
Showing papers on "Dependability published in 1990"


Book
01 Jan 1990
TL;DR: Methodology and Framework for Fault Tolerance.- Idealised Fault Tolerant Components.- Failure Exceptions.- Critical Components.- The Future.
Abstract: 1 Introduction.- Fault Prevention and Fault Tolerance.- Anticipated and Unanticipated Faults.- Book Aim.- References.- 2 System Structure and Dependability.- System Structure.- Systems.- System Model.- Software/Hardware Interaction.- Interpreter Model of Systems.- Component Model of Systems.- Measures and Mechanisms.- Atomic Actions.- System Dependability and Reliability.- Dependability.- Failure and Reliability.- System Specification.- Multiple Specifications.- Erroneous Transitions and States.- Component/Design Failures.- Errors and Faults.- Fault Classifications.- Summary.- References.- 3 Fault Tolerance.- Fault Tolerance: How.- Principles of Fault Tolerance.- Redundancy.- Fault Tolerance: Where and How Much.- Quantitative Reliability Evaluation.- Hardware Reliability Models.- Software Reliability Models.- An Implementation Framework.- Exceptions and Exception Handling.- Classification of Exceptions.- Exception Handling in Software Systems.- Exception Propagation.- Summary of Exception Handling.- References.- 4 Fault Tolerant Systems.- ESS No. 
1A.- System Description.- Reliability Strategies.- SIFT and FTMP.- SIFT System Design.- SIFT Reliability Strategies.- FTMP System Design.- FTMP Reliability Strategies.- Tandem.- Tandem Reliability Strategies.- Stratus.- Stratus Reliability Strategies.- References.- 5 Error Detection.- Measures for Error Detection.- Ideal Checks.- Types of Check.- Replication Checks.- Timing Checks.- Reversal Checks.- Coding Checks.- Reasonableness Checks.- Structural Checks.- Diagnostic Checks.- Mechanisms for Error Detection.- Structuring Error Detection in Systems.- References.- 6 Damage Confinement and Assessment.- Damage Confinement.- Measures for Damage Confinement.- Measures for Damage Assessment.- Mechanisms for Damage Confinement.- Protection Mechanisms.- Mechanisms for Damage Assessment.- Summary.- References.- 7 Error Recovery.- Concepts of Error Recovery.- State Restoration.- Forward and Backward Error Recovery.- Measures for Forward Error Recovery.- Backward Error Recovery.- Facilities for Backward Error Recovery.- Measures For Backward Error Recovery.- Mechanisms For Backward Error Recovery.- Checkpoints and Audit Trails.- The Recovery Cache.- Unrecoverable Components.- Recovery in Hierarchical Systems.- Recovery in Concurrent Systems.- Concurrent Processes.- Recovery for Competing Processes.- Recovery for Cooperating Processes.- Distributed Systems.- Recovery in Idealised Fault Tolerant Components.- Summary.- References.- 8 Fault Treatment and Continued Service.- Fault Location.- System Repair.- Resuming Normal Service.- Idealised Fault Tolerant Components.- Summary.- References.- 9 Software Fault Tolerance.- The Recovery Block Scheme.- Implementation of Recovery Blocks.- The Utility of Recovery Blocks.- Acceptance Tests.- Run-Time Overheads.- Experiments With Recovery Blocks.- Summary of Recovery Blocks.- The N-Version Programming Scheme.- Implementation of N-Version Programming.- Voting Check.- Experiments With N-Version Programming.- Summary of N-Version 
Programming.- Comparison with the Recovery Block Scheme.- Summary.- References.- 10 Conclusion.- Methodology and Framework for Fault Tolerance.- Idealised Fault Tolerant Components.- Failure Exceptions.- Critical Components.- The Future.- References.- References.- Annotated Bibliography.- Multiple Sources.- Fault Tolerant Systems.- August Systems.- COMTRAC.- COPRA.- C.vmp.- ESS Systems (Bell Laboratories).- Fault Tolerant Multiprocessor (FTMP).- Fault Tolerant Spaceborne Computer (FTSC).- IBM 9020.- JPL-STAR Computer.- MARS.- Plessey System 250.- Pluribus.- PRIME.- Sequoia.- Software Implemented Fault Tolerance (SIFT).- Space Shuttle Computer Complex.- Stratus.- Tandem.- VOTRICS.- Software Fault Tolerance.- Multiple Source.- Recovery Blocks.- N-Version Programming.- Other Software Fault Tolerance Papers.- Exception Handling.

