BCS APG 10.10.13



# System software support of hardware efficiency

by Igor Schagaev



## Plan for today - I

Theories in brief: FT: GAFT, Processes Redundancy Recoverability Reconfigurability

System Structure Change GAFT, Supportive processes Redundancy handling Reconfigurability support Static&Dynamic Control of RP Properties... Reliability... Fault tolerance... Performance... Maintainability... Adaptability... Scalability... Life circle costs (manufacturing, run-time, utilization) Energy efficiency Ease of use (learning, application, maintenance)

#### Plan for today - 11

System Software for FT: Language Data structures Control operators Semaphores Recovery point formation

System Software for FT: Run-time system Health monitoring - tests and checks Recovery point support Recovery point handling (organization, HW use) Recovery point search GAFT support: reconfiguration control - a syndrome

System Software & Hardware for future: PRESSA

#### R&D principles for computer systems



#### Reliability vs. performance in computer systems



#### Model of fault tolerance: introduction of GAFT



FT property will be achieved if...

Generalized Algorithm of Fault Tolerance (GAFT)

- Detecting faults
- Identifying faults
- Identifying faulty component
- Hardware reconfiguration to achieve a fault-free state
- Recovery from correct state(s) for both: the system and user software

#### Model of fault tolerance GAFT and HW & SSW

#### Hardware and System Software for Fault Tolerance

#### $\mathsf{GAFT}\xspace$ in HW and SSW



New property achieved

## GAFT implementations using redundancy

8

| Step             | Description                                                                                                                              |          | dancy Ty    | -              | OW(1)         | CIV(C) |             | Nr.         | Name                                                                         |
|------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------|----------------|---------------|--------|-------------|-------------|------------------------------------------------------------------------------|
| )                | PERIODICALLY DO                                                                                                                          | HW(I)    | HW(S)       | HW(T)          | SW(1)         | SW(S)  | SW(T)       | 1           | HW checkin                                                                   |
|                  | Create recovery point END                                                                                                                |          | 1           |                |               | 1      |             | 1           | II W CHECKI                                                                  |
|                  | IF error is detected THEN                                                                                                                | 2        | 1,3,9       | 1,2            | 8             | 6,9    | 6           |             |                                                                              |
|                  | ELSE                                                                                                                                     | -        | 1,0,0       | 1,2            | 0             | 0,0    | 0           | 2           | processor i                                                                  |
|                  | Determine the fault type                                                                                                                 | 2        | $1,\!3,\!9$ | 1              | 8             | 6,9    | 6           |             | tion re-exec                                                                 |
|                  | IF fault is permanent THEN                                                                                                               |          | , ,         |                |               | ,      |             |             |                                                                              |
|                  | Locate Faulty Element                                                                                                                    | 2        | 1,3         | 1              | 8             |        |             | 3           | Triplicated                                                                  |
|                  | Reconfigure Hardware                                                                                                                     |          | 10          |                |               | 10     |             |             | memory                                                                       |
|                  | END                                                                                                                                      |          |             |                |               |        |             |             |                                                                              |
|                  | IF hardware has been reconfig-<br>ured OR software is affected                                                                           |          | 3           |                | 8             | 6      | $5,\!6$     |             |                                                                              |
|                  | Locate faulty software states                                                                                                            |          |             |                |               | 7      | 7           |             |                                                                              |
|                  | Recover software                                                                                                                         |          | 9           |                |               | 7,9    | 7           | 4           | Duplicated                                                                   |
|                  | IF hardware has been reconfig-<br>ured THEN                                                                                              |          |             |                |               |        |             |             | storage devi                                                                 |
|                  | Reconfigure software                                                                                                                     |          | 10          |                |               | 10     |             | 5           | Duplicated                                                                   |
|                  | END                                                                                                                                      |          |             |                |               |        |             | 5           | program rui                                                                  |
|                  | END                                                                                                                                      |          |             |                |               |        |             |             | programmu                                                                    |
| [                | END<br>CONTINUE                                                                                                                          | _        | _           | _              | -             | -      | _           |             | put validati                                                                 |
|                  | CONTINUE                                                                                                                                 | emen     | ted (       | and            | fault         | -      | -           | 6           | put validati<br>Checkpoints                                                  |
