26/10/11 1

On Methods for the On Methods for the Formal Specification Formal Specification of Fault Tolerant Systemsof Fault Tolerant Systems

Manuel Mazzara - Newcastle UniversityManuel Mazzara - Newcastle University

DEPEND 2011 – DEPEND 2011 – The Fourth International The Fourth International Conference on DependabilityConference on Dependability

24/8/2011 Nice, France24/8/2011 Nice, France

Manuel.Mazzara@newcastle.ac.ukManuel.Mazzara@newcastle.ac.uk

26/10/11 2

26/10/11 3

Overall ViewOverall View

Study on Methods

(Formal)Methods

Definitions

HJJ paper (PF + RG + DC)

Examples Motivations Tools and Ideas

PF RobustnessRely

Problem Diagrams

Context Diagrams

Patterns

PQ Fault as interference

Ideal FT operations

Research ChallengesCase

Studies

RG

26/10/11 4

Our tripOur trip

26/10/11 5

A schema for methods evaluationA schema for methods evaluationDefining precise steps for the methodDefining precise steps for the method

26/10/11 6

Formal Methods and SW life cycleFormal Methods and SW life cycle

”Formal methods are methods that use mathematics and logic to introduce rigor into the software life cycle. By rigor

we mean logically accurate, precise and unambiguous”.

26/10/11 7

Applications?Applications?

26/10/11 8

Keeping an eye on the real world…Keeping an eye on the real world…

“Man has such a predilection for systems and abstract deductions that he is ready

to distort the truth intentionally, he is ready to deny the evidence of his

senses only to justify his logic”

(Fyodor Dostoyevsky)

26/10/11 9

Are Formal Methods actual methods?Are Formal Methods actual methods?

The majority of formal methods are not methods at all because they lack one or more of the components defined in [*]

”Most typically formal methods have a strong language and underlying computational model but lack defined steps and guidance for applying the method”

[*] Klaus Kronlőf, editor Method integration: concepts and case studies John

Wiley & Sons, Inc., New York, NY, USA, 1993

26/10/11 10

Definition of methodDefinition of method

“Dubium Sapientiae initium“Doubt is the origin of wisdom (René Descartes)

””A method is a way, technique, or process A method is a way, technique, or process of or for doing something”of or for doing something”

It is worth noting that the definition of It is worth noting that the definition of method depends on the one of process:method depends on the one of process:

””a series of actions or operations a series of actions or operations conducing to an end”conducing to an end”

Websters dictionary

26/10/11 11

The method of science*The method of science*

1. Accept only that which you are sure of

2. Divide each difficulty into small parts

3. Solveproblems in an ascending order

4. Assure nothing was omitted

* Rene Descartes: Discourse on Method and Meditations

26/10/11 12

We worked on case studies…We worked on case studies…

26/10/11 13

Descartes + Case StudiesDescartes + Case Studies

1. Structured phases, steps, work-flow

2. Formally defined unambiguous

3. Usable by non experts

1. Scalability non ”ad hoc”

2. Abstractions what and not how

3. Extensibility to FT LFTS

Product

Process

26/10/11 14

The Evaluation SchemaThe Evaluation Schema

1. An underlying computational model the structures that are represented, manipulated and analyzed

2. A language the concrete means of describing the product of the method

3. Defined steps and ordering the activities performed by the user

4. Guidance for applying the method informal text description, example case studies manuals, handbooks, guides

Product

Process

26/10/11 15

In Paris now…In Paris now…

Problems in the real world are described in terms of what we perceive and do, not in terms our brain functioning!

Brain/mind system cannot acquire information about the world (it can only do that through eyes, ears…)

It can modify the world only through arms, voice….

Similar philosophy for computer systems consisting of sensors and actuators

26/10/11 16

Digital Digital SystemSystem

Interface to the physical world

Define system boundaries

Derive spec of thedigital system3

1

Expose assumptions about the world 2

The Method’s StepsThe Method’s Steps

• Defining the boundaries of system

• Identify and record assumptions

• Derive the specification

• (Make-it robust)

26/10/11 17

From the Ideal World to the Real From the Ideal World to the Real Thinking how to cope with Fault ToleranceThinking how to cope with Fault Tolerance

26/10/11 18

The Plato’s MatrixThe Plato’s Matrix

26/10/11 19

Escape the cave (safely)!Escape the cave (safely)!

A model of the system Faults has to be viewed as interference Determined abnormal situations considered Error Injector contracted by R/G (or similar)

The basic idea of layering vs. monolithic

26/10/11 20

“There are no facts, only interpretations”

(Friedrich Nietzsche)

26/10/11 21

The ModelThe Model

Global state

P1

“Error” Injector

RH1 P2 RH2

Recovery mode

Normal mode

Error Injector: a model of the erroneous behavior of the environment EI always plays its role respecting the provided R/G

26/10/11 22

Monolithic vs. LayeredMonolithic vs. Layered

Monolithic specifications would not be intelligible including high and low frequency situations all together

The specification can be organized in (at least) two layers (ideal/real) Layered Fault Tolerant Specification (LFTS) Specification organized considering normal/abnormal

cases explicitly

26/10/11 23

Main Achievements of this researchMain Achievements of this research

1. An understanding of what a method is 2. An evaluation schema3. A formalization of the three step method4. The addition of the fourth “make-it robust” step5. (Experimentation on a practical case studies)

26/10/11 24

Questions?

"Did science promise happiness? I do not believe it. It promised truth, and the question is to know if we will ever

make happiness with truth." (Emile Zola)