

Brick MTTF vs. Availability

Before presenting experimental results, we illustrate the relationship between MTTF for an individual brick and the availability of data for SSM as a whole. We assume independent failures; when failures are correlated in Internet server clusters, it is often the result of a larger catastrophic failure that session state would not be expected to survive [20]. We describe a natural extension to SSM to survive site failures in section 8.

Let brick failure be modeled by a Poisson process with rate $\mu$ (i.e., the brick's MTTF is $1/\mu$), and let writes for a particular user's data be modeled by a Poisson process with rate $\lambda$. (In other words, in practice $1 / \lambda$ is the session expiration time, usually on the order of minutes or tens of minutes.) Then $\rho = \lambda / \mu$ is intuitively the ratio of the write rate to the failure rate, or equivalently, the ratio of the MTTF of a brick vs. the write interarrival time.

A session state object is lost if all $WQ$ copies of it are lost. Since every successful write re-creates $WQ$ copies of the data, the object is not lost if at most $WQ - 1$ failures occur between successive writes of the object. Equations 1 and 2 show this probability for $WQ=3$ and $WQ=2$ respectively; figure 2 shows the probabilities graphically.


\begin{displaymath}
P_{\mathrm{no\ loss}}^{WQ=3} = \frac{\rho (\rho^2 + 6 \rho + 11)}{(\rho + 1)(\rho + 2)(\rho + 3)} \qquad (1)
\end{displaymath}


\begin{displaymath}
P_{\mathrm{no\ loss}}^{WQ=2} = \frac{\rho (\rho + 3)}{(\rho + 1)(\rho + 2)} \qquad (2)
\end{displaymath}

Figure 2: Probability of data loss with WQ=2 and 3. The x-axis is the ratio of MTTF to the session expiration time. The y-axis is the probability that all WQ copies are lost before the subsequent write.

Table 2 summarizes the implication of the equations in terms of "number of nines" of availability. For example, to achieve "three nines" of availability, or probability $0.999$ that data will not be lost, a system with $WQ=2$ must be able to keep an individual brick from crashing for an interval that is $43.3$ times as long as the average time between writes. Adding redundancy ($WQ=3$) reduces this, requiring an MTTF that is only $16.2$ times the average time between writes. For example, if the average time between writes is 5 minutes and $WQ=3$, three nines can be achieved as long as brick MTTF is at least 81 minutes.


Table 2: For WQ=2 and 3, the ratio of MTTF to the average interval between writes that is necessary for the probability of no data loss before a subsequent write to achieve a certain number of nines.

| | $WQ=2$ | $WQ=3$ |
|---|---|---|
| 1 Nine | 3 | 2 |
| 2 Nines | 12.7 | 6.5 |
| 3 Nines | 43.3 | 16.2 |
| 4 Nines | 140 | 37.2 |
| 5 Nines | 446.8 | 82.4 |


Another way to look at it is to fix the ratio of MTTF to the write interval. Figure 3 sets this ratio to 10 (intuitively, this means roughly that writes occur ten times as often as failures) and illustrates the effect of adding redundancy (modifying $WQ$) on data loss.

Figure 3: We fix the ratio of MTTF to the average interval between writes to 10. The x-axis represents the number of copies written. The y-axis represents the probability that all copies are lost.
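The following Python sketch is an added example, not code from the paper. It generalizes Equations 1 and 2 to any $WQ$ through the product form $P_{loss} = \prod_{k=1}^{WQ} k/(k+\rho)$, which reduces to both equations, and numerically solves for the ratio $\rho$ needed to reach a given number of nines, the quantity Table 2 tabulates. The function names are illustrative.

```python
def p_loss(rho: float, wq: int) -> float:
    """Probability that all wq copies fail before the next write.

    With k copies still alive, the next event is a brick failure (rate k*mu)
    rather than the write (rate lambda) with probability k / (k + rho),
    where rho = lambda / mu. Memorylessness lets the factors multiply.
    """
    if rho < 0 or wq < 1:
        raise ValueError("need rho >= 0 and wq >= 1")
    p = 1.0
    for k in range(1, wq + 1):
        p *= k / (k + rho)
    return p


def p_no_loss(rho: float, wq: int) -> float:
    """Probability that at most wq - 1 bricks fail between successive writes."""
    return 1.0 - p_loss(rho, wq)


def required_ratio(nines: int, wq: int) -> float:
    """Smallest rho (MTTF / write interval) with p_loss <= 10**-nines."""
    target = 10.0 ** -nines
    lo, hi = 0.0, 1.0
    while p_loss(hi, wq) > target:      # p_loss decreases in rho: grow the bracket
        hi *= 2.0
    for _ in range(200):                # bisection on the monotone function
        mid = (lo + hi) / 2.0
        if p_loss(mid, wq) > target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Ratio needed per number of nines, for WQ = 2 and WQ = 3.
    for nines in range(1, 6):
        print(nines, [round(required_ratio(nines, wq), 1) for wq in (2, 3)])
    # The setting of Figure 3: ratio fixed at 10, number of copies varied.
    for wq in range(1, 6):
        print(wq, p_loss(10.0, wq))
    # The text's worked case: 5-minute write interval, WQ = 3, three nines.
    print("minimum MTTF (minutes):", 5 * required_ratio(3, 3))
```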


Benjamin Chan-Bin Ling 2004-03-04