7 research outputs found

    Assessing Requirements Quality Through Requirements Coverage

    In model-based development, the development effort is centered around a formal description of the proposed software system: the model. This model is derived from some high-level requirements describing the expected behavior of the software. For validation and verification purposes, this model can then be subjected to various types of analysis, for example, completeness and consistency analysis [6], model checking [3], theorem proving [1], and test-case generation [4, 7]. This development paradigm is making rapid inroads in certain industries, e.g., automotive, avionics, space applications, and medical technology. This shift towards model-based development naturally leads to changes in the verification and validation (V&V) process. The model validation problem, determining that the model accurately captures the customer's high-level requirements, has received little attention, and the sufficiency of the validation activities has been largely determined through ad-hoc methods. Since the model serves as the central artifact, its correctness with respect to the users' needs is absolutely crucial. In our investigation, we attempt to answer the following two questions with respect to validation: (1) Are the requirements sufficiently defined for the system? and (2) How well does the model implement the behaviors specified by the requirements? The second question can be addressed using formal verification. Nevertheless, the size and complexity of many industrial systems make formal verification infeasible even if we have a formal model and formalized requirements. Thus, presently, there is no objective way of answering these two questions. To this end, we propose an approach based on testing that, when given a set of formal requirements, explores the relationship between requirements-based structural test-adequacy coverage and model-based structural test-adequacy coverage. The proposed technique uses requirements coverage metrics defined in [9] on formal high-level software requirements and existing model coverage metrics such as the Modified Condition and Decision Coverage (MC/DC) used when testing highly critical software in the avionics industry [8]. Our work is related to Chockler et al. [2], but we base our work on traditional testing techniques as opposed to verification techniques.

    Windform® XT 2.0 Use as 3U CubeSat Primary Structure

    CubeSats provide a platform for small-scale space research and technology demonstration at reduced complexity, cost, and development time. These advantages drove the NASA Langley Research Center (LaRC) to develop and launch the GPX2 3U CubeSat to explore the viability of using Commercial Off-The-Shelf (COTS) differential Global Position System (dGPS) in low earth orbit. To reduce manufacturing costs and increase design flexibility, the project chose additive manufactured Windform® XT 2.0 as the primary bus material rather than traditional subtractive manufactured (milled) metal. The bus is a two-part, Selective Laser Sintered, 3D-print structure consisting of a single-piece, five-walled chassis and single-walled cover. The bus was specially designed to allow the project to accommodate the payload electronics stack as well as antennas, receivers, and deployable mechanisms. By using an additive manufactured solution, LaRC was able to design in features unrealizable through traditional milling, with a lead-time of roughly two weeks. In comparison, traditional subtractive manufacturing limits geometry options due to toolpath reach and bus construction would have required multiple components for each wall. This would have resulted in a more costly, longer lead-time article with more joints, fasteners, and complexity with a commensurate increase in overall mass. A number of lessons-learned were captured during the design, analysis, and testing of the GPX2 CubeSat covering thermal and structural analysis, vibration modeling, and geometric tolerancing. Additionally, a variety of material testing and verification were performed before and during spacecraft design and integration to assure the suitability of Windform® XT 2.0 for the launch and mission environments. This article provides the highlights of designing and testing the GPX2 bus.

    Case Study: Model-Based Analysis of the Mission Data System Reference Architecture

    This report documents the results of applying the Architecture Analysis and Design Language (AADL) to the Mission Data System (MDS) architecture. The work described in this case study is part of the National Aeronautics and Space Administration (NASA) Software Assurance Research Program (SARP) research project "Model-Based Software Assurance with the SAE Architecture Analysis and Design Language (AADL)." The report includes discussion of modeling and analyzing the MDS reference architecture and its instantiation for specific platforms. In particular, it focuses on modeling aspects of state-based system behavior in MDS for quantitative analysis. Three different types of state-based system models are considered: closed loop control, goal-oriented mission plan execution, and fault tolerance through mission replanning. This report demonstrates modeling and analysis of the MDS reference architecture as well as instantiations of the reference architecture for a specific mission system.

