Abstract
The process of developing civil aircraft and their related systems includes multiple phases of Preliminary Safety Assessment (PSA). An objective of PSA is to link the classification of failure conditions and effects (produced in the functional hazard analysis phases) to appropriate safety requirements for elements in the aircraft architecture. A complete and correct preliminary safety assessment phase avoids potentially costly revisions to the design late in the design process. Hence, automated ways to support PSA are an important challenge in modern aircraft design. A modern approach to conducting PSAs is via the use of abstract propagation models, that are basically hypergraphs where arcs model the dependency among components, e.g. how the degradation of one component may lead to the degraded or failed operation of another. Such models are used for computing failure propagations: the fault of a component may have multiple ramifications within the system, causing the malfunction of several interconnected components. A central aspect of this problem is that of identifying the minimal fault combinations, also referred to as minimal cut sets, that cause overall failures.
In this paper we propose an expressive framework to model failure propagation, catering for multiple levels of degradation as well as cyclic and nondeterministic dependencies. We define a formal sequential semantics, and present an efficient SMTbased method for the analysis of failure propagation, able to enumerate cut sets that are minimal with respect to the order between levels of degradation. In contrast with the state of the art, the proposed approach is provably more expressive, and dramatically outperforms other systems when a comparison is possible.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
The process of developing civil aircraft and their related systems is guided by documents ARP4754A [17] and ARP4761 [16] produced by the engineering and standards organization SAE International. These documents describe a structured process for the safety assessment of these classes of platforms. An important stage is that of the Preliminary Aircraft Safety Assessment (PASA) and Preliminary System Safety Assessment (PSSA). The PASA is followed by multiple PSSA, carried out at the level of the systems composing the aircraft. One important goal of these process stages is to link the classification of failure conditions and effects (produced in the aircraft functional hazard analysis phase) to appropriate safety requirements for elements in the aircraft architecture. These safety requirements drive, among other things, assignment of target Development Assurance Levels (DAL) for items within the architecture. A complete and correct preliminary safety assessment phase avoids potentially costly revisions to the design late in the design process. Hence, automated ways to support PSA are an important challenge in modern aircraft design [18].
An important goal of PSAs is to fully understand how faults of simple functions (e.g. providing electrical power, onground braking) interact and propagate to affect the overall behaviours (e.g. landing, takeoff, taxiing). A modern approach to conducting such safety assessments is via propagation models [1, 14, 19], that model the dependency among components, e.g. how the degradation of one component may lead to the degraded or failed operation of another. Such models are used for computing failure propagations: the fault of a component may have multiple ramifications within the system, causing the malfunction of several interconnected components. A central problem is identifying the minimal fault combinations, also referred to as minimal cut sets, that cause overall failures [12].
Given that PSAs occur in the early stages of the development process when limited information regarding the design is available, reasoning is carried out at a very high level of abstraction. Therefore, instead of using behavioural models (e.g., infinitestate transition systems) adopted in formal verification, the system is more naturally modeled by a simpler formalism of propagation graphs. This does not make PSA any easier. There are in fact several aspects that must be taken into account. The first problem is the sheer size of propagation graphs, both in terms of nodes and hyperpaths to be explored, which make enumerative techniques completely inadequate.
Second, the propagation is nonBoolean [19]. That is, the degradation levels of the system functions are not binary (working vs not working) but the functions may be subject to different levels of degradation (e.g. fully operational, partly failed, completely failed), and fail in different ways (e.g. detected vs undetected, stuck open vs stuck closed), and different failures may be associated to different probabilities [19]. For example, the state of a component can be abstractly modeled into working (w), failed safe (fs), failed detected (fd), or failed undetected (fu), with degrees of degradation partially ordered as shown in Fig. 1.
In this setting, the notion of minimality needs to take into account the order among the levels of degradation, and can not be simply considered in terms of minimality with respect to setinclusion. Third, various forms of failure propagation may be possible, e.g., nondeterministic, temporallyconstrained, cyclic. For example, the failure of a power generator may lead, within a certain amount of time, to a depleted battery and then to the loss of an engine. In turn, the loss of an engine may compromise the ability to generate power, which clearly requires the ability to deal with cyclic propagation graphs. Additionally, a failure of the control system might cause a pressure valve to become either stuck open or stuck closed; this requires the ability to deal with nondeterministic propagations.
In this paper we tackle the problem of analyzing failure propagation in the full generality required by realworld applications. We start from Finite Degradation Structures (fds) [14], a recentlyproposed modeling framework, which unifies various combinational models traditionally used in safety analysis (such as fault trees and minimal cut sets) and generalizes them to deal with different levels of degradation. We propose a framework, referred to as pgfds (Propagation Graphs over fds), that allows to model nondeterministic and cyclic propagation graphs. The framework is general and can be used in other safetycritical domains.
In order to deal with cyclic behaviours, pgfds require a sequential semantics, expressed via symbolic transition systems. The computation of minimal cut sets over pgfds can be carried out by means of techniques based on model checking, developed for the general case of behavioural models [6].
Then, we prove that it is possible to carry out the same analysis within a combinational setting, leveraging two widely adopted assumptions: that faults are persistent and that the fault propagation is monotone. These assumptions allow us to devise an efficient algorithm that can analyze fault propagations of realistic industrial benchmarks that are currently out of reach of stateoftheart methods. The analysis of pgfds is reduced to model enumeration for an SMT formula that does not require the explicit unrolling of the transition system. We tackle two key difficulties. The first one is to ensure causality and rule out selfsupporting fault configurations in the combinational encoding. This is done by imposing cyclebreaking constraints requiring the existence of a partial order that is then constructed by the SMT solver during the analysis. The second one is to devise efficient enumeration techniques of models that are fdsminimal, i.e., minimal with respect to the severity of the degradation given by the fds. To this end, we propose an SMTbased enumerator of fdsminimal models.
We have experimentally evaluated our approach on a comprehensive set of realistic benchmarks, also generating random systems that have a similar structure as our proprietary systems^{Footnote 1}. The results demonstrate substantial advances with respect to the state of the art. Our approach is clearly superior to the approach proposed in [14], that is limited to the case of acyclic deterministic pgfds. For the cyclic pgfdss, we contrast our approach against the sequential approach based on modelchecking and show that our approach is able to scale to large pgfds, dramatically outperforming the sequential approach.
This paper is structured as follows. In Sect. 2 we present the mathematical notation and background on fds. In Sect. 3 we describe Propagation Graphs over fds (pgfds). In Sect. 4 we present the combinational encoding of pgfds into SMT. In Sect. 5 we describe how to use the SMT encoding for the enumeration of fdsminimal cut sets. In Sect. 6 we discuss some related work, and in Sect. 7 we present the experimental evaluation. In Sect. 8 we draw some conclusions and outline directions for future work.
2 Preliminaries
In the section, we explain the basic mathematical conventions that are used in the paper. We assume that the reader is familiar with the basic ideas of Satisfiability Modulo Theories (SMT) and in particular with the theory of linear integer arithmetic and the DPLL(T) procedure, as presented, e.g., in [2].
If convenient, we define unary functions with small domains inplace extensionally, e.g., \(\{ 1 \mapsto 2, 2 \mapsto 3 \}\) is a function with domain \(\{ 1, 2 \}\) that maps 1 to 2 and 2 to 3. We say that the nary function \(f(x_1, x_2, \ldots , x_n)\) depends on its formal argument \(x_i\) if there are some values \(v_1, v_2, \ldots , v_n, v_i'\) in the corresponding domains such that \(f(v_1, v_2, \ldots , v_i, \ldots v_n) \not = f(v_1, v_2, \ldots , v_i', \ldots v_n)\). Given sets A and B, we denote as \(B^A\) the set of all functions from A to B. Given a partially ordered set \((A, \le )\), its subset \(B \subseteq A\) is called an upper (resp. lower) set if for all \(b \in B\), \(a \in A\), the condition \(a \ge b\) (resp. \(a \le b\)) implies \(a \in B\).
A Finite Degradation Structure (fds) [14] is a triple \(( FM , \le , \bot )\), where \( FM \) is a finite set of failure modes and \(\le \) is a partial order on \( FM \) with the least element \(\bot \). For any set A and an fds \(B = ( FM _B, \le _B, \bot _B)\), the fds \(B^A\) for the set of functions from A to \( FM _B\) is defined as \((( FM _B)^A, \le _{B^A}, \bot _{B^A})\), where \(\bot _{B^A}(a) = \bot _B\) for all \(a \in A\), and \(f \le _{B^A} f'\) if and only if \(f(a) \le _{B} f'(a)\) for all \(a \in A\). We assume that each fds contains at least two elements. We say that an fds is Boolean if it is isomorphic to the structure \((\{\bot , \top \}, \bot \le \top , \bot )\). In the following, for an fds \(D = ( FM , \le , \bot )\), we denote elements of the set \( FM \)with \(f, f'\) and call them failure modes.
Given a firstorder formula \(\varphi \) over the language of the theory of linear integer arithmetic, an assignment \(\mu \) that assigns a value \(\mu (b) \in \{ \mathbf{false} , \mathbf{true} \}\) to each free Boolean variable b of \(\varphi \) and a value \(\mu (n) \in \mathbb {Z}\) to each free integer variable n of \(\varphi \) is called a model of \(\varphi \) (denoted \(\mu \models \varphi \)) if \(\mu \) makes \(\varphi \) true. If B is a subset of free Boolean variables of \(\varphi \), the model \(\mu \models \varphi \) is called subsetminimal with respect to B if there is no model \(\mu ' \models \varphi \) such that \(\{ b \in B \mid \mu '(b) = \mathbf{true} \} \subsetneq \{ b \in B \mid \mu (b) = \mathbf{true} \}\).
A transition system TS is a tuple (X, I, T) where X is a set of (state) variables, I(X) is a formula representing the initial states, and \(T(X,X')\) is a formula representing the transitions. A state of TS is an assignment to the variables X. A trace of M is a (possibly infinite) sequence \(s_0,s_1,\ldots \) of states such that \(s_0\models I\) and, for all \(i\ge 0\), \(s_i,s'_{i+1}\models T\).
3 Propagation Graphs over FDSs
In this section, we introduce our model for fault propagation, which we call Propagation Graphs over fdss (pgfds), and provide a sequential semantics for it which can be used to encode pgfdss into transition systems.
Intuitively, a Propagation Graph over fds (pgfds) consists of a set of components of the system and of the \( next \) function. In each step of the failure propagation, each component is in some failure mode from the underlying fds. In the next step of the failure propagation, each component can either 1) stay in its previous failure mode or 2) switch to an arbitrary failure mode from the set of possible next failure modes. The set of possible next failure modes for each component is given by the function \( next \), based on the current failure modes of all components in the system.
Definition 1 (Propagation Graph over FDS (PGFDS))
Given a finite degradation structure \(D = ( FM , \le , \bot )\), a propagation graph over D is a pair \(S = (C, next )\), where

