Formal design and verification of a reliable computing platform for real-time control. Phase 1: Results by Caldwell, James L. et al.
NASA Technical Memorandum 102716
FORMAL DESIGN AND VERIFICATION OF
A RELIABLE COMPUTING PLATFORM FOR
REAL-TIME CONTROL
Phase 1 Results
BEN L. DI VITO
RICKY W. BUTLER
JAMES L. CALDWELL
PI..ATi:_]K" F_,__ nLAL-TT_'I'- CONTRjL. P_-4ASL 1:
"3/ol
[',_')O --Z ");'" _
OCTOBER 1990
National Aeronautics and
Space Administration
Langley Research Cenler
Hampton, Virginia 23665-5225
https://ntrs.nasa.gov/search.jsp?R=19900020649 2020-03-19T21:36:25+00:00Z

Contents
1 Introduction 3
2
3
4
5
6
7
8
9
10
11
A Science of Reliable Design
The Role of Formal Methods 5
3.1 Formal Methods is Applied Logic ................ 6
3.2 Levels of Application ....................... 7
The Digital Flight Control Problem
Design of the Reliable Computing Platform 11
5.1 The Uniprocessor Model ..................... 13
5.2 The Synchronous Replicated Model ............... 14
5.3 Asynchronous Replicated System ................ 16
5.4 Hardware/Software Implementation ............... 16
The Role of Reliability Modeling 16
Previous Efforts 19
p0
Overview of Results 21
Specification of the Operating System Workload 22
9.1 Application Definition ...................... 23
9.2 Schedules ............................. 23
9.3 Well-Formedness Conditions ................... 26
Top-Level Specification (Uniprocessor Model) 27
10.1 Uniprocessor State and I/O Types ............... 27
10.2 State Transition Definitions ................... 28
10.3 Actuator Tasks .......................... 29
Second Level Specification (Replicated Model) 30
11.1 Faulty Processors ......................... 31
11.2 The Replicated State ....................... 32
11.3 Replicated System Transitions .................. 32
11.4 ReplicatedActuator Output ................... 34
11.5 Conceptsof Voting and Majority . ............... 35
12 Replicated System Proofs 36
12.1 Fault Model ............................ 36
12.2 FrameworkFor State MachineCorrectness ........... 37
12.3 The CorrectnessConcep_...................... 40
13 Sufficient Conditions for Correctness 45
13.1 ConsensusProperty ........................ 45
13.2 Full RecoveryProperty ...................... 49
13.3 ReplicatedState Invaxiant .................... 52
14 Proofs for Specific Voting Patterns 57
14.1 Continuous Voting ........................ 57
14.2 Cyclic Voting ........................... 58
14.3 Minimal Voting .......................... 59
15 Conclusions and Outlook for the Future 64
1 Introduction
NASA has initiated a major research effort towards the development of a
practical validation and verification methodology for digital fly-by-wire con-
trol systems. The validation process for these systems must demonstrate that
these systems meet stringent reliability requirements. An often quoted re-
quirement is that the flight critical components of commercial aircraft should
have a probability of failure of at most 10 -9 for a l0 hour mission [3]. Under
such a severe reliability requirement, design errors, also referred to in the lit-
erature as generic errors, can not be tolerated. Thus, the validation problem
for life-critical systems can be decomposed into two major tasks:
1. Quantifying the probability of system failure due to physical failure.
2. Establishing that design errors are not present.
Since current technology cannot support the manufacturing of electronic de-
vices with failure rates low enough to meet the reliability requirements di-
rectly, fault-tolerance strategies must be utilized that enable the continued
operation of the system in the presence of component failures. The first task
must therefore calculate the reliability of the system architecture that is de-
signed to tolerate physical failures. The second task must not only establish
the absence of errors in the control laws and their implementation, but also
the absence of errors in the underlying architecture that executes the control
laws. Researchers at NASA Langley Research Center (LaRC) are explor-
ing formal verification as a candidate technology for the elimination of such
errors.
This paper presents the first results of applying formal methods to the
verification of a fault-tolerant operating system that schedules and executes
the application tasks of a digital flight control system. The major goal of this
work is to produce a verified real-time computing platform (both hardware
and software), which is useful for a wide variety of control-system appli-
cations. Towards this goal, the operating system provides a user interface
that "hides" the implementation details of the system such as the redundant
processors, voting, clock synchronization, etc.
This paper describes an abstract model of an architecture for digital con-
trol, a first level decomposition of the model towards a physical realization,
and a mathematical proof that the decomposition is an implementation of
the model.
2 A Science of Reliable Design
Digital control systems are implemented using a combination of hardware and
software components. Fault-tolerant architectures use replicated hardware
resources and majority voting to enable continued operation of the system
in the presence of component failures.
Management of the replicated resources that implement the required fault
tolerance is a complex systems problem. A fundamental problem is the elim-
ination of all single-point failures. Clearly, a simple hardware voter is not
sufficient. The voter itself must be distributed! A second difficulty arises
from the fact that a distributed voter can only mask errors if each repli-
cate receives the same inputs; thus, sensor values must also be distributed
to each processor in a fault-tolerant manner. This problem has been called
the interactive consistency or Byzantine Generals problem. Many algorithms
have been developed to perform this function. How these algorithms can be
incorporated into the fabric of a distributed operating system is at the heart
of fault-tolerant system design.
Mathematical reliability models provide the foundation for a scientific
approach to fault-tolerant system design. Using these models, the impact of
architectural design decisions on system reliability can be analytically evalu-
ated. A reliability model is constructed that abstractly accounts for possible
physical failures and all system recovery processes. The physical failures must
be enumerated and their failure rates determined. The fault arrival rates for
physical hardware devices are available from field data or empirical models
[16]. The fault recovery behavior of a system is strongly dependent upon the
particular fault-tolerant system architecture. The recovery behavior must be
determined by experimentation or by formal analysis.
The justification for building ultra-reliable systems from rephcated re-
sources rests on an assumption of failure independence among redundant
units. The alternative approach of modeling and experimentally measuring
the degree of dependence is infeasible, see [12]. The unreliability of a sys-
tem of replicated components with independent probabilities of failure can
easily be calculated by multiplying the individual probabilities. Thus, the
assumption of independence allows fault-tolerant system designers to obtain
ultra-rehable designs using moderately reliable parts. Often complex systems
are constructed from several ultra-rehable subsystems. The subsystem inter-
dependencies (e.g. due to shared memories, shared power supplies, etc.), can
still be modeled (assuming perfect knowledge about the failure dependencies)
and the system reliability can be computed. Of course, the reliability model
can become very complex.
The validity of the reliability analysis depends critically upon the ac-
curacy of the reliability model. If the reliability model omits certain failure
mechanisms or its representation of the recovery behavior is overly optimistic a,
the predicted probability of failure is inaccurate. Thus, the validation method-
ology must. address the "correctness" of the reliability model with respect to
the actual implementation. Ultimately, a mathematical mapping between the
implementation and the reliability model should be constructed. In this pa-
per, this is not accomplished formally. Nevertheless, the critical assumptions
from which the reliability model is constructed are established by mathemati-
cal proof. In particular, the formal proof establishes that as long as a majority
of the processors are working, the system produces "correct" outputs, that is,
outputs equal to those produced by a non-failed simplex processor running
the same applications as the fault-tolerant system. The key assumption used
in the construction of the reliability model is thai as long as a majority of
processors axe working, the system does not fail, i.e. such "states" are oper-
ational. The "operational" states of the reliability model correspond exactly
to the conditions under which the formal proof establishes that the behavior
of the system is equivalent to a non-failed simplex processor. Another key
concept used in the construction of the reliability model is that there is a
recovery transition for transient faults. The formal proof establishes that the
errors produced by a transient fault are removed from the system within a
bounded amount of time.
Thus, the two validation tasks presented above are largely dominated
by "correctness" demonstrations. Although the first task involves reliability
models, experimental data and numerical calculation, it is essential that the
correctness of the model be demonstrated.
3 The Role of Formal Methods
A major difference between the development effort presented in this paper
and other efforts is the use of formal methods. This approach is born from
1This might occur, for example, if there were errors in the logical design or implemen-
tation of the fault-recovery strategy.
the belief that. the successful engin_ring of complex computing systems will
require the application of rnathcmatwally based analysis analogous to the
structural analysis performed before a bridge or airplane wing is built. The
mathematics for the design of a software system is logic, just as calculus and
differential equations are the mathematical tools used in other engineering
fields.
3.1 Formal Methods is Applied Logic
The application of the tools of mathematical logic and formal proof to the ver-
ification of computer systems, is referred to as formal methods. The various
formal methods techniques are based on formal theories, formal specification
and proof. A development effort based upon formal methods is characterized
by the following steps:
o Formalization of the set of assumptions characterizing the intended op-
erating environment in which the system is to operate. This is typically
a conjunction of assertions M = {A1, A2,..., An} where each A, cap-
tures some constraint on the intended environment. Typically M has
many models but the author of a specification generally has a particular
model in mind.
,
.
The second step is the formal characterization of the system specifi-
cation in the formal theory. This is a statement 5' characterizing the
properties that any implementation must satisfy.
The third step is formalization in the theory of an _mplementation Z.
Typically, an implementation is a decomposition of the specification to
a more detailed level of specification. In a hierarchical design process
there may be a number of implementations, each more detailed than
its specification.
4. The final stage is a proof that the implementation Z satisfies the spec-
ification $ under the assumptions A. Formally, this is a proof of the
statement A D (Z _ 3), where D denotes logical implication. That is,
under any model of .4, Z is an implementation of the specification S.
Ultimately the verification activity depends on the "correctness" of the
assumptions. This suggests a strategy of minimizing both the number and
complexity of the assumptions. Many of the assumptionsare fundamental
laws of mathematics but alsoinclude constraints on the operating environ-
ment in which the system is to be placed. The social process is employed
to verify the correctness of the assumptions. For an interesting discussion of
this view in the context of circuit level hardware verification see [18].
It should also be noted that the outline provided here is inherently hier-
archical. Under the assumptions .A, if implementation 2"1 is shown to be an
implementation of a specification S and 12 is shown to be an implementation
of 2"1 we conclude 2-2 is also an implementation of S. Formally;
A3 (2":3 2-1), (2-1
Logically, this is a simple consequence of the transitivity of implication. Its
significance for a hierarchical verification strategy is obvious; it provides for-
real justification for hnking together a chain of formal proofs of correctness
to show the lowest level decomposition of a series of decompositions is an
implementation of the original specification.
3.2 Levels of Application
Formal methods are the applied mathematics of computer systems engineer-
ing. In other engineering fields, applied mathematics are utilized to the
extent that they are required to achieve acceptable levels of assurance for
safety, performance or rehability. It is often assumed that the application
of formal methods is an "all or nothing" affair. This is not the case. There
are different levels of application. The following is a useful taxonomy of the
degrees of rigor in formal methods:
Level-0: No application of formal methods.
Level-l: Formal specification of all or part of the system.
Level-2: Paper and pencil proof of correctness.
Level-3: Formal proof checked by mechanical theorem prover.
Significant gains in assurance are possible in existing design methodolo-
gies by formalizing the assumptions and constraints, the specification and
the implementation. Experience shows that application of level I alone often
reveals inconsistencies and subtle errors that might not be caught until much
later in the development process if at all. It is generally accepted that the
later a design error is identified the more costly its repair becomes so this
level of application can provide significant benefits.
The use of paper and pencil proof in the design process adds another
level of assurance in design correctness. Level 2 application forces explicit
consideration of the relationships between the implementation and the spec-
ification and often reveals forgotten assumptions or incorrect formalizations.
It can be argued that level 2 application requires scrutiny through the social
process in order to be more effective than level 1.
A proof of correctness is only as good as the prover. Even stronger evi-
dence for correctness can be established by forcing proofs through a mechani-
cal theorem prover. This is level 3 application of formal methods. It must be
noted that there is no guarantee that the implementation of the mechanical
prover is correct or that the hardware on which the mechanical verification
was performed was not faulty. Thus, there is no absolute guarantee of the
correctness of an implementation even after a mechanical proof has been
performed. What is gained by the additional effort, is a detailed argument
for the correctness of the implementation. The process of convincing a me-
chanical prover is really a process of developing an argument for an ultimate
skeptic who must be shown every detail.
Partial application of any of the levels is possible for different parts of the
system. We advocate the application of level 3 formal methods only for the
most critical (and hopefully reusable) system components. What is classified
here as level 1 and level 2 formal methods are being widely applied in the
United Kingdom.
The proofs presented below are level 2, paper and pencil proofs that have
been subjected to peer review.
4 The Digital Flight Control Problem
The control system architecture for aerospace vehicles can be viewed as
hierarchical as shown in figure 1. Each level in the hierarchy represents
different aspects of the design process and involves different validation and
verification issues. The top-level represents the aerodynamic properties of a
rigid body controlled by maneuverable surfaces. The second level represents
the continuous-time feedback-control functions that operate on the aerody-
Aerodynamic Properties ]
I
[Continuous DifferentialEquations Model]
I
ICootrol Bloc Diagraml
I
Application CodeJ
I
[ Operating System [
I
[Redundant, Hardware[
Figure 1: Digital Flight Control System Hierarchy
namic vehicle. The third level represents the block-diagram specification of
the control laws. The fourth level represents the implementation of the con-
trol laws in a executable programming language. The fifth level describes the
system that dispatches the control-law code on a set of redundant hardware
in a manner that provides fault tolerance. The sixth level represents the hard-
ware components of the system. In this project, the design and verification
issues at the bottom two levels of the hierarchy are being explored.
