A compositional semantics for Repairable Fault Trees with general distributions

by   Raúl E. Monti, et al.

Fault Tree Analysis (FTA) is a prominent technique in industrial and scientific risk assessment. Repairable Fault Trees (RFT) enhance the classical Fault Tree (FT) model by introducing the possibility to describe complex dependent repairs of system components. Usual frameworks for analyzing FTs such as BDD, SBDD, and Markov chains fail to assess the desired properties over RFT complex models, either because these become too large, or due to cyclic behaviour introduced by dependent repairs. Simulation is another way to carry out this kind of analysis. In this paper we review the RFT model with Repair Boxes as introduced by Daniele Codetta-Raiteri. We present compositional semantics for this model in terms of Input/Output Stochastic Automata, which allows for the modelling of events occurring according to general continuous distribution. Moreover, we prove that the semantics generates (weakly) deterministic models, hence suitable for discrete event simulation, and prominently for Rare Event Simulation using the FIG tool.



There are no comments yet.


page 1

page 2

page 3

page 4


Combination of component fault trees and Markov chains to analyze complex, software-controlled systems

Fault Tree analysis is a widely used failure analysis methodology to ass...

Rare Event Simulation for non-Markovian repairable Fault Trees

Dynamic Fault Trees (DFT) are widely adopted in industry to assess the d...

One Net Fits All: A unifying semantics of Dynamic Fault Trees using GSPNs

Dynamic Fault Trees (DFTs) are a prominent model in reliability engineer...

Input/Output Stochastic Automata with Urgency: Confluence and weak determinism

In a previous work, we introduced an input/output variant of stochastic ...

Quantitative system risk assessment from incomplete data with belief networks and pairwise comparison elicitation

A method for conducting Bayesian elicitation and learning in risk assess...

Quantum Fault Trees

Fault tree analysis is a technique widely used in risk and reliability a...

A Formal Transformation Method for Automated Fault Tree Generation from a UML Activity Model

Fault analysis and resolution of faults should be part of any end-to-end...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Fault Tree Analysis is a prominent technique for dependability assessment of complex industrial systems. Standard or Static Fault Trees (SFTs [21]

) are DAGs whose leafs are called Basic Events (BE), and usually represent the failure of a physical system component. Each leaf is equipped with a failure rate or discrete probability, indicating the frequency at which the component breaks. The other FT nodes are called gates, and they model how basic components failures combine to induce more complex system failures, until the failure of interest (the

top event of the tree) occurs. SFTs thus encode a logical formula. One of the most efficient analysis techniques uses Binary Decision Diagrams (BDD) to represent the formula, and then perform dependability studies using specialised algorithms. This assumes the absence of stochastic dependency among BEs.

Many extensions to SFTs allow for further modelling capabilities. One of the most studied are Dynamic Fault Trees (DFTs [16, 22]

). DFTs add gates to describe time- and order-dependence among the tree nodes, in contrast to the plain combinatorial behavior of SFT gates. New analysis methods were introduced in order to capture temporal requirements, such as cut sequences, translation to Markov models 

[16, 16, 6], Sequence BDDs [19, 28, 35], algebraic approaches [25, 1], simulation, and combination and optimisations thereof [3, 20].

Repairable Fault Trees (RFT [4, 27, 2, 6]) increase FTs expressiveness by introducing the possibility to model complex inter-dependent repair mechanisms for basic components, i.e. system components that produce the basic events. In former models such as DFT, certain notions of repair had been addressed by allowing components to be repaired independently. Nevertheless, this is not usual in real world systems, where repair scheduling, resources management, and maintenance play an important role. To address this, we will focus on the Repair Box model (RBOX [18, 27]). A RBOX models a repair unit in charge of repairing certain BEs following certain policy. Different repair policies such as first come first serve, priority service, random or nondeterministic choice, allow to analyze the impact of taking these decisions in the real system. The introduction of these boxes greatly changes the dynamic of the tree. Quantitative analyses are no longer a combinatorial calculation, since the evolution of the system over time has to be considered [32]. Furthermore, traditional qualitative analysis such as cut sets lack of utility by not taking repairability into account. Traditional quantitative analysis is also discarded by the cyclic behavior introduced by this model which disallows to use combinatorial solutions proposed for non repairable FTs and require a state based solution instead [3].

In this work we present a formal definition of Repairable Fault Trees (RFT), along with its semantics given in terms of Input/Output Stochastic Automata (IOSA) [15, 17]. We show that the underlying IOSA semantics of the RFT specification is weakly deterministic, that is, the non-determinism present in the IOSA model is spurious. Hence the model is equivalent to a fully stochastic model and thus amenable to discrete event simulation. IOSA allows us to model RFTs general continuous failure and repair distributions.

A variety of works address the problem of defining a rigorous syntax and semantics to FT, DFT, and RFT [14, 4, 6, 2, 6, etc.]. They usually differ, for example, in the types and meaning of gates, expressiveness power, how spare elements are claimed and how repair races are resolved. Presence of non-deterministic situations is also a main discording issue. Comprehensive surveys on FTs can be found in [22] and [32]. In Section 5 we formally define the syntax for RFTs in a similar manner as [5] has done for DFTs. Furthermore, in order to define the compositional and weakly deterministic semantics using IOSA, we discuss different concerns about determinism on RFTs.

As discussed before, RFT analysis requires a state space solution. This usually means one of the following two approaches. A first approach would be translating the model to a Markov model, applying as much optimisations as possible during the modelling and analysis in order to relieve the state explosion problem as much as possible. This is the approach followed by many works such as [2, 3, 4]

. Two main drawbacks can be pointed out on this approach. The first one is that no matter which existing optimisation methods are used, there is no guarantee that there will be a significant state space reduction in general models. This is a specially difficult situation in big and complex industrial size systems analysis involving repair. A second drawback is the restriction to exponentially distributed events, not allowing to correctly model real life systems where timing is governed by other continuous distributions. This is the case for example of phenomena such as timeouts in communication protocols, hard deadlines in real-time systems, human response times or the variability of the delay of sound and video frames (so-called jitter) in modern multi-media communication systems, which are typically described by non-memoryless distributions such as uniform, log-normal, or Weibull distributions 

[17]. A second approach to RFT analysis would be recurring to simulation, which does not need the full state space of the model to be constructed, and does not impose per se the restriction to any kind of probabilistic distributions. The main problem when confronting simulation is the big amount of computation needed to reach a sufficiently accurate result. This is a most relevant issue when analyzing highly dependable or fault tolerant systems, where the failure probability is very small and plane Monte Carlo simulation becomes infeasible. To face this problem one can make use of Rare Event Simulation techniques such as Importance Splitting or Importance Sampling [33, 10, 11, 29].

