17.7 ● n-version programming
This form of programming means developing n versions of the same software component.
For example, suppose a fly-by-wire airplane has a software component that decides
how much the rudder should be moved in response to information about speed, pitch,
throttle setting, etc. Three or more versions of the component are implemented and
run concurrently. The outputs are compared by a voting module; the majority vote wins
and is used to control the rudder (see Figure 17.4).
It is important that the different versions of the component are developed by different
teams, using different methods and (preferably) at different locations, so that as few
assumptions as possible are shared by the developers. By this means, the modules will use
different algorithms, contain different mistakes and (if they do produce incorrect outputs)
fail under different circumstances. Thus the chances are that when one of the components
fails and produces an incorrect result, the others will perform correctly and the faulty
component will be outvoted by the majority.
Clearly the success of an n-version programming scheme depends on the degree of
independence of the different components. If the majority embody a similar design fault,
they will fail together and the wrong decision will be the outcome. Independence is a bold
assumption, and some studies have shown a tendency for different developers to commit
the same mistakes, probably because of shared misunderstandings of the (same)
specification.
The expense of n-version programming is in the effort to develop n versions, plus the
processing overhead of running the multiple versions. If hardware reliability is also an
issue, as in fly-by-wire airplanes, each version runs on a separate (but identical) processor.
The voting module is small and simple, consuming minimal developer and processor time.
An even number of versions is not appropriate, since the vote could then be tied, leaving
no majority to act on.

Figure 17.4 Triple modular redundancy: the input data is passed to Version 1, Version 2
and Version 3; their outputs go to the voting module, which produces the output.
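As an added illustration (not code from the original text), the following Python voting module implements the scheme described above with three constructed versions of a hypothetical rudder control law. The names (`version_a`, `version_faulty`, `majority_vote`, `run_n_version`, `NoMajorityError`), the control law and the input values are all invented for the example. It also exercises the two caveats raised in the text: a design fault shared by a majority of the versions (common-mode failure) outvotes the one correct version, and an even number of versions is rejected because the vote could tie.

```python
"""Majority voter for an n-version component (illustration, not from the text)."""
from typing import Callable, List, Sequence, Tuple


class NoMajorityError(Exception):
    """No output value is supported by more than n/2 of the versions."""


# Each version maps the same inputs (speed, pitch, throttle) to a rudder
# deflection in degrees. The control law below is a made-up placeholder.
Version = Callable[[float, float, float], float]


def version_a(speed: float, pitch: float, throttle: float) -> float:
    # Straightforward floating-point evaluation of the (hypothetical) law.
    return 10.0 * pitch / (1.0 + speed / 100.0) + 0.5 * throttle


def version_b(speed: float, pitch: float, throttle: float) -> float:
    # Same law, rearranged to avoid the intermediate division.
    return pitch * 1000.0 / (100.0 + speed) + throttle / 2.0


def version_c(speed: float, pitch: float, throttle: float) -> float:
    # Same law, computed as an explicit gain term (a third "team's" algorithm).
    gain = 1000.0 / (100.0 + speed)
    return gain * pitch + throttle * 0.5


def version_faulty(speed: float, pitch: float, throttle: float) -> float:
    # Constructed bug: the speed-damping term is dropped entirely.
    return 10.0 * pitch + 0.5 * throttle


def majority_vote(outputs: Sequence[float], tol: float = 0.05) -> Tuple[float, List[int]]:
    """Return (agreed_value, indices_of_agreeing_versions).

    Two outputs "agree" if they differ by at most `tol`, so harmless
    floating-point differences between algorithms are not treated as faults.
    Raises ValueError for an even n (a tie is possible) and NoMajorityError
    if no value is backed by more than n/2 of the versions.
    """
    n = len(outputs)
    if n % 2 == 0:
        raise ValueError("an even number of versions can tie; use an odd n")
    best: List[int] = []
    for candidate in outputs:
        agreeing = [j for j, other in enumerate(outputs) if abs(other - candidate) <= tol]
        if len(agreeing) > len(best):
            best = agreeing
    if 2 * len(best) <= n:
        raise NoMajorityError(f"no majority among outputs {list(outputs)}")
    cluster = sorted(outputs[j] for j in best)
    return cluster[len(cluster) // 2], best  # median of the agreeing cluster


def run_n_version(versions: Sequence[Version], speed: float, pitch: float,
                  throttle: float) -> Tuple[float, List[int]]:
    """Run every version on the same input, vote, and report which were outvoted."""
    outputs = [v(speed, pitch, throttle) for v in versions]
    value, agreeing = majority_vote(outputs)
    outvoted = [i for i in range(len(versions)) if i not in agreeing]
    return value, outvoted


if __name__ == "__main__":
    # One faulty version is outvoted by the two independent correct ones.
    print(run_n_version([version_a, version_b, version_faulty], 200.0, 2.0, 40.0))
    # A fault shared by the majority (common-mode failure) wins the vote.
    print(run_n_version([version_a, version_faulty, version_faulty], 200.0, 2.0, 40.0))
```

The tolerance-based agreement is the part a real voter has to get right: too tight and legitimate algorithmic differences between independently written versions are voted out, too loose and a genuinely wrong output slips into the majority cluster. When no majority exists the voter raises rather than guessing, so the surrounding system can fall back to a safe state.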
The main difference between the recovery block and the n-version schemes is that in the
former the different versions are executed sequentially, and only if need be, whereas in
the latter they all run concurrently.
Is n-version programming forward error recovery or backward error recovery? The answer
is that, once an error is revealed by the vote, the correct result is immediately available
from the majority and the system can continue forwards. So it is forward error recovery.