Software Criticality Analysis

It is sometimes useful to reuse legacy code in systems that must be highly dependable. Confidence in the dependability of the code may come from extensive operating experience, but doubts over the relevance of that experience, the wish for diverse arguments for dependability, and requirements imposed by standards or regulatory bodies may require other evidence to be produced. Where software has not been developed for critical applications, it may be necessary to reverse engineer it to obtain this evidence.

Within an application, some parts may be more critical than others. More critical components need stronger justification. A software criticality analysis allows appropriate effort to be directed at each component of the software.

We have undertaken a software criticality analysis for a substantial legacy program written primarily in C with some assembler. We:

  • Extracted the call tree structure from the C code using Grammatech's CodeSurfer tool.
  • Determined the root procedures in the call tree.
  • Used domain experts to classify the top-level procedures as:
    • Definitely of the same criticality as the application.
    • Potentially of lower criticality.
    • Invoked by means other than a procedure call, such as via an interrupt.
    • Not used by the application.
  • Conducted a Hazops on each top-level procedure of potentially lower criticality, to identify its failure modes and their consequences. The Hazops was based on a functional description provided by the experts.
  • Determined a criticality for each of these procedures based on failure consequence and frequency of invocation.
  • Assigned criticalities to invoked procedures by propagation from the tree roots.

This gave a conservative view of the criticalities, since a procedure may call another without using it to perform its most critical activities. The Hazops identifies what these critical activities are, so further analysis of the code can be used to refine the criticality assignment. Knowing the critical failure modes of a function also allows us to identify analyses and tests to determine whether they are credible failure modes of the implementation, providing a reasoned basis for the next stage of the software qualification programme. A Safecomp 2002 paper on software criticality analysis is available for download.
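The root-finding and propagation steps of the procedure above, as an added example rather than the project's own tooling: it takes a call graph (the kind CodeSurfer would extract), finds the root procedures, checks that the experts have classified every root, and then gives each procedure the highest criticality of any root that reaches it, which is exactly the conservative view described. The call graph, the numeric scale and the root classifications are constructed for illustration; interrupt-driven and unused procedures appear as roots with no callers.

```python
"""Criticality propagation over a call tree (constructed example, not the page's code)."""
from typing import Dict, Set

# Constructed scale: the page names the categories but assigns them no numbers.
SAME_AS_APPLICATION = 3   # definitely as critical as the application
LOWER = 1                 # potentially lower; the Hazops fixes the actual level
NOT_USED = 0              # classified by the experts as not used

# Constructed call graph (caller -> callees); names are placeholders, and
# isr_timer is reached by interrupt rather than by any call.
CALLS: Dict[str, Set[str]] = {
    "main": {"init", "control_loop"},
    "control_loop": {"read_sensor", "actuate", "log_event"},
    "actuate": {"write_register"},
    "diagnostics": {"self_test", "format_report"},
    "self_test": {"read_sensor", "format_report"},
    "format_report": {"log_event", "self_test"},   # mutual recursion: a cycle
    "isr_timer": {"read_sensor"},
    "unused_helper": {"format_report"},
}
# Constructed expert classification of the roots.
ROOT_CRITICALITY = {"main": SAME_AS_APPLICATION, "diagnostics": LOWER,
                    "isr_timer": SAME_AS_APPLICATION, "unused_helper": NOT_USED}

def all_procedures(calls: Dict[str, Set[str]]) -> Set[str]:
    return set(calls).union(*calls.values())

def find_roots(calls: Dict[str, Set[str]]) -> Set[str]:
    """Procedures that nothing calls: entry points, interrupt handlers, dead code."""
    return all_procedures(calls) - set().union(*calls.values())

def propagate(calls: Dict[str, Set[str]], root_crit: Dict[str, int]) -> Dict[str, int]:
    """Give each procedure the highest criticality of any root that can reach it."""
    roots = find_roots(calls)
    missing = roots - set(root_crit)
    if missing:                       # every root needs an expert classification
        raise ValueError(f"unclassified roots: {sorted(missing)}")
    level = {p: NOT_USED for p in all_procedures(calls)}
    for root in roots:
        stack, seen = [root], set()
        while stack:
            proc = stack.pop()
            if proc in seen:          # cycles (recursion) must not loop forever
                continue
            seen.add(proc)
            level[proc] = max(level[proc], root_crit[root])   # never lower a level
            stack.extend(calls.get(proc, ()))
    return level
```

Note that `log_event` ends up at the application's criticality because `main` reaches it, even though the lower-criticality `format_report` also calls it; refining that assignment is the job of the further code analysis the Hazops results direct.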