sign in sign up
<<
Home , Type theory

arXiv:1904.01605v1 [cs.FL] 2 Apr 2019 eey[] oaayemr opiae ytm,lk nucle like systems, Fussell developmen complicated as more the such analyze to measures, to led [1], importance Vesely This sophisticated [3]. more failed of or functioning either of diagno fault solve assignmen and maintenance. to component upgrading, and system as helps allocation, such significantly redundancy problems, components reliability of several Windows determ Microsoft engineering, importance in reliability has crashes In the [2]. and Corp. software errors le Office the Microsoft bugs and detected of at of 80% pool achieve about study entire to the to of A aiming 20% about system gains. that foc a revealed significant resources to in given most is areas that concept problematic the so most underline system the The components on utilized. a of effectively to be important can a more Par identify system. are to a that employed in are components they of ularly, criticality relative the uate re hoe Proving. , railway applicat a an as of crossing level analysis purpose. Moroccan illustration measure a for at importance system th formal signaling Fussell-Vesely, by a and u accompanied Birnbaum commonly conduct as are the such formalize makin conditions measures, we importance thus essential particular, and In the . relationships a proven all such in that verify components sure higher-order- to of use proving to pair propose theorem we any paper, this between In all system. importance des obtain relationship relative to generic scala a measures the more proving importance by A the conditions systems. importance utilize necessary large for to perform suitable is not approach to computa are expensive they require used thus they manner.and but generally descending analysis, in based sy are measure each components for tools the value criticality rank Simulations a to obtain and to meas used importance component turn The in resources. are then given are of which usage effective as components, and such identifyi activities, decisions, system improvement important reliability oritizing making critical in beneficial scrutinize extremely to proach nteFraiaino motneMaue using Measures Importance of Formalization the On h nlpbiaini vial thttp://ieeexplore.ie at available is publication final The Keywords Abstract n16,Brbu a h rtt rps h concept the propose to first the measure was importance Birnbaum 1968, In eval- to way effective an provide [1] measures Importance Iprac esrspoieasseai ap- systematic a provide measures —Importance — motneMaue,Hge-re oi,Fault Logic, Higher-order Measures, Importance .I I. aa Ahmad Waqar NTRODUCTION o iaysseso w states, two of systems binary for ainlUiest fSine n ehooy Islamabad Technology, and Sciences of University National mi:{smurtza.msee15seecs,osman.hasan}@seecs.nust. Email: 2 O hoe Proving Theorem HOL colo lcrclEgneigadCmue Science, Computer and Engineering Electrical of School 1 hhdAiMurtza Ali Shahid , ocri nvriy otel C Canada QC, Montreal, University, Concordia 1 mi:{waqar,tahar}@ece.concordia.ca Email: lcrcladCmue Engineering, Computer and Electrical ee.org gweak-links ng cribing (HOL) ining tions stem ures and pri- tic- sed the ion ble sis ad us ar t, g e - t 2 sa Hasan Osman , tutr ucini agrwhen larger is structure componen to particular 0 a of system failure simulation a a the that by im- over caused component’s of is the percentage event determine the failure computing analy [5], by reliability ReliaSoft portance compo- based as a Simulation such than value. ranking as tools, lower the regarded a in is with above value nent placed higher and with critical component highly [ a syst manner words, descending a other in in data In obtained component the each tabulating then for and value criticality a calculating t is contributing components actively their of is failure. increa each system component the (2) every and with i.e., failures; increases relevant, of model number failure the syst given in the the or the i.e., of satisfying function behavior, ability non-decreasing systems structure exhibits are their model failure which (1) conditions: [1], following systems defin coherent primarily are for measures importance These plants. power ta.[]dvlpdarltosi ttn httecompone the that stating relationship mathematically a developed i using Bo [6] instance, by al. For . et resolved this in be methods reduction verified can analysis measure components. many with these systems components, with especia dealing of requirements when computational pairs high very all have methods between importance relative i.Tu,teei iene fdvlpn oerigorous more developing usage. guarantee appropriate of to their need and relationships dire correctness foundational a these anal of is measure conditions consideri analysis there importance concern necessary some Thus, grave all of sis. a that is safety-critical guaranty This the no identified. explicitly is are there bee metho complex thus have proof and based and relationships paper-and-pencil large using analytical verified component for manually these a tedious However, of be values systems. can pract exact measures in the importance helpful calculating These extremely since components. be scenarios system can of relationships pair on analytical any based of descri are conditions, importance relationships that analytical relative necessary the measures, proving the for importance essential obtain extended Fussell-Vesely further to and is Birnbaum [7] work This Meng case. by opposite the to compared ssrcual oeciia hntecomponent the than critical more structurally is yia ehdi motnemaueaayi involves analysis measure importance in method typical A h clblt iiain fsmlto ae importanc based simulation of limitations scalability The nti ae,w rps ouiiehigher-order-logic utilize to propose we paper, this In 2 n oèeTahar Sofiène and , edu.pk Pakistan , t oee,fraayigthe analyzing for However, . i 