
2nd Reading

December 15, 2014 15:14 WSPC/S0218-5393 122-IJRQSE 1450030

International Journal of Reliability, Quality and Safety Engineering
Vol. 21, No. 6 (2014) 1450030 (25 pages)
© World Scientific Publishing Company
DOI: 10.1142/S0218539314500302

QUANTITATIVE ASSESSMENT FOR SOFTWARE SAFETY INTEGRITY LEVEL WITH FUNCTIONAL SAFETY STANDARDS AND RISK COSTS

SHIGERU YAMADA∗ and TAKAHIRO NISHIKAWA†

Department of Social Management Engineering,
Graduate School of Engineering, Tottori University,
Minami 4-101, Koyama, Tottori-shi 680-8552, Japan
∗yamada@sse.tottori-u.ac.jp
†m12t7016c@edu.tottori-u.ac.jp

Int. J. Rel. Qual. Saf. Eng. 2014.21. Downloaded from www.worldscientific.com by FLINDERS UNIVERSITY LIBRARY on 02/07/15. For personal use only.

Received 15 March 2014
Revised 26 July 2014
Accepted 24 November 2014
Published 17 December 2014

Reliability and safety of hardware in computer systems have been studied sufficiently in recent years. On the other hand, a safety-related system (SRS) implemented in software has not been assured with a proper method of calculating the software safety integrity level (SIL) in the functional safety standards, where the software SIL is currently determined only by the number of development methods applied to practical SRSs. In this paper, we discuss quantitative assessment of the software SIL by applying quantitative measures based on software reliability growth models (SRGMs), which have been widely and successfully applied to practical software quality management activities. Based on a nonhomogeneous Poisson process (NHPP), plausible methods of calculating the software SIL in the functional safety standard are proposed. Further, we discuss a quantitative method for assuring the software SIL based on optimal release policies with the test cost during the testing environment and the risk cost after the software product is released.

Keywords: Functional safety; software safety integrity level; software reliability growth
model; nonhomogeneous Poisson process; optimal release policies; risk costs.

1. Introduction
Recently, there have been frequent product recalls in our social life. One of the causes can be considered to be the low reliability and safety maturity of the embedded software system, which is a main component of the computer systems used in various fields. That is, once system failures due to faults (defects or errors) latent in the software come to the surface, the whole system including its computer system becomes entirely useless and many people sustain great damage. Occasionally, these are also worst-level faults which would bring about serious and critical accidents to human

∗ Corresponding author.


life and property. Accordingly, the development of highly reliable and safe software systems is an important issue for developers and users.
It is often considered that safety is obtained by improving reliability, as defined by the standardized software quality characteristics of ISO/IEC 9126.1 However, safety and reliability are essentially different concepts, and an improvement in reliability does not necessarily result in an improvement in safety. That is, when the safety requirements for software development are missing, we cannot say that safe software has been constructed even if the reliability requirements are sufficiently provided.
Therefore, as one of the solutions to the software safety issue, developers of social infrastructure systems such as railway and automobile systems have been conforming their development to the functional safety standard IEC 61508.2 In the functional safety standard, several quantitative analytical methods for the safety integrity level (SIL) of a safety-related system (SRS) are defined for hardware. Traditionally, however, the software SIL has been determined only by the number of methods applied to practical SRS development.
However, from the viewpoint of our actual software development experience, we object to this usual way of determining the SIL. That is, in contrast with the functional safety standard's definition, it is a well-known fact that software development is strongly influenced by the developers' skills and experience.
In this paper, we propose a quantitative method of calculating the software SIL in the functional safety standard, with the test cost during the testing environment and the risk cost after the software product is released, based on reliability assessment measures derived from software reliability growth models (SRGMs)3 and software management metrics.

2. Description of SRGM3
2.1. Nonhomogeneous Poisson process model
Generally, during the testing phase of the software development process, the developers have to execute many test cases in order to verify the implemented functions against the requirement specifications. In doing so they detect many faults latent in the software system, and these are corrected and removed in accordance with the specified procedures. Software reliability growth during the testing phase therefore means the relationship between the testing time and the cumulative number of faults detected by testing, or the time interval between software failures, and the reliability growth curve represents the time-dependent behavior of the cumulative number of detected faults as testing progresses. By describing the fault-detection phenomenon with a stochastic model based on a nonhomogeneous Poisson process (NHPP), we can obtain useful measures for software reliability assessment during the testing phase and reliability prediction during the operation phase.


In order to describe the fault-detection phenomenon at arbitrary testing time t, let {N(t), t ≥ 0} denote a counting process representing the cumulative number of faults detected up to testing time t. Then the fault-detection phenomenon can be formulated by an NHPP as follows:

$$\Pr\{N(t)=n\} = \frac{\{H(t)\}^n}{n!}\exp[-H(t)] \quad (n=0,1,2,\ldots), \qquad H(t)=\int_0^t h(x)\,dx \quad (t\ge 0), \tag{1}$$

where Pr{A} means the probability of event A, and H(t) is called the mean value function of the NHPP, which represents the expected value of N(t). Further, h(t) is called the intensity function of the NHPP and represents the instantaneous fault-detection rate at testing time t. We have to choose the most suitable model from the existing SRGMs by specifying the mean value function and the intensity function.
Further, we assume the exponential SRGM with mean value function m(t) and intensity function h_m(t) for the fault-detection process. The exponential SRGM, which is widely used to analyze software failure-occurrence data, is an NHPP model with the mean value function and the intensity function in Eq. (1) given by

$$m(t) = a(1-e^{-bt}) \quad (a>0,\ b>0), \tag{2}$$
$$h_m(t) = ab\,e^{-bt}, \tag{3}$$

where a is the expected number of faults to be eventually detected and b is the fault-detection rate per fault (constant in time for this model).

2.2. Criteria for selecting suitable SRGMs


We have to choose the most suitable model from existing SRGMs to obtain useful
information from data analyses. As criteria for selecting the most suitable model
for the observed data, we can use the mean square errors (MSE) and the Akaike
Information Criterion (AIC).

• MSE:

Letting Ĥ(t) be the estimated mean value function, we can calculate the MSE as

$$\mathrm{MSE} = \frac{1}{n}\sum_{k=1}^{n}\bigl[y_k - \hat{H}(t_k)\bigr]^2, \tag{4}$$

where y_k is the cumulative number of faults detected during (0, t_k] (k = 1, 2, ..., n) and n is the number of data pairs (t_k, y_k). Accordingly, we conclude that the SRGM with the smallest MSE fits the analyzed data best.


• AIC:

The AIC can be calculated as

$$\mathrm{AIC} = 2\times\{M - (\text{the logarithmic maximum likelihood of the applied SRGM})\}, \tag{5}$$

where M is the number of parameters in the applied SRGM. The model parameters are estimated by the method of maximum likelihood. When the AIC values of the compared SRGMs have been calculated, a difference of 2 or more between them is judged significant, and the SRGM with the smallest value fits best. If the difference is less than 2, neither model can be judged superior, and the two are taken to have the same degree of goodness-of-fit.
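As an added worked example (not code from the paper), the following Python fits the exponential SRGM of Eqs. (2) and (3) to grouped fault-count data by maximum likelihood, then computes the MSE of Eq. (4) and the AIC of Eq. (5). The data set SAMPLE_DATA is constructed for illustration (rounded values of m(t) = 60(1 − e^(−0.08t)) at t = 1, ..., 10), not the 21-pair data set used later in the paper; the golden-section search on the profile likelihood is one implementation choice for the estimation, not the authors' procedure.

```python
import math

# Constructed sample data (not the paper's data set): cumulative number of
# faults y_k detected by the end of testing day t_k. Produced by rounding
# m(t) = 60(1 - exp(-0.08 t)) at t = 1..10, so the true parameters are
# approximately a = 60, b = 0.08.
SAMPLE_DATA = [(1, 5), (2, 9), (3, 13), (4, 16), (5, 20),
               (6, 23), (7, 26), (8, 28), (9, 31), (10, 33)]


def mean_value(t, a, b):
    """Exponential SRGM mean value function m(t) = a(1 - e^{-bt}), Eq. (2)."""
    return a * (1.0 - math.exp(-b * t))


def intensity(t, a, b):
    """Intensity function h_m(t) = a b e^{-bt}, Eq. (3)."""
    return a * b * math.exp(-b * t)


def _increments(data):
    """Yield (t_{k-1}, t_k, n_k) with n_k = y_k - y_{k-1}, t_0 = 0, y_0 = 0."""
    prev_t, prev_y = 0.0, 0
    for t, y in data:
        if t <= prev_t or y < prev_y:
            raise ValueError("data must have increasing t and non-decreasing y")
        yield prev_t, t, y - prev_y
        prev_t, prev_y = t, y


def log_likelihood(a, b, data):
    """NHPP log-likelihood of grouped data: the counts n_k in disjoint
    intervals are independent Poisson variables with means m(t_k) - m(t_{k-1})."""
    ll = 0.0
    for t0, t1, n in _increments(data):
        mean = a * (math.exp(-b * t0) - math.exp(-b * t1))
        ll += n * math.log(mean) - mean - math.lgamma(n + 1)
    return ll


def a_given_b(b, data):
    """Setting dL/da = 0 gives the MLE of a for fixed b: a(b) = y_n / (1 - e^{-b t_n})."""
    t_n, y_n = data[-1]
    return y_n / (1.0 - math.exp(-b * t_n))


def fit_exponential_srgm(data, b_lo=1e-4, b_hi=2.0, iters=200):
    """Maximum-likelihood estimates (a_hat, b_hat): golden-section search on
    the one-dimensional profile likelihood L(a(b), b) over b in [b_lo, b_hi]."""
    def profile(b):
        return log_likelihood(a_given_b(b, data), b, data)

    phi = (math.sqrt(5.0) - 1.0) / 2.0
    lo, hi = b_lo, b_hi
    x1, x2 = hi - phi * (hi - lo), lo + phi * (hi - lo)
    f1, f2 = profile(x1), profile(x2)
    for _ in range(iters):
        if f1 > f2:              # maximum lies in [lo, x2]
            hi, x2, f2 = x2, x1, f1
            x1 = hi - phi * (hi - lo)
            f1 = profile(x1)
        else:                    # maximum lies in [x1, hi]
            lo, x1, f1 = x1, x2, f2
            x2 = lo + phi * (hi - lo)
            f2 = profile(x2)
    b_hat = (lo + hi) / 2.0
    return a_given_b(b_hat, data), b_hat


def mse(data, a, b):
    """Mean square error between the data and the fitted m(t), Eq. (4)."""
    return sum((y - mean_value(t, a, b)) ** 2 for t, y in data) / len(data)


def aic(data, a, b, n_params=2):
    """AIC = 2 * (M - log maximum likelihood), Eq. (5); M = 2 for (a, b)."""
    return 2.0 * (n_params - log_likelihood(a, b, data))


def aic_difference_is_significant(aic_1, aic_2):
    """Selection rule of Sec. 2.2: a gap of 2 or more separates the models."""
    return abs(aic_1 - aic_2) >= 2.0


if __name__ == "__main__":
    a_hat, b_hat = fit_exponential_srgm(SAMPLE_DATA)
    print(f"a_hat = {a_hat:.2f}, b_hat = {b_hat:.4f}, "
          f"MSE = {mse(SAMPLE_DATA, a_hat, b_hat):.3f}, "
          f"AIC = {aic(SAMPLE_DATA, a_hat, b_hat):.2f}")
```

Because the MLE of a is available in closed form for fixed b, the two-parameter problem collapses to a one-dimensional search; one useful check of any fit is that the fitted m(t_n) equals the last observed cumulative count y_n exactly, which the closed form guarantees. The AIC keeps the ln n_k! terms, which are constant across models fitted to the same data and so do not affect the comparison rule.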

3. Software SIL
Safety integrity and the SIL are defined in IEC 61508-4 as follows2:

• Safety Integrity:

The probability of an SRS satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.

• SIL:

The discrete level for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE SRSs,2 where SIL-4 has the highest level of safety integrity and SIL-1 the lowest.
Target failure measures for the four SILs are specified in Table 1 (see IEC 61508-12). The target failure measure is defined as the intended probability of dangerous mode failures to be achieved in respect of the safety integrity requirements, and it is specified according to the mode of operation defined in IEC 61508-4:

Table 1. Definition of SIL levels (target failure measures for a safety function allocated to an E/E/PE SRS).

SIL   Low demand mode of operation (PFD, SIL_L)   High demand mode of operation (PFH, SIL_H)
 4    10^-5 ≤ SIL_L < 10^-4                        10^-9 ≤ SIL_H < 10^-8
 3    10^-4 ≤ SIL_L < 10^-3                        10^-8 ≤ SIL_H < 10^-7
 2    10^-3 ≤ SIL_L < 10^-2                        10^-7 ≤ SIL_H < 10^-6
 1    10^-2 ≤ SIL_L < 10^-1                        10^-6 ≤ SIL_H < 10^-5

• Low demand mode:

The frequency of demands for operation made on an SRS is no greater than one per year and no greater than twice the proof-test frequency. The target failure measure in this mode is the average probability of failure on demand (PFD) of the design function per frequency of


demands. In IEC 61508-4, PFD is defined as an unavailability. That is, low availability indicates low reliability, since failures occur often. Accordingly, in order to make the software availability high, the software system needs to have a low occurrence probability of software failures of the design function under all the stated conditions within a stated period of time. Consequently, the PFD in this mode can be computed as an unreliability per demand by applying the software reliability function, one of the reliability assessment measures derived from an NHPP model:

$$\mathrm{PFD} = \mathrm{SIL}_L \equiv 1 - (\text{Software Reliability Function}). \tag{6}$$

• High demand mode:

The frequency of demands for operation made on an SRS is greater than one per year or greater than twice the proof-test frequency. In IEC 61508-4, the target failure measure for this mode is the average probability of dangerous failure per hour (PFH), which can be regarded as the dangerous failure rate or dangerous failure intensity of the SRS. When the repair time is negligible compared with the mean time to failure, the dangerous failure rate and the dangerous failure intensity are almost equivalent. Furthermore, since the unit of PFH is "1/time", PFH can be regarded as the average proportion of dangerous failures per hour and represented by the following equation:

$$\mathrm{PFH} = \mathrm{SIL}_H \equiv \frac{1}{(\text{Mean Time between Software Failures})}. \tag{7}$$

4. Method I for Calculating Software SIL4,5


Generally, to assess the software reliability or the mean time between software failures for the target software with the NHPP models discussed in Sec. 2, we need actual fault data observed during testing. Such data sets are a mixture of dangerous and safe failures. Since the SIL expresses the probability of occurrence of dangerous failures, we have to classify the detected faults into dangerous and safe failures by analyzing their contents. However, some faults cannot be classified as dangerous or safe from their contents; we call this type of fault an unclear failure (UCF). Taking this situation into account, we calculate the dangerous failure ratio (DFR) according to the literature.4
When we assess the software SIL, we also have to take into consideration the correspondence between software execution under the testing environment and under the operational environment. For this purpose we introduce the severity coefficient (SC) of fault detection.
Software reliability is the measure that represents the software failure-occurrence or fault-detection time interval as a probability. Let X_k (k = 1, 2, ...) be the time interval between the (k − 1)th and kth software failure-occurrences or fault-detections. Then the random variable $S_k = \sum_{i=1}^{k} X_i$ is the kth software failure-occurrence time or fault-detection time. If we assume that the (k − 1)th software


failure-occurrence time or fault-detection time S_{k−1} = t is given, then from Eq. (1) the conditional reliability function for X_k is given by

$$R(x\mid t) \equiv \Pr\{X_k > x \mid S_{k-1}=t\} = \exp[-\{H(t+x)-H(t)\}] \quad (x\ge 0,\ t\ge 0). \tag{8}$$

Equation (8) gives the probability that no software failure occurs, or no fault is detected, in the testing time interval (t, t + x]. The software reliability function in Eq. (8) is applied to calculate the PFD in Eq. (6) for the low demand mode.
We can calculate the software SIL for the high demand mode by using Eq. (7) discussed in Sec. 3. Because the mean time between failures (MTBF) for software can be represented as the mean time between software failure-occurrences or the mean time between fault-detections, we can use the instantaneous MTBF3 and the cumulative MTBF3 as software reliability assessment measures. They are defined as follows:
• Instantaneous MTBF
The instantaneous MTBF is the reciprocal of the intensity function, i.e., of the expected number of faults detected per unit time at testing time t:

$$\mathrm{MTBF}_I(t) = \frac{1}{h(t)}. \tag{9}$$

Note that the instantaneous MTBF tends to give an optimistic estimate, because it is obtained from only the latest data.
• Cumulative MTBF
The cumulative MTBF is calculated as

$$\mathrm{MTBF}_C(t) = \frac{t}{H(t)}. \tag{10}$$

Note that the cumulative MTBF tends to give a pessimistic value, because it is obtained from all data observed from the beginning of testing to the present.

4.1. Calculation for the low demand mode


In order to obtain the software reliability focused only on dangerous failure under the user operational environment, we apply the DFR and SC discussed above to Eq. (8) as follows:

$$R_L(SC(x)\mid t) = \exp[-\mathrm{DFR}\times\{H(t+SC(x))-H(t)\}]. \tag{11}$$


Consequently, from Eqs. (6) and (11) we get the following equation as the calculation method for the software SIL in the low demand mode:

$$\mathrm{SIL}_L = 1 - R_L(SC(x)\mid t). \tag{12}$$

[Fig. 1. The estimated software reliability by applying method I. Two panels plot Software Reliability R_L(7.3|t) (vertical axis, 0.90 to 1.00) against Testing Time (Days). Upper panel (14 to 22 days): estimate from the first 14 days of data, with the value 0.9150 marked. Lower panel (21 to 29 days): estimate from all 21 data pairs, with the value 0.9645 marked.]

For example, in order to evaluate the calculation method for the software SIL for the low demand mode, we adopt an actual data set of the number of fault-detections observed in an actual testing phase, which consists of 21 data pairs in the form of

$$DS:\ (t_k, y_k) \quad (k=1,2,\ldots,21;\ 0<t_1<t_2<\cdots<t_{21}),$$


where the testing time t_k is measured in calendar days. This data set was collected in testing where test cases designed beforehand from the customer requirements were executed one by one.
As analysis results for this data set based on the exponential SRGM with m(t) in Eq. (2), Fig. 1 shows the estimated software reliability function for the low demand mode. The upper panel of Fig. 1 is the result analyzed using the number of fault-detections from the beginning of testing to the 14th day, and the lower panel shows the result analyzed with all 21 data pairs. As preconditions for the analysis, we assume that one day under the testing environment corresponds to 50 days under the operational environment (SC = 50), and that DFR is 0.01.
From Fig. 1, we can calculate the software SIL for the low demand mode when t14 = 14 (â = 59.61, b̂ = 0.0725) and t21 = 21 (â = 51.31, b̂ = 0.0928) as follows:

$$\mathrm{SIL}_L|_{t_{14}=14} = 1 - 0.9150 = 8.50\times 10^{-2}, \tag{13}$$
$$\mathrm{SIL}_L|_{t_{21}=21} = 1 - 0.9645 = 3.55\times 10^{-2}. \tag{14}$$

In Fig. 1, assuming that the operation requirement is one year under the user operational environment, this is equivalent to 7.3 days under the testing environment when SC is taken into consideration (SC(x) = 365/50 = 7.3). As shown in the upper panel of Fig. 1, the software reliability function for dangerous failure under the user operational environment is 0.9150, so the occurrence probability of dangerous failure is 8.50 × 10^−2, the result of Eq. (13). Therefore, from Table 1, SIL_L at t14 = 14 corresponds to SIL-1. Similarly, as shown in the lower panel of Fig. 1, the software reliability function for dangerous failure under the user operational environment is 0.9645, so the occurrence probability of dangerous failure is 3.55 × 10^−2, the result of Eq. (14), and from Table 1 SIL_L at t21 = 21 again corresponds to SIL-1. Accordingly, we can judge quantitatively that the software SIL for the low demand mode is maintained with additional testing time, with the PFD moving lower within the SIL-1 band.

4.2. Calculation for the high demand mode


In order to obtain the MTBF under the user operational environment, we apply the SC discussed above to Eqs. (9) and (10) as follows (the DFR, which restricts the measure to dangerous failure, enters in Eq. (17) below):

$$\mathrm{MTBF}_{SCI}(t) = \frac{SC}{h(t)}, \tag{15}$$
$$\mathrm{MTBF}_{SCC}(t) = \frac{SC\times t}{H(t)}. \tag{16}$$


Consequently, from Eqs. (7) and (15) or (16) together with the DFR, we get the following equation as the calculation method for the software SIL in the high demand mode:

$$\mathrm{SIL}_H = \frac{\mathrm{DFR}}{\mathrm{MTBF}_{SC}(t)\times TC}. \tag{17}$$

In Eq. (17), MTBF_SC(t) is given by Eq. (15) or (16), and TC is the transform coefficient, which converts the collection time unit of the fault-detection data used for the MTBF calculation into hours (TC = 24 when the data are collected per calendar day).
For example, in order to evaluate the calculation method for the software SIL for the high demand mode, we adopt the actual data set discussed in Sec. 4.1.
[Fig. 2. The estimated instantaneous MTBF by applying method I. Two panels plot Instantaneous MTBF_SC(T) (Days) (vertical axis, 0 to 120) against Testing Time (Days) (5 to 25). Upper panel: estimate from the first 14 days of data, with the value 31.9239 marked. Lower panel: estimate from all 21 data pairs, with the value 73.7171 marked.]


As analysis results for this data set based on the exponential SRGM with m(t) in Eq. (2), Fig. 2 shows the estimated instantaneous MTBF of Eq. (15) for the high demand mode. The upper panel of Fig. 2 is the result analyzed using the number of fault-detections from the beginning of testing to the 14th day, and the lower panel shows the result analyzed with all 21 data pairs. As preconditions for the analysis, we assume that one day under the testing environment corresponds to 50 days under the operational environment (SC = 50), and that DFR is 0.01.
From Fig. 2, we can calculate the software SIL for the high demand mode when t14 = 14 (â = 59.61, b̂ = 0.0725) and t21 = 21 (â = 51.31, b̂ = 0.0928) as follows:

$$\mathrm{SIL}_H|_{t_{14}=14} = \frac{0.01}{31.92\times 24} = 1.31\times 10^{-5}, \tag{18}$$
$$\mathrm{SIL}_H|_{t_{21}=21} = \frac{0.01}{73.72\times 24} = 5.65\times 10^{-6}. \tag{19}$$
Figure 2 shows the instantaneous MTBF for dangerous failure under the user operational environment, with TC set to 24 because the measurement unit is the calendar day. As shown in the upper panel of Fig. 2, the instantaneous MTBF is about 31.92 days, so the PFH for dangerous failure under the user operational environment is 1.31 × 10^−5 per hour, the result of Eq. (18). Therefore, from Table 1, SIL_H at t14 = 14 does not meet the target failure measure of even SIL-1. Similarly, as shown in the lower panel of Fig. 2, the instantaneous MTBF for dangerous failure under the user operational environment is about 73.72 days, so the PFH is 5.65 × 10^−6 per hour, the result of Eq. (19). Therefore, from Table 1, SIL_H at t21 = 21 corresponds to SIL-1. Accordingly, we can judge quantitatively that the software SIL for the high demand mode is attained and maintained with additional testing time.

5. Method II for Calculating Software SIL4,5


5.1. Modified exponential SRGM
In this section, we propose another calculation method for the software SIL by applying the modified exponential SRGM3,6 based on an NHPP. This model assumes that there exist two types of faults: some are easy to detect and the others are difficult to detect. The former are defined as Type 1 faults and the latter as Type 2 faults.
The mean value function and intensity function of the NHPP are respectively given by

$$H_p(t) = a\sum_{i=1}^{2} p_i\,(1-e^{-b_i t}), \tag{20}$$
$$h_p(t) = a\sum_{i=1}^{2} p_i\, b_i\, e^{-b_i t} \tag{21}$$
$$(a>0,\ 0<b_2<b_1<1,\ p_1+p_2=1,\ 0<p_i<1),$$

where a is the expected initial fault content in the software system, b_i the fault-detection rate per Type i fault (per unit time) (i = 1, 2), and p_i the content proportion of Type i faults (i = 1, 2). Furthermore, p_i is assumed to be a prespecified content proportion based on past project experience.
Further, the fault-detection rate per fault at time t can be represented by

$$b(t) = \sum_{i=1}^{2} b_i\,\frac{p_i\, e^{-b_i t}}{p_1 e^{-b_1 t}+p_2 e^{-b_2 t}}. \tag{22}$$

5.2. Calculation for low demand mode

In order to obtain the software reliability focused only on dangerous failure under the user operational environment, we use p2, the content proportion of Type 2 faults, in place of the DFR in Eq. (11). Thus, we have

$$R_{LME}(SC(x)\mid t) = \exp[-p_2\times\{H_p(t+SC(x))-H_p(t)\}]. \tag{23}$$

Consequently, from Eqs. (6) and (23) we get the following equation as the calculation method for the software SIL in the low demand mode:

$$\mathrm{SIL}_{LME} = 1 - R_{LME}(SC(x)\mid t). \tag{24}$$
[Fig. 3. The estimated software reliability by applying method II. Two panels plot Software Reliability R_L(7.3|t) (vertical axis, 0.90 to 1.00) against Testing Time (Days). Upper panel (14 to 22 days): estimate from the first 14 days of data, with the value 0.9150 marked. Lower panel (21 to 29 days): estimate from all 21 data pairs, with the value 0.9647 marked.]

For example, in order to evaluate the calculation method for the software SIL for the low demand mode, we adopt the actual data set discussed in Sec. 4.1.
As analysis results for this data set based on the modified exponential SRGM with H_p(t) in Eq. (20), Fig. 3 shows the estimated software reliability for the low demand mode. The upper panel of Fig. 3 is the analysis result using the fault-detection data observed from the beginning of testing to the 14th day, and the lower panel shows the analysis result using all 21 data pairs. Here, we assume that one day under the testing environment corresponds to 50 days under the operational environment (SC = 50), and that p2 is 0.01.
From Fig. 3, we can calculate the software SIL for the low demand mode when t14 = 14 (â = 59.88, b̂1 = 0.0727, b̂2 = 0.0200) and t21 = 21 (â = 51.53, b̂1 = 0.0931, b̂2 = 0.0242) as follows:

$$\mathrm{SIL}_{LME}|_{t_{14}=14} = 1 - 0.9150 = 8.50\times 10^{-2}, \tag{25}$$
$$\mathrm{SIL}_{LME}|_{t_{21}=21} = 1 - 0.9647 = 3.53\times 10^{-2}. \tag{26}$$

In Fig. 3, assuming that the operation requirement is one year under the user operational environment, this is equivalent to 7.3 days under the testing environment when SC is taken into consideration (SC(x) = 7.3). As shown

in the upper panel of Fig. 3, the software reliability function for dangerous failure under the user operational environment is 0.9150, so the occurrence probability of dangerous failure is 8.50 × 10^−2, the result of Eq. (25). Therefore, from Table 1, SIL_LME at t14 = 14 corresponds to SIL-1. Similarly, as shown in the lower panel of Fig. 3, the software reliability function for dangerous failure under the user operational environment is 0.9647, so the occurrence probability of dangerous failure is 3.53 × 10^−2, the result of Eq. (26), and from Table 1 SIL_LME at t21 = 21 again corresponds to SIL-1. Accordingly, we can judge quantitatively that the software SIL for the low demand mode is maintained with additional testing time.


5.3. Calculation for high demand mode

In order to obtain the MTBF under the user operational environment, we apply the SC discussed above to Eqs. (9) and (10) with H_p(t) and h_p(t) as follows:

$$\mathrm{MTBF}_{SCIp}(t) = \frac{SC}{h_p(t)}, \tag{27}$$
$$\mathrm{MTBF}_{SCCp}(t) = \frac{SC\times t}{H_p(t)}. \tag{28}$$

Consequently, from Eqs. (7) and (27) or (28), with p2 (the content proportion of Type 2 faults) in place of the DFR, we get the following equation as the calculation method for the software SIL in the high demand mode:

$$\mathrm{SIL}_{HME} = \frac{p_2}{\mathrm{MTBF}_{SC}(t)\times TC}. \tag{29}$$

In Eq. (29), MTBF_SC(t) is given by Eq. (27) or (28), and TC is the transform coefficient that converts the collection time unit of the fault-detection data used for the MTBF calculation into hours.
For example, in order to evaluate the calculation method for the software SIL for the high demand mode, we adopt the actual data set discussed in Sec. 4.1.
As analysis results for this data set based on the modified exponential SRGM with H_p(t) in Eq. (20), Fig. 4 shows the estimated instantaneous MTBF of the software for the high demand mode. The upper panel of Fig. 4 is the analysis result using the fault-detection data observed from the beginning of testing to the 14th day, and the lower panel shows the analysis result using all 21 data pairs. Here, we assume that one day under the testing environment corresponds to 50 days under the operational environment (SC = 50), and that p2 is 0.01.
From Fig. 4, we can calculate the software SIL for the high demand mode when t14 = 14 (â = 59.88, b̂1 = 0.0727, b̂2 = 0.0200) and t21 = 21 (â = 51.53, b̂1 = 0.0931, b̂2 = 0.0242) as follows:

$$\mathrm{SIL}_{HME}|_{t_{14}=14} = \frac{0.01}{31.92\times 24} = 1.31\times 10^{-5}, \tag{30}$$
$$\mathrm{SIL}_{HME}|_{t_{21}=21} = \frac{0.01}{73.72\times 24} = 5.65\times 10^{-6}. \tag{31}$$
[Fig. 4. The estimated instantaneous MTBF by applying method II. Two panels plot Instantaneous MTBF_SC(T) (Days) (vertical axis, 0 to 120) against Testing Time (Days) (5 to 25). Upper panel: estimate from the first 14 days of data, with the value 31.9237 marked. Lower panel: estimate from all 21 data pairs, with the value 73.7155 marked.]

Figure 4 shows the instantaneous MTBF for dangerous failure under the user operational environment, with TC set to 24 because the measurement unit is the calendar day. As shown in the upper panel of Fig. 4, the instantaneous MTBF is about 31.92 days, so the PFH for dangerous failure under the user operational environment is 1.31 × 10^−5 per hour, the result of Eq. (30). Therefore, from Table 1, SIL_HME at t14 = 14 does not meet the target failure measure of even SIL-1. Similarly, as shown in the lower panel of Fig. 4, the instantaneous MTBF for dangerous failure under the user operational environment is about 73.72 days, so the PFH is 5.65 × 10^−6 per hour, the result of Eq. (31). Therefore, from Table 1, SIL_HME at t21 = 21 corresponds to SIL-1. Accordingly, we can judge quantitatively that the software SIL for the high demand mode is attained and maintained with additional testing time.
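The following Python block, added here as a worked example and not code from the paper, carries the calculations of Secs. 3, 4 and 5 through for both Method I (exponential SRGM, Eqs. (11) to (17)) and Method II (modified exponential SRGM, Eqs. (23) to (29)) using the parameter estimates quoted in Secs. 4 and 5, and maps the resulting PFD and PFH to the SIL bands of Table 1. For Method II the dfr argument carries p2, as Eqs. (23) and (29) prescribe. The function and class names, and the treatment of values below the SIL-4 floor (reported as SIL-4), are assumptions of this example.

```python
import math

# Target failure measures of Table 1 (IEC 61508-1) as (level, lower, upper):
# PFD bands for low demand mode, PFH bands (per hour) for high demand mode.
SIL_BANDS = {
    "low":  [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)],
    "high": [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)],
}


def sil_level(value, mode):
    """Map a PFD (mode 'low') or PFH (mode 'high') to its SIL.

    Returns 0 when the value is worse than the SIL-1 band (the "not fulfilled"
    case of Secs. 4.2 and 5.3). Values below the SIL-4 floor are reported as
    SIL-4; that is an assumption of this example, since Table 1 has no band there."""
    bands = SIL_BANDS[mode]
    for level, lower, upper in bands:
        if lower <= value < upper:
            return level
    return 4 if value < bands[0][1] else 0


class ExponentialSRGM:
    """Method I: m(t) = a(1 - e^{-bt}), h_m(t) = a b e^{-bt}, Eqs. (2)-(3)."""

    def __init__(self, a, b):
        if not (a > 0 and b > 0):
            raise ValueError("need a > 0 and b > 0")
        self.a, self.b = a, b

    def H(self, t):
        return self.a * (1.0 - math.exp(-self.b * t))

    def h(self, t):
        return self.a * self.b * math.exp(-self.b * t)


class ModifiedExponentialSRGM:
    """Method II: Type 1 (easy) and Type 2 (hard) faults with detection rates
    b1 > b2 and content proportions p1 + p2 = 1, Eqs. (20)-(21)."""

    def __init__(self, a, b1, b2, p2):
        if not (a > 0 and 0.0 < b2 < b1 < 1.0 and 0.0 < p2 < 1.0):
            raise ValueError("need a > 0, 0 < b2 < b1 < 1 and 0 < p2 < 1")
        self.a, self.rates, self.props = a, (b1, b2), (1.0 - p2, p2)

    def H(self, t):
        return self.a * sum(p * (1.0 - math.exp(-b * t))
                            for p, b in zip(self.props, self.rates))

    def h(self, t):
        return self.a * sum(p * b * math.exp(-b * t)
                            for p, b in zip(self.props, self.rates))


def dangerous_reliability(model, t, x_op, sc, dfr):
    """R_L(SC(x)|t) = exp[-DFR {H(t + SC(x)) - H(t)}], Eqs. (11)/(23).

    x_op is the required operation time in operational days; SC(x) = x_op / sc
    converts it to testing days (one testing day corresponds to sc operational
    days). For Method II pass p2 as dfr."""
    x_test = x_op / sc
    return math.exp(-dfr * (model.H(t + x_test) - model.H(t)))


def sil_low_demand(model, t, x_op, sc, dfr):
    """PFD = 1 - R_L(SC(x)|t), Eqs. (12)/(24)."""
    return 1.0 - dangerous_reliability(model, t, x_op, sc, dfr)


def instantaneous_mtbf_sc(model, t, sc):
    """MTBF_SCI(t) = SC / h(t), in operational days, Eqs. (15)/(27)."""
    return sc / model.h(t)


def sil_high_demand(model, t, sc, dfr, tc=24.0):
    """PFH = DFR / (MTBF_SC(t) * TC), Eqs. (17)/(29); TC = 24 turns calendar
    days into hours."""
    return dfr / (instantaneous_mtbf_sc(model, t, sc) * tc)


def assess(model, t, x_op=365.0, sc=50.0, dfr=0.01):
    """Return (PFD, low-demand SIL, PFH, high-demand SIL) at testing time t."""
    pfd = sil_low_demand(model, t, x_op, sc, dfr)
    pfh = sil_high_demand(model, t, sc, dfr)
    return pfd, sil_level(pfd, "low"), pfh, sil_level(pfh, "high")


if __name__ == "__main__":
    # Parameter estimates quoted in Secs. 4 and 5 for the 14-day and 21-day fits.
    cases = [
        ("Method I,  t = 14", ExponentialSRGM(59.61, 0.0725), 14),
        ("Method I,  t = 21", ExponentialSRGM(51.31, 0.0928), 21),
        ("Method II, t = 14", ModifiedExponentialSRGM(59.88, 0.0727, 0.0200, 0.01), 14),
        ("Method II, t = 21", ModifiedExponentialSRGM(51.53, 0.0931, 0.0242, 0.01), 21),
    ]
    for name, model, t in cases:
        pfd, sl, pfh, sh = assess(model, t)
        print(f"{name}: PFD = {pfd:.3e} (SIL-{sl}), PFH = {pfh:.3e}/h (SIL-{sh})")
```

Running the block reproduces the figures of Secs. 4 and 5 to the precision quoted there: R_L(7.3|14) ≈ 0.915 and an instantaneous MTBF of about 31.92 operational days for both models at t = 14, giving SIL-1 in low demand mode and no SIL in high demand mode, and SIL-1 in both modes at t = 21. Note that the two models agree so closely here only because p2 = 0.01 makes the Type 2 term almost invisible; the choice of p2 (or DFR) dominates the high demand result, since it multiplies the PFH directly.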

6. Method I for Assuring Software SIL Based on Optimal Release Policies7
6.1. Optimal software release problem
Consider the total software cost incurred during the software life cycle, measured from the time when testing starts. The cost of testing before release and the costs of fixing faults before and after release are counted as the software cost factors. The following notation is introduced:
c1 = the cost of fixing a fault detected during testing,
c2 = the cost of fixing a fault detected during operation (c2 > c1 > 0),
c3 = the cost of testing per unit time,
T_LC = the software life-cycle length,
T = the software release time, i.e., the total testing time,
T* = the optimum software release time.
Let C(T) denote the total expected software cost based on the exponential SRGM with Eq. (2). Then the total expected software cost during testing and operation is given by

$$C(T) = c_1 m(T) + c_2\{m(T_{LC}) - m(T)\} + c_3 T. \tag{32}$$

The optimum software release time is the testing time which minimizes the total expected software cost in Eq. (32).

6.2. Optimal software release policies for the low demand mode
From Eq. (8), we obtain the software reliability as
R(SC(x) | t) = exp[−m(SC(x))e−bt ]. (33)
In order to obtain the software reliability focused only on dangerous failure under
the user operational-environment, we have to apply DFR and SC discussed above
to specific formulation as
RL (SC(x) | t) = exp[−DFR × m(SC(x)) × e−bt ]. (34)
The optimum software release time, TL∗ , for the low demand mode is given by the
testing time which comes closest to satisfying some prespecified software reliability:
RL (SC(x) | t) = RSIL−i (1 ≤ i ≤ 4), where x is the operation time of a released
software system and i means the level of SIL.
It can be shown that, given the constraints on the parameters, there is a unique
time that minimizes the total expected software cost. From Eqs. (32) and (34), if
ab(c2 − c1 ) > c3 , then there exists an interior minimum for C(T ) at
bT0 = ln[ab(c2 − c1 )/c3 ]. (35)
Otherwise, there is an exterior unattainable minimum, and the boundary value is
the attainable minimum at
T0 = 0. (36)
Likewise, there is a unique time that brings the reliability closest to its requirement. If RL(SC(x) | 0) < RSIL−i, then there exists an interior solution to RL(SC(x) | T) = RSIL−i at

bT1 = ln[DFR × m(SC(x))] − ln[ln(1/RSIL−i)], (37)

obtained by solving Eq. (34) for T. Otherwise, there is an exterior unattainable solution, and the boundary value is the closest attainable value at

T1 = 0. (38)
Consider the optimal software release policies for the low demand mode which minimize the total expected software cost under the constraint qualification that the software reliability achieved by software testing is not less than some prespecified value RSIL−i. The optimal software release problem for the low demand mode can be formulated as follows:

$$
\left.
\begin{aligned}
&\text{Minimize } C(T) \\
&\text{subject to } R_L(SC(x) \mid T) \ge R_{SIL\text{-}i},\ T \ge 0 \\
&\text{for } c_2 > c_1 > 0,\ c_3 > 0,\ SC(x) \ge 0,\ 0 < R_{SIL\text{-}i} < 1
\end{aligned}
\right\} \quad (39)
$$
Then, we can obtain the solutions for the cost-reliability optimum software release
times:
TL = max{T0 , T1 }, (40)
where T0 is given by Eqs. (35) and (36), and T1 is given by Eqs. (37) and (38).
Therefore, we have the following:
Theorem 1.
(1) If ab > c3 /(c2 − c1 ) and RL (SC(x) | 0) < RSIL−i < 1, then TL∗ = max{T0 , T1 }.
(2) If ab > c3 /(c2 − c1 ) and RSIL−i ≤ RL (SC(x) | 0), then TL∗ = T0 .
(3) If ab ≤ c3 /(c2 − c1 ) and RL (SC(x) | 0) < RSIL−i < 1, then TL∗ = T1 .
(4) If ab ≤ c3 /(c2 − c1 ) and RSIL−i ≤ RL (SC(x) | 0), then TL∗ = 0.

6.3. Optimal software release policies for the high demand mode

Based on MTBFSCI (t) in Eq. (15), the optimum software release time, TH , for the
high demand mode is given by the testing time which comes closest to satisfying
some prespecified MTBF:MTBFSCI (T ) = MTBFSIL−i (1 ≤ i ≤ 4), where i means
the level of SIL.
If MTBFSCI (0) < MTBFSIL−i then there exists an interior solution to
MTBFSCI (T ) = MTBFSIL−i at
bT2 = ln(ab) + ln(MTBFSIL−i ). (41)
Otherwise, there is an exterior unattainable solution, and the boundary value is the
closest attainable value at
T2 = 0. (42)

Consider the optimal software release policies for the high demand mode which minimize the expected total software cost under the constraint qualification that the MTBF achieved by software testing is not less than some prespecified value. The optimal software release problem for the high demand mode can be formulated as follows:

$$
\left.
\begin{aligned}
&\text{Minimize } C(T) \\
&\text{subject to } MTBF_{SCI}(T) \ge MTBF_{SIL\text{-}i},\ T \ge 0 \\
&\text{for } c_2 > c_1 > 0,\ c_3 > 0
\end{aligned}
\right\} \quad (43)
$$

Then, in a similar way to Sec. 6.2, we can obtain the solutions for the cost-reliability optimum software release times

TH = max{T0, T2}, (44)

where T0 is given by Eqs. (35) and (36), and T2 is given by Eqs. (41) and (42).
Therefore, we have the following:

Theorem 2.

(1) If ab > c3 /(c2 − c1 ) and MTBFSCI (0) < MTBFSIL−i , then TH = max{T0 , T2 }.

(2) If ab > c3 /(c2 − c1 ) and MTBFSIL−i ≤ MTBFSCI (0), then TH = T0 .

(3) If ab ≤ c3 /(c2 − c1 ) and MTBFSCI (0) < MTBFSIL−i , then TH = T2 .

(4) If ab ≤ c3 /(c2 − c1 ) and MTBFSIL−i ≤ MTBFSCI (0), then TH = 0.

7. Method II for Assuring Software SIL Based on Optimal Release Policies [8]
7.1. Optimal software release problem with risk costs
Consider an associated total software cost with test cost and risk cost in this section. Generally speaking, the longer the testing takes, the more reliable the software can be expected to be. However, at the same time the total cost of developing the software will also increase. On the other hand, if the testing time is too short, the cost of software development could be reduced, but the customers may take a higher risk of using unreliable software. Therefore, it is important to determine the optimal policy, that is, when to stop testing and release the software. Then, the cost of testing, the cost of fixing faults before release and the risk cost of failure after release are counted as software cost factors. The following are introduced:

cR1 = the cost of testing per unit time,
cR2 = the cost of fixing a fault detected during testing-environment per unit time,
cR3 = the loss due to software failure after release (cR3 > cR2 > cR1 > 0),
µy = the expected time to remove a fault during testing-environment,
T = the software release time, i.e., the total testing time,
TL∗, TH = the optimum software release times for the low and high demand modes.
Let CR (T ) denote the associated total expected software cost based on the expo-
nential SRGM with Eq. (2). Then, the total expected software cost for considering
the software SIL is given by
CR (T ) = cR1 T + cR2 m(T )µy + cR3 × (Software SIL). (45)
The optimum software release time is the testing time which minimizes the total expected software cost in Eq. (45).

7.2. Optimal software release policies for the low demand mode
The total expected software cost for the low demand mode is given by
CRL (T ) = cR1 T + cR2 m(T )µy + cR3 [1 − RL (SC(x) | T )]. (46)
Then, we define two functions in order to get the testing time which minimizes
the total expected software cost as follows:
f (T ) = hm(T )[cR3 (1 − e−b×SC(x) )RL (SC(x) | T ) − cR2 µy ], (47)
g(T ) = cR3 (1 − e−b×SC(x) )RL (SC(x) | T )[1 − ae−bT (1 − e−b×SC(x) )]. (48)
It should be noted that g(T ) is a strictly increasing function of T .
The optimum software release time, TL∗ , for the low demand mode is given by the
testing time which comes closest to satisfying some prespecified software reliability:
RL (SC(x) | t) = RSIL−i (1 ≤ i ≤ 4), where x is the operation time of a released
software system and i means the level of SIL.
If RL(SC(x) | 0) < RSIL−i, then there exists an interior solution to RL(SC(x) | T) = RSIL−i at

$$
bT_{RL1} = \ln[DFR \times m(SC(x))] - \ln \ln \frac{1}{R_{SIL\text{-}i}}. \quad (49)
$$
Consider the optimal software release policies for the low demand mode which minimize the total expected software cost under the constraint qualification that the software reliability achieved by software testing is not less than some prespecified value RSIL−i. The optimal software release problem for the low demand mode can be formulated as follows:

$$
\left.
\begin{aligned}
&\text{Minimize } C_{RL}(T) \\
&\text{subject to } R_L(SC(x) \mid T) \ge R_{SIL\text{-}i},\ T \ge 0 \\
&\text{for } c_{R3} > c_{R2} > c_{R1} > 0,\ SC(x) \ge 0,\ 0 < R_{SIL\text{-}i} < 1
\end{aligned}
\right\} \quad (50)
$$

Therefore, we have the following:

Theorem 3.
(1) If g(0) > cR2 µy, then
  (a) if f(0) ≤ cR1, then TL∗ = 0 minimizes CRL(T);
  (b) if f(TRL1) > cR1, then TL∗ = TRL1 minimizes CRL(T);
  (c) if f(0) > cR1, f(T) ≥ cR1 for T ∈ (0, T′] and f(T) < cR1 for T ∈ (T′, TRL1), then TL∗ = T′, where T′ = inf{T : f(T) < cR1}.
(2) If g(TRL1) < cR2 µy, then
  (a) if f(0) ≥ cR1, then TL∗ = TRL1 minimizes CRL(T);
  (b) if f(TRL1) < cR1, then TL∗ = 0 minimizes CRL(T);
  (c) if f(0) < cR1, f(T) ≤ cR1 for T ∈ (0, T′] and f(T) > cR1 for T ∈ (T′, TRL1), then TL∗ = 0 if CRL(0) < CRL(TRL1), and TL∗ = TRL1 if CRL(0) > CRL(TRL1), where T′ = inf{T : f(T) > cR1}.
(3) If g(0) < cR2 µy, g(T) ≤ cR2 µy for T ∈ (0, T⁰] and g(T) > cR2 µy for T ∈ (T⁰, TRL1], where T⁰ = g⁻¹(cR2 µy ab²), then
  (a) if f(0) < cR1, then TL∗ = 0 if CRL(0) < CRL(TRL0), and TL∗ = TRL0 if CRL(0) > CRL(TRL0), where TRL0 = inf{T : f(T) < cR1, T > cR1 − f(T) > 0};
  (b) if f(0) ≥ cR1, then TL∗ = TRL0 minimizes CRL(T), where TRL0 = inf{T : f(T) < cR1}.

7.3. Optimal software release policies for the high demand mode
The total expected software cost for the high demand mode is given by

$$
C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}\, \frac{DFR}{MTBF_{SCI}(T) \times TC}. \quad (51)
$$

We can get the following equation from Eqs. (15) and (51):

$$
C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}\, \frac{DFR \times h_m(T)}{TC \times SC}. \quad (52)
$$

Then, since DFR, SC and TC are constant, we can express the following equation with the high demand coefficient (HDC):

$$
HDC = \frac{DFR}{TC \times SC}. \quad (53)
$$

Therefore, with Eq. (53), Eq. (52) is formulated as

$$
C_{RH}(T) = c_{R1} T + c_{R2}\, m(T)\, \mu_y + c_{R3}\, [HDC \times h_m(T)]. \quad (54)
$$

It can be shown that, given the constraints on the parameters, there is a unique time that minimizes the total expected software cost. From Eqs. (3) and (54), if ab(cR3 b × HDC − cR2 µy) > cR1, then there exists an interior minimum for CRH(T) at

$$
bT_{RH0} = \ln \frac{ab\,(c_{R3}\, b \times HDC - c_{R2}\, \mu_y)}{c_{R1}}. \quad (55)
$$

Otherwise, there is an exterior unattainable minimum, and the boundary value is the attainable minimum at

TRH0 = 0. (56)

Based on MTBFSCI(t) in Eq. (15), the optimum software release time, TH, for the high demand mode is given by the testing time which comes closest to satisfying some prespecified MTBF: MTBFSCI(T) = MTBFSIL−i (1 ≤ i ≤ 4), where i means the level of SIL.
If MTBFSCI(0) < MTBFSIL−i, then there exists an interior solution to MTBFSCI(T) = MTBFSIL−i at

$$
bT_{RH1} = \ln \frac{ab}{SC} + \ln(MTBF_{SIL\text{-}i}). \quad (57)
$$

Otherwise, there is an exterior unattainable solution, and the boundary value is the closest attainable value at

TRH1 = 0. (58)
Consider the optimal software release policies for the high demand mode which minimize the total expected software cost under the constraint qualification that the MTBF achieved by software testing is not less than some prespecified value. The optimal software release problem for the high demand mode can be formulated as follows:

$$
\left.
\begin{aligned}
&\text{Minimize } C_{RH}(T) \\
&\text{subject to } MTBF_{SCI}(T) \ge MTBF_{SIL\text{-}i},\ T \ge 0 \\
&\text{for } c_{R3} > c_{R2} > c_{R1} > 0
\end{aligned}
\right\} \quad (59)
$$

Then, we can obtain the solutions for the cost-reliability optimum software release times

TH = max{TRH0, TRH1}, (60)

where TRH0 is given by Eqs. (55) and (56), and TRH1 is given by Eqs. (57) and (58).
Therefore, we have the following:

Theorem 4.
(1) If ab > cR1/(cR3 b × HDC − cR2 µy) and MTBFSCI(0) < MTBFSIL−i, then TH = max{TRH0, TRH1}.
(2) If ab > cR1/(cR3 b × HDC − cR2 µy) and MTBFSIL−i ≤ MTBFSCI(0), then TH = TRH0.
(3) If ab ≤ cR1/(cR3 b × HDC − cR2 µy) and MTBFSCI(0) < MTBFSIL−i, then TH = TRH1.
(4) If ab ≤ cR1/(cR3 b × HDC − cR2 µy) and MTBFSIL−i ≤ MTBFSCI(0), then TH = 0.

8. Numerical Example
8.1. Preliminaries
Consider numerical illustrations of the cost-reliability optimal software release policies based on functional safety standards and risk cost with software SIL. Let us refer to the results obtained by Yamada [3], â = 142.32 and b̂ = 0.1246. We assume that one day under the testing-environment corresponds to 60 days under the operational-environment (SC = 60) and that DFR = 0.01.

8.2. Assessment for the low demand mode


We assume that cR1 = 1, cR2 = 100, cR3 = 1.0 × 10^4, µy = 0.1, and RSIL−i = RSIL−2 for this analysis. We show the estimated software reliability function and the total expected software cost for the low demand mode in Fig. 5. The upper side of Fig. 5 is the total expected software cost CRL(T), and the lower side shows the software reliability RL(SC(x) | T).
Then, in Fig. 5, assuming that the operation requirement is one year under the user operational-environment, we find that it is equivalent to 6.1 days under the testing-environment by taking SC into consideration (SC(x) = 365/60 ≈ 6.1).
Then, the cost-reliability optimal software release problem for the low demand mode to be solved is given as

$$
\left.
\begin{aligned}
&\text{Minimize } C_{RL}(T) = \text{Minimize}\,[\,1 \cdot T + 100 \cdot m(T) \cdot 0.1 + 1.0 \times 10^{4} \times \{1 - R_L(6.1 \mid T)\}\,] \\
&\text{subject to } R_L(6.1 \mid T) \ge R_{SIL\text{-}2} = 0.9900,\ T \ge 0
\end{aligned}
\right\} \quad (61)
$$

From Fig. 5, TRL0 = 53.1 and TRL1 = 34.7. Thus, the optimum software release time can be determined from Theorem 3 as

TL∗ = TRL0 = 53.1. (62)
Accordingly, we can determine the cost-reliability optimal software release time quantitatively for the low demand mode.

[Fig. 5 (two panels): the upper panel plots the total expected software cost C_RL(T) against testing time (days, 30 to 60), with the values 1538.9 and 1484.5 marked; the lower panel plots the software reliability R_L(6.1 | T) against testing time, with the level R_SIL-2 = 0.9900, the value 0.9990, and T_RL1 = 34.7 and T_RL0 = 53.1 marked.]

Fig. 5. An illustration of the cost-reliability optimal software release policy with software SIL for the low demand mode.

8.3. Assessment for the high demand mode

We assume that cR1 = 1, cR2 = 100, cR3 = 1.0 × 10^8, µy = 0.1, and MTBFSIL−i = MTBFSIL−4 for this analysis. Further, since DFR = 0.01, SC = 60 and TC = 24, we can calculate HDC = 6.9 × 10^−6 from Eq. (53). Then, we show the estimated instantaneous
MTBF for the dangerous failure under the user operational-environment, and the
total expected software cost for the high demand mode in Fig. 6. The upper side of
Fig. 6 is the total software cost CRH (T ), and the lower side shows the instantaneous
MTBF.
Then, the cost-reliability optimal software release problem for the high demand mode to be solved is given as

$$
\left.
\begin{aligned}
&\text{Minimize } C_{RH}(T) = \text{Minimize}\,[\,1 \cdot T + 100 \cdot m(T) \cdot 0.1 + 1.0 \times 10^{8} \times \{6.9 \times 10^{-6} \cdot h_m(T)\}\,] \\
&\text{subject to } MTBF_{SCI}(T) \ge MTBF_{SIL\text{-}4} = 41666.7,\ T \ge 0
\end{aligned}
\right\} \quad (63)
$$

From Fig. 6, we have TRH0 = 57.9 and TRH1 = 75.6.

[Fig. 6 (two panels): the upper panel plots the total expected software cost C_RH(T) against testing time (days, 40 to 80), with the values 1499.6 and 1489.1 marked; the lower panel plots the instantaneous MTBF_SC(T) (days) against testing time, with the level MTBF_SIL-4 and the values 41725.2 at T_RH1 = 75.6 and 4598.1 at T_RH0 = 57.9 marked.]

Fig. 6. An illustration of the cost-reliability optimal software release policy with software SIL for the high demand mode.
Thus, the optimum software release time can be determined from Theorem 4 as

$$
\left.
\begin{aligned}
T_H &= \max\{T_{RH0}, T_{RH1}\} \\
    &= \max\{57.9, 75.6\} \\
    &= 75.6
\end{aligned}
\right\} \quad (64)
$$

Accordingly, we can determine the cost-reliability optimal software release time quantitatively for the high demand mode.
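The release policies of Sections 6 and 7 and the numerical example of Section 8, carried through in code as an added example (it is not the authors' code and not part of the paper). It assumes the exponential SRGM m(t) = a(1 − e^{−bt}) with intensity h_m(t) = ab e^{−bt} for Eqs. (2) and (3), takes MTBF_SCI(t) = SC/h_m(t) in operational days as the form implied by Eqs. (51), (52) and (57), converts an operational MTBF to a dangerous-failure probability per hour as DFR/(MTBF × TC), which reproduces the 5.65 × 10^−6 of Section 5, and uses the IEC 61508 PFH and PFD bands (PFH upper bounds 10^−5 to 10^−8 per hour, PFD upper bounds 10^−1 to 10^−4) in place of Table 1, so that MTBF_SIL-4 = 41666.7 days and R_SIL-2 = 0.99 come out as in the text. The case analysis of Theorem 3 is replaced by a grid search over C_RL(T), and the Method I costs in the usage note are hypothetical. With the Section 8 parameters the closed forms give T_RL1 = 34.7, T_RH0 = 57.9, T_RH1 = 75.6 and HDC = 6.9 × 10^−6 as in the text; the direct minimisation of Eq. (46) puts T_RL0 at about 53.3 days rather than 53.1, which is immaterial because C_RL(T) is flat there (about 1484.5 at both points).

```python
"""Cost-reliability optimal release times (Sections 6-8) for the exponential SRGM.

Added example, not the authors' code. Assumed: m(t) = a(1 - e^{-bt}) is the SRGM of Eq. (2)
with intensity h_m(t) = ab e^{-bt} (Eq. (3)); MTBF_SCI(t) = SC / h_m(t) in operational days
(recovered from Eqs. (51), (52), (57)); dangerous-failure probability per hour = DFR / (MTBF x TC),
which reproduces the 5.65e-6 of Section 5; SIL bands are the IEC 61508 PFH/PFD bands. The
Method II low-demand cost minimum is located by grid search, not by Theorem 3's case analysis.
"""
import math

# IEC 61508 upper bounds per SIL: PFD (low demand) and PFH per hour (high demand).
PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}
PFH_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}

def m(t, a, b):
    """Eq. (2): expected number of faults detected by testing time t."""
    return a * (1.0 - math.exp(-b * t))

def h(t, a, b):
    """Eq. (3): fault-detection intensity h_m(t) = dm/dt."""
    return a * b * math.exp(-b * t)

def r_low(sc_x, t, a, b, dfr):
    """Eq. (34): reliability against dangerous failure over operation time x, sc_x = SC(x)."""
    return math.exp(-dfr * m(sc_x, a, b) * math.exp(-b * t))

def mtbf_high(t, a, b, sc):
    """MTBF_SCI(t) in operational days, assumed form SC / h_m(t) (see module docstring)."""
    return sc / h(t, a, b)

def pfh(mtbf_days, dfr, tc=24.0):
    """Dangerous-failure probability per hour from an operational MTBF in days."""
    return dfr / (mtbf_days * tc)

def sil_high(mtbf_days, dfr, tc=24.0):
    """Highest SIL whose PFH band contains the computed PFH; 0 if even SIL 1 is missed."""
    p = pfh(mtbf_days, dfr, tc)
    return max([0] + [i for i, ub in PFH_UPPER.items() if p < ub])

def mtbf_target(sil, dfr, tc=24.0):
    """MTBF_SIL-i in days: the MTBF at which the PFH equals the upper bound of SIL i."""
    return dfr / (PFH_UPPER[sil] * tc)

def r_target(sil):
    """R_SIL-i = 1 - (PFD upper bound of SIL i); gives R_SIL-2 = 0.99 as in Section 8.2."""
    return 1.0 - PFD_UPPER[sil]

def t1_low(a, b, sc_x, dfr, r_sil):
    """Eqs. (37)/(38), (49): testing time at which R_L(SC(x) | T) first reaches R_SIL-i."""
    if r_low(sc_x, 0.0, a, b, dfr) >= r_sil:
        return 0.0
    return (math.log(dfr * m(sc_x, a, b)) - math.log(math.log(1.0 / r_sil))) / b

def t0_method1(a, b, c1, c2, c3):
    """Eqs. (35)/(36): cost minimum of Eq. (32); Theorems 1-2 then take max{T0, T1 or T2}."""
    gain = a * b * (c2 - c1)
    return math.log(gain / c3) / b if gain > c3 else 0.0

def method2_low(a, b, cr1, cr2, cr3, mu_y, sc_x, dfr, r_sil, t_max=200.0, step=0.01):
    """Eq. (50): minimize C_RL(T) of Eq. (46) subject to R_L >= R_SIL-i, by grid search.
    Returns (T_L*, T_RL0 = unconstrained cost minimum, T_RL1 = reliability crossing, cost)."""
    def cost(t):
        return cr1 * t + cr2 * m(t, a, b) * mu_y + cr3 * (1.0 - r_low(sc_x, t, a, b, dfr))
    trl1 = t1_low(a, b, sc_x, dfr, r_sil)
    grid = [i * step for i in range(int(t_max / step) + 1)]
    trl0 = min(grid, key=cost)
    t_opt = min((t for t in grid if t >= trl1), key=cost)
    return t_opt, trl0, trl1, cost

def method2_high(a, b, cr1, cr2, cr3, mu_y, sc, dfr, tc, mtbf_sil):
    """Theorem 4 via Eqs. (53), (55)/(56), (57)/(58), (60). Returns (T_H, T_RH0, T_RH1, HDC, cost)."""
    hdc = dfr / (tc * sc)                                              # Eq. (53)
    gain = a * b * (cr3 * b * hdc - cr2 * mu_y)
    trh0 = math.log(gain / cr1) / b if gain > cr1 else 0.0             # Eqs. (55)/(56)
    if mtbf_high(0.0, a, b, sc) < mtbf_sil:
        trh1 = (math.log(a * b / sc) + math.log(mtbf_sil)) / b         # Eq. (57)
    else:
        trh1 = 0.0                                                     # Eq. (58)
    def cost(t):                                                       # Eq. (54)
        return cr1 * t + cr2 * m(t, a, b) * mu_y + cr3 * hdc * h(t, a, b)
    return max(trh0, trh1), trh0, trh1, hdc, cost                      # Eq. (60)

# Parameters of Section 8: Yamada's estimates a, b; SC, DFR and TC as stated in the text.
A, B, SC, DFR, TC = 142.32, 0.1246, 60.0, 0.01, 24.0

def section8_example():
    """Reproduces the Fig. 4 SIL check of Section 5 and the release times of Sections 8.2-8.3."""
    out = {"pfh_fig4": pfh(73.72, DFR, TC), "sil_fig4": sil_high(73.72, DFR, TC)}
    tl, trl0, trl1, _ = method2_low(A, B, 1.0, 100.0, 1.0e4, 0.1, 6.1, DFR, r_target(2))
    out.update(t_low=tl, trl0=trl0, trl1=trl1)
    th, trh0, trh1, hdc, _ = method2_high(A, B, 1.0, 100.0, 1.0e8, 0.1, SC, DFR, TC,
                                          mtbf_target(4, DFR, TC))
    out.update(t_high=th, trh0=trh0, trh1=trh1, hdc=hdc, mtbf_sil4=mtbf_target(4, DFR, TC))
    return out

if __name__ == "__main__":
    for name, value in section8_example().items():
        print(f"{name:>9}: {value:.4g}")
```

Running the module prints the Section 8 quantities. For Method I, `t0_method1(A, B, 1.0, 10.0, 2.0)` with the hypothetical costs c1 = 1, c2 = 10, c3 = 2 gives T0 ≈ 35.1 days, and `sil_high(73.72, DFR, TC)` returns 1, the SIL-1 reading of Section 5. When the gain term of Eq. (55) is nonpositive or below cR1 (risk cost too small relative to the fixing cost), the code falls to the boundary TRH0 = 0 instead of taking the logarithm of a nonpositive number, which is the case distinction Theorem 4 makes.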

9. Concluding Remarks
In this paper, we have proposed a method of calculating the software SIL for the low demand mode and the high demand mode based on IEC 61508, together with optimal software release policies based on functional safety standards and risk costs. In particular, we have applied the reliability assessment measures derived from SRGMs by using fault-detection data collected during testing. Then, we can grasp the degree of attainment of the planned SIL target value and feed it back to the testing policy easily. Accordingly, we may secure system-wide safety and realize highly reliable and safe software development based on the optimal software release policies.
As future issues, we are going to verify our method of calculating the software
SIL based on many practical applications. Therefore, we have to investigate the
metrics collectable during the software development. Moreover, we are going to
consider how to apply the method of calculating the software SIL to another devel-
opment paradigm such as the iterative and incremental development processes.
Acknowledgments
This work was supported in part by the Grant-in-Aid for Scientific Research (C),
Grant No. 25350445 from Japan Society for the Promotion of Science. The authors
would like to thank Mr. Yuki Fujita, Graduate Student at Tottori University, Japan,
for his helpful comments.

References
1. ISO/IEC 9126, Software Engineering — Product Quality (1991).
2. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (1998).
3. S. Yamada, Software Reliability Modeling: Fundamentals and Applications (Springer-Verlag, Tokyo/Heidelberg, 2013).
4. T. Fujiwara, J. E. Esteves, Y. Satoh and S. Yamada, A calculation method for software safety integrity level, in Proc. 1st Workshop on Critical Automotive Applications: Robustness & Safety (Valencia, Spain, 2010), pp. 31–34.
5. T. Nishikawa, T. Fujiwara and S. Yamada, Quantitative assessment for software safety integrity level based on functional safety standards, in Proc. 18th ISSAT Int. Conf. Reliability and Quality in Design (Boston, MA, USA, 2012), pp. 283–287.
6. S. Yamada, S. Osaki and H. Narihisa, A software reliability growth model with two types of errors, RAIRO Oper. Res. 19(1) (1985) 87–104.
7. T. Nishikawa and S. Yamada, Quantitative assessment for software safety integrity level with optimal software release policies, in Proc. 19th ISSAT Int. Conf. Reliability and Quality in Design (Honolulu, Hawaii, USA, 2013), pp. 180–184.
8. X. Zhang and H. Pham, A software cost model with error removal times and risk costs, Int. J. Syst. Sci. 29(4) (1998) 435–442.

About the Authors


Shigeru Yamada was born in Hiroshima Prefecture, Japan, in 1952. He received
the B.S.E., M.S. and Ph.D. degrees from Hiroshima University, Japan, in 1975,
1977 and 1985, respectively. Since 1993, he has been working as a Professor at the
Department of Social Management Engineering, Graduate School of Engineering,
Tottori University, Tottori-shi, Japan. He has published numerous technical papers in the area of software reliability engineering, project management, reliability engineering, and quality control. He has authored several books, including Introduction to Software Management Model (Kyoritsu Shuppan, Tokyo), Software Reliability Models: Fundamentals and Applications (JUSE, Tokyo), Statistical Quality Control for TQM (Corona Publishing, Tokyo), Software Reliability: Model, Tool, Management (The Society of Project Management, Tokyo), Quality-Oriented Software Management (Morikita Shuppan, Tokyo), Element of Software Reliability (Kyoritsu Shuppan, Tokyo), Software Engineering (Surikogakusha, Tokyo), and Software Reliability Modeling (Springer-Verlag, Tokyo/Heidelberg). Dr. Yamada received the Best Author Award
from the Information Processing Society of Japan in 1992, the TELECOM Sys-
tem Technology Award from the Telecommunications Advancement Foundation in
1993, the Paper Award from the Reliability Engineering Association of Japan in
1999, International Leadership Award in Reliability Engineering Research from the
ICQRIT/SREQOM in 2003, the Best Paper Award at the 2004 International Com-
puter Symposium, the Best Paper Award from the Society of Project Management
in 2006, the Leadership Award from the ISSAT (USA) in 2007, the Outstanding
Paper Award at the IEEE-IEEM 2008, the International Leadership and Pioneering
Research Award in Software Reliability Engineering from the SRECOM/ICQRIT
in 2009, the Exceptional International Leadership and Contribution Award in Soft-
ware Reliability at the ICRITO2010, 2011 Best Paper Award from the IEEE Reli-
ability Society Japan Chapter in 2012, and the Leadership Award from the ISAT
(USA) in 2014.
He is a regular member of the IEICE, the Information Processing Society of
Japan, the Operations Research Society of Japan, the Reliability Engineering Asso-
ciation of Japan, Japan Industrial Management Association, the Japanese Society
for Quality Control, the Society of Project Management of Japan, and the IEEE.
Takahiro Nishikawa was born in Tottori Prefecture, Japan, in 1988. He received
his B.S.E. and M.S. degree from Tottori University in 2012 and 2014, respectively.
He has been working at the Japan Air Self-Defense Force since 2014. His research
interests included software reliability and safety assessment at Graduate School of
Engineering, Tottori University.

1450030-25

You might also like