An Argument Based Approach for Assessing Design Alternatives and Facilitating Trade-offs in Critical Systems

George Despotou, Tim Kelly
Presented by: Martin Hall-May
High Integrity Systems Group, Department of Computer Science, University of York
Dependability Assurance

• Dependability
  • Consists of a number of attributes such as safety, reliability, security, performance
  • Represents the stakeholders' interests
• Several standards require assurance that the acceptability levels of an attribute have been met
  • MoD Defence Standard 00-56 requires a Safety Case
  • MoD Defence Standard 00-40 requires a Reliability and Maintainability (R&M) Case
  • The Common Criteria for information technology security require a description of how a security level is met
  • A few examples of security 'cases' now exist
• All focus on a single dependability attribute
Dependability Cases

• The purpose of the Dependability Case is to communicate an argument that a system is acceptably dependable in a given context
• Based on concepts established for Safety Cases
• Writing a case in a purely textual form is ineffective
  • Logical inferences
  • Clarity and ease of reading
• Goal Structuring Notation (GSN) introduced (10+ years ago) as a means to represent (safety) arguments
  • Used in a number of projects (e.g. Eurofighter, BAe Systems Hawk & Nimrod, ATC, Rolls-Royce Trent, ...)
• Case and design evolve in parallel
  • Argument used to evaluate the evolving design
  • Design used to structure the evolving argument
The Goal Structuring Notation

Purpose of a Goal Structure: to show how goals are broken down into sub-goals, and eventually supported by evidence (solutions), whilst making clear the strategies adopted, the rationale for the approach (assumptions and justifications, A/J) and the context in which goals are stated.
Example Dependability Argument

[Slide: diagram of an example dependability argument in GSN]
Trade-offs

• In this case extra checks are used between the system elements to avoid risks such as friendly fire
  • Impact on security (more messages, higher probability of interception)
  • May also impact performance
• Dependability attributes can be at odds with each other
  • Trade-offs are inevitable
• Unification of dependability viewpoints
  • Conflicts in defining the specification of the system
  • System should be acceptable to all
  • Consider the safest system but with unacceptable performance
  • The airliner paradox
• Effect of trade-offs on overall system operation
Existing Trade-offs in Safety - ALARP

System developers have a legal obligation to demonstrate to the safety governing bodies that the risks have been reduced to a level that is As Low As Reasonably Practicable (ALARP).

• Risk is considered tolerable if the cost of further risk reduction is shown to be greatly disproportionate to the actual risk reduction achieved
• Judgement on what is disproportionate
  • The farther from the safety target, the less willing one is to accept the risk in favour of the cost benefit
Advantages of ALARP

• Uniformity in the trade-off process
  • System stakeholders need to systematically apply a defined process
  • Uniform requirements and criteria using a GSN pattern
• Argument pattern for making justified ALARP decisions
  • Creation of the argument requires following a set of steps
  • Argument guides the process
• Cost management
  • Prevent overspending on a single risk
  • Direct the expenses to mitigating hazards with greater risk first
• Awareness of risk
  • Safety levels below the target have been documented, recorded and accepted
  • Rationale
Setting the Trade-off Space

Goals are stated in the context of a Target and a Limit scoping the admissible solutions, i.e. within an acceptable trade-off space.
Identifying Solutions

• Design solutions ...
  • Lie within the available design space
  • Should be admissible with respect to the requirements
  • Within the acceptable trade-off space
• Degree of satisfaction of a goal (documented as a Statement Of Impact)
  • Close to or above the target (high)
  • Close to the limit (acceptable but not the best solution)
  • Below the limit (dismissible solution)
• Distinct from the degree of confidence in the stated impact
  • This refers to how confident we are about our assessment of the degree of satisfaction
FANDA

• Factor ANalysis and Design Alternatives
• Brainstorming and design rationale
  • Helps capture 'the big picture' when formulating alternatives
• Factors: actions on the design with respect to a goal
  • Increasing redundancy favours availability
  • Reducing encryption strength favours performance
• Factors defined in terms of ...
  • Quality: the type of association to a goal (-ve or +ve)
  • Magnitude: the degree of association
    • Reducing encryption strength strongly favours performance
• Prior experience can be one source (among others) of factors
• In this example we identify as the main factor the weakening of the safety policy rules that govern the elements' actions
Evaluating Design Alternatives

• Part of the Trade-Off Method (TOM)
• Three design options (alternatives) identified
  • Option A: Baseline; without safety policy
  • Option B: Full policy; all identified rules applied
  • Option C: Relaxed policy; weakened policy rules
• Preliminary assessment of the design with the help of simulation
  • Use of other approaches may give us more confidence in the assessment
• Difficult to compare heterogeneous attributes directly
Assessing the Alternatives

• 'Goodness' of each option is assessed
  • Results interpreted with respect to the envisioned operation of the system
• Options are assessed against goals
  • Assessment of acceptability with respect to Target and Limit (T&L)
• We capture as a metric for each option the willingness to trade off a goal A:
  1. Willing to trade off, as A exceeds the defined target (above Target)
  2. Willing to trade off A if there is benefit to another attribute of equal importance (within the T&L region, closer to Target)
  3. Willing to trade off A if there is significant benefit to other attributes (within the T&L region, closer to Limit)
  4. A is within the intolerable region and hence the alternative must be improved or discarded (below Limit)

The willingness of the stakeholders to possibly trade a (dependability) goal is a subjective evaluation, reflecting the level of achievement of the goals and the significance of the negative impact of compromising the goal. Its main purpose is to communicate where within the T&L region each option is.
Trading-off

• Extending ALARP: when two dependability goals A and B are in conflict, compromising A may be tolerated if the benefit from improving B is greater than the benefit from not compromising A
• Moving horizontally (across options) we can see the benefit/compromise on the other goals from changing alternative
• Moving vertically (across goals) we can see the compromise/benefit of a goal when considering different options
• Rule of thumb: choose the option with most goals closer to target
  • Select a goal and move vertically to improve it
  • Moving horizontally, identify the impact on the other goals
• No definite correct answer, but the decision must be justified
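The assessment and trading-off procedure above (Target/Limit per goal, the four willingness levels, the rule of thumb over an options-versus-goals matrix, and the horizontal move to see the impact of switching option) as an added worked example. This is not code from the presentation or its authors: the goals, the option scores standing in for simulation results, the midpoint split between levels 2 and 3, and the tie-break on the sum of levels are all constructed assumptions made here for illustration.

```python
"""Target/Limit trade-off assessment of design options (added example, not the
authors' tooling). A goal has a Target (desired value) and a Limit (lowest
tolerable value); whether higher or lower is better is implied by which of the
two is larger. Each option gets a measured degree of satisfaction per goal."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Goal:
    name: str
    target: float
    limit: float


def position(goal: Goal, value: float) -> float:
    """0.0 at the Limit, 1.0 at the Target; < 0 is intolerable, > 1 is above Target."""
    span = goal.target - goal.limit
    if span == 0:
        raise ValueError(f"{goal.name}: Target and Limit must differ")
    return (value - goal.limit) / span


def willingness(goal: Goal, value: float) -> int:
    """Map a measured value to the willingness-to-trade levels 1..4 of the slides.
    The 0.5 split between 'closer to Target' and 'closer to Limit' is an assumption."""
    p = position(goal, value)
    if p >= 1.0:
        return 1  # above Target: willing to trade
    if p >= 0.5:
        return 2  # within T&L, closer to Target
    if p >= 0.0:
        return 3  # within T&L, closer to Limit
    return 4      # below Limit: intolerable; improve or discard the option


def assess(goals: List[Goal], options: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, int]]:
    """Options-versus-goals matrix of willingness levels."""
    return {opt: {g.name: willingness(g, scores[g.name]) for g in goals}
            for opt, scores in options.items()}


def admissible(matrix: Dict[str, Dict[str, int]]) -> List[str]:
    """Options with no goal in the intolerable region (level 4)."""
    return [opt for opt, levels in matrix.items() if 4 not in levels.values()]


def rank(matrix: Dict[str, Dict[str, int]]) -> List[str]:
    """Rule of thumb: prefer the option with most goals closer to Target (levels 1-2).
    Tie-break on the sum of levels (lower is better) is an assumption."""
    def key(opt: str):
        levels = matrix[opt].values()
        return (-sum(1 for lv in levels if lv <= 2), sum(levels))
    return sorted(admissible(matrix), key=key)


def horizontal_move(goals: List[Goal], options: Dict[str, Dict[str, float]],
                    frm: str, to: str) -> Dict[str, float]:
    """Impact on every goal of switching from one option to another, in position
    units: positive is a benefit, negative is a compromise."""
    return {g.name: round(position(g, options[to][g.name]) - position(g, options[frm][g.name]), 2)
            for g in goals}


# Constructed goals: safety and security are 'higher is better' fractions,
# performance is a latency in ms where lower is better (Target < Limit).
GOALS = [
    Goal("safety", target=0.95, limit=0.80),
    Goal("security", target=0.90, limit=0.70),
    Goal("performance", target=50.0, limit=200.0),
]

# Constructed scores for the three options of the slides (not real simulation data).
OPTIONS = {
    "A_baseline": {"safety": 0.75, "security": 0.92, "performance": 40.0},
    "B_full_policy": {"safety": 0.98, "security": 0.72, "performance": 190.0},
    "C_relaxed_policy": {"safety": 0.90, "security": 0.85, "performance": 110.0},
}

if __name__ == "__main__":
    matrix = assess(GOALS, OPTIONS)
    for opt, levels in matrix.items():
        print(opt, levels)
    print("admissible:", admissible(matrix))
    print("ranked:", rank(matrix))
    print("B -> C impact:", horizontal_move(GOALS, OPTIONS, "B_full_policy", "C_relaxed_policy"))
```

With these constructed numbers the baseline falls below the safety Limit and is discarded, the full policy keeps safety above Target but pushes security and performance close to their Limits, and the relaxed policy lands all three goals closer to Target, so the rule of thumb ranks it first; the horizontal move from B to C shows the safety compromise set against the security and performance benefit, which is exactly the justification the argument pattern has to record.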
Trade-off Argument Pattern

• Trade-off documented in argument form using GSN
• Pattern to be instantiated
• Assists in defining the process
Information Recorded

• Target and Limit define the acceptability of the goal
• Identified factors affecting the goal
• Proposed design alternatives (e.g. Relaxed Policy)
• Instantiated trade-off pattern
• Impact of the design alternatives on the goal
• Information is recorded for further changes
  • Rationale and the process followed for decisions can be retrieved
Summary

• Argumentation in (mission) critical systems is widely used (especially in safety)
• Trade-offs are inevitable
  • Need to justify and record trade-offs
• ALARP in safety is a widely used principle (in the UK)
  • Extension of the ALARP principles to address many dependability attributes
• Design rationale and brainstorming for proposing design options
• Meaningful (w.r.t. operation) qualitative assessment of design options
• Documentation of all information for future review and acceptance, use and maintenance
• Recent work: definition of a meta-model relating GSN, FANDA and TOM; implementation in Eclipse