Towards Refinement and Generalization of Reliability Models Based on Component States

Complex system design often proceeds in an iterative fashion, starting from a high-level model and adding detail as the design matures. This process can be assisted by metamodeling techniques that automate some model manipulations and check for or el…

Authors: Natasha Jarus, Sahra Sedigh Sarvestani, Ali R. Hurson

Department of Electrical and Computer Engineering, Missouri University of Science and Technology, Rolla, MO 65409, USA
Email: {jarus, sedighs, hurson}@mst.edu

Abstract: Complex system design often proceeds in an iterative fashion, starting from a high-level model and adding detail as the design matures. This process can be assisted by metamodeling techniques that automate some model manipulations and check for or eliminate modeling mistakes. Our work focuses on metamodeling reliability models: we describe generalization and refinement operations for these models. Generalization relaxes constraints that may be infeasible or costly to evaluate; refinement adds further detail to produce a model that more closely describes the desired system. We define these operations in terms of operations on system constraints. To illustrate the proposed method, we relate these constraints to a common Markov chain-based reliability modeling formalism.

I. INTRODUCTION

Designers of critical complex systems—such as autonomous vehicles, power grids, or water distribution networks—must ensure their systems can dependably meet performance requirements. Dependability encompasses a variety of system metrics that describe the ability of a system to continue to provide service as its components degrade. Among the most common of these metrics is reliability: the probability that a system remains functional up to time $t$. Reliability takes a binary view of system function: components, and the system, are either functional or failed. Reliability models based on component states compute a system's reliability as a function of the reliabilities of its components. This function is determined by the structure of the system—how its components are connected. For example, a power grid consisting of two transmission lines in parallel is more reliable than the system with the same lines connected in series.

Complex systems are often designed iteratively. Requirements are gathered and an initial design is prepared, modeled, and analyzed. Based on the results, the design is modified to better fit the requirements (or the requirements are modified so the design can better fit them) and the process repeats. Initial designs and models may be quite general, but they become more detailed as the design progresses. As the design process can have many iterations, metamodeling approaches, which model operations applied to models, are often used to reduce the labor involved, eliminate certain modeling mistakes, and even to help explore the design space.

When modifying a model, we typically want to either add more detail—a new component, a stronger constraint on how that component behaves—or we want to remove a constraint that is unrealistic or would render the design infeasible. The first action we call refinement and the second generalization. Refinement can be used to fill out detail in a high-level model that meets design requirements; generalization can be used to "back out" of a design choice that isn't working. Both can be used together to explore the design space—refinement asks "what is the smallest detail that could be added to this model?"; generalization asks "what happens if this detail is removed?" It is our goal to make these actions explicit and exact, enabling further analysis and software automation.

In this work, we propose a method for generalization and refinement of Markov Imbeddable Structure (MIS) reliability models where system-level states are identified based on component-level states.
The initial state is one where every component is functional; the terminal state is one where enough components have failed to cause system failure; and intermediate states correspond to the system remaining functional despite the failure of some of its components. These models describe a system composed of $n$ components as a Markov chain, encoding each component's reliability and the effect of its failure on other components. The reliability of the system is then the probability that the system remains functional after taking $n$ steps through the Markov chain.

Our work focuses on MIS models where the states of the Markov chain are defined by component status (e.g., "component 3 failed" or "only component 2 functional") and where the component status described by a state remains the same regardless of which component's failure is being considered. This encompasses the vast majority of MIS models, especially as used in practice; however, it does not encompass certain unusual MIS models, such as models of consecutive-$k$-of-$n$ systems.¹ These we will address in future work.

When formalizing generalization and refinement, we should consider system properties that are preserved by these operations. Roughly speaking, if the model $m_r$ is a refinement of a model $m_g$, the constraints imposed on the system by $m_r$ should imply the constraints imposed by $m_g$. For example, if $m_r$ requires a component $c$ to have reliability $\geq 0.9$, $m_g$ can require that $c$ have reliability $\geq 0.7$—this constraint is strictly weaker than the constraint of $m_r$. However, $m_g$ could not require $c$ to have reliability $\geq 0.99$. In other words, a system meeting the requirements of $m_r$ would provide equal or better reliability than a system meeting $m_g$'s requirements alone. If $m_r$ refines $m_g$, then $m_g$ generalizes $m_r$, so we can use the same implication relationship to describe both refinement and generalization. We formally abstract system properties and implication to analyze the soundness of our definitions of generalization and refinement.

¹ In short, the transition probability matrices for consecutive-$k$-of-$n$ systems are not upper triangular; for more detail, see [1, pp. 344–345].

Another advantage of describing refinement and generalization in this fashion is that it can be used for model-to-model transformations, as shown in our previous work [2]. Provided another formalism represents some of the same system properties, we can relate these MIS models to this formalism in a way that lets us soundly convert between the two. Thus, the effort required to develop this formalism enables more than the single application this work discusses.

The rest of this paper is as follows. Section II provides a summary of the theory behind our approach. System constraints, generalization, and refinement are defined in Section III. These operations are connected to MIS models in Section IV. Finally, related work is surveyed in Section V and Section VI presents our conclusions.

II. BACKGROUND

The central theory that underlies the work in this paper has been articulated in our previous work [2]. Here we recap the results in terms of the goals of this paper. Our goal is to relate two domains—a domain of MIS models and a domain of system properties—so that if a certain set of properties describes a given system, the model generated from those properties also describes the system. Likewise, if a model describes a system, the properties generated from that model also describe the system. We use this relationship to define generalization and refinement on MIS models based on generalization and refinement of properties.
For our approach, the domains must both be complete lattices $L$, $(L, \sqsubseteq, \bigsqcup, \bigsqcap, \bot, \top)$. Recall that $\sqsubseteq$ is a partial order relation; for any subset $L' \subseteq L$, $\bigsqcup L'$ is the least upper bound (join) and $\bigsqcap L'$ the greatest lower bound (meet) of $L'$; and $\bot$ and $\top$ are the least and greatest elements of the lattice. For $L' = \{l_1, l_2\}$, we write $\bigsqcap L'$ as $l_1 \sqcap l_2$ and $\bigsqcup L'$ as $l_1 \sqcup l_2$.

