Research Article Failure Propagation Modeling and Analysis via … · 2019. 7. 30. · F : e interface models of railroad crossing control system. e parallel composition of interface

Research ArticleFailure Propagation Modeling and Analysisvia System Interfaces

Lin Zhao1 Krishnaiyan Thulasiraman2 Xiaocheng Ge3 and Ru Niu1

1State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University Beijing 100044 China2School of Computer Science University of Oklahoma Norman OK 73019 USA3Institute of Railway Research University of Huddersfield Huddersfield HD1 3DH UK

Correspondence should be addressed to Lin Zhao lzhao3bjtueducn

Received 12 January 2016 Revised 30 March 2016 Accepted 5 April 2016

Academic Editor Egidijus R Vaidogas

Copyright copy 2016 Lin Zhao et alThis is an open access article distributed under the Creative CommonsAttribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Safety-critical systems must be shown to be acceptably safe to deploy and use in their operational environment One of the keyconcerns of developing safety-critical systems is to understand how the system behaves in the presence of failures regardless ofwhether that failure is triggered by the external environment or caused by internal errors Safety assessment at the early stages ofsystem development involves analysis of potential failures and their consequences Increasingly for complex systems model-basedsafety assessment is becomingmore widely used In this paper we propose an approach for safety analysis based on system interfacemodels By extending interactionmodels on the system interface level with failure modes as well as relevant portions of the physicalsystem to be controlled automated support could be provided for much of the failure analysis We focus on fault modeling and onhow to compute minimal cut sets Particularly we explore state space reconstruction strategy and bounded searching technique toreduce the number of states that need to be analyzed which remarkably improves the efficiency of cut sets searching algorithm

1 Introduction

Our society is relying more and more on the safety of anumber of computer-based systems for example the controlsystem of managing air traffic or operating a nuclear powerplantThese systems are usually called safety-critical systemswhich are a class of engineered systems that may posecatastrophic risks to its operators the public and the environ-ment The development of these systems demands a rigorousprocess of system engineering to ensure that safety risks ofthe system even if some of its components fail are mitigatedto an acceptable level System safety analysis techniques arewell established and are used extensively during the design ofsafety-critical systems

The size scale heterogeneity and distributed natureof current (and likely future) systems make them difficultto verify and to analyze particularly for nonfunctionalproperties including availability performance and securityas well as safety Due to the manual informal and error-prone nature of the traditional safety analysis process the

use of models and automatic analysis techniques as anaid to support safety-related activities in the developmentprocess has attracted increasing interest Model-based safetyanalysis (MBSA) where the analysis is carried out on formalsystem models that take into account system behaviors inthe presence of faults has been proposed to address some ofthe issues specific to safety assessment Recent work in thisarea has demonstrated some advantages of this methodologyover traditional approaches for example the capability ofautomatic generation of safety artifacts and shown that itis a promising way to reduce costs while further improvingefficiency and quality of safety analysis process

The existing approaches to MBSA for example ESACSISAAC [1 2] AltaRica [3ndash5] Failure Propagation and Trans-formation Notation (FPTN) [6 7] Hierarchically PerformedHazardOrigin and Propagation Studies (HiP-HOPS) [8] andthe AADL with its error annex [9] can be classified intotwo groups (a) failure logic based or (b) system states basedOriginal MBSA techniques such as FPTN and HiP-HOPShave sought to unify classical safety analysis methods such

Hindawi Publishing CorporationMathematical Problems in EngineeringVolume 2016 Article ID 8593612 11 pageshttpdxdoiorg10115520168593612

2 Mathematical Problems in Engineering

as Fault Tree Analysis (FTA) and Failure Modes and EffectsAnalysis (FMEA) and to provide a formalism for capturinga single authoritative safety model of the system Theseapproaches emphasized the model of failure propagationlogic The second group of MBSA approaches addresses theanalysis of the transition of system states [10ndash12] in orderto identify the routes that a system transits from a safe stateto a hazardous state Since these search-based techniquesnormally require exhaustive enumeration of all reachablestates they do not fully exploit the advantage of the internalstructure of the state space and domain knowledge of safetyanalysis

Safety is clearly an emergent property of a system thatcan only be determined in the context of the whole Asan emergent property safety arises only when the systemcomponents interactwith each other in an environment Suchproperty is controlled or enforced by a set of constraintsrelated to behaviors of system components Accidents oftenresult from interactions among components that violate theseconstraints In general the term interaction is conceptuallysimple it is a kind of action that occurs as two ormore objectshave an effect upon one another In practice interactionsamong the components dramatically increase the complexityof the overall system It is intuitively obvious that growinginteraction complexity poses a great challenge to engineersafety of the system In some cases although hazard iden-tification and safety assessment had been undertaken forsystem components the hazards could be missed apparentlyat least in part because they arise out of the complex andindirect interactions in a complex system especially when thecomponents of the system are independently developed oroperated The new challenge to MBSA due to the complexityof a system is that it is very hard to analyze all possibledysfunctional interactions in the system so that its hazardousstates which reflect the effects of dysfunctional interactionsand inadequate enforcement of safety constraints can beidentified

Using interface models to capture these interactionswould offer twofold benefits Interface information could beabstracted from the existing system design models conve-niently This is helpful to the tight integration of the systemsand safety engineering processes Furthermore interfacemodels are often more abstract and contain much lesscorresponding implementation details which help to combatthe state space explosion problem in the following automaticanalysis

In this paper we propose an approach of model-basedsafety analysiswhich utilizes extended interface automata [13]to model the nominal behaviors as well as fault behaviors ofthe system To avoid the exploration of the entire reachabilityset we present a structural analysis strategy which takes intoaccount the inner structure of state space This has madepossible development of efficient algorithms for the purposeof safety analysis By applying state space reduction andheuristic search a much smaller reachable space needs to beexplored and thus the efficiency of proposedminimal cut setsalgorithm has been improved

The rest of the paper is organized as follows In Section 2we introduce interface automaton as a formalmodel for safety

analysis In Section 3 we show how to use domain knowledgefor efficient state space reduction and minimal cut setsgeneration Section 4 mainly demonstrates our approach ona small yet realistic safety-related example whereminimal cutsets are generated and analyzedConclusions andoutlooks forfuture work are presented in Section 5

2 Interfaces and Fault Modeling

21 Definitions and Notation Interface automata give aformal and abstract description of the interactions betweencomponents and the environment This formalism capturesthe temporal aspects of component interfaces includinginput assumptions and output guarantees in terms of 119868119874

actions and the order in which they occur in automataInput assumptions describe the possible behaviors of thecomponentrsquos external environment while output guaranteesdescribe the possible behaviors of the component itself

Definition 1 (interface automata) An interface automaton isdefined as a tuple 119875 = ⟨V

119875VInit119875

I119875O119875H119875T119875⟩ where

(i) V119875is a finite set of states

(ii) VInit119875

sube V119875is a set of initial states

(iii) I119875 O119875 and H

119875are mutually disjoint sets of input

output and internal actions one denotes by A119875

=

I119875

cup O119875

cup H119875the set of all actions

(iv) T119875

sube V119875

times A119875

times V119875is a transition relation

A trace on interface automaton is an alternatingsequence consisting of states and actions such as1199010 1198860 1199011 1198861 119886

