On the Formalization of Importance Measures using HOL Theorem Proving
Waqar Ahmed, Shahid Ali Murtza, Osman Hasan, Sofiene Tahar

TL;DR
This paper formalizes importance measures like Birnbaum and Fussell-Vesely using HOL theorem proving to verify critical component relationships, enabling scalable and rigorous analysis of system reliability without extensive simulations.
Contribution
It introduces a HOL theorem proving framework for importance measures, formalizing key measures and applying them to a railway signaling system for validation.
Findings
Formalized importance measures in HOL
Verified importance relationships for system components
Applied to railway signaling system case study
Abstract
Importance measures provide a systematic approach to scrutinize critical system components, which are extremely beneficial in making important decisions, such as prioritizing reliability improvement activities, identifying weak-links and effective usage of given resources. The importance measures are then in turn used to obtain a criticality value for each system component and to rank the components in descending manner. Simulations tools are generally used to perform importance measure based analysis, but they require expensive computations and thus they are not suitable for large systems. A more scalable approach is to utilize the importance measures to obtain all the necessary conditions by proving a generic relationship describing the relative importance between any pair of components in a system. In this paper, we propose to use higher-order-logic (HOL) theorem proving to verify…
| HOL Symbol | Standard Symbol | Meaning |
|---|---|---|
| Logical | ||
| Logical | ||
| Logical | ||
| Adds a new element to a list | ||
| Joins two lists together | ||
| Head element of list | ||
| Tail of list | ||
| element of list L | ||
| True if is a member of list | ||
| Function that maps to | ||
| Successor of a |
| FT Gates | Formalization |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Mathematical Expressions | Theorem’s Conclusion |
|---|---|
| Symbol | Basic Events | () |
|---|---|---|
| x1 | Vehicle Failure | |
| x2 & x4 | Human Factor | |
| x3 | Rail Failure | |
| x5 | Program Error | |
| x6 | Programmable Logic Controller Failure | |
| x7 | Network Communication Failure | |
| x8 | Power Network Failure | |
| x9 & x10 | Alarm Failure | |
| x11 & x12 | Light Failure | |
| x13 & x14 | Motor Failure | |
| x15 & x16 | Transmission System Failure |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFormal Methods in Verification · Advanced Database Systems and Queries · Software Reliability and Analysis Research
On the Formalization of Importance Measures using HOL Theorem Proving
††thanks: The final publication is available at http://ieeexplore.ieee.org
Waqar Ahmad1, Shahid Ali Murtza2, Osman Hasan2, and Sofiène Tahar1
1Electrical and Computer Engineering,
Concordia University, Montreal, QC, Canada
Email: {waqar,tahar}@ece.concordia.ca
2School of Electrical Engineering and Computer Science,
National University of Sciences and Technology, Islamabad, Pakistan
Email: {smurtza.msee15seecs,osman.hasan}@seecs.nust.edu.pk
Abstract
Importance measures provide a systematic approach to scrutinize critical system components, which are extremely beneficial in making important decisions, such as prioritizing reliability improvement activities, identifying weak-links and effective usage of given resources. The importance measures are then in turn used to obtain a criticality value for each system component and to rank the components in descending manner. Simulations tools are generally used to perform importance measure based analysis, but they require expensive computations and thus they are not suitable for large systems. A more scalable approach is to utilize the importance measures to obtain all the necessary conditions by proving a generic relationship describing the relative importance between any pair of components in a system. In this paper, we propose to use higher-order-logic (HOL) theorem proving to verify such relationships and thus making sure that all the essential conditions are accompanied by the proven property. In particular, we formalize the commonly used importance measures, such as Birnbaum and Fussell-Vesely, and conduct a formal importance measure analysis of a railway signaling system at a Moroccan level crossing as an application for illustration purpose.
Index Terms:
Importance Measures, Higher-order Logic, Fault Tree, Theorem Proving.
I Introduction
Importance measures [1] provide an effective way to evaluate the relative criticality of components in a system. Particularly, they are employed to identify a subset of components that are more important to a system so that given resources can be effectively utilized. The underline concept is to focus on the most problematic areas in a system aiming to achieve the most significant gains. A study at Microsoft Corp. has revealed that about 20% of the entire pool of detected bugs lead to about 80% of the errors and crashes in Microsoft Windows and Office software [2]. In reliability engineering, determining the importance of components significantly helps to solve several reliability problems, such as component assignment, redundancy allocation, system upgrading, and fault diagnosis and maintenance.