Suppose we have a complete system properties lattice $\mathit{Prop}$, $(\mathit{Prop}, \Rightarrow, \bigvee, \bigwedge, \bot_P, \top_P)$ (see Sec. III) and a complete MIS model lattice $\mathit{MIS}$, $(\mathit{MIS}, \sqsubseteq, \bigsqcup, \bigsqcap, \bot_M, \top_M)$ (see Sec. IV). We order both domains by specificity. Intuitively, properties $p_1$ are more specific than properties $p_2$ (i.e., $p_1 \sqsubseteq p_2$) if $p_1$ provides additional information about the system that $p_2$ does not. Likewise with models: if $m_1 \sqsubseteq m_2$, $m_1$ may offer more detail about the system; for example, $m_1$ may divide a component in $m_2$ into several components with a more complex interrelationship. The meet of two properties $p_1 \sqcap p_2$ is their logical conjunction; the join $p_1 \sqcup p_2$ is their disjunction. We will discuss both of these domains in more detail later in the paper.

We use a Galois connection to soundly relate elements of these two domains. A Galois connection between complete lattices is a pair of functions $\alpha$ and $\gamma$ with properties similar to, but less strict than, those of an order isomorphism. Informally, Galois connections allow one of the lattices to have "more detail" than the other; they are often used in cases where one lattice is an abstraction of the other.

Definition II.1. A Galois connection $(P, \alpha, \gamma, M)$ between complete lattices $P$ and $M$ is a pair of functions $\alpha : P \to M$ and $\gamma : M \to P$ such that (i) $\forall p \in P,\ p \sqsubseteq (\gamma \circ \alpha)(p)$ and (ii) $\forall m \in M,\ (\alpha \circ \gamma)(m) \sqsubseteq m$. $\alpha$ is called the abstraction function (or abstraction operator); $\gamma$ is called the concretization function (operator).

Given a Galois connection $(\mathit{Prop}, \alpha, \gamma, \mathit{MIS})$, what do properties II.1.(i) and II.1.(ii) mean in terms of system properties and MIS models? Property II.1.(i) states that for every collection of properties $p$, $p \Rightarrow (\gamma \circ \alpha)(p)$: if we abstract a model from $p$, then concretize properties from that model, the result is at worst more general than the properties with which we began. Likewise, property II.1.(ii) states that for every MIS model $m$, $(\alpha \circ \gamma)(m) \sqsubseteq m$. Thus, concretizing properties from an MIS model, then abstracting a model from those properties, produces at worst a model more specific than the initial model. (It is often the case that the $\sqsubseteq$ in II.1.(ii) is equality.)

What remains is to relate our domains and the Galois connection between them to a notion of soundness. Soundness is a relative property; whether a model or a collection of properties is sound or not depends on the system being modeled. Let $S \in \mathit{Sys}$ denote the system we are modeling. We encode soundness by a relation:

Definition II.2. A relation $R_L : \mathit{Sys} \to L$ between systems and elements of a lattice $L$ is a soundness relation if (i) if $S\, R_L\, l_1$ and $l_1 \sqsubseteq l_2$, then $S\, R_L\, l_2$, and (ii) if $L' \subseteq L$ and $\forall l \in L',\ S\, R_L\, l$, then $S\, R_L\, \bigsqcap L'$.

We suppose that we have a soundness relation $R_P : \mathit{Sys} \to \mathit{Prop}$ such that $S\, R_P\, p$ if and only if the properties in $p$ describe $S$. Every generalization of a correct collection of properties is sound by property II.2.(i). Not every refinement of a collection of properties is necessarily sound—otherwise, every property would be sound for every system. However, if we know several sound properties, property II.2.(ii) states that they can be refined to a single sound property that implies all known sound properties. Given the soundness relation $R_P$, we can induce a soundness relation $R_M : \mathit{Sys} \to \mathit{MIS}$ by $S\, R_M\, m \iff S\, R_P\, \gamma(m)$.
Therefore, if properties $p_r$ soundly refine $p_g$, then $\alpha(p_r)$ soundly refines $\alpha(p_g)$. In short, we need only consider the soundness of refinements in $\mathit{Prop}$; the soundness of our MIS models follows.

III. PROPERTIES

Before we describe refinement and generalization of MIS models, we formalize the constraints they place on system design. The MIS models we consider in this work place three broad constraints on a system: what components are in the system, how reliable each component is, and which components depend on others to remain functional. The properties domain $\mathit{Prop}$ defines these as a lattice, allowing us to relate these properties to MIS models.

As we will need some way to identify components, let $\mathit{Comps} \triangleq \{c_1, c_2, \ldots\}$ be the set of all possible component names. Each element $p \in \mathit{Prop}$ is a triplet $p = (C, R, D)$ where
• $C \subseteq \mathit{Comps}$ is the finite set of names of components in the system (e.g., $\{c_1, c_2, c_3\}$);
• $R : C \to [0, 1]$ is a function that specifies a lower bound for the reliability of each component: if the reliability of $c$ is $p$, then $R(c) \leq p$; and
• $D \subseteq \mathit{Deps}$ is the finite set of component dependencies, as described in the next section.

