What is it?
We propose to create a consortium of universities, government agencies, and the High Dependability Computing and Communication Consortiumcorporations⎯ to undertake basic, empirical, and engineering research aimed at making the creation and maintenance of computer systems a true professional discipline comparable to civil engineering and medicine⎯ disciplines people stake their lives on without question.
It will have a permanent research and education program that transforms computing practices over the next 50 years. The researchers and educators should number about 500 and be contributed by the partners.
It is envisioned to have a central base of operations in the San Francisco Bay Area, but incorporate activities around the country and, as appropriate, around the world in member organization locations.
Strategic Goals
The HDCC research agenda embodies four strategic goals.
Protect the Public. We must assure the nation's critical infrastructure services upon which individual citizens depend. To meet this strategic goal, we must identify and promote technologies that can increase confidence in the safety, reliability, trustworthiness, security, timeliness, and survivability of systems such as transportation systems and communications systems.
Protect the Consumer. We must find cost-effective means to gain assurance that enables commercial products to meet certain minimum quality standards. This includes expedited quality certification, validation, and verification; shortened times to market; simplicity of use; plug-and-play interconnection; lower lifecycle costs; and improved customer satisfaction. Confidence is needed in consumer products and services. Such products could include "smart" cars, medical devices, consumer electronics, business systems, smart houses, sensor technologies, Global Positioning System (GPS) receivers, smart cards, educational technologies, electronic commerce software packages, educational technologies, and digital libraries.
Preserve Competitiveness. Software production is the ultimate intellectual industry and there are few barriers to entry. Ten years ago we felt beleaguered because the Japanese engineering culture seemed to be dominating us in electronics and semi-conductors. Wise men (Gordon Bell, for one) said we must change the game; and, indeed, we did by making it a software/network game. But now the game is clear to all and we can expect crushing competition, not only in price but also in deep ideas. Educating more hackers will not solve our problem; we must educate new generations of sophisticated software engineers backed by new science to stay ahead in the global economic race.
Promote National Security. Dependability is most crucial to military systems that are used to defend our national interests. National security will require defense-in-depth protection services and assurance that those services will perform as required. However, economic reality will dictate that these services be accomplished using largely commercial rather than specifically military technology.
Scope
The relentless pressure to keep up with "Internet Time" results in most organizations using ad hoc approaches to survive on a daily basis, with no time or energy left for long-term investments in surviving the coming months and years. While such an approach can be made to work in the short term, it is inherently inadequate at addressing trends over the span of years or decades. Instead, it is vital that a concerted effort be made to prepare for downstream problems in a number of key areas. The long-term scope will evolve as appropriate to address the hard, long-term problems facing us. Current areas include:
-
Use of off-the-shelf components: Most systems now rely heavily on the use of commercial off-the-shelf (COTS) technology for hardware and/or software for reasons of cost and time to market. Many current approaches to creating dependable systems assume complete control and understanding of system components⎯ an assumption that is simply not representative of the majority of systems that must be built. And, even if complete understanding of components were possible, the marketplace is such that components become obsolete and are replaced many times over during the production and deployment life of many critical systems. New techniques are urgently needed to create highly dependable systems from "black-box" components that continually change. Previously useful approaches and simpler forms of analysis (e.g., old notions of creating components based on separation of concerns and creating systems based on synthesis rather than component composition no longer work for every situation).
-
Use of complex, non-dependable components: Achieving high confidence is becoming more difficult as systems become more complex. Today's trends of large-scale use of component technology, increased integration, continuous evolution, and larger scale are yielding more complex systems. Furthermore, such systems are often build of complex components that are not inherently dependable. Not only is it difficult to get such systems to work in the first place, but furthermore such systems frequently exhibit unpredictable emergent behaviors at inopportune moments. New ways to create dependable systems from complex components are urgently needed.
-
Hostile operating environments: Lacking adequate protection, today's information and communications systems are being subjected to numerous malicious attacks. New and advanced techniques are required to achieve required levels of system integrity and availability. Protection against both active and insider threats must be developed. Methods are needed for system monitoring, detection, response, and recovery.
