| Preface | p. xv |
| Introductory Elements: Dependability Issues | p. 1 |
| Quality | p. 1 |
| Quality Needs of Computer Systems | p. 1 |
| Quality Attributes | p. 2 |
| Dependability | p. 3 |
| Product Failures and their Consequences | p. 3 |
| Failure Causes | p. 4 |
| Taking Faults into Account | p. 7 |
| Definitions of Dependability | p. 9 |
| Means of Dependability | p. 10 |
| Evolution | p. 10 |
| Means | p. 13 |
| Summary | p. 13 |
| Destructive Mechanisms | p. 15 |
| General Context | p. 17 |
| Application Context | p. 17 |
| Life Cycle | p. 21 |
| Principles | p. 21 |
| Specification | p. 22 |
| Design | p. 24 |
| Production | p. 28 |
| Operation | p. 29 |
| Product Model | p. 29 |
| Product Structure and Functioning | p. 30 |
| Hierarchy | p. 31 |
| Examples | p. 32 |
| Refinement Process and Primitive Components | p. 33 |
| Logical Part of a Drinks Distributor | p. 34 |
| Specifications | p. 35 |
| Design | p. 36 |
| Production | p. 38 |
| Operation | p. 38 |
| Failures and Faults | p. 39 |
| Failures | p. 39 |
| Definition | p. 39 |
| Characterization of Failures | p. 42 |
| Faults | p. 44 |
| Difficulties in Identifying the Causes of a Failure | p. 44 |
| Fault Characterization | p. 45 |
| Fault Origin | p. 46 |
| Nature of the Fault | p. 48 |
| Faults Occurring in the Life Cycle | p. 51 |
| Specification and Design Faults | p. 52 |
| Production Faults | p. 56 |
| Operational Faults | p. 58 |
| Examples of Functional Faults Altering a Drinks Distributor | p. 60 |
| Description of the Product | p. 60 |
| Faults Due to Functional Specifications | p. 61 |
| Faults Due to Technological Constraints | p. 61 |
| Design Faults | p. 62 |
| Interests and Limits of Fault Classes | p. 63 |
| Simplified Classification | p. 63 |
| Limitations of the Classification | p. 65 |
| Protection Against Faults and their Effects | p. 65 |
| Exercises | p. 66 |
| Faults and their Effects | p. 69 |
| Internal Effects | p. 69 |
| Fault | p. 69 |
| Error | p. 71 |
| Error Propagation | p. 73 |
| Latency | p. 75 |
| External Effects: Consequences | p. 77 |
| External Consequences of Faults | p. 77 |
| Inertia of the Functional Environment | p. 80 |
| Completeness and Compatibility | p. 80 |
| Influence of the Functional Environment: Emergence | p. 82 |
| Conclusion on the Effects of Faults | p. 83 |
| Exercises | p. 85 |
| Fault and Error Models | p. 89 |
| Definitions | p. 89 |
| Structural and Behavioral Properties | p. 89 |
| Structural Properties | p. 90 |
| Behavioral Properties | p. 91 |
| Significant Fault and Error Models | p. 92 |
| Faults and Errors at Different Representation Levels | p. 92 |
| Hardware Fault/Error Models | p. 94 |
| Software Fault and Error Models | p. 101 |
| Fault and Error Model Assessment | p. 105 |
| Assessment Criteria | p. 105 |
| Relations Between Fault/Error Models and Failures | p. 107 |
| Analysis of Two Simple Examples | p. 109 |
| First example: an Hardware Full Adder | p. 109 |
| Second Example: a Software Average Function | p. 111 |
| Exercises | p. 115 |
| Protective Mechanisms | p. 119 |
| Towards the Mastering of Faults and their Effects | p. 121 |
| Three Approaches | p. 121 |
| Fault Prevention | p. 123 |
| During the Specification | p. 123 |
| During the Design | p. 124 |
| During the Production | p. 124 |
| During the Operation | p. 125 |
| Fault Removal | p. 127 |
| General Notions | p. 127 |
