Results 11 - 20 of 61
Dependability Modelling and Analysis of Complex Control Systems: an Application to Railway Interlocking
- in European Dependable Computing Conference (EDCC-2), 1996
Cited by 17 (13 self)
This paper describes the dependability modelling and evaluation of a real complex system, made of redundant replicated hardware and redundant diverse software. It takes into account all aspects of their interactions (including correlation between the diverse software variants) and of the criticality of the several components. Our approach has been to realise the system model in a structured way. This allows us to cope with complexity and to focus, where interesting, on specific behaviour for a more detailed analysis. Furthermore, each level may be modelled using different methodologies and its evaluation performed with different tools without the need of modifying the general structure of the model. In order to validate the most complex sub-models, we built alternatives using different tools and methodologies; this proved to be very useful since it allowed us to find small bugs and imperfections and to gain more confidence that the models represented the real system behaviour. With respect to the real system taken as the example, our analyses, which could not be reported here, allowed us to establish the dependability bottlenecks of the current version and to state targets for the several subcomponents such that the system targets could be reached, thus providing hints for next releases or modifications of the system and information to assign targets to the various components of the system.
Assuring Design Diversity in N-Version Software: A Design Paradigm for N-Version Programming
- Proc. DCCA, 1991
Cited by 17 (4 self)
The N-Version Programming (NVP) approach achieves fault-tolerant software units, called N-Version Software (NVS) units, through the development and use of software diversity. To maximize the effectiveness of the NVP approach, the probability of similar errors that coincide at the NVS decision points should be reduced to the lowest possible value. Design diversity is potentially an effective method to get this result. It has been the major concern of this paper to formulate a set of rigorous guidelines, or a design paradigm, for the investigation and implementation of design diversity in building NVS units for practical applications. This effort includes the description of a most recent formulation of the NVP design paradigm, which integrates the knowledge and experience obtained from fault-tolerant system design with software engineering techniques, and the application of this design paradigm to a real-world project for an extensive evaluation. Some limitations of the approach are ...
A Conceptual Framework for System Fault Tolerance
- 1992
Cited by 14 (1 self)
A major problem in transitioning fault tolerance practices to the practitioner community is a lack of a common view of what fault tolerance is, and how it can help in the design of reliable computer systems. This document takes a step towards making fault tolerance more understandable by proposing a conceptual framework. The framework provides a consistent vocabulary for fault tolerance concepts, discusses how systems fail, describes commonly used mechanisms for making systems fault tolerant, and provides some rules for developing fault tolerant systems.

1 Introduction

One of the major problems in transitioning fault tolerance practices to the practitioner community is a lack of a common view of exactly what fault tolerance is, and how it can help in the design of reliable systems. One step towards making fault tolerance more understandable is to provide a conceptual framework. The purpose of this document is to propose such a framework. This document begins with a discussion of wh...
On Performability Modeling and Evaluation of Software Fault Tolerance Structures
- in Proc. EDCC1, 1994
Cited by 13 (13 self)
An adaptive scheme for software fault-tolerance is evaluated from the point of view of performability, comparing it with previously published analyses of the more popular schemes, recovery blocks and multiple version programming. In the case considered, this adaptive scheme, "Self-Configuring Optimistic Programming" (SCOP), is equivalent to N-version programming in terms of the probability of delivering correct results, but achieves better performance by delaying the execution of some of the variants until it is made necessary by an error. A discussion follows highlighting the limits in the realism of these analyses, due to the assumptions made to obtain mathematically tractable models, to the lack of experimental data and to the need to consider also resource consumption in the definition of the models. We consider ways of improving usability of the results of comparative evaluation for guiding design decisions.
