Fault-Tolerant System Dependability: Explicit Modeling of Hardware and Software Component-Interactions.

Kanoun, Karama; Ortalo-Borrel, Marie

In: IEEE Transactions on Reliability, Vol. 49, No. 4, pages 363-376. December 2000.

Abstract: This paper presents a framework for modeling the dependability of hardware and software fault-tolerant systems, explicitly taking into account the dependence among the components. These dependencies can result from: a) functional or structural interactions between the components, or b) interactions due to global system reconfiguration and maintenance strategies. Modeling is based on GSPN (generalized stochastic Petri nets). The modeling approach is modular: the behavior of each component and each interaction is represented by its own GSPN, while the system model is obtained by composition of these GSPNs. Composition rules are defined and formalized through clear identification of the interfaces between the component and interaction nets. In addition to modularity, the formalism brings flexibility and re-usability, thereby allowing easy sensitivity analysis with respect to the assumptions that could be made about the behavior of the components and the resulting interactions. This approach has been successfully applied to select new architectures for the French Air Traffic Control system, based, among other things, on availability evaluation. This paper illustrates it on a simple representative example that includes all the types of the identified dependencies: the duplex system. Modeling of this system showed the strong dependence between components. For example, the activation of a temporary hardware fault can propagate an error to the hosted software component, which in turn can propagate it to other components communicating with it (not necessarily on the same computer). Thus the activation of a temporary hardware fault can lead to the restart of one or more software components. Even though this has been observed on real systems, it has not been modeled explicitly in previous work.
This paper shows how one or several assumptions can be modified without modifying all GSPNs, considering two repair policies and two switching policies (with or without manual switch). The main advantage of this modeling approach, based on explicitly considering the interactions, lies in its efficiency for modeling several alternatives for the same system. These alternatives can differ in their composition or organization, or in their fault-tolerance and maintenance strategies. One can clearly identify from the beginning the components and interactions that are specific to one alternative and those that are common to all alternatives. The common GSPNs are thus developed and validated only once.

Keywords: Dependability modeling; GSPN (generalized stochastic Petri net); hardware failures; interaction between hardware and software components; software failures.
