No . CS - TR - 1151 April , 2009 Different Perspectives for Reasoning about Problems and Faults

This paper provides a different view for understanding problems and faults with the goal of defining a method for the formal specification of systems. To accomplish this task we need to pass through a non trivial number of steps, concepts and tools where the first one, the most important, is the concept of method itself, since we realized that computer science has a proliferation of languages but very few methods. This work also proposes the idea of Layered Fault Tolerant Specification (LFTS) to make the method extensible to fault tolerant systems. The principle is layering the specification, for the sake of clarity, in (at least) two different levels, the first one for the normal behavior and the others (if more than one) for the abnormal. The abnormal behavior is described in terms of an Error Injector (EI) which represents a model of the erroneous interference coming from the environment. This structure has been inspired by the notion of idealized fault tolerant component but the combination of LFTS and EI using rely guarantee reasoning to describe their interaction can be considered one of the main contributions of this work. The progress toward this method and this way to organize fault tolerant specifications has been made experimenting on case studies presented in a dedicated section. Abstract This paper provides a different view for understanding problems and faults with the goal of defining a method for the formal specification of systems. To accomplish this task we need to pass through a non trivial number of steps, concepts and tools where the first one, the most important, is the concept of method itself, since we realized that computer science has a proliferation of languages but very few methods. This work also proposes the idea of Layered Fault Tolerant Specification (LFTS) to make the method extensible to fault tolerant systems. The principle is layering the specification, for the sake of clarity, in (at least) two different levels, the first one for the normal behavior and the others (if more than one) for the abnormal. The abnormal behavior is described in terms of an Error Injector (EI) which represents a model of the erroneous interference coming from the environment. This structure has been inspired by the notion of idealized fault tolerant component but the combination of LFTS and EI using rely guarantee reasoning to describe their interaction can be considered one of the main contributions of …