1 sdw and down is j su as up is igthe bing j prob- fits if the o their land ical em em 4]. lly sis ng ed ds se y- nt n e t (HOL) theorem proving to assure the formal guarantees about III. PRELIMINARIES the relationships, obtained by Boland and Meng, governing the In this section, we first give a brief introduction to the relative importance of any pair of system components. The HOL theorem prover, formalization of and HOL theorem prover is a system of deduction with precise an approach for the formal FT analysis to facilitate the and provides a sound reasoning support for verifying understanding of the rest of the paper. the given properties, stated as a theorem, rigorously [8]. We first formalize the properties of coherent systems by describing their structure function as a fault tree (FT) [9] model, which A. HOL Theorem Prover is a graphical model for analyzing the conditions and factors HOL [18] is an interactive theorem prover, developed at the causing the system failure. Secondly, we formalize commonly University of Cambridge, UK, for conducting proofs in higher- used importance measures, such as Birnbaum, Fussell-Vesely, order logic. It utilizes the simple type theory of Church [19] Reduction Worth and Achievement Worth [1]. We then use along with Hindley-Milner polymorphism [20] to implement the formalization of Birnbaum importance measure to formally higher-order logic. HOL has been successfully used as a verify the relative importance properties of any pair of system verification framework for both software and hardware as well components as described by Boland and Meng using HOL as a platform for the formalization of pure . theorem proving. For illustration purposes, we conduct the formal importance measure analysis of a railway signaling The HOL core consists of only 4 basic and 8 system at a Moroccan level crossing (LC) [10] consisting primitive rules, which are implemented as ML of several critical components, such as lights, programmable functions. The ML’s ensures that only valid logic controllers, alarms and also human factor, using the HOL can be constructed. is assured as every theorem prover [11]. new theorem must be verified by applying these basic axioms and primitive inference rules or any other previously verified The rest of the paper is organized as follows: An overview theorems/inference rules. of the related work is presented in Section II. In Section III, In this paper, we utilize the HOL (libraries) of we provide a brief summary of the HOL theorem prover Booleans, lists, sets, positive integers, real numbers, measure and the fundamentals of the HOL . A brief and probability [21]. In fact, one of the primary motivations of introduction to the recent formalization of FT analysis is selecting the HOL theorem prover for our work was to benefit also described to facilitate the understanding of the paper. from these built-in mathematical theories. Table I provides Section IV presents the HOL formalization of the concept the mathematical interpretations of some frequently used HOL of importance measure and its related properties. Section V symbols and functions, which are inherited from existing HOL applies our proposed approach by describing the formal impor- theories. tance measure analysis of the signaling system at a Moroccan level crossing. Finally, Section VI concludes the paper. TABLEI. HOLSYMBOLS AND FUNCTIONS HOL Standard Symbol Meaning ∧ and Logical and ∨ or Logical or II. RELATED WORK ¬ not Logical :: Adds a new to a list Importance measure is a useful concept in reliability en- ++ append Joins two lists together HD L head Head element of list L gineering and has been analyzed analytically [1] as well as TL L tail Tail of list L using simulation tools [5]. The latter approach is practically EL n L element nth element of list L adopted by industrial engineers due to their powerful features. MEM a L member True if a is a member of list L λx.t λx.t Function that maps x to t(x) These tools follow the typical approach of ranking the system SUC n components according to their criticality value. However, this n + 1 Successor of a num approach requires high computations to obtain the criticality value for all system components and then perform the suc- cessive analysis, which may not be possible for large and B. Probability Theory complex systems. An alternate approach is to verify a relative Mathematically, a measure space is defined as a triple measure relationship for any pair of components and obtain (Ω, Σ,µ), where Ω is a , called the sample space, Σ the necessary conditions, as described by Meng [7]. represents a σ- of of Ω, where the subsets are usually referred to as measurable sets, and µ is a measure Recently, a formal analysis framework [12], with domain Σ. A probability space is a measure space based on Reliability Block Diagram [13], [14] and FT mod- (Ω, Σ, P r), such that the measure, referred to as the probability eling techniques, has been developed using HOL theorem and denoted by P r, of the sample space is 1. In the HOL proving. This framework has been successfully utilized to formalization of probability theory [21], given a probability carry out the reliability analysis of a railway traction drive space p, the functions space, subsets and prob return the system [15], failure analysis of satellite solar arrays [16] and corresponding Ω, Σ and P r, respectively. This formalization an air traffic management system [17]. In the current work, we also includes the formal verification of the commonly used formalize the of coherent system and the importance probability laws, which play a pivotal role in formal reasoning measure by representing the system structure function based about dependability properties. on existing FT models. To the best of our knowledge, this is the first formal work describing the formalization of the A random variable is a measurable function between a importance measures using