














Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
A set of slides from a graduate course on fault-tolerant computing taught by professor behrooz parhami at the university of california, santa barbara. The slides cover various aspects of failure confinement, including reliability models, failure probability, failure warning, and fail-safe systems. The document also includes a thought experiment on the value of human life in relation to various risks, and discussions on engineering ethics and recovery from failures.
Typology: Exams
1 / 22
This page cannot be seen from the preview
Don't miss anything!















Nov. 2007
Failure Confinement
Nov. 2007
Failure Confinement
Edition
Released
Revised
Revised
First
Nov. 2006
Nov. 2007
This presentation has been prepared for the graduatecourse ECE 257A (Fault-Tolerant Computing) byBehrooz Parhami, Professor of Electrical and ComputerEngineering at University of California, Santa Barbara.The material contained herein can be used freely inclassroom teaching or any other educational setting.Unauthorized uses are prohibited. Ā© Behrooz Parhami
Nov. 2007
Failure Confinement
Nov. 2007
Failure Confinement
Slide 5
Component
Logic
Service
Result
Information
System
Level
ā
Low-Level Impaired
Mid-Level Impaired
High-Level Impaired
Unimpaired
Entry Legend:
Deviation
Remedy
Tolerance
Ideal
Defective
Faulty
Erroneous
Malfunctioning
Degraded
Failed
Nov. 2007
Failure Confinement
Slide 7
Hardware
Software
Operations Environment
Bellcore [Ali86]
Tandem [Gray87]
Northern Telecom
Japanese Commercial
Mainframe users
Overall average
*Excluding scheduled maintenance Tandem unscheduled outages^ Power
Communication lines
Application software
File system
Hardware
Tandem outages due to hardware^ Disk storage
Communications
Processors
Wiring
Spare units
Nov. 2007
Failure Confinement
Slide 8
Two disks, each with MTTF = 50,000 hr, MTTR = 5 hr Disk pair failure rate
ā^2 Ī»
2 /μ
Disk pair MTTF
ā μ
/(2Ī»
8 hr = 285 centuries
In 48,000 years of observation (2 years
Ć^ 6000 systems
Ć^ 4 disk pairs),
35 double disk failures were reported
ā^ 14 centuries 2
1
0
2 Ī»^
λ μ
-^ Indicate accuracy of model predictions (compare multiple models?) ā¢^ Help in fine-tuning of models to better match the observed behavior Problems with experimental failure data: ā¢^ Difficult to collect, while ensuring uniform operating conditions ā¢^ Logs may not be complete or accurate (the embarrassment factor) ā¢^ Assigning a cause to each failure not an easy task ā¢^ Even after collection, vendors may not be willing to share data ā¢^ Impossible to do for one-of-a-kind or very limited systems
Nov. 2007
Failure Confinement
-^ Minimum requirement: accurate estimation of failure probability ā¢^ Putting in place procedures for dealing with failures when they occur Failure probability = Unreliability Reliability models are by nature pessimistic (provide lower bounds) However, we do not want them to be too pessimistic
Risk
Frequency
Magnitude
Consequence / Unit time
Events / Unit time
Consequence / Event
Frequency may be equated with unreliability or failure probability Magnitude is estimated via economic analysis (next slide) Failure handling is often the most neglected part of the process An important beginning: clean, unambiguous messages to operator/user Listing the options and urgency of various actions is a good idea Two way system-user communication (adding user feedback) helpful Quality of failure handling affects the āMagnitudeā term in risk equation
Nov. 2007
Failure Confinement
Thought experiment: You are told that you have a 1/10,000 chance of dying todayHow much would you be willing to pay to buy out this risk, assumingthat youāre not limited by current assets (can use future earnings too)? If your answer is $1000, then your life is worth $10M to you
Risk
Frequency
Magnitude
Consequence / Unit time
Events / Unit time
Consequence / Event
Can visualize the risk by imagining that 10,000 people in a stadium aretold that one will be killed unless they collectively pay a certain sum Consciously made tradeoffs in the face of well-understood risks (salarydemanded for certain types of work, willingness to buy smoke detector)has been used to quantify the worth of a āstatistical human lifeā
Nov. 2007
Failure Confinement
āNo warning system will function effectively if its messages,however logically arrived at, are ignored, disbelieved, or lead toinappropriate actions.ā
Foster, H.D., āDisaster Warning Systems,ā 1987
Unbelievable failure warnings: Failure event after numerous false alarms Real failure occurring in the proximity of a scheduled test run Users or operators inadequately trained (May 1960 Tsunami in Hilo,^ Hawaii, killed 61, despite 10-hour advance warning via sirens) Unhelpful failure warnings: Autos ā āCheck engineā Computer systems ā āFatal errorā
Nov. 2007
Failure Confinement
Risks must be evaluated thoroughly and truthfully IEEE Code of Ethics:
As IEEE members, we agree to
Computing professionals must
minimize malfunctions by following generally accepted standards forsystem design and testing give comprehensive and thorough evaluations of computer systemsand their impacts, including analysis of possible risks
Nov. 2007
Failure Confinement
Fail-safe:
Produces one of a predetermined set of safe outputs when it fails as a result of āundesirable eventsā that it cannot tolerate Fail-safe traffic light: Will remain stuck on red Fail-safe gas range/furnace pilot: Cooling off of the pilot assembly dueto the flame going out will shut off the gas intake valve A fail-safe digital system must have at least two binary output lines,together representing the normal outputs and the safe failure condition Reason: If we have a single output line, then even if one value (say, 0)is inherently safe, the output stuck at the other value would be unsafe Two-rail encoding is a possible choice:
F : 00, 11, or both
Totally fail-safe:
Only safe erroneous outputs are produced, provided
another failure does not occur before detection of the current one Ultimate fail-safe:
Only safe erroneous output is produced, forever
Nov. 2007
Failure Confinement
Slide 17
Is the specification above consistent and complete?
Correctoutput Safe outputsUnsafeoutputs
Input spaceInput
Output space
Amusement park train safety system Signal
s when asserted indicates thatB^ the train is at beginning of its track (can move forward, but should not beallowed to go back) Signal
s when asserted indicates thatE^ the train is at end of its track (can goback, but should not move forward) No, because it does not say what happens if
s =B^
s = 1; this would notE^
occur under normal conditions, but because such sensors are oftendesigned to fail in the safe mode, the combination is not impossible Why is this a problem, though? (Train simply cannot be moved at all) Completeness will prevent potential implementation or safety problems
Nov. 2007
Failure Confinement
Use an error code to encode states Implement the next-state logic so that the machine is forced to an errorstate when something goes wrong Possible design methodology: Use Berger code for states, avoiding the all 0s state with all-1s check,and vice versa Implement next-state logic equations in sum-of-products form for themain state bits and in product-of-sums form for the check state bits The resulting state machine will be fail-safe under unidirectional errors
Input State
x =^
x =
A^
State
Encoding A
Hardware overhead for n -state machine consistsof O(log log
n ) additional
state bits and associatednext-state logic, and aBerger code checkerconnected to state FFs
Nov. 2007
Failure Confinement
Principles for designing a safe system
(J. Goldberg, 1987)