[SystemSafety] Paper on Software Reliability and the Urn Model
nl887 at my.open.ac.uk
Sat Feb 28 20:26:08 CET 2015
But as you state, the beauty of the Turing machine is that it provably
_does_ represent computational behaviour through a mapping.
First of all I have to confess to being no mathematician, but I think
the problem with the urn model is more its assumption that the balls
have an equal likelihood of being selected.
Taking an overoptimistic viewpoint, the software before release works
flawlessly for (hopefully) all of a wide range of test scenarios. In
other words, the scenarios tested all get a white ball.
However, apart from whatever structural coverage is mandated
(MCDC/statement, boundary conditions etc.), the natural tendency is that
the tests provide inputs around the expected domain in the real world.
Thus when real use starts, one would expect few failures. But what if
an obscure unexpected combination of events exists in the real world,
that causes the system to enter unexpected states that trigger
"failure"? For example, one that could only occur if certain atmospheric
conditions arise that only occur in nature once in a hundred years.
There is a high (90%) chance that millions of hours of testing in
a period of ten years will find this, because the atmospheric conditions
simply did not exist. This is akin to having a bunch of black balls
all together in a hard-to-reach part of the urn. It is not only the
sampling process but also how the sampling process is performed that
provides you with a true measure of the statistical risk... or to use
the urn analogy again, did you use a child tester with highly flexible
arms who could reach that awkward corner of the urn that was filled with
On 25/02/2015 12:20, Peter Bernard Ladkin wrote:
> On 2015-02-25 12:27 , Derek M Jones wrote:
>> A model that does not reflect reality is one good reason for not liking
>> the urn model.
> You might as well say that a Turing machine doesn't "reflect reality". But if you can map your
> computational behavior onto some Turing machine, you're in good shape, because both the math and the
> programming are well understood.
> Similarly, the urn model is a state machine. If you can map your problem onto it, you're in good
> shape, because the 302 year old math is well understood. Some SW - not all, but some - can be so mapped.
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
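An added illustration of the sampling point raised in this message (not code from the thread or its participants): it compares the failure-rate bound the urn model gives after failure-free testing with what happens when the tests never reach a corner of the urn where the black balls are clustered. The 1000 regions, the 10-region corner, the test count and the independent-years assumption for a once-in-a-hundred-years condition are all constructed for the example.

```python
import random

CELLS = 1000                      # constructed: the urn split into 1000 input regions
CORNER = set(range(990, 1000))    # constructed: black balls clustered in 10 regions

def draw_failures(n_draws, weights, seed):
    """Count draws that land on a black ball under the given sampling weights."""
    rng = random.Random(seed)
    picks = rng.choices(range(CELLS), weights=weights, k=n_draws)
    return sum(1 for cell in picks if cell in CORNER)

def urn_bound(n_failure_free, confidence=0.9):
    """Upper bound on the black-ball fraction after n failure-free draws,
    valid only if every ball is equally likely: (1 - p)^n = 1 - confidence."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n_failure_free)

def chance_condition_absent(yearly_probability, years):
    """Chance that a condition never arises in the period (independent years assumed)."""
    return (1.0 - yearly_probability) ** years

def compare(n_tests=10_000, seed=2015):
    # Test profile: inputs around the expected domain, the corner is never reached.
    test_weights = [0.0 if c in CORNER else 1.0 for c in range(CELLS)]
    # Field profile: every region equally likely, as the urn model assumes.
    field_weights = [1.0] * CELLS
    return {
        "test_failures": draw_failures(n_tests, test_weights, seed),
        "claimed_bound": urn_bound(n_tests),
        "true_fraction": len(CORNER) / CELLS,
        "field_failures": draw_failures(n_tests, field_weights, seed),
        "condition_absent": chance_condition_absent(1 / 100, 10),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The failure-free test campaign yields a bound far below the true black-ball fraction because the bound assumes the equal-likelihood sampling that the test profile did not provide.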