
  • Number of slides: 9

HCMDSS Panel
Software and Systems Engineering
John Anton, Kestrel Institute
November 16-17, 2004

State of commercial art

• How it goes today (roughly):
  • requirements --> spec (maybe UML) --> (partially automated) code production --> testing (unit, integration, model checking) [spiral]
    • UML-based tools; Labview, MathWorks (Matlab, Stateflow, Simulink), Modelica
  • Use 'best practices' (e.g., CMM-N)
    • Documentation support (e.g., through UML tools, 3GL IDEs, etc.)
  • Quality assurance
    • In-house QA, COTS tools, outsourced services
• Problems
  • air gaps
  • referential integrity
  • tool semantics, tool integration
  • code visibility/accessibility (e.g., Labview, MathWorks)
  • code portability (e.g., MathWorks)
  • property assessment on code
  • MC/DC testing impracticality
  • high assurance can be at odds with code clarity
  • non-uniformity of product design policies and their application

Some current research for high assurance code

• Best practice
  • SEI (CMM-N)
  • Praxis (best practice on steroids)
  • Others
• Model checking
  • CMU (strong leadership)
  • NASA (with work from U Kansas)
  • U Cincinnati (BDDs)
  • Rockwell-Collins (with work from UT/Austin)
  • Others
• Code QA suppliers
  • tool vendors
  • service providers
• Correct-by-construction technologies
  • Kestrel, NASA, Z, B, …
• "N-GL" environments
  • Programmatica (OGI/Galois)
  • Eclipse (IBM, public domain)
  • Specware (Kestrel Institute, Kestrel Technology)
• "Safe" code
  • Simple (MISRA) C (JPL with Kernighan & Ritchie support)
  • Safety critical Java (The Open Group thrust with Bush, Bollella, Locke support)
• Reusable (certified) modules
  • Middleware (VU, Wash U, …)
  • Others
• Automated certification support
  • AutoSmart (JavaCard, FIPS 140-2, Kestrel)
• Aspect weaving
  • Code level (AspectJ, UBC, IBM)
  • Spec level (HandlErr, etc., Kestrel)
  • Others …

Problems to address for HCMDSS

• Language
  • Inconsistency, lack of precision
  • Multiple disciplines for regulatory evaluators to contend with
  • Software spectrum, domain details
• Blank screen
  • For developers, testers, evaluators
• Application code reuse has not met initial promise
  • Optimization, platforms, change impact, mismatched models, properties of composition

Considerations

• Formal Jargon
• Libraries of specifications

Toward efficient (re)certification: Formal Jargon

• What is it?
  • In each domain, a description in logic of basic terms, definitions, axioms, desirable properties, functionality, behavior, constraints
  • Organized in a semantically rich taxonomy (systematic evolution)
  • Developed, published and maintained as a standard
• Why consider it?
  • Communication (developers, plug & play, FDA, …)
  • Improve economics in the certification process
  • Basis for (abstract) specification libraries
• How to get there?
  • Consider development of a new "product line" of standards (NIST, The Open Group, OMG)
  • Domain participants collaborate with regulatory bodies (FAA, FDA, …)
  • Start with a single domain to serve as style-guide for others

Toward efficient (re)certification: Specification and proof libraries

• Use formal (standardized) language (Formal Jargon)
• Libraries of specifications
  • Standardized, domain-specific language
  • Proven properties
  • Support 'plug & play'
  • Address
    • functionality & behavior
    • interfaces (static and dynamic aspects)
    • "policies" (e.g., error handling)
  • Include reference implementations and compliance tests
• Proof libraries
• Mechanisms for field-time certification maintenance
  • Run-time monitoring archive review
  • Pharmaceutical experience -- but don't wait for bad news
  • FAA framework for airplane maintenance
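The slide above pairs a library specification with a reference implementation, a compliance test, and run-time monitoring whose archive is reviewed after deployment. The sketch below is an added example illustrating that pairing; it is not code from the Kestrel slides or from any Kestrel product. The domain (a hypothetical infusion-rate limiter with a constructed bound of 100 ml/h), the vendor implementation, the test vectors, and all names are assumptions made for illustration.

```python
"""Spec library + reference implementation + compliance test + run-time monitor.

Added example, not part of the HCMDSS slides. The domain, bound, and all
names (RateSpec, reference_limit, vendor_limit_buggy, ...) are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple


# "Formal jargon" for the domain: terms, constraints and the error-handling
# "policy" are written once, as predicates, and shared by every consumer.
@dataclass(frozen=True)
class RateSpec:
    max_rate: float  # ml/h, constructed domain constant (hypothetical pump)

    def precondition(self, requested: float) -> bool:
        # Callers may request any non-negative rate (NaN compares False).
        return requested >= 0.0

    def postcondition(self, requested: float, delivered: float) -> bool:
        # Property 1: the delivered rate never exceeds the safety bound.
        # Property 2: the delivered rate is never negative.
        # Policy: an in-range request is honoured exactly (clamp, never alter
        # a valid request silently).
        if not (0.0 <= delivered <= self.max_rate):
            return False
        if requested <= self.max_rate and delivered != requested:
            return False
        return True


# Reference implementation shipped with the spec.
def reference_limit(spec: RateSpec, requested: float) -> float:
    return min(max(requested, 0.0), spec.max_rate)


# A hypothetical vendor implementation that is not compliant: it tolerates
# one unit above the bound (constructed defect for the demonstration).
def vendor_limit_buggy(spec: RateSpec, requested: float) -> float:
    return min(requested, spec.max_rate + 1.0)


Impl = Callable[[RateSpec, float], float]


# Compliance test: run a candidate over the library's test vectors and report
# every (request, result) pair that violates the spec's postcondition.
def compliance_failures(spec: RateSpec, impl: Impl,
                        cases: Iterable[float]) -> List[Tuple[float, float]]:
    failures = []
    for requested in cases:
        if not spec.precondition(requested):
            continue  # outside the specified domain: no conformance obligation
        delivered = impl(spec, requested)
        if not spec.postcondition(requested, delivered):
            failures.append((requested, delivered))
    return failures


# Field-time mechanism: the same predicates checked at run time, with every
# violation written to an archive that can be reviewed later.
@dataclass
class MonitorArchive:
    events: List[str] = field(default_factory=list)


def monitored(spec: RateSpec, impl: Impl, archive: MonitorArchive):
    def wrapped(requested: float) -> float:
        if not spec.precondition(requested):
            archive.events.append(f"PRE-VIOLATION requested={requested!r}")
            raise ValueError("request outside the specified domain")
        delivered = impl(spec, requested)
        if not spec.postcondition(requested, delivered):
            archive.events.append(
                f"POST-VIOLATION requested={requested!r} delivered={delivered!r}")
            # Fail safe: fall back to the reference behaviour instead of
            # delivering an out-of-spec result.
            return reference_limit(spec, requested)
        return delivered
    return wrapped


CASES = [0.0, 5.0, 100.0, 100.5, 250.0]  # constructed compliance test vectors

if __name__ == "__main__":
    spec = RateSpec(max_rate=100.0)
    print("reference failures:", compliance_failures(spec, reference_limit, CASES))
    print("vendor failures:   ", compliance_failures(spec, vendor_limit_buggy, CASES))
    archive = MonitorArchive()
    guarded = monitored(spec, vendor_limit_buggy, archive)
    print("guarded(250.0) ->", guarded(250.0))
    print("archive:", archive.events)
```

The same `RateSpec` predicates drive both the pre-deployment compliance test and the deployed monitor, which is the point of keeping the specification in a shared library: a vendor module that passes the test vectors is checked against the identical properties in the field, and the archive gives the reviewer concrete violation records rather than a bad-news report.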

Summary

• Promising directions
  • Formality
  • Abstraction
• Challenges
  • Composition
  • "Policy" (design-level mandates)
  • Runtime uncertainties
  • COTS components and certification
  • Tech transfer

Bio

John Anton is the founder of Reasoning Systems, and Kestrel Technology LLC, where he is now President/CEO. He is also President/CEO/Co-founder of the non-profit Lexia Institute, whose mission is to develop and deliver technology to help dyslexic people and their teachers. In addition, he is a Manager at the Kestrel Institute. Anton has expertise in the areas of control theory, signal processing, software technologies, and their application. As VP for Advanced R&D at Systems Control, Inc., he led a team that built the Reconfigurable Inflight Control System (RIFCS) for McDonnell Aircraft, built using technology from CTRL C (the predecessor to today's Matlab), which was also built under his leadership. Anton was an Adjunct Professor at Santa Clara University where, for 10 years, he taught courses in linear systems theory, optimal and stochastic control, and decision theory. He received a Ph.D. in Applied Mathematics from Brown, a B.S. from Notre Dame, and was a Fulbright Fellow at the Technische Hochschule, Germany.