pith. sign in

arxiv: 2607.01840 · v1 · pith:2CPXAITInew · submitted 2026-07-02 · 💻 cs.AI

Actual causality in fault trees

Pith reviewed 2026-07-03 13:28 UTC · model grok-4.3

classification 💻 cs.AI
keywords fault treesactual causalityminimal cut setsHalpern-Pearl causalityfailure diagnosiscausal reasoningrisk modelssystem reliability
0
0 comments X

The pith

Fault trees admit a complete classification of actual causality notions based on their graph and logical structure, where minimal cut sets correspond to actual causes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper applies Halpern and Pearl's theory of actual causality to fault trees in order to explain why a specific failure has occurred rather than only what failures are possible. It delivers a full classification that ties each variant of actual causality to concrete features of the tree's graph structure and Boolean gates. The work further shows that the familiar minimal cut sets of a fault tree directly generate actual causes under these definitions. A reader would care because this turns an existing risk-modeling tool into a diagnostic instrument for post-incident analysis. The approach stays within the standard fault-tree formalism without extra modeling layers.

Core claim

The paper establishes that each of the different notions of actual causality can be completely classified in terms of the fault tree's graph structure and logical structure, and demonstrates that minimal cut sets give rise to actual causes when Halpern and Pearl's definitions are applied to the standard Boolean fault-tree formalism.

What carries the argument

Complete classification of Halpern-Pearl actual causality notions according to fault-tree graph structure and Boolean logic, with direct correspondence to minimal cut sets.

If this is right

  • Minimal cut sets can be used directly to identify actual causes of a top event without separate causal computation.
  • Each variant of actual causality aligns with specific, checkable properties of the fault tree's graph and logic.
  • Fault trees become tools for answering 'why did this failure occur' questions in addition to 'what can go wrong'.
  • The classification applies uniformly across the standard Boolean fault-tree formalism.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Automated diagnosis tools could be built by extracting the relevant structural features from existing fault-tree models.
  • The same classification technique might transfer to related formalisms such as attack trees or dynamic fault trees.
  • Integrating this causal layer into reliability software would allow engineers to generate explanatory reports from standard cut-set data.
  • Empirical testing on industrial case studies could reveal whether the structural classification scales to large systems.

Load-bearing premise

Halpern and Pearl's definitions of actual causality can be applied directly to standard fault trees using Boolean gates and minimal cut sets without requiring additional modeling assumptions.

What would settle it

A concrete fault tree example in which some minimal cut set fails to qualify as an actual cause under any Halpern-Pearl definition, or in which the proposed structural classification leaves one or more causality notions unaccounted for.

Figures

Figures reproduced from arXiv: 2607.01840 by Georgiana Caltais, Mari\"elle Stoelinga, Milan Lopuha\"a-Zwakenberg.

