www.wileyeurope .com/college/van lamsweerde Chap.9: Risk Analysis on Goal Models © 2009 John Wiley and Sons
Figure (questions a risk analysis must answer): on what? why? how? who?
Figure: the steps of risk analysis: risk identification, risk assessment, risk control.
Conditions on an obstacle O to a goal G, given the domain properties Dom:
  { O, Dom } |= not G        obstruction
  { O, Dom } |≠ false        domain consistency
  O must be feasible         feasibility
Example:
  G:   TrainStoppedAtBlockSignal If StopSignal
  Dom: If TrainStopsAtStopSignal then DriverResponsive
  O:   DriverUnresponsive
Domain completeness of a set of obstacles O1, ..., On to a goal G:
  { not O1, ..., not On, Dom } |= G        domain completeness
Example (instantiated for the obstacles DriverUnresponsive and BrakeSystemDown):
  If not DriverUnresponsive and not BrakeSystemDown and StopSignal
  then TrainStoppedAtBlockSignal
Obstacle categories, by the category of goal they obstruct:
  Hazard           obstructs  Safety goals
  Threat           obstructs  Security goals        (Disclosure, Corruption, DenialOfService, ...)
  Inaccuracy       obstructs  Accuracy goals
  Misinformation   obstructs  Information goals     (NonInformation, WrongInformation, TooLateInformation, ...)
  Dissatisfaction  obstructs  Satisfaction goals    (NonSatisfaction, PartialSatisfaction, TooLateSatisfaction, ...)
  Unusability      obstructs  Usability goals
Figure: goal taxonomy. Goal is split into Functional goal and Non-functional goal; Non-functional goals are split into Quality of service, Compliance, Architectural and Development goals. Leaf categories shown: Satisfaction, Information, Stim-Response, Accuracy, Safety, Security (Confidentiality, Integrity, Availability), Reliability, Performance (Time, Space, Cost), Interface (User interaction, Device interaction), Usability, Convenience, Distribution, Installation, Software interoperability, Deadline, Variability, Maintainability, Cost.
Figure: obstacle tree for the goal "TrainStoppedAtBlockEntry If StopSignal".
  obstruction: the root obstacle "StopSignal And Not TrainStoppedAtBlockEntry"
  OR-refinement of the root obstacle into the sub-obstacles SignalNotVisible, DriverUnresponsive, BrakeSystemDown, ...
  resolution: the countermeasure goal "ResponsivenessCheckSentRegularly" resolves the obstacle DriverUnresponsive
Figure: obstacle tree for the goal "MobilizedAmbulanceAtIncidentInTime".
  root obstacle: "MobilizedAmbulance Not AtIncidentInTime"
  OR-refinement of the root obstacle into AmbulanceLost, AmbulanceStopped, TrafficDeviation, ...
  AND-refinement of AmbulanceLost into AmbulanceCrewNotInFamiliarArea, In-carGPSNotWorking, ...
Obstacle AND-refinement: O is refined into the sub-obstacles subO1, ..., subOn
  { subO1, ..., subOn, Dom } |= O                                      entailment
  { subO1, ..., subOn, Dom } |≠ false                                  consistency
  { subO1, ..., subOj-1, subOj+1, ..., subOn, Dom } |≠ O  for each j   minimality
Obstacle OR-refinement: O is refined into the alternative sub-obstacles subO1, ..., subOn
  { subOi, Dom } |= O                          for each i              entailment
  { subOi, Dom } |≠ false                      for each i              consistency
  { not subO1, ..., not subOn, Dom } |= not O                          domain completeness
  { subOi, subOj, Dom } |= false               for i ≠ j               disjointness
Figure: propagated obstruction. Goal G is refined into the subgoals G1 and G2; an obstacle not G1 or not G2 to a subgoal propagates upwards as an obstruction not G of the parent goal G.
Example of an obstacle specification:
Obstacle DriverUnresponsive
  Def         Situation of a train driver failing to react to a command and take appropriate action according to that command
  FormalSpec  (in temporal logic, for analysis; not covered in this chapter)
  Category    Hazard
  Likelihood  likely
  Criticality catastrophic
Figure: the obstacle analysis process: goal model elaboration, obstacle identification, obstacle assessment, obstacle resolution, linked by data dependencies (each step consumes the output of the previous one); the three obstacle steps are shown again as the loop obstacle identification, obstacle assessment, obstacle resolution.
Negation rules (pushing "not" inwards when negating a goal assertion):
  not (A and B)       ≡  not A or not B
  not (A or B)        ≡  not A and not B
  not (if A then B)   ≡  A and not B
  not (A iff B)       ≡  (A and not B) or (not A and B)
Figure: obstacle derivation by goal negation (reverse thrust example).
  Goal: MotorReversed Iff MovingOnRunway, refined into the subgoals
    MotorReversed Iff WheelsTurning   and   MovingOnRunway Iff WheelsTurning
  Negated subgoals: NOT (MotorReversed Iff WheelsTurning), NOT (MovingOnRunway Iff WheelsTurning)
  Each negated Iff splits, by the rule for "not (A iff B)", into two obstacles:
    MotorReversed AndNot WheelsTurning,   WheelsTurning AndNot MotorReversed
    MovingOnRunway AndNot WheelsTurning,  WheelsTurning AndNot MovingOnRunway
  Sub-obstacles refining MovingOnRunway AndNot WheelsTurning: Aquaplaning, WheelsNotOut, WheelsBroken
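An added Python example (not code from the book or its slides) that implements the negation rules above for deriving candidate obstacles and checks the obstruction, domain-consistency and domain-completeness conditions from the earlier obstacle slides. It assumes a plain propositional encoding of goals, domain properties and obstacles (the chapter's formal specifications are in temporal logic), an assumed tuple encoding of formulas, and a propositional adaptation of the train example in which each obstacle carries the StopSignal conjunct; the completing domain property is the one shown on the domain-completeness slide.

```python
from itertools import product

# Formula encoding assumed here: ("var", name) | ("not", f) | ("and", f, g)
# | ("or", f, g) | ("if", f, g) | ("iff", f, g)
def negate(f):
    """Push 'not' inwards with the four rewrite rules from the negation slide."""
    op, *args = f
    if op == "var": return ("not", f)
    if op == "not": return args[0]                       # double negation
    if op == "and": return ("or", negate(args[0]), negate(args[1]))
    if op == "or":  return ("and", negate(args[0]), negate(args[1]))
    if op == "if":  return ("and", args[0], negate(args[1]))   # A and not B
    return ("or", ("and", args[0], negate(args[1])), ("and", negate(args[0]), args[1]))

def holds(f, val):
    """Truth value of f under the assignment val (atom name -> bool)."""
    op, *args = f
    if op == "var": return val[args[0]]
    if op == "not": return not holds(args[0], val)
    a, b = (holds(g, val) for g in args)
    return {"and": a and b, "or": a or b, "if": not a or b, "iff": a == b}[op]

def atoms(f):
    return {f[1]} if f[0] == "var" else set().union(*map(atoms, f[1:]))

def models(premises, extra=()):
    """Assignments over every atom in premises+extra that satisfy all premises."""
    names = sorted(set().union(*map(atoms, (*premises, *extra))))
    for bits in product((False, True), repeat=len(names)):
        val = dict(zip(names, bits))
        if all(holds(p, val) for p in premises): yield val

def entails(premises, conclusion):            # {premises} |= conclusion
    return all(holds(conclusion, v) for v in models(premises, [conclusion]))

def obstructs(O, Dom, G):   # obstruction {O, Dom} |= not G and {O, Dom} |≠ false
    return entails([O, *Dom], ("not", G)) and next(models([O, *Dom]), None) is not None

def complete(Os, Dom, G):   # domain completeness {not O1, ..., not On, Dom} |= G
    return entails([("not", O) for O in Os] + list(Dom), G)

# Train example of the slides, adapted to plain propositions (constructed sample).
STOP, STOPPED = ("var", "StopSignal"), ("var", "TrainStoppedAtBlockSignal")
UNRESP, BRAKE = ("var", "DriverUnresponsive"), ("var", "BrakeSystemDown")
G = ("if", STOP, STOPPED)
DOM = [("if", STOPPED, ("not", UNRESP)), ("if", STOPPED, ("not", BRAKE))]
O1, O2 = ("and", STOP, UNRESP), ("and", STOP, BRAKE)
# The domain property the completeness slide shows; without it {O1, O2} is incomplete.
COMPLETING = ("if", ("and", ("and", ("not", UNRESP), ("not", BRAKE)), STOP), STOPPED)
```

Checking is exhaustive over the atoms mentioned, so it is only practical for the handful of propositions a slide-sized example contains.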
Figure: obstacle derivation by goal negation (car start example).
  Goal: BrakeReleased ↔ DriverWantsToStart, refined into the subgoals
    BrakeReleased ↔ MotorRaising,  MotorRaising ↔ AccelerPedalPressed,  AccelerPedalPressed ↔ DriverWantsToStart
  Obstacles shown, each one disjunct of a negated subgoal:
    MotorRaising And Not AccelerPedalPressed
    AccelerPedalPressed And Not DriverWantsToStart