Peter Tröger, profile picture
Uploaded byPeter Tröger
885 views

Dependable Systems - Introduction (1/16)

The document discusses the concept of dependability in computing systems, defining it as the trustworthiness that allows reliance on the service provided, along with its components like reliability and maintainability. It illustrates the critical importance of dependability through historical examples, such as the Therac-25 accidents and the Air France AF 447 incident, emphasizing how failures can lead to severe consequences. The course aims to address dependability topics including fault tolerance, testing, and metrics to enhance system reliability and performance.

Embed presentation

Downloaded 27 times
Dependable Systems ! Introduction Dr. Peter Tröger
Dependable Systems Course PT 2014 Dependability • Umbrella term for operational requirements on a system • IFIP WG 10.4: "[..] the trustworthiness of a computing system which allows reliance to be justifiably placed on the service it delivers [..]" • IEC IEV: "dependability (is) the collective term used to describe the availability performance and its influencing factors : reliability performance, maintainability performance and maintenance support performance" • Laprie: „ Trustworthiness of a computer system such that 
 reliance can be placed on the service it delivers to the user “ • Adds a third dimension to system quality • General question: How to deal with unexpected events ? • In German: ,Verlässlichkeit‘ vs. ,Zuverlässigkeit‘
 2
Dependable Systems Course PT 2014 English vs. German 3 Dependability Verlässlichkeit Reliability Zuverlässigkeit Availability Verfügbarkeit Safety Sicherheit Security Schutz Maintainability Wartbarkeit Fault Fehlerursache (Fehler) Error Fehlerzustand (Fehler) Failure Ausfall Error Propagation Fehlerausbreitung Fault Prevention Fehlerursachenverhinderung Fault Removal Fehlerursachenbeseitigung Fault Tolerance Fehlertoleranz Fault Forecasting Fehlervorhersage
Dependable Systems Course PT 2014 Computers in Safety-Critical Systems • Different levels of critical participation for a computer system • Information provisioning to human controller on request • Interpretation of data and presentation to the user • Issues command on behalf of the human controller • Replaces human controller • Trend to realize critical systems with commercial-of-the-shelf components • Driven by budget cuts and performance advantage • Puts sole responsibility on software layer, in contrast to early hardware-only redundancy approaches 4
Dependable Systems Course PT 2014 Dependable Systems Motivation Money Life saving Human users Harsh environments Complexity 5
Dependable Systems Course PT 2014 Example: Therac 25 • Radiation therapy engine, involved in 6 accidents between 1985 and 1987 • Two operation modes: High-power spreaded beam, or low power focus beam • Accident: High-power mode without spreader plate activated • Harmful operation not detected due to software flaws • Institutional issues: No independent software review, 
 no risk analysis for failure modes, no test of hardware / software assembling • Engineering issues: No hardware interlock, software re-use from older models, 
 no sensors for hardware check, arithmetic overflow in the check routines • No investigation of single modules 6
Dependable Systems Course PT 2014 Example: Patriot Missile Launcher • Mobile missile launcher, designed for a few hours of operation • Used for Scud defense operation, never designed for it • February 1991 - Battery in Dharan (Saudi Arabia) failed to intercept Scud missile,
 hit army barrack • Software aging problem in system‘s weapon control computer • Target velocity and time 
 demanded as real values, 
 stored as 24-bit integer • Inaccurate tracking computation 
 due to overlong operation 
 ( > 100 hours) • Modified software reached the 
 base one day after the accident 7
Dependable Systems Course PT 2014 Example: Ariane 5 • June 4 1996, self-destruction firework for $500 million • Initiated because boosters were ripping from the rocket • Reasoned by on-board computer reaction on inertia system data • Was not data, but a diagnostic bit pattern due to an overflow error • Identical inertia backup system had shut down milliseconds before • Inertia system from Ariane 4, numbers were never expected to get that high • 64-bit FP to 16-bit signed integer, data conversion in Ada was not protected • No test of full system due to budget limits • System was running after lift off for no special purpose • Possibility for fast restart with brief hold in the countdown, only for Ariane 4 8
declare v_veloc_sensor: float; -- 64 bit floating point h_veloc_sensor: float; v_veloc_bias: integer; -- 16 bit signed integer h_veloc_bias: integer; begin sensor_get (v_veloc_sensor); sensor_get (h_veloc_sensor); v_veloc_bias := integer (v_veloc_sensor); h_veloc_bias := integer (h_veloc_sensor); exception when others => use_irs1(); end; Dependable Systems Course PT 2014 Example: Ariane 5 9
Dependable Systems Course PT 2014 Example: Mars Pathfinder • Successful landing on Mars at July 4th, 1997 • Spontaneous resets after landing • VxWorks operating system, real-time scheduling of data streams and commands • Classical priority inversion - long-running medium-communication task, 
 low-priority meteorological task, reset triggered by watchdog • Antennas performed too good, unexpected timing behavior in data transmission • Problem reproduced with identical Pathfinder on earth • Semaphore had priority inheritance protection, which was switched off for performance optimization 10
