J. C. Knight and N. G. Leveson, \A reply to the criticisms of the Knight & Leveson experiment, " ACM SIGSOFT Software Engineering Notes, Jan. 1990. 19  Home/Search   Document Not in Database   Summary   Related Articles   Check

....for dependability on reliability and availability and study how the dynamic management of redundant component instances with identical implementation can contribute to improvements for these two dependability attributes. The questionable impact of using multiple diverse implementations (cf. [7]) is not considered. The application services are further treated as black boxes with given dependability characteristics. We make the strong simplification that hardware and software component failures simply result in the inability of the affected services to fulfill the regular behavior. Thus, ....

J. Knight and N. Leveson. A reply to the criticisms of the Knight & Leveson experiment. ACM SIGSOFT Software Engineering Notes, 15(1):25--35, January 1990.

....and faster more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 maybeachievable using fault tolerance approaches such as N version programming [101] In fact, the benefits of these techniques are still a matter of some contention [78]. Combining these gives a figure of around 10 but most safety critical situations demand a figure of nearer 10 ;9 or even 10 (e.g. see [FAA82] This leaves us with an enormous gap between what is desired and what is attainable with current practice. A viable means of narrowing this gap ....

KNIGHT, J.C., and LEVESON, N.G.: `A reply to the criticisms of the Knight & Leveson experiment', ACM SIGSOFT Software Engineering Notes, January 1990, 15, (1), pp. 25--35

....year) and faster more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 maybeachievable using fault tolerance approaches suchasN version programming [86] In fact, the benefits of these techniques are still a matter of some contention [71]. Combining these gives a figure of around 10 but most safety critical situations demand a figure of nearer 10 ;9 or even 10 (e.g. see [FAA82] This leaves us with an enormous gap between what is desired and what is attainable with current practice. A viable means of narrowing this gap ....

KNIGHT, J.C., and LEVESON, N.G.: `A reply to the criticisms of the Knight & Leveson experiment', ACM SIGSOFT Software Engineering Notes,January 1990, 15, (1), pp. 25--35

....will not be estimable for a new development, although [Nicola Goyal 1990] shows ways of estimating it given a sample of many developed versions of a program obtained in experiments. 11 For an interesting discussion of the scientific controversy that surrounded some of these early claims, see [Knight Leveson 1990] and the sources quoted there. Bev Littlewood, Peter Popov, Lorenzo Strigini: Modelling software design diversity a review 14 The main result of EL is a negative one. It tells us that claims for independence of failures even from diverse software versions cannot be justified. Whilst it should ....

J. C. Knight and N. G. Leveson, "A reply to the criticism of the Knight & Leveson experiment", ACM SIGSOFT Software Engineering Notes, Vol. 15, No. 1, January, pp.24-35, 1990.

....rejected at the 99 confidence level. The quantity of coincident errors was much greater than that predicted by the independence model. Experiments produced by other researchers have confirmed the Knight Leveson conclusion [12, 15] A excellent discussion of the experimental results is given in [16]. Some debate [16] has occurred over the credibility of these experiments. Rather than describe the details of this debate, we would prefer to make a few general observations about the scope and limitations of such experiments. First, the N version systems used in these experiments must have ....

....99 confidence level. The quantity of coincident errors was much greater than that predicted by the independence model. Experiments produced by other researchers have confirmed the Knight Leveson conclusion [12, 15] A excellent discussion of the experimental results is given in [16] Some debate [16] has occurred over the credibility of these experiments. Rather than describe the details of this debate, we would prefer to make a few general observations about the scope and limitations of such experiments. First, the N version systems used in these experiments must have reliabilities in the ....

J. C. Knight and N. G. Leveson, "A reply to the criticisms of the Knight & Leveson experiment, " ACM SIGSOFT Software Engineering Notes, Jan. 1990. 19

....to contain software faults (and limit the scope of fault recovery) in a manner analogous to containing hardware faults. Further, partitioning can be supported by hardware, as well as software mechanisms, to enforce the partitioning and participate in fault detection and recovery. For 3 See [3]. Task 3 Interim Report September 30, 1999 Page 6 of 34 example, by partitioning an application into tasks (with hardware helping to protect the task memory and to limit the task s resource consumption) faults manifesting in one task may be prevented from affecting other tasks and the system. ....

Leveson, N.G., and Knight, J.C., (available on the Web), A reply to the criticisms of the Knight & Leveson Experiment.

....estimates of system reliability can be obtained even with failure rates for individual versions of 10 4 hour. However, the independence assumption does not appear to be valid. In several experiments for low reliability software, the assumption was rejected at the 99 confidence level [13, 14]. Furthermore, the independence assumption cannot be validated for high reliability software because of the exorbitant test times required [12] As a result, design diversity is inadequate, also. Because design flaws cannot be handled adequately by approaches based on either testing or design ....

