Abstract
Introduction
This paper describes the T-VEC (Test VECtor) system that was used to develop and certify two avionics systems. These certifications were conducted by the Federal Aviation Administration (FAA) based on DO-178A -Software Considerations in Airborne S,ystems and Equipment Certification 1241 (now DO-178B). These certification guidelines emphasize a software engineering approach, where requirement-based testing and analysis are key to supporting the assurance arguments required for certification.
T-VEC is an integrated development environment and associated specification and verification method [3; 41.
One of the key tools of the T-VEC system is an automatic test vector generator: it determines test inputs, expected outputs, and a mapping of each test to the associated requirement, directly from formal specifications. It has been documented that testing can account for 40% to 70% of the development effort [ S ; 141. Testing a critical system can require tens or hundreds of thousands of test cases. A test vector generator that determines expected output values can reduce the testing effort as compared to Robert D. Busser T-VEC Technologies bobb@ns.upcyber.com a test case generator, where the expected output values must be determined manually. Figure 1 shows the T-VEC Environment. It supports a process that produces a hierarchy of requirement and design specifications. Graphical editors are employed in the acquisition of different aspects of the specification. The T-VEC compiler checks syntactic and semantic information during the compilation of the requirement specification. The test vector generator derives test vectors from the system knowledge. Its automatic coverage analyzer ensures that every unique requirement specificaeion is exercised by at least one test vector. T-VEC also automatically generates test drivers and documentation, relieving engineers from such tedious tasks. Finally, T-VEC provides project and configuration management tools specifically developed to support the method.
T-VEC overview

T-VEC in operation
T-VEC is operational today. It has been used to develop flight-critical, real-time, embedded systems since 1989. As a result of this experience, T-VEC evolved and was tailored to aid engineers in applying formal specifications by representing them using graphics with textual annotations. T-VEC was applied to a portion (approximately 50 subsystems) of a Traffic and Collision Avoidance System (TCAS), which was FAA-certified in March of 1990. T-VEC was applied to the entire MD90 (McDonnell Douglas) Electrical Power System Variable Speed Constant Frequency (VSCF) system that was FAA-certified in January of 1995. T-VEC was also used in the development of component libraries for a family of avionics display systems. T-VEC was also qualified in support of the certification requirements (see Section 5). 
Organization of paper
Section 2 describes how T-VEC supports the development of a critical system. Section 3 provides an overview of the T-VEC specification model to support the explanation of the test generation mechanisms. Section 4 describes the T-VEC test vector generator, compares it to other related test data generators, and identifies the unique characteristics of the tool. Section 5 discusses the qualification of tools used in critical system development. Section 6 provides a summary of T-VEC capabilities and benefits.
T-VEC's role in critical system development
Leveson argues that an overall systems approach is required for developing a safety-critical application [20] . Such an approach can potentially provide high assurance. However, the infeasibility of quantifying the reliability and assurance levels of software is described by Miller, Butler, and Finelli [6;  211. This section describes a framework that is used to explain T-VEC's role in supporting a high assurance software development process.
To certify a system based on DO-178B guidelines, system developers are permitted to define their own software life-cycle processes. The guidelines identify some basic types of software development artifacts that must be produced. DO-178B also defines assessment criteria for these software artifacts to ensure that the development results in a safe system. DO-178B guidelines emphasize the verification process and results as the primary means for providing high assurance evidence. Verification is a process to ensure that one level of specification complies with another. A particular design must satisfy a requirement specification, and the implementation must comply with the design. Verification relies on a set of complementary subprocesses, including testing, analysis, and reviews.
Tesa'ng is the process of exercising a system or system component to verify that it satisfies specified requirements and to detect errors. Analysis provides a repeatable means for producing evidence of correctness, and reviews provide a qualitative assessment of correctness [24] .
