if t is a leaf;
• HS(t) = HS(t 1 ) + 1 if t is an internal node ∆(t 1 , t 2 ) and HS(t 1 ) = HS(t 2 );
• HS(t) = max(HS(t 1 ), HS(t 2 )) if t is an internal node ∆(t 1 , t 2 ) and HS(t 1 ) ≠ HS(t 2 ).
The Horton-Strahler measure is almost like the depth, except that one adds one to the children's measure only if both children have the same measure, while for the depth, one adds one (to the maximum depth of the children) in any case. For this reason, the Horton-Strahler measure is always smaller than the depth.
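For concreteness, the measure can be computed recursively; giving leaves measure 0 is a convention of this sketch (conventions for the base case vary, but the bound of Theorem 7 is insensitive to that offset):

```python
def horton_strahler(t):
    """Horton-Strahler measure of a binary tree [34].
    Trees are either the string "leaf" or a pair (left, right)."""
    if t == "leaf":
        return 0
    left, right = t
    hl, hr = horton_strahler(left), horton_strahler(right)
    # Increment only when both subtrees have the same measure
    return hl + 1 if hl == hr else max(hl, hr)

comb = ("leaf", ("leaf", ("leaf", "leaf")))      # deep but thin: measure 1
balanced = (("leaf", "leaf"), ("leaf", "leaf"))  # balanced: measure 2
assert horton_strahler(comb) == 1
assert horton_strahler(balanced) == 2
```

The comb-shaped tree illustrates why the measure can stay very small while the depth grows.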
The theorem goes as follows.
Theorem 7 (Size of binary trees). Let t be a binary tree of depth n and of Horton-Strahler measure k, k ≤ n. Then, the size of t is in O(n^k).

Proof. We can assume, without loss of generality, that the right branches of the tree are always at least as deep as the left branches. The proof is then by induction. If HS(t) = 1, then the left child of each node along the rightmost branch must be a leaf, and this branch can involve at most n nodes. If HS(t) = k, then, by the induction hypothesis, each left branch can contain at most n^(k−1) nodes, and there are fewer than n such branches.

It is in general the case that the components of a system are relatively reliable, i.e., the probability that they are working correctly at time t is (much) greater than 1/2. This means in turn that the probabilities of the other states must be less than 1/2. Therefore, the probability of a product of k such literals must be less than (1/2)^k. Consequently, if we put a threshold τ on the minimum probability of the products we consider, the size of these products must be smaller than −log 2 (τ). Hence the following corollary of Theorem 7.
Corollary 8 (Number of recursive calls to TruncateDecisionDiagram). Let d be the decision diagram representing a function built over n variables V 1 , . . . , V n . Assume that p(V i = ⊥ dom(V i ) ) ≥ 1/2 for i = 1, . . . , n. Then, the number of recursive calls to TruncateDecisionDiagram on d for a threshold τ is in O(n^(−log 2 (τ))), i.e., polynomial in n if τ is fixed independently of the problem. Consequently, the size of the returned decision diagram is also polynomial in n.
As we have seen, all of the other algorithms are polynomial in the size of their arguments, thanks to caching mechanisms. Hence the following second corollary.

Corollary 9 (Complexity of the approximation scheme). Let M be a finite degradation model built over n variables, let R ∈ U be an observer for M, and let 0 < τ < 1 be a threshold. Then, the process of calculating {π ∈ MCS (M R∈U ) ; p(π) ≥ τ} is in O(n^(−log 2 (τ))), i.e., polynomial in n.
The algorithm ExtractMCS • BuildTrDD is thus efficient in the usual sense of computational complexity theory.

Experimental Results
This section reports a few experimental results we obtained on the HIPPS TA4 described in Section 2. Table 3 gives the equations implementing a fault tree-like model (pictured in Figure 2) for the HIPPS TA4. This fault tree makes it possible to study different types of failures by means of a unique model, both at component and at system level. To the best of the authors' knowledge, such combinations have been formally defined neither in the standard nor in any other previous work.

Modeling
Fault trees are not the only way of describing the failures of a system as a combination of the failures of its components. It is sometimes more convenient to use reliability block diagrams because they reflect better the architecture of the system and the way flows of information, matter and energy circulate in the network of components. With that respect, Figure 1 can be seen as a block diagram. Each component can be seen as a basic block, with an internal state, some input flows and some output flows. Failures propagate through the block diagram. Using appropriate operators, the model for the whole safety instrumented system could be as described in Table 5.
The sets of equations described in Table 3 and in Table 5 are actually equivalent.
For the experiments reported below, we implemented a block-diagram model using the S2ML+FDS domain-specific modeling language. S2ML+FDS is one of the languages of the S2ML+X family [35]. This model is described in Appendix A. S2ML+FDS enhances the descriptive power of finite degradation structures with structuring constructs stemming from object-oriented programming. For this reason, it is much more powerful than the (implicit) internal modeling languages of tools such as HiP-HOPS [36].

Results
Results reported in this section have been obtained on the model described in Appendix A with Emmy, a prototype implementation of decision diagram algorithms to assess S2ML+FDS models.
Sensors can be in 4 different states, logic solvers and valves in 3. Therefore, the total number of possible states for the system is 4^3 × 3^4 = 5184. The decision diagram associated with the variable representing the global state of the safety instrumented system is made of 147 nodes. It encodes 3584 implications. Table 6 reports the probabilities, calculated from the decision diagram at t = 4380 (six months) and t = 8760 (one year), for the system to be failed safe, failed dangerous and failed dangerous undetected. The five minimal cutsets describing the conditions under which the system is failed safe are given in Table 7. They are encoded by a decision diagram made of seven nodes. This result is not surprising: if any of the electronic components fails safe, the production is stopped. The minimal cutsets describing the conditions under which the system is failed dangerous are given in Table 8. They are encoded by a decision diagram made of 13 nodes. Note that none of these minimal cutsets involves a safe or undetected failure. This follows from the partial order over states.
Finally, the minimal cutsets describing the conditions under which the system is failed dangerous undetected are given in Table 9. They are encoded by a decision diagram made of 23 nodes.

Conclusions
In this article, we presented decision diagram algorithms to extract minimal cutsets of finite degradation models. These algorithms rely on three pillars:
• The concept of finite degradation structure, which is at the core of combinatorial models used in reliability engineering.
• Two decomposition theorems, one for minimal cutsets and one for the "without" operator, which generalize those proposed by the first author for the Boolean case.
• The technology of decision diagrams, which generalizes Minato's zero-suppressed binary decision diagrams so as to handle discrete variables and functions.
We implemented these algorithms into a prototype tool, which aims primarily at testing ideas. Nevertheless, experiments we have made on systems described in safety standards such as ISO/TR 12489 showed the interest and the feasibility of the approach.
Finite degradation models bring a significant additional expressive power compared to Boolean models. The key issue is the definition of suitable finite degradation structures, such as the structure W3F we used to deal with the HIPPS TA4. This finite degradation structure actually makes it possible to deal with a very large class of systems, typically those addressed by the IEC 61508 standard. Other interesting finite degradation structures will probably emerge with experience.
As future work, we plan to perform a wide series of experiments and to lift up to finite degradation models the calculation of risk indicators such as safety integrity levels or importance measures.

Funding: This research received no external funding.

Acknowledgments: Although this research received no external funding, Antoine Rauzy has benefited for several years from strong support from the SAFRAN group, via the sponsoring of the chair Blériot-Fabre at CentraleSupélec (Paris, France).

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. S2ML + FDS Model for the Illustrative Use Case
We implemented the model for the HIPPS TA4 in the S2ML+FDS domain-specific modeling language. S2ML stands for system structure modeling language. S2ML is a versatile and complete set of constructs to structure models, stemming from object-oriented and prototype-oriented programming [35].
Languages of the S2ML+X family are the combination of S2ML with a mathematical framework (the X) to describe the behaviors of the systems under study. In our case, this mathematical framework consists of finite degradation models.
The model for the safety instrumented system pictured in Figure 1 can be split into three parts. The first part, given in Figure A1, describes the domains (the finite degradation structures) as well as the operators that will be used. Languages of the S2ML+X family use the prefix form for expressions. For instance, the expression (eq arg1 w) denotes the equality arg1 = w. Operators and, or and if (if-then-else) have their usual meaning. The second part, given in Figure A2, implements the classes used to describe the different types of components, i.e., sensors, logic solvers and valves. All these classes derive from an abstract class AbstractComponent, which can be seen as the implementation of a basic block of a block diagram. State variables are introduced by means of the attribute init (setting their initial or default value), while flow variables are introduced by means of the attribute reset.
Finally, the third part, given in Figure A3, implements the description of the safety instrumented system itself. It first declares instances of the classes Sensor, LogicSolver and IsolationValve, as well as a variable state to represent the state of the system as a whole. Then, it connects the different components. Finally, it declares the observers, i.e., the predicates for which minimal cutsets are calculated.
The above model illustrates the power of S2ML+FDS: domains and operators are easily implemented, classes can be defined to describe generic components, and models are designed by assembling components in a straightforward way.