The CONIC, Rex and Regis work demonstrated the utility of using a separate architectural language for describing system structure. Current work is centred on the Darwin language. This supports multiple views, including both a service view for system construction and a behaviour view for system modelling and analysis. An environment, the Architect's Assistant, supports the design of distributed Darwin/Regis programs.
Behaviour modelling is supported by modelling the behaviour of individual components and composing them to form composite components based on the architecture. The work thus exploits the positive experience in the use of configuration languages for system description and construction as the basis for formal specifications, i.e. using configurations of specifications as a means for specifying and analysing systems in a compositional manner. The work, which was conducted in the TRACTA project, uses LTS (labelled transition systems) as the underlying formalism, with specifications given in FSP (Finite State Processes), a process algebra. Model checking is provided by the LTSA analysis tool, which supports graphical LTS displays, animation, and safety and progress checking.
Current work includes investigation of dynamic configuration management, self-organising software architectures, and mobile systems.
Current projects in this field include:
Jeff Kramer
Presentation at 16th ICSE Conference, Sorrento, Italy, May 1994
The term "Distributed Software Engineering" is ambiguous. It includes both the engineering of distributed software and the process of distributed development of software, such as cooperative work. This paper concentrates on the former, giving an indication of the special needs and rewards in distributed computing. In essence, we argue that the structure of these systems as interacting components is a blessing which forces software engineers towards compositional techniques which offer the best hope for constructing scalable and evolvable systems in an incremental manner. We offer some guidance and recommendations as to the approaches which seem most appropriate, particularly in languages for distributed programming, specification and analysis techniques for modelling and distributed paradigms for guiding design.
Jeff Magee, Naranker Dulay, Susan Eisenbach, Jeff Kramer
Proc. of 5th European Software Engineering Conference (ESEC '95), Sitges, September 1995, LNCS 989, (Springer-Verlag), 1995, 137-153
There is a real need for clear and sound design specifications of distributed systems at the architectural level. This is the level of the design which deals with the high-level organisation of computational elements and the interactions between those elements. The paper presents the Darwin notation for specifying this high-level organisation. Darwin is in essence a declarative binding language which can be used to define hierarchic compositions of interconnected components. Distribution is dealt with orthogonally to system structuring. The language supports the specification of both static structures and dynamic structures which may evolve during execution. The central abstractions managed by Darwin are components and services. Services are the means by which components interact. In addition to its use in specifying the architecture of a distributed system, Darwin has an operational semantics for the elaboration of specifications such that they may be used at runtime to direct the construction of the desired system. The paper describes the operational semantics of Darwin in terms of the pi-calculus, Milner's calculus of mobile processes. The correspondence between the treatment of names in the pi-calculus and the management of services in Darwin leads to an elegant and concise pi-calculus model of Darwin's operational semantics. The model is used to argue the correctness of the Darwin elaboration process. The overall objective is to provide a soundly based notation for specifying and constructing distributed software architectures.
Keng Ng, Jeff Kramer, Jeff Magee
Accepted for Journal of Automated Software Engineering (JASE), Special Issue on CASE-95, 1996
This paper describes the Software Architect's Assistant, an automated visual tool for the design and construction of Regis distributed programs. Unlike conventional CASE tools and their supported methodologies, the Architect's Assistant supports a compositional approach to program development in which the software architecture plays a central role throughout the software life-cycle - from the early design stage through to system management and evolution. In its implementation, we have addressed some of the limitations of existing CASE tools, particularly in the degree of automated support offered to the human developer. Conscious effort has been made to maximise usability and efficiency, primarily by enhancing the level of automation and flexibility together with careful design of the user interface. Our objective is to provide a tool which automates all mundane clerical tasks, enforces program correctness and consistency and, at the same time, accommodates the individual working styles of its users. Although currently specific to the development of Regis programs, the Architect's Assistant embodies concepts and ideas which are applicable to CASE tools in general.
Jeff Kramer, Jeff Magee
Coordination Languages and Models, 2nd International Conference COORDINATION '97, Berlin, 1997, 18-31
One of the ways in which we cope with large and complex systems is to abstract away some of the detail, considering them at an architectural level as compositions of interacting components. To this end, the variously termed Coordination, Configuration and Architectural Description Languages (ADL) facilitate description, comprehension and reasoning at that level, providing a clean separation between individual component behaviour and their interaction in a software architecture. However, in the search to provide sufficient detail for reasoning, analysis or construction, many approaches are in danger of obscuring the essential structural aspect of the architecture, thereby losing the benefit of abstraction. In this paper we argue for the use of a concise and simple language explicitly designed for describing architectural structures. This can be used to provide the “skeleton” upon which to add the particular details of concern when necessary. Systems described in this way have an explicit and exposed skeleton which, being shared, helps to maintain consistency between the various elaborated views. To illustrate our approach, we use the Darwin architectural description language and the Tracta approach for compositional reachability analysis.
Jeff Kramer, Jeff Magee
IEEE Trans. on Software Eng., SE-16, 11 (1990), pp 1293-1306.
One of the major challenges in the provision of distributed systems is the accommodation of evolutionary change. This may involve modifications or extensions to the system which were not envisaged at design time. Furthermore, in many application domains there is a requirement that the system accommodate such change dynamically, without stopping or disturbing the operation of those parts of the system unaffected by the change. Since the description of software structure (components and interconnections) provides a clear means for both system comprehension and construction, it seems appropriate that changes should also be specified as structural change, in terms of component creation/deletion and connection/disconnection. These changes are then applied to the operational system. This paper presents a model for dynamic change management which separates structural concerns from component application concerns. This separation of concerns permits the formulation of general structural rules for change at the configuration level without the need to consider application state, and the specification of application component actions without prior knowledge of the actual structural changes which may be introduced. In addition, the changes can be applied in such a way as to leave the modified system in a consistent state, and cause no disturbance to the unaffected part of the operational system. The model is applied to an example problem, "evolving philosophers". The principles described in this model have been implemented and tested in the Conic environment for distributed systems.
Kaveh Moazami Goudarzi, Jeff Kramer
Proc. of 3rd International Conference on Configurable Distributed Systems (CDS '96), Annapolis, Maryland, USA, May 1996; pp 62-69; IEEE Computer Society Press
With the increasing demand for long running and highly available distributed services, interest in systems which can undergo dynamic reconfiguration has risen. However, for dynamic change to yield valid systems, change actions must be carried out such that the consistency of the software modules making up the system is not breached. This can be ensured if the subset of the system which is to undergo change is in a state amenable to reconfiguration. This paper presents an algorithm which imposes a safe state over the part of the system undergoing change. The algorithm suits a particular class of transactional systems and places special emphasis on minimising the interference to the rest of the system and reducing the programmer contribution necessary for achieving this safe state.
Halldor Fossa, Morris Sloman
Proc. of 3rd International Conference on Configurable Distributed Systems (CDS '96), Annapolis, Maryland, USA, May 1996; pp 44-51; IEEE Computer Society Press
This paper describes an environment for interactive configuration management of software for distributed applications and services. Configuration management involves creating the components which form a distributed service, allocating these components to physical nodes and binding the interfaces of the components to each other or to existing services. Components register both required and provided interfaces in a domain service. We describe a graphical configuration environment, based on the Darwin configuration language, which can be used to create the required configurations and maintain the configuration structure as part of the overall systems management infrastructure. The paper describes a simple example to show how an initial system can be constructed and subsequently reconfigured at run-time without shutting down the system.
I. Georgiadis, J. Magee and J. Kramer
ACM SIGSOFT Workshop on Self-Healing Systems (WOSS '02), Charleston, South Carolina, November 18, 2002
A self-organising software architecture is one in which components automatically configure their interaction in a way that is compatible with an overall architectural specification. The objective is to minimise the degree of explicit management necessary for construction and subsequent evolution whilst preserving the architectural properties implied by its specification. This paper examines the feasibility of using architectural constraints as the basis for the specification, design and implementation of self-organising architectures for distributed systems. Although we focus on organising the structure of systems, we show how component state can influence re-configuration via interface attributes.
Shing Chi Cheung, Jeff Kramer
Journal of Automated Software Engineering (JASE), 2 (1), (1994), 5-32
Compositional Reachability Analysis is a popular technique for studying the behaviour of finite state distributed systems. The technique is applied by a repetition of local analyses, the basic steps that construct and examine the behaviour of subsystems. In most cases, the behaviour of a subsystem is constrained by its environment (called its context), formed by neighbouring components. These behaviour constraints are normally not considered when using local analysis in conventional techniques of compositional reachability analysis. As a result, many execution paths derived in the local analysis may never actually be traversed by the subsystem: the constraints make them impossible to traverse. Such paths are unnecessary for understanding the subsystem behaviour, and their removal greatly simplifies the local analysis. In this paper, we describe an elegant technique, called contextual local analysis, to include these behaviour constraints in conventional local analysis. The technique can dramatically alleviate the state explosion problem encountered in local analysis. It also facilitates early detection of anomalous behaviour of a distributed system at its design stage. The technique works by composing an interface process with the subsystem being examined. That interface process is chosen so that it captures the behaviour constraints enforced by the environment while its composition with the subsystem does not affect the global system behaviour. This interface process can be automatically derived using a simple algorithm. The contextual local analysis technique results in a simplified labelled transition system which can be substituted for the original subsystem in the construction of the global system behaviour. The contextual local analysis technique is illustrated with a clients/server example implementing a round-robin protocol.
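As an added illustration of the LTS composition described in the group overview above and of the contextual local analysis abstract just given, the following Python (written for this page, not code from LTSA, FSP or the paper) composes labelled transition systems FSP-style and then shows how a round-robin server context prunes a client subsystem's locally reachable states. The clients/server model is constructed here; the paper's own model and interface-process derivation are not reproduced.

```python
from collections import deque

class LTS:
    """Deterministic LTS in the FSP style: trans maps (state, action) -> next state.
    Processes here are built so that every state in trans is reachable from init."""
    def __init__(self, trans, init=0):
        self.trans, self.init = dict(trans), init
        self.alphabet = {a for (_, a) in trans}
        self.states = {s for (s, _) in trans} | set(trans.values())

def compose(p, q):
    """FSP-style parallel composition p || q: shared actions synchronise, the rest
    interleave; only product states reachable from (p.init, q.init) are explored."""
    shared, init = p.alphabet & q.alphabet, (p.init, q.init)
    trans, seen, todo = {}, {init}, deque([init])
    while todo:
        s, t = todo.popleft()
        for a in p.alphabet | q.alphabet:
            ps, qt = p.trans.get((s, a)), q.trans.get((t, a))
            if a in shared:
                nxt = (ps, qt) if ps is not None and qt is not None else None
            elif a in p.alphabet:
                nxt = (ps, t) if ps is not None else None
            else:
                nxt = (s, qt) if qt is not None else None
            if nxt is not None:
                trans[((s, t), a)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return LTS(trans, init)

def cycle(*actions):
    """Cyclic process P = (a0 -> a1 -> ... -> P), as it would be written in FSP."""
    return LTS({(i, a): (i + 1) % len(actions) for i, a in enumerate(actions)})

# Constructed round-robin clients/server model (illustrative, not the paper's own).
CLIENT1 = cycle("req1", "resp1", "work1")
CLIENT2 = cycle("req2", "resp2", "work2")
SERVER = cycle("req1", "resp1", "req2", "resp2")  # client 1 is served, then client 2

def local_states():
    """Client subsystem analysed in isolation: all 3 x 3 interleavings (9 states)."""
    return compose(CLIENT1, CLIENT2).states

def contextual_states():
    """Client-subsystem states still reachable once the server context is composed
    in: (1, 1), both clients awaiting a reply, cannot arise under round-robin service."""
    return {cs for (cs, _) in compose(compose(CLIENT1, CLIENT2), SERVER).states}
```

The difference between `local_states()` and `contextual_states()` is the set of paths the abstract calls "made impossible by the constraints"; the full system explores 12 of the 36 product states.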
Shing Chi Cheung, Jeff Kramer
Proc. of 16th IEEE Int. Conf. on Software Engineering (ICSE-16), Sorrento, 1994, 309-320
Behaviour analysis is a valuable aid for the design and maintenance of well-behaved distributed systems. Dataflow and reachability analyses are two orthogonal but complementary behaviour analysis techniques. Individually, each of these techniques may be inadequate for the analysis of large-scale distributed systems. On the one hand, dataflow analysis algorithms, while tractable, may not be sufficiently accurate to provide meaningful detection of errors. On the other hand, reachability analysis, while providing exhaustive analysis, may be computationally too expensive for complex systems. In this paper, we present a method which integrates a dataflow and a reachability analysis technique to provide a flexible and effective means for analysing distributed systems at preliminary and final design stages respectively. We also describe some effective measures taken to improve the adequacy of the individual analysis techniques using concepts of action dependency and context constraints. A prototype supporting the method has been built and its performance is described in the paper. A realistic example of a distributed track control system is used as a case study.
Shing Chi Cheung, Jeff Kramer
Proc. of 18th IEEE Int. Conf. on Software Engineering (ICSE-18), Berlin, 1996
The software architecture of a distributed program can be represented by a hierarchical composition of subsystems, with interacting processes at the leaves of the hierarchy. Compositional reachability analysis has been proposed as a promising automated method to derive the overall behavior of a distributed program in stages, based on its architecture. The method is particularly suitable for the analysis of programs which are subject to evolutionary change. When a program evolves, only the behavior of those subsystems affected by the change need be re-evaluated. The method however has a limitation. The properties available for analysis are constrained by the set of actions that remain globally observable. The properties of subsystems, however, may not be analyzed. In this paper, we extend the method to check safety properties of subsystems which may contain actions that are not globally observable. These safety properties can still be checked in the framework of compositional reachability analysis. The extension is supported by augmenting finite-state machines with a special undefined state. The state is used to capture possible violation of the safety properties specified by software developers. In the paper, the concepts are illustrated using a gas station system as a case study.
Web pages maintained by Arosha Bandara (bandara@doc.ic.ac.uk), unless otherwise indicated.