652 IEEE TRANSACTIONS ON RELIABILITY, VOL. 45, NO. 4,1996 DECEMBER

ayes Nonparametric Framew iability Analysis oftware- We

El-Aroui AG, Grenoble der AG. Grenoble

Key Words - Software reliability evaluation, Bays inference, e-Carlo method, Maximum-entropy prin-

~ u m m a ~ & Conclusions - This paper presents a Bayes non- ~ a r a ~ e ~ r ~ c approach for tracking & predicting software reliabili-

e the common assumptions on the software operational nt to get a stochastic model where the successive times

be~ween sof~ware failures are exponentially distributed; their failure iors. Under these general assumptions we give

of the parameters that assess & predict the soft- . We give algorithms (based on Monte-Carlo

these Bayes estimates. Our approach allows

to ~rans l~te this ~now~edge to prior distributions on the failure- rate process. Our approach is used to study some simulated & real failure data sets.

1. INTRODUCTION

Acronyms

BEM Bayes exponential Markov GS Gibbs Sampler algorithm NPOP homogeneous Poisson operational profile

CI Monte-Carlo integration EP maximum-entropy [distribution, principle]

MTTF mean time to failure.

Notation

set of vectors having n real positive components time between software failures i- 1 and if i 2: 1; a r.v. realization of X, number of failures discovered during the observation period

failure rate after the correction i - 1; A, 2 0 uncertainty on A,; a r.v. (AI, ‘..) A,) prior distribution of {A,},,

(XI, . . . J n )

r I i (A , ]A , - l ) prior pdf of A,, given A,-l = IIn ( A c n ) ) prior pdf of A ( n )

pdf {x, I A,] pdf of X, given A, = A, n

*n [A, exp(-Az *%I e n , (A, I A,- 111 r=l

o n j R + n *n a ‘ n )

pdf(A,IA-,,x(”)) pdf of A, given {AJ = Aj}Jz,, and

X, - Exp(A,) X, is exponentially distributed: Sf(x) = exp(-A,

X - 3Z (m,02) Xis a s-normal r.v. with mean m and StdDev

x - L G N ( ~ , ~ ~ ) In(X) - %(m,u2)

x ( n ) =,(.I

0

- implies: the mean value.

Other, standard notation is given in “Information for Readers & Authors” at the rear of each issue.

A newly developed system, like software, has to be sub- mitted to several stages of testing before being launched. A test stage is stopped when a failure is observed; corrections & modifications are then performed in the hope of removing the involved faults and of increasing the reliability. Nevertheless, some corrections do introduce new errors and decrease the soft- ware reliability. After observing x ( ~ ) , one needs to know:

e How reliable is the software after the previous test stage? * Did the modificatims actually cause an overall reliability

4

Answering these questions is helped by statistical model- ing of the software life. Software reliability modeling centers around two sources of uncertainty [l]:

increase? e Is there any need for more tests?

* The tester behavior: viz, the way the tester selects data to be processed. The corrector’s behavior: viz, the sequence of the modifica- tions & corrections of the software. -4

Reasonable assumptions about software life [l - 31 lead to exponential distributions for the r.v. XI, X2, ... :

pdf{x,IAJ = A,.exp(-A, x,), for all i 2 1.

The A, measures the importance of the software faults after correction i-1; it considers the ‘size of these faults’ and the ‘probability of selecting inputs lying in their regions’. A good correction changes the software failure rate from A, to A, +

such that Ai+l < A,.

0018-9529/96/$5.00 01996 IEEE

EL AROUI/SOLER: A BAYES NONPARAMETRIC FRAMEWORK FOR SORWARE-RELIABILITY ANALYSIS 653

The correction effects are modeled as stochastic evolution of the failure rates. The Xi can be estimated by a Bayes framework where priors are chosen using the available prior- knowledge’ concerning the initial faults and the corrections of the studied software.

Most Bayes approaches, eg [2, 4, 51, use priors on Ai that afford analytic simplicity of the posterior distributions. Models usually have this mathematical tractability by moving away from the realistic interpretation of the available physical knowledge. The wide range of Bayes computational methods, eg [6, 71 developed during the past decade (eg, numerical integration, Monte-Carlo method, Markov chain simulation) and the very high computer-capacities, make the Bayes computations possi- ble, even if there is no explicit formula for the posterior statistics. Thus it is possible, as described in this paper, to get rid of the analytic tractability constraint, and choose priors that model as faithfully as possible the available physical knowledge concerning the corrector’s behaviors.

