Reading: December 15, 2014 15:14 WSPC/S0218-5393 122-IJRQSE 1450030
Reliability and safety for hardware in computer systems have been studied extensively
in recent years. On the other hand, the safety of a safety-related system (SRS) for software
has not been assured by a proper method of calculating the software safety integrity level
(SIL) in the functional safety standards; at present the software SIL is determined only by
the number of development methods applied to practical safety-related systems (SRSs). In this
paper, we discuss the quantitative assessment of the software SIL by applying quantitative
measures based on software reliability growth models (SRGMs), which have been widely and
successfully applied to practical software quality management activities. Based on a
nonhomogeneous Poisson process (NHPP), plausible methods of calculating the software SIL
in the functional safety standard are proposed. Further, we discuss a quantitative method
for assuring the software SIL based on optimal release policies that account for the test
cost during the testing environment and the risk cost after the software product is released.
Keywords: Functional safety; software safety integrity level; software reliability growth
model; nonhomogeneous Poisson process; optimal release policies; risk costs.
1. Introduction
Recently, product recalls have become frequent in our social life. One of the
causes can be considered to be the low reliability and safety maturity of the
embedded software system, which is a main component of the computer systems used
in various fields. That is, once system failures due to faults (defects or errors) latent
in the software come to the surface, the whole system including its computer system
becomes entirely useless and many people sustain great damage. Occasionally, these are also
worst-level faults which would bring about serious and critical accidents to human
life and property. Accordingly, the development of highly reliable and safe
software systems is an important issue for developers and users.
It is often considered that safety is obtained by improving the reliability defined
by the standardized software quality characteristics of ISO/IEC 9126.1
However, safety and reliability are essentially different concepts, and an
improvement in reliability does not necessarily result in an improvement in safety. That is,
when the requirements for software development in regard to safety are missing, we
cannot say that safe software has been constructed even if the reliability requirements
are sufficiently provided.
Therefore, as one of the solutions to the software safety issue, developers of
the social infrastructure systems such as railway, automobile, and so on, have been
conforming their development to the functional safety standard (IEC 61508).2 In
the functional safety standard, plural quantitative analytical methods of the safety
integrity level (SIL) of the safety-related system (SRS) for hardware are defined.
Traditionally, it has been defined to determine software SIL only by the number of
methods applied to practical SRS development.
However, from the viewpoint of our actual software development experience, we
object to this usual way of determining the SIL. That is, in contrast with the
functional safety standard's definition, it is a well-known fact that software
development is greatly influenced by the developers' skills and experience.
In this paper, we propose a quantitative method of calculating the software SIL
in the functional safety standard with the test cost during the testing environment
and the risk cost after the software product is released, based on reliability
assessment measures derived from software reliability growth models (SRGMs)3
and software management metrics.
2. Description of SRGM3
2.1. Nonhomogeneous Poisson process model
Generally, during the testing-phase in the software development process, the devel-
opers have to execute many test cases in order to verify the implemented functions
based on the requirement specifications. At that time, they detect many faults
latent in the software system, and those corrections and removals are carried out
in accordance with the specified procedures. That is, a software reliability growth
during the testing phase means the relationships between the testing time and
the cumulative number of faults detected by testing or the time interval between
software failures. Then, the reliability growth curve represents the time-dependent
behavior of the cumulative number of detected faults with the progress of testing.
By describing a fault-detection phenomenon by a stochastic model based on non-
homogeneous Poisson process (NHPP), we can obtain useful measures for software
reliability assessment during the testing phase and reliability prediction during the
operation phase.
where Pr{A} means the probability of event A, and H(t) is called the mean value
function of an NHPP, which represents the expected value of N(t). Further, h(t)
is called the intensity function of the NHPP, and represents the instantaneous
fault-detection rate at testing time t. We have to choose the most suitable model
from existing SRGMs by specifying the mean value function and the intensity
function.
Further, we assume the exponential SRGM with the mean value function m(t)
and the intensity function $h_m(t)$ for the fault-detection process. The exponential
SRGM, which is widely used to analyze software failure occurrence data, is an NHPP
model with the mean value function and the intensity function in Eq. (1) given as
$m(t) = a(1 - e^{-bt})$ $(a > 0,\ b > 0)$, (2)
$h_m(t) = ab\,e^{-bt}$, (3)
where a is the expected number of faults to be eventually detected and b the fault-
detection rate per fault at time t.
• MSE:
Letting $\hat{H}(t)$ be the estimated mean value function, we can calculate the value of
the MSE by using the following equation:
$\mathrm{MSE} = \dfrac{1}{n}\sum_{k=1}^{n}[y_k - \hat{H}(t_k)]^2$, (4)
• AIC:
3. Software SIL
Safety Integrity and the SIL are defined by IEC 61508-4 as follows:2
• Safety Integrity:
• SIL:
The discrete level for specifying the safety integrity requirements of the safety func-
tions to be allocated to the E/E/PE SRSs,2 where SIL-4 has the highest level of
safety integrity and SIL-1 has the lowest.
Table 1. Definition of SIL levels (target failure measures for a safety function,
allocated to an E/E/PE SRS).
Generally, target failure measures for the four levels of SIL are specified in
Table 1 (see IEC 61508-1).2 Further, the target failure measure is defined as the
intended probability of dangerous mode failures to be achieved in respect of the
safety integrity requirements, and is specified from the viewpoint of IEC 61508-4
for the following two demand modes:
• Low demand mode:
The frequency of demands for operation made on an SRS is no greater than one
per year and no greater than twice the proof-test frequency. This means an average
probability of failure on demand (PFD) of the design function per frequency of
demands. In IEC 61508-4, PFD is defined as unavailability. That is, low
availability indicates low reliability, since failures occur often. Accordingly,
in order to make software availability high, the software system needs to have a
low occurrence probability of software failures of the design function under all the
stated conditions within a stated period of time. Consequently, PFD in this mode
is computable as an unreliability function per frequency of demands by applying
the software reliability function, which is one of the reliability assessment measures
derived from an NHPP model:
• High demand mode:
The frequency of demands for operation made on an SRS is greater than one per
year or greater than twice the proof-test frequency. In IEC 61508-4, this is defined
as the average probability of dangerous failure per hour (PFH). That is, it can
be considered as the dangerous failure rate or dangerous failure intensity of the SRS.
Consequently, when we assume that the repair time can be ignored compared
with the mean time to failure, the dangerous failure rate and the dangerous failure
intensity are almost equivalent. Furthermore, since the unit of PFH is
“1/time”, PFH can be considered as the proportion of average dangerous failures
per hour, and PFH can be represented by the following equation:
$\mathrm{PFH} = \mathrm{SIL}_H \equiv \dfrac{1}{\text{Mean Time between Software Failures}}$. (7)
failure-occurrence time or fault-detection time $S_{k-1} = t$ was given, from Eq. (1)
the conditional reliability function for $X_k$ is given by
$R(x \mid t) \equiv \Pr\{X_k > x \mid S_{k-1} = t\} = \exp[-\{H(t+x) - H(t)\}]$ $(x \ge 0,\ t \ge 0)$. (8)
Equation (8) shows the probability that a software failure does not occur or
a fault is not detected in the testing time interval (t, t + x]. The software relia-
bility function in Eq. (8) is applied to calculate PFD in Eq. (6) for low demand
mode.
We can calculate the software SIL for the high demand mode by using Eq. (7)
discussed in Sec. 3. Then, because the mean time between failures (MTBF) for
software can be represented as the mean time between software failure occurrences
or the mean time between fault detections, we can use the Instantaneous MTBF3
and the Cumulative MTBF3 as the software reliability assessment measures. The
Instantaneous MTBF and the Cumulative MTBF can be explained as follows:
• Instantaneous MTBF
Instantaneous MTBF is the reciprocal of the intensity function, i.e., of the
instantaneous fault-detection rate at testing time t. We can compute it by the following equation:
$\mathrm{MTBF}_I(t) = \dfrac{1}{h(t)}$. (9)
Note that the Instantaneous MTBF tends to give an optimistic estimate, because its
analysis result is obtained from only the latest data.
• Cumulative MTBF
We can calculate the Cumulative MTBF by the following equation:
$\mathrm{MTBF}_C(t) = \dfrac{t}{H(t)}$. (10)
Note that the Cumulative MTBF tends to give a pessimistic estimate, because its
analysis result is obtained from all data observed from the beginning of testing
to the present.
Consequently, we can get the following equation from Eqs. (6) and (11) as the
calculation method for software SIL in the low demand mode:
$\mathrm{SIL}_L = 1 - R_L(x \mid t)$. (12)
For example, in order to evaluate the calculation method for software SIL for the
low demand mode, we adopt the actual data set of the number of fault detections
observed in the actual testing phase, which consists of 21 data pairs in the form of
$DS: (t_k, y_k)$ $(k = 1, 2, \ldots, 21;\ 0 < t_1 < t_2 < \cdots < t_{21})$,
[Fig. 1. Estimated software reliability function $R_L(7.3 \mid t)$ versus testing time (days). Upper panel (data to the 14th day, testing days 14–22): marked value 0.9150. Lower panel (all 21 data pairs, testing days 21–29): marked value 0.9645.]
where the measurement unit of testing time $t_k$ is calendar days. This data
set was collected during testing in which the test cases designed beforehand from
the customer requirements were executed one by one.
As analysis results for this data set based on the exponential SRGM with m(t)
in Eq. (2), we show the estimated software reliability function for the low demand
mode in Fig. 1. The upper side of Fig. 1 is the result analyzed using the number
of fault detections from the test beginning time to the 14th day, and the lower
side shows the result analyzed with all 21 data pairs. Additionally, as
preconditions for the analysis, we assume that one day under the testing environment
corresponds to 50 days under the operational environment (SC = 50), and that DFR
is 0.01.
From Fig. 1, we can calculate the software SIL for the low demand mode
when $t_{14} = 14$ ($\hat{a} = 59.61$, $\hat{b} = 0.0725$) and $t_{21} = 21$ ($\hat{a} = 51.31$, $\hat{b} = 0.0928$) as
follows:
In Fig. 1, when assuming that the operation requirement is one year under
the user operational environment, we find that it is equivalent to 7.3 days under
the testing environment by taking SC into consideration (SC(x) = 7.3). As shown
in the upper side graph in Fig. 1, we find that the software reliability function
for the dangerous failure under the user operational environment is 0.9150.
Thus, the occurrence probability of the dangerous failure is $8.50 \times 10^{-2}$ as the
calculation result in Eq. (13). Therefore, from Table 1 we get SIL-1 as $\mathrm{SIL}_L$ at
$t_{14} = 14$. Similarly, as shown in the lower side graph in Fig. 1, we find that the
software reliability function for the dangerous failure under the user operational
environment is 0.9645. Thus, the occurrence probability of the dangerous failure is
$3.55 \times 10^{-2}$ as the calculation result in Eq. (14). Therefore, from Table 1 we
get SIL-1 as $\mathrm{SIL}_L$ at $t_{21} = 21$. Accordingly, we can judge that the software SIL
for the low demand mode has been sustained quantitatively with additional testing
time.
$\mathrm{MTBF}_{SC_I}(t) = \dfrac{SC}{h(t)}$, (15)
$\mathrm{MTBF}_{SC_C}(t) = \dfrac{SC \times t}{H(t)}$. (16)
Consequently, we can get the following equation from Eqs. (7) and (15) or (16)
with DFR as the calculation method for software SIL in the high demand mode:
$\mathrm{SIL}_H = \dfrac{\mathrm{DFR}}{\mathrm{MTBF}_{SC}(t) \times TC}$. (17)
In Eq. (17), $\mathrm{MTBF}_{SC}(t)$ represents Eq. (15) or (16), and TC means the Transform
Coefficient, which is the value for converting into the collection time unit of the
fault-detection data used for the MTBF calculation.
For example, in order to evaluate the calculation method for software SIL for
the high demand mode, we adopt the actual data set discussed in Sec. 4.1.
[Fig. 2. Estimated instantaneous $\mathrm{MTBF}_{SC}(T)$ (days) versus testing time (days, 5–25). Upper panel (data to the 14th day): marked value 31.9239. Lower panel (all 21 data pairs): marked value 73.7171.]
As analysis results for this data set based on the exponential SRGM with m(t)
in Eq. (2), we show the estimated instantaneous MTBF in Eq. (5) for the high
demand mode in Fig. 2. The upper side of Fig. 2 is the result analyzed using the
number of fault-detections from the test beginning time to the 14th day, and the
lower side shows the result analyzed by 21 data pairs of all data. Additionally, as
preconditions for analysis, we assume that one day under the testing-environment
corresponds to 50 days under the operational-environment (SC = 50), and DFR is
0.01.
From Fig. 2, we can calculate the software SIL for the high demand mode when
t14 = 14 (â = 59.61, b̂ = 0.0725) and t21 = 21 (â = 51.31, b̂ = 0.0928) as follows:
$\mathrm{SIL}_H|_{t_{14}=14} = \dfrac{0.01}{31.92 \times 24} = 1.31 \times 10^{-5}$, (18)
$\mathrm{SIL}_H|_{t_{21}=21} = \dfrac{0.01}{73.72 \times 24} = 5.65 \times 10^{-6}$. (19)
Figure 2 shows the instantaneous MTBF for the dangerous failure under the
user operational environment, with TC set to 24 because the measurement unit
is the calendar day. As shown in the upper side graph in Fig. 2, we find that the
Instantaneous MTBF is about 31.92 days. Hence, the occurrence probability of the
dangerous failure under the user operational environment is $1.31 \times 10^{-5}$ as the
calculation result of Eq. (18). Therefore, from Table 1 we have shown
that $\mathrm{SIL}_H$ at $t_{14} = 14$ does not fulfill the target failure measure. Similarly,
as shown in the lower side graph in Fig. 2, we find that the Instantaneous
MTBF for the dangerous failure under the user operational environment is about
73.72 days. Thus, the occurrence probability of the dangerous failure is $5.65 \times 10^{-6}$
as the calculation result of Eq. (19). Therefore, from Table 1 we get SIL-1 as
$\mathrm{SIL}_H$ at $t_{21} = 21$. Accordingly, we can judge that the software SIL for the high
demand mode has been sustained quantitatively with additional testing time.
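The low demand mode calculation of Sec. 4.1 (Eqs. (2), (8), (11), (12)) and the high demand mode calculation above (Eqs. (3), (15), (17)) carried out in working code, as an added example that is not part of the paper. It assumes $R_L(x \mid t) = \exp[-\mathrm{DFR}\{m(t+x) - m(t)\}]$ for Eq. (11), which is not reproduced in this text, and uses the IEC 61508-1 target failure measure bands in place of the paper's Table 1; the fitted parameters, SC = 50, DFR = 0.01 and TC = 24 are the paper's own.

```python
"""Software SIL from the exponential SRGM, for both demand modes.

Added example (not the paper's code). Reproduces the paper's values at
t = 14 days, (a, b) = (59.61, 0.0725), and t = 21 days, (a, b) = (51.31, 0.0928),
with SC = 50, DFR = 0.01 and TC = 24. Assumption: R_L(x | t) of Eq. (11) is the
NHPP reliability of Eq. (8) with the increment scaled by DFR.
"""
import math


def m(t, a, b):
    """Mean value function of the exponential SRGM, Eq. (2)."""
    return a * (1.0 - math.exp(-b * t))


def h_m(t, a, b):
    """Intensity function (instantaneous fault-detection rate), Eq. (3)."""
    return a * b * math.exp(-b * t)


def reliability_low(x, t, a, b, dfr):
    """R_L(x | t): probability of no dangerous failure in (t, t + x].

    Assumed form of Eq. (11): the NHPP increment H(t + x) - H(t) of Eq. (8)
    is multiplied by the dangerous failure rate DFR.
    """
    return math.exp(-dfr * (m(t + x, a, b) - m(t, a, b)))


def sil_low(t, a, b, dfr, sc, operation_days):
    """SIL_L = 1 - R_L(SC(x) | t), Eq. (12).

    The required operation period is converted to testing-environment time
    through SC (one testing day corresponds to SC operational days).
    """
    x = operation_days / sc          # SC(x): 365 / 50 = 7.3 testing days
    return 1.0 - reliability_low(x, t, a, b, dfr)


def mtbf_sc_instantaneous(t, a, b, sc):
    """MTBF_SC_I(t) = SC / h_m(t), Eq. (15), in operational days."""
    return sc / h_m(t, a, b)


def sil_high(t, a, b, dfr, sc, tc):
    """SIL_H = DFR / (MTBF_SC_I(t) x TC), Eq. (17); TC = 24 turns days into hours."""
    return dfr / (mtbf_sc_instantaneous(t, a, b, sc) * tc)


# IEC 61508-1 target failure measure bands, used here in place of the paper's
# Table 1 (assumed; Table 1 itself is not reproduced in this text).
# Each entry: (SIL, exclusive upper bound, inclusive lower bound).
PFD_BANDS = [(1, 1e-1, 1e-2), (2, 1e-2, 1e-3), (3, 1e-3, 1e-4), (4, 1e-4, 1e-5)]
PFH_BANDS = [(1, 1e-5, 1e-6), (2, 1e-6, 1e-7), (3, 1e-7, 1e-8), (4, 1e-8, 1e-9)]


def classify(value, bands):
    """SIL whose band contains value; 4 if value is better than the SIL-4 band;
    None if value is worse than the SIL-1 band, i.e. no SIL is fulfilled."""
    for sil, upper, lower in bands:
        if lower <= value < upper:
            return sil
    return 4 if value < bands[-1][2] else None


def assess(t, a, b, dfr=0.01, sc=50.0, operation_days=365.0, tc=24.0):
    """Evaluate both demand modes at testing time t (days); returns a dict."""
    sil_l = sil_low(t, a, b, dfr, sc, operation_days)
    sil_h = sil_high(t, a, b, dfr, sc, tc)
    return {
        "R_L": 1.0 - sil_l,
        "SIL_L": sil_l,
        "SIL_L_level": classify(sil_l, PFD_BANDS),
        "MTBF_SC_I": mtbf_sc_instantaneous(t, a, b, sc),
        "SIL_H": sil_h,
        "SIL_H_level": classify(sil_h, PFH_BANDS),
    }


if __name__ == "__main__":
    # Fitted parameters quoted in the text for the 21-pair fault-detection data set.
    for t, a, b in [(14, 59.61, 0.0725), (21, 51.31, 0.0928)]:
        r = assess(t, a, b)
        print(f"t = {t:2d}:", {k: (round(v, 7) if isinstance(v, float) else v)
                              for k, v in r.items()})
```

At t = 14 the high demand value lands above the SIL-1 band, so `classify` returns `None`, matching the paper's statement that the target failure measure is not fulfilled there.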
$h_p(t) = a \sum_{i=1}^{2} p_i b_i e^{-b_i t}$, (21)
$b(t) = \dfrac{\sum_{i=1}^{2} p_i b_i e^{-b_i t}}{p_1 e^{-b_1 t} + p_2 e^{-b_2 t}}$. (22)
[Fig. 3. Estimated software reliability function $R_L(7.3 \mid t)$ versus testing time (days). Upper panel (data to the 14th day, testing days 14–22): marked value 0.9150. Lower panel (all 21 data pairs, testing days 21–29): marked value 0.9647.]
in the upper side graph in Fig. 3, we find that the software reliability function for
the dangerous failure under the user operational environment is 0.9150. Thus, the
occurrence probability of the dangerous failure is $8.50 \times 10^{-2}$ as the calculation
result of Eq. (25). Therefore, from Table 1 we get SIL-1 as $\mathrm{SIL}_{LME}$ at $t_{14} = 14$.
Similarly, as shown in the lower side graph in Fig. 3, we find that the software
reliability function for the dangerous failure under the user operational environment
is 0.9647. Thus, the occurrence probability of the dangerous failure is $3.53 \times 10^{-2}$
as the calculation result in Eq. (26). Therefore, we get SIL-1 from Table 1 as
$\mathrm{SIL}_{LME}$ at $t_{21} = 21$. Accordingly, we can judge that the software SIL for the low
demand mode has been sustained quantitatively with additional testing time.
[Figure: estimated instantaneous $\mathrm{MTBF}_{SC}(T)$ (days) versus testing time (days, 5–25). Upper panel (data to the 14th day): marked value 31.9237. Lower panel (all 21 data pairs): marked value 73.7155.]
MTBF for the dangerous failure under the user operational environment is about
73.72 days. Thus, the occurrence probability of the dangerous failure is $5.65 \times 10^{-6}$
as the calculation result of Eq. (31). Therefore, from Table 1 we get SIL-1 as
$\mathrm{SIL}_H$ at $t_{21} = 21$. Accordingly, we can judge that the software SIL for the high
demand mode has been sustained quantitatively with additional testing time.
before release and the costs of fixing faults before and after releases are counted as
software cost factors. The following are introduced:
c1 = the cost of fixing a fault detected during testing,
c2 = the cost of fixing a fault detected during operation
(c2 > c1 > 0),
c3 = the cost of testing per unit time,
TLC = the software life-cycle length,
T = the software release time, i.e., the total testing time,
T ∗ = the optimum software release time.
Let C(T) denote the associated total expected software cost based on the exponential
SRGM with Eq. (2). Then, the total expected software cost during testing

be formulated as follows:
Minimize $C(T)$
subject to $R_L(SC(x) \mid T) \ge R_{SIL-i}$, $T \ge 0$,
for $c_2 > c_1 > 0$, $c_3 > 0$, $SC(x) \ge 0$, $0 < R_{SIL-i} < 1$. (39)
Then, we can obtain the solutions for the cost-reliability optimum software release
times:
$T_L^* = \max\{T_0, T_1\}$, (40)
where $T_0$ is given by Eqs. (35) and (36), and $T_1$ is given by Eqs. (37) and (38).
Therefore, we have the following:
Theorem 1.
(1) If $ab > c_3/(c_2 - c_1)$ and $R_L(SC(x) \mid 0) < R_{SIL-i} < 1$, then $T_L^* = \max\{T_0, T_1\}$.
(2) If $ab > c_3/(c_2 - c_1)$ and $R_{SIL-i} \le R_L(SC(x) \mid 0)$, then $T_L^* = T_0$.
(3) If $ab \le c_3/(c_2 - c_1)$ and $R_L(SC(x) \mid 0) < R_{SIL-i} < 1$, then $T_L^* = T_1$.
(4) If $ab \le c_3/(c_2 - c_1)$ and $R_{SIL-i} \le R_L(SC(x) \mid 0)$, then $T_L^* = 0$.
6.3. Optimal software release policies for the high demand mode
Based on $\mathrm{MTBF}_{SC_I}(t)$ in Eq. (15), the optimum software release time, $T_H^*$, for the
high demand mode is given by the testing time which comes closest to satisfying
some prespecified MTBF: $\mathrm{MTBF}_{SC_I}(T) = \mathrm{MTBF}_{SIL-i}$ $(1 \le i \le 4)$, where i means
the level of SIL.
If $\mathrm{MTBF}_{SC_I}(0) < \mathrm{MTBF}_{SIL-i}$, then there exists an interior solution to
$\mathrm{MTBF}_{SC_I}(T) = \mathrm{MTBF}_{SIL-i}$ at
$bT_2 = \ln(ab) + \ln(\mathrm{MTBF}_{SIL-i})$. (41)
Otherwise, there is an exterior unattainable solution, and the boundary value is the
closest attainable value at
$T_2 = 0$. (42)
Consider the optimal software release policies for the high demand mode which
minimize the expected total software cost under the constraint qualification that
the MTBF achieved by software testing is not less than some prespecified value.
The optimal software release problem for the high demand mode can be formulated
as follows:
Minimize $C(T)$
subject to $\mathrm{MTBF}_{SC_I}(T) \ge \mathrm{MTBF}_{SIL-i}$, $T \ge 0$,
for $c_2 > c_1 > 0$, $c_3 > 0$. (43)
Then, in a similar way to Sec. 6.2, we can obtain the solutions for the cost-reliability
optimum software release times
$T_H^* = \max\{T_0, T_2\}$, (44)
where $T_0$ is given by Eqs. (35) and (36), and $T_2$ is given by Eqs. (41) and (42).
Therefore, we have the following:
Theorem 2.
(1) If $ab > c_3/(c_2 - c_1)$ and $\mathrm{MTBF}_{SC_I}(0) < \mathrm{MTBF}_{SIL-i}$, then $T_H^* = \max\{T_0, T_2\}$.
(2) If $ab > c_3/(c_2 - c_1)$ and $\mathrm{MTBF}_{SIL-i} \le \mathrm{MTBF}_{SC_I}(0)$, then $T_H^* = T_0$.
(3) If $ab \le c_3/(c_2 - c_1)$ and $\mathrm{MTBF}_{SC_I}(0) < \mathrm{MTBF}_{SIL-i}$, then $T_H^* = T_2$.
(4) If $ab \le c_3/(c_2 - c_1)$ and $\mathrm{MTBF}_{SIL-i} \le \mathrm{MTBF}_{SC_I}(0)$, then $T_H^* = 0$.
7.2. Optimal software release policies for the low demand mode
The total expected software cost for the low demand mode is given by
$C_{RL}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}[1 - R_L(SC(x) \mid T)]$. (46)
Then, we define two functions in order to get the testing time which minimizes
the total expected software cost as follows:
$f(T) = h_m(T)[c_{R3}(1 - e^{-b \times SC(x)}) R_L(SC(x) \mid T) - c_{R2}\mu_y]$, (47)
$g(T) = c_{R3}(1 - e^{-b \times SC(x)}) R_L(SC(x) \mid T)[1 - a e^{-bT}(1 - e^{-b \times SC(x)})]$. (48)
It should be noted that g(T) is a strictly increasing function of T.
The optimum software release time, $T_L^*$, for the low demand mode is given by the
testing time which comes closest to satisfying some prespecified software reliability:
$R_L(SC(x) \mid t) = R_{SIL-i}$ $(1 \le i \le 4)$, where x is the operation time of a released
software system and i means the level of SIL.
If $R_L(SC(x) \mid 0) < R_{SIL-i}$, then there exists an interior solution to
$R_L(SC(x) \mid T) = R_{SIL-i}$ at
$bT_{RL1} = \ln[\mathrm{DFR} \times m(SC(x))] - \ln \ln \dfrac{1}{R_{SIL-i}}$. (49)
Consider the optimal software release policies for the low demand mode which
minimize the total expected software cost under the constraint qualification that the
software reliability achieved by software testing is not less than some prespecified
value $R_{SIL-i}$. The optimal software release problem for the low demand mode can
be formulated as follows:
Minimize $C_{RL}(T)$
subject to $R_L(SC(x) \mid T) \ge R_{SIL-i}$, $T \ge 0$,
for $c_{R3} > c_{R2} > c_{R1} > 0$, $SC(x) \ge 0$, $0 < R_{SIL-i} < 1$. (50)
Theorem 3.
(1) If $g(0) > c_{R2}\mu_y$, then
(a) if $f(0) \le c_{R1}$, then $T_L^* = 0$ minimizes $C_{RL}(T)$;
(b) if $f(T_{RL1}) > c_{R1}$, then $T_L^* = T_{RL1}$ minimizes $C_{RL}(T)$;
(c) if $f(0) > c_{R1}$, $f(T) \ge c_{R1}$ for $T \in (0, T']$ and $f(T) < c_{R1}$ for $T \in (T', T_{RL1})$, then $T_L^* = T'$ with $T' = \inf\{T : f(T) < c_{R1}\}$.
(2) If $g(T_{RL1}) < c_{R2}\mu_y$, then
(a) if $f(0) \ge c_{R1}$, then $T_L^* = T_{RL1}$ minimizes $C_{RL}(T)$;
(b) if $f(T_{RL1}) < c_{R1}$, then $T_L^* = 0$ minimizes $C_{RL}(T)$.
7.3. Optimal software release policies for the high demand mode
The total expected software cost for the high demand mode is given by
$C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}\dfrac{\mathrm{DFR}}{\mathrm{MTBF}_{SC_I}(T) \times TC}$. (51)
We can get the following equation from Eqs. (15) and (51):
$C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}\dfrac{\mathrm{DFR} \times h_m(T)}{TC \times SC}$. (52)
Then, since DFR, SC and TC are constants, we can express the following equation
with the high demand coefficient (HDC):
$\mathrm{HDC} = \dfrac{\mathrm{DFR}}{TC \times SC}$. (53)
Therefore, with Eq. (53), Eq. (51) can be written as the following equation:
$C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}[\mathrm{HDC} \times h_m(T)]$. (54)
It can be shown that, given the constraints on the parameters, there is a unique
time that minimizes the total expected software cost. From Eqs. (3) and (54), if
$ab(c_{R3} b \times \mathrm{HDC} - c_{R2}\mu_y) > c_{R1}$, then there exists an interior minimum for $C_{RH}(T)$
at
$bT_{RH0} = \ln \dfrac{ab(c_{R3} b \times \mathrm{HDC} - c_{R2}\mu_y)}{c_{R1}}$. (55)
Otherwise, there is an exterior unattainable minimum, and the boundary value is
the attainable minimum at
$T_{RH0} = 0$. (56)
Based on $\mathrm{MTBF}_{SC_I}(t)$ in Eq. (15), the optimum software release time, $T_H^*$, for the
high demand mode is given by the testing time which comes closest to satisfying
Theorem 4.
(1) If $ab > c_{R1}/(c_{R3} b \times \mathrm{HDC} - c_{R2}\mu_y)$ and
$\mathrm{MTBF}_{SC_I}(0) < \mathrm{MTBF}_{SIL-i}$,
then $T_H^* = \max\{T_{RH0}, T_{RH1}\}$.
8. Numerical Example
8.1. Preliminaries
Consider numerical illustrations of the cost-reliability optimal software release
policies based on functional safety standards and risk cost with software SIL. Let
[Fig. 5, upper panel: total expected software cost versus testing time (30–60 days), marked values 1538.9 and 1484.5. Lower panel: software reliability $R_L(6.1 \mid T)$ versus testing time (30–60 days), marked values 0.9990 and 0.9900, with $R_{SIL-2}$ and $T_{RL0} = 53.1$ indicated.]
Fig. 5. An illustration of the cost-reliability optimal software release policy with software SIL for
the low demand mode.
we can calculate HDC = $6.9 \times 10^{-6}$. Then, we show the estimated instantaneous
MTBF for the dangerous failure under the user operational environment, and the
total expected software cost for the high demand mode in Fig. 6. The upper side of
Fig. 6 is the total software cost $C_{RH}(T)$, and the lower side shows the instantaneous
MTBF.
Then, the cost-reliability optimal software release problem for the high demand
mode to be solved is given as
Minimize $C_{RH}(T) = 1 \cdot T + 100 \cdot m(T) \cdot 0.1 + 1.0 \times 10^{8} \times \{6.9 \times 10^{-6} \cdot h_m(T)\}$
subject to $\mathrm{MTBF}_{SC_I}(T) \ge \mathrm{MTBF}_{SIL-4} = 41666.7$, $T \ge 0$. (63)
[Fig. 6, upper panel: total expected software cost $C_H(T)$ versus testing time (40–80 days), marked values 1499.6 and 1489.1. Lower panel: instantaneous $\mathrm{MTBF}_{SC}(T)$ (days) versus testing time (40–80 days), with $\mathrm{MTBF}_{SIL-4}$ marked, values 41725.2 and 4598.1, and $T_{RH1} = 75.6$ indicated.]
Fig. 6. An illustration of the cost-reliability optimal software release policy with software SIL
for the high demand mode.
Thus, the optimum software release time can be determined from Theorem 4 as
$T_H^* = \max\{T_{RH0}, T_{RH1}\} = \max\{57.9, 75.6\} = 75.6$. (64)
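The high demand mode release policy of Sec. 7.3 and the numerical example above, as an added example that is not part of the paper: it implements the cost model of Eq. (54), the unconstrained minimum of Eqs. (55) and (56), the MTBF constraint of Eq. (15) and the case split of Theorem 4, and cross-checks the closed form against a brute-force grid search. The cost constants and $\mathrm{MTBF}_{SIL-4}$ are taken from Eq. (63); the SRGM parameters a, b and the scale factor SC are constructed, since Sec. 8's fitted values are not reproduced in this text, so the result does not reproduce 57.9 and 75.6.

```python
"""Cost-reliability optimal release time for the high demand mode.

Added example, not the paper's code. Cost constants follow Eq. (63); the
SRGM parameters a, b and SC are constructed for illustration.
"""
import math


def m(t, a, b):
    """Mean value function of the exponential SRGM, Eq. (2)."""
    return a * (1.0 - math.exp(-b * t))


def h_m(t, a, b):
    """Intensity function of the exponential SRGM, Eq. (3)."""
    return a * b * math.exp(-b * t)


def hdc(dfr, tc, sc):
    """High demand coefficient HDC = DFR / (TC x SC), Eq. (53)."""
    return dfr / (tc * sc)


def mtbf_sc_instantaneous(t, a, b, sc):
    """MTBF_SC_I(t) = SC / h_m(t), Eq. (15)."""
    return sc / h_m(t, a, b)


def total_cost_high(T, a, b, c1, c2, c3, mu_y, hdc_value):
    """C_RH(T) = c_R1 T + c_R2 m(T) mu_y + c_R3 [HDC x h_m(T)], Eq. (54)."""
    return c1 * T + c2 * m(T, a, b) * mu_y + c3 * hdc_value * h_m(T, a, b)


def t_rh0(a, b, c1, c2, c3, mu_y, hdc_value):
    """Unconstrained cost minimum T_RH0.

    dC_RH/dT = c_R1 - a b e^{-bT} (c_R3 b HDC - c_R2 mu_y) vanishes at Eq. (55)
    when a b (c_R3 b HDC - c_R2 mu_y) > c_R1; otherwise the boundary T = 0 of
    Eq. (56) is the attainable minimum.
    """
    k = a * b * (c3 * b * hdc_value - c2 * mu_y)
    if k > c1:
        return math.log(k / c1) / b
    return 0.0


def t_rh1(a, b, sc, mtbf_sil):
    """Earliest testing time T_RH1 at which MTBF_SC_I(T) reaches MTBF_SIL-i.

    Solving SC / (a b e^{-bT}) = MTBF_SIL-i gives bT = ln(a b MTBF_SIL-i / SC);
    if the target is already met at T = 0 the boundary value 0 is returned.
    """
    if mtbf_sc_instantaneous(0.0, a, b, sc) >= mtbf_sil:
        return 0.0
    return math.log(a * b * mtbf_sil / sc) / b


def optimal_release_high(a, b, sc, mtbf_sil, c1, c2, c3, mu_y, dfr=0.01, tc=24.0):
    """Theorem 4: T_H* = max{T_RH0, T_RH1}, which collapses to T_RH0, T_RH1 or 0
    when the other term is zero. Returns (T_H*, T_RH0, T_RH1)."""
    hdc_value = hdc(dfr, tc, sc)
    t0 = t_rh0(a, b, c1, c2, c3, mu_y, hdc_value)
    t1 = t_rh1(a, b, sc, mtbf_sil)
    return max(t0, t1), t0, t1


def grid_check(a, b, sc, mtbf_sil, c1, c2, c3, mu_y, dfr=0.01, tc=24.0,
               t_max=200.0, step=0.1):
    """Brute-force cross-check: cheapest grid point that satisfies the MTBF constraint."""
    hdc_value = hdc(dfr, tc, sc)
    best_t, best_cost = None, math.inf
    for i in range(int(t_max / step) + 1):
        T = i * step
        if mtbf_sc_instantaneous(T, a, b, sc) < mtbf_sil:
            continue  # infeasible: target MTBF not yet reached by testing time T
        cost = total_cost_high(T, a, b, c1, c2, c3, mu_y, hdc_value)
        if cost < best_cost:
            best_t, best_cost = T, cost
    return best_t, best_cost


if __name__ == "__main__":
    # Constructed SRGM parameters and SC; cost constants and MTBF_SIL-4 from Eq. (63).
    a, b, sc = 150.0, 0.12, 60.0
    c1, c2, c3, mu_y = 1.0, 100.0, 1.0e8, 0.1
    mtbf_sil4 = 41666.7
    t_star, t0, t1 = optimal_release_high(a, b, sc, mtbf_sil4, c1, c2, c3, mu_y)
    print(f"T_RH0 = {t0:.1f} days, T_RH1 = {t1:.1f} days, T_H* = {t_star:.1f} days")
    print("grid cross-check (T, cost):", grid_check(a, b, sc, mtbf_sil4, c1, c2, c3, mu_y))
```

With these constructed parameters the MTBF constraint binds (T_RH1 > T_RH0), so the release time is set by the SIL-4 target rather than by the cost minimum, the same situation as in Eq. (64).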
9. Concluding Remarks
In this paper, we have proposed a method of calculating the software SIL for the low
demand mode and high demand mode based on IEC 61508 with optimal software
release policies based on functional safety standards and risk costs. Especially, we
1450030-23
2nd Reading
December 15, 2014 15:14 WSPC/S0218-5393 122-IJRQSE 1450030
have applied the reliability assessment measures derived from SRGMs by using
fault-detection data collected during testing. Then, we can grasp the degree of
attainment of the planned SIL target value and easily feed it back into the testing
policy. Accordingly, we may secure system-wide safety and realize highly reliable
and safe software development based on the optimal software release policies.
As future work, we are going to verify our method of calculating the software
SIL on many practical applications. Therefore, we have to investigate the
metrics collectable during software development. Moreover, we are going to
consider how to apply the method of calculating the software SIL to other development
paradigms such as iterative and incremental development processes.
Acknowledgments
This work was supported in part by the Grant-in-Aid for Scientific Research (C),
Grant No. 25350445 from Japan Society for the Promotion of Science. The authors
would like to thank Mr. Yuki Fujita, Graduate Student at Tottori University, Japan,
for his helpful comments.
References
1. ISO/IEC 9126, Software Engineering — Product Quality (1991).
2. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (1998).
3. S. Yamada, Software Reliability Modeling: Fundamentals and Applications (Springer-Verlag, Tokyo/Heidelberg, 2013).
4. T. Fujiwara, J. E. Esteves, Y. Satoh and S. Yamada, A calculation method for software safety integrity level, in Proc. 1st Workshop on Critical Automotive Applications: Robustness and Safety (Valencia, Spain, 2010), pp. 31–34.
5. T. Nishikawa, T. Fujiwara and S. Yamada, Quantitative assessment for software safety integrity level based on functional safety standards, in Proc. 18th ISSAT Int. Conf. Reliability and Quality in Design (Boston, MA, USA, 2012), pp. 283–287.
6. S. Yamada, S. Osaki and H. Narihisa, A software reliability growth model with two types of errors, RAIRO Oper. Res. 19(1) (1985) 87–104.
7. T. Nishikawa and S. Yamada, Quantitative assessment for software safety integrity level with optimal software release policies, in Proc. 19th ISSAT Int. Conf. Reliability and Quality in Design (Honolulu, Hawaii, USA, 2013), 5–7 August, pp. 180–184.
8. X. Zhang and H. Pham, A software cost model with error removal times and risk costs, Int. J. Syst. Sci. 29(4) (1998) 435–442.
1993, the Paper Award from the Reliability Engineering Association of Japan in
1999, International Leadership Award in Reliability Engineering Research from the
ICQRIT/SREQOM in 2003, the Best Paper Award at the 2004 International Com-
puter Symposium, the Best Paper Award from the Society of Project Management
in 2006, the Leadership Award from the ISSAT (USA) in 2007, the Outstanding
Paper Award at the IEEE-IEEM 2008, the International Leadership and Pioneering
Research Award in Software Reliability Engineering from the SRECOM/ICQRIT
in 2009, the Exceptional International Leadership and Contribution Award in Soft-
ware Reliability at the ICRITO2010, 2011 Best Paper Award from the IEEE Reli-
ability Society Japan Chapter in 2012, and the Leadership Award from the ISAT
(USA) in 2014.
He is a regular member of the IEICE, the Information Processing Society of
Japan, the Operations Research Society of Japan, the Reliability Engineering Asso-
ciation of Japan, Japan Industrial Management Association, the Japanese Society
for Quality Control, the Society of Project Management of Japan, and the IEEE.
Takahiro Nishikawa was born in Tottori Prefecture, Japan, in 1988. He received
his B.S.E. and M.S. degree from Tottori University in 2012 and 2014, respectively.
He has been working at the Japan Air Self-Defense Force since 2014. His research
interests included software reliability and safety assessment at Graduate School of
Engineering, Tottori University.