Annex K (informative)

Resource utilisation (FRU)

This class provides three families that support the availability of required resources such as processing capability and/or storage capacity. The family Fault Tolerance provides protection against unavailability of capabilities caused by failure of the TOE. The family Priority of Service ensures that the resources will be allocated to the more important or time-critical tasks, and cannot be monopolised by lower priority tasks. The family Resource Allocation provides limits on the use of available resources, therefore preventing users from monopolising the resources.

Figure K.1 - Resource utilisation class decomposition (families and components shown: FRU_FLT Fault tolerance, 1 and 2; FRU_PRS Priority of service, 1 and 2; FRU_RSA Resource allocation, 1 and 2)


K.1 Fault tolerance (FRU_FLT)

This family provides requirements for the availability of capabilities even in the case of failures. Examples of such failures are power failure, hardware failure, or software error. In case of these errors, if so specified, the TOE will maintain the specified capabilities. The PP/ST author could specify, for example, that a TOE used in a nuclear plant will continue the operation of the shutdown procedure in the case of power-failure or communication-failure.

User notes

Because the TOE can only continue its correct operation if the TSP is enforced, there is a requirement that the system must remain in a secure state after a failure. This capability is provided by FPT_FLS.1.

The mechanisms to provide fault tolerance could be active or passive. In case of an active mechanism, specific functions are in place that are activated in case the error occurs. For example, a fire alarm is an active mechanism: the TSF will detect the fire and can take action such as switching operation to a backup. In a passive scheme, the architecture of the TOE is capable of handling the error. For example, the use of a majority voting scheme with multiple processors is a passive solution; failure of one processor will not disrupt the operation of the TOE (although it needs to be detected to allow correction).
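The passive majority-voting scheme described above, as an added example that is not part of the standard's text: three replicas of one function are voted on, a single failure is masked, and the disagreeing replica is reported so it can be corrected. The names `majority_vote`, `VoteResult` and `NoMajorityError` and the replica functions are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Hashable, Sequence


class NoMajorityError(RuntimeError):
    """Raised when too many replicas have failed for a majority to exist."""


@dataclass(frozen=True)
class VoteResult:
    value: Hashable   # output agreed on by a strict majority of replicas
    faulty: tuple     # indices of replicas that crashed or disagreed


def majority_vote(replicas: Sequence[Callable[[int], Hashable]], x: int) -> VoteResult:
    """Run every replica on x and return the strict-majority output.

    A replica that raises is treated as failed, the same as a wrong answer.
    """
    outputs = []
    for fn in replicas:
        try:
            outputs.append((True, fn(x)))
        except Exception:
            outputs.append((False, None))

    counts = Counter(out for ok, out in outputs if ok)
    if not counts:
        raise NoMajorityError("all replicas failed")
    value, votes = counts.most_common(1)[0]
    if votes * 2 <= len(replicas):
        raise NoMajorityError("no strict majority among replica outputs")
    # The fault is masked, but it is still reported so it can be corrected.
    faulty = tuple(i for i, (ok, out) in enumerate(outputs) if not ok or out != value)
    return VoteResult(value, faulty)


# Constructed replicas standing in for three processors running the same task.
def healthy(x):
    return x * x

def stuck_at_zero(x):          # simulated hardware fault
    return 0

def crashed(x):                # simulated software error
    raise RuntimeError("replica down")
```

With one faulty replica the caller still receives the correct value plus the index of the replica to repair; with two simultaneous faults no majority exists and the voter refuses to return a value.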

For this family, it does not matter whether the failure has been initiated accidentally (such as flooding or unplugging the wrong device) or intentionally (such as monopolising).

FRU_FLT.1 Degraded fault tolerance

User application notes

This component is intended to specify which capabilities the TOE will still provide after a failure of the system. Since it would be difficult to describe all specific failures, categories of failures may be specified. Examples of general failures are flooding of the computer room, short term power interruption, breakdown of a CPU or host, software failure, or buffer overflow.

Operations

Assignment:

In FRU_FLT.1.1 the PP/ST author should specify the list of TOE capabilities the TOE will maintain during and after a specified failure.

In FRU_FLT.1.1 the PP/ST author should specify the list of type of failures against which the TOE has to be explicitly protected. If a failure in this list occurs, the TOE will be able to continue its operation.


FRU_FLT.2 Limited fault tolerance

User application notes

This component is intended to specify against what type of failures the TOE must be resistant. Since it would be difficult to describe all specific failures, categories of failures may be specified. Examples of general failures are flooding of the computer room, short term power interruption, breakdown of a CPU or host, software failure, or overflow of buffer.

Operations

Assignment:

In FRU_FLT.2.1 the PP/ST author should specify the list of type of failures against which the TOE has to be explicitly protected. If a failure in this list occurs, the TOE will be able to continue its operation.


