Chapter 14 Testing Reusable Software Components in Safety-Critical Real-Time Systems


Page 1: Title slide

Building Reliable Component-based Systems

Chapter 14 - Testing Reusable Software Components in Safety-Critical Real-Time Systems

Page 2: Overview

Introduction
Reuse and Exhaustive Testing
Reuse and Statistical Evidence
Component Reuse, Statistical Evidence and Failure Behavior

Page 3: Introduction

How dynamic verification (testing) of real-time software relates to component reuse in safety-critical real-time systems.

Re-testing cannot be eliminated in general: Ariane 5 and Therac-25 are the standard examples of software reused in a new environment and failing there.

Contracts: pre-conditions, post-conditions, invariants.

Page 4: Reuse and Exhaustive Testing

Provide evidence, based on the component's contracts and the experience accumulated with it, that the component can be reused immediately, that only parts of it can be reused, or that it cannot be reused.

Page 5: First Use

[Figure: the "Dual band" component on first use. Input 1: 0...10 (range truncated in the source); input 2: G...P; output: 345…640. Necessary tests: input 1 over 0…1027, input 2 over G…P.]

Page 6: New Environment

[Figure: the same component in a new environment. Input 1: -17... (range truncated in the source); input 2: A...P; output: 45…723. Necessary tests: input 1 over -27…-1, input 2 over A…P.]

Page 7: Overlapping Input Domain

[Figure: the same component where the new input domain overlaps the old one. Input 1: -3...9 (range truncated in the source); input 2: B...N; output: 95…700. Necessary tests: input 1 over -3…913, input 2 over B…N.]

Page 8: Pre- and Post-conditions

[Figure: "Telephone A". Input 1: 0...1027; input 2: G...P; output: 345...640.]

A component with pre- and post-conditions:

    Pre-condition ((0 <= input1 <= 1027) && ("G" <= input2 <= "P"))   // pre-condition
    statement 1;
    . . .
    statement n;
    Post-condition (345 <= output <= 640)   // post-condition

Page 9: Updated Pre- and Post-conditions

[Figure: "Telephone B". Input 1: -17...778; input 2: A...F; output: 5...123.]

    Pre-condition ((-17 <= input1 <= 1027) && ("A" <= input2 <= "P"))   // pre-condition
    statement 1;
    . . .
    statement n;
    Post-condition (45 < output < 640)   // post-condition

A new environment would violate the pre- and post-conditions unless they are updated.
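The "Necessary tests" figures and the two contract slides can be worked through in code. The following is an added example, not code from the book or its authors: it computes, per input, which sub-ranges of a new environment fall outside every earlier environment (the ranges are the slides' own), and wraps a constructed stand-in for Telephone A in its pre- and post-conditions so that a call outside the tested domain is rejected instead of executed. The function names, the interval representation and the body of telephone_a are the example's assumptions.

```python
"""Contract-based reuse check for a component's input domain.

Added example, not from the book. Each input of a component has a closed
interval of values over which the component has already been tested; a
new environment may present values outside it. Numeric inputs are
(lo, hi) tuples, character inputs become ordinal intervals. Ranges come
from the slides; the body of telephone_a is a constructed stand-in.
"""
from typing import Callable, Dict, List, Tuple

Interval = Tuple[int, int]          # closed interval [lo, hi]
Domain = Dict[str, Interval]        # input name -> interval


def char_range(lo: str, hi: str) -> Interval:
    """Character ranges such as G...P become ordinal intervals."""
    return (ord(lo), ord(hi))


def uncovered(new: Interval, tested: List[Interval]) -> List[Interval]:
    """Parts of `new` that no interval in `tested` covers.

    Each already-tested interval is cut out of what remains, so the
    result is exactly the value ranges that still need testing."""
    remaining = [new]
    for t_lo, t_hi in tested:
        cut = []
        for lo, hi in remaining:
            if t_hi < lo or t_lo > hi:      # disjoint: keep the whole piece
                cut.append((lo, hi))
                continue
            if lo < t_lo:                    # piece left of the tested range
                cut.append((lo, t_lo - 1))
            if hi > t_hi:                    # piece right of the tested range
                cut.append((t_hi + 1, hi))
        remaining = cut
    return remaining


def necessary_tests(new_env: Domain, history: List[Domain]) -> Dict[str, List[Interval]]:
    """Per input, the sub-ranges of the new environment outside all
    previous environments (the slides' "Necessary tests" rows).
    Inputs are compared one dimension at a time, as the slides do."""
    return {name: uncovered(rng, [env[name] for env in history if name in env])
            for name, rng in new_env.items()}


class ContractViolation(Exception):
    """Raised when a call leaves the domain the component was verified for."""


def with_contract(pre: Callable[..., bool], post: Callable[[int], bool]):
    """Wrap a component so a call outside its contract fails loudly
    rather than silently executing in untested territory."""
    def decorate(fn):
        def wrapped(*args):
            if not pre(*args):
                raise ContractViolation(f"pre-condition violated for {args}")
            out = fn(*args)
            if not post(out):
                raise ContractViolation(f"post-condition violated, output {out}")
            return out
        return wrapped
    return decorate


# Contract of "Telephone A" from the slide: input1 in 0...1027,
# input2 in G...P, output in 345...640.
@with_contract(pre=lambda i1, i2: 0 <= i1 <= 1027 and "G" <= i2 <= "P",
               post=lambda out: 345 <= out <= 640)
def telephone_a(input1: int, input2: str) -> int:
    """Constructed stand-in body that stays inside the post-condition."""
    return 345 + (input1 * (ord(input2) - ord("G"))) % 296


# Environments from the slides (input 1 numeric, input 2 a letter range).
FIRST_USE: Domain = {"input1": (0, 1027), "input2": char_range("G", "P")}
NEW_ENV: Domain = {"input1": (-17, 778), "input2": char_range("A", "P")}


if __name__ == "__main__":
    print(necessary_tests(NEW_ENV, [FIRST_USE]))
    try:
        telephone_a(-1, "G")
    except ContractViolation as e:
        print("rejected:", e)
```

For the new environment the only untested sub-ranges are input 1 over -17...-1 and input 2 over A...F; an environment whose ranges lie entirely inside earlier ones yields an empty list. The contract wrapper turns an out-of-domain call, the situation behind the Ariane 5 loss, into a detected failure at the component boundary rather than undefined behaviour downstream.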

Page 10: Reliability and Confidence for an Input Domain

[Graph: reliability R(c) and confidence C(c) plotted over the input domain I(c), 0 to 1027.]

A graph representing the reliability and the confidence for an input domain.

Page 11: Lower Reliability Requirements

[Graph: R(c) and C(c) over I(c), 0 to 1027, with a lower required reliability.]

A component reused in a context with lower reliability requirements.

Page 12: Reaching Desired Reliability

[Graph: R(c) and C(c) over I(c), 0 to 1027, with the required reliability above what has been demonstrated so far.]

The component must be run for a longer time to reach the desired reliability.

Page 13: Previously Experienced Reliability

[Graph: R(c) and C(c) over I(c), 0 to 1027; outside that range there is no operational data.]

Previously experienced reliability cannot be utilized if input domains are outside the historical use of the component.

Page 14: Component Reuse, Statistical Evidence and Failure Behavior

Failure: the inability of a system or component to perform its intended function as defined by the specification. A failure is a consequence of a fault that has been executed. When a fault in a computer program is executed, an error arises. Finally, if the error propagates and becomes externally visible to an observer of the system or component, a failure occurs.

Page 15: Byzantine and Arbitrary Failures

This failure mode is characterized by a non-assumption: there is absolutely no restriction on which effects the component user may perceive.

The failure mode has therefore been called malicious or fail-uncontrolled.

This failure mode includes two-faced behavior: a component can output "X is true" to one component user and "X is false" to another component user.

Page 16: Sequential Failure Behavior

Control failures: selecting the wrong branch in an if-then-else statement.
Value failures: assigning an incorrect value to a correct (intended) variable.
Addressing failures: assigning a correct (intended) value to an incorrect variable.

Page 17: Sequential Failure Behavior (continued)

Termination failures: a loop statement failing to complete because the termination condition is never satisfied.
Input failures: receiving an (undetected) erroneous value from a sensor.

Page 18: Failure Behaviors

[Graph: R(c) and C(c) against failure behavior, with a new behavior (an addressing failure) marked.]

The confidence in the measured reliability decreases when new failure behaviors can develop.

Page 19: Timing Failure Behavior

This failure mode yields a correct result (value), but the result is delivered at the wrong time.

For example: deadline violations, start of a task too early, incorrect period time, too much jitter, too many interrupts.

Page 20: Deadline Requirements

If we reuse a component with only a deadline requirement in a new environment in which the execution time is shorter, the component can be reused without re-testing: a shorter worst-case execution time cannot turn a met deadline into a missed one. This holds for a pure deadline only; a response-time tolerance window with a lower bound, as on page 22, can be violated by running faster.

Page 21: Deadline Requirements

[Graph: R(c) and C(c) against worst-case execution time, with the new execution time marked to the left of the old one.]

The deadline requirement is still fulfilled since the new execution time is shorter.

Page 22: Response Time

[Graph: R(c) and C(c) against response time, with the tolerance bounds Tol min and Tol max marked.]

The response time for the reused component is within the tolerance.
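An added example, not code from the book, that checks a constructed execution trace of a reused periodic task against the timing-failure modes listed on page 19 and the deadline-only argument of page 20: with only a deadline in the contract, a faster new environment passes unchanged, but the same trace fails once a response-time window with a lower tolerance (page 22) is part of the contract. The task model, field names and traces are the example's assumptions; interrupt load is not modelled.

```python
"""Timing-failure checks for a reused periodic task.

Added example, not from the book. Task model (assumption): a periodic
task released every `period` time units; each job must start no earlier
than its release, finish within `deadline` of its release and, where a
response-time window applies, respond within [tol_min, tol_max]; the
spread of start offsets across jobs is bounded by `max_jitter`. The
execution traces below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TimingSpec:
    period: float                                  # expected period time
    deadline: float                                # relative deadline
    max_jitter: float                              # allowed spread of start offsets
    window: Optional[Tuple[float, float]] = None   # (tol_min, tol_max), if required


@dataclass
class Job:
    release: float
    start: float
    finish: float


def check_timing(spec: TimingSpec, jobs: List[Job]) -> List[str]:
    """Return one message per timing failure found in the trace
    (an empty list means every timing requirement is met)."""
    failures: List[str] = []
    for k, job in enumerate(jobs):
        response = job.finish - job.release
        if job.start < job.release:                       # task started too early
            failures.append(f"job {k}: started {job.release - job.start} before release")
        if response > spec.deadline:                      # deadline violation
            failures.append(f"job {k}: deadline violation, response {response}")
        if spec.window is not None:                       # response-time window
            lo, hi = spec.window
            if not lo <= response <= hi:
                failures.append(f"job {k}: response {response} outside [{lo}, {hi}]")
        if k > 0:                                         # incorrect period time
            gap = job.release - jobs[k - 1].release
            if abs(gap - spec.period) > 1e-9:
                failures.append(f"job {k}: incorrect period time {gap}")
    offsets = [j.start - j.release for j in jobs]         # start-time jitter
    if offsets and max(offsets) - min(offsets) > spec.max_jitter:
        failures.append(f"start-time jitter {max(offsets) - min(offsets)} too large")
    return failures


def deadline_only_reuse_ok(old_wcet: float, new_wcet: float, deadline: float) -> bool:
    """Page 20: with only a deadline requirement, a shorter worst-case
    execution time in the new environment cannot cause a deadline miss,
    so the timing part of the contract holds without re-testing."""
    return old_wcet <= deadline and new_wcet <= old_wcet


# Constructed traces: period 10, deadline 8, window [2, 8], jitter bound 1.
SPEC = TimingSpec(period=10.0, deadline=8.0, max_jitter=1.0, window=(2.0, 8.0))
OLD_ENV = [Job(0.0, 0.5, 5.0), Job(10.0, 10.5, 15.2), Job(20.0, 20.4, 25.0)]
FAST_ENV = [Job(0.0, 0.5, 1.5), Job(10.0, 10.5, 11.4), Job(20.0, 20.4, 21.5)]
DRIFT_ENV = [Job(0.0, 0.5, 5.0), Job(12.0, 12.5, 17.0), Job(24.0, 24.5, 29.0)]


if __name__ == "__main__":
    print("old environment:", check_timing(SPEC, OLD_ENV))
    print("faster environment, deadline only:",
          check_timing(TimingSpec(10.0, 8.0, 1.0), FAST_ENV))
    print("faster environment, with window:", check_timing(SPEC, FAST_ENV))
    print("wrong period:", check_timing(SPEC, DRIFT_ENV))
```

The faster trace never misses its deadline, so under a deadline-only contract it needs no timing re-test; under the windowed contract every job responds below Tol min and is reported, which is exactly the case page 20's argument does not cover. The drifted trace shows the period check catching a release gap of 12 instead of 10.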