| During Specification and Design | p. 129 |
| During the Production | p. 133 |
| During the Operation | p. 134 |
| Fault Tolerance | p. 135 |
| Failure Prevention by Masking | p. 136 |
| Error Detection and Correction | p. 136 |
| Fail-Safe Techniques | p. 137 |
| Resulting Fault Tolerance Classes | p. 138 |
| Dependability Means and Assessment | p. 138 |
| Conclusion | p. 140 |
| Dependability Assessment | p. 141 |
| Quantitative and Qualitative Assessment | p. 141 |
| Quantitative Assessment | p. 141 |
| Qualitative Assessment | p. 143 |
| Synthesis | p. 143 |
| Reliability | p. 145 |
| General Characteristics of the Reliability of Electronic Systems | p. 145 |
| Reliability Models | p. 146 |
| Failure Rate Estimation | p. 148 |
| Reliability Evolution | p. 148 |
| Testability | p. 149 |
| Maintainability | p. 150 |
| Maintenance | p. 150 |
| Maintainability | p. 152 |
| Reliability and Maintainability | p. 153 |
| Availability | p. 154 |
| Safety | p. 155 |
| Security | p. 157 |
| Synthesis of the Main Criteria | p. 157 |
| Quantitative Analysis Tools at System Level | p. 159 |
| Fault Simulation | p. 159 |
| Reliability Block Diagrams | p. 160 |
| Non-Deterministic State Graph Models | p. 162 |
| Inductive Qualitative Assessment: Failure Mode and Effect Analysis | p. 164 |
| Principles | p. 164 |
| Means | p. 166 |
| FMECA | p. 167 |
| Deductive Qualitative Assessment: Fault Tree Method | p. 168 |
| Principles | p. 168 |
| Software Example | p. 169 |
| Use of the FTM | p. 171 |
| Exercises | p. 171 |
| Redundancy | p. 175 |
| Functional and Structural Redundancy | p. 176 |
| Linguistic Redundancy | p. 176 |
| Redundancy of Computer Systems | p. 177 |
| Functional Redundancy | p. 179 |
| Static Functional Domains | p. 180 |
| Dynamic Functional Domains | p. 182 |
| Generalization of Functional Redundancy | p. 185 |
| Redundancy and Module Composition | p. 186 |
| Structural Redundancy | p. 187 |
| Definition and Illustration | p. 187 |
| Active and Passive Redundancy | p. 188 |
| Separable Redundancy | p. 193 |
| Summary of the Various Redundancy Forms | p. 195 |
| Exercises | p. 195 |
| Fault Avoidance Means | p. 199 |
| Avoidance of Functional Faults During Specification | p. 201 |
| Introduction | p. 201 |
| Specification Phase | p. 201 |
| Validation and Verification | p. 202 |
| Fault Prevention During the Requirement Expression | p. 204 |
| Introduction | p. 204 |
| Help in the Capturing of Needs | p. 204 |
| Expression Aid | p. 205 |
| Evaluation of a Method | p. 207 |
| Fault Avoidance During the Specification Phase | p. 209 |
| Fault Prevention: Valid Method | p. 209 |
| Fault Removal: Verification of the Specifications | p. 211 |
| Review Techniques | p. 214 |
| Principles | p. 214 |
| Walkthrough | p. 215 |
| Inspection | p. 215 |
| Exercise | p. 217 |
| Avoidance of Functional Faults During Design | p. 219 |
| Principles | p. 219 |
| Prevention by Design Model Choice | p. 222 |
| Prevention by Design Process Choice | p. 223 |
| General Considerations | p. 223 |
| Design Guide | p. 224 |
| Expression Guide | p. 225 |
| Fault Removal | p. 229 |
| Verification with the Specifications | p. 229 |
| Fault Removal without Specifications | p. 238 |
| Functional Test | p. 240 |
| Input Sequence | p. 240 |
| Output Sequence | p. 243 |
| Functional Diagnosis | p. 245 |
| Analysis of an Arithmetic Unit | p. 247 |
| Formal Proof Methods | p. 248 |
