FLOW-SERVICE-QUALITY (FSQ) SYSTEMS ENGINEERING 15
A SEMANTIC MODEL FOR FSQ
In large-scale network systems, flows can engage in extensive traversals of network nodes and
communication links, where the behaviors of invoked services cannot always be known and predicted.
In this environment, a variety of uncertainty factors must be managed, including:
1. Unpredictable function—a service may be provided by commercial off-the-shelf (COTS)
vendors or external service providers (ESP) without complete behavior definitions. Thus
components of unpredictable function and reliability may not perform the expected operations
every time, or at any time, they are invoked.
2. Compromised function—a service may have been compromised or disrupted by an intrusion
or physical attack and may not be able to perform its function correctly or at all.
3. High-risk function—a service may not be able to provide adequate levels of the quality
attributes required by a flow.
4. Modified function—a service may be modified or replaced as part of routine maintenance,
error correction, or system upgrade, with intentional or inadvertent modification of its
function.
5. Asynchronous function—a service may be used simultaneously and asynchronously by
other flows, and thus produce results that depend on an unpredictable history of use, both
legitimate and illegitimate.
These factors are pervasive behavioral realities of network-centric systems (Schneider, 1999).
Dealing with them is an enterprise risk management problem with potentially serious consequences.
It is vital to take appropriate actions to continue system operations in the environments they
create. FSQ engineering is intended to provide a systematic means for defining information system
flows, services, and quality attributes despite these persistent uncertainties.
The mathematical semantics of the FSQ framework are defined to support development and
verification of flows for such uncertain environments as a standard engineering practice. To allow
for unpredictable behavior of services, flow semantics require specification of only the processing
that a flow itself performs and not the processing of the services it invokes. Flow specification
requires definition of appropriate actions by a flow for all possible responses of key services, both
desired and undesired. Thus, if the behavior of an invoked service changes for any reason, the
specification and verification of the invoking flow need not change. This approach accommodates
the realities of today's network systems and offers important advantages. For mission
survivability, it requires that the uncertainty factors be dealt with explicitly in specification,
design, and dynamic execution, thereby addressing important aspects of enterprise risk management. It permits
flows and reasoning about them to be localized yet complete. And it permits flow structures to be
defined by simple deterministic structures despite the underlying asynchronous behavior of their
constituent services. These deterministic structures can be refined, abstracted, and verified using
straightforward compositional methods for human understanding and intellectual control.
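As an added illustration, not code from the FSQ paper or its authors, the following Python sketches a flow specified in the style just described: the flow's own processing is defined for every response class of a service it invokes, desired and undesired, and the history of invocations is carried as part of the flow's state, so the flow's behavior is a deterministic mapping from (stimulus, history) to (response, history') no matter what the service does. The four response classes, the constructed service stand-ins, the deadline value, and the names `Flow`, `Outcome`, and `balance_flow` are this example's own assumptions.

```python
"""Added example (not from the FSQ paper): a flow whose specification covers
every response class of an invoked service and whose state includes the
history of service invocations.  All names, response classes, and the
constructed service stand-ins below are this example's own assumptions."""
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List
import time

# Assumed classification of whatever an invoked service does: exactly one
# class applies to every invocation, so the flow has an action for each.
RESPONSE_CLASSES = ("ok", "malformed", "failed", "timeout")


@dataclass(frozen=True)
class Outcome:
    """One service invocation as recorded in the flow history."""
    service: str
    kind: str            # one of RESPONSE_CLASSES
    value: Any = None    # raw service result, kept for 'ok' and 'malformed'
    detail: str = ""     # diagnostic for 'failed' and 'timeout'


@dataclass
class Flow:
    """Flow state is its invocation history; behaviour is a mapping
    (stimulus, history) -> (response, history')."""
    history: List[Outcome] = field(default_factory=list)

    def invoke(self, name: str, service: Callable[[Any], Any], arg: Any,
               validate: Callable[[Any], bool], deadline_s: float = 0.1) -> Outcome:
        """Invoke an unpredictable service and classify whatever comes back.

        The flow never assumes the service honours its contract: a result that
        fails `validate` is 'malformed', an exception of any type is 'failed',
        and no answer within `deadline_s` is 'timeout'.  Every outcome, desired
        or not, is appended to the history before control returns."""
        with ThreadPoolExecutor(max_workers=1) as pool:
            future = pool.submit(service, arg)
            try:
                result = future.result(timeout=deadline_s)
            except FutureTimeout:
                outcome = Outcome(name, "timeout", detail=f"no response within {deadline_s}s")
            except Exception as exc:  # the service may fail in any way at all
                outcome = Outcome(name, "failed", detail=type(exc).__name__)
            else:
                kind = "ok" if validate(result) else "malformed"
                outcome = Outcome(name, kind, value=result)
        self.history.append(outcome)
        return outcome

    def consecutive_failures(self, name: str) -> int:
        """Number of trailing non-'ok' outcomes for `name` in the history."""
        count = 0
        for out in reversed(self.history):
            if out.service != name:
                continue
            if out.kind == "ok":
                break
            count += 1
        return count


def balance_flow(flow: Flow, service: Callable[[str], Any], account: str,
                 max_failures: int = 3) -> Dict[str, Any]:
    """The flow's own processing, specified for all four response classes.

    The history is part of the specification: after `max_failures` consecutive
    bad outcomes from the balance service, the flow stops invoking it and
    answers from policy, even if the service has since recovered."""
    if flow.consecutive_failures("balance") >= max_failures:
        return {"status": "bypassed", "reason": "balance service isolated after repeated bad responses"}
    out = flow.invoke("balance", service, account,
                      validate=lambda r: isinstance(r, int) and r >= 0)
    if out.kind == "ok":
        return {"status": "served", "balance": out.value}
    if out.kind == "malformed":
        return {"status": "rejected", "reason": f"unusable response {out.value!r} discarded"}
    # 'failed' and 'timeout': keep the mission going with a degraded answer
    return {"status": "degraded", "reason": out.detail}


# Constructed stand-ins for the uncertainty factors in the text (assumed, not real services).
def healthy(account: str) -> int:
    return 120

def corrupted(account: str) -> Any:      # modified or compromised: wrong shape
    return {"balance": "lots"}

def broken(account: str) -> int:         # compromised or disrupted: raises
    raise ConnectionError("connection reset")

def hung(account: str) -> int:           # high-risk: misses the deadline
    time.sleep(0.5)
    return 120


def run_demo() -> List[str]:
    """Drive one flow through services of differing behaviour; return the statuses."""
    flow = Flow()
    return [balance_flow(flow, svc, "acct-1")["status"]
            for svc in (healthy, corrupted, broken, hung, healthy)]


if __name__ == "__main__":
    print(run_demo())
```

Swapping the service (healthy, corrupted, broken, hung) changes which branch `balance_flow` takes but not the flow's specification, which is the localization property the text claims; and the final call to the healthy service is bypassed rather than served, because three bad outcomes are in the history and the history is part of the specified behavior.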
It turns out that these objectives require extension of the traditional functional semantics model.
The FSQ semantic model is based on the well-known concept of services as rules for mathematical
functions (or relations if flows include concurrent operations), that is, mappings from domains
(inputs, stimuli) to ranges (outputs, responses) (Hoffman and Weiss, 2001; Linger, Mills, and Witt,
1979; Mills, Linger, and Hevner, 1986; Prowell et al., 1999). The key extension required to deal
systematically with uncertainty is to make the histories of service invocations themselves part
of the specified behavior of flows. Mathematically, this is achieved by including the invocation