9.01 Software Design Principles Resource oversubscription is a severe fault condition that can lead to unpredictable behavior of the software system and render it inoperable. Timely detection and planned response to oversubscriptions can preserve critical system capabilities. Many resources can become oversubscribed during system operation. Examples include: buffers overflowing, exceeding a rate group time boundary, and excessive inputs or interrupts. The usual response consists of reducing the demand presented on the system by non-essential items, especially if they are the cause of the oversubscription. The system can also generate error messages, being careful not to overload the system further, and attempt to throttle the demand presented to it by external entities. In severe cases interrupts may be locked out. Additionally, the system may be reconfigured to reduce/eliminate non-essential functionality, or to allow use of less-demanding (even if less-accurate) algorithms. In severe cases processes and even the computer may have to be shut down. An example of a graceful response to an overload is the Apollo Lunar Module onboard software, which correctly handled an unplanned scenario in which the LM's ascent stage rendezvous radar was incorrectly switched on, overloading the Apollo Guidance Computer with input data. In this case the use of task prioritization (the Guidance, Navigation and Control (GNC) had higher priority than the radar), prevented the critical GNC functions from being starved of processor time, saving the mission and crew. It is recommended that the system design include the monitoring of resource usage with appropriate thresholds set to trigger carefully designed escalation responses, and that the method for detection and response protocol be explicitly documented and verified in the requirements. This design principle is closely related to the 9.12 Resource Margins principle. Implementing run time measurements enables monitoring of margins during development as well as protecting against oversubscription once the software has been deployed operationally. None None The NASA Lesson Learned 439 database contains the following lessons learned related to resource oversubscription:
See edit history of this section
Post feedback on this section
1. Principle
1.1 Rationale
2. Examples and Discussion
3. Inputs
3.1 ARC
Note: Examples of these situations include buffers overflowing, exceeding a rate group time boundary, and excessive inputs or interrupts. There are several common methods for tolerating these situations, most of which relate to reducing demand from non-essential items, especially if they are the source of over subscription:
a. Generate warning messages when appropriate.
b. Instruct external systems to reduce their demands.
c. Lock out interrupts.
d. Change operational behavior to handle the load. For example, the software may use faster but less accurate algorithms to keep up with the load.
e. Reduce the functionality of the software, or even halt or suspend a process or shutdown a computer.3.2 GSFC
3.3 JPL
Note: Examples of these situations include buffers overflowing, exceeding a rate group time boundary, and excessive inputs or interrupts. There are several common methods for tolerating these situations, most of which relate to reducing demand from non-essential items, especially if they are the source of over subscription:
a. Generate warning messages when appropriate.
b. Instruct external systems to reduce their demands.
c. Lock out interrupts.
d. Change operational behavior to handle the load. For example, the software may use faster but less accurate algorithms to keep up with the load.
e. Reduce the functionality of the software, or even halt or suspend a process or shutdown a computer.3.4 MSFC
4. Resources
4.1 References
5. Lessons Learned
5.1 NASA Lessons Learned
9.13 Resource Oversubscription
Web Resources
View this section on the websiteUnknown macro: {page-info}