SlideShare a Scribd company logo

Phil Koopman's ISSRE 2016 Keynote

E
edgecaseresearch

In which Professor Koopman talks about why embedded software is often bad, why machine learning will make it more complicated...and why embedded software is critically important.

Engineering
1 of 32
Download to read offline
Embedded System Software Quality Why is it so often terrible? What can we do about it? ISSRE 2016 Keynote © 2016 Edge Case Research LLC Prof. Philip Koopman
2© 2016 Edge Case Research LLC  Embedded software failures are on the rise  Computers go far beyond “Internet of Things”  Slapped together source code isn’t good enough  Security, safety, critical infrastructure all matter  The usual suspects won’t solve this problem  Better process, more testing, formal methods, …  The fundamental problem: poor software development literacy  Code is not written by “computer” people  Managers don’t get why software is difficult  Low probability failures * large fleet exposure  And … machine learning makes things harder! Overview: What I’ve Learned in 200 Reviews https://goo.gl/RPv9V6
3© 2016 Edge Case Research LLC Bad Code Shows Up Everywhere https://goo.gl/LlyuRt (1991) Patriot Missile Software Defect / 28 Americans Dead Workaround: frequent reboots https://goo.gl/UXyQVC https://goo.gl/FbHOYk https://goo.gl/gtWt rK Therac 25: 1985-1987 6+ radiation overdoses https://goo.gl/RrYLGi FDA Recall Data 2002-2012 https://goo.gl/vdGAF3 Repurposed Bit activates testing mode
4© 2016 Edge Case Research LLC Bad Code Is A Leading Security Problem https://goo.gl/CDsbV2 https://goo.gl/24Jp7j  Attacks can affect the physical world 26% Buffer Overflow or Similar6% Crypto Issues https://goo.gl/rYgWFf
5© 2016 Edge Case Research LLC  Security problems often due to bad fundamentals Is It That Hard To Get Basics Right? It’s a buffer overflow bug: memcpy(bp,pl,payload); https://goo.gl/1Joxy2 https://goo.gl/o2FuqZ No password & no signature for externally pushed firewall update
6© 2016 Edge Case Research LLC  $$$B Toyota Unintended Acceleration Fiasco: 2010-…?  “Reckless disregard” Jury verdict in one death  Hundreds of death and injury settlements (still ongoing)  Code quality overview (256K SLOC in C):  Throttle angle routine: MCC of 146 (MCC above 50 is “untestable”)  80,000 MISRA C violations – Uninitialized variables, condition side effects, unsafe type casting – 2272 global variable declaration type mismatches  10,000 read/write global variables  Missing concurrency locks; confirmed race condition bug  Recursion with essentially full stack; no stack protection  Ineffective watchdog (kicked from HW timer)  No configuration management, no bug tracking, real time scheduling overload, minimal peer reviews For more, web search: “Koopman Toyota” Automotive Engine Control Code Quality
7© 2016 Edge Case Research LLChttp://www.popsci.com/software-rising-cause-car-recalls  Software can make or break a company  So why is it still so often bad?  Don’t we have tools for that?  Automated testing, build tools  Static analysis tools  Formal methods  Better development processes  Model-based design  CMMI  … Is Bad Software Eating The World?
8© 2016 Edge Case Research LLC Who’s Writing All This Code?  In embedded systems:  Most are domain specialists (Mech. Eng., Industrial Eng., etc.)  Older workers are self-taught  Younger workers took intro programming Who pays more for computer grads: Silicon Valley or an industrial controls device manufacturer?
9© 2016 Edge Case Research LLC  Simple answer: one bad line of code at a time  Emphasis on coding, not engineering software  Deeper answer:  Gaps in technical skills  Gaps in process skills  Gaps in management understanding  Gaps in education  Gerry Weinberg's Second Law:  If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization How Did We Get Here?
10© 2016 Edge Case Research LLC Coding Is Essentially 0% of Creating Software http://e.ubmelectronics.com/2013EmbeddedStudy/index.html
11© 2016 Edge Case Research LLC Staffing Requires 1:1 Designers To Testers [IEC 60730]IEC 60730 Appliance Safety
12© 2016 Edge Case Research LLC  Mechanical engineers (etc.) have intro software  But typically no deep training in engineering software-based systems  How many CompEng/CS students have deep software engineering skills?  Well written requirements, change tracking, traceability  Rigorous approaches to testing & peer reviews  Really understand all the boxes for V, Scrum, or whatever? Is A “Computer” Degree Enough?
13© 2016 Edge Case Research LLC  Basic skills  Programming, A/D, D/A, math, power  Software Construction  Modularity, complexity, style  Real Time Software  Interrupts, scheduling, concurrency, time  Robust System Design  Watchdog, stack overflow, exceptions  Validation  Test strategies, coverage, traceability  Peer reviews, lightweight formal methods Example Technical Skills https://goo.gl/0d5ANZ
14© 2016 Edge Case Research LLC  Development process  Process models, artifacts, metrics  Requirements & estimation  Architecture, software design, test design  Deployment process  Configuration management  Version control  Defect tracking and resolution (software & process defects)  Building, deployment, field defects Example Process Skills https://goo.gl/l2RWUv May 2015 https://goo.gl/4hbom9
15© 2016 Edge Case Research LLC  Safety  Critical system design  Safety plan  Safety standards  Redundancy  Security  Secure system design  Security plan & best practices  Cryptography, security protocols, key management  Patch management and secure boot Example Specialty Skills
16© 2016 Edge Case Research LLC  Software Quality Challenges  Process & technical quality  Technical debt management  Validation: testing and beyond  Role of SQA/PPQA  Software Project Management  Software process models  Requirements management  Estimation, Mythical Man Month  External safety & security certification Example Management Skills https://goo.gl/4bS5rd
17© 2016 Edge Case Research LLC Why Managing Software Costs Is Difficult Mechanical System 90% of BOM cost Mostly commodity Electronic Controller 10% of BOM cost Mostly commodity Software 0% of BOM cost 90% of product differentiation Product costs are managed by BOM = Bill Of Materials
