Software reliability predictions can increase trust in the reliability of safety-critical software such as the NASA Space Shuttle Primary Avionics Software System (Shuttle flight software). This objective was achieved using a novel approach to integrate software-safety criteria, risk analysis, reliability prediction, and stopping rules for testing. This approach applies to other safety-critical software. We cover only the safety of the software in a safety-critical system. The hardware and human-operator components of such systems are not explicitly modeled, nor are the hardware- and operator-induced software failures. The concern is with reducing the risk of all failures attributed to software. Thus, safety refers to software-safety and not to system-safety. By improving the software reliability, where the reliability measurements & predictions are directly related to mission & crew safety, we contribute to system safety. Remaining failures (RF), maximum failures, total test time (TTT) required to attain a given fraction of RF, and time to next failure (TTNF) are shown to be useful reliability measures & predictions for: providing assurance that the software has achieved safety goals; rationalizing how long to test a piece of software; and analyzing the risk of not achieving RF & TTNF goals. Having predictions of the extent to which the software is not fault free (RF) and whether it is likely to survive a mission (TTNF) provides criteria for assessing the risk of deploying the software. Furthermore, 'fraction of RF' can be used both as an operational-quality goal in predicting TTT requirements and, conversely, as an indicator of operational-quality as a function of TTT expended. Software reliability models provide one of several tools that software managers of the Shuttle flight software are using to assure that the software meets required safety goals. Other tools are inspections, software reviews, testing, change control boards, and, perhaps most important, experience & judgement.
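The abstract names four quantities (maximum failures, RF, TTT for a given fraction of RF, and TTNF) and two uses for them: a stopping rule for testing and a deployment-risk check. The following is an added example, not code from the paper or from the Shuttle program, showing how those quantities fall out of one reliability growth model. It assumes an exponential NHPP model (Goel-Okumoto form, with parameters a for maximum failures and b for the per-interval detection rate) as a stand-in for whatever model the authors used; the per-interval failure counts, the goal values and all function names are constructed for illustration.

```python
import math

# Added example, not code from the paper. It assumes an exponential NHPP
# reliability growth model (Goel-Okumoto form) as a stand-in for whatever
# model the authors fitted; the failure counts below are constructed.
# Test time is counted in equal-length test intervals.
#   a : maximum failures (expected total over unlimited testing)
#   b : failure detection rate per interval


def expected_failures_in_interval(a, b, i):
    """Expected failures in test interval i (1-based): a*e^{-b(i-1)}*(1-e^{-b})."""
    return a * math.exp(-b * (i - 1)) * (1.0 - math.exp(-b))


def expected_cumulative_failures(a, b, t):
    """Expected failures found by the end of interval t: F(t) = a*(1 - e^{-bt})."""
    return a * (1.0 - math.exp(-b * t))


def fit_model(counts):
    """Maximum-likelihood fit of (a, b) to per-interval failure counts.

    a has the closed form N / (1 - e^{-bn}). Substituting it into the
    likelihood leaves one equation in b: the mean interval index of the
    observed failures must equal the model's mean index, which decreases
    strictly in b, so bisection finds the unique root.
    """
    n, total = len(counts), float(sum(counts))
    mean_index = sum(x * (i - 1) for i, x in enumerate(counts, start=1)) / total
    if mean_index >= (n - 1) / 2.0:
        raise ValueError("counts show no reliability growth; model does not apply")

    def model_mean_index(b):
        # mean of (i-1) under the model, i.e. a geometric law truncated at n
        return 1.0 / math.expm1(b) - n / math.expm1(b * n)

    lo, hi = 1e-6, 10.0  # model mean runs from (n-1)/2 down to ~0 over this range
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if model_mean_index(mid) > mean_index:
            lo = mid
        else:
            hi = mid
    b = 0.5 * (lo + hi)
    a = total / -math.expm1(-b * n)
    return a, b


def remaining_failures(a, observed_total):
    """RF: failures the model expects are still present after observed_total were found."""
    return max(a - observed_total, 0.0)


def fraction_remaining(b, t):
    """Fraction of maximum failures still remaining after test time t: RF(t)/a = e^{-bt}."""
    return math.exp(-b * t)


def total_test_time_for_fraction(b, fraction):
    """TTT: test time needed before remaining failures fall to `fraction` of the
    maximum, i.e. the t that solves e^{-bt} = fraction."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must lie strictly between 0 and 1")
    return -math.log(fraction) / b


def time_to_next_failure(a, b, t, observed_total):
    """TTNF: further time after t until one more failure is expected.
    Solves F(t') = observed_total + 1; infinite when the model expects no more."""
    target = observed_total + 1
    if target >= a:
        return math.inf
    t_next = -math.log(1.0 - target / a) / b
    return max(t_next - t, 0.0)


def deployment_risk(counts, rf_goal, mission_duration):
    """Fit the model to the test history and check the RF and TTNF goals;
    a missed goal flags a deployment risk rather than a release decision."""
    a, b = fit_model(counts)
    t, observed = len(counts), sum(counts)
    rf = remaining_failures(a, observed)
    ttnf = time_to_next_failure(a, b, t, observed)
    return {
        "max_failures": a,
        "detection_rate": b,
        "remaining_failures": rf,
        "ttnf": ttnf,
        "rf_goal_met": rf <= rf_goal,
        "ttnf_goal_met": ttnf >= mission_duration,
    }


# Constructed failure counts for ten equal test intervals (not Shuttle data).
SAMPLE_COUNTS = [12, 9, 7, 5, 4, 3, 2, 2, 1, 1]

if __name__ == "__main__":
    result = deployment_risk(SAMPLE_COUNTS, rf_goal=1.0, mission_duration=8.0)
    for key, value in result.items():
        print(f"{key}: {value}")
    _, b = fit_model(SAMPLE_COUNTS)
    print("TTT until 10% of maximum failures remain:", total_test_time_for_fraction(b, 0.10))
```

With the constructed counts the fit leaves roughly three predicted failures in the software and a TTNF of under two intervals, so both the RF goal and an eight-interval mission goal are reported as unmet; `total_test_time_for_fraction` then answers the stopping-rule question of how much more testing would bring the remaining fraction down to a chosen target. RF and TTNF are deliberately checked together: a low RF says little about whether the next failure falls inside the mission, and a long TTNF does not by itself mean the software is close to fault free.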