
Chapter 3 • Critical systems

All of us are familiar with the problem of computer system failure. For no obvious reason, computer systems sometimes crash and fail to deliver the services that have been requested. Programs running on these computers may not operate as expected and, occasionally, may corrupt the data that is managed by the system. We have learned to live with these failures, and few of us completely trust the personal computers that we normally use.

Figure 3.3 Dimensions of dependability: availability (the ability of the system to deliver services when requested), reliability (the ability of the system to deliver services as specified), safety (the ability of the system to operate without catastrophic failure) and security (the ability of the system to protect itself against accidental or deliberate intrusion).

The dependability of a computer system is a property of the system that equates to its trustworthiness. Trustworthiness essentially means the degree of user confidence that the system will operate as they expect and that the system will not 'fail' in normal use. This property cannot be expressed numerically, but we use relative terms such as 'not dependable', 'very dependable' and 'ultra-dependable' to reflect the degrees of trust that we might have in a system.

Trustworthiness and usefulness are not, of course, the same thing. I don't think that the word processor that I used to write this book is a very dependable system, but it is very useful. However, to reflect my lack of trust in the system I frequently save my work and keep multiple backup copies of it. I compensate for the lack of system dependability by actions that limit the damage that could be caused if the system failed.

There are four principal dimensions to dependability, as shown in Figure 3.3:

1. Availability. Informally, the availability of a system is the probability that it will be up and running and able to deliver useful services at any given time.

2. Reliability. Informally, the reliability of a system is the probability, over a given period of time, that the system will correctly deliver services as expected by the user.

3. Safety. Informally, the safety of a system is a judgement of how likely it is that the system will cause damage to people or its environment.

4. Security. Informally, the security of a system is a judgement of how likely it is that the system can resist accidental or deliberate intrusions.
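The distinction between the first two dimensions is easy to blur, because both are probabilities of the system working. As an added example, not part of the book's text, the following Python script estimates both from a service event log. The log, the function names and the one-hour and eight-hour periods are constructed for illustration. Availability is estimated as the fraction of observed time the service was up; reliability over a period is estimated as the empirical probability that a request for service lasting that long, started at a uniformly chosen instant, is completed without a failure. Mean time to repair, the quantity that the repairability property discussed later in this section is about, is computed from the same log.

```python
"""Estimating availability and reliability from a service event log.

Example code written for this page, not from the book. SAMPLE_LOG is a
constructed log, and the function names are this example's own assumptions.
"""

# Constructed sample log: (time in seconds since observation start, event).
# "up"/"down" mark state transitions; "end" closes the observation window.
SAMPLE_LOG = [
    (0, "up"),
    (3600, "down"),   # first failure, repaired after 5 minutes
    (3900, "up"),
    (43200, "down"),  # second failure, repaired after 30 minutes
    (45000, "up"),
    (86400, "end"),   # one day of observation
]


def up_intervals(log):
    """Return the half-open [start, end) intervals during which the service was up."""
    intervals = []
    up_since = None
    for time, event in log:
        if event == "up" and up_since is None:
            up_since = time
        elif event in ("down", "end") and up_since is not None:
            intervals.append((up_since, time))
            up_since = None
    return intervals


def down_intervals(log):
    """Return the half-open [start, end) intervals during which the service was down."""
    intervals = []
    down_since = None
    for time, event in log:
        if event == "down" and down_since is None:
            down_since = time
        elif event in ("up", "end") and down_since is not None:
            intervals.append((down_since, time))
            down_since = None
    return intervals


def availability(log):
    """Fraction of the observation window in which the service was up, i.e. the
    probability that the service is available at a randomly chosen instant."""
    observed = log[-1][0] - log[0][0]
    return sum(end - start for start, end in up_intervals(log)) / observed


def reliability(log, period, step=60):
    """Empirical probability that the service runs without failure for `period`
    seconds, for a request starting at a uniformly chosen instant (candidate
    start instants are sampled every `step` seconds across the window)."""
    ups = up_intervals(log)
    first, last = log[0][0], log[-1][0]
    starts = range(first, last - period + 1, step)
    survived = 0
    for t in starts:
        # [t, t + period) is failure-free iff a single up interval covers all of it.
        if any(s <= t and t + period <= e for s, e in ups):
            survived += 1
    return survived / len(starts)


def mean_time_to_repair(log):
    """Average outage duration: the repair-time figure that, together with the
    failure frequency, determines how much availability the failures cost."""
    downs = down_intervals(log)
    return sum(end - start for start, end in downs) / len(downs)


if __name__ == "__main__":
    print(f"availability:            {availability(SAMPLE_LOG):.4f}")
    print(f"reliability over 1 hour: {reliability(SAMPLE_LOG, 3600):.4f}")
    print(f"reliability over 8 hours:{reliability(SAMPLE_LOG, 8 * 3600):.4f}")
    print(f"mean time to repair:     {mean_time_to_repair(SAMPLE_LOG):.0f} s")
```

Running this on the constructed log gives an availability of about 0.976, but a reliability of about 0.889 over a one-hour period and only about 0.403 over an eight-hour period. Two short outages cost little availability, yet a task that must run uninterrupted for hours has a substantial chance of hitting one of them, which is why availability and reliability have to be stated and measured separately.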

These are complex properties that can be decomposed into a number of other, simpler properties. For example, security includes integrity (ensuring that the system's program and data are not damaged) and confidentiality (ensuring that information can only be accessed by people who are authorised). Reliability includes correctness (ensuring the system services are as specified), precision (ensuring information is delivered at an appropriate level of detail) and timeliness (ensuring that information is delivered when it is required).

The dependability properties of availability, security, reliability and safety are all interrelated. Safe system operation usually depends on the system being available and operating reliably. A system may become unreliable because its data has been corrupted by an intruder. Denial-of-service attacks on a system are intended to compromise its availability. If a system that has been proved to be safe is infected with a virus, safe operation can no longer be assumed. It is because of these close links that the notion of system dependability as an encompassing property was introduced.

As well as these four main dimensions, other system properties can also be con-sidered under the heading of dependability:

1. Repairability. System failures are inevitable, but the disruption caused by failure can be minimised if the system can be repaired quickly. In order for that to happen, it must be possible to diagnose the problem, access the component that has failed and make changes to fix that component. Repairability in software is enhanced when the organisation using the system has access to the source code and has the skills to make changes to it. Unfortunately, this is becoming increasingly uncommon as we move towards system development using third-party, black-box components (see Chapter 19).

2. Maintainability. As systems are used, new requirements emerge. It is important to maintain the usefulness of a system by changing it to accommodate these new requirements. Maintainable software is software that can be adapted economically to cope with new requirements and where there is a low probability that making changes will introduce new errors into the system.

3. Survivability. A very important attribute for Internet-based systems is survivability, which is closely related to security and availability (Ellison et al., 1999). Survivability is the ability of a system to continue to deliver service whilst it is under attack and, potentially, while part of the system is disabled. Work on survivability focuses on identifying key system components and ensuring that they can deliver a minimal service. Three strategies are used to enhance survivability, namely resistance to attack, attack recognition and recovery from the damage caused by an attack (Ellison et al., 1999; Ellison et al., 2002).

4. Error tolerance. This property can be considered as part of usability (discussed in Chapter 16) and reflects the extent to which the system has been designed so that user input errors are avoided and tolerated. When user errors occur, the system should, as far as possible, detect these errors and either fix them automatically or request the user to re-input their data.

Figure 3.4 Cost/dependability curve (horizontal axis, dependability: low, medium, high, very high, ultra-high; vertical axis: cost).

Because availability, reliability, safety and security are the fundamental
