dependable systems Basic Concepts & Terminology

Transcription

1 dependable systems Basic Concepts & Terminology

2 Dependability Dependability is that property of a computer system such that reliance can justifiably be placed on the service it delivers. J. C. Laprie

3 Dependability concept For critical systems, often the most important system property is the dependability of the system The dependability of a system reflects the user degree of trust in that system. It reflects the extent of the user confidence that it will operate as users expect and that it will not fail in normal use Usefulness and trustworthiness are not the same thing. A system does not have to be trusted to be useful

4 The scenario

5 Dependability Term used to encapsulate the concepts of Reliability Availability Safety Security Maintainability Performability Testability measures used to quantify the dependability of a system

6 Dependability attributes Reliability Availability Safety Integrity Security Maintainability Testability When expressing the system specification and requirements it is necessary to identify which properties are desirable/mandatory

7 Dependability attributes These are non-functional properties they do not relate to any specific functionality of the system Some or all of these attributes are usually more important than detailed system functionality These are emergent properties because they depend on the relationships between components as well as the components themselves.

8 Reliability The ability of a system or component to perform its required functions under stated conditions for a specified period of time [IEEE610] [IEEE610]: IEEE Standard Glossary of Software Engineering Terminology, IEEE Std (R2002).

9 definition Reliability R(t): probability that the system will operate correctly in a specified operating environment up until time t R(t) = P(not failed during [0, t]) assuming it was operating at time t = 0 t is important If a system needs to work for slots of ten hours at a time, then that is the target

10 characteristics Reliability 1 R(t): unreliability, also denoted Q(t) R(t) is a non-increasing function varying from 1 to 0 over [0,+ )

11 adoption Reliability Often used to characterize systems in which even momentary periods of incorrect behavior are unacceptable Performance requirements Timing requirements Impossibility to repair

12 Availability The degree to which a system or component is operational and accessible when required for use [IEEE610] Availability = Uptime / (Uptime + Downtime)

13 definition Availability A(t): probability that the system will be operational at time t A(t) = P(not failed at time t) Literally, readiness for service Admits the possibility of brief outages Fundamentally different concept

14 characteristics Availability 1 A(t): unavailability When the system is not repairable: A(t) = R(t) In general (repairable): A(t) R(t)

15 Numbers Availability Availability as a function of the number of 9 s Number of 9 s Availability Downtime (mins/system) Practical meaning 1 90% ~5 weeks per year 2 99% ~4 days per year % ~9 hours per year % ~1 hour per year % 5.26 ~5 minutes per year % 0.53 ~30 secs per year % 0.05 ~3 secs per year

16 Availability numbers Number of 9 s Availability Downtime/year System 2 99% ~4 days Generic web site % ~9 hours Amazon.com % ~1 hour Enterprise server % ~5 minutes Telephone system % ~30 seconds Phone switches

17 Maintainability Ability to undergo repairs and modifications Ease of repairing the system after a failure has been discovered or changing the system to include new features

18 definition Maintanability M(t): probability that a failed system can be repaired within time t M(t) = P(repaired in [0, t]) M(t) is a non-decreasing function varying from 0 to 1 over [0,+ )

19 R(t) & A(t) related indices MTTF: mean time to (first) failure, the up time before the first failure MTBF: mean time between failures

20 R(t) & A(t) related indices Other indices MUP: mean up time The device is operational MDT: mean down time Fault detection > Fault repair > Recovery

21 R(t) & A(t) related indices Other indices MTTR: mean time to repair MDT: mean down time Fault detection > Fault repair > Recovery MTTR may not be the same as MDT because: The failure may not be noticed for some time after it has occurred It may be decided not to repair the equipment immediately The equipment may not be put back in service immediately it is repaired

22 R(t) & A(t) related indices Other indices MTBF, MTTR, MDT MTBF = total operating time number of failures

23 R(t) & A(t) related indices Other indices MTTF: time before any failure will occur MTBF: time between two failures If we assume that before a second failure occurs, the system detects it, then: Such assumption is particularly CRITICAL

24 R(t) & A(t) related indices Other indices MTTF: mean time to (first) failure, the up time before the first failure MTBF: mean time between failures MTBF = FIT: failure in time total operating time number of failures another way of reporting MTBF number of failures λ = total operating time MTBF = the number of expected failures per one billion hours (10 9 ) of operation for a device 1 λ

