Traceable Engineering of Fault-Tolerant SoSs

Transcription

1 Traceable Engineering of Fault-Tolerant SoSs Zoe Andrews, Claire Ingram, Richard Payne and Alexander Romanovsky Newcastle University, UK Jon Holt and Simon Perry Scarecrow Consultants Limited, UK SoSECIE webinar: 09/15/2015 SoSECIE 09/15/2015 1

2 Outline Introduction Engineering Fault-Tolerant SoSs Conclusions SoSECIE 09/15/2015 2

3 Outline Introduction Systems of Systems Systems of Systems and Dependability The Fault Modelling and Analysis Method Engineering Fault-Tolerant SoSs Conclusions SoSECIE 09/15/2015 3

4 Our Research Design technology (foundations, methods, tools) for: Systems of Systems (SoS) Cyber-Physical Systems (CPS) We focus on model-based design: Models as a basis for collaborative development Machine-assisted analysis of models as a means of managing development risk "HVAC Ventilation Exhaust" by PictorialEvidence - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - SoSECIE 09/15/2015 4

5 Current Projects Strongly supported by European Union Current Priorities: Research: development of sound toolchains for verifying global properties of CPSs (INTO-CPS) Innovation Support: creating ecosystems in model-based engineering for CPS (CPSE Labs) Strategic Actions: Roadmaps and Transatlantic Research Agenda (Road2CPS, TAMS4CPS) SoSECIE 09/15/2015 5

6 Systems of Systems Assembly and integration of independent constituent systems interacting via a networked infrastructure Collectively offer a new global ( emergent ) service on which value and reliance is placed. Independence Distribution Evolution Emergence Model-based SoS Engineering as a way of mastering complexity SoSECIE 09/15/2015 6

7 COMPASS Technology «Fault Activation View» {faultsofinterest = Complete Failure of the Radio System} Initiate Rescue Fault Activation [Fault 1] CC : Call Centre : Radio System ERU1 : ERU : Start rescue : Find idle ERUs «Fault Activation» : Fault 1 activation [idle ERU] : Allocate idle ERU [no idle ERU] : Send rescue info to ERU : Process message : Receive message [higher criticality] : Divert ERU [lower criticality] : Wait : Log diversion «Error Detection» «erroneous» : Error 1 detection : Drop message «Failure Event» : Target not attended : Service rescue : Start rescue «Start Recovery» : Start Recovery 1 «End Recovery» : End Recovery 1 Semi-formal Modelling SysML used for SoS modelling Guidelines for Requirements, Architecture, Integration SoS modelling profiles Architectural patterns and extensible architectural frameworks (AFs) SoSECIE 09/15/2015 7

8 COMPASS Technology «Fault Activation View» {faultsofinterest = Complete Failure of the Radio System} Initiate Rescue Fault Activation [Fault 1] CC : Call Centre : Radio System : Start rescue «Fault Activation» : Find idle ERUs : Fault 1 activation [idle ERU] : Allocate : Send rescue : Process idle ERU info to ERU message [no idle ERU] [higher criticality] : Divert ERU [lower «Error Detection» «erroneous» criticality] : Error 1 detection : Drop message : Wait : Log diversion «Failure Event» : Target not attended : Start rescue «Start Recovery» : Start Recovery 1 ERU1 : ERU : Receive message : Service rescue «End Recovery» : End Recovery 1 process CallCentreProc = begin actions MERGE1(r) = (dcl e: set of e := findidleerus(); if e = {} then DECISION2(r) else (dcl e1: e1 := allocateidleeru(e, r); MERGE2(e1, r))) process InitiateRescue = CallCentreProc [ SEND_CHANNELS ] RadioSystemProc [ RCV_CHANNELS ] ERUsProc Semi-formal Modelling SysML used for SoS modelling Guidelines for Requirements, Architecture, Integration SoS modelling profiles Architectural patterns and extensible architectural frameworks (AFs) Formal Modelling CML allows representation of behavioural semantics of the SoS Supports contract specification Describes functionality, objectorientation, concurrency, real-time, mobility. Can be extended to new paradigms SoSECIE 09/15/2015 8

