HW3: Chapters 11 & 12

11.4: What is the common characteristic of all architectural styles that are geared to supporting software fault tolerance?

Architectural styles geared to supporting software fault tolerance include redundant and diverse hardware and software. Redundancy, implemented through replicated servers, for example, provides built-in backup in case one of the servers fails. Diversity reduces the probability of total system failure. If all of the servers are produced by the same manufacturer, they may fail simultaneously due to the same faulty part. If they are all from different manufacturers, one may remain healthy and carry the load of the rest.

11.7: It has been suggested that the control software for a radiation therapy machine, used to treat patients with cancer, should be implemented using N-version programming. Comment on whether or not you think this is a good suggestion.

I do not think N-version programming is the best fault tolerance technique for a radiation therapy machine. Systems that require high availability over reliability work well with N-version programming. Any medical system like a radiation machine prioritizes reliability over availability, so the high cost of creating different versions of the same program may not be worthwhile. For instance, what if the system begins delivering too high a dose of radiation to the patient? We would rather have a self-monitoring architecture detect that problem and shut down the administration of radiation with minor inconvenience to the patient than put the fate of that decision into the hands of a voting system.

11.9: Explain why you should explicitly handle all exceptions in a system that is intended to have a high level of availability.

Exception handling, built into programming languages such as Python and Java, provides a mechanism for mapping possible faults to the necessary recovery actions. In some cases, the exception handler will completely shut down the program to prevent damage but in many cases, the exception handler specifies a scenario in which the program can remain available despite the fault. In this way, exception handling is an important inner layer of fault tolerance that complements a technique like N-version programming or self-monitoring to further support both reliability and availability.

12.5: A train protection system automatically applies the brakes of a train if the speed limit for a segment of track is exceeded, or if the train enters a track segment that is currently signaled with a red light (i.e., the segment should not be entered). There are two critical-safety requirements for this train protection system:

1. The train shall not enter a segment of track that is signaled with a red light.

2. The train shall not exceed the specified speed limit for a section of track.

Assuming that the signal status and the speed limit for the track segment are transmitted to on-board software on the train before it enters the track segment, propose five possible functional system requirements for the onboard software that may be generated from the system safety requirements.

1. The speed and signal of the current and upcoming track will be available to the system at all times.
2. When the next track is a safe distance away, the system will check whether the train is going faster than the upcoming speed limit. If so, it will brake gently until the train is going slower than the upcoming speed limit.
3. Once the train is going slower than the upcoming speed limit, the system will fix its speed until the next transition.
4. When the next track is a safe distance away, the system will check whether it is signaled with a red light. If so, it will brake gently until the train stops.
5. If at any time, the current track is signaled with a red light, the system will brake gently until the train stops.

• 2021 11
• 2020 22