HW4: Chapters 11 & 12

31 Aug 2016

11.4

All fault-tolerant architectures have some degree of redundancy (with associated diversity) and some way to check that redundant systems running in parallel are producing consistent results. Redundancy is critical here so that a fault in one component can be tolerated by the system because a redundant component is still working well. In order for components to truly be redundant, they should be as diverse as possible with regards to their hardware and software so that they do not fault at the same time due to a shared weakness.

11.7

I do not especially like the idea of N-version programming, because it seems to assume that a system failure will never be the result of something shared by all replicates. If the design is perfect, and any failure that can occur is due to a stochastic component failure, then relying on 0-diversity redundancy seems reasonable. Realistically though, it is virtually impossible for there to be no design flaws, so it seems quite possible for a single fault to knock out two or more of the components at the same time. N-version programming relies on the majority opinion, and the majority is not always correct. I would prefer a method that relies on diverse and redundant components, as diverse and redundant systems have amazing track records, e.g. Airbus flight control systems.

11.9

Exception handlers call time-out if an error occurs in part of the system so that the error is not propagated throughout the system. If an error does occur that is not handled, it is likely to spread throughout the system as the system continues to run and could result in a system failure. It is much better for the system to stop running when a component fails and deal with the issue by restarting perhaps as the simplest option.

12.5

Functional system requirements include functions that minimize development errors, check system inputs during runtime, recover from runtime faults, and provide redundancy in the case that faults cannot be recovered. To achieve the stated safety requirements, five possible functional system requirements could be:

  1. Check that the train is decelerating at an acceptable rate while approaching a red signal.
  2. Check that the speed of the train is approaching the next section speed limit while approaching that section with a green signal.
  3. When either of the above conditions is not met, alert the train operator to decelerate immediately.
  4. When either of the above conditions is not met and the operator does not immediately respond, override the operator to declerate the train appropriately.
  5. If the train deceleration override is not functioning properly, apply brakes and cut power to the accelerator.