| G/               |                                                                                                                                          |          |             | •              |               | of:    |             | 6<br>7      | put validati                                                                 |
| G/<br>ol         | CONTINUE<br>AFT might be imple<br>erance achieved) u                                                                                     |          |             | •              |               | of:    | -           |             | put validati<br>Checkpoints                                                  |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)                                                                             |          |             | •              |               | of:    |             | 7           | put validati<br>Checkpoints<br>Recovery po                                   |
| G/               | CONTINUE<br>AFT might be imple<br>erance achieved) u                                                                                     |          | redu        | ndan           | cies          | *****  | ***         |             | put validati<br>Checkpoints                                                  |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or                                                              |          | redu        | ndan           | cies          | *****  |             | 7           | put validati<br>Checkpoints<br>Recovery po                                   |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)                                                                             |          | redu        | •              | cies          | *****  |             | 7           | put validati<br>Checkpoints<br>Recovery po                                   |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)                                             | sing     | redu        | ndan           | cies          | *****  |             | 7           | put validati<br>Checkpoints<br>Recovery po                                   |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or                                                              | sing     | redu        | ndan           | cies          | *****  | 1<br>7<br>7 | 7<br>8      | put validati<br>Checkpoints<br>Recovery po                                   |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)                                             | sing     | redu        | ndan           | cies          | *****  |             | 7<br>8      | put validati<br>Checkpoints<br>Recovery po                                   |
| G/               | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)                                             | sing<br> | redu        | ndan           | cies          | *****  |             | 7<br>8<br>9 | put validati Checkpoints Recovery po CRC Watchdog                            |
| G/<br>cole<br>Im | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)<br>Informented in and E<br>Hardware (HW) au | sing<br> | redu        | ndan<br>is way | cies<br>we th | ink    |             | 7<br>8      | put validati<br>Checkpoints<br>Recovery po<br>CRC<br>Watchdog<br>Reconfigura |
| G/<br>ol         | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)<br>Informented in and E<br>Hardware (HW) au | sing<br> | redu        | ndan<br>is way | cies          | ink    |             | 7<br>8<br>9 | put validati<br>Checkpoints<br>Recovery po                                   |
| ol<br>Im<br>F    | AFT might be imple<br>erance achieved) us<br>Information (I)<br>Time (T) or<br>Structure (S)                                             | sing<br> | redu        | ndan<br>is way | cies<br>we th | ink    |             | 7<br>8<br>9 | put validati<br>Checkpoints<br>Recovery po<br>CRC<br>Watchdog<br>Reconfigura |

| Nr. | Name                                              | Redundancy<br>type       | Description                                                                                                                                                                                                                                                                                  |
|-----|---------------------------------------------------|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1   | HW checking                                       | $HW(\delta S, \delta T)$ | Each hardware component such as processor, memory, controllers has built-in checking schemes to detect faults.                                                                                                                                                                               |
| 2   | processor instruc-<br>tion re-execution           | $HW(\delta I, \delta T)$ | The processor itself has measures to detect<br>faults during execution and can abort and<br>restart the currently running instruction                                                                                                                                                        |
| 3   | Triplicated<br>memory                             | HW(3S)                   | The memory chips are triplicated and a voter<br>compares the output of the three memory<br>chips. If a deviation is detected, the major-<br>ity voting is used to identify the faulty chip<br>and the faulty value is rewritten. Read after<br>write ensures the proper storing of the data. |
| 4   | Duplicated<br>storage device                      | HW(2S)                   | Storage devices such as flash cards or hard<br>disks are duplicated. Note that this feature<br>does only provide fault detection but not re-<br>covery                                                                                                                                       |
| 5   | Duplicated<br>program run & in-<br>put validation | SW(2T)                   | The same program is run twice with the same<br>input data set. The output of both programs<br>is then compared. Prior to running the pro-<br>gram, the input data is validated to conform<br>to a certain pattern and range.                                                                 |
| 6   | Checkpoints                                       | $SW(\delta T, \delta S)$ | Periodically executed checking functions for<br>checking software and hardware, implemented<br>in pure software                                                                                                                                                                              |
| 7   | Recovery points                                   | $SW(\delta T, \delta I)$ | Recovery points are points in time when the<br>complete system state is consistently stored on<br>a permanent storage device such as flash discs<br>or hard disks. They are either triggered by<br>software or an external interrupt.                                                        |
| 8   | CRC                                               | SW(I)                    | The data stored to the external storage device<br>is protected by a CRC-32. This allows the<br>identification of incorrect data but no recov-<br>ery.                                                                                                                                        |
| 9   | Watchdog                                          | HW(S)                    | As an ultimate resort, a watchdog is used to<br>restart parts of, or the whole system. Hard-<br>ware based watchdogs can typically on restart<br>the whole system at once.                                                                                                                   |
| 10  | Reconfiguration<br>facilities                     | $SW(S), HW(S_1, S_2)$    | If the hardware failed, the software can recon-<br>figure the hardware to exclude faulty compo-<br>nents. In addition, the software can start al-<br>ternative software version which need less re-<br>sources to adapt to the new hardware config-<br>uration.                              |