HOL theorem proving. probability space and a measurable space. The measurable functions belong to a special of functions, which preserve Hol_datatype ‘gate = AND of gate list | the property that the inverse of each measurable set is OR of gate list | also measurable. A measurable space refers to a pair (S, A), NOT of gate | where S denotes a set and A represents a nonempty collection atomic of ’a event‘ of sub-sets of S. Now, if S is a set with finite elements, then the corresponding random variable is termed as a discrete The type constructors AND and OR recursively function on otherwise it is called continuous. gate-typed lists and the NOT operates on gate- type variable. The type constructor atomic is basically a The cumulative distribution function (CDF) is defined as typecasting operator between event and gate-typed variables. the probability of an event where a random variable X has a value less than or equal to some value t, i.e., P r(X ≤ t). A semantic function is then defined over gate datatype that This definition characterizes the distribution of both discrete can yield the corresponding event from the given FT gate as and continuous random variables and has been formalized [22]: follows:

p X t. CDF p X t = ⊢ (∀ p. FTree p (AND []) = p_space p) ∧ ⊢ ∀ (∀ xs x p. distribution p X {y | y ≤ Normal t} FTree p (AND (x::xs)) = FTree p x ∩ FTree p (AND xs)) ∧ The function Normal takes a real number as its input and (∀ p. FTree p (OR []) = {}) ∧ converts it to its corresponding value in the extended-real (∀ xs x p. data-type, i.e, it is data-type with the inclusion of FTree p (OR (x::xs)) = positive and negative infinity. The function distribution FTree p x ∪ FTree p (OR xs)) ∧ takes three parameters: a probability space p, a random variable (∀ p a. FTree p (NOT a) = X : (α → extreal) and a set of extended-real numbers p_space p DIFF FTree p a) ∧ and returns the probability of the given random variable X (∀ p a. FTree p (atomic a) = a) acquiring all the values of the given set in probability space. The unreliability or the probability of failure F (t) is The function FTree takes a list of type gate, identified by the defined as the probability that a system or component will type constructor AND, and returns a complete probability space fail by the time t. It can be described in terms of CDF, known p_space p if a given list is empty and otherwise returns the as the failure distribution function, if a random variable X intersection of events in a given list. Similarly, to model the represents the time-to-failure of the component. This time-to- behavior of the OR FT gate, the function FTree returns the failure random variable X usually exhibits the exponential or union of all the events after applying the function FTree on Weibull distribution. each element of a given list or an if a given list is empty. The function FTree takes the type constructor NOT The notion of mutual independence of n random variables and returns the complement of a failure event obtained from is a major requirement for reasoning about the failure analysis the function FTree. The function FTree returns the failure of the given systems. According to this notion, a list of n event using the type constructor atomic. events are mutual independent if and only if for each set of k If the occurrence of a failure event at the output is caused events, such that (1 ≤ k ≤ n), we have: by the occurrence of all the input failure events, then this k k of behavior can be modeled by using the AND FT gate. Similarly, in the OR FT gate, the occurrence of an output P r( A )= P r(A ) (1) \ i Y i failure event depends upon the occurrence of any one of i=1 i=1 its input failure event. The NOT FT gate can be used in conjunction with the AND and OR FT gates to formalize other The mutual independence concept has been formalized in FT gates. The formalization of these gates is based on [17], the HOL theorem prover and more details can be found in [22]. given in Table II. The NAND FT gate, represented by the function NAND_FT_gate in Table II, models the behavior of the occurrence of an output failure event when at least one of C. Fault Trees the failure events at its input does not occur. This type of gate is used in FTs when the non-occurrence of a failure event in Fault Tree (FT) analysis is a widely used technique to conjunction with other failure events cause the top failure event determine the dependability of real-world systems, like rail- to occur. This behavior can be expressed as the intersection of ways signaling, automotive or avionics. It mainly provides complementary and normal events, where the complementary a graphical model for analyzing the conditions and factors events model the non-occurring failure events and the normal causing an undesired top event, i.e., a critical event, which events model the occurring failure events. The output failure can cause the complete system failure upon its occurrence. event occurs in the 2-input XOR FT gate if only one, and not The preceding nodes of the FT are represented by gates, like both, of its input failure events occur. OR, AND and XOR, which are used to link two or more cause events of a fault in a prescribed manner. The verification of the corresponding failure probability expressions, of the above-mentioned FT gates, is presented The FT gates are formally modeled by using a new in Table III. These expressions are verified under the fol- recursive datatype gate in HOL as follows [17]: lowing assumptions: (i) prob_space p ensures that p is TABLE II. HOL FORMALIZATION OF FAULT TREE GATES

