Fault Tree Analysis (FTA) is a prominent technique in industrial and scientific risk assessment. Repairable Fault Trees (RFT) enhance the classical Fault Tree (FT) model by introducing the possibility to describe complex dependent repairs of system components. The usual frameworks for analyzing FTs, such as BDD, SBDD, and Markov chains, fail to assess the desired properties over complex RFT models, either because these become too large or because of the cyclic behaviour introduced by dependent repairs. Simulation is another way to carry out this kind of analysis. In this paper we review the RFT model with Repair Boxes as introduced by Daniele Codetta-Raiteri. We present a compositional semantics for this model in terms of Input/Output Stochastic Automata (IOSA), which allows for the modelling of events occurring according to general continuous distributions. Moreover, we prove that the semantics generates (weakly) deterministic models, hence suitable for discrete event simulation, and prominently for Rare Event Simulation using the FIG tool.
Introduction
Fault Tree Analysis is a prominent technique for dependability assessment of complex industrial systems. Standard or Static Fault Trees (SFTs [21]) are DAGs whose leaves are called Basic Events (BE), and usually represent the failure of a physical system component. Each leaf is equipped with a failure rate or discrete probability, indicating the frequency at which the component breaks. The other FT nodes are called gates, and they model how basic component failures combine to induce more complex system failures, until the failure of interest (the top event of the tree) occurs. SFTs thus encode a logical formula. One of the most efficient analysis techniques uses Binary Decision Diagrams (BDD) to represent the formula, and then performs dependability studies using specialised algorithms. This assumes the absence of stochastic dependency among BEs.
Many extensions to SFTs allow for further modelling capabilities. One of the most studied are Dynamic Fault Trees (DFTs [16, 22]). DFTs add gates to describe time- and order-dependence among the tree nodes, in contrast to the plain combinatorial behavior of SFT gates. New analysis methods were introduced in order to capture temporal requirements, such as cut sequences, translation to Markov models [16, 16, 6], Sequence BDDs [19, 28, 35], algebraic approaches [25, 1], simulation, and combinations and optimisations thereof [3, 20]. […] guarantee that there will be a significant state space reduction in general models. This is an especially difficult situation in the analysis of big and complex industrial size systems involving repair. A second drawback is the restriction to exponentially distributed events, which does not allow correctly modelling real life systems where timing is governed by other continuous distributions. This is the case, for example, of phenomena such as timeouts in communication protocols, hard deadlines in real-time systems, human response times, or the variability of the delay of sound and video frames (so-called jitter) in modern multimedia communication systems, which are typically described by non-memoryless distributions such as uniform, log-normal, or Weibull distributions [17]. A second approach to RFT analysis would be resorting to simulation, which does not need the full state space of the model to be constructed, and does not impose per se a restriction to any kind of probability distribution. The main problem when confronting simulation is the large amount of computation needed to reach a sufficiently accurate result. This is a most relevant issue when analyzing highly dependable or fault tolerant systems, where the failure probability is very small and plain Monte Carlo simulation becomes infeasible. To face this problem one can make use of Rare Event Simulation techniques such as Importance Splitting or Importance Sampling [33, 10, 11, 29].
Our main contribution in this work is a method for precisely modelling RFTs with generally distributed events. Furthermore, by yielding a deterministic IOSA model, thus amenable to discrete event simulation, we are able to analyze it with the FIG Rare Event Simulation Tool [11, 12], greatly improving efficiency when analyzing highly dependable systems. The recent work [31] also takes on the matter of using rare event simulation to analyze DFTs with complex repairs. Nevertheless, they restrict themselves to Exponential and Erlang distributions, and they finally conduct their analysis over a Markov model, hence suffering from potential state space explosion.
Repair Fault Trees
In Fig. 1 we depict the set of RFT elements that we consider in this work. Each of them has a set of inputs to which its subtrees are connected, and an output (if applicable) to propagate the failure, repair and other signals. The propagation of a failure and its subsequent repair starts at the leaves of the fault tree, which consist only of (spare) basic elements. When one of them fails, or gets repaired, it instantaneously propagates the event to the gates to which it is connected. The state of a gate changes based on the signals it receives from its inputs, and it propagates its new state to the gates for which it serves as input. Thus, a proper combination and timing of fail signals may change a gate's state to failing, and similarly, a proper combination and timing of repair signals may change it back to a working state. This very much depends on the type of gate. The state changes will at the same time trigger output signals accordingly. Not only fail and repair signals, but also other signals may be produced, as is the case of repair boxes, which may output a start repairing signal to any of their input basic elements. The intuition about the behavior of each gate is as follows. An AND gate fails whenever all its inputs fail, and gets repaired (stops failing) when at least one of its inputs is repaired. An OR gate fails whenever at least one of its inputs fails and is repaired when all of its inputs are repaired. A k/n VOTING gate fails whenever at least k of its n inputs fail and stops failing if at most k−1 of its inputs remain failing. A PAND gate fails whenever its inputs fail from left to right, inducing an order on the failure occurrence, and it is repaired if the last input is repaired. A functional dependency gate (FDEP) has n + 1 inputs. The fail signal of one of its inputs (the triggering one) makes all the other inputs inaccessible to the rest of the system.
Note that the dependent inputs do not necessarily fail, and they will be accessible again as soon as the triggering component is repaired (note the difference with [6, 31], where dependent BEs do fail). In fact this gate can easily be replaced by a system of OR gates [34]. A spare basic element (SBE) is a special case of BE which can be enabled and disabled, and can be used as a spare part for other BEs through spare gates. The same SBE can be shared by several spare gates, and different sharing policies are introduced for this purpose. A spare gate (SG) allows replacing a basic element by one of several spare basic elements in case it fails. Each spare gate has a main input and n spare inputs. The main input can only be a BE. The spare inputs can only be SBEs. As soon as the main input fails, the SG uses its own policy to ask for the replacement by one of its spare inputs. The SG will fail whenever it does not obtain a replacement, and will signal repair whenever the main input gets repaired or a spare input is obtained. If an in-use replacement fails, the SG will look for a new one. If the main input is repaired, the SG will free the acquired spare input, in case there is one. A repair box (RBOX) is the unit in charge of managing the repair of failed BEs and SBEs. It has n inputs, which are the elements administered for repair, and a dummy output. An RBOX policy determines in which order the failing elements will be repaired. Also notice that an RBOX can only repair one of its inputs at a time, while the rest of its failing inputs wait for repair.
Input/Output Stochastic Automata (IOSA) [15, 17] is a modelling formalism tailored to model stochastic systems for the purpose of simulation. IOSAs combine continuous probability jumps from Stochastic Automata with discrete event synchronisation for a compositional style of modelling. IOSAs use continuous random variables to control and observe the passage of time. These variables, called clocks, are set to a value according to their associated probability distribution and, as time evolves, count down all at the same rate until they reach the value zero. Clocks control the moments when actions are taken, and thus allow modelling systems where events occur at random continuous time stamps. Output and input transitions can be used to synchronize and communicate between different IOSAs. Output transitions are autonomous, while the occurrence of inputs depends on synchronisation with outputs. A transversal classification of actions allows marking them as urgent or non-urgent. While a non-urgent output is controlled by the expiration of clocks (i.e., clocks reaching the value zero), an urgent output action is taken as soon as the state in which it is enabled is reached. Though an IOSA may be non-deterministic, [17] provides a set of sufficient conditions that guarantee weak determinism (i.e. only spurious non-determinism is present). Furthermore, such conditions can be checked with a polynomial algorithm on the components of the model.
[…] A is a (denumerable) set of labels partitioned into disjoint sets of input labels A_i and output labels A_o, from which a subset A_u ⊆ A is marked as urgent, C is a (finite) set of clocks such that each x ∈ C has an associated continuous probability measure µ_x on ℝ with µ_x(ℝ_{>0}) = 1, → ⊆ S × C × A × C × S is a transition function, C_0 is the set of clocks that are initialized in the initial state, and s_0 ∈ S is the initial state. In addition it should satisfy the following constraints: […]
Restrictions (a) to (f) are there to ensure that at most one non-urgent output action is enabled at a time. If in addition the IOSA is closed (i.e., all communications have been resolved and hence the set of inputs is empty) and all its urgent actions are confluent (in the sense of [26], see also Def. 5), it turns out that all the non-determinism is spurious and does not alter the stochastic behavior (i.e. regardless of how non-determinism is resolved, the stochastic properties remain the same) [15, 17]. We call this property weak determinism.
IOSAs are closed under parallel composition, which is defined according to the rules in Table 1. In order to avoid unintended behavior, the component IOSAs are required to be compatible, that is, they should not share output actions nor clocks, and they should be consistent with respect to urgent actions.
IOSA symbolic language
We present a symbolic language to describe an IOSA model. This language is the input language of the tool FIG [12, 10] and bears a strong resemblance to the PRISM modelling language [23]. The compositional style of modelling of IOSAs is also reflected in the language, where each component is modeled separately by what we call a module. A module is composed of a set of variables, whose valuations represent the actual state of the component, a set of clocks corresponding to the enabling clocks for non-urgent transitions, and a set of transitions which symbolically describe the possible jumps between states (changes of valuations and resetting of clocks). Fig. 2 models a basic element as an example. Variables can be of integer (with finite range) or boolean type. As we will see later, arrays can also be defined as variables. An initial value for each variable is given after the keyword init. Clock measures are defined at the transitions where the clocks are reset. A transition is described by the name of the action which takes place, a guard that defines the origin states, an enabling clock (only for non-urgent output transitions), a condition describing the target states, and the set of clocks to be reset. A quick overview of Fig. 2 will help to further understand our symbolic language: two clocks, fc and rc, are defined at line 2. These clocks are used as enabling clocks for the transitions at lines 6 and 8, and are reset on the transitions at lines 7 and 9, where γ and µ are the distributions associated with rc and fc, respectively. Lines 3 and 4 define the variables inform and broken, both of integer type ranging between 0 and 2, and initialized with value 0.
A formal syntax for RFT and its semantics
In this section we present a formal definition of the RFT, similar to those of [5, 7], along with its semantics given in terms of IOSA. Each element of a RFT is characterized by a tuple consisting of its type, its arity (i.e. number of inputs), and possibly other parameters, like the probability distributions for fail and repair events in a BE.
Definition 2. Let n, m, k ∈ N+, and let µ, ν and γ be continuous probability distributions. We define the set E of elements of a RFT to be composed of the following tuples:
- (be, 0, µ, γ) and (sbe, 0, µ, ν, γ), which represent basic and spare basic elements, with no inputs, with an active failure distribution µ, a dormant failure distribution ν, and a repair distribution γ;
- (and, n), (or, n) and (pand, n), which represent AND, OR and PAND gates with n inputs, respectively;
- (vot, n, k), which represents a k out of n voting gate;
- (fdep, n), which represents a functional dependency gate, with 1 trigger input and n−1 dependent ones. By convention the first input is the triggering one;
- (sg, n), which represents a SPARE gate with one main input and n − 1 spare inputs. By convention the first input is the main one;
- (rbox, n), which represents a RBOX element for n BEs (or SBEs).
Definition 3. A RFT is a directed acyclic graph, for which every vertex v is labeled with an element l(v) ∈ E. An edge from v to w means that the output of v is connected to an input of w. Since the order of the inputs is relevant, we give them in terms of a list i(w) instead of a set. Similarly, si(v) will list all the spare gates to which a spare basic element v is connected as an input. […] If such an edge exists, we will say that v is connected to w and w to v. In addition, a RFT T should satisfy the following conditions:
- T has a unique top element, i.e. a unique element whose non-dummy output is not connected to another gate. That is, there is a unique vertex v ∈ V such that for all w ∈ V, (v, w) ∉ E and t(v) ≠ fdep, rbox.
- An output can not be more than once the input of a same gate. That is, for […]
- If a basic element is connected to a spare gate then it can not be connected to a FDEP gate, i.e. if (v, w) ∈ E, t(v) = be and t(w) = sg, then there is no […]
In the following, we present a parametric semantics for RFT elements. This will be used later to obtain the semantics of each vertex in a given RFT, and consequently the semantics of the full model as the parallel composition of its components. In this section we only give the semantics for BEs, AND gates, OR gates, PAND gates, and RBOX. Remember that FDEP can be replaced by OR gates. Similarly, voting gates can be modeled by a series of AND and OR gates (although a simpler model can be found in Appendix D). In the design of the IOSA modules we should take into account the communication of each element of a RFT with its children and parents. For instance, a basic element has to communicate its failure and repair to those gates for which it is an input. Similarly, a RBOX has to communicate a start repairing signal to its inputs. In order to do so, the semantics of each element will be given by a function which takes actions as parameters. The semantics of a basic element is the IOSA in Fig. 2. The state of a basic element is defined by the fail clock fc, the repair clock rc, a variable signal that indicates when to signal the failure or repair, and a variable broken to distinguish between broken and normal states. A basic element fails when clock fc expires (line 6) and immediately informs it with the urgent signal f!! at line 11. As soon as the repair begins by the corresponding connected repair box (line 7), clock rc is set. When it expires, the component becomes repaired. Hence, fc is set again at line 8, and the repair is signaled with the urgent action u!! at line 11. At the starting state of an IOSA module all its clocks are set randomly according to their associated distributions. Thus, rc is set at the initial state and could eventually expire without having been set by a repair transition. This is why we have to distinguish the case where the BE is being repaired (broken=2) from the case where it is not.
For an AND gate element with two inputs, its semantics is a function [[e]] whose instance [[(and, 2)]](f, u, f1, u1, f2, u2) results in the IOSA in Fig. 3. At lines 6 to 11, the AND gate gets informed of the failure of either of its inputs. Upon failure of some input, we distinguish between the case where the other input has already failed (count=1) and the case where it has not (count=0). In the first case the AND gate has to move to a failure state, for which we set the informf variable in order to enable the signaling of the failure at line 20. Furthermore, in both cases we increase the value of count so that we take note of the failure of an input. A similar reasoning applies to the repair of an input at lines 13 to 18. In this case we have to set the module to signal a repair when an input gets repaired in a state where both inputs were failing (lines 13 and 16), by enabling the transition at line 21. From now on, we omit writing down the self loops originating from IOSA's input enabledness, such as those at lines 8, 11, 15 and 18, as they are assumed to be there. Nevertheless, we remark that it is necessary to take them into account when analyzing confluence in the next section. The semantics for an OR gate is similar to that of the AND gate and can be found in Appendix B.
The semantics of an n-input repair box with priority policy is a function [[e]] of the fail, up and repair actions of its n inputs (as for the repair boxes in App. C). The resulting module keeps track of failed inputs, updating its record when it receives their fail signals (lines 5 to 7) and up signals (lines 13 to 15). At the same time, when not busy, it sends repair signals to broken inputs (lines 9 to 12). Guards ensure the priority order for repairing. Note that instead of listening to the urgent output signals of the input BEs, it listens to the non-urgent actions of the transitions that trigger the failure or repair. This is done with the only purpose of facilitating the confluence analysis over this module. Other types of repair boxes can be modeled, taking into account different repairing policies (see App. C).
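As an added example (not the FIG tool and not the paper's own models), the following Python engine executes IOSA-style modules for the gates described in Section 2 and for the BE of Fig. 2, the two-input AND gate of Fig. 3 and a priority repair box as described just above: a non-urgent output fires when its clock expires, an urgent output fires as soon as its guard holds and synchronises at once with the equally named inputs of the other modules, and an input with no enabled transition is a self-loop. The module builders, the action naming scheme (fl_X, up_X, r_X for the BE's non-urgent fail, non-urgent up and repair-start, f_X, u_X for its urgent fail and up signals), the sample RFT TOP = AND(A, B) with one RBOX that repairs A before B, and the constant delays are all constructed for this example; any sampler, for instance a Weibull or log-normal draw, can be passed in place of the constants.

```python
def assign(resets=(), **new):
    """Postcondition: set the variables in `new`, then reset the clocks in `resets`."""
    return lambda v: (v.update(new), list(resets))[1]

class Module:
    """Variables, clocks (a sampler each) and transitions (action, kind, guard, clock, post):
    kind 'out' = non-urgent output (fires when the guard holds and `clock` expires),
    'urg' = urgent output (fires as soon as the guard holds), 'in' = input."""
    def __init__(self, variables, samplers, transitions):
        self.v, self.samplers, self.trans = dict(variables), samplers, transitions
        self.clocks = {c: s() for c, s in samplers.items()}  # every clock is set initially

    def enabled(self, kind, action=None):
        return [t for t in self.trans if t[1] == kind and t[2](self.v) and action in (None, t[0])]

    def fire(self, t):
        for c in t[4](self.v):
            self.clocks[c] = self.samplers[c]()
        return t[0]

class System:
    """Closed composition: an output synchronises with the equally named inputs of the other
    modules. Urgent outputs are taken in scan order without time passing; for a weakly
    deterministic model that order does not change the reached state."""
    def __init__(self, modules, horizon):
        self.modules, self.horizon, self.now, self.trace = modules, horizon, 0.0, []

    def emit(self, m, t):
        a = m.fire(t)
        self.trace.append((self.now, a))
        for other in self.modules:
            for t_in in other.enabled('in', a)[:1]:  # no enabled input: implicit self-loop
                other.fire(t_in)

    def settle_urgent(self):
        hits = [(m, t) for m in self.modules for t in m.enabled('urg')]
        while hits:
            self.emit(*hits[0])
            hits = [(m, t) for m in self.modules for t in m.enabled('urg')]

    def run(self):
        self.settle_urgent()
        while True:
            outs = [(m.clocks[t[3]], m, t) for m in self.modules for t in m.enabled('out')]
            if not outs:
                return self.trace
            left, m, t = min(outs, key=lambda o: o[0])
            delta = max(left, 0.0)  # an already expired clock fires at once
            if self.now + delta > self.horizon:
                return self.trace
            for mod in self.modules:  # all clocks count down at the same rate
                for c in mod.clocks:
                    mod.clocks[c] -= delta
            self.now += delta
            self.emit(m, t)
            self.settle_urgent()

def basic_element(n, fail_sampler, repair_sampler):
    # BE of Fig. 2: fl_n when fc expires; r_n starts the repair; up_n when rc expires;
    # f_n / u_n are the urgent fail / up signals to the gates it feeds
    return Module({'broken': 0, 'inform': 0}, {'fc': fail_sampler, 'rc': repair_sampler}, [
        ('fl_' + n, 'out', lambda v: v['broken'] == 0, 'fc', assign(broken=1, inform=1)),
        ('r_' + n, 'in', lambda v: v['broken'] == 1, None, assign(['rc'], broken=2)),
        ('up_' + n, 'out', lambda v: v['broken'] == 2, 'rc', assign(['fc'], broken=0, inform=2)),
        ('f_' + n, 'urg', lambda v: v['inform'] == 1, None, assign(inform=0)),
        ('u_' + n, 'urg', lambda v: v['inform'] == 2, None, assign(inform=0))])

def and_gate(n, in1, in2):
    # two-input AND gate of Fig. 3 (variables count, informf, informu)
    ts = []
    for i in (in1, in2):
        ts += [('f_' + i, 'in', lambda v: v['count'] == 0, None, assign(count=1)),
               ('f_' + i, 'in', lambda v: v['count'] == 1, None, assign(count=2, informf=1)),
               ('u_' + i, 'in', lambda v: v['count'] == 2, None, assign(count=1, informu=1)),
               ('u_' + i, 'in', lambda v: v['count'] == 1, None, assign(count=0))]
    ts += [('f_' + n, 'urg', lambda v: v['informf'] == 1, None, assign(informf=0)),
           ('u_' + n, 'urg', lambda v: v['informu'] == 1, None, assign(informu=0))]
    return Module({'count': 0, 'informf': 0, 'informu': 0}, {}, ts)

def priority_rbox(inputs):
    # priority repair box: records the non-urgent fl_i / up_i of its inputs and, when idle,
    # sends the urgent r_i to the broken input listed first
    ts = []
    for k, i in enumerate(inputs):
        ts += [('fl_' + i, 'in', lambda v: True, None, assign(**{'failed_' + i: 1})),
               ('up_' + i, 'in', lambda v: True, None, assign(busy=0, **{'failed_' + i: 0})),
               ('r_' + i, 'urg', lambda v, i=i, ahead=tuple(inputs[:k]): v['busy'] == 0
                and v['failed_' + i] == 1 and all(v['failed_' + h] == 0 for h in ahead),
                None, assign(busy=1))]
    return Module({'busy': 0, **{'failed_' + i: 0 for i in inputs}}, {}, ts)

def run_example(horizon=7.0):
    """Constructed RFT: TOP = AND(A, B), one RBOX repairing A before B, constant delays;
    returns TOP's fail/up events and the fraction of the horizon TOP spent failed."""
    const = lambda x: (lambda: x)
    mods = [basic_element('A', const(1.0), const(1.5)), basic_element('B', const(2.0), const(1.5)),
            and_gate('TOP', 'A', 'B'), priority_rbox(['A', 'B'])]
    trace = System(mods, horizon).run()
    top = [(t, 'fail' if a == 'f_TOP' else 'up') for t, a in trace if a in ('f_TOP', 'u_TOP')]
    down = sum(b - a for (a, x), (b, _) in zip(top, top[1:] + [(horizon, 'end')]) if x == 'fail')
    return top, down / horizon
```

With the constant delays, A fails at 1.0 and is repaired at 2.5, B fails at 2.0, so TOP fails at 2.0 and comes back at 2.5; the single repair box is what makes later repairs queue (A's second failure at 3.5 waits until B's repair ends at 4.0). Replacing the constants by, for example, `lambda: random.weibullvariate(2.0, 1.5)` turns the same engine into a plain Monte Carlo run with non-memoryless distributions; the rare-event techniques of the text are then a matter of how many such runs reach the top event, not of the model itself.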
The semantics of a Priority AND gate with 2 inputs, [[(pand, 2)]], is the IOSA in Fig. 5. PAND gates fail only when their inputs fail from left to right. This allows conditioning the failure of a system not only on the failure of the subsystems but also on the order in which they fail. Notice that an n-input PAND gate is simply syntactic sugar for a system of n − 1 two-input PAND gates connected in cascade. The literature is not always clear, or even disagrees, on what the behavior of the PAND gate should be in case both inputs fail at the same time [24, 14]. This situation arises in some constructions with AND and OR gates, or when the inputs of a PAND gate are connected to the same FDEP (see Fig. 6). Some proposals disallow these situations and discard them in early syntactic checks [31]. Some others assume a nondeterministic situation and find it important to analyze scenarios where the behavior is in fact unknown [5]. Other works decided that the PAND gate does not fail unless its inputs break strictly from left to right [6, 4]. Some others state that PAND gates also fail when both their inputs fail at the same time [14, 9, 8]. We opted for this last case, so the gate needs to be able to identify whether time has passed between the occurrence of the failures, and act accordingly. In the particular case where no time passes between the failure of the inputs, we consider that the order in which the dependent BEs fail does not really matter and thus the non-determinism is spurious. To identify whether time has passed between the occurrence of the input failures, the model listens to any output action, which indicates that a clock has expired. This is done by a special input action at line 8, which synchronizes with all non-urgent outputs, regardless of the name of the action. Notice that there is only one scenario that we want to rule out, which is when the second input fails and then time passes without the first input failing too.
This is in fact the case described by the guard of line 8. Furthermore, this transition moves to the 'unbreakable' state, from which it can only go back when input 1 is fixed. In consequence, the failure of the gate occurs either if both inputs fail at the same time or if the first input fails, then time passes, and then the second input fails.
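The timing rule just described, as an added example rather than a transcription of the Fig. 5 module: the gate records, for each failed input, the number of 'time passes' observations seen so far (the counterpart of the line-8 input that synchronises with every non-urgent output), so two failures with the same count happened in the same instant and either arrival order is accepted, while a right input failing in an earlier instant than a left one can never complete a failure. The encoding generalises to n inputs (the two-input gate is the case in the text). Its `blocked` predicate corresponds to the 'unbreakable' situation; in this encoding the block dissolves when the out-of-order right input is repaired, which is a choice made here, not the exit rule of Fig. 5.

```python
class PandGate:
    """PAND gate with n inputs whose notion of 'time has passed' is an epoch counter
    advanced by time_passes(), the counterpart of the input that synchronises with
    every non-urgent output (clock expiry) of the system."""

    def __init__(self, n=2):
        self.n, self.epoch, self.failed = n, 0, False
        self.failed_at = [None] * n  # epoch of each input's current failure, None if up

    def time_passes(self):
        """A clock expired somewhere: events before and after are in different instants."""
        self.epoch += 1

    def fail(self, i):
        """Input i fails. The gate fails iff all inputs are failed and their failure
        epochs are non-decreasing from left to right; equal epochs (same instant) count
        as ordered, which is the spurious non-determinism the text accepts."""
        self.failed_at[i] = self.epoch
        if all(e is not None for e in self.failed_at) and all(
                self.failed_at[j] <= self.failed_at[j + 1] for j in range(self.n - 1)):
            self.failed = True
        return self.failed

    def repair(self, i):
        """Input i is repaired; the gate is repaired when its last input is repaired."""
        self.failed_at[i] = None
        if i == self.n - 1:
            self.failed = False
        return self.failed

    def blocked(self):
        """The text's 'unbreakable' situation: some right input failed in an earlier
        instant than a left input that is still up or failed later. Here the block
        dissolves when that right input is repaired (a choice made in this example)."""
        for i in range(self.n - 1):
            for j in range(i + 1, self.n):
                fi, fj = self.failed_at[i], self.failed_at[j]
                if fj is not None and ((fi is None and fj < self.epoch) or
                                       (fi is not None and fi > fj)):
                    return True
        return False
```

The cases that distinguish the conventions cited in the text: `fail(0); time_passes(); fail(1)` fails the gate, `fail(1); fail(0)` with no tick in between also fails it (same instant, either order), and `fail(1); time_passes(); fail(0)` leaves it working and blocked until input 1 is repaired.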
The semantics of a RFT is the parallel composition of the semantics of its components, suitably synchronized.
Definition 4. Given a RFT T = (V, i, si, l) we define the semantics of T as
In Section 7, we extend the semantics to spare gates and spare basic elements.
RFTs are weakly deterministic
In this section we show that RFTs composed only of BEs, AND gates, OR gates, PAND gates, and RBOXes are weakly deterministic. Since voting and FDEP gates can be constructed using OR and AND gates, the result extends to these gates. Results in this section rely heavily on results about weak determinism on IOSA proven in [17]. Therefore, we first summarize the essentials of [17] for this paper.
Note that, according to this definition, regardless of the order of the confluent transitions, the same state is reached. This non-determinism is spurious in the sense that it does not alter the stochastic properties of the given IOSA, regardless of the manner in which it is resolved. Since non-determinism can only arise on urgent actions, we say that a closed IOSA is weakly deterministic if all its urgent actions are confluent. In [17], we provided sufficient conditions to ensure that a closed IOSA is weakly deterministic. This is stated in Theorem 1 below, which requires the following definition.
Definition 6. Given an IOSA I with state space S and actions A, we distinguish the following sets of actions: […]
The approximate indirect triggering relation of a composite IOSA is defined as the reflexive transitive closure of the union of the triggering relations of its components. The following theorem from [17] gives necessary conditions for a closed IOSA not to be confluent. As a consequence, it provides sufficient conditions for a closed IOSA to be weakly deterministic. […] an action e and possibly empty sets B_1 to B_n spontaneously enabled by e in I_1 to I_n respectively, such that c and d are in ⋃_{i=1}^{n} B_i. In the following, we prove accessory propositions to eventually prove, using Theorem 1, that the IOSA defined by a RFT is weakly deterministic.
Proof. The proof of this Proposition follows an exhaustive check over each urgent transition of each model, in order to single out any non-confluent situation, and can be found in Appendix E.
Proof (sketch). It suffices to make a satisfiability analysis over the guards and postconditions of each pair (t_a, t_b), with t_b an urgent output symbolic transition and t_a any urgent symbolic transition, taking into account only reachable states.
An extended Semantics
In this section we add the spare gate and the spare basic element to the semantics of RFTs. As before, we aim to guarantee that the IOSA model derived from the RFT is weakly deterministic. In order to do so, we need to pay special attention to two particular scenarios that could introduce non-determinism if not correctly tackled.
The first scenario arises when a main basic element fails at a spare gate which is served with several spare basic elements. At this point the question arises of which of the available spare basic elements the spare gate should take. Traditionally, spare elements are selected in order from an ordered set. To generalize this mechanism for the selection of the spares, we intend to allow for more complex, state-dependent policies. It should always be the case that this policy is deterministic in its choices. The second scenario arises when several spare gates have requested a broken or already taken SBE, which eventually gets fixed by a repair box or freed by the owning spare gate. At this point, it is unclear which of the requesting spare gates will take the newly available SBE. For this, we define sharing policies on the SBE. Thus, to provide semantics to an SBE, we actually introduce two IOSA modules: one providing the extended behavior of a BE that can be taken from dormant to enabled state and vice versa, and another one, the multiplexer module, which manages the sharing of the SBE. Notice that this scenario is not a problem in the absence of repair boxes, since in such cases SBEs do not become available after they are taken or fail. Neither is it a problem when spare elements are not shared by different spare gates [4, 3]. The work [22] also studies race conditions in spare gates when two spare gates fail at the same time. This last situation is impossible in our setting given the last two properties of Definition 3 and the fact that two simultaneous failures of our basic elements are discarded by the IOSA deterministic semantics.
The models for the spare gate, the spare basic element and the multiplexer can be found in Appendix F. We extend the semantics of the RFT with the SBE and SG elements as follows.
Definition 7. Given a RFT T = (V, E), we extend Definition 4 with the following cases:
Notice that in the case of the SBE and SG, several signals are indexed by a pair of elements. This pair indicates which gate performs the action and which one listens for synchronisation. As an example, asg(v, si(v)[0]) indicates that the multiplexer that manages v assigns its spare basic element to its first connected spare gate (si(v)[0]).
Unfortunately, we could not find an easy or direct way to prove that this extension is indeed weakly deterministic, as we did for the RFT without spares. This is due in part to the complexity of the IOSA modules designed to avoid the aforementioned non-deterministic situations. While the spare basic element module can easily be proved to be confluent, this is not the case for the modules of the multiplexer and the spare gate. When analyzing these modules in isolation we find that some transitions are not confluent, and Theorem 1 could not be used directly. However, by partially composing spare gates with multiplexers, we were able to check that the conditions of Theorem 1 are not met. We automatically performed this check in several configurations, and showed that they are confluent. As parallel composition preserves confluence, they can be inserted in other RFT contexts, yielding weakly deterministic IOSAs.
Conclusion
In this work we have defined a semantics for Dynamic Fault Trees with repair boxes in terms of Input/Output Stochastic Automata, introducing the novel feature of general probability measures for failure and repair rates of basic elements. Furthermore, we have shown that our semantics produces weakly deterministic models, which are hence amenable to discrete event simulation. In particular, our models serve as direct input to the FIG Simulator (http [12, 10], as well as to other tools through the intermediate language Jani [13]. A future work direction could be introducing maintenance mechanisms and levels of degradation as in [30], in order to increase the possibilities for defining repair models. Another line of work would be defining an automatic translation from a graphical modelling tool for fault trees into IOSA models, in order to automate and ease the modelling and analysis of industrial size systems. Adding support for spare sub-trees such as in [] would be an interesting upgrade too, along with support for sub-tree dedicated repair boxes.
A IOSA Symbolic Language
The following context free grammar defines the complete IOSA symbolic modelling language. Here * stands for as many repetitions as wanted, + for at least one, ? for optional, | for a choice, and parentheses group productions and elements. An IOSA model is composed of a set of modules, each one describing a concurrent component of the system to model. The body of a module can be clearly divided into three parts: the variable declarations, the clock declarations, and the transition specification. Arrays are declared along with variables, with the additional requirement of defining the range of the array between brackets. Transition preconditions are boolean formulas describing the origin states of the symbolic transition. In this case the & symbol stands for the logical conjunction operator while | stands for the logical disjunction operator. Postconditions, on the other hand, describe the changes to the module's variables (state) by means of assignments to future values. Each assignment is enclosed in parentheses, and the variable's name is followed by an apostrophe to indicate that it corresponds to the value of the variable in the state reached after taking the transition. An & separates each assignment. Notice the similarity with the PRISM [23] syntax for describing transitions. Along with the assignment of values to future variables, we find the reset of clocks. A clock is assigned a probability distribution (clock = γ) to indicate that it will be reset to a value drawn from that probability distribution immediately before reaching the new state.
B OR Gate
For an OR gate element with two inputs, its semantics is a function [[e]] defined analogously to that of the AND gate. In the OR gate model, a counter (count) is used to register how many inputs have failed at each moment. The failure of an input increases the counter, while the repair of an input decreases it. We of course take as a premise that an input will not break twice in a row without being repaired in between, nor will it be repaired if it has not failed. When the counter changes its value from 0 to 1, the gate has to inform a failure. It does so in the transition at line 16, which gets enabled by the change of variable informf either at line 6 or 8. In the same way, when count becomes 0, the repair is informed by enabling the transition at line 17 through the change of variable informu either at line 12 or 14.
C Repair BOXes
For a repair box with first come first serve policy element e ∈ E with n inputs, its semantics is a function [[e]] : A 3*n → IOSA, where [[(rbox, n)]](fl_0, up_0, r_0, ..., fl_{n−1}, up_{n−1}, r_{n−1}) results in the following IOSA: The model for a repair box with first come first serve policy uses an array to mark down each broken input. Notice that each position in the queue corresponds to one input. A value 0 at an index i means that input i has not failed, while a greater value at that position indicates for "how long" it has been broken. Repair boxes use some syntactic elements present in the FIG simulator (http://dsg.famaf.unc.edu.ar/fig). These elements do not introduce new semantic behavior and are there only to reduce the complexity and obfuscation that modelling this using only the grammar presented in App. A would entail. Examples of this are the function broken, which given an array, in this case queue, and an index, in this case 0, increases by one the value at that index and every other value greater than 0 in the array. In this way we can check the order in which the inputs failed by comparing the values at the corresponding indexes: the greater the value, the sooner they broke. The syntactic function fstexclude, on the other hand, takes an array and a value and returns the index of the first element with a value different from the one passed. In this case we use it to check if there is any failed input. If there is at least one, then the maxfrom function will return the index of the highest value in queue, which corresponds to the input that broke first among all the broken ones. For a quick determinism analysis we point out that broken, fstexclude, and maxfrom are all deterministic. Furthermore, all pairs of urgent transitions in the model are confluent given that their preconditions are mutually exclusive given the value of variable r.
For a repair box with random policy element e ∈ E with n inputs, its semantics is a function [[e]] : A^{3n} → IOSA, where [[(rbox, n)]](fl_0, up_0, r_0, ..., fl_{n−1}, up_{n−1}, r_{n−1}) results in the following IOSA: The model for a random policy repair box presents two new syntactic elements from FIG. These are the function some, which returns a boolean value indicating whether there is some value different from zero in the array, and the function random, which models a uniform selection of an index among the non-zero positions of an array. Given that these two functions are deterministic, and with an analysis similar to that of the first come first serve policy repair box, we can deduce that this is also a deterministic model.
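As an added example (not the paper's IOSA modules nor FIG code), the following Python mirrors the repair-box behaviour described above for both policies: the helpers follow the description of FIG's broken, fstexclude, maxfrom, some and random given in the text, while the RepairBox class, its methods and the use of r for the input under repair are this example's own choices.

```python
import random

def broken(queue, i):
    """FIG's broken: slot i becomes 1 and every other failed (non-zero) slot
    ages by one, so the largest value marks the input that failed first."""
    return [v + 1 if k == i or v > 0 else 0 for k, v in enumerate(queue)]

def fstexclude(arr, value):
    """FIG's fstexclude: index of the first element != value, or -1 if none."""
    return next((k for k, v in enumerate(arr) if v != value), -1)

def maxfrom(arr):
    """FIG's maxfrom: index of the largest value, i.e. the oldest failure."""
    return max(range(len(arr)), key=arr.__getitem__)

class RepairBox:
    """n inputs, policy 'fcfs' or 'random'; r is the input under repair (None
    when idle), playing the role of variable r in the text (assumed name)."""
    def __init__(self, n, policy="fcfs", seed=0):
        self.queue, self.policy, self.r = [0] * n, policy, None
        self.rng = random.Random(seed)
    def fail(self, i):
        """Input i signalled fl_i: record it and start a repair if idle."""
        assert self.queue[i] == 0, "an input cannot fail twice without a repair"
        self.queue = broken(self.queue, i)
        self._dispatch()
    def repaired(self, i):
        """Input i signalled up_i: its repair finished, the box is free again."""
        assert self.r == i, "only the input under repair can be repaired"
        self.queue[i], self.r = 0, None
        self._dispatch()
    def _dispatch(self):
        """Urgent step (the r_i action): when idle and some input is failed,
        choose the next input to repair according to the policy."""
        if self.r is not None:
            return
        if self.policy == "fcfs" and fstexclude(self.queue, 0) != -1:
            self.r = maxfrom(self.queue)
        elif self.policy == "random" and any(self.queue):   # FIG's some
            # FIG's random: uniform choice among the non-zero slots
            self.r = self.rng.choice([k for k, v in enumerate(self.queue) if v])

def serve_all(fail_order, policy="fcfs", seed=0):
    """Fail the inputs in fail_order, then repair until idle; return repair order."""
    box = RepairBox(len(fail_order), policy, seed)
    for i in fail_order:
        box.fail(i)
    served = []
    while box.r is not None:
        served.append(box.r)
        box.repaired(box.r)
    return served
```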
D Voting gate
The following IOSA model corresponds to a 2-out-of-3 voting gate. A generalisation to other values of N and K is easily obtained. Voting gates are modelled using a counter that counts how many inputs have failed. This is done by listening to the corresponding fail signals at lines 5 to 7 and to the repair signals at lines 9 to 11. In these same lines we take into account whether we have just reached the value K (2 in our example) or have just dropped below it, which are the circumstances under which to inform the failure and the repair respectively; this is finally done at lines 13 and 14. Although an alternative modelling of these gates can be obtained by combining OR and AND gates, one may want to reduce the complexity of the system model by using this one, which also happens to be deterministic.
E Proof of Proposition 2
Parallel composition does not introduce new non-confluent pairs of actions and, moreover, it preserves the confluence of its components [17]. Thus, we look at the components in isolation. First notice that transitions in an IOSA module are defined symbolically. Each symbolic transition in a module describes, in fact, a set of IOSA transitions, which become concrete when the symbolic transition is evaluated on a state that satisfies its guard. Notice also that a state in a module is defined by the current values of its variables. When analysing whether two urgent actions a and b are confluent in a module, for each pair of symbolic transitions t_a and t_b defined for those actions in that module, we look for a non-confluence witness, i.e., a state that satisfies the guards of t_a and t_b and shows that a and b are not confluent (i.e., the pair does not satisfy Def. 5). Note that by only checking reachable states in the component, we are already overapproximating the reachable states in the composition.
For this proof we only analyse the case of the AND gate. For the other RFT elements, the proof follows similarly. Let v be a vertex in an RFT such that l(v) = (and, 2). We analyse f_1 against u_1 in [[(and, 2)]] (Fig. 5) and show that they are not confluent. Take the state s defined by count=1, informf=false and informu=false, which can easily be checked to be reachable. There, we find that it enables the symbolic transitions at lines 6 (with label f_1) and 14 (with label u_1). On the one hand, the transition at line 6 moves to the state where count=2, informf=true and informu=false. At this point action u_1 can only be performed through the transition at line 13, which yields the state s' defined by count=1, informf=true and informu=true. On the other hand, the transition at line 14 moves to the state where count=0, informf=false and informu=false. This state only enables f_1 at line 7, which yields the state s'' defined by count=1, informf=false and informu=false. Since s' and s'' are two different states, we have proved that f_1 and u_1 are not confluent. Similarly, we can show that the pairs (f, u_i) and (u, f_i), for i = 1, 2, are not confluent.
All other pairs are confluent. Take for instance the transitions at lines 7 and 10, which are defined for actions f_1 and f_2 respectively, and the state s defined by count=0, informf=false and informu=false. On the one hand, line 7 leads to the state where count=1, informf=false and informu=false, which in turn enables f_2 only at line 9, yielding the state s' defined by count=2, informf=true and informu=false. On the other hand, line 10 at state s moves to the state where count=1, informf=false and informu=false, which only enables f_1 at line 6, yielding the same state s'. The proof follows similarly from any other reachable state enabling f_1 and f_2, showing thus that f_1 and f_2 are confluent. In some other cases the proof of confluence follows from the fact that the pair of actions is never enabled simultaneously, as is the case, e.g., of f and u (notice that the guards enabling each of them are mutually exclusive).
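The confluence argument above can be mechanised over the counter-based gate model the text describes; this added Python (not the paper's IOSA modules) builds a K-out-of-N gate from that description, so it covers the OR gate (K=1), the AND gate of the proof (K=N=2) and the 2-out-of-3 voting gate, and checks the diamond property of Def. 5 for a pair of input actions over all reachable states. It models only the input actions f_i, u_i (not the gate's output actions f, u) and assumes, as an assumption of this example, that an input with no explicit transition acts as a self-loop (IOSA input-enabledness).

```python
from collections import deque

def make_gate(n, k):
    """Counter-based k-out-of-n gate as described in the text (AND: k=n,
    OR: k=1, voting: 1<k<n).  A state is (count, informf, informu).  Input
    f_i raises count and sets informf when count reaches k; u_i lowers count
    and sets informu when count drops from k to k-1.  The gate's own output
    actions f and u are not modelled.  An input with no explicit transition
    is taken as a self-loop (IOSA input-enabledness; assumed here)."""
    actions = [f"f{i}" for i in range(1, n + 1)] + [f"u{i}" for i in range(1, n + 1)]

    def step(state, a):
        count, informf, informu = state
        if a[0] == "f" and count < n:
            return (count + 1, informf or count + 1 == k, informu)
        if a[0] == "u" and count > 0:
            return (count - 1, informf, informu or count == k)
        return state  # self-loop: no explicit transition for a in this state
    return actions, step

def reachable(actions, step, init=(0, False, False)):
    """All states reachable from init under the input actions (BFS)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for a in actions:
            t = step(s, a)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def is_witness(step, s, a, b):
    """Non-confluence witness: a-then-b and b-then-a from s do not meet."""
    return step(step(s, a), b) != step(step(s, b), a)

def confluent(n, k, a, b):
    """Are input actions a and b confluent in every reachable gate state?"""
    actions, step = make_gate(n, k)
    return all(not is_witness(step, s, a, b) for s in reachable(actions, step))
```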
F The Spare Gate model
The Spare basic element (SBE). For an SBE element e ∈ E, its semantics is a function [[e]] : A^{7+5n} → IOSA, where [[(sbe, n, µ, ν, γ)]](fl, up, f, u, r, e, d, rq_0, asg_0, rel_0, acc_0, rj_0, ..., rq_{n−1}, asg_{n−1}, rel_{n−1}, acc_{n−1}, rj_{n−1}) results in the following pair of IOSA modules: The model for a Spare basic element consists of two IOSA modules. One of them presents the behaviour of a basic element that can be enabled and disabled, and the other module, the multiplexer, provides the means to manage the sharing of the SBE among the interested Spare Gates. In this case, we have decided to model the multiplexer with a priority policy, which prioritises lower-indexed input spare gates over higher-indexed ones (notice the assignment transitions at lines 15 and 22 of the multiplexer module). Other kinds of policies can be defined, as for repair box gates. In the model, action rq_i indicates that spare gate input i is requesting the spare. Action acc_i indicates that input i accepts the spare that has previously been assigned to it through action asg_i; on the other hand, action rj_i indicates that it rejects it. Action rel_i indicates that input i is releasing the spare that has previously been assigned to it. Finally, actions e and d enable and disable the spare basic element when needed.
The Spare Gate (SG). For a spare gate element e ∈ E with priority policy, its semantics is a function [[e]] : A^{4+7n} → IOSA, where [[(sg, n)]](f, u, fl_0, up_0, fl_1, up_1, rq_1, asg_1, acc_1, rj_1, rel_1, ..., fl_n, up_n, rq_n, asg_n, acc_n, rj_n, rel_n) results in the following IOSA:
The Spare Gate model uses a priority policy over the available Spare BEs. This means that when looking for a Spare BE, it will start by asking the lower-indexed inputs and go on with higher indices until it obtains a replacement. Other policies can be defined for the spare gate too, just as with the multiplexer and the repair box. In the SG model, a variable state distinguishes whether the SG is working with its main BE, requesting an SBE, waiting for a response from its inputs, working on an SBE, or broken. A vector named release indicates for each SBE input i when the SG has to release (value i) or accept (value −i) the assignment of that SBE. A variable idx indicates which of the inputs to request next. At line 7 the SG defines the transition that starts the SBE acquiring protocol whenever the main BE fails. The following transitions up to line 15 are there to release the acquired SBEs whenever they fail or the main BE is repaired. Transitions from lines 17 to 19 are there to request each available SBE. After doing so, we need to wait for a response from the corresponding multiplexer (state'=2). The request can be rejected (lines 29 to 32), and we proceed by asking for the next SBE by setting idx to the corresponding value if there is one, or by failing in case none of the SBEs were available (state'=4 at line 32). An SBE can be assigned to us when it is not needed anymore (lines 21 and 25), when we were expecting it in order to avoid failing (lines 22 and 26), or when we had already failed and thus get repaired by using it (lines 23 and 27). I may want to release an SBE when it is assigned to me and I do not need it (lines 34 and 38) or when it fails while I am using it (lines 35 and 39).
Finally we accept assigned SBEs at lines 41 to 43 and we signal failure at line 45 and repair at line 46. To further understand the meaning and intuition of each transition we refer the reader to the SBE description which heavily synchronizes its transitions with the SG model.
