Panel Session: Dependable Embedded Systems, Roadmap and Challenges From Requirements to Maintenance

The Impact of Maintenance on Process Quality & Product Quality

Francesca Saglietti
Department of Software Engineering, University Erlangen-Nuernberg, Germany
SAFECOMP 2003, 24.9.2003

Slide 2: Incorrectness in the SW Life Cycle

Incorrectness in the software life cycle is responsible for a reduction of reliability: potential failures. Each level is caused by the one below it (mistake => fault => error => failure).

  Incorrectness type                  English term   Deviation between
  incorrect behaviour                 failure        desired / observed behaviour
  incorrect state                     error          planned / actual internal state
  incorrect product                   fault          planned / implemented product
  incorrect mental process (thought)  mistake        correct / actual mental process

Slide 3: Countermeasures

Incorrect SW behaviour in operation is caused by remaining faults.

  Type of incorrectness   Fault occurrence             Countermeasure                                              Systematic approach
  mistake, fault          one-time during development  constructive / analytical techniques for process improvement  avoidance, detection
  error, failure          repeated during operation    redundant techniques for fault tolerance in operation         recovery, masking

Slide 4: Process vs. Product

Process quality is necessary, but not sufficient!

Slide 5: V-Model

  Intentions (left branch)       Tasks (right branch)
  Requirement Specification      System in Operation
  System Design                  Installed System
  SW High-Level Design           Integrated System
  SW Low-Level Design            Integrated SW Modules
                                 SW Modules

Slide 6: Polar Chart: structured vs. agile process

Barry Boehm: five axes represent the 5 factors used to distinguish between
  - lighter-weight agile methods, toward the graph's centre, and
  - heavier-weight plan-driven methods, appearing toward the periphery.

[Polar chart, axis names only: Personnel (percent level 1B vs. percent level 2 and 3); Criticality (loss due to impact of defects: comfort, discretionary funds, essential funds, single life, many lives); Size (number of personnel); Dynamism (percent requirement change per month); Culture (percent thriving on chaos vs. order). Agile methods plot near the centre, plan-driven methods near the periphery.]

Slide 7: Generic Standard IEC 61508

  Safety Integrity Level   Average probability of failure on demand   Probability of failure per hour
  4                        10^-5 <= x < 10^-4                         10^-9 <= x < 10^-8
  3                        10^-4 <= x < 10^-3                         10^-8 <= x < 10^-7
  2                        10^-3 <= x < 10^-2                         10^-7 <= x < 10^-6
  1                        10^-2 <= x < 10^-1                         10^-6 <= x < 10^-5

Slide 8: Software-based Medical Devices (US)

Minor Level of Concern: failures or latent design flaws would not be expected to result in any injury to the patient, operator, and/or bystander.

Moderate Level of Concern: the operation of the software associated with device function directly affects the patient, operator, and/or bystander so that failures or latent design flaws could result in non-serious injury to the patient, operator, and/or bystander, or it indirectly affects the patient, operator, and/or bystander (e.g., through the action of the care provider) such that incorrect or delayed information could result in non-serious injury to the patient, operator, and/or bystander.

Major Level of Concern: the operation of the software associated with device function directly affects the patient, operator, and/or bystander so that failures or latent flaws could result in death or serious injury to the patient, operator, and/or bystander, or it indirectly affects the patient, operator, and/or bystander (e.g., through the action of the care provider) such that incorrect or delayed information could result in death or serious injury to the patient, operator, and/or bystander.

Slide 9: Software in the Automobile (UK)

Human Role (driver): controllability categories

  Category             Definition                                                                                                                                                                                  SIL
  Uncontrollable       Failures whose effects are not controllable by the vehicle occupants, and which are most likely to lead to extremely severe outcomes. The outcome cannot be influenced by a human response.   4
  Difficult to control Failures whose effects are not normally controllable by the vehicle occupants but could, under favourable circumstances, be influenced by a mature human response. They are likely to lead to very severe outcomes.   3
  Debilitating         Failures whose effects are usually controllable by a sensible human response and, whilst there is a reduction in the safety margin, can usually be expected to lead to outcomes which are at worst severe.   2
  Distracting          Failures which produce operational limitations, but a normal human response will limit the outcome to no worse than minor.   1
  Nuisance only        Failures where safety is not normally considered to be affected, and where customer satisfaction is the main consideration.   0

Slide 10: Impact of Maintenance on Quality

Maintenance introduces
  - changes in the product: it is difficult to assess their impact on product reliability (regression testing);
  - changes in the process: we should try to assess their impact on process quality.

Slide 11: Impact of Maintenance on Process

  - Single versions: compare cohesion / coupling measures before and after changes.
  - Diverse versions: compare dissimilarity metrics before and after changes.

EWICS TC7 Subgroup MDS (Maintenance of Diverse Systems) is dealing with similar considerations, including the special case of (human / software) diversity.
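The before/after comparison of slides 10 and 11, as an added example that is not part of the talk: a constructed module dependency graph (all module names hypothetical) is measured for fan-in/fan-out coupling before and after a hypothetical maintenance change, and the change's transitive callers are derived as the regression test scope.

```python
from collections import defaultdict

# Constructed sample (not from the talk): module -> set of modules it calls.
BEFORE = {"ui": {"ctrl"}, "ctrl": {"sensor", "log"}, "sensor": {"hw"},
          "log": set(), "hw": set()}
# Hypothetical maintenance change: ctrl now drives hw directly and log
# calls back into ctrl, which introduces a dependency cycle.
AFTER = {"ui": {"ctrl"}, "ctrl": {"sensor", "log", "hw"}, "sensor": {"hw"},
         "log": {"ctrl"}, "hw": set()}


def coupling(graph):
    """Per-module (fan_in, fan_out): how many call it, how many it calls."""
    fan_in = defaultdict(int)
    for dsts in graph.values():
        for d in dsts:
            fan_in[d] += 1
    return {m: (fan_in[m], len(dsts)) for m, dsts in graph.items()}


def coupling_growth(before, after):
    """Modules whose fan-in or fan-out increased: candidates for review."""
    b, a = coupling(before), coupling(after)
    return {m: (b.get(m, (0, 0)), a[m]) for m in a
            if a[m][0] > b.get(m, (0, 0))[0] or a[m][1] > b.get(m, (0, 0))[1]}


def changed_modules(before, after):
    """Modules whose outgoing dependencies were added or removed."""
    return {m for m in set(before) | set(after)
            if before.get(m, set()) != after.get(m, set())}


def regression_scope(graph, changed):
    """Changed modules plus all transitive callers: the re-test set."""
    callers = defaultdict(set)
    for src, dsts in graph.items():
        for d in dsts:
            callers[d].add(src)
    scope, stack = set(changed), list(changed)
    while stack:
        for c in callers[stack.pop()]:
            if c not in scope:
                scope.add(c)
                stack.append(c)
    return scope


if __name__ == "__main__":
    ch = changed_modules(BEFORE, AFTER)
    print("changed:", sorted(ch))
    print("coupling growth:", coupling_growth(BEFORE, AFTER))
    print("regression scope:", sorted(regression_scope(AFTER, ch)))
```

Rising coupling on modules the change never edited (here hw) is exactly the kind of process-quality signal the slides suggest tracking across maintenance releases.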