Dynamic dependability models, such as dynamic fault trees (DFTs) and dynamic reliability block diagrams (DRBDs), are introduced to overcome the modeling limitations of traditional models. Recently, higher-order logic (HOL) formalizations of both models have been conducted, which allow the analysis of these models formally, within a theorem prover. In this report, we provide the formal dynamic dependability analysis of shuffle-exchange networks, which are multistage interconnection networks that are commonly used in multiprocessor systems. We use DFTs and DRBDs to model the terminal, broadcast and network reliability with dynamic spare gates and constructs in several generic versions. We verify generic expressions of probability of failure and reliability of these systems, which can be instantiated with any number of system components and failure rates to reason about the failure behavior of these networks.
Introduction
Dependability describes the ability of a system to provide a trusted service [1] . Dynamic dependability models, such as dynamic fault trees (DFTs) [2] and dynamic reliability block diagrams [3] , capture the dynamic failure and success dependencies, respectively, among system components, and hence are more suitable in modeling realworld systems. Recently, higher-order logic (HOL) theorem proving has been used in the formal analysis of both models algebraically [4, 5] , where generic expressions are formally verified that are independent of the failure distributions of system components. This ensures the soundness of the analysis, which is suitable for safety-critical systems. In this report, we use both formalizations in conducting the dynamic dependability analysis of the interconnection network of multiprocessor systems.
With the ongoing demands for intensive processing applications, multiprocessor systems represent one of the solutions that satisfies such demand. Nowadays, such systems are feasible due to their reduced cost and thus it is possible to have systems of hundreds of processors. Multiprocessor systems allow parallel computing, where tasks are executed in parallel with the possibility of interacting with one another when required. This parallel execution highly impacts the overall system performance, such as throughput. However, memory and I/O peripheral resources are shared among processors and thus an efficient data routing among system nodes is necessary to maintain high system performance, reliability and low cost. This is of a great importance, particularly with scientific applications, where a huge number of processors are used, i.e., large-scale multiprocessor systems [6] . Therefore, a dedicated interconnection network is used to connect processors and memory modules, as depicted in Figure 1 [6] . The complexity of interconnection networks ranges from simple networks, such as time-shared bus to crossbar switching. The former has a negative impact on the system performance, while the latter has much higher cost as there exists a separate link between each pair of nodes in the systems. For example, for a system of N nodes, i.e., N inputs and N outputs, it is required to have N 2 links or switching elements between each input and output.
Multistage interconnection networks (MINs) are introduced to reduce the number of required switching elements and hence, reduce the cost while providing better performance than shared-bus networks. The main idea of MINs is to have multiple small stages of crossbar switches that are connected between sources (inputs) and destinations (outputs), which results in a much reduced number of used switching elements. The number of paths available between each input and output determines the category of the MIN. A single-path MIN has only one path to route information between each source-destination pair. A shuffle-exchange network (SEN) is an example of such type of networks. Each stage has log 2 N switching elements, where N is the number of inputs and outputs of the network. Usually the switching elements are of size 2 × 2 to reduce the cost. The number of stages required to establish the single-path MIN is N log 2 N , which is lower than crossbar networks. An 8 × 8 SEN is shown in Figure 2 , where only a single path is available for each input-output pair. However, the reliability of single-path MINs and SENs depends on the switching elements and thus a fault in any of these switches cannot be tolerated. Enhancing the reliability of MINs is of great importance in order to maintain high system performance. Therefore, redundant switching elements are used to ensure that the network is able to provide the required switching even after the failure of some of these elements [7, 8] . Multiple-path MINs are used to increase the fault tolerance and hence the network reliability. SEN+ is a SEN, where an additional stage is added to provide two paths between each input-output pair, as shown in Figure 3 . However, even with the additional path, the failure of some switches can lead to the failure of the connection in some situations. Spare parts have been used in [9] to replace switches after failure. However, the analysis was not conducted formally to ensure its correctness.
