BEHAVIOR BASED DESCRIPTION OF DEPENDABILITY

Deﬁning a Minium Set of Attributes for a Behavioral Description of Dependability

Jan R

udiger, Achim Wagner and Essam Badreddin

Automation Laboratory, University of Mannheim, B6, 23-29, Building B, EG, 68131 Mannheim, Germany

Keywords:

Fault-tolerant systems, Autonomous systems, Behavioral systems.

Abstract:

Dependability is widely understood as an integrated concept that consists of different attributes. The set

of attributes and requirements of each attribute varies from application to application thus making it very

challenging to deﬁne dependability for a broad amount of application. The dependability, however, is of

great importance when dealing with autonomous or semi-autonomous systems, thus deﬁning dependability

for those kind of system is vital. Such autonomous mobile system are usually described by their behavior. In

this paper a minimum set of attributes for the dependability of autonomous mobile systems is proposed based

on a behavioral deﬁnition of dependability.

1 INTRODUCTION

Complex computing systems, such as network com-

puters, computer controlled plants or ﬂight controll

systems need not only to fulﬁll their functional but

also their non-functional properties like availabil-

ity, reliability, safety, performance, dependability etc.

Non-functional properties reﬂect the overall quality of

a system. Besides performance the dependability is

getting a more important non-functional requirement

of a system.

The dependability is usually understood as an inte-

grated concept (Avizienis et al., 2004b; Avizienis

et al., 2004a; Randell, 2000; Candea, 2003; Dews-

bury et al., 2003) that further consists of attributes that

affect the dependability of the system. The set of at-

tributes and the requirements on each attribute vary

from application to application. This makes it hard to

deﬁne dependability for a broad amount of applica-

tions.

The dependability of a system is particularly im-

portant when dealing with autonomous or semi-

autonomous systems. With an increasing degree of

autonomy and safety requirements the requirements

for dependability increase hence being able to mea-

sure and compare the dependability of these system is

getting more and more important.

In this paper a minimum set of attributes for the de-

pendability of autonomous mobile systems is pro-

posed.

This paper is outlined as follows: In Section 2 a de-

scription for systems on which dependability is usu-

ally deﬁned is presented. Since the dependability def-

inition used throughout this paper is based on a dif-

ferent deﬁnition of a system the equivalence of the

two system deﬁnitions is shown. In Section 3 the dif-

ferent deﬁnitions used in the literature are used and

again compared to the behavior based deﬁnition used

throughout this paper. Section 4 summarizes the at-

tributes of dependability and a minimum set of those

attributes is proposed based on the behavioral deﬁni-

tion of dependability and of the attributes. The paper

ends with the discussion of the set in Section 5 and

the conclusion.

2 SYSTEM

According to (Randell, 1999; Avizienis et al., 2004b;

Avizienis et al., 2004a; Jones, 2003) the system for

which dependability will be discussed is described by

its

• functional and non-functional properties,

341

Rüdiger J., Wagner A. and Badreddin E. (2007).

BEHAVIOR BASED DESCRIPTION OF DEPENDABILITY - Deﬁning a Minium Set of Attributes for a Behavioral Description of Dependability.

In Proceedings of the Fourth International Conference on Informatics in Control, Automation and Robotics, pages 341-346

DOI: 10.5220/0001650203410346

 SciTePress

• the boundaries of the system,

• the environment the system is designed for,

• the system behavior,

• the service the system delivers, and

• its structure.

In Wikipedia a System (from the Latin (syst

ema),

and this from the Greek συστηµα (sust

ema)) is de-

ﬁned as an assemblage of entities/objects, real or ab-

stract, comprising a whole with each and every com-

ponent/element interacting with or related to at least

one other component/element. Any object which has

no relationship with any other element of the system,

is not a component of that system. A subsystem is

then a set of elements, which is a system itself, and a

part of the whole system.

In this view it is equal wether a system is connected

to another system or to a user, who is again treated as

a system.