Figure 2 illustrates how the hierarchy above can be further refined 2. Un-
fortunately, there is no quantitative science of hierarchical design. It is widely
accepted that hierarchical design is "good"; however, choosing appropriate
abstractions and selecting convenient interfaces is currently more art than
science. With this in mind, figure 2 should be seen as one of many possi-
ble subjective decompositions although it can be rationally justified and has
2In the graphical convention adopted here, non-overlapping boxes contained within
another box denote horizontal hierarchy or system interfaces. The dependence of an inter-
face on a resource is indicated by placing the dependent box above the box denoting the
resource. Adjacent boxes at the same level within the horizontal hierarchy indicate inde-
pendent resources. Thus, in figure 2 the operating system is dependent on the replicated
processors for implementation; however, the individual processors are not dependent on
one another. Nested blocks denote vertical hierarchy or successive levels of abstraction.
9
Sensors
Digital Flight Control System
Control Application Domain
Continuous Differential
Equations Model
Application Code
Reliable Computing Platform
Operating System
Replzcated Processors
Actuators
Figure 2: Digital Flight Control System Architecture
advantages over many others.
Traversing the horizontal hierarchy at the coarsest level of abstraction
reveals the control application domain, which is built on the reliable com-
puting platform. These in turn view the state of the aircraft through the
sensor/actuator network. Each of these abstractions is decomposed into sub-
levels discussed below. The rationale for choosing the major system inter-
faces at the points noted in figure 2 is based on notions of reusability, a
partitioning of the areas of technical expertise, and the interfaces found in
most computing systems in use today.
The control application domain abstraction isolates one of the two main
10
application specificaspectsof the control system The most abstract view
at.this levelmight be a systemof continuousdiffeJentialequationsmodeling
the control surfacesand aerodynamicpropertiesof the aircraft. Abstractions
below this level include the block-diagram specificationof the control laws
and at the lowestlevel, implementationof the control lawsin an executable
programming languageon the underlying reliable computing platform. Ob-
viously, correctnessat eachlevel is as important as the correctnessof the
computing platform. Formal methods can have an impact on correctness
in areas in the control application domain; however, these issuesare not
addressedhere.
The reliablecomputingplatform dispatchesthe control-law codeand pro-
videsthe interfaceto the networkof sensorsand ac'..uators.Traversingthe hi-
erarchywithin the reliablecomputingplatform abs:faction revealstwo boxes,
onerepresentingthe operating system and the other representing the under-
lying replicated processors. The operating system provides the interface to
the bottom level of the control application domaii_, the application code.
The third component of the control system is the network of sensors and
actuators. Like the control application domain, the sensor actuator network
is highly application dependent. Because of the application specific nature
of this part of the system, we regard this component as being outside of the
reliable computing platform.
The goal of designing and building a truly reusable computing platform
for control applications must be tempered by the fact that application reli-
ability and performance requirements determine the architecture of the sys-
tem. The best we can hope to do is to provide interfaces that are general
enough to support a range of applications while still being specific enough to
enable the development of engineering methodologies supporting their use.
5 Design of the Reliable Computing Plat-
form
The operating system provides the applications software developer a reliable
mechanism for dispatching periodic tasks on a fault-tolerant computing base
that appears to him as a single ultra-reliable processor. Traditionally, the
operating system has been implemented as an executive (or main program)
11
[ Uniprocessor Model
J
Fault-tolerant Synchronous Replicated Model
f
Fault-tolerant Asynchronous Replicated Model
I
[Hardware/Software Implementation 1
Figure 3: Hierarchical Specification of the Reliable Computing Platform
that invokes subroutines implementing the application tasks. Communica-
tion between the tasks has been accomplished by use of shared memory. This
strategy is effective for systems with nominal reliability requirements where
a simplex processor can be used. For ultra-reliable systems, the additional
responsibility of providing fault tolerance makes this approach untenable.
For these reasons, the operating system and replicated computer archi-
tecture must be designed together so they mutually support the goals of the
reliable computing platform. A four-level hierarchical decomposition of the
reliable computing platform is shown in figure 3.
The design philosophy advocated in this paper is to design the system
in a manner that minimizes the amount of experimental testing required
and maximizes the ability to mathematically reason about correctness 3. The
following design decisions have been made toward that end:
• the system is non-reconfigurable
• the system is frame-synchronous
• the scheduling is static, non-preemptive
• internal voting is used to recover the state of a processor affected by a
transient fault
3Ultimately, the quantification of system reliability must be made on the basis of a
mathematical model of the system and the correctness of the model must be demonstrated.
The complexity and number of parameters that must be measured should be minimized
in order to reduce the cost of the verification and validation process.
12
5.1 The Uniprocessor Model
The top level of the hierarchy describes the operating system as a function
that sequentially invokes application tasks. It extends the executive model
by supporting a more sophisticated model of inter-task communication. This
view of the operating system will be referred to as the umprocessor model.
The uniprocessor model is formalized as a state transition system in sec-
tion 10 and forms the basis of the specification for the operating system.
It is essential that the uniprocessor mode] meet the requirements of the
application level (i.e. the control laws). The following is a summary of the
most important, requirements of control-law application tasks:
• Fixed set of tasks
• Hard deadlines
• Multi-rate cyclic scheduling
• Upper bound on task execution time
• Intertask communication
The set of tasks that must be executed is fixed, i.e., there is no arrival of
a task from the external world. The hard-deadline requirement means that
a task must be dispatched and complete within a strict time boundary. In
particular, the time delay between reading a sensor and sending a signal to
an actuator, the transpor_ delay, must be strictly less than a predetermined
value. The required periods of execution are different for different tasks.
Thus, the system must perform multi-rate scheduling. Associated with each
task is an upper bound on execution time. If a task receives input from
another task that has the same execution period, the receiving task must
execute after the source task. Thus, within a "period-class", there is a prece-
dence ordering on the tasks. The relationship between different tasks with
different execution periods, is not constrained.
There are two major design issues at this level--the choice of the schedul-
ing strategy and the choice of intertask communication strategy. There
are many theoretical approaches to scheduling multi-rate periodic tasks.
Scheduling can be classified as either (1) preemptive or non-preemptive or (2)
dynamic or static. Unfortunately, the theoretical results cannot guarantee
that the hard deadlines will be met for any of the non-static or preemptive
algorithms capable of scheduling the real-time control application tasks [2].
Consequently, all commercial aircraft, control systems have been implemented
13
usingastatic, non-preemptivescheduletable. The intertask communications
problem is simplified by the fact. that tasks need only receive data produced
by other tasks after they have terminated. This can been implemented by
use of data buffers 4.
5.2 The Synchronous Replicated Model
Fault tolerance is achieved by voting results computed by the replicated
processors operating on the same inputs. Interactive consistency checks on
sensor inputs and voting actuator outputs requires synchronization of the
replicated processors. This implies the existence of a global time base. In
the absence of technology supporting manufacture of ultra-reliable clocks,
electrically isolated processors can not share a single clock. Thus, fault-
tolerant implementation of the uniprocessor model must ultimately be an
asynchronous distributed system.
Reasoning about asynchronous distributed systems is notoriously difficult s.
Serious validation problems have appeared in previous efforts due to the de-
cision to deal with the asynchrony at the application level s. Thus, it is
advantageous to deal with the complexities due to asynchrony at the lowest
possible level in the system. This isolates the difficulties to a single clock
synchronization function. With a fault-tolerant clock synchronization algo-
rithm at the base of the operating system, the rest of the operating system
can be designed in a synchronous manner. The advantages of this approach
are discussed in [7].
Based on the above considerations, the operating system is being im-
plemented as a synchronous system. Thus, the second level in the hierarchy
describes the operating system as a synchronous system where each replicated
4A fault-tolerant operating system maintains "voted" versions of previous tasks' out-
puts in buffers.
6In fact Lehmann and Shelah [10] claim the analysis of such systems is an order of
magnitude more difficult than reasoning about simply sequential systems
6The AFTI F16 is a good example of the problems that can arise when asynchrony is
present at the application level. There was a significant problem with false alarms caused
by design oversights traced to the asynchronous computer operation [11]. Also the ability
to set effective thresholds for the redundant sensor selection algorithms was seriously
hampered. Thresholds should be tight to filter the effects of failed sensors. Unfortunately,
the thresholds had to be set at 15% to eliminate false alarms due to the asynchrony. But,
with such a large threshold a single channel failure can cause large aircraft transients.
14
processorexecutesthe sameapplication tasks. The existence of a global time
base, an interactive consistency mechanism and a _eliable voting mechanism
are assumed at this level. The formal details of the model, specified as a
state transition system, are described in section 11.
The replicated synchronous model implements 1he uniprocessor model by
voting the synchronized replicates. Voting can tak_ _ place at a number of lo-
cations in the system and associated with each choice are various tradeoffs.
If voting occurs only at the actuators and the inlernal state of the system
(contained in volatile memory) is never subjected to a vote, a single tran-
sient fault can permanently corrupt the state of a good processor. This is
an unacceptable approach since field data indicates that transient faults are
significantly more likely than permanent faults [1._]. An alternative voting
strategy is to vote the entire system state. This approach purges the effects
of transient faults from the system; however, the computational overhead for
this approach may be prohibitive. We observe that voting need only occur
for system state that is not recoverable from sensor inputs. This approach
accomplishes recovery from the effects of transient faults at greatly reduced
overhead, but involves increased design complexit3. The formal models pre-
sented here provide a precise characterization of the minimum voting require-
ments for a fault-tolerant system that purges the effects of transient faults.
There is a trade-off between the rate of recovery from transient faults and the
frequency of voting. The more frequent the voting, the faster the recovery
from transients, but at the price of increased computational overhead.
Voting is dependent upon two additional system activities: (1) the re-
dundant processing sites must synchronize for the vote and (2) single source
input data must be sent to the redundant sites using interactive consistency
algorithms to ensure that each processor uses the s_tme inputs for performing
the same computations.
Voting can take place at different places in the ,,ystem with a correspond-
ing impact on the level of clock synchronization required. If voting takes place
at the instruction level, synchronization must be very tight. If outputs are
voted only after task execution is complete, loose synchronization is possible
lessening the computational burden required for clock synchronization.
15
5.3 Asynchronous Replicated System
At this level, the assumptions of the synchronous model must be discharged.
In [14] Rushby and yon Henke report on the formal verification of Lam-
port and Melliar-Smith's [8] interactive-convergence clock synchronization
algorithm. Consequently, this algorithm can serve as a foundation for the
implementation of the replicated system as a collection of asynchronously
operating processors. Elaboration of the asynchronous layer design will be
carried out in Phase 2 of the research effort.
5.4 Hardware/Software Implementation
Final realization of the reliable computing platform is the subject of the Phase
3 effort. The research activity will culminate in a detailed design and pro-
totype implementation. Figure 4 depicts the generic hardware architecture
assumed for implementing the replicated system. Single-source sensor inputs
are distributed by special purpose hardware executing a Byzantine agree-
ment algorithm. Rephcated actuator outputs are all delivered in parallel to
the actuators, where force-sum voting occurs. Interprocessor communication
links allow replicated processors to exchange and vote on the results of task
computations.
6 The Role of Reliability Modeling
Since reliability is a driving influence on the system design it is essential
that the design be faithfully captured in a reliability model. The reliability
analysis must be sound and the parameters of the reliability model must be
measurable. Although the architecture presented here is parameterized for
an arbitrary number of replicated processors, interactive consistency requires
at least four processors. Thus, a quadruplex is the minimum system config-
uration. A reliability model for a quadruplex version of the system archi-
tecture is shown in figure 5. The horizontal transitions represent transient
fault arrivals. The vertical transitions represent permanent fault arrivals.
These arrive at rate AT and Ap respectively. The backwards arc represents
the disappearance of the transient fault and all errors produced by it. This
is accomplished by voting the internal state. This is sometimes referred to as
16
lProcessor
Replicate
1
Interactive Consistency
Distribution Network
Interprocessor
Comrnunzcation Link
]nterTrocessor
Communication Link
Processor
Replicate
R
illll
[ 1
Actuators J
Figure 4: Generic Hardware Architecture
transient fault "scrubbing". In our system, this scr-lbbing takes place contin-
uously and does not rely upon the system detecting the transient fault. The
presence of the transition from state 2 to state 1 depends upon the proper
design of the operating system so that it can recover the state of a processor
that has been affected by a transient 7. The model has 6 states of which 3
are operational. State 1 represents the initial fault free state of the system.
There are only two transitions from state 1 due to the arrival of either a tran-
7To simplify this discussion, the arrival of a second transient before the disappearance
of the first transient has not been included in the model. TILe complete reliability analysis
will include such events.