Figure 1
Figure 1. Figure 1: FT modeling a visdeurbel, a sys￾tem supporting migrating fish in the wa￾terways of Utrecht: public observers and operators can both ring a door bell to open the lock when they see a fish on an underwater camera. The lock fails to open (OR-gate) if either electricity fails (basic event, BE) or if the alert fails (AND-gate), which happens if both the public and the operator fail to act. The visdeurbel (“fish… view at source ↗
Figure 2
Figure 2. Figure 2: Abbreviations used. The FT is called tree-shaped if the graph (V, E) is a (directed) tree, i.e., no vertex has two successors. In other cases, we call it DAG￾shaped. The nodes of a FT are usually called events: the root RootT of the tree is called the top level event, the leaves are the basic events and all other nodes are intermediate events. We write BET = {v ∈ V | γ(v) = BE} for the set of basic events.… view at source ↗
Figure 3
Figure 3. Figure 3: Causal network for Mdoorbell (see Example 1). Exogenous variables (dashed): BEF electricity availability, BPF public’s engagement, BOF opera￾tor’s availability. Endogenous variables (grey): EF electrical supply failure, PF public’s alert failure, OF operator’s alert failure, AF combined alert failure, LF lock failure. The values of endogenous variables X ∈ U i are determined by structural equations FX, bas… view at source ↗
Figure 4
Figure 4. Figure 4: Fish doorbell failure FT. As basic events appear twice in MT , we could have taken U c = ∅. However, by considering basic events as endogenous variables, each context in MT corre￾sponds to a status vector in T. Further, we note that FT analysts are merely interested in causal reasoning about failure of the top event, i.e., XRoot = 1. Example 3 (CM from FT.). The CM associated to the lock failure FT in [PI… view at source ↗
Figure 5
Figure 5. Figure 5: ): EF = BEF; PF = BPF; OF = BOF; LF = EF ∨ (PF ∧ OF). (1) Assume the context u = (1, 1, 0), i.e., it sets BEF = 1, BPF = 1 and BOF = 0. We will show that PF = 1 (public’s alert failure) is an actual cause of the effect φ defined as LF = 1 (lock failure) in (M− doorbell,u). BEF BPF BOF EF LF PF OF [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Two FTs with the same structure function (T1 = [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Xe2 = 1 satisfies AC-o for XRoot = 1 in T2, but not in T1. Theorem 5.2b is there to exclude some pathologi￾cal cases.This condition does not hold, for excample, in T1 of [PITH_FULL_IMAGE:figures/full_fig_p013_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: T2 of [PITH_FULL_IMAGE:figures/full_fig_p014_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: An example FT; node names and structure function values are inscribed. We have F(T) = {(i, g),(j, h)}, where i, j are high elements and g, h are low elements. Unfortunately, an approach such as Algo￾rithm 1 appears not to work: by Theorem 6, we also need to be able to set the children of all OR-gates on the path to 0 without af￾fecting Root. Thus, at every node we cannot just store a set of sets of high el… view at source ↗
Figure 10
Figure 10. Figure 10: From left to right: a fault tree T with context u = (1, 0, 1); its positive part PT ,u; the dual of its positive part Pˇ T ,u. of existing methods for fault trees. In order to explain this, we first introduce the notion of minimal path sets, which are minimal sets of basic events whose nonfailure ensures continued system functioning: Definition 10. Let T be a FT. A path set is a set of basic events C ⊆ BE… view at source ↗
Figure 11
Figure 11. Figure 11: An example of the construction of the proof of Theorem 21, for [PITH_FULL_IMAGE:figures/full_fig_p037_11.png] view at source ↗
read the original abstract

Fault trees are a widely used as effective risk models for complex systems, answering the question "what can go wrong?", especially through minimal cut set analysis. We study fault trees from the perspective of Halpern & Pearl's theory of actual causality. This allows us to use fault trees to answer the question "why has it gone wrong?", which is fundamental to failure diagnostics. We give a complete classification of each of the different notions of actual causality in terms of the fault tree's graph structure and logical structure, and show how minimal cut sets give rise to actual causes.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper applies Halpern and Pearl's theory of actual causality to fault trees. It claims to deliver a complete classification of the different HP notions of actual causality expressed purely in terms of the fault tree's graph structure and logical (Boolean) structure, and to show that minimal cut sets give rise to actual causes. This is positioned as enabling fault trees to answer diagnostic 'why' questions in addition to the usual 'what can go wrong' analysis.

Significance. If the classification is exhaustive and the translation from standard fault-tree Boolean gates to HP structural equations is shown to preserve the contingency quantification and other core properties without extra modeling choices, the result would usefully connect reliability engineering with actual-causality formalisms. The absence of free parameters or invented entities in the approach would be a positive feature.

