An Incremental Life-cycle Assurance Strategy for Critical System Certification
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
Peter H. Feiler Nov 4, 2014
© 2014 Carnegie Mellon University Copyright 2014 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM-0001837
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 2 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 3 © 2014 Carnegie Mellon University We Rely on Software for Safe Aircraft Operation
Embedded software systems introduce a new class of problems not addressed by traditional system modeling & analysis
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 4 © 2014 Carnegie Mellon University Software Problems not just in Aircraft
How do you upgrade washing machine software?
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 5 © 2014 Carnegie Mellon University High Fault Leakage Drives Major Increase in Rework Cost Aircraft industry has reached limits of affordability 20.5% due to exponential growth in SW size and complexity. 300-1000x Requirements Engineering Acceptance 70% Requirements & 0%, 9% 80x Test system interaction errors 80% late error discovery at high System reworkrepair cost cost Design System Test 70%, 3.5% 1x 10%, 50.5% 20x Software Architectural Integration Design Major cost savings through rework avoidance Test by early discovery and correction A $10k architecture phase correction saves $3M Component Software Design 20%, 16% Total System Cost Unit Boeing 777 $12B Where faults are introduced 5x Test Boeing 787 $24B Where faults are found
The estimated nominal cost for fault removal Software as % of total system cost Sources: 1997: 45% → 2010: 66% → 2024: 88% NIST Planning report 02-3, The Economic Impacts of Inadequate Infrastructure for Software Testing, May 2002. Post-unit test software rework cost D. Galin, Software Quality Assurance: From Theory to Code 50% of total system cost and growing Implementation, Pearson/Addison-Wesley (2004) Development B.W. Boehm, Software Engineering Economics, Prentice Hall (1981)
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 6 © 2014 Carnegie Mellon University Mismatched Assumptions in System Interactions
System Engineer Physical Plant Control Engineer Hazards Characteristics Measurement Units, value range Impact of Lag, proximity Boolean/Integer abstraction system failures Air Canada, Ariane, 7500 Boolean variable architectureApplication Developer System Control Under Data Stream System Characteristics Control Latency jitter affects
User/Environment Operator Error control behavior Automation & Potential event loss human actions Compute Runtime Application System System Platform Architecture Software Hardware Distribution & Redundancy Virtualization, load balancing, Concurrency Engineer mode confusion Communication Embedded SW System EngineerITunes crashes on dual-cores
Embedded software system Why do system level failures still occur despite fault as major source of hazards tolerance techniques being deployed in systems?
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 7 © 2014 Carnegie Mellon University Model-based Engineering Pitfalls
The system
Inconsistency between independently developed analytical models System models
Confidence that model reflects implementation System implementation
This aircraft industry experience has led to the System Architecture Virtual Integration (SAVI) initiative
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 8 © 2014 Carnegie Mellon University Why UML, SysML Are Not Sufficient
• System engineering – Focus on system architecture and operational environment – SysML developed to capture interactions with outside world, as a standardized UML profile – 4 pillars/diagrams: requirements, parameterics (added in SysML), structure, behavior • Conceptual architecture – UML-based component model – Architecture views (DoDAF, IEEE 1471) – Platform Independent model (PIM) • Embedded software system engineering – OMG Modeling and Analysis of Real Time Embedded systems (MARTE) as UML profile • Borrowed Meta model concepts from AADL • Focus on modeling implementations – xUML insufficient for PSM (Kennedy-Carter, NATO ALWI study)
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 9 © 2014 Carnegie Mellon University Impact of Three Step Data Request Protocol
Data Provider Data Consumer
Request Sensor Data
Receive Sensor Data
Request Current State
Receive Current State
Request Target State
Receive Target State
Apply algorithm
Publish Updated State
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 10 © 2014 Carnegie Mellon University Operating as ARINC653 Partitioned System
Data Consumer Requirement • Process data in 1 second Partitions • Provide space and time boundary enforcement • Execute periodically on a static timeline at 1 second rate Data request protocols across partitions
Request1 Provide1 Request2 Provide2 Request3 Provide3 Process
Provider Consumer Provider Consumer Provider Consumer Provider Consumer
How much time does consumer actually have to process the data? Who pays for the communication overhead?
