Reasoning Method Based on Intervals with Symmetric Truncated Normal Density

Abstract: Error parameters are inevitable in systems. In formal verification, previous reasoning methods seldom considered the probability information of errors. In this article, errors are described as symmetric truncated normal intervals, each consisting of an interval and a symmetric truncated normal probability density. Furthermore, we rigorously prove two lemmas and a theorem that partially simplify the calculations on truncated normal intervals, and we independently verify the formulas for the variance and expectation of a symmetric truncated interval given by other scholars. The mathematical derivation or verification code is provided for most of the key formulas in this article. On this basis, we propose a new reasoning method that combines the probability information of errors with the previous statistical reasoning methods. Finally, an engineering example of the reasoning verification of train acceleration is provided. Simulation of large-scale cases shows that the simulation results are consistent with the theoretical reasoning results. This method needs more calculation, but it is more effective in detecting non-error fault factors than other error reasoning methods.


Introduction
Formal verification technology has been widely used in industry [1,2]. The reasoning method is an essential step in theorem proving in formal verification. It requires strict mathematical deduction to ensure the correctness of the reasoning process [3]. In engineering, it is often combined with model-based verification methods [4] so that the two complement each other [5][6][7]. Before verifying whether a system satisfies the safety properties, it is necessary to use certain logical semantics to describe the system states and transition guards precisely in mathematical language. In the past decades, numerous logical semantics have been proposed, from binary logic [8] to polynomial algebraic logic [9] and semi-algebraic logic [10,11] for real numbers. Moreover, many achievements have emerged in the field of symbolic computation, which has been used as a mathematical deduction tool, such as Wu's method [12], the Gröbner basis method [13], and the quantifier elimination method [14,15]. With the development of semantics and symbolic computation, reasoning verification for complex systems has become a reality. At present, several verification tools based on theorem proving have appeared for the verification of complex systems, such as KeYmaera [16] and ACL2 [17]. Polynomial-related reasoning methods based on the Gröbner basis have been widely applied in the reasoning verification of polynomial and hybrid systems [18]. Nevertheless, a completely different Gröbner basis may be obtained when a polynomial coefficient changes slightly, which makes these methods invalid for the

• We propose a novel reasoning method, which can conclude whether the system is likely to have potential risks caused by non-error factors while the system state is still inside the Zero(ϕ) set, whereas the previous methods can give this assessment only when the system state is not inside the Zero(ϕ) set. The method is more effective than other methods [20][21][22] for safety-critical systems if the time complexity of the specific problem is acceptable.
• Some lemmas (Lemmas 1 and 2) and Theorem 1, together with their proofs, are provided, which partially simplify the calculations. These lemmas and the theorem also benefit methods based on symmetric truncated normal intervals in other fields.
• We provide an engineering example and the Maple code to make our reasoning method easier to apply in the industrial field.

Interval Random Errors
In this section, we introduce some established mathematical concepts involved in our method (Definitions 1-3). We also prove Lemmas 1 and 2 and Theorem 1, which are contributions of this study.

Definition 1. The interval random error ε is a random variable in the interval [ε⁻, ε⁺], ε⁻ ≤ ε⁺, and f(ε) is the probability density function of ε, denoted by ε_f or [ε⁻, ε⁺]_f. Thus, f(ε) must satisfy the normalization condition $\int_{\varepsilon^-}^{\varepsilon^+} f(\varepsilon)\,d\varepsilon = 1$. In engineering, the upper and lower bounds of ε are generally finite.

When ε⁻ < 0, an interval random error η_g with a non-negative lower bound can be obtained by the shift η_g = ε_f + c. The probability density function of η_g is as follows: As long as c is sufficiently large, ε⁻ + c ≥ 0 always holds. Therefore, the four operations on interval random errors discussed below only consider the case in which the lower bound of the interval random errors is not negative.

Let x_f and y_g be interval random errors on the intervals [x⁻, x⁺] and [y⁻, y⁺] with probability density functions f(x) and g(y), respectively. Let s(x, y) be the joint probability density of (x, y), and let c be a real constant. The probability density function of ε_h is h(ε). The four operations on interval random errors are given as follows: For addition, when x_f and y_g are independent, we have s(ε − y, y) = f(ε − y) · g(y).

Intervals with Symmetric Truncated Normal Density Function
Definition 2 is mainly due to the authors of reference [24], and it has been applied in industry [25]. The normalization of the probability on the interval is verified independently after Definition 2.

Definition 2. The symmetric truncated interval normal density function (short for truncated normal density) f(x, a, b, σ) is given by formula (6), where μ = (a + b)/2. The function curve is symmetric about μ = (a + b)/2, that is, x = μ is the axis of symmetry, as shown in Figure 1; a and b are the lower and upper bounds of the interval [a, b]; φ(x) is the probability density function of the standard normal distribution; Φ(x) is the standard normal cumulative distribution function; and σ is the shape parameter of the interval normal density. In Figure 1, a larger σ corresponds to a flatter curve, as for the normal probability density. The verification in formula (7) shows that $\int_a^b f(x, a, b, \sigma)\,dx = 1$ holds, as the normalization condition in Definition 1 requires. Figure 1 shows the truncated normal density curve for a = 1, b = 4, σ = 1 and σ = 2. Figure 2 shows the curve of the normal density function for μ = 2.5, σ = 1 and σ = 2.

As shown in Figure 1, f(x, a, b, σ) ≡ 0 when x ∉ [a, b], which differs from the normal probability density function. Combining Definitions 1 and 2, the truncated normal interval is defined as follows:

Definition 3 (Symmetric truncated normal interval, short for truncated normal interval). An interval random error X is a truncated normal interval if X lies in the range [a, b], a ≤ b, and the probability density f(x, a, b, σ) of X has the form of formula (6). The truncated normal interval X is denoted by [a, b]_{f_σ}, f(x, a, b, σ).

Obviously, taking x = (a + b)/2 as the midline, the error values on the left and right sides of the midline are symmetric. The truncated normal interval is used to represent uncertain parameters in the method introduced later in this paper.
Properties 1 and 2 (introduced in reference [26]) show how to calculate the expectation and variance of the truncated normal interval, respectively.
In formula (10), F_X(x) and F_Y(y) are the cumulative distribution functions of X and Y, respectively. Differentiating Equation (10) with respect to y, the probability density of Y is obtained as follows: In addition: According to formulas (6) and (11), we have: That is, formula (13) is obtained: Formula (13) conforms to the definition of the truncated normal density introduced in Definition 2. Thus, we have: In summary, according to the definition of the truncated normal interval introduced in Definition 3, Y (Y = C1 X) can be regarded as a truncated normal interval with

Proof. From elementary probability, we have: Differentiating formula (15) with respect to y, we have

) is a truncated normal interval, C0 and C1 are two real constants with C1 > 0, and Y (Y = C1 X + C0) is also a truncated normal interval with the probability density f(y, C1 a + C0,

Proof. According to Lemma 1, C1 X is a truncated normal interval with probability density f(y, C1 a,

The parameter σ of the truncated normal interval X (X = [a, b]_f, f(x, a, b, σ)) is not the standard deviation of X. X can be regarded as the random variable generated by truncating the normal random variable Y ∼ N((a + b)/2, σ²) to [a, b]. As introduced in Properties 1 and 2, the expectation of X is calculated from a and b, and the variance of X from a, b and σ. According to Theorem 1, the operations on truncated normal intervals introduced in Section 2.1 can be partially accelerated, especially the linear operations C1 X + C0 covered by the theorem. The following section introduces the reasoning method based on truncated normal intervals.
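The density of Definition 2, its normalization (formula (7)), the midpoint expectation noted above and the scaling rule of Theorem 1 can all be checked numerically. The following Python script is an added example and not code from the paper: it takes f(x, a, b, σ) from the paper's own Maple definition (Section 4.1), uses composite Simpson integration (an implementation choice made here, not the paper's), and uses the Figure 1 parameters a = 1, b = 4, σ ∈ {1, 2} together with the Section 4.1 scaling C1 = 0.5 on [50,000, 60,000] as inputs; the value σ2 = 2000 is a constructed placeholder, since the paper does not give σ2.

```python
import math


def phi(x):
    """Standard normal density, as in the paper's Maple definition phi."""
    return math.exp(-0.5 * x * x) / math.sqrt(2.0 * math.pi)


def Phi(x):
    """Standard normal CDF via erf, as in the paper's Maple definition Phi."""
    return 0.5 + 0.5 * math.erf(x / math.sqrt(2.0))


def f(x, a, b, sigma):
    """Symmetric truncated normal density on [a, b] (formula (6)).

    The curve is the N((a+b)/2, sigma^2) density rescaled so that its mass on
    [a, b] is 1, and it is identically zero outside [a, b] (Definition 2)."""
    if x < a or x > b:
        return 0.0
    mu = 0.5 * (a + b)
    half_width = 0.5 * (b - a)
    mass_on_interval = Phi(half_width / sigma) - Phi(-half_width / sigma)
    return phi((x - mu) / sigma) / (sigma * mass_on_interval)


def simpson(g, lo, hi, n=2000):
    """Composite Simpson rule on [lo, hi] with n (even) subintervals."""
    h = (hi - lo) / n
    total = g(lo) + g(hi)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * g(lo + i * h)
    return total * h / 3.0


def total_mass(a, b, sigma):
    """Numerical form of formula (7): the integral of f over [a, b] should be 1."""
    return simpson(lambda x: f(x, a, b, sigma), a, b)


def expectation(a, b, sigma):
    """E[X] for X = [a, b]_f; symmetry about (a+b)/2 makes it the midpoint."""
    return simpson(lambda x: x * f(x, a, b, sigma), a, b)


def theorem1_max_error(a, b, sigma, c1, c0, points=200):
    """Check Theorem 1 for Y = C1*X + C0 with C1 > 0.

    The change-of-variables rule gives the density of Y as
    f((y - C0)/C1, a, b, sigma) / C1; Theorem 1 states that it equals
    f(y, C1*a + C0, C1*b + C0, C1*sigma). Returns the largest absolute
    difference over a grid of y values in the new interval."""
    lo, hi = c1 * a + c0, c1 * b + c0
    worst = 0.0
    for i in range(points + 1):
        y = lo + (hi - lo) * i / points
        via_change_of_variables = f((y - c0) / c1, a, b, sigma) / c1
        via_theorem = f(y, lo, hi, c1 * sigma)
        worst = max(worst, abs(via_change_of_variables - via_theorem))
    return worst


if __name__ == "__main__":
    for s in (1.0, 2.0):  # Figure 1 parameters: a = 1, b = 4
        print(f"sigma={s}: mass={total_mass(1, 4, s):.8f}, mean={expectation(1, 4, s):.8f}")
    # Section 4.1 scales M2 on [50,000, 60,000] by C1 = 0.5; sigma2 = 2000 is a constructed placeholder
    print("Theorem 1 max |difference| =", theorem1_max_error(50000, 60000, 2000.0, 0.5, 0.0))
```

The two density expressions in theorem1_max_error agree to rounding error because both the shift of the midpoint and the scaling of σ cancel inside φ and Φ; the only factor that does not cancel is the 1/C1 Jacobian, which is exactly the σ → C1 σ rescaling in the denominator.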

Truncated Normal Interval-Based Reasoning Method
According to Definition 3, truncated normal intervals can be regarded as an extension of intervals obtained by attaching a truncated normal density to the interval. Hence, the interval-based polynomial reasoning methods (such as those of references [20][21][22]) remain valid for truncated normal intervals. In Section 3.2, we improve the reasoning methods [20,21] by adding the calculation of the truncated normal density to them. Before that, we introduce the implication relationship.

Implication Relationship
In this section, we first introduce the polynomial error assertion, its zero set, Axiom 1, and the implication relationship, which were proposed by reference [22]. The implication relationship between assertions is the fundamental rule in the reasoning method based on theorem proving. The equivalence relationship can be attributed to assessing whether there are implication relationships with each other [27]. Hence, only the implication relationship is discussed below.
Definition 5 (Real zero set of PEAs, short for zero set of PEAs). ϕ is a PEA. The real zero set of ϕ, denoted by zero(ϕ), satisfies (18).
Apparently, the definition of the zero set of PEAs is self-consistent with that of classic polynomials. This is because when the upper and lower bounds of the interval are equal, the interval degenerates into a real number. For example, [ε − , ε + ] degenerates into a real number ε when ε = ε − = ε + . Here, the definition of the zero set of PEAs and that of the classical polynomial equations are identical.
For polynomials, here is an example of Axiom 1. Let ϕ1: x − 5 = 0 and ϕ2: x² − 4x − 5 = 0. We need to determine whether ϕ1 |= ϕ2, that is, whether ϕ1 implies ϕ2; simply put, if ϕ1 is true, then ϕ2 must be true. Indeed, the only solution of ϕ1 is x = 5, and 5² − 4·5 − 5 = 0, so ϕ2 holds whenever ϕ1 does. For PEAs, Zero(ϕ) is the set of all possible states of the system caused by the error parameters. In a polynomial-described system, the state must satisfy specific polynomial equations, whose solutions define the safe area of the system in that state. For example, if the set Zero(ϕ) indicates the safe area in a certain state of the system and we find that the system's variable value x in this state is not included in Zero(ϕ), the system is unsafe at that moment, and the fault should be eliminated immediately.

Problems of Previous Reasoning Methods
For error polynomial assertions, the previous reasoning methods [20][21][22] all characterize errors only as intervals, ignoring the probability distribution of the errors within the interval. In fact, this probability information does exist and can be obtained from statistics of previous data. For example, large-sample statistics of a sensor's measurements of a physical quantity show that measured values closer to the true value appear more frequently than values farther away. Ignoring the probability information of errors may lead to incomplete reasoning results, which affects the validity of the reasoning methods.
The set Zero(ϕ) of all possible states caused by error parameters can be obtained. When designing the system, the impact of errors on the system should be fully considered; thus, the system must be able to withstand the influence of errors. Hence, the system must allow its state to appear at any position inside the set Zero(ϕ); that is, Zero(ϕ) must be a subset of the designed state range of the system. Based on the previous reasoning methods [20][21][22], if the state of the system x = (x1, x2, ..., xn) at a certain time is found not to be in the set Zero(ϕ), that is, (x1, x2, ..., xn) ∈ Zero(ϕ) does not hold, then there must be non-error factors affecting the system at this time (the non-error factors here and below are not factors caused by uncertain parameters but the mechanical, electrical and other factors that affect the performance of the system), and detection should be carried out immediately. In other words, with the previous reasoning methods, only when the system state is found not to be in the set Zero(ϕ) can we conclude that non-error factors must be present. The following question arises: Can it be concluded in advance that there is a high possibility of non-error factors in the system while the system state is still inside the set Zero(ϕ)? Yes, but this requires more information about the error than the interval alone. The focus of this study is to obtain such answers by combining statistical methods with reasoning methods.

Reasoning Method Based on Truncated Normal Interval
In this section, by introducing the truncated normal interval and combining it with knowledge of probability and statistics, we generalize the methods of references [20,21]. According to quantile theory in statistics [28,29], the system state regions with low probability inside Zero(ϕ) can be marked. If the system states often appear in the low-probability area within a certain time period, there is reason to believe that non-error factors are affecting the system at this time. Although the system can withstand these non-error factors at this time, for safety-critical systems it is necessary to eliminate potential mechanical or electrical problems early. The specific steps of the reasoning method are given below; they apply to linear error assertions and to nonlinear problems in which the cross section (cross plane) of Zero(ϕ) is a convex set, such as the example in Section 4.
In the following steps of the reasoning method, x(t) is the observation vector of the system state variables x1, x2, ..., xn at time t, and ϕ is the error assertion that the system satisfies in the given state. It is necessary to assess whether non-error factors are affecting the system at this time. The steps of the reasoning method based on truncated normal intervals are as follows.
Step 1: Calculate all the vertices of the set Zero(ϕ), from which the inequalities used in Step 2 are obtained.
Step 2: Substitute any interior point p of the set Zero(ϕ) into the inequalities obtained in Step 1 to obtain a specific inequality relationship.
Step 3: Substitute x(t) into the inequalities obtained in Step 2. If x(t) does not satisfy the inequalities, there must be non-error factors affecting the system, and fault detection is required instantly. If x(t) satisfies the inequalities, proceed to Step 4.
Step 4: Calculate the probability distribution over the area represented by the set Zero(ϕ), and calculate the set Ω (Ω is the subset of Zero(ϕ) representing the area in which the system state x(t) has a higher probability of occurrence when the system runs without potential failures). When x(t) ∉ Ω, it is still very likely that non-error factors are present, and the system should still be inspected so that non-error factors do not grow beyond the acceptable range of the system.
In the next section, an example is provided regarding the application of the reasoning method to the two-body problem of decentralized power systems under train acceleration.

Verification of Two-Body Decentralized Power System during Train Acceleration
In Section 4.1, we present a case of the train acceleration state. In Section 4.2, we simulate the results obtained in Section 4.1 with a large number of random test cases.

Two-Body Problem of Train Acceleration
Assume that the train has two carriages (the 8-carriage and 16-carriage problems can be obtained recursively from the two-carriage problem). The two carriages have independent power outputs. When the train starts, it moves from the acceleration state to the constant-speed state. The guard v = 80 m/s = 288 km/h is the transition condition from acceleration to the constant-speed state, as shown in Figure 3. ϕ and φ are the formulas that must be satisfied in the acceleration state and the constant-speed state, respectively. For example, in the acceleration state, if ϕ is not satisfied, the train power output system is running abnormally, and immediate detection is required.
When the train is accelerating and starting, the total mass (including passengers) of carriage 1 and carriage 2 is a fixed value M. During a given acceleration phase, passengers flow randomly between the two carriages, but the total mass of the two carriages remains constant. For passengers to experience a comfortable ride, a constant acceleration (a = 4 m/s² in this case) must be maintained during the acceleration state. The power control system of the train has a complex feedback mechanism that can maintain stable acceleration. However, whether there are potential mechanical or electrical faults requires further verification and analysis.
After 200 s of acceleration with a = 4 m/s², the train speed reaches v = 288 km/h. In the acceleration state with a = 4 m/s², the following parameters affect the power output: M1 and M2 are the masses of the two carriages (including passengers and their luggage); f1 and f2 are the traction forces provided by carriage 1 and carriage 2; f12 is the force of carriage 1 on carriage 2; ζ is a parameter related to air density and pressure; a is the acceleration (a = 4 m/s²); and g is the gravitational acceleration (g = 10 m·s⁻²). In a given acceleration state, the sum of the masses of the two carriages is a fixed value of 110,000 kg. According to statistics of past passenger flow and weather information for the same period, some of the above parameters can be regarded as truncated normal intervals, introduced in Section 2.2; that is, M1 = m1 + Δm1 = [50,000, 60,000]_{h1}, h1(x, 50,000, 60,000, σ1); M2 = m2 + Δm2 = [50,000, 60,000]_{h2}, h2(x, 50,000, 60,000, σ2); ζ = [1.5, 2]_{hζ}, hζ(x, 1.5, 2, σζ). According to mechanics, we obtain Equation (20): From steps 1 and 2 of Section 3.2, the space area shown in Figure 4 can be obtained (the area surrounded by red lines, short for red area below). The possible power values at a certain time t_s (t_s ∈ [0, 200]) form the area enclosed (including the boundary) by the black line in Figure 5, short for black area below. The black area (a quadrilateral, as shown in Figure 6) is actually the horizontal section of the red area at t = t_s.
According to the definitions of the truncated normal interval and the arithmetic rules in Sections 2.1 and 2.2, the probability distribution information of f 1 , f 2 can be obtained.
The values of f1 and f2 are determined by the other variables (M1, M2, ζ, f12). First, the probability density of f2 is calculated. Let X = M2(gμ + a). According to Theorem 1, the probability density of X is h_X(x) = h2(x, 25,000, 32,000, 0.5σ2). From the second sub-formula (f2 = M2 gμ + M2 a + f12) of formula (20), combined with the arithmetic rules of the truncated normal interval introduced in Section 2.1, the probability density of f2 is obtained as formula (22): After calculating Equation (22), h(f2) (when 25,000 ≤ f2 ≤ 32,000) is obtained as formula (23): The function erf(x) appearing in formula (23) is $\mathrm{erf}(x) = \frac{2}{\sqrt{\pi}} \int_0^x e^{-t^2}\,dt$.

Next, let Z be the sum of f1 and f2, that is, Z = f1 + f2. From formula (20), when t > 0, the probability density of Z is obtained as formula (24):

h(z) = hζ(z, 1.5a²t² + M(gμ + a), 2a²t² + M(gμ + a), a²t²σζ) for 0.24t² + 55,000 ≤ z ≤ 0.32t² + 55,000, and h(z) = 0 for z < 0.24t² + 55,000 or z > 0.32t² + 55,000.

After calculating formula (24), h_{f1+f2}(Z = f1 + f2) (when 0.24t² + 55,000 ≤ z ≤ 0.32t² + 55,000 and t > 0) is obtained as Equation (25): When z < 0.24t² + 55,000 or z > 0.32t² + 55,000, h(Z = f1 + f2) = 0; when t = 0 and 0.24t² + 55,000 ≤ z ≤ 0.32t² + 55,000, h(

The Maple 2020 code to obtain the results of Equations (23) and (25) is as follows:

phi := x -> exp(-1/2*x^2)/sqrt(2*Pi);
Phi := x -> 1/2 + 1/2*erf(1/2*sqrt(2)*x);
# truncated normal density of Definition 2 (formula (6)); zero outside [a, b]
f := (x, a, b, sigma) -> piecewise(a <= x and x <= b,
    phi((x - 1/2*a - 1/2*b)/sigma)/(sigma*(Phi((1/2*b - 1/2*a)/sigma) - Phi((1/2*a - 1/2*b)/sigma))), 0);
# density of f2 = X + f12 as the convolution of the density of X = M2*(g*mu + a)
# (shape parameter sigma2/2 by Theorem 1) with the density of f12 on [0, 2000]
h := (f2, sigma12, sigma2) -> int(f(f2 - f12, 25000, 30000, 1/2*sigma2)*f(f12, 0, 2000, sigma12), f12 = 0 .. 2000);

In Equation (28), the RootOf expression represents the root of the corresponding equation. According to the numerical calculation from formulas (28) and (29), when t = 150 (s),
The parallelogram in Figure 8 (the area enclosed by P1t P2t P3t P4t) is the set of all possible power distributions of the system caused by error parameters when t = 200. When designing the system, the possible errors must be fully estimated, and the power range of f1, f2 must cover the P1t P2t P3t P4t area to ensure that the system can withstand the error parameters. As time passes, the mechanical equipment of the train will inevitably wear out. Hence, it is necessary to detect factors that may cause system failure in time. This section discusses how to divide the P1t P2t P3t P4t area according to statistical knowledge, which is helpful for the safe operation of the system. Figure 9 shows the division of the area in Figure 4. From (26)-(29), we obtain inequality (30) below, which represents the white area in Figure 9. If the values of f1 and f2 appear in the red area for a period of time, it is reasonable to believe that there are non-error factors in the power system at this time, and the system must be checked in time to inspect whether there are mechanical or electrical faults.
The red area in Figure 9 indicates a low occurrence probability of f 1 , f 2 . It is unlikely that f 1 and f 2 will be in the red area for a long time, which means that there is a high possibility of non-error factors. Although the system can withstand it sometimes, early detection is still necessary for safety-critical systems.

Simulation and Test
The three truncated normal intervals in ϕ are M1 = [50,000, 60,000]_{h1}, ζ = [1.5, 2]_{hζ} and f12 = [0, 2000]_{h_f12}; h1, hζ and h_f12 are their probability density functions. According to acceptance-rejection sampling, when t = t_s, we can obtain n groups of test cases, from which the corresponding solutions can be obtained. We can then count the distributions of these solutions. Figure 10a,b show the distributions of f2 and Z = f1 + f2 in their truncated intervals, respectively, when n = 10,000; Figure 10c shows the corresponding distribution when t = 200. In Algorithm 1, the sampling is repeated in a loop over time, with t = t + Δt after each iteration. Taking n = 100 for every discrete integer value t = 1, 2, ..., 200, we obtain Figure 11, where the power distributions of f1 and f2 are represented by the blue points.
According to steps 3 and 4 of the reasoning method given in Section 3.2, we obtain the following: during the acceleration, if the power distribution of f1 and f2 is not within the area enclosed by "P1 P2 P3 P4 P5 P6 P7 P8" in Figure 11, there must be non-error factors affecting the power system, and fault detection should be carried out immediately; if the power distribution of f1 and f2 is inside the area "P1 P2 P3 P4 P5 P6 P7 P8" in Figure 11 but f1 and f2 continuously appear inside the red area of Figure 11, then, according to statistics, there is a high probability that non-error factors are affecting the train power system at this time, and fault detection is still required immediately.
From Figure 11, most of the distributions of f 1 and f 2 are inside the white area.
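Steps 3 and 4 of Section 3.2 and the acceptance-rejection simulation of Section 4.2 can be exercised together on a single truncated normal interval. The Python script below is an added example, not the paper's code or its Maple/Algorithm 1 implementation. It samples a truncated normal interval by acceptance-rejection with a uniform proposal on [a, b], computes the high-probability set Ω as the central quantile region containing probability 1 − α (the paper's Ω is the two-dimensional white area of Figure 9; reducing it to one scalar state is an assumption made here), classifies observations as in steps 3 and 4, and checks that the share of error-only samples landing outside Ω is close to α, which is the consistency the simulation in Section 4.2 is meant to show. The interval a = 1, b = 4, σ = 1 (the Figure 1 parameters), the level α = 0.05 and the random seed are constructed inputs.

```python
import math
import random


def norm_cdf(t):
    """Standard normal CDF via erf."""
    return 0.5 + 0.5 * math.erf(t / math.sqrt(2.0))


def f(x, a, b, sigma):
    """Symmetric truncated normal density on [a, b] (formula (6)); zero outside."""
    if x < a or x > b:
        return 0.0
    mu, half = 0.5 * (a + b), 0.5 * (b - a)
    density = math.exp(-0.5 * ((x - mu) / sigma) ** 2) / math.sqrt(2.0 * math.pi)
    return density / (sigma * (norm_cdf(half / sigma) - norm_cdf(-half / sigma)))


def sample_truncated_normal(a, b, sigma, n, rng):
    """Acceptance-rejection sampling (Section 4.2): propose x ~ U[a, b] and
    accept with probability f(x)/f_max, f_max being the density at the midpoint,
    where the symmetric curve peaks. Accepted points follow f exactly."""
    f_max = f(0.5 * (a + b), a, b, sigma)
    samples = []
    while len(samples) < n:
        x = rng.uniform(a, b)
        if rng.random() * f_max <= f(x, a, b, sigma):
            samples.append(x)
    return samples


def high_probability_region(a, b, sigma, alpha, grid=4000):
    """Step 4 for a scalar state: Omega = [q_lo, q_hi], the central region with
    probability 1 - alpha, obtained by inverting a trapezoid-rule CDF on a grid."""
    h = (b - a) / grid
    xs = [a + i * h for i in range(grid + 1)]
    dens = [f(x, a, b, sigma) for x in xs]
    cdf = [0.0]
    for i in range(1, len(xs)):
        cdf.append(cdf[-1] + 0.5 * (dens[i - 1] + dens[i]) * h)

    def invert(p):
        for i in range(1, len(cdf)):
            if cdf[i] >= p:  # linear interpolation inside the bracketing cell
                frac = (p - cdf[i - 1]) / (cdf[i] - cdf[i - 1])
                return xs[i - 1] + frac * h
        return b

    return invert(alpha / 2), invert(1 - alpha / 2)


def assess(x, a, b, omega):
    """Steps 3 and 4 for one observation x(t) of a scalar state."""
    if x < a or x > b:
        return "outside Zero(phi): non-error factor present, detect immediately"
    lo, hi = omega
    if x < lo or x > hi:
        return "inside Zero(phi) but outside Omega: low-probability state, inspect"
    return "inside Omega: consistent with error parameters alone"


def fraction_outside_omega(a, b, sigma, alpha, n, seed):
    """Simulate n error-only states and return the share falling outside Omega;
    for a correctly computed Omega this is close to alpha."""
    rng = random.Random(seed)
    omega = high_probability_region(a, b, sigma, alpha)
    samples = sample_truncated_normal(a, b, sigma, n, rng)
    outside = sum(1 for x in samples if x < omega[0] or x > omega[1])
    return outside / n


if __name__ == "__main__":
    a, b, sigma, alpha = 1.0, 4.0, 1.0, 0.05  # constructed interval and level
    omega = high_probability_region(a, b, sigma, alpha)
    print("Omega =", omega)
    for x in (0.5, 1.05, 2.5):
        print(x, "->", assess(x, a, b, omega))
    print("share outside Omega in simulation:", fraction_outside_omega(a, b, sigma, alpha, 5000, 7))
```

A state that is persistently reported as "low-probability" is the scalar analogue of f1, f2 staying in the red area of Figure 11: the system still tolerates it, but under error parameters alone such states should occur with frequency about α, so a run of them is evidence for a non-error factor.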

Discussion
Previous reasoning methods have mainly focused on systems with precise parameters. Most of them are invalid for systems with uncertain parameters because the Gröbner basis changes discontinuously with the coefficients. The authors proposed reasoning methods [20][21][22] for systems with uncertain parameters: the power distribution areas caused by error parameters can be obtained and used to determine whether the system has non-error fault factors (mechanical and electrical faults) by observing whether the system states lie inside the area, but these methods ignore the probability information of the errors within the interval. The method proposed in this paper combines the probability information of errors with the previous reasoning methods. Hence, not only can the power distribution areas be obtained, but also a subdivision of the area by statistics, from which the presence of non-error fault factors can be determined earlier than with the methods [20][21][22]. Hence, the results obtained by this method are more complete than those of the methods [20,21]. Nevertheless, the method in this paper involves more calculation than the methods [20,21]. Finally, although this method increases the computational complexity, this is necessary for safety-critical systems. Some scholars have studied fuzzy-logic-based [30] reasoning rules [31], which have been applied in some areas [32,33]. These differ from our method, which has a more obvious statistical significance. Table 1 shows the advantages and disadvantages of this method and other reasoning methods.

Table 1. Advantages and disadvantages of this method and other methods.

Method | Advantage | Disadvantage
Methods [20,21] (linear error assertions) | Better time complexity compared to other methods in the table. | May be invalid for non-convex zero set; lack of error probability information.
Method (name missing) | (missing) | Very high time complexity; lack of error probability information.
Method [30] (fuzzy reasoning) | Based on fuzzy logic; it has well-established theoretical support. | Weak statistical significance.
The method in this article | Strong statistical significance. Identifies potential faults earlier than methods [20,21]. | Higher time complexity than that of the methods [20,21].

Conclusions
Our main contributions are as follows. First, the errors were represented by symmetric truncated normal intervals, and the probability information of the errors was described by a truncated normal probability density function. Lemmas 1 and 2 and Theorem 1, together with their proofs, are provided, which partially simplify the calculations between truncated normal intervals. Second, we combined symmetric truncated normal intervals with the previous reasoning methods and provided the steps of the reasoning method. The calculation of probability information is added to the reasoning method, which makes it more effective and valuable than the methods in [20][21][22] for safety-critical systems. Finally, a realistic example of train acceleration was provided. Most of the simulated points were inside the white area in Figure 11, which indicates that the theoretical results (the white area obtained by the reasoning method in this article) were consistent with the simulation results in this example.