18© 2016 Edge Case Research LLC  FALSE: A “mostly working,” undisciplined prototype can be deployed  It’s more expensive to fix a mess than to take a step back and do it right  FALSE: Getting compiled code quickly indicates progress  Skimping on up-front design and review creates bug farms  FALSE: Testing improves software quality  It mostly removes the “easy” and frequent bugs  Product testing won’t find subtle timing bugs and edge cases  FALSE: Peer review is expensive  It’s perhaps 10% of project budget to find 50%-70% of bugs  “Sorry, no time to peer review” – they’re too busy writing bugs  FALSE: Software development is quick & cheap; anyone can write code  It takes 1-2 SLOC/person-hr if you want good embedded code  Fixed end date + inflexible requirements = project failure Example Management Misconceptions https://en.wikipedi a.org/wiki/File:Poin ty-Haired_Boss.jpg “Anything I don’t understand is easy.”
19© 2016 Edge Case Research LLC  Embedded systems is about breadth… … computer skills + domain skills  Computer experts need domain literacy – Thermodynamics, materials, statics & dynamics, …  Domain experts need software literacy – Teaching “how to code” will (mostly) just get you bad software  Mid-career skill upgrade delivery paths:  Self-instruction, on-line training, etc.  Project reviews with hands-on mentoring of fixing problems  How about some books that cover all this important stuff? Deploying SW Competence Upgrades Coriolis Flow Meter (actual size)
20© 2016 Edge Case Research LLC  6/2016: Tesla “AutoPilot” Crash  Claimed first crash after 130M miles of operation And Now … Self-Driving Cars
21© 2016 Edge Case Research LLC  Need to test for at least ~3x crash rate to validate safety  Hypothetical deployment: NYC Medallion Taxi Fleet  13,437 vehicles @ 70,000 miles/yr = 941M miles/year  7 critical crashes in 2015 134M miles/critical crash (death or serious injury)  How much testing to validate critical crash rate?  Answer: 3x – ~10x the mean crash rate – Probably you’ll get a crash  even more testing  These are optimistic test lengths…  Assumes random independent arrivals  Is simulated driving accurate enough? It Takes A Billion Miles Of Testing Testing Miles Confidence if NO critical crash seen 122.8M 60% 308.5M 90% 401.4M 95% 617.1M 99% [2014 NYC Taxi Fact Book] [Fatal and Critical Injury data / Local Law 31 of 2014]
22© 2016 Edge Case Research LLC  Self-driving cars are so cool!  But also kind of scary  These need all those skills  Good technical skills  Good process skills  Safety & security  Management who “gets it” ….  AND: Validating Machine Learning How Do You Validated Machine Learning? https://en.wikipedia.org/wiki/Autonomous_car
23© 2016 Edge Case Research LLC 1985 1990 1995 2000 2005 2010 DARPA Grand Challenge DARPA LAGR ARPA Demo II DARPA SC-ALV NASA Lunar Rover NASA Dante II Auto Excavator Auto Harvesting Auto Forklift Mars Rovers Urban Challenge DARPA PerceptOR DARPA UPI Auto Haulage Auto Spraying Laser Paint RemovalArmy FCS Carnegie Mellon University Faculty, staff, students Off-campus Robotics Institute facility NREC: 30 Years Of Cool Robots
24© 2016 Edge Case Research LLC  Even the “easy” (well known) cases are challenging Validating Robots Is Difficult Extreme contrast No markings Poor visibility Unusual  obstacles Construction Water (appears flat!) [Wagner 2014]
25© 2016 Edge Case Research LLC The Tough Cases Are Legion http://piximus.net/fun/funny-and-odd-things-spotted-on-the-road http://blogs.reuters.com/photographers-blog/2012/11/26/house-in-the-middle-of-the-road/ http://edtech2.boisestate.edu/robertsona/506/images/buffalo.jpg
26© 2016 Edge Case Research LLC Deep Learning Can Be Brittle & Inscrutable https://goo.gl/5sKnZV QuocNet: Car Not a Car Magnified Difference Bus Not a Bus Magnified Difference AlexNet: Szegedy, Christian, et al. "Intriguing properties of neural networks." arXiv preprint arXiv:1312.6199 (2013).
27© 2016 Edge Case Research LLC  Where are Machine Learning Requirements?  V model traces reqts to V&V  ML system is just a framework  The training data forms de facto requirements  Is training data “complete” and correct?  Training data is safety critical  What if a moderately rare case isn’t trained? – It might not behave as you expect – People’s perception of “almost the same” does not necessarily predict ML responses! How Do We Trace To Safety Standard “V”? REQUIREMENTS SPECIFICATION SYSTEM SPECIFICATION SUBSYSTEM/ COMPONENT SPECIFICATION PROGRAM SPECIFICATION MODULE SPECIFICATION SOURCE CODE UNIT TEST PROGRAM TEST SUBSYSTEM/ COMPONENT TEST SYSTEM INTEGRATION & TEST ACCEPTANCE TEST VERIFICATION & TRACEABILITY VALIDATION & TRACEABILITY VERIFICATION & TRACEABILITY VERIFICATION & TRACEABILITY VERIFICATION & TRACEABILITY Review Review Review Review Review Review Review Review Review Review Review Cluster Analysis ? ?
DISTRIBUTION A – NREC case number STAA‐2013‐10‐02
29© 2016 Edge Case Research LLC  Improper handling of floating-point numbers:  Inf, NaN, limited precision  Array indexing and allocation:  Images, point clouds, etc…  Segmentation faults due to arrays that are too small  Many forms of buffer overflow with complex data types  Large arrays and memory exhaustion  Time:  Time flowing backwards, jumps  Not rejecting stale data  Problems handling dynamic state:  For example, lists of perceived objects or command trajectories  Race conditions permit improper insertion or removal of items  Garbage collection causes crashes or hangs Some Autonomy Problems We’ve Found DISTRIBUTION A – NREC case number STAA-2013-10-02
30© 2016 Edge Case Research LLC  Good job of advocating for progress  E.g., recommends ISO 26262 safety standard  But, some areas need work, such as:  Machine Learning validation is immature  Need independent safety assessment  Re-certification for all updates to critical components  Which long-tail exceptional situations are “reasonable” to mitigate  Crash data recorders must have forensic validity Current Snapshot: NHTSA Guidance
31© 2016 Edge Case Research LLC  Challenge: Software Development Literacy  Critical skill shortage in engineering software – Learning to code doesn’t fix this alone  Long-term need to upgrade workforce skills – Teaching this in college won’t fix this alone  Tools and such only help if basic skills in place  Machine Learning ups the ante  Validating ML training is challenging  Workforce knows even less about ML than about engineering software!  And yet, our society revolves around the quality of all this software  A small step: http://www.edge-case-research.com/videos/ Conclusions
32© 2016 Edge Case Research LLC  Specialists in Making Robust Software:  Embedded software quality assessment and improvement  Embedded software skill evaluation and training  Lightweight software processes for mission critical systems  Lightweight automation for process & technical area improvement info@edge-case-research.com http://www.edge-case-research.com/

