Proof of Compositionality of CFT Correctness
Simon Greiner, Peter Munk, Arne Nordmann

TL;DR
This paper provides a formal proof demonstrating the compositional correctness of component fault trees, ensuring that system reliability can be verified through modular analysis.
Contribution
It offers the first formal proof of the central theorem on the compositionality of fault tree correctness, advancing theoretical understanding.
Findings
Formal proof of fault tree compositionality
Validation of modular reliability analysis
Theoretical foundation for fault tree methods
Abstract
In the paper Compositionality of Component Fault Trees, we present a discussion of the compositionality of correctness of component fault trees. In this technical report, we present the formal proof of the central theorem of the aforementioned publication.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSecurity and Verification in Computing · Advanced Malware Detection Techniques · Software Engineering Research
11institutetext: Robert Bosch GmbH, Corporate Sector Research, Renningen, Germany 11email: {firstname.lastname}@bosch.com
Compositionality of Component Fault Trees – Definitions and Proofs
Simon Greiner
Peter Munk
Arne Nordmann
Abstract
In the paper Compositionality of Component Fault Trees [3], we present a discussion of the compositionality of correctness of component fault trees. In this technical report, we present the formal proof of the central theorem of the aforementioned publication.
1 Introduction
This technical report presents the formal proof for the compositionality of correctness of Component Fault Trees (CFTs). This report accompanies the paper [3], which contains additional explanations and examples for the definitions, Lemmas and theorems presented here. Please note that this technical report is not meant to be self contained, but is intended to be comprehensible only in combination with the original paper.
The structure of this report is as follows: First we provide a formal definition for components, Component Fault Trees, and correctness of CFTs. In the following section, we define composition of component fault trees and formulate our central theorem stating that correctness of CFTs is compositional. The formal proof for this theorem is rather lengthy and technical and is presented in the final section.
2 Components and Component Fault Trees
In the remainder of this work we take the formalization of components from Greiner and Grahl [1] and reuse their notation for better comparability of further results in this paper.
A component has an internal state, input ports, and output ports. A component can receive messages via input ports and send messages via its output ports. Received messages can trigger the component to change its internal state. Formally, we consider components as Input-Output Labeled Transition Systems (see [2] for a formal definition of IOLTS). A port has a name and a signature, i. e. names and types of variables that can be communicated via the port. For a message communicated via an input port with name with value , we write , for a message communicated via an output port with name with value , we write . We refer to the set of all messages communicated via an input port as inputs, and the set of all messages communicated via an output port as outputs. If it does not matter whether a message is an input or an output, we write or respectively. We write for a component communicating message and transitioning to a component . You can consider to have a changed internal state. If is irrelevant, we write , if there exists some such that .
The behavioral definition of a component limits the sequence of messages a component can communicate. We refer to a sequence of messages as a trace. We use as the concatenation operator for traces and to refer to the empty trace. The length of a trace is defined as the amount of messages in a trace. We write if a component transitions to component while communicating the trace . A component can communicate a trace while transitioning to component , if there exists a component such that and . We again write , if there exists some such that . We refer to all possible traces as . Finally, we explicitly define environments in which components can run. Environments model the entities providing inputs to a component after observing the behavior of the component.
Definition 1 (Environment).
An environment is a function , where is the powerset of all inputs.
Definition 2 (Communication under Environment).
A component can communicate a trace under an environment , written , iff and for all with , it holds that .
Definition 3 (Event).
An event is a tuple , where is port and is a type. If is an input (output) port, is an input (output) event.
Definition 4 (CFT).
A CFT is a tuple , where is a propositional logic formula, where each literal in is an input event, and each input event only appears non-negated in . is an output event.
For every propositional formula , with literals only appearing non-negated, the formula is a propositional formula with literals only appearing negated. For we can always find a disjunctive normal form with clauses , such that . then holds, iff for all clauses it holds that .
Definition 5 (Clause).
A clause is a propositional formula, where each literal only appears negated and is the only logical operator in the formula.
Definition 6 (Message Event-Equivalence).
A message is irrelevant w.r.t. an event , if . For a message that is irrelevant, we write .
Two messages and are event-equivalent w.r.t. an event , written , if
[TABLE]
Two messages and are event-equivalent w.r.t. a clause , written , if
Two messages and are event-equivalent w.r.t. a clause and an event , written , if
Definition 7 (Trace Event-Equivalence).