#### GAFT vs. ontologies... personal comment

Now in BOLD: Classification of system redundancy in terms of Information (I), Time (T), Structure (S)

can be used to implement Fault Tolerance (GAFT).

Fault tolerance, as a process, has to be implemented through hardware and system software combination. Both: concept and implementation form a theory that allows to *analyze*, *control* and *predict* behavior of the system with new properties.

An example of GAFT extension: "Method and apparatus of system safety" (patent <u>http://it-acs.co.uk/files/GB2448351B.pdf</u>)

In contrast to popular wave of various kind of ontologies that execute descriptive function of knowledge - GAFT and rigorous classification of redundancy analyze & predict system behavior.

## GAFT & redundancy theory vs. ontologies

|            | Definitive function<br>(DF) | Characteristic Function<br>(CF) | Predictive function<br>(PF) |
|------------|-----------------------------|---------------------------------|-----------------------------|
| GAFT       | +                           | +                               | +                           |
| Ontologies | +                           | ?+                              |                             |

Power of any theory is in predictions and our ability to use them

## GAFT impact on performance and reliability



### GAFT implementation using SSW soultions



**NB**: if probability of recovery  $\neq$  I the system is **NOT** fault tolerant !!!

### Language reflection of FT systems

#### New Features

#### Real Time

**HW** (Timers, RISC structure of processor etc

Language (Limitation of the language constructions that complicate RT capability)

**OS** (Management of timers and task scheduling with RT constraints

**AP** (Application specific schemes of RT)



#### Fault tolerance

**HW** (Majority schemes, Hamming codes)

Language (check points, recovery points, at language level)

OS (management of check points, recovery points, synchronization, HW reconfiguration)

**AP** specific realization of possible hardware deficiency solutions

#### Data structures and control operators 4 FT



File structure must be modified, Control operators - upgraded

#### State of the systems, Control operators



Level *i* is what has been changed in state of hardware.

All: control, data and conditions involved must be preserved (to be able to recover...)

### Control using nWhile

So far there is no clear separation of the actions to react on exceptions at the language level for operators of repetitions.

This is because awaiting of an event might be perfectly valid action or ...

endless wasting due to hardware fault that has happened.

New **nwhile**\* loop can be useful

Takaoka\* suggested new control operator, actually without thinking about embedded system issues...

This operator was called **nwhile**, and looks like below:

#### nwhile B do S

where B is condition to enter the loop and S is body of the loop.

Introducing precondition P and post condition Q for this structure Takaoka suggested to use several assignment statements  $S_1$ ,  $S_2$ ,  $S_3$ ,...,  $S_N$  in S which affect the condition B and therefore  $P_1 P_2$ ,  $P_3$ ,  $P_4$ ,...,  $P_N$  that held immediately before  $S_1$ ,  $S_2$ ,  $S_3$ ,...,  $S_N$  under precondition P.

