SlideShare a Scribd company logo

Critical System Validation in Software Engineering SE21

Download as PPT, PDF
K
koolkampus

The document discusses techniques for validating critical systems, with a focus on validating safety and reliability. Static validation techniques include design reviews and formal proofs, while dynamic techniques involve testing. Reliability validation uses statistical testing against an operational profile to measure reliability. Safety validation aims to prove a system cannot reach unsafe states, using techniques like safety proofs, hazard analysis, and safety cases presenting arguments about risk levels. The document also provides an example safety validation of an insulin pump system.

Technology
1 of 50
Downloaded 235 times
1
2
Most read
3
4
5
Most read
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Critical Systems Validation Validating the reliability, safety and security of computer-based systems
Validation perspectives Reliability validation Does the measured reliability of the system meet its specification? Is the reliability of the system good enough to satisfy users? Safety validation Does the system always operate in such a way that accidents do not occur or that accident consequences are minimised? Security validation Is the system and its data secure against external attack?
Validation techniques Static techniques Design reviews and program inspections Mathematical arguments and proof Dynamic techniques Statistical testing Scenario-based testing Run-time checking Process validation Design development processes that minimise the chances of process errors that might compromise the dependability of the system
Static validation techniques Static validation is concerned with analyses of the system documentation (requirements, design, code, test data). It is concerned with finding errors in the system and identifying potential problems that may arise during system execution. Documents may be prepared (structured arguments, mathematical proofs, etc.) to support the static validation
Static techniques for safety validation Demonstrating safety by testing is difficult because testing is intended to demonstrate what the system does in a particular situation. Testing all possible operational situations is impossible Normal reviews for correctness may be supplemented by specific techniques that are intended to focus on checking that unsafe situations never arise
Safety reviews Review for correct intended function Review for maintainable, understandable structure Review to verify algorithm and data structure design against specification Review to check code consistency with algorithm and data structure design Review adequacy of system testing
Make software as simple as possible Use simple techniques for software development avoiding error-prone constructs such as pointers and recursion Use information hiding to localise the effect of any data corruption Make appropriate use of fault-tolerant techniques but do not be seduced into thinking that fault-tolerant software is necessarily safe Review guidance
Hazard-driven analysis Effective safety assurance relies on hazard identification (covered in previous lectures) Safety can be assured by Hazard avoidance Accident avoidance Protection systems Safety reviews should demonstrate that one or more of these techniques have been applied to all identified hazards
The system safety case It is now normal practice for a formal safety case to be required for all safety-critical computer-based systems e.g. railway signalling, air traffic control, etc. A safety case presents a list of arguments, based on identified hazards, why there is an acceptably low probability that these hazards will not result in an accident Arguments can be based on formal proof, design rationale, safety proofs, etc. Process factors may also be included
Formal methods and critical systems The development of critical systems is one of the ‘success’ stories for formal methods Formal methods are mandated in Britain for the development of some types of safety-critical software for defence applications There is not currently general agreement on the value of formal methods in critical systems development
Formal methods and validation Specification validation Developing a formal model of a system requirements specification forces a detailed analysis of that specification and this usually reveals errors and omissions Mathematical analysis of the formal specification is possible and this also discovers specification problems Formal verification Mathematical arguments (at varying degrees of rigour) are used to demonstrate that a program or a design is consistent with its formal specification
Problems with formal validation The formal model of the specification is not understandable by domain experts It is difficult or impossible to check if the formal model is an accurate representation of the specification for most systems A consistently wrong specification is not useful! Verification does not scale-up Verification is complex, error-prone and requires the use of systems such as theorem provers. The cost of verification increases exponentially as the system size increases.
Formal methods conclusion Formal specification and checking of critical system components is, in my view, useful While formality does not provide any guarantees, it helps to increase confidence in the system by demonstrating that some classes of error are not present Formal verification is only likely to be used for very small, critical, system components About 5-6000 lines of code seems to be the upper limit for practical verification
Safety proofs Safety proofs are intended to show that the system cannot reach in unsafe state Weaker than correctness proofs which must show that the system code conforms to its specification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code May be displayed graphically
Construction of a safety proof Establish the safe exit conditions for a component or a program Starting from the END of the code, work backwards until you have identified all paths that lead to the exit of the code Assume that the exit condition is false Show that, for each path leading to the exit that the assignments made in that path contradict the assumption of an unsafe exit from the component
Gas warning system System to warn of poisonous gas. Consists of a sensor, a controller and an alarm Two levels of gas are hazardous Warning level - no immediate danger but take action to reduce level Evacuate level - immediate danger. Evacuate the area The controller takes air samples, computes the gas level and then decides whether or not the alarm should be activated
Gas sensor control Gas_level: GL_TYPE ; loop -- Take 100 samples of air Gas_level := 0.000 ; for i in 1..100 loop Gas_level := Gas_level + Gas_sensor.Read ; end loop ; Gas_level := Gas_level / 100 ; if Gas_level > Warning and Gas_level < Danger then Alarm := Warning ; Wait_for_reset ; elsif Gas_level > Danger then Alarm := Evacuate ; Wait_for_reset ; else Alarm := off ; end if ; end loop ;
Graphical argument Gas_level > Warning and Alarm = off Unsafe state Gas_level > Warning and Gas_level < Danger Gas_level > Danger Alarm = Warning Alarm = Evacuate Alarm = off contradiction contradiction Path 1 Path 2 Path 3 or or or
Condition checking Code is incorrect. Gas_level = Danger does not cause the alarm to be on
Key points Safety-related systems should be developed to be as simple as possible using ‘safe’ development techniques Safety assurance may depend on ‘trusted’ development processes and specific development techniques such as the use of formal methods and safety proofs Safety proofs are easier than proofs of consistency or correctness. They must demonstrate that the system cannot reach an unsafe state. Usually proofs by contradiction
Dynamic validation techniques These are techniques that are concerned with validating the system in execution Testing techniques - analysing the system outside of its operational environment Run-time checking - checking during execution that the system is operating within a dependability ‘envelope’
Reliability validation Reliability validation involves exercising the program to assess whether or not it has reached the required level of reliability Cannot be included as part of a normal defect testing process because data for defect testing is (usually) atypical of actual usage data Statistical testing must be used where a statistically significant data sample based on simulated usage is used to assess the reliability
