Implementing Fault-tolerant Services Using the State Machine Approach: a Tutorial

Computer systems are increasingly employed in circumstances wheretheir failure (or even their correct operation, if they are built to awedrequirements) can have serious consequences.There is a surprising diversity of opinion concerning the propertiesthat such \critical systems" should possess, and the best methods todevelop them. The dependability approach grew out of the tradition ofultra-reliable and fault-tolerant systems, while the safety approach grewout of the tradition of hazard analysis and system safety engineering.Yet another tradition is found in the security community, and there arefurther specialized approaches in the tradition of real-time systems. Inthis report, I examine the critical properties considered in each approach,and the techniques that have been developed to specify them and toensure their satisfaction.Since systems are now being constructed that must satisfy severalof these critical system properties simultaneously, there is particularinterest in the extent to which techniques from one tradition supportor con ict with those of another, and in whether certain critical sys-tem properties are fundamentally compatible or incompatible with eachother. As a step toward improved understanding of these issues, I suggesta taxonomy, based on Perrow's analysis1, that considers the complexityof component interactions and tightness of coupling as primary factors.1C. Perrow. Normal Accidents: Living with High Risk Technologies. Basic Books, New York,NY, 1984. Critical System Properties:Survey and Taxonomy1Original version published in Reliability Engineering and System Safety , Vol. 43,No. 2, pp. 189{219, 1994John RushbyComputer Science LaboratorySRI InternationalMenlo Park CA 94025 USATechnical Report CSL-93-01, May 1993Revised February 19941This work was supported by the National Aeronautics and Space Administration Lan-gley Research Center and the US Naval Research Laboratory under contract NAS1-18969and by the US Naval Research Laboratory under contract N00014-92-C-2177.