Studying the reliability of SENs has been an active research area [10] [11] [12] [13] . The reliability of MINs are commonly analyzed using simulation or analytically. For example, in [14] , Monte Carlo simulation is used to analyze the reliability of SENs. However, as mentioned previously, simulation cannot provide accurate results due to its sampling based nature. Although CTMCs can analytically solve the reliability of MINs [15] , they cannot be used with large-scale systems since the state space grows exponentially with the increase in the number of system components. On the other hand, when the complexity of the network increases, reliability bounds provides estimate values for the MIN reliability [16, 17] . RBDs have been also used in the analysis of MINs with single and multiple paths. For example, in [18] , the reliability of SEN, SEN+ and SEN+2 (a SEN with two additional stages) is modeled using traditional RBDs. Generic expressions of success rates of the switching elements are provided analytically assuming that all these elements have the same failure rates. However, these generic expressions are not formally verified , which may raise questions about its accuracy. Furthermore, dynamic dependencies among system components, like warm spares, are not considered or modeled.
Based on the previous discussion, accurate modeling and analysis of these networks is necessary to capture the dynamic behavior as this will provide the design engineers with some measures that can help enhancing the performance of the entire multiprocessor system. To the best of our knowledge, dynamic dependability analysis using formal methods has not been used with MINs. Therefore, we propose to add spare switches to replace the critical ones after failure and conduct the analysis of MINs, particularly SENs using our formal dependability framework. Since the reliability of MINs affects the performance of the overall multiprocessor system, it is required to accurately model and analyze their reliability. In this work, we use both DRBDs and DFTs to model the dynamic reliability of these networks, particularly SEN and SEN+, and conduct the analysis using our framework. In this work, we formally verify the terminal, broadcast and network reliability of SEN and SEN+ in HOL and provide generic expressions of reliability and probability of failure. It is worth noting that the formalization provided in this work uses the HOL theories (libraries) of DFT and DRBD, which have been developed in [4, 5, 19] and can be accessed from [20, 21] .
Terminal Reliability Analysis of Shuffle-exchange Networks
The terminal reliability is the reliability of the connection between a given source and destination, i.e., the probability of having a reliable connection between one sourcedestination pair. We analyze the terminal reliability of the SEN and SEN+ using both DFT and DRBD models.
DFT Analysis of SEN and SEN+
We model the sources of failure of both SEN and SEN+ using DFTs. We use n-ary gates, which enable verifying expressions of the probability of failure for generic number of system components. Figure 4 shows the DFT model of the SEN system. Since SENs are single path MINs, the failure of any of the switches in the path between a given source and destination leads to losing the connection. Therefore, adding spare parts will lower the probability of failure. For illustration purposes, we use a spare part to replace the main switch Y after failure. The DFT consists of an n-ary OR gate, which means that the failure of any of the switches, interrupts the connection between the source and the destination.
Figure 4: DFT of SEN
Since the top event is an n-ary OR gate, we need first to verify that the DFT event of the n-ary OR is equal to the union of the individual events, as:
∀ p X t s. FINITE s ⇒ (DFT event p (n OR (MAP X (SET TO LIST s))) t = i∈s {rv to devent p X t i}) where s is a set of numbers that has the indices of the system components. X is a group of random variables that represent the time-to-failure of the switches in the system. We need to recall that n OR accepts a list of random variables as an argument. Therefore, we create this list using MAP X (SET TO LIST s). rv to devent, in Theorem 2.1, is similar to the rv to event of the DRBD, but it creates DFT events. It is defined as:
This way, we can use this function to create a group of DFT events for a set of indexed random variables. Then, we verify the probability of the n-ary OR gate in a way similar to the probability of the DRBD parallel structure, which is defined as the union of events.
In Theorem 2.2, it is required that the set of indices, s, to be nonempty and to be finite, which is a realistic condition as in any system the number of components is finite. The last condition of Theorem 2.3, ensures that the random variables of X are greater than or equal to 0 and not equal to +∞, which is required to be able to use the CDF of the random variable as given in [19] .