Formal methods are formal techniques that support verification and can be used to ensure that the captured specifications are consistent and complete, and satisfy critical system properties. Formal specification languages, methods, and tool systems, like Z [27] , VDM [191, and PVS [ll] , continue to expand in scope and capabilities. As the tools and techniques underlying formal methods mature, they will most likely play a larger role in the development of critical systems because they help identify specification errors. Table 1 provides a framework that relates the primary assurance techniques of verification with the general types of software artifacts. The TechniquelProcess column lists some assurance techniques or processes that can be used to produce and assess artifacts during development. Under Sofbvure Development Artifacts, an "x" is used if a technique is strongly associated with the artifact; an "0" means that these artifacts may be weakly associated with the technique or process, depending on the specific development method (e.g., modeling and simulation are typically used to gain a better understanding of the requirements, but could be used to help make design choices). The Comments column gives a brief description of the assurance technique or process.
Rushby describes how several of these techniques support verification [25] . Table 1 also indicates those assur<ance techniques that are supported by the T-VEC tools <and method. Figure 2 highlights the relationships (in shaded boxes) between the tools and the artifacts.
T-VEC can symbolically execute specifications, allowing users to execute scenarios to help users assess a captured requirement specification. The test vector generation mechanism also performs typechecking and consistency checking of requirement specifications (see Section 4).
The T-VEC compiler ensures that the requirement specifications are well-formed, consistent, and complete (with respect to T-VEC's specification model [see Section 31) . The test vector generator automates most of the testing process, and the coverage analyzer ensures that there is at least one test for every requirement. A manual analysis process is used to verify that traceability linkages are completely and consistently mapped from each requirement specification to some design specification and associated implementation construct. A check is also made to verify that every implementation construct is associated with a requirement specification.
Finally, T-VEC has been integrated with several test execution environments; test are downloaded to the target hardware, executed, and the results are uploaded and analyzed automatically to verify that the implementation passes every test. 
T-VEC specification model
This section focuses on the specification model concepts that are relevant to test vector generation.
Hierarchical specification model
There are two main principles that characterize the formalization of T-VEC's hierarchical specification process [8]:
* Every system is a subsystem of some higher level system (i.e~, a parent system) [2: 91.
Input and output objects of any given subsystem are defined a priori by its parent system. Data structure diagrams are used to specify the input and output objects of a given subsystem. Each leaf node of a possibly complex data structure must minimally specify the type, domain constraint, and data representation of the object in a corresponding textual annotation. The objects specified in a given diagram are those that make up the subsystem interface design of the parent architecture. For example, the inputs and output shown in the top-level functional requirement diagram are consistent with the interfaces to the Filter subsystem shown in the New Architecture (Figure 4) , T-VEC supports the base types: Boolean, enumeration, unsigned, integer, float, and string. The user can define mays, records, and user-defined types. In addition, objects can be bit packed and accessed as record structures.
Functional requirement diagrams represent a hierarchy of functional relationships and constraints. The top level, or context view, abstractly represents the semantics of the parent's architecture diagram for that subsystem. These diagrams show the input-to-output mapping for each functional relationship for each output of the subsystem and provide a reference to a corresponding relevance predicate. Each functional relationship specification must include a traceability reference to the system requirement from which it was derived and the implementation procedure where it is or must be implemented.
Functional relationships expressions are specified in terms of primitive operators: bit operations, assignment, addition, subtraction, multiplication, division, exponentiation, absolute value, log, and trigonometric functions. Subsystems can be treated like functions, even if the subsystem specifies the requirements for complex objects; therefore, subsystems can be referenced within a functional relationship or in a relevance predicate. A functional relationship can also be expressed in terms of a forall operator when specifying a relationship governing some or all elements of a specified range of "ray elements.
Logic structure diagrams can be used to specify parameterized predicates that define constraints on the input space. Logic structures can be referenced anywhere within a relevance predicate of a subsystem and are inherited by all lower-level children subsystems in the specification hierarchy. Logic structures can be used for multiple sets of objects within a subsystem. Figure 7 shows logic structures that are referenced in relevance predicate tables. The logic structure is interpreted as 
Automatic test vector generation
This section focuses on the mechanism for specification-based test generation. Gourlay Before describing the test selection strategies and associated test generation mechanism, some verification process constraints and assumptions need to be stated because testing alone cannot be used to assess the completeness or consistency between a specification and an implementation.
