Building dependable software for critical applications: multi-version software versus one good version

An increasing range of industries have a growing dependence on software based systems, many of which are safety-critical, real-time applications that require extremely high dependability. Multi-version programming has been proposed as a method for increasing the overall dependability of such systems. We describe an experiment to establish whether or not the multi-version method can offer increased dependability over the traditional single-version development approach when given the same level of resources. Three programs were developed independently to control a real-time, safety-critical system, and were put together to form a decentralized multi-version system. Three functionally equivalent single-version systems. were also implemented, each using the same amount of development resources as the combined resources of the multi-version system. The analytic results from this experiment show that 1) a single-version system is much more dependable than any individual version of the multi-version system, and 2) despite the poor quality of individual versions, the multi-version method still results in a safer system than the single-version solution. It is evident that regarding the single-version method as a "seem-to-be" safer design decision for critical applications is not generally justifiable. We conclude by describing plans for a follow up study based on our initial findings