We express the structure function of the DFT of SEN as:
We notice that the structure of the DFT is defined using the indices in {0} ∪ L. 0 is the index of the spare gate and L has the indices of the rest of the switches in the system.
Finally, we verify the probability of failure of this top event as:
where DISJOINT {0} L ensures that the indices of the elements are unique. While FINITE L ∧ L = {} ascertain that set L, which has the indices, is finite and not empty. Finally, the independence of the events is added using indep sets. Theorem 2.3 can be further rewritten based on the probability of the spare gate [19] . However, the required conditions of the latter should be satisfied, such as the continuity of the distributions. Since we need a group of indexed sets in indep sets, we define a function event set that accepts a list of pairs each of which is composed of a DFT event with its index. This function also accepts the remaining blocks of the DFT that have their indices embedded in a set (that can be generic of any size).
In SEN+, an additional path is added to increase the redundancy in the system. Therefore, for the connection between a given source and a destination to be broken, it is required that these two paths must be disconnected. The DFT of the SEN+ is shown in Figure 5 , where two spares are added to replace the main switches Y and Z after failure. Switch Y is the input switch connected to the source and switch Z is connected to the destination. This DFT is composed of three levels of OR of AND of OR gates. Therefore, in order to verify the probability of the top event, we need first to verify that the DFT event of the n-ary AND gate is equal to the intersection of the input events. We formally verify this in HOL as:
Then, we verify the probability of failure of the top event of the AND gate as:
The first three conditions are needed to be able to use Theorem 2.4, while indep sets ensures the independence of the events.
We use Theorems 2.2 and 2.5 to verify the probability of OR of AND of OR, which is required for the probability of the top event. We express the top event of the DFT of 
where {0; 1; 2} indicates that the OR gate has three inputs with indices 0 for the first spare, 1 for the AND of ORs, and 2 for the second spare. L1 and L2 has the indices of the switches in the two redundant paths (for the two lower ORs). The DFT top event can be expressed using union and intersection of events, which can be quite useful in reusing the existing theorems of probability of union of intersections and intersection of unions. We verify this relationship as:
Finally, we verify the probability of failure of Q dSEN+ :
where SEN set req ensures the required conditions of the input sets including that the sets are finite and nonempty. It also ensures the independence of the input events over the probability space. We also define ind set that accepts a list of sets and returns a group of indexed sets. This is required to be able to create the hierarchy of the DFT using sets.
In order to use the above generic probability of failure expressions on a concrete instance of SEN+, we evaluate in MATLAB [22] the probability of failure of the terminal connection of a 128 × 128 SEN+, where each OR gate of the first level of Figure 5 has 6 inputs. We assume that the failure rate of each switching element is 1 × 10 −5 . We evaluate the probability of failure for the SEN+ system without and with spare parts with a dormancy factor of 0.1, as shown in Figure 6 . This result shows that considering the spares in the analysis leads to having more reliable and realistic system than the traditional FTs.
DRBD Analysis of SEN and SEN+
For SENs (single-path MIN), the terminal reliability is modeled as a series RBD. For illustration purposes, we use a spare part to replace the first input switch, and thus Figure 7 , where Y is the main switch that will be replaced by Y s after failure and the series structure has m + 1 elements.
Figure 7: DRBD of SEN
Using the proposed DRBD algebra in [5] , we express the structure function of the SEN DRBD as:
where X is a group of indexed time-to-failure functions that represent the blocks of the series structure and L is a set with their indices. L can be instantiated with any group of numbers, which makes this function generic to represent the reliability model of any SEN with any size. Then, we verify that the DRBD event of Q SEN can be represented using the series parallel structures as:
where DISJOINT ensures that all sets are disjoint. We use event set and ind set to create the events, similar to the DFTs. Since we are dealing with a series structure, we only need to specify the heirarchy of the architecture in one direction using {0} ∪ L. We verify Theorem 2.8 using the relationship between nR AND and DRBD series verified in [5] and some set-related theorems. Based on Theorem 2.8, we verify a generic expression for the reliability of the SEN system:
In a similar manner, the SEN+ is modeled as a series-parallel-series structure. To further enhance the reliability, we use spare constructs as shown in Figure 8 , where Y and Z are the main single switches that are connected to the source and destination with their spares Y s and Zs, respectively. The parallel structure in the middle represents the reliability model of the two alternative paths between the source and the destination. Therefore, this DRBD consists of a series of two spare constructs and one parallel structure that consists of two series structures. 
