Formal analysis of fault tolerant algorithms in the time-triggered architecture

Formal Model Layers The basis for the formal analysis work has been given in Chapter 2. It introduces adequate formal models to analyse distributed algorithms at different levels of abstraction. We have presented a formalization of the untimed synchronous system model, and a ground model for time-triggered systems. In particular, we have introduced abstract models of the communication network that capture the essence of the TDMA communication mechanism and encompass both the star-coupler approach and the bus topology. It has been demonstrated that the different guardian systems used in these two topologies, the central guardians and the local bus guardians, respectively, can be regarded as instances of a common, abstract scheme. The relationship of the formal models has been described in Chapter 5. It has been shown that the internal states of the processors as seen in the abstract, untimed synchronous system level soundly correspond to the states of the processors on the time-triggered level during the global communication phase of a slot. The prerequisite for this refinement is that the clocks of the processors are synchronized within a small bounded quantity. Both the formalizations of the synchronous and time-triggered system models and the corresponding refinement proof are based on developments by J. Rushby [Rus99]. We have extended the work in two respects. In particular, we have augmented the formalizations with a series of generic models to describe the behaviour and functionality of the communication network and the guardians. Moreover, the description of sending and receiving messages has been separated from the timing concerns in the time-triggered model for two reasons. First, we needed a different way to model send and receive faults of processors that is more appropriate for TTP/C’s communication through broadcast channels. Second, the separation allows the same fault models for an algorithm to be used on both the untimed synchronous and the time-trigerred system level and thus ultimately facilitates the integration of the models for group mem-