www.wileyeurope.com/college/van lamsweerde chap.9: risk analysis on goal models © 2009 john wiley...

www.wileyeurope .com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons

Building System Models for REBuilding System Models for RE

Chapter 9

Modeling What Could Go Wrong:

Risk Analysis on Goal Models

www.wileyeurope .com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 2

Building models for RE

Chap.8: Goals Chap.9: RisksChap.9: Risks

Chap.10: Conceptual objects Chap.11: Agents

on what?on what?

whywhy ??howhow ??

whowho ??


Risk analysis as seen in Chapter 3

RiskRisk = uncertain factor whose occurrence may result in loss of satisfaction of corresponding objectivecorresponding objective

– has likelihood & consequences (each having likelihood, severity)

Poor risk management is a major cause of software failure

Early risk analysis at RE time:

Riskidentification

Riskassessment

Riskcontrol

checklists,

component inspection,

risk treesrisk trees

qualitative,

quantitative

explore countermeasures

(tactics),

select best as new reqsnew reqs


Risk analysis can be anchored on goal models


Risk analysis on goal models: outline

Goal obstruction by obstacles– What are obstacles?– Completeness of a set of obstacles

– Obstacle categories

Modeling obstacles– Obstacle diagrams

– Obstacle refinement

– Bottom-up propagation of obstructions in goal AND-refinements

– Annotating obstacle diagrams

Obstacle analysis for a more robust goal model– Identifying obstacles– Evaluating obstacles

– Resolving obstacles in a modified goal model


What are obstacles ? Motivation: goals in refinement graph are often too ideal, likely to be violated under abnormal conditions

(unintentional or intentional agent

behaviors)

ObstacleObstacle = condition on system for violation of corresponding assertion (generally a goal)

• {OO, Dom } |= not G obstruction

• {OO, Dom } | false domain consistency

• O can be satisfied by some system behavior feasibility

e.g. G: TrainStoppedAtBlockSignal IfIf StopSignal Dom: IfIf TrainStopsAtStopSignal thenthen DriverResponsive

O: DriverUnUnresponsive

For behavioral goal: existential property capturing unadmissible behavior (negativenegative

scenario)


Completeness of a set of obstacles

Ideally, a set of obstacles to G should be complete

{not O1,..., not On, Dom } |= G domain completeness

e.g.

IfIf notnot DriverUnresponsive andand notnot BrakeSystemDown andand StopSignal

thenthen TrainStoppedAtBlockSignal ???

Completeness is highly desirable for mission-critical goals ...

... but bounded by what we know about the domain !

Obstacle analysis may help elicit relevant domain properties


Obstacle categories for heuristic identification

Correspond to goal categories & their refinement ...

HazardHazard obstacles obstruct SafetySafety goals

ThreatThreat obstacles obstruct SecuritySecurity goals– Disclosure, Corruption, DenialOfService, ...

InaccuracyInaccuracy obstacles obstruct AccuracyAccuracy goals

MisinformationMisinformation obstacles obstruct InformationInformation goals– NonInformation, WrongInformation, TooLateInformation, ...

DissatisfactionDissatisfaction obstacles obstruct SatisfactionSatisfaction goals– NonSatisfaction, PartialSatisfaction, TooLateSatisfaction, ...

UnusabilityUnusability obstacles obstruct UsabilityUsability goals

...

Usability Convenience

Goal

Functional goal Non-functional goal

Quality of service Compliance Architectural Development

Confidentiality Integrity Availability

DistributionInstallationSafety Security PerformanceReliability MaintainabilityCost

Time Space

Deadline Variability

Softwareinteroperability

Interface

Userinteraction

Deviceinteraction

Satisfaction Information Stim-Response

Accuracy

Cost


Obstacle diagrams as AND/OR refinement trees

Anchored on leafgoals in goal model (unlike risk trees)

– rootroot = not G

– obstacle ANDAND-refinement, OROR-refinement: same semantics as goals

– leafleaf obstacles: feasibility, likelihood, resolution easier to determine

obstruction

TrainStoppedAtBlockEntryIf StopSignal

StopSignal AndNot TrainStoppedAtBlockEntry

SignalNotVisible DriverUnresponsive BrakeSystemDown

…

root obstacle

OR-refinement

ResponsivenessCheckSentRegularly

resolution countermeasure goal

obstacle


Obstacle diagrams as AND/OR refinement trees (2)

MobilizedAmbulanceAtIncidentInTime

MobilizedAmbulance NotAtIncidentInTime

AmbulanceLost AmbulanceStopped TrafficDeviation

…

AmbulanceCrewNotInFamiliarArea

AND-refinement

In-carGPSNotWorking

…


Obstacle refinement

ANDAND-refinement of obstacle O should be ...

– complete: {subO1,..., subOn, Dom } |= O

– consistent: {subO1,..., subOn, Dom } | false

– minimal: {subO1,..., subOj-1, subOj+1 , ..., subOn, Dom } |= O

OROR-refinement of obstacle O should be ...

