Fast Abstracts Archives
Automatic Dependability Modeling of Systems Described in UML

István Majzik
BME-DMIS, Műegyetem rkp. 9, H-1521 Budapest, Hungary
E-mail: majzik@mit.bme.hu

Andrea Bondavalli
CNR-CNUCE, via S. Maria 36, I-56126 Pisa, Italy
E-mail: A.Bondavalli@cnuce.cnr.it

1: Introduction

UML (Unified Modeling Language, [3]) is the most recently created modeling language for object-oriented systems. It covers the entire functional design process and comprises a variety of formalisms adapted to the engineer's way of thinking, to hierarchical model refinement and to design re-use. However, UML-based design environments do not yet support the assurance of quality of service during the design process. Dependability, performance and conformance to the initial specification are properties whose checking and validation usually require specialised expert groups. UML, as a language intended to be understood also by machines and tools, should support automatic model-based analysis and validation of these properties.

Our project HIDE (High-Level Integrated Design Environment for Dependability) aims at analysing dependability attributes (reliability, availability and safety) by means of transformations from UML descriptions to stochastic and concurrency semantics models. To do this, the model parameters and design structures important for dependability analysis have to be identified, the necessary extensions of UML defined, and the approach and algorithm of the transformations elaborated.

In the current phase of the project, we focus on early dependability modeling based on high-level, structural descriptions. Modeling in the early design phases allows the designer to compare different solutions, to select the most suitable one, and to highlight problems in the design. Modeling complex systems consisting of a large number of hardware and software components, and including redundancy structures as well, may introduce complexity problems. A feasible approach is to start with simple, high-level models and make them more and more complex by refining the critical parts of the system.

Accordingly, we are focusing on a subset of UML consisting of the static structure diagrams (class, object, component and deployment diagrams). Redundancy structures providing fault tolerance are restricted to class-level ones, i.e. a distinguished controller object is used to coordinate the objects (usually variants) providing a service in a redundant way [4]. Note that these redundancy structures may be available to the designer in the form of predefined library elements or schemes. Behavioural diagrams are not considered in general; they are used only in the case of controllers, to derive the (static) relations of the objects being coordinated. The formalism of the target dependability model is a timed transition Petri-net.

2: Construction of the dependability model

UML diagrams representing the static structure are mapped to a general system model used as an intermediate step towards the dependability model [1]. UML model elements (objects, nodes, packages, and components) are mapped to simple elements, while redundancy structures (usually in packages) are mapped to composite elements of the intermediate model. UML relations (associations, compositions, dependencies, deployments) are mapped to "uses service of" (in a special case "deployed on") and "composed of" relations of the intermediate model. The "uses service of" relation may induce a layering of the model. Note that the resolution of the dependability model depends on the refinement of the UML source selected for the mapping (e.g. whether a package is mapped to a single element or the objects forming that package are mapped separately).

In general, each non-composite model element is assigned a set of parameters used to characterise the fault, error and failure chain. "Private" errors are characterised by the rate of errors and activated faults. Failure of an element is due to its private error as well as to failures of the elements referred to by its "uses service of" and "deployed on" relations; in the latter cases the sensitivity of the element to such failures can also be defined. Permanent failures are distinguished (given as a proportion of all failures). Restoration of service is characterised by a repair process (with a repair rate). Error detection is characterised by local detection coverage (self-checking of elements) as well as global detection coverage (in the case of external error detectors).

Failure of a composite element, i.e. a redundancy structure, is not simply an OR relation of the failures of the simple elements belonging to it. Usually, a fault tree can be used to describe the effects of separate and common mode failures of the elements. In our approach, the fault tree is available either directly from the library of redundancy schemes (constructed by dependability experts), or is derived by analysing the behavioural description of the controller. In the latter case, the designer is required to provide the complete behaviour of the controller in the form of an annotated UML statechart diagram. In such a diagram the paths (trajectories) from the initial state leading to failure states or events are followed and the incoming events and conditions are examined, deriving the fault tree automatically in this way.

According to the above described system structure and parameters, the target Petri-net model consists of three sub-nets as follows.

  • The first subnet models the fault activation process leading to basic events, i.e. private errors of elements (separate and common mode failures are distinguished only in the case of redundancy structures). In the simplest case (exponential distributions and independent fault activation), exponentially timed transitions are used.
  • The second subnet models the propagation of basic events leading to derived events, i.e. failures of elements. It contains immediate transitions and (intermediate) places representing the logic relations described above. Failure of a simple element is an OR relation of its private failure and the failures induced by its "uses service of" and "deployed on" relations, while failure of a composite element is given by the fault tree induced by its "is composed of" relation. Fault trees can be easily mapped to Petri-nets [2]. Note that the system failure is one of the derived events, caused by failures of the elements on the uppermost layer.
  • The third subnet models service restoration. Basic as well as derived events can be removed implicitly (an event disappears when its underlying causes are removed, e.g. in the case of stateless objects) or by explicit repair (actions defined and scheduled by the designer). Different policies of repair (e.g. in case of permanent hardware failures) and recovery (e.g. in case of software elements) can be distinguished. Accordingly, the designer has to specify the policy in the form of a UML stereotype, and the corresponding (predefined) subnet is used in the dependability model. Note that the policy is usually not global to the system, but may be defined independently for sets of elements.

These sub-nets are connected by places representing the basic and derived events. Due to this interfacing, predefined or library-based sub-nets can be constructed and composed easily.
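The following added example (not part of the abstract or of the HIDE tools) works through the element parameters of Section 2 and the first two sub-nets on a small constructed intermediate model: simple elements with private error rates linked by "uses service of" and "deployed on" relations, and one composite element whose fault tree is a 2-of-3 majority vote. Because failure propagation is monotone, the OR relation of the second subnet becomes a minimum of failure times and a k-of-n fault tree becomes the k-th smallest, which lets the same function do Boolean propagation and a Monte Carlo estimate of the reliability function R(t) under the exponential, independent fault activation assumption of the first subnet; all element names and rates are hypothetical.

```python
import math
import random

# Constructed intermediate model (hypothetical names and rates, per hour).
# rate: private error rate; uses: "uses service of"; on: "deployed on";
# kofn: (k, members) fault tree of a composite element (fails once k members fail).
MODEL = {
    "host": {"rate": 1e-4},                          # hardware node
    "db":   {"rate": 2e-4, "on": "host"},
    "v1":   {"rate": 5e-4, "on": "host"},            # variants coordinated
    "v2":   {"rate": 5e-4, "on": "host"},            # by a majority voter
    "v3":   {"rate": 5e-4, "on": "host"},
    "tmr":  {"kofn": (2, ["v1", "v2", "v3"])},       # composite element
    "app":  {"rate": 1e-4, "uses": ["db", "tmr"]},   # uppermost layer
}

def failure_time(name, private, model=MODEL, memo=None):
    """Time of the derived event 'failure of name' given private error times.
    OR of causes -> min of their times; k-of-n fault tree -> k-th smallest."""
    memo = {} if memo is None else memo
    if name not in memo:
        e = model[name]
        if "kofn" in e:
            k, members = e["kofn"]
            memo[name] = sorted(failure_time(m, private, model, memo) for m in members)[k - 1]
        else:
            causes = [private[name]]
            causes += [failure_time(u, private, model, memo) for u in e.get("uses", [])]
            if "on" in e:
                causes.append(failure_time(e["on"], private, model, memo))
            memo[name] = min(causes)
    return memo[name]

def system_failed(failed_elements, top="app", model=MODEL):
    """Boolean propagation (second subnet): private errors present at time 0."""
    private = {n: (0.0 if n in failed_elements else math.inf)
               for n, e in model.items() if "rate" in e}
    return failure_time(top, private, model) == 0.0

def reliability_mc(t, top="app", model=MODEL, samples=20000, seed=1):
    """Estimate R(t) by sampling exponentially distributed fault activation times."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(samples):
        private = {n: rng.expovariate(e["rate"]) for n, e in model.items() if "rate" in e}
        survived += failure_time(top, private, model) > t
    return survived / samples

def reliability_exact(t):
    """Closed form for this particular model, used to cross-check the estimate."""
    p = math.exp(-5e-4 * t)          # one variant survives to t
    return math.exp(-(1e-4 + 2e-4 + 1e-4) * t) * (p**3 + 3 * p**2 * (1 - p))
```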

3: Dependability analysis

The Petri-net model can be used to compute dependability attributes and to analyse sensitivity to model parameters. Either transient analysis (deriving the reliability and availability functions) or steady-state analysis (resulting in the asymptotic availability) can be performed. Reliability analysis requires the net to be stopped when the system failure occurs (by inhibitor arcs or a halting condition). For safety analysis, a separate model is built to look for catastrophic failures; when no additional information is available, undetected failures are used.

Acknowledgements

The HIDE (ESPRIT LTR project 27439) consortium consists of: University of Erlangen (Germany), Pisa Dependable Computing Centre (Italy), Technical University of Budapest (Hungary), MID GmbH (Germany) and INTECS Sistemi (Italy).

References

  1. J.-C. Laprie and K. Kanoun: Software Reliability and System Reliability. In M. R. Lyu (ed.), Handbook of Software Reliability Engineering, pp. 27-69, McGraw Hill, New York, 1995.
  2. M. Malhotra and K. S. Trivedi: Dependability Modeling Using Petri-Nets. IEEE Transactions on Reliability, vol. 44, no. 3, pp. 428-440, September 1995.
  3. UML Summary, Version 1.1. Rational Software Corporation, http://www.rational.com/uml/, 1997.
  4. J. Xu, B. Randell, C. M. F. Rubira-Calsavara and R. J. Stroud: Towards an Object-Oriented Approach to Software Fault Tolerance. PDCS TR No. 140, University of Newcastle upon Tyne, 1994.