For example, a system consisting of two 90% reliable power lines in parallel, where the failure of one causes the other to become overloaded and thus fail as well, would be described by the properties $(C = \{c_1, c_2\},\ R(c_1) = R(c_2) = 0.9,\ D = \{\langle c_1 \mapsto c_2, S\rangle, \langle c_2 \mapsto c_1, S\rangle\})$.

A. Dependencies

Component dependencies (elements of $\mathit{Deps}$) are represented by the relation $\langle \_ \mapsto \_ \rangle : \mathcal{P}(C) \to \mathcal{P}(C \cup \{S\})$.² The statement $\langle \cdots_1 \mapsto \cdots_2 \rangle$ means "the failure of the components in the set $\cdots_1$ immediately leads to the failure of the components in $\cdots_2$". Should $S$ appear in $\cdots_2$, the system also fails as a result of the components of $\cdots_1$ failing. The components on the left side ($\cdots_1$) are referred to as causes and the components on the right ($\cdots_2$) as effects.

² $\mathcal{P}(S)$ denotes the set of subsets ("powerset") of the set $S$.

These dependencies correspond to state transitions. Suppose we have a system with components $C = \{c_1, c_2, c_3\}$. We can represent the state of the components as three-bit strings: $111$ corresponds to the system state where all components are functional, $101$ corresponds to the state where $c_2$ has failed, etc. A dependency $\langle c_1 \mapsto \emptyset\rangle$ corresponds to a transition from $111$ to $011$ when $c_1$ fails—the failure of $c_1$ does not influence the functionality of other components in the system. Likewise, a dependency $\langle c_1, c_2 \mapsto c_3, S\rangle$ corresponds to transitions from $101$ to $000$ when $c_1$ fails and from $011$ to $000$ when $c_2$ fails; furthermore, in state $000$ the system is considered failed. Sec. IV formalizes this correspondence.

As there are a number of ways to write dependencies, we place some constraints on them to ensure the constraints on the system are consistent with how components fail and fully cover all cases of system behavior. These constraints are split into equivalences and well-formedness (WF) properties.

1) Equivalences: The first equivalence rule states that if a component appears on both sides of a dependency, we can remove it from the right side. The failure of any component trivially causes that component to fail; this rule states that we need not write this fact explicitly:³
$$\langle c\,\cdots_1 \mapsto c\,\cdots_2\rangle \equiv \langle c\,\cdots_1 \mapsto \cdots_2\rangle. \quad \text{(Tautology)}$$

³ A note on notation: $c\,\cdots_1$ refers to a set containing the component $c$ and the components of the set $\cdots_1$.

The remaining two equivalences are between sets of dependencies, rather than between two individual dependencies. If we have two dependencies with the same cause but different effects, we can produce one dependency that represents both by taking the union of their effects:
$$\{\langle \cdots_1 \mapsto \cdots_2\rangle, \langle \cdots_1 \mapsto \cdots_3\rangle\} \equiv \{\langle \cdots_1 \mapsto \cdots_2\,\cdots_3\rangle\}. \quad \text{(Union)}$$
Finally, a dependency with no causes cannot occur:
$$\{\langle \emptyset \mapsto \cdots\rangle\} \equiv \emptyset. \quad \text{(Inaction)}$$

2) Well-formedness Properties: The WF properties describe a system-level view of dependencies: what dependencies need to be present in $D$ to make a consistent set of system constraints. First, every component must have a dependency where it is the sole cause of failure (although the effect may be the empty set). These correspond to transitions from the initial $1\cdots1$ state:
$$\forall c \in C,\ \exists \langle c \mapsto \cdots\rangle \in D. \quad \text{(Initiality)}$$
In addition, at least one sequence of failures must lead to the system failing (otherwise, the system's reliability would be 1 and there would be nothing to model):
$$\exists \langle \cdots_1 \mapsto S\,\cdots_2\rangle \in D. \quad \text{(Termination)}$$
Finally, components cannot recover as a result of the failure of other components. Thus, if components $\cdots_1$ cause components $\cdots_2$ to fail, any other dependency where $\cdots_1$ have failed must also have $\cdots_2$ failed:
$$\forall \langle \cdots_1 \mapsto \cdots_2\rangle \in D,\ \forall \langle \cdots_1\,\cdots_3 \mapsto \cdots_4\rangle \in D,\ \cdots_2 \subseteq \cdots_3 \cup \cdots_4. \quad \text{(Monotonicity)}$$
For instance, if we have $\langle c_1 \mapsto c_2\rangle$, Monotonicity would permit the dependencies $\langle c_1, c_3 \mapsto c_2\rangle$ and $\langle c_1, c_2 \mapsto c_3\rangle$ but forbid $\langle c_1, c_3 \mapsto \emptyset\rangle$, as $c_2$ must always fail when $c_1$ fails.

3) Examples: Before addressing generalization and refinement of properties, we demonstrate a few examples of how dependencies are used to specify system behavior. First, consider the dependencies in the earlier parallel-component example: $D = \{\langle c_1 \mapsto c_2, S\rangle, \langle c_2 \mapsto c_1, S\rangle\}$. In this system, the failure of component $c_1$ leads to the failure of $c_2$ and system failure, and vice versa for $c_2$.
This system has two states, $11$ and $00$; the failure of either component causes a transition from the first to the second. By contrast, a parallel-component system where the two components are independent would be specified by $D = \{\langle c_1 \mapsto \emptyset\rangle, \langle c_2 \mapsto \emptyset\rangle, \langle c_1, c_2 \mapsto S\rangle\}$. This system has all four possible states and all valid transitions between states.