C is a finite set of system components, and

\( next :C \rightarrow ( FM ^C \rightarrow 2^ FM )\) is a mapping that assigns to each component \(c \in C\) a next failure mode function \( next (c)\), which maps failure modes of all components in C to a set of possible next failure modes of c.
A state of S is a mapping \(s :C \rightarrow FM \) that assigns a failure mode \(f \in FM \) to each system component \(c \in C\).
Example 1
Consider a system with three components, \({\textsc {h}}\) (hydraulic), \({\textsc {e}}\) (electric), and \({\textsc {g}}\) (control on ground), over the Boolean fds \((\{\bot , \top \}, \bot \le \top , \bot )\). Each of the components is either working correctly (represented by the failure mode \(\bot \)) or incorrectly (\(\top \)). Component \({\textsc {g}}\) depends on the correct functionality of either \({\textsc {e}}\) or \({\textsc {h}}\). Component \({\textsc {e}}\) depends on \({\textsc {h}}\) to function correctly and, symmetrically, \({\textsc {h}}\) depends on \({\textsc {e}}\). The failure propagation of this system can be described by a pgfds \(S = (\{ {\textsc {g}}, {\textsc {e}}, {\textsc {h}} \}, next )\), where

\( next ({\textsc {g}})(s) = \{ \top \}\) if \(s({\textsc {e}}) = s({\textsc {h}}) = \top \) and \( next ({\textsc {g}})(s) = \emptyset \) otherwise;

\( next ({\textsc {e}})(s) = \{ \top \}\) if \(s({\textsc {h}}) = \top \) and \( next ({\textsc {e}})(s) = \emptyset \) otherwise;

\( next ({\textsc {h}})(s) = \{ \top \}\) if \(s({\textsc {e}}) = \top \) and \( next ({\textsc {h}})(s) = \emptyset \) otherwise.
Note that \( next (c)(s) = \emptyset \) means that if the system is in the state s, the component c cannot change its current failure mode.
The structure is intuitively associated with the hypergraph depicted in Fig. 2. The dashed rectangles represent the fact that each component can fail on its own (locally); the hyperarc from \({\textsc {e}}\) and \({\textsc {h}}\) to \({\textsc {g}}\) is conjunctive, while the arcs incoming into a node are disjunctive. \(\square \)
The important assumption of our approach is that we consider only faultpersistent propagations, i.e., fault propagations where each component can fail only once and after it does, it stays in the same failure mode forever. Note that this is a realistic assumption that is also used in other techniques for reliability analysis [5]. It is also implicitly used in other modeling techniques that are purely combinational (e.g., [19]) because they model the system only in a single time step, without considering any change in time whatsoever. Single propagation step of such computations can be described by a faultpersistent transition relation; the whole such computation as faultpersistent failure propagation.
Definition 2 (Faultpersistent transition relation)
Let \(S = (C, next )\) be a pgfds over an fds with the least element \(\bot \). The faultpersistent transition relation of S, denoted as \(R_s\), is the binary relation between states of S such that for all states \(s, s'\), the relation \(R_s(s, s')\) holds if and only if for each \(c \in C\)