Section 2 presents the general assumptions (and their justification) of our framework. Section 3, a) gives Bayes estimates of the failure rates and the predictive distribution of the next time to failure, b) gives examples of possible inter- pretation of the available physical knowledge, and c) shows that many classical Bayes models are special cases of our general framework. Section 4 describes how to use two Bayes computa- tional methods, MCI & GS, to compute the Bayes estimates developed in the general framework. Section 5 gives applica- tion examples of our Bayes framework on some data sets.

General Assumptions

1. After each failure, a correction is attempted and the soft- ware is restarted.

2. The correction time is negligible or not taken into ac- count. 4

2. BAYES EXPONENTIAL MARKOV ASSUMPTIONS

2.1 Exponential Assumptions

common in software reliability analysis. The choice of the exponential distributions for the Xi is

Assumption

ponential distributions: 3. X1, X2, ... are mutually s-independent r.v. with ex-

Xi - Exp(hi), for all i 2 1. 4

The choice of the exponential distribution is a consequence of the lack of aging for software. After each correction we get a new software release, the relationship between these releases

is modeled by a dependence relation between the Ai. It is therefore reasonable to assume that the Xi are mutually s-independent .

2.2 General Bayes Modeling

The relationship between A, can be modeled parametrical- ly. Nevertheless these models are very restrictive since they assume a precise model (relating the different Ai) which is rele- vant in very few cases. On the contrary, the nonparametric Bayes approach gives a general tool for modeling the relation- ship between the Ai. This tool, based on general assumptions in software reliability, allows every user to introduce the par- ticularities of the study by choosing personal priors for the A,. The uncertainty on the deterministic rates Ai is modeled by considering them as r.v. denoted Ai.

General assumptions in the software reliability context lead to the Bayes exponential model:

Assumptions

4. The Xi are exponentially distributed with random rates A,:

Xi - Exp(Ai), for all i L 1. BEM 1

5. Given {Ar}i21, the r.v. Xi are mutually s-independent.

BEM2 is a stochastic process with prior distribution

n. 4 6.

2.3 Bayes Exponential Markov Assumption

The Ai model the software reliability evolution, so it is reasonable to assume that the r.v. hi are Markov:

Assumption

7. (Ai}izl is a Markov stochastic process; its distribution is defined by IIi(hilAi-l), for all i 2 1. rBEM3

Assumption 7 (BEM3) results because software-state (after cor- rection i ) is a transformation, via this correction, of its state after correction i - 1.

The nonparametric Bayes framework in this paper is bas- ed on general assumptions 4 (BEMl), 5 (BEM2), and 7 (BEM3). Under these assumptions:

’Prior distributions are used here to model degree-of-belief rather than relative frequency.

654 IEEE TRANSACTIONS ON RELIABILITY, VOL. 45, NO. 4, 1996 DECEMBER

pdf{x(")} = Assumption

8. A quadratic loss function applies in the following deriva-

The Bayes estimates of (h,),,,, for a quadratic loss func- tion.

tion are the posterior means:

K, = E { A , ~ x ( ~ ) } , for all i 5 n.

[A, exp(h, .x,) *n, (A, I A, - I ) I Ai ) . ..,an.

2.4 Another Justification for BEM Assumptions

Assumptions BEM1, BEM2, BEM3 ,can be obtained another way. Let the software verify the HPOP [SI, ie, that the following assumptions hold:

e the successive software solicitation times form a homogeneous

0 the solicited inputs are mutually s-independent, all with the

0 the solicited inputs are s-independent of the solicitation times.

Also, let assumption #2 hold; then these HPOP assumptions lead exactly to assumptions BEMI, BEM2, BEM3. Nevertheless the HPQP approach leads to a nonlinear discrete filtering framework with the observation equations:

given A, = A,, X, - Exp(h,), for all i z 1.

The system equations are:

Use assumptions BEM1, BEM2, BEM3:

pdf{A'n'lx'n'} = Dil.!€',,, (3)

Poisson process,

same distribution, i R + n xJ = E{AJ I x (n)} =

for all ~ n.

Al. '@, dA ( n ) j

(4)

These estimates give the best idea about the actual effect of the software corrections and the trend of the reliability.