-
Embedded Systems: Embedded computer systems are arguably both more difficult to make dependable, and more in need of complete dependability. Because they often do not have a human operator acting as a safety net, embedded systems must achieve absolutely bulletproof operation over years or decades of time. But, because the actual amount of computational power used is small, such systems are often perceived as easy to build and are often created by engineers or technicians with no formal training in software engineering or critical system design. Whereas desktop computers are built in the tens of millions per year, embedded microcontrollers are produced in the billions⎯ soon to be tens of billions per year. The challenge is how to scale high assurance methods down to the budgets, timelines, and skill sets prevalent in the embedded system world.
-
Ubiquitous critical systems: The days of critical systems being a niche market are over. Many everyday safety critical systems will soon have or already have software in them. Consider, for example, a domestic hot water heating system, which can cause scalding burns if it drifts even a few degrees higher than its set point. Or, consider an Internet-based stock trading system that can bankrupt a user who (foolishly) depends on typical response times being available during a stock market meltdown. As we entrust our lives and livelihoods to computers, many systems will effectively become critical. A challenge here is how to proliferate good practice in highly dependable system design to everyday practitioners rather than a few select critical system designers in niche fields such as nuclear power and aerospace applications.
-
Indirectly critical systems: As computer systems are becoming highly complex, so is our society. While the number of critical systems is growing, the number of indirectly critical systems also grows. For example, the software that routes messages for a personal pager system becomes indirectly critical when it transmits the page for an emergency room physician to respond to a crisis. Similarly, database software becomes indirectly critical when it identifies owners of vehicles subject to an urgent recall notice or is used to look up emergency contact information. Even a simple word processor can become mission critical if it crashes a few minutes before the courier pickup deadline for a proposal submission. It is vital that even everyday, seemingly non-critical, applications be raised to a higher level of dependability to reduce the enormous hidden costs their unreliability levies on businesses and individuals.
-
International markets: The U.S. is not alone in its growing dependence on computing throughout industries having safety-critical aspects. This is especially true in transportation, health care, energy, and manufacturing sectors. However, many areas do not have the technical and labor infrastructures to support critical system operation. It will be imperative to create dependable systems that can operate properly even with shortages of repair parts, scarce availability of skilled operators/maintainers, and erratically available infrastructure support.
Activities
Six research and education activities will contribute to the HDCC strategic goals:
-
Provide a sound theoretical, scientific and technological basis for assured construction of safe, secure systems. To meet this goal, the research agenda must:
- achieve the capability to specify, compose, analyze, and assess system behavioral properties,
- furnish the capability to enforce specific behavioral properties, and
- furnish the capability to be more predictably tolerant of specified behavioral failures including malicious attack.
These are still hot topics in universities despite the general acceptance of C (and perhaps, someday, Java) as do-everything programming languages. Ultimately the proper and reliable functioning of a system depends upon people describing their designs in a formal specification, namely a language. When the language is shaky, the entire edifice will be built on a soft foundation. Special areas of interest include applications of logic, techniques for designing and implementing programming languages, and formal specification and verification of hardware and software systems. It is important to apply these techniques to problems of realistic scale and complexity, for example: implementation of high speed network communication software and application of type theoretic principles in the construction of compilers for proof carrying code. For Carnegie Mellon activities in principles of programming see
-
Develop hardware, software, and system engineering tools that incorporate ubiquitous, application-based, domain-based, and risk-based assurance. To meet this goal the HDCC research agenda must:
- furnish the methods, tools, and environments necessary for the design, construction, and evaluation of behavioral enforcement mechanisms; and
- establish indicators and characteristics of overall system confidence in the achieved behavioral properties gained through the application of such methods, tools and environments.
Software Engineering has grown into a field of Computer Science in its own right. Its aim is that systems constructed from software can attain the same reliability and predictability as bridges and other symbols of engineering excellence. At Carnegie Mellon much of the research and education in this field is conducted by the Institute for Software Research () and the Software Engineering Institute ().
-
Reduce the effort, time, and cost of assurance and quality certification processes. To meet this goal, the HDCC research agenda must:
- furnish the means to improve the productivity of information system design, development, and analysis,
- while simultaneously improving the levels of confidence that can be achieved through such productivity enhancements.
