
# The ANSA project - PowerPoint PPT Presentation

The ANSA project. Failures and Dependability in ANSA. System structure. Component based: component behaviour can be observed by other components Independent components: own observations and reasoning about events No global observer No global ordering of events No global time.


## PowerPoint Slideshow about 'The ANSA project' - thimba


## Presentation Transcript

### The ANSA project

Failures and Dependability in ANSA

• Component based: component behaviour can be observed by other components

• Independent components: own observations and reasoning about events

• No global observer

• No global ordering of events

• No global time

[Figure: value/time (V, T) plot] An event with value v0 is expected in time interval t0 and t1.

[Figure: value/time (V, T) plot] An event with a value between v0 and v1 is expected in time interval t0 and t1.

[Figure: value/time (V, T) plot] An event with a value between v0 and v1 is expected in time interval t0 and t1. The event value is time dependent: E ⊆ V x T.

[Figure: value/time (V, T) plot with observation O0] An event can occur exactly once in the ANSA model.

[Figure: value/time (V, T) plot with observation O1] An event can occur exactly once in the ANSA model: O ⊆ V x T, |O| = {0,1}.

• Correct occurrence of an event: O ∩ E ≠ ∅

• Correct non-occurrence of an event: O ∪ E = ∅

• Formal definition of correctness: (O ∩ E ≠ ∅) ∨ (O ∪ E = ∅)

• Negation of correct event: ¬((O ∩ E ≠ ∅) ∨ (O ∪ E = ∅))

• Simplified: (O ∪ E ≠ ∅) ∧ (O ∩ E = ∅)

• Unexpected occurrence: O ≠ ∅ ∧ E = ∅

• Omission failure: E ≠ ∅ ∧ O = ∅

• Incorrect occurrence: O ≠ ∅ ∧ E ≠ ∅ ∧ (O ∩ E = ∅)

• Events constrain the expectation of future events

• Local events: Observation by local mechanisms of a component

• Distributed events: Distributed consensus problem, collaboration of components required

• Consistency enforcement instead of distributed deviation detection

• Express global properties as a set of local ones

• Research questions:

• Does a function f(O) exist to compute the next expectation?

• How many such functions are needed for a simple protocol?
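The set-theoretic correctness predicate above and the f(O)/g(O) questions, as an added Python example that is not part of the slides or the ANSA project: expectations E and observations O are modelled as subsets of V x T, classify() applies the correctness predicate and its three failure cases, and next_expectation() is a hypothetical f(O)/g(O) for a counter-valued heartbeat (the heartbeat protocol and its period, jitter and timeout values are assumptions made for illustration).

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed illustration of the slides' event model (added example, not
# ANSA project code): expectation E and observation O are subsets of V x T.
# O holds at most one (value, time) pair, |O| in {0, 1}; E is a time interval
# whose value bounds may themselves depend on time.

@dataclass(frozen=True)
class Expectation:
    t0: float
    t1: float
    vlo: Callable[[float], float]   # lower value bound as a function of t
    vhi: Callable[[float], float]   # upper value bound as a function of t

    def contains(self, v: float, t: float) -> bool:
        return self.t0 <= t <= self.t1 and self.vlo(t) <= v <= self.vhi(t)

Observation = Optional[Tuple[float, float]]   # None encodes O = ∅

def classify(e: Optional[Expectation], o: Observation) -> str:
    """Apply the slides' correctness predicate and its three failure cases."""
    e_empty, o_empty = e is None, o is None
    # With |O| <= 1, O ∩ E ≠ ∅ holds exactly when the single pair lies in E.
    intersect = not e_empty and not o_empty and e.contains(*o)
    if intersect or (e_empty and o_empty):
        return "correct"                   # (O ∩ E ≠ ∅) ∨ (O ∪ E = ∅)
    if e_empty:
        return "unexpected occurrence"     # O ≠ ∅ ∧ E = ∅
    if o_empty:
        return "omission failure"          # E ≠ ∅ ∧ O = ∅
    return "incorrect occurrence"          # O ≠ ∅ ∧ E ≠ ∅ ∧ O ∩ E = ∅

def next_expectation(prev: Expectation, o: Observation, period: float = 1.0,
                     jitter: float = 0.1, timeout: float = 2.0) -> Expectation:
    """Hypothetical f(O) / g(O) for a counter-valued heartbeat (an assumption
    made for illustration, not the functions the slides ask about)."""
    if o is not None:                      # f(O): next beat follows the observed one
        v, t = o
        return Expectation(t + period - jitter, t + period + jitter,
                           lambda _t: v + 1, lambda _t: v + 1)
    # g(O) after an omission: re-arm from the end of the missed window (the
    # timeout TO) and accept any later counter value.
    return Expectation(prev.t1, prev.t1 + timeout, prev.vlo, lambda _t: float("inf"))

if __name__ == "__main__":
    e = next_expectation(Expectation(0, 1, lambda _t: 0, lambda _t: 0), (0, 0.5))
    for o in [(1, 1.5), None, (2, 1.5), (1, 5.0)]:
        print(o, "->", classify(e, o))
```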

[Figure: two value/time (V, T) plots with observation O0, values v0 to v3, times t0 to t3 and timeout TO]

• Research question:

• Does a function g(O) exist to compute the next expectation in case of a failure?

[Figure: two value/time (V, T) plots with observation O0, values v0 to v3, times t0 to t3 and timeout TO]

• Separation: More (distributed) components reduce dependability

• Diversity: Designers need to be prepared and mechanisms need to allow for diversity

• Scaling: Mechanisms must be exchangeable to suit different scenarios

• Federation: heterogeneous authorities and dependability contracts

• Transparency: hide dependability mechanisms from the programmer

• Concurrency: conflicting, inconsistent changes to data

• Configuration: add and update parts of the system; adapt failure detectors

• Fault confinement: limitation of propagation to other parts of the system

• Fault detection: compare time/value observation with expectation

• Fault diagnosis: if fault detection cannot identify the faulty component

• Reconfiguration: isolate faulty component or replace with spare

• Recovery: remove effect of fault

• Restart: after all damaged state has been removed

• Repair: restores the faulty component to an undamaged state

• Reintegration: reconfiguration of the system to reintroduce the repaired component

• Is our list of principles complete?

• Separation, Diversity, Scaling, Federation, Transparency, Concurrency, Configuration

• Is our D2R3 strategy complete?

• Fault confinement, Fault detection, Fault diagnosis, Reconfiguration, Recovery, Restart, Repair, Reintegration

• Is our CFEF diagram correct?

• Do we detect faults, errors or failures?