9 COMPASS Technology «Fault Activation View» {faultsofinterest = Complete Failure of the Radio System} Initiate Rescue Fault Activation [Fault 1] CC : Call Centre : Radio System : Start rescue «Fault Activation» : Find idle ERUs : Fault 1 activation [idle ERU] : Allocate : Send rescue : Process idle ERU info to ERU message [no idle ERU] [higher criticality] : Divert ERU [lower «Error Detection» «erroneous» criticality] : Error 1 detection : Drop message : Wait : Log diversion «Failure Event» : Target not attended : Start rescue «Start Recovery» : Start Recovery 1 ERU1 : ERU : Receive message : Service rescue «End Recovery» : End Recovery 1 process CallCentreProc = begin actions MERGE1(r) = (dcl e: set of e := findidleerus(); if e = {} then DECISION2(r) else (dcl e1: e1 := allocateidleeru(e, r); MERGE2(e1, r))) process InitiateRescue = CallCentreProc [ SEND_CHANNELS ] RadioSystemProc [ RCV_CHANNELS ] ERUsProc Semi-formal Modelling SysML used for SoS modelling Guidelines for Requirements, Architecture, Integration SoS modelling profiles Architectural patterns and extensible architectural frameworks (AFs) Formal Modelling CML allows representation of behavioural semantics of the SoS Supports contract specification Describes functionality, objectorientation, concurrency, real-time, mobility. Can be extended to new paradigms Tool-supported Analysis Model-checker Automated proof Static Fault Analysis Test generation Simulation Model-in-Loop Test Exploration of design space SoSECIE 09/15/2015 9

10 SoS and Dependability Independence Distribution Evolution Emergence Challenge: CSs are autonomous and independent, responsibility for preventing SoS failure when a CS fails or withdraws from the SoS is unclear Approach: Record explicitly where responsibility for fault tolerance lies SoSECIE 09/15/

11 SoS and Dependability Independence Distribution Evolution Emergence Challenge: Networking technology that SoSlevel functionality relies on may introduce faults Approach: Model-based support for exploration of recovery strategies that can be applied when networking failures occur SoSECIE 09/15/

12 SoS and Dependability Independence Distribution Evolution Emergence Challenge: CSs evolve independently, need to preserve dependability under evolutions of the SoS Approach: Model-based traceability facilitates impact analysis to understand the impact of unexpected changes SoSECIE 09/15/

13 SoS and Dependability Independence Distribution Evolution Emergence Challenge: Need to analyse the emergent dependability of the SoS, but constituents systems may be black boxes Approach: Document fault assumptions for constituents and provide tool support for analysis of emergent dependability properties SoSECIE 09/15/

14 SoS and Dependability SoS failure SoS error SoS fault a deviation of the service provided by the SoS from expected (correct) behaviour the part of the SoS state that can lead to its subsequent service failure the adjudged or hypothesised cause of an error The focus of our work is on fault-tolerant SoSs preventing SoS failures from arising in the presence of faults achieved by detecting errors and conducting system recovery Avizienis, A.; Laprie, J.-C.; Randell, B. & Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing," Dependable and Secure Computing, IEEE Transactions on, vol.1, no.1, pp.11,33, Jan.-March SoSECIE 09/15/

15 Methodology Informal Requirements Fault Tolerance Verification Requirements Engineering Architectural Design Fault Analysis Traceability SoSECIE 09/15/

16 Technologies Fault Tolerance Verification Plugin HiP-HOPS Traceability Pattern Fault Analysis Tool SoS-ACRE Fault Modelling Architectural Framework Fault Analysis Architectural Framework SoSECIE 09/15/

17 Technologies Fault Tolerance Verification Plugin HiP-HOPS Modelling Traceability Pattern Fault Analysis Tool SoS-ACRE Fault Modelling Architectural Framework Fault Analysis Architectural Framework Analysis SoSECIE 09/15/

18 COMPASS AF Framework (CAFF) Approach CAFF APPROACH Define Ontology Define Viewpoints Define Rules SoSECIE 09/15/

19 COMPASS AF Framework (CAFF) Approach CAFF APPROACH Define Ontology Define Viewpoints Define Rules Ontology System System of Systems Constituent System SoSECIE 09/15/

20 COMPASS AF Framework (CAFF) Approach CAFF APPROACH Define Ontology Define Viewpoints Define Rules Ontology System Fault/Error/Failure Definition Viewpoint Viewpoints Threats Chain Viewpoint Fault Tolerance Structure Viewpoint System of Systems Fault Tolerance Connections Constituent Viewpoint System Erroneous/Recovery Processes Viewpoint Viewpoints use modelling elements from ontology SoSECIE 09/15/

21 COMPASS AF Framework (CAFF) Approach CAFF APPROACH Define Ontology Define Viewpoints Define Rules Ontology System Fault/Error/Failure Definition Viewpoint Viewpoints Rules Rule Threats FMAF01: All faults, Fault errors Tolerance and failures modelled in the Fault Chain Modelling Architectural Structure Framework must be defined in the ViewpointFault/Error/Failure Viewpoint Definition View (FEFDV). System of Systems Fault Tolerance Connections Constituent Viewpoint System Rule Erroneous/Recovery FMAF02: All constituents included in a Threats Chain View (TCV) must Processes be included in the corresponding Fault Tolerance Structure View (FTSV) and Fault Tolerance Connections View Viewpoint (FTCV). Rules restrict how the viewpoints may be applied SoSECIE 09/15/