Testing software for reliability rather than fault detection Measuring the number of errors allows the reliability of the software to be predicted. Note that, for statistical reasons, more errors than are allowed for in the reliability specification must be induced An acceptable level of reliability should be specified and the software tested and amended until that level of reliability is reached Statistical testing
Reliability validation process Establish the operational profile for the system Construct test data reflecting the operational profile Test the system and observe the number of failures and the times of these failures Compute the reliability after a statistically significant number of failures have been observed
Operational profiles An operational profile is a set of test data whose frequency matches the actual frequency of these inputs from ‘normal’ usage of the system. A close match with actual usage is necessary otherwise the measured reliability will not be reflected in the actual usage of the system Can be generated from real data collected from an existing system or (more often) depends on assumptions made about the pattern of usage of a system
An operational profile
Operational profile generation Should be generated automatically whenever possible Automatic profile generation is difficult for interactive systems May be straightforward for ‘normal’ inputs but it is difficult to predict ‘unlikely’ inputs and to create test data for them
A reliability growth model is a mathematical model of the system reliability change as it is tested and faults are removed Used as a means of reliability prediction by extrapolating from current data Simplifies test planning and customer negotiations Depends on the use of statistical testing to measure the reliability of a system version Reliability modelling
Equal-step reliability growth
Observed reliability growth Simple equal-step model but does not reflect reality Reliability does not necessarily increase with change as the change can introduce new faults The rate of reliability growth tends to slow down with time as frequently occurring faults are discovered and removed from the software A random-growth model may be more accurate
Random-step reliability growth
Growth model selection Many different reliability growth models have been proposed No universally applicable growth model Reliability should be measured and observed data should be fitted to several models Best-fit model should be used for reliability prediction
Reliability prediction
Operational profile uncertainty Is the operational profile an accurate reflection of the real use of the system High costs of test data generation Very expensive to generate and check the large number of test cases that are required Statistical uncertainty for high-reliability systems It may be impossible to generate enough failures to draw statistically valid conclusions Reliability validation problems
Security validation Security validation has something in common with safety validation It is intended to demonstrate that the system cannot enter some state (an unsafe or an insecure state) rather than to demonstrate that the system can do something However, there are differences Safety problems are accidental; security problems are deliberate Security problems are more generic; Safety problems are related to the application domain
Security validation Experience-based validation The system is reviewed and analysed against the types of attack that are known to the validation team Tool-based validation Various security tools such as password checkers are used to analyse the system in operation Tiger teams A team is established whose goal is to breach the security of the system by simulating attacks on the system.
Key points Statistical testing supplements the defect testing process and is intended to measure the reliability of a system Reliability validation relies on exercising the system using an operational profile - a simulated input set which matches the actual usage of the system Reliability growth modelling is concerned with modelling how the reliability of a software system improves as it is tested and faults are removed
The portable insulin pump Validating the safety of the insulin pump system
Safety validation Design validation Checking the design to ensure that hazards do not arise or that they can be handled without causing an accident. Code validation Testing the system to check the conformance of the code to its specification and to check that the code is a true implementation of the design. Run-time validation Designing safety checks while the system is in operation to ensure that it does not reach an unsafe state.
insulin overdose or underdose (biological) power failure (electrical) machine interferes electrically with other medical equipment such as a heart pacemaker (electrical) parts of machine break off in patient’s body(physical) infection caused by introduction of machine (biol.) allergic reaction to the materials or insulin used in the machine (biol). Insulin system hazards
Fault tree for software hazards
Safety proofs Safety proofs are intended to show that the system cannot reach in unsafe state Weaker than correctness proofs which must show that the system code conforms to its specification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code
Insulin delivery system Safe state is a shutdown state where no insulin is delivered If hazard arises,shutting down the system will prevent an accident Software may be included to detect and prevent hazards such as power failure Consider only hazards arising from software failure Arithmetic error The insulin dose is computed incorrectly because of some failure of the computer arithmetic Algorithmic error The dose computation algorithm is incorrect
Use language exception handling mechanisms to trap errors as they arise Use explicit error checks for all errors which are identified Avoid error-prone arithmetic operations (multiply and divide). Replace with add and subtract Never use floating-point numbers Shut down system if exception detected (safe state) Arithmetic errors
Harder to detect than arithmetic errors. System should always err on the side of safety Use reasonableness checks for the dose delivered based on previous dose and rate of dose change Set maximum delivery level in any specified time period If computed dose is very high, medical intervention may be necessary anyway because the patient may be ill Algorithmic errors
Insulin delivery code // The insulin dose to be delivered is a function of blood sugar level, the previous dose // delivered and the time of delivery of the previous dose currentDose = computeInsulin () ; // Safety check - adjust currentDose if necessary if (previousDose == 0) // if statement 1 { if (currentDose > 16) currentDose = 16 ; } else if (currentDose > (previousDose * 2) ) currentDose = previousDose * 2 ; if ( currentDose < minimumDose ) // if statement 2 currentDose = 0 ; // then branch else if ( currentDose > maxDose ) // else branch currentDose = maxDose ; administerInsulin (currentDose) ;
Informal safety proof See Portrait slide
System testing System testing of the software has to rely on simulators for the sensor and the insulin delivery components. Test for normal operation using an operational profile. Can be constructed using data gathered from existing diabetics Testing has to include situations where rate of change of glucose is very fast and very slow Test for exceptions using the simulator
Safety assertions Predicates included in the program indicating conditions which should hold at that point May be based on pre-computed limits e.g. number of insulin pump increments in maximum dose Used in formal program inspections or may be pre-processed into safety checks that are executed when the system is in operation
Safety assertions static void administerInsulin ( ) throws SafetyException { int maxIncrements = InsulinPump.maxDose / 8 ; int increments = InsulinPump.currentDose / 8 ; // assert currentDose <= InsulinPump.maxDose if (InsulinPump.currentDose > InsulinPump.maxDose) throw new SafetyException (Pump.doseHigh); else for (int i=1; i<= increments; i++) { generateSignal () ; if (i > maxIncrements) throw new SafetyException ( Pump.incorrectIncrements); } // for loop } //administerInsulin

