SlideShare a Scribd company logo

Dependablity Engineering 1 (CS 5032 2012)

Download as PPTX, PDF
Ian Sommerville
Ian Sommerville
TechnologyBusiness
1 of 24
Dependability engineering Lecture 1 Dependability engineering, CSE, 2012 Slide 1
Software dependability • Software customers expect all software to be dependable. However, for non-critical applications, they may be willing to accept some system failures. • Some critical systems have very high dependability requirements and special software engineering techniques may be used to achieve this. – Medical systems – Telecommunications and power systems Dependability engineering, CSE, 2012 – Aerospace systems Slide 2
Dependability achievement • Fault avoidance – The system is developed in such a way that human error is avoided and thus system faults are minimised. – The development process is organised so that faults in the system are detected and repaired before delivery to the customer. • Fault detection – Verification and validation techniques are used to discover and remove faults in a system before it is deployed. • Fault tolerance – The system is designed so that faults in the delivered software do not result in system failure. Dependability engineering, CSE, 2012 Slide 3
Regulated systems • Many critical systems are regulated systems, which means that their use must be approved by an external regulator before the systems go into service. – Nuclear systems – Air traffic control systems – Medical devices • A safety and dependability case has to be approved by the regulator. Therefore, critical systems development has to create the evidence to convince a regulator that the system is dependable, safe and secure. Dependability engineering, CSE, 2012 Slide 4
The increasing costs of residual fault removal Dependability engineering, CSE, 2012 Slide 5
Diversity and redundancy • Redundancy – Keep more than 1 version of a critical component available so that if one fails then a backup is available. • Diversity – Provide the same functionality in different ways so that they will not fail in the same way. • However, diversity adds complexity – more chance of errors. • Some engineers advocate simplicity and extensive V & V Dependability engineering, CSE, 2012 rather then redundancy. Slide 6
Diversity and redundancy examples • Redundancy. Where availability is critical (e.g. in e-commerce systems), companies normally keep backup servers and switch to these automatically if failure occurs. • Diversity. To provide resilience against external attacks, different servers may be implemented using different operating systems (e.g. Windows and Linux) Dependability engineering, CSE, 2012 Slide 7
Dependable processes • To ensure a minimal number of software faults, it is important to have a well-defined, repeatable software process. • A well-defined repeatable process is one that does not depend entirely on individual skills; rather can be enacted by different people. • Regulators use information about the process to check if good software engineering practice has been used. • For fault detection, it is clear that the process activities should include significant effort devoted to Dependability engineering, CSE, 2012 and validation. verification Slide 8
Attributes of dependable processes Process characteristic Description Documentable The process should have a defined process model that sets out the activities in the process and the documentation that is to be produced during these activities. Standardized A comprehensive set of software development standards covering software production and documentation should be available. Auditable The process should be understandable by people apart from process participants, who can check that process standards are being followed and make suggestions for process improvement. Diverse The process should include redundant and diverse verification and validation activities. Robust The process should be able to recover from failures of individual process activities. Dependability engineering, CSE, 2012 Slide 9
Process diversity and redundancy • Process activities, such as validation, should not depend on a single approach, such as testing, to validate the system • Rather, multiple different process activities the complement each other and allow for cross-checking help to avoid process errors, which may lead to errors in the software Reviews Automated analysis Testing Dependability engineering, CSE, 2012 Slide 10
Validation activities • Requirements reviews. Reviews • Requirements management.Reviews Automated analysis • Formal specification. Automated analysis • System modeling Automated analysis • Design and code inspection.Reviews • Static analysis. Automated analysis • Test planning and management.Testing Dependability engineering, CSE, 2012 Slide 11
