Toward dependable safety-critical software

The failure of safety critical systems can result in catastrophic loss of life and property. Hence, it is necessary to assure the reliability of these systems to a high degree of confidence before they are put into operational use. However, at these extreme levels of ultra high reliability requirements, errors in the specification and in estimates of the operational profile become significant factors. An approach that has been suggested is to use secondary and tertiary software that meet ultra high reliability requirements but at a reduced functionality as compared with the primary software. Two major problems are: how to select appropriate functionality for the non primary versions; and how to determine when to invoke these backup versions. We present a unified approach for handling these two problems. It starts with a rigorous method for assessing ultra high reliability requirements and then develops mechanisms for incorporating one of more backup versions. The reliability assessment procedure uses formal methods to amplify the effect of each test case and results in the construction of a reliability MAP (Measured Assurance Prediction system) for the software. This provides a confidence estimate for the correctness of the software for a given operational situation and serves as a trigger for switching to a backup version. The main requirement is that the MAP for the backup version must be known to a higher degree of confidence than that for the original version. The approach is illustrated using a simple process control example