Rational Design of Multiple-Redundant Systems: Adjudication and Fault Treatment

Abstract

The design of fault-tolerant systems should ideally be based on rigorous predictions of the effects of design decisions on the achieved dependability. However, the complexity of the task is such that these decisions are typically based on ingrained, time-proven practice, without the benefit of thorough mathematical analysis. We analyse two specific problems in fault-tolerant design based on modular replication (with or without design diversity). First, we consider adjudication, i.e., the derivation of a single correct result from the multiple results produced by the replicas in a redundant component. Many designs have been proposed in the literature, supposed to improve upon simple majority voting, but without a unified, rigorous analysis to assist design choices. We describe such a general method for evaluating and comparing adjudicators, in probabilistic terms, and specify an optimal adjudicator, which yields the highest possible reliability for a redundant component, given the (probabilistic) failure characteristics of its subcomponents. Our analysis applies to components with and without a fail-safe mode. Second, we consider fault treatment: how the decision can be made to remove a replica of a component, considering it permanently failed, on the basis of its history of agreement/disagreement with other replicas. The problem is compounded by transient faults, which make it undesirable to disconnect a component at the first signs of errors, and by the use of dynamic error processing, in which the number of replicas executed depends on whether disagreements are observed. For this problem, we choose a scheme integrating dynamic error processing with diagnosis and disconnection of components that may be permanently failed, and show how its behaviour can be compared with alternative designs via simulation.

This paper is a compendium of [44] and [26].