FT Gates Formalization n 1 ⊢ ∀ p L1 L2. |t|+1 AND P( Ai)= (−1) P( Aj ) (2) n AND_FT_gate p L1 L2 = FTree p (AND (gate_list L)) [ X \ i=1 j∈t 1 ⊢ ∀ p L. t6={},t⊆{1,2,...,n} OR n OR_FT_gate p L = FTree p (OR (gate_list L)) 1 ⊢ ∀ p L1 L2. The above equation has been formally verified in HOL and k NAND NAND_FT_gate p L1 L2 = details can be found in [17]. n FTree p (AND (gate_list(compl_list p L1 ++ L2))) ⊢ ∀ p L. 1 NOR NOR_FT_gate p L = IV. IMPORTANCE MEASURES n FTree p (NOT (OR (gate_list L))) ⊢ ∀ p A B. The concept of importance measure is proposed by Birn- 1 XOR XOR_FT_gate p A B = baum mainly for components of coherent systems. This section 2 FTree p (OR [AND [NOT A; B]; AND [A; NOT B]]) describes the essential properties of a coherent system that is then followed by the commonly used importance measures and their respective formalizations in HOL. a valid probability space; (ii) 2 ≤ LENGTH L makes sure that the given list L must have at least two elements; (iii) A. Coherent System in_events p L ensures that all the corresponding events in the given list L are drawn from the events space p; and Let, φ(¯x) be the structure function of a system functioning on the n-components state vector x¯ = (x1, x2,...,xi,...,xn), (iv) mutual_indep p L guarantees that events in the given th list L are mutually independent [22]. where xi is the state of the i component. According to Birnbaum [3], a system of binary state, where both the system

TABLE III. PROBABILITYOF FAILURESOF FAULT TREE GATES and its components can either be in state of failure or success, is said to be coherent if its structure function, φ(¯x), satisfies Mathematical Expressions Theorem’s Conclusion N the following conditions: FAND(t) = Pr( \ Ai(t)) ⊢ ∀ p L1 L2. i=2 (prob p (AND_FT_gate L) = (1) φ ¯ with ¯ , ,..., N (0)=0 0=(0 0 0) = Y Fi(t) list_prod (list_prob p L)) i=2 N ⊢ ∀ p L1 L2. (2) φ(1)=1¯ with 1=(1¯ , 1,..., 1) FOR(t) = Pr( [ Ai(t)) i=2 (prob p (OR_FT_gate p L) = N 1 - list_prod(one_minus_list (3) φ(¯x) ≤ φ(¯y) if x¯ ≤ y¯ with relationship x¯ ≤ y¯ means = 1 − Y(1 − Fi(t)) i=2 (list_prob p L))) xi ≤ yi, ∀i =1, 2, ...n. ⊢ ∀ p L1 L2. k N (prob p The first two conditions state that a system must go in state FNAND(t) = Pr( \ Ai(t) ∩ \ Ai(t)) i=2 j=k (NAND_FT_gate p L1 L2) = 0 (full working) or 1 (complete failure) if all of its components k N list_prod (list_prob p = (1 − F (t)) ∗ (F (t)) are in state 0 or 1, respectively. The third condition defines the Y i Y j (compl_list p L1)) i=2 j=k * monotonicity property of a system structure function ensuring list_prod (list_prob p L2)) ⊢ ∀ p L. that a component in working state must not contribute in N (prob p (NOR_FT_gate p L) = causing a system failure and vice versa. The use of the NOT FNOR(t) = 1 − FOR(t) = Y(1 − Fi(t)) gate in a FT model (structure function) results in a non- i=2 list_prod (one_minus_list (list_prob p L))) coherent structure, which also means that components not ⊢ ∀ p A B. failing, i.e., working, can contribute to a system failure event prob_space p ∧ A ∈ events p ∧ FXOR (t) = Pr(A(t)B(t) ∪ A(t)B(t)) and thus violating the condition (3). Therefore, the use of the B ∈ events p ⇒ = (1 − F (t))F (t)+ A B (prob p (XOR_FT_gate p A B) = NOT logic is often discouraged [23]. FA(t)(1 − FB (t)) (1 - prob p A) * prob p B + prob p A * (1 - prob p B)) In order to formally verify that a given failure structure function (FT model) satisfies the Birnbaum coherent system conditions, we first formally define a structure function in HOL D. PIE as follows: In FT analysis, the first step is to identify all the basic Definition 1: ⊢ ∀ f L. φ fL=fL failure events that can cause the occurrence of the system top failure event. These failure events are then combined to where φ is a HOL Unicode that is used as a pretty- model the overall fault behavior of a given system by using printing of the function coherent_struct mapping an the fault gates. These combinations of basic failure events, arbitrary real-valued function f : (α → bool) → real to a called cut sets, are then reduced to minimal cut sets (MCS) list of sets L : (α → bool)list. Using the above definition, by using set-theory rules, such as idempotent, associative and Conditions (1-2) can be verified in HOL on a given fault tree commutative. Then, the Probabilistic Inclusion Exclusion (PIE) (structure function) consisting of AND and OR FT gates as: principle is used to evaluate the overall failure probability of a given system based on the MCS events. According to th the PIE principle, if Ai represents the i basic failure event Theorem 1: ⊢ ∀ p L. or a combination of failure events, then the overall failure prob_space p ∧ ¬NULL L ∧ probability of a given system can be expressed as follows: coherent_state_vec (λa. a = {}) (FLAT L) ⇒ (prob p (φ (λb. ∂h(¯x) FTree p ((OR of (i) = IB (φ(¯x)) = Pr{φ((1i, x¯))}− Pr{φ((0i, x¯))} (3) (λa. AND (gate_list a))) b)) L) = 0) ∂pi

Theorem 2: ⊢ ∀ p L. where φ(¯x) represents the structure function of a given co- prob_space p ∧ ¬NULL L ∧ herent system, which is applied on components state vector x¯ coherent_state_vec and returns the corresponding state of a system. The notations (λa. a = p_space p) (FLAT L) ⇒ φ((1i, x¯)) and φ((0i, x¯)) represent the state of a system if the (prob p ith component is updated with the state values 1 (failure) and (φ (λb. 0 (working), respectively. FTree p ((OR of (λa. AND (gate_list a))) b)) L) = 1) To formalize Equation 3 in HOL, we first formally define the notion of component state update in a given structure where, the HOL function FLAT is used to flatten the two- function as follows: dimensional list, i.e., to transform a list of lists, into a single list. The assumptions in the above theorems are al- Definition 2: ⊢ ∀ i f L. most similar. The first two assumptions ensure that the vari- φ’eifL= φ f (LUPDATE e i L) able p is a valid probability space and the given list of state vectors is not empty. In the last assumption, the function where the HOL function LUPDATE updates the given list L coherent_state_vec asserts that all the system com- with element e at index i. The above function updates the state ponents are either in fully working or in completely failure of the component i in a state vector L before passing it to the state, which are modeled using empty event ({}) and the system structure function. Similarly, we can formally define a complete probability space (p_space p), respectively. The function to update the states of any two system components conclusions of the above theorems model the probabilistic in HOL as follows: sense of the conditions (1-2). Definition 3: ⊢ ∀ e e’ i j f L. Now, we formally verify the Condition 3 for the given φ”ee’ijfL= structure function in HOL as follows: φ f (LUPDATE e’ j (LUPDATE e i L))

