Assurance techniques for code generators
Ewen Denney (USRA/RIACS, NASA Ames), Bernd Fischer (ECS, University of Southampton)

Assurance problem
Safety/mission-critical software requires assurance that it meets a certain level of "quality".
What are the issues in assuring automatically generated code?
– Different forms of assurance
– Different assurance techniques
– Diverse generator paradigms

Forms of assurance
What exactly might we need to assure?
– Compliance with requirements
– Compliance with spec/model
– Certification standards
– Coding standards
– Absence of run-time errors
– Traceability
– Appropriate documentation, to minimize "automation surprises"
– Correctness
– Reliability
– Legibility

Code generators in practice
Practitioner survey carried out in March 2006 (Code Generators in Safety-critical Applications, J. Schumann, E. Denney); 23 responses from NASA and industry.
– How are ACGs (automatic code generators) used for safety-critical applications at NASA and in industry?
– Which are the primary application areas and domains?
– Which tools are used?
– Challenges, benefits and problems?
– How could ACGs be extended to be more useful in safety-critical applications?

Tools and languages
The Big Three: Real-Time Workshop, MatrixX, SCADE

Domains and criticality levels
Principal domains:
– control
– modeling/simulation
Many highly critical applications.
ACG used for:
– production code (74%)
– prototyping (52%)
– simulation (48%)
– testing (30%)
– glue/interface code (30%)

System components

Weaknesses
Steep learning curve
– applicable problems, features, correct usage, architecture, implied methodology, semantic ambiguities, …
– substantial impact on development process
ACG customization
– necessary in 1/3 of cases
– often (2/3) done by tool vendor
ACG bugs
– in 2/3 of applications, bugs were found in the ACG

Qualification
A code generator is qualified
– with respect to a given standard
– for a given project
if there is sufficient evidence about the generator itself that V&V need not be carried out on the generated code in order to certify it.
– Must be redone for every project and every generator version
– Can obtain verification credit
– Generators are rarely qualified
– Examples: ASCET-SE (IEC 61508), SCADE, VAPS (DO-178B)

Certification and V&V
Auto-generated code must be certified for safety-critical use.
Techniques used:
– testing (90%)
– static analysis (58%)
– simulation (52%)
– manual review (48%)
No formal verification; no review of generator code.

Safety properties

Generator features

Domain-specific analyses
Mostly numeric issues:
– stability (root locus, Lyapunov)
– robustness
– convergence
– transience
Some domain-specific design rules:
– "forbidden" constructs
– block structure

Documentation
– Design information
– Code derivation
– Configuration management information (to "replay" generation)
– Safety information
– Tracing information
– Interface definitions, requirements
– User manuals
– Installation information
Should be customizable.

Traceability
– Most important: between model and code
– Secondary: between code and V&V artifacts

Tool integration
– Also workflow and process tools
– Tools for integrating legacy code

Survey summary
– Integrated modeling, analysis, and simulation tools are most common in the control domain
– In-house extensions are common for modeling and verification issues
– Natural synergy between code generation and certification activities
   – perceived but not realized
   – autocode is often treated like manual code
– Iterative customization of the generator should be seen as an integral part of the development process

Assurance techniques
Testing the generator (qualification)
– for all specs, blocks, configurations, backends, …
Post factum verification / certification
– verify / certify generated programs individually
Correctness by construction
– generator inherently guarantees certain properties
Documentation
Traceability
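The "Documentation", "Traceability", "Domain-specific analyses" and "Assurance techniques" slides above list the artefacts a generator should emit and the checks a certifier wants to run on its output. The following is an added illustration, not the survey's or the authors' tooling: a toy template-based generator that emits one C function per model block together with a manifest (generator version, model hash, block-to-line trace with content hashes), and a post-factum checker that uses the manifest to detect model drift, untraced blocks, hand edits to generated code, a "forbidden" construct (here `goto` and `malloc`, an assumed coding rule) and failure to replay the generation. The spec format, the version string `toygen-0.1` and the sample model are constructed for the example.

```python
import hashlib
import json
import re

# Assumed values for the example: a generator version string that is recorded
# so a generation run can be replayed, and a coding rule that bans constructs.
GENERATOR_VERSION = "toygen-0.1"
FORBIDDEN_CONSTRUCTS = {"goto": r"\bgoto\b", "malloc": r"\bmalloc\b"}

# Constructed sample model: two gain blocks, the kind of element a control
# modelling tool hands to a code generator.
SAMPLE_SPEC = {"blocks": [{"id": "scale_in", "gain": 0.5},
                          {"id": "scale_out", "gain": 2.0}]}


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def spec_hash(spec):
    """Stable hash of the model, so a manifest is tied to exactly one spec."""
    return _sha256(json.dumps(spec, sort_keys=True))


def generate(spec):
    """Generate one C function per block. Returns (code_lines, manifest).

    The manifest is the replay/traceability record: generator version, spec
    hash, and for every block the line range it produced plus a hash of it.
    """
    lines, trace = [], {}
    for blk in spec["blocks"]:
        start = len(lines) + 1
        lines += [f"/* generated from block {blk['id']} */",
                  f"double {blk['id']}(double u) {{",
                  f"    return u * {blk['gain']};",
                  "}"]
        trace[blk["id"]] = {"lines": [start, len(lines)],
                            "sha256": _sha256("\n".join(lines[start - 1:]))}
    manifest = {"generator": GENERATOR_VERSION,
                "spec_sha256": spec_hash(spec),
                "trace": trace}
    return lines, manifest


def check(spec, lines, manifest):
    """Post-factum checks on a generated artefact. Returns a list of findings
    (an empty list means the artefact passes)."""
    findings = []
    # Configuration management: the manifest must describe this generator and this model.
    if manifest["generator"] != GENERATOR_VERSION:
        findings.append(f"generator mismatch: {manifest['generator']} vs {GENERATOR_VERSION}")
    if manifest["spec_sha256"] != spec_hash(spec):
        findings.append("spec drift: manifest was produced from a different model")
    # Traceability: every model element must map to code.
    for blk in spec["blocks"]:
        if blk["id"] not in manifest["trace"]:
            findings.append(f"block {blk['id']} has no trace to code")
    # Integrity: traced regions must still hash as recorded (catches hand edits).
    for bid, t in manifest["trace"].items():
        s, e = t["lines"]
        if _sha256("\n".join(lines[s - 1:e])) != t["sha256"]:
            findings.append(f"block {bid}: lines {s}-{e} differ from manifest (edited after generation?)")
    # Coding standard: forbidden constructs anywhere in the output.
    for n, line in enumerate(lines, 1):
        for name, pat in FORBIDDEN_CONSTRUCTS.items():
            if re.search(pat, line):
                findings.append(f"line {n}: forbidden construct '{name}'")
    # Replay: a deterministic generator must reproduce the artefact exactly.
    if generate(spec)[0] != lines:
        findings.append("replay mismatch: regenerating the model gives different code")
    return findings


if __name__ == "__main__":
    code, man = generate(SAMPLE_SPEC)
    print("\n".join(code))
    print("findings on clean output:", check(SAMPLE_SPEC, code, man))
    edited = code[:]
    edited[2] = "    goto fail;"  # simulate a manual patch to the generated code
    print("findings after hand edit:", check(SAMPLE_SPEC, edited, man))
```

The point of the manifest is that it lets a certifier who never sees the generator's internals still answer the questions on the slides: which model element produced these lines, whether the code in front of them is what the generator produced from the model under review, and whether the generation can be replayed. Hand edits to autocode (which the survey found common when autocode is "treated like manual code") show up as a hash mismatch on the traced region rather than going unnoticed.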

Discussion questions
– What are the interesting assurance artifacts, properties, etc. in your target domains?
– What are suitable notions of documentation, traceability, and development process?
– What assurance techniques have you tried?
– How is the generative knowledge represented (templates, transformation rules, etc.), and how can it be combined with assurance information?
– Can we apply Design for Verification (D4V) to generators?