Evaluation Tool*
Hichem Boudali 1, Pepijn Crouzen 2, and Mariëlle Stoelinga 1
1 Department of Computer Science, University of Twente, P.O. Box 217, 7500 AE Enschede, The Netherlands.
2 Saarland University, Department of Computer Science, D-66123 Saarbrücken, Germany.
{hboudali@cs, p.crouzen@alumnus, marielle@cs}.utwente.nl
Reliability and availability measures, such as system failure probability during a given mission time and system mean-time-between-failures, are often important measures to assess in embedded systems design. There exist several techniques and formalisms for reliability/availability assessment. One such formalism is dynamic fault trees (DFT). DFTs are a graphical, high-level and versatile formalism to analyze the reliability of computer-based systems. A DFT describes the failure of a system in terms of the failure of its components and is comprised of basic events (modeling the failure of physical components) and gates (modeling how component failures induce system failures). DFTs extend standard (or static) fault trees (FT) by allowing the modeling of complex system components' behaviors and interactions. Typically, a DFT is analyzed by first converting it into a continuous-time Markov chain (CTMC) and by then computing the reliability measures from this Markov chain. For over a decade now, DFTs have been experiencing a growing success among reliability engineers.
Unfortunately, a number of issues remain when using DFTs, most notably: (1) the DFT semantics is rather imprecise and the lack of formality has, in some cases, led to undefined behavior and misinterpretation of the DFT model. (2) DFTs lack modular analysis. That is, even if stochastically-independent sub-modules exist in a DFT module, these sub-modules cannot always be solved separately. Consequently, DFTs become vulnerable to the well-known state-space explosion problem; that is, the size of the underlying Markov chain grows exponentially with the number of basic events in the DFT. (3) DFTs also lack modular model-building, i.e. there are some rather severe restrictions on the type of allowed inputs to certain gates which greatly diminish the modeling flexibility and power of DFTs.
We have developed a formal semantics of DFTs in terms of input/output interactive Markov chains (I/O-IMCs), which extend continuous-time Markov chains with discrete input, output and internal actions [3]. This semantics addresses issue (1) mentioned above and provides a rigorous basis for the interpretation and analysis of DFTs. Our semantics is fully compositional, that is, the semantics of a DFT is expressed in terms of the semantics of its elements (i.e. basic events and gates). This enables an efficient analysis of DFTs through compositional aggregation, which helps to alleviate the state-space explosion problem by incrementally building the DFT state space. Our technique is completely modular, which allows us to overcome issue (2). We have also tackled issue (3) and lifted some previously enforced restrictions on DFTs.
We have implemented our methodology by developing a prototype tool based on the CADP tool set [5]. We have compared our approach to the existing
our approach and its effectiveness in reducing the state space to be analyzed [3].
* This research has been partially funded by the Netherlands Organisation for Scientific Research (NWO) under FOCUS/BRICKS grant number 642.000.505 (MOQS); the EU under grant number IST-004527 (ARTIST2); and by the DFG/NWO bilateral cooperation programme under project number DN 62-600 (VOSS2).
The prototype tool takes as input a DFT in Galileo's textual format and a composition script, which describes the order in which the I/O-IMC models must be composed in a simple textual format. The tool proceeds in three steps:
1. Translation: The DFT is translated into a group of I/O-IMC models. In particular, each DFT element is translated into a corresponding elementary (with few states and few transitions) I/O-IMC model.
2. Compositional aggregation: Using the composition script the I/O-IMC models are iteratively composed, abstracted and aggregated until one I/O-IMC model remains.
3. Analysis: In most cases the resulting I/O-IMC model can be easily transformed into a continuous-time Markov chain. Transient analysis (using the CADP tool set) can then be applied to find the unreliability of the DFT.
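As an added illustration (not the paper's prototype tool, which composes I/O-IMCs with CADP), the following Python carries out steps 1 and 3 for a tiny constructed DFT while skipping the compositional aggregation of step 2: it builds the monolithic CTMC over failure sequences of basic events, which is exactly the state space that grows exponentially with the number of basic events, and computes the unreliability at mission time t by transient analysis (uniformization). The gate names, failure rates and the dict encoding of the Galileo-style model are assumptions of this example.

```python
import math
# Constructed DFT (Galileo style: "toplevel top; top pand a b; a lambda=1.0; b lambda=1.0;").
GATES = {"top": ("pand", ["a", "b"])}     # gate name -> (type, ordered inputs)
RATES = {"a": 1.0, "b": 1.0}              # basic event -> exponential failure rate

def fail_index(node, seq, gates, rates):
    """Position in failure sequence `seq` at which `node` fails, or None if it has not.
    AND: all inputs failed; OR: any input failed; PAND: all failed, in left-to-right order."""
    if node in rates:                                   # basic event
        return seq.index(node) if node in seq else None
    kind, inputs = gates[node]
    idx = [fail_index(i, seq, gates, rates) for i in inputs]
    if kind == "or":
        known = [i for i in idx if i is not None]
        return min(known) if known else None
    if any(i is None for i in idx):
        return None
    if kind == "pand" and any(idx[k] >= idx[k + 1] for k in range(len(idx) - 1)):
        return None                                     # inputs failed in the wrong order
    return max(idx)

def build_ctmc(top, gates, rates):
    """Monolithic state space: failure sequences reachable from (); top-failed states absorb."""
    states, trans = [()], {}
    for s in states:                                    # list grows while we iterate it
        if fail_index(top, s, gates, rates) is not None:
            continue
        for be, lam in rates.items():
            if be not in s:
                t = s + (be,)
                if t not in states:
                    states.append(t)
                trans[(s, t)] = lam
    return states, trans

def unreliability(top, gates, rates, t, terms=100):
    """Transient analysis by uniformization: probability that `top` has failed by time t."""
    states, trans = build_ctmc(top, gates, rates)
    big = sum(rates.values())                           # bounds every exit rate
    n, pos = len(states), {s: i for i, s in enumerate(states)}
    P = [[0.0] * n for _ in range(n)]                   # uniformized DTMC, P = I + Q/big
    for (s, u), lam in trans.items():
        P[pos[s]][pos[u]] += lam / big
    for i in range(n):
        P[i][i] += 1.0 - sum(P[i])
    pi, acc = [1.0] + [0.0] * (n - 1), [0.0] * n
    for k in range(terms):                              # Poisson-weighted sum of pi0 * P^k
        w = math.exp(-big * t) * (big * t) ** k / math.factorial(k)
        acc = [a + w * p for a, p in zip(acc, pi)]
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
    return sum(p for s, p in zip(states, acc) if fail_index(top, s, gates, rates) is not None)
```

For the PAND example, `unreliability("top", GATES, RATES, 1.0)` equals (1 - e^-1)^2 / 2, and `len(build_ctmc(...)[0])` shows how many states the monolithic chain needs even for two basic events.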
The compositional semantics also allows the DFT formalism to be easily extended or modified. In [2] we show how several of these extensions (for instance, repairable components [7]) could be realized in our framework. Such extensions only impact the translation to the corresponding I/O-IMC models of the modified or added DFT elements. Thus only the translation step (i.e. step 1) of the tool is affected.
At the present time, the prototype tool is not fully automatic: the user must supply the order in which the I/O-IMC models are composed (as a composition script). The focus of the future work will be to fully automate the tool. To do this an algorithm to find good (i.e. computationally efficient) composition orders is needed. Other possible topics for future research include the investigation of improvements to our compositional aggregation process such as using context constraints [4] or interface specifications [6]. We are also currently looking at other reliability/availability formalisms and architectural design languages (such as the architecture analysis and design language (AADL) standard and its error model annex) and trying to map their constructs into I/O-IMC models. Lastly, we are planning to improve the overall usability of the tool to make it available to a wider audience.
References
1. Galileo DFT analysis tool. http://www.cs.virginia.edu/~ftree.
2. H. Boudali, P. Crouzen, and M.I.A. Stoelinga. Dynamic fault tree analysis using input/output interactive Markov chains. Accepted to Dependable Systems and Networks 2007 conference.
3. H. Boudali, P. Crouzen, and M.I.A. Stoelinga. Compositional analysis of dynamic fault trees. Technical report, University of Twente, to appear.
4. S.C. Cheung and J. Kramer. Context constraints for compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 5(4), October 1996.
5. Construction and Analysis of Distributed Processes (CADP) software tool. http://www.inrialpes.fr/vasy/cadp/.
6. S. Graf, B. Steffen, and G. Lüttgen. Compositional minimisation of finite state systems using interface specifications. Formal Aspects of Computing, 8(5), September 1996.
7. D.C. Raiteri, M. Iacono, G. Franceschinis, and V. Vittorini. Repairable fault tree for the automatic evaluation of repair policies. In International Conference on Dependable