Actual causality in fault trees
Pith reviewed 2026-07-03 13:28 UTC · model grok-4.3
The pith
Fault trees admit a complete classification of actual causality notions based on their graph and logical structure, where minimal cut sets correspond to actual causes.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper establishes that each of the different notions of actual causality can be completely classified in terms of the fault tree's graph structure and logical structure, and demonstrates that minimal cut sets give rise to actual causes when Halpern and Pearl's definitions are applied to the standard Boolean fault-tree formalism.
What carries the argument
Complete classification of Halpern-Pearl actual causality notions according to fault-tree graph structure and Boolean logic, with direct correspondence to minimal cut sets.
If this is right
- Minimal cut sets can be used directly to identify actual causes of a top event without separate causal computation.
- Each variant of actual causality aligns with specific, checkable properties of the fault tree's graph and logic.
- Fault trees become tools for answering 'why did this failure occur' questions in addition to 'what can go wrong'.
- The classification applies uniformly across the standard Boolean fault-tree formalism.
Where Pith is reading between the lines
- Automated diagnosis tools could be built by extracting the relevant structural features from existing fault-tree models.
- The same classification technique might transfer to related formalisms such as attack trees or dynamic fault trees.
- Integrating this causal layer into reliability software would allow engineers to generate explanatory reports from standard cut-set data.
- Empirical testing on industrial case studies could reveal whether the structural classification scales to large systems.
Load-bearing premise
Halpern and Pearl's definitions of actual causality can be applied directly to standard fault trees using Boolean gates and minimal cut sets without requiring additional modeling assumptions.
What would settle it
A concrete fault tree example in which some minimal cut set fails to qualify as an actual cause under any Halpern-Pearl definition, or in which the proposed structural classification leaves one or more causality notions unaccounted for.
Figures
read the original abstract
Fault trees are a widely used as effective risk models for complex systems, answering the question "what can go wrong?", especially through minimal cut set analysis. We study fault trees from the perspective of Halpern & Pearl's theory of actual causality. This allows us to use fault trees to answer the question "why has it gone wrong?", which is fundamental to failure diagnostics. We give a complete classification of each of the different notions of actual causality in terms of the fault tree's graph structure and logical structure, and show how minimal cut sets give rise to actual causes.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper applies Halpern and Pearl's theory of actual causality to fault trees. It claims to deliver a complete classification of the different HP notions of actual causality expressed purely in terms of the fault tree's graph structure and logical (Boolean) structure, and to show that minimal cut sets give rise to actual causes. This is positioned as enabling fault trees to answer diagnostic 'why' questions in addition to the usual 'what can go wrong' analysis.
Significance. If the classification is exhaustive and the translation from standard fault-tree Boolean gates to HP structural equations is shown to preserve the contingency quantification and other core properties without extra modeling choices, the result would usefully connect reliability engineering with actual-causality formalisms. The absence of free parameters or invented entities in the approach would be a positive feature.
major comments (2)
- [Abstract / claimed classification] The central claim requires a direct, assumption-free mapping from fault-tree gates and minimal cut sets to HP causal models. The skeptic note correctly identifies that standard Boolean fault trees are static while HP models are dynamic; without an explicit treatment of how contingencies are chosen and how repeated events are handled in the DAG, the claimed completeness of the classification cannot be verified from the abstract alone.
- [Abstract / relation to minimal cut sets] The abstract states that 'minimal cut sets give rise to actual causes' but supplies neither the structural-equation encoding nor a proof that the HP definition (with its 'but-for' test under contingencies) reduces exactly to the minimal-cut-set condition. This mapping is load-bearing for the 'complete classification' result.
minor comments (2)
- [Introduction / preliminaries] Recall or cite the precise HP definitions (original, updated, etc.) used for each notion so that the classification can be checked against them.
- [Preliminaries] Clarify whether the fault-tree formalism is restricted to coherent systems or includes non-coherent gates; this affects the scope of the claimed classification.
Simulated Author's Rebuttal
We thank the referee for the detailed comments on our application of Halpern-Pearl actual causality to fault trees. We address each major comment below by reference to the explicit constructions and proofs already present in the full manuscript. No changes to the core claims or abstract are required, as the requested mappings and reductions are supplied in Sections 3 and 4.
read point-by-point responses
-
Referee: [Abstract / claimed classification] The central claim requires a direct, assumption-free mapping from fault-tree gates and minimal cut sets to HP causal models. The skeptic note correctly identifies that standard Boolean fault trees are static while HP models are dynamic; without an explicit treatment of how contingencies are chosen and how repeated events are handled in the DAG, the claimed completeness of the classification cannot be verified from the abstract alone.
