Table Of ContentUwe Zdun · Eugene Wallingford
e
n
Editors
i
l
b
u
S
l
a
n
r
u
o Transactions on
J
0
0 Pattern Languages
6
0
1
S
of Programming IV
C
N
L
James Noble · Ralph Johnson
Editors-in-Chief
123
Lecture Notes in Computer Science 10600
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
More information about this series at http://www.springer.com/series/8677
James Noble Ralph Johnson
(cid:129)
Uwe Zdun Eugene Wallingford (Eds.)
(cid:129)
Transactions on
Pattern Languages
of Programming IV
123
Editors-in-Chief
James Noble RalphJohnson
Victoria University ofWellington Siebel Center forComputer Science
Wellington, NewZealand Urbana,IL, USA
Editors
UweZdun Eugene Wallingford
University of Vienna University of Northern Iowa
Vienna,Austria Cedar Falls,IA, USA
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notesin Computer Science
ISSN 1869-6015 ISSN 2511-6444 (electronic)
Transactions onPattern Languages ofProgramming
ISBN 978-3-030-14290-2 ISBN978-3-030-14291-9 (eBook)
https://doi.org/10.1007/978-3-030-14291-9
LibraryofCongressControlNumber:2019932783
©SpringerNatureSwitzerlandAG2019
Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartofthe
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodologynow
knownorhereafterdeveloped.
Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication
doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant
protectivelawsandregulationsandthereforefreeforgeneraluse.
Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthisbookare
believedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsortheeditors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissionsthatmayhavebeenmade.Thepublisherremainsneutralwithregardtojurisdictionalclaimsin
publishedmapsandinstitutionalaffiliations.
ThisSpringerimprintispublishedbytheregisteredcompanySpringerNatureSwitzerlandAG
Theregisteredcompanyaddressis:Gewerbestrasse11,6330Cham,Switzerland
Preface
Welcome to the fourth issue of LNCS Transactions on Pattern Languages of
Programming. Software patterns are an effective means for improving the quality of
softwaredesignandengineeringandcommunicationamongthepeoplebuildingthem.
Patterns capture the best practices of software design, making them available to all
software engineers.
LNCS Transactions on Pattern Languages of Programming publishes papers on
patterns and pattern languages as applied to software design, development, and use,
throughout all phases of the software life cycle, from requirements and design to
implementation, maintenance and evolution. The primary focus of the LNCS Trans-
actions on Pattern Languages of Programming is on patterns, pattern collections, and
pattern languages themselves. The journal also includes reviews, survey articles, crit-
icisms of patterns and pattern languages, as well as other research on patterns and
pattern languages.
This issue includes six articles that went through two phases of review and
improvement. First, the articles were workshopped at one of the PLoP conferences
where (after an initial peer review) they received suggestions for improvement in a
shepherding process and in a writer’s workshop. Then the articles were substantially
extended by the authors, and these extended versions were peer-reviewed again by at
least three reviewers per article.
ThiseditionofLNCSTransactionsonPatternLanguagesofProgrammingmarksa
transitionineditorship:Thefoundingeditors-in-chief,JamesNobleandRalphJohnson,
will retire after this issue and the current editors, Eugene Wallingford and Uwe Zdun,
willbecometheneweditors-in-chief.WethankJamesandRalphfortheireffortsduring
thefounding periodof LNCS Transactions on Pattern Languages ofProgramming.
We thank the anonymous reviewers who helped in the peer-review process of this
issue.