Making services fault tolerant
- Lecture Notes in Computer Science, 2006
Cited by 9 (3 self)
With the ever growing use of the Internet, Web services become increasingly popular and their growth rate surpasses even the most optimistic predictions. Services are self-descriptive, self-contained, platform-independent and openly-available components that interact over the network. They are written strictly according to open specifications and/or standards and provide important and often critical functions for many business-to-business systems. Failures causing either service downtime or producing invalid results in such systems may range from a mere inconvenience to significant monetary penalties or even loss of human lives. In applications where sensing and control of machines and other devices take place via services, making the services highly dependable is one of the main critical goals. Currently, there is no experimental investigation to evaluate the reliability and availability of Web services systems. In this paper, we identify parameters impacting the Web services dependability, describe the methods of dependability enhancement by redundancy in space and redundancy in time and perform a series of experiments to evaluate the availability of Web services. To increase the availability of the Web service, we use several replication schemes and compare them with a single service. The Web services are coordinated by a replication manager. The replication algorithm and the detailed system configuration are described in this paper.
Low-Cost Error Containment and Recovery for Onboard Guarded Software Upgrading and Beyond
- IEEE Trans. Computers, 2002
Cited by 8 (4 self)
Message-driven confidence-driven (MDCD) error containment and recovery, a low-cost approach to mitigating the effect of software design faults in distributed embedded systems, is developed for onboard guarded software upgrading for deep-space missions. In this paper, we first describe and verify the MDCD algorithms in which we introduce the notion of "confidence-driven" to complement the "communication-induced" approach employed by a number of existing checkpointing protocols to achieve error containment and recovery efficiency. We then conduct a model-based analysis to show that the algorithms ensure low performance overhead. Finally, we discuss the advantages of the MDCD approach and its potential utility as a general-purpose, low-cost software fault tolerance technique for distributed embedded computing.
COTS diversity based intrusion detection and application to web servers
- In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection, RAID 2005, 2005
Cited by 8 (1 self)
It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms that are available on computer systems and networks. However, the anomaly-based IDSes that have been proposed in recent years present some drawbacks, e.g., the necessity to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection, based on design diversity, a technique from the dependability field that has been widely ignored in the intrusion detection area. The main advantage is that it provides an implicit, and complete, reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and discuss the impact of this choice. We present an architecture using COTS-diversity, and then apply it to web servers. We also provide experimental results that confirm the expected properties of the built IDS, and compare them with other IDSes.
Novel ways of improving cooperation and performance in ensemble classifiers
- in Proceedings of the Genetic and Evolutionary Computation Conference (GECCO 2007)
Cited by 7 (1 self)
There are two common methods of evolving teams of genetic programs. Research suggests Island approaches produce teams of strong individuals that cooperate poorly and Team approaches produce teams of weak individuals that cooperate strongly. Ideally, teams should be composed of strong individuals that cooperate well. In this paper we present a new class of algorithms called Orthogonal Evolution of Teams (OET) that overcomes the weaknesses of current Island and Team approaches by applying evolutionary pressure at both the level of teams and individuals during selection and replacement. We present four novel algorithms in this new class and compare their performance to Island and Team approaches as well as multi-class Adaboost on a number of classification problems.
Evolutionary Strategies and Intrinsic Fault Tolerance
- 2001
Cited by 6 (3 self)
Redundancy is a critical component to the design of fault tolerant systems, both hardware and software. This paper explores the possibilities of using evolutionary techniques to first produce a processing system that will perform a required function, and then consider its applicability for producing useful redundancy that can be made use of in the presence of faults, i.e. is it fault tolerant? Results obtained using Evolutionary Strategies to automatically create redundancy as part of the "design" process are given. The experiments are undertaken on a Virtex FPGA with intrinsic evolution taking place. The results show that not only does the evolutionary process produce useful redundancy, it is also possible to reconfigure the system in real-time on the Virtex device.
System and Software Safety in Critical Systems
- 1996
Cited by 6 (0 self)
The safety aspects of computer-based systems are increasingly important as the use of software escalates because of its convenience and flexibility. However, the complexity of even modestly sized programs is such that the elimination of errors with a high degree of confidence is extremely difficult. There are a number of approaches to enhancing safety in safety-critical control systems. These are surveyed and compared with particular emphasis on systems with software in the controlling system. A glossary of terms and an extensive bibliography for further reading are included.