946 citations


Journal ArticleDOI
TL;DR: The authors address the problem of validating the dependability of fault-tolerant computing systems, in particular, the validation of the fault-Tolerance mechanisms through the use of fault injection at the physical level on a hardware/software prototype of the system considered.
Abstract: The authors address the problem of validating the dependability of fault-tolerant computing systems, in particular, the validation of the fault-tolerance mechanisms. The proposed approach is based on the use of fault injection at the physical level on a hardware/software prototype of the system considered. The place of this approach in a validation-directed design process and with respect to related work on fault injection is clearly identified. The major requirements and problems related to the development and application of a validation methodology based on fault injection are presented and discussed. Emphasis is put on the definition, analysis, and use of the experimental dependability measures that can be obtained. The proposed methodology has been implemented through the realization of a general pin-level fault injection tool (MESSALINE), and its usefulness is demonstrated by the application of MESSALINE to the experimental validation of two systems: a subsystem of a centralized computerized interlocking system for railway control applications and a distributed system corresponding to the current implementation of the dependable communication system of the ESPRIT Delta-4 Project.

584 citations


Journal ArticleDOI
TL;DR: Failures, faults, and errors in digital systems are examined, and measures of dependability, which dictate and evaluate fault-tolerance strategies for different classes of applications, are defined.
Abstract: The basic concepts of fault-tolerant computing are reviewed, focusing on hardware. Failures, faults, and errors in digital systems are examined, and measures of dependability, which dictate and evaluate fault-tolerance strategies for different classes of applications, are defined. The elements of fault-tolerance strategies are identified, and various strategies are reviewed. They are: error detection, masking, and correction; error detection and correction codes; self-checking logic; module replication for error detection and masking; protocol and timing checks; fault containment; reconfiguration and repair; and system recovery.

396 citations


Journal ArticleDOI
TL;DR: In this article, the authors developed a set of performance measures for irrigation water delivery systems in terms of adequacy, efficiency, dependability, and equity of water delivery, which can be incorporated in an irrigation system monitoring program and can provide a framework for assessing system improvement alternatives.
Abstract: Performance measures are developed that facilitate analysis of irrigation‐water delivery systems in terms of adequacy, efficiency, dependability, and equity of water delivery. The measures provide a quantitative assessment not only of overall system performance, but also of contributions to performance from the structural and management components of the system. Spatial and temporal distributions of required, scheduled, deliverable, and delivered water are used to calculate the performance measures. These variables may be estimated by a combination of field‐measurement and simulation techniques. The performance measures can be incorporated in an irrigation‐system monitoring program and can provide a framework for assessing system improvement alternatives. They are amenable to decomposition analysis of systems, allowing assessment of trends in performance among distinctly defined subregions or comparison of performance at different levels of system‐network hierarchy. Example applications to systems typical...

321 citations


Journal ArticleDOI
TL;DR: FIAT is capable of emulating a variety of distributed system architectures and it provides the capabilities to monitor system behavior and inject faults for the purpose of experimental characterization and validation of a system's dependability.
Abstract: The results of several experiments conducted using the fault-injection-based automated testing (FIAT) system are presented. FIAT is capable of emulating a variety of distributed system architectures, and it provides the capabilities to monitor system behavior and inject faults for the purpose of experimental characterization and validation of a system's dependability. The experiments consist of exhaustively injecting three separate fault types into various locations, encompassing both the code and data portions of memory images, of two distinct applications executed with several different data values and sizes. Fault types are variations of memory bit faults. The results show that there are a limited number of system-level fault manifestations. These manifestations follow a normal distribution for each fault type. Error detection latencies are found to be normally distributed. The methodology can be used to predict the system-level fault responses during the system design stage.

