Kristina Lundqvist

Investigating the readability of state-based formal requirements specification languages

The readability of formal requirements specification languages is hypothesized as a limiting factor in the acceptance of formal methods by the industrial community. An empirical study was conducted to determine how various factors of state-based requirements specification language design affect readability using aerospace applications. Six factors were tested in all, including the representation of the overall state machine structure, the expression of triggering conditions, the use of macros, the use of internal broadcast events, the use of hierarchies, and transition perspective (going-to or coming-from). Subjects included computer scientists as well as aerospace engineers in an effort to determine whether background affects notational preferences. Because so little previous experimentation on this topic exists on which to build hypotheses, the study was designed as a preliminary exploration of what factors are most important with respect to readability. It can serve as a starting point for more thorough and carefully controlled experimentation in specification language readability.

A Ravenscar-Compliant Run-time Kernel for Safety-Critical Systems*

The Ravenscar tasking profile for Ada 95 has been designed to allow implementation of highly safety critical systems. Ravenscar defines a tasking system with deterministic behavior and low complexity. We provide a formal model using UPPAAL of the primitives provided by Ravenscar including exceptions. This formal model is used to verify the correctness of the Ravenscar model and can be used to verify safety properties of applications using the Ravenscar profile. As an illustration of this, we model a sample application using all features of Ravenscar and formally verify its correctness. Furthermore, an introduction to the Ravenscar model is given.

An analysis of causation in aerospace accidents

After a short description of common accident models and their limitations, a new model is used to evaluate the causal factors in a mission interruption of the SOHO (SOlar Heliospheric Observatory) spacecraft. The factors in this accident are similar to common factors found in other recent software related aerospace losses.

Using Agile Methods in Software Product Development: A Case Study

The mythos surrounding the use of agile methods emphasizes improved customer satisfaction, developer morale, and end-product quality. While the difficulty of adopting these methods is mentioned, it is often glossed over in the discussion. This paper presents an in-depth case study of agile methods adoption in a software product development firm. The choice of the firm as the unit of analysis enables the identification of organizational, social and technological challenges with respect to using agile methods. Using a mix of interviews, observation and archival data, the evolution of agile adoption within the firm is reconstructed. The data analysis highlights the importance of the four areas of requirements management, scrum implementation, organizational learning, and verification & validation activities.

Agile in India: challenges and lessons learned

Indian software organizations have long been early adopters of process improvement as a means of demonstrating organizational capabilities to their global client base. As a result, the development approaches in these organizations are often heavily plan-based, generating structures and processes that are appropriate to those approaches. Agile methods have forced a paradigm change in how we manage and execute software development. Adopting and sustaining agile methods requires organizations to not only manage the radical shift in the operational aspects of software development, but also the soft factors of organizational design such as vision, commitment, culture and training. Using three case studies of organizations that have adopted agile methods in India, we highlight the importance of senior leadership vision, mentoring, and personnel selection in creating an environment that will support successful agile adoption. Furthermore, we highlight the importance of building strong teams, managing customer expectations and driving process excellence as key for successful adoption.

Industrial Experiences of Building a Safety Case in Compliance with ISO 26262

The ISO 26262 functional safety standard provides appropriate development processes, requirements and safety integrity levels specific for the automotive domain. One crucial requirement consists of the creation of a safety case, a structured argument, which inter-relates evidence and claims, needed to show that safety-critical systems are acceptably safe. The standard is currently not mandatory to be applied to safety critical systems installed in heavy trucks, however, this is likely to be changed by 2016. This paper describes the experience gathered by applying the standard to the Fuel Level Estimation and Display System, a subsystem that together with other subsystems plays a significant role in terms of global system safety for heavy trucks manufactured by Scania. More specifically, exploratory and laborious work related to the creation of a safety case in compliance with ISO 26262 in an inexperienced industrial setting is described, and the paper ends with presenting some lessons learned together with guidelines to facilitate the adoption of ISO 26262.

Automated Verification of AADL-Specifications Using UPPAAL

The Architecture Analysis and Design Language (AADL) is used to represent architecture design decisions of safety-critical and real-time embedded systems. Due to the far-reaching effects these decisions have on the development process, an architecture design fault is likely to have a significant deteriorating impact through the complete process. Automated fault avoidance of architecture design decisions therefore has the potential to significantly reduce the cost of the development while increasing the dependability of the end product. To provide means for automated fault avoidance when developing systems specified in AADL, a formal verification technique has been developed to ensure completeness and consistency of an AADL specification as well as its conformity with the end product. The approach requires the semantics of AADL to be formalized and implemented. We use the methodology of semantic anchoring to contribute with a formal and implemented semantics of a subset of AADL through a set of transformation rules to timed automata constructs. In addition, the verification technique, including the transformation rules, is validated using a case study of a safety-critical fuel-level system developed by a major vehicle manufacturer.

'State of the Art' in Using Agile Methods for Embedded Systems Development

Agile methods hold a significant promise to reduce cycle times and provide greater value to all key stakeholders involved in the software ecosystem. While these methods appear to be well suited for embedded systems development, their use has not become a widespread practice. In analyzing the state-of-the-art, as captured in published literature, we found that there are technical issues (requirements management, and testing), as well as organizational issues (process tailoring, knowledge sharing & transfer, culture change, and support infrastructure). In this paper, we build preliminary guidance for firms around these six areas and presented as a framework that will enable understanding the expected adoption trajectory.

The TASM toolset: specification, simulation, and formal verification of real-time systems

In this paper, we describe the features of the Timed Abstract State Machine toolset. The toolset implements the features of the Timed Abstract State Machine (TASM) language, a specification language for reactive real-time systems. The TASM language enables the specification of functional and nonfunctional properties using a unified language. The toolset incorporates features to create specifications, simulate specifications, and verify formal properties of specifications. Properties that can be verified using the toolset include completeness, consistency, worst-case execution time, and best-case execution time. The toolset is being developed as part of an architecture-based framework for embedded realtime system engineering. We describe how the features of the toolset were used successfully to model and analyze case studies fromthe aerospace and automotive communities.

Modeling an electronic throttle controller using the timed abstract state machine language and toolset

In this paper, we present an integrated toolset that implements the features of the Timed Abstract State Machine (TASM) language, a novel specification language for embedded real-time systems. The toolset enables the creation of executable specifications with well-defined execution semantics, abstraction mechanisms, and composition semantics. The features of the toolset are demonstrated using an Electronic Throttle Controller (ETC) from a major automotive vendor. The TASM toolset is used to analyze the resource consumption resulting from the mode switching logic of the ETC, and to verify the completeness and consistency of the specification.