Dependable Systems Course PT 2014 Unbounded Priority Inversion • Pathfinder scenario • T1: Periodically checks health of systems • T2: Processes image data • T3: Occasional test on equipment status • T1 and T3 share a protected data structure • T1 must indirectly wait for T2 suspend, which has no relation to it‘s own purpose • T1 timeout lead to full system reset and check 11
Dependable Systems Course PT 2014 Example: Air France AF 447 (May 2009) • Airbus A330 flight at 10.000m through turbulent weather conditions • Ice crystals trigger malfunction in Pitot air pressure sensors • Stream of air normally used for speed computation • Flight speed instruments shut down, followed by auto pilot • Demanded manual angle and thrust level computation by pilots • Flight computer switches to emergency mode (,alternate law 2‘) • Still operational (,fly-by-wire‘), but different flight feeling • Pilots lost physical control over machine, restart of flight computer not successful • Specification for sensors not feasible (written in 1947) • Sensor must be operational till -40 degrees / 9000m height 12
Dependable Systems Course PT 2014 Importance of Dependability for Business • Average costs per hour of downtime (Gartner 1998) • Brokerage operations in finance: $6.5 million • Credit card authorization: $2.6 million • Home catalog sales: $90.000 • Airline reservation: $89.500 • 22-hour service outage of eBay on June 6th 1999 • Interruption of around 2.3 million auctions • 9.2% stock value drop, $3-5 billion of lost revenues • Problems blamed on Sun server software • Banking, telephone system, online games, cloud operations, ... 13
Dependable Systems Course PT 2014 Example: New York Stock Exchange • Credit Suisse trading desk, Nov 14th, 2007 • Automated trading algorithm went mad • Reasoned by misplaced double click in the trading software UI • Hundreds of thousands of bogus order cancellations • DoS nature of fault caused NYSE to freeze up - $150.000 fine 14
Dependable Systems Course PT 2014 Example: Amazon Cloud Outages • 2006 - Elevated levels of authenticated requests from multiple users • Request volumes are monitored, but cryptographic overhead was not considered • Overload on authentication services - performs request processing and validation • S3 service (cloud storage service) became inaccessible, but is the only storage facility supported for Amazon-hosted virtual machines • Took 3,25 hours to solve the problem - live fixing, started at 3am • No SLA promises ever, but trust in cloud-only hosted web sited dropped dramatically • 2009 - 19 hours of outage for bitbucket.org • Code hosting service, relies on EC2 and block storage • UDP / TCP flooding attack influenced also access to storage facility 16
Hello, A few days ago we sent you an email letting you know that we were working on recovering an inconsistent data snapshot of one or more of your Amazon EBS volumes. We are very sorry, but ultimately our efforts to manually recover your volume were unsuccessful. The hardware failed in such a way that we could not forensically restore the data. What we were able to recover has been made available via a snapshot, although the data is in such a state that it may have little to no utility… If you have no need for this snapshot, please delete it to avoid incurring storage charges. We apologize for this volume loss and any impact to your business. Sincerely,
 Amazon Web Services, EBS Support
Dependable Systems Course PT 2014 Example: IBM S/390 Outage Sources • Examination of 16 managed mainframe systems over 6 months (Pfister, 1990) • 92% planned outages, 8% unplanned outages • 32% database backup • 24% database reorganization • 14% system software maintenance • 12% network • 8% applications • 8% hardware • 2% other 18
Dependable Systems Course PT 2014 Tradeoffs 19 0.99999 0.9999 0.999 0.99 0.9 Massively Parallel/ Distributed Systems Commercial Fault-Tolerant Systems Ultra Reliable Systems Availability Throughput (MIPS)
Dependable Systems Course PT 2014 Example: AT&T Electronic Switching System ESS1A • Downtime for entire system not more than 2 hours over 40 years of life • System outage < 3 minutes / year • 100% availability from user perspective • Goal achieved, two minutes of down time [Malek] • 24 sec hardware faults, 18 sec software problems, 
 36 sec procedural errors, 42 sec recovery problems • Full duplication of all critical components • Automated error detection on hardware and software level • Replication checks - duplex system with comparison
 on every cycle • Timing checks, coding checks, internal checks with comparators 20
Dependable Systems Course PT 2014 Example: AT&T Electronic Switching System ESS1A 21 (C) Malek
Dependable Systems Course PT 2014 Example: Boeing 777 Flight Controller 22 • Fly-by-wire system, requirements • Probability 1x10-10 for degradation 
 from ,MIN-OP configuration‘ • ,Never give up‘ redundancy 
 management strategy • Mean time between 
 maintenance actions: 25.000 operating hours • TMR for all hardware resources, fail-passive electronics • Candidate architectures were evaluated according to many trade aspects
Dependable Systems Course PT 2014 Example: Boeing 777 Flight Controller (Buus et al.) 23
Dependable Systems Course PT 2014 Example: VAX Hardware Redundancy • VMS operating system on VAX hardware, since mid-1970‘s, outgrow of PDP-11 • VAXft in the early 1990‘s 24