Verification constraints and assumptions
The specification is assumed to be correct, although as discussed later in this section, the test vector generator can detect inconsistencies in the specification. To provide aSsurance that the implementation is complete and consistent with respect to the specification, the following manual review processes were used to support the FAA certifications in which T-VEC was used: there must be a consistent interface mapping to a "lower-level" subsystem specification (this allows the same mechanism to be used for all levels of the software system).
It is assumed that an implementor follows these rules when coding from a formal specification. It is also assumed that there is a strong correlation between the relevance predicates and path controls guarding the output assignments of a program even if a human fails to detect an inconsistency between the specification and implementation.
Test selection strategy
T-VEC is as an oraclelerror-based testing mechanism based on Richardson's et. a1 [23] classification of specification-based testing approaches: such approaches extend implementation-based testing techniques to formal specifications. This subsection relates implementationbased testing concepts and strategies to the T-VEC test selection mechanisms. Using Zeil's [311 modified version of Howden's 1171 definitions: a computation error occurs when the correct path through the program is taken, but the output is incorrect due to faults in the computation along the path. A domain error occurs when an incorrect output is generated due to executing the wrong path through a program. Howden Specification-based testing can detect missing path errors: however, in general, we assume that missing and extraneous paths in the code will be detected during a manual review process. T-VEC mechanisms can detect both domain and computation errors.
Selecting test data to reveal domain errors. Based on the assumption that there is a strong correlation between predicates in the specification and path control conditions in the program, the test selection strategies are discussed in terms of domain testing theory concepts. White and Cohen [29] proposed domain testing theory as a strategy for selecting test points to reveal domain errors. It is based on the premise that if there is no coincidental correctness, then test cases that localize the boundaries of domains with arbitrarily high precision are sufficient to test all the points in the domain.
T-VEC selects test data for subdomains of an input space based on the constraints of a relevance predicate. As shown in Figure 8 this constant i s likely to have significant meaning in the problem domain. For example, in TCAS, if an aircraft is above 10,000 feet (ground term), and if an aircraft is within 2,500 feet of altitude of your own aircraft altitude (ground clause), it is a candidate for tracking by TCAS. Therefore, ground terms are used to initialize the subdomain for a DCP before a ground clause or clause is used to constrain the subdomain.' points derived for unconstrained inputs not referenced in the DCP based on all domain boundary value combinations (i.e., low bound and high bound for numeric objects, sets for enumerated variable, etc.). By selecting the extreme value combinations, there is a possibility to detect computation errors in the output calculation. This test selection strategy is used to detect computation errors or show that unconstrained inputs do not affect the output for a program path.
Computing the expected output. The functional relationship is applied to each input value set to determine the expected output value. The value is checked against the subrange specification of the output variable, if the value is within the specified range, a test vector is produced that includes the inputs, input types and representation information, the expected output with its type information, and the requirement DCP.
Specification inconsistencies are identified when the test coverage analyzer cannot find a complete mapping between the generated test vectors and the set of all DCP combinations in the source specification for each subsystem. Specification inconsistencies result when the test generator does not produce test vectors: this occurs when:
The convergence process cannot determine an input subdomain for a DCP because there is an inconsistent set of predicates in the DCP.
The expected output value, computed using the functional relationship with the input test values, is not correct with respect to its subrange specification.
0
There is an interactive specification analysis tool ("debugger") that can be used to determine the source of a specification inconsistency.
