Fault-tolerant programming by transformations

It has been usual to consider that the steps of program refinement start with a program specification and end with the production of the text of an executable program. But for fault-tolerance, the program must be capable of taking account of the failure modes of the particular architecture on which it is to be executed. In this thesis we shall develop a formal framework which shows how a program constructed for a fault-free system can be transformed into a fault-tolerant program for execution on a system which susceptible to failures. Physical faults are modelled by a set of atomic actions whose semantics are defined in the same way as the semantics of usual program actions. The interference of fault actions on the execution of a program is then defined by the failure semantics. The behaviours of the program on a system with the specified set of fault actions are simulated by a fault transformation of the program into its fault-affected version. The properties of such a behaviour (called the fault properties) are studied by reasoning about the fault-affected version. The addition of fault-tolerance to a program is modelled by a fault-tolerant transformation which introduces the necessary redundancy in the program so that the specified faults can be tolerated. A fault-tolerant program can be further refined by using fault-tolerant refinement which preserves both the functional and the faulttolerant properties of the program.