Dependable Systems Course PT 2014 IBM zEnterprise 25 © 2011 IBM Corporation16 IBM zEnterprise 16 Designed to deliver continuous availability at the application level Single System z Multiple System z Site 1 Site 2 Multiple Data Centers Where mean time between failure is measured in decades Designed for application availability of 99.999% Industry-leading solution for disaster recovery  Avoiding the cost of downtime  Ensuring access to critical applications  Maintaining productivity of users  Open to clients 24/7 Manage Risk with System z Resiliency Availability built in across the system (C) IBM
Dependable Systems Course PT 2014 IBM zEnterprise 26 © 2011 IBM Corporation56 IBM zEnterprise Scheduled(CIE+DisruptivePatches+ECs) Planned- (MES+Driver Upgrades) Unscheduled(UIRA) Sources of Outages Pre z9 -Hrs/Year/Syst- Prior Servers z9 EC Z10 EC z196 Unscheduled Outages Scheduled Outages Planned Outages Preplanning requirements Power & Thermal Management Increased Focus over time             Temperature = Silicon Reliability Worst Enemy Wearout = Mechanical Components Reliability Worst Enemy. System z overall RAS Strategy …..Continuing our RAS focus helps avoid outages ImpactofOutage (C) IBM
Dependable Systems Course PT 2014 IBM zEnterprise 27 © 2011 IBM Corporation14 IBM zEnterprise The potential performance impact of the Linux server farm is isolated from the other Logical partitions (LPAR) LPAR – Up to 60 Logical partitions System z Deploy virtual servers in seconds Highly granular resource sharing (<1%) Add physical resources without taking system down, scale out to 1000s of virtual servers Do more with less: More virtual servers per core, Share more physical resources across servers Extensive built-in facilities for virtual server life- cycle management Hardware-enforced isolation Distributed Platforms Limited per-core virtual server scalability Physical server sprawl is needed to scale Operational complexity increases as virtual server images grow VMware tools only support VMware hypervisor (ESX) PR/SM Hypervisor in firmware z/VM – 100s of virtual servers – Shared Memory Hardware support: 10% of circuits are used for virtualization Each LPAR is one Virtual Mainframe Extreme Virtualization in zEnterprise - Built into the architecture not an “add on” feature (C) IBM
Dependable Systems Course PT 2014 Dependability Examples • A segmentation fault can lead to a system failure. • A faulty controller in an RAID array lowers the reliability of the storage facility. • The measurable availability of a web server depends on the fault tolerance capabilities in all its components. • A database fault creates an erroneous state in the authentication component, which can lead to a system failure influencing the system confidentiality. • The integrity of electronic voting systems depends on the complete absence of failures in the voting and the calculation procedures. • Fault forecasting can support the maintainability of a system. • Testing can only prove the presence of faults, not their absence. • Our service level agreement guarantees an availability of 99.99%. 28
Dependable Systems Course PT 2014 Consequences of Failures [Knight] • Human injury or loss of life • Damage to the environment • Damage to or loss of equipment • Damage to or loss of data • Financial loss by theft • Financial loss through production of useless or defective products • Financial loss through reduced capacity for production or service • Loss of business reputation • Loss of customer base • Loss of jobs 29
Dependable Systems Course PT 2014 Dependability Concerns [Knight] • Do I know all available techniques to prevent some damage in / by my system ? • I don‘t know how the system is used, so how can I decide for an appropriate dependability mechanism ? • How do I get an accurate and complete set of term definitions to communicate reliably with the other engineers ? • What is a technology to tackle all weak points in my system architecture, not only the weakest or the obvious ones ? • How can I measure the effectiveness of my dependability techniques ? • Software is special ... • Definition of the required function is harder than in other engineering disciplines • Software needs to take action when hardware fails • Software may have to operate on platforms whose design was influenced by dependability goals 30
Dependable Systems Course PT 2014 Course Topics • Definitions and metrics • Fault, error, failure, fault models, fault tolerance, fault forecasting, ... • Reliability, availability, maintainability, error mitigation, damage confinement, ... • Reliability engineering, reliability testing, MTTF, MTBF, failure rate, ... • Fault tolerance patterns • N-out-of-M, voting, heartbeat, ... • Analytical evaluation • Reliability block diagrams, fault tree analysis, ... • Petri nets, Markov chains • Root cause analysis, risk analysis and assessment 31
Dependable Systems Course PT 2014 Course Topics • Hardware-Implemented Dependability • Failure rates, testing, hardware redundancy approaches • Software-Implemented Dependability • Fault-tolerant programming: simplex, recovery blocks, checkpointing, roll-back, ... • Testing, software metrics • Fault-tolerant distributed systems: Transactions, consensus, clocks, ... • Advanced approaches • Autonomic computing, rejuvenation, online failure prediction, performability • Case studies from practice 32