119896minus1 119901119896 where 119901

119894isin V119875and 119886

119895isin A119875

(119894 isin 0 119896 and 119895 isin 0 119896 minus 1) If an action 119886 isin I119875

(resp 119886 isin O119875 119886 isin H

119875) then (V 119886 V1015840) isin T

119875is called an

input (resp output internal) transition We denote by TI119875

(resp TO119875 TH119875) the set of input (resp output internal)

transitions An action 119886 isin A119875is enabled at a state V isin V

119875

if there is a transition (V 119886 V1015840) isin T119875for some V1015840 isin V

119875 We

denote by I119875(V) O

119875(V) and H

119875(V) the subsets of input

output and internal actions that are enabled at the state VWe illustrate the basic features of interface automata by

applying them to the modeling of a railroad crossing controlsystem Figure 1 depicts the interfaces of three componentsmodeling the train controller and gate respectively Twosensors are used to detect the approach and exit of the trainThe state changes of the controller stand for handshakingwith the train (via the actions Approach and Exit) and thegate (via the actions Lower and Raise by which the controllercommands the gate to close or to open) When everything isready a signal Enter is sent to authorize the entrance of thetrain

In the graphic representation each automaton is enclosedin a box whose ports correspond to the input and outputactions The symbols and are appended to the name of theaction to denote that the action is an input and output actionrespectively An arrowwithout source denotes the initial stateof the automaton

Mathematical Problems in Engineering 3

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Raise Enter

EnterRaise Lower

Lowerg0 g1

g2

(c) Gate

Figure 1 The interface models of railroad crossing control system

The parallel composition of interface automata showshow they all relate and work together In Alfaro and Hen-zingerrsquos original paper of interface automata [13] providinga particular form of parallel composition mainly aimed toanalyze the compatibility of components In this paper thecompatibility is not our concern Therefore we abandonthis kind of parallel composition using a more traditionalone which is common in automaton theory Two interfaceautomata 119875 and 119876 are composable if I

119875cap I119876

= = O119875

cap

O119876 that is they have neither common inputs nor common

outputs We let shared(119875 119876) = A119875

cap A119876 In a composition

the two automata will synchronize on all common actionsand asynchronously interleave all other actions

Definition 2 (parallel composition) If 119875 and 119876 are compos-able interface automata the parallel composition 119875 times 119876 is theinterface automaton defined by

V119875times119876

= V119875

times V119876

VInit119875times119876

= VInit119875

times VInit119876

I119875times119876

= (I119875

cup I119876

) shared (119875 119876)

O119875times119876

= (O119875

cup O119876

) shared (119875 119876)

H119875times119876

= (H119875

cup H119876

) shared (119875 119876)

T119875times119876

= ((V 119906) 119886 (V1015840 119906)) | (V 119886 V1015840) isin T119875

and 119886

notin shared (119875 119876) and 119906 isin V119876

cup ((V 119906) 119886 (V 1199061015840)) | (119906 119886 1199061015840) isin T

119876and 119886

notin shared (119875 119876) and V isin V119875

cup ((V 119906) 119886 (V1015840 1199061015840)) | (V 119886 V1015840) isin T119875

and (119906 119886 1199061015840)

isin T119876

and 119886 isin shared (119875 119876)

(1)

The parallel composition of train and controller is shownin Figure 2(a) Here we have only depicted the reachable

Approach

Enter

Enter

Raise

Lower

Lower

Exit(a) Train times controller

Approach

Raise

Enter

Lower

Exit(b) Train times controller times gate

Figure 2 The parallel composition of interface models

states of the compositionThe automaton 119905119903119886119894119899times119888119900119899119905119903119900119897119897119890119903times

119892119886119905119890 in Figure 2(b) where all the actions have been hiddenas internal ones after synchronization describes the systemfunction in an orderly and concise manner

22 Fault Propagation Modeling on Interface Automata Formodel-based safety analysis failure modes must be explicitlymodeled Our approach to modeling fault behaviors is tospecify them using the interface automata notation itselfThe incorporation of the fault behaviors directly on thesystem interface models will promote ease of specification ofcomplex fault behaviors for both the system design and safetyengineers allowing them to create simple but realisticmodelsfor precise safety analysis

Fault modeling is aiming to specify the direct effects offailure modes In our approach this is done via importingnew actions states and transitions to the existing modelsThere are two types of faults in interface automata basic faultsand propagating faults Basic faults differ from propagatingfaults in their activation condition Basic faults are intrinsic toa component and originate within the component boundaryTheir activation occurs independently of other componentfailures and can be modeled using an independent inputaction

The faults that get activated by interaction or interferencedue to error propagation are considered as propagating faultsIn interface automata propagating faults will be synchro-nized during the composition of two components and then


Broken

BrokenEmptyEmpty

Water

WaterWater

Water

NoWater

NoWater NoWater

Pumping

Pumping

Stop

Stop

NoWater

Pow_F

Pow_F

Figure 3 Basic faults and propagating faults in interface automata

hidden as internal actions We denote by Ebf and Epf respectively the mutually disjoint sets of basic faults andpropagating faults

Consider the cooling water supply system in Figure 3This system consists of an electric pump and a water tankTwo components synchronize on actionWater which meansthere is water in the tank and the pump will start working(action Pumping) However the tank may be broken orempty denoted by input actions Broken and Empty HereBroken and Empty are basic faults since they originate withinthe tank component NoWater is defined as a propagatingfault to model the failure propagation from water tank tothe pump Also there are other propagating faults likepower failure (action Pow F) and the stop of pump (actionStop) between pump and other devices not listed in thisexample

Our extension towards interface automata lies on twoaspects Firstly as shown in Figure 3 the extended definitionof interface automata could be regarded as a 7-tuple 119875 =

⟨V119875VInit119875

I119875O119875H119875T119875Ebf

Epf⟩ Since Ebf and Epf

also have input or output attributes they do not need specialtreatment during the composition Besides solid lines in thefigure depict the nominal system interfaces while the dashlines show the fault behaviors of each of the componentsBased on the real system interfaces this kind of extension iseasy to perform and easy to understand and provides usefulsystem insights and shared formalmodels between the designand safety analysis stages

3 Algorithms Assist in Failure Analysis

Minimal cut set is the combination of basic faults which canguarantee occurrence of a top-level event (TLE) that is a setof undesired states but only has the minimum number ofthese faultsThe key problem investigated in this paper is howto efficiently produce minimal cut sets through exhaustivestate space explorationWe first give the following definitionsof (minimal) cut sets

Definition 3 (cut set) Let 119875 = ⟨V119875VInit119875

I119875O119875H119875T119875⟩

be an interface automatonEbf the set of basic faults and top-level event TLE sube V

119875 cs sube Ebf is a cut set of TLE if there

exists a trace 119905 = 1199010 1198860 1199011 1198861 119886

119896minus1 119901119896on 119875 satisfying the

following

(1) 1199010

isin VInit119875

119901119894notin VInit119875

(119894 isin 1 119896) and 119901119896

isin TLE

(2) forall119894 isin 0 119896 minus 1 (119886119894isin Ebf

rarr 119886119894isin cs)

