Abstract
Introduction
The benefits and cost savings of identifying problems during the requirements development phase are well known, and methods and tools have matured to make this process feasible in industry [HLK95, BB961. For high assurance systems, formal approaches are being applied in industry. However, based on a survey of 12 industrial applications of formal methods, there were no tools used to automatically generate tests from the specifications that were developed and analyzed in support of the system verifications [CGR93] . Testing can account for 40% to 70% of the development effort [Bei83; GW941. Testing a critical system can require tens or hundreds of thousands of test cases.' Such tools are valuable in reducing manual effort and preventing manual errors in the testing process, while freeing developers to focus on the more complex task of specification development and analysis. The 
54
combination of requirement and design specification methods and tools with automatic test generation technologies could significantly reduce the cost of verification and testing. Such integration would provide stronger arguments and benefits to use and further advance specification-based methods and tools.
SCR was one of the methods surveyed in the survey of formal methods industrial applications. It was developed at the Naval Research Laboratory (NRL) [Hen80] . The SCR method has a long history, and other methods like the Consortium Requirements Engineering Method (CORE) [SPC93; FBWK921, have evolved from the original SCR method. Enhancements to CORE have also been factored into the current embodiment of the SCR method. More recently, NRL has built tools to support specification acquisition, simulation, and formal analysis [HLK95; HBGL95; HJL961. Powerful proof systems like PVS have been used to check well-formedness properties in SCR specifications [ORS95] . Model checking tools have also been applied to SCR-style specifications [ORS95; SA961. These methods and tools are important in helping to develop correct specifications. However, there is still a need to assess that an operational system complies with its specification. Testing can be used in this type of assessment.
T-VEC is an integrated development environment and associated specification and verification method [BB96] . It was used to develop two avionics systems that were certified by the Federal Aviation Administration (FAA) based on DO-178A -SofhYare Considerations in Airborne Systems and Equipment Certification [ R W ] (now DO-178B). These certification guidelines emphasize a software engineering approach, where requirement-based testing and analysis are key to supporting the assurance arguments required for certification.
One of the key tools of the T-VEC system is an automatic test vector generator; it determines test inputs, expected outputs, and a mapping of each test to the associated requirement, directly from formal specifications. A test vector generator that determines expected output values can reduce the testing effort as compared to a test case generator, where the expected output values must be determined manually. The other tools of the environment check that the specification is well-formed with respect to the model, and the specification-based coverage analyzer ensures that every unique requirement specification has at least one corresponding test vector.
Overview
This paper describes the results of an effort to integrate the SCR formal methods approach with the T-VEC automatic test vector generator and specification analysis system. An example SCR specification taken from Heitmeyer et al. [HLK95;  HJL961 was translated into the T-VEC specification language. Test vectors were generated and analyzed for several different variations of the translated specification. Although the models are very similar, the analysis of the resulting test vectors helped identify two general guidelines for the translation process:
Variables referenced in an SCR event operator must be expanded into two states when translated into the T-VEC model to adequately represent the state before and after the event. T-VEC must generate input values for each variable at both states for all specified mode combinations of the SCR variables.
The structure of the T-VEC specification must map to the ideal functions of an SCR specification so that only those constraints directly associated with an ideal function are relevant to the test vector generation and coverage analysis process.
0
These guidelines are fundamental for generating tests from specifications that use event operators to ensure that the reactive aspects of the system are implemented in the target system. The specification structuring is important for the translation process as well as the resulting design in order to associate the generated tests with requirements that must be mapped to the decisions in an implementation.
Organization of paper
Section 2 provides an overview of the SCR model and an example specification. Section 3 describes the T-VEC model and its relationship to the SCR model and language constructs. Section 4 provides an overview of the T-VEC test vector generation mechanisms, a description of the test vectors, and their relationship to the example specification. Section 5 summarizes the analysis results and the requirements for an SCR-to-T-VEC translator.
SCR model and example specification
This section presents an overview of the SCR specification constructs to support the T-VEC mapping discussion that is provided in Section 3. A more complete formal description of the SCR model can be found in [HJL96] .
The Four Variable Model [PM91; Sch901 shown in Figure 1 provides a conceptual basis for describing the artifacts that are represented in an SCR specification. 
