Joanne Bechta Dugan

Dynamic fault-tree models for fault-tolerant computer systems

Reliability analysis of fault-tolerant computer systems for critical applications is complicated by several factors. Systems designed to achieve high levels of reliability frequently employ high levels of redundancy, dynamic redundancy management, and complex fault and error recovery techniques. This paper describes dynamic fault-tree modeling techniques for handling these difficulties. Three advanced fault-tolerant computer systems are described: a fault-tolerant parallel processor, a mission avionics system, and a fault-tolerant hypercube. Fault-tree models for their analysis are presented. HARP (Hybrid Automated Reliability Predictor) is a software package developed at Duke University and NASA Langley Research Center that can solve those fault-tree models. >

Coverage modeling for dependability analysis of fault-tolerant systems

Several different models for predicting coverage in a fault-tolerant system, including models for permanent, intermittent, and transient errors, are discussed. Markov, semi-Markov, nonhomogeneous Markov, and extended stochastic Petri net models for computing coverage are developed. Two types of events that interfere with recovery are examined; and methods for modeling such events, whether they are deterministic or random, are given. The sensitivity of system reliability/availability to the coverage parameter and the sensitivity of the coverage parameter to various error-handling strategies are investigated. It is found that a policy of attempting transient recovery upon detection of an error (as opposed to automatically reconfiguring the affected component out of the system) can actually increase the unreliability of the system. >

Empirical Analysis of Software Fault Content and Fault Proneness Using Bayesian Methods

We present a methodology for Bayesian analysis of software quality. We cast our research in the broader context of constructing a causal framework that can include process, product, and other diverse sources of information regarding fault introduction during the software development process. In this paper, we discuss the aspect of relating internal product metrics to external quality metrics. Specifically, we build a Bayesian network (BN) model to relate object-oriented software metrics to software fault content and fault proneness. Assuming that the relationship can be described as a generalized linear model, we derive parametric functional forms for the target node conditional distributions in the BN. These functional forms are shown to be able to represent linear, Poisson, and binomial logistic regression. The models are empirically evaluated using a public domain data set from a software subsystem. The results show that our approach produces statistically significant estimations and that our overall modeling method performs no worse than existing techniques.

The Hybrid Automated Reliability Predictor

In this paper, we present an overview of the hybrid automated reliability predictor (HARP), under development at Duke and Clemson Universities. The HARP approach to reliability prediction is characterized by a decomposition of the overall model into distinct fault-occurrence/repair and fault /error-handling submodels. The faultoccurrence/repair model can be cast as either a fault tree or as a Markov chain and is solved analytically. Both exponential and Weibull time to failure distributions are allowed. There are a variety of choices available for the specification of the fault/error-handling behavior that may be solved analytically or simulated. Both graphical and textual interfaces are provided to HARP.

Automated analysis of phased-mission reliability

A method for automated analysis of phased mission reliability which considers the problem in terms of the construction of a continuous-time discrete-state Markov model and uses a standard Markov-chain solution technique that is adapted to the problem of phased missions is presented. The resulting state space is the union of the states in each independent phase, rather than the sum. This results in a model that can be substantially smaller than those required by other methods. A unified framework which is used for defining the separate phases using fault trees and for constructing and solving the resulting Markov model is discussed. The usual solution technique is altered to account for the phased nature of the problem. The framework is described for a previously published, simple three-component, three-phase system. An example in which a hypothetical two-phase application involving a fault-tolerant parallel processor is considered is given. The approach applies where the transition rates (failure and repair rates) are constant and where the phase change times are deterministic. >

A separable method for incorporating imperfect fault-coverage into combinatorial models

This paper presents a new method for incorporating imperfect FC (fault coverage) into a combinatorial model. Imperfect FC, the probability that a single malicious fault can thwart automatic recovery mechanisms, is important to accurate reliability assessment of fault-tolerant computer systems. Until recently, it was thought that the consideration of this probability necessitated a Markov model rather than the simpler (and usually faster) combinatorial model. SEA, the new approach, separates the modeling of FC failures into two terms that are multiplied to compute the system reliability. The first term, a simple product, represents the probability that no uncovered fault occurs. The second term comes from a combinatorial model which includes the covered faults that can lead to system failure. This second term can be computed from any common approach (e.g. fault tree, block diagram, digraph) which ignores the FC concept by slightly altering the component-failure probabilities. The result of this work is that reliability engineers can use their favorite software package (which ignores the FC concept) for computing reliability, and then adjust the input and output of that program slightly to produce a result which includes FC. This method applies to any system for which: the FC probabilities are constant and state-independent; the hazard rates are state-independent; and an FC failure leads to immediate system failure.

