An Improved FFIP Method Based on Mathematical Logic and SysML

In recent years, the model-based safety analysis (MBSA) has been developing continuously. The Functional Failure Identification and Propagation (FFIP) method is a graphics processing technology which supports the analysis of fault propagation paths before making costly design commitments. However, the traditional FFIP has some deficiencies. In this paper, we extend the functional failure logic (FFL) in the FFIP and introduce the concept of deviation. So, FFIP can be used to analyze the failure process of the systems and make the logical analysis of functional failure easier. Based on the extended FFL, we present a new overview of the FFIP. The FFIP is improved by using mathematical logic and Systems Modeling Language (SysML). The standard expression of FFL is realized, which is conducive to the subsequent modeling and modification. Additionally, we use the failure logic analysis in the FFIP to improve the state machine diagram (SMD) in SysML. Finally, the improved FFIP method is used to analyze the fault propagation paths of the system and Simulink is used for simulation. The fault tree is generated according to the simulation results, the minimum cut set is calculated, and the key failure parts of the system are obtained.


Introduction
With the development of new technology, the demands for system safety, especially in complex industrial systems, are constantly increasing. Currently, there are several safety analysis methods that have been proposed, such as Fault Tree Analysis, Event Tree Analysis, Failure Mode Effect Analysis, Hazard and Operational Analysis, etc. [1]. However, the above methods rely too much on the analyzers' experience and subjective judgment. With increasing complexity of industrial systems, it is difficult to use these traditional safety analysis methods to achieve accurate and complete analysis results.
In the past few years, some new safety analysis methods have emerged, for example, the Functional Resonance Analysis Method (FRAM) and the Systems-Theoretic Process Analysis (STPA) method. FRAM [2] is a systematic analysis method, which can be used to model complex social-technology system. Although it is powerful for visualizing and understanding the functions of system, it does not do well in quantization. It is also difficult to obtain safety constraints. STPA [3] is based on the system theory and cybernetics, it treats the research object as a hierarchical control structure. STPA carries out safety analysis by determining analysis objectives, constructing hierarchical control structure, identifying unsafe control actions, and identifying loss scenarios. However, all these analyses methods need to rely on the subjective experience of personnel, which leads to the deviation of the results of different personnel analysis.
With the advancement of the whole life cycle of the system, relevant safety analysis is constantly updated, and the MBSA was gradually developed [4]. The purpose of MBSA is to study the modeling of complex industrial systems, implement automated or semiautomated safety analysis and perform verification based on system models [5]. MBSA is executed as follows: 1.
Establish a general and unified model according to the purpose of system design and analysis.

2.
Use formal tools to describe the model. 3.
Use simulation or model checking to evaluate the safety of the system based on the model. 4.
Generate the analysis results, such as the FTA minimum cut set, FMEA form (Failure Mode Effect Analysis), etc.
At present, some typical MBSA methods include Failure Propagation and Transformation Notation (FPTN), Hierarchical Performed Hazard Origin and Propagation Studies (HIP-HOPS), Failure Propagation and Transformation Calculus (FPTC), AltaRica 3.0, etc. FPTN [6,7] is aimed at software safety analysis. FPTN limits artificial logic reasoning to the module level, reduces the capability requirements for analyzer and increases the accuracy of reasoning. However, this method is not supported by other tools and its scope of application is limited. FPTC [8] is a further development based on FPTN, in which system model is linked with failure model and requires a repeated analysis after injection failure. HIP-HOPS [9,10] is a hierarchical and modular analysis method, it can be used for system reliability modeling and analysis. In this method, the input failure and output failure are linked, and the SAM tool is used to generate the fault tree and calculate the minimum cut to find all propagation paths that cause the output faults. AltaRica [11,12] has been one of the most popular modeling languages in the MBSA field, it is advanced description language based on pattern automata. The modeling languages of MBSA also include Systems Modeling Language (SysML), Architecture Analysis & Design Language (AADL), east-adl2, Security Assertion Markup Language (SAML), etc. [13]. When it comes to model checking, MBSA also has a lot of tools. The most representative of them are Symbolic Model Verifier (SMV) and Simple Promela Interpreter (SPIN) [14][15][16].
In this paper, we study the Functional Failure Identification and Propagation (FFIP), a graphical evaluation method, which is composed of structural models, functional models, behavior rules, functional failure logic (FFL) analysis and failure simulation. By using this method, a designer can analyze the system function effectively, realize the path of failure propagation, and reduce the influence of human subjectivity through simulation [17]. Simulation and reasoning methods in FFIP are derived from qualitative physics and qualitative reasoning. In other words, the finite state of system behavior is represented, and then the fault propagation path is deduced based on the qualitative relationship between function and behavior [18]. In recent years, FFIP has been constantly expanding and improving. General speaking, FFIP has the following advantages:

1.
It does not require the users to make the hypothesis of causality in advance [19], and it avoids the subjective influence of human.

2.
It can identify the functional failures caused by global interaction, and simulate any number of failures.

3.
It can help engineers identify the key components of the system and quantify the related risks of specific components.
Since FFIP was proposed [17], it has been applied in many fields and developed continuously. In reference [20], a method of automatically generating an event tree based on the FFIP framework was formed, and an automatic tool was developed. In reference [21], the FFIP method is extended to generate training and test data sets for the development of failure detection systems based on a data-driven machine learning method. Reference [22] shows that the FFIP method can effectively evaluate software and hardware. Additionally, in reference [23], human factors are considered, and the impact of human error on system failure is analyzed by using FFIP. In reference [24], external events are considered, the Time-Based Failure Flow Evaluator (TBFFE) is developed based on FFIP method. In reference [25], the Function Failure Propagation Potential Method (FFPPM) is proposed by extending FFIP with graph theory and matrix theory.
Of course, the FFIP still has its own shortcomings. First, the FFIP method is suitable for the early design stage of the system, but MBSA pursues a unified model in the whole life cycle of the system, from design to use to inspection. Secondly, the FFL of FFIP is not specific and clear for the description and lacks the standardized description. On top of that, the FFIP method uses graphics to describe the model, missing a standardized and unified modeling language.
SysML is a multipurpose standard modeling language, and can support the detailed description, analysis, design, validation, and verification of various complex industrial systems, such as hardware, software, information, process, personnel and facilities and other systems. A SysML diagram contains many elements that can be combined with each other, which can represent the structure, function and behavior of the system in a standardized way [26][27][28].
In recent years, researchers have combined some parts of FFIP with SysML. In reference [29], the FFL of FFIP is integrated into the Block Definition Diagram (BDD) to evaluate and compare the input and output streams. In reference [30], StateCharts are used to further expand the FFL. The framework of FFIP is expanded by clearly listing the hierarchical relationship among system state, function state, component state, command signal and sensor signal. In the above literatures, FFIP has been combined with SysML, but they only used SysML to expand FFL, and did not combine with the whole modeling process of FFIP.
In this paper, we introduce mathematical logic and SysML to extend the FFIP method from two aspects: the applicable stage of the method and the formation of standardized expression. Firstly, we introduce the concept of failure deviation and extend the FFL. Then, we use mathematical logic to normalize the failure logic. In addition, we combined FFIP with SysML. On one hand, we combine SysML with the whole modeling process of FFIP and propose an integral modeling method under the MBSA framework. It includes building the structure model, function model and behavior model in FFIP with SysML. This solves the problem of lacking standardized language description of FFIP, and makes it easier for the modification and analysis. On the other hand, we improve the state machine diagrams (SMD) in SysML to better represent the FFL of the system. In the end, the S18 brake system in SAE ARP4761 is taken as an example to demonstrate the feasibility of the extended FFIP method, in which we use Simulink to simulate failure and generate a fault tree based on the output of simulation. By calculating the minimum cut set, the key failure location is obtained, and a quantitative probability-based analysis of the FFIP method can be achieved.

