Summary of a Workshop on Software Certification and Dependability

Committee on Certifiably Dependable Software Systems

Computer Science and Telecommunications Board

Division on Engineering and Physical Sciences

NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability Summary of a Workshop on Software Certification and Dependability Committee on Certifiably Dependable Software Systems Computer Science and Telecommunications Board Division on Engineering and Physical Sciences NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES THE NATIONAL ACADEMIES PRESS Washington, D.C. www.nap.edu

OCR for page R1
Summary of a Workshop on Software Certification and Dependability THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the National Science Foundation, the National Security Agency, and the Office of Naval Research. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor. International Standard Book Number 0-309-09429-1 (Book) International Standard Book Number 0-309-54619-2 (PDF) Cover designed by Jennifer M. Bishop. Additional copies of this report are available from: The National Academies Press 500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 800/624-6242 202/334-3313 (in the Washington metropolitan area) http://www.nap.edu Copyright 2004 by the National Academy of Sciences. All rights reserved. Printed in the United States of America

OCR for page R1
Summary of a Workshop on Software Certification and Dependability THE NATIONAL ACADEMIES Advisers to the Nation on Science, Engineering, and Medicine The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council. www.national-academies.org

OCR for page R1
Summary of a Workshop on Software Certification and Dependability COMMITTEE ON CERTIFIABLY DEPENDABLE SOFTWARE SYSTEMS DANIEL JACKSON, Massachusetts Institute of Technology, Chair JOSHUA BLOCH, Google, Inc. MICHAEL DEWALT, Certification Services, Inc. REED GARDNER, University of Utah PETER LEE, Carnegie Mellon University STEVEN B. LIPNER, Microsoft Corporation CHARLES PERROW, Yale University JON PINCUS, Microsoft Research JOHN RUSHBY, SRI International LUI SHA, University of Illinois at Urbana-Champaign MARTYN THOMAS, Engineering and Physical Sciences Research Council SCOTT WALLSTEN, AEI/Brookings Joint Center and American Enterprise Institute DAVID WOODS, Ohio State University Staff LYNETTE I. MILLETT, Study Director and Program Officer PHIL HILLIARD, Research Associate (through May 2004) PENELOPE SMITH, Senior Program Assistant (February 2004 through July 2004)

