Modelling and Analysing Contextual Failures for Dependability Requirements
Danilo F. Mendonça, Raian Ali, Genaína N. Rodrigues
The 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2014)
Hyderabad, India. June 2014
CiC/UnB - Modelling and Analysing Contextual Failures for Dependability Requirements 1
Proposal: Dependable Contextual Goal Model; Reasoning with DCGM
Feasibility: Mobile Personal Emergency Response System
Drawbacks: Scalability
Conclusions and Following Steps: Conclusions; Next steps
Motivation
Contextual Dependability
Motivation
• The context in which systems operate may not be static, but dynamic.
• Some failures will be activated only in specific contexts of operation.
Context: heavy traffic
Baseline
• Contexts can affect the likelihood of a failure to occur.
Contextually decreased availability
Active Wi-Fi, GPS & Bluetooth
⇓
Battery life decreased
⇓
Increased likelihood of failure
Baseline
• They can also affect the consequence of failures to users and environment.
Contextually increased failure consequence
User is unfamiliar with the city (travelling)
⇓
Erroneous data used by the collaborative bus adviser system
⇓
User drops off in an unsafe city zone
Motivation
• Non-functional requirements such as reliability, availability and safety are paramount for many daily used services.
• Systems specified for a static context of operation may not be dependable.
• Systems may have to adapt to context changes to remain dependable.
• Systems need alternative configurations and proper dependability specification.
Motivation
Goal: Reach location
Context: Low temperature. Reliable?
Context: Heavy traffic. Reliable?
Context: Tube strike. Reliable?
Research Question 1
How to specify contextual dependability requirements?
Research Question 2
How to estimate contextual dependability requirements?
Baseline
Dependability definition
Baseline
Dependability is ‘the ability to avoid service failures that are more frequent and more severe than is acceptable’. It encompasses the following attributes [Avizienis, 2004]:
• Reliability
• Availability
• Integrity
• Maintainability
• Safety
Baseline
Contexts definition
Baseline
• Contexts are ‘monitorable pieces of information about the environment in which systems operate’ [Ali et al., 2010].
• Environment consists of ‘whatever over which the system has no control’ [Finkelstein et al., 2001]. Ex:
  • Environment conditions
  • User characteristics
  • Availability of resources
Baseline
Goal oriented requirements engineering
Baseline
• Goal-oriented analysis is meant to capture the intentionality behind software requirements [Mylopoulos et al., 1998].
• Goals are a useful abstraction that represent stakeholders’ expectations and needs at early phases of RE.
• GORE¹ is a mature methodology for RE that has been validated by different goal oriented frameworks such as i*, KAOS, and TROPOS.
¹ Goal Oriented Requirements Engineering
Baseline
TROPOS [Mylopoulos et al., 2010]
Baseline
TROPOS methodology
Contextual goal model (CGM) [Ali et al., 2010]
Baseline
Contextual goal model (CGM) [Ali et al., 2010]
CGM extends TROPOS methodology.
Baseline
• By the time system requirements are being analysed, a dependability analysis can be performed.
• It should analyse the context effects over the consequence level of failures.
• It should guide the specification of contextual dependability requirements (CDR).
Baseline
• Some proposals have added quality constraints (QC) to goal models. E.g.: Souza et al., SEAMS 2011.
• Dependability requirements could also be modelled as QCs for different system goals (Research question 1).
• However, to the best of our knowledge, the causal relation between contexts and failures has not been modelled in previous (static) estimation approaches (Research question 2).
Proposal
Contextual Failure Implication
The Contextual Failure Implication (CFI) is conceptually modelled as the effect of a context on a specific dependability attribute of system tasks in a CGM.
It provides contextual dependability estimations.
Proposal
How to estimate dependability?
Proposal
• The probabilistic model checking (PMC) technique provides formal verification. It is suitable for critical features of the system (a myth?).
• Dependability of less critical features may be analysed without formal verification, for instance:
  • Fuzzy logic can be used to express estimations based on domain knowledge.
  • Other languages can be used to express dependability estimations based on domain knowledge.
• The framework architecture should leave this decision to the analysts and provide an easy integration with different techniques.
Proposal
Fuzzy logic approach [SEAMS 2014]
• IF-THEN rule syntax:
  • IF context THEN availability/reliability/safety/etc.
• Inference mechanism that produces a crisp output given some fuzzy inputs.
• Enables the use of qualitative fuzzy words to express contexts and dependability attribute levels.
Proposal
Strong, average and weak are fuzzy GPS signal levels.
Each is associated with a membership function.
Proposal
A small set of rules can produce a large number of outputs.
• If GPS signal is weak then reliability is average.
• If GPS signal is not weak then reliability is high.
• If battery is not strong then availability is low.
• If battery is strong then availability is average.
• If power source is connected then availability is high.
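As an added example (not the authors' code), the five rules above run through a minimal zero-order Sugeno-style fuzzy inference in Python, turning a context reading into crisp reliability and availability estimates (CFIs); the membership shapes, the 0..100 input scale and the crisp centres of low/average/high are assumptions made here:

```python
# Added example, not from the paper: fuzzy inference over the slide's rules.
# Membership shapes, the 0..100 scale and the output centres are assumed.

def tri(x, a, b, c):
    """Triangular membership: 0 at a and c, peak 1 at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Assumed fuzzy levels for a 0..100 signal/battery reading. "weak" and
# "strong" are shoulders: a or c sits just outside the range so the ends
# of the scale keep full membership.
LEVELS = {"weak": (-1, 0, 50), "average": (0, 50, 100), "strong": (50, 100, 101)}

def level(value, name):
    """Degree (0..1) to which a reading belongs to a fuzzy level."""
    a, b, c = LEVELS[name]
    return tri(value, a, b, c)

# Assumed crisp centres of the output levels (zero-order Sugeno consequents).
OUT = {"low": 25.0, "average": 50.0, "high": 90.0}

def defuzzify(fired):
    """Weighted average of the consequents by rule firing strength."""
    total = sum(w for w, _ in fired)
    return 0.0 if total == 0 else sum(w * OUT[lvl] for w, lvl in fired) / total

def infer(gps_signal, battery, power_connected):
    """Apply the slide's rules to one context reading; returns crisp CFIs."""
    gps_weak = level(gps_signal, "weak")
    bat_strong = level(battery, "strong")
    plugged = 1.0 if power_connected else 0.0  # boolean context: degree 0 or 1
    rules = {
        # IF GPS weak THEN reliability average; IF GPS not weak THEN high
        "reliability": [(gps_weak, "average"), (1.0 - gps_weak, "high")],
        # IF battery not strong THEN low; IF battery strong THEN average;
        # IF power source connected THEN high
        "availability": [(1.0 - bat_strong, "low"), (bat_strong, "average"),
                         (plugged, "high")],
    }
    return {attr: defuzzify(fired) for attr, fired in rules.items()}

if __name__ == "__main__":
    # Constructed reading: GPS 20/100, battery 80/100, running on battery.
    print(infer(20, 80, False))  # {'reliability': 66.0, 'availability': 40.0}
```

Plugging the power source in raises the availability estimate for the same reading because a third rule now fires at full strength, which is the "small set of rules, many outputs" effect the slide describes.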
Proposal
PMC approach [Work in progress]
• Behavioural diagrams generated by TROPOS methodology
• Parametric models with PRISM/PARAM language
• PCTL properties
• Estimation of dependability attributes such as reliability
PMC must consider context effects on failures.
Different components, different dependability estimation for the same goal.
Proposal
What about dependability requirements?
Proposal
Contexts may also affect the consequence level of failures:
• Minor consequences, lower dependability requirements
• Major consequences, higher dependability requirements
Thus, the dependability requirements are also context dependent.
Contextual Dependability Requirement
The Contextual Dependability Requirement (CDR) is modelled as the accepted level of one or more dependability attributes for any system goal in a CGM given some context condition.
It provides contextual dependability requirements.
Proposal
Dependable Contextual Goal Model (DCGM)
Baseline
Reasoning with DCGM
Reasoning with DCGM
• A goal will be valid if one of its means-end tasks is valid for that context.
• Stakeholders should be aware of contextual violations of dependability requirements.
Reasoning with DCGM
Static validation of CDRs
Reasoning with DCGM
What about runtime reasoning?
Reasoning with DCGM
Given the existence of the following information:
• A goal reached by alternative tasks;
• A context condition that can be evaluated through monitoring or prediction techniques;
• A set of CFIs for the alternative tasks and a CDR for the [goal, context] tuple;
A decision can be made about which task to use at runtime.
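The runtime decision just described, together with the static validation of CDRs and the goal-validity rule from the earlier slides, as an added Python example that is not part of the original slides; the goal and contexts reuse the "Reach location" scenario only by name, and the task names, CFI values and CDR thresholds are constructed:

```python
# Added example, not from the paper: selecting a means-end task at runtime
# from CFI estimates and a CDR, plus static detection of CDR violations.
from typing import Dict, List, Optional

Estimate = Dict[str, float]

# Constructed CFIs: estimated attribute level (0..1) of each alternative
# task of goal "reach_location" under each monitored context.
CFI: Dict[str, Dict[str, Estimate]] = {
    "take_tube": {"normal": {"reliability": 0.95, "safety": 0.90},
                  "heavy_traffic": {"reliability": 0.95, "safety": 0.90},
                  "tube_strike": {"reliability": 0.10, "safety": 0.90},
                  "low_temperature": {"reliability": 0.95, "safety": 0.90}},
    "take_bus": {"normal": {"reliability": 0.85, "safety": 0.85},
                 "heavy_traffic": {"reliability": 0.50, "safety": 0.85},
                 "tube_strike": {"reliability": 0.60, "safety": 0.85},
                 "low_temperature": {"reliability": 0.85, "safety": 0.85}},
    "walk": {"normal": {"reliability": 0.90, "safety": 0.80},
             "heavy_traffic": {"reliability": 0.90, "safety": 0.80},
             "tube_strike": {"reliability": 0.90, "safety": 0.80},
             "low_temperature": {"reliability": 0.90, "safety": 0.40}},
}

# Constructed CDRs: accepted attribute level per [goal, context] tuple. The
# context with major failure consequences carries a stricter safety level.
CDR: Dict[tuple, Estimate] = {
    ("reach_location", "normal"): {"reliability": 0.80, "safety": 0.75},
    ("reach_location", "heavy_traffic"): {"reliability": 0.80, "safety": 0.75},
    ("reach_location", "tube_strike"): {"reliability": 0.80, "safety": 0.75},
    ("reach_location", "low_temperature"): {"reliability": 0.80, "safety": 0.95},
}

def margin(estimate: Estimate, requirement: Estimate) -> float:
    """Smallest slack over the required attributes; negative means a violation."""
    return min(estimate.get(attr, 0.0) - lvl for attr, lvl in requirement.items())

def choose_task(goal: str, context: str) -> Optional[str]:
    """Runtime decision: the valid task with the largest slack, or None."""
    req = CDR[(goal, context)]
    best, best_slack = None, -1.0
    for task, estimates in CFI.items():
        slack = margin(estimates[context], req)
        if slack >= 0 and slack > best_slack:
            best, best_slack = task, slack
    return best

def cdr_violations(goal: str) -> List[str]:
    """Static validation: contexts in which no task makes the goal valid."""
    return sorted(ctx for g, ctx in CDR if g == goal and choose_task(g, ctx) is None)
```

A context listed by cdr_violations is one where the goal has no valid means-end task, which is exactly what stakeholders need to see before the system reaches it at runtime.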
Reasoning with DCGM
DCGM at runtime
Drawbacks
Drawbacks
Scalability concerns (declarative rules):
• Effort may increase exponentially with:
  • Number of contexts
  • Analysed goals
  • Dependability attributes
• Analysis should be oriented by criticality:
  • Critical contextual goals
  • Critical dependability attributes
Drawbacks
Scalability concerns (PMC):
• State explosion is a known issue with PMC
• Verification of contextual models may contribute negatively to this problem
Conclusions and Next Steps
Conclusions
• Dependability requirements can be specified using a GORE-extended language.
• Techniques used for estimations must comply with the corresponding criticality of the analysed system goal.
• Scalability is a major concern for both declarative and formal verification approaches considered so far.
Next steps
• Validate the framework using a more extensive case study.
• Integrate the framework with a DSL as a CDR realization to provide more complex dependability specification.
• Integrate the framework with a probabilistic model checking technique.
• Integrate the framework with a proactive self-adaptive architecture based on dependability criteria.
Questions?
Acknowledgement
The research was supported by an FP7 Marie Curie CIG grant (SOCIAD project), CNPq grant number 482280/2012-3, under edital MCT/CNPq 14/2012, and Bournemouth University – Fusion Investment Fund (BBB and VolaComp projects).