Risk Modeling: The Tropos Approach
PhD Lunch Meeting 07/07/2005
Yudistira Asnar

Definition
– Failure: the inability of a system or component to perform its required functions within specified performance
– Failure mode: the physical or functional manifestation of a failure
– Model of risk: likelihood, but also the effect of the failure
– Risk = Likelihood * Severity
  – Severity: [0,5]
  – Likelihood: [0,1]

Every choice has its own consequences

Risk Modeling

Goal Analysis

Objective of Risk Analysis
Traditionally:
– Find the most effective and efficient set of mitigation plans such that the risk becomes manageable → a strategy for choosing an option
– Increase the quality of the system (reliability, safety, availability, etc.)
Tropos approach: the evaluation of the best solution must
– Adopt the traditional criteria
– Use the REAL cost: the cost of achieving the main goals plus the cost of the associated mitigation plans; this means selecting subgoals while taking into account their risks and the associated mitigation plans
– Optimize not only one of them, but both at the same time

Basic Assumption
– A failure mode (risk) can be associated with an objective or asset
– Tropos: Goal, Task/Plan, Resource
– Properties of assets (necessary):
  – Rank
  – Threshold (confidence level): Denial Likelihood (DL) [0,1], Satisfaction Level (SL) [0,100]

Risk Analysis Scenario
– Given a threshold for each asset: find the most efficient set of solutions that is acceptable for the given threshold (satisfaction level and denial likelihood)
– Given a budget for accomplishment: find the set of solutions (assets and mitigations) with the highest satisfaction level and the least denial likelihood
– How much does it cost to achieve the highest satisfaction and confidence level?
– Etc.

Case Study

Computing Impact
– Top-level goals are annotated with their importance (Imp), defined by the user
– Each leaf goal has a rank (R), a value computed by a function that orders all leaf goals
– Failure modes are annotated with likelihood (L), a.k.a. probability, and severity (S)
– Links between failure modes and goals are annotated with impact (I) in [-20,20] (e.g. satisfaction reduction)

Computing Impact
– The risk of a goal G is computed as its Possibility of Loss (PL):
  PL_G = R_G * Σ_G (S * L * |I|), for I ≤ 0
– Mitigation plans are chosen in order to reduce PL_G until it reaches an acceptable value
– PL_G is acceptable if PL_G ≤ R_G * SL * DL
– If there is no mitigation plan for it, we can de-idealize (the confidence level of) the least important goal
  – How much can we de-idealize? [??]

Defining Importance Propagation
– Importance of a top-level goal (value: 1, 2, 3, etc.; bigger means more important)
– Set of goals with the cheapest cost of satisfying the top-level goal
– Rules: [??]
  – And-decomposition: AND(G1,G2) → G3
    Imp_G1 = Imp_G2 = Imp_G3
    Cost_G3 = Cost_G1 + Cost_G2
  – Or-decomposition: OR(G1,G2) → G3
    Imp_G3 = 1; Imp_G2 = [1,2) and Imp_G3 = [1,2) → needs to be made more precise
    Cost_G2 > Cost_G1 ↔ Imp_G2 < Imp_G1
    Cost_G3 = Min(Cost_G1, Cost_G2)
  – G3 is a subgoal of G1 and G2
    Imp_G3 = Max(Imp_G3-G1, Imp_G3-G2)

Defining Rank

Failure Mode
– Failure modes contribute to intermediate goals, not just leaf goals
– Failure modes can contribute not only to goals but also to other failure modes
– A failure mode is traditionally represented as an isolated event, but in reality there are interrelations among failure modes
– Failure mode properties: severity and likelihood

Failure Mode
– The contribution of FM1 to FM2 depends on the intrinsic risk of FM1 and the weight of the edge connecting FM1 to FM2
– Contribution among FMs can mean:
  – Modifying likelihood
  – Modifying severity
– The weight of the edge should represent both
– Traditional fault trees are incomplete; faults should be represented as graphs

Computing Risk
In the case study:
– The contribution of "Explosive User Added" means increasing only the likelihood of "Limited Key Space"
– R → original risk, R' → contributed risk, R'' → mitigated risk
  – R2'' = R2 * M1
  – R1'' = R1' * M2
  – R1' = R1 + R2''
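The two computations above (PL_G with its acceptability threshold, and the R → R' → R'' contribution/mitigation chain of the case study) as an added example; this is not code from the slides, and the goal name, severities, likelihoods, impacts and mitigation factors M1/M2 are constructed values.

```python
# Added example (not from the slides): Possibility of Loss PL_G and the
# contributed / mitigated risk chain R -> R' -> R'' for the case-study failure modes.
from dataclasses import dataclass, field

@dataclass
class FailureMode:
    name: str
    severity: float                  # S in [0,5]
    likelihood: float                # L in [0,1]
    mitigation: float = 1.0          # M: factor applied by the chosen mitigation plan (1.0 = none)
    contributors: list = field(default_factory=list)   # failure modes that feed this one

    def original_risk(self) -> float:
        return self.severity * self.likelihood          # R = S * L

    def mitigated_risk(self) -> float:
        # R' = R + sum of the contributors' mitigated risk R'';  R'' = R' * M
        contributed = self.original_risk() + sum(c.mitigated_risk() for c in self.contributors)
        return contributed * self.mitigation

@dataclass
class Goal:
    name: str
    rank: float                      # R_G
    sl: float                        # satisfaction-level threshold in [0,100]
    dl: float                        # denial-likelihood threshold in [0,1]
    impacts: list = field(default_factory=list)   # (failure mode, I) with I in [-20,20]

    def possibility_of_loss(self) -> float:
        # PL_G = R_G * sum(S * L * |I|) over links with I <= 0; S*L is taken after
        # contribution and mitigation, i.e. the mitigated risk R'' of each failure mode
        return self.rank * sum(fm.mitigated_risk() * abs(i) for fm, i in self.impacts if i <= 0)

    def acceptable(self) -> bool:
        return self.possibility_of_loss() <= self.rank * self.sl * self.dl   # R_G * SL * DL

def build_case(m1: float = 1.0, m2: float = 1.0) -> Goal:
    """Case-study shape: 'Explosive User Added' (FM2) contributes to 'Limited Key Space'
    (FM1), which impacts the goal; m1 / m2 are the factors M1 (on FM2) and M2 (on FM1)."""
    fm2 = FailureMode("Explosive User Added", severity=3, likelihood=0.4, mitigation=m1)
    fm1 = FailureMode("Limited Key Space", severity=4, likelihood=0.2, mitigation=m2,
                      contributors=[fm2])
    # goal name and thresholds are constructed; the +5 link is ignored by the I <= 0 filter
    return Goal("G (constructed)", rank=2, sl=50, dl=0.1, impacts=[(fm1, -10), (fm2, 5)])

if __name__ == "__main__":
    for m1, m2 in [(1.0, 1.0), (0.5, 0.25)]:        # unmitigated, then M1=0.5 and M2=0.25
        g = build_case(m1, m2)
        print(m1, m2, round(g.possibility_of_loss(), 3), g.acceptable())
```

With no mitigation PL_G = 40 against a threshold of 2 * 50 * 0.1 = 10; with M1 = 0.5 and M2 = 0.25 the chain gives R1'' = 0.35 and PL_G = 7, which is acceptable.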

Failure Mode Identification
– A goal has 2 dimensions: satisfy and maintain
– Failure mode of a goal (negative goal):
  – An undesired thing
  – Something that is not supposed to be maintained
– Undesired thing:
  – Set theory: A' = U – A
  – What is the universe? [??] The context domain
– Something that is not supposed to be maintained [??]

Mitigation Plan
– Mitigations are sets of actions that reduce the likelihood and severity of a failure mode
  – Likelihood ≤ threshold denial likelihood
  – Severity * Impact ≤ threshold satisfaction level
– One mitigation action can reduce one risk and at the same time increase another
– Choosing a plan means considering:
  – The severity level of the risk
  – That some mitigation plans have the same effect on one particular failure mode

Mitigation Plan
– Mitigations are annotated with cost (C) and category (transfer, prevention, detection, retention, alleviation, etc.)
– The link between a mitigation and a failure mode is annotated with its effect (E) (e.g. reduces/increases the risk)
– Mitigation plan analysis:
  – And-or decomposition
  – Positive-negative contribution
– A mitigation plan may contribute to a goal instead of a failure mode
– A mitigation plan can fail
– Introducing the concept of time constraints to satisfy a goal and to accomplish a mitigation

Mitigation Plan Identification
– Based on experience and a repository [??]

Re-Writing Tree
Solutions to satisfy G1 and G6:
– S1: G3, G4, G8
– S2: G3, G5, G8
– S3: G3, G4, G9, G10
– S4: G3, G5, G9, G10

Classic Approach Top-Down

Approach to Solve
– Classic: Top-Down → Bottom-Up → Adjustment
– Re-Writing Tree

– S1: G3, G4, G8 + M1, M2, M3
– S2: G3, G5, G8 + M2, M3
– S3: G3, G4, G9, G10 + M1, M2, M3, M4
– S4: G3, G5, G9, G10 + M2, M3, M4

Re-Writing Tree
– Find all possible goal solution sets that satisfy the top-level goal
– Find all mitigation plans reachable from each goal solution set
– Calculate (cost, confidence level) for every combination of a goal solution set with a subset of its mitigation plans
– Needs something to reduce the search space
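The re-writing tree procedure carried out by brute force over the four solutions S1..S4 and the mitigation plans M1..M4 reachable from each of them, as an added example that is not part of the slides. Goal costs, per-goal denial likelihoods, mitigation costs, the goals each mitigation treats and the factor M it applies are constructed; the reachability they yield matches the lists on the previous slide, and a solution's denial likelihood is taken as "some leaf goal is denied" (and-decomposition).

```python
# Added example (not from the slides): exhaustive "re-writing tree" search over
# solutions x subsets of reachable mitigations. All numeric values are constructed.
from itertools import combinations

# leaf goal -> (cost, denial likelihood)
GOALS = {"G3": (3, 0.30), "G4": (2, 0.40), "G5": (4, 0.20),
         "G8": (5, 0.30), "G9": (2, 0.25), "G10": (2, 0.20)}
# goal solution sets that satisfy the top-level goals, as listed on the slide
SOLUTIONS = {"S1": ("G3", "G4", "G8"), "S2": ("G3", "G5", "G8"),
             "S3": ("G3", "G4", "G9", "G10"), "S4": ("G3", "G5", "G9", "G10")}
# mitigation -> (cost, goals whose failure it treats, multiplier M on denial likelihood)
MITIGATIONS = {"M1": (2, {"G4"}, 0.25), "M2": (3, {"G3"}, 0.50),
               "M3": (1, {"G8", "G9"}, 0.50), "M4": (2, {"G10"}, 0.50)}

def reachable(goals):
    """Mitigation plans reachable from a solution: those treating one of its goals."""
    return [m for m, (_, targets, _) in MITIGATIONS.items() if targets & set(goals)]

def evaluate(goals, mitigations):
    """(total cost, denial likelihood) of a solution combined with a set of mitigations.
    The top-level goal is denied if any leaf goal is denied; each mitigation multiplies
    the denial likelihood of the goals it treats by its factor M (R'' = R * M)."""
    cost = sum(GOALS[g][0] for g in goals) + sum(MITIGATIONS[m][0] for m in mitigations)
    p_all_ok = 1.0
    for g in goals:
        dl = GOALS[g][1]
        for m in mitigations:
            if g in MITIGATIONS[m][1]:
                dl *= MITIGATIONS[m][2]
        p_all_ok *= 1.0 - dl
    return cost, 1.0 - p_all_ok

def enumerate_all():
    """Every (solution, mitigation subset, cost, denial likelihood): the full search space."""
    rows = []
    for name, goals in SOLUTIONS.items():
        avail = reachable(goals)
        for k in range(len(avail) + 1):
            for subset in combinations(avail, k):
                cost, dl = evaluate(goals, subset)
                rows.append((name, frozenset(subset), cost, dl))
    return rows

def cheapest_acceptable(dl_threshold):
    """Scenario 1 of the slides: cheapest combination meeting the denial-likelihood threshold."""
    ok = [r for r in enumerate_all() if r[3] <= dl_threshold]
    return min(ok, key=lambda r: r[2]) if ok else None

def best_within_budget(budget):
    """Scenario 2 of the slides: lowest denial likelihood affordable within the budget."""
    ok = [r for r in enumerate_all() if r[2] <= budget]
    return min(ok, key=lambda r: r[3]) if ok else None
```

Even this toy instance already has 8 + 4 + 16 + 8 = 36 combinations, which is the search-space growth the last bullet refers to.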

Severity – Mitigation Plan

Severity | Type of Mitigation Plan
0 | Ignorable
1 | Alleviation
2 | Alleviation, Transfer, Detection, Prevention
3 | Detection, Transfer, Prevention
4 | Transfer, Prevention
5 | Retention