Functional Architecture of the System
The MBSA emphasizes the model as the basis and core of safety analysis [31]. Building the unified model is one of the major differences between MBSA and traditional safety analysis. Based on the model, it carries out more efficient safety analysis than the traditional methods. Generally, designers tend to start with the functional requirements of the system and build the model from top to bottom. On the other hand, analysts prefer from bottom to top based on the functional state of the system. However, in order to build a unique system model, we need to unify the modeling process and standards [32,33]. Therefore, a modeling framework based on function, behavior and structure is formed, as shown in Figure 1.
In the function-behavior-structure modeling framework, defining the overall function is the beginning of system design. The overall function describes the tasks that the system needs to complete. Based on the understanding of the overall function, the framework breaks it down to different levels of functions, builds the relationship between the functions, and constitutes the functional model. As the realization of function depends on the implementation of behavior, we need to extend the function model to behavior and the behavior relationship, and then constitute the behavior model. Behavior needs specific structure to perform, so we need to obtain structure and structural relationship in the components of the system, using them to constitute the structural model. In a system design, function is the king, while behavior is the foundation of function realization. Structure is the basis of building the whole system. It is the foundation of the existence of the system. FFIP is a modeling method based on the mapping of function, behavior and structure [17]. FFIP is composed of three parts. The first part is the structure and function modeling: to draw the structure flow chart and function model diagram according to the system schematic diagram. The second part is behavior modeling, including setting behavior rules and analyzing the FFL. The third part is functional failure propagation simulation, to analyze the path of functional failure propagation. The FFIP is based on the functionbehavior-structure relationship mapping, which realizes the systematic safety analysis of failure simulation and qualitative reasoning. In specific failure scenarios, FFIP can simulate the potential function failure mode and determine the fault propagation paths using a qualitative method, to evaluate the impact of the functional failure.
The purpose of FFIP is to find the path of failure propagation. Therefore, FFL is the core of FFIP. This paper focuses on the component failures, which is manifested by the deviation of the key process variables. These variables include flow, pressure, signal, amplitude, etc. In the process of system operation, human factors and external events could also cause system fault, these are all valuable things we need to spend some time on. The common result of these unexpected events is the changes of the key process variables of the components. However, the changes of these variables do not always cause system failure. In other words, component failures do not necessarily cause system fault. Therefore, it is meaningful to analyze the component failures and carry out failure simulation.

The Extension of Functional Failure Logic
In the modeling process, we need to identify the functions of products and components first, and then complete the system design according to the mapping relationship of function-behavior-structure. However, the function and structure of components are not always a correspondence of one-to-one. As shown in Figure 1, one function might correspond to multiple structures, and one structure might participate in the implementation of multiple functions. Under the design idea of V-model [35], in the design phase, the personnel need to allocate the equipment according to the function corresponding to the structure. In the verification phase, the personnel need to verify and integrate equipment for the target function. Therefore, the functional requirements of the single component should be considered in the early design stage of the system. One of the purposes of MBSA is to use a unified modeling method in the whole life cycle of equipment [36]. It is incomplete to consider only FFL in the safety system modeling.
Failure logic describes the relationship among the causes, processes, and consequences of failure. FFL is the functional highlights of failure logic. To improve the deficiency that the FFIP method has, namely, that it is mainly suitable for the early design stage of the system, this paper extends the FFL in FFIP and introduces the concept of deviation. The deviation is the degree to which the real situation deviates from the normal situation. Based on the magnitude of the deviation, the state of the components can be classified to infer the extent of the component exception. We can also classify failure deviations and determine failure types based on observed values. In this way, the FFIP method not only stays on the function analysis, but also extends to the specific failure. By analyzing the specific failure of the system, the FFIP method can be applied to the design stage and other stages of the system operation, including the decision-making and formation stage, and the use and maintenance stage [37].
The extension of the concept will lead to a change of the FFIP framework. Firstly, the extended FFIP method needs more detailed modeling of the behavior and function of the system to cover the whole life cycle of the system. It is because the typical FFIP method is suitable mainly for the early design stage, and the function description of the system and components is unspecific. Secondly, the extended FFIP method is changed from analyzing FFL to analyzing failure logic, which makes the level of analysis higher. Additionally, it is necessary to classify failure logic to facilitate subsequent failure logic analysis.

