Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons Building System Models for RE Chapter 9 Modeling.

Published byDelilah O’Neal’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons Building System Models for RE Chapter 9 Modeling."— Presentation transcript:

1 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons Building System Models for RE Chapter 9 Modeling What Could Go Wrong: Risk Analysis on Goal Models

2 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 2 Building models for RE Chap.8: Goals Chap.9: Risks Chap.10: Conceptual objects Chap.11: Agents on what? why ? how ? who ?

3 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 3 Risk analysis as seen in Chapter 3  Risk  Risk = uncertain factor whose occurrence may result in loss of corresponding objective satisfaction of corresponding objective –has likelihood & consequences (each having likelihood, severity)  Poor risk management is a major cause of software failure  Early risk analysis at RE time: checklists, component inspection, risk trees qualitative, quantitative explore countermeasures (tactics), new reqs select best as new reqs

4 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 4 Risk analysis can be anchored on goal models

5 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 5 Risk analysis on goal models: outline  Goal obstruction by obstacles –What are obstacles? –Completeness of a set of obstacles –Obstacle categories  Modeling obstacles –Obstacle diagrams –Obstacle refinement –Bottom-up propagation of obstructions in goal AND-refinements –Annotating obstacle diagrams  Obstacle analysis for a more robust goal model –Identifying obstacles –Evaluating obstacles –Resolving obstacles in a modified goal model

6 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 6 What are obstacles ?  Motivation: goals in refinement graph are often too ideal, likely to be violated under abnormal conditions (unintentional or intentional agent behaviors)  Obstacle  Obstacle = condition on system for violation of corresponding assertion (generally a goal) O{O, Dom } |= not G obstruction O{O, Dom } |  falsedomain consistency O can be satisfied by some system behavior feasibility If e.g. G: TrainStoppedAtBlockSignal If StopSignal Ifthen Dom: If TrainStopsAtStopSignal then DriverResponsive Un O: DriverUnresponsive  For behavioral goal: existential property capturing negative unadmissible behavior (negative scenario)

7 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 7 Completeness of a set of obstacles  Ideally, a set of obstacles to G should be complete { not O 1,..., not O n, Dom } |= G domain completeness e.g. Ifnotandnotand If not DriverUnresponsive and not BrakeSystemDown and StopSignal then then TrainStoppedAtBlockSignal ???  Completeness is highly desirable for mission-critical goals... ... but bounded by what we know about the domain !  Obstacle analysis may help elicit relevant domain properties

8 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 8 Obstacle categories for heuristic identification Correspond to goal categories & their refinement...  HazardSafety  Hazard obstacles obstruct Safety goals  ThreatSecurity  Threat obstacles obstruct Security goals –Disclosure, Corruption, DenialOfService,...  InaccuracyAccuracy  Inaccuracy obstacles obstruct Accuracy goals  MisinformationInformation  Misinformation obstacles obstruct Information goals –NonInformation, WrongInformation, TooLateInformation,...  DissatisfactionSatisfaction  Dissatisfaction obstacles obstruct Satisfaction goals –NonSatisfaction, PartialSatisfaction, TooLateSatisfaction,...  UnusabilityUsability  Unusability obstacles obstruct Usability goals ...

9 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 9 Risk analysis on goal models: outline  Goal obstruction by obstacles –What are obstacles? –Completeness of a set of obstacles –Obstacle categories  Modeling obstacles –Obstacle diagrams –Obstacle refinement –Bottom-up propagation of obstructions in goal AND-refinements –Annotating obstacle diagrams  Obstacle analysis for a more robust goal model –Identifying obstacles –Evaluating obstacles –Resolving obstacles in a modified goal model

10 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 10 Obstacle diagrams as AND/OR refinement trees  Anchored on leafgoals in goal model (unlike risk trees) –root –root = not G ANDOR –obstacle AND -refinement, OR -refinement: same semantics as goals –leaf –leaf obstacles: feasibility, likelihood, resolution easier to determine

11 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 11 Obstacle diagrams as AND/OR refinement trees (2)

12 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 12 Obstacle refinement  AND  AND-refinement of obstacle O should be... –complete: {subO 1,..., subO n, Dom } |= O –consistent: {subO 1,..., subO n, Dom } |  false –minimal: {subO 1,..., subO j-1, subO j+1,..., subO n, Dom } |= O  OR  OR-refinement of obstacle O should be... –entailments: {subO i, Dom } |= O –domain-consistent: {subO i, Dom } |  false –domain-complete: { not subO 1,..., not subO n, Dom } |= not O –disjoint: {subO i, subO j, Dom } |= false  Ifand  If subO i OR-refines O and O obstructs G then then subO i obstructs G