3.2 Predictive Distribution

Software reliability is often evaluated by its MTTF. The Bayes approach provides the conditional distribution of X,, +

given x ( ~ ) =x which is the predictive distribution:

given A,-l = A, - II ,(h,lAt-l) , for all i L 1. pdf(x,+l =

(51

(6)

The same tools are used to estimate A, in the Bayes framework

are two justifications and two terminologies for a unique model. and to filter & predict the A, in the filtering approach. There j pdf{xn+ 1 I hn + 1,x(n)) *pdfihn+ 1 I dhn+ 1 ;

pdf{hn + 1 I x ',) 9 h n I = pdf{hn + 1 I An> .

3. BAYES INFERENCE

Under the BEM assumptions, we use the prior knowledge on the r.v. A, and the to estimate (A,),,, and to predict X,+ 1. Estimating these quantities allows the evaluation & prediction of the software reliability.

3.1 Estimation of Failure Rates

Initial prior knowledge about the unknown h, is used to choose the prior XI, of A("). After observing x ( ~ ) , the prior about A'") is modified. To update our knowledge, we replace the prior II, by the conditional distribution of A ( n ) given X'") - -x(,). The pdf of this posterior distribution is (Bayes theorem):

Using, a) assumption BEM2 in (5) , and b) (6), it is easy to prove theorem 3.1.

neorem 3.1 Let the BEM assumptions hold. The predictive pdf & MTTF are:

pdf{xfl+l =

A, + . exp(-h, + . x,, + ) . '@: (n + , (7) s R+n+ 1 DL1.

Proof See [l 13. We now translate our prior knowledge concerning the

(A,),,, into prior distributions on the {A,),5,.

3.3 Choice of Prior Distributions

'Optimal filtering theory has already been used for software reliability modeling [9, IO].

The most important step in the Bayes approach is transfor- ming the available prior knowledge (past behavior of the

EL AROUI/SOLER: A BAYES NONPARAMETRIC FRAMEWORK FOR SOITWARE-RELIABILITY ANALYSIS 655

debugging teams, test. & debugging procedures, etc) into prior distributions on {Ai}is,. This transformation can be perform- ed using the MEP.

3.3.1 MED

Let Y be a r.v. with pdf f, defined on Dy C R. The uncer- tainty concerning Y is measured by the Entropy Function:

HV) = - f(y).ln[f(y)l dy. i, H V ) also measures the quantity of information we obtain after the observation of a realization yo of Y.

Notation

gr

If we have prior information concerning Y, eg, we know that:

known functions, r 5 m.

f(Y).gr(Y) dY = g,, for all r 5 m,

then, the MEP states that, considering our prior knowledge about Y, the most likely distribution [12] of Y is the distribu- tion which maximizes H V ) subject to the two constraints:

r f(y).g,(y) dy = gr, for all r 5 m.

Example 1

We know a priori the mean m and StdDev (J of a r,v. Y. 4 Thus the MED of Y is X ( m , a 2 ) .

Example 2

We know apriori that a) Y 2 0, and b) E{Y} = m. Thus

More details about the MEP are in 1121. the MED is Exp(1lm). 4

3.3.2 Modeling the corrections effect

This section gives 3 examples of expressing our available prior knowledge about the testing & correction environments. Generally, when we observe a software system, we note an overall reliability growth, with short periods of reliability decay (bad corrections). This prior knowledge can be modeled by a stochastic decrease of {A, } l sn . {A,},l, being Markov, its stochastic decrease can be expressed by the fact that, given A,-1 = A l - l , the r.v. A, is smaller (in a certain sense 121) than

Using more precise physical prior knowledge about the cor- rection environment, we can specify the way in which {A,},,, decreases. The 3 examples use the MEP to make the transition between the physical knowledge and the mathematical inter-

A,-1.

pretation of the {A,}, ,, stochastic decrease. Software reliabili- ty analysts can of course translate their own knowledge by choosing the appropriate prior on A, given A,-l = A,-l through the specification of

I I , ( X , ~ X , - ~ ) , for all i 2 1.

Example 1

the same effect on the software reliability. Thus

E{A, I A, - I > = g (A, - 11,

We believe that the modifications have, on the average,

g a real known function expressing our beliefs concern- ing the average improvement due to a single correction.

‘ g ( x ) < x ’ translates a reliability growth.

The MED of A,, given A,-l = is then:

4 - ExPr 1/s (A, - 1 )I .

