The distributed P/T nets used in this contribution are the same as in [ 10 ]. In this context, they build on the formal definition of [ 20 ] and extend it with the informal extension of distributed synchronous channels. If we are considering simulation time, multiple instances of these distributed P/T nets are executed within a single simulator; however, there are also multiple simulators in place.

The informal extension of distributed synchronous channels ensures that P/T nets can communicate with each other by implementing rendezvous synchronization. Transitions are labeled with signatures

In every computer system, it is unavoidable that, at some point, some failure can occur. [ 25 ] This applies specifically to distributed simulation systems. These errors may have diferent causes and origins.

Internal or in-process errors occur within an application and can be classified into diferent types. Logical errors [ 26 ] occur when incorrect instructions are present in the application’s source code, resulting in issues such as erroneous calculations or infinite loops. These represent implementation faults caused by flawed algorithms or incorrect control flows.

Closely related are semantic errors, which are often used synonymously. Semantic errors [ 26 ] afect the interpretation of data or interactions: although the code functions correctly on a technical level, the meaning of the results or processes deviates from the specification.

In addition to the mentioned types of errors that result in faulty program behavior, runtime errors may also occur despite a "correct" program implementation. For example, excessive nested calls of a recursive function typically lead to a stack overflow, where the call stack of a program exceeds the allocated memory space. If a program continuously consumes memory without releasing it correctly, this leads to a memory leak. Both stack overflows and memory leaks fall into the category of memory-related errors. [ 27 ]

Problems in the parallel execution of (sub-)processes can cause synchronization errors, such as deadlocks or race conditions. A deadlock occurs when a cyclic waiting situation arises between the involved processes, with each waiting for the release of a system resource that is exclusively held by another. A race condition, on the other hand, describes an unintended fault where multiple operations influence the final result due to their timing behavior. [ 28 ]

We can group logical and semantic errors, as well as synchronization and memory errors, into a broader category of software errors to fit into the categorization of Schroeder et al. [ 29 ]. They also mention other types of errors that are not directly software-related, which we look at next.

When disruptions occur during data transmission or exchange between distributed components, they are referred to as network or communication errors. These can result from issues such as packet loss or connection failures, leading to inconsistencies in the state of distributed systems. Such inconsistencies can adversely afect the synchronization and correctness of the simulation.

System and hardware errors originate from physical defects or failures in the components of the distributed system, such as the CPU or memory. These errors are often dificult to predict and can cause abrupt system crashes or faulty data processing.

In addition to internal errors, there are also external error types that depend on external factors. Undesired user inputs or environmental influences can impair the correctness of the simulation or even disrupt the intended functionality of the entire system.

In the context of our contribution, a relevant structure of error types emerges, as shown in Figure 2. We distinguish between internal and external errors that may afect our distributed simulation. Among internal errors, we further diferentiate between software-based errors (such as logical, semantic, synchronization-specific, and memory-related errors) and infrastructure-based errors, which depend on the system architecture. The latter includes communication and hardware errors.

To ensure the robustness and reliability of a distributed simulation, the early detection of occurring failures is essential. These errors can occur in both deterministic and non-deterministic ways, which complicates their identification and reproducibility. Typical deterministic errors include logical flaws or faulty algorithms, whereas synchronization errors, such as deadlocks and race conditions, are considered non-deterministic.

The first method for detecting failures is through static analysis. Although they primarily serve compile-time checking, formal analysis techniques can detect potential runtime errors before execution. Static analysis tools such as SonarGraph [ 30 ] or FindBugs [ 31 ] can flag unused variables, incorrect assignments, or potential null references. Many modern IDEs already include basic static analysis tools with various features as standard.

On the other hand, there are dynamic methods to detect failures at runtime. This involves monitoring the system during execution. Techniques such as assertion checking, instrumentation, or the use of debugging tools like Valgrind [ 32 ], the GNU Debugger [ 33 ], or AddressSanitizer [ 34 ] enable the detection of memory errors, invalid memory accesses, or synchronization issues. Particularly in productive, complex, and automated systems or simulations, continuous and comprehensive monitoring plays a crucial role. It is the foundation and, therefore, essential for ensuring the availability, reliability, and performance of a system.

