![Page 1: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/1.jpg)
Evaluation of Safety Evaluation of Safety Critical SoftwareCritical Software
-- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan
-- June 1990
Presented By Zhuojing Li
![Page 2: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/2.jpg)
OutlineOutline
• Overview• Why is Software a Special Concern• Why is software used• How is software different from other controllers• Software testing concerns• Software review concerns• Modular structure• Reliability assessment• Conclusions
![Page 3: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/3.jpg)
OverviewOverview
• Can we trust software?• The authors present some important
questions.
![Page 4: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/4.jpg)
Why is Software a special Why is Software a special concern?concern?
• Software systems do not work well until they have been used and have failed repeatedly
• Errors are more common, and more troublesome
• Can be used in safety- critical applications.– Example: Military and civilian aircraft, nuclear
plants, medical devices
![Page 5: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/5.jpg)
Why is software used?Why is software used?
• More logic• Easier to change• More flexible
![Page 6: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/6.jpg)
How are software controllers How are software controllers like other controllerslike other controllers
• Similarities: Both can be described as black box mathematical models.
![Page 7: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/7.jpg)
How is software different from How is software different from other controller technologiesother controller technologies
• More complex• More error sensitive
– For example: sensitive to small errors– Conventional engineering is tolerant
• Harder to test• Has correlated failures• Lack of Professional standards
![Page 8: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/8.jpg)
Software testing concernsSoftware testing concernsCannot test software for correctness:
Testing can show the presence of bugs but it can not show that software is free of design errors.
Difficult to make prediction of software reliability and availability:
Impractical to measure the trustworthiness of software
Need for an independent agency
![Page 9: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/9.jpg)
Software review concernsSoftware review concerns• 1st question: Why is reviewability a
particular concern for software?– Each programmer has his/her own style.– Software structure and documentation
were dismissed.– There is problem of clarity
![Page 10: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/10.jpg)
Software review concernsSoftware review concerns2nd question: what reviews are
needed? Correct intended functions.Maintainable, understandable , well
documented structures.Each module to verify the algorithm and
data structure design.Code for consistency with the algorithm
and data structure design.Test completeness.
![Page 11: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/11.jpg)
Software review concernsSoftware review concerns• 3rd question: What documentation is
required to review the functional requirements?
• Description should use the mathematics of
control systems.
![Page 12: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/12.jpg)
Software review concernsSoftware review concerns• 4th question: What documentation is
required to review the software structure?
Three types of documents are required.Requirement specification Informal documents:
Describing the responsibilities of each modules.
Module specification: Provides black box description of each modules
![Page 13: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/13.jpg)
Software review concernsSoftware review concerns5th question: What documentation is
required to review the module’s internal design?
• Description of the data structures that will be used.
• Description of the program functions and abstraction functions.
• Programs that cannot be described on a single page must be presented in a layered way.
![Page 14: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/14.jpg)
Software review concernsSoftware review concerns6th question: What documentation is
required to review the code?
Examine the correctness between the algorithms and the actual code
No need to examine the global design of the system
![Page 15: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/15.jpg)
Software review concernsSoftware review concerns
• 7th question: What documentation is required to review the test plan?
-Reviewed by specialists, who compare it with requirement specification
![Page 16: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/16.jpg)
Software review concernsSoftware review concerns
• 8th question: Why is configuration management essential for rigorous reviews?– Complexity of software, and tremendous
amount of documents.
![Page 17: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/17.jpg)
Software review concernsSoftware review concernsSolution for 8th question:• Use online documentation instead of paper
copies of the documents.• Changes in the documentation should be
notified by the computer system to all persons who have used the affected document.
• Online versions must be kept under strict control.
![Page 18: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/18.jpg)
Modular structureModular structure• Information Hiding• Object-oriented programming• Separation of Concerns• Encapsulation• Data Abstraction Principle: increase “cohesion” and
reduce “coupling”
![Page 19: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/19.jpg)
Reliability Assessment forReliability Assessment forsafety–critical softwaresafety–critical software
• All software failures would be predictable if we fully understand the software
![Page 20: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/20.jpg)
Reliability Assessment forReliability Assessment forsafety–critical softwaresafety–critical software
• Software Measurements– Reliability:
• Probability of not encountering a sequence of inputs that leads to failure.
– Availability: • Fraction of time that the system is running and a
ssumed to be ready to function.
![Page 21: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/21.jpg)
Reliability Assessment forReliability Assessment forsafety–critical softwaresafety–critical software
• We cannot predict a software failure rate from failure rates for individual lines or subprograms
• The finite state machine model help us to determine the number of tests.
![Page 22: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/22.jpg)
Reliability Assessment forReliability Assessment forsafety–critical softwaresafety–critical software
• Use of hypothesis testing:
(1-1/h)N= M
1/h: the probability of failure in a testN: randomly selected tests
M: the probability that an unacceptable product
would pass our test.
![Page 23: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/23.jpg)
Reliability Assessment forReliability Assessment forsafety–critical softwaresafety–critical software
• Three classes of program:– For memoryless batch program, use a
randomly selected set of input data. – For a batch program with memory, a
test is selected by choosing both input data and an internal state.
– For real time system, use a multidimensional trajectory.
![Page 24: Evaluation of Safety Critical Software -- David L. Parnas, -- A. John van Schouwen, -- Shu Po Kwan -- June 1990 Presented By Zhuojing Li](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649e2f5503460f94b20004/html5/thumbnails/24.jpg)
ConclusionsConclusions• Software can be used in certain safety-
critical applications, but extreme discipline in design, documentation, testing and review is needed.
• Operating conditions and requirements should be well understood and fully documented
the end