17
3Av
Figure 5: Reliability Model of a Quadruplex
sient or permanent fault. These transitions carry the system into states 2 and
4, both of which are not system failure states. This is justified by the main
formal proof presented in the paper which estabhshes that for a quadraplex,
no single fault can cause the system to produce an erroneous output. All of
the transitions except one from these states are due to second failures. These
lead to system failure states. The other transition from state 2 back to state
1 models the transient fault scrubbing process. The main formal proof also
establishes that the system removes the effects of a transient fault within a
bounded amount of time, justifying the inclusion of this transition.
The probability of system failure as a function of 1/p, the rate of re-
covering the state, is shown in figure 6. The model was solved using the
STEM reliability analysis program [1] for the following parameter values:
Ap = lO-4/hour, AT = lO-3/hour and mission time T = 10 hours.
It is worth noting the validation tasks that have been eliminated by not
18
10 -3
...................................... -"" .........-
........ ..................................
10-5 I I I I I I I I
10-s 10 -4 10-3 10-2 10 -1 10 o _01 10 2 10 3 10 4
Mean Time to Recover From Transient (hours)
Figure 6: Probability of failure as a function of 1/p
using reconfiguration. First, it is not necessary to perform fault-injection ex-
periments to measure the recovery time distributions. Second, fault-latency
is of no concern. Fault latency is only a concern when one is trying to detect
and remove a faulty component, because latency merely defers error pro-
duction and thus detection. Third, the logical complexity of the system is
greatly reduced--e.g., no reconfiguration process, the interface to the sensors
and actuators is static as opposed to dynamic. Hence, there are fewer design
errors to be corrected during the validation process.
7 Previous Efforts
Many techniques for implementing fault-tolerance through redundancy have
been developed over the past decade, e.g. SIFT [4], FTMP [5], FTP [6],
19
MAFT [17]. The techniques differ with respect to:
• the unit of fault-isolation and reconfiguration
• the voting strategy
• the level of synchronization
• the verification concept
In FTMP, for example, the unit of reconfiguration is a memory module or a
CPU module. In SIFT, FTP and MAFT, the unit of reconfiguration is an
entire processor. In a reconfigurable system, voting can be used to detect
faults. In the architecture considered here it is assumed that faulty processors
are not removed until after the mission is over. The operating system does
not utilize error reports from the voter. However, it may be desirable to store
these reports in memory for later use by ground maintenance personnel.
Differences between previously developed systems naturally arose from
different design decisions. However, an often overlooked but significant factor
in the development process is the approach to system verification. In SIFT
and MAFT, serious consideration was given to the need to mathematically
reason about the system. In FTMP and FTP, the verification concept was
almost exclusively testing. Obviously, the approach advocated here is one of
formal rigor in specification and verification of the system.
Although several fault-tolerant real-time computing bases have been de-
signed for control apphcations [4, 5, 6, 17], only the SIFT project attempted
to use formal methods. Although many positive theoretical advances were
made, the SIFT operating system was never completely verified [13]. On the
positive side, the concept of Byzantine Generals algorithms was developed
[9]. Also the first fault-tolerant clock synchronization with a mathematical
performance proof was developed [8]. On the negative side, the verified oper-
ating system was not the system running on the hardware. Furthermore, the
verification did not cover key features of the system--clock-interrupt handler,
interactive consistency implementation, the synchronization implementation,
etc.
Unlike the SIFT models, which did not present an operational view of
the scheduling function of the system, the models described here deal with
this functionality in some detail. The SIFT specification was given from the
perspective of an individual task. The specification defined the behavior of a
task given inputs from other tasks. However, it did not describe the required
behavior of the scheduling system. It roughly stated that if a task were
2O
executed and given stable inputs, the output wouht be correct as long as the
system had enough non-faulty hardware. Although there was an abstract
notion of execution windows for the tasks, there was no specification of the
requirement that the operating system must dispalch tasks according to this
schedule. Thus, the specification was incomplete in many important ways.
8 Overview of Results
Before presenting the complete details, we provide an overview of the major
formalizations and results for the reliable computing platform. The Phase
1 work focuses on the first two layers depicted in figure 3. A set of defi-
nitions is introduced to model the scheduling of application tasks. Formal
specifications exist to describe the behavior of the uniprocessor system ab-
straction and the synchronous replicated system design. State transition
systems are used as the underlying model of computation. A framework is
then established to define what it means for one state machine to correctly
implement another. Various sufficient conditions are provided to characterize
when the synchronous rephcated system correctly implements the uniproces-
sor abstraction. Finally, these sufficient conditions are shown to hold for
three methods of voting the internal state information within the rephcated
system.
In accordance with accepted terminology, we consider a fault to be a con-
dition in which a piece of hardware is not operating within its specifications,
and an error to be an incorrect computation result or system output. When
a fault occurs, errors may or may not be produced. Although fault-tolerant
architectures offer a high degree of immunity from hardware faults, there is
a limit to how many simultaneous faults can be tolerated. During system
execution, if this limit is not exceeded, the system will mask the occurrence
of errors so that the system as a whole produces no computation errors. If
the limit is exceeded, however, the system might produce erroneous results.
Consequently, the proofs we construct are expressed in a conditional form
to account for this situation of limited fault tolerance. The main results we
establish can be abstracted by the following formula:
w = = V([rl,...,rn])
where W is a predicate to define a minimal working hardware subset over
21
time, u is the uniprocessor model's system results, rl,..., r, are the results of
the replicated processors, and V is a function that selects the properly voted
values at each step. Thus, as long as the system hardware does not experience
an unusually heavy burst of component faults, the proof establishes that no
erroneous operation will occur at the system level. Individual replicates may
produce errors, but they will be out-voted by replicates producing correct
results.
If the condition W were true 100% of the time, the system would never
fail. Unfortunately, real devices are imperfect and this can not be achieved
in practice. The design of the fault-tolerant architecture must ensure that
the condition W holds with high probability; typically, P(W) > 1 - 10 -9 for
a 10 hour mission is the goal. This provides a vital connection between the
reliability model and the formal correctness proofs. The proofs conditionally
establish that system output is not erroneous as long as W holds, and the
reliability model predicts that W will hold with adequately high probability.
In the formal development to follow, we model the possible occurrence of
component hardware faults and the unknown nature of computation results
produced under such conditions. It is important to note that this modeling
is for specification purposes only and reflects no cognizance on the part of the
running system. We assume a nonreconfigurable architecture that is capable
of masking the effects of faults, but makes no attempt to detect or diagnose
those faults. Each replicate is computing independently and continues to
operate the best it can under faulty conditions; it has no knowledge of its
own faultiness or that of its peers. Thus, wherever the formal specifications
consider the two cases of whether a processor is faulty or not, it is important
to remember that this case analysis is not performed by the running system.
9 Specification of the Operating System Work-
load
Having introduced a sketch of the reliable computing platform design, we
now proceed to its formalization. In this section, the method for specifying
an operating system workload will be presented. It characterizes the interface
between the application software and the operating system. The specification
consists of a generic set of mathematical definitions used in the OS spedfica-
22
tions. For an actual apphcation, these definitions would be instantiated with
appropriate values.
9.1 Application Definition
Let T1,..., TK be the application tasks. Assume each task produces either
actuator output or data values drawn from some domain. These data values
may be provided as inputs to other tasks or serw as state variables. Tasks
have no persistent state variables; the effect of persistent state is achieved by
recirculating task outputs.
Let S1,...,Sv be the sensors and A1,...,Aq be the actuators. Let these
symbols also stand for the sets of values received from the sensors and sent
to the actuators. Also let D_ be the set of data values produced as output by
task T_. These values may be structured objects such as arrays, records, etc.
Thus, if T_ is an actuator task, Di = Aj for some j. Note that this precludes
an actuator task from producing non-actuator data in addition to actuator
data. Let D = U; D_.
Task T_ computes a function f, on a set of input values. Inputs may be
taken from sensor data or the outputs of other tasks. Tasks are prohibited
from having side effects; their only effects are their explicit outputs.
9.2 Schedules
Apphcation tasks are scheduled via a fixed, deterministic sequence of task
executions. A complete, repeating task schedule comprises a cycle.
Cycles are repeated indefinitely and the task execution sequence of one
cycle is identical to the others.
duration.
A cycle is divided into M frames of equal
I ÷ Cycle * I
The frame length is a fundamental unit of time for the apphcation. The
sensors are read at most once per frame and actuators are written at most
23
Frame 0 Tl T2 T3 T1 T4
1 T5 T1 T2 T6 T1
M T1 T9 T8 T4 T7
Figure 7: Execution of tasks.
once per frame. Each frame is divided into subframes of variable length. The
number of subframes is variable also.
j Subframel I "'" I SubframeM, ///// I
I' Framei * I
The number of subframes for the i th frame is given by M_. The time
from the end of the last subframe until the end of the frame is slack time
for performing OS overhead functions. (In some systems non-critical, pre-
emptable tasks are dispatched during this time.) In practice, slack time may
be distributed across the frame and not just appear at the end.
The schedule for an entire cycle would assign task executions to each
subframe. Figure 7 illustrates the concept.
We refer to each site in a task schedule as a cell. A cell is denoted by the
pair (i,j) for the i th frame and jth subframe. A schedule is then given by a
mapping from cells into the scheduled task:
ST: {0..M- 1} x nat --+ {0..K}
24
ST(i,j) gives the task index of the scheduled task for cell (i,j), and 0 for
j> Mi.
Now we must specify the binding of input values for task execution. For
task Ti, we must supply inputs for the arguments of fi. Each input must come
from a prior task execution or be taken as sensor input. So the designation
of a task input will be a triple (i.type, i, j) where i_type E {.censor, cell} with
the meaning:
sensor
cell
value from sensor i in current frame
value from task output in cell (i, j) of current or previous
cycle
A task may get input from a prior task output up to one cycle length in
the past (M frames). By convention, if the task in cell (k, l) receives input
from the task in cell (i,j) where
i> kV(i=kAj>_l)
then the input comes from (i,j)'s task execution during the previous cycle.
A mapping from cells into sequences of triples defines the assignment of
input values to task executions.
TI : {0..M - 1} x nat _ sequence(triple)
TI(i,j) = [(tl,il,jl),...,(t,,i,,j,,)]
for a task with n inputs. The first component of the triple is of type i.type,
which determines whether the input comes from a sensor or another task.
Let TI(i,j)= [] when j > Mi or the task at (i,j) has no inputs.
This suffices to uniquely characterize a task schedule. The functions ST
and TI need to be supplemented by a binding of task outputs to actuators
for "actuator" tasks:
AO: {0..M- 1} x nat _ {i}..q}
AO(i,j) = a to designate that the output of the task at cell (i,j) should go
to actuator a. As before, AO(i,j) = 0 if j > Mi or the task at (i,j) does not
produce actuator output.
25
Since task results may be carried forward from one cycle to the next, it
is necessary to account for the "previous" cycle at system initialization. The
application must define what these previous cycle task outputs should be for
the first cycle to use as task inputs. A function
IR : {0..M - 1} x nat ---* D
is used to characterize the initial task results values. An application must
provide a suitable IR as part of its specification.
The kind of scheduling allowed by the foregoing definitions imposes some
constraints on the application designer. One is that old sensor values from
previous frames are not saved and provided by the OS. To use old sensor
values, a task will have to be introduced in the desired frame that reads the
sensor and "saves" its value as the task output, thereby making it accessible
to tasks in later frames. Alternatively, sensor values could be added to the
output of existing tasks in that frame.
A similar constraint exists for task outputs. Tasks may not provide nor-
real output and actuator output simultaneously. Again, this is overcome by
introducing a separate output task T2 that uses the output of task T1 to
write to an actuator. Such constraints and their consequent work-arounds
via forwarding tasks are conscious design decisions; they result from trading
off desirable functionality against tractability of formal analysis.
9.3 Well-Formedness Conditions
The functions TI and AO must satisfy certain constraints to be well-formed
schedules. First, the data types must be correct:
Vi, j, Vl E {1..]TI(i,j)l} :
TI(i,j)[l] = (t,a,b)
domain(t, ST(i, j )) =
if t = sensor then S_ else range(ST(a,b))
Vi,j : AO(i,j) # 0 _ range(ST(i,j)) = A,
It is also required that at most one output be sent to each actuator in each
frame:
Vi,j,k : AO(i,j) = AO(i,k) _ (j = k V AO(i,j) = 0 V AO(i,k) = 0).
26
The lack of an actuator output for a given frame is permitted.
Because of the convention on cell references described earlier, a schedule
will always be logically admissible and cannot ask for inputs before they are
produced. However, because the subframe index is unbounded, we do need to
ensure that a task is scheduled for every cell referenced in the task schedule.
Vi, j, V(t,a,b) E TI(i,j) : t = cell D _T(a,b) # 0
We can also add reed time constraints, although they probably depend
on design parameters. Let MT(i) be the mazzmum execution time for task
i. Then the slack time Li for the i th frame must satisfy
Mi
Li = tF- _ MT(ST(i,j)) >_ to.
j=]
where tF is the frame time and toll is the time required for the OS to carry
out overhead functions.
