Dynamic fault trees (DFTs) have emerged as an important tool for capturing the dynamic behavior of system failure. These DFTs are then analyzed qualitatively and quantitatively using stochastic or algebraic methods to judge the failure characteristics of the given system in terms of the failures of its subcomponents. Model checking has recently been proposed to conduct the failure analysis of systems using DFTs, with the motivation of providing a rigorous failure analysis of safety-critical systems. However, model checking has not been used for the qualitative analysis of DFTs, and the reduction algorithms used in model checking are usually not formally verified. Moreover, the analysis time grows exponentially with the number of states. These issues limit the usefulness of model checking for analyzing complex systems used in safety-critical domains, where the accuracy and completeness of the analysis matter the most. To overcome these limitations, we propose a comprehensive methodology to perform the qualitative and quantitative analysis of DFTs using an integration of theorem proving and model checking based approaches. For this purpose, we formalized all the basic dynamic fault tree gates in higher-order logic based on the algebraic approach and formally verified some of their simplification properties. This formalization allows us to formally verify the equivalence between the original and reduced DFTs using a theorem prover, and to conduct the qualitative analysis. We then use model checking to perform the quantitative analysis of the formally verified reduced DFT. We applied our methodology to five benchmarks, and the results show that the formally verified reduced DFT was analyzed using model checking with up to six times fewer states and up to 133000 times faster.
Introduction
A fault tree (FT) [1] is a graphical representation of the causes of failure of a system, where the system failure is usually represented as the top event of the fault tree. FTs can be categorized as static fault trees (SFTs) and dynamic fault trees (DFTs) [1]. In an SFT, the structure function (expression) of the top event describes the failure relationship between the basic events of the tree using FT gates, like AND and OR, without considering the sequence in which these events fail. DFTs, on the other hand, model the failure behavior of the system using dynamic FT gates, like the spare gate, which capture the dependent behavior of the basic events, along with the static gates. DFTs therefore provide a more realistic representation of systems. For example, the spare DFT gate can model the failure of the car tires and their spares, which cannot be modeled using the SFT gates. Fault Tree Analysis (FTA) [1] has become an essential part of the safety-critical system design process, where the causes of failure and their probabilities should be considered at an early stage. There are two main phases of FTA, the qualitative analysis and the quantitative analysis [2]. In the qualitative analysis, the cut sets and cut sequences are determined, which, respectively, represent the combinations and the sequences of basic events of the DFT that cause a system failure [1]. The quantitative analysis provides numeric results, such as the probability of failure of the top event and the mean time to failure, among other metrics [1]. Dynamic FTA is commonly done algebraically [3] and using Markov chains [2]. In the algebraic approach, an algebra similar to Boolean algebra is used to determine the structure function of the top event. Based on this algebra, the structure function can be reduced to determine a reduced form of the cut sets and sequences.
The probabilistic analysis of the FT can then be performed based on the reduced form of the generated structure function by considering the probabilities of failure of the basic events. For the Markov chain based analysis, the FT is first converted to its equivalent Markov chain and then the probability of failure of the top event is determined by analyzing the generated Markov chain. The resultant Markov chain can be very large when dealing with complex systems, which limits the usage of Markov chains in DFT analysis.
Traditionally, dynamic FTA is performed using paper-and-pencil proof methods or computer simulation. While the former is error prone, especially for large systems, the latter provides a more scalable alternative. However, the results of simulation cannot be termed accurate due to the several approximations involved in the underlying computation algorithms and the sampling based nature of this method. Given the dire need for accuracy in the failure analysis of safety-critical systems, formal methods [1] have also recently been explored for DFT analysis. For example, the STORM probabilistic model checker [4] has been used to analyze DFTs based on Markov chain analysis [5]. Similarly, higher-order logic (HOL) theorem proving has been used to formalize and analyze SFTs [6]. However, probabilistic model checking has not been used in the formal qualitative analysis of DFTs. Moreover, it cannot support the analysis of large systems unless a reduction algorithm is invoked, and the implementation of such a reduction is usually not formally verified. This means that one cannot ascertain that the analysis results after reduction are accurate or correspond to the original system.
On the other hand, the only support for FTs in HOL is limited to SFTs.
We propose to overcome the above-mentioned limitations of formal DFT analysis by using an integrated model checking and theorem proving based methodology. We propose to use theorem proving for verifying the equivalence between the original and the reduced form of the DFT. The formally verified reduced DFT can then be quantitatively analyzed using model checking. Thus, the proposed methodology tends to provide a sounder analysis than model checking alone, due to the involvement of a theorem prover in the verification of the reduced model. Moreover, it caters for the state-space issues of model checking by providing it with a reduced model for the quantitative analysis. The foremost components of the proposed methodology are the formalization of the dynamic gates and their formally verified reduction theorems, which in turn are used to verify the equivalence between the original DFTs and the reduced ones. Using this verified reduced DFT, a reduced form of the cut sets and sequences of the structure function of the DFT can be formally verified within a theorem prover. We then perform the quantitative analysis of the formally verified reduced DFT in the model checker and thus reduce the generated state space and the analysis time. More importantly, we are confident that the analysis results of the reduced DFT correspond to the original DFT, as the reduction is verified using theorem proving. In order to illustrate the utilization and effectiveness of the proposed methodology, we analyzed five benchmark DFTs, i.e., a Hypothetical Example Computer System (HECS) [2], a Hypothetical Cardiac Assist System (HCAS) [3, 7], a scaled cascaded PAND DFT [7, 8], a multiprocessor computing system [7, 9] and a variant of the Active Heat Rejection System (AHRS) [10].
The reduced DFTs and their reduced cut sequences are formally verified using the HOL4 theorem prover. In addition, each DFT is analyzed twice using the STORM model checker, once without any reduction and once using the reduced DFT. The analysis results show that using the verified reduced DFT for the quantitative analysis reduces both the number of states generated by the model checker and the time required to perform the analysis.
The rest of the report is structured as follows: Section 2 presents some related work. Section 3 provides a detailed description of the proposed methodology. In Section 4, we present our HOL formalization of DFT gates. In Section 5, we provide the details of the verification of the simplification theorems. Section 6 describes a set of experimental results. Finally, we conclude the report in Section 7.
Related Work
DFT analysis has been conducted using various tools and techniques [1]. For example, Markov chains have been extensively used for the modeling and analysis of DFTs [2]. The scalability of Markov chains in analyzing large DFTs is achieved by using a modularization approach [11], where the DFT is divided into two parts: static and dynamic. The static subtree is analyzed using the ordinary SFT analysis methods, such as Binary Decision Diagrams (BDD) [1], and the dynamic subtree is analyzed using Markov chains. This kind of modularization approach is available in the Galileo tool [12]. In [7], the authors use a compositional aggregation technique to develop Input-Output Interactive Markov Chains (I/O-IMC) to analyze DFTs. This approach is implemented in the DFTCalc tool [13]. The algebraic approach has also been extensively used in the analysis of DFTs [3], where the top event of the DFT can be expressed and reduced in a manner similar to ordinary Boolean algebra. The reliability of the system can then be evaluated based on the algebraic expression of the top event [8]. The main problem with Markov chain analysis is the large state space generated when analyzing complex systems, which requires large amounts of memory and time. Moreover, simulation is usually utilized in the analysis process, which does not provide accurate results. Although modularization tends to overcome the large state-space problem of Markov chains, it does not yield a verified reduced form of the cut sequences of the DFT. The algebraic approach provides a framework for performing both the reduction and the analysis of the DFT. However, the foundations of this approach have not been formalized, which implies that the results of the analysis should not be relied upon, especially in safety-critical systems.
Formal methods can overcome the above-mentioned inaccuracy limitations of traditional DFT analysis techniques. Probabilistic model checkers, such as STORM [4], have been used for the analysis of DFTs. The main idea behind this approach is to automatically convert the DFT of a given system into its corresponding Markovian model and then quantitatively analyze the safety characteristics of the given system using the model checker [14]. The STORM model checker accepts the DFT to be analyzed in the Galileo format [12] and generates a failure automaton of the tree. This approach allows us to verify failure properties, like the probability of failure, in an automatic manner. However, the approach suffers from scalability issues due to the inherent state-space explosion problem of model checking. Moreover, the implementation of the reduction algorithms used in model checkers is generally not formally verified. Finally, model checkers have only been used in the context of the probabilistic analysis of DFTs and not for the qualitative analysis, since the cut sequences cannot be obtained unless the state machine is traversed to the fail state, which is difficult to achieve for large state machines.
Exploiting the expressiveness of higher-order logic (HOL) and the soundness of theorem proving, Ahmad et al. [6, 15] formalized static fault trees in HOL4 and evaluated the probability of failure based on the probabilistic inclusion-exclusion principle. However, the main drawback of theorem proving is that it is interactive, i.e., it needs user guidance in the proof process. Moreover, to the best of our knowledge, no higher-order-logic formalization of DFTs is available in the literature so far, and thus conducting DFT analysis using a theorem prover is not a straightforward task as of now.
It can be noted that model checking and HOL theorem proving exhibit complementary characteristics, i.e., model checking is automatic but cannot deal with large systems and does not provide the qualitative analysis of DFTs, while HOL theorem proving allows us to verify universally quantified generic mathematical expressions, but at the cost of user intervention. In this work, we leverage the complementary nature of these approaches to present an integrated methodology that provides the expressiveness of higher-order logic and the existing support for automated probabilistic analysis of DFTs using model checking. The main idea is to use theorem proving to formally verify the equivalence between the original and the reduced DFT, and then use a probabilistic model checker to conduct the quantitative analysis on the reduced DFT. As a result, both the generated state machine and the analysis time are reduced. In addition, a formally verified reduced form of the cut sequences is also obtained.
Proposed Methodology
The proposed methodology for the formal DFT analysis is depicted in Figure 1. It provides both formal qualitative analysis of DFTs using theorem proving and quantitative analysis using model checking. The DFT analysis starts with a system description. The failure behavior of this system is then modeled as a DFT, which can be reduced based on the algebraic approach [3]. The idea of this algebraic approach is to deal with the events, which can represent basic events or outputs, according to their time of failure (d). For example, d(X) represents the time of failure of an event X. In the algebraic approach, temporal operators (Simultaneous (∆), Before ( ) and Inclusive Before ( )) are defined to model the dynamic gates. Based on these temporal operators, several simplification theorems exist to perform the required reduction. This reduction process can be erroneous if it is performed manually using paper-and-pencil. Moreover, reduction algorithms may also produce wrong results if they are not formally verified. In order to formally check the equivalence between the original model and the reduced one, we developed a library of formalized dynamic gates in HOL and verified their corresponding simplification theorems. These foundations allow us to develop a formal model for any DFT using the formal gate definitions. Based on the verified simplification theorems, we can then verify the equivalence between the formally specified original and reduced DFT models using a theorem prover. The formally verified reduced structure function can then be utilized to perform the qualitative analysis of the reduced model in the theorem prover, as well as its quantitative analysis using a model checker.
The qualitative analysis represents an important and crucial step in DFT analysis, since it allows us to identify the sources of failure of the system without any information or actual numbers about the failure probabilities of the basic events. In static fault trees, the qualitative analysis is performed by finding the cut sets. Due to the temporal behavior of the dynamic gates, just finding the cut sets does not capture the sequence of failures that can cause the system failure. The cut sequences, on the other hand, capture not only the combinations of basic events but also the order in which they must occur to cause the system failure. In the proposed methodology, a theorem prover is used to verify a reduced expression of the structure function of the top event, which ensures that the reduction process is accurate. Using this reduced structure function, a formally verified reduced form of the cut sequences can also be determined.
The formally verified cut sets and sequences for the DFT and a reduced form of the structure function of the top event can now be used in a probabilistic model checker to do the quantitative analysis of the given system. Because of the reduced model, we 
Formalization of Dynamic Fault Trees in HOL
In this section, we present the formal definitions in HOL of the identity elements, the temporal operators and the dynamic gates. It is assumed that a fault is represented using an event. The occurrence of a fault indicates that the corresponding event is true. It is also assumed that the events are non-repairable.
Identity Elements
Two identity elements are defined: ALWAYS and NEVER. The ALWAYS identity element represents an event with a time of failure equal to 0. The NEVER element represents an event that never occurs. These two elements are defined based on their time of failure in HOL as follows:
where extreal is the HOL data type for extended real numbers, which includes positive infinity (+∞) and negative infinity (−∞), and PosInf is the representation of +∞ in HOL.
Temporal Operators
We formalize three temporal operators to model the dynamic behavior of the DFT: Simultaneous (∆), Before ( ) and Inclusive Before ( ). The Simultaneous operator has two input events, which represent basic events or subtrees. The time of occurrence (failure) of the output event of this operator is equal to the time of occurrence of the first or the second input event considering that both input events occur at the same time:
It is assumed that for any two basic events, if the failure distribution of the random variables that represent these basic events is continuous then they cannot have the same time of failure, and hence the result of the Simultaneous operator between them is NEVER.
where A and B are basic events with random variables that exhibit continuous failure distributions.
The Before operator accepts two input events, which can be basic events or two subtrees. The time of occurrence of the output event of this operator is equal to the time of occurrence of the first input event if the first input event (left) occurs before the second input event (right), otherwise the output never fails:
The Inclusive Before combines the behavior of both the Simultaneous and Before operators, i.e., if the first input event (left) occurs before or at the same time as the second input event (right), then the output event occurs with a time of occurrence equal to the time of occurrence of the first input event:
We formalize these temporal operators in HOL as follows: 
Fault Tree Gates
Figure 2 shows the main FT gates [2], both the static and the dynamic ones.
Although the AND (·) and OR (+) gates are considered static operators or gates, their behavior can also be represented using the times of occurrence of the input events. For example, the output event of an AND gate occurs if and only if all its input events occur. This implies that the output of the AND gate occurs with the occurrence of the last input event, which means that the time of occurrence of the output event equals the maximum time of occurrence of the input events. The OR gate is defined in a similar manner, with the only difference that the output event occurs with the occurrence of the first input event, i.e., the minimum time of occurrence of the inputs:
We model the behavior of these gates in HOL as follows: where max and min are functions that return the maximum and the minimum of their arguments, respectively. The Priority-AND (PAND) gate is a special case of the AND gate, where the output occurs when all the input events occur in sequence, conventionally from left to right. For the PAND gate, shown in Figure 2c, the output Q occurs if A and B occur and A occurs before or with B. The behavior of the PAND gate can be represented using the time of failure as:
The behavior of the PAND gate can be expressed using the temporal operators as:
We define the PAND in HOL as:
We verify in HOL that the PAND exhibits the behavior given in Equation 8:
The Functional Dependency (FDEP) gate, shown in Figure 2d, is used when there is a failure dependency between the input events or subtrees, i.e., the occurrence of one input (or subtree) can trigger the occurrence of other input events (or subtrees) in the fault tree. For example, in Figure 2d, the occurrence of T triggers the occurrence of A. This implies that A can occur in two different ways: firstly, when A occurs by itself, and secondly, when the trigger T occurs. This means that the time of failure of A_T (triggered A) equals the minimum of the times of occurrence of T and A:
We define the FDEP in HOL as:
where T is the occurrence time of the trigger. We also verify in HOL that the FDEP is equivalent to an OR gate as follows:
The spare gate, shown in Figure 2e, represents a dynamic behavior that occurs in many real world systems, where we usually have a main part and some spare parts. The spare parts are utilized when the main part fails. The spare gate has a main input (A) and a spare input (B). After the failure of A, B is activated. The output of the spare gate fails if both the main input and the spare fail. The spare gate can have several spare inputs, in which case the output fails after the failure of the main input and all the spares. The spare gate has three variants depending on the failure behavior of the spare part: the hot spare gate (HSP), the cold spare gate (CSP) and the warm spare gate (WSP). In the HSP, the probability of failure of the spare is the same in both the dormant and the active states. For the CSP, the spare part cannot fail unless it is activated. The WSP is the general case, where the spare part can fail in the dormant state as well as in the active state, but the failure distribution of the spare in its dormant state is different from the one in the active mode, and is usually attenuated by a dormancy factor. In order to be able to distinguish between the different states of the spare input, a different variable is assigned to each state. For example, for the spare gate shown in Figure 2e, B is represented using two variables: B_a for the active state and B_d for the dormant state.
The input events of the spare gate cannot occur at the same time if they are basic events. However, if these events are subtrees then they can occur at the same time.
For a two input warm spare gate, with A as the primary input and B as the spare input, the output event occurs in two ways; firstly, if A fails first then B, i.e., the spare part, is activated and then B fails in its active state. The second way is when B fails in its dormant state (inactive) then A fails with no spare to replace it. For the general case where the input events can occur at the same time (if they are subtrees or depend on a common trigger), an additional option for the failure of the spare gate is added, where the two input events occur at the same time. This general warm spare gate can be described as:
We formalize the WSP in HOL as: The time of failure of the CSP gate with primary input A and cold spare B can be defined as:
which means that the output event of the CSP occurs if the primary input fails and then the spare fails while in its active state. We define the CSP in HOL as: We verify in HOL that the CSP gate is a special case of the WSP, where the spare part cannot fail in its dormant state: where ALL_DISTINCT ensures that A and B_a are not equal, which means that they cannot fail at the same time, and COLD_SPARE B_d indicates that the spare B is a cold spare, i.e., it cannot fail in its dormant mode (B_d).
The spare part in the HSP has only one failure distribution, i.e., the dormant state and the active state are the same. The output of the HSP fails when both the primary and the spare fail, and the sequence of failure does not matter, as the spare part has only one failure distribution. The HSP is defined as:
where A is the primary input and B is the spare. We define this in HOL as: It is important to mention that more than one spare gate can share the same spare input. In this case, there is a possibility that one of the primary inputs is replaced by the spare, while the other input does not have a spare in case it fails. The outputs of the spare gates, shown in Figure 3 , are represented as follows (assuming that A, B and C are basic events):
The last term in Q_1 indicates that if B occurs before A, then the spare part C is used by the second spare gate. This means that no spare is available for the first spare gate, which causes the failure of the output of the first spare gate when A occurs. We formalize the output Q_1 of the first spare gate in HOL as: We define a function in HOL called Never_events, which ensures that its operands are mutually exclusive, i.e., only one of them can occur. We formalize it in HOL as: This function is useful when we want to make sure that two events cannot happen together. For example, for a CSP gate, the spare part can only fail in one of its two states and not in both.
Formal Verification of the Simplification Theorems
As with classical Boolean algebra, many simplification theorems also exist for DFT operators, which can be used to simplify the structure function of the DFT. We formally verified over 80 simplification theorems for the operators, defined in the previous section, including commutativity, associativity and idempotence of the AND, OR and Simultaneous operators, in addition to more complex theorems that include a combination of all operators. The verification process of these theorems was mainly based on the properties of extended real numbers, since the DFT operators are defined based on the time of failure of the events, which we choose to model using the extreal data type in HOL. During the verification process, each theorem was divided into several sub-goals based on the definition of the operators. Most of these sub-goals were automatically verified using automated tactics that utilize theorems from the extreal HOL theory. These simplification theorems can be classified into four groups depending on the operators involved in the simplification.
Simplification Theorems using OR and AND
These simplification theorems are similar to the Boolean algebra theorems for OR and AND, such as commutativity and associativity. Based on the theorems presented in [3], Table 1 lists the formalization of these theorems, which we proved in HOL.
Simplification Theorems using Before Operator
As with AND and OR, several simplification theorems were introduced in [3] to simplify expressions that include the Before operator. Our formalization of these theorems in HOL is given in Table 2.
HOL: ∀ A B. D_AND (D_BEFORE A B) (D_BEFORE B A) = NEVER
DFT algebra: (A B).(B A) = NEVER

HOL: ∀ A B C. D_BEFORE A (D_BEFORE B C) = D_OR (D_BEFORE A B) (D_AND (D_AND A B) (D_OR (D_BEFORE C B) (D_SIMULT C B)))
DFT algebra: A (B C) = (A B) + (A.B.((C B) + (C∆B)))

HOL: ∀ A B C. D_BEFORE A (D_BEFORE B C) = D_OR (D_BEFORE A B) (D_AND (D_AND A B) (D_INCLUSIVE_BEFORE C B))
DFT algebra: A (B C) = (A B) + (A.B.(C B))

HOL: ∀ A B C. D_BEFORE (D_BEFORE A B) C = D_AND (D_BEFORE A B) (D_BEFORE A C)
DFT algebra: (A B) C = (A B).(A C)

HOL: ∀ A. D_BEFORE NEVER A = NEVER
DFT algebra: NEVER A = NEVER

HOL: ∀ A. D_BEFORE A NEVER = A
DFT algebra: A NEVER = A

HOL: ∀ A. D_BEFORE A A = NEVER
DFT algebra: A A = NEVER

HOL: ∀ A B C. D_BEFORE A (D_OR B C) = D_AND (D_BEFORE A B) (D_BEFORE A C)
DFT algebra: A (B + C) = (A B).(A C)

HOL: ∀ A B C. D_BEFORE A (D_AND B C) = D_OR (D_BEFORE A B) (D_BEFORE A C)
DFT algebra: A (B.C) = (A B) + (A C)

HOL: ∀ A B C. D_BEFORE A (D_SIMULT B C) = D_OR (D_OR (D_OR (D_AND A (D_BEFORE B C)) (D_AND A (D_BEFORE C B))) (D_BEFORE A B)) (D_BEFORE A C)
DFT algebra: A (B∆C) = (A.(B C)) + (A.(C B)) + (A B) + (A C)

HOL: ∀ A B C. D_BEFORE A (D_INCLUSIVE_BEFORE B C) = D_OR (D_BEFORE A B) (D_AND (D_AND A B) (D_BEFORE C B))
DFT algebra: A (B C) = (A B) + (A.B.(C B))

HOL: ∀ A B C. D_BEFORE (D_OR A B) C = D_OR (D_BEFORE A C) (D_BEFORE B C)
DFT algebra: (A + B) C = (A C) + (B C)

HOL: ∀ A B C. D_BEFORE (D_AND A B) C = D_AND (D_BEFORE A C) (D_BEFORE B C)
DFT algebra: (A.B) C = (A C).(B C)

HOL: ∀ A B C. D_BEFORE (D_SIMULT A B) C = D_AND (D_SIMULT A B) (D_BEFORE A C)
DFT algebra: (A∆B) C = (A∆B).(A C)

HOL: ∀ A B C. D_AND (D_AND (D_BEFORE A B) (D_BEFORE B C)) (D_BEFORE A C) = D_AND (D_BEFORE A B) (D_BEFORE B C)
DFT algebra: (A B).(B C).(A C) = (A B).(B C)

Simplification Theorems using Simultaneous Operator
Table 3 shows the simplification theorems that can be used with the Simultaneous operator, along with their formalizations in HOL.

HOL: ∀ A B C. D_SIMULT A (D_OR B C) = D_OR (D_OR (D_AND (D_SIMULT A B) (D_SIMULT B C)) (D_AND (D_SIMULT A B) (D_BEFORE B C))) (D_AND (D_SIMULT A C) (D_BEFORE C B))
DFT algebra: A∆(B + C) = (A∆B).(B∆C) + (A∆B).(B C) + (A∆C).(C B)

HOL: ∀ A B C. D_SIMULT A (D_OR B C) = D_OR (D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE B C)) (D_AND (D_SIMULT A C) (D_INCLUSIVE_BEFORE C B))
DFT algebra: A∆(B + C) = (A∆B).(B C) + (A∆C).(C B)

HOL: ∀ A B C. D_SIMULT A (D_AND B C) = D_OR (D_OR (D_AND (D_SIMULT A B) (D_SIMULT B C)) (D_AND (D_SIMULT A B) (D_BEFORE C B))) (D_AND (D_SIMULT A C) (D_BEFORE B C))
DFT algebra: A∆(B.C) = (A∆B).(B∆C) + (A∆B).(C B) + (A∆C).(B C)

HOL: ∀ A B C. D_SIMULT A (D_AND B C) = D_OR (D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE C B)) (D_AND (D_SIMULT A C) (D_INCLUSIVE_BEFORE B C))
DFT algebra: A∆(B.C) = (A∆B).(C B) + (A∆C).(B C)

HOL: ∀ A B C. D_SIMULT A (D_BEFORE B C) = D_AND (D_SIMULT A B) (D_BEFORE B C)
DFT algebra: A∆(B C) = (A∆B).(B C)

HOL: ∀ A B C. D_SIMULT A (D_INCLUSIVE_BEFORE B C) = D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE B C)
DFT algebra: A∆(B C) = (A∆B).(B C)

HOL: ∀ A B. D_OR A (D_SIMULT A B) = A
DFT algebra: A + (A∆B) = A

HOL: ∀ A B C. D_AND (D_AND (D_SIMULT A B) (D_SIMULT B C)) (D_SIMULT A C) = D_AND (D_SIMULT A B) (D_SIMULT B C)
DFT algebra: (A∆B).(B∆C).(A∆C) = (A∆B).(B∆C)

Simplification Theorems using Inclusive Before Operator
Table 4 shows the HOL verified formalization of the theorems that can be used with the Inclusive Before operator.

HOL: ∀ A B. D_AND (D_INCLUSIVE_BEFORE A B) (D_INCLUSIVE_BEFORE B A) = D_SIMULT A B
DFT algebra: (A B).(B A) = A∆B

HOL: ∀ A B C. D_INCLUSIVE_BEFORE A (D_INCLUSIVE_BEFORE B C) = D_OR (D_OR (D_BEFORE A B) (D_AND (D_AND A B) (D_BEFORE C B))) (D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE B C))
DFT algebra: A (B C) = (A B) + (A.B.(C B)) + (A∆B).(B C)

HOL: ∀ A B C. D_INCLUSIVE_BEFORE (D_INCLUSIVE_BEFORE A B) C = D_AND (D_INCLUSIVE_BEFORE A B) (D_INCLUSIVE_BEFORE A C)
DFT algebra: (A B) C = (A B).(A C)

HOL: ∀ A. D_INCLUSIVE_BEFORE NEVER A = NEVER
DFT algebra: NEVER A = NEVER

HOL: ∀ A B C. D_INCLUSIVE_BEFORE A (D_SIMULT B C) = D_OR (D_OR (D_OR (D_OR (D_AND A (D_BEFORE B C)) (D_AND A (D_BEFORE C B))) (D_BEFORE A B)) (D_BEFORE A C)) (D_AND (D_SIMULT A B) (D_SIMULT B C))
DFT algebra: A (B∆C) = (A.(B C)) + (A.(C B)) + (A B) + (A C) + (A∆B).(B∆C)

HOL: ∀ A B C. D_INCLUSIVE_BEFORE (D_OR A B) C = D_OR (D_INCLUSIVE_BEFORE A C) (D_INCLUSIVE_BEFORE B C)
DFT algebra: (A + B) C = (A C) + (B C)

HOL: ∀ A B C. D_INCLUSIVE_BEFORE (D_AND A B) C = D_AND (D_INCLUSIVE_BEFORE A C) (D_INCLUSIVE_BEFORE B C)
DFT algebra: (A.B) C = (A C).(B C)

HOL: ∀ A B C. D_INCLUSIVE_BEFORE (D_SIMULT A B) C = D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE A C)
DFT algebra: (A∆B) C = (A∆B).(A C)

HOL: ∀ A B C. D_INCLUSIVE_BEFORE (D_SIMULT A B) C = D_AND (D_SIMULT A B) (D_INCLUSIVE_BEFORE B C)
DFT algebra: (A∆B) C = (A∆B).(B C)

HOL: ∀ A B C. D_AND (D_AND (D_INCLUSIVE_BEFORE A B) (D_INCLUSIVE_BEFORE B C)) (D_INCLUSIVE_BEFORE A C) = D_AND (D_INCLUSIVE_BEFORE A B) (D_INCLUSIVE_BEFORE B C)
DFT algebra: (A B).(B C).(A C) = (A B).(B C)

Simplification Theorems for Combinations of Operators
Table 5 shows our formalization in HOL of some simplification theorems from [3], which can be used to simplify expressions involving combinations of operators.

HOL: ∀ A B C. D_AND (D_AND (D_BEFORE A B) (D_BEFORE B C)) (D_INCLUSIVE_BEFORE A C) = D_AND (D_BEFORE A B) (D_BEFORE B C)
DFT algebra: (A B).(B C).(A C) = (A B).(B C)
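As an added illustration (not the paper's HOL4 code), the following Python models the time-of-failure semantics of the temporal operators and gates of Section 4 and checks a selection of the theorems of Tables 2 to 5 exhaustively on a small grid of failure times that includes ties and NEVER. The only assumption beyond the text is the simultaneous term of the general WSP, taken here as A SIMULT B_a; the "<" and "<=" in the law names are local shorthand for Before and Inclusive Before.

```python
"""Time-of-failure semantics of the temporal operators and gates of Section 4,
used to check a selection of the Section 5 simplification theorems.  Added
illustration in Python, not the paper's HOL4 code.  An event is its time of
failure d(X) as an extended real: NEVER is +inf and ALWAYS is 0, mirroring the
extreal-based HOL definitions.  Assumption: the simultaneous term of the
general WSP is taken as A SIMULT B_a."""
from itertools import product
from math import inf

NEVER = inf      # an event that never occurs
ALWAYS = 0.0     # an event that occurs at time 0

# ---- temporal operators (Section 4) -----------------------------------------
def d_simult(a, b):          # A SIMULT B: both occur at the same instant
    return a if a == b else NEVER

def d_before(a, b):          # A BEFORE B: A strictly precedes B, else NEVER
    return a if a < b else NEVER

def d_incl_before(a, b):     # A INCLUSIVE BEFORE B: A precedes or ties B
    return a if a <= b else NEVER

# ---- gates (Section 4) ------------------------------------------------------
def d_or(*xs):               # OR: the output fails with the first input
    return min(xs)

def d_and(*xs):              # AND: the output fails with the last input
    return max(xs)

def d_pand(a, b):            # PAND as in Equation 8: d(B) if A <= B, else NEVER
    return b if a <= b else NEVER

def d_pand_ops(a, b):        # PAND written with the temporal operators
    return d_and(d_incl_before(a, b), b)

def d_fdep(t, a):            # triggered A: the first of trigger T and A itself
    return d_or(t, a)

def d_wsp(a, b_a, b_d):      # general warm spare gate
    return d_or(d_and(d_before(a, b_a), b_a),   # A fails, then the active spare
                d_and(d_before(b_d, a), a),     # dormant spare fails, then A
                d_simult(a, b_a))               # assumption: both fail at once

def d_csp(a, b_a):           # cold spare gate: primary first, then active spare
    return d_and(d_before(a, b_a), b_a)

def d_hsp(a, b):             # hot spare gate: order irrelevant, both must fail
    return d_and(a, b)

# ---- exhaustive check over a constructed grid of failure times --------------
TIMES = [0.0, 1.0, 2.0, 3.0, NEVER]   # deliberately contains ties and NEVER

# Theorems from Tables 2-5 as equalities of failure times.  In the names,
# "<" stands for Before, "<=" for Inclusive Before, "." for AND, "+" for OR.
LAWS = {
    "(A<B).(B<A) = NEVER":
        lambda a, b, c: d_and(d_before(a, b), d_before(b, a)) == NEVER,
    "A<(B+C) = (A<B).(A<C)":
        lambda a, b, c: d_before(a, d_or(b, c))
        == d_and(d_before(a, b), d_before(a, c)),
    "A<(B.C) = (A<B)+(A<C)":
        lambda a, b, c: d_before(a, d_and(b, c))
        == d_or(d_before(a, b), d_before(a, c)),
    "(A<B)<C = (A<B).(A<C)":
        lambda a, b, c: d_before(d_before(a, b), c)
        == d_and(d_before(a, b), d_before(a, c)),
    "A<(B SIMULT C) = A.(B<C)+A.(C<B)+(A<B)+(A<C)":
        lambda a, b, c: d_before(a, d_simult(b, c)) == d_or(
            d_and(a, d_before(b, c)), d_and(a, d_before(c, b)),
            d_before(a, b), d_before(a, c)),
    "A SIMULT (B<C) = (A SIMULT B).(B<C)":
        lambda a, b, c: d_simult(a, d_before(b, c))
        == d_and(d_simult(a, b), d_before(b, c)),
    "A+(A SIMULT B) = A":
        lambda a, b, c: d_or(a, d_simult(a, b)) == a,
    "(A<=B).(B<=A) = A SIMULT B":
        lambda a, b, c: d_and(d_incl_before(a, b), d_incl_before(b, a))
        == d_simult(a, b),
    "(A<B).(B<C).(A<=C) = (A<B).(B<C)":
        lambda a, b, c: d_and(d_before(a, b), d_before(b, c),
                              d_incl_before(a, c))
        == d_and(d_before(a, b), d_before(b, c)),
    "PAND (Eq. 8) = (A<=B).B":
        lambda a, b, c: d_pand(a, b) == d_pand_ops(a, b),
    "FDEP = OR":
        lambda a, b, c: d_fdep(a, b) == d_or(a, b),
}

def failing_laws():
    """Names of the laws that fail somewhere on the grid (expected: none)."""
    return [name for name, law in LAWS.items()
            if not all(law(*xs) for xs in product(TIMES, repeat=3))]

def csp_is_cold_wsp(a, b_a):
    """CSP(A, B) equals WSP(A, B) with a cold spare (B_d = NEVER) only when
    A and B_a are distinct, which is why the HOL theorem needs ALL_DISTINCT."""
    return d_csp(a, b_a) == d_wsp(a, b_a, NEVER)
```

Calling failing_laws() returns an empty list, and csp_is_cold_wsp(2.0, 2.0) is False while csp_is_cold_wsp(1.0, 2.0) is True, which is the side condition the CSP theorem carries.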
Experimental Results
In order to illustrate the effectiveness of the proposed methodology, we utilize it to conduct the formal DFT analysis of five benchmarks. The first benchmark, depicted in Figure 4, is a scaled version of the original cascaded PAND fault tree [7, 8] with repeated events. In this work, we consider a scaled version of this DFT, i.e., two similar DFTs with different basic events and a top event that fails whenever one of these DFTs fails. The second DFT is a modified and abstracted version of the Active Heat Rejection System (AHRS) [10], which consists of two thermal rejection units A and B. The failure of either of these two units leads to the failure of the whole system. Each main input (A_1 or B_1) has two spare parts, and the unit fails with the failure of the main input and the spare inputs. All the inputs are functionally dependent on the power supply.
The third benchmark represents a Multiprocessor Computer System (MCS) [7, 9] with two redundant computers, each having a processor, a disk and a memory unit. Each disk has its own spare and the two memory units share the same spare. The two processors are functionally dependent on the power supply.
The fourth benchmark is a Hypothetical Example Computer System (HECS) [2] consisting of two processors with a cold spare and five memory units, which are functionally dependent on two memory interface units and two system buses. The failure of the system also depends on the application subsystem, which in turn depends on the software, the hardware and the human operator. The last benchmark is a Hypothetical Cardiac Assist System (HCAS) [3, 7], which consists of two pumps (P1 and P2) with a shared spare (BP), two motors and a CPU (P) with a spare (B). Both CPUs are functionally dependent on a trigger, which represents the crossbar switch (CS) and the system supervisor (SS).
In the next section, the verification of the reduction will be introduced for each benchmark along with the reduced cut sets and sequences, then the quantitative analysis for the five benchmarks will be described in the subsequent section.
Verifying the Reduced DFTs
The first step in the proposed methodology is to create a formal model for both the original DFT and the reduced one. Then, the two DFTs are checked for equivalence. After the equivalence verification, the cut sets and sequences can be determined.
Verifying the Reduced Cascaded PAND DFT (CPAND)
The top event (Q 1 ) of the system, shown in Figure 4 , is reduced using the simplification theorems as follows:
We verify this simplification in HOL as follows:

H1 I1 J1 K1 L1 N1 O1 P1 A2 B2 C2 D2 E2 W2 G2 H2 I2 J2 K2 L2 N2 O2 P2. ALL DISTINCT [A1;B1;C1;D1;E1;W1;G1;H1;I1;J1;K1;L1;N1;O1;P1;A2;B2;C2;D2;E2;W2;G2;H2;I2;J2;K2;L2;N2;O2;

The predicate ALL DISTINCT ensures that the basic events cannot occur at the same time. This condition was found to be a prerequisite for the above-mentioned consequence. From this reduction, it can be noticed that the basic events (N1, O1, P1, N2, O2, P2) have no effect on the failure of the top event since they are eliminated in the reduction. Considering the cut sets and sequences, the top event can fail in two cases. The first case corresponds to the first product in the structure function, which implies that the output event occurs if any one of the basic events (I1, J1, K1, L1) occurs and A1 occurs before all of them and the inputs (
. The second case represents the second product of the second subtree, which is similar to the first product but with different basic events. Since the Galileo format (which is used to model a DFT in STORM) supports only DFT gates and not operators, it is required that the reduced form is represented using DFT gates only. This representation is verified in HOL as follows: 
Verifying the Reduced AHRS DFT
The top event (Q 2 ) of the system shown in Figure 5 is reduced using the algebraic simplification theorems, assuming that the spares are cold spares:
We verify this in HOL as: This system has three sources of failure: the trigger, the sequence of failure (A1 then A2 then A3) and finally the sequence (B1 then B2 then B3).
Verifying the Reduced MCS DFT
The top event (Q 3 ) of the system shown in Figure 6 is reduced using the algebraic simplification theorems to:
We verify this in HOL as: From this verified reduced function, the sources of failure are N, PS, or the failure of both computers through the failure of any element in each one.
Verifying the Reduced HECS DFT
The top event (Q 4 ) of the system shown in Figure 7 is reduced using the algebraic simplification theorems to [3] :
We verify this in HOL as: 
Verifying the Reduced HCAS DFT
The top event (Q 5 ) of the system shown in Figure 8 is reduced using the algebraic simplification theorems to [3] :
We verify this in HOL as: The cut sets and sequences for Q 5 can be obtained from the verified reduced function. To model this function in STORM, it was verified using the dynamic gates, assuming that B is a cold spare: 
Probabilistic Analysis Results using STORM
The quantitative analysis for the five benchmarks was conducted using STORM on a Linux machine with an i7 2.4 GHz quad-core CPU and 4 GB of RAM. The efficiency of the proposed methodology is highlighted by analyzing both the original DFTs and the reduced ones. In addition, the probability of failure for each DFT is evaluated for different time bounds, e.g., the probability of failure after 100 working time units. A summary of the analysis results is given in Table 6. It can be noticed that the number of states is reduced as well as the total analysis time. For the first benchmark, the analysis time is reduced due to the huge reduction in the number of states: as mentioned earlier, many basic events are eliminated using the algebraic reduction theorems, which in turn reduces both the number of states and the total analysis time. For the rest of the benchmarks, the analysis time is significantly reduced when the reduced DFT is used in the analysis. This is mainly for two reasons: firstly, the number of states is reduced, and secondly, the original DFT is modeled as a Markov Automaton (MA) because it contains non-deterministic behavior, while the reduced DFT is modeled as a Continuous Time Markov Chain (CTMC). This means that in the reduced DFT the non-deterministic behavior caused by the failure dependency no longer exists, as the reduction process depends on the time of failure of the gates. We used the STORM option (firstdep) [16] to resolve the non-deterministic behavior in the original DFT and generate a CTMC instead of an MA; the results in Table 7 show that the number of states for the reduced DFTs is generally smaller than that of the original DFT with resolved dependencies. This emphasizes the importance of the proposed methodology not only in providing a formal qualitative analysis but also in reducing the quantitative analysis cost in terms of time and memory, i.e., number of states.
* The reported probability for the reduced DFT is closer to the probability reported in [3] for the same input failure distribution
Conclusion
In this work, we proposed a formal dynamic fault tree analysis methodology integrating theorem proving and model checking. We formalized the dynamic fault tree gates and operators in higher-order logic based on the time of failure of each gate. Using our formalization of the gates and the extreal library in HOL4, we proved over eighty simplification theorems that can be used to verify the reduction of any DFT. We used these theorems to verify the equivalence of the original and reduced DFT using theorem proving. In addition, we provided a formally verified qualitative analysis of the structure function in the form of reduced cut sets and sequences, which, to the best of our knowledge, is a novel contribution. The quantitative analysis of the reduced structure function is performed using model checking. Since the formally verified reduced DFT is the input to the quantitative analysis, the model checking results are guaranteed to correspond to the original DFT. Both the qualitative and the quantitative analyses were conducted on five benchmark DFTs, and the analysis results show that our proposed integrated methodology provides formally verified reduced cut sets and sequences. In addition, the model checking results indicate that using the reduced DFT in the analysis has a positive impact on its cost in terms of both time and number of states. As future work, we plan to provide the quantitative analysis of DFTs within the HOL theorem prover, which will allow us to have a complete framework for formal DFT analysis using theorem proving.