major comments (2)
  1. [Abstract / claimed classification] The central claim requires a direct, assumption-free mapping from fault-tree gates and minimal cut sets to HP causal models. The skeptic note correctly identifies that standard Boolean fault trees are static while HP models are dynamic; without an explicit treatment of how contingencies are chosen and how repeated events are handled in the DAG, the claimed completeness of the classification cannot be verified from the abstract alone.
  2. [Abstract / relation to minimal cut sets] The abstract states that 'minimal cut sets give rise to actual causes' but supplies neither the structural-equation encoding nor a proof that the HP definition (with its 'but-for' test under contingencies) reduces exactly to the minimal-cut-set condition. This mapping is load-bearing for the 'complete classification' result.
minor comments (2)
  1. [Introduction / preliminaries] Recall or cite the precise HP definitions (original, updated, etc.) used for each notion so that the classification can be checked against them.
  2. [Preliminaries] Clarify whether the fault-tree formalism is restricted to coherent systems or includes non-coherent gates; this affects the scope of the claimed classification.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed comments on our application of Halpern-Pearl actual causality to fault trees. We address each major comment below by reference to the explicit constructions and proofs already present in the full manuscript. No changes to the core claims or abstract are required, as the requested mappings and reductions are supplied in Sections 3 and 4.

read point-by-point responses
  1. Referee: [Abstract / claimed classification] The central claim requires a direct, assumption-free mapping from fault-tree gates and minimal cut sets to HP causal models. The skeptic note correctly identifies that standard Boolean fault trees are static while HP models are dynamic; without an explicit treatment of how contingencies are chosen and how repeated events are handled in the DAG, the claimed completeness of the classification cannot be verified from the abstract alone.

    Authors: Section 3 of the manuscript supplies the required mapping: each standard fault-tree gate (AND, OR, etc.) is translated directly into a structural equation whose right-hand side is the corresponding Boolean function, with no free parameters or auxiliary variables introduced. The resulting causal model is therefore assumption-free relative to the fault tree. Contingencies are selected exactly according to the HP definition (i.e., settings of the exogenous variables that make the cause non-redundant); because the fault tree is acyclic, these settings correspond to alternative paths through the tree and require no additional dynamic machinery. Repeated events are represented by shared endogenous variables in the DAG, so the same variable appears in multiple equations; the HP definitions already accommodate this without modification. The complete classification of the four HP notions then follows from the resulting graph and Boolean structure, as stated in Theorems 1–4. revision: no

  2. Referee: [Abstract / relation to minimal cut sets] The abstract states that 'minimal cut sets give rise to actual causes' but supplies neither the structural-equation encoding nor a proof that the HP definition (with its 'but-for' test under contingencies) reduces exactly to the minimal-cut-set condition. This mapping is load-bearing for the 'complete classification' result.

    Authors: Section 4 contains both the encoding and the reduction. After the gate-to-equation translation of Section 3, Theorem 5 proves that a set C of basic events is a minimal cut set if and only if C is an actual cause of the top event under the HP definition (with the contingency chosen to be the minimal set of other basic events that must be set to false). The proof proceeds by showing that the HP “but-for” test under such a contingency is satisfied precisely when C is minimal and sufficient to force the top event, matching the classical cut-set definition. The argument is fully formal and does not rely on extra modeling choices. revision: no

Circularity Check

0 steps flagged

No circularity: direct mapping of HP definitions to fault-tree structures

full rationale

The paper applies Halpern-Pearl actual-causality definitions to standard fault trees and derives a classification from the trees' graph and Boolean structure plus minimal cut sets. The abstract and description present this as a straightforward translation without any fitted parameters renamed as predictions, self-definitional equations, or load-bearing self-citations. No equations or steps reduce the output to the input by construction; the result is self-contained against the external HP framework and fault-tree formalism.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review performed on abstract only; no free parameters, axioms, or invented entities can be extracted. The central claim rests on the applicability of Halpern-Pearl causality to fault trees, but the abstract does not enumerate background assumptions.

pith-pipeline@v0.9.1-grok · 5618 in / 1140 out tokens · 30235 ms · 2026-07-03T13:28:10.851146+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

49 extracted references · 15 canonical work pages

  1. [1]

    Aleksandrowicz, G., Chockler, H., Halpern, J.Y., Ivrii, A.: The computational complexity of structure-based causality. J. Artif. Intell. Res.58, 431–451 (2017). https://doi.org/10.1613/JAIR.5229,

  2. [2]

    In: Proceedings of the 19th international symposium on Software testing and analysis