\(s'(c) = s(c)\) or

\(s(c) = \bot \) and \(s'(c) \in next (c)(s)\).
Definition 3 (Faultpersistent failure propagation)
Given a pgfds \(S = (C, next )\), its faultpersistent transition relation \(R_s\), and \(k \in \mathbb {N}\), the sequence \((s_i)_{ 0 \le i \le k}\) of states of S is called a faultpersistent failure propagation if the relation \(R_s(s_i, s_{i+1})\) holds for all \(0 \le i < k\).
Because we deal only with faultpersistent failure propagations in this paper, we from now on refer to the faultpersistent transition relation and the faultpersistent failure propagation only as transition relation and failure propagation, respectively.
Definition 4 (Cyclic PGFDS)
Let \(S = (C, next )\) be a pgfds. A component \(c \in C\) depends on a component \(d \in C\) iff \( next (c)(s) \not = next (c)(s')\) for some \(s, s' :C \rightarrow FM \) such that \(s(d) \not = s'(d)\) and \(s(c') = s'(c')\) for all \(c' \not = d\). Let \( deps (c) := \{ d \in C ~~ c \text { depends on } d \}\), \(D \subseteq C \times C\) be such that \(D(c, c')\) if and only if \(c' \in deps (c)\), and let \(D^+\) be the transitive closure of D. Then we say that S is cyclic if and only if there exists \(c \in C\) such that \(D^+(c, c)\) holds.
Example 2
In the pgfds S from Example 1, the component \({\textsc {g}} \) depends on components \({\textsc {e}} \) and \({\textsc {h}} \), the component \({\textsc {e}} \) depends on \({\textsc {h}} \), and the component \({\textsc {h}} \) depends on \({\textsc {e}} \). The pgfds S is therefore cyclic because \({\textsc {e}} \) (and also \({\textsc {h}} \)) transitively depends on itself. \(\square \)
To analyze reliability of the modeled system, it is important to identify the failures of its components (i.e., assignment of failure modes to the components) which cause the system to reach a given set of dangerous states, usually called top level event (TLE). Such assignments are called cut sets. Since the number of all cut sets can be prohibitively large, it is often enough to identify the least severe failures in terms of the underlying fds that are sufficient to cause the TLE. Such cut sets are called fds minimal, or minimal for short. These concepts are formalized in the following definitions.
Definition 5 (Top Level Event)
Given a pgfds S, a Top Level Event (TLE) is an arbitrary set of states of S.
Definition 6 ((FDSMinimal) Cut Set)
Given a pgfds \(S = (C, next )\), and a top level event \( TLE \), a cut set is any state s for which there is a faultpersistent failure propagation that starts in s and ends in some \(s_k \in TLE \). A cut set is called fds minimal (or minimal for short) if it is minimal with respect to the pointwise ordering \(\le \) of the underlying fds.
Given a system S and a top level event \( TLE \), we denote the set of all corresponding cut sets as \( CS ({S}, { TLE })\) and the set of all minimal cut sets as \( MCS ({S}, { TLE })\). As a convention, when talking about cut sets, we will explicitly mention only the components to which the cut set assigns a failure mode different from \(\bot \).
Example 3
Consider again the pgfds S from Example 1 and the top level event \(\mathrm {TLE} = \{ s :\{ {\textsc {g}}, {\textsc {e}}, {\textsc {h}} \} \rightarrow \{ \top , \bot \} \mid s({\textsc {g}}) = \top \}\), which corresponds to the component \({\textsc {g}} \) not working correctly. The minimal cut sets for the pgfds S and the given top level event are

1.
\(\{ {\textsc {g}} \mapsto \top \}\), witnessed by a failure propagation \((\{ {\textsc {g}} \mapsto \top , {\textsc {e}} \mapsto \bot , {\textsc {h}} \mapsto \bot \})\) of length 1.

2.
\(\{ {\textsc {e}} \mapsto \top \}\), witnessed by a failure propagation \((\{ {\textsc {g}} \mapsto \bot , {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \bot \}, \{ {\textsc {g}} \mapsto \bot , {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \top \}, \{ {\textsc {g}} \mapsto \top , {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \top \})\) of length 3.

3.
\(\{ {\textsc {h}} \mapsto \top \}\), witnessed by a failure propagation \((\{ {\textsc {g}} \mapsto \bot , {\textsc {e}} \mapsto \bot , {\textsc {h}} \mapsto \top \}, \{ {\textsc {g}} \mapsto \bot , {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \top \}, \{ {\textsc {g}} \mapsto \top , {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \top \})\) of length 3.
Note that besides these three minimal cut sets, there are other cut sets that are not minimal, such as \(\{ {\textsc {e}} \mapsto \top , {\textsc {h}} \mapsto \top \}\). \(\square \)
Faultpersistent computations of a pgfds can be easily represented as traces of a (symbolic) transition system.
Definition 7 (Faultpersistent transition system)
Given a pgfds \(S = (C, next )\) and an fds \(D = ( FM , \le , \bot )\), the corresponding faultpersistent (symbolic) transition system is given by \( TS _S = (X, \mathbf {true}, T)\), where:

\(X = \{ x_c ~~ c \in C \}\) is the set of state variables, with domain \( FM \);

