Idealised Fault Tolerant Architectural Element

Rogério de Lemos
University of Kent, UK

- Motivation: architectural fault tolerance;
- iFTE and propagation of exceptions;
- Case study: mining control system;
- Conclusions and future work;

Rogério de Lemos DSN 2006 WADS – June 2006 – 1
Motivation

Architectures are about structures:
- unstructured approaches can reduce system dependability by introducing more faults;
- a good architecture should promote error confinement;

Architectural fault tolerance:
- avoid the failure of systems:
  - error detection and handling;
  - fault handling;
- components need to collaborate for handling certain failure scenarios;
Idealised Fault Tolerant Component

An architectural solution based on exception handling:
- the idealised fault tolerant component enables fault tolerance to be built into the system [Anderson & Lee 81]:
  - separation between normal and abnormal behaviour;
  - provided and required services;
  - local, interface and failure exceptions;
Idealised Fault Tolerant Component

Exception handlers provide mechanisms for:
- handling exceptional conditions so that the exception can be masked:
  - backward recovery: roll back to a previous state;
  - forward recovery: perform actions to correct the state by other means;
- signalling exceptions;

Handlers are provided for anticipated exceptions:
- default handlers are provided for unanticipated exceptions;
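The following is an added example, not code from the talk, showing one way the idealised fault tolerant component of the two slides above can be realised: a provided service with an interface check, a normal activity, a separate abnormal activity selected by exception type, backward recovery from a checkpoint, forward recovery (bounded retry) for an anticipated local exception, and a default handler that turns anything unanticipated into a failure exception. `StoreComponent`, `FlakyBackend` and the exception names are constructed for the illustration.

```python
# Added example (not code from the talk): an idealised fault tolerant
# component in the sense of Anderson & Lee. The component, the backend and
# the exception names below are constructed for illustration.
import copy
import json


class InterfaceException(Exception):
    """Interface exception: the request itself is invalid (caller's fault)."""


class LocalException(Exception):
    """Local exception: an anticipated internal error raised in normal activity."""


class FailureException(Exception):
    """Failure exception: signalled when the component cannot mask an error."""


class FlakyBackend:
    """Constructed stand-in for a resource that fails a set number of times."""

    def __init__(self, failures_before_success=0):
        self.remaining = failures_before_success
        self.data = {}

    def write(self, key, payload):
        if self.remaining > 0:
            self.remaining -= 1
            raise LocalException("transient write failure")
        self.data[key] = payload


class StoreComponent:
    """Provided service: put(key, value). Normal and abnormal activity live in
    separate methods; a checkpoint taken on entry supports backward recovery;
    unanticipated exceptions fall through to a default handler."""

    MAX_RETRIES = 3

    def __init__(self, backend):
        self.backend = backend
        self.state = {"index": []}      # the component's own state
        self._checkpoint = None
        self.log = []                   # which recovery path was taken
        # handlers for the anticipated exception types
        self.handlers = {LocalException: self._retry_handler}

    # ---- provided interface: reject invalid requests without touching state ----
    def put(self, key, value):
        if not isinstance(key, str):
            raise InterfaceException(f"key must be str, got {type(key).__name__}")
        self._checkpoint = copy.deepcopy(self.state)   # recovery point
        try:
            return self._normal_activity(key, value)
        except Exception as exc:                        # hand over to abnormal activity
            return self._abnormal_activity(exc, key, value)

    # ---- normal activity ----
    def _normal_activity(self, key, value):
        self.state["index"].append(key)
        payload = json.dumps(value)     # raises TypeError for unserialisable values
        self.backend.write(key, payload)
        return len(self.state["index"])

    # ---- abnormal activity ----
    def _abnormal_activity(self, exc, key, value):
        self._rollback()                                # backward recovery
        handler = self.handlers.get(type(exc), self._default_handler)
        return handler(exc, key, value)

    def _rollback(self):
        self.state = copy.deepcopy(self._checkpoint)

    def _retry_handler(self, exc, key, value):
        """Forward recovery for a transient local error: retry a bounded
        number of times, rolling back after each failed attempt."""
        for attempt in range(1, self.MAX_RETRIES + 1):
            try:
                result = self._normal_activity(key, value)
            except LocalException:
                self._rollback()
                continue
            self.log.append(f"masked: {exc} (attempt {attempt})")
            return result
        self.log.append(f"failure: {exc} after {self.MAX_RETRIES} retries")
        raise FailureException(str(exc)) from exc

    def _default_handler(self, exc, key, value):
        """Default handler for unanticipated exceptions: the state has already
        been rolled back, so signal a failure exception to the caller."""
        self.log.append(f"failure: unanticipated {type(exc).__name__}")
        raise FailureException(f"unanticipated {type(exc).__name__}: {exc}") from exc
```

The point to check when reading the code is error confinement: whatever path is taken, the caller observes either a successful reply, an interface exception with the state untouched, or a failure exception with the state rolled back to the checkpoint; no partially updated index ever leaks out of the component.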
Idealised Fault Tolerant C2 Component (iC2C)

[Figure: structure of the iC2C. Elements: NormalActivity (a COTS component), Detector (1) ... Detector (n), AbnormalActivity, Diagnosis, Handler (1) ... Handler (n). Ports: iC2C_top, iC2C_bottom, iC2C_internal, detector_top, detector_bottom, upper_detector, lower_detector, abnormal_top, abnormal_bottom, abnormal_internal. Error messages flow between the elements.]
Idealised Fault Tolerant Architectural Element (iFTE)

Idealised fault tolerant architectural element (iFTE):
- fault-tolerant software component:
  - preventing the propagation of internal errors by constraining its exceptional behaviour;
- fault-tolerant software connector:
  - coordinating exceptional behaviour among components;
  - resolving potential mismatches;
  - preventing the propagation of errors by handling them as exceptions;
Idealised Fault Tolerant Architectural Element (iFTE)

Architectural solution/pattern:
- peer-to-peer style;
- request/reply interaction;

[Figure: the <<element>> "idealised fault-tolerant architectural element". Inside it are the <<component>>s Provided, Normal, Abnormal and Required and the <<connector>> Coordinator. External interfaces: IP_iFTE_S and IP_iFTE_E on the provided side, IR_iFTE_S and IR_iFTE_E on the required side. Internal interfaces: I_PC_S, I_PC_E, I_CN_S, I_NC_S, I_NC_E, I_AC_S, I_AC_E, I_CA_E, I_CR_S, I_CR_E (the _S and _E suffixes appear to distinguish service from exception interfaces).]
iFTE: Propagation Scenarios

Normal behaviour:
- internal services with no exceptions;
- requests external services with no exceptions;

Exceptional behaviour:
- internal services with exceptions:
  - not masked by internal handlers;
  - not masked by external handlers;
  - masked by internal handlers;
  - masked by external handlers;
- requests external services with exceptions:
  - not masked by internal handlers;
  - not masked by external handlers;
  - masked by internal handlers;
  - masked by external handlers;
iFTE: Propagation Scenarios

- normal behaviour when requesting external services with no exceptions;
iFTE: Exception Propagation

- contexts for handling exceptions: components, roles and connectors;
- exceptions meaningful for components and connectors:
  - translation of the types of exceptions;

Propagation of exceptions:
- from components to connectors;
- from connectors to components;
iFTE: Exception Propagation

Propagation of exceptions:
- from connectors to connectors;
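As an added example (not code from the talk), the block below drives one request/reply interaction through an element and records which of the propagation scenarios of the "Propagation Scenarios" slide it falls into, while the connector does the exception translation described on the two "Exception Propagation" slides: an exception from the external service that has a counterpart in the Normal component's vocabulary is translated and propagated connector-to-component; one that has no counterpart is either masked by the connector's own (external) handlers or signalled as a failure of the whole element. `Normal`, `Coordinator` and `Required` follow the names on the pattern slide; the exception vocabularies, the scripted `RequiredStub` and `run_scenario` are assumptions made for the example.

```python
# Added example (not code from the talk): one request/reply interaction
# through an iFTE, classified into the propagation scenarios of the talk.
# Normal, Coordinator and Required follow the names on the pattern slide;
# the exception vocabularies and the stub service are constructed here.


class RequiredTimeout(Exception):
    """Exception in the vocabulary of the external service (Required side)."""


class RequiredBadReply(Exception):
    """External-service exception with no counterpart in Normal's vocabulary."""


class ServiceUnavailable(Exception):
    """Exception meaningful to the Normal component."""


class IFTEFailure(Exception):
    """Failure exception that crosses the boundary of the whole element."""


class RequiredStub:
    """Constructed stand-in for the external service: replays a scripted list
    of replies, where an Exception instance means 'raise this'."""

    def __init__(self, script):
        self.script = list(script)

    def call(self, request):
        item = self.script.pop(0)
        if isinstance(item, Exception):
            raise item
        return item


class Coordinator:
    """Connector between Normal and Required. Exceptions it can translate are
    re-raised in Normal's vocabulary (connector-to-component propagation);
    the rest go to the connector's own handlers or become element failures."""

    TRANSLATION = {RequiredTimeout: ServiceUnavailable}

    def __init__(self, required, trace, external_handlers=None):
        self.required = required
        self.trace = trace                         # shared record of the path taken
        self.external_handlers = external_handlers or {}

    def request(self, value):
        try:
            return self.required.call(value)
        except tuple(self.TRANSLATION) as exc:
            self.trace.append("translated")
            raise self.TRANSLATION[type(exc)](str(exc)) from exc
        except Exception as exc:
            handler = self.external_handlers.get(type(exc))
            if handler is None:
                self.trace.append("failure")
                raise IFTEFailure(f"unhandled {type(exc).__name__}") from exc
            self.trace.append("masked-external")
            return handler(exc, value)


class Normal:
    """Normal activity of the element. Its internal handler (the Abnormal
    component's role) masks ServiceUnavailable by retrying the request once."""

    def __init__(self, coordinator, trace):
        self.coordinator = coordinator
        self.trace = trace

    def serve(self, value):
        try:
            return self.coordinator.request(value)
        except ServiceUnavailable as exc:
            return self._abnormal(exc, value)

    def _abnormal(self, exc, value):
        try:
            result = self.coordinator.request(value)   # single retry
        except ServiceUnavailable as again:
            self.trace.append("failure")
            raise IFTEFailure("retry exhausted") from again
        self.trace.append("masked-internal")
        return result


def run_scenario(script, external_handlers=None):
    """Drive one request through the element. Returns (outcome, trace): the
    reply value, or the name of the exception that crossed the boundary, and
    the list of propagation events (empty for the all-normal scenario)."""
    trace = []
    coordinator = Coordinator(RequiredStub(script), trace, external_handlers)
    try:
        return Normal(coordinator, trace).serve("req"), trace
    except IFTEFailure as exc:
        return type(exc).__name__, trace


if __name__ == "__main__":
    print(run_scenario([42]))                                   # normal
    print(run_scenario([RequiredTimeout("t/o"), 7]))            # masked internally
    print(run_scenario([RequiredBadReply("garbage")],
                       {RequiredBadReply: lambda exc, req: "default-reply"}))
    print(run_scenario([RequiredTimeout("a"), RequiredTimeout("b")]))   # failure
```

The trace makes the confinement property visible: the only exception types that ever leave the element are those in its declared failure vocabulary (`IFTEFailure`), and every external-service exception is either translated into something the Normal component understands, masked at the connector, or converted at the boundary. A reviewer of such a design would look for any `except` branch that lets a raw `Required`-side exception escape untranslated, since that is exactly the mismatch the connector exists to resolve.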
Embedded System: Mining Control System

[Figure: the mining environment, with numbered elements:
1 - Control system
2 - Pump
3 - Exhaustor
4 - Water sensor (low level)
5 - Water sensor (high level)
6 - Methane sensor
Other labels in the figure: "Mining environment", "Dump".]
Embedded System: Mining Control System
Embedded System: Mining Control System

Exception propagation when AirExtractor fails: the exception is propagated to OperatorInterface:
- the whole system shuts down;
Conclusions

Fault tolerance at the architectural level:
- error detection and handling:
  - application dependent;
  - idealised Fault Tolerant Architectural Elements (iFTE): an architectural solution/pattern based on exception handling;
- fault handling:
  - not application dependent;
  - reconfiguration support by CA action;
Future Work

- model the iFTE with AADL – Error Model;
- the iFTE is application dependent and requires additional assurances:
  - model the iFTE with B and CSP for analysing the propagation of exceptions;
  - identification of iFTE properties that can be applied to architectures;
  - identification of iFTE test cases;
- automatic generation of Provided and Required components;