Towards Architecture-based Self-Healing Systems
Eric M. Dashofy, André van der Hoek, and Richard N. Taylor
WOSS'02, November 18, 2002

What is "self-healing?"

Fault-Tolerant
- Connotes fault-based repair and understanding
- Faults are likely pre-specified
- Repair strategies are also pre-specified

Self-Healing
- Connotes goal-based repair and understanding
- Unexpected faults are expected
- Arbitrary repair strategies constructed at runtime

Key Question: What is the difference between a fault-tolerant and a self-healing system?

Overall Vision
[Diagram: a loop between the Architectural Model and the Implementation. Plan Changes -> Deploy Change Descriptions -> Enact Changes & Collect Observations -> Evaluate & Monitor Observations -> Plan Changes. The model and the implementation "Maintain Consistency"; planning is labelled "Choose repair strategy" and deployment "Model & enact repair strategy".]

Our Focus
[Same diagram as Overall Vision, with the part of the loop addressed by this work highlighted.]

Additional Aspects of the Approach

Architectural Styles
- Loosely-coupled, event-based
- Foundation for runtime change
- Foundation for monitoring

Systems described in extensible ADL
- Description accompanies deployed system
- Repair strategies expressed in terms of architecture description

Expressing Repair Strategies Using Architecture Differencing
[Diagram sequence: Architecture 1 (bound to running system) consists of Comp1, Comp2, Comp3, Comp4 and Comp5 joined through CONN; a Smart Monitoring Agent is watching it.]
1. Malfunction detected in Comp4.
2. The Smart Monitoring Agent creates a description of Architecture 2, in which Comp6 takes the place of Comp4. (Note: opportunity for architecture analysis here.)
3. The Differencing Engine creates an "architectural diff" describing the differences between the two architectures. Diff 1: Remove Comp4, Add Comp6.

Effecting Repairs Using Architectural Diffs
[Diagram sequence: Repair Plan 1 (Remove Comp4, Add Comp6); Architecture 1 is bound to the Running System through the Architecture Evolution Manager, which maintains consistency between them.]
1. The Architecture Merging Engine merges architectural diffs into architecture descriptions.
2. The merge is performed against Architecture 1. (Note: A "what-if" merge can also be done against a copy of the architecture description for validation or analysis.)
3. After the merge, Architecture 1 contains Comp6 in place of Comp4, and the Architecture Evolution Manager keeps the running system consistent with the updated description.

Applications Targeted

Spacecraft / Spacecraft Ground Systems
- Architecture modeling formalism, ideas about dynamism already being adopted by MDS project at JPL

Other component-based, event-driven systems
- Military command and control

Multi-agency systems
- Coalition warfare among allied partners with independently developed systems

Future Work / Top Ideas

Distributed Dynamism
- Making repairs in the face of
  - (Partial) link failure
  - (Partial) node failure
  - Asymmetric connectivity

Are diffs sufficient as repair plans?
- Ordering of changes
- Additional information needed to make changes

Approaches to quiescence
- Inspired by Kramer &
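As an added illustration (not code from the paper or from the authors' tools), the following Python sketch models the differencing and merging engines from the "Expressing Repair Strategies" and "Effecting Repairs" slides, together with the "what-if" merge used to validate a repair plan before the bound description, and hence the running system, is touched. The architecture representation (named elements plus directed links, with the connector CONN modelled as an element), the consistency rule (no link may refer to a missing element), the evolution-manager gate and the constructed sample (Comp1..Comp5 joined through CONN, Comp4 replaced by Comp6) are assumptions made for this example. It also fixes an order for the merge's removals and additions so that no intermediate state has a dangling link, which is one of the ordering questions the Future Work slide raises.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Link:
    """A directed link between two named elements (components or connectors)."""
    source: str
    target: str


@dataclass
class Architecture:
    """Minimal architecture description: named elements plus links between them.
    Connectors such as CONN are modelled as elements, like components (assumption)."""
    elements: set[str] = field(default_factory=set)
    links: set[Link] = field(default_factory=set)

    def copy(self) -> Architecture:
        return Architecture(set(self.elements), set(self.links))

    def consistency_problems(self) -> list[str]:
        """A description is consistent when every link ends at an element it contains."""
        problems = []
        for link in sorted(self.links, key=lambda l: (l.source, l.target)):
            for end in (link.source, link.target):
                if end not in self.elements:
                    problems.append(f"{link.source}->{link.target} refers to missing element {end}")
        return problems


@dataclass
class ArchDiff:
    """An 'architectural diff': what to remove from and add to a description."""
    remove_elements: set[str] = field(default_factory=set)
    add_elements: set[str] = field(default_factory=set)
    remove_links: set[Link] = field(default_factory=set)
    add_links: set[Link] = field(default_factory=set)


def diff_architectures(old: Architecture, new: Architecture) -> ArchDiff:
    """Differencing engine: set difference in both directions."""
    return ArchDiff(
        remove_elements=old.elements - new.elements,
        add_elements=new.elements - old.elements,
        remove_links=old.links - new.links,
        add_links=new.links - old.links,
    )


def merge(arch: Architecture, diff: ArchDiff) -> Architecture:
    """Merging engine: apply a diff in place. Links are removed before the elements
    they touch and new elements are added before the links that need them, so no
    step leaves a dangling link."""
    arch.links -= diff.remove_links
    arch.elements -= diff.remove_elements
    arch.elements |= diff.add_elements
    arch.links |= diff.add_links
    return arch


def what_if_merge(arch: Architecture, diff: ArchDiff) -> list[str]:
    """Trial merge against a copy; returns consistency problems, leaving arch untouched."""
    return merge(arch.copy(), diff).consistency_problems()


def enact_repair(arch: Architecture, diff: ArchDiff) -> bool:
    """Evolution-manager gate: only touch the bound description if the what-if merge is clean."""
    if what_if_merge(arch, diff):
        return False
    merge(arch, diff)
    return True


def build_architecture_1() -> Architecture:
    # Constructed sample mirroring the slides: Comp1 and Comp2 feed CONN, which feeds Comp3..Comp5.
    elems = {"Comp1", "Comp2", "Comp3", "Comp4", "Comp5", "CONN"}
    links = {Link("Comp1", "CONN"), Link("Comp2", "CONN"),
             Link("CONN", "Comp3"), Link("CONN", "Comp4"), Link("CONN", "Comp5")}
    return Architecture(elems, links)


def build_architecture_2() -> Architecture:
    # The monitoring agent's proposal: Comp4 malfunctioned, so Comp6 takes its place.
    arch = build_architecture_1()
    arch.elements.remove("Comp4")
    arch.links.remove(Link("CONN", "Comp4"))
    arch.elements.add("Comp6")
    arch.links.add(Link("CONN", "Comp6"))
    return arch


def run_repair_scenario() -> dict:
    arch1 = build_architecture_1()
    repair_plan = diff_architectures(arch1, build_architecture_2())
    # An incomplete plan that drops Comp4 but forgets its link: the what-if merge rejects it.
    sloppy_plan = ArchDiff(remove_elements={"Comp4"}, add_elements={"Comp6"})
    return {
        "plan_removes": sorted(repair_plan.remove_elements),
        "plan_adds": sorted(repair_plan.add_elements),
        "sloppy_problems": what_if_merge(arch1, sloppy_plan),
        "sloppy_enacted": enact_repair(arch1, sloppy_plan),
        "good_enacted": enact_repair(arch1, repair_plan),
        "final_elements": sorted(arch1.elements),
        "final_consistent": arch1.consistency_problems() == [],
    }


if __name__ == "__main__":
    for key, value in run_repair_scenario().items():
        print(f"{key}: {value}")
```

The what-if merge is the validation hook the slides mention: because it runs against a copy, a malformed repair plan (here, one that removes Comp4 while leaving CONN's link to it) is caught before the description bound to the running system, and therefore the running system itself, changes.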