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 11 © 2014 Carnegie Mellon University Model-based Engineering in Practice
Modeling is used in practice • Modeling, analysis, and simulation in mechanical, control, computer hardware engineering Current practice: software modeling close to source code – Remember software through pictures – MDE and MDA with UML – Automatically generated documents We need language for architecture modeling and analysis • Strongly typed • Well-defined execution and communication timing semantics • Systematic approach to dealing with exceptional conditions • Support for large-scale development
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 12 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 13 © 2014 Carnegie Mellon University SAE Architecture Analysis & Design Language (AADL) for Software-reliant Systems SW Design & Runtime The Mechanical System Architecture Command & Control Embedded Operational Physical platform Avionics & Mission Aircraft Software The Software System Deployed on Utilizes
Physical interface Platform component Computer System Hardware & OS
The Computer System
AADL focuses on interaction between the three elements of a software-reliant mission and safety-critical systems.
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 14 © 2014 Carnegie Mellon University The SAE AADL Standard Suite (AS-5506 series) Core AADL language standard (V2.1-Sep 2012, V1-Nov 2004) • Strongly typed language with well-defined execution and communication semantics • Textual and graphical notation • Standardized XMI interchange format
Standardized AADL Extensions Error Model language for safety, reliability, security analysis ARINC653 extension for partitioned architectures Behavior Specification Language for modes and interaction behavior Data Modeling extension for interfacing with data models (UML, ASN.1, …)
AADL Annex Extensions in Progress Requirements Definition and Assurance Annex Synchronous System Specification Annex Hybrid System Specification Annex System Constraint Specification Annex Network Specification Annex
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 15 © 2014 Carnegie Mellon University AADL: The Language
Precise execution semantics for components • Thread, process, data, subprogram, system, processor, memory, bus, device, virtual processor, virtual bus Continuous control & event response processing • Data and event flow, call/return, shared access • End-to-End flow specifications Operational modes & fault tolerant configurations • Modes & mode transition Modeling of large-scale systems • Component variants, layered system modeling, packages, abstract, prototype, parameterized templates, arrays of components, connection patterns Accommodation of diverse analysis needs • Extension mechanism, standardized extensions
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 16 © 2014 Carnegie Mellon University
Architecture-Centric Quality Attribute Analysis Single Annotated Architecture Model Addresses Impact Across Operational Quality Attributes Safety Security & Reliability •Intrusion •MTBF •Integrity •FMEA Architecture Model •Confidentiality •Hazard analysis
Auto-generated Data analytical models Quality •Data precision/ Resource accuracy Real-time Consumption Performance •Bandwidth •Temporal correctness •Execution time/ •CPU time Deadline •Confidence •Power •Deadlock/starvation consumption •Latency
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 17 © 2014 Carnegie Mellon University Multi-Fidelity End-to-end Latency in Control Systems
System Engineer Control Engineer Operational Environment System Control Under System Control Common latency data from system engineering • Processing latency • Sampling latency • Physical signal latency
Impact of Scheduler Choice on Controller Stability A. Cervin, Lund U., CCACSD 2006
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 18 © 2014 Carnegie Mellon University Software-Based Latency Contributors
Execution time variation: algorithm, use of cache Processor speed Resource contention Preemption Legacy & shared variable communication Rate group optimization Protocol specific communication delay Partitioned architecture Migration of functionality Fault tolerance strategy
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 19 © 2014 Carnegie Mellon University Early Discovery and Incremental V&V through System Architecture Virtual Integration (SAVI) Aircraft: (Tier 0) Aircraft system: (Tier 1) Engine, Landing Gear, Cockpit, … Weight, Electrical, Fuel, Hydraulics,… LRU/IMA System: (Tier 2) Hardware platform, software partitions Power, MIPS, RAM capacity & budgets End-to-end flow latency System & SW Engineering: Subcontracted software subsystem: (Tier 3) Mechatronics: Actuator & Wings Tasks, periods, execution time Safety Analysis (FHA, FMEA) Software allocation, schedulability Reliability Analysis (MTTF) Generated executables
OEM & Subcontractor: Repeated Virtual Integration Analyses: Subsystem proposal validation Power/weight Functional integration consistency MIPS/RAM, Scheduling Data bus protocol mappings End-to-end latency Network bandwidth
Proof of Concept Demonstration and Transition by Aerospace industry initiative • Architecture-centric model-based software and system engineering • Architecture-centric model-based acquisition and development process • Multi notation, multi team model repository & standardized model interchange Multi-tier system & software architecture (in AADL) Incremental end-to-end validation of system properties
