System Modeling and Fault Tree Analysis Based on AltaRica

With the increasing scale and complexity of system, it is very necessary to analyze the safety of complex system. Fault tree is an effective method to safety analysis. However, traditional fault tree relies on manual construction and analysis. When fault nodes and systems are complex, the efficiency and correctness of manual analysis can hardly be guaranteed. To the varied understanding of analysts, it is difficult to ensure the consistency of failure mode and system architecture due to the different understanding from safety analysts and system designers. The same node needs fault analysis again in different systems, which has poor reusability and low efficiency. AltaRica is a fault-oriented Safety Modeling Language. It takes the guard transformation system(GTS) as its core, describes nodes and faults with a style of reusable object-oriented language, and describes information of interaction between nodes and systems through interface connections between nodes and nested systems. Therefore, this paper proposed an automatic system modeling and fault analysis method and its detailed computer algorithm on single class node, multiple nodes and nodes with subsystems based on AltaRica. Finally we developed a software prototype and carry out the automatic modeling and fault analysis in a detailed example. The results showed that the proposed method, algorithm and software prototype can realize automatic graphical modeling of the system on AltaRica, the automatic fault analysis is correct and efficient, has reusability of modeling and fault analysis, and greatly improve the accuracy, objectivity and efficiency of fault modeling and analysis.


I. INTRODUCTION
With the rapid development of science and technology, the integration of system is getting very high, the scale is getting larger, and the function is getting more complex. A small fault may cause the whole system failed, leading to serious safety accidents. Therefore, more and more attentions have been paid on the system safety.
In safety-critical systems, researchers widely used system safety modeling and analysis technology [1]. Traditional system safety analysis techniques mainly include Markov process analysis, FMEA(failure mode effect analysis) [2], and FTA (fault tree analysis) [3]. These analysis techniques can provide efficient algorithms and tools. However, the models The associate editor coordinating the review of this manuscript and approving it for publication was Zhaojun Li . designed using these forms are far from the specifications of the system. Therefore, they are difficult, expensive and inefficient to design and maintain throughout the life cycle of the system. Traditional fault analysis techniques rely too much on the analysts, and the understanding of system structure by analysts plays a great role in the construction of fault systems, which is highly subjective. Nowadays, safety-critical systems and equipment are more and more complex, so it is difficult to achieve complete, continuous and error-free analysis process and results by brains and hands of analysts. Once a change in the system, it often forces the reconstruction of the fault model, resulting in a large waste of human and time resource.
At the same time, with the continuous development of model driven and formal technology, researchers combine safety analysis model with system design model, and many model-based safety analysis (MBSA) and evaluation methods emerged with a characters of related modeling language and automation [4]. MBSA techniques include Failure Propagation and Transformation Notation (FPTN) [5], Hierarchically Performed Hazard Origin and Propagation Studies (HiPHOPS) [6] and AltaRica language [7].
Jean-Yves Choleya and etc derived from previous MBSE and MBSA integration studies, performed mainly on M2M and M2T transformations, and appropriate SysML metamodeling, proposed CPS safety analysis methodology with an aeronautic industrial case study [8].
Model Checking language and tool such as NuSMV, Spin and AADL are integrated to MBSA due to their powerful abilities of searching the model space. Lu Chen, Jian Jiao and etc put forward a failure analysis method using NuSMV to manually transform the counterexample into FMEA or FTA result [9]. There are some limitations of model checking in MBSA, one as only by dynamic operation, partial information of FT or FM can get, because when counterexample occurs, the operation will stop the analysis which is ongoing. The other limitation is there still has no mature tool to support all this process automatically which is mainly divided into relatively independent parts of system and safety modeling, translating into model checking language, model checking, safety analysis and FT generation based on counterexample manually.
Petri Nets (PNs) are a formal graphical and mathematical modelling tool which is appropriate for specifying and analyzing the behavior of complex, distributed and concurrent systems. Many papers related to PNs and its extensions are summarized in [10] including Bayesian network and extensions of PNs. PNs originated from a mathematic model and method to analyze system with characteristics of resource production and consuming, condition trigger, concurrence and confliction, and etc. It is not a specific model to deal with fault and safety, and when be used and developed with computer science PNs have some extensions as Stochastic PNs, Time PNs, Colored PNs, Temporal PNs, PNs related to model checking language, and etc. Now PNs is not an independent modeling method, it is tightly combined with computer science and the core is formal automata. So the PNs is suitable to model system behavior and not specific in safety, it can be used in safety analysis if the system is safety-critical.