\* New While loop [The semantics of new while loop, Tadao Takaoka, The Computer Journal, Vol.29, No 1, 1986].



#### Control using nWhile

Then we have an inference rule:

$$\frac{\prod_{i=1}^{n} \{P_i \land B\} S_i \{Q_i\}, \prod_{i=1}^{n} (\neg B \land Q_i \supset Q), P \land \neg B \supset Q}{\{P\} nwhile BdoS\{Q\}}$$

What it gives us? Actually, a lot.

Writing a program we use loop operators as usual, but during compilation System Configurator should introduce other  $S_2$ - $S_n$  conditions for loop exit that might be connected with computer state changes including hardware faults, timer run out or other interruptions, including interaction with other processes.

Then in case of hangs of the loop due to problem within hardware and/or arrival of another signal we are able to break loop execution and make it visible...

hardware state change is reflected immediately *within* program control construction and ... we are not using brutal force of waiting or waste of vast amount of another redundancy... still being uncertain...

#### More control: Fault Tolerant Semaphores

Concurrency and parallelism confusion;

What we start in parallel eventually will end up with concurrency... and (possibly) vice verso...

Resolving confusion - Graph Logic Model (GLM) -

XOR <u>and</u> AND will resolve confusion. Known solutions semaphores, monitors are all down to XOR.... But we should be using both operators...

Still... Why Fault Tolerance is required?

...Waiting mad driver to release train handle might be costly... (Jethro Tull, Locomotive breath)

Time redundancy - waiting for few *ms* for processes duration within dozens of *ns*? ... It is NOT the solution. Information and structure redundancies should be used instead...

> GLM - is structural redundancy... Information?



 $a: XOR_{-}(\alpha b, \gamma d), AND_{+}(\beta b, \delta c)$  $a: XOR_{-}(\alpha b, \gamma d), XOR_{+}(\beta b, \delta c)$ 

...old Charlie stole the handle and the train it won't stop going no way to slow down...

### Control: Fault Tolerant Semaphores - II

Mad driver, also known as "dining philosopher" should be trained to be polite...

We need to teach our dining philosophers to be polite, and ... "die like a man", especially when they are in critical section.

What does it mean? The one, being in critical section, if sick or dies must:

- Return all spaghetti, forks resources he uses
- Inform the rest by "I am dying" message...

Then "the rest" (Runtime system in our case...) has to :

- Reduce number of voters for further voting in sessions of concurrency resolution
- Mark a messenger as suspected ( not excluded, or dead ) and place in a special pool
- Schedule a "reincarnation procedure"

(...power of malfunction might be big, duration long (200ms+), but "treatable"...)

#### This scheme has been called FT semaphores...

#### FT Semaphores hardware support: T-logic scheme





whole is Artesting phase is the quite dripitially set boot up time to guarantee the correctness of the hardware; periodic test is required before and after A figure 7.4: Ensuring of hardware integrity through program test execution to detect A testing execution of faults and the set of the tested hardware.

the hardware and also a periodic test before and after the execution of a program. The

applied tests might vary in depth (coverage), type of faults and the set of the test P in the following analysis.

GAFT: System checking by system software - II



**NBI** If condition of hardware component U<sub>i</sub> has implicit dependencies on component U<sub>i</sub>, test of U<sub>i</sub> must be executed first.

**NB2** It is wise to wait task completion and then run test of hardware instead of stop, unload and reload task after test.

# GAFT: System checking by system software - II Testing at the level of tasks...



An algorithm for scheduling and imbedding tests of hardware used by each task should suit various number of tasks and time constrains for group of task completion...