Recommended

What to Fix-First: Accessibility Remediation Order Matters
What to Fix-First: Accessibility Remediation Order MattersWhat to Fix-First: Accessibility Remediation Order Matters
What to Fix-First: Accessibility Remediation Order Matters
Sean Kelly
 
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIOSOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
Networked Research Lab, UK
 
Test automation Anecdotes
Test automation AnecdotesTest automation Anecdotes
Test automation Anecdotes
Cristiano Caetano
 
Different phases of accessibility testing
Different phases of accessibility testingDifferent phases of accessibility testing
Different phases of accessibility testing
Poonam Tathavadkar
 
Risk Based Testing in Agile context - Kees Blokland
Risk Based Testing in Agile context - Kees BloklandRisk Based Testing in Agile context - Kees Blokland
Risk Based Testing in Agile context - Kees Blokland
Kees Blokland
 
Top Challenges in Testing Requirements
Top Challenges in Testing RequirementsTop Challenges in Testing Requirements
Top Challenges in Testing Requirements
TechWell
 
Accessibility Testing: Mileage May Vary
Accessibility Testing: Mileage May Vary Accessibility Testing: Mileage May Vary
Accessibility Testing: Mileage May Vary
Sean Kelly
 
caring_about_code_quality
caring_about_code_qualitycaring_about_code_quality
caring_about_code_qualityKetan Patel
 

Recommended

What to Fix-First: Accessibility Remediation Order Matters
What to Fix-First: Accessibility Remediation Order MattersWhat to Fix-First: Accessibility Remediation Order Matters
What to Fix-First: Accessibility Remediation Order Matters
Sean Kelly
 
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIOSOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
SOFTWARE QUALITY ASSURANCE, PAOLA DI MAIO
Networked Research Lab, UK
 
Test automation Anecdotes
Test automation AnecdotesTest automation Anecdotes
Test automation Anecdotes
Cristiano Caetano
 
Different phases of accessibility testing
Different phases of accessibility testingDifferent phases of accessibility testing
Different phases of accessibility testing
Poonam Tathavadkar
 
Risk Based Testing in Agile context - Kees Blokland
Risk Based Testing in Agile context - Kees BloklandRisk Based Testing in Agile context - Kees Blokland
Risk Based Testing in Agile context - Kees Blokland
Kees Blokland
 
Top Challenges in Testing Requirements
Top Challenges in Testing RequirementsTop Challenges in Testing Requirements
Top Challenges in Testing Requirements
TechWell
 
Accessibility Testing: Mileage May Vary
Accessibility Testing: Mileage May Vary Accessibility Testing: Mileage May Vary
Accessibility Testing: Mileage May Vary
Sean Kelly
 
caring_about_code_quality
caring_about_code_qualitycaring_about_code_quality
caring_about_code_qualityKetan Patel
 
FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1
fadhilla elita
 
FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)
FrontEndART
 
Top Agile Myths & Misconceptions
Top Agile Myths & MisconceptionsTop Agile Myths & Misconceptions
Top Agile Myths & Misconceptions
David Tzemach
 
ISTQB REX BLACK book
ISTQB REX BLACK bookISTQB REX BLACK book
ISTQB REX BLACK bookNaga Chiranjeevi Kota
 
The Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software TestingThe Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software Testing
TechWell
 
Technology assessment
Technology assessmentTechnology assessment
Technology assessmentBrian Anderson
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
Dinis Cruz
 
Use Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software ForestUse Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software Forest
TechWell
 
Fundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & ImplementationsFundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & Implementations
yogi syafrialdi
 
Exploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony WebinarExploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony Webinar
QASymphony
 
EFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEWEFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEW
Journal For Research
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
Pacific Northwest Software Quality Conference
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
Andris Soroka
 
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
TechWell
 
Scrum in Wonderland
Scrum in WonderlandScrum in Wonderland
Scrum in Wonderland
sjmarsh
 
Future of QA
Future of QAFuture of QA
Future of QAamitagarwal2006
 
Futureofqa
FutureofqaFutureofqa
Futureofqaamitagarwal2006
 
U test whitepaper_10
U test whitepaper_10U test whitepaper_10
U test whitepaper_10eshwar83
 
software testing
software testingsoftware testing
software testing
choclatyhero007
 
How Automation Reveals Technical Debt
How Automation Reveals Technical DebtHow Automation Reveals Technical Debt
How Automation Reveals Technical DebtIBM UrbanCode Products
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
Parasoft
 

More Related Content

What's hot

FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1
fadhilla elita
 
FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)
FrontEndART
 
Top Agile Myths & Misconceptions
Top Agile Myths & MisconceptionsTop Agile Myths & Misconceptions
Top Agile Myths & Misconceptions
David Tzemach
 
The Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software TestingThe Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software Testing
TechWell
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
Dinis Cruz
 
Use Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software ForestUse Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software Forest
TechWell
 
Fundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & ImplementationsFundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & Implementations
yogi syafrialdi
 
Exploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony WebinarExploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony Webinar
QASymphony
 
EFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEWEFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEW
Journal For Research
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
Pacific Northwest Software Quality Conference
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
Andris Soroka
 

What's hot (14)

FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1
 
FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)FaultHunter workshop (SourceMeter for SonarQube plugin module)
FaultHunter workshop (SourceMeter for SonarQube plugin module)
 
Top Agile Myths & Misconceptions
Top Agile Myths & MisconceptionsTop Agile Myths & Misconceptions
Top Agile Myths & Misconceptions
 
ISTQB REX BLACK book
ISTQB REX BLACK bookISTQB REX BLACK book
ISTQB REX BLACK book
 
The Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software TestingThe Seven Deadly Sins of Software Testing
The Seven Deadly Sins of Software Testing
 
