conceptual models to practical
play

Conceptual Models to Practical Implementations Dr Peter Popov - PowerPoint PPT Presentation

Feb 23, 2024 •36 likes •366 views

Software Design Diversity from Conceptual Models to Practical Implementations Dr Peter Popov Centre for Software Reliability City University London ptp@csr.city.ac.uk College Building, City University London EC1V 0HB Tel: +44 207 040

  1. Software Design Diversity – from Conceptual Models to Practical Implementations Dr Peter Popov Centre for Software Reliability City University London ptp@csr.city.ac.uk College Building, City University London EC1V 0HB Tel: +44 207 040 8963 (direct) +44 207 040 8420 (sec. CSR)

  2. Software design diversity: Why • The idea of redundancy (i.e. multiple software channels) for increased reliability/availability is not new: – has been known for a very long time and used actively in many application domains. • simple redundancy does not work with software – software failures are deterministic: whenever a software fault is triggered a failure will result – software does not ware out – software channels work in parallel, but must be: • different by design ( design diversity ) • work on (slightly) different inputs/demands ( data diversity ) 18/11/2013 29 th CREST Open Workshop 2 Software Redundancy

  3. Software design diversity (2) • Surprisingly , various homogeneous fail-over schemes dominate the market of FT ‘enterprise’ applications. These are ineffective! • U.S.-Canada Power System Outage Task Force, Final Report on the August 14th (2003) Blackout in the United States and Canada – https://reports.energy.gov/BlackoutFinal-Web.pdf EMS Server Failures. FE’s EMS system includes several server nodes that perform the higher functions of the EMS. Although any one of them can host all of the functions, FE’s normal system configuration is to have a number of host subsets of the applications, with one server remaining in a “hot - standby” mode as a backup to the others should any fail. At 14:41 EDT, the primary server hosting the EMS alarm processing application failed, due either to the stalling of the alarm application, “queuing” to the remote EMS terminals, or some combination of the two. Following preprogrammed instructions, the alarm system application and all other EMS software running on the first server automatically transferred (“failedover”) onto the back -up server. However, because the alarm application moved intact onto the backup while still stalled and ineffective, the backup server failed 13 minutes later , at 14:54 EDT. Accordingly, all of the EMS applications on these two servers stopped running. (Part 2, p 32) 18/11/2013 29 th CREST Open Workshop 3 Software Redundancy

  4. Examples: diverse, modular redundancy • “natural” 1 -out-of-2 scheme (e.g. communication, alarm, protection) Parallel (OR, Channel 1 1-out-of-2) inputs arrangements Channel 2 • Voted system (e.g. control) System Channel 1 output Bespoke Channel 2 adjudicator inputs Channel 3 18/11/2013 29 th CREST Open Workshop 5 Software Redundancy

  5. Examples: primary/checker systems Computation Input System Primary output software Approved/ checker rejected • Checker will usually be bespoke (possibly on OTS platform) • If simpler than primary high quality is affordable • Safety kernel idea can be implemented here 18/11/2013 29 th CREST Open Workshop 6 Software Redundancy

  6. Achievement vs. Assessment • Cost-benefit analysis is always needed: – design diversity is more expensive than non-diverse redundancy, or solutions without redundancy • especially in 80s, when the area was actively researched – what are the benefits of design diversity, how much one gains from diverse redundancy? • Assessing the benefits is a problem much harder for (diverse) software than for hardware • NVP ‘implicitly’ assumed independence of failures of the channels – huge controversy , very entertaining exchange in the IEEE Transaction on Software Engineering in mid 80s. 18/11/2013 29 th CREST Open Workshop 7 Software Redundancy

  7. Is failure independence realistic? • Knight and Leveson experiment (FTCS-15, 1985 and TSE, 1986) – 27 software versions developed to the same specification by students in two US Universities – tested on 1,000,000 test cases and the versions’ reliability ‘measured’ – Coincident failures observed much more frequently than independence would suggest • i.e. refuted convincingly the hypothesis of statistical independence between the failures of the independently developed versions! • Eckhardt & Lee model (TSE, 1985) – probabilistic model demonstrates why independently developed versions will not fail independently 18/11/2013 29 th CREST Open Workshop 8 Software Redundancy

  8. Eckhardt and Lee model • Model of software development – population of possible versions  ={  1 ,  2 ...} – probabilistic measure S(  ), i.e. S(  i ) is the probability that version  i will be developed • Demand space modelled probabilistically – D={x 1 , x 2 ...} - demand space, – Q(  ) probabilistic measure: the likelihood of different demands being chosen in operation.   1 , if program fails on x ;     ( , x )   0 , if program does not fail on x . 18/11/2013 29 th CREST Open Workshop 9 Software Redundancy