More Related Content

PDF
Dependable Systems - Summary (16/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Means (3/16)
byPeter Tröger
 
PDF
Dependable Systems -Fault Tolerance Patterns (4/16)
byPeter Tröger
 
PDF
Dependable Systems -Reliability Prediction (9/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Attributes (5/16)
byPeter Tröger
 
PDF
Dependable Systems - Hardware Dependability with Redundancy (14/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Threats (2/16)
byPeter Tröger
 
PDF
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
byPeter Tröger
 
Dependable Systems - Summary (16/16)
byPeter Tröger
 
Dependable Systems -Dependability Means (3/16)
byPeter Tröger
 
Dependable Systems -Fault Tolerance Patterns (4/16)
byPeter Tröger
 
Dependable Systems -Reliability Prediction (9/16)
byPeter Tröger
 
Dependable Systems -Dependability Attributes (5/16)
byPeter Tröger
 
Dependable Systems - Hardware Dependability with Redundancy (14/16)
byPeter Tröger
 
Dependable Systems -Dependability Threats (2/16)
byPeter Tröger
 
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
byPeter Tröger
 

What's hot

PDF
Real Time Systems
byDeepak John
 
PPTX
Real Time Systems
byleo3004
 
PPT
RTOS Basic Concepts
byPantech ProLabs India Pvt Ltd
 
PDF
Fault tolerance
byGaurav Rawat
 
PPT
Fault tolerance and computing
byPalani murugan
 
PPT
Rtos Concepts
bySundaresan Sundar
 
PPTX
Fault tolerance techniques for real time operating system
byanujos25
 
PPT
Fault tolearant system
byarvinthsaran
 
PPTX
Fault tolerant presentation
byskadyan1
 
PPTX
Components in real time systems
bySaransh Garg
 
PDF
Rtos
byمحمدعبد الحى
 
PPT
Software Fault Tolerance
byAnkit Singh
 
PPT
Real time system tsp
byPradeep Kumar TS
 
PPT
Fault tolerance
byLekashri Subramanian
 
PDF
Voting protocol
byDipti Shrivastava
 
PDF
OpenSubmit - How to grade 1200 code submissions
byPeter Tröger
 
DOCX
Availability tactics
byahsan riaz
 
PDF
Dependable Systems -Software Dependability (15/16)
byPeter Tröger
 
PDF
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
byPeter Tröger
 
PDF
What activates a bug? A refinement of the Laprie terminology model.
byPeter Tröger
 
Real Time Systems
byDeepak John
 
Real Time Systems
byleo3004
 
RTOS Basic Concepts
byPantech ProLabs India Pvt Ltd
 
Fault tolerance
byGaurav Rawat
 
Fault tolerance and computing
byPalani murugan
 
Rtos Concepts
bySundaresan Sundar
 
Fault tolerance techniques for real time operating system
byanujos25
 
Fault tolearant system
byarvinthsaran
 
Fault tolerant presentation
byskadyan1
 
Components in real time systems
bySaransh Garg
 
Rtos
byمحمدعبد الحى
 
Software Fault Tolerance
byAnkit Singh
 
Real time system tsp
byPradeep Kumar TS
 
Fault tolerance
byLekashri Subramanian
 
Voting protocol
byDipti Shrivastava
 
OpenSubmit - How to grade 1200 code submissions
byPeter Tröger
 
Availability tactics
byahsan riaz
 
Dependable Systems -Software Dependability (15/16)
byPeter Tröger
 
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
byPeter Tröger
 
What activates a bug? A refinement of the Laprie terminology model.
byPeter Tröger
 

Similar to Dependable Systems - Introduction (1/16)

PPTX
Ch11 reliability engineering
bysoftware-engineering-book
 
PPT
Critical Systems
byUsman Bin Saad
 
PPTX
Ch11 - Reliability Engineering
byHarsh Verdhan Raj
 
PPT
Lecture07_FaultTolerance in parallel and distributing
bysameerkumar56473
 
PPT
Lecture07_FaultTolerance in parallel and distributed
bysameerkumar56473
 
PDF
Separation of concerns is a design concept [Dij82] that suggests that any com...
bypremsridev11
 
PPT
Chapter- Five fault powers poin lecture
byborchala1
 
PPTX
SEPM_MODULE 2 PPT.pptx
byVaishaliBagewadikar
 
PPTX
Dependability and security (CS 5032 2012)
byIan Sommerville
 
PDF
ASE_Chap1 - Compatibility Mode for advance software
by12a3lehanguyenkhanh1
 
PDF
5 - Safety - Critical Systems.pdf
byFelixKipyego1
 
PPTX
Ch10 dependable systems
bysoftware-engineering-book
 
PDF
intro.pdf
byRajesh Tiwary
 
PPTX
Ch10 - Dependable Systems
byHarsh Verdhan Raj
 
PPTX
High dependability of the automated systems
byAlan Tatourian
 
PPTX
Scs.pptx repaired
bySaransh Garg
 
PDF
l4a.pdf
byrajinooka
 
PPTX
Ch11
byKeith Jasper Mier
 
PPTX
ch10.pptx
bygdfgdfgdf1
 
PDF
Presentation
bySaleh Aldajah
 
Ch11 reliability engineering
bysoftware-engineering-book
 
Critical Systems
byUsman Bin Saad
 
Ch11 - Reliability Engineering
byHarsh Verdhan Raj
 
Lecture07_FaultTolerance in parallel and distributing
bysameerkumar56473
 
Lecture07_FaultTolerance in parallel and distributed
bysameerkumar56473
 
Separation of concerns is a design concept [Dij82] that suggests that any com...
bypremsridev11
 