Technology assessment
Technology assessmentTechnology assessment
Technology assessment
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Use Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software ForestUse Model-Based Testing to Navigate the Software Forest
Use Model-Based Testing to Navigate the Software Forest
 
Fundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & ImplementationsFundamentals of testing - Testing & Implementations
Fundamentals of testing - Testing & Implementations
 
Exploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony WebinarExploratory Testing with JIRA | QASymphony Webinar
Exploratory Testing with JIRA | QASymphony Webinar
 
EFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEWEFFECTIVE TEST CASE DESING: A REVIEW
EFFECTIVE TEST CASE DESING: A REVIEW
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
 

Similar to Phil Koopman's ISSRE 2016 Keynote

What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
TechWell
 
Scrum in Wonderland
Scrum in WonderlandScrum in Wonderland
Scrum in Wonderland
sjmarsh
 
U test whitepaper_10
U test whitepaper_10U test whitepaper_10
U test whitepaper_10eshwar83
 
software testing
software testingsoftware testing
software testing
choclatyhero007
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
Parasoft
 
Comparing Agile QA Approaches to End-to-End Testing
Comparing Agile QA Approaches to End-to-End TestingComparing Agile QA Approaches to End-to-End Testing
Comparing Agile QA Approaches to End-to-End Testing
Katie Chin
 
Creating a successful continuous testing environment by Eran Kinsbruner
Creating a successful continuous testing environment by Eran KinsbrunerCreating a successful continuous testing environment by Eran Kinsbruner
Creating a successful continuous testing environment by Eran Kinsbruner
QA or the Highway
 
Acerta Deck
Acerta DeckAcerta Deck
Acerta Deck
h_patel1
 
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Ann Marie Neufelder
 
Popular Pitfalls In Sdlc Phases 1
Popular Pitfalls In Sdlc Phases 1Popular Pitfalls In Sdlc Phases 1
Popular Pitfalls In Sdlc Phases 1
Ramkumar Ramachandran
 
Scope master introduction presentation feb 2020 w vid
Scope master introduction presentation feb 2020 w vidScope master introduction presentation feb 2020 w vid
Scope master introduction presentation feb 2020 w vid
Colin Hammond
 
Developing software at scale cs 394 may 2011
Developing software at scale cs 394 may 2011Developing software at scale cs 394 may 2011
Developing software at scale cs 394 may 2011
Todd Warren
 
The Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdfThe Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdf
RohitBhandari66
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
OnBoard Security, Inc. - a Qualcomm Company
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to Continuous
Parasoft
 
Functional and Non-functional Test automation
Functional and Non-functional Test automationFunctional and Non-functional Test automation
Functional and Non-functional Test automation
Dr Ganesh Iyer
 

Similar to Phil Koopman's ISSRE 2016 Keynote (20)

What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
What to Do—Develop Your Own Automation or Use Crowdsourced Testing?
 
Scrum in Wonderland
Scrum in WonderlandScrum in Wonderland
Scrum in Wonderland
 
Future of QA
Future of QAFuture of QA
Future of QA
 
Futureofqa
FutureofqaFutureofqa
Futureofqa
 
U test whitepaper_10
U test whitepaper_10U test whitepaper_10
U test whitepaper_10
 
software testing
software testingsoftware testing
software testing
 
How Automation Reveals Technical Debt
How Automation Reveals Technical DebtHow Automation Reveals Technical Debt
How Automation Reveals Technical Debt
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
 
Comparing Agile QA Approaches to End-to-End Testing
Comparing Agile QA Approaches to End-to-End TestingComparing Agile QA Approaches to End-to-End Testing
Comparing Agile QA Approaches to End-to-End Testing
 
Creating a successful continuous testing environment by Eran Kinsbruner
Creating a successful continuous testing environment by Eran KinsbrunerCreating a successful continuous testing environment by Eran Kinsbruner
Creating a successful continuous testing environment by Eran Kinsbruner
 
Acerta Deck
Acerta DeckAcerta Deck
Acerta Deck
 
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...Reliable software in a continuous integration/continuous deployment (CI/CD) e...
Reliable software in a continuous integration/continuous deployment (CI/CD) e...
 
