SlideShare a Scribd company logo

Software best practices for human-rated spacecraft

N
NASAPMC
Technology
1 of 35
Download to read offline
Software Development Best Practices for Human-Rated Spacecraft Project Management Challenge 2008 Daytona Beach, Florida February 26 - 27, 2008 Michael Aguilar NASA Engineering and Safety Center Engineering Excellence 1
Background • In late 2005, the NASA Engineering and Safety Center (NESC) was asked by the Astronaut Office to answer the basic question: "How do you know you have a safe and reliable system?" Full report available on-line at: nesc.nasa.gov Engineering Excellence 2
Trends In Space Vehicle Software Size Engineering Excellence 3
Software Reliability There are two major approaches to increasing the reliability of software: • Software defect prevention (fault avoidance): using a disciplined development approach that minimizes the likelihood that defects will be introduced or will remain undetected in the software product • Software fault tolerance: designing and implementing the software under an assumption that a limited number of residual defects will remain despite the best efforts to eliminate them Engineering Excellence 4
Software Defect Prevention Using a disciplined development approach that minimizes the likelihood that defects will be introduced or will remain undetected in the software product. Engineering Excellence 5
Ideal Software Development Process System System Requirements Qualification Testing System System Architectural Design Integration Software Software Requirements Analysis Qualification Testing Software Software Integration Architectural Design Software Software Detailed Design Unit Testing Software Coding Engineering Excellence 6
Allocation of Causes of Major Aerospace System Failures by Phase Cause of failures Phase Reqts Def. Arch. Def. SW Design Implementation Test & Integration Overconfidence and over reliance in digital automation X X X X Not understanding the risks associated with software X X X Over relying on redundancy X X Confusing reliability and safety X X Assuming that risk decreases over time X X Ignoring early warning signs X X X X X Inadequate engineering X X X Inadequate specifications X Flawed review process X X X X X Inadequate safety engineering X X X X X Violation of basic safety engineering practices in the digital X X X X X parts of the system Software reuse without appropriate safety analysis X X X X X Unnecessary complexity and software functions X X X X Operational personnel not understanding automation X X Test and simulation environments that do not match the X X original environment Deficiencies in safety-related information collection and X X X X X use Engineering Excellence 7
Requirements Validation • Modeling and simulation: Modeling and simulation should be used to set and evaluate performance parameters requirements affecting software performance, quality of communication services in the data transport layers, requirements for responses to failures and anomalous conditions, and human/software or system interactions. • Non-advocate software and system requirements reviews: Reviews by knowledgeable third parties can uncover problems or issues that may have been overlooked by the primary requirements developers. • Use of relevant “golden rules” and “lessons learned”: Golden rules or lessons learned are excellent sources of requirements and should be reviewed as part of the requirements validation process. • Hazards and Safety analyses: Hazards analyses, such as Failure Modes and Effects Analyses and Fault Trees. Engineering Excellence 8
Requirements Verification • Early planning: Assure adequate planning for simulation test beds, communications equipment, test tools and data collection devices. • Verification methods for low observable parameters: Instrumentation methods development for throughput, response time, or reliability. • Anticipating ephemeral failure behaviors: The verification strategy should anticipate failure behaviors and plan for how this information can be captured – particular if they are ephemeral and non-reproducible. • Testing of diagnostics and failure isolation capabilities: Diagnostic and fault isolation capabilities for off-nominal behavior. • Capturing of unanticipated failures or behaviors: Ensure that test plans and procedures have provisions for recording of unanticipated behaviors. Engineering Excellence 9
Requirements Management • Gathering resources for software test and verification: Assembling modeling and simulation capabilities, domain expertise, identifying areas of uncertainty • Scheduling of software test and verification: The software test and verification program commonly includes managing critical path scheduling pressures. • Tracking and maintaining requirements throughout the development process: Newly discovered software requirements should be propagated back into the higher level software and systems requirements documentation, and changes in existing requirements should be documented and tracked. • Configuration Management of software requirements: Ensure that changes to software requirements are controlled and that when changes are made, they are propagated to all entities and stakeholders involved in the project. Engineering Excellence 10
Software Architecture Trades • Distributed vs. centralized architectures: Distributed single point transmission failures such as undetected or unregulated message delays, or loss of synchronization in replicas of common data. Centralized architectures are vulnerable to failures in the central node of a centralized system. • Extent of modularity: Uncoupled development, integration of revised components, and utilization of previously developed (or commercial off the shelf) components traded against increases the number of interfaces. • Point-to-point vs. common communications infrastructure: The reduction of interdependencies among software elements and use of common inter-process communications constructs traded against vulnerabilities in terms of lost or delayed messages, message integrity, and message validity. Engineering Excellence 11
Software Architecture Trades • COTS or reused vs. reused/modified vs. developed software: Reliability benefits are the ability to begin early test and integration of such software. • An understanding of the operational condition differences, constraints and tradeoffs are necessary. In safety critical applications, uncertainties about undocumented design decisions and tradeoffs embodied in the code may necessitate redevelopment. • Ariane 5 booster loss (inertial reference software re-use) • Magellan spacecraft (GNC software re-use from a DSCS satellite). • Verification of the suitability of the re-used software components by means of assessment of operational service history, the applicability of the allocated requirements to the published capabilities of the software, compatibility with other runtime elements, and proper version numbers. Engineering Excellence 12
Software Design • Traceability: Requirements should be traceable to the functional elements or classes defined in the design. • Exception handling and other failure behaviors: Exception handlers should consider all failure conditions defined in the requirements and in safety analyses. Where possible, exceptions should be handled as close to the locations in the code where they are generated. • Diagnostics capabilities: Special attention should be paid to response time anomalies, priority inversion, and resource contention. The diagnostic capability of the system as a whole will largely depend on the diagnostic capabilities in all of the constituent software components. Engineering Excellence 13
Software Design • Implementation language: The implementation language and runtime environment (including virtual machines) should be capable of realizing the design. • Interfaces: Interfaces among software modules should be completely defined and include not only arguments for the inputs and outputs of the function or object itself but also additional parameters for status, error handling, and recovery. Interfaces should be designed “defensively”. • Class library definition and inheritance: For object oriented architectures the definition of base and derived classes should be consistent and traceable to both the requirements and the architecture. Engineering Excellence 14
Software Design • Compatibility with hardware and resource constraints: The software allocated to each hardware element should conform to memory, processor capacity, and interface constraints • COTS and Non-developmental runtime elements: Existing software components and runtime elements should be configuration controlled, well characterized with respect to the intended use, and fully documented • Automated Coding Tools: Newer techniques based on object oriented design or model-based development have resulted in tools that can go directly from design to executable code. – Among the advantages are the ability to generate an executable design that can be evaluated prior to detailed coding. – Among the concerns is the quality of the automatically generated code, particularly with respect to off-nominal conditions or inputs. Engineering Excellence 15
Code Implementation • Use of “safe” subsets for safety or mission critical functions: Modern languages such as Ada, C, C++ and Java have safe subsets defined (or in the process of being defined) for their use in safety critical applications. – Disadvantages of such subsets is implementation in the language requires more source code which both reduces productivity (thereby adding to development cost), complicates software maintenance, and discourages reusability. • Routine or class libraries, and runtime environments: The runtime libraries and other environmental components that support the developed software should conform to the constraints of the architecture and design and should provide the necessary capabilities to support desired failure behavior – including – Reliability, performance, throughput – Failure response, detection and recovery – Diagnostics requirements Engineering Excellence 16
Code Implementation • Definition of suitable coding standards and conventions: Coding standards and conventions can enhance reliability by considering such issues as – Policies on dynamic memory allocation in safety critical systems (generally, it should not be allowed) – Policies on the use of “pointers” – “Defensive” coding practices for out of range inputs and response times – Exception handler implementation – Coding to enhance testability and readability – Documentation to support verification – Interrupt versus deterministic timing loop processing for safety critical software – Policies on allowable interprocess communications mechanisms (e.g., point to point vs. publish and subscribe) – Permitted use of dynamic binding (an alternative is static “case statements”) – Policies on initialization of variables (some standards prohibit assignment of dummy values to variables upon initialization in order to enable detection of assignment errors in subsequent execution) – Use of “friend” (C++) or “child” (Ada) declarations to enable testing and evaluation of encapsulated data code during development without requiring the subsequent removal of “scaffold code”. Engineering Excellence 17