(3) forall119886 isin cs rarr 119886 isin 119905

Intuitively a cut set is a combination of some basic faultswhich can lead to the occurrence of the given top-levelevent that is the set of all basic faults contained in a tracefrom initial states VInit

119875to top-level event (TLE) is a cut set

with respect to TLE We use CS119875TLE to represent all cut setson automaton 119875 with respect to TLE Minimal cut sets areformally defined as follows

Definition 4 (minimal cut sets) Let CS119875TLE be the set of all cutsets on automaton 119875 with respect to TLE One has the set ofall minimal cut sets of TLE on automaton 119875 as follows

MCS119875TLE = cs isin CS119875TLE | forallcs1015840

isin CS119875TLE (cs1015840 sube cs 997888rarr cs1015840 = cs)

(2)

Based on the previous definitions the computation ofminimal cut sets is to find out all traces leading to the TLEthat is all cut sets CS119875TLE and then minimize these sets

31 State Space Reconstruction Several automatic analysistechniques for minimal cut sets generation have been devel-oped on a variety of models for example Petri net finitestate machine NuSMV model and AltaRica model Themain difficulty in this kind of search-based minimal cut setsgeneration is state space reduction because in general thecomplexities of searching algorithms depend on the size ofthe state space

We observed that for safety analysis on interface modelsonly those actions that contribute to the occurrence ofthe predefined TLE need to be analyzed During the stateexploration noncontributing actions could be ruled out as faras possible This means that a majority of transitions relevantto internal and output actions could be peripheral to our coresearching algorithm Based on this observation we develop aprocedure of state space reduction

To reconstruct the state space of the given interface mod-els our approach is to cluster states that are noncontributingto the occurrence of TLE into equivalent classes and eliminate


relevant transitionsThe numbers of states and transitions arereduced using a restricted forward and backward reachabilityanalysis from initial states and TLE respectively The resultis a representation of the state space that is compact andminimal in some sense and keeps all necessary informationabout faults propagation

Definition 5 (state space partition) Let 119875 be an interfaceautomaton Ebf the set of basic faults and top-level eventTLE sube V

119875 The set of states V

119875consists of three dis-

joint parts denoted by SafetyArea119875 TriggeringArea119875 andHazardCore119875 where

(i) SafetyArea119875 is a forward closure119880 sube V119875such that (1)

VInit119875

sube 119880 and (2) if 119906 isin 119880 and (119906 119886 1199061015840) isin (TO

119875cupTH119875

)then 119906

1015840isin 119880

(ii) HazardCore119875 is a backward closure119880 sube V119875such that

(1) TLE sube 119880 and (2) if 119906 isin 119880 and (1199061015840 119886 119906) isin (TO

119875cup

TH119875

) then 1199061015840

isin 119880(iii) TriggeringArea119875 = V

119875 (SafetyArea119875 cup Hazard

Core119875)

Definition 5 divides the state space of an interfaceautomaton into three separate areas based on top-level event(TLE) Intuitively the set SafetyArea contains the reachablestates of an automaton from the initial states by takingonly internal or output transitions In this area the currentrunning of the system is safe and there is no occurringof any basic faults HazardCore consists of all states thatcan reach TLE through a series of continuous internal oroutput transitions States within the scope of HazardCorecould evolve into TLE without any external stimulation thatis the occurrence of any basic fault TriggeringArea is acomplement set containing all states of V

119875excepting those

in SafetyArea cup HazardCore According to this definition allof the basic faults are contained in the TriggeringArea whichis the focus of our state exploration algorithm forminimal cutsets generation

We use a directed graph DG119875 consisting of vertices and

labeled edges to denote the underlying transition diagram ofan interface automaton 119875

Definition 6 (state space reconstruction) Given an interfaceautomaton 119875 119877119890119889119906119888119890119889(DG

119875) is the reduced form of its

original transition diagram by applying the following stepson DG

119875

(1) remove all transitions from TriggeringArea119875 toSafetyArea119875

(2) remove all transitions from HazardCore119875 toSafetyArea119875 or TriggeringArea119875

(3) combine all states of SafetyArea119875 into a new state Init(4) combine all states of HazardCore119875 into a new state

Top

Definition 6 and Figure 4 show the process of our statespace reduction strategy All states in the set SafetyArea are

Init

Top

Triggeringarea

Safety area

Hazard core

Triggeringarea

Statespace

Figure 4 The reconstruction of system state space

merged into a new state Init All states in the set HazardCoreare combined into state Top After removing all reversetransitions on the fault propagation path we get a new statespace for further analysis

Theorem 7 Let 119875 be an interface automaton If 119888119904 is a cut setwith respect to top-level event (119879119871119864) then there exists a trace 119905

in 119877119890119889119906119888119890119889(119863119866119875) from Init to Top containing all elements of

119888119904

Proof Since the set of basic faults cs is a cut set ofTLE according to Definition 3 there is a trace 119905

1015840=

1199010 1198860 1199011 1198861 119886

119896minus1 119901119896in DG

119875fromVInit

119875to TLE satisfying

forall119886 isin cs rarr 119886 isin 1199051015840 By applying steps (3) and (4) of

Definition 6 at both ends of this trace respectively we geta new path 119905 = Init 119886

119898 119901119898+1

119901119899 119886119899Top Obviously 119905 is

in 119877119890119889119906119888119890119889(DG119875) During this process only those internal

and output transitions in SafetyArea119875 and HazardCore119875 areremoved Because all basic faults are defined as input actionshence no basic fault is eliminated from 119905

1015840 that is trace 119905 stillcontains all elements of cs

The essence of the search-based minimal cut sets gen-eration is to find out all combinations of basic faults thatcontributed to the top-level event in DG

119875 Theorem 7 shows

that DG119875and119877119890119889119906119888119890119889(DG

119875) are equivalent for this purpose

whereas the latter contains far fewer states and transitionsWeuse an example to illustrate the effectiveness of this approachReconsider the previous railroad crossing control system inFigure 1 which is in an ideal world where no errors occurThenext step is to extend thesemodels such that failuremodes arealso correctly described The following three failure modesare taken into account in this example

(i) Failure of the sensors (actions 1198781 119865 and 1198782 119865) whichwill prevent sending signals (actions Approach andExit) when the train is approaching or exiting

(ii) Failure of the brake (action Bra 119865) which will lead tononauthorized entering of the cross that is bypassingaction Enter

(iii) Failure of the barrier (action Stuck) which results inthe barrier being stuck at any location a new state 119892

3

is added to represent the stuck state of the barrier

These failure modes are integrated into the formal inter-face models as shown in Figure 5This model extension pro-vides us a failure propagationmap on nominal systemmodel


S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate

Figure 5 The extended interface models of railroad crossing control

Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)

Figure 6 The reshaped state space 119877119890119889119906119888119890119889(DGRC)

reflecting both normal interactions and fault propagationThe safety goal of this system is clear

SR 1 it must never happen that the train is on the crossing(at state 119905

2) and the crossing is not secured (at state 119892

0

or 1198923)