A system is usually deﬁned by its functional and

non-functional properties. The functional proper-

ties deﬁne speciﬁc behaviors of the system or sub-

system while the non-functional properties deﬁne

overall characteristics of the system. Thus, the non-

functional properties deﬁne properties the system

must satisfy while performing its functional proper-

ties. Among other things the non-functional proper-

ties of a system are: functionality, performance, avail-

ability, dependability, stability, cost, extensibility,

scalability, manageability, application maintainabil-

ity, portability, interface, usability and safety. This

list is non-exhaustive since the non-functional prop-

erties of a system are highly system speciﬁc (Torres-

Pomales, 2000; Sutcliffe and Minocha, 1998; Franch

and Botella, 1998). When systems or sub-systems in-

teract with each other or with their environment the

common boundaries of those systems as well as the

environment itself must be deﬁned. A system acting

well in the speciﬁed environment may fail in an envi-

ronment its was not designed for. The system bound-

ary deﬁnes the scope of what the system will be and

as such deﬁnes the limits of the system.

The behavior of the system is how the system imple-

ments its intended function. The behavior of a dy-

namic system as deﬁned (Willems, 1991) is a time

trajectory of the legal states of the system. The le-

gal states of the system are further divided into ex-

ternal and internal states. External states of a system

are those which are perceivable by the user or another

system. The external states thus deﬁne the interface

of the (sub-)system. The remaining states are inter-

nal.

The service the system delivers is its visible behavior

to the user or another system. According to the above

deﬁnition of behavior this is the time trajectory of its

external states.

Last but not least the structure of the system deﬁnes

how the system is partitioned into sub-systems and

how those sub-systems are connected to each other

and how the system is ,,connected” to the environ-

ment. The structure of the system also deﬁnes how

the communication of the sub-systems is organized.

When dealing with autonomous mobile robots the

system is often viewed as a black box and described

by its behavior. The behavioral approach is very com-

mon when dealing with autonomous mobile robots

(Brooks, 1986; Michaud, ; Jaeger, 1996). The frame-

work of Willems (Willems, 1991) is used for describ-

ing a system by its behavior. In this framework a dy-

namical system is deﬁned to be ,,living” in an universe

Deﬁnition 2.1 A dynamical system

∑

is a triple

∑

(T, W, B) with T ⊆ R the time axis, W the signal

space, and B ⊆ W

the behavior.

A mathematical model of a system claims that cer-

tain outcomes are possible, while others are not. This

subset is called the behavior of the system. The be-

havior B is thus the set of all admissible trajecto-

ries. The universe U is the equivalence to the envi-

ronment as described above and the behavior B is the

equivalence to function of the system. In (R

udiger

et al., 2007) the deﬁnition of a dynamical system is

extended by a set of basic and fused behaviors B and

by a mission w

of the system which is the equiva-

lence of the service the system is intended to deliver.

Such a system is deﬁned as:

Deﬁnition 2.2 Let Σ = (T, W, B) be a time-invariant

dynamical system then B ⊆ W

is called the set of

basic behaviors w

(t) : T → W, i = 1...n and B the set

of fused behaviors.

B is a set of trajectories in the signal space W. The

set of basic behaviors B of an autonomous system, in

contrast to the behaviors B of a dynamical system as

deﬁned in (Willems, 1991), is not the set of admis-

sible behaviors, but solely those behaviors which are

given to the system by the system engineer (program-

mer).

The mission of such a system is deﬁned as:

Deﬁnition 2.3 Let Σ = (T, W, B) be a time-invariant

dynamical system. We say the mission w

of this sys-

tem is the map w

: T → W with w

∈ B.

A dynamical system can, like the system described

above, be divided into subsystem having their own

behavior. This deﬁnition of system and behavior is

used throughout this paper.

ICINCO 2007 - International Conference on Informatics in Control, Automation and Robotics

342

3 DEFINITION OF

DEPENDABILITY

Beside the other mentioned non-functional properties

of a system the dependability is getting a more impor-

tant non-functional property.

The general, qualitative, deﬁnitions for dependability

used in the literature so far are:

Carter (Carter, 1982): A system is depend-

able if it is trustworthy enough that reliance

can be placed on the service it delivers.

Laprie (Laprie, 1992): Dependability is that

property of a computing system which allows

reliance to be justiﬁably placed on the service

it delivers.

Badreddin (Badreddin, 1999): Dependability

in general is the capability of a system to suc-

cessfully and safely fulﬁll its mission.

