Trivariate Bernoulli distribution with application to software fault tolerance

Abstract

The widespread reliance on software for mission and life critical applications makes the reliability of these systems essential. Techniques such as fault tolerance have been proposed to achieve the highest levels of software reliability. However, the fault tolerance paradigm suffers from the risk of correlated failures, where a majority of the software versions fail on the same input leading to system failure. This paper derives a trivariate Bernoulli distribution to quantify the negative impact of correlated failures on the reliability of fault tolerant software composed of highly reliable versions. An experiment based on early empirical research demonstrates the capacity of the distribution to conduct reliability assessment for many combinations of the version reliabilities and correlations. The results indicate that correlated failures detract from system reliability, but that this reliability is often higher than a system composed of the single most reliable version.

Appendices

Appendix

Proof of Theorem 1

Without loss of generality, let \( p_{1}> p_{2}> p_{3}\). It follows directly from Eqs. (16) and (21) that \(\alpha _{1,1}<\alpha _{2,2}<\alpha _{3,3}\) and that

$$\begin{aligned} \alpha _{i,j}<\alpha _{i,i} \,\mathtt{and }\, \alpha _{i,j}<\alpha _{j,j},\quad \forall i,j. \end{aligned}$$

(22)

These inequalities reduce the number of cases to the eight given in Table 1. The first six correspond to permutations of \(\alpha _{1,2}, \alpha _{1,3}\), and \(\alpha _{2,3}\) followed by \(\alpha _{1,1}<\alpha _{2,2}<\alpha _{3,3}\). In the other two cases, \(\alpha _{1,1}<a_{2,3}\) and the beginning of the sequence is \(\alpha _{1,2}<\alpha _{1,3}\) or \(\alpha _{1,3}<\alpha _{1,2}\). The proof of Case I where,

$$\begin{aligned} \alpha _{1,2}<\alpha _{1,3}<\alpha _{2,3}<\alpha _{1,1}<\alpha _{2,2}<\alpha _{3,3} \end{aligned}$$

(23)

proceeds as follows.

Proof

Using the algorithm of (Park et al. 1996), write the initial \(\alpha _{i,j}\) in matrix form as

$$\begin{aligned} \varvec{\alpha }(0)=\left( \begin{array}{c@{\quad }c@{\quad }c} \alpha _{1,1} &{} \alpha _{1,2} &{} \alpha _{1,3} \\ &{} \alpha _{2,2} &{} \alpha _{2,3} \\ &{} &{} \alpha _{3,3} \\ \end{array}\right) \!. \end{aligned}$$

(24)

We know from Eq. (23) that \(\alpha _{1,2}\) is the minimum element, so we subtract it from each entry of Eq. (24), producing

$$\begin{aligned} \varvec{\alpha }(1)=\left( \begin{array}{c@{\quad }c@{\quad }c} (\alpha _{1,1}-\alpha _{1,2}) &{} 0 &{} (\alpha _{1,3}-\alpha _{1,2}) \\ &{} (\alpha _{2,2}-\alpha _{1,2}) &{} (\alpha _{2,3}-\alpha _{1,2}) \\ &{} &{} (\alpha _{3,3}-\alpha _{1,2}) \\ \end{array} \right) \!. \end{aligned}$$

(25)

Subtracting, \(\alpha _{1,2}\) preserves the order of the nonzero entries in Eq. (25), so that \((\alpha _{1,3}-\alpha _{1,2})<(\alpha _{2,3} -\alpha _{1,2})<(\alpha _{1,1}-\alpha _{1,2}) <(\alpha _{2,2}-\alpha _{1,2})<(\alpha _{3,3}-\alpha _{1,2})\), which implies that the entry \((\alpha _{1,3}-\alpha _{1,2})\) in position \(\alpha _{1,3}(1)\), is the smallest value remaining. Thus, we subtract \((\alpha _{1,3}-\alpha _{1,2})\) from \(\alpha _{1,1}(1), \alpha _{1,3}(1)\), and \(\alpha _{3,3}(1)\), producing

$$\begin{aligned} \varvec{\alpha }(2)=\left( \begin{array}{c@{\quad }c@{\quad }c} (\alpha _{1,1}-\alpha _{1,3}) &{} 0 &{} 0 \\ &{} (\alpha _{2,2}-\alpha _{1,2}) &{} (\alpha _{2,3}-\alpha _{1,2}) \\ &{} &{} (\alpha _{3,3}-\alpha _{1,3}) \\ \end{array} \right) \!. \end{aligned}$$