Theorem 3: ⊢ ∀ p L. Now, using Definition 2, we can formally model Equation 3 prob_space p ∧ in HOL as follows: in_events p (FLAT (XL_vec L)) ∧ in_events p (FLAT (YL_vec L)) ∧ Definition 4: ⊢ ∀ p i f L. mem_subset_vec L ⇒ Iβ pifL= prob p prob p (φ’ (p_space p) i f L) - (φ (λb. prob p (φ’ {} i f L) FTree p((OR of (λa. AND (gate_list a))) b)) (XL_vec L)) ≤ As described earlier in Section I, Meng [7] developed the prob p analytical relationship describing the relative importance of (φ (λb. FTree p ((OR of any pair of system components and obtained the necessary (λa. AND (gate_list a))) b)) (YL_vec L)) conditions based on Boland and Birnbaum importance mea- sures. We formally verify this relationship in HOL as follows: where the function in_events ensures that each element of 2 c ∂ h(x) a given list belongs to a valid event space p. The functions Theorem 4: Meng [7]: Suppose that i = j and ≥ 0 XL_vec and YL_vec returns the first and second member ∂pi∂pj of the two-dimensional pair list, respectively. The relationship for all x. Then, Iβ(j,x) ≤ Iβ(i,x) for all x satisfying pi ≤ pj . between these two lists, XL_vec and YL_vec, is described ⊢ ∀ p L i j. by the function mem_subset_vec, which ensures that each [A1]: prob_space p ∧ in_events p L ∧ member of XL_vec list is a subset of the corresponding [A2]: ¬NULL L ∧ i < j ∧ member of YL_vec list. The conclusion of the above theorem [A3]: mutual_indep p models Condition 3. The proof of Theorem 3 follows from ({} :: {} ::p_space p::p_space p::L) ∧ the fact that if A B, then their corresponding [A4]: SUC (SUC j) < LENGTH L ∧ ⊆ ′′ satisfy the monotonicity property, i.e., Pr(A) ≤ Pr(B). [A5]: Iβ p i j (λa. FTree p (AND (gate_list a))) L ≥ 0 ∧ [A6]: prob p (EL i L) ≤ prob p (EL j L) ⇒ B. Birnbaum Importance (Iβ p j (λa. FTree p (AND (gate_list a))) L ≤ Iβ p i (λa. FTree p (AND (gate_list a))) L) For a coherent system of n-components with independent (i) c failures, the Birnbaum importance (IB ) of component i is In the above statement, the symbol i = j is described by Boland defined as a probability that the ith component is critical to et al. [6] as components i and j are permutation equivalent if the system failure or functioning. Mathematically, it can be φ(1i, 0j , x) = φ(0i, 1j, x) for all x. Using Definition 3, we expressed as follows [3]: formally verify this property in HOL as follows: Lemma 1: ⊢ ∀ p i j L. prob_space p ∧ i < j ∧ Pr(φ(x)) in_events p L ∧ SUC (SUC j) < LENGTH L ∧ I RW = ′ mutual_indep p ({} ::p_space p::L) ⇒ Pr(φ (1i, x)) (prob p (φ” (p_space p) {} i j ′ (6) Pr(φ (0i, x)) (λa. FTree p (AND (gate_list a))) L) = IAW = prob p (φ” {} (p_space p) i j Pr(φ(x)) (λa. FTree p (AND (gate_list a))) L)) Using Definitions 1-2, we formally define the above functions ∂2h(x) in HOL as follows: Similarly, the notation is a partial differentiation w.r.t ∂pi∂pj Definition 6: ⊢ ∀ f i L. probability of components i and j that can be represented prob p (φ f L) I_RW p i f L = mathematically as: prob p (φ′ (p_space p) i f L)

⊢ ∀ Definition 7: f i L. ′ 2 prob p (φ ({}) i f L) ∂ h(x) ′′ ′ I_AW p i f L = = Pr(φ (1i, 1j , x)) − Pr(φ (1i, 0j, x))− prob p (φ f L) ∂pi∂pj (4) ′′ ′′ Pr(φ (0i, 1j , x)) + Pr(φ (0i, 0j, x)) The HOL formalization of the above-mentioned importance measures is also available at [24]. The proof script of the above formalizations and proofs consists of about 1400 lines The above equation is formalized using Definition 3 and it of HOL code that roughly took 70 man-hours of development ′′ is represented by the function Iβ in the assumption (A5) of time. To illustrate the effectiveness of our proposed approach, Theorem 4. we conduct the formal importance measure analysis of a The assumptions of Theorem 4 are similar to the ones railway signaling system at Moroccan level crossing in the used in Theorems 1-3. The inclusion of {} and p_space next section. p in assumption (A3) reflects the change caused by flipping the state of the i and j components and also makes sure V. SIGNALING SYSTEM AT MOROCCAN LEVEL CROSSING that they are mutually independence. The assumption (A4) There are three main parts in the Moroccan level crossing ensures that the index j starts after two increments since railway signaling (LC) system [10]: (1) Rail part consisting we require at least two components in a list. Although a of a material component (train and rail-road), and human brief proof sketch of Theorem 4 is described by Meng [7], component (the train operator); (2) Road part containing a the sound environment of the HOL theorem prover provides material component (vehicle and road), and a human compo- additional formal guarantees in the verification of Theorem 4 nent (vehicle driver); and (3) Level crossing, which is further accompanying all the necessary conditions. The composed of three main components: (i) Power and com- of Theorem 4 utilizes several essential lemmas, which can be munication network between the components of the railway found in [24]. signaling system; (ii) Control component consisting of Pro- grammable Logic Controller and its program; (iii) Operative component representing sensors, such as road lights, the alarms C. Other Common Types of Importance Measures and the barriers. Table IV describes the basic failure events Another well-known importance measure is Fussell- along with the corresponding failure rates (λ) associated with Vesely [1], which describes the importance of component i the components of Moroccan signaling system [10]. The FT as a probability that the failure of component i contributes to diagram of the signaling system at Moroccan LC is depicted a system failure given that system fails. It can be expressed in Figure 1 [10]. mathematically as follows: TABLE IV. EVENTS FOR SIGNALING SYSTEM AT MOROCCAN LC