Popular Pitfalls In Sdlc Phases 1
Popular Pitfalls In Sdlc Phases 1Popular Pitfalls In Sdlc Phases 1
Popular Pitfalls In Sdlc Phases 1
 
Scope master introduction presentation feb 2020 w vid
Scope master introduction presentation feb 2020 w vidScope master introduction presentation feb 2020 w vid
Scope master introduction presentation feb 2020 w vid
 
Developing software at scale cs 394 may 2011
Developing software at scale cs 394 may 2011Developing software at scale cs 394 may 2011
Developing software at scale cs 394 may 2011
 
The Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdfThe Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdf
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
Better Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to ContinuousBetter Software East 2016: Evolving Automated to Continuous
Better Software East 2016: Evolving Automated to Continuous
 
Functional and Non-functional Test automation
Functional and Non-functional Test automationFunctional and Non-functional Test automation
Functional and Non-functional Test automation
 

Recently uploaded

ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
space technology lecture notes on satellite
space technology lecture notes on satellitespace technology lecture notes on satellite
space technology lecture notes on satellite
ongomchris
 
Runway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptxRunway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptx
SupreethSP4
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
AP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specificAP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specific
BrazilAccount1
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
ankuprajapati0525
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
Divya Somashekar
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 

Recently uploaded (20)

ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
space technology lecture notes on satellite
space technology lecture notes on satellitespace technology lecture notes on satellite
space technology lecture notes on satellite
 
Runway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptxRunway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptx
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
AP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specificAP LAB PPT.pdf ap lab ppt no title specific
AP LAB PPT.pdf ap lab ppt no title specific
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
 

