Andy Moyer

Cleanroom Software Engineering  What is it?  Goals  Properties of Cleanroom  Cleanroom Technologies  Case Studies  Critiques

Cleanroom Software Engineering: What is it?  Set of principles and practices for the specification, development, and certification of software-intensive systems.  Based on the work of Harlan D. Mills who was an employee of IBM in early 1980s. Influenced by Dijkstras structured programming, Nicholas Wirth on stepwise refinement, and David Parnas on modular design  Methods based on two principles: Programs are rules for mathematical functions Software testing is sampling

Where the Idea Came From  The cleanroom model follows the ideas of manufacturing semiconductors in a “cleanroom” environment.

Goals of the Cleanroom Process  Main goal: Achieve or approach zero defects  Other goals: Prevent defects Create correct, verifiable software Incremental development

Properties of Cleanroom  Spend a lot of time and money "up-front" preventing defects  Use statistical methods to ensure quality  Formally state and “prove” requirement needs  Specification, development, and certification may be done by separate teams depending on the size of the project

Cleanroom Technologies 1. Incremental development under Statistical Process Control 2. Function-Based Specification, Design, and Verification 3. Correctness Verification 4. Statistical Testing and Software Verification

Incremental Development Under Statistical Process Control  Used to reduce the risk associated with managing large systems by focusing on smaller, manageable subsystems of increments.  Each increment is developed and tested separate from the whole system before integrating into the whole system.  As increments are added, the whole system is tested.  Some amount of end-user function used to obtain customer confirmation or clarification

Incremental Development Under Statistical Process Control  Increment should have these properties: Externally executable Contain all functionality of prior increments  Benefits: Specification, design, and certification activities may be performed often Timely feedback can be obtained from customer Intellectual control over a system

Cleanroom Technologies 1. Incremental development under Statistical Process Control 2. Function-Based Specification, Design, and Verification 3. Correctness verification 4. Statistical Testing and Software Verification

Function-Based Specification, Design, and Verification  Objectives: Expand the specification into implementation via small steps Maintain intellectual control by designing data and control structures at appropriate levels of abstraction  The Three Boxes: Black Box State Box Clear Box

Function-Based Specification, Design, and Verification  The Box Structures Begins with an external view – Black Box Transformed into a state machine – State Box Fully developed into a procedure – Clear Box

The Black Box  A view of an object that hides data implementation and process implementation. It describes how a system responds to stimuli, usually in a formal specification language.  No internal state is looked at  Our good friend – Z (Zed)

The State Box  A view of an object that shows data implementation but hides process implementation. It describes how "state" information is transformed.  Derived from the black box – first step to implementation  This is represented as a finite state machine

The Clear Box  A view of an object that shows both data implementation and process implementation. The goal is to stepwise refine procedures and to prove them correct.  Derived from the state box  May introduce new black boxes defining major operations  Creates the required responses (outputs) to stimuli (inputs)

Stepwise Refinement of Specifications to Code  Steps: 1. Expand clear box into lower level designs 2. Verify the correctness of the expanded designs 3. Expand low level designs into code

Cleanroom Technologies 1. Incremental development under Statistical Process Control 2. Function-Based Specification, Design, and Verification 3. Correctness verification 4. Statistical Testing and Software Verification

Correctness Verification  The primary debugging process for Cleanroom  Each box structure subject to correctness verification  Objectives: Determine that the box structures correctly implements design Remove any errors that were introduced during development Completely review the code for completeness, consistency, and correctness

Correctness Verification  So what is verified? If the box structure behaves as defined Correctness of each refinement Response mapping defined in one step is preserved

Cleanroom Technologies 1. Incremental development process model 2. Stepwise refinement of specifications to code 3. Correctness verification of developed code 4. Statistical Testing and Software Verification

Statistical Testing and Software Verification  Each increment of compilable functionality is statistically tested to: Ensure that it meets the quality standards defined by the development organization Certify a level of reliability that the product will deliver in the field Provide feedback for quality control and process improvement

Statistical Testing and Software Verification  Steps taken: 1. Plan the test ○ Stratification plan which describes each layer to be developed ○ The sampling plan ○ A description of which physical testing resources are to be devoted to each increment and each stratum 2. Develop usage models required by the test plan 3. Develop and validate the usage distribution

Example Usage Model

NASA Case Study  In March of 1990 NASA preformed a case study of SEL Cleanroom versus their typical process  Each group applied the process to the same project – a Coarse/Fine Attitude Determination Subsystem of the Upper Atmosphere Research Satellite.  Completed system contained about 34,000 Source Lines of Code (SLOC) of primarily FORTRAN

NASA Case Study-SEL Cleanroom Lifecycle

NASA Case Study-Experience Comparison

NASA Case Study  Testers and developers are on completely separate teams  Developers have no access to the mainframe computer for compilation and testing  Developers rely on code reading instead of unit testing to verify correctness  Testers use a statistical testing approach

NASA Case Study - Results

 Failure Rate: Standard SEL process – 6 errors/KSLOC Cleanroom SEL procees – 3.3 errors/KSLOC  The inexperience of the cleanroom team had no effect on the outcome  Impact of unstable requirements lessened by concentrated effort in team reviews

DoD Case Study  The STARS program is a US Department of Defense (DoD) reasearch and development program  Emphasizes: Process driven Re-use based Integrated software engineering environment

DoD Case Study  Typical Process Productivity measured at 121 loc/person month Failure rate: 23~27 failures/KLOC  Cleanroom Process Productivity measured at 559 loc/person month Failure rate: 1 failure/KLOC

DoD Case Study  Important benefits: Improved Productivity Improved quality High staff morale

Critiques  In 1997, Beizer argued the elimination of unit testing is contradicting “known testing theory and common sense”  Also, is it possible to find bugs without compiling/running code?

References  1. Cleanroom Software Engineering. Retrieved from University of Texas at Arlington website: r/clean/page1.html 2. DACS, The Data and Analysis Center for Software. Retrieved January 5, 2009 Found at: keycode=64 r/clean/page1.htmlwww.dacs.dtic.mil/databases/url/key.php? keycode=64

References  3. Green, Scott et al. (1990). "The Cleanroom Case Study in the Software Engineering Laboratory: Project Description and Early Analysis". NASA. Retrieved from nasa.gov/ _ pdf 4. Prowell, Stacy et al. (1993). "Cleanroom Software Engineering: Technology and Process". Reading, MA: Addison Wesley Longman, Inc. nasa.gov/ _ pdf