Interval Number-Based Safety Reasoning Method for Verification of Decentralized Power Systems in High-Speed Trains

School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
School of Innovation, Design and Engineering, Mälardalen University, 72123 Västerås, Sweden
Institute of Artificial Intelligence, Guangxi University for Nationalities, Nanning 530006, China
China Railway First Survey and Design Institute Group, Xi'an 710043, China
School of Computer, Electronics and Information, Guangxi University, Nanning 530004, China


Introduction
Theorem proving is well established in formal verification [1,2]. Unlike model checking [3,4], it uses deductive reasoning to verify the safety conditions or properties of a system. The two methods have complementary strengths and weaknesses [5,6]. To verify properties of a system, labeled transition systems (LTSs) and similar structures are widely used to describe system behaviors in the field of system verification, for example in communication protocols and hardware logic testing [7,8]. The abstract labels of an LTS describe the system states by a set of logical assignments. For instance, in the LTS model of a microwave oven, "close" represents the state in which the door is closed, "∼close" represents the open-door state, "heat" represents the heating state, and "∼heat" represents the non-heating state; thus, (close, ∼heat) indicates that the oven is closed and not heating. However, such labels are not adequate for describing the states of complex systems. For example, train motion must be described by algebraic equations. Naturally, algebraic transition systems, whose labels are polynomial algebraic equations [9,10], can model such systems as a generalization of the logical labeled transition system. In recent years, algebraic polynomial-labeled transition systems and similar structures have been widely used in the verification of more complex systems [11]. In particular, for the verification of hybrid systems characterized by differential polynomial algebraic equations, many theories based on polynomial invariants have been put forward [12-16]. However, finding polynomial invariants involves symbolic computation of high time complexity, such as Gröbner bases, cylindrical algebraic decomposition, and fixed points.
However, in some complex systems, some parameters are uncertain. For example, in high-speed trains some model parameters are uncertain, such as the weight, which changes with the number of passengers [17]. Even if the uncertain parameters are assumed to change continuously, the resulting Gröbner bases may change discontinuously. Simply put, the Gröbner bases of two polynomial systems with very close coefficients may be completely different, which limits the application of the above theory to the verification of such systems. In contrast, for the design of systems with uncertain parameters, some scholars have used fault-tolerant methods [18,19]. The fault-tolerant method is mature and has been applied in many areas [20-22]. Its success in the design of complex systems suggests that it may also be effective in their verification [23-25]. Nevertheless, verification methods with fault tolerance are rarely reported.
Furthermore, even setting aside uncertain parameters, measurements cannot be completely accurate. For example, in a real system it is impossible to measure exactly the moment at which a temperature reaches a specified value; the measurement process always carries some error. Hence, verification with fault tolerance is significant in industry. In addition, nonlinear problems can be approximated by linear problems in small parts of the system design space [26], so the generalized linear assertion also has theoretical value.
In this paper, we present a new reasoning method with fault tolerance between generalized linear algebraic assertions to verify decentralized power systems in high-speed trains; the method does not rely on numerical calculation. Although numerical methods are much faster than symbolic calculation for solving equations, the accumulation of errors during the reasoning process is inevitable and may lead to incorrect conclusions: an iterative equation solver stops once its termination condition is reached, and the exact distance between the numerical solution and the unknown exact solution remains unknown [27]. On the other hand, some scholars have studied fault detection in power systems with machine learning algorithms [28,29]. Their methods are effective for nonlinear problems, but there are still few reports of their application to systems with uncertain parameters.

Problem Descriptions
Proper decentralization of power can reduce the maintenance cost of high-speed trains and avoid unsafe speeds. Both the safe speed and the power distribution need to be considered.

Safe Speeds.
The safe speed defines the range of speeds at which a high-speed train can run safely. Excessive speed increases the risk of derailment, especially when the train is turning. For example, the derailment of a high-speed train in Spain in 2013 caused around 80 deaths. When the train turns, excessive or insufficient speed increases the force between the wheel flanges and the rails, which is a major cause of rail wear. Moreover, rail wear reduces the rail's safety margin, which further increases the risk of derailment. Usually, the rail in a turn is inclined at an angle so that gravity balances the centripetal force. Ideally, the centripetal force needed for the turn is equal to the component of the train's gravity along the inclination; the force between the wheel flange and the rail is then zero.
According to Newtonian mechanics, we have
where m denotes the mass of a carriage, g is the acceleration due to gravity, $f_w$ denotes the combined force of all wheel flanges of the two carriages on their wheels, v denotes the speed of the train, R is the turning radius, and θ is the inclination angle of the rail. During train movement, some of the above parameters have inevitable errors. For example, m varies within a certain range depending on the passengers and their luggage.

Power Distribution.
Decentralized (distributed) power systems are used in high-speed railways more often than centralized ones. High-speed trains usually consist of four or eight carriages. The power-decentralization problem of two carriages is considered first, because the problem for a longer train (e.g., sixteen carriages) can be reduced to the recursive 2-carriage problem. Some parameters remain uncertain. For example, when the train is moving at a constant speed, the air resistance changes with the air pressure. In addition, the speed of the train cannot be held exactly constant, only within a very small range. The air resistance is proportional to the air pressure and to the square of the speed, so changes in air resistance cause dynamic changes in the net traction power.
In theorem-proving-based verification, a reasoning method that fully accounts for parameters with errors is necessary to verify the safety conditions and properties of such a system.

Preliminary
In this section, we introduce some of the mathematical concepts that have been established and involved in our approach.
Definition 1 (Algebraic transition system). Let $A = \langle S, F, \Psi, \Lambda \rangle$ be an algebraic transition system, where S is the set of all states; $F \subseteq S \times S$ is the set of transitions between states; Ψ is the set of algebraic assertions; and Λ is the set of mappings from F to Ψ and from S to Ψ. Each state and each transition is assigned algebraic equations through Λ. An algebraic transition system thus describes both the states of the system and its transition relation: F gives the transitions between states, and Λ gives the algebraic equations satisfied in each state and the conditions satisfied by each transition.
In recent years, the algebraic transition system and its generalized structure have been well established in the field of verification [30,31].
To establish a reasoning method with fault tolerance, we generalize linear algebraic assertions so that uncertain parameters are described quantitatively. A quantitative description of the errors is necessary. Interval numbers have been widely used in the field of error estimation [32,33], so we introduce interval numbers to describe the errors. The definition and operations of interval numbers follow.
Definition 2 (Interval number). An interval number is a set of all real numbers in a closed interval.
Let X be an interval number. Then $X = [x^-, x^+]$, where $x^- \le x^+$; $x^-$ is the lower bound of X and $x^+$ is the upper bound of X. Thus, X can take any value in this closed interval. In particular, when $x^- = x^+$, the interval number becomes an ordinary real number.

Definition 3 (Interval number operation).
The interval number operations include addition, subtraction, multiplication, and division. Some of them are given as follows. Let
Subtraction:
Multiplication:
Especially when
Division:
In addition, there are other definitions of interval number operations [34]. We do not elaborate on them here, as the choice among these definitions is irrelevant to the reasoning approach.
Unfortunately, although the errors can be described as arbitrary values over given intervals, interval arithmetic alone is not sufficient for reasoning between linear algebraic assertions, because it may lead to incorrect results. According to the interval operations defined above, the linear equations can be solved as follows:
This is not a correct result. The correct result is the blue diamond area in Figure 1. The interval solution is a box enclosing the true solution set: every occurrence of an interval is treated as varying independently, so the box also contains points that do not satisfy the equations for any admissible values of the intervals.
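Definition 3 and the box-versus-diamond example above, as an added illustration that is not code from the paper: a minimal interval-arithmetic class with the usual endpoint rules (division is left undefined when the divisor contains zero, which is taken here, as an assumption, to be the special case the definition singles out), used to solve a constructed 2×2 system with interval right-hand sides by Cramer's rule. The componentwise interval solution is a box; the true solution set, whose vertexes come from solving the real system for each pair of endpoints, is the diamond inside that box, so the box contains points that solve the system for no admissible right-hand side.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi]; lo == hi is an ordinary real number (Definition 2)."""
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError("lower bound exceeds upper bound")

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))

    def __truediv__(self, o):
        # Assumption: division is only defined when the divisor cannot be zero.
        if o.lo <= 0 <= o.hi:
            raise ZeroDivisionError("divisor interval contains 0")
        return self * Interval(1 / o.hi, 1 / o.lo)

    def __contains__(self, v):
        return self.lo <= v <= self.hi


def interval_cramer(a, b, c, d, e, f):
    """Componentwise interval solution of  a x + b y = e,  c x + d y = f  by Cramer's rule.
    Each interval occurrence is treated independently, so the result is an enclosing box."""
    det = a * d - b * c
    return (e * d - b * f) / det, (a * f - e * c) / det


# Constructed example (not from the paper):  x + y = [1, 2],  x - y = [-0.5, 0.5].
A, B, C, D = Interval(1, 1), Interval(1, 1), Interval(1, 1), Interval(-1, -1)
E, F = Interval(1, 2), Interval(-0.5, 0.5)


def in_zero_set(x, y):
    """True when (x, y) satisfies both equations for some admissible right-hand sides."""
    return (A.lo * x + B.lo * y) in E and (C.lo * x + D.lo * y) in F


def exact_vertices():
    """Vertexes of the true solution set: solve the real system for every pair of endpoints."""
    det = A.lo * D.lo - B.lo * C.lo
    return sorted(((e * D.lo - B.lo * f) / det, (A.lo * f - e * C.lo) / det)
                  for e, f in product((E.lo, E.hi), (F.lo, F.hi)))


if __name__ == "__main__":
    X, Y = interval_cramer(A, B, C, D, E, F)
    print("interval box:", (X.lo, X.hi), (Y.lo, Y.hi))   # [0.25, 1.25] x [0.25, 1.25]
    print("true vertexes:", exact_vertices())            # the diamond inside the box
    print("box corner (0.25, 0.25) solves the system:", in_zero_set(0.25, 0.25))  # False
```

The box corner (0.25, 0.25) gives x + y = 0.5, outside [1, 2], although both of its coordinates lie within the interval solution; the diamond has half the area of the box. With interval coefficients as well, the same formula widens further because the same interval appears several times in the determinant and the numerators.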

Definition 4 (Polynomial).
A polynomial is a mathematical expression consisting of a sum of terms, each of which is a coefficient multiplied by one or more variables raised to nonnegative integer powers. Let $\mathbb{R}[x_1, \ldots, x_n]$ be the set comprising all polynomials with real coefficients in the variables of V. An example of a polynomial is as follows:
Definition 6 (Linear algebraic assertions). A linear algebraic assertion consists of one or more linear equations. ψ is a linear algebraic assertion that contains the following equations:

Implication and Equivalence Relations Based on Interval Numbers
In this section, we introduce the rules for judging implication and equivalence relations based on interval numbers. Implication and equivalence are the most basic relations in any reasoning method. We first introduce the reasoning method (Definitions 7 and 8) involving implication and equivalence relations. Then, we introduce the interval-number definitions (Definitions 9-12).

Mathematical Problems in Engineering
In the classic rules of reasoning, the implication relationship between algebraic assertions is judged by the inclusion relationship between their zero sets.
Definition 9 (LEI and LAI). An LEI is a linear algebraic equation whose variables and coefficients can be interval numbers. An LAI consists of one or more LEIs.
Definition 10 (Zero set of an LEI). Let $f(x_1, \ldots, x_n) = a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_n x_n = 0$ be an LEI, where $a_0, a_1, a_2, \ldots, a_n$ are given interval numbers as defined above. The zero set of $f(x_1, \ldots, x_n)$ is the set below, denoted Zero(f):
Definition 11 (Implication relations between LAIs). Let $\varphi_1$ and $\varphi_2$ be two LAIs as defined above. $\varphi_1$ implies
Definition 12 (Equivalence relations between LAIs). Let $\varphi_1$ and $\varphi_2$ be two LAIs. $\varphi_1$ is equivalent to $\varphi_2$, denoted as
The implication and equivalence relations are the two main reasoning rules. A simple example of reasoning between LAIs is shown in Figure 1.

Reasoning Method between LAIs.
In this section, we present a reasoning method for judging inclusion relations between the zero sets of LAIs. Implication relations between LAIs are judged by whether their zero sets are in an inclusion relation, as in Definition 11 above. Equivalence relations between LAIs are judged by whether their zero sets include each other: two sets are equal iff each contains the other. Before we introduce the reasoning method, we need the theorems (Lemma 1 and Theorem 1) and two basic mathematical definitions involved in it.

(17)
Furthermore, assuming $a_{\alpha 1} \le a_{\beta 1}$ (the case $a_{\alpha 1} > a_{\beta 1}$ is similar), we easily obtain
Because both α and β belong to the first quadrant, we have
By dividing (18), that is,
Similarly, $a_{zn} \in [a_{\alpha n}, a_{\beta n}] \subset [a_{n-}, a_{n+}] = a_n$.

Theorem 1. The intersection of the zero set of an LAI and the first quadrant is a convex set.
Proof. By Definition 9, an LAI consists of one or more LEIs.
Let φ be an LAI,
According to one of the properties of a convex set [35], we find that
For most engineering problems, only solutions in the first quadrant are meaningful. Although negative solutions may be meaningful in some problems, a proper coordinate transformation can make the meaningful solutions lie in the first quadrant.
For example, if c represents the temperature in degrees Celsius and $c'$ represents the temperature in Kelvin, the coordinate transformation is $c' = c + 273.15$. Clearly, $c'$ is meaningful only when it is positive. In this article, the zero set of an LAI refers to its intersection with the first quadrant.
If A and B are both convex sets, A is bounded (so that it is the convex hull of its vertexes), and $p_1, p_2, \ldots, p_n$ are all the vertexes of A, then $A \subseteq B$ iff $p_i \in B$ for all $i = 1, 2, \ldots, n$. Therefore, to decide whether one zero set is included in another, it suffices to check whether all vertexes of the first are contained in the second. We thus obtain the following reasoning method.
Let $\varphi_1$ and $\varphi_2$ be two LAIs. Does $\varphi_1 \models \varphi_2$ hold? The inclusion relation between their zero sets can be judged as follows:
Step 1. Calculate all vertexes of $\varphi_1$.
Step 2. Determine the linear inequalities whose solution set equals the zero set of $\varphi_2$.
Step 3. If all vertexes of $\varphi_1$ satisfy the inequalities obtained in Step 2, then $\varphi_1 \models \varphi_2$ holds; otherwise, it does not.
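The three steps above, as an added example that is not code from the paper: the first-quadrant zero set of an LAI is written as an intersection of half-spaces, the vertexes are enumerated by intersecting n boundary planes at a time, and the implication is decided by testing the vertexes of $\varphi_1$ against the inequalities of $\varphi_2$. The reduction used here (for $x \ge 0$, the LEI $\sum_i a_i x_i = c$ with $a_i \in [a_i^-, a_i^+]$ and $c \in [c^-, c^+]$ is satisfiable for some admissible coefficients iff $a^- \cdot x \le c^+$ and $a^+ \cdot x \ge c^-$) is the example's own assumption in the spirit of Lemma 1 and Theorem 1; the three LAIs PHI1, PHI2 and PHI3 are constructed, and the zero sets are assumed bounded, as the hexahedron in the text is.

```python
from itertools import combinations
from typing import List, Optional, Sequence, Tuple

Vec = List[float]
# One LEI:  sum_i a_i x_i = c  with  a_i in [lo_i, hi_i]  and  c in [c_lo, c_hi].
LEI = Tuple[Vec, Vec, float, float]
HalfSpace = Tuple[Vec, float]   # (normal, rhs) meaning  normal . x <= rhs


def solve(A: Sequence[Sequence[float]], b: Sequence[float]) -> Optional[Vec]:
    """Gauss-Jordan elimination with partial pivoting; None when A is singular."""
    n = len(b)
    M = [list(A[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for k in range(col, n + 1):
                    M[r][k] -= f * M[col][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def halfspaces(lai: List[LEI], n: int) -> List[HalfSpace]:
    """Inequalities describing Zero(lai) in the first quadrant (Step 2).
    Assumption (see lead-in): for x >= 0 the value a . x ranges over [a- . x, a+ . x], so the
    LEI holds for some admissible coefficients iff  a- . x <= c+  and  a+ . x >= c-."""
    hs: List[HalfSpace] = []
    for lo, hi, c_lo, c_hi in lai:
        hs.append((list(lo), c_hi))                 # a- . x <= c+
        hs.append(([-v for v in hi], -c_lo))        # a+ . x >= c-
    for j in range(n):                              # x_j >= 0
        hs.append(([-1.0 if k == j else 0.0 for k in range(n)], 0.0))
    return hs


def satisfies(hs: List[HalfSpace], x: Sequence[float], tol: float = 1e-9) -> bool:
    return all(sum(ni * xi for ni, xi in zip(normal, x)) <= rhs + tol for normal, rhs in hs)


def vertices(lai: List[LEI], n: int) -> List[Tuple[float, ...]]:
    """Step 1: a vertex is a feasible intersection of n boundary planes.  Rather than the
    2^n endpoint systems of the text, every n-subset of planes is tried, which also covers
    the non-parallel boundaries that arise when the coefficients themselves are intervals."""
    hs = halfspaces(lai, n)
    found = set()
    for combo in combinations(hs, n):
        x = solve([h[0] for h in combo], [h[1] for h in combo])
        if x is not None and satisfies(hs, x):
            found.add(tuple(round(v, 9) for v in x))
    return sorted(found)


def implies(phi1: List[LEI], phi2: List[LEI], n: int) -> bool:
    """Step 3: phi1 |= phi2 iff every vertex of Zero(phi1) satisfies the inequalities of phi2.
    Sound because both zero sets are convex and Zero(phi1) is assumed bounded (a polytope
    is the convex hull of its vertexes); an empty Zero(phi1) implies anything."""
    hs2 = halfspaces(phi2, n)
    return all(satisfies(hs2, v) for v in vertices(phi1, n))


# Constructed LAIs in the unknowns (x, y, z); not the assertions of the paper's example.
PHI1: List[LEI] = [([1, 1, 1], [1, 1, 1], 3.0, 3.2),      # x + y + z in [3.0, 3.2]
                   ([1, -1, 0], [1, -1, 0], -0.1, 0.1),   # x - y     in [-0.1, 0.1]
                   ([0, 1, -1], [0, 1, -1], -0.1, 0.1)]   # y - z     in [-0.1, 0.1]
PHI2: List[LEI] = [([1, 1, 1], [1, 1, 1], 2.5, 3.5),
                   ([1, -1, 0], [1, -1, 0], -0.4, 0.4),
                   ([0, 1, -1], [0, 1, -1], -0.4, 0.4)]
# PHI1 with the z coefficient of the first LEI widened to the interval [1, 1.1].
PHI3: List[LEI] = [([1, 1, 1], [1, 1, 1.1], 3.0, 3.2), PHI1[1], PHI1[2]]

if __name__ == "__main__":
    print(len(vertices(PHI1, 3)), "vertexes of PHI1")          # 8, a hexahedron
    print("PHI1 |= PHI2:", implies(PHI1, PHI2, 3))            # True
    print("PHI2 |= PHI1:", implies(PHI2, PHI1, 3))            # False
    print("PHI1 |= PHI3:", implies(PHI1, PHI3, 3), " PHI3 |= PHI1:", implies(PHI3, PHI1, 3))
```

PHI1 and PHI2 have parallel boundary planes (only the constants are intervals), so the eight vertexes are exactly the endpoint systems of the text. Widening one coefficient interval (PHI3) enlarges the zero set, so PHI1 ⊨ PHI3 holds while PHI3 ⊨ PHI1 fails: one vertex of PHI3 has x + y + z = 2.9, just below the lower bound 3.0 of PHI1, the same kind of near miss as q3 in the example that follows.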
Example. First, we obtain the boundary equations as follows to find all vertexes of $\varphi_1$:
We obtain three equation systems, each of which contains two equations. Selecting one equation from each system gives eight groups of equations; solving these eight groups yields eight vertexes.
Calculate all vertexes of $\varphi_1$:
The above eight vertexes of $\varphi_1$ constitute a hexahedron in 3D space. To represent the interior region of the hexahedron (including its boundary) mathematically, we need a group of linear inequalities defining this region. According to the theory of cylindrical algebraic decomposition, all points in a linear closed region isolated by finitely many points satisfy the same inequalities. To find a point in the interior region of the hexahedron, we solve a group of equations in which each coefficient may take any value within its interval, according to Theorem 1 proven above. If there is no solution, or the solution is not unique, for the selected coefficients, we reselect a group of coefficients until the system of equations has a unique solution.
Find an interior point $P(X_P, Y_P, Z_P)$; $P$ must lie in the interior region of the hexahedron (including the boundary), as shown in Figures 2 and 3.
Substituting the point $P(X_P, Y_P, Z_P)$ into formula (24), we obtain three groups of linear inequalities as follows:
Calculate all vertexes of $\varphi_2$:

(27)
According to the properties of convex sets, if all vertexes of $\varphi_2$ are in the interior region (including the boundary) of the zero set of $\varphi_1$, then $\mathrm{Zero}(\varphi_2) \subseteq \mathrm{Zero}(\varphi_1)$.
Substituting all eight vertexes of $\varphi_2$ into formula (26) to check all of its inequalities, we find that only $q_3$ violates one inequality of formula (26): for $q_3$, $1.1X - 0.7Y + Z \ge 0.5$ does not hold, as 1.
In other words, $\varphi_2 \models \varphi_1$ does not hold. Looking only at Figures 4 and 5, all vertexes of $\varphi_2$ seem to lie in the interior region of the zero set of $\varphi_1$. The calculation above shows, however, that $q_3$ is only almost inside, so the implication does not hold.

Verification of Decentralized Power Systems during Turn
In this section, we present a case that can be solved by the reasoning method introduced above. The problem for four or eight carriages can be solved by the recursive 2-carriage problem, so we mainly discuss the power decentralization of two carriages.
A simplified algebraic transition system for the train is shown in Figure 6. $g_1$ and $g_2$ represent the conditions satisfied by the corresponding transitions between states, and $\varphi_1$, $\varphi_2$, and $\varphi_3$ are the equations that must be satisfied in the corresponding states. That is, if the train is in the acceleration state and $\varphi_1$ is not satisfied, there is a strong possibility that the train is in an abnormal acceleration process, which requires timely troubleshooting.
The following case concerns a train turning at constant speed. Decentralized power systems are widely used in high-speed trains: the power source is distributed among the engines of the carriages. The net traction power of each carriage varies randomly within a small range because of the movement of passengers and their luggage and because of wind resistance. The role of the wheel flange is to prevent derailment, especially when the train is turning. The force analysis during turning is shown in Figure 6, and the two self-powered carriages at constant speed are shown in Figure 7. Carriage 1 and carriage 2 may be two connected carriages or two groups of carriages. The notation is as follows: $f_1$ and $f_2$ denote the traction forces of carriage 1 and carriage 2, respectively; m denotes the initial mass of each carriage; $\Delta m$ denotes the mass change of each carriage due to the variation of passengers and their luggage (when the train passes the inclined plane of a turn, the part of gravity that, because of the inclination, provides the centripetal force has an effect similar to a change in the mass of the train); μ is the friction coefficient; $f_{12}$ denotes the force of carriage 1 on carriage 2; g is the acceleration due to gravity; and $f_w$ denotes the combined force of all wheel flanges of the two carriages on their wheels. The wheel flange is a special device that reduces risk when turning.
It is shown in Figure 8. When the train turns quickly, $f_w$ may exceed the force limit of the wheel flange, which may cause the train to derail. Moreover, a larger $f_w$ increases the friction between the wheel flanges and the rail and damages both the wheel flanges and the rail surfaces. Damaged rails and wheels further increase the possibility of derailment when turning. Therefore, $f_w$ should be within a certain range. ζ is related to the air density and the shape of the train. According to mechanics, we have
From the third equation in (28), we obtain
The boundary equation of each equation in φ can be obtained as follows, from which all vertexes of φ can be solved:
We obtain three equation groups, each of which contains two equations. Selecting one equation from each group gives eight equation systems; solving them yields eight vertexes.
Calculate all vertexes of $\varphi_1(f_1, f_2, v^2)$:
As before, the above eight vertexes of φ constitute a hexahedron in 3D space. To represent the interior region of the hexahedron (including its boundary) mathematically, we need a group of linear inequalities for this region. According to the theory of cylindrical algebraic decomposition, all points in a linear closed region isolated by finitely many points satisfy the same inequalities. To find a point in the interior region of the hexahedron, we only need to solve a group of equations in which each coefficient may take any value within its interval, according to Theorem 1.
An interior point $P(f_1', f_2', v^{2\prime})$ can be obtained by solving the equations with particular coefficients within the allowable error range. Without loss of generality, $P(f_1', f_2', v^{2\prime})$ can be obtained from the following equations:
By substituting the point $P(f_1', f_2', v^{2\prime})$ into formula (31), we obtain the following three groups of linear inequalities:
The inequality groups in formula (34) represent the fault-tolerance area of the system, that is, the area within which the errors of the system remain controllable. The fault-tolerance area is shown in Figures 9 and 10.
We can check whether $f_1$, $f_2$, and $v^2$ satisfy the inequality group in formula (34) to judge whether the decentralized power system and the train speed are working properly. When $f_1$, $f_2$, and $v^2$ do not satisfy formula (34), the decentralized power system or the train speed is probably working incorrectly and timely error detection is required.
In the fault-tolerance area, the interval number of $v^2$ can be transformed into an interval number of $v$. The equivalent fault-tolerance area is not written out again:

Simulation and Comparison
Simulation.
In this section, we test the fault-tolerance area of Section 6. $\Delta m$ denotes the mass change; ζ is related to the air density and the shape of the train; $f_w$ denotes the combined force of all wheel flanges of the two carriages on their wheels; and $f_{12}$ denotes the force of carriage 1 on carriage 2. These are the four parameters with errors in (28), $(\Delta m, \zeta, f_w, f_{12})$; their meanings are the same as in Section 6, so they are not described in detail again. The four interval numbers are as follows:
A test case is a random assignment of values to the four parameters. N test cases can be written as
$\mathrm{case}_1 = (\Delta m_1, \zeta_1, f_{w1}, f_{12,1}), \ldots, \mathrm{case}_N = (\Delta m_N, \zeta_N, f_{wN}, f_{12,N})$. (37)
Substituting formula (37) into formula (28) gives the solutions of the corresponding test cases as the following formula:
Substituting the solutions of formula (38) into the inequality groups of formula (34) verifies the correctness of the fault-tolerance area. After testing, the solutions of all test cases are inside the fault-tolerance area, including its boundary. Figures 11(a) and 11(b) show that the solutions of 1000 test cases are all inside the fault-tolerance area, and Figures 11(c) and 11(d) show the same conclusion for 10,000 and 100,000 test cases, respectively.
The sensitivities of the four uncertain parameters differ: the safety condition is most sensitive to changes in the mass and in the air coefficient. For example, China's Fuxing high-speed trains have strict limits on the number of passengers.
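The random-testing check of this section, as an added example that is not the paper's code: the train equations (28) are not reproduced on the page, so a constructed 2-variable LAI with four uncertain parameters (p1, p2, c1, c2, all assumptions) stands in for them. Each test case assigns random values inside the four intervals, the resulting real system is solved, and the solution is tested against the inequalities of the fault-tolerance area, built from the endpoint coefficients as in the text (for $x \ge 0$: $a^- \cdot x \le c^+$ and $a^+ \cdot x \ge c^-$). A one-at-a-time sweep then ranks the parameters by how far the solution moves across each interval, the kind of comparison behind the sensitivity remark above.

```python
import math
import random

# Constructed 2-variable LAI in the unknowns (u, w); not the train system of the paper:
#   p1*u +    w = c1,   p1 in [0.9, 1.1],  c1 in [2.0, 2.2]
#      u - p2*w = c2,   p2 in [1.0, 1.2],  c2 in [-0.2, 0.2]
PARAMS = {"p1": (0.9, 1.1), "p2": (1.0, 1.2), "c1": (2.0, 2.2), "c2": (-0.2, 0.2)}


def solve_point(p1, p2, c1, c2):
    """Cramer's rule for one sampled (real-valued) instance of the system."""
    det = p1 * (-p2) - 1.0 * 1.0          # never zero for positive p1, p2
    u = (c1 * (-p2) - 1.0 * c2) / det
    w = (p1 * c2 - c1 * 1.0) / det
    return u, w


def in_fault_tolerance_area(u, w, tol=1e-9):
    """Inequalities of the zero set in the first quadrant, from the endpoint
    coefficients of each LEI:  a- . x <= c+  and  a+ . x >= c-."""
    return (u >= -tol and w >= -tol
            and 0.9 * u + 1.0 * w <= 2.2 + tol      # first LEI, lower coefficients vs c+
            and 1.1 * u + 1.0 * w >= 2.0 - tol      # first LEI, upper coefficients vs c-
            and 1.0 * u - 1.2 * w <= 0.2 + tol      # second LEI (w coefficient in [-1.2, -1])
            and 1.0 * u - 1.0 * w >= -0.2 - tol)


def monte_carlo(n_cases, seed=1):
    """Fraction of random test cases whose solution lies inside the area (expected 1.0)."""
    rng = random.Random(seed)
    inside = 0
    for _ in range(n_cases):
        vals = {k: rng.uniform(lo, hi) for k, (lo, hi) in PARAMS.items()}
        inside += in_fault_tolerance_area(*solve_point(**vals))
    return inside / n_cases


def sensitivities():
    """One-at-a-time sensitivity: move one parameter across its interval with the
    others held at their midpoints and measure how far the solution moves."""
    mid = {k: (lo + hi) / 2 for k, (lo, hi) in PARAMS.items()}
    out = {}
    for k, (lo, hi) in PARAMS.items():
        a = solve_point(**{**mid, k: lo})
        b = solve_point(**{**mid, k: hi})
        out[k] = math.dist(a, b)
    return dict(sorted(out.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for n in (1000, 10000, 100000):
        print(n, "cases inside:", monte_carlo(n))            # 1.0 each time
    print("sensitivity ranking:", sensitivities())            # c2 first, p2 last
```

Every sampled solution must land inside because the area was derived from exactly the inequalities the sampled coefficients satisfy; the check is therefore a regression test of the derivation and of the arithmetic, not a proof. The ranking shows which interval the zero set's position depends on most, which is the information needed to decide where tighter measurement (or, as in the text, a stricter passenger limit) buys the most safety margin.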

Comparison.
Previous reasoning methods based on algebraic polynomials [9,12-15] have mainly concentrated on error-free systems, whose coefficients and variables are described exactly. For systems with errors in their coefficients and variables, most previous methods are not applicable. The method of Reference [16] is valuable in theory, but it is effective only for a single variable or coefficient with error, not for multiple variables or coefficients with errors. Among fault-tolerant methods, there are many similar fault-tolerant error analysis methods [23-25], but formal reasoning methods are rarely reported.

Conclusion
Our main contribution is to show that the reasoning method is reliable and its error controllable, even though errors exist in the coefficients and variables of the linear assertions. Furthermore, the proposed method is not limited to the verification of decentralized power systems, as errors are common and unavoidable in many systems. The method is promising for systems described by linear equations with error parameters. In such systems, our method may remain effective by approximating the nonlinearity with linear equations within a small time interval. Hence, the method in this study has a wide range of applications.
Nevertheless, without such a linear approximation within a small time interval, our reasoning method may not be applicable to nonlinear systems with errors. This is the focus of our future work.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.