50 citations found. Retrieving documents...
Parnas, D. L., van Schouwen, A. J. and Kwan, S. P., "Evaluation of Safety-Critical Software," Communications of the ACM, vol. 33, no. 6, pp. 636-648, June 1990.


This paper is cited in the following contexts:

First 50 documents

Assessment of the Java Programming Language for Use in.. - Kwon, Wellings, King (2002)   (Correct)

....the customised nature of their components. There are many general and sector specific standards produced to assist in building such important systems, for example, U.S. DO178B, and MISRA guidelines. Within high integrity systems, there has been a growing trend to use software, because it provides [25, 26, 38, 10] . improved functionality . increased flexibility in design and implementation . reduced production cost . enhanced management of complexity in application areas. Over the recent years, Java has proved to be an appropriate vehicle for a diverse range of applications including web based ....

D. L. Parnas, A. J. van Schouwen, and S. P. Kwan, Evaluation of Safety-Critical Software, Communications of the ACM, Vol. 33, No. 6, June 1990.


Predictable Memory Utilization in the Ravenscar-Java Profile - Kwon, Wellings, King (2003)   (1 citation)  (Correct)

....a direct impact on the safety of the systems. Within such systems, there has been a growing trend of using software, because it provides improved functionality, increased flexibility in design and implementation, reduced production cost, and enhanced management of complexity in application areas [23, 24, 27, 8]. Java, equipped with an automatic garbage collection mechanism, has proved to be an appropriate vehicle for a diverse range of applications thanks to its relatively simple linguistic semantics, the adoption of well-understood approaches to managing software complexity, and support for ....

D. L. Parnas, A. J. van Schouwen, and S. P. Kwan, Evaluation of Safety-Critical Software, Communications of the ACM, Vol. 33, No. 6, June 1990.


Exploring the informal translation of OMT object models in B - Polack (2003)   (Correct)

....produced. This paper begins to explore approaches to the validation of the equivalence of formal and informal representations, where the formal specification is developed informally. The approach follows recent work by El Koursi et al.[6] which develops review guidelines, much as Parnas et al.[17] did in the early 1990s. 3.1 Basis of the Approach The approach taken in this paper has two fundamental characteristics. 1. The model must follow the OMT structures (implicit and explicit) as faithfully as possible. 2. Transcription guidelines, and the B machines produced, are as general as ....

....translation, El Koursi et al.[6] propose that a range of validation mechanisms should be used to increase confidence in the equivalence of the representations. The validation processes that they describe accord with the review guidelines for safety oriented developments outlined by Parnas et al.[17]. In an OMT to B transcription, there are several obvious checks that can be made. Structure The B machines must capture not only the structure of the graphical summary that is the OMT models, but must also attempt to capture implicit semantics. Functionality The B must formally define the ....

D. L. Parnas, van Schouwen, and P. K. Shu. Evaluation of safety critical software. Communications of the ACM, 33(6), 1990.


Ravenscar-Java: A High Integrity Profile for Real-Time Java - Kwon, Wellings, King (2002)   (Correct)

....include space shuttles, nuclear power plants, automatic fund transfers and medical instruments. They typically have high development and maintenance costs due to the customised nature of their components. Within such systems, there has been a growing trend to use software, because it provides [25, 26, 30, 8]: improved functionality . increased flexibility in design and implementation . reduced production cost . enhanced management of complexity in application areas. Java [16] has proved to be an appropriate vehicle for a diverse range of applications including web based intranets and embedded ....

D. L. Parnas, A. J. van Schouwen, and S. P. Kwan, Evaluation of Safety-Critical Software, Communications of the ACM, Vol. 33, No. 6, June 1990.