Two traces are event-equivalent w.r.t. an event , written , iff
[TABLE]
Event-equivalence of traces w.r.t. a clause is defined analogously.
Definition 8 (Erroneous Environment).
is an erroneous environment for w.r.t. a clause and an output event , written , iff for all it holds that
[TABLE]
Definition 9 (Environment (extd.)).
A function is an environment w.r.t. a clause and an event , iff it is an environment according to Definition 1, and is an erroneous environment to itself according to Definition 8 (i. e., ).
Definition 10 (Clause correctness w.r.t. a component).
Given the relation for the clause and the output event . and are correct w.r.t. a component , if
[TABLE]
Definition 11 (CFT correctness w.r.t. a component).
Given a component , a CFT with . is correct w.r.t. , iff and are correct w.r.t. for all .
3 Compositionality of Component Fault Tree Correctness
Definition 12 (CFT composition).
Let and be components, ports, which are input ports of and outputs ports of , events with being an event on port , i.e. an input event of and an output event of . Let further be be a CFT of and the CFTs of for the output events .
We define the CFT of the composition of and for output event as , where is formula with each occurrence of is replaced by .
Definition 13 (Deterministic components).
A component is deterministic, if
[TABLE]
In the remainder, we assume all components to be deterministic.
Theorem 3.1 (Composed CFT correctness w.r.t. composition).
Given components and , CFT of and of as in Definition 12, such that the CFTs are correct w.r.t. the respective components. Then the composed CFT is correct w.r.t. the composition of and .
4 Proof of Compositionality of CFT Correctness
In this section, we present the proof for Theorem 3.1.
The structure of the proof is as follows. First we define a notion of CFT composition in Definition 14 which is more strict than the composition as defined above. We then show two lemmas about the structure of the formula resulting from the strict CFT composition in Lemmas 1 and 2. We then show correctness of the strict composed CFT w.r.t. the component (Lemma 3) and (Lemma 5). For the correctness w.r.t. , we require an additional Lemma about counterexamples for the correctness (Lemma 4).
Finally, the proofs for the correctness of the strict composition w.r.t. the composition of and (Theorem 4.1) and finally Theorem 3.1 follow relatively directly from the Lemmas.
Definition 14 (Strict CFT composition).
Let and be components, ports, which are input ports of and outputs ports of , events with being an event on port , i.e. an input event of and an output event of . Let further be be a CFT of and the CFTs of for the output events .
We then define the CFT of the strict composition of and for the output event as , where is the formula with each occurrence of is replaced by .
Note that Definition 14 differs from Definition 12 only in a way such that we keep the events of the connected ports in the formula.
Lemma 1.
Let be the clauses of the CFT , i. e.
Then with , where is the formula from the CFT of .
Proof.
[TABLE]
∎
Lemma 2.
Let be the clauses of the CFT , i. e.
Then with
[TABLE]
where are clauses of the CFT and is a clause of the CFT of .
Proof.
We continue the re-ordering of the formula of from the proof of Lemma 1
[TABLE]
∎
Now we can show that the strict composition of the CFTs is correct w.r.t. the component .
Lemma 3.
If CFT is correct w.r.t. , then is also correct w.r.t. .
Proof.
A closer look at Lemma 1 shows that the clause differs from only by the clauses to , which only contain events of input ports of . By assumption, can not communicate messages over these ports, therefore the difference has no effect on the specification of w.r.t. messages can communicate. Therefore, the correctness of w.r.t. follows directly from the correctness of . ∎
Lemma 4.
Let be a counterexample for correctness of clause w.r.t. and does not provide irrelevant inputs w.r.t. .
Let further and be environments such that for all with for all prefixes of , i. e. it does not hold that , it holds
[TABLE]
Let further and be such that for all with for all and (i. e. there exists a prefix of equivalent to ), it holds
[TABLE]
Then is a counterexample for correctness of clause w.r.t. .
Note that only offers input messages used in the counterexample and only offers messages required to be equivalent to . Further, of course, does not provide irrelevant input messages.
Proof.
By definition, only contains one message per trace and port, and does not provide invisible input.
By construction, and are environments w.r.t. (Definition 9).
It holds that , , and for all traces it holds .
Therefore, if is a counterexample for the correctness of w.r.t. , then is a counterexample. ∎
Showing correctness of w.r.t. is more complex.