RC = 119905119903119886119894119899times119888119900119899119905119903119900119897119897119890119903times119892119886119905119890 is the parallel compositionof those extended interfacemodelsThere are 30 states and 63transitions in the state space DGRC By using the state spacereduction technique in Definition 6 we can obtain a reducedstate space119877119890119889119906119888119890119889(DGRC) as shown in Figure 6 which onlycontains 17 states and 31 transitions For brevity we use 3

separate subgraphs to represent the entire state space whilethese subgraphs have the common endpoints Init and Top

32 Minimal Cut Sets Generation Here we discuss the basicsearching algorithm for cut sets generation using forwardreachability analysisThefirst step is to find all possible simplepaths (paths without cycles) between two vertices that is Initand Top in the graph 119877119890119889119906119888119890119889(DG

119875) To solve this problem

the traditional depth-first search algorithm could be adjustedin the following manner

(1) Start at source vertex Init and perform a depth-firstwalk All nodes on the path are pushed in a stack andset as visited

(2) When the top element of the stack is target node Topa path is successfully found Record this path pop outTop and set it as unvisited

(3) For the current top of the stack 119906 find its successorthat is unvisited and push this node in the stack Ifno such successor exists pop out 119906 and set 119906 and itssuccessors unvisited

(4) Go back to step (2) until the stack is emptyTo better visualize this process one can think of a search

tree rooted at the vertex Init and all simple paths leading tonode Top constitute the body of this tree As an illustrationconsider the searching of Figure 6(b) The tree structure inFigure 7(a) depicts all simple paths between Init and Topgenerated by the above algorithm Since a cut set only consistsof basic faults we get the following four cut sets from this treeby removing extra actions and duplicate paths

StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)

After finding all possible cut sets in 119877119890119889119906119888119890119889(DG119875)

it is easy to identify those minimal ones According to


Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)

Figure 7 The comparison of different search strategies

Definition 4 given two cut sets cs1and cs

2 if cs1

sub cs2 cs2

must not be a minimal cut set This fact could be used todesign a simple filter through pairwise comparison of thesecut sets It is worth noting that sorting this set of cut sets bysize in advance will make the comparison more efficient Sofar we have presented a simple search-based algorithm forminimal cut sets generation

Unfortunately this naive algorithm has a major draw-back it needs to traverse all possible simple paths betweenInit and Top during the searching However from a practicalperspective some branches of the search tree could bepruned Since the ultimate goal is to get minimal cut setsaccording to Definition 4 no further extension of the currentpath is necessary if it contains a cut set which has beenfound in the previous exploration Using this observationwe present a heuristic searching strategy based on a boundedbreadth-first search to improve the performance of state spaceexploration

The basic idea is to search for all simple paths betweenInit and Top whose lengths are bounded by some integer 119896This problem can be efficiently solved in 119877119890119889119906119888119890119889(DG

119875) via

a breadth-first search with bound 119896 The result is a set of cutsets whose lengths are nomore than 119896 denoted by 119870sets andcan therefore be used for guiding the branch pruning duringthe rest searching Figure 7 shows a very distinct optimizationeffect on the graph 119877119890119889119906119888119890119889(DGRC) Firstly we perform abounded breadth-first search (let 119896 = 1) on 119877119890119889119906119888119890119889(DG

119875)

Via a breadth-first search with depth 1 the searching processwill find two traces from Init to Top which are exactly shownas Figure 6(a) Thus we get

119870sets = Stuck Bra 119865 (4)

We then use part of the state space (ie Figure 6(b)) todemonstrate the branches pruning effect of119870sets Figure 7(a)shows the paths generated by the naive algorithm whileFigure 7(b) represents the results of the optimized algorithmwhich uses119870sets to prune superfluous pathsThe comparisonindicates that over half of the total vertices and edges areruled out of the searching In order to tail off the search spaceand boost converging rate of the algorithm unnecessarybranches are trimmed in terms of the results of the 119896 boundedsearching

Algorithm 1 implements the above discussed techniqueswhich takes as input a directed graph 119877119890119889119906119888119890119889(DG

119875) a set of

basic faults BasicFaults and bounded searching result 119870setsThe output MCSList returns all minimal cut sets as a listwhich will be initialized with 119870sets The set cs is used torecord all basic faults in the current path and it will be addedto the end ofMCSList once the node Top in 119877119890119889119906119888119890119889(DG) isreached All nodes on the current searching path are pushedinto a stack 119878 If the top element of the stack is node Topor cs isin 119872119862119878119871119894119904119905 the algorithm will backtrack to continuethe search for a new path by popping out the old stacktop and trying out the unvisited neighbor of the new stacktop This procedure is repeated over and over until 119878 getsempty Procedure Filter(MCSList) carries out the pairwisecomparison of all elements in MCSList to get those minimalcut sets as we mentioned before

For 119877119890119889119906119888119890119889(DGRC) in Figure 6 computing 119870sets =

Stuck Bra 119865 with 119896 = 1 firstly and then using Algo-rithm 1 to perform a full search in state space we get allminimal cut sets 119872119862119878119871119894119904119905 = Stuck Bra 119865 This resultshows that the necessary and sufficient conditions for theoccurrence of top-level event (ie a train is on the crossingwhile the crossing is not secured) are as follows the barrieris stuck or the brake fails while sensors failure will notconsequentially lead to a dangerous situation

In this approach the choosing of parameter 119896 in thebounded searching is relatively flexible depending on thesize of 119877119890119889119906119888119890119889(DG) The role of 119870sets will gradually changewith the increasing of 119896 Obviously if the value of 119896 is bigenough all simple paths between Init andTopwill be found ina breadth-first way with low efficiency Therefore providingan appropriate value for 119896 is key to the solution For largemodels we recommend a relatively small 119896 for the boundedsearching firstly If Algorithm 1 can not terminate withina reasonable amount of time gradually increase 119896 until anadequate number of searching branches have been cut downso that the algorithm gets terminated

4 Fuel Supply System Example

In this section we exemplify our approach with a fuel supplysystem for small aircraft Figure 8 is the schematic diagramof this system The engine is supplied with fuel pumped athigh pressure from a collector tankmdasha small tank locatedclose to the engineThis demonstration is not concernedwiththe high-pressure fuel system The main fuel storage in theaircraft is in the left and rightmain tanks Each tank contains alow-pressure pump (119875 and 119876 in the diagram) which transfersfuel to the collector tank via valves 119860 and 119861 as required In


Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904

Output 119872119862119878119871119894119904119905 is a list of minimal cut sets(1) Push 119877119890119889119906119888119890119889(DG)119868119899119894119905 in stack 119878 and set it visited(2) 119872119862119878119871119894119904119905 fl 119870119904119890119905119904(3) cs fl 119873119906119897119897(4) while 119878 is not empty do(5) V fl 119878119905119900119901() Get the top element of stack 119878