Monitoring, Testing and Debugging of Distributed Real-Time Systems - Thane (2000)   (1 citation)  (Correct)

....pools of knowledge and no silver bullets that can handle everything. Some people do nonetheless, with an almost religious glee, decree that their method, principle or programming language handles or kills all werewolves (which these days have shrunken to tiny, but sometimes lethal bugs) [9][38][85]. The motivation for writing this thesis is an ambition to increase the depth of knowledge in the pool of distributed real time systems verification, which previously has been very shallow. We will specifically address testing and debugging, and as most real time systems are embedded with limited ....

....problems of designing and verifying software are fundamental in character: Software has discontinuous behavior, no inertia, and has no physical restrictions whatsoever, except for time. Silver bullets, i.e. techniques or methods that solely will eliminate all bugs have shown to be myths [9][38][85]. Any Programming language, any formal method, any theory of scheduling, any fault tolerance technique, and any testing technique will always be flawed or incomplete. To design reliable software we must thus make use of all these concepts in union. Consequently, we will never be able to eliminate ....

[Article contains additional citation context not shown here]

Parnas D.L., van Schouwen J., and Kwan S.P. Evaluation of Safety-Critical Software. Communication of the ACM, 6(33):636-648, June 1990.


Assessment of the Java Programming Language for Use in.. - Kwon, Wellings, King (2002)   (Correct)

....costs due to the customised nature of their components. There exist many general and sector specific standards produced to assist in building such important systems. Within high integrity systems, there has been a growing trend to use software, because it provides [Leveson1986, Leveson1991, Parnas 1990, Bowen 1998] improved functionality . increased flexibility in design and implementation . reduced production cost . enhanced management of complexity in application areas. Over the recent years, Java has proved to be an appropriate vehicle for a diverse range of applications including web ....

D. L. Parnas, A. J. van Schouwen, and S. P. Kwan, Evaluation of Safety-Critical Software, Communications of the ACM, Vol. 33, No. 6, June 1990.


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1993)   (11 citations)  (Correct)

....measure which makes safety provision and measurement extremely difficult and contentious tasks. Probably the best survey paper of the 1980s in the area of software safety is provided by [84]. However this is now somewhat out of date because of recent developments. For an update, [85] and [113] are recommended. Safety concerns in computer systems are even more confusing. Such systems consist of many subcomponents which are tightly coupled and have highly complex interactions. The binding of application to operating system to architecture is a prime example of a tightly coupled system. ....

PARNAS, D.L., VON SCHOUWEN, A.J., and SHU PO KWAN `Evaluation of safetycritical software', Communications of the ACM, June 1990, 33, (6), pp. 636--648


Software Test Techniques for System Fault-Tree Analysis - Knight, Nakano (1997)   (2 citations)  (Correct)

....by sampling the input space, i.e. life testing, or as a component whose structure permits modeling of its failure probability from its design. Unfortunately, the quantification of software dependability by life testing has been shown to be infeasible in general for safety critical systems [4, 12]. The reason is that an infeasible number of tests are required to establish a useful bound on the probability of failure in the ultra dependable range. The large number of tests derives from the number of combinations of input values that can occur. It is quite literally the case that for most ....

Parnas, D. L. Evaluation of safety-critical software. Communications of the ACM, June 1990, 33(6), p. 636--48.


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1992)   (11 citations)  (Correct)

....subjective measure which makes safety provision and measurement extremely difficult and contentious tasks. Probably the best survey paper of the 1980s in the area of software safety is provided by [76]. However this is now somewhat out of date because of recent developments. For an update, [77] and [95] are recommended. Safety concerns in computer systems are even more confusing. Such systems consist of many subcomponents which are tightly coupled and have highly complex interactions. The binding of application to operating system to architecture is a prime example of a tightly coupled system. ....

PARNAS, D.L., VON SCHOUWEN, A.J. and SHU PO KWAN `Evaluation of safety-critical software', Communications of the ACM, June 1990, 33, (6), pp. 636--648


Issues in the Assurance of Component-Based Software - Gary Vecellio William (2000)   (1 citation)  (Correct)

....regulatory requirements for the use of their products in HCSS s. 7] In traditional software developments, assurance that the software will function as intended is built up from several sources of evidence. These sources can broadly be classified as people and process, analysis, and testing [4]. There is agreement in the community that all three of these sources of evidence are necessary for true assurance. To date, the systems of interest to software assurance researchers have been primarily safety critical systems. Typically, such systems are built from scratch with few, if any, COTS ....

