Page 311 -
P. 311
294 Chapter 11 Dependability and security
system’s availability. If a system is infected with a virus, you cannot then be confident
in its reliability or safety because the virus may change its behavior.
To develop dependable software, you therefore need to ensure that:
1. You avoid the introduction of accidental errors into the system during software
specification and development.
2. You design verification and validation processes that are effective in discovering
residual errors that affect the dependability of the system.
3. You design protection mechanisms that guard against external attacks that can
compromise the availability or security of the system.
4. You configure the deployed system and its supporting software correctly for its
operating environment.
In addition, you should usually assume that your software is not perfect and
that software failures may occur. Your system should therefore include recovery
mechanisms that make it possible to restore normal system service as quickly as
possible.
The need for fault tolerance means that dependable systems have to include
redundant code to help them monitor themselves, detect erroneous states, and
recover from faults before failures occur. This affects the performance of systems, as
additional checking is required each time the system executes. Therefore, designers
usually have to trade off performance and dependability. You may need to leave
checks out of the system because these slow the system down. However, the conse-
quential risk here is that some failures occur because a fault has not been detected.
Because of extra design, implementation, and validation costs, increasing the
dependability of a system significantly increases development costs. In particular,
validation costs are high for systems that must be ultra-dependable such as safety-
critical control systems. As well as validating that the system meets its requirements,
the validation process may have to prove to an external regulator that the system is
safe. For example, aircraft systems have to demonstrate to regulators, such as the
Federal Aviation Authority, that the probability of a catastrophic system failure that
affects aircraft safety is extremely low.
Figure 11.2 shows that the relationship between costs and incremental improve-
ments in dependability. If your software is not very dependable, you can get signifi-
cant improvements at relatively low costs by using better software engineering.
However, if you are already using good practice, the costs of improvement are much
greater and the benefits from that improvement are less. There is also the problem of
testing your software to demonstrate that it is dependable. This relies on running
many tests and looking at the number of failures that occur. As your software
becomes more dependable, you see fewer and fewer failures. Consequently, more
and more tests are needed to try and assess how many problems remain in the
software. As testing is very expensive, this dramatically increases the cost of
high-dependability systems.
