DO-331 MBD Intro For Engineers & Managers

Download as pdf or txt
Download as pdf or txt
You are on page 1of 14

DO-331 MODEL BASED DEVELOPMENT

FOR ENGINEERS AND MANAGERS

DO-331, Model-Based Development and Verification Supplement to DO-178C


and DO-278A, is a 125-page guideline governing model-based development
(MBD) usage in airborne and ground-based aviation software. However, since
MBD is relatively new to aviation software, the authors of DO-331 faced a large AUTHOR
hurdle: how to provide meaningful guidelines to persons generally unfamiliar VANCE HILDERMAN
with model-based development? The answer was artfully handled within DO-
331 by combining workable “guidelines” with a high-level MBD tutorial which ➢ BSEE, MSEE, MBA
➢ Founder of two of the
laid a common foundation for MBD terminology and application. world’s largest avionics
development services
Ask any software developer (and their manager!) “What is the Holy Grail of companies
software development?” and there will be one predominant answer: “software ➢ Developer of the world’s
automatically generated from models with 100% reusability”. Admittedly, that first training in DO-178
answer will be provided with a smile (or a smirk, if interpreted by the engineer’s and trainer of over 10,500
engineers in 35 countries
manager). But software is rarely 100% automatically generated and entirely
for DO-178, DO-254, DO-
reusable. Aviation makes ample use of software reusability and few would 278A, and DO-200B
deny aviation software is among the best, if not the very best, in the entire ➢ Primary author of the
world of safety-critical embedded software. Aviation authorities operate on the world’s first, and best
underlying factual premise that no software is perfect and all software may selling, book on DO-178
and DO-254 (available at
eventually fail. That fact is unquestioned because the “answer” within aviation
most major bookstores
software is in detecting and mitigating such failures. Now, broaching modern worldwide)
software development practices causes one to embrace MBD as the “next
great hope” in getting us a little closer to that Holy Grail: perfect and perfectly
reusable software …
TECHNICAL
REVIEWERS
Many readers have been to a safety-critical engineering training class provided
by this author. Such attendees know that one of the secrets to keeping
students engaged in a seemingly boring technical topic is combining the
Socratic method of teaching with frequent quizzes. Keep the student engaged
and assess knowledge along the way, not at the end when it is too late to
modify the teaching. With that, consider the following “easy” DO-331 MBD
quiz:

Copyright Vance Hilderman Page 1 of 15


vance.hilderman@afuzion.com www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

# Question Answer?
1. If you use Modeling but not auto-code generation (e.g. you write code (Yes, No or
manually), do you still need a Software Modeling Standard and also Model Maybe)
Coverage Analysis?
2. When using models for verification, should expected results be determined prior (Yes, No or
to test execution? Maybe)
3. Can the Design Model be developed from System Requirements without first (Yes or No)
decomposing System requirements to High Level Software requirements
4. Must the System Requirements first be decomposed to High Level Software (Yes or No)
Requirements prior to making the Design Model?
5. If System Requirements are used for the source of requirements in the Design (Yes, No, or
Model, are those System Requirements then treated as High level Requirements Maybe)
and does the Design Model thus contain Low-Level Requirements?

Answers to the above questions are provided later herein.

Why Modeling?

Software modeling is almost as old as software development, with models being actively used to assist
engineers in early NASA lunar launches. Today, modeling refers to a generic activity whereby structure and
behavior by and between objects is defined at a higher level abstracted from logic development. Common
usage of “model” implies developing a model of structure and behavior prior to using that model to generate
actual software or hardware logic. (Remember, in the avionics world, the term “hardware” includes logic
embedded in silicon, previously known as “firmware” but now termed “complex electronic hardware” via DO-
254). However, modeling can actually follow the logic development process instead of preceding it; many
legacy codebases have modeling applied to them post-facto to aid in understanding, verifying, improving, or
reusing those code bases; especially within the field of avionics whereby most systems make at least partial
reuse of preceding, similar systems. This process is commonly known as “reverse engineering.”

Why is modeling increasingly important to avionics as evidenced by the release of DO-331 in December of
2011? There are many reasons including those below:
2

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

1. Improved Handling of Complex Systems


Modeling enables greater understanding/control for increasingly complex systems

2. Improved Reusability
Modeling promotes reuse by enabling developers to abstract functionality.

3. Enables Automated Code Generation


Modeling provides potential to automatically generate code directly from model.

4. Improved Logic Clarity


Modeling enables use of graphical languages such as Simulink or SysML.

5. Common Language = Fewer Assumptions


Systems engineers & developers can use common Modeling language.

