Bruce G. Labaw

Automated consistency checking of requirements specifications

This article describes a formal analysis technique, called consistency checking, for automatic detection of errors, such as type errors, nondeterminism, missing cases, and circular definitions, in requirements specifications. The technique is designed to analyze requirements specifications expressed in the SCR (Software Cost Reduction) tabular notation. As background, the SCR approach to specifying requirements is reviewed. To provide a formal semantics for the SCR notation and a foundation for consistency checking, a formal requirements model is introduced; the model represents a software system as a finite-state automation which produces externally visible outputs in response to changes in monitored environmental quantities. Results of two experiments are presented which evaluated the utility and scalability of our technique for consistency checking in real-world avionics application. The role of consistency checking during the requirements phase of software development is discussed.

SCR*: A Toolset for Specifying and Analyzing Software Requirements

A controversial issue in the formal methods community is the degree to which mathematical sophistication and theorem proving skills should be needed to apply a formal method and its support tools. This paper describes the SCR (Software Cost Reduction) tools, part of a “practical” formal method—a. method with a solid mathematical foundation that software developers can apply without theorem proving skills, knowledge of temporal and higher order logics, or consultation with formal methods experts. The SCR method provides a tabular notation for specifying requirements and a set of “light-weight” tools that detect several classes of errors automatically. The method also provides support for more “heavy-duty” tools, such as a model checker. To make model checking feasible, users can automatically apply one or more abstraction methods.

Consistency checking of SCR-style requirements specifications

The paper describes a class of formal analysis called consistency checking that mechanically checks requirements specifications, expressed in the SCR tabular notation, for application independent properties. Properties include domain coverage, type correctness, and determinism. As background, the SCR notation for specifying requirements is reviewed. A formal requirements model describing the meaning of the SCR notation is summarized, and consistency checks derived from the formal model are described. The results of experiments to evaluate the utility of automated consistency checking are presented. Where consistency checking of requirements fits in the software development process is discussed.

SCR: a toolset for specifying and analyzing requirements

A set of CASE tools is described for developing formal requirements specifications expressed in the SCR (Software Cost Reduction) tabular notation. The tools include an editor for building the specifications, a consistency checker for testing the specifications for consistency with a formal requirements model, a simulator for symbolically executing the specifications, and a verifier for checking that the specifications satisfy selected application properties. As background, the SCR method for specifying requirements is reviewed and a formal requirements model is introduced. Examples are presented to illustrate the tools.

MT: A toolset for specifying and analyzing real-time systems

This paper introduces MT, a collection of integrated tools for specifying and analyzing real-time systems using the Modechart language. The toolset includes facilities for creating and editing Modechart specifications. Users may symbolically execute the specifications with an automatic simulation tool to make sure that the specified behavior is what was intended. They may also invoke a verifier that uses model-checking to determine whether the specifications imply (satisfy) any of a broad class of safety assertions. To illustrate the toolsets capabilities as well as several issues that arise when formal methods are applied to real-world systems, the paper includes specifications and analysis procedures for a software component taken from an actual Naval real-time system.<<ETX>>

Tools for formal specification, verification, and validation of requirements

Although formal methods for developing computer systems have been available for more than a decade, few have had significant impact in practice. A major barrier to their use is that software developers find formal methods difficult to understand and apply. One exception is a formal method called SCR for specifying computer system requirements which, due to its easy to use tabular notation and its demonstrated scalability, has already achieved some success in industry. Recently a set of software tools, including a specification editor, a consistency checker, a simulator, and a verifier has been developed to support the SCR method. This paper describes recent enhancements to the SCR tools: a new dependency graph browser which displays the dependencies among the variables in the specification, an improved consistency checker which produces detailed feedback about detected errors, and an assertion checker which checks application properties during simulation. To illustrate the tool enhancements, a simple automobile cruise control system is presented and analyzed.

The SCR method for formally specifying, verifying, and validating requirements: tool support