10 Top-Level Specification (Uniprocessor Model)
This section continues with the specification effort by putting together a
specification of the top level OS machine. This specification represents the
behavior of the application tasks running on an ideal computer. It defines
the net effect of task execution as seen by the control application. All details
of the replicated system implementation are hidden at this level.
O S_state = (
where
10.1 Uniprocessor State and I/O Types
The state of the ideal OS consists of a frame counter and task outputs pro-
duced in the current and previous cycle. Thus an OS__tatc is a pair:
frame : {0..M - 1},
results : cycle_state )
cycle_state : {0..M - ]} x nat --* D
In these definitions, OS.frame denotes the frame counter while OS.results(i, j)
denotes the task output at cell (i,j) during the current or previous cycle.
27
The application definition needs to provide the initial state values for the
results portion of the state. Any task outputs normally obtained from the
previous cycle need to be given meaningful values. We assume the initial
frame is 0. The initial OS state is then given by the pair (0,IR), where IR
defines the initial results state values.
Inputs are assumed to come from the sensors $1,..., Sv which may be
sampled at most once per frame. Similarly, outputs go to the actuators
A1,...,Aq. To facifitate specification writing, we introduce data types to
represent vectors of sensor inputs and actuator outputs.
si, = vector([1..p])of U,&
Aout = veaoT([1..q])of A,
10.2 State Transition Definitions
Transitions correspond to the execution of all tasks for a single frame. The
state variable OS.frame gives the number of the frame to be executed by
the next transition. After the M th state transition of the current cycle,
OS.frame is reset to 0. After the i th state transition of the current cycle,
OS.results(i,j) contain the results of the latest task executions. Later ceils
of OS.results still contain the results of the prior cycle's task executions.
First, note that we will have occasion to write expressions such as (z +
1) mod M repeatedly. Therefore, let us use the shorthand notation defined
as follows.
z (gy = (z + y) rood M
z O y = (z + M- y) rood M
The OS state transition is defined by the function OS.
OS : Sin × OS_state _ OS..state
OS(s,u) = (u.frame_ 1,M,j. new._esults(s,u,i,j))
Here the variable s stands for the vector of all sensor inputs and u stands
for the current OS state. The result of the function is an ordered pair (f,r)
containing the new frame counter and results state. The subordinate function
new_results is defined below.
28
new_results(s,u,i,j) = if i = u.frame
then ezec( s, u, i, j )
else u.results(i, j )
The results cycle..state is modified only for the current frame; other frames'
portions remain unchanged.
The next item is to define the exec function, which yields the result
of executing the task at cell (i,j). Because the 1asks in a frame may use
the outputs of prior tasks within the same frame, which are computed in
this frame rather than found in the result state, the definition gets a little
complicated. We use two mutually recursive functions, exec and ar9, to sort
things out.
ezec: Sin × OS2tate × {0..M - 1} × nat -_ D
ezec(s,u,i,j) = fST(,.j)(arg(TI(i,j)[1],s,u,i,j),...,arg(TI(i,j)[n],s,u,i,j))
Here fk is the function computed by scheduled task k, arg(...) retrieves the
data value for the task input, and fk has n arguments.
ar9 : triple x Sin x OS_state x {O..M - 1} x nat ---* D
arg(t, s, u,i,j) = if t.type = sensor
then s[t.i]
else if t.i=iAt.j<j
then exec(s,u,i, t.j)
else u.results(t.i, t.j)
The function ezec uses the functions ST and TI from the application
definition to get pointers to the argument values. The function arg does the
detailed work of extracting the appropriate values from the state variables.
10.3 Actuator Tasks
Since actuator outputs are always taken from task outputs, which are recorded
as part of the OS state, we find it convenient to define actuator outputs as a
function only of the OS state, as in a "Moore" style state machine. To cast
actuator outputs into a functional framework, we must account for the case
of an actuator not being sent an output value in a given frame. We assume
29
an actuator may be sent commands as needed by the application, which may
choose not to sent output during some frames. Let us denote by the symbol
¢ the null actuator output, i.e., an output value ¢ indicates the absence of
anything to send to the actuator or a "no update" condition. Then we define
actuator outputs as a function of the OS state using the function UA.
UA(u) = A t(u,k) ]
We use the notation [_=1 all to mean [al,...,am].
The function Act is used to define the output for each individual actuator.
Act(u,k) = I
u.results(u.frame 0 1,j)
if 3j: AO(u.frame G 1,j) = k
¢ otherwise
Because of the application restriction that at most one task output may be
assigned to an actuator, the axiom above leads to a well-defined result. We
need to decrement the frame count by one because of the assumption that
UA is applied to the new state after a transition, where the frame count has
already been incremented.
11 Second Level Specification (Replicated Model)
In this section the specification of the synchronous replicated OS machine
is developed. This specification represents the behavior of the OS and ap-
plication tasks running on a redundant system of synchronized, independent
processors with a mechanism for voting on intermediate states. Sensor inputs
are assumed to be distributed to each processor using an interactive consis-
tency scheme and redundant actuator outputs are assumed to be voted at
the actuators.
Let R be the number of redundant processors. We use {1,...,R} as
processor IDs. Each processor runs a copy of the OS and the application
tasks. The uniprocessor OS state is replicated R times and this composite
state forms the replicated OS state. Transitions for the replicated OS cause
each individual OS state to be updated, although not in exactly the same
way because some processors may be faulty.
3O
11.1 Faulty Processors
The possibility of processors becoming faulty requires a means of modeling
the condition for spedfication purposes and a means of compensating for
fault tolerance purposes. We adopt a worst case tault model. In each frame,
a processor and its assodated hardware is either faulty or not. A fault status
vector is introduced to condition specification expressions on the possibility
of faulty processors.
Assumptions about the faultiness of a processor pertain only to the health
and integrity of the hardware, i.e., its abihty to compute correctly. Desig-
nating a processor as faulty implies nothing abou_ whether any computation
errors have actually occurred; only the potential for errors exists. Given a
nonfaulty status we conclude that no computation errors have occurred.
Voting intermediate results is the way a previously faulty processor recov-
ers valid state information. The voting pattern determines which portions
of the state should be voted on each frame. A state variable that is voted
will be replaced with the voted value regardless of what its current value is
in memory. Some voted values will be based on stored information from the
last frame and some will be based on task outputs computed in the current
frame. For this rephcated OS specification, we will vote the frame counter
on every frame and hence, will not include it in the voting pattern definition.
The results portion of the OS state will be selectively voted. We will not
consider the derivation of voting patterns here; assume they can be derived
from the application task definitions. Let the predicate VP represent the
voting pattern.
VP: {0..M - 1} x nat x {0..M- 1} ---* {T,F}
VP(i,j,n) = Tiff we are to vote OS.results(i,j) during frame n.
Since processors may be faulty and the values of their state variables may
be indeterminate, we introduce a special bottom data object, for specification
purposes only, to denote questionable or unknown data values. The symbol
"±" is used to denote bottom. We regard it as a special data object distinct
from known "good" objects. This usage is intended to model the presence of
potentially erroneous data; we never expect an implementation to represent
such bottom objects explicitly.
Voting is the primary application for _l_. We use the function
maj : sequence(D U {_1_}) _ L' U {-1- }
31
to denote the majority computation. It takes a sequence of data objects of
type D and produces a result of type D. If a majority does not exist, then
maj(S) = L; otherwise, maj(S) returns the value within S that occurs more
than [SI/2 times.
11.2 The Replicated State
The replicated OS state is formed as a vector of uniprocessor 0S states:
Rept_ tate = waor([1..R]) o/os_ t t¢
Thus, if r is a Repl..state value, then r[k] refers to the OS_state for the k th
processor. The OS_state definition is identical to that of the top level OS
specification. To refer to the results element of a replicated OS state we use
the notation r[k].results(i,j).
The initial state of the replicated OS is formed by merely copying the
uniprocessor initial state R times. Thus, we have:
Initial_Repl..state = [L1 (O, IR) ]
where IR denotes the initial results state values as provided in the application
task definitions. We use the notation [,_=1a, ] to mean [al,..., a,_].
Inputs to the replicated processors come from the same sensors as in the
uniprocessor case. The act of distributing sensor values via some kind of
interactive consistency algorithm is assumed to produce R values to present
to the replicated system. Therefore, we introduce a vectorized data type to
use for input variables in the functions below.
ICin = vector([1..R]) of Sin
Thus, if c is an ICin value, then c[k] refers to the sensor inputs for the
k th processor. The Sin definition is identical to that of the top level OS
specification (it is itself a vector of individual sensor input values).
11.3 Replicated System Transitions
Transitions correspond to the execution of all tasks in a single frame for all
replicates. The state variable r[k].frame gives the number of the frame to
be executed by the next transition within processor k. After the i th state
32
transition of the current cycle,r[k].results(i,j) contain the results of the lat-
est task executions. Since the replicated OS state is a vector of uniprocessor
OS states, we can first decompose the Repl_state transition into R separate
cases.
Repl : ICin × Repl_state × f ault.ztat_s _ Repl_sLate
Repl(c,r, #2) = [_=1 RT(c,r,k, i)]
RT is the function used to define the OS state transition for each replicate.
The additional argument i is used to supply assumptions about the cur-
rent fault status of the replicated processors.
fault_status = vector([1..R]) of {T,F}
if[k] is true when processor k is faulty during the current frame. Various
specification functions take i arguments as a way to model possible fault
behavior and show what the system response is under those possibilities.
To define RT we must take into account whether the processor is faulty
and apply voting at the appropriate points. Because voting incorporates
values from all the processors, the entire Repl state is required as an argument
to RT even though it only returns the OS state for the k th processor.
RT(c, r, k, i) = if i[k] then _1_else (frame_vole(r, i), Repl_results(c, r, k, i))
If processor k is faulty, we regard its entire OS state as suspect and therefore
assign it the value _1_;otherwise, we derive the new OS state as a function of
the old state. RT requires the frame counter be voted on every transition.
Voting on the task result state variables is done according to the voting
pattern.
Frame counter voting is straightforward. All processor frame counters
are input to a majority operation. Voting for a frame is based on values
computed during that frame. Consequently, the incremented frame counter
values are used in the specification.
frame_vote(r, i) = maj([_= a FI/, ])
where FVt = if ¢[/] then 2_ else r[l].frame • 1
Because some of the r[l] may be faulty, their old and new frame counter
values are questionable and produce _1_as their votes.
For the results state variables, we need to incorporate selective voting.
The VP predicate determines when and where to vote.
33
Repl_results(c, r, k, q)) =
)ti, j. if VP(i,j,r[k].frame)
then results_vote(c, r, i,j, _ )
else new_results(c[k],r[k],i,j)
The function new_results is defined in the uniprocessor OS specification. It
gives the value of the task results part of the state after a state transition.
Defining the vote of task results is similar to that for the frame counter.
results_vote( c, r, i,j, (b)= maj([_=l RV_ ])
where RVt = if q'[l] then _1_else new_results(c[l],r[l],i,j).
As before, some of the processors may be faulty so some r[l] may have value
_1_. Any task execution on a faulty processor produces 5- as well.
Note that voting within a frame occurs after all computation has taken
place. In particular, the voted value of a task's output is not immediately
available to a later task within the same frame.
11.4 Replicated Actuator Output
As in the uniprocessor case, outputs from the replicated processors go to
the actuators. Each processor sends its own actuator outputs separately.
Therefore, we introduce a vectorized data type to describe the replicated
system outputs.
RAout = vector([1..R]) of Aout
Thus, if b is an RAout value, then b[k] refers to the actuator outputs for the
k th processor. The Aout definition is identical to that of the top level OS
specification (it is itself a vector of individual actuator output values).
The actuator output variables are updated according to the application
function AO in the same manner as the uniprocessor OS. We use the OS func-
tion UA to extract the actuator outputs for each processor in the replicated
system.
RA : Repl_state × fault_status ---+RAout
RA(r,¢b) = [_=_ RA_ ]
where RAk = if O[k] then 5_ else VA(r[k])
RA produces a vector of actuator outputs, one for each processor. Faulty
processors are assumed to produce indeterminate output (5_).
34
11.5 Concepts of Voting and Majority
Correctness proofs for the replicated OS hinge on the properties of voting
and majorities. The purpose of voting is to mask the effects of faulty hard-
ware. We make no attempt to detect faults or diagnose faulty hardware.
Consequently, our model of hardware behavior is very simple: processors are
either faulty or completely healthy. Partial fault conditions are not enter-
talned. Any data residing in a faulty processor has an unknown value; any
computations performed on such data produce unknown results. Everything
we do is aimed toward sufficient conditions for dependable results.
Since processors may be faulty and the values of their state variables may
be indeterminate, we use 2_ to denote questionable or unknown data values.
Any computations thai depend on these values we regard as potentially er-
roneous. We do not require strictness properties such as 2- + 1 = 2-. We do,
however, require the converse:
f_ (x{ :fi 2-) D/j(zl,...,z,_) # 2-
i=1
That is, if all inputs are wen defined, then so is tt_e task output.
Voting with the maj definition means accepting 2- values as inputs. This
raises some questions about the meaning of our formalization. We are implic-
itly extending the data types in the specification by this additional, distinct
value 2_. When the actual hardware receives inputs for voting, however, it
sees only bit vectors. There is no representation for 2_. Can this be a faithful
model of what the hardware is doing?
