In this paper, we s h o w that two t ypes of tolerance components, namely detectors and correctors, appear in a rich class of fault-tolerant systems. This class includes systems designed using the wellknown techniques of encapsulation and re nement, as well as systems designed using extant fault-tolerance methods such as replication and the state-machine approach. Our demonstration is via a theory of detectors and correctors, which c haracterizes the particular role of these components in

more »

... ing various types of fault-tolerance. Based on this theory and on our experience with using these components in designs, we suggest that detectors and correctors provide a p o werful basis for e cient, component-based design of fault-tolerance. The guard of each action is a boolean expression over the program variables. The statement of each action is such that its execution atomically and instantaneously updates zero or more program variables. Let p, q and p 0 be programs. De nition (State). A state of p is de ned by a value for each variable of p, chosen from the prede ned domain of the variable. De nition (State predicate). A state predicate of p is a boolean expression over the variables of p . Note that a state predicate may becharacterized by the set of all states in which its boolean expression is true. We therefore use sets of states and state predicates interchangeably. Thus, conjunction, disjunction and negation of sets is the same as the conjunction, disjunction and 2 negation of the respective state predicates.