253 citations


Journal ArticleDOI
TL;DR: Dependability modeling and evaluation of the two major fault tolerance software approaches-recovery blocks (RBs) and N version programming (NVP)-are presented, showing that the proposed analysis approach can be applied to such realistic software structures and that when an alternate is itself an RB, the results are analogous to the case of the addition of a third alternate.
Abstract: Dependability modeling and evaluation (encompassing reliability and safety issues) of the two major fault tolerance software approaches, recovery blocks (RBs) and N-version programming (NVP), are presented. The study is based on the detailed analysis of software fault-tolerance architectures able to tolerate a single fault (RB: two alternates and an acceptance test; NVP: three versions and a decider). For each approach a detailed model based on the software production process is established and then simplified by assuming that only a single fault type may manifest during execution of the fault-tolerant software and that no error compensation may take place within the software. The analytical results obtained make it possible to identify the improvement, compared to a non-fault-tolerant software, that could result from the use of RB (the acceptance test has to be more reliable than the alternates) and NVP (related faults among the versions and the decider have to be minimized) and to determine the most critical types of related faults. Nested RBs are studied, showing that the proposed analysis approach can be applied to such realistic software structures and that when an alternate is itself an RB, the results are analogous to the case of the addition of a third alternate. The reliability analysis shows that only a small improvement can be expected.

102 citations


Proceedings ArticleDOI
01 Jan 1990
TL;DR: The main advantage of the failure classification is the possibility of characterizing systems with respect to their failure modes, providing designers with a way to choose the most appropriate detection techniques for each particular system.
Abstract: A comprehensive classification of failures in computing systems is discussed. The underlying guidelines are: (1) a failure classification must be independent of any particular system; that is, it should be able to be applied to every system; (2) a failure classification must be as detailed as possible; (3) treatment of failures following detection and other parameters, such as the severity of failures, are to be considered as a second step, since they may require a defined categorization. The main advantage of the failure classification is the possibility of characterizing systems with respect to their failure modes, providing designers with a way to choose the most appropriate detection techniques for each particular system.

85 citations


Book ChapterDOI
TL;DR: This chapter describes the computer system dependability analysis and its types, different classes of dependability measures, Markov and Markov reward models commonly involved for dependable analysis and their solution methods, and demonstrates the use of these methods.
Abstract: Publisher Summary Dependability calculates the capability of a product to deliver its intended level of service to the user, especially in light of failures or other incidents that impinge on its performance, and combines various underlying ideas, such as reliability, maintainability, availability, and user demand patterns, into a basic overall measure of quality, which customers use along with cost and performance to evaluate products. This chapter describes the computer system dependability analysis and its types, different classes of dependability measures, Markov and Markov reward models commonly involved for dependability analysis and their solution methods. The three classes of dependability measures are system availability measures, system reliability measures, and task completion measures. The chapter also describes four types of dependability analyses: evaluation, sensitivity analysis, specification determination, and tradeoff analysis. A model-based evaluation, or sometimes a hybrid approach based on a judicious combination of models and measurements, is used for cost-effective dependability analysis. The chapter discusses the determination of the parameters, such as failure rates, coverage probabilities, repair rates, and reward rates as well as model verification and validation. The chapter also demonstrates the use of these methods, a detailed dependability analysis on a full-system example representative of existing computer systems.

