7 citations found.
U. Voges, editor. Software Diversity in Computerized Control Systems. Springer Verlag, 1988.

This paper is cited in the following contexts:
The Time-Triggered Architecture - Kopetz, Bauer (1988)   (18 citations)

....of dependable systems are clarified at about that time. For example, Lala states that field experience with approximate voting was not at all satisfying. At about the same time a heated debate started concerning the cost efficiency of design diversity for the tolerance of design faults [13] [14] [15]. The important ARINC 178B standard [16] that was published in 1992 and deals with software development for safety critical avionics systems contains no clear statement about the use of software design diversity. This issue has not been resolved until today. In Europe, the ESPRIT funded research ....

U. Voges, editor. Software Diversity in Computerized Control Systems. Springer Verlag, 1988.


Modelling Software Design Diversity: A Review - Littlewood, Popov, Strigini (1999)   (3 citations)

....and scheduled to execute, according to various alternative schemes, adapted to the kind of hardware redundancy present. The hardware processors themselves will often be diverse, for protection against the design faults in the processors, which are known to be common. And so on [Lyu 1995] [Voges 1988], [Laprie et al. 1990] Widely known, simple fault tolerant schemes are: pure N version software, with multiple versions produced as we outlined above, and executed on the redundant processors of an N modular redundant system; recovery blocks, in which one version is executed at a time, its ....

....effectiveness of design diversity falls into three main types: Operational experience of its application in real industrial systems; Controlled experimental studies; Mathematical models of the failure processes of diverse versions. Many industrial and research experiences are reported in [Voges 1988, Lyu 1995] but relatively little data have been published. On the positive side, several safety critical systems have been implemented using software fault tolerance based on design diversity, and there have been no reports of catastrophic failure attributable to software design faults. It ....

U. Voges (Ed.), Software diversity in computerized control systems, Dependable Computing and Fault-Tolerance series, 2, Springer-Verlag, Wien, 1988.


Assessment of the Reliability of Fault-Tolerant Software.. - Bev Littlewood Peter (2000)

.... evidence that fault tolerance can deliver levels of reliability higher than could be achieved with a single software version [Knight Leveson 1986a] Indeed, there are several examples of apparently successful use of design diversity in engineered systems that are in operational use, e.g. [Voges 1988], [Briere Traverse 1993] [Kantz Koza 1995] The reason that software fault tolerance does not deliver dramatically high reliability is that the failures of different software versions in a fault tolerant system cannot be assumed to be independent [Eckhardt Lee 1985] Knight Leveson ....

U. Voges (Ed.), Software diversity in computerized control systems, Dependable Computing and Fault-Tolerance series, 2, Springer-Verlag, Wien, 1988.


Choosing Between Fault-Tolerance and Increased VV for.. - Peter Popov Lorenzo (2000)   (1 citation)

.... redundancy [1] there is nevertheless evidence that fault tolerance can deliver levels of reliability higher than achieved with a single software version [2] Indeed, there are several examples of apparently successful use of design diversity in engineered systems that are in operational use, e.g. [3], [4] [5] The reason that software fault tolerance does not deliver dramatically high reliability is that the failures of different software versions in a fault tolerant system cannot be assumed to be independent [6] [1] [7] Peter Popov, Lorenzo Strigini, Bev Littlewood: Choosing between ....

U. Voges (Ed.), "Software diversity in computerized control systems", Wien, Springer-Verlag, 1988.


Choosing Effective Methods for Design Diversity - how to.. - Peter Popov Lorenzo (1999)

....more versions are then run in a redundant configuration, so that failures in a subset of the versions may be masked or at least detected. More refined arrangements are possible, e.g. with some version only performing a monitoring or auditing function on others which have active control functions [1, 2]. Other benefits are also sought from implementing multiple versions, e.g. back-to-back testing provides a cheap, though imperfect, oracle for automated testing. An important problem with design diversity (as with most other techniques for reducing or tolerating design faults) is that the ....

....should not discourage us: for decision making it is usually sufficient to know whether a certain decision is substantially better than (or even simply at least as good as) another one. 2.3 Empirical Evidence We know very little about the general efficacy of any specific DSD. Experiments [2, 1] have seldom been analysed from this viewpoint (attempts are presented in [11, p. 7 12] and some interesting considerations in [13] In any case, they only provide anecdotal evidence: each experiment only developed multiple versions of one program, leaving open the doubt whether a DSD that ....

Voges, U. (Ed.): Software diversity in computerized control systems. Springer-Verlag, Wien (1988)


The Methodology of N-Version Programming - Avizienis (1995)   (7 citations)

....fault tolerant software has gained significant acceptance in academia and industry during the past decade. Two, three, and four version software is switching trains [Hag88] performing flight control computations on modern airliners [Wil83, Tra88] and more NVS applications are on the way [Vog88a, Wal88, Hil88]. Publications about f t software are growing in numbers and in depth of understanding, and at least three long term academic hands on efforts are in their second decade: recovery blocks at Newcastle [Ran87, And88] distributed recovery blocks at UC Irvine [Chu87, Kim88] and N version software ....

U. Voges, editor. Software Diversity in Computerized Control Systems. Springer, Wien, New York, 1988.


Choosing Effective Methods for Design Diversity - How to.. - Peter Popov Alexander (1999)

....more versions are then run in a redundant configuration, so that failures in a subset of the versions may be masked or at least detected. More refined arrangements are possible, e.g. with some version only performing a monitoring or auditing function on others which have active control functions [1, 2]. An important problem with design diversity (as with most other techniques for reducing or tolerating design faults) is that the reliability gain that it produces is difficult to evaluate. We know that one cannot assume diverse versions to fail independently, and all other techniques for ....

....should not discourage us: for decisionmaking it is usually sufficient to know whether a certain decision is substantially better than (or even simply at least as good as) another one. 2.3 Empirical evidence We know very little about the general efficacy of any specific DSD. Experiments [2, 1] have seldom been analysed from this viewpoint (one of the rare attempts is [13] and some interesting considerations in [14] In any case, they only provide anecdotal evidence: each experiment only developed multiple versions of one program, leaving open the doubt whether a DSD that appeared ....

U. Voges (Ed.), "Software diversity in computerized control systems", Wien, Springer-Verlag, 1988.

CiteSeer.IST - Copyright Penn State and NEC