− Symbol Basic Events λ (h 1) ′ −3 Pr(φ(x)) − Pr(φ (1i, x)) x1 Vehicle Failure 18 ∗ 10 IF V = (5) −4 x2 & x4 Human Factor 1.347 ∗ 10 Pr(φ(x)) −6 x3 Rail Failure 2.85 ∗ 10 −8 x5 Program Error 5 ∗ 10 −6 x6 Programmable Logic Controller Failure 4 ∗ 10 We can formally define the above function by using Defi- −6 x7 Network Communication Failure 5 ∗ 10 nitions 1-2 in HOL as follows: −6 x8 Power Network Failure 5 ∗ 10 −4 x9 & x10 Alarm Failure 4 ∗ 10 −4 Definition 5: ⊢ ∀ f i L. x11 & x12 Light Failure 4 ∗ 10 −6 x13 & x14 Motor Failure 3 ∗ 10 I_FV p i f L = −5 x15 & x16 Transmission System Failure 5 ∗ 10 prob p (φ f L) - prob p (φ′ (p_space p) i f L) prob p (φ f L) A. Formal Model and Failure Analysis Similarly, the criticality importance measures Reducation Using the FT gates, described in Section III-C, we can Worth (IRW ) and Achievement Worth (IAW ) describe a prob- formally model the FT diagram of the Moroccan signaling ability when component i is always functioning and failed, system in HOL as follows: respectively. They can be expressed as follows: Top Event Theorem 6: ⊢ ∀ p x1 x2 · · · x16 c1 c2 · · · c16 t. [A1]: 0 ≤ t ∧ [A2]: FT_conds p [x1;x2;· · · ;x16] t [A3]: exp_dist_list p [x1;x2;· · · ;x16] [c1;c2;· · · ;c16] ⇒ (prob p (Signal_FT p x1 x2 · · · x16 t) = −(λ 3t) −(λ 4t) −(λ 5t) −(λ 6t) x3 x4 x1 x2 1 - e c e c e c e c − * − * − * − * e (λc7t) e (λc8t) e (λc1t) e (λc2t) *− *− * * (1 - (1 - e (λc9t) e (λc10t) − −* * x5 x6 x8 x7 (1 - e (λc13t) e (λc14t)) − * − * (1 - e (λc15t) e (λc16t)) − * − * (1 - e (λc11t) * e (λc12t))))

where the function exp_dist_list takes a list of x9 x10 x11 x12 random variables and a list of failure rates and makes sure that each random variable is exponentially distributed and assigned with its corresponding failure rates [17], i.e., exp_dist_list [x1;x2] [c1;c2] = (!t. x13 x14 x15 x16 0 ≤ t ==> ((Pr(ω p x1 t) = 1 − e−λc1∗t) ∧ ( ω p x t e−λc2∗t)). The function FT_conds Fig. 1. FT of the Signaling System at Moroccan LC Pr( 2 )=1 − contains two predicates mutual_indep and in_events, which ensure that all events associated to rail_signal_FT Definition 8: ⊢ Signal_FT p x1 x2 · · · x16 t = are mutually independent and belong to events space p, FTree p (OR [OR ([ω p x3 t;ω p x4 t]) respectively. The proof of Theorem 6 is based on formally OR ([ω p x5 t;ω p x6 t])); verified expressions of the AND and OR FT gates, presented AND [OR ([ω p x9 t;ω p x10 t])); in Table III, and the PIE principle described in Section III-D. OR ([ω p x13 t;ω p x14 t])); OR ([ω p x15 t;ω p x16 t])); To evaluate Theorem 6, we wrote an ML function OR ([ω p x11 t;ω p x12 t]))]; auto_signal_morco_FT [24] that takes failure rates and OR ([ω p x7 t;ω p x8 t])); time index, given in Table IV, and returns the following in OR ([ω p x1 t;ω p x2 t]))]) HOL evironment: where ωpxt represent various failure events, such as an Under the following assumptions alarm, associated with the various component of the Moroccan ⊢ [A1]: 0 ≤ 5 ∧ signaling system. It is defined in HOL as PREIMAGE x {y [A2]: FT_conds p [x1;x2;· · · ;x16] 5 | y ≤ t} ∩ p_space p [17]. [A3]: exp_dist_list p [x1;x2;· · · ;x16] [0.00000285;0.00000005;·· · ;0.0004] ⇒ Now, we obtain the minimal cut sets (MCS) of the above Failure probability of Moroccan Railway FT model by utilizing some set properties, like distribution of Signaling System intersection over union and idempotent law of intersection [9]. (prob p (Signal_FT p x1 x2 · · · x16 5) = 0.0003494028541)

C1 = {x3, x4, x5, x6}, C2 = {x9, x13, x15, x11}, ··· , We can also plot these values to get a better understanding (7) C17 = {x10, x14, x16, x12}, C18 = {x7, x8, x1, x2} of the dependability of the Moroccan signaling system as given in Figure 2. It can be observed from the plot that initially We can also formally verify the equivalence of the obtained the probability of failure is very low but as the time passes, signaling system MCS with the orignal FT model as follows: in hours, the failure probability gradually increases and at 2,000 hours the failure becomes absolutely certain, i.e., with a probability 1. Lemma 2: ⊢ Signal_FT p x1 x2 · · · x16 t = (λb. FTree p((OR of B. Formal Importance Measure Analysis (λa. AND (gate_list a))) b)) [ωL p [x3;x4;x5;x6] t; As described in Section IV, the importance measure analy- ωL p [x9;x13;x15;x11] t;· · · ; sis requires the given system structure function to be coherent ωL p [x10;x14;x16;x12] t; in nature. Therefore, we start by formally verifying the con- ωL p [x7;x8;x1;x2] t] ditions of a coherent system for the railway signaling system MCS, described in Lemma 2, in HOL as: where the function ωLpLt returns the list of events by mapping the function ω p x t, described in Definition 8, on Theorem 7: ⊢ each element of the given list of random variables. prob_space p ∧ coherent_state_vec (Îza.˙ a = {}) (FLAT By using the above lemma and Definition 8, the failure [ωL p [x3;x4;x5;x6] t; probability of the Moroccan signaling system can be formally ωL p [x9;x13;x15;x11] t;· · · ; verified in HOL as follows: ωL p [x10;x14;x16;x12] t; rbp prob rbp t2 prob < t1 po p (prob po p (prob !.i_vnsp(FLAT p in_events (!t. p prob_space 9: Theorem oeetsaevc(Î coherent_state_vec p prob_space 8: Theorem i.2 ltfrPoaiiyo alr fSgaigSse a System Signaling of Failure of Probability for Crossing Plot 2. Fig. ( ( φ φ ( ( Te (O of p((OR FTree Te (O of p((OR FTree Te (O of p((OR FTree φ φ Te (Rof ((OR p FTree ( ( ( ( (