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 20 © 2014 Carnegie Mellon University Multi-Notation Approach to Architecture-centric Virtual System and Software Integration
Embedded Software Engineering System Engineering
AADL SysML
Application Software Physical System Operational Runtime Architecture Architecture (task & communication) (interface with embedded Environment SW/HW) (People, Use scenarios) Control Application Software Engineering Components Physical Components UML (source code) (mechanical , electrical, heat) Java, UML, Simulink Simulink, Modelica
Application Computer Platform Mechanical Software Engineering Engineering Architecture (processors & networks) SAVI Approach
Hardware Model delivery with interchange standards
Electrical Components Model repository content with intra and inter- Engineering (circuits & logic) VHDL model consistency Tool chain flexibility for contractor
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 21 © 2014 Carnegie Mellon University Architecture-centric Virtual Integration Practice (ACVIP) Iterative architecture Transformation and design, safety analysis, and code generation based requirement decomposition Model-based architecture on verified architecture specifications & multi- specifications dimensional QA analysis Stakeholder and Quality Attribute (QA) driven architecture- centric requirement specification
BUSINESS AND ARCHITECTURE SYSTEM MISSION GOALS
Testing against verified specifications Architecture-centric virtual and models integration and compositional verification of requirements Assurance plan and execution
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 22 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 23 © 2014 Carnegie Mellon University Certification & Recertification Challenges Certification: assure the quality of the delivered system • Sufficient evidence that a system implementation meets system requirements • Quality of requirements and quality of evidence determines quality of system Certification related rework cost • Currently 50% of total system cost and growing Recertification Challenge • Desired cost of recertification in proportion to change
Improve quality of requirements and evidence
Perform verification compositionally throughout the life cycle
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 24 © 2014 Carnegie Mellon University Industry Practice in DO-178B Compliant Requirements Capture Tool Industry Survey in 2009 FAA Requirements Engineering Study
Notation
Need analyzable & executable specifications
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 25 © 2014 Carnegie Mellon University Requirement Quality Challenge
There is more to requirements quality than “shall”s and stakeholder traceability Requirements % IEEE 830-1998 Recommended Practice for SW Requirements Specification error Incomplete 21%
Missing 33%
Incorrect 24%
Ambiguous 6% Browsable links/Coverage metrics Inconsistent 5%
System to SW requirements gap [Boehm 2006] How do we verify low level SW requirements against system requirements?
When StartUpComplete is TRUE in both FADECs and SlowStartupComplete is FALSE, the FADECStartupSW shall set SlowStartupInComplete to TRUE
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 26 © 2014 Carnegie Mellon University Stakeholder Needs and Requirement Categories
Leveson System Theoretic Framework
System, operational environment, development and V&V process Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 27 © 2014 Carnegie Mellon University Mixture of Requirements & Architecture Design Constraints
Requirements for a Patient Therapy System
Typical requirement documents span multiple levels of a system architecture We have made architecture design decisions. We have effectively specified a partial architecture
Adapted from M. Whalen presentation
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 28 © 2014 Carnegie Mellon University System Specification and Requirements
Coverage Developmental Quality attribute utility tree Requirements Modifiability
Assurability … Environmental Assumptions
Requirements Guarantees Mission Dependability Assumptions Requirements Requirements Function Reliability
Behavior Safety Precondition Postcondition Performance Security Invariant … …
Exceptional condition Implementation constraints Interaction contract: match input assumption with guarantee
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 29 © 2014 Carnegie Mellon University Architecture-led Requirement & Hazard Specification
Error Propagation Ontology
Behavior Output Control System Input State
Leveson pattern
Behavior Actuator System Under Control Sensor State
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 30 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 31 © 2014 Carnegie Mellon University AADL Error Model Scope and Purpose
System safety process uses many individual methods and analyses, e.g. • hazard analysis System Capture hazards • failure modes and effects analysis Subsystem • fault trees Capture risk mitigation architecture • Markov processes Component Capture FMEA model
Goal: a general facility for modeling fault/error/failure behaviors that can be used for several modeling and analysis activities. Annotated architecture model permits checking for consistency and completeness between these various declarations.
