RESAFE-2008 Home

International Workshop on Software Reuse and Safety

RESAFE-2008

25 May 2008

Beijing, China

Held in conjunction with the Tenth International Conference on Software Reuse (ICSR 10)


Why a workshop on software reuse and safety?

In the software engineering community at large, reuse has long since come of age, and in its various manifestations - component-based development, generative languages, domain engineering and others - it is one of the most popular and important paradigms. But there is one domain in which software reuse is looked upon with suspicion: the domain of safety-critical systems.

Much of the negative view of reuse is based on the failure of the Therac-25 medical system which resulted in the deaths of several patients (Leveson and Clark, 1993). One of the sources of failure is believed to be reusable software carried over from previous versions of the Therac system.

The case against reuse in the Ariane 5 system is made in (Jézéquel and Meyer, 1997). They state that, "Reuse without a precise specification mechanism is a disastrous risk." Yet some have noted that the Ariane 5 incident was more related to dependability than safety, since human life was not in jeopardy.

These and other cases led some members of the software reuse community to the belief that it was important to begin addressing the issues surrounding reuse and safety in an organized manner, and the result was a panel at the 8th International Conference on Software Reuse in Madrid in 2004. Following the interest generated by that panel, it was decided to create a full-day workshop to explore and discuss the issues in detail. The RESAFE-2006 workshop concluded successfully on 15 June 2006, with participation from research, public, and private institutions from Europe and North America. This workshop builds upon the results of those previous efforts.

Safety is different

In her book Safeware (Leveson 1995), Leveson observes that a common problem in much current work in the area is the tendency to consider safety together with other nonfunctional properties such as reliability, availability, and dependability, leading to the impression that improvement in any of the other areas will automatically lead to improvements in its safety-related characteristics. Yet it is easily demonstrated that a less dependable system can be safer than another, more dependable one, for example. A strong case is made for considering safety on its own merits, separately from other RAM (reliability, availability, maintainability) characteristics.

This is indeed the trend in some of the major international standardization bodies. The European Space Agency has separate standards for safety and dependability. The CENELEC authority for the rail transport industry provides for an independent assessment capability on safety, separate from other characteristics of a system. Very strict constraints are placed upon software reuse within the CENELEC standards.

A roadmap for research in software reuse and safety

The software reuse research community has largely ignored the major issues in safety, although the recent interest in "wrappers" and similar technologies holds promise for addressing some of the issues around reuse of COTS (commercial off-the-shelf) software, including entire operating systems, in safety-critical systems. One potential contribution of this workshop could therefore be the identification of areas in which researchers could work to advance the state of the art with respect to reuse and safety. A concrete output of the workshop may be a roadmap and paper to publish in a suitable journal and on appropriate websites such as the IEEE Software Engineering website.

The Call for Papers for the workshop is online, as is a collection of resources.

References

Jézéquel, J.-M., & Meyer, B. (1997). "Design by Contract: The Lessons of Ariane." IEEE Computer, 30(1), 129-130.

Leveson, N. G. (1995). Safeware: System Safety and Computers. Reading, MA: Addison-Wesley.

Leveson, N. G., & Turner, C. S. (1993). "An Investigation of the Therac-25 Accidents -- Part V." See the Resources section of this site.