In 1968, Birnbaum was the first to propose the concept of importance measure for binary systems of two states, either functioning or failed [3]. This led to the development of more sophisticated importance measures, such as Fussell-Vesely [1], to analyze more complicated systems, like nuclear power plants. These importance measures are primarily defined for coherent systems [1], which are systems satisfying the following conditions: (1) their structure function or system failure model exhibits non-decreasing behavior, i.e., the probability of the given failure model increases with the increase in the number of failures; and (2) each of their components is relevant, i.e., every component is actively contributing to the system failure.
A typical method in importance measure analysis involves calculating a criticality value for each component in a system and then tabulating the obtained data in descending manner [4]. In other words, a component with higher value is regarded as highly critical and placed above in the ranking than a component with a lower value. Simulation based reliability analysis tools, such as ReliaSoft [5], determine the component’s importance by computing the percentage of times that a system failure event is caused by a failure of a particular component over the simulation time 0 to t. However, for analyzing the relative importance between all pairs of components, these methods have very high computational requirements especially when dealing with systems with many components.
The scalability limitations of simulation based importance measure analysis can be resolved by using mathematically verified reduction methods in this context. For instance, Boland et al. [6] developed a relationship stating that the component i is structurally more critical than the component j if its structure function is larger when i is down and j is up as compared to the opposite case. This work is further extended by Meng [7] to obtain the necessary conditions, based on Birnbaum and Fussell-Vesely importance measures, that are essential for proving the analytical relationships describing the relative importance of any pair of system components. These analytical relationships can be extremely helpful in practical scenarios since calculating the exact values of a component importance measures can be tedious for large and complex systems. However, these analytical relationships have been manually verified using paper-and-pencil based proof methods and thus there is no guaranty that all necessary conditions are explicitly identified. This is a grave concern considering the safety-critical nature of some importance measure analysis. Thus, there is a dire need of developing more rigorous analysis of these foundational relationships to guarantee their correctness and their appropriate usage.
In this paper, we propose to utilize higher-order-logic (HOL) theorem proving to assure the formal guarantees about the relationships, obtained by Boland and Meng, governing the relative importance of any pair of system components. The HOL theorem prover is a system of deduction with precise semantics and provides a sound reasoning support for verifying the given properties, stated as a theorem, rigorously [8]. We first formalize the properties of coherent systems by describing their structure function as a fault tree (FT) [9] model, which is a graphical model for analyzing the conditions and factors causing the system failure. Secondly, we formalize commonly used importance measures, such as Birnbaum, Fussell-Vesely, Reduction Worth and Achievement Worth [1]. We then use the formalization of Birnbaum importance measure to formally verify the relative importance properties of any pair of system components as described by Boland and Meng using HOL theorem proving. For illustration purposes, we conduct the formal importance measure analysis of a railway signaling system at a Moroccan level crossing (LC) [10] consisting of several critical components, such as lights, programmable logic controllers, alarms and also human factor, using the HOL theorem prover [11].
The rest of the paper is organized as follows: An overview of the related work is presented in Section II. In Section III, we provide a brief summary of the HOL theorem prover and the fundamentals of the HOL probability theory. A brief introduction to the recent formalization of FT analysis is also described to facilitate the understanding of the paper. Section IV presents the HOL formalization of the concept of importance measure and its related properties. Section V applies our proposed approach by describing the formal importance measure analysis of the signaling system at a Moroccan level crossing. Finally, Section VI concludes the paper.
II Related Work
Importance measure is a useful concept in reliability engineering and has been analyzed analytically [1] as well as using simulation tools [5]. The latter approach is practically adopted by industrial engineers due to their powerful features. These tools follow the typical approach of ranking the system components according to their criticality value. However, this approach requires high computations to obtain the criticality value for all system components and then perform the successive analysis, which may not be possible for large and complex systems. An alternate approach is to verify a relative measure relationship for any pair of components and obtain the necessary conditions, as described by Meng [7].
Recently, a formal dependability analysis framework [12], based on Reliability Block Diagram [13, 14] and FT modeling techniques, has been developed using HOL theorem proving. This framework has been successfully utilized to carry out the reliability analysis of a railway traction drive system [15], failure analysis of satellite solar arrays [16] and an air traffic management system [17]. In the current work, we formalize the notion of coherent system and the importance measure by representing the system structure function based on existing FT models. To the best of our knowledge, this is the first formal work describing the formalization of the importance measures using HOL theorem proving.
III Preliminaries
In this section, we first give a brief introduction to the HOL theorem prover, formalization of probability theory and an approach for the formal FT analysis to facilitate the understanding of the rest of the paper.