45 citations


Proceedings ArticleDOI
26 Jun 1990
TL;DR: It is found that an effective method for selecting the rescheduling distribution is to keep the probability of a failure transition in the range between 0.1 and 0.5, and their potential effectiveness in simulations of systems with nonexponential failure and repair time distributions are demonstrated.
Abstract: An approach to simulating models of highly dependable systems with general failure and repair time distributions is described. The approach combines importance sampling with event rescheduling in order to obtain variance reduction in such rare event simulations. The approach is general in nature and allows effective simulation of a variety of features commonly arising in dependability modeling. For example, it is shown how the technique can be applied to systems with periodic maintenance. The effects on the steady-state availability of the maintenance period and of different failure time distributions are explored. Some of the trade-offs involved in the design of specific rescheduling rules are described, and their potential effectiveness in simulations of systems with nonexponential failure and repair time distributions is demonstrated. It is found that an effective method for selecting the rescheduling distribution is to keep the probability of a failure transition in the range between 0.1 and 0.5.

42 citations


Journal Article
TL;DR: The concept of adaptive relaying, which allows computer relays to monitor themselves and to report their condition to a central location, and various applications, including load effect, cold load pickup, end-of-line protection, transformer protection, and automatic reclosing are explained.
Abstract: The concept of adaptive relaying is explained. The reasons for choosing adaptive relaying are examined, and various applications are described. These include load effect, cold load pickup, end-of-line protection, transformer protection, and automatic reclosing. The tradeoff between dependability and security of protection is discussed. The ability of computer relays to monitor themselves and to report their condition to a central location is also discussed.

40 citations


Journal ArticleDOI
TL;DR: A description is given of a service dependability management process intended to assure high-quality telecommunications services for ISDN, intelligent network, common channel signaling, broadband service capabilities, and other new network service concepts.
Abstract: Service dependability is defined as comprising reliability, availability, maintainability, and survivability, and the service dependability management process is addressed. A description is given of a service dependability management process intended to assure high-quality telecommunications services for ISDN, intelligent network, common channel signaling, broadband service capabilities, and other new network service concepts. Techniques for assessing network dependability are briefly considered.

Proceedings ArticleDOI
15 Oct 1990
TL;DR: The development of DEPEND, an integrated simulation environment for the design and dependability analysis of fault-tolerant systems, is described and a distributed system which employs a prediction-based, dynamic load-balancing heuristic is evaluated.
Abstract: The development of DEPEND, an integrated simulation environment for the design and dependability analysis of fault-tolerant systems, is described. DEPEND models both hardware and software components at a functional level, and allows automatic failure injection to assess system performance and reliability. It relieves the user of the work needed to inject failures, maintain statistics, and output reports. The automatic failure injection scheme is geared toward evaluating a system under high stress (workload) conditions. The failures that are injected can affect both hardware and software components. To illustrate the capability of the simulator, a distributed system which employs a prediction-based, dynamic load-balancing heuristic is evaluated. Experiments were conducted to determine the impact of failures on system performance and to identify the failures to which the system is especially susceptible.

Journal ArticleDOI
TL;DR: A tutorial on dependability and performance-related dependability models for multiprocessors is presented, and the status of research efforts on performance- related dependability is discussed and the models' effectiveness is illustrated with a few numerical examples.
Abstract: A tutorial on dependability and performance-related dependability models for multiprocessors is presented. Multiprocessors are classified as having shared-memory or distributed-memory architectures, and some fundamental dependability modeling concepts are introduced. Reliability models based on four types of reliability evaluation techniques (terminal, multiterminal, task-based, and network reliability) are examined. The status of research efforts on performance-related dependability is discussed, and the models' effectiveness is illustrated with a few numerical examples. A brief survey of software packages for dependability computation is included.

Journal ArticleDOI
TL;DR: In this paper, the authors present a methodology for determining the optimal number of observations to use in a measurement design when resource constraints are imposed when considering the dependability of behavioral measurements.
Abstract: Generalizability theory is a measurement theory that provides a framework for examining the dependability of behavioral measurements. When limited resources are available, determining the appropriate number of conditions to use in a measurement design is not a simple task. This paper presents a methodology for determining the optimal number of observations to use in a measurement design when resource constraints are imposed.