13 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 13 Obstructions propagate bottom-up in goal AND -refinement trees  Cf. De Morgan’s law: not (G1 and G2) equivalent to not G1 or not G2 consequences => Severity of consequences of an obstacle can be assessed in terms of higher-level goals obstructed

14 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 14 Annotating obstacle diagrams Obstacle DriverUnresponsive Def Situation of a train driver failing to react to a command and take appropriate action according to that command not [ FormalSpec  in temporal logic for analysis, not in this chapter  ] [ Category Hazard ] [ Likelihood likely ] [ Criticality catastrophic ] DriverUnresponsive precise definition features annotation

15 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 15 Risk analysis on goal models: outline  Goal obstruction by obstacles –What are obstacles? –Completeness of a set of obstacles –Obstacle categories  Modeling obstacles –Obstacle diagrams –Obstacle refinement –Bottom-up propagation of obstructions in goal AND-refinements –Annotating obstacle diagrams  Obstacle analysis for a more robust goal model –Identifying obstacles –Evaluating obstacles –Resolving obstacles in a modified goal model

16 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 16 Obstacle analysis for increased system robustness  Anticipate obstacles...   more realistic goals, new goals as countermeasures to abnormal conditions  more complete, realistic goal model  Obstacle analysis: For selected goals in the goal model... –identify as many obstacles to it as possible; –assess their likelihood & severity; –resolve them according to likelihood & severity => new goals as countermeasures in the goal model

17 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 17 Obstacle analysis and goal model elaboration are intertwined  Goal-obstacle analysis loop terminates when remaining obstacles can be tolerated –unlikely or acceptable consequences  Which goals to consider in the goal model? –leafgoals –leafgoals (requirements or expectations): easier to refine what is wanted than what is not wanted (+ up-propagation in goal model) –based on annotated Priority & Category (Hazard, Security,...)

18 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 18 Identifying obstacles For obstacle to selected assertion G (goal, hypothesis, suspect dom prop)...  negate G; {=> root obstacle}  find AND/OR refinements of not G in view of valid domain properties... {according to desired extensiveness} ... until reaching obstruction preconditions whose feasibility, likelihood, severity, resolvability is easy to assess goal-anchoredrisk-tree = goal-anchored construction of risk-tree

19 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 19 Identifying obstacles: tautology-based refinement Goal negation as root => use tautologies to drive refinements e.g.  notandnotornot  not (A and B) amounts to not A or not B  notornotandnot  not (A or B) amounts to not A and not B  notifthenandnot  not (if A then B) amounts to A and not B  notiffandnotornotand  not (A iff B) amounts to (A and not B) or (not A and B) or => complete OR-refinements when or-connective gets in

20 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 20 Identifying obstacles by tautology-based refinement MotorReversed Iff MovingOnRunway MotorReversed Iff WheelsTurning MovingOnRunway Iff WheelsTurning

21 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 21 Identifying obstacles by tautology-based refinement NOT MovingOnRunway Iff WheelsTurning NOT MotorReversed Iff WheelsTurning obstruction MotorReversed Iff MovingOnRunway MotorReversed Iff WheelsTurning MovingOnRunway Iff WheelsTurning

22 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 22 Identifying obstacles by tautology-based refinement NOT MovingOnRunway Iff WheelsTurning NOT MotorReversed Iff WheelsTurning MotorReversed AndNot WheelsTurning obstruction OR -refinement (complete) WheelsTurning AndNot MotorReversed MovingOnRunway AndNot WheelsTurning AndNot MovingOnRunway MotorReversed Iff MovingOnRunway MotorReversed Iff WheelsTurning MovingOnRunway Iff WheelsTurning

23 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 23 Identifying obstacles by tautology-based refinement NOT MovingOnRunway IffWheelsTurning NOT MotorReversed IffWheelsTurning MotorReversed AndNot WheelsTurning Aquaplaning... obstruction OR -refinement (complete) WheelsTurning AndNot MotorReversed MovingOnRunway AndNot WheelsTurning AndNot MovingOnRunway WheelsNotOut WheelsBroken... MotorReversed Iff MovingOnRunway MotorReversed Iff WheelsTurning MovingOnRunway Iff WheelsTurning

24 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 24 Obstacle identification: another example BrakeReleased  DriverWantsToStart BrakeReleased  MotorRaising MotorRaising  AccelerPedalPressed  DriverWantsToStart

25 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 25 MotorRaising And Not AccelerPedalPressed... Obstacle identification: another example BrakeReleased  DriverWantsToStart BrakeReleased  MotorRaising MotorRaising  AccelerPedalPressed  DriverWantsToStart AccelerPedalPressed And Not DriverWantsToStart

26 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 26 MotorRaising And Not AccelerPedalPressed AirConditioningRaising... cf. driver killed by his luxurious car on a hot summerday Obstacle identification: another example BrakeReleased  DriverWantsToStart BrakeReleased  MotorRaising MotorRaising  AccelerPedalPressed  DriverWantsToStart AccelerPedalPressed And Not DriverWantsToStart...

