[SystemSafety] Paper on Software Reliability and the Urn Model

Nick Lusty nl887 at my.open.ac.uk
Sat Feb 28 20:26:08 CET 2015

But as you state, the beauty of the Turing machine is that it provably 
_does_ represent computational behaviour through a mapping.

First of all I have to confess to being no mathematician, but I think 
the problem with the urn model is more its assumption that the balls 
have an equal likelihood of being selected.

Taking an overoptimistic viewpoint, the software, before release, works 
flawlessly for (hopefully) all of a wide range of test scenarios.  In 
other words, the scenarios tested all get a white ball.

However, apart from whatever structural coverage is mandated 
(MCDC/statement, boundary conditions etc.), the natural tendency is that 
the tests provide inputs around the expected domain in the real world.  
Thus when real use starts, one would expect few failures.  But what if 
an obscure unexpected combination of events exists in the real world, 
that causes the system to enter unexpected states that trigger 
"failure"?  For example, one that could only occur if certain atmospheric 
conditions arise that only occur in nature once in a hundred years.  
There is a high (90%) chance that millions of hours of testing in 
a period of ten years will find this, because the atmospheric conditions 
simply did not exist.  This is like having a bunch of black balls 
all together in a hard to reach part of the urn.  It is not only the 
sampling process but also how the sampling process is performed that 
provides you with a true measure of the statistical risk... or to use 
the urn analogy again, did you use a child tester with highly flexible 
arms who could reach that awkward corner of the urn that was filled with 
black balls?

On 25/02/2015 12:20, Peter Bernard Ladkin wrote:
> On 2015-02-25 12:27 , Derek M Jones wrote:
>> A model that does not reflect reality is one good reason for not liking
>> the urn model.
> You might as well say that a Turing machine doesn't "reflect reality". But if you can map your
> computational behavior onto some Turing machine, you're in good shape, because both the math and the
> programming are well understood.
> Similarly, the urn model is a state machine. If you can map your problem onto it, you're in good
> shape, because the 302 year old math is well understood. Some SW - not all, but some - can be so mapped.
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
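An added worked example (not from this post or the thread) of the point made above: an urn whose black balls all sit in one awkward corner, compared under the textbook assumption that every ball is equally likely and under a tester whose "arm" rarely reaches that corner. The corner_fraction, black_in_corner and reach_prob values are constructed for illustration.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusteredUrn:
    """Urn in which every black (failure) ball sits in one awkward corner.

    corner_fraction: share of all states that lie in the corner, e.g. states
                     reachable only under a once-in-a-century condition
    black_in_corner: share of the corner's balls that are black
    Outside the corner every ball is white (the software passes there).
    """
    corner_fraction: float
    black_in_corner: float

    def p_black(self, reach_prob: float | None = None) -> float:
        """Per-draw probability of drawing a black ball.

        reach_prob is how often the sampler reaches the corner.  None means the
        textbook urn assumption (every ball equally likely), so the corner is
        reached exactly corner_fraction of the time.  A test campaign that
        keeps its inputs near the expected operating domain has a far smaller
        reach_prob, and so sees far fewer black balls than the urn contains.
        """
        if reach_prob is None:
            reach_prob = self.corner_fraction
        if not 0.0 <= reach_prob <= 1.0:
            raise ValueError("reach_prob must be in [0, 1]")
        return reach_prob * self.black_in_corner


def p_all_white(p_black: float, n_draws: int) -> float:
    """Probability that n independent draws return only white balls."""
    return (1.0 - p_black) ** n_draws


def draws_for_detection(p_black: float, confidence: float = 0.9) -> int | None:
    """Smallest n with P(at least one black in n draws) >= confidence.

    Returns None when the sampler can never reach a black ball: no amount of
    testing around the expected domain will ever find the clustered failures.
    """
    if p_black <= 0.0:
        return None
    if p_black >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_black))


def simulate_campaign(urn: ClusteredUrn, reach_prob: float | None,
                      n_draws: int, seed: int = 0) -> int:
    """Seeded Monte Carlo count of black balls seen in n_draws draws."""
    rng = random.Random(seed)
    p = urn.p_black(reach_prob)
    return sum(1 for _ in range(n_draws) if rng.random() < p)
```

With a corner holding 1% of the states, half of them black, a uniform sampler needs about 460 draws for a 90% chance of seeing a failure, while a tester whose arm never reaches the corner reports a flawless campaign no matter how many draws it makes.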