More Related Content

What's hot (20)

PPT
Software process and project metrics
Indu Sharma Bhardwaj
 
PPTX
SRS(software requirement specification)
Akash Kumar Dhameja
 
PPTX
Checkpoints of the Process
Munazza-Mah-Jabeen
 
PPTX
software cost factor
Abinaya B
 
PPT
Object Oriented Analysis and Design
Haitham El-Ghareeb
 
DOCX
Levels of Virtualization.docx
kumari36
 
PPT
Analysis modeling
Inocentshuja Ahmad
 
PDF
Software Cost Estimation Techniques
MohamedIbrahim1408
 
PPTX
Introduction to Software Engineering
Saqib Raza
 
PDF
Unit 5- Architectural Design in software engineering
arvind pandey
 
PPTX
Importance & Principles of Modeling from UML Designing
ABHISHEK KUMAR
 
PPTX
Handwritten Digit Recognition(Convolutional Neural Network) PPT
RishabhTyagi48
 
PPT
10 software maintenance
akiara
 
PPTX
Lect3 conventional vs modern spm
meena466141
 
PPTX
Unit 7 performing user interface design
Preeti Mishra
 
PPTX
Decomposition technique In Software Engineering
Bilal Hassan
 
PPTX
Modules and modularization criteria
Umaselvi_R
 
PPT
Object Oriented Design
Sudarsun Santhiappan
 
PPTX
Software Engineering
janani thirupathi
 
DOCX
Evolving role of Software,Legacy software,CASE tools,Process Models,CMMI
nimmik4u
 
