Geoffrey F. Carpenter

The use of GMB in the design of robust software for distributed systems

State-space modelling of software for distributed systems has been effective in exposing design faults and has provided a method for the placement of software fault-tolerant structures. The most widely known methods (in the United Kingdom) have used Petri-net modelling. However, Petri nets are not the only representations available to the designer. The paper considers the use of the UCLA Graphical Model of Behaviour (GMB) in the design and simulation of software for distributed systems with emphasis on the study of dynamic interprocess interactions. It is shown that GMB possesses a number of analytical features which improve the models. A case study of the design of robust software for a safety critical application shows that GMB provides a complementary, and in some respects superior, method to Petri-net modelling.

Mechanism for evaluating the effectiveness of software fault-tolerant structures

Abstract The provision of software structures to enable a computer to tolerate faults is frequently proposed as an effective and economic method of improving the reliability of a computer system. The paper is concerned with assessing the ability of software structures to cope with induced faults. It discusses the design of a software harness which allows the user to insert predetermined faults into software and to trace the subsequent execution of that software. The paper summarizes the use of the harness to determine the effectiveness of software-based fault-tolerant mechanisms.

The design and simulation of software fault tolerant mechanisms for application in distributed processing systems

Abstract A number of fault tolerant mechanisms have been proposed for sequential and concurrent systems. Discussion of these mechanisms has concentrated on structural aspects; a systematic approach to the design and placement of fault tolerant structures has been lacking. This paper considers techniques for the systematic and proper placement of software fault tolerant structures for distributed systems. It describes the design of such a system and shows how the error detection and recovery mechanisms can be included in the system model. The methods which are presented should have a wide range of application including microprocessor and transputer implementation.

Database for investigating the effects of induced faults

Abstract To improve the reliability of a computing system, it is common to include appropriate software fault tolerance. The designer has to be certain that the infrastructure can cope with the effects of faults in the protected program, including faults which have not been anticipated. This paper is concerned with the effects which occur when hardware malfunctions lead to the corruption of software. An analysis of the structure of the instruction set of a selected microprocessor and its use in generating a database for examining the effects induced by such malfunctions are described. This database can be used to determine the types of behaviour which must be captured by a fault-tolerance mechanism.

The design of distributed, software fault tolerant, real-time systems incorporating decision mechanisms

Abstract This paper considers the use of software fault tolerance in the design of loosely-coupled real-time distributed systems. It also addresses the problem of taking distributed multi-party decisions in decentralised systems and shows that distributed database techniques can be used to provide a general solution. In particular, it is shown that a two phase locking mechanism can be used to serialise concurrent decisions, thus removing certain timing problems, and a two phase commit protocol can be used to implement distibuted decisions which are recoverable for certain classes of failure. The techniques described are illustrated by reference to a safety critical application. A solution is proposed comprising an Occam program which can be implemented on microprocessor and transputer based systems.

The design of a weather “nowcast” system

Abstract Many local organizations would benefit from the availability of a local, short-term, bespoke, weather prediction facility. This paper reports research which shows that many of the features of such a facility can be provided by a low-cost, PC-based system which monitors site-specific ground data, such as temperature, pressure, wind speed and direction, augmented with readily available satellite images for above-ground information to produce a ‘nowcast’ for dissemination to the local community.

Session D2: Fault tolerant parallel software

Abstract If a distributed computing system is intended for use in an application where safety is of paramount importance, then it is necessary to ensure that the design is able to tolerate faults. The conversation scheme is a software mechanism which will allow a set of parallel processes to undertake error recovery in a well behaved manner if a fault is detected. This paper describes a method using CSP for locating conversation boundaries in software for a distributed system.

The synthesis of deadlock-free interprocess communications

Abstract The communication structure of a distributed computing system needs careful design if pathologies, such as deadlock, are to be avoided. This paper is concerned with the communication properties of a set of distributed processes and discusses a number of different approaches to deadlock recognition, elimination and avoidance, as part of a programme of research into systematic methods for ensuring deadlock-freedom.

Data flow methods in the design of parallel computing systems

Abstract Data flow is central to the operation of a set of distributed processes and data flow should be central to the design process. This paper brings this role to the fore and considers the use of data flow methods to model applications, to obtain performance measures and to influence partitioning strategies.

Tolerating communication failures

A distributed real-time system for use in applications with safety implications must produce satisfactory results on time even under abnormal conditions, such as site or communication failure. This paper discusses issues which arise in the design of mechanisms to provide consistent safe and timely decisions and considers explicitly the modelling and implementation of multi-participant commit protocols with timeouts to cope with communication failure.<<ETX>>