Testing Safety-Related Software Springer London Berlin Heidelberg New York Barcelona Hong Kong Milan Paris Santa Clara Singapore Tokyo Stewart Gardiner (Ed.) Testing Safety-Related Software A Practical Handbook With 39 Figures Springer Stewart N. Gardiner, BSc, PhD, CEng Ernst and Young, Management Consultants, George House, 50 George Square, Glasgow, G2 IRR, UK No representation or warranty, express or implied, is made or given by or on behalf of the editor and the contributors or any of their respective directors or affiliates or any other person as to the accuracy, completeness or fairness of the information, opinions or feasibility contained in this book and this book should not be relied upon by any third parties who should conduct their own investigations of this book and the matters set out herein and furthermore no responsibility or liability in negligence or otherwise is accepted for any such information, opinions or feasibility and the editor and contributors shall not be liable for any indirect or consequential loss caused by or arising from any such information, opinions or feasibility being loss of profit and/or loss of production. The contributors are: BAeSEMA Limited, G P Elliot Electronic Systems Limited, Lloyd's Register, Lucas Aerospace Limited, Rolls Royce Industrial Controls Limited, Nuclear Electric Limited, Rolls Royce pic, Scottish Nuclear Limited and The University of Warwick. ISBN-J3: 978-1-85233-034-7 e-ISBN-J3: 978-1-4471-3277-6 DOl: 10.1007/978-1-4471-3277-6 British Library Cataloguing in Publication Data Testing safety-related software : a practical handbook 1. Computer software -Testing 2. Computer software Reliability 3. Industrial safety -Computer programs I. Gardiner, Stewart 005.1'4 ISBN-13: 978-1-85233-034-7 library of Congress Cataloging-in-Publication Data Testing safety-related software : a practical handbook 1 Stewart Gardiner, ed. p. em. Includes bibliographical references and index. ISBN-J3: 978-1-85233-034-7 1. Computer software - Testing. 2. Industrial safety - Software -Testing.. I. Gardiner, Stewart, 1945- QA76.76.T48T476 1998 98-34276 620.8'6'028514-dc21 CIP Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms oflicences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers. © Springer-Verlag London Limited 1999 The use of registered names, trademarks etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant laws and regulations and therefore free for general use. The publisher makes no representation, express or implied, with regard to the accuracy of the information contained in this book and cannot accept any legal responsibility or liability for any errors or omissions that may be made. Typesetting: Camera ready by editor 34/3830-543210 Printed on acid-free paper Acknowledgements This book is based upon technical reports produced by a number of authors and is based upon the results of a collaborative research project (CONTESSE) to which many persons contributed. The project was partly funded by the UK Department of Trade and Industry (DTI) and the Engineering and Physical Sciences Research Council (EPSRC) and was carried out between 1992 and 1995. The editor gratefully acknowledges the following contributions to the book: Preparation of the final book: K Czachur (Lloyds' Register) K Khondar (University of Warwick) R. Lowe, M. Mills and A MacKenzie (BAeSEMA) Authors of the technical reports that form the basis of the book: BAeSEMA Dr. S. Gardiner R. Lowe A MacKenzie H.Morton S. Thomson G P-Elliot Electronic Systems M. Ashman KHomewood D. Marshall A Smith J. Tennis Lloyd's Register S. Allen K Czachur K Lee Prof. C. MacFarlane (University of Strathc1yde) B. McMillan (University of Strathc1yde) R. Melville (Brown Brothers) vi Testing Safety-Related Software: A Practical Handbook Lucas Aerospace A Ashdown D. Hodgson NEI Control Systems Dr. J. Parkinson A Rounding Nuclear Electric Dr. I. Andrews G.Hughes D.Pavey Prof. P. Hall (The Open University) Dr. J. May (The Open University) Dr. H. Zhu (The Open University) Dr. A D. Lunn (The Open University) Rolls-Royce M. Beeby T.Cockram S. Dootson N.Hayes Dr.J. Kelly P. Summers Dr. E. Williams Prof. A Burns (University of York) Dr. D. Jackson (Formal Systems(Europe» Dr. M. Richardson (University of York) Scottish Nuclear I. O'Neill P.Pymm The University of Warwick Dr. F. Craine Prof. J. Cullyer K. Khondkar Dr. N. Storey The helpful advice of Tony Levene, the Project Monitoring officer for the DTI, is acknowledged. Crown Copyright is reproduced with the permission of the Controller of Her Majesty's Stationery Office. Extracts from mc standards are reproduced with permission under licence no. BSI\PD\19981028. Complete editions of the standards can be obtained by post through national standards bodies. Camera-ready copy was created by Syntagma, Falmouth. Stewart Gardiner - CONTESSE project manager (Now with Ernst and Young, Management Consultancy Services.) July 1998 Contents 1 Introduction ................................................................................................... 1 1.1 Context.................................................................................................. 1 1.2 Audience............................................................................................... 2 1.3 Structure ............................................................................................... 3 1.4 Applicable Systems............................................................................. 4 1.5 Integrity Levels.................................................................................... 5 1.6 Typical Architectures.......................................................................... 5 1.7 The Safety Lifecyc1e and the Safety Case......................................... 17 1.8 Testing Issues across the Development Lifecyc1e........................... 18 1.9 Tool Support ........................................................................................ 22 1.10 Current Industrial Practice ................................................................ 23 1.11 The Significance Placed upon Testing by Standards and Guidelines ............................................................ 29 1.12 Guidance............................................................................................... 31 2 Testing and the Safety Case ......................................................................... 33 2.1 Introduction ......................................................................................... 33 2.2 Safety and Risk Assessment .............................................................. 34 2.3 Hazard Analysis .................................................................................. 35 2.4 The System Safety Case ...................................................................... 41 2.5 Lifecycle Issues .................................................................................... 45 2.6 Guidance............................................................................................... 54 3 Designing for Testability ............................................................................. 59 3.1 Introduction ......................................................................................... 59 3.2 Architectural Considerations ............................................................ 61 3.3 PES Interface Considerations ............................................................ 62 3.4 Implementation Options and Testing Attributes ........................... 64 3.5 Software Features................................................................................ 76 viii Testing Safety-Related Software: A Practical Handbook 3.6 Guidance............................................................................................... 