
The ANSA project



Presentation Transcript


  1. The ANSA project: Failures and Dependability in ANSA

  2. System structure • Component based: component behaviour can be observed by other components • Independent components: own observations and reasoning about events • No global observer • No global ordering of events • No global time

  3. Expectations – I • An event with value v0 is expected in the time interval [t0, t1] (figure: a point at v0 between t0 and t1 in the V–T plane)

  4. Expectations – II • An event with a value between v0 and v1 is expected in the time interval [t0, t1] (figure: the rectangle [v0, v1] × [t0, t1] in the V–T plane)

  5. Expectations – III • An event with a value between v0 and v1 is expected in the time interval [t0, t1] • The event value is time dependent • E ⊆ V × T (figure: a region of the V–T plane over [t0, t1] whose value bounds vary with time)

  6. Occurrences • An event can occur exactly once in the ANSA model (figure: occurrence O0 at value v0 inside the expected window [t0, t1])

  7. Occurrences • An event can occur exactly once in the ANSA model, so an occurrence is either absent or a single (value, time) point • O ⊆ V × T, |O| ∈ {0, 1} (figure: a single occurrence O1 plotted in the V–T plane)

  8. Correctness • Correct occurrence of an event: O ∩ E ≠ ∅ • Correct non-occurrence of an event: O ∪ E = ∅ • Formal definition of correctness: (O ∩ E ≠ ∅) ∨ (O ∪ E = ∅)

  9. Failures • Negation of a correct event: ¬((O ∩ E ≠ ∅) ∨ (O ∪ E = ∅)) • Simplified: (O ∩ E = ∅) ∧ (O ∪ E ≠ ∅) • Unexpected occurrence: O ≠ ∅ ∧ E = ∅ • Omission failure: E ≠ ∅ ∧ O = ∅ • Incorrect occurrence: O ≠ ∅ ∧ E ≠ ∅ ∧ (O ∩ E = ∅)

  10. Consistency between multiple events • Events constrain the expectation of future events • Local events: Observation by local mechanisms of a component • Distributed events: Distributed consensus problem, collaboration of components required • Consistency enforcement instead of distributed deviation detection • Express global properties as a set of local ones

  11. Computability of next expectation • Research questions: • Does a function f(O) exist to compute the next expectation? • How many such functions are needed for a simple protocol? (figure: two V–T plots showing an occurrence O0 and expected values v1, v2, v3 at times t0 to t3, with timeouts TO)

  12. Computability of next expectation • Research question: • Does a function g(O) exist to compute the next expectation in case of a failure? (figure: the same two V–T plots, with occurrence O0 falling outside the expected window)
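The following is an added worked example, not code from the ANSA project or from the slides. It turns slides 3 to 12 into runnable form: an expectation E ⊆ V × T as a time window plus a predicate on (value, time), an occurrence O as at most one (value, time) point, the correctness predicate (O ∩ E ≠ ∅) ∨ (O ∪ E = ∅) with the three failure cases from slide 9, and candidate f(O) and g(O) functions that derive the next expectation after a correct occurrence and after an omission. The protocol (a peer sending replies numbered 1..LAST, each due within TIMEOUT), the names `f_next`/`g_next`, and the observation trace are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Types follow the slides: an occurrence O is at most one (value, time) pair
# (|O| in {0, 1}; None means "nothing observed"), and an expectation E is a
# subset of V x T, given here as a time window plus a predicate on (value, time)
# so that the value bound may depend on time (slide 5).
Occurrence = Optional[Tuple[float, float]]


@dataclass
class Expectation:
    t0: float
    t1: float
    accepts: Callable[[float, float], bool]  # value predicate, may depend on t

    def contains(self, occ: Tuple[float, float]) -> bool:
        v, t = occ
        return self.t0 <= t <= self.t1 and self.accepts(v, t)


def classify(occ: Occurrence, exp: Optional[Expectation]) -> str:
    """Evaluate (O ∩ E ≠ ∅) ∨ (O ∪ E = ∅) and, when it fails, name the case
    from the 'Failures' slide."""
    if occ is None and exp is None:
        return "correct non-occurrence"      # O ∪ E = ∅
    if exp is None:
        return "unexpected occurrence"       # O ≠ ∅ ∧ E = ∅
    if occ is None:
        return "omission failure"            # E ≠ ∅ ∧ O = ∅
    if exp.contains(occ):
        return "correct occurrence"          # O ∩ E ≠ ∅
    return "incorrect occurrence"            # both non-empty, O ∩ E = ∅


# --- Toy sequenced-reply protocol (an assumption of this example) ------------
TIMEOUT = 2.0   # the TO of the slides' figures
LAST = 3        # the peer sends replies numbered 1..LAST, then goes quiet


def expect_reply(seq: int, t0: float) -> Expectation:
    """Expect reply number `seq` within TIMEOUT of t0."""
    return Expectation(t0, t0 + TIMEOUT, lambda v, _t, want=seq: v == want)


def f_next(occ: Tuple[float, float]) -> Optional[Expectation]:
    """f(O): after a correct reply, expect the next one; None after the last."""
    v, t = occ
    return None if v >= LAST else expect_reply(int(v) + 1, t)


def g_next(exp: Expectation) -> Expectation:
    """g(O): after an omission, retransmit at the deadline and reopen the window."""
    return Expectation(exp.t1, exp.t1 + TIMEOUT, exp.accepts)


def run(observations: List[Occurrence]) -> List[str]:
    """Walk one component's local observations, classify each against the
    current expectation, and derive the next expectation from the verdict."""
    exp: Optional[Expectation] = expect_reply(1, 0.0)
    verdicts: List[str] = []
    for occ in observations:
        verdict = classify(occ, exp)
        verdicts.append(verdict)
        if verdict == "correct occurrence":
            exp = f_next(occ)
        elif verdict == "omission failure":
            exp = g_next(exp)
        # unexpected/incorrect: keep the expectation; fault confinement,
        # diagnosis and reconfiguration (slides 15-16) would start here
    return verdicts


# Constructed trace of one component's observations (not measured data).
TRACE: List[Occurrence] = [
    (1, 0.5),   # reply 1 in [0, 2]            -> correct
    None,       # nothing before 2.5           -> omission, retry window [2.5, 4.5]
    (2, 3.0),   # reply 2 in the retry window  -> correct
    (7, 4.0),   # wrong value in [3, 5]        -> incorrect occurrence
    (3, 4.5),   # reply 3 in [3, 5]            -> correct, nothing more expected
    (4, 6.0),   # extra reply while E = ∅      -> unexpected occurrence
]

if __name__ == "__main__":
    for occ, verdict in zip(TRACE, run(TRACE)):
        print(f"{str(occ):12} {verdict}")
```

Note that `classify` never needs global time or a global observer: both the expectation and the occurrence are the component's own local data, which is the point of slide 2. The choice of what to do after an incorrect or unexpected occurrence is left open, since that is where slide 12's question about g(O) starts.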

  13. Dependability Principles – I • Separation: More (distributed) components reduce dependability • Diversity: Designers need to be prepared and mechanisms need to allow for diversity • Scaling: Mechanisms must be exchangeable to suit different scenarios

  14. Dependability Principles – II • Federation: heterogeneous authorities and dependability contracts • Transparency: hide dependability mechanisms from the programmer • Concurrency: conflicting, inconsistent changes to data • Configuration: add and update parts of the system; adapt failure detectors

  15. Management Model – I • Fault confinement: limitation of propagation to other parts of the system • Fault detection: compare time/value observation with expectation • Fault diagnosis: if fault detection cannot identify the faulty component • Reconfiguration: isolate the faulty component or replace it with a spare • Recovery: remove the effect of the fault

  16. Management Model – II • Restart: after all damaged state has been removed • Repair: restores the faulty component to an undamaged state • Reintegration: reconfiguration of the system to reintroduce the repaired component

  17. Open questions • Is our list of principles complete? • Separation, Diversity, Scaling, Federation, Transparency, Concurrency, Configuration • Is our D2R3 strategy complete? • Fault confinement, Fault detection, Fault diagnosis, Reconfiguration, Recovery, Restart, Repair, Reintegration • Is our CFEF diagram correct? • Do we detect faults, errors or failures?

  18. CFEF diagram (figure only; not recoverable from the transcript)