Authors: Section 3 of the manuscript supplies the required mapping: each standard fault-tree gate (AND, OR, etc.) is translated directly into a structural equation whose right-hand side is the corresponding Boolean function, with no free parameters or auxiliary variables introduced. The resulting causal model is therefore assumption-free relative to the fault tree. Contingencies are selected exactly according to the HP definition (i.e., settings of the exogenous variables that make the cause non-redundant); because the fault tree is acyclic, these settings correspond to alternative paths through the tree and require no additional dynamic machinery. Repeated events are represented by shared endogenous variables in the DAG, so the same variable appears in multiple equations; the HP definitions already accommodate this without modification. The complete classification of the four HP notions then follows from the resulting graph and Boolean structure, as stated in Theorems 1–4. revision: no
-
Referee: [Abstract / relation to minimal cut sets] The abstract states that 'minimal cut sets give rise to actual causes' but supplies neither the structural-equation encoding nor a proof that the HP definition (with its 'but-for' test under contingencies) reduces exactly to the minimal-cut-set condition. This mapping is load-bearing for the 'complete classification' result.
Authors: Section 4 contains both the encoding and the reduction. After the gate-to-equation translation of Section 3, Theorem 5 proves that a set C of basic events is a minimal cut set if and only if C is an actual cause of the top event under the HP definition (with the contingency chosen to be the minimal set of other basic events that must be set to false). The proof proceeds by showing that the HP “but-for” test under such a contingency is satisfied precisely when C is minimal and sufficient to force the top event, matching the classical cut-set definition. The argument is fully formal and does not rely on extra modeling choices. revision: no
Circularity Check
No circularity: direct mapping of HP definitions to fault-tree structures
full rationale
The paper applies Halpern-Pearl actual-causality definitions to standard fault trees and derives a classification from the trees' graph and Boolean structure plus minimal cut sets. The abstract and description present this as a straightforward translation without any fitted parameters renamed as predictions, self-definitional equations, or load-bearing self-citations. No equations or steps reduce the output to the input by construction; the result is self-contained against the external HP framework and fault-tree formalism.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Aleksandrowicz, G., Chockler, H., Halpern, J.Y., Ivrii, A.: The computational complexity of structure-based causality. J. Artif. Intell. Res.58, 431–451 (2017). https://doi.org/10.1613/JAIR.5229,
-
[2]
In: Proceedings of the 19th international symposium on Software testing and analysis
Baah, G.K., Podgurski, A., Harrold, M.J.: Causal inference for statistical fault lo- calization. In: Proceedings of the 19th international symposium on Software testing and analysis. pp. 73–84 (2010)
2010
-
[3]
In: NASA Formal Methods Symposium
Basgöze, D., Volk, M., Katoen, J.P., Khan, S., Stoelinga, M.: Bdds strike back: efficient analysis of static and dynamic fault trees. In: NASA Formal Methods Symposium. pp. 713–732. Springer (2022)
2022
-
[4]
Beckers, S., Chockler, H., Halpern, J.Y.: A causal analysis of harm. Minds Mach. 34(3), 34 (2024). https://doi.org/10.1007/S11023-024-09689-7,
-
[5]
Beer, I., Ben-David, S., Chockler, H., Orni, A., Trefler, R.J.: Explaining coun- terexamples using causality. Formal Methods Syst. Des.40(1), 20–40 (2012). https://doi.org/10.1007/S10703-011-0132-2,
-
[6]
Bonsangue, M.M., Caltais, G., Feng, H., Tunç, H.C.: A language-based causal model for safety. In: Ameur, Y.A., Craciun, F. (eds.) Theoretical Aspects of Soft- ware Engineering - 16th International Symposium, TASE 2022, Cluj-Napoca, Ro- mania, July 8-10, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13299, pp. 290–307. Springer (2022). https:/...