0.0000145 0.0000574 Probability of Failure λ λ λ λ λ ( ( 0.000349 0.00133 .AD(aels ))b)) a))) (gate_list [ AND a. .AD(aels ))b)) a))) (gate_list [ AND a. .AD(aels ))b)) a))) (gate_list [ AND a. [ [ b. b. λ λ 0.0234 0.0645 ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω ω b. b. 0.55 ⇒ x;1;1;1]t1; [x9;x13;x15;x11] t1; p [x3;x4;x5;x6] L p L x;8x;2 t1]) [x7;x8;x1;x2] t1; p [x10;x14;x16;x12] L p L t; [x9;x13;x15;x11] t; p [x3;x4;x5;x6] L p L x;1;1;1]t; [x9;x13;x15;x11] t; p [x3;x4;x5;x6] L p L x;8x;2 ] 1) = t]) [x7;x8;x1;x2] t; p [x10;x14;x16;x12] L p L x;1;1;1]t; [x9;x13;x15;x11] t; p [x3;x4;x5;x6] L p L x;8x;2 ] 0) = t]) [x7;x8;x1;x2] t; p [x10;x14;x16;x12] L p L x;8x;2 t])) [x7;x8;x1;x2] t; p [x10;x14;x16;x12] L p L x;1;1;1]t; [x9;x13;x15;x11] t; p [x3;x4;x5;x6] L p L x;8x;2 t]) [x7;x8;x1;x2] t; p [x10;x14;x16;x12] L p L x;8x;2 t]) [x7;x8;x1;x2] p L 1 0t=5 0 t =t t= = t 1000 t= =1 100 t t =2 = 50 10 5 ⊢ ⊢ ∧ ∧ a _pc )(FLAT p) p_space = a za. ˙ Time ⇒ ⇒ ≤ ∧ · · · · · · · · · · · · · · · ; ; ; ; ; oocnLevel Moroccan t t = 2000 te opnnsi h Tmodel. FT the in components other h nsue nTerm6 tcnb bevdfo the from observed failure be alarm to can of similar importance It the quite ( 6. that component is 9 Theorem Theorem theorem in of conclusion above used the ones the of assumptions The hoe 10: Theorem railway the of component the as: associating each system by signaling to failure distribution alarm of exponential importance Birnbaum the lr,Term9i omlyvrfidb tlzn hoe 3 Theorem utilizing by assumption verified the formally discharging Sim MCS. is by signaling 9 railway of Theorem list descr ilary, given a 1-2, on on Theorems IV-A, based Section of verified in utilization formally are straight-forward 7-8 very Theorems a that seen be can It ento n h Tmdl ecie nDfiiin8 in 9: 8, Definition Definition in described model, FT as: the HOL and 4 Definition edsrb h omliprac esr nlsso an of analysis measure importance ( formal failure purp alarm the illustration now compo- For describe system. any can signaling we of we railway the measure model, of importance failure nent Birnbaum system the signaling determine railway the on .Fra inamIprac esr Analysis Measure Importance Birnbaum Formal C. i.e., time-of-failures, the increase. increasing by t2 that fact the I β ( A] x_itls [x1;x2; p exp_dist_list [A5]: A] neet ( p in_events [A4]: A] uulidpp( p mutual_indep p [A3]: prob_space [A2]: 0 [A1]: I ( h orsodn alr rbblte lomonotonica also probabilities failure corresponding the , h bv oe a lob sdt uniaieyanalyze quantitatively to used be also can model above The fe omlystsyn h odtosfrchrn syst coherent for conditions the satisfying formally After 0 p β 9 e e ([ λ − − 1- (1 1- (1 1- (1 .Frep(R[R([ [OR (OR p FTree b. 1x x3 x2 x1 p λ λ ω c c x;x2; [x1; x;x2; [x1; [ ( 7 3 ∗ ∗ ω ω λ ω ω 9t; x9 p t t [c1;c2; .AD(aels ))b)) a))) (gate_list AND a. x;1;1;1]t2; [x9;x13;x15;x11] t2; p [x3;x4;x5;x6] L p L x;8x;2 t2]) [x7;x8;x1;x2] t2; p [x10;x14;x16;x12] L p L e e e ≤ * * x − − − 9 x λ λ λ ∀ ⊢ t e e ⊢ scluae rmtefiuepoaiiisof probabilities failure the from calculated is ) c c c 9 − − 11 15 13 nteriwysgaigsse yutilizing by system signaling railway the in ) R([ OR N O ; b [OR AND R([ OR R([ OR λ λ ∧ I ∗ ∗ ∗ c c ω β 9 t t t 8 4 1x2 x1 p · · · · · · · · · ∗ ∗ · · · * * * t t 1x x3 x2 x1 p 1 t])) x10 p R([ OR ;c16] 1]t) x16] ; 1]t) x16] ; * * e e e R([ OR ([ OR ω ω ω − − − 1 = t x16 e e λ λ λ ω ∧ 5t; x5 p 7t; x7 p 1t; x1 p − − c c c p L 12 16 14 λ λ ω c c ∗ ∗ ∗ · · · 2 5 ω ω ω ⇒ t t t ∗ ∗ mem_subset_vec )) ) ) 1 t; x11 p p L t t ω 1 t; x15 t; p x13 p * * * * 1 1c2 c1 x16 · · · 3t; x3 p ω ω ω ∧ ∧ e e − − 6t]); x6 p 8t]); x8 p 2t])]) x2 p λ λ 1 = t x16 c c · · · 1 6 ∗ ∗ · · · ω t t ω ω ω 1 t])]; x12 p ;x16] * * ; 1 t]); x16 t]); p x14 p 4t]) x4 p · · · e − λ c 1 t. c16 10 ae on based ∗ t t1 oses, * ibed em lly ≤ - Similarly, we can also determine the Fussell-Vesely impor- theory. The HOL proof script of Theorems 6-12, which can tance measure for the alarm component by using Definition 5 be downloaded from [24], took about 1200 lines of HOL code in HOL as follows: and about 24 man-hours. It is quite evident that our proposed HOL-based formaliza- Theorem 11: ⊢ ∀ p x1 x2 · · · x16 c1 c2 · · · c16 t. tion approach provides the required rigor to the importance [A1]: 0 ≤ t ∧ [A2]: prob_space p ∧ measure properties about system components compared to [A3]: mutual_indep p (ωL p [10]. Also, all the necessary conditions are accompanying [x1; x2; · · · ; x16] t) ∧ the formally verified properties. Most importantly, the formal [A4]: in_events p (ωL p relative importance measure analysis reveals that the relative [x1; x2; · · · ; x16] t) ∧ importance of any pair of components is related according [A5]: exp_dist_list p [x1;x2; · · · ;x16] to their failure rates (Theorem 12). In other words, we can [c1;c2;· · · ;c16] ⇒ accurately analyze the components’ importance, due to the (I_FV_9 p x1 x2 x3 · · · x16 t = sound theorem proving approach, without using the traditional (1 - methods of ranking the system components for large systems. (−(λc3∗t)) (−(λc4∗t)) (−(λc5∗t)) e * e * e * By conducting the formal importance analysis of the railway · · · − λ ∗t − λ ∗t signaling system at a Moroccan LC, we believe that our (1 - e( ( c9 )) e( ( c10 ))) − ∗ * − ∗ * (1 - e( (λc13 t)) e( (λc14 t))) proposed approach provides a sound framework to reliability − ∗ * − ∗ * (1 - e( (λc15 t)) e( (λc16 t))) design engineers to meet the quality standards of their safety- − ∗ * − ∗ * (1 - e( (λc11 t)) * e( (λc12 t))) - critical systems. (1 - (−(λ 3∗t)) (−(λ 4∗t)) (−(λ 5∗t)) e c * e c * e c * VI. CONCLUSION · · · − ∗ − ∗ (1 - e( (λc13 t)) e( (λc14 t))) In this paper, we formalized the commonly used impor- − ∗ * − ∗ * (1 - e( (λc15 t)) e( (λc16 t))) tance measures, such as Birnbaum, Fussely-vesely, Reduction − ∗ * − ∗ * (1 - e( (λc11 t)) * e( (λc12 t)))) / worth and Achievement worth, in HOL theorem proving. We (1 - also formalized Meng’s approach of obtaining the relative (−(λ 3∗t)) (−(λ 4∗t)) (−(λ 5∗t)) e c * e c * e c * importance measure among any pair of system components. · · · − ∗ − ∗ For illustration purposes, we conducted