A particular case of this model uses:

E{A,IX,-1} = exp(-80).X,-1,

Bo measures the average improvement ( &) of the reliability due to a correction.

The MED of A, given A,- 1 = A, - is: Exp[exp(Oo) /A,- 11 which corresponds to the Moranda geometric model 1131.

Example 2

Correction-effects can be measured by the proportion of removed (good correction) or added (bad correction) faults. A possible prior knowledge is: a good correction removes at most the fraction a of the initial faults, while a bad correction adds at worst the fraction P of the software faults:

Given A,-1 = X l - l ,

then A, E [ ( l -a)

The related MED of A, given A, - = X, - is:

A, - Uniform[(l-a).h,-l, ( l+P).X,-l] .

Example 3

( 1 + P )

The corrections effects can be modeled by a geometric evolution of the failure rates X, [14]. This is translated in our framework by the relationships:

A, = exp(-0,) for all i > 1;

0, = corrections effects, r.v.

656 IEEE TRANSACTIONS ON RELIABILITY, VOL. 45, NO. 4, 1996 DECEMBER

It is known a priori that the corrector's improvement fluctuates around a mean correction effect 00 with a StdDev U (tiredness of the correctors, bonus, etc). Then the MEP states that the 6, are: X(80,02). Thus, given A,- =A,- 1, the MED of the r.v., ln(A,/Xz-l), is:

see [14] for a non-Bayes treatment of this model.

3.3.3 Remarks about section 3.3.2

1. In examples 1 - 3, the user should specify the prior values of the parameters:

eo, h0, 02, etc.

2. Many common Bayes models can be considered as members of our Bayes framework with specific priors on {A , }Lcn . Four examples are given.

a. Littlewood & Verrall [2]. { A i } i 2 l are s-independent, Gamma distributed:

for all i 2 1.

b. Mazzuchi & Soyer [4]. Use an empirical Bayes approach to treat the uncertainty of the unknown parameters P1, P2, a!

of the Littlewood & Verrall [2] model. c. Becker & Camaranipoulos [5]. Take a class of conjugate

priors on (A,}Lrl; they assume:

so that they get conjugate priors with some desirable properties. d. In the Bayes Version of the Jelinski-Moranda model [15,

161, the uncertainty on {Xz},21 is modeled by:

h , i sar . v . :A , = X - + ( i - l ) , f o r a l l i 2 1 (h&+arenon- negative real numbers), with Gamma priors on X and a.

4. BAYES COMPUTATIONS

The Bayes approach leads generally to posterior statistics involving high dimensional integrals; see (4) & (8). During 1986 - 1995, several numerical & simulation techniques [6, 71 have been developed to solve the problem of estimating intractable posterior formulae. This section uses two methods:

* MCI [17] based on the central limit approximation; e GS [7] based on Monte-Carlo Markov chain approach.

In our software reliability framework, we are interested in computing the posterior estimates of XJ & MTTF in (4) & (8).

4.1 MCI

MCI requires computing separately the numerators and denominators of (4) & (8). For example, consider estimating D,.

X ( n ) , k , k= 1, ..., d E a sample generated from the prior rIn ( A (,I).

The quality of this estimate depends on d. The Bienayme- Tchebychev inequality relates d to the precision of the approximation:

for all E > 0, Pr(lD, - f i nd / > E } I Var(Z,}/(d.E2), n

E , = n A,.exp(-A,.x,). r = l

To get, for example:

there must be,

d = 103Var{Zn} /E2{2,) simulations.

The required d increases with n, and with the StdDev of the priors II, (A, I A,- ). For n > 20, d becomes very large. A precise estimate of (4) & (8) therefore requires too many simula- tions. This problem can be solved by dividing the failure data sets into small subsets; each subset is dealt with separately us- ing prior values given by the previous packet. For large data sets one can also use the GS.

4.2 GS

We want to get samples from the pdf(X(") Ix'")} in order to estimate posterior averages such that E v( A ) I x c n ) } where f is a real, integrable function. GS [7] gives approximate samples from pdf{A(n'lx(n'}; it has 3 steps.

1. Pick arbitrary starting values X (n ) ,o = (Xp,. . . ,A,"). 2. Randomly draw from the pdf{h, I h-,,x("') :

0 X: from pdf{X1~Xol,x(")}, * A,' from pdf(h21X:,h! ,..., h;,x(")),

X: from pd;(h, 1 A: ,A;, A!, . . . , X;,X 1, 0 :

Xk from pdf{h,lX!,,x("'>.