John C. Knight and Nancy. G. Leveson. A Reply To the Criticisms Of The Knight & Leveson Experiment. ACM SIGSOFT Software Engineering Notes, January 1990.

....rejected at the 99 confidence level. The quantity of coincident errors was much greater than that predicted by the independence model. Experiments produced by other researchers have confirmed the Knight Leveson conclusion [15, 16] A excellent discussion of the experimental results is given in [6]. Some debate [6] has occurred over the credibility of these experiments. Rather than describe the details of this debate, we would prefer to make a few general ob7 servations about the scope and limitations of such experiments. First, the N version systems used in these experiments must have ....

....99 confidence level. The quantity of coincident errors was much greater than that predicted by the independence model. Experiments produced by other researchers have confirmed the Knight Leveson conclusion [15, 16] A excellent discussion of the experimental results is given in [6] Some debate [6] has occurred over the credibility of these experiments. Rather than describe the details of this debate, we would prefer to make a few general ob7 servations about the scope and limitations of such experiments. First, the N version systems used in these experiments must have reliabilities in the ....

Knight, J. C., and Leveson, N. G. A reply to the criticisms of the Knight & Leveson experiment. ACM SIGSOFT Software Engineering Notes (Jan. 1990).

....and faster more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N version programming [86] In fact, the benefits of these techniques are still a matter of some contention [71]. Combining these gives a figure of around 10 Gamma5 but most safety critical situations demand a figure of nearer 10 Gamma9 or even 10 Gamma10 (e.g. see [FAA82] This leaves us with an enormous gap between what is desired and what is attainable with current practice. A viable means of ....

KNIGHT, J.C., and LEVESON, N.G.: `A reply to the criticisms of the Knight & Leveson experiment', ACM SIGSOFT Software Engineering Notes, January 1990, 15, (1), pp. 25--35

....and faster more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N version programming [101] In fact, the benefits of these techniques are still a matter of some contention [78]. Combining these gives a figure of around 10 Gamma5 but most safety critical situations demand a figure of nearer 10 Gamma9 or even 10 Gamma10 (e.g. see [FAA82] This leaves us with an enormous gap between what is desired and what is attainable with current practice. A viable means of ....

KNIGHT, J.C., and LEVESON, N.G.: `A reply to the criticisms of the Knight & Leveson experiment', ACM SIGSOFT Software Engineering Notes, January 1990, 15, (1), pp. 25--35

....one can obtain ultrareliable level estimates of reliability, even with failure rates for the individual versions on the order of 10 Gamma4 =hour. Unfortunately, the independence assumption has been rejected at the 99 confidence level in several experiments for low reliability software [71, 72]. Furthermore, the independence assumption cannot be validated for high reliability software because of the exorbitant test times required. If one cannot assume independence then one must measure correlations. This is infeasible as well; it requires as much testing time as life testing the system, ....

Knight, John. C.; and Leveson, Nancy. G.: A Reply To the Criticisms Of The Knight & Leveson Experiment. ACM SIGSOFT Software Engineering Notes, Jan. 1990.

....one can obtain ultrareliable level estimates of reliability, even with failure rates for the individual versions on the order of 10 Gamma4 =hour. Unfortunately, the independence assumption has been rejected at the 99 confidence level in several experiments for low reliability software [60, 61]. Furthermore, the independence assumption cannot be validated for high reliability software because of the exorbitant test times required. If one cannot assume independence then one must measure correlations. This is infeasible as well; it requires as much testing time as life testing the system, ....

Knight, John. C.; and Leveson, Nancy. G.: A Reply To the Criticisms Of The Knight & Leveson Experiment. ACM SIGSOFT Software Engineering Notes, Jan. 1990.

....one can obtain ultrareliable level estimates of system reliability, even with failure rates for the individual versions on the order of 10 Gamma4 =hour. Unfortunately, the independence assumption has been rejected at the 99 confidence level in several experiments for low reliability software [12, 13]. Furthermore, the independence assumption cannot be validated for high reliability software because of the exorbitant test times required. If one cannot assume independence then one must measure correlations. This is infeasible as well; it requires as much testing time as life testing the system, ....

John. C. Knight and Nancy. G. Leveson, "A reply to the criticisms of the Knight & Leveson experiment ", ACM SIGSOFT Software Engineering Notes, Jan. 1990.

No context found.

J. C. Knight and N. G. Leveson, \A reply to the criticisms of the Knight & Leveson experiment, " ACM SIGSOFT Software Engineering Notes, Jan. 1990. 19

No context found.

Knight, John. C.; and Leveson, Nancy. G.: A Reply To the Criticisms Of The Knight & Leveson Experi10 ment. ACM SIGSOFT Software Engineering Notes, Jan. 1990.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC