CpSc 873

Verification and Validation

 

Name ____________________________________

 

There are 5 questions. Answer any 4 of them. Answer all parts of the questions you select. Place a large X on the page containing the question you are not answering. Do NOT answer all 5. If you do I will only count the 4 worst answers.

 

This is an individual effort. You may use the class handouts, sources pointed to in the slides, and your notes. Nothing else and no one else. No laptops, no sharing notes or handouts. You have 75 minutes, from 12:30 pm until 1:45 pm.

  1.
    a. The “assume” and “guarantee” keywords in AGREE are used to define a contract. Why in a safety critical system must we still design a module interface defensively even if a contract is defined?
    b. How does model checking go beyond testing?
    c. In what specific ways is a software inspection similar to software testing?
    d. All the notations for requirements we used allowed a hierarchy of requirements. What is different from one level in the hierarchy to the next? What is the benefit of doing this hierarchy?

 

a. Because there are tools that check the design for the guarantee but no tools for the code; a nefarious programmer may violate the contract

b. Model checking checks every path, not just selected paths

c. The scenarios used in an inspection are translated into test cases during testing; coverage metrics talk about parts of the system inspected/tested

d. The level of detail goes down as you move up a hierarchy and increases as you move down. It guides stakeholders from an abstract understanding of the system to a more concrete understanding as you go down.
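As an added example that is not part of the exam or the course material (a hypothetical CACC-style gap controller with constructed thresholds), the module below states an assume/guarantee contract in AGREE style and still re-checks the assumption at its interface, so a caller that violates the contract is rejected instead of silently producing a command:

```python
# Added example (not from the course or its handouts): a hypothetical
# CACC-style gap controller whose AGREE-like contract is written in the
# docstring and, because design-level tools never check the code,
# re-checked defensively at the implementation boundary.
from dataclasses import dataclass


class ContractViolation(ValueError):
    """Raised when a caller breaks the module's 'assume' clause."""


@dataclass(frozen=True)
class GapContract:
    """ASSUME: both gaps are real numbers in [0, max_gap_m] metres.
    GUARANTEE: the command returned is one of hold / brake / accelerate."""
    max_gap_m: float = 500.0  # constructed sensor-range bound

    def assume(self, measured_gap_m: float, commanded_gap_m: float) -> None:
        for name, v in (("measured", measured_gap_m), ("commanded", commanded_gap_m)):
            # bool is an int subclass; v != v catches NaN
            if isinstance(v, bool) or not isinstance(v, (int, float)) or v != v:
                raise ContractViolation(f"{name} gap is not a number: {v!r}")
            if not 0.0 <= v <= self.max_gap_m:
                raise ContractViolation(f"{name} gap {v} outside [0, {self.max_gap_m}]")

    @staticmethod
    def guarantee(command: str) -> str:
        if command not in ("hold", "brake", "accelerate"):
            raise AssertionError(f"guarantee broken: {command!r}")
        return command


def gap_command(measured_gap_m: float, commanded_gap_m: float,
                contract: GapContract = GapContract()) -> str:
    """Defensive interface: enforce the assumption before acting on it."""
    contract.assume(measured_gap_m, commanded_gap_m)
    if measured_gap_m <= commanded_gap_m:          # '<=' so an equal gap also brakes
        return contract.guarantee("brake")
    if measured_gap_m > 1.5 * commanded_gap_m:      # constructed hysteresis band
        return contract.guarantee("accelerate")
    return contract.guarantee("hold")


def violates_contract(measured_gap_m, commanded_gap_m) -> bool:
    """True when a buggy or malicious caller is rejected rather than obeyed."""
    try:
        gap_command(measured_gap_m, commanded_gap_m)
    except ContractViolation:
        return True
    return False
```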


 

  2.
    a. AADL provides a rigorous semantics for modeling. Explain what the complete definition of a port provides that can be used in verifying the correctness of an AADL model.
    b. AADL and supporting annexes and languages enhance traceability. Give two specific ways (syntactic elements) that facilitate traceability (don’t worry about exact spelling of the syntax).
    c. Team A produces software with an average defect density of 3.5 defects/KLOC while team B produces with an average of 4.7 defects/KLOC. Give at least two reasons why team B might be better than team A.

 

a. A category for the information flowing through (data, event or both), a direction for the flow, and an exact type name

b. The “see goal” and requirements list in reqspec requirements; the extends relationship between requirements

c. The complexity of team B’s component might be greater; the component might be less cohesive


 

  3.
    a. Using the CACC give a specific example of fault, error, and failure.
    b. The feedback control loop architecture pattern is for embedded control systems. Give a fault model for the pattern with at least 5 faults.
    c. What techniques do we have for identifying hazards? What techniques do we have for documenting them?
    d. How is “coverage” determined when evaluating an architecture?

 

a. Fault – the design might specify that the gap between cars be checked for being less than but not for being equal to the commanded gap; Error – car generates “too close” alert late; Failure – the driver has to brake harder than usual

b. 1. Sensor mis-calibrated; 2. Sensor activates at wrong time; 3. Actuator mis-calibrated; 4. Control model does not match controlled process; 5. Controlled model does not behave as assumed

c. Recognizing exceptional conditions; hazard record in Error Model

d. Which elements of the architecture are traced through for the set of analyzed scenarios

 

 

  4.
    a. The ATAM identifies more scenarios than can be reasonably handled in a session. Explain the process for determining which scenarios to evaluate.
    b. Give two faults that might be present in the CACC model. Explain how they would be in different categories in an orthogonal defect classification.
    c. How does the assurance case make use of the V&V process?
    d. How is a product requirement different from a stakeholder goal?

 

a. Use a priority voting scheme in which the number of votes is assigned based on a criterion such as rank or position

b. Fault in a behavior state machine and fault in synchronization among threads sharing data – thread synchronization depends on the design of timing while the behavior in the state machine is about sequence rather than timing

c. The assurance case uses the verification results as evidence concerning claims in the assurance case

d. The product requirement is more narrowly focused


 

  5.
    a. What verification actions are no longer necessary if we create an interface contract and we trust the maturity of the other developers?
    b. Select two modules in the CACC. Assign them levels of integrity. Explain why you gave the value you gave.
    c. Give one property that is traded off against testability during the design phase. What can be done to the design to enhance testability?
    d. What does the error modeling in the architecture give to the tester?

 

a. Checking pre-conditions

b. Sensor – 4; GPS – 2. The driver relies on information from both, but if a sensor misses an obstacle the result could be a crash, while the GPS failure may simply get the driver lost

c. Flexibility – giving greater access to the test code will allow additional tests to examine unexplored areas

d. A roadmap for writing negative tests