26/10/11 1
On Methods for the Formal Specification of Fault Tolerant Systems
Manuel Mazzara - Newcastle University
DEPEND 2011 – The Fourth International Conference on Dependability
24/8/2011 Nice, France
[email protected]
Overall View
Overview diagram (node labels only survive extraction): Study on Methods; (Formal) Methods; Definitions; HJJ paper (PF + RG + DC); Examples, Motivations, Tools and Ideas; PF; Robustness; Rely; Problem Diagrams; Context Diagrams; Patterns; PQ; Fault as interference; Ideal FT operations; Research Challenges; Case Studies; RG
Our trip
A schema for methods evaluation
Defining precise steps for the method
Formal Methods and SW life cycle
"Formal methods are methods that use mathematics and logic to introduce rigor into the software life cycle. By rigor
we mean logically accurate, precise and unambiguous".
Applications?
Keeping an eye on the real world…
“Man has such a predilection for systems and abstract deductions that he is ready
to distort the truth intentionally, he is ready to deny the evidence of his
senses only to justify his logic”
(Fyodor Dostoyevsky)
Are Formal Methods actual methods?
The majority of formal methods are not methods at all, because they lack one or more of the components defined in [*].
"Most typically formal methods have a strong language and underlying computational model but lack defined steps and guidance for applying the method"
[*] Klaus Kronlöf, editor. Method Integration: Concepts and Case Studies. John
Wiley & Sons, Inc., New York, NY, USA, 1993
Definition of method
"Dubium sapientiae initium" - Doubt is the origin of wisdom (René Descartes)
"A method is a way, technique, or process of or for doing something"
It is worth noting that the definition of method depends on the one of process:
"a series of actions or operations conducing to an end"
Webster's dictionary
The method of science*
1. Accept only that which you are sure of
2. Divide each difficulty into small parts
3. Solve problems in an ascending order
4. Assure nothing was omitted
* René Descartes: Discourse on Method and Meditations
We worked on case studies…
Descartes + Case Studies
Process:
1. Structured phases, steps, work-flow
2. Formally defined, unambiguous
3. Usable by non-experts
Product:
1. Scalability, non "ad hoc"
2. Abstractions: what and not how
3. Extensibility to FT: LFTS
The Evaluation Schema
Product:
1. An underlying computational model: the structures that are represented, manipulated and analyzed
2. A language: the concrete means of describing the product of the method
Process:
3. Defined steps and ordering: the activities performed by the user
4. Guidance for applying the method: informal text description, example case studies, manuals, handbooks, guides
In Paris now…
Problems in the real world are described in terms of what we perceive and do, not in terms of how our brain functions!
The brain/mind system cannot acquire information about the world directly (it can only do that through eyes, ears…)
It can modify the world only through arms, voice…
The same philosophy applies to computer systems consisting of sensors and actuators
Diagram: the digital system and its interface to the physical world. (1) Define system boundaries; (2) expose assumptions about the world; (3) derive the spec of the digital system.
The Method's Steps
• Define the boundaries of the system
• Identify and record assumptions
• Derive the specification
• (Make it robust)
From the Ideal World to the Real
Thinking how to cope with Fault Tolerance
The Plato's Matrix
Escape the cave (safely)!
A model of the system: faults have to be viewed as interference; determined abnormal situations are considered; the Error Injector is contracted by R/G (or similar)
The basic idea: layering vs. monolithic
“There are no facts, only interpretations”
(Friedrich Nietzsche)
The Model
Diagram: a global state shared by the "Error" Injector and the processes; P1 with recovery handler RH1 and P2 with recovery handler RH2, each switching between normal mode and recovery mode.
Error Injector: a model of the erroneous behavior of the environment. The EI always plays its role respecting the provided R/G.
Monolithic vs. Layered
Monolithic specifications would not be intelligible, since they include high- and low-frequency situations all together
The specification can be organized in (at least) two layers (ideal/real): a Layered Fault Tolerant Specification (LFTS), i.e. a specification organized so that normal/abnormal
cases are considered explicitly
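An added executable sketch of the ideas on this slide and the previous one (the error injector contracted by rely/guarantee, normal versus recovery mode, and an ideal versus real specification layer). This is an illustration written for this page, not the author's model or code: the single shared `sensor` variable, the numeric range, the scripted fault values and all names are assumptions.

```python
# Added illustration (not from the slides): a toy executable sketch of the
# "fault as interference" model. The single variable `sensor`, the numeric
# bounds and all names are assumptions made for this example.
from dataclasses import dataclass, replace

LO, HI = 0, 100          # constructed: the ideal-world assumption on sensor values


@dataclass
class State:
    sensor: int = 50     # written only by the environment (real world / injector)
    output: int = 50     # written only by the digital system
    mode: str = "normal"  # "normal" (P1) or "recovery" (RH1)


class ContractViolation(Exception):
    pass


# --- Rely / Guarantee: the contract between environment and system ----------
def rely(before: State, after: State) -> bool:
    """Assumption about every environment step: it may write `sensor`, even to
    an out-of-range value (that is the modelled fault), but it never touches the
    system's own variables."""
    return after.output == before.output and after.mode == before.mode


def guarantee(before: State, after: State) -> bool:
    """Promise kept by every system step: it never writes `sensor`, and
    `output` always stays inside the valid range."""
    return after.sensor == before.sensor and LO <= after.output <= HI


# --- Error injector: the erroneous environment, contracted by the rely -------
class ErrorInjector:
    """Plays the environment from a scripted list of sensor values, so the
    abnormal situations are determined in advance rather than random."""

    def __init__(self, script):
        self.script = list(script)

    def step(self, s: State) -> State:
        before = replace(s)            # snapshot for the contract check
        s.sensor = self.script.pop(0)
        if not rely(before, s):
            raise ContractViolation("injector broke the rely condition")
        return s


# --- The digital system: normal mode (P1) and recovery handler (RH1) ---------
def system_step(s: State) -> State:
    before = replace(s)
    if LO <= s.sensor <= HI:
        s.mode = "normal"
        s.output = s.sensor            # ideal-layer behaviour: echo the sensor
    else:
        s.mode = "recovery"            # abnormal case: hold the last good output
    if not guarantee(before, s):
        raise ContractViolation("system broke its guarantee")
    return s


# --- Layered specification ---------------------------------------------------
def ideal_spec(s: State) -> bool:
    """Ideal layer: output mirrors the sensor. Expected only in normal mode."""
    return s.output == s.sensor


def real_spec(s: State) -> bool:
    """Real layer: whatever the environment does, output is always valid."""
    return LO <= s.output <= HI


def run(script):
    """Alternate environment and system steps; return the observed outputs,
    the mode trace, and whether each layer's spec held where it should."""
    s, env = State(), ErrorInjector(script)
    outputs, modes, ideal_ok, real_ok = [], [], True, True
    for _ in range(len(script)):
        env.step(s)
        system_step(s)
        outputs.append(s.output)
        modes.append(s.mode)
        real_ok = real_ok and real_spec(s)
        if s.mode == "normal":
            ideal_ok = ideal_ok and ideal_spec(s)
    return {"outputs": outputs, "modes": modes,
            "ideal_spec_in_normal_mode": ideal_ok, "real_spec_always": real_ok}


if __name__ == "__main__":
    # Constructed script: two determined abnormal readings among normal ones.
    print(run([50, 60, 999, 70, -5, 80]))
```

The two layers show up as two checks: `ideal_spec` is only expected to hold in normal mode, while `real_spec` is the property the recovery handler preserves under any interference the rely admits. An injector that wrote `output` directly would fail the `rely` check, which is what "contracted by R/G" buys: the abnormal situations the model considers are exactly those the contract permits.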
Main Achievements of this research
1. An understanding of what a method is
2. An evaluation schema
3. A formalization of the three-step method
4. The addition of the fourth "make it robust" step
5. (Experimentation on practical case studies)
Questions?
"Did science promise happiness? I do not believe it. It promised truth, and the question is to know if we will ever
make happiness with truth." (Emile Zola)