Code Implementation • Coding tools and development environments: Coding tools and integrated development environments can be used to for many purposes including automated documentation generation, enforcement of coding standards, debugging, diagnosis of potentially troublesome coding practices, cross reference listing, execution profiles, dependency analysis, design traceability, and many other purposes. • Configuration management practices: Defect tracking and configuration management practices for software units and higher levels of integration should be defined to avoid uncertainty in the actual configuration of the software. Engineering Excellence 18
Test and Inspection of Code • Code execution: Numerous methods for verification of executable code (see next slides), however code execution testing can not cover all possible code execution states • Code inspections: Code inspections by knowledgeable individuals can find and fix mistakes overlooked in the initial programming. Another form of code inspection is the use of automated code analysis tools. Other types of reviews may occur in conjunction with code reviews including “walkthroughs” and “code audits” • Formal methods: Testing is often insufficient to provide the necessary degree of assurance of correctness for safety critical software. Formal methods use mathematical techniques to prove the specification, the verification test suite and also automatic code generators to create the software. The NASA Langley Research Center has been active advancing formal methods, and extensive information is available from their web site. • Cleanroom technique: The cleanroom technique was developed as an alternative approach to producing high quality software by preventing software defects by means of more formal notations and reviews prior to coding. The cleanroom technique has been used in several projects included the NASA/JPL Interferometer System Integrated Testbed. Engineering Excellence 19
Types of Software Tests (1 of 2) Method type and description Objective Test Applicable level type Scenario (also called thread) based testing: Assess overall conformance and dependability Black Integrated Testing using test data based on usage scenarios, in nominal usage box software and e.g., simulation of the mission system Requirements based testing: Testing to assess Determine whether the software meets specific Black All level at which the conformance of the software with requirements box requirements are requirements defined Nominal testing: Testing using input values Verify conformance with nominal Black All within the expected range and of the correct type requirements box Stress testing (a subcategory of negative testing): Measure capacity and throughput, evaluate Black Integrated Testing with simulated levels of beyond normal system behavior under heavy loads and box software and workloads or starving the software of the anomalous conditions, to determine workload system computational resources needed for the levels at which system degrades or fails workload; also called workload testing (usually run concurrently with endurance tests) Robustness testing (a subcategory of negative Challenge or “break” the system with the Black All testing): Testing with values, data rates, operator objective of testing fail safe and recovery & inputs, and workloads outside expected ranges capabilities White box Boundary value testing (a subcategory of Test error detection and exception handling Black Unit, Software negative testing): Test the software with data at behavior of software with anticipated & subsystem and immediately outside of expected value exception conditions – whether software test White ranges item exits gracefully without an abnormal box termination and for correctness Extreme value testing (a subcategory of negative Same as boundary value Black Unit, Software testing): testing for large values, small values, & subsystem and the value zero White box Engineering Excellence 20
Types of Software Tests (2 of 2) Method type and description Objective Test Applicable level type Random testing: test software using input data Assess overall stability, reliability and Black Integrated system randomly selected from the operational profile conformance with requirements box probability distribution Fault injection testing: Testing on the nominal Assess failure behavior, ensure that system Black Integrated baseline source code and randomly altered properly responds to component failures & software versions of the source (white box) or object code White (black box) box Branch testing: Test cases selected to test each Test correctness of code to the level of White Software unit branch at least once branches box Path testing: Test cases selected to test each path Test correctness of code to the level of paths White Software unit (i.e., feasible set of branches) at least once. Also box called flow graph testing Modified condition decision coverage (MCDC): Test for safety critical software where a failure White Software unit Coverage–Every point of entry and exit in the would probably or almost inevitably result in a box (assembly code program has been invoked at least once, every loss of life created by condition in a decision in the program has taken compiler under all possible outcomes at least once, every some decision in the program has taken all possible circumstances) outcomes at least once, and each condition in a decision has been shown to independently affect that decision’s outcome. Engineering Excellence 21
Testing Saturation Multiple testing methods increase detection of software faults Engineering Excellence 22
Reliability Estimation Reliability based upon detected software failures can be misleading Engineering Excellence 23
Software Fault Tolerance Designing and implementing the software under an assumption that a limited number of residual defects will remain despite the best efforts to eliminate them. Engineering Excellence 24
Replication • Replication: The executing redundant copies of software as an architecture level concept. – static redundancy: all copies of the executing program are provided with the same input and produce the same output. The output is chosen by a default selection of one of the channels or by comparing or voting on the output. The primary challenge for this form of replication is synchronization of the input or the output. – dynamic redundancy: one of the copies is assigned the active or “hot” role and other copies are in a standby role. The designation of “dynamic” is related to the fact that changing roles requires a change in the state of the software. Engineering Excellence 25
Exception Handling • Exception handling: The ability of the software to detect (exception “raised” or “thrown”) and handle (exception handled or “caught) abnormal conditions in a controlled manner which allows for continued operation or a safe shutdown and is an architectural or design-level concept. – Examples of responses include rollback and retry, substituting a default value, using a previous value, proceeding with processing without the input value, stopping processing, raising an alarm condition, sending a message to a user (or another software process) requesting an instruction on further action, or safe shutdown. Engineering Excellence 26
Multiversion Software • Multiversion software: The independent generation of functionally equivalent programs, called versions, from the same initial specification. Independent generation of programs means that the programming efforts are carried out by different individuals or groups, using different programming languages and algorithms wherever possible. If three or more versions are developed, then voting logic can be implemented. – Even if the versions are developed independently, they suffer from correlated failures – Maintenance of multiple versions must be managed for all defect corrections and upgrades Engineering Excellence 27
Recovery Blocks • Recovery blocks: Structures that consist of three elements: a primary routine, an alternate routine, and a runtime acceptance test. If a primary routine is not capable of completing the task correctly, then an alternate routine can be invoked to mitigate the effects of the failure. The acceptance test determines whether the primary routine failed. – The primary and alternative routines can run sequentially or concurrently. – Recovery blocks are resource intensive not only in development, but also in subsequent maintenance and runtime resources. Engineering Excellence 28
Computer Aided Software Engineering (CASE) GSFC James Web Space Telescope CASE experience Engineering Excellence 29
JWST Full-Scale Model Engineering Excellence 30
“Real” Software Development Process Engineering Excellence 31
JWST Software Development Toolset • Requisite Pro – Requirements Tracking – Requirements Tracing • Project Requirements • Test Cases • Personnel Assignments • Clear Quest – Change Management and Tracking – Integrated with Requisite Pro and Clear Case • Clear Case – Configuration Management • Rational Rose Real Time – FSW Generation Engineering Excellence 32
JWST Experience Unified Modeling Language (UML) • Scientists and Operators presented their requirements to JWST software developers in UML Use Case and Sequence Diagrams • Review diagrams consistent within peer reviews – Review material consisted of minimal meeting package – Design was reviewed, projected directly out of the development environment • Statechart Diagrams, Sequence Diagrams, and Timing Diagrams presented to Instrument developers to define software/hardware interface • Design document described each and every software build exactly Engineering Excellence 33
JWST Software Integration Experience • External software developers supplied with identical tool suite and hardware development environment – Rational ROSE tool suite, COTS C&DH hardware, Ground system, Database • Complete C&DH model is supplied to NASA developers • Library of C&DH model is supplied to ITAR restricted developers • Integration of the C&DH model and instrument application specific model occurs for all development teams at the model level • Training, lessons learned, support and guidance shared across all development teams due to identical environments and development tools • Review presentation material was similar in content across all external and internal reviews Engineering Excellence 34
JWST Code Generation Experience • Generated code is at interface between drivers, board- support package, OS, and state machine framework – Drivers, board-support package, OS configuration, and application specific functions are all hand coded – State machine diagrams provide structure to the reactive system – Source code for entire system is generated and available for analysis • Minor and major alterations to system statemachine can be accomplished with little effort producing a robust statemachine after modification • Minor defects and changes to functionality are accomplished with similar effort to hand coded implementation • Static code analysis was performed on JWST source code (250K LOC) uncovering 60 defects – far below industry metrics for code defect density Engineering Excellence 35

