Bibliography

[1]     Abrial, Jean-Raymond, The B Book: Assigning Programs To Meanings, Cambridge University Press (2005)

[2]     Ackerman, A., L. Buchwald, and F. Lewski, Software Inspections: An Effective Verification Process, IEEE Software, Vol. 6, No. 3 (May 1989)

[3]     Ada Information Clearinghouse, Ada Reference Manual, ISO/IEC 8652:1995(E) with Technical Corrigendum 1 and Amendment 1
http://www.adaic.com/standards/05rm/RM-Final.pdf

[4]     Ada Information Clearinghouse, Ada Reference Manual, ISO/IEC 8652:1995(E) with Technical Corrigendum 1
http://www.adaic.com/standards/95lrm/html/RM-TTL.html

[5]     Adelard LLP, Adelard Safety Case Editor
http://www.adelard.com

[6]     Akera, A., The Circulation of Knowledge and the Origins of the ENIAC: (Or, What Was and Was Not Innovative About the American Wartime Project)
http://ghn.ieee.org/wiki/images/b/be/Akera.pdf

[7]     American Nuclear Society, ANSI/ANS-2.29-2008: Probabilistic Seismic Hazard Analysis (2008)

[8]     Amey, P., Correctness by Construction: Better Can Also Be Cheaper, Crosstalk: The Journal of Defense Software Engineering (March 2002)

[9]     Ammann, P. and J. Knight, Data Diversity: An Approach To Software Fault Tolerance, IEEE Transactions on Computers, Vol. 37, No. 4 (April 1988)

[10]    Anderson, T. and P. Lee, Fault Tolerance: Principles and Practice, Prentice Hall International (1983)

[11]    Australian Transport Safety Bureau, In-flight upset event 240 km north-west of Perth, WA, Boeing Company 777-200, 9M-MRG
http://www.atsb.gov.au/publications/investigation_reports/2005/AAIR/pdf/aair200503722_001.pdf

[12]    Automotive Industry Action Group (AIAG), FMEA-3: Potential Failure Effects Analysis
https://www.aiag.org

[13]    Avizienis, A., J.-C. Laprie, B. Randell, and C. Landwehr, Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Transactions on Secure and Dependable Computing, Vol. 1, No. 1 (January-March 2004)

[14]    Bahr, N., System Safety Engineering And Risk Assessment: A Practical Approach (Chemical Engineering), Taylor and Francis (1997)

[15]    Ball, M. and F.H. Hardie, Architecture for an Extended Mission Aerospace Computer, IBM No. 66-825-1753, Owego, New York (May 1969)

[16]    Barnes, J., High Integrity Software: The SPARK Approach to Safety and Security, Addison Wesley (2003)

[17]    Beck, K. and C. Andres, Extreme Programming Explained: Embrace Change, Pearson (2004)

[18]    Borkar, S., Designing reliable systems from unreliable components: the challenges of transistor variability and degradation, IEEE Micro, Vol. 25, No. 6 (November/December 2005)

[19]    Bose, P., Designing reliable systems with unreliable components, IEEE Micro, Vol. 26, No. 5, (June 2006)

[20]    Bowen, J.P. and M.G. Hinchey, Seven More Myths of Formal Methods, IEEE Software (July 1995)

[21]    British Standards Institution BS 5760-5, Reliability of systems, equipment and components. Guide to failure modes, effects and criticality analysis (FMEA and FMECA) (1991)

[22]    Burns, A. and A. Wellings, Safety Kernels: Specification and Implementation, High Integrity Systems, Vol 1, No 3 (1995)

[23]    Burns, A., B. Dobbing, and T. Vardanega, Guide for the Use of the Ada Ravenscar Profile in High Integrity Systems, University of York Technical Report YCS-2003-348 (2003)

[24]    Butler, R. and G. Finelli, The Infeasibility of Quantifying the Reliability of Life-Critical Real-Time Software, IEEE Transactions on Software Engineering, Vol. 19, No. 1, pp. 3-12 (January 1993)

[25]    Chen, L. and A. Avizienis, N-version Programming: A Fault-tolerance Approach to Reliability of Software Operation, Eighth International Symposium on Fault Tolerant Computing, Toulouse, France (1978)