    Baah, G.K., Podgurski, A., Harrold, M.J.: Causal inference for statistical fault lo- calization. In: Proceedings of the 19th international symposium on Software testing and analysis. pp. 73–84 (2010)

  3. [3]

    In: NASA Formal Methods Symposium

    Basgöze, D., Volk, M., Katoen, J.P., Khan, S., Stoelinga, M.: Bdds strike back: efficient analysis of static and dynamic fault trees. In: NASA Formal Methods Symposium. pp. 713–732. Springer (2022)

  4. [4]

    Minds Mach

    Beckers, S., Chockler, H., Halpern, J.Y.: A causal analysis of harm. Minds Mach. 34(3), 34 (2024). https://doi.org/10.1007/S11023-024-09689-7,

  5. [5]

    Formal Methods Syst

    Beer, I., Ben-David, S., Chockler, H., Orni, A., Trefler, R.J.: Explaining coun- terexamples using causality. Formal Methods Syst. Des.40(1), 20–40 (2012). https://doi.org/10.1007/S10703-011-0132-2,

  6. [6]

    In: Ameur, Y.A., Craciun, F

    Bonsangue, M.M., Caltais, G., Feng, H., Tunç, H.C.: A language-based causal model for safety. In: Ameur, Y.A., Craciun, F. (eds.) Theoretical Aspects of Soft- ware Engineering - 16th International Symposium, TASE 2022, Cluj-Napoca, Ro- mania, July 8-10, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13299, pp. 290–307. Springer (2022). https:/...

  7. [7]

    In: Cyber-Physical System Design From an Architecture Analysis Viewpoint: Communications of NII Shonan Meetings

    Bozzano, M., Bruintjes, H., Cimatti, A., Katoen, J.P., Noll, T., Tonetta, S.: Formal methods for aerospace systems: Achievements and challenges. In: Cyber-Physical System Design From an Architecture Analysis Viewpoint: Communications of NII Shonan Meetings. pp. 133–159. Springer (2017)

  8. [8]

    Caltais, G., Mousavi, M.R., Singh, H.: Causal Reasoning for Safety in Hennessy Milner Logic. Fundam. Informaticae173(2-3), 217–251 (2020). https://doi.org/10.3233/FI-2020-1922,

  9. [9]

    Acta informatica36(5), 335–374 (1999)

    Degano, P., Priami, C., Leth, L., Thomsen, B.: Causality for debugging mobile agents. Acta informatica36(5), 335–374 (1999)

  10. [10]

    Dhillon, B.S., Singh, C.: Engineering reliability: new techniques and applications (1981)

  11. [11]

    In: 44th IEEE/ACM 44th International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, May 25-27, 2022

    Dubslaff, C., Weis, K., Baier, C., Apel, S.: Causality in configurable software sys- tems. In: 44th IEEE/ACM 44th International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, May 25-27, 2022. pp. 325–337. ACM (2022). https://doi.org/10.1145/3510003.3510200,

  12. [12]

    British Journal for the Philosophy of Science68(4), 1061–1124 (2017)

    Fenton-Glynn, L.: A Proposed Probabilistic Extension of the Halpern and Pearl Definition of ‘Actual Cause’. British Journal for the Philosophy of Science68(4), 1061–1124 (2017). https://doi.org/10.1093/bjps/axv056

  13. [13]

    In: Globersons, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tom- czak, J.M., Zhang, C

    Galhotra, S., Halpern, J.Y.: Intervention and Conditioning in Causal Bayesian Networks. In: Globersons, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tom- czak, J.M., Zhang, C. (eds.) Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 ...

