
Software safety: why, what, and how

Published: 01 June 1986

Abstract

Software safety issues become important when computers are used to control real-time, safety-critical processes. This survey attempts to explain why there is a problem, what the problem is, and what is known about how to solve it. Since this is a relatively new software research area, emphasis is placed on delineating the outstanding issues and research topics.

Reviews

Robert L. Glass

A paper that concludes “there are no X techniques that have been widely used and validated” and “dependence on any one X approach is unwise at the current state of knowledge” might seem, at first thought, to be a not-very-promising place to learn about X. But this first thought would be wrong. Leveson's view of X = Software Safety is a fascinating, thorough, and objective look at a formative technology. From the opening anecdotal look at safety, through techniques useful in designing and evaluating safe software, to the less-than-encouraging conclusions, the reader is drawn inexorably into the topic. Little gems of information lurk throughout: “inadequate design foresight and specification errors are the greatest cause of software safety problems.” “effort is frequently diverted to proving theoretically that a system meets a stipulated level of risk when that effort could much more profitably be applied to eliminating, minimizing, and controlling hazards.” Some gems come from an extensive and up-to-date set of references; the rest come from Leveson's own pioneering research. In some places, topics are discussed without the examples the reader will need to understand them. “Real-time logic” and “time Petri nets,” used as methods for identifying and analyzing software, are two cases in point. But the problems of the treatment and the softness of the topic seem minimal. The reader comes away with a sense of both knowing and caring about software safety.

Published in

ACM Computing Surveys, Volume 18, Issue 2
June 1986
96 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/7474

Copyright © 1986 ACM

Publisher

Association for Computing Machinery
New York, NY, United States
