軟件體系結(jié)構(gòu)5aATC案例分析課件

案例分析：AirTrafficControl張平健華南理工大學(xué)軟件學(xué)院1案例分析：AirTrafficControl張平健1AirTrafficControl(ATC)Theproblemistocontrolaverylargenumberofaircraftfromtake-offtolanding.Problemfeatures:Hardrealtime–notoleranceformissingdeadlinesUltraHighavailabilitySafetycriticalHighlydistributed2AirTrafficControl(ATC)ThepFlyingfrompointAtopointBintheU.S.airtrafficcontrolsystem3FlyingfrompointAtopointBEnroutecentersintheUnitedStates4EnroutecentersintheUnitedFlightMonitoringFlightfromKeyWesttoDCKeywestgroundcontrol(totaxitorunway)KeyWestTower(takeofftillleavingairportairspaceZMAenroutezonecenterZJXenroutezonecenterZTLenroutezonecenterZDCenroutezonecenterDCTower(arrivalairport)ground-control(totaxiagain)AdvancedAutomationSystem(AAS)ComponentsGroundControlAirportTowerEnRouteCenters–InitialSectorSuiteSystem(ISSS)ThisstudywillfocusonISSSonly.5FlightMonitoringFlightfromKISSSInfluencesISSSwasonlyonepartofAASNotesonDesignofISSSManycomponentsincommonInterfacesto:radiosystems,flight-planDB,eachotherCommonqualityrequirementsforavailability,reliability…SoISSSwasinfluencedbyrequirementsforallofAASHistoryISSSrealsystem,designed,mostofcodedevelopedNotdeployed,scaledbacktomoreeconomical,morestagedsolution(budgetcuts)OutsideAudit–thearchitectureanddesignwereanalyzedbyanindependentauditteamthatjudged“satisfiesrequirements.”ThesystemdeployedborrowedheavilyfromISSS/lusch/blharris.html6ISSSInfluencesISSSwasonlyoABCoftheAirTrafficControlSystem7ABCoftheAirTrafficControlRequirementsandQualityAttributesATCsystemishighlyvisiblewithenormouscommercial,governmentalandpublicinterestGreatpotentialforlossoflifeandcostlyproperty.Thusthetwomostimportantqualityattributeswere:UltrahighavailabilityEssentialthat“unavailability”limitedtoveryshortperiodsAvailabilityrequirement.99999:unavailablelessthan5minutesinayear;howevershortrecoverperiods(<10sec)didnotcountHighperformanceHandleupto2440aircraftseffectivelyandefficiently8RequirementsandQualityAttriOtherRequirementsandQualityAttributesOpenness-meaningthesystemneedstobeabletoincorporatecommerciallydevelopedcomponentsAbilitytofieldsubsetsofthesystemModifiability–modificationstofunctionalityandtohandleupgradesinhardwareandsoftwareInteroperability–theabilitytooperatewithandinterfaceawiderangeofexternalsystems9OtherRequirementsandQualityStakeholdersFAAControllers(endusers)–couldrejectthissystemifitwasnottotheirlikingevenifitmetallfunctionalrequirementsUsabilityattribute?Actuallyhandledbytakinggreatcarewithrequirementsanddesign(thusslowingtheprocess)10StakeholdersFAA10SectorSuitesSectorSuites–asuiteofair-trafficcontrollerseachwiththeirownconsolethatcollectivelyhandlealltheaircraftinthesectorSectorscouldbedefineddifferentlyateachcenterCouldbedonephysicallyCouldbedonetobalancetheloadLessdenselytraveledsectorscouldbemadelargerPlanesarepassedofffromDepartureairport->enroutezonecenter->…->arrivalairportAlsowithinzone:sector->sector->…->sectorbeforepassingtothenextcenter11SectorSuitesSectorSuites–aISSSDesignISSSrequiresflexibilityinnumberofcontrolstationspersector(1to4)Atleasttwocontrollerspersector:1.RadarcontrollerMonitorsradarCommunicateswithaircraftResponsibleformaintainingseparationofaircraft2.DatacontrollerRetrievesflightplansetc.Suppliesradarcontrollerwith“intentions”ofaircraft12ISSSDesignISSSrequiresflexiISSSImplementationMetricsThesystemcontainsabout1millionlinesofAdacodeDesignedtosupportupto210consolesperenroutecenter.EachconsolewasaworkstationwithIBMRS/6000processorRequirementstohandlefrom400to2440aircraftsimultaneouslyTheremaybefrom16to40radarunitstosupportasinglefacilityAcentermayhavefrom60to90controlpositionsineachcenter13ISSSImplementationMetricsTheISSSFunctionalitySummaryAcquireradartargetsreportsfromexistingATCsystem,theHostComputerSystem(henceforth“Host”)Convertradarreportsfordisplayandbroadcasttoallconsoles(consolescanswitchareasthataredisplayed)Handleconflictalerts(potentialcollisions)InterfacewithHostforinputandtoretrieveflightplansProvideextensivemonitoringofthesystemitselftoallowdynamicreconfigurationProviderecordingcapabilityforlaterplaybackProvideniceGUIProvidereducedbackupcapabilityintheeventofthefailureoftheHost,theprimarynetwork,theprimaryradarsensors14ISSSFunctionalitySummaryAcquISSSArchitectureViews1.PhysicalView2.Moduledecompositionview3.ProcessView4.Client-ServerView5.CodeView6.LayeredView7.FaultToleranceView15ISSSArchitectureViews15PhysicalView16PhysicalView16PhysicalViewNotesHCSA–HostcomputerSystemA(primary)Processesradarandflight-planinfo.Outputtoconsoles(radar)andflight-stripprinters(flight-plans)HCSB–backupHostCommonConsoles–theworkstationsLocalCommunicationsNetwork–Consoles<-->HostsEachhosthastwoLCNinterfaceunitscalledLIU-HLCNcomposedof4paralleltokenringnetworks1.Onesupportsbroadcastofradarinfo2.Oneforpoint-to-pointbetweenworkstations3.Oneprovidesforrecordingdataforlaterplayback4.Aspare17PhysicalViewNotesHCSA–HosPhysicalViewNotesBackupCommunicationNetwork(BCN)isanEthernetusingTCP/IPBothLCNandBCNhavemonitorandcontrolconsolesformaintenancepersonnel

EnhanceDirectAccessRadarChannel(EDARC)providesbackupdisplayofinfoincaseoflossofHost.EDARCsuppliesrawdatatotheExternalSystemInterface(EIS)processorCentralprocessorsmainframesthatprovidedrecordandplaybackforearlyversionofISSSTestingandtrainingsubsystem–allowtrainingofnewpersonnelandtestingofnewequipmentwithoutinterfering18PhysicalViewNotesBackupCommModuleDecompositionViewElementscalledComputerSoftwareConfigurationItems(CSCIs)asrequiredbythegovernmentsoftwaredevelopmentstandardrequiredbythecustomer5CSCIs:1.DisplayManagement2.CommonSystemsServicesGeneralATCutilities;ISSSis1/3ofAAS3.Recording,analysisandplayback4.NationalAirspaceSystemModificationModifyingsoftwareonhost5.IBMAIXoperatingsystem19ModuleDecompositionViewElemeModuleDecompositionView:TacticsTheCSCIsformeddeliverableunitssoftwareanddocumentationTactics:Semanticcoherence–mainoneguidingthewell-definedandnon-overlappingdecompositionAbstractcommonservices–CommonSystemServicesModuleRecord/playbacktactics-testabilityGeneralizingmodule–welldesignedinterfaces20ModuleDecompositionView:TacProcessViewConcurrencyresidesin“applications”,roughlyprocessesinDijkstra’scooperatingsequentialprocessesAdaMainunit–aprocessschedulablebyOSISSSdesignedtoworkonmorethanoneprocessorProcessorsgroupedinto“processorgroups”CriticaltofaulttoleranceandthusavailabilityOneprimary,therestbackupPAS–primaryaddressspaceSAS–standbyaddressspaceOperationalunit–thecollectionofprimaryanditsstandbysFunctiongroupsarethecomponentsnotimplementedinthisfaulttolerantfashion(replicatedonseveralgroups)21ProcessViewConcurrencyresideProcessview22Processview22PrimaryFailureSwitchover1.PASfails2.AstandbysystemSASispromotedtoPAS3.ThenewPASsendsmessagesnotifyingofthefailureandstartsprovidingallservices4.AnewSASisstarteduptoreplacetooldfailedPAS5.ThenewSASsendsmessagetonotifythenewPAS6.Addingannewoperationalunitissimilarbutmorecomplexstateresynchronizationandpassiveredundancy23PrimaryFailureSwitchover1.PAddinganewOperationalUnit1.Identifynecessaryinputdataanditslocation.2.Identifywhere(whichOperationUnit/FG)tosendoutput3.Fitoperationalunit’scommunicationpatternsintosystemwideacyclicgraphsuchthatitremainsacyclicanddeadlockswillnotoccur.4.Designmessagestoachievethis.5.Identifyinternalstatedatathatmustbeusedforcheck-pointing.(mustbeincludedinPAS->SASs)6.Definemessages:messagetypes,data7.Planforswitchoveronfailure;testforconsistency8.Ensureprocessingstepscompletewithinaheartbeat9.Plandata-sharingandsynchronizationwithotherOperationalUnits24AddinganewOperationalUnit1C/SView25C/SView25Client-ServerViewCommunicationbetweenPASelementswithinoperationalunits(clientandserver)Theclientsendsa“servicerequestmessage”TheserveracknowledgesandrespondswithresultsWithinoperationalunitsPASssendupdatedstatetoSASsWithinFGsnothingextrajustACKandresults26Client-ServerViewCommunicatioCodeViewCodeview–describeshowfunctionalityismappedintocodeunitsISSSCodeviewAdamainprogramSubprogramsgroupedintopackages(separatelycompilable)Adaprogramconsistsofoneormoretasks(threads)Applications(operationalunitsandfunctionalgroups)decomposedintoAdapackages27CodeViewCodeview–describesLayeredViewSharedmemory(TablesandMessageStorage)AASapplicationSharedMemory(TablesandMessageStorage)CASAIXKernelExtensionAIXKernel28LayeredViewSharedmemory(Tab2929FaultToleranceViewM&CconsoleGlobalAvailabilityManagerLocal/GroupAvailabilityManagerATCconsoleApplicationSoftwareOperationalUnit(ThreadProcessingModel)OSextensionsAddressSpaceModelsNetworkOperatingSystemProcessorI/Odevices30FaultToleranceViewM&Cconsolcomponent-and-connectorviewforfaulttolerance31component-and-connectorviewfFaultToleranceHierarchyEachlevelofthehierarchyDetectserrorsinitself,peers,andalllowerlevelsHandlesexceptionsfromlowerlevelsDiagnoses,recovers,reportsorraisesexceptionsLevelsfromToptoBottomSystemmonitorandcontrolGlobalavailabilitymanagerGroupavailabilitymanagerLocalavailabilitymanagerApplicationRuntimeenvironmentOperatingSystemPhysicallevel:processors,networks,devices32FaultToleranceHierarchyEachFaultToleranceHierarchyFaultDetectionateachlevelbyBuilt-intestsEventtime-outsNetworkcircuittestsGroupmembershipprotocolsHumanreactiontoalarmsFaultrecoverycanbeautomaticormanualForavailabilitymanagersrecoveryisdecisiontabledrivenInaPASthereare4typesofrecovery1.InaswitchovertheSAStakesoverfortheoldPAS2.Awarmrestartusescheckpointdatasavedtonon-volatilememory3.Coldrestartusesdefaultstart-updata4.Acutoverisusedtotransitiontonewlogicordata33FaultToleranceHierarchyFaultFaultToleranceHierarchyFaulttoleranceofthehardwareisdoneviaredundancyLCN,BCN,variousbridgesBackupradarandseparatechannelforitProcessorhardwarereplicatedwithinprocessorgroupTacticsaddedhere–componentavailabilityusedforfaulttolerance“Ping/echo”“Heartbeat”“Exception”totransfererrorstothecorrectplace“spare”toperformrecovery34FaultToleranceHierarchyFaultRelatingtheViewsAdditionalinsightisprovidedbyexaminingrelationshipsbetweenviewsMappingoneviewtoanotherInISSSCSCIsaretheelementsinthemoduledecompositionview(composedofapplications)Applications(processes)aretheelementsintheprocessviewandintheclient-serverviewApplicationsareimplementedinAdapackagesandprogramselementsoftheCodeviewApplicationsareturnedintothreadsatruntimeelementsoftheconcurrencyviewThespecialqualityattributeview(fault-tolerance)useselementsfromtheprocess,layerandmoduleviews35RelatingtheViewsAdditionali“ConfigurationFiles”TacticISSSmakesextensiveuseofthemodifiabilitytactic“configurationfiles”(calledthisadaptationdata).Site-specificdataallowsconfigurationofISSSforeachofthe22enroutecentersThisconfigurationisfairlyextensiveandpowerfulE.g.,splittinganATCconsolewindowintotwo“generalizethemodule”tacticNegativesideIttakespowerfulinterpretationmechanismtosupportthislevelofadaptabilityatrun-timeItthereforeiscomplextomaintainthemechanismifchangesarerequiredthere.Differentconfigurationssubstantiallycomplicatestesting.36“ConfigurationFiles”TacticIS“AbstractCommonServices”TacticPASandSASreallycomesfromthesamesourceNodifferenceinthecodeJustdynamicstatebooleanvariable“primaryStatus”CodeTemplateStructureforalloperationunits“AbstractingCommonServices”tacticCommonpartisabstractedtotemplate37“AbstractCommonServices”TacCodeTemplateaffectsotherTacticsOthermodifiabilitytacticsaddressedbycodetemplate“anticipationofexpectedchanges”“Semanticcoherence”“generalizingthemodule”Makinginterfacespartofthetemplate“maintaininterfacestability”and“adherencetodefinedprotocols”38CodeTemplateaffectsotherTaGoalHowAchievedTacticsHighAvailabilityHardwareredundancy(bothprocessorandnetwork);softwareredundancy(layeredfaultdetectionandrecovery)Shadowing;stateresynchronization;passiveredundancy;limitexposure;ping/echo;heartbeat;exception;spareHighPerformanceDistributedmultiprocessors;front-endschedulabilityanalysis,andnetworkmodelingIntroduceconcurrency39GoalHowAchievedTacticsHighAvGoalHowAchievedTacticsModifiabilityTemplatesandtable-drivenadaptationdata;carefulassignmentofmoduleresponsibilities;strictuseofspecifiedinterfacesAbstractcommonservices;semanticcoherence;maintaininterfacestability;anticipateexpectedchanges;generalizethemodule;componentreplacement;adherencetodefinedprotocols;configurationfiles40GoalHowAchievedTacticsModifiaGoalHowAchievedTacticsOpennessInterfacewrappingandlayeringAbstractcommonservices;maintaininterfacestabilityAbilitytoFieldSubsetsAppropriateseparationofconcernsAbstractcommonservicesInteroperabilityClient-serverdivisionoffunctionalityandmessage-basedcommunicationsAdherencetodefinedprotocols;maintaininterfacestability41GoalHowAchievedTacticsOpennesISSSSummaryArchitecturalsolutionscanbethekeytoachievingtheneedsofanapplication(especiallyqualityattributerequirements)Highavailability:faulttoleranceLongevity:highmodifiability,interoperabilityAuditofISSSbeforeabandoning42ISSSSummaryArchitecturalsolu案例分析：AirTrafficControl張平健華南理工大學(xué)軟件學(xué)院43案例分析：AirTrafficControl張平健1AirTrafficControl(ATC)Theproblemistocontrolaverylargenumberofaircraftfromtake-offtolanding.Problemfeatures:Hardrealtime–notoleranceformissingdeadlinesUltraHighavailabilitySafetycriticalHighlydistributed44AirTrafficControl(ATC)ThepFlyingfrompointAtopointBintheU.S.airtrafficcontrolsystem45FlyingfrompointAtopointBEnroutecentersintheUnitedStates46EnroutecentersintheUnitedFlightMonitoringFlightfromKeyWesttoDCKeywestgroundcontrol(totaxitorunway)KeyWestTower(takeofftillleavingairportairspaceZMAenroutezonecenterZJXenroutezonecenterZTLenroutezonecenterZDCenroutezonecenterDCTower(arrivalairport)ground-control(totaxiagain)AdvancedAutomationSystem(AAS)ComponentsGroundControlAirportTowerEnRouteCenters–InitialSectorSuiteSystem(ISSS)ThisstudywillfocusonISSSonly.47FlightMonitoringFlightfromKISSSInfluencesISSSwasonlyonepartofAASNotesonDesignofISSSManycomponentsincommonInterfacesto:radiosystems,flight-planDB,eachotherCommonqualityrequirementsforavailability,reliability…SoISSSwasinfluencedbyrequirementsforallofAASHistoryISSSrealsystem,designed,mostofcodedevelopedNotdeployed,scaledbacktomoreeconomical,morestagedsolution(budgetcuts)OutsideAudit–thearchitectureanddesignwereanalyzedbyanindependentauditteamthatjudged“satisfiesrequirements.”ThesystemdeployedborrowedheavilyfromISSS/lusch/blharris.html48ISSSInfluencesISSSwasonlyoABCoftheAirTrafficControlSystem49ABCoftheAirTrafficControlRequirementsandQualityAttributesATCsystemishighlyvisiblewithenormouscommercial,governmentalandpublicinterestGreatpotentialforlossoflifeandcostlyproperty.Thusthetwomostimportantqualityattributeswere:UltrahighavailabilityEssentialthat“unavailability”limitedtoveryshortperiodsAvailabilityrequirement.99999:unavailablelessthan5minutesinayear;howevershortrecoverperiods(<10sec)didnotcountHighperformanceHandleupto2440aircraftseffectivelyandefficiently50RequirementsandQualityAttriOtherRequirementsandQualityAttributesOpenness-meaningthesystemneedstobeabletoincorporatecommerciallydevelopedcomponentsAbilitytofieldsubsetsofthesystemModifiability–modificationstofunctionalityandtohandleupgradesinhardwareandsoftwareInteroperability–theabilitytooperatewithandinterfaceawiderangeofexternalsystems51OtherRequirementsandQualityStakeholdersFAAControllers(endusers)–couldrejectthissystemifitwasnottotheirlikingevenifitmetallfunctionalrequirementsUsabilityattribute?Actuallyhandledbytakinggreatcarewithrequirementsanddesign(thusslowingtheprocess)52StakeholdersFAA10SectorSuitesSectorSuites–asuiteofair-trafficcontrollerseachwiththeirownconsolethatcollectivelyhandlealltheaircraftinthesectorSectorscouldbedefineddifferentlyateachcenterCouldbedonephysicallyCouldbedonetobalancetheloadLessdenselytraveledsectorscouldbemadelargerPlanesarepassedofffromDepartureairport->enroutezonecenter->…->arrivalairportAlsowithinzone:sector->sector->…->sectorbeforepassingtothenextcenter53SectorSuitesSectorSuites–aISSSDesignISSSrequiresflexibilityinnumberofcontrolstationspersector(1to4)Atleasttwocontrollerspersector:1.RadarcontrollerMonitorsradarCommunicateswithaircraftResponsibleformaintainingseparationofaircraft2.DatacontrollerRetrievesflightplansetc.Suppliesradarcontrollerwith“intentions”ofaircraft54ISSSDesignISSSrequiresflexiISSSImplementationMetricsThesystemcontainsabout1millionlinesofAdacodeDesignedtosupportupto210consolesperenroutecenter.EachconsolewasaworkstationwithIBMRS/6000processorRequirementstohandlefrom400to2440aircraftsimultaneouslyTheremaybefrom16to40radarunitstosupportasinglefacilityAcentermayhavefrom60to90controlpositionsineachcenter55ISSSImplementationMetricsTheISSSFunctionalitySummaryAcquireradartargetsreportsfromexistingATCsystem,theHostComputerSystem(henceforth“Host”)Convertradarreportsfordisplayandbroadcasttoallconsoles(consolescanswitchareasthataredisplayed)Handleconflictalerts(potentialcollisions)InterfacewithHostforinputandtoretrieveflightplansProvideextensivemonitoringofthesystemitselftoallowdynamicreconfigurationProviderecordingcapabilityforlaterplaybackProvideniceGUIProvidereducedbackupcapabilityintheeventofthefailureoftheHost,theprimarynetwork,theprimaryradarsensors56ISSSFunctionalitySummaryAcquISSSArchitectureViews1.PhysicalView2.Moduledecompositionview3.ProcessView4.Client-ServerView5.CodeView6.LayeredView7.FaultToleranceView57ISSSArchitectureViews15PhysicalView58PhysicalView16PhysicalViewNotesHCSA–HostcomputerSystemA(primary)Processesradarandflight-planinfo.Outputtoconsoles(radar)andflight-stripprinters(flight-plans)HCSB–backupHostCommonConsoles–theworkstationsLocalCommunicationsNetwork–Consoles<-->HostsEachhosthastwoLCNinterfaceunitscalledLIU-HLCNcomposedof4paralleltokenringnetworks1.Onesupportsbroadcastofradarinfo2.Oneforpoint-to-pointbetweenworkstations3.Oneprovidesforrecordingdataforlaterplayback4.Aspare59PhysicalViewNotesHCSA–HosPhysicalViewNotesBackupCommunicationNetwork(BCN)isanEthernetusingTCP/IPBothLCNandBCNhavemonitorandcontrolconsolesformaintenancepersonnel

EnhanceDirectAccessRadarChannel(EDARC)providesbackupdisplayofinfoincaseoflossofHost.EDARCsuppliesrawdatatotheExternalSystemInterface(EIS)processorCentralprocessorsmainframesthatprovidedrecordandplaybackforearlyversionofISSSTestingandtrainingsubsystem–allowtrainingofnewpersonnelandtestingofnewequipmentwithoutinterfering60PhysicalViewNotesBackupCommModuleDecompositionViewElementscalledComputerSoftwareConfigurationItems(CSCIs)asrequiredbythegovernmentsoftwaredevelopmentstandardrequiredbythecustomer5CSCIs:1.DisplayManagement2.CommonSystemsServicesGeneralATCutilities;ISSSis1/3ofAAS3.Recording,analysisandplayback4.NationalAirspaceSystemModificationModifyingsoftwareonhost5.IBMAIXoperatingsystem61ModuleDecompositionViewElemeModuleDecompositionView:TacticsTheCSCIsformeddeliverableunitssoftwareanddocumentationTactics:Semanticcoherence–mainoneguidingthewell-definedandnon-overlappingdecompositionAbstractcommonservices–CommonSystemServicesModuleRecord/playbacktactics-testabilityGeneralizingmodule–welldesignedinterfaces62ModuleDecompositionView:TacProcessViewConcurrencyresidesin“applications”,roughlyprocessesinDijkstra’scooperatingsequentialprocessesAdaMainunit–aprocessschedulablebyOSISSSdesignedtoworkonmorethanoneprocessorProcessorsgroupedinto“processorgroups”CriticaltofaulttoleranceandthusavailabilityOneprimary,therestbackupPAS–primaryaddressspaceSAS–standbyaddressspaceOperationalunit–thecollectionofprimaryanditsstandbysFunctiongroupsarethecomponentsnotimplementedinthisfaulttolerantfashion(replicatedonseveralgroups)63ProcessViewConcurrencyresideProcessview64Processview22PrimaryFailureSwitchover1.PASfails2.AstandbysystemSASispromotedtoPAS3.ThenewPASsendsmessagesnotifyingofthefailureandstartsprovidingallservices4.AnewSASisstarteduptoreplacetooldfailedPAS5.ThenewSASsendsmessagetonotifythenewPAS6.Addingannewoperationalunitissimilarbutmorecomplexstateresynchronizationandpassiveredundancy65PrimaryFailureSwitchover1.PAddinganewOperationalUnit1.Identifynecessaryinputdataanditslocation.2.Identifywhere(whichOperationUnit/FG)tosendoutput3.Fitoperationalunit’scommunicationpatternsintosystemwideacyclicgraphsuchthatitremainsacyclicanddeadlockswillnotoccur.4.Designmessagestoachievethis.5.Identifyinternalstatedatathatmustbeusedforcheck-pointing.