Specifying fault tolerance in large complex computing systems

A difficult task in the process of engineering large complex computing systems is the derivation of requirements which assure that a system can supply the expected behavior the presence of faults. This paper provides insight into the constraints placed upon the system during the requirements specification phase of the system life-cycle by quality of service requirements, such as performance, reliability, availability, safety, and timeliness. Focusing on a simple environmental control system, we examine the derivation of requirements to support system resiliency to faults. After partitioning possible system behaviors into acceptable and unacceptable sets, we provide guidelines for specifying acceptable behavior using the following process: define the normal behavior for a correct system; identify the fault hypothesis appropriate to the system and applications; and, define the exceptional behavior for a partially correct system satisfying the system fault hypothesis. We motivate the specification of a health management function to assure acceptable behavior to the extent indicated by the quality of service requirements and the dependability constraints of availability, reliability, safety, integrity, confidentiality, and maintainability