Extending UML towards a Useful OO-Language for ... - CiteSeerX

Extending UML towards a Useful OO-Language for Modeling Dependability Features M. Dal Cin University of Erlangen-Nürnberg, Informatik 3, Germany [email protected]

Abstract The paper presents an UML profile which defines a language for specifying, visualizing, analysing and documenting dependability mechanisms. It helps to cope with the complexity of fault-tolerant system design by providing specifications of (common) dependability constructs that can be incorporated into models of fault-tolerant real-time systems.

1. Introduction The Unified Modeling Language (UML) [3] is a visual language for creating object-oriented models of a wide variety of systems, e.g., software systems, embedded systems, or business systems. It developed into a widely accepted standard for object-oriented notations. Therefore, it is natural to consider UML also for modeling dependability features of real-time systems [1,2,13,14,15,16]. However, how useful is UML for this task, and in which aspects should UML be extended in order to become a useful modeling language for dependability mechanisms? The new standard UML 2.0 is a step in this direction. For example, it provides interruptable regions, exceptions and timing diagrams. However as we see it, there are many more requests to present dependability features that can not be described with ULM 2.0 in its current version. In this paper we briefly present our approach to making UML a useful OO-language for modeling dependability features of real-time systems.

2. Profiles To tailor UML to particular application domains the concept of profiles is introduced. A useful profile provides an extension of the UML standard with specific modeling elements and their semantics grouped in packages. For example, proposal [4] contains, among other things, a specification of generic resource modeling, a generic model for representing time and timerelated mechanisms, a generic model of concurrency, and an approach to perform basic schedulability analysis. In [17] a UML profile for reliable embedded software is presented. To complement these proposals, we are currently

developing a generic profile for certain aspects of dependability also. The profile defines a language for defining, visualizing, analysing and documenting dependability mechanisms. It is intended to help to cope with the complexity of fault-tolerant system design by providing specifications of (common) dependability constructs that can be incorporated into models of fault-tolerant real-time systems. The profile shall support the modular representation of dependability mechanisms and shall capture the desired terminology.

3. DMP A profile is a predefined set of packages of UML extensions for a particular domain, technology, or methodology. The following packages define the UML Dependability Mechanisms Profile (DMP): Dependability Architecture, Dependability Cases, and Dependability Data: •

Dependability Architecture (DA) defines dependability components. A component is a structured classifier participating in dependability behaviors of a system. Dependability components can specify, for example, error detection units, error recovery mechanisms, or redundancy management strategies. A component is commonly an active class with a set of ports and interfaces.

•

Dependability Cases (DC) defines dependability mechanisms and their actions on the system. A dependability mechanism is usually a structured classifier acting as a grouping of components providing a dependability feature (Fig. 4).

•

Package Dependability Data (DD) contains sub-packages of prefabricated classes and class diagrams which define, e.g., fault patterns, fault statistics, or repair time distributions for dependability components.

1

Package Dependability Data is needed when the system model is to be evaluated with respect to its dependability behavior (Sec.7). Dependability Cases imports package Dependability Architecture to get access to the dependability components (Fig.1).



Dependability Architecture

DependabilityCases

Fig. 1 Relation between profile packages

Fig. 2 indicates the general structure of a system model based on DMP comprising several dependability mechanisms. The model incorporates dependability mechanisms which in turn contain dependability components.

System Dependability Mechanism

Component

Fig. 2 Model Structure

The essential parts of DMP are dependability mechanisms. The mechanism of Fig.4 defines, as an example, the behavior and objective of a specific error detection unit. Stereotype indicates the behavior of this dependability mechanism. It defines sequences of interactions of the dependability mechanism objects with the system objects. Behavior classifier can specify activity diagrams, statecharts or interaction diagrams. Error_Detection (single error detection by voting) is an element of sub-package PError_Detection of profile package DC.

This error detection mechanism (stereotype : fault tolerance mechanism) could be part of a Break Control model (Fig.5). Ftm Channel_Switch is an element of sub-package PRedundancy_Management.

DC



4. Dependability Mechanisms

The example mechanism is executed to reveal erroneous behavior of the system in accordance with the specified detection objective. The execution results in a verdict. Verdict is a predefined enumeration indicating the possible results of the error detection (pass, fail, inconclusive, error). For example, an inconclusive verdict indicates that the dependability mechanism cannot determine whether the system performs well; an error verdict indicates that the mechanism itself is faulty.

Behavior

Break Control

For example, in Fig.3 the Break Control model may contain submodels such as HWControl or BreakControlLogic. The model imports from Package Dependability Cases. Package Dependability Cases is the focus of the specified dependability mechanism. Sub-packages Error Detection and Redundancy Management import from Dependability Architecture.

PError_ Detection



DA

DD

PRedundancy_ Management

Fig. 3 DMP Packages

2

clarify UML elements and their participation in a system. They are applied to existing UML entities, such as classes and associations, and augment the semantics of these elements with newly defined meanings. Stereotypes allow the extended elements to ”behave as if they were instantiated from the meta-model construct”. A stereotype may have attributes that can be modelled as tags. New tags may also be introduced as independent modeling elements.

Detection Objective

TMR_Voting Error_Detection

Stereotypes make UML diagrams easier to understand for non-experts, and at the same time preserve UML. For example, the ftm stereotype is applied to one or more properties of a classifier to specify that they constitute a fault tolerance mechanism.

Exceptions no_mayority_ex Verdict

We have developed a language for notes and tag values that captures dependability requirements. This language is called SQIRL:

pass fail inconcluvive error

Stochastic Qantitative requIRement Language [10].

Fig. 4 Structure of error detection mechanism sError_Detection

Break

Break Control Logic

sError_ Detection

Channel_ Switch

Fig. 5 Break Model

SQIRL has a grammar for English-like sentences which allows specifying non-functional dependability and performance requirements. The user can compile English sentences from a list of English fragments. The sentences represent (stochastic) requirements which are also the basis for the evaluation of stochastic models. (Then the requirements define properties that can be evaluated. The implementer has to guarantee that the properties hold.) Note, however, that SQIRL sentences are independent of the modeling language used and of the concrete system model. To define their precise semantics, SQIRL sentences have, therefore, to be translated to the modeling environment. For example, the stereotype of profile package Dependability Architecture models a voting activity and can be applied to the base elements: component, message, action state, action, and method. Associated tags are „response_time“ of type INTEGER, and „ query“, „required“ and „modelled“ of type: SQIRL expression. Thus, SQIRL expressions are used to specify the value part of a tagged value according to the following syntax: {tag-name = }, cf. Fig. 6.

5. Stereotypes and associated tags Main elements of profile packages are new stereotypes. Stereotypes provide a way of extending UML by defining simple terms and using them to

3

action response_time = 5

required = probability _of_fuctioning within time interval 0 to 5 >0.98

Fig. 6 Tag and Note This way the UML-Dependability Mechanisms Profile provides facilities for capturing dependability requirements for dependability mechanisms, and for specifying parameters which can be used by model analysis tools to compute predicted dependability and performance characteristics . Thus, the UML Dependability Mechanisms Profile provides specification means for dependability structures and behavior. It enhances UML with concepts like test architecture, redundancy configuration, error detection components, fault patterns, fault recovery behavior. Moreover, it integrates seamlessly into UML: being based on UML meta-model, using UML syntax. However, as we see it, profiling alone is not sufficient to achieve a useful modeling tool for dependablity mechanisms. Profiling should be complemented by patterns and model validation methods.

6. Patterns for models of dependable systems Patterns have been introduced as general solutions to common problems. A collection of patterns typically encodes expert knowledge about the relation between a problem, its context and its solution. Several types of patterns have been identified, i.e., design patterns, analysis patterns and architectural patterns. A first attempt towards modeling of dependability mechanisms with help of patterns was proposed in [5]. However, this work made clear that much more effort is needed and that naïvely designed patterns can be a source for misleading concepts.

We developed a (still small) library of patterns like NMR Pattern, IAmALive Pattern, or DiverseRedundancy Pattern (Fig.7) employing the UML-Dependability Mechanisms Profile. We also introduced an appropriate notation based on the UML for the formal representation of patterns of dependability features [6]. It is, however, not yet clear whether syntax and semantics as defined in the official standard will be sufficient to achieve the required precision. On the other hand, it is good policy to keep as close to the standard as possible and to avoid modifying UML beyond the possibilities for extensions offered by the language itself in order not to hinder its acceptance. We designed the pattern language employing “parameterised collaborations” (indeed called “Patterns” by the standard) and the notational elements of SQIRL that allow to express stochastic attributes. Furthermore, in [7] we proposed to extend the pattern language by the main abstraction mechanisms of QML, a Quality-of-Service specification language [8]: contract type, contract and profile (not to be confused with the notion of UML-profiles). A contract type defines the dimensions that can be used to characterise a particular quality of service aspect; a contract is an instance of a contract type and profiles associate contracts with interfaces and operations of certain units.

7. Validation of UML-models of dependable systems. As computer-based analysis of dependability features of real-time systems deals with complex system behaviour, a rigorous specification language such as SQIRL for non-functional, quantitative requirements – especially with respect to dependability - becomes a prerequisite for the validation of these features. If a mathematical, stochastic-related language is used, it often turns out that even engineers with mathematical background have severe problems to compile correct requirement specifications. Non-functional requirements given in structured English as in SQIRL can be communicated easier to other persons. Furthermore, structured English sentences are non-ambiguous and, therefore, can be used for documentation purposes. As mentioned, requirements expressed in SQIRL define also (stochastic) properties of modelling elements that can be the basis for model evaluation.

