
17.7 n-version programming

This form of programming means developing n versions of the same software component. For example, suppose a fly-by-wire airplane has a software component that decides how much the rudder should be moved in response to information about speed, pitch, throttle setting, etc. Three or more versions of the component are implemented and run concurrently. The outputs are compared by a voting module; the majority vote wins and is used to control the rudder (see Figure 17.4).

It is important that the different versions of the component are developed by different teams, using different methods and (preferably) at different locations, so that a minimum of assumptions are shared by the developers. By this means, the modules will use different algorithms, have different mistakes and produce different outputs (if they do) under different circumstances. Thus the chances are that when one of the components fails and produces an incorrect result, the others will perform correctly and the faulty component will be outvoted by the majority.

Clearly the success of an n-programming scheme depends on the degree of independence of the different components. If the majority embody a similar design fault, they will fail together and the wrong decision will be the outcome. This is a bold assumption, and some studies have shown a tendency for different developers to commit the same mistakes, probably because of shared misunderstandings of the (same) specification.

The expense of n-programming is in the effort to develop n versions, plus the processing overhead of running the multiple versions. If hardware reliability is also an issue, as in fly-by-wire airplanes, each version runs on a separate (but identical) processor. The voting module is small and simple, consuming minimal developer and processor time. For obvious reasons, an even number of versions is not appropriate.

Figure 17.4 Triple modular redundancy: input data is fed to Version 1, Version 2 and Version 3; their outputs go to a voting module, which produces the output.
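The scheme described above, as an added illustration that is not code from the textbook: three differently phrased versions of a constructed rudder-deflection law run on the same input, and a small voting module returns the strict-majority output (quantised to 0.1 degree, so harmless floating-point differences between versions are not mistaken for faults). The control law, the FlightState fields, the sample input and the two fault injections are all constructed for the example. The single-version fault shows the faulty module being outvoted; the shared misreading of the specification (throttle taken as a percentage by two teams) shows the wrong answer winning the vote, which is the independence caveat; and the four-version run shows why an even number of versions is inappropriate, since a 2-2 tie leaves no majority at all.

```python
"""N-version programming with a majority voter (added example, not the book's
code).  The control law, FlightState fields, sample input and fault
injections are all constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class FlightState:
    speed: float     # airspeed (constructed units; unused by the toy law)
    pitch: float     # degrees
    throttle: float  # fraction of full throttle, 0.0 .. 1.0


Version = Callable[[FlightState], float]

# Three "independently written" versions of one rudder-deflection law.
# Each is phrased differently, as different teams would write it, but all
# implement the same constructed specification: 0.5*pitch + 2.0*throttle.
def version_a(s: FlightState) -> float:
    return 0.5 * s.pitch + 2.0 * s.throttle

def version_b(s: FlightState) -> float:
    return (s.pitch + 4.0 * s.throttle) / 2.0

def version_c(s: FlightState) -> float:
    deflection = s.throttle * 2.0
    deflection += s.pitch / 2.0
    return deflection

# Fault injections (constructed).
def version_c_sign_bug(s: FlightState) -> float:
    # An isolated coding slip in one version: wrong sign on the pitch term.
    return 2.0 * s.throttle - 0.5 * s.pitch

def version_b_percent(s: FlightState) -> float:
    # Two teams shared the same misreading of the spec: throttle in percent.
    return (s.pitch + 4.0 * (100.0 * s.throttle)) / 2.0

def version_c_percent(s: FlightState) -> float:
    return 0.5 * s.pitch + 2.0 * (100.0 * s.throttle)


def majority_vote(outputs: Sequence[float], quantum: float = 0.1) -> Optional[float]:
    """Return the output held by a strict majority of versions, or None.

    Outputs are quantised (here to 0.1 degree) before comparison, otherwise
    benign rounding differences between versions would look like faults.
    """
    buckets = Counter(round(o / quantum) for o in outputs)
    bucket, count = buckets.most_common(1)[0]
    if 2 * count > len(outputs):
        return round(bucket * quantum, 3)
    return None  # no strict majority, e.g. a 2-2 tie with an even n


def run_nvp(versions: Sequence[Version], state: FlightState,
            quantum: float = 0.1) -> Tuple[Optional[float], List[int]]:
    """Run every version on the same input, vote, and report dissenters.

    The voter is deliberately small: it compares and counts, nothing else.
    Dissenters are reported even when outvoted, because a silently outvoted
    module is a latent fault that maintenance should get to see.
    """
    outputs = [v(state) for v in versions]
    decision = majority_vote(outputs, quantum)
    if decision is None:
        return None, list(range(len(versions)))
    dissenters = [i for i, o in enumerate(outputs)
                  if round(o / quantum) != round(decision / quantum)]
    return decision, dissenters


SAMPLE_STATE = FlightState(speed=120.0, pitch=4.0, throttle=0.5)  # constructed
INDEPENDENT = [version_a, version_b, version_c]
ONE_FAULTY = [version_a, version_b, version_c_sign_bug]
SHARED_FAULT = [version_a, version_b_percent, version_c_percent]
EVEN_N = [version_a, version_b, version_b_percent, version_c_percent]

if __name__ == "__main__":
    for name, vs in [("independent", INDEPENDENT), ("one faulty", ONE_FAULTY),
                     ("shared fault", SHARED_FAULT), ("even n", EVEN_N)]:
        print(f"{name:12s} decision, dissenters = {run_nvp(vs, SAMPLE_STATE)}")
```

Running the module prints the four scenarios: the independent set agrees on 3.0 degrees; the sign bug in one version is outvoted and reported as dissenter 2; the shared percent misreading wins with 102.0 degrees and the one correct version is the dissenter; and the even-numbered set yields no decision at all. The dissenter list is the part a practitioner should not leave out: a voter that only emits the winning value hides the fact that a version has started to fail.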

The main difference between the recovery block and the n-version schemes is that in the former the different versions are executed sequentially (if need be).

Is n-programming forward error recovery or is it backward error recovery? The answer is that, once an error is revealed, the correct behavior is immediately available and the system can continue forwards. So it is forward error recovery.