A compositional reliability and availability evaluation tool

Evaluation Tool ? Hi hemBoudali 1 ,PepijnCrouzen 2;??

,andMarielleStoelinga 1

1

DepartmentofComputerS ien e,UniversityofTwente,

P.O.Box217,7500AEEns hede,TheNetherlands.

2

SaarlandUniversity,DepartmentofComputerS ien e,

D-66123Saarbru ken,Germany.

fhboudali s,p. rouzenalumnus ,mar ielle  sg .utw ente .nl

Reliabilityandavailabilitymeasures,su hassystemfailureprobability

dur-ing agivenmission timeandsystemmean-time-between-failures,areoften

im-portantmeasurestoassessinembeddedsystemsdesign.Thereexistseveral

te h-niquesandformalismsforreliability/availabilityassessment.Onesu hformalism

isdynami faulttrees(DFT).DFTsareagraphi al,high-levelandversatile

for-malismto analyzethe reliabilityof omputer-based systems.A DFTdes ribes

thefailureofasystemintermsofthefailureofits omponentsandis omprised

ofbasi events(modelingthefailureofphysi al omponents)andgates

(model-inghow omponentfailures indu esystemfailures).DFTsextendstandard(or

stati )faulttrees(FT)byallowingthemodelingof omplexsystem omponents'

behaviorsand intera tions. Typi ally, aDFT is analyzedby rst onverting it

into a ontinuous-timeMarkov hain (CTMC) andby then omputing the

re-liability measures from this Markov hain. Foroverade ade now, DFTshave

beenexperien ingagrowingsu essamongreliabilityengineers.

Unfortunately, anumberofissues remainwhen usingDFTs, mostnotably:

(1)theDFTsemanti sisratherimpre iseandthela kofformalityhas,insome

ases, led to undened behaviorand misinterpretation of the DFT model. (2)

DFTs la k modular analysis. That is, even if sto hasti ally-independent

sub-modules exist in a DFT module, these sub-modules annot alwaysbe solved

separately.Consequently,DFTbe omevulnerabletothewell-knownstate-spa e

explosion problem; that is the size of theunderlying MarkovChain grows

ex-ponentially with the number of basi events in the DFT. (3) DFTs also la k

modular model-building, i.e. there are some rather severe restri tions on the

type of allowed inputs to ertain gates whi h greatly diminish the modeling

exibilityandpowerofDFTs.

We have developed a formal semanti s of DFTs in terms of input/output

intera tive Markov hains (I/O-IMCs), whi h extend ontinuous-time Markov

hains with dis rete input, outputand internal a tions [3℄. Thissemanti s

ad-dresses issue (1) mentioned aboveand provides a rigorous basis for the

inter-pretation and analysis of DFTs. Our semanti sis fully ompositional, that is,

the semanti s of aDFT is expressed in terms of thesemanti sof its elements

(i.e.basi eventsandgates). ThisenablesaneÆ ientanalysisofDFTsthrough

ompositional aggregation, whi h helps to alleviate the state-spa e explosion

problembyin rementallybuildingtheDFTstatespa e.Ourte hniquesis

om-pletely modular, whi h allows us to over ome issue (2). We have also ta kled

issue(3)andlifted somepreviouslyenfor edrestri tionsonDFTs.

Wehaveimplementedourmethodologybydevelopingaprototypetoolbased

on the CADP tool set [5℄. We have ompared our approa h to the existing

?

Thisresear hhasbeenpartiallyfundedbytheNetherlandsOrganisation for

S ien-ti Resear h(NWO)underFOCUS/BRICKSgrantnumber642.000.505(MOQS);

theEUundergrantnumberIST-004527(ARTIST2);andbytheDFG/NWO

bilat-eral ooperationprogrammeunderproje tnumberDN62-600(VOSS2).

ourapproa handitsee tivenessinredu ingthestatespa etobeanalyzed[3℄.

The prototype tool takes as input a DFT in Galileo's textual format and

a omposition s ript, whi h des ribes the order in whi h theI/O-IMC models

mustbe omposed inasimpletextualformat.Thetoolpro eedsinthreesteps:

1. Translation: The DFT is translatedinto agroupof I/O-IMC models. In

parti ular,ea hDFTelementistranslatedintoa orrespondingelementary

(withfewstatesandfewtransitions)I/O-IMCmodel.

2. Compositional aggregation: Usingthe omposition s ripttheI/O-IMC

modelsare iteratively omposed,abstra tedand aggregateduntilone

I/O-IMCmodelremains.

3. Analysis:Inmost asestheresultingI/O-IMCmodel anbeeasily

trans-formedintoa ontinuous-time Markov hain. Transientanalysis (usingthe

CADPtoolset) anthenbeapplied tondtheunreliabilityoftheDFT.

The ompositionalsemanti salsoallowstheDFTformalismtobeeasily

ex-tendedormodied.In[2℄weshowhowseveraloftheseextensions(forinstan e,

repairable omponents[7℄) ouldberealizedinourframework.Su hextensions

onlyimpa tthetranslationtothe orrespondingI/O-IMCmodelsofthe

modi-ed oradded DFTelements. Thus onlythetranslationstep(i.e.step1) ofthe

toolis ae ted.

Atthepresenttime,theprototypetoolisnotfullyautomati :Theusermust

supplytheorderinwhi htheI/O-IMCmodelsare omposed(asa omposition

s ript).The fo us ofthefuture work will be tofully automatethetool. Todo

thisanalgorithmtondgood(i.e. omputationallyeÆ ient) ompositionorders

is needed.Other possibletopi s forfuture resear h in lude theinvestigation of

improvements to our ompositional aggregation pro ess su h asusing ontext

onstraints [4℄ or interfa e spe i ations [6℄. We are also urrently looking at

otherreliability/availabilityformalismsandar hite turaldesignlanguages(su h

asthear hite tureanalysisanddesignlanguage(AADL)standardanditserror

model annex)andtryingtomaptheir onstru tsinto I/O-IMCmodels.Lastly,

weareplanningto improvetheoverallusabilityofthetoolto makeitavailable

to awideraudien e.

Referen es

1. GalileoDFTanalysistool. http://www. s.virginia.edu/~ftree.

2. H. Boudali, P.Crouzen,and M.I.A. Stoelinga. Dynami fault treeanalysis using

input/outputintera tivemarkov hains. A eptedtoDependableSystemsand

Net-works2007 onferen e.

3. H. Boudali,P.Crouzen,andM.I.A.Stoelinga. Compositionalanalysis ofdynami

faulttrees. Te hni alreport,UniversityofTwente,toappear.

4. S.C. Cheung and J. Kramer. Context onstraints for ompositional rea hability

analysis. ACMTransa tionsonSoftwareEngineeringandMethodology,5(4),

O to-ber1996.

5. Constru tion and Analysis of Distributed Pro esses (CADP) software tool.

http://www.inrialpes.fr/vasy/ adp/.

6. S.Graf,B.Steen,andG.Luttgen. Compositionalminimisationofnitestate

sys-temsusinginterfa espe i ations. FormalAspe tsof Computing,8(5),September

1996.

7. D.C.Raiteri,M.Ia ono,G.Fran es hinis,andV.Vittorini.Repairablefaulttreefor

theautomati evaluationofrepairpoli ies.InInternationConferen eonDependable