High Dependability Computing Program Modeling Dependability(7)
Date: 2026-01-16
Individuals and organizations increasingly use sophisticated software systems from which they demand great reliance. “Reliance” is contextually subjective and depends on the particular stakeholder’s needs; therefore, in different circumstances, the sta
Failure: any departure of the system behavior from the user’s expectations.
Hazard: a state of the system that can lead to catastrophic consequences for the user(s) and the environment.
Note that the concepts of hazard and failure are not exclusive but overlap: a failure may also be a hazard (i.e., a failure can lead to an accident), whereas a hazard can occur without any failure occurring. Given the chosen set of dependability attributes, we can then further distinguish failures into different failure types:
Accuracy failure: the departure of the system behavior from providing data within the desired range and with the required precision;
Performance failure: the departure of the system behavior from providing the desired static or dynamic capability (response time, throughput);
Other failure: any failure that cannot be classified as accuracy or performance failure.
In addition, having availability among the chosen dependability attributes, we can also distinguish failures according to their impact upon availability. For example, we can distinguish between:
Stopping failure: any failure that makes the system unavailable;
Non-stopping failure: any failure that does not make the system unavailable.
It is worth noting that the above classifications in terms of failure type (accuracy, performance, other) and failure impact on availability (stopping, non-stopping) are orthogonal: a failure of any type may or may not make the system unavailable.
The same observations can be repeated for hazards. Based on the above definition of safety, in fact, we can distinguish different hazard types:
User(s) Hazard: a state of the system that can lead to catastrophic consequences for the user(s);
Environment Hazard: a state of the system that can lead to catastrophic consequences for the environment.
Finally, from the above definitions (see for example reliability), we can also observe that the issues caused to the users by a system may result from the misbehavior of the whole system or of a part of it, for example a service or a component. Thus, we can characterize an issue in terms of the part of the system that it affects. We distinguish the scope:
The system, i.e., the whole system;
A service, i.e., a functionality delivered by the system, as perceived by the users (a human or another interacting system).
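As an added example that is not part of the paper, the following Python module applies the taxonomy above to observed behaviour instead of hand-assigned labels: a failure is derived from a departure between what was delivered and the user's expectation, its type (accuracy, performance, other) is decided from which expectation was violated, its impact (stopping, non-stopping) from whether the system stayed available, and its scope (system, service) from which part of the system misbehaved. The service name, the expectation thresholds, the observation records and the rule that an accuracy departure takes precedence over a performance departure are all assumptions made for the illustration. Cross-tabulating type against impact on the sample data shows that the two classifications are orthogonal, as the text claims: every cell of the table can be populated.

```python
"""Classify observed behaviour into failure type, impact and scope.

Added example, not the paper's own model: thresholds, the "geocode"
service and all observation records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class FailureType(Enum):
    ACCURACY = "accuracy"        # data outside the desired range or precision
    PERFORMANCE = "performance"  # response time (or throughput) not delivered
    OTHER = "other"              # any failure that is neither of the above


class Impact(Enum):
    STOPPING = "stopping"        # the failure makes the system unavailable
    NON_STOPPING = "non-stopping"


class Scope(Enum):
    SYSTEM = "system"            # the whole system misbehaves
    SERVICE = "service"          # one functionality, as perceived by the user


@dataclass(frozen=True)
class Expectation:
    """What the user expects from one service (hypothetical thresholds)."""
    low: float            # lowest acceptable value
    high: float           # highest acceptable value
    precision: float      # largest acceptable error bound on the value
    max_response_s: float  # largest acceptable response time


@dataclass(frozen=True)
class Observation:
    """One constructed record of what the system actually delivered."""
    service: Optional[str]       # None: the whole system is affected
    value: Optional[float]       # None: no data was delivered
    error_bound: float           # precision reported with the value
    response_s: Optional[float]  # None: no response time was measured
    available: bool              # was the system still usable afterwards?
    ok: bool                     # did the user otherwise get what was expected?


@dataclass(frozen=True)
class Issue:
    scope: Scope
    failure_type: FailureType
    impact: Impact


def classify(obs: Observation, expectations: Dict[str, Expectation]) -> Optional[Issue]:
    """Return the Issue an observation represents, or None if it is not a failure.

    Assumption (not stated in the paper): when both an accuracy and a
    performance departure are present, the accuracy departure is reported,
    so that every failure receives exactly one type.
    """
    exp = expectations.get(obs.service) if obs.service is not None else None
    accuracy_bad = (
        exp is not None and obs.value is not None
        and (not (exp.low <= obs.value <= exp.high) or obs.error_bound > exp.precision)
    )
    performance_bad = (
        exp is not None and obs.response_s is not None
        and obs.response_s > exp.max_response_s
    )
    if obs.ok and obs.available and not accuracy_bad and not performance_bad:
        return None  # behaviour matches the user's expectations: no failure
    if accuracy_bad:
        ftype = FailureType.ACCURACY
    elif performance_bad:
        ftype = FailureType.PERFORMANCE
    else:
        ftype = FailureType.OTHER
    impact = Impact.NON_STOPPING if obs.available else Impact.STOPPING
    scope = Scope.SYSTEM if obs.service is None else Scope.SERVICE
    return Issue(scope, ftype, impact)


def summarize(observations: List[Observation],
              expectations: Dict[str, Expectation]) -> Tuple[List[Issue], Counter]:
    """Classify every observation and cross-tabulate failure type against impact."""
    issues = [i for i in (classify(o, expectations) for o in observations) if i is not None]
    table = Counter((i.failure_type, i.impact) for i in issues)
    return issues, table


def stopping_by_scope(issues: List[Issue]) -> Counter:
    """How many stopping failures hit the whole system vs. a single service."""
    return Counter(i.scope for i in issues if i.impact is Impact.STOPPING)


# Constructed expectation: a hypothetical "geocode" service returns a longitude.
EXPECTATIONS = {"geocode": Expectation(low=-180.0, high=180.0, precision=0.05, max_response_s=1.0)}

# Constructed observations, chosen so that every (type, impact) cell is hit.
OBSERVATIONS = [
    Observation("geocode", 12.0, 0.01, 0.2, True, True),    # correct result: no failure
    Observation("geocode", 200.0, 0.01, 0.3, True, True),   # out of range: accuracy, non-stopping
    Observation("geocode", 50.0, 0.5, 0.2, True, True),     # too imprecise: accuracy, non-stopping
    Observation("geocode", 50.0, 0.01, 3.0, True, True),    # too slow: performance, non-stopping
    Observation("geocode", None, 0.0, 30.0, False, True),   # timeout takes service down: performance, stopping
    Observation(None, None, 0.0, None, False, False),       # whole-system crash: other, stopping, system scope
    Observation("geocode", 50.0, 0.01, 0.2, True, False),   # e.g. malformed reply: other, non-stopping
    Observation("geocode", 1e9, 0.01, 0.4, False, True),    # corrupt value, then fail-stop: accuracy, stopping
]

if __name__ == "__main__":
    found, table = summarize(OBSERVATIONS, EXPECTATIONS)
    for ftype in FailureType:
        row = "  ".join(f"{table[(ftype, imp)]:>3} {imp.value}" for imp in Impact)
        print(f"{ftype.value:<12}{row}")
    print("stopping failures by scope:", dict(stopping_by_scope(found)))
```

The point of `summarize` is the cross-tabulation: with the eight constructed records, seven are failures and all six (type, impact) cells are non-empty, which is exactly what orthogonality of the two classifications means in practice. `stopping_by_scope` separates the one system-wide stopping failure from the two service-scoped ones, matching the scope distinction in the list above.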
This initial analysis shows that some concepts are common across the different definitions, though with different degrees of commonality and independence from the chosen set of attributes. The concept of issue (with the more elementary concepts of failure and hazard) and the concept of scope are common to all the attributes and independent of the initial set: each dependability attribute can in fact be defined in terms of some kind of issue affecting the whole system or a part of it. The characterizations of failure, hazard and scope, instead, depend on the set of dependability attributes taken into account. For example, the distinction of failures into accuracy, performance and other failures results from the chosen subset of dependability attributes. Similarly, the idea of classifying failures according to their impact on availability results from having availability among the considered attributes. In this case,