Demonstrating Software Reliability using Possibly Correlated Tests: Insights from a Conservative Bayesian Approach

TL;DR

This paper develops Bayesian methods to assess software reliability when execution independence is uncertain, providing conservative confidence bounds and insights into how dependence affects reliability claims in safety-critical systems.

Contribution

It introduces novel conservative Bayesian inference techniques that incorporate doubts about independence, enhancing reliability assessments for safety-critical software.

Findings

Independence assumptions can sometimes support conservative claims

Observing failures can paradoxically decrease confidence in system reliability

Additional failures significantly increase the required operational testing

Abstract

This paper presents Bayesian techniques for conservative claims about software reliability, particularly when evidence suggests the software's executions are not statistically independent. We formalise informal notions of "doubting" that the executions are independent, and incorporate such doubts into reliability assessments. We develop techniques that reveal the extent to which independence assumptions can undermine conservatism in assessments, and identify conditions under which this impact is not significant. These techniques - novel extensions of conservative Bayesian inference (CBI) approaches - give conservative confidence bounds on the software's failure probability per execution. With illustrations in two application areas - nuclear power-plant safety and autonomous vehicle (AV) safety - our analyses reveals: 1) the confidence an assessor should possess before subjecting a system to operational testing. Otherwise, such testing is futile - favourable operational testing evidence will eventually decrease one's confidence in the system being sufficiently reliable; 2) the independence assumption supports conservative claims sometimes; 3) in some scenarios, observing a system operate without failure gives less confidence in the system than if some failures had been observed; 4) building confidence in a system is very sensitive to failures - each additional failure means significantly more operational testing is required, in order to support a reliability claim.