On the probability of perfection of software-based systems

The probability of perfection has become of interest as its role in the reliability assessment of software-based systems has been recognised. It matters not only in its own right but also in the reliability assessment of 1-out-of-2 diverse systems. By "perfection" is meant that the software will never fail in a specified operating environment. If failures of a software system can occur if and only if it contains faults, then perfection is the same as the system being "fault-free". Such perfection is possible for sufficiently simple software. Perfection can never be certain, however, so the interest lies in claims about the probability of perfection. In this thesis, two different probabilities of perfection are first distinguished and discussed: an objective parameter characterising a property of a population, and a subjective confidence in the perfection of the specific software of interest. A conservative Bayesian method is then used to make claims about the probability of perfection from several types of evidence: failure-free testing evidence, process evidence and formal proof evidence. A notion of "quasi-perfection" is also introduced as a potentially useful way of covering some of the shortcomings of perfection models. A possible framework for incorporating the various models is discussed at the end. Two themes run through the thesis: tackling the failure-dependence problem in the reliability assessment of 1-out-of-2 diverse systems at both the aleatory and the epistemic level; and reducing the well-known difficulty of specifying complete Bayesian priors to reasoning with only partial priors. Both are addressed at the price of conservatism. In summary, the thesis provides three parallel sets of (quasi-)perfection models, each of which can be used on its own as a conservative end-to-end argument reasoning from various types of evidence to the reliability of a software-based system.
Although in some cases the models give very conservative results, some ways of dealing with this excessive conservatism are proposed. In other cases the very conservative results can serve as a warning to, or support for, safety engineers and regulators faced with claims based on reasoning that is less rigorous than the reasoning in this thesis.
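The following is an added worked example, not a model taken from the thesis, showing the shape of the "partial prior, conservative posterior" reasoning described above for the case of failure-free testing evidence. The model it assumes is stated in the module docstring: a constant probability of failure on demand X, "perfect" meaning X = 0, n failure-free demands as the evidence, and a partial prior consisting of only three numbers (theta, pi, eps) chosen for illustration. The functions `conservative_posterior_perfection`, `posterior_perfection_complete_prior` and `conservative_pfd_1oo2` and the numerical values are this example's own; the 1-out-of-2 bound additionally assumes independence between channel A's failure and channel B's perfection, which is precisely the kind of dependence assumption the thesis treats more carefully.

```python
"""Conservative Bayesian reasoning about the probability of perfection (worked example).

Assumed model, stated here rather than taken from the thesis:
  * A demand-based system has an unknown probability of failure on demand X.
    "Perfect" means X = 0; X is assumed constant over the n demands.
  * Evidence: n demands observed, none of which failed, so
    P(evidence | X = x) = (1 - x) ** n.
  * The assessor gives only a PARTIAL prior:
        P(X = 0)        = theta   (prior confidence in perfection)
        P(0 < X <= eps) = pi      (imperfect, but small pfd)
        P(X > eps)      = 1 - theta - pi
    and says nothing about how the imperfect mass is spread inside those ranges.
  * The conservative claim is the smallest posterior P(X = 0 | evidence)
    over every complete prior that satisfies those three constraints.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class PartialPrior:
    theta: float  # P(X = 0)
    pi: float     # P(0 < X <= eps)
    eps: float    # threshold separating "small" from "not small" pfd

    def __post_init__(self) -> None:
        if not 0.0 < self.theta < 1.0:
            raise ValueError("theta must be strictly between 0 and 1")
        if not 0.0 <= self.pi <= 1.0 - self.theta:
            raise ValueError("pi must lie in [0, 1 - theta]")
        if not 0.0 < self.eps < 1.0:
            raise ValueError("eps must be strictly between 0 and 1")


def failure_free_likelihood(x: float, n: int) -> float:
    """P(n failure-free demands | pfd = x) for a constant pfd x."""
    return (1.0 - x) ** n


def posterior_perfection_complete_prior(theta: float,
                                        imperfect_mass: Iterable[Tuple[float, float]],
                                        n: int) -> float:
    """Posterior P(X = 0 | n failure-free demands) for a COMPLETE discrete prior.

    imperfect_mass lists (x, mass) pairs with x > 0; theta + sum(mass) must be 1.
    """
    pts = list(imperfect_mass)
    total = theta + sum(m for _, m in pts)
    if abs(total - 1.0) > 1e-9 or any(x <= 0.0 for x, _ in pts):
        raise ValueError("prior must sum to 1 and imperfect points must have x > 0")
    evidence_if_imperfect = sum(m * failure_free_likelihood(x, n) for x, m in pts)
    return theta / (theta + evidence_if_imperfect)


def conservative_posterior_perfection(prior: PartialPrior, n: int) -> float:
    """Infimum of P(X = 0 | n failure-free demands) over all priors consistent
    with the partial prior.

    Bayes gives P(X=0 | n) = theta / (theta + E[(1-X)^n ; X > 0]).  The likelihood
    (1-x)^n decreases in x, so the denominator is largest (posterior smallest) when
    the mass pi is pushed towards x -> 0+ (likelihood -> 1) and the mass 1-theta-pi
    towards x -> eps+ (likelihood -> (1-eps)^n).  That worst case is returned.
    """
    worst_imperfect_evidence = (prior.pi * 1.0
                                + (1.0 - prior.theta - prior.pi)
                                * failure_free_likelihood(prior.eps, n))
    return prior.theta / (prior.theta + worst_imperfect_evidence)


def conservative_pfd_1oo2(pfd_a: float, p_perfect_b: float) -> float:
    """Conservative bound on the pfd of a 1-out-of-2 system in which channel A has a
    known pfd pfd_a and channel B is "possibly perfect" with P(B perfect) = p_perfect_b.

    The system fails only if both channels fail, and B can fail only if it is not
    perfect, so P(A fails and B fails) <= P(A fails and B imperfect).  ASSUMPTION for
    this example: whether B is perfect is independent of whether A fails on the
    demand, which turns that into pfd_a * (1 - p_perfect_b).  Dependence between
    channel failures is what the thesis treats more carefully; this is the simplest bound.
    """
    if not 0.0 <= pfd_a <= 1.0 or not 0.0 <= p_perfect_b <= 1.0:
        raise ValueError("probabilities must lie in [0, 1]")
    return pfd_a * (1.0 - p_perfect_b)


if __name__ == "__main__":
    # Constructed numbers for illustration, not results from the thesis.
    prior = PartialPrior(theta=0.01, pi=0.04, eps=1e-3)
    for n in (0, 1000, 10_000, 1_000_000):
        print(f"n={n:>9}: conservative P(perfect | evidence) = "
              f"{conservative_posterior_perfection(prior, n):.4f}")
    # The claim saturates at theta / (theta + pi) = 0.2: imperfect mass the assessor
    # left just above zero pfd can never be told apart from perfection by failure-free tests.
    print("1oo2 bound:", conservative_pfd_1oo2(pfd_a=1e-3, p_perfect_b=0.5))
```

The saturation visible in the loop is an instance of the excessive conservatism the abstract mentions: with mass pi left anywhere in (0, eps], no amount of failure-free testing can raise the conservative claim above theta / (theta + pi), because the worst-case prior puts that mass at a pfd indistinguishable from zero. Only a stronger partial prior (for instance pi = 0, i.e. "if it is imperfect its pfd exceeds eps") lets the claim grow with n, and even then the bound remains below what any complete prior consistent with the same constraints would give, as `posterior_perfection_complete_prior` shows.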
