Quantitative evaluation of safety critical software testability based on fault tree analysis and entropy

https://doi.org/10.1016/j.jss.2003.10.028

Abstract

One definition of testability is the probability that tests will detect a fault, given that a fault exists in the program. This probability can be estimated from the probability that a fault in each statement leads to an output failure. In this paper, a testability measure for software is introduced based on the output failure probability and the entropy of the importance of the basic statements with respect to output failure, both obtained from software fault tree analysis. The suggested testability measure is applied to two modules of a safety system in a nuclear power plant. The proposed measure can be used to select output variables for testing or to identify modules that are more vulnerable to undetected faults.

Introduction

The software life cycle spans the functional requirements phase through the operation and maintenance phases, and testing is one of its major processes. Testing is performed on a unit, which may be a module within an assembled entity or a program composed of several modules implementing a specific function. Depending on the importance of the software, unit testing may be merged into program-level testing. There have been efforts to model software failure in order to derive test cases that can detect any fault contained in the program. Richardson et al. (1993) proposed the RELAY model of faults and failures, based on the propagation of an incorrect intermediate state from a faulty statement to the output. The model defines necessary and sufficient conditions for detecting certain classes of faults. In the RELAY model, a fault must pass through three distinct steps to appear as a failure: origination of the fault, computational transfer of the fault, and propagation of the resulting error to the output. Origination and computational transfer occur when the statement containing the fault evaluates incorrectly. Even if an error state is introduced, certain transfer conditions to the output must be met for the error state to result in a failure. By analyzing these conditions, test cases can be selected to guarantee fault detection for the chosen fault classes.

For safety critical software, the number of faults detected during testing is typically very small. If an error is detected, testing must be repeated to confirm that no new faults have been introduced by the modification. Littlewood and Wright (1997) derive the number of test cases that should be repeated after a fault is detected in safety critical software. Even when no fault has been detected, it may be necessary to verify the effectiveness of the testing. This effectiveness can be checked with fault injection testing, or justified with a testability measure showing that the module or software has high testability. A testability measure used to justify testing should demonstrate that the testing is effective in detecting a fault.

In the IEEE glossary of terminology, however, software testability is defined as the degree to which a system or component facilitates the establishment of test criteria and the performance of tests to determine whether those criteria have been met. In this definition, testability focuses on the ease of generating test sets and satisfying the criteria. There have been efforts to measure testability in this sense early in the design stage, based on the specification. Voas and Miller (1993) estimated software testability from the software input domain and output range: if the ratio of the domain to the range is large, testability is low; if the ratio is small, testability is high. The testability measure based on the domain-range ratio can be calculated from the program specification using a simple relationship, but it does not consider the detailed specification of the program. Freedman (1991) introduced a testability measure based on the observability and controllability of the software. Observability is defined as the ease of determining whether specified inputs affect the outputs, and controllability as the ease of producing a specified output from a specified input. Programs can be made more observable by introducing additional inputs that expose implicit states, and more controllable by restricting the range of outputs. The proposed testability is based on the observability and controllability of the program specification; it represents the testing effort required to modify a component into a domain-testable form, which is more testable with respect to observability and controllability. It is argued that a program that is more observable and controllable takes less time to build and test.

Voas and Miller (1995) define software testability as the probability that a piece of software will fail on its next execution during testing if the software contains a fault. They propose predicting software testability by sensitivity analysis, which seeds faults and observes their propagation into failures. The testability estimation is based on empirical sensitivity analysis consisting of three analyses: program execution analysis, infection analysis, and propagation analysis. Mutation testing is performed for the infection analysis, and random testing is performed to monitor propagation. As design heuristics for testability, they suggest three methods: specification decomposition to reduce error cancellation, minimizing variable reuse, and increasing out-parameters, i.e., output variables specified and implemented exclusively for testing. To make software more likely to reveal faults, Bertolino and Strigini (1996) argue for making programs more robust, increasing coverage by improving the oracle or the observability of the internal state, and choosing a test input distribution that increases the error infection probability. They caution that increasing testability by raising the failure probability is dangerous: the probability of detecting faults should be increased without increasing the failure probability. They recommend more refined testing tools and improved internal error detection capability.

The testability measures proposed so far have been based either on the program specification of input/output variables (Freedman, 1991; Voas and Miller, 1993) or on sensitivity analysis requiring program execution (Voas and Miller, 1995). Testability based on the program specification can be obtained simply from the inputs and outputs, but it does not reflect the internal complexity of the specification. Testability from sensitivity analysis is based on the program, but it additionally requires mutation analysis and random testing. In this paper, a program-based measure of testability is proposed that quantifies the ease of detecting a fault when the program contains one. The measure is obtained from fault tree analysis of the program: it is based on the output failure probability and the entropy of the importance of the statements leading to output failure in the software fault tree. It reflects the internal complexity of the program but does not require program execution. Where software safety analysis using the fault tree method is already required, the testability can be estimated directly from that analysis.
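Before the detailed development in the next section, a rough sketch may help fix ideas. The following Python fragment is an illustration only, not the paper's formulation: the fault tree, the equal statement fault probability p, and the choices of Birnbaum importance and Shannon entropy are assumptions made here for concreteness. It computes the output failure (top event) probability of a small fault tree and the entropy of the normalized statement importances, the two ingredients of the proposed measure.

    # Illustrative sketch only (not the paper's implementation). Assumptions:
    # a hypothetical fault tree, equal basic-statement fault probability p,
    # Birnbaum importance as the importance measure, and Shannon entropy over
    # the normalized importances.
    import math

    def top_event_prob(node, p, forced=None):
        """Top-event probability of a nested ('AND'|'OR', children) fault tree.

        Leaves are statement names, each assumed to fail independently with
        probability p unless overridden in `forced` (name -> 0.0 or 1.0).
        """
        forced = forced or {}
        if isinstance(node, str):                      # basic event (statement fault)
            return forced.get(node, p)
        op, children = node
        probs = [top_event_prob(c, p, forced) for c in children]
        if op == "AND":                                # every child fault is needed
            result = 1.0
            for q in probs:
                result *= q
            return result
        result = 1.0                                   # OR: any child fault suffices
        for q in probs:
            result *= (1.0 - q)
        return 1.0 - result

    def birnbaum_importance(tree, p, leaf):
        """Birnbaum importance: P(top | leaf faulty) - P(top | leaf fault-free)."""
        return (top_event_prob(tree, p, {leaf: 1.0})
                - top_event_prob(tree, p, {leaf: 0.0}))

    def importance_entropy(importances):
        """Shannon entropy (bits) of the normalized importance distribution."""
        total = sum(importances)
        return -sum((i / total) * math.log2(i / total) for i in importances if i > 0)

    # Hypothetical module: output fails if statement s1 is faulty,
    # or if statements s2 and s3 are both faulty.
    tree = ("OR", ["s1", ("AND", ["s2", "s3"])])
    p = 0.01
    statements = ["s1", "s2", "s3"]

    p_fail = top_event_prob(tree, p)                   # output failure probability
    imps = [birnbaum_importance(tree, p, s) for s in statements]
    h = importance_entropy(imps)                       # entropy of statement importances
    print(p_fail, imps, h)

In this sketch the two quantities are reported separately; how they are combined into a single testability value, and which importance measure is actually used, is developed in Section 2.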

In the following section, the software testability measure based on fault tree analysis is introduced. Section 3 applies the testability measure to simple programs with AND and OR logic. Section 4 applies the measure to safety software modules and their testing. Section 5 concludes the paper.

Section snippets

Software testability based on fault tree analysis and entropy

The safety critical software for the nuclear protection system requires the safety analysis to be performed at every major development stage. At the requirement stage, the analysis is performed to specify the safety requirements such that no hazard conditions exist. Then as development proceeds to the design stage, the design documents are analyzed to verify that the safety requirements are met and no new design hazards have been introduced. The analysis is performed at the coding stage to

Testability for simple programs with AND, OR logic

In order to investigate the effects of the fault tree structure and the basic statement fault probabilities, simple fault trees with different combinations of "AND" and "OR" gates are selected, and the proposed testability measure is applied to each and the results compared. The top event probability is obtained from logical "AND" or "OR" operations on the basic events. The fault tree structure, together with the basic event fault probabilities, determines the probability of the top event occurrence. The
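For concreteness, assuming statistically independent basic events with a common fault probability p (matching the equal-probability assumption stated in the paper), the top event probabilities of the two pure gate types with n basic events are

    P_top(AND) = p^n        P_top(OR) = 1 - (1 - p)^n

For example, with p = 0.1 and n = 3, the AND gate gives a top event probability of 0.001, while the OR gate gives 1 - 0.9^3 = 0.271; an OR structure therefore makes a statement fault far more likely to appear at the output.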

Testability of safety software modules

The core protection calculator system (CPCS) in some nuclear power plants performs the safety function of generating departure from nucleate boiling ratio (DNBR) trip and local power density (LPD) trip signals. The software consists of several programs related to the DNBR and LPD calculations. The UPDATE software is one of these programs; it updates the detailed DNBR calculation based on newly read input signals. UPDATE is composed of several modules that perform specified

Conclusions

A novel testability measure for software has been proposed in this paper. Testability is defined as the probability that tests will detect a fault, given that a fault exists in the program. The existence of a fault, its propagation, and its effect on output failure are captured in the fault tree analysis. The testability is obtained from two components. One is the output failure probability calculated from the fault tree under the assumption that the basic statement fault probabilities are the same. The other
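Purely as an illustration of the structure of such a measure (the exact expression is given in the full text; the normalization below is an assumption made here), the two components could be combined in a form such as

    T = P_F * H(I) / log2(N),   with   H(I) = - sum_i I'_i * log2(I'_i)   and   I'_i = I_i / sum_j I_j,

where P_F is the output failure (top event) probability, I_i is the importance of basic statement i obtained from the fault tree, and N is the number of basic statements, so that the entropy term equals 1 when every statement contributes equally to output failure.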


References (13)

  • Voas, J., et al., 1993. Semantic metric for software testability. Journal of Systems and Software.
  • AECL, 1994. SDS1 Software Hazards Analysis Report for Wolsong Nuclear Power...
  • Bertolino, A., et al., 1996. On the use of software testability measures for dependability assessment. IEEE Transactions on Software Engineering.
  • Cha, S.S., et al., 1988. Safety Verification in Murphy Using Fault Tree Analysis. 10th International Conference on...
  • Freedman, R.S., 1991. Testability of software components. IEEE Transactions on Software Engineering.
  • KNFC, 1988. Functional Design Requirements for Core Protection Calculator...


SeDo Sohn received a B.S. in Nuclear Engineering from Seoul National University in 1984 and an M.S. degree in Nuclear Engineering from the Korea Advanced Institute of Science and Technology (KAIST), Daejeon, in 1986. He is currently a Ph.D candidate in Nuclear and Quantum Engineering in KAIST. He works for the Korea Power Engineering Company as a senior researcher. His research interests include safety critical software engineering and safety systems at nuclear power plants.

PoongHyun Seong received a B.S. degree in Nuclear Engineering from Seoul National University in 1977 and M.S. and Ph.D degrees both in Nuclear Engineering from the Massachusetts Institute of Technology, Cambridge, in 1984 and 1987, respectively. He is currently a professor in Nuclear and Quantum Engineering with the Korea Advanced Institute of Science and Technology, Daejeon. From 1987 to 1991, he was a Technical Staff member with AT&T Bell Laboratories. His research interests include development and safety assessment of nuclear power plant man–machine interface systems and reliability and safety assessment of human and digital systems. He is a Fellow of the Korean Nuclear Society.

Tel.: +82-42-869-3820; fax: +82-42-861-1481.