Phil Koopman's ISSRE 2016 Keynote

  • 1. Embedded System Software Quality Why is it so often terrible? What can we do about it? ISSRE 2016 Keynote © 2016 Edge Case Research LLC Prof. Philip Koopman
  • 2. 2© 2016 Edge Case Research LLC  Embedded software failures are on the rise  Computers go far beyond “Internet of Things”  Slapped together source code isn’t good enough  Security, safety, critical infrastructure all matter  The usual suspects won’t solve this problem  Better process, more testing, formal methods, …  The fundamental problem: poor software development literacy  Code is not written by “computer” people  Managers don’t get why software is difficult  Low probability failures * large fleet exposure  And … machine learning makes things harder! Overview: What I’ve Learned in 200 Reviews https://goo.gl/RPv9V6
  • 3. 3© 2016 Edge Case Research LLC Bad Code Shows Up Everywhere https://goo.gl/LlyuRt (1991) Patriot Missile Software Defect / 28 Americans Dead Workaround: frequent reboots https://goo.gl/UXyQVC https://goo.gl/FbHOYk https://goo.gl/gtWt rK Therac 25: 1985-1987 6+ radiation overdoses https://goo.gl/RrYLGi FDA Recall Data 2002-2012 https://goo.gl/vdGAF3 Repurposed Bit activates testing mode
  • 4. 4© 2016 Edge Case Research LLC Bad Code Is A Leading Security Problem https://goo.gl/CDsbV2 https://goo.gl/24Jp7j  Attacks can affect the physical world 26% Buffer Overflow or Similar6% Crypto Issues https://goo.gl/rYgWFf
  • 5. 5© 2016 Edge Case Research LLC  Security problems often due to bad fundamentals Is It That Hard To Get Basics Right? It’s a buffer overflow bug: memcpy(bp,pl,payload); https://goo.gl/1Joxy2 https://goo.gl/o2FuqZ No password & no signature for externally pushed firewall update
  • 6. 6© 2016 Edge Case Research LLC  $$$B Toyota Unintended Acceleration Fiasco: 2010-…?  “Reckless disregard” Jury verdict in one death  Hundreds of death and injury settlements (still ongoing)  Code quality overview (256K SLOC in C):  Throttle angle routine: MCC of 146 (MCC above 50 is “untestable”)  80,000 MISRA C violations – Uninitialized variables, condition side effects, unsafe type casting – 2272 global variable declaration type mismatches  10,000 read/write global variables  Missing concurrency locks; confirmed race condition bug  Recursion with essentially full stack; no stack protection  Ineffective watchdog (kicked from HW timer)  No configuration management, no bug tracking, real time scheduling overload, minimal peer reviews For more, web search: “Koopman Toyota” Automotive Engine Control Code Quality
  • 7. 7© 2016 Edge Case Research LLChttp://www.popsci.com/software-rising-cause-car-recalls  Software can make or break a company  So why is it still so often bad?  Don’t we have tools for that?  Automated testing, build tools  Static analysis tools  Formal methods  Better development processes  Model-based design  CMMI  … Is Bad Software Eating The World?
  • 8. 8© 2016 Edge Case Research LLC Who’s Writing All This Code?  In embedded systems:  Most are domain specialists (Mech. Eng., Industrial Eng., etc.)  Older workers are self-taught  Younger workers took intro programming Who pays more for computer grads: Silicon Valley or an industrial controls device manufacturer?
  • 9. 9© 2016 Edge Case Research LLC  Simple answer: one bad line of code at a time  Emphasis on coding, not engineering software  Deeper answer:  Gaps in technical skills  Gaps in process skills  Gaps in management understanding  Gaps in education  Gerry Weinberg's Second Law:  If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization How Did We Get Here?
  • 10. 10© 2016 Edge Case Research LLC Coding Is Essentially 0% of Creating Software http://e.ubmelectronics.com/2013EmbeddedStudy/index.html
  • 11. 11© 2016 Edge Case Research LLC Staffing Requires 1:1 Designers To Testers [IEC 60730]IEC 60730 Appliance Safety
  • 12. 12© 2016 Edge Case Research LLC  Mechanical engineers (etc.) have intro software  But typically no deep training in engineering software-based systems  How many CompEng/CS students have deep software engineering skills?  Well written requirements, change tracking, traceability  Rigorous approaches to testing & peer reviews  Really understand all the boxes for V, Scrum, or whatever? Is A “Computer” Degree Enough?