Our main contribution in this work consists in a method for precisely modelling RFTs with generally distributed events. Furthermore, by yielding a deterministic IOSA model, thus amenable to discrete event simulation, we are able to analyze it on the FIG Rare Event Simulation Tool [11, 12], greatly improving efficiency when analyzing highly dependable systems. Also the recent work [31] takes on the matter of using rare event simulation to analyze DFTs with complex repairs. Nevertheless, they restrict to Exponential and Erlang distributions and they finally conduce their analysis over a Markov model hence suffering of potential states space explosion.

2 Repair Fault Trees

In Fig. 1 we depict the set of RFTelements that we consider in this work. Each of them has a set of inputs where to connect its subtrees, and an output (if applicable) to propagate the failure, repair and other signals. The propagation of a failure and its subsequent repair starts at the leafs of the fault tree, including only (spare) basic elements. When one of them fails, or gets repaired, it instantaneously propagates the event to the gates to which it is connected. The state of a gate changes based on the signals it receives from its inputs and propagates its new state to the gates it serves as input. Thus, a proper combination and timing of fail signals may change a gate’s state to failing, and similarly, a proper combination and timing of repair signals may change it back to a working state. This very much depends on the type of gate. The state changes will at the same time trigger output signals accordingly. Not only fail and repair signals, but also other signals may be produced, as it can be in the case of repair boxes, which may output a start repairing signal to any of their input basic elements.

Figure 1: RFT elements

The intuition about the behavior of each gate is as follows. An AND gate fails whenever all its inputs fail, and gets repaired (stop failing) when at least one of its inputs is repaired. An OR gate fails whenever at least one of its inputs fails and is repaired when all of its inputs are repaired. A VOTING gate fails whenever at least of its inputs fail and stops failing if at most of its inputs remain failing. A PAND gate fails whenever its inputs fail from left to right, inducing an order on the failure occurrence, and it is repaired if the last input is repaired. A functional dependency gate (FDEP) has inputs. The fail signal of one of its inputs (the triggering one) makes all the other inputs inaccessible to the rest of the system. Note that the dependent inputs do not necessarily fail, and they will be accessible again as soon as the triggering component is repaired (note the difference with [6, 31] where dependent BEs do fail). In fact this gate can be easily replaced by a system of OR gates [34]. A spare basic element (SBE) is a special case of BE which can be enabled and disabled, and can be used as spare parts for other BEs through spare gates. A same SBE can be shared by several spare gates, and different sharing policies are introduced for this purpose. A spare gate (SG) allows to replace a basic element by one of several spare basic elements in case it fails. Each spare gate has a main input and spare parts inputs. The main input can only be a BE. The spare inputs can only be SBEs. As soon as the main input fails, the SG uses its own policy to ask for the replacement by one of its spare inputs. The SG will fail whenever it does not obtain a replacement, and will signal repair whenever the main input gets repaired or a spare input is obtained. If an in-use replacement fails the SG will look for a new one. If the main input is repaired, the SG will free the acquired spare input, in case there is one. A repair box (RBOX) is the unit in charge of managing the repairing of failed BEs and SBEs. They have inputs, which are the elements administered for repairing, and a dummy output. A RBOX policy determines in which order the failing elements will be repaired. Also notice that a RBOX can only repair one of its inputs at a time, while the rest of its failing inputs are waiting for repair.

3 Input/Output Stochastic Automata

Input/Output Stochastic Automata [15, 17]

is a modelling formalism tailored to model stochastic systems for the purpose of simulation. IOSA combine continuous probability jumps from Stochastic Automata, with discrete event synchronisation for a compositional style of modelling. IOSAs use continuous random variables to control and observe the passage of time. These variables, called clocks, are set to a value according to their associated probability distribution, and, as time evolves, count down all at the same rate until they reach the value of zero. Clocks control the moments when actions are taken, and thus allow to model systems where events occur at random continuous time stamps. Output and input transitions can be used to synchronize and communicate between different IOSAs. Output transitions are autonomous, while inputs occurrence depends on synchronisation with outputs. A transversal classification for actions allows to mark them as urgent or non urgent. While a non-urgent output is controlled by the expiration of clocks (i.e., clocks reaching the value zero), an urgent output action is taken as soon as the state in which it is enabled is reached. Though an IOSA may be non-deterministic,

[17] provides a set of sufficient conditions that guarantee weak determinism (i.e. only spurious non-determinism is present). Furthermore, such conditions can be checked with a polynomial algorithm on the components of the model.

Definition 1

An input/output stochastic automaton with urgency (IOSA) is a structure , where is a (denumerable) set of states, is a (denumerable) set of labels partitioned into disjoint sets of input labels and output labels , from which a subset is marked as urgent, is a (finite) set of clocks such that each has an associated continuous probability measure on s.t. , is a transition function, is the set of clocks that are initialized in the initial state, and is the initial state. In addition it should satisfy the following constraints:

  1. If and , then .

  2. If and , then is a singleton set.

  3. If and then , and .

  4. For every and state , there exists a transition .

  5. For every , if and , and .

  6. There exists a function such that: (i) , (ii) , (iii) if is stable, , and (iv) if then .

where , and is stable if there is no such that . ( indicates the existential quantification of a parameter.)

Restrictions (a) to (f) are there to ensure that at most one non-urgent output action is enabled at a time. If in addition the IOSA is closed (i.e., all communications have been resolved and hence the set of inputs is empty) and all its urgent actions are confluent (in the sense of [26], see also Def. 5) it turns out all the non-determinism is spurious and does not alter the stochastic behavior (i.e. regardless of how non-determinism is resolved, the stochastic properties remain the same) [15, 17]. We call this property weak determinism.

