Dependability Case Editor with Pattern Library

Yutaka Matsuno, Information Technology Center, The University of Tokyo, Email: [email protected]
Hiroki Takamura, Dependable Embedded OS R&D Center, Email: [email protected]
Yutaka Ishikawa, Information Technology Center, The University of Tokyo, Email: [email protected]
I. INTRODUCTION

This abstract discusses our current work on collecting patterns of dependability cases for a software/system lifecycle. We also describe a prototype implementation of a dependability case editor, called the D-Case Editor, which has a pattern selection function.

As stated in the white paper by the System Assurance Task Force of the Object Management Group¹ (OMG) [4], software assurance is crucial for software suppliers to meet challenges and risks in such a way that users and other stakeholders can rationally maintain confidence in their suppliers, or at least assess the level of risk. Suppliers must not only ensure the delivery of adequate systems; acquirers and users must also have explicit, valid, well-reasoned, and evidence-supported grounds for their confidence and decision making, which are then incorporated into related engineering conclusions and their uncertainties. Consequently, assurance cases [2] have been receiving much attention. In particular, assuring dependability [1], which has been recognized as an important metric for computer systems, is crucial. In our study, we focus on dependability cases. To expand the use of dependability cases in a software/system lifecycle, our contributions are the following.

• We collect patterns of dependability cases for a software/system lifecycle and design a library containing these patterns.
• We implement a dependability case editor with a function for selecting patterns from the library.

Related Work

Studies of assurance cases have primarily been conducted in the field of safety. Safety cases are often written in graphical notations such as the Goal Structuring Notation (GSN) [5]. Safety cases tend to be huge and complex, and thus are hard to write and verify. Kelly and his colleagues introduced safety case patterns in GSN [6], [9] in order to reuse successful safety case patterns.
However, because their case patterns were constructed primarily for safety cases, they do not cover all the attributes of dependability. Also, as far as we know, their patterns are available only in their papers, and no assurance case editor and pattern library are available. Therefore, tool support for finding successful patterns is limited. Many studies have investigated security patterns². In the security field, a pattern is generally applied to solutions to security problems that arise within a specific context. Currently, security patterns are not widely used for assurance cases.

II. DEPENDABILITY CASE PATTERN LIBRARY

Dependability is the property that enables users to rely on a system. Such a property is characterized by several attributes. In [1], Avizienis et al. defined dependability as a composite of availability, safety, integrity, reliability, and maintainability. However, although widely accepted, the attributes in [1] are merely examples of what users can demand. Dependability is a composite system property consisting of a number of different heterogeneous (and possibly conflicting) attributes [3] that vary with the domain of the system, the users, the system environment, and so on. As a result, no widely recognized standard criteria exist for dependability in the software/system area, unlike in the areas of safety and security, which have well-established safety integrity levels (SIL) and evaluation assurance levels (EAL), respectively.

We contend that dependability case patterns should contain information on the dependability attributes and the criteria for each domain (e.g., home electronics, network systems, mobile phones). Furthermore, it would be helpful if the patterns were made using proposed techniques, such as the conflict resolution method in [3]. Therefore, we have been designing a library for dependability case patterns. Fig. 1 shows an example of the patterns we are collecting. The patterns, drawn by engineers who have experience with movable robotic arms, are collected as a library in our prototype dependability case editor, called the “D-Case Editor” (the “D” stands for dependability).
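As an added illustration of the library structure described in this section (this is example code written for this page, not code from the D-Case Editor, which is an Eclipse GMF application, nor from the authors), the following Python sketch models a pattern library indexed by domain, dependability attribute and level, instantiates a selected pattern onto a case, and flags goals that are left without evidence. The node kinds, the `{system}` placeholder, the rank letters, the `PatternLibrary`/`instantiate`/`unsupported_goals` names and the sample entry, which follows the robotic-arm availability argument of Fig. 1, are all assumptions made for the example.

```python
# Added example (not code from the D-Case Editor or its authors): a minimal
# model of a GSN-style dependability case pattern library, indexed by domain,
# dependability attribute and level, with pattern instantiation and a check
# that every goal in an instantiated case is supported by evidence.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One GSN element: "goal", "strategy", "context" (assumption) or "evidence"."""
    kind: str
    text: str
    children: List["Node"] = field(default_factory=list)


@dataclass(frozen=True)
class PatternKey:
    """Classification assumed for the library: domain, attribute and level."""
    domain: str      # "general" or a specific system domain such as "robotic-arm"
    attribute: str   # e.g. "availability", "operability", "security"
    level: str       # rank "A", "B" or "C" (hypothetical, not a standard criterion)


class PatternLibrary:
    """Pattern store with the selection function of the pattern selection view."""

    def __init__(self) -> None:
        self._patterns: Dict[PatternKey, Node] = {}

    def add(self, key: PatternKey, root: Node) -> None:
        self._patterns[key] = root

    def select(self, domain: Optional[str] = None, attribute: Optional[str] = None,
               level: Optional[str] = None) -> List[Tuple[PatternKey, Node]]:
        """Return the patterns whose classification matches every given filter."""
        return [(k, p) for k, p in self._patterns.items()
                if (domain is None or k.domain == domain)
                and (attribute is None or k.attribute == attribute)
                and (level is None or k.level == level)]


def instantiate(pattern: Node, bindings: Dict[str, str]) -> Node:
    """Copy a pattern onto a case, substituting {placeholders} in the node text."""
    return Node(pattern.kind, pattern.text.format(**bindings),
                [instantiate(c, bindings) for c in pattern.children])


def unsupported_goals(root: Node) -> List[str]:
    """Goals with no evidence anywhere beneath them, in depth-first order."""
    def has_evidence(n: Node) -> bool:
        return n.kind == "evidence" or any(has_evidence(c) for c in n.children)

    found: List[str] = []

    def walk(n: Node) -> None:
        if n.kind == "goal" and not has_evidence(n):
            found.append(n.text)
        for c in n.children:
            walk(c)

    walk(root)
    return found


def build_robotic_arm_library() -> PatternLibrary:
    """Constructed sample entries; the first follows the shape of the Fig. 1 pattern."""
    freeze_pattern = Node("goal", "{system} does not freeze", [
        Node("strategy", "Argue over each cause of freezing", [
            Node("goal", "Abnormal moving of the arm is avoided", [
                Node("context", "Abnormal moving is primarily due to low pressure "
                                "and out-of-range movement"),
                Node("evidence", "Runtime monitoring of pressure and arm movement"),
            ]),
            Node("goal", "{system} does not freeze when the whole system shuts down", [
                Node("evidence", "Hot standby sub-system takes over on shutdown"),
            ]),
        ]),
    ])
    # A second, deliberately incomplete pattern: its evidence is still to be supplied.
    draft_pattern = Node("goal", "{system} is maintainable", [
        Node("strategy", "Argue over maintenance activities", [
            Node("goal", "Components can be replaced in the field"),
        ]),
    ])
    lib = PatternLibrary()
    lib.add(PatternKey("robotic-arm", "availability", "A"), freeze_pattern)
    lib.add(PatternKey("robotic-arm", "maintainability", "C"), draft_pattern)
    return lib


def check_selected(lib: PatternLibrary, attribute: str, system: str) -> Dict[str, List[str]]:
    """Select the robotic-arm patterns for one attribute, instantiate them and
    report, per top goal, the goals that remain unsupported by evidence."""
    report: Dict[str, List[str]] = {}
    for _key, pattern in lib.select(domain="robotic-arm", attribute=attribute):
        case = instantiate(pattern, {"system": system})
        report[case.text] = unsupported_goals(case)
    return report


if __name__ == "__main__":
    library = build_robotic_arm_library()
    print(check_selected(library, "availability", "Robotic arm"))
    print(check_selected(library, "maintainability", "Robotic arm"))
```

Running the block reports no unsupported goals for the availability pattern and two for the incomplete maintainability draft; that is the kind of consistency check an editor can run when a pattern is pasted onto the canvas, independently of the (non-standard) rank assigned to the pattern.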
The engineers assume that the dependability attributes for robotic arms are availability, functionality, safety, reliability, capability, extensibility and maintainability, based on their own experience and the guidebook of non-functional requirements published by the Information Technology Promotion Agency in Japan³. The focus of the example in Fig. 1 is to assure the availability of robotic arms. The top goal is “Robotic arm does not freeze.” To assure this top goal, the engineers consider two causes of freezing. One is abnormal movement of the arm and the other is the shutdown of the whole system. The assumption is that abnormal movement of the arm is primarily due to low pressure and out-of-range movement. To avoid abnormal movement, the engineers cite evidence that abnormal movement is avoided by runtime monitoring of the pressure and arm movement. The evidence shown on the right side in Fig. 1 says that a hot standby sub-system can be installed so that the robotic arm does not freeze when shut down. Please note that this particular example has not been well validated. However, such patterns can only be written by experts in the domain and are worthwhile for collection in a library.

¹ http://www.omg.org
² http://www.securitypatterns.org/
³ http://www.ipa.go.jp/index-e.html

Fig. 1. An Example of Patterns in the D-Case Editor

Fig. 2. Pattern Selection View in the D-Case Editor

III. DEPENDABILITY CASE EDITOR WITH THE PATTERN LIBRARY

The D-Case Editor is based on the Eclipse GMF framework⁴. D-Case, which is our implementation of a dependability case, is currently based on GSN. Fig. 2 shows the pattern selection view. As shown in this view, a user can select patterns and paste them onto the canvas. In Fig. 2, there are patterns for general dependability attributes (e.g., availability, operability, and security) that can be used in many domains, each attribute having three levels (rank A, B, and C, which are not based on any standard criteria), as well as patterns specific to a movable robotic arm. The structure of the library has not yet been comprehensively designed. We consider that, for each domain of systems, the dependability attributes and the dependability levels (according to some criteria, if defined) would be the items for classification in the library. Also, because assurance cases are maintained throughout the whole lifecycle of the system [2], patterns should be collected for every lifecycle phase.

⁴ http://www.eclipse.org/modeling/gmp/

IV. CONCLUDING REMARKS

Last year we began our studies on assurance cases, as will be shown in [7], and on activities for standardizing assurance case patterns in the OMG [8].
We have been devising a method to connect the D-Case Editor to the system itself so that runtime evidence is directly available during the operation phase. This is our primary goal, and we intend to report our progress in the near future.

ACKNOWLEDGMENT

This work is funded by the JST CREST program “Dependable Embedded Operating System (DEOS) for Practical Uses”⁵. We would like to thank Fuji Xerox for implementing the D-Case Editor and Kenji Taguchi for valuable comments.

⁵ http://www.jst.go.jp/kisoken/crest/en/category/area04-4.html

REFERENCES

[1] Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secur. Comput., 1(1):11–33, January 2004.
[2] Peter Bishop and Robin Bloomfield. A methodology for safety case development. In Safety-critical Systems Symposium (SSS 98), 1998.
[3] Georgios Despotou. Managing the Evolution of Dependability Cases for Systems of Systems. PhD thesis, Department of Computer Science, University of York, 2007.
[4] OMG System Assurance Task Force. A white paper on software assurance, 2007.
[5] Tim Kelly and Rob Weaver. The goal structuring notation - a safety argument notation. In Proc. of the Dependable Systems and Networks 2004, Workshop on Assurance Cases, 2004.
[6] T.P. Kelly and J.A. McDermid. Safety case construction and reuse using patterns. In Proceedings of the 16th International Conference on Computer Safety, Reliability and Security (SAFECOMP’97), 1997.
[7] Yutaka Matsuno, Jin Nakazawa, Makoto Takeyama, Midori Sugaya, and Yutaka Ishikawa. Toward a language for communication among stakeholders. In Proc. of the 16th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC’10), 2010. To appear.
[8] Toshinori Takai, Makoto Takeyama, Kenji Taguchi, Atsushi Ito, Hajime Ueno, Hiroki Takamura, Jin Nakazawa, and Yutaka Matsuno. A white paper on assurance case process metamodel. Presented at the OMG System Assurance Task Force, June 21-25, 2010.
[9] Robert Andrew Weaver. The Safety of Software - Constructing and Assuring Arguments. PhD thesis, Department of Computer Science, University of York, 2003.