Altarica is a formal language developed by the computer science laboratory of Bordeaux jointly with industries partners. The purpose of creating AltaRica language is to overcome the shortcomings of traditional formal methods which deviate from the research system, such as fault tree, Markov chain, and Petri net. AltaRica language is a formal, objectoriented modeling language. It can describe the functional behavior of the system under normal conditions and the failure behavior of the system.
Later with the cooperation of academia and industry, AltaRica's capability of system safety assessment has been well strengthened. Using AltaRica model can truly reflect the structure of the system, the operating mechanism of the system, and has a good reusability on its style of object-oriented language. Many companies have used AltaRica for safety assessment analysis in their important projects, including Alston Railway, Total, Schneider Electric, and France Telecom and so on. AltaRica has became the standard of model-based safety assessment in European industry.
The structure of the AltaRica model has a strict grammatical definition, which can describe the system structure and generates the safety model according to the fault propagation logic of the system [11]. Based on this, the FTA method can be combined with AltaRica to implement safety analysis and generate fault tree.
As the inventors of AltaRica, Batteux M, Prosvirnova T and Rauzy A illustrated the whys and wherefores of the fixpoint assertion mechanism introduced in AltaRica 3.0 to perform changes of states in literature [12]. Based on the key GTS(Guarded Transition System) of AltaRica, it can increase expressive power and in particular the ability to handle looped systems is obtained without any significant overhead for dataflow models by using the fixpoint mechanism introduced in AltaRica 3.0.
In system modeling and analysis using AltaRica, there are some researches on it. Issad M, Kloul L and Rauzy A proposed a scene-oriented modeling approach which relies on semi-formal representation to describe the scene and relies on the formal execution model described in the AltaRica 3.0 modeling language [13]. In literature [14], a method was described that extends the AltaRica model developed for safety analysis with time information and provides a tool to interpret the correctness of time safety conditions. Michael Lipacewski, Frank Ortmeier, and et al compared the SAML and AltaRica and pointed out that AltaRica is more convenient to large system modeling and easier to be reused due to the object-oriented style [15]. Brunel et al. [16] introduced the principles of the AADL and AltaRica languages and the connections between them, proposed a conversion procedure from AADL to AltaRica, and applied its prototype to the simplified flight control system of the drone. Literature [17] proposed the use of AltaRica language to build electrical and electronic system models protected by first-order and second-order safety mechanisms, and clarified that the model is helpful to analyze the behavior of the system and determine the validity areas of simpler models. Duo and Li [18] proposed a practical safety modeling methodology based on Altarica, which contains three phases like information collection, model construction and model V&V, with an example of a hydraulic system. Long G and Liang A proposed a fault modeling and analysis method for complex systems. Taking the heating and cooling backup system and the reconstruction system as examples, the accuracy of the fault logic conversion process is verified in [19].
In fault analysis and fault tree generation from AltaRica, there are some researches on it. Humbert S, Seguin C, Castel C, and et al took a part of the control system of a helicopter turboshaft engine as the research object, extracted requirement from the system fault propagation model by using AltaRica for modeling and analysis [20]. Batteux M, Prosvirnova T and Rauzy A, et al mentioned the transform GTS model into fault tree, which is, to transform state/transition model into a set of Boolean formulas, and then verifies the safety of AltaRica system with relevant safety assessment tools [21]. In literature [22], Prosvirnova T and Rauzy A briefly introduced fault tree generation from independent GTS and simply illustrated the process of getting one single fault tree from connected nodes without mentioning the generation from subsystems and nodes. XiaoXun Li, ShaoJun Li extracted failure logic relations from Altarica component models and system models to generate fault trees, and discussed the fault tree generation method from multiple nodes in AltaRica [23]. They showed this method in example of graphical modeling to connect Altarica nodes in figures drawn in hand without details of computer algorithm to implement it [24].
OCAS [25] is the MBSA tool that was accepted by regulatory agencies as a basis for certification of safety-critical systems. Bozzano et al. [26] considered the limitations of OCAS as no ability to perform an exhaustive space examination and limitations in in presence of industrial-sized systems hindering the generation of important artifacts such as Fault Trees.
