Table Of ContentAnton Tarasyuk
Formal Development and
Quantitative Verification of
Dependable Systems
Turku Centre for Computer Science
TUCS Dissertations
No 156, January 2013
Formal Development and
Quantitative Verification of
Dependable Systems
Anton Tarasyuk
To be presented, with the permission of the Department of Information
Technologies of the ˚Abo Akademi University, for public criticism in
Auditorium Gamma on January 28, 2013, at 12 noon.
Turku Centre for Computer Science
˚Abo Akademi University
Department of Information Technologies
Joukahaisenkatu 3-5, 20520 Turku
Finland
2013
Supervisors
Docent Elena Troubitsyna
Department of Information Technologies
˚Abo Akademi University
Joukahaisenkatu 3-5 A, 20520 Turku
Finland
Docent Linas Laibinis
Department of Information Technologies
˚Abo Akademi University
Joukahaisenkatu 3-5 A, 20520 Turku
Finland
Reviewers
Professor Dominique M´ery
LORIA & Universit´e de Lorraine
F-54506 Vandoeuvre l`es Nancy
France
Professor Aad van Moorsel
School of Computing Science
Newcastle University
Newcastle upon Tyne, NE1 7RU
United Kingdom
Opponent
Professor Aad van Moorsel
School of Computing Science
Newcastle University
Newcastle upon Tyne, NE1 7RU
United Kingdom
ISBN 978-952-12-2832-2
ISSN 1239-1883
To my mother
Ìîåé ìàìå ïîñâÿùàåòñÿ
i
It is good to have an end to journey towards; but it is the
journey that matters, in the end.
Ursula K. Le Guin, “The Left Hand of Darkness”
ii
Abstract
Modern software-intensive systems are becoming increasingly complex. Yet
weareobservingthepervasiveuseofsoftwareinsuchcriticalinfrastructures
as transportation systems, healthcare, telecommunication, energy produc-
tion, etc. Consequently, we tend to place increasing reliance on computer-
basedsystemsandthesoftwarethattheyarerunning. Thedegreeofreliance
that we can justifiably place on a system is expressed by the notion of de-
pendability.
Designing highly-dependable systems is a notoriously difficult task. It
requires rigorous mathematical methods to prevent design errors and guar-
antee the correct and predictable system behaviour. However, fault pre-
vention via rigorous engineering still cannot ensure avoidance of all faults.
Hence we need powerful mechanisms for tolerating faults, i.e., the solutions
that allow the system to confine the damage caused by fault occurrence
and guarantee high reliability and safety. Traditionally, such dependabil-
ity attributes are assessed probabilistically. However, the current software
development methods suffer from discontinuity between modelling the func-
tional system behaviour and probabilistic dependability evaluation. To ad-
dress these issues, in the thesis we aim at establishing foundations for a
rigorous dependability-explicit development process. In particular, we pro-
pose a semantic extension of Event-B – an automated state-based formal
development framework – with a possibility of quantitative (probabilistic)
reasoning. Event-Banditsassociateddevelopmenttechnique–refinement–
providethedesignerswithapowerfulframeworkforcorrect-by-construction
systems development. Via abstract modelling, proofs and decomposition
it allows the designers to derive robust system architectures, ensure pre-
dictable system behaviour and guarantee preservation of important system
properties.
We argue that the rigorous refinement-based approach to system devel-
opment augmented with probabilistic analysis of dependability significantly
facilitates development of complex software systems. Indeed, the proposed
probabilistic extension of Event-B allows the designers to quantitatively as-
sesstheeffectofdifferentfaulttolerancemechanismsandarchitecturalsolu-
tionsonsystemdependability. Moreover, itenablesthestochasticreasoning
iii
about the impact of component failures and repairs on system reliability
and safety from the early design stages. The proposed enhanced version
of the standard Event-B refinement allows the designers to ensure that the
developed system is not only correct-by-construction but also dependable-
by-construction, i.e., it guarantees that refinement improves (or at least
preserves) the probabilistic measure of system dependability.