System fault tolerance • Fault tolerance means that the system can continue in operation in spite of software fault i.e. the fault does not lead to a failure • Fault tolerance is required where there are high availability requirements, no ‘fail safe’ state or where system failure costs are very high. • Even if the system has been proved to conform to its specification, it must also be fault tolerant as there may be specification errors or the validation may be incorrect. Dependability engineering, CSE, 2012 Slide 12
Dependable system architectures • Dependable systems architectures are used in situations where fault tolerance is essential. These architectures are generally all based on redundancy and diversity. • Examples of situations where dependable architectures are used: – Flight control systems, where system failure could threaten the safety of passengers – Reactor systems where failure of a control system could lead to a chemical or nuclear emergency – Telecommunication systems, where there is a need for 24/7 availability. Dependability engineering, CSE, 2012 Slide 13
Protection systems • A specialized system that is associated with some other control system, which can take emergency action if a failure occurs. – System to stop a train if it passes a red light – System to shut down a reactor if temperature/pressure are too high • Protection systems independently monitor the controlled system and the environment. • If a problem is detected, it issues commands to take emergency action to shut down the system and avoid a catastrophe. Dependability engineering, CSE, 2012 Slide 14
Sizewell B reactor • Software controlled protection system in Sizewell B reactor • Go-live in 1993 • Software protection system has been claimed to have a 1/10000 PFD Dependability engineering, CSE, 2012 Slide 15
Protection system architecture Dependability engineering, CSE, 2012 Slide 16
Protection system functionality • Protection systems are redundant because they include monitoring and control capabilities that replicate those in the control software. • Protection systems should be diverse and use different technology from the control software. • They are simpler than the control system so more effort can be expended in validation and dependability assurance. • Aim is to ensure that there is a low probability of failure on demand for the protection system. Dependability engineering, CSE, 2012 Slide 17
Self-monitoring architectures • Multi-channel architectures where the system monitors its own operations and takes action if inconsistencies are detected. • The same computation is carried out on each channel and the results are compared. If the results are identical and are produced at the same time, then it is assumed that the system is operating correctly. • If the results are different, then a failure is assumed and a failure exception is raised. Dependability engineering, CSE, 2012 Slide 18
Self-monitoring architecture Dependability engineering, CSE, 2012 Slide 19
Self-monitoring systems • Hardware in each channel has to be diverse so that common mode hardware failure will not lead to each channel producing the same results. • Software in each channel must also be diverse, otherwise the same software error would affect each channel. • If high-availability is required, you may use several self-checking systems in parallel. – This is the approach used in the Airbus family of aircraft for their flight control systems. Dependability engineering, CSE, 2012 Slide 20
Airbus 340 • Airbus were the first commercial aircraft manufacturer to use ‘fly by wire’ flight control systems • Fly by wire systems are lighter (saving fuel), can be more fuel efficient and can detect and prevent pilot actions that are potentially dangerous. Dependability engineering, CSE, 2012 Slide 21
Airbus flight control system architecture Dependability engineering, CSE, 2012 Slide 22
Airbus architecture discussion • The Airbus FCS has 5 separate computers, any one of which can run the control software. • Extensive use has been made of diversity – Primary and secondary systems use different processors. – Primary and secondary systems use chipsets from different manufacturers. – Software in secondary systems is less complex than in primary system – provides only critical functionality. – Software in each channel is developed in different programming languages by different teams. – Different programming languages used in primary and secondary systems. Dependability engineering, CSE, 2012 Slide 23
Key points • Dependability in a program can be achieved by avoiding the introduction of faults, by detecting and removing faults before system deployment, and by including fault tolerance facilities. • The use of redundancy and diversity in hardware, software processes and software systems is essential for the development of dependable systems. • The use of a well-defined, repeatable process is essential if faults in a system are to be minimized. • Dependable system architectures are system architectures that are designed for fault tolerance. Architectural styles that support fault tolerance include protection systems, self-monitoring architectures and N-version programming. Dependability engineering, CSE, 2012 Slide 24

