the airbus a320 - technische universität münchen · 2007-11-26 · • a320 slams into golf...
TRANSCRIPT
![Page 1: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/1.jpg)
Trusting SoftwareTrusting Software
It is a people, product, process and It is a people, product, process and project thingproject thing
Larry Bernstein Larry Bernstein lbernsteinlbernstein@@ieeeieee.org.org
![Page 2: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/2.jpg)
What is Trustworthy Software?What is Trustworthy Software?
Trustworthy software is secure, safe and reliable
![Page 3: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/3.jpg)
The Airbus A320The Airbus A320
![Page 4: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/4.jpg)
Come Fly with MeCome Fly with Me
![Page 5: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/5.jpg)
BackgroundBackground
• First civilian fly-by-wire computer system so advanced can land plane virtually unassisted
• No instrument dials – 6 CRTs
![Page 6: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/6.jpg)
Crash June 26, 1988Crash June 26, 1988
• Mulhouse-Habsheim test airfield in Alsace, France
• The airplane software interpreted the low altitude/downed gear as "We're about to land“; would not allow the pilot to control the throttle.
![Page 7: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/7.jpg)
Crash February 1990Crash February 1990
• Indian Airlines A320 during final approach• Speed drops to dangerously low level
causing rapid descent• A320 slams into golf course just short of
runway
![Page 8: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/8.jpg)
Crash January 1992Crash January 1992
• Airbus A320 plows into pine forest near Mont Sainte-OdilMinimum approach altitude reads 4700 feet on instruments
• Height at impact: about 2500 feet
![Page 9: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/9.jpg)
What’s the Problem?What’s the Problem?
• In all three crashes, the pilot claimed the plane was higher than indicated.
• Altitude read 67ft before the wheels had even left the ground!
• The fly-by-wire system could ignore pilot actions.
![Page 10: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/10.jpg)
Poor Designs in A320Poor Designs in A320
• Programmed landing maneuvers with bug in altitude calculation
• Warning system alerts only seconds before accident; no time to react
• Flight path angle and vertical speed indicator have the same display format; confuses pilots.
![Page 11: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/11.jpg)
More Blame on SoftwareMore Blame on Software
• Pilot is either extremely busy or extremely bored. During flight, they get a false sense of security.
• Error and warning messages during data entry are often indecipherable, so pilots ignore them.
![Page 12: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/12.jpg)
London Ambulance Dispatch London Ambulance Dispatch Failure 1992Failure 1992
The major objective of the London Ambulance Service Computer Aided Dispatch project was to automate many of the human-intensive processes of manual dispatch systems associated with ambulance services in the UK.
![Page 13: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/13.jpg)
CharacteristicsCharacteristics
• Designed for Trustworthiness• Defined Development Process• Bounded Execution Domains• Certified against Requirements• Certified against Problem• Reliability Tested• Stress Tested• Diabolically Tested
![Page 14: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/14.jpg)
System Performance Resulting from Robust Requirements vs. Discrete Specifications
Volume
Discrete Specifications
RobustRequirements
Ideal
Dynamic Range
![Page 15: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/15.jpg)
Universal Software Engineering Universal Software Engineering EquationEquation
For constant error rate:Reliability (t) = exp (-k λt) where k is a normalizing constant, λ = Complexity/ effectiveness x staffing
For linear increasing error rate:Reliability (t) = ?
![Page 16: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/16.jpg)
Fault density is a function of Fault density is a function of timetime
Faultsper1000lines
EKLOC
Time of testing
![Page 17: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/17.jpg)
Conditions That Cause InstabilityConditions That Cause Instability
• Poor Algorithms• Missing Deadlines• Roundoff Error Build Up• Memory Leaks• Broken Pointers• Register Misuse
![Page 18: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/18.jpg)
PeoplePeople
Software Trustworthiness depends on people:
I propose that customers insist that software products identify a Software Architect and Software Project Manager in their contracts
![Page 19: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/19.jpg)
Software Architect:Software Architect:
• Affirms that the software product solves the customer’s problem
• Affirms that the software product is suitably reliable, easy-to-use, extendible, not harmful and robust. That it is trustworthy.
• Affirms that the requirements are valid.
![Page 20: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/20.jpg)
Software Project Manager: Software Project Manager:
• Affirms that the software was successfully tested against the requirements.
• Affirms and identifies the good software engineering processes were used in the software development and integration.
• Affirms that the project is within budget, on-time and performs satisfactorily.
![Page 21: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/21.jpg)
Trustworthy Software is:Trustworthy Software is:
• Safe: Does no harm• Reliable: No crash or hang.• Secure: No Hacking Possible
![Page 22: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/22.jpg)
Who does it?Who does it?
Designed and Implemented by Professionals committed to IEEE/ACM ethical code
![Page 23: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/23.jpg)
ACM/IEEE EthicsACM/IEEE Ethics1. PUBLIC - Software engineers shall act consistently
with the public interest.
2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
![Page 24: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/24.jpg)
ACM/IEEE EthicsACM/IEEE Ethics5. MANAGEMENT - Software engineering managers and leaders shall
subscribe to and promote an ethical approach to the management of software development and maintenance.
6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
![Page 25: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/25.jpg)
Introduction to DeadlocksIntroduction to Deadlocks• Formal definition :
A set of processes is deadlocked if each process in the set is waiting for an event that only another process in the set can cause
• None of the processes can …– run– release resources– be awakened
• Number of processes and resources is unimportant
![Page 26: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/26.jpg)
Four Conditions for DeadlockFour Conditions for Deadlock1. Mutual exclusion condition
• each resource assigned to 1 process or is available2. Hold and wait condition
• process holding resources can request more3. No preemption condition
• previously granted resources cannot forcibly taken away
4. Circular wait condition• must be a circular chain of 2 or more processes• each is waiting for resource held by next member of
the chain
![Page 27: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/27.jpg)
Master of ScienceMaster of ScienceQuantitative Software Quantitative Software
EngineeringEngineering
Offered byArthur Imperatore School of
Sciences and Arts2003
![Page 28: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/28.jpg)
Master of Science in Quantitative Software Engineering
:7 Required Courses:- CS 540 -- Fundamentals of Quantitative Software Engineering– CS 533 -- Cost Estimation & Metrics– CS 564 -- Software Requirements Acquisition and Analysis– CS 565 -- Software Architecture and Component based Design– CS 567 -- Software Testing, Quality Assurance, and Maintenance– CS 568 Software Project I / CS 687 Large Software Systems– CS 569 Software Project II / CS 689 Software Reliability
3 Elective Courses: Any 3 CS Courses. Sample Choices:– CS 573 -- Fundamentals of Cyber Security– CS 668: Foundations of Cryptography– CS 693: Cryptographic Protocols– CS 694: E-business Security and Information Assurance
![Page 29: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/29.jpg)
VisionVision
• Reliable Software Products produced within budget and on-time.
• Metrics based Software Management• Quantitative Software Design• Understanding Technical Foundations• Repeatable Processes• State-of-the-Art
![Page 30: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/30.jpg)
InnovationsInnovations
• Design Simplification • Live-Thru Case Histories• Reliability Based Software Engineering • Universal Equation used for tradeoff
analysis• Model Driven Design • COTS Acquisition
![Page 31: The Airbus A320 - Technische Universität München · 2007-11-26 · • A320 slams into golf course just short of runway. Crash January 1992 • Airbus A320 plows into pine forest](https://reader030.vdocument.in/reader030/viewer/2022040913/5e88365839f5a15ab340456e/html5/thumbnails/31.jpg)
Trustworthy Systems for Today Trustworthy Systems for Today and Tomorrowand Tomorrow