For high assurance, distributed systems, just delivering working software is insufficient. For the software to be acceptable, the customer must have confidence that it has certain critical properties (e.g., security, safety). Some of that confidence is derived from documentation that is typically a byproduct of the software development process, e.g., requirements and design specifications, test plans and results. Assurance arguments, relying on the documentation and the code as supporting evidence, and the results of applying various sorts of automated checkers (e.g., theorem provers, verifiers, model checkers) to the documentation and to the code may also contribute to confidence in the software.
The concerns of a software development method are the decisions that developers make, how developers record and organize those decisions, and how they evaluate them for important properties. While guidance on how developers make these decisions is also important, some decisions of particular interest deal with the boundary of the software with its environment; the behavior of the software that is visible at the boundary; the pieces into which the software is decomposed; and the interface that one piece of the software presents to other pieces.
In contrast, the concerns of a software development process are the ordering of the decisions and the use of resources, e.g., programmer effort, schedule. Some decisions that concern the software development process deal with when to start coding; when to deliver software; and who will do the work.
Agile development is a process focused on frequent delivery of working software and on responsiveness to customer needs. Frequent delivery of working software helps distinguish progress from motion, which can be hard to distinguish in a document-centered process that only produces working code near the end of development. Agile development is code-centric; it largely forgoes developing and delivering work products other than code, e.g., requirements and design models.
In stark contrast to agile development, model-driven development's defining characteristic is that software development's primary focus and products are models rather than computer programs. Model-driven development's full benefits can only be achieved when it generates complete programs from models (as opposed to just code skeletons and fragments).
As with software development in general, high assurance software development suffers from the sort of problems that agile development's ability to distinguish progress and motion can ameliorate. High assurance projects go over budget and schedule, fail to deliver promised functionality on time, or fail to deliver at all. Being able to discern early that while the project is generating many documents, it is making no progress toward delivering a system can make it possible to fix project problems before it is too late. However, applying agile development to high assurance software is problematic: a key principle eschews exactly the documentation that assurance arguments require as evidence.
What is needed is a software development method and its associated tool set, which support an incremental, iterative, model-driven process to build and maintain high assurance distributed software systems. More specifically, what is needed is a system and method that will enable a user to create a set of interconnected models addressing distinct concerns of software development that provide documentation supporting high assurance certification efforts, that tools can analyze for important classes of errors, that support maintenance and reuse of the models, and from which tools can generate complete distributed software systems.