Thus, the outer series structure is expressed using the nR AND operator over the set {0; 1; 2} as this structure has three different structures; i.e., two spare constructs and one parallel structure. In order to re-utilize the verified expressions of reliability, it is required to express this DRBD using the series and parallel structures. Therefore, we verify that the DRBD event of the Q SEN+ is equal to a nested series-parallel-series structure as: where disjoint family on (ind set [{0; 3}; L1; L2]) {0;1;2} ensures that the sets {0; 3}, L1 and L2 are disjoint, i.e., each switch has a unique index. Since we are dealing with a series-parallel-series structure, we need three sets to identify the hierarchy of this nested structure. Set {0; 1; 2} in Theorem 2.10 indicates that the outer series structure has three elements, i.e., three parallel structures. ind set [{0}; {1;2}; {3}] indicates that the first parallel structure has only one series structure with index 0, the second parallel structure has two series structures with indices 1 and 2, and the third parallel structure has only one series structure with index 3. Finally, ind set [{0}; L1; L2; {3}] implies that the first series structure has only one element with index 0, the second and third series structures have an arbitrary number of blocks indexed by L1 and L2. The last series structure has one element with index 3. We verify Theorem 2.10 using the relationship between the event of nR AND and the DRBD series and the equivalence of the event of the OR with the union of events besides some set-related theorems.
Based on Theorem 2.10, we verify a generic expression for the reliability of the SEN+ system: (1 -Normal ( l∈L1 (real (Rel p (X l) t)))) * (1 -Normal ( l∈L2 (real (Rel p (X l) t))))))
where SEN set req is the same function that we use with DFTs. We first rewrite the goal using Theorem 2.10, then we use the reliability of the series-parallel-series to verify the final expression. The reliability of the spare constructs can be further rewritten using the probability of the spare construct verified in [5] given that the required conditions are ensured, such as the continuity of the CDFs. It can be noticed that the DRBD and the DFT models possess the same hierarchy represented by the sets of indices, which makes it easy to be used when going from one model to the other. Similar to the DFT analysis, we evaluate the terminal reliability of a 128 × 128 SEN+, where each inner series structure of Figure 8 has 6 blocks. We assume that the failure rate of each switching element is 1 × 10 −5 . We evaluate the reliability for the SEN+ system without and with spare parts with a dormancy factor of 0.1, as shown in Figure 9 . The broadcast reliability represents the probability of having a working connection between one source and all destinations. This is required when one of the processors in the system needs to transmit information to all destinations in the network. We present in this section, the broadcast reliability of the SEN and SEN+ using both DFT and DRBD models.
DFT Analysis of SEN and SEN+
Since in SENs there exists a single path between each source and destination, it is required to have a successful transmission through all these paths for a proper broadcast. Therefore, the DFT can be modeled using an OR gate. We further lower the probability of failure by adding an additional spare gate, as shown in Figure 4 . However, the number of DFT inputs, which represent the switches, varies between the terminal and broadcast reliability models. For example, consider an 8 × 8 SEN. The number of inputs for the terminal DFT is 3, i.e., log 2 8, while the broadcast DFT requires seven inputs, i.e., log 2 8 i=1 ( 8 2 i ) [18] . Therefore, we can also use Theorem 2.3 for the broadcast, since this theorem is verified for any number of system blocks with their indices in the set s . This highlights the importance of having generic verified expressions for any number of system blocks, which enables the re-utilization of the theorems in different contexts.
