Towards a Formalism-Based Toolkit for Automotive Applications

The success of a number of projects has been shown to be significantly improved by the use of a formalism. However, there remains an open issue: to what extent can a development process based on a singular formal notation and method succeed. The majority of approaches demonstrate a low level of flexibility by attempting to use a single notation to express all of the different aspects encountered in software development. Often, these approaches leave a number of scalability issues open. We prefer a more eclectic approach. In our experience, the use of a formalism-based toolkit with adequate notations for each development phase is a viable solution. Following this principle, any specific notation is used only where and when it is really suitable and not necessarily over the entire software lifecycle. The approach explored in this article is perhaps slowly emerging in practice - we hope to accelerate its adoption. However, the major challenge is still finding the best way to instantiate it for each specific application scenario. In this work, we describe a development process and method for automotive applications which consists of five phases. The process recognizes the need for having adequate (and tailored) notations (Problem Frames, Requirements State Machine Language, and Event-B) for each development phase as well as direct traceability between the documents produced during each phase. This allows for a stepwise verification/validation of the system under development. The ideas for the formal development method have evolved over two significant case studies carried out in the DEPLOY project

On the analysis needs when verifying state-based software requirements: an experience report

AbstractIn a previous investigation we formally defined procedures for analyzing hierarchical state-based requirements specifications for two properties: (1) completeness with respect to a set of criteria related to robustness (a response is specified for every possible input and input sequence) and (2) consistency (the specification is free from conflicting requirements and undesired nondeterminism). Informally, the analysis involves determining if large Boolean expressions are tautologies. We implemented the analysis procedures in a prototype tool and evaluated their effectiveness and efficiency on a large real world requirements specification expressed in an hierarchical state-based language called Requirements State Machine Language. Although our initial approach was largely successful, there were some drawbacks with the original tools. In our initial implementation we abstracted all formulas to propositional logic. Unfortunately, since we are manipulating the formulas without interpreting any of the functions in the individual predicates, the abstraction can lead to large numbers of spurious (or false) error reports. To increase the accuracy of our analysis we have continually refined our tool with decision procedures and, finally, come to the conclusion that theorem proving is often needed to avoid large numbers of spurious error reports. This paper discusses the problems with spurious error reports and describes our experiences analyzing a large commercial avionics system for completeness and consistency

Développement sans rupture de systèmes complexes : une approche basée multi-exigences