(6) if There exist a vertex 119906 satisfying ((V 119887 119906) isin 119877119890119889119906119888119890119889(DG) and 119906 is unvisited) then(7) if 119887 isin 119861119886119904119894119888119865119886119906119897119905119904 then(8) Add basic fault 119887 into the set cs(9) if cs notin 119872119862119878119871119894119904119905 then(10) Push 119906 in stack 119878(11) else(12) Remove 119886 from cs(13) Set 119906 visited(14) else(15) Pop V from stack 119878 and set V as well as its successors unvisited(16) 119880119901119889119886119905119890(cs)(17) if the current top element of the stack is 119877119890119889119906119888119890119889(DG)119879119900119901 then(18) Add a copy of cs to the end of 119872119862119878119871119894119904119905(19) Pop out 119877119890119889119906119888119890119889(DG)119879119900119901 and set it unvisited(20) 119880119901119889119886119905119890(cs)(21) Filter(119872119862119878119871119894119904119905)(22) Return(119872119862119878119871119894119904119905)

Algorithm 1 Generation of minimal cut sets

flight valves 119860 and 119861 are normally left open The aircraftalso has a smaller reserve tank also fitted with its own low-pressure pump 119877 All pumps are protected by nonreturnvalves 119882 119883 119884 and 119885 Valves 119862 and 119863 (normally closedand opened when required) allow fuel to be transferred fromthe reserve to either wing tank as necessary The pumps havebuilt-in overpressure protection in the event of attemptingto pump into a closed or blocked pipe the overpressure reliefsystem will simply return fuel to the tank

We model this system at interface level by three com-ponents interacting with each other as shown in Figure 9The automaton at the top left denoted by 119875Left describes theinterface behavior of the left tank pump 119875 and valves 119882

and 119860 The top right model 119875Right consists of the right tankpump 119876 and valves 119883 and 119861 The reserve tank pump 119877 andvalves 119862 119863 119884 and 119885 are modeled as 119875Bottom at the bottomThe solid part of the figure depicts the nominal interactionsamong these components

In order to analyze the system behavior in presence offaults we would like to extend this nominal system modelwith the given failuremodes In Table 1 we list all faults underconsideration defined as input or output actions and theirintuitive meaning Those dash lines as well as the new addedactions in Figure 9 demonstrate our model extension Theparallel composition FSS = 119875Lefttimes119875Bottomtimes119875Right describes thebehavior of this fuel supply system in the presence of faults

There are 140 states and 560 transitions in the state spaceDGFSS

For this example assume that the safety requirement is asfollows

SR 2 simultaneous loss of fuel supply from the left and rightmain tank will not occur

That is to say it must never happen that 119875Left is at the state 1199012

and at the same time 119875Right at 1199022 Thus the top-level event is

TLE = 1199012

lowast 1199022 where lowast is used as a wildcard to substitute for

any state of automaton119875BottomThe set of all basic faults couldbe obtained from Table 1 that is

Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)

According to Definition 5 DGFSS could be dividedinto three parts SafetyAreaFSS TriggeringAreaFSS andHazardCoreFSS while TriggeringAreaFSS is the focus of ourattention Using the reconstruction approach given in Def-inition 6 we get a reduced state space 119877119890119889119906119888119890119889(DGFSS) Incontrast the new state space only contains 88 states and 442transitions


Table 1 Parameters of the fuel supply system interface models

Name Action Type Meaning119860 119865 119861 119865 Input Basic fault Unintended shutdown of valve 119860 or 119861

119862 119865 119863 119865 Input Basic fault Failure to open valve 119862 or 119863

119882 119865 119883 119865 119884 119865 119885 119865 Input Basic fault Clogging of valve 119882 119883 119884 or 119885

119875 119865 119876 119865 119877 119865 Input Basic fault Pump failure in 119875 119876 or 119877

119874119906119905119901119906119905119875 119874119906119905119901119906119905119876 Output Propagating fault Fuel supplied successfully by pump 119875 or 119876

119873119900 119900119906119905119901119906119905119875 119873119900 119900119906119905119901119906119905119876 Output Propagating fault No Fuel supplied by pump 119875 or 119876

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877 Input Basic fault Left right or reserve tank is empty119868119899119901119906119905119875119877 119868119899119901119906119905119876119877 Input amp output Propagating fault Fuel supplied successfully from reserve tank to the left or right one119873119900 119894119899119901119906119905119875119877 119873119900 119894119899119901119906119905119876119877 Input amp output Propagating fault No Fuel supplied from reserve tank to the left or right one

Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve

Figure 8 The fuel supply system for a small aircraft

In our case we choose 119896 = 4 for the bounded breadth-firstsearch which returns a few cut sets 119870sets as a key parameterfor the further computation where

119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)

Then Algorithm 1 is performed with 119870sets and its successfultermination returns the following MCSList including 39minimal cut sets

119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876

Additionally this kind of automatic analysis on interfacemodels provides a convenient way to explore the feasibilityof different architectures and design choices For instanceconsider the following safety requirement

SR 3 any loss of fuel supply from the left or right main tankis not allowed

An interface automaton implicitly represents bothassumptions about the environment and guarantees aboutthe specified component One interesting note about thisformalism is that while the environment changed it wouldexhibit different system behavior The environment couldalso be modeled explicitly by another interface automatonFor safety requirement SR 3 any occurrence of outputactions 119873119900 119900119906119905119901119906119905119875 or 119873119900 119900119906119905119901119906119905119876 will lead to danger Theautomaton in Figure 10 provides such an environment byaccepting these actions as legal inputs Using the composition


Table 2 The comparison of experimental results

RC + SR 1 FSS + SR 2 FSS2 + SR 3States in DG 30 140 132States in 119877119890119889119906119888119890119889(DG) 16 88 26Transitions in DG 63 560 536Transitions in 119877119890119889119906119888119890119889(DG) 31 442 176Paths generated by naive searching 19 59721 603Paths generated by Algorithm 1 8 34875 316Minimal cut sets 2 39 14

No_outputP No_outputQ

No_inputQRNo_inputPR

W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR

No_inputPR No_inputQR

No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F

Figure 9 The interface models of fuel supply system

No_outputQ

No_outputP

e1e0

Figure 10 An environment model of fuel supply system

of FSS and Env we can quickly locate all dangerous states byTLE = lowastlowastlowast 119890

1in the new interfacemodel FSS2 = FSStimesEnv

which consist of 132 states and 536 transitions In a similarway the state space can be reduced to 119877119890119889119906119888119890119889(DGFSS2)containing only 26 states and 176 transitions and then thecorresponding minimal cut sets are generated as follows(with the choice of parameter 119896 = 2)

119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876

The above demonstration and experimental resultsshown in Table 2 indicate that not only is the state spacereduction effect satisfactory but also the improved searchingalgorithm has more quick convergence speed than naiveexhaustive searching Both of these models can benefitfrom state space reconstruction but the impact is morepronounced on FSS2 where nearly eighty percent of thestates and seventy percent of the transitions are eliminatedThe number of simple paths generated by the searchingprocess is considered as an index of efficiency The naivesearching strategy will deliver all corresponding simplepaths in the state space while Algorithm 1 discards someunnecessary branches for further exploration Essentiallythese two technical measures contribute to the efficiencyimprovement by narrowing down the search region fromdifferent perspectives


5 Conclusions and Future Directions

Safety analysis is indispensable for ensuring the system safetybut is very time-consuming and error-prone The approachpresented in this paper has shown that applying interfaceautomata and restricted reachability analysis techniques tofaults modeling and minimal cut sets generation yields apromising means to improve automation and reduce theeffort of the analysis We believe that it is in these areas thatformalmethods could bemost effectively used to aid in safetyanalysis

