Re: [SystemSafety] Paper on Software Reliability and the Urn Model

From: Nick Lusty < >
Date: Sat, 28 Feb 2015 19:26:08 +0000

But as you state, the beauty of the Turing machine is that it provably _does_ represent computational behaviour through a mapping.

First of all, I have to confess to being no mathematician, but I think the problem with the urn model is more its assumption that the balls have an equal likelihood of being selected.

Taking an overoptimistic viewpoint, the software, before release, works flawlessly for (hopefully) all of a wide range of test scenarios. In other words, the scenarios tested all get a white ball.

However, apart from whatever structural coverage is mandated (MC/DC, statement, boundary conditions, etc.), the natural tendency is that the tests provide inputs around the expected domain in the real world. Thus, when real use starts, one would expect few failures. But what if an obscure, unexpected combination of events exists in the real world that causes the system to enter unexpected states that trigger "failure"? For example, one that could only occur if certain atmospheric conditions arise that only occur in nature once in a hundred years. There is a high (90%) chance that millions of hours of testing in a period of ten years will find this, because the atmospheric conditions simply did not exist. This is akin to having a bunch of black balls all together in a hard-to-reach part of the urn. It is not only the sampling process but also how the sampling process is performed that provides you with a true measure of the statistical risk... or, to use the urn analogy again, did you use a child tester with highly flexible arms who could reach that awkward corner of the urn that was filled with black balls?

On 25/02/2015 12:20, Peter Bernard Ladkin wrote:
> On 2015-02-25 12:27 , Derek M Jones wrote:
>> A model that does not reflect reality is one good reason for not liking
>> the urn model.
> You might as well say that a Turing machine doesn't "reflect reality". But if you can map your
> computational behavior onto some Turing machine, you're in good shape, because both the math and the
> programming are well understood.
> Similarly, the urn model is a state machine. If you can map your problem onto it, you're in good
> shape, because the 302-year-old math is well understood. Some SW - not all, but some - can be so mapped.
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx

The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Sat Feb 28 2015 - 20:26:29 CET
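The argument in the post above, that the urn model's bound only means something if the tests were drawn the way operational demands will be, can be put into numbers. The following is an added worked example, not code from the mailing list or from either poster. It uses the standard urn-model bound (with n failure-free draws with replacement, the per-demand failure probability p satisfies p <= 1 - (1 - c)^(1/n) at confidence c) and a constructed toy "system" that fails only in one small corner of a two-dimensional input space. The samplers, the corner size, the test budget and the seed are all assumptions chosen for illustration.

```python
"""Urn-model reliability bound versus how the tests were actually sampled.

The urn model treats each test as drawing a ball, with replacement, from an
urn whose black-ball fraction p is the per-demand failure probability. That
only holds if the tests are drawn from the same distribution as operational
demands. This constructed example shows the bound being violated when the
tester's input distribution never reaches the corner where the failures live.
"""
import random
from typing import Callable, Dict, Tuple

Sampler = Callable[[random.Random], Tuple[float, float]]


def max_failure_prob(n_tests: int, confidence: float) -> float:
    """Largest p consistent with n failure-free draws at the given confidence.

    P(no black ball in n draws) = (1 - p) ** n. Requiring this to be at most
    1 - confidence and solving for p gives p <= 1 - (1 - confidence) ** (1 / n).
    """
    if n_tests <= 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need n_tests > 0 and 0 < confidence < 1")
    return 1.0 - (1.0 - confidence) ** (1.0 / n_tests)


# Constructed toy system on the unit square: it fails only in the corner
# x > 0.97 and y > 0.97 (the "awkward corner of the urn"), area 0.03 * 0.03.
CORNER = 0.97


def system_fails(x: float, y: float) -> bool:
    return x > CORNER and y > CORNER


def true_failure_prob_uniform() -> float:
    """Exact failure probability when operational inputs are uniform on the square."""
    return (1.0 - CORNER) ** 2


def uniform_sampler(rng: random.Random) -> Tuple[float, float]:
    """Tests drawn from the same distribution as (assumed) operational use."""
    return rng.random(), rng.random()


def expected_domain_sampler(rng: random.Random) -> Tuple[float, float]:
    """Tests concentrated on the expected domain, [0, 0.95] on each axis.

    This tester's arm never reaches past 0.95, so the corner is never sampled
    and every test returns a white ball.
    """
    return rng.uniform(0.0, 0.95), rng.uniform(0.0, 0.95)


def count_failures(n_tests: int, sampler: Sampler, seed: int = 0) -> int:
    """Number of failing tests when n_tests inputs are drawn with the given sampler."""
    rng = random.Random(seed)
    return sum(system_fails(*sampler(rng)) for _ in range(n_tests))


def compare(n_tests: int = 20_000, confidence: float = 0.95, seed: int = 0) -> Dict[str, float]:
    """Run the same test budget under both samplers and check the bound against the true p."""
    bound = max_failure_prob(n_tests, confidence)
    true_p = true_failure_prob_uniform()
    return {
        "bound_if_zero_failures": bound,
        "true_p_uniform_operation": true_p,
        "failures_expected_domain": count_failures(n_tests, expected_domain_sampler, seed),
        "failures_uniform": count_failures(n_tests, uniform_sampler, seed),
        # The bound is only justified when the tests came from the operational distribution.
        "bound_holds_for_true_p": true_p <= bound,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With 20,000 tests from the expected-domain sampler, zero failures are observed and the urn-model formula reports p <= roughly 1.5e-4 at 95% confidence; the true per-demand failure probability under uniform operational use is 9e-4, so the bound is simply false. The same 20,000 tests drawn uniformly do hit the corner (about 18 times on average), and the urn model then estimates p correctly. Which tester reached into the corner, not how many balls were drawn, decides whether the 302-year-old math applies.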

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:07 CEST