Figure 1. Four variable model
Monitored and controlled variables represent environmental quantities. REQ and NAT relations specify the required system behavior in terms of monitored and controlled variables. NAT defines the set of possible values; it captures any constraints on behavior imposed by physical laws. REQ defines the additional constraints imposed by the system to be built. Monitored variables must be mapped through input devices where they are represented as inpuf data items; the IN relation specifies this mapping. Controlled variables are mapped as characterized by the OUT relation from output data items. The SCR model can describe system requirements or software requirements. As described in [HJL96] , the term input variable is used to represent a monitored variable or input data item, and an output variable is used to a represent a controlled variable or output data item.
There are four ather constructs that are used in the specification; these are modes, terms, conditions, and events. A mode class is a state machine, where related system states are called system modes and the transitions of the state machine are characterized by events. A term is any function in input variables, modes, or other terms. A condition is a predicate characterizing a system state. An event occurs when any system entity changes value.
Safety injection system example
The following is an example system that is presented in [HLK95; HJL961. The specification is for a Safety Injection control system. The system uses three sensors to monitor water pressure and adds coolant to the reactor core when the pressure falls below some threshold. The system operator blocks Safety Injection by turning on a Block switch and resets the system after blockage by turning on a Reset switch. Tables 8 and 9 specify the overall behavior of the system in terms of modes, events, and terms. An example interpretation of the set of all functional relationships, for all points of temporal relevance, for a given output object Given a set of boundaries for a software system, the requirements are defined in terms of the syntactic structure and semantic values associated with the given input/output space. Figure 2 relates the functional requirements model to the precondition and postcondition model of Hoare [Hoa69] . A T-VEC subsystem is defined by: outputs, inputs, functional relationships, and relevance predicates. A finctional relationship characterizes an object of the output space as a function of the inputs with respect to a relevance predicate. A relevance predicate groups all the precondition constraints associated with each functional relationship. Relevance predicates characterize data and temporal constraints on the objects of the input space.
A software system specification is captured in a set of related subsystems called a project. The elements of a subsystem are defined as follows: Functional relationship expressions are specified in terms of primitive operators: bit operations, assignment, addition, subtraction, multiplication, division, exponentiation, absolute value, log, and trigonometric functions. Subsystems can be treated like functions, even if the subsystem specifies the requirements for complex objects; therefore, subsystems can be referenced within a functional relationship or in a relevance predicate. A functional relationship can also be expressed in terms of a f o r d operator when specifying a relationship governing some or all elements of a specified range of array elements.
0
LS is a set of parameterized Boolean-valued statements that define constraints used in a relevance predicate. A logic structure defines constraints on the parameters in terms of connected conditions or logic structures using A, v, and 1 . A condition is a statement r cp s where 
T-VEC Requirement Specification Model

Figure 2. Relationship between T-VEC requirement specification model and preconditiodpostcondition
The structural model defines the relationship between subsystems of a project. Subsystems can be related hierarchically such that SSij inherits I, 0, and LS from SSi. Any SSi can reference input (I) and output (0) definitions. A subsystem can also reference functional relationships or logic structures from subsystems in the project by passing the input and output state space as a parameter. Figure 3 shows an annotated T-VEC linear form' specification for the first version of the Safety Injection system. The labels on the left side of the figure are used later in the paper to explain the specification constructs. The system is specified with a project in one subsystem that contains the mode transition function for M-Pressure and the ideal functions for Overridden and Safety Injection. Version 2 of the example, shown in Figures 6 and 7, is specified in one project containing two subsystems where Overridden is specified in a "lower-level'' subsystem that is referenced by the Safety Injection subsystem.
Specification mapping goal
The SCR model is based on a finite state automaton, and T-VEC is a logic specification. The SCR model defines a system state in terms of entities, a condition as a predicate on the system state, and an input event as a change in an input variable [HJL96] . Modes represent event transitions over time. As shown in Figure 2 , a T-VEC specification is defined in terms of the old state, characterized by the precondition, and the new state that is characterized by the postcondition. The relevance predicate specifies the constraints on input variables in the old state, and the functional relationship specifies the expected output for the new state. This directly supports the concept of an SCR condition.
A functional relationship that is related to an SCR event can depend on both the old state and new state of the specification entities, as described in [HJL96] . This means that a translation must create two instances of each input variable, term or mode, one for the old state and another for the new state. The relevance predicate characterizes the constraints associated with the old and new state; this means the relevance predicate is equivalent to the next-state relation for a state transition system. In the T-VEC specification, variables have a 1 or 2 suffix added to their name to indicate the association with the old state or new state. Variable definitions examples are shown in Figure 3 .
The goal of the translation process is to map every SCR functional expression of an output variable to a T-VEC functional relationship of an output variable with respect to a set of predicates on the input variables. These predicates correspond to conditions, events, and corresponding mode transitions. Events must be reduced to predicates of input variables or ObjectDefinitions - 
T-VEC
Specification construct mappings
Tables 10, 1 1, and 12 summarize the mapping between the elements of the SCR and T-VEC models in terms of their specification constructs. Table 10 shows that T-VEC inputs map to SCR input variables, and the outputs map to SCR output variables. SCR terms can be input or output variables, and mode classes are inputs. Both T-VEC and SCR support constant and type definitions. Both methods allow data to be specified in terms of base and derived types. Table 11 shows the type definition mappings; in T-VEC, numeric subranges or enumeration constants are described in constraints, and the analogous concepts are characterized as legal values in the SCR method. Both methods support accuracy and representation. Initial values can be specified in the SCR. As a logic specification, T-VEC does not explicitly represent state; any specific data value must be specified in terms of a predicate on the input variables as it relates to a functional relationship. 
Mapping mode transition functions
An SCR mode transition function defines a mapping from one mode to another based on the occurrence of an event. In T-VEC, the mode transition function is mapped into a logic structure. See LS7 in Figure 3 . The source mode, Pressure1 is defined as part of a relevance predicate old state, and the event specifies the condition for the transition to the destination mode ~ressure2. This translation is based on the specification given in standard logic in [HJL96] , with some minor exceptions. In [HJL96] , there is an assumption that limits the rate of change of the input variable WaterPres. This assumption precludes the transitions from TooLow to High and from High to TooLow. The constraints associated with this assumption have been formalized in LS7. The transition from LS7.1 specifies the transition from Permitted to TooLow; LS7.2 specifies the transition from Permitted to High; LS7.3 specifies both transitions as disjunctions, one from TooLow to Permitted and the other from High to Permitted. LS7.4 specifies the case where there is no transition.
Mapping ideal functions of terms
Overridden is an ideal function for a term variable. The term Overridden is used in the Safety Injection ideal function as shown in Figure 4 . In SCR, an ideal function for a term variable modularizes a specification. The term variable is not an output of the system, but it is used in the constraint of the Safety Injection ideal function. Overridden can be mapped to the T-VEC model in two ways: as a set of predicates represented in a logic structure or as a lower-level subsystem that has a Boolean output associated with the value of the function. For version 1, the function Overridden is translated as a logic structure that is referenced within the Safety Injection relevance predicate. Figure 3 shows the representation of the Overridden ideal function as a logic structure LS6. The two disjunctions, LS6.1 and LS6.2, map to the two outputs of the ideal function Overridden. The nested disjunctions, LS6.1.1 through LS6.1.4, are required when Overridden2 is false, and disjunctions LS6.2.1 and LS6.2.2 are required when Overridden2 is true. These specifications also illustrate the use of parameterized logic structures, which are reused in the negated sense to characterize the states when Overridden2 does not change state. This situation is discussed in the next section.
One case is not reflected in the translation; Figure 4 shows the correspondence between a T-VEC functional relationship and an SCR functional expression. The functional requirement output is Safety Injection, and it is based on the mode class M-Pressure. The functional relationship FR.0 is associated with one disjunction for the relevance predicate RP.0, which states that M-Pressure is always relevant to any functional relationship for Safety Injection. Figure 3 shows how the specification characterizes the functional relationship for each functional expression of the SCR specification (one when Safety Injection is ON and the other when it is OFF); they are labeled FR.l and FR.2. The functional relationship FR. 1 has one disjunction RP 1.1. The conditions of this disjunction are consistent with the ideal function for Safety Injection shown in Table 9 ; it specifies that Pressure2 = TOOLOW and Overridden2 = f a l s e in the context of the logic structure Overridden-Term (i.e., the logic structure representation of Overridden). In addition, any disjunction must also satisfy the disjunctions of RP.0, which characterizes the constraints of M-Pressure.
Functional relationships
Similarly the relevance predicate for FR.2 has three disjunctions, RP.2.1, RP.2.2, RP.2.3, that correspond to the cases when Safety Injection is OFF.