82 4 Testing of TIming Aspects ........................................................................... 83 4.1 Introduction ......................................................................................... 83 4.2 . Correctness of Timing Requirements............................................... 84 4.3 Scheduling Issues ................................................................................ 86 4.4 Scheduling Strategies.......................................................................... 89 4.5 Calculating Worst Case Execution Times........................................ 94 4.6 Guidance ............................................................................................... 100 5 The Test Environment................................................................................... 101 5.1 Introduction ......................................................................................... 101 5.2 Test Activities Related to the Development of a Safety Case ....... 102 5.3 A Generic Test Toolset........................................................................ 104 5.4 Safety and Quality Requirements for Test Tools ............................ 107 5.5 Statemate .............................................................................................. 110 5.6 Requirements and Traceability Management (RTM) .................... 113 5.7 AdaTEST ............................................................................................... 116 5.8 Integrated Tool Support ..................................................................... 121 5.9 Tool Selection Criteria ........................................................................ 121 5.10 Guidance............................................................................................... 123 6 The Use of Simulators .................................................................................. 125 6.1 Introduction ......................................................................................... 125 6.2 Types of Environment Simulators .................................................... 126 6.3 Use of Software Environment Simulation in Testing Safety-Related Systems .................................................... 128 6.4 Environment Simulation Accuracy and its Assessment Based on the Set Theory Model...................... 132 6.5 Justification of Safety from Environment Simulation.................... 139 6.6 Guidance............................................................................................... 141 7 Test Adequacy ................................................................................................ 143 7.1 Introduction ......................................................................................... 143 7.2 The Notion of Test Adequacy ........................................................... 143 7.3 The Role of Test Data Adequacy Criteria ........................................ 144 7.4 Approaches to Measurement of Software Test Adequacy............ 147 7.5 The Use of Test Data Adequacy........................................................ 152 7.6 Guidance............................................................................................... 154 Contents ix 8 Statistical Software Testing ......................................................................... 155 8.1 Introduction ......................................................................................... 155 8.2 Statistical Software Testing and Related Work. .............................. 156 8.3 Test Adequacy and Statistical Software Testing............................. 157 8.4 Environment Simulations in Dynamic Software Testing.............. 159 8.5 Performing Statistical Software Testing........................................... 160 8.6 The Notion of Confidence in Statistical Software Testing ............ 166 8.7 Criticisms of Statistical Software Testing ........................................ 167 8.8 The Future of Statistical Software Testing....................................... 168 8.9 Guidance............................................................................................... 170 9 Empirical Quantifiable Measures of Testing ........................................... 171 9.1 Introduction ......................................................................................... 171 9.2 Test Cost Assessment ......................................................................... 171 9.3 Test Regime Assessment .................................................................... 177 9.4 Discussion of Test Regime Assessment ModeL............................. 188 9.5 Evidence to Support the Test Regime Assessment ModeL.......... 191 9.6 Guidance............................................................................................... 194 References ........................................................................................................... 195 Appendix A Summary of Advice from the Standards ............................ 201 Bibliography ....................................................................................................... 213 Index. .................................................................................................................... 219 Chapter 1 Introduction As software is very complex, we can only test a limited range of the possible states of the software in a reasonable time frame. In 1972, Dijkstra [1] claimed that 'program testing can be used to show the pres ence of bugs, but never their absence' to persuade us that a testing approach alone is not acceptable. This frequently quoted statement represented our knowledge about software testing at that time, and after over 25 years intensive practice, experiment and research, although software testing has been developed into a validation and ver ification technique indispensable to software engineering discipline, Dijkstra's state ment is still valid. To gain confidence in the safety of software based systems we must therefore assess both the product and the process of its development. Testing is one of the main ways of assessing the product, but it must be seen, together with process assessment, in the context of an overall safety case. This book provides guidance on how to make best use of the limited resources available for testing and to maximise the contribution that testing of the product makes to the safety case. 1.1 Context The safety assurance of software based systems is a complex task as most fail ures stem from design errors committed by humans. To provide safety assur ance, evidence needs to be gathered on the integrity of the system and put forward as an argued case (the safety case) that the system is adequately safe. It is effectively impossible to produce software based systems that are com pletely safe, as there will always be residual errors in the software which have the potential to cause failures that cause hazards. It is also important to build systems that are affordable. A judgement needs to be made on the cost incurred in ensuring that the system is safe. Testing is one of the main ways of assessing the integrity (safety) of a soft ware based system. Exhaustive testing of the software is all but impossible as the time taken to gain a credible estimate of its failure rate is excessive except for systems with the lower levels of safety integrity requirement. To gain con fidence in the safety of a software based system both the product (the system) and the process of its development need to be assessed. Littlewood provides S. N. Gardiner (ed.), Testing Safety-Related Software © Springer-Verlag London Limited 1999