(mustbeincludedinPAS->SASs)6.Definemessages:messagetypes,data7.Planforswitchoveronfailure;testforconsistency8.Ensureprocessingstepscompletewithinaheartbeat9.Plandata-sharingandsynchronizationwithotherOperationalUnits66AddinganewOperationalUnit1C/SView67C/SView25Client-ServerViewCommunicationbetweenPASelementswithinoperationalunits(clientandserver)Theclientsendsa“servicerequestmessage”TheserveracknowledgesandrespondswithresultsWithinoperationalunitsPASssendupdatedstatetoSASsWithinFGsnothingextrajustACKandresults68Client-ServerViewCommunicatioCodeViewCodeview–describeshowfunctionalityismappedintocodeunitsISSSCodeviewAdamainprogramSubprogramsgroupedintopackages(separatelycompilable)Adaprogramconsistsofoneormoretasks(threads)Applications(operationalunitsandfunctionalgroups)decomposedintoAdapackages69CodeViewCodeview–describesLayeredViewSharedmemory(TablesandMessageStorage)AASapplicationSharedMemory(TablesandMessageStorage)CASAIXKernelExtensionAIXKernel70LayeredViewSharedmemory(Tab7129FaultToleranceViewM&CconsoleGlobalAvailabilityManagerLocal/GroupAvailabilityManagerATCconsoleApplicationSoftwareOperationalUnit(ThreadProcessingModel)OSextensionsAddressSpaceModelsNetworkOperatingSystemProcessorI/Odevices72FaultToleranceViewM&Cconsolcomponent-and-connectorviewforfaulttolerance73component-and-connectorviewfFaultToleranceHierarchyEachlevelofthehierarchyDetectserrorsinitself,peers,andalllowerlevelsHandlesexceptionsfromlowerlevelsDiagnoses,recovers,reportsorraisesexceptionsLevelsfromToptoBottomSystemmonitorandcontrolGlobalavailabilitymanagerGroupavailabilitymanagerLocalavailabilitymanagerApplicationRuntimeenvironmentOperatingSystemPhysicallevel:processors,networks,devices74FaultToleranceHierarchyEachFaultToleranceHierarchyFaultDetectionateachlevelbyBuilt-intestsEventtime-outsNetworkcircuittestsGroupmembershipprotocolsHumanreactiontoalarmsFaultrecoverycanbeautomaticormanualForavailabilitymanagersrecoveryisdecisiontabledrivenInaPASthereare4typesofrecovery1.InaswitchovertheSAStakesoverfortheoldPAS2.Awarmrestartusescheckpointdatasavedtonon-volatilememory3.Coldrestartusesdefaultstart-updata4.Acutoverisusedtotransitiontonewlogicordata75FaultToleranceHierarchyFaultFaultToleranceHierarchyFaulttoleranceofthehardwareisdoneviaredundancyLCN,BCN,variousbridgesBackupradarandseparatechannelforitProcessorhardwarereplicatedwithinprocessorgroupTacticsaddedhere–componentavailabilityusedforfaulttolerance“Ping/echo”“Heartbeat”“Exception”totransfererrorstothecorrectplace“spare”toperformrecovery76FaultToleranceHierarchyFaultRelatingtheViewsAdditionalinsightisprovidedbyexaminingrelationshipsbetweenviewsMappingoneviewtoanotherInISSSCSCIsaretheelementsinthemoduledecompositionview(composedofapplications)Applications(processes)aretheelementsintheprocessviewandintheclient-serverviewApplicationsareimplementedinAdapackagesandprogramselementsoftheCodeviewApplicationsare