Simfia is a software package that, based on the knowledge and functional analysis of an equipment, product or system, can be used to analyse and simulate its overall behaviour and automate R.A.M.S. studies [27]. Fukai Zhang used Simfia to make the AltaRica model of HUDS visually to achieve assessing formal safety [28]. In [29], Event-B language is used to model application layer to check the integrity of operations modes and AltaRica is used to model dySfunction of system to solve the problem of dynamic failuret The efficiency and practice of the method are illustrated by analyzing safety of auto pilot system thmugh Rodin t()01 which is used for analyzing operational modes of application and Simfia tool which is used for safety analysis.
In those existed literatures, we have found AltaRica has been successfully used in system and fault modeling and analysis [13]- [19], and most of those literatures only proposed the principle and framework to generate fault tree from assertions in single or multiple class [20]- [24]. So there are relatively absence in method to automatically generate and programming realize the safety analysis as FT from complex nested systems including interaction between nodes and subsystems. Some papers used OCAS [25], [26] and Simfia [28], [29] to implement MBSA, but there are some limitations and no details of how the computer algorithms implemented and no expansions to nodes and subsystems. The details of realization of automatic computer algorithm and tool developing are absent and not open enough.
This paper studied the grammar and semantics of AltaRica language, proposed NAltaSys(Nested AltaRica System) to well support complex system modeling, detailed illustrated the automatic algorithms including analyzing assertion and link information in AltaRica models and fault tree generation from single node, multiple nodes and subsystems, combined visual modeling techniques with fault logic description ability of AltaRica language to improve the safety description and analysis ability of the model, and developed an automated system fault modeling and analysis tool named SSMA based on AltaRica to system modeling and automatically generate system fault tree. The fault tree is convenient to modify and maintain according to the change of class in AltaRica fault model. This paper realized the synchronous work of fault modeling, analysis, modification and maintenance based on AltaRica, and greatly improved the efficiency of fault modeling and analysis of safety-critical systems.
The contents of this paper are arranged as following. Section I is an introduction of system modeling and analysis, and the AltaRica with researches related to it. Section II makes a detailed description of AltaRica language includes all elements and GTS mechanism in it. Section III introduces the NAltaSys(Nested AltaRica System) proposed by this paper which will support the system modeling, algorithm design and code programing to visual software development. Section IV introduces the algorithm of fault tree generation from single class, multiple nodes and nodes with subsystem, and then makes examples for each situation. In Section V, a detailed example is put forward to prove the correctness of the algorithm proposed and the tool developed in this paper. Finally, there comes to the conclusion.

II. AltaRica MODELING LANGUAGE
AltaRica is a high-level modeling language for safety analysis. It is based on GTS and its mathematical model [12]. The basic component of the AltaRica model is node which is an instance of Class. The class and its important parts are described as: 1) Class: In order to use a box with certain given characteristics (encapsulating a GTS), you need to declare a class, the type of the box. The AltaRica model is a series of declarations of classes. Classes can be nested into other instances of other classes to achieve hierarchical description of the research system.
2) Domain: Domain has domain name and its states which normally represent the different state of class.
3) Boolean: The logical type that represents the state of variables in class. 4) Reset: Represents a reset value of variables in class. 5) Variable: Two types of variables called domain variable and class variable are in the class. Domain variable represents the external state of class not limited to Boolean value. Class variable represent the state of internal variable in class. 6) Flow: Flow is like interface variables, are divided into input and output flow, which are used to describe the state of interface variables between class nodes or class node with subsystem. 7) Trans: Trans is a triple < e, G, P >, which is defined as: where e is the event marking the transition, G is a Boolean condition about the state and flow variables, called the Guard of transformation, P is the action performed by the new state  The state transition diagram of a pump is shown in FIGURE 1, and its AltaRica model is shown in FIGURE 2.
The model first needs to declare the domain (''Pump-State''), namely two symbol constants 'WORKING' and 'FAILED', of course we can define more than two constants as you need. Then, declare a class (the type of box), in that case the GTS is called ''Pump''.