Relationship to other strategies
Domain testing strategies have focused on programs rather than specifications, but the foundational concepts can be related to specification-based test selection. The initial domain testing strategy proposals [12; 291, had some limitations and flawed arguments as described by Zeil [31] . Zeil simplified strategy that reduces the number of test points and addresses the limitation of programs with variable *The TCAS Collision Avoidance Logic, developed by two mdependent organizations, is a pseudo-code specification that TCAS system developers must implement in their system. These specifications have evolved over the last 20 years. A change was made between version 5 and version 6 that specified unreachahle code. To test the code, the specifications were reverse-engineered into T-VEC specifications. T-VEC's use of domain boundaries helped identify a complex combination of constraints that were inconsistent in version 6. Values inside the boundaries would not have detected this inconsistency. and extended Zeil's et al. [30] contributions to address the needs of real-world applications, by supporting:
Borders associated with predicate expressions that are linearly dependent nonlinear inequalities. As is discussed in Afifi et al. [l] , real-world problems (e.g., TCAS, global navigation) contain nonlinear constraints and functions.
As an oracle-based mechanism, T-VEC deviates fiom the implementation-based strategies in one way.
Implementation-based strategies select test points ON the borders (within the subdomain) and OFF the borders in an adjacent subdomain. T-VEC selects only ON border test points, because it cannot determine the expected output for an OFF border test point in an adjacent domain based on the current DCP and functional relationship. The expected output for an OFF border test point in an adjacent subdomain should be covered by another relevance predicate of the specification.
Relationship to other test generators
T-VEC is a mechanized instance within a general framework for specification-based testing as described by Stocks and Carrington [26] . It uses specification categories (see Section 4.2) to select test data based on a test point selection strategy. Convergence operations, based on the specification precondition, are used to reduce the input space, and test point heuristics are used to select test points. 
Unique characteristics of T-VEC test vector generator
The distinguishing characteristics of T-VEC include:
T-VEC generates test vectors for specifications characterized by nonlinear inequalities, where both sides of the inequality can be expressions with dependent variables, rather than being limited to linear inequalities with constants.
T-VEC generates test vectors involving complex structures and arrays for both input and output spaces.
T-VEC generates test vectors using selection heuristics (e.g., limit the number of combinations of unconstrained input variable to all low-bound, and all high-bound values).
T-VEC generates test vectors for a hierarchy of specifications, supporting integration testing of a high-level subsystem, without regenerating all the test vectors for each referenced lower-level subsystem. This mechanism precludes the combinatorial explosion associated with tests generated from the combination of constraints in a hierarchy of subsystems, while ensuring complete coverage when following a bottom-up testing strategy.
0
The concept of hierarchical specification is fundamental to the scalability of both the specification method and the associated verification process. T-VEC promotes a hierarchy of specifications to manage complexity, changeability, and reuse, as well as scalability. T-VEC checks and compiles, as needed, the system knowledge to ensure that it is up-to-date with the graphically entered specification.
Automated test process
If it is error free, T-VEC generates test vectors from the system knowledge.
T-VEC checks to ensure that there is at least one test vector for every requirement specification DCP. 
Test vector generation example
This section illustrates the mechanisms of the test vector generator using an example specification fragment. Table 2 shows an example of a relevance predicate. Clause types are identified in the second column. Table 3 provides a way to view the subranges on the inputs during the domain convergence process. The steps of the convergence process are numbered to support the following discussion of the process. After every operation, there is a propagation step that is used to ensure that all constraints are still satisfied. If any constraint cannot be satisfied, then the specification is inconsistent.
0
Step 0 shows the initial domain for each variable.
Step 1 limits the domain based on all ground terms to ensure that the selected test points are near a subdomain boundary.
Step 2 limits the domain based on ground clauses. To satisfy the condition x + y 2 6, the subrange of y must be modified. To satisfy the constraint s i n ( z ) 2 0 . 5 there is a change of the lower bound of z.
Step 3 limits the domain based on all clauses; there is no effect because the subrange of x -y, which is [-5 ... 91, contains a point that satisfies the constraint.