The relevance predicates RP. 1.2 and RP.2.1 have been separated to clearly identify the treatment of the case where Overridden does not change state. These are the cases when both Overridden2 = Overridden1 and all of the constraints associated with the events specified in Overridden-Term do not occur. This is reflected by the conjunction of the negated logic structure: 
Resulting test vectors
This section describes the test vectors that were generated for two different versions of the specification:
1. Overridden specified as a constraint within the Safety Injection subsystem (version 1)
Overridden specified as a lower-level subsystem (version 2 -described later in this section)
First, the linear form transformation and test vector 2.
generation concepts are described.
Specification compilation
A specification compiler transforms the linear form shown in Figure 3 into a logic specification represented in a Prolog-like language. During the process, syntax and semantic checks are performed to ensure that the resulting specification complies with the T-VEC models. The disjunctions in logic structures are expanded and a DeMorganization process is applied to logic structures preceded by the NOT : operator. When the compiled specification is loaded into the test vector generator, each functional relationship is associated with a set of disjunctions of conjunctions characterized by the "flattened" and DeMorganized logic structures within a subsystem. Each disjunction is referred to as a domain convergence path (DCP).
Test vector generation concepts and mechanisms
T-VEC is an oracle/error-based testing mechanism based on Richardson's et. a1 [ROT891 classification of specification-based testing approaches; such approaches extend implementation-based testing techniques to formal specifications. The T-VEC test selection mechanisms are related to implementationbased testing concepts and strategies. Using Zeil's [Zei89] modified version of Howden's [How761 definitions: a computation error occurs when the correct path through the program is taken, but the output is incorrect due to faults in the computation along the path. A domain error occurs when an incorrect output is generated due to executing the wrong path through a program. Based on the assumption that there is a strong correlation between predicates in the specification and path control conditions in the program, the test selection strategies are discussed in terms of domain testing theory concepts. White and Cohen [WCSO] proposed domain testing theory as a strategy for selecting test points to reveal domain errors. It is based on the premise that if there is no coincidental correctness, then test cases that localize the boundaries of domains with arbitrarily high precision are sufficient to test all the points in the domain.
T-VEC selects test data for subdomains of an input space based on the constraints of a DCP. The DCP predicates should map to the path conditions in a corresponding program.
A subdomain convergence algorithm is used to determine a DCP subdomain. If a nonempty subdomain exists for a DCP, then the input values associated with a test point are selected for the borders of the subdomain. A border is defined by evaluating the predicates of a DCP for a set of input values. For example, test points for numeric objects are selected for both upper and Iower domain boundary values. This results in test points for subdomain borders based on all low-bound values and high-bound input values that satisfy the DCP predicate evaluation. Some inputs to the functional relationship are not constrained by the DCP predicates. For each test point derived from DCP predicates, there are additional test points derived for unconstrained inputs not referenced in the DCP based on all domain boundary value combinations (e.g., low bound and high bound for numeric objects, sets for enumerated variable). By selecting the extreme value combinations, it is possible to detect computation errors in the output calculation. This test selection strategy is used to detect computation errors or show that unconstrained inputs do not affect the output for a program path.
The functional relationship is applied to each input value set to determine the expected output value. The value is checked against the subrange specification of the output variable; if the value is within the specified range, a test vector is produced that includes the inputs, input types and representation information, the expected output with its type information, and the DCP.
Resulting test vectors
The version 1 specification resulted in 178 test vectors that were generated in single vector mode (see Section 4.4). There were 18 test vectors generated for RP. 1.1, RP.2.1, RP.2.2, and RP.2.3 that correspond to the cases when Overridden changes; these vectors are shown in Table 13 . The remaining 160 test vectors were associated with relevance predicates RP. 1.2 and RP.2.4, which specify the states where there is no change in Overridden. These specifications are important for testing to ensure that the system stays in the specified mode when the inputs do not change. These tests are not shown due to space limitations.
Each row corresponds to one test vector. There are columns that identify the test vector number, the functional relationship (FR), the primary constraint of the relevance predicate (i.e., the prefix of the DCP), the convergence mode (e.g., low bound or high bound for numeric variables), and the values for the expected output (i.e., Safety Injection) and each input.
Vector generation modes
There are selectable modes for generating test vectors: multi, restricted, and single vector modes. The test point selection also depends on the relevance predicate constraints for each functional relationship. Table 14 shows the relationships between the resulting test points in each mode, with respect to a constraint.