The GTS includes: (1) a state variable ''state'', which takes its value in the definition domain ''PumpState'' and its initial state is ''WORKING'' (2) two Boolean flow variables ''inFlow'' and ''outFlow'', whose default values are false (3) two events ''failure'' and ''repair'', each event corresponds to a transition and an assertion that constrains the value of the variable. (4) When one event occurs, the state will change in transition and result in the change of outflow through related assertion (5) After change of outflow, it will pass out if connects to other node or subsystem. When it is false, that means it is a fault will pass out and the reason is the assertion related to this outflow. All state variables are initialized once. Their initial values are given by the attribute ''init''. This attribute describes the characteristics of state variables. After each conversion is triggered, the flow variables are updated. Its value is deter-mined by the assertion or by the default value given by the attribute ''reset''. This attribute describes the characteristics of flow variables. If the box ''Pump'' is used alone, ''inFlow'' will be reset to the default value after each conversion trigger. If it is connected to another box through the ''inFlow'' and the pump is working properly, the assertion will be used to pass the value. The transition marked by event ''failure'' triggers only when the state variable ''state'' takes the value of ''WORKING''. After the conversion triggers, the ''state'' value is first set to ''FAILED'', and then the value of the flow variable is updated.

III. NESTED AltaRica SYSTEM MODELING
Complex system has many nodes and subsystems, the fault information will pass into or come from subsystem. In complex nested system, faults reason hides in the single node or subsystem and it is very hard to uncover the reasons of top system faults manually that originate from single node and subsystem passing by interface. So it is significantly meaningful to propose a nested system model which can be transacted by computer, and based on that the algorithm of automated fault analysis of nested system with related tool can be developed.
This paper put forward a nested system model based on AltaRica to well support system and fault modeling with analysis.
This model called NAltaSys(Nested AltaRica System) is formally described as: < InNode, Class, Node, SubSys, Connection, OutNode >, where: (1) InNode: InNode is a virtual entry of all input, that means all input passed to nodes through InNode. (2) Class: The definition of Class is the same as in the section II. It have domain, variable, flow, trans, assert and etc. (3) Node: Node is an instance of Class which inherits all properties in Class defined in the section II. (4) SubSys: SubSys has a recursive definition as < InNode, Class, Node, SubSys, Connection, OutNode >. It is a part of whole system which has some nodes or even subsys in it, and connections among nodes with subsys. (5) Connection: Connection has the interface information between nodes or node to SubSys. The fault will pass or backtrack through connections and obey the mechanism defined in flow and assertion in Class. (6) OutNode: OutNode is a virtual exit of all output, which means all output from nodes should pass through OutNode. The NAltaSys model is described as in Fig3.
This paper models nested system based on AltaRica and implemented automatic safety analysis (Fault Tree Analysis).
The Fault Tree Analysis can be done in three situations: (1) Single Class Node The basic Fault Tree Analysis is implemented in single class node. This paper used the information of assert in class, then scan, cut it and calculate the position of FTA node with algorithm detailed described in Part A of Section IV.
(2) Multiple Class Nodes This paper firstly gets the nodes link to OutNode, then gets the connected interface information bind in links to the OutNode, and trace back from the inflows to outflows with assertions bind with them, then recursively trace back to generate the whole fault tree of multiple class nodes.
(3) Nodes with SubSystem When implement FTA in nodes with subsystem connected, this paper firstly gets the nodes link between node and subsystem, then analysis connected interface information between node and subsystem, and trace back the inflow and outflow to get the fault information based on the algorithm in (1) and (2) to generate the whole fault tree of nodes with subsystem.

IV. FAULT TREE GENERATION ALGORITHM
We have known the outflow will pass out if connects to other node or subsystem. The fault reason is in description of assertion related to outflow.
In a class, one fault tree to one outflow can be got through the analysis of the related assertion. The assertion will transacted to construct fault tree. The assertion will be scanned and cut into fault node automatically by algorithm proposed by this paper. And then this algorithm will also get the level that is the position of each fault node. By having got fault tree node and its position, we will get the whole fault tree of outflow from GTS in AltaRica.
When an outflow connected to other node or subsystem, it will pass out the related fault. The information in the link of node to node or node to subsystem is as an interface. Because we have known the link information of each outflow, so we can known how the fault pass out by analysis of the interface. If we can correctly get the path that outflow which bind the fault, we will get the whole path that the fault pass out in the whole system.
So the most important work is to design the computer algorithm and make the computer automatically implement the system modeling, assertion analysis of single node, analysis of link information, automated fault tree analysis and generation between nodes and subsystems.
