2005-05-29 - TU/e p-colloqium - Ontwikkeling van betrouwbare software

Redden we dat ? © 2004 CIBIT | SERC Meetfouten ( Kans is zeer groot: golven, zeemeeuwen) Relais blijft hangen/kapot ( Kans is groot: 1 x per 30 jaar) Waterverklikker kapot ( Kans is zeer groot: roestvorming !) Draden kapot ( Kans is redelijk groot: opgraven, mollen)

Faalkansen © 2004 CIBIT | SERC Info Hoogtebepaling Aansturing Hoogtemeting Waterkering Diesels Meet a Meet b Stuur a Stuur b Schakelfouten Kans: (10 -6 ) 2 + (10 -6 ) 2 Meetfouten Kans: (10 -6 ) 3 Meter kapot Kans: (10 -5 ) 3 Kabelbreuk Kans: (10 -8 ) 12 Kabelbreuk Kans: (10 -8 ) 4 Kabelbreuk Kans: 3 * (10 -8 ) 2 Schakelfouten Kans: 10 -2

De algemene bouw van de componenten © 2004 CIBIT | SERC Stuur x WD Component X :: Functionaliteit Component X ::Diagnose Info Input a Input b Output a Output b Voortgang Functionaliteit Voortgang Diagnose Controle Functionaliteit

Stuur x : Een kladblaadje… © 2004 CIBIT | SERC Init Start_D “ Start” signaal Diesels Wacht Waterstand < 3 meter Waterstand > 3 meter Waterstand W_O_D “ Diesels gereed” Waterstand > 3 meter Sluit_? Waterstand < 3 meter Waterstand “ Sluit kering”

Stuur x : Redundantie… © 2004 CIBIT | SERC Wacht Waterstand < 3 meter Waterstand > 3 meter Waterstand Waterstand a Waterstand b Waterstand a > 3 meter Waterstand b > 3 meter Waterstanden ontbreken Waterstand a < 3 meter EN Waterstand b < 3 meter

Stuur x : Redundantie… © 2004 CIBIT | SERC StartD W_O_D Stuur b StartD2 “ OK” van Stuur b “ OK” StartD1 “ Start_D” naar Stuur b > 1 minuut StartD1’ Stuur b geeft “Start_D” “ OK” naar Stuur b “ Sent” van Stuur b StartD3 “ Sent” naar Stuur b “ Start” naar Diesels > 1 minuut StartD4 “ Sent” van Stuur b

Stuur x : Zonder redundantie © 2004 CIBIT | SERC StartD W_O_D Sluit b Wacht Init Not Sluit a EN Not Sluit b Sluit a SluitA SluitB Geen waterstand “ Ready” van Diesels Sluit_? “ Sluitt” naar Kering Finished Failed “ Start” naar Diesels

© 2004 CIBIT | SERC StartD2 Stuur b “ OK” StartD StartD1 “ Start_D” naar Stuur b W_O_D Stuur b > 1 minuut StartD1’ Stuur b geeft “Start_D” “ OK” naar Stuur b “ Sent” StartD3 “ Sent” naar Stuur b “ Start” naar Diesels Init2 Init1 “ Init” naar Stuur b > 1 minuut “ Wacht” Init “ Stuur b “ StartD” W_O_D1 “ Ready” via Stuur b “ Ready” van Diesels “ Ready” naar Stuur b Sluit2 Stuur b “ OK” Sluit_? Sluit1 “ SluitS” naar Stuur b Stuur b > 1 minuut Sluit1’ Stuur b geeft “Sluit” “ Sent” Sluit3 “ SentS” naar Stuur b “ Sluitt” naar Kering Finished Waterstanda < 3 meter EN Waterstandb < 3 meter Failed “ OKS” naar Stuur b StartD4 > 1 minuut “ Sent” van Stuur b Sluit4 “ Sent” van Stuur b Sluit b Wacht Not Sluit a EN Not Sluit b Sluit a SluitA SluitB Geen waterstand Stuur x : Met redundantie

En zelfs dan……. © 2004 CIBIT | SERC Microsoft server crash nearly causes 800-plane pile-up Failure to restart system after 30 days caused data overload. A major breakdown in Southern California's air traffic control system last week was partly due to a "design anomaly" in the way Microsoft Windows servers were integrated into the system, according to a report in the Los Angeles Times. The radio system shutdown, which lasted more than three hours, left 800 planes in the air without contact to air traffic control, and led to at least five cases where planes came too close to one another, according to comments by the Federal Aviation Administration reported in the LA Times and The New York Times. Air traffic controllers were reduced to using personal mobile phones to pass on warnings to controllers at other facilities, and watched close calls without being able to alert pilots, according to the LA Times report. The failure was ultimately down to a combination of human error and a design glitch in the Windows servers brought in over the past three years to replace the radio system's original Unix servers, according to the FAA. The servers are timed to shut down after 49.7 days of use in order to prevent a data overload, a union official told the LA Times. To avoid this automatic shutdown, technicians are required to restart the system manually every 30 days. An improperly trained employee failed to reset the system, leading it to shut down without warning, the official said. Backup systems failed because of a software failure, according to a report in The New York Times. The contract for designing the system, called Voice Switching and Control System (VSCS), was awarded to Harris Corporation in 1992 and the system was installed in the late 1990s, initially using Unix servers, according to Harris. In 2001, the company completed testing of the VSCS Control Subsystem Upgrade (VCSU), which replaced the original servers with off-the-shelf Dell hardware running Microsoft Windows 2000 Advanced Server. The upgrade was installed in California last year, according to the FAA. Soon after installation, however, the FAA discovered that the system design could lead to a radio system shutdown, and put the maintenance procedure into place as a workaround, the LA Times said. The FAA reportedly said it has been working on a permanent fix but has only eliminated the problem in Seattle. The FAA is now planning to institute a second workaround - an alert that will warn controllers well before the software shuts down. The shutdown is intended to keep the system from becoming overloaded with data and potentially giving controllers wrong information about flights, according to a software analyst cited by the LA Times. Microsoft told Techworld it was aware of the reports but was not immediately able to comment.

2005-05-29 - TU/e p-colloqium - Ontwikkeling van betrouwbare software

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie 2005-05-29 - TU/e p-colloqium - Ontwikkeling van betrouwbare software

Ähnlich wie 2005-05-29 - TU/e p-colloqium - Ontwikkeling van betrouwbare software (20)

Mehr von Jaap van Ekris

Mehr von Jaap van Ekris (20)

2005-05-29 - TU/e p-colloqium - Ontwikkeling van betrouwbare software

Hinweis der Redaktion