Supporting Software Fault Tree Analysis Using a Key Node Metric

Design-time use of software fault tree analysis allows designers to focus on safety critical system aspects early in the software development process. This paper presents a technique for evaluating the impact of software fault tree 'key nodes' requiring multiple inputs to fail before the hazard propagates through the system. A heuristics-based key node metric providing a design tool with which to compare fault trees within product lines is presented. The metric is applied without a priori component reliability knowledge, allowing the metric to be used at design time when component reliability values are often unknown. The key node metric allows designers to evaluate the safety critical aspects of design iterations before final component selection or completion of component reliability studies. This paper considers theoretical aspects of the metric, analyzes an application of the metric, and discusses the results of applying the metric to 10 sets of software design mutations. Safety-critical software systems are capable of entering hazardous states with the potential of causing the loss or damage of life, property, information, mission or environment [1]. Fault Tree Analysis [2] supports examination of safety-critical systems by assessing failure statistics to examine probable effects of contributory system component failures. Such analysis focuses on a hazard event or condition which serves as the root of a fault tree. Fault trees are expanded from the root downward in an effort to identify the system component failures at the leaves of the tree that need to exist in order to allow entry into the root's hazardous state. Fault tree analysis has been applied to for using software fault tree analysis (SFTA) in the requirements and design phases of a system's development. Support for analysis of software safety at design time using knowledge of the system derived from software fault trees has also been the focus of recent work with software product lines [12], [8], [13]. Clements and Northrop identify software product lines as systems that share features developed from a common set of core assets to meet specific needs within a market segment [14]. SFTA is suitable for use with safety-critical product line systems, such as the Ariane 4 control software catastrophically reused in the European Space Agency's Ariane 5 rocket [15]. Lutz's recent work [8], [13] applies SFTA to product lines in an effort to improve software reuse within safety-critical systems. These efforts led to the development of analysis tools such as PLFaultCAT [12] …