Related analyses are also useful for other purposes, e.g. • maintainability SAE ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment • availability Demonstrated in SAVI Wheel Braking System Example • Integrity
• Security Error Model Annex can be adapted to other ADLs
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 32 © 2014 Carnegie Mellon University Legend Propagation of Error Types Error Propagation Contracts P1 Port Direction Propagated HW Binding Processor Error Type Not propagated NoData Incoming BadValue Error Flow through component Component C P1 Path P1.NoData->P2.NoData ValueError NoData Source P2.BadData P3 Outgoing Path processor.NoResource -> P2.NoData NoData LateData
P2 BadValue Processor Memory Bus NoResource Binding “Not“ on propagated indicates that this error type is intended to be contained. This allows us to determine whether propagation specification is complete.
Incoming/Assumed Outgoing/Contract Bound resources • Error Propagation • Error Propagation • Error Propagation Propagated errors • Error Containment • Error Containment • Error Containment: • Errors not propagated Propagation to resource
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 33 © 2014 Carnegie Mellon University Original Preliminary System Safety Analysis (PSSA)
Anticipated: Anticipated: EGI No EGI data Flight Mgnt System NoService Actuator Cmd Oper’l NoData NoData Auto Pilot Airspeed Operational NoService Failed Data Failed Stall
FMS Processor Anticipated: No Stall Propagation Operational Failed
FMS Power
System engineering activity with focus on failing components.
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 34 © 2014 Carnegie Mellon University Discovery of Unexpected PSSA Hazard through Repeated Virtual Integration
Anticipated: Anticipated: EGI No EGI data Flight Mgnt System NoService EGI Logic Actuator Cmd Oper’l NoData Auto Pilot Airspeed Operational NoService Failed Data CorruptedData Failed Stall Corrupted FMS EGI HW Unexpected propagation of Processor Anticipated: No Oper’l corrupted Airspeed data results Stall Propagation in Stall due to miss-correction Operational Failed Failed Vibration causes boards to touch which causes EGI FMS Power data corruption EGI maintainer adds corrupted data hazard to model. Error Model analysis of integrated model detects unhandled propagation.
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 35 © 2014 Carnegie Mellon University Recent Automated FMEA Experience Failure Modes and Effects Analyses are rigorous and comprehensive reliability and safety design evaluations • Required by industry standards and Government policies • When performed manually are usually done once due to cost and schedule • If automated allows for – multiple iterations from conceptual to detailed design – Tradeoff studies and evaluation of alternatives – Early identification of potential problems
Largest analysis of satellite to date consists of 26,000 failure modes • Includes detailed model of satellite bus • 20 states perform failure mode • Longest failure mode sequences have 25 transitions (i.e., 25 effects)
Myron Hecht, Aerospace Corp. Safety Analysis for JPL, member of DO-178C committee 36 Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 36 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 37 © 2014 Carnegie Mellon University Reliability & Qualification Improvement Strategy
2010 SEI Study for AMRDEC Aviation Engineering Directorate
Architecture-led Architecture-centric Static Analysis & Incremental Assurance Requirement Virtual System Compositional Plans & Cases Specification Integration Verification throughout Life Cycle
Model Mission Operational Repository Requirements & failure Function Architecture modes Behavior Model Performance Resource, Component Timing & Models Survivability Performance Analysis Requirements System Reliability Implementation Reliability, Safety Safety, Security System Security configuration Analysis
Four pillars for Improving Quality of Critical Software-reliant Systems
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 38 © 2014 Carnegie Mellon University Verification Actions
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 39 © 2014 Carnegie Mellon University Integrated Approach to Requirement V&V through Assurance Automation
Generated assurance cases
Requirement coverage Assumption evidence
Safety hazards are part of the picture
Evidence records in terms of claims that requirements have been met Linkage to automated test harnesses
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 40 © 2014 Carnegie Mellon University Contract-based Compositional Verification Secure Mathematically-Assured Composition of Control Models
Key Problem TA4 – Research Integration and Formal Methods Workbench Many vulnerabilities occur at component interfaces. Rockwell Collins and How can we use formal methods to detect these University of Minnesota vulnerabilities and build provably secure systems?