IOSAs are closed under parallel composition which is defined according to rules in Table 1. In order to avoid unintended behavior, the component IOSAs are requested to be compatible, that is, they should not share output actions nor clocks, and be consistent with respect to urgent actions.

Table 1: Parallel composition on IOSA

4 IOSA symbolic language

1module BE
2 fc, rc : clock;
3 inform : [0..2] init 0;
4 broken : [0..2] init 0;
6 [fl!]     broken=0 @ fc -> (inform’=1) & (broken’=1);
7 [r??]     broken=1 -> (broken’=2) & (rc’=);
8 [up!]     broken=2 @ rc -> (inform’=2) &
9                            (broken’=0) & (fc’=);
11 [f!!] inform=1 -> (inform’=0);
12 [u!!] inform=2 -> (inform’=0);
Figure 2: Basic Element IOSA symbolic model.

We present a symbolic language to describe an IOSA model. This language is the input language of the tool FIG [12, 10] and has some strong resemblance with the PRISM modelling language [23]. IOSAs compositional style of modelling is also reflected in the language, where each component is modeled separately by what we call a module. A module is composed of a set of variables, whose valuation represent the actual state of the component, a set of clocks corresponding to the enabling clocks for non urgent transitions, and a set of transitions which symbolically describe the possible jumps between states (changes of valuations and resetting of clocks). Fig. 2 models a basic element as an example. Variables can be of integer (with finite range) or boolean type. As we will see later, also arrays can be defined as variables. An initial value for each variable is determined after the keyword init. Clocks measures are defined at the transitions where they are reset. A transition is described by the name of the action which takes place, a guard that defines the origin states, an enabling clock (only for the case of non-urgent output transitions), a condition describing the target states, and the set of clocks to be reset. A quick overview of Fig. 2 will help to further understand our symbolic language: Two clocks, fc and rc, are defined at line . These clocks will be used as enabling clocks for transitions at lines and , and reset on transitions at lines and where and are the distribution associated with rc and fc, respectively. Lines and define variables inform and broken, both of integer type ranging between and , and initialized with value . Line defines a set of non-urgent output transitions, which produce the output action fl. More precisely, this line defines the set of non-urgent transitions , where meets the condition broken=0, and is the result of changing the values of variables inform and broken to 1 while other variables remain with the same values as those in state . The @ symbol precedes the enabling clock for the transition while the -> symbol distinguishes between conditions for the origin state and the target state. The conditions on the target state are expressed as assignments to the next values of the variables, indicated with an apostrophe. Line defines an urgent input transition with label r. The double question marks after the name indicates that it describes urgent input transitions. Urgent output transition are indicated with double exclamation marks (!!), non urgent input transitions with a single question mark, and non-urgent output transitions with a single exclamation mark. At the end of line we find the reset of the clock rc to a value from a probability distribution . This line then defines transitions , where meets with condition broken=1 and is identical to except for variable broken which has value 2. At line , an urgent output transition is defined, indicating the failure of this component through action f!!. We will usually use these urgent transitions to synchronize and communicate with other modules.

The text of Fig. 2 is tacitly completed with self-loops with all inputs in all constraints that are not explicitly written. For example, in Fig. 2, the line “[r??] broken != 1 -> ;” is assumed to exist.

5 A formal syntax for RFT and its semantics

In this section we present a formal definition of the RFT similar to those of [5, 7] along with its semantics given in terms of IOSA. Each element of a RFT is characterized by a tuple consisting of its type, its arity (i.e. number of inputs), and possibly other parameters like probability distributions for fail and repair events in a BE.

Definition 2

Let , and let , and be continuous probability distributions. We define the set of elements of a RFT to be composed of the following tuples:

  • and , which represents basic and spare basic elements, with no inputs, with an active failure distribution , a dormant failure distribution , and a repair distribution .

  • , and , which represent AND, OR and PAND gates with inputs, respectively,

  • , which represent a from voting gate,

  • , which represents a functional dependency gate, with trigger input and dependent ones. By convention the first input is the triggering one.

  • , which represents a SPARE gate with one main input and spare inputs. By convention the first input is the main one.

  • , which represents a RBOX element for BEs (or SBEs).

A RFT is a directed acyclic graph, for which every vertex is labeled with an element . An edge from to means that the output of is connected to an input of . Since the order of the inputs is relevant, we give them in terms of a list instead of a set. Similarly, will list all the spare gates to which a spare basic element is connected as an input. Let indicate the type of . That is, is the first projection of . Let indicate the number of inputs of , that is, it is the second projection .

Definition 3

A repair fault tree is a four-tuple , where is a set of vertices, is a function labeling each vertex with a RFT element, is a function assigning inputs to each element in , and which indicate which spare gates manage each spare BE. The set of edges is the set of pairs such that is an input of . If such an edge exists, we will say that is connected to and to . In addition, a RFT should satisfy the following conditions:

  • The tuple is a directed acyclic graph (DAG).

  • has a unique top element, i.e. a unique element whose non dummy output is not connected to another gate. That is, there is a unique vertex such that for all , and .

  • An output can not be more than once the input of a same gate. That is, for all with , we have .

  • Since FDEP and RBOX outputs are dummy, if then .

  • The inputs of a repair box can only be basic elements. I.e., if and then either or .

  • Each (spare) basic element can be connected to a single RBOX. I.e., if and and , then .

  • The spare inputs of a spare gate can only be spare basic elements, while its main input can only be a basic element. I.e., if and then and for . Furthermore, a spare basic element can only be connected to a spare gate or a RBOX, i.e., if and then .

  • A spare basic element is an input of a spare gate, if and only if that spare gate is spare input of the spare basic element, i.e. for and such that and , if and only if there exists such that .

  • A basic element can be connected to at most one spare gate, i.e. if and with and then .

  • If a basic element is connected to a spare gate then it can not be connected to a FDEP gate, i.e. if and and , then there is no such that .