A system with two components in series produces a more interesting "failed" state. These components are independent, as one failing does not cause the other to fail, but both need to be functional for the system to function: $D = \{\langle c_1 \mapsto S\rangle, \langle c_2 \mapsto S\rangle\}$. This system also has two states: the initial state $11$ and the failed superstate $\{01, 10\}$.⁴ Once the system has failed, we are no longer interested in its behavior; thus, for this system, we consider $00$ unreachable.

⁴ MIS modeling requires a single "failed" system (super)state; we leave unification of functional states into superstates for future work.

B. Generalization

Now that we have described the elements of $\mathit{Prop}$, we can describe how to generalize them. The goal of generalizing an element of $\mathit{Prop}$ is to produce an element of $\mathit{Prop}$ that relaxes the constraints of the first element but does not contradict it. Understanding how constraints can be generalized allows us to order $\mathit{Prop}$ by generalization.

1) One-step generalizations of dependencies: For a given reliability model, one way to generalize dependencies is to lower the constraint on a component's reliability: a more reliable component can always be substituted for a less reliable one. We can relax the reliability of a component, $c$, to a lower constraint $r < R(c)$ by
$$\mathit{relax\_rel}\,(C, R, D)\,[\_, \_] : C \to [0, 1] \to \mathit{Prop}$$
$$\mathit{relax\_rel}\,(C, R, D)\,[c, r] \triangleq (C, R', D) \quad (1)$$
where
$$R'(c') \triangleq \begin{cases} r & \text{if } c = c' \\ R(c') & \text{otherwise.} \end{cases} \quad (1.1)$$

The other means of generalizing system constraints is to generalize component dependencies. We begin by considering the smallest actions we can take that generalize system dependencies while maintaining the WF properties. There are two possible operations: merging two components and adding a new dependency $\langle \cdots \mapsto c\rangle$ among existing components. Both of these operations take one element of $\mathit{Prop}$ and infer another.

Two distinct components $c_1$ and $c_2$ can be merged into a single component $c_m$ (where the name $c_m$ does not already appear in $C \setminus \{c_1, c_2\}$) by replacing every instance of $c_1$ and $c_2$ with $c_m$:
$$\mathit{merge}\,(C, R, D)\,[\_, \_ \to \_] : C \to C \to \mathit{Comps} \to \mathit{Prop}$$
$$\mathit{merge}\,(C, R, D)\,[c_1, c_2 \to c_m] \triangleq (C', R', D') \quad (2)$$
where
$$C' \triangleq \{c_m\} \cup C \setminus \{c_1, c_2\} \quad (2.1)$$
$$R'(c) \triangleq \begin{cases} \min(R(c_1), R(c_2)) & \text{if } c = c_m, \\ R(c) & \text{otherwise.} \end{cases} \quad (2.2)$$
$$D' \triangleq \{\langle m(c) \mapsto m(e)\rangle \mid \langle c \mapsto e\rangle \in D\} \quad (2.3)$$
$$m(c) \triangleq \begin{cases} \{c_m\} \cup c \setminus \{c_1, c_2\} & \text{if } c_1 \in c \lor c_2 \in c, \\ c & \text{otherwise.} \end{cases} \quad (2.4)$$

When defining a generalization, we should ensure that it only relaxes constraints. Thus, when choosing the reliability bound $R'(c_m)$ of the merged component, we must pick the least restrictive choice $\min(R(c_1), R(c_2))$. Effectively, this choice performs two generalizations: first, we relax the tighter of the reliability bounds of $c_1$ and $c_2$ by setting $R(c_1) = R(c_2)$; then we merge $c_1$ and $c_2$ into one component.

The other possible generalization is adding a dependency among existing components. This may seem counterintuitive; however, it is a stronger claim to say that a component is independent of another—the fewer dependencies a system has, the more reliable it is. Adding a dependency from a nonempty set of components $c$ to a component $e \notin c$ means that whenever the components in $c$ cause a failure, $e$ is amongst the effects. As all the components in $c$ and $e$ are in $C$ already, we need only modify the dependencies:
$$\mathit{add\_dep}\,(C, R, D)\,[\_ \mapsto \_] : \mathcal{P}(C) \to C \to \mathit{Prop}$$
$$\mathit{add\_dep}\,(C, R, D)\,[c \mapsto e] \triangleq (C, R, D') \quad (3)$$
where
$$D' \triangleq \{a(\langle c' \mapsto e'\rangle) \mid \langle c' \mapsto e'\rangle \in D\} \cup \{\langle c \mapsto u \cup \{e\}\rangle\} \quad (3.1)$$
$$a(\langle c' \mapsto e'\rangle) \triangleq \begin{cases} \langle c' \setminus \{e\} \mapsto e' \cup \{e\}\rangle & \text{if } c \subseteq c', \\ \langle c' \mapsto e'\rangle & \text{otherwise.} \end{cases} \quad (3.2)$$
$$u \triangleq \bigcup \{e' \mid \langle c' \mapsto e'\rangle \in D \text{ where } c' \subseteq c\} \quad (3.3)$$

For an example of the effect of generalization operations on a system, consider a system with three independent components:
$$p = (C = \{c_1, c_2, c_3\},\ R(\_) = 0.9,\ D = \{\langle c_1 \mapsto \emptyset\rangle, \langle c_2 \mapsto \emptyset\rangle, \langle c_3 \mapsto \emptyset\rangle, \langle c_1, c_2, c_3 \mapsto S\rangle\})$$
Introducing a dependency $\langle c_1, c_2 \mapsto c_3\rangle$ results in the following system:
$$p' = \mathit{add\_dep}\,p\,[c_1, c_2 \mapsto c_3] = (C' = \{c_1, c_2, c_3\},\ R'(\_) = 0.9,\ D' = \{\langle c_1 \mapsto \emptyset\rangle, \langle c_2 \mapsto \emptyset\rangle, \langle c_3 \mapsto \emptyset\rangle, \langle c_1, c_2 \mapsto c_3\rangle^{\dagger}, \langle c_1, c_2 \mapsto c_3, S\rangle^{\ddagger}\})$$
where $\{\langle c_1, c_2 \mapsto c_3\rangle^{\dagger}, \langle c_1, c_2 \mapsto c_3, S\rangle^{\ddagger}\} \equiv \{\langle c_1, c_2 \mapsto c_3, S\rangle\}$. Of note: the dependency marked † is the new dependency added by $\mathit{add\_dep}$ and the dependency marked ‡ is the result of the first substitution rule in (3.2). Both reduce to one dependency via the Union property.