D. Parnas, et al., Evaluation of Safety-Critical Software, Communication of the ACM, 6 June 1990, Volume 33, Number 6, pg. 636-648.


Formal Coupling of Software Components - May, Hughes, Shaban (1999)   (Correct)

....of systematic reliability. Unlike the treatment of system architecture in random failure models (using probability models) the systematic failure models we are proposing here are statistics. The mathematical heritage of SST lies in the approaches reported in [Thayer et al. 78] [Howden 87] [Parnas 90] [Ehrenburger 91] [Miller et al. 92] [Littlewood Wright 95]. These are all variations on work that dates back to Laplace on urn models. They are statistical estimation models focused purely on assessment of system reliability from test results. However, these standard SST statistics can not be ....

Parnas DI "Evaluation of safety critical software" Comms. of the ACM v33 n6 1990


Practical Computer Security Analysis - Kienzle (1998)   (Correct)

....[Boe88] A complete specification can be developed and then refined through design and ultimately implementation, with little risk that changing requirements or other unanticipated events will necessitate significant backtracking. 28 There are many examples of such systems in the literature (e.g. [Cor89, Rus81, PVK90]) These systems demonstrated that a waterfall process could be used to successfully build secure system software. The many documented successes might even suggest that a waterfall model is generally applicable to security critical systems. But it is crucial to note that these systems all fell ....

Parnas, D., J van Schouwen, S. Kwan, "Evaluation of Safety-Critical Software," Communications of the ACM, Vol. 33, No. 9, June 1990, pp. 636-648.


On the Efficiency of a Compound Poisson Stopping.. - Sahinoglu, von.. (1999)   (1 citation)  (Correct)

....test runs are independent of each other. Testing stops when probability of finding another coverage element is low enough and associated confidence level high enough. Cost of testing is not part of the model. Other approaches similar to [5, 6] that are based on the binomial distribution include [15, 4]. 1 Depending on the model, we assume this means at least one new coverage element, one new coverage element, or a specific number of coverage elements. Various statistical testing techniques have been used to determine the number of test cases needed to achieve a particular test objective (in ....

A. J. van Schouwen, D. L. Parnas, S. P. Kwan, "Evaluation of Safety-critical software", Communications of the ACM, vol. 33, no. 6(June 1990), p. 636 -- 648.


Software Fault Tolerance: A Tutorial - Torres-Pomales (2000)   (Correct)

....on the use of reliability to characterize software. Reliability is an important quality measure of a system. Since software is viewed as one of many system components, system analysts often consider the estimation of software reliability essential in order to estimate the full system reliability [Parnas 90] To some people, the apparently random behavior of software failures is nothing more than a reflection of our ignorance and lack of understanding of the software [Parnas 90] Since software does not fail like hardware does, some reliability engineers argue that software is either correct ....

.... analysts often consider the estimation of software reliability essential in order to estimate the full system reliability [Parnas 90] To some people, the apparently random behavior of software failures is nothing more than a reflection of our ignorance and lack of understanding of the software [Parnas 90] Since software does not fail like hardware does, some reliability engineers argue that software is either correct (reliability 1) or incorrect (reliability 0) and in order to get any meaningful system reliability estimates they assume a software reliability of 1 [Parnas 90] To others, the ....

[Article contains additional citation context not shown here]

David L.Parnas, A. John van Schouwen, and Shu Po Kwan, Evaluation of Safety-Critical Software, Communications of the ACM, Vol. 33, No. 6, June 1990, pp. 636 -- 648.