27 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 27 necessary Identifying obstacles from necessary conditions for obstructed target alwaysIf always TrainStoppedIfStopSignal sooner-or-later not If sooner-or-later not TrainStoppedIfStopSignal If If If TrainStoppedIfStopSignal then then DriverResponsive sooner-or-laternot sooner-or-later not DriverResponsive

28 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 28 necessary Identifying obstacles from necessary conditions for obstructed target (2) Can also be used for eliciting relevant domain properties necessary –“what are necessary conditions for TargetCondition ?”

29 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 29 Obstacle models as goal-anchored fault trees WorstCaseStoppingDistanceMaintained AccelerationSent InTimeToTrain SafeAcceleration Computed SentCommand ReceivedByTrain ReceivedCommand ExecutedByTrain

30 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 30 Obstacle models as goal-anchored fault trees Acceleration NotSafe AccelerationCommand Not SentInTimeToTrain NotSent WorstCaseStoppingDistanceMaintained AccelerationSent InTimeToTrain SafeAcceleration Computed SentCommand ReceivedByTrain ReceivedCommand ExecutedByTrain AccelerationCommand Not ReceivedInTimeByTrain... SentLate SentToWrongTrain... ReceivedLate CorruptedNotReceived

31 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 31 Evaluating obstacles  Check domain-consistency & feasibility conditions –satisfying scenario ?  Assess Likelihood and Criticality –cf. Chap. 3 –with domain experts –rough estimates can be obtained from propagation rules: min i AND Likelihood (O) = min i (Likelihood (sO i ) if O is AND-refined to sO i max i OR Likelihood (O) = max i (Likelihood (sO i ) if O is OR-refined to sO i –severity of consequences can be estimated from number & Priority of higher-level goals obstructed by up-propagation in goal trees

32 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 32 Resolving obstacles  Resolution through countermeasures –new or modified goals in goal model –often to be refined  For every identified obstacle... –explore alternative resolutions –select “best” resolution based on... likelihood/severity of obstacle non-functional/quality goals in goal model

33 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 33 Exploring alternative countermeasures model transformation operators By use of model transformation operators –encode resolution tactics  Goal substitution  Goal substitution: consider alternative refinement of parent goal to avoid obstruction of child goal G alternative less exposed to risk e.g. MotorReversed Iff WheelsTurning    MotorReversed Iff PlaneWeightSensed

34 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 34 Exploring alternative countermeasures (2)  Agent substitution  Agent substitution: consider alternative responsibilities for obstructed goal so as to make obstacle unfeasible more reliable agent e.g. Maintain [SafeAccelerationComputed] obstructed by ComputedAccelerationNotSafe OnBoardTrainController    VitalStationComputer

35 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 35 Exploring alternative countermeasures (3)  Goal weakening  Goal weakening: weaken the obstructed goal ’s formulation so that it no longer gets obstructed if-thenif –for if-then goal specs: add conjunct in if-part then or disjunct in then-part e.g. Maintain [TrafficControllerOnDutyOnSector] obstructed by NoSectorControllerOnDuty  goal weakening: WarningToNextSector TrafficControllerOnDutyOnSector or WarningToNextSector

36 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 36 Exploring alternative countermeasures (4)  Obstacle preventionAvoid [obstacle]  Obstacle prevention: introduce new goal Avoid [obstacle] e.g. AccelerationCommandCorrupted Avoid   Avoid [AccelerationCommandCorrupted] –to be further refined = standard resolution tactics for security threats  Goal restoration  Goal restoration: enforce target condition as obstacle occurs ifsooner-or-later => new goal: if O then sooner-or-later TargetCondition Not e.g. ResourceNotReturnedInTime   ReminderSent Not WheelsNotOut   WheelsAlarmGenerated

37 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 37 Exploring alternative countermeasures (5)  Obstacle reduction  Obstacle reduction: reduce obstacle likelihood by ad-hoc countermeasure

38 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 38 Exploring alternative countermeasures (6)  Obstacle mitigation  Obstacle mitigation: introduce new goal to mitigate consequences of obstacle –Weak mitigation –Weak mitigation: new goal ensures weaker version of goal when obstructed IfAnd e.g. Achieve [AttendanceIfInformedAndMeetingConvenient]   Achieve [ImpedimentNotified] –Strong mitigation: –Strong mitigation: new goal ensures parent of goal when obstructed e.g. OutdatedSpeed/PositionEstimates   Avoid [TrainCollisionWhenOutDatedTrainInfo] Resolution goals must then be further refined in the goal model

