The Design of Complex Software-Intensive Systems


Page 1: The Design of Complex Software-Intensive Systems

May 6, 2009 Synergy of SW Architecture, Process, and Organization 1

The Design of Complex Software-Intensive Systems

A Quest for Intellectual Control

Alan R. Hevner – University of South Florida

Richard C. Linger – CERT Software Engineering Institute

Carnegie Mellon University

Page 2: The Design of Complex Software-Intensive Systems


England: 11th Century
• Norman conquerors conduct census to determine what they have won
• Results never added up, despite the intent to produce a sum
• Best minds were overwhelmed by the complexity of adding up so many Roman numerals!
• If done in decimal arithmetic and place notation, any child could have performed the addition
Lesson: The right foundations
• Transform the problem space
• Sweep away complexities
• Enable new human capabilities

Page 3: The Design of Complex Software-Intensive Systems


21st Century World
Overwhelming network system complexities:
• Systems-of-systems integration
• Unknown boundaries and components
• Compositions of stovepipe systems
• Pervasive asynchronous operations
• Survivability an urgent priority
Approach:
• Mathematical semantics first, engineering practices later
• Develop engineering foundations that address system realities
• Limit complexity and improve survivability with practical engineering methods

Page 4: The Design of Complex Software-Intensive Systems


Network System Complexities
Future Combat System:
• 100s of nodes and users
• Nodes and usage evolve
• Distributed platforms
• A system of systems
[Figure: Network Centric Force diagram with nodes UAVs, Other Layered Sensors, Robotic Direct Fire, Robotic NLOS Fire, Robotic Sensors, Manned C2, and Mission C4I]

Page 5: The Design of Complex Software-Intensive Systems


Complexity’s Burden

Development of large-scale network systems frequently exceeds our engineering capabilities

We experience difficulty defining the systems we have, and the systems we need

Intellectual control is lost when complexity exceeds human reasoning capabilities

Result is frustration and delay that impacts mission capability and survivability

Page 6: The Design of Complex Software-Intensive Systems


Issues in Network Systems

Survivability improvement requires:
• Knowing usage dependencies in all situations
• Preparing for compromises in all situations
• Defining system actions for every situation

Complexity reduction requires:
• New approach for human intellectual control
• Foundations based on deep simplicities
• Practical engineering methods

Complexity and survivability are deeply related

Page 7: The Design of Complex Software-Intensive Systems


Three Key Questions

In a world of large-scale, asynchronous network systems with dynamic function and structure …
• What are the unifying engineering foundations for system analysis, specification, design, implementation, and verification?
• How should quality attributes such as survivability, reliability, and performance be specified, managed, and achieved?
• What architecture frameworks can simplify system development and operation?

Page 8: The Design of Complex Software-Intensive Systems


Three Engineering Concepts

1. Flow Structures - User task flows and their architecture flows of service uses are engineering anchors for analysis, specification, and design of functionality and quality attributes

2. Computational Quality Attributes - Quality attributes can be specified as dynamic functional properties to be computed, not as static, a priori predictions

3. Dynamic Flow Management - User task flow designs support architecture templates that manage flows and their quality attributes in execution

Page 9: The Design of Complex Software-Intensive Systems


Foundations: First-Class Artifacts

• Flows: define mission, user functions and quality attributes; refine into service uses
• Services: provide functionality and quality attributes; refine into flows
• Quality Attributes: attribute requirements attached to flows; service attribute matches computed dynamically

Page 10: The Design of Complex Software-Intensive Systems


Foundations: Theorems

• Structure Theorem: guarantees sufficiency of flow structure primitives
• Abstraction/Refinement Theorem: guarantees correctness of mathematical semantics
• Verification Theorem: defines conditions for ensuring flow correctness
• Implementation Theorem: defines conditions to express a function as a flow
• System Testing Theorem: shows how to derive usage from flows for testing

Page 11: The Design of Complex Software-Intensive Systems


Flow Structure Concepts

[Figure: enterprise mission refined into user task flows, each refined into architecture flows of service uses, spanning Enterprise, Users and Systems]
• Enterprise mission is embodied in user task flows of operations and decisions in system usage
• Architecture flow refinements of user task flows define uses of system services that provide function and quality attributes
• Flows traverse a network architecture to satisfy mission requirements
[Figure: gas purchase flow crossing system 1 through system 5, with nodes customer, gas pump, land telecom, satellite telecom, land telecom, credit card company and credit database]

Page 12: The Design of Complex Software-Intensive Systems


Flow Structure Semantics

Service invocations in Flow Structures are specified by service response (R*) semantics

Semantics are response-based, not intention-based – a natural fit with COTS and components

Service invocations are composed with post-fix predicates on equivalence classes over all possible responses

The logic of a flow accounts for all possible circumstances of use; each flow is a self-contained and complete entity

R* semantics permit deterministic flow abstraction, refinement, and verification for human understanding, even though services are engaged in simultaneous asynchronous uses

Page 13: The Design of Complex Software-Intensive Systems


Transitive Dependencies in Flows

[Figure: Network Centric Force flows. The Primary Flow (Mission Control) runs the Sensor Data Flow, Fire Control Flow and Target Attack Flow across UAV and Robotic Direct Fire nodes; steps include store sensor data, run check sensor flow, compute target data, run check target flow and fire on target, each guarded by a decision (OK? resp? valid? range?) on a y/n response]

Transitivity analysis reveals precise dependencies from mission down to code, and defines impact of changes

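The flow logic of page 12 and the transitivity analysis of page 13, as an added Python example that is not part of the presentation: a toy Flow Structure model in which each service invocation is composed with post-fix predicates over the service's response equivalence classes, a check that every class has a defined action, and a transitive dependency query that answers "which flows does a change to this service impact?". The service and flow names are constructed from the slide's diagram labels.

```python
from typing import Dict, List, Optional, Set, Tuple
# Response equivalence classes each service can produce (R* semantics): every
# possible response falls into exactly one class. Constructed sample data.
SERVICES: Dict[str, Set[str]] = {
    "store_sensor_data": {"ok", "fail"},
    "compute_target_data": {"valid", "invalid"},
    "check_target": {"in_range", "out_of_range"},
    "fire_on_target": {"ok", "fail"},
}
# A flow is a list of steps. ("use", service, {response class: action}) composes
# an invocation with a post-fix predicate on its response classes; ("run", flow)
# runs a sub-flow. Actions: "continue", "abort", or ("run", flow).
FLOWS: Dict[str, List[Tuple]] = {
    "mission_control": [("run", "sensor_data"), ("run", "fire_control")],
    "sensor_data": [("use", "store_sensor_data", {"ok": "continue", "fail": "abort"})],
    "fire_control": [("use", "compute_target_data",
                      {"valid": ("run", "target_attack"), "invalid": "abort"})],
    "target_attack": [
        ("use", "check_target", {"in_range": "continue"}),  # out_of_range: no action
        ("use", "fire_on_target", {"ok": "continue", "fail": "abort"}),
    ],
}

def undefined_responses(flow: str) -> List[Tuple[str, str]]:
    """Response classes the flow names no action for: its logic is incomplete."""
    return [(step[1], c) for step in FLOWS[flow] if step[0] == "use"
            for c in sorted(SERVICES[step[1]] - set(step[2]))]

def service_dependencies(flow: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Services the flow depends on, transitively through every sub-flow it runs."""
    seen = set() if seen is None else seen
    if flow in seen:  # flows are recursive; visit each once
        return set()
    seen.add(flow)
    deps = set()
    for step in FLOWS[flow]:
        if step[0] == "run":
            deps |= service_dependencies(step[1], seen)
        else:
            deps.add(step[1])
            for action in step[2].values():
                if isinstance(action, tuple):
                    deps |= service_dependencies(action[1], seen)
    return deps

def impacted_flows(service: str) -> Set[str]:
    """Impact of change: every flow a change to the service can affect."""
    return {f for f in FLOWS if service in service_dependencies(f)}
```

In this data the target attack flow has no action for the out_of_range response of check_target, which is exactly the kind of undefined circumstance of use the slides say a flow must define before it is complete.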

Page 14: The Design of Complex Software-Intensive Systems


FlowSets can manage complexity in the Future Combat System: Network-Centric Capability Integration

[Figure: Network Centric Force diagram; each node (UAVs, Other Layered Sensors, Robotic Direct Fire, Robotic NLOS Fire, Robotic Sensors, Manned C2) carries its own FlowSet, e.g. Preparation, Deployment or Launch, C3, Retrieval, Safing, Maintenance, …; the mission-level FlowSet: Mission Def’n, Sensor Integration, C4I, Fire Integration, Damage Assmt, …]

Flow Structures define capabilities and networks, link stovepipes, define compositions of services, support centralized and distributed control
• Distributed platforms
• System-of-systems
• 100s of nodes and users
• Nodes and usage change/evolve


Page 15: The Design of Complex Software-Intensive Systems


Analysis: From Systems to Flows

• Flows reveal survivability dependencies for resistance, recognition, and recovery analysis and improvement
[Figure: mission task 1, 2 and 3 mapped to flow 1, 2 and 3 across an existing network architecture with pervasive asynchronous behavior]
• Response-based semantics for shared services gives flows deterministic properties for understanding and abstraction

Page 16: The Design of Complex Software-Intensive Systems


Design: From Flows to Systems

• User task flow design: Flow Structures of mission tasks can be designed and verified at multiple levels of refinement
• Network behavior specification: a network system specification is the set of flows of its service uses
• Component service specification: the specification of each service in a network system incorporates all its uses in all flows where it appears

Page 17: The Design of Complex Software-Intensive Systems


Management: Flows from Start to End

Manage Flow Structures as first-class artifacts in acquisition, development, testing, operation, and evolution

System implementation and operation must satisfy Flow Structure functions and quality attributes

Page 18: The Design of Complex Software-Intensive Systems


Flow Structures and System Testing

• Flows define system usage
• Usage models can be derived from flows and probabilities of their use
• Flow-derived usage models can drive statistical testing for certification of fitness for use

Flows can serve as oracles for test evaluation

Page 19: The Design of Complex Software-Intensive Systems


Computational Quality Attributes

Quality attributes – survivability, reliability, ...
• Associate attribute requirements with flows and service specifications, not with entire systems
Computational approach
• Move beyond static, a priori estimates
• Treat attributes as functions to compute
• Dynamic matching of flow attribute requirements with service attribute capabilities

Page 20: The Design of Complex Software-Intensive Systems


Computational Quality Attributes

Attribute model
• Computable function from service usage history to attribute value
• Probabilistic attribute values (0 and 1 are probabilities too)
• Unifies treatment of many attributes
Function approach
• Characterizes attribute capabilities of services
• Reveals departures from history for analysis

Page 21: The Design of Complex Software-Intensive Systems


FSQ Architecture Templates

Foundations
• Canonical FSQ architecture templates specify management of Flow Structures through dynamic feedback control
Engineering usage
• Architecture implementation reconciles Flow Structure functions and quality attribute specifications with dynamic service function and quality, to control flow execution and satisfy quality specifications
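A worked illustration of pages 19 to 21, added here and not from the presentation: a quality attribute (reliability) computed as a function of a service's usage history rather than estimated a priori, dynamically matched against a flow's attribute requirement when a service is selected for execution, and checked for departure from its long-run value. Service names, the history window and the usage data are constructed.

```python
from collections import deque
from typing import Deque, Dict, Iterable, Optional

# Per service, a sliding window of recent uses recorded as True (the response
# satisfied the flow) or False (it did not). Constructed sample data below.
Histories = Dict[str, Deque[bool]]

def record_use(histories: Histories, service: str, ok: bool, window: int = 20) -> None:
    """Append one observed use; the window bounds the history the attribute is computed from."""
    histories.setdefault(service, deque(maxlen=window)).append(ok)

def reliability(histories: Histories, service: str) -> float:
    """The attribute as a computable function of usage history: P(satisfactory response).
    With no history the value is 0.0, so an unproven service never satisfies a requirement."""
    hist = histories.get(service)
    return sum(hist) / len(hist) if hist else 0.0

def select_service(histories: Histories, candidates: Iterable[str], required: float) -> Optional[str]:
    """Dynamic matching at flow execution: the candidate whose computed capability
    best satisfies the flow's attribute requirement, or None if no candidate does."""
    best = max(candidates, key=lambda s: reliability(histories, s), default=None)
    if best is None or reliability(histories, best) < required:
        return None
    return best

def departs_from_history(histories: Histories, service: str, long_run: float,
                         tolerance: float = 0.1) -> bool:
    """Flags a service whose recent computed value has moved away from its long-run
    value by more than the tolerance, for analysis (degradation or a compromise)."""
    return abs(reliability(histories, service) - long_run) > tolerance

def sample_histories() -> Histories:
    """Constructed scenario: two telecom links that could serve a gas purchase flow."""
    h: Histories = {}
    for ok in [True] * 19 + [False]:
        record_use(h, "land_telecom", ok)      # 19 of 20 recent uses satisfied the flow
    for ok in [True] * 8 + [False] * 2:
        record_use(h, "satellite_telecom", ok)  # 8 of 10 recent uses satisfied the flow
    return h

def demo() -> Optional[str]:
    """A flow requiring reliability 0.9 is matched to the link that currently provides it."""
    return select_service(sample_histories(), ["land_telecom", "satellite_telecom"], 0.9)
```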

Page 22: The Design of Complex Software-Intensive Systems


FSQ Complexity Reduction
• Flows unify, enable human reasoning in network systems
• Same structures for acquisition, development, operation
• Flows are expressed in a few simple structures
• Flows are simply abstracted, refined, and verified
• Flows seamlessly refine missions into architecture services
• Flows are scale-free and recursive
• Flows specify all required behavior and quality attributes
• Flow transitivity reveals dependencies, impact of changes
• Flows define logical topology and service specifications
• Flows as built can be verified against flows as specified
• FSQ architecture templates unify flow management
• Flows prescribe system testing requirements

Page 23: The Design of Complex Software-Intensive Systems


FSQ Survivability Analysis

Flows extracted from existing systems reveal mission survivability dependencies on essential services

Transitivity analysis of extracted flows reveals cascade service dependencies that impact survivability

Intrusion flows reveal compromisible services

Flows require definition of, and actions in, all possible circumstances of use for survivability

Flow dependencies focus survivability improvements

Page 24: The Design of Complex Software-Intensive Systems


FSQ Observations

FSQ supports complexity reduction and survivability improvement in development and operation of large-scale network systems composed of any mix of newly developed and COTS/ESP components.

FSQ provides systematic, scale-free semantic structures for requirements, specification, design, verification, implementation, and maintenance.

FSQ supports seamless decomposition from user flows, services, and quality attribute requirements to flow structures, services, and quality attribute implementations, with intrinsic traceability.

User flows of services and quality attributes permit system development in terms of user views of services, as opposed to strictly functional decomposition or object-based composition.

Flow structures are deterministic for human understanding and analysis, despite the uncertainties of complex, network-centric behaviors, thus enabling compositional methods of refinement, abstraction, and verification.

Flow structures reflect the realities of network-centric systems in dealing with the uncertainty factors, to support enterprise risk management and system survivability.

Page 25: The Design of Complex Software-Intensive Systems

FSQ Observations

Flow structures support the definition of attack and intrusion flows for assessing system vulnerabilities and compromises, as a basis for security and survivability improvements.

Computational quality attributes reflect the realities of network-centric systems, in assessing and reconciling quality requirements and capabilities as an intrinsically dynamic process.

Computational quality attributes provide a scale-free, computational use-centric (rather than system-centric) view of quality.

Flow management architectures provide systematic and uniform methods for managing user flow instantiation and quality attribute satisfaction in execution.

Foundations of flow structures can stimulate research on representation and analysis of flows at the requirements level within enterprises, and at the implementation level within system architectures.

Foundations of Computational Quality Attributes can stimulate research in modeling and dynamic evaluation of important quality attributes and metrics.


Page 26: The Design of Complex Software-Intensive Systems


FSQ Research Directions

Complete Theory Development
• Flow Structure Semantics
• Computational Quality Attributes
• Flow Management Architectures

Exploratory Case Studies
• Engineering Practices
• Industrial Collaborators/Customers
• Automation Opportunities