Key Concepts of Dependable Systems

Chapter 1 discusses the importance of dependability in computer-based systems, highlighting key properties such as reliability, availability, safety, security, and resilience. It emphasizes the need for redundancy and diversity in system design to mitigate failures and ensure dependable processes through well-defined methodologies. The chapter also addresses the costs associated with achieving higher levels of dependability and the challenges of integrating agile methodologies in dependable systems engineering.

Uploaded by Boshra Ismail

Chapter 1 – Dependable systems

11/21/2024 Chapter 1 Dependable Systems 1


Topics covered

• Dependability properties
• Sociotechnical systems
• Redundancy and diversity
• Dependable processes
• Formal methods and dependability


System dependability

• For many computer-based systems, the most important system property is the dependability of the system.
• The dependability of a system reflects the user’s degree of trust in that system. It reflects the extent of the user’s confidence that it will operate as users expect and that it will not ‘fail’ in normal use.
• Dependability covers the related system attributes of reliability, availability and security. These are all interdependent.


Importance of dependability

• System failures may have widespread effects, with large numbers of people affected by the failure.
• Systems that are not dependable and are unreliable, unsafe or insecure may be rejected by their users.
• The costs of system failure may be very high if the failure leads to economic losses or physical damage.
• Undependable systems may cause information loss with a high consequent recovery cost.


Causes of failure

• Hardware failure
  ◦ Hardware fails because of design and manufacturing errors or because components have reached the end of their natural life.
• Software failure
  ◦ Software fails due to errors in its specification, design or implementation.
• Operational failure
  ◦ Human operators make mistakes. This is now perhaps the largest single cause of system failures in socio-technical systems.


Dependability properties



The principal dependability properties



Principal properties

• Availability
  ◦ The probability that the system will be up and running and able to deliver useful services to users.
• Reliability
  ◦ The probability that the system will correctly deliver services as expected by users.
• Safety
  ◦ A judgment of how likely it is that the system will cause damage to people or its environment.


Principal properties

• Security
  ◦ A judgment of how likely it is that the system can resist accidental or deliberate intrusions.
• Resilience
  ◦ A judgment of how well a system can maintain the continuity of its critical services in the presence of disruptive events such as equipment failure and cyberattacks.


Other dependability properties

• Repairability
  ◦ Reflects the extent to which the system can be repaired in the event of a failure.
• Maintainability
  ◦ Reflects the extent to which the system can be adapted to new requirements.
• Error tolerance
  ◦ Reflects the extent to which user input errors can be avoided and tolerated.


Dependability attribute dependencies

• Safe system operation depends on the system being available and operating reliably.
• A system may be unreliable because its data has been corrupted by an external attack.
• Denial of service attacks on a system are intended to make it unavailable.
• If a system is infected with a virus, you cannot be confident in its reliability or safety.


Dependability achievement

• Avoid the introduction of accidental errors when developing the system.
• Design V & V processes that are effective in discovering residual errors in the system.
• Design systems to be fault tolerant so that they can continue in operation when faults occur.
• Design protection mechanisms that guard against external attacks.


Dependability achievement

• Configure the system correctly for its operating environment.
• Include system capabilities to recognise and resist cyberattacks.
• Include recovery mechanisms to help restore normal system service after a failure.


Dependability costs

• Dependability costs tend to increase exponentially as increasing levels of dependability are required.
• There are two reasons for this:
  ◦ The use of more expensive development techniques and hardware that are required to achieve the higher levels of dependability.
  ◦ The increased testing and system validation that is required to convince the system client and regulators that the required levels of dependability have been achieved.


Cost/dependability curve



Sociotechnical systems



Systems and software

• Software engineering is not an isolated activity but is part of a broader systems engineering process.
• Software systems are therefore not isolated systems but are essential components of broader systems that have a human, social or organizational purpose.
• Example
  ◦ The wilderness weather system is part of broader weather recording and forecasting systems.
  ◦ These include hardware and software, forecasting processes, system users, the organizations that depend on weather forecasts, etc.


The sociotechnical systems stack



Layers in the STS stack

• Equipment
  ◦ Hardware devices, some of which may be computers. Most devices will include an embedded system of some kind.
• Operating system
  ◦ Provides a set of common facilities for higher levels in the system.
• Communications and data management
  ◦ Middleware that provides access to remote systems and databases.
• Application systems
  ◦ Specific functionality to meet some organizational requirements.


Layers in the STS stack

• Business processes
  ◦ A set of processes involving people and computer systems that support the activities of the business.
• Organizations
  ◦ Higher level strategic business activities that affect the operation of the system.
• Society
  ◦ Laws, regulation and culture that affect the operation of the system.


Regulation and compliance

• The general model of economic organization that is now almost universal in the world is that privately owned companies offer goods and services and make a profit on these.
• To ensure the safety of their citizens, most governments regulate (limit the freedom of) privately owned companies so that they must follow certain standards to ensure that their products are safe and secure.


Regulated systems

• Many critical systems are regulated systems, which means that their use must be approved by an external regulator before the systems go into service.
  ◦ Nuclear systems
  ◦ Air traffic control systems
  ◦ Medical devices
• A safety and dependability case has to be approved by the regulator. Therefore, critical systems development has to create the evidence to convince a regulator that the system is dependable, safe and secure.


Redundancy and diversity



Redundancy and diversity

• Redundancy
  ◦ Keep more than a single version of critical components so that if one fails then a backup is available.
• Diversity
  ◦ Provide the same functionality in different ways in different components so that they will not fail in the same way.
• Redundant and diverse components should be independent so that they will not suffer from ‘common-mode’ failures.
  ◦ For example, implementing components in different programming languages means that a compiler fault will not affect all of them.


Diversity and redundancy examples

• Redundancy. Where availability is critical (e.g. in e-commerce systems), companies normally keep backup servers and switch to these automatically if failure occurs.
• Diversity. To provide resilience against external attacks, different servers may be implemented using different operating systems (e.g. Windows and Linux).
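The two ideas on the previous slide (redundancy and diversity, and the requirement that diverse components be independent to avoid common-mode failures) and the examples on this one can be made concrete in code. The following Python block is an added example, not part of the lecture slides: it shows automatic failover across identical replicas, and a majority voter over three different implementations of integer square root, one of which (the float-based version) is genuinely wrong for inputs larger than 53 bits. The replica functions, the voter and the fault are all constructed for the example; the float defect itself is a real property of converting a large integer to a 64-bit float.

```python
"""Redundancy vs. diversity (constructed example, not from the lecture slides):
identical replicas with automatic failover, and diverse implementations of one
function behind a majority voter that masks a single faulty version."""
import math
from collections import Counter
from typing import Callable, Sequence


class ServiceFailure(Exception):
    """Raised when no replica, or no majority of versions, can deliver a result."""


# --- Redundancy: the same component replicated, with automatic switch-over ---
def with_failover(replicas: Sequence[Callable[[str], str]], request: str) -> tuple:
    """Try each replica in order; return (response, index of the replica used).

    Models 'keep backup servers and switch to these automatically if failure
    occurs'. Note that if every replica shares the same fault, the same request
    fails on all of them, which is why redundancy alone is not enough."""
    last_error = None
    for index, replica in enumerate(replicas):
        try:
            return replica(request), index
        except Exception as exc:  # this replica is down or faulty: try the next
            last_error = exc
    raise ServiceFailure(f"all {len(replicas)} replicas failed; last error: {last_error!r}")


# --- Diversity: different implementations of one function, plus a voter ------
def majority_vote(versions: Sequence[Callable[[int], int]], n: int) -> int:
    """Run every version on the same input and accept a value only if a strict
    majority agree. A version that raises simply casts no vote."""
    outputs = []
    for version in versions:
        try:
            outputs.append(version(n))
        except Exception:
            pass
    if not outputs:
        raise ServiceFailure("no version produced an output")
    value, count = Counter(outputs).most_common(1)[0]
    if 2 * count <= len(versions):
        raise ServiceFailure(f"no majority among version outputs {outputs}")
    return value


# Three implementations of floor(sqrt(n)) for n >= 0, written independently.
def isqrt_search(n: int) -> int:
    """Binary search for the largest r with r*r <= n; exact for any size of n."""
    lo, hi = 0, n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def isqrt_newton(n: int) -> int:
    """Integer Newton iteration; exact for any size of n."""
    if n == 0:
        return 0
    x = n
    while True:
        y = (x + n // x) // 2
        if y >= x:
            return x
        x = y


def isqrt_float(n: int) -> int:
    """Goes through a 64-bit float, so it is wrong once n needs more than 53
    bits: 2**60 - 1 rounds up to 2**60 and the result is one too large."""
    return int(math.sqrt(n))


def isqrt_float_floor(n: int) -> int:
    """Looks different from isqrt_float but shares its float conversion, so the
    two fail together: a common-mode failure that the voter cannot mask."""
    return math.floor(math.sqrt(n))


# Constructed replicas: the primary is 'down' and raises; the backup answers.
def primary_server(request: str) -> str:
    raise ConnectionError("primary unreachable")


def backup_server(request: str) -> str:
    return f"{request}: served by backup"


if __name__ == "__main__":
    print(with_failover([primary_server, backup_server], "GET /order/42"))
    n = 2**60 - 1
    print(majority_vote([isqrt_search, isqrt_newton, isqrt_float], n))       # 1073741823 (correct)
    print(majority_vote([isqrt_float, isqrt_float_floor, isqrt_newton], n))  # 1073741824 (common mode)
```

With three independent versions the voter outvotes the faulty float version. With two versions that share the float conversion the majority itself is wrong, which is exactly the common-mode failure the slide warns about: the voter counts votes, it cannot tell that two of them came from the same mistake.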


Process diversity and redundancy

• Process activities, such as validation, should not depend on a single approach, such as testing, to validate the system.
• Redundant and diverse process activities are important, especially for verification and validation.
• Multiple, different process activities that complement each other and allow for cross-checking help to avoid process errors, which may lead to errors in the software.


Problems with redundancy and diversity

• Adding diversity and redundancy to a system increases the system complexity.
• This can increase the chances of error because of unanticipated interactions and dependencies between the redundant system components.
• Some engineers therefore advocate simplicity and extensive V & V as a more effective route to software dependability.
• The Airbus FCS (flight control system) architecture is redundant and diverse; the Boeing 777 FCS architecture has no software diversity.


Dependable processes



Dependable processes

• To ensure a minimal number of software faults, it is important to have a well-defined, repeatable software process.
• A well-defined, repeatable process is one that does not depend entirely on individual skills; rather, it can be enacted by different people.
• Regulators use information about the process to check if good software engineering practice has been used.
• For fault detection, it is clear that the process activities should include significant effort devoted to verification and validation.

Dependable process characteristics

• Explicitly defined
  ◦ A process that has a defined process model that is used to drive the software production process. Data must be collected during the process that proves that the development team has followed the process as defined in the process model.
• Repeatable
  ◦ A process that does not rely on individual interpretation and judgment. The process can be repeated across projects and with different team members, irrespective of who is involved in the development.


Attributes of dependable processes

Process characteristic: Description

Auditable: The process should be understandable by people apart from process participants, who can check that process standards are being followed and make suggestions for process improvement.

Diverse: The process should include redundant and diverse verification and validation activities.

Documentable: The process should have a defined process model that sets out the activities in the process and the documentation that is to be produced during these activities.

Robust: The process should be able to recover from failures of individual process activities.

Standardized: A comprehensive set of software development standards covering software production and documentation should be available.


Dependable process activities

• Requirements reviews to check that the requirements are, as far as possible, complete and consistent.
• Requirements management to ensure that changes to the requirements are controlled and that the impact of proposed requirements changes is understood.
• Formal specification, where a mathematical model of the software is created and analyzed.
• System modeling, where the software design is explicitly documented as a set of graphical models, and the links between the requirements and these models are documented.

Dependable process activities

• Design and program inspections, where the different descriptions of the system are inspected and checked by different people.
• Static analysis, where automated checks are carried out on the source code of the program.
• Test planning and management, where a comprehensive set of system tests is designed.
  ◦ The testing process has to be carefully managed to demonstrate that these tests provide coverage of the system requirements and have been correctly applied in the testing process.


Dependable processes and agility

• Dependable software often requires certification, so both process and product documentation have to be produced.
• Up-front requirements analysis is also essential to discover requirements and requirements conflicts that may compromise the safety and security of the system.
• These requirements conflict with the general approach in agile development of co-developing the requirements and the system and minimizing documentation.


Dependable processes and agility

• An agile process may be defined that incorporates techniques such as iterative development, test-first development and user involvement in the development team.
• So long as the team follows that process and documents their actions, agile methods can be used.
• However, additional documentation and planning are essential, so ‘pure agile’ is impractical for dependable systems engineering.