Fault trees and Markov models for reliability analysis of fault-tolerant digital systems

Abstract Reliability analysis of fault tolerant computer systems for critical applications is complicated by several factors. In this paper, we discuss these modeling difficulties and describe and demonstrate approaches to handling them. Three important techniques characterize our approach. First, behavioral decomposition separates the system failure modes specification from the recovery process specification. Second, a fault tree representation of the system failure modes is converted to an equivalent Markov model, to which the recovery models are added automatically. Third, the fault tree to Markov chain conversion allows the definition of new dynamic fault tree gates to capture the sequence dependent failure modes that are often associated with advanced fault tolerant systems. Two advanced fault tolerant computer systems are described, and fault tree models for their analysis are presented. HARP (the Hybrid Automated Reliability Predictor) is a software package developed at Duke University and NASA Langley Research Center that is used to analyze the example systems.

Fault trees and sequence dependencies

One of the frequency cited shortcomings of fault-tree models, their inability to model so-called sequence dependencies, is discussed. Several sources of such sequence dependencies are discussed, and new fault-tree gates to capture this behavior are defined. These complex behaviors can be included in present fault-tree models because they utilize a Markov solution. The utility of the new gates is demonstrated by presenting several models of the FTPP (fault-tolerant parallel processor), which include both hot and cold spares.<<ETX>>

Analysis of Typical Fault-Tolerant Architectures using HARP

HARP (the Hybrid Automated Reliability Predictor) is a software package that implements advanced reliability modeling techniques. We present an overview of some of the problems that arise in modeling highly reliable fault-tolerant systems; the overview is loosely divided into model construction and model solution problems. We then describe the HARP approach to these difficulties, which is facilitated by a technique called behavioral decomposition. The bulk of this paper presents examples of the dependability evaluation of some typical fault-tolerant systems, including a local-area network, two well-known fault-tolerant computer systems (C.mmp and SIFT), and an example of a flight control system. HARP has been used to solve very large models. A system consisting of 20 components distributed among 7 stages produced a Markov chain with 24 533 states and over 335 000 transitions (without coverage). Depending on the system used to run this example, the run time took anywhere from 4 to 8 hours. HARP is undergoing beta testing at approximately 20 sites. It is written in standard FORTRAN 77, consists of nearly 30000 lines of code and comments, and has been tested under several operating systems. The graphics interface (written in C) runs on an IBM PC AT, and produces text files that can be used to solve the system on the PC (for very small systems), or can be uploaded to a larger machine. HARP is accompanied by an Introduction and Guide for Users. For information on obtaining a copy of HARP, contact one of the authors.

Modular solution of dynamic multi-phase systems

Binary Decision Diagram (BDD)-based solution approaches and Markov chain based approaches are commonly used for the reliability analysis of multi-phase systems. These approaches either assume that every phase is static, and thus can be solved with combinatorial methods, or assume that every phase must be modeled via Markov methods. If every phase is indeed static, then the combinatorial approach is much more efficient than the Markov chain approach. But in a multi-phased system, using currently available techniques, if the failure criteria in even one phase is dynamic, then a Markov approach must be used for every phase. The problem with Markov chain based approaches is that the size of the Markov model can expand exponentially with an increase in the size of the system, and therefore becomes computationally intensive to solve. Two new concepts, phase module and module joint probability, are introduced in this paper to deal with the s-dependency among phases. We also present a new modular solution to nonrepairable dynamic multi-phase systems, which provides a combination of BDD solution techniques for static modules, and Markov chain solution techniques for dynamic modules. Our modular approach divides the multi-phase system into its static and dynamic subsystems, and solves them independently; and then combines the results for the solution of the entire system using the module joint probability method. A hypothetical example multi-phase system is given to demonstrate the modular approach.