Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), страница 48
Текст из файла (страница 48)
Figure 6.5 depicts the state space of a fault-tolerant system. In thecenter we see the correct states. A normal failure will bring the system into a1546 DependabilityFig. 6.5 State space of a fault-tolerant systemnormal fault-state (i.e., a state that is covered by the fault hypothesis). A normalfault will be corrected by an available fault-tolerance mechanism that bringsthe system back into the domain of correct states. A rare fault will bring the systeminto a state that is outside the specified fault hypothesis and therefore will not becovered by the provided fault-tolerance mechanisms. Nevertheless, instead ofgiving up, a never-give-up (NGU) strategy should try to bring the system backinto a correct state.Example: Let us assume that the fault hypothesis states that during a specified timeinterval a fault of any single component must be tolerated.
The case that two componentsfail simultaneously is thus outside the fault hypothesis, because it is considered to be a rarefault. If the simultaneous failure of two components is detected, then the NGU strategykicks in. In the NGU strategy it is assumed that the simultaneous faults are transient and afast restart of the complete system will bring the system back into a correct state. In order tobe able to promptly activate the NGU strategy we must have a detection mechanism insidethe system that detects the violation of the fault hypothesis. A distributed fault-tolerantmembership service, such as the membership protocol contained in the Time-TriggeredProtocol (TTP) [Kop93] implements such a detection mechanisms.6.4.1Fault HypothesesFault-Containment Unit (FCU).
The fault hypothesis begins with a specificationof the units of failure, i.e., the fault containment units (FCUs). It is up to qualityengineering to ensure that FCUs fail independently. Even a small correlation ofthe failure rates of FCUs has a tremendous impact on the overall reliability of asystem. If a fault can cause more than one FCU to fail, then the probability of sucha correlated failure must be carefully analyzed and documented in the faulthypotheses.6.4 Fault Tolerance155Example: In a distributed system, a component, including hardware and software, can beconsidered to form an FCU. Given proper engineering precautions concerning the powersupply and the electrical isolation of process signals have been made, the assumption thatcomponents of a distributed system that are physically at a distance will fail independentlyis realistic.
On an MPSoC, an IP-core that communicates with other IP-cores solely by theexchange of messages can be considered to form an FCU. However, since the IP-cores of anMPSoC are physically close together (potential for spatial proximity faults), having acommon power supply and a common timing source, it is not justified to assume that thefailures of IP-cores are fully independent.
For example, in the aerospace domain, a failurerate of 106 FIT is assumed for a total MPSoC failure, no matter what kind of MPSoCinternal fault-containment mechanisms are available.Failure Modes and Failure Rates. In the next step, the assumed failure modes ofthe FCUs are described and an estimated failure rate for each failure mode isdocumented.
These estimated failure rates serve as an input for a reliabilitymodel to find out whether the calculated reliability of a design is in agreementwith the required reliability. Later, after the system has been built, these estimatedfailure rates are compared with the failure rates that are observed in the field.This is to check whether the fault hypothesis is reasonable and the requiredreliability goals can be met. The following Table 6.2 lists orders of magnitude oftypical hardware failure rates of large VLSI chips [Pau98] that are used in theindustrial and automotive domain.In addition to the failure modes and failure rates, the fault hypothesis mustcontain a section that discusses the error and failure detection mechanisms thatare designed to detect a failure.
This topic is discussed in Sect. 6.3.Recovery Time. The time needed to recover after a transient failure is an importantinput for a reliability model. In a state aware design, the recovery time depends onthe duration of the ground cycle (see Sect. 6.6) and the time it takes to restart acomponent.6.4.2Fault-Tolerant UnitIn order to tolerate the failure of a fault-containment unit (FCU), FCUs are groupedinto fault-tolerant units (FTU). The purpose of an FTU is to mask the failure ofa single FCU inside the FTU. If an FCU implements the fail-silent abstraction,then an FTU consists of two FCUs. If no assumptions can be made about the failurebehavior of an FCU, i.e., an FCU can exhibit Byzantine failures, then four FCUslinked by two independent communication channels are needed to form an FTU.If we can assume that a fault-tolerant global time is existent at all FCUs and thatTable 6.2 Order of magnitude of hardware failure ratesFailure modePermanent hardware failuresNon-fail silent permanent hardware failuresTransient hardware failures (strong dependence on environment)Failure rate (FIT)10–1001–101,000–1,000,0001566 Dependabilitythe communication network contains temporal failures of an FCU, then it ispossible to mask the failure of a non-fail-silent FCU by triplication, called triplemodular redundancy (TMR).