  9. Eckhardt and Lee model (2)  (  ,X) • The variable random represents the performance of a random program on a random demand: this is a model for the uncertainty both in software development and usage .             ( x ) ( , x ). S ( ) ( , x ) S  is the probability that a randomly chosen program fails for a particular demand x (‘difficulty’ function).  (X) is a random variable • – upper case X represents a random demand, i.e. chosen in operation at random according to Q(  ) 18/11/2013 29 th CREST Open Workshop 10 Software Redundancy

  10. Eckhardt and Lee model (3)          P ( and both fail on X ) P ( ( , X ) ( , X ) 1 ) 1 2 1 2         x x S S Q x ( , ) ( , ) ( ) ( ) ( ) 1 2 1 2   F        2           2 2 x Q x Var ( ) ( ) ( ) ( ) F   .    2 Var ( ) P ( fails on X ) There is no reason to expect that independently developed software versions will fail independently on a randomly chosen demand, X , even though they fail conditionally independently on a given demand, x . 18/11/2013 29 th CREST Open Workshop 11 Software Redundancy

  11. Littlewood and Miller model • A generalisation of the EL model for the case of ‘forced diversity’ – the development teams are kept apart but also forced to use different methodologies, e.g. programming languages, different algorithms, etc. • Model of forced diversity – probabilistic measures S A (  ) and S B (  ) for development methodologies, A and B. • a version (with a specific set of scores,  (  ,x) ) may be very likely with methodology A and very unlikely with methodology B – The model in every other aspect is identical to the EL model. 18/11/2013 29 th CREST Open Workshop 12 Software Redundancy

  12. Littlewood and Miller model (2)    P ( fails on X , fails on X ) A B      Cov ( , ) P ( fails on X ) P ( fails on X ). A B A B • Since covariance can be negative , then with forced diversity one may do even better than the unattainable independence under the EL model • Littlewood & Miller in their TSE paper 1989 applied their model to Knight & Leveson’s data and discovered negative covariance. – For them the two methodologies were represented by the programs developed by students from different universities. 18/11/2013 29 th CREST Open Workshop 13 Software Redundancy

  13. Limitations of EL and LM models • Eckhardt and Lee (EL) and Littlewood and Miller (LM) models deal with a ‘snapshot’ of the population of versions – extended by allowing the versions to evolve through their being tested and fixing the detected faults • These are models ‘on average’ – extended by looking at models of a particular pair of versions (models ‘in particular’). – Not covered here. The models are similar, but not identical. 18/11/2013 29 th CREST Open Workshop 14 Software Redundancy

  14. A new model ‘on average’ version i tested with j no testing version i version i Testing: tested with k - test suite (a given test generation procedure may be instantiated differently, i.e. different sets of test cases can be generated) - independently generated for each channel of the system; - the same test suite used; - adjudication (oracle: perfect/imperfect, back-to-back) - fault-removal (perfect/imperfect, new faults?) 18/11/2013 29 th CREST Open Workshop 15 Software Redundancy

  15. Modelling the testing process •  ={ t 1 ,t 2 ,... } with M(  ) , i.e. M(t) = P( T = t ) • Extended score function:   if tested with t fails on x 1 , ,     x t ( , , )   0 , if tested with t does not fail on x . is the score of  on x before testing    ( , x , ) 18/11/2013 29 th CREST Open Workshop 16 Software Redundancy

  16. Comparison of testing regimes • Testing with oracles: – Detailed analysis with perfect oracles: • testing with oracles on independently chosen testing suites ; • testing with oracles on the same testing suite ; – Speculative analysis of oracle imperfection • ‘back -to- back’ testing - lower and upper bounds identified under simplifying assumptions 18/11/2013 29 th CREST Open Workshop 17 Software Redundancy

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model

From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model

From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model Driven Development of Agent- -Based Based Simulations Simulations Model Driven Development of Agent Takashi Iba* Yoshiaki Matsuzawa** Nozomu

235 views • 11 slides
Chapter 7 Friday, February 05, 1999 Interface Metaphors and Conceptual Models Preview of

Chapter 7 Friday, February 05, 1999 Interface Metaphors and Conceptual Models Preview of

Chapter 7 Friday, February 05, 1999 Interface Metaphors and Conceptual Models Preview of Chapter 7 l Verbal metaphors l Virtual interface metaphors l Ubiquitous computing l Conceptual models 1 Metaphors l Metaphors convey an abstract concept

571 views • 7 slides
Practical lesson Two models of the cardiovascular system: 1. Simple RLRC model 2. Accurate

