Safety Demonstration and Software Development

The paper reports on a study conducted for RATP, the utility organisation for public transportation in Paris and its region. Since the mid eighties, RATP has developed a mathematically formal approach to the development of safety-critical software, based on the B method. The question raised, in the context of evolutions in software development, was: is it possible to demonstrate the same level of safety without resorting to mathematically formal approaches? In order to respond to this question, several steps were considered: 1) recalling the infeasibility of quantifying the reliability of safety-critical software, and its consequences for the development process and for the system vision; 2) situating the current RATP approach with respect to other safety-critical domains; 3) examining and comparing alternative approaches to developing safety-critical software; 4) coming back to the RATP approach in order to examine its underlying assumptions. The conclusion was the recommendation to pursue the mathematically formal development approach.
