Presentation is loading. Please wait.

Presentation is loading. Please wait.

Addressing Human Error with Undo

Published byAmberlynn Loreen Simmons Modified over 6 years ago

Similar presentations

Presentation on theme: "Addressing Human Error with Undo"— Presentation transcript:

1 Addressing Human Error with Undo
Aaron Brown ROC Retreat, June 2001

2 Outline Motivation: importance of human error during system maintenance Challenge: providing recovery from human error Solution: undo defining an undo paradigm for system administration implementation techniques for sysadmin undo Status and plans

3 Motivation: human error is important
Half of system failures are from human error Oracle: half of DB failures due to human error (1999) Gray/Tandem: 42% of failures from human administrator errors (1986) Murphy/Gent study of VAX systems (1993): Causes of system crashes Time ( ) % of System Crashes System management Software failure Hardware failure Other 18% 53% 18% 10%

4 Human error is important (2)
More data: telephone network failures FCC records, ; from Kuhn, Computer 30(4), ’97 half of outages, outage-minutes are human-related about 25% are direct result of maintenance errors by phone company workers

5 Don’t just blame the operator!
Typical response of system designers is to blame the operator. But... Don’t just blame the operator! Psychology shows that human errors are inevitable [see J. Reason, Human Error, 1990] humans prone to slips & lapses even on familiar tasks 60% of errors are on “skill-based” automatic tasks also prone to mistakes when tasks become difficult 30% of errors on “rule-based” reasoning tasks 10% of errors on “knowledge-based” tasks that require novel reasoning from first principles Allowing human error can even be beneficial mistakes are a part of trial-and-error reasoning trial & error is needed to solve knowledge-based tasks fear of error can stymie innovation and learning

6 Outline Motivation: importance of human error during system maintenance Challenge: providing recovery from human error Solution: undo defining an undo paradigm for system administration implementation techniques for sysadmin undo Status and plans

7 Recovery from human error
ROC principle: recovery from human error, not avoidance accepts inevitability of errors promotes better human-system interaction by enabling trial-and-error improves other forms of system recovery Recovery mechanism: Undo ubiquitous and well-proven in productivity applications unusual in system maintenance primitive versions exist (backup, standby machines, ...) but not well-matched to human error or interaction patterns

8 Outline Motivation: importance of human error during system maintenance Challenge: providing recovery from human error Solution: undo defining an undo paradigm for system administration implementation techniques for sysadmin undo Status and plans

9 Undo paradigms An effective undo paradigm matches the needs of its target environment cannot reuse existing undo paradigms for system maintenance We need a new undo paradigm for maintenance plan: lay out the design space pick a tentative undo paradigm carry out experiments to validate the paradigm Underlying assumption: service model single application users access via well-defined network requests

10 Issue #1: Choice of undo model
Branching is important for trial and error Issue #1: Choice of undo model Undo model defines the view of past history Spectrum of model options: simplicity flexibility multiple linear undo/redo branching undo/redo w/deletion single undo single undo/redo multiple linear undo linearized branching undo/redo branching MS Office emacs Important choices: undo only, or undo/redo? single, linear, or branching? deletion or no deletion? Tentative choice for maintenance undo multiple linear undo/redo branching undo/redo w/deletion single undo single undo/redo multiple linear undo linearized branching undo/redo branching Important choices: undo only, or undo/redo? single, linear, or branching? deletion or no deletion? 5 4 3 2 1 u trial-and-error history pattern

11 More undo issues 2) Representation 3) Selection of undo points
does undo act on states or actions? how are the states/actions named? TBD 3) Selection of undo points granularity: undo points at each state change/action? or at checkpoints of some granularity? are undo points administrator- or system-defined? Tentative maintenance undo choices in red 2) Representation does undo act on states or actions? how are the states/actions named? 3) Selection of undo points granularity: undo points at each state change/action? or at checkpoints of some granularity? are undo points administrator- or system-defined?

12 More undo issues (2) 4) Scope of undo 4) Scope of undo
“what state can be recovered by undo?” single-node, multi-node, multi-node+network? on each node: system hardware state: BIOS, hardware configs? disk state: user, application, OS/system? soft state: process, OS, full-machine checkpoints? tentative maintenance undo goals in red 4) Scope of undo “what state can be recovered by undo?” single-node, multi-node, multi-node+network? on each node: system hardware state: BIOS, hardware configs? disk state: user, application, OS/system? soft state: process, OS, full-machine checkpoints?

13 More undo issues (3) 5) Transparency to service user ideally:
undo of system state preserves user data & updates user always sees consistent, forward-moving timeline undo has no user-visible impact on data or service availability

14 Context: other undo mechanisms
Design axis Undo model Representation Undo-point selection Scope Trans-parency Desired maintenance-undo semantics branching undo/redo state, naming TBD automatic checkpoints all disk & HW, all nodes & network high Geoplex site failover single undo state, unnamed varies; usu. automatic checkpoints entire system Tape backup single or multiple linear undo state ad-hoc naming manual checkpoints disk (1 FS), single node low GoBack® linearized branching undo/redo state, temporal naming disk (all), single node low-medium Netapp Snapshots multiple linear undo state, temporal naming disk (all), single server DBMS logging (for txn abort) hybrid, unnamed single txn, app-level Undo mech.