  • 13. 13© 2016 Edge Case Research LLC  Basic skills  Programming, A/D, D/A, math, power  Software Construction  Modularity, complexity, style  Real Time Software  Interrupts, scheduling, concurrency, time  Robust System Design  Watchdog, stack overflow, exceptions  Validation  Test strategies, coverage, traceability  Peer reviews, lightweight formal methods Example Technical Skills https://goo.gl/0d5ANZ
  • 14. 14© 2016 Edge Case Research LLC  Development process  Process models, artifacts, metrics  Requirements & estimation  Architecture, software design, test design  Deployment process  Configuration management  Version control  Defect tracking and resolution (software & process defects)  Building, deployment, field defects Example Process Skills https://goo.gl/l2RWUv May 2015 https://goo.gl/4hbom9
  • 15. 15© 2016 Edge Case Research LLC  Safety  Critical system design  Safety plan  Safety standards  Redundancy  Security  Secure system design  Security plan & best practices  Cryptography, security protocols, key management  Patch management and secure boot Example Specialty Skills
  • 16. 16© 2016 Edge Case Research LLC  Software Quality Challenges  Process & technical quality  Technical debt management  Validation: testing and beyond  Role of SQA/PPQA  Software Project Management  Software process models  Requirements management  Estimation, Mythical Man Month  External safety & security certification Example Management Skills https://goo.gl/4bS5rd
  • 17. 17© 2016 Edge Case Research LLC Why Managing Software Costs Is Difficult Mechanical System 90% of BOM cost Mostly commodity Electronic Controller 10% of BOM cost Mostly commodity Software 0% of BOM cost 90% of product differentiation Product costs are managed by BOM = Bill Of Materials
  • 18. 18© 2016 Edge Case Research LLC  FALSE: A “mostly working,” undisciplined prototype can be deployed  It’s more expensive to fix a mess than to take a step back and do it right  FALSE: Getting compiled code quickly indicates progress  Skimping on up-front design and review creates bug farms  FALSE: Testing improves software quality  It mostly removes the “easy” and frequent bugs  Product testing won’t find subtle timing bugs and edge cases  FALSE: Peer review is expensive  It’s perhaps 10% of project budget to find 50%-70% of bugs  “Sorry, no time to peer review” – they’re too busy writing bugs  FALSE: Software development is quick & cheap; anyone can write code  It takes 1-2 SLOC/person-hr if you want good embedded code  Fixed end date + inflexible requirements = project failure Example Management Misconceptions https://en.wikipedi a.org/wiki/File:Poin ty-Haired_Boss.jpg “Anything I don’t understand is easy.”
  • 19. 19© 2016 Edge Case Research LLC  Embedded systems is about breadth… … computer skills + domain skills  Computer experts need domain literacy – Thermodynamics, materials, statics & dynamics, …  Domain experts need software literacy – Teaching “how to code” will (mostly) just get you bad software  Mid-career skill upgrade delivery paths:  Self-instruction, on-line training, etc.  Project reviews with hands-on mentoring of fixing problems  How about some books that cover all this important stuff? Deploying SW Competence Upgrades Coriolis Flow Meter (actual size)
  • 20. 20© 2016 Edge Case Research LLC  6/2016: Tesla “AutoPilot” Crash  Claimed first crash after 130M miles of operation And Now … Self-Driving Cars
  • 21. 21© 2016 Edge Case Research LLC  Need to test for at least ~3x crash rate to validate safety  Hypothetical deployment: NYC Medallion Taxi Fleet  13,437 vehicles @ 70,000 miles/yr = 941M miles/year  7 critical crashes in 2015 134M miles/critical crash (death or serious injury)  How much testing to validate critical crash rate?  Answer: 3x – ~10x the mean crash rate – Probably you’ll get a crash  even more testing  These are optimistic test lengths…  Assumes random independent arrivals  Is simulated driving accurate enough? It Takes A Billion Miles Of Testing Testing Miles Confidence if NO critical crash seen 122.8M 60% 308.5M 90% 401.4M 95% 617.1M 99% [2014 NYC Taxi Fact Book] [Fatal and Critical Injury data / Local Law 31 of 2014]
  • 22. 22© 2016 Edge Case Research LLC  Self-driving cars are so cool!  But also kind of scary  These need all those skills  Good technical skills  Good process skills  Safety & security  Management who “gets it” ….  AND: Validating Machine Learning How Do You Validated Machine Learning? https://en.wikipedia.org/wiki/Autonomous_car
