RESPONDING TO CATASTROPHIC ERRORS - A DESIGN TECHNIQUE FOR FAULT-TOLERANT SOFTWARE

The usual classification of software-caused system errors as internal, external, or pervasive assumes a rippling propagation of errors through a hierarchy of structures. As a result, most fault-tolerant software handles errors through nested detection and recovery mechanisms. In many cases, particularly in distributed systems, this assumption may not hold; catastrophic errors may occur that can evade the boundaries of the usual mechanisms and cause large-scale system failure. System designers must consider the possibility of failure from the first stages of system development, define the circumstances under which these failures might occur, and analyze the costs of dealing with such failures. Fault-tolerance techniques can be applied to reduce the effect of catastrophic errors. One such technique, dynamic reconfiguration, is described here as an example of a practical way for a system to respond to a detected error. Dynamic reconfiguration can be used not only to recover from software errors but also to remove the faults that caused the errors. An example of the design of a life-critical software system using dynamic configuration to handle potentially catastrophic errors is presented.