Comments on 'Evolutionary neural network modelling for software cumulative failure time prediction' by Liang Tian and Afzel Noore [Reliability Engineering and System Safety 87 (2005) 45-51]

This paper [Tian L, Noore A. Evolutionary neural network modelling for software cumulative failure time prediction. Reliab Eng Syst Saf 2005; 87:45–51] purports to present a useful means of predicting the cumulative failure time function for software reliability growth. In fact, the nature of the ‘prediction’ is too simplistic to be of use. Furthermore, the authors' claims for the accuracy of the predictions appear to be without value

Modeling the probability of failure on demand (pfd) of a 1-out-of-2 system in which one channel is “quasi-perfect”

Our earlier work proposed ways of overcoming some of the difficulties of lack of independence in reliability modeling of 1-out-of-2 software-based systems. Firstly, it is well known that aleatory independence between the failures of two channels A and B cannot be assumed, so system pfd is not a simple product of channel pfds. However, it has been shown that the probability of system failure can be bounded conservatively by a simple product of pfdA and pnpB (probability not perfect) in those special cases where channel B is sufficiently simple to be possibly perfect. Whilst this “solves” the problem of aleatory dependence, the issue of epistemic dependence remains: An assessor’s beliefs about unknown pfdA and pnpB will not have them independent. Recent work has partially overcome this problem by requiring only marginal beliefs – at the price of further conservatism. Here we generalize these results. Instead of “perfection” we introduce the notion of “quasi-perfection”: a small pfd practically equivalent to perfection (e.g. yielding very small chance of failure in the entire life of a fleet of systems). We present a conservative argument supporting claims about system pfd. We propose further work, e.g. to conduct “what if?” calculations to understand exactly how conservative our approach might be in practice, and suggest further simplifications

A conservative bound for the probability of failure of a 1-out-of-2 protection system with one hardware-only and one software-based protection train

Redundancy and diversity have long been used as means to obtain high reliability in critical systems. While it is easy to show that, say, a 1-out-of-2 diverse system will be more reliable than each of its two individual “trains”, assessing the actual reliability of such systems can be difficult because the trains cannot be assumed to fail independently. If we cannot claim independence of train failures, the computation of system reliability is difficult, because we would need to know the probability of failure on demand (pfd) for every possible demand. These are unlikely to be known in the case of software. Claims for software often concern its marginalpfd, i.e. average across all possible demands. In this paper we consider the case of a 1-out-of-2 safety protection system in which one train contains software (and hardware), and the other train contains only hardware equipment. We show that a useful upper (i.e. conservative) bound can be obtained for the system pfd using only the unconditional pfd for software together with information about the variation of hardware failure probability across demands, which is likely to be known or estimatable. The worst-case result is obtained by “allocating” software failure probability among demand “classes” so as to maximize system pfd

Validation of Ultrahigh Dependability for Software-Based Systems

Modern society depends on computers for a number of critical tasks in which failure can have very high costs. As a consequence, high levels of dependability (reliability, safety, etc.) are required from such computers, including their software. Whenever a quantitative approach to risk is adopted, these requirements must be stated in quantitative terms, and a rigorous demonstration of their being attained is necessary. For software used in the most critical roles, such demonstrations are not usually supplied. The fact is that the dependability requirements often lie near the limit of the current state of the art, or beyond, in terms not only of the ability to satisfy them, but also, and more often, of the ability to demonstrate that they are satisfied in the individual operational products (validation). We discuss reasons why such demonstrations cannot usually be provided with the means available: reliability growth models, testing with stable reliability, structural dependability modelling, as well as more informal arguments based on good engineering practice. We state some rigorous arguments about the limits of what can be validated with each of such means. Combining evidence from these different sources would seem to raise the levels that can be validated; yet this improvement is not such as to solve the problem. It appears that engineering practice must take into account the fact that no solution exists, at present, for the validation of ultra-high dependability in systems relying on complex software

Modeling software design diversity

Design diversity has been used for many years now as a means of achieving a degree of fault tolerance in software-based systems. Whilst there is clear evidence that the approach can be expected to deliver some increase in reliability compared with a single version, there is not agreement about the extent of this. More importantly, it remains difficult to evaluate exactly how reliable a particular diverse fault-tolerant system is. This difficulty arises because assumptions of independence of failures between different versions have been shown not to be tenable: assessment of the actual level of dependence present is therefore needed, and this is hard. In this tutorial we survey the modelling issues here, with an emphasis upon the impact these have upon the problem of assessing the reliability of fault tolerant systems. The intended audience is one of designers, assessors and project managers with only a basic knowledge of probabilities, as well as reliability experts without detailed knowledge of software, who seek an introduction to the probabilistic issues in decisions about design diversity