The industrial use of system analysis and verification tools has been limited, but university researchers have made considerable progress in producing tools that find bugs in real hardware and software. So far, most of the success has been in hardware where complexity is lower and specifications cleaner; but there have been promising successes in software as well. For Carnegie Mellon activities in formal systems see
-
Understand the human problems in creating, maintaining, and using computer systems. This has become a vital area of research as computers have become ubiquitous. Seat-of-the-pants design might have been sufficient when the users of computers were engineers, scientists, and programmers; but now a deep understanding of human capabilities must be built into design because the users are often very different from the designers. "Pilot error" is the most frequently cited cause of airline mishaps, and "programmer error" is similarly often the purported cause of software defects, except in the frequent case in which problems are blamed on "user error". We need to understand and account for the capabilities of both the designers and end users of systems. For Carnegie Mellon activities in human-computer interaction see .
-
Provide measures of results. To meet this goal, the HDCC research agenda must:
- develop measures of performance and measures of effectiveness for use in quantifying and qualifying the progress of improvements in system-level confidence that can be achieved through the application of HDCC technologies.
- Further, the agenda must show through such measures that the benefits achieved are cost effective.
One reason to do system fault discovery is to find a metric. Fault discovery is only somewhat helpful as a debugging technique⎯ it is much more powerful as a quality assurance technique in support of building dependable systems. For some Carnegie Mellon research in this area see
-
Promote software engineering education. Currently, de facto software engineers coming from universities are emerging from departments of computer science and engineering. Unfortunately the computer scientists are often too theoretical while the engineers are often too hardware-oriented. What is needed is professional education akin to what medical doctors receive, but nobody is doing it. Both software engineering research and education must have strong connections to practice: education needs a practical setting to develop skill, and research needs access to real problems that expose the deep issues involved in real-world development.
We should create an institution that serves software engineering as a teaching hospital serves medicine. Students would learn in the context of real cases. Clinical faculty would both practice and teach. Research would exploit access to real cases and data. We would provide a development laboratory in which real software developers produce real software for real clients. Developers would interact with researchers to infuse the research agenda with visibility into real problems, and developers can take advantage of research results. Students would learn through direct experience in a real⎯ not just "realistic"⎯ setting. Clinical faculty would be skilled professional software developers and have significant responsibilities for both teaching and software production
Who Should Participate
As shapers of the future, universities should address the software quality problem now, before the world at large sees a crisis. Just as John Hopkins led a reform in medical practice in the early 20th century, we can lead a reform in software practice now. Fortunately, this effort needn't begin from scratch because computer scientists and academic software engineers have always taken the issue of software quality seriously. Computer science's first gift to industry was the programming language, which has now been thoroughly digested and exploited. It's time to continue that tradition with a practical, but comprehensive way to create and operate dependable systems.
The universities whose faculty have expressed interest so far are Carnegie Mellon, Georgia Institute of Technology, MIT, and the Universities of California and Washington. Collectively, these schools have diverse group of researchers already attacking the problem and a strong commitment to engineering education.
For inspiration, look to a 15th century character, Prince Henry the Navigator of Portugal. He was the first great program manager. Intent on finding a westward route to India, he founded schools for navigators and research into shipbuilding. Columbus et al. were the ultimate instruments of his foresighted plan. He died long before 1492. While the government's role should not really be to seek silver bullets to solve any one problem, they have a definite role to play in leading and creating a real movement.
The government agency members should include:
- NASA because it has extraordinary requirements for high assurance systems.
- DARPA because of its 50-year commitment to computer science research, and the military's need for high assurance systems.
- Industry
The major event in the last twenty years in the computer field is that the industry has taken the lead in the creation of real systems. The academically oriented ACM Software and Systems Award has been going to industrial projects since 1982: UNIX, System R, and the Alto System, to name a few. Some of Software Engineering's academic leaders (Fred Brooks, Barry Boehm, Watts Humphreys, and David Garlan) developed their insights in industrial settings and then moved to continue work in academe. It is essential that experienced engineers from industry contribute their wisdom to subsequent generations
The following companies have expressed an interest in the project and signed a memorandum of understanding committing to a planning process: Adobe Systems, Compaq, Hewlett-Packard, IBM , Ilog, Marimba, Microsoft, Novell, SGI, Siebel Systems, SUN Microsystems, and Sybase.