The DFT model of the broadcast SEN+ is shown in Figure 10 . Its top event is modeled using an OR gate that is connected to a spare gate for the input switch, AND of OR to model the two alternative paths and finally, the rest of the destination switches in order to have a proper broadcast transmission.
We formally express the structure function of the top event as:
Q dSEN+ Broadcast = n OR (MAP (λi. if i = 0 then WSP Y Ys a Ys d else if i = 1 then (n OR (MAP X (SET TO LIST L1))) · (n OR (MAP X (SET TO LIST L2))) else (n OR (MAP X (SET TO LIST L3)))) (SET TO LIST {0; 1; 2}))
The hierarchy of the DFT is divided using the sets of indices. We need to recall that MAP X (SET TO LIST L1), MAP X (SET TO LIST L2) and MAP X (SET TO LIST L3) are used to create the lists of the group of random variables for the n-ary gates. L1 and L2 has the indices of the switches in the two alternative paths, i.e., the inputs of the two lower OR gates in the DFT of Figure 10 , while L3 has the indices of the remaining inputs of the top OR gate. The set {0; 1; 2} indicates that the top OR gate has three inputs, which is similar to the terminal DFT model. (1 -i∈L1 (real (1 -F Xi (t)))) * (1 -i∈L2 (real (1 -F Xi (t))))) * Normal ( i∈L3 (real (1 -F Xi (t))))))
where SEN broad set req ascertains the conditions required for the sets such as finiteness. It also ensures the independence of the events. Figure 11 shows the evaluation results of the probability of failure of the DFT of Figure 10 for a 128 × 128 SEN+. This SEN+ has 63 inputs for each first level OR gate and the top level OR gate has 66 inputs. As with the terminal SEN+, we assume that the failure rate of each switching element is 1 × 10 −5 with a dormancy factor of 0.1. 
DRBD Analysis of SEN and SEN+
Similar to the DFT SEN broadcast model, we can use the model in Figure 7 . However, as mentioned previously, the number of the blocks is different. Therefore, we can also use Theorem 2.9 for the broadcast reliability, since this theorem is verified for any number of system blocks using set s. Figure 12 . The first block (with the spare) represents the input switch that is connected directly to the source. The failure of this switch will interrupt the broadcast transmission. Therefore, we add a spare part to replace it after failure. The series structure on the right side of the figure models the switches of all destinations, as they are all receiving the transmission. Finally, the parallel-series structure in the middle, represents the two alternative paths that are available for each broadcast transmission. For example, for the SEN+ shown in Figure 3 , the number of switches connected to the destinations are four, while each one of the alternative paths has three switches.
In order to formally verify the reliability of the broadcast of the SEN+, we first express it using our operators as: 
where L1 and L2 are the sets that have the indices of the inner series structures of the parallel-series structure in the middle. The set {0; 1; 2} indicates that the outer series structure consists of three main components. The first spare construct has index 0, while the parallel-series structure has index 1. Finally, the series structure on the left side of Figure 12 has index 2, and L3 has the indices of the blocks in this series structure. We verify the reliability of this DRBD as: (rv to event p X t)) ⇒ (prob p (DRBD event p Q SEN+ Broadcast t) = Rel p (R WSP Y Ys a Ys d ) t * Normal ( i∈L3 (real (Rel p (X l) t))) * (1 -(1 -Normal ( l∈L1 (real (Rel p (X l) t)))) * (1 -Normal ( l∈L2 (real (Rel p (X l) t))))))
We evaluate the broadcast reliability, in Figure 13 , of a 128 × 128 SEN+, where each inner series structure of Figure 12 has 63 blocks and the series structure on the right hand side of the figure has 64 blocks. We use the same failure rates of 1 × 10 −5 for each switching element with a dormancy factor of 0.1.