Recommended

Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineeringguest90cec6
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Denim Group
 
Galorath.dan
Galorath.danGalorath.dan
Galorath.danNASAPMC
 
Top Ten things that have been proven to effect software reliability
Top Ten things that have been proven to effect software reliabilityTop Ten things that have been proven to effect software reliability
Top Ten things that have been proven to effect software reliabilityAnn Marie Neufelder
 
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...Mahindra Satyam
 
The Top Ten things that have been proven to effect software reliability
The Top Ten things that have been proven to effect software reliabilityThe Top Ten things that have been proven to effect software reliability
The Top Ten things that have been proven to effect software reliabilityAnn Marie Neufelder
 
Overview of software reliability engineering
Overview of software reliability engineeringOverview of software reliability engineering
Overview of software reliability engineeringAnn Marie Neufelder
 
Practical Guide To Software System Testing
Practical Guide To Software System TestingPractical Guide To Software System Testing
Practical Guide To Software System Testingvladimir zaremba
 

Recommended

Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineeringguest90cec6
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Denim Group
 
Galorath.dan
Galorath.danGalorath.dan
Galorath.danNASAPMC
 
Top Ten things that have been proven to effect software reliability
Top Ten things that have been proven to effect software reliabilityTop Ten things that have been proven to effect software reliability
Top Ten things that have been proven to effect software reliabilityAnn Marie Neufelder
 
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...
Software FMEA and Software FTA – An Effective Tool for Embedded Software Qual...Mahindra Satyam
 
The Top Ten things that have been proven to effect software reliability
The Top Ten things that have been proven to effect software reliabilityThe Top Ten things that have been proven to effect software reliability
The Top Ten things that have been proven to effect software reliabilityAnn Marie Neufelder
 
Overview of software reliability engineering
Overview of software reliability engineeringOverview of software reliability engineering
Overview of software reliability engineeringAnn Marie Neufelder
 
