Jan Hlavicka

Fault tolerance evaluation using two software based fault injection methods

A silicon independent C-Based model of the TTP/C protocol was implemented within the EU-founded project FIT. The C-based model is integrated in the C-Sim simulation environment. The main objective of this work is to verify whether the simulation model of the TTP/C protocol behaves in the presence of faults in the same way as the existing hardware prototype implementation. Thus, the experimental results of the software implemented fault injection applied in the simulation model and in the hardware implementation of the TTP/C network have been compared. Fault injection experiments in both the hardware and the simulation model are performed using the same configuration setup, and the same fault injection input parameters (fault injection location, fault type and the fault injection time). The end result comparison has shown a complete conformance of 96.30%, while the cause of the different results was due to hardware specific implementation of the built-in-self-test error detection mechanisms.

Evaluation of process controller fault tolerance using simulation

Abstract The paper presents a study of several alternatives of a fault-tolerant process controller design. We compare controller architectures based on different amount of hardware redundancy with those using time redundancy. The system behaviour is evaluated by means of a process-oriented simulation model enabling software injection of faults. As an overall measure of controller design quality (which includes both performance and reliability) we use the numerical error of the output. The results obtained on the model are used to show the dependence of the output error upon the relative speed of computation and upon the rate of faults damaging the data. Thus for every set of parameters, a system configuration which gives the best results, can be determined.

FC-Min: a fast multi-output Boolean minimizer

We present a novel heuristic algorithm for two-level Boolean minimization. In contrast to the other approaches, the proposed method firstly finds the coverage of the on-sets and from that it derives the group implicants. No prime implicants of the single functions are being computed; only the necessary implicants needed to cover the on-sets are produced. This reverse approach makes the algorithm extremely fast and minimizes the memory demands. It is most efficient for functions with a large number of output variables, where the other minimization algorithms (e.g. ESPRESSO) are too slow. It is also very efficient for highly unspecified functions, i.e. functions with only few terms defined.

Model-Based Dependability Evaluation Method for TTP/C Based Systems

This paper presents a simulation model of the Time-Triggered Protocol (TTP/C) based embedded computer system as a tool for evaluation of system capability to tolerate a chosen category of faults. The model, being written in ANSI-C, is portable and machineindependent. Its structure is modular and flexible, so that the system to be studied and the experiment setting can easily be changed. The functionality of this model is demonstrated on a set of fault injection experiments aimed mainly to evaluate the correctness of the TTP/C specification. These experiments were done within the EU/IST FIT (Fault Injection for Time triggered architecture) project solution.

C-Sim - the C language enhancement for discrete-time simulation

The paper presents the C-Sim simulation environment, which enables the execution of several processes in an interleaved mode using the global simulation lime concept. C-Sim was used within the EU/IST project Fault Injection for Time Triggered Architecture (FIT) to build a simulation model of TTP/C protocol based real-time embedded computer system in order to verify its dependability through fault injection.

On the use of mutations in Boolean minimization

The paper presents a new method of Boolean function minimization based on an original approach to implicant generation by inclusion of literals. The selection of these newly included literals, as well as the subsequent rejection of some others to obtain prime implicants, is based on heuristics working with the frequency of literal occurrence. Instead of using this data directly, some mutations are used in certain places in the algorithm. The technique of mutations and their influence on the quality of the result obtained is evaluated. The BOOM system implementing the proposed method is efficient especially for functions with several hundreds of input variables, whose values are defined only for a small part of their range. It has been tested both on standard benchmarks and on problems of a much larger dimension, generated randomly. These experiments proved that the new algorithm is very fast and that for large circuits it delivers better results than the state-of-the-art ESPRESSO.

Functional validation of fault-tolerant asynchronous algorithms

The paper presents an alternative approach to the formal specification and validation of distributed asynchronous algorithms. It begins with a syntactically correct description of the algorithm whose correctness is then to be validated. The validation of the algorithm is based on the process-oriented discrete simulation and permits a partial correctness validation of the algorithm implemented by a program. The suggested method enables to model independent activity of several processors (using pseudo-parallel processes) in simulation time and to model communication channels with defined time behavior and failure semantics. Using the approach it is easy to add other processes like model of systems environment, fault injector and state observer. The method is described with the aid of a simple C-based validation tool called C-Sim. The utilization of C-Sim requires only slight changes in C-coded implementation of the verified algorithm. An example of validation of distributed election algorithm with the presence of faults is presented.

RT level test scheduling

The paper describes a new model of exploiting parallelism in testing of VLSI circuits. A circuit at the register transfer level is denoted as an RTL circuit. The model utilizes the concept of TACG (test application conflict graph). For the testing process the resource utilization model was defined and used for the TACG construction. The problem of concurrent test application is transformed to the one of TACG coloring and covering its nodes. Thus, the graph theory algorithms can be utilized for an RT level test scheduling. A methodology was defined that can be utilized during VLSI circuit design process, the final goal of which is to reduce the overall test application time of an RTL circuit.<<ETX>>