Using AltaRica to define a class, we can make the instance of it repeatedly. We can just connect those instances in anywhere in the system, we will automatically get the analysis result of whole system because we have known the fault result of assertion in single node and how it connect by system modeling and the analysis of the link information between node and subsystem using the algorithm proposed in this paper. That is we only need to define a class in which the variable, inflow, outflow and assertion have been described.
After that, we can use those class to define instance repeatedly and to construct the whole system. And we need not do any additional system analysis but can automatically get the fault tree analysis of whole system, for we may get the fault tree in each node and the link information of connected interface by the algorithm proposed in this paper. Comparing to traditional fault tree analysis, it is no need to implement fault tree analysis in node, subsystem and whole system. Once the system is modeled, it will construct the whole system fault tree automatically without any additional analysis as in traditional fault tree analysis.
This paper designed the fault tree generation algorithms from AltaRica system models include single class node, multiple nodes, and nodes with subsystems.

A. SINGLE CLASS NODE
Here we make Class1 as an example of fault tree generation from single class node which is described by AltaRica in Figure 4.
We get the fault information from assertion ''U1: if ((A1==false) and (B1==false)) or (Y1==false) then false else true'' where: U1: an output flow A1, B1: class variable Y1: inflow We find that if the expression ''((A1==false) and (B1==false)) or (Y1==false)'' is satisfied, the U will come into false that means it causes the fault. So we can get the reasons of the fault by the expression of assertion and can also get the position and preposition of nodes to be drawn in fault tree.
There are two main steps in Assertion Analysis Algorithm of Single Class Node. VOLUME 8, 2020  The first step is to record the valid character string and calculate its level which is scanned and cut from Assertion which includes: (1) Scan, cut and record valid character string of assertion in single class node (2) Record the embrace level of each character string (3) Add to AssertionNodeArray realized by function MakeAssertionToAssertionArray() in class CAltaRica-Analyser. The details of the first step in algorithm is shown in Fig5.
Here are the result of assertion scanned, cut with levels of each valid string in the Table 1.
The second step is to recursively generate the prepositions of Expression and Logic Operation nodes will be drawn in Fault Tree which includes: (1) Scan the AssertionNodeArray, get the position of first root node and set its preposition to −1 (2) Cut the AssertionNodeArray into left part and right part with the center position of the first root node (3) If only one expression or logic operation node in the left, get the position of this node, and set the position of the first root node to its preposition, else recursively run this algorithm on the left part as step (1) (4) If only one expression node or logic operation node in the right, get the position of this node, and set the position of the first root node to its preposition, else recursively run this algorithm on the right part as step (1) The details of the second step in algorithm is shown in Fig 6. Here are the example results of Assertion U1 scanned, cut and recursively run in the Table 2.
Then this paper will draw the fault tree by the position and preposition of each node in AssertionNodeArray as in Fig 7. Here are Class2 and Class3 that will be related to multiple nodes and nodes to subsystem.
Class2 as detailed in Fig 8 has an inner variable C2, an inflow V2, two outflows W2 and X2, and two assertions

B. MULTIPLE NODES
This paper put forth the fault tree generation algorithm from multiple nodes connected which include five steps: (1) Find the 'Out' node in current view (2) Initialize the Analyser which has functions described in Part A of Section IV (3) Traverse the LinkInfoArray to get and cut the assertion bind with the links connected to the 'Out' node in current view (4) Analyze the link and assertion cut, get the class of variable in assertion (5) Recursively trackback and generate the final unfolded assertion to be analyzed and get the position and preposition of each valid string or operation node in the final unfolded assertion The first three steps in the algorithm are described in Fig 12. The fourth and fifth steps are to recursively run an algorithm described in Fig 13 to get the position and preposition of each node need to be drawn in fault tree.   Then, this paper makes three instances comp1, comp2 and comp3 of Class1, Class2 and Class3 as in Fig 14, and connect them to hand over fault by flow bind in the link between the three nodes.

C. NODES WITH SUBSYSTEM
This paper put forward the fault tree generation algorithm among nodes with subsystem which includes steps partly same as multiple nodes, and the difference is in the analysis of the link connected to subsystem.