Software process and project metrics
Indu Sharma Bhardwaj
 
SRS(software requirement specification)
Akash Kumar Dhameja
 
Checkpoints of the Process
Munazza-Mah-Jabeen
 
software cost factor
Abinaya B
 
Object Oriented Analysis and Design
Haitham El-Ghareeb
 
Levels of Virtualization.docx
kumari36
 
Analysis modeling
Inocentshuja Ahmad
 
Software Cost Estimation Techniques
MohamedIbrahim1408
 
Introduction to Software Engineering
Saqib Raza
 
Unit 5- Architectural Design in software engineering
arvind pandey
 
Importance & Principles of Modeling from UML Designing
ABHISHEK KUMAR
 
Handwritten Digit Recognition(Convolutional Neural Network) PPT
RishabhTyagi48
 
10 software maintenance
akiara
 
Lect3 conventional vs modern spm
meena466141
 
Unit 7 performing user interface design
Preeti Mishra
 
Decomposition technique In Software Engineering
Bilal Hassan
 
Modules and modularization criteria
Umaselvi_R
 
Object Oriented Design
Sudarsun Santhiappan
 
Software Engineering
janani thirupathi
 
Evolving role of Software,Legacy software,CASE tools,Process Models,CMMI
nimmik4u
 

Viewers also liked (20)

PDF
Follow on Biologics Market
Sanjay Modi
 
PPT
Ais Romney 2006 Slides 07 Is Control1
Sharing Slides Training
 
PDF
Fundamentals of reliability engineering and applications part2of3
ASQ Reliability Division
 
PPTX
4 key technological trends that raise ethical issues
Rownel Cerezo Gagani
 
PPT
Flow oriented modeling
ramyaaswin
 
PPT
Quality Management in Software Engineering SE24
koolkampus
 
ODP
The Art Of Debugging
svilen.ivanov
 
PPTX
Reliability Maintenance Engineering 2 - 2 Reliability Techniques
Accendo Reliability
 
PPTX
Ch24 quality management
software-engineering-book
 
PDF
Fundamentals of reliability engineering and applications part3of3
ASQ Reliability Division
 
PPTX
Testing, qa, qc. what the difference
ISsoft
 
PDF
Fundamentals of reliability engineering and applications part1of3
ASQ Reliability Division
 
PDF
Software Evolution
Michele Lanza
 
PPT
Software Process Improvement
Bilal Shah
 
PPT
Software cost estimation
Dr. C.V. Suresh Babu
 
PPT
Local Area Networks in Data Communication DC24
koolkampus
 
PPT
Unit1
anuragmbst
 
PPT
Ethical and social issues in information systems
Prof. Othman Alsalloum
 
PPTX
verification and validation
Dinesh Pasi
 
PPT
Quality Assurance Vs Quality Control
Yogita patil
 
Follow on Biologics Market
Sanjay Modi
 
Ais Romney 2006 Slides 07 Is Control1
Sharing Slides Training
 
Fundamentals of reliability engineering and applications part2of3
ASQ Reliability Division
 
4 key technological trends that raise ethical issues
Rownel Cerezo Gagani
 
Flow oriented modeling
ramyaaswin
 
Quality Management in Software Engineering SE24
koolkampus
 
The Art Of Debugging
svilen.ivanov
 
Reliability Maintenance Engineering 2 - 2 Reliability Techniques
Accendo Reliability
 
Ch24 quality management
software-engineering-book
 
Fundamentals of reliability engineering and applications part3of3
ASQ Reliability Division
 
Testing, qa, qc. what the difference
ISsoft
 
Fundamentals of reliability engineering and applications part1of3
ASQ Reliability Division
 
Software Evolution
Michele Lanza
 
Software Process Improvement
Bilal Shah
 
Software cost estimation
Dr. C.V. Suresh Babu
 
Local Area Networks in Data Communication DC24
koolkampus
 
Unit1
anuragmbst
 
Ethical and social issues in information systems
Prof. Othman Alsalloum
 
verification and validation
Dinesh Pasi
 
Quality Assurance Vs Quality Control
Yogita patil
 
Ad

Similar to Critical System Validation in Software Engineering SE21 (20)

PPT
Ch24
phanleson
 
PPT
Depandability in Software Engineering SE16
koolkampus
 
PPT
Ch9
phanleson
 
PPT
Critical System Specification in Software Engineering SE17
koolkampus
 
PPT
Ch3
Saad Gabr
 
PPT
Ch3
phanleson
 
PPT
Ch20
phanleson
 
PPT
Critical Systems
Usman Bin Saad
 
PPT
Chapter- Five fault powers poin lecture
borchala1
 
PPTX
RTS fault tolerance, Reliability evaluation
4132lenin6497ram
 
PPTX
real time systems fault tolerance, Redundancy
4132lenin6497ram
 
PDF
Vortrag LWS Schweiz
Michael Rumpler
 
PDF
Icssea 2013 arrl_final_08102013
Vincenzo De Florio
 
PDF
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
IJCSES Journal
 
PDF
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATING SAFETY AND SECURITY ENGIN...
IJCSES Journal
 
