slides
A verified model of fault-tolerance
Abstract
The main objectives are: a model of a replicated system with exact-match voting; a fault model that includes transient faults; a theorem that establishes the conditions under which the system provides fault tolerance; a formal specification of the model; and a mechanically checked verification of the theorem that is consonant with the journal-level presentation. Formal specification and verification revealed typos in the original report, exposed an omission in the original proof, led to a stronger theorem and a more elegant proof, and confirmed that the Enhanced Hierarchical Development Methodology (EHDM) has the capability to specify interesting and useful properties in a direct, natural, and readable manner.