In the following, we present a parametric semantics for RFT elements. This will be used later to obtain the semantics for each vertex in a given RFT, and the consequent semantics of the full model as a parallel composition of its components. In this section, we only give the semantics for BEs, AND gates, OR gates, PAND gates, and RBOX. Remember that FDEP can be replaced by OR gates. Similarly, voting gates can be modeled by a series of AND and OR gates (although a simpler model can be found in Appendix 0.D). In the design of the IOSA modules we should take into account the communication of each element of a RFT with its children and parents. For instance a basic element has to communicate its failure and repair to those gates for which it is an input. Similarly, a RBOX has to communicate to its inputs a start repairing signal. In order to do so, the semantics of each element will be given by a function, which takes actions as parameters.

1module AND
2 informf: bool init false;
3 informu: bool init false;
4 count: [0..2] init 0;
6 [f??] count=1 -> (count’=2) & (informf’=true);
7 [f??] count=0 -> (count’=1);
8 [f??] count=2 -> ;
9 [f??] count=1 -> (count’=2) & (informf’=true);
10 [f??] count=0 -> (count’=1);
11 [f??] count=2 -> ;
13 [u??] count=2 -> (count’=1) & (informu’=true);
14 [u??] count=1 -> (count’=0);
15 [u??] count=0 -> ;
16 [u??] count=2 -> (count’=1) & (informu’=true);
17 [u??] count=1 -> (count’=0);
18 [u??] count=0 -> ;
20 [f!!] informf & count=2 -> (informf’=false);
21 [u!!] informu & count!=2 -> (informu’=false);
Figure 3: AND gate IOSA symbolic model.

For a BE element , its semantics is a function , where results in the IOSA of Fig. 2. The state of a basic element is defined by the fail clock fc, the repair clock rc, a variable signal that indicates when to signal the failure or repair, and variable broken to distinguish between broken and normal states. A basic element fails when clock fc expires (line 6) and immediately informs it with the urgent signal f!! at line 11. As soon as the repair begins by the corresponding connected repair box (line 7), clock rc is set. When it expires, the component becomes repaired. Hence, fc is set again at line 8, and the repair is signaled with urgent action u!! at line 11. At the starting state of an IOSA module all its clocks are set randomly according to their associated distributions. Thus, rc is set at the initial state and could eventually expire without having been set by a repair transition. This is why we have to distinguish between cases when the BE is being repaired (broken=2) from when it is not.

For an AND gate element with two inputs, its semantics is a function , where results in the IOSA in Fig. 3. At lines 6 to 11, the AND gate gets informed of the failure of either of its inputs. Upon failure of some input, we distinguish between the case where the other input has already failed (count=1) and the case where it has not (count=0). In the first case the AND gate has to move to a failure state, for which we set the informf variable in order to enable the signaling of failure at line 20. Furthermore in both cases we increase the value of count so that we take note of the failure of an input. A similar reasoning is done for the case of the repairing of an input at lines 13 to 18. In this case we have to set the module to signal a repair when an input gets repaired at a state where both inputs were failing (lines 13 and 16), by enabling transition at line 21. From now on, we omit writing down self loops originated by IOSA’s input enabledness, such as lines and as they are assumed to be there. Nevertheless, we remark that it is necessary to take them into account when analyzing confluence in the next section. The semantics for an OR gate is similar to the AND gate and can be found in Appendix 0.B.

The semantics of a inputs repair box with priority policy, is a function , where results in the IOSA of Fig. 4. The RBOX with priority uses the array broken[n]

1module RBOX
2 broken[n]: bool init false;
3 busy: bool init false;
5 [fl?] -> (broken[0]’=true);
6 ...
7 [fl?] -> (broken[n-1]’=true);
9 [r!!] !busy & broken[0] -> (busy’=true);
10 ...
11 [r!!] !busy & broken[n-1] & !broken[n-2]
12               & ... & !broken[0] -> (busy’=true);
14 [up?] -> (broken[0]’=false) & (busy’=false);
15 ...
16 [up?] -> (broken[n-1]’=false) & (busy’=false);
Figure 4: RBOX with priority policy

to keep track of failed inputs, updating it when it receives their fail signals (lines 5 to 7) and up signals (lines 13 to 15). At the same time, when not busy, it sends repair signals to broken inputs (lines 9 to 12). Guards ensure the priority order for repairing. Note that instead of listening to the urgent output signals of the input BEs, it listens for the non-urgent actions of the transitions that trigger the failure or repair. This is done with the only purpose of facilitating the confluence analysis over this module. Other types of repair boxes can be modeled, taking into account different repairing policies. (see App. 0.C).

The semantics of a Priority AND gate with inputs is defined by , where results in the IOSA of Fig. 5. PAND gates fail only when their inputs fail from left to right. This allows to condition the failure of a system not only to the failure of the subsystems but also to the ordering in which they fail. Notice that an inputs PAND gate is simply a syntax sugar for a system of two-input PAND gates connected in cascade. Literature is not always clear or even disagrees on what should be the behavior of the PAND gate in case both inputs fail at the same time [24, 14]. This situation arises in some constructions with AND and OR gates, or when the inputs of a PAND gate are connected to the a same FDEP (see Fig. 6). Some proposals disallow these situations and discard them on early syntactic checks [31].

1module PAND
3 f1: bool init false;
4 f2: bool init false;
5 st: [0..4] init 0; \\ up, inform fail, failed,
6                       inform up, unbreakable
8 [_?] st=0 & f1 & !f0 -> (st’=4); 
10 [f??] st=0 & !f0 & !f1-> (f0’=true);
11 [f??] st=0 & !f0 & f1 -> (st’=1) & (f0’=true);
12 [f??] st!=0 & !f0     -> (f0’=true);
13 [f??] f0              -> ;
15 [f??] st=0 & !f0 & !f1         -> (f1’=true);
16 [f??] st=0 & f0 & !f1          -> (st’=1) & (f1’=true);
17 [f??] st=3 & !f1               -> (st’=2) & (f1’=true);
18 [f??] (st==1|st==2|st=4) & !f1 -> (f1’=true);
19 [f??] f1                       -> ;
21 [u??] st!=1 & f0 -> (f0’=false);
22 [u??] st=1  & f0  -> (st’=0) & (f0’=false);
23 [u??] !f0 -> ;
25 [u??] (st=0|st=3) & f1 -> (f1’=false);
26 [u??] (st=1|st=4) & f1 -> (st’=0) & (f1’=false);
27 [u??] st=2 & f1 -> (st’=3) & (f1’=false);
29 [f!!] st=1 -> (st’=2);
30 [u!!] st=3 -> (st’=0);
Figure 5: PAND gate.