15 Implementing maintenance undo
Saving state: disk apply snapshot or logging techniques to disk state e.g., NetApp- or VMware-style block snapshots, or LFS all state, including OS, application binaries, config files leverage excess of cheap, fast storage integrate “time travel” with native storage mechanism for efficiency Saving state: hardware periodically discover and log hardware configuration can’t automatically undo all hardware changes, but can direct administrator to restore configuration

16 Implementing maintenance undo (2)
Providing transparency queue & log user requests at edge of system, in format of original request protocol correlate undo points to points in request log snoop/replay log to satisfy user requests during undo time ---> ... <--- user requests R E Q u current (real) time undo invoked system logical time An undo UI should visually display branching structure must provide way to name and select undo points, show changes between points

17 Outline Motivation: importance of human error during system maintenance Challenge: providing recovery from human error Solution: undo defining an undo paradigm for system administration implementation techniques for sysadmin undo Status and plans

18 Status and plans Status Plans
starting human experiments to pin down undo paradigm subjects are asked to configure and upgrade a 3-tier e-commerce system using HOWTO-style documentation we monitor their mistakes and identify where and how undo would be useful experiments also used to evaluate existing undo mechanisms like those in GoBack and VMware Plans finalize choice of undo paradigm build proof-of-concept implementation in Internet service on ROC-1 cluster evaluate effectiveness and transparency with further experiments

Download ppt "Addressing Human Error with Undo"

Similar presentations

© 2006 DataCore Software Corp DataCore Traveller Travel in Time : Do More with Time The Continuous Protection and Recovery (CPR) Solution Time Optimized.

© 2006 DataCore Software Corp DataCore Traveller Travel in Time : Do More with Time The Continuous Protection and Recovery (CPR) Solution Time Optimized.
SQL Server Disaster Recovery Chris Shaw Sr. SQL Server DBA, Xtivia Inc.

SQL Server Disaster Recovery Chris Shaw Sr. SQL Server DBA, Xtivia Inc.
Protect Your Business and Simplify IT with Symantec and VMware Presenter, Title, Company Date.

Protect Your Business and Simplify IT with Symantec and VMware Presenter, Title, Company Date.
Fabián E. Bustamante, Winter 2006 Recovery Oriented Computing Embracing Failure A. B. Brown and D. A. Patterson, Embracing failure: a case for recovery-

Fabián E. Bustamante, Winter 2006 Recovery Oriented Computing Embracing Failure A. B. Brown and D. A. Patterson, Embracing failure: a case for recovery-
Recovery CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)

Recovery CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)
High Availability Group 08: Võ Đức Vĩnh50703006 Nguyễn Quang Vũ50703033.

High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Data protection and disaster recovery.

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Data protection and disaster recovery.
1 Disk Based Disaster Recovery & Data Replication Solutions Gavin Cole Storage Consultant SEE.

1 Disk Based Disaster Recovery & Data Replication Solutions Gavin Cole Storage Consultant SEE.
Slide 1 To Err is Human Aaron Brown and David A. Patterson Computer Science Division University of California at Berkeley First EASY Workshop 1 July 2001.

Slide 1 To Err is Human Aaron Brown and David A. Patterson Computer Science Division University of California at Berkeley First EASY Workshop 1 July 2001.
Oracle Data Guard Ensuring Disaster Recovery for Enterprise Data

Oracle Data Guard Ensuring Disaster Recovery for Enterprise Data
1 Principles of Reliable Distributed Systems Tutorial 12: Frangipani Spring 2009 Alex Shraer.

1 Principles of Reliable Distributed Systems Tutorial 12: Frangipani Spring 2009 Alex Shraer.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP StorageWorks LeftHand update Marcus.

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP StorageWorks LeftHand update Marcus.
Installing software on personal computer

Installing software on personal computer
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 16 Slide 1 User interface design.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 16 Slide 1 User interface design.
Backup Concepts. Introduction Backup and recovery procedures protect your database against data loss and reconstruct the data, should loss occur. The.

Backup Concepts. Introduction Backup and recovery procedures protect your database against data loss and reconstruct the data, should loss occur. The.
Agenda  Overview  Configuring the database for basic Backup and Recovery  Backing up your database  Restore and Recovery Operations  Managing your.

Agenda  Overview  Configuring the database for basic Backup and Recovery  Backing up your database  Restore and Recovery Operations  Managing your.
Irwin/McGraw-Hill Copyright © 2000 The McGraw-Hill Companies. All Rights reserved Whitten Bentley DittmanSYSTEMS ANALYSIS AND DESIGN METHODS5th Edition.

Irwin/McGraw-Hill Copyright © 2000 The McGraw-Hill Companies. All Rights reserved Whitten Bentley DittmanSYSTEMS ANALYSIS AND DESIGN METHODS5th Edition.
Oracle Database High Availability Brandon Kuschel Jian Liu Source: Oracle Database 11g Release 2 High Availability An Oracle White Paper November 2010.

Oracle Database High Availability Brandon Kuschel Jian Liu Source: Oracle Database 11g Release 2 High Availability An Oracle White Paper November 2010.
IT:Network:Applications Fall 2009.  Running one “machine” inside another “machine”  OS in Virtual machines sees ◦ CPU(s) ◦ Memory ◦ Disk ◦ USB ◦ etc.

IT:Network:Applications Fall  Running one “machine” inside another “machine”  OS in Virtual machines sees ◦ CPU(s) ◦ Memory ◦ Disk ◦ USB ◦ etc.
Maintaining a Microsoft SQL Server 2008 Database SQLServer-Training.com.

Maintaining a Microsoft SQL Server 2008 Database SQLServer-Training.com.

Similar presentations

Ads by Google