Chapter- Five fault powers poin lecture
byborchala1
 
SEPM_MODULE 2 PPT.pptx
byVaishaliBagewadikar
 
Dependability and security (CS 5032 2012)
byIan Sommerville
 
ASE_Chap1 - Compatibility Mode for advance software
by12a3lehanguyenkhanh1
 
5 - Safety - Critical Systems.pdf
byFelixKipyego1
 
Ch10 dependable systems
bysoftware-engineering-book
 
intro.pdf
byRajesh Tiwary
 
Ch10 - Dependable Systems
byHarsh Verdhan Raj
 
High dependability of the automated systems
byAlan Tatourian
 
Scs.pptx repaired
bySaransh Garg
 
l4a.pdf
byrajinooka
 
Ch11
byKeith Jasper Mier
 
ch10.pptx
bygdfgdfgdf1
 
Presentation
bySaleh Aldajah
 

More from Peter Tröger

PDF
Design of Software for Embedded Systems
byPeter Tröger
 
PDF
Operating Systems 1 (7/12) - Threads
byPeter Tröger
 
PDF
Operating Systems 1 (9/12) - Memory Management Concepts
byPeter Tröger
 
PDF
Operating Systems 1 (3/12) - Architectures
byPeter Tröger
 
PDF
Operating Systems 1 (11/12) - Input / Output
byPeter Tröger
 
PDF
Verteilte Software-Systeme im Kontext von Industrie 4.0
byPeter Tröger
 
PDF
Operating Systems 1 (6/12) - Processes
byPeter Tröger
 
PDF
Operating Systems 1 (12/12) - Summary
byPeter Tröger
 
PDF
Distributed Resource Management Application API (DRMAA) Version 2
byPeter Tröger
 
PDF
Operating Systems 1 (1/12) - History
byPeter Tröger
 
PDF
Operating Systems 1 (4/12) - Architectures (Windows)
byPeter Tröger
 
PDF
Operating Systems 1 (8/12) - Concurrency
byPeter Tröger
 
PDF
WannaCry - An OS course perspective
byPeter Tröger
 
PDF
Humans should not write XML.
byPeter Tröger
 
PDF
Dependable Systems - System Dependability Evaluation (8/16)
byPeter Tröger
 
PDF
Operating Systems 1 (2/12) - Hardware Basics
byPeter Tröger
 
PDF
Cloud Standards and Virtualization
byPeter Tröger
 
PDF
Operating Systems 1 (5/12) - Architectures (Unix)
byPeter Tröger
 
Design of Software for Embedded Systems
byPeter Tröger
 
Operating Systems 1 (7/12) - Threads
byPeter Tröger
 
Operating Systems 1 (9/12) - Memory Management Concepts
byPeter Tröger
 
Operating Systems 1 (3/12) - Architectures
byPeter Tröger
 
Operating Systems 1 (11/12) - Input / Output
byPeter Tröger
 
Verteilte Software-Systeme im Kontext von Industrie 4.0
byPeter Tröger
 
Operating Systems 1 (6/12) - Processes
byPeter Tröger
 
Operating Systems 1 (12/12) - Summary
byPeter Tröger
 
Distributed Resource Management Application API (DRMAA) Version 2
byPeter Tröger
 
Operating Systems 1 (1/12) - History
byPeter Tröger
 
Operating Systems 1 (4/12) - Architectures (Windows)
byPeter Tröger
 
Operating Systems 1 (8/12) - Concurrency
byPeter Tröger
 
WannaCry - An OS course perspective
byPeter Tröger
 
Humans should not write XML.
byPeter Tröger
 
Dependable Systems - System Dependability Evaluation (8/16)
byPeter Tröger
 
Operating Systems 1 (2/12) - Hardware Basics
byPeter Tröger
 
Cloud Standards and Virtualization
byPeter Tröger
 
Operating Systems 1 (5/12) - Architectures (Unix)
byPeter Tröger
 

Recently uploaded

PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PDF
The voice of the rain poem class 11th.pdf
byReeta Baral
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
PPTX
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PPTX
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
PPTX
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PDF
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
The voice of the rain poem class 11th.pdf
byReeta Baral
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
Analyzing the data of your initial survey
byThelma Villaflores
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
Introduction-to-Anatomy-and-Physiology.pptx
byAshish Umale
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 

