
4.2 Predefined PN models and their reuse


$PL = \min_{ACF} \{\text{packet length}.ACF\}$

The model ACFk is also characterized by a result to be computed and verified against the time requirements, namely its execution time. The model ACi represents the communication unit of an automation component; the parameter bandwidth, corresponding to the attribute of the same name of either the intra-network or the inter-network, is used to define the rate parameter of transition TRANSF. Assuming that a mean value is assigned to the bandwidth attribute, the potential transmission rate is based on the minimum packet length transferred by an automation function and is given by:

$w(TRANSF) = \dfrac{bandwidth}{PL}.$

In case of synchronous communication, the sender and the receiver processes request the service from a function whose behavior can be represented by a GSPN model simplified with respect to the one depicted in Figure 4.4 for the function ACFk: labels S_recv and E_recv are added to transitions ts and te, respectively, and the subnet shown in the shaded part is not present. In this case it is also possible to define the mean execution time of the communication by looking at the structure of the GSPN model ACFk; from Little's formula we get:

$E[\text{execution time}] = \dfrac{1}{X(te)},$ where $X(te)$ is the throughput of transition te.

4.2.1 Exploitation of hierarchy/logical views

CHAPTER 4. USE OF STOCHASTIC PETRI NETS IN THE DEPAUDE METHODOLOGY

The hierarchy/logical views of the generic CD scheme allow the reuse of predefined SPN component models representing the behavior of super-classes to derive predefined SPN component models representing the behavior of the sub-classes through refinement and specialization. The refinement of an SPN component model can be traced back to the inheritance of the static structure of a class (i.e., attributes, operations, associations) and consists of 1) inheriting parameters (rate/weight, initial marking), results to compute, constraints to verify, and possibly adding new ones; 2) inheriting, and possibly modifying, the labels associated with either places or transitions. The specialization, instead, corresponds to the inheritance of the dynamic behavior of the super-class and consists of either maintaining the same structure of the SPN model for the sub-class or modifying it by applying transformation rules that preserve the behavioral inheritance [86]. In particular, in [86] two main notions of behavioral inheritance are introduced: protocol inheritance and projection inheritance. Although they have been defined for labeled transition systems, it is straightforward to use these definitions in the context of SPNs. Intuitively, let p and q be two SPN models representing the behavior of a class P and of its super-class Q, respectively; protocol inheritance can be verified by not allowing transitions that are present in p and not in q to fire (i.e., blocking new actions) and by observing whether P and Q have the same behavior. Projection inheritance can be verified, instead, by considering the transitions that are present in p and not in q as not observable (i.e., hiding the effect of new actions) and by checking whether P and Q have the same observable behavior.

Moreover, the two basic notions of inheritance are combined in order to obtain a stronger and a weaker notion. Stronger inheritance is preserved if both protocol and projection inheritance are satisfied. Life cycle inheritance is the weaker notion: the set of transitions present in p and not in q is partitioned into “not-observable” and “not-allowed to fire” such that the observable behavior of P equals the behavior of Q.

A library of GSPN component models for faults, errors and failures has been set up by exploiting the hierarchy/logical views of the Fault Model, Error Model and Failure Model packages. In the following we examine, in detail, how these models have been constructed.

Fault Models GSPN component models for faults have been built according to the classification given by the CDs of the Fault Model package, represented by the hierarchy view of Figure 4.5(A) in which sub-trees of some fault classes have been replaced with a dotted rectangle.

Each GSPN component model is an elaboration of the earlier generic Petri net models of fault generators proposed in [62], where only physical faults are considered and they are classified with respect to their persistence into permanent and temporary faults, the latter being further specialized into transient and intermittent faults.

The behavior of the Fault super-class of Figure 4.5(A) corresponds to the GSPN component model FT0 of Figure 4.5(B), characterized by three states: the fault is not present (place no_ft), the fault is active and may be perceived by a system entity (place act_ft), and the fault is terminated (place gone_ft). The fault occurrence is represented by the firing of transition ft_occ, and when the fault is active it can be perceived (transition ft_prcv) by a system entity, causing an error situation. Transition ft_prcv is labeled so as to ensure synchronization with the affected system entity (i.e., the ACRi models of Figure 4.2) and with an error model (i.e., the ERh models of Figure 4.2). The fault termination is represented by the firing of transition ft_end. Since neither attributes nor constraints are specified for the Fault super-class, the lists of parameters, results and constraints of the corresponding GSPN model FT0 are empty.

Classes Design Faults, Interaction Faults, Malicious Logic, and their corresponding sub-classes, present the same behavior as the more general class Fault, so that the GSPN model FT0 is reused to represent these classes as well.

The class Physical Faults is associated with the GSPN model FT1, which inherits from FT0 and adds fault_rate and duration to the parameter list and fault_dormancy (i.e., the time between the occurrence of a fault and the fault being perceived) to the result list. Moreover, the label of transition ft_prcv shared with the corresponding automation component model has been assigned according to the inherited association affect(Physical Faults, Automation Component), whose qualifier type_of_part allows the part of the automation component affected by the fault to be discriminated (i.e., elaboration unit, memory unit, communication unit). The net structure of FT0 has been maintained, but the rates of transitions ft_occ and ft_end have been defined as functions of the added parameters, i.e., w(ft_occ) = fault_rate and w(ft_end) = 1/duration.

Figure 4.5: GSPN component models of fault classes (panels (A) and (B)).

The behavior of the Permanent Physical Faults and Temporary Physical Faults classes is represented by the GSPN models FT21 and FT22, respectively. Both models inherit from model FT1, add a parameter (the parameter min-duration for model FT21 and the parameter max-duration for model FT22) and maintain the same net structure as FT1. A fault is classified as permanent if it lasts more than min-duration, and as temporary if it lasts less than max-duration, with the constraint, derived from the note symbol of the CD of Figure 4.5(A), that min-duration is greater than max-duration. The interaction of the models with the corresponding ACi and ERh models is also inherited from FT1.

With respect to the fault models proposed in [62], where permanent faults always remain active while temporary faults, once occurred, eventually disappear after a certain amount of time, both fault models FT21 and FT22 are characterized by a termination state (i.e., place gone_ft), and the represented fault classes are discriminated by the fault duration.

Temporary faults can be further distinguished into intermittent and transient faults. Intermittent faults, once occurred, are characterized by alternating periods in which they are active, and can be perceived by the system entity, and periods in which they are latent and hence do not cause any error. Transient faults, instead, disappear a certain amount of time after their activation; however, unlike generic temporary faults, they are characterized by a complex activation mechanism that depends on the condition of the external environment.

The behavior of the Transient Physical Faults class is represented by the GSPN model FT31, in which a fault moves from the latent state to the active state with a different rate depending on the environment conditions.

Under the normal condition, represented by the place normal being marked, transition lat-actN with rate parameter equal to latency_rateN will fire, while under the “burst” condition, represented by the place burst being marked, transition lat-actB with rate parameter equal to latency_rateB will fire.

The behavior of the Intermittent Physical Faults class is represented by the GSPN model FT32, in which the firing of transition act-lat (with rate parameter equal to persistence_rate) brings the state of the fault from active to latent and, vice versa, the firing of transition lat-act (with rate parameter equal to latency_rate) changes the fault state from latent to active.

GSPN models FT31 and FT32 inherit from FT22: from the static point of view, new parameters have been added with respect to the parameter list of FT22, and for FT31 the parameter fault_rate is no longer relevant (it has been set to the default value of 1), since the fault activation depends upon the two transitions lat-actN and lat-actB.

From the behavioral point of view [86], the GSPN model FT32 strongly inherits from FT22, i.e., it preserves both projection and protocol inheritance, while the GSPN model FT31 preserves only projection inheritance.
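The protocol and projection inheritance checks defined earlier in this section, applied to the fault models FT0, FT32 and FT31 just described, as an added example that is not part of the thesis. The net structures are reconstructed from the text (the wiring of FT32's active/latent loop, the latent state of FT31 and the initial markings are assumptions), and observable behavior is compared as trace equality of the determinized reachability graphs rather than with the bisimulation-based definitions of [86].

```python
"""Protocol and projection inheritance [86] of GSPN component models, checked as
equality of observable prefix-closed trace languages. Added example, not from the
thesis: FT0 follows the text; the wiring of FT32 and FT31 is assumed."""
from collections import deque

# Net = {transition: (preset, postset)}; marking = frozenset of marked places
# (all nets here are 1-safe); transition names double as labels.
FT0 = {"ft_occ": ({"no_ft"}, {"act_ft"}),
       "ft_prcv": ({"act_ft"}, {"act_ft"}),    # perceived, fault stays active
       "ft_end": ({"act_ft"}, {"gone_ft"})}
FT32 = {**FT0, "act-lat": ({"act_ft"}, {"lat_ft"}),  # intermittent: active/latent loop
        "lat-act": ({"lat_ft"}, {"act_ft"})}
FT31 = {**FT0, "ft_occ": ({"no_ft"}, {"lat_ft"}),    # transient: latent until activated
        "lat-actN": ({"lat_ft", "normal"}, {"act_ft", "normal"}),
        "lat-actB": ({"lat_ft", "burst"}, {"act_ft", "burst"})}
M0, M0_31 = frozenset({"no_ft"}), frozenset({"no_ft", "normal"})  # assumed initial markings

def step(net, markings, t):
    """Markings reached by firing t from the given markings (empty if disabled)."""
    pre, post = net[t]
    return {(m - pre) | post for m in markings if pre <= m}

def closure(net, markings, hidden):
    """Close a marking set under firing of hidden (unobservable) transitions."""
    seen, todo = set(markings), list(markings)
    while todo:
        m = todo.pop()
        for m2 in (m2 for t in hidden for m2 in step(net, {m}, t)):
            if m2 not in seen:
                seen.add(m2); todo.append(m2)
    return frozenset(seen)

def same_observable_behavior(p, mp, q, mq, hidden=(), blocked=()):
    """Exact check that sub-class net p (`blocked` transitions removed, `hidden` ones
    unobservable) and super-class net q allow the same observable traces."""
    p, hidden = {t: v for t, v in p.items() if t not in blocked}, set(hidden)
    start = (closure(p, {mp}, hidden), frozenset({mq}))   # determinized product state
    seen, todo = {start}, deque([start])
    while todo:
        sp, sq = todo.popleft()
        obs_p = {t for t in p if t not in hidden and step(p, sp, t)}
        obs_q = {t for t in q if step(q, sq, t)}
        if obs_p != obs_q:       # one model can do something the other cannot
            return False
        for t in obs_p:
            nxt = (closure(p, step(p, sp, t), hidden), frozenset(step(q, sq, t)))
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return True

def inheritance(p, mp, q, mq):
    """Protocol: block the transitions new in p; projection: hide them instead."""
    new = [t for t in p if t not in q]
    return {"protocol": same_observable_behavior(p, mp, q, mq, blocked=new),
            "projection": same_observable_behavior(p, mp, q, mq, hidden=new)}
```

Running `inheritance(FT32, M0, FT0, M0)` reports both notions preserved, while `inheritance(FT31, M0_31, FT0, M0)` reports only projection inheritance, matching the classification given in the text.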

Finally, the sub-class DevTemp of temporary physical faults and the sub-classes of permanent physical faults inherit the behavior of their super-classes and are represented by the same GSPN models associated with the latter.

All the fault GSPN models described above are multi-labeled; in particular, transition ft_prcv is characterized by at least two types of labels: one is used to interact with the model ACi of the system entity affected by the fault and the other is used to interact with the corresponding error model ERh. The composition of the models lying at the resource level then results in a multi-labeled SPN system, unlike in the original definition of PSR [28], where the final resource model is a labeled SPN system.

Error Models Errors are deviations from the correct state of the system that may cause a subsequent failure [53]; within the DepAuDE methodology, they are caused by faults affecting the automation components and they are related to the automation functions performed by the faulty components. A classification of errors is given by the CD Error Hierarchy of the generic CD scheme shown in Figure 4.6(A), which discriminates the errors caused by physical faults depending on which type of part of the automation component has been affected. The super-class Error of the hierarchy/logical view is characterized by two attributes that have been mapped to two results to be computed in the GSPN model ER0, shown in Figure 4.6(B), representing the behavior of the class: error_latency, the length of time between the occurrence of an error and the appearance of the corresponding failure, and PE, the probability of error. The GSPN model ER0 is characterized by four states: the error is not present (place no_err), the error is generated (place pot_err), the error has occurred (place error) and the error has been detected (place detected). Places error and detected are used to define the result PE as the probability that one of the two places is marked. The error can be caused either by a fault that occurred in a system entity or by the error propagation effect: the error generation is represented by the firing of transition cause, which is labeled so as to ensure synchronization with the model of the causing fault or error. The labels are derived from the associations effect(Fault, Error) and effect(Error, Error) of the CD of Figure 4.6(A). In general, ER0 contains as many “cause” transitions (i.e., with input place no_err and output place pot_err) as the number of GSPN models representing potential causes of the error. The occurrence of the error in the corresponding automation function is represented by the firing of transition err_occ, properly labeled to ensure synchronization with the automation function model. Transition det_err represents error detection carried out by a mechanism used in the error processing step; the transition therefore has to be synchronized with a model Ml working at the service level, and its label is derived from the association address(Error Processing Step, Error).

Figure 4.6: GSPN component models of error classes (panels (A) and (B)).

Test transitions err_prop and err_fail are instead interface transitions for an error model ERh and for a failure model FAILn, respectively.

Classes Processing Error, Memory Error, Communication Error, Runtime Errors, Memory Violation, Corrupted Processing and Disordered Communication present the same behavior as the super-class Error, so that GSPN model ER0 is reused to represent the behavior of these classes as well.

Association affect defined between classes Error and Automation Function is refined in case of communication errors since the latter affect automation communication functions. This refinement is reflected in the GSPN error models of Communication Error class and its sub-classes where the label “domain” associated to transition err occ is restricted.

The Late Processing and Late Communication classes are characterized by an input attribute, delay, whose values indicate the delay caused in the execution of the corresponding erroneous function. Their behavior is modeled by the GSPN ER11, where delay has been added to their parameter list. Moreover, the model contains a pair of causally connected transitions: err_delay, which represents the delay caused by the error, and end_err, which brings the error model back to its initial state (no_err). Timed transition err_delay is characterized by a rate equal to w(err_delay) = 1/delay; immediate transition end_err is, instead, an interface transition and has to be synchronized with the automation (communication) function model in order to bring it from an erroneous state to a normal state.

Finally, GSPN model ER12 has been associated with the Corrupted Communication class, characterized by the input attribute BER (Bit Error Rate). BER has been added to the parameter list of ER12 and has been assigned to the weight of the immediate transition err.

From the behavioral point of view [86], both models ER11 and ER12 inherit from model ER0: protocol inheritance is preserved for model ER11, while life cycle inheritance is preserved for model ER12, by considering transition err not observable and transitions no_err and end_err not allowed to fire.

As described in the previous section (Section 4.1), error models are placed at the service level of the layered structure; the service layer in the original proposal [28] is characterized exclusively by models with immediate transitions. In our context, instead, since mechanism models and error models may contain timed transitions (such as, for example, GSPN models ER11 and ER12), the service level can be represented by a timed model.

Failure Models The CD Failure Hierarchy depicted in Figure 3.9, once customized for a given application, can be exploited to construct GSPN model components representing different failure modes. Generally, system failure modes are identified through the combined adoption of bottom-up and top-down methods: bottom-up methods characterize failures due to single fault occurrences, while top-down methods identify failures due to multiple fault occurrences [21].

The main purpose of GSPN component models representing failure modes is to synthesize in a single place the set of (erroneous) states that have equivalent consequences on the system. These models correspond to the failure mode layer described in [74], which allows the final SPN model to be arranged so that it can be analyzed for different levels of service degradation. In Figure 4.7 a skeleton of a GSPN component model representing a failure mode is depicted. The model is characterized by three main states: no_failX, pot_failX and failX, respectively meaning the absence of a failure of type “X”, the occurrence of the error conditions causing it, and its occurrence.

Figure 4.7: Skeleton of a GSPN component model representing a failure mode “X” (places no_failX, pot_failX, failX; transitions cond_i, fail_occ, fail_repair; labels effect(ER1,FAILX) and effect(ER2,FAILX) and ..., affect(FAIL,AS), address(M,FAILn); RESULT: PF = Pr{#failX = 1}, RF = X(fail_occ)).

Several error conditions may cause the occurrence of a failure of type “X”: the firing of transition cond_i represents the occurrence of one such condition; since, in general, the failure occurrence is caused by a combination of errors, cond_i is a multi-labeled transition with labels derived from the association effect(Error, Failure) for synchronization with the error models ERh (vertical composition). Transition fail_occ has to be synchronized with an automation system model, so it is characterized by a label derived from the association affect(Failure, Automation System) (horizontal composition). Depending on the failure mode, the GSPN model may or may not contain transition fail_repair, which is an interface transition to be synchronized with reconfiguration mechanism models.

Concerning the result list, the GSPN model is characterized by two metrics to be computed: PF (i.e., the probability of a failure of type “X”), defined as the probability that the place failX is marked, and RF (i.e., the rate of failure), defined as the throughput of transition fail_occ.