PPTX
lec 17.pptxlec 17.pptxlec 17.pptxlec 17.pptx
nawasyt700
 
PPTX
L7 Design For Recovery
Ian Sommerville
 
PPT
Testing
Kiran Kumar
 
PPT
Ch10
phanleson
 
PPTX
Software engineering
sakthibalabalamuruga
 
Ch24
phanleson
 
Depandability in Software Engineering SE16
koolkampus
 
Ch9
phanleson
 
Critical System Specification in Software Engineering SE17
koolkampus
 
Ch3
Saad Gabr
 
Ch3
phanleson
 
Ch20
phanleson
 
Critical Systems
Usman Bin Saad
 
Chapter- Five fault powers poin lecture
borchala1
 
RTS fault tolerance, Reliability evaluation
4132lenin6497ram
 
real time systems fault tolerance, Redundancy
4132lenin6497ram
 
Vortrag LWS Schweiz
Michael Rumpler
 
Icssea 2013 arrl_final_08102013
Vincenzo De Florio
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
IJCSES Journal
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATING SAFETY AND SECURITY ENGIN...
IJCSES Journal
 
lec 17.pptxlec 17.pptxlec 17.pptxlec 17.pptx
nawasyt700
 
L7 Design For Recovery
Ian Sommerville
 
Testing
Kiran Kumar
 
Ch10
phanleson
 
Software engineering
sakthibalabalamuruga
 
Ad

More from koolkampus (20)

PPT
Bit Oriented Protocols in Data Communication DC23
koolkampus
 
PPT
Data Link Control in Data Communication DC20
koolkampus
 
PPT
Error Detection and Correction in Data Communication DC18
koolkampus
 
PPT
TDM in Data Communication DC16
koolkampus
 
PPT
Radio Communication Band(Data Communication) DC14
koolkampus
 
PPT
Connectors in Data Communication DC12
koolkampus
 
PPT
Transmission of Digital Data(Data Communication) DC11
koolkampus
 
PPT
Analog to Digital Encoding in Data Communication DC9
koolkampus
 
PPT
Signal with DC Component(Data Communication) DC7
koolkampus
 
PPT
Layer Examples in Data Communication CD4
koolkampus
 
PPT
OSI Model (Data Communication) DC3
koolkampus
 
PPT
Basic Concepts in Data Communication DC1
koolkampus
 
PPT
Token Passing in Data Communication DC25
koolkampus
 
PPT
Data Link Protocols in Data Communication DC22
koolkampus
 
PPT
Flow Control in Data Communication DC21
koolkampus
 
PPT
CRC in Data Communication DC19
koolkampus
 
PPT
Telephone Networn in Data Communication DC17
koolkampus
 
PPT
Multiplexing in Data Communication DC15
koolkampus
 
PPT
Transmission Media in Data Communication DC13
koolkampus
 
PPT
Analog to Analog Modulation in Data Communication DC10
koolkampus
 
Bit Oriented Protocols in Data Communication DC23
koolkampus
 
Data Link Control in Data Communication DC20
koolkampus
 
Error Detection and Correction in Data Communication DC18
koolkampus
 
TDM in Data Communication DC16
koolkampus
 
Radio Communication Band(Data Communication) DC14
koolkampus
 
Connectors in Data Communication DC12
koolkampus
 
Transmission of Digital Data(Data Communication) DC11
koolkampus
 
Analog to Digital Encoding in Data Communication DC9
koolkampus
 
Signal with DC Component(Data Communication) DC7
koolkampus
 
Layer Examples in Data Communication CD4
koolkampus
 
OSI Model (Data Communication) DC3
koolkampus
 
Basic Concepts in Data Communication DC1
koolkampus
 
Token Passing in Data Communication DC25
koolkampus
 
Data Link Protocols in Data Communication DC22
koolkampus
 
Flow Control in Data Communication DC21
koolkampus
 
CRC in Data Communication DC19
koolkampus
 
Telephone Networn in Data Communication DC17
koolkampus
 
Multiplexing in Data Communication DC15
koolkampus
 
Transmission Media in Data Communication DC13
koolkampus
 
Analog to Analog Modulation in Data Communication DC10
koolkampus
 

Recently uploaded (20)

PDF
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
PDF
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
PDF
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
PDF
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
PDF
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
PDF
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
PDF
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
PDF
Unlocking FME Flow’s Potential: Architecture Design for Modern Enterprises
Safe Software
 