III-A HOL Theorem Prover
HOL [18] is an interactive theorem prover, developed at the University of Cambridge, UK, for conducting proofs in higher-order logic. It utilizes the simple type theory of Church [19] along with Hindley-Milner polymorphism [20] to implement higher-order logic. HOL has been successfully used as a verification framework for both software and hardware as well as a platform for the formalization of pure mathematics.
The HOL core consists of only 4 basic axioms and 8 primitive inference rules, which are implemented as ML functions. The ML’s type system ensures that only valid theorems can be constructed. Soundness is assured as every new theorem must be verified by applying these basic axioms and primitive inference rules or any other previously verified theorems/inference rules.
In this paper, we utilize the HOL theories (libraries) of Booleans, lists, sets, positive integers, real numbers, measure and probability [21]. In fact, one of the primary motivations of selecting the HOL theorem prover for our work was to benefit from these built-in mathematical theories. Table I provides the mathematical interpretations of some frequently used HOL symbols and functions, which are inherited from existing HOL theories.
III-B Probability Theory
Mathematically, a measure space is defined as a triple (), where is a set, called the sample space, represents a -algebra of subsets of , where the subsets are usually referred to as measurable sets, and is a measure with domain . A probability space is a measure space (), such that the measure, referred to as the probability and denoted by , of the sample space is 1. In the HOL formalization of probability theory [21], given a probability space , the functions space, subsets and prob return the corresponding , and , respectively. This formalization also includes the formal verification of the commonly used probability laws, which play a pivotal role in formal reasoning about dependability properties.
A random variable is a measurable function between a probability space and a measurable space. The measurable functions belong to a special class of functions, which preserve the property that the inverse image of each measurable set is also measurable. A measurable space refers to a pair (), where denotes a set and represents a nonempty collection of sub-sets of . Now, if is a set with finite elements, then the corresponding random variable is termed as a discrete otherwise it is called continuous.
The cumulative distribution function (CDF) is defined as the probability of an event where a random variable has a value less than or equal to some value , i.e., . This definition characterizes the distribution of both discrete and continuous random variables and has been formalized [22]:
p X t. CDF p X t =
distribution p X {y | y Normal t}
The function Normal takes a number as its input and converts it to its corresponding value in the - data-type, i.e, it is the data-type with the inclusion of positive and negative infinity. The function distribution takes three parameters: a probability space , a random variable and a set of - numbers and returns the probability of the given random variable acquiring all the values of the given set in probability space.
The unreliability or the probability of failure is defined as the probability that a system or component will fail by the time . It can be described in terms of CDF, known as the failure distribution function, if a random variable represents the time-to-failure of the component. This time-to-failure random variable usually exhibits the exponential or Weibull distribution.
The notion of mutual independence of random variables is a major requirement for reasoning about the failure analysis of the given systems. According to this notion, a list of events are mutual independent if and only if for each set of events, such that , we have:
[TABLE]
The mutual independence concept has been formalized in the HOL theorem prover and more details can be found in [22].
III-C Fault Trees
Fault Tree (FT) analysis is a widely used technique to determine the dependability of real-world systems, like railways signaling, automotive or avionics. It mainly provides a graphical model for analyzing the conditions and factors causing an undesired top event, i.e., a critical event, which can cause the complete system failure upon its occurrence. The preceding nodes of the FT are represented by gates, like OR, AND and XOR, which are used to link two or more cause events of a fault in a prescribed manner.
The FT gates are formally modeled by using a new recursive datatype in HOL as follows [17]:
Hol_datatype ‘gate = AND of gate list |
OR of gate list |
NOT of gate |
atomic of ’a event‘
The type constructors AND and OR recursively function on gate-typed lists and the type constructor NOT operates on gate-type variable. The type constructor atomic is basically a typecasting operator between event and gate-typed variables.
A semantic function is then defined over gate datatype that can yield the corresponding event from the given FT gate as follows:
( p. FTree p (AND []) = p_space p)
( xs x p.
FTree p (AND (x::xs)) =
FTree p x FTree p (AND xs))
( p. FTree p (OR []) = {})
( xs x p.
FTree p (OR (x::xs)) =
FTree p x FTree p (OR xs))
( p a.
FTree p (NOT a) =
p_space p DIFF FTree p a)
( p a. FTree p (atomic a) = a)
The function FTree takes a list of type gate, identified by the type constructor AND, and returns a complete probability space p_space p if a given list is empty and otherwise returns the intersection of events in a given list. Similarly, to model the behavior of the OR FT gate, the function FTree returns the union of all the events after applying the function FTree on each element of a given list or an empty set if a given list is empty. The function FTree takes the type constructor NOT and returns the complement of a failure event obtained from the function FTree. The function FTree returns the failure event using the type constructor atomic.
