software in powerful and invasive physical devices brings
greater risk, especially in medicine, where software can save lives
but also kill.
36 Software problems
led to the recall of 200,000 implanted
pacemakers and defibrillators between
1990 and 2000.30 In the 20 years prior to
2005, the U.S. Food and Drug Administration (FDA) recorded 30,000 deaths
and 600,000 injuries from medical-device failures.
9 How many of these incidents can be attributed to software is
unclear, though separate studies have
found that about 8% of medical-device
recalls are software-related. Moreover,
few of the device failures that occur—
perhaps only 1 in 40—are actually reported,
12 so the actual incidence of injuries is likely to be higher.
illustration by mikael christensen
What would it take to make software more dependable? Until now,
most approaches have been indirect,
involving practices—processes, tools, or
techniques—believed to yield dependable software. The case for dependability
has thus rested on the extent to which
the developers adhered to these practices. This article argues that developers
should instead produce direct evidence
of their software’s dependability. The
potential advantages of this approach
are greater credibility (as the claim is
not contingent on the effectiveness of
the practices) and reduced cost (because
development resources can be focused
where they have the most impact).
the need for a Direct Approach
A dependable system is one you can
depend on—that is, you can place your
trust in it. A rational person or organization only does this with evidence that the
system’s benefits far outweigh its risks.
Without such evidence, a system cannot
be depended on, in much the same way
that a download from an unknown Web
site cannot be said to be “safe” just because it happens not to harbor a virus.
Perhaps in the future we will know
enough about software-development
practices that the very use of a particular technique will constitute evidence
of the resulting software’s quality.
Today, however, we are far from that
goal. Although individual companies
can predict defect rates within product
families based on historical data, in-
dustrywide data collection and analysis barely exist.
Contrast software systems with cars,
for example. In the U.S., the National
Highway Traffic Safety Administration (NHTSA) maintains several databases that include records of all fatal
accidents—approximately 40,000 a
year—and data about how particular
models fare in crashes. Researchers
can use this data to correlate risk with
design features. NHTSA also receives
data from auto companies regarding
warranty claims, defects, and customer
complaints. Similarly, the National
Transportation Safety Board (NTSB),
best known for its work in aviation,
analyzes highway accidents and issues
reports on, among other things, the efficacy of safety devices such as seatbelts
and airbags.
The software industry has no comparable mechanism, and as a society
we have almost no data on the causes
or effects of software failure. Producers
of software therefore cannot benefit
from industry data that would improve
their designs and development strategies, and consumers cannot use such
APriL 2009 | voL. 52 | no. 4 | communicAtionS of the Acm
79