I N T R O D U C T I O N Given the high frequency of requirements errors, the serious accidents they may cause, and the high cost of correcting them, techniques for improving the quality of requirements specifications and for early detection of requirements errors are crucial. One promising approach to reducing software errors is to apply formal methods to the requirements specification. Using a formal notation to specify requirements can reduce errors by reducing ambiguity and imprecision. Applying formal analysis to the requirements specification can detect many classes of errors, some automatically. The SCR (Software Cost Reduction) requirements method, which is based on a tabular notation, is a formal method for specifying the requirements of real-time, embedded systems introduced more than a decade ago by the A-7 project. Designed for use by engineers, the SCR method has been applied to a variety of practical systems, including avionics systems, telephone networks, and safety-critical components of nuclear power plants. Recently, a version of SCR was used to specify the requirements of Lockheed’s C-130J Operational Flight Program (OFP) [a]. The OFP contains more than 100K of Ada code, thus demonstrating the scalability of the SCR method. While the above applications of SCR rely on manual techniques, effective use of the method in industry will require powerful and robust tool support. A significant barrier to industrial use of formal methods to date has been the weakness of the methods associated with given formalisms. Although much attention has been focused on the f o r m a l aspects of formal methods, too little effort has been devoted to the supporting methods. To be useful in practice, formal methods must not only provide * This work was supported by ONR and SPAWAR. http:/ /www.itd.nrl .ny.~l /ITD/554O/perso~el /heitmeyer.ht~ rigor, they must also be usable by software developers and supported by robust, well-engineered tools. In many practical cases, a large amount of detail is required to apply a formal method. This detail is unmanageable without some automation. SCR* (also called STSR) is an integrated suite of tools supporting the SCR requirements method [4]. The tools include a specification editor for creating and modifying a requirements specification, a dependency graph browser for displaying the dependencies among the variables in the specification, a s imu la tor for symbolically executing the system based on the specification, a consis tency checker for checking the specification for application-independent properties (e.g., type correctness and completeness), and a verif ier for analyzing the specification for critical application properties. SCR METHOD: B A C K G R O U N D In SCR, the required system behavior is described by a mathematical relation between monitored variables, denoting environmental quantities that the system monitors, and controlled variables, denoting environmental quantities that the system controls. To specify this relation concisely, our method uses conditions, events, and tables. A condi t ion is a predicate defined on one or more variables in the specification. An event occurs when any variable changes value. The environment changes monitored quantities, thus causing i npu t events . In response, the system may change the value of one or more controlled quantities. Each SCR table specifies the required value of a variable as a mathematical function defined on conditions and events. Among the tables in SCR specifications are condition tables, event tables, and mode transition tables. The tables facilitate industrial application of the SCR method. Not only do engineers find tables relatively easy to understand and to develop; in addition, tables can describe large quantities of requirements information concisely. SCR Requirements Model. To provide a precise and detailed semantics for the SCR method, our requirements model represents the system to be built as a finite state automaton and describes the monitored and control variables, conditions, events, and other constructs that make up an SCR specification in terms of that automaton [7]. Our automaton model represents all monitored and controlled quantities, even those which are naturally continuous, as discrete variables. Moreover, because our model initially abstracts away timing and imprecision, it describes the “ideal” system behavior. The system requirements are easier to specify and to

Applying the SCR requirements method to a weapons control panel: an experience report

A major barrier to the use of formal methods in software practice is the difllculty software developers have understanding and applying the methods. To overcome this barrier, a requirements method called SCR (Software Cost Reduction) offers a user-friendly tabular notation to specify software requirements and a collection of easytouse tools that automatically detect many classes of errors in requirements specifications. This paper describes our experience in applying the SCR method and tools to a safety-critical military application-the problems encountered in translating the original contractorproduced software requirements specification into SCR and the lessons learned in applying the SCR technology to a practical system. The short time required to apply the SCR method, the serious safety violation detected, and the working system prototype produced demonstrate the utility and potential cost-effectiveness of SCR for developing safety-critical systems.

Engineering CASE tools to support formal methods for real-time software development

A prototype toolset that provides comprehensive support for constructing verifiably correct real-time systems is described. The toolset supports the development of specifications in the graphical Modechart language and several methods for improving the correctness of the specifications, including formal verification, simulation, and consistency and completeness checking. An engineering approach for developing the toolset is presented that integrates software engineering principles, prototyping, and early and continued focus on user interface design. Contributions that the toolset effort makes to computer-aided software engineering (CASE) support for formal methods are summarized.<<ETX>>

An approach to monitoring and assertion-checking of real-time specifications

The paper describes the development of a monitoring and assertion checking tool, MAC, which supports monitoring of symbolic execution traces generated by the Modechart Toolset, permitting testing of specifications early in the design phase and providing a mechanism for evaluating properties of the system on a particular execution trace. This approach avoids many of the difficulties of run time monitoring and testing such as interference and the probe effect. Monitoring and assertion checking capabilities are provided by the automatic translation of assertions in a declarative language (such as Real Time Logic) into monitoring fragments, written in Modechart, which augment the original specification to perform monitoring and assertion checking during simulation.