PDF
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
Ravi Tamada
 
PDF
Understanding AI Optimization AIO, LLMO, and GEO
CoDigital
 
PPTX
Practical Applications of AI in Local Government
OnBoard
 
PDF
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
PDF
🚀 Let’s Build Our First Slack Workflow! 🔧.pdf
SanjeetMishra29
 
PDF
Enhancing Environmental Monitoring with Real-Time Data Integration: Leveragin...
Safe Software
 
PDF
Kubernetes - Architecture & Components.pdf
geethak285
 
PPTX
Enabling the Digital Artisan – keynote at ICOCI 2025
Alan Dix
 
PDF
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
PDF
My Journey from CAD to BIM: A True Underdog Story
Safe Software
 
PDF
Why aren't you using FME Flow's CPU Time?
Safe Software
 
PDF
Supporting the NextGen 911 Digital Transformation with FME
Safe Software
 
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
Unlocking FME Flow’s Potential: Architecture Design for Modern Enterprises
Safe Software
 
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
Ravi Tamada
 
Understanding AI Optimization AIO, LLMO, and GEO
CoDigital
 
Practical Applications of AI in Local Government
OnBoard
 
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
🚀 Let’s Build Our First Slack Workflow! 🔧.pdf
SanjeetMishra29
 
Enhancing Environmental Monitoring with Real-Time Data Integration: Leveragin...
Safe Software
 
Kubernetes - Architecture & Components.pdf
geethak285
 
Enabling the Digital Artisan – keynote at ICOCI 2025
Alan Dix
 
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
My Journey from CAD to BIM: A True Underdog Story
Safe Software
 
