data loss despite the replication and
auditing provided by NetApp’s row-diagonal parity RAID [11].
The CERN study used a program
that wrote large files into CERN’s various data stores, which represent a
broad range of state-of-the-art enterprise storage systems (mostly RAID arrays), and checked them over a period
of six months. A total of about 9.7×10¹⁶
bytes was written and about 1.92×10⁸
bytes were found to have suffered silent corruption, of which about two-thirds were persistent; rereading did
not return good data. In other words,
about 1.2×10⁻⁹ of the data written to
CERN’s storage was permanently corrupted within six months. We can place
an upper bound on the bit half-life in
this sample of current storage systems
by assuming the data was written instantly at the start of the six months
and checked instantly at the end; the
result is 2×10⁸ or about 10⁻² times the
age of the universe. Thus, to reach the
petabyte for a century requirement
we would need to improve the performance of current enterprise storage
systems by a factor of at least 10⁹.
Tolerating failures
Despite manufacturers’ claims, current research shows that state-of-the-art storage systems fall so many orders of magnitude below our bit preservation requirements that we cannot expect even dramatic improvements in technology to fill the gap. Maintaining a single replica in a single storage system is not an adequate solution to the bit preservation problem.
Practical digital preservation systems must therefore:
• Maintain more than one copy by replicating their data on multiple, ideally different, storage systems.
• Audit (or scrub) the replicas to detect damage, and repair it by overwriting the known-bad copy with data from another.
The more replicas and the more frequently they are audited and repaired, the longer the bit half-life we can expect. This is, after all, the basis for the backups and checksums technique in common use. In fact, current storage systems already use such techniques internally—for example, in the form of RAID [29]. Despite this, the bit half-life they deliver is inadequate. Unfortunately, adding the necessary inter-storage-system replication and scrubbing is expensive.
Cost figures from the San Diego Supercomputer Center in 2008 show that maintaining a single online copy of a petabyte for a year costs about $1.05×10⁶. A single near-line copy on tape costs about $4.2×10⁵ a year. These costs decrease with time, albeit not as fast as raw disk costs. The British Library estimates a 30% per annum decrease. Assuming this rate continues for at least a decade, if you can afford about 3.3 times the first year’s cost to store an extra replica for a decade, you can afford to store it indefinitely. So, adding a second replica of a petabyte on disk would cost about $3.5×10⁶ and on tape about $1.4×10⁶. Adding cost to a preservation effort to increase reliability in this way is a two-edged sword: doing so necessarily increases the risk that preservation will fail for economic reasons.
we need to be, and thus the cost of the necessary replication. At small scales the response to this uncertainty is to add more replicas, but as the scale increases this rapidly becomes unaffordable.
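The audit-and-repair requirement stated above (detect damage, then overwrite the known-bad copy from another replica), as an added example that is not from the original article. It assumes there is no trusted checksum manifest, so a strict majority of replicas decides which digest is good; SHA-256, the file names and the `digest`, `scrub` and `demo` helpers are illustrative choices.

```python
import hashlib, shutil, tempfile
from collections import Counter
from pathlib import Path

def digest(path):
    """SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scrub(replicas):
    """Audit one object's replicas and repair damaged ones from a good copy.
    Assumption: there is no trusted manifest, so the digest shared by a strict
    majority of replicas is treated as good. Without a strict majority nothing
    is overwritten, since a repair could replace good data with bad."""
    seen = {}
    for p in replicas:
        try:
            seen[p] = digest(p)
        except OSError:
            seen[p] = None                      # missing or unreadable replica
    votes = Counter(d for d in seen.values() if d)
    good, count = votes.most_common(1)[0] if votes else (None, 0)
    if count * 2 <= len(replicas):
        return "unrecoverable", []
    source = next(p for p, d in seen.items() if d == good)
    repaired = []
    for p, d in seen.items():
        if d != good:
            tmp = Path(str(p) + ".repair")
            shutil.copyfile(source, tmp)
            if digest(tmp) == good:             # verify the copy before the swap
                tmp.replace(p)                  # atomic rename over the bad copy
                repaired.append(p)
            else:
                tmp.unlink()
    return "ok", repaired

def demo():
    """Constructed input: three replicas, one with a single flipped bit."""
    with tempfile.TemporaryDirectory() as root:
        paths = [Path(root) / f"store{i}.bin" for i in range(3)]
        data = b"preserved object " * 1000
        for i, p in enumerate(paths):           # replica 1 gets the flipped bit
            p.write_bytes(data if i != 1 else bytes([data[0] ^ 1]) + data[1:])
        status, repaired = scrub(paths)
        return status, [p.name for p in repaired], len({digest(p) for p in paths})
```

With only two replicas that disagree, `scrub` returns `"unrecoverable"` and leaves both files untouched, which is why the majority rule needs at least three copies to repair anything.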
will be considerably cheaper than operating a set of diverse systems.
Each replica is vulnerable to loss
and damage. Unless they are regularly
audited they contribute little to increasing bit half-life. The bandwidth
and processing capacity needed to
scrub the data are both costly, and adding these costs increases the risk of
failure. Custom hardware [25] could compute the SHA-1 [28] checksum of a petabyte of data in a month, but doing so
requires impressive bandwidth—the
equivalent of three gigabit Ethernet
interfaces running at full speed the entire month. User access to data in long-term storage is typically infrequent; it
is therefore rarely architected to pro-