When Does "Diversity" in Development Reduce Common Failures? Insights from Probabilistic Modeling

Fault tolerance via diverse redundancy, with multiple “versions” of a system in a redundant configuration, is an attractive defence against design faults. To reduce the probability of common failures, development and procurement practices pursue “diversity” between the ways the different versions are developed. But difficult questions remain open about which practices are more effective to this aim. About these questions, probabilistic models have helped by exposing fallacies in “common sense” judgements. However, most make very restrictive assumptions. They model well scenarios in which diverse versions are developed in rigorous isolation from each other: a condition that many think desirable, but is unlikely in practice. We extend these models to cover non-independent development processes for diverse versions. This gives us a rigorous way of framing claims and open questions about how best to pursue diversity, and about the effects – negative and positive – of commonalities between developments, from specification corrections to the choice of test cases. We obtain three theorems that, under specific scenarios, identify preferences between alternative ways of seeking diversity. We also discuss non-intuitive issues, including how expected system reliability may be improved by creating intentional “negative” dependencies between the developments of different versions. Index Terms Common-mode failure, Software Diversity, Fault tolerance, Multiversion software, Probability of failure on demand, Reliability.