Re: What Makes Software Safe? (was Concord Loses #3)

From:         strigini@csr.city.ac.uk (Lorenzo Strigini)
Organization: Centre for Software Reliability
Date:         30 Jun 95 03:47:09 
References:   1 2 3

I noticed in Brian A. Reynold's message the following quote from a previous
posting:

> ........
> > software.  Academic studies seem to indicate that common mode errors are just
> > as likely to occur in multiversion software as redundant systems which use the
> > same software.
This is incorrect, to my knowledge.
I have read (and done research) on multiple-version software for the last
11 years, and I am not aware of any such results.

What academic studies have shown is:
1. (through experimental work by Knight and Leveson - not Levison) that you
cannot expect multiple versions to fail independently (that is, the
probability of two versions failing should not be expected to be the
product of the probabilities of each failing). This is also true, in most
cases, for physical failures of redundant hardware, by the way;
2. that there are good theoretical reasons for _expecting_ the above
experimental result to hold (work by Eckhardt and Lee and by Littlewood and
Miller) (and, by the way, that behaviour _better_ than independence is
theoretically achievable, though we don't know how in practice);
3. that in experimental studies of multiversion development, multiversion
software was always shown to be more reliable than a single version. These
studies were sometimes run in unrealistic conditions (student programmers)
and never developed very large programs, but all evidence so far is that
multiversion software will, on average, fail less frequently than one of
its component versions.

What academic research cannot indicate is whether resources are better
spent on making multiple versions than on making a single version as good
as possible.  However, Airbus (for instance) would probably tell you that
they first spent as much as could be reasonably expected to be useful in
making each version as good as possible, and then they added multiple
versions for added safety.

If anyone would like to read the original papers, please E-mail me and I'll
provide full references.

Lorenzo Strigini

--
Lorenzo Strigini
Centre for Software Reliability, City University
Northampton Square,  London EC1V OHB,  UK
Fax +44 171 477 8585  ;  email: strigini@csr.city.ac.uk
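As an added illustration of points 1 to 3 above (not part of Strigini's post), the Eckhardt and Lee "difficulty function" model worked through on a constructed toy input space: versions fail independently on any given input, but averaging over the input distribution makes their joint failure probability exceed the product of the individual ones by the variance of the difficulty, while a second methodology that finds different inputs hard (the Littlewood and Miller extension) can do better than independence. The input classes, probabilities and difficulty values below are assumptions chosen for the example.

```python
from fractions import Fraction as F

# Constructed toy demand space: three input classes and their probabilities.
PROB = {"easy": F(1, 2), "medium": F(3, 10), "hard": F(1, 5)}

# Eckhardt-Lee difficulty function theta(x): probability that a version built
# with a given methodology fails on input x. Constructed values.
THETA_A = {"easy": F(0), "medium": F(1, 10), "hard": F(1, 2)}
# A second methodology (Littlewood-Miller) that finds different inputs hard.
THETA_B = {"easy": F(1, 20), "medium": F(1, 2), "hard": F(0)}


def p_fail(theta):
    """P(a single version fails) = E[theta(X)] over the input distribution."""
    return sum(PROB[x] * theta[x] for x in PROB)


def p_both_fail(theta1, theta2):
    """P(both versions fail) = E[theta1(X) * theta2(X)].

    Failures are conditionally independent given the input, so the product is
    taken per input and only then averaged over inputs. A 1-out-of-2 system
    fails exactly when both versions fail, so this is also its failure rate."""
    return sum(PROB[x] * theta1[x] * theta2[x] for x in PROB)


def p_both_fail_if_independent(theta1, theta2):
    """What naive (unconditional) independence would predict."""
    return p_fail(theta1) * p_fail(theta2)


def variance_of_difficulty(theta):
    """Var[theta(X)]: the gap between E[theta^2] and E[theta]^2 for identical
    methodologies, i.e. the size of the common-mode effect."""
    mean = p_fail(theta)
    return sum(PROB[x] * (theta[x] - mean) ** 2 for x in PROB)


if __name__ == "__main__":
    print("single version A fails:      ", p_fail(THETA_A))
    print("two A versions both fail:    ", p_both_fail(THETA_A, THETA_A))
    print("  naive independence predicts", p_both_fail_if_independent(THETA_A, THETA_A))
    print("  excess = Var[theta_A]:     ", variance_of_difficulty(THETA_A))
    print("A and B both fail:           ", p_both_fail(THETA_A, THETA_B))
    print("  naive independence predicts", p_both_fail_if_independent(THETA_A, THETA_B))
```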