Currently Skimming:

3 Broader Issues
Pages 89-102



From page 89...
... Each of these areas warrants in-depth studies of its own, and the committee recognizes that policy prescriptions in particular -- especially in light of the limited data and evidence available in the arena of certifiably dependable software -- can have complex and unpredictable ramifications. The committee has therefore chosen to refrain from making concrete and prescriptive recommendations aimed at particular agencies or specific domains.
From page 90...
... This suggests that data of a more general nature should be made available, including the qualifications of the personnel involved in the development; the track record of the organization in providing dependable software, which might include, for example, defect rates on previous projects; and the process by which the software was developed and the dependability argument constructed, which might include process manuals and metrics, internal standards documents, applicable test suites and results, and tools used. A company is likely to be reluctant to reveal data that might be of benefit to a competitor or that might tarnish the company's reputation.
From page 91...
... ACCOUNTABILITY AND LIABILITY Where there is a need to deploy certifiably dependable software, it should always be explicit who is accountable, professionally and legally, for any failure to achieve the declared dependability. One benefit of making dependability claims explicit is that accountability becomes possible; without explicit claims, there cannot even be a clear determination of what constitutes failure.
From page 92...
... Clearly, no software should be considered dependable if it is supplied with a disclaimer that releases the manufacturer from providing a warranty or other remedies for software that fails to meet its dependability claims. Determining appropriate remedies, however, was beyond the scope of this study and would have required careful analysis of benefits and costs, taking into account not only the legal issues but also the state of software engineering, the various submarkets for software, economic impact, and the effect on innovation.
From page 93...
... ing on dependability should make use of a dependability case, as has been described throughout this report. Certification should always explicitly allocate accountability for the failure of the software to meet the claimed dependability requirements.
From page 94...
... Available online at and
From page 95...
... While the CC assess security features, a new paradigm is needed to provide the owners of products and systems with a meaningful certification of resistance to attack. The approach to dependable software that this report proposes is germane to the development of such a certification paradigm.
From page 96...
... Such an effort would probably involve at least two distinct components, both aimed at involving software engineering experts more directly in accident analysis and reporting. First, software experts should be actively involved in accident analysis.
From page 97...
... In high school computer science education, giving students a foundation in the ideas of dependability would require greater emphasis on programming as a design activity, on the qualities of a good program, and on the process of constructing programs and reasoning about them. The intricacies of the programming language or platform, and low-level execution details, would receive less emphasis.
From page 98...
... Security and dependability are usually treated as specialized topics, but they should be integrated into the curriculum more fully and encountered by students repeatedly, especially when learning how to program. The mathematical background of students studying computer science and software engineering would need to be expanded to include not only discrete mathematics (set theory and logic)
From page 99...
... capability in industrial competitiveness, and optimization of citizens' quality of life.[9] The importance of software dependability suggests that funding could be focused on areas that might lead to more dependable software. [9] For more information, see the NITRD HCSS CG home page online at
From page 100...
... Might testing with respect to a known operational profile be substantiated by online monitoring to ensure that the profile used for testing remains an accurate representation of actual operation? Although considerable literature on testing exists, there is an opportunity for further research to be undertaken focused specifically on methods that create evidence that a system has some explicit dependability properties to a high degree of confidence.
From page 101...
... It is not clear, however, how to model the environment and structure environmental assumptions; how to account
From page 102...
... The critical dependability properties of most critical systems will take the form "X should never happen, but if it does, then Y must happen." For example, the essential property of a radiotherapy machine is that it not overdose the patient. Yet some amount of overdose occurs in many systems, and any overdose that occurs must be reported.