22 Outline Introduction Engineering Fault-Tolerant SoSs Case Study Requirements Engineering Fault Modelling Requirements Tracing Fault Analysis Conclusions SoSECIE 09/15/

23 Emergency Response SoS SoSECIE 09/15/

24 Emergency Response SoS SoSECIE 09/15/

25 Emergency Response SoS SoSECIE 09/15/

26 Emergency Response SoS??? SoSECIE 09/15/

27 Requirements Engineering Apply SoS-ACRE: a structured way of engineering and managing the requirements of an SoS We focus on the requirements engineering processes Key elements of SoS-ACRE for fault tolerance: define the fault tolerance requirements of the SoS (what faults) examine the fault tolerance requirements in the context of the CSs identify error detection and recovery scenarios SoSECIE 09/15/

28 ER SoS: Context Interaction Requirement: Tolerate Radio System Failure SoSECIE 09/15/

29 ER SoS: Context Interaction Requirement: Tolerate Radio System Failure SoSECIE 09/15/

30 ER SoS: Context Interaction SoSECIE 09/15/

31 Fault Modelling Defined a Fault Modelling Architectural Framework (FMAF) + SysML profile Prompts an SoS engineer to consider the impact of faults at the early stages of design A coherent set of views & concepts for designing fault-tolerant SoSs FMAF Ontology Viewpoints Rules SoSECIE 09/15/

32 Fault Modelling Defined a Fault Modelling Architectural Framework (FMAF) + SysML profile Prompts an SoS engineer to consider the impact of faults at the early stages of design A coherent set of views & concepts for designing fault-tolerant SoSs FMAF Ontology Viewpoints Rules SoSECIE 09/15/

33 FMAF: Ontology Definition SoSECIE 09/15/

34 FMAF: Ontology Definition SoSECIE 09/15/

35 FMAF: Ontology Definition SoS failure: a deviation of the service provided by the SoS from expected (correct) behaviour SoS error: the part of the SoS state that can lead to its subsequent service failure SoS fault: the adjudged or hypothesised cause of an error SoSECIE 09/15/

36 FMAF: Viewpoints FMAF Viewpoints Ontology Structure Behaviour Rules SoSECIE 09/15/

37 FMAF: Viewpoints FMAF Viewpoints Ontology Structure Behaviour Rules Structural Viewpoints Fault/Error/Failure Definition Threats Chain Fault Tolerance Structure Fault Tolerance Connections SoSECIE 09/15/

38 FMAF: Viewpoints FMAF Viewpoints Ontology Structure Behaviour Rules Structural Viewpoints Behavioural Viewpoints Fault/Error/Failure Definition Threats Chain Erroneous/Recovery Processes Erroneous/Recovery Scenarios Fault Tolerance Structure Fault Tolerance Connections Fault Activation Recovery SoSECIE 09/15/

39 FMAF: Viewpoints FMAF Viewpoints Ontology Structure Behaviour Rules Structural Viewpoints Behavioural Viewpoints Fault/Error/Failure Definition Threats Chain Erroneous/Recovery Processes Erroneous/Recovery Scenarios Fault Tolerance Structure Fault Tolerance Connections Fault Activation Recovery SoSECIE 09/15/

40 ER SoS: Threats Chain SoSECIE 09/15/

41 ER SoS: Threats Chain SoSECIE 09/15/

42 ER SoS: Threats Chain SoSECIE 09/15/

43 ER SoS: Fault Activation «Fault Activation View» {faultsofinterest = Complete Failure of the Radio System} Initiate Rescue Fault Activation [Fault 1] CC : Call Centre : Radio System ERU1 : ERU : Start rescue : Find idle ERUs : Send rescue info to ERU : Process message : Receive message [no idle ERU] [idle ERU] : Allocate idle ERU «Fault Activation» : Fault 1 activation [higher criticality] : Divert ERU [lower criticality] : Wait For the rescue the ERU was diverted from : Log diversion : Start rescue «Error Detection» : Error 1 detection... «Erroneous... : Drop message «Failure Event» : Target not attended : Service rescue «Start Recovery» : Start Recovery 1 «End Recovery» : End Recovery 1 SoSECIE 09/15/