EL AROUUSOLER A BAYES NONPARAMETRIC FRAMEWORK FOR SOFTWARE-RELIABILITY ANALYSIS 657

This completes the transition from X (')so to X (n) , l ,

3. Iterations of steps like step 2 give a realization

of a Markov chain whose equilibrium distribution is pdf{ X (,)

Asymptotic properties of the generated Markov chain give: Id,)}. 4

i d

Therefore, the unknown failure rates are estimated by:

. d

Implementation of GS requires knowing,

XI true rates laml

Rates estlm. IO I 8.95

+ Rates estim. IO - 3.00

0 Rates estim. IO - 0.50

N -

pdf{XjIX-j,x(")}, for a l l j I n.

These pdf are given by theorem 4.1, which follows from BEM assumptions,

Theorem 4.1 Let BEM assumptions hold.

pdf { Xj I X,,x (,)} = t j dxj a t j , for a l l j < n, ' / j R +

t j = Xj-exp(-Xj-xj) enj( Xi I Xj-l) .IIj+l ( X j + I X j ) ;

pdf{X,IX-,,x(")} = 4, E , A, a t,, f o r j = n, / S R +

Rejection sampling techniques [18, 191 are then used to generate samples from the previous pdf.

5 . EXPERIMENTAL RESULTS

Two simulated (from known rates) data sets and a real data set, Musa3 [20], are used.

5.1 Simulated Data Sets

Two known failure rate series, laml & lam2 (see figure l), are used to generate two exponentially distributed data sets: simull .d & simul2.d (see figures 3 & 4); simull .d & simul2.d are then used to obtain estimates a & a of laml & lam2.

Given

1. We know a priori that the correction team has a mean correction effect eo, and that the true effect can move away from this average effect (tiredness, bonus, etc).

I I I I

5 10 15 20

Log-Normal priors

NI true rates lam2

* Rates estim. 10 - 10.00

+ Rates estim. IO .. 1.04

8 0 Rates estlm. IO = 0.20 z * -

N

0 5 10 15 20 25 30

[GS with: O,=O, a=l]

Figure 1. Effect of ho

2. This distance is modeled by the StdDev U of the correc- tion effect. 4

The chosen priors are, given Ai-l =Xi-l:

Ai - LGN(-Bo + ln(Xi-l), a2), for all i 5 n.

This implies that, given Ai-l = Xi-l, then Ai/Ai-l = exp(-ei), ei - x(eo,u2).

IEEE TRANSACTIONS ON RELIABILITY, VOL. 45, NO. 4, 1996 DECEMBER

0

simull .d Log-Normal priors IO = 3, t h e t a 0 = 0

true r a t e s lam1

* Rates estim. sig2 = 0.1

+ R a t e s estim. sig2 1 .O

0 Rates estim sig2 = 4.0

I I I I

5 10 15 20

I

0

simu12.d Log-Normal priors

IO = 1, t h e t a 0 = 0

Y true rates lam2 R a t e s estim. si92 = 0.1

+ R a t e s estim. sig2 = 1 .O o R a t e s estim. siga - 4.0

0

0 5 10 15 20 25 3c

I

Figure 2. Effect of (T‘

The eo represents our priors about the failure reliability trend. If there are no priors (which is the case here) we choose

The Xo measures .the importance of the initial software faults. Figure 1 shows that the choice of Xo does not impor- tantly influence the failure-rate estimates. We can take, for ex- ample, ho = l/xl.

00 = 0.

The o2 measures the assurance we have in the priors:

0 a small o2 translates into a strong belief in the fact that, given A, - = X i - 1, A, is log-normally distributed,

. simull .d

Log-Normal priors E(Xi+I Ix(i))

0

thetaO=O. 1038.96, sig2-1 .O /‘’3,, : tt

+ theta0-0, 104.96, sig2=0.1 ,! ’, I 1,

I I I 10 15 20

I

simull .d Fai lure o b s e r v a t i o n s ii

I I t I I 5 20 15 10

I

[E{&+llx(’)}, for i 2 5 ; MCI]

Figure 3. E s t i m a t e s of the Predictive MTTF

* a large a2 expresses serious doubts concerning the priors, and the failure-rate estimates depend much more on the failure observations. 4

