When Does "Diversity" in Development Reduce Common Failures? Insights from Probabilistic Modeling

Fault tolerance via diverse redundancy, in which multiple "versions" of a system run in a redundant configuration, is an attractive defence against design faults. To reduce the probability of common failures, development and procurement practices pursue "diversity" between the ways the different versions are developed. But difficult questions remain open about which practices are more effective to this end. Probabilistic models have helped with these questions by exposing fallacies in "common sense" judgements. However, most of them make very restrictive assumptions: they model well scenarios in which the diverse versions are developed in rigorous isolation from each other, a condition that many think desirable but that is unlikely in practice. We extend these models to cover nonindependent development processes for diverse versions. This gives a rigorous way of framing claims and open questions about how best to pursue diversity, and about the effects, negative and positive, of commonalities between the developments, from specification corrections to the choice of test cases. We obtain three theorems that, under specific scenarios, identify preferences between alternative ways of seeking diversity. We also discuss nonintuitive issues, including how expected system reliability may be improved by creating intentional "negative" dependences between the developments of different versions.
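The abstract refers to the classic probabilistic models of coincident failure, in which each development methodology has a "difficulty function" giving the probability that a version built with it fails on a given demand, and to the claim that deliberately negative dependence between developments can help. The Python script below is an added illustration written for this page, not code from the paper. The demand profile and the two difficulty functions are constructed values, and the testing model (each version is run on k demands chosen uniformly at random, and a tested demand perfectly removes that version's fault on it) is an assumption of this example, not the paper's model. It shows three things on those inputs: two versions developed independently with the same methodology still fail together more often than the product of their individual probabilities of failure on demand (pfd) suggests; a diverse second methodology can lower the coincident failure probability even though its versions are individually worse; and, among ways of choosing each version's test cases, a shared test set is worst, independent selection is better, and deliberately disjoint (negatively dependent) selection is best.

```python
"""Toy difficulty-function model of coincident failure in a 1-out-of-2 diverse pair.

Added example for this page; not the paper's code.  All numbers are constructed.
"""
from typing import Dict, Optional

# Constructed demand profile Q(x): probability that operational demand x occurs.
Q: Dict[str, float] = {"d0": 0.40, "d1": 0.25, "d2": 0.15, "d3": 0.10, "d4": 0.06, "d5": 0.04}

# Constructed difficulty functions theta_M(x): probability that a version built with
# methodology M fails on demand x.  A and B are "diverse" in that they find different
# demands hard (A struggles on d2/d3, B on d1/d4/d5).
THETA_A: Dict[str, float] = {"d0": 0.01, "d1": 0.02, "d2": 0.10, "d3": 0.30, "d4": 0.05, "d5": 0.02}
THETA_B: Dict[str, float] = {"d0": 0.01, "d1": 0.15, "d2": 0.02, "d3": 0.05, "d4": 0.30, "d5": 0.10}

SCHEMES = ("shared", "independent", "disjoint")


def pfd(theta: Dict[str, float]) -> float:
    """Expected probability of failure on demand of a single version from methodology theta."""
    return sum(Q[x] * theta[x] for x in Q)


def p_common(theta1: Dict[str, float], theta2: Dict[str, float],
             untested: Optional[Dict[str, float]] = None) -> float:
    """Expected probability that two versions, drawn independently from methodologies
    theta1 and theta2, both fail on a random demand (the pfd of a 1-out-of-2 pair).
    untested[x] is the probability that neither version's testing removed its fault
    on x; with no testing it is 1.0 everywhere."""
    if untested is None:
        untested = {x: 1.0 for x in Q}
    return sum(Q[x] * theta1[x] * theta2[x] * untested[x] for x in Q)


def p_untested_by_both(scheme: str, k: int) -> Dict[str, float]:
    """Per-demand probability that neither version's test set contains the demand, when
    each version is tested on k of the n demands chosen uniformly without replacement.

    Assumption of this example: a demand in a version's test set reveals and perfectly
    removes that version's fault on it, so the pair can only fail together on demands
    that neither version was tested on."""
    n = len(Q)
    if not 0 <= k <= n:
        raise ValueError("k must be between 0 and the number of demands")
    if scheme == "shared":            # both teams use the same k-demand test set
        p = 1 - k / n
    elif scheme == "independent":     # each team draws its own test set independently
        p = (1 - k / n) ** 2
    elif scheme == "disjoint":        # second team is told to avoid the first team's demands;
        if 2 * k > n:                 # the union is then a uniform 2k-subset of the demands
            raise ValueError("disjoint scheme needs 2k <= n")
        p = 1 - 2 * k / n
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {x: p for x in Q}


def compare_test_schemes(theta1: Dict[str, float], theta2: Dict[str, float],
                         k: int) -> Dict[str, float]:
    """Pair pfd under each test-selection scheme for a budget of k demands per version."""
    return {s: p_common(theta1, theta2, p_untested_by_both(s, k)) for s in SCHEMES}


if __name__ == "__main__":
    print(f"pfd(A) = {pfd(THETA_A):.4f}, pfd(B) = {pfd(THETA_B):.4f}")
    # Independent development does not give independent failures: E[theta^2] >= E[theta]^2.
    print(f"pair A+A: {p_common(THETA_A, THETA_A):.6f} vs pfd(A)^2 = {pfd(THETA_A) ** 2:.6f}")
    # A diverse methodology can beat a same-methodology pair even though pfd(B) > pfd(A).
    print(f"pair A+B: {p_common(THETA_A, THETA_B):.6f} vs pfd(A)*pfd(B) = {pfd(THETA_A) * pfd(THETA_B):.6f}")
    for k in (1, 2, 3):
        print(f"k={k}:", {s: round(v, 6) for s, v in compare_test_schemes(THETA_A, THETA_B, k).items()})
```

The point of the toy is the direction of the effects, not the magnitudes. With the same methodology, the pair's coincident failure probability is the demand-weighted mean of theta squared, which is never below the square of the mean, so assuming independent failures overstates reliability. Diversity helps when the two difficulty functions are low on different demands, and here the A+B pair even fails together less often than the product of the individual pfds, i.e. the versions are negatively correlated. For test selection, the ordering disjoint < independent < shared holds for any k with 2k <= n, because 1 - 2k/n < (1 - k/n)^2 < 1 - k/n; at k = n/2 the disjoint scheme leaves no demand untested by both and the toy pair pfd drops to zero. The paper's theorems concern richer models of nonindependent development than this (for example, imperfect fault removal and test cases selected in proportion to the demand profile); this script only makes the abstract's counter-intuitive claim concrete.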