Network Reliability Analysis of Shuffle-exchange Networks
According to [18] , the network reliability of SENs can be defined as the reliability of all connections between sources (inputs) and destinations (outputs). In other words, we are looking at the reliability of the overall network. This is usually modeled using RBDs. In this section, we use both DFT and DRBD models in different scenarios to model the reliability of the network.
DFT Analysis of SEN and SEN+
In the SEN, it is required that all switching elements must work properly in order to maintain a successful behavior of the network. Thus, the system fails with the failure Figure 13 : Broadcast Reliability of a 128 × 128 SEN+ of any of the switching elements. The behavior can be further enhanced by using spares. The DFT of the SEN network can be modeled as in Figure 4 . However, to further enhance the system reliability, the reliability engineer may suggest to use more spares to replace the switching elements. Therefore, we present a generic model, where the number of switching elements that have spares is generic, as shown in Figure 14 .
This model can be also used with both the terminal and broadcast models, when more spares are required.
Figure 14: DFT of SEN Network with Multiple Spares
The top event of the DFT of Figure 14 can be expressed using the DFT operators as:
We verify the probability of failure of the top event in a similar way to Theorem 2.3, as:
where Y, Ys a and Ys d are groups of indexed random variables that represent the main and spare switches. Theorem 4.1 provides a generic scenario for the SEN, where L1 and L2 can be instantiated with any number of distinct indices that represent the system switches, with and without spares.
The DFT model of the SEN+ network is shown in Figure 15 . It consists of a spare gate for one of the switches in the input stage. The rest of the input switches (X 1,0 -X 1,r ) are connected directly to the n-OR gate of the top event. Therefore, the failure of any of these switches leads to the failure of the network. The series of ANDs and ANDs of ORs are used to model the two available paths. Finally, all destination switches (X 4,0 -X 4,k ) are required to function and thus they are all connected to the output OR gate. This DFT is composed of three levels; OR of ANDs of ORs, and thus we can use the theorems of union of intersections of unions to verify its probability of failure if the sets of indices are handled properly.
We first express the top event using the DFT operators as: L1) ) else if i = 3 then (n OR (MAP X (SET TO LIST L2))) · (n OR (MAP X (SET TO LIST L3))) else if i = 4 then n OR (MAP X (SET TO LIST L4)) else (X (2 * i)) · (X (2 * i + 1))) (SET TO LIST ({0; 1; 3; 4} ∪ L))) (8) where the spare gate is assigned index 0. The second group of switches has index 1, while the indices of these switches, X 1,0 -X 1,r , are in set L1. They are represented as n OR (MAP X (SET TO LIST L1). The output of the AND of ORs is assigned index 3 and is modeled as (n OR (MAP X (SET TO LIST L2))) · (n OR (MAP X (SET TO LIST L3))), which is similar to both the terminal and broadcast models. The group of switches, X 4,0 -X 4,k , has index 4 and is represented using n OR (MAP X (SET TO LIST L4)). Thus, we have the indices {0; 1; 3; 4} for the outer groups in the DFT. However, the last part of the DFT, which is the series of ANDs in the middle of Figure 15 , has a generic number of AND gates and cannot be assigned a specific index. Therefore, we use set L to get a unique index for the output of each AND gate. We use this unique number to create the indices of the inputs of each AND gate. For example, for an index j in set L, we create two indices for the inputs of the AND gate as (2*j) and (2*j+1). This is modeled as (X (2 * i)) · (X (2 * i + 1))) and set L is used with the set of indices in the outer level as (SET TO LIST ({0; 1; 3; 4} ∪ L)). It is important to highlight that the indices of the individual inputs should be unique.
We then verify that the DFT event of Q dSEN Network is equal to the union of intersection of union of events as in the following theorem: Figure 15 , where the OR gates have indices 2 and 3. We use an empty set ({}) in the indices of the second level due to the fact that there is no index 2 in the outer level, and thus we assigned an empty set in the second level for this index.
