1 / 19

George Despotou Tim Kelly Presented by: Martin Hall-May High Integrity Systems Group

George Despotou Tim Kelly Presented by: Martin Hall-May High Integrity Systems Group Department of Computer Science University of York. An Argument Based Approach for Assessing Design Alternatives and Facilitating Trade-offs in Critical Systems. Dependability Assurance. Dependability

ada
Download Presentation

George Despotou Tim Kelly Presented by: Martin Hall-May High Integrity Systems Group

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. George Despotou Tim Kelly Presented by: Martin Hall-May High Integrity Systems Group Department of Computer Science University of York An Argument Based Approach for Assessing Design Alternatives and Facilitating Trade-offs in Critical Systems

  2. Dependability Assurance • Dependability • Consists of a number of attributes such as safety, reliability, security, performance • Represents stakeholders interests • Several standards require assurance that the acceptability levels of an attribute have been met • MoD Defence Standard 00-56 requires a Safety case • MoD Defence Standard 00-40 requires a Reliability and Maintainability (R&M) case • Common criteria of information technology security requires a description of how a security level is met • A few examples of security ‘cases’ now exist • All focus on a single dependability attribute Next: Dependability Case

  3. Dependability Cases • The purpose of the Dependability Case is to communicate an argument that a system is acceptably dependable in a given context • Based on concepts established for Safety Cases • Writing a case in a purely textual form is ineffective • Logical inferences • Clarity and ease of reading • Goal Structuring Notation introduced (10+ yrs ago) as a means to represent (safety) arguments • Used in a number of projects (e.g. Eurofighter, BAe Systems Hawk & Nimrod, ATC, Rolls-Royce Trent…) • Case and design evolve in parallel • Argument used to evaluate evolving design • Design used to structure evolving argument Next: GSN

  4. The Goal Structuring Notation Purpose of a Goal Structure To show how goals are broken down into sub-goals, and eventually supported by evidence (solutions) whilst making clear the strategies adopted, the rationale for the approach (assumptions, justifications) and the context in which goals are stated A/J Next: Example Argument

  5. Example Dependability Argument Next: Trade-offs

  6. Trade-offs • In this case extra checks are used between the system elements to avoid risks such as friendly fire • Impact on security (more messages more probable for interception) • May also impact performance • Dependability attributes can be at odds with each other • Trade-offs are inevitable • Unification of dependability viewpoints • Conflicts defining the specification of system • System should be acceptable by all • Consider the safest system but with unacceptable performance • The airliner paradox • Effect of trade-offs on overall system operation Next: ALARP

  7. Existing Trade-offs in Safety - ALARP System developers have a legal obligation to demonstrate to the safety governing bodies that the risks have been reduced to a level that is As Low As Reasonably Practicable (ALARP) • Risk is considered tolerable if costs of further risk reduction is shown to be greatly disproportionate to the actual risk reduction achieved. • Judgment on what is disproportionate • The ‘farthest’ from the safety target the less willing to accept the risk in favour of the cost benefit Next: Advantages Risk Matrix

  8. Advantages of ALARP • Uniformity in trade-off process • System stakeholders need to systematically apply a defined process • Uniform requirements and criteria using GSN pattern • Argument pattern for making justified ALARP decisions • Creation of the argument requires following a set of steps • Argument guides the process • Cost management • Prevent overspending on a single risk • Direct the expenses mitigating hazards with greater risk first • Awareness of risk • Safety levels below the target have been documented and recorded and accepted • Rationale Next: Trade-off Space

  9. Setting the Trade-off Space Goals are stated in the context of a Target and a Limit scoping admissible solutions; within an acceptable trade-off space Next: Design Solutions

  10. Identifying solutions • Design solutions … • Lie within the available design space • Should be admissible requirements • Within the acceptable trade-off space • Degree of satisfaction of a goal (Documented as Statement Of Impact) • Close or above target (high) • Close to limit (acceptable but not the best solution) • Below the limit (dismissible solution) • Different to the degree of confidence for the stated impact • This refers to how confident we are about our assessment of the degree of satisfaction Next: FANDA