39 www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons 39 Selecting best resolution  Evaluation criteria for comparing alternative resolutions... –number of obstacles resolved by the alternative –their likelihood & criticality –the resolution’s contribution to soft goals –its cost  May be based on estimates of... –risk-reduction leverage (cf. Chap.3) –qualitative/quantitative contribution to soft goals (cf. Chap.16)  If obstacle not eliminated, multiple alternatives may be taken e.g. FineCharged + ReminderSent (for book copies not returned in time)  Selected alternative => new/weakened goal in goal model –resolution link to obstacle for traceability –weakening may need to be propagated in goal model –to be refined & checked for conflicts & new obstacles

Download ppt "Www.wileyeurope.com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons Building System Models for RE Chapter 9 Modeling."

Similar presentations

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Chapter 7 Goal Orientation in RE

Chapter 7 Goal Orientation in RE
 Is extremely important  Need to use specific methods to identify and define target behavior  Also need to identify relevant factors that may inform.

 Is extremely important  Need to use specific methods to identify and define target behavior  Also need to identify relevant factors that may inform.
Risk Modeling The Tropos Approach PhD Lunch Meeting 07/07/2005 Yudistira Asnar –

Risk Modeling The Tropos Approach PhD Lunch Meeting 07/07/2005 Yudistira Asnar –
First Order Logic Resolution

First Order Logic Resolution
UC San Diego CSE 294 May 7, 2010 Barry Demchak

UC San Diego CSE 294 May 7, 2010 Barry Demchak
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)

Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
Www.wileyeurope.com/college/van lamsweerde Chap.12: Modeling System Operations © 2009 John Wiley and Sons Building System Models for RE Chapter 12 Modeling.

lamsweerde Chap.12: Modeling System Operations © 2009 John Wiley and Sons Building System Models for RE Chapter 12 Modeling.
Building System Models for RE

Building System Models for RE
Www.wileyeurope.com/college/van lamsweerde Part 1: Introduction © 2009 John Wiley and Sons 1 Requirements Engineering From System Goals to UML Models to.

lamsweerde Part 1: Introduction © 2009 John Wiley and Sons 1 Requirements Engineering From System Goals to UML Models to.
Www.wileyeurope.com/college/van lamsweerde Part 2: Building System Models for RE © 2009 John Wiley and Sons 1 Part 2: Building System Models for RE Introduction.

lamsweerde Part 2: Building System Models for RE © 2009 John Wiley and Sons 1 Part 2: Building System Models for RE Introduction.
Chapter 3 Requirements Evaluation

Chapter 3 Requirements Evaluation
Goal-Oriented Requirements Engineering (GORE) “Goal-oriented requirements engineering is concerned with the use of goals for eliciting, elaborating, structuring,

Goal-Oriented Requirements Engineering (GORE) “Goal-oriented requirements engineering is concerned with the use of goals for eliciting, elaborating, structuring,
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Software Quality Engineering Roadmap

Software Quality Engineering Roadmap
Amirkabir University of Technology, Computer Engineering Faculty, Intelligent Systems Laboratory,Requirements Engineering Course, Dr. Abdollahzadeh 1 Requirements.

Amirkabir University of Technology, Computer Engineering Faculty, Intelligent Systems Laboratory,Requirements Engineering Course, Dr. Abdollahzadeh 1 Requirements.
Reza Gorgan Mohammadi AmirKabir University of Technology, Department of Computer Engineering & Information Technology, Intelligent.

Reza Gorgan Mohammadi AmirKabir University of Technology, Department of Computer Engineering & Information Technology, Intelligent.
Analysing Fault-Tolerant System using KAOS/FAUST C. Ponsard, P. Massonet, J.F. Molderez (CETIC) A. van Lamsweerde (UCL/INGI) Short presentation & Demo.

Analysing Fault-Tolerant System using KAOS/FAUST C. Ponsard, P. Massonet, J.F. Molderez (CETIC) A. van Lamsweerde (UCL/INGI) Short presentation & Demo.
Www.wileyeurope.com/college/van lamsweerde Chap.8: Modeling System Objectives © 2009 John Wiley and Sons Building System Models for RE Chapter 8 Modeling.

lamsweerde Chap.8: Modeling System Objectives © 2009 John Wiley and Sons Building System Models for RE Chapter 8 Modeling.
Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.

Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.

Similar presentations

Ads by Google