(26)

The algorithm (Park et al. 1996) requires that all off diagonal elements \(\alpha _{i,j}, i< j\), be eliminated before the elements \(\alpha _{i,i}\) on the diagonal to successfully encode the correlations. Because \((\alpha _{2,3}-\alpha _{1,2})<(\alpha _{2,2}-\alpha _{1,2})\) from the initial ordering the only requirement is that \((\alpha _{2,3}-\alpha _{1,2})<(\alpha _{3,3}-\alpha _{1,3})\), which is equivalent to

$$\begin{aligned}&= (\alpha _{2,3}+\alpha _{1,3}-\alpha _{1,2})<\alpha _{3,3}\nonumber \\&= \exp (\alpha _{2,3}+\alpha _{1,3}-\alpha _{1,2})<\exp (\alpha _{3,3})\nonumber \\&= \frac{\beta _{2,3}\beta _{1,3}}{\beta _{1,2}}<\frac{1}{ p_{3}}\nonumber \\&= p_{3}<\frac{\beta _{1,2}}{\beta _{1,3}\beta _{2,3}}=\frac{\beta _{1,2}^{2}}{\prod _{i<j}\beta _{i,j}}. \end{aligned}$$

(27)

Repeating this derivation process for each of the eight cases given in Table 1, reveals that the term in the numerator on the right-hand side of Eq. (27) is the smallest \(\beta _{i,j}\) of the initial sequence, \(\beta _{i,j}^{(1)}\). Note that the denominator of Eq. (27) has been rewritten as a product series to avoid enumerating the three specific forms of the denominator that occur when the numerator is \(\beta _{1,2}, \beta _{1,3}\), or \(\beta _{2,3}\). It also follows that for each of the eight cases, the subscript of \(p\) in Eq. (27), is equal to the third variable index \(k\) not appearing in \(\beta _{i,j}^{(1)}\). These two generalizations lead to the bound provided in Eq. (17).

To complete the proof, assume that Eq. (27) is satisfied and subtract \((\alpha _{2,3}-\alpha _{1,2})\) from \(\alpha _{2,2}(2), \alpha _{2,3}(2)\), and \(\alpha _{3,3}(2)\), producing

$$\begin{aligned} \varvec{\alpha }(3)=\left( \begin{array}{c@{\quad }c@{\quad }c} (\alpha _{1,1}-\alpha _{1,3}) &{} 0 &{} 0 \\ &{} (\alpha _{2,2}-\alpha _{2,3}) &{} 0 \\ &{} &{} (\alpha _{3,3}+\alpha _{1,2}\\ &{} &{} -\alpha _{2,3}-\alpha _{1,3}) \end{array} \right) \!. \end{aligned}$$

(28)

Now the on-diagonal elements can be eliminated in isolation, so do this in the order \(\alpha _{1,1}(3), \alpha _{2,2}(3), \alpha _{3,3}(3)\).

Table 3 shows the symbolic value subtracted in each iteration. These values are the rate parameters of independent Poisson random variables \(Y_{l}, 1\le l\le 6\). The sets indicate the subset of correlated Bernoulli variables to which these independent Poisson variables belong.

Thus, the expressions for the success of the three correlated Bernoulli variables are

$$\begin{aligned} Z_{1}&= I_{\{0\}}\left( Y_{1}+Y_{2}+Y_{4}\right) \\ Z_{2}&= I_{\{0\}}\left( Y_{1}+Y_{3}+Y_{5}\right) \\ Z_{3}&= I_{\{0\}}\left( Y_{1}+Y_{2}+Y_{3}+Y_{6}\right) \end{aligned}$$

Here, the indicator function \(I_{\{0\}}(.)=1\) if the sum of the outcomes of \(Y_{l}\) in \(Z_{i}\) equals zero. Hence \(Z_{1}=1\) if and only if \(Y_{1}=Y_{2}=Y_{4}=0, Z_{2}=1\) if and only if \(Y_{1}=Y_{3}=Y_{5}=0\), while \(Z_{3}=1\) if and only if \(Y_{1}=Y_{2}=Y_{3}=Y_{6}=0\). Table 4 shows the probability that variable \(Y_{l}=0\), which is defined as \(m_{l}:=Pr\{Y_{l}=0\}=\exp (-\lambda _{l})\).