44 ER SoS: Fault Activation «Fault Activation View» {faultsofinterest = Complete Failure of the Radio System} Initiate Rescue Fault Activation [Fault 1] CC : Call Centre : Radio System ERU1 : ERU : Start rescue : Find idle ERUs : Send rescue info to ERU : Process message : Receive message [no idle ERU] [idle ERU] : Allocate idle ERU «Fault Activation» : Fault 1 activation [higher criticality] : Divert ERU [lower criticality] : Wait For the rescue the ERU was diverted from : Log diversion : Start rescue «Error Detection» : Error 1 detection... «Erroneous... : Drop message «Failure Event» : Target not attended : Service rescue «Start Recovery» : Start Recovery 1 «End Recovery» : End Recovery 1 SoSECIE 09/15/

45 ivation [Fault 1] : Radio System ERU1 : ERU ER SoS: Fault Activation Send rescue info to ERU : Process message «Fault Activation» : Fault 1 activation : Receive message «Error Detection» : Error 1 detection... «Erroneous... : Drop message «Failure Event» : Target not attended : Service rescue «Start Recovery» : Start Recovery 1 «End Recovery» : End Recovery 1 SoSECIE 09/15/

46 Requirements Tracing Traceability Pattern a structured way of defining traceability in this case we will use it for fault tolerance requirements traceability Use case Detected by dependency (FMAF Threats Chain Viewpoint) (SoS-ACRE Context Interaction Viewpoint) Validation View (SoS-ACRE Viewpoint) SoSECIE 09/15/

47 Requirements Tracing (ER SoS) SoSECIE 09/15/

48 Fault Analysis Assists an SoS engineer in analysing the impact of CS/component level faults on SoS functionalities Provide modelling and tool support for static fault analysis Fault Analysis Architectural Framework (FAAF) + SysML profile Ergonomic profile and translation tool for Atego Modeler Fault analysis capabilities provided by HiP-HOPS tool Fault Tree Analysis Failure Modes and Effects Analysis SoSECIE 09/15/

49 Fault Analysis: Example SoS CS1 CS3 CS2 SoSECIE 09/15/

50 Fault Analysis: Example SoS CS1 A CS3 C CS2 B SoSECIE 09/15/

51 Fault Analysis: Example SoS SoS failure CS1 A CS3 C CS2 B C A B SoSECIE 09/15/

52 Tool Overview 1. Ergonomic profiling SoSECIE 09/15/

53 Tool Overview 1. Ergonomic profiling 2. Exporting models for analysis SoSECIE 09/15/

54 SoSECIE 09/15/

55 Outline Introduction Engineering Fault-Tolerant SoSs Conclusions SoSECIE 09/15/

56 Conclusions Systems of systems have characteristics that motivate a structured approach to fault modelling and analysis of SoSs: Modelling support for requirements engineering, architectural design, requirements tracing of fault-tolerant SoSs Modelling and tool support for fault tolerance verification and static fault analysis Future directions: Tool-supported integration of the fault modelling and fault analysis architectural frameworks and SysML profiles Support for modes of operation, either functional modes or degraded modes (e.g. partial functionality in presence of errors) Multi-objective optimisation, trading off attributes such as dependability, cost and energy consumption SoSECIE 09/15/

57 @riffio This work is part of the COMPASS project: research into model-based techniques for developing, maintaining and analysing SoSs thecompassclub.org SoSECIE 09/15/

58 Further Reading Andrews, Z.; Fitzgerald, J.; Payne, R. and Romanovsky, A. Fault Modelling for Systems of Systems, in Proceedings of the 11th International Symposium on Autonomous Decentralised Systems (ISADS 2013), March 2013, pp Andrews, Z.; Payne, R.; Romanovsky, A.; Didier, A. L. and Mota, A Model-based development of fault tolerant systems of systems in Proceedings of the 2013 IEEE International Systems Conference (SysCon 2013). Ingram, C.; Riddle, S.; Fitzgerald J.; Al-Lawati, S.A.H.J.; Alrbaiyan, A., SoS Fault Modelling at the Architectural Level in an Emergency Response Case Study in Proceedings of the Workshop on Engineering Dependable Systems of Systems, 2014 (EDSoS 2014) Andrews, Z.; Ingram, C.; Payne, R.; Plat, N., SysML Fault Modelling in a Traffic Management System of Systems in Proceedings of the 2014 IEEE International Systems of Systems Engineering Conference (SoSE 2014). Andrews, Z.; Ingram, C.; Payne, R.; Romanovsky, A.; Perry, S. & Holt, J., Traceable Engineering of Fault-Tolerant SoSs, in International INCOSE Symposium, Las Vegas, USA, June-July COMPASS Deliverables D24.2, D33.3 and D43.3: Fault Analysis Tool: Atego Modeler: HiP-HOPS: SoSECIE 09/15/