4

Redundant Channels

Diverse Redundany Pattern

Break 1

Control Logic

sError_ Detect

*

Channel Interface

Channel_ Switch

response_time = 7 required = steady state probability of_fuctioning >0.98

Fig. 7 DiverseRedundancy Pattern [5]

For validation we follow then a three-step approach. In the first step, non-functional properties can be specified in general terms with help of SQIRL. In the second step, this specification is refined within the context of the modeling environment defined by the UML Dependability Mechanisms Profile. The final step is required to translate the specification (and the system model) to a notation that can be interpreted by an analysis tool [9]. For the later step we use the language of stochastic Petri Nets, in particular the language of Stochastic Reward Nets (SRN) [11,12]. For SRNs we have developed a powerful analysis tool. This analysis tool PANDA (Petri Net Analysis and Design Assistant) contains an UML-interface and an automatic mapping of UML dynamic models to Stochastic Reward Nets [13].

8. Conclusion Our next goal is to collect best practice modeling knowledge and to find out whether profile and pattern based modeling supports quantitative analysis of dependability features of real-time systems.

References [1] A. Bondavalli, M. Dal Cin, D. Latella and A. Pataricza, High-level Integrated Design Environment for Dependability (HIDE), Proc. Fifth International Workshop on Object-Oriented Dependable Systems (WORDS 1999 Fall), Monterey, pp. 87-92, 1999. [2] A. Bondavalli, I. Majzik and I. Mura, Automatic Dependability Analysis for Supporting Design Decisions in UML, Proc. Fourth IEEE International High-Assurance Engineering Symposium, Washington DC, pp. 64-71, 1999, and Majzik, A. Pataricza, A. Bondavalli: Stochastic Dependability Analysis of System Architecture based on UML Models. in Architecting Dependable Systems (eds. R. de Lemos, C. Gacek and A. Romanovsky, Springer LNCS-2677, pp.219-244. 2003. [3] OMG Unified Modeling Language Specification; Technical Report 1.4, Object Management Group, 2001 [4] UML Profile for Schedulability, Performance and Time, OMG Object Management Group, 2001 [5] B. P. Douglas, Doing Hard Time, Addison-Wessley, 1999 [6] M. Sand, Modeling Dependable Systems with Patterns, EDCC4, Toulouse, 2002, and Technical Report Informatik 3, University of ErlangenNürnberg, 2002 [7] G. Huszerl and K. Kosmidis, Object Oriented Notation for Modeling Quantitative Aspects, Proc. of Int. Conf. On Architecture of Computing Systems ARCS 2002, pp 91-100, 2002 [8] S. Forlund and J. Koistinen, Quality of Service Specification in Distributed Object Systems, Proc. of 5th USENIX Conf. On Object-Oriented Technology and Systems, pp. 69-89, 1999 [9] G. Huszerl, I. Majzik, A. Pataricza, K. Kosmidis and M. Dal Cin, Quantitative Analysis of UML Statecharts Models of Dependable Systems, The Computer Journal Vol.45, pp. 220-277, 2002 [10] M. Dal Cin, Structured Language for Specifications of Quantitative Requirements, Proc. Fifth IEEE International High-Assurance Engineering Symposium, Albuquerque, pp. 221-227, 2000

5

[11] S. Allmaier and D. Kreische, PANDA Petri Net Analysis and Design Assistant User's Guide, technical report 1/2000 Informatik 3 University of Erlangen, 2000. [12] S. Allmaier and D. Kreische, Parallel approaches to the numerical transient analysis of stochastic solution of GSPNs on a shared memory multiprocessor, Proc. IEEE Int. Workshop on Petri Nets and Performance Models (PNPM'97), 1997. [13] S. Allmaier and S. Dalibor (1997): PANDA -- Petri net ANalysis and Design Assistant, Tools Descriptions, 9th Int. Conf. on Modeling Techniques and Tools for Computer Performance Evaluation, St. Malo, 1999 [14] A. Pataricza: From the General Resource Model to a General Fault Modeling Paradigm? Workshop on Critical Systems Development with UML at UML 2002, Dresden, Germany., 2002 [15 ] C. D. Gill: RT-POD: a framework for Real-Time systems Participation in Own Defense, this volume (WORDS 2003 Fall), Anacapri, Italy, 2003 [16] J. Park, S. Kim, S Hong: Weaving Aspects into Real-Time Operating System Design using ObjectOriented Model Transformation, this volume (WORDS 2003 Fall), Anacapri, Italy, 2003 [17] J. Matthes, H. Keller, W-D Hecker , M. Kersten, and C. Fouda: Zuverlässige Software durch den Einsatz von UML, MDA und der Programmiersprache ADA, Proceedings Informatik 2003 mit Sicherheit Informatik, GI Lecture Notes in Informatics, pp. 167-178, Franfurt am Main, Germany, 2003 [18] M. Dal Cin, G. Huszerl, and K. Kosmidis: Transformation of Guarded Statecharts for Quantitative Evaluation of Dependable Embedded Systems, Proceedings 10th European Workshop on Dependable Computing (EWDC-10), pp- 143-148, 1999

6