Recommended

CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013Ian Sommerville
 
CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013Ian Sommerville
 
Wind River For Medical
Wind River For MedicalWind River For Medical
Wind River For Medicalsheilamia
 
CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013Ian Sommerville
 
Lee Technologies Corporate Brochure
Lee Technologies Corporate BrochureLee Technologies Corporate Brochure
Lee Technologies Corporate Brochurecwoodson
 
Verrex portfolio 2012
Verrex portfolio 2012Verrex portfolio 2012
Verrex portfolio 2012Michelle Scheller
 
Intro softwareeng
Intro softwareengIntro softwareeng
Intro softwareengPINKU29
 
Sa 007 availability
Sa 007 availabilitySa 007 availability
Sa 007 availabilityFrank Gielen
 

Recommended

CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013Ian Sommerville
 
CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013Ian Sommerville
 
Wind River For Medical
Wind River For MedicalWind River For Medical
Wind River For Medicalsheilamia
 
CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013Ian Sommerville
 
Lee Technologies Corporate Brochure
Lee Technologies Corporate BrochureLee Technologies Corporate Brochure
Lee Technologies Corporate Brochurecwoodson
 
Verrex portfolio 2012
Verrex portfolio 2012Verrex portfolio 2012
Verrex portfolio 2012Michelle Scheller
 
Intro softwareeng
Intro softwareengIntro softwareeng
Intro softwareengPINKU29
 
Sa 007 availability
Sa 007 availabilitySa 007 availability
Sa 007 availabilityFrank Gielen
 
Poole.eric
Poole.ericPoole.eric
Poole.ericNASAPMC
 
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...Visure Solutions
 
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIIEmbedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIINi
 
OpSource Application Operations
OpSource Application OperationsOpSource Application Operations
OpSource Application OperationsOpSource
 
Ppg Capabilities 2010
Ppg Capabilities 2010Ppg Capabilities 2010
Ppg Capabilities 2010JimShinkle
 
Jim.free
Jim.freeJim.free
Jim.freeNASAPMC
 
Soa test methodology
Soa test methodologySoa test methodology
Soa test methodologyInfosys
 
Odum.t.averbeck.r
Odum.t.averbeck.rOdum.t.averbeck.r
Odum.t.averbeck.rNASAPMC
 
Environmental stress screening
Environmental stress screeningEnvironmental stress screening
Environmental stress screeningHilaire (Ananda) Perera P.Eng.
 
Software Architecture Second Lecture
Software Architecture Second LectureSoftware Architecture Second Lecture
Software Architecture Second LectureSadhana Ghalsasi
 
Software Evolution
Software EvolutionSoftware Evolution
Software EvolutionMuhammad Asim
 
Emerson Migration Services
Emerson Migration ServicesEmerson Migration Services
Emerson Migration ServicesSumeet Goel
 
JBoss Health Check
JBoss Health CheckJBoss Health Check
JBoss Health CheckC2B2 Consulting
 
Software Lifecycle
Software LifecycleSoftware Lifecycle
Software LifecycleSoumen Sarkar
 
Exp eng brochure
Exp eng brochureExp eng brochure
Exp eng brochurekkathrynlee
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9Ian Sommerville
 
Galorath.dan
Galorath.danGalorath.dan
Galorath.danNASAPMC
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsEliane Collins
 
ClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.BeaulieuClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.BeaulieumHealth Initiative
 
Ch10 dependable systems
Ch10 dependable systemsCh10 dependable systems
Ch10 dependable systemssoftware-engineering-book
 
Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Ian Sommerville
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 

More Related Content

What's hot

Poole.eric
Poole.ericPoole.eric
Poole.ericNASAPMC
 
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...Visure Solutions
 
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIIEmbedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIINi
 
OpSource Application Operations
OpSource Application OperationsOpSource Application Operations
OpSource Application OperationsOpSource
 
Ppg Capabilities 2010
Ppg Capabilities 2010Ppg Capabilities 2010
Ppg Capabilities 2010JimShinkle
 
Jim.free
Jim.freeJim.free
Jim.freeNASAPMC
 
Soa test methodology
Soa test methodologySoa test methodology
Soa test methodologyInfosys
 