Practical lesson Two models of the cardiovascular system: 1. Simple RLRC model 2. Accurate

Lesson 5 University of Bergamo Engineering and Management for Health FOR CHRONIC DISEASES MEDICAL SUPPORT SYSTEMS LESSON 5 Lumped parameter models of the cardiovascular system: practical lesson. Ettore Lanzarone March 25, 2020 Practical

399 views • 6 slides
Software practical final presentation Niels Buwen David Sprengel Vulkan vs OpenGL Conceptual

Software practical final presentation Niels Buwen David Sprengel Vulkan vs OpenGL Conceptual

Software practical final presentation Niels Buwen David Sprengel Vulkan vs OpenGL Conceptual differences and performance 23.04.2018 2 / 24 'Vulkan is not well-suited to simple test applications; neither is it a suitable aid for teaching

526 views • 24 slides
Connecting Conceptual Models using Relational Reference Attribute Grammars

Connecting Conceptual Models using Relational Reference Attribute Grammars

Ren Schne, Johannes Mey, Sebastian Ebert, Uwe Amann Connecting Conceptual Models using Relational Reference Attribute Grammars connector.relational-rags.eu October 16th 2020 Challenges when Designing Cyber-Physical Systems Distribution:

1k views • 42 slides
CL CLU-In In April pril 3, 2018 3, 2018 US EPA Emphasis on Geologic Based CSMs and

CL CLU-In In April pril 3, 2018 3, 2018 US EPA Emphasis on Geologic Based CSMs and

Best Best Pr Practice actices s for or En Envir vironmenta onmental Site Mana l Site Manageme gement nt A Practical Guide for Applying Environmental Sequence Stratigraphy (ESS) to Improve Conceptual Site Models Pr Prese esente

1.09k views • 83 slides
09-12-2019 Outline Introduction to Dynamic Linear Models (DLM) - Conceptual introduction -

09-12-2019 Outline Introduction to Dynamic Linear Models (DLM) - Conceptual introduction -

09-12-2019 Outline Introduction to Dynamic Linear Models (DLM) - Conceptual introduction - Difference between the Classical methods and DLM Monitoring and data filtering II - A very simple DLM and the Kalman filter - Break (5 minutes)

790 views • 5 slides
U.S. NRC Staff Experience with Conceptual Site Models from Development and Testing to Lessons

U.S. NRC Staff Experience with Conceptual Site Models from Development and Testing to Lessons

U.S. NRC Staff Experience with Conceptual Site Models from Development and Testing to Lessons Learned November 13, 2019 George Alexander Risk and Technical Analysis Branch & Uranium Recovery and Materials Decommissioning Branch Division

223 views • 19 slides
Q-Analysis and Human Mental Models: A Conceptual Framework for Complexity Estimate of Simplicial

Q-Analysis and Human Mental Models: A Conceptual Framework for Complexity Estimate of Simplicial

Q-Analysis and Human Mental Models: A Conceptual Framework for Complexity Estimate of Simplicial Complex in Psychological Space Dr. Konstantin DEGT AREV Faculty of Business Informatics (BI) School of Software Engineering (SSE) The National

467 views • 28 slides
A comparison between conceptual and physically based models in predicting the hydrological

A comparison between conceptual and physically based models in predicting the hydrological

University of Salerno Department of Civil Engineering A comparison between conceptual and physically based models in predicting the hydrological behavior of green roofs AUTHORS: Antonia Longobardi Mirka Mobilia Department of Civil

239 views • 8 slides
Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I

Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I

Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I Naimi Stijn Vansteelandt 1 Overview 1. Preliminaries & Review 2. Marginal Structural vs Structural Nested Models 3. Practical MR Estimation

419 views • 38 slides
DEVELOPING CONCEPTUAL MODELS FOR FLOW AND TRANSPORT IN BEDROCK AQUIFERS USING DEPTH-DISCRETE

DEVELOPING CONCEPTUAL MODELS FOR FLOW AND TRANSPORT IN BEDROCK AQUIFERS USING DEPTH-DISCRETE

DEVELOPING CONCEPTUAL MODELS FOR FLOW AND TRANSPORT IN BEDROCK AQUIFERS USING DEPTH-DISCRETE HYDRAULIC AND TRACER TRANSPORT MEASUREMENTS Kent Novakowski Dept. of Civil Engineering, Queens University Kingston, Ontario, Canada Nov. 7, 2013

257 views • 25 slides
Conceptual Models as Ontological Contracts Giancarlo Guizzardi CORE/UNIBZ, Italy (together with

Conceptual Models as Ontological Contracts Giancarlo Guizzardi CORE/UNIBZ, Italy (together with