\(T(X, X')\) is a symbolic encoding of the faultpersistent transition relation of S as given in Definition 2. That is, for each assignment \(\mu :X \cup X' \rightarrow FM \), \(\mu \models T\) if and only if \(R_s(s, s')\) holds, where \(s :C \rightarrow FM \) is defined as \(s(c) = \mu (x_c)\) (and similarly for \(s'\)).
By definition, every faultpersistent computation of S has a corresponding trace (of the same length) in \( TS _S\). Therefore, encoding pgfdss as transition systems allows leveraging offtheshelf algorithms for subsetminimal cut set enumeration, such as those given in [6]. However, this might be inefficient, particularly for TLEs that are triggered by long failure propagations (corresponding to equallylong traces of the induced transition system). Moreover, as we show later, enumerating fdsminimal cut sets is more involved.
Fault propagation systems used in practice often have the property that no transition can be disabled by additional faults, i.e., by switching a failure mode of a component from \(\bot \) to \(f \not = \bot \). This is also the case for the pgfds from Example 1. Such systems are called subsetmonotone or monotone for short. This is formalized by the following definition.
Definition 8 (Subsetmonotone PGFDS)
A pgfds \(S = (C, next )\) is called subsetmonotone if for all \(s, s' :C \rightarrow FM \), the condition \( \forall c \in C. \; s(c) \not = \bot \rightarrow s(c) = s'(c) \) implies \( \forall c \in C. \; next (c)(s) \subseteq next (c)(s'). \)
4 From Sequential to Combinational
In this section, we describe a combinational encoding of faultpersistent computations of a pgfds, which is guaranteed to be exact for subsetmonotone pgfdss and provides a useful overapproximation for general pgfdss. In the rest of the section, let \(S = (C, next )\) be a pgfds over the fds \(D = ( FM , \le , \bot )\), and \( TLE \) be a top level event. We show how to construct a firstorder formula \(\varphi _{ cs }\) over the theory of linear integer arithmetic whose models correspond to cut sets of S with respect to \( TLE \). In the next section, we then use this formula to enumerate all fdsminimal cut sets of S.
To encode the propagations of S, for each component \(c \in C\) and each failure mode \(f \in FM \) we introduce two Boolean variables: \(I_{{c},{f}}\) and \(F_{{c},{f}}\). The variable \(I_{{c},{f}}\) encodes whether c was in the failure mode f in the initial state of the propagation. The variable \(F_{{c},{f}}\) encodes whether c has been in the failure mode f at any time during the propagation. We can then encode \( TLE \) as a formula \(\varphi _ TLE \) over variables \(F_{{c},{f}}\).^{Footnote 2}
Considering now a possible propagation, a component c can be in failure mode \(f \ne \bot \) at some time during the propagation for two reasons: either it was already in f in the initial state of the propagation, or it transitions to f because of its \( next \) function. The first case is represented by \(I_{{c},{f}}\) being true. The second case can be encoded as follows (for each \(c\in C\) and \(f \in FM \setminus \{ \bot \}\)):
stating that there must exist a row in the truth table of \( next (c)\), whose result includes f and which agrees with the current state on the failure modes of failed dependencies.^{Footnote 3} The above, however, would not work in the presence of cycles. This can already be seen on the simple cyclic pgfds from Example 1.
Example 4
Consider again the pgfds S from Example 1. The abovedescribed encoding of the propagations of S is
Although this encoding has a model \(\mu \) such that \(\mu \models \lnot I_{{{\textsc {g}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {e}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {h}}},{\top }} \, \wedge \, F_{{{\textsc {g}}},{\top }} \, \wedge \, F_{{{\textsc {e}}},{\top }} \, \wedge \, F_{{{\textsc {h}}},{\top }}\), there is no propagation path of S in which both components \({\textsc {e}} \) and \({\textsc {h}} \) are initially in the state \(\bot \) and switch to state \(\top \) during the propagation. The problem is that the encoding allows models where a failure of \({\textsc {e}} \) was caused by a failure of \({\textsc {h}} \), which was in turn caused by the same failure of \({\textsc {e}} \). \(\square \)
In order to solve the problem, we introduce constraints imposing a causal ordering among the components, stating that the failure of a component can be caused only by other components that precede it in the causal order. We encode this by introducing one additional integer variable \(o_c\) for each component c, which intuitively corresponds to the time when the component c switched to a failure mode different from \(\bot \), and modifying the formula (1) to take the causal ordering into account:^{Footnote 4}
Putting it all together, the encoding for the failure mode changes is given by the formula \(\varphi _{ next }\) below:
Example 5
For the pgfds S from Example 1, the correct encoding of the propagations of S is thus the following formula \(\varphi _{ next }\):
Note that the constraints for causal ordering now rule out the spurious selfsupporting propagation in which \({\textsc {e}} \) fails because of \({\textsc {h}} \) and \({\textsc {h}} \) fails because of \({\textsc {e}} \). This would require that \(o_{{\textsc {h}}} < o_{{\textsc {e}}}\) and \(o_{{\textsc {e}}} < o_{{\textsc {h}}}\) are both true, which is clearly impossible in the theory of linear integer arithmetic (or, more generally, in any theory in which < is interpreted as a strict ordering relation).
The propagations of S mentioned in Example 3 correspond to the following assignments:

1.
The propagation for the cut set \(\{ {\textsc {g}} \mapsto \top \}\) corresponds to an assignment \(\mu \) such that \(\mu \models I_{{{\textsc {g}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {e}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {h}}},{\top }} \, \wedge \, F_{{{\textsc {g}}},{\top }} \, \wedge \, \lnot F_{{{\textsc {e}}},{\top }} \, \wedge \, \lnot F_{{{\textsc {h}}},{\top }}\) and \(\mu (o_{{\textsc {g}}}) = \mu (o_{{\textsc {e}}}) = \mu (o_{{\textsc {h}}}) = 0\).

2.
The propagation for the cut set \(\{ {\textsc {e}} \mapsto \top \}\) corresponds to an assignment \(\mu \) such that \(\mu \models \lnot I_{{{\textsc {g}}},{\top }} \, \wedge \, I_{{{\textsc {e}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {h}}},{\top }} \, \wedge \, F_{{{\textsc {g}}},{\top }} \, \wedge \, F_{{{\textsc {e}}},{\top }} \, \wedge \, F_{{{\textsc {h}}},{\top }}\) and \(\mu (o_{{\textsc {g}}}) = 2\), \(\mu (o_{{\textsc {e}}}) = 0\), \(\mu (o_{{\textsc {h}}}) = 1\).

3.
The propagation for the cut set \(\{ {\textsc {h}} \mapsto \top \}\) corresponds to an assignment \(\mu \) such that \(\mu \models \lnot I_{{{\textsc {g}}},{\top }} \, \wedge \, \lnot I_{{{\textsc {e}}},{\top }} \, \wedge \, I_{{{\textsc {h}}},{\top }} \, \wedge \, F_{{{\textsc {g}}},{\top }} \, \wedge \, F_{{{\textsc {e}}},{\top }} \, \wedge \, F_{{{\textsc {h}}},{\top }}\) and \(\mu (o_{{\textsc {g}}}) = 2\), \(\mu (o_{{\textsc {e}}}) = 1\), \(\mu (o_{{\textsc {h}}}) = 0\).
These assignments are not unique; there are infinitely many choices for the values of the ordering variables \(o_c\). Also note that there is no global causality ordering for the system: the causality ordering is different for different propagations. \(\square \)
Finally, we encode the faultpersistence constraint by stating that no component can be in two failure modes either in the initial state of the propagation or at any time during the propagation:
The final formula is then given by \(\varphi _{ cs }\):
As the following theorem shows, the formula \(\varphi _{ cs }\) for general systems encodes an overapproximation of the set \( CS ({S}, { TLE })\). The reason for this is that the encoding does not enforce failure mode of dependencies that are working, i.e., are in the failure mode \(\bot \). Note that even an overapproximation of \( CS ({S}, { TLE })\) is useful for safety analysis; it can be used, for example, for computing an upper bound on the probability of failure of the system. Moreover, if the system S is subsetmonotone, which is often the case in practice, the formula \(\varphi _{ cs }\) is guaranteed to encode the set \( CS ({S}, { TLE })\) exactly.
To formulate the relationship precisely, we define the function that provides the correspondence between the models of \(\mu \) and the cut sets of S. Observe that thanks to \(\varphi _{ once }\), each model \(\mu \) of \(\varphi _{ cs }\) corresponds to a unique initial state \( modelToState (\mu )\) of S as defined below:
Theorem 1
For an arbitrary pgfds S and a top level event \( TLE \),
Moreover, if S is subsetmonotone, these sets are equal.
5 Enumeration of FDSMinimal Cut Sets
In this section, we show how to efficiently enumerate fdsminimal cut sets of subsetmonotone systems using the formula \(\varphi _ cs \) and an SMT solver. We first consider a simplified case, in which the underlying fds D is Boolean. We then show how to generalize our solution to arbitrary fdss.
5.1 Algorithm for Boolean FDSs
The pseudocode of our procedure for the case when the underlying fds is Boolean is shown in Fig. 3. Intuitively, the algorithm enumerates all the subsetminimal models of \(\varphi _ cs \) with respect to the set of variables of form \(I_{{c},{f}}\). These models are enumerated one by one and each enumerated model is, together with all its supermodels, blocked by the assertion on line 13, until the formula becomes unsatisfiable. Each model of the formula is converted to a cut set by the function \( modelToState \).
The algorithm makes use of a DPLL(T)based SMT solver that provides the following functionalities:

1.
An assertformula method that allows to add constraints incrementally;

2.
A checksat method to determine the satisfiability of the current set of constraints;

3.
A getmodel method that returns a model for the current asserted set of constraints, in case they are satisfiable;

4.
An addpreferredvar method that allows to control the branching heuristics of the internal SAT engine of the solver, such that whenever a SAT decision needs to be performed, variables in the preferred set are always considered before the other variables for branching, and are assigned the value specified in the addpreferredvar call.^{Footnote 5}
The correctness for our algorithm is formalized by the theorem below.
Theorem 2 (MCS enumeration over Boolean FDS)
For a subsetmonotone pgfds S over the Boolean fds, the result of \({MCS}\) \({enumeration}(\varphi _{ cs }, modelToState )\) is the set of all fdsminimal cut sets of S.
Proof
Let \(S = (C, next )\) be a subsetmonotone pgfds. It was proven by Di Rosa et al. [15] that if branching heuristics of a CDCLbased SAT solver are modified to assign false to a subset V of variables before branching on other variables (lines 4–5 of our pseudocode), the produced model is subsetminimal with respect to the set of variables V. This claim straightforwardly extends to DPLL(T)based SMT solvers. In every iteration, the algorithm thus finds one subsetminimal model \(\mu \) of \(\varphi _ cs \) with respect to the set of variables \(I_{{c},{f}}\) and adds a constraint that prevents enumerating any model \(\mu '\) such that \(\{ I_{{c},{f}} \in vars (\varphi _ cs ) \mid \mu (I_{{c},{f}}) = \mathbf{true} \} \subseteq \{ I_{{c},{f}} \in vars (\varphi _ cs ) \mid \mu '(I_{{c},{f}}) = \mathbf{true} \}\) in the following iterations. Therefore, the described algorithm enumerates, for each model \(\overline{\mu }\) of the formula \(\exists \{ F_{{c},{f}} \mid c \in C, f \in FM \} \, \exists \{ o_c \mid c \in C \} \, (\varphi _ cs )\) that is subsetminimal with respect to the set of variables \(I_{{c},{f}}\), exactly one model \(\mu \) of \(\varphi _ cs \) that agrees with \(\overline{\mu }\) on all variables \(I_{{c},{f}}\).
Note that \( vars (\varphi _ cs )\) does not contain the variable \(I_{{c},{\bot }}\) for any \(c \in C\). For a Boolean fds and models \(\mu , \mu ' \models \varphi _ cs \), we thus have \(\{ I_{{c},{f}} \in vars (\varphi _ cs ) \mid \mu (I_{{c},{f}}) = \mathbf{true} \} \subseteq \{ I_{{c},{f}} \in vars (\varphi _ cs ) \mid \mu '(I_{{c},{f}}) = \mathbf{true} \}\) if and only if \( modelToState (\mu ) \le modelToState (\mu ')\). Therefore, Theorem 1 implies that for subsetmonotone S, subsetminimal models of \(\varphi _ cs \) with respect to the set of variables of form \(I_{{c},{f}}\) precisely correspond to fdsminimal cut sets of S and the correspondence is given by the function \( modelToState \). \(\square \)
5.2 Extension to Arbitrary FDSs
The algorithm of Fig. 3 does not work in general for arbitrary fdss, but only for the fdss in which all the failure modes different from \(\bot \) are incomparable. The problem is that the assumption that a cut set is fdsminimal iff the corresponding model of \(\varphi _ cs \) is subsetminimal with respect to the set of variables \(I_{{c},{f}}\) with \(f \not = \bot \) does not hold in general with the encoding of Sect. 4, as can be seen on the following simple example.
Example 6
Consider the fds \(D = (\{\bot , m, \top \}, \bot \le m \le \top , \bot )\) and the pgfds \(S = (\{c\}, next )\) with \( next (c)(s) = \emptyset \) for all c and s. Intuitively, S contains one component that cannot change its failure mode during the computation. Consider further the toplevel event \( TLE = \{ \{ c \mapsto m \}, \{ c \mapsto \top \} \}\).
Both \(\{ c \mapsto \top \}\) and \(\{c \mapsto m\}\) are cut sets, but only the latter is fdsminimal. However, the algorithm of Fig. 3 will return both, since they both correspond to subsetminimal models with respect to the set of variables \(I_{{c},{f}}\). \(\square \)
We can adapt the procedure of Fig. 3 to arbitrary fdss by using an encoding in which the ordering of assignments to the \(I_{{c},{f}}\) variables corresponds to the severity ordering \(\le \) of the underlying fds D. In order to do this, we exploit the isomorphism between \(D = ( FM , \le , \bot )\) and the poset \(D\!\downarrow \) of its lower subsets generated by single elements defined as \(D\!\downarrow = \{ \{ f' \in FM ~~ f' \le f\}~~ f \in FM \}\) with partial order \(\subseteq \) and the least element \(\{ \bot \}\). For example, the poset \((W3F\!\downarrow , \subseteq )\) for the fds W3F of Fig. 1 is shown in Fig. 4, together with an encoding of the elements as formulas.
With this isomorphism in mind, we define for each \(c \in C\) and \(f \in FM \) the formula \(\psi _{c = f}\) that represents the failure mode f of component c by assigning the subset of variables \(\{ I_{{c},{\hat{f}}} \mid \hat{f} \le f \}\) to true:
The important property of this definition is that for all \(c \in C\), \(f, f' \in FM \) and assignments \(\mu \models \psi _{c = f}\) and \( \mu ' \models \psi _{c = f'}\), we have \(f \le f'\) if and only if \(\{ I_{{c},{\hat{f}}} \mid \mu (I_{{c},{\hat{f}}}) = \mathbf{true} \} \subseteq \{ I_{{c},{\hat{f}}} \mid \mu '(I_{{c},{\hat{f}}}) = \mathbf{true} \}\).
We then modify the encoding \(\varphi _ cs \) of Sect. 4 as follows:

1.
First, we modify \(\varphi _{ next }\) to encode the initial state by using \(\psi _{c = f}\) instead of \(I_{{c},{f}}\). This ensures that the ordering of assignments to the initial variables reflects the ordering given by the underlying fds. We also remove the mutual exclusion constraints on the variables \(I_{{c},{f}}\) from \(\varphi _{once}\), because the mutual exclusion of initial failure modes is now guaranteed by the definition of \(\psi _{c = f}\):
$$\begin{aligned} \varphi _{ next }&= \bigwedge _{\begin{array}{c} c \in C \\ f \in FM \setminus \{\bot \} \end{array}} \left( F_{{c},{f}} \rightarrow \left( \psi _{c = f} \vee (2) \right) \right) \wedge (\psi _{c=f} \rightarrow F_{{c},{f}}),\\ \varphi _{once}&= \bigwedge _{\begin{array}{c} c \in C \\ f, f' \in FM \setminus \{ \bot \} \\ f \not = f' \end{array}} \left( \lnot F_{{c},{ f}} \vee \lnot F_{{c},{ f'}} \right) . \end{aligned}$$ 
2.
Then, we add domain constraints that ensure that the resulting formula represents only models with assignments to \(I_{{c},{f}}\) that correspond to elements of \(D\!\downarrow \):
$$\begin{aligned} \varphi _{D\!\downarrow }&= \bigwedge _{c \in C} \bigvee _{f \in FM } \psi _{c = f}. \end{aligned}$$
The new encoding is then given by \(\varphi _ cs ^ FM \):
The modified encoding \(\varphi _ cs ^ FM \) represents the cut sets in a different way: instead of representing the failure modes directly by \(I_{{c},{f}}\) as in \(\varphi _ cs \), they are now represented by the subformulas \(\psi _{c = f}\). Therefore, to prove correctness of the modified encoding, the function \( modelToState \) that maps models to cut sets also has to be changed. We define the initial state \( modelToState ^ FM (\mu )\) corresponding to the model \(\mu \) by \( modelToState ^ FM (\mu )(c) = \max \{ f \in FM \mid \mu (I_{{c},{f}}) = \mathbf{true} \}\). Note that the maximum is guaranteed to exist because of the \(\varphi _{D\!\downarrow }\) constraint.
Theorem 3
For an arbitrary pgfds S and a top level event \( TLE \),
Moreover, if S is subsetmonotone, these sets are equal.
Therefore, the algorithm MCSenumeration from Fig. 3 can be used to enumerate fdsminimal cut sets of a subsetmonotone pgfds, given as the inputs the modified encoding \(\varphi ^ FM _{ cs }\) and the modified function \( modelToState ^ FM \). This is formalized by the following theorem:
Theorem 4 (MCS enumeration for general FDS)
For a subsetmonotone pgfds S over an fds D, the result of \(\text {MCSenumeration}(\varphi ^ FM _{ cs }, modelToState ^ FM )\) is the set of all fdsminimal cut sets of S.
Note that our encoding of fdsminimality is general and does not depend on the algorithm for enumeration of subsetminimal models. Indeed, thanks to our encoding, any offtheshelf minimalmodel enumerator can be used to enumerate fdsminimal models. Therefore, any improvements to minimal model enumeration directly translate to improved performance of our method for fdsminimal cut set enumeration. From the opposite point of view, our encoding can in principle be employed by other tools to reduce fdsminimal cut set enumeration to subsetminimal cut set enumeration.
6 Related Work
Finite Degradation Models (fdms) [14] are an algebraic framework accommodating the concept of fault degradation, where faults may have different values organized into a semilattice. Using fdms (probabilistic) safety analysis (fault trees and minimal cut sets) can be generalized from Boolean models to multistate systems. Compared to fdms, faultpersistent pgfdss differ in two significant aspects: first, since the function \( next \) returns a set of possible next failure modes, pgfdss allow nondeterminism in the failure propagation, i.e., the failure of a component is not uniquely determined by the failure modes of its dependencies. Second, and more importantly, pgfdss allow cyclic dependencies and give them welldefined and expected semantics. Since the work on fdms is the closest to ours, we shall discuss it in detail below.
In [8] the authors present a framework for failure propagation which enables modeling sets of failure modes using a domain specific language. It is less expressive than fdms, in that sets of failure modes cannot be related by degradation orders, which significantly simplifies the enumeration of MCSs. Finally, classical formalisms for failure propagation, but less expressive than fds, include fptn [9] and HipHOps [11].
tfpgs (Timed Failure Propagation Graphs) [1] extend fault propagation model by enabling the specification of time bounds and mode constraints on the propagation links. However, tfpgs do not consider degradation, and they do not support cyclic dependencies. Conversely, the pgfds formalism can be easily extended to support time bounds, failure probabilities, mode constraints, and constraints on propagation delays similar to those available in tfpgs (e.g., following [5]). Moreover, once the minimal cut sets of a pgfds are computed, the existing approach to computing probability of overall failure [5] can be used almost unchanged.
Finally, xSAP [3] is a safety analysis platform that supports librarybased fault models and the generation of safety artifacts for fully general behavioral models, e.g., it can generate fault trees and minimal cut sets for arbitrary transition systems [6]. Currently, xSAP does not support fds and degradation models.
6.1 Detailed Comparison with Finite Degradation Models
As outlined above, the formalism Finite Degradation Models (fdms), introduced in [14], is closely related to our pgfds. Here, we describe fdm in further detail and show that pgfds are a strict generalization of fds, obtained by (i) considering nondeterminism in the propagation of failures, and (ii) by allowing cyclic dependencies among the components.
Each fdm has state variables, which correspond to the sources of failures in the system, and flow variables, which correspond to the propagated consequences of these failures. Each flow variable has an associated equation, which prescribes the failure mode of the corresponding flow variable based on the failure modes of state variables and other flow variables. We assume that the failure modes of all state and flow variables are modeled by the fds \(D = ( FM , \le , \bot )\).^{Footnote 6}
Definition 9
(Finite Degradation Model [14]). Given an arbitrary fds \(D = ( FM , \le , \bot )\), a Finite Degradation Model (fdm) is a pair \(M = ( \mathcal{V} = \mathcal{S} \uplus \mathcal{F}, \mathcal{E} )\), where

\(\mathcal{S} = \{ V_1, \ldots , V_m \}\) is a finite set of state variables,

\(\mathcal{F} = \{ W_{m+1}, \ldots , W_{m+n} \}\) is a finite set of flow variables,