Dependable Systems - Introduction (1/16)

  • 1.
  • 2.
    Dependable Systems CoursePT 2014 Dependability • Umbrella term for operational requirements on a system • IFIP WG 10.4: "[..] the trustworthiness of a computing system which allows reliance to be justifiably placed on the service it delivers [..]" • IEC IEV: "dependability (is) the collective term used to describe the availability performance and its influencing factors : reliability performance, maintainability performance and maintenance support performance" • Laprie: „ Trustworthiness of a computer system such that 
 reliance can be placed on the service it delivers to the user “ • Adds a third dimension to system quality • General question: How to deal with unexpected events ? • In German: ,Verlässlichkeit‘ vs. ,Zuverlässigkeit‘
 2
  • 3.
    Dependable Systems CoursePT 2014 English vs. German 3 Dependability Verlässlichkeit Reliability Zuverlässigkeit Availability Verfügbarkeit Safety Sicherheit Security Schutz Maintainability Wartbarkeit Fault Fehlerursache (Fehler) Error Fehlerzustand (Fehler) Failure Ausfall Error Propagation Fehlerausbreitung Fault Prevention Fehlerursachenverhinderung Fault Removal Fehlerursachenbeseitigung Fault Tolerance Fehlertoleranz Fault Forecasting Fehlervorhersage
  • 4.
    Dependable Systems CoursePT 2014 Computers in Safety-Critical Systems • Different levels of critical participation for a computer system • Information provisioning to human controller on request • Interpretation of data and presentation to the user • Issues command on behalf of the human controller • Replaces human controller • Trend to realize critical systems with commercial-of-the-shelf components • Driven by budget cuts and performance advantage • Puts sole responsibility on software layer, in contrast to early hardware-only redundancy approaches 4
  • 5.
    Dependable Systems CoursePT 2014 Dependable Systems Motivation Money Life saving Human users Harsh environments Complexity 5
  • 6.
    Dependable Systems CoursePT 2014 Example: Therac 25 • Radiation therapy engine, involved in 6 accidents between 1985 and 1987 • Two operation modes: High-power spreaded beam, or low power focus beam • Accident: High-power mode without spreader plate activated • Harmful operation not detected due to software flaws • Institutional issues: No independent software review, 
 no risk analysis for failure modes, no test of hardware / software assembling • Engineering issues: No hardware interlock, software re-use from older models, 
 no sensors for hardware check, arithmetic overflow in the check routines • No investigation of single modules 6
  • 7.
    Dependable Systems CoursePT 2014 Example: Patriot Missile Launcher • Mobile missile launcher, designed for a few hours of operation • Used for Scud defense operation, never designed for it • February 1991 - Battery in Dharan (Saudi Arabia) failed to intercept Scud missile,
 hit army barrack • Software aging problem in system‘s weapon control computer • Target velocity and time 
 demanded as real values, 
 stored as 24-bit integer • Inaccurate tracking computation 
 due to overlong operation 
 ( > 100 hours) • Modified software reached the 
 base one day after the accident 7
  • 8.
    Dependable Systems CoursePT 2014 Example: Ariane 5 • June 4 1996, self-destruction firework for $500 million • Initiated because boosters were ripping from the rocket • Reasoned by on-board computer reaction on inertia system data • Was not data, but a diagnostic bit pattern due to an overflow error • Identical inertia backup system had shut down milliseconds before • Inertia system from Ariane 4, numbers were never expected to get that high • 64-bit FP to 16-bit signed integer, data conversion in Ada was not protected • No test of full system due to budget limits • System was running after lift off for no special purpose • Possibility for fast restart with brief hold in the countdown, only for Ariane 4 8
  • 9.
    declare v_veloc_sensor: float; --64 bit floating point h_veloc_sensor: float; v_veloc_bias: integer; -- 16 bit signed integer h_veloc_bias: integer; begin sensor_get (v_veloc_sensor); sensor_get (h_veloc_sensor); v_veloc_bias := integer (v_veloc_sensor); h_veloc_bias := integer (h_veloc_sensor); exception when others => use_irs1(); end; Dependable Systems Course PT 2014 Example: Ariane 5 9
  • 10.
    Dependable Systems CoursePT 2014 Example: Mars Pathfinder • Successful landing on Mars at July 4th, 1997 • Spontaneous resets after landing • VxWorks operating system, real-time scheduling of data streams and commands • Classical priority inversion - long-running medium-communication task, 
 low-priority meteorological task, reset triggered by watchdog • Antennas performed too good, unexpected timing behavior in data transmission • Problem reproduced with identical Pathfinder on earth • Semaphore had priority inheritance protection, which was switched off for performance optimization 10
  • 11.
    Dependable Systems CoursePT 2014 Unbounded Priority Inversion • Pathfinder scenario • T1: Periodically checks health of systems • T2: Processes image data • T3: Occasional test on equipment status • T1 and T3 share a protected data structure • T1 must indirectly wait for T2 suspend, which has no relation to it‘s own purpose • T1 timeout lead to full system reset and check 11
