International Workshop on Software Reuse and Safety
Why a workshop on software reuse and safety? In the software engineering community at large, reuse has long since come of age, and in its various manifestations (component-based development, generative languages, domain engineering and others) it is one of the most popular and important paradigms. But there is one domain in which software reuse is looked upon with suspicion: the domain of safety-critical systems. Much of the negative view of reuse is based on the failure of the Therac-25 medical system, which resulted in the deaths of several patients. One of the sources of failure is believed to be reusable software carried over from previous versions of the Therac system. The case against reuse in the Ariane 5 system was made by Jézéquel and Meyer in a paper where they state that, "Reuse without a precise specification mechanism is a disastrous risk." These and other cases led some members of the software reuse community to the belief that it was important to begin addressing the issues surrounding reuse and safety in an organized manner, and the result was a panel at the 8th International Conference on Software Reuse in Madrid in 2004. Following the interest generated by that panel, it was decided to create a full-day workshop in order to be able to explore and discuss the issues in detail. The RESAFE-2006 workshop was concluded successfully on 15 June 2006 with participation from research, public, and private institutions from Europe and North America. It was followed by the RESAFE-2008 workshop in Beijing, China in May 2008.

Safety is different

In her book Safeware, Leveson observes that a common problem in much current work in the area is the tendency to consider safety together with other nonfunctional properties such as reliability, availability, and dependability, leading to the impression that improvement in any of the other areas will automatically lead to improvements in its safety-related characteristics. Yet it is easily demonstrated that a less dependable system can be safer than another, more dependable one, depending on how you choose to define those terms (for example, some have noted that the Ariane 5 incident was more related to dependability than safety, since human life was not in jeopardy). A strong case is made for considering safety on its own merits, separately from other characteristics. This is indeed the trend in some of the major international standardization bodies. The European Space Agency has separate standards for safety and dependability. The CENELEC authority for the rail transport industry provides for an independent assessment capability on safety, separate from other characteristics of a system. Very strict constraints are placed upon software reuse within the CENELEC standards and the standards of the European Space Agency, as well as a number of other standards.

A roadmap for research in software reuse and safety

The software reuse research community has largely ignored the major issues in safety, although the recent interest in "wrappers" and similar technologies holds promise for addressing some of the issues around reuse of COTS (including entire operating systems) in safety-critical systems. One potential contribution of the RESAFE initiative is the identification of areas in which researchers could work to advance the state of the art with respect to reuse and safety. This will lead to a roadmap for research in software reuse and safety. We hope that you will join us in this initiative.
The RESAFE site is maintained by John Favaro and Bill Frakes