Jeffrey M. Thompson

Specification-based prototyping for embedded systems

Specification of software for safety critical, embedded computer systems has been widely addressed in literature. To achieve the high level of confidence in a specifications correctness necessary in many applications, manual inspections, formal verification, and simulation must be used in concert. Researchers have successfully addressed issues in inspection and verification; however, results in the areas of execution and simulation of specifications have not made as large an impact as desired. In this paper we present an approach to specification-based prototyping which addresses this issue. It combines the advantages of rigorous formal specifications and rapid systems prototyping. The approach lets us refine a formal executable model of the system requirements to a detailed model of the software requirements. Throughout this refinement process, the specification is used as a prototype of the proposed software. Thus, we guarantee that the formal specification of the system is always consistent with the observed behavior of the prototype. The approach is supported with the NIMBUS environment, a framework that allows the formal specification to execute while interacting with software models of its embedding environment or even the physical environment itself (hardware-in-the-loop simulation).

Specification and analysis of intercomponent communication

The correctness, safety and robustness of the specification of a critical system are assessed through a combination of rigorous specification capture and inspection, formal analysis of the specification, and execution and simulation of the specification. Any integrated approach to specifying critical systems should support all three activities. Embedded systems pose special challenges to the specification and analysis of intercomponent communication. The authors present a formal approach which lets the interface specifications serve as kernels that enforce safety and simple liveness constraints.

Extending the product family approach to support n-dimensional and hierarchical product lines

The software product-line approach (for software product families) is one of the success stories of software reuse. When applied, it can result in cost savings and increases in productivity. In addition, in safety-critical systems the approach has the potential for reuse of analysis and testing results, which can lead to safer systems. Nevertheless, there are times when it seems like a product family approach should work when, in fact, there are difficulties in properly defining the boundaries of the product family. The authors draw on their experiences in applying the software product-line approach to a family of mobile robots as well as case studies done by others to: (1) illustrate how domain structure can currently limit applicability of product-line approaches to certain domains, and (2) demonstrate our initial progress towards a solution using a set-theoretic approach to reason about domains of what we call n-dimensional and hierarchical product families.

On the effectiveness of slicing hierarchical state machines: a case study

Formal specifications can be hundreds of pages in length-a reflection of the size and complexity of the systems being specified. Lengthy documents are difficult to read understand, and use. Program slicing was developed to address these issues for programs. The authors apply similar techniques to formal specifications expressed as hierarchical state machines. They present a two tiered approach to slicing (or simplification) of hierarchical state machines. They have applied their techniques to a large case study and present empirical data highlighting the reduction and simplification capabilities of their approach to large specifications.

An integrated development environment for prototyping safety critical systems

The development of software for safety critical, embedded computer systems has been widely addressed in literature. Nevertheless, there does not currently exist any single environment which provides adequate support for all of the following: static analysis, system simulation, animation and visualization, specification reuse, and refinement (from high-level requirements to implementation). In this paper we present an overview of such an environment that is currently under development at the University of Minnesota concentrating on the prototyping capabilities and refinement model.

Specification based prototyping of control systems

We focus on an approach to simulation and debugging of formal software specifications for control systems called specification-based prototyping. Within the context of specification execution and simulation, specification-based prototyping combines the advantages of traditional formal specifications (e.g., precision and analysis) with the advantages of rapid prototyping (e.g., risk management and early user involvement). The approach lets us refine a formal and executable model of the system requirements specification to a detailed model of the software requirements specification. Throughout this refinement process, the specification is used as an early prototype of the proposed software. By using the specification as the prototype, most of the problems that plague traditional code-based prototyping disappear. First, the formal specification will always be consistent with the behavior of the prototype (excluding real-time response) and the specification is, by definition, updated as the prototype evolves. Second, the common problems associated with evolving the prototype into a production system are largely eliminated. Finally, the dynamic evaluation of the prototype can be augmented with formal analysis. To enable specification-based prototyping, we have developed the NIMBUS requirements engineering environment. NIMBUS, among other things, allows an engineer to dynamically evaluate an RSML/sup -e/ (Requirements State Machine Language without events) specification while interacting with (1) user input or text file input scripts, (2) RSML/sup -e/ models of the components in the embedding environment, (3) software simulations of the components, or (4) the physical components themselves (hardware-in-the-loop simulation).

Specifying and analysing system-level inter-component interfaces

In control systems, the interfaces between software and its embedding environment are a major source of costly errors. For example, Lutz reported that 20–35% of the safety-related errors discovered during integration and system testing of two spacecraft were related to the interfaces between the software and the embedding hardware. Also, the software’s operating environment is likely to change over time, further complicating the issues related to system-level inter-component communication. In this paper we discuss a formal approach to the specification and analysis of inter-component communication using a revised version of RSML (Requirements State Machine Language). The formalism allows rigorous specification of the physical aspects of the inter-component communication and forces encapsulation of communication-related properties in well-defined and easy-to-read interface specifications. This enables us both to analyse a system design to detect incompatibilities between connected components and to use the interface specifications as safety kernels to enforce safety constraints.

Specification and analysis of system level inter-component communication

In embedded systems the interfaces between software and its embedding environment are a major source of costly errors. For example, R.R. Lutz (1993) reported that 20%-35% of the safety related errors discovered during integration and system testing of two spacecraft were related to the interfaces between the software and the embedding hardware. Also, the softwares operating environment is likely to change over time further complicating the issues related to system level inter component communication. We discuss a formal approach to the specification and analysis of inter component communication using a revised version of the RSML (Requirements State Machine Language) specification language. The formalism allows rigorous specification of the physical aspects of the inter component communication and enables encapsulation of communication related properties in well defined interface specifications. This allows us to both analyze a system design and detect incompatibilities between connected components and use the interface specifications as simple safety kernels to enforce safety and sample liveness constraints.