  • 12.
    Dependable Systems CoursePT 2014 Example: Air France AF 447 (May 2009) • Airbus A330 flight at 10.000m through turbulent weather conditions • Ice crystals trigger malfunction in Pitot air pressure sensors • Stream of air normally used for speed computation • Flight speed instruments shut down, followed by auto pilot • Demanded manual angle and thrust level computation by pilots • Flight computer switches to emergency mode (,alternate law 2‘) • Still operational (,fly-by-wire‘), but different flight feeling • Pilots lost physical control over machine, restart of flight computer not successful • Specification for sensors not feasible (written in 1947) • Sensor must be operational till -40 degrees / 9000m height 12
  • 13.
    Dependable Systems CoursePT 2014 Importance of Dependability for Business • Average costs per hour of downtime (Gartner 1998) • Brokerage operations in finance: $6.5 million • Credit card authorization: $2.6 million • Home catalog sales: $90.000 • Airline reservation: $89.500 • 22-hour service outage of eBay on June 6th 1999 • Interruption of around 2.3 million auctions • 9.2% stock value drop, $3-5 billion of lost revenues • Problems blamed on Sun server software • Banking, telephone system, online games, cloud operations, ... 13
  • 14.
    Dependable Systems CoursePT 2014 Example: New York Stock Exchange • Credit Suisse trading desk, Nov 14th, 2007 • Automated trading algorithm went mad • Reasoned by misplaced double click in the trading software UI • Hundreds of thousands of bogus order cancellations • DoS nature of fault caused NYSE to freeze up - $150.000 fine 14
  • 16.
    Dependable Systems CoursePT 2014 Example: Amazon Cloud Outages • 2006 - Elevated levels of authenticated requests from multiple users • Request volumes are monitored, but cryptographic overhead was not considered • Overload on authentication services - performs request processing and validation • S3 service (cloud storage service) became inaccessible, but is the only storage facility supported for Amazon-hosted virtual machines • Took 3,25 hours to solve the problem - live fixing, started at 3am • No SLA promises ever, but trust in cloud-only hosted web sited dropped dramatically • 2009 - 19 hours of outage for bitbucket.org • Code hosting service, relies on EC2 and block storage • UDP / TCP flooding attack influenced also access to storage facility 16
  • 17.
    Hello, A few daysago we sent you an email letting you know that we were working on recovering an inconsistent data snapshot of one or more of your Amazon EBS volumes. We are very sorry, but ultimately our efforts to manually recover your volume were unsuccessful. The hardware failed in such a way that we could not forensically restore the data. What we were able to recover has been made available via a snapshot, although the data is in such a state that it may have little to no utility… If you have no need for this snapshot, please delete it to avoid incurring storage charges. We apologize for this volume loss and any impact to your business. Sincerely,
 Amazon Web Services, EBS Support
  • 18.
    Dependable Systems CoursePT 2014 Example: IBM S/390 Outage Sources • Examination of 16 managed mainframe systems over 6 months (Pfister, 1990) • 92% planned outages, 8% unplanned outages • 32% database backup • 24% database reorganization • 14% system software maintenance • 12% network • 8% applications • 8% hardware • 2% other 18
  • 19.
    Dependable Systems CoursePT 2014 Tradeoffs 19 0.99999 0.9999 0.999 0.99 0.9 Massively Parallel/ Distributed Systems Commercial Fault-Tolerant Systems Ultra Reliable Systems Availability Throughput (MIPS)
  • 20.
    Dependable Systems CoursePT 2014 Example: AT&T Electronic Switching System ESS1A • Downtime for entire system not more than 2 hours over 40 years of life • System outage < 3 minutes / year • 100% availability from user perspective • Goal achieved, two minutes of down time [Malek] • 24 sec hardware faults, 18 sec software problems, 
 36 sec procedural errors, 42 sec recovery problems • Full duplication of all critical components • Automated error detection on hardware and software level • Replication checks - duplex system with comparison
 on every cycle • Timing checks, coding checks, internal checks with comparators 20
  • 21.
    Dependable Systems CoursePT 2014 Example: AT&T Electronic Switching System ESS1A 21 (C) Malek
  • 22.
    Dependable Systems CoursePT 2014 Example: Boeing 777 Flight Controller 22 • Fly-by-wire system, requirements • Probability 1x10-10 for degradation 
 from ,MIN-OP configuration‘ • ,Never give up‘ redundancy 
 management strategy • Mean time between 
 maintenance actions: 25.000 operating hours • TMR for all hardware resources, fail-passive electronics • Candidate architectures were evaluated according to many trade aspects
  • 23.
    Dependable Systems CoursePT 2014 Example: Boeing 777 Flight Controller (Buus et al.) 23
  • 24.
    Dependable Systems CoursePT 2014 Example: VAX Hardware Redundancy • VMS operating system on VAX hardware, since mid-1970‘s, outgrow of PDP-11 • VAXft in the early 1990‘s 24
  • 25.
