Cleanroom Software Engineering

CIS 376
Bruce R. Maxim
UM-Dearborn
 Where did it come from?

• The name “cleanroom” is derived from the

process used to fabricate semiconductor
• The philosophy focuses on defect avoidance
rather than defect removal
• It combines many of the formal methods
and software quality methods we have
studied so far
 Cleanroom is Shift in Pracrice
• From • To
– Individual – Peer reviewed
craftsmanship engineering
– Sequential – Incremental
development
development
– Team correctness
– Individual unit verification
testing
– Statistical usage testing
– Informal coverage
testing
– Measured reliability
– Unknown reliability
– Disciplined engineering
– Informal design specification and design
 What is it?
• Cleanroom software engineering involves the integrated
use of
– software engineering modeling
– program verification
– statistical software quality assurance.
 Verifies design specification using mathematically-based
proof of correctness
• Relies heavily on statistical use testing to uncover high
impact errors
• Generally follows an incremental development process
 Incremental development
Frozen
specification

Establish Formal Develop s/w Deliver

rerquirements specification increment software

Requir ements change request

 Benefits
• Zero failures in the field
– that’s the goal any way
– a realistic expectation is < 5 failures per KLOC on first program
execution in the first team project
• Short development cycles
– results from use incremental strategy and avoidance of rework
– new teams should experience a two-fold productivity increase on
the first project and continue the increase
• Longer product life
– investments detailed specifications and usage models help keep a
product viable longer
 Why are Cleanroom Techniques
Not Widely Used
 Some people believe cleanroom techniques are too
theoretical, too mathematical, and too radical for use in real
software development
 Relies on correctness verification and statistical quality
control rather than unit testing (a major departure from
traditional software development)
 Organizations operating at the ad hoc level of the
Capability Maturity Model, do not make rigorous use of the
defined processes needed in all phases of the software life
cycle
 Cleanroom Principles - part 1
• Small teams
– independent specification, development, and
certification sub-teams
• Incremental development under statistical quality
control
– performance assessed during each increment using
measure like errors per KLOC, rate of growth in MTTF,
or number of sequential error-free test cases
– feedback is used for process improvement and the
development plan is adjusted as needed
 Cleanroom Process Teams
• Specification team
– develops and maintains the system specification
• Development team
– develops and verifies software
– the software is not compiled or executes during verification
• Certification team
– develops set of statistical test to exercise software after
development
– reliability growth models used to assess reliability
 Cleanroom Principles - part 2
• Software development based on mathematical
principles
– the box principle is used for specification and design
– formal verification is used to confirm correctness of
implementation of specification
– program correctness is verified by team reviews using
questionnaires
• Testing based on statistical principles
– operational usage profiles needed
– test cases are randomly generated from the usage model
– failure data is interpreted using statistical models
 Cleanroom Process Overview

Formally Error rework

specify
system

Define Construct Formally

Integrate
software structured verify
increment
increments program code

Develop
operational Design Test
profile statistical integrated
tests system
 Cleanroom Strategy - part 1
• Increment planning.
– The project plan is built around the incremental strategy.
• Requirements gathering.
– Customer requirements are elicited and refined for each
increment using traditional methods.
• Box structure specification.
– Box structures isolate and separate the definition of
behavior, data, and procedures at each level of
refinement.
 Cleanroom Strategy - part 2
• Formal design.
– Specifications (black-boxes) are iteratively refined to
become architectural designs (state-boxes) and
component-level designs (clear boxes).
• Correctness verification.
– Correctness questions are asked and answered, formal
mathematical verification is used as required.
 Cleanroom Strategy - part 3
• Code generation, inspection, verification.
– Box structures are translated into program language;
inspections are used to ensure conformance of code and
boxes, as well as syntactic correctness of code;
followed by correctness verification of the code.
• Statistical test planning.
– A suite of test cases is created to match the probability
distribution of the projected product usage pattern.
 Cleanroom Strategy - part 4
• Statistical use testing.
– A statistical sample of all possible test cases is used
rather than exhaustive testing.
• Certification.
– Once verification, inspection, and usage testing are
complete and all defects removed, the increment is
certified as ready for integration.
 Increment Planning - Purpose
• Developing the right systems the first time,
requires customer involvement and feedback
throughout the development process
• Facilitates the customer’s clarification of system
requirements
• Requires management control of resources and
technical control of complexity
• Product quality requires process measurement and
control throughout the SW development cycle
 Increment Planning - Benefits
• Concurrent engineering by scheduling parallel development
and certification
• Stepwise integration through testing cumulative increments
• Continuous quality feedback from statistical process control
• Continuous customer feedback from actual use
• Risk management by treating high-risk elements in early
increments
• Change management by systematic accommodation of
changes
 Black Box
• Specifies a set of transition rules that describe the behavior
of system components as responses to specific stimuli,
makes use of inheritance in a manner similar to classes
• Specifies system function by mapping all possible stimulus
histories to all possible responses

S*  R
stimulus history  responses
 State Box
• Generalization of a state machine, encapsulates the data
and operations similar to an object, the inputs (stimuli) and
outputs (responses) are represented, data that must be
retained between transitions is encapsulated
• The state is the encapsulation of the stimulus history
• State variables are invented to save any stimuli that need to
retained