Monitoring technologies such as Prometheus [ 35 ] ofer suitable solutions by collecting a wide range of metrics and visualizing them. In most cases, an alert manager is included for triggering alerts in the event of anomalies. The open-source monitoring framework Kieker is also worth mentioning as a valuable tool for the runtime monitoring of software-based systems. It incorporates the aforementioned capabilities and is particularly useful for analyzing performance, architectural behavior, and failures in distributed applications.[ 36 ]

Since we cannot entirely prevent failures, we must at least design our systems to tolerate or recover from them when they occur. It is worth noting that, in some situations, it can be better to tolerate small failures by not addressing them if an automated recovery system might do more harm than good [ 25 ].

In general, we can categorize fault tolerance methods into two main groups: reactive and proactive methods. Static analysis methods act as a proactive method. Proactive methods take action preemptively to try and limit failures as much as possible, while reactive methods rely on failure detection and start acting when a failure has occurred. [ 37 ] For this reason, to make a system truly failure-tolerant, one needs to implement at least one reactive method.

Since proactive methods cannot entirely prevent failures, we do not elaborate on them further in this paper. More information can be found, e.g., in [ 38 ].

An obvious reactive method is checkpointing, sometimes also referred to as checkpoint-restart. [ 39 ] Here, each system component regularly stores its state on some form of persistent, highly available storage. If a component fails (e.g., due to a crash), it can be restarted by a failure detection system and automatically load the latest checkpoint to continue execution from that point.

Another reactive method, which can also be considered a hybrid method, is replication. Here, individual components can be replicated, potentially even on diferent physical machines, resulting in multiple instances of each component. If one instance fails, a replica can take its place to ensure smooth execution, and the original instance gets restarted to serve as another replica. [ 40 ]

According to Laprie et al. [ 41 ], the term resilient has been used mainly as a synonym of fault-tolerant for many years in the field of computer science. A resilient, fault-tolerant, or robust system should be able to deliver its service, even in some circumstances that are not part of its typical mode of operation. We use the term "some" here since we have already learned in section 2.3 that it is impossible to completely prevent failures, including those that are not tolerable by any software system (like a simultaneous hardware failure in all machines).

For this paper, we use the definition from Pradhan et al. [ 42 ], which defines a resilient system as a system that "includes eficient techniques for [...] ensuring its correct operation [...], even in the presence of faults and failures [...].". Additionally, it requires the resilient mechanism of a system to be autonomous, as human interaction is slow and introduces an additional opportunity for errors.

Kubernetes [ 43 ] is an open-source software for container orchestration developed by Google. It is commonly used to manage, harden and scale each individual component of deployed applications. It allows for easy creation of clusters made of multiple physical computers (nodes).

On each node, a service called kubelet acts as the "primary node agent" for Kubernetes, manages everything that Kubernetes runs on that node. If some application crashes on a specific node for example, the set of kubelets of all nodes would be responsible for restarting it.

Additionally, various resource types allow applications to scale automatically according to demand, making it suitable for all kinds of applications and workloads.

Containerisation can be defined as the act of bundling a software application and all necessary dependencies and system libraries into a single container. [ 44 ] There are various technologies for containerising applications like Docker [ 45 ] or Podman [ 46 ]. Under the hood, they all implement the specifications of the Open Container Initiative [ 47 ] (OCI), making them mostly interchangeable at runtime.

A key property of containers is that they are stateless by default. That means every time a container is started, it has no recollection of past instances of itself or other state.

A Pod is the smallest deployable entity in Kubernetes and consists of one or more containers [ 48 ]. Just like containers, Pods are not persistent by default; if a Pod dies and is restarted, a new replica of the Pod is created, without any memory of previous instances of the Pod.

