Proving the shalls

Early validation of requirements through formal methods
  • Steven P. Miller
  • Alan C. Tribble
  • Michael W. Whalen
  • Mats P. E. Heimdahl
Special section on the industrialization of formal methods: a view from Formal Methods 2003


Incomplete, inaccurate, ambiguous, and volatile requirements have plagued the software industry since its inception. The convergence of model-based development and formal methods offers developers of safety-critical systems a powerful new approach to the early validation of requirements. This paper describes an exercise conducted to determine if formal methods could be used to validate system requirements early in the lifecycle at reasonable cost. Several hundred functional and safety requirements for the mode logic of a typical flight guidance system were captured as natural language “shall” statements. A formal model of the mode logic was written in the RSMLe language and translated into the NuSMV model checker and the PVS theorem prover using translators developed as part of the project. Each “shall” statement was manually translated into a NuSMV or PVS property and proven using these tools. Numerous errors were found in both the original requirements and the RSMLe model. This demonstrates that formal models can be written for realistic systems and that formal analysis tools have matured to the point where they can be effectively used to find errors before implementation.
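The workflow the abstract describes, shown as an added example that is not the paper's RSMLe model, its translators, or its NuSMV/PVS properties: a constructed three-mode lateral mode logic (ROLL, HDG, NAV plus a flight-director switch), three “shall” statements turned into checkable properties, and a small explicit-state checker that explores every reachable state under every input and returns the shortest counterexample. NuSMV does the same search symbolically; the toy checker enumerates states so the mechanics are visible. The mode logic, the wording of the shalls, and the defect in `step_defective` are all assumptions made for illustration. The example reproduces both kinds of finding the abstract reports: a shall that is wrong as first written (it ignores the flight director, so even the correct model violates it) and a model that is wrong (it fails to revert to ROLL when the flight director is switched off).

```python
from collections import deque
from dataclasses import dataclass
from itertools import product

# Constructed toy: a three-mode lateral mode logic. It is NOT the paper's
# RSMLe flight guidance model; every detail below is an illustrative assumption.
ROLL, HDG, NAV = "ROLL", "HDG", "NAV"


@dataclass(frozen=True)
class State:
    fd_on: bool        # flight director on/off
    lateral: str       # active lateral mode


@dataclass(frozen=True)
class Inputs:
    fd_switch: bool    # pilot presses the FD switch this step
    hdg_switch: bool   # pilot presses the HDG switch this step
    nav_switch: bool   # pilot presses the NAV switch this step


INITIAL = State(fd_on=False, lateral=ROLL)
# Inputs are unconstrained: any combination of presses may occur on any step,
# which is how a model checker treats free input variables.
ALL_INPUTS = [Inputs(*bits) for bits in product((False, True), repeat=3)]


def step(s: State, i: Inputs, reset_on_fd_off: bool = True) -> State:
    """One synchronous step of the constructed mode logic.

    HDG and NAV switches toggle their mode (HDG wins if both are pressed);
    ROLL is the basic mode. With reset_on_fd_off=False the model carries a
    deliberate defect: switching the flight director off leaves a selected
    mode active instead of reverting to ROLL.
    """
    fd_on = (not s.fd_on) if i.fd_switch else s.fd_on
    lateral = s.lateral
    if i.hdg_switch:
        lateral = ROLL if lateral == HDG else HDG
    elif i.nav_switch:
        lateral = ROLL if lateral == NAV else NAV
    if reset_on_fd_off and not fd_on:
        lateral = ROLL
    return State(fd_on, lateral)


def step_defective(s: State, i: Inputs) -> State:
    """The same logic with the constructed defect enabled."""
    return step(s, i, reset_on_fd_off=False)


# "Shall" statements as checkable properties.
# Invariant: "When the flight director is off, ROLL shall be the lateral mode."
FD_OFF_SHALL = ("FD off implies ROLL", lambda s: s.fd_on or s.lateral == ROLL)

# Step properties: (name, guard(state, inputs), post(next_state)).
# Naive reading of "pressing HDG shall select HDG": it ignores the FD.
HDG_SHALL_NAIVE = (
    "HDG switch selects HDG",
    lambda s, i: i.hdg_switch and s.lateral != HDG,
    lambda t: t.lateral == HDG,
)
# Refined after the counterexample: FD must be on and not switched off now.
HDG_SHALL = (
    "HDG switch selects HDG (FD on)",
    lambda s, i: s.fd_on and not i.fd_switch and i.hdg_switch and s.lateral != HDG,
    lambda t: t.lateral == HDG,
)


def _trace(parent, s):
    """Rebuild the path INITIAL -> ... -> s as (inputs, state) pairs."""
    path = []
    while s is not None:
        link = parent[s]
        path.append((None if link is None else link[1], s))
        s = None if link is None else link[0]
    return list(reversed(path))


def check(step_fn, invariants, step_props):
    """Breadth-first exhaustive exploration of all reachable states under all
    inputs. Returns None if every shall holds, otherwise (name, counterexample)
    where the counterexample is the shortest path from INITIAL to the violation."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for name, inv in invariants:
            if not inv(s):
                return name, _trace(parent, s)
        for i in ALL_INPUTS:
            t = step_fn(s, i)
            for name, guard, post in step_props:
                if guard(s, i) and not post(t):
                    return name, _trace(parent, s) + [(i, t)]
            if t not in parent:
                parent[t] = (s, i)
                queue.append(t)
    return None


if __name__ == "__main__":
    print("requirement error:", check(step, [FD_OFF_SHALL], [HDG_SHALL_NAIVE]))
    print("all shalls hold:  ", check(step, [FD_OFF_SHALL], [HDG_SHALL]))
    print("model error:      ", check(step_defective, [FD_OFF_SHALL], [HDG_SHALL]))
```

The first run fails on the correct model: with the flight director off, pressing HDG leaves ROLL selected, so the naive shall was incomplete and the requirement, not the model, gets fixed. The second run passes. The third run, against the defective model, reports a one-step trace in which NAV is selected while the flight director is off. The counterexample is what makes each failure actionable; a proof that merely says “false” is far less useful to the engineer who has to decide whether the shall or the model is wrong.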


Keywords: Software requirements; Formal verification; Model-based development




References

  1. Esterel Technologies home page.
  2. NASA Software Assurance Technology Center, formal inspections page.
  3. NuSMV home page.
  4. PVS home page.
  5. The MathWorks home page.
  6. Bensalem, S., Caspi, P., Parent-Vigouroux, C., Dumas, C.: A methodology for proving control systems with Lustre and PVS. In: Proceedings of the IEEE 7th Working Conference on Dependable Computing for Critical Applications (DCCA 7), San Jose, CA, pp. 89–107 (Jan. 1999)
  7. Berry, G., Gonthier, G.: The synchronous programming language Esterel: design, semantics, and implementation. Sci. Comput. Prog. 19, 87–152 (1992)
  8. Billings, C.: Aviation Automation: The Search for a Human-Centered Approach. Erlbaum, Mahwah, NJ (1997)
  9. Boehm, B.: Software Engineering Economics. Prentice-Hall, Englewood Cliffs, NJ (1981)
  10. Brooks, F.: No silver bullet: essence and accidents of software engineering. IEEE Comput. 20(4), 10–19 (1987)
  11. Butler, R., Miller, S., Potts, J., Carreno, V.: A formal methods approach to the analysis of mode confusion. In: 17th Digital Avionics Systems Conference (DASC ’98), vol. 1, pp. C41/1–C41/8. Bellevue, WA (Oct. 1998)
  12. Chan, W., Anderson, R., Beame, P., Burns, S., Modugno, F., Notkin, D., Reese, J.: Model checking large software specifications. IEEE Trans. Softw. Eng. 24(7), 498–520 (1998)
  13. Choi, Y.: Model checking RSMLe requirements. PhD thesis, University of Minnesota (July 2003)
  14. Choi, Y., Heimdahl, M.: Model checking RSMLe requirements. In: Proceedings of the 7th IEEE/IEICE International Symposium on High Assurance Systems Engineering, pp. 109–118. Tokyo (Oct. 2002)
  15. Choi, Y., Rayadurgam, S., Heimdahl, M.: Toward automation for model checking requirement specifications with numeric constraints. Requir. Eng. J. 7(4), 225–242 (2002)
  16. Clarke, E., Grumberg, O., Peled, D.: Model Checking. MIT Press, Cambridge, MA (2001)
  17. Davis, A.: Software Requirements: Objects, Functions, and States. Prentice-Hall, Englewood Cliffs, NJ (1993)
  18. de Moura, L.: SAL: Tutorial. SRI International, Computer Science Laboratory, Menlo Park, CA (Jan. 2004)
  19. Fagan, M.: Design and code inspections to reduce errors in program development. IBM Syst. J. 15(3), 182–211 (1976)
  20. Faulk, S., Brackett, J., Ward, P., Kirby, J.: The CoRE method for real-time requirements. IEEE Softw. 9(5), 22–33 (1992)
  21. Faulk, S., Finneran, L., Kirby, J., Shah, S., Sutton, J.: Experience applying the CoRE method to the Lockheed C-130J software requirements. In: 9th Annual Conference on Computer Assurance, pp. 3–8. Gaithersburg, MD (June 1994)
  22. Harel, D., Naamad, A.: The STATEMATE semantics of statecharts. ACM Trans. Softw. Eng. Methodol. (TOSEM) 5(4), 293–333 (1996)
  23. Heitmeyer, C., Labaw, B., Kiskis, D.: Consistency checking of SCR-style requirements specifications. In: Proceedings of the 2nd IEEE International Symposium on Requirements Engineering, pp. 56–65 (March 1995)
  24. Heitmeyer, C., Kirby, J., Labaw, B.: Automated consistency checking of requirements specifications. ACM Trans. Softw. Eng. Methodol. (TOSEM) 5(3), 231–261 (1996)
  25. Joshi, A., Miller, S., Heimdahl, M.: Mode confusion analysis of a flight guidance system using formal methods. In: 22nd Digital Avionics Systems Conference (DASC ’03), pp. 2.D.1–1–2.D.1–11 (Oct. 2003)
  26. Leveson, N.: Safeware: System Safety and Computers. Addison-Wesley, Reading, MA (1995)
  27. Leveson, N., Heimdahl, M., Hildreth, H., Reese, J.: TCAS II Collision Avoidance System (CAS) System Requirements Specification, change 6.00. Federal Aviation Administration, U.S. Department of Transportation (1993)
  28. Leveson, N., Heimdahl, M., Hildreth, H., Reese, J.: Requirements specifications for process-control systems. IEEE Trans. Softw. Eng. 20(9), 684–707 (1994)
  29. Leveson, N., Pinnel, D., Sandys, S., Koga, S., Reese, J.: Analyzing software specifications for mode confusion potential. In: Workshop on Human Error and System Development, Glasgow, UK (March 1997)
  30. Leveson, N., Heimdahl, M., Reese, J.: Designing specification languages for process control systems: lessons learned and steps to the future. In: 7th ACM SIGSOFT Symposium on the Foundations of Software Engineering, Lecture Notes in Computer Science, vol. 1687, pp. 127–145. Springer, Berlin Heidelberg New York (Sept. 1999)
  31. Lutz, R.: Analyzing software requirements errors in safety-critical, embedded systems. In: IEEE Symposium on Requirements Engineering, pp. 126–133. San Diego (1993)
  32. Miller, S.: Specifying the mode logic of a flight guidance system in CoRE and SCR. In: 2nd Workshop on Formal Methods in Software Practice (FMSP ’98), pp. 44–53. Clearwater Beach, FL (1998)
  33. Miller, S.: Taxonomy of mode confusion sources: final report. NASA Contractor Report (Feb. 2001)
  34. Miller, S., Tribble, A.: A methodology for improving mode awareness in flight guidance design. In: 21st Digital Avionics Systems Conference (DASC ’02), vol. 2, pp. 7D1–1–7D1–11. Irvine, CA (Oct. 2002)
  35. Miller, S., Tribble, A., Carlson, T., Danielson, E.: Flight guidance system requirements specification. Technical Report CR-2003-212426, NASA Langley Research Center (June 2003)
  36. Owen, D., Menzies, T.: Lurch: a lightweight alternative to model checking. In: Proceedings of the 2003 Software Engineering and Knowledge Engineering Conference (SEKE ’03), pp. 158–165 (2003)
  37. Owre, S., Rushby, J., Shankar, N.: Analyzing tabular and state-transition requirements specifications in PVS. Technical Report SRI-CSL-95-12, SRI International, Menlo Park, CA (June 1995)
  38. Owre, S., Rushby, J., Shankar, N., von Henke, F.: Formal verification for fault-tolerant architectures: prolegomena to the design of PVS. IEEE Trans. Softw. Eng. 21(2), 107–125 (1995)
  39. Parnas, D., Madey, J.: Functional documentation for computer systems engineering (vol. 2). Technical Report CRL 237, McMaster University, Hamilton, Ontario, Canada (Sept. 1990)
  40. Ramamoorthy, C., Prakash, A., Tsai, W., Usuda, Y.: Software engineering: problems and perspectives. IEEE Comput. 17(10), 191–209 (1984)
  41. Rayadurgam, S., Joshi, A., Heimdahl, M.: Using PVS to prove properties of systems modelled in a synchronous dataflow language. In: Proceedings of the 5th International Conference on Formal Engineering Methods (ICFEM 2003), pp. 167–186. Singapore (Nov. 2003)
  42. Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. In: Proceedings of the 3rd Workshop on Human Error, Safety, and System Development (HESSD ’99), Liege, Belgium (June 1999)
  43. Rushby, J.: Analyzing cockpit interfaces using formal models. Electron. Notes Theor. Comput. Sci. 43, 1–14 (2001)
  44. Rushby, J., Crow, J., Palmer, E.: An automated method to detect potential mode confusion. In: Proceedings of the 18th AIAA/IEEE Digital Avionics Systems Conference (DASC), vol. 1, pp. 4.B.2–1–4.B.2–6. St. Louis, MO (Oct. 1999)
  45. Sarter, N., Woods, D.: Pilot interaction with cockpit automation: operational experiences with the flight management system. Int. J. Aviat. Psychol. 2(4), 303–331 (1992)
  46. Sarter, N., Woods, D.: Pilot interaction with cockpit automation II: an experimental study of pilots’ model and awareness of the flight management system. Int. J. Aviat. Psychol. 4(1), 1–28 (1994)
  47. Sarter, N., Woods, D.: How in the world did I ever get into that mode? Mode error and awareness in supervisory control. Hum. Fact. 37(1), 5–19 (1995)
  48. Thompson, J., Heimdahl, M., Miller, S.: Specification-based prototyping for embedded systems. In: 7th ACM SIGSOFT Symposium on the Foundations of Software Engineering, Lecture Notes in Computer Science, vol. 1687, pp. 163–179 (Sept. 1999)
  49. Tribble, A., Miller, S.: Safety analysis of a flight guidance system. In: 21st Digital Avionics Systems Conference (DASC ’02), vol. 2, pp. 13C1–1–13C1–10. Irvine, CA (Oct. 2002)
  50. van Schouwen, A.: The A-7 requirements model: re-examination for real-time systems and an application to monitoring systems. Technical Report 90-276, Queen’s University, Kingston, Ontario, Canada (1990)
  51. Whalen, M.W.: A formal semantics for RSMLe. Master’s thesis, University of Minnesota (May 2000)
  52. Whalen, M.W.: Trustworthy translation for RSMLe. PhD thesis, University of Minnesota (Dec. 2004)

Copyright information

© Springer-Verlag 2006

Authors and Affiliations

  • Steven P. Miller (1)
  • Alan C. Tribble (1)
  • Michael W. Whalen (1)
  • Mats P. E. Heimdahl (2)
  1. Rockwell Collins Inc., Cedar Rapids, USA
  2. Department of Computer Science and Engineering, University of Minnesota, Minneapolis, USA