– entailments: {subOi, Dom } |= O

– domain-consistent: {subOi, Dom } | false

– domain-complete: {not subO1,..., not subOn, Dom } |= not O

– disjoint: {subOi, subOj, Dom } |= false

IfIf subOi OR-refines O andand O obstructs G

thenthen subOi obstructs G


Obstructions propagate bottom-up in goal AND-refinement trees

Cf. De Morgan’s law: not (G1 and G2) equivalent to not G1 or

not G2

=> Severity of consequencesconsequences of an obstacle can be assessed

in terms of higher-level goals obstructed

G

propagatedobstruction

G1 G2 not G1 not G2

not G


Annotating obstacle diagrams

Obstacle DriverUnresponsive

Def Situation of a train driver failing to react to a command and take appropriate action according to that command

[ FormalSpec in temporal logic for analysis, notnot in this chapter ]

[ Category Hazard ]

[ Likelihood likely ]

[ Criticality catastrophic]

DriverUnresponsive

precise definition

features

annotation


Obstacle analysis for increased system robustness

Anticipate obstacles ...more realistic goals, new goals as countermeasures to abnormal conditions

more complete, realistic goal model

Obstacle analysis:Obstacle analysis:

For selected goals in the goal model ...

– identify as many obstacles to it as possible;

– assess their likelihood & severity;

– resolve them according to likelihood & severity

=> new goals as countermeasures in the goal model


Obstacle analysis and goal model elaboration are intertwined

Goal modelelaboration

data dependency

Obstacleidentification

Obstacleassessment

Obstacleresolution

Goal-obstacle analysis loop terminates when remaining obstacles can be tolerated– unlikely or acceptable consequences

Which goals to consider in the goal model?– leafgoalsleafgoals (requirements or expectations): easier to refine what is wanted

than what is not wanted (+ up-propagation in goal model)

– based on annotated Priority & Category (Hazard, Security, ...)


Identifying obstacles

For obstacle to selected assertion G (goal, hypothesis, suspect dom prop) ...

negate G; {=> root obstacle}

find AND/OR refinements of not G in view of valid domain properties ... {according to desired extensiveness}

... until reaching obstruction preconditions whose feasibility, likelihood, severity, resolvability is easy to assess

= goal-anchoredgoal-anchored construction of risk-treerisk-tree


Obstacleassessment

Obstacleresolution


Identifying obstacles: tautology-based refinement

Goal negation as root => use tautologies to drive refinements e.g.

notnot (A andand B) amounts to notnot A oror notnot B

notnot (A oror B) amounts to notnot A andand notnot B

notnot (ifif A thenthen B) amounts to A andand notnot B

notnot (A iffiff B) amounts to (A andand notnot B) oror (notnot A andand B)

=> complete OR-refinements when oror-connective gets in


Identifying obstacles by tautology-based refinement

MotorReversed Iff MovingOnRunway

MotorReversedIff WheelsTurning

MovingOnRunway Iff WheelsTurning



NOTMovingOnRunway Iff WheelsTurning

NOTMotorReversed Iff WheelsTurning

obstruction






NOTMovingOnRunway Iff WheelsTurning

NOTMotorReversed Iff WheelsTurning

MotorReversed AndNotWheelsTurning

obstruction

OR-refinement (complete)

WheelsTurning AndNotMotorReversed

MovingOnRunway AndNot WheelsTurning

WheelsTurning AndNot MovingOnRunway






NOTMovingOnRunway IffWheelsTurning

NOTMotorReversed IffWheelsTurning

MotorReversed AndNotWheelsTurning

Aquaplaning ...

obstruction

OR-refinement (complete)

WheelsTurning AndNotMotorReversed

MovingOnRunway AndNot WheelsTurning

WheelsTurning AndNot MovingOnRunway

WheelsNotOut WheelsBroken ... ...

...





Obstacle identification: another example

BrakeReleased DriverWantsToStart

BrakeReleased MotorRaising

MotorRaising AccelerPedalPressed

AccelerPedalPressed DriverWantsToStart


MotorRaising And NotAccelerPedalPressed

...

...






AccelerPedalPressedAnd Not DriverWantsToStart


MotorRaising And NotAccelerPedalPressed

AirConditioningRaising

...

...

cf. driver killed by hisluxurious car on a hot summerday






AccelerPedalPressedAnd Not DriverWantsToStart

... ...

...


Identifying obstacles from necessarynecessary conditions for obstructed

target

alwaysalways TrainStoppedIfIfStopSignal [If CurrentCondition then] always GoodCondition

[CurrentCondition and] sooner-or-laternot GoodCondition

If GoodCondition then NecessaryCondition

[CurrentCondition and]sooner-or-later

not NecessaryCondition

Maintain goal

Domain property

sooner-or-latersooner-or-later not not

TrainStoppedIfIfStopSignal

If If TrainStoppedIfIfStopSignalthenthen DriverResponsive

sooner-or-latersooner-or-later notnot DriverResponsive


Identifying obstacles from necessary necessary conditions for obstructed target

(2)

Can also be used for eliciting relevant domain properties

– “what are necessarynecessary conditions for TargetCondition?”