Given two variables x and y, each with a subrange of -10 to 10, and a functional relationship z = x -t y; assume there are two relevance predicate constraints: 1) x > y, and 2) TRUE (i.e., there are no constraints on the variables x and y other than their subranges). For constraint 1, test points are selected based on the subdomain constraints for high bound and low bound combinations. Based on the assumption stated in Section 4.2 (i.e., the DCP predicates should map to the path conditions in a corresponding program), this heuristic has been effective in producing a minimal number of test cases to exercise each decision in a program with both high bound and low bound cases. For unconstrained variables, the following rules apply (i.e., the row labeled TRUE in Table 14) :
Multi: All combinations of the inputs based on the variable's range are selected as test points (this is effective in detecting computation errors).
Restricted: Each high bound and low bound of each variable as well as the high bound combination (as the number of inputs increases this number will result in significantly less tests than multi-vector mode).
Single vector mode: Only the high bound test points will be selected (this is effective in detecting computation errors, like overflows).
Table 14. Vector generation mode example
The internal form of a test vector is shown in Figure   5 . The first line indicates the functional relationship and relevance predicate. The <<1>> indicates that this is the first Safety Injection functional relationship; each predicate disjunction is identified by a unique number using this notation. The OUTPUT section includes one object, Safety Injection. Each output also includes the associated type, data representation (e.g., 32 bits) physical value (l), and enumeration constant (ON). This is followed by the INPUTS section that lists all the input objects. Each input object has the same information as the output object. Finally, the relevance predicate disjunction (i.e., DCP) that was used in the vector generation process is delineated by the keywords. The justification path is part of the input to the coverage analysis process.
Specification-based coverage analysis
START-JUSTIFICATION and END-JUSTIFICATION
After test vectors are generated, a check is performed to ensure that each specification corresponding to a DCP has at least one test vector. The T-VEC specification-based coverage analysis tool identifies specification inconsistencies that occur when there is not a complete mapping between the generated test vectors and the set of all DCP combinations in the compiled specification for a subsystem. Specification inconsistencies can result when:
The convergence process cannot determine an input subdomain for a DCP because there is an inconsistent set of predicates in the DCP.
The expected output value, computed using the functional relationship with the input test values, is not correct with respect to its subrange specification.
The coverage analyzer was used to check the resulting test vectors against the compiled specification. In this case, Pressure2 cannot be TooLow and Permitted, Similarly, the TooLow condition comes from the Safety Injection ideal function, and the Pressure2 = Permitted is specified in Overridden.
Version 2: Hierarchy of specifications
Guidelines to localize the constraints of an ideal function to a subsystem were applied to the second translation; this affects the way tests are generated and coverage analysis is performed. The specification was translated into a hierarchy of two subsystems: one for Safety Injection and one for Overridden. The structure of the T-VEC subsystems maps to the relationship of the ideal functions of an SCR specification.
The translated specifications are shown in Figures 6 and 7. Figure 6 is almost identical to Figure 3 ; the type, variable, constant sections have been removed, as well as the M-Pressure logic structure, as annotated in the figure. The key difference is the logic structure labeled LS-2.1.
The Overridden-Term logic structure references a subsystem named Overridden, instead of expanding the ideal function in the logic structure. Overridden inherits data, type, and logic structure information from Safety Injection, as annotated in Figure 6 .
In Figure 7 , functional relationship FR-2.0 is associated with the Overridden2 variable for the ideal function Overridden. The relevance predicate RP-2.0 is related to the M-Pressure mode class as it was in version 1. FR-2.1 maps to the TRUE output of the function, with respect to constraints RP-2.1.1 and RP-2.1.2. Similarly, FR-2.2 maps to the FALSE output of Overridden with respect to constraints RP-2.2.1 through RP-2.2.4. These conditions map directly to the events in Table 8 . Finally, RP-2.1.3 and RP-2.2.5 are associated with the situation when Overridden does not change state, using the negation of state change events defined in the logic structures.
Version 2: Hierarchical test vector generation and coverage analysis
A unique mechanism of T-VEC supports the generation of test vectors for a hierarchy of specifications, without regenerating all test vectors for each referenced lower-level subsystem. When any function, like Safety Injection, references another function, like Overridden, the test vector generator treats Overridden like a primitive operator. This mechanism precludes the combinatorial explosion associated with tests generated from the combination of constraints in a hierarchy of subsystems.
The T-WC coverage analyzer tool distinguishes between the specifications in the parent subsystem and any child subsystem that is used to support the functionality of a parent. In the case of Safety Injection, the coverage analyzer checked that a function reference was made to Overridden, rather than checking all the constraints associated for Overridden.