Journal ArticleDOI
TL;DR: An experiment was performed using the design diversity approach in the specification, design, implementation, and testing of distributed software, finding many pitfalls in mapping the formal specifications into Ada implementations.
Abstract: Distributed software engineering techniques and methods for improving the specification and testing phases are considered. To examine these issues, an experiment was performed using the design diversity approach in the specification, design, implementation, and testing of distributed software. In the experiment, three diverse formal specifications were used to produce multiple independent implementations of a distributed communication protocol in Ada. The problems encountered in building complex concurrent processing systems in Ada were also studied. Many pitfalls were discovered in mapping the formal specifications into Ada implementations.

Journal Article
TL;DR: The design methodologies for fault-tolerant, real time and responsive systems will be presented and novel techniques of introducing redundancy for improved performance and dependability will be illustrated.

01 Dec 1990
TL;DR: This thesis deals with three aspects of quantitative evaluation of fault-tolerant and distributed computer and communication systems: performability evaluation techniques, performability modelling tools, and Performability modelling applications.
Abstract: This thesis deals with three aspects of quantitative evaluation of fault-tolerant and distributed computer and communication systems: performability evaluation techniques, performability modelling tools, and performability modelling applications. Performability modelling is a relatively new modelling technique, which combines aspects of performance modelling and dependability modelling. Performability modelling is concerned with the derivation of performance measures of systems, given that these systems might change their structure, e.g., due to the occurrences of failures and repairs. With the proliferation of fault-tolerant and distributed computer and communication systems in all parts of society, the ability to model and evaluate these systems during their lifecycle is of key importance. Chapter 1 describes the need for modelling, the various types of model evaluation techniques, the structure of the thesis and the aims of the research. These research aims are: to get insight in the requirements to be met by software tools for performability modelling and evaluation; to design new performability modelling tools; to demonstrate the usability of these newly developed tools; to develop new, efficient evaluation techniques. In order to fulfil these aims, it is necessary to get insight in: existing performability modelling tools; performability model evaluation techniques; application areas for performability modelling and evaluation. Chapters 2 through 10 are devoted to these research aims. In Chapter 2 an overview is given of the existing performability evaluation techniques, where emphasis is put on evaluation techniques based on behavioural decomposition and Markov reward analysis. In Chapter 3 an overview is given of software tools for performability modelling and evaluation. 
A general modelling tool framework is discussed as well as a number of requirements that have to be fulfilled by any performability modelling tool to be designed. In Chapter 4 the application areas that are in the scope of this thesis are addressed. Fault-tolerant computer systems, distributed computer systems, and communication systems are discussed. By stressing the performance and dependability determining aspects of these systems, a list of system aspects is derived that a performability modelling tool must be able to model. In Chapter 5 the performability modelling tool Proper is discussed. With this tool performance models can be addressed in which some fault-tolerance aspects are included. An example is given of the use of Proper and its advantages and disadvantages are discussed. In Chapter 6 the dynamic queueing network concept is introduced, a performability modelling concept that in many respects does improve upon the tool Proper. Moreover, the dynamic queueing network concept fulfils practically all the requirements that have to be fulfilled according to the discussions in Chapters 2 to 4. In Chapter 7 the design and implementation of DyQNtool, a software tool supporting the dynamic queueing network concept is discussed. In Chapter 8 three applications of the dynamic queueing network concept are discussed. The first application addresses a distributed computer system. This application perfectly fits the dynamic queueing network concept, and due to its size, shows the need for software tools for performability modelling. The second example addresses a flexible manufacturing system. This application can not be completely modelled conveniently; the inconvenience follows from the limited applicability of product form queueing networks and not from the dynamic queueing network concept as such. In the last example we address systems with a very general dynamically changing structure. This application does not fit in the dynamic queueing network concept. 
However, a new, wider class of models is defined in which dynamic resource allocation plays an important role. Some examples of systems falling in this new class of models are given. In Chapter 9 the mathematical aspects of performability modelling are revisited. Since performability models tend to become very large, computationally efficient evaluation techniques are required. In this chapter therefore a number of product forms as well as a number of model size reduction (state space truncation) techniques are discussed. In Chapter 10 the overall conclusions are drawn from the thesis, the fulfilment of the research aims are discussed, and future research areas are indicated.