Dubrova (Dubrova, 2006): Dependability is

the ability of a system to deliver its intended

level of service to its users.

All four deﬁnitions have in common that they deﬁne

dependability on the service a system delivers and the

trust that can be placed on that service. As mentioned

before the service a system delivers is the behavior as

it is perceived by the user, which in our case is also

called the mission of the system.

A more quantitative deﬁnition for dependability used

in (Avizienis et al., 2004a) is:

Dependability of a system is the ability to

avoid service failures that are more frequent

and more severe than is acceptable by the

user(s).

This deﬁnition, however, does not directly include

the service the system is intended to deliver nor does

it include the time up to which the system has to

deliver the intended service.

Derived from the above deﬁnitions and the behavioral

deﬁnition of a system a behavior-based deﬁnition

for dependability for autonomous mobile robots was

introduced in (R

udiger et al., 2007). This includes

the deﬁnition of a mission which coresponds with the

service mentioned above.

4 ATTRIBUTES OF

DEPENDABILITY

According to (Avizienis et al., 2004b; Avizienis et al.,

2004a; Randell, 2000) the dependability is an inte-

Dependability

Attributes

Availability

Reliability

Safety

Conﬁdentiality

Integrity

Maintainability

Threats

Faults

Errors

Failures

Means

Fault Prevention

Fault Tolerance

Fault Removal

Fault Forecasting

Figure 1: The dependability tree.

grated concept that further consists of the attributes

(see also Figure 1)

• Availability readiness for correct service,

• Reliability continuity of correct service,

• Safety absence of catastrophic consequences for

the user(s) and the environment,

• Conﬁdentiality absence of unauthorized disclo-

sure of information,

• Integrity absence of improper system state alter-

ation and

• Maintanability ability to undergo modiﬁcations

and repairs.

In (Candea, 2003) only reliability, availability and

safety together with security is listed; however, se-

curity is seen as an additional concept as described

below.

In (Dewsbury et al., 2003) the dependability attributes

for home systems are deﬁned as:

• Trustworthiness the system behaves as the users

expects,

• Acceptability a system that is not acceptable will

not be used,

• Fitness for its purpose the system must ﬁt the

purpose it was designed for and

• Adaptability the system must evolve over time

and react to changes in the environment and the

user.

The dependability speciﬁcations of a system must set

requirements for the above attributes. Based on a spe-

ciﬁc system the dependability of the system depends

on those requirements for a subset or all of the above

attributes. Since the (sub-)systems are designed in a

behavioral context it is common to also describe the

attributes of dependability in a behavioral context or

the other way round to describe the requirements for

BEHAVIOR BASED DESCRIPTION OF DEPENDABILITY - Defining a Minium Set of Attributes for a Behavioral

Description of Dependability

343

the attributes on the behavior of the (sub-)system.

Before further describing the attributes it is, however,

important to deﬁne a priority for the attributes.

4.1 Safety

For autonomous mobile robots the main attribute is,

or should be, safety. The attribute safety is not to be

mistaken with the attribute security which is a com-

bination of the attributes conﬁdentiality, integrity and

availability and as thus an additional concept (Sama-

rati and Jajodia, 2000; Cotroneo et al., 2003; Cera

et al., 2004). For a comparison of security and de-

pendability see (Meadows and McLean, 1999). Even

if the the intended service of the system cannot be

fullﬁlled the safety requirements of the system are not

allowed to be violated. Thus, the requirement on the

behavior of the system, as deﬁned in section 2, is that

it must always fullﬁll its safety requirements.

From a reliability point of view, all failures are equal.

In case of safety, those failures are further divided

into fail-safe and fail-unsafe ones. Safety is reliabil-

ity with respect to failures that may cause catastrophic

consequences. Therefore, safety is unformaly deﬁned

as (see e.g. (Dubrova, 2006)):

Safety S(t) of a system is the probability that

the system will either perform its function cor-

rectly or will discontinue its operation in a

fail-safe manner.

In (R

udiger et al., 2007) an area S around the be-

havior of the system B is introduced, which leads to

catastrophic consequences when left. Safety of a sys-

tem Σ is then deﬁned as:

Deﬁnition 4.1 Let Σ = (T, W, B), T = Z or R, be

a time-invariant dynamical system with a safe area

S ⊇ B. The system is said to be safe if for all t ∈ T

the system state w(t) ∈ S.