6. Improved Traceability
Modeling tools can automate traceability from requirements to design to code.

7. Earlier Verification
Model simulation enables earlier requirements validation and design verification.

Benefits of Modeling

As seen in the above Figure: “Benefits of Modeling”, there are many advantages to modeling complex systems
and software. Other software domains such as telecommunications have been utilizing modeling for many
years; avionics has been gradually catching up. It should be noted that the realm of avionics software
certification guidance is generally devoid of cost and schedule considerations: while no one desires or expects
avionics developers to go bankrupt, they are free to do so. Accordingly, what then keeps everyone from
unanimously adopting modeling within their avionics development organizations? The following are often
cited as reasons avionics developers avoid partial or full use of modeling:

1) Uncertainly about interpreting DO-331 or being held to an overly conservative interpretation;


2) Licensing cost of modeling tools;
3) Learning curve of modeling tools;
4) Perception of difficulty or need to qualify a modeling tool per DO-330;
5) Culture of traditional Systems Engineers preferring to work solely with English text and avoid any
modeling tool usage or input;
3

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

6) Fear of doing something in a new way;


7) A lack of trust in the quality of the source code generated from models;
8) A concern about the lack of control over the specific source code statements generated from
models.

Are the aforementioned reasons for avoiding modeling valid? To the extent that perception equals reality for
some people, the answer is “maybe”. But with a more informed understanding, perceptions may be changed.
First, DO-331 provides a framework for enabling the usage of modeling within a prescribed regimen of
modeling standards and model verification: just as for traditional software requirements and software design
which must be verified to show compliance to user-defined standards, the same is true for avionics modeling.
Second, modeling tool licensing costs are really not that great when considering the cost-savings obtained
via engineering productivity improvements; and some modeling tools such as IBM’s Rhapsody™ and Magic
Draw are quite affordable while providing the necessary key features. Third, like licensing costs, the learning
curve of modeling tools is usually conquered in a matter of weeks or a few months at most; relatively short
considering the multi-year duration of most avionic system developments. Fourth, it is not necessary to qualify
a modeling tool: while benefits of qualification are noteworthy (such as eliminating the need for manual code
peer reviews, automatic code generation, and model-level verification), all the benefits of modeling cited
previously apply whether or not the modeling tool is Qualified. Fifth, all engineers are capable of learning new
techniques and most actually embrace such knowledge improvements in recognition of the resume-
enhancement benefits thereof. So the seeming disadvantages of modeling are readily dispelled. Further,
tools such as IBM’s Rhapsody tool have been around for 20 years and are quite mature in both the quality of
the code that is generated and in the ability to control and customize the generation of that code.

Modeling Terminology

Modeling is a domain which has its own vernacular; common modeling terms are summarized below.

Code The generation of code from a design model in a specified software source code
Generation language, such as C, C++, or Ada.

A model that defines any software design such as low-level requirements, software
Design
Model architecture, algorithms, component internal data structures, data flow and/or
control flow. A model used to generate Source Code is a Design Model.
An abstract representation of a given set of aspects of a system used for
Model
analysis, verification, simulation, code generation, or any combination thereof. It
should be unambiguous, regardless of its level of abstraction
• Note: The "given set of aspects of a system" may contain all aspects of the system or only a subset.

Model-Based A technology in which models represent software requirements and/or software


Development
and design descriptions to support the software development and verification
Verification processes.

Model- The creation of test cases within a modeling language and tool for the purpose of
Based Test verifying the model and/or the generated source code.
4

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

The application of well-formedness rules to ensure syntactic correctness of the


Model
Checking models, such as the reachabilty of states and the proper use of modeling language
elements
An analysis that determines which requirements expressed by the Design Model
Model were not exercised by verification based on the requirements from which the
Coverage
Analysis Design Model was developed. The purpose is to support the detection of
unintended function in the Design Model.

Model
Element A unit from which a model is constructed

Model A collection of model elements used as a baseline to construct a model. A model


Element
Library may or may not be developed using model element libraries.

Model
Simulation The activity of exercising the behavior of a model using a model simulator

A device, computer program or system that enables the execution of a model to


Model demonstrate its behavior in support of verification and/or validation.
Simulator
• The model simulator may or may not be executing code that is representative of the target code

A combination of a modeling language and a particular manner of using this


Modeling
Technique modeling language. It is driven by the level of abstraction of the information to be
represented by the model and the selected modeling tools.

Report The generation of documents from a model for the particular purpose, often
Generation template-based to generate documents in a standardized format.

Reverse
Engineering The creation of a model from source code.

A model representing high-level requirements providing an abstract


Specification representation of software functional, performance, interface, or safety
Model characteristics. Excludes design details such as internal data structures,
internal data flow, or internal control flow.

Symbology
The graphical appearance of modeling elements. Some modeling environments
allow custom symbology to be defined.

