• No results found

Reaping the benefits of Reusable Software Components

N/A
N/A
Protected

Academic year: 2021

Share "Reaping the benefits of Reusable Software Components"

Copied!
24
0
0

Loading.... (view fulltext now)

Full text

(1)

Safety & Security for the Connected World

Reaping the benefits of Reusable Software

Components

(2)

The conflicting demands on development

• The project triangle shows how conflicting

demands on a project have the scope to

compromise quality

• Process standards are primarily concerned with Quality and Functionality

• But Time and Cost are also critical to the viability of the development team

(3)

Software Reuse

Software Reuse is an attractive weapon to

use in balancing the demands of the project

triangle

But history shows us that what is proven in

one system, may not be quite so

appropriate in other circumstances

There are examples both outside the realms

(4)

Therac 25

• Later model replaced hardware interlocks with software, exposing

existing software flaws elsewhere

• Therac 25 involved in at least 6 accidents in which 100 times the correct

dose was applied

• Standards such as IEC 62304 designed to

ensure that quality is not compromised

• And yet cost and time

pressures don’t go away!

(5)

Ariane 5

• Software exception raised in the Inertial Reference System (SRI). • Design was almost exactly the

same as that used successfully on the Ariane 4, particularly in the case of the software.

• Standards such as DO-178 are designed to ensure that quality is not compromised

• And yet cost and time

(6)

The overheads of compliance

• DO-178 focuses on establishing quality software design and development practices.

• It describes the standard to which the definition of and tracing to requirements, design phases, software

development and testing needs to be applied. • It describe the

artifacts which need to be collated to

provide evidence of each completed

(7)

The principle of risk

Risk =

Probability of

hazardous event

occurring

x

Severity of event

(8)

Design Assurance Level

EFF

ORT

• The greater the risk, the higher the DAL, the

more compliance overhead increases

(9)

Safety Objectives: DO-178C

Design Assurance Level Objectives Objectives that must be verified with independence

A - Catastrophic 71 30

B - Hazardous 69 18

C - Major 62 5

D - Minor 26 2

(10)
(11)

How much Testing is Enough?

For example:

Structural Coverage:

Statement Coverage

Branch Coverage

MCDC (Modified Condition / Decision

Coverage)

Object Code Coverage

DO-178B/C level A: 100% coverage of

the Object Code

(12)

The conundrum

• Ariane 5 shows the dangers of assuming that software proven in one circumstance is necessarily acceptable for another.

• Therac 25 is an early example of the dangers of replacing hardware safety systems with inadequately proven software

• But showing that a

system is not flawed is both expensive and

(13)

Reusable Software Components

The FAA Advisory Circular AC 20-148 was

written in recognition of this conundrum.

“Because of economic incentives and advances in software component technology, software developers want to develop an RSC that can be integrated into many systems’ target computers and environments with other system software applications, as determined by the integrator or applicant.

In these cases, an RSC developer may partially satisfy the applicable

RTCA/DO-178B objectives, while the integrator or applicant completes

and shows the compliance for the integrated software package, systems aspects, and aircraft certification. Examples of potential RSCs include software libraries, operating systems, and communication protocols.”

(14)

Reusable Software Component

• What is an RSC?

A previously developed software component intended for reuse in follow-on systems in DO-178 projects

• What is AC 20-148?

Provides a means of compliance for RSC developers to take

full/partial certification credit for RSC usage in follow-on programs.

• Motivation

– Advances in system design & software component technology – Trend towards common/reusable components (eg, RTOS &

middleware)

(15)

Re-use Certification Without RSC

Reuse of COTS Product or In-House Solution

 Suppose it has been certified previously

 It is incorporated into your DO-178 system & submit for

certification

 The lessons learned from such as Ariane 5 mean that the

FAA looks for justification that the software component is appropriate for this application.

 Without an RSC, that requires all certification artifacts to be

regenerated, resubmitted and re-reviewed

Result: Time and Money are spent on

certifying the same components over and

over again.

(16)

RSC RTOS: Modularity is key

CPU Support Package Static Device Drivers PCI DRM Board Support Package Dynamic Device Drivers VCT LynxOS-178 Partitioning Kernel

POSIX Health Monitor Cinit User Mode Supervisor Mode S y s tem S of tw a re Hardw A pplic a tion S of tw a re TCP/IP/UDP ARP/ICMP/IGMP POSIX POSIX ARINC ARINC POSIX SNMPv3 FTP/TFTP SOCKETS SOCKETS SOCKETS SNTP Partition N, Level E Partition 0, Level A/B Partition 1, Level B Partition 2, Level D

mixed criticalities and increased integration modular architecture multiple development groups

Development Team 1 Development Team 2

(17)

RSC RTOS: What is the difference?

RSC Documentation doesn’t stop with the

provision of artifacts

It includes guidelines to ensure that every

(18)

RSC RTOS: What is the difference?

This highly specified modularity means that

the RTOS can be treated as a “black box”

FAA is satisfied that the application code

cannot then cause a problem as long as

the instructions are adhered to

Adherence to those instructions is then the

(19)

In practical terms:

The Certifying Authority will not re-examine

the RSC component artifacts

Modifications / Variations – only require a

Change Impact Analysis – not a full

re-certification

Protects against hardware and software

modifications – means greater re-use and

repeatability

(20)

For the Integrator

The RSC artifacts provide educational

value to the integrator

Written guidance and tests help the

integrator to assimilate their

applications

Yields significant savings in labour

compared to conventional DO-178

artifacts.

(21)
(22)

For some systems, it is enough to know

that a system is capable of certification

For any RSC, the FAA is satisfied that

the component will ALWAYS behave as

expected.

For alternative non-RSC components,

they require evidence of that.

Whatever your application, that provides

evidence of an additional level of quality

(23)

Standards such as DO-178 seek to apply best

practice to avoid repeating the mistakes of the past

Applying best practice requires time & money –

“the project triangle”

For aviation projects, specifying an FAA

designated RSC RTOS will reduce that effort with

no compromise on quality

Projects outside the scope of DO-178 certification

can also benefit from that thoroughness of

engineering, in terms of

 Presentation of evidence

(24)

Safety & Security for the Connected World

For further information visit

References

Related documents

Drawing on data from InnoCentive, one of the largest crowdsourcing platforms for innovation problems, this paper shows that the various types of motivation driving crowd members

If French software is required the Skills/Compétences Canada Provincial/Territorial offices must advise Skills/Compétences Canada National Secretariat a minimum of 1 month prior

Component- based software development approach is based on the idea to develop software systems by selecting appropriate off-the-shelf components and then to

• in parallel to the implementation of the Review of Tourism Statistics report, work with DCMS, the National Tourist Boards, and the English regions to improve the quality of

The shear testing rig used was DS MK1 type rig consisting of two 150 mm side cubes and a central 300 mm rectangular central block. The rig size was adequate because of the type of

“Advances,” as used in this endorsement, shall mean only those advances of principal indebtedness made after the Date of Policy as provided in the Agreement, including expenses of

We argue that buy-side risk management practices provide an alternative conception of risk management which is more grounded in operations and which avoids the problems

(1872–2016) of the floodplain vegetation of a segment of the heavily regulated upper Rhine River to different static approaches for the es- timation of its PNV a) a statistical