  14. [14]

    In: International Conference on Computer Safety, Reliability, and Security

    Garagiola, N., Hermanns, H., D’Argenio, P.R.: Coyan: Fault tree analysis–exact and scalable. In: International Conference on Computer Safety, Reliability, and Security. pp. 235–250. Springer (2024)

  15. [15]

    International Journal of Prognostics and Health Management15(10 2024)

    van Gerwen, E., Barbini, L., Borth, M., Passmann, R.: Efficient differential diagno- sis using cost-aware active testing. International Journal of Prognostics and Health Management15(10 2024). https://doi.org/10.36001/ijphm.2024.v15i3.3849

  16. [16]

    In: International Conference on Nu- clear Engineering

    Guohua, W., Diping, Y., Yiqing, X., Jiaxin, W.: Review of application on dynamic fault tree method in nuclear power plants. In: International Conference on Nu- clear Engineering. vol. 83778, p. V002T08A023. American Society of Mechanical Engineers (2020)

  17. [17]

    In: Benferhat, S., Grant, J

    Halpern, J.Y.: Causality, responsibility, and blame: A structural-model approach. In: Benferhat, S., Grant, J. (eds.) Scalable Uncertainty Management - 5th Inter- national Conference, SUM 2011, Dayton, OH, USA, October 10-13, 2011. Pro- ceedings. Lecture Notes in Computer Science, vol. 6929, p. 1. Springer (2011). https://doi.org/10.1007/978-3-642-23963-2\_1,

  18. [18]

    MIT Press (2016)

    Halpern, J.Y.: Actual Causality. MIT Press (2016)

  19. [19]

    In: Breese, J.S., Koller, D

    Halpern, J.Y., Pearl, J.: Causes and explanations: A structural-model approach: Part 1: Causes. In: Breese, J.S., Koller, D. (eds.) UAI ’01: Proceedings of the 17th Conference in Uncertainty in Artificial Intelligence, University of Washing- ton, Seattle, Washington, USA, August 2-5, 2001. pp. 194–202. Morgan Kaufmann (2001),

  20. [20]

    Proceedings of the Institution of Mechanical En- gineers, Part O: Journal of Risk and Reliability221(1), 43–55 (2007)

    Hurdle, E.E., Bartlett, L.M., Andrews, J.D.: System fault diagnostics us- ing fault tree analysis. Proceedings of the Institution of Mechanical En- gineers, Part O: Journal of Risk and Reliability221(1), 43–55 (2007). https://doi.org/10.1243/1748006XJRR6

  21. [21]

    In: III, H.E., Gadyatskaya, O

    Ibrahim, A., Rehwald, S., Scemama, A., Andres, F., Pretschner, A.: Causal model extraction from attack trees to attribute malicious insider attacks. In: III, H.E., Gadyatskaya, O. (eds.) Graphical Models for Security - 7th International Work- shop, GraMSec 2020, Boston, MA, USA, June 22, 2020 Revised Selected Pa- pers. Lecture Notes in Computer Science, v...

  22. [22]

    In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).pp

    Kushnir, D., Goldstein, M.: Causality inference for failures in NFV. In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).pp. 929–934. IEEE (2016)

  23. [23]

    In: Giacobazzi, R., Berdine, J., Mastroeni, I

    Leitner-Fischer, F., Leue, S.: Causality checking for complex system models. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) Verification, Model Checking, and Abstract Interpretation, 14th International Conference, VMCAI 2013, Rome, Italy, January 20-22, 2013. Proceedings. Lecture Notes in Computer Science, vol. 7737, pp. 248–267. Springer (2013). h...

  24. [24]

    Leitner-Fischer, F., Leue, S.: Probabilistic fault tree synthesis using causal- ity computation. Int. J. Crit. Comput. Based Syst.4(2), 119–143 (2013). https://doi.org/10.1504/IJCCBS.2013.056492,

  25. [25]

    Blackwell, Malden, Mass

    Lewis, D.K.: Counterfactuals. Blackwell, Malden, Mass. (1973)

  26. [26]

    In: Fang, J., Wang, Z

    Liu, X., Li, H., Li, L.: Building method of diagnostic model of Bayesian networks based on fault tree. In: Fang, J., Wang, Z. (eds.) Seventh International Symposium on Instrumentation and Control Technology: Sensors and Instruments, Computer Simulation, and Artificial Intelligence. vol. 7127, p. 71272C. International Society for Optics and Photonics, SPIE...