SxTRxT
stimuli X state data  responses X state data
 Clear Box
• Contains the procedural design of the state box, in a
manner similar to structured programming
• Specifies both data flow and control flow

SxTRxT
stimuli X state data  responses X state data

• State update and response production is allowed

 Box Principles
• Transaction closure of stimuli and responses
– users and uses are considered including security and
error recovery
• State migration within box hierarchy
– downward migration of state data is possible whenever
new black boxes are created inside a clear box
– upward migration of state date is desirable when
duplicate data is updated in several places in the tree
• Common services
– reusable boxes from library
Formal Specification and Inspections
• The state-based model is treated as a system
specification
• The inspection process checks the program against
the state-based model
• The programming approach used is defined to make
clear the correspondence between the model and the
implemented system
• The proofs used resemble mathematical arguments
and are used to increase confidence in the
inspection process
 Design Verification Advantages
• Reduces verification to a finite process
• Improves quality
• Lets cleanroom teams verify every line of code
• Results in near zero levels of defects
• Scales up to larger systems and higher levels
• Produces better code than unit testing
 Certification Steps
• Usage scenarios must be created
• Usage profile is specified
• Test cases generated from the usage profile
• Tests are executed and failure data are recorded
and analyzed
• Reliability is computed and recorded
 Usage Specification
• High-level characterization of the operational
environment of the software
• User - person, device, or piece of software
• Use - work session, transaction, or other unit of
service
• Usage Environment - platform, system load,
concurrency, multi-user, etc.
• Usage classes - clusters of similar users doing
similar tasks
 Usage Modeling
• Might be represented as a
– graph
– transition matrix
– Markov chain (adjacency matrix, arc probabilities as cell entries)
• A probability usage distribution can be defined by
– assignments based on field data
– informed assumptions about expected usage
– uniform probabilities (if no information is available)
• Optimization using operations research techniques
– may be used to support test management objectives
– does not require modelers to over specify knowledge about usage
 Statistical Testing
• Generation of test cases
– each test case begins in a start state and represents a random walk
through the usage model ending at a designated end state
• Control of statistical testing
– a well-defined procedure is performed under specified conditions
– each performance is a trial and can be used as part of an empirical
probability computation
• Stopping criteria for testing
– when testing goals or quality standards are achieved
– when the difference between the predicted usage chain and the
actual testing chain becomes very small
 Reliability Estimation
Confidence Level

Reliability 90% 95% 99% 99.9%

.9 22 29 44 66

.95 45 59 90 135

.99 230 299 459 688

.999 2302 2995 4603 6905

The binomial distribution can be used to estimate the

number of error-free test cases are needed to assume a
given level of reliability at a specified confidence level.
 Cleanroom Certification Models
• Sampling model
– determines the number if random cases that need to be
executed to achieve a particular reliability level
• Component model
– allows analyst to determine the probability that a given
component in a multi-component system fails prior to
completion
• Certification model
– projected overall reliability of system
 Process Control
• Involves comparing actual performance on a task
with pre-established standards and using the
results to make process management decisions.
• Measurement of key process variables is central to
process control.
• In cleanroom software process there are many
times that team members compare their progress
against a standard and decide whether to continue
or redo a portion of their project work.
 Process Improvement
• May take both quantitative and qualitative forms.
• Statistical quality control is an example of a
quantitative approach to process improvement
found in cleanroom software process.
• Root cause analysis is and example of qualitative
process improvement found in the cleanroom
software process. After each certification failure
error causes are identified and ways to prevent
them from reoccurring are sought.
 Cleanroom Process Evaluation
• Some organizations have achieved impressive
results and have delivered systems with few faults
• Independent assessment shows that the process is
no more expensive the other approaches
• Produces products with fewer errors than
traditional software engineering techniques
• Hard to see how this approach can be used by
inexperienced software engineers
• Requires highly a motivated development team
 Cleanroom and Object-Oriented SE
Common Characteristics
• Lifecycle
– both rely on incremental development
• Usage
– cleanroom usage model similar to OO use case
• State Machine Use
– cleanroom state box and OO transition diagram
• Reuse
– explicit objective in both process models
 Cleanroom and Object-Oriented SE
Key Differences
• Cleanroom relies on decomposition OO relies on
composition
• Cleanroom relies on formal methods while OO allows
informal use case definition and testing
• OO inheritance hierarchy is a design resource where
cleanroom usage hierarchy is system itself
• OO practitioners prefer graphical representations while
cleanroom practitioners prefer tabular representations
• Tool support is good for most OO processes, but usually
tool support is only found in cleanroom testing not design
 DOD/STARS Recommendations
• Use OO for front-end domain analysis
• Use cleanroom for life cycle application engineering
• Use OO for exploring a problem
• Use cleanrrom for developing a solution
• Use OO to develop components
• Use cleanroom to develop systems
• Use OO to identify domain pertinent to problem and
characterizing domain objects and relationships
• Use cleanroom for formal specification, design, verification,
usage modeling, and testing