Cleanroom Software Engineering Technology and Process Stacy J. Prowell Carmen J. Trammell Richard C. Linger Jesse H. Poore ▲ ▼▼ Addison-Wesley An imprint of Addison Wesley Longman, Inc. Reading,Massachusetts Menlo Park,California New York Don Mills,Ontario Wokingham,England Amsterdam Bonn Sydney Singapore Tokyo Madrid San Juan Paris Milan Software Engineering Institute The SEI Series in Software Engineering Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book,and Addison-Wesley was aware of a trademark claim,the designations have been printed in initial caps or all caps. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers discounts on this book when ordered in quantity for special sales. For more information,please contact: Corporate,Government,and Special Sales Addison Wesley Longman,Inc. One Jacob Way Reading,Massachusetts 01867 (781) 944-3700 Library of Congress Cataloging-in-Publication Data Cleanroom software engineering :technology and process / Stacy Prowell ...[et al.]. p. cm. Includes bibliographical references and index. ISBN 0-201-85480-5 1. Software engineering. I. Prowell,Stacy. QA76.758.C535 1998 005.1—dc21 98–38520 CIP Portions of the following publications are used in this book with the permission of CMU/SEI: Linger,R.C. and Trammell,C.J.,Cleanroom Software Engineering Reference Model Version 1.0,CMU/SEI-96-TR-022. Linger,R.C.,Paulk,M.C.,and Trammell,C.J.,Cleanroom Software Engineering Implementation of the Capability Maturity ModelSMfor Software,CMU/SEI-96-TR-023. ®CMM is registered in the U.S. Patent and Trademark Office. SMCapability Maturity Model is a service mark of Carnegie Mellon University. Copyright ©1999 by Addison Wesley Longman,Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,or transmitted,in any form,or by any means,electronic,mechanical,photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada. ISBN 0-201-85480-5 Text printed on recycled and acid-free paper. 1 2 3 4 5 6 7 8 9 10—MA—0302010099 First printing,February 1999. This book is dedicated to the founder of Cleanroom software engineering, Dr. Harlan D. Mills (1919–1996), whose insights into the mathematical foundations of software have had a profound and enduring impact on countless students, practitioners,managers,organizations, and the entire software engineering profession. —STACYJ. PROWELL, CARMENJ. TRAMMELL, RICHARDC. LINGER, JESSEH. POORE, 1999 This page intentionally left blank Contents Preface ix Introduction xi Part I Cleanroom Software Engineering Fundamentals 1 1 Cleanroom Overview 3 1.1 Economic Production of High-Quality Software 3 1.2 Cleanroom Foundations 4 1.3 Cleanroom Technologies 8 1.4 The Cleanroom Process 13 1.5 Relationship of Cleanroom to Other Practices 15 1.6 Cleanroom Project Experience 18 1.7 References 18 1.8 Suggested Reading 19 2 Cleanroom Management by Incremental Development 21 2.1 Benefits of Incremental Development 22 2.2 Theoretical Foundations of Incremental Development 25 2.3 Increment Planning in Practice 28 2.4 Incremental Development in Practice 30 2.5 References 32 v vi Contents 3 Cleanroom Software Specification 33 3.1 Box Structures for Cleanroom Specification and Design 34 3.2 The Sequence-Based Specification Process 43 3.3 Example:Specification of a Security Alarm 46 3.4 References 59 4 Cleanroom Software Development 61 4.1 Box Structure Development 61 4.2 Clear Box Development 63 4.3 Clear Box Verification 72 4.4 Example:The Security Alarm Clear Box 81 4.5 References 90 5 Cleanroom Software Certification 91 5.1 Benefits of Statistical Testing Based on a Usage Model 91 5.2 Theoretical Foundations of Statistical Testing 93 5.3 Statistical Usage Testing in Practice 95 5.4 Example:Security Alarm 99 5.5 References 108 Part II The Cleanroom Software Engineering Reference Model 111 6 The Cleanroom Reference Model 113 6.1 An Introduction to the CRM 113 6.2 Cleanroom Process Definition Format 125 6.3 Common Cleanroom Process Elements 126 6.4 References 129 7 Cleanroom Management Processes 131 7.1 Project Planning Process 131 7.2 Project Management Process 136 7.3 Performance Improvement Process 139 7.4 Engineering Change Process 