A balance exists between the importance of the x, and the priors on the failure-rate estimates. This balance is governed by the variances of the {A,},,, prior distributions (a2 in this case). This is very close to what happens in optimal filtering. Figure 2 shows the influence of 02: for a2=0.1, the failure- rate estimates are smooth, which is not the case for a2=4. In

EL AROUI/SOLER A BAYES NONPARAMETRIC FRAMEWORK FOR SOFTWARE-RELIABILITY ANALYSIS 659

LD

.- I "

f

N

. I

$ simu12.d ::

Log-Normal priors ' I

I ; , I , I

, I

E(Xi+l Ix(i))

: : I I : I : : : : : : I :

theta0-0.10-1.69. slg2-1 .O ! t

; ..*: ; + theta0-0.10-1.69. sig2sO.l :

5 10 15 20 25 30 35

simul2.d Failure observations

.

I I I I I I 0 5 10 15 20 25 30

[ E { X , + , l x " ' } , fo r i 5. 5 ; MCI]

Figure 4. Estimates of the Predictive MTTF

the latter case, our estimates depend much more on the obser- vations; maxima of the failure-rate estimates correspond to minima of the .xi.

Figures 3 & 4 gives the estimates of the predictive MTTF. These estimates should be used to evaluate the present software reliability. Their comparison with the real failure observations is nonsense since software failure observations have very large StdDev.

MUSA3 Uniform priors

* alpha-0.5, beta-0.50, 0-0.0087

+ alpha-0.2, beta-0.05. IO-0.0087

0 alpha-0.5. beta=0.50. IO=0.0500

I I I

10 x) 30

i

Figure 5. Estimates of (A,),& GS

Remark

In our experimental results, we make d = lo4 simulations for the MCI method, and 500 iterations (the first 200 Markov chain realizations are discarded) for the GS.

5.2 Real Data Sets

Generally, during the debugging period of newly developed software, the test & correction teams have debugging-process reports where they record: a) all the information concerning the tests to be done, b) the way corrections are performed, c) the discovered failures, etc. The most important point in our framework is that it allows reliability analysts to construct their own software reliability model, just by translating the informa- tion found in the debugging-process reports to priors on the failure rates.

In classical software failure data sets, eg, [20], only times between failures are given; the required prior knowledge which allows getting priors on {Ai} isn is therefore not available. We nevertheless use our methods on the real data set: Musa3 [20]. We assume that the physical prior knowledge makes us believe that a good correction will at most remove the fraction a of the initial software faults; while a bad correction can add, in the worst case the fraction 0 of the initial faults. Thus our priors are, given Ai-l = h i - l , and for all i 2 1:

Figure 5 gives Bayes estimates of the X i (using various in- itial parameter-values). Choosing 01 = /3 = 0.5, means that we have no prior idea about the future reliability trend. Moreover, the choice of X, has a weak influence on the estimates. These estimates show a clear reliability growth trend for the data set.

660 IEEE TRANSACrrIONS ON RELIABILITY, VOL. 45, NO. 4,1996 DECEMBER

ACKNOWLEDGMENT [13J P. Moranda, “Event altered rate models for general reliability analysis”, IEEE Trans. Reliability, vol R-28, 1979 Dec, pp 376-381.

we are pleased to thank Dr, Ralph A. Evans for his [14] 0. Gaudoin, c . Lavergne, J. Soler, “A generalized geometric de- eutrophication software reliability model”, IEEE Trans Reliability, vol 43, 1994 DK, PT, 536-541. valuable comments & suggestions.