Classification of Failure
Researchers always classify the failure modes of a particular system. For example, in reference [38], the faults of an automobile are divided into high oil temperature, abnormal fan speed, abnormal oil pressure, etc. In reference [39], the faults of the hydraulic cylinder are divided into leakage of the telescopic cylinder oil pipe, bending of the oil pipe after extending out of the hydraulic cylinder, and corrosion of the guide sleeve. The purpose of classifying these faults is to identify the fault category more accurately in the process of safety analysis for specific equipment, to determine better improvements. However, there is a lack of a universal classification method without considering the research object. References [40,41] creates a hierarchical fault mechanism taxonomy, using level 1, level 2 and level 3 terminology to describe the potential fault mechanisms. However, this classification is still for those products that have already failed.
In paper [42], the classification of HAZOP deviation is referred, and the failure deviation is divided into NONE, MORE, LESS, and REVERSE. In this paper, through the study of fault classification of different equipment, the failure deviation can be analyzed more comprehensively. Deviation is divided into three categories: Logic, Time, and Value. Each category has its own secondary classification, as shown in Table 1.
The advantage of the above classification is that the type of deviation only needs to be judged according to the observed value directly, not the failure mode of the system or component. The classification of failure deviation can help us to understand the failure cause of a system or component systematically. Then, we can define the transition conditions of the component state and analyze the failure logic. The classification of failure deviation can be applied to different kinds of equipment systems to form a standardized analysis process.

Description Method of Failure Logic
Failure logic analysis is the core of the extended FFIP method. It is important to analyze and express the failure logic of systems and components. Mathematical logic is a logical reasoning that uses mathematical symbols to describe objective objects [43]. In mathematical logic, generally, "1" and "0" are used to represent "true" and "false". Symbols such as "and", "or" and "not" are used to represent the operation rules, to realize the transformation from complex logical operation to simple numerical calculation. In this paper, mathematical logic is adopted to describe the failure logic of systems and components. Thus, the complex functions of a system can be expressed in a specific way, and the readability of information is increased with mathematical logic. Through the guideline on the specific mathematical expression in failure logic, the designer and the user can unify their expression for further communication and modification. Common connectives in mathematical logic are ¬, ∧, ∨, → and ↔. The method of using mathematical logic to express failure logic is shown as follows.
First, the failure deviations are classified according to the failure modes that may occur in the system. It is described with the symbol of mathematical logic, as shown in Table 2. Table 2. Mathematical description of failure deviation. Then, according to the formal graphical representation method [44,45], the conversion method of failure logic is expressed. As shown in Figure 2, we use circles to indicate the state of the component and arrows to indicate the transition relationship between states. The content on the arrow is the mathematical description of the failure logic using the failure deviation, and the conversion condition of the state is expressed in simple and clear language.

Conversion Method from FFIP to SysML
In this paper, we combine the FFIP method with SysML and use different graphs of SysML to demonstrate the FFIP model. Using SysML to represent the structure and function model of FFIP can make the information flow and function flow more closely related. Additionally, the use of SysML can facilitate communication and make design easier between system users, maintenance personnel, and those who may debug, integrate, extend, modify and change the system [46]. SysML is mainly composed of nine types of diagrams: activity diagrams, sequence diagrams, state machine diagrams, use case diagrams, requirement diagrams, block definition diagrams, internal block diagrams, parameter diagrams and package diagrams [47]. The mapping relationship between FFIP and SysML elements is shown in Table 3. Table 3. Mapping relationship between FFIP elements and SysML elements.

Component Block
It represents the events in the process dimension and the people, machines, and environment in the object dimension.

Information
Attributes It describes events, as well as the value attributes of people, machines, and environments.

Function
Operation It describes events, as well as the functional attributes of people, machines, and environments.