The test of task **i** is performed asynchronously, if it is possible to schedule it in the timeframe **ti** to **di** as long as all other tasks can still meet their deadlines and only one test is executed simultaneously. Otherwise, execute the test synchronously. More see pp 68 -79 (http://www.it-acs.co.uk/book.html)

#### GAFT: Recovery by System Software



#### **RP** formation: structure-wise scheme



N Wirth's structural programming can be exploited:

- 1) Structural features and limitation of visibility for lower layer variables reduce a volume of recovery points;
- Only variables that are accessible at the level are required 2) to save at recovery point;

Language with Runtime system support

Along the tree, selected path:

- 1) Select subset of visible variables you use
- 2) Create a "Key", i.e. collection of variables to a given leaf





 $K = \langle V_{01}, ..., V_{0x} \rangle \langle V_{11}, ..., V_{1i} \rangle \langle V_{21}, ..., V_{2z} \rangle \langle V_{31}, ..., V_{3k} \rangle \langle V_{41}, ..., V_{4m} \rangle$ 

### Recovery Points Support Summary

- The original program code should be re-processed, introducing a generation of recovery point at the beginning of each hierarchy level;
- During compilation a data structure with a list of accessible variables should be formed for each level of a program nesting;
- The program begins an execution of each successive level by calling run-time system indicating the level number, the number of accessible modules and list of variables;
- Run-time system has to monitor keys along executing a program and generate checksums along execution of recovery point;
- Run-time system can "simulate" recovery point formation when it is required;
- Execution of "generate recovery point" action consists of recording of variables accordingly key generated scheme along the execution a program: Save as you go

**NB**. Efficiency of "static and dynamic economy" methods of recovery point formation was proven to be at the order of magnitude better than other known schemes of recovery point schemes.

### Searching of correct state of a program: MLR

...Faults might stay latent in the system for a long time until they trigger an error, i.e. it implies that the last recovery points have been damaged by the latent fault...



#### Searching: MLR powers multiple faults



During search MLR creates Check Sums (CS) and compares them with previously created CSs of RPs - sequence of matches and mismatches *m* and *mm* defines MLR termination rule.

#### Recovery support : Hardware

Hardware checking schemes must be involved in generation of a RP and CS for each program segment.

...The RP and associated CS should be generated concurrently with program execution.

For performance gain the RP storage and checksum generator should be directly accessed by processor (to speed up RP generation and recovery).

When the error is detected, by direct intervention from Run-time system an access to RP sequence is enabled and searching of correct RP initiated. ...The checksum and recovery point device has two operating modes: the standard mode which creates RPs and CSs and recovery mode which generates only the checksums. ...The operating mode is configurable by the system software (Run-time system).



#### Reconfigurability: a syndrome for FT



File name: FT resolved, Sept 2010

First version of syndrome concept: witnessed by PhD students V Castano and A Petukhov.

#### Reconfigurability: a syndrome

Slightly better syndrome picture...

| Power   |      | Proc        | essor             |                                  | Devices Memory |                      |                      |           |                                    |         |         |         |        |        |        |        |        |        |
|---------|------|-------------|-------------------|----------------------------------|----------------|----------------------|----------------------|-----------|------------------------------------|---------|---------|---------|--------|--------|--------|--------|--------|--------|
| o Power | o CU | O Registers | • Arithmetic Unit | <ul> <li>Logical Unit</li> </ul> | o Timer        | o Random Number Gen. | Interrupt Controller | o Console | <ul> <li>Stable Storage</li> </ul> | O UART1 | o UART2 | O UART3 | o ROM1 | o ROM2 | o RAM1 | o RAM2 | o RAM3 | o RAM4 |

From a system software point of view the syndrome is represented as a set of special hardware registers.

Syndrome Registers indicates the current hardware state (current configuration, detected faults, power)...

Fault detection schemes signal to syndrome causing hardware interrupts and initiation of GAFT by run-time system.

Run-time system, when necessary, executes reconfiguration of hardware.

