Membership arbitration by itself is inadequate for complete data protection because it assumes that all systems will either participate in the arbitration or are already down.
Rare situations can arise which must also be protected against. Some examples are:
A system hang causes the kernel to stop processing for a period of time.
The system resources were so busy that the heartbeat signal was not sent.
A break and resume function is supported by the hardware and executed. Dropping the system to a system controller level with a break command can result in the heartbeat signal timeout.
In these types of situations, the systems are not actually down, and may return to the cluster after cluster membership has been recalculated. This could result in data corruption as a system could potentially write to disk before it determines it should no longer be in the cluster.
Combining membership arbitration with data protection of the shared storage eliminates all of the above possibilities for data corruption.
Data protection fences off (removes access to) the shared data storage from any system that is not a current and verified member of the cluster. Access is blocked by the use of SCSI-3 persistent reservations.