How Much Testing is Enough? - Applying Stopping Rules to.. - Chen, Sahinoglu (1999)   (Correct)

....that test runs are independent of each other. Testing stops when probability of finding another coverage element is low enough and associated confidence level high enough. Cost of testing is not part of the model. Other approaches similar to [6, 7] include work done by Hamlet [1] and by Schouwen [16]. Various statistical testing techniques have been used to determine the number of test cases needed to achieve a particular test objective [17, 18]. Stopping rules were used to attain a given reliability criterion [8, 21]. Poore et al. [9, 20] use statistical testing based on a usage model. ....

A. J. van Schouwen, D. L. Parnas, S. P. Kwan, "Evaluation of Safety-critical software", Communications of the ACM, vol. 33, no. 6(June 1990), p. 636 -- 648.


Design for Deterministic Monitoring of Distributed Real-Time Systems - Thane (2000)   (1 citation)  (Correct)

....domain has been safety-critical. For the verification of safety critical systems it is necessary to produce very rare scenarios (10 9 occurrences hour) that would be extremely difficult (or even dangerous) to produce even if the target system and target environment were available to the testers [73][57]. Examples are space applications, weapons systems, and medical treatment devices. [Figure 4 8. Effects of a sparse time base.] 4.6 Reproduction of complete system behavior When it comes to the reproduction of the ....

Parnas D.L., van Schouwen J., and Kwan S.P. Evaluation of Safety-Critical Software. Communication of the ACM, 6(33):636-648, June 1990.


Unknown -   (Correct)

No context found.

Parnas, D. L., van Schouwen, A. J. and Kwan, S. P., "Evaluation of Safety-Critical Software," Communications of the ACM, vol. 33, no. 6, pp. 636-648, June 1990.


Formal Methods and the Certification of Critical Systems - Rushby (1993)   (50 citations)  (Correct)

No context found.

David L. Parnas, A. John van Schouwen, and Shu Po Kwan. Evaluation of safety-critical software. Communications of the ACM, 33(6):636--648, June 1990.


Principled Assuredly Trustworthy Composable Architectures - Neumann (2004)   (2 citations)  (Correct)

No context found.

D.L. Parnas, A.J. van Schouwen, and S.P. Kwan. Evaluation of safety-critical software. Communications of the ACM, 33(6):636-648, June 1990.


Modular Certification - Rushby (2002)   (Correct)

No context found.

David L. Parnas, A. John van Schouwen, and Shu Po Kwan. Evaluation of safety-critical software. Communications of the ACM, 33(6):636--648, June 1990.


Modular Certification - Rushby (2002)   (Correct)

No context found.

David L. Parnas, A. John van Schouwen, and Shu Po Kwan. Evaluation of safety-critical software. Communications of the ACM, 33(6):636--648, June 1990.


Static Analysis of Exception Handling in Ada - Schaefer, Bundy (1993)   (Correct)

No context found.

David L. Parnas, A. John van Schouwen and Shu Po Kwan, `Evaluation of safety-critical software', Communications of the ACM, 33, (6), 636--648 (1990).


Ravenscar-Java: A High Integrity Profile for Real-Time Java - Kwon, Wellings, King (2002)   (Correct)

No context found.

D. L. Parnas, A. J. van Schouwen, and S. P. Kwan, Evaluation of SafetyCritical Software, Communications of the ACM, Vol. 33, No. 6, June 1990.


Achieving the Quality of Verification for Behavioral Models.. - Chen, Sahinoglu   (Correct)

No context found.

A. J. van Schouwen, D. L. Parnas, S. P. Kwan, "Evaluation of Safety-critical software", Comm. ACM, vol. 33, no. 6, p. 636--648.


Ensuring the Inspectability, Repeatability and.. - Wong, Joyce, Ronback (1998)   (Correct)

No context found.

PAR90 David L. Parnas, A. John van Schouwen and Shu Po, "Evaluation of Safety-Critical Software", Communications of the ACM, 33( 6), pp 636-648, June 1990.



CiteSeer.IST - Copyright Penn State and NEC