12.3   Reliability specification  327


banking and e-commerce systems, the focus of reliability specification is usually on specifying the availability of the system.

To specify the availability of an ATM network, you should identify the system services and specify the required availability for each of these. These are:

• the customer account database service;
• the individual services provided by an ATM such as ‘withdraw cash,’ ‘provide account information,’ etc.

Here, the database service is most critical as failure of this service means that all of the ATMs in the network are out of action. Therefore, you should specify this to have a high level of availability. In this case, an acceptable figure for database availability (ignoring issues such as scheduled maintenance and upgrades) would probably be around 0.9999, between 7 am and 11 pm. This means a down time of less than one minute per week. In practice, this would mean that very few customers would be affected and would only lead to minor customer inconvenience.

For an individual ATM, the overall availability depends on mechanical reliability and the fact that it can run out of cash. Software issues are likely to have less effect than factors such as these. Therefore, a lower level of availability for the ATM software is acceptable. The overall availability of the ATM software might therefore be specified as 0.999, which means that a machine might be unavailable for between one and two minutes each day.

To illustrate failure-based reliability specification, consider the reliability requirements for the control software in the insulin pump. This system delivers insulin a number of times per day and monitors the user’s blood glucose several times per hour. Because the use of the system is intermittent and failure consequences are serious, the most appropriate reliability metric is POFOD (probability of failure on demand).

There are two possible types of failure in the insulin pump:

1. Transient software failures that can be repaired by user actions such as resetting or recalibrating the machine. For these types of failures, a relatively low value of POFOD (say 0.002) may be acceptable. This means that one failure may occur in every 500 demands made on the machine. This is approximately once every 3.5 days, because the blood sugar is checked about five times per hour.
2. Permanent software failures that require the software to be reinstalled by the manufacturer. The probability of this type of failure should be much lower. Roughly once a year is the minimum figure, so POFOD should be no more than 0.00002.

However, failure to deliver insulin does not have immediate safety implications, so commercial factors rather than the safety factors govern the level of reliability required. Service costs are high because users need fast repair and replacement. It is in the manufacturer’s interest to limit the number of permanent failures that require repair.
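The arithmetic behind the figures above, as an added example that is not from the book: an availability figure over a stated operating window is turned into a downtime budget (and back), and a POFOD is turned into an expected interval between failures. The 7 am to 11 pm window and the 0.9999, 0.999, 0.002 and 0.00002 figures come from the text; the 24-hour ATM window and the steady five-demands-per-hour rate are assumptions.

```python
"""Reliability specification arithmetic: availability <-> downtime budget,
POFOD <-> expected interval between failures (added example, not the book's code)."""
from dataclasses import dataclass

MINUTES_PER_HOUR = 60


@dataclass(frozen=True)
class AvailabilitySpec:
    availability: float   # fraction of the operating window the service must be up
    hours_per_day: float  # operating window, e.g. 16 for 07:00-23:00
    days_per_week: int = 7

    def downtime_minutes_per_week(self) -> float:
        """Unavailability (1 - A) applied to the weekly operating window."""
        window = self.hours_per_day * self.days_per_week * MINUTES_PER_HOUR
        return (1.0 - self.availability) * window

    def downtime_minutes_per_day(self) -> float:
        return self.downtime_minutes_per_week() / self.days_per_week


def availability_for_downtime(max_minutes_per_week: float, hours_per_day: float,
                              days_per_week: int = 7) -> float:
    """Inverse direction: the availability to write into the requirement so that
    downtime within the operating window stays inside a given budget."""
    window = hours_per_day * days_per_week * MINUTES_PER_HOUR
    return 1.0 - max_minutes_per_week / window


def demands_per_failure(pofod: float) -> float:
    """A POFOD of p means one failure is expected every 1/p demands."""
    if not 0.0 < pofod < 1.0:
        raise ValueError("POFOD must be strictly between 0 and 1")
    return 1.0 / pofod


def days_between_failures(pofod: float, demands_per_hour: float) -> float:
    """Expected days between failures if demands arrive at a steady rate (assumed)."""
    return demands_per_failure(pofod) / (demands_per_hour * 24)


if __name__ == "__main__":
    db = AvailabilitySpec(0.9999, hours_per_day=16)   # 07:00-23:00 window from the text
    atm = AvailabilitySpec(0.999, hours_per_day=24)   # assumed round-the-clock window
    print(f"database: {db.downtime_minutes_per_week():.2f} min/week")
    print(f"ATM software: {atm.downtime_minutes_per_day():.2f} min/day")
    print(f"1 min/week in a 16 h window needs A = {availability_for_downtime(1.0, 16):.5f}")
    print(f"POFOD 0.002 -> one failure per {demands_per_failure(0.002):.0f} demands,"
          f" every {days_between_failures(0.002, 5):.1f} days at 5 demands/hour")
    print(f"POFOD 0.00002 -> every {days_between_failures(0.00002, 5) / 365:.2f} years")
```

At exactly five demands an hour the function gives a little over four days for POFOD 0.002; the text's 3.5-day figure corresponds to a demand roughly every ten minutes, which is the kind of rate assumption worth writing into the requirement explicitly.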