The Conversion of Dynamic Fault Trees to Stochastic Petri Nets, as a case of Graph Transformation
Daniele Codetta-Raiteri 1,2
Dipartimento di Informatica
Università di Torino
Torino, Italy
Abstract
A model-to-model transformation from Dynamic Fault Trees to Stochastic Petri Nets, by means of graph transformation rules, is presented in this paper. Dynamic Fault Trees (DFT) are used for the reliability analysis of complex and large systems and represent, by means of gates, how combinations or sequences of component failure events lead to the failure of the system. DFTs need the state space solution, which can be obtained by converting a DFT to a Stochastic Petri Net: this task is expressed by means of graph transformation rules and is applied to an example system.
Keywords: Dynamic Fault Tree, Stochastic Petri Net, Reliability.
1 Introduction
One of the measures used to quantify the dependability of safety-critical or mission-critical systems is the reliability R(t) [9]. The reliability of a system as a function of the time t is the probability that the system performs the required function in the interval (0, t). The unreliability of the system, U(t), is instead the probability that the system is failed at time t, equal to 1 − R(t). The construction of models is the typical way to evaluate the (un)reliability or other dependability measures.
1 The work of D. Codetta-Raiteri is partially supported by MIUR under grant FIRB PERF RBNE019N8N.
2 Email: codetta@di.unito.it
Electronic Notes in Theoretical Computer Science 127 (2005) 45–60
1571-0661 © 2005 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.02.005
Open access under CC BY-NC-ND license.
The Fault Tree (FT) [8] is a widespread stochastic model for the unreliability analysis of complex and large systems; a FT represents, by means of boolean gates (logic ports), how combinations of component failure events can determine the failure of subsystems or of the whole system.
In the standard version of this model, component failure events are assumed to be statistically independent; this assumption makes it easy to compute the unreliability of the system with the combinatorial method [8], but it also limits the modelling power of FTs. One of the FT evolutions proposed in the literature is the Dynamic Fault Tree (DFT) [5] (section 2). The combinatorial solution used for FTs is not sufficient for DFTs, where dependencies can be present among events or component states. DFTs need the state space solution: this means generating all the possible system states and the stochastic transitions between them; in other words, we need to obtain the Continuous Time Markov Chain (CTMC) [9] of the system.
Efficient techniques to generate the CTMC from a Generalized Stochastic Petri Net (GSPN) [1] (section 5) are already available and are implemented in several tools, such as GreatSPN [4]. So, one way to perform the state space solution of a DFT consists of converting the DFT into the equivalent GSPN; the CTMC can then be generated from the GSPN, and the unreliability of the system is computed on the CTMC.
The conversion of DFTs into GSPNs can be classified as a model-to-model transformation; such a conversion can be expressed by means of graph transformation rules [6] (section 6) and is motivated by the implementation of a software tool (section 4) for DFT analysis that uses the GSPN solver already available in GreatSPN.
2 DFT definition
Despite its name, a DFT is a bipartite directed acyclic graph (DAG), even if it looks very similar to a tree from a graphical point of view; an example of DFT is reported in Fig. 3. The nodes can be failure events or gates: failure events are indicated by rectangles and are equivalent to boolean variables whose value is initially false and turns to true when the failure event occurs; gates are connected to events by means of arcs and have several input events and a unique output event, connected respectively below and above the gate.
The DFT arcs always respect a circuit logic orientation: from the input events to the gate, and from the gate to its output event. For this reason, their orientation is not graphically shown.
The events indicated by rectangles with a circle are called basic events and correspond to the failure events of the physical components of the system; the occurrence time of such an event is a random variable ruled by a probability distribution, typically a negative exponential distribution whose parameter λ is the component failure rate.
The internal events, indicated by white rectangles, model the failures of subsystems and are the output of a gate. An internal event occurs when a particular combination of the input events of its gate occurs: the type of combination is determined by the type of gate.
While basic events cannot be the output of any gate, there is a unique event called top event (indicated by a black rectangle) that can only be the output of gates; the top event represents the failure of the whole system.
A DFT differs from a tree graph in that an event node may belong to several subtrees, i.e. an event may be the input of several gates.
A DFT can contain both boolean and dynamic gates. Boolean gates were introduced in standard FTs and model boolean conditions; they are:
• AND (Fig. 1.a): given a set of n (n ≥ 2) input events X1, . . . , Xn and an output event Y, Y is failed (true) if every input event is failed (true).
• OR (Fig. 1.b): given a set of n (n ≥ 2) input events X1, . . . , Xn and an output event Y, Y is failed if at least one input event is failed.
• k OUT OF n (Fig. 1.c): given a set of n (n ≥ 3) input events X1, . . . , Xn and an output event Y, Y is failed if at least k (1 < k < n) input events are failed (k must be specified).
Dynamic gates [5] were introduced in the DFT formalism and model functional or temporal dependencies among failure events or component states; the dynamic gates are:
• Functional Dependency Gate (FDEP) (Fig. 1.d): given a trigger event T, a set of m (m ≥ 1) dependent input events D1, . . . , Dm, and an output event Y, D1, . . . , Dm are forced to fail when T fails; Y fails when T fails.
• Priority And (PAND) (Fig. 1.e): given a set of n (n ≥ 2) input events X1, . . . , Xn and an output event Y, Y gets failed if every input event is failed and X1, . . . , Xn failed in a specific temporal order (graphically, from left to right).
• Sequence Enforcing Gate (SEQ) (Fig. 1.f): given a set of n (n ≥ 2) input events X1, . . . , Xn and an output event Y, X1, . . . , Xn are forced to fail in a specific order (graphically, from left to right); Y fails when Xn fails. In this paper, we assume that this gate can have only basic input events.
• Warm Spare Gate (WSP) (Fig. 1.g): this gate models the presence of a main component (M) and a spare component (S). S is initially in the dormant state (stand-by); when M fails, S turns from the dormant state to the working state, replacing M in its function. A spare can fail both during the dormant and during the working state, but its failure rate depends on its current state: in the working state its failure rate is λ, while in the dormant state its failure rate is αλ, where α is the dormancy factor (0 < α < 1). If Y is the output of this gate, Y fails when both M and S are failed. In this paper, we assume that a main component can be replaced by only one spare, and that S cannot be the input of another gate. Moreover, we graphically represent the basic event relative to a spare using a bold symbol (Fig. 1.g), in order to distinguish it from the other basic events.
[Figure 1: the gate symbols AND, OR, k OUT OF n (inputs X1, X2, X3, . . ., output Y), FDEP (trigger T, dependent events D1, . . ., output Y), PAND, SEQ (inputs X1, X2, . . ., output Y) and WSP (main M, spare S, output Y); image not reproduced in this text.]
Fig. 1. Boolean (a, b, c) and dynamic (d, e, f, g) gates.
3 The case of the multiprocessor system
Let us consider the case of a multiprocessor computing system; its scheme is shown in Fig. 2. The system is composed of three computing devices (C1, C2, C3), two hard disks (primary and backup), and one bus connecting all the components together; every computing device is composed of one processor and one memory.
The disks are shared among the computing devices: they store their data on the primary disk, while the task of periodically updating the backup (spare) disk is assigned to the device C3. The data stored on the backup disk is not accessed while the primary disk is not failed; during this period, the backup disk is used only for the update operations, so we can assume that its failure rate is lower than the failure rate of the primary disk.
If the primary disk fails, it is replaced by the backup disk; from this moment, the computing devices access the backup disk to read or write data, so the failure rate of the backup disk becomes equal to the failure rate of the primary one.
[Figure 2: computing devices C1, C2, C3 (each with PROCi and MEMi), PRIMARY DISK and BACKUP DISK, all attached to the BUS; image not reproduced in this text.]
Fig. 2. The scheme of the multiprocessor computing system.
3.1 DFT model of the system failure
Fig. 3 shows the DFT for this system, modelling all the possible ways leading to the system failure. The "root" of the DFT is TE, representing the failure of the whole system; TE is the output of an OR gate, so it happens if at least one of these events occurs: COMP, BUS, UPDATE, DATA.
The event COMP represents the failure of all the computing devices; COMP is the output of an AND gate whose input events are C1, C2, C3, each of them corresponding to the failure of a computing device. In the case of C1, its failure occurs if its processor or its memory fails, so the event C1 is the output of an OR gate connected to the basic events PROC1 and MEM1, modelling the failure of such basic components. The subtrees below C2 and C3 have the same structure as the subtree below C1.
The basic event BUS is another direct cause of TE: if the bus fails, the connection among the components is no longer possible, preventing the system from working.
The system fails also if the event UPDATE occurs; such an event means that the backup disk update has not been performed recently. The event UPDATE is the output of a PAND gate whose input events are C3 and PRIMARY, so UPDATE occurs if both C3 and PRIMARY have occurred, and C3 occurred before PRIMARY. This means that at the moment of the failure of the primary disk and of its consequent replacement by the backup disk, the latter is not correctly updated, because C3 failed before the primary disk and did not update the backup disk recently.
The whole system fails also if the data are not available on any disk; this is represented by the event DATA, which is the output of a WSP gate whose input events are PRIMARY and BACKUP, modelling the failure of the primary and of the backup disk respectively. The WSP gate models the fact that the backup disk is the spare of the primary one, with the consequent reduction of the failure rate of the backup disk while it is not accessed for reading or writing data (dormant state).
[Figure 3: TE = OR(COMP, BUS, UPDATE, DATA); COMP = AND(C1, C2, C3); Ci = OR(PROCi, MEMi); UPDATE = PAND(C3, PRIMARY); DATA = WSP(PRIMARY, BACKUP); image not reproduced in this text.]
Fig. 3. The DFT model for the multiprocessor computing system.
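The failure-order reasoning of this section (C3 failing before PRIMARY makes UPDATE occur, while PRIMARY failing first does not, so that only a later BACKUP failure brings TE down through DATA) can be checked mechanically. The Python script below is an added example, not code from the paper or from its DFT2GSPN tool: it encodes the gate semantics of section 2 as an evaluator that fails the basic events in a given order and propagates the consequences through the gates. The dictionary MULTIPROCESSOR_DFT is a transcription of Fig. 3; DEMO_DFT, the encoding of KOFN, FDEP and SEQ, and the convention that inputs failing in the same instant respect a PAND order are assumptions of the example. Failure rates play no role here, since only the order of events is examined; the rate reduction of a dormant spare shows up only in the GSPN conversion of section 6.

```python
# Added example (not the paper's tool): the gate semantics of section 2 evaluated
# over one ordering of basic-event failures. A DFT is a dict:
#   output event -> (gate kind, ordered input events[, k])
# Basic events are the inputs that are the output of no gate.

# Transcription of the DFT in Fig. 3 (constructed from the figure).
MULTIPROCESSOR_DFT = {
    "TE":     ("OR",   ["COMP", "BUS", "UPDATE", "DATA"]),
    "COMP":   ("AND",  ["C1", "C2", "C3"]),
    "C1":     ("OR",   ["PROC1", "MEM1"]),
    "C2":     ("OR",   ["PROC2", "MEM2"]),
    "C3":     ("OR",   ["PROC3", "MEM3"]),
    "UPDATE": ("PAND", ["C3", "PRIMARY"]),      # C3 must fail before PRIMARY
    "DATA":   ("WSP",  ["PRIMARY", "BACKUP"]),  # main disk, spare disk
}

# Small constructed DFT exercising the gate types Fig. 3 does not use.
DEMO_DFT = {
    "KN": ("KOFN", ["A", "B", "C"], 2),   # 2 out of 3
    "FD": ("FDEP", ["T", "A", "B"]),      # trigger T forces A and B to fail
    "SQ": ("SEQ",  ["D", "E"]),           # D must fail before E
}


def evaluate(dft, order):
    """Fail the basic events in `order` (step i is the instant of the i-th failure)
    and return {event: step} for every event that has failed by the end.
    Events caused in the same step share its index; for PAND an input failing in
    the same instant as its predecessor counts as respecting the order (assumption
    of this example, consistent with pand2 not firing once X1_dn is marked)."""
    failed_at = {}
    for step, basic in enumerate(order):
        if basic in failed_at:
            raise ValueError(f"{basic} cannot fail twice")
        # A SEQ gate forbids an input from failing before its predecessor.
        for out, (kind, inputs, *_) in dft.items():
            if kind == "SEQ" and basic in inputs:
                i = inputs.index(basic)
                if i > 0 and inputs[i - 1] not in failed_at:
                    raise ValueError(f"SEQ {out}: {basic} cannot fail before {inputs[i - 1]}")
        failed_at[basic] = step
        _propagate(dft, failed_at, step)
    return failed_at


def _propagate(dft, failed_at, step):
    """Let every gate whose condition now holds mark its output (and, for FDEP,
    its dependent events), repeating until nothing changes."""
    changed = True
    while changed:
        changed = False
        for out, (kind, inputs, *param) in dft.items():
            if out in failed_at:
                continue
            if kind == "FDEP":
                trigger, dependents = inputs[0], inputs[1:]
                if trigger in failed_at:
                    for d in dependents:
                        failed_at.setdefault(d, step)  # forced, unless already failed
                    failed_at[out] = step
                    changed = True
                continue
            down = [x for x in inputs if x in failed_at]
            if kind in ("AND", "WSP"):            # WSP: main and spare both failed
                fires = len(down) == len(inputs)
            elif kind == "OR":
                fires = bool(down)
            elif kind == "KOFN":
                fires = len(down) >= param[0]
            elif kind == "PAND":
                fires = len(down) == len(inputs) and all(
                    failed_at[a] <= failed_at[b] for a, b in zip(inputs, inputs[1:]))
            elif kind == "SEQ":                   # order already enforced in evaluate()
                fires = inputs[-1] in failed_at
            else:
                raise ValueError(f"unknown gate type {kind}")
            if fires:
                failed_at[out] = step
                changed = True


def system_fails(dft, order, top="TE"):
    """Step at which the top event fails, or None if the order leaves it standing."""
    return evaluate(dft, order).get(top)


if __name__ == "__main__":
    # C3 down before the primary disk: the backup is stale, UPDATE fails (PAND).
    print(evaluate(MULTIPROCESSOR_DFT, ["PROC3", "PRIMARY"]))
    # Primary disk first: no UPDATE; only a later BACKUP failure (WSP) brings TE down.
    print(evaluate(MULTIPROCESSOR_DFT, ["PRIMARY", "PROC3", "BACKUP"]))
```

With the order PROC3, PRIMARY the evaluator reports UPDATE and TE failed at step 1; with PRIMARY, PROC3 the PAND condition never holds, and TE only fails when BACKUP is added as a third failure, through DATA.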
4 Tool architecture
Fig. 4 shows the architecture of the tool we implemented for the DFT analysis. The DFT is drawn by means of the graphic tool DrawNET [7], which can be adapted to draw any kind of model, in this case the DFT. DrawNET generates an XML file describing the structure of the DFT, together with the time t; such a file is passed to DFT2GSPN, the converter from DFT to GSPN.
Fig. 4. Tool architecture.
This converter implements, in an ad hoc way, the model-to-model transformation described in this paper; its input is the XML representation of the DFT, while its output is the equivalent GSPN expressed in the formalism used by GreatSPN (a text file).
The GSPN returned by the converter is passed to the GSPN solver of GreatSPN, which performs its state space analysis and returns the probability at time t of the system failure state. Such a measure is the unreliability of the system, and is graphically displayed by DrawNET.
5 Some notions on GSPNs
This section describes the elements of the GSPN formalism that are used in the transformation rules of section 6. More information on GSPNs can be found in [1].
The elements of a GSPN are places, immediate transitions, timed transitions, oriented arcs and inhibitor arcs. Places (graphically represented by circles) can contain tokens, while transitions are enabled to fire when a certain net marking (number of tokens inside each place) holds. Immediate transitions (black rectangles, not to be confused with the DFT top event) fire as soon as they are enabled, while timed transitions (white rectangles, not to be confused with DFT internal events) fire after a random period of time, a random variable ruled by a negative exponential distribution whose parameter is the firing rate of the transition.
Oriented arcs are used to move tokens when a transition fires, while inhibitor arcs connect a place to a transition in order to disable the firing of the transition while the place is not empty. Inhibitor arcs end with a small circle. A cardinality can be assigned to an arc in order to set the number of tokens to be moved, or the number of tokens necessary to disable the firing of a transition.
The first step of the analysis of a GSPN consists of generating the reachability graph, i.e. all the possible GSPN markings due to transition firings. From the reachability graph, the corresponding CTMC can be obtained and analyzed.
6 The conversion from DFT to GSPN
This section provides a set of transformation rules allowing the conversion of DFTs into GSPNs.
The starting graph is a DFT and, at each step of the conversion process, a transformation rule is applied with the effect of replacing a DFT node with the equivalent GSPN elements. So, during the conversion steps, the graph has a hybrid form, containing both DFT and GSPN elements. At the end of the conversion process, when every DFT node has been replaced, we obtain a "pure" GSPN semantically equivalent to the initial DFT.
The transformation rules are in the form r = (L, K, R) [6], where L is the left hand side of the rule, K is the interface graph (a common subgraph of L and R), and R is the right hand side of the rule.
Assuming that the current source graph is G, the application of a rule follows these steps:
1. find an occurrence of L in G;
2. if found, remove L − K from G, obtaining the graph D;
3. glue R into D via K, obtaining the target graph H.
There is a correspondence between the DFT and the GSPN elements:
- generic event ⇔ place
- not occurred event ⇔ empty place
- occurred event ⇔ marked place
- basic event occurrence ⇔ timed transition firing
- gate ⇔ set of immediate transitions
Such equivalences are exploited in the transformation rules.
In DFTs, the number of gates an event can be the input of is at least one, whereas a minimum number of input events is defined for each type of gate; at the same time, such quantities have no upper limit. For this reason, in our transformation rules some nodes or arcs may be dashed; this means that such elements can be present in the graph any number of times, zero included. For instance, in the rule in Fig. 5.a relative to a basic event, two generic gates are present: one of them is drawn using a solid line, meaning that a basic event is surely the input of one gate; the other one is dashed, meaning that a basic event may also be the input of more gates. In general, the transformation of an occurrence of dashed nodes or arcs in the left hand side of a rule is still indicated by dashed elements in the right hand side.
Actually, the presence of dashed parts in a rule is equivalent to having an infinite number of rules for the same DFT node; for instance, in the case of the basic event (Fig. 5.a), we would have a rule for each possible number of gates the basic event may be the input of. Such an inconvenience could be avoided by fixing an upper limit for such a quantity, or by formulating the rules in recursive form. However, we chose the form with dashed parts because it allows the reader to see directly, in the right hand side of the rule, the complete subnet corresponding to the DFT node present in the left hand side. This is useful to show the semantic equivalence between a DFT node and its conversion to GSPN elements.
Events transformation
Fig. 5.a shows the transformation rule for a basic event. Such an event is the failure of a component of the system, and occurs after a random period of time. So, a basic event BE, input of any number of gates (left hand side of the rule in Fig. 5.a), is converted into the timed transition BE_fail, modelling the occurrence of the component failure, and into the place BE_dn (dn is the abbreviation of "down", i.e. failed), modelling the state of the component (right hand side of the rule in Fig. 5.a). The firing rate of the transition BE_fail is the failure rate of the component (λBE); when such a transition fires, it puts one token inside the place BE_dn, meaning that the failure of the component has occurred. The firing of BE_fail is not repeatable. The place BE_dn is connected to the same gate(s) the event BE was the input of.
If we have a basic event connected to a WSP gate to represent the presence of a spare component, we must not apply the rule in Fig. 5.a, but the rule in Fig. 5.b. If S is such a basic event, it must be converted into a subnet modelling both the failure in the dormant and in the working state. Such a subnet is composed of three places (S_OFF, S_ON, S_dn) modelling the states of a spare, and two timed transitions (S_OFF_fail, S_ON_fail) modelling the failure occurrence with respect to the current state: the transition S_OFF_fail is enabled if S_OFF is marked (the spare is dormant), while S_ON_fail is enabled if S_ON is marked (the spare is working); the effect of the firing of either transition is the marking of the place S_dn (the spare is failed). S_OFF is initially marked because the spare is initially dormant. If λS is the failure rate and αS is the dormancy factor of the spare, the firing rate of S_OFF_fail is αSλS, while the firing rate of S_ON_fail is λS.
An internal event E is always the output of one gate, and the input of one or more gates (left hand side of the rule in Fig. 5.c). So, E is converted into the place E_dn, connected to the same gates (right hand side of the rule in Fig. 5.c). Also in the rule in Fig. 5.c, we have a dashed gate to cope with the fact that an internal event is the input of at least one gate.
The top event TE can only be the output of a gate, so it is converted into the place TE_dn, connected to the same gate (Fig. 5.d).
AND gate transformation
The AND gate (Fig. 6.a) is transformed into a single immediate transition. Each of the places corresponding to the gate input events (X1_dn, X2_dn, . . .) is connected to the immediate transition by a pair of oriented arcs. So, such a transition fires when X1_dn, X2_dn, . . . are all marked; in other words, it fires when all the input events have occurred; as an effect of the firing, one token appears in the place corresponding to the output event of the gate (Y_dn). The token inside the places X1_dn, X2_dn, . . . is not removed because, in the DFT, an event may be the input of several gates, so in the GSPN the corresponding place may enable several transitions if it is marked.
In the rule in Fig. 6.a, three places are present: one of them is dashed to indicate that an AND gate may have more than two input events.
[Figure 5: rules (L, K, R) for the basic event BE (BE_fail with rate λBE, BE_dn), the spare S (S_OFF, S_ON, S_dn, S_OFF_fail with rate αSλS, S_ON_fail with rate λS), the internal event E (E_dn) and the top event TE (TE_dn); image not reproduced in this text.]
Fig. 5. Transformation rules for the events: basic event (a), spare (b), internal event (c), top event (d).
[Figure 6: rules (L, K, R) for the AND gate (transition and), the OR gate (transitions or1, or2, . . .) and the k OUT OF n gate (places X1_c, X2_c, X3_c, . . ., Y_count; transition k_out_of_n with arc cardinality k); image not reproduced in this text.]
Fig. 6. Transformation rules for the boolean gates: AND (a), OR (b), k OUT OF n (c).
OR gate transformation
The OR gate is transformed into a set of immediate transitions (Fig. 6.b): for each place corresponding to an input event (X1_dn, X2_dn, . . .), a transition is created; the transition or1, for instance, puts a token inside the place corresponding to the output of the gate (Y_dn) as soon as X1_dn becomes marked. So, a token appears in Y_dn as soon as one of the places X1_dn, X2_dn, . . . becomes marked; in other words, when one of the input events occurs.
k OUT OF n gate transformation
This gate is replaced by a net (Fig. 6.c) whose purpose is counting the number of occurred input events. A transition is created for each place corresponding to a gate input event (X1_dn, X2_dn, . . .); such a transition fires when the relative place becomes marked, and puts one token inside the place Y_count. The aim of such a place is counting the number of occurred input events. When Y_count contains k tokens (k is the parameter of the gate), a specific immediate transition called k_out_of_n puts one token inside Y_dn, which corresponds to the output event of the gate.
FDEP gate transformation
For the place corresponding to the output event of a FDEP gate (Y_dn), and for each place corresponding to a dependent event (D1_dn, . . .), an immediate transition is created. Such transitions fire as soon as the place T_dn (modelling the occurrence of the trigger event) becomes marked, with the effect of putting one token inside Y_dn, D1_dn, . . ., unless these places are already marked (the dependent events may have already occurred for another cause).
PAND gate transformation
The net replacing this gate (Fig. 7.b) must verify that the specified order of the input events is respected: for every pair of adjacent places corresponding to the gate input events, an immediate transition is created. If we consider X1_dn and X2_dn, the transition pand2 fires if X2_dn becomes marked while X1_dn is empty, in other words if the event X2 occurs before X1. One token appears in the place Y_ok after the firing of pand2, meaning that the specified order has not been respected. In general, when an input event occurs, we verify whether its predecessor in the specified failure order has already occurred or not. When all X1_dn, X2_dn, . . . are marked, and only if the place Y_ok is not marked, one token appears in the place Y_dn by means of the immediate transition pand1.
[Figure 7: rules (L, K, R) for FDEP (T_dn, D1_dn, . . ., Y_dn), PAND (X1_dn, X2_dn, . . ., Y_ok, Y_dn; transitions pand1, pand2), SEQ (X1_fail, X2_fail, . . ., X1_dn, X2_dn, . . ., Y_dn; transition seq) and WSP (M_dn, S_OFF, S_ON, S_dn, S_OFF_fail, S_ON_fail, Y_dn; transitions wsp1, wsp2); image not reproduced in this text.]
Fig. 7. Transformation rules for the dynamic gates: FDEP (a), PAND (b), SEQ (c), WSP (d).
SEQ gate transformation
We assume that this gate can be connected only to basic events, so after the application of the transformation rule for the basic events (Fig. 5.a), the SEQ gate is connected to several subnets (left hand side of Fig. 7.c); each of them is composed of a place and a timed transition, corresponding to a basic event. This gate forces the input events to occur in a specified order, so the effect of the relative transformation rule is the addition of a pair of oriented arcs connecting the timed transition relative to a basic event with the place relative to the previous basic event in the order. If we consider the timed transition X2_fail, it can fire only after the appearance of one token in the place X1_dn. In this way, the event X2 can occur only after X1. The place Y_dn, corresponding to the output event of the gate, becomes marked by means of the immediate transition seq when the last basic event occurs.
WSP gate transformation
The transformation rule for the WSP gate is shown in Fig. 7.d; in the left hand side of the rule, the failure of the spare in both the dormant and the working state is already modelled, as an effect of the application of the rule in Fig. 5.b. In the right hand side of Fig. 7.d, the gate is replaced by two immediate transitions, wsp1 and wsp2; the aim of the first one is turning the spare from dormant to working when the place M_dn becomes marked (the main component fails); this is possible only if S_OFF is marked (the spare is dormant, not already failed). If this transition can fire, it moves the token from S_OFF to S_ON, enabling the firing of the timed transition S_ON_fail created previously. The place Y_dn gets marked by means of the transition wsp2, when both M_dn and S_dn are marked.
6.1 Discussion on the transformation correctness
So far, we have discussed, for each transformation rule, the semantic equivalence between the DFT element on the left hand side of the rule and the subnet replacing such an element in the right hand side. This section provides some considerations about the correctness of the whole conversion process.
Initially the graph is a DFT; the only transformation rules we can apply to it are those relative to the conversion of the events. The conversion of an event (basic, internal or top event) is not influenced by the type of gate the event is connected to (as input or output), except in the case of a basic event which is relative to a spare component and is the second input of a WSP gate. For this case, a specific rule has been defined (Fig. 5.b).
The transformation rule for the conversion of any kind of gate is enabled as soon as all the input events and the output event of the gate have been converted into places.
Several rules may be enabled at the same time: the order of application is not relevant to the effect of the transformation. In other words, the result of the conversion process is unique: the left hand side of each rule is not included in the left hand side of any other rule. So, for each subgraph composed of a DFT node and all the elements connected to it, there is only one transformation rule matching such a subgraph. Moreover, the effect of a rule is the removal of a single DFT node and its substitution with the semantically equivalent subnet, which will not be modified by the application of other transformation rules.
Each rule is applied a number of times equal to the number of occurrences of the relative DFT node in the initial graph. Since a DFT is composed of a finite number of nodes, the conversion process will end after a finite number of transformation steps, equal to the number of nodes in the initial DFT.
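To make the rules of this section concrete, here is a converter, added as an example and not the DFT2GSPN tool of section 4, that applies them in the order section 6.1 prescribes: every event becomes a place (basic events also get their timed transition, spares the three-place subnet of Fig. 5.b), and then each gate becomes its set of immediate transitions. The net is kept in plain Python dictionaries; the DFT of Fig. 3 and the rates of Fig. 9 are transcribed from the paper, while the following are assumptions of the example: transition names are prefixed with the gate's output event (the paper reuses or1, or2, . . . across gates), every output place gets an inhibitor arc back to the transitions that mark it (the paper states this only for FDEP), and the k OUT OF n counter uses one initially marked place X_c per input so that each input is counted once.

```python
# Added example, not the DFT2GSPN converter of the paper: the rules of section 6
# applied in the order of section 6.1 (events first, then gates). Arcs are stored
# as {place: cardinality}; a test arc (read without consuming) is an arc in both
# directions. Every output place gets an inhibitor arc back to the transitions that
# mark it, so each *_dn place holds at most one token (stated in the paper for FDEP
# only; assumed here for every gate). Transition names carry the gate's output event
# as prefix because the paper reuses or1, or2, ... across gates.


class GSPN:
    def __init__(self):
        self.places = {}        # place -> initial number of tokens
        self.transitions = {}   # name -> {"kind", "rate", "in", "out", "inhib"}

    def place(self, name, tokens=0):
        self.places.setdefault(name, tokens)

    def add(self, name, kind, rate=None, test=(), inp=(), out=(), inhib=()):
        t = {"kind": kind, "rate": rate, "in": dict.fromkeys(inp, 1),
             "out": dict.fromkeys(out, 1), "inhib": dict.fromkeys(inhib, 1)}
        for p in test:
            t["in"][p] = t["out"][p] = 1
        self.transitions[name] = t
        return t


def dft_to_gspn(dft, rates, spares):
    """dft: output event -> (gate kind, ordered input events[, k]);
    rates: basic event -> failure rate; spares: spare basic event -> dormancy factor."""
    net = GSPN()
    outputs = set(dft)
    events = outputs | {x for _kind, ins, *_ in dft.values() for x in ins}
    # Rules of Fig. 5: every event becomes a place; a basic event also gets its
    # timed transition (Fig. 5.a), a spare the three-place subnet of Fig. 5.b.
    for e in events:
        net.place(e + "_dn")
        if e in outputs:                      # internal or top event: place only
            continue
        if e in spares:
            net.place(e + "_OFF", 1)          # initially dormant
            net.place(e + "_ON")
            net.add(e + "_OFF_fail", "timed", spares[e] * rates[e], inp=[e + "_OFF"], out=[e + "_dn"])
            net.add(e + "_ON_fail", "timed", rates[e], inp=[e + "_ON"], out=[e + "_dn"])
        else:                                 # BE_fail fires once (inhibited by BE_dn)
            net.add(e + "_fail", "timed", rates[e], out=[e + "_dn"], inhib=[e + "_dn"])
    # Rules of Figs. 6 and 7: every gate becomes a set of immediate transitions.
    for y, (kind, ins, *param) in dft.items():
        Y, dn = y + "_dn", [x + "_dn" for x in ins]
        if kind == "AND":
            net.add(y + "_and", "immediate", test=dn, out=[Y], inhib=[Y])
        elif kind == "OR":
            for i, p in enumerate(dn, 1):
                net.add(f"{y}_or{i}", "immediate", test=[p], out=[Y], inhib=[Y])
        elif kind == "KOFN":                  # count each input once into Y_count
            net.place(y + "_count")
            for x, p in zip(ins, dn):
                net.place(x + "_c", 1)
                net.add(f"{y}_c_{x}", "immediate", test=[p], inp=[x + "_c"], out=[y + "_count"])
            t = net.add(y + "_k_out_of_n", "immediate", inp=[y + "_count"], out=[Y], inhib=[Y])
            t["in"][y + "_count"] = param[0]  # arc cardinality k
        elif kind == "FDEP":                  # the trigger marks Y_dn and every D_dn
            for i, p in enumerate([Y] + dn[1:]):
                net.add(f"{y}_fdep{i}", "immediate", test=[dn[0]], out=[p], inhib=[p])
        elif kind == "PAND":
            net.place(y + "_ok")              # marked when the order is violated
            for i in range(1, len(dn)):       # X(i+1) down while Xi is still up
                net.add(f"{y}_pand{i + 1}", "immediate", test=[dn[i]],
                        inhib=[dn[i - 1], y + "_ok"], out=[y + "_ok"])
            net.add(y + "_pand1", "immediate", test=dn, inhib=[y + "_ok", Y], out=[Y])
        elif kind == "SEQ":                   # X_fail needs its predecessor's token
            for prev, x in zip(dn, ins[1:]):
                net.transitions[x + "_fail"]["in"][prev] = 1
                net.transitions[x + "_fail"]["out"][prev] = 1
            net.add(y + "_seq", "immediate", test=[dn[-1]], out=[Y], inhib=[Y])
        elif kind == "WSP":
            m, s = ins
            net.add(y + "_wsp1", "immediate", test=[m + "_dn"], inp=[s + "_OFF"], out=[s + "_ON"])
            net.add(y + "_wsp2", "immediate", test=[m + "_dn", s + "_dn"], out=[Y], inhib=[Y])
        else:
            raise ValueError(f"unknown gate type {kind}")
    return net


def summary(net):
    """(number of places, timed transitions, immediate transitions)."""
    kinds = [t["kind"] for t in net.transitions.values()]
    return len(net.places), kinds.count("timed"), kinds.count("immediate")


# Transcription of the DFT in Fig. 3 and of the rates in the caption of Fig. 9.
MULTIPROCESSOR = {
    "TE": ("OR", ["COMP", "BUS", "UPDATE", "DATA"]),
    "COMP": ("AND", ["C1", "C2", "C3"]),
    "C1": ("OR", ["PROC1", "MEM1"]),
    "C2": ("OR", ["PROC2", "MEM2"]),
    "C3": ("OR", ["PROC3", "MEM3"]),
    "UPDATE": ("PAND", ["C3", "PRIMARY"]),
    "DATA": ("WSP", ["PRIMARY", "BACKUP"]),
}
RATES = {"PROC1": 5e-5, "PROC2": 5e-5, "PROC3": 5e-5, "MEM1": 3e-6, "MEM2": 3e-6,
         "MEM3": 3e-6, "PRIMARY": 8e-4, "BACKUP": 8e-4, "BUS": 1e-6}   # h^-1
SPARES = {"BACKUP": 0.1}                                                 # dormancy factor

# Constructed DFT with the gate types Fig. 3 does not use.
DEMO = {"TOP": ("OR", ["KN", "FD", "SQ"]), "KN": ("KOFN", ["A", "B", "C"], 2),
        "FD": ("FDEP", ["T", "A"]), "SQ": ("SEQ", ["D", "E"])}
DEMO_RATES = dict.fromkeys("ABCDET", 1e-3)

if __name__ == "__main__":
    print(summary(dft_to_gspn(MULTIPROCESSOR, RATES, SPARES)))   # (19, 10, 15), see Fig. 8
```

For the DFT of Fig. 3, summary() returns (19, 10, 15): the 16 *_dn places plus BACKUP_OFF, BACKUP_ON and UPDATE_ok, the 10 timed transitions, and the 15 immediate transitions (four for TE, one for COMP, two for each Ci, pand1 and pand2, wsp1 and wsp2), which is exactly the set of elements visible in Fig. 8.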
7 Unreliability evaluation on the GSPN
Fig. 8 shows the GSPN obtained by applying our transformation rules to the DFT in Fig. 3. The unreliability of the system at time t is equal to the probability of the presence, at time t, of one token inside the place TE_dn, equivalent to the top event TE in the DFT; such a measure can be computed by the GSPN solver. Fig. 9 shows the unreliability of the multiprocessor computing system as a function of the time, varying from 0 to 5000 hours.
In a similar way, we can compute the unreliability of a single component or subsystem; for instance, the unreliability at time t of the subsystem composed of the computing devices is the probability that the place COMP_dn contains one token at time t.
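Sections 5 and 7 delegate the reachability graph, the CTMC and the transient probability to the GreatSPN solver. The Python script below, an added example that is neither the paper's nor GreatSPN's code, performs those three steps on a small net so that the result can be checked against a closed form: the net is the disk subsystem of Fig. 3 after the rules of Fig. 5.a, Fig. 5.b and Fig. 7.d, written out by hand as constructed input with the disk rate and dormancy factor from the caption of Fig. 9. Tangible markings are obtained by firing enabled immediate transitions to a fixpoint (the example assumes, as holds for this net, that immediate transitions never conflict), and the transient solution uses uniformization, a choice of this example since the paper does not say which method the solver applies. The analytic unreliability of one main component with one warm spare is included for the check.

```python
import math

# Added example, not the paper's or GreatSPN's code: reachability graph -> CTMC ->
# transient probability, the analysis chain of sections 5 and 7, on a hand-built net.
# A transition is (name, kind, rate, consumed, produced, inhibitors); a test arc is
# a place listed both in `consumed` and in `produced`. All arcs have cardinality 1.

LAMBDA_DISK, ALPHA = 8e-4, 0.1   # h^-1 and dormancy factor, from the caption of Fig. 9

# Constructed input: the disk subsystem of Fig. 3 converted by hand with the rules
# of Fig. 5.a (PRIMARY), Fig. 5.b (BACKUP as spare) and Fig. 7.d (WSP gate).
DISK_NET = {
    "places": {"PRIMARY_dn": 0, "BACKUP_OFF": 1, "BACKUP_ON": 0,
               "BACKUP_dn": 0, "DATA_dn": 0},
    "transitions": [
        ("PRIMARY_fail", "timed", LAMBDA_DISK, [], ["PRIMARY_dn"], ["PRIMARY_dn"]),
        ("BACKUP_OFF_fail", "timed", ALPHA * LAMBDA_DISK, ["BACKUP_OFF"], ["BACKUP_dn"], []),
        ("BACKUP_ON_fail", "timed", LAMBDA_DISK, ["BACKUP_ON"], ["BACKUP_dn"], []),
        # wsp1: main disk down while the spare is dormant -> the spare starts working
        ("wsp1", "immediate", None, ["PRIMARY_dn", "BACKUP_OFF"], ["PRIMARY_dn", "BACKUP_ON"], []),
        # wsp2: main and spare both down -> DATA fails (the inhibitor keeps it to one token)
        ("wsp2", "immediate", None, ["PRIMARY_dn", "BACKUP_dn"],
         ["PRIMARY_dn", "BACKUP_dn", "DATA_dn"], ["DATA_dn"]),
    ],
}


def enabled(marking, t):
    _, _, _, consumed, _, inhibitors = t
    return all(marking[p] >= 1 for p in consumed) and all(marking[p] == 0 for p in inhibitors)


def fire(marking, t):
    _, _, _, consumed, produced, _ = t
    new = dict(marking)
    for p in consumed:
        new[p] -= 1
    for p in produced:
        new[p] += 1
    return new


def tangible(net, marking):
    """Fire enabled immediate transitions until none is left, so that only tangible
    markings become CTMC states. Assumes immediate transitions never conflict
    (true for this net); a full solver would weigh conflicting ones."""
    while True:
        imm = [t for t in net["transitions"] if t[1] == "immediate" and enabled(marking, t)]
        if not imm:
            return marking
        marking = fire(marking, imm[0])


def reachability_ctmc(net):
    """Return (states, rates): the tangible markings and, for each state index i,
    the dict {j: rate} of the CTMC (section 5)."""
    key = lambda m: tuple(sorted(m.items()))
    start = tangible(net, dict(net["places"]))
    states, index, rates = [start], {key(start): 0}, {}
    todo = [start]
    while todo:
        m = todo.pop()
        i = index[key(m)]
        rates[i] = {}
        for t in net["transitions"]:
            if t[1] == "timed" and enabled(m, t):
                n = tangible(net, fire(m, t))
                k = key(n)
                if k not in index:
                    index[k] = len(states)
                    states.append(n)
                    todo.append(n)
                j = index[k]
                rates[i][j] = rates[i].get(j, 0.0) + t[2]
    return states, rates


def transient(states, rates, t, terms=200):
    """Uniformization: pi(t) = sum_k e^{-Lt} (Lt)^k / k! * pi(0) P^k, where P is
    the DTMC obtained from the generator with uniformization rate L."""
    n = len(states)
    L = max(sum(r.values()) for r in rates.values())
    P = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j, r in rates[i].items():
            P[i][j] += r / L
        P[i][i] += 1.0 - sum(rates[i].values()) / L
    pi = [1.0] + [0.0] * (n - 1)           # the initial marking is state 0
    result = [0.0] * n
    weight = math.exp(-L * t)
    for k in range(terms):
        for i in range(n):
            result[i] += weight * pi[i]
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        weight *= L * t / (k + 1)
    return result


def unreliability(net, place, t):
    """Probability at time t of a token in `place` (section 7: TE_dn for the system)."""
    states, rates = reachability_ctmc(net)
    return sum(p for m, p in zip(states, transient(states, rates, t)) if m[place] >= 1)


def warm_spare_closed_form(lam, alpha, t):
    """Analytic unreliability of one main component (rate lam) with one warm spare
    (rate alpha*lam while dormant, lam while working), to check the numerical result."""
    return (1.0 - math.exp(-(1 + alpha) * lam * t)
            - (1.0 + 1.0 / alpha) * math.exp(-lam * t) * (1.0 - math.exp(-alpha * lam * t)))


if __name__ == "__main__":
    for hours in (1000, 2500, 5000):
        print(hours, unreliability(DISK_NET, "DATA_dn", hours),
              warm_spare_closed_form(LAMBDA_DISK, ALPHA, hours))
```

The reachability graph of this net has four tangible markings (both disks up; primary down and backup working; backup down while dormant; both down, where DATA_dn is marked), and the transient probability of the last one agrees with the closed form to machine precision. The same functions applied to the full net of Fig. 8 with place TE_dn would reproduce the curve of Fig. 9.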
8 Further work on DFTs
In this paper, the model-to-model conversion from DFTs to GSPNs is realized by means of graph transformation rules; the work is motivated by two reasons: the state space solution of DFTs, and the implementation of a tool for DFT analysis exploiting the GSPN solver. However, the state space analysis may be computationally expensive, since the number of states grows exponentially with the number of components. For this reason, a modular approach is preferable; it consists in the use of both the combinatorial and the state space solution: instead of analyzing the whole DFT in the state space, independent subtrees (modules) are analyzed in isolation. If a module contains one or more dynamic gates, the state space solution is used; otherwise, the less expensive combinatorial solution is used. In this way, the state space size is reduced.
Another way to reduce the state space size consists in modelling the redundancies or the symmetries in the system using the parametric form: in the Dynamic Parametric Fault Tree (DPFT) [2] formalism, subtrees with the same structure can be folded into a unique parametric subtree. DPFT dynamic modules can be converted into Stochastic Well-formed colored Nets (SWN) [3] instead of GSPNs. From a SWN, a symbolic state space can be generated instead of the ordinary one, with a reduction of the state space size and consequently of the computational costs; such a reduction is proportional to the degree of symmetry or redundancy in the DPFT model. Our tool has been extended in order to analyze DPFTs using both the modular approach and the conversion of dynamic modules into SWNs [2].
[Figure 8: the GSPN of Fig. 3 with places TE_dn, COMP_dn, C1_dn, C2_dn, C3_dn, PROC1_dn, MEM1_dn, PROC2_dn, MEM2_dn, PROC3_dn, MEM3_dn, BUS_dn, PRIMARY_dn, BACKUP_OFF, BACKUP_ON, BACKUP_dn, DATA_dn, UPDATE_dn, UPDATE_ok; timed transitions PROC1_fail, MEM1_fail, PROC2_fail, MEM2_fail, PROC3_fail, MEM3_fail, BUS_fail, PRIMARY_fail, BACKUP_OFF_fail, BACKUP_ON_fail; immediate transitions or1, or2, or3, or4, and, or1 and or2 (once for each of C1, C2, C3), pand1, pand2, wsp1, wsp2; image not reproduced in this text.]
Fig. 8. The GSPN corresponding to the DFT in Fig. 3.
Fig. 9. System unreliability vs time. These are the component failure rates: λPROC = 5.0E−05 h^−1, λMEM = 3.0E−06 h^−1, λDISK = 8.0E−04 h^−1, λBUS = 1.0E−06 h^−1. The backup disk dormancy factor is 0.1. [Plot not reproduced in this text.]
References
[1] Ajmone-Marsan, M., G. Balbo, G. Conte, S. Donatelli and G. Franceschinis, "Modelling with Generalized Stochastic Petri Nets," Wiley Series in Parallel Computing, 1995.
[2] Bobbio, A. and D. Codetta-Raiteri, Parametric Fault-trees with Dynamic Gates and Repair Boxes, in: Proceedings of the Annual Reliability and Maintainability Symposium, Los Angeles, January 2004, pp. 459–465.
[3] Chiola, G., C. Dutheillet, G. Franceschinis and S. Haddad, Stochastic Well-Formed Colored Nets and Symmetric Modeling Applications, IEEE Transactions on Computers 42 (1993), pp. 1343–1360.
[4] Chiola, G., G. Franceschinis, R. Gaeta and M. Ribaudo, GreatSPN 1.7: Graphical Editor and Analyzer for Timed and Stochastic Petri Nets, Performance Evaluation 24 (1995), pp. 47–68.
[5] Dugan, J. B., S. J. Bavuso and M. A. Boyd, Dynamic Fault-Tree Models for Fault-tolerant Computer Systems, IEEE Transactions on Reliability 41 (1992), pp. 363–377.
[6] Ehrig, H. and J. Padberg, Graph Grammars and Petri Net Transformation, in: J. Desel, W. Reisig and G. Rozenberg (eds.), Lectures on Concurrency and Petri Nets, LNCS 3098, Springer, 2004, pp. 496–536.
[7] Franceschinis, G., M. Gribaudo, M. Iacono, N. Mazzocca and V. Vittorini, DrawNET++: Model objects to support performance analysis and simulation of systems, in: Computer Performance Evaluation / TOOLS, LNCS 2324 (2002), pp. 233–238.
[8] Schneeweiss, W. G., "The Fault Tree Method," LiLoLe Verlag, 1999.
[9] Trivedi, K. S., "Probability and Statistics with Reliability, Queuing and Computer Science Applications," Wiley and Sons, 2001.