[If CurrentCondition then] sooner-or-later TargetCondition

[CurrentCondition and] never TargetCondition

If TargetCondition then NecessaryCondition

[CurrentCondition and] never NecessaryCondition

Achieve goal

Domain property


Obstacle models as goal-anchored fault trees

WorstCaseStoppingDistanceMaintained

AccelerationSentInTimeToTrain

SafeAccelerationComputed

SentCommandReceivedByTrain

ReceivedCommandExecutedByTrain


Obstacle models as goal-anchored fault trees

Acceleration NotSafe

AccelerationCommand Not SentInTimeToTrain

NotSent

WorstCaseStoppingDistanceMaintained

AccelerationSentInTimeToTrain

SafeAccelerationComputed

SentCommandReceivedByTrain

ReceivedCommandExecutedByTrain

AccelerationCommand NotReceivedInTimeByTrain

...

SentLate SentToWrongTrain ...

ReceivedLate

CorruptedNotReceived


Evaluating obstacles

Check domain-consistency & feasibility conditions– satisfying scenario ?

Assess Likelihood and Criticality

– cf. Chap. 3

– with domain experts

– rough estimates can be obtained from propagation rules:

Likelihood (O) = minminii (Likelihood (sOi) if O is ANDAND-refined to sOi

Likelihood (O) = maxmaxii (Likelihood (sOi) if O is OROR-refined to sOi

– severity of consequences can be estimated from number & Priority of higher-level goals obstructed by up-propagation in goal trees


Obstacleassessment

Obstacleresolution


Resolving obstacles

Resolution through countermeasures– new or modified goals in goal model

– often to be refined

For every identified obstacle ...

– explore alternative resolutions

– select “best” resolution based on ... • likelihood/severity of obstacle

• non-functional/quality goals in goal model


Obstacleassessment

Obstacleresolution


Exploring alternative countermeasures

By use of model transformation operatorsmodel transformation operators

– encode resolution tactics

Goal substitutionGoal substitution: consider alternative refinement of parent goal to avoid obstruction of child goal

Galternative less exposed to risk

e.g. MotorReversed Iff WheelsTurning

MotorReversed Iff PlaneWeightSensed


Exploring alternative countermeasures (2)

Agent substitutionAgent substitution: consider alternative responsibilities for obstructed goal so as to make obstacle unfeasible

more reliable agent

e.g. Maintain [SafeAccelerationComputed]

obstructed by ComputedAccelerationNotSafe

OnBoardTrainControllerVitalStationComputer



Goal weakeningGoal weakening: weaken the obstructed goal ’s formulation so that it no longer gets obstructed

– for if-thenif-then goal specs: add conjunct in ifif-part or disjunct in thenthen-part

e.g. Maintain [TrafficControllerOnDutyOnSector]

obstructed by NoSectorControllerOnDuty

goal weakening:

TrafficControllerOnDutyOnSector or WarningToNextSectorWarningToNextSector



Obstacle preventionObstacle prevention: introduce new goal AvoidAvoid [obstacle] [obstacle]

e.g. AccelerationCommandCorrupted

AvoidAvoid [AccelerationCommandCorrupted]

– to be further refined

= standard resolution tactics for security threats

Goal restorationGoal restoration: enforce target condition as obstacle occurs

=> new goal: ifif O then sooner-or-latersooner-or-later TargetCondition

e.g. ResourceNotNotReturnedInTime ReminderSent

WheelsNotNotOut WheelsAlarmGenerated



Obstacle reductionObstacle reduction: reduce obstacle likelihood by ad-hoc countermeasure



Obstacle mitigationObstacle mitigation: introduce new goal to mitigate consequences of obstacle

– Weak mitigationWeak mitigation: new goal ensures weaker version of goal when obstructed

e.g. Achieve [AttendanceIfIfInformedAndAndMeetingConvenient]

Achieve [ImpedimentNotified]

– Strong mitigation:Strong mitigation: new goal ensures parent of goal when obstructed

e.g. OutdatedSpeed/PositionEstimates

Avoid [TrainCollisionWhenOutDatedTrainInfo]

Resolution goals must then be further refined in the goal model


Selecting best resolution Evaluation criteria for comparing alternative resolutions ...

– number of obstacles resolved by the alternative

– their likelihood & criticality

– the resolution’s contribution to soft goals

– its cost

May be based on estimates of ...– risk-reduction leverage (cf. Chap.3)

– qualitative/quantitative contribution to soft goals (cf. Chap.16)

If obstacle not eliminated, multiple alternatives may be taken

e.g. FineCharged + ReminderSent (for book copies not returned in time)

Selected alternative => new/weakened goal in goal model– resolution link to obstacle for traceability

– weakening may need to be propagated in goal model– to be refined & checked for conflicts & new obstacles

www.wileyeurope.com/college/van lamsweerde chap.9: risk analysis on goal models © 2009 john wiley...

Documents