The failure of safety-critical systems can result in catastrophic loss of life and property. Hence, it is necessary to assure the reliability of these systems to a high degree of confidence before they are put into operational use. However, at these extreme levels of ultra-high reliability requirements, typically failures rates of less than 10 \Gamma7 failures per hour, errors in the specification and in estimates of the operational profile become significant factors. An approach that has been suggested in practice is to use secondary and tertiary software that meet ultra-high reliability requirements but at a reduced functionality as compared with the primary software. Two major problems are (a) how to select appropriate functionality for the non-primary versions and (b) how to determine when to invoke these backup versions. In this paper, we present a unified approach for handling these two problems. It starts with a rigorous method for assessing ultra-high reliability requirements...

In the statistical sampling method, as in any other statistical approaches for measuring software reliability, the inputs to the program are chosen according to the estimated probability with which they occur in field use, forming the operational profile. However, in practice it is very difficult to accurately assess the operational distribution of input points. Furthermore, a variety of factors can cause the operational distribution to change during field use making the estimation even more difficult. Musa has suggested that reducing the size of the input domain simplifies the task of determining operational profiles. In this paper, we present a class of techniques that reduce the dimensionality of input domains and describe their application. These techniques do not limit the functionality or change the input-output behavior of the program. An additional benefit of these techniques is the insensitivity of the reliability estimate to variations in the operational profile of variables ...

The statistical sampling method is a theoretically sound approach for measuring the reliability of safety-critical software, such as control systems for nuclear power plants, aircrafts, space vehicles, etc. It has, however, some practical drawbacks, two of which are the large number of test cases needed to attain a reasonable confidence in the reliability estimate and the sensitivity of the reliability estimate to variations in the operational profile. One way of dealing with both of these issues is to combine statistical sampling with formal methods and attempt to verify complete program paths. This combination becomes especially effective if high usage paths are verified. However, the verification of complete paths is difficult to perform in practice and viable only when there is a high confidence in the correctness of the specification. In this paper we identify program transformations and partial proofs which have a measurable impact on the reliability assessment procedure. These m...

Software reliability is becoming the dominant concern in software development. This particularly holds for the development of safety-critical control systems. Any failure of these systems can result in catastrophic loss of life and property. Hence, it is essential to ensure with a high degree of confidence that these systems meet their reliability requirements prior to deploying them in the field. In this paper, we present a unified approach to the development, reliability assessment and run-time safety enhancement of process-control systems. Evolutionary program design facilitates incremental construction of software reliability MAP (Measured Assurance Prediction). MAP confidence estimates are used as run-time triggers for switching to a reduced capability backup version. The backup version is invoked if its MAP provides a higher degree of confidence in correctness than that for the primary version of the software. 1 Introduction Very few computer users have escaped problems related...

This Report includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate this Report. This restriction does not limit the right of the Government to use information contained in this Report if it is proprietary data contained herein, if obtained from another source without restriction. The data subject to this restriction are contained in all sheets of this Report. The proprietary data contained herein, if disclosed to the public, would affect ISR’s competitive position in obtaining business; therefore, it is considered to be exempt from public release under the Freedom of Information Act (5 USC §552, as amended), paragraph (b)(4). IVVNN-LITREV-F002-UNCLASS-111202