Although several search-based failure analysis approach-es have been proposed this is the first reported applicationof using the characteristics of faults propagation and cutsets to speed up the search process in a reduced statespace (ie via our state space reconstruction and guidedsearching strategy) Besides taking full advantage of domainknowledge a further very important merit is the flexibility ofthis approach With different setting of environment param-eters interface automata could exhibit different behaviorwhich provides an efficient way for engineers to exploredifferent design choices as we have shown in the casestudy

However we note that directly adding complex faultbehaviors to nominal system model tends to severely clutterthe model with failure information This added complexitytypically obscures the actual nonfailure system functionalitywhich will make model evolution and maintenance difficultWithout favorable tool supporting manual incorporation ofthe fault behaviors may also lead to error-prone extensionof the nominal model Therefore it is crucial to sepa-rately specify fault behavior with a formal notation (egFPTN) and provide a merge mechanism for automatic modelextension

In this paper we concentrated our attention on faultpropagation analysis but the other important features suchas failure ordering analysis and fault tree generation andoptimizationwere not discussedWewill work on those issuesand larger case studies aimed at analyzing the scalabilityof this approach will be the emphasis of our further workFurthermore we find some useful characteristics of our statespace partition strategy such as the identification of Hazard-Core and TriggeringArea can provide valuable informationfor runtime monitoring failure forecast and fault diagnosisThat might be an interesting attempt to explore the roleof model-based safety analysis in system verification andvalidation

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work was partially supported by the National BasicResearch Program of China (no 2014CB340703) the Foun-dation of State Key Laboratory of Rail Traffic Control andSafety (no RCS2015ZT002) and the Fundamental ResearchFunds for the Central Universities (no 2015JBM113)

References

[1] M Bozzano A Villafiorita O Akerlund et al ldquoESACS an inte-grated methodology for design and safety analysis of complexsystemsrdquo in Proceedings of the European Safety and ReliabilityConference pp 237ndash245 2003

[2] O Akerlund P Bieber E Boede et al ldquoISAAC a framework forintegrated safety analysis of functional geometrical and humanaspectsrdquo in Proceedings of 3rd European Congress on EmbeddedReal Time Systems (ERTS rsquo06) pp 109ndash120 Toulouse FranceJanuary 2006

[3] A Arnold G Point A Griffault and A Rauzy ldquoThe AltaRicaformalism for describing concurrent systemsrdquo FundamentaInformaticae vol 40 no 2-3 pp 109ndash124 1999

[4] M Boiteau Y Dutuit A Rauzy and J-P Signoret ldquoTheAltaRica data-flow language in use modeling of productionavailability of a multi-state systemrdquo Reliability Engineering andSystem Safety vol 91 no 7 pp 747ndash755 2006

[5] P Bieber C Castel and C Seguin ldquoCombination of fault treeanalysis and model checking for safety assessment of complexsystemrdquo in Proceedings of the European Dependable ComputingConference pp 19ndash31 Toulouse France 2002

[6] P Fenelon and J A McDermid ldquoNew directions in softwaresafety causal modelling as an aid to integrationrdquo Tech RepHigh Integrity Systems Engineering Group Department ofComputer Science University of York 1992

[7] P Fenelon and J A McDermid ldquoAn integrated tool set forsoftware safety analysisrdquo The Journal of Systems and Softwarevol 21 no 3 pp 279ndash290 1993

[8] Y Papadopoulos and M Maruhn ldquoModel-based synthesis offault trees from Matlab-Simulink modelsrdquo in Proceedings of theInternational Conference on Dependable Systems and Networks(DSN rsquo01) pp 77ndash82 Goteborg Sweden July 2001

[9] P Feiler and A Rugina ldquoDependability modeling with thearchitecture analysis amp design language (AADL)rdquo Tech RepSoftware Engineering Institute Carnegie Mellon University(SEICMU) 2007

[10] J Bowen and V Stavridou ldquoSafety-critical systems formalmethods and standardsrdquo Software Engineering Journal vol 8no 4 p 189 1993

[11] A Rauzy ldquoMode automata and their compilation into faulttreesrdquo Journal of Logic and Algebraic Programming vol 78 no1 pp 1ndash12 2002

[12] M Bozzano and A Villafiorita ldquoImproving system reliabilityvia model checking the FSAPNuSMV-SA safety analysis plat-formrdquo inComputer Safety Reliability and Security S AndersonM Felici and B Littlewood Eds vol 2788 of Lecture Notes inComputer Science pp 49ndash62 2003

[13] L D Alfaro and T A Henzinger ldquoInterface automatardquo inProceedings of ACM SIGSOFT International Symposium onFoundations of Software Engineering pp 109ndash120 September2001

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of


Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of


Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of


Mathematical PhysicsAdvances in

Complex AnalysisJournal of


OptimizationJournal of


CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of


Operations ResearchAdvances in

Journal of


Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences


The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Algebra

Discrete Dynamics in Nature and Society



Decision SciencesAdvances in

Discrete MathematicsJournal of


Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of


as Fault Tree Analysis (FTA) and Failure Modes and EffectsAnalysis (FMEA) and to provide a formalism for capturinga single authoritative safety model of the system Theseapproaches emphasized the model of failure propagationlogic The second group of MBSA approaches addresses theanalysis of the transition of system states [10ndash12] in orderto identify the routes that a system transits from a safe stateto a hazardous state Since these search-based techniquesnormally require exhaustive enumeration of all reachablestates they do not fully exploit the advantage of the internalstructure of the state space and domain knowledge of safetyanalysis

Safety is clearly an emergent property of a system thatcan only be determined in the context of the whole Asan emergent property safety arises only when the systemcomponents interactwith each other in an environment Suchproperty is controlled or enforced by a set of constraintsrelated to behaviors of system components Accidents oftenresult from interactions among components that violate theseconstraints In general the term interaction is conceptuallysimple it is a kind of action that occurs as two ormore objectshave an effect upon one another In practice interactionsamong the components dramatically increase the complexityof the overall system It is intuitively obvious that growinginteraction complexity poses a great challenge to engineersafety of the system In some cases although hazard iden-tification and safety assessment had been undertaken forsystem components the hazards could be missed apparentlyat least in part because they arise out of the complex andindirect interactions in a complex system especially when thecomponents of the system are independently developed oroperated The new challenge to MBSA due to the complexityof a system is that it is very hard to analyze all possibledysfunctional interactions in the system so that its hazardousstates which reflect the effects of dysfunctional interactionsand inadequate enforcement of safety constraints can beidentified

Using interface models to capture these interactionswould offer twofold benefits Interface information could beabstracted from the existing system design models conve-niently This is helpful to the tight integration of the systemsand safety engineering processes Furthermore interfacemodels are often more abstract and contain much lesscorresponding implementation details which help to combatthe state space explosion problem in the following automaticanalysis