Lemma 5.
If all CFTs are correct w.r.t. , then is correct w.r.t. .
Proof.
All CFTs of are correct w.r.t. . We assume towards contradiction that CFT is not correct w.r.t. .
Thus, there exist a clause defined by the CFT , such that is not correct w.r.t according to Definition 11.
According to Definition 10, there has to exists a correct environment and an erroneous environment with , and a trace with such that for all with , it does not hold that .
Note that and can only contain messages, which are communicated via ports which are input or output ports of , since according to Definition 10, can communicate the traces.
From the counterexample , and , we construct a simpler counterexample. We construct an environment by removing all invisible events: for all . According to Lemma 7 in [1], is a counterexample for correctness of w.r.t. .
According to Lemma 4, there exists a simpler counterexample , , .
We now show that can not be a counterexample for correctness.
Let be the longest prefix of , such that there exists a under and with . Then is a prefix of . Further, has to be relevant w.r.t. , because otherwise would be longer than and .
Also, can not be an input to . Otherwise, we would know that . Since there exists with . By construction of (Definition 6) and are communicated over the same port (Definition 13), and since is input-indiscriminate and (also Definition 13). This means, again, would not be the longest suffix with the property mentioned above.
Since all CFTs of are correct w.r.t. , also all clauses , defined by its CFTs, are correct w.r.t. . Let and be arbitrary clauses for CFTs with output events and contained in the clause . Due to correctness w.r.t. , we know that there exist traces and such that and with and .
We inductively show that and are in fact the same traces, i.e. .
Induction Hypothesis: For prefixes of with length , and all prefixes of with length it holds that .
Induction Start: For length and are empty traces and the Hypothesis holds trivially.
Induction Step: Let and .
Case 1: is input. Since does not provide irrelevant inputs, has to be relevant w.r.t. , and analogous for . Further, since and , there exists an with being a prefix of with and . Therefore, are communicated on the same port. By construction, only provides one relevant input per port, therefore , and thus with the induction hypothesis .
Case 2: is output. Since is output deterministic and by induction hypothesis, , and again .
Since and by the structure of (Lemma 2), by the definition of , , and according to Definition 6, and since , and , it follows iteratively over all respective clauses in that . Therefore, there exists a which contradicts the assumption that is a counterexample for the safety of , thus also is no counterexample. Finally, this shows that is correct w.r.t. . ∎
Now, we have constructed a CFT , which is correct w.r.t. and . We can show that is a also correct w.r.t. the composition o and .
Theorem 4.1.
Let and be components, ports, which are input ports of and outputs ports of , events with being an event on port , i.e. an input event of and an output event of . Let further be be a CFT of and the CFTs of for the output events .
Then the strict CFT composition (Definition 14) is correct w.r.t. to the composition of and .
Proof.
From Lemmas 3 and 5 it follows that is correct w.r.t. and w.r.t. . From Theorem 1 in [1], it then directly follows that is correct w.r.t. the composition of and . ∎
It is left to show that correctness of the strictly composed CFT for the composition, implies that the composed CFT according to Definition 12 is correct w.r.t. the composition of and . We prove Theorem 3.1.
Proof for Theorem 3.1.
When we compare the definition of strict CFT composition (Definition 14) and CFT composition (Definition 12), we see that the strict composition keeps the events, on which the components are composed in the formula, while they disappear in the definition of non-strict composition.
Note that the normal composition therefore considers messages over the respective ports irrelevant.
We consider messages over these ports as outputs, therefore is the equivalence relation over messages implied by strict composition more strict that the equivalence relation over messages implied by composition. Therefore every counterexample for is also a counterexample for
Therefore it directly follows that is correct w.r.t. the composition of and . ∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Greiner, S., Grahl, D.: Non-interference with what-declassification in component-based systems. In: Proc. of the Computer Security Foundations Symposium (CSF). pp. 253–267 (2016).
- 2[2] Rafnsson, W., Hedin, D., Sabelfeld, A.: Securing interactive programs. In: Proc. of the Computer Security Foundations Symposium. pp. 293–307. (2012)
- 3[3] Greiner, S., Munk, P., Nordmann, A.: Compositionality of Component Fault Trees. In: Proc. of the 6th International Symposium on Model Based Safety and Assessment (IMBSA). (2019) [in press].
