A Technical History of the SEI
ihQTwP
ihQTwP
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
in those developments. The <strong>SEI</strong> was, however, instrumental in making many <strong>of</strong> <strong>the</strong> early adopters<br />
successful and in providing balanced, unbiased guidance to those faced with <strong>the</strong> language decision.<br />
The <strong>SEI</strong> Provided an Engineering Basis for Real-Time Systems<br />
Development<br />
A major factor in developing real-time s<strong>of</strong>tware for any language, including assembly language,<br />
was <strong>the</strong> development <strong>of</strong> <strong>the</strong> real-time scheduler. There simply was no analytic technique available<br />
to ensure that all deadlines could be met. Consequently, practicing engineers relied on experience<br />
and gross calculations. When two pr<strong>of</strong>essors at Carnegie Mellon University (CMU) proved that<br />
constraints <strong>of</strong> an obscure scheduling <strong>the</strong>ory could be relaxed, <strong>the</strong>y approached <strong>the</strong> <strong>SEI</strong> for help in<br />
making that new <strong>the</strong>oretic result practical for s<strong>of</strong>tware. The <strong>SEI</strong> responded by launching <strong>the</strong> rate<br />
monotonic analysis (RMA) effort. One <strong>of</strong> <strong>the</strong> faculty joined <strong>the</strong> <strong>SEI</strong> full time and was joined by<br />
experienced engineers in <strong>the</strong> <strong>SEI</strong> who had Ada and real-time experience. Toge<strong>the</strong>r <strong>the</strong>y applied<br />
<strong>the</strong> <strong>the</strong>ory, helped develop fur<strong>the</strong>r modifications, and demonstrated that a previously poorly understood<br />
concept <strong>of</strong> priority inversion could be analytically predicted and prevented. Rate monotonic<br />
analysis was quickly transitioned to enable defense industry s<strong>of</strong>tware engineers to build realtime<br />
schedulers that avoid priority inversion and meet all required schedule constraints [Sha<br />
1984]. RMA was applied in <strong>the</strong> Navy’s BSY-1 (Submarine Special Surveillance and Control)<br />
Trainer, and <strong>the</strong> Air Force’s F-22. RMA has become state <strong>of</strong> <strong>the</strong> practice in developing real-time<br />
systems. RMA influenced several standards, including Futurebus, POSIX, real-time CORBA, <strong>the</strong><br />
Ada language, and <strong>the</strong> Navy Next Generation Computer Resources (NGCR), and is credited with<br />
helping NASA restart <strong>the</strong> Mars Pathfinder in 1998 after a system shutdown. The transition was so<br />
successful that it became <strong>the</strong> model for effective technology transition at <strong>the</strong> <strong>SEI</strong> [Fowler 1993,<br />
1995].<br />
Ano<strong>the</strong>r complication for DoD real-time embedded systems is that <strong>the</strong>y <strong>of</strong>ten have a safety-critical<br />
component that must interact with o<strong>the</strong>r components. For example, <strong>the</strong> flight control component<br />
in an autopilot is certified to DO178B Level A (<strong>the</strong> highest level); however, it needs to accept<br />
guidance commands from a flight guidance system that is only certified to Level C.<br />
Never<strong>the</strong>less, avionics certification requires that Level A s<strong>of</strong>tware must still function correctly in<br />
spite <strong>of</strong> <strong>the</strong> s<strong>of</strong>tware failures in less critical components [DO-178B 1992, RTCA 1992]. The <strong>SEI</strong><br />
developed an architecture template, called <strong>the</strong> Simplex architecture, that supports overall safety<br />
when a system is composed <strong>of</strong> both reliable/safe components and less reliable/less safe components<br />
[Sha 2001]. This architecture divides a system into two parts: a complex component that<br />
cannot be fully verified but is needed to provide important services, and a high-assurance control<br />
subsystem that is simple and fully verified. It is designed so that (a) complex components cannot<br />
corrupt or interfere with <strong>the</strong> execution <strong>of</strong> <strong>the</strong> high-assurance system, and (b) <strong>the</strong> data and/or commands<br />
from <strong>the</strong> complex component will not be used unless <strong>the</strong> resulting system state can be<br />
checked in real time that it remains well within <strong>the</strong> safety and stability envelope. O<strong>the</strong>rwise, <strong>the</strong><br />
safety controllers put <strong>the</strong> system into safety mode. The Simplex architecture also ensures predictable<br />
and guaranteed timing behaviors in spite <strong>of</strong> failures <strong>of</strong> complex components and provides <strong>the</strong><br />
ability to restart or replace complex components during operation. Simplex architecture also enables<br />
switching <strong>the</strong> control to alternative components safely. The prototype s<strong>of</strong>tware was used to<br />
demonstrate <strong>the</strong> concept on an F-16 advanced maneuvering control study using Lockheed Mar-<br />
CMU/<strong>SEI</strong>-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 21<br />
Distribution Statement A: Approved for Public Release; Distribution is Unlimited