Some others assume a non-deterministic situation and find it important to analyze scenarios where the behavior is in fact unknown [5]. Other works decided that the PAND gate does not fail unless its inputs break strictly from left to right [6, 4]. Some others state that PAND gates also fail when both their inputs fail at the same time [14, 9, 8]. We opted for this last case, so the gates needs to be able to identify if time has passed between the occurrence of the failures, and act consequently. In the particular case where no time passes between the failure of the inputs, we consider that the order in which the dependent BEs fail does not really matter and thus the non-determinism is spurious. To identify if time has passed between the occurrence of the input failures, the model listens to any output actions, which indicate that a clock has expired.

Figure 6: Spurious non-determinism.

This is done by a special input action at line 5, which synchronizes with all non-urgent outputs, regardless the name of the action. Notice that there is only one scenario that we want to rule out, which is when the second input fails and then time passes without the first input failing too. This is in fact the case described by the guard of line 5. Furthermore, this transition moves to the ‘unbreakable’ state, from which it can only go back when input 1 is fixed. In consequence, the failure of the gate occurs either if both inputs fail at the same time or if the first input fails, then time passes, and then the second input fails.

The semantics of a RFT is that of the parallel composition of the semantics of its components, being conveniently synchronized.

Definition 4

Given a RFT  we define the semantics of as where is defined by:

In Section 7, we extend the semantics to spare gates and spare basic elements.

6 RFTs are weakly deterministic

In this section we show that RFTs composed only by BEs, AND gates, OR gates, PAND gates, and RBOX, are weakly deterministic. Since voting and FDEP gates can be constructed using OR and AND gates, the result extends to these gates. Results in this section rely heavily on results about weak determinism on IOSA proven in [17]. Therefore, we first summarize the essentials of [17] for this paper.

Definition 5

An IOSA is confluent if for all pair of urgent actions and , and for every (reachable) state , it satisfies that, if and , then there is a state such that and .

Note that, according to this definition, regardless the order of the confluent transitions, the same state is reached. This non-determinism is spurious in the sense that it does not alter the stochastic properties of the given IOSA, regardless the manner it is solved. Since non-determinism can only arise on urgent actions, we say that a closed IOSA is weakly deterministic if all its urgent actions are confluent. In [17], we provided sufficient conditions to ensure that a closed IOSA is weakly deterministic. This is stated in Theorem 6.1 below which requires the following definition.

Definition 6

Given an IOSA  with state space and actions , we distinguish the following sets of actions:

  • A set of urgent output actions is initial if each is enabled in , i.e. if for each there is a state and , such that .

  • We say that a set of output urgent actions is spontaneously enabled by if there are stochastically reachable states (a state is stochastically reachable if there is a path in the IOSA from the initial state that reaches such state with probability greater than zero) such that is stable, , and all actions in are enabled in .

  • Let and . We say that triggers if there are stochastically reachable states such that: , , and, if , then there is no outgoing transition from labeled with . The set is called the triggering relation.

The approximate indirect triggering relation of a composite IOSA is defined as the reflexive transitive closure of the union of the triggering relations of its components. The following theorem from [17], gives necessary conditions for a closed IOSA not to be confluent. As a consequence, it provides sufficient conditions for a closed IOSA to be weakly deterministic.

Theorem 6.1

Given a closed composite IOSA  with actions , if is not confluent then there exist a pair of urgent actions such that

  1. one of the components is not confluent with respect to and ,

  2. there are actions and that approximately indirectly trigger both and , respectively, and

  3. one of the following hold: (i) and are initial actions, or (ii) there exists an action and possible empty sets to spontaneously enabled by in to respectively, such that and are in .

In the following, we prove accessory propositions to eventually prove, using Theorem 6.1, that the IOSA defined by a RFT is weakly deterministic.

Proposition 1

Let be a RFT. has no initially enabled actions. Moreover, the only spontaneous sets of actions are singletons of the form and }, for , which are spontaneously enabled by and , respectively.


As a consequence of [17], the initially enabled actions of are contained in the union of the sets of initially enabled actions of its components , , and the spontaneously enabled actions of are contained in the union of the spontaneously enabled sets of . It is direct to see that, for any element , none of the urgent outputs are enabled at the initial state of , since their guards are initially false. Furthermore, the only non-urgent output transition in our models are at lines 6 and 8 of the BE (Fig. 2). Let such that . Then, after taking transition at line 6 the only urgent output enabled is (on the instance ), while after taking transition at line 8 the only one is , and thus these are the only possible spontaneous enabled actions. ∎

Proposition 2

Let be a RFT. The only possible pairs of non-confluent actions in are .


The proof of this Proposition follows an exhaustive check over each urgent transition of each model, in order to single out any non-confluent situation, and can be found at Appendix 0.E

Proposition 3

Let be a RFT. For each , the triggering relation of is given by:

  • , if ,

  • , if , and

  • , if .

Proof (sketch)

It sufficies to make a satisfiability analysis over guards and postconditions of each pair with an output urgent symbolic transition and any urgent symbolic transition, taking into account only reachable states. ∎

Theorem 6.2

Let be a RFT. Then is weakly deterministic.