Run-time system new functions of control are:

a) reconfiguration for reliability, performance or power-savingb) control of graceful degradation



## Reconfigurability: use of syndrome for memory

#### From defined by hardware design system configurations set memory configurations:

| Mode<br>Number        | Number of<br>used banks | Redundancy Mode                                                                                                | Number of used<br>memory modules                                 | Usa<br>in N           | ble Size<br>1b                  |              |                                                           |
|-----------------------|-------------------------|----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-----------------------|---------------------------------|--------------|-----------------------------------------------------------|
| 1<br>2<br>3<br>4<br>5 | 1<br>1<br>2<br>1<br>1   | Triplicated + 1 Spare<br>Triplicated<br>Triplicated + 1 Linear<br>Duplicated + 2 Spare<br>Duplicated + 1 Spare | $ \begin{array}{c}             3 \\             4 \\           $ | 4<br>4<br>8<br>4<br>4 |                                 | control of m | of system software<br>nemory degradation<br>icated memory |
| 6<br>7<br>8           | 2<br>3<br>2             | Duplicated<br>Duplicated + 2 Linear<br>Duplicated + 1 Linear                                                   | 4<br>4<br>3                                                      | 8<br>12<br>8          |                                 |              |                                                           |
| 9<br>10<br>11<br>12   | 4<br>3<br>2<br>1        | Linear<br>Linear<br>Linear<br>Linear                                                                           | 4<br>3<br>2<br>1                                                 | 16<br>12<br>8<br>4    | Phase 1<br>Triplication + Spare | 111          | ls                                                        |
|                       | of proces               | ssor, interfacing zor                                                                                          | ne, passive                                                      | ī                     | Phase 2<br>Triplication         | 11x1         | 1x11 x111                                                 |
| togeth                | ner with t              | of configurations c<br>heir degradation so<br>and their changes                                                | equences.                                                        | L                     | Phase 3<br>Duplication 11xx     | 1x1x         | x1x1 xx11                                                 |
| run-ti                | me syster               | and their changes<br>n, in principle, enat<br>dation "up to the l                                              | oling                                                            |                       | Phase 4<br>No FT                | x1xx         | XXX1 XXX1                                                 |

when single element of each section left, but system will remains operable.

Phase 5

Failure

F

#### Runtime system for FT architecture



# Reconfigurability, FT, is it important? PRESSA



Redundancy and reconfigurability of a system can be exploited differently...

...gaining in:

Performance (P), Reliability (R),

... or saving Energy (E).

Trading of P,R,E - in next generation of stand alone, connected and distributed systems is one of the biggest challenge...

#### Future: PRESSA concept



#### Thanks for...

- Discussions, joint efforts: T Kaegi, S Monkman, B Kirk
- Discussions on redundancy: J C Laprie (late 80's)
- Discussions on reliability vs. FT: S Birolini (2005-10)
- Discussions on GLM: Felix Friedrich
- Pictures: S Monkman, V Castano
- Publication support: Chong Chen (Chinese version)
- Publication support: Yurzin Bogdanov (Russian version)

#### Materials used...

Book: T Kaegi, I Schagaev System Software Support of Hardware Efficiency, ITACS Ltd 2013, UK http://www.it-acs.co.uk/book.html Papers: http://www.researchgate.net/publication/220908686 ERA Evolving Reconfigurable Architecture http://www.researchgate.net/publication/255701866 Greenwich ERA July 2010 http://www.researchgate.net/publication/253645564 Control Operators vs Graph Logic Model http://www.researchgate.net/publication/224370614 Reliability of malfunction tolerance http://www.researchgate.net/publication/252627186 Redundancy Reconfigurability Recoverability http://www.researchgate.net/publication/244477145 Method and apparatus for active system safety http://www.researchgate.net/publication/253643647 Redundancy Classification Principles for the Design of Fault Tolerant Computers http://www.researchgate.net/publication/252628898 Operating system for fault tolerant SIMD http://www.researchgate.net/publication/252629068 Using Software Recovery For Determine The Type of Hardware Faults http://www.researchgate.net/publication/253238741 Comparative analysis of efficiency of algorithms of recovery for computing process http://www.researchgate.net/publication/252628869 Recovery Points And Hardware Reliability Indices http://www.researchgate.net/publication/252629150 Computing process restoration algorithms http://www.researchgate.net/publication/253584715 Using Data Redundancy For Program Rollback http://www.researchgate.net/publication/228728452 Hardware Testing on the Level of Tasks