J. P. J. Kelly and A. Avizienis, "A Specification-Oriented MultiVersion Software Experiment", in 13th International Symposium on Fault-Tolerant Computing, (Milano, Italy), pp. 120-6., 1983.
.... that this, together with other DSDs employed at least separate developments tolerated some faults, but this is no clear basis for believing that diverse specification languages will produce substantially better reliability than could be achieved by simple diverse developments (see for example [Kelly Avizienis 1983, Bishop et al. 1986, Bishop 1988]). Stronger, though anecdotal, evidence that different specification languages can be quite useful in introducing cognitive diversity comes from an experiment on using diverse formal specification languages [McVittie et al. 1992]: the versions generated from one of ....
J. P. J. Kelly and A. Avizienis, "A Specification-Oriented MultiVersion Software Experiment", in 13th International Symposium on Fault-Tolerant Computing, (Milano, Italy), pp. 120-6., 1983.
....then formal mathematical techniques used to verify consistency between the specifications before the next step in development proceeded. Thus they were able to detect specification faults by using redundancy and then repair them before the separate software versions were produced. Kelly and Avizienis [3,4] also used separate specifications for their N version programming experiment, but the specifications were all written by the same person so independence was syntactic only (three different specification languages were used). N version programming is faced with several practical difficulties in ....
....of the output. Thus common errors would not necessarily have been detected. In other experiments, common errors were observed but since independence was not the hypothesis being tested, the design of the experiments make it impossible to draw any statistically valid conclusions. Kelly and Avizienis [3,4] report finding 21 related faults, one common fault was found in practical tests of the Halden nuclear reactor project [9] and Taylor [9] reports that common faults have been found in about half of the practical redundant European software systems. In summary, although there is some negative ....
J.P.J. Kelly and A. Avizienis, "A specification-oriented multi-version software experiment," Digest of Papers FTCS-13: Thirteenth International Conference on Fault Tolerant Computing, Milan, Italy, pp. 120-125, June 1983.
.... the form of design diversity, but are able to provide fault tolerance only against certain type of faults [1, 13, 14, 15, 29]. Many experiments have been done to evaluate the effectiveness, or validate assumptions in multiversion software, particularly the assumption about independence of failures [3, 5, 17, 18, 19]. Work has also been done to develop models to analyze the reliability provided by the two approaches to fault tolerance [2, 26]. However, little work has been done to analyze the cost effectiveness of software using design diversity, even though the issue of cost is one of the predominant ....
J. Kelly and A. Avizienis, "A specification oriented multi-version software experiment", Dig. Papers, FTCS-13, Milan, Italy, June 1983, pp. 120-125.
.... [1]. Such systems are normally operated on an N Version Executive (NVX) environment [2]. Since the idea of NVP was first proposed in [3], numerous papers were published in either modeling NVS systems [4], [5], [6], [7], [8], [9], [10] or providing empirical studies of NVS systems [11], [12], [13], [14], [15], [16], [17], [18]. The effectiveness of the NVP approach, however, has remained highly controversial and inconclusive. Nevertheless, most researchers and practitioners agree that a high degree of version independency and a low probability of failure correlation would play the key role in ....
J.P.J. Kelly and A. Avizienis, "A Specification Oriented Multi-Version Software Experiment," Digest of 13th Annual International Symposium on Fault-Tolerant Computing, pp. 121-126, Milan, Italy, June 1983.
....mutation analysis, constraint-based test data generation, data diversity. This work was partially supported by NASA Langley Research Center under grant NAG 1 1024.

1 Introduction

The use of multi version software to improve computer system reliability remains a topic of vigorous debate [2, 15, 17, 18]. One cause for concern is easily seen in considering a simple model of majority voting: if each of three voters independently votes yes (meaning a correct vote) with probability $p$, then the probability of a majority yes decision is $3p^2 - 2p^3$, which is larger than $p$ when $p$ is ....
J. Kelly and A. Avizienis. A specification-oriented multi-version software experiment. Proc. FTCS-13, Milan, 1983.
....of comparison testing (either against each other or against a golden program) to detect residual faults and estimate reliability. Some typical N version experiments are summarised below:

