Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028883
Generic timing fault tolerance using a timely computing base
A. Casimiro, P. Veríssimo
Proceedings. International Conference on Dependable Systems and Networks, pp. 27-36
Designing applications with timeliness requirements in environments of uncertain synchrony is known to be a difficult problem. In this paper we follow the perspective of timing fault tolerance: timing errors occur and they are processed using redundancy, e.g., component replication, to recover and deliver timely service. We introduce a paradigm for generic timing fault tolerance with replicated state machines. The paradigm is based on the existence of Timing Failure Detection with timed completeness and accuracy properties. Generic timing fault tolerance implies the ability to dependably observe the system and to timely notify timing failures, which we discuss in the paper. On the other hand, it ensures replica determinism with respect to time (temporal consistency), and safety in case of spare exhaustion. We show that the paradigm can be addressed and realized in the framework of the timely computing base (TCB) model and architecture. Furthermore, we illustrate the generality of our approach by reviewing previous existing solutions and by showing that, in contrast with ours, they only secure a restricted semantics, or simply provide ad-hoc solutions.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1029016
Resource management policies in GPRS wireless internet access systems
M. Meo, M. Marsan, Cecilia Batetta
Proceedings. International Conference on Dependable Systems and Networks, pp. 707-716
In this paper we consider the problem of resource management in GSM/GPRS cellular networks offering not only mobile telephony services, but also data services for the wireless access to the Internet. In particular we investigate channel allocation policies that can provide a good tradeoff between the QoS guaranteed to voice and data services end users, considering three different alternatives, and developing analytical techniques for the assessment of their relative merits. The first channel allocation policy is called voice priority, since it gives priority to voice in the access to radio channels; we show that this policy cannot provide acceptable performance to data services, and we discuss the reasons for this shortcoming. The second channel allocation policy is called R-reservation; it statically reserves a fixed number of channels to data services, thus drastically improving their performance, but subtracting resources from voice users, even when these are not needed for data, thus inducing an unnecessary performance degradation for voice services. The third channel allocation policy is called dynamic reservation; as the name implies, it dynamically allocates channels to data when necessary, using the information about the queue length of GPRS data units within the base station. A threshold on the queue length is used in order to decide when channels must be allocated to data. Numerical results show that the dynamic reservation channel allocation policy can provide very effective performance tradeoffs for data and voice services, with the additional advantage of being easily managed through the setting of the threshold value.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028954
CLAIRE: an event-driven simulation tool for test and validation of software programs
A. Carloganu, J. Raguideau
Proceedings. International Conference on Dependable Systems and Networks, pp. 538-
Malfunctions of systems in domains such as medicine, avionics, traffic control, defense and nuclear applications can cause human injuries. Test and validation of such systems is a difficult task, because many situations cannot be safely reproduced. Simulation makes it possible to assess the correctness of a safety-critical system, even in dangerous situations. This paper presents CLAIRE, a purely software simulation tool with graphic facilities for system modelling, designed for test, validation and non-intrusive dynamic analysis of real-time applications.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028905
Developing a heterogeneous intrusion tolerant CORBA system
D. Sames, B. Matt, B. Niebuhr, G. Tally, B. Whitmore, D. Bakken
Proceedings. International Conference on Dependable Systems and Networks, pp. 239-248
Intrusion tolerant systems provide high-integrity and high-availability services to their clients in the face of successful attacks from an adversary. The Intrusion Tolerant Distributed Object Systems (ITDOS) research project is developing an architecture for a heterogeneous intrusion tolerant distributed object system. ITDOS integrates a Byzantine Fault Tolerant multicast protocol into an open-source CORBA ORB to provide intrusion tolerant middleware. This foundation allows up to f simultaneous Byzantine failures of replicated servers in a system of at least 3f+1 replicas. Voting on unmarshalled CORBA messages allows heterogeneous application implementations for a given service, allowing for greater diversity in implementation and greater survivability. Symmetric encryption session keys generated by distributed pseudo-random function techniques provide confidential client-server communications. This paper overviews the ITDOS architecture, discusses some of the challenging technical issues related to intrusion tolerance in heterogeneous middleware systems, and offers views on future areas of work.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028895
Robust software - no more excuses
John DeVale, P. Koopman
Proceedings. International Conference on Dependable Systems and Networks, pp. 145-154
Software developers identify two main reasons why software systems are not made robust: performance and practicality. We demonstrate the effectiveness of general techniques to improve robustness that are practical and yield high performance. We present data from treating three systems to improve robustness by a factor of 5 or more, with a measured performance penalty of under 5% in nearly every case, and usually under 2%. We identify a third possible reason why software systems are not made robust: developer awareness. A case study on three professional development groups evaluated their ability to estimate the robustness of their software. Two groups were able to estimate their software's robustness to some extent, while one group had more divergent results. Although we can overcome the technical challenges, it appears that even experienced developers can benefit from tools to locate robustness failures and training in robustness issues.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028925
