
Modelling and analysing contextual failures for dependability requirements

Apr 13, 2017

Page 1: Modelling and analysing contextual failures for dependability requirements

Modelling and Analysing Contextual Failures for Dependability Requirements

Danilo F. Mendonça, Raian Ali

Genaína N. Rodrigues

The 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2014)

Hyderabad, India. June 2014

CiC/UnB - Modelling and Analysing Contextual Failures for Dependability Requirements 1

Page 2: Modelling and analysing contextual failures for dependability requirements

Presentation Outline

Motivation
- Contextual Dependability

Baseline
- Dependability
- Goal-oriented requirements engineering

Proposal
- Dependable Contextual Goal Model
- Reasoning with DCGM

Feasibility
- Mobile Personal Emergency Response System

Drawbacks
- Scalability

Conclusions and Following Steps
- Conclusions
- Next steps


Page 3: Modelling and analysing contextual failures for dependability requirements

Motivation

Contextual Dependability


Page 4: Modelling and analysing contextual failures for dependability requirements

Motivation

- The context in which systems operate may not be static, but dynamic.

- Some failures will be activated only in specific contexts of operation.

Context: heavy traffic


Page 5: Modelling and analysing contextual failures for dependability requirements

Baseline

- Contexts can affect the likelihood of a failure to occur.

Contextually decreased availability

Active Wi-Fi, GPS & Bluetooth

Battery life decreased

Increased likelihood of failure


Page 6: Modelling and analysing contextual failures for dependability requirements

Baseline

- They can also affect the consequence of failures to users and environment.

Contextually increased failure consequence

User is unfamiliar with the city (travelling)

Erroneous data used by the collaborative bus adviser system

User drops off in an unsafe city zone


Page 7: Modelling and analysing contextual failures for dependability requirements

Motivation

- Non-functional requirements such as reliability, availability and safety are paramount for many daily used services.

- Systems specified for a static context of operation may not be dependable.

- Systems may have to adapt to context changes to remain dependable.

- Systems need alternative configurations and proper dependability specification.


Page 8: Modelling and analysing contextual failures for dependability requirements

Motivation

Goal: Reach location

Context: Low temperature. Reliable?

Context: Heavy traffic. Reliable?

Context: Tube strike. Reliable?


Page 9: Modelling and analysing contextual failures for dependability requirements

Research Question 1

How to specify contextual dependability requirements?

Research Question 2

How to estimate contextual dependability requirements?


Page 10: Modelling and analysing contextual failures for dependability requirements

Baseline

Dependability definition


Page 11: Modelling and analysing contextual failures for dependability requirements

Baseline

Dependability is ‘the ability to avoid service failures that are more frequent and more severe than is acceptable’. It encompasses the following attributes [Avizienis, 2004]:

- Reliability

- Availability

- Integrity

- Maintainability

- Safety


Page 12: Modelling and analysing contextual failures for dependability requirements

Baseline

Contexts definition


Page 13: Modelling and analysing contextual failures for dependability requirements

Baseline

- Contexts are ‘monitorable pieces of information about the environment in which systems operate’ [Ali et al., 2010].

- Environment consists of ‘whatever over which the system has no control’ [Finkelstein et al., 2001]. Ex:

  - Environment conditions
  - User characteristics
  - Availability of resources


Page 14: Modelling and analysing contextual failures for dependability requirements

Baseline

Goal oriented requirements engineering


Page 15: Modelling and analysing contextual failures for dependability requirements

Baseline

- Goal-oriented analysis is meant to capture the intentionality behind software requirements [Mylopoulos et al., 1998].

- Goals are a useful abstraction that represent stakeholders’ expectations and needs at early phases of RE.

- GORE (1) is a mature methodology for RE that has been validated by different goal oriented frameworks such as i*, KAOS, and TROPOS.

(1) Goal Oriented Requirements Engineering

Page 16: Modelling and analysing contextual failures for dependability requirements

Baseline

TROPOS [Mylopoulos et al., 2010]


Page 17: Modelling and analysing contextual failures for dependability requirements

Baseline

TROPOS methodology


Page 18: Modelling and analysing contextual failures for dependability requirements

Contextual goal model (CGM) [Ali et al., 2010]


Page 19: Modelling and analysing contextual failures for dependability requirements

Baseline

Contextual goal model (CGM) [Ali et al., 2010]

CGM extends TROPOS methodology.


Page 20: Modelling and analysing contextual failures for dependability requirements

Baseline

- By the time system requirements are being analysed, a dependability analysis can be performed.

- It should analyse the context effects over the consequence level of failures.

- It should guide the specification of contextual dependability requirements (CDR).


Page 21: Modelling and analysing contextual failures for dependability requirements

Baseline

- Some proposals have added quality constraints (QC) to goal models. E.g.: Souza et al., SEAMS 2011.

- Dependability requirements could also be modelled as QCs for different system goals (Research question 1).

- However, to the best of our knowledge, the causal relation between contexts and failures has not been modelled in previous (static) estimation approaches (Research question 2).


Page 22: Modelling and analysing contextual failures for dependability requirements

Proposal


Page 23: Modelling and analysing contextual failures for dependability requirements

Contextual Failure Implication

The Contextual Failure Implication (CFI) is conceptually modelled as the effect of a context on a specific dependability attribute of system tasks in a CGM.

It provides contextual dependability estimations.


Page 24: Modelling and analysing contextual failures for dependability requirements

Proposal

How to estimate dependability?


Page 25: Modelling and analysing contextual failures for dependability requirements

Proposal

- Probabilistic model checking (PMC) technique provides formal verification. It is suitable for critical features of the system (a myth?).

- Dependability of less critical features may be analysed without formal verification, for instance:

  - Fuzzy logic can be used to express estimations based on domain knowledge.

  - Other languages can be used to express dependability estimations based on domain knowledge.

- The framework architecture should leave this decision to the analysts and provide an easy integration with different techniques.


Page 26: Modelling and analysing contextual failures for dependability requirements

Proposal

Fuzzy logic approach [SEAMS 2014]

- IF-THEN rule syntax:
  - IF context THEN availability/reliability/safety/etc.

- Inference mechanism that produces a crisp output given some fuzzy inputs.

- Enables the use of qualitative fuzzy words to express contexts and dependability attribute levels.


Page 27: Modelling and analysing contextual failures for dependability requirements

Proposal

Strong, average and weak are fuzzy GPS signal levels.

Each is associated with a membership function.


Page 28: Modelling and analysing contextual failures for dependability requirements

Proposal

A small set of rules can produce a large number of outputs.

- If GPS signal is weak then reliability is average.

- If GPS signal is not weak then reliability is high.

- If battery is not strong then availability is low.

- If battery is strong then availability is average.

- If power source is connected then availability is high.
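The rule set above, carried through a complete fuzzy inference, as an added example that is not code from the authors' framework: the membership breakpoints, the 0..100 scales for GPS signal and battery level, and the crisp values behind the words low/average/high are all assumptions made for illustration.

```python
# Added example (not from the slides): Mamdani-style fuzzy inference that
# encodes the five IF-THEN rules on the slide. Breakpoints, the 0..100
# input scales and the crisp level values are assumed for illustration.

def ramp_down(x, a, b):
    """Membership 1 for x <= a, falling linearly to 0 at x >= b."""
    return max(0.0, min(1.0, (b - x) / (b - a)))

def ramp_up(x, a, b):
    """Membership 0 for x <= a, rising linearly to 1 at x >= b."""
    return max(0.0, min(1.0, (x - a) / (b - a)))

# Fuzzy words for the context variables (assumed breakpoints, 0..100 scale)
def gps_weak(signal):      return ramp_down(signal, 20, 50)
def battery_strong(level): return ramp_up(level, 40, 80)

# Crisp value each fuzzy output word stands for (assumed)
LEVEL = {"low": 0.80, "average": 0.90, "high": 0.99}

def infer(rules):
    """rules: list of (firing_strength, output_word). Fire every rule, then
    defuzzify with a weighted average of the consequent levels (singleton
    centroid). Returns None when no rule fires."""
    total = sum(w for w, _ in rules)
    if total == 0:
        return None
    return sum(w * LEVEL[word] for w, word in rules) / total

def reliability(gps_signal):
    """CFI of the GPS-signal context on a task's reliability."""
    weak = gps_weak(gps_signal)
    return infer([(weak, "average"),       # IF GPS signal is weak THEN reliability is average
                  (1.0 - weak, "high")])   # IF GPS signal is not weak THEN reliability is high

def availability(battery_level, power_connected):
    """CFI of the battery and power-source contexts on a task's availability."""
    strong = battery_strong(battery_level)
    connected = 1.0 if power_connected else 0.0   # crisp (boolean) context
    return infer([(1.0 - strong, "low"),  # IF battery is not strong THEN availability is low
                  (strong, "average"),    # IF battery is strong THEN availability is average
                  (connected, "high")])   # IF power source is connected THEN availability is high

if __name__ == "__main__":
    for s in (10, 35, 90):
        print(f"GPS signal {s:3d}% -> reliability {reliability(s):.3f}")
    print("battery 20%, on charger -> availability", round(availability(20, True), 3))
```

Note how a signal of 35% fires both GPS rules at strength 0.5, so the crisp reliability lands between the "average" and "high" levels rather than snapping to either.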


Page 29: Modelling and analysing contextual failures for dependability requirements

Proposal

PMC approach [Work in progress]

- Behavioural diagrams generated by TROPOS methodology

- Parametric models with PRISM/PARAM language

- PCTL properties

- Estimation of dependability attributes such as reliability


Page 30: Modelling and analysing contextual failures for dependability requirements

PMC must consider context effects on failures.

Different components yield different dependability estimations for the same goal.


Page 31: Modelling and analysing contextual failures for dependability requirements

Proposal

What about dependability requirements?


Page 32: Modelling and analysing contextual failures for dependability requirements

Proposal

Contexts may also affect the consequence level of failures:

- Minor consequences, lower dependability requirements

- Major consequences, higher dependability requirements

Thus, the dependability requirements are also context dependent.


Page 33: Modelling and analysing contextual failures for dependability requirements

Contextual Dependability Requirement

The Contextual Dependability Requirement (CDR) is modelled as the accepted level of one or more dependability attributes for any system goal in a CGM given some context condition.

It provides contextual dependability requirements.


Page 34: Modelling and analysing contextual failures for dependability requirements

Proposal

Dependable Contextual Goal Model (DCGM)


Page 35: Modelling and analysing contextual failures for dependability requirements

Baseline

Reasoning with DCGM


Page 36: Modelling and analysing contextual failures for dependability requirements

Reasoning with DCGM

- A goal will be valid in a context if at least one of its means-end tasks is valid for that context.

- Stakeholders should be aware of contextual violations of dependability requirements.


Page 37: Modelling and analysing contextual failures for dependability requirements

Reasoning with DCGM

Static validation of CDRs


Page 38: Modelling and analysing contextual failures for dependability requirements

Reasoning with DCGM

What about runtime reasoning?


Page 39: Modelling and analysing contextual failures for dependability requirements

Reasoning with DCGM

Given the existence of the following information:

- A goal reached by alternative tasks;

- A context condition that can be evaluated through monitoring or prediction techniques;

- A set of CFIs for the alternative tasks and a CDR for the [goal, context] tuple;

A decision can be made about which task to use at runtime.
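Both the static validation of CDRs (a goal is valid in a context if one of its means-end tasks is) and the runtime decision described above, as an added example that is not the authors' tool: goal, task and context names, the CFI estimates and the CDR levels are constructed for illustration, with the "unfamiliar city" context given a stricter CDR to reflect its higher failure consequence.

```python
# Added example, not the authors' tool: a small DCGM reasoner over the
# concepts on the slides. All names and numbers below are constructed.
from dataclasses import dataclass

@dataclass
class Task:
    name: str
    cfi: dict   # CFI: {context: {attribute: estimated level}}

@dataclass
class Goal:
    name: str
    tasks: list  # means-end alternatives for reaching the goal
    cdr: dict    # CDR: {context: {attribute: minimum accepted level}}

def task_valid(task, context, cdr):
    """A task is valid in a context if every attribute the CDR names
    is estimated (via the task's CFI) at or above the accepted level."""
    est = task.cfi.get(context, {})
    return all(est.get(attr, 0.0) >= level for attr, level in cdr.items())

def validate_static(goal):
    """Static validation: a goal is valid in a context if at least one of
    its means-end tasks is valid there. Returns the violating contexts."""
    return [ctx for ctx, cdr in goal.cdr.items()
            if not any(task_valid(t, ctx, cdr) for t in goal.tasks)]

def choose_task(goal, monitored_context):
    """Runtime decision: among the tasks valid in the monitored context,
    pick the one with the largest margin over the CDR. None means no
    alternative satisfies the CDR, a violation stakeholders should see."""
    cdr = goal.cdr[monitored_context]
    valid = [t for t in goal.tasks if task_valid(t, monitored_context, cdr)]
    if not valid:
        return None
    def margin(t):
        return min(t.cfi[monitored_context][a] - lvl for a, lvl in cdr.items())
    return max(valid, key=margin).name

# Constructed example: goal "Reach location" with two alternative tasks
GPS_NAV = Task("GPS navigation", {
    "heavy traffic":   {"reliability": 0.99, "availability": 0.90},
    "unfamiliar city": {"reliability": 0.99, "availability": 0.85}})
BUS_ADVISER = Task("Collaborative bus adviser", {
    "heavy traffic":   {"reliability": 0.96, "availability": 0.97},
    "unfamiliar city": {"reliability": 0.95, "availability": 0.97}})
REACH = Goal("Reach location", [GPS_NAV, BUS_ADVISER], {
    "heavy traffic":   {"reliability": 0.95, "availability": 0.90},
    "unfamiliar city": {"reliability": 0.99, "availability": 0.90}})  # major consequence

if __name__ == "__main__":
    print("CDR violations:", validate_static(REACH))
    for ctx in REACH.cdr:
        print(f"{ctx}: use {choose_task(REACH, ctx)}")
```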


Page 40: Modelling and analysing contextual failures for dependability requirements

Reasoning with DCGM

DCGM at runtime


Page 41: Modelling and analysing contextual failures for dependability requirements

Drawbacks


Page 42: Modelling and analysing contextual failures for dependability requirements

Drawbacks

Scalability concerns (declarative rules):

- Effort may increase exponentially with:
  - Number of contexts
  - Analysed goals
  - Dependability attributes

- Analysis should be oriented by criticality:
  - Critical contextual goals
  - Critical dependability attributes


Page 43: Modelling and analysing contextual failures for dependability requirements

Drawbacks

Scalability concerns (PMC):

- State explosion is a known issue with PMC

- Verification of contextual models may contribute negatively to this problem


Page 44: Modelling and analysing contextual failures for dependability requirements

Conclusions and Next Steps


Page 45: Modelling and analysing contextual failures for dependability requirements

Conclusions

- Dependability requirements can be specified using a GORE extended language.

- Techniques used for estimations must comply with the corresponding criticality of the analysed system goal.

- Scalability is a major concern for both declarative and formal verification approaches considered so far.


Page 46: Modelling and analysing contextual failures for dependability requirements

Next steps

- Validate the framework using a more extensive case study.

- Integrate the framework with a DSL as a CDR realization to provide more complex dependability specification.

- Integrate the framework with a probabilistic model checking technique.

- Integrate the framework with a proactive self-adaptive architecture based on dependability criteria.


Page 47: Modelling and analysing contextual failures for dependability requirements

Questions?

Acknowledgement

The research was supported by an FP7 Marie Curie CIG grant (SOCIAD project), CNPq grant number 482280/2012-3, under edital MCT/CNPq 14/2012, and Bournemouth University – Fusion Investment Fund (BBB and VolaComp projects).


Page 48: Modelling and analysing contextual failures for dependability requirements

Thank you

[email protected]