The differences include two situations are subsystem to node and node to subsystem which will be firstly analyzed of the information in the links between the node with subsystem.  For a simple example: compA.X=sub1.compA.Y, which is an information in the link from subsystem to node. We should analysis it as following: (1) Cut the whole strings into two parts at ''='' (2) By analysis of the strings in the left of equation, it is ''compA.X'' which only has one ''.'' VOLUME 8, 2020  (3) that means the strings in the left of equation is related to a node (4) X is an inflow of node compA, and compA is in the level of current system (5) By traversing all nodes in the level of current system, we can get that compA is an instance of what class (6) Then if an assertion in this class related to inflow X, it will be partly replaced  (7) By analysis of the strings in the right of equation, it is sub1.comp2.W2 which has two ''.'' (8) That means the strings in the right of equation is related to a node from subsystem (9) By cutting and analysis the strings, we get that the Y is an outflow from node compA in subsystem sub1 (10) By traversing all nodes in the level of subsystem sub1, we can get that compA is an instance of what class.
(For there may exist many nodes have same name in different levels of current system or subsystem, so those nodes may be instances of different class) (11) Get the assertion in this class related to outflow Y and partly replace the assertion in that class related to inflow X. Of course, we may also make a simple example: sub1.compA.Y = compA.X, which is an information in the link from node to subsystem. The process of dealing with it in this situation can be mostly referenced by what we have mentioned above.
Comparing to the algorithm of multiple nodes, there have some differences in nodes to subsystem:  (1) By cutting and analysis the information in the link, we should distinguish the information is related to nodes with subsystem or between nodes only (2) We should get the subsystem, the nodes and the inflow or outflow by analysis of the information (3) We should traverse all nodes in the subsystem to get what class is the nodes instance from (4) We should come into the level of subsystem to get the related assertion of the inflow or outflow in the class VOLUME 8, 2020 (5) We should go on traversing if the node in the subsystem has pre-node (6) We should back to the system level if all nodes in the level of subsystem has been transacted (7) We should set the view point correctly when coming into or out from the subsystem in developing the tool SSMA. The detailed algorithm of dealing with the situations including nodes to subsystem and subsystem to node are between the Lable1 and Lable2 as in Fig 17 and Fig 18. (1) The algorithm of analyzing link from subsystem to node is described in details as Fig 17. (2) The algorithm of dealing with the link from node to subsystem is described in details as Fig 18. The difference is from Lable1 to Lable2. After the algorithm in Fig 17 and Fig 18, the link will go into the subsystem and there will recursively run to get the corrected fault information bind in links and automatically generate fault tree.
Then, this paper makes two instance comp1 and comp3 of Class1 and Class3, and comp2 of Class2 in subsystem as in Fig 19, and connect them to hand over fault by flow bind in the link among nodes and subsystem.
The process, which is detailed described as following and the related information is shown in Fig 20, includes: (1) Get the linkinfo connects to ''Out'' node, which is ''comp3.Z3'' (2) Find the comp3 is an instance of Class3 and Z3 is an outflow of Class3 by traversing all outflows in Class3 (3) The fault assertion of Z3 in Class3 is ''(U3==false) and (W3==false)'', so the linkinfo is expanded to ''(U3==false) and (W3==false)'' (4) Find the U3 is an outflow, and comes from comp1 by analysis of the linkinfo ''comp3.U3=comp1.U1'' (5) Find the comp1 is an instance of Class1 and U1 is an outflow by traversing all outflows in Class1  (9) Find the outflow W2 in comp2 which is an instance of Class2, which related to the assertion ''((A2==false) and (B2==false)) or (Y2==false)'', so the linkinfo is expanded to ''(((A1==false) and (B1==false)) or (Y1==false)) and (W3==false)) and (((A2==false) and (B2==false) or (Y2==false))'' (10) For there is no more expression to be analyzed, the process and recursive algorithm runs over The result of recursive analysis on the linkinfo by flows and assertions in nodes and subsystem are described in Table 4. The operation result of tool developed by this paper and all explanations are shown in Fig 21.

V. OVERVIEW OF TOOL DEVELOPMENT
This paper here made a brief introduction of the tool named SSMA (System Safety Modeling and Analysis).
This development of System Safety Modeling and Analysis (SSMA) mainly uses Visual C++ programming to realize AltaRica's hierarchical system modeling and fault tree analysis, which includes: The main interface framework realizes the functions of project file creation, domain modeling panel, class modeling panel and system modeling panel creation, graphical modeling view, modeling element list and operation information window.
• Class Modeling Class modeling implements the visual modeling functions of class name, domain state, class state, input flow, output flow, event, transition, assertion, etc. After the modeling is completed, the class information is expanded hierarchically in the left class modeling area.
