Dependability TSW 10 Anders P. Ravn Aalborg University November 2009.

Dependability

TSW 10Anders P. Ravn

Aalborg UniversityNovember 2009

Characteristics of a RTS

• Timing Constraints• Dependability Requirements• Concurrent control of separate components • Facilities to interact with special purpose

hardware

Dependability - impediments

• Faults • Errors• Failures

BW Ch 2, ...

Fault Error Failure ...Fault

System and Component

Dependability - attributes

• Availability• Reliability• Safety• Confidentiality• Integrity• Maintainability

BW Ch 2

Dependability - means

• Fault prevention • Fault tolerance• Error Removal• Failure Forecasting

BW Ch 2

Fault classification

• Origin

• Kind

• Property

• physical (internal/external)

• logical (design/interaction)

• omission

• value

• timing

byzantine

• duration (permanent, transient)

• consistency (determinate, nondeterminate)

• autonomy (spontaneous, event-dependent)

Error Classification

• (Fault Error)

• Effect

• Extent

• latent

• effective

• local

• distributed

Failure Classification

• (Fault Failure)

• Consequence • benign

• malign (a mishap)

BW (Failure modes) Ch 2

Dependability - means

• Fault prevention • Fault tolerance• Error Removal• Failure Forecasting

Fault Prevention

• Careful Design

• Conservative Design

• process (procedures)

• notations

• tools

• robust functionality

• testability

• tracability

Dependability - means

• Fault prevention • Fault tolerance• Error Removal• Failure Forecasting

Error Removal

• Verification (analysis of design)

• Test (analysis of implementation)

Dependability - means

• Fault prevention • Fault tolerance• Error Removal• Failure Forecasting

Failure Forecasting

• Calculation – analysis of design

• Simulation – measurement on design

• Test -- measurement on implementation

Dependability - means

• Fault prevention • Fault tolerance• Error Removal• Failure Forecasting

BW Ch 2

Fault Tolerance

Means to isolate component faults

Prevents system failures

May increase system dependability

... And mask them

Fault Tolerance

FT - levels

• Full tolerance

• Graceful Degradation

• Fail safeBW Ch 2

FT basis: Redundancy

• Time

• Space

Try Retry Retry ...

TryTry

Try

...

BW Ch 2

N-version programming

V1 V2 V3

Driver (comporator)

Comparison vectors (votes)

Comparison status indicators

BW Ch 2Comparison points

Fault classification (scope of N-VP)

• Origin

• Kind

• Property

• physical (internal/external)

• logical (design/interaction)

• omission

• value

• timing

byzantine

• duration (permanent, transient)

• consistency (determinate, nondeterminate)

• autonomy (spontaneous, event-dependent)

++

(+)++(+)

+ / (+)

+ / ++ / +

Dynamic Redundancy

1. Error detection

2. Damage confinement and assessment

3. Error recovery

4. Fault treatment and continued service

BW Ch 2

Error Detection

f: State x Input State x Output• Environment (exception)• Application

BW Ch 2

Assertion:• precondition (input)• postcondition (input, output)• invariant(state, state’)

Timing:• WCET(f, input) • Deadline (f,input)

D

Damage Confinement

• Static structure

• Dynamic structure

BW Ch 2

object

object

II

Error Recovery

• Forward • Backward

BW Ch 2

Repair the state – if you can !

• define recovery points• checkpoint state at r. p.• roll back• retry

Domino effect

Recovery blocks

ENSURE acceptance_testBY { module_1 }ELSE BY { module_2 } ...ELSE BY { module_m }ELSE ERROR

BW Ch 2

The ideal FT-component

Exception HandlerNormal mode

Request/response

Request/response

Interfaceexception

Interfaceexception

Failureexception

Failureexception

BW Ch 2