| Inductive Approach and Symbolic Execution | p. 248 |
| Deductive Approach and FTM | p. 251 |
| Exercises | p. 253 |
| Prevention of Technological Faults | p. 257 |
| Parameters of the Prevention of Technological Faults | p. 257 |
| Hardware Technology | p. 258 |
| Software Technology | p. 258 |
| Prevention of Technological Faults | p. 260 |
| Action on the Product | p. 261 |
| Hardware Technology | p. 261 |
| Software Technology | p. 265 |
| Action on the Environment | p. 272 |
| Hardware Technology | p. 272 |
| Software Technology | p. 273 |
| Exercises | p. 276 |
| Removal of Technological Faults | p. 279 |
| Off-Line Testing | p. 279 |
| Context of Off-Line Testing | p. 280 |
| Different Kinds of Tests and Testers | p. 281 |
| Logical Testing | p. 288 |
| Logical Testers | p. 288 |
| Test Parameters | p. 291 |
| Production Testing | p. 292 |
| Maintenance Testing | p. 296 |
| Principles of Logical Test Generation | p. 302 |
| Logical Testing | p. 302 |
| Determination of Input Vectors Testing a Fault | p. 307 |
| Fault Grading | p. 307 |
| Test Pattern Generation of Combinational Systems | p. 314 |
| Test of Sequential Systems | p. 316 |
| Exercises | p. 320 |
| Structural Testing Methods | p. 323 |
| Generation of Logical Test by a Gate Level Structural Approach | p. 323 |
| Test Generation for a Given Error | p. 325 |
| Principles of the Method | p. 325 |
| Activation and Backward Propagation | p. 326 |
| Forward Propagation | p. 327 |
| Justification | p. 329 |
| Complete Study of a Small Circuit | p. 329 |
| Test of Structured Circuits | p. 332 |
| Determination of the Faults/Errors Detected by a Given Test Vector | p. 333 |
| Principles of the Method | p. 333 |
| Study of a Small Circuit | p. 335 |
| Diagnosis of a Test Sequence | p. 336 |
| General Problem of the Diagnosis | p. 336 |
| Study of a Small Circuit | p. 337 |
| Influence of Passive Redundancy on Detection and Diagnosis | p. 339 |
| Detection Test without Error Model. Application to Software | p. 340 |
| The Problem of Structural Test without Error Model | p. 340 |
| Statement Test | p. 342 |
| Branch & Path Test | p. 343 |
| Condition & Decision Test | p. 345 |
| Finite State Machine Identification | p. 346 |
| Diagnosis without Fault Models | p. 346 |
| Principles | p. 346 |
| Highlight the Erroneous Situations | p. 347 |
| Elaborate the Hypotheses | p. 349 |
| Confirm the Hypotheses | p. 350 |
| Verify the Hypotheses | p. 350 |
| Mutation Test Methods | p. 351 |
| Principles and Pertinence of Mutation Methods | p. 351 |
| Mutation Testing Technique | p. 352 |
| Exercises | p. 354 |
| Design For Testability | p. 361 |
| Introduction | p. 361 |
| Test Complexity | p. 361 |
| General Principles of Design For Testability | p. 362 |
| Ad Hoc Approach to DFT | p. 367 |
| Guidelines | p. 367 |
| Instrumentation: Data Recording | p. 373 |
| Exception Mechanisms: Error Propagation | p. 374 |
| Design of Systems Having Short Test Sequences | p. 377 |
| Illustration on Electronic Products | p. 377 |
| Illustration on Software Applications | p. 379 |
| Built-In Test (BIT) | p. 380 |
| Introduction | p. 380 |
| The FIT PLA | p. 380 |
| Scan Design and LSSD | p. 383 |
| Boundary Scan | p. 385 |
| Discussion about BIT Evolution | p. 387 |
| Built-In Self-Test (BIST) | p. 388 |
| Principles | p. 388 |
| Test Sequence Generation and Signature Analysis | p. 389 |
| Towards On-Line Testing | p. 392 |
