We give a formal definition of what it means for a system to "tolerate" a class of "faults". The definition consists of two conditions: One, if a fault occurs when the system state is within a set of "legal" states, the resulting state is within some larger set and, if faults continue occurring, the system state remains within that larger set (Closure). And two, if faults stop occurring, the system eventually reaches a state within the legal set (Convergence). We demonstrate the applicability of our definition for specifying and verifying the fault-tolerance properties of a variety of digital and computer systems. Further, using the definition, we obtain a simple classification of fault-tolerant systems and discuss methods for their systematic design. as traditionally been studied in the context of specifi...

This paper presents fault-tolerant protocols for fast packet switch networks with convergence routing. The objective is to provide fast reconfiguration and continuous host-to-host communication after a link or a node (switch) failure, Convergence routing is a variant of deflection routing, which combines, in a dynamic fashion, the on-line routing decision with the traffic load inside the network. Unlike other deflection techniques, convergence routing operates with global sense of direction and guarantees that packets will reach or converge to their destinations. Global sense of direction is achieved by embedding of virtual rings to obtain a linear ordering of the nodes. We consider virtual ring embeddings over (i) a single spanning tree, and (ii) over two edge-disjoint spanning trees. Thus, the fault-tolerant solution is based on spanning trees and designed for a switchbased (i.e., arbitrary topology) LAN architecture called MetaNet. In this work, the original MetaNet's convergence ...

This document results from the work done by the ENCRESS Application Group "Safety Applications of Computer Based Systems for the Process Industry". The goal is to raise awareness in process industry around the problem of safety applications of computer based systems and provide indications of today's best practices. The document does not intend to be neither a guideline nor a state-ofart. Participation of individuals in the development of this document shall not be construed as an unreserved endorsement of the proposed practices by the individuals or the employers of these individuals.

This paper examines the effects of less than perfect diagnostics coverage on system reliability. The mathematical background for analyzing the coverage factor of fault--tolerant systems is presented in detail as well as specific examples of practical systems and their relative reliability measures. In a complex system, malfunction and even total nonfunction may not be detected for long periods, if ever. --- John Gall