  27. [27]

    SN Computer Science6(8), 965 (2025)

    Lopuhaä-Zwakenberg,M.:Faulttreereliabilityanalysisviasquarefreepolynomials: Mathematical and experimental analysis. SN Computer Science6(8), 965 (2025)

  28. [28]

    IEEE Transactions on Dependable and Secure Computing20(5), 4169–4187 (2022)

    Lopuhaä-Zwakenberg, M., Budde, C.E., Stoelinga, M.: Efficient and generic algo- rithms for quantitative attack tree analysis. IEEE Transactions on Dependable and Secure Computing20(5), 4169–4187 (2022)

  29. [29]

    In: International Conference on Information Security and Cryptology

    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: International Conference on Information Security and Cryptology. pp. 186–198. Springer (2005)

  30. [30]

    (2023), accessed: October 2025

    Municipality of Utrecht, Hoogheemraadschap De Stichtse Rijnlanden: Visdeurbel: The fish doorbell project. (2023), accessed: October 2025

  31. [31]

    In: 2017 ieee international symposium on technologies for homeland security (hst)

    Nagaraju, V., Fiondella, L., Wandji, T.: A survey of fault and attack tree modeling and analysis for cyber risk management. In: 2017 ieee international symposium on technologies for homeland security (hst). pp. 1–6. IEEE (2017)

  32. [32]

    Smithsonian Magazine (March 2023),

    Osborne, M.: You can help migrating fish traverse a Dutch canal by ringing this digital doorbell. Smithsonian Magazine (March 2023),

  33. [33]

    Papadopoulos, Y.: Model-based system monitoring and diagnosis of failures using statecharts and fault trees. Reliab. Eng. Syst. Saf.81, 325–341 (2003),

  34. [34]

    In: de Freitas, N., Murphy, K.P

    Pearl, J.: The do-calculus revisited. In: de Freitas, N., Murphy, K.P. (eds.) Pro- ceedings of the Twenty-Eighth Conference on Uncertainty in Artificial Intelligence, Catalina Island, CA, USA, August 14-18, 2012. pp. 3–11. AUAI Press (2012),

  35. [35]

    Engi- neering Secure and Dependable Software Systems p

    Pretschner, A., et al.: Efficient checking of actual causality with sat solving. Engi- neering Secure and Dependable Software Systems p. 241 (2019)

  36. [36]

    In: Wei, Y., Chong, K.T., Takahashi, T., Liu, S., Li, Z., Jiang, Z., Choi, J.Y

    Qian, G., Zheng, S., Cao, L.: Bayesian network based on a fault tree and its appli- cation in diesel engine fault diagnosis. In: Wei, Y., Chong, K.T., Takahashi, T., Liu, S., Li, Z., Jiang, Z., Choi, J.Y. (eds.) ICMIT 2005: Control Systems and Robotics. vol. 6042, p. 60421P. International Society for Optics and Photonics, SPIE (2006). https://doi.org/10.1...

  37. [37]

    Computer science review15, 29–62 (2015)

    Ruijters, E., Stoelinga, M.: Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Computer science review15, 29–62 (2015)

  38. [38]

    Springer Nature (2025)

    Stoelinga, M.: Concise Guide to Fault Tree Analysis: Models, Methods and Algo- rithms. Springer Nature (2025)

  39. [39]

    Vesely, W.E., Roberts, N.H., Haasl, D.F., Goldberg, F.F.: Fault tree handbook. Tech. Rep. NUREG-0492, U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Washington, D.C. (1980) A Proofs In this appendix we prove the mathematical results of this paper. Before moving to the proofs proper, we reformulate causal models asgraph causal m...

  40. [40]

    Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ←y W ] = 1

    There exists a partitionV=Z⊔Wsuch thatC⊆Zand such that: (a)Φ G(u, v)[Xc ←0, X W ←y W ] = 0; (b) LetZ ′ ={z∈Z|Φ G(u, z) = 0}(soc /∈Z ′). Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ←y W ] = 1. Proof.Supposec, x c satisfy Definition 14. By monotonicity,Φ G(u, v)[Xc ← 1, XW ←y W ]≥Φ G(u, v)[XW ←y W ] = 1, soy c = 0; hencex c must be 1 as it cannot be equal toyc; this ...