142 8 Cleanroom Specification Processes 145 8.1 Requirements Analysis Process 145 8.2 Function Specification Process 149 8.3 Usage Specification Process 154 8.4 Architecture Specification Process 160 8.5 Increment Planning Process 163 8.6 References 167 Contents vii 9 Cleanroom Development Processes 169 9.1 Software Reengineering Process 169 9.2 Increment Design Process 173 9.3 Correctness Verification Process 178 9.4 References 182 10 Cleanroom Certification Processes 183 10.1 Usage Modeling and Test Planning Process 183 10.2 Statistical Testing and Certification Process 191 10.3 References 197 11 Cleanroom and the Capability Maturity Model for Software 199 11.1 The CMM for Software 199 11.2 Cleanroom Process Mappings to CMM KPAs 202 11.3 Integrating CRM Technology and CMM Management 206 11.4 References 207 Part III A Case Study in Cleanroom Software Engineering 209 12 Satellite Control System Requirements 211 12.1 The Satellite Control System Case Study 211 12.2 Satellite Operations Software Requirements 212 12.3 Reference 219 13 Satellite Control System Black Box Specification 221 13.1 Black Box Sequence-Based Specification 221 13.2 Step 1:Define the System Boundary 224 13.3 Step 2:Enumerate Stimulus Sequences 229 13.4 Step 3:Analyze Canonical Sequences 256 13.5 Step 4:Define Specification Functions 257 13.6 Step 5:Construct the Black Box Tables 260 13.7 Removing Abstractions 269 13.8 Common Sequence Abstraction Techniques 272 14 Satellite Control System State Box Specification 277 14.1 State Box Specification 277 14.2 Step 1:Invent the State Data 278 14.3 Step 2:Construct the State Box Tables 283 viii Contents 15 Satellite Control System Clear Box Design 293 15.1 Clear Box Implementation 293 15.2 Step 1:Select a High-Level Software Architecture 294 15.3 Step 2:Select an Implementation for Stimulus Gathering 312 15.4 Step 3:Select an Implementation for Response Generation 313 15.5 Step 4:Select an Implementation for the State Data Items 316 15.6 Step 5:Select an Implementation for Each Entry in the State Box Table 317 15.7 Step 6:Reorganize the Implementations into Executable Code 338 16 Satellite Control System Testing and Certification 349 16.1 Statistical Testing 349 16.2 Step 1:Define Certification Plan 350 16.3 Step 2:Build Model Structure 352 16.4 Step 3:Determine State Transition Probabilities 377 16.5 Step 4:Validate the Usage Model 378 16.6 Step 5:Generate Test Cases, and Execute and Evaluate Results 380 Index 383 Preface This book is about Cleanroom software engineering technology and manage- ment. It provides an overview of Cleanroom for application to software engi- neering projects,and a road map for software management,development,and testing as disciplined engineering practices. It serves as an introduction for those who are new to Cleanroom software engineering and as a reference guide for the growing practitioner community. The book is organized into three parts as follows: 1. Part I:Cleanroom Software Engineering Fundamentalsis a presenta- tion of Cleanroom theory and engineering practice. The principal Cleanroom practices are described: incremental development under statistical quality control; function-based specification, development, and verification; and statistical testing based on usage models. The Cleanroom Reference Model (CRM) is introduced as a framework for an overall Cleanroom engineering process. A small example,the secu- rity alarm,is used in Part I to illustrate practices and work products. 2. Part II: The Cleanroom Software Engineering Reference Model pro- vides a process model that can be adopted,tailored,and elaborated by a software engineering organization. The CRM is expressed in 14 Cleanroom processes and 20 work products. Each process is defined in terms of anaugmented ETVX (Entry,Tasks,Verification,Exit) model. The CRM is a guide for Cleanroom project performance and process improvement. Chapter 11 relates the CRM to the Key Process Areas of the Capability Maturity Model for Software. 3. Part III:A Case Study in Cleanroom Software Engineeringpresents a large example,the satellite control system,that includes key technical ix