Prouver qu'un système satisfait à ses exigences est un défi important de l'ingénierie des exigences. D'une part, les approches formelles fournissent un moyen d'exprimer les exigences mathématiquement et de prouver qu'un système satisfait ses exigences. Cependant, si la formalisation offre des possibilités supplémentaires telles que la vérification, voire la validation, elle s'avère souvent trop difficile à utiliser en pratique par les acteurs impliqués dans le développement des systèmes. D'autre part, dans la plupart des cas, les exigences sont écrites et parfois tracées en langage naturel à des fins de communication et de compréhension mutuelle. De plus, cela reste le cas tout au long du processus de développement. Ainsi, il est nécessaire de considérer le besoin de s'adresser à toutes ces parties prenantes pendant le processus de développement. L'objectif principal de cette thèse est de fournir une méthodologie sans rupture qui permet de bénéficier de la formalisation des exigences tout en étant compréhensible par toutes les parties prenantes. Nous proposons une approche qui considère les exigences comme des parties du code du système, ce qui, en tant que tel, contribue à améliorer l'évaluation de la qualité. De plus, l'intégration des exigences dans le code garantit un développement sans rupture. Ces contributions visent trois avantages principaux. Premièrement, il n'est pas nécessaire de passer d'un outil ou d'un environnement à un autre : un cadre unique prend en charge le développement de l'analyse à la mise en œuvre. Deuxièmement, les changements et la réversibilité deviennent un phénomène régulier, directement pris en charge par la méthode, le langage et les outils, ce qui facilite les allers-retours. Enfin, les différents niveaux d'abstraction restent dans le cadre du paradigme orienté objet. Nous appliquons cette vision au processus de développement lui-même avec les mêmes avantages attendus. Le cycle de vie du développement peut alors bénéficier de cette forte intégration des exigences dans le code. Ces artefacts aident au développement du logiciel en fournissant un support et des lignes directrices pour l'analyse ou l'aide à la décision et en renforçant la qualité du logiciel. En outre, la réutilisabilité, l'évolutivité et la maintenabilité sont améliorées. La traçabilité entre les exigences et le code permet une analyse d'impact facile lorsque l'un de ces artefacts évolue. Cependant, si ce paradigme est familier aux développeurs et même si nous faisons un effort d'expressivité, il ne s'adresse pas aux autres parties prenantes qui ont l'habitude de travailler avec d'autres outils. Puisque nous souhaitons également que des non-experts utilisent notre approche pour valider des systèmes dans la première phase de leur développement, nous proposons un langage spécifique au domaine : (i) proche du langage naturel et (ii) basé sur une sémantique formelle. En utilisant les techniques de l'ingénierie dirigée par les modèles, ce langage permet de combler le fossé entre les différents acteurs impliqués dans un projet (compte tenu de leurs différentes expériences) et entre les exigences et le code. Nous avons enfin consacré un effort de recherche à la définition des relations entre les exigences. Nous fournissons leurs définitions formelles et leurs propriétés sur la propagation de l'état de satisfaction. Ces définitions peuvent aider les ingénieurs à vérifier les exigences (en vérifiant la validité de la sémantique des relations entre deux exigences) et à vérifier la conformité du système (grâce à la propagation de la satisfaction). Ce travail est une étape vers l'introduction de la sémantique formelle dans la traçabilité, permettant d'analyser automatiquement les exigences et d'utiliser leurs relations pour vérifier l'implémentation correspondante du système.Proving that a system satisfies its requirements is an important challenge of Requirements Engineering. On the one hand, formal approaches provide a way to express requirements mathematically and prove that a system satisfies its requirements. However, if formalization offers additional possibilities such as verification, or even validation, it often proves to be too difficult to use in practice by the stakeholders involved in the development of systems. On the other hand, in most cases, requirements are written and sometimes traced in Natural Language for communication and mutual understanding purposes. Moreover, this remains during the whole development process. Thus, it is necessary to consider the need to address all these stakeholders during the development process. The main objective of this thesis is to provide a seamless methodology that allows benefiting from the formalization of requirements while being understandable by all stakeholders. We propose an approach that considers requirements as parts of the system's code, which, as such, contributes to improving quality assessment. In addition, integrating the requirements into the code guarantees a seamless development. The contributions target three main benefits. First, there is no need to switch from one tool or environment to another: a single framework supports the development from analysis to implementation. Second, changes and reversibility become a regular occurrence, directly supported by the method, language, and tools, facilitating round-trips. Third, the different levels of abstraction remain inside the object-oriented paradigm. We apply this vision to the development process itself with the same expected advantages. The development life-cycle can then benefit from this strong integration of requirements into the code. These artifacts help in software development by providing support and guidelines for analysis or decision support and reinforcing the software quality. Besides, reusability, evolutivity, and maintainability are enhanced. Traceability between requirements and code allows an easy impact analysis when any of these artifacts evolve. However, if this paradigm is familiar to developers and even if we put an effort in providing expressivity, they are not addressed to other stakeholders that used to work with several tools. Since we also want non-experts to use our approach to validate systems in the early stage of their development, we propose a Domain-Specific Language: (i) close to natural language and (ii) based on formal semantics. Using Model-Driven Engineering techniques, this language bridges the gap between the several stakeholders involved in a project (considering their different backgrounds) and between the requirements and the code. We finally put a research effort into defining relationships between requirements. We provide their formal definitions and properties on the propagation of the satisfaction state. These definitions can help engineers verify requirements (by checking the validity of the semantics of the relationships between two requirements) and verify the system compliance (thanks to satisfaction propagation). This work is a step towards introducing formal semantics into traceability, making it possible to automatically analyze requirements and use their relationships to verify the corresponding implementation of the system