\(\mathcal{E} = \{ W_{m+1} := \phi _{m+1}, \ldots W_{m+n} := \phi _{m+n} \}\) is a finite set of equations, where each \(\phi _{m+i}\) for \(1 \le i \le n\) is a function of type \( FM ^{\mathcal {V}} \rightarrow FM \).
We say that a flow variable \(W_{m+i}\) depends on a variable v if the function \(\phi _{m+i}\) depends on v. An fdm is called acyclic if there are no cyclic dependencies among its flow variables, i.e., no flow variable transitively depends on itself. We stress out that in contrast to our definitions of pgfds, the original paper [14] only deals with acyclic fdms and does not provide semantics and necessary definitions for cyclic fdms. We thus assume in the rest of the section that all fdms are acyclic.
An assignment \(\sigma :\mathcal {V} \rightarrow FM \) is called admissible if the failure modes assigned to the flow variables satisfy all the corresponding equations, i.e., \(\sigma (W_{m+i}) = \phi _{m+i}(\sigma )\) for each \(1 \le i \le n\). The assumption of acyclicity of fdms, together with the fact that all equations are deterministic functions and not general relations, guarantees that in each admissible assignment, failure modes of the flow variables are uniquely determined by the failure modes of the state variables. This defines a function \([\![M ]\!](\sigma ) = \overline{\sigma }_M\), which maps each state variable assignment \(\sigma \) to its unique admissible extension \(\overline{\sigma }_M\) that assigns values to all variables. This is a stark contrast to pgfds, where a single initial state can give rise to multiple different propagation paths.
A corresponding notion to our notion of top level event for fdm is the notion of observer. An observer is a pair (R, U), where R is a flow variable and \(U \subseteq FM \) is a set of failure modes. Intuitively, the observer represents a set of dangerous failure modes of the given flow variable. A cut set is any assignment \(\sigma :\mathcal {S} \rightarrow FM \) of failure modes to state variables such that \(\overline{\sigma }(R) \in U\).
A notion related to our notion of monotonicity for fdm is coherence. The observer is coherent if for all assignments \(\sigma , \sigma ' :\mathcal {S} \rightarrow FM \) such that \(\sigma \) is a cut set and \(\sigma \le \sigma '\), the assignment \(\sigma '\) is also a cut set.
Each fdm M can be translated to a pgfds \(S_M\) such that the cut sets of M correspond to the cut sets of \(S_M\). Moreover, if the fdm M is coherent, the resulting pgfds \(S_M\) is guaranteed to be subsetmonotone. This enables efficient analysis of coherent fdms by our SMTbased technique. Intuitively, the pgfds \(S_M\) has one component for each state variable of M and an additional component R for the observer flow variable R. The \( next \) function is defined in a way that the failure modes of all the components that correspond to state variables cannot change and that the component R can switch to a predefined set of failure modes if \(\overline{\sigma }(R) \in U\). This is achieved by composing all equations for the flow variables. If local variables are used in the symbolic encoding^{Footnote 7}, the size of the result is guaranteed to be polynomial.
7 Experimental Evaluation
To evaluate the performance and scalability of our approach, we have implemented the proposed algorithm MCSenumeration in a simple Python tool that uses the solver MathSAT [7], which supports all the required functionalities that are described in Sect. 5.1. In this section, we refer to the tool as SMTPGFPS.
As a comparison, we have used Emmy [13], a tool based on decision diagrams for the enumeration of fdsminimal cut sets of fdms, and xSAP [3], a tool for safety assessment for arbitrary transition systems. Each of these tools only supports a subset of the capabilities of our approach, as summarized in Table 1.

Emmy supports minimal cut set enumeration with respect to an arbitrary ordering of failure modes given by an fds, but only for acyclic and deterministic fdms;

xSAP supports analysis of arbitrary transition systems with cycles, given that it internally relies on the nuXmv model checker. However, it cannot enumerate fdsminimal cut sets, but only subsetminimal ones. Note that for computation of subsetminimal cut sets, xSAP is more general than our approach, as it supports general transition systems and arbitrary temporal properties. However, we use xSAP as a baseline to compare performance and scalability of our approach for cyclic pgfds because it is a subcase of general transition systems that is important in practice. In the evaluation, we use the IC3based engine described in [6] (denoted as xSAPIC3). Note that this algorithm assumes that the verified property is monotone and leverages this assumption for efficiency.
For the comparison, we have created three sets of benchmarks:

Scalable acyclic benchmarks consisting of linear structures extended by a triple modular redundancy scheme. The basic architecture of these structures is parameterized by its size n and the system contains 6n components: 3n modules and 3n voters. These benchmarks use the fds \(\mathrm {W2F}\), which is a restriction of the fds W3F of Fig. 1 to failure modes \(\{ w, fd , fu \}\), with the ordering \(w< fd < fu \). Note that fdsminimal cut sets of these benchmarks cannot be enumerated by xSAP, as the benchmarks use a nonBoolean fds.

Randomly generated systems with cycles over Boolean FDS which share some structural properties with realworld systems. In particular, we generated random systems that have a similar distribution of indegrees and outdegrees of the components as our proprietary systems, which we cannot disclose. We have generated 950 such systems of sizes ranging between 50 and 1000 components. We have used the Boolean fds for these benchmarks, so that they can be precisely analyzed also by xSAP. Note that these benchmarks cannot be solved by Emmy, as they contain cyclic dependencies among the components.