Practical Guide To Software System Testing
Practical Guide To Software System TestingPractical Guide To Software System Testing
Practical Guide To Software System Testingvladimir zaremba
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsEliane Collins
 
Sa 007 availability
Sa 007 availabilitySa 007 availability
Sa 007 availabilityFrank Gielen
 
Software reliability
Software reliabilitySoftware reliability
Software reliabilityBaptiste Wicht
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 
Csslp
CsslpCsslp
CsslpSushil Shakya
 
Kapruch steve
Kapruch steveKapruch steve
Kapruch steveNASAPMC
 
Predict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is WrittenPredict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is WrittenAnn Marie Neufelder
 
Fraunhofer Report on Black
Fraunhofer Report on BlackFraunhofer Report on Black
Fraunhofer Report on BlackFraunhofer SIT
 
Software reliability & quality
Software reliability & qualitySoftware reliability & quality
Software reliability & qualityNur Islam
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Hughitt brian
Hughitt brianHughitt brian
Hughitt brianNASAPMC
 
Terry.cooke davies
Terry.cooke daviesTerry.cooke davies
Terry.cooke daviesNASAPMC
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineeringMark Turner CRP
 
Verifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasiVerifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasirizqiariy
 
CompTIA CASP Objectives
CompTIA CASP ObjectivesCompTIA CASP Objectives
CompTIA CASP Objectivessombat nirund
 
Software reliability
Software reliability Software reliability
Software reliability Usman Mukhtar
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture CheckerCAST
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
Essential Test Management and Planning
Essential Test Management and PlanningEssential Test Management and Planning
Essential Test Management and PlanningTechWell
 
Michael.hazen
Michael.hazenMichael.hazen
Michael.hazenNASAPMC
 
Randy.lovell
Randy.lovellRandy.lovell
Randy.lovellNASAPMC
 

More Related Content

What's hot

Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsEliane Collins
 
Sa 007 availability
Sa 007 availabilitySa 007 availability
Sa 007 availabilityFrank Gielen
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 
Kapruch steve
Kapruch steveKapruch steve
Kapruch steveNASAPMC
 
Predict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is WrittenPredict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is WrittenAnn Marie Neufelder
 
Fraunhofer Report on Black
Fraunhofer Report on BlackFraunhofer Report on Black
Fraunhofer Report on BlackFraunhofer SIT
 
Software reliability & quality
Software reliability & qualitySoftware reliability & quality
Software reliability & qualityNur Islam
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Hughitt brian
Hughitt brianHughitt brian
Hughitt brianNASAPMC
 
Terry.cooke davies
Terry.cooke daviesTerry.cooke davies
Terry.cooke daviesNASAPMC
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineeringMark Turner CRP
 
Verifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasiVerifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasirizqiariy
 
CompTIA CASP Objectives
CompTIA CASP ObjectivesCompTIA CASP Objectives
CompTIA CASP Objectivessombat nirund
 
Software reliability
Software reliability Software reliability
Software reliability Usman Mukhtar
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture CheckerCAST
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
Essential Test Management and Planning
Essential Test Management and PlanningEssential Test Management and Planning
Essential Test Management and PlanningTechWell
 

What's hot (20)

Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...
 
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall ProjectsICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
ICTSS 2010 - Iterative Software Testing Process for Scrum and Waterfall Projects
 
Sa 007 availability
Sa 007 availabilitySa 007 availability
Sa 007 availability
 
Software reliability
Software reliabilitySoftware reliability
Software reliability
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaible
 
Csslp
CsslpCsslp
Csslp
 
Kapruch steve
Kapruch steveKapruch steve
Kapruch steve
 
Predict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is WrittenPredict Software Reliability Before the Code is Written
Predict Software Reliability Before the Code is Written
 
Fraunhofer Report on Black
Fraunhofer Report on BlackFraunhofer Report on Black
Fraunhofer Report on Black
 
Software reliability & quality
Software reliability & qualitySoftware reliability & quality
Software reliability & quality
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Hughitt brian
Hughitt brianHughitt brian
Hughitt brian
 
Terry.cooke davies
Terry.cooke daviesTerry.cooke davies
Terry.cooke davies
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineering
 
Verifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasiVerifikasi dan Validasi keamanan informasi
Verifikasi dan Validasi keamanan informasi
 
CompTIA CASP Objectives
CompTIA CASP ObjectivesCompTIA CASP Objectives
CompTIA CASP Objectives
 
Software reliability
Software reliability Software reliability
Software reliability
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture Checker
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013
 
Essential Test Management and Planning
Essential Test Management and PlanningEssential Test Management and Planning
Essential Test Management and Planning
 

Viewers also liked

Michael.hazen
Michael.hazenMichael.hazen
Michael.hazenNASAPMC
 
Randy.lovell
Randy.lovellRandy.lovell
Randy.lovellNASAPMC
 
Glenn.perez
Glenn.perezGlenn.perez
Glenn.perezNASAPMC
 
Dickey.alan
Dickey.alanDickey.alan
Dickey.alanNASAPMC
 
Dickerson mark
Dickerson markDickerson mark
Dickerson markNASAPMC
 
Matt.leonard
Matt.leonardMatt.leonard
Matt.leonardNASAPMC
 
Nichols.hornback.moses
Nichols.hornback.mosesNichols.hornback.moses
Nichols.hornback.mosesNASAPMC
 
Le roy ward
Le roy wardLe roy ward
Le roy wardNASAPMC
 
Dumbacher.d.singer.c
Dumbacher.d.singer.cDumbacher.d.singer.c
Dumbacher.d.singer.cNASAPMC
 
Cathy.carr
Cathy.carrCathy.carr
Cathy.carrNASAPMC
 
Gena.henderson
Gena.hendersonGena.henderson
Gena.hendersonNASAPMC
 
Krahula john
Krahula johnKrahula john
Krahula johnNASAPMC
 
Fayssal.safie
Fayssal.safieFayssal.safie
Fayssal.safieNASAPMC
 
Luat nguyen
Luat nguyenLuat nguyen
Luat nguyenNASAPMC
 
Ray hines stegeman
Ray hines stegemanRay hines stegeman
Ray hines stegemanNASAPMC
 

Viewers also liked (20)