[26]    Chilenski, J. and S. Miller, Applicability of Modified Condition/Decision Coverage to Software Testing, Software Engineering Journal, Vol. 9, No. 5, pp. 193-200 (September 1994)

[27]    Clarke, E. and J. Wing, Formal Methods: State of the Art and Future Directions, ACM Computing Surveys, Vol. 28, No. 4 (December 1996)

[28]    ClearSy System Engineering, Atelier B toolset
http://www.atelierb.eu/index-en.php

[29]    Cole, G., Estimating Drive Reliability in Desktop Computers and Consumer Electronics Systems, Seagate Technology Paper TP-338.1 (November 2000)

[30]    Computerworld, March 29, 2007
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782

[31]    Craigen, D., S. Gerhart, and T. Ralston, An International Survey of Industrial Applications of Formal Methods, National Institute of Standards and Technology, GCR 626 (1993)

[32]    Dahl, O., E. W. Dijkstra, and C. A. Hoare, Structured Programming, Academic Press, New York (1972)

[33]    Defense Industry Daily, F-22 Squadron Shot Down by the International Date Line
http://www.defenseindustrydaily.com/f22-squadron-shot-down-by-the-international-date-line-03087/

[34]    Department of Defense, Ada Joint Program Office, Ada 95 Quality and Style: Guidelines for Professional Programmers
http://www.adaic.org/docs/95style/95style.pdf

[35]    Department of Defense, Mil-Std-882D, Standard Practice for System Safety
http://www.denix.osd.mil/shf/upload/MIL-STD-882D.pdf

[36]    Department of Defense, MIL-STD-1629A: Procedures for Performing a Failure Mode, Effects and Criticality Analysis.

[37]    Dobson, J. and B. Randell, Building Reliable Secure Computing Systems Out Of Unreliable Insecure Components, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (1986)

[38]    Driscoll, K., B. Hall, M. Paulitsch, P. Zumsteg, and H. Sivencrona, The Real Byzantine Generals, 23rd Digital Avionics Systems Conference, Salt Lake City (October 2004)

[39]    Droschl, G., W. Kuhn, G. Sonneck, and M. Thuswald, A Formal Methods Case Study: Using Light-Weight VDM for the Development of a Security System Module, Lecture Notes in Computer Science, Vol. 1943, Springer Verlag (2000)

[40]    Easterbrook, S. and J. Callahan, Formal Methods for Verification and Validation of Partial Specifications: A Case Study, NASA Independent Verification and Validation Facility, Morgantown, WV (1997)

[41]    Eckhardt, D. and L. Lee, A Theoretical Basis for the Analysis of Multiversion Software Subject to Coincident Errors, IEEE Transactions on Software Engineering, Vol. SE-11, No. 12 (December 1985)

[42]    Eiffel Software
http://www.eiffel.com/

[43]    Ericson, C., Fault Tree Analysis—A History, Proceedings 17th International System Safety Conference, International System Safety Society, Orlando FL (1999)

[44]    Esterel Technologies, SCADE Suite
http://www.esterel-technologies.com/products/scade-suite/

[45]    Fagan, M.E., Design and code inspections to reduce errors in program development, IBM Journal of Research and Development, Vol. 15, No. 3 (1976)

[46]    Federal Aviation Administration, System Safety Handbook
http://www.faa.gov/library/manuals/aviation/risk_management/ss_handbook/

[47]    Finkelstein, A. and J. Dowell, A Comedy of Errors: The London Ambulance Service Case Study
http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf

[48]    Food and Drug Administration, Guidance for Industry and FDA Staff, Total Product Life Cycle: Infusion Pump — Premarket Notification [510(k)] Submissions, DRAFT GUIDANCE (April 2010)

[49]    Garman, J., The “Bug” Heard ‘Round the World, ACM Sigsoft Software Engineering notes, Vol. 6, No. 5 (October 1981)

[50]    GNU Coding Standards
http://www.gnu.org/prep/standards/

[51]    Gray, J., Why Do Computers Stop and What Can Be Done About It?, Tandem Computers Technical Report TR 85.7 (June 1985)
http://www.hpl.hp.com/techreports/tandem/TR-85.7.pdf