Container lifecycle hooks are part of the OCI runtime specification [ 49 ] and widely used when working with containers. They are used to intercept specific events in the container lifecycle, for example the container starting or stopping.

Kubernetes ofers a few hooks (more commonly called probes) related to Pod lifecycles, most importantly liveness probes. As the name suggests, liveness probes allow Kubernetes to check that our Pods are still active and have not failed or crashed [ 50 ]. If a liveness probe fails too often, Kubernetes will treat the corresponding Pod as failed, and automatically restart it. This makes them an important tool when developing any kind of failure-resistant application.

In Kubernetes, one usually does not directly create Pods themselves. Instead, there are a number of resources types that create and manage a set of Pods, each having unique use cases, advantages and disadvantages.

A StatefulSet owns a set of Pods and maintains a unique identity for each one, as well as an ordering over all its Pods. The Pod identity it provides includes a network address, (if configured) a dedicated storage mount, a name and and index label. If any Pod that belongs to a StatefulSet fails, for example by crashing or because the associated Liveness Probe fails, a new Pod will be created with the same identity of the failed Pod.

Some applications do require Pods to have some form of persistent storage, or memory, even between restarts. For this purpose, Kubernetes implements the concept of Persistent Volumes (PVs) and Persistent Volume Claims (PVCs).

A PV is a resource in a cluster that provides a piece of storage. Their lifecycle is independent from Pods. If a Pod needs some persistent storage, it can request some via a PVC. In this case, the Pod can only start when a fitting PV binds to its PVC. The volume will then mount in the corresponding container(s) filesystem.

PVs can either be created manually by cluster administrators, or by a StorageClass that is configured to automatically provision PVs when a PVC requests storage from it.

Ceph is a mature distributed file system that is developed for performance, scalability and reliability [ 51 ]. Rook [ 52 ] is a cloud native Kubernetes deployment of Ceph [ 53 ] that allows developers to focus on configuring Kubernetes resources, while silently managing the Ceph file system on all nodes in the background. It does so by providing StorageClasses for various purporses that automatically provision PVs as needed.

The Cloud Native Computing Foundation [ 54 ], an ofshoot of the Linux Foundation [ 55 ], lists Rook as one of only two graduated technologies in the context of Cloud Native Storage. [ 56 ] Graduated projects are "[...] considered stable, widely adopted, and production ready, attracting thousands of constributors". This makes Rook a great choice for managing storage in a Kubernetes cluster.

To achieve a simulation of a distributed P/T net that is as error-free and correct as possible, it is all the more important to eficiently detect as many types of occurring errors during the simulation as possible. This enables their subsequent elimination using appropriate recovery mechanisms in the following prototype (Section 6), thereby ensuring the resilience of the simulators.

For this purpose, various error detection methods described in Section 2.3 are employed, with dynamic runtime analysis, as well as monitoring and logging, playing a key role in identifying potential runtime errors within and between individual simulators. The focus of this prototype is the requirement that it should be possible to detect failures within a simulator.

Besides possible logical and semantic errors—which we already try to detect and resolve within our quality assurance process—the most critical errors to identify are fail-stop errors. These are the kinds of errors that can halt the entire simulation and potentially compromise its results.

A mechanism is therefore required that can identify the fail-stop. For this purpose, the liveliness, i.e., the availability, of the simulator is to be checked at regular short intervals.

Particular attention is given to infrastructure-related faults. Thus, if communication errors occur during the simulation—i.e., errors in data transmission between the distributed components caused by, for example, connection losses or packet loss—they must be detected and reported. Similarly, if system or hardware faults arise due to processor or memory failures or malfunctions, these errors must also be identified for recovery. Furthermore, all external errors, including those due to Force Majeure or specific user inputs, are also known but not relevant to our context of distributed simulations.

In order to detect errors in a simulator, we need an infrastructure that can check the availability of the simulators and, if necessary, start new simulators on other nodes. For this purpose, a container-based infrastructure is built that can recognize failing nodes and control a container’s lifecycle.