Michael.hazen
Michael.hazenMichael.hazen
Michael.hazen
 
Randy.lovell
Randy.lovellRandy.lovell
Randy.lovell
 
Mukai
MukaiMukai
Mukai
 
Taube
TaubeTaube
Taube
 
Glenn.perez
Glenn.perezGlenn.perez
Glenn.perez
 
Dickey.alan
Dickey.alanDickey.alan
Dickey.alan
 
Dickerson mark
Dickerson markDickerson mark
Dickerson mark
 
Matt.leonard
Matt.leonardMatt.leonard
Matt.leonard
 
Nichols.hornback.moses
Nichols.hornback.mosesNichols.hornback.moses
Nichols.hornback.moses
 
Le roy ward
Le roy wardLe roy ward
Le roy ward
 
Dumbacher.d.singer.c
Dumbacher.d.singer.cDumbacher.d.singer.c
Dumbacher.d.singer.c
 
Sparrow
SparrowSparrow
Sparrow
 
Cathy.carr
Cathy.carrCathy.carr
Cathy.carr
 
Gena.henderson
Gena.hendersonGena.henderson
Gena.henderson
 
Krahula john
Krahula johnKrahula john
Krahula john
 
Fayssal.safie
Fayssal.safieFayssal.safie
Fayssal.safie
 
Luat nguyen
Luat nguyenLuat nguyen
Luat nguyen
 
Heard
HeardHeard
Heard
 
Art c
Art cArt c
Art c
 
Ray hines stegeman
Ray hines stegemanRay hines stegeman
Ray hines stegeman
 

Similar to Software best practices for human-rated spacecraft

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
Se lect12 btech
Se lect12 btechSe lect12 btech
Se lect12 btechIIITA
 
Se lect13 btech
Se lect13 btechSe lect13 btech
Se lect13 btechIIITA
 
Careers In Computer Information Systems 2008-2009
Careers In Computer Information Systems 2008-2009Careers In Computer Information Systems 2008-2009
Careers In Computer Information Systems 2008-2009Mark Frydenberg
 
Software Quality Plan
Software Quality PlanSoftware Quality Plan
Software Quality Planguy_davis
 
Chen.tim
Chen.timChen.tim
Chen.timNASAPMC
 
Lanzamiento Visual Studio 2012 - Modern ALM
Lanzamiento Visual Studio 2012 - Modern ALMLanzamiento Visual Studio 2012 - Modern ALM
Lanzamiento Visual Studio 2012 - Modern ALMDebora Di Piano
 
Wind River For Medical
Wind River For MedicalWind River For Medical
Wind River For Medicalsheilamia
 
EdgarDB - the simple, powerful database for scientific research
EdgarDB - the simple, powerful database for scientific researchEdgarDB - the simple, powerful database for scientific research
EdgarDB - the simple, powerful database for scientific researchMark Khoury
 
Elevator pitch for testing software architecture and software design
Elevator pitch for testing software architecture and software designElevator pitch for testing software architecture and software design
Elevator pitch for testing software architecture and software designZarko Acimovic
 
Elevator pitch architecture design
Elevator pitch architecture designElevator pitch architecture design
Elevator pitch architecture designZarko Acimovic
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldDr. Anish Cheriyan (PhD)
 
Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)Netcetera
 
Sqp 090508084934 Phpapp02
Sqp 090508084934 Phpapp02Sqp 090508084934 Phpapp02
Sqp 090508084934 Phpapp02sivavis
 
Persistent Analytical Instrumentation Expertise
Persistent Analytical Instrumentation ExpertisePersistent Analytical Instrumentation Expertise
Persistent Analytical Instrumentation ExpertiseSebastien RATTIER
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldDr. Anish Cheriyan (PhD)
 

Similar to Software best practices for human-rated spacecraft (20)

Careers in CIS
Careers in CISCareers in CIS
Careers in CIS
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
ITS-Fidel
ITS-FidelITS-Fidel
ITS-Fidel
 
Software Lifecycle
Software LifecycleSoftware Lifecycle
Software Lifecycle
 
Se lect12 btech
Se lect12 btechSe lect12 btech
Se lect12 btech
 
Se lect13 btech
Se lect13 btechSe lect13 btech
Se lect13 btech
 
Careers In Computer Information Systems 2008-2009
Careers In Computer Information Systems 2008-2009Careers In Computer Information Systems 2008-2009
Careers In Computer Information Systems 2008-2009
 
Software Quality Plan
Software Quality PlanSoftware Quality Plan
Software Quality Plan
 
Chen.tim
Chen.timChen.tim
Chen.tim
 
Lanzamiento Visual Studio 2012 - Modern ALM
Lanzamiento Visual Studio 2012 - Modern ALMLanzamiento Visual Studio 2012 - Modern ALM
Lanzamiento Visual Studio 2012 - Modern ALM
 
Wind River For Medical
Wind River For MedicalWind River For Medical
Wind River For Medical
 
EdgarDB - the simple, powerful database for scientific research
EdgarDB - the simple, powerful database for scientific researchEdgarDB - the simple, powerful database for scientific research
EdgarDB - the simple, powerful database for scientific research
 
Elevator pitch for testing software architecture and software design
Elevator pitch for testing software architecture and software designElevator pitch for testing software architecture and software design
Elevator pitch for testing software architecture and software design
 
Elevator pitch architecture design
Elevator pitch architecture designElevator pitch architecture design
Elevator pitch architecture design
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)Continuous Delivery (Internet-Briefing 2012-04-03)
Continuous Delivery (Internet-Briefing 2012-04-03)
 
Sqp 090508084934 Phpapp02
Sqp 090508084934 Phpapp02Sqp 090508084934 Phpapp02
Sqp 090508084934 Phpapp02
 
Persistent Analytical Instrumentation Expertise
Persistent Analytical Instrumentation ExpertisePersistent Analytical Instrumentation Expertise
Persistent Analytical Instrumentation Expertise
 
Quality & Reliability in Software Engineering
Quality & Reliability in Software EngineeringQuality & Reliability in Software Engineering
Quality & Reliability in Software Engineering
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 

More from NASAPMC

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk boNASAPMC
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski johnNASAPMC
 
