Modelling Contextual Dependability
1. Modelling and Analysing Contextual Failures for Dependability Requirements
Danilo F. Mendonça
Raian Ali
Genaína N. Rodrigues
The 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2014)
Hyderabad, India. June 2014
CiC/UnB - Modelling and Analysing Contextual Failures for Dependability Requirements 1
2. Presentation Outline
Motivation
Contextual Dependability
Baseline
Dependability
Goal-oriented requirements engineering
Proposal
Dependable Contextual Goal Model
Reasoning with DCGM
Feasibility
Mobile Personal Emergency Response System
Drawbacks
Scalability
Conclusions and Following Steps
Conclusions
Next steps
4. Motivation
The context in which systems operate may not be static, but dynamic.
Some failures will be activated only in specific contexts of operation.
Context: heavy traffic
5. Baseline
Contexts can affect the likelihood of a failure to occur.
Contextually decreased availability
Active
Wi-Fi, GPS & Bluetooth
⇓
Battery life decreased
⇓
Increased likelihood of failure
6. Baseline
They can also affect the consequence of failures to users and environment.
Contextually increased failure consequence
User is unfamiliar with the city (travelling)
⇓
Erroneous data used by the collaborative bus adviser system
⇓
User drops off in an unsafe city zone
7. Motivation
Non-functional requirements such as reliability, availability and safety are paramount for many daily used services.
Systems specified for a static context of operation may not be dependable.
Systems may have to adapt to context changes to remain dependable.
Systems need alternative configurations and proper dependability specification.
8. Motivation
Goal: Reach location
Context: Low temperature. Reliable?
Context: Heavy traffic. Reliable?
Context: Tube strike. Reliable?
9. Research Question 1
How to specify contextual dependability requirements?
Research Question 2
How to estimate contextual dependability requirements?
11. Baseline
Dependability is ‘the ability to avoid service failures that are more frequent and more severe than is acceptable’. It encompasses the following attributes [Avizienis, 2004]:
Reliability
Availability
Integrity
Maintainability
Safety
13. Baseline
Contexts are ‘monitorable pieces of information about the environment in which systems operate’ [Ali et al., 2010].
Environment consists of ‘whatever over which the system has no control’ [Finkelstein et al., 2001]. Examples:
Environment conditions
User characteristics
Availability of resources
15. Baseline
Goal-oriented analysis is meant to capture the intentionality behind software requirements [Mylopoulos et al., 1998].
Goals are a useful abstraction that represent stakeholders’ expectations and needs at early phases of RE.
GORE¹ is a mature methodology for RE that has been validated by different goal-oriented frameworks such as i*, KAOS, and TROPOS.
¹ Goal Oriented Requirements Engineering
16. Baseline
TROPOS [Mylopoulos et al., 2010]
18. Contextual goal model (CGM) [Ali et al., 2010]
19. Baseline
Contextual goal model (CGM) [Ali et al., 2010]
CGM extends TROPOS methodology.
20. Baseline
By the time system requirements are being analysed, a dependability analysis can be performed.
It should analyse the context effects over the consequence level of failures.
It should guide the specification of contextual dependability requirements (CDR).
21. Baseline
Some proposals have added quality constraints (QC) to goal models, e.g. Souza et al., SEAMS 2011.
Dependability requirements could also be modelled as QCs for different system goals (Research question 1).
However, to the best of my knowledge, the causal relation between contexts and failures has not been modelled in previous (static) estimation approaches (Research question 2).
23. Contextual Failure Implication
The Contextual Failure Implication (CFI) is conceptually modelled as the effect of a context on a specific dependability attribute of system tasks in a CGM.
It provides contextual dependability estimations.
24. Proposal
How to estimate dependability?
25. Proposal
The probabilistic model checking (PMC) technique provides formal verification. It is suitable for critical features of the system (a myth?).
Dependability of less critical features may be analysed without formal verification, for instance:
Fuzzy logic can be used to express estimations based on domain knowledge.
Other languages can be used to express dependability estimations based on domain knowledge.
The framework architecture should leave this decision to the analysts and provide an easy integration with different techniques.
26. Proposal
Fuzzy logic approach [SEAMS 2014]
IF-THEN rule syntax:
IF context THEN availability/reliability/safety/etc.
An inference mechanism that produces a crisp output given some fuzzy inputs.
Enables the use of qualitative fuzzy words to express contexts and dependability attribute levels.
27. Proposal
Strong, average and weak are fuzzy GPS levels.
Each is associated with a membership function.
28. Proposal
A small set of rules can produce a large number of outputs.
If GPS signal is weak then reliability is average.
If GPS signal is not weak then reliability is high.
If battery is not strong then availability is low.
If battery is strong then availability is average.
If power source is connected then availability is high.
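As an added example (not code from the paper or its authors), the five rules above evaluated over fuzzy GPS-signal and battery levels in Python. The slides do not say which inference mechanism the framework uses; the trapezoidal membership shapes, the crisp values standing for low/average/high, and zero-order Sugeno-style weighted averaging are all assumptions made here.

```python
# Added example: fuzzy estimation of reliability and availability from context.
# Membership shapes, output levels and the Sugeno-style inference are assumptions.

def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: 0 below a, 1 on [b, c], 0 above d, linear between."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    return (x - a) / (b - a) if x < b else (d - x) / (d - c)

# Assumed membership functions for the fuzzy GPS levels named on the slide
# (signal measured on a 0..1 scale).
GPS = {
    "weak": lambda s: trapezoid(s, -0.1, 0.0, 0.25, 0.5),
    "average": lambda s: trapezoid(s, 0.25, 0.5, 0.5, 0.75),
    "strong": lambda s: trapezoid(s, 0.5, 0.75, 1.0, 1.1),
}
# Assumed membership function for a "strong" battery level (charge on 0..1).
BATTERY_STRONG = lambda b: trapezoid(b, 0.4, 0.7, 1.0, 1.1)

# Assumed crisp values standing for the qualitative output levels.
LEVEL = {"low": 0.3, "average": 0.6, "high": 0.9}

def infer(rules):
    """Zero-order Sugeno inference: each rule is (firing strength, output level);
    the crisp result is the strength-weighted average of the level values."""
    total = sum(w for w, _ in rules)
    return sum(w * LEVEL[z] for w, z in rules) / total if total else 0.0

def estimate(gps_signal, battery, power_connected):
    """Return (reliability, availability) estimates for one context sample."""
    weak = GPS["weak"](gps_signal)
    strong = BATTERY_STRONG(battery)
    plugged = 1.0 if power_connected else 0.0   # crisp context, so 0 or 1
    reliability = infer([
        (weak, "average"),      # IF GPS signal is weak THEN reliability is average
        (1.0 - weak, "high"),   # IF GPS signal is not weak THEN reliability is high
    ])
    availability = infer([
        (1.0 - strong, "low"),  # IF battery is not strong THEN availability is low
        (strong, "average"),    # IF battery is strong THEN availability is average
        (plugged, "high"),      # IF power source is connected THEN availability is high
    ])
    return round(reliability, 3), round(availability, 3)
```

Partially weak signal and a half-strong battery (the third case in the test) show why the rule set is small but the output space is large: every intermediate membership value yields a different crisp estimate.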
29. Proposal
PMC approach [Work in progress]
Behavioural diagrams generated by TROPOS methodology
Parametric models with PRISM/PARAM language
PCTL properties
Estimation of dependability attributes such as reliability
30. PMC must consider context effects on failures.
Different components, different dependability estimation for the same goal.
31. Proposal
What about dependability requirements?
32. Proposal
Contexts may also affect the consequence level of failures:
Minor consequences, lower dependability requirements
Major consequences, higher dependability requirements
Thus, the dependability requirements are also context dependent.
33. Contextual Dependability Requirement
The Contextual Dependability Requirement (CDR) is modelled as the accepted level of one or more dependability attributes for any system goal in a CGM given some context condition.
It provides contextual dependability requirements.
36. Reasoning with DCGM
A goal will be valid if one of its means-end tasks is valid for that context.
Stakeholders should be aware of contextual violations of dependability requirements.
37. Reasoning with DCGM
Static validation of CDRs
38. Reasoning with DCGM
What about runtime reasoning?
39. Reasoning with DCGM
Given the existence of the following information:
A goal reached by alternative tasks;
A context condition that can be evaluated through monitoring or prediction techniques;
A set of CFIs for the alternative tasks and a CDR for the [goal, context] tuple;
A decision can be made about which task to use at runtime.
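The validity rule from slide 36 and the runtime decision from slide 39, as an added example in Python that is not the paper's own tooling. The goal, task names, contexts, CFI estimates and CDR thresholds are constructed for illustration; the "largest margin over the CDR" tie-break is an assumption, since the slides only state that a decision can be made.

```python
# Added example: runtime task selection over a Dependable Contextual Goal Model.
# All goal/task/context names and numeric levels below are constructed.

# CFI: estimated dependability attribute levels of each means-end task per context.
CFI = {
    "locate_by_gps": {
        "outdoors": {"reliability": 0.95, "availability": 0.80},
        "indoors": {"reliability": 0.55, "availability": 0.80},
    },
    "locate_by_cell_tower": {
        "outdoors": {"reliability": 0.80, "availability": 0.90},
        "indoors": {"reliability": 0.80, "availability": 0.90},
    },
}
# CDR: accepted attribute levels for each [goal, context] tuple.
CDR = {
    ("send_location", "outdoors"): {"reliability": 0.90, "availability": 0.70},
    ("send_location", "indoors"): {"reliability": 0.70, "availability": 0.70},
    ("send_location", "underground"): {"reliability": 0.70},
}
# Means-end decomposition of the goal into its alternative tasks.
GOALS = {"send_location": ["locate_by_gps", "locate_by_cell_tower"]}

def task_is_valid(task, context, requirement):
    """A task is valid when every attribute the CDR names meets its accepted level;
    a task with no CFI estimate for the context is treated as invalid."""
    est = CFI[task].get(context, {})
    return all(est.get(attr, 0.0) >= level for attr, level in requirement.items())

def select_task(goal, context):
    """Return (chosen_task, violating_tasks). The goal is valid if at least one
    means-end task is valid for the context; among valid tasks the one with the
    largest minimum margin over the CDR is chosen (assumed tie-break). Violating
    tasks are returned so stakeholders can be told about contextual CDR violations."""
    requirement = CDR[(goal, context)]
    valid, violations = [], []
    for task in GOALS[goal]:
        if task_is_valid(task, context, requirement):
            est = CFI[task][context]
            margin = min(est[attr] - level for attr, level in requirement.items())
            valid.append((margin, task))
        else:
            violations.append(task)
    if not valid:
        return None, violations   # goal invalid in this context: CDR violated
    return max(valid)[1], violations
```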
40. Reasoning with DCGM
DCGM at runtime
42. Drawbacks
Scalability concerns (declarative rules):
Effort may increase exponentially with:
Number of contexts
Analysed goals
Dependability attributes
Analysis should be oriented by criticality:
Critical contextual goals
Critical dependability attributes
43. Drawbacks
Scalability concerns (PMC):
State explosion is a known issue with PMC
Verification of contextual models may contribute negatively to this problem
44. Conclusions and Next Steps
45. Conclusions
Dependability requirements can be specified using a GORE-extended language.
Techniques used for estimations must comply with the corresponding criticality of the analysed system goal.
Scalability is a major concern for both declarative and formal verification approaches considered so far.
46. Next steps
Validate the framework using a more extensive case study.
Integrate the framework with a DSL as a CDR realization to provide more complex dependability specification.
Integrate the framework with a probabilistic model checking technique.
Integrate the framework with a proactive self-adaptive architecture based on dependability criteria.
47. Questions?
Acknowledgement
The research was supported by an FP7 Marie Curie CIG grant (SOCIAD project), CNPq grant number 482280/2012-3, under edital MCT/CNPq 14/2012, and Bournemouth University – Fusion Investment Fund (BBB and VolaComp projects).