[SystemSafety] Comparing reliability predictions with reality
Prof. Dr. Peter Bernard Ladkin
ladkin at causalis.com
Mon Feb 24 15:53:03 CET 2025
On 2025-02-24 14:54 , Robert P Schaefer wrote:
> I hear you, i have no answers.
I do.
Back when CapGemini, formerly Altran UK, was still called Praxis, they regularly estimated the
achieved reliability of delivered products (and still did for iFACTS when they were Altran, a decade
ago. Probably still do.) There is a very public project called Tokeneer, undertaken with the NSA,
where the attempt was made to develop a bug-free small (10K LoC, as I remember) biomeasurement
system for access control. They almost succeeded (I recall Rod Chapman saying that two bugs were
belatedly discovered).
There are lots of ways, increasingly accessible, in which objective properties of code and its
documentation can be rigorously established. You of course need the right kind of tools, right
choice of programming language, right compiler, and so on.
On Feb 24, 2025, at 8:47 AM, Derek M Jones <derek at knosof.co.uk> wrote:
>
> In systems safety there is the belief that following a process
> will lead to reliable code. And the evidence for this is?
In system safety there is the standard IEC 61508-3, which says formal methods are highly recommended
for high-reliability requirements. It (rather, the definition of "formal methods" in IEC 61508-4
NextEd) refers to IEC 61508-3-2, which describes methods for establishing objective properties of
documentation and code. There are four steps in this "waterfall", namely requirements, design,
source code, and object code, and the key relation of "fulfils".
The evidence for this approach succeeding lies in, for example, the entire project histories of
Praxis/Praxis HIS/Altran UK/CapGemini.
It astonishes me that there are still people who claim some kind of software expertise who deny the
efficacy of all this.
And of course it is not the only example. Modern civil aerospace is full of very-highly-reliable
software-based kit, developed according to evolutionary company practices following DO-178C and
DO-333 (or EUROCAE ED-12C and ED-216). Evidence, again, in the operational histories of all this kit.
PBL
Prof. Dr. Peter Bernard Ladkin
Causalis Limited/Causalis IngenieurGmbH, Bielefeld, Germany
Tel: +49 (0)521 3 29 31 00