Open Systems Dependability
Dependability Engineering for Ever-Changing Systems
Second Edition

Editor
Mario Tokoro
Co-founder, Executive Advisor, Sony Computer Science Laboratories, Inc., Tokyo, Japan
Formerly Sr. Vice President and CTO, Sony Corporation, Tokyo, Japan

A SCIENCE PUBLISHERS BOOK

CRC Press, Taylor & Francis Group, an informa business
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
711 Third Avenue, New York, NY 10017
2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN, UK
www.crcpress.com
K26479

© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20150519
International Standard Book Number-13: 978-1-4987-3629-9 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

PREFACE

Technological advancements in the 20th century—particularly in the fields of electronics, computers, the internet, and mobile communications—have drastically expanded our capabilities from the twin perspectives of time and space. Industries have developed and the world economy has grown. Our standard of living has improved significantly in terms of quantity and quality thanks to the support of services made possible by these advancements. In the recent past, the functionality of services has also expanded, especially where realized in conjunction with sensors and actuators, and the underlying systems, which are fused with the real world, form an integrated infrastructure that supports our everyday life. Ultimately, our daily lives have taken on a new dimension never experienced before.

On any morning you could wake up, switch on your TV set, check your e-mail, eat breakfast, and leave your house for work. TV shows are transmitted under the control of computers. The electricity that runs your TV set and appliances is also distributed under computer control. Traffic lights are synchronized by computers in order to ensure that traffic flows smoothly. Electronic ticketing cards for public transit rail are controlled by computers that calculate your fare by detecting where you enter and leave the system. Train operation is, of course, also controlled by computers. These systems operate for long periods of time without any interruption to services. During this lifetime, however, their purpose and the environment in which they operate may change. For example, the Suica® system of electronic fare cards operated by the East Japan Railway Company was initially used for commuter passes, but its scope has now been extended to include regular rail tickets, taxi fares, and kiosk purchases; in addition, other railway companies are also now using similar electronic fare cards interoperable with Suica. Systems such as this operate impassively, while unbeknownst to most users, they undergo revision and modification to accommodate changes in their purpose and environment. There are almost certainly numerous examples of this type of system very close to you as you read this book. However, once a problem occurs in a system and services are interrupted, we are greatly inconvenienced, and only then become aware of how our daily lives depend upon them. We therefore need to think about how we can make these systems dependable in order to prevent similar inconvenience in the future.

Fields such as reliability engineering and dependability engineering have studied problems in systems, but their methods target systems with specifications that do not change over time. This assumption did work for the systems of the past, i.e., those that were independent, not connected to one another, and rarely saw changes in purpose or environment. Today's systems are, however, interconnected and always changing. Therefore, there is a pressing need for a concept and methods that will allow dependability to be attained in ever-changing systems. As the second edition of Open Systems Dependability—Dependability Engineering for Ever-Changing Systems, this book answers that need. It describes systematically the concept and methods for reducing problem incidences, avoiding serious accidents, supporting accountability, and ensuring continuous operation in a large and complex system that runs over a long period of time. A system having a boundary, functions, and a structure that are all subject to change is called an open system. We refer to the concept as Open Systems Dependability and to the technical system comprising the concept and methods as Dependability Engineering for Open Systems, or DEOS for short. We hope that this book will help to ensure greater dependability in future information systems, and in doing so, will make our modern society safer, more secure, and more convenient.

January, 2015
Mario Tokoro

ACKNOWLEDGEMENTS

This book is based on the DEOS Project supported by the Core Research for Evolutional Science and Technology (CREST) program of the Japan Science and Technology Agency (JST) under the Ministry of Education, Culture, Sports, Science and Technology in Japan (MEXT). I am indebted to JST and MEXT for their strong support for the DEOS Project. I would like to extend my gratitude to Dr. Koichi Kitazawa (then representative director of JST), Dr. Toshiaki Ikoma (then head of the Center for Research and Development Strategy), and Mr. Shigeru Ishimasa (then Director of Research and Development Strategy) for their understanding of the importance of this project and for various arrangements that allowed it to proceed. I would also like to thank Mr. Shigeki Sakai, Mr. Takashi Yakushiji, Mr. Masanori Emori, and Mr. Katsumi Takeda of JST for their strong administrative support.

