Software safety: why, what, and how
ACM Computing Surveys (CSUR), Volume 18, Issue 2 (June 1986), pp. 125-163
Year of Publication: 1986
ISSN: 0360-0300
Author: Nancy G. Leveson, Univ. of California, Irvine
Publisher: ACM, New York, NY, USA
DOI: 10.1145/7474.7528 (http://doi.acm.org/10.1145/7474.7528)

ABSTRACT

Software safety issues become important when computers are used to control real-time, safety-critical processes. This survey attempts to explain why there is a problem, what the problem is, and what is known about how to solve it. Since this is a relatively new software research area, emphasis is placed on delineating the outstanding issues and research topics.



REVIEW

Reviewer: Robert L. Glass

A paper that concludes “there are no X techniques that have been widely used and validated” and “dependence on any one X approach is unwise at the current state of knowledge” might seem, at first thought, to be a not-very...