2) Multi-step generalization of dependencies: The example of the previous section illustrates the process by which successive generalization steps are applied to system properties. To describe this more formally, let $G$ be the set of all generalization operations and $G^*$ be the set of finite sequences of elements of $G$. We define the act of applying a sequence of generalizations to an element of properties, $[\![\, \_ \,]\!](\_) : G^* \to \mathit{Prop} \to \mathit{Prop}$, by
$$[\![\, g \,]\!](p) \triangleq \begin{cases} p & \text{if } g = () \\ [\![\, gs \,]\!](g'\,p) & \text{if } g = (g', gs). \end{cases} \quad (4)$$
With the ability to apply a sequence of generalizations, we now turn to the task of ordering elements of $\mathit{Prop}$.
3) Generalization as a partial order: To form a partial order on $\mathit{Prop}$ using these generalization operations, we say that if $p_g$ generalizes $p_r$, there exists some sequence of generalizations that witnesses that fact:

Definition III.1. $p_g \in \mathit{Prop}$ generalizes $p_r \in \mathit{Prop}$, written $p_r \sqsubseteq p_g$, if $\exists g \in G^*,\ [\![\, g \,]\!](p_r) = p_g$.

Theorem III.1. $\sqsubseteq$ forms a partial order on $\mathit{Prop}$.

C. Refinement

In addition to generalization of constraints, we are interested in refining them: adding new constraints or increasing the strictness of existing ones. Refinements are dual to generalizations, so for each generalization we expect a corresponding refinement.

1) One-step Refinements: Corresponding to $\mathit{relax\_rel}$ we have $\mathit{tighten\_rel}$, which raises the bound on the reliability of component $c$ to a higher constraint $r > R(c)$:
$$\mathit{tighten\_rel}\,(C, R, D)\,[\_, \_] : C \to [0, 1] \to \mathit{Prop}$$
$$\mathit{tighten\_rel}\,(C, R, D)\,[c, r] \triangleq (C, R', D) \quad (5)$$
where
$$R'(c') \triangleq \begin{cases} r & \text{if } c = c' \\ R(c') & \text{otherwise.} \end{cases} \quad (5.1)$$

To undo a $\mathit{merge}$, we split one component, $c_m$, into two, $c_1$ and $c_2$ (where $c_1, c_2 \notin C \setminus \{c_m\}$). When splitting a component in two, we make each half fully dependent on the other, as that is the most general set of constraints we can generate. In other words, the result of $\mathit{split}\,p\,[c_m \to c_1, c_2]$ is the maximal element of the set $\{q \in \mathit{Prop} \mid p = \mathit{merge}\,q\,[c_1, c_2 \to c_m]\}$.
$$\mathit{split}\,(C, R, D)\,[\_ \to \_, \_] : C \to \mathit{Comps} \to \mathit{Comps} \to \mathit{Prop}$$
$$\mathit{split}\,(C, R, D)\,[c_m \to c_1, c_2] \triangleq (C', R', D') \quad (6)$$
where
$$C' \triangleq \{c_1, c_2\} \cup C \setminus \{c_m\} \quad (6.1)$$
$$R'(c) \triangleq \begin{cases} R(c_m) & \text{if } c = c_1 \lor c = c_2, \\ R(c) & \text{otherwise.} \end{cases} \quad (6.2)$$
$$D' \triangleq \bigcup \{s(\langle c \mapsto e\rangle) \mid \langle c \mapsto e\rangle \in D\} \quad (6.3)$$
$$s(\langle c \mapsto e\rangle) \triangleq \begin{cases} \{\langle \{c_1, c_2\} \cup c' \mapsto e\rangle,\ \langle \{c_1\} \cup c' \mapsto e \cup \{c_2\}\rangle,\ \langle \{c_2\} \cup c' \mapsto e \cup \{c_1\}\rangle\} & \text{if } c_m \in c \\ \{\langle c \mapsto e' \cup \{c_1, c_2\}\rangle,\ \langle c \mapsto e' \cup \{c_1\}\rangle,\ \langle c \mapsto e' \cup \{c_2\}\rangle\} & \text{if } c_m \in e \\ \{\langle c \mapsto e\rangle\} & \text{otherwise.} \end{cases} \quad (6.4)$$
$$c' \triangleq c \setminus \{c_m\} \quad (6.5)$$
$$e' \triangleq e \setminus \{c_m\} \quad (6.6)$$

