increases, the time and cost needed for each audit to detect and repair damage increases, reducing their frequency.
At first glance, keeping a petabyte for a century is not difficult. Storage system manufacturers make claims for their products that far exceed the reliability we need. For example, Sun claimed that its ST5800 Honeycomb product had an MTTDL (mean time to data loss) of 2.4×10^6 years.[a,41] Off-the-shelf solutions appear so reliable that backups are unnecessary. Should we believe these claims? Where do they come from?
All that Sun was saying was that if you watched a large number of ST5800 systems for a long time, recorded the time at which each of them first suffered a data loss, and then averaged these times, the result would be 2.4×10^6 years. Suppose Sun watched 10 ST5800s and noticed that three of them lost data during the first year, four of them lost data after 2.4×10^6 years, and the remaining three lost data after 4.8×10^6 years; Sun would be correct that the MTTDL was 2.4×10^6 years. But we would not consider a system with a 30% chance of data loss in the first year adequate to keep a petabyte safe for a century. A single MTTDL number is not a useful characterization of a solution.

Before using Sun’s claim for the ST5800 as an example, I should stipulate that the ST5800 was an excellent product. It represented the state of the art in storage technology, and Sun’s marketing claims represented the state of the art in storage marketing. Nevertheless, Sun did not guarantee that data in the ST5800 would last 2.4×10^6 years. Sun’s terms and conditions explicitly disclaimed any liability whatsoever for loss of, or damage to, the data the ST5800 stores[40] whenever it occurs.

Let’s look at the slightly more scientific claim made at the recent launch of the SC5800 by the marketing department of Sirius Cybernetics:[b] “SC5800 has an MTTDL of (2.4±0.4)×10^6 years.” Sirius implicitly assumes the failures are normally distributed and thus claims that about two-thirds of the failures would occur between 2.0×10^6 and 2.8×10^6 years after the start of the experiment. As Sirius did not start watching a batch of SC5800s 2.8 million years ago, how would they know?

a Numbers are expressed in powers-of-10 notation to help readers focus on the scale of the problems and the extraordinary level of reliability required.
b Purveyors of chatty doors, existential elevators, and paranoid androids to the nobility and gentry of this galaxy.[1]
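The argument above is that an MTTDL figure is an average of first-loss times and says nothing about the shape of their distribution, so it cannot tell you the number that actually matters: the probability of losing data within the period you care about. The following Python block is an added illustration, not code from the article or from Sun or Sirius Cybernetics; it builds the ten-system scenario from the text as a constructed data set, computes its MTTDL, and compares the 100-year loss probability it implies with the much smaller one you would get from an exponential (memoryless) distribution with the same mean. It also checks the normal-distribution reading of the (2.4±0.4)×10^6 claim. The function names are the example's own.

```python
import math

# Constructed scenario from the text: of 10 ST5800s, three lose data in
# the first year, four after 2.4e6 years and three after 4.8e6 years.
SCENARIO_YEARS = [1.0] * 3 + [2.4e6] * 4 + [4.8e6] * 3


def mttdl(times_to_loss):
    """Mean time to data loss: the plain average of observed first-loss times,
    which is all that an MTTDL figure asserts."""
    return sum(times_to_loss) / len(times_to_loss)


def loss_fraction_within(times_to_loss, horizon_years):
    """Fraction of the observed systems that lost data by `horizon_years`."""
    return sum(1 for t in times_to_loss if t <= horizon_years) / len(times_to_loss)


def exponential_loss_probability(mean_years, horizon_years):
    """P(loss within horizon) if times to loss were exponential with the given
    mean: the memoryless assumption behind most MTTDL arithmetic."""
    return 1.0 - math.exp(-horizon_years / mean_years)


def normal_fraction_within(mean, sd, low, high):
    """Fraction of a normal(mean, sd) distribution that falls in [low, high]."""
    def cdf(x):
        return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))
    return cdf(high) - cdf(low)


def compare_at_horizon(times_to_loss, horizon_years):
    """Same MTTDL, two very different answers to 'will I lose data in time T?'"""
    mean = mttdl(times_to_loss)
    return {
        "mttdl_years": mean,
        "observed_loss_probability": loss_fraction_within(times_to_loss, horizon_years),
        "exponential_loss_probability": exponential_loss_probability(mean, horizon_years),
    }


if __name__ == "__main__":
    century = compare_at_horizon(SCENARIO_YEARS, 100)
    print("MTTDL %.1f years" % century["mttdl_years"])
    print("P(loss in 100 y), observed:    %.2f" % century["observed_loss_probability"])
    print("P(loss in 100 y), exponential: %.1e" % century["exponential_loss_probability"])
    # Sirius's (2.4 +/- 0.4) x 10^6 claim read as a normal distribution
    print("normal mass in [2.0e6, 2.8e6]: %.3f"
          % normal_fraction_within(2.4e6, 0.4e6, 2.0e6, 2.8e6))
```

Run as written it reports an MTTDL of about 2.4×10^6 years for the constructed scenario, a 30% observed chance of loss within a century, and roughly a 4×10^-5 chance under the exponential assumption with the identical mean; the normal reading of the Sirius claim puts about 68% of failures in the quoted band. The point to take from the comparison is that a reliability claim is only checkable against a stated mission time and a stated distribution, neither of which a single MTTDL figure supplies.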
Models
The state of the art in this kind of modeling is exemplified by the Pergamum project at UC Santa Cruz.[39] Its model includes disk failures at rates derived from measurements[30,35] and sector failures at rates derived from disk vendor specifications. This system attempts to conserve power by spinning the disks down whenever possible; it makes an allowance for the effect of doing so on disk lifetime, but it is not clear upon what this allowance is based. The Pergamum team reports that the simulations were difficult:

“This lack of data is due to the extremely high reliability of these configurations—the simulator modeled many failures, but so few caused data loss that the simulation ran very slowly.
[Photograph by Taran Rampersad]
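The Pergamum team's remark that the simulator modeled many failures but very few data losses is a general property of simulating highly redundant storage: the event you want to measure is rare relative to the events you have to simulate to reach it. The Python block below is an added illustration of that effect, not the Pergamum simulator or any code from the project; it is a deliberately minimal Monte Carlo of independent two-disk mirrors with exponential disk lifetimes, constructed annual failure rate and rebuild time (not the measured rates Pergamum used), and no sector-failure or spin-down modelling. The function names and parameters are the example's own.

```python
import random

DAYS_PER_YEAR = 365.0


def simulate_mirrored_pairs(pairs, years, afr, rebuild_days, seed=1):
    """Monte Carlo of `pairs` independent two-disk mirrors over `years`.

    Each disk's lifetime is exponential with annual failure rate `afr`
    (a constructed, illustrative parameter). A data-loss event occurs when
    the surviving disk fails before the `rebuild_days` rebuild of its
    partner completes. Returns the number of disk failures the simulation
    had to model and the number of data-loss events it found.
    """
    rng = random.Random(seed)          # fixed seed: reproducible run
    per_disk_daily = afr / DAYS_PER_YEAR
    horizon = years * DAYS_PER_YEAR
    disk_failures = 0
    data_losses = 0
    for _ in range(pairs):
        t = 0.0
        while True:
            # Healthy pair: time to the first failure of either disk
            # (two independent exponentials -> rate is doubled).
            t += rng.expovariate(2.0 * per_disk_daily)
            if t > horizon:
                break
            disk_failures += 1
            # Degraded pair: remaining life of the survivor is again
            # exponential (memoryless), independent of its age so far.
            survivor_life = rng.expovariate(per_disk_daily)
            if survivor_life < rebuild_days and t + survivor_life <= horizon:
                disk_failures += 1
                data_losses += 1
                break                  # this pair has lost data; stop following it
            t += rebuild_days          # rebuild completed, pair is healthy again
    return {"disk_failures": disk_failures, "data_losses": data_losses}


def loss_ratio(result):
    """Fraction of modelled disk failures that turned into data loss."""
    if result["disk_failures"] == 0:
        return 0.0
    return result["data_losses"] / result["disk_failures"]


if __name__ == "__main__":
    # Constructed parameters: 2000 mirrors, a century, 3% AFR, one-day rebuild.
    r = simulate_mirrored_pairs(pairs=2000, years=100, afr=0.03, rebuild_days=1.0)
    print(r)
    print("data-loss events per modelled disk failure: %.1e" % loss_ratio(r))
```

With these constructed parameters the run has to model on the order of ten thousand disk failures to observe only a handful of data-loss events at most, because a loss requires the second disk to fail inside the one-day rebuild window. Estimating the loss rate of a well-protected system to any useful precision therefore needs orders of magnitude more simulated failures than losses, which is exactly the slowness the Pergamum quotation describes; more redundancy makes the ratio, and the problem, worse.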