Using Data Consistency Assumptions to Show System Safety

  • Glenn Bruns
  • Stuart Anderson
Part of the Dependable Computing and Fault-Tolerant Systems book series (DEPENDABLECOMP, volume 9)


Systems cannot usually be proved safe unless some failure assumptions are made. Here we prove that the water level in a generic boiler system is always within its safe range by assuming that device failures result in inconsistent readings. Key parts of our approach are a failure-reporting strategy that determines failures from consistency conditions, and a level-calculation strategy that gives a best estimate of boiler level in light of the reported failures. These strategies are generic and could be used in other safety-critical applications.
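The two strategies the abstract names, failure reporting from consistency conditions and level calculation in light of the reported failures, can be sketched concretely. The block below is an added example written for this page, not code or a model from the paper: the plant constants (C, M1, M2, W, P, Q_TOL), the device names, the one-cycle interval dynamics and the rule that attributes a violated condition to a particular device are all assumptions of the example.

```python
"""Consistency-based failure reporting and interval level estimation for a
generic boiler. Added illustration only: the constants, device names and the
attribution rule are this example's assumptions, not the paper's model."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Interval = Tuple[float, float]

# Assumed plant constants (constructed for this example; units are litres
# and litres per control cycle).
C = 1000.0              # boiler capacity
M1, M2 = 150.0, 850.0   # safe range of the water level
W = 25.0                # maximum steam outflow per cycle
P = 15.0                # throughput of one pump per cycle
Q_TOL = 5.0             # assumed accuracy of the level sensor


@dataclass
class Readings:
    level: float                    # level sensor
    steam: float                    # steam-flow sensor
    pumps_on: Tuple[bool, ...]      # state reported by each pump
    pump_flow: Tuple[bool, ...]     # flow detected by each pump controller


def device_ranges(r: Readings, failed: Set[str]) -> Tuple[Interval, Dict[int, Interval]]:
    """Range of values each device may really have taken this cycle: the
    reading itself for a trusted device, the full physical range for a failed one."""
    steam = (0.0, W) if "steam" in failed else (r.steam, r.steam)
    pumps: Dict[int, Interval] = {}
    for i, on in enumerate(r.pumps_on):
        if f"pump{i}" in failed:
            pumps[i] = (0.0, P)
        else:
            pumps[i] = (P, P) if on else (0.0, 0.0)
    return steam, pumps


def predict(prev: Interval, steam: Interval, pumps: Dict[int, Interval]) -> Interval:
    """Propagate the previous level interval by one cycle with interval arithmetic."""
    in_lo = sum(lo for lo, _ in pumps.values())
    in_hi = sum(hi for _, hi in pumps.values())
    return (max(0.0, prev[0] + in_lo - steam[1]),
            min(C, prev[1] + in_hi - steam[0]))


def report_failures(prev: Interval, r: Readings) -> Set[str]:
    """Failure-reporting strategy: a device is reported failed when its reading
    violates a consistency condition. Self-contained checks (physical range,
    pump/controller agreement) run first; the level check depends on them."""
    failed: Set[str] = set()
    if not 0.0 <= r.steam <= W:
        failed.add("steam")
    for i, (on, flow) in enumerate(zip(r.pumps_on, r.pump_flow)):
        if on != flow:
            failed.add(f"pump{i}")          # pump and its controller disagree
    if not 0.0 <= r.level <= C:
        failed.add("level")
    else:
        lo, hi = predict(prev, *device_ranges(r, failed))
        if not lo - Q_TOL <= r.level <= hi + Q_TOL:
            failed.add("level")             # reading not reachable from last estimate
    return failed


def estimate_level(prev: Interval, r: Readings, failed: Set[str]) -> Interval:
    """Level-calculation strategy: use the level sensor when it is trusted,
    otherwise the best interval the remaining devices support."""
    if "level" not in failed:
        return (max(0.0, r.level - Q_TOL), min(C, r.level + Q_TOL))
    return predict(prev, *device_ranges(r, failed))


def step(prev: Interval, r: Readings):
    """One control cycle: report failures, estimate the level, and check the
    safety property on the whole estimate interval, not on a point value."""
    failed = report_failures(prev, r)
    est = estimate_level(prev, r, failed)
    safe = M1 <= est[0] and est[1] <= M2
    return failed, est, safe


if __name__ == "__main__":
    # Constructed scenario: the level sensor jumps to a value no pump/steam
    # combination could reach, so it is reported failed and the estimate
    # falls back to the interval predicted from the other devices.
    r = Readings(level=700.0, steam=10.0, pumps_on=(True, False), pump_flow=(True, False))
    print(step((500.0, 500.0), r))
```

The safety check is made on the whole estimate interval, so a failed device widens the interval rather than silently biasing a point estimate; when enough devices are failed the interval grows past [M1, M2] and the check fails, which is the conservative outcome the abstract's argument relies on.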


Keywords: Consistency Condition, Safety Property, Boiler System, Recovery Block, Data Fusion Model





Copyright information

© Springer-Verlag/Wien 1995

Authors and Affiliations

  • Glenn Bruns (1)
  • Stuart Anderson (1)
  1. Laboratory for Foundations of Computer Science, University of Edinburgh, Edinburgh, UK