Finally, $\mathit{remove\_dep}$ corresponds to undoing an $\mathit{add\_dep}$ operation. Adding a dependency $\langle \cdots_1 \mapsto e\rangle$ states that $e$ depends on all of $\cdots_1$, and therefore every dependency containing $\cdots_1$ is rewritten to preserve Monotonicity. Removing a dependency $\langle \cdots_1 \mapsto e\rangle$ states that $e$ is independent of all components in $\cdots_1$, so every dependency whose causes are contained in $\cdots_1$ is rewritten.
$$\mathit{remove\_dep}\,(C, R, D)\,[\_ \mapsto \_] : \mathcal{P}(C) \to C \to \mathit{Prop}$$
$$\mathit{remove\_dep}\,(C, R, D)\,[c \mapsto e] \triangleq (C, R, D') \quad (7)$$
where
$$D' \triangleq \{r(\langle c' \mapsto e'\rangle) \mid \langle c' \mapsto e'\rangle \in D\} \quad (7.1)$$
$$r(\langle c' \mapsto e'\rangle) \triangleq \begin{cases} \langle c' \mapsto e' \setminus \{e\}\rangle & \text{if } c' \subseteq c, \\ \langle c' \mapsto e'\rangle & \text{otherwise.} \end{cases} \quad (7.2)$$

2) Multi-step Refinements: As with generalizations, let $R$ be the set of all refinement operations and $R^*$ be the set of all sequences of refinements. We abuse notation slightly to define application of a sequence of refinements using the same notation: for $rs \in R^*$, $[\![\, rs \,]\!](p)$ is the result of applying that sequence of refinements to some system properties $p$.

3) Refinement as the dual of generalization: Each generalization operation and its corresponding refinement are not necessarily inverses, as most generalization operations map several elements of $\mathit{Prop}$ to the same more general system (i.e., they are not injective). Thus, we do not have that $\forall g \in G$, if $q = [\![\, g \,]\!](p)$ then $\exists r \in R,\ p = [\![\, r \,]\!](q)$. However, we can show the opposite: if $q = [\![\, r \,]\!](p)$, then $p$ covers $q$: there is no $r$ such that $q \sqsubset r \sqsubset p$. Furthermore, the refinement operations form a dual order to the order defined by generalization:

Theorem III.2. $\forall p_r, p_g \in \mathit{Prop},\ p_r \sqsubseteq p_g$ if and only if $\exists rs \in R^*,\ p_r = [\![\, rs \,]\!](p_g)$.

As such, $p_r$ refines $p_g$ if $p_g \sqsupseteq p_r$, or, equivalently, $p_r \sqsubseteq p_g$.

D. The Properties Lattice

To be able to use a Galois connection to relate our notions of generalization and refinement to MIS models, we must define $\mathit{Prop}$ as a lattice. As such, we need to define top and bottom elements of $\mathit{Prop}$, least upper bounds (or joins), and greatest lower bounds (meets).⁵ The top element of $\mathit{Prop}$ is the one-element system with unconstrained component reliability:
$$\top \triangleq (\{c\},\ R(c) = 0,\ \{\langle c \mapsto S\rangle\}). \quad (8)$$
Any other one-element system constrains component reliability and thus can be generalized to $\top$ by $\mathit{relax\_rel}$. Removing the one dependency results in a system that does not meet the WF properties, and no further dependencies can be added without adding another component. Finally, given $p \in \mathit{Prop}$, we can show $p \sqsubseteq \top$ by repeatedly merging components in $p$ until the result has one component, then relaxing that component's reliability bound, if necessary.

The bottom element of $\mathit{Prop}$ is a special element which corresponds to an "overdetermined" system—one where the constraints are contradictory. We do not concern ourselves with its representation, but simply define it as the element $\bot \in \mathit{Prop}$ such that $\forall p,\ \bot \sqsubseteq p$.

⁵ Discussion of meets and joins is omitted for lack of space.

IV. MIS MODELS

Markov Imbeddable Structure models are one approach to deriving a system's reliability from the reliability of its components. These models consist of states and transitions between states caused by the failure of components. The reliability of the system is determined by computing the probability of the system not reaching the "failed" state after considering the effect of each component. This paper considers MIS models where the states are defined by the components functional in that state; e.g., $1101$ corresponds to the state of a 4-component system where components 1, 2, and 4 are functional and component 3 has failed.
Components cannot repair themselves, so every transition is either from one state to that same state or from one state to a state with more failed components. The failed state is absorbing—once the system fails, we are no longer interested in its behavior.

These transitions are usually represented in the form of transition probability matrices (TPMs) $T_i$, one for each component. As the system always starts in the fully functional state, the initial state probability vector is $\Pi_0 \triangleq [1, 0, \ldots]$. Another vector $u \triangleq [1, \ldots, 0]$ defines which states are considered functional. The system reliability is given by the product of the initial state probabilities, the TPMs, and the $u$ vector:
$$R(S) \triangleq \Pi_0^T \ast T_1 \ast T_2 \ast \cdots \ast T_n \ast u \quad (9)$$
As an example, consider the system with two components in series where $R(c_1) = R(c_2) = p = 1 - q$. The TPM for both components is given by
$$T_1 = T_2 = \begin{bmatrix} p & q \\ 0 & 1 \end{bmatrix}$$
and the resulting system reliability is
$$R(S) = \Pi_0^T \ast T_1 \ast T_2 \ast u = p^2.$$

A. Abstraction and Concretization

To apply our formalization of refinement and generalization to MIS models, we need to connect our properties domain $\mathit{Prop}$ to MIS models. We achieve this by an abstraction operator, which converts system constraints to MIS models, and a concretization operator, which derives constraints from MIS models.

To abstract an MIS model from $(C, R, D) \in \mathit{Prop}$, for each $c_i \in C$ let $p_i = 1 - q_i = R(c_i)$ be its reliability and let $T_i$ be its TPM. Let $n = |C|$ be the number of components in the system. Then, begin with the initial fully-functional state $1\cdots1$. For each dependency $\langle c_i \mapsto e\rangle \in D$, insert a transition from $1\cdots1$ to $1\cdots1$ with probability $p_i$ in $T_i$ and a transition from $1\cdots1$ to the state where all components except $c_i$ and those in $e$ are functional with probability $q_i$ in $T_i$. If $S \in e$, then mark that state as "failed".