Yew manson
Yew mansonYew manson
Yew mansonNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)NASAPMC
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joeNASAPMC
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuartNASAPMC
 
Stock gahm
Stock gahmStock gahm
Stock gahmNASAPMC
 
Snow lee
Snow leeSnow lee
Snow leeNASAPMC
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandraNASAPMC
 
Seftas krage
Seftas krageSeftas krage
Seftas krageNASAPMC
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marcoNASAPMC
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mikeNASAPMC
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karleneNASAPMC
 
Rackley mike
Rackley mikeRackley mike
Rackley mikeNASAPMC
 
Paradis william
Paradis williamParadis william
Paradis williamNASAPMC
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeffNASAPMC
 
O'keefe william
O'keefe williamO'keefe william
O'keefe williamNASAPMC
 
Muller ralf
Muller ralfMuller ralf
Muller ralfNASAPMC
 

More from NASAPMC (20)

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk bo
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski john
 
Yew manson
Yew mansonYew manson
Yew manson
 
Wood frank
Wood frankWood frank
Wood frank
 
Wood frank
Wood frankWood frank
Wood frank
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joe
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuart
 
Stock gahm
Stock gahmStock gahm
Stock gahm
 
Snow lee
Snow leeSnow lee
Snow lee
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandra
 
Seftas krage
Seftas krageSeftas krage
Seftas krage
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marco
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mike
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karlene
 
Rackley mike
Rackley mikeRackley mike
Rackley mike
 
Paradis william
Paradis williamParadis william
Paradis william
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeff
 
O'keefe william
O'keefe williamO'keefe william
O'keefe william
 
Muller ralf
Muller ralfMuller ralf
Muller ralf
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Software best practices for human-rated spacecraft