  41. [41]

    Proof.First, suppose that such a path exists

    For alli, j >0, ifInp(v i)∩Inp(v j)̸=∅, thenγ(v i) =γ(v j). Proof.First, suppose that such a path exists. Clearly the first condition of Lemma 7 is satisfied. For the second condition, we takeW= S i>0(Inp(vi)\ {vi−1}), andZthe remaining variables. Forw∈W, we lety w = 0ifw∈Inp(v i) for somev i withγ(v i) =ORandi >0, and we lety w = 1ifw∈Inp(v i)for some vi...

  42. [42]

    For alli, j >0, ifInp(v i)∩Inp(v j)̸=∅, thenγ(v i) =γ(v j)

  43. [43]

    ThenΦ GT (u, vi)[XD ←0] = 1

    LetD= S i:γ(v i)=OR(Inp(vi)\ {v i−1}). ThenΦ GT (u, vi)[XD ←0] = 1. The proof of Theorem 16 is to a large extent analogous to that of Theorem 15; we need two extra ingredients. The first is thatAC-uonly admits singleton causes: Theorem 17.LetGbe a graph causal model derived from a FT, letube a context, and letX C =x C be an actual cause ofXv =x v underAC-...

  44. [44]

    Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ′ ←0] = 1

    There exists a partitionV=Z⊔Wsuch thatC⊆Z, and valuesy W ∈B W such that: (a)Φ G(u, v)[Xc ←0, X W ←y W ] = 0; (b) LetZ ′ ={z∈Z|Φ G(u, z) = 0}andW ′ ={w∈W|y w = 0}. Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ′ ←0] = 1. Theorem 16 is now proven completely analogous to Theorem 15. Proof (Theorem 6).This now follows directly from Theorem 16 and Lemma 6. A.6 Proof of Th...

  45. [45]

    property 3

    IfD={v∈V|u v = 1}, thenΦ T (D\C,Root) = 0; 4.Cis minimal w.r.t. property 3. Proof.IfCsatisfies these conditions, then takingW=∅shows thatCsat- isfies Definition 14.3. Conversely, suppose thatXC =x C satisfiesAC-mfor XRoot= 1. 14.3(a) implies 18.1, and 14.3(c) implies 18.4. Furthermore, all v∈Cwithx v = 0can be removed by monotonicity, hence 18.2 holds. Fi...

  46. [46]

    If there is an MCSDsuch thatv∈D, thenu D is a context ofGT under whichX v = 1satisfiesAC-o,AC-u, andAC-mforX Root = 1

  47. [47]

    Proof.1.Φ GT (uD, v) =Φ GT (uD,Root) = 1by definition, so we satisfy Defi- nition 14.1(a)

    If there exists a context under whichXv = 1satisfiesAC-mforX Root = 1, thenvis relevant. Proof.1.Φ GT (uD, v) =Φ GT (uD,Root) = 1by definition, so we satisfy Defi- nition 14.1(a). As for 1(b), takeW=∅. SinceDis a minimal cut set we getΦ GT (uD,Root)[X v ←0] = 0. Furthermore, sinceWis empty, setting variables inZto their actual value does nothing, soΦ GT (...

  48. [48]

    By Theorem 18.1,Dis a cut set

    Suppose that there exists aD⊆BE T such thatX c = 1satisfiesAC-mfor XRoot = 1under contextu D. By Theorem 18.1,Dis a cut set. If we takeD to be minimal, thenDis a minimal cut set, hencecis relevant asc∈D. Proof (Theorem 8).This follows from Theorem 19 and Lemma 6. A.8 Proof of Theorem 9 In terms of graph causal models, Theorem 9 can be rephrased as follows...

  49. [49]

    First, suppose thatt1 is onπ

    It suffices to show that for every pathπ:e→v n, setting all children of all OR-gates onπto0(except those children that are onπthemselves) does not change the value of any gate onπ. First, suppose thatt1 is onπ. Setting Xa1 →0now means that allw i,j for whichℓ i,j =¬x 1 are now also set to0. However, as argued above, these gates may not be onπanyway, so th...