Odum.t.averbeck.r
Odum.t.averbeck.rOdum.t.averbeck.r
Odum.t.averbeck.rNASAPMC
 
Software Architecture Second Lecture
Software Architecture Second LectureSoftware Architecture Second Lecture
Software Architecture Second LectureSadhana Ghalsasi
 
Emerson Migration Services
Emerson Migration ServicesEmerson Migration Services
Emerson Migration ServicesSumeet Goel
 
Exp eng brochure
Exp eng brochureExp eng brochure
Exp eng brochurekkathrynlee
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9Ian Sommerville
 
Galorath.dan
Galorath.danGalorath.dan
Galorath.danNASAPMC
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsEliane Collins
 
ClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.BeaulieuClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.BeaulieumHealth Initiative
 

What's hot (20)

Poole.eric
Poole.ericPoole.eric
Poole.eric
 
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
Visure Requirements for Product and Embedded Devolpment - Visure Solutions - ...
 
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIIEmbedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
 
OpSource Application Operations
OpSource Application OperationsOpSource Application Operations
OpSource Application Operations
 
Ppg Capabilities 2010
Ppg Capabilities 2010Ppg Capabilities 2010
Ppg Capabilities 2010
 
Jim.free
Jim.freeJim.free
Jim.free
 
Soa test methodology
Soa test methodologySoa test methodology
Soa test methodology
 
Odum.t.averbeck.r
Odum.t.averbeck.rOdum.t.averbeck.r
Odum.t.averbeck.r
 
Environmental stress screening
Environmental stress screeningEnvironmental stress screening
Environmental stress screening
 
Software Architecture Second Lecture
Software Architecture Second LectureSoftware Architecture Second Lecture
Software Architecture Second Lecture
 
Software Evolution
Software EvolutionSoftware Evolution
Software Evolution
 
Emerson Migration Services
Emerson Migration ServicesEmerson Migration Services
Emerson Migration Services
 
JBoss Health Check
JBoss Health CheckJBoss Health Check
JBoss Health Check
 
Software Lifecycle
Software LifecycleSoftware Lifecycle
Software Lifecycle
 
Exp eng brochure
Exp eng brochureExp eng brochure
Exp eng brochure
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9
 
Galorath.dan
Galorath.danGalorath.dan
Galorath.dan
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
 
ClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.BeaulieuClinicalGradeMobileHealth mHIseminar.Beaulieu
ClinicalGradeMobileHealth mHIseminar.Beaulieu
 
Ch10 dependable systems
Ch10 dependable systemsCh10 dependable systems
Ch10 dependable systems
 

Similar to Dependablity Engineering 1 (CS 5032 2012)

Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Ian Sommerville
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
Quality attributes in software architecture
Quality attributes in software architectureQuality attributes in software architecture
Quality attributes in software architectureGang Tao
 
Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Ian Sommerville
 
Презентация
ПрезентацияПрезентация
Презентацияguest22d71d
 
DevOps for Mainframe for IBM Pulse Conference
DevOps for Mainframe for IBM Pulse ConferenceDevOps for Mainframe for IBM Pulse Conference
DevOps for Mainframe for IBM Pulse ConferenceRosalind Radcliffe
 
Whose View is it Anyway: Addressing Multiple Stakeholder Concerns
Whose View is it Anyway: Addressing Multiple Stakeholder ConcernsWhose View is it Anyway: Addressing Multiple Stakeholder Concerns
Whose View is it Anyway: Addressing Multiple Stakeholder Concernssferoz
 
Michael.bay
Michael.bayMichael.bay
Michael.bayNASAPMC
 
Software evaluation competency, criteria, quality
Software evaluation competency, criteria, qualitySoftware evaluation competency, criteria, quality
Software evaluation competency, criteria, qualityvasishta bhargava
 
Software Evolution_Se lect3 btech
Software Evolution_Se lect3 btechSoftware Evolution_Se lect3 btech
Software Evolution_Se lect3 btechIIITA
 