In addition, a corresponding HTTP endpoint is required in Renew to check the availability of the simulator. The CloudNative plugin is used to provide this endpoint.

We implement our containers with Docker [ 45 ] and the container orchestration system using Kubernetes [ 43 ] (Section 2.5). For this reason, we can utilize Kubernetes liveness probes to detect the liveness of our simulators.

With this implementation, we can detect failures of physical machines, as Kubernetes detects node failures and reschedules Pods on healthy nodes. Additionally, we can detect failures of the simulator Pods directly if they disturb the availability of the HTTP endpoint of the CloudNative plugin.

This means we can detect fail-stop errors using this method, including crashes, node failures, network errors, and other similar issues. However, Silent errors, like deadlocks in the internal Renew-internal simulation thread pool, would remain undetected.

Our overarching objective is to develop a fully resilient DPTN simulation. However, the present contribution explicitly addresses the resilience of the simulators themselves.

In this context, it is imperative that fail-stop failures afecting individual simulators do not compromise the overall functionality or correctness of the distributed system. To this end, resilience must be ensured through a reactive failure recovery mechanism, as proactive strategies alone are insuficient to eliminate the occurrence of fail-stop failures.

The prototype developed in this work is designed to facilitate reactive recovery from such simulator failures. Specifically, when a simulator process crashes or experiences a fail-stop event, it must be automatically restarted without impairing the operational integrity of the distributed simulation. While a minimal delay associated with the recovery process is unavoidable, it remains functionally inconsequential to the system as a whole.

In accordance with the requirements outlined in Section 6.1, a reactive recovery mechanism is necessary to mitigate the efects of fail-stop events. Given that the distributed P/T nets simulated within the Renew framework are serializable, we adopt a checkpoint-based recovery strategy. This approach entails periodically saving and, if required, reloading the simulation state within Renew.

Each checkpoint must encapsulate the complete state of the simulation, including both the internal markings of all distributed P/T Net (DPTN) instances and the communication state with the synchronization service. This includes metadata on distributed transitions—such as whether a firing request has been issued—and a consistent record of which communication events have been processed up to the checkpoint.

To ensure the durability of checkpoints beyond the occurrence of a fail-stop event, these must be stored in a fault-tolerant, highly available storage system. This storage must not reside within a single container or be bound to a single physical node. Reliance on a single container is inherently fragile, as container failure leads to complete data loss. Similarly, tying checkpoint persistence to a single node is inadequate since a node-level failure would result in the irrevocable loss of all checkpoint data. Consequently, a resilient, distributed storage solution is imperative—one that can withstand partial system failures without compromising checkpoint integrity.

Our distributed simulation system can be viewed as a distributed database system that executes distributed transactions, in the sense that each simulator processes events coming in from the event broker. We can design our system in a way similar to how database systems manage transactions [ 58 ], making sure to uphold the ACID properties that serve as foundational guarantees [ 59, 60 ]. The distributed nature of our system also means we are subject to the constraints of the CAP theorem [ 61 ]. By implementing ACID, we make sure to guarantee Consistency and Partition Tolerance at the cost of Availability, since it’s never possible to guarantee all three properties at once. Sacrificing availability means we may get stuck in a recovery loop for a while, in order to make sure the other properties are upheld.

Upon initialization, a simulator will check if it finds an existing checkpoint, in which case it must assume a previous failure and recover from that checkpoint. Using the list of events from the event broker as a log, it can recover from the failure by replaying uncommited events on top of the latest checkpoint. In order for this to work, we must only commit events (i.e., mark them as processed) once a checkpoint has been created that includes the implications of the events.

To facilitate resilient simulations, we developed a dedicated Renew plugin named DPTNResiliency. This plugin relies on other essential Renew components—specifically, the Simulator and GUI plugins—to enable functionalities such as saving and loading simulation states. It is employed by the DPTNFormalism plugin, introduced in [ 10 ], to execute distributed P/T net simulations.