The answer lies in the fault model we are using. In each frame, we
explicitly consider whether a processor is faulty. The fault status vector
gives us a possible assignment of fault status indications for each processor.
The fault status of a processor can be regarded a_ an additional bit of state
information. We can imagine the Cartesian product of this bit with all the
data values of the OS state as the value set that gets mapped into D U {2_).
The (]artesian product vMues could potentially double the number of values
we might want to include in the specification; in our case we choose to map
all the faulty ones into the single value 2_. Thus, to model the hardware and
OS state relationship more explicitly we could imroduce the interpretation
function
l(v,/) = if f then 2_ els, v
35
to map value v under the fault assumption f. This interpretation can also
be extended to the case of recovering processors.
When maj(S) returns _l_, one of two cases exists: either there is no ma-
jority value or a majority of the Si have value 2_. This may seem anomalous,
but there is no problem with it. We use the _l_ outcome to indicate a lack
of consensus on "good" values, something we consider undesirable. During
the replicated system proofs, we must show (possibly indirectly) that out-
puts going to the actuators produce a consensus on good values, i.e., their
majorities are not _1_.
12 Replicated System Proofs
The methodology for showing that the replicated OS is a correct implementa-
tion of the uniprocessor OS is developed in this section. Previously presented
concepts are put together with a framework for the replicated and unipro-
cessor state machines. Sufficient conditions based on commutative diagram
techniques are derived for showing correctness.
12.1 Fault Model
In each frame, a processor is either faulty or not. A function
•_': {1..R) × nat _ iT, F}
represents a possible fault history for a given set of redundant processors.
.T'(k,n) = T when processor k is faulty in frame n, where n is the global
frame index (n E {0, 1,...}). The results we seek must hold for all _- that
satisfy a condition for maximally unfortunate fault behavior. Consequently,
we will be quantifying over _" and passing it as an argument to various
functions. Let fault_fn be the type representing the signature of _'.
Faults are often distinguished as being either permanent or transient.
While such distinctions are useful, the fault model need not represent them
explicitly. A permanent fault would appear in 9v as an entry that becomes
true for a processor k in frame n and remains true for all subsequent frames.
A transient fault would appear as an entry that becomes true for several
frames and then returns to false_ indicating a return to nonfaulty status, s
SThe operating system does not have knowledge of the fault model. The fault model
36
Application task configurationsand voting patterns determine the num-
ber of frames required to recover from a transient fault. Let NR represent
this number (NR > 0). We define a processor as working in frame n if it is
nonfaulty in frame n and nonfaulty for the previous NR frames. We use a
function _Y to represent this concept.
w: {1..R} × nat × fault_f, {T,F}
l'Y(k,n,_) = (Vj: 0 <_ j <_ rnin(n, NR) D "..T(k,n - j))
The number of working processors is also of interest; hence, the following
definition.
= I{krw(k,n,J:l}l
A processor that is nonfaulty, but not yet working, is considered to be recov-
ering.
Finally, the key assumption upon which correct state machine implemen-
tation rests is given below.
Definition 1 The Maximum Fault Assumption ]or a given fault function .T"
is that w(n,._) > R/2 for every frame n.
All theorems about state machine correctness are predicated on this assump-
tion that there are a majority of working processors in each frame.
12.2 Framework For State Machine Correctness
Previous definitions have characterized the uniprocessor and replicated OS
inputs, outputs, and states. We now build a framework for relating the
two state machines and discussing notions of correctness. These concepts
will be used to derive sufficient conditions for proving a given replicated OS
correctly implements a uniprocessor OS under suitable assumptions about
faulty processors. Let us refer to the uniprocessor state machine as UM and
the replicated state machine as RM.
First note that we have provided next state and output functions for two
state machines, but have not yet related the two levels. Functions needed to
bridge the gap between the two machines are those that do the following:
describes the actual state of the physical processor. Our operating system does not even
try to diagnose faulty processors since it is non-reconfigurable.
37
UR
gs s1
\g c
A
U
y"
R
Figure 8: Commutative diagram for state transitions.
1. Map sensor inputs for UM into replicated sensor inputs for RM.
2. Map replicated actuator outputs from RM into actuator outputs for
UM.
3. Map replicated OS states of RM into uniprocessor OS states of UM.
Introducing these mappings will give us an adequate basis to formalize no-
tions of correctness.
We map from RM to UM by applying the majority function. We map
from UM to RM by distributing data objects R ways. For sensor inputs, we
assume an interactive consistency process is actually used in the system, so
the net effect is that sensor data is merely copied and distributed.
IC : Sin _ ICin
= [2=, ]
The majority mapping on replicated states captures our intuition that a ma-
jority of the processors should be computing the right values. The majority
mapping on actuator outputs models the force-sum voting that takes place
at the actuators themselves.
To facilitate the development of a rigorous framework, we will introduce a
slight generalization of the replicated system involving UM and RM. More
general notation will be used and some general results will be derived where
38
Set
S
A
U
C
B
R
Element Type
Sin
Aout
O S_state
ICin
RAout
Repl_state
Description
Uniprocessor sensor inputs
Uniprocessor actuator outputs
Uniprocessor OS states
Replicated sensor inputs
Rephcated actuator outputs
Replicated OS states
Table 1: Sets of inputs, outputs, and states.
Fn Actual
f os
g Repl
h maj
a UA
j3 RA
IC
v maj
Description
Uniprocessor state transition function
Replicated system state transition function
Replicated to uniprocessor state mapping
Uniprocessor output function
Replicated system output function
Interactive consistency sensor value distribution
Replicated to uniprocessor actuator mapping
Table 2: Functions operating on inputs, outputs, and states.
the specific instantiations required for the replicated system will be trivial.
Relationships among the various entities for the two state machines in this
more general model can be characterized by the commutative diagram in
figure 8. For notational convenience, we have introduced abbreviated symbols
for the sets and mappings involved. Tables 1 and 2 summarize the notation
used and relate the symbols back to the actual instantiations we will use.
Some additional conventions are elaborated next. We will apply an in-
dexing scheme to the inputs_ outputs, and states of UM and RM. The initial
states have index zero. The n th state transition (starting from one) corre-
sponds to global frame index n - 1, and produces a state with index n. The
frame number starts at zero and lags the transition number by one; this is
done to facilitate modular arithmetic on frame numbers. Sensor inputs and
39
actuator outputs axe indexed by state transition number. Finally, transitions
in UM and RM are indexed identically.
Assume the inputs to UM are drawn from an infinite sequence of sensor
values S = [sl,s2,...]. Further assume UM will have states [Uo,Ul,U2,...]
and outputs [al,a_,...]. Similarly, the inputs to RM are drawn from the
infinite sequence C = [cl, c2,...], and RM will have states It0, rl, r2,...] and
outputs [bl, b2,...].
Definition 2 The state machines UM and RM are defined by initial states
Uo and r0, and state transitions that obey the following relations for n > O:
_. = f(sn,_.__) (1)
ao = _(_,_) (2)
rn = g(c,,,r,,__,72) (3)
b_ = _(r.,_:2) (4)
where.72 = [_=1_=(k,n - 1)]
The functions g and fl take an additional argument, a fault status vector,
which is not shown in figure 8. Its role is to model processor hardware
integrity and its use will be clarified in the subsequent formal development.
12.3 The Correctness Concept
Now we may proceed with a development of the correctness criteria. The
approach is based on state machine concepts of behavioral equivalence, spe-
cialized for this application. In essence, what we want to show is that the I/O
behavior of RM is the same as that of UM when interpreted by the mapping
functions 6 and v. We will say that the machine RM correctly implements
UM iff they exhibit matching output sequences when applied to matching
inputs sequences and the Maximum Fault Assumption holds. We will now
proceed to make this more rigorous; in particular, we will define the meaning
of matching I/O sequences.
First note that the relations in (1)-(4) describe the effects of a transition
in terms of the current input value and the previous machine state. Let us
introduce a formulation that defines the output values purely as a function
of the input values and the initial state. In other words, we use the follow-
ing additional notation to "solve" the recurrence relations (1)-(4). Refer to
table 2 as wen.
4O
Definition 3
applications of the state transition functions.
The following notation is used to denote the effects of repeated
s- = [,"_-1s, ] (5)
f°(S°,u) = u (6)
f"(S",u) = f(sn,f"-a(S"-l,u)) (7)
c- = [,"_-1c, ] (s)
g°(C°,r,Y) = r (9)
g°(C",r,g:) = g(c.,g"-l(c_-l,r,g:),y2) (lO)
These relations give us a way to refer to the result of n applications of a state
transition function to a sequence of n input values. Notation such as f" is
used to express an n-fold composition of the funclion f.
With the aid of the notation above, we can now characterize very suc-
cinctly the effects of the two state machines.
Lemma 1 The intermediate states and output values for U M and RM are
given by the following:
u. = f" ( S" , Uo) (11)
r,_ = 9n(Cn, ro,.T) (12)
a. = _(f"(s',uo)) (.. > 0) (13)
b. = _(g"(C",_0,3=),Y.R) (n > 0) (14)
where the machines start with initial states uo, to, and are subjected to input
sequences S", C '_.
Proof. We prove the first two relations by induction on n.
Case 1. n = O. Uo = f°(S°,uo) and r0 = g°(C°,r0,.T') by definition.
Case 2. n > 0. Assume (11) and (12) hold for rn < n.
u. = f(s.,u._l)
= f(s,,f"-l(S"-l,uo)) by induction hypothesis
= f"(S",_o)
r. = g(_.,r._l,_. _)
= g(_,g"-x(C'_-a,ro,._),.T_) by induction hypothesis
= g"(C",ro, J=)
41
The remaining two relations follow immediately from this result and the
definitions of an and b,. •
So far we have only considered the two machines separately. Now we
consider their interaction and formalize the net effect of their joint operation.
By applying the mappings g and v, which relate inputs and outputs between
the two machines, we can define the meaning of matching I/0 behavior.
Definition 4 UM and RM have matching I/0 behavior iff a,_ = v(bn) or
a(f'(S'_,uo)) = v(_(g"(6"(Sn), r0, _-),_-_)) (15)
for given S, .T, and all n > O, where 6n(S ") = [7=1 6(si) ].
The complete correctness criterion is captured by the next definition.
It states that RM correctly implements UM iff they have matching I/O
behavior, provided a fault assumption holds.
Definition 5 RM correctly implements UM under assumption 7:' iff the
following formula holds:
> vs, vn > o: an = (16)
where an = a(f'*(S'*,Uo)) and b. = fY(g"(6"(S"),ro,_'),_-R).
We parameterize the concept of necessary assumptions using the predicate
7_. For the replicated system, it will be instantiated by the Maximum Fault
Assumption:
= (Vm: > a/2).
Definition 5 gives us the formal means of comparing the effects of the two
machines and reasoning about their collective, intertwined behavior. Notice
that the intermediate states {u,} and {r,} and the mapping function h
appear nowhere in Definition 5. Instead, it focuses on the correctness of the
actuator outputs as a function of the sensor inputs; this is what matters to
the system under control. It is incumbent on the proof process to show that
the intermediate states resulting from state transitions are such that (16)
holds.
An important consequence of Definition 5 is that we are assured that the
replicated outputs {b,} do not map via t_ into the value l. This follows
42
because of the condition a,, = u(b,_). The {a,} have been characterized
in terms of the values ct(f"(S",uo)) where the apphcation of f and c_ can
produce no ± values. Therefore, satisfying the conditions in (16) ensures
that u(bn) is always well defined.
Having laid the groundwork of requisite definitions, we may now derive
the usual sufficient conditions for correctness based on commutative diagram
techniques. The following theorem can be understood as showing that two
subdiagrams of figure 8 commute: one for the state transition paths and
another for the output function paths. Although the second subdiagram is
a nonstandard form for commutative diagrams, since it does not depict a
homomorphism, it is nevertheless useful for characterizing the relationship
between the two machines' output values. The significance of the following
theorem is its reduction of proof effort from a formula implicitly quantifying
over all transitions to the proof of several conditions that involve only a single
state or transition.
Theorem 1 (Implementation Theorem) RM correctly implements UM
if the following conditions hold:
(1) Uo = h(ro)
(2) V.T', 7:'(_-) D VS, Vn > O: f(sn, h(rn-,)) = h(g(6(sn),r,_-,,._,z))
(3) V_, 7_(_ ") D VS, Vn > O: a(h(r,,))= u(B(r,,,_ff))
Proof. We need to establish that
v_=,_(_=) n vs, vn > 0, 4. :::_(b.).
First we prove that
vy, 7:,(.r)n vs, vn, _,,,= h(,-,,) (17)
follows by induction on n.
Case 1. n = O. Uo = h(ro) by condition (1).
43
c
Case 2. n > 0. Assume P(.T) and assume the theorem holds for all m < n.
Transform h(r,) as follows.
h(T.) = h(g(_(_.),T._I,_=.'))
= ](_.,h(_._l))
---- U n
by condition (2)
by induction hypothesis
Now proceed to transform u(b.):
_(b.) = _(Z(_., y.'))
= a(h(r_))
= _(_.)