For each non-"failed" state added in the previous step, let $s$ be the components functional in that state and let $f = C \setminus s$ be the set of failed components. For each component $c_i \in s$, select the dependency $\langle c \mapsto e\rangle \in D$ where $c_i \in c$ and $c$ is the largest set such that $c \setminus \{c_i\} \subseteq f$. Insert transitions from $s$ to $s$ with probability $p_i$ and from $s$ to $s \setminus e$ with probability $q_i$ into $T_i$. For each component $c_i \in f$, insert a transition from $s$ to $s$ with probability 1 into $T_i$. Repeat this step until there are no more non-failed states to consider.

Concretizing properties from an MIS model proceeds in an analogous fashion. For each $T_i$ create a component $c_i$ and set $R(c_i) = p_i$. For each $c_i$, first let $s'$ be the set of components functional after $c_i$ fails from the initial $1\cdots1$ state and add a dependency $\langle c_i \mapsto C \setminus s'\rangle$ to $D$. Then consider all transitions in $T_i$ from state $s$ to state $s'$ where $s' \subset s$. Let $f \triangleq s \setminus s' \setminus \{c_i\}$ be the set of components that also fail as a result of the failure of $c_i$. Take $\langle c \mapsto e\rangle \in D$ where $c_i \in c$ and $c$ is the largest set such that $c \setminus \{c_i\} \subseteq C \setminus s$. If $e \neq f$, add a dependency $\langle C \setminus s \setminus \{c_i\} \mapsto f\rangle$.

B. Examples

As an example of the power of this approach, let us refine a 2-of-3 system from $\top$. Our starting system is $\top = (\{c_1\},\ R(c_1) = 0,\ \{\langle c_1 \mapsto S\rangle\})$. If we refine $c_1$'s reliability to $p$ by $s_1 = \mathit{tighten\_rel}\,\top\,[c_1, p]$, the resulting system has reliability $R(S) = p$. Next, we create another component via $s_2 = \mathit{split}\,s_1\,[c_1 \to c_1, c_2]$, giving the following system:
$$s_2 = (\{c_1, c_2\},\ R(c_1) = R(c_2) = p,\ \{\langle c_1 \mapsto c_2, S\rangle, \langle c_2 \mapsto c_1, S\rangle, \langle c_1, c_2 \mapsto S\rangle\})$$
This gives $R(S) = p^2$, as we now take two steps through the Markov chain. We can avoid adding excessive dependencies later by removing two, making $c_1$ independent: $s_3 = \mathit{remove\_dep}\,s_2\,[c_1 \mapsto c_2, S]$.
$$s_3 = (\{c_1, c_2\},\ R(c_1) = R(c_2) = p,\ \{\langle \{c_1\}, \emptyset \rangle,\ \langle \{c_2\}, \{c_1, S\} \rangle,\ \langle \{c_1, c_2\}, \{S\} \rangle\})$$

Removing these dependencies adds a new state to the Markov chain, which now has states 11, 01 ($c_1$ failed) and 00 (failed), with the following transitions:

11 → 11: $c_1, c_2$ with probability $p$; 11 → 01: $c_1$ with probability $q$; 11 → 00: $c_2$ with probability $q$;
01 → 01: $c_1$ with probability 1, $c_2$ with probability $p$; 01 → 00: $c_2$ with probability $q$;
00 → 00: $c_1, c_2$ with probability 1.

This gives $R(S) = p^2 + pq$: either both components remain functional, or $c_1$ fails and $c_2$ remains functional. Next, we introduce $c_3$ by $s_4 = \mathit{split}\ s_3\ [c_2 \to c_2, c_3]$.

$$s_4 = (\{c_1, c_2, c_3\},\ R(c_1) = R(c_2) = R(c_3) = p,\ \{\langle \{c_1\}, \emptyset \rangle,\ \langle \{c_2\}, \{c_1, c_3, S\} \rangle,\ \langle \{c_3\}, \{c_1, c_2, S\} \rangle,\ \langle \{c_1, c_2\}, \{S\} \rangle,\ \langle \{c_1, c_3\}, \{c_2, S\} \rangle,\ \langle \{c_2, c_3\}, \{c_1, S\} \rangle\})$$

The Markov chain is similar to the one abstracted from $s_3$, but $c_3$ adds its own transition probabilities. This gives $R(S) = p^3 + p^2 q$: either all components remain functional, or $c_1$ fails and $c_2$ and $c_3$ remain functional.

Finally, we arrive at the desired 2-of-3 system by removing unneeded dependencies: $s_5 = \mathit{remove\_dep}\ s_4\ [c_2, \{c_1, c_3, S\}]$ and $s_6 = \mathit{remove\_dep}\ s_5\ [c_3, \{c_1, c_2, S\}]$.

$$s_6 = (\{c_1, c_2, c_3\},\ R(c_1) = R(c_2) = R(c_3) = p,\ \{\langle \{c_1\}, \emptyset \rangle,\ \langle \{c_2\}, \emptyset \rangle,\ \langle \{c_3\}, \emptyset \rangle,\ \langle \{c_1, c_2\}, \{S\} \rangle,\ \langle \{c_1, c_3\}, \{c_2, S\} \rangle,\ \langle \{c_2, c_3\}, \{c_1, S\} \rangle\})$$

The abstracted Markov chain has two new states, 101 and 110, alongside 111, 011 and 000 (failed):

111 → 111: $c_1, c_2, c_3$ with probability $p$; 111 → 011: $c_1$ with probability $q$; 111 → 101: $c_2$ with probability $q$; 111 → 110: $c_3$ with probability $q$;
110 → 110: $c_1, c_2$ with probability $p$, $c_3$ with probability 1; 110 → 000: $c_1, c_2$ with probability $q$;
101 → 101: $c_1, c_3$ with probability $p$, $c_2$ with probability 1; 101 → 000: $c_1, c_3$ with probability $q$;
011 → 011: $c_2, c_3$ with probability $p$, $c_1$ with probability 1; 011 → 000: $c_2, c_3$ with probability $q$;
000 → 000: all components with probability 1.

