Salvatore J. Bavuso

Dynamic fault-tree models for fault-tolerant computer systems

Reliability analysis of fault-tolerant computer systems for critical applications is complicated by several factors. Systems designed to achieve high levels of reliability frequently employ high levels of redundancy, dynamic redundancy management, and complex fault and error recovery techniques. This paper describes dynamic fault-tree modeling techniques for handling these difficulties. Three advanced fault-tolerant computer systems are described: a fault-tolerant parallel processor, a mission avionics system, and a fault-tolerant hypercube. Fault-tree models for their analysis are presented. HARP (Hybrid Automated Reliability Predictor) is a software package developed at Duke University and NASA Langley Research Center that can solve those fault-tree models. >

Fault trees and Markov models for reliability analysis of fault-tolerant digital systems

Abstract Reliability analysis of fault tolerant computer systems for critical applications is complicated by several factors. In this paper, we discuss these modeling difficulties and describe and demonstrate approaches to handling them. Three important techniques characterize our approach. First, behavioral decomposition separates the system failure modes specification from the recovery process specification. Second, a fault tree representation of the system failure modes is converted to an equivalent Markov model, to which the recovery models are added automatically. Third, the fault tree to Markov chain conversion allows the definition of new dynamic fault tree gates to capture the sequence dependent failure modes that are often associated with advanced fault tolerant systems. Two advanced fault tolerant computer systems are described, and fault tree models for their analysis are presented. HARP (the Hybrid Automated Reliability Predictor) is a software package developed at Duke University and NASA Langley Research Center that is used to analyze the example systems.

Fault trees and sequence dependencies

One of the frequency cited shortcomings of fault-tree models, their inability to model so-called sequence dependencies, is discussed. Several sources of such sequence dependencies are discussed, and new fault-tree gates to capture this behavior are defined. These complex behaviors can be included in present fault-tree models because they utilize a Markov solution. The utility of the new gates is demonstrated by presenting several models of the FTPP (fault-tolerant parallel processor), which include both hot and cold spares.<<ETX>>

Analysis of Typical Fault-Tolerant Architectures using HARP

HARP (the Hybrid Automated Reliability Predictor) is a software package that implements advanced reliability modeling techniques. We present an overview of some of the problems that arise in modeling highly reliable fault-tolerant systems; the overview is loosely divided into model construction and model solution problems. We then describe the HARP approach to these difficulties, which is facilitated by a technique called behavioral decomposition. The bulk of this paper presents examples of the dependability evaluation of some typical fault-tolerant systems, including a local-area network, two well-known fault-tolerant computer systems (C.mmp and SIFT), and an example of a flight control system. HARP has been used to solve very large models. A system consisting of 20 components distributed among 7 stages produced a Markov chain with 24 533 states and over 335 000 transitions (without coverage). Depending on the system used to run this example, the run time took anywhere from 4 to 8 hours. HARP is undergoing beta testing at approximately 20 sites. It is written in standard FORTRAN 77, consists of nearly 30000 lines of code and comments, and has been tested under several operating systems. The graphics interface (written in C) runs on an IBM PC AT, and produces text files that can be used to solve the system on the PC (for very small systems), or can be uploaded to a larger machine. HARP is accompanied by an Introduction and Guide for Users. For information on obtaining a copy of HARP, contact one of the authors.

HiRel-reliability/availability integrated workstation tool

The HiRel software tool is described and demonstrated by application to the mission avionics subsystem of the advanced system integration demonstrations (ASID) system that utilizes the PAVE PILLAR approach. HiRel marks another accomplishment toward the goal of producing a totally integrated computer-aided design (CAD) workstation design capability. Since a reliability engineer generally represents a reliability model graphically before it can be solved, the use of a graphical input description language increases productivity and decreases the incidence of error. The graphical postprocessor module HARPO makes it possible for reliability engineers to quickly analyze huge amounts of reliability/availability data to observe trends due to exploratory design changes. The addition of several powerful HARP modeling engines provides the user with a reliability/availability modeling capability for a wide range of system applications all integrated under a common interactive graphical input-output capability.<<ETX>>