The DPTNResiliency plugin introduces the console command startResilientSimulation, which initiates the simulation of a specified distributed P/T net. If a checkpoint is available, the simulation automatically resumes from the most recent one. This command serves as the entry point for determining the current simulation state when launching a simulator instance.

Furthermore, the event-streaming mechanism within the DPTNFormalism plugin has been extended to notify the DPTNResiliency plugin after the successful processing of each event. This notification mechanism is essential for persisting and tracking the accurate communication state throughout the simulation. Additionally, the DPTNResiliency plugin manages Kafka commits to make sure events are only marked as read once a checkpoint for them has been created.

The responsibility for checkpoint creation lies with the DPTNResiliency plugin, which utilizes the current marking and communication status. To ensure fault tolerance, especially in the event of a simulator crash, each checkpoint is initially written to a temporary location. Only upon successful creation is it copied to its final destination. Subsequently, the corresponding event is marked as consumed, ensuring that it cannot be processed again.

Checkpoints generated by the DPTNResiliency plugin must be stored in a resilient, highly available storage system. This storage operation is triggered after each Kafka event has been successfully processed. For this purpose, the distributed storage system Ceph [ 57 ] has been selected. Ceph ensures high availability and fault tolerance by requiring a minimum of three participating nodes, thereby eliminating single points of failure and mitigating split-brain scenarios.

The creation of checkpoints can also be regarded as a transaction in a (multi-)database system, making it efectively a sub-transaction in the context of the triggering of a distributed synchronous channel. As its write operations conform to ACID principles, Ceph ensures the correctness and durability of stored simulation checkpoints. Additionally, being a distributed system itself, Ceph also underlies the constraints of the CAP theorem. Being designed to prioritize Consistency and Partition Tolerance, in the event of network partitioning, it may temporarily compromise the availability of specific components to uphold global consistency guarantees, matching the specification of our system.

The DPTNResiliency plugin is implemented as an additional modular Renew plugin. The simulators, as well as the synchronization service, run in Docker containers within Kubernetes (Section 2.5), deployed via StatefulSets that include liveness probes. Kafka (Section 2.2), our event broker, is deployed with high availability on Kubernetes. Attached to each Renew container is a Persistent Volume provided by Rook, the Kubernetes Deployment of Ceph, on which the checkpoints are stored.

Our recovery mechanism is backed by the Kafka event history that acts as a highly available and distributed log. Additionally, our checkpoints are stored on a highly available distributed storage system as well. After processing an event, a simulator creates a checkpoint, using an atomic copy operation when putting it into the right place to prevent checkpoint corruption. Only after the checkpoint is created, the simulator commits its Kafka ofset, marking the event as consumed in the log and making sure it’s not consumed again. Furthermore, any simulator that fails is automatically restarted, which triggers the recovery mechanism that upholds the simulations integrity.

If a failure occurs before a checkpoint for an event is written, the simulator restores from the previous checkpoint and executes the event again, thus recovering successfully. If a failure occurs after a checkpoint is written, but before the Kafka commit has been completed, the simulator restores from the new checkpoint but is unable to execute the event again. This will lead to a global event timeout and the event will be attempted again, in which case it will now succeed, thus completing the recovery. Failures during the recovery process also fall into one of these two categories.

When drawing a parallel to database transactions, it becomes evident that our solution adheres to the ACID properties. If we view the processing of each Kafka event as a single transaction, it becomes clear that our methods guarantee atomicity and durability, in a similar way to how databases implement transaction logic. This is because we either process a single event fully or not at all (in which case we later recover and do process it), and we make the changes durable by writing them to our storage medium. The non-resilient Distributed P/T Net implementation already ensures consistency and isolation and remains unafected by our enhancements.

Altogether, these guarantees fulfill all functional requirements for our prototype, thereby confirming the resilience of the simulators. Nonetheless, one limitation persists: unresolved race conditions exist within the simulation thread pool of Renew. Although a delay mechanism has been introduced to temporarily mitigate this issue—and occurrences are exceedingly rare—it nonetheless imposes a slowdown on the distributed simulation.

