An application of formal analysis to software in a fault-tolerant environment

The paper describes work that represents the culmination of a comprehensive hardware/software modeling and analysis project concerning the Charles Stark Draper Laboratory Fault-Tolerant Processor (FTP). The FTP performs a safety related function at the Integral Fast Reactor (IFR, previously known as the Experimental Breeder Reactor-II) operated by Argonne National Laboratory for the Department of Energy. Previously, we demonstrated the tolerance to hardware failures of data exchange instructions on the FTP (G.H. Chisholm et al., 1987; A.J. Kljaich et al., 1989; A.S. Wojcik et al., 1984; A.S. Wojcik, 1983). We describe a methodology for assuring that the software executing on the FTP is also tolerant to hardware failures. This methodology is based on an abstraction of the program data and control flows in terms of the specification of an abstract application program that operates on the FTP. We then prove the fault tolerance of the abstract application program to hardware and sensor failures. Based on a more detailed specification and analysis of the code that is used in the application software, we demonstrate that this code satisfies the sufficient conditions developed for the abstract application program to claim system fault tolerance