If the occurrence of a failure event at the output is caused by the occurrence of all the input failure events, then this kind of behavior can be modeled by using the AND FT gate. Similarly, in the OR FT gate, the occurrence of an output failure event depends upon the occurrence of any one of its input failure event. The NOT FT gate can be used in conjunction with the AND and OR FT gates to formalize other FT gates. The formalization of these gates is based on [17], given in Table II. The NAND FT gate, represented by the function NAND_FT_gate in Table II, models the behavior of the occurrence of an output failure event when at least one of the failure events at its input does not occur. This type of gate is used in FTs when the non-occurrence of a failure event in conjunction with other failure events cause the top failure event to occur. This behavior can be expressed as the intersection of complementary and normal events, where the complementary events model the non-occurring failure events and the normal events model the occurring failure events. The output failure event occurs in the 2-input XOR FT gate if only one, and not both, of its input failure events occur.
The verification of the corresponding failure probability expressions, of the above-mentioned FT gates, is presented in Table III. These expressions are verified under the following assumptions: (i) prob_space p ensures that is a valid probability space; (ii) 2 LENGTH L makes sure that the given list must have at least two elements; (iii) in_events p L ensures that all the corresponding events in the given list are drawn from the events space ; and (iv) mutual_indep p L guarantees that events in the given list are mutually independent [22].
III-D *PIE Principle *
In FT analysis, the first step is to identify all the basic failure events that can cause the occurrence of the system top failure event. These failure events are then combined to model the overall fault behavior of a given system by using the fault gates. These combinations of basic failure events, called cut sets, are then reduced to minimal cut sets (MCS) by using set-theory rules, such as idempotent, associative and commutative. Then, the Probabilistic Inclusion Exclusion (PIE) principle is used to evaluate the overall failure probability of a given system based on the MCS events. According to the PIE principle, if represents the basic failure event or a combination of failure events, then the overall failure probability of a given system can be expressed as follows:
[TABLE]
The above equation has been formally verified in HOL and details can be found in [17].
IV Importance Measures
The concept of importance measure is proposed by Birnbaum mainly for components of coherent systems. This section describes the essential properties of a coherent system that is then followed by the commonly used importance measures and their respective formalizations in HOL.
IV-A Coherent System
Let, be the structure function of a system functioning on the n-components state vector , where is the state of the component. According to Birnbaum [3], a system of binary state, where both the system and its components can either be in state of failure or success, is said to be coherent if its structure function, , satisfies the following conditions:
- (1)
with 2. (2)
with 3. (3)
if with relationship means .
The first two conditions state that a system must go in state 0 (full working) or 1 (complete failure) if all of its components are in state 0 or 1, respectively. The third condition defines the monotonicity property of a system structure function ensuring that a component in working state must not contribute in causing a system failure and vice versa. The use of the NOT gate in a FT model (structure function) results in a non-coherent structure, which also means that components not failing, i.e., working, can contribute to a system failure event and thus violating the condition (3). Therefore, the use of the NOT logic is often discouraged [23].
In order to formally verify that a given failure structure function (FT model) satisfies the Birnbaum coherent system conditions, we first formally define a structure function in HOL as follows:
**Definition 1: **
f L. f L = f L
where is a HOL Unicode character that is used as a pretty-printing of the function coherent_struct mapping an arbitrary real-valued function to a list of sets . Using the above definition, Conditions (1-2) can be verified in HOL on a given fault tree (structure function) consisting of AND and OR FT gates as:
**Theorem 1: **
p L.
prob_space p NULL L
coherent_state_vec (a. a = {}) (FLAT L)
(prob p
( (b.
FTree p ((OR of
(a. AND (gate_list a))) b)) L) = 0)
**Theorem 2: **
p L.
prob_space p NULL L
coherent_state_vec
(a. a = p_space p) (FLAT L)
(prob p
( (b.
FTree p ((OR of
(a. AND (gate_list a))) b)) L) = 1)
where, the HOL function FLAT is used to flatten the two-dimensional list, i.e., to transform a list of lists, into a single list. The assumptions in the above theorems are almost similar. The first two assumptions ensure that the variable p is a valid probability space and the given list of state vectors is not empty. In the last assumption, the function coherent_state_vec asserts that all the system components are either in fully working or in completely failure state, which are modeled using empty event ({}) and the complete probability space (p_space p), respectively. The conclusions of the above theorems model the probabilistic sense of the conditions (1-2).
