Hardware Reference
In-Depth Information
Section 8.3.5 concludes this part by providing some additional insights derived from the study.
8.3.1 Some Rationale About Fault Injection
The successful deployment of a dependable computing system relies heavily on various forms of hardware and/or software redundancy aimed at handling faults and errors, i.e., on the fault tolerance features of the system. A large number of studies (both theoretical and experimental) have shown that the adequacy and the efficiency, i.e., the coverage (Bouricius et al. 1969), of the fault tolerance mechanisms (FTMs) have a paramount influence on the dependability, and in particular on the measures (reliability, availability, etc.) usually considered for assessing the level of dependability actually obtained.
For a pragmatic and objective assessment of the coverage of the FTMs, it is essential to be able to test them against the typical sets of “inputs” they are meant to cope with: the faults and the resulting errors; hence the rationale for applying test sequences consisting of fault injection experiments. Moreover, the difficulty of accurately modeling or simulating the erroneous behaviors of a complex computing system sustains the need to rely on experimental techniques as a complement to more formal approaches. Furthermore, the scarcity of fault events prevents relying on the natural occurrence of faulty conditions: controlled experiments that speed up the occurrence of errors are needed.
Fault injection, i.e., the deliberate introduction of faults into a system (the target system), is applicable every time fault and/or error notions are concerned in the development process. Classically, fault injection testing is based on the design and realization of a test sequence. More precisely, a fault injection test sequence is characterized by an input domain and an output domain (Arlat et al. 1990).
8.3.1.1 The FARM Attributes
The input domain I corresponds to a set of injected faults F and a set A that specifies the data used for the activation of the target system and thus of the injected faults. Both F and A are the levers used to provoke errors suitable to exercise the FTMs.²
The output domain O corresponds to a set of readouts R that are collected to characterize the target system behavior in the presence of faults and a set of measures M that are derived from the analysis and processing of the FAR sets. Together, the FARM sets
2
Recent work oriented towards the development of (fault injection-based) dependability bench-
marks (e.g., see
Kanoun and Spainhower
2008
)
has adapted the notions attached to the
A
and
F
domains to the ones of
Workload
and
Faultload
, respectively.
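The four FARM sets are easier to grasp on a concrete campaign. The following Python script is an added illustration, not code from the book or from the cited authors: the target system (an 8-bit computation whose output is protected by an even-parity check, the FTM under assessment), the stuck-at fault model, and all numbers are constructed for this example. F is the set of single and double stuck-at faults on the output bits, A is the workload driving the target (every 8-bit input), R is the per-experiment readout (dormant, detected or escaped), and M is derived from F, A and R: the activation rate and the detection coverage of the parity check. The example goes slightly beyond the text by showing why the measures depend on how F is chosen: with single faults only the coverage is 1.0, and adding double faults exposes the well-known blind spot of parity.

```python
"""FARM-style fault injection campaign on a constructed parity-protected target."""
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, List, Tuple


def golden(x: int) -> int:
    """Fault-free 8-bit computation of the target (constructed for the example)."""
    return (x * 7 + 3) & 0xFF


def parity(v: int) -> int:
    """Even-parity bit of an 8-bit value; the FTM compares it on the consumer side."""
    return bin(v & 0xFF).count("1") & 1


@dataclass(frozen=True)
class StuckAt:
    """One element of F: output bits forced to fixed values (single or double stuck-at)."""
    bits: Tuple[Tuple[int, int], ...]  # ((bit_index, stuck_value), ...)

    def apply(self, v: int) -> int:
        for idx, val in self.bits:
            v = (v | (1 << idx)) if val else (v & ~(1 << idx) & 0xFF)
        return v


@dataclass(frozen=True)
class Readout:
    """One element of R: what was observed for one (fault, activation) experiment."""
    fault: StuckAt
    activation: int
    outcome: str  # "dormant" | "detected" | "escaped"


def run_experiment(fault: StuckAt, x: int) -> Readout:
    """Inject one fault of F, activate the target with one input of A, record a readout."""
    expected = golden(x)
    tag = parity(expected)            # parity computed on the fault-free data path
    observed = fault.apply(expected)  # fault acts on the protected output
    if observed == expected:
        outcome = "dormant"    # fault present but this activation produced no error
    elif parity(observed) != tag:
        outcome = "detected"   # error caught by the FTM
    else:
        outcome = "escaped"    # error slipped past the FTM: coverage gap
    return Readout(fault, x, outcome)


def fault_set(max_multiplicity: int = 2) -> List[StuckAt]:
    """F: all stuck-at faults of multiplicity 1..max_multiplicity on the 8 output bits."""
    faults = []
    for k in range(1, max_multiplicity + 1):
        for idxs in combinations(range(8), k):
            for vals in product((0, 1), repeat=k):
                faults.append(StuckAt(tuple(zip(idxs, vals))))
    return faults


def activation_set() -> List[int]:
    """A: the workload driving the target (here the full 8-bit input space)."""
    return list(range(256))


def campaign(faults: List[StuckAt], activations: List[int]) -> List[Readout]:
    """Run every (fault, activation) pair of F x A and collect the readout set R."""
    return [run_experiment(f, x) for f in faults for x in activations]


def measures(readouts: List[Readout]) -> Dict[str, float]:
    """M: measures derived from the F, A and R sets."""
    counts = {"dormant": 0, "detected": 0, "escaped": 0}
    for r in readouts:
        counts[r.outcome] += 1
    errors = counts["detected"] + counts["escaped"]
    return {
        "experiments": len(readouts),
        "activation_rate": errors / len(readouts) if readouts else float("nan"),
        "detection_coverage": counts["detected"] / errors if errors else float("nan"),
        **counts,
    }


if __name__ == "__main__":
    for multiplicity in (1, 2):
        m = measures(campaign(fault_set(multiplicity), activation_set()))
        print(f"max fault multiplicity {multiplicity}: {m}")
```

Because `golden` is a bijection on the 8-bit space, each output bit pattern is activated equally often, so the dormant share is exactly the fraction of activations for which the stuck bits already hold the forced value; the escaped readouts come only from double faults that corrupt two bits at once, which parity cannot see. Changing A (for instance, a workload that only ever produces outputs with bit 7 clear) would change the activation rate without changing the FTM, which is precisely why the measures are defined over the FARM sets jointly rather than over the mechanism alone.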