Presentation is loading. Please wait.

Presentation is loading. Please wait.

Creating high confidence, highly dependable, critical software

Published byNickolas Lenard Johns Modified over 5 years ago

Similar presentations

Presentation on theme: "Creating high confidence, highly dependable, critical software"— Presentation transcript:

1 Creating high confidence, highly dependable, critical software
For the last year I’ve been interested in how to make software more dependable, how to have more confidence in our software. I’d like to share with you some of the things I’ve learned. Roger L. Costello March 24, 2018

2 View the “Notes” section
I added notes under each slide. Be sure to read the notes. Read the notes in here. Did you see my introductory note on the previous slide?

3 Traditional approach Test the heck out of it. Verification
Microsoft: One tester for every developer Verification Mathematical theorem-proving techniques Follow a formal certification process. Aeronautical software: follow the DO-178C process Traditionally, the approach to creating highly dependable software is three-pronged: (1) Test the heck out of the software. At Microsoft there is approximately one tester for every developer. (2) Use formal, theorem-proving techniques to prove the correctness of the code. (3) Follow a formal certification process. For example, aerospace companies must follow the certification process DO-178C for their software to be approved by the FAA.

4 Testing to produce dependable software
Testing is indispensable. No software system can be regarded as dependable if it has not been extensively tested. At the same time, it is important to realize that testing alone is incomplete and is rarely sufficient to establish high levels of dependability. Even the largest test suites will not exercise enough paths to provide evidence that the software is correct and will have little statistical significance for the levels of confidence usually desired. It is erroneous to believe that a rigorous development process, in which testing and code review are the only verification techniques used, justifies claims of high levels of dependability.

5 Acknowledgement: this diagram is from Greg Dennis’ Ph.D dissertation.
Due to its low initial costs, testing can be an attractive option for checking program correctness. A handful of test cases can be written quickly without much expertise, run fully automatically, and when bugs are found, testing provides the user with concrete counterexamples that exhibit the error. As this diagram shows, testing allows users, for relatively little cost, to obtain an immediate boost in confidence in the correctness of their code. The challenge of testing is that high confidence is very difficult and costly to obtain. If high confidence is required, a developer might instead opt for theorem proving. As its name implies, theorem proving yields a proof of the program’s correctness—a very high level of confidence. However, as reflected in this diagram, theorem proving requires a large investment in both time and expertise before any confidence is obtained. It is common for a theorem prover to carry a learning curve of about 6 months, even for a highly skilled developer. That amount of upfront investment makes theorem proving prohibitively expensive for most projects. Acknowledgement: this diagram is from Greg Dennis’ Ph.D dissertation.

6 Certification process to produce dependable software
DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, approve all commercial software-based aerospace systems. IEC provides requirements for the purpose of achieving highly reliable nuclear software. To date, most approaches to developing dependable software have relied on fixed prescriptions, in which particular processes are applied and from which dependability is assumed to follow. Some certification schemes, for example, associate higher safety integrity levels with more burdensome process prescriptions and imply that following the processes recommended for the highest integrity levels will ensure that the failure rate is minuscule. In the absence of a carefully constructed dependability case, such confidence is misplaced.

7 Model of an aircraft Aircraft companies create models before building aircraft. Why? Because models are more convenient to analyze and because an actual aircraft contains lots of details that are irrelevant for analysis. Models allow concepts to be developed before committing to physically building the aircraft.

8 Model of software model of the software software (application)
Enlightened software companies create models before building software. Why? Because models are more convenient to analyze and because the actual software contains lots of details that are irrelevant for analysis. Models allow concepts to be developed before committing to implementing the code.

9 MIT Professor Daniel Jackson created Alloy for making software models
A couple years ago I was looking for ways to create more dependable software. I discovered something called Alloy, which was created at MIT. Alloy is both a language and an analysis tool. The language is used to create models of software. The analysis tool can automatically, exhaustively evaluate models for vulnerabilities. Further, the analysis tool can automatically generate instances that satisfies the model’s constraints. In a project that I recently worked on, this instance-generator capability of Alloy enabled us to find an error that had gone undetected for more than a decade.

10 Alloy = “lightweight formal modeling”
Formal theorem proving can create highly dependable software, but it is very expensive. Alloy is rigorous, like formal theorem proving, but simpler. The modeling done in Alloy is called lightweight formal modeling. Unlike formal modeling, there are no complicated mathematics or unfamiliar symbols. The Alloy language is based on simple notions of basic logic.

11 Traditional testing Alloy analysis
Whereas testing is incomplete, the Alloy Analyzer does exhaustive checking, within a bound. It leaves no stone unturned. If there are problems in corner cases, the Analyzer will find them. This forearms the developer to be aware and alert to those corner cases. In other words, through modeling and analysis the concepts are worked out and verified prior to committing to code. This leads to a higher level of confidence in the code.

12 Alloy Alloy requires a greater upfront investment than testing, but once that initial investment is made, it provides a dramatic increase in confidence. Being fully automatic, its cost is much lower than theorem proving, though it can never attain the confidence of a proof. The Alloy language is expressive. It is capable of checking a model against strong, user-provided properties, such as: The radiotherapy system will not deliver an overdose to the patient.

13 Recently I have been reading this book from the National Academy of Sciences. Its central premise is that a “dependability case” must be made which provides evidence that the software is dependable. Part of that dependability case are models and exhaustive analysis of the models.

14 Creating software that is highly dependable
Testing Certification process Dependable software To wrap things up, I think that Alloy can help create more dependable software. Software model and analysis (Alloy)

15 Acknowledgement Much of the information in these slides come from these sources: The book Software Abstractions by Daniel Jackson. The National Academy of Sciences book (see 2 slides back). Greg Dennis’ Ph.D dissertation.

Download ppt "Creating high confidence, highly dependable, critical software"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
IB Portfolio Tasks 20% of final grade

IB Portfolio Tasks 20% of final grade
Test process essentials Riitta Viitamäki, 14.4.2004

Test process essentials Riitta Viitamäki,
Acceptance Testing.

Acceptance Testing.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.

Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
May 11, 2009 1 ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.

May 11, ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.
COMP2001 Testing. Aims of Testing To achieve a correct system producing correct results with a variety of input data.

COMP2001 Testing. Aims of Testing To achieve a correct system producing correct results with a variety of input data.
Modified from Sommerville’s originals Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.

Modified from Sommerville’s originals Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
Writing Good Software Engineering Research Papers A Paper by Mary Shaw In Proceedings of the 25th International Conference on Software Engineering (ICSE),

Writing Good Software Engineering Research Papers A Paper by Mary Shaw In Proceedings of the 25th International Conference on Software Engineering (ICSE),
High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.

High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
1 Computer Systems & Architecture Lesson 1 1. The Architecture Business Cycle.

1 Computer Systems & Architecture Lesson 1 1. The Architecture Business Cycle.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Similar presentations

Ads by Google