Now, we formally verify the Condition 3 for the given structure function in HOL as follows:
**Theorem 3: **
p L.
prob_space p
in_events p (FLAT (XL_vec L))
in_events p (FLAT (YL_vec L))
mem_subset_vec L
prob p
( (b.
FTree p((OR of
(a. AND (gate_list a))) b)) (XL_vec L))
prob p
( (b.
FTree p ((OR of
(a. AND (gate_list a))) b)) (YL_vec L))
where the function in_events ensures that each element of a given list belongs to a valid event space p. The functions XL_vec and YL_vec returns the first and second member of the two-dimensional pair list, respectively. The relationship between these two lists, XL_vec and YL_vec, is described by the function mem_subset_vec, which ensures that each member of XL_vec list is a subset of the corresponding member of YL_vec list. The conclusion of the above theorem models Condition 3. The proof of Theorem 3 follows from the fact that if , then their corresponding probabilities satisfy the monotonicity property, i.e., .
IV-B Birnbaum Importance
For a coherent system of n-components with independent failures, the Birnbaum importance () of component is defined as a probability that the component is critical to the system failure or functioning. Mathematically, it can be expressed as follows [3]:
[TABLE]
where represents the structure function of a given coherent system, which is applied on components state vector and returns the corresponding state of a system. The notations and represent the state of a system if the component is updated with the state values 1 (failure) and 0 (working), respectively.
To formalize Equation 3 in HOL, we first formally define the notion of component state update in a given structure function as follows:
**Definition 2: **
i f L.
’ e i f L = f (LUPDATE e i L)
where the HOL function LUPDATE updates the given list L with element e at index i. The above function updates the state of the component i in a state vector L before passing it to the system structure function. Similarly, we can formally define a function to update the states of any two system components in HOL as follows:
**Definition 3: **
e e’ i j f L.
’’ e e’ i j f L =
f (LUPDATE e’ j (LUPDATE e i L))
Now, using Definition 2, we can formally model Equation 3 in HOL as follows:
**Definition 4: ** p i f L.
p i f L =
prob p (’ (p_space p) i f L) -
prob p (’ {} i f L)
As described earlier in Section I, Meng [7] developed the analytical relationship describing the relative importance of any pair of system components and obtained the necessary conditions based on Boland and Birnbaum importance measures. We formally verify this relationship in HOL as follows:
**Theorem 4: **
*Meng [7]: Suppose that i j and 0 for all x. Then, (j,x) (i,x) for all x satisfying . *
p L i j.
[A1]: prob_space p in_events p L
[A2]: NULL L i < j
[A3]: mutual_indep p
({} :: {} ::p_space p::p_space p::L)
[A4]: SUC (SUC j) < LENGTH L
[A5]: p i j
(a. FTree p (AND (gate_list a))) L 0
[A6]: prob p (EL i L) prob p (EL j L)
( p j (a. FTree p (AND (gate_list a))) L
p i (a. FTree p (AND (gate_list a))) L)
In the above statement, the symbol i j is described by Boland et al. [6] as components i and j are permutation equivalent if for all x. Using Definition 3, we formally verify this property in HOL as follows:
**Lemma 1: ** p i j L. prob_space p i < j
in_events p L SUC (SUC j) < LENGTH L
mutual_indep p ({} ::p_space p::L)
(prob p (’’ (p_space p) {} i j
(a. FTree p (AND (gate_list a))) L) =
prob p (’’ {} (p_space p) i j
(a. FTree p (AND (gate_list a))) L))
Similarly, the notation is a partial differentiation w.r.t probability of components i and j that can be represented mathematically as:
[TABLE]
The above equation is formalized using Definition 3 and it is represented by the function in the assumption (A5) of Theorem 4.
The assumptions of Theorem 4 are similar to the ones used in Theorems 1-3. The inclusion of {} and p_space p in assumption (A3) reflects the change caused by flipping the state of the and components and also makes sure that they are mutually independence. The assumption (A4) ensures that the index starts after two increments since we require at least two components in a list. Although a brief proof sketch of Theorem 4 is described by Meng [7], the sound environment of the HOL theorem prover provides additional formal guarantees in the verification of Theorem 4 accompanying all the necessary conditions. The formal proof of Theorem 4 utilizes several essential lemmas, which can be found in [24].