Behavior
Message It describes the relationship between basic events and people, machines, and environment factors.

Reply
Reply message It describes the feedback of behavior.

Structure connection Directed Association
It describes the relationship between the events and their processes.

State transfer Transition
It describes the transition conditions between different states.
The block definition diagrams (BDD) in SysML define the attributes of modules and the relationships among them, which includes association, generalization, and dependency. The block attributes of BDD can be divided into two types: structure attributes and behavior attributes. The value attribute of a structure attribute can be used to represent the output signal and flow value of the module. Moreover, the operation attribute of the behavior attribute can be used to represent the functional behavior of the module. Therefore, we can use BDD to describe the structure and function model of FFIP. In this way, the structure model and function model of FFIP can be represented in the same BDD of SysML. The advantage of using BDD is that the structure, function, and data flow can be expressed at the same time, which makes the functional design of components clearer and easier to communicate and modify by different users.
Sequence diagrams (SD) in SysML can describe the sequence of actions and information flow transmission. There are two advantages of using sequence diagrams. They can describe the behavior rules in the behavior models of FFIP and can also describe the information transfer relationship between modules. Using the SD of SysML presents the complex task process in a more organized way, which makes up for the disadvantages of using tables to list behavior rules in the FFIP method.

Improvement of SysML State Machine Diagram
In the previous section, we use the BDD and SD in SysML to make a standardized modeling of the structure model, function model and part of the behavior model in FFIP. What has not been built in the behavior model is failure logic. Failure logic is the core of the extended FFIP method. However, none of the nine diagrams in SysML can describe failure logic. To combine SysML with FFIP, this paper extends the elements of SysML to describe failure logic.
State machine diagrams (SMD) in SysML are mainly used to describe the life cycles of objects, subsystems and systems [48]. Through the SMD, we can know all the states that an object can reach and the impact of events on the state. Therefore, the SMD can represent the state transition of components and the transformation relationship between different states.
In this paper, we divided the functional states of components into three categories: nominal state, failure state and degradation state. The nominal state is the normal operation state of the system. Failure state refers to the state in which the system produces some failure when the deviation exceeds a certain value. Degradation state refers to a state between nominal and failure state, which has not had a significant impact but deviates from normal performance. Failure logic can be represented using key process variables. The logical relationship between the input, output, and deviation of variables can explain the current state of the component, and the deviation can express the internal failure of component behavior and the effect of other components.
However, we need more information in the state diagrams to describe the failure logic: • the representation of deviation; • the representation of different state types of components. Table 4 shows the extension of SysML elements to meet the above two requirements. When we use the SMD to represent the FFIP behavior model, the state blocks are used to represent different states of the components. The arrows are used to show the factors that cause the state transition. The text on the arrow shows the mathematical logic to describe the conditions for triggering failure. The SMD of SysML can better show the transformation relationship of failure logic, making the models more coherent and readable.

Improved FFIP Method
According to the above improvements, the proposed FFIP method is mainly divided into the following five steps: Step 1: Establish structure model and function model Use the BDD of SysML to build the structure model and function model in FFIP. These two models describe the structural configuration and functional relationship between system components. In addition to the two models, information flow and function flow of a component could be built into one graph more explicitly, making the model more coherent.
Step 2: Introduce deviation of key process variables Select the key process variables that can reflect the behavior state of components. Then, calculate the deviation with formula (1). The deviation value can reflect the change of component state.
where D is the deviation; RV is the present value; DV is the design value.
Step 3: Build behavior model The behavior model includes behavior rules and failure logic. Behavior rules represent the activities of system components, as well as the inputs and outputs that lead to the activities. The SD in SysML is used to build the behavior rules in FFIP, which can better emphasize the occurrence order of behaviors and help to clarify the logic. Failure logic describes the relationship between the cause, process, and consequences of component failures. The state and state transformation conditions of the component also need to be analyzed. According to Table 2, using mathematical logic, we express the transformation conditions of states. Then, we describe the state and transformation relationships of the components, in combination with the improved state machine diagrams in SysML.
Step 4: Establish the simulation model and simulate the failure According to the established FFIP models, the nominal model and failure model are established in Simulink. The failure injection method is used to simulate the failure.
Step 5: Analyze the simulation results and output the fault tree.
Using the fault propagation paths obtained by simulation, the fault tree is generated, and the minimum cut set is calculated to obtain the key failure components.

Case Study
In this paper, we take the wheel brake system in the appendix of ARP 4761 as a case to apply the above method.

Structural and Functional Model
In the traditional FFIP method, the construction of the structure and function model is represented in the form of a flow chart, as shown in Figures 3 and 4.
In the improved FFIP method, SysML is used to describe the structure and function model of FFIP, as shown in Figure 5.
The sequence diagram of SysML can explain the behavior rules in FFIP, as shown in Figure 6. This model represents the following behavior process. After the operator presses the pedal, the BSCU subsystem receives the work instruction and transmits the signal outwardly. The selector valve receives an S1 signal and selects the green pump subsystem. The green pump subsystem returns error data to the selector valve, making it select the blue pump subsystem. The blue pump subsystem returns the correct data. Then, the blue pump subsystem performs the task of controlling the wheel rotation. Finally, the correct operation of the wheel is generated and fed back to the operator. Thus, this task has been completed.    The SMD of SysML can show the different states of the components, and the transformation relationship between them. The failure logic of the brake system described by the SMD is shown in Figure 7. In this case, the key process variables are quantity of flow: Q, pressure: P and time: T. The arrows represent transitions between different states, and the text above them is a mathematical description of the failure deviation.

Simulation Model and Failure Simulation
According to the structure model, function model and behavior model, the simulation model of the S18 brake system is established by using the Simulink. Firstly, the nominal model, representing the system under normal operation, is established according to the structure model and the function model. Then, according to the failure logic in the behavior model, the fault injection method is used to establish the failure extended model, as shown in Figure 8. The system can simulate 39 single failures and 741 double failures. Figure 8. Failure extended simulation model of S18 brake system.

•
Single failure simulation Single failure simulation is to simulate the system situation when one failure module is set to "1" and other failure modules are set to "0" each time. Limited by the length of the paper, only 9 typical single failures are selected for description in this section, as shown in Table 5. The single failures shown in the table are as follows. It should be noted that the example here only lists one failure mode for each component. There are still other failure modes for the components. Other failure deviations that may be involved in components are shown in Table 1.

•
Double failure simulation Double failure simulation is to simulate the system situation when two failure modules are set to "1" and other failure modules are set to "0" each time. Also due to space limits, this paper selects 8 typical double failures to explain, as shown in Table 6.

Further Analysis
According to the results of the single-failure and double-failure simulations, the fault propagation paths of the brake system can be deduced. Through analyzing the fault propagation paths, the fault tree of the brake system can be obtained, as shown in Figure 9. The propagation of single failure is represented by an OR gate in the fault tree, while the propagation of double failure is represented by an AND gate.  Figure 9. Fault tree of brake system.
Next, we use letters and numbers to present the failure events, as shown in Figure 10. The purpose is to facilitate the calculation of the minimum cut set.
Through calculation, the minimum cut set is obtained as follows: Based on the minimum cut set, it can be concluded that the key events are A1, A2, A3, A4 and A5. They represent the failure of the selection valve, power, System Model_SelCmd module, Auto Braking_Pressure Out module and accumulator pump. Sys-temModel_SelCmd and AutoBraking_PressureOut are two modules in BSCU modeling, so it is not considered as the key failure position. In addition, power-off belongs to external factors of equipment, so it is not considered. On the other hand, since A8 and A10 are related to the green hydraulic pump, and A9 and A11 are related to the blue hydraulic pump, the failure of these two hydraulic pumps also plays a key role in the whole system. Therefore, the key failure parts are the hydraulic pumps and the selector valve. Thus, in the process of equipment operation, more attention should be paid to the maintenance and repair of hydraulic pumps and the selector valve, to ensure the safety of the system.