Towards a unified approach to the representation of, and reasoning with, probabilistic risk information about software and its system interface

Early risk assessment is key in planning the development of systems, including systems that involve software. Such risk assessment needs a combination of the following elements: 1) severity estimates for the potential effects of failures, and likelihood estimates for their causes; 2) fault trees that link causes to failures; 3) efficacy estimates of design and process steps towards reducing risk; 4) distinctions between preventing, alleviating and detecting (and thereafter removing) risks; 5) risk preventions that may themselves introduce risks as side effects. The paper shows a unified approach that accommodates all these elements. The approach combines fault trees (from probabilistic risk assessment methods) with explicit treatment of risk mitigations (a generalization of the notion of a "detection" seen in FMECA analyses). Fault trees capture the causal relationships by which failure mechanisms may combine to lead to failure modes. Risk mitigations encompass (and distinguish among) options to prevent risks, detect risks, and alleviate risks (i.e., decrease their impact should they occur). This approach has been embodied in extensions to a JPL-developed risk assessment tool, and is illustrated here on software risk assessment information drawn from an actual project's software system FMECA (failure modes, effects and criticality analysis). Since its elements are typical of risk assessment of software and its system interface, the findings should be relevant to a wide range of software systems.
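The following is an added illustration of the five elements listed above, not code from the paper or from the JPL tool it extends. The fault tree, the failure mode, the likelihoods and the mitigations are constructed sample values, and the mitigation semantics are assumptions for this example: a prevention scales down the likelihood of the cause it targets, a detection scales down the chance the failure mode escapes, an alleviation scales down severity, and a prevention's side effect is added as a new risk of its own.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Node:                          # fault-tree node: basic event or AND/OR gate
    name: str
    gate: str = "basic"              # "basic", "and" or "or"
    likelihood: float = 0.0          # used only for basic events (failure mechanisms)
    children: list = field(default_factory=list)

@dataclass
class Mitigation:                    # one of the three kinds the abstract distinguishes
    kind: str                        # "prevent", "detect" or "alleviate"
    target: str                      # basic-event name for "prevent"; the failure mode otherwise
    efficacy: float                  # fraction of the targeted quantity removed, 0..1
    side_effect: tuple = None        # (likelihood, severity) of a new risk it introduces

def probability(node: Node, prevent: dict) -> float:
    """P(node occurs); prevention mitigations scale down the causes they target.
    Children are treated as independent (standard fault-tree gate algebra)."""
    if node.gate == "basic":
        return node.likelihood * (1.0 - prevent.get(node.name, 0.0))
    ps = [probability(c, prevent) for c in node.children]
    if node.gate == "and":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)      # OR gate

def expected_loss(mode: Node, severity: float, mitigations: list) -> float:
    """Severity-weighted likelihood of the failure mode after mitigations, plus the
    risk that mitigation side effects introduce (modelling assumption, see lead-in)."""
    prevent = {}
    for m in (m for m in mitigations if m.kind == "prevent"):   # combine like independent layers
        prevent[m.target] = 1.0 - (1.0 - prevent.get(m.target, 0.0)) * (1.0 - m.efficacy)
    escape = math.prod(1.0 - m.efficacy for m in mitigations if m.kind == "detect")
    impact = math.prod(1.0 - m.efficacy for m in mitigations if m.kind == "alleviate")
    loss = severity * impact * probability(mode, prevent) * escape
    return loss + sum(m.side_effect[0] * m.side_effect[1] for m in mitigations if m.side_effect)
# Constructed sample (not the paper's project data): one software failure mode.
ABORT = Node("command sequence aborts", "or", children=[
    Node("uplink corrupted", likelihood=0.02),
    Node("timer and watchdog", "and", children=[
        Node("timer overflow", likelihood=0.05), Node("watchdog disabled", likelihood=0.10)])])
MITIGATIONS = [
    Mitigation("prevent", "uplink corrupted", 0.5),                             # CRC on uplink
    Mitigation("prevent", "watchdog disabled", 0.9, side_effect=(0.01, 20.0)),  # may reset spuriously
    Mitigation("detect", ABORT.name, 0.8),                                      # sequence monitor
    Mitigation("alleviate", ABORT.name, 0.25)]                                  # safe-mode fallback

def example(severity: float = 100.0) -> tuple:   # (loss with no mitigations, loss with MITIGATIONS)
    return expected_loss(ABORT, severity, []), expected_loss(ABORT, severity, MITIGATIONS)
```

Running `example()` shows the expected loss falling from 2.49 to about 0.357, of which 0.2 is the new risk introduced by the watchdog prevention's side effect.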