[52]    Gray, J. and C. van Ingen, Empirical Measurements of Disk Failure Rates and Error Rates, Microsoft Research Technical Report MSR-TR-2005-166 (December 2005)

[53]    Gregory, S. and J.C. Knight, On the Provision of Backward Error Recovery in Production Programming Languages, Nineteenth Annual Symposium on Fault-Tolerant Computing, Chicago, IL (June 1989)

[54]    Hall, A., Seven Myths of Formal Methods, IEEE Software (September 1990)

[55]    Hall, A. and R. Chapman, Correctness by Construction: Developing a Commercial Secure System, IEEE Software, Vol. 19, No. 1, pp. 18-25 (Jan/Feb 2002)

[56]    Hall, A. and R. Chapman, Correctness by Construction
http://www.anthonyhall.org/Correctness_by_Construction.pdf

[57]    Harel, D., Statecharts: A Visual Formalism for Complex Systems, Science of Computer Programming, Vol. 8, pp. 231-274 (1987)

[58]    Hayhurst, K., D. Veerhusen, J. Chilenski, L. Rierson, A Practical Tutorial on Modified Condition/Decision Coverage, NASA Langley Technical Report TM-2001-21087 (May 2001)

[59]    Health and Safety at Work etc. Act 1974
http://www.healthandsafety.co.uk/haswa.htm

[60]    Health and Safety Executive, ALARP Suite of Guidance
http://www.hse.gov.uk/risk/theory/alarp.htm

[61]    Hekmatpor, S. and D. Ince, Software Prototyping, Formal Methods and VDM, Addison-Wesley (1988)

[62]    Heitmeyer, C., M. Archer, R. Bharadwaj and R. Jeffords, Tools for constructing requirements specifications: The SCR toolset at the age of ten, International Journal of Computer Systems Science & Engineering, Vol. 20, No. 1 (2005)

[63]    Holzmann, G., The Spin Model Checker: Primer and Reference Manual, Addison Wesley, Boston (2004)

[64]    Institute of Electrical and Electronic Engineers
http://www.ieee.org/portal/innovate/products/standard/ieee_choice.html

[65]    International Electrotechnical Commission IEC 61025, Fault tree analysis (FTA) (2006)

[66]    International Electrotechnical Commission IEC 60812:2006(E), Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA) (2006)

[67]    International Electrotechnical Commission IEC 61882, Hazard and operability studies (HAZOP studies) – Application guide (2001)

[68]    International Standards Organization
http://www.iso.org/iso/home.htm

[69]    International Standards Organization/International Electrotechnical Commission 9899 – Programming languages – C (2005)
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf

[70]    International Standards Organization/International Electrotechnical Commission 15026:1998 – Information technology – System and software integrity levels (1998)

[71]    Jacky, J., The Way of Z: Practical Programming with Formal Methods, Cambridge University Press (1996)

[72]    Jetley, R., C. Carlos, and S. Iyer, A case study on applying formal methods to medical devices: computer-aided resuscitation algorithm, International Journal on Software Tools for Technology Transfer, Vol. 5 No. 4 (May 2004)

[73]    Johnson, C.W., A Handbook of Incident and Accident Reporting, University of Glasgow Press, Glasgow, Scotland (October 2003)
http://www.dcs.gla.ac.uk/~johnson/book/

[74]    Jones, C., Systematic Software Development Using VDM, Prentice Hall (1986)

[75]    Kelly, T.P., A Systematic Approach to Safety Case Management, Proceedings SAE 2004 World Congress, Detroit, MI (2004)

[76]    Kelly, T.P., Arguing Safety — A Systematic Approach to Managing Safety Cases, D. Phil Thesis, University of York, U.K. (September 1998)

[77]    Knight, J., The Glass Cockpit, IEEE Computer, Vol. 40, No. 9 (September 2007)

[78]    Knight, J.C., A.G. Cass, A.M. Fernandez, and K.G. Wika, Testing a Safety-Critical Application, ISSTA ‘94, International Symposium on Software Testing and Analysis (workshop section), Seattle, WA (August 1994)