    Dependable Systems CoursePT 2014 IBM zEnterprise 25 © 2011 IBM Corporation16 IBM zEnterprise 16 Designed to deliver continuous availability at the application level Single System z Multiple System z Site 1 Site 2 Multiple Data Centers Where mean time between failure is measured in decades Designed for application availability of 99.999% Industry-leading solution for disaster recovery  Avoiding the cost of downtime  Ensuring access to critical applications  Maintaining productivity of users  Open to clients 24/7 Manage Risk with System z Resiliency Availability built in across the system (C) IBM
  • 26.
    Dependable Systems CoursePT 2014 IBM zEnterprise 26 © 2011 IBM Corporation56 IBM zEnterprise Scheduled(CIE+DisruptivePatches+ECs) Planned- (MES+Driver Upgrades) Unscheduled(UIRA) Sources of Outages Pre z9 -Hrs/Year/Syst- Prior Servers z9 EC Z10 EC z196 Unscheduled Outages Scheduled Outages Planned Outages Preplanning requirements Power & Thermal Management Increased Focus over time             Temperature = Silicon Reliability Worst Enemy Wearout = Mechanical Components Reliability Worst Enemy. System z overall RAS Strategy …..Continuing our RAS focus helps avoid outages ImpactofOutage (C) IBM
  • 27.
    Dependable Systems CoursePT 2014 IBM zEnterprise 27 © 2011 IBM Corporation14 IBM zEnterprise The potential performance impact of the Linux server farm is isolated from the other Logical partitions (LPAR) LPAR – Up to 60 Logical partitions System z Deploy virtual servers in seconds Highly granular resource sharing (<1%) Add physical resources without taking system down, scale out to 1000s of virtual servers Do more with less: More virtual servers per core, Share more physical resources across servers Extensive built-in facilities for virtual server life- cycle management Hardware-enforced isolation Distributed Platforms Limited per-core virtual server scalability Physical server sprawl is needed to scale Operational complexity increases as virtual server images grow VMware tools only support VMware hypervisor (ESX) PR/SM Hypervisor in firmware z/VM – 100s of virtual servers – Shared Memory Hardware support: 10% of circuits are used for virtualization Each LPAR is one Virtual Mainframe Extreme Virtualization in zEnterprise - Built into the architecture not an “add on” feature (C) IBM
  • 28.
    Dependable Systems CoursePT 2014 Dependability Examples • A segmentation fault can lead to a system failure. • A faulty controller in an RAID array lowers the reliability of the storage facility. • The measurable availability of a web server depends on the fault tolerance capabilities in all its components. • A database fault creates an erroneous state in the authentication component, which can lead to a system failure influencing the system confidentiality. • The integrity of electronic voting systems depends on the complete absence of failures in the voting and the calculation procedures. • Fault forecasting can support the maintainability of a system. • Testing can only prove the presence of faults, not their absence. • Our service level agreement guarantees an availability of 99.99%. 28
  • 29.
    Dependable Systems CoursePT 2014 Consequences of Failures [Knight] • Human injury or loss of life • Damage to the environment • Damage to or loss of equipment • Damage to or loss of data • Financial loss by theft • Financial loss through production of useless or defective products • Financial loss through reduced capacity for production or service • Loss of business reputation • Loss of customer base • Loss of jobs 29
  • 30.
    Dependable Systems CoursePT 2014 Dependability Concerns [Knight] • Do I know all available techniques to prevent some damage in / by my system ? • I don‘t know how the system is used, so how can I decide for an appropriate dependability mechanism ? • How do I get an accurate and complete set of term definitions to communicate reliably with the other engineers ? • What is a technology to tackle all weak points in my system architecture, not only the weakest or the obvious ones ? • How can I measure the effectiveness of my dependability techniques ? • Software is special ... • Definition of the required function is harder than in other engineering disciplines • Software needs to take action when hardware fails • Software may have to operate on platforms whose design was influenced by dependability goals 30
  • 31.
    Dependable Systems CoursePT 2014 Course Topics • Definitions and metrics • Fault, error, failure, fault models, fault tolerance, fault forecasting, ... • Reliability, availability, maintainability, error mitigation, damage confinement, ... • Reliability engineering, reliability testing, MTTF, MTBF, failure rate, ... • Fault tolerance patterns • N-out-of-M, voting, heartbeat, ... • Analytical evaluation • Reliability block diagrams, fault tree analysis, ... • Petri nets, Markov chains • Root cause analysis, risk analysis and assessment 31
  • 32.
    Dependable Systems CoursePT 2014 Course Topics • Hardware-Implemented Dependability • Failure rates, testing, hardware redundancy approaches • Software-Implemented Dependability • Fault-tolerant programming: simplex, recovery blocks, checkpointing, roll-back, ... • Testing, software metrics • Fault-tolerant distributed systems: Transactions, consensus, clocks, ... • Advanced approaches • Autonomic computing, rejuvenation, online failure prediction, performability • Case studies from practice 32