We verify the probability of failure of Q dSEN Network as: (rv to devent p X t)) ∧
where SEN network set req ensures all the required conditions for the sets to be finite, nonempty and distinct. It also ensures the independence of the input events. It accepts all the sets of the indices of the three levels. The second condition (rv gt0 ninfinity [X i]) ascertains that each element in the group of random variables of X that have their indices in L1 ∪ L2 ∪ L3 ∪ L4 ∪ {2 * i | i ∈ L} ∪ {2 * i + 1 | i ∈ L} are greater than or equal to 0 but not equal +∞. This condition is required to be able to use the CDF of the random variables.
Figure 16: DFT of SEN+ with Multiple Spares
In a similar manner to the SEN network, we provide a generic model where any number of spares can be used for the input switches. The modified DFT is shown in Figure 16 . We express the top event using the DFT operators as:
else if i = 1 then (n OR (MAP X (SET TO LIST L1))) else if i = 3 then (n OR (MAP X (SET TO LIST L2))) · (n OR (MAP X (SET TO LIST L3))) else if i = 4 then n OR (MAP X (SET TO LIST L4)) else (X (2 * i)) · (X (2 * i + 1))) (SET TO LIST ({0; 1; 3; 4} UNION L))) (9) where Y, Ys a and Ys d are indexed random variables that represent the main and spare parts for each spare gate. We choose to use the same hierarchy of Figure 15 , where we assign index 0 for the first spare and the rest of the spares have their indices in set L1. In addition, the model of these additional spares is embedded within X as will be explained shortly.
We verify the probability of failure of the top event as:
(real (1 -prob p (DFT event p (WSP (Y l) (Ys a l) (Ys d l)) t))) * (1 -(1 -Normal ( l∈L2 (real (1 -F Xl (t))))) * (1 -Normal ( l∈L3 (real (1 -F Xl (t)))))) * Normal ( l∈L4 (real (1 -F Xl (t)))) * Normal ( j∈L (1 -real (F X2*j (t) * F X2*j+1 (t)))))
where the conditions are similar to Theorem 4.3. However, we add the condition that (∀ i. i ∈ L1 ⇒ (X i = WSP (Y i) (Ys a i) (Ys d i)), which adds the additional spare gates. This way, we can use Theorem 4.3 to verify Theorem 4.4. Set {0} ∪ L1 is used to provide the indices of the spares, including the first one with index 0.
We evaluate the probability of failure of the network DFT, shown in Figure 16 , for a 128 × 128 SEN+. The DFT of this SEN has 32 AND gates in the first level. Each OR gate in the first level has 160 inputs. Furthermore, we assume that all the 64 input switches have spares. Figure 21 shows the evaluated result of the probability of failure, where the failure rates of each switching element is 1 × 10 −5 with a dormancy factor of 0.1. 
DRBD Analysis of SEN and SEN+
Similar to the DFT models, we start first with the network reliability model of the SEN. Since it is a single path, it can be modeled using the series DRBD of Figure 7 . Thus, we can use Theorem 2.9 to provide a generic expression for its reliability. We provide a generic model in Figure 18 , where additional spares are used. This provides a general case where we can choose how many switches can be replaced with spares.
We express the structure function of this DRBD using our DRBD operators as:
where L1 and L2 provide the indices of the blocks in the series structure for the spare constructs and the remaining blocks, respectively. Similar to the proof steps of Theorem 2.11, we verify the reliability of the SEN network as:
then DRBD event p (R WSP (Y i) (Ys a i) (Ys d i)) t else (rv to event p X t) i}) (L1 ∪ L2)⇒ (prob p (DRBD event p Q SEN Network t) = Normal ( i∈L1 (real (Rel p (R WSP (Y i) (Ys a i) (Ys d i)) t))) * Normal ( i∈L2 (real (Rel p (X i) t))))
The DRBD of the SEN+ network is modeled in Figure 19 , where only one of the switches of the input stage can be replaced by a spare. This DRBD is composed of a series-parallel-series structure. The indices of each level can be treated in a similar manner to the DFT.