January 2019 James Noble
Eugene Wallingford
Uwe Zdun
Contents
Patterns for Light-Weight Fault Tolerance and Decoupled Design
in Distributed Control Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Pekka Alho and Jari Rauhamäki
Safety Architecture Pattern System with Security Aspects . . . . . . . . . . . . . . 22
Christopher Preschern, Nermin Kajtazovic, and Christian Kreiner
An Open Source Pattern Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Christoph Hannebauer and Volker Gruhn
Patterns for Functional Safety System Development . . . . . . . . . . . . . . . . . . 100
Jari Rauhamäki
Internet of Things Patterns for Communication and Management . . . . . . . . . 139
Lukas Reinfurt, Uwe Breitenbücher, Michael Falkenthal,
Frank Leymann, and Andreas Riegg
A Pattern Language for Knowledge Handover When People Transition. . . . . 183
Kei Ito, Joseph W. Yoder, Hironori Washizaki, and Yoshiaki Fukazawa
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Patterns for Light-Weight Fault
Tolerance and Decoupled Design
in Distributed Control Systems
Pekka Alho1(&) and Jari Rauhamäki2
1 Departmentof Intelligent HydraulicsandAutomation,
Tampere University of Technology,Tampere, Finland
pekka.alho@iki.fi
2 Department of Automation Science andEngineering,
Tampere University of Technology,Tampere, Finland
[email protected]
Abstract. Distributed control systems comprise networked computing units
that monitor and control physical processes in feedback loops. Reliability of
these systems is affected by dynamic and complex computing environments
where connections and system configurations may change rapidly. Diverse
redundancy can be effective in improving system dependability, but it is sus-
ceptible to common mode failures and development costs for design diversity
areoftenseenasprohibitive.Inthispaperwepresentthreepatternsthatcanbe
used to provide light-weight form of fault tolerance to improve system
dependabilityandresiliencebyprovidingabilitytocopewithunexpectedevents
and faults. These patterns are presented together with a pattern language that
shows howthey relate toother fault tolerance patterns.
(cid:1) (cid:1) (cid:1)
Keywords: Dependability Distributed systems Fault tolerance
(cid:1)
Real-time systems Reliability
1 Introduction
Distributed control systems are continuously gaining importance, as more and more
devicesandmachinesareequippedwithembeddedsystemsthatcontroltheiroperation.
Computers in these control systems are increasingly more powerful and networked,
providingintelligenceandinteroperability.Examplesofsuchsystemsrangefromlarge
mobile machines to groups of robots and intelligent sensor networks. These cyber-
physicalsystems(CPSs)interactwithenvironmentandphysicalprocesses,influencing
many parts of our lives either directly or indirectly. Therefore they need to be de-
pendable, which can be measured with the attributes of availability, reliability, safety,
integrity and maintainability [1]. However, with the increased functionality and intel-
ligence, the complexity of these systems is also increased, meaning that the develop-
ment process becomes more demanding and dependability becomes more costly to
achieve and verify. Another significant feature of CPSs is that they often have strict
timing constraints, which may put limitations on the architecture.
©SpringerNatureSwitzerlandAG2019
J.Nobleetal.(Eds.):TPLOPIV,LNCS10600,pp.1–21,2019.
https://doi.org/10.1007/978-3-030-14291-9_1
2 P. Alho and J.Rauhamäki
Many critical systemsthat havefailed catastrophicallyarewell-known –examples
such as Therac-25 radiation therapy machine and the explosion of Ariane 5 rocket are
infamous, whereashighly reliable systems receive little recognition, even though their
study might give valuable ideas for the design and architecture of new software. One
example of such systems can be found in telephony applications, namely Ericsson
AXD301 Asynchronous Transfer Mode (ATM) switches that achieved nine nines
(99.9999999%) service availability, running software written in Erlang [2]. Erlang’s
highly decoupled actor model and fault handling based on supervisors have inspired
especially. Let it crash and Service manager patterns found in this paper.
Thispaperpresentsthreesoftwarepatternsthatcanbeusedtoimprovecontrolsystem
dependability–thethirdpatterniscalledDATA-CENTRICARCHITECTURE–andshowshow
theyfitintheexistingliteraturebyaddressingthespecificneedsofCPSs.Theapproach
promoted by these three patterns is based on implementing a decoupled architectural
designwithsupportingfaultmitigationandhandling.Thedecoupledarchitecturecanalso
beusedtograduallyintroduceadditionalfaulttolerancesolutionssuchascheckpointing
andrejuvenationtothesystem,untilasufficientlevelofreliabilityhasbeenachieved[3].
Our patterns were originally encountered in the research of remote handling control
systemsforroboticmanipulators,butallpatternshaveexamplesofotherknownusesas
well.Theseexamplesarepresentedinthecorrespondingsectionsofthepatterns.