Conceptual Models as Ontological Contracts Giancarlo Guizzardi CORE/UNIBZ, Italy (together with Nicola Guarino and the NEMO Group) By Tom Gould I s D Ham I s Bacon Sausage I s Real-World ( Ontological ) Semantics X Formal

1.23k views • 109 slides
1 Characteristics of Objects Identity The Class Diagrams Discrete and distinguishable

1 Characteristics of Objects Identity The Class Diagrams Discrete and distinguishable

Outline Conceptual modeling Conceptual Modeling The goal of conceptual modeling The OO solution The object model (conceptual) Syntax and semantics A Short Discussion Object modeling

118 views • 9 slides
Recognizing Critical Processes and Scales in Conceptual Site Models for Decision Support at Sites

Recognizing Critical Processes and Scales in Conceptual Site Models for Decision Support at Sites

Recognizing Critical Processes and Scales in Conceptual Site Models for Decision Support at Sites of Groundwater Contamination Allen M. Shapiro U.S. Geological Survey Water Mission Area, Earth Systems Processes Division, Reston, VA

500 views • 22 slides
Entity-Relationship Models 1 / 24 Entity-Relationship Models Entities Attributes

Entity-Relationship Models 1 / 24 Entity-Relationship Models Entities Attributes

Entity-Relationship Models 1 / 24 Entity-Relationship Models Entities Attributes Relationships 2 / 24 The Role of Conceptual Models High-level but concrete view of data understandable by end users and database developers 3 / 24

628 views • 24 slides
File and Metadata Replication in XtreemFS Bjrn Kolbeck Zuse Institute Berlin File and Metadata

File and Metadata Replication in XtreemFS Bjrn Kolbeck Zuse Institute Berlin File and Metadata

File and Metadata Replication in XtreemFS Bjrn Kolbeck Zuse Institute Berlin File and Metadata Replication in XtreemFS 1 Why Replicate ? fault tolerance mail server source repository bandwidth start 1,000 VMs in

497 views • 23 slides
OceanSt Stor or S2600 Main Slides www.huawei.com HUAWEI TECHNOLOGIES CO., LTD. Contents

OceanSt Stor or S2600 Main Slides www.huawei.com HUAWEI TECHNOLOGIES CO., LTD. Contents

Security Level: OceanSt Stor or S2600 Main Slides www.huawei.com HUAWEI TECHNOLOGIES CO., LTD. Contents Chapter Storage System Challenge One Chapter S2600 Overview Two pt Chapter S2600 Features Three OceanStor S2600 Chapter S2600

823 views • 27 slides
Distributed Systems Principles and Paradigms Chapter 11 (version October 15, 2007 ) Maarten van

Distributed Systems Principles and Paradigms Chapter 11 (version October 15, 2007 ) Maarten van

Distributed Systems Principles and Paradigms Chapter 11 (version October 15, 2007 ) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.20. Tel: (020) 598 7784

520 views • 16 slides
Recall: virtual machines (VMs) Each guest VM runs a complete OS instance over an isolated

Recall: virtual machines (VMs) Each guest VM runs a complete OS instance over an isolated

Remus: VM Replica/on Jeff Chase Duke University Recall: virtual machines (VMs) Each guest VM runs a complete OS instance over an isolated sliver of host physical memory. Hypervisors support migration

207 views • 16 slides
Handling Nondeterminism in Multi-Tiered Distributed Systems Joseph Slember Priya Narasimhan

Handling Nondeterminism in Multi-Tiered Distributed Systems Joseph Slember Priya Narasimhan

Handling Nondeterminism in Multi-Tiered Distributed Systems Joseph Slember Priya Narasimhan Electrical & Computer Engineering Department Carnegie Mellon University Pittsburgh, PA Carnegie Mellon Motivation Consistent state-machine

614 views • 43 slides
DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To

DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To

Prof Philippas Tsigas Distributed Computing and Systems Research Group DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To prevent transactions in different partitions from producing inconsistent

354 views • 23 slides
High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of

High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of

Introduction Design and Implementation Evaluation Conclusion High-speed Checkpointing for High Availability Brendan Cully brendan@cs.ubc.ca Department of Computer Science The University of British Columbia Xen Summit 5, November 2007

514 views • 26 slides
Tim OMahony Technical Support # Previouslyin Global Distributed Perforce Dont do

Tim OMahony Technical Support # Previouslyin Global Distributed Perforce Dont do

Tim OMahony Technical Support # Previouslyin Global Distributed Perforce Dont do that do this! Living on the Edge Not just for multi-site, but everywhere. # # Provide warm standby servers Reduce load and

592 views • 40 slides

More recommend