1. Dependability TSW 10 Anders P. Ravn Aalborg University November 2009

2. Characteristics of a RTS Timing Constraints Dependability Requirements Concurrent control of separate components Facilities to interact with special purpose hardware

3. Dependability - impediments Faults Errors Failures BW Ch 2,... FaultErrorFailure... Fault

4. System and Component

5. Dependability - attributes Availability Reliability Safety Confidentiality Integrity Maintainability BW Ch 2

6. Dependability - means Fault prevention Fault tolerance Error Removal Failure Forecasting BW Ch 2

7. Fault classification Origin Kind Property physical (internal/external) logical (design/interaction) omission value timing byzantine duration (permanent, transient) consistency (determinate, nondeterminate) autonomy (spontaneous, event-dependent)

8. Error Classification (Fault  Error) Effect Extent latent effective local distributed

9. Failure Classification (Fault  Failure) Consequence benign malign (a mishap) BW (Failure modes) Ch 2

10. Dependability - means Fault prevention Fault tolerance Error Removal Failure Forecasting

11. Fault Prevention Careful Design Conservative Design process (procedures) notations tools robust functionality testability tracability

12. Dependability - means Fault prevention Fault tolerance Error Removal Failure Forecasting

13. Error Removal Verification (analysis of design) Test (analysis of implementation)

14. Dependability - means Fault prevention Fault tolerance Error Removal Failure Forecasting

15. Calculation – analysis of design Simulation – measurement on design Test -- measurement on implementation

16. Dependability - means Fault prevention Fault tolerance Error Removal Failure Forecasting BW Ch 2

17. Fault Tolerance Means to isolate component faults Prevents system failures May increase system dependability... And mask them

18. Fault Tolerance

19. FT - levels Full tolerance Graceful Degradation Fail safe BW Ch 2

20. FT basis: Redundancy Time Space TryRetry... Try... BW Ch 2

21. N-version programming V1 V2 V3 Driver (comporator) Comparison vectors (votes) Comparison status indicators BW Ch 2 Comparison points

22. Fault classification (scope of N-VP) Origin Kind Property physical (internal/external) logical (design/interaction) omission value timing byzantine duration (permanent, transient) consistency (determinate, nondeterminate) autonomy (spontaneous, event-dependent) + (+) ++ (+) + / (+) + / +

23. Dynamic Redundancy 1.Error detection 2.Damage confinement and assessment 3.Error recovery 4.Fault treatment and continued service BW Ch 2

24. Error Detection f: State x Input  State x Output Environment (exception) Application BW Ch 2 Assertion: precondition (input) postcondition (input, output) invariant(state, state’) Timing: WCET(f, input) Deadline (f,input) D

25. Damage Confinement Static structure Dynamic structure BW Ch 2 object I I

26. Error Recovery Forward Backward BW Ch 2 Repair the state – if you can ! define recovery points checkpoint state at r. p. roll back retry Domino effect

27. Recovery blocks ENSURE acceptance_test BY { module_1 } ELSE BY { module_2 }... ELSE BY { module_m } ELSE ERROR BW Ch 2

28. The ideal FT-component Exception HandlerNormal mode Request/response Interface exception Interface exception Failure exception Failure exception BW Ch 2