Jon Damon Reese

Requirements specification for process-control systems

The paper describes an approach to writing requirements specifications for process-control systems, a specification language that supports this approach, and an example application of the approach and the language on an industrial aircraft collision avoidance system (TCAS II). The example specification demonstrates: the practicality of writing a formal requirements specification for a complex, process-control system; and the feasibility of building a formal model of a system using a specification language that is readable and reviewable by application experts who are not computer scientists or mathematicians. Some lessons learned in the process of this work, which are applicable both to forward and reverse engineering, are also presented. >

Model checking large software specifications

In this paper we present our results and experiences of using symbolic model checking to study the specification of an aircraft collision avoidance system. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in the question of whether or not model checking techniques can be applied to large software specifications.To investigate this, we translated a portion of the finite-state requirements specification of TCAS II (Traffic Alert and Collision Avoidance System) into a form accepted by a model checker (SMV). We successfully used the model checker to investigate a number of dynamic properties of the system.We report on our experiences, describing our approach to translating the specification to the SMV language and our methods for achieving acceptable performance in model checking, and giving a summary of the properties that we were able to check. We consider the paper as a data point that provides reason for optimism about the potential for successful application of model checking to software systems. In addition, our experiences provide a basis for characterizing features that would be especially suitable for model checkers built specifically for analyzing software systems.The intent of this paper is to evaluate symbolic model checking of state-machine based specifications, not to evaluate the TCAS II specification. We used a preliminary version of the specification, the version 6.00, dated March, 1993, in our study. We did not have access to later versions, so we do not know if the properties identified here are present in later versions.

Software deviation analysis

Jon Damon Reese Dept. of C.S.E. University of Washington Box 352350 Seattle, WA 98195, U.S.A. +1 (206) 616-1844 jdreese@cs. washington.edu Validation of software requirements is an important part of software engineering. This paper describes a new safety analysis technique called software deviation analysis to help identify weaknesses in how software handles an imperfect environment. The technique propagates deviations in software inputs to output deviations. A qualitative analysis is used to improve the search efficiency.

Designing specification languages for process control systems: lessons learned and steps to the future

Previously, we defined a blackbox formal system modeling language called RSML (Requirements State Machine Language). The language was developed over several years while specifying the system requirements for a collision avoidance system for commercial passenger aircraft. During the language development, we received continual feedback and evaluation by FAA employees and industry representatives, which helped us to produce a specification language that is easily learned and used by application experts. Since the completion of the RSML project, we have continued our research on specification languages. This research is part of a larger effort to investigate the more general problem of providing tools to assist in developing embedded systems. Our latest experimental toolset is called SpecTRM (Specification Tools and Requirements Methodology), and the formal specification language is SpecTRM-RL (SpecTRM Requirements Language). This paper describes what we have learned from our use of RSML and how those lessons were applied to the design of SpecTRM-RL. We discuss our goals for SpecTRM-RL and the design features that support each of these goals.

Integrated safety analysis of requirements specifications

This paper describes an integrated approach to safety analysis of software requirements and demonstrates the feasibility and utility of applying the individual techniques and the integrated approach on the requirements specification of a guidance system for a high-speed civil transport being developed at NASA Ames. Each analysis found different types of errors in the specification; thus together the techniques provided a more comprehensive safety analysis than any individual technique. We also discovered that the more the analyst knew about the application and the model, the more successful they were in finding errors. Our findings imply that the most effective safety-analysis tools will assist rather than replace the analyst.

Experiences using statecharts for a system requirements specification

Some lessons learned and issues raised while building a system requirements specification for a real aircraft collision avoidance system using statecharts are described. Some enhancements to statecharts were necessary to model the complete system and a few notational changes were made to improve reviewability.<<ETX>>

SpecTRM: a CAD system for digital automation

SpecTRM (specification tools and requirements methodology) is a system engineering environment to support modeling and analysis during requirements generation, functional decomposition and tradeoff analysis, subsystem specification, implementation, verification, and system maintenance and evolution. A general goal is to build bridges among disciplines by providing integrated specifications and modeling tools that can be used by system engineers, software engineers, hardware engineers, and human factors experts. We also hope to provide seamless transitions and mappings between the various system development and maintenance stages. Because many automated real-time systems have safety-critical aspects, SpecTRM provides support for hazard analysis and building safety into the design. The safety information and activities on a project are integrated into the development and decision making environment.

Safety analysis tools for requirements specifications

The paper describes safety analysis tools that have been developed for a state based requirements specification language called Requirements State Machine Language (RSML). These tools include a simulator that allows for forward and backward execution of RSML specifications, a fault tree generator that is based on backward simulation, tools to check for consistency and completeness of specifications, and additional safety analysis techniques. An example requirements specification for an Automated Highway System (AHS) is used for describing the functionality of the tools.

Creating and analyzing requirement specifications of joint human-computer controllers for safety-critical systems

The causes of many accidents in safety-critical systems, such as aircraft and nuclear pourer plants, can in part be found in the breakdown in communication between operators and computer(s) controlling the system. In this paper, we outline a method to model and analyze a controller in order to uncover potential requirement and design problems that can contribute to this communication breakdown. We illustrate the modeling and analysis techniques on a requirements specification for the guidance system of a high-speed civil transport being developed at NASA Ames. Our analysis revealed several system hazards, including potential sources of mode confusion, incomplete specification of computer response to operator input, as well as assumptions about the knowledge an operator must have in order to successfully control the aircraft.

A CAD Environment for Safety-Critical Software

The goal of the University of Washington, University of Minnesota, and Safeware Engineering Corporation Safety-Critical Systems Projects is to develop a theoretical foundation for software safety and to build a methodology upon that foundation. This paper describes the methodology and a set of safety analysis techniques (and prototype tools) to support it. The prototype tools are being developed in order to evaluate the techniques. To ensure that the procedures scale up to realistic systems, the tools and techniques are being evaluated on real systems, including TCAS II (Traffic Alert and Collision Avoidance System), an airborne collision avoidance system required on most aircraft that fly in U.S. airspace, a NASA experimental flight management system, a NASA robot used to service tiles on the Space Shuttle, and proposed upgrades to the U.S. Air Traffic Control System.