industry day paris 10.09.07 rodin methodology for developing fault tolerant systems elena...

Industry Day Paris 100907

Rodin Methodology for Developing Fault Tolerant Systems

Elena Troubitsyna Aringbo Akademi UniversityTurku Finland


Motivation

Formal methods and fault tolerance complement each other in achieving system dependability

Formal methods help us to clean up architecture handle complexity facilitate verification

Fault tolerance provide us with techniques to cope with failures of physical components

RODIN integrates fault tolerance and formal methods in systems approach


Talk outline Systems approach

Fault tolerant control systems

Distributed systems fault tolerance in service-oriented development

Middleware for fault tolerant multi-agent systems

Replicated data-base systems fault tolerant transactions


Systems approach System approach assumes that while developing SW we have a

picture of whole system in mind

Software fault ldquoBugrdquo -- bad implementation of good requirements Design fault -- good implementation of bad requirements

We cannot obtain ldquogoodrdquo requirements if we do not understand how the whole system works (and fails)

M Butler E Sekerinski and K Sere An Action System Approach to the Steam Boiler Problem In J-R Abrial E Borger and HLangmaack eds Formal Methods for Industrial Applications Specifying and Programming the Steam Boiler Control LNCS 1165 1996

IHayes MJackson CJones Determining the specification of a control system from that of its environment In KAraki SGnesi D Mandrioli (eds) FME 2003 Formal Methods LNCS 2805 2003


Control Systems

Computer

Sensors

Actuators

PlantEnvironment(Plant) evolves

Sensors registerthe state of plant

Controller reads sensors andcalculates how to set actuators to achieve the desired behaviour

Controller sets actuators

Traditional development focus on controller (SW)


Control Systems

Computer

Sensors

Actuators





Systems approach model entire system and derive controlling SW by refinement and decomposition



Developing fault tolerant control systems by refinement Abstract specification of entire system abstract model of plant

routine control and failure Safety invariant

Specification with refined error detection mechanism elaborated description of plantrsquos dynamics representation of components failures error detection

Specification of the system supplemented with redundancy representation of redundant components refinement of error detection criticality of errors error recovery

Decomposition the specification of overall system is split into specifications of the controller and the plant

Implementation executable code of controller is produced


Benefits of systems approach

Well-structured correct-by-construction development

Assumptions about environment behaviour and fault assumptions are documented as a part of the model which allows us rigorously model fault tolerance

Abstraction helps to tackle complexity

Stepwise requirement capturing

LLaibinis and ETroubitsyna Refinement of fault tolerant control systems in BIn M Heisel P Liggesmeyer S Wittmann (Eds) Proc of SAFECOMPrsquo2004 LNCS 3219


Transient faults in control systems

Normal Recover Freez Input

Input_Ok Input_Suspected

Input_Confirmed

Input_Ok

Input_Suspected

Rigorous development of controller subsystem (called Failure Management System in avionics) implementing mechanism for tolerating transient sensor faults

Formal patterns for detecting sensor failures and recovering from them

DIlic E Troubitsyna L Laibinis and C Snook Formal Development of Mechanisms for Tolerating Transient Faults In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 4157 2006

Tolerating transient faults to not overreact neither to neglect


Fault tolerance in service-oriented development Lyra is service-oriented method for developing

distributed communicating systems

Design flow is based on the concepts of decomposition and preservation of externally observable behaviour

The system behaviour is modularised and organised into layers according to external communication interfaces

Distributed network architecture is derived from functional requirements via model transformations


11

Service

Service Specification

SubserviceSC SubserviceSC SubserviceSC

Service Decomposition

Service Distribution

Service Implementation

Lyra Design Method

Service specification system-level services and interfaces are defined


12

Service






Lyra Design Method

Service decompositionthe abstract model is decomposed into a set of service components and interfaces between them


13

Service






Lyra Design Method

Service distribution the logical architecture of services is distributed over a given network


14

Service






Lyra Design Method

Service implementation low-level implementation details are added and platform specific code is generated


Formalizing Lyra Service component is a coherent piece of functionality that

provides its services to a service consumer via PSAP

Formalized as ACC ndash Abstract Communicating Component consisting of

ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component

SYSTEM ACChellipEVENTS communicational

input output functional calculate

ENDNot only success but also

service failure


Service Decomposition Phase

hellip

SS1 SS2 SS3 SSN-1 SN

S

To provide service S system should execute subservices SS1SSN

In B model decomposition is represented as refinement of the initial abstract pattern ACC

