West Virginia University
Architectural-Level Risk Analysis for UML Dynamic Specifications
Dr. Sherif M. Yacoub, Hewlett-Packard Laboratories, Palo Alto, CA
Alaa Ibrahim and Hany H. Ammar, {ibrahim,ammar}@csee.wvu.edu, Department of Computer Science and Electrical Engineering, West Virginia University
9th International Conference on Software Quality Management, SQM2001, 18th-20th April 2001, Loughborough University, Loughborough, England
Outline
Research Objectives
Methodology
Towards an Automated Methodology
Process
Case Study: The Pacemaker example
Conclusions
Architectural-Level Risk Assessment Methodology at the early stages of development (S. Yacoub, H. Ammar. ISSRE'00, IEEE Comp. Soc., October 2000)

3) Perform Severity Analysis
In performing severity analysis, each potential failure mode is ranked according to the consequences of that failure mode.
Steps:
• Identifying Failure Modes
  Failure modes of individual components (functional faults and state-based faults).
  Failure modes of individual connectors (interface fault analysis).
3) Perform Severity Analysis (cont'd)
Steps (cont'd):
• Conducting Effect Analysis
  Inject the fault. Simulate the faulty model. Monitor the output and compare it to the expected output. Identify the effect of the fault.
• Rank Severity
  Identify the category: Minor, Marginal, Critical, or Catastrophic. Assign a severity index svrty_i to each component i, taking the value 0.25 (Minor), 0.50 (Marginal), 0.75 (Critical) or 0.95 (Catastrophic).
The worst-case severities found for RS, CD, CG, VT and AR are Minor (0.25), Minor (0.25), Marginal (0.50), Catastrophic (0.95) and Catastrophic (0.95), respectively.

FMEA table for the Pacemaker components

Component | Failure Mode | Cause of Failure | Effect of Failure | Criticality of Effects
RS | Failed to enable communication | Error in translating magnet command | Unable to program the pacemaker; schedule maintenance task. | Minor
CD | Failed to generate good command | Fault in developing the command | Unable to program the pacemaker; schedule maintenance task. | Minor
CG | Failed to validate command | Fault in the validation procedure | Cannot program the pacemaker; schedule maintenance task. | Minor
CG | Misinterpreting a VVT command as VVI | Fault in the command-processing routine | Heart is continuously triggered, but the device is still monitored by the physician; needs immediate fix or disable. | Marginal
VT | No heart pulses are sensed though the heart is working fine | Heart sensor is malfunctioning | Heart is incorrectly paced; patient could be harmed by continuous pulses. | Critical
VT | Refract timer does not generate a timeout in AVI mode | Timer not set correctly | AR and VT are in the refractory state, no pace is generated for the heart; patient could die. | Catastrophic
AR | Wait timer does not generate a timeout in AAI mode | Timer not set correctly | AR stuck in the wait state; no pacing is done to the heart. | Catastrophic
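The "Conducting Effect Analysis" step above (inject the fault, simulate, compare with the expected output) applied to the last row of the table. This is an added example and not the authors' model: the AR statechart, the timing constants and the sensed-pulse trace are constructed for illustration; only the failure mode (the AAI wait timer never times out) and its effect (AR stuck in Wait, no pacing) come from the table.

```python
"""Effect analysis by fault injection on a simplified statechart model.

Added example, not the authors' model: a toy statechart for the AR (atrial)
component in AAI mode, with the failure mode from the FMEA table 'Wait timer
does not generate a timeout in AAI mode' injected as a fault.  States, timing
constants and the sensed-pulse trace are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WAIT_TICKS = 5     # assumed: ticks AR waits for a natural pulse before it paces
REFRACT_TICKS = 2  # assumed: ticks spent in the refractory state after a pace/sense


@dataclass
class ARModel:
    """AAI-mode AR statechart: Wait -> (sense | timeout -> PACE) -> Refractory -> Wait."""
    timer_fires: bool = True   # False injects the fault: the wait timer never times out
    state: str = "Wait"
    elapsed: int = 0
    trace: List[Tuple[int, str, Optional[str]]] = field(default_factory=list)

    def step(self, tick: int, sensed: bool) -> Optional[str]:
        """Advance one tick; return 'PACE' on a pacing output, else None."""
        out = None
        if self.state == "Wait":
            if sensed:                                   # natural pulse inhibits pacing
                self.state, self.elapsed = "Refractory", 0
            else:
                self.elapsed += 1
                if self.timer_fires and self.elapsed >= WAIT_TICKS:
                    out = "PACE"                         # timeout: pace the heart
                    self.state, self.elapsed = "Refractory", 0
        elif self.state == "Refractory":
            self.elapsed += 1
            if self.elapsed >= REFRACT_TICKS:
                self.state, self.elapsed = "Wait", 0
        self.trace.append((tick, self.state, out))       # monitored output
        return out


def simulate(model: ARModel, sensed: List[bool]) -> List[int]:
    """Run the model over a sensed-pulse trace; return the ticks at which it paced."""
    return [t for t, s in enumerate(sensed) if model.step(t, s) == "PACE"]


def effect_analysis(sensed: List[bool]) -> Dict[str, List[int]]:
    """Simulate the correct and the faulty model on the same input and diff the outputs."""
    expected = simulate(ARModel(), sensed)
    observed = simulate(ARModel(timer_fires=False), sensed)
    return {
        "expected_paces": expected,
        "observed_paces": observed,
        "missed_paces": sorted(set(expected) - set(observed)),
        "spurious_paces": sorted(set(observed) - set(expected)),
    }


# Constructed input: natural pulses at ticks 2 and 4, then the heart stops.
SENSED_TRACE = [False, False, True, False, True] + [False] * 15

if __name__ == "__main__":
    result = effect_analysis(SENSED_TRACE)
    for key, ticks in result.items():
        print(f"{key:15s} {ticks}")
    if result["missed_paces"] and not result["observed_paces"]:
        print("effect: AR stuck in Wait, no pacing at all (Catastrophic in the table above)")
```

The correct model paces at ticks 9 and 16 once the natural pulses stop; the faulty model returns to Wait after the last sensed pulse and never leaves it, so every expected pace is missed. The diff between the two output traces is the "effect of the fault" that the severity ranking step then classifies.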
FMEA table for the Pacemaker connectors

Connector | Failure Mode | Cause of Failure | Effect of Failure | Criticality of Effects
RS-CG | Failure to enable communication of the CG | Magnet malfunctioning; RS failed to generate the message | Pacemaker is not programmed; schedule maintenance task. | Minor
RS-CD | Unable to disable communication of the CD with the programmer | Magnet malfunctioning; RS failed to generate the correct disable message | Pacemaker receives bits accidentally from hazards, but the device is never programmed because CG is disabled; schedule maintenance task. | Minor
CD-Programmer | Failed to acknowledge programming | Fault in coding the sending message | Pacemaker is not programmed; schedule maintenance task. | Minor
CD-CG | Failed to send bytes of program data to CG | Inappropriate count of the number of bits in a byte | Pacemaker is not programmed; schedule maintenance task. | Minor
CG-AR | Send incorrect command (e.g. ToOff instead of ToIdle) | Incorrect interpretation of program bytes | Incorrect operation mode and incorrect rate of pacing the heart. Device is still monitored by the physician; immediate maintenance or disable is required. | Marginal
CG-VT | Send incorrect command (e.g. ToOff instead of ToIdle) | Incorrect interpretation of program bytes | Incorrect operation mode and incorrect rate of pacing the heart. Device is still monitored by the physician; immediate maintenance or disable is required. | Marginal
AR-Heart | Failed to sense the heart in AAI mode | Sensor error | Heart is always paced while the patient's condition requires pacing only when no pulse is detected. | Critical
AR-Heart | Failed to pace the heart in AVI mode | Pacing hardware device malfunctioning | Heart could be in serious trouble because of no pacing. | Catastrophic
VT-AR | VT failed to inform AR of finishing the refractory period in AVI mode | Timing mismatches between AR and VT operation | Failure to pace the heart. | Catastrophic
4) Develop Risk Factors
hrf_i = cpx_i × svrty_i
where:
0 <= cpx_i <= 1 is the normalized complexity level (dynamic complexity for components, dynamic coupling for connectors), and
0 <= svrty_i < 1 is the severity level of the architecture element.
Procedure AssessRisk
consumes: CDG, AE_appl (average execution time for the application)
produces: Risk_appl
Initialization:
  R_appl = 0 (accumulates, over the closed paths, the product of (1 - RiskFactor) along each path)
  R_temp = 1 (temporary variable for the product of (1 - RiskFactor) along the current path)
  Time = 0
Algorithm:
  push tuple <C1, hrf1, EC1>, Time, R_temp
  while Stack not EMPTY do
    pop <Ci, hrfi, ECi>, Time, R_temp
    if Time > AE_appl or Ci = t (terminating node) then
      R_appl += R_temp    (an OR path)
    else
      for each <Cj, hrfj, ECj> in children(Ci)
        push <Cj, hrfj, ECj>, Time + ECi, R_temp × (1 - hrfi) × (1 - hrfij) × PTij    (an AND path)
    end if
  end while
  Risk_appl = 1 - R_appl
end Procedure AssessRisk

where hrfij is the risk factor of the connector from Ci to Cj and PTij is the probability of that transition, both taken from the CDG.
Risk Aggregation Algorithm
The algorithm can be used for:
• System-level risk assessment. The risk of the pacemaker is found to be ~0.9.
• Subsystem-level risk comparison. Complex systems are composed of many subsystems. The algorithm can be used to obtain a risk factor for a subsystem from the risk factors of its individual components, and then to compare the risk factors of the individual subsystems.
• Sensitivity analysis: sensitivity to uncertainties in component risk factors, and sensitivity to uncertainties in connector risk factors.
Sensitivity Analysis
[Figure: The Pacemaker risk factor as a function of component risk factors (one at a time). x-axis: risk factor of the individual component, 0.9 down to 0.1; y-axis: overall risk factor of the system, 0.0 to 1.0; one curve per component: R(AR), R(VT), R(CG), R(CD), R(RS).]
[Figure: The Pacemaker risk factor as a function of connector risk factors (one at a time). x-axis: risk factor of the individual connector, 0.9 down to 0.1; y-axis: overall system risk value, 0.0 to 1.0; one curve per connector: R(RS-CD), R(CG-CD), R(AR-Heart), R(VT-AR), R(VT-Heart).]
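The AssessRisk procedure and the one-at-a-time sensitivity sweep plotted above, worked on a small component dependency graph. This is an added example and not the authors' tool or data: the severity indexes follow the slides (RS and CD Minor 0.25, CG Marginal 0.50, VT and AR Catastrophic 0.95), but the normalized complexities, execution times, transition probabilities PT_ij, connector risk factors hrf_ij and the AE_appl bound are assumed values chosen for illustration, so the resulting risk is not the ~0.9 reported for the real pacemaker model. R_appl starts at 0 so that 1 - R_appl stays in [0, 1]; the AR<->VT cycle is cut by the AE_appl check exactly as in the procedure.

```python
"""Risk aggregation over a component dependency graph (CDG) with the stack-based
AssessRisk procedure from the slides, plus the one-at-a-time sensitivity sweep.

Added example, not the authors' tool. The pacemaker numbers are constructed:
severity indexes follow the slides, everything else (cpx, EC, PT_ij, hrf_ij,
AE_appl) is an assumed value for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TERMINAL = "t"  # terminating node of the CDG

SEVERITY_INDEX = {"Minor": 0.25, "Marginal": 0.50, "Critical": 0.75, "Catastrophic": 0.95}


@dataclass
class CDG:
    cpx: Dict[str, float]    # normalized dynamic complexity per component, in [0, 1]
    svrty: Dict[str, float]  # severity index per component (SEVERITY_INDEX values)
    ec: Dict[str, float]     # average execution time per visit of the component
    # edges[i][j] = (PT_ij transition probability, hrf_ij connector risk factor)
    edges: Dict[str, Dict[str, Tuple[float, float]]] = field(default_factory=dict)
    hrf_override: Dict[str, float] = field(default_factory=dict)  # used by the sweep

    def hrf(self, i: str) -> float:
        """Heuristic risk factor hrf_i = cpx_i * svrty_i, unless overridden for a sweep."""
        if i in self.hrf_override:
            return self.hrf_override[i]
        return self.cpx[i] * self.svrty[i]


def assess_risk(cdg: CDG, start: str, ae_appl: float) -> float:
    """AssessRisk: depth-first walk of the CDG from `start`.

    Along a path Rtemp = prod (1 - hrf_i)(1 - hrf_ij) PT_ij (AND path).  A path is
    closed when it reaches the terminal node or its time exceeds AE_appl, and its
    Rtemp is added to R_appl (OR path).  The risk is 1 - R_appl, so R_appl must
    start at 0 for the result to be a probability."""
    r_appl = 0.0
    stack: List[Tuple[str, float, float]] = [(start, 0.0, 1.0)]  # (C_i, Time, Rtemp)
    while stack:
        ci, time, rtemp = stack.pop()
        if time > ae_appl or ci == TERMINAL:
            r_appl += rtemp                                    # OR path
            continue
        for cj, (pt_ij, hrf_ij) in cdg.edges.get(ci, {}).items():
            stack.append((cj, time + cdg.ec[ci],                # AND path
                          rtemp * (1 - cdg.hrf(ci)) * (1 - hrf_ij) * pt_ij))
    return 1.0 - r_appl


def sensitivity(cdg: CDG, component: str, start: str, ae_appl: float,
                values=(0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1)) -> List[Tuple[float, float]]:
    """Overall risk as a function of one component's risk factor, all others fixed."""
    saved = dict(cdg.hrf_override)
    points = []
    for v in values:
        cdg.hrf_override[component] = v
        points.append((v, assess_risk(cdg, start, ae_appl)))
    cdg.hrf_override = saved
    return points


# Constructed pacemaker CDG (assumed values; see module docstring).
PACEMAKER = CDG(
    cpx={"RS": 0.2, "CD": 0.3, "CG": 0.5, "VT": 0.6, "AR": 0.7},
    svrty={"RS": 0.25, "CD": 0.25, "CG": 0.50, "VT": 0.95, "AR": 0.95},
    ec={"RS": 1, "CD": 1, "CG": 1, "VT": 2, "AR": 2},
    edges={
        "RS": {"CD": (1.0, 0.02)},
        "CD": {"CG": (1.0, 0.05)},
        "CG": {"AR": (0.6, 0.10), "VT": (0.4, 0.10)},
        "AR": {"VT": (0.5, 0.30), TERMINAL: (0.5, 0.0)},
        "VT": {"AR": (0.5, 0.30), TERMINAL: (0.5, 0.0)},
    },
)
AE_APPL = 4.0  # assumed average execution time; bounds the AR<->VT cycle

if __name__ == "__main__":
    print("pacemaker risk:", round(assess_risk(PACEMAKER, "RS", AE_APPL), 4))
    for comp in ("AR", "VT", "CG", "CD", "RS"):
        print(comp, [round(r, 3) for _, r in sensitivity(PACEMAKER, comp, "RS", AE_APPL)])
```

Because the transition probabilities out of each node sum to 1, the sum of Rtemp over all closed paths is at most 1 and the risk lands in [0, 1]. Sweeping one component's hrf while holding the rest fixed reproduces the curves of the figure: the overall risk is linear in each (1 - hrf_i), so the slope of a curve shows how much the system risk depends on that component's estimate, which is the uncertainty question raised in the conclusions.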
Benefits
The approach helps in:
• Deciding which components in the architecture require more development resources.
• Deciding which connectors in the architecture are of highest risk. A high-risk connector indicates that the interfaces between the corresponding components and the messaging protocol should be carefully designed.
• Studying how uncertainties in component risk factors affect the overall risk value of the system.
• Studying how uncertainties in connector risk factors affect the overall risk value of the system.
Conclusion: Benefits
The methodology is applicable early, at the architectural level.
The methodology is based on dynamic metrics. Dynamic metrics account for the fact that a fault in a frequently executed component will frequently manifest itself as a failure.
The methodology is based on simulation of architecture models. Simulation helps in:
• Performing FMEA procedures.
• Calculating the CDG parameters, such as transition probabilities.
• Obtaining dynamic metrics.
Conclusion: Issues
• Using an ordinal scale for measuring severity.
• Effect of uncertainties in the scenario probabilities and the estimated average execution times.
• Scalability: applying the methodology to a larger case study.
• The methodology is limited to systems with statechart and sequence diagram specifications.