[79]    Knight, J. and M. Dunn, Software quality through domain-driven certification, Annals of Software Engineering, Vol. 5 (1998)

[80]    Knight, J. and N. Leveson, An Experimental Evaluation of the Assumption of Independence in Multiversion Programming, IEEE Transactions on Software Engineering, Vol. 12, No. 1 (January 1986)

[81]    Knight, J. and N. Leveson, The Consistent Comparison Problem in N-Version Software, IEEE Transactions on Software Engineering, Vol. 15, No. 11, (November 1989)

[82]    Laitenberger, O., Cost-effective Detection of Software Defects through Perspective-based Inspections, Journal of Empirical Software Engineering, Vol. 6 (2001)

[83]    Lamport, L., R. Shostak, and M. Pease, The Byzantine Generals Problem, ACM Transactions on Programming Languages and Systems, Vol. 4, No. 3 (July 1982)

[84]    Leveson, N., Safeware: System Safety and Computers, Addison Wesley (1995)

[85]    Leveson, N. and P. Harvey, Software fault tree analysis, Journal of Systems and Software, Vol. 3, No. 2 (1983)

[86]    Leveson, N., M. Heimdahl, H. Hildreth, and J. Reese, Requirements Specification for Process-Control Systems, IEEE Transactions on Software Engineering, Vol. 20, No. 9 (1994)

[87]    Leveson, N. and J. Stolzy, Safety Analysis Using Petri Nets, IEEE Transactions on Software Engineering, Vol. 13, No. 3 (1987)

[88]    Leveson, N.G. and C.S. Turner, An Investigation of the Therac-25 Accidents, IEEE Computer, Vol. 26, No. 7 (July 1993)

[89]    Lions, J.L., Ariane 5 Flight 501 Failure, Report by the Inquiry Board
http://esamultimedia.esa.int/docs/esa-x-1819eng.pdf

[90]    Littlewood, B., The Littlewood-Verrall model for software reliability compared with some rivals, Journal of Systems and Software, Vol. 1, pp. 251-258 (1979-1980)

[91]    Luckham, D., F.W. von Henke, B. Krieg-Brueckner, O. Owe, ANNA: A Language for Annotating Ada Programs, Springer-Verlag Lecture Notes in Computer Science 260 (1987)

[92]    Mackall, D., Development and Flight Test Experiences With a Flight-Crucial Digital Control System, Technical Report NASA TP-2857, Research Engineering, NASA Dryden Flight Research Center (1988)

[93]    Mack, M.J., W. M. Sauer, S. B. Swaney, and B. G. Mealey, IBM POWER6 Reliability, IBM Journal of Research and Development, Vol. 51, No. 6 (2007)
http://www.research.ibm.com/journal/rd/516/mack.html

[94]    Mars Climate Orbiter, Mishap Investigation Board Phase I Report
ftp://ftp.hq.nasa.gov/pub/pao/reports/1999/MCO_report.pdf

[95]    Mathworks Simulink
http://www.mathworks.com/products/simulink/

[96]    Mills, H., R. Linger, and A. Hevner, Principles of Information System Analysis and Design, Academic Press, Inc. (1986)

[97]    Motor Industry Software Reliability Association, MISRA-C:2004 Guidelines for the Use of the C Language in Critical Systems
http://www.misra-c2.org/

[98]    Myers, E. and J. Knight, An Improved Software Inspection Technique and an Empirical Evaluation of Its Effectiveness, Communications of the ACM, Vol. 36, No. 11, pp. 50-61 (November, 1993)

[99]    National Highway Transportation Administration, Fatality Analysis Reporting System Encyclopedia
http://www-fars.nhtsa.dot.gov/Main/index.aspx

[100]  National Transportation Board, Aviation Accident Statistics
http://www.ntsb.gov/aviation/stats.htm

[101]  National Transportation Safety Board, Aircraft Accident Report: Controlled Flight into Terrain Korean Air Flight 801, Boeing 747-300, HL7468, Nimitz Hill, Guam, August 6, 1997, NTSB No. AAR-00/01
http://www.ntsb.gov/publictn/2000/AAR0001.htm

