Information Engineering

This paper proposes the use of a functional language and of a dataflow computing model for the design of large-scale parallel computing systems for which dependability, in its aspects of reliability, timeliness, parallelism and distributedness are requirements of main concern. The proposed design methodology is sufficiently flexible to allow for verification and validation of such systems from the very first steps of the design. The advantages of such an approach resides in the potential for parallelism it admits, in being characterised by referential transparency and in the property of composability. The design description language is extended for dealing with dependability issues, with the creation of a library of fault tolerance schemes which can be used for modular insertion of redundancy. A set of tools are being defined as part of a design development environment allowing the designer to proceed in successive interactive steps, each of which can be validated.

This paper reports an experience made in building a model and analysing the dependability of an actual railway station interlocking control system. Despite our analysis has been restricted to the Safety Nucleus subsystem, mastering complexity and size required a considerable effort. We identified a modelling strategy, based on a modular, hierarchical decomposition allowing to use different methods and tools for modelling at the various level of the hierarchy. This multi-layered modelling methodology led to an accurate representation of the system behaviour and allowed us (i) to keep under control the size of the models within the different levels to be easily managed by the automatic tools, (ii) to make changes in the model in a very easy and cheap way. The paper contains also examples of the extensive analyses performed regarding the sensitivity of the dependability measures to variations of critical parameters and towards the validation of the assumptions made.

Many application fields use computer-controlled systems, with different levels of criticality requirements. A common characteristic of such embedded systems is their increasing complexity in intrinsic terms-distribution management, redundancy, functionality layering, and so on-and of their in-the-field operation-environmental interfaces, timing constraints, controlled application criticality, and so on. Designers rarely completely master this increasing complexity. Usual design practices often suffer from partial approaches, overlooked details, inadequate modeling, insufficient prototyping, and limited design tools or available techniques. With these shortcomings, designs often end up addressing incorrect, incomplete, or misunderstood user requirementsoften the main cause of a design's or system's final failure. A full solution to this situation is far away, but solving these problems requires development and testing of design processes. Improved processes need to address the entire system and integrate as many relevant requirements as possible, including interactions with the environment. The current disciplines of hardware, firmware, software, and application engineering-commonly considered as separate-must evolve toward a system engineering discipline. This system engineering must encompass all previous approaches to provide the reliability expected from systems that control critical environments. 2 This integrated discipline should encompass the following:

Electric Power Systems (EPS) become more and more critical for our society, since they provide vital services for the human activities. At the same time, obtaining dependable behaviour of EPS is an highly challenging task, both in terms of defining effective business management and in terms of analysis of dependability and performability attributes. A major concern when dealing with EPS is the understanding and the evaluation of the interdependencies between Electric Infrastructures (EI) and the Computer-based Control System (CCS), which controls the status and the activities of EI. Studies on these interdependencies are only at an early stage of development. Major difficulties are the complexity of the infrastructures under analysis and the lack of well-established models and tools for dealing with them. This paper presents an ad-hoc simulator for the evaluation of dependability and performability measures in EPS. The system model the simulator is based on focuses on interdependencies between EI and CCS. Most existing modeling approaches in EPS does not provide explicit modeling of interdependencies among the composing subsystems, so that the cascading or escalating phenomena cannot be deeply analyzed. Our stochastic model is composed by separated and simple, but representative, submodels representing the dynamics of EI and different policies of reactions to disruptions and reconfigurations triggered by CCS. In this way, the simulator aims at providing explicit modeling of the interdependencies between the main subsystems, so the impact on the dependability and performability of the cascading or escalating failures can be analyzed. In this paper, we describe the simulator and highlight the design choices.

In this paper we show how a formal reasoning can be applied for studying the fault coverage of a fault tolerant technique when the behaviour of a system with a set of prede ned faults is considered. This method is based on process algebras and equivalence theory. The behaviour of the system in absence of faults is formally speci ed and faults are assumed as random events which interfere with the system by modifying its behaviour. A fault tolerant technique can be proved to tolerate the set of prede ned faults i the actual behaviour of the system is the same as the behaviour of the system in absence of faults. The approach is illustrated by considering the design of a stable storage disk.

