Software fault trees and weakest preconditions: a comparison and analysis
Software development in safety-critical systems demands techniques which provide both the precision of formal methods and the practicality of tried and trusted engineering methods, giving a measure of rigour as required by the application. In particular, reasoning about system behaviour in the presence of failures requires a realistic use of formal methods. We show how to capture the semantics implied by software fault trees using a form of weakest precondition reasoning, taking the modelling of the failure properties of different software expressions as an example.

Leveson et al. [1] have used software fault trees to produce 'failure templates' at the statement level for the Ada programming language. These templates are concerned solely with logical program errors and not with compiler errors, control-flow errors, memory errors and the like, which could be captured by a system-wide view of the software. Furthermore, the notion of software fault tree 'failure templates' is confusing for safety engineers used to conventional fault tree analysis: the trees are motivated by failures, rather than by working back from system hazards, and are thus much more akin to failure modes and effects analysis. We propose a more traditional, hazard-driven view of applying fault trees to software expressions, which leads to a different formulation of the trees in weakest precondition semantics.
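The following is an added illustration of the hazard-driven reading described above; it is not code or a formulation from the paper or from Leveson et al. It uses the standard Dijkstra weakest precondition rules for assignment, sequencing and conditionals over a constructed toy language, treats division by zero as the only run-time failure of an expression (an assumption made to keep the example small), and works backwards from a hazard (the negation of the desired postcondition) to the set of causes, which is the OR/AND structure of a classical fault tree. The program, the postcondition and the variable names are constructed for the example.

```python
"""Hazard-driven fault trees for straight-line code via weakest preconditions.

Added illustration, not code from the paper. Statements of a tiny
assignment/if language are pulled back through Dijkstra's wp so that the
causes of a hazard (the negation of the required postcondition) are derived
from the hazard downwards, the way a conventional fault tree is built.
"""
import ast
import copy

# Statements: ("assign", var, expr) | ("seq", s1, s2) | ("if", cond, then, else)
# Predicates and expressions are Python expression strings over program variables.


def substitute(pred, var, expr):
    """pred[expr/var]: replace every occurrence of var in pred by expr."""
    repl = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(repl) if node.id == var else node

    tree = ast.fix_missing_locations(Sub().visit(ast.parse(pred, mode="eval")))
    return ast.unparse(tree)


def definedness(expr):
    """Guards under which expr evaluates without a run-time failure.
    Assumption for this example: division by zero is the only such failure."""
    return [f"({ast.unparse(n.right)}) != 0"
            for n in ast.walk(ast.parse(expr, mode="eval"))
            if isinstance(n, ast.BinOp)
            and isinstance(n.op, (ast.Div, ast.FloorDiv, ast.Mod))]


def conj(terms):
    return " and ".join(f"({t})" for t in terms) if terms else "True"


def free_vars(pred):
    return {n.id for n in ast.walk(ast.parse(pred, mode="eval")) if isinstance(n, ast.Name)}


def holds(pred, state):
    """Evaluate a predicate string in a concrete state. Only for the closed
    predicate strings generated here, never for untrusted input."""
    return bool(eval(compile(pred, "<pred>", "eval"), {"__builtins__": {}}, dict(state)))


def wp(stmt, post):
    """Weakest precondition: states from which stmt terminates normally with post true."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return conj(definedness(expr) + [substitute(post, var, expr)])
    if kind == "seq":
        return wp(stmt[1], wp(stmt[2], post))
    if kind == "if":
        _, cond, then_s, else_s = stmt
        return f"(({cond}) and ({wp(then_s, post)})) or (not ({cond}) and ({wp(else_s, post)}))"
    raise ValueError(kind)


def fault_tree(stmt, post):
    """Causes of the hazard 'post is false after stmt, or stmt fails at run time'.
    Returns predicates; the hazard occurs iff at least one holds, i.e. an OR gate
    over AND gates of basic events, derived top-down from the hazard."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        guards = definedness(expr)
        causes = [f"not ({g})" for g in guards]          # the expression itself fails
        body = substitute(post, var, expr)
        if free_vars(body) or not holds(body, {}):       # skip if post is trivially re-established
            causes.append(conj(guards + [f"not ({body})"]))
        return causes
    if kind == "seq":
        s1, s2 = stmt[1], stmt[2]
        # either s1 fails, or s1 runs normally into a state from which s2 causes the hazard
        return fault_tree(s1, "True") + [wp(s1, c) for c in fault_tree(s2, post)]
    if kind == "if":
        _, cond, then_s, else_s = stmt
        return ([conj([cond, c]) for c in fault_tree(then_s, post)]
                + [conj([f"not ({cond})", c]) for c in fault_tree(else_s, post)])
    raise ValueError(kind)


# Constructed example: scale a sensor ratio into an actuator command that must
# stay within [0, 100]; the hazard is the command leaving that band.
POST = "0 <= cmd and cmd <= 100"
PROGRAM = ("seq",
           ("assign", "ratio", "num / den"),
           ("if", "ratio > 1",
            ("assign", "cmd", "100"),
            ("assign", "cmd", "ratio * 100")))


def hazard_causes():
    return fault_tree(PROGRAM, POST)


def hazard_reachable(state, causes=None):
    return any(holds(c, state) for c in (causes or hazard_causes()))


if __name__ == "__main__":
    for c in hazard_causes():
        print("HAZARD <- OR-branch:", c)
    print("wp:", wp(PROGRAM, POST))
```

Run stand-alone, the block prints two OR-branches for the hazard: a division-by-zero event (den = 0) and a branch in which the division succeeds, the ratio is not above 1 and the scaled command leaves the band (a negative ratio). The fault tree is obtained by negating wp and keeping its disjunctive structure, so for any concrete state the hazard is reachable exactly when wp(PROGRAM, POST) is false; the disjunction over assignments in the then-branch, where the postcondition is always re-established, is pruned as vacuous. Leveson-style failure templates would instead start from the failure modes of each statement and work forwards.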