

Talks and poster presentations (with proceedings entry):

C. Scherrer, A. Steininger:
"Periodic Node Shutdown in a Fail-Silent Architecture - Risk or Rescue?";
Talk: World Multiconference on Systemics, Cybernetics and Informatics (SCI), Orlando, FL, USA; 23.07.2000 - 26.07.2000; in: "World Multiconference on Systemics, Cybernetics and Informatics", (2000), pp. 312 - 317.



Abstract (English):
Due to its high cost-effectiveness, the fail-silent architecture is very attractive for embedded computing systems in safety-relevant applications. The accumulation of dormant faults, however, is a potential threat to the single-fault assumption usually implied by the fail-silent approach. This is especially true for systems with long mission times. On-line testing presents a solution to this problem, but is not easily applicable in real-time environments. Therefore we investigate a different approach in this paper: does it make sense to shut down one of the two redundant nodes periodically for test purposes while relying on the other one to still provide the required service? This allows conventional off-line test methods to be applied, reducing the above-mentioned risk of coverage violations. But apparently this approach increases the risk of spare exhaustion. We use a Markov model to perform a closer analysis of this situation. This analysis shows that with a carefully arranged test schedule we can find a balance between these two failure modes such that the overall dependability is increased.

Generated from the publication database of the Technische Universität Wien.