OCR for page R1
Summary of a Workshop on Software Certification and Dependability COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD DAVID LIDDLE, U.S. Venture Partners, Co-Chair JEANNETTE M. WING, Carnegie Mellon University, Co-Chair ERIC BENHAMOU Global Ventures, LLC DAVID D. CLARK, Massachusetts Institute of Technology, CSTB Member Emeritus WILLIAM DALLY, Stanford University MARK E. DEAN, IBM Systems Group DEBORAH ESTRIN, University of California, Los Angeles JOAN FEIGENBAUM, Yale University HECTOR GARCIA-MOLINA, Stanford University KEVIN KAHN, Intel Corporation JAMES KAJIYA, Microsoft Corporation MICHAEL KATZ, University of California, Berkeley RANDY H. KATZ, University of California, Berkeley WENDY A. KELLOGG, IBM T.J. Watson Research Center SARA KIESLER, Carnegie Mellon University BUTLER W. LAMPSON, Microsoft Corporation, CSTB Member Emeritus TERESA H. MENG, Stanford University TOM M. MITCHELL, Carnegie Mellon University DANIEL PIKE, GCI Cable and Entertainment ERIC SCHMIDT, Google Inc. FRED B. SCHNEIDER, Cornell University WILLIAM STEAD, Vanderbilt University ANDREW J. VITERBI, Viterbi Group, LLC CHARLES N. BROWNSTEIN, Director KRISTEN BATCH, Research Associate JENNIFER M. BISHOP, Program Associate JANET BRISCOE, Manager, Program Operations JON EISENBERG, Senior Program Officer RENEE HAWKINS, Financial Associate MARGARET MARSH HUYNH, Senior Program Assistant HERBERT S. LIN, Senior Scientist LYNETTE I. MILLETT, Program Officer JANICE SABUDA, Senior Program Assistant BRANDYE WILLIAMS, Staff Assistant For more information on CSTB, see its Web site at <http://www.cstb.org>, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability This page intentionally left blank.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability Preface Systems on which the safety or security of individuals may depend are frequently subject to certification: a formal assurance that the system has met relevant technical standards, designed to give confidence that it has some specific properties—for example, that it will not unduly endanger the public. Today, certification of the dependability of a software-based system frequently relies at least as heavily on assessments of the process used to develop it as it does on the system's observable properties. While these assessments can be useful, few would dispute that direct evaluation of the artifact ought to provide a stronger kind of assurance than the credentials of its production methods could hope to provide. Yet the complexity of software systems, as well as their discrete nature, makes them extremely difficult to analyze unless great care has been taken with their structure and maintenance. To further understand these and related issues, the High Confidence Software and Systems Program at the National Coordination Office for Information Technology Research and Development initiated discussions with the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC). These discussions resulted in agreement to undertake a study to assess the current state of certification in dependable systems, with the goal of recommending areas for improvement. Initial funding for the project was obtained from the National Science Foundation, the National Security Agency, and the Office of Naval Research. The Committee on Certifiably Dependable Software Systems was appointed to conduct the study. The task of the committee is to identify the kinds of system properties for which certification is desired, describe how that certification is obtained today, and, most important, determine what design and development methods, as well as methods for establishing evidence of trustworthiness, could lead to systems structures that are more easily certified. To accomplish its mission, the committee divided this study into two phases: a framing phase and an assessment phase. This report is the outcome of the first phase, the framing phase, which included a public workshop organized by the committee and attended by members of industry, government, and academia. Held on April 19-20, 2004, the workshop featured a variety of participants invited to present their views on issues surrounding certification and dependability (see Appendix A for the workshop agenda). Six panels were organized, and each panelist gave a short presentation that addressed the theme of the panel. The workshop panelists are listed in Appendix B. Each panel session was followed by an extensive discussion involving all of the workshop participants and moderated by one or two committee members. The committee met three times: once to plan the workshop, then to hold the workshop, and, last, to distill information from the workshop and develop the report. This report is the committee’s summary of the panelists’ presentations and the discussions that followed.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability Although the summary is based on presentations and discussion at the workshop, the participants’ comments do not necessarily reflect the views of the committee, nor does the summary present findings or recommendations of the National Research Council. In fact, the committee took care in writing this report simply to summarize the discussions, and to avoid any bias or appearance of bias in favor of one opinion or another. Because it did not seem sensible to attempt a distillation across panels, the committee tried to record something of the spirit of each individual panel session. Nor is this report intended to be complete; topics that were not discussed at the workshop are not mentioned, however important they might be. In the second phase of the study, the committee will analyze the information gathered in the workshop and summarized here, along with information and input it gathers from other experts and related studies. This assessment phase will deliver a final report (planned for release in 2005) with findings and recommendations from the committee. The Committee on Certifiably Dependable Software Systems consists of 13 members from industry and academia who are experts in different aspects of systems dependability, including software engineering, software testing and evaluation, software dependability, embedded systems, human-computer interaction, systems engineering, systems architecture, accident theory, standards setting, key applications domains, economics, and regulatory policy (see Appendix C for committee and staff biographies). The committee thanks the many individuals who contributed to its work. It appreciates the panelists’ willingness to address the questions posed to them and is grateful for their insights. The study’s sponsors at the National Science Foundation, the National Security Agency and the Office of Naval Research have been most supportive and responsive in helping the committee to do its work. The reviewers of the draft report provided insightful and constructive comments that contributed significantly to its clarity. The committee is particularly grateful to the CSTB staff: Lynette Millett, program officer, who as the study director for this project has provided excellent advice and assistance throughout; Phil Hilliard, research associate, whose work in note-taking and summarizing discussions, and in obtaining and organizing materials for the committee, has been invaluable; and Penelope Smith, senior program assistant, who deftly handled all kinds of administrative issues, including most of the arrangements for the workshop and associated meetings. The success of the workshop is a testament to their commitment and hard work. Susan Maurizi from the Division on Engineering and Physical Sciences’ editorial staff and Cameron Fletcher made significant editorial contributions to the final manuscript. Daniel Jackson, Chair Committee on Certifiably Dependable Software Systems

OCR for page R1
Summary of a Workshop on Software Certification and Dependability Acknowledgment of Reviewers This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report: Anthony Hall, Independent Consultant John C. Knight, University of Virginia William Scherlis, Carnegie Mellon University William Stead, Vanderbilt University Jeannette Wing, Carnegie Mellon University Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Daniel P. Siewiorek, Carnegie Mellon University. Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability This page intentionally left blank.

OCR for page R1
Summary of a Workshop on Software Certification and Dependability Contents 1   OVERVIEW OF WORKSHOP DISCUSSIONS   1 2   SUMMARY OF PANEL SESSIONS AND PRESENTATIONS   5     Panel A:  The Strengths and Limitations of Process,   5     Panel B:  Looking Forward: New Challenges, New Opportunities,   8     Panel C:  Certification and Regulation: Experience to Date,   11     Panel D:  Organizational Context, Incentives, Safety Culture, and Management,   13     Panel E:  Cost-effectiveness of Software Engineering Techniques,   16     Panel F:  Case Study: Electronic Voting,   18 3   SUMMARY OF CLOSING SESSION   21     APPENDIXES         A  Workshop Agenda   27     B  Panelist Biographies   31     C  Committee Member and Staff Biographies   39     WHAT IS CSTB?   45

OCR for page R1
Summary of a Workshop on Software Certification and Dependability This page intentionally left blank.