Risk Modeling
Page 1: Risk Modeling

Risk Modeling

The Tropos Approach
PhD Lunch Meeting 07/07/2005

Yudistira Asnar – [email protected]

Page 2: Risk Modeling

Definition

• Failure: The inability of a system or component to perform its required functions within specified performance

• Failure mode: The physical or functional manifestation of a failure

• Model of Risk: likelihood, but also the effect (severity) of the failure

Risk = Likelihood * Severity
– Severity: [0,5]
– Likelihood: [0,1]

Page 3: Risk Modeling

Every choice has its own consequences

Page 4: Risk Modeling

Risk Modeling

[Figure: risk model with objectives O1–O3, risks R1–R4 and mitigations M1–M5; risk-to-objective links are labelled IMPACTS and mitigation-to-risk links are labelled EFFECTS, each marked + or -. Taken from DDP]

Page 5: Risk Modeling

Goal Analysis

Page 6: Risk Modeling

Objective of Risk Analysis

• Traditionally:

– Find the most effective and efficient set of mitigation plans such that the risk becomes manageable (a strategy for choosing options)

– Increasing the quality of the system (reliability, safety, availability, etc.)

• Tropos approach: the evaluation of the best solution must be based on
– adopting the traditional objectives
– the REAL cost, which is the cost of achieving the main goals plus the cost of the associated mitigation plans

• This means selecting subgoals while taking into account their risks and the associated mitigation plans
– We should optimize not only one of them, but both at the same time

Page 7: Risk Modeling

Basic Assumption

• A failure mode / risk can be associated with an objective / asset (in Tropos: Goal, Task/Plan, Resource)

• Properties of assets (necessary):
– Rank
– Threshold (confidence level):

• Denial Likelihood (DL) [0,1]
• Satisfaction Level (SL) [0,100]

Page 8: Risk Modeling

Risk Analysis Scenario

• Given the threshold of each asset

– Find the most efficient set of solutions that is acceptable for the given threshold (satisfaction level and denial likelihood)

• Given a budget for accomplishment
– Find the set of solutions (assets and mitigations) with the highest satisfaction level and the least denial likelihood

• How much does it cost to achieve the highest satisfaction and confidence level?

• Etc.

Page 9: Risk Modeling

Case Study

[Figure: case-study goal model; legend: Goal, Independent FM, Dependent FM, Positive Impact, Negative Impact, Mitigation]

Page 10: Risk Modeling

Computing Impact

• Top-level goals are annotated with their importance (Imp), which is defined by the user

• Each leaf goal has a rank (R), a value that comes from the function that computes the order among all of them

• Failure modes are annotated with likelihood (L), a.k.a. probability, and severity (S)

• Links between failure modes and goals are annotated with impact (I) in [-20,20] (e.g. satisfaction reduction)

Page 11: Risk Modeling

Computing Impact

• The risk of a goal G is computed as its Possibility of Loss (PL):
PL_G = R_G * Σ_G (S * L * |I|), summed over links with I ≤ 0

• Mitigation plans are chosen in order to reduce PL_G until it reaches an acceptable value

• PL_G is acceptable if PL_G ≤ R_G * SL * DL

• If there is no mitigation plan for it, we can de-idealize (lower the confidence level of) the least important goal
– How much can we de-idealize?

Page 12: Risk Modeling

Defining Importance

• Propagate the importance of the top-level goal (value: 1, 2, 3, etc.; the bigger, the more important)

• Set of goals with the cheapest cost of satisfying the top-level goal

• Rules: [??]

– And-decomposition: AND(G1,G2) → G3
• Imp_G1 = Imp_G2 = Imp_G3
• Cost_G3 = Cost_G1 + Cost_G2

– Or-decomposition: OR(G1,G2) → G3
• Imp_G3 = 1; Imp_G2 = [1,2) and Imp_G3 = [1,2) (needs to be made more precise)
• Cost_G2 > Cost_G1 ↔ Imp_G2 < Imp_G1
• Cost_G3 = Min(Cost_G1, Cost_G2)

– G3 is a subgoal of both G1 and G2:
• Imp_G3 = Max(Imp_G3-G1, Imp_G3-G2)

Page 13: Risk Modeling

Defining Rank

Page 14: Risk Modeling

Failure Mode

• A failure mode can contribute to an intermediate goal, not just a leaf goal

• Failure modes can contribute not only to goals but also to other failure modes

• A failure mode is traditionally represented as an isolated event, but in reality there are interrelations among failure modes

• Failure mode properties:
– Severity and Likelihood

Page 15: Risk Modeling

Failure Mode

• The contribution of FM1 to FM2 depends on the intrinsic risk of FM1 and the weight of the edge connecting FM1 to FM2

• A contribution among FMs can mean:
– Modifying likelihood
– Modifying severity

• The weight of the edge should represent both

• Traditional fault trees are incomplete; faults should be represented as graphs

Page 16: Risk Modeling

Computing Risk

[Figure: risk graph with nodes R1, M1 and R2]

• In the case study: the contribution of "Explosive User Added" means increasing just the likelihood of "Limited Key Space"

• R: original risk, R': contributed risk, R'': mitigated risk
– R2'' = R2 * M1
– R1'' = R1' * M2
– R1' = R1 + R2''
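As an added example that is not code from the original slides, the PL_G formula from Page 11 and the R/R'/R'' arithmetic above implemented together; the failure-mode names come from the case study, the numeric values are constructed, and treating a mitigation M as a multiplier in [0,1] on the risk is an assumption.

```python
"""Goal risk (Possibility of Loss) with failure-mode contribution and mitigation.
Added example, not code from the original slides. Implements Page 11:
    PL_G = R_G * sum(S * L * |I|) over links with I <= 0,  accepted iff PL_G <= R_G * SL * DL
and the Page 16 arithmetic for a failure mode R2 that contributes to R1:
    R2'' = R2 * M1,   R1' = R1 + R2'',   R1'' = R1' * M2
Assumption: a mitigation factor M is a multiplier in [0,1] applied to the risk (1.0 = none)."""

def intrinsic_risk(severity, likelihood):
    """Original risk R of a failure mode: Severity [0,5] times Likelihood [0,1]."""
    return severity * likelihood

def mitigated_risk(fm, risks, contributions, mitigations, memo=None):
    """R'' of failure mode `fm`: its intrinsic risk plus the mitigated risk of every
    failure mode that contributes to it (R'), scaled by fm's own mitigation factor.
    `contributions` is a list of (source, target) edges; the graph is assumed acyclic."""
    memo = {} if memo is None else memo
    if fm not in memo:
        contributed = risks[fm] + sum(mitigated_risk(src, risks, contributions, mitigations, memo)
                                      for src, dst in contributions if dst == fm)
        memo[fm] = contributed * mitigations.get(fm, 1.0)
    return memo[fm]

def possibility_of_loss(rank, impacts, risk_of):
    """PL_G: goal rank times the summed weighted risk of its negative impacts.
    `impacts` is a list of (failure mode, I) with I in [-20, 20]; positive I is ignored."""
    return rank * sum(risk_of[fm] * abs(i) for fm, i in impacts if i <= 0)

def acceptable(pl, rank, sl, dl):
    """Page 11 acceptance test against the goal's thresholds SL [0,100] and DL [0,1]."""
    return pl <= rank * sl * dl

# Constructed case-study-style data: "Explosive User Added" (R2) contributes to "Limited Key Space" (R1).
RISKS = {"limited_key_space": intrinsic_risk(4, 0.2),     # R1 = 0.8
         "explosive_user_added": intrinsic_risk(2, 0.5)}  # R2 = 1.0
CONTRIB = [("explosive_user_added", "limited_key_space")]
IMPACTS = [("limited_key_space", -10), ("explosive_user_added", +5)]  # links to goal G
RANK, SL, DL = 2, 50, 0.3  # rank and thresholds of goal G (constructed)

def evaluate(mitigations):
    """Return (PL_G, acceptable?) for goal G under the given mitigation factors {fm: M}."""
    risk_of = {fm: mitigated_risk(fm, RISKS, CONTRIB, mitigations) for fm in RISKS}
    pl = possibility_of_loss(RANK, IMPACTS, risk_of)
    return pl, acceptable(pl, RANK, SL, DL)

if __name__ == "__main__":
    print(evaluate({}))                                                       # (36.0, False)
    print(evaluate({"explosive_user_added": 0.5, "limited_key_space": 0.5}))  # (13.0, True)
```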

Page 17: Risk Modeling

Failure Mode Identification

• A goal has 2 dimensions: Satisfy and Maintain

• Failure mode of a goal (negative goal):
– An undesired thing
– Something that is not supposed to be maintained

• Undesired thing
– Set theory: A' = U – A
– What is the Universe? [??]

• Context

• Domain

• Something that is not supposed to be maintained [??]

Page 18: Risk Modeling

Mitigation Plan

• Mitigations are a set of actions to reduce the likelihood and severity of a failure mode:
– Likelihood ≤ threshold denial likelihood
– Severity * Impact ≤ threshold satisfaction level

• One mitigation action can reduce one risk and at the same time increase another risk

• Choosing a plan, considering:
– The severity level of the risk
– Some mitigation plans give the same effect on one particular failure mode

Page 19: Risk Modeling

Mitigation Plan

• Mitigations are annotated with cost (C) and category (Transfer, Prevention, Detection, Retention, Alleviation, etc.)

• The link between a mitigation and a failure mode is annotated with its effect (E) (e.g. reduces/increases the risk)

• Mitigation plan analysis
– And-Or decomposition
– Positive-negative contribution

• A mitigation plan contributes to a goal instead of a failure mode

• A mitigation plan can fail

• Introducing the concept of a time constraint to satisfy a goal and to accomplish a mitigation

Page 20: Risk Modeling

Mitigation Plan Identification

• Based on experience and a repository

• [??]

Page 21: Risk Modeling

Re-Writing Tree

[Figure: AND/OR goal tree for top-level goals G1 and G6 over subgoals G2–G10, with failure modes R1–R4 linked to goals (impacts marked + or -) and mitigations M1–M4 linked to failure modes (effects marked + or -)]

• Solutions to satisfy G1 and G6:
– S1: G3,G4,G8
– S2: G3,G5,G8
– S3: G3,G4,G9,G10
– S4: G3,G5,G9,G10

Page 22: Risk Modeling

Classic Approach

• Top-Down

Page 23: Risk Modeling

Approach to Solve

• Classic: Top-Down, then Bottom-Up adjustment

• Re-Writing Tree

Page 24: Risk Modeling

Re-Writing Tree

[Figure: the goal tree of the previous slide, rewritten as a single node G1-G6 OR-decomposed into the solutions S1, S2, S3, S4, each of which is OR-decomposed over the subsets of its reachable mitigations: [M1,M2,M3], [M2,M3], [M1,M2,M3,M4], [M2,M3,M4]]

• S1: G3,G4,G8 + M1,M2,M3

• S2: G3,G5,G8 + M2,M3

• S3: G3,G4,G9,G10 + M1,M2,M3,M4

• S4: G3,G5,G9,G10 + M2,M3,M4

Page 25: Risk Modeling

Re-Writing Tree

• Find all possible goal solution sets that satisfy the top-level goal

• Find all mitigation plans that are reachable from each goal solution set

• Calculate (cost, confidence level) for every combination of a goal solution set with a subset of the reachable mitigation plans

• Something is needed to reduce the search space
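The three search steps above, together with the AND/OR cost rules from Page 12, as an added example that is not code from the original slides; the tree shape is reconstructed from solutions S1 to S4 and is an assumption, "G11" is a hypothetical name for the unnamed AND node over G9 and G10, and all costs and reachability data are constructed.

```python
"""Re-writing-tree search over goal solutions and mitigation subsets (added example,
not code from the original slides). The AND/OR tree is reconstructed from solutions
S1-S4 and is an assumption; "G11" is a hypothetical name for the unnamed AND node over
G9 and G10. Leaf costs, mitigation costs and reachability are constructed sample data."""
from itertools import chain, combinations, product

TREE = {  # goal -> (decomposition, subgoals); leaf goals do not appear as keys
    "G1": ("AND", ["G2", "G3"]), "G2": ("OR", ["G4", "G5"]),
    "G6": ("AND", ["G3", "G7"]), "G7": ("OR", ["G8", "G11"]),
    "G11": ("AND", ["G9", "G10"]),
}
LEAF_COST = {"G3": 3, "G4": 2, "G5": 4, "G8": 5, "G9": 2, "G10": 2}
REACHABLE = {"G3": {"M2", "M3"}, "G4": {"M1"}, "G9": {"M4"}}  # leaf -> mitigations reachable from it
MIT_COST = {"M1": 1, "M2": 2, "M3": 1, "M4": 3}

def solutions(goal):
    """All leaf sets that satisfy `goal`: OR = any one alternative, AND = one solution per subgoal."""
    if goal not in TREE:
        return [frozenset([goal])]
    kind, subs = TREE[goal]
    if kind == "OR":
        return [s for sub in subs for s in solutions(sub)]
    return [frozenset().union(*combo) for combo in product(*(solutions(s) for s in subs))]

def goal_cost(goal):
    """Page 12 rules: AND cost = sum of subgoal costs, OR cost = min (cheapest alternative)."""
    if goal not in TREE:
        return LEAF_COST[goal]
    kind, subs = TREE[goal]
    return (sum if kind == "AND" else min)(goal_cost(s) for s in subs)

def joint_solutions(tops):
    """Leaf sets satisfying every top-level goal at once; a shared leaf such as G3 is counted once."""
    return sorted({frozenset().union(*c) for c in product(*(solutions(t) for t in tops))}, key=sorted)

def reachable_mitigations(leaves):
    return set().union(*(REACHABLE.get(g, set()) for g in leaves))

def powerset(items):
    items = sorted(items)
    return chain.from_iterable(combinations(items, n) for n in range(len(items) + 1))

def candidates(tops):
    """Every (goal solution, mitigation subset) pair with its REAL cost: goals plus mitigations."""
    out = []
    for leaves in joint_solutions(tops):
        for mits in powerset(reachable_mitigations(leaves)):
            total = sum(LEAF_COST[g] for g in leaves) + sum(MIT_COST[m] for m in mits)
            out.append((sorted(leaves), list(mits), total))
    return out
```

For G1 and G6 this yields the four solutions S1 to S4 of the slide and 36 (solution, mitigation-subset) candidates, which is the search space the last bullet says must be pruned.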

Page 26: Risk Modeling

Severity - Mitigation Plan

Severity   Type of Mitigation Plan
0          Ignorable
1          Alleviation
2          Alleviation, Transfer, Detection, Prevention
3          Detection, Transfer, Prevention
4          Transfer, Prevention
5          Retention