SysML
The Systems Modeling Language, a specialized variant of the UML for use in
systems modeling.

The Unified Modeling language, which is, by far, the most common software
UML modeling language in used. The UML has language elements to specified software
structure, behavior, functionality, and relationships.

Specification Model and Design Model

It is important to recall a basic DO-178C tenet is stepwise refinement: system requirements must precede
high level requirements (HLR’s) and HLR’s must precede low-level requirements (LLR’s). The temptation to
5

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

develop code directly from HLR’s must be avoided. Modeling provides the ability to express HLR’s and/or
LLR’s directly within a Model. A key facet of DO-331 modeling is the differentiation between a Specification
Model and a Design Model as depicted in the following figure:

Specification Model

Typically expresses high-level requirements (HLR's)

Design Model
Typically expresses low-level requirements
May be used to produce code
(LLR's)

The Design Model and the Specification Model are different, just as HLR’s differ and precede LLR’s: stepwise
refinement. Similar to HLR’s and LLR’s which may reside within the same requirements specification, the
Design Model and Specification Model could reside within the same model. But when both models exist, the
development of the Specification Model precedes the Design Model. Since the Specification Model and
Design Model accomplish different purposes, they each must use a different modeling standard.

In the UML, the specification model typically employs use cases to cluster requirements, and then employs
various UML mechanisms (state machines, scenario modeling, and activity modeling) to quality and
disambiguate requirements. The design model identifies the LLRs needed to meet the refined requirements
6

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

and specification models. The «trace» relation supports traceability between the requirements, the
specification model, and the design model.

The process for model development is not specified within DO-178C or DO-331, although those standards
specify the objectives with which such processes must comply and the evidence they must produce. A
common process is the Harmony Process for Embedded Software (see Real-Time Agility or Real-Time UML
Workshop for Embedded Systems 2nd Edition, both by Bruce Powel Douglass).

Example Use Case Diagram (reused with permission of Dr. Bruce Douglass, IBM):

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Example Class Diagram (reused with permission of Dr. Bruce Douglass, IBM):

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Example State Diagram (reused with permission of Dr. Bruce Douglass, IBM):

Example Simulink Model (reused with permission of Mr Eric Dillaber, Simulink Certification Manager):

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Modeling Strategy Choices

Like art, music, and gourmet dining, modeling means different things to different people and there are vastly
different means to implement modeling. To narrow down the myriad modeling implementation possibilities,
DO-331 describes five different modeling options and advises users to adopt one of those five. The following
figure depicts the five recommended modeling options MB1 through MB5.

As with most decisions in life, there are choices and one size does not fit everyone. But when considering
where you are from, where you are at, and where you are going, a preferred choice can be more readily
ascertained. The pro/con of each modeling option is summarized below:

MB1 Traditional engineering but with a Design Model


• Pro: Introduces modeling into software development. Enables autocode generation.
• Con: Separates Systems and Software engineering. HLRs independent of model.

MB2 Traditional engineering with both Specification and Design Models


• Pro: Good use of Specification Model and Design Model. Enables autocode generation.
• Con: Still has separation of Systems and Software engineering.

MB3 Traditional engineering but with a Specification Model


• Pro: Introduces modeling for HLR's
• Con: No potential for autocode generation; potential to disincentivize model upkeep.

MB4 HLR's merged with System Rqmts; SW Engrs develop Design Model
• Pro: Promotes Systems insight and contribution to software requirements. Enables autocode generation
• Con: Doesn't use a Specification Model so particularly complex systems may miss stepwise model refinement

MB5 HLR's merged with System Rqmts; Sys Engrs develop Design Model
• Pro: Promotes strong Systems-centric development and control of HLRs and Model; very little ambiguity.
• Con: Doesn't use Specification Model and possible large step between requirements and code
10

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Inputs to Modeling: Verifying the Model

In some software development domains, designers begin with a blank slate or concept, then iteratively evolve
a corresponding software model. But in aviation, the “guilty until proven innocent” paradigm holds true:
engineering work is not trusted until it is either qualified or verified. So consider: a model needs to be verified;
can a model be verified merely by inspecting it? Of course not: model verification requires formal
consideration of multiple inputs as depicted below:

Which of the above five inputs are actually required to perform a requisite model review? All of them, and
each of the five must be under configuration management, meaning it has a unique identifier and can be
retrieved in exactitude at any time in the future to determine its exact content used during the corresponding
model review. Note that a common challenge in modeling is requirement verification; again, models must
have requirements (software functionality) which can be used during the model review to assess the
correctness and completeness of the model.