Briefing Note: The legal rule that computers are presumed to be operating correctly – unforeseen and unjust consequences

The presumption that computers are reliable in England and Wales is proved to be wrong. Nicholas Bohm, James Christie, Peter Bernard Ladkin, Bev Littlewood, Paul Marshall, Stephen Mason, Martin Newby, Steven J. Murdoch, Harold Thimbleby and Martyn Thomas CB

The legal rule that computers are presumed to be operating correctly – unforeseen and unjust consequences

In England and Wales, courts consider computers, as a matter of law, to have been working correctly unless there is evidence to the contrary. Therefore, evidence produced by computers is treated as reliable unless other evidence suggests otherwise. This way of handling evidence is known as a ‘rebuttable presumption’. A court will treat a computer as if it is working perfectly unless someone can show why that is not the case. This presumption poses a challenge to those who dispute evidence produced by a computer system. Frequently the challenge is insurmountable, particularly where a substantial institution operates the system. The Post Office Horizon scandal clearly exposes the problem and the harm that may result. From 1999, the Post Office prosecuted hundreds of postmasters and Post Office employees for theft and fraud based on evidence produced by the Horizon computer system showing shortfalls in their branch accounts. In those prosecutions, the Post Office relied on the presumption that computers were operating correctly. Hundreds of postmasters and others were convicted, sentenced to terms of imprisonment, fined, or had their property confiscated. This clearly demonstrated that the Law Commission’s assertion that ‘such a regime would work fairly’ was flawed. In the December 2019 judgment in the group litigation Bates v The Post Office Ltd (No 6: Horizon Issues) Rev 1, Mr Justice Fraser concluded that it was possible that software errors in Horizon could have caused apparent shortfalls in branch accounts, rather than these being due to theft or fraud. Following this judgement, the Criminal Cases Review Commission referred an unprecedented number of convictions, based upon the supposed shortfalls in the Horizon accounts, to the Court of Appeal. Appeal courts have quashed more than 70 convictions at the time of writing. There will be many more appeals and many more convictions quashed in what is likely the largest miscarriage of justice in British history. Were it not for the group litigation, the fundamental unreliability of the software in the Post Office’s Horizon computer system would not have been revealed, as previous challenges to Horizon’s correctness were unable to rebut the presumption of reliability for computer evidence. The financial risk of bringing legal action deterred other challenges. Similar issues apply in other situations where the reliability of computer evidence is questioned, such as in payment disputes. The legal presumption, as applied in practice, has exposed widespread misunderstanding about the nature of computer failures – in particular, the fact that these are almost invariably failures of software. The presumption has been the cause of widespread injustice. There is a pressing requirement for the presumption to be re-evaluated to avoid the risk of further or continuing injustice. We propose that the presumption that computer evidence is reliable be replaced with a process where if computer evidence is challenged, a party must justify the correctness of the evidence upon which they rely. The proposed process, summarised below, requires the disclosure of documents that would already exist in any well-managed computer system. The procedural and evidential safeguards of the kind we propose would probably have avoided the disastrous repeated miscarriages of justice over the past 20 years

Identification of depression in women during pregnancy and the early postnatal period using the Whooley questions and the Edinburgh Postnatal Depression Scale : protocol for the Born and Bred in Yorkshire: PeriNatal Depression Diagnostic Accuracy (BaBY PaNDA) study

INTRODUCTION: Perinatal depression is well recognised as a mental health condition but <50% of cases are identified by healthcare professionals in routine clinical practice. The Edinburgh Postnatal Depression Scale (EPDS) is often used to detect symptoms of postnatal depression in maternity and child services. The National Institute for Health and Care Excellence (NICE) recommends 2 'ultra-brief' case-finding questions (the Whooley questions) to aid identification of depression during the perinatal period, but this recommendation was made in the absence of any validation studies in a perinatal population. Limited research exists on the acceptability of these depression case-finding instruments and the cost-effectiveness of routine screening for perinatal depression. METHODS AND ANALYSIS: The diagnostic accuracy of the Whooley questions and the EPDS will be determined against a reference standard (the Client Interview Schedule-Revised) during pregnancy (around 20 weeks) and the early postnatal period (around 3-4 months post partum) in a sample of 379 women. Further outcome measures will assess a range of psychological comorbidities, health-related quality of life and resource utilisation. Women will be followed up 12 months postnatally. The sensitivity, specificity and predictive values of the Whooley questions and the EPDS will be calculated against the reference standard at 20 weeks pregnancy and 3-4 months post partum. Acceptability of the depression case-finding instruments to women and healthcare professionals will involve in-depth qualitative interviews. An existing decision analytic model will be adapted to determine the cost-effectiveness of routine screening for perinatal depression. ETHICS AND DISSEMINATION: This study is considered low risk for participants. Robust protocols will deal with cases where risk of depression, self-harm or suicide is identified. The protocol received favourable ethical opinion from the North East-York Research Ethics Committee (reference: 11/NE/0022). The study findings will be published in peer-reviewed journals and presented at relevant conferences