We look for and as well as sets with as Theorem 6.1 suggests. Since Prop. 1 ensures that there are no initially enabled actions in , and should be spontaneously enabled actions. By the same proposition either is of the form for some and then , or is of the form for some and then . In the first case, we get for some , and in the second case . Furthermore, by Prop. 2, either is of the form for some and is of the form for some or the other way around. As shown by Prop. 3, fail actions ( for some ) only trigger fail actions and up actions ( for some ) only trigger up actions, thus it is impossible that and indirectly trigger and respectively. Therefore, it is not possible to find actions , , , , and satisfying conditions 1 to 3 in Theorem 6.1, and hence is confluent. Since is also closed, then it is weakly deterministic. ∎

7 An extended Semantics

In this section we add the spare gate and spare basic element to the semantics of RFTs. As before, we aim to guarantee that the IOSA model derived from the RFT is weakly deterministic. In order to do so, we need to bring special attention to two particular scenarios that could introduce non-determinism if not correctly tackled.

The first scenario is given when a main basic element fails at a spare gate which is served with several spare basic elements. At this point, it arises the question of which of the available spare basic elements should the spare gate take. Traditionally, spare elements are selected in order from an ordered set. To generalize this mechanism for the selection of the spares we intend to allow for more complex state-involved policies. It should be always the case that this policy is deterministic in its elections. The second scenario arises when several spare gates have requested a broken or already taken SBE, which eventually gets fixed by a repair box or freed by the owning spare gate. At this point, it is unclear which of the requesting spare gates will take the newly available SBE. For this, we define sharing policies on the SBE. Thus, to provide semantics to an SBE, we actually introduce two IOSA modules: one providing the extended behavior of a BE that can be taken from dormant to enabled state and vice versa, and another one, the multiplexer module, which manages the sharing of the SBE. Notice that this scenario is not a problem in the absence of repair boxes, since in such cases SBEs do not become available after they are taken or fail. It is neither a problem when spare elements are not shared by different spare gates [4, 3]. The work [22] also studies race conditions in spare gates when two spare gates fail at the same time. This last situation is impossible in our settings given the last two properties of Definition 3 and the fact that two simultaneous failures of our basic elements is discarded by the IOSA deterministic semantics.

The models for the spare gate, the spare basic element and the multiplexer can be found in Appendix 0.F. We extend the semantics of the RFT with the SBE and SG elements as follows.

Definition 7

Given a RFT , we extend Definition 4 with the following cases:

Notice that in the case of the SBE and SG, several signals are indexed by a pair of elements. This pair indicates which gate performs the action and which one listens for synchronisation. As an example, indicates that the multiplexer that manages , assigns its spare basic element to its first connected spare gate ().

Unfortunately, we could not find an easy or direct way to prove that this extension is indeed weakly deterministic, as we did with the RFT without spares. This is due in part to the complexity of the IOSA modules, intended to avoid the aforementioned non-deterministic situations. While the spare basic element module can be easily proved to be confluent, this is not the case for the modules of the multiplexer and the spare gate. When analyzing these modules in isolation we find that some transitions are not confluent and Theorem 6.1 could not be used directly. However, by partially composing spare gates with multiplexers, we were able to check that conditions of Theorem 6.1 are not met. We automatically perform this check in several configurations, and showed that they are confluent. As parallel composition preserves confluence, they can be inserted in other RFT contexts yielding weakly deterministic IOSAs. 111For the reviewers eyes, only: the scripts that prove said configurations are available at https://git.cs.famaf.unc.edu.ar/raulmonti/DeterminismScriptsRFT.

8 Conclusion

In this work we have defined a semantics for Dynamic Fault Trees with repair box in terms of Input/Output Stochastic Automata, introducing the novel feature of general probability measures for failure and repair rates of basic elements. Furthermore we have shown that our semantics produces weakly deterministic models which are hence amenable for discrete event simulation. In particular, our models serve as direct input to the FIG Simulator (http://dsg.famaf.unc.edu.ar/fig[12, 10], as well as other tools through the intermediate language Jani [13]. A future work direction could be introducing maintenance mechanism and levels of degradation as in [30], in order to increase the possibilities for defining repair models. Another line of work would be defining an automatic translation from a graphical modelling tool for fault trees into the IOSA models, in order to automate and ease the modelling and analysis of industrial size systems. Adding support for spare sub-trees such as in would be an interesting upgrade too, also along with support for sub-tree dedicated repair boxes.


  • [1] Amari, S., Dill, G., Howald, E.: A new approach to solve dynamic fault trees. In: Reliability and Maintainability Symposium, 2003. Annual. pp. 374–379. IEEE (2003)
  • [2] Beccuti, M., Raiteri, D.C., Franceschinis, G., Haddad, S.: Non deterministic repairable fault trees for computing optimal repair strategy. In: Baras, J.S., Courcoubetis, C. (eds.) 3rd International ICST Conference on Performance Evaluation Methodologies and Tools, VALUETOOLS 2008, Athens, Greece, October 20-24, 2008. p. 56. ICST/ACM (2008), https://doi.org/10.4108/ICST.VALUETOOLS2008.4411
  • [3] Bobbio, A., Franceschinis, G., Gaeta, R., Portinale, L.: Parametric fault tree for the dependability analysis of redundant systems and its high-level petri net semantics. IEEE Trans. Software Eng. 29(3), 270–287 (2003), https://doi.org/10.1109/TSE.2003.1183940
  • [4] Bobbio, A., Raiteri, D.C.: Parametric fault trees with dynamic gates and repair boxes. In: Reliability and Maintainability, 2004 Annual Symposium-RAMS. pp. 459–465. IEEE (2004)
  • [5] Boudali, H., Crouzen, P., Stoelinga, M.: A compositional semantics for dynamic fault trees in terms of interactive markov chains. In: Namjoshi, K.S., Yoneda, T., Higashino, T., Okamura, Y. (eds.) ATVA 2007. LNCS, vol. 4762, pp. 441–456. Springer (2007), https://doi.org/10.1007/978-3-540-75596-8_31
  • [6] Boudali, H., Crouzen, P., Stoelinga, M.: Dynamic fault tree analysis using input/output interactive markov chains. In: DSN 2007. pp. 708–717. IEEE Computer Society (2007), https://doi.org/10.1109/DSN.2007.37
  • [7] Boudali, H., Crouzen, P., Stoelinga, M.: A rigorous, compositional, and extensible framework for dynamic fault tree analysis. IEEE Trans. Dependable Sec. Comput. 7(2), 128–143 (2010), https://doi.org/10.1109/TDSC.2009.45
  • [8]