REFERENCES

B. Littlewood, “Predicting software reliability”, Phil. Truns. Royal Socie-

B. Littlewood, J. Verrall, “A Bayesian reliability growth model for com- puter software”, Applied Statistics, vol 22, 1973, pp 332-346. J. Soler, “ModBlisation des processus de risque, de defaillance et de cor- rection. application ?I la fiabilitC des logiciels (Modeling of risk, failure, and correction processes: Application to software reliability)”, Proc. 6th Int’l. Con$ Reliability and Maintailzability, 1988 Oct; Strasbourg, France. T. Mazzucbi, R. Soyer, “A Bayes empirical bayes model for software reliability”, IEEE Trans. Reliability, vol 37, 1988 Jun, pp 248-254. B. Becker, L. Camaranipoulos, “A Bayesian estimation method for the failure rate of a possibly correct program”, IEEE Trans. Sojiwure Eng’g, vol 16, 1990 Nov, pp 1307-1310. A. Smith, “Bayesian computational methods”, Phil. Trans. Royal Society ser. A, vol 337, 1991, pp 369-386. A. Smith, G. Roberts, “Bayesian computations via the Gibbs sampler and related Markov-chain Monte-Carlo methods”, J. Royal Statistical Society ser. B, vol 55, 1993, pp 3-23. 0. Gaudoin, J . Soler, “ModBles pour I’Btude de la fiabilitC des systkmes pr6sentant des fautes de conception. application B I’Bvduation de la fiabilitB des logiciels (Reliability models for systems with design defaults: Ap- plication to software reliability)”, Revue de Statistique AppliquBe, vol XXXX, num 2, 1992, pp 91-98. N. Singpurwalla, R. Soyer, “Non-homogeneous autoregressive processes for tracking (software) reliability growth, and their Bayesian analysis”, J. Royal Statistical Society ser B, vol 54, num 1, 1992, pp 145-156. Y. Chen, N. Singpurwalla, “A non-Gaussian Kalman filter model for tracking software reliability”, Statisticu Sinica, vol4, 1994, pp 535-548. M. El Aroui, Outils Statistiques pour la Construction et le Choix de Modeles en Fiabilitt des Logiciels (Statistical Tools for the Construc- tion and the Choice of Models in Software Reliability), 1996, PhD Thesis; Universitt Joseph Fourier de Grenoble. J. Kapur, Maximum-Entropy Models in Science and Engineering, 1989; John Wiley & Sons.

ty, VOI A 327, 1989, pp 513-527.

_ _ [15] B Littlewood, A Sofer, “A Bayesian modificaaon to the Jelinslu-

Moranda software reliability growth model”, Sofhyare Engzneenng J , 1987 Mar, pp 30-41

[16] A Csenlq ‘‘Bays predictwe analysis of a fundamental software reliabdity model”, IEEE Trans Relzabzlzty, vol 39, 1990 Jun, pp 177-183

[171 R Rubmtein, ~ZmIhhOn and the Monte-’Carlo Method, 1981, John Wdey & Sons

[18] E Arjas, D. Gasbarra, “Nonparametric Bayesian inference from right censored survival data, using the Gibbs sampler”, Statzstzca Sznzca, num 4, 1994, pp 505-524

1191 W Gilks P Wild, “Adaptive rejection sampling for Gibbs sampling”, Applied stahstzcs, vol 41, 1992, pp 337-348

[20] J Musa, “Software reliability data”, Tech Report, 1979, Rome Air Development Center

AUTHORS

Dr Mhamed-Ah El Aroui, Laboratoire LMC-IMAG, BP 53 X 38041 Greno- ble Cedex 9 FRANCE 1

Intemet (e-mail) elaroui@imag fr Mhamed-Ali El Aroui (born 1969 in Tunisia) received his Engineer

Diploma (1992) from the National Superior School of Computer Science and Applied Mathematics of Grenoble (France) and a PhD (1996) in Applied Mathematics from the Joseph Fourier University, Grenoble His research in- terests include statistical evaluation of software reliability, model choice, goodness-of-fit techniques and Bayes reliability analysis

Dr. Jean-Louis Soler; Laboratoire LMC-IMAG; BP 53 X 38041 Grenoble Cedex 9 FRANCE. Intemet (e-mail): Jean-Louis.Soler@imag. fr

1992 Dec, p 524. Jean-Louis Soler: For biography, see IEEE Trans. Relzability, vol 41,

Manuscript received 1996 April 15.

Publisher Item Identifier S 001 8-9529(96)09334-7 r T R b

PROCEEDINGS FREE PROCEEDINGS FREE PROCEEDINGS FREE PROCEEDINGS FREE PROCEEDINGS FREE PROCEEDINGS

Your Reliability Society gives each member a copy of the Proceedings for: 0 AR8cMS (Annual Reliability and Maintainability Symposium), and/or 0 IRPS (International Reliability Physics Symposium),

depending on the type of membership.

IUwhen there are surplus copies, the Society tries to make them available to: 0 Instructors in Reliability. (Sometimes we can supply a copy for every member of a reliability class.) e Technical Libraries.

At this time, there are no such surplus copies. 4TRb