[102]  Neumann, P., Risks to the Public, ACM SIGSOFT, Software Engineering Notes, Vol. 15, No. 2, page 11ff (April 1990)

[103]  Parnas, D. and D. Weiss, Active Design Reviews: Principles and Practices, International Conference on Software Engineering, London, U.K. (1985)

[104]  Patterson, D., G. Gibson, and R. Katz, A Case for Redundant Arrays of Inexpensive Disks (RAID), Proceedings of the ACM International Conference on Management of Data (SIGMOD), Chicago, IL (1988)

[105]  Petroski, H., To Engineer Is Human: The Role of Failure in Successful Design, St. Martin’s Press (1985)

[106]  Pinheiro, E., W. Weber, and L. Barroso, Failure Trends in a Large Disk Drive Population, FAST ‘07: 5th USENIX Conference on File and Storage Technologies, USENIX Association (2007)

[107]  Porter, A., et al., An Experiment to Assess the Cost-Benefits of Code Inspections in Large Scale Software Development, IEEE Transactions on Software Engineering, Vol. 23, No. 6 (June 1997)

[108]  Potter, B., J. Sinclair, and D. Till, An Introduction to Formal Specification and Z — Second Edition, Prentice Hall (1996)

[109]  PRQA, http://www.programmingresearch.com

[110]  Praxis High Integrity Systems
http://www.spark.com

[111]  Praxis High Integrity Systems, SPARK Ada Reference Manual
http://www.sparkada.com/downloads/SPARK95.pdf

[112]  Prowell, S., C. Trammell, R. Linger, and J. Poore, Cleanroom Software Engineering: Technology and Process, SEI Series in Software Engineering (1995)

[113]  Randell, B., The Colossus, in A History of Computing in the Twentieth Century (N. Metropolis, J. Howlett and G. C. Rota, Eds.), pp. 47-92, Academic Press, New York (1980)

[114]  Randell, B., System Structure for Software Fault Tolerance, IEEE Transactions on Software Engineering, Vol. SE-1, No. 2, pp. 220-232 (1975)

[115]  Random House, Dictionary of the English Language, Second Edition, unabridged (1987)

[116]  Redmill, F., M. Chudleigh, and J. Catmur, System Safety: HAZOP and Software HAZOP, John Wiley (1999)

[117]  Redmill, F., ALARP Explored, Technical Report CS-TR-1197, Department of Computing Science, University of Newcastle upon Tyne (March 2010)

[118]  Report of the Loss of the Mars Polar Lander and Deep Space 2 Missions
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_1.pdf
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_2.pdf
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_3.pdf
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_4.pdf
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_5.pdf

[119]  RCM, Integrated Safety Case Development Environment, ISCaDE
http://www.iscade.co.uk

[120]  RTCA/DO-178B/ED-12B, Software Considerations in Airborne Systems and Equipment, Federal Aviation Administration software standard, RTCA Inc. (December 1992)

[121]  RTCA/DO-248, Final Report for Clarification of DO-178B, “Software Considerations in Airborne Systems and Equipment,” Prepared by SC-190, (October 12, 2001)

[122]  Rushby, J., Kernels for Safety?, in Safe and Secure Computing Systems, T. Anderson, Ed., Blackwell Scientific Publications (1989)

[123]  SAE International, ARP 5580, Recommended Failure Modes and Effects Analysis (FMEA) Practices for Non-Automobile Applications
http://www.sae.org/technical/standards/ARP5580

[124]  SAE International, J1739: Potential Failure Mode and Effects Analysis in Design (Design FMEA), Potential Failure Mode and Effects Analysis in Manufacturing and Assembly Processes (Process FMEA)
http://www.sae.org/technical/standards/J1739_200901

[125]  Schneier, B., Attack Trees, Dr. Dobbs Journal (December 1999)
http://www.schneier.com/paper-attacktrees-ddj-ft.html

[126]  Schneider, F., Byzantine Generals in Action: Implementing Fail-Stop Processors, ACM Transactions on Computer Systems, Vol. 2, No. 2, pp. 45-154 (May 1984)

