Here healthy rise time (healthy fall time) represents the maximum time
that the sluice should take to rise (fall). We require that a healthy sluice gate
should satisfy the condition MotorOperation given in Section 2.5, and hence,
for example, that healthy rise time < uptime. The choice of the constant
healthy rise time may depend on the particular equipment being used,
whereas uptime is a requirement on any equipment.
The general point here is that one class of potential enhancements toward
a fault-tolerant system can be motivated by a formal analysis of the idealised
specification. Systematically looking at rely conditions to see what behaviour
might be achieved when clauses fail looks like a useful heuristic for developing
specifications of fault-tolerant systems.
3.3 New Equipment/Requirements
In many cases, fault spotting and warning will be associated with extra equipment.
Such new equipment clearly changes the problem and requires a new
problem diagram and new requirements. In the sluice gate system, one could for
example consider adding a temperature sensor to the motor. This would require
a revision of the problem diagram in Figure 3 and a description of what would
constitute “overheat” and the action required;⁹ this would probably involve
signalling an alarm.
For the purposes of this paper, we stick to our resolve that no such new sensors
are available and confine the discussion to what can be done with the existing
equipment.
3.4 Looking for “Drift”
The idea of finding “patterns” for extensions to the specification for a system by
formal means without having to delve into details of the external equipment is
attractive because it can lead to heuristics which apply to a class of problems.
Another idea which works on the sluice gate example and appears to be general
is to look for “drift” toward unacceptable behaviour.
For the sluice gate, for example, if the time to raise the gate is getting longer
on each use, this might suggest that the moment is approaching (but has not
yet arrived) when the rely condition will not be satisfied. Physically, some
malfunction is getting closer in time and a warning could be issued. Care should
however be exercised in distinguishing cyclic patterns (e.g. the grease getting
more viscous in lower night-time temperatures) from long-term decay. We do
not present the formulae for this example.
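The paper gives no formulae for the drift heuristic, so the following is an added illustration (not the authors' code) of the two checks discussed above: the rely condition that a rise must complete within healthy rise time (with healthy rise time < uptime), and a warning when the trend in rise times will cross that bound before the rely condition actually fails. The constants, the sample readings, the use of per-day averaging to remove the day/night viscosity cycle, and the least-squares trend are all assumptions made for this example.

```python
from statistics import mean
from collections import defaultdict

# Constructed constants (assumptions, not values taken from the paper).
HEALTHY_RISE_TIME = 30.0   # max seconds a healthy gate should take to rise
UPTIME = 60.0              # MotorOperation requirement; healthy_rise_time < uptime must hold
assert HEALTHY_RISE_TIME < UPTIME, "rely condition would be unsatisfiable"

def daily_means(samples):
    """samples: iterable of (day, rise_time_seconds). Readings taken on the same
    day are averaged so the day/night grease-viscosity cycle is not read as drift."""
    by_day = defaultdict(list)
    for day, t in samples:
        by_day[day].append(t)
    days = sorted(by_day)
    return days, [mean(by_day[d]) for d in days]

def fit_line(xs, ys):
    """Ordinary least-squares slope and intercept of ys against xs."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx

def assess(samples, horizon_days=30):
    """Return ("fault", day) when a reading already breaks the rely condition,
    ("drift", predicted_day) when the trend will break it within horizon_days,
    and ("healthy", None) otherwise."""
    for day, t in samples:
        if t > HEALTHY_RISE_TIME:          # rely condition already violated
            return ("fault", day)
    days, means = daily_means(samples)
    if len(days) < 2:                      # no trend can be estimated from one day
        return ("healthy", None)
    slope, intercept = fit_line(days, means)
    if slope <= 0:                         # no long-term decay
        return ("healthy", None)
    crossing = (HEALTHY_RISE_TIME - intercept) / slope   # day the mean hits the bound
    if crossing - days[-1] <= horizon_days:
        return ("drift", crossing)
    return ("healthy", None)

# Constructed sample: a 3 s day/night cycle on top of 0.5 s/day long-term decay.
DRIFTING = [(d, 20.0 + 0.5 * d) for d in range(6)] + [(d, 23.0 + 0.5 * d) for d in range(6)]

if __name__ == "__main__":
    print(assess(DRIFTING))   # ('drift', 17.0)
```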
3.5 Looking at the External Equipment
Just formal analysis of the specification is not sufficient for locating problems
with the equipment. One also needs to analyse the way the equipment operates.
Examples are:
9 See also the discussion of transience in Section 3.6.