the formal importance (1 - e( (λc9 t)) * e( (λc10 t))) * − ∗ − ∗ measure analysis of a signaling system at a Moroccan level (1 - e( (λc13 t)) * e( (λc14 t))) * (−(λ 15∗t)) (−(λ 16∗t)) crossing consisting of traffic lights, programmable logic con- (1 - e c * e c ) * − ∗ − ∗ (1 - e( (λc11 t)) * e( (λc12 t))))) trollers and alarms, within the HOL theorem proving environ- ment. We plan to extend the formalization of Fussell-vesely importance measure to obtain the relative importance of system By using the above-mentioned approach, we can formally components. Just like the Birnbaum importance measure, it determine the Reduction Worth (RW) and Achievement Worth has great potential to highlight the critical components without (AW) importance measures, given in Equation 6. Next, we running the computationally expensive simulations. conduct the formal relative importance measure analyses of relative importance among alarm and vehicle failure, using Theorem 4, as follows: [1] W. Kuo and X. Zhu, Importance Measures in Reliability, Risk, and Theorem 12: ⊢ ∀ p x1 x2 · · · x16 c1 c2 · · · c16 t. Optimization: and Applications. John Wiley & Sons, 2012. [A1]: 0 ≤ t ∧ [2] P. Rooney, “Microsoft’s CEO: 80-20 Rule Ap- [A2]: prob_space p ∧ plies to Bugs, Not Just Features,” 2019. [On- [A3]: mutual_indep p (ωL p line]. Available: https://www.crn.com/news/security/18821726/ [x1; x2; · · · ; x16] t) ∧ microsofts-ceo-80-20-rule-applies-to-bugs-not-just-features.htm [A4]: in_events p (ωL p [3] Z. W. Birnbaum, “On the importance of Different Components [x1; x2; · · · ; x16] t) ∧ in a Multicomponent System,” University of Washington, Seatle, Washington, USA, Tech. Rep., 1968. [Online]. Available: http://www. [A5]: exp_dist_list p [x1;x2; · · · ;x16] dtic.mil/dtic/tr/fulltext/u2/670563.pdf [c1;c2;· · · ;c16] ∧ [A6]: fail_rate_pos [c1;c2;· · · ;c16] ∧ [4] J. F. Espiritu, D. W. Coit, and U. Prakash, “Component Criticality Importance Measures for the Power Industry,” Electric Power Systems [A7]: c9 ≤ c1 ⇒ 9 Research, vol. 77, no. 5-6, pp. 407–420, 2007. Iβ p x1 x2 x3 · · · x16 t ≤ 1 [5] ReliaSoft, 2019. [Online]. Available: https://www.weibull.com/hotwire/ Iβ p x1 x2 x3 · · · x16 t issue66/relbasics66.htm [6] P. J. Boland, F. Proschan, and Y. L. Tong, “Optimal Arrangement of where the function fail_rate_pos, in assumption (A6), Components via Pairwise Rearrangements,” Naval Research Logistics, ensures that the given list of failure rates must be positive. vol. 36, no. 6, pp. 807–815, 1989. It can be implied from assumption (A7) that the Birnbaum [7] F. C. Meng, “Comparing Birnbaum Importance Measure of System relative importance of any two components in a system is Components,” Probability in the Engineering and Informational Sci- ences, vol. 18, no. 2, pp. 237–245, 2004. related by their failure rates relationship. In other words, [8] J. Harrison, Handbook of Practical Logic and Automated Reasoning. a component with higher failure rate is highly critical in Cambridge University Press, 2009. a FT model (structure function) compared to a component [9] IEC, “International Electrotechnical Commission, 61025 Fault with lower failure rate. The proof of Theorem 12 is based Tree Analysis,” 2006. [Online]. Available: https://webstore.iec.ch/ on Theorem 4 and some fundamental facts of probability publication/4311 [10] J. Boudnnaya, A. Mkhida, and M. Sallak, “A Dependability Anal- ysis of a Moroccan Level Crossing Based on Fault Tree Analysis and Importance Measures,” in MOdeling, Optimization and SIMla- tion, 2014, pp. 1–5, https://recif.hds.utc.fr/wp-content/uploads/2014/11/ MOSIM_2014_1.pdf. [11] HOL Interactive Theorem Prover, 2019. [Online]. Available: https:// -theorem-prover.org/ [12] W. Ahmad, “Formal Dependability Analysis using Higher-order-logic Theorem Proving,” PhD Thesis, National University of Sciences and Technology, Islamabad, Pakistan, 2017. [13] K. S. Trivedi, Probability and with Reliability, Queuing and Applications. John Wiley and Sons Ltd., 2002. [14] W. Ahmed, O. Hasan, and S. Tahar, “Formalization of Reliability Block Diagrams in Higher-order Logic,” Journal of Applied Logic, vol. 18, pp. 19–41, 2016. [15] W. Ahmad, O. Hasan, and S. Tahar, Handbook of RAMS in Railways: Theory and Practice. Taylor and Francis, 2018, ch. Formal Reliability Analysis of Railway Systems using Theorem Proving Technique, pp. 651–668. [16] W. Ahmad and O. Hasan, “Towards Formal Fault Tree Analysis Using Theorem Proving,” in Intelligent Computer Mathematics, ser. LNCS. Springer, 2015, vol. 9150, pp. 39–54. [17] W. Ahmad and O. Hasan, “Formalization of Fault Trees in Higher- order Logic: A Deep Embedding Approach,” in Dependable Software Engineering: Theories, Tools, and Applications, ser. LNCS. Springer, 2016, vol. 9984, pp. 264–279. [18] M. J. Gordon and T. F. Melham, Introduction to HOL A Theorem Proving Environment for Higher-order Logic. Cambridge University Press, 1993. [19] A. Church, “A Formulation of the Simple Theory of Types,” Journal of Symbolic Logic, vol. 5, pp. 56–68, 1940. [20] R. Milner, “A Theory of Type Polymorphism in Programming,” Journal of Computer and System Sciences, vol. 17, pp. 348–375, 1977. [21] T. Mhamdi, O. Hasan, and S. Tahar, “On the Formalization of the Lebesgue Integration Theory in HOL,” in Interactive Theorem Proving, ser. LNCS. Springer, 2011, vol. 6172, pp. 387–402. [22] W. Ahmad, O. Hasan, S. Tahar, and M. S. Hamdi, “Towards the Formal Reliability Analysis of Oil and Gas Pipelines,” in Intelligent Computer Mathematics, ser. LNCS. Springer, 2014, vol. 8543, pp. 30–44. [23] J. D. Andrews and S. C. Beeson, “Birnbaum’s Measure of Component Importance for Noncoherent Systems,” IEEE Transcation on Reliability, vol. 52, no. 2, pp. 213–219, 2003. [24] W. Ahmad, “On the Formalization of Importance Mea- sures using HOL Theorem Proving,” 2019. [Online]. Available: https://github.com/ahmedwaqar/Formal-Dependability/tree/ importance_measures/Importance_Measures