-
[7]
In: Cyber-Physical System Design From an Architecture Analysis Viewpoint: Communications of NII Shonan Meetings
Bozzano, M., Bruintjes, H., Cimatti, A., Katoen, J.P., Noll, T., Tonetta, S.: Formal methods for aerospace systems: Achievements and challenges. In: Cyber-Physical System Design From an Architecture Analysis Viewpoint: Communications of NII Shonan Meetings. pp. 133–159. Springer (2017)
2017
-
[8]
Caltais, G., Mousavi, M.R., Singh, H.: Causal Reasoning for Safety in Hennessy Milner Logic. Fundam. Informaticae173(2-3), 217–251 (2020). https://doi.org/10.3233/FI-2020-1922,
-
[9]
Acta informatica36(5), 335–374 (1999)
Degano, P., Priami, C., Leth, L., Thomsen, B.: Causality for debugging mobile agents. Acta informatica36(5), 335–374 (1999)
1999
-
[10]
Dhillon, B.S., Singh, C.: Engineering reliability: new techniques and applications (1981)
1981
-
[11]
Dubslaff, C., Weis, K., Baier, C., Apel, S.: Causality in configurable software sys- tems. In: 44th IEEE/ACM 44th International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, May 25-27, 2022. pp. 325–337. ACM (2022). https://doi.org/10.1145/3510003.3510200,
-
[12]
British Journal for the Philosophy of Science68(4), 1061–1124 (2017)
Fenton-Glynn, L.: A Proposed Probabilistic Extension of the Halpern and Pearl Definition of ‘Actual Cause’. British Journal for the Philosophy of Science68(4), 1061–1124 (2017). https://doi.org/10.1093/bjps/axv056
-
[13]
In: Globersons, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tom- czak, J.M., Zhang, C
Galhotra, S., Halpern, J.Y.: Intervention and Conditioning in Causal Bayesian Networks. In: Globersons, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tom- czak, J.M., Zhang, C. (eds.) Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada, December 10 ...
2024
-
[14]
In: International Conference on Computer Safety, Reliability, and Security
Garagiola, N., Hermanns, H., D’Argenio, P.R.: Coyan: Fault tree analysis–exact and scalable. In: International Conference on Computer Safety, Reliability, and Security. pp. 235–250. Springer (2024)
2024
-
[15]
International Journal of Prognostics and Health Management15(10 2024)
van Gerwen, E., Barbini, L., Borth, M., Passmann, R.: Efficient differential diagno- sis using cost-aware active testing. International Journal of Prognostics and Health Management15(10 2024). https://doi.org/10.36001/ijphm.2024.v15i3.3849
-
[16]
In: International Conference on Nu- clear Engineering
Guohua, W., Diping, Y., Yiqing, X., Jiaxin, W.: Review of application on dynamic fault tree method in nuclear power plants. In: International Conference on Nu- clear Engineering. vol. 83778, p. V002T08A023. American Society of Mechanical Engineers (2020)
2020
-
[17]
Halpern, J.Y.: Causality, responsibility, and blame: A structural-model approach. In: Benferhat, S., Grant, J. (eds.) Scalable Uncertainty Management - 5th Inter- national Conference, SUM 2011, Dayton, OH, USA, October 10-13, 2011. Pro- ceedings. Lecture Notes in Computer Science, vol. 6929, p. 1. Springer (2011). https://doi.org/10.1007/978-3-642-23963-2\_1,
-
[18]
MIT Press (2016)
Halpern, J.Y.: Actual Causality. MIT Press (2016)
2016
-
[19]
In: Breese, J.S., Koller, D
Halpern, J.Y., Pearl, J.: Causes and explanations: A structural-model approach: Part 1: Causes. In: Breese, J.S., Koller, D. (eds.) UAI ’01: Proceedings of the 17th Conference in Uncertainty in Artificial Intelligence, University of Washing- ton, Seattle, Washington, USA, August 2-5, 2001. pp. 194–202. Morgan Kaufmann (2001),
2001
-
[20]
Hurdle, E.E., Bartlett, L.M., Andrews, J.D.: System fault diagnostics us- ing fault tree analysis. Proceedings of the Institution of Mechanical En- gineers, Part O: Journal of Risk and Reliability221(1), 43–55 (2007). https://doi.org/10.1243/1748006XJRR6
-
[21]
Ibrahim, A., Rehwald, S., Scemama, A., Andres, F., Pretschner, A.: Causal model extraction from attack trees to attribute malicious insider attacks. In: III, H.E., Gadyatskaya, O. (eds.) Graphical Models for Security - 7th International Work- shop, GraMSec 2020, Boston, MA, USA, June 22, 2020 Revised Selected Pa- pers. Lecture Notes in Computer Science, v...
-
[22]
In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).pp
Kushnir, D., Goldstein, M.: Causality inference for failures in NFV. In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).pp. 929–934. IEEE (2016)
2016
-
[23]
In: Giacobazzi, R., Berdine, J., Mastroeni, I
Leitner-Fischer, F., Leue, S.: Causality checking for complex system models. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) Verification, Model Checking, and Abstract Interpretation, 14th International Conference, VMCAI 2013, Rome, Italy, January 20-22, 2013. Proceedings. Lecture Notes in Computer Science, vol. 7737, pp. 248–267. Springer (2013). h...
