| Preface | xi |
| Acknowledgments | xiii |
| 1 | Introduction | 1 |
| 1.1 | A Few Definitions | 3 |
| 1.2 | Organization and Intended Use | 4 |
| 1.3 | Means to Achieve Dependable Software | 6 |
| 1.3.1 | Fault Avoidance or Prevention | 7 |
| 1.3.2 | Fault Removal | 9 |
| 1.3.3 | Fault/Failure Forecasting | 11 |
| 1.3.4 | Fault Tolerance | 12 |
| 1.4 | Types of Recovery | 13 |
| 1.4.1 | Backward Recovery | 14 |
| 1.4.2 | Forward Recovery | 16 |
| 1.5 | Types of Redundancy for Software Fault Tolerance | 18 |
| 1.5.1 | Software Redundancy | 18 |
| 1.5.2 | Information or Data Redundancy | 19 |
| 1.5.3 | Temporal Redundancy | 21 |
| 1.6 | Summary | 21 |
| References | 23 |
| 2 | Structuring Redundancy for Software Fault Tolerance | 25 |
| 2.1 | Robust Software | 27 |
| 2.2 | Design Diversity | 29 |
| 2.2.1 | Case Studies and Experiments in Design Diversity | 31 |
| 2.2.2 | Levels of Diversity and Fault Tolerance Application | 33 |
| 2.2.3 | Factors Influencing Diversity | 34 |
| 2.3 | Data Diversity | 35 |
| 2.3.1 | Overview of Data Re-expression | 37 |
| 2.3.2 | Output Types and Related Data Re-expression | 38 |
| 2.3.3 | Example Data Re-expression Algorithms | 40 |
| 2.4 | Temporal Diversity | 42 |
| 2.5 | Architectural Structure for Diverse Software | 44 |
| 2.6 | Structure for Development of Diverse Software | 44 |
| 2.6.1 | Xu and Randell Framework | 45 |
| 2.6.2 | Daniels, Kim, and Vouk Framework | 51 |
| 2.7 | Summary | 53 |
| References | 53 |
| 3 | Design Methods, Programming Techniques, and Issues | 59 |
| 3.1 | Problems and Issues | 59 |
| 3.1.1 | Similar Errors and a Lack of Diversity | 60 |
| 3.1.2 | Consistent Comparison Problem | 62 |
| 3.1.3 | Domino Effect | 68 |
| 3.1.4 | Overhead | 70 |
| 3.2 | Programming Techniques | 76 |
| 3.2.1 | Assertions | 78 |
| 3.2.2 | Checkpointing | 80 |
| 3.2.3 | Atomic Actions | 84 |
| 3.3 | Dependable System Development Model and N-Version Software Paradigm | 88 |
| 3.3.1 | Design Considerations | 88 |
| 3.3.2 | Dependable System Development Model | 91 |
| 3.3.3 | Design Paradigm for N-Version Programming | 93 |
| 3.4 | Summary | 94 |
| References | 97 |
| 4 | Design Diverse Software Fault Tolerance Techniques | 105 |
| 4.1 | Recovery Blocks | 106 |
| 4.1.1 | Recovery Block Operation | 107 |
| 4.1.2 | Recovery Block Example | 113 |
| 4.1.3 | Recovery Block Issues and Discussion | 115 |
| 4.2 | N-Version Programming | 120 |
| 4.2.1 | N-Version Programming Operation | 121 |
| 4.2.2 | N-Version Programming Example | 125 |
| 4.2.3 | N-Version Programming Issues and Discussion | 127 |
| 4.3 | Distributed Recovery Blocks | 132 |
| 4.3.1 | Distributed Recovery Block Operation | 132 |
| 4.3.2 | Distributed Recovery Block Example | 137 |
| 4.3.3 | Distributed Recovery Block Issues and Discussion | 139 |
| 4.4 | N Self-Checking Programming | 144 |
| 4.4.1 | N Self-Checking Programming Operation | 144 |
| 4.4.2 | N Self-Checking Programming Example | 145 |
| 4.4.3 | N Self-Checking Programming Issues and Discussion | 149 |