Version 2: Resulting test vectors and coverage analysis
Test vectors were regenerated for both subsystems. Table 15 shows the test vectors for Safety Injection. Table 16 shows 24 vectors associated with the FR-2.1 and FR-2.2 relevance predicates with state changes as specified by the events for the ideal function. There were 468 total test vectors for Overridden; however, 444 of these vectors were related to the conditions associated with the state not changing, as specified by RP-2.1.3 and RP-2.2.5 in Figure 7 .
The coverage analysis check was performed for version 2, and the test vectors for Safety Injection and Overridden covered all DCP combinations of the compiled specification. However, a NAT constraint specified in M-Pressure did cause the coverage analyzer to flag a constraint in Overridden. M-Pressure limits the amount that WaterPres can change during one state transition. The constraint associated with RP-2.2.4, which references the logic structure labeled Ls-2.1 Specifies that Pressurel ! = Permitted A Pressurel ! = TOOLOW; this implies that Pressurel = High, and Pressure2 = Permitted v Pressure2 = TOOLOW. Based on the constraints of M-Pressure, if Pressurel = High, the only permitted transition is pressure2 = Permitted. This is consistent with the NAT constraint. 
Summary
This paper describes an effort to integrate the SCR formal methods approach with the T-VEC automatic test vector generator and specification analysis system. The results indicate the strong potential for mechanically translating SCR-style specifications into the T-VEC specifications to support automatic test vector generation. Two versions of an example SCR specification were manually translated into the T-VEC language. Test vectors were generated for the two versions using the T-VEC system. The relationships between the specifications and the resulting test vectors were analyzed. Two general guidelines for the translation process were identified:
1. An SCR mode transition function defines a mapping from one mode to another based on the occurrence of an event. Variables referenced in an SCR event operator must be expanded into two states when translated into the T-VEC model to adequately represent the states before and after the event. In T-VEC, the source mode is defined as a constraint on the input state space at some time point, and the event at some later time point leads to the destination mode. For test vector generation, each possible set of input variables must be tested to ensure that the software reacts correctly with respect to its specification. The translated specification must characterize the transition case for each mode event, as well as the case where there is no transition, to ensure that the system stays in the specified mode when the inputs do not change.
The need for mapping ideal functions to T-VEC subsystems was demonstrated. For version 1 of the specification, the Safety Injection and Overridden ideal functions were included in the same T-VEC subsystem; the analysis identified the need to localize the constraints of an ideal function to a subsystem; this affects the way tests are generated and coverage analysis is performed. In version 2, the ideal functions were represented as a hierarchy of subsystems, where Overridden is a child subsystem to Safety Injection. Test vectors were generated and all valid constraints of the specifications were fully covered by test vectors.
2.
Therefore, based on the results, every SCR ideal function must be translated into a T-VEC subsystem; this will result in a hierarchy of T-VEC subsystems that correspond to the logical hierarchy of SCR ideal functions. When T-VEC generates test vectors for a hierarchy of specifications it supports integration testing that covers the relationships between ideal functions. The tests for each subsystem should be injected into the target system using a bottom-up testing strategy. To adequately test the implementation, the structure of the implementation should correspond with the specification so that the DCP predicates map to the path conditions in a corresponding program. If all tests pass, there is a strong argument that all constraints in the specifications have a valid implementation in terms of the decisions guarding the computations that implement the functional expressions of an ideal function. This approach was demonstrated for realworld applications. T-VEC was used in two critical system developments within an industrial engineering organization for two systems that have been certified by the FAA [BB96] . To provide assurance that the implementation is complete and consistent with respect to the specification, this type of consistency is typically required for software developed to support FAA certifications [RTCA92]. The structural mapping from the specification to the implementation implies that the specifier should have some influence on the design of the resulting implementation if requirements-to-test traceability is a requirement of the verification process.
The combination of requirement specification methods and tools with automatic test generation technologies could significantly reduce the cost of verification and testing. T-VEC significantly reduced the verification cost by eliminating most of the manual testing effort on the last release of the MD90 Electrical Power System Variable Speed Constant Frequency system; there was a 6 to 1 reduction in time, effort and cost on the reverification of the system [BB96]. This experimental integration demonstrates the utility and benefits of such an approach and provides strong arguments for further advancing specification-based methods and tools.