| To Place the Tester in the Application Site | p. 392 |
| In-situ Maintenance Operation | p. 392 |
| Integration of the Tester to the Product's Activity | p. 393 |
| Exercises | p. 393 |
| Fault Tolerance Means | p. 397 |
| Error Detecting and Correcting Codes | p. 399 |
| General Context | p. 399 |
| Error Model | p. 399 |
| Redundant Coding | p. 402 |
| Application to Error Detection and Correction | p. 403 |
| Limitations of our Study | p. 404 |
| Definitions | p. 405 |
| Separable and Non-Separable Codes | p. 405 |
| Hamming Distance | p. 406 |
| Redundancy and Efficiency | p. 408 |
| Parity Check Codes | p. 409 |
| Single Parity Code | p. 409 |
| Multiple Parity Codes | p. 409 |
| Unidirectional Codes | p. 416 |
| M-out-of-n Codes | p. 417 |
| Two-Rail Codes | p. 418 |
| Berger Codes | p. 418 |
| Arithmetic Codes | p. 419 |
| Limitations of the Hamming Distance | p. 419 |
| Residual Codes | p. 420 |
| Application of EDC Codes to Different Classes of Systems | p. 422 |
| Exercises | p. 423 |
| On-Line Testing | p. 427 |
| Two Approaches of On-Line Testing | p. 427 |
| Discontinuous Testing | p. 428 |
| External Tester | p. 428 |
| Test Performed by One of the Regulators | p. 430 |
| Test Distributed Between the Regulators | p. 430 |
| Precautions | p. 432 |
| Continuous Testing: Self-Testing | p. 433 |
| Principles | p. 433 |
| Use of Functional Redundancy | p. 436 |
| Use of Structural Redundancy | p. 441 |
| Exercises | p. 447 |
| Fail-Safe Systems | p. 451 |
| Risk and Safety | p. 452 |
| Seriousness Classes | p. 452 |
| Risk and Safety Classes | p. 453 |
| Fail-Safe Systems | p. 456 |
| Fail-Safe Techniques | p. 457 |
| Intrinsic Safety | p. 457 |
| Safety by Structural Redundancy | p. 459 |
| Self-Testing Systems and Fail-Safe Systems | p. 465 |
| Fail-Safe Applications | p. 466 |
| Exercises | p. 467 |
| Fault-Tolerant Systems | p. 469 |
| Introduction | p. 469 |
| Aims | p. 469 |
| From Error Detection Towards Fault Tolerance | p. 470 |
| N-Versions | p. 472 |
| Principles | p. 472 |
| Realization of the Duplicates and the Voter | p. 473 |
| Performance Analysis | p. 475 |
| Backward Recovery | p. 476 |
| Principles and Use | p. 476 |
| Recovery Cache | p. 478 |
| Recovery Points | p. 479 |
| Forward Recovery | p. 482 |
| Principles | p. 482 |
| Recovery Blocks | p. 482 |
| Termination Mode | p. 483 |
| Comparison | p. 485 |
| Similarities | p. 485 |
| Differences | p. 487 |
| Use of Multiple Techniques | p. 490 |
| Impact on the Design | p. 493 |
| Some Application Domains | p. 496 |
| Watchdog and Reset | p. 496 |
| Avionics Systems | p. 496 |
| Data Storage | p. 498 |
| Data Transmission | p. 503 |
| Exercises | p. 508 |
| Conclusions | p. 511 |
| Needs and Impairments | p. 512 |
| Dependability Needs | p. 512 |
| Dependability Impairments | p. 513 |
| Protective Means | p. 516 |
| Fault Prevention | p. 516 |
| Fault Removal | p. 517 |
| Fault Tolerance | p. 519 |
| Dependability Assessment | p. 520 |
| Quantitative Approaches | p. 520 |
| Qualitative Approaches | p. 524 |
| Choice of Methods | p. 525 |
| Error Detecting and Correcting Codes | p. 527 |
| Reliability Block Diagrams | p. 529 |
| Testing Features of a Microprocessor | p. 535 |
| Study of a Software Product | p. 539 |
| Answer to the Exercises | p. 543 |
| Glossary | p. 605 |
| References | p. 651 |
| Index | p. 657 |
| Table of Contents provided by Ingram. All Rights Reserved. |