At
Step 4, when the effects of propagation are stable, T-VEC selects a test point at the domain boundaries. On the first pass, the low bound values of the variables' domains are selected. This process is repeated for the high bounds of the inputs. Depending on the test selection heuristic mode, one or all values of enumerated type objects are selected, each producing a unique test vector.
Step 5, the constraints on the converged subdomains must be propagated after each test point is selected.
Step 6 , once all of the propagation is stable, another test point is selected.
This process continues until test points have been selected for all the inputs in the constraint. The inputs are then used to compute the expected output for the output variable.
Detecting specification inconsistencies. This test vector generation mechanism also detects specification inconsistencies; for example, suppose that constraint x -y I z was x * y 5 z . Therewouldnotbea solution to the problem, because x * y would have a subrange of [5 ..SO] after Step 4, which could never satisfy the subrange for z.
Tool system qualification
Tools can help in the development of critical systems, but tool qualification is required by most certification authorities and defense agencies. Tool qualification is required by DO-178B when tools are used to eliminate, reduce, or automate aspects of the development process. The objective of qualification is to ensure that the tool provides confidence at least equivalent to that of the process(es) that has been reduced or automated.
T-VEC was subjected to qualification for two TCAS releases as required by the FAA to support the certification. The qualification process was used to reverify the system when it was ported from the Sunm 386i to the SunTM SPARC architecture running a new operating system. To verify the system knowledge compiler, several subsystems were specified, and manual analysis was performed to show that the generated results where consistent and complete with the expected results. There was also a coverage analysis activity which demonstrated that all classes of specification data types, constructs, and hierarchical relationships were included in the test specifications. Similar verification processes were performed for the coverage analyzer and test driver generators.
The verification of the test vector generator was much more extensive. The verification activities for the TCAS certification (i.e., the first release of T-VEC) were based on traditional verification and coverage analysis processes. All specification constructs for all data types were tested using domain testing principles. In addition, all combinations of hierarchical specification relationships were also tested and checked manually.
For the second and third releases, T-VEC was used to Iesl itself. Several unique specifications were created using the T-VEC specification language, T-VEC's inference engine i s based on Prolog-like semantics; therefore, every operator of the language is a predicate. This unique approach involved specifying the output of each functional relationship as a constant or bound input variable, representing the expected output. Therefore, when the test vector generator computed the actual output for a functional relationship, the final operation was an equality predicate that checked the computed output with the expected output. Manual coverage analysis techniques were still used to show that all combinations of specification constructs and data types were tested to support the verification process.
Summary
This paper has described a software engineering approach to critical system development that has been used in an industrial engineering organization. Automated tools played a fundamental role in supporting the formal process. The automated testing process relieves engineers from many manual tasks and reduces the possibility of manual error. The use of graphics was key to making a formal specification approach usable by typical engineers in industrial organizations. It helped them focus on each aspect of the specification individually, using one type of graphic and annotation. The developers relied on the tools to integrate the views. In addition, customers and reviewers, like the FAA, were able to understand the notations and processes with minimal training.
The automatic generation of test vectors and automated coverage analysis provide a highly automated verification process to support critical system development with several benefits. T-VEC significantly reduces the verification cost by eliminating most of the manual testing effort. A test vector generator that produces expected outputs reduces the test time and effort as compared to a test case generator, where the expected output must be determined manually. From a customer or FAA-certifier perspective, the T-VEC method and automation make the development process very systematic. When the process is understood, it is easy to determine the level of completion and compliance with the DO-178B guidelines for any level of a critical system.
The productivity benefits are best expressed in terms of the customer's expectation. On the last release of the MD90 VSCF, there were 10 of the 73 subsystems impacted resulting in 602 lines of code changed in 10 Adz packages. The prime contractor estimated the task at 6 months, based on software development efforts prior to this program. The specification, implementation and verification efforts were reduced to 4.5 weeks. The primary reason for the reduction in time and effort was because the test generation and execution were performed automatically. Although the actual data is proprietary, in all of the T-VEC releases to the prime contractor and customer, no defects have been found in the software.