  • 23. 23© 2016 Edge Case Research LLC 1985 1990 1995 2000 2005 2010 DARPA Grand Challenge DARPA LAGR ARPA Demo II DARPA SC-ALV NASA Lunar Rover NASA Dante II Auto Excavator Auto Harvesting Auto Forklift Mars Rovers Urban Challenge DARPA PerceptOR DARPA UPI Auto Haulage Auto Spraying Laser Paint RemovalArmy FCS Carnegie Mellon University Faculty, staff, students Off-campus Robotics Institute facility NREC: 30 Years Of Cool Robots
  • 24. 24© 2016 Edge Case Research LLC  Even the “easy” (well known) cases are challenging Validating Robots Is Difficult Extreme contrast No markings Poor visibility Unusual  obstacles Construction Water (appears flat!) [Wagner 2014]
  • 25. 25© 2016 Edge Case Research LLC The Tough Cases Are Legion http://piximus.net/fun/funny-and-odd-things-spotted-on-the-road http://blogs.reuters.com/photographers-blog/2012/11/26/house-in-the-middle-of-the-road/ http://edtech2.boisestate.edu/robertsona/506/images/buffalo.jpg
  • 26. 26© 2016 Edge Case Research LLC Deep Learning Can Be Brittle & Inscrutable https://goo.gl/5sKnZV QuocNet: Car Not a Car Magnified Difference Bus Not a Bus Magnified Difference AlexNet: Szegedy, Christian, et al. "Intriguing properties of neural networks." arXiv preprint arXiv:1312.6199 (2013).
  • 27. 27© 2016 Edge Case Research LLC  Where are Machine Learning Requirements?  V model traces reqts to V&V  ML system is just a framework  The training data forms de facto requirements  Is training data “complete” and correct?  Training data is safety critical  What if a moderately rare case isn’t trained? – It might not behave as you expect – People’s perception of “almost the same” does not necessarily predict ML responses! How Do We Trace To Safety Standard “V”? REQUIREMENTS SPECIFICATION SYSTEM SPECIFICATION SUBSYSTEM/ COMPONENT SPECIFICATION PROGRAM SPECIFICATION MODULE SPECIFICATION SOURCE CODE UNIT TEST PROGRAM TEST SUBSYSTEM/ COMPONENT TEST SYSTEM INTEGRATION & TEST ACCEPTANCE TEST VERIFICATION & TRACEABILITY VALIDATION & TRACEABILITY VERIFICATION & TRACEABILITY VERIFICATION & TRACEABILITY VERIFICATION & TRACEABILITY Review Review Review Review Review Review Review Review Review Review Review Cluster Analysis ? ?
  • 29. 29© 2016 Edge Case Research LLC  Improper handling of floating-point numbers:  Inf, NaN, limited precision  Array indexing and allocation:  Images, point clouds, etc…  Segmentation faults due to arrays that are too small  Many forms of buffer overflow with complex data types  Large arrays and memory exhaustion  Time:  Time flowing backwards, jumps  Not rejecting stale data  Problems handling dynamic state:  For example, lists of perceived objects or command trajectories  Race conditions permit improper insertion or removal of items  Garbage collection causes crashes or hangs Some Autonomy Problems We’ve Found DISTRIBUTION A – NREC case number STAA-2013-10-02
  • 30. 30© 2016 Edge Case Research LLC  Good job of advocating for progress  E.g., recommends ISO 26262 safety standard  But, some areas need work, such as:  Machine Learning validation is immature  Need independent safety assessment  Re-certification for all updates to critical components  Which long-tail exceptional situations are “reasonable” to mitigate  Crash data recorders must have forensic validity Current Snapshot: NHTSA Guidance
  • 31. 31© 2016 Edge Case Research LLC  Challenge: Software Development Literacy  Critical skill shortage in engineering software – Learning to code doesn’t fix this alone  Long-term need to upgrade workforce skills – Teaching this in college won’t fix this alone  Tools and such only help if basic skills in place  Machine Learning ups the ante  Validating ML training is challenging  Workforce knows even less about ML than about engineering software!  And yet, our society revolves around the quality of all this software  A small step: http://www.edge-case-research.com/videos/ Conclusions
  • 32. 32© 2016 Edge Case Research LLC  Specialists in Making Robust Software:  Embedded software quality assessment and improvement  Embedded software skill evaluation and training  Lightweight software processes for mission critical systems  Lightweight automation for process & technical area improvement info@edge-case-research.com http://www.edge-case-research.com/