The only outcome that contributes to the correlated outcome \(E[Z_{1}Z_{2}Z_{3}]\), where all three experiments are successful is the uncorrelated outcome where all six independent Poisson variables are zero. Thus, the probability of this outcome is

$$\begin{aligned} E[Z_{1}Z_{2}Z_{3}]&= \textstyle {\prod \limits _{i=1}^{6}}m_{i}\nonumber \\&= \frac{1}{\beta _{1,2}}\times \frac{\beta _{1,2}}{\beta _{1,3}}\times \frac{\beta _{1,2}}{\beta _{2,3}}\nonumber \\&\quad \times \, p_{1}\beta _{1,3}\times p_{2}\beta _{2,3}\times \frac{ p_{3}\beta _{1,3}\beta _{2,3}}{\beta _{1,2}}\nonumber \\&= p_{1} p_{2} p_{3}\beta _{1,3}\beta _{2,3}\nonumber \\&= \frac{\prod _{i=1}^{3} p_{i}\prod _{i<j}\beta _{i,j}}{\beta _{1,2}}. \end{aligned}$$

(29)

The remaining seven outcomes are easily obtained from Eqs. (29) and (12), with expectations. For example,

$$\begin{aligned} E[Z_{1}Z_{2}\overline{Z}_{3}]&= E[Z_{1}Z_{2}-Z_{1}Z_{2}Z_{3}]\nonumber \\&= p_{1} p_{2}\beta _{1,2}-\frac{\prod _{i=1}^{3} p_{i}\prod _{i<j}\beta _{i,j}}{\beta _{1,2}}, \end{aligned}$$

(30)

and the cases \(E[Z_{1}\overline{Z}_{2}Z_{3}]\) and \(E[\overline{Z}_{1}Z_{2}Z_{3}]\) are symmetric to Eq. (30). Similarly,

$$\begin{aligned} E[\overline{Z}_{1}\overline{Z}_{2}Z_{3}]&= E[Z_{3}]-E[Z_{1}Z_{3}]-E[Z_{2}Z_{3}]+E[Z_{1}Z_{2}Z_{3}]\nonumber \\&= p_{3}-p_{1}p_{3}\beta _{1,3}-p_{2}p_{3}\beta _{2,3}\nonumber \\&\quad +\,\frac{\prod _{i=1}^{3} p_{i}\prod _{i<j}\beta _{i,j}}{\beta _{1,2}}, \end{aligned}$$

(31)

and the cases \(E[Z_{1}\overline{Z}_{2}\overline{Z}_{3}]\) and \(E[\overline{Z}_{1}Z_{2}\overline{Z}_{3}]\) are symmetric to Eq. (31). The final outcome where all three experiments result in failure is

$$\begin{aligned} E[\overline{Z}_{1}\overline{Z}_{2}\overline{Z}_{3}]&= 1-\sum _{i=1}^{3}E[Z_{i}]+\sum _{i<j}E[Z_{i}Z_{j}]-E[Z_{1}Z_{2}Z_{3}]\nonumber \\&= 1-\sum _{i=1}^{3} p_{i}+\sum _{i<j} p_{i} p_{j}\beta _{i,j}-\frac{\prod _{i=1}^{3} p_{i}\prod _{i<j}\beta _{i,j}}{\beta _{1,2}}. \end{aligned}$$

(32)

Repeating this derivation for Cases II–VIII, given in Table 1, reveals \(\beta ^{(1)}_{i,j}\) is the general form of the denominator in terms of the form \(\frac{\prod _{i=1}^{3} p_{i}\prod _{i<j}\beta _{i,j}}{\beta _{1,2}}\) in Eqs. (29)–(32). This completes the proof. \(\square \)

Table 3 Minimum and sets

Table 4 Poisson probabilities