• System Modeling System modeling realizes the new construction of subsystems and class nodes. Creating a node should be an instance from a class in the left list. When having created a subsystem, it will come into the internal by double click the icon of this subsystem on the left list.
• Automatic fault tree generation of class node Automatic fault tree generation of class node include automatic analysis of assertion in class node, and automatic generation of fault tree in graphic.
• Automatic fault tree generation of multiple nodes Automatic fault tree generation of multiple nodes include interface description between connected nodes, and VOLUME 8, 2020   automatic analysis of interface description, and automatic generation of fault tree of multiple nodes in graphic.
• Automatic fault tree generation of nested system Automatic fault tree generation of nested system include interface description between subsystem and node, automatic analysis of interface description, and automatic generation of fault tree in graphic.
SSMA has a friendly interface, good usability and ability of system modeling to well support AltaRica. We can easily build system model in graphic and automatically implement the fault analysis in high efficiency. It is easy to be transplanted to integration of other tools run in Windows platform of Micro Software.

VI. DETAILED EXAMPLE
This paper here made a detailed case study of the nested system modeling and automatic fault tree generation from single class node to multiple nodes and nodes with subsystem.
In the case study, this paper firstly created three classes of class1, class2, class3, class4 and class5, and two subsystem s1 and s2.  The class1 and class2 had been modified to show the fault propagation between nodes and subsystem which are introduced in section IV. And we here made a new description of Class4, Class5, s1 and s2.
As shown in Fig22, Class1 add V1 as an outflow, that means the assertion bind with it will propagate when V1 as an inflow to other node or subsystem.
As shown in Fig23, Class2 add U2 as an inflow, that means the assertion bind with outflow in other node or subsystem will propagate into Class2 when the outflow connect with U2. Class2 also modified the assertion bind with W2 changing (Y2==false) into (U2==false) which will cause a fault propagation if U2 connects to outflows comes from other nodes or subsystems.
Then back and continue analysis (16) All expressions have been traversed and analyzed, so the algorithm comes to the end The result of recursive analysis on the linkinfo by flows and assertions in case study are described in Table 5.
The system modeling using SSMA in the case study are shown in Fig 28, included comp1, comp2, comp3, s1, s2 and linkinfo. The details of s1 and s2 are shown in Fig 29. The operation result of case study and all explanations are shown in Fig 30. In this figure, we can see the final assertion after.
We may find the ''Final assertion after recursing backtracking'' on the Figure 30, that is ''((((A1==false) and (B1==false)) or ((D3==false))) and (A5==false)) and (((A2==false) and (B2==false)) or ((U4==false) and (V4==false)))''. The final assertion is the same as the line 6 of ''linkinfo after running recursive algorithm'' in Table 5 which proves the final assertion by using the algorithm proposed in this paper has been correctly transacted by computer. And more, the nodes and strcuture in the final whole system fault tree in Figure 30 is also correct in accordance with the ''Final assertion after recursing backtracking'' on the Figure 30.

VII. CONCLUSION
Based on the language specification of AltaRica, this paper studied the grammar and semantics of AltaRica language, combined visual modeling with fault logic description ability of AltaRica language, designed and implemented automatic fault tree generation algorithm from node to nested system, improved the ability of safety modeling and analysis, and realized synchronization of fault modeling and analysis.
This paper studied the structure and semantics of AltaRica, detailed illustrated the system modeling and automation fault tree generation including class, node and subsystem not only in theory but also is open in detailed programing and visual tool realization comparing to existed papers that some are absent in details of modeling and automation in visual fault tree generation and others are only focusing on the method in application using existed tools.
From the example it is found that's easy to modify and maintain the class, system and fault model, and greatly improves the accuracy and efficiency of fault modeling and analysis of safety critical system.
The method proposed in this paper and SSMA have been successfully applied in fault modeling and analysis of marine generator excitation system which will appear in our future paper.
Further work will focus on the situations of subsystem to subsystem, the issues on quantitative algorithm, and improvement on the artistic style of SSMA.
ZHENGQI JIANG was born in Suzhou, Jiangsu, China, in 1995. He received the bachelor's degree from the Huaiyin Institute of Technology, in 2018. He is currently pursuing the master's degree in electronics and communication engineering with the Jiangsu University of Science and Technology, Zhenjiang.
His research interests include system safety and reliability.