    ReqsCov: A Tool for Measuring Test-Adequacy over Requirements

    Associated research group: Critical Systems Research Group. When creating test cases for software, a common approach is to create tests that exercise requirements. Determining the adequacy of test cases, however, is generally done through inspection or indirectly by measuring structural coverage of an executable artifact (such as source code or a software model). We present ReqsCov, a tool to directly measure requirements coverage provided by test cases. ReqsCov allows users to measure Linear Temporal Logic requirements coverage using three increasingly rigorous requirements coverage metrics: naive coverage, antecedent coverage, and Unique First Cause coverage. By measuring requirements coverage, users are given insight into the quality of test suites beyond what is available when solely using structural coverage metrics over an implementation.

    FUELEAP Model-Based System Safety Analysis

    NASA researchers, in a partnership with Boeing, are investigating a fuel-cell powered variant of the X-57 Maxwell Mod-II electric propulsion aircraft, which is itself derived from a stock Tecnam P2006T. The Fostering Ultra-Efficient Low-Emitting Aviation Power (FUELEAP) project will replace the X-57 power subsystem with a hybrid Solid-Oxide Fuel Cell (SOFC) system to increase the potential range of the electric-propulsion aircraft while dramatically improving efficiency and emissions over stock internal-combustion engines. Our FUELEAP safety analysis faces two primary challenges. First, the Part 23 certificated Tecnam P2006T is undergoing significant modifications to host the hybrid electric-propulsion system, and the challenge is to assure that the safety inherent in the stock aircraft (and subsequently in X-57 Mod-II) is not compromised by changes in avionics, aircraft structural loading, weight and balance, or other considerations. Secondly, because the SOFC power system has little (if any) relevant in-service precedent, our challenge is to assure that we identify and mitigate all reasonably plausible hazards introduced by unique FUELEAP equipage. We are investigating and utilizing Model-Based Safety Analysis (MBSA) methods to help us address these FUELEAP safety challenges. We captured aircraft-level system hazard conditions using instances of a SysML hazard block via aircraft-level Functional Hazard Analysis (FHA). Then, using SysML models of the FUELEAP architecture, we related the hazard conditions to initiating system events and possible mitigations, such as design architecture modifications or operational constraints. We are continuing to define our approach to MBSA by developing a component-by-component inventory of local failure modes and tracing their possible contribution to hazard conditions. Finally, we are applying an argument-based approach to FUELEAP assurance. 
Through a FUELEAP safety case, we are providing an explicit argument for FUELEAP safety by associating assurance evidence with overarching safety claims through a structured argument.

    A dormant microbial component in the development of pre-eclampsia

    Preeclampsia (PE) is a complex, multisystem disorder that remains a leading cause of morbidity and mortality in pregnancy. Four main classes of dysregulation accompany PE and are widely considered to contribute to its severity. These are abnormal trophoblast invasion of the placenta, anti-angiogenic responses, oxidative stress, and inflammation. What is lacking, however, is an explanation of how these themselves are caused. We here develop the unifying idea, and the considerable evidence for it, that the originating cause of PE (and of the four classes of dysregulation) is, in fact, microbial infection, that most such microbes are dormant and hence resist detection by conventional (replication-dependent) microbiology, and that by occasional resuscitation and growth it is they that are responsible for all the observable sequelae, including the continuing, chronic inflammation. In particular, bacterial products such as lipopolysaccharide (LPS), also known as endotoxin, are well known as highly inflammagenic and stimulate an innate (and possibly trained) immune response that exacerbates the inflammation further. The known need of microbes for free iron can explain the iron dysregulation that accompanies PE. We describe the main routes of infection (gut, oral, and urinary tract infection) and the regularly observed presence of microbes in placental and other tissues in PE. Every known proteomic biomarker of “preeclampsia” that we assessed has, in fact, also been shown to be raised in response to infection. An infectious component to PE fulfills the Bradford Hill criteria for ascribing a disease to an environmental cause and suggests a number of treatments, some of which have, in fact, been shown to be successful. PE was classically referred to as endotoxemia or toxemia of pregnancy, and it is ironic that it seems that LPS and other microbial endotoxins really are involved. 
Overall, the recognition of an infectious component in the etiology of PE mirrors that for ulcers and other diseases that were previously considered to lack one.

    A Dormant Microbial Component in the Development of Preeclampsia
