The structure of the authors’ fault-tolerance model is based on the fact that failures in software execution have different origins. The specifications may contain faults, and the implementation of the separate variants of the software may contain faults, and these faults are not necessarily independent of each other. The paper uses this model to analyze two major approaches to software fault tolerance: recovery blocks (two alternates and an acceptance test) and N-version programming (three versions and a decider).

Program behavior is described as a state-transition model. In the model a state corresponds to the execution of a software block (alternate or test, version or decider, respectively), either in the “normal mode” or when a certain type of fault has been activated. The state transitions are determined by the various fault-activation probabilities.

The analysis produces two failure rates: the rate for detected failures of the system and the rate for catastrophic (non-detected) failures. The derivation of the results presents an interesting case in probabilistic modeling. It is easy to read and understand for anybody familiar with the basic probability theory.

A practitioner might raise questions about the fault-activation probabilities, however. It is hardly possible to get estimates of them in a real software production environment, and without these estimates the analysis remains qualitative.

The major contribution of the paper is in its way to model the behavior of some important fault-tolerant software systems. The analytical results also give some insight into the relative performance of various fault-tolerance methods.