We express the structure function using the operators with the same sets of indices of the DFT as: 
Then, we verify that the DRBD event of this structure can be expressed as a seriesparallel-series structure as: (rv to event p X t)) ⇒ (prob p (DRBD event p (Q SEN Network ) t) = Rel p (R WSP Y Ys a Ys d ) t * Normal ( l∈L1 (real (Rel p (X l) t))) * (1 -(1 -Normal ( l∈L2 (real (Rel p (X l) t)))) * (1 -Normal ( l∈L3 (real (Rel p (X l) t))))) * Normal ( l∈L4 (real (Rel p (X l) t))) * Normal ( j∈L (1real ((1 -Rel p (X (2 * j)) t) * (1 -Rel p (X (2 * j + 1)) t)))))
It is worth mentioning that the conditions of the sets are similar to Theorem 4.3 of the DFT.
Finally, we provide a generic model to have any number of spares that can replace the input switches as shown in Figure 20 . We choose to use the same indices of Figure 19 in order to reutilize the verified theorems.
We express the structure of the DRBD of Figure 20 as: 
where (Y 0), (Ys a 0) and (Ys d 0) are indexed groups of random variables that represent the main parts and their spares.
Finally, we use Theorem 4.7 to verify the reliability of this DRBD as:
(real (Rel p (R WSP (Y l) (Ys a l) (Ys d l)) t))) *
(1 -(1 -Normal ( l∈L2 (real (Rel p (X l) t)))) * (1 -Normal ( l∈L3 (real (Rel p (X l) t))))) * Normal ( l∈L4 (real (Rel p (X l) t))) * Normal ( j∈L (1real ((1 -Rel p (X (2 * j)) t) * (1 -Rel p (X (2 * j + 1)) t)))))
We evaluate the network reliability of a 128 × 128 as shown in Figure 20 . In Figure 20 , there are 32 parallel structures that are connected in series. The DRBD has 64 spare constructs, while there are 160 blocks in the inner series structures. Finally, the series structure on the right hand side of Figure 20 has 64 blocks. We assume that the failure rates of each switching element is 1 × 10 −5 with a dormancy factor of 0.1. 
Equivalence of SEN DFT and DRBD Models
In [23] , we proposed a methodology for where a DFT model can be formally analyzed using the DRBD algebra and vice versa. To illustrate the utilization of the proposed methodology, we formally verify the equivalence of the DRBD and the complement of the DFT events for both terminal and broadcast reliability of SEN and SEN+. The equivalence of the network models can be conducted in a similar manner. Proving this equivalence allows verifying the probability of one model and directly use the equivalence proof to provide the probability of the other model.
We verify the equivalence of the DRBD and DFT models of the terminal reliability of both SEN and SEN+ as: if i = 0 then WSP Y Ys a Ys d else if i = 1 then (n OR (MAP X (SET TO LIST L1))) · (n OR (MAP X (SET TO LIST L2))) else (n OR (MAP X (SET TO LIST L3)))) ({0; 1 2}))) t)
It is worth mentioning that Theorem 5.1 can be used for the equivalence of the DRBD-DFT models of the SEN in both the terminal and broadcast since they both share the same structure.
Based on these theorems, we can use one model to verify the probability of the other model using the probability of the complement.
Conclusion
In this report, we presented the formal dynamic dependability analysis of SEN and SEN+ MINs that form a critical part in the routing process of multiprocessor systems. We provided generic expressions of reliability and probability of failure that are independent of the failure distributions. Furthermore, we verified these expressions for an arbitrary number of system blocks that can be instantiated later to a certain number without the need to repeat the verification process. For instance, we evaluated the reliability and probability of failure using MATLAB for a specific number of system components based on these generic expressions. It is worth mentioning that such sound generic results cannot be obtained using simulation or model checking as the state space should be defined in advance. The proof script of the verification of SEN and SEN+ is available at [24] and it took around 80 hours to be developed.
