J. Knight and N. Leveson. An Empirical Study of Failure Probabilities in Multi-version Software. In Proceedings of the 16th International Symposium on Fault-Tolerant Computing, pages 165--170, 1986.
....of dependable systems are clarified at about that time. For example, Lala states that field experience with approximate voting was not at all satisfying. At about the same time a heated debate started concerning the cost efficiency of design diversity for the tolerance of design faults [13], [14], [15]. The important ARINC 178B standard [16] that was published in 1992 and deals with software development for safety critical avionics systems contains no clear statement about the use of software design diversity. This issue has not been resolved until today. In Europe, the ESPRIT funded ....
J. Knight and N. Leveson. An Empirical Study of Failure Probabilities in Multi-version Software. In Proceedings of the 16th International Symposium on Fault-Tolerant Computing, pages 165--170, 1986.
.... Whilst the benefits of software diversity do not seem to be as high as those sometimes claimed for hardware redundancy [Knight Leveson 1986b], there is nevertheless evidence that fault tolerance can deliver levels of reliability higher than could be achieved with a single software version [Knight Leveson 1986a]. Indeed, there are several examples of apparently successful use of design diversity in engineered systems that are in operational use, e.g. [Voges 1988], [Briere Traverse 1993], [Kantz Koza 1995]. The reason that software fault tolerance does not deliver dramatically high reliability is ....
J. C. Knight and N. G. Leveson, "An empirical study of failure probabilities in multi-version software", in 16th International Symposium on Fault-Tolerant Computing (FTCS-16), Vienna, Austria, pp.165-170, IEEE Computer Society Press, 1986a.
....of achieving very high reliability. Whilst the benefits of software diversity do not seem to be as high as those sometimes claimed for hardware redundancy [1], there is nevertheless evidence that fault tolerance can deliver levels of reliability higher than achieved with a single software version [2]. Indeed, there are several examples of apparently successful use of design diversity in engineered systems that are in operational use, e.g. [3], [4], [5]. The reason that software fault tolerance does not deliver dramatically high reliability is that the failures of different software versions ....
J. C. Knight and N. G. Leveson, "An empirical study of failure probabilities in multi-version software", in Proc. 16th International Symposium on Fault-Tolerant Computing (FTCS-16), Vienna, Austria, 1986, pp. 165-170.
....data, and voting schemes are used to decide which version(s) are correct. In this manner, the reliability of the component as displayed to the system is greater than the reliability of any one version. Empirical evidence indicates, however, that the assumptions about independence may not be valid [5, 20, 21]; notions of failure diversity have been devised to better understand the conditions under which multi-version programming works well [11, 24]. Redundant Replicated Systems. Redundant or replicated systems run more than one copy of the exact same component, usually to protect against ....
J. Knight and N. Leveson. An Empirical Study of Failure Probabilities in Multi-version Software. In Proceedings of the 16th International Symposium on Fault-Tolerant Computing (FTCS-16), pages 165--170, New York, July 1986. IEEE.
....been experimentally evaluated in [Kni86a]. In this experiment no less than 27 different versions of a program were evaluated. The result of the study shows that the versions cannot be considered to fail independently. Although this may seem to invalidate the entire NVP approach, empirical studies in [Kni86b] on 3-version systems have shown that even if the assumption of independence does not hold, the probability of failure of a system can be decreased using the NVP approach. However, this decrease was not nearly as high as that derived through simple models of the NVP approach. Software Fault ....
Knight J.C., Leveson N.G., An Empirical Study of Failure Probabilities in Multi-Version Software, Proceedings of the 16th International Symposium on Fault-Tolerant Computing, pp. 165-170, 1986
....two categories: design and data diversity. Data diversity techniques first appeared in an excellent paper by Ammann and Knight [1]. Unfortunately these techniques have failed to progress from this starting point. On the other hand, design diversity techniques have received a great deal of attention [3, 16, 13, 12]. Both fault tolerance strategies can be subdivided into two subareas: static and dynamic. 2.1 Fault Tolerance based upon Design Diversity. The most common manifestation of static fault tolerance is N-version programming (Figure 1). From an initial specification, N functionally equivalent ....
J.C. Knight and N.G. Leveson. An empirical study of failure probabilities in multi-version software. In 16th Annual Symposium on Fault Tolerant Computing, pages 165 -- 170, 1986.
....and voting schemes are used to decide which version(s) are correct. In this manner, the reliability of the component as displayed to the system is greater than the reliability of any one version. Empirical evidence indicates, however, that the assumptions about independence may not be valid [6, 20, 21]; notions of failure diversity have been devised to better understand the conditions under which multi-versioned systems work well [12, 24, 32]. 2.4 Redundant Replicated Systems. Redundant or replicated systems run more than one copy of the exact same component, usually to protect against ....
J. Knight and N. Leveson. An Empirical Study of Failure Probabilities in Multi-version Software. In Proceedings of the 16th International Symposium on Fault-Tolerant Computing (FTCS-16), pages 165--170, New York, July 1986. IEEE.
....possible that, by chance, the faults in the various implementations are sufficiently different that their effects are masked. But this cannot be assured with high probability. This problem with the assumption of independent failures has been well documented along with other possible difficulties [8,13,14,26,27,30]. A key difference between the general application of software fault tolerance and its manifestation in the safety kernel is that whereas general software fault tolerance is targeted at tolerating all software faults, the safety kernel is focused on a very specific set of failures. This permits ....
Knight, J.C., and Leveson, N.G., "An Empirical Study of Failure Probabilities in Multi-Version Software," Digest of papers of the 16th International Symposium on Fault-Tolerant Computing, Vienna, Austria, 1986, pp 165-170.
....mutation analysis, constraint-based test data generation, data diversity. This work was partially supported by NASA Langley Research Center under grant NAG 1 1024. 1 Introduction. The use of multi-version software to improve computer system reliability remains a topic of vigorous debate [2, 15, 17, 18]. One cause for concern is easily seen in considering a simple model of majority voting: if each of three voters independently votes yes (meaning a correct vote) with probability p, then the probability of a majority yes decision is 3p^2 - 2p^3, which is larger than p when p is ....
J. Knight and N. Leveson. An empirical study of failure probabilities in multi-version software. Proc. of FTCS-16, Vienna, 1986.
No context found.
J. C. Knight and N. G. Leveson. An empirical study of failure probabilities in multi-version software. In Fault Tolerant Computing Symposium 16, pages 165--170, Vienna, Austria, July 1986. IEEE Computer Society.
No context found.
J.C. Knight and N.G. Leveson, "An Empirical Study of the Failure Probabilities in Multi-Version Software", Proc. FTCS 16, Vienna, July 1986