13.1   Redundancy and diversity  343

[Figure 13.1 The increasing costs of residual fault removal. Y-axis: Cost per Error Detected. X-axis: Number of Residual Errors (Many, Few, Very Few).]

As a result, software development companies accept that their software will always contain some residual faults. The level of faults depends on the type of system. Shrink-wrapped products have a relatively high level of faults, whereas critical systems usually have a much lower fault density.

The rationale for accepting faults is that, if and when the system fails, it is cheaper to pay for the consequences of failure than it would be to discover and remove the faults before system delivery. However, as discussed in Chapter 11, the decision to release faulty software is not simply an economic decision. The social and political acceptability of system failure must also be taken into account.

Many critical systems, such as aircraft systems, medical systems, and accounting systems, are used in regulated domains such as air transport, medicine, and finance. National governments define regulations that apply in these domains and appoint a regulatory body to ensure that companies follow these regulations. In practice, this means that the regulator often has to be convinced that critical software systems can be trusted, and this requires clear evidence that shows that these systems are dependable.

Therefore, the development process for critical systems is not just concerned with producing a dependable system; it must also produce the evidence that can convince a regulator that the system is dependable. Producing such evidence consumes a high proportion of the development costs for critical systems and so is an important contributory factor to the high costs of critical systems. I discuss the issues of producing safety and dependability cases in Chapter 15.




13.1 Redundancy and diversity

Redundancy and diversity are fundamental strategies for enhancing the dependability of any type of system. Redundancy means that spare capacity is included in a system that can be used if part of that system fails. Diversity means that redundant