On 10/16/11 2:24 PM, Nancy Leveson wrote:
> Also, I haven't read Rushby and Littlewood's paper, but I did read the
> abstract. So I may have missed something important. But what is the
> difference between this proposal and the classic "monitor" in the fault
> tolerance literature (from decades ago)? Is the difference in the
> mathematical analysis (which I haven't had time to review yet)?

Yes, that's my take on it. They can get the software to high levels of
reliability with high confidence by using the particular architecture.
The key phrase is "with high confidence".

PBL
Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
Received on Sun 16 Oct 2011 - 13:33:59 BST