Software Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And WisdmSoftware Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And Wisdmguestc990b6
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality AssuranceSanthiya Grace
 
Ncerc rlmca202 adm m4 ssm
Ncerc rlmca202 adm m4 ssmNcerc rlmca202 adm m4 ssm
Ncerc rlmca202 adm m4 ssmssmarar
 
How to bake in quality in agile scrum projects
How to bake in quality in agile scrum projectsHow to bake in quality in agile scrum projects
How to bake in quality in agile scrum projectsSantanu Bhattacharya
 
Testing Practices for Continuous Delivery - Ken McCormack
Testing Practices for Continuous Delivery - Ken McCormackTesting Practices for Continuous Delivery - Ken McCormack
Testing Practices for Continuous Delivery - Ken McCormackkennymccormack
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process ModelsAhmed Alageed
 

Similar to Dependablity Engineering 1 (CS 5032 2012) (20)

Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013
 
Quality attributes in software architecture
Quality attributes in software architectureQuality attributes in software architecture
Quality attributes in software architecture
 
Sqa material
Sqa materialSqa material
Sqa material
 
Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)
 
Презентация
ПрезентацияПрезентация
Презентация
 
DevOps for Mainframe for IBM Pulse Conference
DevOps for Mainframe for IBM Pulse ConferenceDevOps for Mainframe for IBM Pulse Conference
DevOps for Mainframe for IBM Pulse Conference
 
Whose View is it Anyway: Addressing Multiple Stakeholder Concerns
Whose View is it Anyway: Addressing Multiple Stakeholder ConcernsWhose View is it Anyway: Addressing Multiple Stakeholder Concerns
Whose View is it Anyway: Addressing Multiple Stakeholder Concerns
 
Michael.bay
Michael.bayMichael.bay
Michael.bay
 
Software evaluation competency, criteria, quality
Software evaluation competency, criteria, qualitySoftware evaluation competency, criteria, quality
Software evaluation competency, criteria, quality
 
Software Evolution_Se lect3 btech
Software Evolution_Se lect3 btechSoftware Evolution_Se lect3 btech
Software Evolution_Se lect3 btech
 
Software Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And WisdmSoftware Engineering The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And Wisdm
 
1 introduction
1 introduction1 introduction
1 introduction
 
1 introduction (1)
1 introduction (1)1 introduction (1)
1 introduction (1)
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
Ncerc rlmca202 adm m4 ssm
Ncerc rlmca202 adm m4 ssmNcerc rlmca202 adm m4 ssm
Ncerc rlmca202 adm m4 ssm
 
How to bake in quality in agile scrum projects
How to bake in quality in agile scrum projectsHow to bake in quality in agile scrum projects
How to bake in quality in agile scrum projects
 
Testing Practices for Continuous Delivery - Ken McCormack
Testing Practices for Continuous Delivery - Ken McCormackTesting Practices for Continuous Delivery - Ken McCormack
Testing Practices for Continuous Delivery - Ken McCormack
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process Models
 
Ch13.pptx
Ch13.pptxCh13.pptx
Ch13.pptx
 

More from Ian Sommerville

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale SystemsIan Sommerville
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITSIan Sommerville
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems designIan Sommerville
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITSIan Sommerville
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITSIan Sommerville
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-studyIan Sommerville
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million usersIan Sommerville
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureIan Sommerville
 
CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterIan Sommerville
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureIan Sommerville
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachIan Sommerville
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsIan Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 

More from Ian Sommerville (20)

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale Systems
 
Resp modellingintro
Resp modellingintroResp modellingintro
Resp modellingintro
 
Resilience and recovery
Resilience and recoveryResilience and recovery
Resilience and recovery
 
LSCITS-engineering
LSCITS-engineeringLSCITS-engineering
LSCITS-engineering
 
Requirements reality
Requirements realityRequirements reality
Requirements reality
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITS
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems design
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITS
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITS
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-study
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million users
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failure
 
CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disaster
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructure
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breach
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systems
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013
 

Recently uploaded

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Dependablity Engineering 1 (CS 5032 2012)

  • 1. Dependability engineering Lecture 1 Dependability engineering, CSE, 2012 Slide 1
  • 2. Software dependability • Software customers expect all software to be dependable. However, for non-critical applications, they may be willing to accept some system failures. • Some critical systems have very high dependability requirements and special software engineering techniques may be used to achieve this. – Medical systems – Telecommunications and power systems Dependability engineering, CSE, 2012 – Aerospace systems Slide 2
  • 3. Dependability achievement • Fault avoidance – The system is developed in such a way that human error is avoided and thus system faults are minimised. – The development process is organised so that faults in the system are detected and repaired before delivery to the customer. • Fault detection – Verification and validation techniques are used to discover and remove faults in a system before it is deployed. • Fault tolerance – The system is designed so that faults in the delivered software do not result in system failure. Dependability engineering, CSE, 2012 Slide 3
  • 4. Regulated systems • Many critical systems are regulated systems, which means that their use must be approved by an external regulator before the systems go into service. – Nuclear systems – Air traffic control systems – Medical devices • A safety and dependability case has to be approved by the regulator. Therefore, critical systems development has to create the evidence to convince a regulator that the system is dependable, safe and secure. Dependability engineering, CSE, 2012 Slide 4
  • 5. The increasing costs of residual fault removal Dependability engineering, CSE, 2012 Slide 5
  • 6. Diversity and redundancy • Redundancy – Keep more than 1 version of a critical component available so that if one fails then a backup is available. • Diversity – Provide the same functionality in different ways so that they will not fail in the same way. • However, diversity adds complexity – more chance of errors. • Some engineers advocate simplicity and extensive V & V Dependability engineering, CSE, 2012 rather then redundancy. Slide 6
  • 7. Diversity and redundancy examples • Redundancy. Where availability is critical (e.g. in e-commerce systems), companies normally keep backup servers and switch to these automatically if failure occurs. • Diversity. To provide resilience against external attacks, different servers may be implemented using different operating systems (e.g. Windows and Linux) Dependability engineering, CSE, 2012 Slide 7
  • 8. Dependable processes • To ensure a minimal number of software faults, it is important to have a well-defined, repeatable software process. • A well-defined repeatable process is one that does not depend entirely on individual skills; rather can be enacted by different people. • Regulators use information about the process to check if good software engineering practice has been used. • For fault detection, it is clear that the process activities should include significant effort devoted to Dependability engineering, CSE, 2012 and validation. verification Slide 8
  • 9. Attributes of dependable processes Process characteristic Description Documentable The process should have a defined process model that sets out the activities in the process and the documentation that is to be produced during these activities. Standardized A comprehensive set of software development standards covering software production and documentation should be available. Auditable The process should be understandable by people apart from process participants, who can check that process standards are being followed and make suggestions for process improvement. Diverse The process should include redundant and diverse verification and validation activities. Robust The process should be able to recover from failures of individual process activities. Dependability engineering, CSE, 2012 Slide 9
  • 10. Process diversity and redundancy • Process activities, such as validation, should not depend on a single approach, such as testing, to validate the system • Rather, multiple different process activities the complement each other and allow for cross-checking help to avoid process errors, which may lead to errors in the software Reviews Automated analysis Testing Dependability engineering, CSE, 2012 Slide 10
  • 11. Validation activities • Requirements reviews. Reviews • Requirements management.Reviews Automated analysis • Formal specification. Automated analysis • System modeling Automated analysis • Design and code inspection.Reviews • Static analysis. Automated analysis • Test planning and management.Testing Dependability engineering, CSE, 2012 Slide 11
