Enterprise Architecture Dependency Analysis using Fault Trees and Bayesian Networks

Ulrik Franke, Waldo Rocha Flores, and Pontus Johnson
Industrial Information and Control Systems
Royal Institute of Technology
100 44 Stockholm, Sweden
{ulrikf, waldorf, pj101}@ics.kth.se

Keywords: Enterprise Architecture, DoDAF, Fault Tree Analysis, Bayesian networks, dependency analysis

Abstract

Analysis of dependencies between technical systems and business processes is an important part of the discipline of Enterprise Architecture (EA). However, EA models typically provide only visual and qualitative decision support. This paper shows how EA frameworks for dependency analysis can be extended into the realm of quantitative methods by use of the Fault Tree Analysis (FTA) and Bayesian network (BN) techniques. Using DoDAF – the Department of Defense Architecture Framework – as an example, we provide a method for how these EA models can be adapted for use with FTA and BN. Furthermore, we use this method to perform dependency analysis and scenario evaluation on a sample DoDAF model.

1. INTRODUCTION

During the last decade, Enterprise Architecture (EA) has grown into an established approach for the management of information systems in organizations. EA is model-based, in the sense that diagrammatic descriptions of the systems and their environment constitute the core of the approach. Using EA models not only increases the general understanding of an enterprise's business and information system landscape but also aids decision making. Thus, the greatest benefits are not found in the creation of models, but in their use for analysis [14]. When models are used to analyze the future behavior of potential target architectures, more rational decision making is facilitated. Formal approaches for general EA analysis [13], or for particular sub-disciplines such as maintainability [15], interoperability [24], and security [23], are a growing field.

DoDAF, the Department of Defense Architecture Framework, is designed to support the creation of architectures within the US Department of Defense. Specifically, the DoDAF is designed to provide a "structured, repeatable method for evaluating investments and investment alternatives, as well as the ability to effectively implement organizational change, create new systems, and deploy new technologies" [5]. One important kind of analysis, facilitating more rational decision making, is that of dependency analysis, i.e. the description of how high-level operational concepts (airlift capability, search and rescue, etc.) depend upon particular technical systems (vehicles, radars, IT systems, etc.). If the gap between the high-level concepts used for enterprise-level decision making and the low-level concepts used for decision implementation is not bridged, decision makers will be at the mercy of their intuition when it comes to assessing the impact of decisions.

The present paper proposes an improvement and formalization of EA dependency analysis by methods from Fault Tree Analysis (FTA) and Bayesian networks (BN). FTA was born as a combinatorial model of systems dependability and is widely used for safety and reliability evaluations, as well as for product certifications [9]. At the heart of the method is a translation of the failure behavior of a physical system into a visual diagram and a logical model. Bayesian networks are a powerful mathematical tool for reasoning under uncertainty, representing causal dependencies as graphs [12]. The focus of this paper is to extend the EA analysis toolbox with the combined FTA-BN method, thus enabling more powerful dependency analysis. DoDAF, an EA framework where dependency analysis is at the forefront, has been used to create our running example.

The remainder of this paper is structured as follows. Section 2 contrasts the present paper with some related works. Section 3 introduces the DoDAF framework as well as our running example. Section 4 describes the FTA and BN techniques in more depth, and explains how they can be integrated. Section 5 is the locus of the main contribution, giving a method for how DoDAF models can be mapped into combined FTA-BN models to enable more powerful analysis. Section 6 gives some practical examples in the form of scenario analysis. Section 7 discusses the implications of the contribution, and section 8 concludes the paper.

2. RELATED WORKS

Automatic generation of fault trees from other sorts of models has previously been described in the literature. In [18] dynamic fault trees are generated from data flow models. In [20] fault trees are extracted from UML system models. In [3] an algorithm for generating fault trees from Little-JIL process definitions is presented. All of these, however, remain within a rather limited scope of technical systems and the processes directly supported by them. The present contribution adopts a wider perspective in its extension of FTA into the realm of Enterprise Architecture.

The use of Bayesian networks, and related probabilistic methods, for EA analysis in general is described in [13]. The present contribution aims to tie the diverse strands of FTA, BN, and EA together, thus adding the combination of FTA and BN to the EA analysis toolbox.

3. THE DEPARTMENT OF DEFENSE ARCHITECTURE FRAMEWORK

The current version (1.5) of DoDAF was released in 2007. The framework is "data centric" in the sense that a Core Architecture Data Model (CADM) defines the structure of the underlying architectural information presented in the products. The data centric approach is intended to ensure semantic rigor, consistency and maintainability of the architectural models. The products, therefore, should be considered convenient snapshot representations of underlying architectural data stored in a repository, rather than independent (sets of) entities.

DoDAF defines four different views of the data model, where each view is further decomposed into different viewpoints, or products. The All view (AV) provides an overall description of the architecture itself. The Operational view (OV) contains operational nodes, tasks, and activities, and also describes information exchange. The Systems and Services view (SV) contains systems, services, and the interconnections between these. The system functions and service resources described here all support the operational activities, including the exchange of information described in the OV. The Technical Standards view (TV) contains rules, guidelines, technical standards, etc., that govern the systems and services described in the SV [5]. Figure 1 describes the relations between the OV, SV, and TV.

[Figure 1. An illustration of the DoDAF views, and how they interrelate. Adapted from [5]. The figure shows three boxes: the Operational view ("identifies what needs to be accomplished and who does it"), the Systems and Services view ("relates systems, services, and characteristics to operational needs") and the Technical Standards view ("prescribes standards and conventions"), connected by arrows such as "systems and services that support activities".]

The field of dependency analysis is an important rationale for Enterprise Architecture in general and DoDAF in particular. By defining a set of products, DoDAF attempts to ensure a common understanding of the complex systems, and their interactions, employed in military operations of today. The OV-5 and SV-5 (a, b, and c) products, specifying the dependencies of operational activities upon each other and upon system functions, are prime examples of how DoDAF attempts to handle dependency analysis.

Example. In this article, we will illustrate dependency analysis by the use of a running example involving target acquisition, command and control, and physical attack, using unmanned aerial and ground vehicles. The overall aim of this example is not to go into tactical or technical details, but to illustrate how DoDAF, as a framework for dependency analysis, can be improved. Figure 2 illustrates the example – before improvement – using the DoDAF products Operational Activity Model (OV-5) and Operational Activity to Systems Function Traceability Matrix (SV-5a). The scope is a "kill chain", i.e. the process leading from the acquisition of a target to its destruction. We assume that target acquisition (TA) can be performed either by an unmanned aerial vehicle (UAV) or by an unmanned ground vehicle (UGV), that the target can be attacked either from a UAV with a payload (such as the Predator system) or by conventional artillery, and that the whole process needs to be supervised from a command and control (C2) center.

[Figure 2. The running example depicted as DoDAF OV-5 (with swimlanes) and SV-5a products. Recoverable labels: operational nodes Ground Control Station, C2 and Target; operational activities Request target acquisition, Accept strike request, Prepare strike order, Strike target, Analysis of target information, Identify target and Kill target; systems Comms satellite and Armed UAV; SV-5a system function columns UGV TA, UAV TA, Satellite comms, UAV firing and Artillery firing. The individual X marks of the traceability matrix are not recoverable from the extraction.]
4. ANALYSIS METHODS

Before proceeding to the main contribution, we briefly discuss the combined methods of Fault Tree Analysis (FTA) and Bayesian networks (BN). The integration of FTA with BN is a concept previously described in the literature. In-depth descriptions of transformation algorithms are provided in [2], [17], and [25].

[Figure 3. A simple example of a combined FTA-BN model, describing the impacts of computer failure and absent employees on the quality of a process. The fault-tree part has the top event Computer failure as the output of an OR gate over HDD failure (an internal event), Screen failure (a basic event) and Power outage (an unexpanded event, marked with a rhombus); HDD failure is the output of an AND gate over Primary disk failure and Secondary disk failure (basic events). The BN part adds the chance nodes Employee absence {Sick, At work} and Process quality {High, Medium, Low}. The two conditional probability matrices shown in the figure are:

  Probabilistic CPM for Process quality
  Employee:         Sick            At work
  Computer:         Failed  Non-f.  Failed  Non-f.
  High              0       0       0.1     0.8
  Medium            0       0       0.5     0.1
  Low               1       1       0.4     0.1

  Deterministic CPM for HDD (AND gate)
  Disk 1:           Failed          Non-failed
  Disk 2:           Failed  Non-f.  Failed  Non-f.
  HDD Failed        1       0       0       0
  HDD Non-failed    0       1       1       1
]

Fault Tree Analysis (FTA) is based on reliability theory, Boolean algebra and probability theory [9]. A fault tree represents how combinations of basic events (BE:s) lead to the occurrence of a particular undesired event (viz. complete system failure) called the top event (TE). A graph is drawn, where the nodes are either events or gates. Events concern the failure of components, subsystems or of the whole system, and they are graphically represented by rectangles. Each event is a Boolean variable, whose initial state is false and changes to true whenever failure occurs [4]. All events that are neither TE nor BE:s are called internal events (IE:s). A simple fault tree is depicted in the computer failure part of Fig. 3.

Gates are connected by arcs (the edges of the graph) to several input events and to a single output event. Thus, a gate propagates failure to its output event if a particular combination of input events occurs. The TE must be the output of a gate and cannot be the input of any gate, hence it is the root of the fault tree. Furthermore, arcs respect a logic circuit orientation: from the input events to the gate, and from the gate to the output event. In fault tree diagrams used for illustrative purposes, it is common not to expand all events, but to mark unexpanded events with a rhombus underneath. In Fig. 3, the power outage event has been thus marked, illustrating that it can be further expanded (severed cable, burnt-out fuse, etc.). To similarly distinguish the basic events, they can be marked with a circle.

Formally, fault trees can be described as follows [4]. Let the set of events be designated E, the set of gates G, and the set of arcs connecting them A (cf. Fig. 3). Now, the FT formalism is given by the tuple FT = (E, G, A, BG, γ, λ, φ), with the symbols defined as follows:

Event set: E = BE ∪ IE ∪ {TE} is the set of the events in the FT. BE is the set of all BE:s; IE is the set of all IE:s.

Arc set: A ⊆ (E × G) ∪ (G × E) is the set of the arcs according to the logic circuit orientation.

Boolean gate types: BG = {AND, OR} is the set of Boolean gate types and is composed of the AND gate type and the OR gate type.

Gate type assignment: γ : G → BG is the function assigning a type to each gate.

Failure rate assignment: λ : BE → R+ is the function assigning a failure rate to each BE, assuming that BE:s follow a negative exponential distribution.

Logic: φ : E → B = {true, false} is the function returning the Boolean value of an event (Boolean variable).

Mathematically, the fault tree is a bipartite directed acyclic graph (DAG). For more comprehensive treatments of FTA, cf. [9], [4], [16], and [2].

A Bayesian network B = (G, P) is described in [11] as a representation of a joint probability distribution, where the first component G = (V, E) is a directed acyclic graph consisting of vertices, V, and edges, E.

In a Bayesian network, the vertices denote a domain of random variables X1, ..., Xn, also called chance nodes. Each chance node, Xi, may assume a value xi from the finite domain Val(Xi). The advantage of the graph representation is that it provides a compact way of expressing the dependency relations between the random variables, i.e. which variables are conditionally independent given another variable. Each edge denotes a causal dependency between its nodes.

In order to specify the joint distribution, the respective conditional probabilities that appear in the product form

$$P(X_1, \ldots, X_n) = \prod_{i=1}^{n} P(X_i \mid \mathrm{Pa}(X_i))$$

must be defined [11]. The second component of the network, P, describes distributions for each possible value xi of the chance node Xi, given the values pa(Xi) of its causal parents Pa(Xi). These conditional probabilities are represented in matrices, henceforth called Conditional Probability Matrices (CPMs). Using a Bayesian network, it is possible to specify the answers to questions such as "What is the probability of the process quality being high, given that the computer has failed and the employee is at work?". From the example CPM shown in Fig. 3, this particular probability can be read off as 0.1. More comprehensive treatments of Bayesian networks can be found in e.g. [19], [12], [22] and [21].

Formally, the combined FTA-BN formalism is just another Bayesian network, where one or several fault trees have been mapped into the Bayesian network. It is straightforward to see how this works. The event set E of the fault tree is mapped to a vertex set VFT which becomes a subset of the vertex set V of the resulting Bayesian network. The arc set A of the fault tree is mapped to an edge set EFT which becomes a subset of the edge set E of the Bayesian network. The logical gates G are mapped to conditional probability matrices, which are in fact deterministic, i.e. contain only ones and zeros. Such a conversion is illustrated in Fig. 3, where an AND gate has been explicitly rendered as a CPM.

5. DODAF AND THE FTA-BN METHOD

Having briefly considered the existing dependency analysis tools of DoDAF in section 3, we now proceed to describe how they can benefit from the extension offered by the FTA-BN method outlined in the previous section. In the following, we therefore define a method for the augmentation of DoDAF models with proper attributes and causal relations, so that the analytical power of the FTA-BN method can be used:

Identify goals. The first step is to identify the goals relevant in the DoDAF model considered. Here, it is vital to distinguish our EA modeling goal, i.e. dependency analysis, from the modeled goal, i.e. the desired outcome of the process being modeled.

Example. The running example describes a kill chain, with the modeled goal being the destruction of an enemy target. Therefore, the modeling goal is to illustrate as succinctly as possible how the ability to destroy an enemy target depends upon the processes and technical systems involved in the existing DoDAF model, viz. Fig. 2.

Identify model entities. Having identified the goals, the next logical step is to pinpoint the entities relevant to causal analysis. These entities typically correspond to a goal breakdown structure of the modeled goal, i.e. descriptions of concrete physical assets or core processes. Entities too abstract or purely formal (such as UML notation) are to be excluded.

Example. From the views of the running example, it is easy to identify physical assets such as UAV and satellite, and core processes such as target acquisition. However, the data model underlying the OV-5 and SV-5a products also contains plenty of detail unnecessary to dependency analysis, e.g. the UAV belonging to an air force wing and the UGV to an army battalion.

Identify model attributes. Assigning proper attributes to the entities plays a crucial role in the procedure. Typically, different attributes are required for different modeling goals. For dependency analysis, technical (sub-)systems should usually receive the standard FTA attribute System Status, with the binary scale of non-failed and failed. In the case of processes and more abstract modeled goals, more elaborate attributes and scales should often be used. Our use of discrete Bayesian networks allows only discrete scales.

Example. Figure 3 contains a few different attribute scales: {non-failed, failed}, {sick, at work}, and {high, medium, low}. In the running example, proper model attributes include the status of technical subsystems (e.g. the entity Armed UAV gets both an overall System Status attribute and a more specific UI enhancement status reflecting the status of a specific user interface feature). Processes such as Target Acquisition are given a Quality attribute, whereas the target and the UAV operator platform are attributed to reflect the fact that their moving or standing still affects the kill chain.

Identify deterministic attribute relations. Starting with the relevant attributes, the next step is to describe how these attributes relate to each other and to the modeled goals. The first step is to identify the necessary conditions for the goals to be reached. These are encoded in FTA-style AND or OR gates. Typically, such relationships hold between the various System Status attributes.

Example. In our running example, there are a number of necessary conditions: If the satellite fails, we lose the C2 ability. If neither the UAV nor the UGV can perform the target acquisition, we cannot fire. Similarly, strike is impossible if both the armed UAV and the conventional artillery fail. The necessity of these three activities for the modeled goal is encoded in the logical gates of Fig. 4.

Identify Bayesian attribute relations. The second step in setting the attribute relations is to identify sufficient conditions for the modeled goal. These conditions are captured using the probabilistic framework of BN. The full behavior of these complex attributes is typically not encoded in standard DoDAF models, but is rather implicit in the professional (military) expertise of the users. Making this knowledge explicit and subject to objective analysis is a benefit of the FTA-BN method. Literature sources are also helpful for modeling these relations.

Example. In our running example, a number of complex interactions between attributes have arisen. These include the cooperation between the UAV and the UGV [10], the benefits of autopilots [6], the impact of the satellite uplink when targeting moving targets [7], the impact of the UAV pilot being in a moving platform [1] and his use of an enhanced interface for piloting [8]. In Fig. 4, the sources cited on these issues have been used as inspiration to set the conditional probability matrices describing these interactions in the FTA-BN model.

The result of this process is the creation of an FTA-BN model. The model describing the running example is illustrated in Fig. 4. Apart from the conditional probability matrices depicted, an additional CPM describes the impact of the qualities of (i) target acquisition, (ii) C2, and (iii) the precision of strike on the probability of achieving a successful kill. For the purpose of the example, we let these three have equal influence on this success probability.

[Figure 4. A DoDAF model using the FTA-BN analysis method to describe dependencies between processes and systems. The modeled goal Kill target (attribute Successful kill) is the output of an AND gate over the operational activities Target acquisition (attribute Quality; OR gate over the systems UGV TA and UAV TA), C2 (attribute Quality; AND gate with the system Comms satellite) and Strike (attribute Precision; OR gate over the systems Armed UAV and Artillery). Further entities: the nodes Target (Moving) and UAV operator platform (Moving); the systems UGV TA (System status), UAV TA (System status, Video UI enhancement status), Comms satellite (System status, Signal latency), Armed UAV (System status, Autopilot status) and Artillery (System status). The three CPMs printed in the figure are:

  Quality of C2 (inspired by Dougherty [7])
  System Status of satellite:   Non-failed               Failed
  Signal delay:                 Yes   Yes   No    No     Yes  Yes  No   No
  Moving target:                Yes   No    Yes   No     Yes  No   Yes  No
  High                          0.3   0.4   0.6   0.7    0    0    0    0
  Medium                        0.1   0.2   0.2   0.2    0    0    0    0
  None                          0.6   0.4   0.2   0.1    1    1    1    1

  Quality of TA (inspired by Fincannon et al. [10])
  System status of UGV:         Non-failed               Failed
  System status of UAV:         NF    NF    F     F      NF   NF   F    F
  Video UI enhancement status:  NF    F     NF    F      NF   F    NF   F
  High                          0.6   0.6   0.4   0.4    0.6  0.4  0    0
  Medium                        0.3   0.3   0.2   0.2    0.3  0.2  0    0
  None                          0.1   0.1   0.4   0.4    0.1  0.4  1    1

  Precision (inspired by Antonov et al. [1] and Dixon et al. [6])
  System Status of Armed UAV:   Non-failed                                    Failed
  System Status of Artillery:   Non-failed         Failed             Non-failed         Failed
  Moving UAV op. platform:      Yes  Yes  No   No  Yes  Yes  No   No  Yes  Yes  No   No  Yes  Yes  No   No
  Autopilot status:             NF   F    NF   F   NF   F    NF   F   NF   F    NF   F   NF   F    NF   F
  High                          0.6  0.6  0.8  0.7 0.6  0.5  0.8  0.6 0.6  0.6  0.6  0.6 0    0    0    0
  Medium                        0.2  0.2  0.1  0.2 0.2  0.3  0.1  0.2 0.2  0.2  0.2  0.2 0    0    0    0
  None                          0.2  0.2  0.1  0.1 0.2  0.2  0.1  0.2 0.2  0.2  0.2  0.2 1    1    1    1

(NF = Non-failed, F = Failed. The CPM for Successful kill is not reproduced in the figure.)]

6. SCENARIO EVALUATION

Having described the method for generating FTA-BN models in the previous section, we now proceed to illustrate its use as a decision support tool. One important such use is the evaluation of scenarios. A scenario is a description of a set of possible future events that is interesting to evaluate before making important decisions on technical systems, processes, etc.

Consider our example model in Fig. 4. Assume, for the sake of the example, that all System Status attributes have a probability of 95% of being in the non-failed state. In practice, of course, these figures can be replaced with real statistics on the relevant components. Further, assume that the probability of the target being moving is 80%, as is that of the UAV pilot's platform being moving. Finally, assume that the probability of there being satellite signal delay is 50%. This gives us a 34% baseline probability of a successful target kill.

Now, this baseline scenario can be modified. Assume instead that we have no UGV for targeting – the probability of successful kill drops, but is still 32%. Apparently, the gain from multiple target acquisition is not so great. Assume instead that we know our target to be stationary – the probability of successful kill now rises to 40%. Finally, assume instead that we can increase the quality of the satellite signal, so that we have a 95% probability of no delay. This gives a 43% probability of successful kill. These scenarios are all depicted as Bayesian networks in Fig. 5.

[Figure 5. Four different scenarios evaluated using the FTA-BN analysis method. The scenarios are depicted as Bayesian networks, with the probability of kill as the top node, and with the scenario-defining parameters highlighted. Scenario 1: Baseline. Scenario 2: No UGV. Scenario 3: Stationary target. Scenario 4: High reliability satellite.]

The point of scenarios of this kind is that they are far more powerful tools for analysis than are the DoDAF OV-5 and SV-5 products – or any standard DoDAF products, for that matter. Even if there is uncertainty in the figures, as is the case in our example no less than in reality, the possibility of performing quantitative analysis gives valuable decision support for operational planning, maintenance prioritizing, and procurement.

7. DISCUSSION

DoDAF was developed to enable and guide the architecture efforts of the US Department of Defense. FTA and BN, on the other hand, are well-defined and precise mathematical methods. Inevitably, there is a tension between the width and abstraction of DoDAF and the rigorous need for precision in FTA and BN. This tension, however, reflects a real-world gap between management-level abstraction on the one hand and operational and implementation-level concretion on the other hand – a gap that has to be bridged if adequate decision support is to be provided.

The present contribution bridges this gap by proposing a method, outlined in section 5, whereby existing DoDAF models can be converted into FTA-BN models, thus enabling the powerful scenario analysis described in the previous section.

One strength of this method is how it makes use of the two constituent analysis methods for different tasks. The logical gates of FTA are used to identify necessary conditions for obtaining the desired goals. In a sense, this covers the basic functioning of the model, but also sets the stage for adding more details by the use of BN. The finer grains of the model are set with the identification of sufficient conditions for the desired goal, and encoded in the probabilistic framework of BN. This also suggests the use of the method for prioritizing: First, use standard DoDAF models to determine an area for further investigation. Second, create the FTA framework, thus outlining the logical framework of necessary conditions. Third, use BN to add details to the most interesting parts of the model, until the desired level of precision is reached.

There is also a possibility for iterative use of the method. The detail of the FTA-BN model can give rise to ideas for improvement of the original DoDAF models. Extra entities, for instance, might be identified when the modeler is forced by the FTA method to describe an accurate causal chain. Similarly, attributes frequently required by the BN modeling could be made mandatory when creating future DoDAF models of the relevant areas, so as to ease FTA-BN modeling of these.

It might be objected that the use of the FTA-BN method makes unwarranted use of numbers, and in this sense requires much more from the modeler than do the corresponding DoDAF products. This is not correct. All decisions on modeling must always be made based on the information available. What the present method does is to force the modeler to make this pre-existing knowledge explicit, by putting numbers on it. While the merit of the numbers as such may be questioned, their mere existence forces the modeler to be consistent in her judgments. Indeed, the present method assists critical reviewing by enabling the modeler to see precisely which of her assumptions are critical, and which are not.

8. CONCLUSIONS

The contribution of the present paper is three-fold: (i) The feasibility of performing enterprise architecture dependency analysis by combining Fault Tree Analysis with Bayesian networks has been demonstrated. (ii) A method for extending DoDAF models with attributes and attribute relations proper for such FTA-BN analysis has been proposed. (iii) The use of scenario analysis as support for decision makers has been contrasted with, and found superior to, the dependency analysis products currently included in DoDAF.

More generally speaking, we have described how different analysis methods, each well established in their own right, can be combined to achieve greater analytical capabilities within an architecture framework. There exists a multitude of engineering methods, thoroughly explored and validated in different settings, that the cross-disciplinary area of Enterprise Architecture can benefit from. Both for purposes of analysis and of communication, this is preferable to re-inventing the wheel. Not least, this is true of methods that enable quantitative analysis of areas previously open only to qualitative consideration.

REFERENCES

[1] Guennadi S. Antonov, Mark C. Domogala, and Wesley A. Olson. Operating an unmanned aerial system from a moving platform. Technical report, Air Force Academy, Colorado Springs, November 2007.
[2] Andrea Bobbio, Luigi Portinale, Michele Minichino, and Ester Ciancamerla. Comparing fault trees and Bayesian networks for dependability analysis. In SAFECOMP '99: Proceedings of the 18th International Conference on Computer Safety, Reliability and Security, pages 310–322, London, UK, 1999. Springer-Verlag.
[3] Bin Chen, George S. Avrunin, Lori A. Clarke, and Leon J. Osterweil. Automatic fault tree derivation from Little-JIL process definitions. In SPW/ProSim, pages 150–158, 2006.
[4] Daniele Codetta-Raiteri. Extended Fault Trees Analysis supported by Stochastic Petri Nets. PhD thesis, University of Torino, Torino, Italy, 2005.
[5] Department of Defense Architecture Framework Working Group. DoD Architecture Framework, version 1.5. Technical report, Department of Defense, USA, 2007.
[6] Stephen R. Dixon, Christopher D. Wickens, and Dervon Chang. Mission control of multiple unmanned aerial vehicles: A workload analysis. Human Factors: The Journal of the Human Factors and Ergonomics Society, 47:479–487, Fall 2005.
[7] Shane A. Dougherty. An Examination of Latency and Degradation Issues in Unmanned Combat Aerial Vehicle Environments. Master's thesis, Air Force Institute of Technology, Wright-Patterson Air Force Base, March 2002.
[8] Jill L. Drury, Justin Richer, Nathan Rackliffe, and Michael A. Goodrich. Comparing situation awareness for two unmanned aerial vehicle human interface approaches. Technical report, Mitre Corp, Bedford, MA, 2006.
[9] C. Ericson. Fault tree analysis – a history. In 17th International System Safety Conference, 1999.
[10] Thomas Fincannon, Joseph R. Keebler, Florian Jentsch, and A. William Evans III. Target identification support and location support among teams of unmanned systems operators. In Proceedings of the 26th Army Science Conference, December 2008.
[11] Nir Friedman, Michal Linial, and Iftach Nachman. Using Bayesian networks to analyze expression data. Journal of Computational Biology, 7:601–620, 2000.
[12] Finn V. Jensen. Bayesian Networks and Decision Graphs. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2001.
[13] Pontus Johnson, Robert Lagerström, Per Närman, and Mårten Simonsson. Enterprise architecture analysis with extended influence diagrams. Information Systems Frontiers, 9(2), May 2007.
[14] Pontus Johnson, Lars Nordström, and Robert Lagerström. Formalizing analysis of enterprise architecture. In Interoperability for Enterprise Software and Applications Conference, page 10, April 2006.
[15] Robert Lagerström and Pontus Johnson. Using architectural models to predict the maintainability of enterprise systems. In Proceedings of the 12th European Conference on Software Maintenance and Reengineering, April 2008.
[16] N.G. Leveson and P.R. Harvey. Software fault tree analysis. The Journal of Systems and Software, 3(2):173–181, 1983.
[17] X. Liu, H. Li, and L. Li. Building method of diagnostic model of Bayesian networks based on fault tree. In Society of Photo-Optical Instrumentation Engineers (SPIE) Conference Series, volume 7127, November 2008.
[18] Mark McKelvin, Claudio Pinello, Sri Kanajan, Joseph Wysocki, and Alberto Sangiovanni-Vincentelli. Model-based design of heterogeneous systems for fault tree analysis. In Rodney J. Simmons and Norman J. Gauthier, editors, 24th International System Safety Conference, pages 400–409. System Safety Society, August 2006.
[19] Richard E. Neapolitan. Learning Bayesian Networks. Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 2003.
[20] Ganesh J. Pai and Joanne Bechta Dugan. Automatic synthesis of dynamic fault trees from UML system models. In Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE'02), 2002.
[21] Judea Pearl. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1988.
[22] Ross D. Shachter. Probabilistic inference and influence diagrams. Operations Research, 36(4):589–604, 1988.
[23] Teodor Sommestad, Mathias Ekstedt, and Pontus Johnson. Combining defense graphs and enterprise architecture models for security analysis. In Proceedings of the 12th IEEE International Enterprise Computing Conference (EDOC 2008), September 2008.
[24] Johan Ullberg, Robert Lagerström, and Pontus Johnson. A framework for service interoperability analysis using enterprise architecture models. In IEEE International Conference on Services Computing, July 2008.
[25] Philippe Weber and Lionel Jouffe. Complex system reliability modelling with dynamic object oriented Bayesian networks (DOOBN). Reliability Engineering & System Safety, 91(2):149–162, 2006. Selected Papers Presented at QUALITA 2003.

Biographies

Ulrik Franke received his M.Sc. in Engineering Physics from the Royal Institute of Technology (KTH) in Stockholm in 2007, and is now pursuing a Ph.D. in Industrial Information and Control Systems. He is also a graduate of the Military Academy Karlberg and an officer in the Swedish army reserve.

Waldo Rocha Flores received his B.Sc. in Business Administration and Economics from Stockholm University in 2007 and his M.Sc. in Electrical Engineering from the Royal Institute of Technology (KTH) in Stockholm in 2008. He is now pursuing a Ph.D. in Industrial Information and Control Systems.

Pontus Johnson received his M.Sc. in Engineering Physics from the Lund Institute of Technology in 1998 and his Ph.D. in Industrial Information and Control Systems from the Royal Institute of Technology (KTH) in Stockholm in 2002. He is now an associate professor and heads the research program in Enterprise Architecture at KTH.
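Added example (editor's code, not the authors'): the gate-to-deterministic-CPM mapping of section 4 and the scenario evaluation of section 6, implemented for the Fig. 4 model using the three CPMs the paper prints. Two things are assumptions rather than taken from the paper: the Video UI enhancement and Autopilot status nodes are treated as System Status attributes (non-failed with probability 95% in the baseline), and, since the CPM for Successful kill is not published, the top node is the necessary-condition gate of Fig. 4 (kill impossible if target acquisition, C2 or strike delivers no quality) rather than the paper's kill probability, so the 34%/32%/40%/43% figures are not reproduced. Inference is exact enumeration of the joint, which is adequate for a network of this size; node and scenario names are this example's own.

```python
"""Fig. 4 of the paper as a combined FTA-BN model with exact inference, re-running
the section 6 scenarios on the nodes whose CPMs the paper prints. Added example."""
from itertools import product

NF, F = "non-failed", "failed"
YN = ("Yes", "No")
QUAL = ("High", "Medium", "None")


class BN:
    """Discrete Bayesian network; a CPT maps a tuple of parent values to {value: p}."""

    def __init__(self):
        self.nodes = {}  # name -> (domain, parents, cpt); insertion order is topological

    def add(self, name, domain, parents, cpt):
        self.nodes[name] = (tuple(domain), tuple(parents), cpt)

    def prior(self, name, p_first, domain=(NF, F)):
        self.add(name, domain, (), {(): {domain[0]: p_first, domain[1]: 1 - p_first}})

    def gate(self, name, parents, kind, broken=F):
        """FTA gate -> deterministic CPM (section 4): failed iff any/all parents == broken."""
        agg, cpt = (any if kind == "OR" else all), {}
        for combo in product(*(self.nodes[p][0] for p in parents)):
            fail = agg(v == broken for v in combo)
            cpt[combo] = {F: float(fail), NF: float(not fail)}
        self.add(name, (NF, F), parents, cpt)

    def marginal(self, query, evidence=None):
        """Exact P(query | evidence) by enumerating the joint; zero-weight branches pruned."""
        evidence, names = dict(evidence or {}), list(self.nodes)
        dist = dict.fromkeys(self.nodes[query][0], 0.0)
        def walk(i, assignment, weight):
            if weight == 0.0 or i == len(names):
                if weight:
                    dist[assignment[query]] += weight
                return
            name = names[i]
            domain, parents, cpt = self.nodes[name]
            row = cpt[tuple(assignment[p] for p in parents)]
            for v in ([evidence[name]] if name in evidence else domain):
                assignment[name] = v
                walk(i + 1, assignment, weight * row.get(v, 0.0))
            del assignment[name]
        walk(0, {}, 1.0)
        total = sum(dist.values())
        return {v: p / total for v, p in dist.items()}


def cpm(parent_domains, rows):
    """CPT from a Fig.4-style matrix: columns are parent states in the paper's nested
    left-to-right order, rows are the node's values."""
    return {col: {val: rows[val][i] for val in rows}
            for i, col in enumerate(product(*parent_domains))}


def kill_chain(p_status=0.95, p_ugv=0.95, p_moving_target=0.8,
               p_moving_platform=0.8, p_delay=0.5):
    """Defaults are the section 6 baseline. Assumption: every failed/non-failed status
    node (UI enhancement and autopilot included) is non-failed with probability p_status."""
    bn = BN()
    for s in ("Comms satellite", "UAV TA", "Video UI", "Armed UAV", "Artillery", "Autopilot"):
        bn.prior(s, p_status)
    bn.prior("UGV TA", p_ugv)
    bn.prior("Signal delay", p_delay, YN)
    bn.prior("Moving target", p_moving_target, YN)
    bn.prior("Moving platform", p_moving_platform, YN)
    # The three CPMs printed in Fig. 4, values as published.
    bn.add("Quality of C2", QUAL, ("Comms satellite", "Signal delay", "Moving target"),
           cpm([(NF, F), YN, YN], {"High":   (0.3, 0.4, 0.6, 0.7, 0, 0, 0, 0),
                                   "Medium": (0.1, 0.2, 0.2, 0.2, 0, 0, 0, 0),
                                   "None":   (0.6, 0.4, 0.2, 0.1, 1, 1, 1, 1)}))
    bn.add("Quality of TA", QUAL, ("UGV TA", "UAV TA", "Video UI"),
           cpm([(NF, F)] * 3, {"High":   (0.6, 0.6, 0.4, 0.4, 0.6, 0.4, 0, 0),
                               "Medium": (0.3, 0.3, 0.2, 0.2, 0.3, 0.2, 0, 0),
                               "None":   (0.1, 0.1, 0.4, 0.4, 0.1, 0.4, 1, 1)}))
    bn.add("Precision", QUAL, ("Armed UAV", "Artillery", "Moving platform", "Autopilot"),
           cpm([(NF, F), (NF, F), YN, (NF, F)],
               {"High":   (0.6, 0.6, 0.8, 0.7, 0.6, 0.5, 0.8, 0.6, 0.6, 0.6, 0.6, 0.6, 0, 0, 0, 0),
                "Medium": (0.2, 0.2, 0.1, 0.2, 0.2, 0.3, 0.1, 0.2, 0.2, 0.2, 0.2, 0.2, 0, 0, 0, 0),
                "None":   (0.2, 0.2, 0.1, 0.1, 0.2, 0.2, 0.1, 0.2, 0.2, 0.2, 0.2, 0.2, 1, 1, 1, 1)}))
    # The gates of Fig. 4 as one necessary-condition node: the chain fails if TA, C2 or
    # Strike delivers no quality (failure-logic OR == the figure's success-logic AND).
    bn.gate("Kill chain", ("Quality of TA", "Quality of C2", "Precision"), "OR", broken="None")
    return bn


def evaluate(bn):
    """'feasible' = P(all necessary conditions hold), an upper bound on kill probability
    (the paper's kill CPM is unpublished, so its 34/32/40/43% figures are not reproduced)."""
    return {"TA": bn.marginal("Quality of TA"), "C2": bn.marginal("Quality of C2"),
            "Strike": bn.marginal("Precision"), "feasible": bn.marginal("Kill chain")[NF]}


def scenarios():
    """The four Fig. 5 scenarios of section 6 as parameter changes to the baseline."""
    return {"Baseline": evaluate(kill_chain()),
            "No UGV": evaluate(kill_chain(p_ugv=0.0)),
            "Stationary target": evaluate(kill_chain(p_moving_target=0.0)),
            "High reliability satellite": evaluate(kill_chain(p_delay=0.05))}
```

Calling scenarios() gives, for the baseline, P(all necessary conditions hold) of about 0.43, which is above the paper's 34% kill probability as an upper bound must be; removing the UGV raises P(Quality of TA = None) from about 0.12 to about 0.16, and the reliable satellite raises P(Quality of C2 = High) from 0.4465 to 0.57475. The `gate` method is the section 4 mapping in miniature: it works for any parent domains, so the same call builds the HDD AND gate of Fig. 3 and the three-way necessary-condition gate of Fig. 4. Because the zeros in the published CPMs are exactly the deterministic gate columns, evidence such as {"Comms satellite": F} drives Quality of C2 to None with certainty, which is the consistency check a reviewer of such a model should run first.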