Her research interests are in architecture-based, component-based and service-oriented test methodologies, as well as methods for analysis of non-functional properties.

Certification of modeling and simulation (M&S) applications poses significant technical challenges for M&S program managers, engineers, and practitioners. Certification is becoming increasingly more important as M&S applications are used more and more for military training, complex system design evaluation, M&S-based acquisition, problem solving, and critical decision making. Certification, a very complex process, involves the measurement and evaluation of hundreds of qualitative and quantitative elements, mandates subject matter expert evaluation, and requires the integration of different evaluations. Planning and managing such measurements and evaluations requires a unifying methodology and should not be performed in an ad hoc manner. This paper presents such a methodology. The methodology consists of the following body of methods, rules, and postulates: (a) employment of subject matter experts, (b) construction of a hierarchy of indicators, (c) relative criticality weighting of indicators using the analytic hierarchy process, (d) using a rule-based expert knowledge base with an object-oriented specification language, (e) assignment of crisp, fuzzy, and nominal scores for the indicators, (f) aggregation of indicator scores, (g) graphical representation of the indicator scores and weights, (h) hypertext certification report, and (i) interpretation of the results. The methodology can be used for certification of any kind of M&S application either throughout the M&S development life cycle or after the development is completed.

CIRCA is an architecture for real-time intelligent control. The CIRCA planner can generate plans that are guaranteed to maintain system safety, given certain timing constraints. To prove that its plans guarantee safety, CIRCA relies on formal verification methods. However, in many domains it is impossible to build 100 % guaranteed safe plans, either because it requires more resources than available, or because the possibility of failure simply cannot be eliminated. By extending the CIRCA world model to allow for uncertainty in the form of probability distribution functions, we can instead generate plans that maintain system safety with high probability. This paper presents a procedure for probabilistic plan verification to ensure that heuristically-generated plans achieve the desired level of safety. Drawing from the theory of quality control, this approach aims to minimize verification effort while guaranteeing that at most a specified proportion of good plans are rejected and bad plans accepted.

Abstract: The evaluation of software architectures is crucial to ensure that the design of software systems meets the requirements. We present a generic methodical framework that enables the evaluation of component-based software architectures. It allows to determine system characteristics on the basis of the characteristics of its constituent components. Basic prerequisites are discussed and an overview of different architectural views is given, which can be utilised for the evaluation process. On this basis, we outline the general process of evaluating software architectures and provide a taxonomy of existing evaluation methods. To illustrate the evaluation of software architectures in practice, we present some of the methods in detail. 1

One of the most compelling reasons for adopting component-based approaches to software development is the premise of reuse. The idea is to build software from existing components primarily by assembling and

Using arguments based on an analysis of the state of the art in the field of software reliability estimation and related practice, we warn practitioners that the road to reliability estimation is fraught with peril. Our analysis is based on several factors, with key factors including (a) difficulties in estimating accurate operational profiles, and (b) inaccuracies in reliability estimates caused by erroneous operational profiles and/or invalid model assumptions. To circumvent these perils, we advocate new approaches to software reliability estimation, particularly robust approaches with minimal model assumptions, and approaches which combine failure data with code coverage data. 1 Introduction Existing methods for estimating software reliability are fraught with risk. We present a critique of such methods and encourage new approaches which seek to reduce or eliminate factors that imperil the development and use of reliable software. Indeed, many researchers have recognized problems a...

This paper considers the problem of certifying the reliability of a software system that can be decomposed into a finite number of modules. It uses a Markovian model for the transfer of control between modules in order to develop the system reliability expression in terms of the module reliabilities. A test procedure is considered in which only the individual modules are tested and the system is certified if, and only if, no failures are observed. The minimum number of tests required of each module is determined such that the probability of certifying a system whose reliability falls below a specified value R 0 is less than a specified small fraction b. This sample size determination problem is formulated as a two-stage mathematical program and an algorithm is developed for solving this problem. Two examples from the literature are considered to demonstrate the procedure. Keywords: Software reliability; Modular Tests; Sample Size Determination; Mathematical Programming 1 1. Introduc...

Conventional knowledge engineering techniques for acquiring experts' knowledge can not produce quality knowledge due to improper knowledge documentation and informal knowledge acquisition method. We propose a new method for knowledge documentation and acquisition using Specification and Description Language (SDL). SDL is used to describe both the target system and the reasoning process. The main idea is to follow deterministic problem solving behavior of human experts and document it. Then knowledge can be extracted by comparing documents of the successive steps. This knowledge is recorded and reused in similar or novel cases. We present an implementation of this method in a tool for software design. The implemented system consists of a SDL CASE tool and an expert system for applying the design knowledge. This system serves as an experimental platform for the study of human design by simulating the design at the lowest level. However, we have found that by acquiring enough domain knowledge, this system can simulate general problem solving of human experts.

A simulation model is successful if it leads to policy action, i.e., if it is implemented. Studies show that for a model to be implemented, it must have good correspondence with the mental model of the system held by the user of the model. The user must feel confident that the simulation model corresponds to this mental model. An understanding of how the model works is required. Simulation models for implementation must be developed step by step, starting with a simple model, the simulation prototype. After this has been explained to the user, a more detailed model can be developed on the basis of feedback from the user. Software for simulation prototyping is discussed, e.g., with regard to the ease with which models and output can be explained and the speed with which small models can be written.

this paper we show how the problem of job-shop scheduling where the jobs are preemptible can be modeled naturally as a shortest path problem defined on an extension of timed automata, namely stopwatch automata where some of the clocks might be freezed at certain states. Although general verification problems on stopwatch automata are known to be undecidable, we show that due to particular properties of optimal schedules, the shortest path in the automaton belongs to a finite subset of the set of acyclic paths and hence the problem is solvable. We present several algorithms and heuristics for finding the shortest paths in such automata and test their implementation on numerous benchmark examples