Section: New Results

Design-driven Development of Dependable Software Systems

Dependability of a system is the ability to avoid service failures that are more frequent and more severe than is acceptable [22]. This generic concept includes attributes such as availability, integrity and reliability. Dependable systems are now pervasive in a range of domains (e.g., railway, avionics, automotive) and require a certification process. The main goal of certification is to demonstrate that a system conforms to its high-level requirements, resulting from functional and safety analyses.

Software plays an increasingly important role in dependable systems; software development is thus required to be certified. In particular, the stakeholders have to pay attention to the coherence of the functional and non-functional aspects of an application to demonstrate the conformance of the software with the high-level requirements. Non-functional aspects of a system refer to constraints on the manner in which this system implements and delivers its functionality (e.g., performance, reliability, security) [48].

Coherence. Because functional and non-functional aspects are inherently coupled, ensuring their coherence is critical to avoid unpredicted failures [39]. For example, fault-tolerance mechanisms may significantly deteriorate the application performance. Generally, this kind of issue is detected at the late stages of the development process, increasing the development cost of applications [21].

Conformance. Ensuring that an application is in conformance with its high-level requirements is typically done by tracing their propagation across the development stages. In practice, this process is human-intensive and error prone because it is performed manually [37].

Certifying a development process requires a variety of activities. In industry, the usual procedures involve holding peer review sessions for coherence verification, and writing traceability documents for conformance certification. In this context, design-driven development approaches are of paramount importance because the design drives the development of the application and provides a basis for tracing requirements [53]. However, because most existing approaches are general purpose, their guidance is limited, causing inconsistencies to be introduced in the design and along the development process. This situation calls for an integrated development process centered around a conceptual framework that allows the certification process to be guided in a systematic manner. In response to this situation, we proposed a design-driven development methodology, named DiaSuite [2], which is dedicated to the Sense/Compute/Control (SCC) paradigm [48]. As demonstrated by Shaw, the use of a specific paradigm provides a conceptual framework, leading to a more disciplined engineering process and guiding the verification process [47]. An SCC application is one that interacts with a physical environment. Such applications are typical of domains such as home/building automation, robotics and avionics.

In this work, we have shown the benefits of DiaSuite for the development of dependable SCC applications. This approach is applied to a realistic case study in the avionics domain, in the context of two non-functional aspects, namely time-related performance and reliability. The DiaSuite design language, named DiaSpec, offers declarations covering both functional and non-functional dimensions of an SCC application [2], [9], [32]. However, so far, the DiaSuite methodology has only been used to study each dimension in isolation, leaving open the problems of coherence and conformance when considering multiple dimensions. This work integrates all these dimensions, enabling the generation of validation support. More precisely, this work makes the following contributions:

Design coherence over functional and non-functional dimensions. We use the DiaSpec language to describe both functional and non-functional aspects of an application and apply this approach to a realistic case study. A DiaSpec description is verified at design time for coherence of its declarations. This verification is performed with respect to a formal model generated from a DiaSpec description.
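To make the idea of a design-time coherence check concrete, here is a constructed toy model of an SCC design (sources, contexts, controllers) carrying both functional declarations (data flow) and a non-functional one (worst-case latency and an end-to-end deadline). It is an added illustration, not DiaSpec or any DiaSuite tooling; the component kinds, field names and millisecond values are assumptions.

```python
# Constructed toy model of design-time coherence checking over functional
# (data-flow) and non-functional (timing) declarations of an SCC design.
# Not DiaSpec: names, fields and sample values are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Component:
    name: str
    kind: str                            # "source", "context" or "controller"
    inputs: List[str] = field(default_factory=list)  # components it consumes
    latency_ms: int = 0                  # declared worst-case processing time
    deadline_ms: Optional[int] = None    # end-to-end deadline (controllers only)

def check_coherence(design):
    """Return the list of coherence errors in `design` (empty when coherent)."""
    by_name = {c.name: c for c in design}
    errors = []
    # Functional coherence: every consumed name is declared, and data flows
    # source -> context -> controller (a controller never reads a raw source).
    allowed = {"context": {"source", "context"}, "controller": {"context"}}
    for c in design:
        for dep in c.inputs:
            if dep not in by_name:
                errors.append(f"{c.name}: undeclared input '{dep}'")
            elif by_name[dep].kind not in allowed.get(c.kind, set()):
                errors.append(f"{c.name}: {c.kind} may not consume "
                              f"{by_name[dep].kind} '{dep}'")
    # Non-functional coherence: the longest declared latency path from any
    # source to a controller must fit within that controller's deadline.
    def worst_path(name, seen=()):
        if name in seen:
            errors.append(f"{name}: cyclic data flow")
            return 0
        c = by_name[name]
        deps = [d for d in c.inputs if d in by_name]
        return c.latency_ms + max((worst_path(d, seen + (name,)) for d in deps),
                                  default=0)
    for c in design:
        if c.kind == "controller" and c.deadline_ms is not None:
            wc = worst_path(c.name)
            if wc > c.deadline_ms:
                errors.append(f"{c.name}: worst-case latency {wc} ms exceeds "
                              f"deadline {c.deadline_ms} ms")
    return errors

# Constructed flight-guidance-like designs: one coherent, one with two faults.
COHERENT = [Component("altitude", "source", latency_ms=5),
            Component("airspeed", "source", latency_ms=5),
            Component("FlightPhase", "context", ["altitude", "airspeed"], 20),
            Component("Guidance", "controller", ["FlightPhase"], 10, 50)]
INCOHERENT = COHERENT[:3] + [
    Component("Guidance", "controller", ["FlightPhase", "altitude"], 10, 30)]
```

Running `check_coherence(INCOHERENT)` reports both the ill-formed data flow and the 35 ms worst-case path that exceeds the 30 ms deadline, which is the kind of inconsistency the text says should be caught before implementation rather than late in development.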

Design conformance through the development process. At design time, we provide verification support to check the conformance between the specification and the formalized form of the high-level requirements. At implementation time, we guarantee the conformance between the application code and the previously verified requirements. This process is automatically done by leveraging the generative approach of DiaSuite. As some of the high-level requirements cannot be ensured at design time (e.g., time-related performance), we provide further testing support to validate the implementation with respect to these remaining requirements. This support leverages a realistic flight simulator, namely FlightGear [44].

Validation in avionics. We validate our approach by developing a realistic case study in avionics. Following the DiaSuite methodology, we have developed an aircraft flight guidance system and tested it on FlightGear. Additionally, we have duplicated this case study in the context of a commercial drone system, namely the Parrot AR.Drone (http://ardrone.parrot.com).

This work was carried out by Julien Bruneau, Quentin Enard and Stéphanie Gatti, in the context of their PhD studies. It will be published at the International Conference on Pervasive and Embedded Computing and Computation Systems (PECCS'13).