New event Service_Director orchistrates execution flow


Service decomposition faults in execution flow

hellip


S

Error recovery by retrying execution of failed subservice



hellip


S

Error recovery by rollback



hellip


S

Service failure

Success

Unrecoverable errorAbort service execution


Convergence of error recovery

hellip


S

Error recovery by retrying infinite retry



hellip


S

Error recovery by rollback domino effect

We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left


Abort of service due to timeout

hellip


S

Execution_time gtMax_SRT


Service Distribution (B Model)

Service Distribution phase of Lyra corresponds to one or several B refinements

Refinement steps introduce separate B components modelling external service components

All new B components are specified according to the same (ACC) pattern


Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems

Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)

LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006


Fault tolerance in open systems challenges openness of the multi-agent systems

mobility and autonomy of agents

asynchrony and anonymity of the communication

complex types of faults temporal loss of connectivity mismatching interfaces


Interoperability of agents

Formal specification of middleware for mobile location-based systems

Location is abstraction of context

System approach start from specification of location and agents together and arrive at the specification of entire middleware

Decompose into part to be implemented by location and by agents

Individual agents can be developed independently but preserve ldquostandardrdquo part


Abstract specification

Implicit modelling of normal termination

and failure


Handling agent failure

Refining Disengage

1048708Agent can complete its activity and disengage

1048708Agent activity can be terminated by a (detectable) crash

1048708Agent can silently crash (eg disconnect or become slow)


Compatibility on functional levelbullScopes partition coordination space

bullEach scope supports certain set of roles ndash abstraction of agent functionality

bullFormal definition of scope properties

bullCompatibility on the level of agent functionality


System approach in MAS Ensuring interoperability of the independently developed agents and

supporting this by top-down stepwise development methods

Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics

Formal specifications in B provide input to model checking of dynamic properties

LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006

AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006


Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated

database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006

Replication improves availability of distributed database systems

when the transaction workload is predominantly read only

Keeping replicas identical during updates is difficult due to site failures and conflicting transactions

One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database


Approach

Verify through refinement that design of replicated database satisfies One Copy Serializability criterion

Abstract Model is based on Single Copy Database

Refinement is based on Replicated Database

Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database

The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism


Other topics in RODIN methodology Extension of Event B language by J-R Abrial

Library of case studies in J-R Abrial book

Extension of Event B to represent records by NEvans and MButler

Model checking of mobile fault tolerant systems by MKoutny et al

Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson

Formalization of UML in B by CSnook MButler MWalden

Design of various exception handling approaches by AIliasov and ARomanovsky


Motivation

Formal methods and fault tolerance complement each other in achieving system dependability

Formal methods help us to clean up architecture handle complexity facilitate verification

Fault tolerance provide us with techniques to cope with failures of physical components

RODIN integrates fault tolerance and formal methods in systems approach















Control Systems

Computer

Sensors

Actuators







Control Systems

Computer

Sensors

Actuators

























Input_Confirmed

Input_Ok

Input_Suspected












11

Service






Lyra Design Method



12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach




























Control Systems

Computer

Sensors

Actuators







Control Systems

Computer

Sensors

Actuators

























Input_Confirmed

Input_Ok

Input_Suspected












11

Service






Lyra Design Method



12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach















Control Systems

Computer

Sensors

Actuators

























Input_Confirmed

Input_Ok

Input_Suspected












11

Service






Lyra Design Method



12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
































Input_Confirmed

Input_Ok

Input_Suspected












11

Service






Lyra Design Method



12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach





















11

Service






Lyra Design Method



12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach















12

Service






Lyra Design Method



13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach















13

Service






Lyra Design Method



14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach















14

Service






Lyra Design Method










service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach






















service failure



hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S






hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S




hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S




hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S

Service failure

Success




hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S




hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S





hellip


S


























and failure



Refining Disengage
























Approach
















hellip


S


























and failure



Refining Disengage
























Approach






































and failure



Refining Disengage
























Approach
















Refining Disengage
























Approach


































Approach














industry day paris 10.09.07 rodin methodology for developing fault tolerant systems elena...

Documents

fault assumptions

verification fault tolerance

model entire system

action system approach

routine control

failure management system

steam boiler control

refinement of error