One reason why development of CPSs is difficult is because the systems typically
consist of dynamic service chains that operate on wide range of platforms, which
complicates management of end-to-end deadlines. Moreover, modern middleware
provide capabilities to flexibly change service deployment on these subsystems, but
some configurations may be inefficient or even unusable if communication links
become overloaded. While adaptability has benefits, these uncertainties nevertheless
complicate assurance of reliability and predictability of the system. Therefore, CPSs
benefit from a design that makes the overall system more robust, whereas more tra-
ditional fault tolerance solutions, such as hardware redundancy, are arguably better
suited for static safety-critical subsystems.
Data-centric approach is one way to increase decoupling between communicating
units. However, data-centric design as a central communication paradigm, as well as
the concept of CPS, is still fairly novel in the domain of distributed control systems.
Although control systems are by nature data-centric (read sensor data and desired
output, send actuator command, etc.), this has usually been from point A to point B.
The patterns in this paper capture some of the ways that reliability-related challenges
faced in developing more intelligent and adaptable distributed control systems have
been solved. Next chapter shows how our patterns fit the gaps in the existing pattern
literature, by addressing needs specific to CPSs.
2 Context of the Patterns
Faulttolerancecannotbeimplementedwithoutredundancyofsomekind.Tohavefault
tolerancefore.g.computerfailures,wewouldneedatleasttwocomputers–ifonefails
theotheronecandetecttheerrorandtrytocorrectit.Softwarefaultsontheotherhand
are typically development faults, which are harder todetect and correct than hardware
Patterns for Light-Weight Fault Tolerance andDecoupled Design 3
faults. To have good coverage for software faults, diverse redundancy (e.g. N-version
programming) is needed, but it has been criticized of being susceptible to common
mode failures [4]. Moreover, development costs for design diversity are often seen as
prohibitive.
Patterns in this paper present an alternative approach to fault tolerance, based on
dividingthesystemintohighlydecoupledmodulesandimplementinglightweightform
of fault tolerance. We present an architectural pattern called DATA-CENTRIC ARCHITEC-
TURE as one way to achieve a high level of decoupling. One of the key points of
decoupling is that it should by itself improve reliability by limiting fault propagation
and improving modularity and understandability of the system. In a way, modular
approachcanbeseensimilartocompartmentalizationofships–withoutcompartments,
everyleakcansinktheship.Anexampleofasoftwaresystemthatusesmodularityto
successfully implement fault isolation and resilience is the MINIX 3 operating system
releasedin2005[5].DrivermanagementofMINIX3ispresentedasoneoftheknown
uses of SERVICE MANAGER.
Modularanddecoupledarchitecturecanalsobeusedtoimplementotherreliability-
improvingpatternslikeSERVICEMANAGERandLETITCRASHdocumentedinthispaperor
other well-known patterns like LEAKY BUCKET COUNTER [6], WATCHDOG [6, 7], etc. The
shortdescriptionsofthepatternspresentedinthispaperarelistedintheTable 1.Listof
all referenced patterns with descriptions can be found in an appendix.
Table1. Pattern descriptions
Pattern Description
DATA-CENTRIC How toimplement reliableandscalable distributed control system?
ARCHITECTURE Build the system fromautonomous modules that communicate by
sharing data that isbased onawell-designed andconsistent data
model
SERVICEMANAGER Howtodetectfaultsandrestartmodulesor processesafterafailure?
Implementaservicemanagerthatcanmonitor,startandstopmodules
LETITCRASH Howtoreacttofailureswithoutcrashingthewholesystem?Flushthe
corruptedstateby“crashing”theprocessinsteadofwritingextensive
error handlingcode. Letsome other process like service managerdo
the error recovery e.g.byrestarting thecrashed process
DATA-CENTRIC ARCHITECTURE provides the decoupled architectural model needed to
use LET IT CRASH for fault handling. The SERVICE MANAGER pattern provides a way for
trying recovery after failures, in addition to providing error detection and monitoring.
TheideaofcrashingaprocesssuggestedbyLETITCRASHmaysoundlikeariskyaction
to take. However, the idea is to offer recovery from transient physical and interaction
faults (sometimes called Heisenbugs), ability to keep the system as a whole func-
tioning, even if some internal process would crash, and possibility to hot-swap code
and bug-fixes. The downside of this approach is of course that it is not suited for fail-
operate systems such as flight controllers that must be operational all the time – this
type of systems would be the right domain to apply design diversity.