  11. FANDA • Factor ANalysis and Design Alternatives • Brainstorming & design rationale • Helps capturing ‘the big picture’ when formulating alternatives • Factors: Actions on the design with respect to a goal • Increasingredundancyfavoursavailability • Reducingencryption strengthfavoursperformance • Factors defined in terms of… • Quality: The type of association to a goal (-ve or +ve) • Magnitude: Degree of association • Reducing encryption strength strongly favours performance • Prior experience can be one (among others) source for factors • In this example we identify as the main factor the weakening of safety policy rules that govern the elements’ actions Next: Evaluation of Alternatives

  12. Evaluating Design Alternatives • Part of the Trade-Off Method (TOM) • Three design options (alternatives) identified • Option A: Baseline; Without safety policy • Option B: Full Policy; All identified rules applied • Option C: Relaxed policy; Weakened policy rules • Preliminary assessment of the design with the help of simulation • Use of other approaches may give us more confidence to the assessment • Difficult to compare heterogeneous attributes directly Next: Assessing Alternatives

  13. Assessing the Alternatives • ‘Goodness’ of each option is assessed • Results interpreted with respect to the envisioned operation of the system • Options are assessed against goals • Assessment of acceptability with respect to target and limit (T&L) • We capture as metric for each option the willingness to trade-off • 1. Willing to trade-off, as A exceeds the defined target (above Target) • 2. Willing to trade-off A if there is benefit to another attribute with equal importance (Within T&L region, closer to target) • 3. Willing to trade-off A if there is significant benefit to other attributes (Within T&L region, closer to limit) • 4. A is within the intolerable region and hence alternative must be improved or discarded (below Limit) Willingness of the stakeholders to possibly trade a (dependability) goal, is a subjective evaluation, reflecting the level of achievement of the goals and the significance of the negative impact of compromising the goal Main purpose is to communicate where within the T&L each option is Next: Trading-Off

  14. Trading-off Extending ALARP: When two dependability goals A and B are in conflict, compromising A may be tolerated, if the benefit from improving B is greater than the benefit from not compromising A Moving horizontally we can see the benefit/compromise from changing alternative, on other goals Moving vertically we can see the compromise/benefit of a goal when considering different options Next: Trading off 2

  15. Trading-off Rule of thumb: Choose an option with most goals closer to target Extending ALARP: When two dependability goals A and B are in conflict, compromising A may be tolerated, if the benefit from improving B is greater than the benefit from not compromising A Moving horizontally we can see the benefit/compromise from changing alternative, on other goals Moving vertically we can see the compromise/benefit of a goal when considering different options Next: Trading off 3

  16. Trading-off Rule of thumb: Choose an option with most goals closer to target Select a goal and move vertically to improve it Next: Argument Pattern Moving horizontally identify impact on other goals No definite correct answer but decision must be justified

  17. Trade-off Argument Pattern • Trade-off documented in argument form using GSN • Pattern to be instantiated • Assists in defining the process Next: Information Recorded

  18. Information Recorded Target and Limit define the acceptability of the goal Identified factors affecting the goal Proposed design alternatives i.e. Relaxed Policy Instantiated trade-off pattern. Impact of the design alternatives on goal • Information is recorded for further changes • Rationale and process followed for decisions can be retrieved Next: Summary

  19. Summary • Argumentation in (mission) critical systems is widely used (especially in safety) • Trade-offs are inevitable • Need to justify and record trade-offs • ALARP in safety is a widely used principle (in UK) • Extension of the ALARP principles to address many dependability attributes • Design rationale and brainstorming for proposing design options • Meaningful (w.r.t operation) qualitative assessment of design options • Documentation of all information for future review & acceptance, use and maintenance • Recent work: Definition of a meta-model relating GSN, FANDA & TOM. Implementation in eclipse

More Related