Verification through Testing

In addition to review which assesses the model’s conformance to the applicable modeling standard and
system/software requirements, , models themselves may be verified through testing. The UML Profile for
Testing defines a standard way for test case specification, architecting, execution and analysis. This may be
done by manually creating the test elements and using model simulation/execution to ensure that the
outcomes match expectations. Tools such as IBM Rhapsody’s add-on Test Conductor automate some of
these steps and may be used as well.
11

Verification through formal methods (DO-333)

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Formal methods are another key means to verify models, especially subsets of system models. Some
engineers attempt to verify entire system models via formal methods, and such is ostensibly “allowed” by DO-
333 (the supplement commonly applied to DO-178C and DO-278A). However, a “Best Practice” is to instead
focus formal method-based model verification to a particular algorithm or set of cohesive algorithms within a
model to maximize provability. (See Formal Methods for additional information).

Model Simulation

Another advantage of modeling is simulation: a model simulator may be used to execute the model earlier in
the development lifecycle. Model simulation can be used to aid verification in the following ways:

✓ Compliance with system requirements (Specification Models)

✓ Compliance with high-level requirements (Design Models)

✓ Accuracy and consistency

✓ Verifiability

✓ Algorithm aspects

However, model simulation is not intended for verification of the following:

X Compatibility with the target computer

X Conformance to standards

X Traceability

X Partitioning integrity

Model and Code Verification

The UML Testing Profile (www.omg.org) provides a standard approach for specifying, executing, and
analyzing test cases in the UML language. This means that all the advantages of modeling can be gained not
only from the specification and design models, but also the means by which those models are verified. The
IBM Rhapsody tool add-on “Test Conductor” implements that standard and comes with a qualification kit for
DO-178. This tool automates test generation, execution and analysis and can provide detailed statistics about
model coverage (see the next section) and, when coupled with code verification tools, code-level coverage
as well.

Model Coverage Analysis & Traceability

Since the models are developed by engineers and engineers can neglect to add necessary model details or
remove model details which are no longer needed, model coverage analysis must be performed. Model
coverage analysis can determine which model elements may not have been completely verified and it can
12

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

also detect unintended functionality within the model. Model coverage analysis may be done via simulation
or formal methods, however software structural coverage is performed via actual testing.

Model traceability must also exist to prove that each model element is there for a reason. Each part of the
model should be traced to:

✓ The requirement(s) that it implements, and

✓ The source code that implements it.

Model traceability can of course be performed manually, but modeling tools increasingly have built-in
capabilities to support and provide traceability.

Conclusion

Modeling is a powerful capability which is increasingly applied to avionics. DO-331 provides a framework to
understand modeling, harness modeling’s power, and help prove the model is correct.

Answers to the questions posed earlier herein are provided below.

# Question Answer?
1. If you use Modeling but not auto-code generation (e.g. you write code Yes
manually), do you still need a Software Modeling Standard and also Model Code
Analysis?
2. When using models for verification, should expected results be determined prior Yes
to test execution?
3. Can the Design Model be developed from System Requirements without first Yes
decomposing System requirements to High Level Software requirements
4. Must the System Requirements first be decomposed to High Level Software No
Requirements prior to making the Design Model?
5. If System Requirements are used for the source of requirements in the Design Yes
Model, are those System Requirements then treated as High level Requirements
and the Design Model thus contains Low-Level Requirements?

Is YOUR team optimally trained? AFuzion: 23,000 aviation engineers trained; more than all
competitors COMBINED:

➢ Over 100 Public and Private classes worldwide, annually.


➢ Info on next courses here – DO-178C, DO-254, ARP4754A / ARP4761, DO-326A:
https://afuzion.com/training/

Have Aviation Certification Gaps? Fun 1-Minute video to close them: http://afuzion.com/gap-
analysis/
13

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com
DO-331 MBD Introduction – For Engineers & Managers

Free avionics development DO-178C, DO-254, ARP4754A, DO-326A, & ARP4761/A training
videos, here: https://www.youtube.com/playlist?list=PL0es63yi1vbw9Tt1GWX8TtiFm4R2qRryu

For DO-178 & DO-254 specific details, procure the book “Avionics Certification: A Complete Guide
to DO-178 & DO-254”, from major bookstores such as Amazon.com. (The author of this whitepaper
is the primary author of that book.) Also, the new book “Avionics Development Ecosystem” by
Vance Hilderman covers the big-picture view of avionics development from safety, to systems, and
through all key regulatory and design aspects for modern avionics development. See the Afuzion
website, www.afuzion.com, for advanced training modules relevant to DO-331 MBD and DO-178C
for beginners and experts alike.

AFuzion’s Worldwide Onsite Engineering Footprint - When Safety Is Critical TM:


14

Copyright 2015-2018, Vance Hilderman vance.hilderman@afuzion.com


www.afuzion.com

You might also like