ARCHITECTURE-CENTRIC PROOF 16 months into the project Draper Labs could not hack into the system in 6 weeks Had access to source code
Accomplishments • Created AADL model of vehicle hardware & software architecture • Identified system-level requirements to be verified Technical Approach based on input from Red Team evaluations • Develop a complete, formal architecture model for UAVs that • Developed Resolute analysis tool for capturing and provides robustness against cyber attack evaluating assurance case arguments linked to • Develop compositional verification tools driven from the AADL model architecture model for combining formal evidence from multiple • Developed example assurance cases for two sources, components, and subsystems security requirements • Develop synthesis tools to generate flight software for UAVs • Developed synthesis tool for auto-generation of directly from the architecture model, verified components, and configuration data and glue code for OS and platform verified operation system hardware
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 41 © 2014 Carnegie Mellon University Building the Assurance Case throughout the Life Cycle
Continuous Confidence Measure throughout Life Incremental Evolution and Cycle that a System Meets its Requirements Execution of Assurance Plans
Architecture-centric Virtual Integration Incremental Architecture & Requirement Evolution Requirements Architecture Led Acceptance Verification Requirements Deployment Test Requirement Requirements SpecificationEngineering Build Flight Test RS Coverage Early Discovery through Architecture Analysis System&SW leads to Assurance Related Rework Reduction Design & Req Architecture Compositional System & SW System Verification System Integration Refinement Verification Architectural Target Test Design Build Lab Testing Virtual Architecture RS VA RS VA RS VA Integration & Analysis Design Integration Verification Component Integration Test Software Build Compositional Design Code Coverage Design & Req Testing Refinement Verification Unit Design ValidationCode by Code Test RS VA RS VA RS VA VirtualVerification Integration Development Auto-generation from verified models AADL&SCADE/Simulink Incremental Contract-based Compositional Verification Need for Multi-valued Ada SPARK/Ravenscar Argumentation Logic MISRA C
Confidence = Requirement Quality + Evidence Quality Build the System
Auto-generated Assurance Cases Build the Assurance Case FY15/16 line funded project
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 42 © 2014 Carnegie Mellon University Outline
Challenges in Safety-critical Software-intensive Systems An Architecture-centric Virtual Integration Strategy with SAE AADL Improving the Quality of Requirements Architecture Fault Modeling and Safety Incremental Life-cycle Assurance of Systems Summary and Conclusion
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 43 © 2014 Carnegie Mellon University Architecture-centric Virtual System Integration & Incremental Life-cycle Assurance
Reduce risks • Analyze system early and throughout life cycle • Understand system wide impact • Validate assumptions across system Increase confidence • Validate models to complement integration testing • Validate model assumptions in operational system • Evolve system models in increasing fidelity Reduce cost • Fewer system integration problems • Incremental evidence through compositional verification • Fewer verification steps through generation from single source and verified models
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 44 © 2014 Carnegie Mellon University References AADL Website www.aadl.info and AADL Wiki www.aadl.info/wiki Blog entries and podcasts on AADL at www.sei.cmu.edu AADL Book in SEI Series of Addison-Wesley http://www.informit.com/store/product.aspx?isbn=0321888944 On AADL and Model-based Engineering http://www.sei.cmu.edu/library/assets/ResearchandTechnology_AADLandMBE.p df On an architecture-centric virtual integration practice and SAVI http://www.sei.cmu.edu/architecture/research/model-based- engineering/virtual_system_integration.cfm On an a four pillar improvement strategy for software system verification and qualification http://blog.sei.cmu.edu/post.cfm/improving-safety-critical-systems-with-a- reliability-validation-improvement-framework Webinars on system verification https://www.csiac.org/event/architecture-centric- virtual-integration-strategy-safety-critical-system-verification and on architecture trade studies with AADL https://www.webcaster4.com/Webcast/Page/139/5357
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 45 © 2014 Carnegie Mellon University Contact Information
Peter H. Feiler U.S. Mail Principal Researcher Software Engineering Institute RTSS Customer Relations Telephone: +1 412-268-7790 4500 Fifth Avenue Email: [email protected] Pittsburgh, PA 15213-2612 USA
Web Customer Relations Wiki.sei.cmu.edu/aadl Email: [email protected] www.aadl.info SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257
Incremental Life-Cycle Assurance Feiler, Nov 4, 2014 46 © 2014 Carnegie Mellon University