Highly critical application domains, like medicine and aerospace, require the use of strict design, implementation, and validation techniques. Functional languages have been used in these domains to develop synchronous dataflow programming languages for reactive systems. Causal stream functions and functional reactive programming (FRP) capture the essence of those languages in a way that is both elegant and robust. To guarantee that critical systems can operate under high stress over long periods of time, these applications require clear specifications of possible faults and hazards, and how they are being handled. Modeling failure is straightforward in functional languages, and many functional reactive abstractions incorporate support for failure or termination. However, handling unknown types of faults, and incorporating fault tolerance into FRP, requires a different construction and remains an open problem. This work demonstrates how to extend an existing functional reactive framework with fault tolerance features. At value level, we tag faulty signals with reliability and probability information and use random testing to inject faults and validate system properties encoded in temporal logic. At type level, we tag components with the kinds of faults they may exhibit and use type-level programming to obtain compile-time guarantees of key aspects of fault tolerance. Our approach is powerful enough to be used in systems with realistic complexity, and flexible enough to be used to guide system analysis and design, validate system properties in the presence of faults, perform runtime monitoring, and study the effects of different fault tolerance mechanisms.

中文翻译：

---

容错函数式反应式编程（扩展版）

高度关键的应用领域，如医学和航空航天，需要使用严格的设计、实施和验证技术。在这些领域中已使用函数式语言为反应式系统开发同步数据流编程语言。因果流函数和函数式反应式编程 (FRP) 以优雅和健壮的方式捕捉这些语言的本质。为确保关键系统能够在高压力下长时间运行，这些应用程序需要明确说明可能的故障和危险，以及如何处理它们。在函数式语言中建模失败很简单，许多函数式反应抽象都包含对失败或终止的支持。然而，处理未知类型的故障, 并结合容错进入 FRP，需要不同的结构，并且仍然是一个悬而未决的问题。这项工作演示了如何扩展具有容错功能的现有功能反应框架。在价值层面，我们用可靠性和概率信息标记故障信号，并使用随机测试来注入故障并验证以时间逻辑编码的系统属性。在类型级别，我们用组件可能表现出的错误类型标记组件，并使用类型级别编程来获得容错关键方面的编译时保证。我们的方法足够强大，可以用于具有现实复杂性的系统，并且足够灵活，可以用于指导系统分析和设计，在存在故障时验证系统属性，执行运行时监控，以及研究不同容错机制的影响。