The deﬁnition is illustrated in Figure 2. This deﬁni-

tion is consistent with the idea that a safe system is

either operable or not operable but in a safe state.

4.2 Availability Vs Realiability

Reliability means (Dubrova, 2006):

Reliability R|

is the probability that the sys-

tem will operate correctly in a speciﬁed oper-

ating environment in the interval [0,t], given

that it worked at time 0.

An autonomous system is, thus, said to be reliable if

the system state does not leave the set of admissible

trajectories B. In contrast to reliability the availabil-

ity is deﬁned at a time instant t while the reliability is

deﬁned in a time interval.

Figure 2: Safety: The system trajectory w leaves the set of

admissible trajectories B but is still considered to be safe

since it remains inside S.

Availability A|

is the probability that a system

is operational at the instant of time t.

Availability is typically important for real-time sys-

tems where a short interrupt can be tolerated if the

deadline is not missed. This also holds for au-

tonomous mobile systems. In (R

udiger et al., 2007)

the availability is deﬁned as:

Deﬁnition 4.2 Let Σ = (T, W, B), T = Z or R, be a

time-invariant dynamical system. The system is said

to be available at time t if w(t) ∈ B. Correspondingly,

the availability of the system is the probability that the

system is available.

For dependable autonomous mobile systems as de-

ﬁned above requirements for reliability are redundant

and can be omitted. In case of reliability and avail-

ability it is sufﬁcient to deﬁne requirements for the

availability.

4.3 Maintainability

A maintainable system is ,,able to react“ either au-

tonomously or by human interaction to changes in the

system and the environment.

Maintainability is the ability of a system to un-

dergo modiﬁcation and repairs.

While the requirements for the ﬁrst two attributes

rather passively deﬁne the dependability of a system,

the maintainability gives the system the ability to re-

act to changes. An event that would reduce or violate

the dependability of the system can counteract to re-

cover the dependability. In (R

udiger et al., 2007) the

maintainability is deﬁned as:

Deﬁnition 4.3 A dynamical system Σ = (T, W, B)

with the behaviors B is said to be maintainable if for

all w

∈ W a w

∈ B and a w : T ∩ [0, t] → W exist,

ICINCO 2007 - International Conference on Informatics in Control, Automation and Robotics

344

Figure 3: Maintainability: The system trajectory w

leaves

the set of admissible trajectories B and is steered back to B

with the trajectory w ∈ B.

with w

′

: T → W deﬁned by:

′

)







1(t

′

)

for t

′

< 0

′

)

for 0 ≤ t

′

≤ t

2(t

′

−t)

for t

′

> t

The deﬁnition is illustrated in Figure 3. An au-

tonomous mobile system is said to be maintainable

if it is able to steer the system from any trajectory

w 6∈ B back to the set of admissible trajectories B in

time [0,t].

4.4 Conﬁdentiality and Integrity

Conﬁdentiality has been deﬁned by the International

Organization for Standardization (ISO) as ”ensuring

that information is accessible only to those autho-

rized to have access”. This attribute is very important

for systems like operating systems or transaction sys-

tems. For autonomous mobile robots, however, this

attribute is underpart. If informations of the system

will be available un-authorized then this will not re-

duce the dependability of the autonomous mobile sys-

tem. For this attribute the functions of the underlaying

operating system are used.

When a program is executed on a system it is usually

checked whether the program is allow to be runned by

the user. Integrity ensures that the program ﬂow and

the information of the program will not be altered dur-

ing the execution. Even if a change, wether it was on

purpose, by an external or by soft- or hardware fail-

ure, in the program ﬂow could be severe this aspect is

already covered by the safety attribute.

5 DISCUSSION

Dependability

Attributes

Availability

Reliability

Safety

Conﬁdentiality

Integrity

Maintainability

Threats

Faults

Errors

Failures

Means

Fault Prevention

Fault Tolerance

Fault Removal

Fault Forecasting

Figure 4: The resulting dependability tree.

