Formal Methods and the Development of Dependable Systems
1996
Cited by 17 (4 self)
This document type describes the functions, data and dynamic behaviour of an object associated with a specific level. In addition, boundary conditions restricting the class of possible realisations for the object are documented. (2) Architecture Description: This is a design structure which decomposes the object under consideration and/or refines its data structures. The process of decomposition introduces new objects to be associated with a lower level, as well as interfaces between them. Each new object is associated with its own lower-level requirements description. In this way, the alternation between requirements and architecture documents can be recursively applied to the decomposition tree from system to module level
A Trace-Based Compositional Proof Theory for Fault Tolerant Distributed Systems
1993
Cited by 4 (0 self)
We present a compositional network proof theory to specify and verify safety properties of fault tolerant distributed systems. We abstract from the precise nature and occurrence of faults, but model their effect on the externally visible input and output behaviour. To this end a failure hypothesis is formalized as a relation between the normal behaviour (i.e. the behaviour when no faults occur) of a system and its acceptable behaviour, that is, the normal behaviour together with the exceptional behaviour (i.e. the behaviour whose abnormality should be tolerated). The method is compositional to allow reasoning with the specifications of processes while ignoring their implementation details. A compositional formalism to reason about the normal behaviour is extended with a single rule by which a specification of the acceptable behaviour can be obtained from the specification of the normal behaviour and a predicate characterizing the failure hypothesis. Soundness and relative network compl...
Formal Reasoning on Fault Coverage of Fault Tolerant Techniques: a Case Study
Proc. EDCC-1, 1994
Cited by 3 (2 self)
In this paper we show how a formal reasoning can be applied for studying the fault coverage of a fault tolerant technique when the behaviour of a system with a set of predefined faults is considered. This method is based on process algebras and equivalence theory. The behaviour of the system in absence of faults is formally specified and faults are assumed as random events which interfere with the system by modifying its behaviour. A fault tolerant technique can be proved to tolerate the set of predefined faults iff the actual behaviour of the system is the same as the behaviour of the system in absence of faults. The approach is illustrated by considering the design of a stable storage disk.

1 Introduction Before any system can be designed and built, some form of specification of the required behaviour must be available. The specification provides a document against which the behaviour of the system can be judged, and a failure of a system occurs when the behaviour of the system fi...
Concurrency, Faults and Atomic Transactions: Incremental Design for Fault-Tolerance
Presented at and published in the proceedings of the Conference on Information Technology and Education, Ho Chi Minh City, 1998
Cited by 2 (0 self)
We present a case study in formal design of a distributed database. The database supports atomic transactions despite distribution and faults affecting its components. Development proceeds compositionally, from sequential, concurrent to distributed system, while building up capacity of individual components to tolerate an increasing number of faults. The case study illustrates some useful techniques for building fault-tolerant systems in general. We conclude by discussing them and their support in the formalism based on CCS (for implementation) and a version of mu-calculus (for specification and verification). Tomasz Janowski is a Research Fellow of UNU/IIST. He received an MSc in Mathematics from the University of Gdańsk (Poland) and a PhD in Computer Science from the University of Warwick (England). His research interests include logics for provable fault-tolerance, real-time scheduling, formal models for manufacturing and the integration of formal and informal techniques in softw...
Incremental fault-tolerant design in an object-oriented setting
In Proceedings of the Asian Pacific Conference on Quality Software (APAQS'01). IEEE Press, 2001
Cited by 2 (2 self)
With the increasing emphasis on dependability in complex, distributed systems, it is essential that system development can be done gradually and at different levels of detail. In this paper we propose an incremental treatment of faults as a refinement process on object-oriented system specifications. An intolerant system specification is a natural abstraction from which a fault-tolerant system can evolve. With each refinement step a fault and its treatment are introduced, so the fault-tolerance of the system increases during the design process. Different kinds of faults are identified and captured by separate refinement relations according to how the tolerant system relates to abstract properties of the intolerant one in terms of safety and liveness. The specification language utilized is object-oriented and based upon first-order predicates on communication traces. Fault-tolerance refinement relations are formalized within this framework.
Fault-Tolerant Bisimulation and Process Transformations
In Formal Techniques in Real-Time and Fault-Tolerant Systems, 1994
Cited by 1 (0 self)
We provide three methods of verifying concurrent systems which are tolerant of faults in their operating environment - algebraic, logical and transformational. The first is an extension of the bisimulation equivalence, the second is rooted in the Hennessy-Milner logic, and the third involves transformations of CCS processes. Based on the common semantic model of labelled transition systems, which is also used to model faults, all three methods are proved equivalent for certain classes of faults.

1 Introduction Many models of concurrent systems have been proposed in the literature, based on either actions or states. Examples include sequences [MP91], trees [Mil89], machines [LT87], partial orders [Pra86] and event structures [Win89]. They offer different ways of representing executions of systems (linear or branching), their concurrent activity (interleaving or non-interleaving) and interaction (shared memory or message-passing). A concept which unifies various models is a labelled t...
Design and Verification of Distributed Recovery Blocks with CSP
1998
Cited by 1 (1 self)
A case study on the application of Communicating Sequential Processes (CSP) to the design and verification of fault-tolerant real-time systems is presented. The distributed recovery block (DRB) scheme is a design technique for the uniform treatment of hardware and software faults in real-time systems. Through a simple fault-tolerant real-time system design using the DRB scheme, the case study illustrates a paradigm for specifying fault-tolerant software and demonstrates how the different behavioural aspects of a fault-tolerant real-time system design can be separately and systematically specified, formulated, and verified using an integrated set of formal techniques based on CSP.
A Framework for Refining Functional Specifications into Parallel Reconfigurable Hardware Implementations
2005
Reconfigurable logic devices such as the FPGA have brought about a revolution in the field of hardware design. The reduction in development costs has had a huge impact on broadening the scope of applications for which a hardware implementation is a realistic possibility. Current FPGA devices run to many millions of gates, giving a huge potential for efficiency gains, benefiting from the inherently parallel nature of hardware circuits. These devices continue to grow in size, to the end that we can now seriously consider implementing even large scale systems purely in reconfigurable logic. Despite these advances, we find ourselves somewhat lacking in the tools and methodologies required to fully exploit this potential. Issues of hardware implementation and parallelism introduce significant complexity into the design process. We argue that without the correct approach, not only will this potential be under used, but the inherent complexity will undermine people’s
UniForM Workbench - Formal Methods and the Development of Dependable Systems
In this article we describe a formal framework for the development of dependable systems, supporting the systematic development of cooperating mechanisms designed to encounter combinations of threats. We focus on the combination of fault-tolerance mechanisms and security mechanisms in communication protocols. Until recently, fault-tolerant systems and secure systems were discussed and developed, at least in Germany, in different -- often non-communicating -- communities. Based on experiences with systems developed by the author in various industrial projects we motivate that a unified approach for the development of systems that combine both security and fault-tolerance properties will become increasingly important. Practical experience has shown that the a posteriori integration of security features into a fault-tolerant system and vice versa is much more complicated than pre-planning every desired dependability and security feature simultaneously during the specification phase of th...
On Bisimulation, Fault-Monotonicity and . . .
In Proc. 6th AMAST, volume 1349 of LNCS, 1997
We introduce a necessary test for the claims about provable fault-tolerance: having proved to tolerate several faults, we must tolerate (provably) any combination of them. One notable failure to pass this test is bisimulation. The paper presents a class of bisimulations which are fault-monotonic and within CCS support compositional design of component specifications by stepwise refinement, each step increasing or at least preserving the current level of fault-tolerance.