Proceedings ArticleDOI
Geppino Pucci
26 Jun 1990
TL;DR: A reliability model for recovery block structures based on error events that can be observed and distinguished during testing and employed at different points of the development cycle to assess or forecast the quality of project choices and the resulting product.
Abstract: The author proposes a reliability model for recovery block structures based on error events that can be observed and distinguished during testing. Strategies are described for the collection of failure histories, which are needed to estimate the model parameters and obtain dependability predictions. Given that the software goes through different testing stages, the model can be employed at different points of the development cycle to assess or forecast the quality of project choices and the resulting product.

Proceedings ArticleDOI
24 Jun 1990
TL;DR: ASSURE is described, an automated design for dependability advisor, which is part of the MICON system for rapid prototyping of small computer systems, and its operation includes dependability analysis, evaluation of dependability enhancement techniques using predictive estimation, and selection of a technique.
Abstract: Design for dependability has long been an important issue for computer systems. While several dependability analysis tools have been produced, no effort has been made to automate the design for dependability. This paper describes ASSURE, an automated design for dependability advisor, which is part of the MICON system for rapid prototyping of small computer systems. A design for dependability methodology and a formal interface between synthesis and dependability analysis are presented. ASSURE's operation includes dependability analysis, evaluation of dependability enhancement techniques using predictive estimation, and selection of a technique. Different kinds of knowledge used in designing for dependability are identified, including an algorithmic approach for dependability analysis and a knowledge-based approach for suggesting dependability enhancement techniques. Examples of designs produced using ASSURE as a dependability advisor are provided and show an order of magnitude dependability improvement.

Dissertation
01 Jan 1990
TL;DR: The dissertation proposes a methodology for developing the control software of these systems, and develops a set of software tools that enhance the applicability of this methodology.
Abstract: Designing efficient and dependable manufacturing systems has always been a major goal of modern computer-integrated manufacturing. The dissertation proposes a methodology for developing the control software of these systems, and develops a set of software tools that enhance the applicability of this methodology. These tools aid in planning the set of operations of a manufacturing job, generating a cyclic schedule for processing a batch of jobs, and monitoring the operations of the system while this batch is being processed. The syntax and semantics of a component-oriented rule-based language for specifying the formal models of manufacturing systems is presented. A model captures the state of a component of the system in a set of first-order logic predicates, and it captures the semantics of the operations performed by this component in a set of rules that determine the preconditions and postconditions of an operation. These models are used in planning the sequence of operations of each class of jobs to be manufactured by these systems. To achieve efficiency, the reservation table technique is used to create optimum cyclic job-shop schedules for processing a batch of identical jobs or a mix of jobs from several classes on these systems. A reservation table is derived from the plan of a job. This table is then used to determine the theoretical maximum job initiation rate and the set of all possible initiation strategies for the batch. In some cases, this theoretical maximum rate is achieved by increasing the flow time of the job. The above technique inherently allows multiple devices to be reserved concurrently, it can deal with transport time explicitly, and it achieves higher initiation rates by including cycles that involve multiple job initiations. To achieve dependability, a plan-oriented fault detection and correction strategy is proposed. 
This strategy can automatically handle any combination of faults that may occur when monitoring the operations of manufacturing systems. A fault-tree is consulted prior to executing the scheduled operations of a plan, and the faults that affect the execution of these operations are handled subsequently. Resuming the original cyclic schedule is attempted, whenever feasible.

Journal ArticleDOI
TL;DR: This paper surveys the literature on the research work available in the area of dependability modelling, with particular emphasis on the modelling techniques, the adopted numerical methodologies and the implemented software tools.