I am very grateful to Co-Research Supervisor Professor Yoichi Muraoka and all of the Area Advisors from the DEOS project—Dr. Kazuo Iwano, Prof. Toru Kikuno, Dr. Koichi Matsuda, Prof. Koichiro Ochimizu, Dr. Yoshiki Seo, Prof. Hideki Tanaka, and Prof. Hiroto Yasuura—without whose advice this project could not have been successful. I also thank the Research Promotion Board members—Mr. Nobuhiro Asai, Mr. Shingo Kamiya, Mr. Tadashi Morita, Dr. Masamichi Nakagawa, Mr. Takeshi Ohno, Mr. Ichiro Yamaura, and Dr. Kazutoshi Yokoyama—for their close communication with research teams in order to ensure that the project's findings and deliverables could be put to practical use. I am indebted to the Area Management Advisors—Mr. Kazuo Kajimoto, Prof. Yuzuru Tanaka, Mr. Tetsuya Toi, Prof. Seishiro Tsuruho, and Dr. Daiji Nagaoka—for their advice from the industrial and application perspectives. And I would also like to thank Mr. Makoto Yashiro, Director of the DEOS R&D Center, as well as Mr. Shigeru Matsubara, Dr. Hiroki Takamura, and all of the other members of the center for their daily support and for integrating the research results into actual processes.

I am grateful to our external reviewers—the late Dr. Jean-Claude Laprie, Prof. Robin Bloomfield, Prof. Jean-Charles Fabre, Mr. Masayuki Hattori, Dr. Karama Kanoun, and Prof. Miroslav Malek—for their perceptive comments and advice throughout the course of this project. I would like to give my personal thanks to Mr. Junkyo (Jack) Fujieda for his valuable advice on standardization. I also thank Mr. Matthew Heaton and Mr. Paul O'Hare of Translation Business Systems Japan (TBSJ) for their help in accurately translating this book from Japanese into clear and comprehensible English.

Last but not least, I thank all of the contributors to this project—Prof. Yutaka Ishikawa, Dr. Satoshi Kagami, Prof. Yoshiki Kinoshita, Prof. Kenji Kono, Prof. Kimio Kuramitsu, Prof. Toshiaki Maeda, Prof. Tatsuo Nakajima, Prof. Mitsuhisa Sato, and Prof. Hideki Tokuda—for their team leadership, support for the DEOS core team, and hard work in both research and team management. I am also grateful to all members of each of these teams. And as we publish this second edition, it is with great pleasure that I extend my most sincere thanks to my fellow authors.

CONTENTS

Preface  v
Acknowledgements  vii
Authors per Chapter/Section  xi

1. Introduction  1

2. Open Systems Dependability  4
   2.1 Evolution of Approach  4
   2.2 Characteristics of Today's Systems and Causes of their Failure  9
   2.3 Concept and Definition of Open Systems Dependability  13
   2.4 Toward the Realization of Open Systems Dependability  17

3. The DEOS Technological System  20
   3.1 The DEOS Process  22
   3.2 D-Case and D-Script  28
   3.3 DEOS Architecture  31
   3.4 Assurance of DEOS Process Execution using D-Case  35

4. D-Case—Building Consensus and Achieving Accountability  41
   4.1 Consensus Building and Accountability  41
   4.2 From Assurance Case to D-Case  43
   4.3 D-Case Syntax and Notation Method  49
   4.4 Roles Played by D-Case  66
   4.5 d* Framework  69
   4.6 D-Case Patterns  75

5. D-Case Tools  82
   5.1 D-Case Editor  82
   5.2 D-Case Weaver and D-Case Stencil  93
   5.3 D-Case & Tools—Current Status and Challenges  95

6. D-Case Integrity Checking Tool and Formal Assurance Case  98
   6.1 Benefits of Formal Assurance Cases  101
   6.2 Formal Assurance Case  103
   6.3 Formal D-Case and System Openness  115