Takaji Fujiwara
fujiwara@biz3.co.jp
Yoshinobu Satoh
jme@biz3.co.jp
Shigeru Yamada
yoshi@kaiyodai.ac.jp
yamada@sse.tottori-u.ac.jp
ABSTRACT
In the functional safety standards (IEC 61508 and ISO/DIS 26262), development methods and quantitative analytical methods are defined for the establishment of safety-related systems. However, only development methods are recommended for establishing the software of safety-related systems. That is, the safety integrity level for software is determined only by the number of the development methods applied to practical safety-related system development. This is not a reasonable way to evaluate the safety integrity level, because various risk factors should be taken into account. In this paper, we propose how to calculate the safety integrity level for software. In particular, we propose a calculation method based on the software reliability growth model, which has long been used in large-scale system development.

General Terms
Software Reliability and Safety

Keywords
safety integrity level, software reliability growth model, calculation method

1. INTRODUCTION
with the hardware, though software reliability and safety have been studied so far, the results have still not necessarily been satisfactory. Therefore, once system failures due to defects or faults latent in the software system come to the surface, the computer system is entirely useless and many people sustain great damage. Occasionally, there are also worst-case defects or faults which would bring about serious and critical accidents involving human life. In such present circumstances, the development of highly reliable and safe software is an important issue.

As one of the solutions to this issue, developers have been conforming their development to the functional safety standards (IEC 61508 and ISO/DIS 26262) [1],[2]. In the functional safety standards, both development methods and quantitative analytical methods are defined for the hardware of safety-related systems (abbreviated as SRSs). However, only development methods are defined for the software of SRSs. That is, the safety integrity level (abbreviated as SIL; this is the term used in IEC 61508, while ISO/DIS 26262 calls it the Automotive Safety Integrity Level) for software is determined only by the number of the development methods applied to practical SRS development. This is not a reasonable way to evaluate the SIL, because various risk factors should be included. One clear risk factor is that the quality of the implemented software varies according to the skill level of the developers. Thus, a developer has to grasp reliability and safety quantitatively as a quality level when verifying the implemented software.

In this paper, we propose a method for calculating the SIL for software. In particular, we propose a calculation method based on the software reliability growth model (abbreviated as SRGM) [5],[6], which has long been used in large-scale system development.

2. DESCRIPTION OF SRGM
In this Section, we discuss software reliability growth modeling based on a non-homogeneous Poisson process (abbreviated as NHPP) [5],[6], because SRGMs based on NHPPs have been widely and successfully applied to practical software development activities.

Generally, during the testing phase of the software development process, the software developer has to execute many and various test-cases in order to verify the implemented functions against the requirement specification. At that time, they detect the faults which are latent in the software, and the correction and removal of those faults are performed in accordance with the specified procedures. That is, software reliability growth during the testing-phase means the relationship between the testing-time and the cumulative number of faults detected by testing, or the time-interval between software failures. Then, the reliability growth curve represents the time-dependent behavior of the cumulative number of detected faults with the progress of testing. By describing the fault-detection phenomenon by a stochastic model based on an NHPP, software reliability assessment during the testing-phase and reliability prediction for the operating-phase can be performed.

CARS '10, April 27, Valencia, Spain
Copyright 2010 ACM 978-1-60558-915-2/10/04 ...$10.00.
In order to describe the fault-detection phenomenon at arbitrary testing time t, let {N(t), t ≥ 0} denote a counting process representing the cumulative number of faults detected up to arbitrary testing time t. Then, the fault-detection phenomenon can be formulated by an NHPP as follows:

$$\Pr\{N(t) = n\} = \frac{\{H(t)\}^n}{n!} \exp[-H(t)] \quad (n = 0, 1, 2, \ldots), \qquad (1)$$

$$H(t) = \int_0^t h(x)\, dx,$$

Distribution: exponential, 2-Erlang, hyperexponential, truncated logistic, Pareto, Weibull, n-Erlang, log-logistic, log-normal, phase-type

(3)

3.

3.1
Safety Integrity: the probability of an SRS satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.
SIL: a discrete level for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE SRSs, where SIL 4 has the highest level of safety integrity and SIL 1 has the lowest.
As a note, the target failure measures for the four safety integrity levels are specified in Table 2 (see IEC 61508-1). Further, the target failure measure is defined as the intended probability of dangerous mode failures to be achieved in respect of the safety integrity requirements, and it is specified from the viewpoint of one of the following two modes of operation defined by IEC 61508-4:
low demand mode: where the frequency of demands for operation made on an SRS is no greater than one per year and no greater than twice the proof-test frequency.
high demand or continuous mode: where the frequency of demands for operation made on an SRS is greater than one per year or greater than twice the proof-test frequency.
Table 2: SILs: target failure measures for a safety function, allocated to an E/E/PE SRS.

    SIL   low demand mode of operation            high demand or continuous mode of operation
          (average probability of failure to      (probability of a dangerous failure per hour)
          perform its design function on demand)
     4    10^-5 to < 10^-4                        10^-9 to < 10^-8
     3    10^-4 to < 10^-3                        10^-8 to < 10^-7
     2    10^-3 to < 10^-2                        10^-7 to < 10^-6
     1    10^-2 to < 10^-1                        10^-6 to < 10^-5

That is, the target failure measure, i.e. the SIL for the high demand and continuous mode of operation, can be considered as the dangerous failure rate or dangerous failure intensity of the SRS. These values are almost equivalent, given that the time to repair is negligible compared with the mean time to failure. Consequently, we can express the SIL by the following equation:

$$\text{SIL failure rate} = \frac{1}{\text{Mean Time Between Failure}}. \qquad (4)$$

3.2

$$\text{DFR} = \frac{\text{NDF}}{\text{TNF}}.$$

$$\text{DFR} = \frac{\text{UCF}}{\text{TNF} + \text{UCF}}, \qquad (5)$$

where an unclear failure is counted to each of the dangerous and safe failures.
Ex.: DFR is 0.0099, where TNF is 100 and UCF is 1 of them.

$$\text{DFR} = \frac{\text{NDF} + \text{UCF}}{\text{TNF} + \text{UCF}}. \qquad (6)$$

3.3 Calculation Method

$$\text{Cumulative MTBF} = \frac{t}{H(t)}.$$

Consequently, we can obtain the dangerous failure rate by multiplying the failure rate derived via Eq. (4) from the Instantaneous MTBF or the Cumulative MTBF obtained as the analysis result by the calculated DFR. Then, we can judge the calculation result to be the software SIL of the tested software at the analysis time.
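The following Python is an added worked example, not code from the paper: it carries the calculation method of Section 3.3 through in working code, using the exponential-type NHPP mean value function (the Goel-Okumoto model, the "exponential" entry of Table 1) for H(t), the Cumulative MTBF t/H(t), the DFR of Eq. (6) (of which the page's other two DFR expressions are the UCF = 0 and NDF = 0 cases), the failure rate of Eq. (4), and the high demand bands of Table 2; it also reproduces the Section 3.4 example (500 fault-free days, DFR 0.0099, SIL 2). The model parameters a and b, the testing time t and the failure counts are constructed values, and Instantaneous MTBF = 1/h(t) is an assumed definition, since the page only names it.

```python
import math

# Table 2, high demand or continuous mode of operation: (SIL, lower bound
# inclusive, upper bound exclusive), probability of a dangerous failure per hour.
SIL_HIGH_DEMAND = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

def exponential_mvf(t, a, b):
    """Mean value function H(t) = a(1 - e^{-bt}) of the exponential-type NHPP
    SRGM (Goel-Okumoto): a = expected total faults, b = fault-detection rate."""
    return a * (1.0 - math.exp(-b * t))

def exponential_intensity(t, a, b):
    """Intensity h(t) = dH(t)/dt = a b e^{-bt} of the same model."""
    return a * b * math.exp(-b * t)

def cumulative_mtbf(t, a, b):
    """Cumulative MTBF = t / H(t), as defined in Section 3.3."""
    return t / exponential_mvf(t, a, b)

def instantaneous_mtbf(t, a, b):
    """Instantaneous MTBF = 1 / h(t) (assumed definition; the page only names it)."""
    return 1.0 / exponential_intensity(t, a, b)

def dangerous_failure_ratio(tnf, ndf, ucf=0):
    """DFR = (NDF + UCF) / (TNF + UCF), Eq. (6): an unclear failure (UCF) is
    counted both as a dangerous failure and as an additional failure."""
    if min(tnf, ndf, ucf) < 0 or ndf > tnf or tnf + ucf == 0:
        raise ValueError("need 0 <= NDF <= TNF, UCF >= 0 and TNF + UCF > 0")
    return (ndf + ucf) / (tnf + ucf)

def dangerous_failure_rate_per_hour(mtbf_days, dfr):
    """Dangerous failure rate = (1 / MTBF) * DFR (Eq. (4)); MTBF in days -> per hour."""
    return dfr / (mtbf_days * 24.0)

def software_sil(rate_per_hour):
    """Map a dangerous failure rate to the high demand SIL of Table 2;
    None when the rate lies outside the SIL 1..4 bands."""
    for sil, lo, hi in SIL_HIGH_DEMAND:
        if lo <= rate_per_hour < hi:
            return sil
    return None

if __name__ == "__main__":
    # Constructed SRGM data: a = 120 faults, b = 0.15 per day, assessed at t = 30 days.
    mtbf = instantaneous_mtbf(30.0, 120.0, 0.15)          # about 5.0 days
    dfr = dangerous_failure_ratio(tnf=100, ndf=0, ucf=1)  # 1/101, about 0.0099
    print("testing-phase SIL:", software_sil(dangerous_failure_rate_per_hour(mtbf, dfr)))  # None: above SIL 1 band
    # Section 3.4 example: 500 fault-free days and DFR 0.0099 -> 8.25e-7 per hour -> SIL 2
    print("paper example SIL:", software_sil(dangerous_failure_rate_per_hour(500.0, 0.0099)))
```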
[Figure: two plots against Testing-Time (days), 0 to 30, with a vertical axis from 0 to 500; labels: "Analysis result based on ...", "Reflect analysis results to testing-policy".]
3.4 Numerical Examples
where the tested software can operate without a fault occurring for 500 days after several days of testing, and the DFR is 0.0099 from the contents of the detected faults. Consequently, we can see that this calculation result shows software SIL-2 from Table 2.

4. CONCLUSIONS

5. ACKNOWLEDGMENTS
The authors wish to thank Prof. Mitsuhiro Kimura, Faculty of Science and Engineering, Hosei University, for helpful suggestions and generous support.

6. REFERENCES