Questions

The document discusses various aspects of software testing, quality assurance, and dependability in software systems. It covers topics such as the impact of known defects on product support, the role of developers in testing, and the importance of user involvement in testing processes. Additionally, it addresses safety-critical systems, resilience against cyber attacks, and the ethical implications of software failures.

8.1. Explain how the number of known defects remaining in a program at the time of delivery affects product support.

8.2. Testing is meant to show that a program does what it is intended to do. Why may testers not always know what a program is intended for?

8.3. Some people argue that developers should not be involved in testing their own code but that all testing should be the responsibility of a separate team. Give arguments for and against testing by the developers themselves.

8.4. You have been asked to test a method called catWhiteSpace in a “Paragraph” object that, within the paragraph, replaces sequences of blank characters with a single blank character. Identify testing partitions for this example and derive a set of tests for the catWhiteSpace method.

8.5. What is regression testing? Explain how the use of automated tests and a testing framework such as JUnit simplifies regression testing.
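The following is an added worked example for Exercises 8.4 and 8.5, not code from the textbook: a candidate implementation of catWhiteSpace, one representative test case per equivalence partition, and a second (deliberately "optimised") implementation that a regression run of the same suite would catch. It assumes that a "blank character" means the space character only, and it uses Python's unittest in place of JUnit; the names cat_white_space, PARTITION_CASES and failing_partitions are constructed for this example.

```python
import re
import unittest

# Assumption for this example: "blank" means the space character only.
# Tabs and newlines are left untouched so that a partition can check that
# assumption explicitly rather than leave it implicit.
_BLANK_RUN = re.compile(r" {2,}")


def cat_white_space(paragraph: str) -> str:
    """Replace every run of two or more spaces with a single space."""
    return _BLANK_RUN.sub(" ", paragraph)


# Equivalence partitions, one constructed representative each:
# (partition name, input, expected output).
PARTITION_CASES = [
    ("empty input", "", ""),
    ("no blanks at all", "word", "word"),
    ("single blanks only (already normal)", "a b c", "a b c"),
    ("one run of blanks in the middle", "a    b", "a b"),
    ("several runs of blanks", "a  b   c    d", "a b c d"),
    ("leading run of blanks", "   a", " a"),
    ("trailing run of blanks", "a   ", "a "),
    ("input consisting only of blanks", "      ", " "),
    ("run of exactly two blanks (boundary)", "a  b", "a b"),
    ("non-space whitespace is not a blank", "a\t\tb", "a\t\tb"),
]


def failing_partitions(func=cat_white_space):
    """Run every partition case against func and return the names that fail."""
    return [name for name, given, expected in PARTITION_CASES
            if func(given) != expected]


class CatWhiteSpaceTests(unittest.TestCase):
    """The same cases as an automated suite; re-run after every change."""

    def test_partitions(self):
        for name, given, expected in PARTITION_CASES:
            with self.subTest(partition=name):
                self.assertEqual(cat_white_space(given), expected)


def cat_white_space_regressed(paragraph: str) -> str:
    """A later rewrite that looks equivalent but changes behaviour: it also
    strips leading and trailing blanks and collapses tabs. The partition
    suite exposes the regression without anyone re-deriving the tests."""
    return " ".join(paragraph.split())


if __name__ == "__main__":
    unittest.main()
```

Running the module executes the suite; calling failing_partitions(cat_white_space_regressed) lists the four partitions (leading, trailing, blanks-only, tab) that the rewrite breaks, which is exactly the information a regression run is meant to surface.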

8.6. The Mentcare system is constructed by adapting an off-the-shelf information system. What do you think are the differences between testing such a system and testing software that is developed using an object-oriented language such as Java?

8.7. Write a scenario that could be used to help design tests for the wilderness weather station system.

8.8. What do you understand by the term stress testing? Suggest how you might stress-test the Mentcare system.

8.9. What are the benefits of involving users in release testing at an early stage in the testing process? Are there disadvantages in user involvement?

8.10. A common approach to system testing is to test the more important functionalities of a system first, followed by the less important functionalities until the testing budget is exhausted. Discuss the ethics involved in identifying what “more important” means.

10.1. Suggest six reasons why software dependability is important in most sociotechnical systems.

10.2. Explain with an example why resilience to cyber attacks is a very important characteristic of system dependability.

10.3. Using an example, explain why it is important when developing dependable systems to consider these as sociotechnical systems and not simply as technical software and hardware systems.

10.4. Give two examples of government functions that are supported by complex sociotechnical systems and explain why, in the foreseeable future, these functions cannot be completely automated.

10.5. Explain the difference between redundancy and diversity.

10.6. Explain why it is reasonable to assume that the use of dependable processes will lead to the creation of dependable software.

10.7. Give two examples of diverse, redundant activities that might be incorporated into dependable processes.

10.8. Give two reasons why different versions of a system based on software diversity may fail in a similar way.

10.9. You are an engineer in charge of the development of a small, safety-critical train control system, which must be demonstrably safe and secure. You suggest that formal methods should be used in the development of this system, but your manager is skeptical of this approach. Write a report highlighting the benefits of formal methods and presenting a case for their use in this project.

10.10. It has been suggested that the need for regulation inhibits innovation and that regulators force the use of older methods of systems development that have been used on other systems. Discuss whether or not you think this is true and the desirability of regulators imposing their views on what methods should be used.

11.1. Explain why it is practically impossible to validate reliability specifications when these are expressed in terms of a very small number of failures over the total lifetime of a system.

11.2. Suggest appropriate reliability metrics for the classes of software system below. Give reasons for your choice of metric. Predict the usage of these systems and suggest appropriate values for the reliability metrics.

■ a system that monitors patients in a hospital intensive care unit
■ a word processor
■ an automated vending machine control system
■ a system to control braking in a car
■ a system to control a refrigeration unit
■ a management report generator

11.3. Imagine that a network operations center monitors and controls the national telecommunications network of a country. This includes controlling and monitoring the operational status of switching and transmission equipment and keeping track of nationwide equipment inventories. The center needs to have redundant systems. Explain three reliability metrics you would use to specify the needs of such systems.

11.4. What is the common characteristic of all architectural styles that are geared to supporting software fault tolerance?

11.5. Suggest circumstances where it is appropriate to use a fault-tolerant architecture when implementing a software-based control system and explain why this approach is required.

11.6. You are responsible for the design of a communications switch that has to provide 24/7 availability but that is not safety-critical. Giving reasons for your answer, suggest an architectural style that might be used for this system.

11.7. It has been suggested that the control software for a radiation therapy machine, used to treat patients with cancer, should be implemented using N-version programming. Comment on whether or not you think this is a good suggestion.

11.8. Explain why all the versions in a system designed around software diversity may fail in a similar way.

11.9. Explain how programming language support of exception handling can contribute to the reliability of software systems.

11.10. Software failures can cause considerable inconvenience to users of the software. Is it ethical for companies to release software that they know includes faults that could lead to software failures? Should they be liable for compensating users for losses that are caused by the failure of their software? Should they be required by law to offer software warranties in the same way that consumer goods manufacturers must guarantee their products?
12.1. Identify six consumer products that are likely to be controlled by safety-critical software systems.

12.2. A software system is to be deployed for a company that has extremely high safety standards and allows for almost no risks, not even minor injuries. How will this affect the look of the risk triangle in Figure 12.3?

12.3. In the insulin pump system, the user has to change the needle and insulin supply at regular intervals and may also change the maximum single dose and the maximum daily dose that may be administered. Suggest three user errors that might occur and propose safety requirements that would avoid these errors resulting in an accident.

12.4. A safety-critical software system for managing roller coasters controls two main components:

■ The lock and release of the roller coaster harness which is supposed to keep riders in place as the coaster performs sharp and sudden moves. The roller coaster could not move with any unlocked harnesses.
■ The minimum and maximum speeds of the roller coaster as it moves along the various segments of the ride to prevent derailing, given the number of people riding the roller coaster.

Identify three hazards that may arise in this system. For each hazard, suggest a defensive requirement that will reduce the probability that these hazards will result in an accident. Explain why your suggested defense is likely to reduce the risk associated with the hazard.

12.5. A train protection system automatically applies the brakes of a train if the speed limit for a segment of track is exceeded, or if the train enters a track segment that is currently signaled with a red light (i.e., the segment should not be entered). There are two critical-safety requirements for this train protection system:

The train shall not enter a segment of track that is signaled with a red light.
The train shall not exceed the specified speed limit for a section of track.

Assuming that the signal status and the speed limit for the track segment are transmitted to on-board software on the train before it enters the track segment, propose five possible functional system requirements for the onboard software that may be generated from the system safety requirements.

12.6. Explain when it may be cost-effective to use formal specification and verification in the development of safety-critical software systems. Why do you think that some critical systems engineers are against the use of formal methods?

12.7. Explain why using model checking is sometimes a more cost-effective approach to verification than verifying a program’s correctness against a formal specification.

12.8. List four types of systems that may require software safety cases, explaining why safety cases are required.

12.9. The door lock control mechanism in a nuclear waste storage facility is designed for safe operation. It ensures that entry to the storeroom is only permitted when radiation shields are in place or when the radiation level in the room falls below some given value (dangerLevel). So:

(i) If remotely controlled radiation shields are in place within a room, an authorized operator may open the door.

(ii) If the radiation level in a room is below a specified value, an authorized operator may open the door.

(iii) An authorized operator is identified by the input of an authorized door entry code.

The code shown in Figure 12.15 controls the door-locking mechanism. Note that the safe state is that entry should not be permitted. Using the approach discussed in this chapter, develop a safety argument for this code. Use the line numbers to refer to specific statements. If you find that the code is unsafe, suggest how it should be modified to make it safe.

370 Chapter 12 ■ Safety engineering

Figure 12.15 Door entry code

     1  entryCode = lock.getEntryCode ();
     2  if (entryCode == lock.authorizedCode)
     3  {
     4      shieldStatus = Shield.getStatus ();
     5      radiationLevel = RadSensor.get ();
     6      if (radiationLevel < dangerLevel)
     7          state = safe;
     8      else
     9          state = unsafe;
    10      if (shieldStatus == Shield.inPlace ())
    11          state = safe;
    12      if (state == safe)
    13      {
    14          Door.locked = false;
    15          Door.unlock ();
    16      }
    17      else
    18      {
    19          Door.lock ();
    20          Door.locked = true;
    21      }
    22  }
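The following is an added, runnable model of the three rules in Exercise 12.9 and is not the textbook's solution to the exercise. It makes the fail-safe default the exercise states ("the safe state is that entry should not be permitted") explicit in code: the computed state starts as unsafe, every path that does not establish one of rules (i) to (iii) leaves it unsafe, a missing or unreadable sensor value is treated as unsafe, and the door's own locked flag is updated only after the actuator has been commanded. The DoorActuator class, the None-for-unavailable convention and the sample codes and readings are constructed for this example.

```python
SAFE, UNSAFE = "safe", "unsafe"


class DoorActuator:
    """Hypothetical stand-in for Door in Figure 12.15; records its last command."""

    def __init__(self):
        self.locked = True          # the facility starts in the safe (locked) state

    def lock(self):
        self.locked = True

    def unlock(self):
        self.locked = False


def door_state(entry_code, authorized_code, shield_in_place,
               radiation_level, danger_level):
    """Decide the state the controller should act on.

    Starts from UNSAFE and only moves to SAFE when rule (iii) holds together
    with rule (i) or rule (ii). A value of None stands for "reading not
    available" and never contributes to a SAFE decision (assumption of this
    example).
    """
    state = UNSAFE
    if entry_code is None or entry_code != authorized_code:   # rule (iii)
        return state
    if shield_in_place is True:                                # rule (i)
        state = SAFE
    elif (radiation_level is not None and danger_level is not None
          and radiation_level < danger_level):                 # rule (ii)
        state = SAFE
    return state


def control_door(door, entry_code, authorized_code, shield_in_place,
                 radiation_level, danger_level):
    """Act on the decision; the flag follows the actuator, not the other way round."""
    state = door_state(entry_code, authorized_code, shield_in_place,
                       radiation_level, danger_level)
    if state == SAFE:
        door.unlock()
    else:
        door.lock()
    return state


if __name__ == "__main__":
    door = DoorActuator()
    # constructed readings: authorized code 4711, danger level 100
    print(control_door(door, "4711", "4711", False, 900, 100), door.locked)   # unsafe True
    print(control_door(door, "4711", "4711", True, 900, 100), door.locked)    # safe False
    print(control_door(door, "0000", "4711", True, 10, 100), door.locked)     # unsafe True
```

Two design points worth noting when writing the safety argument: the decision is a pure function of its inputs, so each rule can be checked by a single test case, and no path can reach the unlock command without passing through an explicit assignment of SAFE.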

12.10. Should software engineers working on the specification and development of safety-related systems be professionally certified or licensed in some way? Explain your reasoning.

13.1. Describe the security dimensions and security levels that have to be considered in secure systems engineering.

13.2. For the Mentcare system, suggest an example of an asset, an exposure, a vulnerability, an attack, a threat, and a control, in addition to those discussed in this chapter.

13.3. Explain why security is considered a more challenging problem than safety in a system.

13.4. Extend the table in Figure 13.7 to identify two further threats to the Mentcare system, along with associated controls. Use these as a basis for generating software security requirements that implement the proposed controls.

13.5. Explain, using an analogy drawn from a non-software engineering context, why a layered approach to asset protection should be used.

13.6. Explain why it is important to log user actions in the development of secure systems.

13.7. For the equity trading system discussed in Section 13.4.2, whose architecture is shown in Figure 13.14, suggest two further plausible attacks on the system and propose possible strategies that could counter these attacks.

13.8. Explain why it is important when writing secure systems to validate all user inputs to check that these have the expected format.
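As an added illustration of Exercise 13.8 (not from the textbook), the validator below checks every field of a submitted record against an allow-list of what the field is permitted to look like, and reports all violations rather than stopping at the first. The record layout, the field names, the patient_id pattern and the dose limit are constructed for this example; the real Mentcare formats are not given in the text.

```python
import re
from datetime import date

# Allow-list definitions (constructed for this example): say what is accepted,
# rather than trying to enumerate what is dangerous.
PATIENT_ID = re.compile(r"^P[0-9]{6}$")          # e.g. P123456
NAME = re.compile(r"^[-A-Za-z' ]{1,60}$")        # letters, apostrophe, hyphen, space
MAX_DOSE_MG = 500
EXPECTED_FIELDS = {"patient_id", "name", "appointment", "dose_mg"}


def validate_record(record: dict) -> list:
    """Return a list of validation errors; an empty list means the record is acceptable."""
    errors = []
    unknown = set(record) - EXPECTED_FIELDS
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    missing = EXPECTED_FIELDS - set(record)
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")
        return errors                      # nothing further can be checked safely

    pid = record["patient_id"]
    if not isinstance(pid, str) or not PATIENT_ID.match(pid):
        errors.append("patient_id must be P followed by six digits")

    name = record["name"]
    if not isinstance(name, str) or not NAME.match(name):
        errors.append("name contains disallowed characters or is too long")

    try:                                   # exact calendar date, not just a plausible shape
        date.fromisoformat(record["appointment"])
    except (TypeError, ValueError):
        errors.append("appointment must be a valid ISO date (YYYY-MM-DD)")

    dose = record["dose_mg"]               # bool is an int subclass, so exclude it explicitly
    if isinstance(dose, bool) or not isinstance(dose, int) or not 0 < dose <= MAX_DOSE_MG:
        errors.append(f"dose_mg must be an integer between 1 and {MAX_DOSE_MG}")
    return errors


# Constructed sample inputs.
GOOD_RECORD = {"patient_id": "P123456", "name": "Mary O'Neill",
               "appointment": "2024-05-14", "dose_mg": 100}
BAD_RECORD = {"patient_id": "P12-34", "name": "Robert<b>",
              "appointment": "2024-13-01", "dose_mg": "100"}

if __name__ == "__main__":
    print(validate_record(GOOD_RECORD))    # []
    for problem in validate_record(BAD_RECORD):
        print("rejected:", problem)
```

The date check uses the parser rather than a regular expression on purpose: "2024-13-01" has the expected shape but is not a date, and a format check alone would let it through to the database layer.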

13.9. Suggest how you would go about validating a password protection system for an application that you have developed. Explain the function of any tools that you think may be useful.
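The following added example (not from the textbook) shows the kind of property checks a validation of a password protection system, as asked for in Exercise 13.9, should contain, run against a small password store written for the purpose. The checks confirm that the correct password is accepted, that wrong passwords and unknown users are rejected, that no plaintext is kept, that two hashes of the same password differ (per-user salt), that a malformed stored record can never verify, and that a lockout engages after repeated failures. The LoginGuard class, the stored-record format and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000   # kept low so the example runs quickly; deployments use a higher cost


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record carries algorithm, cost, salt and digest
    so that the cost can be raised later without invalidating existing records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time; malformed records never verify."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hashed once so that a login attempt for an unknown user costs the same as one
# for a real user; otherwise response time would reveal which usernames exist.
_DUMMY_RECORD = hash_password(secrets.token_hex(8))


class LoginGuard:
    """Account store with a consecutive-failure lockout (constructed for this example)."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.records = {}
        self.failures = {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        matched = verify_password(password, self.records.get(user, _DUMMY_RECORD))
        if matched and user in self.records:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "rejected"


def validate_password_system() -> dict:
    """Each entry is a property a tester would want to confirm; all should be True."""
    guard = LoginGuard(max_failures=3)
    secret = "correct horse battery staple"          # constructed sample password
    guard.register("alice", secret)
    checks = {}
    checks["accepts_correct_password"] = guard.login("alice", secret) == "ok"
    checks["rejects_wrong_password"] = guard.login("alice", "wrong") == "rejected"
    checks["rejects_unknown_user"] = guard.login("mallory", secret) == "rejected"
    checks["plaintext_absent_from_store"] = secret not in guard.records["alice"]
    checks["per_user_salt"] = hash_password(secret) != hash_password(secret)
    checks["malformed_record_never_verifies"] = verify_password(secret, "not-a-record") is False
    guard.login("alice", "wrong")                     # second consecutive failure
    guard.login("alice", "wrong")                     # third: threshold reached
    checks["locks_after_threshold"] = guard.login("alice", secret) == "locked"
    return checks


if __name__ == "__main__":
    for name, passed in validate_password_system().items():
        print(f"{name:36s} {'PASS' if passed else 'FAIL'}")
```

One caveat the checks above make visible: a lockout keyed only on the username lets anyone lock a legitimate user out by guessing wrongly on their behalf, so real systems pair it with per-source throttling and a time-based reset rather than a permanent lock.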

13.10. The Mentcare system has to be secure against attacks that might reveal confidential patient information. Suggest three possible attacks against this system that might occur. Using this information, extend the checklist in Figure 13.17 to guide testers of the Mentcare system.

14.1. Explain how the complementary strategies of resistance, recognition, recovery, and reinstatement may be used to provide system resilience.

14.2. What are the types of threats that have to be considered in resilience planning? Provide examples of the controls that organizations should put in place to counter those threats.

14.3. Describe the ways in which human error can be viewed according to Reason (Reason, 2000) and the strategies that can be used to increase resilience according to the Swiss cheese model (Figure 14.6).

14.4. A hospital proposes to introduce a policy that any member of clinical staff (doctors or nurses) who takes or authorizes actions that lead to a patient being injured will be subject to criminal charges. Explain why this is a bad idea, which is unlikely to improve patient safety, and why it is likely to adversely affect the resilience of the organization.

14.5. What is survivable systems analysis and what are the key activities in each of the four stages involved in it as shown in Figure 14.8?

14.6. Explain why process inflexibility can inhibit the ability of a sociotechnical system to resist and recover from adverse events such as cyberattacks and software failure. If you have experience of process inflexibility, illustrate your answer with examples from your experience.

14.7. Suggest how the approach to resilience engineering that I proposed in Figure 14.9 could be used in conjunction with an agile development process for the software in the system. What problems might arise in using agile development for systems where resilience is important?

14.8. In Section 13.4.2, (1) an unauthorized user places malicious orders to move prices and (2) an intrusion corrupts the database of transactions that have taken place. For each of these cyber attacks, identify resistance, recognition, and recovery strategies that might be used.

14.9. In Figure 14.11, I suggested a number of adverse events that could affect the Mentcare system. Draw up a test plan for this system that sets out how you could test the ability of the Mentcare system to recognize, resist, and recover from these events.

14.10. A senior manager in a company is concerned about insider attacks from disaffected staff on the company’s IT assets. As part of a resilience improvement program, she proposes that a logging system and data analysis software be introduced to capture and analyze all employee actions but that employees should not be told about this system. Discuss the ethics of both introducing a logging system and doing so without telling system users.

24.1. Define the terms quality assurance and quality control. List out the key points included in Humphrey’s outline structure for software management.

24.2. Explain how standards may be used to capture organizational wisdom about effective methods of software development. Suggest four types of knowledge that might be captured in organizational standards.

24.3. Discuss the assessment of software quality according to the quality attributes shown in Figure 24.2. You should consider each attribute in turn and explain how it might be assessed.

24.4. Briefly describe possible standards that might be used for:

■ the use of control constructs in C, C#, or Java;
■ reports that might be submitted for a term project in a university;
■ the process of making and approving program changes (web Chapter 26); and
■ the process of purchasing and installing a new computer.

24.5. Assume you work for an organization that develops database products for individuals and small businesses. This organization is interested in quantifying its software development. Write a report suggesting appropriate metrics and suggest how these can be collected.

24.6. Briefly explain what happens during the software quality review process and the software quality inspection process.

24.7. What problems are likely to arise if formalized program inspections are introduced in a company where some software is developed using agile methods?

24.8. What is a software metric? Define different types of software metrics with examples.

24.9. You work for a software product company and your manager has read an article on software analytics. She asks you to do some research in this area. Survey the literature on analytics and write a short report that summarizes work in software analytics and issues to be considered if analytics is introduced.

24.10. A colleague who is a very good programmer produces software with a low number of defects but consistently ignores organizational quality standards. How should her managers react to this behavior?