Detecting processor hardware faults by means of automatically generated virtual duplex systems
M. Jochim
Proceedings. International Conference on Dependable Systems and Networks, pp. 399-408
A virtual duplex system (VDS) can be used to increase safety without the use of structural redundancy on a single machine. If a deterministic program P is calculating a given function f, then a VDS contains two variants P_a and P_b of P which are calculating the diverse functions f_a and f_b in sequence. If no error occurs in the process of designing and executing P_a and P_b, then f = f_a = f_b holds. A fault in the underlying processor hardware is likely to be detected by the deviation of the results, i.e. f_a(i) ≠ f_b(i) for input i. Normally, VDSs are generated by manually applying different diversity techniques. This paper, in contrast, presents a new method and a tool for the automated generation of VDSs with a high detection probability for hardware faults. Moreover, for the first time the diversity techniques are selected by an optimization algorithm rather than chosen intuitively. The generated VDSs are investigated extensively by means of software implemented processor fault injection.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028914
SWIM: scalable weakly-consistent infection-style process group membership protocol
Abhinandan Das, Indranil Gupta, Ashish Motivala
Proceedings. International Conference on Dependable Systems and Networks, pp. 303-312
Several distributed peer-to-peer applications require weakly-consistent knowledge of process group membership information at all participating processes. SWIM is a generic software module that offers this service for large scale process groups. The SWIM effort is motivated by the unscalability of traditional heart-beating protocols, which either impose network loads that grow quadratically with group size, or compromise response times or false positive frequency w.r.t. detecting process crashes. This paper reports on the design, implementation and performance of the SWIM sub-system on a large cluster of commodity PCs. Unlike traditional heart-beating protocols, SWIM separates the failure detection and membership update dissemination functionalities of the membership protocol. Processes are monitored through an efficient peer-to-peer periodic randomized probing protocol. Both the expected time to first detection of each process failure, and the expected message load per member do not vary with group size. Information about membership changes, such as process joins, drop-outs and failures, is propagated via piggybacking on ping messages and acknowledgments. This results in a robust and fast infection style (also epidemic or gossip-style) of dissemination. The rate of false failure detections in the SWIM system is reduced by modifying the protocol to allow group members to suspect a process before declaring it as failed; this allows the system to discover and rectify false failure detections. Finally, the protocol guarantees a deterministic time bound to detect failures. Experimental results from the SWIM prototype are presented. We discuss the extensibility of the design to a WAN-wide scale.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028888
An adaptive architecture for monitoring and failure analysis of high-speed networks
Benjamin Floering, B. Brothers, Z. Kalbarczyk, R. Iyer
Proceedings. International Conference on Dependable Systems and Networks, pp. 69-78
This paper describes the design of a reconfigurable device using an FPGA (field programmable gate array) whose primary function is high-speed (several Gb/s) network data monitoring and run-time adaptive fault injection and statistics gathering for failure analysis. The device is designed for two types of media: Myrinet SAN and Fibre Channel, and failure analysis can be performed simultaneously over both of these networks. Although the device intercepts and retransmits signals on the network, no impact on the data transfer rate is observed and the latency caused by inserting the device in the network is negligible. The fault injection capabilities are demonstrated on a Myrinet LAN. Fault injection experiments are conducted on data transmitted across the network, including control packets previously inaccessible to software-based techniques.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1028885
Model checking safety properties of servo-loop control systems
Paul Ammann, Wei Ding, Daling Xu
Proceedings. International Conference on Dependable Systems and Networks, pp. 45-50
This paper presents the experiences of using a symbolic model checker to check the safety properties of a servo-loop control system. Symbolic model checking has been shown to be beneficial when the system under analysis can be modeled as a finite state machine. Servo-loop control systems are typically represented by differential equations (Laplace transforms), not as finite state machines. However, the control loop is only a part of the software system needed to properly and safely operate the system. The paper first validates the safety of the servo loop using control theory and simulation. Then, a simple state model of a servo loop is combined with the state model of the entire system. This model is then entered into a model checker (SMV) along with safety predicates. The model checker is used to validate the safety predicates. The paper shows via an example, an antenna tracking system, that safety issues can be discovered and defined for control systems using a model checker. Furthermore, it demonstrates that effective hazard analysis may require multiple techniques.
Pub Date : 2002-06-23 DOI: 10.1109/DSN.2002.1029019
Evaluation of the maximum level reached by a queue over a finite period
G. Rubino
Proceedings. International Conference on Dependable Systems and Networks, pp. 735-742
This paper deals with the performance analysis of a system modeled by a queue. If we are interested in occupation problems and if we look at the transient phase, then it makes sense to study the maximum backlog observed in the queue over a finite period. This paper proposes an efficient algorithmic scheme to evaluate the distribution of this maximum backlog level, based on the uniformization technique. The approach is illustrated using the classical M/M/1 model, but it can be extended to more complex ones.