Identifying perinatal depression with case-finding instruments : a mixed-methods study (BaBY PaNDA – Born and Bred in Yorkshire PeriNatal Depression Diagnostic Accuracy)

Background: Perinatal depression is well recognised as a mental health condition but < 50% of cases are identified in routine practice. A case-finding strategy using the Whooley questions is currently recommended by the National Institute for Health and Care Excellence. Objectives: To determine the diagnostic accuracy, acceptability and cost-effectiveness of the Whooley questions and the Edinburgh Postnatal Depression Scale (EPDS) to identify perinatal depression. Design: A prospective diagnostic accuracy cohort study, with concurrent qualitative and economic evaluations. Setting: Maternity services in England. Participants: A total of 391 pregnant women. Main outcome measures: Women completed the Whooley questions, EPDS and a diagnostic reference standard (Clinical Interview Schedule – Revised) during pregnancy (20 weeks) and postnatally (3–4 months). Qualitative interviews were conducted with health professionals (HPs) and a subsample of women. Results: Diagnostic accuracy results: depression prevalence rates were 10.3% during pregnancy and 10.5% postnatally. The Whooley questions and EPDS (cut-off point of ≥ 10) performed reasonably well, with comparable sensitivity [pregnancy: Whooley questions 85.0%, 95% confidence interval (CI) 70.2% to 94.3%; EPDS 82.5%, 95% CI 67.2% to 92.7%; postnatally: Whooley questions 85.7%, 95% CI 69.7% to 95.2%; EPDS 82.9%, 95% CI 66.4% to 93.4%] and specificity (pregnancy: Whooley questions 83.7%, 95% CI 79.4% to 87.4%; EPDS 86.6%, 95% CI 82.5% to 90.0%; postnatally: Whooley questions 80.6%, 95% CI 75.7% to 84.9%; EPDS 87.6%, 95% CI 83.3% to 91.1%). Diagnostic accuracy of the EPDS (cut-off point of ≥ 13) was poor at both time points (pregnancy: sensitivity 45%, 95% CI 29.3% to 61.5%, and specificity 95.7%, 95% CI 93.0% to 97.6%; postnatally: sensitivity 62.9%, 95% CI 44.9% to 78.5%, and specificity 95.7%, 95% CI 92.7% to 97.7%). Qualitative evaluation: women and HPs were supportive of screening/case-finding for perinatal depression. The EPDS was preferred to the Whooley questions by women and HPs, mainly because of its ‘softer’ wording. Whooley question 1 was thought to be less acceptable, largely because of the terms ‘depressed’ and ‘hopeless’, leading to women not revealing their depressive symptoms. HPs identified a ‘patient-centred’ environment that focused on the mother and baby to promote discussion about mental health. Cost-effectiveness results: screening/case-finding using the Whooley questions or the EPDS alone was not the most cost-effective strategy. A two-stage strategy, ‘Whooley questions followed by the Patient Health Questionnaire’ (a measure assessing depression symptomatology), was the most cost-effective strategy in the range between £20,000 and £30,000 per quality-adjusted life-year in both the prenatal and postnatal decision models. Limitations: Perinatal depression diagnosis was not cross-referenced with women’s medical records so the proportion of new cases identified is unknown. The clinical effectiveness and cost-effectiveness of screening/case-finding strategies was not assessed as part of a randomised controlled trial. Conclusions: The Whooley questions and EPDS had acceptable sensitivity and specificity, but their use in practice might be limited by low predictive value and variation in their acceptability. A two-stage strategy was more cost-effective than single-stage strategies. Neither case-finding instrument met National Screening Committee criteria. Future work: The yield of screening/case-finding should be established with reference to health-care records. The clinical effectiveness and cost-effectiveness of screening/case-finding for perinatal depression needs to be tested in a randomised controlled trial. Funding: The National Institute for Health Research Health Services and Delivery Research programme