| 4.5 | Consensus Recovery Block | 152 |
| 4.5.1 | Consensus Recovery Block Operation | 152 |
| 4.5.2 | Consensus Recovery Block Example | 155 |
| 4.5.3 | Consensus Recovery Block Issues and Discussion | 159 |
| 4.6 | Acceptance Voting | 162 |
| 4.6.1 | Acceptance Voting Operation | 162 |
| 4.6.2 | Acceptance Voting Example | 166 |
| 4.6.3 | Acceptance Voting Issues and Discussion | 169 |
| 4.7 | Technique Comparisons | 172 |
| 4.7.1 | N-Version Programming and Recovery Block Technique Comparisons | 176 |
| 4.7.2 | Recovery Block and Distributed Recovery Block Technique Comparisons | 180 |
| 4.7.3 | Consensus Recovery Block, Recovery Block Technique, and N-Version Programming Comparisons | 181 |
| 4.7.4 | Acceptance Voting, Consensus Recovery Block, Recovery Block Technique, and N-Version Programming Comparisons | 182 |
| References | 183 |
| 5 | Data Diverse Software Fault Tolerance Techniques | 191 |
| 5.1 | Retry Blocks | 192 |
| 5.1.1 | Retry Block Operation | 193 |
| 5.1.2 | Retry Block Example | 202 |
| 5.1.3 | Retry Block Issues and Discussion | 204 |
| 5.2 | N-Copy Programming | 207 |
| 5.2.1 | N-Copy Programming Operation | 208 |
| 5.2.2 | N-Copy Programming Example | 212 |
| 5.2.3 | N-Copy Programming Issues and Discussion | 214 |
| 5.3 | Two-Pass Adjudicators | 218 |
| 5.3.1 | Two-Pass Adjudicator Operation | 218 |
| 5.3.2 | Two-Pass Adjudicators and Multiple Correct Results | 223 |
| 5.3.3 | Two-Pass Adjudicator Example | 227 |
| 5.3.4 | Two-Pass Adjudicator Issues and Discussion | 229 |
| 5.4 | Summary | 232 |
| References | 233 |
| 6 | Other Software Fault Tolerance Techniques | 235 |
| 6.1 | N-Version Programming Variants | 235 |
| 6.1.1 | N-Version Programming with Tie-Breaker and Acceptance Test Operation | 236 |
| 6.1.2 | N-Version Programming with Tie-Breaker and Acceptance Test Example | 241 |
| 6.2 | Resourceful Systems | 244 |
| 6.3 | Data-Driven Dependability Assurance Scheme | 247 |
| 6.4 | Self-Configuring Optimal Programming | 253 |
| 6.4.1 | Self-Configuring Optimal Programming Operation | 253 |
| 6.4.2 | Self-Configuring Optimal Programming Example | 257 |
| 6.4.3 | Self-Configuring Optimal Programming Issues and Discussion | 260 |
| 6.5 | Other Techniques | 262 |
| 6.6 | Summary | 262 |
| References | 265 |
| 7 | Adjudicating the Results | 269 |
| 7.1 | Voters | 270 |
| 7.1.1 | Exact Majority Voter | 273 |
| 7.1.2 | Median Voter | 278 |
| 7.1.3 | Mean Voter | 282 |
| 7.1.4 | Consensus Voter | 289 |
| 7.1.5 | Comparison Tolerances and the Formal Majority Voter | 295 |
| 7.1.6 | Dynamic Majority and Consensus Voters | 303 |
| 7.1.7 | Summary of Voters Discussed | 309 |
| 7.1.8 | Other Voters | 311 |
| 7.2 | Acceptance Tests | 311 |
| 7.2.1 | Satisfaction of Requirements | 314 |
| 7.2.2 | Accounting Tests | 315 |
| 7.2.3 | Reasonableness Tests | 315 |
| 7.2.4 | Computer Run-Time Tests | 318 |
| 7.3 | Summary | 319 |
| References | 320 |
| List of Acronyms | 325 |
| About the Author | 329 |
| Index | 331 |
