Interesting People mailing list archives

Re: Safety-critical software (Mellor, RISKS-15.19) -- from Dave Parnas


From: David Farber <farber () central cis upenn edu>
Date: Sun, 7 Nov 1993 11:51:23 -0500

Date: Fri, 5 Nov 1993 14:33:43 -0500
From: David Parnas <parnas () qusunt eng McMaster CA>
Subject: Re: Safety-critical software (Mellor, RISKS-15.19)


Pete Mellor wrote, "Prof. Cliff Jones of Manchester characterised the
complexity of software in terms of the number of branch points it may contain,
and hence the number of possible paths through it.  The combinatorial
explosion of possible paths makes exhaustive testing impossible in all but the
simplest programs.  It may be difficult to achieve with 50 lines of code and
10 branch points.  With 10,000 LOC and the same density of branch points, the
testing time would exceed the time elapsed since the big bang.  As he pointed
out, the Sizewell B Primary Protection System contains 100,000 LOC."


It is worth remembering that were John von Neumann still alive, he might
remind us that program state and data state are interchangeable, and that
the number of sequences of data states in such programs is even larger
than the number of sequences of control states.  Even if we did test
every possible path, we have not done exhaustive testing.  We should
not ever imply that such a test would be an exhaustive test.


Dave Parnas
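The point Parnas makes, that exercising every control path is not the same as exhaustive testing, is easy to demonstrate concretely. The following is an added example and is not part of the original thread or of anything Parnas or Mellor wrote. The function `checked_divide`, its constructed defect, the test set `PATH_COVERING_TESTS`, and the helper names are all assumptions made for illustration. The function has two branch points and therefore four control paths; the test set drives all four, yet the function still fails for one data value that takes an already-covered path. The `data_state_count` helper puts numbers on the second half of the argument: for a handful of fixed-width integer inputs, the number of distinct data states dwarfs the number of control paths.

```python
"""Added example (not from the original message): full path coverage is not
exhaustive testing. Function, defect and test set are constructed here."""
from itertools import product


def checked_divide(a: int, b: int, limit: int) -> tuple:
    """Divide a by b after sign-normalising b and clamping a to `limit`.

    Returns (quotient, path), where `path` records the outcome of each
    branch point so the caller can see which control path was exercised.
    Constructed defect: b == 0 passes both branches untouched and the final
    division raises ZeroDivisionError, a failure that depends on the data
    value, not on the path taken.
    """
    path = []
    if b < 0:                       # branch point 1: normalise the sign
        a, b = -a, -b
        path.append(True)
    else:
        path.append(False)
    if a > limit:                   # branch point 2: clamp the numerator
        a = limit
        path.append(True)
    else:
        path.append(False)
    return a // b, tuple(path)      # b == 0 raises here on a covered path


# Constructed test set: exactly one case per control path.
PATH_COVERING_TESTS = [
    (5, 1, 10),     # path (False, False)
    (50, 1, 10),    # path (False, True)
    (5, -1, 10),    # path (True, False): a becomes -5, not clamped
    (-50, -2, 10),  # path (True, True):  a becomes 50, clamped to 10
]


def all_paths(branch_points: int) -> set:
    """Every control path through `branch_points` two-way branches (2**n)."""
    return set(product((False, True), repeat=branch_points))


def paths_exercised(tests) -> set:
    """The set of control paths actually driven by `tests`."""
    return {checked_divide(*args)[1] for args in tests}


def path_coverage_is_complete(tests, branch_points: int = 2) -> bool:
    """True when `tests` reaches every one of the 2**branch_points paths."""
    return paths_exercised(tests) == all_paths(branch_points)


def fails_despite_full_path_coverage(tests) -> bool:
    """True if every path is covered yet a data value still breaks the function."""
    if not path_coverage_is_complete(tests):
        return False
    try:
        checked_divide(7, 0, 10)    # path (False, False): already covered above
    except ZeroDivisionError:
        return True
    return False


def data_state_count(int_args: int, bits: int = 32) -> int:
    """Distinct input data states for `int_args` fixed-width integers."""
    return 2 ** (bits * int_args)


if __name__ == "__main__":
    print("paths exercised:", sorted(paths_exercised(PATH_COVERING_TESTS)))
    print("full path coverage:", path_coverage_is_complete(PATH_COVERING_TESTS))
    print("still fails on b == 0:", fails_despite_full_path_coverage(PATH_COVERING_TESTS))
    print("control paths for 2 branches:", len(all_paths(2)))
    print("data states for 3 x 32-bit inputs:", data_state_count(3))
```

The comparison at the end is the crux: four control paths versus 2**96 input states for three 32-bit arguments, so a path-complete test set samples an almost vanishing fraction of the data space, which is exactly why the `b == 0` failure survives it.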

