The infeasibility of quantifying the reliability of life-critical real-time software

Butler, Ricky W.; Finelli, George B.

doi:10.1109/32.210303

Cited by 322 publications

(159 citation statements)

References 11 publications

Supporting

Mentioning

154

Contrasting

Unclassified

Order By: Relevance

“…Even though these requirements exist, it is beyond the current state of the art to demonstrate these failure rates [Littlewood and Strigini, 1993;Butler and Finelli, 1993;Shimeall and Leveson, 19911. [Littlewood, 19911 and [Musa et al, 19871 have shown that current techniques are capable of demonstrating failure rates of 10-4 per hour (to high confidence levels) by testing.…”

Section: -24mentioning

confidence: 99%

“…'There is no meaningful metric in which small changes and small effects go hand in hand, and there never will be" [Dijkstra, 19891. Furthermore, many problems with developing software arise from its inherent complexity and the nonlinear increase in complexity with size. "From the complexity comes the difficulty of enumerating, much less understanding, all the possible states of the program, and from that comes the unreliability" [Brooks, 19871. Based on a great deal of research completed on software-based systems in normal environments, it appears that deterministic evaluation of such complex systems is currently an intractable problem [Littlewood and Stringini, 1992;Butler and Finelli, 1993;Bennett, 1991;Zucconi, 1991;Lavine, 1990; ; s m 9 3 -2 2 101.…”

Section: Nature Of Available Technical Basis and Safety Rationalementioning

confidence: 99%

See 1 more Smart Citation

High integrity software for nuclear power plants: Candidate guidelines, technical basis and research needs. Main report, Volume 2

Seth¹,

Bail²,

Cleaves³

et al. 1995

View full text Add to dashboard Cite

Section: -24mentioning

confidence: 99%

Section: Nature Of Available Technical Basis and Safety Rationalementioning

confidence: 99%

High integrity software for nuclear power plants: Candidate guidelines, technical basis and research needs. Main report, Volume 2

Seth¹,

Bail²,

Cleaves³

et al. 1995

View full text Add to dashboard Cite

“…A design error causing a system to have a higher rate of failure-say a failure rate of 10 −8 per hour-is unacceptable, yet it is infeasible to determine whether a system has this reliability through testing alone [6]. The inability to demonstrate correctness through testing motivates us to prove these systems are correct.…”

Section: Introductionmentioning

confidence: 99%

Modeling Time-Triggered Protocols and Verifying Their Real-Time Schedules

Pike¹

2007

Formal Methods in Computer Aided Design (FMCAD'07)

View full text Add to dashboard Cite

Time-triggered systems are distributed systems in which the nodes are independently-clocked but maintain synchrony with one another. Time-triggered protocols depend on the synchrony assumption the underlying system provides, and the protocols are often formally verified in an untimed or synchronous model based on this assumption. An untimed model is simpler than a real-time model, but it abstracts away timing assumptions that must hold for the model to be valid. In the first part of this paper, we extend previous work by Rushby [1] to prove, using mechanical theorem-proving, that for an arbitrary time-triggered protocol, its real-time implementation satisfies its untimed specification. The second part of this paper shows how the combination of a bounded model-checker and a satisfiability modulo theories (SMT) solver can be used to prove that the timing characteristics of a hardware realization of a protocol satisfy the assumptions of the time-triggered model. The upshot is a formally-verified connection between the untimed specification and the hardware realization of a timetriggered protocol with respect to its timing parameters.

show abstract

“…For instance, if we had 90% confidence that an item of avionic software has no faults such as to cause catastrophic failure, this by itself satisfies the regulatory requirement that catastrophic failures due to this equipment be "not anticipated to occur during the entire operational life of all airplanes of one type", "usually expressed" as "probability on the order of 10 −9 or less" per flight-hour [6] (the often-quoted "10 −9 " requirement which has been forcefully argued to be infeasible to demonstrate statistically [1,7]). Yet, the possibility that, in the unlikely (10% probability) case of faults being present, such faults cause a high probability (say 1%) of failure per flight, would probably seem unacceptable: some evidence would be required that even if faults are present the pfd would still be low.…”

Section: Introductionmentioning

confidence: 99%

Software Fault-Freeness and Reliability Predictions

Strigini

Povyakalo

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many software development practices aim at ensuring that software is correct, or fault-free. In safety critical applications, requirements are in terms of probabilities of certain behaviours, e.g. as associated to the Safety Integrity Levels of IEC 61508. The two forms of reasoning -about evidence of correctness and about probabilities of certain failures -are rarely brought together explicitly. The desirability of using claims of correctness has been argued by many authors, but not been taken up in practice. We address how to combine evidence concerning probability of failure together with evidence pertaining to likelihood of fault-freeness, in a Bayesian framework. We present novel results to make this approach practical, by guaranteeing reliability predictions that are conservative (err on the side of pessimism), despite the difficulty of stating prior probability distributions for reliability parameters. This approach seems suitable for practical application to assessment of certain classes of safety critical systems.

show abstract

The infeasibility of quantifying the reliability of life-critical real-time software

Cited by 322 publications

References 11 publications

High integrity software for nuclear power plants: Candidate guidelines, technical basis and research needs. Main report, Volume 2

High integrity software for nuclear power plants: Candidate guidelines, technical basis and research needs. Main report, Volume 2

Modeling Time-Triggered Protocols and Verifying Their Real-Time Schedules

Software Fault-Freeness and Reliability Predictions

Contact Info

Product

Resources

About