The proposed extension has been validated by a number of case stud-
ies from a variety of application domains, including service-oriented sys-
tems, aerospace, railways and communicating systems. We believe that
the research presented in the thesis contributes to creating an integrated
dependability-explicit engineering approach that facilitates rigorous devel-
opment of complex computer-based systems.
iv
Sammanfattning
Programvaruintensiva system ¨okar allt mera i komplexitet, men trots detta
anv¨andsprogramvaraikritiskinfrastrukturinomomr˚adens˚asomtransport,
telekommunikation, h¨alsov˚ard och energiproduktion. Vi litar allt mera p˚a
datorbaserade system och deras programvara, och graden till vilken vi kan
lita p˚a ett system beskriver vi med uttrycket p˚alitlighet.
Att utveckla starkt p˚alitliga system ¨ar erk¨ant sv˚art, och kr¨aver rigor¨osa
matematiska metoder f¨or att f¨orhindra designfel och garantera att syste-
met uppf¨or sig korrekt och f¨orutsebart. Dessa metoder kan dock inte ga-
rantera att alla fel undviks, och d¨arf¨or beh¨ovs kraftfulla mekanismer f¨or
feltolerans, dvs. l¨osningar som g¨or det m¨ojligt f¨or systemet att f¨orhindra
spridningen av den skada som felet orsakade samt garantera h¨og p˚alitlighet
och s¨akerhet. Dessa egenskaper utv¨arderas traditionellt probabilistiskt, men
i de utvecklingsmetoder som anv¨ands i dag finns det ingen kontinuitet mel-
lanmodelleringavsystemetsfunktionalitetochprobabilistiskutv¨arderingav
p˚alitligheten.Idennaavhandling¨arv˚arm˚als¨attningattetableragrunderf¨or
en rigor¨os utvecklingsmetod med explicit p˚alitlighet. Specifikt f¨oresl˚ar vi ett
semantiskttill¨aggtillEvent-B–ettautomeratramverkf¨ortillst˚andsbaserad
formell utveckling – som till˚ater ett kvantitativt (probabilistiskt) resone-
mang. Event-B och dess tillh¨orande utvecklingsteknik – precisering – ger
ett kraftfullt ramverk f¨or utveckling av system som ¨ar korrekta genom kon-
struktionen. Detta g¨or det m¨ojligt att via abstrakt modellering, bevis och
dekomposition skapa robusta systemarkitekturer och f¨ors¨akra sig om att sy-
stemets uppf¨orande ¨ar f¨orutsebart och att viktiga egenskaper hos systemet
bevaras under systemets exekvering.
Vi h¨avdar att utvecklingen av p˚alitliga komplexa system underl¨attas av
rigor¨ospreciseringsbaseradsystemutvecklingkombineradmedprobabilistisk
analysavp˚alitlighet.Detf¨oreslagnaprobabilistiskatill¨aggettillEvent-Bg¨or
det m¨ojligt att kvantitativt uppskatta effekten av olika feltoleransmekanis-
mer och arkitekturbaserade l¨osningar p˚a systemens p˚alitlighet. Dessutom
m¨ojligg¨or det redan fr˚an ett tidigt stadium stokastiskt resonemang om vil-
ken effekt komponentfel och -reparationer har p˚a systemets p˚alitlighet och
s¨akerhet. Den f¨oreslagna f¨orb¨attrade versionen av preciseringen i Event-B
g¨or det m¨ojligt att s¨akerst¨alla att systemet som utvecklas inte enbart ¨ar
v
korrekt genom konstruktionen, utan ocks˚a p˚alitligt genom konstruktionen,
dvs. garanterar att preciseringen f¨orb¨attrar, eller˚atminstone bibeh˚aller det
sannolikhetsbaserade m˚attet av systemets p˚alitlighet.
Det f¨oreslagna till¨agget har validerats av ett antal fallstudier inom olika
applikationsomr˚aden, vilka inkluderar serviceinriktade system, flygindustri,
sp˚artrafik och kommunikationssystem. Vi tror att forskningen som presen-
teras i denna avhandling medverkar till att skapa en integrerad utvecklings-
teknik som har explicit p˚alitlighet och underl¨attar rigor¨os utveckling av
komplexa datorbaserade system.
vi
Description:safety: the ability of a system not to incur, under given conditions, any critical failures; specific standards (e.g., IEC 61508, ISO 26262, IEC 62278, etc.) provide the support for quantitative verification of non-functional system .. same set of outcomes Q. In practice, the set Q is usually fini