IV-C Other Common Types of Importance Measures
Another well-known importance measure is Fussell-Vesely [1], which describes the importance of component i as a probability that the failure of component i contributes to a system failure given that system fails. It can be expressed mathematically as follows:
[TABLE]
We can formally define the above function by using Definitions 1-2 in HOL as follows:
**Definition 5: ** f i L.
I_FV p i f L =
\dfrac{\texttt{prob p (\phi\phi^{\prime} (p\_space p) i f L)}}{\texttt{prob p (\phi f L)}}
Similarly, the criticality importance measures Reducation Worth () and Achievement Worth () describe a probability when component i is always functioning and failed, respectively. They can be expressed as follows:
[TABLE]
Using Definitions 1-2, we formally define the above functions in HOL as follows:
**Definition 6: ** f i L.
I_RW p i f L = \dfrac{\texttt{prob p (\phi f L)}}{\texttt{prob p (\phi^{\prime} (p\_space p) i f L)}}
**Definition 7: ** f i L.
I_AW p i f L = \dfrac{\texttt{prob p (\phi^{\prime} (\{\}) i f L)}}{\texttt{prob p (\phi f L)}}
The HOL formalization of the above-mentioned importance measures is also available at [24]. The proof script of the above formalizations and proofs consists of about 1400 lines of HOL code that roughly took 70 man-hours of development time. To illustrate the effectiveness of our proposed approach, we conduct the formal importance measure analysis of a railway signaling system at Moroccan level crossing in the next section.
V Signaling System at Moroccan Level Crossing
There are three main parts in the Moroccan level crossing railway signaling (LC) system [10]: (1) Rail part consisting of a material component (train and rail-road), and human component (the train operator); (2) Road part containing a material component (vehicle and road), and a human component (vehicle driver); and (3) Level crossing, which is further composed of three main components: (i) Power and communication network between the components of the railway signaling system; (ii) Control component consisting of Programmable Logic Controller and its program; (iii) Operative component representing sensors, such as road lights, the alarms and the barriers. Table IV describes the basic failure events along with the corresponding failure rates () associated with the components of Moroccan signaling system [10]. The FT diagram of the signaling system at Moroccan LC is depicted in Figure 1 [10].
V-A Formal Model and Failure Analysis
Using the FT gates, described in Section III-C, we can formally model the FT diagram of the Moroccan signaling system in HOL as follows:
**Definition 8: ** Signal_FT p x1 x2 x16 t =
FTree p (OR [OR ([ p x3 t; p x4 t])
OR ([ p x5 t; p x6 t]));
AND [OR ([ p x9 t; p x10 t]));
OR ([ p x13 t; p x14 t]));
OR ([ p x15 t; p x16 t]));
OR ([ p x11 t; p x12 t]))];
OR ([ p x7 t; p x8 t]));
OR ([ p x1 t; p x2 t]))])
where represent various failure events, such as an alarm, associated with the various component of the Moroccan signaling system. It is defined in HOL as PREIMAGE x {y y t} p_space p [17].
Now, we obtain the minimal cut sets (MCS) of the above FT model by utilizing some set properties, like distribution of intersection over union and idempotent law of intersection [9].
[TABLE]
We can also formally verify the equivalence of the obtained signaling system MCS with the orignal FT model as follows:
**Lemma 2: ** Signal_FT p x1 x2 x16 t =
(b.
FTree p((OR of
(a. AND (gate_list a))) b))
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t]
where the function L p L t returns the list of events by mapping the function p x t, described in Definition 8, on each element of the given list of random variables.
By using the above lemma and Definition 8, the failure probability of the Moroccan signaling system can be formally verified in HOL as follows:
**Theorem 6: **
p x1 x2 x16 c1 c2 c16 t.
[A1]: 0 t
[A2]: FT_conds p [x1;x2;;x16] t
[A3]: exp_dist_list p [x1;x2;;x16]
[c1;c2;;c16]
(prob p (Signal_FT p x1 x2 x16 t) =
1 - * * * *
* * * *
(1 - (1 - * *
(1 - * ) *
(1 - * ) *
(1 - * )))
where the function exp_dist_list takes a list of random variables and a list of failure rates and makes sure that each random variable is exponentially distributed and assigned with its corresponding failure rates [17], i.e., exp_dist_list [x1;x2] [c1;c2] = (!t. 0 t ==> (() ()). The function FT_conds contains two predicates mutual_indep and in_events, which ensure that all events associated to rail_signal_FT are mutually independent and belong to events space , respectively. The proof of Theorem 6 is based on formally verified expressions of the AND and OR FT gates, presented in Table III, and the PIE principle described in Section III-D.