---- a n
by condition (3)
by lemma (17) above
This establishes that RM and UM have matching I/O behavior. •
All that remains is to instantiate Theorem 1 with the actual functions
used in the uniprocessor and replicated OS definitions. All of the instantia-
tions are given in table 2 except the substitution for :P(2-) which is replaced
by (Vm: w(m,5 r) > R/2). Thus, our working correctness criteria are given
by the next definition.
Definition 6 (Replicated OS Correctness Criteria) RM correctly im-
plements UM if the following conditions hold:
(1) =0= maj(,0)
(2) vy, (vm: w(m,y) > R/2)
MS,Vn > O: OS(s,_,maj(r.__))= maj(Repl(IC(s.,),rn__,a_.R))
(3) V_', (Vm: w(m,.T) > R/2) D
VS, Vn > 0: UA(maj(rn)) = maj(RA(r.,U_))
Given the foregoing verification framework, it remains to show that the
Replicated OS Correctness Criteria hold for various postulated voting pat-
terns VP and values of N_, the time it takes to recover from transient faults.
The next section presents additional results to enable such proofs.
44
13 Sufficient Conditions for Correctness
Proving replicated system correctness for a particular voting pattern can be
reduced to establishing sufficient conditions for certain system properties.
The following treatment is based on the use of a Consensus Property, which
relates the state of working processors to the majority of the replicated states.
Following this scheme means formulating a Consensus Property and using it
to prove the Replicated OS Correctness Criteria. This proof is independent
of a particular voting pattern; it need be done only once. Similarly, the
Consensus Property can be established by introducing a Replicated State
Invariant. Then we construct a proof of the invariant based on the Full
Recovery Property, whose statement is generic, but whose proof is different
for each voting pattern.
Adopting this methodology creates the following general proof structure.
Generic State Machine Correctness Criteria
Replicated OS Correctness Criteria
Consensus Property
lr
Replicated State Invaria_t
Full Recovery Property
Voting Pattern
13.1 Consensus Property
The Consensus Property relates certain elements of the replicated OS state to
the majority of those elements. It asserts that if the p,h processor is working
during a frame, i.e., not faulty and not recovering, then its element of the
replicated OS state equals that of the majority, both before and after the
transition. This reflects our intuition that if a processor is to be considered
productive, it must have established a state value that matches the consensus
and will continue to do so after the computations of the current frame. The
property gives us a critical relationship we need to reason about replicated
OS states and how they satisfy the correctness criteria.
45
Definition 7 (Consensus Property) For.T" satisfying the Maximum Fault
Assumption, the assertion
W(p,n - 1,_') _ rn-l[p] = maj(rn_l) A r,_[p] = maj(r,)
holds for all p and all n > O.
To facilitate later proofs, we introduce the following useful lemmas.
Lemma 2 If r is a replicated system state, then
w(n - 1,_') > R/2) A (Vp : W(p,n - 1,_') D rip] = maj(r)) D
maj([tR=_ if ._ff[l] then 5_ else f(r[l])])= f(maj(r)).
Proof. Consider the terms f(r[l]) where /is a working processor, namely
where W(l,n- 1,5 r') = T. The second hypothesis implies rill = maj(r) for
such l, which allows us to write:
f(r[l]) = if W(l,n- 1,_-) then f(maj(r))else f(r[l])
Because W(I,n-1,.T') D'-_ .T'(/,n-l)and _-(l,n-1)= .T2[l ] we can rewrite
the majority argument:
if 9vff[l] then _/_ else f(r[l]) = if }/Y(l,n- 1,9 v) then f(maj(r))
else if U(l,n - 1) then _1_else f(r[l])
Since w(n - 1,.T') > R/2 (majority are working), it follows that a majority
of the conditional terms will reduce to f(maj(r)). •
Lemma 3 (Working Majority Lemma) For n > 0 and .T" satisfying the
Maximum Fault Assumption, if the condition
(Vp: W(p,n - 1,9v) D r.__[p] = maj(r._l))
holds, the following equalities hold as well:
fv" = frame_vote(r._l,_'_)= maj(rn_l).framee 1
rv" = results_vote(1C(s.),rn__,i,j,_)
= new_results(sn, maj(r,___),i,j)
maj(rn) = (fv°,Ai,j. rv°).
46
Proof. Assume14;(p,n- 1,_-) D r._l[p] = maj(r.__) for all p.
the transition that results in r.:
rn = nept(1C(s_),r.-1,72)
= [_=1RT(IC(s,,),r,,__,k,.T_)]
= [L-1i/7."[k] then ± elseuv_]
Consider
(18)
(19)
(20)
using the following additional definitions:
uvk = (fv*,)_i,j. rrk)
fv" = frame_vote(r._l,:Y_)
rrk = if VP(i,j,r,,__[k].frame) then rv ° else nrk
rv" = results-vote(1C(s,,),r.-_,i,J,ZY. R)
nrk = new_results(IC(s,,)[k],r,-l[k],i,j)
This last set follows by expanding the various definitions subordinate to the
transition function Repl. Further expansion and simplification yield:
fv ° = maj([_=l FV, ])
FVz = if _'ff[l] then ± else r,___[l].frame @ 1
rv" = rnaj([f:_ RV, ])
nvz = if .7"2[l ] then ± else new_results(s,,,r.__[l],i,j)
nr_ = new_resuas(s.,r.__[_],/,j)
By applying Lemma 2 to the expressions for fv* and rv* we obtain:
/v" = maj(r.__)./r_mee l (21)
rv* = new_results(sn, maj(r,__l),i,j) (22)
Now consider the majority of r.:
maj(r,_) = maj([f:_ if _'ff[k] then ± else uvk ]) (23)
If k is a working processor, we know by the hypothesis that r,__l[k] =
rnaj(r,_l). Substituting into the definition for nrk yields:
nr ° = new_results( s,_, maj( rn_ x), i, j) = rv °. (24)
47
Applying Lemma 2 again results in
maj(r,) = uvk with (r,__a[k] ,-- maj(r,__l)) = (fv*,Ai,j. rr*)
rr* = if VP(i,j, maj(rn_l).frame) then rv* else nr* = rv*
Hence, maj(r,_) = (fv',Ai,j. rv*). •
Having stated a generic Consensus Property, we assume its truth to
prove the Replicated OS Correctness Criteria hold. (Refer to Definition 6 on
page 44.)
Theorem 2 The Replicated OS Correctness Criteria follow from the Con-
sensus Property.
Proof. Assume the Consensus Property holds. We show that each of the
required criteria follows.
Criterion 1. maj(ro) = maj([f=_ (O, IR) ]) = (O, IR) = Uo.
Criterion 2. Assume the antecedent of criterion (2): (Vm : w(m,._) >
R/2). This condition and the Consensus Property imply that rnaj(rn) =
(fv °, Ai,j. rv') using the Working Majority Lemma, where
fv* = maj(r,__l).frame _ 1
rv ° = new_results(sn, maj(r,___),i,j).
Applying majority to the transition for r,_ yields
maj(r,_) = maj(Repl(IC(sn),r,_l,.T2) )
and we conclude that
maj(Repl(IV(s,_),r,___,.Tn)) = (fv',Ai,j. rv').
Finally, we note that
(fv',Ai,j. rv °) = OS(s,.rnaj(r._a))
which proves criterion (2).
48
Criterion 3. Assume the antecedent of criterion (3): (Vm : w(m,W) >
R/2). Expand the definition of the replicated OS output function.
RA(r,,,_', a) = [_=1RAk ]
RAk = if _-_[k] then A else UA(rn[k])
Invoking the Consensus Property and Lemma 2 produces:
maj( RA(r,_, .F_) ) = U A( rnaj(rn) )
which proves criterion (3). •
13.2 Full Recovery Property
We introduce a predicate, rec, that captures the concept of a state element
having been recovered through voting. It is a function of the last faulty
frame, f, and the number of frames, h, a processor has been nonfau]ty.
rec(i,j,f,h,e)=if h_<l then F
else (VP(i,j,f @ h) A e) V
if i = f_h
then Alr=_(''j}l RI(TI(i,j)[l],i,j,f,h)
else ree(i,j,f,h- l,T)
RI(t,i,j,f,h) = (t.type = sensor) V
ift.i=f_hAt.j<j
then rec(t.i,t.j,f,h,F)
else rec(t.i, t.j, f, h - 1, T)
By recursively following the inputs for the scheduled task at cell (i,j), the
term rec(i,j,f,h,e)is defined to hold iff re_ult._(i,j) should have been re-
stored in frame f_h, provided the processor has been nonfaulty for h frames
and f was the last faulty frame. The Boolean argument, e, indicates whether
the recovery status applies at the end of the frame or sometime before com-
putation is complete. This is necessary to account for the block voting that
occurs at the end of a frame.
49
The conditions for rec can obtain if (i,j) is voted in frame f $ h, or it
is computed in frame f $ h and all inputs have been recovered, or it is not
computed in frame f _ h and was recovered by frame f $ (h - 1). Thus, cell
(i,j) is not recovered if it results from computations involving unrecovered
data, or it has not been voted since the last faulty frame f.
Note that this definition depends only on the voting pattern and the task
input specification (the function TI). It defines the recovery pattern induced
by the specified voting scheme; it is necessary to show that for a particular
voting pattern full recovery is actually achieved within NR frames. The next
definition captures this notion.
Definition 8 (Full Recovery Property) The predicate rec( i, j, f , N R, T)
holds for all i,j, f.
This definition equates full recovery with the predicate rec becoming true
for all state elements (i,j) after NR frames have passed since the last fault.
Later this property will be shown to hold for several different voting patterns.
Lemma 4 Ifrec(i,j,f, NR, T) for alli,j,f andh >_ NR, then rec(a,b,c,h,e)
for all a, b, c, e.
Proof. By induction on the pair d = (h, b) under lexicographic ordering.
Case 1. d = (Na,0). Immediate.
Case 2. d _ (NR, 0). Expanding rec(a, b, c, h, e) in the conclusion we see
that every recursive call rec(w, z,y, z, v) satisfies either z = h - 1 or
z = h A z < b. Thus, d = (h, b) _- (z, x) and the induction hypothesis
can be instantiated in each case to
rec(i,j,f, NR, T) D rec(w,z,y,z,v).
Using the antecedent of the lemma, we infer rec(w, z, y, z, v), i.e., each
recursive call evaluates to T. Hence, the conditional term in the rec
definition evaluates to true regardless of the VP term, and consequently
rec(a, b, c, h, e) holds as well. •
5O
Lemma 5 The functions rec and exec are related by the followtng formula.
i = f ¢ h A " (VP(i,j,f ¢ h) A e)/X rec(7,j,f,h,e) A
(Va, b : rec(a,b,f,h- 1,T) _ u.results(a.b)= v.results(a,b))
D
ezec(s,u,i,j) = ezec(s,v,i,j).
Proof. By induction on j.
Case 1. j = 0. From the hypothesis rec(i,j,f, h, T) we have:
rec(i, O, f, h, T)
ITI(i,o)l
= A RI(t,i,o,f,h) where t = TI(i, 0)[l] (25)
l=l
ITI(i,O)l
= A (t.type = sensor V rec(t.i,t.j,f,h- 1,T)) (26)
/=1
Expanding the term ezec(s, u,i, j) in the conclusion:
exec(s,u,i,O) = fsT(i.o)(al,...,a,_)
a, = arg(t,s,u,i,O) where t :: TI(i,O)[l]
= if t.type = sensor then s[t.i] else u.results(t.i,t.j)
Let bl,...,b, be the corresponding arguments in ezec(s,v,i,O). If
t.type = sensor then at = bz. Otherwise, (26) and the lemma hy-
potheses allow us to conclude
u.results( t.i,t.j) = v.resul_s( t.i,t.j )
for each t. Hence, at = bl and ezec(s,u,i,O) = ezec(s,v,i,O).
Case 2. j > 0. As before, expand the terms with ezec and rec:
e ec(s, ,i,j) =
al = arg(t,s,u,i,j) where t = TI(i,j)[1]
= if t.type = sensor then sit.i]
else if t.i = i A t.j < j
51
rec(i,j,f,h,T) =
then ezec(s,u,i, t.j)
else u.results( t.i, t.j )
ITX(i.Y)I
A RI(t,i,j,f,h) where t = TI(i,j)[l]
/=1
ITI(i,J)l
A (t.type = sensor) V
I=1
ift.i = f@ h A t.j < j
then rec( t.i, t.j, f, h, F)
else rec(t.i, t.j, f, h - 1, T)
Let bt represent the al terms with v substituted for u. Now consider
the cases suggested by the conditional expressions above. In each case
we will show that at = b_.
Case 2.1. t.type = sensor, al and bl both reduce to s[t.i].
Case 2.2. t.type _ sensorAt.i = iAt.j < j. It follows that rec(t.i, t.j, f, h, F)
holds and al = ezec( s, u, i, t.j ). The induction hypothesis gives:
rec(z,y,f,h,F) D ezec(s,u,z,y)= ezec(s,v,z,y)
from which ezec(s,u,i,t.j) = ezec(s,v,i,t.j) follows and hence,
al = bl.