  • 1. Software Development Best Practices for Human-Rated Spacecraft Project Management Challenge 2008 Daytona Beach, Florida February 26 - 27, 2008 Michael Aguilar NASA Engineering and Safety Center Engineering Excellence 1
  • 2. Background • In late 2005, the NASA Engineering and Safety Center (NESC) was asked by the Astronaut Office to answer the basic question: "How do you know you have a safe and reliable system?" Full report available on-line at: nesc.nasa.gov Engineering Excellence 2
  • 3. Trends In Space Vehicle Software Size Engineering Excellence 3
  • 4. Software Reliability There are two major approaches to increasing the reliability of software: • Software defect prevention (fault avoidance): using a disciplined development approach that minimizes the likelihood that defects will be introduced or will remain undetected in the software product • Software fault tolerance: designing and implementing the software under an assumption that a limited number of residual defects will remain despite the best efforts to eliminate them Engineering Excellence 4
  • 5. Software Defect Prevention Using a disciplined development approach that minimizes the likelihood that defects will be introduced or will remain undetected in the software product. Engineering Excellence 5
  • 6. Ideal Software Development Process System System Requirements Qualification Testing System System Architectural Design Integration Software Software Requirements Analysis Qualification Testing Software Software Integration Architectural Design Software Software Detailed Design Unit Testing Software Coding Engineering Excellence 6
  • 7. Allocation of Causes of Major Aerospace System Failures by Phase Cause of failures Phase Reqts Def. Arch. Def. SW Design Implementation Test & Integration Overconfidence and over reliance in digital automation X X X X Not understanding the risks associated with software X X X Over relying on redundancy X X Confusing reliability and safety X X Assuming that risk decreases over time X X Ignoring early warning signs X X X X X Inadequate engineering X X X Inadequate specifications X Flawed review process X X X X X Inadequate safety engineering X X X X X Violation of basic safety engineering practices in the digital X X X X X parts of the system Software reuse without appropriate safety analysis X X X X X Unnecessary complexity and software functions X X X X Operational personnel not understanding automation X X Test and simulation environments that do not match the X X original environment Deficiencies in safety-related information collection and X X X X X use Engineering Excellence 7
  • 8. Requirements Validation • Modeling and simulation: Modeling and simulation should be used to set and evaluate performance parameters requirements affecting software performance, quality of communication services in the data transport layers, requirements for responses to failures and anomalous conditions, and human/software or system interactions. • Non-advocate software and system requirements reviews: Reviews by knowledgeable third parties can uncover problems or issues that may have been overlooked by the primary requirements developers. • Use of relevant “golden rules” and “lessons learned”: Golden rules or lessons learned are excellent sources of requirements and should be reviewed as part of the requirements validation process. • Hazards and Safety analyses: Hazards analyses, such as Failure Modes and Effects Analyses and Fault Trees. Engineering Excellence 8
  • 9. Requirements Verification • Early planning: Assure adequate planning for simulation test beds, communications equipment, test tools and data collection devices. • Verification methods for low observable parameters: Instrumentation methods development for throughput, response time, or reliability. • Anticipating ephemeral failure behaviors: The verification strategy should anticipate failure behaviors and plan for how this information can be captured – particular if they are ephemeral and non-reproducible. • Testing of diagnostics and failure isolation capabilities: Diagnostic and fault isolation capabilities for off-nominal behavior. • Capturing of unanticipated failures or behaviors: Ensure that test plans and procedures have provisions for recording of unanticipated behaviors. Engineering Excellence 9
  • 10. Requirements Management • Gathering resources for software test and verification: Assembling modeling and simulation capabilities, domain expertise, identifying areas of uncertainty • Scheduling of software test and verification: The software test and verification program commonly includes managing critical path scheduling pressures. • Tracking and maintaining requirements throughout the development process: Newly discovered software requirements should be propagated back into the higher level software and systems requirements documentation, and changes in existing requirements should be documented and tracked. • Configuration Management of software requirements: Ensure that changes to software requirements are controlled and that when changes are made, they are propagated to all entities and stakeholders involved in the project. Engineering Excellence 10
  • 11. Software Architecture Trades • Distributed vs. centralized architectures: Distributed single point transmission failures such as undetected or unregulated message delays, or loss of synchronization in replicas of common data. Centralized architectures are vulnerable to failures in the central node of a centralized system. • Extent of modularity: Uncoupled development, integration of revised components, and utilization of previously developed (or commercial off the shelf) components traded against increases the number of interfaces. • Point-to-point vs. common communications infrastructure: The reduction of interdependencies among software elements and use of common inter-process communications constructs traded against vulnerabilities in terms of lost or delayed messages, message integrity, and message validity. Engineering Excellence 11
  • 12. Software Architecture Trades • COTS or reused vs. reused/modified vs. developed software: Reliability benefits are the ability to begin early test and integration of such software. • An understanding of the operational condition differences, constraints and tradeoffs are necessary. In safety critical applications, uncertainties about undocumented design decisions and tradeoffs embodied in the code may necessitate redevelopment. • Ariane 5 booster loss (inertial reference software re-use) • Magellan spacecraft (GNC software re-use from a DSCS satellite). • Verification of the suitability of the re-used software components by means of assessment of operational service history, the applicability of the allocated requirements to the published capabilities of the software, compatibility with other runtime elements, and proper version numbers. Engineering Excellence 12
  • 13. Software Design • Traceability: Requirements should be traceable to the functional elements or classes defined in the design. • Exception handling and other failure behaviors: Exception handlers should consider all failure conditions defined in the requirements and in safety analyses. Where possible, exceptions should be handled as close to the locations in the code where they are generated. • Diagnostics capabilities: Special attention should be paid to response time anomalies, priority inversion, and resource contention. The diagnostic capability of the system as a whole will largely depend on the diagnostic capabilities in all of the constituent software components. Engineering Excellence 13
  • 14. Software Design • Implementation language: The implementation language and runtime environment (including virtual machines) should be capable of realizing the design. • Interfaces: Interfaces among software modules should be completely defined and include not only arguments for the inputs and outputs of the function or object itself but also additional parameters for status, error handling, and recovery. Interfaces should be designed “defensively”. • Class library definition and inheritance: For object oriented architectures the definition of base and derived classes should be consistent and traceable to both the requirements and the architecture. Engineering Excellence 14
  • 15. Software Design • Compatibility with hardware and resource constraints: The software allocated to each hardware element should conform to memory, processor capacity, and interface constraints • COTS and Non-developmental runtime elements: Existing software components and runtime elements should be configuration controlled, well characterized with respect to the intended use, and fully documented • Automated Coding Tools: Newer techniques based on object oriented design or model-based development have resulted in tools that can go directly from design to executable code. – Among the advantages are the ability to generate an executable design that can be evaluated prior to detailed coding. – Among the concerns is the quality of the automatically generated code, particularly with respect to off-nominal conditions or inputs. Engineering Excellence 15
  • 16. Code Implementation • Use of “safe” subsets for safety or mission critical functions: Modern languages such as Ada, C, C++ and Java have safe subsets defined (or in the process of being defined) for their use in safety critical applications. – Disadvantages of such subsets is implementation in the language requires more source code which both reduces productivity (thereby adding to development cost), complicates software maintenance, and discourages reusability. • Routine or class libraries, and runtime environments: The runtime libraries and other environmental components that support the developed software should conform to the constraints of the architecture and design and should provide the necessary capabilities to support desired failure behavior – including – Reliability, performance, throughput – Failure response, detection and recovery – Diagnostics requirements Engineering Excellence 16
  • 17. Code Implementation • Definition of suitable coding standards and conventions: Coding standards and conventions can enhance reliability by considering such issues as – Policies on dynamic memory allocation in safety critical systems (generally, it should not be allowed) – Policies on the use of “pointers” – “Defensive” coding practices for out of range inputs and response times – Exception handler implementation – Coding to enhance testability and readability – Documentation to support verification – Interrupt versus deterministic timing loop processing for safety critical software – Policies on allowable interprocess communications mechanisms (e.g., point to point vs. publish and subscribe) – Permitted use of dynamic binding (an alternative is static “case statements”) – Policies on initialization of variables (some standards prohibit assignment of dummy values to variables upon initialization in order to enable detection of assignment errors in subsequent execution) – Use of “friend” (C++) or “child” (Ada) declarations to enable testing and evaluation of encapsulated data code during development without requiring the subsequent removal of “scaffold code”. Engineering Excellence 17