TMR is the most important fault-masking method.Although a failure of an FCU is masked by the fault-tolerant mechanism and isthus not visible at the user interface, a permanent failure of an FCU neverthelessreduces or eliminates any further fault-masking capability. It is therefore essential thatmasked failures are reported to a diagnostic system so that the faulty units can berepaired.
Furthermore, special testing techniques must be provided to periodicallycheck whether all FCUs and the fault-tolerance mechanisms are operational. Thename scrubbing refers to testing techniques that are periodically applied todetect faulty units and avoid the accumulation of errors.Example: If the data words in memory are protected by an error-correcting code, then thedata words must be accessed periodically in order to correct errors and thus avoid theaccumulation of errors.Fail-Silent FCUs. A fail-silent FCU consists of a computational subsystem and anerror detector (Fig.
6.6) or of two FCUs and a self-checking checker to compare theresults. A fail-silent FCU produces either correct results (in the value andtime domain) or no results at all. In a time-triggered architecture, an FTU thatconsists of two deterministic fail-silent FCUs produces zero, one, or two correctresult messages at about the same instant. If it produces no message, it has failed.If it produces one or two messages, it is operational.
The receiver must discardredundant result messages. Since the two FCUs are deterministic, both results,if available, are correct and it does not matter which one of the two results istaken. If the result messages are idempotent, two replicated messages will have thesame effect as a single message.Triple Modular Redundancy. If a fault-containment unit (FCU) can exhibitvalue failures at its linking interface (LIF) with a probability that cannot betolerated in the given application domain, then these value failures can be detectedand masked in a triple modular redundant (TMR) configuration.
In a TMR configuration, a fault-tolerant unit (FTU) must consist of three synchronized deterministicFig. 6.6 FTU consisting of two fail-silent FCUs6.4 Fault Tolerance157Fig. 6.7 Two FTUs, each one consisting of three FCUs with votersFCUs, where each FCU is composed of a voter and the computational subsystem.Any two successive FTUs must be connected by two independent real-timecommunication systems to tolerate a failure in any of the two communicationsystems (Fig. 6.7). All FCUs and the communication system must have access toa fault-tolerant global time base.
The communication system must perform errorcontainment in the temporal domain, i.e., it must have knowledge about thepermitted temporal behavior of an FCU. In case an FCU violates its temporalspecification, the communication system will discard all messages received fromthis FCU in order to protect itself from an overload condition. In the fault-free case,each receiving FCU will receive six physical messages, two (via the twoindependent communication systems) from each sending FCU. Since all FCUsare deterministic, the correct FCUs will produce identical messages.
The voterdetects an erroneous message and masks the error in one step by comparing thethree independently computed results and then selecting the result that hasbeen computed by the majority, i.e., by two out of three FCUs.A TMR configuration that is set up according to the above specified rules willtolerate an arbitrary failure of any FCU and any communication system, providedthat a fault-tolerant global time base is available.Two different kinds of voting strategies can be distinguished: exact voting andinexact voting. In exact voting, a bit-by-bit comparison of the data fields inthe result messages of the three FCUs forming an FTU is performed. If two outof the three available messages have exactly the same bit pattern, then one of thetwo messages is selected as the output of the triad.
The underlying assumptionis that correctly operating replica-determinate components produce exactly thesame results. Exact voting requires that the input messages and the g-state ofthe three FCUs that form an FTU are bit-identical. If the inputs originate fromredundant sensors to the physical environment, an agreement protocol must beexecuted to enforce bit-identical input messages.1586 DependabilityIn inexact voting, two messages are assumed to contain semantically the sameresult if the results are within some application-specific interval.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
