System safety is a complex concept, which is represented by multiple attributes and which requires diverse sources of evidence to demonstrate its achievement. Safety-critical systems, which provide safety-critical services to their users, must be designed to be safe. This means that despite their complexity and despite variable environmental conditions, their operation should be demonstrably safe. A fundamental difficulty in measuring system safety arises from the complexity of the notion: it is made up of multiple, potentially conflicting attributes, and difficult trade-offs may need to be made between these attributes. The attributes themselves are evaluated using multiple diverse sources of evidence, thus compounding the problem of measuring system safety.
Software safety has become an increasingly important issue in system safety due to the larger role software plays in complex cyber-physical systems. Such a system consists of a number of components distributed over a predefined space. The components of a typical cyber-physical system communicate with each other and with the external world through a communication gateway. Safety failures of the components of such a system result in safety hazards for the whole system. Additionally, external attackers can attack the system through the sensor network and the communication gateway and can manipulate software processes and the data stored and exchanged in the system.
Over the last decades a large number of safety analysis methods (e.g., FMEA, HAZOP, FTA) have been developed. Among them, Fault Tree Analysis (FTA) is a widely accepted method. It graphically shows how basic failures of components, in combination, cause a safety hazard at the system level. However, classical FTA lacks the precise semantics needed to check the correctness or consistency of the problem description. In other words, classical FTA is based on an informal description of the underlying system, which makes it very difficult to check the description for correctness and consistency.
In recent years a number of formal fault tree models have been developed. Most of these methods provide formal semantics for the fault tree constructs, such as the different logic gates, but have not considered the formal construction of the fault tree in a deductive manner. In these methods the formal model and the fault trees are developed as separate documents. The safety analysts develop the fault trees using their intuition, while the events and sub-events of a gate are formalized afterwards with respect to the formal model. Although this approach is effective for quickly constructing fault trees, it results in some problems when verifying their correctness. In order to overcome these problems, Xiang et al. have proposed a formal fault tree analysis model based on propositional logic and state transitions.
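As an added illustration (not code from this paper or from Xiang et al.) of what giving the gates a propositional-logic semantics buys an analyst, the following Python evaluates a small constructed fault tree under a set of failed basic events and derives its minimal cut sets mechanically; the tree, the event names and the tuple encoding of gates are assumptions made for the example.

```python
from itertools import combinations

# A node is either a basic event (a string) or a gate (gate_name, children)
# with gate_name in {"AND", "OR"}. Constructed example, not from the paper:
# the system-level hazard occurs if the controller fails, or if the sensor
# and the communication gateway fail together.
TREE = ("OR", ["controller_fault",
               ("AND", ["sensor_fault", "gateway_fault"])])


def basic_events(node):
    """Collect the basic events (leaves) of a fault tree."""
    if isinstance(node, str):
        return {node}
    _, children = node
    return set().union(*(basic_events(c) for c in children))


def holds(node, failed):
    """Propositional semantics of the gates: does the top event hold when
    exactly the basic events in `failed` have occurred?"""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [holds(c, failed) for c in children]
    if gate == "AND":
        return all(results)
    if gate == "OR":
        return any(results)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events whose joint occurrence causes the top
    event. Subsets are enumerated by increasing size, and any superset of an
    already found cut set is skipped, so only minimal sets are returned."""
    events = sorted(basic_events(node))
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if holds(node, candidate):
                cuts.append(candidate)
    return sorted(cuts, key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    for cut in minimal_cut_sets(TREE):
        print(sorted(cut))
```

Because the semantics is explicit, a reviewer can check a drawn tree against the formal model by testing concrete failure scenarios with `holds` rather than by intuition.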
In this paper we would like to propose the extension the...