This gives $R(S) = p^3 + 3p^2 q$: either all components remain functional, or exactly one fails.

V. RELATED WORK

Markov chains form the theoretical basis for numerous system reliability analyses. Of particular relevance to this work are two applications of MIS modeling to smart grids, power grids augmented with cyber monitoring and control capabilities to improve their dependability [3], [4].
These studies demonstrate how MIS modeling can be applied to real-world systems to capture system reliability and component interdependencies.

Refinement of specifications for software programs has been studied extensively; see [5] for an introduction and [6] for a recent survey of the literature. The essence of program specification and refinement is augmenting a programming language with a specification language, so that programs become specifications that are executable. To derive programs from non-executable specifications, a refinement relation is defined and various refinements of specifications are developed. This allows one to start with a high-level specification of a program's behavior and derive, through repeated refinement, an executable program whose specification refines the initial specification.

Research on refinement of Markov chains has taken two forms. The first focuses on Interval Markov Chains (IMCs) and their extension, Constraint Markov Chains (CMCs) [7], [8]. In these formalisms, transition probabilities are not given exactly but are bounded within an interval or given by algebraic constraints, respectively. As each IMC or CMC corresponds to the collection of Markov chains that satisfy the given requirements, it is possible to define refinement directly in terms of these formalisms, rather than using a separate "system constraints" formalism as we do. Each system specification can be written as an IMC or CMC and then refined into a complete system model via refinement and conjunction operations. The second approach uses counterexample generation to validate Markov chain abstractions used in model checking [9]. Starting with a coarse approximation of the original Markov chain, model checking is performed until a counterexample is found.
This counterexample is checked against the original specification; if the counterexample does not hold there, the approximate system is refined so that the counterexample no longer holds. This process repeats until a genuine counterexample is found (one that holds for the original specification) or the model checking algorithm cannot find a counterexample. A related work [10] bounds the uncertainty introduced by this approach to state-space reduction by separately modeling the uncertainty present in the model and the uncertainty added through abstraction.

VI. CONCLUSION

In this paper, we have proposed and demonstrated an approach to refinement and generalization of MIS reliability models. Key to this approach is a system constraints domain, which captures the behavior of a system in an abstract, easily manipulated fashion. These constraints describe the components of the system, their reliability, and dependencies that describe how one set of component failures can trigger another. Given these constraints, we create generalization and refinement operators that allow us to relax or add constraints as needed. Thus, we can simplify a system for easier evaluation by generalizing it, or we can iteratively develop one through repeated refinement. Finally, we link these constraints to MIS reliability models, enabling us to refine or generalize models of a common modeling formalism.

We plan to extend the refinement framework to other modeling formalisms and to define higher-level modeling operations, e.g., model composition, in terms of refinement. Furthermore, we intend to implement this as a software tool so that it can be easily applied to large-scale systems.

REFERENCES

[1] W. Kuo and M. J. Zuo, Optimal Reliability Modeling: Principles and Applications. John Wiley & Sons, 2003.
[2] N. Jarus, S. Sedigh Sarvestani, and A. R. Hurson, "Formalizing cyber-physical system model transformation via abstract interpretation," in 19th IEEE International Symposium on High Assurance Systems Engineering (HASE), pp. 107–114, Jan. 2019.
[3] M. N. Albasrawi, N. Jarus, K. A. Joshi, and S. Sedigh Sarvestani, "Analysis of reliability and resilience for smart grids," in 38th Annual IEEE Computer Software and Applications Conference, pp. 529–534, July 2014.
[4] K. Marashi, S. Sedigh Sarvestani, and A. R. Hurson, "Consideration of cyber-physical interdependencies in reliability modeling of smart grids," IEEE Trans. on Sustainable Computing, vol. 3, pp. 73–83, Apr. 2018.
[5] C. Morgan, Programming from Specifications. Prentice Hall International Series in Computer Science, Prentice Hall, 1990.
[6] S. Gulwani, O. Polozov, and R. Singh, "Program synthesis," Foundations and Trends in Programming Languages, vol. 4, pp. 1–119, July 2017.
[7] B. Caillaud, B. Delahaye, K. G. Larsen, A. Legay, M. L. Pedersen, and A. Wąsowski, "Compositional design methodology with constraint Markov chains," in 7th International Conference on the Quantitative Evaluation of Systems, pp. 123–132, Sept. 2010.
[8] B. Delahaye, K. G. Larsen, A. Legay, M. L. Pedersen, and A. Wąsowski, "Consistency and refinement for interval Markov chains," Journal of Logic and Algebraic Programming, vol. 81, pp. 209–226, Apr. 2012.
[9] R. Chadha and M. Viswanathan, "A counterexample-guided abstraction-refinement framework for Markov decision processes," ACM Trans. on Computational Logic, vol. 12, pp. 1:1–1:49, Nov. 2010.
[10] M. Kattenbelt, M. Kwiatkowska, G. Norman, and D. Parker, "A game-based abstraction-refinement framework for Markov decision processes," Formal Methods in System Design, vol. 36, pp. 246–280, Sept. 2010.