Why aren't you using FME Flow's CPU Time?
Safe Software
 
Supporting the NextGen 911 Digital Transformation with FME
Safe Software
 

Critical System Validation in Software Engineering SE21

  • 1. Critical Systems Validation Validating the reliability, safety and security of computer-based systems
  • 2. Validation perspectives Reliability validation Does the measured reliability of the system meet its specification? Is the reliability of the system good enough to satisfy users? Safety validation Does the system always operate in such a way that accidents do not occur or that accident consequences are minimised? Security validation Is the system and its data secure against external attack?
  • 3. Validation techniques Static techniques Design reviews and program inspections Mathematical arguments and proof Dynamic techniques Statistical testing Scenario-based testing Run-time checking Process validation Design development processes that minimise the chances of process errors that might compromise the dependability of the system
  • 4. Static validation techniques Static validation is concerned with analyses of the system documentation (requirements, design, code, test data). It is concerned with finding errors in the system and identifying potential problems that may arise during system execution. Documents may be prepared (structured arguments, mathematical proofs, etc.) to support the static validation
  • 5. Static techniques for safety validation Demonstrating safety by testing is difficult because testing is intended to demonstrate what the system does in a particular situation. Testing all possible operational situations is impossible Normal reviews for correctness may be supplemented by specific techniques that are intended to focus on checking that unsafe situations never arise
  • 6. Safety reviews Review for correct intended function Review for maintainable, understandable structure Review to verify algorithm and data structure design against specification Review to check code consistency with algorithm and data structure design Review adequacy of system testing
  • 7. Make software as simple as possible Use simple techniques for software development avoiding error-prone constructs such as pointers and recursion Use information hiding to localise the effect of any data corruption Make appropriate use of fault-tolerant techniques but do not be seduced into thinking that fault-tolerant software is necessarily safe Review guidance
  • 8. Hazard-driven analysis Effective safety assurance relies on hazard identification (covered in previous lectures) Safety can be assured by Hazard avoidance Accident avoidance Protection systems Safety reviews should demonstrate that one or more of these techniques have been applied to all identified hazards
  • 9. The system safety case It is now normal practice for a formal safety case to be required for all safety-critical computer-based systems e.g. railway signalling, air traffic control, etc. A safety case presents a list of arguments, based on identified hazards, why there is an acceptably low probability that these hazards will not result in an accident Arguments can be based on formal proof, design rationale, safety proofs, etc. Process factors may also be included
  • 10. Formal methods and critical systems The development of critical systems is one of the ‘success’ stories for formal methods Formal methods are mandated in Britain for the development of some types of safety-critical software for defence applications There is not currently general agreement on the value of formal methods in critical systems development
  • 11. Formal methods and validation Specification validation Developing a formal model of a system requirements specification forces a detailed analysis of that specification and this usually reveals errors and omissions Mathematical analysis of the formal specification is possible and this also discovers specification problems Formal verification Mathematical arguments (at varying degrees of rigour) are used to demonstrate that a program or a design is consistent with its formal specification
  • 12. Problems with formal validation The formal model of the specification is not understandable by domain experts It is difficult or impossible to check if the formal model is an accurate representation of the specification for most systems A consistently wrong specification is not useful! Verification does not scale-up Verification is complex, error-prone and requires the use of systems such as theorem provers. The cost of verification increases exponentially as the system size increases.
  • 13. Formal methods conclusion Formal specification and checking of critical system components is, in my view, useful While formality does not provide any guarantees, it helps to increase confidence in the system by demonstrating that some classes of error are not present Formal verification is only likely to be used for very small, critical, system components About 5-6000 lines of code seems to be the upper limit for practical verification
  • 14. Safety proofs Safety proofs are intended to show that the system cannot reach in unsafe state Weaker than correctness proofs which must show that the system code conforms to its specification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code May be displayed graphically
  • 15. Construction of a safety proof Establish the safe exit conditions for a component or a program Starting from the END of the code, work backwards until you have identified all paths that lead to the exit of the code Assume that the exit condition is false Show that, for each path leading to the exit that the assignments made in that path contradict the assumption of an unsafe exit from the component
  • 16. Gas warning system System to warn of poisonous gas. Consists of a sensor, a controller and an alarm Two levels of gas are hazardous Warning level - no immediate danger but take action to reduce level Evacuate level - immediate danger. Evacuate the area The controller takes air samples, computes the gas level and then decides whether or not the alarm should be activated
  • 17. Gas sensor control Gas_level: GL_TYPE ; loop -- Take 100 samples of air Gas_level := 0.000 ; for i in 1..100 loop Gas_level := Gas_level + Gas_sensor.Read ; end loop ; Gas_level := Gas_level / 100 ; if Gas_level > Warning and Gas_level < Danger then Alarm := Warning ; Wait_for_reset ; elsif Gas_level > Danger then Alarm := Evacuate ; Wait_for_reset ; else Alarm := off ; end if ; end loop ;
  • 18. Graphical argument Gas_level > Warning and Alarm = off Unsafe state Gas_level > Warning and Gas_level < Danger Gas_level > Danger Alarm = Warning Alarm = Evacuate Alarm = off contradiction contradiction Path 1 Path 2 Path 3 or or or
  • 19. Condition checking Code is incorrect. Gas_level = Danger does not cause the alarm to be on
  • 20. Key points Safety-related systems should be developed to be as simple as possible using ‘safe’ development techniques Safety assurance may depend on ‘trusted’ development processes and specific development techniques such as the use of formal methods and safety proofs Safety proofs are easier than proofs of consistency or correctness. They must demonstrate that the system cannot reach an unsafe state. Usually proofs by contradiction
  • 21. Dynamic validation techniques These are techniques that are concerned with validating the system in execution Testing techniques - analysing the system outside of its operational environment Run-time checking - checking during execution that the system is operating within a dependability ‘envelope’
  • 22. Reliability validation Reliability validation involves exercising the program to assess whether or not it has reached the required level of reliability Cannot be included as part of a normal defect testing process because data for defect testing is (usually) atypical of actual usage data Statistical testing must be used where a statistically significant data sample based on simulated usage is used to assess the reliability
