Abstract: We study the problem of synthesizing fault-tolerant components from specifications, i.e., the problem of automatically constructing a fault-tolerant component implementation from a logical specification of the component and the system's required level of fault-tolerance. In our approach, the logical specification of the component is given in dCTL, a branching time temporal logic with deontic operators, especially designed for fault-tolerant component specification. The synthesis algorithm takes the component specification and a user-defined level of fault-tolerance (masking, nonmasking, failsafe), and automatically determines whether a component with the required fault-tolerance is realizable. Moreover, if the answer is positive, the algorithm produces such a fault-tolerant implementation. Our technique for synthesis is based on the use of (bi)simulation algorithms for capturing different fault-tolerance classes, and on the extension of a synthesis algorithm for CTL to cope with dCTL specifications.
I. INTRODUCTION
Fault-tolerance is an important property of critical systems, that is, systems employed in critical activities such as medical devices and controllers in the avionics or automotive industry. In this context, a problem that deserves attention is that of capturing faults, understood as unexpected events that affect a system, as well as expressing and reasoning about the properties of systems in the presence of faults. Indeed, various researchers have been concerned with formally expressing and reasoning about fault-tolerant behavior, and some formalisms and tools have been proposed for this task [4], [12], [13], [15].
Moreover, in formal approaches to fault-tolerance (and in formal approaches to software development in general), it is generally recognized that powerful (semi-)automated analysis techniques are essential for a method to be effectively applicable in practice. Therefore, tools for automated or semi-automated reasoning, such as those based on model checking or automated theorem proving, have been central in many of the above-cited works. In this direction, but with less emphasis, approaches for automatically synthesizing programs, in particular fault-tolerant ones, have also been studied [1], [2], [9], [14].
In this paper, we focus our attention on the problem of automatically synthesizing fault-tolerant systems from logical specifications. The synthesis algorithm takes the component specification and a user-defined level of fault-tolerance (masking, nonmasking, failsafe), and automatically determines whether a component with the required fault-tolerance is realizable. Moreover, if the answer is positive, the algorithm produces such a fault-tolerant implementation. As opposed to other approaches, in this work the logical specification of the component is given in dCTL [5], a branching time temporal logic with deontic operators, especially designed for fault-tolerant component specification. This logic allows us to distinguish good executions from faulty ones in a natural way, and, although it is strictly more expressive than CTL, its model checking problem is still polynomial, as for CTL. Our technique for synthesis is based on the use of bisimulation algorithms for capturing different fault classes, and on the extension of a synthesis algorithm for CTL [2], [6] to cope with dCTL specifications.
The remainder of the paper is structured as follows. In Section II, we give an introduction to deontic logics and the reasons why they seem to be adequate formalisms for expressing concepts related to fault-tolerance. In Section III, we present our approach to capturing fault-tolerance properties by means of simulation and bisimulation relations. In Section IV, we describe our synthesis method. Section V reviews some related work. Section VI discusses an evaluation plan, and Section VII presents research progress. Finally, we list our publications and discuss some conclusions.
II. BACKGROUND
Deontic logic is a variation of modal logic whose purpose is to logically capture the notion of norm. Deontic formalisms have been used in Computer Science for different purposes, including database specification, reactive system specification, artificial intelligence and legal reasoning [16]. Furthermore, some researchers have observed that deontic logic is useful for reasoning about fault-tolerant systems, since deontic operators offer a natural way of distinguishing between normal (correct, without faults) and abnormal (faulty) behaviors of the system.
In our approach, we state properties of components using a fragment of dCTL [5] called dCTL-, a branching time temporal logic with deontic operators designed for fault-tolerant system verification. Formulas in this logic refer to properties of behaviors corresponding to colored Kripke structures. In a colored Kripke structure, states are colored, in our case simply as "green" (normal) or "red" (abnormal), with transitions leading to normal (resp. abnormal) states also being normal (resp. abnormal). Normal traces are those transiting only through normal states/transitions, whereas abnormal ones are those transiting through at least one abnormal state/transition. The logic dCTL is defined over the Computation Tree Logic CTL, with its novel part being the deontic operators O(ψ) (obligation) and P(ψ) (permission), which are applied to a certain kind of path formula ψ. The intention of these operators is to capture the notions of obligation and permission over traces. Intuitively, these operators have the following meaning:
• O(ψ): property ψ holds in every future state reachable via non-faulty transitions.
• P(ψ): there exists a normal execution, i.e., one not involving faults, starting from the current state and along which ψ holds.
Obligation and permission enable us to express intended properties that should hold in all normal behaviors and in some normal behaviors, respectively. These deontic operators have an implicit temporal character, since ψ is a path formula.
III. (BI)SIMULATIONS AND FAULT-TOLERANCE
In order to reason about fault-tolerance, we need to formally specify what we understand by fault-tolerant behavior. There exist different kinds of fault-tolerant behaviors that a computer system may exhibit. For instance, the system may completely tolerate faults, not allowing them to have any observable consequences for the users; this is often called masking fault-tolerance. Alternatively, after a fault occurs, the system may undergo some process that eventually takes the system back to a "good" behavior (after some amount of time); this is usually called nonmasking fault-tolerance, and it is normally observable at the fault-tolerant component's interface. Also, the system may react to a fault by switching to a behavior that is safe but in which the system is restricted in its capacity; this is called failsafe fault-tolerance. Formally speaking, as stated in [10], the fault-tolerance that a system may exhibit can be classified in terms of how the liveness and safety properties of the given specification are respected in the presence of faults.
In [7], we propose an alternative approach for capturing fault-tolerant behaviors, based on defining simulation/bisimulation relations for different degrees of fault-tolerance. The problem of checking different kinds of similarity/bisimilarity is well known, and there exist efficient (bi)simulation algorithms [11], which we exploit for checking fault-tolerance. Basically, in order to check fault-tolerance we consider two colored Kripke structures of a system, the first one acting as a specification of the intended behavior and the second as the fault-tolerant implementation. The existence of an appropriate bisimulation relation between the two corresponds to the achievement of a certain kind of fault-tolerant behavior. For instance, let us consider the case of nonmasking fault-tolerance. This is captured via a corresponding bisimulation relation between the specification and the model of the system with faults, relating states of the first with states of the second, in such a way that: (i) the system strongly bisimulates the specification for the normative part, and (ii) every fault transition in the model of the system either corresponds to a normal transition of the specification, or masks a fault in the specification, or is embedded in a path that corresponds to a normal transition or to a masking of a fault of the specification.
As an example, let us consider a simple memory cell that stores a bit of information and supports reading and writing operations. Briefly, each state maintains the current value of the memory cell (m = i, for i = 0, 1) and the last write operation that was performed (w = i, for i = 0, 1). Some potential faults in this problem occur when a bit's value (say 1) unexpectedly loses its charge and it turns into another value (say 0). We may employ redundancy to deal with this situation, e.g., by replicating the memory bits three times. Writing operations are performed simultaneously on the three bits, whereas a reading returns the value that is repeated at least twice in the memory bits (also known as voting), and then the value read by voting is written back in all the bits. Each state in the model is described by variables m and w which record the last writing operation performed and the actual reading in the state. In addition, each state has three bits, described
Fig. 1. Two nonmasking fault-tolerance colored Kripke structures.
associate with this model is that, in every non-faulty situation, the value read from the cell coincides with that of the last write performed in the system. This property can straightforwardly be expressed in dCTL as follows: w 1 ) ). Now, consider the colored Kripke structures M (left) and M' (right) depicted in Figure 1. In this case, M' exhibits the same behavior as M (condition (i)), but now we consider that two faults (indicated by dashed lines and circles) may occur: a bit changes its value from 1 to 0, and after that another bit may change its value too (i.e., two errors may occur consecutively). The relation R = {(s0, t0), (s1, t1), (s0, t2)} is nonmasking tolerant for (M, M'). In particular, notice that the faulty transition t0 → t2 in M' corresponds to condition (ii), being nonmasking with respect to M's normal transition s0 → s0. For further details, including the thorough formal definitions of fault-tolerance related bisimulations, we refer the reader to [7].
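As an added example (not part of the paper, and not the authors' code), the following Python models the triple-redundant memory cell above as a colored Kripke structure and evaluates the obligation and permission operators of Section II for the invariant "the value read coincides with the last write". The encoding is an assumption of mine: a state is a tuple (w, b0, b1, b2) with w the last written value and b0..b2 the three replicated bits; a read returns the majority vote and writes it back; a fault is a charged bit (1) decaying to 0. A state is taken to be green when all bits agree with w, and, following the paper's convention, a transition is normal iff its target is green. O and P are evaluated for the "globally" path formula, with the current state included; the function and state names are mine.

```python
# Added example (mine, not the paper's code): the triple-redundant memory cell of
# Section III as a colored Kripke structure, with the dCTL operators O and P of
# Section II evaluated for the "globally" path formula. Assumed encoding: a state
# is (w, b0, b1, b2) with w the last written value and b0..b2 the replicated bits;
# a read returns the majority vote and writes it back; a fault drops one bit from
# 1 to 0 (loss of charge). A state is green when all bits agree with w; following
# the paper's convention, a transition is normal iff its target state is green.
from collections import deque

Init = (0, 0, 0, 0)  # (w, b0, b1, b2): last write 0, all bits 0 (constructed)


def vote(s):
    """Majority vote over the three replicated bits (value returned by a read)."""
    return 1 if s[1] + s[2] + s[3] >= 2 else 0


def is_green(s):
    """Normal state: every replicated bit still equals the last written value."""
    return s[1] == s[2] == s[3] == s[0]


def successors(s):
    """All transitions from s, labelled: writes, a read with write-back, and faults."""
    w = s[0]
    out = [("write0", (0, 0, 0, 0)), ("write1", (1, 1, 1, 1))]
    v = vote(s)
    out.append(("read", (w, v, v, v)))  # voted value written back to all bits
    for i in (1, 2, 3):  # fault: a charged bit (1) decays to 0
        if s[i] == 1:
            t = list(s)
            t[i] = 0
            out.append((f"fault{i - 1}", tuple(t)))
    return out


def explore(init=Init):
    """Build the reachable colored Kripke structure as {state: [(label, target)]}."""
    graph, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s in graph:
            continue
        graph[s] = successors(s)
        todo.extend(t for _, t in graph[s])
    return graph


def green_reachable(graph, s):
    """States reachable from s (inclusive) using only normal transitions."""
    seen, todo = {s}, deque([s])
    while todo:
        u = todo.popleft()
        for _, t in graph[u]:
            if is_green(t) and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def obligation_globally(graph, s, pred):
    """O(G pred): pred holds in s and in every state reachable via normal transitions."""
    return all(pred(t) for t in green_reachable(graph, s))


def permission_globally(graph, s, pred):
    """P(G pred): some infinite normal execution from s stays inside pred.
    Computed as the greatest fixpoint of 'pred and has a normal pred-successor'."""
    x = {u for u in graph if pred(u)}
    while True:
        y = {u for u in x if any(is_green(t) and t in x for _, t in graph[u])}
        if y == x:
            return s in x
        x = y


def recovers(graph, s, pred):
    """Nonmasking recovery: a normal execution from s reaches a state where O(G pred) holds."""
    return any(obligation_globally(graph, t, pred) for t in green_reachable(graph, s))


def inv(s):
    """The invariant of Section III: the value read coincides with the last write."""
    return vote(s) == s[0]


if __name__ == "__main__":
    g = explore()
    for s in sorted(g):
        print(s, "green" if is_green(s) else "red  ",
              "inv" if inv(s) else "   ",
              "O(G inv)" if obligation_globally(g, s, inv) else "        ",
              "recovers" if recovers(g, s, inv) else "")
```

Running the block lists the nine reachable states. A single decayed bit is masked: the state is red, yet the vote still returns the written value and O(G inv) holds there. After two consecutive faults the vote flips and both O(G inv) and P(G inv) fail, which is the nonmasking situation of Figure 1; since a write is always enabled and leads back to a green state, every state nevertheless satisfies the recovery check.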
IV. THE SYNTHESIS METHOD
We are interested in the general problem of synthesizing programs from specifications, i.e., extracting a finite model from a given logical specification, expressed as safety and liveness specifications, in a temporal logic. In general, this problem is solved based on decision procedures for the satisfiability of the corresponding logical specification language. Furthermore, most methods for synthesis require a complete specification, and only address synthesis of closed systems (from closed system descriptions), i.e., systems that do not interact with the environment. In particular, we analyze the problem of synthesizing fault-tolerant components from deontic logic specifications.
Problem Statement: given a dCTL- specification of a component and a desired level of fault-tolerance (masking, nonmasking, failsafe), our goal is to automatically determine whether a fault-tolerant component, with the required level of fault-tolerance, is realizable. Moreover, if the answer is positive, the goal is to algorithmically produce such a fault-tolerant implementation.
Sketch of the Synthesis Process: initially, the designer specifies the normative behavior of the component by invariants expressed using deontic operators: obligations, prohibitions, etc. The sample deontic formula capturing the property "the read bit coincides with that of the last writing" is an example of such an invariant. In more detail, the dCTL- system specification uses CTL to describe the system declaratively (including its safety and liveness properties), while the deontic operators of dCTL- allow us to capture obligations, prohibitions, etc. Moreover, these operators allow us to indirectly characterize faults as events violating these obligations. Notice that the deontic specification states what the expected behavior of the system is and, indirectly, what the possible faults are. In other words, the possible faults are not explicitly given, as in other approaches, but are stated at the specification level. We compare our approach with related work in Section V.
Our synthesis method starts by building a tableau following the tableau-based algorithm for CTL satisfiability. In the next step, we inject the faults. The main idea is to add faulty transitions to the current model, based on the negation of the deontic formulas of the original specification. In this way, we produce traces that mix normal and abnormal transitions. At the same time, we apply in an on-the-fly fashion the simulation algorithm corresponding to the required level of tolerance, in order to remove from this model those states and faults that lie outside the required level of tolerance. The synthesis algorithm aims at detecting the maximal set of faults that can be tolerated (for the required level of fault-tolerance), and at returning a (maximal) program that provides recovery from these faults.
Of course, if the resulting system can only deal with the empty set of faults, then, for example, no masking fault-tolerant program is possible from the provided specification. Finally, the synthesized program is extracted from the generated tableau. In Figure 2 we illustrate the skeleton of our synthesis method.
V. RELATED WORK
Several algorithms have been presented in the literature for synthesis of reactive systems from temporal logic specifications. The initial work was presented by Emerson and Clarke [6].
Their synthesis method was based on a decision procedure for checking the satisfiability of a CTL temporal logic specification. With respect to automated synthesis of fault-tolerant systems, Attie, Arora, and Emerson [2] presented an algorithm for synthesizing fault-tolerant programs from CTL specifications, based on the tableau method defined by Emerson and Clarke in [6]. Most of these works consider CTL and CTL* as the temporal logic specification for the input of their synthesis methods. It is well known that these logics have important applications in concurrent system specification and verification via model checking. However, these logics are not specialized for describing properties of fault-tolerant systems. Moreover, when expressing fault-tolerance properties, the specifier needs to encode the faults and their consequences in some suitable way. This may make formulas longer and more difficult to understand, and may even have a negative impact on analysis, since the performance of model checking algorithms depends on the length of the formula being analyzed. One main difference with our work is that we use deontic operators to distinguish between good and bad system behavior, while in [2] the abnormal behavior is captured by means of faulty actions. Another difference is that in [2] safety properties only need to hold after faults or through fault-free paths, which implies that the semantics of CTL has to be adapted to cope with this condition.
Another important stream of work is presented in [1], [9], [14]. Therein, Unity-style programs are developed, and the Unity logic is used to specify programs and to state fault-tolerance properties. Moreover, only a finite number of faults is allowed. It is important to note that a main difference between that work and our approach is that our synthesized programs preserve all safety properties of the non-faulty part of the obtained program, while both Kulkarni et al. ([1], [9], [14]) and Attie et al. ([2]) preserve only the properties explicitly stated in the specification.
VI. EVALUATION PLAN
To evaluate the effectiveness of our approach, we aim to formalize and synthesize some well-known case studies of fault-tolerant systems and compare the results with other work such as [9]. Moreover, we want to demonstrate the practical application of our formalization by undertaking case studies that contain faulty scenarios related to the automotive industry.
VII. RESEARCH PROGRESS
This section presents our research progress: finished and ongoing tasks. Our research results to date include the following:
• We have defined suitable notions of simulation and bisimulation (see [7] for more details) that allow us to capture diverse fault-tolerance properties, namely masking, nonmasking, and failsafe fault-tolerance, and therefore to compare executions of systems that exhibit faults with executions where no faults occur. We have also developed corresponding algorithms for calculating the different levels of fault-tolerant programs, based on efficient algorithms for calculating several simulation and bisimulation relations [3], [11].
• We have already adapted the decision procedure that verifies the satisfiability of a dCTL- temporal logic specification, based on the tableau-based method defined by Emerson and Clarke in [6] and on the work by Attie et al. [2].
• We have integrated the masking and failsafe (bi)simulation algorithms with the satisfiability decision procedure for dCTL-. Some interesting properties, such as soundness and completeness, have been proven.
The research still to be done is structured as follows:
• We are doing research to extend our framework to accommodate multitolerance [14], in which multiple classes of faults may occur simultaneously.
• In our work so far, we are concerned with the synthesis of a single component. The approach can be extended to extract several concurrent components from a specification, by using indexes as done in [2].
• Currently, we have defined the algorithms for synthesizing masking and failsafe fault-tolerant components. At present, we are working on the synthesis algorithm for nonmasking fault-tolerant programs.
• Further work is needed to implement a software tool that allows us to synthesize fault-tolerant programs. As a first goal, we need to implement our synthesis algorithm for masking and failsafe fault-tolerance. In this way we will be able to obtain fault-tolerant programs automatically from deontic logic specifications and validate our ideas with more interesting case studies.
VIII. PUBLICATIONS
So far, our publications include two articles, [7] and [8], covering the characterization of different levels of fault-tolerance via simulation relations and the synthesis of masking fault-tolerant programs from deontic specifications, respectively.
IX. CONCLUSIONS
We propose to synthesize fault-tolerant components from dCTL- specifications. The logic dCTL- is a branching time temporal logic equipped with deontic operators, especially designed for fault-tolerant component specification. We believe this logic is better suited for fault-tolerance specification, and therefore synthesizing fault-tolerant implementations from dCTL- specifications is relevant. In order to capture fault-tolerance, we use an approach based on defining appropriate bisimulation relations, describing the relationship that must hold between a system specification and its fault-tolerant implementation. Our mechanism for synthesis is then based on combining decision procedures for the satisfiability of dCTL- temporal formulas with bisimulation algorithms for checking a user-required level of fault-tolerance.