Proceedings ArticleDOI
01 Sep 1990
TL;DR: It is shown that the behavior of the routing algorithm is vital for the dependability of the system, and that the transitions induced by the algorithm should be stable or at least transitively stable.
Abstract: Issues regarding the effect of routing and load-balancing algorithms on the stability of a fault-tolerant distributed database system are examined. Reference is mainly to control algorithms. It is shown that the behavior of the routing algorithm is vital for the dependability of the system, and that the transitions induced by the algorithm should be stable or at least transitively stable. Degradation indexes are defined for the system dependability, and some open questions are raised.

Journal ArticleDOI
TL;DR: A comprehensive service dependability management process to be established by service providers is recommended for three new technologies: fiber network architectures, common channel signaling, and intelligent network architectures.
Abstract: Assuring the dependability of telecommunication services in the face of increasing customer expectations, revolutionary changes being made or proposed in networks, and recent disruptive disasters are discussed. Work focused on reducing vulnerability to network element outages is described and examined for three new technologies: fiber network architectures, common channel signaling, and intelligent network architectures. A comprehensive service dependability management process to be established by service providers is recommended.

Proceedings ArticleDOI
01 Jan 1990
TL;DR: This program is structured as a direct mapping of a logical switching system model, mapping each logical component to a software 'object'; concurrent objects are introduced for multi-processing, and sequential objects are introduced to efficiently implement objects that need no concurrency.
Abstract: This paper details a concurrent object-oriented switching program with the following aspects that improve program maintainability and dependability. This program is structured as a direct mapping of a logical switching system model, mapping each logical component to a software 'object'. Concurrent objects are introduced for multi-processing, and sequential objects are introduced to efficiently implement objects that need no concurrency. Switching programs must meet the very severe requirements of real-time multi-processing services, but the existing object-oriented programming languages have insufficient efficiency and concurrency. Because of this, concurrent object-oriented programming has been devised for Chill (the CCITT recommended language), and a simple preprocessor can be used to enhance its writability and readability.

Book ChapterDOI
17 Dec 1990
TL;DR: When specifying systems which have some real-time or safety-critical aspect to them, it has been suggested that the specification must necessarily represent properties of the system other than just functionality, for example, properties which could be examined might include timeliness, security and dependability.
Abstract: When specifying systems which have some real-time or safety-critical aspect to them, it has been suggested that the specification must necessarily represent properties of the system other than just functionality, for example, properties which could be examined might include timeliness, security and dependability.

Proceedings ArticleDOI
27 May 1990
TL;DR: This paper analyzes different classes of service, identifies their characteristics, and presents tradeoffs to be considered in the implementation of individual services.
Abstract: Intelligent Network (IN) architecture planners envision many different kinds of network structure to provide service offerings. These structures vary from arrangements where service logic is located in the switch to those where it is located in a Network Element (NE) physically remote from the switch. This service logic is expressed through Service Logic Programs (SLPs). SLP placement in one, or several, of a wide variety of locations is considered. This paper analyzes different classes of service, identifies their characteristics, and presents tradeoffs to be considered in the implementation of individual services. In addition, considerations of the effects of service descriptions and groupings, as well as service performance, economics, dependability, operations support, and billing needs on SLP placement are included.

Journal ArticleDOI
TL;DR: This survey paper deals with the design of fault tolerant real-time systems; different fault tolerance strategies are presented in order to achieve a level of dependability which is optimal for the particular application environment.

Journal Article
TL;DR: In this paper, performance measures are developed which facilitate analysis of irrigation water delivery systems in light of the objectives of adequacy, efficiency, dependability and equity of water delivery.
Abstract: Performance measures are developed which facilitate analysis of irrigation water delivery systems in light of the objectives of adequacy, efficiency, dependability and equity of water delivery. The measures provide a quantitative assessment, not only of overall system performance, but also of the contributions to performance from both the structural and the management components of the system. Example applications give a flavor of the usefulness of the proposed measures in system evaluation.