Masaharu AKATSU Tomohiro MURATA Kenzo KURIHARA
This paper proposes the Total High Performance Time as a performance-related reliability measure for degradable/recoverable real-time systems. The measure reflects the effect of system behavior in pending states: temporary states between the normal state and the degraded states, in which the system operates in a degraded mode as a consequence of component failures. In pending states the system has to perform error/recovery procedures in addition to its normal procedures, so its performance there is lower than in the degraded states. In a real-time system, if performance falls below a lower limit, the response time of on-line transactions cannot meet the deadline, and failing to meet the deadline can constitute system failure. System reliability is therefore affected significantly by whether or not performance in the pending states stays above the lower limit. A state in which the level of performance is higher than the lower limit is called a High Performance State, and the Total High Performance Time is defined as the total time the system spends operating in High Performance States. The paper also explains how to utilize the Total High Performance Time in system design. A method of controlling the system in pending states is modeled using Extended Stochastic Petri Nets, and the characteristics needed to evaluate the Total High Performance Time are obtained by analyzing the model. The approach is applied to a storage system that controls mirrored disks and is shown to be helpful for designing the pending-state control method, a task that has been considered difficult because of the trade-off between performance and reliability.
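The following is an added illustration of the measure, not the paper's model or code. It assumes a four-state continuous-time Markov chain for a mirrored-disk controller (NORMAL, PENDING, DEGRADED, FAILED), assumed failure, recovery and deadline-miss rates, an assumed performance level per state and an assumed lower limit p_min. States whose performance is at or above p_min are the High Performance States, and the Total High Performance Time over a mission time is obtained by integrating the forward equations and accumulating the probability mass in those states. Two hypothetical pending-state control policies are compared: running the recovery procedure unthrottled (short pending state, performance below p_min, so deadlines can be missed) or throttled (long pending state, performance kept above p_min).

```python
"""Total High Performance Time (THPT) of a degradable/recoverable controller.

Added example, not the paper's model or code.  The four-state chain, its
rates, the performance levels and the lower limit p_min are assumptions
chosen to illustrate the measure on a mirrored-disk controller.
"""

STATES = ["NORMAL", "PENDING", "DEGRADED", "FAILED"]
IDX = {s: i for i, s in enumerate(STATES)}


def build_generator(fail_rate, pending_exit_rate, repair_rate, miss_rate,
                    pending_perf, p_min):
    """Generator matrix Q and per-state performance for the assumed model.

    NORMAL   -> PENDING  one mirror fails; error/recovery procedure starts
    PENDING  -> DEGRADED procedure completes, system runs on one disk
    PENDING  -> FAILED   deadline misses while performance is below p_min
    DEGRADED -> NORMAL   mirror repaired and resynchronised
    DEGRADED -> FAILED   the remaining disk fails
    """
    n = len(STATES)
    Q = [[0.0] * n for _ in range(n)]

    def add(src, dst, rate):
        i, j = IDX[src], IDX[dst]
        Q[i][j] += rate
        Q[i][i] -= rate

    add("NORMAL", "PENDING", fail_rate)
    add("PENDING", "DEGRADED", pending_exit_rate)
    if pending_perf < p_min:            # below the limit: deadlines are missed
        add("PENDING", "FAILED", miss_rate)
    add("DEGRADED", "NORMAL", repair_rate)
    add("DEGRADED", "FAILED", fail_rate)
    perf = {"NORMAL": 1.0, "PENDING": pending_perf, "DEGRADED": 0.8, "FAILED": 0.0}
    return Q, perf


def total_high_performance_time(Q, hps, p0, horizon, steps=20000):
    """Expected time spent in High Performance States over [0, horizon].

    Integrates the forward equations dp/dt = p Q with RK4 and carries the
    running integral of the HPS probability mass as one more state variable.
    Returns (thpt, state distribution at the horizon).
    """
    n = len(Q)

    def deriv(y):
        p = y[:n]
        dp = [sum(p[i] * Q[i][j] for i in range(n)) for j in range(n)]
        d_hps = sum(p[i] for i in range(n) if hps[i])
        return dp + [d_hps]

    y = list(p0) + [0.0]
    h = horizon / steps
    for _ in range(steps):
        k1 = deriv(y)
        k2 = deriv([a + 0.5 * h * b for a, b in zip(y, k1)])
        k3 = deriv([a + 0.5 * h * b for a, b in zip(y, k2)])
        k4 = deriv([a + h * b for a, b in zip(y, k3)])
        y = [a + h / 6.0 * (b + 2 * c + 2 * d + e)
             for a, b, c, d, e in zip(y, k1, k2, k3, k4)]
    return y[n], y[:n]


def thpt_for_policy(pending_perf, pending_exit_rate, p_min=0.7, horizon=1000.0,
                    fail_rate=1e-3, repair_rate=1e-2, miss_rate=5e-2):
    """THPT (hours) for one pending-state control policy, starting in NORMAL."""
    Q, perf = build_generator(fail_rate, pending_exit_rate, repair_rate,
                              miss_rate, pending_perf, p_min)
    hps = [perf[s] >= p_min for s in STATES]
    thpt, _ = total_high_performance_time(Q, hps, [1.0, 0.0, 0.0, 0.0], horizon)
    return thpt


# Two assumed ways of running the error/recovery procedure in the pending state:
# give it all spare bandwidth (short pending state, performance below p_min),
# or throttle it (long pending state, performance kept above p_min).
POLICIES = {
    "unthrottled recovery": dict(pending_perf=0.5, pending_exit_rate=1.0),
    "throttled recovery":   dict(pending_perf=0.75, pending_exit_rate=0.1),
}


def compare_policies(horizon=1000.0):
    """Map policy name -> THPT over the mission time, for ranking designs."""
    return {name: thpt_for_policy(horizon=horizon, **kw)
            for name, kw in POLICIES.items()}


if __name__ == "__main__":
    for name, t in compare_policies().items():
        print(f"{name:22s} THPT = {t:8.2f} h of 1000 h")
```

The ranking of the two policies is the design decision the measure is meant to support: the throttled policy keeps the pending state inside the High Performance States, so its only loss of High Performance Time is the probability mass absorbed in FAILED, whereas the unthrottled policy loses the whole pending sojourn and adds a deadline-miss path to FAILED.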
Masaharu AKATSU Tomohiro MURATA Kenzo KURIHARA
In systems where the same data are held in several memories, data consistency must be maintained after a failure. It is important to verify that error recovery specifications guarantee data consistency, and it is difficult because the system status is nondeterministic after a failure occurs. In this paper, a method of modeling and verifying error recovery specifications using colored Petri nets is proposed. First, the concept of data freshness is introduced to describe the relationship between the copies of the data explicitly. Then, a flow chart describing the data renewal sequences is converted into a Petri net, and failure events and recovery procedures are added to the model. Consistency is verified by investigating the reachable markings and checking for states in which data freshness is contradictory. The number of reachable markings is generally enormous and sometimes infinite, so the condition under which two markings are identified for the purpose of verification is studied: introducing this equivalence relation on reachable markings reduces the number of markings that must be verified. The usefulness of the proposed approach is demonstrated on the read/write process of a disk controller with a built-in cache memory. This example makes it clear that the analysis is helpful not only for checking whether the data are consistent, but also for designing recovery procedures that maintain data consistency.
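The following is an added illustration of the verification idea, not the paper's model or code. It assumes a deliberately small model of a disk controller with a battery-backed cache: a marking is (cache freshness, disk freshness, controller state), a write goes to the disk first and then refreshes the cache copy, a failure event can occur at any point, and two hypothetical recovery rules are checked (restart with the surviving cache contents, or reload the cache from disk before restarting). A marking is contradictory when the controller is idle and serving reads from a cache copy that is less fresh than the disk copy. Because every write creates a fresher version, the raw marking set is infinite; identifying markings that differ only in absolute version numbers (keeping only the rank order of the copies) makes the reachable set finite.

```python
"""Reachability check of two error-recovery specifications for a disk
controller with a battery-backed write-through cache.

Added example, not the paper's colored-Petri-net model or code.  The
marking structure, transitions, recovery rules and equivalence relation
are assumptions chosen to illustrate the freshness-contradiction check.

Marking: (cache, disk, pc)
  cache, disk : freshness tags (version numbers) of the two copies;
                reads are served from the cache copy
  pc          : IDLE, W2 (disk written, cache not yet refreshed) or DOWN
"""
from collections import deque

IDLE, W2, DOWN = "idle", "w2", "down"
INITIAL = (1, 1, IDLE)  # both copies hold version 1, controller idle


def successors(marking, recovery):
    """Enabled transitions of the model; `recovery` is the spec under test."""
    cache, disk, pc = marking
    succ = []
    if pc == IDLE:
        n = max(cache, disk) + 1            # a client writes fresher data
        succ.append((cache, n, W2))         # W1: write-through to disk first
    elif pc == W2:
        succ.append((disk, disk, IDLE))     # W2: refresh the cache copy
    if pc == DOWN:
        succ.append(recovery(cache, disk))  # restart under the spec's rule
    else:
        succ.append((cache, disk, DOWN))    # failure event at any point
    return succ


def recovery_restart_only(cache, disk):
    """Spec A: the cache is battery backed, so just restart with its contents."""
    return (cache, disk, IDLE)


def recovery_reload(cache, disk):
    """Spec B: discard the cache contents and reload them from disk."""
    return (disk, disk, IDLE)


def contradictory(marking):
    """Freshness contradiction: idle, yet the served (cache) copy is stale."""
    cache, disk, pc = marking
    return pc == IDLE and cache < disk


def canonical(marking):
    """Equivalence relation: keep only the rank order of the version numbers.

    The property and the transitions depend only on which copy is fresher,
    so markings that differ by a relabeling of versions are identified.
    """
    cache, disk, pc = marking
    rank = {v: i + 1 for i, v in enumerate(sorted({cache, disk}))}
    return (rank[cache], rank[disk], pc)


def reachable(recovery, identify=canonical, limit=10_000):
    """Breadth-first search over markings identified by `identify`.

    Returns (markings, exhausted).  exhausted is False when `limit` was
    hit, which is what happens with the identity relation: versions grow
    without bound, so the raw reachable set is infinite.
    """
    start = identify(INITIAL)
    seen, queue = {start}, deque([start])
    while queue:
        for s in successors(queue.popleft(), recovery):
            key = identify(s)
            if key in seen:
                continue
            if len(seen) >= limit:
                return seen, False
            seen.add(key)
            queue.append(key)
    return seen, True


def verify(recovery, identify=canonical, limit=10_000):
    """Return (number of markings, contradictory markings, exhausted)."""
    markings, exhausted = reachable(recovery, identify, limit)
    bad = sorted(m for m in markings if contradictory(m))
    return len(markings), bad, exhausted


if __name__ == "__main__":
    for name, spec in [("restart only", recovery_restart_only),
                       ("reload from disk", recovery_reload)]:
        count, bad, done = verify(spec)
        print(f"{name:17s} markings={count} exhaustive={done} contradictions={bad}")
    _, _, done = verify(recovery_reload, identify=lambda m: m, limit=50)
    print(f"without the equivalence relation, search exhaustive: {done}")
```

The contradictory marking found for spec A is the failure that strikes after the disk write and before the cache refresh: the surviving cache contents are one version behind, and "restart only" serves them as current. Spec B has no contradictory reachable marking, and the same search shows that the reload rule is what closes the gap, which is the design use of the analysis described above.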