DEOS and D-Case for Open Systems Dependability

1 DEOS and D-Case for Open Systems Dependability
Dr Yutaka Matsuno, University of Tokyo, JST CREST DEOS Project

2 Contents
・Achieving Open Systems Dependability
・Our Approach: Using Assurance Cases in both design and operational phases
・Assurance Cases and D-Case
・Example Use Case: Web Server System
・D-Case Tool Demo
・Standardization and Future Plan
・Conclusion

4 Open System
・New definition: a system whose boundary, function, structure, and interfaces change over time
・Traditional definition: open systems are computer systems that provide some combination of interoperability, portability, and open software standards (Wikipedia)
・Today's systems have turned out to be open systems in the new sense, and many serious failures have occurred

5 How to Achieve Dependability of an Open System
・Conventional methods such as formal methods are of limited use for open systems: they rely on a "closed system" assumption
・The best we can do is for stakeholders, together with experts, to argue the dependability of the system with evidence and try to reach agreement that the system is dependable

6 Achieving Open Systems Dependability
・All stakeholders must communicate with each other and agree on the dependability of the system
・The system must provide evidence for the agreement
(Figure: Dependability Agreement among the System, the Product Provider, the End User and the Authority; the product provider provides the system, the end user uses the service)
Meeting memo (10/12/07 11:14): best effort

8 Our Approach
・Assurance is a key concept (cf. "Dependability through Assuredness")
・Assurance Cases seem to be a good framework
・Based on Assurance Cases, we have started to develop D-Case, a method for dependability agreement among stakeholders

9 Current Status of Assurance Cases
・Assurance Cases are used only in a few specific system domains; they are not applied to IT-based social systems, enterprise architecture, ...
・Assurance Cases are used only in the development phase; it is difficult to assure that the system behaves as intended at run time, especially for failure mitigation behaviors

10 Ideas
・Extend a well-developed process (e.g., TOGAF) with Assurance Cases
・Use Assurance Cases in both development and operational phases
  ・In development, consider the operational environment and risks as much as possible
  ・In operation, continuously monitor whether dependability is sustained

12 Assurance Case
A documented body of evidence that provides a convincing and valid argument that a system is adequately dependable for a given application in a given environment.
(Figure: an Argument Structure linking a Goal, e.g. "System is Safe", to Evidence, e.g. an FTA (Fault Tree Analysis) result)

13 Brief History
・"Case" is a word from the courts
・Recognized after serious incidents in the UK: Piper Alpha North Sea oil platform (167 deaths, 1988), Clapham Junction rail crash (35 deaths, 1988)
・Not only following a procedure, but arguing why the procedure makes the system safe, based on evidence
・Widely required for regulation in the UK, and now worldwide: EUROCONTROL, Rail Yellow Book, MoD Defence Standard 00-56, and ISO 26262: Functional Safety for Automobiles

14 GSN (Goal Structuring Notation): A Graphical Notation
・Developed by Tim Kelly and his colleagues at the University of York
・[1] The Goal Structuring Notation - A Safety Argument Notation, T. P. Kelly and R. A. Weaver, in Proceedings of the Workshop on Assurance Cases, 2004
・Simple; supports patterns and modules

15 GSN Main Nodes
・Goal: claim to be argued (e.g. "System is safe")
・Strategy: rationale for decomposing a goal (e.g. "Argue for each identified fault")
・Evidence: final object for supporting a goal (e.g. FTA results)
・Context: environmental information for arguing goals (e.g. system environment, list of all identified faults)

16 GSN Example (from [1])

17 D-Case
We add a Monitoring node as a sub-class of Evidence.
・Goal: claim to be argued (e.g. "System is safe")
・Strategy: rationale for decomposing a goal (e.g. "Argue for each identified fault")
・Evidence: final object for supporting a goal (e.g. FTA results)
・Context: environmental information for arguing goals (e.g. system environment, list of all identified faults)
・Monitoring: evidence obtained from the run-time system (e.g. system logs obtained by monitoring)

19 Example Use Case: Simple Web Server System
Requirements:
・Maximum access number: 2500 times/minute
・Response time is within 3 seconds
・Recovery from one failure is within 5 minutes
・...
Service risk analysis result:
・Too many accesses from users
・Response time delay
・Memory leak, ...

20 D-Case Basic Structure (Tentative)
(Figure: a D-Case tree whose nodes are Requirement, Dependability Goal, Service Risk, Failure Response Argument, Change Accommodation Argument, Failure Detection Argument and Failure Mitigation Action Argument)
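As an added example (not code from the DEOS project or the D-Case Editor), the following Python sketch models the node types of slide 17, with Monitoring as a sub-class of Evidence whose status is refreshed from run-time measurements, and builds a small D-Case for the web server use case of slide 19. The node ids and texts, the measurement keys (accesses_per_min, response_time_s, last_recovery_min) and the sample values are all assumed or constructed here, not taken from the demo system.

```python
# Added example, not DEOS project code: a toy D-Case argument tree in which
# Monitoring nodes are Evidence that is re-checked from run-time samples, so
# the dependability goal can be re-evaluated during operation.
from typing import Callable, Dict, List, Optional


class Node:
    """Base class for GSN/D-Case nodes. Ids and texts are illustrative."""

    def __init__(self, ident: str, text: str,
                 children: Optional[List["Node"]] = None):
        self.ident = ident
        self.text = text
        self.children = children or []

    def supported(self) -> bool:
        raise NotImplementedError


class Context(Node):
    """Environmental information attached to a goal; it does not support it."""

    def supported(self) -> bool:
        return True


class Evidence(Node):
    """Final object supporting a goal, e.g. an FTA result (valid unless revoked)."""

    def __init__(self, ident: str, text: str, valid: bool = True):
        super().__init__(ident, text)
        self.valid = valid

    def supported(self) -> bool:
        return self.valid


class Monitoring(Evidence):
    """D-Case extension: evidence from the running system. 'check' maps one
    measurement sample to pass/fail; status is unknown (invalid) until polled."""

    def __init__(self, ident: str, text: str,
                 check: Callable[[Dict[str, float]], bool]):
        super().__init__(ident, text, valid=False)
        self.check = check

    def update(self, sample: Dict[str, float]) -> bool:
        self.valid = bool(self.check(sample))
        return self.valid


class Goal(Node):
    """A claim: supported when it has at least one supporting (non-context)
    child and every supporting child is itself supported."""

    def supported(self) -> bool:
        support = [c for c in self.children if not isinstance(c, Context)]
        return bool(support) and all(c.supported() for c in support)


class Strategy(Goal):
    """Rationale for decomposing a goal; same support rule as a goal."""


def build_webserver_dcase() -> Goal:
    """D-Case for the slide's web server: one sub-goal per identified risk."""
    return Goal("G1", "Web server system is dependable", [
        Context("C1", "Max 2500 accesses/min; response within 3 s; "
                      "recovery from one failure within 5 min"),
        Strategy("S1", "Argue over each identified service risk", [
            Goal("G2", "Too many accesses from users is handled", [
                Monitoring("M1", "Access rate stays within the limit",
                           lambda m: m["accesses_per_min"] <= 2500),
            ]),
            Goal("G3", "Response time delay is mitigated", [
                Monitoring("M2", "Response time within 3 s",
                           lambda m: m["response_time_s"] <= 3.0),
            ]),
            Goal("G4", "Memory leak is detected and recovered from", [
                Evidence("E1", "Leak test report from the development phase"),
                Monitoring("M3", "Last recovery completed within 5 min",
                           lambda m: m["last_recovery_min"] <= 5.0),
            ]),
        ]),
    ])


def walk(node: Node):
    """Pre-order traversal of the argument tree."""
    yield node
    for child in node.children:
        yield from walk(child)


def refresh(root: Goal, sample: Dict[str, float]) -> List[str]:
    """Feed one run-time sample to every Monitoring node; return the ids of
    monitoring nodes now in error (what append.sh -s error would record)."""
    return [n.ident for n in walk(root)
            if isinstance(n, Monitoring) and not n.update(sample)]


def unsupported_goals(root: Goal) -> List[str]:
    """Ids of goals and strategies whose argument currently does not hold."""
    return [n.ident for n in walk(root)
            if isinstance(n, Goal) and not n.supported()]


if __name__ == "__main__":
    root = build_webserver_dcase()
    # Constructed samples, not measurements from the demo system.
    normal = {"accesses_per_min": 1800, "response_time_s": 0.9, "last_recovery_min": 2}
    overload = {"accesses_per_min": 3100, "response_time_s": 4.2, "last_recovery_min": 2}
    print(refresh(root, normal), unsupported_goals(root))
    print(refresh(root, overload), unsupported_goals(root))
```

Before any sample has been polled every Monitoring node is invalid, so the top goal is not supported: an argument that depends on run-time evidence cannot be declared complete at design time, which is exactly the gap slide 9 points at. After an overload sample the failing monitoring nodes and the goals they undermine can be read straight off the tree.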

22 D-Case Editor http://www.il.is.s.u-tokyo.ac.jp/deos/dcase/
・Parameterized pattern library
・Monitoring of the run-time system
・Consistency checking by a proof assistant (search for "D-Case/Agda")
・Will be open source next March

23 Run-Time Monitoring Demo in the Failure Response Cycle
(Figure: demo system overview. Clients reach a Web Server, Application Server and Database Server over the client network; the D-Case Editor polls a Monitor and receives node status in return.)
Demonstration at ET2011, Yokohama, Japan, Nov 2011

25 Standardization Plan
・Dependability plug-in for TOGAF
・Add-on process for D-Case
・Current status (joint work with Ed): 1st version of a Dependability Metamodel; an EPF model of the basic process

26 TOGAF ADM phases with dependability
Each phase is listed as: Description / Dependability architecture
・Preliminary: Prepare the organization for successful TOGAF projects / Prepare the organization for dependability projects
・Architecture vision: Set the scope, constraints, and expectations for a TOGAF project / Set the dependability goal for the TOGAF project
・Business architecture: Develop baseline and target business architecture and analyze gaps / Develop dependability cases of the business architecture
・Information systems architecture: Develop baseline and target information systems architecture and analyze gaps / Develop dependability cases of the information architecture
・Technology architecture: Develop baseline and target technology architecture and analyze gaps / Develop dependability cases of the technology architecture
・Opportunities and solutions: Perform initial implementation planning and identify major implementation projects / Identify dependability implementation projects
・Migration planning: Analyze cost benefits and risk; develop a detailed implementation and migration plan / Dependability value and risk analysis; implement mitigation scenarios
・Implementation governance: Prepare and issue architecture contracts; ensure conformance of the implementation project / Dependable architecture contracts
・Architecture change management: Provide continual monitoring and a change management process to ensure that the architecture satisfies business needs / Dynamic monitoring of dependability evidence
・Requirements management: The TOGAF project is based on and validates business requirements / Dependability requirements D-Case
Speaker notes: Preliminary, A. Architecture Vision, B. Business Architecture, C. Information Systems Architecture, D. Technology Architecture, E. Solutions, F. Migration Planning, G. Implementation Governance, H. Architecture Change Management, Requirements Management. In the Preliminary phase, preparatory activities for the enterprise architecture project are carried out. In the Architecture Vision phase, scope, constraints, expectations and stakeholders are defined and the business environment is confirmed. In the Business Architecture phase, gaps are analyzed by defining the baseline and target business architecture. In the Information Systems Architecture phase, the baseline and target information systems architecture are defined and gaps are analyzed. In the Technology Architecture phase, the baseline and target technology architecture are defined and gaps are analyzed. In the Solutions phase, the implementation plan, deployment means and elements are defined and the transition architecture is built. In the Migration Planning phase, the migration implementation plan is detailed on the basis of cost-benefit and risk analysis. In the Implementation Governance phase, the architecture migration plan is managed and the implementation results are verified. In the Architecture Change Management phase, the architecture's fit to business goals is continuously monitored and changes are managed.
Refs.: TOGAF V.9 A Pocket Guide, The Open Group, 2008. Copyright Prof. Dr. Shuichiro Yamamoto 2011

27 TOGAF and DEOS Process
With the Dependability Plug-in, TOGAF becomes an instance of the DEOS Process.

28 Future Plan: Current Semantic Mapping of Monitoring Nodes
The current implementation is very naive: a monitoring node's condition is written in natural language ("...") and is mapped to monitor-system code by hand.

29 Example of Hand-coded Monitoring Code

    #!/bin/sh
    # THRESHOLD and WORKPATH are set by the operator; gettraffic is the
    # site-specific command that prints the current traffic figure.
    while :; do
        traffic=`gettraffic`
        sleep 1
        if [ "${traffic}" -gt "${THRESHOLD}" ]; then
            # M_1 is the id of the monitoring node in the D-Case;
            # append.sh records its status as error and the loop ends.
            ${WORKPATH}/dcase/append.sh -n M_1 -s error > /dev/null 2>&1
            break
        fi
    done

30 Future Plan: Semantic Mapping of Monitoring Nodes
(Figure: an SBVR rule over Term1, Term2 and Term3 is mapped automatically, through an SBVR vocabulary, to monitor-system code, in contrast to the hand-coded mapping used today.) Copyright Dr. Ed Roberts 2011
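The hand-coded loop of slide 29 and the automatic mapping proposed on slide 30 differ in where the rule lives: in the script it is baked into shell code, in the proposed design it is a rule over vocabulary terms from which the monitor code is derived. The following Python example, added here and not part of the DEOS project or the D-Case Editor, shows the table-driven form: each monitoring node's rule is parsed from a sentence that names a vocabulary term, and one generic loop evaluates every rule on each polled sample. The sentence format, the rule set, the sample values and the report callback (standing in for append.sh) are all constructed assumptions; the format is a stand-in for the SBVR-based mapping, not SBVR itself.

```python
# Added example, not DEOS project code: monitoring rules as data that name a
# vocabulary term, so monitor code is derived from the rule rather than
# hand-written per node. The sentence shape below is a constructed stand-in
# for the SBVR-based mapping the slide proposes, not SBVR.
import operator
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

COMPARE = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
           "<=": operator.le, "==": operator.eq}


class Rule(NamedTuple):
    node: str        # id of the monitoring node in the D-Case (e.g. M_1)
    term: str        # vocabulary term the monitor system must supply
    op: str          # comparison operator
    threshold: float


# Assumed rule sentence shape: "<node> reports error if <term> <op> <number>"
RULE_RE = re.compile(
    r"^(\S+)\s+reports error if\s+(\w+)\s*(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)?)$")


def parse_rule(sentence: str) -> Rule:
    """Map one rule sentence to an executable Rule; reject anything else."""
    m = RULE_RE.match(sentence.strip())
    if m is None:
        raise ValueError(f"unrecognised rule: {sentence!r}")
    node, term, op, value = m.groups()
    return Rule(node, term, op, float(value))


def evaluate(rule: Rule, sample: Dict[str, float]) -> str:
    """Node status for one polled sample: 'error' when the rule fires, 'ok'
    otherwise, 'unknown' when the monitor did not supply the term."""
    if rule.term not in sample:
        return "unknown"
    fired = COMPARE[rule.op](sample[rule.term], rule.threshold)
    return "error" if fired else "ok"


def run_monitor(rules: List[Rule], samples: List[Dict[str, float]],
                report: Callable[[str, str], None]) -> List[Tuple[str, str]]:
    """Table-driven form of the hand-coded loop: evaluate every rule on each
    poll and report a node only when its status changes (the original script
    reported 'error' once and exited). 'report' stands in for append.sh."""
    last: Dict[str, str] = {}
    reported: List[Tuple[str, str]] = []
    for sample in samples:
        for rule in rules:
            status = evaluate(rule, sample)
            if last.get(rule.node) != status:
                report(rule.node, status)
                reported.append((rule.node, status))
                last[rule.node] = status
    return reported


# Constructed rules for the web server use case (2500 accesses/min, 3 s response).
RULE_SENTENCES = [
    "M_1 reports error if traffic > 2500",
    "M_2 reports error if response_time > 3",
]
RULES = [parse_rule(s) for s in RULE_SENTENCES]

# Constructed polled samples; the last poll lacks the response_time term.
SAMPLES = [
    {"traffic": 1200, "response_time": 0.8},
    {"traffic": 2700, "response_time": 1.1},
    {"traffic": 2800, "response_time": 3.5},
    {"traffic": 900},
]

if __name__ == "__main__":
    run_monitor(RULES, SAMPLES,
                lambda node, status: print(f"append.sh -n {node} -s {status}"))
```

Two points a practitioner would want from this shape: a rule that refers to a term the monitor cannot supply yields an explicit "unknown" status instead of silently passing, and a node's status is re-reported whenever it changes, so recovery is visible to the D-Case as well as failure.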

31 Conclusion
・D-Case: a method for dependability agreement among stakeholders
  ・Mitigating failures at the development phase, as much as possible
  ・Runtime assurance by monitoring
・Standardization and future plan
  ・Dependability plug-in for TOGAF
  ・D-Case monitoring implementation

32 Appendix: Demo Module Structure
(Node block diagram of the demo system; components recovered from the figure:)
・Client: Hardware (PC), OS (any), Web Browser, Apache Bench; reaches the servers over TCP/HTTP
・Web Server: Hardware (PC), Linux kernel (of Ubuntu 10.04), Application Container (LXC), Apache2 with mod_deos.so, DEOS MUSIC Website (static part), Application Manager, DRE CLI (dreproc.py)
・Application Server: Hardware (PC), Linux kernel (of Ubuntu 10.04), Application Container (LXC), Tomcat, DEOS MUSIC Website (dynamic part), Application Manager, DRE CLI (dreproc.py)
・Database Server: Hardware (PC), Linux kernel (of Ubuntu 10.04), Application Container (LXC), MySQL, DEOS MUSIC Website (DB part), Application Manager, DRE CLI (dreproc.py)
・D-Case Editor console: Hardware (PC), Windows 7, Eclipse, D-Case Editor, Control Panel, Monitor Console; polls the nodes over TCP and receives node status
・Other components shown: New_Service1, demo1*.sh