The resulting dependability tree for autonomous mo-

bile systems is shown in Figure 4. The requirements

for the safety assures that failures in the system will

not lead to catastrophic consequences. The require-

ments for the availability assures that the system is

operational at the desired time instances t and ﬁnally

the maintainability requirements assures that even in

case of changes of the system or the environment the

system is able to react and modify itself to maintain

the dependability of the system.

6 CONCLUSION

Dependability is part of the non-functional proper-

ties of a system which reﬂect the overall quality of

a system. Qualitative deﬁnitions for dependability

like in (Carter, 1982; Laprie, 1992; Badreddin, 1999;

Dubrova, 2006) further divide the dependability into

attributes. Those attributes are again rather qualitative

and also not distinct. Autonomous mobile systems

are often described by their behavior. This aspect was

utilized in this paper to propose a minimum subset of

the attributes of dependability, as deﬁned in (R

udiger

et al., 2007), which are deﬁned quantitative and can

still ensure the dependability of the autonomous mo-

bile system.

REFERENCES

Avizienis, A., Laprie, J.-C., and Randell, B. (2004a). De-

pendability and its threats: A taxonomy.

Avizienis, A., Laprie, J.-C., Randell, B., and Landwehr, C.

(2004b). Basic concepts and taxonomy of dependable

BEHAVIOR BASED DESCRIPTION OF DEPENDABILITY - Defining a Minium Set of Attributes for a Behavioral

Description of Dependability

345

and secure computing. IEEE Trans. on Dependable

and Secure Computing, 1(1):11–33.

Badreddin, E. (1999). Safety and dependability of mecha-

tronics systems. In Lecture Notes. ETH Z

urich.

Brooks, R. A. (1986). A robust layered control system for a

mobile robot. IEEE Journal of Robotics and Automa-

tion, 2(1):14–23.

Candea, G. (2003). The basics of dependability.

Carter, W. (1982). A time for reﬂection. In Proc. 12th

Int. Symp. on Fault Tolerant Computing (FTCS-12).

FTCS-12) IEEE Computer Society Press Santa Mon-

ica.

Cera, C. D., Kim, T., Han, J., and Regli, W. C. (2004). Role-

based viewing envelopes for information protection in

collaborative modeling.

Cotroneo, D., Mazzeo, A., Romano, L., and Russo, S.

(2003). An architecture for security-oriented perfec-

tive maintenance of legacy software.

Dewsbury, G., Sommerville, I., Clarke, K., and Rounce-

ﬁeld, M. (2003). A dependability model for domestic

systems. In SAFECOMP, pages 103–115.

Dubrova, E. (2006). Fault tolerant design: An introduction.

Draft.

Franch, X. and Botella, P. (1998). Putting non-functional

requirements into software architecture.

Jaeger, H. (1996). Brains on wheels: Mobile robots for

brain research.

Jones, C. (2003). A formal basis for some dependability

notions.

Laprie, J. C. (1992). Dependable computing: Basic con-

cepts and terminology. Ed. Springer Verlag, 1992.

Meadows, C. and McLean, J. (1999). Security and depend-

ability: then and now. In Computer Security, Depend-

ability, and Assurance: From Needs to Solutions, 7-

9 July 1998 & 11-13 November 1998, York, UK &

Williamsburg, VA, USA, pages p.166–70. Los Alami-

tos, CA, USA : IEEE Comput. Soc, 1999.

Michaud, F. Adaptability by behavior selection and obser-

vation for mobile robots.

Randell, B. (1999). Dependability - a unifying concept.

Randell, B. (2000). Turing Memorial Lecture: Facing up to

faults. j-COMP-J, 43(2):95–106.

udiger, J., Wagner, A., and Badreddin, E. (2007). Behav-

ior based deﬁnition of dependability for autonomous

mobile systems. European Control Conference.

Samarati, P. and Jajodia, S. (2000). Data security.

Sutcliffe, A. G. and Minocha, S. (1998). Scenario-based

analysis of non-functional requirements.

Torres-Pomales, W. (2000). Software Fault Tolerance: A

Tutorial.

Willems, J. (1991). Paradigms and puzzles in the theory of

dynamical systems. Automatic Control, IEEE Trans-

actions on, 36(3):259–294.

ICINCO 2007 - International Conference on Informatics in Control, Automation and Robotics

346