To evaluate Theorem 6, we wrote an ML function auto_signal_morco_FT [24] that takes failure rates and time index, given in Table IV, and returns the following in HOL evironment:
Under the following assumptions
[A1]: 0 5
[A2]: FT_conds p [x1;x2;;x16] 5
[A3]: exp_dist_list p [x1;x2;;x16]
[0.00000285;0.00000005;;0.0004]
Failure probability of Moroccan Railway Signaling System
(prob p (Signal_FT p x1 x2 x16 5) =
0.0003494028541)
We can also plot these values to get a better understanding of the dependability of the Moroccan signaling system as given in Figure 2. It can be observed from the plot that initially the probability of failure is very low but as the time passes, in hours, the failure probability gradually increases and at 2,000 hours the failure becomes absolutely certain, i.e., with a probability 1.
V-B Formal Importance Measure Analysis
As described in Section IV, the importance measure analysis requires the given system structure function to be coherent in nature. Therefore, we start by formally verifying the conditions of a coherent system for the railway signaling system MCS, described in Lemma 2, in HOL as:
**Theorem 7: **
prob_space p
coherent_state_vec (λa. a = {}) (FLAT
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t])
(prob p
( (b.
FTree p((OR of
(a. AND (gate_list a))) b))
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t]) = 0)
**Theorem 8: **
prob_space p
coherent_state_vec (λa. a = p_space p) (FLAT
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t])
(prob p
( (b.
FTree p((OR of
(a. AND (gate_list a))) b))
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t]) = 1)
**Theorem 9: **
prob_space p
(!t. in_events p (FLAT
[L p [x3;x4;x5;x6] t;
L p [x9;x13;x15;x11] t;;
L p [x10;x14;x16;x12] t;
L p [x7;x8;x1;x2] t]))
t1 < t2
prob p
( (b.
FTree p((OR of
(a. AND (gate_list a))) b))
[L p [x3;x4;x5;x6] t1;
L p [x9;x13;x15;x11] t1;;
L p [x10;x14;x16;x12] t1;
L p [x7;x8;x1;x2] t1])
prob p
( (b.
FTree p ((OR of
(a. AND (gate_list a))) b))
[L p [x3;x4;x5;x6] t2;
L p [x9;x13;x15;x11] t2;;
L p [x10;x14;x16;x12] t2;
L p [x7;x8;x1;x2] t2])
It can be seen that Theorems 7-8 are formally verified based on a very straight-forward utilization of Theorems 1-2, described in Section IV-A, on a given list of railway signaling MCS. Similary, Theorem 9 is formally verified by utilizing Theorem 3 by discharging the assumption mem_subset_vec based on the fact that by increasing the time-of-failures, i.e., t1 t2, the corresponding failure probabilities also monotonically increase.
V-C Formal Birnbaum Importance Measure Analysis
After formally satisfying the conditions for coherent system on the railway signaling system failure model, we can now determine the Birnbaum importance measure of any component of the railway signaling system. For illustration purposes, we describe the formal importance measure analysis of an alarm failure () in the railway signaling system by utilizing Definition 4 and the FT model, described in Definition 8, in HOL as:
**Definition 9: ** p x1 x2 x3 x16 t =
p 0
(b. FTree p (OR [OR ([ p x3 t; p x4 t])
OR ([ p x5 t; p x6 t]);
AND [OR b ;
OR ([ p x13 t; p x14 t]);
OR ([ p x15 t; p x16 t]);
OR ([ p x11 t; p x12 t])];
OR ([ p x7 t; p x8 t]);
OR ([ p x1 t; p x2 t])])
([ p x9 t; p x10 t]))
The above model can also be used to quantitatively analyze the Birnbaum importance of alarm failure by associating the exponential distribution to each component of the railway signaling system as:
Theorem 10: p x1 x2 x16 c1 c2 c16 t.
[A1]: 0 t
[A2]: prob_space p
[A3]: mutual_indep p (L p
[x1; x2; ; x16] t)
[A4]: in_events p (L p
[x1; x2; ; x16] t)
[A5]: exp_dist_list p [x1;x2; ;x16]
[c1;c2;;c16]
( p x1 x2 x3 x16 t =
* * * *
* * * * *
(1 - * ) *
(1 - * ) *
(1 - * ))
The assumptions of the above theorem is quite similar to the ones used in Theorem 6. It can be observed from the conclusion of Theorem 9 that the importance of alarm failure component () is calculated from the failure probabilities of other components in the FT model.
Similarly, we can also determine the Fussell-Vesely importance measure for the alarm component by using Definition 5 in HOL as follows:
Theorem 11: p x1 x2 x16 c1 c2 c16 t.