25 Reliability & Availability Two different points of view reliability: does not break down availability: even if it breaks down, it is working when needed Example: a system that fails, on average, once per hour but which restarts automatically in ten milliseconds is not very reliable but is highly available A(t)=

26 Two points of view Reliability & Availability It is sometimes possible to subsume system availability under system reliability Obviously if a system is unavailable it is not delivering the specified system services It is possible to have systems with low reliability that must be available system failures can be repaired quickly and do not damage data, low reliability may not be a problem Availability takes repair time into account

27 R(t) what to do? Exploitation of R(t) information is used to compute, for a complex system, its reliability in time, that is the expected lifetime computation of the MTTF Computation of the overall reliability starting from the components one

28 Reliability terminology

29 Fault hierarchy Fault-error-failure cascades can lead to life-threatening hazards

30 Hazard A set of conditions (state of the system) that in certain environmental situations may lead to an incident Hazard is the potential to cause harm It determines a certain risk

31 Risk Risk is the likelihood of harm Risk(t) = p(accident) * cost(accident) Risk = Hazard * Value * Vulnerability Risk is the expected loss per unit time (in defined circumstances, and usually qualified by some statement of the severity of the harm) Safety is expressed as an acceptable level of loss

32 Hazard & Risk Risk = Hazard * Value * Vulnerability ² Hazard: probability of occurrence ² Value: value of life, property or productive capacity due to the event ² Vulnerability: proportion (%) of value likely to be lost if the event occurs

33 Safety The absence of catastrophic consequences on the users or the environment Are commercial aircraft safe? They seldom crash What is acceptable? Are cars safe? They crash a lot

34 Safety property Safety A safety-related system is one by which the safety of equipment or plant is assured Safety for computer systems: Computer hardware primary safety Equipment controlled by the computer functional safety Indirect consequences of a computer failure or incorrect information production indirect safety

35 Safety and Availability High-availability: strive to be up and running % (5 minutes down per year) Safety-critical don t always strive to maximize uptime. They may intentionally take themselves (or part of them) down when there is a threat for injury or loss of life.

36 Reliability & Availability & Safety Example: a system that is turned off is not very reliable, not very available, probably safe

37 FAA Safety and Reliability Categories

38 Safety assessment for SW level

39 Safety Integrity Level Associated with safety-related systems Level of performance for a safety function: orders of magnitude levels of risk reduction A standard (IEC 61508) details the requirements necessary to achieve each safety integrity level

40 Two working scenarios Safety Integrity Levels demand mode or continuous mode Probability of failure of safety function On Demand Continuous (per Year) Risk Reduction Factor SIL ,000 to 10,000 SIL ,000 to 1,000 SIL ,000 to 100 SIL to 10

41 Categories Safety Integrity Levels SIL2: Anti-Braking System (ABS) SIL3: active safety systems (x-by-wire, stability control, ) SIL4: not available for single chip solutions and considered not necessary for automotive

42 Examples Safety Integrity Levels ABS Airbags Braking Steering

43 Performability P(L,t): probability that the system performance will be at, or above, some level L, at time t A subset of the functions are performed correctly

44 Graceful degradation Ability of a system to automatically decrease its level of performance to compensate for hardware and software failures

45 Integrity Absence of improper system state alterations Operating systems Memory, files, disk access Database records File transfers

46 Security Systems should protect themselves and their data from external interference A judgment of how likely it is that the system can resist accidental or deliberate intrusions Prohibit unsupported actions

47 Survivability The ability of a system to continue to deliver its services to users in the face of deliberate or accidental attack An increasingly important attribute for distributed systems whose security can be compromised Survivability subsumes the notion of resilience (the ability of a system to continue in operation despite of component failures)

48 Testability Ability to test for certain attributes within a system Related to maintainability Ø importance of minimizing time required to identify and locate specific problems (diagnosis)

49 Dependability requirements Telecommunications Availability, maintainability Transportation Reliability, availability, safety Weapons Safety Nuclear systems Safety Pervasive computing

50 References [IEEE610]: IEEE Standard Glossary of Software Engineering Terminology, IEEE Std (R2002). D. K. Pradhan, Fault-tolerant Computer System Design, Computer Science Press, 2003 J. C. Knight, An Introduction To Computing System Dependability, Proc. 26th Int. Conf. on Software Engineering (ICSE 04) A. Villemeur, Reliability, Availability, Maintainability and Safety Assessment, vols. 1 & 2, John Wiley and sons, 1991 Ian Sommerville, Software Engineering, 9th edition, 2010