-
[24]
Leitner-Fischer, F., Leue, S.: Probabilistic fault tree synthesis using causal- ity computation. Int. J. Crit. Comput. Based Syst.4(2), 119–143 (2013). https://doi.org/10.1504/IJCCBS.2013.056492,
-
[25]
Blackwell, Malden, Mass
Lewis, D.K.: Counterfactuals. Blackwell, Malden, Mass. (1973)
1973
-
[26]
Liu, X., Li, H., Li, L.: Building method of diagnostic model of Bayesian networks based on fault tree. In: Fang, J., Wang, Z. (eds.) Seventh International Symposium on Instrumentation and Control Technology: Sensors and Instruments, Computer Simulation, and Artificial Intelligence. vol. 7127, p. 71272C. International Society for Optics and Photonics, SPIE...
-
[27]
SN Computer Science6(8), 965 (2025)
Lopuhaä-Zwakenberg,M.:Faulttreereliabilityanalysisviasquarefreepolynomials: Mathematical and experimental analysis. SN Computer Science6(8), 965 (2025)
2025
-
[28]
IEEE Transactions on Dependable and Secure Computing20(5), 4169–4187 (2022)
Lopuhaä-Zwakenberg, M., Budde, C.E., Stoelinga, M.: Efficient and generic algo- rithms for quantitative attack tree analysis. IEEE Transactions on Dependable and Secure Computing20(5), 4169–4187 (2022)
2022
-
[29]
In: International Conference on Information Security and Cryptology
Mauw, S., Oostdijk, M.: Foundations of attack trees. In: International Conference on Information Security and Cryptology. pp. 186–198. Springer (2005)
2005
-
[30]
(2023), accessed: October 2025
Municipality of Utrecht, Hoogheemraadschap De Stichtse Rijnlanden: Visdeurbel: The fish doorbell project. (2023), accessed: October 2025
2023
-
[31]
In: 2017 ieee international symposium on technologies for homeland security (hst)
Nagaraju, V., Fiondella, L., Wandji, T.: A survey of fault and attack tree modeling and analysis for cyber risk management. In: 2017 ieee international symposium on technologies for homeland security (hst). pp. 1–6. IEEE (2017)
2017
-
[32]
Smithsonian Magazine (March 2023),
Osborne, M.: You can help migrating fish traverse a Dutch canal by ringing this digital doorbell. Smithsonian Magazine (March 2023),
2023
-
[33]
Papadopoulos, Y.: Model-based system monitoring and diagnosis of failures using statecharts and fault trees. Reliab. Eng. Syst. Saf.81, 325–341 (2003),
2003
-
[34]
In: de Freitas, N., Murphy, K.P
Pearl, J.: The do-calculus revisited. In: de Freitas, N., Murphy, K.P. (eds.) Pro- ceedings of the Twenty-Eighth Conference on Uncertainty in Artificial Intelligence, Catalina Island, CA, USA, August 14-18, 2012. pp. 3–11. AUAI Press (2012),
2012
-
[35]
Engi- neering Secure and Dependable Software Systems p
Pretschner, A., et al.: Efficient checking of actual causality with sat solving. Engi- neering Secure and Dependable Software Systems p. 241 (2019)
2019
-
[36]
In: Wei, Y., Chong, K.T., Takahashi, T., Liu, S., Li, Z., Jiang, Z., Choi, J.Y
Qian, G., Zheng, S., Cao, L.: Bayesian network based on a fault tree and its appli- cation in diesel engine fault diagnosis. In: Wei, Y., Chong, K.T., Takahashi, T., Liu, S., Li, Z., Jiang, Z., Choi, J.Y. (eds.) ICMIT 2005: Control Systems and Robotics. vol. 6042, p. 60421P. International Society for Optics and Photonics, SPIE (2006). https://doi.org/10.1...
-
[37]
Computer science review15, 29–62 (2015)
Ruijters, E., Stoelinga, M.: Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Computer science review15, 29–62 (2015)
2015
-
[38]
Springer Nature (2025)
Stoelinga, M.: Concise Guide to Fault Tree Analysis: Models, Methods and Algo- rithms. Springer Nature (2025)
2025
-
[39]
Vesely, W.E., Roberts, N.H., Haasl, D.F., Goldberg, F.F.: Fault tree handbook. Tech. Rep. NUREG-0492, U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Washington, D.C. (1980) A Proofs In this appendix we prove the mathematical results of this paper. Before moving to the proofs proper, we reformulate causal models asgraph causal m...
