The development of a military safety critical system has many facets, one of which is the collecting of evidence that can be used to assist the production of the safety case necessary for certification of a system into military use. Within the certification process, static analysis is required by the UK Ministry of Defence to provide evidence of a system's integrity and fitness for purpose. In this paper we describe how we have extended the approach of static analysis to gain evidence of the dynamic integrity of a system. This work, based on the abstract interpretation of variable values into sets of ranges of values, has resulted in the development of a software tool, called the Exception Analyser. This tool can investigate the potential for code, written in C, C++ and Ada, to raise run-time exceptions and then derive the system constraints which would prevent these exceptions from occurring. We outline the foundation behind our approach and present the results of a case study into the successful application of the tool on a safety critical military project.
Safety Critical System Assessment

Software analysis is essential for any formal assessment of software, whether on the grounds of quality, system acceptance or the demonstration of the levels of integrity required for safety critical systems. Understanding the source code of a program is difficult enough for the people who wrote it, but it is considerably harder for anyone making an independent assessment. Software analysis tools can be used to demonstrate properties such as control flow complexity or the dependency relations between variables, and this can provide valuable insight and checks on obscure conditions which might otherwise go unnoticed. As a result there are requirements for software analysis in the MOD standard for safety critical software, DEF STAN 00-55 [MOD91], and also in the avionics standard DO178B [RTC92]. Software analysis is very widely used in industry, not only for safety critical systems, but also as an aid to the production of high quality software.

PASTE '99 9/99 Toulouse, France 1-58113-137-2/99/0008...

There are also a wide range of hazard analysis approaches which are applied to software development, for example Fault Tree Analysis, Event Tree Analysis, Failure Modes and Effects Analysis, and HAZOP, to name but a few. However, these approaches are aimed at determining the underlying risks of a system and not at analysis of the software produced (see Leveson [Lev95] for an outline of the above approaches).

Software analysis can be either static or dynamic; see for example Osterweil [Ost81]. In static analysis, the code is analysed and the assessment result is produced directly from the analysis, whereas in dynamic analysis the compiled code is instrumented to measure the properties required and the modified program is run to produce the assessment result. Static analysis is widely used for testing a large range of properties and is more desirable than dynamic analysis because it provides general, rather than specific, properties which are ...
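The abstract's idea of abstractly interpreting variable values into sets of ranges, and the point above that static analysis yields general rather than case-specific properties, as an added worked example in Python. This is a constructed toy written for this page, not the Exception Analyser's own code: it assumes a minimal expression language of tuples (`const`, `var` and binary `+ - * /`), finite integer ranges as for machine integer types, truncating division as in C and Ada, and constructed sample inputs `n` and `speed`, a lookup array `table` and a three-statement hypothetical control loop. The derived constraint is stated on the checked operand expression; the paper's tool goes further and derives system-level constraints.

```python
"""Toy range-set abstract interpreter for run-time exception analysis (constructed
illustration, not the Exception Analyser).  Each variable maps to a set of disjoint
integer ranges; operations that could raise are reported with the range their operand
must be confined to.  Assumes finite ranges and truncating division as in C/Ada."""
from collections import namedtuple

# kind: exception; expr: offending operand; actual: its range set; required: safe subset
Hazard = namedtuple("Hazard", "kind expr actual required")

def normalise(ranges):
    """Sort and merge (lo, hi) integer ranges into disjoint, ascending ranges."""
    out = []
    for lo, hi in sorted(r for r in ranges if r[0] <= r[1]):
        if out and lo <= out[-1][1] + 1:       # overlapping or adjacent: merge
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def intersect(a, b):
    return normalise([(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b])

def subtract(a, b):
    """Range set a with every value of range set b removed."""
    for lo, hi in b:
        nxt = []
        for l, h in a:
            if h < lo or l > hi:                # disjoint: keep the whole range
                nxt.append((l, h))
            else:                               # keep the parts outside [lo, hi]
                nxt += [(l, lo - 1)] if l < lo else []
                nxt += [(hi + 1, h)] if h > hi else []
        a = nxt
    return normalise(a)

def tdiv(x, y):
    """Integer division truncating toward zero (C/Ada semantics); y != 0."""
    q = abs(x) // abs(y)
    return -q if (x < 0) != (y < 0) else q

def corners(f, l1, h1, l2, h2):
    # * and / are monotone in each argument, so extremes lie at the box corners
    vals = [f(l1, l2), f(l1, h2), f(h1, l2), f(h1, h2)]
    return min(vals), max(vals)

OPS = {
    "+": lambda l1, h1, l2, h2: (l1 + l2, h1 + h2),
    "-": lambda l1, h1, l2, h2: (l1 - h2, h1 - l2),
    "*": lambda l1, h1, l2, h2: corners(lambda x, y: x * y, l1, h1, l2, h2),
    "/": lambda l1, h1, l2, h2: corners(tdiv, l1, h1, l2, h2),
}

def arith(op, a, b):
    return normalise([OPS[op](l1, h1, l2, h2) for l1, h1 in a for l2, h2 in b])

def eval_expr(expr, env, hazards):
    """Evaluate an expression tree to a range set, recording potential exceptions."""
    if expr[0] == "const":
        return [(expr[1], expr[1])]
    if expr[0] == "var":
        return env[expr[1]]
    op, left, right = expr
    a, b = eval_expr(left, env, hazards), eval_expr(right, env, hazards)
    if op == "/" and intersect(b, [(0, 0)]):
        safe = subtract(b, [(0, 0)])
        hazards.append(Hazard("division by zero", right, b, safe))
        b = safe                                # continue on the exception-free values
    return arith(op, a, b)

def analyse(program, inputs, arrays):
    """program: ('assign', name, expr) / ('index', array, expr) statements;
    inputs: name -> range set of a system input; arrays: name -> (lo, hi) bounds."""
    env, hazards = dict(inputs), []
    for stmt in program:
        if stmt[0] == "assign":
            env[stmt[1]] = eval_expr(stmt[2], env, hazards)
        else:
            bounds, r = [arrays[stmt[1]]], eval_expr(stmt[2], env, hazards)
            if subtract(r, bounds):             # some index value lies outside the array
                hazards.append(Hazard("index out of bounds", stmt[2], r, intersect(r, bounds)))
    return env, hazards

def constraint(h):
    """Derived constraint that would prevent the exception, stated on the operand."""
    name = h.expr[1] if h.expr[0] == "var" else str(h.expr)
    return f"{name} must lie in {h.required} (may currently be {h.actual})"

# Constructed sample: two system inputs with interface ranges, a 10-entry lookup
# table, and three statements from a hypothetical control loop.
SAMPLE_INPUTS = {"n": [(-5, 5)], "speed": [(0, 200)]}
SAMPLE_ARRAYS = {"table": (0, 9)}
SAMPLE_PROGRAM = [
    ("assign", "ratio", ("/", ("const", 1000), ("var", "n"))),
    ("assign", "idx", ("/", ("var", "speed"), ("const", 20))),
    ("index", "table", ("var", "idx")),
]

if __name__ == "__main__":
    env, hazards = analyse(SAMPLE_PROGRAM, SAMPLE_INPUTS, SAMPLE_ARRAYS)
    print("ratio may be", env["ratio"])
    for h in hazards:
        print(f"{h.kind}: {constraint(h)}")
```

Running the sample reports that `1000 / n` can divide by zero unless `n` is confined to [-5, -1] or [1, 5], after which `ratio` is known to lie in [-1000, -200] or [200, 1000] (two ranges, which is why the domain is a set of ranges rather than a single interval), and that `table(idx)` can index out of bounds because `speed / 20` reaches 10. Both facts hold for every execution, which is the general property static analysis delivers and instrumented testing of particular runs cannot.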