Randomly generated systems over W2F which are created from the abovementioned randomly generated systems by using the fds W2F instead of the Boolean one. Although this does not change the overall structure of the system, it makes the transition relation more complicated and significantly increases number of minimal cut sets. In the evaluation, we only used systems of size at most 400, as both the compared approaches timed out on the vast majority of larger systems. Note that these benchmarks cannot be solved by Emmy, as they contain cyclic dependencies among the components. They can be solved by xSAP, but the generated cut sets are only subsetminimal with respect to fault variables, and not (in general) fdsminimal.
For the scalable benchmarks, we have generated encodings in the SMT format described in this paper and in the fdsml format used by Emmy. For the randomly generated cyclic benchmarks, we have generated encodings in the SMT format and in the SMV format used by xSAP. The SMV encodings also include the assumption of faultpersistence. All the used benchmarks are subsetmonotone, and therefore our SMTbased approach can be used to compute the set of minimal cut sets correctly.
We have used wall time limit of 30 min for each solverbenchmark pair. All experiments were performed on a Linux laptop with Intel Core i78665U cpu and 32 GiB of ram.
A comparison of SMTPGFPS and Emmy on the scalable acyclic benchmarks can be seen in Table 2. It shows that Emmy times out already on systems of size 5, i.e., on systems with 30 components. On the other hand, our approach is able to scale to systems with three thousand components.
A comparison against the sequential approach of xSAP on cyclic benchmarks can be seen in Fig. 5. Figures 5a and 5b show that on random systems over Boolean fdss, our approach significantly outperforms the sequential approach of xSAP. As the size of the system grows, the difference can be up to several orders of magnitude. Both xSAP and SMTPGFPS compute exactly the same minimal cut sets. Hence, the dramatic difference in performance can be justified by the reduction to the combinational case, which prevents the unrolling of the transition relation by implicitly encoding the propagations in the total ordering(s) found by the SMT solver.
The performance difference on the systems over the fds W2F, shown in Figures 5c and 5d, is even more pronounced. This can be caused by two additional factors. First, the systems over the fds W2F have more complicated transition relation, more minimal cut sets, and are in general harder. Thus, the unrolling performed by xSAP is even more costly. Second, xSAP has to enumerate more cut sets, because it is enumerating all subsetminimal cut sets and not only fdsminimal cut sets. However, this cannot be the main source of the observed performance gap: on 35 from the 113 benchmarks on which both xSAP and SMTPGFPS finished before timeout, the number of cut sets are the same; on the remaining 78 benchmarks, xSAP enumerates on average 6% more cut sets and at most 62% more cut sets. In order to obtain fdsminimal cut sets from xSAP, the produced subsetminimal cut sets would have to be filtered or explicitly minimized, which would add yet another performance penalty for xSAP.
Overall, the SMTbased techniques presented in this paper yield a fundamental advancement with respect to the state of the art, both in terms of expressiveness as well as in terms of performance.
8 Conclusions and Further Work
We tackled the problem of supporting the Preliminary Safety Assessment phase of aircraft design. Specifically, we defined an expressive framework for modeling failure propagation over components with multiple levels of degradation, with nondeterminism and cyclic dependencies. We presented a sequential semantics and proved that the problem can be tackled by means of minimal models enumeration in SMT. The framework is more expressive than the state of the art, and the proposed method outperforms the BDDbased techniques from [14] on acyclic benchmarks over generic fdss, and the model checking techniques of [6] on cyclic benchmarks.
In the future, we are going to introduce timing constraints and analyze redundancy architectures. We also investigate ways to relax the monotonicity and faultpersistence assumptions to explore recovery mechanisms and to further extend the reach of our approach. We are also working on encoding the causality constraints in the frameworks of SAT modulo acyclicity [10] and ASP modulo acyclicity [4], which could improve the performance of our approach even further.
Notes
 1.
Unfortunately the proprietary systems cannot be disclosed.
 2.
A naive encoding would be using the formula \(\bigvee _{s \in TLE } ( \bigwedge _{c \in C, s(c) \not = \bot } F_{{c},{s(c)}} \wedge \bigwedge _{c \in C, s(c) = \bot } \bigwedge _{f \in FM \setminus \{ \bot \}} \lnot F_{{c},{f}} )\), but more compact representations are of course possible (particularly if \( TLE \) is given symbolically).
 3.
This formula can again be encoded more compactly; particularly if the \( next \) function is given symbolically, which is usually the case in practice.
 4.
We remark that such ordering constraints are needed only if the input pgfds is cyclic, and only between components in the same strongly connected component of the dependency graph.
 5.
For example, calling addpreferredvar(solver, v, true) means that if the solver has to perform a case split, v will be assigned before all nonpreferred variables, and it will always be assigned to true by the branching heuristic.
 6.
Both fdms and our pgfds can be defined over multiple different fdss for different variables. Such generalization is straightforward, but it complicates the notation and the exposition significantly.
 7.
For example, letexpressions of form (let ((var definition) ...) body) in SMTLIB.
References
Abdelwahed, S., Karsai, G., Mahadevan, N., Ofsthun, S.C.: Practical implementation of diagnosis systems using timed failure propagation graph models. IEEE Trans. Instrum. Meas. 58(2), 240–247 (2009)
Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Biere, A., Heule, M., van Maaren, H., Walsh, T. (eds.) Handbook of Satisfiability, volume 185 of Frontiers in Artificial Intelligence and Applications, pp. 825–885. IOS Press (2009)
Bittner, B., et al.: The xSAP safety analysis platform. In: Chechik, M., Raskin, J.F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 533–539. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662496749_31
Bomanson, J., Gebser, M., Janhunen, T., Kaufmann, B., Schaub, T.: Answer set programming modulo acyclicity. Fundamenta Informaticae 147(1), 63–91 (2016)
Bozzano, M., Cimatti, A., Gario, M., Micheli, A.: SMTbased validation of timed failure propagation graphs. In: Bonet, B., Koenig, S. (eds.) Proceedings of the TwentyNinth AAAI Conference on Artificial Intelligence, Austin, Texas, USA, 25–30 January 2015, pp. 3724–3730. AAAI Press (2015)
Bozzano, M., Cimatti, A., Griggio, A., Mattarei, C.: Efficient anytime techniques for modelbased safety analysis. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 603–621. Springer, Cham (2015). https://doi.org/10.1007/9783319216904_41
Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642367427_7
Delmas, K., Delmas, R., Pagetti, C.: SMTbased architecture modelling for safety assessment. In: 12th IEEE International Symposium on Industrial Embedded Systems, SIES 2017, Toulouse, France, 14–16 June 2017, pp. 1–8. IEEE (2017)
Fenelon, P., McDermid, J.A.: An integrated tool set for software safety analysis. J. Syst. Softw. 21(3), 279–290 (1993)
Gebser, M., Janhunen, T., Rintanen, J.: SAT modulo graphs: acyclicity. In: Fermé, E., Leite, J. (eds.) JELIA 2014. LNCS (LNAI), vol. 8761, pp. 137–151. Springer, Cham (2014). https://doi.org/10.1007/9783319115580_10
Papadopoulos, Y., McDermid, J.A.: Hierarchically performed hazard origin and propagation studies. In: Felici, M., Kanoun, K. (eds.) SAFECOMP 1999. LNCS, vol. 1698, pp. 139–152. Springer, Heidelberg (1999). https://doi.org/10.1007/3540482490_13
Rauzy, A.: Mathematical foundations of minimal cutsets. IEEE Trans. Reliab. 50(4), 389–396 (2001)
Rauzy, A., Yang, L.: Decision diagram algorithms to extract minimal cutsets of finite degradation models. Information 10(12), 368 (2019)
Rauzy, A., Yang, L.: Finite degradation structures. FLAP 6(6), 1447–1474 (2019)
Di Rosa, E., Giunchiglia, E., Maratea, M.: Solving satisfiability problems with preferences. Constraints Int. J. 15(4), 485–515 (2010). https://doi.org/10.1007/s106010109095y
SAE: ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, December 1996
SAE: ARP4754A Guidelines for Development of Civil Aircraft and Systems, December 2010
Wang, P.: Civil Aircraft Electrical Power System Safety Assessment: Issues and Practices. ButterworthHeinemann, Oxford (2017)
Yang, L., Rauzy, A., Haskins, C.: Finite degradation structures: a formal framework to support the interface between MBSE and MBSA. In: IEEE International Systems Engineering Symposium (ISSE), Rome, Italy, pp. 1–6 (2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Bozzano, M., Cimatti, A., Fernandes Pires, A., Griggio, A., Jonáš, M., Kimberly, G. (2021). Efficient SMTBased Analysis of Failure Propagation. In: Silva, A., Leino, K.R.M. (eds) Computer Aided Verification. CAV 2021. Lecture Notes in Computer Science(), vol 12760. Springer, Cham. https://doi.org/10.1007/9783030816889_10
Download citation
DOI: https://doi.org/10.1007/9783030816889_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030816872
Online ISBN: 9783030816889
eBook Packages: Computer ScienceComputer Science (R0)