1980
-
[40]
Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ←y W ] = 1
There exists a partitionV=Z⊔Wsuch thatC⊆Zand such that: (a)Φ G(u, v)[Xc ←0, X W ←y W ] = 0; (b) LetZ ′ ={z∈Z|Φ G(u, z) = 0}(soc /∈Z ′). Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ←y W ] = 1. Proof.Supposec, x c satisfy Definition 14. By monotonicity,Φ G(u, v)[Xc ← 1, XW ←y W ]≥Φ G(u, v)[XW ←y W ] = 1, soy c = 0; hencex c must be 1 as it cannot be equal toyc; this ...
-
[41]
Proof.First, suppose that such a path exists
For alli, j >0, ifInp(v i)∩Inp(v j)̸=∅, thenγ(v i) =γ(v j). Proof.First, suppose that such a path exists. Clearly the first condition of Lemma 7 is satisfied. For the second condition, we takeW= S i>0(Inp(vi)\ {vi−1}), andZthe remaining variables. Forw∈W, we lety w = 0ifw∈Inp(v i) for somev i withγ(v i) =ORandi >0, and we lety w = 1ifw∈Inp(v i)for some vi...
-
[42]
For alli, j >0, ifInp(v i)∩Inp(v j)̸=∅, thenγ(v i) =γ(v j)
-
[43]
ThenΦ GT (u, vi)[XD ←0] = 1
LetD= S i:γ(v i)=OR(Inp(vi)\ {v i−1}). ThenΦ GT (u, vi)[XD ←0] = 1. The proof of Theorem 16 is to a large extent analogous to that of Theorem 15; we need two extra ingredients. The first is thatAC-uonly admits singleton causes: Theorem 17.LetGbe a graph causal model derived from a FT, letube a context, and letX C =x C be an actual cause ofXv =x v underAC-...
-
[44]
Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ′ ←0] = 1
There exists a partitionV=Z⊔Wsuch thatC⊆Z, and valuesy W ∈B W such that: (a)Φ G(u, v)[Xc ←0, X W ←y W ] = 0; (b) LetZ ′ ={z∈Z|Φ G(u, z) = 0}andW ′ ={w∈W|y w = 0}. Then ΦG(u, v)[Xc ←1, X Z′ ←0, X W ′ ←0] = 1. Theorem 16 is now proven completely analogous to Theorem 15. Proof (Theorem 6).This now follows directly from Theorem 16 and Lemma 6. A.6 Proof of Th...
-
[45]
property 3
IfD={v∈V|u v = 1}, thenΦ T (D\C,Root) = 0; 4.Cis minimal w.r.t. property 3. Proof.IfCsatisfies these conditions, then takingW=∅shows thatCsat- isfies Definition 14.3. Conversely, suppose thatXC =x C satisfiesAC-mfor XRoot= 1. 14.3(a) implies 18.1, and 14.3(c) implies 18.4. Furthermore, all v∈Cwithx v = 0can be removed by monotonicity, hence 18.2 holds. Fi...
-
[46]
If there is an MCSDsuch thatv∈D, thenu D is a context ofGT under whichX v = 1satisfiesAC-o,AC-u, andAC-mforX Root = 1
-
[47]
Proof.1.Φ GT (uD, v) =Φ GT (uD,Root) = 1by definition, so we satisfy Defi- nition 14.1(a)
If there exists a context under whichXv = 1satisfiesAC-mforX Root = 1, thenvis relevant. Proof.1.Φ GT (uD, v) =Φ GT (uD,Root) = 1by definition, so we satisfy Defi- nition 14.1(a). As for 1(b), takeW=∅. SinceDis a minimal cut set we getΦ GT (uD,Root)[X v ←0] = 0. Furthermore, sinceWis empty, setting variables inZto their actual value does nothing, soΦ GT (...
-
[48]
By Theorem 18.1,Dis a cut set
Suppose that there exists aD⊆BE T such thatX c = 1satisfiesAC-mfor XRoot = 1under contextu D. By Theorem 18.1,Dis a cut set. If we takeD to be minimal, thenDis a minimal cut set, hencecis relevant asc∈D. Proof (Theorem 8).This follows from Theorem 19 and Lemma 6. A.8 Proof of Theorem 9 In terms of graph causal models, Theorem 9 can be rephrased as follows...
-
[49]
First, suppose thatt1 is onπ
It suffices to show that for every pathπ:e→v n, setting all children of all OR-gates onπto0(except those children that are onπthemselves) does not change the value of any gate onπ. First, suppose thatt1 is onπ. Setting Xa1 →0now means that allw i,j for whichℓ i,j =¬x 1 are now also set to0. However, as argued above, these gates may not be onπanyway, so th...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.