Dave E. Eckhardt

A Theoretical Basis for the Analysis of Multiversion Software Subject to Coincident Errors

Fundamental to the development of redundant software techniques (known as fault-tolerant software) is an understanding of the impact of multiple joint occurrences of errors, referred to here as coincident errors. A theoretical basis for the study of redundant software is developed which 1) provides a probabilistic framework for empirically evaluating the effectiveness of a general multiversion strategy when component versions are subject to coincident errors, and 2) permits an analytical study of the effects of these errors. An intensity function, called the intensity of coincident errors, has a central role in this analysis. This function describes the propensity of programmers to introduce design faults in such a way that software components fail together when executing in the application environment. We give a condition under which a multiversion system is a better strategy than relying on a single version and we study some differences between the coincident errors model developed here and the model that assumes independent failures of component verions.

An experimental evaluation of software redundancy as a strategy for improving reliability

The strategy of using multiple versions of independently developed software as a means to tolerate residual software design faults is discussed. The effectiveness of multiversion software is studied by comparing estimates of the failure probabilities of these systems with the failure probabilities of single versions. The estimates are obtained under a model of dependent failures and compared with estimates obtained when failures are assumed to be independent. The experimental results are based on 20 versions of an aerospace application developed and independently validated by 60 programmers from 4 universities. Descriptions of the application and development process are given, together with an analysis of the 20 versions. >

A theoretical investigation of generalized voters for redundant systems

The authors generalize several commonly used voting techniques to arbitrary N-version systems with arbitrary output types using a metric space framework. In particular, they introduce the generalized median voter, which extends the thresholdless midvalue selection technique to arbitrary metric spaces and obviates most of the problems associated with inexact voting. They also introduce the formalized majority voter, which allows an inexact notion of equality between version outputs using a threshold. The authors then show that the median output determined by the generalized median voter will always be contained in the set of consensus outputs produced by the formalized majority voter. In addition, the authors introduce the formalized plurality voter which generalizes two-out-of-N type voters and the weighted averaging voter which generalizes dynamic voting. The performance of these voters under different postulated failure scenarios is compared.<<ETX>>

Fundamental differences in the reliability of n-modular redundancy and redundancy and N-version programming

Abstract N-Modular redundancy is an approach to increasing the reliability of hardware systems constructed from component devices that are subject to failure. The analogous approach in software is known as N-version programming. There are a number of well-known reliability implications of the hardware approach that result from assuming independent failures of the hardware components. This paper reviews these and examines the analogous results of N-version programming where an equivalent assumption of independent failures of the component versions may not be valid. It is shown that the results are not equivalent although both approaches can improve system reliability.

An experimental investigation of software diversity in a fault-tolerant avionics application

Highly reliable and effective failure detection and isolation (FDI) software is crucial in modern avionics systems that tolerate hardware failures in real time. The FDI function is an excellent opportunity for applying the principal of software design diversity to the fullest, i.e., algorithm diversity, in order to provide gains in functional performance as well as potentially enhancing the reliability of the software. The authors examine algorithm diversity applied to the redundancy management software for a hardware fault-tolerant sensor array. Results of an experiment are presented that show the performance gains that can be provided by utilizing the consensus of three diverse algorithms for sensor FDI.<<ETX>>

An experimental investigation of fault tolerant software structures in an avionics application

The objective of this experimental investigation is to compare the functional performance and software reliability of competing fault tolerant software structures utilizing software diversity. In this experiment, three versions of the redundancy management software for a skewed sensor array have been developed using three diverse failure detection and isolation algorithms and incorporated into various N-version, recovery block and hybrid software structures. The empirical results show that, for maximum functional performance improvement in the selected application domain, the results of diverse algorithms should be voted before being processed by multiple versions without enforced diversity. Results also suggest that when the reliability gain with an N-version structure is modest, recovery block structures are more feasible since higher reliability can be obtained using an acceptance check with a modest reliability.