
System safety is a vital non-functional requirement whose satisfaction is essential for system software. However, modern aerospace system software is increasingly complicated, which makes the analysis of system faults highly complex. With the growing acceptance of Model-based Systems Engineering as a method for systems engineering, Model-based Safety Analysis has been proposed to formalize the task of safety analysis and automate the safety calculations. Our work is grounded on the State/Event Fault Tree, which is used both to analyze system faults and to build the functional model. First, we translate the SEFT into a SysML-based state machine carrying fault messages, matching elements together and translating the logic gates; second, this paper theoretically derives the transformation of the state machine into a Petri Net model by means of rigorous semantic relations, from which a preliminary analytical model is extracted; finally, we derive analyses of the causes and consequences of faults from the Petri Net model using a set of mathematical and statistical techniques. We have also validated our work with a case study of an aeronautic control system.


Introduction
Increasing system complexity results in an increase in the complexity of the safety analyst's task of ensuring that systems are safe. Thus, how to build models that exactly express a complicated control system and identify its safety-related fragments is a pressing issue in the avionics domain [1]. In theory, system safety uses systems theory and systems engineering approaches to prevent foreseeable accidents and to minimize the consequences of unforeseen ones. It is a planned, disciplined, and systematic approach to identifying, analyzing, and controlling hazards throughout the life cycle of a system in order to prevent or reduce accidents. Model-based Safety Analysis methods have been developed to formalise this work and subsequently automate the safety calculations. However, these techniques use their own models, which are not identical to the design models. Keeping these models consistent often requires model-to-model transformations.
There are many difficulties in modelling and analysis, because the nature of software with high complexity is still not clearly understood. Fault Tree Analysis (FTA) [2] is a conventional modeling technique for safety and reliability analysis, which plays a vital role in domains such as avionics, railways, maritime and automation. Nevertheless, FTA is not well suited to setting up software models, for three reasons [3]: (1) an FTA, consisting of a series of fault sub-trees with precise logic, is not adequate for describing a complex component system together with its architecture; (2) FTA can reliably be applied to domain safety analysis, but it is not a good way to depict system behaviour; (3) FTA does not emphasise components with multiple states, because of its restrictive two-state view. Although FTA cannot be used directly for modelling, it is worthwhile to combine this method with other mature modelling methodologies (e.g., the Petri Net model) for quantitative analysis.
The State/Event Fault Tree (SEFT) [4] is assembled from a Fault Tree (FT) and Component States (CS); it can not only support safety analysis but also build the system model by making the logic gates and elementary components explicit. In this paper, we first obtain a SysML-based state machine by extending the SEFT, which requires a set of logical correspondence relations; then, transforming the state machine into a Petri Net model is also a significant part of our work; finally, we perform an automated safety analysis to obtain feedback and results without needing a safety specialist.

Theoretical Principle
This part briefly describes the ideas behind SEFT and discusses modelling techniques grounded on the SysML state machine. Moreover, the software safety analysis framework based on SEFT is introduced in the rest of this chapter.

SEFT
The Component Fault Tree (CFT) is an integration of components and fault trees [5]; it comprises a large number of independent structures together with system behaviours and fault messages [6]. Figure 1 shows the internal elements of a CFT and their mutual relations; its interface is the bridge for interaction with the external environment. Note that a state cannot trigger an event, but a state can be triggered by an event.
Then, we can transform the CFT into an SEFT, which consists of a set of elements obtained by a mapping function, as shown in Figure 2.

SysML State Machine
A State Machine [7] describes the sequence of states passed through by the instance of a class, and the series of responses generated by events that the object of that class receives, throughout the whole software life cycle. In other words, a State Machine is an integration of states, events and transitions.

Petri Net
The essence of a Petri net [8] is the flow of resources; it can model a real-time system, and the system's function can be reflected by the Petri net. The Software and Hardware Fault Petri Net (SHFPN) is a Petri Net (PN) model defined as the six-tuple (P,T;F,K,W,M0) which expresses the causality between faults and fault modes, and in particular their formation mechanism. Moreover, a Petri net can be depicted graphically, as exhibited in Figure 3 and Figure 4.

[Figures 3 and 4: graphical Petri net notation; only the labels Ph, Pm, Ps, Th, Tc and F survive from the figures.]

Analytical Framework
Existing safety engineering processes are normally based on standards that define a common framework for deriving safety requirements, combining hazard assessment and risk analysis techniques [9]. Our contextual framework is given in Figure 5.

Transition-related Algorithms
In order to obtain an accurate state machine, we have developed a model-checking algorithm that automatically checks a set of conditions, shown in Figure 6.

Figure 6. SEFT checking algorithm (Algorithm A: check the transformation conditions)
The following excerpt illustrates the mapping of states, events, ports and transitions used to capture a state machine from an SEFT. There are four algorithms, illustrated in Figure 7.

Transition from Logic Gates to State Machine
Generally, a fault tree includes "AND" gates, "OR" gates and their combinations. The rest of this section describes the conversion between logic gates and the state machine. The "AND" gate, written "∧", represents the intersection of several input terminals, usually two input terminals and one output terminal. The "OR" gate, written "∨", indicates that at least one event occurs among multiple input events. Figure 8 shows the mapping from logic gates to the state machine [10].

MATEC Web of Conferences
Figure 11 shows the result of the transition from the AND gate and the OR gate. Here the AND gate transition is explained in more detail; the OR gate transition is handled in the same manner and is not given in this section. For the derivation of the logic gate transition it is assumed that event A and event B are both fault elements of the state-occurrence type. When component A arrives at state s1, the event incr is triggered and accordingly component A∧B arrives at state s3. Then, while component A remains in state s1, once component B arrives at state s2 the event incr is triggered again and component A∧B arrives at state s4, which is consistent with the fault tree semantics.
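The gate transition described above can be stated as a small product construction: each component is a state machine that raises `incr` when it enters its fault state and `decr` when it leaves it, and the gate's output machine counts how many inputs are currently failed. The following is an added example written for this page, not code from the paper; the state names s0/s1/s2, the event names and the output-state naming `s<count>` are assumptions chosen to mirror the text, and the AND/OR semantics follow the definitions in this section (output fault when all inputs, or at least one input, have failed). Gates can be nested, so trees of gates are handled too.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class ComponentSM:
    """Component state machine. Entering fault_state raises 'incr', leaving it 'decr'."""
    name: str
    initial: str
    fault_state: str
    transitions: Dict[Tuple[str, str], str]  # (state, event) -> next state
    current: str = ""

    def __post_init__(self) -> None:
        self.current = self.initial

    @property
    def failed(self) -> bool:
        return self.current == self.fault_state

    def fire(self, event: str) -> str:
        """Apply an event (events not enabled in the current state are ignored).
        Returns 'incr'/'decr' if the fault status changed, otherwise 'none'."""
        before = self.failed
        self.current = self.transitions.get((self.current, event), self.current)
        after = self.failed
        if after and not before:
            return "incr"
        if before and not after:
            return "decr"
        return "none"


@dataclass
class GateSM:
    """Output state machine of a fault-tree gate; its state index counts failed inputs.
    Inputs may be components or other gates (assumed extension for nested trees)."""
    kind: str  # "AND" or "OR"
    inputs: List[Union[ComponentSM, "GateSM"]]

    @property
    def failed_inputs(self) -> int:
        return sum(1 for i in self.inputs if i.failed)

    @property
    def state(self) -> str:
        return f"s{self.failed_inputs}"  # assumed naming of the output states

    @property
    def failed(self) -> bool:
        n = self.failed_inputs
        return n == len(self.inputs) if self.kind == "AND" else n >= 1


def make_demo():
    """Constructed sample: A fails into s1, B fails into s2 (as in the paper's text);
    the same two components feed both an AND gate and an OR gate."""
    a = ComponentSM("A", "s0", "s1", {("s0", "failA"): "s1", ("s1", "repairA"): "s0"})
    b = ComponentSM("B", "s0", "s2", {("s0", "failB"): "s2", ("s2", "repairB"): "s0"})
    return a, b, GateSM("AND", [a, b]), GateSM("OR", [a, b])


def run(components, gates, events):
    """Feed events to all components and record, per event, the incr/decr signals
    each component emitted and the resulting (kind, state, failed) of each gate."""
    trace = []
    for ev in events:
        signals = tuple(c.fire(ev) for c in components)
        trace.append((ev, signals, tuple((g.kind, g.state, g.failed) for g in gates)))
    return trace


if __name__ == "__main__":
    a, b, g_and, g_or = make_demo()
    for step in run([a, b], [g_and, g_or], ["failA", "failB", "repairA"]):
        print(step)
```

Running the sequence failA, failB, repairA shows the behaviour the text describes: after failA the AND output is at s1 but not yet failed while the OR output already is; after failB the AND output reaches s2 and is failed; repairing A drops the AND output back to s1 while the OR output stays failed because B is still in s2.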

Transition from SysML State Machine to Petri Net Model
The Software and Hardware Fault Petri Net (SHFPN) [11] is another form of state machine, defined as the six-tuple SHFPN = (P,T;F,K,W,M0) under mathematical constraints, which stands for software and hardware fault events. (3) F is defined as the flow relation of the SHFPN. (4) K describes the token capacity, confirming whether an event occurs. (5) W gives the weight coefficients, which are constrained. (6) M0 is defined as the initial fault state.
Additionally, for p, and ∧, we name it the software fault mode. Moreover, for p, and ∧, we name it the hardware fault mode. To transform the fault state machine into the Petri net in Figure 12, we further need to perform the state-to-state and event-to-event mapping [12].

As shown in Figure 9, an automatic washing machine often malfunctions or breaks down because of hardware circuit faults and software program errors, which are described as the corresponding states [13]. An event (such as incrB) is the trigger from one state to another in the state machine above. To preserve consistency, we propose the algorithm depicted in Figure 10 [14]. Because the SHFPN consists of three kinds of state, i.e., software fault state, hardware fault state and software-hardware fault state, the main focus is on identifying these three states, as shown in the left part of Figure 10. The SHFPN also contains three kinds of event, namely software event, hardware event and software-hardware event, whose extraction is shown in the right part of Figure 10. So far, we have accomplished the transition from the fault/event tree to the Petri net [15]. To analyze the causes of faults further, the existing theory of Petri nets can be applied.

Case Study
An automatic washing machine consists mainly of software and hardware; the requirements of its programmed control system [16] can be described as follows: (1) In any case, the washing machine's sheathing material should be insulated, or the automatic washing machine should be isolated from other materials. (2) When required, the washing machine should work normally.
(3) When not required, the washing machine must stop working.
Based on this, the fault analysis of the washing machine is defined as the fault tree in Figure 11. As illustrated in Figure 14, electrical faults in the electronics may lead to breakdown; besides, errors of the control block can generate a system fault which causes inoperation [17]. We can build the State/Event Fault Tree (SEFT) depicted in Figure 12, which graphically displays the fault messages and the related functional behaviour [18]. According to the mapping algorithm in Figure 7 and the transition of logic gates, we transform the SEFT into the Fault State Machine (FSM) illustrated in Figure 13. The remaining step is to obtain the incidence matrix of the SHFPN using Petri net methodology, as shown in Figure 15.

Result analysis:
From the incidence matrix above we obtain the related analysis results, i.e., which is a software-hardware fault mode. In addition, we have also analyzed the fault mechanism; the results are described in Table 1.
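The pipeline of the last two sections (the six-tuple definition of the SHFPN, the state-to-place and event-to-transition mapping of Figure 10, the incidence matrix of Figure 15, and the cause analysis of the result section) can be demonstrated end to end in a few dozen lines. The block below is an added example written for this page, not the paper's own algorithm or tooling. It assumes a 1-safe net (K = 1 for every place, W = 1 on every arc), a tagging of each place as normal/software/hardware/both in place of the paper's unspecified fault-mode predicates, and a constructed washing-machine state machine whose state names (Initial, CircuitFault, ProgramError, Inoperation) and event names (incrB, incrD, Decr) only loosely follow the figure residue; none of these values come from the paper's Figures 9 to 15. The cause analysis is a breadth-first reachability search that returns the shortest firing sequence leading to each fault mode.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

Marking = Tuple[int, ...]  # token count per place, in place order


class SHFPN:
    """Software and Hardware Fault Petri Net (P, T; F, K, W, M0).
    Assumed simplification: capacity K = 1 per place, every arc has weight 1."""

    def __init__(self) -> None:
        self.places: List[str] = []
        self.kind: Dict[str, str] = {}  # place -> normal | software | hardware | both
        self.transitions: List[str] = []
        self.pre: Dict[str, Dict[str, int]] = {}   # t -> {input place: weight}
        self.post: Dict[str, Dict[str, int]] = {}  # t -> {output place: weight}
        self.m0: List[int] = []
        self.k = 1

    def add_place(self, name: str, kind: str = "normal", tokens: int = 0) -> None:
        self.places.append(name)
        self.kind[name] = kind
        self.m0.append(tokens)

    def add_transition(self, name: str, inputs: Dict[str, int], outputs: Dict[str, int]) -> None:
        self.transitions.append(name)
        self.pre[name] = dict(inputs)
        self.post[name] = dict(outputs)

    def incidence_matrix(self) -> List[List[int]]:
        """C[p][t] = W(t,p) - W(p,t): net token change of place p when t fires."""
        return [[self.post[t].get(p, 0) - self.pre[t].get(p, 0) for t in self.transitions]
                for p in self.places]

    def fire(self, m: Marking, t: str) -> Marking:
        col = self.transitions.index(t)
        return tuple(mi + row[col] for mi, row in zip(m, self.incidence_matrix()))

    def enabled(self, m: Marking, t: str) -> bool:
        has_tokens = all(m[self.places.index(p)] >= w for p, w in self.pre[t].items())
        return has_tokens and all(x <= self.k for x in self.fire(m, t))

    def fault_mode(self, m: Marking) -> str:
        """Classify a marking by the kinds of fault places it marks."""
        kinds = {self.kind[p] for p, n in zip(self.places, m) if n > 0 and self.kind[p] != "normal"}
        if "both" in kinds or {"software", "hardware"} <= kinds:
            return "software-hardware"
        return next(iter(kinds)) if kinds else "none"

    def reachability(self) -> Dict[Marking, List[str]]:
        """BFS over markings (finite because K = 1); returns marking -> shortest firing sequence."""
        start = tuple(self.m0)
        seen: Dict[Marking, List[str]] = {start: []}
        queue = deque([start])
        while queue:
            m = queue.popleft()
            for t in self.transitions:
                if self.enabled(m, t):
                    n = self.fire(m, t)
                    if n not in seen:
                        seen[n] = seen[m] + [t]
                        queue.append(n)
        return seen

    def causes_of(self, mode: str) -> Optional[List[str]]:
        """Shortest event sequence from M0 that reaches a marking of the given fault mode."""
        best = None
        for m, path in self.reachability().items():
            if self.fault_mode(m) == mode and (best is None or len(path) < len(best)):
                best = path
        return best


def from_state_machine(initial: str, states: Dict[str, str],
                       events: List[Tuple[str, str, str]]) -> SHFPN:
    """State -> place, event -> transition (the mapping assumed here); the initial state
    carries the single token of M0. events are (source state, event, target state)."""
    net = SHFPN()
    for s, kind in states.items():
        net.add_place(s, kind, 1 if s == initial else 0)
    for src, ev, dst in events:
        net.add_transition(f"{ev}@{src}", {src: 1}, {dst: 1})
    return net


def washing_machine_net() -> SHFPN:
    """Constructed sample fault state machine (not the paper's Figure 9)."""
    states = {"Initial": "normal", "CircuitFault": "hardware",
              "ProgramError": "software", "Inoperation": "both"}
    events = [("Initial", "incrB", "CircuitFault"), ("Initial", "incrD", "ProgramError"),
              ("CircuitFault", "incrD", "Inoperation"), ("ProgramError", "incrB", "Inoperation"),
              ("Inoperation", "Decr", "Initial")]
    return from_state_machine("Initial", states, events)


if __name__ == "__main__":
    net = washing_machine_net()
    for place, row in zip(net.places, net.incidence_matrix()):
        print(f"{place:13s} {row}")
    for mode in ("hardware", "software", "software-hardware"):
        print(mode, "<-", net.causes_of(mode))
```

The incidence matrix is the same object the paper reads off Figure 15: each column is one event of the state machine, each row one state, with -1 where the event leaves the state and +1 where it enters it. Reading the shortest path to the software-hardware mode (incrB then incrD from the initial state) is the cause analysis; extending `fault_mode` with the paper's own software/hardware predicates, rather than a per-place tag, is the only change needed to apply it to a real SHFPN.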

Conclusion
Existing modeling languages (such as UML and SysML) can clearly describe software system behaviour and express changes of system state in detail, but their common defect is that they cannot perform safety analysis. The fault tree, on the other hand, expresses system fault behaviour well, yet it is incapable of conveying the functional behaviour of the system. Besides, the methodology of Petri nets has been studied maturely and has a complete theory of fault analysis. Therefore, combining the fault tree with the SysML-based state machine and the Petri net is complementary. This paper first introduces the related theory that provides the basis of the analysis. In addition, we discuss the fault tree and the transition from fault tree to State/Event Fault Tree (SEFT), which is the starting point of our subsequent work. Additionally, the mapping algorithm from SEFT to FSM is described above. Last but not least, transforming the FSM into the SHFPN is the innovative point, whose executable algorithm is displayed in Figure 13. If necessary, we can also combine Markov Chains (MC) [19] with the probability theory used in our paper, which would enable us to analyse safety more completely.

Figure 7. The transformation elements to one SM

Figure 9. Transition from fault state machine to SHFPN based on washing machine

Figure 10. Mapping algorithm from SM to SHFPN. Figure 10 demonstrates that the mapping algorithm from State Machine (SM) to Software and Hardware Fault Petri Net (SHFPN) describes the state mapping and the event mapping [14].

Figure 11. FT of washing machine

Figure 15. Incidence matrix of SHFPN, delineated via the mapping function deduced by domain experts. If necessary, more detailed algorithms could be defined to deal with extremely complicated systems.
fulfilling the transition from fault state machine to Software and Hardware Fault Petri Net (SHFPN).
After that, we can obtain the corresponding Software and Hardware Fault Petri Net (SHFPN) grounded on the algorithm depicted in Figure 14.

Table 1. Fault mechanism analysis of