A User's View of CARE III

A novel, powerful, computerized reliability predictor for highly reliable digital fault-tolerant systems has recently been developed and will soon be released. CARE III (Computer-Aided Reliability Estimation) was designed to model very large systems on the order of 106 Markovian equivalent states. Through the use of advanced stochastic modeling techniques, CARE III implements a mixed Markov model that enables it to drastically reduce the state size of hitherto computationally unreachable models that are of practical interest. This paper introduces the basic concepts of CARE III from a users point of view. After describing the major attributes of the reliability evaluator, a discussion o the applicable class of fault-tolerant, digital-based computer architectures is presented. Following this discussion, the notions of failure, fault, and error are presented in the context of CARE IIIs fault/error-handling models. The paper concludes with a description of CARE IIIs user friendly interface and an example dialog portraying the assessment of a highly reliable fault-tolerant system. Also, some mention is made of the extensive testing and verification of the CARE III stochastic model and computer program.

A fourth generation reliability predictor

A reliability/availability predictor computer program has been developed and is currently being beta-tested by over 30 US companies. The computer program is called the Hybrid Automated Reliability Predictor (HARP), and was developed to fill an important gap in reliability assessment capabilities. This gap was manifested through the use of its third-generation cousin, the Computer-Aided Reliability Estimation (CARE III) program, over a six-year development period and an additional three-year period during which CARE III has been in public use. The accumulated experience of over 30 establishments now using CARE III was used in the development of the HARP program.<<ETX>>

The Effects of Latent Faults on Highly Reliable Computer Systems

Latent faults represent a potential obstacle in the synthesis of highly reliable digital computer systems. A simulation of an NMR redundant processor system was constructed using a gate level simulation package. The ability of each digital processor to react to randomly induced stuck-at faults is measured, and the amount of time it took the processors control program to propagate faults to an output was recorded. These propagation times represent the latency times of the faults. The effect of fault latency in degrading system reliability is explored.

Advanced Reliability Modeling of Fault-Tolerant Computer-Based Systems

Digital fault-tolerant computer-based systems are on the verge of becoming commonplace in military and commercial avionics. These systems hold the promise of increased availability, reliability, and maintainability over conventional analog-based systems through the application of replicated digital computers arranged in fault-tolerant configurations. Three tightly coupled factors of paramount importance, ultimately determining the viability of these systems, are reliability, safety, and profitability. Reliability, the major driver, involves virtually every aspect of design, packaging, and field operations with regard to safety, maintainability, and invariably profit for commercial applications or to national security for military uses.

A novel solution-technique applied to a novel WAAS architecture

The Federal Aviation Administration has embarked on an historic task of modernizing and significantly improving the national air transportation system. One system that uses the Global Positioning System (GPS) to determine aircraft navigational information is called the Wide Area Augmentation System (WAAS). This paper describes a reliability assessment of one candidate system architecture for the WAAS. A unique aspect of this study regards the modeling and solution of a candidate system that allows a novel cold sparing scheme. The cold spare is a WAAS communications satellite that is fabricated and launched after a predetermined number of orbiting satellite failures have occurred and after some stochastic fabrication time transpires. Because these satellites are complex systems with redundant components, they exhibit an increasing failure rate with a Weibull time to failure distribution. Moreover, the cold spare satellite build-time is Weibull and upon launch is considered to be a good-as-new system with an increasing failure rate and a Weibull time to failure distribution as well. The reliability model for this system is nonMarkovian because three distinct system clocks are required: the time to failure of the orbiting satellites, the build time for the cold spare, and the time to failure for the launched spare satellite. A powerful dynamic fault tree modeling notation and Monte Carlo simulation technique with importance sampling are shown to arrive at a reliability prediction for a 10 year mission.