  • 18. Code Implementation • Coding tools and development environments: Coding tools and integrated development environments can be used to for many purposes including automated documentation generation, enforcement of coding standards, debugging, diagnosis of potentially troublesome coding practices, cross reference listing, execution profiles, dependency analysis, design traceability, and many other purposes. • Configuration management practices: Defect tracking and configuration management practices for software units and higher levels of integration should be defined to avoid uncertainty in the actual configuration of the software. Engineering Excellence 18
  • 19. Test and Inspection of Code • Code execution: Numerous methods for verification of executable code (see next slides), however code execution testing can not cover all possible code execution states • Code inspections: Code inspections by knowledgeable individuals can find and fix mistakes overlooked in the initial programming. Another form of code inspection is the use of automated code analysis tools. Other types of reviews may occur in conjunction with code reviews including “walkthroughs” and “code audits” • Formal methods: Testing is often insufficient to provide the necessary degree of assurance of correctness for safety critical software. Formal methods use mathematical techniques to prove the specification, the verification test suite and also automatic code generators to create the software. The NASA Langley Research Center has been active advancing formal methods, and extensive information is available from their web site. • Cleanroom technique: The cleanroom technique was developed as an alternative approach to producing high quality software by preventing software defects by means of more formal notations and reviews prior to coding. The cleanroom technique has been used in several projects included the NASA/JPL Interferometer System Integrated Testbed. Engineering Excellence 19
  • 20. Types of Software Tests (1 of 2) Method type and description Objective Test Applicable level type Scenario (also called thread) based testing: Assess overall conformance and dependability Black Integrated Testing using test data based on usage scenarios, in nominal usage box software and e.g., simulation of the mission system Requirements based testing: Testing to assess Determine whether the software meets specific Black All level at which the conformance of the software with requirements box requirements are requirements defined Nominal testing: Testing using input values Verify conformance with nominal Black All within the expected range and of the correct type requirements box Stress testing (a subcategory of negative testing): Measure capacity and throughput, evaluate Black Integrated Testing with simulated levels of beyond normal system behavior under heavy loads and box software and workloads or starving the software of the anomalous conditions, to determine workload system computational resources needed for the levels at which system degrades or fails workload; also called workload testing (usually run concurrently with endurance tests) Robustness testing (a subcategory of negative Challenge or “break” the system with the Black All testing): Testing with values, data rates, operator objective of testing fail safe and recovery & inputs, and workloads outside expected ranges capabilities White box Boundary value testing (a subcategory of Test error detection and exception handling Black Unit, Software negative testing): Test the software with data at behavior of software with anticipated & subsystem and immediately outside of expected value exception conditions – whether software test White ranges item exits gracefully without an abnormal box termination and for correctness Extreme value testing (a subcategory of negative Same as boundary value Black Unit, Software testing): testing for large values, small values, & subsystem and the value zero White box Engineering Excellence 20
  • 21. Types of Software Tests (2 of 2) Method type and description Objective Test Applicable level type Random testing: test software using input data Assess overall stability, reliability and Black Integrated system randomly selected from the operational profile conformance with requirements box probability distribution Fault injection testing: Testing on the nominal Assess failure behavior, ensure that system Black Integrated baseline source code and randomly altered properly responds to component failures & software versions of the source (white box) or object code White (black box) box Branch testing: Test cases selected to test each Test correctness of code to the level of White Software unit branch at least once branches box Path testing: Test cases selected to test each path Test correctness of code to the level of paths White Software unit (i.e., feasible set of branches) at least once. Also box called flow graph testing Modified condition decision coverage (MCDC): Test for safety critical software where a failure White Software unit Coverage–Every point of entry and exit in the would probably or almost inevitably result in a box (assembly code program has been invoked at least once, every loss of life created by condition in a decision in the program has taken compiler under all possible outcomes at least once, every some decision in the program has taken all possible circumstances) outcomes at least once, and each condition in a decision has been shown to independently affect that decision’s outcome. Engineering Excellence 21
  • 22. Testing Saturation Multiple testing methods increase detection of software faults Engineering Excellence 22
  • 23. Reliability Estimation Reliability based upon detected software failures can be misleading Engineering Excellence 23
  • 24. Software Fault Tolerance Designing and implementing the software under an assumption that a limited number of residual defects will remain despite the best efforts to eliminate them. Engineering Excellence 24
  • 25. Replication • Replication: The executing redundant copies of software as an architecture level concept. – static redundancy: all copies of the executing program are provided with the same input and produce the same output. The output is chosen by a default selection of one of the channels or by comparing or voting on the output. The primary challenge for this form of replication is synchronization of the input or the output. – dynamic redundancy: one of the copies is assigned the active or “hot” role and other copies are in a standby role. The designation of “dynamic” is related to the fact that changing roles requires a change in the state of the software. Engineering Excellence 25
  • 26. Exception Handling • Exception handling: The ability of the software to detect (exception “raised” or “thrown”) and handle (exception handled or “caught) abnormal conditions in a controlled manner which allows for continued operation or a safe shutdown and is an architectural or design-level concept. – Examples of responses include rollback and retry, substituting a default value, using a previous value, proceeding with processing without the input value, stopping processing, raising an alarm condition, sending a message to a user (or another software process) requesting an instruction on further action, or safe shutdown. Engineering Excellence 26
  • 27. Multiversion Software • Multiversion software: The independent generation of functionally equivalent programs, called versions, from the same initial specification. Independent generation of programs means that the programming efforts are carried out by different individuals or groups, using different programming languages and algorithms wherever possible. If three or more versions are developed, then voting logic can be implemented. – Even if the versions are developed independently, they suffer from correlated failures – Maintenance of multiple versions must be managed for all defect corrections and upgrades Engineering Excellence 27
  • 28. Recovery Blocks • Recovery blocks: Structures that consist of three elements: a primary routine, an alternate routine, and a runtime acceptance test. If a primary routine is not capable of completing the task correctly, then an alternate routine can be invoked to mitigate the effects of the failure. The acceptance test determines whether the primary routine failed. – The primary and alternative routines can run sequentially or concurrently. – Recovery blocks are resource intensive not only in development, but also in subsequent maintenance and runtime resources. Engineering Excellence 28
  • 29. Computer Aided Software Engineering (CASE) GSFC James Web Space Telescope CASE experience Engineering Excellence 29
  • 30. JWST Full-Scale Model Engineering Excellence 30
  • 31. “Real” Software Development Process Engineering Excellence 31
  • 32. JWST Software Development Toolset • Requisite Pro – Requirements Tracking – Requirements Tracing • Project Requirements • Test Cases • Personnel Assignments • Clear Quest – Change Management and Tracking – Integrated with Requisite Pro and Clear Case • Clear Case – Configuration Management • Rational Rose Real Time – FSW Generation Engineering Excellence 32
  • 33. JWST Experience Unified Modeling Language (UML) • Scientists and Operators presented their requirements to JWST software developers in UML Use Case and Sequence Diagrams • Review diagrams consistent within peer reviews – Review material consisted of minimal meeting package – Design was reviewed, projected directly out of the development environment • Statechart Diagrams, Sequence Diagrams, and Timing Diagrams presented to Instrument developers to define software/hardware interface • Design document described each and every software build exactly Engineering Excellence 33
  • 34. JWST Software Integration Experience • External software developers supplied with identical tool suite and hardware development environment – Rational ROSE tool suite, COTS C&DH hardware, Ground system, Database • Complete C&DH model is supplied to NASA developers • Library of C&DH model is supplied to ITAR restricted developers • Integration of the C&DH model and instrument application specific model occurs for all development teams at the model level • Training, lessons learned, support and guidance shared across all development teams due to identical environments and development tools • Review presentation material was similar in content across all external and internal reviews Engineering Excellence 34
  • 35. JWST Code Generation Experience • Generated code is at interface between drivers, board- support package, OS, and state machine framework – Drivers, board-support package, OS configuration, and application specific functions are all hand coded – State machine diagrams provide structure to the reactive system – Source code for entire system is generated and available for analysis • Minor and major alterations to system statemachine can be accomplished with little effort producing a robust statemachine after modification • Minor defects and changes to functionality are accomplished with similar effort to hand coded implementation • Static code analysis was performed on JWST source code (250K LOC) uncovering 60 defects – far below industry metrics for code defect density Engineering Excellence 35