Once the setup has been completed, the experiment can be initiated. The simulation commences with the deployment of the four system components. To verify correct execution, the logs of each Pod are inspected to ensure that the simulation is actively running.

Following confirmation of execution, a brief waiting period is introduced. This period is suficiently long to allow the simulation to make measurable progress, yet not so extensive that it reaches completion during this interval.

Subsequently, a fail-stop fault is emulated by deliberately terminating one of the simulator Pods. Upon automatic restart, the process resumes, and the simulation continues until it reaches completion.

k8user@artpc17:~$ kubectl get pods -n dptn NAME READY STATUS RESTARTS AGE consumer-statefulset-0 1/1 Running 0 60s producer-statefulset-0 1/1 Running 0 60s storage-statefulset-0 1/1 Running 0 60s syncservice-statefulset-0 1/1 Running 0 60s k8user@artpc17:~$ kubectl delete pod storage-statefulset-0 -n dptn pod "storage-statefulset-0" deleted k8user@artpc17:~$ kubectl get pods -n dptn NAME READY STATUS RESTARTS AGE consumer-statefulset-0 1/1 Running 0 115s producer-statefulset-0 1/1 Running 0 115s storage-statefulset-0 1/1 Running 0 21s syncservice-statefulset-0 1/1 Running 0 115s

ScriptCommand: Try to load file startscript_storage.txt Opening gui...

Passung args to gui...

Initialising CheckpointStorageServiceImpl with checkpoint Storage-232.rst Starting Simulation... ...

Simulation initialised.

INFO: Record RegisterDownlink sent successfully on topic RegisterTopic.

INFO: Subscribed to topic: receiveMessage.

INFO: Subscribed to topic: sendMessage.

INFO: Consumed event ConfirmDownlink from topic receiveMessage.

INFO: Consumed event ConfirmFiring from topic receiveMessage.

INFO: Fired Confirm Transition of channel: receiveMessage Storage.

INFO: Consumed event UpdateDownlink from topic receiveMessage.

INFO: Consumed event UpdateUplink from topic receiveMessage.

INFO: Consumed event UpdateDownlink from topic receiveMessage.

INFO: Consumed event RequestFiring from topic receiveMessage.

INFO: Record ConfirmDownlink sent successfully on topic receiveMessage.

INFO: Fired Request Transition of channel: receiveMessage in Storage.

INFO: Record UpdateDownlink sent successfully on topic receiveMessage.

...

Upon initiating the simulation, the logs of all simulator instances consistently indicate that the simulation is actively running. As illustrated in Figure 4, Kafka events are successfully transmitted and received, confirming the correct operation of the simulation. In this context, the UpdateUplink and UpdateDownlink events represent communication with the synchronization service regarding updates to the up- and downlinks of the registered distributed synchronous channels. The RequestFiring event is employed to coordinate a distributed firing across all relevant simulators. Upon successful execution, the ConfirmUplink, ConfirmDownlink, and ConfirmFiring events confirm the resulting state changes. Detailed specifications of these event types are provided by Clasen et al. [ 10 ].

Following the deletion of a simulator Pod, Kubernetes automatically initiates a replacement Pod to restore the simulation topology. As depicted in Figure 5, one simulator Pod exhibits a delayed startup relative to the others, corresponding to the previously deleted instance.

Subsequently, once the newly instantiated Pod begins to receive Kafka events, Figure 6 demonstrates that it resumes participation in distributed transitions, including up- and downlink operations. Moreover, an examination of the logs from the remaining simulator Pods verifies that interaction with the restarted Pod is functioning as expected.

This experiment can be replicated with either the Consumer or the Producer Pod, yielding analogous results. These observations collectively substantiate the resilience of our simulator architecture.

• . . . Bing Translate in order to: Translate Text. • . . . DeepL in order to: Translate Text. • . . . ChatGPT in order to: Rephrasing.

• . . . Grammarly in order to: Grammar and spelling check, Repharsing.

After using these tool(s)/service(s), the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.