    Boudali, H., Dugan, J.B.: A discrete-time bayesian network reliability modeling and analysis framework. Rel. Eng. & Sys. Safety 87(3), 337–349 (2005),

  • [9] Boudali, H., Dugan, J.B.: Corrections on "a continuous-time bayesian network reliability modeling and analysis framework". IEEE Trans. Reliability 57(3), 532–533 (2008), https://doi.org/10.1109/TR.2008.925796
  • [10] Budde, C.E.: Automation of Importance Splitting Techniques for Rare Event Simulation. Ph.D. thesis, Universidad Nacional de Córdoba (2017)
  • [11] Budde, C.E., D’Argenio, P.R., Hermanns, H.: Rare event simulation with fully automated importance splitting. In: Beltrán, M., Knottenbelt, W.J., Bradley, J.T. (eds.) EPEW 2015. LNCS, vol. 9272, pp. 275–290. Springer (2015), https://doi.org/10.1007/978-3-319-23267-6_18
  • [12] Budde, C.E., D’Argenio, P.R., Monti, R.E.: Compositional Construction of Importance Functions in Fully Automated Importance Splitting. ACM (2017), http://dx.doi.org/10.4108/eai.25-10-2016.2266501
  • [13] Budde, C.E., Dehnert, C., Hahn, E.M., Hartmanns, A., Junges, S., Turrini, A.: JANI: quantitative model and tool interaction. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10206, pp. 151–168 (2017), https://doi.org/10.1007/978-3-662-54580-5_9
  • [14] Coppit, D., Sullivan, K.J., Dugan, J.B.: Formal semantics for computational engineering: A case study on dynamic fault trees. In: ISSRE 2000. pp. 270–282. IEEE Computer Society (2000), https://doi.org/10.1109/ISSRE.2000.885878
  • [15] D’Argenio, P.R., Lee, M.D., Monti, R.E.: Input/output stochastic automata - compositionality and determinism. In: Fränzle, M., Markey, N. (eds.) FORMATS 2016. LNCS, vol. 9884, pp. 53–68. Springer (2016), https://doi.org/10.1007/978-3-319-44878-7_4
  • [16] Dugan, J.B., Bavuso, S.J., Boyd, M.A.: Dynamic fault-tree models for fault-tolerant computer systems. IEEE Transactions on Reliability 41(3), 363–377 (Sep 1992)
  • [17] D’Argenio, P.R., Monti, R.E.: Input/output stochastic automata with urgency: Confluence and weak determinism. In: International Colloquium on Theoretical Aspects of Computing. pp. 132–152. Springer (2018)
  • [18] Franceschinis, G., Gribaudo, M., Iacono, M., Mazzocca, N., Vittorini, V.: Towards an object based multi-formalism multi-solution modeling approach. In: Proc. of the Second Workshop on Modelling of Objects, Components and Agents Aarhus (MOCA02), Denmark. vol. 26, pp. 47–65 (2002)
  • [19] Ge, D., Lin, M., Yang, Y., Zhang, R., Chou, Q.: Quantitative analysis of dynamic fault trees using improved sequential binary decision diagrams. Rel. Eng. & Sys. Safety 142, 289–299 (2015), https://doi.org/10.1016/j.ress.2015.06.001
  • [20] Gulati, R., Dugan, J.B.: A modular approach for analyzing static and dynamic fault trees. In: Reliability and Maintainability Symposium. 1997 Proceedings, Annual. pp. 57–63. IEEE (1997)
  • [21] Haasl, D.F., Roberts, N., Vesely, W., Goldberg, F.: Fault tree handbook. Tech. rep., Nuclear Regulatory Commission, Washington, DC (USA). Office of Nuclear Regulatory Research (1981)
  • [22] Junges, S., Guck, D., Katoen, J., Stoelinga, M.: Uncovering dynamic fault trees. In: DSN 2016. pp. 299–310. IEEE Computer Society (2016), https://doi.org/10.1109/DSN.2016.35
  • [23] Kwiatkowska, M.Z., Norman, G., Parker, D.: PRISM: probabilistic symbolic model checker. In: Field, T., Harrison, P.G., Bradley, J.T., Harder, U. (eds.) TOOLS 2002. LNCS, vol. 2324, pp. 200–204. Springer (2002), https://doi.org/10.1007/3-540-46029-2_13
  • [24] Manian, R., Coppit, D.W., Sullivan, K.J., Dugan, J.B.: Bridging the gap between systems and dynamic fault tree models. In: Reliability and Maintainability Symposium, 1999. pp. 105–111. IEEE (1999)
  • [25] Merle, G., Roussel, J., Lesage, J., Bobbio, A.: Probabilistic algebraic analysis of fault trees with priority dynamic gates and repeated events. IEEE Trans. Reliability 59(1), 250–261 (2010), https://doi.org/10.1109/TR.2009.2035793
  • [26] Milner, R.: Communication and concurrency. PHI Series in computer science, Prentice Hall (1989)
  • [27] Raiteri, D.C., Iacono, M., Franceschinis, G., Vittorini, V.: Repairable fault tree for the automatic evaluation of repair policies. In: DSN 2004. pp. 659–668. IEEE Computer Society (2004), https://doi.org/10.1109/DSN.2004.1311936
  • [28] Rauzy, A.: Sequence algebra, sequence decision diagrams and dynamic fault trees. Rel. Eng. & Sys. Safety 96(7), 785–792 (2011), https://doi.org/10.1016/j.ress.2011.02.005
  • [29] Rubino, G., Tuffin, B.: Rare Event Simulation Using Monte Carlo Methods. Wiley Publishing (2009)
  • [30] Ruijters, E., Guck, D., Drolenga, P., Stoelinga, M.: Fault maintenance trees: reliability centered maintenance via statistical model checking. In: Reliability and Maintainability Symposium (RAMS), 2016 Annual. pp. 1–6. IEEE (2016)
  • [31] Ruijters, E., Reijsbergen, D., de Boer, P., Stoelinga, M.: Rare event simulation for dynamic fault trees. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) Computer Safety, Reliability, and Security - 36th International Conference, SAFECOMP 2017, Trento, Italy, September 13-15, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10488, pp. 20–35. Springer (2017), https://doi.org/10.1007/978-3-319-66266-4_2
  • [32] Ruijters, E., Stoelinga, M.: Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Computer Science Review 15, 29–62 (2015), https://doi.org/10.1016/j.cosrev.2015.03.001
  • [33] Villén-Altamirano, M., Villén-Altamirano, J.: The rare event simulation method RESTART: efficiency analysis and guidelines for its application. In: Kouvatsos, D.D. (ed.) Network Performance Engineering - A Handbook on Convergent Multi-Service Networks and Next Generation Internet, LNCS, vol. 5233, pp. 509–547. Springer (2011), https://doi.org/10.1007/978-3-642-02742-0_22
  • [34] Xing, L., Dugan, J.B., Morrissette, B.A.: Efficient reliability analysis of systems with functional dependence loops. Eksploatacja I Niezawodnosc-Maintenance and Reliability (3), 65–69 (2009)
  • [35] Xing, L., Shrestha, A., Dai, Y.: Exact combinatorial reliability analysis of dynamic systems with sequence-dependent failures. Rel. Eng. & Sys. Safety 96(10), 1375–1385 (2011), https://doi.org/10.1016/j.ress.2011.05.007