[A1]: 0 t
[A2]: prob_space p
[A3]: mutual_indep p (L p
[x1; x2; ; x16] t)
[A4]: in_events p (L p
[x1; x2; ; x16] t)
[A5]: exp_dist_list p [x1;x2; ;x16]
[c1;c2;;c16]
(I_FV_9 p x1 x2 x3 x16 t =
(1 -
* * *
(1 - * )*
(1 - * )*
(1 - * )*
(1 - * ) -
(1 -
* * *
(1 - * )*
(1 - * )*
(1 - * )) /
(1 -
* * *
(1 - * ) *
(1 - * ) *
(1 - * ) *
(1 - * )))
By using the above-mentioned approach, we can formally determine the Reduction Worth (RW) and Achievement Worth (AW) importance measures, given in Equation 6. Next, we conduct the formal relative importance measure analyses of relative importance among alarm and vehicle failure, using Theorem 4, as follows:
Theorem 12:
p x1 x2 x16 c1 c2 c16 t.
[A1]: 0 t
[A2]: prob_space p
[A3]: mutual_indep p (L p
[x1; x2; ; x16] t)
[A4]: in_events p (L p
[x1; x2; ; x16] t)
[A5]: exp_dist_list p [x1;x2; ;x16]
[c1;c2;;c16]
[A6]: fail_rate_pos [c1;c2;;c16]
[A7]: c9 c1
p x1 x2 x3 x16 t
p x1 x2 x3 x16 t
where the function fail_rate_pos, in assumption (A6), ensures that the given list of failure rates must be positive. It can be implied from assumption (A7) that the Birnbaum relative importance of any two components in a system is related by their failure rates relationship. In other words, a component with higher failure rate is highly critical in a FT model (structure function) compared to a component with lower failure rate. The proof of Theorem 12 is based on Theorem 4 and some fundamental facts of probability theory. The HOL proof script of Theorems 6-12, which can be downloaded from [24], took about 1200 lines of HOL code and about 24 man-hours.
It is quite evident that our proposed HOL-based formalization approach provides the required rigor to the importance measure properties about system components compared to [10]. Also, all the necessary conditions are accompanying the formally verified properties. Most importantly, the formal relative importance measure analysis reveals that the relative importance of any pair of components is related according to their failure rates (Theorem 12). In other words, we can accurately analyze the components’ importance, due to the sound theorem proving approach, without using the traditional methods of ranking the system components for large systems. By conducting the formal importance analysis of the railway signaling system at a Moroccan LC, we believe that our proposed approach provides a sound framework to reliability design engineers to meet the quality standards of their safety-critical systems.
VI Conclusion
In this paper, we formalized the commonly used importance measures, such as Birnbaum, Fussely-vesely, Reduction worth and Achievement worth, in HOL theorem proving. We also formalized Meng’s approach of obtaining the relative importance measure among any pair of system components. For illustration purposes, we conducted the formal importance measure analysis of a signaling system at a Moroccan level crossing consisting of traffic lights, programmable logic controllers and alarms, within the HOL theorem proving environment. We plan to extend the formalization of Fussell-vesely importance measure to obtain the relative importance of system components. Just like the Birnbaum importance measure, it has great potential to highlight the critical components without running the computationally expensive simulations.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] W. Kuo and X. Zhu, Importance Measures in Reliability, Risk, and Optimization: Principles and Applications . John Wiley & Sons, 2012.
- 2[2] P. Rooney, “Microsoft’s CEO: 80-20 Rule Applies to Bugs, Not Just Features,” 2019. [Online]. Available: https://www.crn.com/news/security/18821726/microsofts-ceo-80-20-rule-applies-to-bugs-not-just-features.htm
- 3[3] Z. W. Birnbaum, “On the importance of Different Components in a Multicomponent System,” University of Washington, Seatle, Washington, USA, Tech. Rep., 1968. [Online]. Available: http://www.dtic.mil/dtic/tr/fulltext/u 2/670563.pdf
- 4[4] J. F. Espiritu, D. W. Coit, and U. Prakash, “Component Criticality Importance Measures for the Power Industry,” Electric Power Systems Research , vol. 77, no. 5-6, pp. 407–420, 2007.
- 5[5] Relia Soft, 2019. [Online]. Available: https://www.weibull.com/hotwire/issue 66/relbasics 66.htm
- 6[6] P. J. Boland, F. Proschan, and Y. L. Tong, “Optimal Arrangement of Components via Pairwise Rearrangements,” Naval Research Logistics , vol. 36, no. 6, pp. 807–815, 1989.
- 7[7] F. C. Meng, “Comparing Birnbaum Importance Measure of System Components,” Probability in the Engineering and Informational Sciences , vol. 18, no. 2, pp. 237–245, 2004.
- 8[8] J. Harrison, Handbook of Practical Logic and Automated Reasoning . Cambridge University Press, 2009.