This paper presents a structured way of inserting software redundancy in programs and to describe the solutions provided for programming software fault-tolerance techniques. It is based on a data-flow like programming paradigm, which is more suitable, in our opinion, and as shown in , to implement fault-tolerant systems, with high levels of flexibility and performability, than conventional imperative programming paradigms. The proposed computational model, BSM [4], describes an application in a set of atomic modules, mainly functional, which: 1) maintain the visibility of the semantic of the application, in order to take full advantage of the possibility offered by the use of assertions and predicates for early error detection, and 2) maintain a close correlation between the logical structure of the application and the physical support, to take full advantage of replication as a mechanism of redundancy. The set of modules is executed asynchronously, with a firing rule similar to that of data-flow model; the modules are atomic and do not interact or communicate with other modules during execution, but release data only at their termination. The close correlation between the semantic of the application and the module structuring allows also to scale the needed redundancy since it can be properly driven by the semantic of the application itself.

This paper is two-fold. In the first part it tries to raise awareness on the level of complexity of future computer-based interconnected systems/infrastructures, at least as they are envisioned, and on the level of dependability we are today able to justify with confidence. It tries to motivate that fundamental methods and methodologies must be reconsidered, studied, exploited, assessed and applied to move towards an utopia that can be called "ambient dependability", a global view of the concept of dependability , which encompasses not only the technological aspects but includes inter and multi disciplinary fields, which span over ergonomics, usability, education, sociology, law and government. The second part of the paper provides the authors views, based on their experience, on future directions and architectural challenges to be tackled for approaching, as a first step towards ambient dependability, at least an Information Society which we can depend on.

Data flow networks are a paradigm for concurrent computations in which a collection of concurrently and asynchronously executing nodes communicate by sending data over FIFO communication channels. The need to deal with data and the asynchronous communication make reasoning about the semantics of nondeterministic networks very difficult .

A bstract : The literature on reliable systems is composed by a very broad range of specific problems and solutions. Very few designs of reliable systems are reported, in which an integrated methodology is taken into account as one of the most design goals.

The term resilience has been used in many fields and, as a property, two threads can be identified: a) in social psychology, where it is about elasticity, spirit, resource and good mood, and b) and in material science, where it is about robustness and elasticity.

The adjective resilient has been used in dependable computing essentially as a synonym of fault-tolerant, thus ignoring the unexpected aspect of the phenomena the systems may have to face. These phenomena are very relevant when moving to systems like the future large, networked, evolving systems constituting complex information infrastructures that are the emergence of the ubiquitous systems that will support Ambient Intelligence.

Data flow is a paradigm for concurrent computations in which a collection of parallel processes communicate asynchronously. For nondeterministic data flow networks many semantic models have been defined, however, it is complex to reason about the semantics of a network. In this paper, we introduce a transformation between data flow networks and the LOTOS specification language to make available theories and tools developed for process algebras for the semantic analysis of nondeterministic data flow networks. The transformation does not establish a one-to-one mapping between the traces of a data flow network and the LOTOS specification, but maps each network in a specification which usually contains more traces. The obtained system specification has the same set of traces as the corresponding network if they are finite, otherwise also non fair traces are included. Formal analysis and verification methods can still be applied to prove properties of the original data flow network, allowing in case of networks with finite traces to prove also networks equivalence.

Complex systems require the use of an integrated and best balanced set of components. The integration and the balanced set are crucial issues, which require some sort of verifiable compositionality property of component parts that contribute structurally, functionally, non functionally and interactionally to the total quality of the system design. This is even more important when dealing with the design of highly dependable systems. The concept of verifiable compositionality is much more demanding than the usual approach based on composition of building blocks. It implies the preservation of properties and the ability of verifying them, as well as those that are added (which mainly deal with interactions among parts) in the process of designing and building a system made of components. Economic reasons push towards the use of COTS (Commercial Off the Shelf) and towards the re-use of available components and this trend poses new problems.