In this paper we propose an approach of model-basedsafety analysiswhich utilizes extended interface automata [13]to model the nominal behaviors as well as fault behaviors ofthe system To avoid the exploration of the entire reachabilityset we present a structural analysis strategy which takes intoaccount the inner structure of state space This has madepossible development of efficient algorithms for the purposeof safety analysis By applying state space reduction andheuristic search a much smaller reachable space needs to beexplored and thus the efficiency of proposedminimal cut setsalgorithm has been improved

The rest of the paper is organized as follows In Section 2we introduce interface automaton as a formalmodel for safety

analysis In Section 3 we show how to use domain knowledgefor efficient state space reduction and minimal cut setsgeneration Section 4 mainly demonstrates our approach ona small yet realistic safety-related example whereminimal cutsets are generated and analyzedConclusions andoutlooks forfuture work are presented in Section 5

2 Interfaces and Fault Modeling

21 Definitions and Notation Interface automata give aformal and abstract description of the interactions betweencomponents and the environment This formalism capturesthe temporal aspects of component interfaces includinginput assumptions and output guarantees in terms of 119868119874

actions and the order in which they occur in automataInput assumptions describe the possible behaviors of thecomponentrsquos external environment while output guaranteesdescribe the possible behaviors of the component itself

Definition 1 (interface automata) An interface automaton isdefined as a tuple 119875 = ⟨V

119875VInit119875

I119875O119875H119875T119875⟩ where

(i) V119875is a finite set of states

(ii) VInit119875

sube V119875is a set of initial states

(iii) I119875 O119875 and H

119875are mutually disjoint sets of input

output and internal actions one denotes by A119875

=

I119875

cup O119875

cup H119875the set of all actions

(iv) T119875

sube V119875

times A119875

times V119875is a transition relation

A trace on interface automaton is an alternatingsequence consisting of states and actions such as1199010 1198860 1199011 1198861 119886

119896minus1 119901119896 where 119901

119894isin V119875and 119886

119895isin A119875

(119894 isin 0 119896 and 119895 isin 0 119896 minus 1) If an action 119886 isin I119875

(resp 119886 isin O119875 119886 isin H

119875) then (V 119886 V1015840) isin T

119875is called an

input (resp output internal) transition We denote by TI119875

(resp TO119875 TH119875) the set of input (resp output internal)

transitions An action 119886 isin A119875is enabled at a state V isin V

119875

if there is a transition (V 119886 V1015840) isin T119875for some V1015840 isin V

119875 We

denote by I119875(V) O

119875(V) and H

119875(V) the subsets of input

output and internal actions that are enabled at the state VWe illustrate the basic features of interface automata by

applying them to the modeling of a railroad crossing controlsystem Figure 1 depicts the interfaces of three componentsmodeling the train controller and gate respectively Twosensors are used to detect the approach and exit of the trainThe state changes of the controller stand for handshakingwith the train (via the actions Approach and Exit) and thegate (via the actions Lower and Raise by which the controllercommands the gate to close or to open) When everything isready a signal Enter is sent to authorize the entrance of thetrain

In the graphic representation each automaton is enclosedin a box whose ports correspond to the input and outputactions The symbols and are appended to the name of theaction to denote that the action is an input and output actionrespectively An arrowwithout source denotes the initial stateof the automaton


Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Raise Enter

EnterRaise Lower

Lowerg0 g1

g2

(c) Gate



119875cap I119876

= = O119875

cap






V119875times119876

= V119875

times V119876


= VInit119875

times VInit119876

I119875times119876

= (I119875

cup I119876

) shared (119875 119876)

O119875times119876

= (O119875

cup O119876

) shared (119875 119876)

H119875times119876

= (H119875

cup H119876

) shared (119875 119876)

T119875times119876

= ((V 119906) 119886 (V1015840 119906)) | (V 119886 V1015840) isin T119875

and 119886


cup ((V 119906) 119886 (V 1199061015840)) | (119906 119886 1199061015840) isin T

119876and 119886


cup ((V 119906) 119886 (V1015840 1199061015840)) | (V 119886 V1015840) isin T119875

and (119906 119886 1199061015840)

isin T119876

and 119886 isin shared (119875 119876)

(1)


Approach

Enter

Enter

Raise

Lower

Lower


Approach

Raise

Enter

Lower









Broken

BrokenEmptyEmpty

Water

WaterWater

Water

NoWater

NoWater NoWater

Pumping

Pumping

Stop

Stop

NoWater

Pow_F

Pow_F





⟨V119875VInit119875

I119875O119875H119875T119875Ebf






I119875O119875H119875T119875⟩



exists a trace 119905 = 1199010 1198860 1199011 1198861 119886


following

(1) 1199010

isin VInit119875

119901119894notin VInit119875

(119894 isin 1 119896) and 119901119896

isin TLE










(2)












VInit119875


119875cupTH119875

)then 119906

1015840isin 119880



119875cup

TH119875

) then 1199061015840



Core119875)









119875




Top


Init

Top

Triggeringarea

Safety area

Hazard core

Triggeringarea

Statespace





119888119904


1015840=

1199010 1198860 1199011 1198861 119886

119896minus1 119901119896in DG

119875fromVInit




119898 119901119898+1

119901119899 119886119899Top Obviously 119905 is






that DG119875and119877119890119889119906119888119890119889(DG






3




S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate


Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)





0

or 1198923)











StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)




Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Raise Enter

EnterRaise Lower

Lowerg0 g1

g2

(c) Gate



119875cap I119876

= = O119875

cap






V119875times119876

= V119875

times V119876


= VInit119875

times VInit119876

I119875times119876

= (I119875

cup I119876

) shared (119875 119876)

O119875times119876

= (O119875

cup O119876

) shared (119875 119876)

H119875times119876

= (H119875

cup H119876

) shared (119875 119876)

T119875times119876

= ((V 119906) 119886 (V1015840 119906)) | (V 119886 V1015840) isin T119875

and 119886


cup ((V 119906) 119886 (V 1199061015840)) | (119906 119886 1199061015840) isin T

119876and 119886


cup ((V 119906) 119886 (V1015840 1199061015840)) | (V 119886 V1015840) isin T119875

and (119906 119886 1199061015840)

isin T119876

and 119886 isin shared (119875 119876)

(1)


Approach

Enter

Enter

Raise

Lower

Lower


Approach

Raise

Enter

Lower









Broken

BrokenEmptyEmpty

Water

WaterWater

Water

NoWater

NoWater NoWater

Pumping

Pumping

Stop

Stop

NoWater

Pow_F

Pow_F





⟨V119875VInit119875

I119875O119875H119875T119875Ebf






I119875O119875H119875T119875⟩



exists a trace 119905 = 1199010 1198860 1199011 1198861 119886


following

(1) 1199010

isin VInit119875

119901119894notin VInit119875

(119894 isin 1 119896) and 119901119896

isin TLE










(2)












VInit119875


119875cupTH119875

)then 119906

1015840isin 119880



119875cup

TH119875

) then 1199061015840



Core119875)









119875




Top


Init

Top

Triggeringarea

Safety area

Hazard core

Triggeringarea

Statespace





119888119904


1015840=

1199010 1198860 1199011 1198861 119886

119896minus1 119901119896in DG

119875fromVInit




119898 119901119898+1

119901119899 119886119899Top Obviously 119905 is






that DG119875and119877119890119889119906119888119890119889(DG






3




S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate


Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)





