Chapter 11

Question 1

What is human error or mistake?

Answer 1

Human behavior that results in the introduction of faults into a system.

Question 2

What is system fault?

Answer 2

A characteristic of a software system that can lead to a system error.

Question 3

What is system error?

Answer 3

An erroneous system state that can lead to system behavior that is unexpected by system users.

Question 4

What is system failure?

Answer 4

An event that occurs at some point in time when the system does not deliver a service as expected by its users.

Question 5

Fill in the gaps:
_ are usually a result of system _ that are derived from _ in the system

Answer 5

Failures, errors, faults

Question 6

Do faults necessarily result in system errors?

Answer 6

No, if the erroneous system state is transient and can be ‘corrected’ before an error arises

Question 7

Do errors necessarily lead to system failures?

Answer 7

No, if the error is corrected by built-in error detection and recovery mechanism

Question 8

Fault management strategies to achieve reliability

Answer 8

Fault avoidance, Fault detection and removal, Fault tolerance

Question 9

What is fault avoidance?

Answer 9

Development techniques used that either minimize the possibility of mistakes or trap mistakes before they result in the introduction of system faults.

Question 10

What is fault detection and removal?

Answer 10

Verification and validation techniques that increase the probability of detecting and correcting errors before the system goes into service

Question 11

What is fault tolerance?

Answer 11

Run-time techniques used to ensure that system faults do not result in system errors and/or that system errors do not lead to system failures

Question 12

What is reliability?

Answer 12

the probability of failure-free system operation over a specified time in a given environment for a given purpose. Can be expressed quantitatively

Question 13

What is availability

Answer 13

the probability that a system, at a point in time, will be operational and able to deliver the requested services. Can be expressed quantitatively

Question 14

Does the formal definition of reliability always reflect the user’s perception of a system’s reliability?

Answer 14

No, reliability can only be defined formally with respect to a system specification i.e. a failure is a deviation from a specification. Users don’t read specifications and don’t know how the system is supposed to behave; therefore, perceived reliability is more important in practice.

Question 15

Availability is usually expressed as a percentage of time that the system is available to deliver services. What are the drawbacks of this?

Answer 15

It doesn’t take into account 2 factors:
The number of users affected by the service outage. Loss of service in the middle of the night is less important for many systems than loss of service during peak usage periods.
The length of the outage. The longer the outage, the more the disruption. Several short outages are less likely to be disruptive than 1 long outage. Long repair times are a particular problem.

Question 16

Will removing X% of the faults in a system necessarily improve the reliability by X%

Answer 16

No, program defects may be in rarely executed sections of the code so may never be encountered by users. Removing these does not affect the perceived reliability

Question 17

Can a program with known faults still be perceived as reliable by its users?

Answer 17

Yes. Program defects may be in rarely executed sections of the code so may never be encountered by users. Removing these does not affect the perceived reliability. Users adapt their behavior to avoid system features that may fail for them.

Question 18

System reliability is measured by…

Answer 18

counting the number of operational failures and, where appropriate, relating these to the demands made on the system and the time that the system has been operational

Question 19

Reliability metrics include:

Answer 19

Probability of failure on demand(POFOD), Rate of occurrence of failures (ROCOF), Availability(AVAIL)

Question 20

What is the Probability of failure on demand(POFOD)?

Answer 20

The probability that the system will fail when a service request is made. Useful when demands for service are intermittent and relatively infrequent.

Question 21

When the Rate of occurrence of failures (ROCOF) is relevant?

Answer 21

Relevant for systems where the system has to process a large number of similar requests in a short time.

Question 22

What is the reciprocal of ROCOF?

Answer 22

Mean time to failure (MTTF)

Question 23

Non-functional reliability requirements are…

Answer 23

specifications of the required reliability and availability of a system using one of the reliability metrics (POFOD, ROCOF or AVAIL)

Question 24

Functional reliability requirements specify…

Answer 24

the faults to be detected and the actions to be taken to ensure that these faults do not lead to system failures.

Question 25

Functional reliability requirements include:

Answer 25

Checking requirements that identify checks to ensure that incorrect data is detected before it leads to a failure.
Recovery requirements that are geared to help the system recover after a failure has occurred.
Redundancy requirements that specify redundant features of the system to be included.
Process requirements for reliability which specify the development process to be used may also be included.

Question 26

Fault tolerance is required where…

Answer 26

there are high availability requirements
or
where system failure costs are very high

Question 27

Fault tolerance means…

Answer 27

that the system can continue in operation in spite of software failure

Question 28

Fault-tolerant systems architectures based on:

Answer 28

redundancy and diversity

Question 29

The protection system is…

Answer 29

a specialized system that is associated with some other control system, which can take emergency action if a failure occurs, e.g. a system to stop a train if it passes a red light, or a system to shut down a reactor if temperature/pressure are too high

Question 30

Self-monitoring architecture is…

Answer 30

a multi-channel architectures where the system monitors its own operations and takes action if inconsistencies are detected. The same computation is carried out on each channel and the results are compared. If the results are identical and are produced at the same time, then it is assumed that the system is operating correctly. If the results are different, then a failure is assumed and a failure exception is raised.

Question 31

In self-monitoring architecture, hardware in each channel should be…

Answer 31

diverse so that common mode hardware failure will not lead to each channel producing the same results.

Question 32

In self-monitoring architecture, software in each channel should be…

Answer 32

diverse, otherwise the same software error would affect each channel

Question 33

When you should use several self-checking systems in parallel?

Answer 33

If high availability is required. This is the approach used in the Airbus family of aircraft for their flight control systems.

Question 34

N-version programming involves…

Answer 34

multiple versions of a software system to carry out computations at the same time. Approach derived from the notion of triple-modular redundancy, as used in hardware systems.

Question 35

Fill in the gaps:
In N-version programming, there should be an _ number of computers involved, typically _

Answer 35

odd, 3

Question 36

Fill in the gaps:
In N-version programming, the results are compared using a _ and the _ result is taken to be the correct result.

Answer 36

voting system, majority

Question 37

Hardware fault tolerance depends on …

Answer 37

triple-modular redundancy (TMR). There are three replicated identical components that receive the same input and whose outputs are compared. If one output is different, it is ignored and component failure is assumed.

Question 38

What are good programming practices that help reduce the incidence of program faults?

Answer 38

Limit the visibility of information in a program, Check all inputs for validity, Provide a handler for all exceptions, Minimize the use of error-prone constructs, Provide restart capabilities, Check array bounds, Include timeouts when calling external components, Name all constants that represent real-world values

Question 39

Error-prone constructs:

Answer 39

Unconditional branch (goto) statements
Floating-point numbers (inherently imprecise, which may lead to invalid comparisons)
Pointers
Dynamic memory allocation
Parallelism (can result in subtle timing errors because of unforeseen interaction between parallel processes)
Recursion (can cause memory overflow as the program stack fills up)
Interrupts (can cause a critical operation to be terminated and make a program difficult to understand)
Inheritance (code is not localized, which may result in unexpected behavior when changes are made and problems of understanding the code)
Aliasing (using more than 1 name to refer to the same state variable)
Unbounded arrays (may result in buffer overflow)
Default input processing (if the default action is to transfer control elsewhere in the program, incorrect or deliberately malicious input can then trigger a program failure)