Case 2.3. t.type y_ sensor A (t.i _ i V t.j > j). In this case it follows
that rec(t.i,t.j,f,h- 1, T) holds and az = u.results(t.i,t.j). The
lemma hypotheses provide
u.results( t.i, t.j ) = v.results( t.i, t.j )
and thus, al = bl.
With all arguments a, = b,,weconcludethat e_ec(s,_,i,j) = e_ec(s,v,i,j).
13.3 Replicated State Invariant
As a practical matter, it is necessary to prove the Consensus Property by
first establishing an invariant of the replicated OS state. Such an invariant
52
relates the valuesof the nonfaulty processorstates to the majority value
of replicated OS states. To do so, it is necessaryto identify the partially
recoveredvaluesof OSstatesfor recoveringprocessors.
Expressingthe invariant below requiresa function 7"lto determinehow
manyconsecutiveframesa processorhasbeenhe',dthy(without fault).
7"[(k, n,.T) = if n = 0 then NR
else if .T(k,n - 1) then 0 else 1 + Tl(k,n- 1,_')
7-I gives the number of healthy frames for processor k prior to the n th frame,
except when k has had no faults at all. In this case _ returns NR + n, which
is a way to model that the initial state appears as if k had been healthy for
NR frames already. The purpose of this quirk is to allow the invariant to
work for values of n < Nn when no faults have occurred. Moreover, it makes
the definitions of 7"l and W consistent. In particular, one consequence of the
definition is that
7 (k,n + i,y) > lvR - w(k, (27)
In an analogous way, we introduce a function L: that gives the last faulty
frame prior to a given point.
£:(k,n,.T) = ifn=0then -NR
else if .T(k,n - 1) then n - 1 else f_.(k,n - 1,.T)
If f is the last faulty frame for processor k prior to frame n,/_(k, n, .T') returns
f. If no faults have occurred, the value -NR is returned. This ensures that
the following relation holds:
£:(k,n,._-) + 7-/(k,n,.T') = n. (28)
We proceed by proving a Replicated State Invariant that relates certain
elements of the replicated OS state to the majority of those elements. The
invariant states that if the pth processor is nonfaulty during a frame, i.e.,
working or recovering, then its frame counter after the transition equals that
of the majority. It also relates this processor's results state values to the
majority if they have been recovered, as determined by the function rec.
53
Definition 9 (Replicated State Invariant) For fault function _r satisfy-
ing the Maximum Fault Assumption, the following assertion is true for every
frame n:
(n = 0 V~ Y:(p,n- 1))
rn[p].frame = maj(rn).frame = n rood M A
(Vi,j : rec(i,j,£(p,n,:F), 7"l(p,n,._),T)
r,_Lp].results(i,j) = maj(r,).results( i,j) ).
Lemma 6 If the Replicated State Invaviant holds for a particular value of
n, then
(Vp: 7"l(p,n,.T) >_ NR _ r,,[p] = maj(rn))
is a consequence of the Full Recovery Property.
Proof. Assume 7"l(p,n,J r) k NR, from which Lemma 4 and the Full Recov-
ery Property provide us with
Vi, j,f : rec(i,j,f,7"l(p,n,_),T). (29)
The Replicated State Invariant allows us to infer:
(n = 0 V "-..T(p,n- 1)) D
r,_].frame = maj(r,_).frame A
(Vi,j : rec(i,j,f..(p,n,Y),7"l(p,n,Jr),T) 3
rn_].results( i,j) = maj(rn).resuIts( i,j) ).
This fact along with (29) imply all components of rn[p] and maj(r,_) match;
consequently r.[p] = maj(r,_). •
Theorem 3 The Replicated State Invariant follows from the Full Recovery
Property.
Proof. We use proof by induction on n.
Case 1. n = 0. maj(ro) = rnaj([_= a (O, IR)]) = (O, IR) = ro[p] for all p.
Hence, roll.frame = maj(ro).frame = 0 mod M and ro_].results(i,j)=
maj(ro).results(i,j) for all i,j.
54
Case 2. n > 0. Express r,_ in terms of r,,__ via Repl:
r, = Rept(Ie(s,),r,_l,_2) = [_=_ if J:2[k] then ± else ,,v_ ]
using the following additional definitions:
uvk = (]v',_i,j.,_)
iv'= f,'am__vot_(,',,__,.r2)
rrk = if VP(i,j,r,,__[k].frame) then rv* else nrk
rv* = results_vote(IC(s,),r,___.i,j,:Y, R)
nrk = new_results(s,,r,,__[k],i,j)
(30)
Lemma 6 and the induction hypothesis imply:
(vk: _(k,,_ - 1,J=)> lv_ _ ,o__[k]= maj(T°__)).
Since 142(k,n - 1,_) _ 7"l(k,n - 1,.7") _> NR, the Working Majority
Lemma yields
fv" = maj(r,,_l).framee 1 (31)
rv* = new_results(s,_,maj(r,_l),i,j) (32)
maj(r,,) = (fv*,$i,j. rv*) (33)
First, we establish the frame counter part of the invariant. Evaluate
r,[p].frame for p nonfaulty in frame n- 1. (30) yields r,,[p].]rame =
uvp.frame = fv*, and by (33) we deduce r,,[p].frame = maj(r,_).frame.
Also, (31) implies maj(rn).frame = n rood M.
Next, we establish the results part of the invariant. Assume its an-
tecedent:
rec( i, j, £(p, n, .7"), _(p, n, .7"), T)
which implies 7-/(p, n, .7-) > 1 and hence n - 1 = 0 V _ .7"(p, n - 2).
Therefore, the induction hypothesis yields
r,__[p].frame=maj(r,_l).frame=(n- 1) mod M. (34)
Case 2.1. VP(i,j,r,,__].frame). This allows the following:
r,,[p].results(i,j) = rrp = rv" = ,naj(r,).results(i,j).
55
Case 2.2..-_ VP(i,j,r,_l[p].frame). As before, we begin evaluating:
r,[p].results(i,j) = rr, = nr, = new_results(s,,r._l[p],i,j).
Expanding new_results, (34) permits us to write:
nr, = if i= maj(r,_l).]rame
then ezec(sn, r,_l[p],i,j)
else r,_, [p] .results(i, j)
Now consider the two cases of the conditional.
Case 2.2.1. i = maj(r,_l).frame. Since
maj(r,___).frame = (n-l) mod M = f_(p,n-l,:7:)eg(p,n-l,Y)
invoking Lemma 5 on the induction hypothesis yields:
nrp = ezec(s.,r._l[p],i,j)= ezec(s.,maj(r,__l),i,j)= nr*
from which we infer that
r,, _p].r esults( i, j ) = may ( r,, ).results( i, j ).
Case 2.2.2. i # maj(r,_x).frame. In this case, nr v = r,_l[p].results(i,j).
Expanding rec produces:
rec( i, j, f_(p, n, Jr), 7"l(p, n, _), T) =
rec(i,j,f.(p,n,Y), - 1,T).
In this case we know 7-/(p, n, Y) - 1 = 7"/(p, n - 1,._') and
f_(p,n,Y) = £(p,n- 1,_')so
rec(i,j,L(p,n- 1,_-), 7-/(p,n- 1,_-),T)
holds as well. Invoking the induction hypothesis then yields
r,_lN.results(i,j) = maj(r,_l).results(i,j)
and nrp = nr" and r,[p].results(i,j)= maj(rn).results(i,j).
56
Having estabhshed the Replicated State Invariant, we use this result to
prove the Consensus Property (Definition 7 on page 46) holds.
Theorem 4 The Consensus Property follows from the Replicated State In-
variant and the Full Recovery Property.
Proof. Assume (Vm: w(m,_') > R/2) holds. Assume W(p,n- 1,J r) holds
as well. Since
w(p,n- 1,Jr) _ 7t(p,n- 1,_)_> _R
Lemma 6 for index n - 1 implies r,-l[p] = maj(r.__). Since
W(p,n - 1,y) = 7_(p,n,7)> NR
invoking Lemma 6 again with index n produces the other half of the Con-
sensus Property conclusion: r,[p] = maj(r,). •
14 Proofs for Specific Voting Patterns
With the general framework established thus far, the replicated system design
is verified on the premise that the Full Recovery Property holds. This prop-
erty depends on the details of each voting pattern and must be established
separately for each. Following are three voting schemes and their proofs. The
last one is the most general and constitutes the goal of this work; the other
two can be seen as special cases whose proofs are simpler and instructive.
14.1 Continuous Voting
We begin with the simplest case, namely when the voting pattern calls for
voting all the data on every frame. Clearly, this leads to transient fault
recovery in a single frame. Although the entire state of a recovering processor
is restored in one frame, our formalization of rec assumes one frame is used
to recover the frame counter, so the conservative assignment NR = 2 is used.
Definition 10 The continuous voting version of the replicated OS uses the
assignments VP(i,j, k) = T for all i,j, k, and Nn = 2.
57
Theorem 5 The continuous voting pattern satisfies the Full Recovery Prop-
erty.
Proof. Since VP(i,j,k) holds for all i,j,k, and NR = 2, expanding the
definition of rec shows that rec(i,j, f, NR, T) reduces to T for all i,j, f. •
14.2 Cyclic Voting
In this section, we consider a more sparse voting pattern, namely voting only
the data computed in the current frame. Only the portion of r.results(i,j)
where i = r.frame is voted; the other M - 1 portions are voted in later
frames. This leads to voting each part of the results state exactly once per
cycle and therefore leads to transient fault recovery in M + 1 frames. (One
frame is required to recover the frame counter.) The proof in this case is
only slightly more difficult.
Definition 11 The cyclic voting version of the replicated OS uses the as-
signments YP(i,j,k) = (i = k) for all i,j,k, and NR = M + 1.
As an example of the cyclic voting pattern, suppose we have a four frame
cycle. Then voting will proceed as depicted below.
n Frame
1 0
2 1
3 2
4 3
5 0
State components voted
results(O,j) Vj
results(1,j) Vj
results(2,j) Vj
results(3,j) Vj
results(O,j) Vj
Theorem 6 The cyclic voting pattern satisfies the Full Recovery Property.
Proof. Since VP(i,j,f (3 h) reduces to i = f _3 h, the definition of rec
becomes
rec(i, j, f, h, T) = if h < 1 then F else i = f @ h V tee(i, j, f, h - 1, T).
Thus, it follows that
rec(i,j,f, NmT) = rec(i,j,f,M + 1,T)
= (i=f(Be) v(i=f_3)V...V(i=f_(M+l))
Because the modulus of _ is M this expression evaluates to T. •
58
14.3 Minimal Voting
The last case is concerned with the most general characterization of voting re-
quirements. Minimal votin 9 is the name used to describe these requirements
because they represent conditions necessary to recover from transient faults
via the most sparse voting possible. These conditions actually define a large
family of voting patterns including Continuous Voting and Cyclic Voting;
patterns satisfying the conditions can vary widely in the amount of voting
used. Thus, it is possible to use the following result to design voting patterns
that can trade transient fault recovery rate for lower voting overhead.
Central to the approach is the use of task I/O graphs. These are graphs
constructed from the application task specifications embodied in the function
TI. Nodes in the graph denote cells in the task schedule and directed edges
correspond to the flow of data from a producer task to a consumer task.
Sensor inputs and actuator outputs have no edges in these graphs. Associated
with edges of the graph are voting sites that indicate where task output data
should be voted before being supplied as input to the receiving task. An
actual voting pattern as specified by the predicate VP would assign these
votes to specific frames.
With these notions in hand, the essence of the Minimal Voting scheme
is that every cycle 9 of the task I/O graph should be covered by at least
one voting site. It is possible to place more than one vote along a cycle
or place votes along noncyclic paths, but they are unnecessary to recover
from transient faults. Such superfluous votes may be desirable, however, to
improve the transient fault recovery rate. We now proceed to formalize and
prove the Minimal Voting claim.
Definition 12 A task I/0 graph G:(V,E) contains nodes vi • V that cor-
respond to the cells (i,j) of a task schedule. Edge,_ consist of ordered pairs
(va,v2) where ((il,jl),(i2,j2)) • E iff output from cell (il,jl) is used as input
to (i:,j2).
Definition 13 A path through the task I/O graph G = (V, E) consists of
a sequence of nodes P = [v_,...,v,_] such that (vi, vi+l) • E. A cycle is a
path C = [v_,...,v,,,v_]. The frame length of an edge e = ((il,j_),(i2,j2)) is
9We are using the graph theoretic concept of cycle here, as opposed to the terminology
introduced earlier of a frame cycle consisting of M contiguous frames in a schedule.
59
given by:
M ifil=i2Ajl>_j2fl(e) = i2 @ il otherwise
The frame length of a path is the sum of the frame lengths of its edges. Let
FL(P) denote the frame length of path P.
Definition 14 Let C1,...,C,_ be the cycles of graph G, and P1,...,P, be
the noncyclic paths of G. Define the following maximum frame length values
for cycles and noncyclic paths:
Le = max((FL(C,)})
LN = max({FL(P_)}) + 1
Note that noncyclic paths may share edges with cycles in the graph, but may
not contain a complete cycle. LN is increased by one to account for the frame
at the beginning of the path.
