Abstract

Software development in safety-critical systems demands techniques which provide both the precision of formal methods and the practicality of tried and trusted engineering methods, giving a measure of rigour appropriate to the application. In particular, reasoning about system behaviour in the presence of failures requires a realistic use of formal methods. We show how to capture the semantics implied by software fault trees using a form of weakest precondition programming, taking the failure properties of different software expressions as an example. Leveson et al. [1] have used software fault trees to produce ‘failure templates’ at the statement level for the Ada programming language. These templates are concerned solely with logical program errors and not with compiler errors, control errors, memory errors, etc., which could be captured by a system-wide view of the software. Furthermore, the notion of software fault tree ‘failure templates’ is confusing for safety engineers used to conventional fault tree analysis: the trees are motivated by failures, rather than by working back from system hazards, and thus are much more akin to failure modes and effects analysis. We propose a more traditional view in the application of fault trees to software expressions, which leads to a difference in their expression in weakest precondition semantics.
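The hazard-driven reading of fault trees described above, as an added example that is not from the paper: a small Python weakest-precondition calculator that works back from a system hazard through assignment, sequence and conditional statements, producing the OR-over-AND gate structure of an ordinary fault tree. The tuple encoding of statements, the clamp program and the hazard predicate are constructed here for illustration.

```python
"""Hazard-driven fault trees from weakest preconditions over a tiny statement language.
Statements are tuples (a constructed encoding, not the paper's notation):
("assign", var, expr_fn, text), ("seq", s1, s2), ("if", cond_fn, cond_text, s1, s2).
A fault-tree node is (gate, label, pred, children); pred ranges over initial states."""

def leaf(label, pred):
    return ("LEAF", label, pred, ())

def gate(kind, label, children):
    # An AND gate holds when every child holds; an OR gate when any child holds.
    comb = all if kind == "AND" else any
    return (kind, label, lambda s: comb(c[2](s) for c in children), children)

def subst(node, var, expr, text):
    """Push the assignment var := expr under every leaf, keeping the gate structure."""
    kind, label, pred, children = node
    if kind == "LEAF":
        return leaf(f"{label} after {text}", lambda s: pred({**s, var: expr(s)}))
    return gate(kind, label, tuple(subst(c, var, expr, text) for c in children))

def wp(stmt, hazard):
    """Weakest precondition under which `stmt` reaches `hazard`, built as a fault tree."""
    if stmt[0] == "assign":
        _, var, expr, text = stmt
        # wp(x := e, H) = H[e/x]: evaluate every leaf of H on the post-assignment state
        return subst(hazard, var, expr, text)
    if stmt[0] == "seq":
        # wp(S1; S2, H) = wp(S1, wp(S2, H)): work backwards from the hazard
        return wp(stmt[1], wp(stmt[2], hazard))
    # wp(if B then S1 else S2, H) = (B and wp(S1, H)) or (not B and wp(S2, H)):
    # an OR gate over two AND gates, the shape of an ordinary fault tree
    _, cond, cond_text, then_, else_ = stmt
    taken = gate("AND", "then branch", (leaf(cond_text, cond), wp(then_, hazard)))
    not_taken = gate("AND", "else branch",
                     (leaf(f"not ({cond_text})", lambda s: not cond(s)), wp(else_, hazard)))
    return gate("OR", f"if {cond_text}", (taken, not_taken))

def hazard_states(stmt, hazard, inputs):
    """Initial states in `inputs` satisfying wp(stmt, hazard), i.e. those that lead to the hazard."""
    tree = wp(stmt, hazard)
    return [s for s in inputs if tree[2](s)]

# Constructed example: scale a sensor reading and clamp it only when limiting is enabled.
PROG = ("seq", ("assign", "y", lambda s: s["x"] * s["gain"], "y := x * gain"),
        ("if", lambda s: s["limit_on"], "limit_on",
         ("assign", "y", lambda s: min(s["y"], 100), "y := min(y, 100)"),
         ("assign", "y", lambda s: s["y"], "skip")))
HAZARD = leaf("y > 100 (actuator over-drive)", lambda s: s["y"] > 100)
```

Calling `hazard_states(PROG, HAZARD, inputs)` lists the initial states from which the top event is reachable; the tree returned by `wp(PROG, HAZARD)` has an OR top gate whose leaf labels record the statements worked back through.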