  • 12. System fault tolerance • Fault tolerance means that the system can continue in operation in spite of software fault i.e. the fault does not lead to a failure • Fault tolerance is required where there are high availability requirements, no ‘fail safe’ state or where system failure costs are very high. • Even if the system has been proved to conform to its specification, it must also be fault tolerant as there may be specification errors or the validation may be incorrect. Dependability engineering, CSE, 2012 Slide 12
  • 13. Dependable system architectures • Dependable systems architectures are used in situations where fault tolerance is essential. These architectures are generally all based on redundancy and diversity. • Examples of situations where dependable architectures are used: – Flight control systems, where system failure could threaten the safety of passengers – Reactor systems where failure of a control system could lead to a chemical or nuclear emergency – Telecommunication systems, where there is a need for 24/7 availability. Dependability engineering, CSE, 2012 Slide 13
  • 14. Protection systems • A specialized system that is associated with some other control system, which can take emergency action if a failure occurs. – System to stop a train if it passes a red light – System to shut down a reactor if temperature/pressure are too high • Protection systems independently monitor the controlled system and the environment. • If a problem is detected, it issues commands to take emergency action to shut down the system and avoid a catastrophe. Dependability engineering, CSE, 2012 Slide 14
  • 15. Sizewell B reactor • Software controlled protection system in Sizewell B reactor • Go-live in 1993 • Software protection system has been claimed to have a 1/10000 PFD Dependability engineering, CSE, 2012 Slide 15
  • 16. Protection system architecture Dependability engineering, CSE, 2012 Slide 16
  • 17. Protection system functionality • Protection systems are redundant because they include monitoring and control capabilities that replicate those in the control software. • Protection systems should be diverse and use different technology from the control software. • They are simpler than the control system so more effort can be expended in validation and dependability assurance. • Aim is to ensure that there is a low probability of failure on demand for the protection system. Dependability engineering, CSE, 2012 Slide 17
  • 18. Self-monitoring architectures • Multi-channel architectures where the system monitors its own operations and takes action if inconsistencies are detected. • The same computation is carried out on each channel and the results are compared. If the results are identical and are produced at the same time, then it is assumed that the system is operating correctly. • If the results are different, then a failure is assumed and a failure exception is raised. Dependability engineering, CSE, 2012 Slide 18
  • 20. Self-monitoring systems • Hardware in each channel has to be diverse so that common mode hardware failure will not lead to each channel producing the same results. • Software in each channel must also be diverse, otherwise the same software error would affect each channel. • If high-availability is required, you may use several self-checking systems in parallel. – This is the approach used in the Airbus family of aircraft for their flight control systems. Dependability engineering, CSE, 2012 Slide 20
  • 21. Airbus 340 • Airbus were the first commercial aircraft manufacturer to use ‘fly by wire’ flight control systems • Fly by wire systems are lighter (saving fuel), can be more fuel efficient and can detect and prevent pilot actions that are potentially dangerous. Dependability engineering, CSE, 2012 Slide 21
  • 22. Airbus flight control system architecture Dependability engineering, CSE, 2012 Slide 22
  • 23. Airbus architecture discussion • The Airbus FCS has 5 separate computers, any one of which can run the control software. • Extensive use has been made of diversity – Primary and secondary systems use different processors. – Primary and secondary systems use chipsets from different manufacturers. – Software in secondary systems is less complex than in primary system – provides only critical functionality. – Software in each channel is developed in different programming languages by different teams. – Different programming languages used in primary and secondary systems. Dependability engineering, CSE, 2012 Slide 23
  • 24. Key points • Dependability in a program can be achieved by avoiding the introduction of faults, by detecting and removing faults before system deployment, and by including fault tolerance facilities. • The use of redundancy and diversity in hardware, software processes and software systems is essential for the development of dependable systems. • The use of a well-defined, repeatable process is essential if faults in a system are to be minimized. • Dependable system architectures are system architectures that are designed for fault tolerance. Architectural styles that support fault tolerance include protection systems, self-monitoring architectures and N-version programming. Dependability engineering, CSE, 2012 Slide 24