Modelling and analysing contextual failures for dependability requirements
Transcript of Modelling and analysing contextual failures for dependability requirements
Modelling and Analysing Contextual Failures for Dependability Requirements
Danilo F. Mendonça, Raian Ali,
Genaína N. Rodrigues
The 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2014)
Hyderabad, India. June 2014
CiC/UnB - Modelling and Analysing Contextual Failures for Dependability Requirements 1
Presentation Outline
Motivation
- Contextual Dependability
Baseline
- Dependability
- Goal-oriented requirements engineering
Proposal
- Dependable Contextual Goal Model
- Reasoning with DCGM
Feasibility
- Mobile Personal Emergency Response System
Drawbacks
- Scalability
Conclusions and Following Steps
- Conclusions
- Next steps
Motivation
Contextual Dependability
Motivation
- The context in which systems operate may not be static but dynamic.
- Some failures will be activated only in specific contexts of operation.
Context: heavy traffic
Baseline
- Contexts can affect the likelihood of a failure occurring.
Contextually decreased availability
Active Wi-Fi, GPS & Bluetooth
⇓
Battery life decreased
⇓
Increased likelihood of failure
Baseline
- They can also affect the consequence of failures for users and the environment.
Contextually increased failure consequence
User is unfamiliar with the city (travelling)
⇓
Erroneous data used by the collaborative bus adviser system
⇓
User gets off in an unsafe city zone
Motivation
- Non-functional requirements such as reliability, availability and safety are paramount for many services used daily.
- Systems specified for a static context of operation may not be dependable.
- Systems may have to adapt to context changes to remain dependable.
- Systems need alternative configurations and a proper dependability specification.
Motivation
Goal: Reach location
Context: Low temperature. Reliable?
Context: Heavy traffic. Reliable?
Context: Tube strike. Reliable?
Research Question 1
How to specify contextual dependability requirements?
Research Question 2
How to estimate contextual dependability requirements?
Baseline
Dependability definition
Baseline
Dependability is ‘the ability to avoid service failures that are more frequent and more severe than is acceptable’. It encompasses the following attributes [Avizienis, 2004]:
- Reliability
- Availability
- Integrity
- Maintainability
- Safety
Baseline
Contexts definition
Baseline
- Contexts are ‘monitorable pieces of information about the environment in which systems operate’ [Ali et al., 2010].
- Environment consists of ‘whatever over which the system has no control’ [Finkelstein et al., 2001]. Ex:
  - Environment conditions
  - User characteristics
  - Availability of resources
Baseline
Goal oriented requirements engineering
Baseline
- Goal-oriented analysis is meant to capture the intentionality behind software requirements [Mylopoulos et al., 1998].
- Goals are a useful abstraction that represents stakeholders’ expectations and needs at early phases of RE.
- GORE¹ is a mature methodology for RE that has been validated by different goal-oriented frameworks such as i*, KAOS, and TROPOS.
¹ Goal Oriented Requirements Engineering
Baseline
TROPOS [Mylopoulos et al., 2010]
Baseline
TROPOS methodology
Contextual goal model (CGM) [Ali et al., 2010]
Baseline
Contextual goal model (CGM) [Ali et al., 2010]
CGM extends TROPOS methodology.
Baseline
- By the time system requirements are being analysed, a dependability analysis can be performed.
- It should analyse the context effects on the consequence level of failures.
- It should guide the specification of contextual dependability requirements (CDR).
Baseline
- Some proposals have added quality constraints (QC) to goal models. E.g.: Souza et al., SEAMS 2011.
- Dependability requirements could also be modelled as QCs for different system goals (Research question 1).
- However, to the best of our knowledge, the causal relation between contexts and failures has not been modelled in previous (static) estimation approaches (Research question 2).
Proposal
Contextual Failure Implication
The Contextual Failure Implication (CFI) is conceptually modelled as the effect of a context on a specific dependability attribute of system tasks in a CGM.
It provides contextual dependability estimations.
Proposal
How to estimate dependability?
Proposal
- Probabilistic model checking (PMC) provides formal verification. It is suitable for critical features of the system (a myth?).
- Dependability of less critical features may be analysed without formal verification, for instance:
  - Fuzzy logic can be used to express estimations based on domain knowledge.
  - Other languages can be used to express dependability estimations based on domain knowledge.
- The framework architecture should leave this decision to the analysts and provide easy integration with different techniques.
Proposal
Fuzzy logic approach [SEAMS 2014]
- IF-THEN rule syntax:
  - IF context THEN availability/reliability/safety/etc.
- Inference mechanism that produces a crisp output given some fuzzy inputs.
- Enables the use of qualitative fuzzy words to express contexts and dependability attribute levels.
Proposal
Strong, average and weak are fuzzy GPS levels.
Each is associated with a membership function.
Proposal
A small set of rules can produce a large number of outputs.
- If GPS signal is weak then reliability is average.
- If GPS signal is not weak then reliability is high.
- If battery is not strong then availability is low.
- If battery is strong then availability is average.
- If power source is connected then availability is high.
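The five rules above, executed end to end as an added example (this is not code from the paper or its tool): each monitored context variable gets fuzzy levels defined by assumed trapezoidal membership functions over a 0-100 sensor reading, each rule fires with the strength of its antecedent (a negated antecedent such as "not weak" uses 1 minus the membership), and the crisp estimate of each dependability attribute is the strength-weighted mean of assumed level centres (low 0.2, average 0.6, high 0.95). The membership shapes, the level centres, the defuzzification method and the sensor snapshot are all assumptions, since the slide gives only the rule text.

```python
"""Fuzzy IF-THEN estimation of Contextual Failure Implications (CFIs).

Added example: the slide states the rules but not the membership functions or
the inference method, so both are assumed here (trapezoidal sets over a 0-100
sensor reading; weighted-average defuzzification of rule strengths).
"""
from typing import Callable, Dict, List, Tuple

Membership = Callable[[float], float]


def trapezoid(a: float, b: float, c: float, d: float) -> Membership:
    """Membership that is 0 below a, rises to 1 at b, stays 1 until c, falls to 0 at d."""
    def mu(x: float) -> float:
        if b <= x <= c:
            return 1.0
        if a < x < b:
            return (x - a) / (b - a)
        if c < x < d:
            return (d - x) / (d - c)
        return 0.0
    return mu


# Assumed fuzzy levels of the two monitored context variables (0..100 readings).
GPS_SIGNAL: Dict[str, Membership] = {
    "weak": trapezoid(0, 0, 20, 50),
    "average": trapezoid(20, 50, 50, 80),
    "strong": trapezoid(50, 80, 100, 100),
}
BATTERY: Dict[str, Membership] = dict(GPS_SIGNAL)  # same shapes, also assumed

# Assumed crisp centre of each output level of a dependability attribute.
LEVEL_CENTRE: Dict[str, float] = {"low": 0.2, "average": 0.6, "high": 0.95}

# One rule = (antecedent strength for a context, attribute, consequent level).
# The context is a dict with gps_signal, battery (0..100) and power_connected (bool).
Rule = Tuple[Callable[[Dict[str, float]], float], str, str]
RULES: List[Rule] = [
    (lambda ctx: GPS_SIGNAL["weak"](ctx["gps_signal"]), "reliability", "average"),
    (lambda ctx: 1.0 - GPS_SIGNAL["weak"](ctx["gps_signal"]), "reliability", "high"),
    (lambda ctx: 1.0 - BATTERY["strong"](ctx["battery"]), "availability", "low"),
    (lambda ctx: BATTERY["strong"](ctx["battery"]), "availability", "average"),
    (lambda ctx: 1.0 if ctx["power_connected"] else 0.0, "availability", "high"),
]


def estimate(context: Dict[str, float], rules: List[Rule] = RULES) -> Dict[str, float]:
    """Fire every rule, then defuzzify each attribute as the strength-weighted mean of level centres."""
    weighted_sum: Dict[str, float] = {}
    total_strength: Dict[str, float] = {}
    for antecedent, attribute, level in rules:
        strength = antecedent(context)
        weighted_sum[attribute] = weighted_sum.get(attribute, 0.0) + strength * LEVEL_CENTRE[level]
        total_strength[attribute] = total_strength.get(attribute, 0.0) + strength
    return {
        attribute: weighted_sum[attribute] / total_strength[attribute]
        for attribute in weighted_sum
        if total_strength[attribute] > 0.0
    }


if __name__ == "__main__":
    # Constructed sensor snapshot: GPS half-way between weak and average, battery at 65%.
    snapshot = {"gps_signal": 35.0, "battery": 65.0, "power_connected": False}
    print(estimate(snapshot))
    print(estimate({**snapshot, "power_connected": True}))
```

With the constructed snapshot (GPS 35, battery 65, unplugged) the GPS reading is half weak, so reliability lands midway between the average and high centres (0.775); plugging in the power source lifts availability from 0.4 to 0.675 because a third rule fires at full strength.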
Proposal
PMC approach [Work in progress]
- Behavioural diagrams generated by the TROPOS methodology
- Parametric models in the PRISM/PARAM language
- PCTL properties
- Estimation of dependability attributes such as reliability
PMC must consider context effects on failures.
Different components, different dependability estimation for the same goal.
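How a parametric model yields a context-specific reliability figure, as an added example written in Python rather than in the PRISM/PARAM language (it is not the paper's model): the behaviour behind the "Reach location" goal is assumed to be get a GPS fix (retrying on failure), plan a route and travel; the failure probabilities are parameters fixed by the active context (weak GPS signal, heavy traffic), and reliability is the PCTL reachability property P=? [ F "success" ], computed exactly by solving the linear equations of the absorbing DTMC. The state space, the parameter values and the retry behaviour are assumptions made here.

```python
"""Reliability of a goal as a PCTL reachability probability on a parametric DTMC.

Added example, not the paper's PRISM/PARAM model: the behaviour, its states and
every number are assumed; only the idea (context fixes the model parameters,
reliability = P=? [ F "success" ]) comes from the slides.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

# state -> [(successor, probability)]; the probabilities of each state sum to 1
DTMC = Dict[str, List[Tuple[str, Fraction]]]


def build_model(gps_weak: bool, heavy_traffic: bool) -> DTMC:
    """'Reach location' as: get a GPS fix (retrying on failure), plan a route, travel.

    The context sets the parameters: weak GPS lowers the fix probability and heavy
    traffic lowers the travel probability (assumed values).
    """
    p_fix = Fraction(1, 2) if gps_weak else Fraction(9, 10)
    p_travel = Fraction(3, 5) if heavy_traffic else Fraction(9, 10)
    p_route = Fraction(19, 20)
    retry = Fraction(1, 2)  # share of failed fixes that are retried instead of abandoned
    return {
        "fix": [("route", p_fix), ("fix", (1 - p_fix) * retry), ("fail", (1 - p_fix) * (1 - retry))],
        "route": [("travel", p_route), ("fail", 1 - p_route)],
        "travel": [("success", p_travel), ("fail", 1 - p_travel)],
        "success": [("success", Fraction(1))],
        "fail": [("fail", Fraction(1))],
    }


def solve(a: List[List[Fraction]], b: List[Fraction]) -> List[Fraction]:
    """Exact Gauss-Jordan elimination of a x = b over the rationals."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        inv = m[col][col]
        m[col] = [v / inv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                factor = m[r][col]
                m[r] = [rv - factor * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def reach_probability(model: DTMC, start: str, target: str) -> Fraction:
    """P=? [ F target ] from start: x_target = 1, x = 0 where target is unreachable,
    and x_s = sum_t P(s,t) x_t for every remaining state."""
    can_reach = {target}
    changed = True
    while changed:  # backward search: states with a positive-probability path to target
        changed = False
        for state, successors in model.items():
            if state not in can_reach and any(t in can_reach and p > 0 for t, p in successors):
                can_reach.add(state)
                changed = True
    if start == target:
        return Fraction(1)
    if start not in can_reach:
        return Fraction(0)
    unknowns = sorted(can_reach - {target})
    index = {s: i for i, s in enumerate(unknowns)}
    a = [[Fraction(0)] * len(unknowns) for _ in unknowns]
    b = [Fraction(0)] * len(unknowns)
    for s in unknowns:  # row for s:  x_s - sum_{t unknown} P(s,t) x_t = P(s,target)
        a[index[s]][index[s]] += 1
        for t, p in model[s]:
            if t == target:
                b[index[s]] += p
            elif t in index:
                a[index[s]][index[t]] -= p
    return solve(a, b)[index[start]]


def reliability(gps_weak: bool, heavy_traffic: bool) -> Fraction:
    """Contextual reliability of the goal: probability of eventually reaching 'success'."""
    return reach_probability(build_model(gps_weak, heavy_traffic), "fix", "success")


if __name__ == "__main__":
    for gps_weak in (False, True):
        for heavy_traffic in (False, True):
            print(f"weak GPS={gps_weak!s:5} heavy traffic={heavy_traffic!s:5} -> "
                  f"reliability {reliability(gps_weak, heavy_traffic)}")
```

The same goal gets four different reliability values from the four context combinations (81/100, 57/100, 27/50 and 19/50 with the assumed parameters); the solver first finds the states that cannot reach the target, so the linear system it builds is non-singular even with loops such as the retry.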
Proposal
What about dependability requirements?
Proposal
Contexts may also affect the consequence level of failures:
- Minor consequences, lower dependability requirements
- Major consequences, higher dependability requirements
Thus, the dependability requirements are also context dependent.
Contextual Dependability Requirement
The Contextual Dependability Requirement (CDR) is modelled as the accepted level of one or more dependability attributes for any system goal in a CGM given some context condition.
It provides contextual dependability requirements.
Proposal
Dependable Contextual Goal Model (DCGM)
Baseline
Reasoning with DCGM
Reasoning with DCGM
- A goal is valid in a context if at least one of its means-end tasks is valid in that context.
- Stakeholders should be aware of contextual violations of dependability requirements.
Reasoning with DCGM
Static validation of CDRs
Reasoning with DCGM
What about runtime reasoning?
Reasoning with DCGM
Given the existence of the following information:
- A goal reached by alternative tasks;
- A context condition that can be evaluated through monitoring or prediction techniques;
- A set of CFIs for the alternative tasks and a CDR for the [goal, context] tuple;
A decision can be made about which task to use at runtime.
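The static validation of CDRs and the runtime decision described above, worked as an added example (this is not the paper's tool): each task carries a baseline estimate plus CFIs per context condition, the goal carries a default CDR plus stricter CDRs per condition, a task is valid in a context when its contextual estimate meets every attribute the contextual CDR constrains, the goal is valid when at least one of its means-end tasks is, and at runtime the valid task with the largest worst-case margin is chosen, while contexts in which no task is valid are reported as CDR violations. The "Reach location" goal with the tasks take_tube, take_bus and walk, the conditions tube_strike, heavy_traffic and low_temperature, every level, and the way several active conditions combine (most pessimistic CFI, most demanding CDR) are assumptions made here.

```python
"""Static and runtime reasoning over a Dependable Contextual Goal Model (DCGM).

Added example, not the paper's tool.  From the slides: a CFI is the effect of a
context on a dependability attribute of a task, a CDR is the accepted level of
attributes for a goal under a context condition, and a goal is valid in a context
if one of its means-end tasks is valid there.  The goal, tasks, conditions, levels
and the combination of several active conditions are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Context = FrozenSet[str]   # the set of context conditions currently holding
Levels = Dict[str, float]  # dependability attribute -> level in [0, 1]


@dataclass
class Task:
    name: str
    baseline: Levels          # estimate when no context condition holds
    cfi: Dict[str, Levels]    # context condition -> attribute -> estimate under it

    def estimate(self, context: Context) -> Levels:
        """Contextual estimate: each active CFI can only lower the attribute it affects (assumed)."""
        levels = dict(self.baseline)
        for condition in sorted(context):
            for attribute, level in self.cfi.get(condition, {}).items():
                levels[attribute] = min(levels.get(attribute, level), level)
        return levels


@dataclass
class Goal:
    name: str
    tasks: List[Task]         # means-end alternatives
    cdr: Dict[str, Levels]    # "" = default requirement; condition -> stricter requirement

    def required(self, context: Context) -> Levels:
        """Most demanding accepted level across the default CDR and every active condition (assumed)."""
        levels = dict(self.cdr.get("", {}))
        for condition in sorted(context):
            for attribute, level in self.cdr.get(condition, {}).items():
                levels[attribute] = max(levels.get(attribute, 0.0), level)
        return levels


def margins(goal: Goal, task: Task, context: Context) -> Levels:
    """Estimate minus requirement per constrained attribute; a missing estimate counts as 0."""
    estimate = task.estimate(context)
    return {a: estimate.get(a, 0.0) - r for a, r in goal.required(context).items()}


def valid_tasks(goal: Goal, context: Context) -> List[Task]:
    """Tasks whose contextual estimates meet every attribute of the contextual CDR."""
    return [t for t in goal.tasks if all(m >= 0.0 for m in margins(goal, t, context).values())]


def static_validation(goal: Goal, contexts: List[Context]) -> List[Context]:
    """Contexts in which the goal is invalid (no valid means-end task): the violations to report."""
    return [c for c in contexts if not valid_tasks(goal, c)]


def select_task(goal: Goal, context: Context) -> Optional[str]:
    """Runtime choice: the valid task with the largest worst-case margin, or None if the CDR is violated."""
    candidates = valid_tasks(goal, context)
    if not candidates:
        return None
    return max(candidates, key=lambda t: min(margins(goal, t, context).values(), default=0.0)).name


# Constructed model of the 'Reach location' goal under the page's three example contexts.
REACH_LOCATION = Goal(
    name="Reach location",
    tasks=[
        Task("take_tube", {"reliability": 0.95, "availability": 0.9, "safety": 0.9},
             {"tube_strike": {"availability": 0.1}}),
        Task("take_bus", {"reliability": 0.85, "availability": 0.95, "safety": 0.85},
             {"heavy_traffic": {"reliability": 0.5}}),
        Task("walk", {"reliability": 0.8, "availability": 1.0, "safety": 0.9},
             {"low_temperature": {"reliability": 0.4, "safety": 0.5}}),
    ],
    cdr={
        "": {"reliability": 0.7, "availability": 0.7},
        "low_temperature": {"safety": 0.8},  # a failure in the cold has a worse consequence
    },
)

if __name__ == "__main__":
    for ctx in [frozenset(), frozenset({"tube_strike"}),
                frozenset({"tube_strike", "heavy_traffic", "low_temperature"})]:
        print(sorted(ctx), "->", select_task(REACH_LOCATION, ctx))
```

Static validation runs `static_validation` over the contexts the analyst cares about at specification time; runtime reasoning runs `select_task` on the context currently monitored or predicted. With the constructed model the goal is valid until a tube strike, heavy traffic and low temperature hold together, at which point no task meets the CDR and the decision returns None.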
Reasoning with DCGM
DCGM at runtime
Drawbacks
Drawbacks
Scalability concerns (declarative rules):
- Effort may increase exponentially with:
  - Number of contexts
  - Analysed goals
  - Dependability attributes
- Analysis should be oriented by criticality:
  - Critical contextual goals
  - Critical dependability attributes
Drawbacks
Scalability concerns (PMC):
- State explosion is a known issue with PMC
- Verification of contextual models may contribute negatively to this problem
Conclusions and Next Steps
Conclusions
- Dependability requirements can be specified using a GORE-extended language.
- Techniques used for estimations must comply with the corresponding criticality of the analysed system goal.
- Scalability is a major concern for both declarative and formal verification approaches considered so far.
Next steps
- Validate the framework using a more extensive case study.
- Integrate the framework with a DSL as a CDR realization to provide more complex dependability specifications.
- Integrate the framework with a probabilistic model checking technique.
- Integrate the framework with a proactive self-adaptive architecture based on dependability criteria.
Questions?
Acknowledgement
The research was supported by an FP7 Marie Curie CIG grant (SOCIAD project), CNPq grant number 482280/2012-3, under call (edital) MCT/CNPq 14/2012, and Bournemouth University – Fusion Investment Fund (BBB and VolaComp projects)
Thank you