Definition 15 The minimal voting condition is specified by the following
constraint on V P :
VC E cycles(G):
3((a, b),(c, d)) c, 3.f:
V.P(a,b,f) A(a --cAb >_ dV0 _< fea < cea)
and the assignment N_ = Lc + Llv + M.
The condition requires at least one vote along each cycle. There is a caveat,
however, on where the votes may be placed. Because voting occurs at the end
of a frame, a vote site may not be specified on an edge between two cells of
the same frame. Such placements are ruled out by the condition above. The
bound NR includes a worst case length to restore a state element, Lc ÷ LN,
plus an additional M frames to account for maximum latency due to when
the last fault occurred within the schedule. Note that all cycles must have
frame lengths that are multiples of M.
Figure 9 illustrates the definitions above for a graph embedded in a four
frame schedule. The graph shown has one cycle with frame length four
(Lc = 4) and a single vote site. The voting pattern would be specified by
VP(1, 0, 2) = T to indicate that results cell (1,0) is voted in frame 2. The
6O
Vote
0 1 2 3
Figure 9: Example of task I/O graph.
longest noncyclic path has frame length three (LN = 4). Thus, the voting
pattern meets the Minimal Voting condition and we assign it NR = 12.
To facilitate the proof, we introduce several additional definitions.
Definition 16 A recovery tree is derived from the' expansion of the recursive
function rec applied to specific arguments. Nodes of the tree are associated
with terms of the form rec(i,j,f,h,e). The tree is constructed as follows.
Associate the root with the original term rec(i,j,f,h,e). At each node, ex-
pand the rec function. If VP(i,j, f _ h) A e is true, mark the node with a
T. Otherwise, evaluate the conditional term of the rec definition. Create a
child node for each recursive call associated with the appropriate term and
repeat the process. If evaluation shows only sensor inputs are used at a node,
mark it with a T. If evaluation terminates with h < 1, mark the node with
an F. After building the tree out to all its leaves, work back toward the root
by marking each parent node with the conjunction of its child node markings.
Thus, construction of the recovery tree for a term rec(i, j, f, h, e) corresponds
to building a complete recursive expansion of the Boolean term. The marking
' 61
rec(O,O,2,2, T) T
rec(2,0,2,4, T)
F_I, 0, 2, 3, T)
rec(1,O,2,2,T)
F () rec(1,0,2,1,T)
Figure 10: Recovery tree for term rec(2, 0, 2, 4, T) of sample graph.
at the root after the construction process is the value of the term.
Definition 17 The frame length of an edge (vl,v2) in a recovery tree, where
vl = (ia,j_,f_,h_,el) andv: = (i2,j2,f2,h2, e_), is given by [h2-hxl E {0,1}.
The frame length of a path in the tree is the sum of the frame lengths of the
edges in the path.
Figure 10 shows the recovery tree for term rec(2, 0, 2,4, T) applied to the
graph in figure 9. In this case, the four healthy frames are insufficient to
recover the value of cell (2, 0); eight frames are required.
Lemma 7 If all leaves of a recovery tree are marked T, then the root must
be marked T.
Proof. By induction on the height h of the tree.
62
Case 1. h = 0. The tree consists of a single node and the root must be T.
Case 2. h > 0. Let Ca,...,C,_ be the children of the root. Each Ci is the
root of a subtree of height at most h- 1 with leaves marked T. Hence,
the induction hypothesis imphes each C_ is marked T and their parent
must be as well. •
Definition 18 Let GP(P) map a path P = [ul,.. ., u,_] from a recovery tree
into the analogous path in the corresponding task I/0 graph. Form P' =
Iv1,..., v,_] by retaining only those nodes from P a_,'ising from a computation
frame (i = f @ h). Then let GP(P) = [(il,j_),...,(i,_,j,,)] where (ik,jk) is
taken from the rec term of vk.
Lemma 8 If a path P from a recovery tree begins and ends with a compu-
tation node, then FL(GP(P))= FL(P).
Proof. Along the path P in the tree, between every successive pair of compu-
tation nodes lying in different frames there will be .fl(e) - 1 noncomputation
nodes one frame apart, where e is the edge in the task graph correspond-
ing to this pair. Each of these tree edges contributes a frame length value
of one. Computation nodes within the same frame give rise to fl(e) = 0,
which corresponds to tree nodes having the same b value and hence, a frame
length contribution of zero for the edge. Summing all the contributions makes
FL(GP(P)) = FL(P). •
Theorem 7 The minimal voting condition satisfi,:s the Full Recovery Prop-
erty.
Proof. To show rec(i,j, f, NR, T), construct the recovery tree for this term.
Consider each leaf node vi and its path Pi to the root w. Let Pi be the
concatenation of three subpaths X,Y,Z, where Y is the maximal subpath
beginning and ending with a computation node. Let u be the first node of
Y. Hence, Z has no computation nodes and FL(Z) < M. By Lemma 8, it
follows that FL(GP(Y))= FL(Y).
Case 1. GP(Y) has no cycles. Since GP(Y) is acycfic and begins with a
computation node, u must have only sensor inputs and X is empty
63
and u = vl. Furthermore, FL(Y) = FL(GP(Y)) < LN and since
NR = Lc+LN+M, FL(Pi) _< NR-2 andvi's h > 1. Hence, viis
marked with T.
Case 2. GP(Y) has a cycle. Since each cycle contains a vote site, which
would terminate the recursion of rec, there can be only one cycle and
it must be span the front of GP(Y) with vi as the voting node. The
remainder of GP(Y) must be acyclic. Hence, FL(Y) = FL(GP(Y)) <
Lc+L_v and FL(Pi) _< NR-2and vi's h > 1. Hence, viis marked
with T.
Consequently, all leaves vi are marked with a T. By Lemma 7, it follows that
the root is likewise marked with T and therefore rec(i, j, f, Nn, T) holds. •
The results presented above are conservative, being based on a loose upper
bound for NR. The actual N_ for a given graph will be somewhat smaller.
The worst case for the graph of Figure 9 is actually 10 frames versus the
estimated value of NR = 12. In addition, for more dense and highly regular
voting patterns such as Continuous Voting and Cyclic Voting, we can obtain
more accurate values and it would be inadvisable to apply the Minimal Voting
bound to these cases.
An important consequence of the Minimal Voting result is that if a graph
has no cycles, then no voting is required! In this case the recovery time would
be given exactly by Nn = LN + M. Although such a task graph is untypical
for real control systems, there may be applications that could be based on
this kind of design.
15 Conclusions and Outlook for the Future
In this paper, a paradigm for specifying and verifying operating systems for
fault-tolerant, reM-time control systems is developed. The paper develops a
uniprocessor top-level specification that models the system as a single (ultra-
reliable) processor and a second-level specification that models the system in
terms of redundant computational units. There is no notion of redundancy in
the top-level specification. The paper then develops an approach to proving
that the second-level specification is an implementation of the top level. The
64
paper explores different strategies for voting and develops a correctness proof
for three voting strategies.
The specifications have been written using traditional mathematical no-
tation rather than a specific formal specification language. The next phase of
the research project will be to translate these specifications into the EHDM
specification language and mechanically verify the proofs. Also, work will
continue towards a third-level specification that includes more implementa-
tion detail
The first version of the operating system described here has been greatly
simplified to facilitate the formal verification process. Nevertheless, an evo-
lutionary process is envisioned for this system. The growth will take place in
several different directions leading to a family of verified reusable operating
systems. The first direction of evolution is in the area of scheduling. The
following progression in capabihty is under consideration:
• rigid identical schedule on all processors
• non-deterministic but identical workloads on each processor
• non-deterministic and different workloads on each processor
The fault-tolerance strategy options include:
• non-reconfigurable
• static reconfiguration
• dynamic reconfiguration
Continued development and evaluation of the intermediate results will
determine these choices and other areas of investigation.
65
References
[1]Butler, Ricky W.; and Stevenson, Philip H. 1988: The PAWS and STEM
Reliability Analysis Programs. NASA Technical Memorandum 100572,
March.
[2] Elvany, Michelle C. Mc 1988: Guaranteeing Deadlines in MAFT. In
IEEE Real-Time Systems Symposium, Huntsville, AL., December.
[3] FAA 1988: System Design and Analysis. U.S. Department of Trans-
portation, Advisory Circular AC 25.1309-1A, June.
[4]Goldberg, Jack; et al. 1984: Development and Analysis of the Software
Implemented Fault-Tolerance (SIFT) Computer. NASA Contractor Re-
port 172146.
I5]Hopkins, Albert L., Jr.; Smith, T. Basil, III; and Lala, Jaynarayan H.
1978: FTMP -- A Highly Reliable Fault-Tolerant Multiprocessor for
Aircraft. Proceedings of the IEEE, vol. 66, no. 10, pp. 1221-1239, Octo-
ber.
[6] Lala, J. H.; Alger, L. S.; Gauthier, R. J.; and Dzwonczyk, M. J.
1986: A Fault-Tolerant Processor to Meet Rigorous Failure Require-
ments. Charles Stark Draper Lab., Inc., Technical Report CSDL-P-2705,
July.
[7] Lamport, Leslie 1984: Using Time Instead of Timeout for Fault-Tolerant
Distributed Systems. A CM Transactions on Programming Languages
and Systems, vol. 6, no. 2, pp. 254-280, April.
is] Lamport, Leslie; and Melliar-Smith, P. M. 1987: Synchronizing Clocks
in the Presence of Faults. Journal of the ACM, vol. 32, no. 1, pp. 52-78,
January.
I9]Lamport, Leslie; Shostak, Robert; and Pease, Marshall 1982: The
Byzantine Generals Problem. A CM Transactions on Programming Lan-
guages and Systems, vol. 4, no. 3, pp. 382-401, July.
[10] Lehmann, Daniel; and Shelah, Saharon 1982: Reasoning with Time and
Chance. Information and Control, vol. 53, pp. 165-198.
66
[11] Mackall, Dale A. 1988: Experiences With a Flight-Crucial Digital Con-
trol System. NASA Technical Paper 2857, November.
[12] Miller, Doug 1988: Making Statistical Inferences about Software Relia-
bility. NASA Contractor Report 4197, December.
[13] Peer Review of a Formal Verification/Design Proof Methodology. NASA
Conference Publication 2377, July.
[14] Rushby, John; and von I-Ienke, Friedrick 198!1: Formal Verification of
a Fault Tolerant Clock Synchronization Algo,ithm. NASA Contractor
Report 4239, June.
[15] Siewiorek, Daniel P.; and Swarz, Robert S. 1982: The Theory and
Practice of Reliable System Design. Digital Press.
[16] U.S. Department of Defense. Reliability PredTction of Electronic Equip-
ment, January. MIL-HDBK-217D.
[17] Walter, C. J.; Kieckhafer, R. M.; and Finn, A. M. 1985: MAFT: A
Multicomputer Architecture for Fault-Tolerance in Real-Time Control
Systems. In IEEE Real-Time Systems Symposium, December.
[18] Weise, Daniel 1989: Constraints, Abstraction, and Verification. In
Workshop on Hardware Specification, Verification and Synthesis: Math-
ematical Aspects, Cornell University, Ithaca, N.Y. Springer Verlag.
67
N/LRA
1. Report No.
NASA TM- 102716
4 Title and Subtme
Report Documentation Page
l 2. Government Accession No. 3 Recipient's Catalog No.
{) Report Date
Formal Design and Verification of a Reliable
Computing Platform for Real-Time Control--Phase
Results
7. Author(s)
Ben L. DiVito
Ricky W. Butler
James L. Caldwell
9. Performing Organization Name and Address
Langley Research Center
Hampton, VA 23665-5225
12. Sponsoring Agency Name and Address
National Aeronautics and Space Administration
Washington, DC 20546
15. Supplementary Notes ..............
Ben L. DiVito: Vigyan, Inc., Hampton, Virginia.
Ricky W. Butler and James L. Caldwell:
October 1990
6 Perform,_90rga-r',-_zat,on-Cod-e .......
8. Performing Organization Report No.
10. Work Unit No.
505-66-21-01
I1. Contract or Grant No
13. Type of Report and Period Covered
Technical Memorandum
14 Sponsoring Agency Code
Langley Research Center, Hampton, Virginia
16. Abstract
Th_pmeems a high-level design for a reliable computing platform for real-time
control applications. Design tradeoffs and analyses related to the development of the
fault-tolerant computing platform are discussed. The architecture is formalized and
shown to satisfy a key correctness property. The reliable computing platform uses
replicated processors and majority voting to achieve fault tolerance. Under the
assumption of a majority of processors working in each frame, it is shown that the
replicated system computes the same results as a single processor system not subject
to failures. Sufficient conditions are obtained to establish that the replicated system
recovers from transient faults within a bounded amount of time. Three different voting
schemes are examined and proved to satisfy the bounded recovery time conditions.
17. Key Words (Suggested by Author(s))
Fault Tolerance
Formal Methods
Correctness Proofs
Majority Votin_
Modular Redundancy
Transient Faults
19. Security Classif. (of this report)
Unclassified
NASA FORM 1626 OCT 86
18 Distribution Statement
Unclassified-Unlimited
Subject Category 61
20. SecuriW Cla_if. (of this page}
Unclassified
21 No of pages
68
22. Price
A04