[127]  Schneider, F. and R. Schlichting, Fail-Stop Processors: An Approach to Designing Fault Tolerant Computing Systems, ACM Transactions on Computing Systems, Vol. 1, No. 3, pp. 222-238 (August 1983)

[128]  Schonberg, E., Comparing Ada With C and C++
http://www.adaic.org/whyada/ada-vs-c/ada-vs-c.html

[129]  Schroeder, B. and G. Gibson, Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?, FAST ‘07: 5th USENIX Conference on File and Storage Technologies, USENIX Association (2007)

[130]  Selby, R., V. Basili, and F.T. Baker, Cleanroom Software Development: An Empirical Evaluation, IEEE Transactions on Software Engineering, Vol. 13, No. 12 (1987)

[131]  Siewiorek, D. and R. Swarz, Reliable Computer Systems: Design and Evaluation, Digital Press, Newton, MA (1998)

[132]  Software Rejuvenation
http://srejuv.ee.duke.edu/

[133]  Spin model checker
http://spinroot.com

[134]  Spivey, J.M., The Z Notation: A Reference Manual
http://spivey.oriel.ox.ac.uk/mike/zrm/

[135]  Splint — Secure Programming Lint
http://www.splint.org/

[136]  SRI International, PVS Specification and Verification System
http://pvs.csl.sri.com/

[137]  Sutton, J. and B. Carré, (eds.), Achieving High Integrity at Low Cost: A Constructive Approach, Elsevier (1997)

[138]  The System Safety Society
http://www.system-safety.org/

[139]  Toulmin, S., The Uses of Argument, Cambridge University Press (1958)

[140]  U.K. Ministry of Defence, Safety Management Requirements for Defence Systems, Defence Standard 00-56 (2007)

[141]  U.K. Civil Aviation Authority, CAP 670 Air Traffic Services Safety Requirements (2009)

[142]  University of York, Department of Computer Science, GSN Editing Add-on for Microsoft Visio
http://www.cs.york.ac.uk/~tpk/gsn/gsnaddoninstaller.zip

[143]  U.S. Department of Energy, Advisory Notice, L-117: The Code Red Worm
http://www.ciac.org/ciac/bulletins/l-117.shtml

[144]  von Neumann, J., First Draft of a Report on the EDVAC, Contract No. W-670-ORD-492, Moore School of Electrical Engineering, Univ. of Penn., Philadelphia (1945)

[145]  Vouk, M.A., On Back-To-Back Testing, Computer Assurance, 1988, Gaithersburg, MD (1988)

[146]  Weaver, R.A., The Safety of Software – Constructing and Assuring Arguments, D. Phil. Thesis, Department of Computer Science, University of York, U.K. (September 2003)

[147]  Weimer, W., T. Nguyen, C. Le Goues, and S. Forrest, Automatically Finding Patches Using Genetic Programming, International Conference on Software Engineering (ICSE), Vancouver, BC (2009)

[148]  Wika, K., Safety Kernel Enforcement of Software Safety Policies, Ph.D. dissertation, Department of Computer Science, University of Virginia (May 1995)
http://www.cs.virginia.edu/dissertations/9504.pdf

[149]  Wika, K. and J. Knight, On the Enforcement of Software Safety Policies, 10th Annual IEEE Conference on Computer Assurance (COMPASS ‘95), Gaithersburg, MD (June 1995)

[150]  Wikipedia, As Low As Reasonably Practicable
http://en.wikipedia.org/wiki/ALARP#Carrot_diagrams

[151]  Wikipedia, List of tools for static code analysis
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

[152]  Wikipedia, The Pentium FDIV Bug
http://en.wikipedia.org/wiki/Pentium_FDIV_bug

[153]  Wikipedia, U.S.S. Yorktown (CG-48)
http://en.wikipedia.org/wiki/USS_Yorktown_(CG-48)

[154]  Wordsworth, J., Software Development With Z, Addison Wesley (1994)

[155]  Yeh, Y.C., Safety Critical Avionics for the 777 Primary Flight Controls System, 20th Digital Avionics Systems Conference, Daytona Beach, FL (2001)

[156]  Yu, W., A Software Fault Prevention Approach in Coding and Root Cause Analysis, Bell Labs Technical Journal (April-June, 1998)