Testing Strategies for Model-Based Development

This report presents an approach for testing artifacts generated in a model-based development process. This approach divides the traditional testing process into two parts: requirements-based testing (validation testing) which determines whether the model implements the high-level requirements and model-based testing (conformance testing) which determines whether the code generated from a model is behaviorally equivalent to the model. The goals of the two processes differ significantly and this report explores suitable testing metrics and automation strategies for each. To support requirements-based testing, we define novel objective requirements coverage metrics similar to existing specification and code coverage metrics. For model-based testing, we briefly describe automation strategies and examine the fault-finding capability of different structural coverage metrics using tests automatically generated from the model

Control dependence for extended finite state machines

Though there has been nearly three decades of work on program slicing, there has been comparatively little work on slicing for state machines. One of the primary challenges that currently presents a barrier to wider application of state machine slicing is the problem of determining control dependence. We survey existing related definitions, introducing a new definition that subsumes one and extends another. We illustrate that by using this new definition our slices respect Weiser slicing’s termination behaviour. We prove results that clarify the relationships between our definition and older ones, following this up with examples to motivate the need for these differences

Validating Requirements for Fault Tolerant Systems Using Model Checking

Model checking is shown to be an effective tool in validating the behavior of a fault tolerant embedded spacecraft controller. The case study presented here shows that by judiciously abstracting away extraneous complexity, the state space of the model could be exhaustively searched allowing critical functional requirements to be validated down to the design level. Abstracting away detail not germane to the problem of interest leaves by definition a partial specification behind. The success of this procedure shows that it is feasible to effectively validate a partial specification with this technique. Three anomalies were found in the system one of which is an error in the detailed requirements, and the other two are missing/ambiguous requirements. Because the method allows validation of partial specifications, it also is an effective methodology towards maintaining fidelity between a co-evolving specification and an implementation

Applications of Formal Methods to Specification and Safety of Avionics Software

This report treats several topics in applications of formal methods to avionics software development. Most of these topics concern decision tables, an orderly, easy-to-understand format for formally specifying complex choices among alternative courses of action. The topics relating to decision tables include: generalizations fo decision tables that are more concise and support the use of decision tables in a refinement-based formal software development process; a formalism for systems of decision tables with behaviors; an exposition of Parnas tables for users of decision tables; and test coverage criteria and decision tables. We outline features of a revised version of ORA's decision table tool, Tablewise, which will support many of the new ideas described in this report. We also survey formal safety analysis of specifications and software

Fourth NASA Langley Formal Methods Workshop

This publication consists of papers presented at NASA Langley Research Center's fourth workshop on the application of formal methods to the design and verification of life-critical systems. Topic considered include: Proving properties of accident; modeling and validating SAFER in VDM-SL; requirement analysis of real-time control systems using PVS; a tabular language for system design; automated deductive verification of parallel systems. Also included is a fundamental hardware design in PVS

ADGS-2100 Adaptive Display and Guidance System Window Manager Analysis

Recent advances in modeling languages have made it feasible to formally specify and analyze the behavior of large system components. Synchronous data flow languages, such as Lustre, SCR, and RSML-e are particularly well suited to this task, and commercial versions of these tools such as SCADE and Simulink are growing in popularity among designers of safety critical systems, largely due to their ability to automatically generate code from the models. At the same time, advances in formal analysis tools have made it practical to formally verify important properties of these models to ensure that design defects are identified and corrected early in the lifecycle. This report describes how these tools have been applied to the ADGS-2100 Adaptive Display and Guidance Window Manager being developed by Rockwell Collins Inc. This work demonstrates how formal methods can be easily and cost-efficiently used to remove defects early in the design cycle