| Experiment | Specs | Languages | Versions | Ref. |
|---|---|---|---|---|
| Halden, Reactor Trip | 1 | 2 | 2 | [Dah79] |
| NASA, First Generation | 3 | 1 | 18 | [Kel83] |
| KFK, Reactor Trip | 1 | 3 | 3 | [Gme80] |
| NASA RTI, Launch Interceptor | 1 | 3 | 3 | [Dun86] |
| UCI UVA, Launch Interceptor | 1 | 1 | 27 | [Kni86a] |
| Halden (PODS) Reactor Trip | 2 | 2 | 3 | [Bis86] |
| UCLA, Flight Control | 1 | 6 | 6 | [Avi88] |
| NASA (2nd Gen.) Inertial Guidance | 1 | 1 | 20 | [Eck91] |
| UI Rockwell, Flight Control | 1 | 1 | 15 | [Lyu93] |

Table 1: ....
....by a number of different criteria, including: diversity of faults; empirical reliability improvement; comparison with the independence assumption. Some of the main results in these areas will be discussed below.

2.1 Fault diversity

Most of the early research in this area [Dah79], [Gmei80], [Kel83], [Dun86] focused on analysing the software faults produced and the empirical improvement in reliability to be gained from design diversity. One common outcome of these experiments was that a significant proportion of the faults were similar, and the major cause of these common faults was the ....
J.P.J. Kelly and A. Avizienis, "A specification-oriented multi-version software experiment", in Thirteenth International Symposium on Fault Tolerant Computing (FTCS 13), Milan, June 1983
....of the same outputs, followed by a choice of a consensus result. It must be noted that the individual versions of NVS usually contain error detection and exception handling (similar to an acceptance test) and that the NVP decision algorithm takes the known failures of member versions into account [Kel83, Avi84]. Reinforcement of the decision algorithm by means of a preceding acceptance test (a filter) has been addressed in [And86] and the use of an acceptance test when the decision algorithm cannot make a decision in [Sco84, Sco87]. The remaining parts of this chapter present the various aspects of ....
....The limiting case of required diversity is the use of two or more distinct V specs, derived from the same set of user requirements. In early work, two cases have been practically explored: a set of three V specs (formal algebraic OBJ, semi formal PDL, and English) that were derived together [Kel83, Avi84], and a set of two V specs that were derived by two independent efforts [Ram81]. These approaches provide additional means for the verification of the V specs, and offer diverse starting points for version implementors. In the long run, the most promising means for the writing of the V specs are ....
J. P. J. Kelly and A. Avizienis. A specification-oriented multi-version software experiment. In Digest of 13th FTCS, pages 120--126, Milano, Italy, June 1983.
....computer-aided software engineering, or even the clean room approach [Dye88]. A qualitative design diversity metric is proposed in Table 1. This assessment of diversity is an initial effort based on the experiences gained from previous NVP experiments and implementations [CA78, AK84, KA83, GV79, BEB86, ABHM85, Tra88].

| | implementors | languages | tools | algorithms | methodologies |
|---|---|---|---|---|---|
| specification | higher | higher | lower | higher | lower |
| design | higher | lower | lower | higher | higher |
| coding | higher | higher | lower | higher | higher |
| testing | lower | lower | higher | lower | higher |

Table 1: A Qualitative Design ....
J. P. J. Kelly and A. Avizienis. A specification oriented multi-version software experiment. In Digest of 13th Annual International Symposium on Fault-Tolerant Computing, pages 121--126, June 1983.
....software engineering, prototyping, computer aided software engineering, or even the clean room approach [14]. A qualitative design diversity metric is proposed in Table 1. This assessment of diversity is an initial effort based on the experiences gained from previous experiments at UCLA [4], [5], [15], and published work from other sites [12], [13], [16], [17].

| | implementors | languages | tools | algorithms | methodologies |
|---|---|---|---|---|---|
| spec. | .... | | | | |
....The use of two or more distinct V specs, derived from the same set of user requirements, can put extensive protection against specification errors. Two cases have been practically explored: a set of three V specs (formal algebraic OBJ, semi formal PDL, and English) that were derived together [5], [15], and a set of two V specs that were derived by two independent efforts [20]. These approaches provide additional means for the verification of the V specs, and offer diverse starting points for version implementors. In the Six Language Project, only absolutely necessary information was supplied to ....
J.P.J. Kelly and A. Avizienis, "A Specification Oriented Multi-Version Software Experiment," Digest of 13th Annual International Symposium on Fault-Tolerant Computing, pp. 121-126, Milan, Italy, June 1983.