| Section | Title | Page |
|---|---|---|
| | Preface | xi |
| | Acknowledgments | xiii |
| 1 | Introduction | 1 |
| 1.1 | A Few Definitions | 3 |
| 1.2 | Organization and Intended Use | 4 |
| 1.3 | Means to Achieve Dependable Software | 6 |
| 1.3.1 | Fault Avoidance or Prevention | 7 |
| 1.3.2 | Fault Removal | 9 |
| 1.3.3 | Fault/Failure Forecasting | 11 |
| 1.3.4 | Fault Tolerance | 12 |
| 1.4 | Types of Recovery | 13 |
| 1.4.1 | Backward Recovery | 14 |
| 1.4.2 | Forward Recovery | 16 |
| 1.5 | Types of Redundancy for Software Fault Tolerance | 18 |
| 1.5.1 | Software Redundancy | 18 |
| 1.5.2 | Information or Data Redundancy | 19 |
| 1.5.3 | Temporal Redundancy | 21 |
| 1.6 | Summary | 21 |
| | References | 23 |
| 2 | Structuring Redundancy for Software Fault Tolerance | 25 |
| 2.1 | Robust Software | 27 |
| 2.2 | Design Diversity | 29 |
| 2.2.1 | Case Studies and Experiments in Design Diversity | 31 |
| 2.2.2 | Levels of Diversity and Fault Tolerance Application | 33 |
| 2.2.3 | Factors Influencing Diversity | 34 |
| 2.3 | Data Diversity | 35 |
| 2.3.1 | Overview of Data Re-expression | 37 |
| 2.3.2 | Output Types and Related Data Re-expression | 38 |
| 2.3.3 | Example Data Re-expression Algorithms | 40 |
| 2.4 | Temporal Diversity | 42 |
| 2.5 | Architectural Structure for Diverse Software | 44 |
| 2.6 | Structure for Development of Diverse Software | 44 |
| 2.6.1 | Xu and Randell Framework | 45 |
| 2.6.2 | Daniels, Kim, and Vouk Framework | 51 |
| 2.7 | Summary | 53 |
| | References | 53 |
| 3 | Design Methods, Programming Techniques, and Issues | 59 |
| 3.1 | Problems and Issues | 59 |
| 3.1.1 | Similar Errors and a Lack of Diversity | 60 |
| 3.1.2 | Consistent Comparison Problem | 62 |
| 3.1.3 | Domino Effect | 68 |
| 3.1.4 | Overhead | 70 |
| 3.2 | Programming Techniques | 76 |
| 3.2.1 | Assertions | 78 |
| 3.2.2 | Checkpointing | 80 |
| 3.2.3 | Atomic Actions | 84 |
| 3.3 | Dependable System Development Model and N-Version Software Paradigm | 88 |
| 3.3.1 | Design Considerations | 88 |
| 3.3.2 | Dependable System Development Model | 91 |
| 3.3.3 | Design Paradigm for N-Version Programming | 93 |
| 3.4 | Summary | 94 |
| | References | 97 |
| 4 | Design Diverse Software Fault Tolerance Techniques | 105 |
| 4.1 | Recovery Blocks | 106 |
| 4.1.1 | Recovery Block Operation | 107 |
| 4.1.2 | Recovery Block Example | 113 |
| 4.1.3 | Recovery Block Issues and Discussion | 115 |
| 4.2 | N-Version Programming | 120 |
| 4.2.1 | N-Version Programming Operation | 121 |
| 4.2.2 | N-Version Programming Example | 125 |
| 4.2.3 | N-Version Programming Issues and Discussion | 127 |
| 4.3 | Distributed Recovery Blocks | 132 |
| 4.3.1 | Distributed Recovery Block Operation | 132 |
| 4.3.2 | Distributed Recovery Block Example | 137 |
| 4.3.3 | Distributed Recovery Block Issues and Discussion | 139 |
| 4.4 | N Self-Checking Programming | 144 |
| 4.4.1 | N Self-Checking Programming Operation | 144 |
| 4.4.2 | N Self-Checking Programming Example | 145 |
| 4.4.3 | N Self-Checking Programming Issues and Discussion | 149 |
| 4.5 | Consensus Recovery Block | 152 |
| 4.5.1 | Consensus Recovery Block Operation | 152 |
| 4.5.2 | Consensus Recovery Block Example | 155 |
| 4.5.3 | Consensus Recovery Block Issues and Discussion | 159 |
| 4.6 | Acceptance Voting | 162 |
| 4.6.1 | Acceptance Voting Operation | 162 |
| 4.6.2 | Acceptance Voting Example | 166 |
| 4.6.3 | Acceptance Voting Issues and Discussion | 169 |
| 4.7 | Technique Comparisons | 172 |
| 4.7.1 | N-Version Programming and Recovery Block Technique Comparisons | 176 |
| 4.7.2 | Recovery Block and Distributed Recovery Block Technique Comparisons | 180 |
| 4.7.3 | Consensus Recovery Block, Recovery Block Technique, and N-Version Programming Comparisons | 181 |
| 4.7.4 | Acceptance Voting, Consensus Recovery Block, Recovery Block Technique, and N-Version Programming Comparisons | 182 |
| | References | 183 |
| 5 | Data Diverse Software Fault Tolerance Techniques | 191 |
| 5.1 | Retry Blocks | 192 |
| 5.1.1 | Retry Block Operation | 193 |
| 5.1.2 | Retry Block Example | 202 |
| 5.1.3 | Retry Block Issues and Discussion | 204 |
| 5.2 | N-Copy Programming | 207 |
| 5.2.1 | N-Copy Programming Operation | 208 |
| 5.2.2 | N-Copy Programming Example | 212 |
| 5.2.3 | N-Copy Programming Issues and Discussion | 214 |
| 5.3 | Two-Pass Adjudicators | 218 |
| 5.3.1 | Two-Pass Adjudicator Operation | 218 |
| 5.3.2 | Two-Pass Adjudicators and Multiple Correct Results | 223 |
| 5.3.3 | Two-Pass Adjudicator Example | 227 |
| 5.3.4 | Two-Pass Adjudicator Issues and Discussion | 229 |
| 5.4 | Summary | 232 |
| | References | 233 |
| 6 | Other Software Fault Tolerance Techniques | 235 |
| 6.1 | N-Version Programming Variants | 235 |
| 6.1.1 | N-Version Programming with Tie-Breaker and Acceptance Test Operation | 236 |
| 6.1.2 | N-Version Programming with Tie-Breaker and Acceptance Test Example | 241 |
| 6.2 | Resourceful Systems | 244 |
| 6.3 | Data-Driven Dependability Assurance Scheme | 247 |
| 6.4 | Self-Configuring Optimal Programming | 253 |
| 6.4.1 | Self-Configuring Optimal Programming Operation | 253 |
| 6.4.2 | Self-Configuring Optimal Programming Example | 257 |
| 6.4.3 | Self-Configuring Optimal Programming Issues and Discussion | 260 |
| 6.5 | Other Techniques | 262 |
| 6.6 | Summary | 262 |
| | References | 265 |
| 7 | Adjudicating the Results | 269 |
| 7.1 | Voters | 270 |
| 7.1.1 | Exact Majority Voter | 273 |
| 7.1.2 | Median Voter | 278 |
| 7.1.3 | Mean Voter | 282 |
| 7.1.4 | Consensus Voter | 289 |
| 7.1.5 | Comparison Tolerances and the Formal Majority Voter | 295 |
| 7.1.6 | Dynamic Majority and Consensus Voters | 303 |
| 7.1.7 | Summary of Voters Discussed | 309 |
| 7.1.8 | Other Voters | 311 |
| 7.2 | Acceptance Tests | 311 |
| 7.2.1 | Satisfaction of Requirements | 314 |
| 7.2.2 | Accounting Tests | 315 |
| 7.2.3 | Reasonableness Tests | 315 |
| 7.2.4 | Computer Run-Time Tests | 318 |
| 7.3 | Summary | 319 |
| | References | 320 |
| | List of Acronyms | 325 |
| | About the Author | 329 |
| | Index | 331 |