Dependable Computing — EDCC-3

In this paper we present a new modelling approach for dependability evaluation and sensitivity analysis of Scheduled Maintenance Systems, based on a Deterministic and Stochastic Petri Net approach. The DSPN approach offers significant advantages in terms of easiness and clearness of modelling with respect to the existing Markov chain based tools, drastically limiting the amount of user-assistance needed to define the model. At the same time, these improved modelling capabilities do not result in additional computational costs. Indeed, the evaluation of the DSPN model of SMS is supported by an efficient and fully automatable analytical solution technique for the time-dependent marking occupation probabilities. Moreover, the existence of such explicit analytical solution allows to obtain the sensitivity functions of the dependability measures with respect to the variation of the parameter values. These sensitivity functions can be conveniently employed to analytically evaluate the effects that parameter variations have on the measures of interest. 1 Systems with Multiple Phases and Multiple Missions With the increasing complexity and automation encountered in systems of the nuclear, aerospace, transportation, electronic, and many other industrial fields, the deployment of processing systems in charge of performing a multiplicity of different control and computational activities is becoming common practice. Very often, the system and its external environment can be altered during the operation, in a way that the behaviour during a time interval can be completely different from that within other periods. The operational scenario devised for the Scheduled Maintenance System (SMS) problem is a typical one in the context of the on-board aeroplane control systems. SMS are to be used during their life-time for multiple missions. The system is run for a finite number of missions, and then it has to pass a maintenance check. Such maintenance can be more or less extensive and accurate. Typically, it is the case that after a prefixed number of missions the system is completely checked, so that all its components are as good as new ones after that. Moreover, other kinds of maintenance actions are usually performed between two major checks. For instance, some highly critical components could be checked and possibly repaired after each mission, and J. Hlavicka et al (Eds.): EDCC-3’99, LNCS 1667, pp. 7-23, 1999  Springer-Verlag Berlin Heidelberg 1999 some others could be replaced after some missions even if they are still working. Anyway, these partial checks are not able to guarantee the absence of faulty components in the system, and thus the dependability figures of the SMS inside a mission are affected by the past history of the SMS inside the previous missions. Within each mission, an SMS behaves as a phased mission system (PMS), that is it is has to carry out various operational phases, each of them possibly having specific dependability requirements and particular failure criteria. Specifically, the typical phases of an aeroplane mission include a take off, ascent, cruise, descent, approach and landing phases. Once again, since the same architectural components are to be used by the system, the behaviour of the SMS during a particular phase is affected by its past evolution while inside other phases of the same mission. It is quite intuitive that an SMS can be reduced to a PMS, by simply disregarding the multiple missions, and considering all the phases to be executed as being part of a long mission. In this way, all the methods that have been proposed for the dependability analysis of PMS, also apply to SMS. Because of their deployment in critical applications, the dependability modelling and analysis of PMS has been considered a task of primary relevance, and many different approaches have appeared in the literature [4, 8, 13, 15, 17-19]. However, the modelling of complex systems always poses formidable problems, and PMS do not represent an exception to the rule. Moreover, the phased behaviour adds a further degree of complexity to the analysis of these systems. Modelling a PMS can be a complex task even inside one single phase; when a multiplicity of phases and the dependencies among them are to be taken into account, additional difficulties are encountered. The sole methodology specifically designed for the dependability modelling and evaluation of the SMS has been proposed by Somani et al., who implemented it within the EHARP tool [18] (an extension of the HARP tool). Some further extensions of EHARP for the SMS problem were introduced by Twigg et al. in [20]. The EHARP tool is based on a separate Markov chain modelling of the SMS inside the various phases, an approach that is able to effectively master the complexity and the computational cost of the analysis. However, as carefully explained in [15], this separate Markov based modelling approach requires a relevant amount of user-assistance to correctly model the dependencies among successive phases. In this work, we show how the general methodology based on the Deterministic and Stochastic Petri Nets (DSPN) proposed in [15] for the modelling and evaluation of PMS can be applied to the specific case of the SMS problem. Thanks to the expressiveness of the DSPN, the modelling of systems showing a phased behaviour becomes quite intuitive and simple. The specific features of SMS are easily accommodated within our general modelling scheme, and the resulting model is defined in a very compact way, with a dramatic reduction in the number of the interactions with the user and the consequent reduction in possible errors. Indeed, the treatment of the dependencies among phases is moved from the low level of the Markov chains to the more abstract and easier to handle level of the DSPN. The evaluation procedure of the DSPN model of an SMS is supported by the existence of an efficient analytical solution method for the transient probabilities of the underlying marking process. Moreover, we offer in this paper another relevant contribution to the study of systems with multiple phases, either PMS or SMS. The existence of analytical expressions for the time-dependent marking occupation probabilities of the DSPN models of this class of systems allows us to explicitly derive the sensitivity functions 8 A. Bondavalli, I. Mura, and K.S. Trivedi

Verification of Fault-Tolerant Embedded Computer Systems Using Higher-Level Simulation Model

Abstract This article describes a method that uses higher-level simulation model of embedded computer system in order to evaluate its specified fault-tolerant properties. The method was developed during the solution of the EU/IST project FIT - Fault Injection for Time Triggered Architecture (TTA). The TTA architecture uses TTP/C communication protocol to connect nodes of distributed computer system. A utilization of the described simulation method is demonstrated evaluating a time that needs TTP/C communication controller to recover from a short data-damaging transient fault.