DEPEND: A Simulation-Based Environment for System Level Dependability Analysis

The design and evaluation of highly reliable computer systems is a complex issue. Designers mostly develop such systems based on prior knowledge and experience and occasionally from analytical evaluations of simplified designs. This paper presents a simulation-based environment called DEPEND which is especially geared for the design and evaluation of fault-tolerant architectures. DEPEND is unique in that it exploits the properties of object-oriented programming to provide a flexible framework with which a user can rapidly model and evaluate various fault-tolerant systems. The paper describes the key features of the DEPEND environment and illustrates its capabilities with a detailed analysis of a real design. In particular, DEPEND is used to simulate the Unix based Tandem Integrity fault-tolerant system 1 and evaluate how well it copes with near-coincident errors caused by correlated and latent faults. Issues such as memory scrubbing, re-integration policies and workload dependent repair times which affect how the system handles near-coincident errors are also evaluated. Issues such as the method used by DEPEND to simulate error latency and, the time acceleration technique that provides enormous simulation speed up are also discussed. Unlike any other simulation-based dependability studies, the use of these approaches and the accuracy of the simulation model are validated by comparing the results of the simulations with measurements obtained from fault injection experiments conducted on a production Tandem Integrity machine. _The MTBF figures presented in this paper should not be construed to reflect the MTBF figures of an actual Tandem Integrity system because key parameters that have a direct bearing on this measure were not obtained from measurements of the Integrity system but rather from other production machines. For this reason, the results shown in this paper should only be construed to reflect the trend and behavior of a general TMR based system.