  • 23. Testing software for reliability rather than fault detection Measuring the number of errors allows the reliability of the software to be predicted. Note that, for statistical reasons, more errors than are allowed for in the reliability specification must be induced An acceptable level of reliability should be specified and the software tested and amended until that level of reliability is reached Statistical testing
  • 24. Reliability validation process Establish the operational profile for the system Construct test data reflecting the operational profile Test the system and observe the number of failures and the times of these failures Compute the reliability after a statistically significant number of failures have been observed
  • 25. Operational profiles An operational profile is a set of test data whose frequency matches the actual frequency of these inputs from ‘normal’ usage of the system. A close match with actual usage is necessary otherwise the measured reliability will not be reflected in the actual usage of the system Can be generated from real data collected from an existing system or (more often) depends on assumptions made about the pattern of usage of a system
  • 27. Operational profile generation Should be generated automatically whenever possible Automatic profile generation is difficult for interactive systems May be straightforward for ‘normal’ inputs but it is difficult to predict ‘unlikely’ inputs and to create test data for them
  • 28. A reliability growth model is a mathematical model of the system reliability change as it is tested and faults are removed Used as a means of reliability prediction by extrapolating from current data Simplifies test planning and customer negotiations Depends on the use of statistical testing to measure the reliability of a system version Reliability modelling
  • 30. Observed reliability growth Simple equal-step model but does not reflect reality Reliability does not necessarily increase with change as the change can introduce new faults The rate of reliability growth tends to slow down with time as frequently occurring faults are discovered and removed from the software A random-growth model may be more accurate
  • 32. Growth model selection Many different reliability growth models have been proposed No universally applicable growth model Reliability should be measured and observed data should be fitted to several models Best-fit model should be used for reliability prediction
  • 34. Operational profile uncertainty Is the operational profile an accurate reflection of the real use of the system High costs of test data generation Very expensive to generate and check the large number of test cases that are required Statistical uncertainty for high-reliability systems It may be impossible to generate enough failures to draw statistically valid conclusions Reliability validation problems
  • 35. Security validation Security validation has something in common with safety validation It is intended to demonstrate that the system cannot enter some state (an unsafe or an insecure state) rather than to demonstrate that the system can do something However, there are differences Safety problems are accidental; security problems are deliberate Security problems are more generic; Safety problems are related to the application domain
  • 36. Security validation Experience-based validation The system is reviewed and analysed against the types of attack that are known to the validation team Tool-based validation Various security tools such as password checkers are used to analyse the system in operation Tiger teams A team is established whose goal is to breach the security of the system by simulating attacks on the system.
  • 37. Key points Statistical testing supplements the defect testing process and is intended to measure the reliability of a system Reliability validation relies on exercising the system using an operational profile - a simulated input set which matches the actual usage of the system Reliability growth modelling is concerned with modelling how the reliability of a software system improves as it is tested and faults are removed
  • 38. The portable insulin pump Validating the safety of the insulin pump system
  • 39. Safety validation Design validation Checking the design to ensure that hazards do not arise or that they can be handled without causing an accident. Code validation Testing the system to check the conformance of the code to its specification and to check that the code is a true implementation of the design. Run-time validation Designing safety checks while the system is in operation to ensure that it does not reach an unsafe state.
  • 40. insulin overdose or underdose (biological) power failure (electrical) machine interferes electrically with other medical equipment such as a heart pacemaker (electrical) parts of machine break off in patient’s body(physical) infection caused by introduction of machine (biol.) allergic reaction to the materials or insulin used in the machine (biol). Insulin system hazards
  • 41. Fault tree for software hazards
  • 42. Safety proofs Safety proofs are intended to show that the system cannot reach in unsafe state Weaker than correctness proofs which must show that the system code conforms to its specification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code
  • 43. Insulin delivery system Safe state is a shutdown state where no insulin is delivered If hazard arises,shutting down the system will prevent an accident Software may be included to detect and prevent hazards such as power failure Consider only hazards arising from software failure Arithmetic error The insulin dose is computed incorrectly because of some failure of the computer arithmetic Algorithmic error The dose computation algorithm is incorrect
  • 44. Use language exception handling mechanisms to trap errors as they arise Use explicit error checks for all errors which are identified Avoid error-prone arithmetic operations (multiply and divide). Replace with add and subtract Never use floating-point numbers Shut down system if exception detected (safe state) Arithmetic errors
  • 45. Harder to detect than arithmetic errors. System should always err on the side of safety Use reasonableness checks for the dose delivered based on previous dose and rate of dose change Set maximum delivery level in any specified time period If computed dose is very high, medical intervention may be necessary anyway because the patient may be ill Algorithmic errors
  • 46. Insulin delivery code // The insulin dose to be delivered is a function of blood sugar level, the previous dose // delivered and the time of delivery of the previous dose currentDose = computeInsulin () ; // Safety check - adjust currentDose if necessary if (previousDose == 0) // if statement 1 { if (currentDose > 16) currentDose = 16 ; } else if (currentDose > (previousDose * 2) ) currentDose = previousDose * 2 ; if ( currentDose < minimumDose ) // if statement 2 currentDose = 0 ; // then branch else if ( currentDose > maxDose ) // else branch currentDose = maxDose ; administerInsulin (currentDose) ;
  • 47. Informal safety proof See Portrait slide
  • 48. System testing System testing of the software has to rely on simulators for the sensor and the insulin delivery components. Test for normal operation using an operational profile. Can be constructed using data gathered from existing diabetics Testing has to include situations where rate of change of glucose is very fast and very slow Test for exceptions using the simulator
  • 49. Safety assertions Predicates included in the program indicating conditions which should hold at that point May be based on pre-computed limits e.g. number of insulin pump increments in maximum dose Used in formal program inspections or may be pre-processed into safety checks that are executed when the system is in operation
  • 50. Safety assertions static void administerInsulin ( ) throws SafetyException { int maxIncrements = InsulinPump.maxDose / 8 ; int increments = InsulinPump.currentDose / 8 ; // assert currentDose <= InsulinPump.maxDose if (InsulinPump.currentDose > InsulinPump.maxDose) throw new SafetyException (Pump.doseHigh); else for (int i=1; i<= increments; i++) { generateSignal () ; if (i > maxIncrements) throw new SafetyException ( Pump.incorrectIncrements); } // for loop } //administerInsulin