0

or 1198923)











StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)




Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Broken

BrokenEmptyEmpty

Water

WaterWater

Water

NoWater

NoWater NoWater

Pumping

Pumping

Stop

Stop

NoWater

Pow_F

Pow_F





⟨V119875VInit119875

I119875O119875H119875T119875Ebf






I119875O119875H119875T119875⟩



exists a trace 119905 = 1199010 1198860 1199011 1198861 119886


following

(1) 1199010

isin VInit119875

119901119894notin VInit119875

(119894 isin 1 119896) and 119901119896

isin TLE










(2)












VInit119875


119875cupTH119875

)then 119906

1015840isin 119880



119875cup

TH119875

) then 1199061015840



Core119875)









119875




Top


Init

Top

Triggeringarea

Safety area

Hazard core

Triggeringarea

Statespace





119888119904


1015840=

1199010 1198860 1199011 1198861 119886

119896minus1 119901119896in DG

119875fromVInit




119898 119901119898+1

119901119899 119886119899Top Obviously 119905 is






that DG119875and119877119890119889119906119888119890119889(DG






3




S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate


Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)





0

or 1198923)











StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)




Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra
















VInit119875


119875cupTH119875

)then 119906

1015840isin 119880



119875cup

TH119875

) then 1199061015840



Core119875)









119875




Top


Init

Top

Triggeringarea

Safety area

Hazard core

Triggeringarea

Statespace





119888119904


1015840=

1199010 1198860 1199011 1198861 119886

119896minus1 119901119896in DG

119875fromVInit




119898 119901119898+1

119901119899 119886119899Top Obviously 119905 is






that DG119875and119877119890119889119906119888119890119889(DG






3




S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate


Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)





0

or 1198923)











StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)




Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra










S2_F

S2_F

S1_F

S1_F

Bra_F

Bra_F

Approach

Approach Enter

Exit

Exit

Enter

t0 t1

t2

(a) Train

Approach

Approach

Raise

Raise

Lower

Lower

Exit

Exit

c0 c1

c3 c2

(b) Controller

Stuck

Stuck

Stuck

Stuck

Raise Enter

EnterRaise Lower

Lowerg0 g1

g3

g2

(c) Gate


Init

Stuck Bra_F

Top

(a)

Init

Stuck

Stuck

Stuck

Bra_FBra_FBra_F

Top

S1_F

S1_FApproach

(b)

Stuck Stuck

Stuck

Stuck

Stuck

ExitStuck

Stuck

Stuck

Bra_F

Bra_F

Bra_FBra_F

Top

Init

S1_F

S1_F

S1_F

S2_F

S1_F

S1_F

S2_F

(c)





0

or 1198923)











StuckBra 119865

Stuck 1198781 119865Bra 119865

1198781 119865Bra 119865

1198781 119865 StuckBra 119865

(3)




Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Init

Stuck Stuck

Stuck

S1_F

S1_F

Bra_F Bra_F

Bra_FBra_FBra_F

Approach

Top

Top Top Top

Top

(a)Init

S1_F

(b)



2 if cs1

sub cs2 cs2




119875) via


119875)


119870sets = Stuck Bra 119865 (4)



119875) a set of








Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Input 119877119890119889119906119888119890119889(DG) 119861119886119904119894119888119865119886119906119897119905119904 119870119904119890119905119904













TLE = 1199012



Ebf

= 119860 119865 119861 119865 119862 119865 119863 119865 119883 119865 119884 119865 119885 119865 119882 119865

119864119898119901119905119910 119875 119864119898119901119905119910 119876 119864119898119901119905119910 119877

(5)











Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra


















Engine

Collector

A B

Right

Q

Left

P

ZDY C

R

W X

Reserve



119870sets = 119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865

119882 119865 119876 119865 119882 119865 119883 119865 119882 119865 119861 119865 119860 119865 119876 119865

119860 119865 119883 119865 119860 119865 119861 119865

(6)


119875 119865 119876 119865 119875 119865 119883 119865 119875 119865 119861 119865 119882 119865 119876 119865

119882 119865 119883 119865

119882 119865 119861 119865 119860 119865 119876 119865 119860 119865 119883 119865 119860 119865 119861 119865

119875 119865 119877 119865 119864119898119901119905119910119876

119875 119865 119864119898119901119905119910119877 119864119898119901119905119910119876 119875 119865 119863 119865 119864119898119901119905119910119876

119875 119865 119885 119865 119864119898119901119905119910119876

119882 119865 119877 119865 119864119898119901119905119910119876 119882 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119882 119865 119863 119865 119864119898119901119905119910119876

119882 119865 119885 119865 119864119898119901119905119910119876 119860 119865 119877 119865 119864119898119901119905119910119876

119860 119865 119864119898119901119905119910119877 119864119898119901119905119910119876

119860 119865 119863 119865 119864119898119901119905119910119876 119860 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119877 119865 119876 119865

119864119898119901119905119910119875 119877 119865 119883 119865 119864119898119901119905119910119875 119877 119865 119861 119865

119864119898119901119905119910119875 119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119864119898119901119905119910119877 119876 119865 119864119898119901119905119910119875 119864119898119901119905119910119877 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119861 119865

119864119898119901119905119910119875 119884 119865 119861 119865 119864119898119901119905119910119875 119862 119865 119876 119865

119864119898119901119905119910119875 119862 119865 119883 119865

119864119898119901119905119910119875 119862 119865 119861 119865 119864119898119901119905119910119875 119884 119865 119876 119865

119864119898119901119905119910119875 119884 119865 119883 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119863 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119862 119865 119885 119865 119864119898119901119905119910119876

119864119898119901119905119910119875 119863 119865 119864119898119901119905119910119876 119884 119865

119864119898119901119905119910119875 119884 119865 119885 119865 119864119898119901119905119910119876









W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra














W_F

P_F

A_F

p0

p1p q2q1

q0

q4 q3

2

p3p4

EmptyPOutputP

OutputP

InputPR

InputPR

InputQR No_inputPR

No_inputPR


No_inputQR

No_inputQR

EmptyQ

EmptyR

OutputQ

OutputQ

InputQR

X_F

Q_F

B_F

C_F

Y_F

R_F

Z_F

D_F


No_outputQ

No_outputP

e1e0





119875 119865 119882 119865 119860 119865 119876 119865 119883 119865 119861 119865

119864119898119901119905119910119875 119877 119865

119864119898119901119905119910119875 119864119898119901119905119910119877 119864119898119901119905119910119875 119862 119865 119864119898119901119905119910119875 119884 119865

119877 119865 119864119898119901119905119910119876

119864119898119901119905119910119877 119864119898119901119905119910119876 119863 119865 119864119898119901119905119910119876

119885 119865 119864119898119901119905119910119876








Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra















Competing Interests


Acknowledgments


References





















Volume 2014




Journal of











Journal of


Function Spaces






Algebra
















Volume 2014




Journal of











Journal of


Function Spaces






Algebra









Documents

Research Article Failure Propagation Modeling and Analysis via … · 2019. 7. 30. · F : e interface models of railroad crossing control system. e parallel composition of interface