Appendix 0.A IOSA Symbolic Language

The following context free grammar defines the complete IOSA symbolic modelling language. Here * stands for as many times as you want, + for at least one time, ? for optional, for option, and parentheses group productions and elements.

Figure 7: IOSA symbolic language grammar.

An IOSA model is composed by a set of modules, each one describing a concurrent component of the system to model. The body of a module can be clearly divided into three parts: the variables declarations, the clocks declarations, and the transitions specification. Arrays are declared along with variables, with the additional requirement of defining the range of the array between brackets. Transitions preconditions are boolean formulas describing the origin states for the symbolic transition. In this case the symbol stands for the logical conjunction operator while stands for the logical disjunction operator. Postconditions on the other side, describe the changes on the module’s variables (state) by means of assignments to future values. Each assignment is enclosed by parenthesis, and the variable’s name is followed by an apostrophe to indicate that corresponds to the value of the variable in the reached state after taking the transition. An separates each assignment. Notice the similarity with PRISM [23] syntax for describing transitions. Along with the assignment of values to future variables, we find the reset of clocks. A clock is assigned a probability distribution () to indicate that it will be reset to a value from that probability distribution immediately before reaching the new state.

Appendix 0.B OR Gate

For an OR gate element with two inputs, its semantics is a function , where results in the following IOSA:

1module OR
2  informf: bool init false;
3  informu: bool init false;
4  count: [0..2] init 0;
6  [f??] count=0 -> (count’=1) & (informf’=true);
7  [f??] count=1 -> (count’=2);
8  [f??] count=0 -> (count’=1) & (informf’=true);
9  [f??] count=1 -> (count’=2);
11  [u??] count=2 -> (count’=1);
12  [2??] count=1 -> (count’=0) & (informu’=true);
13  [u??] count=2 -> (count’=1);
14  [u??] count=1 -> (count’=0) & (informu’=true);
16  [f!!] informf & count!=0 -> (informf’=false);
17  [u!!] informu & count=0 -> (informu’=false);

In the OR gate model, a counter (count) is used to register how many inputs have failed at each moment. The failing of an input increases the counter, while the repair of an input decreases the counter. We of course take as a premise that an input will not break two times in a row without being repaired in the middle, neither will it be repaired if it has not failed. When the counter changes its value from 0 to 1, the gate has to inform a failure. It does so in transition at line 16, which gets enabled by the change of variable informf either at line 6 or 8. In the same way, when count becomes , the repair is informed by enabling transition at line through the change of variable informu either at line or .

Appendix 0.C Repair BOXes

For a repair box with first come first serve policy element with inputs, its semantics is a function , where results in the following IOSA:

1module RBOX % with first come first serve policy
2  queue[n]: [0..n] init 0;
3  busy: bool init false;
4  r: [0..n] init n;
5  dummy: [0..0] init 0;
7  [fl?] -> (dummy’=broken(queue,0));
8  ...
9  [fl?] -> (dummy’=broken(queue,n-1));
11  [!!] fstexclude(queue,0) != -1 & r = n -> (r’=maxfrom(queue,0));
13  [r!!] !busy & r = 0 -> (busy’=true) & (queue[0]’=0);
14  ...
15  [r!!] !busy & r = n-1 -> (busy’=true) & (queue[n-1]’=0);
17  [up?] -> (queue[0]’=0) & (busy’=false) & (r = n);
18  ...
19  [up?] -> (queue[n-1]’=0) & (busy’=false) & (r = n);

The model for a repair box with first come first serve policy uses an array to mark down each broken input. Notice that each position in the queue corresponds to each input. A value on an index means that the input has not failed, while a greater value on that position indicates for “how long” has it been broken. Repair boxes use some syntactic elements present in FIG (http://dsg.famaf.unc.edu.ar/fig) simulator. These elements do not introduce a new semantics behavior and are there only to reduce the complexity and obfuscation that would represent modelling this using only the grammar presented at App. 0.A. Examples of this are the function broken which given an array, in this case queue, and an index, in this case 0, it increases by one the value at that index and every other value greater than in the array. In this way we can check the order in which the inputs failed by comparing the values at the corresponding index. The greater the value the sooner they broke. The syntactic function fstexclude on the other hand, takes an array and a value and returns the index of the first element with a different value to the one passed. In this case we use it to check if there is any failed input. If there is at least one, then maxfrom function will return the index of the highest value in queue, which corresponds to the input who broke first in between all the broken ones. For a quick determinism analysis we point out that all broken, fstexclude, and maxfrom are deterministic. Furthermore all pairs of urgent transitions in the model are confluent given that their preconditions are mutually exclusive given the valu