
[Fwd: RE: MTBF for voting machines] part 2



As discussed on today's teleconference, I'm forwarding a discussion
between Herb Deutsch and myself regarding reliability.

This email contains the most recent part of the thread.  There is
another that I've already forwarded that contains the beginning and most
of the thread.


Stan Klein




-----Forwarded Message-----

> From: "Deutsch, Herb" <hdeutsch@essvote.com>
> To: 'Stanley A. Klein' <sklein@cpcug.org>
> Subject: RE: MTBF for voting machines
> Date: 08 Feb 2005 08:54:02 -0600
>
> Stan,
>
> I do agree with the two-tiered approach.  I've also had some conversation with
> Ian regarding this issue.  As you previously pointed out, anything that we
> use for numbers would be sort of arbitrary.  Ian also believes, and I have
> to agree, that any specified standard has to have testability in mind.
> Unfortunately we don't have any reliability subject matter experts in the
> group.  I'm going to contact NIST for some consultation on this.  This is an
> issue that I'm sure they deal with continuously.  I'll let you know what I
> find out.
>
> Herb
>
> -----Original Message-----
> From: Stanley A. Klein [mailto:sklein@cpcug.org]
> Sent: Sunday, February 06, 2005 7:37 PM
> To: Deutsch, Herb
> Subject: RE: MTBF for voting machines
>
>
> Herb -
>
> Here is a possible approach to think about:
>
> 1.  The number of cast vote records unrecoverably lost or altered as a
> result of machine malfunction shall be less than 1 in N ballots cast,
> where N is something like a million.
>
> (Note this recognizes that inaccuracy is not the same as malfunction,
> which is defined as in the current spec.  Also, paper tabulation is
> inherently recoverable, as long as the malfunction doesn't destroy and
> obliterate the paper.)
>
> 2.  For systems that either only tabulate, or record and provide either
> a voter-verified paper audit trail, or a voter-verified duplicate
> electronic CVR held in a separate, completely independent electronic
> system, the MTBF is 1500 hours for each electronic system.  Component
> reliability testing, a failure mode analysis, and a documented and
> tested CVR recovery procedure must demonstrate that the cast vote record
> reliability requirement is achieved.
>
> 3.  For electronic systems that record votes, do not provide a
> voter-verified paper audit trail, and have only a single electronic
> system, the MTBF is 15000 hours.  Component reliability testing, a
> failure mode analysis, and a documented and tested CVR recovery
> procedure must demonstrate that the cast vote record reliability
> requirement is achieved.
>
> 4.  For ballot preparation systems that neither tabulate nor record
> votes, the MTBF is 1500 hours.
>
> (This is intended to cover EBP, EBM, and EAMBM systems.)
>
> The critical requirement is the CVR reliability requirement.  In all
> cases the MTBF now turns out to be just a baseline that protects against
> faulty demonstration that the CVR reliability requirement is being met.
> I'm sure there is some MIL Spec (188 ?) that covers the component
> testing and the failure mode analysis.  I know we want to get away from
> MIL Specs but I think we have one if there is no equivalent commercial
> spec.
>
> How does this look?
>
>
> Stan
--
Stanley A. Klein <sklein@cpcug.org>
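As an added illustration (not part of the thread above), the following model works through Stan's two-tier proposal: it converts each tier's MTBF into expected malfunctions per election, applies an assumed fraction of malfunctions that leave cast vote records unrecoverable, and checks the result against the "1 in N ballots cast" requirement. The constant failure rate, the 15-hour duty day, the ballots per machine and the per-tier unrecoverable fractions are all assumptions made for the example.

```python
# Added example (not from the thread): a simple reliability model for the
# two-tier proposal. Assumptions: constant failure rate (1/MTBF), a fixed
# number of duty hours per machine per election, and an assumed per-tier
# share of malfunctions that destroy the cast vote records (CVRs).
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    mtbf_hours: float        # MTBF figure proposed in the thread
    p_unrecoverable: float   # assumed share of malfunctions that destroy CVRs


def expected_failures(mtbf_hours: float, duty_hours: float) -> float:
    """Expected malfunctions per machine over one election (duty_hours / MTBF)."""
    return duty_hours / mtbf_hours


def cvr_loss_rate(tier: Tier, duty_hours: float,
                  ballots_per_machine: int, records_at_risk: int) -> float:
    """Expected unrecoverably lost CVRs per ballot cast; records_at_risk is how
    many CVRs one malfunction can take with it (worst case: all on the machine)."""
    lost = (expected_failures(tier.mtbf_hours, duty_hours)
            * tier.p_unrecoverable * records_at_risk)
    return lost / ballots_per_machine


def meets_cvr_requirement(loss_rate: float, n: int) -> bool:
    """Requirement 1 in the thread: fewer than 1 lost CVR in N ballots cast."""
    return loss_rate < 1.0 / n


def mtbf_needed(duty_hours: float, p_unrecoverable: float,
                ballots_per_machine: int, records_at_risk: int, n: int) -> float:
    """Smallest MTBF at which this model meets 1-in-N with no other controls."""
    return duty_hours * p_unrecoverable * records_at_risk * n / ballots_per_machine


if __name__ == "__main__":
    # Constructed inputs: 15-hour election day, 400 ballots per machine, N = 1e6.
    DUTY, BALLOTS, N = 15.0, 400, 1_000_000
    paper = Tier("tabulate / VVPAT / duplicate CVR", 1500, 0.01)  # p assumed
    single = Tier("single electronic system, no VVPAT", 15000, 1.0)
    for t in (paper, single):
        rate = cvr_loss_rate(t, DUTY, BALLOTS, BALLOTS)
        need = mtbf_needed(DUTY, t.p_unrecoverable, BALLOTS, BALLOTS, N)
        print(f"{t.name}: about 1 lost CVR in {1 / rate:,.0f} ballots; "
              f"meets 1 in {N:,}: {meets_cvr_requirement(rate, N)}; "
              f"MTBF needed on this model alone: {need:,.0f} h")
```

Under these assumptions neither MTBF figure reaches 1 in a million on its own, which is the point made in the thread: the MTBF is a baseline, and the component testing, failure mode analysis and tested CVR recovery procedure are what have to carry the CVR requirement.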