Software Development in the Fields of Embedded Systems, Safety, and Security

(1)

Teaching Resilient Computing M. Heisel Introduction Principles Terminology Environment Problem Analysis Patterns Model-Based Development Notation Process Description Quality Assurance Conclusions Literature

Software Development in the Fields of

Embedded Systems, Safety, and Security

Teaching Resilient Computing, Erlangen, May 2007

Maritta Heisel

Joint work with Denis Hatebur and Holger Schmidt

University Duisburg-Essen, Faculty of Engineering, Department of Computer Science and Applied Cognitive Science

(2)

Experience in teaching resilient computing

• master course “Embedded Systems”

• master course “Development of Safe and Secure Software” at the University of Duisburg-Essen for students of

• applied computer science

• computer engineering (in a program “International Studies in Engineering”)

(3)

Embedded Systems

• concrete process for developing embedded systems

• consisting of 12 steps, including

• requirements analysis

• system architecture

• software architecture

• component specification and implementation

• systematic testing

• each step resulting in some document(s)

• expressed mostly in UML notations

• validation conditions for checking coherence between documents

• practical training: development of small embedded system, e.g., tea timer, sun-blind control, fire detection system.

(4)

Development of Safe and Secure Software

• ongoing new course

• goal: integrate safety and security concerns in software development

• take standards (IEC 61508, CC) and human factors into account

• teach safety and security techniques for the different phases of software development, try to combine and integrate them

(5)

Principles for teaching resilient computing

• establish a clear terminology

• take a system view, i.e., take the environment into account

• pay special attention to problem analysis

• use patterns

• apply model-based development techniques

• consider notations as well as processes

• stress quality assurance:

• validation conditions

• systematic testing

Note

These principles are not only important for teaching, but also for engineering practice!

(6)

Terminology [Jac01]

Machine: the thing we are going to build; may consist of software and hardware

Environment: the part of the world where the machine will be integrated

System: consists of the machine and its environment

Requirements: optative statements; describe how the environment should behave when the machine is in action

Specification: implementable requirements; describe the machine; are the basis for its construction

Domain knowledge: indicative statements; consist of facts and assumptions; needed to derive the specification

(7)

Modeling the environment: context diagrams

[Context diagram (figure): the machine "traffic lights control" connected to the domains lights, crossing, waiting area of main road, waiting area of secondary road, fire brigade and road users; the shared phenomena shown include on, off, broken, vehicle_waiting, emergency_request, see_red, see_green, see_yellow, enter, leave and on lanes.]

(8)

Problem analysis: problem diagrams

[Problem diagram (figure) for the requirement R6 "fault tolerance": machine TLC, domain lights, interfaces tlc!{on,off} and l!{broken}, requirement reference "light settings".]

R6 In case of a broken light bulb the traffic lights should blink in yellow for the secondary road, after all red lights have been switched on for a period of time.

(9)

Problem analysis: problem frames

• are patterns for simple development problems

• fitting a problem to some problem frame means instantiating the frame diagram

• example: required behaviour problem frame

[Frame diagram (figure) of the required behaviour problem frame: Control machine, Controlled domain (C) and Required behaviour, connected by the interfaces CM!C1, CD!C2 and C3.]

(10)

Patterns

• are templates for the documents set up during the software development process

• serve to represent and re-use existing knowledge

• re-use achieved by instantiation

• can be used in different development phases:

• safety patterns for expressing safety requirements

• problem frames for problem analysis

• structuring the machine with architectural styles

• fine-grained design with design patterns

• programming with idioms

(11)

Model-based development

• develop sequence of models, each describing different aspects of the system/machine

• abstraction is crucial

• models can be analyzed and checked for coherence

[Sequence diagram (figure) sd InductionLoopIAL: the messages srr() and vehicle_waiting() exchanged with InductionLoopIAL, with a wait_for_srr state.]

(12)

Notation

• natural language is hard to handle, does not fit well with model-based development approach

• use diagrammatic notations to express models, e.g.

• Jackson’s context and problem diagrams

• UML notations, e.g. sequence diagrams, composite structure diagrams, . . .

• formal notations: useful, but difficult to apply

• important: notation should not prevent expressing relevant aspects

Note

(13)

Representing processes: agendas [Hei98]

Processes presented as tables, consisting of

• numbering of steps

• description of steps

• possibly hints for expressing the result of the steps

• validation conditions to check coherence of models

No  Step  Validation Conditions

1   Fix the domain vocabulary.
    ◦ The vocabulary must contain exactly the notions occurring in the facts, assumptions, requirements, operations and events.

2   State the facts, assumptions and requirements concerning the system in natural language.

3   List the possible system operations that can be invoked by the users, together with their input and output parameters.

(14)

Quality assurance

achieved by

• checking validation conditions as specified in process descriptions

• systematic testing

systematic testing:

• develop test cases during earlier phases of the development, i.e., before the implementation

• test against requirements also, not only against the specification

• for this purpose: model environment by stochastic processes

(15)

“On the Fly” test approach using state machines

[Figure: on-the-fly test architecture. Components: Input Event Generator, Environment Model, State Machine Executor, Adapters, System Under Test and Requirements Violation; the data flow between them is annotated with steps 1 to 7.]

Legend:

• CO: Concrete Observation

• AO: Abstract Observation

• CS: Concrete Stimulus

• AS: Abstract Stimulus

• tick: Request for new Abstract Stimulus

• Violation: Test Result
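As an added example (not code from the slides or the authors), the TLC from the problem diagram of slide 8 is implemented as a state machine realising R6, and driven by the on-the-fly loop of this slide: an environment model as a stochastic process produces abstract stimuli, adapters map AS to CS and CO to AO, and the executor checks each abstract observation against R6. The event names, the length of the all-red period and the fault probability are assumptions of this example.

```python
import random

ALL_RED_PERIOD = 3  # assumed: ticks all lights stay red after a fault (R6's "period of time")
SAFE_AFTER_FAULT = {"yellow_blink", "dark"}  # abstract observations allowed once blinking starts

class TLC:
    """Machine: traffic lights control for main and secondary road, with R6 fault handling."""
    def __init__(self):
        self.state, self.red_ticks, self.blink = "normal", 0, False
        self.lights = {"main": "green", "secondary": "red"}

    def step(self, concrete_stimulus):
        """Concrete stimulus (CS) in, concrete observation (CO: the light settings) out."""
        if concrete_stimulus == "l!broken" and self.state == "normal":
            self.state, self.red_ticks = "all_red", 0
        if self.state == "all_red":  # R6: first switch all lights to red for a period
            self.lights = {"main": "red", "secondary": "red"}
            self.red_ticks += 1
            if self.red_ticks >= ALL_RED_PERIOD:
                self.state = "blink_yellow"
        elif self.state == "blink_yellow":  # R6: then blink yellow on the secondary road
            self.blink = not self.blink
            self.lights = {"main": "off", "secondary": "yellow" if self.blink else "off"}
        return dict(self.lights)

def environment_model(rng, ticks):
    """Environment as a stochastic process: abstract stimuli (AS), mostly traffic, sometimes a fault."""
    return ["broken" if rng.random() < 0.1 else "vehicle_waiting" for _ in range(ticks)]

def to_concrete(abstract_stimulus):  # adapter AS -> CS (the event names are assumptions)
    return {"broken": "l!broken", "vehicle_waiting": "loop!vehicle_waiting"}[abstract_stimulus]

def to_abstract(lights):  # adapter CO -> AO
    key = (lights["main"], lights["secondary"])
    return {("red", "red"): "all_red", ("off", "yellow"): "yellow_blink", ("off", "off"): "dark"}.get(key, "normal")

def run_on_the_fly(machine, abstract_stimuli):
    """Executor loop: stimulate, observe, abstract, check R6; return the first violation or None."""
    fault_at = None
    for i, stim in enumerate(abstract_stimuli):
        ao = to_abstract(machine.step(to_concrete(stim)))
        fault_at = i if fault_at is None and stim == "broken" else fault_at
        if fault_at is not None:
            since = i - fault_at
            if not (ao == "all_red" if since < ALL_RED_PERIOD else ao in SAFE_AFTER_FAULT):
                return f"R6 violated at tick {i}: observed {ao} {since} ticks after fault"
    return None

def random_run(seed, ticks):  # one test run: fresh TLC, seeded environment model
    return run_on_the_fly(TLC(), environment_model(random.Random(seed), ticks))
```

A machine that ignores the broken light fails the check on the very first tick after the fault, which is the kind of requirements violation the loop reports instead of a specification-level mismatch.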

(16)

Conclusions

• positive experience in Embedded-Systems course

• practical training is mandatory

• students worked in groups; all groups were able to produce a running system

• checking validation conditions turned out to be crucial

• grades were better than for other courses

(17)

Literature

[Hei98] Maritta Heisel. Agendas – a concept to guide software development activities. In R. N. Horspool, editor, Proc. Systems Implementation 2000, pages 19–32. Chapman & Hall, London, 1998.

[Jac01] Michael Jackson. Problem Frames. Analyzing and structuring software development problems. Addison-Wesley, 2001.
